Upgrading Linux machines with Apt-Cacher NG

Apt-Cacher NG is a caching proxy for package updates on Debian-based Linux distributions. It plays roughly the role that WSUS plays in the Windows world.

It avoids downloading the same packages over and over again from the Internet, which saves both your bandwidth and the repository server's.

To avoid repeated downloads, Apt-Cacher NG stores every package that the client machines request in a cache directory and serves later requests for the same package from there.

The installation is really simple:

sudo apt-get install apt-cacher-ng

Once the installation finishes, the program is fully functional with the default options. If you need to, you can change any parameter in the configuration file:
/etc/apt-cacher-ng/acng.conf
On the machines you want to upgrade you only need to create the following file:
/etc/apt/apt.conf.d/02proxy
and put this single line in it:
Acquire::http { Proxy "http://CacheServerIP:3142"; };
Replace CacheServerIP with the IP address or host name of your Apt-Cacher NG server. Traffic to the proxy is plain HTTP, but apt still verifies the repository's signed Release files on every client, so a cache cannot silently substitute packages. It can hold clients back by serving old index files, though, and Apt-Cacher NG does no client authentication, so make sure port 3142 is reachable only from the networks it is meant to serve.

The log files can be found in /var/log/apt-cacher-ng (the LogDir setting in acng.conf). Each transfer record has five fields separated by '|': a Unix timestamp, the direction, the size in bytes, the client address and the path requested. The output should look similar to this:
1296413268|I|548458|192.168.1.2|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
1296413268|O|548491|192.168.1.2|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
1296413269|O|143760|192.168.1.2|uburep/pool/main/d/dbus/libdbus-1-3_1.2.16-2ubuntu4.1_amd64.deb
1296413269|O|10154004|192.168.1.2|uburep/pool/main/l/linux-firmware/linux-firmware_1.34.3_all.deb
1296413269|O|4658|192.168.1.2|uburep/pool/main/l/linux-meta/linux-server_2.6.32.28.32_amd64.deb
1296413269|O|4668|192.168.1.2|uburep/pool/main/l/linux-meta/linux-image-server_2.6.32.28.32_amd64.deb
The letter 'I' (inbound) means the package was downloaded from the upstream repository; the letter 'O' (outbound) means it was sent to the machine that asked for it. A freshly fetched package produces an 'I' line and an 'O' line with the same timestamp; later 'O' lines for the same path with no matching 'I' are cache hits.
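The records above are easy to parse, and doing so answers the two questions a practitioner usually has about a cache: how much upstream bandwidth it is saving, and who is using it. The following Python script is an added example for this post, not code from the original article or from the Apt-Cacher NG project. It assumes the five-field record layout shown above and runs on a constructed sample modelled on that excerpt (not real traffic); the allowed network given to unexpected_clients is likewise an assumption.

```python
"""Summarise Apt-Cacher NG transfer log records.

Added example for this post; not code from the original article or from
Apt-Cacher NG. Assumes the record layout shown above:
  unix_time|I or O|bytes|client_ip|path
where I means the proxy fetched the file from the upstream mirror and O
means it served the file to a client.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input modelled on the excerpt above (not real traffic).
SAMPLE_LOG = """\
1296413268|I|548458|192.168.1.2|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
1296413268|O|548491|192.168.1.2|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
1296413269|O|143760|192.168.1.2|uburep/pool/main/d/dbus/libdbus-1-3_1.2.16-2ubuntu4.1_amd64.deb
1296413269|O|10154004|192.168.1.2|uburep/pool/main/l/linux-firmware/linux-firmware_1.34.3_all.deb
1296413300|O|548491|192.168.1.3|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
1296413301|O|548491|10.9.8.7|uburep/pool/main/p/php5/php5-common_5.3.2-1ubuntu4.7_amd64.deb
"""


@dataclass(frozen=True)
class Record:
    when: int        # Unix timestamp
    direction: str   # "I" = fetched from the mirror, "O" = served to a client
    size: int        # bytes transferred
    client: str      # requesting client address
    path: str        # repository-relative path of the file


def parse_line(line):
    """Parse one record; raise ValueError for anything that is not one."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5 or parts[1] not in ("I", "O"):
        raise ValueError("not an apt-cacher-ng transfer record: %r" % line)
    return Record(int(parts[0]), parts[1], int(parts[2]), parts[3], parts[4])


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarise(records):
    """Bytes pulled from upstream, bytes served, bytes per client, and the
    number of repeat serves (a path served again after its first serve, which
    is traffic the mirror never saw)."""
    upstream = served = 0
    per_client = defaultdict(int)
    serves_per_path = Counter()
    for r in records:
        if r.direction == "I":
            upstream += r.size
        else:
            served += r.size
            per_client[r.client] += r.size
            serves_per_path[r.path] += 1
    return {
        "upstream_bytes": upstream,
        "served_bytes": served,
        "saved_bytes": served - upstream,
        "per_client": dict(per_client),
        "repeat_serves": sum(n - 1 for n in serves_per_path.values()),
    }


def unexpected_clients(records, allowed_networks):
    """Client addresses outside the networks the proxy is meant to serve.

    Apt-Cacher NG does not authenticate clients, so an address outside your
    own ranges usually means port 3142 is reachable from where it should not be.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    found = {r.client for r in records
             if not any(ipaddress.ip_address(r.client) in n for n in nets)}
    return sorted(found)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarise(recs))
    print("unexpected clients:", unexpected_clients(recs, ["192.168.1.0/24"]))
```

Run it against the real file with parse_log(open("/var/log/apt-cacher-ng/apt-cacher.log").read()) and your own subnet list; saved_bytes is what the mirror did not have to send, and any address reported by unexpected_clients is a sign that the firewall in front of the proxy needs tightening.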

You can see part of the configuration and some cache statistics at the following URL. The maintenance actions on that page can be password-protected with the AdminAuth setting in acng.conf; by default they are open to anyone who can reach the port:
http://CacheServerIP:3142/acng-report.html
There are some alternatives to Apt-Cacher NG:

  • apt-cacher: similar in purpose, but a Perl script; Apt-Cacher NG is written in C++ and is lighter.
  • apt-proxy: only supports one repository.
  • apt-mirror: creates a full mirror of the repository. I do not recommend it; it is more sensible to download only the packages you need than to pull the whole archive from the repository's servers.

To finish, here is a really good manual:
http://www.unix-ag.uni-kl.de/~bloch/acng/html/index.html

Posted in Uncategorized | 4 Comments

Replication in PostgreSQL (II) – Hot Standby/Streaming Replication

Hot Standby/Streaming Replication

This process is similar to the Warm Standby replication that I showed you in the last article. The difference is that the standby trails the master by less than a second, because individual WAL records are streamed over a database connection instead of waiting for complete 16 MB WAL files to be shipped. You can also run read-only queries on the secondary server if you want to reduce the load on the main one.

Advantages 

  • Easy to implement
  • Every action performed on the main server, including DDL statements, is replicated to the secondary (sometimes this is a disadvantage, for example if you only want to replicate one of the databases on a server or if you want different indexes)
  • Can be used to ease the load on the main server

Disadvantages

  • You cannot choose the databases or tables that you want to replicate.
  • You cannot change the schema on the secondary server (for example, to have different indexes).
  • Both machines have to have the same architecture and same PostgreSQL version

Procedure

As in the last article, I am going to use Ubuntu Server 11.04 and PostgreSQL 9.1, installed from the official Ubuntu repositories rather than compiled from source. This is an important detail, because depending on the system you use and the way you install PostgreSQL, the configuration files can be located in different paths.

In this example we have two servers: the master with the IP address 10.0.0.1, and the Hot Standby or slave with the IP address 10.0.0.2, as in the picture below.

Important: the PostgreSQL service must be stopped on the slave server.

The configuration is quite similar to the one for Warm Standby replication. First configure the master server to accept replication connections from the slave server. Edit pg_hba.conf and add the following line:
host replication postgres 10.0.0.2/32 trust
Important: the database field has to be the word 'replication', the name of the pseudo-database used for replication connections. The user you specify needs the REPLICATION attribute (superusers have it implicitly). If you want to use a user other than postgres, you can create one with the following command; it is enough for streaming and avoids handing the standby a superuser account:
CREATE USER myuser WITH REPLICATION ENCRYPTED PASSWORD 'mypassword';
The authentication method should be something stronger than trust, for example md5. With trust, any process that can reach port 5432 from 10.0.0.2 can pull the complete WAL stream, and therefore every byte written to the cluster, without a password; with md5 the standby has to supply the password (see primary_conninfo below).

Now edit postgresql.conf on the main server and modify the following parameters:
listen_addresses = '*'
This makes the server accept TCP connections on all of its interfaces. Note that listen_addresses names the local addresses the master binds to, not the clients allowed to connect, so on a master with several interfaces you can restrict it to its own replication address:
listen_addresses = 'localhost,10.0.0.1'
Which client addresses are accepted, and how they authenticate, is controlled by pg_hba.conf as shown above.

wal_level = hot_standby
Enable the WAL files to be stored in a way that allows read-only queries in the slave server.
max_wal_senders = 5
This sets the maximum number of concurrent connections from standby servers (one per slave, plus any in use by pg_basebackup), i.e. how many slaves can stream from this master at the same time.
wal_keep_segments = 32
This sets the minimum number of WAL segments retained in the pg_xlog directory. This prevents the primary server from removing the WAL segments required for the standby server before shipping them off. The wal_keep_segments value should be larger than the number of segments generated between the beginning of the online-backup and the startup of the streaming replication. As you will see later, if you enable WAL archiving to an archive directory accessible from the standby, this parameter may not be necessary.

Optional

Now the master server is set up. If you want to make sure that the slave always has access to the WAL files it needs, you can also activate WAL archiving. This is not necessary if you have set a high enough value in wal_keep_segments.
archive_mode = on
Activates shipping of the WAL segments.
archive_command = 'scp /var/lib/postgresql/9.1/main/%p 10.0.0.2:/wal/%f'
This command is run every time a new WAL file is ready to ship. %p is replaced by the path of the finished WAL file (relative to the data directory) and %f by its file name. Two caveats: PostgreSQL treats a zero exit status as confirmation that the segment is safely archived and may recycle it afterwards, so the command must fail loudly on any error; and scp happily overwrites an existing file in /wal, whereas an archive command should refuse to overwrite a file that is already there.

Now restart the postgresql service at the master server to reload the configuration.

Edit the postgresql.conf file in the slave server. And modify the next parameters:
hot_standby = on
This tells PostgreSQL that read-only queries are allowed on the slave while it is replaying WAL.

Now in the slave server we have to create a new file with the name recovery.conf

IMPORTANT: this file has to live in the $PGDATA directory, that is, the path of your cluster data directory. In my case it is /var/lib/postgresql/9.1/main/. Do not save it with the rest of the configuration files (/etc/postgresql/). The content of the file has to be:
standby_mode = 'on'
This puts the server in standby mode.
primary_conninfo = 'host=10.0.0.1 port=5432 user=postgres'
This is the connection string the standby uses to connect to the primary. If you chose md5 in pg_hba.conf, add password=... to this string or, better, put the credentials in the postgres user's ~/.pgpass file on the slave with mode 0600, since recovery.conf is readable by anyone with access to the data directory.

If you have enabled WAL archiving you will need to add the next line to specify a command to load the archive segments from the WAL archive.
restore_command = 'cp /wal/%f /var/lib/postgresql/9.1/main/"%p"'
As I said earlier, this parameter is not necessary if the wal_keep_segments is high enough to retain the WAL segments required for the standby server. A large work load can cause segments to be recycled before the slave server is fully synchronized, requiring you to start again from a base backup.
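The risk described in the last two paragraphs, the master recycling a segment before the standby has replayed it, is easy to monitor. The following Python helper is an added example for this post, not code from PostgreSQL or from the original article. It takes the text WAL locations returned by SELECT pg_current_xlog_location() on the master and SELECT pg_last_xlog_replay_location() on the standby (the 9.1 names; PostgreSQL 10 renamed them pg_current_wal_lsn and pg_last_wal_replay_lsn), converts them to byte positions and compares the distance with wal_keep_segments. It assumes the default 16 MB segment size, and the sample locations in it are constructed.

```python
"""Streaming replication lag in bytes and segments, checked against
wal_keep_segments.

Added example for this post, not code from PostgreSQL or from the original
article. Input is the text form of WAL locations returned by
SELECT pg_current_xlog_location()  on the master and
SELECT pg_last_xlog_replay_location()  on the standby (9.1 names; PostgreSQL
10 renamed them pg_current_wal_lsn and pg_last_wal_replay_lsn). Assumes the
default 16 MB segment size. The sample locations are constructed.
"""

WAL_SEGMENT_BYTES = 16 * 1024 * 1024

# Bytes covered by one logical log file (the number before the slash).
# PostgreSQL 9.2 and earlier fit 255 segments in a file, so the offset part
# wraps at 0xFF000000; 9.3 and later use the full 32 bits.
LOGFILE_BYTES_PRE_93 = 0xFF000000
LOGFILE_BYTES_93_PLUS = 1 << 32


def lsn_to_bytes(lsn, logfile_bytes=LOGFILE_BYTES_PRE_93):
    """Convert 'X/Y' (hex log id / hex offset) to an absolute byte position."""
    try:
        hi_text, lo_text = lsn.strip().split("/")
        hi, lo = int(hi_text, 16), int(lo_text, 16)
    except ValueError:
        raise ValueError("malformed WAL location: %r" % lsn)
    if lo >= logfile_bytes:
        raise ValueError("WAL offset out of range for this version: %r" % lsn)
    return hi * logfile_bytes + lo


def lag_bytes(master_lsn, standby_lsn, logfile_bytes=LOGFILE_BYTES_PRE_93):
    """WAL written on the master that the standby has not yet replayed."""
    lag = (lsn_to_bytes(master_lsn, logfile_bytes)
           - lsn_to_bytes(standby_lsn, logfile_bytes))
    if lag < 0:
        raise ValueError("standby is ahead of the master: servers swapped?")
    return lag


def segments_behind(master_lsn, standby_lsn, logfile_bytes=LOGFILE_BYTES_PRE_93):
    """Number of segment boundaries between the standby's replay point and
    the master's current write position."""
    master = lsn_to_bytes(master_lsn, logfile_bytes) // WAL_SEGMENT_BYTES
    standby = lsn_to_bytes(standby_lsn, logfile_bytes) // WAL_SEGMENT_BYTES
    return master - standby


def keep_segments_sufficient(master_lsn, standby_lsn, wal_keep_segments,
                             logfile_bytes=LOGFILE_BYTES_PRE_93):
    """True while the master still holds the segment the standby needs next.

    wal_keep_segments is the minimum number of past segments kept in pg_xlog,
    so the standby is covered while it is at most that many segments behind.
    This is an approximation: segments are recycled at checkpoints, and a
    disconnected standby falls further behind than its last reported
    position, so alert well before the margin is used up.
    """
    return segments_behind(master_lsn, standby_lsn, logfile_bytes) <= wal_keep_segments


if __name__ == "__main__":
    master, standby = "0/3000000", "0/2A00000"   # constructed sample values
    print("lag: %d bytes, %d segment(s) behind; wal_keep_segments = 32 sufficient: %s"
          % (lag_bytes(master, standby), segments_behind(master, standby),
             keep_segments_sufficient(master, standby, 32)))
```

The version-dependent logfile size matters only when the two locations straddle a boundary of the number before the slash (for example 0/FE000000 on the standby and 1/0 on the master): on 9.1 that is one 16 MB segment apart, on 9.3 or later it is two. Feed the function the value that matches the server you are measuring.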

Now we are going to copy the cluster with the following commands, run on the master as the postgres user (pg_start_backup requires superuser rights; from 9.1 onwards pg_basebackup can take the same copy over the replication connection):
psql -c "SELECT pg_start_backup('label')"
rsync -a /var/lib/postgresql/9.1/main/ 10.0.0.2:/var/lib/postgresql/9.1/main/ --exclude postmaster.pid
psql -c "SELECT pg_stop_backup()"

This copy can also be made through a network share (samba, nfs) or using an external USB drive.

Now we have to start postgresql in the slave server. With this last step the Hot StandBy replication is ready.

Posted in Uncategorized | 31 Comments

Replication in PostgreSQL (I) – Warm StandBy/Log Shipping

Replication is a technique for keeping the objects of one database in multiple locations. It gives us an exact or partial replica of the database that can serve as an emergency fallback and, with some solutions, can also answer queries and so reduce the load on the main server.

I’ll show you through a series of articles some of the replication solutions for PostgreSQL.

Below you can see a table comparing the 4 most common replication solutions:

Solution               Schema changes on secondary   Queries on secondary   Replicates schema changes   Select tables to replicate
Warm StandBy           No                            No                     Yes                         No
Streaming Replication  No                            Yes                    Yes                         No
Slony-I                Yes                           Yes                    No*                         Yes
PgPool**               Yes                           Yes                    Yes                         No

*No by default, yes using propagation scripts

**PgPool is a Load Balancing solution and also implements replication

Warm StandBy/Log Shipping

This solution has come natively with PostgreSQL since version 8.3. It is based on periodically shipping WAL files to the secondary server. The WAL (Write-Ahead Log) files are similar to the redo log files of other database systems: every change is written to the WAL before it is applied to the data files, and the log is flushed to disk when a transaction commits. That way, if something goes wrong with the database, it can be recovered by replaying the WAL files.

Advantages

  • Easy to implement: modifying just 6 lines in the configuration files has the system ready.
  • Every action performed on the main server, including DDL statements, is replicated to the secondary (sometimes this is a disadvantage, for example if you only want to replicate one of the databases on a server or if you want different indexes).

Disadvantages

  • The Warm StandBy server cannot be used to ease the load on the main one, because it is not possible to run queries on it.
  • You can set the WAL shipping period (archive_timeout), but if it is very low you can overload the server or the network. Whatever the period, the transactions in a WAL segment that has not been shipped yet are lost if the master fails, so depending on your transaction volume you may lose some of them in an emergency.
  • Both of the machines have to have the same architecture (32 or 64 bits) and the same PostgreSQL version.

Procedure

Let's see how to set up this replication on Ubuntu Server 11.04 with PostgreSQL 9.1, installed from the official Ubuntu repositories rather than compiled from source. This is an important detail, because depending on the system you use and the way you install PostgreSQL, the configuration files can be located in different paths.

In this example we have two servers: the master with the IP address 10.0.0.1, and the Warm Standby or slave with the IP address 10.0.0.2, as in the picture below.

The PostgreSQL service has to be stopped in the slave server.

In the master we are going to edit the configuration file postgresql.conf and modify the next parameters:
wal_level = archive
This determines how much information is written to the WAL. The default value is minimal, which writes only the information needed to recover from a crash or immediate shutdown. archive adds logging required for WAL archiving.
archive_mode = on
Activate the shipping of the WAL segments.
archive_command = 'scp /var/lib/postgresql/9.1/main/%p 10.0.0.2:/wal/%f'
This command is run every time a new WAL file is ready to ship. %p is replaced by the path of the finished WAL file (relative to the data directory) and %f by its file name. PostgreSQL treats a zero exit status as confirmation that the segment is safely archived and may recycle it afterwards, so whatever command you use must fail loudly on any error.

PostgreSQL lets us choose how these files are copied to the slave; archive_command can be any shell command.

An alternative is to prepare a network share that both machines can access and run a simple copy. Use the form from the PostgreSQL documentation, which refuses to overwrite a file that already exists in the archive (the test fails, the command returns non-zero and the server retries later):
archive_command = 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
archive_timeout = 60
The timeout parameter is optional and is given in seconds. It tells PostgreSQL not to wait until a WAL file is full (16 MB) before shipping it, as it does by default: a segment is switched and shipped at least every 60 seconds, which also bounds how many transactions can be lost if the master dies. Consider the volume of transactions you are going to have in order to avoid problems with bandwidth, because every forced switch ships a full 16 MB file however little of it was used. The default value of 0 means it waits until the WAL file is full.

Now restart the postgresql service at master server to reload the configuration.

If you use the scp method from the example above, you need to create the destination folder on the slave and make postgres its owner:
sudo mkdir /wal
sudo chown postgres:postgres /wal

For scp (secure copy) to work from the master without typing the postgres user's password, you need to generate a key pair (public and private) and add the public key to the slave server. You need openssh-server installed on both servers to do that.

On the main server, run the following command logged in as the postgres user (sudo su postgres on Ubuntu). Use an RSA key: DSA keys are limited to 1024 bits and newer OpenSSH versions refuse them by default.
ssh-keygen -t rsa -b 4096
Below you can see how your output should look.

Now connect to the slave server. We need to set a temporary password for the postgres user so that ssh-copy-id can log in once:
sudo passwd postgres
Again from the master server, run the following command to install the public key on the slave server:
ssh-copy-id -i /var/lib/postgresql/.ssh/id_rsa.pub postgres@10.0.0.2
Then lock the postgres password on the slave again, so that only the key can be used to log in:
sudo passwd -l postgres
Now on the slave server we have to create a new file named recovery.conf.
IMPORTANT: this file has to live in the $PGDATA directory, that is, the path of your cluster data directory. In my case it is /var/lib/postgresql/9.1/main/. Do not save it with the rest of the configuration files (/etc/postgresql/).
The content of the file has to be:
standby_mode = 'on'
restore_command = 'cp /wal/%f /var/lib/postgresql/9.1/main/"%p"'

Now we have to take a binary copy of the cluster. On the master server, log in as the postgres user.

Enter in the database interpreter
psql
Run the following command to tell PostgreSQL that a backup is starting. It marks the start point so that the copy can be made consistent later: it performs a checkpoint, flushes the current WAL to disk and records where the copy begins.
SELECT pg_start_backup('label');
‘label’ can be any name that you want.

Now we are going to copy the cluster with the next command
rsync -a /var/lib/postgresql/9.1/main/ 10.0.0.2:/var/lib/postgresql/9.1/main/ --exclude postmaster.pid
This copy can also be made through a network share (samba, nfs) or using an external USB drive.

Once the copy is finished, run the next command again inside of the psql interpreter:
SELECT pg_stop_backup();
Now we have to start postgresql in the slave server. With this the Warm-Standby replication is ready.
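The archive_command and restore_command pair used in this procedure can be replaced by a small script that honours the contract PostgreSQL expects: fail on any error, never overwrite a different file that already has that name, and tolerate retries. The following Python script is an added example for this post, not code from PostgreSQL or from the original article. It assumes the /wal directory from the text (local on the slave or mounted on the master over NFS) and an install path of /usr/local/bin/walship.py, both of which are assumptions; the self_check function builds its own scratch directory and a constructed stand-in for a WAL segment.

```python
"""walship.py: safe archive_command / restore_command for WAL shipping.

Added example for this post, not code from PostgreSQL or the original
article. PostgreSQL treats exit status 0 from archive_command as "segment
safely archived" and may then recycle it, so the command must fail on any
error and must not overwrite a different file already in the archive; the
scp one-liner above does neither. Assumes the post's /wal directory (local
on the slave or mounted on the master). Hook it in with (paths assumed;
%p and %f are substituted by PostgreSQL):
  archive_command = '/usr/local/bin/walship.py archive %p %f'
  restore_command = '/usr/local/bin/walship.py restore %f %p'
"""
import filecmp
import os
import shutil
import sys
import tempfile

ARCHIVE_DIR = "/wal"  # from the post; an assumption for this script


def archive_segment(src_path, name, dest_dir):
    """Copy one finished WAL segment into dest_dir; return a shell exit code.

    A file that is already there is accepted only if it is byte-for-byte
    identical (PostgreSQL retries a command that failed half-way); a different
    file with the same name is a real conflict and must not be overwritten.
    The copy goes to a temporary name, is fsync'ed and then renamed, so a
    reader never sees a partially written segment.
    """
    dest = os.path.join(dest_dir, name)
    if os.path.exists(dest):
        return 0 if filecmp.cmp(src_path, dest, shallow=False) else 1
    tmp = None
    try:
        fd, tmp = tempfile.mkstemp(prefix=name + ".", dir=dest_dir)
        with os.fdopen(fd, "wb") as out, open(src_path, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())   # file contents on disk before the rename
        os.rename(tmp, dest)
        dir_fd = os.open(dest_dir, os.O_RDONLY)
        try:
            os.fsync(dir_fd)         # and the directory entry as well
        finally:
            os.close(dir_fd)
        return 0
    except OSError:
        if tmp and os.path.exists(tmp):
            os.unlink(tmp)
        return 1


def restore_segment(name, dest_path, src_dir):
    """Copy an archived segment to the path the standby asked for.

    A missing segment is normal: the standby asks for files that do not exist
    yet and retries, so this returns 1 quietly rather than raising."""
    src = os.path.join(src_dir, name)
    if not os.path.isfile(src):
        return 1
    shutil.copyfile(src, dest_path)
    return 0


def self_check():
    """Exercise the contract in a scratch directory and return the exit codes
    seen: (first archive, identical retry, conflicting retry, restore of an
    archived segment, restore of a missing segment)."""
    work = tempfile.mkdtemp(prefix="walship-")
    try:
        archive = os.path.join(work, "archive")
        os.mkdir(archive)
        seg = os.path.join(work, "000000010000000000000001")  # constructed stand-in
        with open(seg, "wb") as f:
            f.write(b"\x00" * 4096)
        first = archive_segment(seg, os.path.basename(seg), archive)
        retry = archive_segment(seg, os.path.basename(seg), archive)
        with open(seg, "wb") as f:
            f.write(b"\xff" * 4096)      # same name, different contents
        conflict = archive_segment(seg, os.path.basename(seg), archive)
        out = os.path.join(work, "out")
        restored = restore_segment(os.path.basename(seg), out, archive)
        missing = restore_segment("000000010000000000000002", out, archive)
        return (first, retry, conflict, restored, missing)
    finally:
        shutil.rmtree(work)


def main(argv):
    if len(argv) != 4 or argv[1] not in ("archive", "restore"):
        sys.stderr.write("usage: walship.py archive %p %f | restore %f %p\n")
        return 2
    if argv[1] == "archive":
        return archive_segment(argv[2], argv[3], ARCHIVE_DIR)
    return restore_segment(argv[2], argv[3], ARCHIVE_DIR)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the archive on the master's side of an NFS mount the script runs under the postgres account, so /wal must be writable by that user and by nobody else who matters; if the archive stays on the slave and is reached over ssh, keep the scp form but wrap it in the same refuse-to-overwrite check on the remote side.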

Posted in Uncategorized | 6 Comments

Install Adobe Reader using a GPO

A common problem for system administrators is the update of third party programs in business environments.

Sometimes, we can create a simple script that installs the desired application. However if this is not done correctly, it is possible that the application will get installed several times in the same computer resulting in the loss of performance and bandwidth .

The natural tool in an Active Directory domain is Group Policy, which has built-in support for software installation.

Let’s see how to install Adobe Reader X through a GPO.

Installing Adobe Reader

Adobe Reader is a free application, but if we want to deploy it in a business environment we have to request a distribution license. This license is also free.

Once we have our license, we should download the msi package from the following FTP site:

ftp://ftp.adobe.com/pub/adobe/reader/win/

Customization of the Installation Package

Although we could distribute the msi package just as we downloaded it, it is worth briefly looking at how to change its default behaviour.

When we install an msi package from the command line we can change the way it is installed with switches and properties. When it is installed through a Group Policy (GPO), however, the installation is silent, without user interaction, and we cannot pass those options. To change the installation process we have to edit the msi package with a third-party tool or with Microsoft's Orca.

Luckily, Adobe simplifies our work and provides a configuration wizard for its msi packages, the Adobe Customization Wizard, which is a separate download from Adobe.

Once it is installed we can open the msi package and modify its installation behavior.

Some of the most interesting options are: Enable Optimization, Enable Caching, choosing how to run the installation, suppressing the reboot, suppressing the EULA dialog when the user opens the program for the first time, and removing the shortcuts from the desktop or the Start Menu.

There is also an editor in which we can change any value in the msi package. Here I recommend disabling the Adobe update service, since we will be updating Adobe Reader ourselves through the GPO. To do this, look for the Install Service value and change its StartType field to 4 (SERVICE_DISABLED), so the service is registered but never started.

Once all the changes are done we save the package.

If we get an error showing that the Setup was not found, we have to create an empty text file in the folder where the msi package is stored.

If we look at the folder we can see a file with the mst extension. This transform file holds the modifications we have made to the msi package; the package itself is left untouched.

GPO Creation

The msi package path has to be reachable by every computer in the domain. The best place is a network share with read-only access for Authenticated Users (which includes the computer accounts that perform the installation), so nobody can replace the package that every machine is about to install.

To create the policy we have to open the Group Policy Management Console in the domain controller and create a new policy. Then we edit this policy and search for the next path:

Computer Configuration => Policies => Software Settings => Software Installation.

Then right click => New => Package…

We search for the package in the shared folder and then we click Open.

There are two deployment methods. Published is only available when the policy is applied per user: the application is not installed, but is offered to the user in Add or Remove Programs in the Control Panel. With Assigned, the package is installed without any user interaction (for a computer policy, at the next start-up).

If we have modified the msi package, we should click Advanced so that we can load the mst file. Go to the Modifications tab and click Add..., select the mst file and click Open.

In a few seconds we will see how the package has been added to the package list to install.

To test the new policy, refresh Group Policy with the command "gpupdate /force" on the domain controller and on the computer where we want the program installed. Then restart that computer and you will see that Adobe Reader has been installed with the desired modifications.

VERY IMPORTANT: the language of the Adobe Reader package has to match the language of the Windows installation on the target computer. If for any reason we want to use a different language, right-click the package, then Properties => Deployment => Advanced... and tick the box Ignore language when deploying this package.

References

Deploying Adobe Reader X - http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-x/

Deploy Adobe Reader using Group Policy - http://mysysadmintips.com/index.php/active-directory/24-deploy-adobe-reader-using-group-policy

Windows Installer - http://en.wikipedia.org/wiki/Windows_Installer

Introduction to Group Policy Software Installation (in Spanish) - http://technet.microsoft.com/es-es/library/cc738858%28WS.10%29.aspx

HOW TO: Use Group Policy to install software remotely in Windows 2000 (in Spanish) - http://support.microsoft.com/kb/314934/es

How to use the Orca database editor to edit Windows Installer files - http://support.microsoft.com/kb/255905

Posted in Uncategorized | Leave a comment

Problems cloning Windows virtual machines

If you have ever worked with cloned virtual machines, mainly in test environments, you may have encountered some strange problems that drove you crazy.

I recall one particular test I was doing with the new Microsoft update server, WSUS. We had a Windows 2008 Server and a couple of Windows XP machines; one was cloned from the other. When we tried to add the second one to the WSUS server, the first disappeared, and if we tried to add the first one again, the second one disappeared!

The problem is that WSUS identifies computers by an identity they carry with them rather than by their name (logical, if you think about it): the Windows Update agent's client ID, stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate as SusClientId. Like the computer SID, that value is copied along with everything else when a machine is cloned, so WSUS sees both machines as one and keeps replacing the record.

Although this happened to me in a test environment, the same behaviour can appear in other scenarios, for example in a company whose computers have all been cloned from one image.

But, what exactly is the SID?

The SID, or Security Identifier, is a unique identifier that Windows assigns to users, groups and computers, both on a local system and in a domain. It is written as a string such as S-1-5-21-A-B-C-RID: the part up to the third long number identifies the computer (or domain) that issued it, and the final relative identifier (RID) picks out one account, so all local accounts on one computer share the machine part. Names are only labels attached to SIDs; permissions are always checked against the SID, never the name.

That is why a computer can be renamed and keep its SID.
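The structure just described is enough to spot clones after the fact: if the local accounts of two computers share the machine part of their SIDs, they came from the same image. The following Python script is an added example for this post, not code from the original article or from Sysinternals. Its input (host name to list of local account SIDs, as PsGetSid or wmic useraccount would report them) is constructed sample data, not real machines.

```python
"""Detect cloned Windows machines from their account SIDs.

Added example for this post, not code from the original article or from
Sysinternals. It relies on the SID layout described above: an account SID
S-1-5-21-A-B-C-RID is the issuing machine's (or domain's) SID S-1-5-21-A-B-C
plus a relative identifier, so local accounts on different computers that
share the machine part come from the same image. The input (host name ->
list of local account SIDs, as PsGetSid or 'wmic useraccount' would report
them) is constructed sample data, not real machines.
"""
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-(\d+)-(\d+(?:-\d+)*)$")
MAX_SUBAUTHORITY = 2 ** 32 - 1   # sub-authorities are 32-bit values
MAX_SUBAUTHORITIES = 15          # a SID carries at most 15 of them

# Well-known relative identifiers that exist on every Windows machine.
RID_ADMINISTRATOR = 500
RID_GUEST = 501

# Constructed sample: PC-02 was cloned from PC-01, PC-03 was installed fresh.
SAMPLE = {
    "PC-01": ["S-1-5-21-1111111111-2222222222-3333333333-500",
              "S-1-5-21-1111111111-2222222222-3333333333-1001"],
    "PC-02": ["S-1-5-21-1111111111-2222222222-3333333333-500",
              "S-1-5-18"],                       # LocalSystem, not machine-scoped
    "PC-03": ["S-1-5-21-4000000001-123456789-987654321-500"],
}


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(x) for x in m.group(2).split("-")]
    if len(subs) > MAX_SUBAUTHORITIES or any(s > MAX_SUBAUTHORITY for s in subs):
        raise ValueError("SID out of range: %r" % sid)
    return int(m.group(1)), subs


def machine_sid(sid):
    """Machine/domain part of an account SID, or None for SIDs that are not
    issued by a machine (built-ins such as S-1-5-18 or S-1-5-32-544)."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])


def rid(sid):
    """Relative identifier (last sub-authority) of an account SID."""
    return parse_sid(sid)[1][-1]


def find_clones(account_sids_by_host):
    """Map each machine SID seen on more than one host to those hosts."""
    hosts = defaultdict(set)
    for host, sids in account_sids_by_host.items():
        for sid in sids:
            m = machine_sid(sid)
            if m is not None:
                hosts[m].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    for m, hosts in find_clones(SAMPLE).items():
        print("machine SID %s shared by %s" % (m, ", ".join(hosts)))
```

Collect one SID per machine (the built-in Administrator, RID 500, is always present and is a convenient choice) from your inventory tool and feed the mapping to find_clones; every group it returns is a set of machines that were never run through Sysprep.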

How do you change the SID of a machine?

In the past it was possible to change the SID with the Sysinternals utility NewSID, but its author, Mark Russinovich, retired it some time ago. The reason he gave was that he could not guarantee that it worked correctly on Windows Vista and later.

Instead we can use the Sysprep tool. It dates from the Windows NT era and is the method Microsoft recommends for preparing a cloned system.

Let’s see it working over a virtual machine with Windows 2008 Server that I have cloned:

First we are going to find out its SID with the Sysinternals utility PsGetSid.

Now we are going to run Sysprep. In the past this tool came on the Windows installation CD or could be downloaded from Microsoft's web site, but since Windows Vista it is already installed at C:\Windows\System32\Sysprep\Sysprep.exe.

If we run it without any arguments, a window with two options will appear:

Important! Tick the "Generalize" box and leave the rest of the options at their defaults, then click OK. Generalize is what strips the machine-specific data, including the SID, so that new values are generated on the next boot.

A new message will appear showing that the Sysprep is preparing the system.

After the computer reboots, we have to choose the language and the regional settings.

Accept the Windows license again.

And set a new password for the administrator user.

If we run PsGetSid again, we can see that the computer has a new SID.

Posted in Uncategorized | Leave a comment