How to Install Zenoss Core 4.2 Over SSL with Nginx reverse proxy

Before you start doing the installation, you should check your server specs if you meet the minimum hardware requirements, which is Zenoss Core 4.2 runs natively on the following Linux-based operating systems:

• Red Hat Enterprise Linux 64-bit 6.x (recommended) or 5.x
• CentOS 64-bit 6.x (recommended) or 5.x

Zenoss Installation Steps

• Auto-deploy Installation

Using the auto-deploy script (core-autodeploy-4.2.sh) is the simplest way to install Zenoss Core 4.2 on a newly-deployed RHEL/CentOS 64-bit 5/6 system. To use the script, execute the following as root in sequential order.

# wget --no-check-certificate https://raw.github.com/zenoss/core-autodeploy/master/core-autodeploy-4.2.sh
# chmod +x core-autodeploy-4.2.sh
# ./core-autodeploy-4.2.sh

The auto-deploy script automatically download and install Zenoss Core 4.2 and all required dependencies. So wait until the auto-deploy installation will be finished.

• Configure Zenoss over SSL with Nginx reverse proxy

We will be used Nginx as reverse proxy server instead of running in on the box (e.g. http://127.0.0.1:8080). So, to proceed our installation, we need to comment out “ip-address 127.0.0.1″ in zope.conf (/opt/zenoss/etc/zope.conf) using your favorite editor. 

# vi /opt/zenoss/etc/zope.conf
  From: # ip-address 127.0.0.1
  To: ip-address 127.0.0.1
# su - zenoss
# zopectl restart

From this point, we will install Nginx and the OpenSSL utilities. But first, we need to add nginx yum repository. We need to create a file named /etc/yum.repos.d/nginx.repo and paste one of the configurations below: 

CentOS:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

RHEL:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/rhel/$releasever/$basearch/
gpgcheck=0
enabled=1

And proceed the Nginx and OpenSSL installation

# yum install nginx openssl

Then create an ssl directory to store the certificates and generate certificates using openssl. 

# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -days 365 -nodes -out zenoss-cert.pem -keyout zenoss-cert.key

Configure the default.conf file in /etc/nginx/conf.d

# cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.orig
# vi /etc/nginx/conf.d/default.conf   

Then, replace with:

  server {
    listen 443 default ssl;
    server_name Your-IP-Address;

      ssl on;
      ssl_certificate      /etc/nginx/ssl/zenoss-cert.pem;
      ssl_certificate_key  /etc/nginx/ssl/zenoss-cert.key;

location / {
        rewrite ^(.*)$ /VirtualHostBase/https/Your-IP-Address:443$1 break;
        proxy_pass http://127.0.0.1:8080;
    }
}

Restart Nginx and Zenoss

# /etc/init.d/nginx restart
# /etc/init.d/zenoss-stack restart
or 
# su - zenoss
$ zenoss restart

 

Finally, open your Zenoss over SSL using your favorite browser e.g. https://your-ip-address

References:

http://wiki.nginx.org/Install

http://wiki.zenoss.org/Install_Zenoss

http://bailey.st/blog/2012/03/24/zenoss-over-ssl-with-nginx-reverse-proxy/

  

Automatic Amazon Web Simple Storage Service (AWS3) Backups

1.) First, you have to set up encryption by using the gpg (GNU Privacy Guard) tool. GPG works by creating two key files:

•  Public key (pubring.gpg) – Used to encrypt your data. It doesn’t matter who sees this.
• Private key (secring.gpg) – Used to decrypt your data. This file must be kept safe and only          seen by you.

The two files it creates are essentially a pair. Files encrypted by a public key can only be decrypted by the corresponding private key. If you lose your private key, you will not get your files back, ever. So, let’s get to it!

•  In your command line, type the following:

           sudo gpg --gen-key

You’ll be walked through a few options for your key, select the following:

• Key type – DSA and Elgamal (Default)
• Key size – 2048 bits (Again, the default)
• Expiration – Do not expire (Not necessary for what we’re doing as you won’t be sharing the public key with anyone).
• Name, Comment and Email – You can enter whatever you like here, but do take a note of them

somewhere. They’ll help you remember which key is which if you create multiple keys later. In here, the following values were used:
                    
                             Name: Branz Balugo
                             Comment: domain.com
                             Email: myemailaddress@gmail.com

• Password (gpg passphrase) – Make sure you remember whatever you type, there’s no way to get it back if you forget! The password (gpg passphrase) used here was: s3cr3t
• When it talks about “generating entropy” to make the key, it means that the server needs to be in use in order for it to get some random numbers. Just go refresh a webpage on the server a few times, or run some commands in another terminal window.

When your key is made, you’ll see a few lines about it. The important one looks like this:

    pub 1024D/2A72DARB 2010-09-16

The 2A72DARB is the part you need. That’s your gpg key ID, and you’ll need it later!
If you do end up forgetting your gpg key ID though, it’s easy enough to get that back. Just type:

    sudo gpg --list-keys

          That’s our encryption set up and is now ready to use!

NOTE: The keys generated will be stored in your home directory, under the .gnupgsub-directory.


2.) Sign up for AWS3 (which is already done).
You should have the following:

• username: P!N4K4GWAPONG4T4W0
•  password:batiUUkagXv2UEndagwayXWqYc2WS8CVaXpangitK0n6+wm
• bucket_name: com.sym.backups.domain

3.) Install Duplicity (if it's not installed)
      Enter the following command (yum is specific to Red Hat and its derivatives, like Fedora):

     sudo yum install duplicity

      Now with it installed, we just have to create a script that tells it how to run.


4.) Our Duplicity backup script (backup_aws3)

Here is how we want to set it up:

•  Encrypt with our GPG key.
• Backup to an Amazon s3 “bucket” (a bucket on s3 is like a folder).
• Make an incremental backup every day.
• Make a full backup if it’s been more than 2 weeks since our last full backup.
• Remove backups older than one month.

Now, create a file (that will contain the backup script) in your home directory as,

   nano backup_aws3

where backup_aws3 is the script's filename and then enter the following lines:

#!/bin/sh

config_file=$1 # Config file specified at command prompt
if [ -e "$config_file" ]
then
   echo "--- Reading config file ($config_file) ---"
   username=`grep username $config_file | awk '{ print $2 }'`
   password=`grep password $config_file | awk '{ print $2 }'`
   bucket_name=`grep bucket_name $config_file | awk '{ print $2 }'`
   gpg_passphrase=`grep gpg_passphrase $config_file | awk '{ print $2 }'`
   gpg_key=`grep gpg_key $config_file | awk '{ print $2 }'`
   backup_folder=`grep backup_folder $config_file | awk '{ print $2 }'`
   echo "--- done ---"
   echo "--- Exporting environment variables ---"
   export PASSPHRASE=$gpg_passphrase
   export AWS_ACCESS_KEY_ID=$username
   export AWS_SECRET_ACCESS_KEY=$password
   echo "--- done ---"
   echo "--- Looking for backup files older than 1 month for
   deletion ---"
   # Delete any file older than 1 month
   duplicity remove-older-than 1M --encrypt-key=$gpg_key --sign-key=$gpg_keys3+http://$bucket_name
   echo "--- done ---"
   echo "--- Doing a regular backup (will do a full backup if past 14 days) ---"
   # Make the regular backup
   # Will be a full backup if past the older-than parameter
   duplicity --full-if-older-than 14D --encrypt-key=$gpg_key --sign-key=$gpg_key $backup_folder/ s3+http://$bucket_name
   echo "--- done ---"
   export PASSPHRASE=
   export AWS_ACCESS_KEY_ID=
   export AWS_SECRET_ACCESS_KEY=
else
   echo "Configuration file does not exist!"
   echo "Usage: $0 "
fi
      
         and then save it. Now, you need to change its file permission mode so that it becomes
         executable, by typing the following command:

    chmod a+x backup_aws3

        NOTE: This script has to be specified with a configuration file (say, backup_aws3.cfg) as its parameter when invoked. So create the configuration file as follows:

   nano backup_aws3.cfg

       where backup_aws3.cfg is the name of the configuration file, and then enter the following lines:

       username: P!N4K4GWAPONG4T4W0
    password: batiUUkagXv2UEndagwayXWqYc2WS8CVaXpangitK0n6+wm
   bucket_name: com.sym.backups.domain
       gpg_passphrase: s3cr3t
       gpg_key: 2A72DARB
       backup_folder: /home/admin/backups
       restore_folder: /home/admin/restore

      where 2A72DARB is your gpg key ID generated above and then save it. To run the script on the command line, simply type the following:

      ./backup_aws3 backup_aws3.cfg


5.) Finally, run the script via crontab to automate backups.

     To do a backup every 3:30AM of every day, just run the script via crontab like this:

      export EDITOR=nano
  crontab -e

     and once the nano text editor comes up, enter the following on one line:

  30 3 * * * /home/admin/backup_aws3 /home/admin/backup_aws3.cfg > /home/admin/backup_aws3.log 2>&1

     and then save it. The backup script /home/admin/backup_aws3 will now be run by crontab every 3:30AM of everyday.


RESTORING THE BACKUP FILES

     To restore the backup files stored at AWS3 to a specified restore_folder (see its set value in
backup_aws3.cfg) directory, create the following script as,

     nano restore_aws3

     and then enter the following lines:

  #!/bin/sh

  config_file=$1 # Config file specified at command prompt
  if [ -e "$config_file" ]
  then
     echo "--- Reading config file ($config_file) ---"
     username=`grep username $config_file | awk '{ print $2 }'`
     password=`grep password $config_file | awk '{ print $2 }'`
     bucket_name=`grep bucket_name $config_file | awk '{ print $2 }'`
     gpg_passphrase=`grep gpg_passphrase $config_file | awk '{ print $2 }'`
     gpg_key=`grep gpg_key $config_file | awk '{ print $2 }'`
     restore_folder=`grep restore_folder $config_file | awk '{ print $2 }'`
     echo "--- done ---"
     echo "--- Exporting environment variables ---"
     export PASSPHRASE=$gpg_passphrase
     export AWS_ACCESS_KEY_ID=$username
     export AWS_SECRET_ACCESS_KEY=$password
     echo "--- done ---"
     echo "--- Restoring backup files to $restore_folder directory ---"
     duplicity s3+http://$bucket_name $restore_folder/ --encrypt-key=$gpg_key --signkey=$
     gpg_key
     echo "--- done ---"
     export PASSPHRASE=
     export AWS_ACCESS_KEY_ID=
     export AWS_SECRET_ACCESS_KEY=
  else
            echo "Configuration file does not exist!"
     echo "Usage: $0 "
  fi

            and then save it. Now, you need to change its file permission mode so that it becomes executable, by typing the following command:

           chmod a+x restore_aws3

           NOTE: This script has to be specified with a configuration file (say,backup_aws3.cfg) as its
parameter when invoked. To restore your backup files from AWS3 torestore_folder directory,
run the following command:

           ./restore_aws3 backup_aws3.cfg

            IMPORTANT: Since your backup script will be run by your admin account viacrontab and
your restore script will be run manually via command line, make sure that the.gnupg sub-directory,
which contains the keys, is present in admin's home directory. Also, the backup/restore script and its configuration file must be referred to using full path specification as
/home/admin/backup_aws3 (or /home/admin/restore_aws3) and
/home/admin/backup_aws3.cfg.


           MOST IMPORTANT: BACKUP YOUR KEYS!!!

           The duplicity-encrypted backups that you store will NOT be usable unless you have your gpg secret
key. Therefore it is important that you keep a copy of that key somewhere besides the system on
which your original data resides on. To export your public and private (secret) keys, run these
commands:

• For the Public Key, enter:

          gpg -ao public-key-domain.com --export 2A72DARB

• For the Private (Secret) Key, enter:

    gpg -ao secret-key-domain.com --export-secret-keys 2A72DARB

          where 2A72DARB is your gpg key ID.

          and then store the "public-key-domain.com" and "secret-key-domain.com" files that
you created somewhere safe, like a CD-ROM in a safe deposit box, etc.


References:

•  http://www.problogdesign.com/how-to/automatic-amazon-s3-backups-on-ubuntu-debian/
• http://www.rsync.net/resources/howto/duplicity.html