Thursday, May 11, 2017

exsi patch

patch exsi package  -> https://esxi-patches.v-front.de/ESXi-6.0.0.html


[root@bs-lab02:~] esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.
0.0-20160804001-standard
Update Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMware_bootbank_esx-base_6.0.0-2.43.4192238, VMware_bootbank_esx-ui_1.4.0-3959074, VMware_bootbank_misc-drivers_6.0.0-2.43.4192238, VMware_bootbank_net-vmxnet3_1.1.3.0-3vmw.600.2.43.4192238, VMware_bootbank_vsan_6.0.0-2.43.4097166, VMware_bootbank_vsanhealth_6.0.0-3000000.3.0.2.43.4064824, VMware_locker_tools-light_6.0.0-2.43.4192238
   VIBs Removed: VMware_bootbank_esx-base_6.0.0-2.34.3620759, VMware_bootbank_esx-ui_1.0.0-3617585, VMware_bootbank_misc-drivers_6.0.0-2.34.3620759, VMware_bootbank_net-vmxnet3_1.1.3.0-3vmw.600.2.34.3620759, VMware_bootbank_vsan_6.0.0-2.34.3563498, VMware_bootbank_vsanhealth_6.0.0-3000000.3.0.2.34.3544323
   VIBs Skipped: VMWARE_bootbank_mtip32xx-native_3.8.5-1vmw.600.0.0.2494585, VMware_bootbank_ata-pata-amd_0.3.10-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-atiixp_0.4.6-4vmw.600.0.0.2494585,

mount CD and use as repo

# mount -o loop /dev/sr0  /mnt

# cp /mnt/media.repo /etc/yum.repos.d/rhel7dvd.repo
# chmod 644 /etc/yum.repos.d/rhel7dvd.repo

sed notes

sed -ie 's/word1/word2/g' /testing

find word1 and replace it to word2 inside /testing file
-i option is used to edit in place on the file testing.
-e option indicates the expression/command to run, in this case s/.

Notes:
the / can be replace with anything as long no conflict with inside word
example

sed -ie 's:word1:word2:g' /testing

HaProxy

Environment: Centos 7
Haproxy version: 1.5.18
Installation
you can install by using this command
# yum install haproxy

Configure
the configuration file is located at /etc/haproxy/haproxy.cfg
open and edit the file
you need to define frontend and backend

frontend LB
  bind 0.0.0.0:80                       # bind to all network IP:port
  reqadd X-Forwarded-Proto:\ http
  default_backend LB                             # point to backend name LB

backend LB
  mode http
  balance roundrobin                               # Load balancing will work in round-robin process.
  option httpchk
  option  httpclose
  option forwardfor
  cookie SERVERID insert                  # Let the load-balancer set up a cookie for the session.          
  server svrv-trep-app01 172.20.101.115:80 cookie app01 check        # server 1
  server svrv-trep-app02 172.20.101.116:80 cookie app02 check       # server 2
  server backup-server 172.20.101.124:80 check backup              # if all server fail, traffic will go to this backup server



cookie app0x = this is so when client come back, it know which server to go back to.
but if it was new client, then it will set SERVERID=app01 into the header

if using application for session persistence
then replace SERVERID with JSESSIONID

the "check" is use to check if the server is alive or not

Enable Stats
edit 

  stats enable                                            # enable statistic pages
  stats hide-version                                
  stats uri /stats                                         # statistic pages at /stats
  stats realm Haproxy\ Statistics            
  stats auth username:password               # Credentials for HAProxy Statistic report page.

Enable log
1. edit rsyslog file
# vim /etc/rsyslog.conf
find and enable this

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

This will make the server listen to port 514 to collect log

2. since inside haproxy.conf, it already define this
log         127.0.0.1 local2

then we create a new file call haproxy.conf under /etc/rsyslog.d/
# vim /etc/rsyslog.d/haproxy.conf

and put this
local2.*     /var/log/haproxy.log

3. Then restart the rsyslog service
# systemctl restart rsyslog

Enable SSL

1. edit the haproxy.conf and add the httpd frontend

frontend LBS
  bind 0.0.0.0:443 ssl crt /etc/haproxy/test.pem      # listen to port 443, ssl crt is at /etc/haproxy/test.pem
  reqadd X-Forwarded-Proto:\ https
  default_backend LB                                              # go to backend name LB


so the connection will be like this
Public -- use https secure connection --> Haproxy -- use http --> backend server

2. if you want to enforce ssl, then add this to the backend

redirect scheme https if !{ ssl_fc }


so the final configuration will look something like this


frontend LB
  bind 0.0.0.0:80        
  reqadd X-Forwarded-Proto:\ http          
  default_backend LB                          

frontend LBS
  bind 172.20.101.128:443 ssl crt /etc/haproxy/test.pem
  reqadd X-Forwarded-Proto:\ https
  default_backend LB

backend LB
  mode http
  redirect scheme https if !{ ssl_fc }
  stats enable                                        
  stats hide-version                                
  stats uri /stats                                      
  stats realm Haproxy\ Statistics          
  stats auth username:password             
  balance roundrobin                            
  option httpchk
  option  httpclose
  option forwardfor
  cookie SERVERID insert                      
  server svrv-trep-app01 172.20.101.115:80 cookie app01 check      
  server svrv-trep-app02 172.20.101.116:80 cookie app02 check    
  server backup-server 172.20.101.124:80 check backup 


Microsite or redirrect certain sub path to other server

1. define the incoming domain name
        acl in_domain          hdr_dom(host) -i        www.testing.com

2. define backend server
backend testing_backend
        balance roundrobin
        option httpchk GET / HTTP/1.0
        server test-server 172.20.1.60:80 maxconn 200 check inter 5s
        server maintenance 203.208.240.126:80  backup
        timeout server 60s

3. define backend, if want to redirrect www.testing.com/camera to different server

        acl camera_r         path -i            /camera
        redirect location    /camera/           if testing_domain camera_r
        acl camera           path_beg -i        /camera/
        use_backend          testing_backend         if in_domain camera

== explain ==
1st line, is to define camera_r = /camera
2nd line, if fall on in_domain camera_r (mean www.testing.com/camera) then redirrect to www.testing.com/camera/
3rd line, is to define camera = /camera/
4th line, if fall on in_domain camera (www.testing.com/camera/) then redirrect to server testing_backend