Prerequisite(s): Creating your own self-signed certificate requires the binary kit or an alternate system with a working openssl.
The "\" means the command continues on the next line; the whole thing is one command that creates the self-signed certificate. Feel free to experiment and substitute your own arguments for:
days = set to 365 x 10 = 3650 or ~10 yrs
CN = $HOSTNAME = replace with your own storage hostname
O = Gibraltar Engineering
OU = EON Secure Certificate

    openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout cert.key -out cert.pem \
      -subj "/C=US/ST=NY/CN=$HOSTNAME/O=Gibraltar Engineering/OU=EON Secure Certificate"

This will produce 2 files, cert.key and cert.pem. For Apache2 they are configured and the proper permissions set as follows:

    cp cert.pem /etc/apache2/2.2/server.crt
    cp cert.key /etc/apache2/2.2/server.key
    chmod 400 /etc/apache2/2.2/server.crt
    chmod 400 /etc/apache2/2.2/server.key

For lighttpd the pem and key file are concatenated to create a single file:

    cp cert.pem /your_pool/lighttpd/etc
    cat cert.key >> /your_pool/lighttpd/etc/cert.pem
    chmod 400 /your_pool/lighttpd/etc/cert.pem

For nginx:

    cp cert.pem /your_pool/nginx/conf
    cp cert.key /your_pool/nginx/conf
    chmod 400 /your_pool/nginx/conf/cert.pem
    chmod 400 /your_pool/nginx/conf/cert.key

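
An added example, not part of the original post: a POSIX shell script that checks the result of the copy steps above (key file is mode 400, the expected PEM blocks are present, and the private key actually belongs to the certificate). The function names and the script name are made up for this example; it assumes an RSA key, as generated above, and a working openssl.

```shell
#!/bin/sh
# Added example: post-install checks for the cert/key files created above.

# True if FILE is a regular file whose permission bits are exactly 0400.
mode_is_400() {
    [ -n "$(find "$1" -prune -type f -perm 400 2>/dev/null)" ]
}

# Print how many PEM blocks of kind $1 ("CERTIFICATE" or "PRIVATE KEY") are
# in file $2. Matches both "RSA PRIVATE KEY" and plain "PRIVATE KEY" headers.
pem_count() {
    grep -c -- "-----BEGIN .*$1-----" "$2" 2>/dev/null
}

# True if certificate $1 and RSA key $2 have the same modulus, i.e. the key
# belongs to the certificate. Either argument may be a combined PEM file.
pair_matches() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks on one deployment; returns non-zero if any check fails.
check_tls_files() {
    cert=$1 key=$2 rc=0
    mode_is_400 "$key" || { echo "FAIL: $key is not mode 400"; rc=1; }
    [ "$(pem_count 'PRIVATE KEY' "$key")" = 1 ] ||
        { echo "FAIL: $key does not hold exactly one private key"; rc=1; }
    [ "$(pem_count CERTIFICATE "$cert")" = 1 ] ||
        { echo "FAIL: $cert does not hold exactly one certificate"; rc=1; }
    pair_matches "$cert" "$key" ||
        { echo "FAIL: private key does not match $cert"; rc=1; }
    return $rc
}

# Usage: sh check.sh CERT [KEY]   (for the lighttpd bundle pass one file)
[ $# -eq 0 ] || check_tls_files "$1" "${2:-$1}"
```

For lighttpd, pass the combined cert.pem as the only argument; for Apache2 and nginx, pass the certificate first and the key second.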
8 comments:
I haven't tested the examples but I think I see an issue or two -
In the lighttpd example I think the second line (if the files are to be concatenated) should end in "cert.pem", not "cert.pm". In the nginx cp example I think the second line should end with a "/".
Hi Bob,
Thanks for the cert.pm catch. It's been corrected. The cp example can end with or without the "/", I removed them for consistency.
Thanks
I've used EON for two months. Thanks for your excellent work! One question: how can I add PHP/Python to EON?
Zhangyibin,
Couple of ways:
1. Add the packages and dependencies to the bin-pkg.list and build your own binary kit. The script can be found in the downloads section. Requires SXCE packages and root access on a SXCE system.
2. Compile them with prefix /usr/local and copy the binaries over. Requires an OpenSolaris system with a working gcc compiler.
Hi Andre,
A small problem in "updimg.sh": after "gzip -f -9 -c ...", you run "gzip -v -t ..." to verify the new gzipped image, but actually it verifies the image in pagecache so it's no use doing this. Am I right?
zhangyibin,
It verifies the integrity of the updated gzip'ed image. The image location being USB/CF/writable media, not pagecache. It's an extra step but it does serve a purpose.
I mean UFS uses memory to cache data, so when gzip verifies the image in whatever media, it's the cached data in memory that it verifies, not the data on media.
Sorry for my poor English :)
zhangyibin,
I am not clear if you're saying UFS or gzip is responsible for caching the data. gzip has been known to cache but I do not understand your concern.
If the gzip data was in cache it would eventually get flushed to media (assuming a crash does not occur before) and the integrity test will have done its job to indicate success or failure.
You can also turn on the forcedirectio mount option on UFS to eliminate caching.
The gzip integrity test can also be disabled by editing updimg.sh.