Thursday, January 7, 2010

How to do the same on CentOS

This is related to this change. I have done the same on CentOS 5.4 and there are a few differences but essentially the modifications are the same.

The root.war file is in the same location and the change to be done is the same as in Ubuntu (remove the confidentiality requirement). The funny thing is that there is another file with the same content as the modified web.xml in etc/eucalyptus/cloud.d/gwt-web.xml, but it doesn't seem to have any effect (modifying root.war is enough).

The Jetty connector change is a bit trickier, though. In this setup (I installed from RPMs) the Jetty configuration file (eucalyptus-jetty.xml) is not among the configuration files in /etc/eucalyptus but inside one of the Eucalyptus JAR files:

/usr/share/eucalyptus/eucalyptus-www-1.6.1.jar

This file must be uncompressed, the eucalyptus-jetty.xml modified as in Ubuntu (replacing the HTTPS connector with an HTTP connector) and compressed back.
I don't especially like this setup since it makes it more difficult to fine tune Jetty not only for this HTTPS/HTTP change but also for some other connector parameters that you might want to modify in order to do some fine tuning.

Wednesday, January 6, 2010

How to disable SSL in the Eucalyptus web interface in Ubuntu

I recently installed Eucalyptus on Ubuntu 9.04 to do some tests, and the first thing I tried was to disable SSL in the admin interface.

Why would I want to disable SSL and use plain HTTP, you might wonder. The reason is quite simple: from the beginning I found it a bit strange that a system such as the Eucalyptus Cloud Controller, the "heart" of Eucalyptus, was intended to run exposed to the Internet.
Coming from a traditional three-tier architecture mindset my first thought was that such a system, handling user credentials, business logic and many other "sensitive" topics would best fit into a backend - secure backend kind of setup.
As it is today the system looks quite tightly coupled, therefore a "secure backend" with a database, LDAP or similar seems not so easy to achieve without a deeper knowledge, but I thought that a frontend - backend approach should be easy to apply.
In any case the modularity introduced with release 1.6.1 allowing a separate installation for each component and some comments in the Eucalyptus forums make me think something might happen in that area in the future.

Therefore I went for a frontend - backend approach, where the plan was to set up a frontend layer using Apache performing the SSL offload (with my own certificates) and acting as a reverse proxy towards the Eucalyptus setup in the backend.
I set up a standard reverse proxy configuration in Apache, taking care of the SSL listening on the standard 443 port, and the only thing left was to remove the SSL layer from Eucalyptus and have it listen for plain HTTP on its standard web GUI port 8443.

In order to do that I just edited a couple of files from the standard Eucalyptus installation:

1.- /etc/eucalyptus/cloud.d/eucalyptus-jetty.xml

In this file I removed the Jetty SSL connector and replaced it with an HTTP connector:

Removed:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
      <Set name="Port">
        <SystemProperty name="euca.www.port" default="8443"/>
      </Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystoreType">pkcs12</Set>
      <Set name="truststoreType">pkcs12</Set>
      <Set name="keystore"><SystemProperty name="euca.var.dir" default="conf"/>/keys/euca.p12</Set>
      <Set name="truststore"><SystemProperty name="euca.var.dir" default="conf"/>/keys/euca.p12</Set>
      <Set name="password">eucalyptus</Set>
      <Set name="keyPassword">eucalyptus</Set>
      <Set name="trustPassword">eucalyptus</Set>
      <Set name="ThreadPool">
        <New class="org.mortbay.thread.QueuedThreadPool">
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">25</Set>
          <Set name="lowThreads">5</Set>
          <Set name="SpawnOrShrinkAt">2</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>

Replaced with:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <Set name="Port">
        <SystemProperty name="euca.www.port" default="8443"/>
      </Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="ThreadPool">
        <New class="org.mortbay.thread.QueuedThreadPool">
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">25</Set>
          <Set name="lowThreads">5</Set>
          <Set name="SpawnOrShrinkAt">2</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>

2.- /var/lib/eucalyptus/webapps/root.war

I uncompressed this WAR file and extracted the /META-INF/web.xml file, which I then edited to comment out the following section:

<!--
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->

Then I compressed back the WAR containing the updated web.xml and put it back where it belongs.

After those two changes I restarted the cloud controller and voilà! Eucalyptus is now serving the web admin interface over HTTP and the SSL offload is performed in a frontend Apache.
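
The unpack, edit and repack step used for root.war here (and for the eucalyptus-www JAR on CentOS) can be scripted so that a rollback copy is kept and the result can be checked afterwards. This is an added example, not code from the original post or from Eucalyptus; the function names are hypothetical, and the entry is located by file name only, relying on a WAR or JAR being a plain zip archive.

```python
import os
import re
import shutil
import tempfile
import zipfile

# An XML comment, or a <user-data-constraint> block outside any comment.
TOKEN = re.compile(
    rb"<!--.*?-->|<user-data-constraint>.*?</user-data-constraint>", re.S)


def requires_tls(xml):
    """True if an uncommented constraint still demands CONFIDENTIAL."""
    return any(not m.group(0).startswith(b"<!--") and b"CONFIDENTIAL" in m.group(0)
               for m in TOKEN.finditer(xml))


def comment_out_constraint(xml):
    """The web.xml edit from step 2; a second run changes nothing."""
    def fix(m):
        text = m.group(0)
        if text.startswith(b"<!--") or b"CONFIDENTIAL" not in text:
            return text
        return b"<!-- " + text + b" -->"
    return TOKEN.sub(fix, xml)


def rewrite_entry(archive, basename, transform):
    """Apply transform(bytes) -> bytes to the one entry named basename in a
    JAR/WAR, keep an untouched .orig copy, return the entry's full name."""
    with zipfile.ZipFile(archive) as src:
        hits = [i for i in src.infolist()
                if i.filename.rsplit("/", 1)[-1] == basename]
        if len(hits) != 1:
            raise ValueError(f"expected exactly one {basename}, found {len(hits)}")
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(archive)))
        try:
            with os.fdopen(fd, "wb") as out, zipfile.ZipFile(out, "w") as dst:
                for info in src.infolist():
                    data = src.read(info)
                    dst.writestr(info, transform(data) if info is hits[0] else data)
        except BaseException:
            os.unlink(tmp)  # never leave a half-written archive behind
            raise
    if not os.path.exists(archive + ".orig"):
        shutil.copy2(archive, archive + ".orig")  # rollback copy of the original
    shutil.copymode(archive, tmp)
    os.replace(tmp, archive)  # atomic swap, same directory
    return hits[0].filename
```

Calling `rewrite_entry("/var/lib/eucalyptus/webapps/root.war", "web.xml", comment_out_constraint)` performs step 2; for the CentOS JAR, pass `"eucalyptus-jetty.xml"` and a transform that returns the hand-edited file. With the constraint gone, port 8443 carries logins in cleartext, so it should be reachable only from the Apache frontend.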

Then I configured Eucalyptus (first time admin login) with the frontend DNS name as "cloud IP". Although the text in the form only talks about your cloud controller's IP I wrote the DNS name and didn't have any problem, so I guess it works just fine.

Since the credentials seem to have some dependency on this last parameter I find a DNS name much more convenient than the IP itself.

Anyway, I've just started testing it and although the web part works I might run into issues later on, time will tell.

Tuesday, January 5, 2010

AdSense

I just found out that AdSense registration might be trickier than expected: when trying to log in to the account I created earlier today I get the following message:

"Account Not Active
An AdSense account does not exist for this login, as your application is currently in review. Within a week of your application date, we'll review your application and follow-up with you via email. Once you are approved to join AdSense, you'll be able to log in to your account and get started."

I guess I'll have to wait and see.

Update (11:55 PM): I've just received an email saying that my AdSense account has been approved and it is already active. That was fast!

Analytics

Keeping up the experimentation rush, I've just added Google Analytics tracking to the blog; let's see what happens.
It seems that I need to wait 24 hours to be able to get some results, so more to come...

Ads in the blog

I have added some Google AdSense and Amazon ads to the blog. I know it looks awful but it's just a test, that's not the final look & feel.
I've been wondering for a while how this online advertising thing works, how complex it is to set up an account, how you track the activity, what kind of money is involved, etc.
Setting up the accounts has been pretty easy, especially for AdSense (since I'm already using a Google service), where my account is said to be pending approval. For Amazon it is also integrated into Blogger, except for the initial registration page, but everything was smooth.
In both cases there are many options such as ad content, size, etc., so it might take a while until I figure out what fits best, if I ever get there.
So far the experience has just started, so I can't tell yet but I'll try to keep posting about it.

Happy New Year!

New year new blog.