Tuesday, August 23, 2016

Scaling up the number of TCP/IP connections in Linux

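#as client
# Widen the ephemeral port range so one client host can open more outbound
# connections, and release FIN_WAIT2 sockets sooner.  `sysctl` settings are
# lost at reboot: copy the key=value pairs into /etc/sysctl.d/ to persist
# them.  Everything below needs root.
sysctl -w net.ipv4.ip_local_port_range="20000 65535"
sysctl -w net.ipv4.tcp_fin_timeout=30

#as server
# Larger interface transmit queue.  `ifconfig` is deprecated (net-tools);
# this is the iproute2 equivalent.
ip link set dev eth0 txqueuelen 10000
# Accept-queue and backlog sizes.  The kernel caps the backlog a server
# passes to listen(2) at somaxconn, so the application must ask for a large
# backlog too or this has no effect.
sysctl -w net.core.somaxconn=10240
sysctl -w net.core.netdev_max_backlog=10000
sysctl -w net.ipv4.tcp_max_syn_backlog=2560
# fs.nr_open is the ceiling for any per-process open-file limit, so it must
# be raised before `ulimit -n`.  `ulimit -n` applies only to this shell and
# its children; daemons need LimitNOFILE= (systemd) or
# /etc/security/limits.conf instead.
echo 3000000 > /proc/sys/fs/nr_open
ulimit -n 2000000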

Sunday, August 14, 2016

Allow 65536 threads with 65536 TCP ports listening



Thread-65532 tcp_port= 65531
Thread-65533 tcp_port= 65532
Thread-65534 tcp_port= 65533
Thread-65535 tcp_port= 65534
Thread-65536 tcp_port= 65535
active threads 62547
join

Saturday, August 13, 2016

fix gitlab with letsencrypt certificate

Cannot register the Go runner because of "x509: certificate signed by unknown authority". If you are using a Let's Encrypt certificate the bug is triggered by curl: running curl https://gitlab.example.com:9999/ci/api/v1/runners/register.json fails with "curl: (60) SSL certificate problem: unable to get local issuer certificate". To fix this, add the Let's Encrypt root certificates to the system trust store:
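#!/usr/bin/env bash
# Install the Let's Encrypt root and intermediate certificates into the
# system trust store so tools that use it (curl, gitlab-ci-multi-runner)
# accept the GitLab certificate, then register the runner.
#
# NOTE(review): "unable to get local issuer certificate" usually means the
# server presents only the leaf certificate.  Serving the full chain
# (fullchain.pem) on the GitLab side fixes it without adding intermediate
# CAs as trust anchors on every client.
set -euo pipefail

readonly cert_dir=/usr/local/share/ca-certificates

#######################################
# Download one certificate into the trust-store directory.
# -f makes curl fail on an HTTP error instead of saving the error page as
# a .crt; TLS verification of letsencrypt.org stays on (curl's default).
# Arguments: $1 - URL, $2 - destination file name
#######################################
fetch_cert() {
  local url=$1
  local name=$2
  sudo curl -fsSL -o "$cert_dir/$name" -- "$url"
}

fetch_cert https://letsencrypt.org/certs/isrgrootx1.pem.txt isrgrootx1.crt
fetch_cert https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt letsencryptauthorityx1.crt
fetch_cert https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt letsencryptauthorityx2.crt
fetch_cert https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt letsencryptx1.crt
fetch_cert https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt letsencryptx2.crt
fetch_cert https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt letsencryptx3.crt
fetch_cert https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt letsencryptx4.crt

# Rebuild /etc/ssl/certs from the .crt files above (interactive on Debian;
# `sudo update-ca-certificates` is the non-interactive equivalent).
sudo dpkg-reconfigure ca-certificates
# Interactive: prompts for coordinator URL, token, description, tags,
# executor and default image (transcript below).
gitlab-ci-multi-runner register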
Running in system-mode.

Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/ci):
https://gitlab.example.com:9999/ci
Please enter the gitlab-ci token for this runner:
5454353453453453534
Please enter the gitlab-ci description for this runner:
[example2]:
Please enter the gitlab-ci tags for this runner (comma separated):
shared
Registering runner... succeeded                     runner=43242342
Please enter the executor: parallels, shell, ssh, virtualbox, docker+machine, docker-ssh+machine, docker, docker-ssh:
docker
Please enter the default Docker image (eg. ruby:2.1):
ubuntu:16.04
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

Wednesday, August 10, 2016

RabbitMQ server configuration

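#!/usr/bin/env bash
# RabbitMQ 3.6.5 setup: enable plugins, add the community web-mqtt plugin,
# restart the broker, then set the broker passwords and an admin user.
set -euo pipefail

# enable plugins and restart
# (rabbitmq_top and rabbitmq_tracing add load on a busy broker; enable only
# what is actually needed.)
rabbitmq-plugins enable rabbitmq_management
rabbitmq-plugins enable rabbitmq_mqtt
rabbitmq-plugins enable rabbitmq_web_stomp
rabbitmq-plugins enable rabbitmq_shovel
rabbitmq-plugins enable rabbitmq_management_visualiser
rabbitmq-plugins enable rabbitmq_recent_history_exchange
rabbitmq-plugins enable rabbitmq_top
rabbitmq-plugins enable rabbitmq_tracing

# install and enable mqtt over websockets
# The plugin directory is version-specific; abort if it is not there rather
# than downloading into the current directory.
readonly plugin_dir=/usr/lib/rabbitmq/lib/rabbitmq_server-3.6.5/plugins
cd -- "$plugin_dir" || { printf 'missing %s\n' "$plugin_dir" >&2; exit 1; }
# NOTE(review): this archive is code the broker will load and it is fetched
# over plain HTTP.  Prefer the TLS URL where available and compare the file
# with the checksum published for the release before enabling it.
wget http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_web_mqtt-3.6.x-3b6a09bb.ez
rabbitmq-plugins enable rabbitmq_web_mqtt

/etc/init.d/rabbitmq-server restart

# change default password
# Passwords given as arguments show up in `ps` and in shell history; take
# them from the environment instead of editing the literal below.  The
# defaults only keep the original placeholder and must be overridden.
# The built-in guest account is loopback-only by default; if nothing needs
# it, `rabbitmqctl delete_user guest` is safer than re-passwording it.
guest_pass=${RABBITMQ_GUEST_PASSWORD:-s0m3p4ssw0rd}
admin_pass=${RABBITMQ_ADMIN_PASSWORD:-s0m3p4ssw0rd}
rabbitmqctl change_password guest "$guest_pass"

# configure new user
# Full configure/write/read permissions on the default vhost "/".
rabbitmqctl add_user newadmin "$admin_pass"
rabbitmqctl set_user_tags newadmin administrator
rabbitmqctl set_permissions -p / newadmin ".*" ".*" ".*"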


Generate SSL/TLS chain



Edit /etc/rabbitmq/rabbitmq.config
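%% /etc/rabbitmq/rabbitmq.config (classic Erlang-term format).
%% Each application entry is {App, [ {Key, Value}, ... ]}.  The opening
%% bracket after `rabbit,` and `rabbitmq_mqtt,` was missing, and the comma
%% after the last entry is not valid Erlang; both are fixed below.
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile,           "/opt/rabbitmq-ssl/testca/cacert.pem"},
     {certfile,             "/opt/rabbitmq-ssl/server/cert.pem"},
     {keyfile,              "/opt/rabbitmq-ssl/server/key.pem"},
     %% verify_peer asks the client for a certificate, but with
     %% fail_if_no_peer_cert = false a client that sends none is still
     %% accepted.  Set it to true to require client certificates.
     {verify,               verify_peer},
     {fail_if_no_peer_cert, false}]}
  ]},
 {rabbitmq_mqtt, [
   %% allow_anonymous = true lets MQTT clients that send no credentials
   %% connect as default_user (guest).  Suitable for a private test box
   %% only; disable it and drop the guest defaults before exposing 1883/8883.
   {default_user, <<"guest">>},
   {default_pass, <<"guest">>},
   {allow_anonymous, true},
   {tcp_listeners, [1883]},
   {ssl_listeners, [8883]}
  ]}
].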
Restart the server
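/etc/init.d/rabbitmq-server restart

#Test TLS
# Verify the server chain against the test CA rather than forcing TLS 1.0
# (`-tls1`), which only shows that a deprecated protocol version is still
# accepted.  "Verify return code: 0 (ok)" in the output means the server
# certificate chains to cacert.pem.
openssl s_client -connect 127.0.0.1:5671 -CAfile /opt/rabbitmq-ssl/testca/cacert.pem

# Test MQTT (plain, port 1883; no credentials are sent, so this depends on
# allow_anonymous in rabbitmq.config).  mosquitto_sub blocks: run it in a
# second terminal, then publish.
mosquitto_sub -h localhost -v -t '#'
mosquitto_pub -h localhost -t 'test' -m 'msg'

# Test MQTT with TLS
# Same client key/cert/CA for both commands; an array keeps the paths in one
# place and survives spaces in paths.
tls_args=(
  --key /opt/rabbitmq-ssl/client/key.pem
  --cert /opt/rabbitmq-ssl/client/cert.pem
  --cafile /opt/rabbitmq-ssl/testca/cacert.pem
)
mosquitto_sub -h localhost -p 8883 -v -t '#' "${tls_args[@]}"
mosquitto_pub -h localhost -p 8883 -t 'test' -m 'msg' "${tls_args[@]}"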