Friday, August 17, 2012

Running PowerShell code from a web page

As PowerShell gets used more and more in the IT industry, it's not unusual to grow a library of scripts and commands, and to schedule some of those scripts to run unattended. Over time I have developed a method of organizing my library so I can find my scripts as needed, with some rudimentary version control.
The growing library becomes an issue when multiple people in your organization are using PowerShell as well. Each person builds a library, each person handles versioning independently, and each person may schedule scripts to run automatically. Suddenly there is a lot of tribal knowledge (i.e. "I don't know how to do that, go talk to X").
I had always felt that a centralized web portal that let me see my organization's scripting library would be ideal. Additionally, it would be awesome if I could simply click a button on a form and make a PowerShell script execute.

  • Need a VM? Fill out this online form and click create.
  • Reboot a host? Select the system to reboot and click go.
  • Restart services? Select the system and service and click Restart.

The first major hurdle is getting PowerShell to run from a web page. It turns out this has been possible for some time; see http://devinfra-us.blogspot.com/2011/02/using-powershell-20-from-aspnet-part-1.html. The example references System.Management.Automation (the PowerShell engine assembly) from the ASP.NET application and creates a PowerShell object. Once created, use PowerShell.AddScript() (or PowerShell.Commands.AddScript()) to load the PS code, and PowerShell.Invoke() to execute it. Two things to keep in mind before putting a button in front of this: the script runs under the identity of the web application's worker process, so that account needs (and holds) every right the scripts use; and anything taken from the form and concatenated into the text handed to AddScript() is executed as PowerShell, so form values must be passed as parameters (AddCommand()/AddParameter()) to a fixed, reviewed script rather than spliced into script text.

What next? Add security (authentication, an allow-list of scripts, an audit log of who ran what), tie it into a database to act as the library, maybe add some scheduling...
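As an added example (not code from the original post or from the linked article), here is the same hosting pattern with the controls a web front end needs: a runspace that exposes a single allow-listed function, NoLanguage mode so posted text can never run as script, and form values passed as parameters rather than concatenated into AddScript(). It assumes PowerShell 3.0 or later; the function name Restart-LabService, the host list and the service-name pattern are placeholders for an organization's own library.

```powershell
# Added example, not code from the original post. Same hosting pieces as the
# ASP.NET approach (System.Management.Automation, a PowerShell object, Invoke),
# plus: a runspace exposing one allow-listed function, NoLanguage mode so posted
# text is never run as script, and form values passed as parameters instead of
# concatenated into AddScript(). Assumes PowerShell 3.0 or later.
# Restart-LabService, the host list and the pattern are placeholders.

# 1. Start from the default commands, then hide every one of them from the host API.
#    Private entries remain callable by functions defined inside the runspace.
$iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
foreach ($entry in $iss.Commands) {
    $entry.Visibility = [System.Management.Automation.SessionStateEntryVisibility]::Private
}

# 2. Expose exactly one function. Its parameters validate the only two things a
#    form may choose, so the page cannot name an arbitrary host or smuggle
#    operators, quotes or semicolons into the command.
$restartDefinition = @'
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('web01', 'web02', 'app01')]          # placeholder inventory
    [string]$ComputerName,

    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9_.-]{1,64}$')]      # service names only
    [string]$ServiceName
)
# Get-Service/Restart-Service are Private: usable here, not from the host API.
$svc = Get-Service -ComputerName $ComputerName -Name $ServiceName -ErrorAction Stop
Restart-Service -InputObject $svc -ErrorAction Stop
"$ServiceName restarted on $ComputerName"
'@
$iss.Commands.Add(
    (New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry `
        -ArgumentList 'Restart-LabService', $restartDefinition))

# 3. NoLanguage: commands may be invoked through the API, script text may not run.
$iss.LanguageMode = [System.Management.Automation.PSLanguageMode]::NoLanguage

function New-RestrictedPowerShell {
    # One fresh runspace per request; the caller disposes $ps.Runspace when done.
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($iss)
    $rs.Open()
    $ps = [System.Management.Automation.PowerShell]::Create()
    $ps.Runspace = $rs
    return $ps
}

function Invoke-RestartButton {
    # What the "Restart" button handler should do: parameters, never script text.
    param([string]$ComputerName, [string]$ServiceName)
    $ps = New-RestrictedPowerShell
    try {
        $null = $ps.AddCommand('Restart-LabService')
        $null = $ps.AddParameter('ComputerName', $ComputerName)
        $null = $ps.AddParameter('ServiceName', $ServiceName)
        $output = $ps.Invoke()
        if ($ps.HadErrors) { throw ($ps.Streams.Error | Out-String) }
        return $output
    } finally {
        $ps.Runspace.Dispose()
    }
}

function Invoke-PostedScript {
    # What concatenating form input into AddScript() amounts to. In this runspace
    # the text is refused rather than executed, whichever way the error surfaces.
    param([string]$PostedText)
    $ps = New-RestrictedPowerShell
    try {
        $null = $ps.AddScript($PostedText)
        try {
            $null = $ps.Invoke()
            if ($ps.HadErrors) { return "refused: $($ps.Streams.Error[0])" }
            return 'ran'
        } catch {
            return "refused: $($_.Exception.Message)"
        }
    } finally {
        $ps.Runspace.Dispose()
    }
}

Invoke-RestartButton -ComputerName 'web01' -ServiceName 'W3SVC'
Invoke-PostedScript 'Restart-Service W3SVC; Remove-Item C:\inetpub -Recurse'
```

In an ASP.NET host the same InitialSessionState is built once at application start and a runspace is created per request; the worker process identity still needs the rights the allow-listed function uses, so keep that account scoped to those rights and log every invocation with the authenticated web user.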

Tuesday, August 14, 2012

Another Vyatta config guide

I find myself using the Vyatta virtual router (http://www.vyatta.org) almost every time I need a router. It hasn't yet replaced my core enterprise routers, but it fits in nicely for smaller environments. This example is a basic home configuration: the internet-facing interface receives its address via DHCP, the internal interface is static at 10.0.0.1/24 and provides DHCP, DNS and proxy services. Additionally, an internal web server is published via HTTPS.
NOTE: I am using Vyatta version 6.4, which changed some of the configuration commands. Confirm the version you are running to ensure the commands are appropriate.


1. Deploy the router

Deploying the router is probably the easiest step to perform, especially if you are running VMware. If you're running VMware, simply go to http://www.vyatta.com/downloads/vmware_ovf.php to get the link for the latest OVF available. Import this into VMware and you're good to go.

If you're running some other virtualization stack (Hyper-V, Xen, etc.), you will need to install from ISO. The latest stable version can be found at http://packages.vyatta.com/vyatta/iso/stable/; just download the LiveCD, create a VM with 512MB RAM, 4GB disk and 2 NICs, and boot from the ISO. NOTE: Be careful which type of NIC you choose, as not all adapters are supported by Vyatta. For Hyper-V, you have to use the Legacy Network Adapter; the default adapter type will not work.
Once booted, log into the console with the username/password vyatta/vyatta. At the prompt type install system, accept the default options, allow the install to overwrite the disk, and set the password (this replaces the well-known default; do not leave vyatta/vyatta on a router with an internet-facing interface). When installed, type poweroff and remove the ISO. Power back up and you're up and running.

NOTE: I find it a good step to write down the MAC addresses of the interfaces so I can easily determine which is internal and which is external.

2. Configure the interfaces

Log into the console as the vyatta user and enter configuration mode by typing configure.

Identify the interfaces
The first step is to determine which interface is which. We know that one interface will be on the open internet and the other on the trusted network, and we obviously don't want to get these backwards.
While in configuration mode, type show interfaces and you will see something similar to the output below.
vyatta@vyatta# show interfaces
 ethernet eth0 {
     hw-id 00:15:5d:14:ed:2e
 }
 ethernet eth1 {
     hw-id 00:15:5d:14:ed:2f
 }
 loopback lo {
 }

The router sees the interfaces as eth0 and eth1 and shows the associated MAC addresses (hw-id). By comparing these with the MAC addresses noted when the VM was built, I can determine which interface is which, and even move them based on need. In my case, eth0 is the external interface.

Configure DHCP
Since our external interface will be receiving its IP address from our ISP, we configure it to use DHCP. To configure eth0 for DHCP, simply type set interfaces ethernet eth0 address dhcp

Configure Static Address
Our internal network is owned/managed by us, so we can choose to use a private addressing scheme for our systems. To configure eth1 for a static address, simply type set interfaces ethernet eth1 address 10.0.0.1/24

Commit the Changes
Whenever you make a change to the Vyatta configuration, it doesn't take effect until you commit it. Additionally, the changes aren't persistent (they don't survive a reboot) until you save them.
To commit the changes, type commit
To save the changes, type save

3. Configure the services

System Names
We want to give our router a descriptive name as well as create an internal domain name. In this case I am naming it intRtr for internet router, and giving it a domain of goad.local. This gives me a unique name and domain to identify the router and other systems.
set system host-name intRtr
set system domain-name goad.local

DHCP
Next we configure the DHCP server on the router. This involves creating a pool of addresses for DHCP to use, configuring the default gateway, DNS server and domain name.

set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 start 10.0.0.65 stop 10.0.0.199
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 domain-name goad.local
set service dhcp-server shared-network-name ETH1_POOL authoritative enable 


DNS
Now that clients have DHCP addresses, it is time to configure the DNS server. In this case we are creating a caching DNS forwarder that receives requests, forwards them to the external DNS servers (dhcp eth0 means the servers the ISP hands out with the lease on eth0), and caches the answers for future reference. This speeds up recurring requests and keeps the DNS configuration in one place for easy management. The listen-on eth1 line matters: the forwarder only answers on the internal interface, so it is not an open resolver on the internet side.

set service dns forwarding dhcp eth0
set service dns forwarding listen-on eth1


PROXY
Now we set the outbound web proxy, bound to the internal address only so it is not reachable from the internet side.
set service webproxy listen-address 10.0.0.1
set service webproxy listen-address 10.0.0.1 disable-transparent
NOTE: With transparent mode disabled, clients will have to configure their browsers to use 10.0.0.1 port 3128 (the Vyatta webproxy default) as their HTTP proxy in order to utilize it.

4. Configure outbound NAT for all traffic

For anything other than web traffic (or web traffic we don't want to proxy), we enable source Network Address Translation so that internal addresses are masqueraded behind the DHCP-assigned address of eth0.

set nat source rule 10 source address 10.0.0.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade

5. Configure web publishing

Finally, we want to publish the web server so that a connection to port 443 on the external interface is forwarded to 10.0.0.2 internally. Destination NAT rewrites the address before the firewall sees the packet, which is why rule 20 below matches on the internal address 10.0.0.2 rather than the external one. The ruleset is attached with in, which filters traffic entering eth0 to be forwarded; traffic addressed to the router itself is governed by a separate local ruleset and is not covered by this one. Anything not matched by a rule falls to the ruleset's default-action, which is drop unless you set it otherwise; set it explicitly so the intent is visible in the configuration.

set nat destination rule 200 destination port https
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address 10.0.0.2
set nat destination rule 200 translation port https
set nat destination rule 200 protocol tcp
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 20 description "Allow https"
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination address 10.0.0.2
set firewall name FROM-EXTERNAL rule 20 destination port https
set firewall name FROM-EXTERNAL rule 20 protocol tcp


That's it: commit and save and you're golden.
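The FROM-EXTERNAL ruleset above only filters forwarded traffic. As an added example, not part of the original post, here is the explicit default-action plus a second ruleset on the router's local hook, so that only replies and DHCP lease traffic reach the router's own WAN address. The ruleset name FROM-EXTERNAL-LOCAL is my choice, and the DHCP rule assumes the ISP lease is on eth0 as configured in step 2.

```vyatta
# Added example (not from the original post): make the forwarded-traffic
# default explicit, and protect the router itself with a "local" ruleset.
set firewall name FROM-EXTERNAL default-action drop

set firewall name FROM-EXTERNAL-LOCAL default-action drop
set firewall name FROM-EXTERNAL-LOCAL description "Protect the router itself"
set firewall name FROM-EXTERNAL-LOCAL rule 10 description "Replies to connections the router started"
set firewall name FROM-EXTERNAL-LOCAL rule 10 action accept
set firewall name FROM-EXTERNAL-LOCAL rule 10 state established enable
set firewall name FROM-EXTERNAL-LOCAL rule 10 state related enable
set firewall name FROM-EXTERNAL-LOCAL rule 20 description "DHCP lease traffic from the ISP (eth0 is a DHCP client)"
set firewall name FROM-EXTERNAL-LOCAL rule 20 action accept
set firewall name FROM-EXTERNAL-LOCAL rule 20 protocol udp
set firewall name FROM-EXTERNAL-LOCAL rule 20 destination port 68
set firewall name FROM-EXTERNAL-LOCAL rule 30 description "Log anything else aimed at the router"
set firewall name FROM-EXTERNAL-LOCAL rule 30 action drop
set firewall name FROM-EXTERNAL-LOCAL rule 30 log enable

# Attach it to the local hook of the external interface, alongside the "in" ruleset.
set interfaces ethernet eth0 firewall local name FROM-EXTERNAL-LOCAL
commit
save
```

Check the result from an outside host: the published HTTPS port on the external address should still answer, while a scan of the router's address shows nothing open. If you later enable SSH on the router, add a rule to FROM-EXTERNAL-LOCAL that permits it from the internal network only, rather than from eth0.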

Monday, August 13, 2012

Powershell cmdlets for Hyper-V in Windows Server 8

I had the opportunity to do a little lab time today and I was looking forward to working with Windows Server 8. My test lab is essentially a single Hyper-V server, and a client to access the environment. As such, I wanted to see what I could do in order to speed up my testing.

Long ago I learned that Hyper-V can create differencing disks: you create a "gold master" image of an OS, and then create one or more differencing disks based on the master image. This prevents you from having to re-install the OS every time you rebuild your lab, but still required a good deal of clicking to build the VM and VHD appropriately.

Enter PowerShell, the way to automate everything Windows. In Server 8, the built-in cmdlets are significantly better, and there is a list of the available cmdlets at http://technet.microsoft.com/library/hh848559.aspx.

I created a base install of Server 8 and sysprep'd it (c:\windows\system32\sysprep\sysprep.exe). Once the system shut down, I went into the filesystem of the Hyper-V server, created a "Templates" folder and moved the new vhdx into it. Rename the file to Server8_Template.vhdx and we are all set. The template is the parent of every differencing disk built from it, so it must never be booted or modified again once the children exist.

To create a new Server 8 VM I need to perform two steps: 1) create the differencing hard disk (New-VHD with -ParentPath), 2) create the VM using that hard disk. In my case the VHDs are on the E:\ drive of my Hyper-V server HyperTest.
Create the differencing disk:
New-vhd "e:\vm\Virtual Hard Disks\DC1.vhdx" -ParentPath e:\vm\template\Server8_template.vhdx -computername HyperTest

Create the VM:
new-vm -Name DC1 -ComputerName HyperTest -memorystartupbytes 1073741824 -VHDPath "e:\vm\Virtual Hard Disks\DC1.vhdx" -switchname Corpnet


My testing is based off the Server 8 Test Labs (http://social.technet.microsoft.com/wiki/contents/articles/7807.windows-server-2012-beta-test-lab-guides-en-us.aspx) and are going to use multiple Server 8 VMs. To automate multiple builds, I created a function that automates all of the necessary steps.
Function MakeServer8VM($vmName){
    # Differencing disk based on the sysprep'd template; stop here if it fails rather than creating a VM with no disk
    New-VHD "e:\vm\Virtual Hard Disks\$vmName.vhdx" -ParentPath e:\vm\template\Server8_template.vhdx -ComputerName HyperTest -ErrorAction Stop
    # VM with 1 GB of startup memory, attached to the new disk and the Corpnet switch
    New-VM -Name $vmName -ComputerName HyperTest -MemoryStartupBytes 1073741824 -VHDPath "e:\vm\Virtual Hard Disks\$vmName.vhdx" -SwitchName Corpnet -ErrorAction Stop
    Start-VM -Name $vmName -ComputerName HyperTest
}


The process is exactly the same for Windows 8: just create another template and update the function to use the new template name.

The only item I haven't yet configured is enabling Dynamic Memory in the VMs. This allows a VM to claim only the memory it needs and grow/shrink as required. New-VM has no parameter for it, so it requires an additional step in the function (Set-VMMemory on the VM before it is started).
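As an added example, not the post's own function, here is the build wrapped up with the Dynamic Memory step (Set-VMMemory, since New-VM has no parameter for it) and the input checks a shared library function needs once other people and a web form can call it. The host name, paths and switch follow the post; the memory sizes and the VM names in the usage line are placeholders.

```powershell
# Added example, not the original post's function: differencing disk -> VM ->
# Dynamic Memory -> start, with the validation a shared script library needs.
# HyperTest, the paths and the Corpnet switch follow the post; the memory sizes
# and the names in the usage line are placeholders. Requires the Hyper-V module
# on Windows Server 2012 / Windows 8 (New-VHD, New-VM, Set-VMMemory, Start-VM).
function New-LabVM {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Letters, digits and hyphens only, so a name like "..\..\evil" can never
        # be used to write the VHD outside the VHD folder.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$VMName,

        [string]$HyperVHost  = 'HyperTest',
        [string]$Template    = 'e:\vm\template\Server8_template.vhdx',
        [string]$VhdFolder   = 'e:\vm\Virtual Hard Disks',
        [string]$SwitchName  = 'Corpnet',
        [long]$StartupBytes  = 1GB,
        [long]$MinimumBytes  = 512MB,
        [long]$MaximumBytes  = 4GB
    )

    $vhdPath = Join-Path $VhdFolder "$VMName.vhdx"

    # Fail early instead of half-building: the parent must exist and the name must be free.
    $null = Get-VHD -Path $Template -ComputerName $HyperVHost -ErrorAction Stop
    if (Get-VM -Name $VMName -ComputerName $HyperVHost -ErrorAction SilentlyContinue) {
        throw "A VM named $VMName already exists on $HyperVHost"
    }

    if ($PSCmdlet.ShouldProcess("$VMName on $HyperVHost", 'Create lab VM')) {
        # 1. Differencing disk: every lab VM shares the read-only sysprep'd parent.
        $null = New-VHD -Path $vhdPath -ParentPath $Template -Differencing `
                        -ComputerName $HyperVHost -ErrorAction Stop

        # 2. The VM itself, attached to the differencing disk and the lab switch.
        $vm = New-VM -Name $VMName -ComputerName $HyperVHost -MemoryStartupBytes $StartupBytes `
                     -VHDPath $vhdPath -SwitchName $SwitchName -ErrorAction Stop

        # 3. Dynamic Memory is not a New-VM option; set it on the stopped VM before first boot.
        Set-VMMemory -VM $vm -DynamicMemoryEnabled $true -MinimumBytes $MinimumBytes `
                     -StartupBytes $StartupBytes -MaximumBytes $MaximumBytes -ErrorAction Stop

        Start-VM -VM $vm -ErrorAction Stop
        Get-VM -Name $VMName -ComputerName $HyperVHost
    }
}

# Build several test-lab machines in one go; add -WhatIf to see what would be
# created without touching the host.
'DC1', 'APP1', 'CLIENT1' | ForEach-Object { New-LabVM -VMName $_ }
```

Because the function refuses to overwrite an existing VM and validates the name before any path is built, it is safe to expose from a scheduled job or a web form without a caller being able to clobber another lab machine or drop a VHD somewhere unexpected.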