Author: Rohit Chormale

I am software engineer from Hyderabad, India with primary interests in distributed systems. In my leisure time, I love to read technical papers and hacking emacs.

How to Setup Redis Cluster from Source

What is redis

Redis is an open source in-memory database. It stores data in key-value format. Because of residing in memory, redis is an excellent tool for caching. Redis provides a rich set of data types. This gives redis upper hand over Memcached. Apart from caching, redis can be used as distributed message broker.

Redis Cluster and Sentinels

To achieve high availability, redis can be deployed in cluster along with Sentinels. Sentinel is a feature of redis. Multiple sentinels are deployed across redis clusters for monitoring purpose. When redis master goes down, sentinels elect a new master from slaves. When old master comes up again, it is added as slave.

Another use case of clustering is a distribution of load. In high load environment, we can send write requests to master and read request to slaves.

This tutorial is specifically focused on Redis Cluster Master Slave model. We will not cover data sharding across cluster here. In data sharding, keys are distributed across multiple redis nodes.

Setup for tutorial

For this tutorial, we will use 3 (virtual) servers. On one server Redis master will reside while other two servers will be used for slaves. Standard redis port is 6379. To differentiate easily, we will run master on 6379 port and slaves on
6380 and 6381 ports. Same will be applied for sentinel services. Master sentinel will listen on 16379 port while slave sentinels will be on 16380 and 16381.

Lets put this easy way.

This tutorial is tested on CentOS 6.9. For CentOS 7.X, check below Notes Section.

Installation

We will follow same installation steps for setting up of all servers. Only difference will be in configurations.

  • Step 1: Grab redis source, make and install
  • Step 2: Setup required directories
  • Step 3: Configure redis master
  • Step 4: Configure redis master sentinel
  • Step 5: Add low privileged user to run redis
  • Step 6: Setup init scripts
  • Step 7: Start service

Server 1 (Redis Master)

Install Redis

Setup required directories

Configure redis master

Edit config file /etc/redis/6379.conf in your favorite editor and change below options.

Configure redis master sentinel

Add config file for sentinel at /etc/redis/sentinel_6379.conf. Open a file and add below content

Add non-privileged user

Setup init scripts

You can find sample init scripts in Notes section below.

Start service

Server 2 (Redis Slave 1)

Install Redis

Setup required directories

Configure redis slave 1

Edit config file /etc/redis/6380.conf in your favorite editor and change below options.

Configure redis slave 1 sentinel

Add config file for sentinel at /etc/redis/sentinel_6380.conf. Open a file and add below content

Add non-privileged user

Setup init scripts

You can find sample init scripts in Notes section below. Change $HOST and $PORT values accordingly

Start service

Server 3 (Redis Slave 2)

Install Redis

Setup required directories

Configure redis slave 2

Edit config file /etc/redis/6381.conf in your favorite editor and change below options.

Configure redis slave 2 sentinel

Add config file for sentinel at /etc/redis/sentinel_6381.conf. Open a file and add below content

Add non-privileged user

Setup init scripts

You can find sample init scripts in Notes section below. Change $HOST and $PORT values accordingly

Start service

Sentinel Testing

Redis Fail-over Testing

For fail-over testing, we can take down redis-master either using init script or below command.

Also we can force sentinel to run fail over using below command

Sample init scripts

Redis Init Script

Sentinel Init Script

Notes

Security

  • NEVER EVER run redis on public interface
  • If redis is deployed in cloud environment like AWS, set up security groups/firewalls carefully. Most of times, cloud providers use ephemeral ips. Because of ephermal ips, even redis is bound to private ip, it can be accessed over public interface.
  • For more security, dangerous commands can be disabled(renamed). But be careful with them in cluster environment.
  • Redis also provides simple authentication mechanism. It is not covered here because of scope.

Sentinel management

  • During redis fail-over, config files are rewritten by sentinel program. So when restarting redis-cluster, be careful.

Sources

  • https://redis.io/topics/cluster-tutorial
  • https://redis.io/topics/security
  • https://redis.io/commands/debug-segfault

How to build and install FreeSWITCH 1.6 on Debian 8 Jessie

FreeSWITCH is an opensource telephony soft switch created in 2006. As per official wiki  page,

It is a scalable open source cross-platform telephony platform designed to route and interconnect popular communication protocols using audio, video, text or any other form of media.

Sounds good. right ?

We are using Debian for this tutorial as it is very stable & mature linux distribution and FreeSWITCH core developers’ choice-of-distribution .
You can read more about FreeSWITCH on there wiki page.

Now lets cut a crap & start an action, assuming you  already have working Debian 8 OS.

Build & Install FreeSWITCH

There are different ways to install FreeSWITCH. In this tutorial, we will see how to install it from source.

  1. First update your Debian box & install curl & git.

  2. Add FreeSWITCH GPG key to APT sources keyring.

  3. Add FreeSWITCH repository to APT sources.

  4. Once again update your system.

  5. Now lets first install FreeSWITCH dependencies.

  6. Though above step takes care of most of dependencies, few still remains required to compile mod_fsv. So install them as,

  7. Grab source code of FreeSWITCH as follows,

  8. Now lets compile FreeSWITCH source for version 1.6

  9. Now lets compile sounds

  10. Lets create simlinks to required binaries to access them from anywhere.

     

Set Owner & Permissions

Starting FreeSWITCH service on boot automatically

To start FreeSWITCH after each boot automatically we need to set up init script. Init script is script used by init system to manipulate services. Debian 8 is now migrated to systemd init system, we will add systemd unit file.

Copy following content to ‘/lib/systemd/system/freeswitch.service’

Now execute following commands in your shell

Start FreeSWITCH

Now we are all set. Lets start hacking FreeSWITCH.

 

Notes

  1. If something goes wrong & you try compilation again by ‘make clean’, sometimes you get errors regarding ‘spandsp’. To resolve them try to clean using
    ‘git clean -fdx’. For more info check this ticket – https://freeswitch.org/jira/browse/FS-6405

 

Sending emails asynchronously using Twisted – Part 2

In Part 1 of article, we saw how to send blocking emails using ‘smtplib’ module & non-blocking emails using Twisted framework. In this part, we will see how to send asynchronous emails to multiple recipients using Twisted

  • Sending multiple emails

    Refer following script.This script sends emails to given recipients asynchronously. Here we have used twisted.internet.defer.DeferredList API. This API is very useful in some scenarios. Suppose you have to finish multiple task asynchronously and then you have to finish one final task. For examples, your program is connected to 4 different clients & and before shutting it down, you have to make sure that all connections are closed properly. In such cases, DeferredList API is used. Create deferrands of each task & make their list. Pass this list to ‘DeferredList‘ API which will return you another deferrand. This final deferrand will be fired when all deferrands in list will be fired.


     

  • Sending multiple emails using coiterator

    Though above script runs fine, there is one problem. Here, recipients number is very small. But suppose you have to send emails to millions recipients then will this code work ?. Refer function ‘send_multiple_emails’.


    Here we have used ‘for’ loop which is blocking. So until this ‘for’ loop is iterated, program will not move to next line of code. For 3 recipients iteration will not take much time however for millions of recipients, it will not work.
    So lets modify our code to work like generators.

    Here, we have used twisted.internet.task.coiterate API. This API iterates over iterator by dividing reactor runtime between all iterators. Thus we can send millions of emails asynchronously.

Sending emails asynchronously using Twisted – Part 1

  • Using ‘smtplib‘ module

It is very easy to send emails using ‘smtplib‘ module of python. Check following recipe.

But ‘smtplib’ module sends emails synchronously. So code execution is blocked until email is sent. To overcome this, lets try to send email asynchornously.

  • Using Twisted

For this tutorial we are going to use Twisted framework. Twisted is event-driven networking engine. It uses reactor-pattern. Twisted uses deferred objects to address waiting IOs. Deferred is more like subset of promises. Check following recipe to send asynchronously MIME message using Twisted.

 

 

How to chat securely using Pidgin and OTR

These days surveillance news are coming out frequently. After Snowden’s revelation if you’r suffering from paranoia and want to secure your digital presence, follow this tutorial to communicate securely.

  1. Install Pidgin chat client.
    • for ubuntu –
    • for arch linux –
    • also you can download it manually from here & then install it as per instructions
  2. Install OTR plugin of Pidgin.
    • for ubuntu –
    • for arch linux –
  3. Now start Pidgin. It will show ‘Accounts’ Popup. Click on ‘Add’ button. add
  4. Now you will get ‘Add Account’ popup.
    add-account-0
  5. Now configure new account as follows.
    • Tab ‘Basic’
      • Login Options
        • Protocol : XMPP (don’t use ‘Facebook XMPP’)
        • Username: (don’t use a username which will somehow connected to real you)
        • jabber.rayservers.com
        • leave blank
        • enter password you want
      • User Options
        • Local alias : Leave blank
        • New mail notifications : DO NOT check
        • Use this buddy icon : check if you want
        • Create this new account on the server : MUST checkadd-account-1
    • Tab ‘Advanced’
      • Connection security : Require Encryption
      • Allow plaintext auth over unencrypted streams : DO NOT check
      • Connect port : 5222
      • Show Custom Smileys : check
      • Create this new account on the server : MUST check add-account-2
    • Tab ‘Proxy’
      • Proxy type : Use Global Proxy Settings
      • Create this new account on the server : MUST check add-account-3
    • Tab ‘Voice and Video’
      • Use silence suppression : leave default
      • Create this new account on the server : MUST check add-account-4
  6. Now to add this new account, click on ‘Add’
  7. Wait for few seconds. Popup will come for ‘SSL Certificate Verification’. Click on ‘Accept’. Cross-check ‘Certificate Information’. Then ‘Accept’ cetificate. cert-1 cert-2
  8. Now you will get popup saying ‘Register New XMPP Account’. Click on ‘Register’.
  9. From top menus select
    Tools -> Plugins -> Off-The-Record Messaging (MUST checked)
  10. Click on ‘Configure Plugin’
  11. Configure ‘Off-the-record Messaging’ popup as follows, otr-1
    • My Private Keys –
      • Click on ‘Generate’ if you get message ‘No key present’. Generating keys takes time. When keys are getting generated try to do some CPU intensive work to add more entropy.
    • Default OTR Settings – Check all
      • Enable private messaging – check
      • Automatically initiate private messaging – check
      • Require private messaging – check
      • Don’t log OTR conversations – check
    • OTR UI Options
      • Show OTR button in toolbar – check
  12. Once key is generated, click on ‘Close’ to close popup windows of ‘Off-the-record Messaging’ & ‘Configure plugin’.
    otr-2
  13. Now in top window ‘Buddy List’ ,
    Tools -> Preferences -> Logging -> Do NOT check any options here & close popup. otr-4
  14. Now enable your new account as,
    Accounts -> Enable account -> Select newly created account
  15. Now to add buddy,
    Buddies -> Add buddy
  16. In ‘Add Buddy’ popup, enter ‘Buddy’s username’ – something like ‘foo@bar.qux.com’.  Optionally you can add ‘Alias name’ for ease. Here important thing to remember is, once you add buddy it will appear in your buddy list only after authorization of your buddy.
  17. Now if you add buddy successfully and he is online & double-click on buddy and start to chat.
  18. Here you will get another private messaging window. Don’t forget to ‘Start OTR’ here & to Authenticate your buddy.
  19. Further, you can use Tor with Pidgin to circumvent IP address.

How to secure yourself with GPG

Generate your key

  1. Run following command in your shell,
  2. Now program will ask you to choose couple of options, use following preferences
  3.  Please select what kind of key you want: 1    RSA and RSA (default)
  4.  What keysize do you want? (2048) 4096
  5.  Key is valid for? (0) 0
  6. Is this correct? (y/N) y
  7. Now enter name, email and comment message.
  8. Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
  9. Finally, enter a passphrase to protect your secret key.

Edit your key

We can later edit key to use other options.
e.g Lets set our key to use stronger hashes.

  1. Edit key using following command,
  2. Now set hash preferences as follows,
  3.  Really update the preferences? (y/N) y
  4. Enter your passphrase
  5. Save new preferences by command,

Make available your key

There are 2 ways to make available your key to other users.

  1. Give them manually. Use following command,

    You will get your public key. Copy and paste it and send to other user.
  2. Upload to key server. You can do this again using 2 ways. One is using, forms available on server. While for second way, first grab your id using following command’s output & then upload to keyservers like http://pgp.mit.edu/

 

Importing other keys

  1. Import other user’s keys. We can import keys of other users with multiple ways. From text file – If someone sends you text file containing his public key, import it as,

    From key server – There are some popular key serves which host public keys.
    One of such server is http://pgp.mit.edu. Here you can search particular user’s key as follows,
  2. Validate key. The easy way to validate person’s identification is match fingerprint of key.
  3. Sign imported key as,
  4. Optionally you can send back signed key

Using gpg key

  • To encrypt message using your key use following command,
  • To decrypt file,

    Creating revocation certificate

There is always possibility that your master key-pair may get lost. (and may be stolen if you are unfortunate). If this happen, you must tell other people to not use your public key. This can be done using revocation certificate. Generate revocation certificate using following command,

Store it safe somewhere separately from master key-pair

Some useful commands

  • List available keys,
  • Update key information,

     

 

 

Coloring shell output

Using coloring, we can enhance output of shell script. Run following script in your terminal and see magic.