PIAF Purple on Non-Local VM

Lost Trunk

Subject line pretty much says it - I might at some point be given access to a virtual machine on a server at a place where the internet connectivity is more reliable, but that's not local to me, and I am wondering if it's possible to do a PiaF Purple install without having PHYSICAL access to the machine. All the instructions I've ever seen involve inserting and removing a CD, which is kind of difficult if the machine's at a remote location and you don't have physical access. I don't know anything about VMs to begin with, so basically it would have to be some technique that could be used over a simple ssh connection. My guess is that it just can't be done, but I thought I'd at least ask before jumping to that conclusion.
 
We can do this with Proxmox and OpenVZ; the silver Proxmox template will work with both, and I would recommend using that.

I'm currently working on a pbxiaf purple script / template, so hopefully that should soon be finished if you really want to run purple in the cloud.
Maybe someone else can comment on VMware, as I don't use that.

Also, Joe has made a script to install pbxiaf onto an existing CentOS machine that would work too.
 
The reason I asked is because I've been given access to a VMware virtual machine, but not any of the underlying hardware or software. The only thing I'm a bit worried about is that PiaF and Incredible PBX recommend a hardware-based firewall, and as far as I know this VM doesn't have one, it just sits right out there on the Internet. I am wondering if there is a way to use iptables to emulate a hardware firewall, basically denying all new incoming connections except from certain IP addresses (the ones I use to administer the system, one of which is a dyndns address) and those necessary to allow sip, iax, and Google Voice connections, similar to what I could do if I did have a hardware firewall. Does anyone know how to do this, or know a good guide to iptables that shows you how to do basic stuff like this without bogging you down in theory? Or does Incredible PBX take care of that for you?
 
Funny you'd mention that. We've been working on locking down SIP most of the day. IAX already is locked down. It may be next week before it's soup. But it's coming. Trying hard to automate the entire process based upon your existing trunk setups in FreePBX. Here's the main piece:


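#!/bin/bash
# Pull the "host" setting of each SIP trunk from the FreePBX database
CMD='SELECT data FROM asterisk.sip WHERE `id` >9999 AND `keyword` = "host"'
TRUNKS=$(mysql -u root -ppassw0rd -e "$CMD" -s -N)
# Resolve each trunk host to its IP address
for host in $TRUNKS
do
    resolveip "$host"
done
exit 0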


Finally we'll use SED to stuff the answers into /etc/sysconfig/iptables, and we'll have a very secure server with no hardware firewall. And, with a couple of little hacks, we can even make Travelin' Man work for remote phones so that individual IP addresses can be activated on the fly with both Asterisk AND iptables.
 
Thanks, Ward, good to know. Hope you and everyone else has a very happy Thanksgiving weekend (no offense intended to those who live where they don't observe our holiday, or where it was observed a month and a half ago!).
 
...or know a good guide to iptables that shows you how to do basic stuff like this without bogging you down in theory?

My preference is to use Webmin to configure IP Tables, as it sorts all the syntax out for you via easily understood dialogue boxes.

Generally speaking, allow what you want to allow, and disallow everything else.

IP Tables are much more powerful than a standard consumer router, in that you can do so much more than simply block ports and IP addresses. You can even block multiple attempts to register or log on.

Joe
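
The default-deny setup asked about above ("denying all new incoming connections except from certain IP addresses") and the "allow what you want to allow, and disallow everything else" advice, as an added example that is not part of any post in this thread and is not the Incredible PBX script. It assumes SSH on 22/tcp, SIP on 5060/udp and IAX2 on 4569/udp; the function names and addresses are made up for illustration.

```shell
#!/bin/sh
# Added example: default-deny ruleset in iptables-restore format, the format
# of /etc/sysconfig/iptables. Function names here are hypothetical.

# Succeeds only for a plain dotted-quad IPv4 address, so hostnames and stray
# shell or iptables syntax never reach the rules file.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_rules "<admin IPs>" "<trunk IPs>": prints the ruleset, or prints
# nothing and fails if any address is malformed.
emit_rules() {
    admins=$1 trunks=$2
    for ip in $admins $trunks; do
        valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # anything not accepted below is dropped
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the PBX itself opened
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in $admins; do          # SSH from admin addresses only
        echo "-A INPUT -s $ip -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    for ip in $trunks; do          # SIP and IAX2 signalling from trunks only
        echo "-A INPUT -s $ip -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $ip -p udp --dport 4569 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample input (RFC 5737 documentation addresses).
ADMIN_IPS="192.0.2.10 198.51.100.7"
TRUNK_IPS="203.0.113.20"
emit_rules "$ADMIN_IPS" "$TRUNK_IPS"
```

Trunk or dyndns hostnames have to be resolved to addresses before they are passed in, and re-resolved when they change, because iptables looks a name up only once, when the rule is loaded. RTP media ports are not opened by this ruleset.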
 
Hello everyone! Where can I download / get this script? I want to install Incredible PBX, which uses PIAF Purple, on my VPS... my VPS doesn't allow mounting ISO files...

Thanks in advance,


 
Hi

You may want to take a look at the latest version of the script 1.04.

I would also suggest setting your repos to be disabled, and enabling them when needed with --enablerepo=PiaF

Note that I download the ISO and mount it, and get the packages from the ISO, as some of PiaF packages are non-free.

Finally, as this has my name all over it, and it is GPL, I'd appreciate it if you could annotate the changes you have made to the script (author, date and time), so it is clear what is your work and what is mine. That way, if you come up with a really good enhancement, you get the credit, whereas if I have made a mistake, the blame does not fall on you ;-)




Joe
 
Thanks for pointing me to the 1.04 version of your script. I had started tinkering with an older version to enable 64 bit before 1.04 was released. There are a few things I do see that I would like to point out. First is that you disable SELinux. For someone who is very security minded, I am surprised by this move. Yes I understand that SELinux causes problems when left in the enforcing state, but should you ever decide to re-enable it down the road, disabling it will cause permission issues. May I suggest it be changed to permissive.

The second issue is that your scripts appear to be loading un-needed packages. I read that you had copied the installed packages list from a DVD install to come up with your list. May I suggest that you examine ks.cfg on the root of the ISO, it contains a list of all the packages required by the install (and makes the list a lot cleaner looking).

Third issue I had to address was the lack of a hardware clock on most VMs. Your script explicitly references the hardware clock. Also while you are working with time services, why not set a time zone? Most servers operate on UTC, so let's set it to UTC.

In 1.04 you are missing a "-y" from the yum command around line 131 to install the dependencies from the ISO.

On the whole, thanks for updating it for 64 bit, and I really like the idea of mounting the ISO locally (saves on my bandwidth).

Greg
 
Hi

SELINUX used to be one of the checks that the FreePBX install script did before allowing installation, if it was not disabled then FreePBX would not install.

Additionally, this is a script that makes an existing copy of CentOS look like it has been installed by the PiaF ISO so that the checks that the piafdl installer does are passed and the install continues.

The script's job is not to make improvements or changes to the system. From ks.cfg on the PiaF ISO, we see that SELINUX is set to disabled; as they have set this, so must this script.

Therefore, I would suggest you address your concerns about switching off SELinux to the PiaF development team.

The issue with using the yum install packages from ks.cfg against the CentOS repository is that it will install ALL of the packages in the yum group that exist in the CentOS repository, however when group install is run as part of the ISO install, it will only install those packages that are on the ISO.

So I would argue that your approach installs more "stuff".

So to get the list of packages installed, I simply install the PBX in a Flash ISO, and then exit out of the installation on the first screen, then yum list installed. This gives me a precise list of exactly what was installed by the PiaF ISO with no extras.

Setting the hardware clock just saved me a lot of trouble, where the clock is set incorrectly, some tarballs don't extract, and Zap / Dahdi does not install.

I do not set the TZ because I imagined that it had been done during the initial install of CentOS, although I realise that if you are working with VMs this may not be applicable.

In terms of the -y on line 131, for the moment, I will leave the user to interact with the script but may add it in a future release.

Thank you for your comments.

Yours

Joe
 
If you catch us smiling today, it's because this thread really reinforces why we prefer to do the things the way we do. :chefb:
 
Stuck, net install, Joe's script, suggestions pls?

:banghead: Ok, please bear with me as this is my first try at a "net" install. I've run the downloaded script, then rebooted my machine (which I don't have access to, it's a physical machine hosted, NOT a VM). Once rebooted, when I type "piafdl" it says "command not found", so I located "piafdl" in the /usr/local/sbin directory, then I type ./piafdl and it just returns me back to the root prompt...and nothing appears to be happening, which too, I can't figure out why, so any suggestions would be greatly appreciated.

and Joe, thanks for this script.
 
I had this once as well. Make sure that you are using the latest version (1.4) of the script. The issue is by default, the PIAF installer (which it is based off) launches the setup routine on first boot. As you are not local, you won't see this setup screen as it is displayed on the console.

Remove the line:
echo "/usr/local/sbin/piafdl" >> /etc/rc.d/rc3.d/S99local

and you should be able to run piafdl from the command line after you log in (you will need to likely nuke and pave, or at least try removing and reinstalling the piafdl package).
 
and you should be able to run piafdl from the command line after you log in (you will need to likely nuke and pave, or at least try removing and reinstalling the piafdl package).

Great thanks, I understand about removing the specified line, not sure what you mean by the above comments, would you be so kind to explain?

Thanks a mil
 
Sorry, nuke and pave = format and reinstall the OS. You may be able to get away with a "yum erase piafdl", but I haven't tried it, so I don't know for sure.
 
kk, thanks. What I did was remove the suggested line from your earlier post. Then ran the script again. This time, the behavior was a little different; once completed, I rebooted and ran piafdl and thus far all is working.

It's running the update-fixes now. I think your advice was instrumental in me getting this far (I'm no linux guru by any means) and I'm very appreciative of your time and reply.
 
