Monday 28 December 2015

Installing Mosquitto on a Raspberry Pi

I was talking to a friend, extolling the features and future of @OwnTracks, a project I talked about not so long ago. Said friend asked about where to place the MQTT broker, and I said "for example, on your home-server". He doesn't have one. Come to think of it, not many of my friends do, so here comes a small post on setting up an MQTT broker, specifically Mosquitto, on a Raspberry Pi, which most people can easily set up.
Mosquitto on a Raspbi
The hardest bit is installing an OS, say, Raspbian Wheezy, onto an SD card, but there are many tutorials on how to do that. (Here's an example using Mac OS X.) A basic install will suffice, and after logging in with Raspbian's default username and password, we'll get started from there.
Roger Light, Mosquitto's creator has thankfully (!) set up a Mosquitto Debian repository we can use to obtain the latest and greatest version, so we'll do just that. We first perform the required steps to add and activate the repository. The last step in particular can take a few moments.
curl -O http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key
sudo apt-key add mosquitto-repo.gpg.key
rm mosquitto-repo.gpg.key
cd /etc/apt/sources.list.d/
sudo curl -O http://repo.mosquitto.org/debian/mosquitto-repo.list
sudo apt-get update
Now we can go ahead and install Mosquitto proper. There are three packages:
  • mosquitto is the MQTT broker (i.e. server)
  • mosquitto-clients are the command-line clients, which I recommend you install
  • python-mosquitto are the Python bindings, which I also think you should install
all three packages together require about 665Kb of space, which we can easily afford even on the tiny Pi.
sudo apt-get install mosquitto mosquitto-clients python-mosquitto
Regrettably, as with most Debian packages, the broker is immediately started; stop it.
sudo /etc/init.d/mosquitto stop
That concludes the installation of the Mosquitto MQTT broker, and we'll now proceed to its configuration. This section is geared towards a configuration of Mosquitto which will work well with@OwnTracks. In particular we want the following features enabled by default:
  • Connections to the broker must be TLS protected. This requires a TLS certificate and key which will be configured automatically.
  • ACLs will restrict who may access what.
Over at the OwnTracks repository, I'm working on some utilities which are going to automate this. It's a work-in-progress (of course), but this is what sudo ./mosquitto-setup.sh looks like at the moment:
Saving previous configuration as mosquitto.conf-20130901-133525
Generating a 2048 bit RSA private key
.................................................................................................+++
...............................+++
writing new private key to '/etc/mosquitto/ca.key'
-----
Created CA certificate in /etc/mosquitto/ca.crt
subject=
    commonName                = An MQTT broker
    organizationName          = MQTTitude.org
    emailAddress              = nobody@example.net
--- Creating server key and signing request
Generating RSA private key, 2048 bit long modulus
............+++
..............+++
e is 65537 (0x10001)
--- Creating and signing server certificate
Signature ok
subject=/CN=raspberrypi/O=MQTTitude.org/emailAddress=nobody@example.net
Getting CA Private Key
A CA is created together with a server key-pair with a whole bunch of subjAltName settings:
X509v3 Subject Alternative Name:
        IP Address:192.168.1.189, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:broker.example.com, DNS:foo.example.de, DNS:localhost
Will it work? Let's start the broker manually to see what it says:
sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
1378042632: mosquitto version 1.2 (build date 2013-08-09 21:49:03+0100) starting
1378042632: Config loaded from /etc/mosquitto/mosquitto.conf.
1378042632: Opening ipv4 listen socket on port 1883.
1378042632: Opening ipv4 listen socket on port 8883.
1378042632: Opening ipv6 listen socket on port 8883.
1378042632: Warning: Address family not supported by protocol
...^C
1378042634: mosquitto version 1.2 terminating
1378042634: Saving in-memory database to /tmp/mosquitto.db.
The Mosquitto clients need to have access to a copy of the CA certificate (ca.crt) and you can transport that insecurely to your clients (it's a public certificate).
mosquitto_pub  --cafile ca.crt -h 127.0.0.1 -p 8883  ...
Newer Mosquitto 1.2 clients use TLSv1.2 per default, and to force them to use TLSv1 (which we need on the OwnTracks broker because of the apps -- it's a long story) you add the appropriate option:
mosquitto_pub  --cafile ca.crt -h 127.0.0.1 -p 8883 --tls-version tlsv1 ...
That's it for the moment.
As for ACLs, we'll be using auth-plug because it's so versatile. I'll update this post as soon as we're ready to automate setting that up as well.

Mosquitto Broker

Publish/Subscribe queues are fun and useful. I first learned about them when tinkering with Redis a while back. One big drawback of RedisPub/Sub is that Redis project refuses to add some form of transport layer security, which means anything and everything is transferred into and out of Redis unencrypted.
I recently discovered MQTT, the Message Queue Telemetry Transport protocol, which is
is a lightweight broker-based publish/subscribe messaging protocol designed to be open, simple, lightweight and easy to implement.
The MQTT protocol provides one-to-may message distribution over TCP/IP with a small transport overhead, and a method to notify parties of abnormal disconnection of a client.
I think of a Pub/Sub message queue as "Twitter for my network". Clients subscribe to be notified of incoming messages pertaining to specific topics, and other clients publish on those topics. A topic (think of it as a kind of channel) classifies messages. For example, I could have topics callednagios/mtanagios/disktest/jp/private, etc. Clients can subscribe to any number of topics, and may include wild-cards when subscribing (e.g. nagios/#). In the context of MQTT, messages are blobs of opaque data (UTF-8, i.e. binary safe) with a maximum size of 256MB.
MQTT can be used in low-bandwidth or unreliable network environments, on embedded devices (e.g. on an mbed with the mbed MQTT library, on an Arduino with the Arduino client for MQTT), from Lua,PythonPerl, etc.
What I find particularly interesting with this technology, is that it enables me to employ a single (secured) transport mechanism for all sorts of data. I don't have to pierce holes in a firewall to specifically allow this and that; a single TCP port suffices to transport all sorts of (smallish) stuff.
Mosquitto is an open source MQTT broker, which I chose over IBM's RSMB because source code of the latter is not freely available. Mosquitto is easy to install and deploy, and its documentation is more than adequate.
The Mosquitto broker supports TLS out of the box, and provides authentication either via username/password, pre-shared keys or TLS client certificates. Furthermore, Mosquitto has a simple ACL by which the broker administrator can configure which clients may access which topics. (Clients identify themselves by a name they specify upon connecting.)
A small Python program connects to the broker and subscribes to a few topics:
#!/usr/bin/env python

import mosquitto

def on_message(mosq, obj, msg):
    print "%-20s %d %s" % (msg.topic, msg.qos, msg.payload)

    mosq.publish('pong', "Thanks", 0)

def on_publish(mosq, obj, mid):
    pass

cli = mosquitto.Mosquitto()
cli.on_message = on_message
cli.on_publish = on_publish

cli.tls_set('root.ca',
    certfile='c1.crt',
    keyfile='c1.key')

cli.connect("hippo", 1883, 60)

cli.subscribe("dns/all", 0)
cli.subscribe("nagios/#", 0)

while cli.loop() == 0:
    pass
If I run that on a client, the program will sit there waiting for messages published to the dns/all ornagios/# topics. In a different window, I can use the mosquitto_pub utility to fire off a message:
mosquitto_pub -d -h hippo.ww.mens.de \
    --cafile root.ca \
    --cert c1.crt \
    --key c1.key \
    -q 0 \                             # quality-of-service
    -t nagios/n1 \                     # topic
    -m 'mail server 001 is broke'      # message
Whereupon the Python program displays:
nagios/n1 0 mail server 001 is broke
(You'll have noticed that the Python program publishes a "Thanks" on the pong topic; clients subscribed to that will receive it.)
Clients can optionally set a Will (in Python before the connect() call). This "last will and testament" (so to speak) is published by the broker when a client disconnects unexpectedly. This can be useful to notify of particular clients' deaths. In other words, if a client issues the following request before connecting, and it dies at some later point, the broker will publish the payload on this client's behalf.
cli.will_set('clients/w1', payload="Adios!", qos=0)

Bridge

Mosquitto can be configured as a so-called "bridge". I could imagine this being useful in, say, different data centers.
In a bridge configuration, Mosquitto is configured to pass certain topics in certain directions. For example, I could configure a bridge to notify a "central" broker for messages of topic +/important. A bridge connects to a broker like any other client and subscribes to topics which are then "imported" into the bridge; clients connected to said bridge can thus be notified for particular subscriptions from the "main" broker.
Mosquitto periodically publishes statistics which interested parties can subscribe to, e.g. for monitoring purposes.
$SYS/broker/version mosquitto version 1.1
$SYS/broker/clients/total 368
$SYS/broker/clients/active 91
$SYS/broker/clients/inactive 277
$SYS/broker/clients/maximum 368
$SYS/broker/messages/received 13358099
$SYS/broker/messages/sent 16381123
$SYS/broker/messages/dropped 414180
$SYS/broker/messages/stored 10806
$SYS/broker/messages/sent 16381123
$SYS/broker/messages/sent 16381123
$SYS/broker/bytes/received 761223497
$SYS/broker/bytes/sent 476065843
$SYS/broker/load/bytes/sent/1min 28745.93
$SYS/broker/load/bytes/sent/5min 15418.24
$SYS/broker/load/bytes/sent/15min 6980.69
[...]
The Mosquitto project has a test server you can use if you don't want to set up your own (just launchmosquitto_sub at it), and there's a nice-looking Web-based interface you can use (on your public MQTTserver) at http://mqtt.io.

Wishlist

There are a couple of things which would be neat to see implemented:
  • Nagios and Icinga typically "go out" and get statii of services, unless I configure them to accept passive checks. How about a plugin or component for Nagios and Icinga which subscribes to specific topics? That would allow for blindingly fast notification of problems within the network, without having to await a check interval? (It's been a while since I did something with these monitoring processes, so this may be stupid, but it sounds good to me ...) A notification could be wrapped into a JSON object containing a Nagios exit code and the reason.
  • Logstash should support MQTT as an input filter. That would allow me to use this message broker for shipping logs. (Logstash already supports AMQP and ZeroMQ.) On the other hand, I could easily create a Mosquitto to Redis "converter", and use Redis as input to Logstash.
Does anybody feel like doing that? :-)

Further reading:

Friday 8 May 2015

How To: Integrate I18n Flash Messages with Devise and Bootstrap

This tutorial was made using Rails 4 and Devise 3 and Bootstrap 2.3
This tutorial is made to show you how to integrate devise flash messages with twitter bootstrap. I wanted to show a way to make devise flash messages look the same as the rest of the site. This will handle normal flash messages and devise flash messages.

Flash Messages For the Site

First we will make a rendered view to make the code concise. Within"app/views/layouts/application.html.erb" I added <%= render 'layouts/messages' %>.
My file looks like:
<body>
  <%= render 'layouts/header' %>
  <div class="container">
    <%= render 'layouts/messages' %>
    <%= yield %>
    <%= render 'layouts/footer' %>
  </div>
</body>
Next we have to make the messages file. Make a new file in"app/views/layouts/_messages.html.erb" and add:
<% flash.each do |key, value| %>
  <div class="alert alert-<%= key %>">
    <a href="#" data-dismiss="alert" class="close">×</a>
      <ul>
        <li>
          <%= value %>
        </li>
      </ul>
  </div>
<% end %>
This will give us flash messages for the entire site.

Flash Messages For Devise

For devise you need to override the way devise handles flash messages. Create a file called devise_helper in "app/helpers/devise_helper.rb".
Inside the file you have to create a method called devise_error_messages!, which is the name of the file that tells devise how to handle flash messages.
module DeviseHelper
  def devise_error_messages!
    return '' if resource.errors.empty?

    messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join
    html = <<-HTML
    <div class="alert alert-error alert-block"> <button type="button"
    class="close" data-dismiss="alert">x</button>
      #{messages}
    </div>
    HTML

    html.html_safe
  end
end
Next in your devise views you will have to define where you want the error messages to appear. You will need to enter <%= devise_error_messages! %> within the devise pages. An example is entering this within "app/views/devise/registrations/.new.html.erb" (The sign up page)
It should already be within the file, but you can move the code around to customize where it is shown.

CSS For Flash Messages

If you do not want to use the odd blue and yellow alerts that come default, I have set error and alert to have the same colorand success and notice to have the same color. I am using red for errors and alerts, and green for success and notice.
Within my "app/assets/stylesheets/custom.css.scss" I have:
/*flash*/
.alert-error {
    background-color: #f2dede;
    border-color: #eed3d7;
    color: #b94a48;
    text-align: left;
 }

.alert-alert {
    background-color: #f2dede;
    border-color: #eed3d7;
    color: #b94a48;
    text-align: left;
 }

.alert-success {
    background-color: #dff0d8;
    border-color: #d6e9c6;
    color: #468847;
    text-align: left;
 }

.alert-notice {
    background-color: #dff0d8;
    border-color: #d6e9c6;
    color: #468847;
    text-align: left;
 }https://github.com/plataformatec/devise/wiki/How-To:-Integrate-I18n-Flash-Messages-with-Devise-and-Bootstrap

Friday 5 September 2014

steps for google api for Devise Rails

CREATING GOOGLE APP


Login as google user

and visit

https://code.google.com/apis/console/

this page will list all projects for your account

if no project is present this page shows create project button

click create project button

you will be redirected to your project page (here you have to select API Access tab)

under API Access tab you have to Create an OAuth 2.0 client ID

you have to give Product name and Home Page URL: http://u.edgepedia.in/

you can also select Product logo

*( Product name and Product logo selected above will be displayed to user at the time of Sign Up

from google and )

now click next

select

Application type (Web application)

under Your site or hostname click more options and enter following details

Authorized Redirect URIs

http://u.edgepedia.in/users/auth/google_oauth2/callback

*( Will redirect user to this URL after Authentication )

Authorized JavaScript Origins

http://u.edgepedia.in

and click Create Client Id

you will get Client ID for web applications

Client ID and Client secret mentioned here are used to access this app


======================
solution for devise google Error 403: Access Not Configured. Please use Google Developers Console to activate the API for your project

You must enable a couple API's (in new google console) for things to work as expected.
Go to https://console.developers.google.com and make sure under "APIs" that you have following APIs enabled:
  1. "Contacts API"
  2. "Google+ API"