Supported styling.
https://github.com/rwz/SyntaxHighlighter/blob/master/demos/autoloader.html
I'm a dedicated agile security architect/system architect/developer with a specialty in open source frameworks.
In my previous blog about Java EE 6 Maven Dependency I wrote about the crippled javaee-api Maven dependency in Maven Central.
That is finally fixed in EE 7.
<dependency>
    <groupId>javax</groupId>
    <artifactId>javaee-api</artifactId>
    <version>7.0</version>
    <scope>provided</scope>
</dependency>
See also Essential Maven POM For JavaEE 7
The EE 6 classes are available in Maven Central.
<dependency>
    <groupId>javax</groupId>
    <artifactId>javaee-api</artifactId>
    <version>6.0</version>
    <scope>provided</scope>
</dependency>
But when running unit tests against them you receive the error below. That's because the jar does not contain implementation classes (method bodies), only the API class signatures.
java.lang.ClassFormatError: Absent Code attribute in method that is not native or abstract in class file javax/persistence/LockModeType
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632)
at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
So in practice the dependency is unusable in real life. Instead you must use the API classes from a specific vendor, such as JBoss.
<dependency>
    <groupId>org.jboss.spec</groupId>
    <artifactId>jboss-javaee-6.0</artifactId>
    <version>1.0.0.Final</version>
    <type>pom</type>
    <scope>provided</scope>
</dependency>
Interceptors were introduced in EE 5 with EJB 3.0, see EJB3 Interceptors javax.ejb.AroundInvoke. In EE 6 they were taken out of EJB and made generic as Interceptors (JSR 318), package javax.interceptor.*.
You can use an Interceptor in EE 6 in two ways:
Your custom Interceptor.
package se.magnuskkarlsson.example.interceptor;

import java.io.Serializable;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.apache.log4j.Logger;

// @Audit is a CDI interceptor binding annotation (declared with
// javax.interceptor.InterceptorBinding) that is not shown in this post. It is
// only needed for binding-based interception; the explicit
// @Interceptors(AuditInterceptor.class) usage below does not require it.
@Audit
@Interceptor
public class AuditInterceptor implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final Logger log = Logger.getLogger(AuditInterceptor.class);

    // Runs around every intercepted business method: logs the call and then
    // continues the invocation chain.
    @AroundInvoke
    public Object intercept(InvocationContext ctx) throws Exception {
        log.info("### Entering method: " + ctx.getMethod().getName()
                + " in class " + ctx.getMethod().getDeclaringClass().getName());
        return ctx.proceed();
    }
}
Interception in a POJO.
package se.magnuskkarlsson.example.interceptor;

import javax.interceptor.Interceptors;

public class DemoPOJO {
    @Interceptors(AuditInterceptor.class)
    public String sayHello() {
        return "Hello POJO";
    }
}
Interception in a Stateless Session Bean.
package se.magnuskkarlsson.example.interceptor;

import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

@Stateless
public class DemoSLSB {
    @Interceptors(AuditInterceptor.class)
    public String sayHello() {
        return "Hello SLSB";
    }
}
beans.xml, located in WEB-INF/ for a war.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
</beans>
To use the Interceptor you must let Weld create the intercepted instance (i.e. inject it); otherwise Weld never knows about the interceptor and the interceptor will never run.
Example usage from a Servlet.
package se.magnuskkarlsson.example.interceptor;

import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/audit")
public class DemoServlet extends javax.servlet.http.HttpServlet {
    private static final long serialVersionUID = 1L;

    // Injected by Weld, so the field holds a proxy that runs the interceptor.
    @Inject
    private DemoPOJO pojo;

    // Injected by the EJB container, which applies the interceptor itself.
    @EJB
    private DemoSLSB slsb;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setCharacterEncoding("UTF-8");
        resp.setCharacterEncoding("UTF-8");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = null;
        try {
            out = resp.getWriter();
            out.println("<html><body>");
            out.println("<h1>" + pojo.sayHello() + "</h1>");
            out.println("<h1>" + slsb.sayHello() + "</h1>");
            // close the body and html elements in the right order
            out.println("</body></html>");
        } finally {
            if (out != null) {
                out.close();
            }
        }
    }
}
You cannot use Interceptor directly in servlets, see https://java.net/projects/servlet-spec/lists/jsr340-experts/archive/2012-02/message/0.
To list all JNDI entries with JBoss CLI.
First start JBoss CLI.
$ ./jboss-cli.sh --connect
Then execute.
[standalone@localhost:9999 /] /subsystem=naming:jndi-view
When deploying a snapshot release, or if for some other reason you want to generate the sources or javadoc jar, you could always configure maven-source-plugin and maven-javadoc-plugin and hook them into the Maven life cycle.
But that is not necessary: in the Maven super POM this is already defined for releases. You can reuse that by adding -DperformRelease=true
mvn -DperformRelease=true [goals]
Different examples of usage:
Local build with sources and javadoc jar generation
mvn -DperformRelease=true clean install
Deploy target. Use only with a snapshot version; deploy then means publishing the snapshot to the defined snapshot repository.
mvn -DperformRelease=true clean install deploy
The capabilities and what is supported out of the box in EE increase from one version to the next. The drivers behind the new features are:
EE 4 - JBoss AS 4.X, JBoss EAP 4 *
EE 5 - JBoss AS 5.1, JBoss EAP 5 *
EE 6 - JBoss AS 7.1, JBoss EAP 6 *
EE 7 - Wildfly 8.x, JBoss EAP 7 * (release date Q2-Q3? 2015)
*) EAP is forked from the AS/Wildfly version listed to its left, but with much higher quality (tested, patched, security compliance tested, security patched), documentation and support.
Very good comprehensive CSS cheat sheets summarized on one single page http://slodive.com/freebies/css-cheat-sheets/.
In this blog I will show how to set up an NTP server and perform NTP synchronization from a remote server.
yum install ntp ntpdate -y
vi /etc/ntp.conf
...
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
...
The server IP is 192.168.1.240 and it is located in the 192.168.1.0/24 subnet.
vi /etc/sysconfig/iptables
...
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
...
service ntpd restart; chkconfig ntpd on
yum install ntp ntpdate -y
service ntpd restart; chkconfig ntpd on
Query your NTP server, but do NOT set the time. If the query returns a stratum higher than 16, just wait a little and then query again.
$ ntpdate -q 192.168.1.240
server 192.168.1.240, stratum 3, offset -0.000189, delay 0.02585
12 Aug 16:43:45 ntpdate[1700]: adjust time server 192.168.1.240 offset -0.000189 sec
$ sudo vi /etc/ntp.conf
...
server 192.168.1.240
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
...
And finally you need to restart ntpd service.
A relay mail server (MTA) is an intermediate server that forwards email to the final delivery mail server (MDA), i.e. the one that writes the message to the default store /var/spool/mail/${USER}.
Remote Client --> Mail Transfer Agent, MTA (192.168.1.11) --> Mail Delivery Agent, MDA (192.168.1.12)
$ vi /etc/postfix/main.cf
...
myhostname = san.magnuskkarlsson.com
...
mydomain = magnuskkarlsson.com
...
myorigin = $mydomain
...
inet_interfaces = all
...
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
...
mynetworks = 192.168.1.0/28, 127.0.0.0/8
...
relayhost = 192.168.1.12
If you want the MTA to ONLY transfer mail, set 'mydestination = ' (empty). With the above configuration the MTA will also deliver local users' email arriving from remote clients.
Restart the service to let the configuration take effect.
service postfix restart; chkconfig postfix on
Check that SMTP port 25 (TCP) is open in iptables. If you need to update the configuration, don't forget to restart the iptables service.
$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
...
$ vi /etc/postfix/main.cf
...
myhostname = rhel6.magnuskkarlsson.com
...
mydomain = magnuskkarlsson.com
...
myorigin = $mydomain
...
inet_interfaces = all
...
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
...
mynetworks = 192.168.1.0/28, 127.0.0.0/8
...
relayhost =
Do not forget to restart postfix service after configuration changes.
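As an added example (not from the original post), the following POSIX shell script reads a Postfix main.cf and reports the settings that decide who may relay through it: mynetworks is the trust boundary, so a too-wide value turns the MTA above into an open relay. The MTA values from the post are embedded as a constructed sample, a second constructed sample widens mynetworks to show what the check flags, and the function names pf_get, postfix_relay_audit, sample_mta and sample_open are my own.

```shell
#!/bin/sh
# Added example: audit the relay-related settings of a Postfix main.cf.
# Every client inside "mynetworks" may relay without authenticating, so
# that list is the setting worth checking after copying a config around.

# Print the effective value of a main.cf key; like Postfix, the last
# definition wins and comment lines are ignored. Usage: pf_get FILE KEY
pf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
      sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
      val = $0
    }
    END { print val }' "$1"
}

# Report mynetworks / relayhost / mydestination and return 1 when
# mynetworks contains an entry that trusts every address (open relay).
postfix_relay_audit() {
  nets=$(pf_get "$1" mynetworks)
  relay=$(pf_get "$1" relayhost)
  dest=$(pf_get "$1" mydestination)
  rc=0
  echo "mynetworks    = ${nets:-<unset: Postfix default>}"
  echo "relayhost     = ${relay:-<unset: deliver directly>}"
  echo "mydestination = ${dest:-<empty/unset: relay-only MTA>}"
  for n in $(printf '%s' "$nets" | tr ',' ' '); do
    case $n in
      0.0.0.0/0|::/0|*/0)
        echo "RISK: mynetworks entry '$n' lets any client relay"
        rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample 1: the MTA from the post, restricted to
# 192.168.1.0/28 and loopback and forwarding everything to the MDA.
sample_mta() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed for the example
myhostname = san.magnuskkarlsson.com
mydomain = magnuskkarlsson.com
myorigin = $mydomain
inet_interfaces = all
mydestination =
mynetworks = 192.168.1.0/28, 127.0.0.0/8
relayhost = 192.168.1.12
EOF
  echo "$f"
}

# Constructed sample 2: the same host with mynetworks widened to everyone.
sample_open() {
  f=$(mktemp)
  sed 's#^mynetworks = .*#mynetworks = 0.0.0.0/0, 127.0.0.0/8#' \
    "$(sample_mta)" > "$f"
  echo "$f"
}

postfix_relay_audit "$(sample_mta)"
postfix_relay_audit "$(sample_open)" || echo "open relay configuration detected"
```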
Create an ordinary unix user for testing via the command adduser mail2.
Check that SMTP port 25 (tcp) is open in iptables. Update if needed and restart the iptables service.
If SELinux is active (the default), check that the default SELinux boolean for postfix is on.
$ getenforce
Enforcing
# getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on
Now we are ready to test by sending mail from a remote client.
$ telnet 192.168.1.11 25
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
220 san.magnuskkarlsson.com ESMTP Postfix
EHLO 192.168.1.11
250-san.magnuskkarlsson.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: foo@bar.com
250 2.1.0 Ok
RCPT TO: mail2@rhel6.magnuskkarlsson.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: hello
sbj
.
250 2.0.0 Ok: queued as 92E1040EB2
^]
telnet> quit
Connection closed.
Now verify that mail was delivered on MDA (192.168.1.12).
$ cat /var/spool/mail/mail2
...
From foo@bar.com Sun Aug 10 01:18:34 2014
Return-Path: <foo@bar.com>
X-Original-To: mail2@rhel6.magnuskkarlsson.com
Delivered-To: mail2@rhel6.magnuskkarlsson.com
Received: from san.magnuskkarlsson.com (unknown [192.168.1.11])
by rhel6.magnuskkarlsson.com (Postfix) with ESMTP id 2ADC210CB
for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 01:18:34 +0200 (CEST)
Received: from 192.168.1.11 (unknown [192.168.1.122])
by san.magnuskkarlsson.com (Postfix) with ESMTP id 92E1040EB2
for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 19:01:59 +0200 (CEST)
Subject: hello
sbj
In my previous blog I described how to configure and run an MTA with Postfix. Here I will describe how to make aliases.
Now, to let this take effect you must run the program newaliases.
On the remote client send mail to root@san.magnuskkarlsson.com.
And verify on the server.
Add TCP port 25 for SMTP.
Then restart the firewall to let the new configuration take effect.
First create a test user on the server.
Then on the remote client we use telnet to send mail. For details see http://magnus-k-karlsson.blogspot.se/2014/06/how-to-send-mail-from-command-line-with.html. Here follows a summary.
Now check the mail on the server.
yum install vsftpd -y
$ vi /etc/vsftpd/vsftpd.conf
...
# Allow anonymous FTP?
anonymous_enable=YES
...
# Uncomment this to allow local users to log in.
local_enable=NO
...
# Uncomment this to enable any form of FTP write command.
write_enable=NO
...
service vsftpd restart; chkconfig vsftpd on
$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
...
$ vi /etc/sysconfig/iptables-config
...
IPTABLES_MODULES="nf_nat_ftp nf_nat_tftp"
...
$ service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_nat_ftp nf_nat_tft[ OK ]
Create test data.
$ echo "Hello" >> /var/ftp/pub/hello.txt
$ restorecon -RFv /var/ftp/pub/hello.txt
restorecon reset /var/ftp/pub/hello.txt context unconfined_u:object_r:public_content_t:s0->system_u:object_r:public_content_t:s0
And download it from remote host.
$ lftp 192.168.1.11
lftp 192.168.1.11:~> ls
drwxr-xr-x 2 0 0 4096 Aug 07 19:22 pub
lftp 192.168.1.11:/> cd pub/
lftp 192.168.1.11:/pub> ls
-rw-r--r-- 1 0 0 6 Aug 07 19:22 hello.txt
lftp 192.168.1.11:/pub> get hello.txt
6 bytes transferred
lftp 192.168.1.11:/pub> exit
# cat hello.txt
Hello
yum install bind bind-chroot bind-utils -y
$ vi /etc/named.conf
...
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
...
allow-query { 192.168.1.0/24; };
forwarders { 192.168.1.1; };
...
dnssec-validation no;
...
service named restart; chkconfig named on
$ nslookup www.sunet.se 192.168.1.11
Server: 192.168.1.11
Address: 192.168.1.11#53
Non-authoritative answer:
www.sunet.se canonical name = vision.sunet.se.
Name: vision.sunet.se
Address: 192.36.171.156
$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
...
Packt is celebrating its 10 year anniversary by offering all of its eBooks and videos at just $10 each for 10 days.
http://bit.ly/1k5EUYD
You can easily test your mail configuration from a Linux server with telnet.
$ telnet rhel1 25
Trying 172.168.1.1...
Connected to rhel1.
Escape character is '^]'.
220 rhel1.localdomain ESMTP Postfix
HELO rhel1            # Note that "HELO" is not misspelled; it is the SMTP greeting command.
250-rhel1.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: ivan@rhel2
250 2.1.0 Ok
RCPT TO: david@rhel1
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Subject goes here.
Body goes here.
.                     # End the body with '.' on a line of its own and press Enter
250 2.0.0 Ok: queued as 5C3E5E12EA
# Quit the interactive mail session with ctrl + ']'
quit
221 2.0.0 Bye
Connection closed by foreign host.
For a more detail description, please see http://www.ehow.com/how_5209651_use-sendmail-command-line.html.
An interesting comparison (in Swedish) between RHEL server and Windows server.
Source: http://techworld.idg.se/2.2524/1.498006/windows-vs-linux---nu-avgors-kampen
Verify that you have enabled virtualization in the BIOS. For details see Virtualization with KVM on RHEL 6.
Install the required packages.
$ sudo apt-get install qemu-kvm libvirt-bin bridge-utils virt-manager
Now you are ready to run virt-manager and install new virtual guests.
$ sudo virt-manager
If you are new to KVM, please read Virtualization with KVM on RHEL 6 for a detailed description.
The preferred way to tweak the user interface (Unity) in Ubuntu 14.04 is via the unity-tweak-tool. You can also use ccsm (CompizConfig Settings Manager), but I would recommend sticking with the recommended unity-tweak-tool, since settings can get messed up when they are manipulated with different tools.
To install:
$ sudo apt-get install unity-tweak-tool
And if you get lost while configuring, you can always get back to the original configuration with:
$ unity-tweak-tool --reset-unity
The new way to add static routes in RHEL 6 is:
$ vi /etc/sysconfig/network-scripts/route-<interface>
ADDRESS0=X.X.X.X
NETMASK0=X.X.X.X
GATEWAY0=X.X.X.X
Or alternatively via the old ip command style.
$ vi /etc/sysconfig/network-scripts/route-<interface>
X.X.X.X/Y via X.X.X.X dev <interface>
And to set the default gateway.
$ vi /etc/sysconfig/network
...
GATEWAY=X.X.X.X
...
Kids go crazy over the Swedish-developed game Minecraft. Below is a link on how to install it on Ubuntu 14.04.
http://ubuntuhandbook.org/index.php/2014/04/install-minecraft-in-ubuntu-14-04/
You can easily merge several pdf files into one file with 'pdftk - A handy tool for manipulating PDF'.
Example of how to merge file1.pdf and file2.pdf into mergedfile.pdf.
$ pdftk file1.pdf file2.pdf cat output mergedfile.pdf
There is a program available on Ubuntu, youtube-dl, that can download videos from youtube.com or other video platforms. But it stores the file as mp4, since it contains video. Sometimes you do not want the video, only the audio. To extract only the audio part, you can use the pacpl command line tool.
pacpl --to mp3 -v -r- -bitrate 320 targetfile.mp4
I'm not a bash script guru, so I need documentation. Here I will show you how to get/install that for RHEL 6.
All the BASH documentation is available via the bash-doc RPM, but it is not located in the RHEL base channel (rhel-x86_64-server-6); it is in the RHEL Server Optional channel (rhel-x86_64-server-optional-6).
To add or remove channels from the command line you use rhn-channel.
rhn-channel --channel=rhel-x86_64-server-optional-6 --add --user=<RHNREG_USERNAME> --password=<RHNREG_PASSWORD>
Now you are ready to install the bash-doc package.
yum install bash-doc
And to list the installed files.
$ rpm -ql bash-doc
...
/usr/share/doc/bash-4.1.2/doc/bashref.pdf
...
And the most interesting file is the BASH Reference Manual, shown above.
In this blog I will show you how to configure a RHEL 6 server as a router between a LAN (eth1) and a WAN (eth0).
First we need to enable IP forwarding.
$ sysctl -w "net.ipv4.ip_forward=1"
net.ipv4.ip_forward = 1
And to verify.
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
To make it permanent, you need to edit /etc/sysctl.conf.
$ grep "^net.ipv4.ip_forward" /etc/sysctl.conf
net.ipv4.ip_forward = 1
Before we begin, we disable NetworkManager.
$ service NetworkManager stop
$ chkconfig NetworkManager off
Then we manually edit our network configuration files.
We begin with our WAN (eth0) card.
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
HWADDR=64:70:02:11:d9:83
NM_CONTROLLED=no
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
And continue with our LAN (eth1) card.
$ cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
HWADDR=64:70:02:13:CB:95
NM_CONTROLLED=no
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.2.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
The HWADDR values above are specific to my environment. To get yours, use ifconfig.
$ ifconfig
eth0 Link encap:Ethernet HWaddr 64:70:02:11:D9:83
...
eth1 Link encap:Ethernet HWaddr 64:70:02:13:CB:95
...
Finally restart the network service and check that the new IP addresses are set, via the ip or ifconfig command.
$ service network restart
$ ip addr show
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
...
inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
...
inet 192.168.2.100/24 brd 192.168.2.255 scope global eth1
...
Now we are ready to configure iptables. First flush existing rules.
$ iptables -t filter -F
$ iptables -t nat -F
$ iptables -t mangle -F
Then add the MASQUERADE rule for the WAN (eth0) card.
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Finally save iptables configuration.
$ service iptables save
I have connected a separate machine on the LAN and configured it manually with a static IP.
IP: 192.168.2.3
NETMASK: 255.255.255.0
GATEWAY: 192.168.2.100
DNS1: 192.168.2.100
Now we can ping 192.168.2.100 (gateway), 192.168.1.100 (rhel 6 router), 192.168.1.1 (WAN GATEWAY) and finally www.google.com.
$ yum -y install samba samba-client
$ service smb restart
The default configuration works just fine.
$ cat /etc/samba/smb.conf
...
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
...
Having 'security = user' means we need a UNIX account. Let's create one.
$ useradd -s /sbin/nologin winuser1
And set the Samba password for the account.
$ smbpasswd -a winuser1
$ iptables -I INPUT 5 -m state --state new -p tcp --dport 445 -j ACCEPT
$ iptables -I INPUT 6 -m state --state new -p udp --dport 137 -j ACCEPT
$ iptables -I INPUT 7 -m state --state new -p udp --dport 138 -j ACCEPT
$ iptables -I INPUT 8 -m state --state new -p tcp --dport 139 -j ACCEPT
Now let's test it from a remote client. First let's list all shares on the host.
$ smbclient -L 127.0.0.1 -U winuser1
Enter winuser1's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-168.el6_5]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 3.6.9-168.el6_5)
winuser1 Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-168.el6_5]
Server Comment
--------- -------
Workgroup Master
--------- -------
And to mount it.
$ mount -t cifs -o user=winuser1 //192.168.1.16/winuser1 /remote
Finally let's test writing to winuser1's home directory.
$ echo "Hello" >> /remote/foo
-bash: /remote/foo: Permission denied
This did not go well. The missing piece is the SELinux configuration.
On the Samba server, run the following command if you want to share home directories via Samba.
$ setsebool -P samba_enable_home_dirs on
Now let's get back to the client, unmount and remount, and then write and read; that should now succeed.
The configuration below will auto-mount the home directory of user 'ldapuser1' with rw permission from nfs.server.com.
$ vi /etc/auto.master
/home /etc/auto.home
$ vi /etc/auto.home
ldapuser1 -rw nfs.server.com:/export/path/ldapuser1
You can manually mount an NFS exported directory on a local directory /remote.
$ mount -t nfs nfs.server.com:/export/path /remote
$ vi /etc/fstab
nfs.server.com:/export/path /remote nfs defaults 0 0
yum groupinstall nfs-file-server
To get NFS to work we need to install and start rpcbind and nfslock. Double-check that this is done.
chkconfig rpcbind on
service rpcbind restart
chkconfig nfslock on
service nfslock restart
Now we are ready to start NFS.
service nfs restart
Finally let's test our new NFS server.
showmount -e 127.0.0.1
This will return an empty export list, without error.
To be able to access NFS exports remotely, we need to open certain ports in the firewall. To investigate which ones, we use the command rpcinfo.
rpcinfo -p
This will return quite a few ports. To lock down which ports are used, uncomment all the port settings in the NFS config file.
$ grep -i port /etc/sysconfig/nfs
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049
Now restart the NFS service and let's start opening ports.
service nfs restart
And after opening all the ports, iptables should look like this.
$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1540 127K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:111
5 1 84 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:111
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:60584
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:56907
8 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:892
9 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:892
10 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
11 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:2049
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:32769
13 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:32803
14 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
15 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 122 packets, 17748 bytes)
num pkts bytes target prot opt in out source destination
Test your new firewall configuration from the remote client by executing the command.
showmount -e 192.168.1.15
After we have successfully configured the firewall, let's get back to our server and configure the NFS export directories. We start by creating a new directory that we will export.
mkdir /exports
chmod 777 /exports/
Now configure NFS to export it.
$ vi /etc/exports
/exports 192.168.1.0/24(rw,sync) 127.0.0.1(rw,sync)
To apply the new changes run
exportfs -r
And to list current exports
$ exportfs -v
/exports 192.168.1.0/24(rw,wdelay,root_squash,no_subtree_check)
/exports 127.0.0.1(rw,wdelay,root_squash,no_subtree_check)
From a second machine on the same LAN, test connectivity to NFS server (192.168.1.15).
showmount -e 192.168.1.15
The simplest way to test read and write is to use the automount functionality.
echo "Hello" >> /net/192.168.1.15/exports/foo.txt
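As an added example (not from the original post), this shell script derives the iptables INPUT rules for the NFS server from the pinned ports in /etc/sysconfig/nfs, restricted to one source network, instead of reading them off rpcinfo -p. It goes a little beyond the iptables listing above by also covering the rquotad and statd ports, which that listing does not show; the sample file is constructed from the values shown earlier, the protocol assumptions are spelled out in the comments, and the function names nfs_ports, nfs_iptables_rules and sample_nfs_sysconfig are mine.

```shell
#!/bin/sh
# Added example: generate iptables INPUT rules for an NFSv3 server from
# the pinned ports in /etc/sysconfig/nfs.
# Assumptions (mine): rpcbind (111) and nfsd (2049) are always needed on
# TCP and UDP; LOCKD_TCPPORT / LOCKD_UDPPORT are protocol specific; every
# other *_PORT variable is opened on both protocols, except
# STATD_OUTGOING_PORT (client side of statd) and RDMA_PORT (only relevant
# with RDMA transports), which get no INPUT rule.

# Print "proto port" lines for the ports the server must accept.
# Usage: nfs_ports /etc/sysconfig/nfs
nfs_ports() {
  printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'
  awk -F= '
    /^[[:space:]]*#/ { next }
    $1 == "LOCKD_TCPPORT" && $2 ~ /^[0-9]+$/ { print "tcp", $2; next }
    $1 == "LOCKD_UDPPORT" && $2 ~ /^[0-9]+$/ { print "udp", $2; next }
    $1 == "STATD_OUTGOING_PORT" || $1 == "RDMA_PORT" { next }
    $1 ~ /_PORT$/ && $2 ~ /^[0-9]+$/ { print "tcp", $2; print "udp", $2 }
  ' "$1"
}

# Print one ACCEPT rule per port, limited to the given source network.
# Usage: nfs_iptables_rules /etc/sysconfig/nfs 192.168.1.0/24
nfs_iptables_rules() {
  nfs_ports "$1" | while read -r proto port; do
    echo "-A INPUT -s $2 -m state --state NEW -p $proto -m $proto --dport $port -j ACCEPT"
  done
}

# Constructed sample mirroring the /etc/sysconfig/nfs values shown above.
sample_nfs_sysconfig() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed for the example
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049
EOF
  echo "$f"
}

nfs_iptables_rules "$(sample_nfs_sysconfig)" 192.168.1.0/24
```

The printed rules are meant to be placed before the final REJECT rule in /etc/sysconfig/iptables, followed by a restart of the iptables service.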
Open a terminal and run the commands.
Add the public key for the Google repo.
sudo wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
Add the Google repo for the Chrome package.
sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
Update and install the Chrome web browser.
sudo apt-get update && sudo apt-get install google-chrome-stable
Here I will configure a KVM host with virtual machines that are accessible from the local network.
This can be achieved in two ways by configuring the KVM host machine: with a network bridge or with routing.
The easiest way is to use a network bridge, since then both the desktop and the virtual machines will be on the same subnet.
Here we will configure the KVM host network manually, so we start by disabling the NetworkManager.
service NetworkManager stop
chkconfig NetworkManager off
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
HWADDR=64:70:02:11:d9:83
NM_CONTROLLED=no
ONBOOT=yes
BRIDGE=br0
Above we have taken the interface out of NetworkManager's control (NM_CONTROLLED=no) and attached it to the bridge br0 (BRIDGE=br0).
/etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
IPV6INIT=no
BOOTPROTO=none
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
Above we have configured a static IP (BOOTPROTO=none) and assigned the IP, gateway and DNS.
Since we are not using the second alternative with routing, the KVM host's iptables configuration is the same as the default.
$ cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After editing/creating the files you might need to restore the SELinux security contexts.
restorecon -RFv /etc/sysconfig/network-scripts/*
And finally restart the network on the KVM host.
service network restart
The last part is to configure the virtual machine network. This is easiest achieved with virt-manager.
For an existing virtual machine.
And for a new one.
Inside the virtual machine you can configure either a static or a dynamic IP. The easiest way is to use the tool system-config-network-tui.
And finally test by pinging the virtual machine (virtual1) from the desktop.
The default theme (Adwaita) that Fedora 20 ships with is not the best. Besides, it has a large window border at the top of each window. A better theme that exists in the default rpm repo is greybird. To install:
yum install greybird-*
and to change theme use gnome-tweak-tool (rpm package gnome-tweak-tool).
The MySQL packages have been renamed. The now-official open source version of MySQL is MariaDB. To install the same version of MySQL on Fedora as in Enterprise Linux, such as RHEL, install these packages.
yum install community-mysql-server community-mysql-libs community-mysql
To start the mysqld.
service mysqld start
Set MySQL root password to 'root'.
mysqladmin -u root password root
Finally login and test password.
$ mysql -u root -p
Enter password: <root>
The workbench rpm is orphaned, so you need to download and install it manually: http://dev.mysql.com/downloads/tools/workbench/
$ rpm -pi /home/magnus/Downloads/mysql-workbench-community-6.0.9-1.fc20.x86_64.rpm
error: Failed dependencies:
libctemplate.so.2()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
liblua-5.1.so()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
libtinyxml.so.0()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
libvsqlitepp.so.3()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
libzip.so.2()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
python-paramiko is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
A little bit of searching for the dependency packages with 'yum provides', e.g.
yum provides "*/libctemplate.so.2"
And finally ending up with all the required packages.
yum install -y ctemplate-devel compat-lua-libs tinyxml vsqlite++ libzip python-paramiko
Then run the workbench install again, start workbench and connect to your localhost.
Before Eclipse started bundling Eclipse into EE, C++, etc. bundles, it was a pain to install Eclipse and get all its plugins right. Then the bundles came: you download a zip file, unzip it and off you go.
But a better way is to have RPM packages of everything. And that is done in Fedora. (That is also done in Ubuntu, but they don't have any modern version of Eclipse available.)
To install Eclipse 4.3.1 (Kepler)
$ yum install eclipse-platform
Now you can search for and install Eclipse plugins
$ yum search eclipse
...
eclipse-gef.noarch : Graphical Editing Framework (GEF) Eclipse plugin
eclipse-anyedit.noarch : AnyEdit plugin for eclipse
eclipse-avr.noarch : AVR Eclipse Plugin Sources
eclipse-cdt.x86_64 : Eclipse C/C++ Development Tools (CDT) plugin
eclipse-changelog.noarch : Eclipse ChangeLog plug-in
eclipse-checkstyle.noarch : Checkstyle plugin for Eclipse
eclipse-cmakeed.noarch : CMake Editor plug-in for Eclipse
eclipse-dltk.noarch : Dynamic Languages Toolkit (DLTK) Eclipse plugin
eclipse-dtp.noarch : Eclipse Data Tools Platform
eclipse-eclox.noarch : Eclipse-based doxygen plugin
eclipse-egit.noarch : Eclipse Git Integration
eclipse-egit-github.noarch : Eclipse EGit Mylyn GitHub Connector
eclipse-emf.noarch : Eclipse Modeling Framework (EMF) Eclipse plugin
eclipse-epic.noarch : Perl Eclipse plug-in
eclipse-fedorapackager.noarch : Fedora Packager for Eclipse
eclipse-findbugs.noarch : Eclipse plugin for FindBugs
eclipse-jbosstools.noarch : Eclipse plugins that support JBoss and related technology
eclipse-jgit.noarch : Eclipse JGit
eclipse-linuxtools.noarch : Linux specific Eclipse plugins
eclipse-m2e-core.noarch : Maven integration for Eclipse
$ yum install eclipse-gef eclipse-anyedit eclipse-changelog eclipse-checkstyle eclipse-dltk eclipse-dtp eclipse-egit eclipse-emf eclipse-fedorapackager eclipse-findbugs eclipse-jbosstools eclipse-m2e-core eclipse-subclipse
Most modern Linux distros (and Windows too) nowadays group windows from the same application. I find this ineffective and it lowers my productivity.
To disable grouping when Alt-Tab switching, install the gnome extension https://extensions.gnome.org/extension/15/alternatetab/
Install
$ yum groupinstall Virtualization
To manage the KVM daemon - libvirtd.
$ service libvirtd [status|start|stop|restart]
Important directories.
Graphical manager, to install new virtual machines and control them.
$ virt-manager
Or the command line way.
$ virt-install --help
And to control the virtual machines, via command line.
$ virsh --help
In my previous blog I showed you how to set up basic authentication via an access file for a private directory. To do the same thing with LDAP, use this configuration instead.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/example-ca.crt
<Directory "/private">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ldap.example.com/dc=example,dc=com" TLS
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from all
</Directory>
Here we will make things a little more difficult: we are going to create the new directory outside the Apache default document root, which means we must handle the SELinux policy ourselves. We will get into the details of that soon, but first let's create the new private directory.
$ mkdir /private
$ echo "<h1>Hello Private</h1>" > /private/index.html
Set file permissions.
$ chown root:root -R /private
$ chmod 755 /private
$ chmod 644 /private/index.html
This is where things get a little more complicated. Let's first look at the SELinux file context of the default document root.
$ ll -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
$ ll -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
$ ll -Z /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
Now we know how things should look. Let's see how our new directory currently looks.
$ ll -Zd /private/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /private/
The first thing to try is always to restore the default SELinux context. Let's do that.
$ restorecon -RFv /private/
$ ll -Zd /private/
drwxr-xr-x. root root system_u:object_r:default_t:s0 /private/
$ ll -Z /private/index.html
-rw-r--r--. root root system_u:object_r:default_t:s0 /private/index.html
The context is unchanged because the SELinux file-context database has no rule for /private; restorecon can only apply what the policy knows. The missing part is therefore a file-context rule, which we add with semanage (policycoreutils-python package). Use semanage rather than chcon: chcon changes the label on disk but the change is lost on the next restorecon or relabel. Also note that httpd_sys_content_t is read-only for Apache; a directory the web application must write into is labelled httpd_sys_rw_content_t instead.
$ semanage fcontext -a -t httpd_sys_content_t '/private(/.*)?'
And to verify.
$ semanage fcontext -l | grep /private
/private(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
Now we only need to restorecon on our new private directory.
$ restorecon -RFv /private
restorecon reset /private context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /private/index.html context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
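The same check and fix as a reusable script. This is an added example, not code from the original post: it reads the SELinux type out of 'ls -Z' output, compares it with the type Apache needs, and only then records a persistent rule with semanage and applies it with restorecon. The expected type is a parameter, so the same function serves /private (httpd_sys_content_t) and cgi-bin (httpd_sys_script_exec_t); the sample lines in the comments are the ones shown above.

```sh
#!/bin/sh
# Added example, not from the original post: check that a path carries the
# SELinux type Apache needs, and fix it persistently only when it does not.

# Extract the SELinux type from one line of 'ls -Z' output, for example
#   drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /private/
# The context is the field shaped like user:role:type:level, so the column
# position does not matter (it differs between coreutils versions).
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+_u:[a-z_]+_r:[a-z_]+_t(:s[0-9]+.*)?$/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Current type of a path on the live system (empty if SELinux is absent).
selinux_type_of_path() {
    selinux_type_of_line "$(ls -Zd "$1" 2>/dev/null)"
}

# 0 if the path already has the expected type, 1 otherwise.
has_selinux_type() {
    [ "$(selinux_type_of_path "$1")" = "$2" ]
}

# Record the type in the file-context database (survives a relabel) and
# apply it. chcon alone would be undone by the next restorecon.
ensure_selinux_type() {
    path=$1; type=$2
    if has_selinux_type "$path" "$type"; then
        echo "$path already labelled $type"
        return 0
    fi
    if ! semanage fcontext -l | grep -qF "${path}(/.*)?"; then
        semanage fcontext -a -t "$type" "${path}(/.*)?"
    fi
    restorecon -RFv "$path"
    has_selinux_type "$path" "$type"
}
# Example: ensure_selinux_type /private httpd_sys_content_t
```

The parser is kept separate from the fixing step so it can be run on saved output, and so that the fix is idempotent: running it twice adds no duplicate semanage rule.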
Now, before adding authentication, let's expose the new directory without it and test.
$ vi /etc/httpd/conf/httpd.conf
...
Alias /private/ "/private/"
<Directory "/private">
Order deny,allow
Deny from all
Allow from all
</Directory>
...
Restart Apache and test the new directory. If it does not work, go back and fix it before going further.
Now we are going to add user authentication, but before that you might want to install apache manual.
$ yum install httpd-manual
We will configure Basic authentication against a file containing the user credentials. Keep that file outside the document root, as /etc/httpd/.htpasswd is here, so it can never be served to a client.
LoadModule authn_file_module modules/mod_authn_file.so
<Directory "/private">
AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from all
</Directory>
Create the user credentials. -c creates the file (and overwrites an existing one, so omit it when adding further users) and -m selects the MD5-based (apr1) hash.
$ htpasswd -cm /etc/httpd/.htpasswd bob
New password: <redhat>
Re-type new password: <redhat>
Adding password for user bob
And now finally restart and test your new private directory.
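What Basic authentication actually sends, and a client-side guard against sending it over plain HTTP. This is an added example and not code from the original posts; it applies equally to the file-backed and the LDAP-backed configuration, since the difference between them is only where Apache checks the password. The user name and password are the ones created with htpasswd above; the URL is an assumption.

```sh
#!/bin/sh
# Added example, not from the original posts: the Authorization header that
# Basic auth puts on the wire, and a fetch helper that refuses to send it
# over http:// unless explicitly told to.

# Header value for a user/password pair: base64("user:password").
# This is an encoding, not encryption, and it is repeated on every request.
basic_auth_header() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover the credentials from a captured header value, as anyone who can
# see a plain-HTTP request could.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Fetch a URL with Basic auth and print the HTTP status code. Only https://
# is accepted unless ALLOW_PLAIN_HTTP=1 (for a loopback test, say).
# Returns 2 when the scheme is refused, otherwise curl's exit status.
basic_get() {
    url=$1; user=$2; pass=$3
    case "$url" in
        https://*) ;;
        http://*)
            if [ "${ALLOW_PLAIN_HTTP:-0}" != 1 ]; then
                echo "refusing to send Basic credentials over plain HTTP: $url" >&2
                return 2
            fi ;;
        *) echo "unsupported URL: $url" >&2; return 2 ;;
    esac
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -H "Authorization: Basic $(basic_auth_header "$user" "$pass")" "$url"
}
# Example: basic_get https://jbossas1.magnuskkarlsson.com/private/ bob redhat
```

curl's own -u bob:redhat produces exactly the header basic_auth_header builds, so a packet capture of the plain-HTTP variant shows the password after one base64 decode; that is the whole reason the /private location needs TLS.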
You have successfully installed apache web server with default configuration.
Create the CGI script in the default cgi-bin directory.
$ cat /var/www/cgi-bin/hello.cgi
#!/usr/bin/perl
use strict;
use warnings;

# The Content-type header, followed by the blank line that ends the headers.
print "Content-type: text/html\n\n";
print <<HTML;
<html>
<head>
<title>A Simple Perl CGI</title>
</head>
<body>
<h1>A Simple Perl CGI</h1>
<p>Hello World</p>
</body>
</html>
HTML
exit;
Set file permission
$ chown root:root /var/www/cgi-bin/hello.cgi
$ chmod 755 /var/www/cgi-bin/hello.cgi
Set the SELinux context. The policy labels /var/www/cgi-bin as httpd_sys_script_exec_t, which is what allows Apache to execute scripts there; a script copied in with another label gets a 403 and a denial in /var/log/audit/audit.log.
$ restorecon -RFv /var/www/cgi-bin/hello.cgi
Open http://<your-host>/cgi-bin/hello.cgi
Virtual hosts are useful when you want to serve multiple web sites from the same web server.
Install Apache Web Server.
$ yum install httpd
Since I do not have a reliable DNS, we need to hardcode the host name in /etc/hosts on the client.
$ cat /etc/hosts
...
192.168.122.20 jbossas1.magnuskkarlsson.com
192.168.122.20 virtualhost1.magnuskkarlsson.com
Configure Listen and ServerName so that the server starts cleanly without warnings.
$ egrep "Listen|ServerName" /etc/httpd/conf/httpd.conf
Listen 192.168.122.20:80
ServerName jbossas1.magnuskkarlsson.com:80
Also verify that the firewall (iptables) allows ports 80 and 443, as in the two ACCEPT rules below. Add rules for them if they are missing rather than stopping the firewall with 'service iptables stop'.
$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
...
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
...
8 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
...
Now check the installation by restarting the Apache web server and opening 'jbossas1.magnuskkarlsson.com' from the client machine. You should see the Apache welcome page. If not, go back and fix it.
$ service httpd restart
Now create two virtual hosts: one for the default host 'jbossas1.magnuskkarlsson.com' and one for the new 'virtualhost1.magnuskkarlsson.com'. With name-based virtual hosts the first <VirtualHost> for an address:port pair is the default, so a request with an unknown or missing Host header lands on jbossas1; keep that site free of anything private.
$ vi /etc/httpd/conf/httpd.conf
...
NameVirtualHost 192.168.122.20:80
<VirtualHost 192.168.122.20:80>
ServerName jbossas1.magnuskkarlsson.com
ServerAdmin webmaster@jbossas1.magnuskkarlsson.com
DocumentRoot /var/www/html
ErrorLog logs/jbossas1.magnuskkarlsson.com-error_log
CustomLog logs/jbossas1.magnuskkarlsson.com-access_log common
</VirtualHost>
<VirtualHost 192.168.122.20:80>
ServerName virtualhost1.magnuskkarlsson.com
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/virtualhost1-magnuskkarlsson-com/html
ErrorLog logs/virtualhost1.magnuskkarlsson.com-error_log
CustomLog logs/virtualhost1.magnuskkarlsson.com-access_log common
</VirtualHost>
Now create the new document root for 'virtualhost1.magnuskkarlsson.com'.
$ mkdir -p /var/www/virtualhost1-magnuskkarlsson-com/html
Set file permissions.
$ chmod 755 /var/www/virtualhost1-magnuskkarlsson-com
$ chmod 755 /var/www/virtualhost1-magnuskkarlsson-com/html
Create test web page.
$ echo "Hello World" > /var/www/virtualhost1-magnuskkarlsson-com/html/index.html
Set SELinux for our new virtual host.
$ restorecon -RFv /var/www/
Restart the Apache web server and test the new virtual host by opening both host names from the client; each should return its own page.
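A client-side smoke test for the two virtual hosts that does not depend on DNS or /etc/hosts. This is an added example, not code from the original post: it sends the Host header explicitly with curl, so you can also see what an unknown name falls through to. On the server, 'httpd -S' dumps the parsed virtual host configuration and is the complementary check. The host names and address are the ones used above; the expected page fragments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: verify name-based virtual
# hosts from the client by presenting a chosen Host header.

# Fetch "/" from a server address while presenting a chosen Host header.
# Kept as its own function so it can be swapped out in tests.
fetch_with_host() {
    host=$1; addr=$2
    curl -s -H "Host: $host" "http://$addr/"
}

# 0 if the response body for $host contains $expected, 1 otherwise.
check_vhost() {
    host=$1; addr=$2; expected=$3
    if fetch_with_host "$host" "$addr" | grep -q "$expected"; then
        echo "OK   $host -> contains '$expected'"
        return 0
    fi
    echo "FAIL $host -> expected '$expected'" >&2
    return 1
}

# Walk a list of "host|expected" pairs; the return value is the number of
# failures, so 0 means every name reached its own site.
check_all_vhosts() {
    addr=$1; shift
    fails=0
    for pair in "$@"; do
        check_vhost "${pair%%|*}" "$addr" "${pair#*|}" || fails=$((fails + 1))
    done
    return $fails
}

# Usage against the two hosts defined above (same IP, different names).
# A name no VirtualHost claims falls through to the first one listed, so
# "unknown.example.com|Apache" passing tells you the default is jbossas1.
# check_all_vhosts 192.168.122.20 \
#     "jbossas1.magnuskkarlsson.com|Apache" \
#     "virtualhost1.magnuskkarlsson.com|Hello World" \
#     "unknown.example.com|Apache"
```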
Example: forward all messages of severity info and above to the remote host 192.168.122.10. The selector '*.info' matches every facility at severity info or more severe; a single '@' means UDP, '@@' would mean TCP.
$ vi /etc/rsyslog.conf
...
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
...
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.info @192.168.122.10:514
...
Restart rsyslog for the changes to take effect.
$ service rsyslog restart
To test it, use the logger tool on the client.
$ logger "Hello from client"
Open /var/log/messages on server and verify.
/usr/share/doc/rsyslog-*/rsyslog_conf.html
Edit /etc/rsyslog.conf and enable the module imudp. This opens UDP port 514 to any sender: plain syslog carries no authentication or integrity protection, so restrict the port with iptables to the addresses of your clients and treat the received lines as untrusted input.
$ vi /etc/rsyslog.conf
...
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
...
Restart rsyslog for the changes to take effect.
$ service rsyslog restart
Edit /etc/rsyslog.conf and enable the module imtcp. TCP avoids the silent message loss of UDP and is harder to spoof, but it is still clear text; rsyslog can run the TCP transport over TLS where confidentiality and sender authentication matter.
$ vi /etc/rsyslog.conf
...
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
...
Restart rsyslog for the changes to take effect.
$ service rsyslog restart
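The wire format behind '*.info @host:514', as an added example that is not part of the original posts. A syslog datagram starts with <PRI>, where PRI = facility * 8 + severity in the RFC 3164 numbering, and a selector such as '*.info' matches its severity and everything more severe. Nothing in the message authenticates the sender, which the send function makes obvious: any host can emit a line with any hostname and tag. That function uses bash's /dev/udp, an assumption about the client shell; the rest is POSIX sh. Facility and severity names are the standard ones.

```sh
#!/bin/sh
# Added example, not from the original posts: syslog PRI arithmetic,
# selector matching and a raw UDP sender.

# Numeric code for a facility name (local0-local7 are 16-23).
syslog_facility() {
    case "$1" in
        kern) echo 0;; user) echo 1;; mail) echo 2;; daemon) echo 3;;
        auth) echo 4;; syslog) echo 5;; lpr) echo 6;; news) echo 7;;
        uucp) echo 8;; cron) echo 9;; authpriv) echo 10;; ftp) echo 11;;
        local[0-7]) echo $((16 + ${1#local}));;
        *) return 1;;
    esac
}

# Numeric code for a severity name (lower is more severe).
syslog_severity() {
    case "$1" in
        emerg|panic) echo 0;; alert) echo 1;; crit) echo 2;; err|error) echo 3;;
        warning|warn) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
        *) return 1;;
    esac
}

# PRI value for facility.severity, e.g. user.info -> 14.
syslog_pri() {
    echo $(( $(syslog_facility "$1") * 8 + $(syslog_severity "$2") ))
}

# Does a selector like '*.info' or 'auth.warning' match a message with
# the given facility and severity? It matches the named severity and
# everything more severe, which is why '*.info' also forwards err and crit.
selector_matches() {
    sel_fac=${1%%.*}; sel_sev=${1#*.}; fac=$2; sev=$3
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$fac" ] || return 1
    [ "$(syslog_severity "$sev")" -le "$(syslog_severity "$sel_sev")" ]
}

# Send one RFC 3164 style message over UDP (bash only, via /dev/udp).
# Anyone on the network can do the same with any hostname and tag, so a
# receiver must treat remote syslog data as untrusted input.
send_syslog_udp() {
    host=$1; port=$2; fac=$3; sev=$4; tag=$5; msg=$6
    line="<$(syslog_pri "$fac" "$sev")>$(date '+%b %e %H:%M:%S') $(hostname -s) $tag: $msg"
    printf '%s\n' "$line" > "/dev/udp/$host/$port"
}
# Example: send_syslog_udp 192.168.122.10 514 user info client "Hello from client"
```

The example send produces the same datagram that 'logger "Hello from client"' produces with the default user.notice facility changed to user.info; comparing the two in /var/log/messages on the server is a quick way to see that the hostname field is whatever the sender chose.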
System Activity Reporter, sar. To display 5 samples two seconds apart:
$ sar -u 2 5
...
12:01:10 PM CPU %user %nice %system %iowait %steal %idle
12:01:12 PM all 1.25 0.00 0.69 0.06 0.00 98.00
12:01:14 PM all 1.56 0.00 0.56 0.00 0.00 97.88
...
-u Report CPU utilization.
vmstat reports virtual memory statistics. To display 5 samples two seconds apart:
$ vmstat 2 5
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 0 9898656 325956 1829612 0 0 1 5 10 8 1 0 99 0 0
0 0 0 9898136 325960 1829692 0 0 0 24 721 3252 1 0 99 0 0
...
Report file system disk space usage.
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_rhel6-lv_root
77G 19G 55G 25% /
tmpfs 7.8G 740K 7.8G 1% /dev/shm
/dev/sda1 485M 87M 374M 19% /boot
/dev/mapper/vg_rhel6-lv_home
49G 7.8G 38G 18% /home
/dev/sdf1 3.8G 246M 3.5G 7% /media/0526-3346
-h, --human-readable Print sizes in human readable format (e.g., 1K 234M 2G)
iostat reports input/output statistics for devices, partitions and network file systems (NFS). To display 5 samples two seconds apart:
$ iostat -dNk 2 5
...
Device: tps kB_read/s kB_wrtn/s kB_read kB_wrtn
sda 3.53 8.77 92.35 3226500 33970982
vg_rhel6-lv_root 4.70 8.63 22.48 3173286 8268420
vg_rhel6-lv_swap 0.00 0.00 55.68 1288 20479992
vg_rhel6-lv_home 3.55 0.13 14.20 48597 5222552
sdf 0.00 0.04 0.00 15962 11
...
-d Display the device utilization report.
-N Display the registered device mapper names for any device mapper devices.
Useful for viewing LVM2 statistics.
-k Display statistics in kilobytes per second instead of blocks per second.
Data displayed are valid only with kernels 2.4 and later.
Network interface statistics from the sysstat history (with no interval given, the samples collected so far today are listed).
$ sar -n DEV
...
09:30:01 AM IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s
09:40:01 AM lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
09:40:01 AM eth0 0.16 0.16 0.04 0.04 0.00 0.00 0.00
09:40:01 AM wlan0 0.00 0.00 0.00 0.00 0.00 0.00 0.00
09:40:01 AM virbr0 0.28 0.41 0.05 0.06 0.00 0.00 0.00
09:40:01 AM virbr0-nic 0.00 0.00 0.00 0.00 0.00 0.00 0.00
09:40:01 AM vnet0 0.11 0.61 0.03 0.06 0.00 0.00 0.00
09:40:01 AM vnet1 0.16 0.81 0.02 0.05 0.00 0.00 0.00
09:50:01 AM lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
09:50:01 AM eth0 0.09 0.11 0.03 0.02 0.00 0.00 0.00
09:50:01 AM wlan0 0.00 0.00 0.00 0.00 0.00 0.00 0.00
09:50:01 AM virbr0 1.35 2.18 1.26 0.19 0.00 0.00 0.00
09:50:01 AM virbr0-nic 0.00 0.00 0.00 0.00 0.00 0.00 0.00
...
Configuring a RHEL client for LDAP and Kerberos can be done either graphically (system-config-authentication) or from the command line (authconfig).
On the command line it is hard to remember all the parameters, but '--help' makes it easier.
The LDAP parameters
$ authconfig --help | grep ldap
--enableldap enable LDAP for user information by default
--disableldap disable LDAP for user information by default
--enableldapauth enable LDAP for authentication by default
--disableldapauth disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn> default LDAP base DN
--enableldaptls, --enableldapstarttls
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
The Kerberos parameters.
$ authconfig --help | grep krb
--enablekrb5 enable kerberos authentication by default
--disablekrb5 disable kerberos authentication by default
--krb5kdc=<server> default kerberos KDC
--krb5adminserver=<server>
--krb5realm=<realm> default kerberos realm
--enablekrb5kdcdns enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns disable use of DNS to find kerberos KDCs
--enablekrb5realmdns enable use of DNS to find kerberos realms
--disablekrb5realmdns
And finally SSSD (System Security Services Daemon), which caches credentials and thereby enables off-line authentication. That cuts both ways: an unstable network connection does not stop you from logging in, but a password change or account lock-out made in the directory is not seen by the client until the cached entry expires or the client is back on line.
$ authconfig --help | grep sssd
--enablesssd enable SSSD for user information by default with
--disablesssd disable SSSD for user information by default (still
--enablesssdauth enable SSSD for authentication by default with
--disablesssdauth disable SSSD for authentication by default (still used
Let's put all this together, with --update at the end to write the configuration. Note the split: LDAP is used for user information only (--disableldapauth) and Kerberos for authentication, so no password is ever sent to the LDAP server, and the LDAP lookups themselves run over TLS with the CA certificate loaded from the given URL.
$ authconfig --enableldap --disableldapauth --ldapserver=<server> --ldapbasedn=<dn> --enableldaptls --ldaploadcacert=<URL> --enablekrb5 --krb5kdc=<server> --krb5adminserver=<server> --krb5realm=<realm> --enablesssd --enablesssdauth --update
We have three machines: the client, the apache server (192.168.122.10) and the jboss server (192.168.122.20).
SSH port forwarding from localhost:5555 to 192.168.122.20:8080.
$ ssh -L 5555:192.168.122.20:8080 root@localhost
Now test the tunnel by opening a web browser on the client and entering http://localhost:5555/. The tunnel is:
localhost:5555 -> (sshd on localhost) -> 192.168.122.20:8080
Now lets tunnel through apache server (192.168.122.10:22) to jboss server (192.168.122.20:8080).
$ ssh -L 5555:192.168.122.20:8080 root@192.168.122.10
The tunnel is now:
localhost:5555 -> 192.168.122.10:22 -> 192.168.122.20:8080
So every tunnel begins at the client that opens it, and the destination given to -L is resolved and connected to from the SSH server, not from the client. Two things to keep in mind: by default the local listener binds to the loopback address only, and -g or an explicit bind address such as 0.0.0.0:5555 would expose it to everyone who can reach the client; and port forwarding needs no privileges on the server, so use an unprivileged account instead of root.
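A small helper that spells out the path of an 'ssh -L' forward and refuses to open one whose listener would be reachable from the network. This is an added example, not code from the original post; addresses are the ones used above, the account name tunneluser is an assumption, and only IPv4 bind addresses are handled.

```sh
#!/bin/sh
# Added example, not from the original post: explain and guard 'ssh -L'.

# Print the path of a -L spec ([bind_address:]port:host:hostport) as seen
# from the client, e.g.
#   tunnel_path 5555:192.168.122.20:8080 192.168.122.10
#   -> 127.0.0.1:5555 -> ssh 192.168.122.10:22 -> 192.168.122.20:8080
tunnel_path() {
    spec=$1; server=$2
    # Three colon-separated fields means no bind address was given, and
    # ssh then listens on loopback only (unless -g or GatewayPorts is set).
    n=$(printf '%s' "$spec" | awk -F: '{print NF}')
    if [ "$n" -eq 3 ]; then
        bind=127.0.0.1; rest=$spec
    else
        bind=${spec%%:*}; rest=${spec#*:}
    fi
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    # The destination is resolved and connected to by sshd on the server,
    # so 'localhost' in a -L spec means the server, not the client.
    echo "$bind:$port -> ssh $server:22 -> $host:$hostport"
}

# 0 if the listener is loopback-only, 1 if other machines could use it
# (bind address 0.0.0.0, * or a LAN address).
tunnel_is_local() {
    case "$(tunnel_path "$1" "$2")" in
        127.0.0.1:*|localhost:*) return 0;;
        *) return 1;;
    esac
}

# Open the forward only when it stays local. -N (no remote command) and
# -f (go to background) suffice; no root account is needed for this.
open_tunnel() {
    if tunnel_is_local "$1" "$2"; then
        ssh -f -N -L "$1" "$3@$2"
    else
        echo "refusing network-exposed listener: $(tunnel_path "$1" "$2")" >&2
        return 1
    fi
}
# Example: open_tunnel 5555:192.168.122.20:8080 192.168.122.10 tunneluser
```

A forward that is deliberately shared with other hosts is a service: treat it like one, with a firewall rule and an owner, rather than an ad hoc 0.0.0.0 bind.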
Install the kernel documentation package, if you have not.
$ yum install kernel-doc -y
The package contains several documentation and you can list them all with 'rpm -ql kernel-doc'.
Show the current routing table.
$ ip route show
For the machine to route packets between its interfaces, the kernel parameter ip_forward must be on. Leave it at 0 on an ordinary host: a host that forwards packets can be used as a hop into every network it is attached to.
$ sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
And the corresponding documentation.
$ less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt
...
ip_forward - BOOLEAN
0 - disabled (default)
not 0 - enabled
Forward Packets between interfaces.
This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)
...
If you are not sure how to add a persistent static route, search the system documentation.
$ grep -ri "static route" /usr/share/doc/
...
/usr/share/doc/initscripts-9.03.40/sysconfig.txt: bring up static routes that depend on that device. Calls
/usr/share/doc/initscripts-9.03.40/sysconfig.txt: Set up static routes for a device.
...
$ less /usr/share/doc/initscripts-9.03.40/sysconfig.txt
...
/etc/sysconfig/network-scripts/route-<interface-name>
Contains lines that specify additional routes that should be added when the
associated interface is brought up.
The files are processed by the ifup-routes script and uses the /sbin/ipcalc
utility for all network masks and numbers. Routes are specified using the
syntax:
ADDRESSn=<network>
NETMASKn=<network/prefix mask>
GATEWAYn=<next-hop router/gateway IP address>
The "n" is expected to be consecutive positive integers starting from 0.
For example:
ADDRESS0=192.168.2.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.1.1
adds a network route to the 192.168.2.0 network via the gateway at
192.168.1.1. Since you must already have a route to the network of the
gateway, there is no need to specify a device.
Note: The ifup-routes script also supports an older syntax designed to be
used directly as an argument to "/sbin/ip route add".
If no "ADDRESSn" lines are found the following will still
work:
192.168.2.0/24 dev ppp0
adds a network route to the 192.168.2.0 network through ppp0.
...
Or add it from the command line; this is lost at the next reboot.
$ ip route add network/netmask via router_ip
Install the kernel documentation package, if you have not.
$ yum install kernel-doc -y
The package contains several documentation and you can list them all with 'rpm -ql kernel-doc'.
$ ping 192.168.122.10
PING 192.168.122.10 (192.168.122.10) 56(84) bytes of data.
64 bytes from 192.168.122.10: icmp_seq=1 ttl=64 time=0.171 ms
OK, the machine responds to ping.
Now use the kernel configuration tool, sysctl, to first list all parameters that contain 'icmp'.
$ sysctl -a | grep icmp
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv6.icmp.ratelimit = 1000
To find out what each parameter do read the kernel network ip sysctl documentation.
$ grep -A5 icmp /usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt
icmp_echo_ignore_all - BOOLEAN
If set non-zero, then the kernel will ignore all ICMP ECHO
requests sent to it.
Default: 0
...
And to set a kernel parameter at runtime (this does not survive a reboot).
$ sysctl -w net.ipv4.icmp_echo_ignore_all=1
Ping the server again; you should get no response.
To make the change permanent, add it to /etc/sysctl.conf (check first that the key is not already there, as the last occurrence wins) and apply the file with 'sysctl -p'.
$ echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
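A baseline check for the network sysctls discussed in the two posts above (ip_forward and the ICMP settings), as an added example that is not part of the original posts. It compares the kernel's values, from live 'sysctl -a' output or a saved copy, against an expected set and reports every deviation. The baseline values are my own choice for an ordinary non-routing host, not from the posts: forwarding off, ICMP redirects neither accepted nor sent, source routing off, reverse-path filtering on, plus the broadcast-ping and bogus-error settings the posts show as defaults.

```sh
#!/bin/sh
# Added example, not from the original posts: compare network sysctls
# against a baseline and report what deviates.

# Expected key=value pairs, one per line (assumed baseline, see lead-in).
sysctl_baseline() {
    cat <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
EOF
}

# Check a file in 'sysctl -a' format ("key = value" lines). Prints one
# "MISMATCH key expected actual" or "MISSING key expected" line per problem
# and returns the number of problems, so 0 means compliant.
sysctl_check() {
    sysctl_baseline | awk -F= '
        NR == FNR { want[$1] = $2; next }          # first input: baseline
        { key = $1; val = $2                         # second input: sysctl dump
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+/, "", val) }
        key in want { have[key] = val }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have)) { print "MISSING " k " " want[k]; bad++ }
                else if (have[k] != want[k]) { print "MISMATCH " k " " want[k] " " have[k]; bad++ }
            }
            exit bad + 0
        }' - "$1"
}

# Run the check against the running kernel.
sysctl_check_live() {
    tmp=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$tmp"
    sysctl_check "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
# Example: sysctl_check_live && echo "network sysctls match the baseline"
```

Because the check reads a file, the same function works on a dump collected from another machine, which is handy when auditing a fleet from a single host.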
Binding multiple network interfaces together into a single channel is called bonding. The reasons for doing this are:
Assigning multiple IP addresses to a single interface is called IP aliasing. This can be handy if you want a single web server to serve multiple sites.
It is advised to disable NetworkManager.
$ service NetworkManager stop; chkconfig NetworkManager off
Show current configuration for eth0.
$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:22:d1:df brd ff:ff:ff:ff:ff:ff
inet 192.168.122.20/24 brd 192.168.122.255 scope global eth0
inet6 fe80::5054:ff:fe22:d1df/64 scope link
valid_lft forever preferred_lft forever
Add IP alias.
$ ip addr add 192.168.122.250/24 dev eth0 label eth0:0
Show new configuration for eth0
$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:22:d1:df brd ff:ff:ff:ff:ff:ff
inet 192.168.122.20/24 brd 192.168.122.255 scope global eth0
inet 192.168.122.250/24 scope global eth0:0
inet6 fe80::5054:ff:fe22:d1df/64 scope link
valid_lft forever preferred_lft forever
To make it persistent edit the following
$ vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=192.168.122.250
PREFIX=24
ONPARENT=yes
Now restart network service.
$ service network restart
Ping from another machine
$ ping 192.168.122.250
PING 192.168.122.250 (192.168.122.250) 56(84) bytes of data.
64 bytes from 192.168.122.250: icmp_seq=1 ttl=64 time=1.05 ms
Install the package containing the rpmbuild tool that creates RPM packages.
$ yum install rpm-build
Install also a convenient development tool for setting up environment.
$ yum install rpmdevtools
Build RPM packages as a non-root user. The %install and %clean sections of a spec file run as shell commands, and a mistake such as 'rm -rf %{buildroot}' with an empty buildroot would otherwise run against the real file system. To create a dedicated user:
$ useradd rpmuser
Switch to the rpm user and, from its home directory, run:
$ rpmdev-setuptree
This creates an empty directory structure for your RPM package development.
$ vi ~/rpmbuild/SOURCES/hello.sh
#!/bin/bash
echo "Good morning, world."
We can test run to see that it actually runs.
$ chmod +x ~/rpmbuild/SOURCES/hello.sh
$ ~/rpmbuild/SOURCES/hello.sh
Good morning, world.
Now create the spec file for our hello package with vim, which on Fedora and RHEL fills a new .spec file with a template.
$ vim ~/rpmbuild/SPECS/hello.spec
Name: hello
Version: 1.0
Release: 1%{?dist}
Summary: A simple hello world application.
Group: Applications/File
License: GPLv2+
URL: http://magnus-k-karlsson.blogspot.se/
Source0: hello.sh
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
#BuildRequires:
Requires: bash
%description
# Prep is used to set up the environment for building the rpm package
# Expansion of source tar balls are done in this section
#%prep
#%setup -q
# Used to compile and to build the source
#%build
#%configure
#make %{?_smp_mflags}
# The installation.
%install
rm -rf %{buildroot}
#make install DESTDIR=%{buildroot}
mkdir -p %{buildroot}/usr/bin
install -p -m 0755 %{SOURCE0} %{buildroot}/usr/bin/hello.sh
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
/usr/bin/hello.sh
%doc
%changelog
$ rpmbuild -ba ~/rpmbuild/SPECS/hello.spec
Query (-q) the local package file (-p) for all its files (-l).
$ rpm -qpl rpmbuild/RPMS/x86_64/hello-1.0-1.el6.x86_64.rpm
/usr/bin/hello.sh
Now switch to root and install the package. Installing runs the package's scriptlets as root, so only install packages you built yourself or whose signature you have verified. Packages built this way are unsigned, which is why 'yum localinstall' with gpgcheck=1 refuses them; to make them acceptable, sign them with 'rpm --addsign' (using the GPG key named by %_gpg_name in ~/.rpmmacros), import the public key with 'rpm --import' and check with 'rpm -K'.
$ rpm -ivh /home/rpmuser/rpmbuild/RPMS/x86_64/hello-1.0-1.el6.x86_64.rpm
And test it.
$ hello.sh
Good morning, world.
And to uninstall it.
$ yum erase hello
...
There are numerous yum plugins. You can search for which are available.
$ yum search yum-plugin
...
PackageKit-yum-plugin.x86_64 : Tell PackageKit to check for updates when yum exits
anaconda-yum-plugins.noarch : Installation-related yum plugins
kabi-yum-plugins.noarch : The Red Hat Enterprise Linux kernel ABI yum plugin
yum-plugin-aliases.noarch : Yum plugin to enable aliases filters
yum-plugin-changelog.noarch : Yum plugin for viewing package changelogs before/after updating
yum-plugin-downloadonly.noarch : Yum plugin to add downloadonly command option
yum-plugin-protect-packages.noarch : Yum plugin to prevents Yum from removing itself and other protected packages
yum-plugin-security.noarch : Yum plugin to enable security filters
yum-plugin-tmprepo.noarch : Yum plugin to add temporary repositories
yum-plugin-verify.noarch : Yum plugin to add verify command, and options
yum-plugin-versionlock.noarch : Yum plugin to lock specified packages from being updated
Two of these deserve a closer look. yum-plugin-security lets you list and apply only the security errata ('yum list-security' and 'yum --security update'), which is what routine patching should use. What does yum-plugin-verify do?
"This plugin adds the commands verify, verify-all and verify-rpm. There are also a couple of options. This command works like rpm -V, to verify your installation." [yum info yum-plugin-verify]
For more information about each command, run 'yum --help'.
What does yum-plugin-versionlock do?
"This plugin takes a set of name/versions for packages and excludes all other versions of those packages (including optionally following obsoletes). This allows you to protect packages from being updated by newer versions, for example." [yum info yum-plugin-versionlock]
The yum-plugin-versionlock uses the /etc/yum/pluginconf.d/versionlock.list to lock down specific packages.
The following format is used for locking down. See /usr/share/doc/yum-plugin-versionlock-*/README.
EPOCH:NAME-VERSION-RELEASE.ARCH
Generate a key pair. The private key stays in ~/.gnupg, protected by the passphrase you choose; only the public key is ever exported.
$ gpg --gen-key
List all public keys.
$ gpg --list-keys
Export a public key.
$ gpg --armor --output "magnus.k.karlsson.txt.asc" --export "Magnus K Karlsson"
Import a public key from "Pelle Petterson". Anyone can generate a key with that name, so compare the fingerprint ('gpg --fingerprint') with Pelle over another channel before encrypting to it.
$ gpg --import pelle.petterson.txt.asc
Encrypt a file for recipient "Pelle Petterson", with public key from "Pelle Petterson".
$ gpg --armor --recipient "Pelle Petterson" --output "foo.txt.gpg" --encrypt "foo.txt"
Decrypt a file that was encrypted to your public key; this needs your private key and its passphrase.
$ gpg --output "foo.txt" --decrypt "foo.txt.gpg"
$ yum install -y openldap openldap-clients openldap-servers
Modify the domain (olcSuffix) and the LDAP super user (olcRootDN) in the database configuration file. Editing the files under /etc/openldap/slapd.d/ directly is only safe before the first start of slapd; afterwards use ldapmodify against cn=config.
$ egrep "Suffix|Root" /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
Set password for the LDAP super user. To create password use slappasswd.
$ slappasswd
New password: <redhat>
Re-enter new password: <redhat>
{SSHA}VG9HSAjxn19Qb3+gveyC2H5DlFRMIACD
And add the generated hash as olcRootPW to the same configuration file (never the clear-text password).
$ grep olcRootPW /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX
$ service slapd start
Create a text file /root/example.com.ldif with the following content.
# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin
# Base DN for users
dn: ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: users
# Base DN for groups
dn: ou=groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: groups
Add the entries. -x selects a simple bind, -D the identity to bind as and -W prompts for its password.
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /root/example.com.ldif
Enter LDAP Password: <redhat>
adding new entry "dc=example,dc=com"
adding new entry "cn=admin,dc=example,dc=com"
adding new entry "ou=users,dc=example,dc=com"
adding new entry "ou=groups,dc=example,dc=com"
Verify add with search.
$ ldapsearch -x -b 'dc=example,dc=com'
Add a user. The entry below is in the form migrationtools produces from /etc/passwd and /etc/shadow; the userPassword value {crypt}!! is a locked password, so the user can be looked up but cannot log in until a password is set with ldappasswd.
$ cat student.passwd.ldif
dn: uid=student,ou=users,dc=example,dc=com
uid: student
cn: student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 16128
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: 15770
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/student
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.passwd.ldif
Enter LDAP Password:
adding new entry "uid=student,ou=users,dc=example,dc=com"
$ cat student.group.ldif
dn: cn=student,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: student
userPassword: {crypt}x
gidNumber: 501
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.group.ldif
Enter LDAP Password:
adding new entry "cn=student,ou=groups,dc=example,dc=com"
On the client, install the LDAP client tools.
$ yum install openldap-clients
You can configure the client graphically, or with the command line tool authconfig.
$ authconfig --enableldap --enableldapauth --ldapserver=192.168.122.10 --ldapbasedn="dc=example,dc=com" --disableldaptls --update
--disableldaptls is only acceptable on an isolated lab network: with --enableldapauth the user's password travels to the LDAP server in a simple bind, and without TLS it is readable by anyone on the path. SSSD refuses to send a password over an unencrypted LDAP connection by default, so identity lookups (getent) will work but password logins will fail until you switch to --enableldaptls with --ldaploadcacert pointing at the server's CA certificate.
Starting sssd: [  OK  ]
$ getent passwd student
student:*:501:501:student:/home/student:/bin/bash
It is quite silly with a fixed width layout for HTML pages, which means a web page uses only a small part of a modern laptop or monitor screen. Why not make it dynamic and let people decide the size themselves by simply resizing their browser window? Static width makes no sense to me. So this is how I changed this blog, simple and safe: http://thewebthought.blogspot.com/2011/09/blogger-make-your-blog-fluid-fit-any.html.
The default setup of Fedora 20 has a quite annoying feature: the system beep. It sounds when using auto completion in a terminal window, but also in Firefox when a search in the page finds no results.
To disable the terminal beep:
$ xset b off
To disable the Firefox beep when an in-page search has no match, open about:config and set the following preference to false.
about:config
accessibility.typeaheadfind.enablesound
In this blog I will show you how to install, configure and test the default directory service in RHEL 6, OpenLDAP. LDAP directory services are commonly used for storing user accounts and authentication data.
$ yum install -y openldap openldap-clients openldap-servers
The OpenLDAP configuration changed in RHEL 6. Previously it was a configuration file, /etc/openldap/slapd.conf; now it is a configuration database located in /etc/openldap/slapd.d/.
Global configuration is stored in /etc/openldap/slapd.d/cn\=config.ldif.
$ cat /etc/openldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.bak
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
...
Database specific configuration is stored in /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif.
We will here change the olcSuffix (the domain for which the LDAP server provides information) and the olcRootDN (the LDAP super username).
$ grep olcSuffix /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=magnuskkarlsson,dc=com
$ grep olcRootDN /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootDN: cn=Manager,dc=magnuskkarlsson,dc=com
Finally we need to set a password for olcRootDN. We generate the hash with the slappasswd tool and add it as the directive olcRootPW to /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif; the file then holds only the salted SHA-1 hash, never the clear-text password.
$ slappasswd
New password: <redhat>
Re-enter new password: <redhat>
{SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX
$ grep olcRootPW /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX
$ service slapd start
And to automatically start OpenLDAP at boot time.
$ chkconfig slapd on
To test the installation we perform a simple search (a query, for the SQL-minded).
$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
...
dn:
namingContexts: dc=magnuskkarlsson,dc=com
...
Now we are going to add entries to the directory with the ldapadd tool, which expects an LDIF (LDAP Data Interchange Format) file.
$ cat /tmp/example.ldif
dn: dc=magnuskkarlsson,dc=com
objectclass: dcObject
objectclass: organization
o: Magnus K Karlsson AB
dc: magnuskkarlsson
dn: cn=Manager,dc=magnuskkarlsson,dc=com
objectclass: organizationalRole
cn: Manager
$ ldapadd -x -D "cn=Manager,dc=magnuskkarlsson,dc=com" -W -f /tmp/example.ldif
Enter LDAP Password: <redhat>
adding new entry "dc=magnuskkarlsson,dc=com"
adding new entry "cn=Manager,dc=magnuskkarlsson,dc=com"
Finally we test the added entries.
$ ldapsearch -x -b 'dc=magnuskkarlsson,dc=com' '(objectclass=*)'
...
# magnuskkarlsson.com
dn: dc=magnuskkarlsson,dc=com
objectClass: dcObject
objectClass: organization
o: Magnus K Karlsson AB
dc: magnuskkarlsson
# Manager, magnuskkarlsson.com
dn: cn=Manager,dc=magnuskkarlsson,dc=com
objectClass: organizationalRole
cn: Manager
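Both OpenLDAP posts verify the server with 'ldapsearch -x', a simple bind with no credentials. The same anonymous search with the userPassword attribute requested is a quick audit of the server's access control: no hash should come back. Below is an added example, not code from the original posts, that runs that search and scans the LDIF for exposed password values; the scanner is separate so it can also be run on saved output. Host and base DN are the ones used above.

```sh
#!/bin/sh
# Added example, not from the original posts: does an anonymous bind see
# password hashes?

# Anonymous search that asks explicitly for userPassword.
anon_password_search() {
    host=$1; base=$2
    ldapsearch -x -LLL -H "ldap://$host" -b "$base" '(objectClass=*)' userPassword
}

# Read LDIF on stdin and print the DN of every entry that exposes a
# password value, in either the plain ('userPassword: {SSHA}...') or the
# base64 ('userPassword:: ...') attribute form. Returns the number of
# such entries, so 0 means nothing leaked.
ldif_exposed_passwords() {
    awk '
        /^dn:/ { dn = $0; sub(/^dn:+ */, "", dn); seen = 0 }
        /^userPassword::? / && !seen { print dn; seen = 1; n++ }
        END { exit n + 0 }
    '
}

# Run the audit against a live server.
audit_anonymous_passwords() {
    anon_password_search "$1" "$2" | ldif_exposed_passwords
}
# Example: audit_anonymous_passwords 192.168.122.10 dc=example,dc=com \
#          || echo "userPassword is readable anonymously; add an olcAccess rule"
```

A reasonable access rule for that attribute lets the entry itself write it, lets anonymous clients use it only for binding ("by anonymous auth") and hides it from everyone else; the audit above tells you whether your cn=config already says that.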
Today the market demands faster response, which for computer operations means bringing up new machines faster. The Red Hat solution for this is kickstart, which standardizes and automates the installation of new RHEL instances.
The simplest way to create a working kickstart file is to install a new system the way you want it and then use the kickstart file that anaconda generates to install further machines.
The more advanced way is to start from scratch with the system-config-kickstart tool. That tool has a shortcoming, though: it cannot handle LVM.
The pragmatic way is to start from an anaconda-generated kickstart file, edit it with system-config-kickstart and finally add the LVM partitioning by hand.
Here I will show you the easy way and use the anaconda-generated file.
Let's get started and install a new RHEL instance manually. We will install it as a virtual machine, with KVM as hypervisor.
The requirements for this machine are:
We will select the last checkbox 'Review and modify...', so we can see what is actually done.
What we see above is that two primary partitions are created - vda1 and vda2.
The next step is the logical volumes: lv_root and lv_swap.
Note how few partitions are created here. For a server you would probably create more, e.g. a separate partition for /var/log on a production server, and for a desktop installation a separate partition for /home. But here we keep to the basic suggested layout.
The second noteworthy thing is the small swap space. The rule of thumb for a minimal production server installation is:
But remember that these are not hard rules; it depends on how often you restart the system. For a desktop installation you can get away with less swap.
Finally we select a minimal installation. When the installation finishes we end up with an anaconda-generated kickstart file in /root/anaconda-ks.cfg.
To make this kickstart file fully automatic we need to do three things:
# Kickstart file automatically generated by anaconda.
#version=DEVEL
install
cdrom
lang en_US.UTF-8
keyboard sv-latin1
network --onboot yes --device eth0 --bootproto dhcp --noipv6
rootpw --iscrypted $6$...$...
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Stockholm
bootloader --location=mbr --driveorder=vda --append="crashkernel=auto rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
zerombr
clearpart --all --drives=vda --initlabel
part /boot --fstype=ext4 --size=500
part pv.253002 --grow --size=1
volgroup vg_rhel6 --pesize=4096 pv.253002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_rhel6 --grow --size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_rhel6 --grow --size=819 --maxsize=819
reboot
%packages
@core
@server-policy
%end
The last step is to test it. First we need to make the file reachable during installation. The easiest way is an FTP or HTTP server; a network share over NFS or CIFS also works, but I recommend a known FTP server. Remember that whatever serves the file does so without authentication to anyone on the install network, so the file must contain only the hashed root password (rootpw --iscrypted, as generated) and nothing else secret, such as clear-text passwords in a %post section.
Now start a new RHEL installation. At the first menu, press TAB.
Then at the end enter 'ks=ftp://<server>/<path>' and press ENTER.