March 27, 2014

Fedora 20 Better Theme

The default theme (Adwaita) that Fedora 20 ships with is not the best, and besides, it has a large window border at the top of each window. A better theme that exists in the default rpm repo is Greybird. To install it:

yum install greybird-*

and to switch to it, use gnome-tweak-tool (rpm package gnome-tweak-tool).

March 26, 2014

Fedora 20 Install MySQL Server 5.5 and Workbench 6

MySQL Server 5.5

The MySQL packages have been renamed. The official open source version of MySQL is now MariaDB. To install the same version of MySQL on Fedora as in Enterprise Linux, such as RHEL, install these packages.

yum install community-mysql-server community-mysql-libs community-mysql

To start mysqld.

service mysqld start

Set MySQL root password to 'root'.

mysqladmin -u root password root

Finally login and test password.

$ mysql -u root -p
Enter password: <root>

MySQL Workbench 6

The workbench rpm is orphaned, so you need to download and install it manually from http://dev.mysql.com/downloads/tools/workbench/

$ rpm -pi /home/magnus/Downloads/mysql-workbench-community-6.0.9-1.fc20.x86_64.rpm 
error: Failed dependencies:
 libctemplate.so.2()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
 liblua-5.1.so()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
 libtinyxml.so.0()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
 libvsqlitepp.so.3()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
 libzip.so.2()(64bit) is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64
 python-paramiko is needed by mysql-workbench-community-6.0.9-1.fc20.x86_64

A little bit of searching for the packages that provide the dependencies, with 'yum provides', e.g.

yum provides "*/libctemplate.so.2"

And finally we end up with all the required packages.

yum install -y ctemplate-devel compat-lua-libs tinyxml vsqlite++ libzip python-paramiko

Then run the install of workbench again, start workbench and connect to your localhost.

Fedora 20 How to Install Eclipse

Before Eclipse started bundling itself into EE, C++, etc. bundles, it was a pain to install Eclipse and get all its plugins right. Then the bundles came: you download a zip file, unzip it, and off you go.

But a better way is to have RPM packages of everything, and that is what Fedora does. (Ubuntu does that too, but they don't have any modern version of Eclipse available.)

To install Eclipse 4.3.1 (Kepler)

$ yum install eclipse-platform

Now you can search for and install Eclipse plugins.

$ yum search eclipse
...
eclipse-gef.noarch : Graphical Editing Framework (GEF) Eclipse plugin
eclipse-anyedit.noarch : AnyEdit plugin for eclipse
eclipse-avr.noarch : AVR Eclipse Plugin Sources
eclipse-cdt.x86_64 : Eclipse C/C++ Development Tools (CDT) plugin
eclipse-changelog.noarch : Eclipse ChangeLog plug-in
eclipse-checkstyle.noarch : Checkstyle plugin for Eclipse
eclipse-cmakeed.noarch : CMake Editor plug-in for Eclipse
eclipse-dltk.noarch : Dynamic Languages Toolkit (DLTK) Eclipse plugin
eclipse-dtp.noarch : Eclipse Data Tools Platform
eclipse-eclox.noarch : Eclipse-based doxygen plugin
eclipse-egit.noarch : Eclipse Git Integration
eclipse-egit-github.noarch : Eclipse EGit Mylyn GitHub Connector
eclipse-emf.noarch : Eclipse Modeling Framework (EMF) Eclipse plugin
eclipse-epic.noarch : Perl Eclipse plug-in
eclipse-fedorapackager.noarch : Fedora Packager for Eclipse
eclipse-findbugs.noarch : Eclipse plugin for FindBugs
eclipse-jbosstools.noarch : Eclipse plugins that support JBoss and related technology
eclipse-jgit.noarch : Eclipse JGit
eclipse-linuxtools.noarch : Linux specific Eclipse plugins
eclipse-m2e-core.noarch : Maven integration for Eclipse

$ yum install eclipse-gef eclipse-anyedit eclipse-changelog eclipse-checkstyle eclipse-dltk eclipse-dtp eclipse-egit eclipse-emf eclipse-fedorapackager eclipse-findbugs eclipse-jbosstools eclipse-m2e-core eclipse-subclipse

Fedora 20 Disable Gnome Alt+Tab from Grouping Windows

Most modern Linux distros (and Windows too) nowadays group windows from the same application. I find this ineffective and it lowers my productivity.

To disable grouping when Alt-Tab switching, install the GNOME extension https://extensions.gnome.org/extension/15/alternatetab/

March 20, 2014

Install and Configure KVM on Fedora 20

Install

$ yum groupinstall Virtualization

To manage the KVM daemon - libvirtd.

$ service libvirtd [status|start|stop|restart]

Important directories.

  • Data - /var/lib/libvirt/
  • Configuration - /etc/libvirt/

Graphical manager, to install new virtual machines and control them.

$ virt-manager

Or the command line way.

$ virt-install --help

And to control the virtual machines, via command line.

$ virsh --help

March 16, 2014

HTTP Configure LDAP-Based Authentication

In my previous blog I showed you how to set up basic authentication via access file for a private directory. To do the same thing for LDAP, use this configuration instead.

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/example-ca.crt

<Directory "/private">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ldap.example.com/dc=example,dc=com" TLS
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

Reference

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

HTTP Configure Private Directories

Create Private Directory

Here we will make things a little more difficult: we are going to create our new directory outside the Apache default document root, which means we will need to handle the SELinux policy manually. We will get into detail on how to do that soon, but first let's create our new private directory.

$ mkdir /private
$ echo "<h1>Hello Private</h1>" > /private/index.html

Set file permissions.

$ chown root:root -R /private 
$ chmod 755 /private
$ chmod 644 /private/index.html

Ok, here is where things get a little more complicated. Let's first have a look at the SELinux file context of the default document root.

$ ll -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/

$ ll -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

$ ll -Z /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

Ok, now we know how things should look. Now let's look at how things currently look in our new directory.

$ ll -Zd /private/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /private/

The thing you should always try first is to restore the default SELinux policy. Let's do that.

$ restorecon -RFv /private/

$ ll -Zd /private/
drwxr-xr-x. root root system_u:object_r:default_t:s0   /private/

$ ll -Z /private/index.html 
-rw-r--r--. root root system_u:object_r:default_t:s0   /private/index.html

Ok, so the last part that is missing is the file context mapping for our directory. We can set that with semanage (policycoreutils-python package).

$ semanage fcontext -a -t httpd_sys_content_t '/private(/.*)?'

And to verify.

$ semanage fcontext -l | grep /private
/private(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0 

Now we only need to run restorecon on our new private directory.

$ restorecon -RFv /private
restorecon reset /private context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /private/index.html context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Configure Private Directory

Now let's begin by adding our new private directory as a public one and test it.

$ vi /etc/httpd/conf/httpd.conf
...
Alias /private/ "/private/"

<Directory "/private">
    Order deny,allow
    Deny from all
    Allow from all
</Directory>
...

Restart Apache and test our new private directory. If things are not working, go back and fix it.

Now we are going to add user authentication, but before that you might want to install the Apache manual.

$ yum install httpd-manual

We will here configure basic authentication with a file containing our user credentials.

LoadModule authn_file_module modules/mod_authn_file.so

<Directory "/private">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

To create the user credentials:

$ htpasswd -cm /etc/httpd/.htpasswd bob
New password: <redhat>
Re-type new password: <redhat>
Adding password for user bob

And now finally restart and test your new private directory.

Reference

http://httpd.apache.org/docs/2.2/mod/mod_authn_file.html

March 15, 2014

HTTP Deploy a Basic CGI Application

Prerequisite

You have successfully installed apache web server with default configuration.

Deploy

Copy our CGI script to default directory.

$ cat /var/www/cgi-bin/hello.cgi

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print <<HTML;
<html>
<head>
<title>A Simple Perl CGI</title>
</head>
<body>
<h1>A Simple Perl CGI</h1>
<p>Hello World</p>
</body>
HTML
exit;

Set file permission

$ chown root:root /var/www/cgi-bin/hello.cgi
$ chmod 755 /var/www/cgi-bin/hello.cgi

Set SELinux

$ restorecon -RFv /var/www/cgi-bin/hello.cgi

Test

Open http://<your-host>/cgi-bin/hello.cgi

HTTP Configure a Virtual Host

Introduction

Virtual hosts are good when you want to serve multiple web sites from the same web server.

Prerequisite

Install Apache Web Server.

$ yum install httpd

Since I do not have a reliable DNS, we need to hardcode the host names in /etc/hosts on the client.

$ cat /etc/hosts
...
192.168.122.20 jbossas1.magnuskkarlsson.com
192.168.122.20 virtualhost1.magnuskkarlsson.com

Initial Configuration

Configure Listen and ServerName, to be able to start the server clean without warnings.

$ egrep "Listen|ServerName" /etc/httpd/conf/httpd.conf
Listen 192.168.122.20:80
ServerName jbossas1.magnuskkarlsson.com:80

Also verify that the firewall (iptables) is configured, or stop it with 'service iptables stop'.

$ iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
...
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
...
8        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
...

Now check our installation by restarting the Apache web server and opening the URL 'jbossas1.magnuskkarlsson.com' from the client machine. You should see the Apache Welcome Page. If not, go back and fix it.

$ service httpd restart

Configure Name-Based Virtual Hosting

Now create two virtual hosts, one for the default host 'jbossas1.magnuskkarlsson.com' and one new 'virtualhost1.magnuskkarlsson.com'.

$ vi /etc/httpd/conf/httpd.conf 
...
NameVirtualHost 192.168.122.20:80

<VirtualHost 192.168.122.20:80>
    ServerName jbossas1.magnuskkarlsson.com
    ServerAdmin webmaster@jbossas1.magnuskkarlsson.com
    DocumentRoot /var/www/html
    ErrorLog logs/jbossas1.magnuskkarlsson.com-error_log
    CustomLog logs/jbossas1.magnuskkarlsson.com-access_log common
</VirtualHost>

<VirtualHost 192.168.122.20:80>
    ServerName virtualhost1.magnuskkarlsson.com
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/virtualhost1-magnuskkarlsson-com/html
    ErrorLog logs/virtualhost1.magnuskkarlsson.com-error_log
    CustomLog logs/virtualhost1.magnuskkarlsson.com-access_log common
</VirtualHost>

Now create the new document root for 'virtualhost1.magnuskkarlsson.com'.

$ mkdir -p /var/www/virtualhost1-magnuskkarlsson-com/html

Set file permissions.

$ chmod 755 /var/www/virtualhost1-magnuskkarlsson-com
$ chmod 755 /var/www/virtualhost1-magnuskkarlsson-com/html

Create test web page.

$ echo "Hello World" > /var/www/virtualhost1-magnuskkarlsson-com/html/index.html

Set SELinux for our new virtual host.

$ restorecon -RFv /var/www/

Test

Restart apache web server and test your new virtual host by accessing:

  1. http://virtualhost1.magnuskkarlsson.com/ (you should see default apache web server welcome page)
  2. http://jbossas1.magnuskkarlsson.com/ (you should see your 'Hello World' page)

Configure a System to Log to a Remote System.

Example: forward all info messages to the remote host 192.168.122.10.

$ vi /etc/rsyslog.conf
...
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
...
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.info @192.168.122.10:514
...

Restart rsyslog to let the changes take effect.

$ service rsyslog restart

And to test it, use the logger tool from the client.

$ logger "Hello from client"

Open /var/log/messages on server and verify.

Reference

/usr/share/doc/rsyslog-*/rsyslog_conf.html

Configure a System to Accept Logging from a Remote System

UDP

Edit /etc/rsyslog.conf and enable module imudp.

$ vi /etc/rsyslog.conf
...
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
...

Restart rsyslog to let the changes take effect.

$ service rsyslog restart

TCP

Edit /etc/rsyslog.conf and enable module imtcp.

$ vi /etc/rsyslog.conf
...
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
...

Restart rsyslog to let the changes take effect.

$ service rsyslog restart

Produce and Deliver Reports on System Utilization (Processor, Memory, Disk, and Network).

Processor

System Activity Reporter, sar. To display 5 samples, 2 seconds apart.

$ sar -u 2 5
...
12:01:10 PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:01:12 PM     all      1.25      0.00      0.69      0.06      0.00     98.00
12:01:14 PM     all      1.56      0.00      0.56      0.00      0.00     97.88
...
-u      Report  CPU  utilization.

Memory

vmstat - Report virtual memory statistics. To display 5 samples, 2 seconds apart.

$ vmstat 2 5
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0      0 9898656 325956 1829612    0    0     1     5   10    8  1  0 99  0  0 
 0  0      0 9898136 325960 1829692    0    0     0    24  721 3252  1  0 99  0  0 
...

Disk

Report file system disk space usage.

$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_rhel6-lv_root
                       77G   19G   55G  25% /
tmpfs                 7.8G  740K  7.8G   1% /dev/shm
/dev/sda1             485M   87M  374M  19% /boot
/dev/mapper/vg_rhel6-lv_home
                       49G  7.8G   38G  18% /home
/dev/sdf1             3.8G  246M  3.5G   7% /media/0526-3346
-h, --human-readable    Print sizes in human readable format (e.g., 1K 234M 2G)

Input/output statistics for devices, partitions and network filesystems (NFS). To display 5 samples, 2 seconds apart.

$ iostat -dNk 2 5
...
Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda               3.53         8.77        92.35    3226500   33970982
vg_rhel6-lv_root     4.70         8.63        22.48    3173286    8268420
vg_rhel6-lv_swap     0.00         0.00        55.68       1288   20479992
vg_rhel6-lv_home     3.55         0.13        14.20      48597    5222552
sdf               0.00         0.04         0.00      15962         11
...
-d     Display the device utilization report.
-N     Display the registered device mapper names for any device mapper devices.  
       Useful for viewing LVM2 statistics.
-k     Display statistics in kilobytes per second instead of blocks per second.  
       Data displayed are valid only with kernels 2.4 and later.

Network

$ sar -n DEV
...
09:30:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
09:40:01 AM        lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00
09:40:01 AM      eth0      0.16      0.16      0.04      0.04      0.00      0.00      0.00
09:40:01 AM     wlan0      0.00      0.00      0.00      0.00      0.00      0.00      0.00
09:40:01 AM    virbr0      0.28      0.41      0.05      0.06      0.00      0.00      0.00
09:40:01 AM virbr0-nic      0.00      0.00      0.00      0.00      0.00      0.00      0.00
09:40:01 AM     vnet0      0.11      0.61      0.03      0.06      0.00      0.00      0.00
09:40:01 AM     vnet1      0.16      0.81      0.02      0.05      0.00      0.00      0.00
09:50:01 AM        lo      0.00      0.00      0.00      0.00      0.00      0.00      0.00
09:50:01 AM      eth0      0.09      0.11      0.03      0.02      0.00      0.00      0.00
09:50:01 AM     wlan0      0.00      0.00      0.00      0.00      0.00      0.00      0.00
09:50:01 AM    virbr0      1.35      2.18      1.26      0.19      0.00      0.00      0.00
09:50:01 AM virbr0-nic      0.00      0.00      0.00      0.00      0.00      0.00      0.00
...

Configure a System to Authenticate Using Kerberos

You can either do this graphically (system-config-authentication) or via command line (authconfig).

When doing it with the command line it can be hard to remember all the parameters, but with the help of '--help' it is easier.

The LDAP parameters.

$ authconfig --help | grep ldap
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
  --ldapserver=<server>
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapstarttls
  --disableldaptls, --disableldapstarttls
  --ldaploadcacert=<URL>

The Kerberos parameters.

$ authconfig --help | grep krb
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
  --krb5adminserver=<server>
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
  --disablekrb5realmdns

And finally SSSD (System Security Services Daemon), which enables cached authentication, which in turn means off-line authentication is possible. That can be both good and bad: an unstable network connection does not stop you from logging in, but you also need to remember that the cached authentication data might be stale.

$ authconfig --help | grep sssd
  --enablesssd          enable SSSD for user information by default with
  --disablesssd         disable SSSD for user information by default (still
  --enablesssdauth      enable SSSD for authentication by default with
  --disablesssdauth     disable SSSD for authentication by default (still used

Let's put all this together and add --update at the end to update the authentication configuration.

$ authconfig --enableldap --disableldapauth --ldapserver=<server> --ldapbasedn=<dn> --enableldaptls --ldaploadcacert=<URL> --enablekrb5 --krb5kdc=<server> --krb5adminserver=<server> --krb5realm=<realm> --enablesssd --enablesssdauth --update

March 14, 2014

SSH Port Forwarding

We have 3 machines.

  1. Client (192.168.1.12)
  2. JBoss (192.168.122.20)
  3. Apache (192.168.122.10)

SSH port forwarding from localhost:5555 to 192.168.122.20:8080.

$ ssh -L 5555:192.168.122.20:8080 root@localhost

Now test your tunnel by opening a web browser on the client and entering http://localhost:5555/. The tunnel is:

localhost:5555 -> 192.168.122.20:8080

Now let's tunnel through the Apache server (192.168.122.10:22) to the JBoss server (192.168.122.20:8080).

$ ssh -L 5555:192.168.122.20:8080 root@192.168.122.10

The tunnel is now:

localhost:5555 -> 192.168.122.10:22 -> 192.168.122.20:8080

So every tunnel begins at the client, which opens the tunnel.

Adding a Static Route to the Route Table

Prerequisite

Install the kernel documentation package, if you have not.

$ yum install kernel-doc -y

The package contains several documentation files and you can list them all with 'rpm -ql kernel-doc'.

Display Current Routing

$ ip route show

Enabling Kernel Routing

To enable routing, the kernel parameter ip_forward needs to be on.

$ sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1

And the corresponding documentation.

$ less /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt
...
ip_forward - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        Forward Packets between interfaces.

        This variable is special, its change resets all configuration
        parameters to their default state (RFC1122 for hosts, RFC1812
        for routers)
...

If you are not sure how to add a static route, search the system documentation.

$ find /usr/share/doc/ -name "*" | xargs grep -i "static route"
...
/usr/share/doc/initscripts-9.03.40/sysconfig.txt:  bring up static routes that depend on that device.  Calls
/usr/share/doc/initscripts-9.03.40/sysconfig.txt:  Set up static routes for a device.
...
$ less /usr/share/doc/initscripts-9.03.40/sysconfig.txt
...
/etc/sysconfig/network-scripts/route-<interface-name>

  Contains lines that specify additional routes that should be added when the
  associated interface is brought up.

  The files are processed by the ifup-routes script and uses the /sbin/ipcalc
  utility for all network masks and numbers. Routes are specified using the
  syntax:

    ADDRESSn=<network>
    NETMASKn=<network/prefix mask>
    GATEWAYn=<next-hop router/gateway IP address>

  The "n" is expected to be consecutive positive integers starting from 0.
  For example:

    ADDRESS0=192.168.2.0
    NETMASK0=255.255.255.0
    GATEWAY0=192.168.1.1

  adds a network route to the 192.168.2.0 network via the gateway at
  192.168.1.1. Since you must already have a route to the network of the
  gateway, there is no need to specify a device.

  Note: The ifup-routes script also supports an older syntax designed to be
  used directly as an argument to "/sbin/ip route add".
  If no "ADDRESSn" lines are found the following will still
  work:
  
  192.168.2.0/24 dev ppp0
  
  adds a network route to the 192.168.2.0 network through ppp0.
...

Or you can add it via the CLI, but this will not be permanent.

$ ip route add network/netmask via router_ip
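To see how the route-<interface-name> syntax quoted above maps onto the `ip route add` form, here is an added example (not the ifup-routes script itself) that converts a route file into the argument strings ip route add would receive, validating the addresses and enforcing the consecutive-n rule from sysconfig.txt; parse_route_file and both sample files are constructed here.

```python
import ipaddress
import re

# Constructed sample of /etc/sysconfig/network-scripts/route-eth0 in the
# ADDRESSn/NETMASKn/GATEWAYn syntax described in sysconfig.txt.
ROUTE_FILE_NEW_SYNTAX = """\
# constructed sample route-eth0
ADDRESS0=192.168.2.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.1.1
ADDRESS1=10.10.0.0
NETMASK1=255.255.0.0
GATEWAY1=192.168.1.254
"""

# Constructed sample in the older syntax: each line is passed as-is
# to `ip route add` (only honoured when no ADDRESSn lines exist).
ROUTE_FILE_OLD_SYNTAX = """\
192.168.2.0/24 dev ppp0
"""

_VAR_RE = re.compile(r"^(ADDRESS|NETMASK|GATEWAY)(\d+)=(.*)$")


def parse_route_file(text):
    """Return the `ip route add` argument strings a route-<iface> file
    describes. Raises ValueError on a malformed entry rather than skipping
    it silently, since a bad static route is easy to miss at boot."""
    variables = {}
    old_style = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _VAR_RE.match(line)
        if m:
            variables[m.group(1) + m.group(2)] = m.group(3).strip()
        else:
            old_style.append(line)

    routes = []
    n = 0
    # ifup-routes expects n to be consecutive integers starting at 0.
    while "ADDRESS%d" % n in variables:
        address = variables["ADDRESS%d" % n]
        netmask = variables.get("NETMASK%d" % n)
        gateway = variables.get("GATEWAY%d" % n)
        if netmask is None or gateway is None:
            raise ValueError("route %d is missing NETMASK or GATEWAY" % n)
        # ip_network accepts a dotted mask or a prefix length; strict=False
        # masks off any host bits, as ipcalc would compute the network.
        network = ipaddress.ip_network("%s/%s" % (address, netmask), strict=False)
        next_hop = ipaddress.ip_address(gateway)
        routes.append("%s via %s" % (network.with_prefixlen, next_hop))
        n += 1

    defined = {int(k[len("ADDRESS"):]) for k in variables if k.startswith("ADDRESS")}
    if defined and max(defined) >= n:
        raise ValueError("ADDRESSn entries are not consecutive from 0")
    if n == 0:
        routes.extend(old_style)
    elif old_style:
        raise ValueError("unexpected lines mixed with ADDRESSn syntax: %r" % old_style)
    return routes
```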

Disable Ping Request (ICMP Echo) in Linux Kernel

Prerequisite

Install the kernel documentation package, if you have not.

$ yum install kernel-doc -y

The package contains several documentation files and you can list them all with 'rpm -ql kernel-doc'.

Test Before

$ ping 192.168.122.10
PING 192.168.122.10 (192.168.122.10) 56(84) bytes of data.
64 bytes from 192.168.122.10: icmp_seq=1 ttl=64 time=0.171 ms

Ok. The machine is responding to ping.

Set Kernel Parameter to Ignore Ping (ICMP echo) Request

Now use the kernel configuration tool, sysctl, to first list all parameters that contain icmp.

$ sysctl -a | grep icmp
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv6.icmp.ratelimit = 1000

To find out what each parameter does, read the kernel network ip sysctl documentation.

$ grep -A5 icmp /usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt 
icmp_echo_ignore_all - BOOLEAN
 If set non-zero, then the kernel will ignore all ICMP ECHO
 requests sent to it.
 Default: 0
...

And to set the kernel parameter.

$ sysctl -w net.ipv4.icmp_echo_ignore_all=1

Now test again by pinging the server; you should not get any response.

To make the changes permanent.

$ echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf

Network Bonding in RHEL 6

Introduction

Binding multiple network interfaces together into a single channel is called bonding.

The reasons for doing this are to achieve:

  1. Round robin around network interfaces.
  2. Master - slave for redundancy.
  3. Throughput. Use all at the same time.

Reference

RHEL 6 Deployment Guide

IP Aliases in RHEL 6

Introduction

Assigning multiple IP addresses to a single interface is called IP aliasing. This can be handy if you want a single web server to serve multiple sites.

Prerequisite

It is advised to disable NetworkManager.

$ service NetworkManager stop; chkconfig NetworkManager off

Configuration

Show current configuration for eth0.

$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:22:d1:df brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.20/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe22:d1df/64 scope link 
       valid_lft forever preferred_lft forever

Add IP alias.

$ ip addr add 192.168.122.250/24 dev eth0 label eth0:0

Show the new configuration for eth0.

$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:22:d1:df brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.20/24 brd 192.168.122.255 scope global eth0
    inet 192.168.122.250/24 scope global eth0:0
    inet6 fe80::5054:ff:fe22:d1df/64 scope link 
       valid_lft forever preferred_lft forever

To make it persistent, edit the following file.

$ vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=192.168.122.250
PREFIX=24
ONPARENT=yes

Now restart network service.

$ service network restart

Test

Ping from another machine

$ ping 192.168.122.250
PING 192.168.122.250 (192.168.122.250) 56(84) bytes of data.
64 bytes from 192.168.122.250: icmp_seq=1 ttl=64 time=1.05 ms

Reference

/usr/share/doc/initscripts-*/sysconfig.txt

March 13, 2014

Build a Simple RPM Package

Prerequisite

Install the package that contains the rpmbuild tool, which creates the rpm package.

$ yum install rpm-build

Also install a convenient development tool for setting up the environment.

$ yum install rpmdevtools

When building rpm packages you should do that as a non-root user. To create a new user:

$ useradd rpmuser

Setup

Change to the rpm user and from its home directory run:

$ rpmdev-setuptree

This will create a new empty directory structure for your rpm package development.

Creating the Program

$ vi ~/rpmbuild/SOURCES/hello.sh

#!/bin/bash
echo "Good morning, world."

We can test run it to see that it actually runs.

$ chmod +x ~/rpmbuild/SOURCES/hello.sh
$ ~/rpmbuild/SOURCES/hello.sh
Good morning, world.

Creating the RPM Spec File

Now with the help of vim, which will create a template spec file, we will create an rpm spec file for our hello rpm package.

$ vim ~/rpmbuild/SPECS/hello.spec
Name:   hello  
Version: 1.0 
Release: 1%{?dist}
Summary:  A simple hello world application. 

Group:  Applications/File
License: GPLv2+
URL:  http://magnus-k-karlsson.blogspot.se/  
Source0: hello.sh 
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

#BuildRequires: 
Requires: bash

%description

# Prep is used to set up the environment for building the rpm package
# Expansion of source tar balls are done in this section
#%prep
#%setup -q

# Used to compile and to build the source
#%build
#%configure
#make %{?_smp_mflags}

# The installation.
%install
rm -rf %{buildroot}
#make install DESTDIR=%{buildroot}
mkdir -p %{buildroot}/usr/bin
cp %{SOURCE0} $RPM_BUILD_ROOT/usr/bin/.

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
/usr/bin/hello.sh
%doc

%changelog

Build the RPM

$ rpmbuild -ba ~/rpmbuild/SPECS/hello.spec

Test the RPM

Query (q) the local package (p) for all its files (l).

$ rpm -qpl rpmbuild/RPMS/x86_64/hello-1.0-1.el6.x86_64.rpm
/usr/bin/hello.sh

Now switch to root and install the package.

$ rpm -pi /home/rpmuser/rpmbuild/RPMS/x86_64/hello-1.0-1.el6.x86_64.rpm

And test it.

$ hello.sh 
Good morning, world.

And to uninstall it.

$ yum erase hello
...

Yum Plugins

There are numerous yum plugins. You can search for which are available.

$ yum search yum-plugin
...
PackageKit-yum-plugin.x86_64 : Tell PackageKit to check for updates when yum exits
anaconda-yum-plugins.noarch : Installation-related yum plugins
kabi-yum-plugins.noarch : The Red Hat Enterprise Linux kernel ABI yum plugin
yum-plugin-aliases.noarch : Yum plugin to enable aliases filters
yum-plugin-changelog.noarch : Yum plugin for viewing package changelogs before/after updating
yum-plugin-downloadonly.noarch : Yum plugin to add downloadonly command option
yum-plugin-protect-packages.noarch : Yum plugin to prevents Yum from removing itself and other protected packages
yum-plugin-security.noarch : Yum plugin to enable security filters
yum-plugin-tmprepo.noarch : Yum plugin to add temporary repositories
yum-plugin-verify.noarch : Yum plugin to add verify command, and options
yum-plugin-versionlock.noarch : Yum plugin to lock specified packages from being updated

What does yum-plugin-verify do?

"This plugin adds the commands verify, verify-all and verify-rpm. There are also a couple of options. This command works like rpm -V, to verify your installation." [yum info yum-plugin-verify]

For more information about each command, run 'yum --help'.

What does yum-plugin-versionlock do?

"This plugin takes a set of name/versions for packages and excludes all other versions of those packages (including optionally following obsoletes). This allows you to protect packages from being updated by newer versions, for example." [yum info yum-plugin-versionlock]

The yum-plugin-versionlock uses the /etc/yum/pluginconf.d/versionlock.list to lock down specific packages.

The following format is used for locking down. See /usr/share/doc/yum-plugin-versionlock-*/README.

EPOCH:NAME-VERSION-RELEASE.ARCH

Encrypting Files with GnuPG

Generate a private key.

$ gpg --gen-key

List all public keys.

$ gpg --list-keys

Export a public key.

$ gpg --armor --output "magnus.k.karlsson.txt.asc" --export "Magnus K Karlsson"

Import the public key of "Pelle Petterson".

$ gpg --import pelle.petterson.txt.asc

Encrypt a file for recipient "Pelle Petterson", with public key from "Pelle Petterson".

$ gpg --armor --recipient "Pelle Petterson" --output "foo.txt.gpg" --encrypt "foo.txt"

Decrypt a file encrypted with your public key.

$ gpg --output "foo.txt" --decrypt "foo.txt.gpg"

Using OpenLDAP as Authentication Directory Service in RHEL 6

Installing OpenLDAP

$ yum install -y openldap openldap-clients openldap-servers

Configure OpenLDAP

Modify the domain (olcSuffix) and the LDAP super user name (olcRootDN).

$ egrep "Suffix|Root" olcDatabase\=\{2\}bdb.ldif 
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com

Set the password for the LDAP super user. To create the password hash use slappasswd.

$ slappasswd 
New password: <redhat>
Re-enter new password: <redhat>
{SSHA}VG9HSAjxn19Qb3+gveyC2H5DlFRMIACD

And add the password hash to the configuration file.

$ grep olcRootPW /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX

Start the LDAP server.

$ service slapd start

Create OpenLDAP Schema

Create a text file /root/example.com.ldif with the following content.

# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

# Base DN for users
dn: ou=users,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: users

# Base DN for groups
dn: ou=groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: groups

Add the entries. -x selects a simple bind and -W prompts for the olcRootPW password set above.

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /root/example.com.ldif 
Enter LDAP Password: <redhat>
adding new entry "dc=example,dc=com"

adding new entry "cn=admin,dc=example,dc=com"

adding new entry "ou=users,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

Verify add with search.

$ ldapsearch -x -b 'dc=example,dc=com'

Add User and Group to OpenLDAP

The user entry carries the same attributes as a line in /etc/passwd plus /etc/shadow (objectClasses posixAccount and shadowAccount). The values below are those of a freshly migrated account: userPassword {crypt}!! is the RHEL marker for "no password set yet" and can never match a password, and shadowExpire 15770 (days since 1970-01-01, i.e. 2013-03-06) lies before shadowLastChange 16128 (2014-02-27), so the account is already expired. Lookups will work, but password logins will not until a real hash is set (for example with ldappasswd) and shadowExpire is raised or removed. Also pick uidNumber and gidNumber values that do not collide with local accounts in /etc/passwd; RHEL 6 allocates local UIDs from 500 upwards, so 501 is a likely clash.

# cat student.passwd.ldif
dn: uid=student,ou=users,dc=example,dc=com
uid: student
cn: student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 16128
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: 15770
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/student

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.passwd.ldif 
Enter LDAP Password: 
adding new entry "uid=student,ou=users,dc=example,dc=com"

The group entry is a posixGroup. Its userPassword: {crypt}x line is the migrated /etc/group password field and can be left out.

# cat student.group.ldif 
dn: cn=student,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: student
userPassword: {crypt}x
gidNumber: 501
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f student.group.ldif 
Enter LDAP Password: 
adding new entry "cn=student,ou=groups,dc=example,dc=com"
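An added example (not code from the post) that reads LDIF like the two files above and reports, for every posixAccount, why a password login would fail on a given day: a locked or unset userPassword, a shadowExpire in the past, an expired password, a gidNumber with no matching posixGroup, or a uidNumber already taken locally. The sample LDIF is constructed to match the student entries; the set of local UIDs passed in is an assumption.

```python
import datetime

EPOCH = datetime.date(1970, 1, 1)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    '#' comments and continuation lines that start with one space. Attribute
    names are folded to lower case (LDAP treats them case-insensitively) and
    values are kept in lists because attributes such as objectClass repeat.
    Base64 ('attr:: value') and changetype records are out of scope."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    return entries


def password_is_locked(value):
    """Detect userPassword values that can never match, the way pam_unix reads
    /etc/shadow: a {crypt} hash starting with '!' or '*' (passwd -l, usermod -L)
    or one shorter than the 13 characters of traditional crypt(3) output, such
    as the RHEL markers '!!' and 'x'. Other schemes ({SSHA}, ...) are checked by
    slapd itself and are not inspected here."""
    if not value:
        return True
    if not value.lower().startswith("{crypt}"):
        return False
    hashed = value[len("{crypt}"):]
    return hashed.startswith(("!", "*")) or len(hashed) < 13


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def audit_ldif(text, today, local_uids=frozenset()):
    """Return {dn: [problems]} for every posixAccount in the LDIF, judged as of
    'today' (datetime.date or ISO string). local_uids are UIDs already present
    in the client's /etc/passwd (assumed input), which an LDAP user must not reuse."""
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    now = (today - EPOCH).days
    entries = parse_ldif(text)
    known_gids = {e["gidnumber"][0] for e in entries
                  if has_class(e, "posixGroup") and "gidnumber" in e}
    report = {}
    for e in entries:
        if not has_class(e, "posixAccount"):
            continue
        problems = []
        if password_is_locked(e.get("userpassword", [""])[0]):
            problems.append("password locked or unset")
        expire = e.get("shadowexpire")
        if expire and 0 <= int(expire[0]) <= now:        # -1 means never expires
            problems.append("account expired on %s"
                            % (EPOCH + datetime.timedelta(days=int(expire[0]))))
        last, smax = e.get("shadowlastchange"), e.get("shadowmax")
        if last and smax and int(last[0]) + int(smax[0]) < now:
            problems.append("password expired")
        if e["gidnumber"][0] not in known_gids:
            problems.append("gidNumber %s has no posixGroup" % e["gidnumber"][0])
        if int(e["uidnumber"][0]) in local_uids:
            problems.append("uidNumber %s collides with a local user" % e["uidnumber"][0])
        report[e["dn"][0]] = problems
    return report


# Constructed sample, shaped like the student entries above.
SAMPLE_LDIF = """\
dn: uid=student,ou=users,dc=example,dc=com
uid: student
cn: student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 16128
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: 15770
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/student

dn: cn=student,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 501
"""

if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF, "2014-03-11", local_uids={0, 500}).items():
        print(dn, "->", problems or ["ok"])
```

Run on the sample with the post's date, it flags exactly the two things a getent test cannot see: the locked password and the expired account.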

Configure Client Authentication through LDAP

$ yum install openldap-clients

You can configure this graphically with system-config-authentication, or via the command line tool authconfig.

$ authconfig --enableldap --enableldapauth --ldapserver=192.168.122.10 --ldapbasedn="dc=example,dc=com" --disableldaptls --update
Starting sssd:                                             [  OK  ]

With --disableldaptls every bind, including the user's password at login, crosses the network in cleartext on port 389. That is acceptable for this lab on an isolated network only; anywhere else use --enableldaptls and hand the client the CA certificate with --ldaploadcacert.

Test

$ getent passwd student
student:*:501:501:student:/home/student:/bin/bash

getent only proves that NSS resolves the user through sssd. Authentication goes through PAM and has to be tested separately, for instance by logging in as the user on a console or over ssh.


March 12, 2014

Blogspot Blogger set Dynamic Width

It is quite silly to use a fixed-width layout for HTML pages, which means a page uses only a small part of a modern laptop or monitor screen. Why not make it dynamic and let people choose the size themselves, simply by resizing the browser window? A static width does not make sense to me. So this is how I changed this blog; simple and safe: http://thewebthought.blogspot.com/2011/09/blogger-make-your-blog-fluid-fit-any.html.

How to Disable System Beep in Fedora 20

The default setup of Fedora 20 has a quite annoying feature: the system beep. It sounds when using auto completion in a terminal window, and also in Firefox when a search in the page finds no results.

To disable the terminal beep for the current X session.

$ xset b off

To disable the Firefox beep when an in-page search finds nothing, open about:config and set the following preference to false.

about:config
accessibility.typeaheadfind.enablesound

March 11, 2014

Installing RHEL 6 Default Directory Servers, OpenLDAP

Introduction

In this post I will show how to install, configure and test the default directory service in RHEL 6, OpenLDAP. LDAP directories are commonly used to store authentication credentials and account data.

1. Install

$ yum install -y openldap openldap-clients openldap-servers

2. Configure

The OpenLDAP configuration was changed in RHEL 6. It used to be the single file /etc/openldap/slapd.conf; it is now a configuration database (cn=config) stored as LDIF files under /etc/openldap/slapd.d/.

Global configuration is stored in /etc/openldap/slapd.d/cn\=config.ldif.

$ cat /etc/openldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.bak
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
...

Database specific configuration is stored in /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif.

We will here change the olcSuffix (the domain for which the LDAP server provides information) and the olcRootDN (the LDAP super username).

$ grep olcSuffix /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcSuffix: dc=magnuskkarlsson,dc=com
$ grep olcRootDN /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootDN: cn=Manager,dc=magnuskkarlsson,dc=com

Finally we need to set a password for olcRootDN. We generate it with the slappasswd tool, which by default outputs a salted SHA-1 hash ({SSHA}), and add it as the directive olcRootPW in /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif (with slapd stopped, since slapd rewrites these files).

$ slappasswd 
New password: <redhat>
Re-enter new password: <redhat>
{SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX
$ grep olcRootPW /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}0aIvJ8mtnCYGqDc5YhW2C9rRLJwWv/HX

3. Start

$ service slapd start

And to automatically start OpenLDAP at boot time.

$ chkconfig slapd on

4. Test

To test the installation we perform a simple search (a query, for the SQL people). This one reads the root DSE anonymously and works even before any entries have been added.

$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
...
dn:
namingContexts: dc=magnuskkarlsson,dc=com
...

Now we are going to add entries to the directory. For that we use the ldapadd tool, which expects an LDIF (LDAP Data Interchange Format) file; -x selects a simple bind and -W prompts for the olcRootPW password.

$ cat /tmp/example.ldif
dn: dc=magnuskkarlsson,dc=com
objectclass: dcObject
objectclass: organization
o: Magnus K Karlsson AB
dc: magnuskkarlsson

dn: cn=Manager,dc=magnuskkarlsson,dc=com
objectclass: organizationalRole
cn: Manager
$ ldapadd -x -D "cn=Manager,dc=magnuskkarlsson,dc=com" -W -f /tmp/example.ldif
Enter LDAP Password: <redhat>
adding new entry "dc=magnuskkarlsson,dc=com"

adding new entry "cn=Manager,dc=magnuskkarlsson,dc=com"

Finally we test the added entries.

$ ldapsearch -x -b 'dc=magnuskkarlsson,dc=com' '(objectclass=*)'
...
# magnuskkarlsson.com
dn: dc=magnuskkarlsson,dc=com
objectClass: dcObject
objectClass: organization
o: Magnus K Karlsson AB
dc: magnuskkarlsson

# Manager, magnuskkarlsson.com
dn: cn=Manager,dc=magnuskkarlsson,dc=com
objectClass: organizationalRole
cn: Manager