Installing Puppet in RHEL7/CentOS 7

In this post we will see how to install Puppet on RHEL7/CentOS 7.

Nowadays administration tasks are rapidly moving to automation, which reduces manpower, cost and time. In this situation it is mandatory for system administrators to learn at least one scripting language and one automation tool. Automating tasks on the server side is very critical and important. There are lots of tools available for automation; here we are going to look at Puppet.

What is Puppet?

It is an open source tool developed by Puppet Labs for Linux, Unix, Mac and Windows machines. Puppet is written in Ruby and is mostly used for automating jobs on the server and pushing jobs from the server to its clients.

Features:

Avoids duplication of work.

Powerful framework.

Mature tool.

Simplifies system administrator tasks.

Makes fast and repeated changes automatically.

Maintains system consistency and integrity.

Very easy to manage VMs, cloud and physical machines.

Enabling EPEL repository and dependencies for installation:

The system time should be set accurately on the server which is going to act as the master server, so set the time on your server first.

Make sure that both the master and agent servers can resolve each other's hostnames, so add entries to the /etc/hosts file on both.

Once the time is fixed, enable the EPEL repository using the command below.

RHEL7/CentOS 7:

[root@server init.d]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.yXngEr: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:epel-release-7-10 ################################# [100%]

List the EPEL repository packages:

[root@server init.d]# yum --disablerepo=* --enablerepo=epel list

Now, to get Puppet ready we have to use Apache with Passenger. To get that, download the repo file and place it in /etc/yum.repos.d/.

[root@server init.d]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo

To set up the puppet master/node we now need to enable the Puppet Labs repository and its dependencies; run this on both the master and agent servers.

[root@server init.d]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Preparing... ################################# [100%]
 package puppetlabs-release-22.0-2.noarch is already installed


Installing Puppet:

Use the command below to install the Puppet server. This installs an init script (/etc/init.d/puppetmaster) that runs a test-quality puppet master.

[root@server ~]# yum install puppet-server

Installed:
 puppet-server.noarch 0:3.8.7-1.el7

Dependency Installed:
 facter.x86_64 1:2.4.6-1.el7 hiera.noarch 0:1.3.4-1.el7 libselinux-ruby.x86_64 0:2.5-6.el7 libyaml.x86_64 0:0.1.4-11.el7_0
 puppet.noarch 0:3.8.7-1.el7 ruby.x86_64 0:2.0.0.648-29.el7 ruby-augeas.x86_64 0:0.4.1-3.el7 ruby-irb.noarch 0:2.0.0.648-29.el7
 ruby-libs.x86_64 0:2.0.0.648-29.el7 ruby-shadow.x86_64 1:2.2.0-2.el7 rubygem-bigdecimal.x86_64 0:1.2.0-29.el7 rubygem-io-console.x86_64 0:0.4.2-29.el7
 rubygem-json.x86_64 0:1.7.7-29.el7 rubygem-psych.x86_64 0:2.0.0-29.el7 rubygem-rdoc.noarch 0:4.0.0-29.el7 rubygems.noarch 0:2.0.14.1-29.el7

Complete!

Now we need to configure the puppet master/agent architecture. In our case this node is going to work as the master server, so edit the /etc/puppet/puppet.conf file and set dns_alt_names and certname.

[root@server ~]# vi /etc/puppet/puppet.conf
[main]
 dns_alt_names=server,server.lbcdomain.com
 certname=server.lbcdomain.com

Save and exit from the file.

Run the command below to create the puppet master certificate:

[root@server ~]# puppet master --verbose --no-daemonize

Once you see “Notice: Starting Puppet master version 3.8.7”, press Ctrl+C to kill the process.

Now we will configure the web server:

Puppet comes with a basic built-in web server, which is normally not used in production. Before managing nodes with the puppet master we will configure the web server first.

[root@server ~]# yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ pygpgme curl

Now install Passenger and its Apache module:

[root@server ~]# yum install -y mod_passenger

Create the parent, public and tmp directories for the application. Copy ext/rack/config.ru from the Puppet source into the parent directory and set its ownership to the puppet user.

[root@server ~]# mkdir -p /usr/share/puppet/rack/puppetmasterd
[root@server ~]# mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
[root@server ~]# cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
[root@server ~]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

Create a configuration file that adds a virtual host for Puppet, and put the entries below in it.

[root@server ~]# vi /etc/httpd/conf.d/puppetmaster.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on

        SSLCertificateFile      /var/lib/puppet/ssl/certs/server.lbcdomain.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/server.lbcdomain.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile   /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

         DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Now restart the Apache service.

[root@server ~]# systemctl restart httpd

Enable Apache to start at boot, and disable the puppet service from starting at boot (Apache/Passenger now serves the master).

[root@server ~]# systemctl disable puppet.service
[root@server ~]# systemctl enable httpd.service

Now open the puppet listening port, 8140/tcp, in the firewall:

[root@server ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent
[root@server ~]# firewall-cmd --reload


Now install Puppet on the node machines:

Before starting the puppet agent installation, configure the yum repositories the same way as on the master server.

Command to install puppet:

[root@client ~]# yum -y install puppet

Add the puppet master server details to the puppet configuration file as below.

[root@node ~]# vi /etc/puppet/puppet.conf

[agent]
server = server.lbcdomain.com

Now start the puppet service on the node machine and enable it to start automatically at boot.

[root@client ~]# systemctl start puppet
[root@client ~]# systemctl enable puppet

Now sign the puppet agent node's certificate on the puppet master server:

The agent node requests a certificate the first time it attempts to run.

Log in to the master puppet server and execute the command below.

[root@server ~]# puppet cert list

"node.lbcdomain.com" (SHA256) D4:88:EC:C5:0A:F7:5D:4E:32:C5:B3:61:E0:51:7B:0C:CD:B3:49:9E:68:0B:E7:5D:75:19:1D:0B:92:8A:E7:C1

Run the command below to sign the certificate request:

[root@server ~]# puppet cert sign node.lbcdomain.com

Notice: Signed certificate request for node.lbcdomain.com
Notice: Removing file Puppet::SSL::CertificateRequest node.lbcdomain.com at '/var/lib/puppet/ssl/ca/requests/node.lbcdomain.com.pem'

Run the command below on the puppet agent node to verify the certificate and do a first catalog run.

[root@client ~]# puppet agent -t

Info: Caching certificate for node.lbcdomain.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for node.lbcdomain.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node.lbcdomain.com
Info: Applying configuration version '1445401911'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.09 seconds

Finally, we have completed the puppet master and agent configuration successfully.


SSH Authentication in RHEL7/CentOS 7

In this post we will see how to enable SSH key authentication in RHEL7/CentOS 7.

SSH key authentication lets us log in to a server/node without a password.
Here we have two servers:

server.lbcdomain.com : 192.168.43.226
node2.localdomain.com : 192.168.43.67

Now install the OpenSSH packages with the command below on both servers.

[root@server ~]# yum -y install openssh

Now enable the service permanently and start it.

[root@server ~]# systemctl enable sshd.service

[root@server ~]# systemctl start sshd.service

Then edit the /etc/ssh/sshd_config file and, if PasswordAuthentication is set to no, change it to yes (password login is needed once so that the public key can be copied over).

[root@server ~]# vi /etc/ssh/sshd_config

Then change the line below from no to yes:

PasswordAuthentication No

Then save and exit from the file.

This is the right time to generate the key pair, using the command below.

Press Enter to confirm the default path (/home/root/.ssh/id_rsa) and file name for the RSA keys.

Next, press Enter at the passphrase prompt to leave it blank.

After that, you will receive a message with the RSA key pair details.

[root@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa):
Created directory '/home/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/root/.ssh/id_rsa.
Your public key has been saved in /home/root/.ssh/id_rsa.pub.
The key fingerprint is:
d5:44:c4:ef:ef:49:ff:fe:e0:06:ed:d3:0e:71:e4:08 sshuser1@server
The key's randomart image is:
+--[ RSA 2048]----+
| ++ |
| o. |
| . E. .|
| . ..+ |
| S oo o|
| . oo |
| oo+ |
| .=o=|
| ..*X|
+-----------------+

[sshuser1@server root]$ cd ~/.ssh/
[sshuser1@server .ssh]$ ls
id_rsa id_rsa.pub

We generated the keys above; now we copy the public key to the remote server that we want to log in to from this server without a password.

Use the command below to copy the public key:

#ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Now open the /etc/ssh/sshd_config file on the node2 server and make the change below.

PasswordAuthentication no

Save and exit from the file.

Now restart the sshd service on both servers.

RHEL7:
 systemctl restart sshd

RHEL6:
service sshd restart

We have almost completed the SSH key authentication. To test it, log in from server.lbcdomain.com to node2.lbcdomain.com using ssh:

#ssh [email protected]
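One detail that trips people up when flipping PasswordAuthentication back and forth as above: sshd honours the first uncommented occurrence of a directive and ignores later duplicates, so appending a second PasswordAuthentication line at the bottom of sshd_config changes nothing if an earlier line already says yes. The POSIX sh helpers below are an added example, not code from the original post or from OpenSSH; they report the value sshd will actually use and rewrite the directive so the change sticks. The config fragment is constructed for the demo. On a live server, `sshd -t` checks the syntax and `sshd -T` prints the effective values.

```shell
#!/bin/sh
# Added example, not from the original post: sshd honours the FIRST
# uncommented occurrence of a directive and ignores later duplicates, so a
# "PasswordAuthentication no" appended below an existing "yes" changes
# nothing. These helpers show the effective value and rewrite it in place.
# The config fragment at the bottom is constructed for the demo.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_effective CONFIG KEY -> prints the value sshd would use for KEY
# (first uncommented match, keyword compared case-insensitively), or
# nothing when the compiled-in default applies.
sshd_effective() {
    awk -v key="$(lower "$2")" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# sshd_set CONFIG KEY VALUE -> drops every existing KEY line, commented or
# not, and writes a single authoritative "KEY VALUE" line at the top so no
# earlier duplicate can shadow it.
sshd_set() {
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$(lower "$2")" '
            {
                l = tolower($0)
                if (l ~ ("^[[:space:]]*#?[[:space:]]*" key "([[:space:]=]|$)")) next
                print
            }' "$1"
    } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# --- constructed demo ----------------------------------------------------
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config fragment
#PasswordAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
# a later duplicate that sshd silently ignores:
PasswordAuthentication no
EOF

echo "before: PasswordAuthentication=$(sshd_effective "$cfg" PasswordAuthentication)"
sshd_set "$cfg" PasswordAuthentication no
echo "after:  PasswordAuthentication=$(sshd_effective "$cfg" PasswordAuthentication)"
cat "$cfg"
```

Run `sshd_set /etc/ssh/sshd_config PasswordAuthentication no` on node2 once the key has been copied, then `sshd -t` and the restart shown above; `sshd_effective` is the offline equivalent of `sshd -T | grep -i passwordauthentication`.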


Booting process in RHEL7/CentOS 7

In this post we will see the booting process in RHEL7/CentOS 7. It is very important to know the boot process of any operating system, because it helps us troubleshoot boot issues.

Below are the boot stages:

BIOS:

BIOS stands for Basic Input Output System.

It performs a POST (Power-On Self-Test) to check the system hardware.

Then it searches for, loads and executes the MBR (Master Boot Record) in memory.

MBR:

MBR stands for Master Boot Record.

The MBR is the first 512 bytes of the boot drive. Of these 512 bytes, 446 bytes contain the boot loader code, 64 bytes contain the partition table, and the remaining 2 bytes are the MBR validation signature. The boot drive can be anything: hard disk, pen drive, floppy.

The MBR searches for and loads the GRUB2 boot loader into memory, and control moves to the boot loader.
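To make the 446/64/2 layout concrete, the POSIX sh script below (an added example, not from the original post) builds a 512-byte image with that structure and parses it back: the 0x55AA signature at offset 510 and the boot flag and type byte of each 16-byte partition entry starting at offset 446. The image is constructed here; the same functions work read-only on the first sector of a real disk saved with `dd if=/dev/sda of=mbr.bin bs=512 count=1`.

```shell
#!/bin/sh
# Added example, not from the original post: build a 512-byte image with the
# MBR layout described above (446 bytes boot code, four 16-byte partition
# entries from offset 446, 0x55AA signature at offset 510) and parse it back.
# The image is constructed here; a real first sector can be read the same way.

# mbr_signature IMAGE -> the two signature bytes at offset 510 as hex.
mbr_signature() {
    od -An -tx1 -j510 -N2 "$1" | tr -d ' \n'
}

# mbr_valid IMAGE -> 0 when the signature is 55aa (the "2 bytes for MBR
# validation" mentioned above), 1 otherwise.
mbr_valid() {
    [ "$(mbr_signature "$1")" = "55aa" ]
}

# mbr_part_field IMAGE ENTRY(0-3) BYTE -> one byte of a partition entry as
# hex; byte 0 is the boot flag (80 = active), byte 4 the partition type.
mbr_part_field() {
    od -An -tx1 -j"$((446 + $2 * 16 + $3))" -N1 "$1" | tr -d ' \n'
}

# mbr_summary IMAGE -> one line per partition entry: index, boot flag, type.
mbr_summary() {
    i=0
    while [ "$i" -lt 4 ]; do
        printf 'entry %d: boot=%s type=%s\n' "$i" \
            "$(mbr_part_field "$1" "$i" 0)" "$(mbr_part_field "$1" "$i" 4)"
        i=$((i + 1))
    done
}

# --- constructed sample image (octal escapes keep printf POSIX-portable) ----
img=$(mktemp)
dd if=/dev/zero of="$img" bs=512 count=1 2>/dev/null
# entry 0 at offset 446: boot flag 0x80 (active), type 0x83 (Linux) at byte 4
printf '\200' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
printf '\203' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null
# entry 1 at offset 462: inactive, type 0x8e (Linux LVM) at byte 4
printf '\216' | dd of="$img" bs=1 seek=466 conv=notrunc 2>/dev/null
# signature 0x55 0xAA at offset 510
printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null

mbr_valid "$img" && echo "signature ok" || echo "not a valid MBR"
mbr_summary "$img"
```

A sector that fails `mbr_valid` is either not an MBR-style disk (GPT disks keep a protective MBR, so they still pass) or has been damaged, which is one reason GRUB may not be found at boot.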

GRUB2 Bootloader:

GRUB stands for Grand Unified Bootloader.

GRUB2 is the default boot loader in RHEL7.

The GRUB configuration file is /boot/grub2/grub.cfg. Editing this file directly is not advisable.

GRUB defaults file:

# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet net.ifnames=0"
GRUB_DISABLE_RECOVERY="true"

To change these settings, edit the /etc/default/grub file.

Once modified, execute the command below to apply the change to the main configuration file (/boot/grub2/grub.cfg).

# grub2-mkconfig -o /boot/grub2/grub.cfg

GRUB holds the kernel image (vmlinuz) and initramfs image details.

GRUB searches for and loads the kernel image into memory, and extracts the initramfs image contents into a memory-based filesystem called tmpfs.

initramfs stands for initial RAM disk.

The initial ramdisk loads the block device drivers (HDD, CD, floppy, etc.) so that the real root filesystem can be found and mounted. Until that root filesystem is mounted, initramfs acts as a temporary root filesystem.

The kernel mounts the initramfs image as the first stage of a two-stage boot process.

Use the lsinitrd command to view the initramfs contents.

Kernel:

The kernel starts the systemd process, which gets PID 1 as it is the first process.

root 1 0 0 02:10 ? 00:00:02 /usr/lib/systemd/systemd --switched-root --system --deserialize 23

Systemd:

Systemd is the first process.

It reads the /etc/systemd/system/default.target file to determine the default system target. The target file defines the services that systemd starts.

Systemd brings the system up to the default target (the equivalent of a runlevel) and performs system initialization such as setting the hostname and network settings, initializing SELinux, printing the welcome banner and mounting all filesystems.


Configuring LDAP based authentication in RHEL7

What is LDAP?

LDAP: Lightweight Directory Access Protocol

This authentication allows client machines to access centralized data/services from different places.

Keeping services/data centralized makes them simple to maintain and lets us grant or deny permission centrally.

Installing OpenLDAP:

[root@server ~]# yum -y install openldap*


Make sure that SELinux does not deny LDAP. For that, enable the SELinux booleans below on both the server and the client.

[root@server ~]# setsebool -P allow_ypbind=1 authlogin_nsswitch_use_ldap=1

Now enable the ldap service permanently and start it.

[root@server ~]# systemctl enable slapd
[root@server ~]# systemctl start slapd

Since the ldap service runs as the ldap user, that user should own the /var/lib/ldap directory. By default it is created by root, as root is the administrator.
So we have to change the owner and group to the ldap user. Before that, copy the slapd database configuration file into /var/lib/ldap with the name DB_CONFIG.

Note: the sample file is available at /usr/share/openldap-servers/DB_CONFIG.example

[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’? y

Now change the owner to the ldap user recursively for that directory.

[root@server ~]# chown -R ldap:ldap /var/lib/ldap

Now set a password for the LDAP admin user and keep a copy of the generated hash for later use.

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB


LDAP configuration files are available under /etc/openldap/slapd.d/.
We need to update the “olcSuffix” and “olcRootDN” variables.

olcSuffix: the domain for which the LDAP server provides information.
olcRootDN: the administrator entry that has full permission to do operations, like root (Root Distinguished Name).

olcRootPW: the password of the above user.

These entries live in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file.
Note: updating the entries manually is not advisable, so we are going to create an ldif file and apply it with the ldapmodify command.

Now create the db.ldif file with the following contents:

[root@server cn=config]# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

Save and exit.

Once the file is created with the above content, execute the command below:

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@server cn=config]#

Make the changes below in the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif file to restrict monitor access to the LDAP root user only.

[root@server ~]# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=lbcdomain,dc=com" read by * none

Save and exit from the file.

Once the file is created with the above content, send the configuration to the LDAP server using the ldapmodify command.

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

[root@server cn=config]#

Creating the LDAP certificate:

Now create a self-signed certificate and private key for the LDAP server in the /etc/openldap/certs/ directory using the command below.

[root@server cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lbcdomainldapcert.pem -keyout /etc/openldap/certs/lbcdomainldapkey.pem -days 365
Generating a 2048 bit RSA private key
..........................................................................................................................................................................................................................+++
................+++
writing new private key to '/etc/openldap/certs/lbcdomainldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Chennai
Organization Name (eg, company) [Default Company Ltd]:Linux Book Center
Organizational Unit Name (eg, section) []:Linux Book Center
Common Name (eg, your name or your server's hostname) []:Server
Email Address []:[email protected]

Now change the owner and group of the key files.

[root@server cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem

[root@server certs]# ll | grep pem
-rw-r--r--. 1 ldap ldap 1480 Aug 15 11:32 lbcdomainldapcert.pem
-rw-r--r--. 1 ldap ldap 1708 Aug 15 11:32 lbcdomainldapkey.pem


Create certs.ldif file to configure LDAP to use secure communication using self signed certificates.

[root@server certs]# vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lbcdomainldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lbcdomainldapkey.pem

Once the file is created, import the certificate configuration using the ldapmodify command below.

[root@server certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

[root@server certs]#


Use the below command to verify the configuration:

[root@server certs]# slaptest -u
5992a281 UNKNOWN attributeDescription "CHANGETYPE" inserted.
5992a281 UNKNOWN attributeDescription "REPLACE" inserted.
5992a281 is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
5992a281 is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded

LDAP database creation:

A sample database configuration file is available at /usr/share/openldap-servers/DB_CONFIG.example. Copy it to /var/lib/ldap and change the file ownership.

[root@server certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server certs]# chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"


[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"
[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"

Now create an ldif file for our domain:

[root@server certs]# vi base.ldif

dn: dc=lbcdomain,dc=com
dc: lbcdomain
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=lbcdomain,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: Group

Now build the directory structure:

[root@server certs]# ldapadd -x -W -D "cn=ldapadm,dc=lbcdomain,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=lbcdomain,dc=com"
ldap_add: Already exists (68)

We have configured the LDAP server; now we will use LDAP credentials to access centralized data/services such as an NFS share.

What is SELinux?

SELinux stands for Security-Enhanced Linux. It is a set of security modules/policies applied on a machine to increase the overall security of the server. These modules are loaded into the kernel and checked while accessing files/services, which improves security. It came with RHEL5 and is more secure compared to PAM and initd.

Modes in SELinux:

Enforcing:
In this mode the policy is enforced strictly.

Permissive:
In this mode SELinux only gives warnings when the SELinux policy is breached.

Disabled:
In this mode SELinux is totally disabled.

Policy types in SELinux:
SELinux uses two policy types.
Targeted – targeted processes/services are protected by SELinux
MLS – Multi Level Security protection

Command to check the SELinux mode:

[root@server ~]# getenforce
permissive

The output will be Enforcing, Permissive or Disabled.

Command to check the SELinux status in summary:

[root@server ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Command to check the SELinux status in detail, including the policy booleans:

[root@server ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Policy booleans:
abrt_anon_write off
abrt_handle_event off
abrt_upload_watch_anon_write on
antivirus_can_scan_system off
antivirus_use_jit off
auditadm_exec_content on
authlogin_nsswitch_use_ldap off
authlogin_radius off
authlogin_yubikey off
awstats_purge_apache_log_files off
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cluster_manage_all_files off
cluster_use_execmem off
cobbler_anon_write off

How to disable SELinux?

SELinux can be disabled in two ways.

1. To disable it permanently, edit the /etc/selinux/config file and change SELINUX=enforcing to SELINUX=disabled (takes effect after a reboot).

2. To disable enforcement temporarily (the mode becomes permissive until reboot), execute the command below

 #echo 0 > /sys/fs/selinux/enforce

or

 #setenforce 0

How to enable SELinux?

In the same way, SELinux can be enabled in two ways.

1. To enable it permanently, edit the /etc/selinux/config file and change SELINUX=disabled to SELINUX=enforcing (takes effect after a reboot).

2. To enable enforcement temporarily (when SELinux is loaded in permissive mode), execute the command below

 #echo 1 > /sys/fs/selinux/enforce

or

 #setenforce 1
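The permanent change above is a one-line edit, but a misspelled value (the page itself shows how easy "disbaled" is to type) ends up in a file that is only read at boot. The POSIX sh helpers below are an added example, not code from the original post or from the SELinux tools: they read the SELINUX= value from a config file, rewrite it only if it is one of the three legal values, and leave SELINUXTYPE= and the comment lines alone. The file path is a parameter, so the demo runs on a constructed copy; on the live /etc/selinux/config this needs root, the new value applies after a reboot, and the running mode is still whatever getenforce reports.

```shell
#!/bin/sh
# Added example, not from the original post: read and change the persistent
# SELinux mode in /etc/selinux/config. The file path is a parameter so the
# demo runs on a constructed copy; on the live file this needs root, the new
# value applies only after a reboot, and setenforce changes the running mode
# only (getenforce shows it).

# selinux_config_mode FILE -> prints the SELINUX= value, ignoring the
# commented-out explanation lines and the separate SELINUXTYPE= key.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); print $2; exit
             }' "$1"
}

# set_selinux_config_mode FILE MODE -> rewrites the SELINUX= line in place.
# Only the three legal values are accepted, so a misspelling such as
# "disbaled" is rejected instead of being written into the file.
set_selinux_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $2" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v mode="$2" '
        /^[[:space:]]*SELINUX[[:space:]]*=/ { print "SELINUX=" mode; seen = 1; next }
        { print }
        END { if (!seen) print "SELINUX=" mode }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# --- constructed demo on a copy of the config --------------------------------
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed copy of /etc/selinux/config
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

echo "config mode: $(selinux_config_mode "$cfg")"
set_selinux_config_mode "$cfg" enforcing && echo "now: $(selinux_config_mode "$cfg")"
```

Comparing `selinux_config_mode /etc/selinux/config` with `getenforce` is a quick way to spot a host whose persistent and running modes have drifted apart, which is exactly the situation the temporary commands above create.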


Command to list all the modules:

[root@server ~]# semodule -l
abrt
accountsd
acct
afs
aiccu
aide
ajaxterm
alsa
amanda
amtu
anaconda
antivirus
apache
apcupsd
apm
application

Command to enable a module:

In the command below the -v flag shows what the command is doing.

[root@server ~]# semodule -v -e application
Attempting to enable module 'application':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.

Command to disable a module:

[root@server ~]# semodule -v -d application
Attempting to disable module 'application':
Ok: return value of 0.
Committing changes:


Linux Basic Commands: ls, mkdir, rm, cd, pwd, cat, touch

The ls command lists files and directories.

[root@server ~]# ls
192.168.0.101 Downloads ks.cfg Pictures Templates
file25 localhost Public testscript1.sh
file26 mem.sh testscript.sh

ls -a lists everything, including hidden files.

[root@server ~]# ls -a
. chandu forloop1 Music sedfile
.. .config forloop2.sh numbers server
192.168.0.101 .cshrc hst.txt output .ssh
abu data .ICEauthority output1 tcp.txt

The mkdir command creates a directory.

[root@server ~]# mkdir test

To delete a directory, use the rm -rf command with the directory name.

[root@server ~]# rm -rf test

cd <dir_name> changes to the named directory.

[root@server ~]# cd data

cd ~ changes to the home directory of the current user.

[root@server ~]# cd ~
[root@server ~]# pwd
/root

cd .. changes to the parent directory of the present working directory.

[root@server ~]# cd ..
[root@server /]# pwd
/

The pwd command prints the present working directory.

[root@server etc]# pwd
/etc

The rm command removes a file and asks for user confirmation.

[root@server ~]# rm file1
rm: remove regular empty file ‘file1’? y

To delete a file without user confirmation, use the -f option.

[root@server ~]# rm -f file1

We will use the vi editor, cat and touch to create files. The touch command creates empty files.

[root@server ~]# touch file1

We will explain the vi editor in the next post, because there are multiple operations to explain there; for now we will see the cat command operations.

Creating and reading a file using the cat command:

After entering your content into the file, press Enter to go to the next line and then press Ctrl+C to save and exit.

To read a file, use the syntax cat <filename> as shown below.

[root@server ~]# cat > file2
This is a test file
^C
[root@server ~]# cat file2
This is a test file

Use the command below to append one file's content to another file. This does not remove the existing content of the target file; it copies the new content after the last line.

Even if file3 does not exist, it is created automatically and the content of file2 is copied into it.

[root@server ~]# cat file2 >> file3

The command below copies the content of two files into a single file. To append to an existing file use the >> symbol instead of >, which adds the two files' content without deleting or modifying the existing content.

[root@server ~]# cat file2 file3 > file4


How to perform a kickstart installation for Linux?

What is a kickstart installation?

A kickstart installation is an unattended installation, where we can install the operating system without sitting in front of the system until the installation completes.

For this we need to create a kickstart configuration file which contains all the details, such as language, time zone, network details, partition details, package details, etc.

1. Creating a Kickstart configuration File

By default, a kickstart configuration file is available in the /root directory with the name anaconda-ks.cfg on any Linux machine that is already installed. By editing this file we can create a new kickstart file for our requirement. Compared to that method, creating the kickstart file in graphical mode is much easier.

GUI mode must be working on our machine to create the kickstart file with the graphical utility.

Log in to the server in graphical mode as the root user and issue the command below to open the kickstart configuration window.

[root@server ~]# system-config-kickstart

A window will open to configure the new kickstart file.

In this window we need to provide the required details in each section by selecting the options available in the left pane.

Basic Configuration:

Default language and keyboard layout, time zone, root password, architecture and the reboot option after installing the operating system.

Installation Method:

Whether this is going to be a new installation or an upgrade, and which source we are going to use for the OS media.

Boot Loader Option:

It is advisable to use the “Install new boot loader” option.

Partition Information:

Depending on your requirement you can create partitions, or you may leave it to the OS to create them automatically.

Network Configuration:

Based on your requirement you can provide static or DHCP IPs; you should select the adapter first.

Authentication, Firewall Configuration & Display Configuration:

You may leave these at their defaults. If you have a specific reason, select the option you need.

Package Selection:

Here we need to specify what type of server you are going to install, e.g. Web server, Minimal package, DNS Server, Application Server, etc.

By default it will be minimal only.

Pre and Post Installation Script:

You may leave it.

After creating the file use File -> Save to save the configuration. Here I'm saving this file under /root with the name ks.cfg.

If you are going to install an operating system with the same configuration, you can open the existing file available on your machine under the /root directory.

2. Verifying the Kickstart File

After creating the kickstart configuration file, we verify it using the command below. We need to install the package called pykickstart to get the command.

The ksvalidator command checks the syntax of the created kickstart file.

[root@server ~]# yum install pykickstart

[root@server ~]# ksvalidator /root/ks.cfg

3. Making the Kickstart File Available

Now I'm going to use the http service to access the created kickstart file over the network for the unattended installation.

Simply install the httpd package and start the service on the remote machine where we are going to keep the kickstart file.

Then copy the created kickstart file from /root to /var/www/html/kickstart/, under the default location from which pages are served over http.

[root@server ~]# yum install httpd
[root@server ~]# systemctl start httpd
[root@server ~]# mkdir -p /var/www/html/kickstart
[root@server ~]# cp /root/ks.cfg /var/www/html/kickstart/

4. Making the Installation Source Available

This section specifies which source of OS media we are going to use for this installation. We can use local media, NFS, HTTP, HTTPS or FTP.

For a local media installation we simply use the OS media or OS image file (if we are installing in a virtual machine); for the other options the OS image is placed on a remote machine and accessed using one of the protocols mentioned.

In our case we are going to install in VMware using a local media (OS image file) source together with a kickstart file, which is placed on a remote machine and accessed using the http service.

5. Starting the Kickstart Installation

Now start the virtual machine created in VMware and interrupt the boot by pressing the Tab key on the keyboard; you will get a screen like the one below.

Now add the entry below to specify the http location of the kickstart file.

inst.ks=http://192.168.43.226/kickstart/ks.cfg

Then press enter to begin the installation.
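Beyond the syntax check ksvalidator gives, a practitioner usually wants to know whether the file hands out a clear-text root password or disables SELinux and the firewall on every host built from it. The following shell lint is an added example, not part of the original post or of the kickstart tools; the two ks.cfg files it scans are constructed inline and the hash in the second one is a placeholder.

```shell
# Added example, not from the original post: after ksvalidator has checked the
# syntax, lint the kickstart file for settings that weaken the installed host.
# Assumes POSIX sh and grep; both ks.cfg files below are constructed here.

# ks_lint FILE: print one FINDING line per weak setting, return their count
ks_lint() {
    findings=0
    # rootpw without --iscrypted puts the clear-text root password in a file
    # that anyone who can reach the kickstart HTTP share is able to read
    if grep -Eq '^[[:space:]]*rootpw' "$1" &&
       ! grep -Eq '^[[:space:]]*rootpw[[:space:]].*--iscrypted' "$1"; then
        echo "FINDING: rootpw is not --iscrypted"; findings=$((findings + 1))
    fi
    for directive in selinux firewall; do
        if grep -Eq "^[[:space:]]*$directive[[:space:]]+--disabled" "$1"; then
            echo "FINDING: $directive --disabled"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed weak file (rootpw --plaintext is the kickstart form for a clear-text password)
KS_WEAK=$(mktemp)
cat > "$KS_WEAK" <<'EOF'
rootpw --plaintext Secret123
selinux --disabled
firewall --disabled
%packages
@core
%end
EOF

# Same content with a hashed root password (placeholder hash) and the defaults kept
KS_FIXED=$(mktemp)
cat > "$KS_FIXED" <<'EOF'
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
selinux --enforcing
firewall --enabled --ssh
%packages
@core
%end
EOF

rc=0; ks_lint "$KS_WEAK" || rc=$?
echo "weak file: $rc findings"    # 3
rc=0; ks_lint "$KS_FIXED" || rc=$?
echo "fixed file: $rc findings"   # 0
```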

Configuring bonding on RHEL7 step by step

What is bonding?

Two or more network adapters are combined into a single logical network pipe.

The logical network interface works as the master and the physical network interfaces work as slaves.

The IP address is assigned to the logical interface instead of the physical interfaces.

Only the logical interface is used for any internal/external network traffic.

It has several modes of operation, each with a different behaviour.

Modes:

  1. Round robin
  2. Active backup
  3. XOR
  4. Broadcast

Advantages:

  1. Better throughput
  2. Load balancing
  3. Fault tolerance

Issue the ip a command to check the available interfaces on the server.

On my server I have two interfaces called enp0s3 and enp0s8.

Using the modprobe command, load the bonding kernel module if it is not loaded already.

[root@server ~]# modprobe bonding

To check whether the bonding driver is present in the kernel, use the modinfo command; it lists details like the following once the module is loaded.

[root@server ~]# modinfo bonding
 filename: /lib/modules/3.10.0-514.el7.x86_64/kernel/drivers/net/bonding/bonding.ko
 author: Thomas Davis, [email protected] and many others
 description: Ethernet Channel Bonding Driver, v3.7.1
 version: 3.7.1
 license: GPL
 alias: rtnl-link-bond
 rhelversion: 7.3
 srcversion: B664145ACFBCC961505C750
 depends:
 intree: Y
 vermagic: 3.10.0-514.el7.x86_64 SMP mod_unload modversions

Create a file called ifcfg-bond0, which will work as the logical interface in bonding, using the vi editor with the settings below under /etc/sysconfig/network-scripts.

[root@server ~]# vi /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
TYPE=Bond
NAME=bond0
BONDING_MASTER=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.43.250
NETMASK=255.255.255.0
GATEWAY=192.168.43.1
BONDING_OPTS="mode=5 miimon=100"
ZONE=public

:wq

Save and exit the file.

Now the bond0 logical interface has been created, and we have to set the slave interfaces by following the steps below.

In our case we already have two interfaces called enp0s3 and enp0s8, and their configuration files already exist under /etc/sysconfig/network-scripts with the names below.

ifcfg-enp0s3

ifcfg-enp0s8

Edit the above two files using the vi editor and add entries for MASTER and SLAVE. Set MASTER=bond0 and SLAVE=yes in both interface configuration files as shown below.

[root@server ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE=Ethernet
NAME=enp0s3
UUID=f42b80f0-95dd-4126-a5f8-62db4f4a368f
DEVICE=enp0s3
ONBOOT=yes
MASTER=bond0
SLAVE=Yes

[root@server ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp0s8

TYPE=Ethernet
NAME=enp0s8
DEVICE=enp0s8
UUID=f42b80f0-95dd-4126-a5f8-62db4f4a368f
ONBOOT=yes
MASTER=bond0
SLAVE=Yes

Now use the ifdown and ifup commands to bring the bond0 interface down and back up.

[root@server ~]# ifdown bond0
../network: line 2: NETWORKING: command not found
Device 'bond0' successfully disconnected.
[root@server ~]# ifup bond0
../network: line 2: NETWORKING: command not found
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/16)

Then check the IP of bond0 to confirm whether our bonding is working.

[root@server ~]# ip a | grep bond0
6: bond0: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
 inet 192.168.43.250/24 brd 192.168.43.255 scope global bond0

We have configured bonding successfully. Now we can communicate from a remote server to this server using the bond0 interface IP address (192.168.43.250).
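As an added example (not from the original post), the following script checks a set of ifcfg files against the layout shown above before ifdown/ifup is run: each slave must point at the bond and carry no address of its own, and no two files may share a UUID, which is the case in the enp0s3/enp0s8 files as listed. The ifcfg files it reads are constructed in a temporary directory with the same values as above.

```shell
# Added example, not from the original post: check the ifcfg files of a bond for
# the mistakes that make ifup fail or leave a slave competing with bond0. Assumes
# POSIX sh, sed, sort and uniq; the ifcfg files are constructed in a temp dir.

# ifcfg_get DIR NAME KEY: value of KEY from DIR/ifcfg-NAME (quotes stripped)
ifcfg_get() {
    sed -n "s/^[[:space:]]*$3=//p" "$1/ifcfg-$2" 2>/dev/null | tr -d '"' | head -n 1
}

# bond_check DIR BOND SLAVE...: print one FINDING line per problem, return their count
bond_check() {
    dir=$1; bond=$2; shift 2
    findings=0
    [ "$(ifcfg_get "$dir" "$bond" TYPE)" = Bond ] ||
        { echo "FINDING: ifcfg-$bond: TYPE must be Bond"; findings=$((findings + 1)); }
    [ "$(ifcfg_get "$dir" "$bond" BOOTPROTO)" = none ] ||
        { echo "FINDING: ifcfg-$bond: BOOTPROTO should be none with a static IPADDR"; findings=$((findings + 1)); }
    for s in "$@"; do
        [ "$(ifcfg_get "$dir" "$s" MASTER)" = "$bond" ] ||
            { echo "FINDING: ifcfg-$s: MASTER is not $bond"; findings=$((findings + 1)); }
        [ "$(ifcfg_get "$dir" "$s" SLAVE | tr A-Z a-z)" = yes ] ||
            { echo "FINDING: ifcfg-$s: SLAVE is not yes"; findings=$((findings + 1)); }
        # an address on a slave competes with the one that belongs on the bond
        [ -z "$(ifcfg_get "$dir" "$s" IPADDR)" ] ||
            { echo "FINDING: ifcfg-$s: a slave must not carry IPADDR"; findings=$((findings + 1)); }
    done
    # NetworkManager identifies a profile by its UUID, so two ifcfg files
    # sharing one UUID are not loaded as two distinct connections
    dups=$(sed -n 's/^[[:space:]]*UUID=//p' "$dir"/ifcfg-* | sort | uniq -d)
    [ -z "$dups" ] ||
        { echo "FINDING: UUID $dups appears in more than one ifcfg file"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed copies of the three files shown above (enp0s8 reuses the enp0s3 UUID)
CFG_DIR=$(mktemp -d)
printf 'DEVICE=bond0\nTYPE=Bond\nNAME=bond0\nBONDING_MASTER=yes\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=192.168.43.250\nNETMASK=255.255.255.0\nBONDING_OPTS="mode=5 miimon=100"\n' > "$CFG_DIR/ifcfg-bond0"
printf 'TYPE=Ethernet\nNAME=enp0s3\nUUID=f42b80f0-95dd-4126-a5f8-62db4f4a368f\nDEVICE=enp0s3\nONBOOT=yes\nMASTER=bond0\nSLAVE=Yes\n' > "$CFG_DIR/ifcfg-enp0s3"
printf 'TYPE=Ethernet\nNAME=enp0s8\nUUID=f42b80f0-95dd-4126-a5f8-62db4f4a368f\nDEVICE=enp0s8\nONBOOT=yes\nMASTER=bond0\nSLAVE=Yes\n' > "$CFG_DIR/ifcfg-enp0s8"

rc=0; bond_check "$CFG_DIR" bond0 enp0s3 enp0s8 || rc=$?
echo "findings: $rc"   # 1, the shared UUID
```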

Thanks for your support 🙂

User and Group Management in Linux/Unix

We are going to see User and Group Management in Linux/Unix in this post.

/etc/passwd -> This file contains the details of all users.

[root@server ~]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

The /etc/passwd file holds each user's details as a set of colon-separated fields.

Here I'm taking the root user's entry to explain the fields.

root:x:0:0:root:/root:/bin/bash

root – User name

x – Password

0 – User ID

0 – Group ID

root – Comments/user description

/root – Home directory

/bin/bash – Shell

When we create a user, a home directory and a group with the same name as the user are created.
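Reading /etc/passwd field by field, as above, is also how one spots the entries worth questioning on a host. The following audit is an added example, not part of the original post; it works on a constructed passwd sample that repeats the first lines shown above and adds entries that each trip one check.

```shell
# Added example, not from the original post: audit the seven /etc/passwd fields
# explained above for entries a defender should question. Assumes POSIX sh only;
# the passwd content below is constructed rather than read from /etc/passwd.
# passwd_audit FILE: print one FINDING line per suspicious entry, return their count
passwd_audit() {
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        if [ -z "$shell" ]; then
            echo "FINDING: $user: malformed entry (fewer than 7 fields)"
            findings=$((findings + 1)); continue
        fi
        # any second account with UID 0 is root under another name
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "FINDING: $user has UID 0"; findings=$((findings + 1))
        # a system account (UID below 1000) normally has no interactive shell
        elif [ "$user" != root ] && [ "$uid" -lt 1000 ]; then
            case $shell in
                */nologin|*/false) ;;
                *) echo "FINDING: system account $user has shell $shell"
                   findings=$((findings + 1)) ;;
            esac
        fi
        # an empty second field means login without any password
        if [ -z "$pw" ]; then
            echo "FINDING: $user has an empty password field"; findings=$((findings + 1))
        # x, * and !! are shadow/locked markers; anything else is a hash in the world-readable file
        elif [ "$pw" != x ] && [ "$pw" != '*' ] && [ "$pw" != '!!' ]; then
            echo "FINDING: $user keeps a password hash in passwd"; findings=$((findings + 1))
        fi
    done < "$1"
    return "$findings"
}

# Constructed sample: the first lines shown above plus entries that each trip one check
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
anand:x:1001:1001::/home/anand:/bin/bash
admin2:x:0:0:second root:/root:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
oldsvc:$6$PLACEHOLDER$HASH:1003:1003::/var/oldsvc:/bin/sh
apache:x:48:48:Apache:/usr/share/httpd:/bin/bash
EOF

rc=0; passwd_audit "$PASSWD_SAMPLE" || rc=$?
echo "findings: $rc"   # 4
```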

Commands to create a user:

useradd <username>

adduser <username>

Example:

[root@server ~]# useradd anand

[root@server ~]# adduser anand

Command to delete a user account:

userdel <username>

[root@server ~]# userdel anand

The above command deletes the user but does not delete the user's home directory.

Command to delete a user account with home directory:

Use the -r option to delete the user together with the home directory.

[root@server ~]# userdel -r deepak

Use the id command to find out whether a user exists on the system; if the user exists, it displays the user ID, group ID, primary group and secondary group details.

[root@server ~]# id abu
uid=1000(abu) gid=1011(Technology) groups=1011(Technology),1012(DBcheck)

Command to add a secondary group to a user (-a appends to the existing secondary groups instead of replacing them):

[root@server ~]# usermod -aG Technology abu

Command to change primary group:

[root@server ~]# usermod -g Technology abu

Customizing home directory:

By default the home directory is created under /home for all users. We can set some other directory as the home directory as well.

We have two options to change the home directory.

  1. Edit the /etc/passwd file using the vi editor to change the home directory
  2. Use the usermod command to change the home directory

Changing the home directory by editing the /etc/passwd file:

[root@server ~]# vi /etc/passwd
testuser:x:1004:1004::/testuser:/bin/bash

Command to change home directory:

[root@server ~]# usermod -m -d /testuser testuser

-m: move the contents of the current home directory to the new location

-d: specify the new home directory

Assigning an expiry date to a user:

Command to check the expiry details of a user:

[root@server ~]# chage -l testuser
Last password change : May 27, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Command to set expiry date for a user:

[root@server ~]# usermod --expiredate=2017-07-20 testuser

Check again whether the expiry date has been set.

[root@server ~]# chage -l testuser
Last password change : May 27, 2017
Password expires : never
Password inactive : never
Account expires : Jul 20, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

We have successfully set an expiry date for testuser.

Group Management:

A group is used to manage more than one user without touching each user individually.

Groups are created based on the teams in an organization.

All group details are available in the /etc/group file once we create a group.

[root@server ~]# more /etc/group

Using the groupadd command we create a group:

[root@server ~]# groupadd Technology

NFS Server Configuration RHEL 7 / Cent OS 7

Using an NFS server we can share files/directories over the network.
Using this service we can install an operating system, access a remote server's directory/files to read and write, and share files/directories with other machines.

Required Package:

libnfsidmap-0.25-15.el7.x86_64
nfs-utils-1.3.0-0.33.el7.x86_64

Installing NFS packages:

Use the command below to install all the required packages in one shot.

#yum install nfs*

Check whether the packages are installed by executing the command below.

[root@server ~]# rpm -qa | grep nfs
libnfsidmap-0.25-15.el7.x86_64
nfsometer-1.7-1.el7.noarch
nfs4-acl-tools-0.3.3-15.el7.x86_64
nfs-utils-1.3.0-0.33.el7.x86_64
nfstest-2.1.1-0.0.el7.noarch

Important configuration files:

/etc/exports : This file lists the directories exported to remote machines.
/etc/hosts.allow : A daemon/client matching an entry in this file is granted access.
/etc/hosts.deny : Access is denied to a daemon/client matching an entry in this file.
/etc/fstab : Shared directories/filesystems are mounted permanently using this file.
/etc/sysconfig/nfs : The NFS ports are managed using this file.

Services which need to be enabled and started:

rpcbind  service
nfs-server  service

Command to enable the services:

#systemctl enable rpcbind
#systemctl enable nfs-server

[root@server ~]# systemctl enable rpcbind
[root@server ~]# systemctl enable nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.

Command to start the services:

#systemctl start rpcbind
#systemctl start nfs-server

[root@server ~]# systemctl start nfs-server

[root@server ~]# systemctl start rpcbind

Create a directory for sharing:

[root@server ~]# mkdir /nfshare

Give full permissions (read, write and execute) to everyone:

#chmod 777 /nfshare

Now share the directory over NFS by adding the directory details to the /etc/exports file.

#vi /etc/exports

/nfshare 192.168.12.7(rw,sync,no_root_squash)

Save and exit the file.

Now use the command below to make it available on the network as a shared directory.

[root@server ~]# exportfs -r

Add the NFS services to the permanent firewall configuration:

[root@server ~]# firewall-cmd --permanent --zone public --add-service  mountd
success
[root@server ~]# firewall-cmd --permanent --zone public --add-service rpc-bind
success
[root@server ~]# firewall-cmd --permanent --zone public --add-service nfs
success

Reload the firewall so that the changes take effect in this session by executing the command below.

[root@server ~]# firewall-cmd --reload
success

 

Now all the configuration on the server side is done; next we check and mount the shared directory on the client machine.
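The exports line above grants no_root_squash, and /etc/exports has a documented pitfall: a space between the client and the parenthesised options exports the share to every host. The following lint is an added example, not part of the original post or of nfs-utils; it reads constructed exports files rather than the system one and is meant to run before exportfs -r.

```shell
# Added example, not from the original post: lint /etc/exports before running
# exportfs -r, flagging the options that widen access. Assumes POSIX sh only;
# the two exports files are constructed here rather than read from the system.
# exports_lint FILE: print one FINDING line per risky export, return their count
exports_lint() {
    set -f; findings=0
    while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac
        [ -n "$clients" ] ||
            { echo "FINDING: $path: no client given, exported to every host"; findings=$((findings + 1)); }
        for spec in $clients; do
            host=${spec%%"("*}
            opts=${spec#"$host"}; opts=${opts#"("}; opts=${opts%")"}
            if [ -z "$host" ]; then   # "host (opts)" with a space: opts apply to every host
                echo "FINDING: $path: '$spec' is separated from its host by a space"
                findings=$((findings + 1))
            elif [ "$host" = '*' ]; then
                echo "FINDING: $path: exported to any host"; findings=$((findings + 1))
            fi
            old_ifs=$IFS; IFS=,
            for opt in $opts; do
                case $opt in
                    no_root_squash) why="client root keeps UID 0 on the share" ;;
                    insecure)       why="accepts requests from unprivileged source ports" ;;
                    *) continue ;;
                esac
                echo "FINDING: $path $host: $opt ($why)"; findings=$((findings + 1))
            done
            IFS=$old_ifs
        done
    done < "$1"
    set +f
    return "$findings"
}

# Constructed sample: each line carries one mistake
EXPORTS_RISKY=$(mktemp)
cat > "$EXPORTS_RISKY" <<'EOF'
/nfshare 192.168.12.7(rw,sync,no_root_squash)
/srv/pub *(ro,sync)
/srv/data 192.168.12.0/24 (rw,sync)
EOF
EXPORTS_FIXED=$(mktemp)
printf '/nfshare 192.168.12.7(rw,sync,root_squash)\n' > "$EXPORTS_FIXED"

rc=0; exports_lint "$EXPORTS_RISKY" || rc=$?
echo "risky: $rc findings"   # 3
rc=0; exports_lint "$EXPORTS_FIXED" || rc=$?
echo "fixed: $rc findings"   # 0
```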

The showmount command lists the directories shared by the remote machine.

[root@node1 ~]# showmount -e 192.168.43.226
Export list for 192.168.43.226:
/nfshare *

Now we need to mount the shared directory on the client. Before that we should create a directory to use as the mount point.

[root@node1 ~]# mkdir /nfsmount

Mount the directory temporarily:

#mount 192.168.43.226:/nfshare  /nfsmount

Mount it permanently by adding an entry to the /etc/fstab file:

#vi /etc/fstab
192.168.43.226:/nfshare/ /nfsmount nfs rw,sync 0 0

Save and exit the file.

Unmount the directory (it was only mounted temporarily) before restarting; after the restart, issue the mount command to check whether the shared directory is listed. If it is not listed, there is an issue with the entry in the /etc/fstab file.

#umount /nfsmount

Restart the client and check using the mount command:

[root@node1 ~]# mount | grep /nfsmount
192.168.43.226:/nfshare/ on /nfsmount type nfs (rw,sync,vers=4,addr=192.168.43.226,clientaddr=192.168.43.67)