Installing and managing iptables in Linux/Unix

In this post we will see how to install and manage iptables in Linux/Unix.

iptables is the firewall that comes by default with Linux/Unix. It holds its rules in chains; below are the default chains.

INPUT – Incoming network traffic to this machine from outside.

FORWARD – Network traffic routed through this machine from one side of the firewall to the other.

OUTPUT – Outgoing network traffic from this machine.

Each rule in a chain carries one of the following actions (targets):

ACCEPT – Allow the packet through (for example, incoming traffic from outside).

DROP – Drop the packet silently, with no reply to the sender.

REJECT – Drop the packet and send an error message back to the sender.

Check whether the iptables package is installed using the command below.

[root@server ~]# rpm -qa | grep iptables
iptables-devel-1.4.21-17.el7.x86_64
iptables-1.4.21-17.el7.x86_64
iptables-services-1.4.21-17.el7.x86_64

If the package is not installed, use yum to install it as below.

Note: yum package manager should be installed to use it.

[root@server ~]# yum install iptable*

Now enable iptables permanently so that it starts automatically at boot:

[root@server ~]# systemctl enable iptables
 Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

Commands to start iptables and check its status:

[root@server ~]# systemctl start iptables

[root@server ~]# systemctl status iptables
 ● iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
 Active: active (exited) since Sun 2017-10-29 09:20:21 IST; 5s ago
 Process: 2331 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 2331 (code=exited, status=0/SUCCESS)

Oct 29 09:20:21 server systemd[1]: Starting IPv4 firewall with ipta....
 Oct 29 09:20:21 server iptables.init[2331]: iptables: Applying firew...
 Oct 29 09:20:21 server systemd[1]: Started IPv4 firewall with iptables.
 Hint: Some lines were ellipsized, use -l to show in full.

To check the default configuration of iptables, use the command below.

[root@server ~]# iptables -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
 ACCEPT icmp -- anywhere anywhere
 ACCEPT all -- anywhere anywhere
 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
 target prot opt source destination
 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
 target prot opt source destination

Rules added with the iptables command take effect immediately, but they are not saved automatically: the changes are lost when iptables or the machine restarts. Use the command below to save the rules we changed.

[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

or print the running rules with iptables-save (redirect its output to /etc/sysconfig/iptables to keep them):

[root@server ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun Oct 29 15:17:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:12391]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Oct 29 15:17:07 2017

Command to open a port in iptables. Here we are going to open port 80 (HTTP) for the web server, for traffic from outside to this server.

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Command to allow outgoing traffic on port 80 from this server/firewall to the outside.

[root@server ~]# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

We can also open a port for a specific host only, using the -s option to give the hostname, as below. Here port 80 is opened for traffic from node1 alone.

[root@server ~]# iptables -A INPUT -p tcp -s node1.lbcdomain.com --dport 80 -j ACCEPT

Similarly, we can open a port for a specific network to limit access, so that only traffic from machines within that network is allowed.

[root@server ~]# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
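The rules above are appended with -A, and iptables evaluates a chain from top to bottom, so an ACCEPT appended after the chain's final REJECT rule never matches. The script below is an added example, not from this post: it builds the complete ruleset from the iptables-save output above in iptables-restore format, with the port 80 rule for 192.168.0.0/24 (the network from the post) placed before the REJECT, and checks a ruleset for ACCEPT rules that the catch-all REJECT would shadow. The function names are my own.

```shell
#!/bin/sh
# Build an INPUT/FORWARD/OUTPUT ruleset as iptables-restore text, then check that no
# ACCEPT rule in INPUT is shadowed by the chain's final REJECT.

# build_ruleset WEB_NET : WEB_NET is the network allowed to reach port 80.
build_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s $1 -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_rule_order RULESET_TEXT : exit 0 if every INPUT ACCEPT precedes the INPUT REJECT,
# exit 1 if some ACCEPT comes after it (and can therefore never match).
check_rule_order() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && /-j REJECT/ { seen = 1; next }
    seen && /^-A INPUT / && /-j ACCEPT/ { shadowed = 1 }
    END { exit shadowed ? 1 : 0 }'
}

# insert_position RULESET_TEXT : 1-based index of the INPUT REJECT rule, i.e. the number to
# give "iptables -I INPUT <n>" so that a new ACCEPT lands ahead of the REJECT.
insert_position() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / { n++ }
    /^-A INPUT / && /-j REJECT/ { print n; exit }'
}

# Walk-through: build, check and print the ruleset (nothing is loaded into the kernel here).
rules=$(build_ruleset 192.168.0.0/24)
if check_rule_order "$rules"; then
  echo "# ordering OK; a new ACCEPT should be inserted at INPUT position $(insert_position "$rules")"
fi
printf '%s\n' "$rules"
```

Save the output of build_ruleset to a file, review it, and load it as root with iptables-restore < file, then run service iptables save as shown above. check_rule_order also works on the live rules, as check_rule_order "$(iptables-save)", since it only looks at the -A INPUT lines.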


Increasing an LVM xfs filesystem

In this post we will see how to increase an LVM xfs filesystem.

LVM plays an important role in Linux/Unix: it lets us increase or reduce filesystem sizes.

We are going to see how to increase a filesystem in Linux, specifically on RHEL7.

The filesystem can be increased online; there is no need to unmount it for this operation.

Steps to follow when increasing a filesystem:

First check whether free space is available in the VG. If the required space is available, go ahead and extend directly using steps 4 to 6.

If there is no free space in the VG, follow the steps below.

  1. Create a partition and change its type from “Linux” to “Linux LVM” (8e is the hex code for the Linux LVM partition type).
  2. Create a physical volume on that partition.
  3. Extend the volume group by adding the created PV to it. Now you will have free/unused space in your VG; use the “vgs” command to check.
  4. Extend the logical volume using the “lvextend” command.
  5. Then run the “xfs_growfs” command to grow the filesystem.
  6. Finally check the mount point size using “df -h <mountpoint>” and the logical volume size using “lvs”. Both sizes should match after extending the filesystem.

In our case we are going to create a partition in the unused space of an existing physical disk and then create the PV, vgextend and lvextend.

Use the command below to check the free space on our physical disk:

[root@localhost ~]# df -h /dev/sdb
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.4G 0 1.4G 0% /dev

We have nearly 2GB of free space on the existing disk.

Use the commands below to create the partition:

[root@localhost ~]# fdisk /dev/sdb

Use the “n” key to create a new partition and provide the required details.

Use the “t” key to change the partition type from “Linux” to “Linux LVM”.

The command below lets us check whether the partition was created correctly and its type changed. Here “/dev/sdb2” is the one we created and changed the type of.


[root@localhost ~]# fdisk -l /dev/sdb

Disk /dev/sdb: 8589 MB, 8589934592 bytes, 16777216 sectors
 Units = sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disk label type: dos
 Disk identifier: 0x1f51ec05

Device Boot Start End Blocks Id System
 /dev/sdb1 2048 12584959 6291456 8e Linux LVM
 /dev/sdb2 12584960 16777215 2096128 8e Linux LVM

Now create the physical volume using the command below:

[root@localhost ~]# pvcreate /dev/sdb2
 Physical volume "/dev/sdb2" successfully created.

As the next step we need to extend the VG by adding the created PV to it.

Before that, check the size and free space of our VG like below.

[root@localhost ~]# vgs
 VG #PV #LV #SN Attr VSize VFree
 newvg 2 2 0 wz--n- 11.50g 516.00m

Extend newvg using the command below, and check the VG size and free space after extending:

[root@localhost ~]# vgextend newvg /dev/sdb2
 Volume group "newvg" successfully extended
 [root@localhost ~]# vgs
 VG #PV #LV #SN Attr VSize VFree
 newvg 3 2 0 wz--n- 13.50g 2.50g

Now we have 2.5GB of free space, which we are going to use to extend the LV.

Use the lvs command to list the available LVs and find the name of the LV we are going to extend.

[root@localhost ~]# lvs
 LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
 lv1 newvg -wi-ao---- 4.00g
 lv2 newvg -wi-a----- 7.00g

Here we are going to extend lv1, using the command below:

[root@localhost ~]# lvextend -L +2G /dev/newvg/lv1
 Size of logical volume newvg/lv1 changed from 4.00 GiB (1024 extents) to 6.00 GiB (1536 extents).
 Logical volume newvg/lv1 successfully resized.

And grow the filesystem using the command below:

[root@localhost ~]# xfs_growfs /dev/newvg/lv1

Finally check the mount point size and the lv1 size using the commands below. Both should be the same after extending.

[root@localhost ~]# df -h /lvolume1
 Filesystem Size Used Avail Use% Mounted on
 /dev/mapper/newvg-lv1 6.0G 33M 6.0G 1% /lvolume1
[root@localhost ~]# lvs /dev/newvg/lv1
 LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
 lv1 newvg -wi-ao---- 6.00g 

The new size is reflected in both checks.

We have successfully extended the LV.
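As an added example (not part of this post), here is the pre-flight check from the first step and steps 4 and 5 wrapped in a small script: it parses vgs output to decide whether the VG has the room requested and only then extends the LV and grows the filesystem. The vgs report it uses is constructed to match the numbers above; the LVM commands are only echoed unless DRY_RUN is set to empty, since they need root and a real VG. Function names are my own.

```shell
#!/bin/sh
# Pre-flight check (is there free space in the VG?) followed by lvextend + xfs_growfs.

# size_to_mib SIZE : convert an LVM size such as "516.00m" or "2.50g" to whole MiB.
size_to_mib() {
  awk -v s="$1" 'BEGIN {
    n = s + 0; u = substr(s, length(s))           # numeric prefix and unit suffix
    if (u == "g") n *= 1024; else if (u == "t") n *= 1048576; else if (u == "k") n /= 1024
    printf "%d\n", n }'
}

# vg_free_mib VGS_OUTPUT VG : free MiB of VG from a vgs report passed in as text.
vg_free_mib() {
  free=$(printf '%s\n' "$1" | awk -v vg="$2" '$1 == vg { print $NF; exit }')
  [ -n "$free" ] || return 2
  size_to_mib "$free"
}

# run CMD... : echo the command instead of executing it while DRY_RUN is non-empty.
run() { if [ -n "$DRY_RUN" ]; then echo "DRY: $*"; else "$@"; fi; }

# extend_xfs_lv VGS_OUTPUT VG LV ADD_GIB : refuse when the VG lacks ADD_GIB, otherwise
# extend the LV and grow the mounted xfs filesystem online (no unmount needed).
extend_xfs_lv() {
  want=$(( $4 * 1024 ))
  free=$(vg_free_mib "$1" "$2") || { echo "VG $2 not in report" >&2; return 2; }
  if [ "$free" -lt "$want" ]; then
    echo "VG $2 has ${free}M free, need ${want}M: add a PV first (steps 1-3)" >&2
    return 1
  fi
  run lvextend -L "+$4G" "/dev/$2/$3" || return 1   # step 4
  run xfs_growfs "/dev/$2/$3"                       # step 5
}

# Constructed vgs report matching the post's numbers after vgextend (not live output).
VGS_SAMPLE='  VG    #PV #LV #SN Attr   VSize  VFree
  newvg   3   2   0 wz--n- 13.50g  2.50g'
DRY_RUN=${DRY_RUN-1}   # default to a dry run; set DRY_RUN= (empty) to execute for real
extend_xfs_lv "$VGS_SAMPLE" newvg lv1 2
```

For a real run as root, feed the live report: DRY_RUN= extend_xfs_lv "$(vgs newvg)" newvg lv1 2. Step 6, comparing df -h with lvs as shown above, stays a manual check. lvextend also accepts -r to grow the filesystem in the same step, which avoids forgetting xfs_growfs.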


Reducing an LVM xfs filesystem


In this post we are going to see how to reduce an LVM xfs filesystem.

Reducing the LV size on an xfs filesystem is a little different from reducing it on ext4/3/2 filesystems.

Follow the steps below to perform this:

1. As the first step, take a data backup using xfsdump.

2. Then unmount the filesystem.

3. Now shrink the logical volume to the required size using the lvreduce command.

4. Format the filesystem using xfs format.

Note: when reducing ext4/3/2 filesystems we use the resize2fs command to shrink instead of formatting, so there is no need to take a data backup when using ext4/3/2 on LVM.

5. Mount the filesystem again.

6. Finally restore the data using the xfsrestore command.

LVM details are below:

VG name: newvg

LVs: lv1, lv2. We are going to use lv2 for this lab.

Use the lvs command to check the sizes of the existing LVs:

[root@localhost ~]# lvs
 LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
 lv1 newvg -wi-ao---- 6.00g
 lv2 newvg -wi-a----- 7.00g

lv2 is mounted under /lvolume2. Now take a backup of /lvolume2 under the /tmp filesystem like below.

[root@localhost ~]# xfsdump -f /tmp/lv2.dump /lvolume2

Now unmount the filesystem using the command below:

[root@localhost ~]# umount /lvolume2

Reduce or shrink the LV to the required size using the lvreduce command. In the example below we reduce lv2 from 7GB to 6GB.

[root@localhost ~]# lvreduce -L -1G /dev/newvg/lv2
 WARNING: Reducing active logical volume to 6.00 GiB.
 THIS MAY DESTROY YOUR DATA (filesystem etc.)
 Do you really want to reduce newvg/lv2? [y/n]: y
 Size of logical volume newvg/lv2 changed from 7.00 GiB (1792 extents) to 6.00 GiB (1536 extents).
 Logical volume newvg/lv2 successfully resized.

Now format the filesystem using the command below:

[root@localhost ~]# mkfs.xfs -f /dev/newvg/lv2

Mount the filesystem again on /lvolume2:

[root@localhost ~]# mount /dev/newvg/lv2 /lvolume2

Finally restore the backup data:

[root@localhost ~]# xfsrestore -f /tmp/lv2.dump /lvolume2
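Because the xfs filesystem is recreated rather than shrunk, between step 3 and step 6 the dump file is the only copy of the data. The added script below (my example, not from this post) keeps the six steps in the order above, refuses to start when the data in use would not fit the new size, and verifies that the dump can be read back before anything is unmounted. xfsdump's -L and -M options supply the session and media labels so it does not prompt, and -l 0 requests a full dump; lvreduce -f skips the y/n prompt. The df output is constructed, and destructive commands are only echoed unless DRY_RUN is set to empty.

```shell
#!/bin/sh
# Guarded shrink of an xfs logical volume, in the post's order:
#   dump -> verify dump -> umount -> lvreduce -> mkfs.xfs -> mount -> restore

# used_kib DF_OUTPUT MOUNTPOINT : KiB in use on MOUNTPOINT, parsed from `df -k` text.
used_kib() {
  printf '%s\n' "$1" | awk -v mp="$2" 'NR > 1 && $NF == mp { print $3; exit }'
}

# fits_after_shrink USED_KIB NEW_GIB : true when the data plus 10% headroom fits NEW_GIB.
fits_after_shrink() {
  [ $(( $1 + $1 / 10 )) -le $(( $2 * 1024 * 1024 )) ]
}

# run CMD... : echo the command instead of executing it while DRY_RUN is non-empty.
run() { if [ -n "$DRY_RUN" ]; then echo "DRY: $*"; else "$@"; fi; }

# shrink_xfs_lv VG LV MOUNTPOINT NEW_GIB DUMPFILE USED_KIB
shrink_xfs_lv() {
  dev="/dev/$1/$2" mp="$3" new="$4" dump="$5" used="$6"
  if ! fits_after_shrink "$used" "$new"; then
    echo "refusing: ${used}K in use on $mp will not fit a ${new}G volume" >&2
    return 1
  fi
  run xfsdump -l 0 -L "$2-shrink" -M "$2-media" -f "$dump" "$mp" || return 1  # 1. full backup
  run xfsrestore -t -f "$dump" || return 1      # list the dump: proves it is readable
  run umount "$mp" || return 1                  # 2.
  run lvreduce -f -L "${new}G" "$dev" || return 1   # 3. absolute new size, no prompt
  run mkfs.xfs -f "$dev" || return 1            # 4.
  run mount "$dev" "$mp" || return 1            # 5.
  run xfsrestore -f "$dump" "$mp"               # 6.
}

# Constructed `df -k` sample for the walk-through (not output from the post's host).
DF_SAMPLE='Filesystem            1K-blocks  Used Available Use% Mounted on
/dev/mapper/newvg-lv2   7321600 33792   7287808   1% /lvolume2'
DRY_RUN=${DRY_RUN-1}   # default to a dry run; set DRY_RUN= (empty) to execute for real
shrink_xfs_lv newvg lv2 /lvolume2 6 /tmp/lv2.dump "$(used_kib "$DF_SAMPLE" /lvolume2)"
```

For a real run as root, pass the live figure: DRY_RUN= shrink_xfs_lv newvg lv2 /lvolume2 6 /tmp/lv2.dump "$(used_kib "$(df -k /lvolume2)" /lvolume2)". Keep the dump on a different filesystem from the one being reduced, as the post does with /tmp.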


Reference: yallalabs

sed command in Unix/Linux

We are going to see how to use the sed command in Unix/Linux.

SED (Stream Editor) performs most operations on a file, such as inserting, deleting, searching and replacing a word or a character. It is mostly used for find-and-replace operations in Linux/Unix environments.

Note: once a sed command is executed, the output is changed as required while the original file remains the same.

Substituting or replacing a string in a file using sed:

Mostly we use sed to replace a string in a file. Use the command below to change a string. Here I am going to change Linux to Unix, and I will use the same file below in all the examples.

[root@localhost ~]# cat > sed.txt
Linux is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Linux and Linux is powerful OS.
Linux is the current and future OS in administration.

The command for substituting/replacing the string in the above file:

[root@localhost ~]# sed 's/Linux/Unix/' sed.txt
Unix is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Unix and Linux is powerful OS.
Unix is the current and future OS in administration.

 

Command to change the nth occurrence of the string/pattern in a line:

The command below changes the nth match in each line; here we change the second occurrence.

[root@localhost ~]# sed 's/Linux/Unix/2' sed.txt
Linux is more secure and opensource operating system and Unix is low cast.
Multiuser is available in Linux and Unix is powerful OS.
Linux is the current and future OS in administration.

 

Command to change every occurrence of the string/pattern in a file:

The command changes all matches of the given string/pattern in the file; we need to use the g flag for this.

[root@localhost ~]# sed 's/Linux/Unix/g' sed.txt
Unix is more secure and opensource operating system and Unix is low cast.
Multiuser is available in Unix and Unix is powerful OS.
Unix is the current and future OS in administration.

 

Command to change the nth occurrence onwards in every line of the file:

This command changes the nth occurrence, and those after it, in every line.

[root@localhost ~]# sed 's/Linux/Unix/2g' sed.txt
Linux is more secure and opensource operating system and Unix is low cast.
Multiuser is available in Linux and Unix is powerful OS.
Linux is the current and future OS in administration.

g changes occurrences globally in the file, and the number in front of it (2 here) says from which occurrence the change starts.

Command to parenthesize the first capital letter of each word in a line:

[root@localhost ~]# sed 's/\(\b[A-Z]\)/\(\1\)/g' sed.txt
(L)inux is more secure and opensource operating system and (L)inux is low cast.
(M)ultiuser is available in (L)inux and (L)inux is powerful (O)S.
(L)inux is the current and future (O)S in administration.

 

Here every capital letter at the start of a word is matched and wrapped in parentheses.

Command to replace the string/pattern in a specific line:

[root@localhost ~]# sed '3 s/Linux/Unix/' sed.txt
Linux is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Linux and Linux is powerful OS.
Unix is the current and future OS in administration.

Command to print the modified line again (duplicate it):

The command below prints each modified line twice.

[root@localhost ~]# sed 's/Linux/Unix/p' sed.txt
Unix is more secure and opensource operating system and Linux is low cast.
Unix is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Unix and Linux is powerful OS.
Multiuser is available in Unix and Linux is powerful OS.
Unix is the current and future OS in administration.
Unix is the current and future OS in administration.

 

Command to print only the modified line:

In the example below we change the string in the second line and display only that line, because it was modified. We use the -n option together with the p flag in the sed command.

[root@localhost ~]# sed -n '2 s/Linux/Unix/p' sed.txt
Multiuser is available in Unix and Linux is powerful OS.

 

Command to replace a string/pattern in a range of lines:

The command replaces the first occurrence in lines 2 and 3.

[root@localhost ~]# sed '2,3 s/Linux/Unix/' sed.txt
Linux is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Unix and Linux is powerful OS.
Unix is the current and future OS in administration.

 

Command to replace all occurrences in a range of lines:

In the command below every occurrence is replaced from line 2 to the last line ($), i.e. lines 2 and 3 here.

[root@localhost ~]# sed '2,$ s/Linux/Unix/g' sed.txt
Linux is more secure and opensource operating system and Linux is low cast.
Multiuser is available in Unix and Unix is powerful OS.
Unix is the current and future OS in administration.

 

About Python

Python was created by Guido van Rossum.

Features of Python

Built on C routines

Easy to use and debug

Portable

Object oriented

Interfaces with other languages

Compiled and interpreted language

Open and free


Download link: www.python.org

To check the python version use the command below:

python -V

Note: any line starting with # is a comment and is not executed by the script.

Create a script file with the .py extension and use the python command to run it.

Example:

python first.py

Installing Puppet on RHEL7/CentOS 7

In this post we will see how to install Puppet on RHEL7/CentOS 7.

Nowadays administration tasks are rapidly moving to automation, which reduces manpower, cost and time. It is now mandatory for system administrators to learn at least one scripting language and one automation tool. Automating tasks on the server side is critical and very important. There are many tools available for automation; here we are going to see Puppet.

What is Puppet?

It is an open source tool developed by Puppet Labs for Linux/Unix/Mac and Windows machines. Puppet is written in Ruby and is mostly used for automating jobs on the server and pushing jobs from the server to clients.

Features:

Avoids duplication of work.

Powerful framework.

Mature tool.

Simplifies system administrator tasks.

Makes fast and repeated changes automatically.

Maintains system consistency and integrity.

Very easy to manage VMs, cloud and physical machines.

Enabling the EPEL repository and dependencies for installation:

The system time should be set accurately on the server that is going to act as the puppet master. So, set the time on your server.

Make sure that both the master and the agent can resolve each other's hostnames; make an entry in the /etc/hosts file.

Once the time is fixed, enable the EPEL repository using the command below.

RHEL7/CentOS 7:

[root@server init.d]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.yXngEr: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
 1:epel-release-7-10 ################################# [100%]

List the EPEL repository packages:

[root@server init.d]# yum --disablerepo=* --enablerepo=epel list

Now, to have the puppet setup ready, we have to use Apache with Passenger. To get it, download and place the repo file in /etc/yum.repos.d/:

[root@server init.d]# curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo

To set up the puppet master/node we now need to enable the Puppet Labs repository and dependencies; run this on both master and agent servers.

[root@server init.d]# rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
Preparing... ################################# [100%]
 package puppetlabs-release-22.0-2.noarch is already installed


Installing Puppet:

Use the command below to install the Puppet server. This installs an init script (/etc/init.d/puppetmaster) to run a test-quality puppet master server.

[root@server ~]# yum install puppet-server

Installed:
 puppet-server.noarch 0:3.8.7-1.el7

Dependency Installed:
 facter.x86_64 1:2.4.6-1.el7 hiera.noarch 0:1.3.4-1.el7 libselinux-ruby.x86_64 0:2.5-6.el7 libyaml.x86_64 0:0.1.4-11.el7_0
 puppet.noarch 0:3.8.7-1.el7 ruby.x86_64 0:2.0.0.648-29.el7 ruby-augeas.x86_64 0:0.4.1-3.el7 ruby-irb.noarch 0:2.0.0.648-29.el7
 ruby-libs.x86_64 0:2.0.0.648-29.el7 ruby-shadow.x86_64 1:2.2.0-2.el7 rubygem-bigdecimal.x86_64 0:1.2.0-29.el7 rubygem-io-console.x86_64 0:0.4.2-29.el7
 rubygem-json.x86_64 0:1.7.7-29.el7 rubygem-psych.x86_64 0:2.0.0-29.el7 rubygem-rdoc.noarch 0:4.0.0-29.el7 rubygems.noarch 0:2.0.14.1-29.el7

Complete!

Now we need to configure the puppet master/agent architecture. In our case this node is going to work as the master server, so edit the /etc/puppet/puppet.conf file and change dns_alt_names.

[root@server ~]# vi /etc/puppet/puppet.conf
[main]
 dns_alt_names=server,server.lbcdomain.com
 certname=server.lbcdomain.com

Save and exit from the file.
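The certificate generated in the next step carries certname and every dns_alt_names entry, and agents connect to the name set as server in their puppet.conf, so all of these must resolve on both sides, via /etc/hosts as required above. The script below is an added example, not from this post: it reads those keys from a puppet.conf-style file and reports any name that the hosts file cannot resolve. The sample puppet.conf mirrors the one above; the hosts file is constructed (addresses borrowed from the SSH post further down). Function names are my own.

```shell
#!/bin/sh
# Pre-flight check: do all certificate and server names from puppet.conf resolve via the hosts file?

# conf_value FILE SECTION KEY : value of KEY in [SECTION] of an ini-style puppet.conf, or nothing.
conf_value() {
  awk -v sect="$2" -v key="$3" -F '=' '
    /^[[:space:]]*\[/ { cur = $0; gsub(/[^A-Za-z0-9_]/, "", cur); next }
    cur == sect { k = $1; gsub(/[[:space:]]/, "", k)
                  if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit } }
  ' "$1"
}

# in_hosts HOSTSFILE NAME : true when NAME is a hostname or alias on a non-comment line.
in_hosts() {
  awk -v name="$2" '
    /^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_names CONF HOSTSFILE : print the names HOSTSFILE cannot resolve; exit 1 if there are any.
check_names() {
  names="$(conf_value "$1" main certname),$(conf_value "$1" main dns_alt_names),$(conf_value "$1" agent server)"
  missing=""
  for n in $(printf '%s' "$names" | tr ',' ' '); do
    in_hosts "$2" "$n" || missing="$missing $n"
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# write_samples DIR : constructed sample files for the walk-through (not copied from a real host).
write_samples() {
  cat > "$1/puppet.conf" <<'EOF'
[main]
 dns_alt_names=server,server.lbcdomain.com
 certname=server.lbcdomain.com
[agent]
server = server.lbcdomain.com
EOF
  cat > "$1/hosts" <<'EOF'
# constructed sample hosts file
127.0.0.1      localhost localhost.localdomain
192.168.43.226 server.lbcdomain.com server
192.168.43.67  node.lbcdomain.com node
EOF
}

# Walk-through on the samples (real use: check_names /etc/puppet/puppet.conf /etc/hosts).
dir=$(mktemp -d) && write_samples "$dir"
if check_names "$dir/puppet.conf" "$dir/hosts" >/dev/null; then
  echo "all certificate and server names resolve via the hosts file"
fi
rm -rf "$dir"
```

Run check_names on the master and on each agent before puppet master --verbose --no-daemonize generates the certificate: a name added to dns_alt_names afterwards requires the certificate to be regenerated. The time requirement mentioned above is a separate check that this script does not make.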

Run the command below to create the puppet master certificate:

[root@server ~]# puppet master --verbose --no-daemonize

Once you see “Notice: Starting Puppet master version 3.8.7”, press Ctrl+C to kill the process.

Now configure the web server:

Puppet comes with a basic web server, which is generally not used in production. Before managing nodes with the puppet master server, we configure the web server first.

[root@server ~]# yum -y install httpd httpd-devel mod_ssl ruby-devel rubygems gcc gcc-c++ pygpgme curl

Now install passenger and apache module:

[root@server ~]# yum install -y mod_passenger

Create the parent, public and tmp directories for the application. Copy ext/rack/config.ru from the puppet source into the parent directory and set its ownership to the puppet user.

[root@server ~]# mkdir -p /usr/share/puppet/rack/puppetmasterd
[root@server ~]# mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
[root@server ~]# cp /usr/share/puppet/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
[root@server ~]# chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

Create the virtual host configuration file for puppet and make the entries below in it.

[root@server ~]# vi /etc/httpd/conf.d/puppetmaster.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on

        SSLCertificateFile      /var/lib/puppet/ssl/certs/server.lbcdomain.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/server.lbcdomain.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile   /var/lib/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        # SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

         DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>  

Now restart the apache service.

[root@server ~]# systemctl restart httpd

Enable apache and disable puppet from starting automatically at boot.

[root@server ~]# systemctl disable puppet.service
[root@server ~]# systemctl enable httpd.service

Now open the puppet listening port (8140) in the firewall:

[root@server ~]# firewall-cmd --zone=public --add-port=8140/tcp --permanent
[root@server ~]# firewall-cmd --reload


Now install puppet on the node machines:

Before starting the puppet agent installation, configure the yum repository in the same way as on the master server.

Command to install puppet:

[root@client ~]# yum -y install puppet

Set the puppet master server details in the puppet configuration file like below.

[root@node ~]# vi /etc/puppet/puppet.conf

[agent]
server = server.lbcdomain.com

Now start the puppet service on the node machine and enable it to start automatically at boot.

[root@client ~]# systemctl start puppet
[root@client ~]# systemctl enable puppet

Now sign the puppet agent node's certificate on the puppet master server:

The agent node requests a certificate the first time it attempts to run.

Log in and execute the command below on the master puppet server.

[root@server ~]# puppet cert list

"node.lbcdomain.com" (SHA256) D4:88:EC:C5:0A:F7:5D:4E:32:C5:B3:61:E0:51:7B:0C:CD:B3:49:9E:68:0B:E7:5D:75:19:1D:0B:92:8A:E7:C1

Run the command below to sign the certificate:

[root@server ~]# puppet cert sign node.lbcdomain.com

Notice: Signed certificate request for node.lbcdomain.com
Notice: Removing file Puppet::SSL::CertificateRequest node.lbcdomain.com at '/var/lib/puppet/ssl/ca/requests/node.lbcdomain.com.pem'

Run the command below on the puppet agent node to verify the certificate.

[root@client ~]# puppet agent -t

Info: Caching certificate for node.lbcdomain.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for node.lbcdomain.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node.lbcdomain.com
Info: Applying configuration version '1445401911'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.09 seconds

Finally, we have completed the puppet master and agent configuration successfully.


SSH Authentication in RHEL7/CentOS 7

In this post we will see how to enable SSH key authentication in RHEL7/CentOS 7.

SSH key authentication lets us log in to a server/node without a password.
Here we have two servers:

server.lbcdomain.com : 192.168.43.226
node2.localdomain.com : 192.168.43.67

Now we need to install the OpenSSH packages on both servers using the command below.

[root@server ~]# yum -y install openssh

Now we need to start the service and enable it permanently so that it starts at boot.

[root@server ~]# systemctl enable sshd.service

[root@server ~]# systemctl start sshd.service

Then edit the /etc/ssh/sshd_config file and, if PasswordAuthentication is set to no, change it to yes (the key is copied over a password login first).

[root@server ~]# vi /etc/ssh/sshd_config

then change the line below

PasswordAuthentication No

Then save and exit from the file.

Now generate the key pair using the command below.

Press Enter to accept the default path (/home/root/.ssh/id_rsa) and file name for the RSA keys.

Next, press Enter to leave the passphrase blank.

After that, you will see a message with the RSA key pair details.

[root@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa):
Created directory '/home/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/root/.ssh/id_rsa.
Your public key has been saved in /home/root/.ssh/id_rsa.pub.
The key fingerprint is:
d5:44:c4:ef:ef:49:ff:fe:e0:06:ed:d3:0e:71:e4:08 sshuser1@server
The key's randomart image is:
+--[ RSA 2048]----+
| ++ |
| o. |
| . E. .|
| . ..+ |
| S oo o|
| . oo |
| oo+ |
| .=o=|
| ..*X|
+-----------------+

[sshuser1@server root]$ cd ~/.ssh/
[sshuser1@server .ssh]$ ls
id_rsa id_rsa.pub

We generated the keys above; now copy the public key to the remote server that we want to be able to access without a password.

Use the command below to copy the public key:

#ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Now open the /etc/ssh/sshd_config file on the node2 server and make the change below.

PasswordAuthentication no

Save and exit from the file.

Now restart the sshd service on both servers.

RHEL7:
 systemctl restart sshd

RHEL6: 
service sshd restart

We have almost completed the SSH authentication. To test the connection, try to log in from server.lbcdomain.com to node2.lbcdomain.com using ssh.

#ssh [email protected]
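The sshd_config edits in this post (PasswordAuthentication yes on the server while the key is copied, then no on node2) are a natural place to use sed from the earlier sed post instead of vi, since the same change can then be repeated on many hosts. Below is an added example, not from either post: a shell function that sets one sshd_config directive idempotently with sed, handling an active line, the commented-out default (#PasswordAuthentication yes) and a missing line, and keeping a .bak copy via sed -i.bak (GNU sed, as on RHEL7). The sample files are constructed; effective_value reports the value sshd would actually use, which is the first active occurrence.

```shell
#!/bin/sh
# Idempotent sshd_config edits with sed.

# set_sshd_option FILE KEY VALUE : make "KEY VALUE" the active setting in FILE.
set_sshd_option() {
  f="$1" key="$2" val="$3"
  if grep -Eq "^[[:space:]]*${key}([[:space:]]|$)" "$f"; then
    # An active directive exists: rewrite every active occurrence (sshd honours the first one).
    sed -i.bak -E "s/^[[:space:]]*${key}([[:space:]]|$).*/${key} ${val}/" "$f"
  elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]" "$f"; then
    # Only the commented-out default exists: uncomment it in place and set the value.
    sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*${key}[[:space:]].*/${key} ${val}/" "$f"
  else
    # Directive absent: keep a backup like sed -i.bak would, then append it.
    cp -p "$f" "$f.bak" && printf '%s %s\n' "$key" "$val" >> "$f"
  fi
}

# effective_value FILE KEY : the value of the first active KEY line, or "unset".
effective_value() {
  v=$(sed -nE "s/^[[:space:]]*$2[[:space:]]+([^[:space:]]+).*/\1/p" "$1" | head -n 1)
  printf '%s\n' "${v:-unset}"
}

# Walk-through on a constructed file (real use: set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no).
tmp=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp"   # stock default is commented out
set_sshd_option "$tmp" PasswordAuthentication no
echo "PasswordAuthentication is now: $(effective_value "$tmp" PasswordAuthentication)"
rm -f "$tmp" "$tmp.bak"
```

After changing the file, run sshd -t to validate the configuration before restarting sshd, and keep your existing session open until a fresh key-based login has succeeded. The function does not understand Match blocks: a directive inside one is rewritten like any other, so check the result with effective_value or sshd -T.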


Booting process in RHEL7/CentOS 7

In this post we will see the booting process in RHEL7/CentOS 7. It is very important to know the booting process of an operating system, as it helps us troubleshoot boot issues.

We are going to look at the RHEL/CentOS 7 booting process.

Below are the booting stages:

BIOS:

BIOS stands for Basic Input Output System.

It performs a POST (Power-On Self-Test) to check the system hardware.

Then it searches for, loads and executes the MBR (Master Boot Record) in memory.

MBR:

MBR stands for Master Boot Record.

The MBR occupies the first 512 bytes of the boot drive. Of these 512 bytes, 446 bytes contain the boot loader code, 64 bytes contain the partition table and the remaining 2 bytes are the MBR validation signature. The boot drive can be anything like a hard disk, pen drive or floppy.

The MBR searches for and loads the GRUB2 boot loader into memory, and control moves to the boot loader.
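The 446/64/2 split above can be checked directly on a sector image. The script below is an added example, not from this post: it constructs a 512-byte MBR with two Linux LVM (type 8e) entries matching the fdisk -l output in the LVM post, then reads it back with od, verifying the 0x55AA signature and decoding each 16-byte partition entry (status, type, little-endian LBA start and sector count). Run it against the real boot drive with dd if=/dev/sda of=mbr.img bs=512 count=1 as root; the function names are my own.

```shell
#!/bin/sh
# Build and parse a 512-byte MBR: 446 bytes boot code, 4 x 16-byte partition entries, 0x55AA.

# make_sample_mbr FILE : constructed image; entries mirror /dev/sdb1 and /dev/sdb2 from the LVM post.
make_sample_mbr() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  # Entry layout: status, CHS start (3), type, CHS end (3), LBA start (4 LE), sector count (4 LE).
  # Entry 0 at 446: bootable (0x80), type 0x8e, start 2048 (0x800), 12582912 (0xC00000) sectors.
  printf '\200\000\000\000\216\000\000\000\000\010\000\000\000\000\300\000' |
    dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  # Entry 1 at 462: not bootable, type 0x8e, start 12584960 (0xC00800), 4192256 (0x3FF800) sectors.
  printf '\000\000\000\000\216\000\000\000\000\010\300\000\000\370\077\000' |
    dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
  # Boot signature 0x55 0xAA at offset 510.
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# bytes_at FILE OFFSET COUNT : COUNT bytes at OFFSET as space-separated decimal values.
bytes_at() {
  od -An -v -tu1 -j "$2" -N "$3" "$1" | tr -s ' \n' '  '
}

# mbr_signature_ok FILE : true when bytes 510-511 are 0x55 0xAA (21930 as a big-endian pair).
mbr_signature_ok() {
  [ "$(bytes_at "$1" 510 2 | awk '{ print $1 * 256 + $2 }')" -eq 21930 ]
}

# partition_entry FILE N : "status type lba_start sector_count" for table entry N (0-3).
partition_entry() {
  bytes_at "$1" $((446 + 16 * $2)) 16 | awk '{
    lba = $9  + $10 * 256 + $11 * 65536 + $12 * 16777216
    cnt = $13 + $14 * 256 + $15 * 65536 + $16 * 16777216
    printf "%02x %02x %d %d\n", $1, $5, lba, cnt }'
}

# partition_count FILE : number of entries whose type byte is not 00.
partition_count() {
  f=$1 n=0 i=0
  while [ "$i" -lt 4 ]; do
    [ "$(partition_entry "$f" "$i" | cut -d' ' -f2)" = "00" ] || n=$((n + 1))
    i=$((i + 1))
  done
  echo "$n"
}

# Walk-through on the constructed image.
img=$(mktemp) && make_sample_mbr "$img"
mbr_signature_ok "$img" && echo "boot signature 0x55AA present"
i=0
while [ "$i" -lt 4 ]; do
  echo "entry $i: $(partition_entry "$img" "$i")"
  i=$((i + 1))
done
echo "partitions in use: $(partition_count "$img")"
rm -f "$img"
```

Comparing a saved copy of the boot sector against the live one with cmp is a quick way to notice an unexpected change to the boot loader code or partition table between reboots.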

GRUB2 Bootloader:

GRUB stands for Grand Unified Bootloader.

GRUB2 is the default boot loader in RHEL7.

The GRUB configuration file is at /boot/grub2/grub.cfg. Editing this file directly is not advisable.

GRUB configuration defaults:

# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet net.ifnames=0"
GRUB_DISABLE_RECOVERY="true"

To change these settings, edit the /etc/default/grub file.

Once modified, execute the command below so that the change takes effect in the main configuration file (/boot/grub2/grub.cfg).

# grub2-mkconfig -o /boot/grub2/grub.cfg

GRUB has the kernel image (vmlinuz) and initramfs image details.

GRUB searches for and loads the kernel image into memory, and the initramfs image contents are extracted into a memory-based filesystem called tmpfs.

initramfs stands for initial RAM disk.

The initial RAM disk loads the block devices (HDD, CD, floppy, etc.) so that the exact root filesystem can be found and mounted. Until that real root filesystem is mounted, initramfs acts as a temporary root filesystem.

The kernel mounting initramfs first makes this a two-stage boot process.

Use the lsinitrd command to view the initramfs content.

Kernel:

The kernel starts the systemd process, which gets PID 1 as it is the first process.

root 1 0 0 02:10 ? 00:00:02 /usr/lib/systemd/systemd --switched-root --system --deserialize 23

Systemd:

Systemd is the first process.

It reads /etc/systemd/system/default.target to determine the default system target. The target file defines the services that systemd starts.

Systemd brings the system up to the target's run level and performs system initialization such as setting the hostname and network settings, initializing SELinux, printing the welcome banner and mounting all filesystems.


vi editor in Linux

The vi editor has the two modes below.

1. Insert mode

2. Command mode

Insert mode:

In this mode we can insert the required content into the file.

Command mode:

In this mode we can do most operations, like searching for a word, copy, delete, paste, undo changes, etc.

Creating a file using the vi editor:

[root@server ~]# vi testfile

Once the above command is executed, press the i key to enter insert mode. You will see –INSERT– at the bottom of the screen once you are in insert mode.

~
~
~
~
~
~
~
-- INSERT --

Type the content for this file. Once the content is provided, press the Esc key to go back to command mode and use :wq to save and exit the file.

[root@server ~]# vi testfile
This is my test file
~
~
~
:wq


Below are more vi editor options, all of which are executed in command mode.

:q    exit the file without saving

:u    undo the last operation

/     search for a word inside the file

example:   /test

yy    copy the current line

<n>yy     copy n lines, e.g. 5yy

dd    delete the current line

<n>dd     delete n lines, e.g. 10dd

p     paste the copied lines; they are inserted on the line after the cursor

:set nu    show line numbers in the file


Configuring LDAP based authentication in RHEL7

What is LDAP?

LDAP: Lightweight Directory Access Protocol

This authentication allows client machines to access centralized data/services from different places.

Keeping services/data centralized makes them simple to maintain and lets permissions be granted/denied centrally.


Installing OpenLDAP:

[root@server ~]# yum -y install openldap*


Make sure that SELinux does not deny LDAP. For that, set the SELinux Boolean values below on both the server and the client.

[root@server ~]# setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=0

Now enable the ldap service permanently and start it.

[root@server ~]# systemctl enable slapd
[root@server ~]# systemctl start slapd

Since the ldap service runs as the ldap user, that user should own the /var/lib/ldap directory. By default the directory is modified by the root user as its administrator, so we have to change the owner and group to the ldap user. Before that, copy the sample slapd database configuration file into /var/lib/ldap under the name DB_CONFIG.

Note: the sample slapd database configuration file is available at /usr/share/openldap-servers/DB_CONFIG.example


[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’? y

Now change the owner of that directory to the ldap user recursively.


[root@server ~]# chown -R ldap:ldap /var/lib/ldap


Now set the password for the ldap admin user and keep a copy of the generated hash for later use.

[root@server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB


LDAP configuration files are available under /etc/openldap/slapd.d/.
We need to update the olcSuffix, olcRootDN and olcRootPW attributes.

olcSuffix: the domain for which the LDAP server provides information.
olcRootDN: the administrator user entry (Root Distinguished Name), which has all permissions to perform operations, like root.

olcRootPW: the password of the above user.


The above entries should be updated in the /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif file.
Note: updating the entries manually is not advisable. So, we are going to create an ldif file and apply it using the ldapmodify command.


Now create the db.ldif file with the following contents:

[root@server cn=config]# vi db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Kp/mCASZRf/dBKNHKOxg4O5lEt7vyiRB

Save and exit.

Once the file is created with the above content, execute the command below.

[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@server cn=config]#


Make the changes below to the /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif entry to restrict monitor access to the ldap root user only.


[root@server ~]# vi monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=lbcdomain,dc=com" read by * none


Save and exit the file.

Once the file is created with the above content, send the configuration to the LDAP server using the ldapmodify command.


[root@server cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

[root@server cn=config]#


Creating LDAP Certificate:

Now create a self-signed certificate and private key for the LDAP server in the /etc/openldap/certs/ directory using the command below.

[root@server cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lbcdomainldapcert.pem -keyout /etc/openldap/certs/lbcdomainldapkey.pem -days 365
Generating a 2048 bit RSA private key
..........................................................................................................................................................................................................................+++
................+++
writing new private key to '/etc/openldap/certs/lbcdomainldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Chennai
Organization Name (eg, company) [Default Company Ltd]:Linux Book Center
Organizational Unit Name (eg, section) []:Linux Book Center
Common Name (eg, your name or your server's hostname) []:Server
Email Address []:[email protected]


Now change the owner and group of the certificate and key files to the ldap user.

[root@server cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem

[root@server certs]# ll | grep pem
-rw-r--r--. 1 ldap ldap 1480 Aug 15 11:32 lbcdomainldapcert.pem
-rw-r--r--. 1 ldap ldap 1708 Aug 15 11:32 lbcdomainldapkey.pem


Create the certs.ldif file to configure LDAP to use secure communication with the self-signed certificate.

[root@server certs]# vi certs.ldif

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/lbcdomainldapcert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/lbcdomainldapkey.pem

Once the file is created, import the certificate configuration using the ldapmodify command below.

[root@server certs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

[root@server certs]#


Use the below command to verify the configuration:

[root@server certs]# slaptest -u
5992a281 UNKNOWN attributeDescription "CHANGETYPE" inserted.
5992a281 UNKNOWN attributeDescription "REPLACE" inserted.
5992a281 is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
5992a281 is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
config file testing succeeded
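Each ldapmodify step above pushes a "changetype: modify" LDIF record into cn=config. The following is an added example (not part of the original page or of OpenLDAP) that parses such records and reviews the values before they are applied; the sample LDIF is constructed and deliberately includes a cleartext olcRootPW to show what the check catches.

```python
import re
from typing import Dict, List

# Added example, not from the original page: a minimal parser for the
# "changetype: modify" LDIF records used with ldapmodify above, plus a
# review of the values before they are pushed into cn=config.

# Constructed LDIF: the page's olcSuffix record, followed by a deliberately
# weak olcRootPW record (cleartext instead of the slappasswd {SSHA} output).
SAMPLE_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=lbcdomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: constructed-cleartext-password
"""

def parse_modify_ldif(text: str) -> List[Dict[str, str]]:
    """Return one {dn, attr, value} dict per 'replace' record (plain values only, no '::' base64)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or line.strip() in ("", "-"):
                continue  # comments, blank lines and the optional '-' separator
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("changetype") != "modify" or "replace" not in attrs:
            raise ValueError("unsupported record under dn=%s" % attrs.get("dn"))
        attr = attrs["replace"]
        if attr not in attrs:
            raise ValueError("replace: %s has no value line" % attr)
        records.append({"dn": attrs["dn"], "attr": attr, "value": attrs[attr]})
    return records

def review_records(records: List[Dict[str, str]]) -> List[str]:
    """Return the problems a reviewer would raise before running ldapmodify."""
    problems = []
    for rec in records:
        if rec["attr"] == "olcRootPW" and not rec["value"].startswith("{"):
            problems.append("olcRootPW is cleartext; store the {SSHA} value from slappasswd")
        if rec["attr"].startswith("olcTLS") and not rec["value"].startswith("/"):
            problems.append(rec["attr"] + " should be an absolute path")
    return problems

if __name__ == "__main__":
    parsed = parse_modify_ldif(SAMPLE_LDIF)
    for rec in parsed:
        print(rec["dn"], rec["attr"], rec["value"])
    print(review_records(parsed))
```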

LDAP Database creation:

A sample database configuration file is available at /usr/share/openldap-servers/DB_CONFIG.example. Copy it into /var/lib/ldap and change the file ownership.

[root@server certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server certs]# chown ldap:ldap /var/lib/ldap/*

Add the cosine, nis and inetorgperson LDAP schemas:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"


[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"
[root@server certs]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"


Now create the ldif file for our domain:

[root@server certs]# vi base.ldif

dn: dc=lbcdomain,dc=com
dc: lbcdomain
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=lbcdomain,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=lbcdomain,dc=com
objectClass: organizationalUnit
ou: Group

Now build the directory structure:

[root@server certs]# ldapadd -x -W -D "cn=ldapadm,dc=lbcdomain,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=lbcdomain,dc=com"
ldap_add: Already exists (68)


We have configured the LDAP server; next we will use LDAP credentials to access a centralized data/service such as an NFS share.