Monthly Archives: June 2012

Red Hat Certification – RHCE – KVM via CLI

In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.

But how to install, configure and use it only from the CLI?

Virt-Manager

http://virt-manager.org/page/Main_Page has some details

As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).

None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use

yum groupinfo "Virtualization Client"

or correspondingly to get more information about the group.

yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"

This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.

lsmod|grep kvm
service libvirtd start
lsmod|grep kvm

This also sets up a bridge-interface (virbr0).

Now, how to install a machine or connect to the hypervisor?

How to get console?

ssh -XYC user@kvmserver
virt-manager

did not work.

On the client you could try to do:

yum groupinstall "Virtualization Client"
yum install libvirt
virt-manager

Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?

Noit is not, first: check if Virtualization is enabled on the server. Look in /var/log/messages for

kernel: kvm: disabled by bios

If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.

Then you can start virt-manager, check that you can connect to the KVMserver.

Copy a .iso to /var/lib/libvirt/images on the server.

Re-connect to the kvm-server in virt-manager.

Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.

Pointing the VM to kvm-server where a httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.

OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.

Moving on to virsh.

To install a vm you use ‘virt-install’.

You can get lots of info from ‘virsh’

virsh pool-list
virsh vol-list default
virsh list
virsh list-all
virsh dumpxml test > /tmp/test.xml
cp /tmp/test.xml /tmp/new.xml

Edit new.xml

change name to new and remove line with UUID

virt-xml-validate /tmp/new.xml
virsh help create
virsh create --file /tmp/new.xml
virsh list

This creates a new VM that uses the same disk and setup. But, if you shut down this new domain, it will disappear from virsh list –all and the list. To keep it you need to define it first:

virsh define --file /tmp/new.xml
virsh start new

This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.

Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ however.

virt-install --help
virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm

For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.

To make edit to a vm over ssh:

virsh edit NAMEOFVM

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables

 

Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation

 

Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message

 

-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certiciates
  • RA – registration authoriy – verifies user identity requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication

 

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf

 

Red Hat Certification – RHCE – Network Services – NTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NTP:

You could possibly test this from Windows as well.

On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.

Check in /var/log/messages for details

The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).

ntpdate is instant but it’s not recommended to be used. For example with ‘ntpdate -q’.

man ntp.conf
this then points to :
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc

  • Install the packages needed to provide the service.
    • yum install ntp
  • Configure SELinux to support the service
    • nothing to configure??
  • Configure the service to start when the system is booted.
    • chkconfig ntpd on
  • Configure the service for basic operation.
    • /etc/ntp.conf
      • server ntp.server.com
    • service ntpd start
    • ntpq -p # to see status
  • Configure host-based and user-based security for the service
    • iptables
      • port 123 (UDP)

Enable ntpd as a client

What’s a bit reverse for ntpd is that first you need to configure the server as a client

So that your local ntp-server gets good time from somewhere else. You can find a good time-server to use on www.pool.ntp.org

You only need to add one server line but for redundancy you should probably have more than one.

As an example with your client on 192.168.0.0/24 and server is on 192.168.1.0/24.

All you need to do is for the client part:

server ntp.example.com
service ntpd restart
ntpq -p

 

Enable ntpd as a server

You need to add a restrict line in ntp.conf.

You also need to allow port 123 UDP in the firewall.

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
service ntpd restart

Client to use your ntp server

Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.

Extra

  • Synchronize time using other NTP peers.

I believe this has been covered.

More Extra

One extra thing you may want to check out is the ‘tinker’ command.

This is put on top of ntp.conf and more info are available in ‘man ntp_misc’.

However, most of the time you just need to wait a bit for the time change to come through.

tcpdump

There’s not much to go in logs on either server or client for ntpd. You’ll get messages in /var/log/messages though that says “synchronized” and when the service is starting.

You can also use tcpdump on the server to see if there are any packets coming in.

tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP'
# wait a while, restart ntpd on client
tcpdump -r /tmp/tcmpdump.123
# this will then show some packets if you have a working communication between server and client

To test that it’s working

Start with the server still connecting to an ntp-server with good time.

You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.

Set it to 15 minutes before:

date -s "6 JUN 2012 17:00:00"
service ntpd restart

Also restart ntpd on the client, then wait, this will probably take a bit longer than before.

If you set the time manually to something too big it won’t work. You could then experiment with ‘tinker panic 0’

Red Hat Certification – RHCE – Network Services – ssh

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SSH:

To test from windows you can use putty.

But in linux you just need ssh for client and sshd for server.

man 5 sshd_config and this blogpost has an overview.

  • Install the packages needed to provide the service.
    • yum install openssh
  • Configure SELinux to support the service
    • getsebool -a|grep ssh
  • Configure the service to start when the system is booted.
    • chkconfig sshd on
  • Configure the service for basic operation.
    • /etc/ssh/sshd_config
  • Configure host-based and user-based security for the service
    • iptables
      • port 22 (TCP)
    • tcp.wrapper

 

TCP Wrapper

More info in man tcpd and man 5 hosts_access

Check that your daemon supports it:

which sshd
ldd /usr/sbin/sshd|grep wrap

For this test, let’s say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24

cat /etc/hosts.allow

sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH

The last row sends a special message to a client connecting from a non-allowed network.

cat /etc/hosts.deny

ALL: ALL

If you on the server with these settings try to do “ssh -v root@localhost” or “ssh -v root@192.168.1.1” you’ll get the message from twist.

If you in hosts.allow add:

sshd: KNOWN

You can log on to the localhost, but not if you add “LOCAL”.

If you add

sshd: 192.168.1.

you can log on from localhost to the public IP of the server.

Extra

  • Configure key-based authentication.
    • ssh-keygen
    • ssh-copy-id user@host
    • ssh user@host
    • set PasswordAuthentication to no in sshd_config
    • service sshd restart
  • Configure additional options described in documentation.
    • many things can be done, see “man 5 sshd_config”
    • chrootdirectory looks quite cool but requires a bit of work

Red Hat Certification – RHCE – Network Services – e-mail

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SMTP:

Hackmode has a good article about setting postfix for the first time.

To test that e-mail is working you can – tada – use an e-mail client.

You have lots of details in /usr/share/doc/postfix-N ( the path should be in /etc/postfix/main.cf )

  • Install the packages needed to provide the service.
    • yum install postfix
  • Configure SELinux to support the service
    • getsebool -a|grep postfix
  • Configure the service to start when the system is booted.
    • chkconfig postfix on
  • Configure the service for basic operation.
    • set hostname to host.example.com
    • /etc/postfix/main.cf and define (this assumes hostname is host.example.com):
      • myhostname = host.example.com
      • mydomain = example.com
      • myorigin = $mydomain
      • inet_interfaces = all
      • mydestination = add $mydomain to the default one
      • home_mailbox = Maildir/
      • Update firewall to allow port 25 tcp
      • Test with: nc localhost 25
  • Configure host-based and user-based security for the service
    • iptables or $mynetworks in main.cf
    • user: postmap

In CLI (important to use ‘ and not “):

#hostname - record the output of this
postconf -e 'myhostname = output from hostname in here'
#hostname -d
postconf -e 'mydomain = output from hostname -d in here'
postconf -e 'myorigin = $mydomain'
postconf -e 'inet_interface = all'
postconf -e 'mydestination = $myhostname, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128, /32'
postconf -e 'relay_domains = $mydestination'
postconf -e 'home_mailbox = Maildir/'

To use it:

useradd -s /sbin/nologin labber
passwd labber

Edit /etc/aliases and add:

labber: labber

Then run:

newaliases
service postfix start
service postfix status
netstat -nlp|grep master

Send e-mail:

mail -s "Test e-mail here" labber@mydomain
test123
.

The . at the end is quite nice, that stops the input.

Check e-mail:

cat /home/labber/Maildir/new/*

Real E-mail Client

But, perhaps you want to check this out with a real e-mail client like thunderbird 10.

For this there needs to be a e-mail server that stores the e-mails on the server.

For this we can use ‘dovecot’

yum install dovecot
service dovecot start
  1. Update iptables to allow ports 25 and 143 (TCP)
  2. Update main.cf to allow from your IP
  3. Restart services
  4. Add new account in thunderbird –
    1. do use the IP address of your server, not the DNS
    2. do not use SMTP security (or username), but use password authentication
    3. do use IMAP STARTTLS security, username: labber, password auth

Thunderbird is quite nice, it will often tell you which setting is wrong.

You can use /var/log/maillog for details on the server-side (to see if you get connections at all for example).

 

Deny a User

To illustrate this feature we first need to add a second user/e-mail account:

useradd -s /sbin/nologin labrat
passwd labrat
echo "labrat: labrat" >> /etc/aliases
newaliases
service postfix restart
service dovecot restart
mail -s "test" labrat@mydomain

You need to send an e-mail to the e-mail address before you can add it in Thunderbird (because the user does not have a $HOME/Maildir until you do).

After the new user has been created and added to your e-mail client do the following:

cd /etc/postfix
echo "labber@mydomain REJECT" >> sender_access
postmap hash:sender_access
echo "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access" >> /etc/postfix/main.cf
service postfix restart

Try:

  • to send an e-mail from and to both accounts

Extra

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems.
    • inet_interfaces = all
  • Configure an MTA to forward (relay) email through a smart host.
    • relayhost=hostname.domain.com

If I understand this correctly to setup the above two we would need to have two servers.