Yay I passed the EX436 Red Hat Enterprise Storage Management !
https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-207-403&isSearch=False&verify=Verify
Certificate of Expertise
Leave a reply
Tag Archives: red hat
Red Hat – Clustering and Storage Management – Course Objectives – part 2
Post 1 – http://www.guldmyr.com/blog/red-hat-clustering-and-storage-management-course-objectives/ Where I checked out udev, multipathing, iscsi, LVM and xfs.
This post is about getting using luci/ricci to get a Red Hat cluster working, but not on a RHEL machine because sadly I do not have one available for practice purposes. So CentOS64 it is. Using openstack for virtualization.
Topology: Four hosts on all three networks, -a, -b and internal. Three cluster nodes and one management node.
Get the basic cluster going:
- image four identical nodes
- ssh-key is distributed
- /etc/hosts file has all hosts, IPs and networks
- network interfaces are configured –
- set a gateway in /etc/sysconfig/network
- firewall
- all traffic allowed from -a and -b networks
- at a minimum allow traffic from the network that the hostname corresponds to that you enter in luci
- dns (PEERDNS=no is good with several dhcp interfaces)
- timesync with ntpd
- luci installed on mgmt-node # ricci is a web gui
- ricci installed on all cluster nodes # this is the service talks with corosync
- password set for user ricci on cluster nodes
- create cluster in luci
- multicast perhaps doesn’t work so well in openstack ?
- on cluster nodes this runs “yum -y install cman rgmanager lvm2-cluster sg3_utils gfs2-utils” if shared storage is selected, probably less if not.
- fencing is really important, how to do it in openstack would require a bit of work though. Not as easy as with kvm/xvm to send a destroy domain message.
Tests:
- Update and distribute cluster.conf
- Have a service run on a node on the cluster (doesn’t have to have a shared storage for this).
- Commands:
- clustat
- cman_tool
- rg_test test /etc/cluster/cluster.conf start service name-of-service
- ccs_config_validate
Share an iSCSI target between all nodes:
- Using management node to share the iSCSI LUN.
- tgtd, multipath
- clvmd running on all nodes
- lvmconf – make sure locking is set correctly
- create vg with clustering
- partprobe; multipath -r # do this often
- vgs/lvs and make sure all nodes see the clusterd lv
- minimum GFS filesystem is around 128M – you didn’t use all the vg right? =)
- for testing/small cluster lowering the journal size is goodness
- mount!
Red Hat – Clustering and Storage Management – Course Objectives
Attending “Red Hat Enterprise Clustering and Storage Management” in August. Quite a few of these technologies I haven’t touched upon before so probably best to go through them before the course.
Initially I wonder how many of these are Red Hat specific, or how many of these I can accomplish by using the free clones such as CentOS or Scientific Linux. We’ll see :) At least a lot of Red Hat’s guides will include their Storage Server.
I used the course content summary as a template for this post, my notes are made within them.. below.
For future questions and trolls: this is not a how-to for lazy people who just want to copy and paste. There are plenty of other sites for that. This is just the basics and it might have some pointers so that I know which are the basic steps and names/commands for each task. That way I hope it’s possible to figure out how to use the commands and such by RTFM.
Course content summary :
Clusters and storage
Get an overview of storage and cluster technologies.
ISCSI configuration
Set up and manage iSCSI.
Step 1: Setup a server that can present iSCSI LUNs. A target.
- CentOS 6.4 – minimal. Set up basic stuff like networking, user account, yum update, ntp/time sync then make a clone of the VM.
- Install some useful software like: yum install ntp parted man
- Add a new disk to the VM
Step 2: Make nodes for the cluster.
- yum install iscsi-initiator-utils
Step 3: Setup an iSCSI target on the iSCSI server.
http://www.server-world.info/en/note?os=CentOS_6&p=iscsi
- yum install scsi-target-utils
- allow port 3260
- edit /etc/tgt/target.conf
- if you do comment out the ip range and authentication it’s free-for-all
http://www.server-world.info/en/note?os=CentOS_6&p=iscsi&f=2
Step 4: Login to the target from at least two nodes by running ‘iscsiadm’ commands.
Next step would be to put an appropriate file system on the LUN.
UDEV
Learn basic manipulation and creation of udev rules.
http://www.reactivated.net/writing_udev_rules.html is an old link but just change the commands to “udevadm” instead of “udev*” and at least the sections I read worked the same.
udevadm info -a -n /dev/sdb
Above command helps you find properties which you can build rules from. Only use properties from one parent.
I have a USB key that I can pass through to my VM in VirtualBox, without any modifications it pops up as /dev/sdc.
By looking in the output of the above command I can create /etc/udev/rules.d/10-usb.rules that contains:
SUBSYSTEMS=="usb", ATTRS{serial}=="001CC0EC3450BB40E71401C9", NAME="my_usb_disk"
After “removing” the USB disk from the VM and adding it again the disk (and also all partitions!) will be called /dev/my_usb_disk. This is bad.
By using SYMLINK+=”my_usb_disk” instead of NAME=”my_usb_disk” all the /dev/sdc devices are kept and /dev/my_usb_disk points to /dev/sdc5. And on next boot it pointed to sdc6 (and before that sg3 and sdc7..). This is also bad.
To make one specific partition with a specific size be symlinked to /dev/my_usb_disk I could set this rule:
SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk"
You could do:
KERNEL=="sd*" SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk%n"
Which will create /dev/my_usb_disk5 !
This would perhaps be acceptable, but if you ever want to re-partition the disk then you’d have to change the udev rules accordingly.
If you want to create symlinks for each partition (based on it being a usb, a disk and have the USB with specified serial number):
SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{serial}=="001CC0EC3450BB40E71401C9", SYMLINK+="my_usb_disk%n"
These things can be useful if you have several USB disks but you always want the disk to be called /dev/my_usb_disk and not sometimes /dev/sdb and sometimes /dev/sdc.
For testing one can use “udevadm test /sys/class/block/sdc”
Multipathing
Combine multiple paths to SAN devices into one fault-tolerant virtual device.
Ah, this one I’ve been in touch with before with fibrechannel, it also works with iSCSI.
Multipath is the command and be wary of devices/multipaths vs default settings.
Multipathd can be used in case there are actually multiple paths to a LUN (the target is perhaps available on two IP addresses/networks) but it can also be used to set a user_friendly name to a disk, based on its wwid.
Some good commands:
service multipathd status yum provides */multipath.conf # device-mapper-multipath is the package. multipath -ll
Copy in default multipath.conf to /etc; reload and hit multipath -ll to see what it does.
After that the Fun begins!
Red Hat high-availability overview
Learn the architecture and component technologies in the Red Hat® High Availability Add-On.
Quorum
Understand quorum and quorum calculations.
Fencing
Understand Fencing and fencing configuration.
Resources and resource groups
Understand rgmanager and the configuration of resources and resource groups.
Advanced resource management
Understand resource dependencies and complex resources.
Two-node cluster issues
Understand the use and limitations of 2-node clusters.
http://en.wikipedia.org/wiki/Split-brain_(computing)
LVM management
Review LVM commands and Clustered LVM (clvm).
Create Normal LVM and make a snapshot:
Tutonics has a good “ubuntu” guide for LVMs, but at least the snapshot part works the same.
- yum install lvm2
- parted /dev/vda # create two primary large physical partitions. With a CentOS64 VM in openstack I had to reboot after this step.
- pvcreate /dev/vda3 pvcreate /dev/vda4
- vgcreate VG1 /dev/vda3 /dev/vda4
- lvcreate -L 1G VG1 # create a smaller logical volume (to give room for snapshot volume)
- mkfs.ext4 /dev/VG1/
- mount /dev/VG1/lvol0 /mnt
- date >> /mnt/datehere
- lvcreate -L 1G -s -n snap_lvol0 /dev/VG1/lvol0
- date >> /mnt/datehere
- mkdir /snapmount
- mount /dev/VG1/snap_lvol0 /snapmount # mount the snapshot :)
- diff /snapmount/datehere /mnt/datehere
Revert a Logival Volume to the state of the snapshot:
- umount /mnt /snapmount
- lvconvert –merge /dev/VG1/snap_lvol0 # this also removes the snapshot under /dev/VG1/
- mount /mnt
- cat /mnt/datehere
XFS
Explore the Features of the XFS® file system and tools required for creating, maintaining, and troubleshooting.
yum provides */mkfs.xfs
yum install quota
XFS Quotas:
mount with uquota for user quotas, mount with uqnoenforce for soft quotas.
use xfs_quota -x to set quotas
help limit
To illustrate the quotas: set a limit for user “user”:
xfs -x -c "limit bsoft=100m bhard=110m user"
Then create two 50M files. While writing the 3rd file the cp command will halt when it is at the hard limit:
[user@rhce3 home]$ cp 50M 50M_2 cp: writing `50M_2': Disk quota exceeded [user@rhce3 home]$ ls -l total 112636 -rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M -rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M_1 -rw-rw-r-- 1 user user 10477568 Aug 15 09:29 50M_2
Red Hat Storage
Work with Gluster to create and maintain a scale-out storage solution.
http://chauhan-rhce.blogspot.fi/2013/04/gluster-file-system-configuration-steps.html
Updates to the Red Hat Enterprise Clustering and Storage Management course
Comprehensive review
Set up high-availability services and storage.
RHCE Certified
Passed the exam!
https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-207-403
Red Hat Certification – RHCE – KVM via CLI
In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.
But how to install, configure and use it only from the CLI?
Virt-Manager
http://virt-manager.org/page/Main_Page has some details
As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).
None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use
yum groupinfo "Virtualization Client"
or correspondingly to get more information about the group.
yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"
This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.
lsmod|grep kvm service libvirtd start lsmod|grep kvm
This also sets up a bridge-interface (virbr0).
Now, how to install a machine or connect to the hypervisor?
How to get console?
ssh -XYC user@kvmserver virt-manager
did not work.
On the client you could try to do:
yum groupinstall "Virtualization Client" yum install libvirt virt-manager
Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?
Noit is not, first: check if Virtualization is enabled on the server. Look in /var/log/messages for
kernel: kvm: disabled by bios
If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.
Then you can start virt-manager, check that you can connect to the KVMserver.
Copy a .iso to /var/lib/libvirt/images on the server.
Re-connect to the kvm-server in virt-manager.
Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.
Pointing the VM to kvm-server where a httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.
OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.
Moving on to virsh.
To install a vm you use ‘virt-install’.
You can get lots of info from ‘virsh’
virsh pool-list virsh vol-list default virsh list virsh list-all virsh dumpxml test > /tmp/test.xml cp /tmp/test.xml /tmp/new.xml
Edit new.xml
change name to new and remove line with UUID
virt-xml-validate /tmp/new.xml virsh help create virsh create --file /tmp/new.xml virsh list
This creates a new VM that uses the same disk and setup. But, if you shut down this new domain, it will disappear from virsh list –all and the list. To keep it you need to define it first:
virsh define --file /tmp/new.xml virsh start new
This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.
Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ however.
virt-install --help virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm
For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.
To make edit to a vm over ssh:
virsh edit NAMEOFVM
Red Hat Certification – RHCE – Course Outline
Howdy!
In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.
Here are the posts based on the objectives:
Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.
I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.
This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.
I’ll go through the ones I find more interesting below:
Network Resource Access Controls
-Internet Protocol and Routing
OK, well this is quite obvious, some commands:
ip addr ip route route add netstat -rn
IPv6
-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration
You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig
Some settings can also go into /etc/sysconfig/network
iptables
–Netfilter Overview
-Rules: General Considerations
–Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables
Web Services
-Squid Web Proxy Cache
On client check what IP you get:
curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php
On server install and setup squid:
yum install squid vi /etc/squid/squid.conf #add this line in the right place: acl localnet src 192.168.1.1/32 #allow port 3128 TCP in the firewall (use very strict access here) service squid start
On client:
curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php
Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.
E-mail Services
-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation
Securing Data
-The Need For Encryption
Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:
–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”
There are many more things you can specify.
echo "awesome secret message" > /tmp/file gpg --symmetric --force-mdc /tmp/file #(enter password) #this creates a /tmp/file.gpg #beware that /tmp/file still exists #to decrypt: gpg --decrypt /tmp/file.gpg gpg: 3DES encrypted data gpg: encrypted with 1 passphrase awesome secret message
-Asymmetric Encryption
Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.
GnuPG can let you handle this.
Login with a user called ‘labber’:
gpg --gen-key # in this interactive dialog enter username: labber, e-mail and password # this doesn't always work, might take _long_time_, eventually I just tried on another machine echo "secret message" > /tmp/file gpg -e -r labber /tmp/file # enter password gpg --decrypt /tmp/file # enter password
To export the public key in ASCII format you can:
gpg --armor --output "key.txt" --export "labber"
However, how to encrypt a file with somebody else’s public key?
-Public Key Infrastructures – PKI
Consists of:
- CA – certificate authority – issues and verifies digital certiciates
- RA – registration authoriy – verifies user identity requesting info from the CA
- central directory – used to store and index keys
-Digital Certificates
A certificate has user details and the public key.
Account Management
-Account Management
-Account Information (Name Service)
–Name Service Switch (NSS)
–Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication
PAM
Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.
For example you can have PAM connect to an ldap-server.
CLI: authconfig
Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf
Red Hat Certification – RHCE – Network Services – NTP
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
NTP:
You could possibly test this from Windows as well.
On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.
Check in /var/log/messages for details
The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).
ntpdate is instant but it’s not recommended to be used. For example with ‘ntpdate -q’.
man ntp.conf
this then points to :
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc
- Install the packages needed to provide the service.
- yum install ntp
- Configure SELinux to support the service
- nothing to configure??
- Configure the service to start when the system is booted.
- chkconfig ntpd on
- Configure the service for basic operation.
- /etc/ntp.conf
- server ntp.server.com
- service ntpd start
- ntpq -p # to see status
- Configure host-based and user-based security for the service
- iptables
- port 123 (UDP)
Enable ntpd as a client
What’s a bit reverse for ntpd is that first you need to configure the server as a client
So that your local ntp-server gets good time from somewhere else. You can find a good time-server to use on www.pool.ntp.org
You only need to add one server line but for redundancy you should probably have more than one.
As an example with your client on 192.168.0.0/24 and server is on 192.168.1.0/24.
All you need to do is for the client part:
server ntp.example.com service ntpd restart ntpq -p
Enable ntpd as a server
You need to add a restrict line in ntp.conf.
You also need to allow port 123 UDP in the firewall.
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap service ntpd restart
Client to use your ntp server
Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.
Extra
- Synchronize time using other NTP peers.
I believe this has been covered.
More Extra
One extra thing you may want to check out is the ‘tinker’ command.
This is put on top of ntp.conf and more info are available in ‘man ntp_misc’.
However, most of the time you just need to wait a bit for the time change to come through.
tcpdump
There’s not much to go in logs on either server or client for ntpd. You’ll get messages in /var/log/messages though that says “synchronized” and when the service is starting.
You can also use tcpdump on the server to see if there are any packets coming in.
tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP' # wait a while, restart ntpd on client tcpdump -r /tmp/tcmpdump.123 # this will then show some packets if you have a working communication between server and client
To test that it’s working
Start with the server still connecting to an ntp-server with good time.
You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.
Set it to 15 minutes before:
date -s "6 JUN 2012 17:00:00" service ntpd restart
Also restart ntpd on the client, then wait, this will probably take a bit longer than before.
If you set the time manually to something too big it won’t work. You could then experiment with ‘tinker panic 0’
Red Hat Certification – RHCE – Network Services – ssh
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
SSH:
To test from windows you can use putty.
But in linux you just need ssh for client and sshd for server.
man 5 sshd_config and this blogpost has an overview.
- Install the packages needed to provide the service.
- yum install openssh
- Configure SELinux to support the service
- getsebool -a|grep ssh
- Configure the service to start when the system is booted.
- chkconfig sshd on
- Configure the service for basic operation.
- /etc/ssh/sshd_config
- Configure host-based and user-based security for the service
- iptables
- port 22 (TCP)
- tcp.wrapper
TCP Wrapper
More info in man tcpd and man 5 hosts_access
Check that your daemon supports it:
which sshd ldd /usr/sbin/sshd|grep wrap
For this test, let’s say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24
cat /etc/hosts.allow
sshd: 192.168.0.0/255.255.255.0 sshd: ALL : twist /bin/echo DEATH
The last row sends a special message to a client connecting from a non-allowed network.
cat /etc/hosts.deny
ALL: ALL
If you on the server with these settings try to do “ssh -v root@localhost” or “ssh -v root@192.168.1.1” you’ll get the message from twist.
If you in hosts.allow add:
sshd: KNOWN
You can log on to the localhost, but not if you add “LOCAL”.
If you add
sshd: 192.168.1.
you can log on from localhost to the public IP of the server.
Extra
- Configure key-based authentication.
- ssh-keygen
- ssh-copy-id user@host
- ssh user@host
- set PasswordAuthentication to no in sshd_config
- service sshd restart
- Configure additional options described in documentation.
- many things can be done, see “man 5 sshd_config”
- chrootdirectory looks quite cool but requires a bit of work
Red Hat Certification – RHCE – Network Services – e-mail
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
SMTP:
Hackmode has a good article about setting postfix for the first time.
To test that e-mail is working you can – tada – use an e-mail client.
You have lots of details in /usr/share/doc/postfix-N ( the path should be in /etc/postfix/main.cf )
- Install the packages needed to provide the service.
- yum install postfix
- Configure SELinux to support the service
- getsebool -a|grep postfix
- Configure the service to start when the system is booted.
- chkconfig postfix on
- Configure the service for basic operation.
- set hostname to host.example.com
- /etc/postfix/main.cf and define (this assumes hostname is host.example.com):
- myhostname = host.example.com
- mydomain = example.com
- myorigin = $mydomain
- inet_interfaces = all
- mydestination = add $mydomain to the default one
- home_mailbox = Maildir/
- Update firewall to allow port 25 tcp
- Test with: nc localhost 25
- Configure host-based and user-based security for the service
- iptables or $mynetworks in main.cf
- user: postmap
In CLI (important to use ‘ and not “):
#hostname - record the output of this postconf -e 'myhostname = output from hostname in here' #hostname -d postconf -e 'mydomain = output from hostname -d in here' postconf -e 'myorigin = $mydomain' postconf -e 'inet_interface = all' postconf -e 'mydestination = $myhostname, localhost, $mydomain' postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128, /32' postconf -e 'relay_domains = $mydestination' postconf -e 'home_mailbox = Maildir/'
To use it:
useradd -s /sbin/nologin labber passwd labber
Edit /etc/aliases and add:
labber: labber
Then run:
newaliases service postfix start service postfix status netstat -nlp|grep master
Send e-mail:
mail -s "Test e-mail here" labber@mydomain test123 .
The . at the end is quite nice, that stops the input.
Check e-mail:
cat /home/labber/Maildir/new/*
Real E-mail Client
But, perhaps you want to check this out with a real e-mail client like thunderbird 10.
For this there needs to be a e-mail server that stores the e-mails on the server.
For this we can use ‘dovecot’
yum install dovecot service dovecot start
- Update iptables to allow ports 25 and 143 (TCP)
- Update main.cf to allow from your IP
- Restart services
- Add new account in thunderbird –
- do use the IP address of your server, not the DNS
- do not use SMTP security (or username), but use password authentication
- do use IMAP STARTTLS security, username: labber, password auth
Thunderbird is quite nice, it will often tell you which setting is wrong.
You can use /var/log/maillog for details on the server-side (to see if you get connections at all for example).
Deny a User
To illustrate this feature we first need to add a second user/e-mail account:
useradd -s /sbin/nologin labrat passwd labrat echo "labrat: labrat" >> /etc/aliases newaliases service postfix restart service dovecot restart mail -s "test" labrat@mydomain
You need to send an e-mail to the e-mail address before you can add it in Thunderbird (because the user does not have a $HOME/Maildir until you do).
After the new user has been created and added to your e-mail client do the following:
cd /etc/postfix echo "labber@mydomain REJECT" >> sender_access postmap hash:sender_access echo "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access" >> /etc/postfix/main.cf service postfix restart
Try:
- to send an e-mail from and to both accounts
Extra
- Configure a mail transfer agent (MTA) to accept inbound email from other systems.
- inet_interfaces = all
- Configure an MTA to forward (relay) email through a smart host.
- relayhost=hostname.domain.com
If I understand this correctly to setup the above two we would need to have two servers.
Red Hat Certification – RHCE – Network Services – SMB
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
- http/https
- dns
- ftp
- nfs
- smb
- smtp
- ssh
- ntp
SMB:
Testing an SMB server may be quite easy from Windows, but from Linux I suppose it’s a bit trickier.
The CLI client is called ‘smbclient’
The tool to set passwords: ‘smbpasswd’
You can also get some information with commands starting with ‘net’, for example ‘net -U username session’
testparm is another tool you can use to test that the config file – smb.conf – is not missing anything structural or in syntax.
The server is called ‘samba’.
There are more packages, for example ‘samba-doc’, samba4. You can find them by typing: ‘yum install samba*’
samba-doc installs lots of files in /usr/share/doc/samba*
- Install the packages needed to provide the service.
- yum install samba
- Configure SELinux to support the service
- getsebool -a |grep smb; getsebool -a|grep samba
- /etc/samba/smb.conf # has some information about selinux
- Configure the service to start when the system is booted.
- chkconfig samba on
- Configure the service for basic operation.
- server#: open firewall (check man smb.conf, port 445 and 139 are mentioned)
- server#: mkdir /samba; chcon -t type_in_smb_conf /samba
- server#: edit /etc/samba/smb.conf:
- copy an existing share – make it browseable and allow guest to access
- server#: service smb start
- server#: touch /samba/fileonshare
- client#: smbclient \\\\ip.to.smb.server\\share
- hit enter and it will attempt to log in as anonymous (guest)
- client#: get fileonehsare
- Configure host-based and user-based security for the service
- server#: check that ‘security = user’ in smb.conf.
- server#: add” writable = yes” or “read only = no” to the share in smb.conf
- server#: smbpasswd -a username
- server#: mkdir /samba/upload
- server#: chown username /samba/upload
- server#: chmod 777 /samba/upload
- client#: smbclient -U username \\\\ip.to.smb.server\\share
- client#: cd upload; mkdir newfolder; cd newfolder
- client#: put file
Extra
- Provide network shares to specific clients.
- things you can set on the share:
- write list = +staff
- invalid users =
- valid users =
- hosts allow = 192.168.0.0/255.255.255.0
- hosts deny =
- Provide network shares suitable for group collaboration.
- groupadd staff
- usermod -a -G staff bosse
- chown root.staff /samba/upload
- chmod 775 /samba/upload
- connect with bosse – do things,
- connect with another user – can you do things?
Red Hat Certification – RHCE – Network Services – NFS
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
- http/https
- dns
- ftp
- nfs
- smb
- smtp
- ssh
- ntp
NFS:
Testing an NFS server is generally easier from another linux-server.
- Install the packages needed to provide the service.
- yum install nfs ?? (already installed on mine)
- Configure SELinux to support the service
- getsebool -a |grep nfs
- Configure the service to start when the system is booted.
- chkconfig nfs on
- edit /etc/fstab on the client to mount on boot
- Configure the service for basic operation.
- server#: mkdir /foo
- server#: vi /etc/exports
- /foo 192.168.0.0/24(rw)
- server#: iptables – port 2049 tcp and udp
- server#: service nfs start
- client#: mount -t nfs IP:/foo /mnt
- server#: mkdir /foo/upload
- server#: chown username.username /foo/upload
- server#: chmod 777 /foo/upload
- client#: touch /mnt/upload/file2
- server#: cd /net/ip.to.server/foo
- Configure host-based and user-based security for the service
- iptables to deny hosts
- add permissions appropriately in /etc/exports
- man exports
Extra
- Provide network shares to specific clients.
- Add a new folder / line in /etc/exports and only allow certain clients to connect to it
- Provide network shares suitable for group collaboration.
- With the help of permissions. Use unix group ID number or names.
Red Hat Certification – RHCE – Network Services – FTP
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
- http/https
- dns
- ftp
- nfs
- smb
- smtp
- ssh
- ntp
FTP:
An ftp-server is also quite easy to test. You can test it from many web-browsers, telnet, ftp, lftp or a myriad of other clients.
- Install the packages needed to provide the service.
- yum install vsftpd
- Configure SELinux to support the service
- this might be more interesting, you may need to do some magic here for sharing files
- getsebool -a|grep ftp
- Configure the service to start when the system is booted.
- chkconfig vsftpd on
- Configure the service for basic operation.
- for basic – only open firewall then start the service
- that is enough for anonymous read to /var/ftp/pub/
- cp /root/anaconda-ks.cfg /var/ftp/pub/
- chmod 755 /var/ftp/pub/anaconda-ks.cfg
- Configure host-based and user-based security for the service
- iptables to deny hosts
- you can deny users by putting them in /etc/vsftpd/ftp_users and/or user_list
- in vsftpd.conf there is a tcp_wrappers variable
Extra
- Configure anonymous-only download
- Deny all other users :)
Red Hat Certification – RHCE – Network Services – DNS
1st post – System Management and Configuration
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
- http/https
- dns
- ftp
- nfs
- smb
- smtp
- ssh
- ntp
DNS:
A DNS-server is quite easy to test as well, just point a client to the IP of your local DNS server and check /var/log/messages on the DNS-server.
- Install the packages needed to provide the service.
- yum install bind
- Configure SELinux to support the service
- working from scratch, after adding new zones and things you may need to add correct context to the files
- Configure the service to start when the system is booted.
- chkconfig named on
- Configure the service for basic operation.
- /etc/named.conf
- after editing you need to restart named
- edit ‘allow-query’ and ‘listen-on port 53’ – update firewall, start named
- configure a client to use it with /etc/resolv.conf
- see examples in: /usr/share/doc/bind*/
- Configure host-based and user-based security for the service
- host-based can be done via firewall (port 53 UDP and TCP)
- host-based: allow-query { localhost; };
- but user-based??
Extra
- Configure a caching-only name server.
- This is what the default /etc/named.conf does it – (this is also stored in the /usr/shar/doc/bind*/ – but, it a good thing to try would be to try to configure this from an empty named.conf
- Configure a caching-only name server to forward DNS queries.
- Almost same config as caching-only, except for the addition of two lines:
- forward only;
- forwarders { dns.ip; dns.ip2 }
- Note: Candidates are not expected to configure master or slave name servers.
Red Hat Certification – RHCE – Network Services – httpd
1st post – System Management and Configuration
This post is about Network Services.
During all these exercises I try my hardest not to use google, as that’s not available during the exam anyway.
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service.
- Configure SELinux to support the service.
- Configure the service to start when the system is booted.
- Configure the service for basic operation.
- Configure host-based and user-based security for the service.
User should be able to do the following for all these services:
- http/https
- dns
- ftp
- nfs
- smb
- smtp
- ssh
- ntp
httpd:
- Install the packages needed to provide the service.
- yum install httpd
- Configure SELinux to support the service.
- supports by default, if changing documentroot/defaultroot use:
- chkcon -R –reference /var/www/html /var/newhtmldir
- Configure the service to start when the system is booted.
- chkconfig httpd on
- Configure the service for basic operation.
- rpm -qc httpd (find config file)
- Configure host-based and user-based security for the service
- host-based -> iptables
- user-based -> htpasswd for httpd
htpasswd
An htpasswd file contains users/passwords.
A .htaccess file points to the htpasswd
The .htaccess file is not the recommended way to set up authentication, instead you should do it in the Directory section of httpd.conf.
To get more information about httpd in general do:
yum install httpd-manual
Then surf to http://hostname/manual.
To generate a htpasswd:
[root@rhce webpages]# htpasswd -c /etc/httpd/conf/.htpasswd user New password: Re-type new password: Adding password for user user
Then add this .htaccess file:
AuthUserFile /etc/httpd/conf/.htpasswd AuthGroupFile /dev/null AuthName "Private Area" AuthType Basic AuthBasicProvider file Require user user
https
The s – means the httpd uses another port – 443 and that it uses certificates.
yum install mod_ssl
This adds /etc/httpd/conf.d/ssl.conf
That config file actually has a ‘listen’ directive for port 443.
So add that port in the firewall and restart httpd.
After that you can surf to https://ip and it will complain about the certificate (which is a default generated one).
But wait, there’s more!
Configure a virtual host.
This is can be used when you want to have several hostnames or domains on the same machine.
There’s some info in httpd.conf but there’s quite a lot in the manual via httpd-manual package.
To test this you could either put several IP addresses on the server or point several domains towards it (might be easiest, /etc/hosts). But in VMWare it’s very easy to just add another network interface.
- Add another ethernet interface on the same network as the existing one (mine is bridged behind a NAT).
- Edit /etc/hosts on a client and on the server so that ww1.example.com and ww2.example.com points to the IP addresses on the server
- Make sure /etc/nsswitch.conf has ‘files’ in the hosts row.
- If you have very narrow firewall add the new IP address.
- mkdir /var/www/ww1.example.com; mkdir /var/www/ww2.example.com; chcon -R –reference =/var/www/html /var/www/ww*
- Edit /etc/httpd/conf/httpd.conf
and add this at the end:
NameVirtualHost *:80
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/ww1.example.com
ServerName ww1.example.com
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/ww2.example.com
ServerName ww2.example.com
7. service httpd restart
Then on the client point your browser to and (add different index.html in each to make it easy to see).
Configure private directories.
I’d say this fall under the htpasswd section.
Deploy a basic CGI application.
FOSwiki for example uses CGI. Perhaps it should be a custom CGI application, like a small hello-world script.
/var/www/cgi-bin is where CGI scripts are stored by default.
A simple .cgi script is just a perl script with another extension that outputs .HTML text.
Configure group-managed content.
Group-managed. So this would be somehow using the AuthGroupFile in .htaccess?
Or could be done by creating a new directory under www-root and give specific access to this directory. That means it can be managed by a unix group, (access is a different story however).
Red Hat Certification – RHCE – System Configuration and Management
RHCE Preparation – System Configuration and Management
This is post 1 in a series of posts where I will be going through the objectives for the RHCE certifications. It builds on the initial post that has the objectives:
It appears that the objectives have been updated, at least if you compare between my post above and https://www.redhat.com/training/courses/ex300/examobjective
for example build a simple rpm is installs one package is not in the list.
I bet there are many blogs about this topic. I’m doing this quite a lot for myself, but maybe somebody else finds these useful.
This post will be about the section ‘System Configuration and Management’.
My setup: Core i7, 8GB RAM, Windows 7 x64, VMWare Workstation with CentOS installed.
Installing a fresh VM with 4 cores, 5GB RAM, virtualization and CentOS.
CentOS is a free clone of Red Hat, it’s missing some stuff (satellite for example) but it does the job for learning. You can find it in many places, for example here: http://www.nic.funet.fi/pub/Linux/INSTALL/Centos/6/isos/x86_64/
IP Routing and NAT
The part “Routing / NAT” will be tricky, as I do not have a second computer that I could use for this. Maybe I can get something working inside the virtual machines though, but for now I think I will skip these two and get straight into the other ones.
Use /proc/sys and sysctl to modify and set kernel runtime parameters.
Edit /etc/sysctl.conf
Or use sysctl -w to set it temporary
For example one is: vm.overcommit_ratio
You can then do either of these to view the current setting:
cat /proc/sys/vm/overcommit_ratio sysctl vm.overcommit_ratio
To set it temporarily:
echo "60" > /proc/sys/vm/overcommit_ratio sysctl -w vm.overcommit_ratio="50"
To set each time on boot:
echo "vm.overcommit_ratio = 50" >> /etc/sysctl.conf
Configure a system to authenticate using Kerberos.
Waiting with this. Need to set up a KDC – kerberos service first.
Build a simple RPM that packages a single file.
This appears to be a bit complicated – the details below are about as simple as this can be made. There is a lot more nifty things that you can do with an rpm.
Would be nice to have a guide of this in for example /usr/share/doc
yum install rpm-build
cd $HOME/rpmbuild
mkdir {BUILD,RPMS,SOURCES,SPECS,SRPMS}
mkdir GetIP
cd GetIP
The “program”:
cat getip.sh #!/bin/bash wget -q http://guldmyr.com/ip.php -O/tmp/ip cat /tmp/ip
chmod +x getip.sh
Make an archive and put it in the SOURCES DIR:
cd $HOME/rpmbuild tar -cf GetIP.tar.gz GetIP mv GetIP.tar.gz SOURCES/
Edit a spec-file (do this as a normal user instead of root, it will show the default entries):
cd SPECS vi sample.spec
Make it look like this:
Name:GetIP
Version:1.0
Release: 1%{?dist}
Summary: Get an IP wooop
Group: Development/Tools
License: GPL
URL: http://guldmyr.com/blog
Source0: %{name}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires:bash
Requires:bash
%description
Get an IP woop!
%prep
%setup -n GetIP
%build
%install
mkdir -p "$RPM_BUILD_ROOT/opt/GetIP"
cp -R * "$RPM_BUILD_ROOT/opt/GetIP"
%clean
rm -rf "$RPM_BUILD_ROOT"
%files
/opt/GetIP
%defattr(-,root,root,-)
%doc
%changelog
Then make an rpm:
rpmbuild -v -bb $HOME/rpmbuild/SPECS/sample.spec
Then as root:
cd /home/user/rpmbuild/RPMS/x86_64/ rpm -ivh GetIP-1.0-1.el6.x86_64.rpm
Then as normal user you can now execute the installed file:
/opt/getip/getip.sh
If you wonder about things – check this fairly unreadable blog post out.
Basically you want to use the $RPM_BUILD_ROOT in front of where you want to install the software. By default there are ‘make’, ‘configure’ and nothing in the ‘require’ entries. I removed the make, configured and just put ‘bash’ in the require entries, it seemed to do the trick though.
More info is also available on rpm.org – which recommend to use /usr/src/redhat for building packages.
Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.
Waiting with this. Need to set up an iSCSI target first.
Produce and deliver reports on system utilization (processor, memory, disk, and network).
sar -A
/etc/cron.d/sysstat
Use shell scripting to automate system maintenance tasks.
Well, this can be a lot of things and is quite hard to prepare for.
But I think a ‘for loop’ is a good thing to know about and can help with a lot of system maintenance tasks.
an input file with usernames:
[martbhell@rhce ~]$ cat /tmp/userlist bengt goran
a scriptfile:
[root@rhce ~]# cat usersndirs.sh #!/bin/sh userlist=/tmp/userlist for i in `cat $userlist`; do echo useradd $i; echo mkdir $i; done
Remove the “echo” to create the users.
Of course, you could also use the ‘newuser’ command (interactive or send a file).
This happens a lot I think: You get an idea that “hey, I can do this with a script”. But then a random amount of time later you find out that there is already a command that does this for you. That doesn’t mean the time spent is a total waste, hopefully you learned something while doing it. Maybe your script even does a better job than the new one you found.
Configure a system to log to a remote system.
syslog / rsyslog
man rsyslog.conf has an example for how to log to a remote machine
edit /etc/rsyslog.conf
add
To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). To forward it via plain tcp, prepend two at
signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the hostname.
Example:
*.* @@192.168.0.8
Set the IP to the machine that will be receiving the logs.
Configure a system to accept logging from a remote system.
So this step you may want to do before the previous step (unless you already have a working syslogd server).
You edit /etc/rsyslog.conf
and uncomment the “reception” parts (don’t forget firewall and restart service).
To test try to “su -” with the wrong password and then check in /var/log/secure on the loghost.
Create a private repository
“To create a private repository you should proceed as follows: – Install the createrepo software package – Create a <directory> where files can be shared (via FTP or HTTP) – Create a subdirectory called Packages and copy all packages to be published in Packages – run createrepo -v <directory>”
Red Hat Certification – RHCE – Skills Assessment
Just tried out the “Red Hat Skills Assessment” for RHCE.
These are apparently the ones I need to work on:
- Managing Simple Partitions and Filesystems Some Understanding
- Managing Flexible Storage with Logical Volumes Substantial Knowledge
- BASH Scripting and Tools Substantial Knowledge
- Manage System Resources Some Understanding
- Logical Volume Management Substantial Knowledge
- Centralized and Secure Storage Familiarity
- Web Server Additional Configuration Familiarity
- Basic SMTP Configuration Familiarity
- Caching-Only DNS Server Familiarity
- File Sharing with NFS Familiarity
But the assessment doesn’t say which questions I missed, so it could be that some of the ones with “Deep Understanding” I could have gotten enough answers right by guessing. Best to not answer if you don’t know so you get a better pointer at what to look at?
Update / Install Spotify 0.8.2.637 on RHEL6 x64
Previous post:
http://www.guldmyr.com/blog/how-to-update-spotify-on-rhel6-x64-native-client/
Installed spotify-client-0.8.2.637.g252b980.486-2.x86_64.rpm – this is converted from the .deb package that is downloaded from: http://repository.spotify.com/pool/non-free/s/spotify/
you convert with ‘alien’ and this command:
alien --to-rpm spotify-client_0.8.2.637.g252b980.486-1_amd64.deb
To install you need to uninstall first:
rpm -ev spotify-client rpm -ivh Downloads/Spotify/spotify-client-0.8.2.637.g252b980.486-2.x86_64.rpm error: Failed dependencies: libcef.so()(64bit) is needed by spotify-client-0.8.2.637.g252b980.486-2.x86_64 libcrypto.so.0.9.8()(64bit) is needed by spotify-client-0.8.2.637.g252b980.486-2.x86_64 libcrypto.so.0.9.8(OPENSSL_0.9.8)(64bit) is needed by spotify-client-0.8.2.637.g252b980.486-2.x86_ libssl.so.0.9.8()(64bit) is needed by spotify-client-0.8.2.637.g252b980.486-2.x86_64 libssl.so.0.9.8(OPENSSL_0.9.8)(64bit) is needed by spotify-client-0.8.2.637.g252b980.486-2.x86_64
OK, that didn’t work so well.
Install:
# rpm -ivh --nodeps Downloads/Spotify/spotify-client-0.8.2.637.g252b980.486-2.x Preparing... ########################################### [100%] 1:spotify-client ########################################### [100%]
You’ll get errors while trying to start spotify:
spotify spotify: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file
What you need to do is create symlinks:
ln -s /usr/lib64/libnss3.so /usr/lib64/libnss3.so.1d ln -s /usr/lib64/libnssutil3.so /usr/lib64/libnssutil3.so.1d ln -s /usr/lib64/libsmime3.so /usr/lib64/libsmime3.so.1d yum -y install nspr nspr-devel ln -s /usr/lib64/libplc4.so /usr/lib64/libplc4.so.0d ln -s /usr/lib64/libnspr4.so /usr/lib64/libnspr4.so.0d
However, it still crashes when I try to right-click on an app – but now it has apps :)
openstack testing day
Only one day late!
I actually started installing this on the 8th but I forgot to install it to hdd so the ‘yum update’ failed and broke the machine with I/O errors :)
Installing it in a VMWare Workstation (fedora 64-bit type, 2, cores, 4G RAM, 20G disk).
http://fedoraproject.org/wiki/Test_Day:2012-03-08_OpenStack_Test_Day
Basic Setup
1
http://fedoraproject.org/wiki/QA:Testcase_install_OpenStack_packages – No problem.
2
http://fedoraproject.org/wiki/QA:Testcase_setup_OpenStack_Nova –
Says that if you are doing this in a VM you need to “configure nova to use qemu without KVM and hardware virtualization:”. This is not true, as VMWare Workstation 8 has virtualization pass-through.
[root@localhost mart]# vgcreate nova-volumes $(sudo losetup --show -f /var/lib/nova/nova-volumes.img) No physical volume label read from /dev/loop0 Writing physical volume data to disk "/dev/loop0" Physical volume "/dev/loop0" successfully created Volume group "nova-volumes" successfully created
openstack-nova-db-setup
Gives this error, which already is reported:
Verified connectivity to MySQL. Creating 'nova' database. Asking openstack-nova to sync the databse. 2012-03-09 07:28:26 WARNING nova.utils [-] /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/versions/075_convert_bw_usage_to_store_network_id.py:49: SADeprecationWarning: useexisting is deprecated. Use extend_existing. useexisting=True) 2012-03-09 07:28:28 WARNING nova.utils [-] /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/versions/081_drop_instance_id_bw_cache.py:40: SADeprecationWarning: useexisting is deprecated. Use extend_existing. useexisting=True) Complete!
3
[root@localhost nova]# ADMIN_PASSWORD=$OS_PASSWORD openstack-keystone-sample-data The default service password has been detected. Please consider setting an actual password in environment variable SERVICE_PASSWORD
But after that it generates users.
4
No problems, should ‘glance index’ return anything at this stage?
5
No problems.
6 Add SSH keypair
No problems, just do exactly what the instructions say (don’t try to be smart and put them in .sh files for example :P).
7 Register Guest Images
At this point the wiki went down :/
[root@localhost ~]# glance add name=f16 is_public=true disk_format=qcow2 container_format=ovf copy_from=http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2 Failed to add image. Got error: Unexpected response: 500 Note: Your image metadata may still be in the registry, but the image's status will likely be 'killed'.
Yes, this is where it fall short. Manpage for clance doesn’t even have the ‘copy_from’. Maybe it could be downloaded? ‘glance index’ doesn’t work either.
[root@localhost ~]# glance index
Failed to show index. Got error:
Internal Server error: Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 336, in handle_one_response
result = self.application(self.environ, start_response)
File "/usr/lib/python2.7/site-packages/webob/dec.py", line 147, in __call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/site-packages/webob/dec.py", line 210, in call_func
return self.func(req, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/glance/common/wsgi.py", line 279, in __
response = req.get_response(self.application)
File "/usr/lib/python2.7/site-packages/webob/request.py", line 1086, in get_re
application, catch_exc_info=False)
File "/usr/lib/python2.7/site-packages/webob/request.py", line 1055, in call_a
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
valid = self._validate_claims(claims)
File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
return self._validate_claims(claims, False)
File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
self.admin_password)
File "/usr/lib/python2.7/site-packages/keystone/middleware/auth_token.py", lin
return json.loads(data)["access"]["token"]["id"]
File "/usr/lib64/python2.7/json/__init__.py", line 326, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python2.7/json/decoder.py", line 384, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[root@localhost ~]# cd images/
[root@localhost images]# ls
aki-tty ami-tty ari-tty
[root@localhost images]# http://berrange.fedorapeople.org/images/2012-02-29/f16- x86_64-openstack-sda.qcow2^C
[root@localhost images]# glance add name=aki-tty is_public=true container_format =aki disk_format=aki < aki-tty/image
=================================================[100%] 7.79M/s, ETA 0h 0m 0s
=[ 2%] 1.25M/s, ETA 0h 0m 3s Failed to add image. Got error:
You are not authorized to complete this action.
Details: 401 Unauthorized
This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or yo ur browser does not understand how to supply the credentials required.
Note: Your image metadata may still be in the registry, but the image's status w =================================================[100%] 20.9M/s, ETA 0h 0m 0s
[root@localhost images]#
Stuck!
password when starting a linux server in single-user mode
http://www.cromwell-intl.com/unix/linux-break-in-howto.html
On RHEL 6.2-based systems (like Scientific Linux 6.2):
edit /etc/sysconfig/init
# Set to ‘/sbin/sulogin’ to prompt for password on single-user mode
# Set to ‘/sbin/sushell’ otherwise
Like this:
SINGLE=/sbin/sulogin
Then if you add an ‘s’ to the grub entry when the server boots it will ask you for a password , or hit ctrl-d. Ctrl-d makes the server enter normal boot (telinit *).
Should all linux machines be installed this way? To me this sounds like a definite deal, especially if you have the console physically or remotely accessible.
CentOS 5.8 Released
CentOS 5.8 was released today 8th of March.
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.8
You can download it from many mirrors, for example from FUNET: http://ftp.funet.fi/pub/Linux/INSTALL/Centos/
It installs just fine on an HP DL360 G7 with P410 and P411 controller.
CentOS has as far as I understand been slower at releasing updates than Scientific Linux (for example 6.2 was out 5 days earlier on SLC than on CentOS), this was not the case today though, SLC 5.8 is not available yet. Why?
Compare release dates here:
http://en.wikipedia.org/wiki/CentOS#Release_history
http://en.wikipedia.org/wiki/Scientific_linux#Release_history
How to find things in Linux man pages
There’s a couple of places (naturally).
It’s easy to be fooled and think: “anybody can type man man”. But in all fairness, you need to figure out which man page to look into, or what command to run and sometimes it’s just a blank.
In RHEL there is /usr/share/doc where there are some special places, for example /usr/share/doc/initscripts*/sysconfig.txt for all config files that relate to the boot-up process.
There is also /usr/share/man. In /usr/share/man/man5 which has all the level 5 man pages in gzip format. For example “man 5 yum.conf” you can find in /usr/share/man/man5/yum.conf.5.gz.
To open a man page you just type ‘man yum’. To get the man page for yum, or ‘man man’ for the manual for man.
To search through man-pages you can use either of these (they are the same):
man -k yum apropos yum
While inside a man-page you can search by typing:
/
and then what you want to search for
and then ENTER.
Like this: /priority
This will hilight all the matched entries, you move to the next match with ‘n’.
This might differ between operating systems, it depends on which viewer is used to present the man page.
Sometimes these don’t find what you are looking for.
In that case you could manually move into /usr/share/man/man5 and hit:
zgrep priority *
to grep through the gzip files looking for any entries that says ‘priority’.
or, if you want to you could use this to search through all directories:
find . -name "*"|xargs zgrep -i priority
or even better (if you’re not looking for a language specific man page):
find /usr/share/man* -name "*"|xargs zgrep -i gpgcheck
These are all relatively slow though, if you read this and have any suggestions please let me know :)
Red Hat Certification – RHCSA – Exam Results
I just received the EXAM results. This was on Sunday at around 1500 Finnish time. About three days after I took the exam, these guys must be working on the weekend to check the results!
Result: 300/300!
Red Hat Certification – RHCE – Preparation
Wow, there’s lots of it in there.
Some of it is about networking and a lot about individual services.
I haven’t actually planned to go get the exam soon, but I think just going through these objectives will make me better at Linux. Anyway, if I pass the RHCE, that extends the RHCSA expiration automagically.
This is going to take a while to do. I will update this post as I progress through the sections.
This is a copy of the objectives from https://www.redhat.com/certification/rhce/objectives/
System Configuration and Management
Routing / NAT
- Route IP traffic and create static routes
- Use iptables to implement packet filtering and configure network address translation (NAT)
For the two above I think I need to use another machine. Maybe the IBM T40 could be of some use again. Install SLC via USB maybe! /2011 12 18: update: Nope, T40 didn’t like booting like that. So, booting via DVD instead. But, maybe I can boot via the small CD and then load the files off of an NFS-server instead. Turns out the CPU in my laptop does not have PAE and thus cannot install anything after RHEL5(possibly) with the default isos. There is a guide on scientificlinux.com that tells you how to do it via a fedora netinstall iso.
Other
- Use /proc/sys and sysctl to modify and set kernel run-time parameters
- Configure system to authenticate using Kerberos
- Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
- Produce and deliver reports on system utilization (processor, memory, disk, and network)
- Use shell scripting to automate system maintenance tasks
rsyslog
- Configure a system to log to a remote system
- Configure a system to accept logging from a remote system
Network Services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
- Install the packages needed to provide the service
- Configure SELinux to support the service
- Configure the service to start when the system is booted
- Configure the service for basic operation
- Configure host-based and user-based security for the service
RHCE candidates should also be capable of meeting the following objectives associated with specific services:
HTTP/HTTPS
- Configure a virtual host
- Configure private directories
- Deploy a basic CGI application
- Configure group-managed content
DNS
- Configure a caching-only name server
- Configure a caching-only name server to forward DNS queries
- Note: Candidates are not expected to configure master or slave name servers
FTP
- Configure anonymous-only download
NFS
- Provide network shares to specific clients
- Provide network shares suitable for group collaboration
SMB
- Provide network shares to specific clients
- Provide network shares suitable for group collaboration
SMTP
- Configure a mail transfer agent (MTA) to accept inbound email from other systems
- Configure an MTA to forward (relay) email through a smart host
SSH
- Configure key-based authentication
- Configure additional options described in documentation
RHCSA – Rapid Track – Day 5 – Exam
Just did the exam.
Not bad at all, I really enjoyed this hands-on exam.
Great way to test someone’s skills, although I thought it would be harder. But maybe I got lucky with the tasks.
I believe this RHCSA Rapid Track (along with My Own Preparation ™) and learning how to work inside a terminal/console is enough.
Can’t wait until next week to find out how it went!
RHCSA – Rapid Track – Day 4
Last day!
A little more kickstarting, LVM – logical volume management and File ACL.
Then a rehearse of the previous chapters.
Feeling a bit excited about tomorrow!
These ACL were a bit more complex than I thought, but they could be made very complicated if you want to. But there’s the default ACL and then there’s the normal ones. Chmod +s for sticky bits.
Also got a 4GB USB pen that does about 4.4MB/s :p
Some important ones:
mount -o remount,rw / /usr/share/doc/initscripts*/sysconfig.txt kernel-doc package and /usr/share/doc/kernel-* rpm -qd; rpm -qc
Some important but not importantest:
getsebool -a setsebool -P usermod -a sssd - service that caches authentication stuff
Automounter
/etc/auto.master ->
/home/guests /etc/auto.guests
/etc/auto.guests ->
* -rw nfsserver:/path/to/mount/on/home/guests/&
If on nfsserver there is an nfsshare that is: /path/to/mount/on/home/guests/
and in there you have home directories for users. Then this will automount these directories when anybody tries to access them. Same concept as doing:
ls /net/nameofnfsserver/
