Tag Archives: ssh

Taking puppet-ghostbuster for a spin

We use puppet at $dayjob to configure OpenStack.

I wanted to know if there’s a lot of unused code in our manifests!

**From left of stage enters: https://github.com/camptocamp/puppet-ghostbuster**

Step one is to install the puppet modules and gems and whatnot, this blog post was good about that: https://codingbee.net/puppet/puppet-identifying-dead-puppet-code-using-puppet-ghostbuster

Next I needed to get the HTTP forwarding of the PuppetDB working; this can apparently (I learnt about ssh -J) be done with:

ssh -J jumphost.example.org INTERNALIPOFPUPPETMASTER -L 8081:localhost:8080

(-J is ProxyJump and needs OpenSSH 7.3 or newer on the client. 8080 is PuppetDB's plain HTTP port, which PuppetDB by default only listens on locally, so the forward is what makes it reachable from your machine. Add -N if you want the tunnel without a shell on the master.)

Then set the variables ghostbuster reads, pointing it at the forwarded PuppetDB and at a hiera.yaml (export them; puppet-lint runs as a child process and will not see plain shell assignments):

export PUPPETDB_URL=http://localhost:8081
export HIERA_YAML=/tmp/hiera.yaml

Unsure if the hiera.yaml works; I just copied it in from the puppetmaster.

Then run it:

find . -type f -name '*.pp' -exec puppet-lint --only-checks ghostbuster_classes,ghostbuster_defines,ghostbuster_facts,ghostbuster_files,ghostbuster_functions,ghostbuster_hiera_files,ghostbuster_templates,ghostbuster_types {} + | grep OURMODULE

Got some output! Are they correct?

./modules/OURMODULE/manifests/profile/apache.pp - WARNING: Class OURMODULE::Profile::Apache seems unused on line 6

But actually we have a role that contains:

class { 'OURMODULE::profile::apache': }

So I'm not sure what is up. But if I don't run all the ghostbuster checks and instead skip the ghostbuster_classes test, I get a lot fewer warnings for our module.
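Before trusting the class warning it is worth asking PuppetDB the same question yourself, since PuppetDB is what ghostbuster is wired up to. The script below is an added example, not something from this post or from puppet-ghostbuster: it assumes the port forward above is up and that PUPPETDB_URL points at PuppetDB's HTTP API, and the class name and node names in its sample response are made up. That the plugin's class check consults the resources endpoint is my assumption, not something verified against its source.

```shell
#!/bin/sh
# Added example: query PuppetDB's v4 API for Class resources by title.
# Assumes the ssh port-forward is in place; PUPPETDB_URL, the class name and
# the certnames below are assumptions / constructed data, not from the post.

: "${PUPPETDB_URL:=http://localhost:8081}"

# pdb_class_title NAME: the title form catalogs store for a class
# ("ourmodule::profile::apache" -> "Ourmodule::Profile::Apache").
pdb_class_title() {
    printf '%s\n' "$1" | awk -F'::' 'BEGIN { OFS = "::" } {
        for (i = 1; i <= NF; i++) $i = toupper(substr($i, 1, 1)) substr($i, 2)
        print
    }'
}

# pdb_class_query TITLE: PuppetDB v4 AST query for Class resources with TITLE.
pdb_class_query() {
    printf '["and", ["=", "type", "Class"], ["=", "title", "%s"]]' "$1"
}

# certnames_from_json: extract every "certname" value from the JSON array on
# stdin, one per line, deduplicated.  A regex pass is enough for the resources
# endpoint's flat output; prefer jq -r '.[].certname' where jq is available.
certnames_from_json() {
    tr ',' '\n' | sed -n 's/.*"certname" *: *"\([^"]*\)".*/\1/p' | sort -u
}

# pdb_class_certnames NAME: nodes whose stored catalog declares the class.
# Empty output is exactly the situation in which "seems unused" appears even
# though a role declares the class: PuppetDB only holds catalogs compiled for
# nodes that have actually checked in, so a role nobody runs leaves no trace.
pdb_class_certnames() {
    curl -sS -G "$PUPPETDB_URL/pdb/query/v4/resources" \
        --data-urlencode "query=$(pdb_class_query "$(pdb_class_title "$1")")" |
        certnames_from_json
}

# Constructed sample of what the resources endpoint returns, so the parsing
# can be exercised without a PuppetDB at hand.
SAMPLE_RESPONSE='[{"certname":"web1.example.org","type":"Class","title":"Ourmodule::Profile::Apache","tags":["class","ourmodule::profile::apache"]},{"certname":"web2.example.org","type":"Class","title":"Ourmodule::Profile::Apache","tags":["class"]}]'

printf '%s\n' "$SAMPLE_RESPONSE" | certnames_from_json
# Against the live forward:  pdb_class_certnames ourmodule::profile::apache
```

If the live query comes back empty for a class you know a role declares, the warning is telling you about what is deployed, not about what is written: no node whose catalog sits in PuppetDB currently gets that role.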

/modules/OURMODULE/manifests/profile/keystone/user.pp - WARNING: Define OURMODULE::Profile::Keystone::User seems unused on line 2

Looking in that one, we have an OURMODULE::profile::keystone::user define which calls keystone_user and keystone_user_role. We do call it, but like this:

OURMODULE::Profile::Keystone::User <| title == 'barbican' |>

Or in this other place:

create_resources(OURMODULE::profile::keystone::user, $users)

Let's look at the next one, which was also a create_resources. Meh. Same same. And if I skip ghostbuster_defines? No errors :) Well, it was worth a shot. Some googling on the topic hints that it might not be possible with the way puppet works.

Red Hat Certification – RHCE – Network Services – ssh

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

For each of these services you should be able to do all of the above. First up:

SSH:

To test from Windows you can use PuTTY.

On Linux you just need ssh for the client and sshd for the server.

See man 5 sshd_config; this blog post also gives an overview.

  • Install the packages needed to provide the service.
    • yum install openssh-server openssh-clients (the bare openssh package only carries the shared parts such as ssh-keygen; it does not give you sshd)
  • Configure SELinux to support the service
    • getsebool -a|grep ssh
    • if you move sshd off port 22, tell SELinux about the new port first: semanage port -a -t ssh_port_t -p tcp 2222 (semanage comes from policycoreutils-python)
  • Configure the service to start when the system is booted.
    • chkconfig sshd on
  • Configure the service for basic operation.
    • /etc/ssh/sshd_config, then sshd -t to syntax-check it before service sshd restart
  • Configure host-based and user-based security for the service
    • iptables
      • port 22 (TCP)
    • TCP wrappers (/etc/hosts.allow and /etc/hosts.deny, see below)
    • user-based: AllowUsers, AllowGroups, DenyUsers and DenyGroups in sshd_config

TCP Wrapper

More info in man tcpd and man 5 hosts_access.

Check that your daemon supports it. sshd on RHEL 5 and 6 is linked against libwrap; OpenSSH dropped TCP wrappers support in 6.7 and RHEL 8 no longer ships tcp_wrappers at all, so there you use firewalld or sshd's own Match Address blocks instead.

which sshd
ldd /usr/sbin/sshd|grep wrap

For this test, let's say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24.

cat /etc/hosts.allow

sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH

The last row replaces sshd with /bin/echo for any client that did not match an earlier line, so a client from a non-allowed network sees DEATH and the connection closes. Order matters: tcpd takes the first matching rule in hosts.allow, so this catch-all has to stay last.

cat /etc/hosts.deny

ALL: ALL

With hosts.allow already ending in sshd: ALL, sshd never gets as far as hosts.deny; the ALL: ALL line is what closes every other wrapped service.

If you, on the server with these settings, try "ssh -v root@localhost" or "ssh -v root@192.168.1.1", you'll get the message from twist: the connection comes from 127.0.0.1 or 192.168.1.1, and neither is in 192.168.0.0/24.

If you in hosts.allow add (above the twist line):

sshd: KNOWN

you can log on from localhost, but not if you add "LOCAL" instead. KNOWN matches a client whose name and address both resolve, which localhost does. The likely reason LOCAL does not is that it only matches names without a dot, and on RHEL the reverse lookup of 127.0.0.1 gives localhost.localdomain (the first name on the 127.0.0.1 line in /etc/hosts), which has one.

If you add (again above the twist line)

sshd: 192.168.1.

you can log on from localhost to the public IP of the server, because a connection to 192.168.1.1 leaves from 192.168.1.1 and the trailing dot makes the pattern a prefix match on the address.
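To see the first-match rule at work on exactly the rules above, here is a small evaluator I added; it is not tcpd and not from the original post. It handles only the pattern forms used on this page (ALL, a trailing-dot prefix, net/mask) and the twist option, and its hosts.allow/hosts.deny contents are constructed copies of the ones shown. On a real box, tcpdmatch sshd 192.168.1.1 from the tcp_wrappers package gives the authoritative answer.

```shell
#!/bin/sh
# Added example, not part of the post: a minimal hosts_access(5) evaluator
# showing how tcpd decides on the rules above.  Not tcpd itself: hostnames,
# LOCAL, KNOWN and spawn are left out; only ALL, "192.168.1."-style prefixes,
# net/mask patterns and the twist option are implemented.

ip2int() {            # dotted quad -> 32-bit integer
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# pattern_matches PATTERN ADDR: succeeds when ADDR fits PATTERN
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        */*) _m=$(ip2int "${1#*/}")                                 # net/mask
             [ $(( $(ip2int "$2") & $_m )) -eq $(( $(ip2int "${1%/*}") & $_m )) ] ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # "192.168.1." prefix
        *)   [ "$1" = "$2" ] ;;                                     # literal address
    esac
}

# first_match DAEMON ADDR FILE: prints the option field ("-" if none) of the
# first rule in FILE matching both daemon and client; status 1 if none.
# A missing file counts as empty, as it does for tcpd.
first_match() {
    [ -f "$3" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}
        case $_line in *:*) ;; *) continue ;; esac
        _dm=0
        for _d in $(printf '%s' "$_line" | cut -d: -f1 | tr ',' ' '); do
            if [ "$_d" = ALL ] || [ "$_d" = "$1" ]; then _dm=1; fi
        done
        [ "$_dm" -eq 1 ] || continue
        for _c in $(printf '%s' "$_line" | cut -d: -f2 | tr ',' ' '); do
            if pattern_matches "$_c" "$2"; then
                _opt=$(printf '%s' "$_line" | cut -d: -f3- | sed 's/^ *//; s/ *$//')
                echo "${_opt:--}"
                return 0
            fi
        done
    done < "$3"
    return 1
}

# hosts_access DAEMON ADDR ALLOWFILE DENYFILE: hosts.allow is consulted first,
# then hosts.deny; the first matching rule wins; no match anywhere = allow.
hosts_access() {
    if _o=$(first_match "$1" "$2" "$3"); then
        case $_o in
            twist\ *) echo "twist: ${_o#twist }" ;;   # service replaced by the command
            *)        echo allow ;;
        esac
    elif first_match "$1" "$2" "$4" >/dev/null; then
        echo deny
    else
        echo allow
    fi
}

# Constructed fixtures reproducing the rules from this post.
FIX=$(mktemp -d)
printf 'sshd: 192.168.0.0/255.255.255.0\nsshd: ALL : twist /bin/echo DEATH\n' > "$FIX/hosts.allow"
printf 'ALL: ALL\n' > "$FIX/hosts.deny"
# The "192.168.1." rule has to sit ABOVE "sshd: ALL"; placed below it, it is never reached.
printf 'sshd: 192.168.0.0/255.255.255.0\nsshd: 192.168.1.\nsshd: ALL : twist /bin/echo DEATH\n' > "$FIX/hosts.allow.prefix"

for c in 192.168.0.5 127.0.0.1 192.168.1.1; do
    printf '%-12s %s\n' "$c" "$(hosts_access sshd "$c" "$FIX/hosts.allow" "$FIX/hosts.deny")"
done
```

The loop prints allow for 192.168.0.5 and the twist command for both 127.0.0.1 and 192.168.1.1, which is what the ssh -v tests above showed; swap in hosts.allow.prefix and 192.168.1.1 becomes allow, while a daemon the allow file never names (say vsftpd) falls through to the ALL: ALL in hosts.deny.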

Extra

  • Configure key-based authentication.
    • ssh-keygen (for example ssh-keygen -t rsa -b 4096; the private key stays on the client)
    • ssh-copy-id user@host
    • ssh user@host, and make sure it no longer asks for the account password before going further
    • set PasswordAuthentication to no in sshd_config, and ChallengeResponseAuthentication to no as well: with UsePAM yes, keyboard-interactive would otherwise still let PAM prompt for the password
    • sshd -t, then service sshd restart, keeping your current session open until a fresh key login works
    • if key login fails with StrictModes on, check that ~/.ssh and ~/.ssh/authorized_keys on the server are owned by the user and not group/world writable
  • Configure additional options described in documentation.
    • many things can be done, see "man 5 sshd_config"
    • ChrootDirectory looks quite cool but requires a bit of work: every component of the chroot path must be owned by root and writable by nobody else, and unless you only use ForceCommand internal-sftp the chroot has to contain the shell and libraries the user needs
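The steps above carried out on a copy of sshd_config, as an added example rather than code from the post. It applies the settings the way sshd reads them (the first active occurrence of a keyword wins) and includes the ChallengeResponseAuthentication trap; the config excerpt and the backup user in its Match block are constructed, while the keywords are real sshd_config(5) ones.

```shell
#!/bin/sh
# Added example, not from the post: switch a COPY of sshd_config to key-only
# authentication the way sshd will actually read it.  Keyword names are real
# sshd_config(5) keywords; the config excerpt below is constructed.

# sshd_effective FILE KEYWORD: the value sshd uses for KEYWORD.  sshd takes the
# FIRST active occurrence and ignores later ones, so appending a line at the
# bottom does not override an earlier setting.  Values under a Match block only
# apply conditionally, so the scan stops there.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        NF < 2 || $1 ~ /^#/    { next }
        tolower($1) == k       { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE: make "KEYWORD VALUE" the effective global setting.
# The first active occurrence is rewritten in place, later duplicates dropped,
# and if there was none the line goes in before any Match block (or at the end).
# Commented-out lines are left alone.
sshd_set() {
    _tmp=$(mktemp)
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v new="$2 $3" '
        function emit() { if (!done) { print new; done = 1 } }
        !inmatch && tolower($1) == "match"                    { emit(); inmatch = 1 }
        !inmatch && NF >= 2 && $1 !~ /^#/ && tolower($1) == k { emit(); next }
        { print }
        END { emit() }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1" && rm -f "$_tmp"
}

# harden_for_keys FILE: what the checklist boils down to.  PasswordAuthentication
# no alone is not enough on RHEL: with UsePAM yes, keyboard-interactive (PAM)
# still prompts for the password unless ChallengeResponseAuthentication is off.
harden_for_keys() {
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no
}

# Constructed excerpt standing in for /etc/ssh/sshd_config, with a Match block
# that must survive untouched.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
Protocol 2
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

# The append pitfall: a second PasswordAuthentication line does not win.
NAIVE=$(mktemp)
printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$NAIVE"

harden_for_keys "$CFG"
for k in PubkeyAuthentication PasswordAuthentication ChallengeResponseAuthentication; do
    printf '%-32s %s\n' "$k" "$(sshd_effective "$CFG" "$k")"
done
# On the real file, check and reload:  sshd -t && service sshd restart
```

On OpenSSH 8.7 and later the keyword is called KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias. Whatever the version, run sshd -t against the real file before restarting and do it from a second session, so a typo does not lock you out.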

RHEL and web-server

Another thing you will notice if you are used to Debian is that RHEL has iptables enabled by default.

To alter it you use the 'iptables' command. It is quite complex and there are good guides out there.

If you just want to let http and ssh through you can run this (-I ... 3 inserts as rule 3 of RHEL's RH-Firewall-1-INPUT chain, ahead of the chain's closing REJECT; the second insert lands above the first):

iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

Check the result with iptables -L RH-Firewall-1-INPUT -n --line-numbers, and run service iptables save so the rules survive a reboot; until they are written to /etc/sysconfig/iptables they only exist in kernel memory.

You do not have to change anything in the httpd configuration (httpd is the Apache HTTP Server) to get pages served: yum install httpd, chkconfig httpd on, service httpd start, then point your browser at the server. The document root is by default: /var/www/html

Red Hat Enterprise Linux(RHEL) in VMWare Workstation

Test with Red Hat Enterprise Linux (RHEL).

Download: Sign up for an evaluation on https://access.redhat.com/downloads/

rhel-server-5.6-x86_64-disc1.iso

VMWare Workstation does find this in “easy install”. Not doing that this time.

20 GB disk (default) and 1552 MB RAM (default 1024 MB)

  1. install in either graphical or text mode, going with graphical. There are also special modes. Maybe something similar to Ubuntu’s minimal virtual kernel is available?
  2. test cd
  3. Mouse works!
  4. Get subscription number with the help of this: https://access.redhat.com/kb/docs/DOC-15404. Copy paste did not work.
  5. Filesystem stuff. Modify or not. Encrypt or not. I went with default and encryption. For encryption you need to set a boot password (min 8 chars).
  6. IP/Timezone settings.
  7. root password (not min 8 chars)
  8. software sets – software development, virtualization, web server. I went with the two last. You can also customize it deeper. Like: gnome/kde? Printing support? Samba? I chose web server but mysql was not selected, nor the php-mysql plugin for apache. Virtualization is Xen – openfabrics enterprise distribution for RDMA/infiniband stuff.
  9. cool stuff found: iptraf, hwbrowser, vnc
  10. /root/install.log for install .. log.
  11. After this it says that it will require all cds.. but I want to download them instead. How? proceeding anyway, let’s see what happens. Maybe it gives the opportunity to download instead. Googling in the meantime. Doesn’t look good. One way to do it would be to put the CDS/dvd on a network/http server in your LAN. But it does not mention a public repository etc.
  12. Formatting, then installing. It asks for CD2. No other buttons. Getting DVD instead. rhel-server-5.6-x86_64-dvd.iso
  13. DVD went fine, nothing after this, just reboot.

Booting

  1. Insert LUKS password – the encryption password you entered before.
  2. IPv6 failed during first boot.
  3. Also some kind of disk monitoring.
  4. Then a little configuration! This is nice. In ubuntu/debian it just goes into the system with a bunch of default settings.
  5. Like firewall, enabled/disabled. Trusted services.
  6. SELinux – ‘improved’ security controls, enforcing/permissive/disabled. Keeping default: enforcing.
  7. no kdump
  8. NTP! Enabling this, using default ntp servers (0.rhel.pool.ntp.org) and disabling ‘use local time source’. This part contacts the NTP server during install, which worked, so that looks good.
  9. Connect to RHN. Said yes. Takes a long time to register? no contact. Trying this later.
  10. Set up a new user. You can use kerberos or NIS too from here.
  11. Insert additional CDS
  12. Login prompt!

After login

  1. VM -> Install VMWare Tools – I want to use “Unity” in Red Hat. I’ve used it for Windows XP (had a guest os for work) and it was great.
  2. Right-click the tarball and ‘extract to’. You need to have root access when you run it. So open a terminal and type ‘su -‘ – this will give you the root prompt.
  3. Then go to where you extracted it. ./vmware-install.pl.
  4. Gives message that I apparently am running a Xen kernel and that this is not supported. Trying anyway. Answering yes as default on the questions.
  5. Install was successful, opening configuration tool. Some green ‘OK’ s.
  6. Before we can compile we need to have make and gcc installed. It also asks for kernel headers that it couldn’t find. Going with the default “” on that.
  7. memory manager, vmhgfs (filesystem driver for shared folders), vmxnet (fast ethernet), vmblock (drag ‘n’ drop), communication service, vsock, vmxnet3 (virtual network card), pvscsi,  – not installed because no compilation software like make/gcc installed.
  8. x configuration, host resolution found but vm resolutions max at 800×600!?
  9. restarting and it said good stuff, but unity does not work and resolution cannot be changed above 800×600.
  10. accessing via ssh works fine too