RH7/Centos7 – umask – setuid – setguid

UMASK
By default the OS wants to create files with a permission of 666 and directories with permission of 777.
The umask configuration of a US determines the final default permissions given to a file and directory upon creation.

The umask numerical value of lets say 002 stands for 0=u 0=g 2=o

So if you want to find the default permission given to the creation of a file then you will need to subtract 666-002=664 and for a directory 777-002=775

SETUID and SETGUID
To give elevated temporary privileges to a file you can use the SETUID by issuing the chmod command in the following way.

 
[gmastrokostas@desktop ~]$ chmod 4755 index.html 
[gmastrokostas@desktop ~]$ ll index.html 
-rwsr-xr-x. 1 gmastrokostas gmastrokostas 53310 Oct 11 02:51 index.html
[gmastrokostas@desktop ~]$ chmod 2755 index.html 
[gmastrokostas@desktop ~]$ ll index.html 
-rwxr-sr-x. 1 gmastrokostas gmastrokostas 53310 Oct 11 02:51 index.html
Share Button

virt-install examples

Create VM using a local ISO – No kickstart file

virt-install \
--name=centos7test \ 
--ram=1024 \
--disk path=/var/lib/libvirt/images/centos7.qcow2,size=8 \
--vcpus=1 \
--os-type=linux \
--os-variant=rhl7 \
--network bridge=virbr0 \
--console pty,target_type=serial \
--nographics \
--location /root/isos/CentOS-7-x86_64-Everything-1708.iso \
--extra-args=console=ttyS0; 

Create VM using a kickstart file via HTTPD

 virt-install \
--name=centos7test \
--ram=1024 \ 
--disk path=/var/lib/libvirt/images/centos7.qcow2,size=8 \
--vcpus=1 \
--os-type=linux \
--os-variant=rhl7 \
--network bridge=virbr0 \ 
--console pty,target_type=serial  \
--nographics \
--location /root/isos/CentOS-7-x86_64-Everything-1708.iso \
--extra-args="console=ttyS0, ks=http://192.168.0.2/test.cfg"; 

Important note for the Kistarst file via HTTPD
Provided you speficy the http location of the kickstart file in the virt-install command, in the kickstart file as source installation you should use the following entry.

#Install source
cdrom
Share Button

GRUB2 – RH/Centos7

Interrupt Boot process to gain access to a system to change password

  1. When Grub appears press E
  2. At the end of the image entry enter “rd.break
  3. Press Ctrl-x
  4. You will now boot into init RAM FS.
  5. Mount the sysroot directory  “mount -oremount,rw /sysroot/
  6. Change root into sysroot “chroot /sysroot/
  7. Change root password “passwd” 
  8. If SELInux is enabled you will need to re-label all files by creating file in the / directory of sysroot called .autorelabel
  9. Exit.

How to boot to a different targets
During boot when Grub2 appears press e and at the end of the image enter one of the following:
systemd.unit=multi-user.target” or “systemd.unit=emergency.target

General Settings of GRUB2

The file you are interested in is /etc/default/grub. You can edit this file but you will have to run the following command in order for the changes to take affect.

grub2-mkconfig -o /boot/grub2/grub.cfg

To get the list of the kernels displayed at boot time, type:

grep ^menuentry /boot/grub2/grub.cfg

To permanently define the kernel to execute at boot time

grub2-set-default 0
Share Button

virsh – Manage VMs

List all VMs

virst list --all

[root@desktop ~]# virsh list --all
Id Name State
----------------------------------------------------
- centos7.0 shut off
- centos7.0-2 shut off

Create a snapshot

virsh snapshot-create-as --domain centos7.0-2 \
> -- name "Testing"\
> -- description "Testing stuff"\
> -- live

List any snapshots of a VM

virsh snapshot-list --domain centos7.0-2
Name Creation Time State
------------------------------------------------------------
testing--description 2017-10-22 15:35:40 -0400 shutoff

Revert to a snapshot

virsh snapshot-revert centos7.0-2  testing--description

Power up/off a VM

virsh start/shutdown centos7.0-2 

Find IP of VM By using the MAC address

[root@desktop ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   28:56:5a:e9:3a:0b   C                     enp5s0
192.168.0.8              ether   74:2f:68:f7:32:0e   C                     enp5s0
192.168.124.148          ether   52:54:00:27:86:b6   C                     virbr0
192.168.0.5              ether   70:85:c2:29:cf:a3   C                     enp5s0
192.168.0.4              ether   d0:50:99:09:38:63   C                     enp5s0

[root@desktop ~]# virsh domiflist centos7.0-2
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      network    default    virtio      52:54:00:27:86:b6

Enable/Disable Auto Start of guest upon boot

[root@desktop ~]# virsh autostart centos7.0-2 
Domain centos7.0-2 marked as autostarted

[root@desktop ~]# virsh autostart centos7.0-2  --disable
Domain centos7.0-2 unmarked as autostarted


Share Button

Centos 7 – Part 5 – HAproxy systemctl script

vi /etc/systemd/system/haproxy
[Service]
ExecStart=/usr/sbin/haproxy
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=haproxy
User=root
Group=root
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target
systemctl enable haproxy
Share Button

Centos 7 – Part 4 – HAProxy Standby with SSL support combined with NGINX Load Balancing

These instructions expand on the previous post. The previous post shows how to implement HAPROXY with SSL in front of two NGINX load balancers with NGINX servers having Fail Over enabled.  This post will show how to create add another HAPROXY server in order to have fail over enabled,

As explained on the previous post, HAPROXY and keepalived needs to be installed.

HAProxy

Configure HAProxy.

The configuration file for server HAPROXY2 is the same as with the configuration file with server HAPROXY1, minus of course the IP address that we bind. Important: You must copy the ssl certificate files from HAPROXY1 to HAPROXY2 server under the directory specified in the config file.

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 debug
        maxconn   45000 # Total Max Connections.
        daemon
        nbproc      1 # Number of processing cores.
defaults
        timeout server 86400000
        timeout connect 86400000
        timeout client 86400000
        timeout queue   1000s

frontend https_frontend
  bind 10.0.0.53:443 ssl crt /etc/ssl/haproxy1.sfentona.lol/haproxy1.pem
  mode http
  option httpclose
  option forwardfor
  reqadd X-Forwarded-Proto:\ https
  default_backend web_server

backend web_server
  mode http
  balance roundrobin
  cookie SERVERID insert indirect nocache
  server wordpressvirtip 10.0.0.44:80

Configure Keepalived

Keep in mind that we already have keepalived running for the two NGINX load balancers. We have designated them in the keepalived.cfg as virtual_router_id 51. For the HAproxy servers we are going to assign them a different id. Servers HAPROXY1 and HAPROXY2 will now be designated as virtual_router_id 52 .

Keepalived config file for HAPROXY1

vrrp_script chk_haproxy {           # Requires keepalived-1.1.13
script "killall -0 haproxy"     # cheaper than pidof
interval 2                      # check every 2 seconds
weight 2                        # add 2 points of prio if OK
}
vrrp_instance VI_1 {
interface ens192
state MASTER
virtual_router_id 52
priority 101                    # 101 on master, 100 on backup
virtual_ipaddress {
10.0.0.54
}
track_script {
chk_haproxy
}
}

Keepalived config file for HAPROXY2

vrrp_script chk_haproxy {           # Requires keepalived-1.1.13
script "killall -0 haproxy"     # cheaper than pidof
interval 2                      # check every 2 seconds
weight 2                        # add 2 points of prio if OK
}
vrrp_instance VI_1 {
interface ens192
state MASTER
virtual_router_id 52
priority 100                    # 101 on master, 100 on backup
virtual_ipaddress {
10.0.0.54
}
track_script {
chk_haproxy
}
}

Configure your Firewall
The following IPTABLE rules should be running on both HAPROXY1 and HAPROXY2. Copy and paste the following rules in a text file and import them to your firewall table.

# Generated by iptables-save v1.4.21 on Thu Oct  8 15:18:59 2015
*filter
:INPUT ACCEPT [26988:2784395]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35111:2263400]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
-A INPUT -d 224.0.0.0/8 -j ACCEPT
COMMIT
# Completed on Thu Oct  8 15:18:59 2015
iptables-restore < /root/firewall.fw
Share Button

Centos 7 – Part 3 – HAProxy with SSL support combined with NGINX Load Balancing

In the previous post instructions were given on how to create a HAProxy combined with NGINX Load Balancing. However that particular setup did not support SSL. These instructions will implement SSL support at the HAProxy server. The NGINX servers receive SSL traffic but the connection between the NGINX servers and the Apache web servers are with out SSL. It should be noted the ability to login the actual IPs of visitors is not lost with the implementation of SSL.

The difference here is that in the haproxy config file we specify the use of SSL and we no longer use the “listen” section like we did with out the use of SSL in the previous post.

nginx-HA

Generate the SSL certificate.

openssl genrsa -out haproxy1.key  1024
openssl  req -new -key haproxy1.key  -out haproxy1.csr
openssl ca -policy policy_anything -in haproxy1.csr  -out haproxy1.crt
openssl x509 -req -days 365 -in  haproxy1.csr  -signkey haproxy1.key  -out haproxy1.cr
cat haproxy1.crt haproxy1.key |   tee haproxy1.pem

 

Configure HAPROXY

vi /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 debug
        maxconn   45000 # Total Max Connections.
        daemon
        nbproc      1 # Number of processing cores.
defaults
        timeout server 86400000
        timeout connect 86400000
        timeout client 86400000
        timeout queue   1000s

frontend https_frontend
  bind 10.0.0.52:443 ssl crt /etc/ssl/haproxy1.sfentona.lol/haproxy1.pem
  mode http
  option httpclose
  option forwardfor
  reqadd X-Forwarded-Proto:\ https
  default_backend web_server

backend web_server
  mode http
  balance roundrobin
  cookie SERVERID insert indirect nocache
  server wordpressvirtip 10.0.0.44:80
Share Button

Centos 7 – Part 2 – HAProxy combined with NGINX Load Balancing.

In this previous post instructions were written on how to setup a Round Robin Load Balancer by using NGINX and a virtual IP that would pass requests to the Apache Web Servers.

In this post we will use the very same setup but we place a HAProxy server in front of the Virtual IP the NGINX servers created. This server will use the Round Robin protocol as well and it will pass the requests to the NGINX servers which will in return will pass the web requests to the Apache web servers. SSL is not yet implemented.

The IP address of the HAProxy is 10.0.0.52 and the IP address of the virtual IP we created is 10.0.0.44 with a DNS entry “wordpressvirtip”

nginx-HA

 

 

 

 

 

 

 

 

 

 

 

 

 

 

yum install haproxy
vi /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 debug
        maxconn   45000 # Total Max Connections.
        daemon
        nbproc      1 # Number of processing cores.
defaults
        timeout server 86400000
        timeout connect 86400000
        timeout client 86400000
        timeout queue   1000s

# [HTTP Site Configuration]
listen  http_web 10.0.0.52:80
        mode http
        balance roundrobin  # Load Balancing algorithm
        option httpchk
        option forwardfor
        server wordpressvirtip 10.0.0.44:80 weight 1 maxconn 512 check
        #server server2 10.0.0.40:80 weight 1 maxconn 512 check

# [HTTPS Site Configuration]
#listen  https_web 192.168.10.10:443
#        mode tcp
#        balance source# Load Balancing algorithm
#        reqadd X-Forwarded-Proto:\ http
#        server server1 192.168.10.100:443 weight 1 maxconn 512 check
#        server server2 192.168.10.101:443 weight 1 maxconn 512 check
 system start haproxy
Share Button

Centos 7 – Part 1 – NGINX – Apache – Load Balancing High Availability

These instructions show how to setup a web Load Balancer by using two NGINX servers as the Load Balancers and two Apache servers.

2 – Centos 7  servers running NGINX will be used as Load Balancers.

2 – Cent0s 7 serves running Apache will be used to serve web pages via virtual hosts.

The NGINX servers will:
– Determine the appropriate destination service based on the method chosen; in this case it will be Round Robin, which is the default option.
– Will use KeepAlive in order to create a virtual IP address. The IP address will based on the already NICs of the Load Balancers.

The Apache servers will:
– Act as your normal every day web servers with virtual hosts.
– Will log the IP of the actual client.

nginx-HA

Setting up the Apache web Servers.

  • Create the directories where the content of you virtual hosts will be placed.
mkdir /etc/httpd/vhosts.d
mkdir -p /sites/wordpress/
chown -R apache:apache /sites/wordpress/
chmod 755 /sites/wordpress/

 

  • Instruct Apache to look into the directory you created for your virtual hosts.
vim /etc/httpd/conf.d/vhosts.conf
IncludeOptional vhosts.d/*.conf

 

  • Create the config file for the corresponding web site.
vim /etc/httpd/vhosts.d/wordpress.sfentona.lol.conf
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /sites/wordpress/
ServerName wordpress.sfentona.lol
ServerAlias www.wordpress.sfentona.lol

Directory "/sites/wordpress";
DirectoryIndex index.html index.php
Options FollowSymLinks
AllowOverride All
Require all granted

 

  • Set up log x-fowarded-for in order to get the the IP of the actual client who visited the site and not the IP of the load balancer in your logs.
vi /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded

 

Configure NGINX as a load balancer (view lines 34-38)

vi /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    upstream wordpress {
    server 10.0.0.42:80;
    server 10.0.0.43:80;
}


        server {
        listen       80;
        server_name  www.wordpress.sfentona.lol;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
                proxy_pass http://wordpress;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

Allow NGINX to bind to a non-local shared ip

vi /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
sysctl -p

Set up your firewall in order for Multicast and VRRP to work correctly.

iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT
iptables -I INPUT -p vrrp -j ACCEPT

 

Configure Keep Alive.

vi/etc/keepalived/keepalived.conf

This is for the Master Load Banacer LB1

 notification_email {
     sysadmin@mydomain.com
     support@mydomain.com
   }
   notification_email_from lb1@mydomain.com
   smtp_server localhost
   smtp_connect_timeout 30
}

vrrp_instance VI_1 {
    state MASTER
    interface ens192
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.44
    }
}

This is for the Master Load Banacer LB2. Priority on the slave is a lower number.

global_defs {
   notification_email {
     sysadmin@mydomain.com
     support@mydomain.com
   }
   notification_email_from lb2@mydomain.com
   smtp_server localhost
   smtp_connect_timeout 30
}

vrrp_instance VI_1 {
    state MASTER
    interface ens192
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.44
    }
}
Share Button

Centos6.5-Win2012R2 – Setup Windows as your Master DNS and Bind as your Slave DNS.

This tutorial show how to setup Windows 2012-R2 as a Master DNS and how to set up Centos 6 as a slave DNS.

PRIMARY DNS NAME AND IP: AD1.SFENTONA.LOL  / 10.0.0.6
SLAVE   DNS NAME AND IP: DNS1.SFENTONA.LOL /10.0.0.10

Centos DNS CONFIG STEPS

———————————————————————————————————-
The following config files have been used in order to get DNS services up and running in Centos 6.

vi /etc/resolv.conf
nameserver 127.0.0.1
search sfentona.lol
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=dns1.sfentona.lol
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:CA:90:ED
TYPE=Ethernet
UUID=49076518-17fb-4416-be14-de64aa36843a
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.192
GATEWAY=10.0.0.1
DNS1=127.0.0.1
DOMAIN="sfentona.lol"
vi /etc/named.conf

Under Options you will have to specify the IP address of your Centos DNS server and from which network you will accept queries.

listen-on port 53 { 127.0.0.1; 10.0.0.10; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 10.0.0.10/26; };
//allow-transfer { 10.0.0.0/26; };
recursion yes;

Under Zones you will have to create your forward lookup and reverse lookup zones. Between the sections LOGGING and ZONE include the following lines. We are essentially telling to our Centos DNS service that it is of type slave and the IP of the master DNS. We are also telling where the location of the zone files will be located

/var/named/slaves

sfentona.lol.zone

zone "sfentona.lol" IN {
type slave;
masters { 10.0.0.6; };
allow-query { any; };
file "slaves/sfentona.lol.zone";
};

sfentona.lol.rr.zone

zone "0.0.10.in-addr.arpa" IN {
type slave;
masters { 10.0.0.6; };
allow-query { any; };
file "slaves/sfentona.lol.rr.zone";
};

 

 

Windows DNS CONFIG STEPS

———————————————————————————————————-

  • On your maind DNS properties settings tree check “Enable Bind Secondaries”
  • You will have enter as Name Server your Linux Server for both your Forward and Reverse Lookup zones.
  • On your DNS Zone (in this case sfentona.lol) under properties settings enable “Zone Transfer”. Specify your slave DNS or you can opt to update all available DNS servers. Make to do this for both your Forward and Reverse lookup zones for your Domain.
Share Button