Showing posts with label infrastructure.

Tuesday, April 18, 2023

How to change download policy of repositories in Red Hat Satellite 6.3?

Tested on Red Hat Satellite 6.3


Issue

How to change the download policy of all enabled repositories in Satellite 6.3?

How to change the repository download policy to immediate in Satellite 6.3?


Raw

- Changing download policy to 'immediate'.

foreman-rake katello:change_download_policy DOWNLOAD_POLICY=immediate


- Changing download policy to 'on-demand'.

foreman-rake katello:change_download_policy DOWNLOAD_POLICY=on_demand

The task only changes the policy on the repositories. With 'immediate', the RPMs are fetched on the next sync, so run one afterwards. With 'on_demand', a package is downloaded the first time a client asks for it, which keeps the Satellite small but means every first install depends on the upstream CDN being reachable at that moment; disconnected setups want 'immediate'.

Wednesday, December 12, 2018

How to disable Cloud-Init in an EL-like Cloud Image

So this one is pretty simple. However, I found a lot of misinformation along the way, so I figured I would jot down the proper (and simplest) process here.

Symptoms: an RHEL (or variant) VM that takes a very long time to boot, typically because cloud-init is waiting for a metadata source that is not there. On the VM console you will see output like the line below while the boot process is stalled, waiting for a timeout. Note that this message has nothing to do with cloud-init; it is simply the last thing printed before the stall, and the output I have most often seen on the console while waiting for such a VM to boot.

[  106.325574] random: crng init done

Note that I have run into this issue in both OpenStack (when booting from external provider networks) and in KVM.

The fix is applied to the disk image from the host, before the VM is booted for the first time, using guestfish from libguestfs. Run the commands below.

13:18:01 alvaro@lykan /home/alvaro/Documents/2post
$ sudo dnf install libguestfs libguestfs-tools openssl
Last metadata expiration check: 1:53:31 ago on Mon 16 Jul 2018 01:51:05 PM CDT.
Package libguestfs-1:1.38.2-1.fc27.x86_64 is already installed, skipping.
Package libguestfs-tools-1:1.38.2-1.fc27.noarch is already installed, skipping.
Package openssl-1:1.1.0h-3.fc27.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

13:18:26 alvaro@lykan /home/alvaro/Documents/2post
$ guestfish --rw -a ../../Downloads/CentOS-7-x86_64-GenericCloud-1805.qcow2
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell

> run
100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
> list-filesystems
/dev/sda1: xfs
> mount /dev/sda1 /
> touch /etc/cloud/cloud-init.disabled
> quit

Seriously, that's it. No need to disable or remove the cloud-init services: cloud-init's systemd generator checks for /etc/cloud/cloud-init.disabled and, when the file exists, skips all of the cloud-init units on every boot. The flip side is that nothing will inject SSH keys, create users or set passwords on first boot any more, so make sure the image already contains a way to log in (a root password or an authorized_keys file, which you can add from the same guestfish session) before you boot it.
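The same change as a repeatable script, as an added example that is not part of the original post. It assumes the root filesystem is /dev/sda1 like the CentOS image above (set ROOTFS for LVM-based images) and that guestfish is on PATH (set GUESTFISH to override), and, since cloud-init will no longer install keys, it optionally drops an SSH public key into /root/.ssh from the same session.

```shell
#!/bin/sh
# Added example, not part of the original post: the guestfish session above
# made non-interactive so it can be repeated for every image you import.
# Assumptions: root filesystem is /dev/sda1 (override with ROOTFS=...),
# guestfish is on PATH (override with GUESTFISH=...).

disable_cloud_init() {
    image="$1"          # qcow2/raw image, modified in place
    pubkey_file="$2"    # optional: local file holding one SSH public key
    rootfs="${ROOTFS:-/dev/sda1}"

    # cloud-init would normally install the key on first boot; it no longer
    # will, so install it now if one was given.
    if [ -n "$pubkey_file" ]; then
        key_cmds="mkdir-p /root/.ssh
chmod 0700 /root/.ssh
upload $pubkey_file /root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys"
    else
        key_cmds=""
    fi

    # guestfish reads commands from stdin; the image is never booted, so
    # nothing inside it runs. Touching the marker file is all it takes.
    "${GUESTFISH:-guestfish}" --rw -a "$image" <<EOF
run
mount $rootfs /
mkdir-p /etc/cloud
touch /etc/cloud/cloud-init.disabled
$key_cmds
ll /etc/cloud
EOF
}

# Usage: sh disable-cloud-init.sh image.qcow2 [id_ed25519.pub]
if [ "$#" -ge 1 ]; then
    disable_cloud_init "$1" "$2"
fi
```

The final ll /etc/cloud is the check: the marker file must be listed, otherwise the mount line hit the wrong filesystem (run list-filesystems interactively, as in the session above, to find the right one).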

Monday, October 8, 2012

Free EL YUM Repositories

If you are using some flavor of Enterprise Linux, you will eventually get tired of downloading rpm packages one at a time from here (by the way, that is a really useful page when you don't have access to FTP services, thanks to the telecom/security guys), and sooner or later you will need repositories configured on your server so that dependencies get resolved. Here are some repositories provided by Oracle for free, but of course with no support.

OEL 4/RHEL 4, Update 6 or Newer
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el4.repo

OEL 5/RHEL 5
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo

OEL 6/RHEL 6
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-ol6.repo

Oracle VM 2
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-ovm2.repo

After downloading the repo file, enable the section that matches your release by setting enabled=1 on it and leave the others at enabled=0. Keep gpgcheck=1: the repo file and the signing key are both fetched over plain http, so compare the fingerprint of the key you import with the one Oracle publishes before trusting packages signed with it; after that first check, the signature verification protects every later download even over an untrusted network.


[root@openstack yum.repos.d]# cat /etc/yum.repos.d/public-yum-ol6.repo
[ol6_latest]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1
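A small audit for the two weak spots in repo files like the one above (plain-http fetches and gpgcheck turned off), as an added example that is not part of the original post. It is a plain sh/awk script with no dependencies beyond a POSIX awk; the demo repo file it writes is constructed here and mirrors the Oracle section above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit yum/dnf .repo files for
# enabled sections that fetch packages or the signing key over plain http, or
# that have gpgcheck turned off. One finding per line; returns 1 when anything
# was found, so it can gate an image build or a config-management run.

audit_repo_files() {
    awk '
        BEGIN { enabled = "1" }                  # yum treats a missing enabled= as 1
        function flush() {
            if (section == "") return
            if (enabled == "1") {
                if (gpgcheck != "1")   { print fname ": [" section "] gpgcheck is not 1"; bad++ }
                if (url ~ /^http:/)    { print fname ": [" section "] packages fetched over plain http"; bad++ }
                if (gpgkey ~ /^http:/) { print fname ": [" section "] GPG key fetched over plain http"; bad++ }
            }
            section = ""; enabled = "1"; gpgcheck = ""; url = ""; gpgkey = ""
        }
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); fname = FILENAME; next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey   = val
            if (key == "baseurl" || key == "mirrorlist") url = val
        }
        END { flush(); exit (bad > 0) }
    ' "$@"
}

# Demo on a constructed file: the first section mirrors the Oracle repo above,
# the second is disabled and must be ignored even though it is worse.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
[ol6_latest]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

[ol6_ga_latest]
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/ga/$basearch/
gpgcheck=0
enabled=0
EOF
    audit_repo_files "$demo"
    rm -f "$demo"
else
    audit_repo_files "$@"     # e.g. audit_repo_files /etc/yum.repos.d/*.repo
fi
```

On the demo input it reports two findings for [ol6_latest] (packages and key over plain http) and nothing for the disabled section; a key fetched over https with gpgcheck=1 passes clean.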


And of course, the EPEL repositories. Look up the right release for your system on the EPEL Repository page and install the epel-release rpm, like this one. The NOKEY warning in the output below means rpm could not verify the package signature because the EPEL key is not imported yet; epel-release drops the key into /etc/pki/rpm-gpg/, and yum will ask you to import it the first time you install something from EPEL. Check its fingerprint against the one the EPEL project publishes before saying yes:


[root@openstack yum.repos.d]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)
[root@openstack ~]# rpm -Uvh http://fedora.mirror.nexicom.net/epel/6/x86_64/epel-release-6-7.noarch.rpm
Retrieving http://fedora.mirror.nexicom.net/epel//6/x86_64/epel-release-6-7.noarch.rpm
warning: /var/tmp/rpm-tmp.h0G5aN: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
[root@openstack ~]# ll /etc/yum.repos.d/
total 8
-rw-r--r--. 1 root root  957 May  9 10:55 epel.repo
-rw-r--r--. 1 root root 1056 May  9 10:55 epel-testing.repo

Saturday, April 7, 2012

[Solved] su: /bin/bash: Permission denied

New user created as:

groupadd mygroup
useradd -s /bin/bash -g mygroup -m -k /dev/null myuser

When trying to log in:

[root@vserver ~]# su - myuser
su: /bin/bash: Permission denied

The shell exists and is executable; what is missing is the search (x) bit for "other" on /bin, so once su has dropped privileges to myuser the kernel refuses to resolve /bin/bash. You can confirm it with ls -ld /bin (it should show drwxr-xr-x) or with rpm -V filesystem, which reports a mode mismatch on the directory. If you did not change that mode yourself, find out what did: a recursive chmod gone wrong is the usual cause, but it is worth ruling out something less innocent.

Solution:

[root@vserver ~]# chmod 755 /bin
[root@vserver ~]# su - myuser
[myuser@vserver ~]$
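A check that finds this class of problem before a user hits it, as an added example that is not part of the original post. It walks every directory on the (symlink-resolved) path to each shell in /etc/shells and reports the ones a non-root user cannot traverse; it parses ls -ld output so it runs unchanged on any POSIX system.

```shell
#!/bin/sh
# Added example, not part of the original post: report directories on the way
# to a login shell that are not searchable by everyone. "su: /bin/bash:
# Permission denied" for a normal user while root works is almost always a
# missing "x" bit for "other" on /bin (or /usr or /), not a broken shell.

# Returns 0 when every user can traverse (x) the directory, 1 otherwise.
# -L follows symlinks (e.g. /bin -> usr/bin on merged-usr systems).
dir_searchable_by_all() {
    perm=$(ls -ldL "$1" | cut -c1-10)
    case "$perm" in
        d????????[xt]) return 0 ;;      # "t" is the sticky bit, still searchable
        *)             return 1 ;;
    esac
}

# Walks every directory leading to a file (/usr/bin/bash -> /usr/bin, /usr, /)
# and prints the ones a non-root user cannot traverse. Returns 1 if any.
check_path_to() {
    target="$1"
    bad=0
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || {
        printf 'cannot resolve directory of %s\n' "$target"; return 1; }
    while :; do
        if ! dir_searchable_by_all "$dir"; then
            printf '%s is not searchable by others: %s\n' "$dir" "$(ls -ldL "$dir" | cut -c1-10)"
            bad=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# Default: check every shell listed in /etc/shells, which is what login and
# su will try to exec; otherwise check the files given on the command line.
if [ "$#" -eq 0 ] && [ -r /etc/shells ]; then
    grep '^/' /etc/shells | while read -r shell; do
        [ -e "$shell" ] && check_path_to "$shell"
    done
else
    for f in "$@"; do check_path_to "$f"; done
fi
```

Silence means every shell is reachable; each reported line names the directory to fix and its current mode, so the repair is the same chmod 755 as above, applied to the right directory.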

Wednesday, December 21, 2011

HowTo Clean and Re-build Squid cache

First, check your squid.conf file and locate your cache directory: you should have a line starting with "cache_dir", and its third field is the path (the example below assumes /squid/cache; use your own).

  1. Shut down your squid server: squid -k shutdown. This only asks squid to stop; wait until the process is really gone (squid -k check fails) before touching the cache, or the running squid will keep writing into it.
  2. Remove the cache contents: rm -r /squid/cache/*
  3. Re-create the squid cache directories: squid -z
  4. Start the squid cache server again, and check that the re-created directories are owned by the user in cache_effective_user.
Thanks for reading.
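The four steps as a script, as an added example that is not part of the original post. The point of it is the guard in front of the rm: with the path read from squid.conf, an empty or mistyped cache_dir would otherwise turn "rm -r $cache/*" into "rm -r /*". It assumes one cache_dir line and a squid binary that accepts -f, -k and -z as in the post; the squid.conf it reads is whatever you pass (default /etc/squid/squid.conf).

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the squid cache with
# a sanity check on the path taken from squid.conf before anything is removed.
# Assumes a single cache_dir line; run as root.

# Prints the directory from the first cache_dir line, e.g.
# "cache_dir ufs /var/spool/squid 100 16 256" -> /var/spool/squid
cache_dir_from_conf() {
    awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# Returns 0 only for an existing absolute directory at least two levels deep
# (/a/b) with no "." or ".." components; "" and "/" are the cases that matter.
# The two-level rule is a conservative assumption to keep /var, /home and
# friends out of reach of a typo.
safe_cache_path() {
    p=$(printf '%s' "$1" | sed 's#/*$##')       # drop trailing slashes: "/" -> ""
    case "$p" in
        ""|[!/]*|*/..|*/../*|*/.|*/./*) return 1 ;;
    esac
    case "$p" in
        /*/*) ;;
        *) return 1 ;;
    esac
    [ -d "$p" ]
}

rebuild_squid_cache() {
    conf="${1:-/etc/squid/squid.conf}"
    cache=$(cache_dir_from_conf "$conf")
    if ! safe_cache_path "$cache"; then
        echo "refusing to wipe '$cache' (from $conf): not a safe cache path" >&2
        return 1
    fi
    squid -f "$conf" -k shutdown
    # -k shutdown only asks squid to stop; wait until -k check no longer
    # finds a running process before touching the cache.
    while squid -f "$conf" -k check 2>/dev/null; do sleep 1; done
    rm -rf "$cache"/*
    squid -f "$conf" -z           # re-create the swap directories
    squid -f "$conf"              # start again (or use the init script)
}

# Usage: sh rebuild-squid-cache.sh [/path/to/squid.conf]
if [ "$#" -ge 1 ]; then
    rebuild_squid_cache "$1"
fi
```

After it finishes, ls -ld on the cache directory should show the user from cache_effective_user as owner; if not, chown it before squid fills it again.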

Tuesday, November 8, 2011

GRSecurity + Java = Killed + Headup = Running App

 When we work with hardened kernels and tools like grsecurity and PaX, we face problems like:

  1. The kernel kills applications.
  2. Some applications cannot start.
  3. We cannot compile some applications.
  4. And many others...

How much of this you see depends on the security level configured in the kernel. Some legitimate applications generate machine code at run time and then execute it from the memory they just wrote (a JIT compiler does exactly this). PaX's MPROTECT feature does not allow a process to turn writable memory into executable memory, so it promptly kills the offending application. The fix is to tell PaX that specific binaries are allowed to do this, and only those binaries.

The most notable of these applications are XFree/Xorg, mplayer, multimedia tools based on xine-lib, and the Java virtual machine.

homero / # java -version
Killed
homero / # uname -a
Linux homero 2.6.27.15-grsec-2.1.12-vs2.3.0.36.4 #11 SMP Fri Mar 25 17:30:38 CST 2011 i686 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
homero ~ # tail -f /var/log/pax.log 
Aug  8 13:06:23 homero kernel: [7748633.853670] PAX: From X.X.X.X: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00 
Aug  8 13:06:23 homero kernel: [7748633.853718] PAX: bytes at SP-4:
homero bin # pwd
/usr/local/jdk1.6.0_26/bin

To solve this we use the PaX utilities, such as paxctl and chpax, to relax the PaX rules for the specific binaries that need it, not system-wide.

homero bin # emerge pax-utils pax paxctl paxtest -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-apps/paxctl-0.5  0 kB
[ebuild   R    ] app-misc/pax-utils-0.2.2  USE="caps" 0 kB
[ebuild   R    ] app-arch/pax-3.3.4  0 kB
[ebuild   R   ~] app-admin/paxtest-0.9.9-r2  0 kB

Total: 4 packages (4 reinstalls), Size of downloads: 0 kB

 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

First, we need to create the PT_PAX_FLAGS program header in each binary (the files reported as not valid ELF executables are wrapper scripts and can be ignored):

homero bin # paxctl -C *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file appletviewer got a new PT_PAX_FLAGS program header
file apt got a new PT_PAX_FLAGS program header
file extcheck got a new PT_PAX_FLAGS program header
file idlj got a new PT_PAX_FLAGS program header
file jar got a new PT_PAX_FLAGS program header
file jarsigner got a new PT_PAX_FLAGS program header
file java got a new PT_PAX_FLAGS program header
file java-rmi.cgi is not a valid ELF executable
file javac got a new PT_PAX_FLAGS program header
file javadoc got a new PT_PAX_FLAGS program header
file javah got a new PT_PAX_FLAGS program header
file javap got a new PT_PAX_FLAGS program header
file javaws got a new PT_PAX_FLAGS program header
file jconsole got a new PT_PAX_FLAGS program header
file jcontrol is not a valid ELF executable
file jdb got a new PT_PAX_FLAGS program header
file jhat got a new PT_PAX_FLAGS program header
file jinfo got a new PT_PAX_FLAGS program header
file jmap got a new PT_PAX_FLAGS program header
file jps got a new PT_PAX_FLAGS program header
file jrunscript got a new PT_PAX_FLAGS program header
file jsadebugd got a new PT_PAX_FLAGS program header
file jstack got a new PT_PAX_FLAGS program header
file jstat got a new PT_PAX_FLAGS program header
file jstatd got a new PT_PAX_FLAGS program header
file jvisualvm is not a valid ELF executable
file keytool got a new PT_PAX_FLAGS program header
file native2ascii got a new PT_PAX_FLAGS program header
file orbd got a new PT_PAX_FLAGS program header
file pack200 got a new PT_PAX_FLAGS program header
file policytool got a new PT_PAX_FLAGS program header
file rmic got a new PT_PAX_FLAGS program header
file rmid got a new PT_PAX_FLAGS program header
file rmiregistry got a new PT_PAX_FLAGS program header
file schemagen got a new PT_PAX_FLAGS program header
file serialver got a new PT_PAX_FLAGS program header
file servertool got a new PT_PAX_FLAGS program header
file tnameserv got a new PT_PAX_FLAGS program header
file unpack200 got a new PT_PAX_FLAGS program header
file wsgen got a new PT_PAX_FLAGS program header
file wsimport got a new PT_PAX_FLAGS program header
file xjc got a new PT_PAX_FLAGS program header
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -------x-e-- [java]
    RANDEXEC is disabled
    EMUTRAMP is disabled

The problem is MPROTECT: it is not listed as disabled, so the kernel default (enabled) applies to the java binary.

Name
mprotect - control allowable accesses to a region of memory

Synopsis
#include <sys/mman.h>
int mprotect(const void *addr, size_t len, int prot);

Description
The function mprotect() specifies the desired protection for the memory page(s) containing part or all of the interval [addr,addr+len-1]. If an access is disallowed by the protection given it, the program receives a SIGSEGV.

The goal of MPROTECT is to help prevent the introduction of new executable code into the task’s address space. This is accomplished by restricting the mmap() and mprotect() interfaces.

The restrictions prevent:
     - Creating executable anonymous mappings.
     - Creating executable/writable file mappings.
     - Making an executable/read-only file mapping writable except for performing relocations on an ET_DYN ELF file (non-PIC shared library).
     - Making a non-executable mapping executable.

HotSpot writes JIT-compiled code into anonymous memory and then needs it to be executable, which is exactly what the last restriction forbids. So we need to disable MPROTECT on the JDK launchers (all of them host a JVM), and on nothing else:

homero bin # paxctl -m *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file java-rmi.cgi is not a valid ELF executable
file jcontrol is not a valid ELF executable
file jvisualvm is not a valid ELF executable
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -----m-x-e-- [java]
    MPROTECT is disabled
    RANDEXEC is disabled
    EMUTRAMP is disabled
homero bin # java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)

And now we can run any Java application on our hardened system. Keep in mind what we traded: the JVM processes started from these binaries no longer get W^X enforcement from PaX, so they are as exposed to code-injection bugs as on a stock kernel, while every other process on the box keeps full MPROTECT. Do not be tempted to run paxctl -m across /usr/bin to make things "just work". Note also that paxctl rewrites the ELF header, so the flag is lost whenever the package is reinstalled or upgraded and has to be re-applied (on kernels built with CONFIG_PAX_XATTR_PAX_FLAGS the flags can instead live in the user.pax.flags extended attribute, which is what Gentoo's hardened profile manages).
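Knowing which binaries PaX actually killed is the first step, and the pax.log format shown above is easy to mine. The script below is an added example that is not part of the original post: it summarises the "terminating task" lines per binary and prints (without running) the paxctl commands from this post for each one, refusing to suggest anything for core system paths so those get looked at by hand. The log lines in the demo are constructed and mimic the entries shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise PaX kills from the
# log format shown above and print the paxctl commands that would relax
# MPROTECT for each killed binary. Nothing is executed; review the list first.

# Args: log files (or stdin). Output: "<kills> <path>" per binary.
pax_kill_summary() {
    sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' "$@" \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# Prints the paxctl commands used in this post for each killed binary,
# flagging core system paths for manual review instead of relaxing them.
pax_suggest_relax() {
    pax_kill_summary "$@" | while read -r kills path; do
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib/*|/usr/lib/*)
                echo "# $path: killed $kills time(s); system binary, investigate before relaxing" ;;
            *)
                echo "paxctl -C '$path' && paxctl -m '$path'   # killed $kills time(s)" ;;
        esac
    done
}

if [ "$#" -eq 0 ]; then
    # Constructed demo log: two JVM kills and one mplayer kill.
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
Aug  8 13:06:23 homero kernel: [7748633.853670] PAX: From 192.0.2.10: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:07:01 homero kernel: [7748671.112233] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18602, uid/euid: 1000/1000, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:09:45 homero kernel: [7748835.554433] PAX: terminating task: /usr/bin/mplayer(mplayer):18710, uid/euid: 1000/1000, PC: 0805c0a0, SP: bf8e1234
EOF
    pax_suggest_relax "$demo"
    rm -f "$demo"
else
    pax_suggest_relax "$@"      # e.g. pax_suggest_relax /var/log/pax.log
fi
```

On the demo input this prints one paxctl line for the JDK's java (killed twice) and a commented warning for /usr/bin/mplayer; the "execution attempt" line carries no path and is ignored.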

Thursday, October 6, 2011

Setup MX records with tinydns or djbdns and gmail

 Just modify the data file to look like this one, then run make in the tinydns root directory so that data.cdb is rebuilt (tinydns serves from data.cdb, not from data). You can check the result locally, without asking a remote resolver, with tinydns-get mx myowndomain.com from that same directory.

evo ~ # vi /bla/bla/bla/tinydns-IPX/root/data
...
...
...
# myowndomain.com's MX Servers
@myowndomain.com::aspmx.l.google.com.:10:86400
@myowndomain.com::alt1.aspmx.l.google.com.:20:86400
@myowndomain.com::alt2.aspmx.l.google.com.:20:86400
@myowndomain.com::aspmx2.googlemail.com.:30:86400
@myowndomain.com::aspmx3.googlemail.com.:30:86400
@myowndomain.com::aspmx4.googlemail.com.:30:86400
@myowndomain.com::aspmx5.googlemail.com.:30:86400
...
...
...

Monday, September 12, 2011

Hardened environment running GRSecurity and VMWare Server

After a common install of vmware-server...
vm-win ~ # emerge vmware-server -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   Rf   ] app-emulation/vmware-server-2.0.2.203138-r1  0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Fetch Restriction: 1 package

 * IMPORTANT: 3 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

... our vmware-server cannot start. To solve this we use the PaX utilities, such as paxctl and chpax, to relax the PaX rules for the specific binaries that need it, not system-wide.

vm-win ~ # emerge pax-utils pax paxctl paxtest -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-apps/paxctl-0.5  0 kB
[ebuild   R    ] app-misc/pax-utils-0.2.1  USE="caps" 0 kB
[ebuild   R    ] app-arch/pax-3.3.4  0 kB
[ebuild   R    ] app-admin/paxtest-0.9.9-r1  0 kB

Total: 4 packages (4 reinstalls), Size of downloads: 0 kB

 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

Here are some options.

vm-win ~ # chpax --help
chpax 0.7 .::. Manage PaX flags for binaries
Usage: chpax OPTIONS FILE1 FILE2 FILEN ...

 -P   enforce paging based non-executable pages
 -p   do not enforce paging based non-executable pages
 -E   emulate trampolines
 -e   do not emulate trampolines
 -M   restrict mprotect()
 -m   do not restrict mprotect()
 -R   randomize mmap() base [ELF only]
 -r   do not randomize mmap() base [ELF only]
 -X   randomize ET_EXEC base [ELF only]
 -x   do not randomize ET_EXEC base [ELF only]
 -S   enforce segmentation based non-executable pages
 -s   do not enforce segmentation based non-executable pages
 -v   view current flag mask
 -z   zero flag mask (next flags still apply)

The flags only have effect when running the patched Linux kernel.

vm-win ~ # paxctl -h
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team

usage: paxctl <options> <files>

options:
	-p: disable PAGEEXEC		-P: enable PAGEEXEC
	-e: disable EMUTRMAP		-E: enable EMUTRMAP
	-m: disable MPROTECT		-M: enable MPROTECT
	-r: disable RANDMMAP		-R: enable RANDMMAP
	-x: disable RANDEXEC		-X: enable RANDEXEC
	-s: disable SEGMEXEC		-S: enable SEGMEXEC

	-v: view flags			-z: restore default flags
	-q: suppress error messages	-Q: report flags in short format
	-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
	-C: create PT_PAX_FLAGS (see manpage!)


The next script changes the PaX flags of the vmware-server-2.0.2 binaries. Note what PAXCTL_OPTIONS="-pemrxs" does: it disables every PaX feature (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC, SEGMEXEC) on vmware-hostd, vmnet-bridge and vmware-vmx, and vmware-vmx is the process that runs the guest. Start with -m alone, as in the Java post above, and add flags only if a binary still dies, so that the rest of PaX keeps protecting those processes.
First the config and opts file.

vm-win ~ # cat /etc/conf.d/grsecurity
# /etc/conf.d/grsecurity
CHPAX_CMD="/sbin/chpax"
CHPAX_OPTIONS="-rsm"
PAXCTL_CMD="/sbin/paxctl"
PAXCTL_OPTIONS="-pemrxs"
PAXCTL_OPTIONS_="-z"
PAXCTL_CONVERT="-c"

Then the init script.

vm-win ~ # cat /etc/init.d/grsecurity
#!/sbin/runscript
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
	before vmware
}

# Convert the header and apply the relaxed flags to the three binaries
# that PaX otherwise kills; eend reports the status of the last paxctl.
start() {
	ebegin "Setting grsecurity rules and options"
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-hostd
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/bin/vmnet-bridge
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-vmx
	eend $?
}

# Restore the default flags (-z) so the protections apply again.
stop() {
	ebegin "Restoring default grsecurity rules and options"
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd
	${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-hostd
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge
	${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/bin/vmnet-bridge
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx
	${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-vmx
	eend $?
}

restart() {
	stop
	start
}


I know! This is an ugly script, but it worked at the "Hardened Gentoo [server]" security level.


┌────────────────────────── Security Level ──────────────────────────┐
│  Use the arrow keys to navigate this window or press the hotkey of │
│  the item you wish to select followed by the <SPACE BAR>. Press    │
│  <?> for additional information about this option.                 │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │           ( ) Low                                              │ │
│ │           ( ) Medium                                           │ │
│ │           ( ) High                                             │ │
│ │           (X) Hardened Gentoo [server]                         │ │
│ │           ( ) Hardened Gentoo [server no rbac]                 │ │
│ │           ( ) Hardened Gentoo [workstation]                    │ │
│ └───────────────v(+)─────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────────────────────┤
│                  <Select>    < Exit >    < Help >                  │
└────────────────────────────────────────────────────────────────────┘

Running kernel

vm-win ~ # uname -a
Linux vm-win 2.6.35-hardened #7 SMP Thu Sep 30 22:13:03 GMT 2010 x86_64 Intel(R) Xeon(R) CPU L5410 @ 2.33GHz GenuineIntel GNU/Linux


And now... all is running correctly.

vm-win ~ # ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [3]
..........
 2010 ?        Ss     0:00 /usr/bin/svscan /service
 2038 ?        Ss     0:00 /usr/sbin/cron
 2125 ?        Ss     0:00 /opt/vmware/server/bin/vmnet-bridge -d /var/run/vmnet-bridge-0.pid -n 0 -i eth0
 2404 ?        Ss     0:00 /opt/vmware/server/sbin/vmware-authdlauncher
 2418 ?        S      0:00 /bin/sh /opt/vmware/server/bin/vmware-watchdog -s webAccess -u 30 -q 5 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30
 2441 ?        Ssl    0:29 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=30 -Djava.util.logging.manager=org.apache.juli.Cla
 2523 ?        Ssl    0:21 /opt/vmware/server/lib/bin/vmware-hostd -a -d -u /etc/vmware/hostd/config.xml
 2576 ?        Ssl    9:31 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;
 2642 ?        Ssl    3:34 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;
 2676 ?        Ssl    3:48 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;

Tuesday, September 6, 2011

Install grub in a HP Proliant Server

 Edit the file /boot/grub/device.map to look like this

(fd0) /dev/fd0
(hd0) /dev/cciss/c0d0

Run grub like this:

hercules ~ # /sbin/grub --batch --device-map=/boot/grub/device.map --config-file=/boot/grub/grub.conf --no-floppy

grub shell:

grub> root (hd0,0)
grub> setup (hd0)
grub> quit