Friday, 21 November 2014

HP CloudSystem 8.1 Part 2


So, I've been banging my head on the deployment of this product at home but have since gotten some hands-on experience in work to start getting my head around the concepts, and today I've retried setting up my Lab from scratch to rebuild CS8.1 and get it to work. I consolidated my SSDs to two largish ones to help with space requirements but this wasn't a show stopper as much as a nice to have. I was using an LSI card but in JBOD mode, found this wasn't great in terms of performance, so now each SSD is allocated to a RAID 0 array albeit with one drive and things have improved with its SSD caching ability.

None of that is really relevant or interesting (!) to what I'll describe here - the biggest piece of the puzzle came when I broke the CAT-5e cable I had running downstairs to my Lab. I had strange issues with my Netgear ProSafe switch so after some research ordered a Cisco SG300-10 but subsequently discovered the cable issue, the switch was actually fine! The reason I went with the Cisco is to get layer 3 capability plus it's a much more powerful unit, albeit with a web front end and not a full Cisco IOS. I saved a fair bit by buying via Newegg but had to get a shipping forwarder to send it on to Ireland, didn't get hit with Duty so it worked out very well. The unit is €330 here, I got it for $172 + $72 forwarding charge (It's a heavy item) as an example. The Netgear power supply worked with it perfectly which was a bonus! There is a trick to getting it in layer 3 mode via a serial cable but they supply it so don't worry, I've it hooked into my vCenter VM by adding a virtual serial interface to that VM in ESXi!

Now, I was able to spend some time recently understanding the CS8.1 networking and after I redid it from scratch I deployed all the VMs without the previous HP-OO password issue. I found that the Enterprise appliance ignores the template values in terms of vCPU & RAM, it demanded 8 vCPU and 20GB Ram for itself, the cheek! I powered it off and applied 4 vCPU and 8GB of Ram and restarted it to see if this would work. My Lab only has 4 physical cores after all!

The Networking piece is described below to help you plan your own deployments. I think it's key to have a good Switch/Router and not just rely on ESXi for cloud stuff in particular.

vLAN ID   Subnet            Gateway          Port Group
1         192.168.10.0/24   192.168.10.254   vLAN_Cloud_DC_Mgmt
50        192.168.11.0/24   N/A              vLAN50_Cloud_Mgmt
51        192.168.12.0/24   192.168.12.254   vLAN51_Cloud_CAN
55        192.168.13.0/24   192.168.13.254   vLAN4095_Cloud_Data_Trunk
56        192.168.14.0/24   192.168.14.254   vLAN4095_Cloud_Data_Trunk
57        192.168.15.0/24   192.168.15.254   vLAN4095_Cloud_Data_Trunk
58        192.168.16.0/24   192.168.16.254   vLAN4095_Cloud_Data_Trunk
59        192.168.17.0/24   192.168.17.254   vLAN4095_Cloud_Data_Trunk
N/A       192.168.1.0/24    192.168.1.1      vLAN_Cloud_External

My Default Network for all my existing VMs was using subnet 192.168.10.0/24 so I left that as the native vLAN. I pretty much used the same settings as before with a few changes as shown below:

 
 
I updated my Windows PC Hosts file to make sure I could communicate. Now, I get as far as the Enterprise Appliance but it's refusing to start up and my Foundation Appliance is going crazy, 100% cpu! Looks like I'll need a Hardware Upgrade to deploy Enterprise at this rate! At least I can play with Foundation and it's portal until I figure out what's happening. I would suggest that if your lab is like mine this might be something you'll have to do on a work server not at home. I'll post any updates if I manage to get this working. At least we've no errors as shown below during the Foundation Appliance Deployment:
 
start>csstart gui --start-browser --auto-accept-cert
Web server starting.
serving on http://127.0.0.1:5000
Config file - passed basic tests, moving to advanced tests.
Config file - passed advanced tests.
Config file - passed basic tests, moving to advanced tests.
Config file - passed advanced tests.
Creating new base appliance.
Warning: Found 4 cores on the hypvervisor. Decreasing core request from 8 for appliance.
Appliance (ca1) successfully reconfigured
Booting the appliance.
This step could take between 5 and 20 minutes to complete.
Elapsed time (minutes):  2
Finished.
The CloudSystem controller is being started.
This step could take between 10 and 20 minutes to complete.
Elapsed time (minutes):  6
Finished.
Waiting for the CloudSystem services to finish starting.
This step could take between 5 and 15 minutes to complete.
Elapsed time (minutes):  0 Complete.
Configured appliance EULA and support access.
Applying the first time setup network selections.
Using ssl cert:
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
VM started successfully.
Open browser to https://192.168.10.70/

Update: Power Cycling the Foundation Appliance resolves the issue. You can then go in and choose to "uninstall" CloudSystem Enterprise, it just seems to reset the integration until you win the lottery and can afford a massive home server!

Update #2: After adding in the Compute Cluster you get to choose which vSwitch the Cloud Data Trunk gets created on. I noted that the proxy is actually a clone of the base appliance and, like Enterprise, it doesn't take its hardware settings from the template, so prepare for a 4 x vCPU and 16GB RAM VM in your environment. I've since downgraded it to 2 x vCPU and 8 GB RAM to see how it plays.

Friday, 17 October 2014

VMworld 2014


Well, I'm just back from attending the conference in Barcelona and I was taking particular interest in Security & VVols during the event. With Cloud taking off there's an increase in awareness of how vulnerable this infrastructure is to attack. Azure has had a few hiccups affecting many of their customers as they made changes to their networking stack earlier this year. Code Spaces is also of course in everyone's mind as they were held to ransom and the criminal deleted their data, forcing them to close. As we layer up the automation, how easy would it be to power down 20,000 VMs instead of powering them up?!

I'll list the main things I found out below throughout the Conference:

  • Do I put my VMs in the Cloud? If they are Core - Stay on Floor (In House), if they are Non-Core - They go out the door (Cloud). Keep the apps you run your business on in house!
  • Incident Management: Preparation, Identification, Containment, Eradication, Recovery, Lessons
  • 2 Man Rule - get two people to make all changes especially after 4pm on a Friday. It's called the "weekend saver"!
  • Is there any regulation around Cloud Providers themselves, to help ensure they are not just ramping up an insecure solution? FedRAMP is one strategy, the EU is working on another but it might be 2 years before they bite. Link below.
  • VVols - saw a few sessions on these. There's a VASA 2.0 network link to the Array that controls creating new VMs, snapshots, cloning etc. If this link is down, existing VMs are ok, you just can't create new ones etc using VVols, bit like HA! It won't support SCSI-3 so no windows clusters. I asked if it's possible to insert a windows CD into a VMware Host and install windows into the Storage Container directly and wipe everything and they said no, this is not possible! As you are removing the LUN construct, you will end up with fairly large Storage Containers, great if someone tramples all over it! It won't support vSAN, I think you can pass UNMAP direct to the array now from the VM O/S so that will be great for space management. You can control features like replication per VM but there's no SRM integration in the initial release. You can deploy up to 256 Storage Containers, each supports a single protocol (NFS/iSCSI/FC). Backup Providers should be onboard and ready to support too (Veeam & Commvault mentioned). You can see the VVol Container in vCenter to use for Datastore Heartbeating & HA. HP 3PAR will run a PE on each Controller from what I saw and is a Firmware Upgrade. Licensing costs still to be decided by VMware of course! Enterprise Plus Plus?!!
  • More Security: Designing a way to escape out of a VM is highly complex and costly. It's much easier to go after the admin / operational security threats, scripts are cheap and it's low cost and much easier to walk onto a site and do the deed. Secure your Management plane off the rest of the network. Don't use common accounts, give admins a separate super user account to use for changes so you can track them. Check Host Uptime and patch, patch, patch. With vMotion there's no reason not to. vRealize Air Compliance is in Beta to give you a Hardening guide / PCI scorecard. It uses the cloud however which I'm not too keen on. Consider introducing vCAC / vCO workflows for deleting VMs and archive them to nearline and encrypt for security. Integrate Approvals into the workflow. Remove Browse Datastore permissions from most admins. $375 to build a laptop sized device that can scan an employee badge for later duplication has been demoed elsewhere!
  • Veeam v8: Has a web GUI you can use to delegate individual SQL DB restores for Devs. AD comparison tool - find out what changed then fix it. Can replicate from Array snapshots. Now has SRM-like features for orchestrating failovers. Snapshot hunter to find them even if vCenter says they aren't there!
  • vCenter Best Practices - watch out for the Inventory Service, it acts as a cache for the web interface to speed it up but it stores tags and storage profiles, you need to be backing these up! The XDB can grow to 60GB in worst cases, requires a reboot and tweaking to fix if this happens. Enable 8.3 paths if installing vCenter to a Drive other than C:. Next version: supports upgrade from 5.0+ to 6.0 and up to 64 hosts per cluster. Linked mode with appliance possible. Still no HTML 5.0 support and switch to Chromium if using Linux.
Overall, busy Event, lots going on. Found the Hands On Labs tricky. The tasks pane on the right hand side didn't update, click on more tasks view and you'll get the true state. Gave up 30 minutes into NSX lab but was shown this trick the following day doing the VVol Intro Lab so it's just a quirk of the nested environment. Bit sluggish I must say, not as fast as when it was hosted locally in previous years. Some labs are served out of Amsterdam, others from US.

I won €500 for Charity throwing a paper plane which was unexpected!

Still working on my home lab, had network issues earlier this week, turns out the landlady crushed my main network cable to downstairs. Stuck now until I get a replacement. Got my LSI 9271-8i working correctly with SSD now (Went RAID 0, 1 per drive instead of JBOD which disables cache) and a Samsung 850 Pro to boot! Retired my oldest SSD drives and hope to get the CloudSystem 8.1 up and running soon! Plus try the VMware Beta one as well!


Links:
http://cloud.cio.gov/fedramp

Tuesday, 30 September 2014

RHCSA 7 Exam Notes - Consolidated

Hi, I'm working up an exam resit for later next month (October) so I thought I'd consolidate my Exam notes to make it easier to hit particular topics. See link below to download & best of luck!

https://drive.google.com/file/d/0B9WPh0iDN4KwdXpRYzlXTlVHZnM/edit?usp=sharing

Resetting the Root Password in RHEL7

This is one of the exam topics in the RHCSA exam that you should know. I've struggled with it a bit as there was no official documentation on this until July, a bit late for me! I've listed below the steps to help me recall this in future. There is also official documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Terminal_Menu_Editing_During_Boot.html#sec-Recovering_Root_Password

Press any key at the GRUB boot loader menu to stop the countdown and then e to edit the default entry.

Scroll down to the line starting with initrd16 and press the left arrow once so the cursor sits at the end of the line above it (the linux16 line, ending in LANG=en_IE.UTF-8 on my VM). Append init=/bin/sh so that it ends as follows:

LANG=en_IE.UTF-8 init=/bin/sh

Press CTRL-X to boot and you'll land at a sh-4.2# prompt with the root filesystem mounted read-only. Enter the following commands:

mount -o remount,rw /

passwd root

touch /.autorelabel     (optional if SELinux is permissive or disabled, but needed in enforcing mode: no policy is loaded at this point, so the rewritten /etc/shadow ends up with the wrong context and logins fail until a relabel happens. It can delay the next VM boot considerably.)

exec /sbin/init             (continue booting the VM, or just power cycle it)

Note: commands entered at the sh prompt are not echoed to the screen. I get palindrome warnings but this doesn't stop it working unless you type more than 1 character, so make sure you enter a single character as the new password at this point; you can change it again later.

Maybe it's something I'm doing but the above steps work and it updates the root password fine, then you just have to edit it later after the O/S loads to something more suitable. You can prep a backdoor account using visudo before you carry this out on your Lab VM, just adjust it as follows:

root ALL=(ALL) ALL
student ALL=(ALL) NOPASSWD: ALL
 
 

Saturday, 9 August 2014

HP CloudSystem 8.1

 
Well, I thought I'd get around to doing a more detailed CloudSystem 8.1 installation Post. I've a homelab luckily with 32GB of Ram. I need to run a few management VMs (Firewall, DC, SQL, vCenter) before I even get started so 32GB sounds like a lot but it's a squeeze, believe me! 
 
Download the zip files from the following site:
 
The documentation is available here:
 
Now you should have 4 files (For ESX version):
HP_CloudSystem_Foundation_ESX_8.1_Jul_2014_Z7550-01484.zip
HP_CloudSystem_Enterprise_ESX_8.1_Jul_2014_Z7550-01488.zip
HP_CloudSystem_Tools_8.1_Jul_2014_Z7550-01492.zip
HP_CloudSystem_OO_Studio_8.1_Jul_2014_Z7550-01494.zip
 
Extract these so they are ready to go. We need to import 4 OVFs via the C# Client into vCenter and edit the memory of the base appliance from 32GB RAM to 8GB RAM. While importing them change the default name to the ones shown below. I used Thin Provisioning to save space but the screenshot gives you an idea of what the footprint is like:

Note: after editing the Ram on the Base appliance to your satisfaction convert the VMs to Templates. Don't power any up!
 
The next step is to open a command prompt as administrator and change to the extracted Tools Directory. Extract the file "csstart-windows.zip" and in the command prompt change into this folder.
Run the command "csstart create-config" to generate a sample deployer.conf file. Edit the file deployer.conf and update the line under the heading [Appliance Setup] so it now reads "security-checking = disabled". This is only if you're using self signed vCenter Certificates in a Lab. See Pages 33 & 86 in installation guide for details on the error you'll get otherwise!
Now launch the setup wizard with the following command "csstartgui --start-browser --insecure"
 

Your local browser will be launched and you can now start going through the wizard to set up your environment. Depending on your network setup I recommend disabling any DHCP services to prevent issues later on. If you're using vLANs etc. to separate things out you'll be fine.
 
The Welcome page is as follows:
Click Next
Click Next
Click Next. Fill in the required information:
Click Next. I filled in the desired network configuration. I've a Windows Host file defining the following servers to allow the wizard to work:
192.168.10.70   ca1.lab.local           ca1
192.168.10.71   cse1.lab.local          cse1
192.168.10.72   ca1.dept.lab.local
192.168.10.73   cse1.dept.lab.local
This ensures the wizard will find what it needs. My Lab Domain Controller is on 192.168.10.10 and the Firewall / Internet Gateway is 192.168.10.200.
Click Next.
I've a fairly flat network so I'm using the same subnet for my Lab, will see how this gets on later!
Enter your vCenter Details Next (ensure you use a resolvable FQDN or you'll have to dick around with the vCenter self-signed certificate error like I did for 1/2 a day!)
Now your cluster name, my single physical Host has to be in this cluster for this to work.
 
Then enter your Port Groups

Now you need to have a load of Port Groups ready for this bit. Mine are all attached to the same default vSwitch0 where my 2 NICs are. This is purely for Lab testing purposes.

 

I disabled support access as this is a Lab. Hopefully HP won't be involved! On the next page I've to click "I Agree" to the CloudSystem Software License Terms. After that you might get a local Firewall warning as csstart does its thing. It lists all the settings and you've a nice "Install" button. I forgot to make my VMs Templates and the names were wrong, I've updated the screenshot at the top so if you match that you'll be sorted! I also got two errors as follows:
Warning: The Enterprise appliance hostname is not valid.  If you are upgrading an Enterprise appliance this must be fixed.
Warning: The Enterprise appliance IP is not valid. If you are upgrading an Enterprise appliance this must be fixed.
There's nothing about this in the release notes, we're installing the Base Appliance and the Enterprise one is done separately later so I'd ignore for now. The Install button is available so what the hell, let's fire it up and see what happens! The CS Base Appliance Template is cloned and you can view the activity in vCenter, in the csstartgui command window or the Web Page Wizard when it updates from time to time.
Now make some coffee.....you can also check out the console of the "ca1" VM if you're bored:
When it finishes it invites you to log in and provides the SSL Certificate for your convenience:
 
Warning: The Enterprise appliance hostname is not valid.  If you are upgrading an Enterprise appliance this must be fixed.
Warning: The Enterprise appliance IP is not valid. If you are upgrading an Enterprise appliance this must be fixed.
Warning: The Enterprise appliance hostname is not valid.  If you are upgrading an Enterprise appliance this must be fixed.
Warning: The Enterprise appliance IP is not valid. If you are upgrading an Enterprise appliance this must be fixed.
Config file - passed basic tests, moving to advanced tests.
Config file - passed advanced tests.
Creating new base appliance.
Warning: Found 4 cores on the hypvervisor. Decreasing core request from 8 for appliance.
Appliance (ca1) successfully reconfigured
Booting the appliance.
This step could take between 5 and 20 minutes to complete.
The CloudSystem controller is being started.
This step could take between 10 and 20 minutes to complete.
Waiting for the CloudSystem services to finish starting.
This step could take between 5 and 15 minutes to complete.
Configured appliance EULA and support access.
 Error: Failed to change HP-OO administrator password within max time allotted. You need to change it manually after logging in to the Admin Console.
Applying the first time setup network selections.
Using ssl cert:
-----BEGIN CERTIFICATE-----
<Edited out>
-----END CERTIFICATE-----
VM started successfully.
Open browser to https://192.168.10.70/
 
Now you can get started. Note the supported browsers are:

You log in with the credentials you specified earlier for the user "administrator" and you can see in vCenter there's only 1 VM running currently, the Base Appliance. The real work starts from here!
In the Help Section on the Right click Edit Cloud Networking.
Click OK. At this stage I got an error as my vCenter certificate is self-signed. The 8.1 installation guide suggests you can turn off security checking but I've no credentials to edit the base appliance and manually editing the deployer.conf doesn't make a damn bit of difference. See pages 33 & 86 in the installation guide for the error & workaround, good luck to you!
 
I had to go back and redeploy the appliance several times. Check your DNS server for stale entries also that might hinder deployment. I reuse some IPs over time and they may still be there. 3 Deployments later and I arrived back where I started! It finally worked by changing from using the vCenter IP to the FQDN.
 
Note: The deployer.conf file contains the password typed in earlier, so restrict access to it or delete it once you've finished in a Production environment, or change the password afterwards!
 
Now the next step is to log in via the url listed, in my case http://192.168.10.70
Next on the right Click "Edit Cloud Networking" and enter the Cloud Management Subnet. I used 10.0.0.0/24
Upon clicking Ok it deployed a number of VMs so now my list looks like the following:
 
The Network Nodes are clustered and very important to route traffic around so I would look at anti-affinity rules in a Production environment for these. The others could be spread out but it depends if you're going to use the same cluster to run the management components as the tenant VMs or not. I would suggest not to keep things clean and ensure Management has it's own dedicated environment. They recommend 128GB Ram for the HP CloudSystem 8 VM Host so watch out you size the Servers appropriately! 256GB Ram would be necessary I think to accommodate vCenter and other management plugins etc.
 
Well, that's the Foundation Deployed. I'll skip straight to the Enterprise install next. The GUI takes a bit of getting used to. Persevere and you'll eventually find the menu options you are looking for.
Click the Top Left Menu "CloudSystem Console" and then drift to the far right and Click "Enterprise". Then Click Install CloudSystem Enterprise.
 

More Menus to fill in (!) so to begin Click Next to get past the welcome screen
Enter in your Cloud Enterprise Details
Now enter the credentials use in the csstart setup wizard earlier and Click Install
At this stage we run into our problem with the HP-OO account password not being set. From the main menu you can click Integrated Tools and launch the logon page under Integrated UIs "HP Operations Orchestration Central" to test that you're locked out! This is new in 8.1 so we need a way to fix the HP-OO password error encountered before we can deploy the Enterprise Appliance. Oh Joy!
 
Well, that's as far as I can take things today. I'll reach out for a fix to the HP-OO account issue and see what I find. Good luck in setting up your labs and if you see where I've gone wrong let me know!!!
 
Note: Currently all the VMs combined are using the following memory resources for reference in my Lab:
 Error encountered as follows:
 Update 15/08/14:
Well, I tried a different password, then tried increasing the Base Appliance Memory from 8GB to 16GB, then 32GB but to no avail! About to give up I had been blocked before from using the cloudadmin account to check the appliance cli itself so this time I managed to get it. You need to use the csadmin.exe from the tools to do this step and once in you can change the hp_oo password and hopefully get onto the next stage!
 
Fire up admin command prompt and change to directory where csadmin.exe exists and run the command below to set the cloudadmin password:
 
csadmin console-users set-password --vm-name ca1 --os-username administrator --os-password <type your administrator password here> --os-auth-url https://192.168.10.70/ --insecure --password <type what you want to change your cloudadmin password to here>
 
Then use VMware Console to access CTRL+ALT+F1 and log in using the cloudadmin account. Then issue the following command:
sudo passwd hp_oo
and set the hp_oo password accordingly.
 
BUT......this doesn't appear to make any difference, I still can't log into OO !! I'll keep trying but I just need a simple procedure to fix this problem however I've not found anything in csadmin.exe or psql that's helping so far...!
 

 
 
 
 
 
 
 


Wednesday, 6 August 2014

News and Musings

Well, I've heard HP CloudSystem 8.1 has been released. Not played with it yet but plan to once time permits and try my hand at a fresh install although there is an upgrade path to take also....I did get a chance to do some labs with an install done by the experts and think there's as much learning to this product as any I've encountered. Trying to understand the networking alone is interesting plus I've many questions about how to deliver one in Production that will need to be addressed if I get the chance to. At least they permit VMFS Glance repositories now!
 
 
Next up - I took my RHCSA exam last week, took me this long to calm down before I post. Got the grand old score of 0. Must say I've a few tips without breaching NDA that might assist those of you intending to take the Exam:
 
  • The Exam is based on RHEL 7, don't practice on anything else, especially RHEL 6.5!
  • I've asked RedHat to clarify what THEY mean by "Shipping Documentation" from the blueprint as I've sat VMware's VCAP5-DCA and they have a different view. I'll let you know when they respond how they describe it.
  • I'm not a Linux guru, I don't use the console in my day to day job but I'm trying to get a base qualification that some may laugh at because it's so simple. That said I need all the help I can get. I plan to rework my notes once more but in a manner that makes it easier to pick out key commands and all the pointers (man pages and any in the box stuff I can retrieve) to help me around next time. I can get to grips with basic stuff but configuring LUKS encrypted volumes from memory, fair play to you if you can do that off the top of your head, I can't!
The pass mark is 210 out of 300 so I hope I can give a better account of myself next time (209 or so!). Why did I get zero you may ask....NDA says I can't tell. I can understand why but I've been doing Cisco, Microsoft, Citrix and VMware exams for 15+ years and was slightly shocked to say the least. However, if you know what's on the blueprint you'll be fine. I'm just starting out on this Linux track so I "crashed and burned" so to speak.
 
Anyway, it's just an exam. I plan to have another crack in October and leave it at that. There's too much else to do, Blade systems, HP Cloud, Openstack etc to get worried about it. Best of luck if you take it in the meantime.  

RHCSA 7 Exam Notes #7: Manage Security


Word version available here:
https://drive.google.com/file/d/0B9WPh0iDN4KwTUJzWUpid0d1WlU/edit?usp=sharing

Configure firewall settings using system-config-firewall or iptables
GUI: Applications, Sundry, Firewall  or firewall-config for same GUI from cli

Default Zone in bold, can be changed via Options menu and also tie interfaces to particular zones. My VMs interface is connected to the public Zone. Services know what ports they need so rules can target services rather than just ports. Services can be further locked down via IP Address if required.

firewall-cmd               (command line equivalent)
firewall-cmd --panic-on          (drops ALL packets inbound and outbound, including your own ssh session; --panic-off restores normal filtering)
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-service=smtp --permanent
(or use --remove-port  --remove-service to get rid of settings and reload afterwards)

/etc/sysconfig/iptables           (Not read by firewalld; it is only used when the iptables-services package's iptables.service is active)
You can switch back to using iptables, but as the objective refers to a command that no longer exists in RHEL 7 (system-config-firewall) I doubt they will ask for this, but just in case:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Configure key-based authentication for SSH
/etc/ssh/sshd_config               (This is the main file controlling ssh authentication; restart sshd after editing it)
Remove the # in front of PubkeyAuthentication and make sure it is set to yes
Set PasswordAuthentication to no so that only ssh keys are accepted (do this only AFTER your key has been copied across and tested, or you lock yourself out)
ssh-keygen      (generates the private key and its .pub public key in the ~/.ssh directory, prompted for a passphrase)
ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.example.com    (appends the public key to ~/.ssh/authorized_keys on the remote server you are going to log into)
ssh root@10.0.0.128             (Prompts for the passphrase and logs you in; if you left the passphrase blank it logs you straight in!)
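One thing that catches people out when locking sshd down to keys only is that sshd takes the FIRST value it sees for a keyword and silently ignores later duplicates, and anything after a Match line is conditional. The following is an added example (my own audit script, not from the exam notes or from Red Hat) that reads an sshd_config the way the daemon does and reports whether password logins are really off. The two configs embedded in it are constructed samples, and the defaults table assumes the compiled-in OpenSSH defaults for the three keywords checked.

```python
"""Check an sshd_config for key-only logins the way sshd will actually read it.

Added example (not from the original notes); it works on config text, so the
samples below are constructed, not taken from a real host.
"""
import re

# Compiled-in defaults when a keyword is absent (assumption: OpenSSH 6.x/7.x).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
KEYVAL = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.*)$")


def effective_settings(config_text):
    """Return {keyword: value} for the global section.

    sshd keeps the FIRST value it meets for a keyword and ignores later
    duplicates; everything after the first Match line only applies
    conditionally, so parsing stops there.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_key_only_auth(config_text):
    """Return a list of findings; an empty list means only public keys are accepted."""
    eff = effective_settings(config_text)

    def value(key):
        return eff.get(key, DEFAULTS[key]).lower()

    findings = []
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' (first value wins: %r)"
                        % eff.get("passwordauthentication", "<default>"))
    if value("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'; PAM can still "
                        "prompt for a password via keyboard-interactive")
    return findings


# Constructed sample: the commented-out PubkeyAuthentication is harmless (the
# default is yes), but the second PasswordAuthentication line never takes effect.
WEAK_CONFIG = """\
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of the intended end state.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_key_only_auth(text) or "OK")
```

Run it against a copy of the real file with `audit_key_only_auth(open("/etc/ssh/sshd_config").read())`; the ChallengeResponseAuthentication check is there because RHEL 7's shipped config sets it to no explicitly and it is easy to lose that line when pasting in a hardened config.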

Set enforcing and permissive modes for SELinux
getenforce                  (Checks current SELinux activation mode)
setenforce {Enforcing|Permissive}     (or 1/0; takes effect immediately but does not survive a reboot. For a permanent change edit the SELINUX= line in /etc/selinux/config)

List and identify SELinux file and process context
sestatus -v                   (Checks current SELinux Status and File/Process contexts)
ll -Z /root/anaconda-ks.cfg     (Determine current SELinux context on file)

Restore default file contexts
restorecon -F /root
restorecon -F /root/anaconda-ks.cfg

Use boolean settings to modify system SELinux settings
semanage boolean -l              (run as root)
getsebool cvs_read_shadow   (lists status of cvs_read_shadow boolean)
setsebool -P httpd_can_network_connect_db on      (turns it on permanently)

Diagnose and address routine SELinux policy violations
yum -y install setroubleshoot setroubleshoot-server
getsebool -a | grep ftp           (Check booleans are on)
semanage port -l | grep http
semanage port -a -t http_port_t -p tcp 9876 (Permits non-standard port to be used)
chown apache:apache /var/www/html/index.html   (if file was owned by root)
semodule -DB             (Rebuild policy with dontaudit rules disabled so that normally silenced denials are logged too)
semodule -B                (Rebuild policy normally, i.e. revert the above)

ausearch -m avc -c httpd {-ts today/-ts recent}         (list all httpd denials, today’s, last 10 minutes, can leave out -c httpd to show all)
aureport -a                  (Summary of audit system logs)
sealert -b                   (SELinux Alert Browser, from setroubleshoot)
audit2allow -w -a        (Shows why access was denied)
audit2allow -a -M myrulefix   (builds myrulefix.pp in the current working directory and prints the semodule -i command to install it; read the generated .te first, a module that simply allows everything in the log is not a fix)

grep certwatch /var/log/audit/audit.log | audit2allow -R -M myrulefix2  (targets issue with certwatch in logs and only put fix for this in myrulefix2.pp file for later installing)
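Before reaching for audit2allow it is worth pulling the AVC records apart yourself, because the source type, permission and target type usually point straight at a boolean or a mislabelled file. Below is an added example (my own triage script, not from the exam notes or from the setroubleshoot package) that parses AVC lines from audit.log and suggests a first fix. The two log lines are constructed to look like RHEL 7 audit records and the fix table holds a couple of illustrative entries only, so treat it as a starting point rather than a policy reference.

```python
"""Parse SELinux AVC denials out of audit.log and suggest a first fix.

Added example, not part of the original notes. The log excerpt is constructed
and KNOWN_FIXES is a small illustrative mapping, not a complete reference.
"""
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="httpd") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "tclass": fields.get("tclass"),
        # user:role:type[:level] -> keep the type, which is what policy keys on
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


# (source type, permission, target type) -> remedy; illustrative entries only.
KNOWN_FIXES = {
    ("httpd_t", "name_connect", "mysqld_port_t"): "setsebool -P httpd_can_network_connect_db on",
    ("httpd_t", "name_connect", "postgresql_port_t"): "setsebool -P httpd_can_network_connect_db on",
}


def suggest(rec):
    """Map a denial to a remedy, defaulting to a relabel for file-class denials."""
    for perm in rec["perms"]:
        fix = KNOWN_FIXES.get((rec["stype"], perm, rec["ttype"]))
        if fix:
            return fix
    if rec["tclass"] in ("file", "dir", "lnk_file"):
        where = rec["path"] or "<path not logged>"
        return "check context with ls -Z and run restorecon -Rv on %s" % where
    return "no canned fix; run audit2allow -w -a and read the explanation"


def triage(log_text):
    """Return one (serial, comm, stype, ttype, perms, suggestion) row per denial."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rows.append((rec["serial"], rec["comm"], rec["stype"], rec["ttype"],
                         sorted(rec["perms"]), suggest(rec)))
    return rows


# Constructed sample audit.log excerpt (not captured from a real system):
# httpd blocked from reaching MySQL, then blocked reading a file still
# labelled admin_home_t because it was copied from /root.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1416570001.101:800): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1416570001.101:800): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1416570002.512:801): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Feed it `open("/var/log/audit/audit.log").read()` as root; the second sample line is the classic case from the notes above where a file copied into /var/www/html keeps its old context and the answer is restorecon, not a new policy module.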

 

 

RHCSA 7 Exam Notes #6: Manage users and groups


Word version available here:
https://drive.google.com/file/d/0B9WPh0iDN4KwNkRBYUg3ZDh3NWM/edit?usp=sharing

Create, delete, and modify local user accounts
/etc/passwd                (Primary file with user login data)
/etc/shadow                (Stores user passwords separately)
/etc/group                   (Primary file with group data)           
/etc/gshadow              (Stores group passwords separately)
pwck   grpck                (Check consistency of files)

yum -y install system-config-users     (Installs GUI to manage Users & Groups)
system-config-users                            (Open User Manager GUI)
useradd,usermod,userdel                   (Command line equivalents)

chage                                                  (set password aging on account)
visudo                                             (Set sudo for a user; it edits /etc/sudoers with a syntax check on save, never edit the file directly)

bob      ALL=(ALL)        ALL
terry    ALL=(ALL)        NOPASSWD: ALL
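The NOPASSWD: ALL line above (and the "backdoor" student entry in the root password post) is exactly the kind of grant you want to find again after the exam or the lab is over. This is an added example, my own audit script rather than anything from the exam notes or from the sudo project, that parses plain user-spec lines in sudoers syntax and lists every passwordless ALL grant. It assumes the file uses the simple "who host=(runas) [TAG:] cmd, cmd" form shown above; Defaults lines and alias definitions are skipped rather than resolved, and the sample sudoers text is constructed.

```python
"""Flag sudoers entries that grant NOPASSWD: ALL.

Added example, not from the original notes. It parses the user-spec lines
shown in the notes; the sample text is constructed and the parser only
handles plain user specs, skipping Defaults and alias definitions.
"""
import re

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line


def parse_user_specs(text):
    """Return [{who, host, runas, cmds: [(tags, command), ...]}] for each user spec."""
    specs = []
    for line in logical_lines(text):
        if line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        # A tag sticks to every following command in the list until another tag
        # replaces it, so "NOPASSWD: /bin/ls, /bin/cat" makes BOTH passwordless.
        tags, cmds = set(), []
        for item in m.group("cmds").split(","):
            item = item.strip()
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                tag = t.group(1)
                if tag == "NOPASSWD":
                    tags.discard("PASSWD")
                elif tag == "PASSWD":
                    tags.discard("NOPASSWD")
                tags.add(tag)
                item = item[t.end():].strip()
            cmds.append((frozenset(tags), item))
        specs.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "", "cmds": cmds})
    return specs


def audit(text):
    """Return 'who host=(runas) NOPASSWD: ALL' strings for passwordless ALL grants."""
    findings = []
    for spec in parse_user_specs(text):
        for tags, cmd in spec["cmds"]:
            if "NOPASSWD" in tags and cmd == "ALL":
                findings.append("%s %s=(%s) NOPASSWD: %s"
                                % (spec["who"], spec["host"], spec["runas"], cmd))
    return findings


# Constructed sample: terry's NOPASSWD only covers the one command because the
# PASSWD tag resets it before ALL.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    requiretty
root     ALL=(ALL)        ALL
student  ALL=(ALL)        NOPASSWD: ALL
terry    ALL=(ALL)        NOPASSWD: /usr/bin/systemctl restart httpd, \\
                          PASSWD: ALL
%wheel   ALL=(ALL)        ALL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

Point it at /etc/sudoers and each file in /etc/sudoers.d (as root), and remember that the real check for any change you make is still `visudo -c`.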

Change passwords and adjust password aging for local user accounts

passwd <username>               (Changes usernames password)
passwd -n 1 -x 90 -w 7 bob     (Password can be changed after 1 Day, be max 90 days old and you get 7 days warning to change)

Create, delete, and modify local groups and group memberships

groupadd,groupmod,groupdel           (Command line equivalents)
gpasswd          (Adds or deletes group members, assigns or revokes group password)
gpasswd -M bob,terry sales     (Set the member list of the sales group to exactly these two users; use gpasswd -a bob sales to add one user without replacing the list. Note -A sets group administrators, not members)

Configure a system to use an existing LDAP directory service for user and group information
yum -y install openldap-clients nss-pam-ldapd
authconfig-tui             (Text graphical utility - choose the following: Cache Information, Use LDAP, Use MD5 Passwords, Use Shadow Passwords, Use LDAP Authentication, Local authorization is sufficient)
getent passwd student            (tests, should get extract of /etc/passwd file for this user)
/etc/pam_ldap.conf                (edit this file with ip/hostname & BaseDN of Ldap server)
/etc/openldap/ldap.conf         (edit this file with

Configure a system to use an existing authentication service for user and group information
yum -y install sssd
authconfig --enableldap --enableldapauth --ldapserver="10.0.0.20" --ldapbasedn="dc=example,dc=com" --update
authconfig --enableldaptls --update               (Drop cert in /etc/openldap/cacerts first)

RHCSA 7 Exam Notes #5: Deploy, configure, and maintain systems


Word version available here:
https://drive.google.com/file/d/0B9WPh0iDN4KwMS0wTzhlbS1yYlE/edit?usp=sharing

Configure networking and hostname resolution statically or dynamically
With the GUI you can click on the Network icon beside the top right hand day/clock. Look for the tiny settings button in the bottom right of the Settings/Network window that opens. There you can set static/automatic IP & Name resolution. You can learn the command line equivalents but seriously, which is going to be quicker? As long as they give you a GUI that is?!!

Schedule tasks using at and cron
So, “at” is used for one time, one off, never to be repeated task scheduling. Examples of use are as follows:
at 10am    at 21:30   at 15:00 tomorrow   at now + 10 minutes  at 03:00 8/14/14

When you execute this you will be prompted to enter the command(s) you want to execute; type CTRL+D to finish and submit the job. Note the job number. As root you can check on it using “at -c <job number>” or just list all with “at -l” or “atq”. “at -d <job number>” removes a job.
Or use -f to specify a filename to execute:
at -f ~/myball.sh 02:00 5/18/14

Now, cron is for repeated executions if you don’t screw up the /etc/crontab file!
The format for entries in the crontab file is:
20 1,12 1-15 */2 * find / -name core
{20=minute of the hour} {1,12=hours of the day} {1-15=days of the month} {*/2=every second month of the year} {*=any day of the week} find / -name core

crontab -e -u student              (Run as Root to create cron for user student)
vi /etc/cron.allow                   (Run as root to permit student to execute cron jobs)
Now as the user student run “crontab -l” to show the job and “crontab -r” to remove it.

Start and stop services and configure services to start automatically at boot
Great, they changed this considerably in RHEL7!! HaHa!
systemctl start crond.service              (Start crond service the RHEL7 way!)
systemctl stop crond.service              (Guess what this does)
systemctl status crond.service            (For those with short term memory)
systemctl list-units --type service       (List all active services, add --all for others)
systemctl {enable/disable} crond.service       (Enables/Disables automatic startup of the service)

Configure systems to boot into a specific target automatically
This is about booting into specific runlevels but they’ve rebranded it “systemd targets” represented by target units.

Runlevel          Target Units                          Description
0          runlevel0.target, poweroff.target      Shut down and power off the system.
1          runlevel1.target, rescue.target          Set up a rescue shell.
2          runlevel2.target, multi-user.target    Set up a non-graphical multi-user system.
3          runlevel3.target, multi-user.target    Set up a non-graphical multi-user system.
4          runlevel4.target, multi-user.target    Set up a non-graphical multi-user system.
5          runlevel5.target, graphical.target      Set up a graphical multi-user system.
6          runlevel6.target, reboot.target          Shut down and reboot the system.

systemctl get-default                                      (what is the current default?)
systemctl set-default multi-user.target          (Sets default to non-graphical multi-user system. Run “startx” to load graphical interface at run level 3!)
systemctl isolate multi-user.target                (Changes the current target)
By the way, systemctl can be used as follows:
systemctl {halt/poweroff/reboot}

Install Red Hat Enterprise Linux automatically using Kickstart
Check the root users home folder for anaconda-ks.cfg. This is a good Kickstart primer generated using the installation of that RHEL system.
Copy it to the web server where the RHEL7 DVD is copied (/var/www/html/anaconda-ks.cfg), edit permissions to allow public access to the file (chmod 777 etc.) and test the download from a workstation.
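Added example (not from the original notes): before publishing the Kickstart file, this shell check flags a rootpw line stored in the clear, a world-writable file and the presence of %post scripts. The two Kickstart files it checks are constructed samples, not a real anaconda-ks.cfg.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a Kickstart file
# before copying it to the web server. anaconda-ks.cfg records the root password
# set during installation, and chmod 777 lets any local user rewrite the file
# that every future install will execute as root.
check_ks_file() {
    # $1 = path to a Kickstart file; prints one finding per line, returns 1 if any
    ks=$1
    rc=0
    # "rootpw <password>" without --iscrypted stores the root password in the clear
    if grep -Eq '^rootpw[[:space:]]' "$ks" && ! grep -Eq '^rootpw[[:space:]]+--iscrypted' "$ks"; then
        echo "$ks: rootpw is stored in plaintext"
        rc=1
    fi
    # character 9 of "ls -l" output is the other-write bit (-rwxrwxrwx)
    if [ "$(ls -ld "$ks" | cut -c9)" = "w" ]; then
        echo "$ks: file is world-writable, use chmod 644"
        rc=1
    fi
    # %post sections run as root on the freshly installed system, so review them
    if grep -q '^%post' "$ks"; then
        echo "$ks: contains a %post script, review its contents"
    fi
    return $rc
}

# Constructed sample Kickstart files, not a real anaconda-ks.cfg
BAD_KS=$(mktemp)
cat > "$BAD_KS" <<'EOF'
rootpw changeme
%post
echo "installed" > /root/marker
%end
EOF
chmod 777 "$BAD_KS"

GOOD_KS=$(mktemp)
cat > "$GOOD_KS" <<'EOF'
rootpw --iscrypted $6$placeholderhash
EOF
chmod 644 "$GOOD_KS"

check_ks_file "$BAD_KS" || true
check_ks_file "$GOOD_KS"
```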

Not getting a DHCP Address on the virtual adapter when booting the VM

Configure a physical machine to host virtual guests
A few tools to be aware of:
virsh                (Command line tool, watch out for the virsh # prompt, if you fire this up with options! Exit will return you to normal bash shell)
virt-manager               (Graphical Tool)
virt-install                    (Provisions new VMs)

grep -E 'svm|vmx' /proc/cpuinfo       (checks for the AMD extension svm and the Intel extension vmx, required for full virtualization)
yum -y install qemu-kvm qemu-img              (Main two Virtualization packages)

yum -y install virt-manager                            (Appears under system tools. Opening it complains about package libvirt-daemon-config-network missing. Install but you’ll need to enter root password several times. Groupinstall doesn’t appear to work with local yum repository)

Use virt-manager and right click localhost (QEMU) and Click Details to create a virtual network for VMs. (This worked fine in one environment using Workstation 10 but Failed on Workstation 9?!).  I was unable to get a remote ISO to work so I ended up using mount to connect to the extracted RHEL7 DVD on the NFS share as detailed further down this document. Then I just pointed it at /nfs and it worked fine and installed the VM.

Install Red Hat Enterprise Linux systems as virtual guests

Not Completed

Configure systems to launch virtual machines at boot

Bring up the VM Details and under Boot Options you can choose Autostart – Start virtual machine on host boot up.

Configure network services to start automatically at boot

See service section above, many of the older graphical tools are defunct unfortunately.

Configure a system to use time services

timedatectl     (command to configure current time, date & timezone)
timedatectl set-ntp yes

chrony best for mobile/virtual systems, ntpd best for servers left permanently on.
chrony configuration file is /etc/chrony.conf and is populated with remarked examples.

systemctl {status/start/enable} chronyd        (Kick off chronyd service)
chronyc {tracking/sources/sourcestats}         (Various checks you can perform)

Note: There was no /etc/ntp.conf file on my build by default and you need to disable chrony first. I think learn chrony and leave it at that.

Install and update software packages from Red Hat Network, a remote repository, or from the local file system

To configure YUM have a look at /etc/yum.conf. At the end of this file it lists the folder where the .repo files should reside (/etc/yum.repos.d). Now I’m not sure if you’ll have to create the repositories themselves but let’s see how to configure the client piece of each of these requirements above.

Yum has a few useful switches (use “man yum” also):
yum -y install <package>        (standard install; -y answers yes so it doesn't prompt)
yum search tigervnc               (searches for packages with the string tigervnc in it)
yum update tigervnc-server   (updates package - needs RHN)                    
yum remove/erase <package>           (Removes selected package)
yum info tigervnc-server        (displays package header information)

So let’s start by creating a local Yum Repository:
yum -y install createrepo
mount /dev/cdrom /mnt        (mounts the RHEL7 DVD to /mnt)
mkdir -p /var/yum/repos.d/local       (Creates folder to store Repository)
cp -a /mnt/.  /var/yum/repos.d/local (Copies the DVD contents from the mount point locally, watch out for the trailing /. or you’ll get a slightly different subfolder appearing where you don’t want it)
createrepo -v /var/yum/repos.d/local           (Reads all the packages in)
vi /etc/yum.repos.d/local.repo           (Create new definition file with contents below. Note: the name in [] can’t have spaces)

[local]
name=local yum repository
baseurl=file:///var/yum/repos.d/local/
enabled=1
gpgcheck=0

The remote repository could be http/nfs/ftp so let’s cover our bases:
vi /etc/yum.repos.d/http.repo

[http]
name=remote http repository
baseurl=http://10.0.0.129/rhel7/
gpgcheck=0

The IIS7 Engine needs a custom mime map to define .bz2 files (File name extension = “.bz2” MIME type = “application/x-bzip2” without the quotes). This will allow you to download them instead of giving an annoying error. You will need to enable directory browsing to the virtual directory where you copied the RHEL7 DVD contents to the windows server. I configured CIFS/NFS/FTP/HTTP to the same folder.

vi /etc/yum.repos.d/ftp.repo

[ftp]
name=remote ftp repository
baseurl=ftp://10.0.0.129/
gpgcheck=0

Turn off the Windows Server 2012 R2 firewall to permit FTP on port 21, or create a rule, to avoid pulling your hair out! Running a “yum repolist” should then pull in the FTP contents.

vi /etc/yum.repos.d/nfs.repo

[nfs]
name=remote nfs repository
baseurl=file:///nfs
gpgcheck=0

mount 10.0.0.129:/rhel7 /nfs            (This will use a mount point to provide a path to the NFS share)
yum clean all              (This can be run after each of the sections above)
yum repolist                (This will validate the repodata xml files from each repository)
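Added example (not from the original notes): every .repo file above sets gpgcheck=0, so yum never verifies RPM signatures from those repositories. This shell function walks a directory of .repo files and reports sections with gpgcheck=0 or no gpgcheck line at all; the repo files it checks are constructed in a temp directory, with a hardened definition (gpgcheck=1 plus the vendor key path) alongside the weak ones.

```shell
#!/bin/sh
# Added example, not from the original notes: report yum repo sections that
# skip RPM signature verification. With gpgcheck=0 (or no gpgcheck line) yum
# installs unsigned or tampered packages from that repo without complaint.
audit_repo_gpgcheck() {
    # $1 = directory holding *.repo files (e.g. /etc/yum.repos.d)
    awk '
        function report() {
            if (id == "") return
            if (check == "0")     print fn ": [" id "] gpgcheck=0"
            else if (check == "") print fn ": [" id "] gpgcheck missing"
        }
        # a [section] header starts a new repo; report the previous one first
        /^\[/ { report(); fn = FILENAME; id = substr($0, 2, length($0) - 2); check = ""; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); check = $0 }
        END { report() }
    ' "$1"/*.repo
}

# Constructed .repo files in a temp directory, not the system's /etc/yum.repos.d
REPOS=$(mktemp -d)
cat > "$REPOS/local.repo" <<'EOF'
[local]
name=local yum repository
baseurl=file:///var/yum/repos.d/local/
enabled=1
gpgcheck=0
EOF
cat > "$REPOS/nfs.repo" <<'EOF'
[nfs]
name=remote nfs repository
baseurl=file:///nfs
EOF
# hardened form: verify signatures against the vendor key shipped in /etc/pki/rpm-gpg
cat > "$REPOS/hardened.repo" <<'EOF'
[hardened]
name=remote http repository, signatures verified
baseurl=http://10.0.0.129/rhel7/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF

audit_repo_gpgcheck "$REPOS"
```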

For the official RHN, find the GUI under Applications, System Tools, Red Hat Subscription Manager

FYI - You can use the GUI “gpk-update-viewer” to look for available updates and “gpk-prefs” to set update check frequency and source.

Update the kernel package appropriately to ensure a bootable system
uname -r                                 (This shows current version of running kernel)
yum -y install kmod                (is installed by default)
lsmod                                      (Lists all kernel modules loaded in memory)
modinfo e1000e                      (Displays detailed information about a particular kernel module)
modprobe -v wacom               (Loads wacom module and dependencies)
modprobe -r wacom               (removes wacom module from kernel)
yum -y update kernel              (Requires RHN subscription)
rpm -ivh /tmp/kernel-*.rpm   (Installs new Kernel Files)
rpm -qa | grep ^kernel           (Checks installed packages. Note: shift + 6 = ^)

Modify the system bootloader

When you boot from the DVD there’s a Troubleshooting option. You can choose “Rescue a Red Hat Enterprise Linux system” from the next menu. Choose continue and ok and it will mount the system and show you the command below.

chroot /mnt/sysimage
/sbin/grub2-install /dev/sda   (Reinstall Grub2 bootloader)
rpm -e xorg-x11-drv-wacom  (Remove failed driver, or use rpm to install one with -ivh)
reboot                                     (System restarts twice)