Category Archives: System Admin

Disable SELinux on CentOS 6

Check SELinux status using the sestatus command.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

You can switch between enforcing and permissive at runtime with the setenforce command.  The change takes effect immediately but does not survive a reboot.  In permissive mode the policy stays loaded and every denial is still logged (to /var/log/audit/audit.log when auditd is running), which makes it the right mode for troubleshooting a misbehaving service instead of disabling SELinux outright.

# setenforce permissive

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

To disable SELinux completely, change the line ‘SELINUX=enforcing’ to ‘SELINUX=disabled’ in /etc/sysconfig/selinux (on CentOS 6 this is a symlink to /etc/selinux/config).  Before doing so, consider whether permissive mode would be enough: with SELinux disabled no policy is loaded at all, and files created in that state are left unlabeled, so switching back to enforcing later requires a full relabel (touch /.autorelabel before the reboot).  The file will then look like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the server and the config will take effect.

# sestatus
SELinux status:                 disabled

Set up SSL on CentOS running apache

Finally got SSL running on this blog.  This post is to document the steps I took.

This wiki page was what I used as a guide.

The OS is CentOS 6.4 running the Apache (httpd) package from the base repository.

First, make sure the required packages are installed.

# yum install mod_ssl openssl

The installation of mod_ssl will include a default https configuration with pre-generated key and self-signed certificate.

Pre-generated key = /etc/pki/tls/private/localhost.key
Pre-generated certificate = /etc/pki/tls/certs/localhost.crt
Default config = /etc/httpd/conf.d/ssl.conf

Restarting httpd at this point gives you a working https page served with the certificate mentioned above.  Do not forget to add a firewall exception for port 443.

# service httpd restart
# iptables -I INPUT <line#> -p tcp --dport 443 -j ACCEPT
# service iptables save

Browsers will show a security warning for this page because the certificate is not issued by a trusted certificate authority.  To get rid of the warning, we need a certificate for our key that is signed by a trusted CA.

Now let’s move on to generating our own key and getting it signed.

Generate the key with openssl.  Use at least 2048 bits: 1024-bit RSA is considered too weak today and public CAs stopped issuing certificates for 1024-bit keys at the end of 2013 (use 4096 if you want a larger margin).  The file is called ca.key here, but note that it is the web server's private key, not a CA key.

# openssl genrsa -out ca.key 2048

Now, generate a certificate signing request (CSR) for the key.

# openssl req -new -key ca.key -out ca.csr

The command prompts for the fields that are embedded in the CSR.  The Common Name must be the exact hostname clients will use to reach the site (centos01.hazrulnizam.com in the VirtualHost below).  The resulting ca.csr is what you send to the certificate authority; it contains the public key and the requested subject, never the private key.

Alternatively, self-sign the certificate with the following command.  The browser warning remains, but the key and certificate are now your own rather than the package defaults.

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

After you have received the certificate, either from the certificate authority or via self-signing, the CSR file is no longer needed.

Now copy (rather than move) the key and the certificate into the standard directories, so that they pick up the correct SELinux contexts from the directory defaults.  A file moved with mv keeps the context it had in your home directory, and httpd will then be denied access to it.

Certificates go to /etc/pki/tls/certs/ while keys go to /etc/pki/tls/private/.  The private key should be owned by root with mode 0600, as the pre-generated localhost.key already is.

Next we can start configuring apache to use the certificate and key.  This can be done either in the main SSL configuration file at /etc/httpd/conf.d/ssl.conf or in the VirtualHost records.

Example VirtualHost record:

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        # For a CA-issued certificate, also serve the CA's intermediate certificate(s)
        # so clients can build the chain (Apache 2.2 directive; the file name is an example):
        # SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.crt
        ...
        ...
        ServerName centos01.hazrulnizam.com
</VirtualHost>

Finally, restart httpd and your https page will use the new key and certificate.  If the certificate comes from a trusted certificate authority you will no longer get the untrusted warning; if the warning persists, check that the certificate's name matches the ServerName and that the CA's intermediate chain is being served (openssl s_client -connect host:443 shows exactly what the server sends).
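The key, CSR and self-signing steps above as one non-interactive script, plus the check to run before restarting httpd: that the certificate you are about to install (self-signed or returned by the CA) really belongs to the key on disk.  This is an added example, not code from the original post.  It assumes openssl is available, uses the file names server.key/server.csr/server.crt and the organisation "Example" (my choices), takes the hostname from the VirtualHost above, and adds a subjectAltName, which current browsers require in addition to the Common Name.

```sh
#!/bin/sh
# Added example (not from the original post): key + CSR + self-signed certificate,
# then verification that certificate and key match. Assumes openssl on PATH.

# make_selfsigned FQDN OUTDIR [DAYS] -> server.key, server.csr, server.crt in OUTDIR
make_selfsigned() {
  fqdn=$1; outdir=$2; days=${3:-365}
  mkdir -p "$outdir" || return 1
  # 2048 bits: 1024-bit RSA is no longer accepted by public CAs
  openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null || return 1
  chmod 600 "$outdir/server.key"
  # -subj replaces the interactive prompts; CN is the name clients connect to
  openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
    -subj "/O=Example/CN=$fqdn" || return 1
  # Browsers match the subjectAltName, so add one. An extension file with an
  # unnamed default section works on OpenSSL 1.0 (CentOS 6) as well as newer versions.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" >"$outdir/san.cnf"
  openssl x509 -req -days "$days" -in "$outdir/server.csr" -signkey "$outdir/server.key" \
    -extfile "$outdir/san.cnf" -out "$outdir/server.crt" 2>/dev/null || return 1
  rm -f "$outdir/san.cnf"
}

# key_matches_cert KEY CRT -> true when CRT carries the public half of KEY.
# Apache refuses to start when they disagree, so run this on a CA-issued cert too.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT -> the subject Common Name (handles old and new openssl subject formats)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cert_has_san CRT FQDN -> true when FQDN is listed as a DNS subjectAltName
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# usage: sh mkcert.sh centos01.hazrulnizam.com /root/tls
if [ -n "${1:-}" ]; then
  d=${2:-.}
  make_selfsigned "$1" "$d" && key_matches_cert "$d/server.key" "$d/server.crt" \
    && echo "ok: $(cert_cn "$d/server.crt")"
fi
```

When the CA returns the signed certificate, drop it in place of server.crt and run key_matches_cert again: a CSR submitted from the wrong key, or a certificate copied from another host, fails this check before it fails in Apache's error log.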

Multiple A record vs CNAMEs (For one IP)

I have been thinking about the best way to handle DNS for multiple services pointing to one IP address.  For instance, you have a server with a configured hostname of server.example.com, and you have two websites www.example.com and blog.example.com running on that server.  This means there will be three names that will have to resolve to the same IP address.  Is it better to have three A records pointing to that IP address, or to use only one A record (server.example.com) and use CNAMEs for www and blog?

Found a good answer here.

Basically, using CNAMEs is easier to manage because a change of IP address of the server will only necessitate the change of one A record.

However, a CNAME costs an extra lookup: the resolver gets the CNAME first and then has to find the A record of its target.  When the target is in the same zone, the authoritative server normally includes that A record in the same answer, so the overhead is small; it only really matters for CNAMEs that point into other zones or on a very busy DNS server.  If that is a concern, CNAMEs should be avoided.

Using multiple A records has another drawback: an IP address normally carries a single PTR record, so only one of the three names can reverse-resolve.  Ideally each A record would have a matching PTR, but that is not possible here (and not a requirement); in practice the PTR should name the server's canonical hostname, server.example.com, which is exactly the name the CNAMEs point at.

Finally, ‘bare’ hostnames like example.com (the zone apex) have to be A records.  A CNAME may not coexist with any other record at the same name, and the apex always carries the zone's SOA and NS records, so an apex CNAME is not allowed (RFC 1034).  If you want example.com to go to server.example.com you cannot CNAME it; it will not work.

Adding Oracle Linux 6.4 Installation DVD as a yum repository

First, make sure the install DVD is mounted properly and take note of the mount point.  For the purpose of this post, the DVD is mounted at /mnt.

Next, create a repository file at the yum repository directory.

# vi /etc/yum.repos.d/dvd.repo

Insert the following lines inside the file, and save.

[ol6-dvd]
name=Oracle Linux 6.4 Installation DVD $basearch
baseurl=file:///mnt/Server/
enabled=1
gpgcheck=1
gpgkey=file:///mnt/RPM-GPG-KEY

[ol6-dvd-UEK]
name=Oracle Linux 6.4 Installation DVD $basearch - UEK
baseurl=file:///mnt/UEK2/
enabled=1
gpgcheck=1
gpgkey=file:///mnt/RPM-GPG-KEY

Now the yum command will use the DVD as a repository.  Don’t forget to disable the other repositories in the folder if you do not want newer packages installed from the network, or restrict a single run with yum --disablerepo='*' --enablerepo=ol6-dvd,ol6-dvd-UEK.

Local mirror of Oracle public yum – UPDATED

Updating Oracle Linux installations via the Oracle public yum server has been cumbersome because the download speeds I have been getting are quite terrible.

Having quite a number of Oracle Linux installations compounds the issue as each server will have to endure the same slow download speeds for the same packages.  One way to stop this from happening is having a local mirror of the public yum server.  This local mirror will perform the download of the packages from the public yum server, and all other Oracle Linux installations will then grab the packages from the local mirror, saving lots of time.

I have been scouring the internet for days looking for the best way to do this, and I think the best guide so far comes from this post by Martin Nash.

I hope to setup my own mirror soon.


Update 19 August 2013

Below are the steps to set up a yum mirror on a fresh CentOS 6.4 Minimal Install.

Create the directory to put the repository in.

# mkdir -p /repos/ol6

Install the yum-utils and createrepo packages that provide the reposync and createrepo commands.

# yum install yum-utils createrepo

Install Oracle’s public-yum-ol6.repo on the mirror host as per the instructions at Oracle; it defines the repo IDs (ol6_latest, ol6_UEK_latest) that reposync works from.  Then open the file and set enabled=0 for every repo, so that the mirror host’s own yum runs do not pull from the slow public server.  reposync enables the repos named with --repoid for its own run regardless of that setting.

# vi /etc/yum.repos.d/public-yum-ol6.repo

Run reposync.  This will take quite a long time, especially with the slow speeds from the Oracle public yum server.  The repo IDs must match the names in the repo file; packages land under /repos/ol6/<repoid>/getPackage/, following the path layout of the source repository.

# reposync --repoid=ol6_latest --repoid=ol6_UEK_latest -p /repos/ol6

After reposync has finished downloading all the packages from the source repo, run createrepo to create the repository metadata.

# createrepo /repos/ol6/ol6_UEK_latest/getPackage/
# createrepo /repos/ol6/ol6_latest/getPackage/

Create a script to re-run the above as often as required (I am going to run it once a day).

#!/bin/bash
# Daily mirror refresh: pull new packages from Oracle's public yum, then
# rebuild the repository metadata so clients see them.
LOG_FILE=/repos/logs/orayum-update_$(date +%Y.%m.%d).log
/usr/bin/reposync --repoid=ol6_latest --repoid=ol6_UEK_latest -p /repos/ol6 >> "$LOG_FILE" 2>&1
/usr/bin/createrepo /repos/ol6/ol6_UEK_latest/getPackage/ >> "$LOG_FILE" 2>&1
/usr/bin/createrepo /repos/ol6/ol6_latest/getPackage/ >> "$LOG_FILE" 2>&1

Create the directories to store the script and logs, and move the script inside the scripts directory.

# mkdir -p /repos/logs
# mkdir -p /repos/scripts
# mv orayum-update.sh /repos/scripts

Make the script executable

# chmod +x /repos/scripts/orayum-update.sh

Add the script to crontab, and run once every day.

# crontab -e
0 0 * * * /repos/scripts/orayum-update.sh

# crontab -l
0 0 * * * /repos/scripts/orayum-update.sh
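The update script above runs reposync and createrepo unconditionally: if reposync dies half-way (easy with a slow upstream), createrepo still publishes the partial tree to every client, and a second nightly cron run can start while the first is still downloading.  The script below is an added example, not the post’s own; it keeps the same layout (/repos/ol6/<repoid>/getPackage, logs in /repos/logs, the same two repo IDs), adds a lock and fail-fast behaviour, and passes reposync -g so that packages whose GPG signature does not verify are dropped, which requires Oracle’s key to have been imported with rpm --import on the mirror host first.  The lock directory path is my choice.

```sh
#!/bin/sh
# Added example (not the post's script): cron-safe refresh of the local Oracle Linux mirror.
# Assumed layout from the post: $REPO_ROOT/<repoid>/getPackage, logs under $LOG_DIR.
REPO_ROOT=${REPO_ROOT:-/repos/ol6}
LOG_DIR=${LOG_DIR:-/repos/logs}
LOCK_DIR=${LOCK_DIR:-/var/lock/orayum-update}
REPOIDS=${REPOIDS:-"ol6_latest ol6_UEK_latest"}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

# acquire_lock: mkdir is atomic, so a second cron run started while a slow reposync
# is still going sees the failure and backs off instead of racing on the same tree.
acquire_lock() {
  if mkdir "$LOCK_DIR" 2>/dev/null; then
    trap 'rmdir "$LOCK_DIR"' EXIT
    return 0
  fi
  return 1
}

# sync_repo REPOID: download with signature checking, then rebuild the metadata.
# -g removes any package that fails the GPG check (Oracle's key must be imported
# with rpm --import). createrepo only runs after a successful reposync, so a
# partial download never becomes "the latest repo" for the clients.
sync_repo() {
  repoid=$1
  dest="$REPO_ROOT/$repoid/getPackage"
  log "reposync $repoid -> $dest"
  if ! reposync -g --repoid="$repoid" -p "$REPO_ROOT"; then
    log "reposync $repoid failed; metadata for $repoid left unchanged"
    return 1
  fi
  if ! createrepo --update "$dest"; then
    log "createrepo $repoid failed"
    return 1
  fi
  log "$repoid done"
}

# update_all: sync every repo; non-zero exit if any of them failed (visible in cron mail)
update_all() {
  rc=0
  for r in $REPOIDS; do
    sync_repo "$r" || rc=1
  done
  return $rc
}

main() {
  mkdir -p "$LOG_DIR"
  if ! acquire_lock; then
    log "another update is still running, skipping this run"
    exit 0
  fi
  update_all >>"$LOG_DIR/orayum-update_$(date +%Y.%m.%d).log" 2>&1
}

# crontab line: 0 0 * * * /repos/scripts/orayum-update.sh run
if [ "${1:-}" = run ]; then main; fi
```

The run argument keeps the functions sourceable, so the script can be exercised with stubbed reposync and createrepo before it is pointed at the real mirror; createrepo --update reuses the existing metadata and is much faster than a full rebuild on a tree of this size.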

Install and configure Apache webserver.

# yum install httpd
# chkconfig httpd on
# service httpd start

Now configure Apache to serve the repository.

# mkdir -p /var/www/html/repo/OracleLinux/OL6/latest
# mkdir -p /var/www/html/repo/OracleLinux/OL6/UEK/latest
# ln -s /repos/ol6/ol6_latest/getPackage/ /var/www/html/repo/OracleLinux/OL6/latest/x86_64
# ln -s /repos/ol6/ol6_UEK_latest/getPackage/ /var/www/html/repo/OracleLinux/OL6/UEK/latest/x86_64

Open up the firewall for Apache.

# iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# service iptables save

Now we need to fix the SELinux contexts for the repository files, so that the repository, which is symlinked from the /var/www/html sub-folders, can be served by Apache.  httpd is only allowed to read content labelled httpd_sys_content_t, and a symlink does not change the label of the files it points to.

# yum install policycoreutils-python
# semanage fcontext -a -t httpd_sys_content_t "/repos/ol6/ol6_latest/getPackage(/.*)?"
# semanage fcontext -a -t httpd_sys_content_t "/repos/ol6/ol6_UEK_latest/getPackage(/.*)?"
# restorecon -R -v /repos/ol6/

Get the repository GPG key as well, and put it into the root Apache directory.  Clients will fetch it over plain HTTP from the mirror, so anyone who can tamper with the mirror, or with the network between it and the clients, could substitute their own key and sign their own packages.  Check the key’s fingerprint (gpg --with-fingerprint RPM-GPG-KEY-oracle-ol6) against the one Oracle publishes before serving it, and prefer pushing the key to clients through configuration management rather than letting each one download it.

# cd /var/www/html
# wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6

Now the local yum mirror is fully setup!  Local Oracle Linux 6 installations can now use this repository by creating a repo file in /etc/yum.repos.d/ folder.

# cd /etc/yum.repos.d
# vi public-yum-ol6-local.repo

The repo file looks something like this:

[ol6_latest_local]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=http://<hostname>/repo/OracleLinux/OL6/latest/$basearch/
gpgkey=http://<hostname>/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

[ol6_UEK_latest_local]
name=Latest Unbreakable Enterprise Kernel for Oracle Linux $releasever ($basearch)
baseurl=http://<hostname>/repo/OracleLinux/OL6/UEK/latest/$basearch/
gpgkey=http://<hostname>/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

Done!

Installing vSphere CLI 5.1 U1 on CentOS 6.4

My attempt to monitor ESXi 5.1 hosts using Zenoss failed spectacularly at the install vCLI phase.  I have since been able to complete vCLI installation, and managed to run the resxtop command successfully.  However, the new version of resxtop (5.1 U1) returns too much output, and will not work with Zenoss’s esxtop ZenPack.  I guess I will have to wait until the Zenoss community comes up with a ZenPack for Zenoss 4.2 to work with the newer ESXi versions.

This post is to document the installation of vSphere CLI 5.1 U1 on CentOS 6.4, which is NOT supported by VMware (they only support vCLI installations on CentOS 5.5).

I will start with a minimal install of CentOS 6.4.  Then SELinux is disabled by editing /etc/sysconfig/selinux and rebooting the system.  Then, a yum upgrade is performed to update the kernel and all packages to the latest versions.  And a reboot, of course.

The vSphere installation will use these packages:

  • perl-CPAN = the installer uses CPAN to install Perl modules.
  • make & gcc = CPAN uses make and gcc to compile the modules’ C code.
  • openssl-devel = the installer checks for this package before it will proceed.
  • perl-YAML = some of the Perl modules required by the installer need this.
  • libxml2-devel = the XML Perl modules need this library.
  • libuuid-devel = the UUID Perl module needs this.

So let’s install them.

# yum install perl-CPAN make gcc openssl-devel perl-YAML libxml2-devel libuuid-devel

The installation script reads the http_proxy and ftp_proxy environment variables and passes them on to CPAN, so they need to be set before installation (empty, as below, when no proxy is in use).  Note that the installer downloads and builds its Perl modules from CPAN at install time, so the box needs outbound access and you are trusting the CPAN mirror for that code.

# export http_proxy=
# export ftp_proxy=

Next, download the vSphere CLI installation package, and extract the archive.

# tar xzvf VMware-vSphere-CLI-5.1.0-1060453.x86_64.gz

Change into the extracted directory and run the installation program.

# cd vmware-vsphere-cli-distrib
# ./vmware-install.pl
Creating a new vSphere CLI installer database using the tar4 format.

Installing vSphere CLI 5.1.0 build-1060453 for Linux.

You must read and accept the vSphere CLI End User License Agreement to
continue.
Press enter to display it.

-- LICENSE AGREEMENT --

Do you accept? (yes/no) yes

Thank you.

Please wait while configuring CPAN ...

Please wait while configuring perl modules using CPAN ...

CPAN is downloading and installing pre-requisite Perl module "Archive::Zip" .

CPAN is downloading and installing pre-requisite Perl module "Compress::Zlib" .

CPAN is downloading and installing pre-requisite Perl module
"Compress::Raw::Zlib" .

CPAN is downloading and installing pre-requisite Perl module "Crypt::SSLeay" .

CPAN is downloading and installing pre-requisite Perl module
"IO::Compress::Base" .

CPAN is downloading and installing pre-requisite Perl module
"IO::Compress::Zlib::Constants" .

CPAN is downloading and installing pre-requisite Perl module
"Class::MethodMaker" .

CPAN is downloading and installing pre-requisite Perl module "HTML::Parser" .

CPAN is downloading and installing pre-requisite Perl module "UUID" .

CPAN is downloading and installing pre-requisite Perl module "Data::Dump" .

CPAN is downloading and installing pre-requisite Perl module "SOAP::Lite" .

CPAN is downloading and installing pre-requisite Perl module "URI" .

CPAN is downloading and installing pre-requisite Perl module "XML::SAX" .

CPAN is downloading and installing pre-requisite Perl module
"XML::NamespaceSupport" .

CPAN is downloading and installing pre-requisite Perl module
"XML::LibXML::Common" .

CPAN is downloading and installing pre-requisite Perl module "XML::LibXML" .

CPAN is downloading and installing pre-requisite Perl module "LWP" .

CPAN is downloading and installing pre-requisite Perl module
"LWP::Protocol::https" .

In which directory do you want to install the executable files?
[/usr/bin]

Please wait while copying vSphere CLI files...

The installation of vSphere CLI 5.1.0 build-1060453 for Linux completed
successfully. You can decide to remove this software from your system at any
time by invoking the following command:
"/usr/bin/vmware-uninstall-vSphere-CLI.pl".

This installer has successfully installed both vSphere CLI and the vSphere SDK
for Perl.

The following Perl modules were found on the system but may be too old to work
with vSphere CLI:

version 0.78 or newer

Enjoy,

--the VMware team

Checking /usr/bin/ shows the commands that have been installed, such as resxtop, vicfg-*, esxcfg-* and others.