Archive for the ‘Fedora’ Category

Host based access control with IPA

Saturday, March 2nd, 2013

Host based access control is easy with IPA/FreeIPA, very easy.

Let's assume you want to have a host group called rhel-prod and a user group called prod-admins, and you want to let the members of that group access the servers in the rhel-prod group by ssh from any host that can reach the servers. Let's call the HBAC rule prod-admins.

You can either use the web GUI or the command line interface.

Let's create the user group:

[root@ipa1 ~]# ipa group-add prod-admins --desc="Production System Admins"
-------------------------
Added group "prod-admins"
-------------------------
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
[root@ipa1 ~]# 

Add some users to the user group:

[root@ipa1 ~]# ipa group-add-member prod-admins --users=luc,htester
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
  Member users: luc, htester
-------------------------
Number of members added 2
-------------------------
[root@ipa1 ~]# 

And the host group:

[root@ipa1 ~]# ipa hostgroup-add rhel-prod --desc "Production Servers"
---------------------------
Added hostgroup "rhel-prod"
---------------------------
  Host-group: rhel-prod
  Description: Production Servers
[root@ipa1 ~]#

Add some servers as members of the host group:

[root@ipa1 ~]# ipa hostgroup-add-member rhel-prod --hosts=ipaclient1.example.com,ipaclient2.example.com
  Host-group: rhel-prod
  Description: Production Servers
  Member hosts: ipaclient1.example.com, ipaclient2.example.com
-------------------------
Number of members added 2
-------------------------
[root@ipa1 ~]#

Note: the servers are comma separated, without a space after the comma.

Let's define the HBAC rule:

[root@ipa1 ~]# ipa hbacrule-add --srchostcat=all prod-admins
-----------------------------
Added HBAC rule "prod-admins"
-----------------------------
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
[root@ipa1 ~]#

Add the user group to the rule:

[root@ipa1 ~]# ipa hbacrule-add-user --groups prod-admins prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#

Add the service to the rule:

[root@ipa1 ~]# ipa hbacrule-add-service --hbacsvcs sshd prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#

And finally add the host group to the rule:

[root@ipa1 ~]# ipa hbacrule-add-host --hostgroups rhel-prod prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Host Groups: rhel-prod
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#

Of course you can enhance the rule by adding other services, restrict the access to particular source hosts and so on.
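To see what the rule built above actually grants, here is an added Python model of how an HBAC rule is evaluated; it is example code written for this page, not part of IPA, and the user group, host group and rule data are constructed to mirror the commands above. The real check is done with `ipa hbactest --user=luc --host=ipaclient1.example.com --service=sshd`; the model follows the same logic: a rule grants access only if it is enabled and the user, the target host and the PAM service each match, either through a category of "all" or through direct or group membership. Access is allowed if at least one rule matches. The service name "login" and the user "bob" are constructed values used for the negative cases.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory data mirroring the groups created above.
USER_GROUPS: Dict[str, Set[str]] = {"prod-admins": {"luc", "htester"}}
HOST_GROUPS: Dict[str, Set[str]] = {
    "rhel-prod": {"ipaclient1.example.com", "ipaclient2.example.com"}
}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: Optional[str] = None      # "all" means any user
    hostcat: Optional[str] = None      # "all" means any target host
    servicecat: Optional[str] = None   # "all" means any PAM service
    srchostcat: Optional[str] = None   # "all" means any source host (as in the rule above)
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)


def _member_of_any(item: str, groups: Set[str], directory: Dict[str, Set[str]]) -> bool:
    """True if item is a member of at least one of the named groups."""
    return any(item in directory.get(g, set()) for g in groups)


def rule_matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """A rule grants access only if it is enabled and user, host and service
    each match. Source hosts are not checked here because the rule on this
    page uses --srchostcat=all."""
    if not rule.enabled:
        return False
    user_ok = (rule.usercat == "all" or user in rule.users
               or _member_of_any(user, rule.usergroups, USER_GROUPS))
    host_ok = (rule.hostcat == "all" or host in rule.hosts
               or _member_of_any(host, rule.hostgroups, HOST_GROUPS))
    service_ok = rule.servicecat == "all" or service in rule.services
    return user_ok and host_ok and service_ok


def evaluate(rules: List[HbacRule], user: str, host: str, service: str) -> Tuple[bool, List[str]]:
    """Access is allowed if at least one rule matches; also return which ones did."""
    matched = [r.name for r in rules if rule_matches(r, user, host, service)]
    return bool(matched), matched


def build_rules(allow_all_enabled: bool) -> List[HbacRule]:
    """The prod-admins rule from above next to IPA's default allow_all rule."""
    allow_all = HbacRule(name="allow_all", enabled=allow_all_enabled,
                         usercat="all", hostcat="all", servicecat="all")
    prod_admins = HbacRule(name="prod-admins", srchostcat="all",
                           usergroups={"prod-admins"},
                           hostgroups={"rhel-prod"}, services={"sshd"})
    return [allow_all, prod_admins]


if __name__ == "__main__":
    checks = [("luc", "ipaclient1.example.com", "sshd"),
              ("bob", "ipaclient1.example.com", "sshd"),
              ("luc", "ipaclient1.example.com", "login"),
              ("luc", "other.example.com", "sshd")]
    for enabled in (True, False):
        print(f"allow_all enabled={enabled}")
        rules = build_rules(allow_all_enabled=enabled)
        for user, host, service in checks:
            print(" ", user, host, service, evaluate(rules, user, host, service))
```

The model includes IPA's default allow_all rule because it is enabled on a fresh installation: as long as it stays enabled, everybody still matches it and the new prod-admins rule restricts nothing. Only after `ipa hbacrule-disable allow_all` does the evaluation fall back to the specific rules, and then luc gets sshd on the rhel-prod hosts while bob, other services and other hosts are denied.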

Have fun :-)

Automated disk partitioning on virtual machines with Cobbler

Saturday, December 15th, 2012

The default Cobbler snippets just do simple auto partitioning. For a more sophisticated partition layout you need to know what kind of VM you are going to install: KVM and RHEV present the disk as /dev/vda, Xen uses /dev/xvda and ESX /dev/sda.

Luckily this can be figured out automatically, because each virtualization vendor uses its own MAC prefix. So we can add two nice small Cobbler snippets to do the job. In this example, I call them hw-detect and partitioning.

hw-detect

#set $mac = $getVar('$mac_address_eth0')
#if $mac
#set $mac_prefix = $mac[0:8]
#if $mac_prefix == "00:1a:4a"
# This is a RHEV virtual machine
#set global $machinetype = 'kvm'

#else if $mac_prefix == "52:54:00"
# This is a KVM/Qemu virtual machine
#set global $machinetype = 'kvm'

#else if $mac_prefix == "00:16:3e"
# This is a XEN virtual machine
#set global $machinetype = 'xen'

#else if $mac_prefix == "00:50:56"
# This is a ESX virtual machine
#set global $machinetype = 'esx'

#else
# This is a physical machine
#set global $machinetype = 'physical'
#end if
#else
# No MAC address known for eth0: treat it as a physical machine so that
# $machinetype is always defined for the partitioning snippet
#set global $machinetype = 'physical'
#end if

partitioning

#if $machinetype == 'kvm'
#set $disk = 'vda'
#else if $machinetype == 'xen'
#set $disk = 'xvda'
#else
#set $disk = 'sda'
#end if
# Let's install the system on /dev/$disk
part /boot      --fstype ext2 --size=250 --ondisk=$disk
part pv.0       --size=1 --grow --ondisk=$disk

volgroup vg_${name} pv.0

logvol /        --fstype ext4 --name=lv_root    --vgname=vg_${name} --size=4096
logvol /home    --fstype ext4 --name=lv_home    --vgname=vg_${name} --size=512 --fsoption=nosuid,nodev,noexec
logvol /tmp     --fstype ext4 --name=lv_tmp    --vgname=vg_${name} --size=1024 --fsoption=nosuid,nodev,noexec
logvol /var     --fstype ext4 --name=lv_var    --vgname=vg_${name} --size=2048 --fsoption=nosuid,nodev,noexec
logvol swap     --fstype swap --name=lv_swap    --vgname=vg_${name} --size=2048

An additional “feature” of the partitioning snippet is that it sets up the volume group name according to your system's name. This has been the unofficial standard for quite some time. It also sets some more secure mount options. Review them carefully to see if they make sense for you and edit them as needed.
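The two snippets are Cheetah templates and only render inside Cobbler, so here is an added Python model of the same logic for checking the mapping outside of Cobbler. It is example code written for this page, not Cobbler's own code. It generalizes the snippets slightly: the MAC is lowercased before the prefix comparison, a missing MAC is treated as a physical machine, and the partition block is rendered as a string so it can be compared with what `cobbler system getks` produces. The system names and MAC addresses used are constructed.

```python
from typing import Optional

# MAC prefixes from the hw-detect snippet above and the machine type each one maps to.
MAC_PREFIXES = {
    "00:1a:4a": "kvm",   # RHEV virtual machine
    "52:54:00": "kvm",   # KVM/Qemu virtual machine
    "00:16:3e": "xen",   # XEN virtual machine
    "00:50:56": "esx",   # ESX virtual machine
}

# Disk device per machine type; everything else (esx, physical) gets sda.
DISK_BY_TYPE = {"kvm": "vda", "xen": "xvda"}


def detect_machinetype(mac: Optional[str]) -> str:
    """Mirror hw-detect: classify by the first three octets of eth0's MAC."""
    if not mac:
        return "physical"
    return MAC_PREFIXES.get(mac.lower()[:8], "physical")


def disk_for(machinetype: str) -> str:
    """Mirror the first half of the partitioning snippet."""
    return DISK_BY_TYPE.get(machinetype, "sda")


def render_partitioning(name: str, mac: Optional[str]) -> str:
    """Render the kickstart partition block the snippet would produce for a system."""
    disk = disk_for(detect_machinetype(mac))
    vg = f"vg_{name}"
    hardened = "--fsoption=nosuid,nodev,noexec"
    lines = [
        f"# Let's install the system on /dev/{disk}",
        f"part /boot      --fstype ext2 --size=250 --ondisk={disk}",
        f"part pv.0       --size=1 --grow --ondisk={disk}",
        "",
        f"volgroup {vg} pv.0",
        "",
        f"logvol /        --fstype ext4 --name=lv_root    --vgname={vg} --size=4096",
        f"logvol /home    --fstype ext4 --name=lv_home    --vgname={vg} --size=512 {hardened}",
        f"logvol /tmp     --fstype ext4 --name=lv_tmp     --vgname={vg} --size=1024 {hardened}",
        f"logvol /var     --fstype ext4 --name=lv_var     --vgname={vg} --size=2048 {hardened}",
        f"logvol swap     --fstype swap --name=lv_swap    --vgname={vg} --size=2048",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed systems: a KVM guest, an ESX guest and a box without a known MAC.
    for name, mac in [("web01", "52:54:00:11:22:33"),
                      ("db01", "00:50:56:aa:bb:cc"),
                      ("bare01", None)]:
        print(f"=== {name} ({detect_machinetype(mac)}) ===")
        print(render_partitioning(name, mac))
```

The lowercasing matters because the Cheetah comparison in the snippet is case sensitive; if a MAC ever ends up stored in upper case, the snippet silently falls through to 'physical' and installs onto /dev/sda.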

The next step is to configure your kickstart template.

Standalone Cobbler
On a standalone Cobbler server edit /var/lib/cobbler/kickstart/your-kick-start-template.ks:

# Detect the used hardware type
$SNIPPET('hw-detect')
# Set up default partitioning
$SNIPPET('partitioning')

Bundled Cobbler
When using Cobbler bundled with Spacewalk or Red Hat Satellite, you need to edit the Kickstart profile in the WebUI.


Navigate to Systems -> Kickstart -> Profile. Select the Kickstart profile to be modified -> System Details -> Partitioning.

Copy the two snippets to /var/lib/cobbler/spacewalk/1, where 1 is your OrgId.

Alternatively you can edit them in the WebUI as well.

To check if all is working as expected, add a system to Cobbler using the command line interface and have a look at the rendered Kickstart file. This can easily be done with cobbler system getks --name=blah.

Happy system installing…

Have fun :-)

How to recover from a lost Kerberos password for admin

Saturday, December 8th, 2012

Ever lost your password for the admin principal on your Linux Kerberos server? It is quite easy to recover by just setting a new one.

You just need to log in to your KDC and proceed as follows:

[root@ipa1 ~]# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local:  change_password admin@EXAMPLE.COM
Enter password for principal "admin@EXAMPLE.COM": 
Re-enter password for principal "admin@EXAMPLE.COM": 
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q
[root@ipa1 ~]#

Now enter kinit to get a Kerberos ticket.

Have fun :-)

Migrating from CentOS6 to RHEL6

Saturday, December 8th, 2012

There are different tutorials on the net on how to migrate from RHEL to CentOS, but almost no information about the other way round. It is quite simple, and at the end of the day you have only Red Hat packages installed.

You need to copy the following packages from a Red Hat medium and install them:

yum localinstall \
rhn-check-1.0.0-87.el6.noarch.rpm \
rhn-client-tools-1.0.0-87.el6.noarch.rpm \
rhnlib-2.5.22-12.el6.noarch.rpm \
rhnsd-4.9.3-2.el6.x86_64.rpm \
rhn-setup-1.0.0-87.el6.noarch.rpm \
yum-3.2.29-30.el6.noarch.rpm \
yum-metadata-parser-1.1.2-16.el6.x86_64.rpm \
yum-rhn-plugin-0.9.1-40.el6.noarch.rpm \
yum-utils-1.1.30-14.el6.noarch.rpm \
sos-2.2-29.el6.noarch.rpm

Then you need to remove the centos release package and install the Red Hat release package:

rpm -e centos-release-6-3.el6.centos.9.x86_64 --nodeps
yum localinstall redhat-release-server-6Server-6.3.0.3.el6.x86_64.rpm

Now it is time to register your system at RHN with rhn_register.

After the successful registration you need to replace all CentOS packages by the RPMs provided by Red Hat:

yum reinstall "*"

To be sure there are no new configuration files to take care of, run the following:

yum install mlocate.x86_64
updatedb
locate rpmnew

Go through the list and check if there is some configuration work to do.

Update your machine to the latest and greatest versions of the packages and reboot it:

yum -y update && reboot

Query the RPM database for leftovers from CentOS:

rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | grep -i centos | cut -d' ' -f1

There are some problematic packages which have “centos” in their name, e.g. yum and dhcp:

rpm -e yum --nodeps
rpm -ihv yum-3.2.29-30.el6.noarch.rpm

At the end, you have the previously installed kernel packages left. Keep them as a backup, they will be automatically uninstalled after two more kernel updates.
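Here is an added Python helper for the leftover check above; it is example code for this page, not a Red Hat tool. It reads the output of `rpm -qa --queryformat "%{NAME} %{VENDOR}\n"` and splits the leftovers into packages that only exist in a CentOS build (they still need to be replaced, like the yum case above) and packages that exist in both a CentOS and a Red Hat build (the old kernels that can stay as a backup). It splits each line on the first space only, because vendor strings such as "Red Hat, Inc." contain spaces. The listing below is constructed sample output, not taken from a real machine.

```python
from typing import Dict, List, Tuple

# Constructed sample of `rpm -qa --queryformat "%{NAME} %{VENDOR}\n"` output
# after `yum reinstall "*"`: two kernels installed side by side, yum and dhcp
# still from CentOS, the rest already replaced by Red Hat builds.
SAMPLE_LISTING = """\
bash Red Hat, Inc.
kernel CentOS
kernel Red Hat, Inc.
yum CentOS
dhcp CentOS
openssl Red Hat, Inc.
"""


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Return (name, vendor) pairs; only the first space separates the two fields."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, vendor = line.partition(" ")
        pkgs.append((name, vendor.strip()))
    return pkgs


def classify_leftovers(text: str, foreign: str = "centos") -> Dict[str, List[str]]:
    """Split packages whose vendor mentions `foreign` into those that need replacing
    (no build from another vendor installed) and those that can stay for now
    (an equally named package from another vendor is installed as well)."""
    pkgs = parse_listing(text)
    foreign_names = {n for n, v in pkgs if foreign in v.lower()}
    other_names = {n for n, v in pkgs if foreign not in v.lower()}
    return {
        "replace": sorted(foreign_names - other_names),
        "keep_as_backup": sorted(foreign_names & other_names),
    }


if __name__ == "__main__":
    result = classify_leftovers(SAMPLE_LISTING)
    print("Still to replace: ", ", ".join(result["replace"]))
    print("Backup copies:    ", ", ".join(result["keep_as_backup"]))
```

Run it on a real machine with `rpm -qa --queryformat "%{NAME} %{VENDOR}\n" | python3 -c 'import sys; from leftovers import classify_leftovers; print(classify_leftovers(sys.stdin.read()))'` if you save the block as leftovers.py; everything in the "replace" list still needs the rpm -e / rpm -ihv treatment shown above for yum.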

Is the procedure supported by Red Hat? No it is not supported.

Will the converted machine be supported after this procedure? Well, officially it is not supported, but if there are no traces of CentOS on the machine…

Have fun :-)

Kernel 3.5.3 partially broken for virtualization

Wednesday, October 3rd, 2012

Some time ago, Fedora 17 got a Kernel update to 3.5.3-1. Since then, PXE booting virtual machines does not work anymore. It seems that it has not been fixed in the upstream Kernel, but only the 3.5 series of Kernels is affected.

A bug has been filed, but no fix is available. The only solution for now is to stick to Kernel 3.4.5-2. I’ve checked the Fedora announce mailing list, and it looks like there have been no grave bugfixes since then.

The bug only hits when you PXE boot virtual machines with qemu-kvm. The virtual machine just gets paused; to find out the reason, you need to have a closer look at /var/log/libvirt/libvirtd.log. There you can read: “KVM: entry failed, hardware error 0x80000021“.

Someone proposed to pass the emulate_invalid_guest_state=y parameter to the kvm_intel module, but according to an Ubuntu bug report it fails too, just differently.

Hopefully a bug fix will be made available soon.

Having fun? Well, could be worse, could be better.

How to get a RTL2832U based DVB-T stick working on Fedora 17

Sunday, September 16th, 2012

This week I bought a no-name DVB-T stick at the risk of not getting it working with Linux. The device contains an RTL2832U chip which seems to be quite common according to this list. The price tag was just €14, so I took the risk.

First experiments showed that there is no chance to get it running on Fedora 17 out of the box. After digging deeper I figured out that someone wrote a driver and published it on GitHub.

Later on, I figured out that a driver is also available in the upstream 3.6-rc kernel. Unfortunately the kernel shipped with Fedora 17 does not support the device yet.

Steps to do

Ensure you have installed the kernel headers package that matches your running kernel version. If not, run yum -y install kernel-headers. The package dvb-apps will help you to set up the channels later on; install it with yum -y install dvb-apps.

Getting and compiling the kernel module

git clone https://github.com/tmair/DVB-Realtek-RTL2832U-2.2.2-10tuner-mod_kernel-3.0.0.git
cd DVB-Realtek-RTL2832U-2.2.2-10tuner-mod_kernel-3.0.0/RTL2832-2.2.2_kernel-3.0.0/
make && make install

Afterwards you need to scan for stations with your DVB-T stick and put them into MPlayer's channels file. In /usr/share/dvb/dvb-t/ you will find the right settings for the region you live in. For me de-Berlin is the right one.

scandvb /usr/share/dvb/dvb-t/de-Berlin -o zap >> ~/.mplayer/channels.conf

Now you are ready to watch digital terrestrial TV on your Fedora box. mplayer "dvb://Das Erste" does the job.

A more comfortable player is Kaffeine, which has features like an EPG (Electronic Program Guide), recording facilities etc. It comes with KDE.

Have fun!

How to transfer files to the Google Nexus 7

Sunday, September 9th, 2012

It looks like a silly question, but it is not. The device does not support USB Mass storage, but some stuff called MTP. Unfortunately it does not work as expected with Linux.

The first try was to yum -y install libmtp.x86_64 libmtp-examples.x86_64 and mount the device with fuse: mtpfs /mnt. However, it seems it is not mature enough yet to use it.

If you just want to put some sound files on to your device, Amarok works pretty fine. But what if you want to put some i.e Movies on your device?

The only quick solution I figured out was to use adb, which comes with the Android SDK. As root do the following:

yum -y install android-tools.x86_64
adb start-server
# Quote "$i": movie file names often contain spaces, and an unquoted
# variable would be split into several arguments by the shell
for i in /home/user/Movies/*; do
  adb push "$i" /sdcard/Movies
done

As you can read on the Wikipedia Article about Media Transfer Protocol it is a standard described by Microsoft and originally designed for managing photographs on cameras.

The idea behind it is that every operating system comes with its own file system(s) and when using USB Mass Storage, the common filesystem is FAT32. As you may know, FAT32 has some limitations. Unfortunately there is no other common file system available.

In the case of Linux users, it would be perfect to have USB Mass Storage support, because the file system used is ext4, also on the pseudo sdcard storage built in into the device.

The “successor” of FAT is called exFAT and is Microsoft proprietary and thus out of the question for the next 20 years (software patents). Here, the standardization organisations have completely failed to establish a free and open standard as a common file system suited for applications such as USB sticks, smart phones and others.

I have no clue how many software patents are related to MTP. I hope there are not any at all, so every operating system vendor can implement it as it seems to get the standard for such devices. Currently, the only “native” support for MTP comes with Windows Media Player. There is some software available for MacOS X provided by Google, and the FUSE implementation for Linux which I call experimental.

I’m sure someone would now bring in the argument that sound and movies can be accessed from the “cloud”. Well sure, but UMTS is too slow and too expensive for HD movies, and WLAN is – at least in European hotels – even more expensive. The only way to store media is locally, at least for nomads like me.

Having fun? Not really…

FUDCon 2012 Kuala Lumpur, Malaysia

Wednesday, April 4th, 2012

Since I’ll be in Kuala Lumpur anyway, I'll take the chance to visit the upcoming FUDCon (Fedora User and Developer Conference), which will take place May 18th to 20th at the Asia Pacific University College of Technology & Innovation. I don't know yet if I can be there all three days, but at least days 2 and 3.

I’m really glad to meet the Fedora people from another continent. I’ve been visiting Malaysia back in 2009, it is a very beautiful country with nice people. So this time my visit is different, combining vacation and some nice Linux stuff.

Looking at the list of talks, it will be interesting to join those sessions. Unfortunately it is too late for me to prepare a talk. The only thing I miss is the announcement of a social event, maybe I have overlooked it?

See you there… Have fun!

Retrospection to FOSDEM 2012 Brussels, Belgium

Monday, February 6th, 2012

This year I made it: it was my first time at FOSDEM, the Free and Open Source Developers European Meeting. I was amazed by the crowd of people and the number of talks. It was simply impossible to visit all interesting lectures, because lots of them were held in parallel.

It was also a pleasure to meet again all those people I know from the open source communities. The Friday beer event was very nice, as well as chatting with people between and after the lectures.

From my point of view, the most important talks were the inside views of oVirt and the presentations about the Deltacloud project. It was also important to get more information about Aeolus. Most of the talks important to me are bound to cloud and/or virtualization projects. This is because I’ll hit those projects sooner or later in my job as a Linux consultant.

Lessons learned
I’ll try to get to Fosdem 2013 if time allows. But next time I’ll be better prepared for the inconveniences of the venue.

  • If the weather will be the same as this year, three layers of clothes are not enough; in some auditoriums the temperatures were close to the freezing point.
  • If it is heavily snowing, the touch screens of smart phones go berserk and navigation is not possible, so I'll take an old-style navigation device with me as well as a paper city map.
  • If you wait for the bus, you need to wave your hands as the bus approaches or it will simply pass you and let you wait for another 20 min at -15°C.
  • Having a hotel near “Gare Central” is a big plus; it is near the Delirium Café where the Friday beer event happens, as well as on the route of bus no. 71 to ULB.
  • SMS messages in Belgium obviously usually have a delay of a few hours and are not reliable; calling friends costs much more but does the job.
  • Mobile internet access is not always reliable in Belgium, and since I don't know the city very well, I’ll take an off-line navigation phone with me (my old Nokia E72).

A huge thank you
I would like to thank all the volunteers who organized the event and made it an unforgettable one, as well as the countless speakers sharing their knowledge with the world.

Upcoming events
The next upcoming interesting events in Europe:

  • Chemnitzer Linux-Tage 2012 March 17th and 18th
  • LinuxTag 2012 in Berlin (my new home town) May 23rd to May 26th.

If I missed an event to mention here, let me know.

Have fun!