Jackie Chen's IT Workshop

The only thing that doesn't change is change itself

Tag: Linux
Puppet cron job configuration


In my lab, I want everything to be controlled by Puppet, so I use Puppet to set up the cron job mentioned in step 3) of the post Integrate puppet to foreman.

# Push puppet node facts to foreman
*/10 * * * * /etc/puppet/push_facts.rb

The manifest can be found here as well.

class sys_cron::push_facts {

  # Push puppet node facts to foreman every five minutes, running as root
  cron { 'puppet_push_facts':
    ensure  => present,
    command => '/etc/puppet/push_facts.rb',
    user    => 'root',
    minute  => '*/5',
  }

}

Reference:
https://docs.puppetlabs.com/references/latest/type.html#cron

Check major/ minor device number in Linux


In the Linux world, every device is presented to users as a file under /dev, whether it is a disk, a network adapter or any other device. In the background the kernel manages all the devices, specifically through the device drivers in the kernel.

Devices controlled by the same device driver share a common device number, referred to as the major number. The number used to distinguish between the different devices handled by that driver is called the minor number.

Examples:

– Check the major/minor device numbers of the disk, memory and mouse

[jchen@fedora ~]$ ll /dev/sda1
brw-rw----. 1 root disk 8, 1 Sep 1 09:01 /dev/sda1
[jchen@fedora ~]$ ll /dev/mem
crw-r-----. 1 root kmem 1, 1 Sep 1 09:01 /dev/mem
[jchen@fedora ~]$ ll /dev/input/mice
crw-------. 1 root root 13, 63 Sep 1 09:01 /dev/input/mice

– Check the device of a mounted file system, either by mount folder (mountpoint -d <folder>) or by device (mountpoint -x <device>)

[jchen@fedora ~]$ mountpoint -d /home
253:2
[jchen@fedora ~]$ mountpoint -x /dev/mapper/fedora_1004521-home
253:2
[jchen@fedora ~]$ mountpoint -x /dev/sda1
8:1
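Two small helpers around the numbers shown above, added here as an example (not part of the original post). `dev_numbers` stats a node and prints its type and decimal major:minor in the same form `mountpoint -d`/`-x` uses; `world_accessible_devices` reads `ls -l` lines like the listing above and prints every device node whose "other" permission bits are not `---`, which is the quick audit you want before trusting a /dev tree (a world-writable /dev/null is normal, a world-readable /dev/mem or disk node hands raw hardware access to every local user). It assumes GNU coreutils `stat` (Linux); the listing it runs on is constructed, mixing the post's three lines with two made-up ones.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat.

# dev_numbers PATH
# Print "<block|char> <major>:<minor>" for a device node, in the decimal
# "major:minor" form that `mountpoint -d` / `mountpoint -x` print.
dev_numbers() {
    # %t and %T are the major and minor number in hex; %F is the file type.
    stat -c '%t %T %F' "$1" | {
        read -r hexmaj hexmin ftype || return 1
        case "$ftype" in
            'block special file')     kind=block ;;
            'character special file') kind=char ;;
            *) printf 'not a device node: %s (%s)\n' "$1" "$ftype" >&2; return 1 ;;
        esac
        printf '%s %d:%d\n' "$kind" "$((0x$hexmaj))" "$((0x$hexmin))"
    }
}

# world_accessible_devices FILE
# Read `ls -l` output (one node per line) and print each device node whose
# "other" permission bits are not "---", with its type and major:minor.
world_accessible_devices() {
    awk '
        $1 ~ /^[bc]/ {
            other = substr($1, 8, 3)          # chars 8-10 are the rwx bits for "other"
            if (other == "---") next
            major = $5; sub(/,$/, "", major)  # ls prints "8," before the minor
            kind = (substr($1, 1, 1) == "b") ? "block" : "char"
            printf "%s %s %s:%s other=%s\n", $NF, kind, major, $6, other
        }' "$1"
}

# Constructed listing: the three nodes from the post plus two made-up lines,
# one expected (/dev/null) and one that should never look like this (/dev/mem).
LISTING=$(mktemp)
cat > "$LISTING" <<'EOF'
brw-rw----. 1 root disk 8, 1 Sep 1 09:01 /dev/sda1
crw-r-----. 1 root kmem 1, 1 Sep 1 09:01 /dev/mem
crw-------. 1 root root 13, 63 Sep 1 09:01 /dev/input/mice
crw-rw-rw-. 1 root root 1, 3 Sep 1 09:01 /dev/null
crw-r--r--. 1 root kmem 1, 1 Sep 1 09:01 /dev/mem
EOF

dev_numbers /dev/null
world_accessible_devices "$LISTING"
```

On a live system, `world_accessible_devices` takes the output of `ls -l /dev /dev/input` saved to a file; on the constructed listing it reports only `/dev/null` and the deliberately mis-permissioned `/dev/mem` line.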

Reference:
http://www.linux-tutorial.info/modules.php?name=MContent&pageid=94
http://man7.org/linux/man-pages/man1/mountpoint.1.html
http://www.linux.org/threads/what-are-those-dev-files.4713/

Missing NIC in cloned VirtualBox VM


If you ever encounter an error similar to 'Device eth0 does not seem to be present, delaying initialization' in a cloned VirtualBox VM, the fix is to remove the file /etc/udev/rules.d/70-persistent-net.rules and reboot the VM.

The reason is that the cloned VM gets new MAC addresses, which do not match the ones previously recorded by the kernel in the above file.
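The mismatch can be confirmed before deleting anything. The script below is an added example (not from the original post): it pulls each `ATTR{address}` / `NAME` pair out of a 70-persistent-net.rules file and prints the interface names whose recorded MAC is no longer present on the machine. The rules file and MAC list it runs on are constructed; the paths and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post. All MACs and files here are constructed.

# current_macs: MAC addresses the kernel currently reports, one per line
# (reads sysfs; not exercised in the demo below).
current_macs() {
    cat /sys/class/net/*/address 2>/dev/null | tr 'A-F' 'a-f'
}

# stale_persistent_rules RULES_FILE MACS_FILE
# For each rule line, extract ATTR{address}=="..." and NAME="..." and print
# "<name> <mac>" when that MAC does not appear in MACS_FILE.
stale_persistent_rules() {
    grep -F 'ATTR{address}==' "$1" | while IFS= read -r line; do
        mac=$(printf '%s\n' "$line" | sed -n 's/.*ATTR{address}=="\([^"]*\)".*/\1/p' | tr 'A-F' 'a-f')
        name=$(printf '%s\n' "$line" | sed -n 's/.*NAME="\([^"]*\)".*/\1/p')
        if ! grep -qix "$mac" "$2"; then
            printf '%s %s\n' "$name" "$mac"
        fi
    done
}

# Constructed rules file: what a source VM with two NICs leaves behind.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:aa:bb:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:aa:bb:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF

# Constructed MAC list for the clone: the first NIC got a new address, so
# only eth1's recorded MAC survives and a new one appears.
MACS=$(mktemp)
printf '%s\n' '08:00:27:cc:dd:03' '08:00:27:aa:bb:02' > "$MACS"

stale_persistent_rules "$RULES" "$MACS"
# Live use:
#   current_macs > /tmp/macs.txt
#   stale_persistent_rules /etc/udev/rules.d/70-persistent-net.rules /tmp/macs.txt
```

On the constructed input it prints `eth0 08:00:27:aa:bb:01`, the interface the kernel will report as not present; an empty result means the rules file matches the hardware and the problem lies elsewhere.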


Setup LDAP authentication in CentOS (openldap+sssd)


1) Install openldap server in CentOS 6.5

yum install -y openldap*

2) Copy the sample slapd.conf configuration

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

3) Generate encrypted password for later use

slappasswd

4) Modify /etc/openldap/slapd.conf, using the encrypted password created in the step above.

#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password

database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=mylab,dc=local" read
by * none

database bdb
suffix "dc=mylab,dc=local"
checkpoint 1024 15
rootdn "cn=Manager,dc=mylab,dc=local"
rootpw {SSHA}TgnKeaT3EArzI1xqW/CpzmCRFa88xPS0
loglevel 256
sizelimit unlimited

5) Copy the sample DB_CONFIG file

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
chmod 600 /var/lib/ldap/DB_CONFIG

6) Start service

service slapd start
chkconfig slapd on

7) Verify with the following two commands. (The default LDAP port is 389.)

netstat -ntlup | grep slapd
ps -ef | grep slapd

8) Generate a certificate pair for a secured LDAP connection

openssl req -newkey rsa:2048 -x509 -nodes -out /etc/openldap/certs/ldap-pub.pem -keyout /etc/openldap/certs/ldap-pri.pem

chown ldap. /etc/openldap/certs/ldap*

9) Configure the olcDatabase={0}config.ldif file

cd /etc/openldap/slapd.d/cn=config

Add the following two lines into: olcDatabase\=\{0\}config.ldif

olcTLSCertificateFile: /etc/openldap/certs/ldap-pub.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-pri.pem

10) Modify /etc/sysconfig/ldap to only allow secure ldap (ldaps)

SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes

11) Restart the slapd.

service slapd restart

12) Verify it (the secure LDAP port is 636, and only ldaps should appear in the 'ps -ef' output)

netstat -ntlup | grep slapd
ps -ef | grep slapd

13) Add the OU and users to your LDAP database.

Create /etc/openldap/base.ldif, then run the ldapadd command. The password is the one created in step 3).

ldapadd -x -D "cn=Manager,dc=mylab,dc=local" -f base.ldif -H ldaps://ldap.mylab.local -W

14) Use ldapsearch to query the ldap database.

ldapsearch -x -D "cn=Manager,dc=mylab,dc=local" -H ldaps://ldap.mylab.local -W

15) Use ldapmodify to modify an existing value in the LDAP database. I include a sample here:

ldapmodify -D "cn=Manager,dc=mylab,dc=local" -f modify.ldif -H ldaps://ldap -W

16) Set up the openldap client

yum install -y openldap-clients sssd

17) Copy the public certificate generated in step 8) to /etc/openldap/cacerts on the client machine.

cp ldap-pub.pem /etc/openldap/cacerts/

18) Modify /etc/openldap/ldap.conf to add the following entries:

TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=mylab,dc=local
URI ldaps://ldap.mylab.local/
HOST 192.168.56.11

19) Define your ldap URI in the sssd.conf

chmod 600 /etc/sssd/sssd.conf

Sample: /etc/sssd/sssd.conf

20) Set up the ldap authentication

authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldaps://ldap.mylab.local --ldapbasedn=dc=mylab,dc=local --enablelocauthorize --enableldaptls --update

21) Test by looking up the LDAP user

getent passwd jchen
id jchen
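A few post-install checks for the ldaps-only setup built in the steps above, added here as an example (not part of the original post). `check_ldaps_only` reads saved `netstat -ntlup` output and succeeds only when slapd listens on 636 with no plaintext 389 listener left, which is what steps 7 and 12 are verifying by eye; `tls_reqcert_mode` reports the client's TLS_REQCERT setting from step 18, since `allow` lets the client connect even when the server certificate fails verification while `demand` refuses, the value to move to once the CA file in /etc/openldap/cacerts is in place; `cert_summary` prints the expiry of the step 8 certificate, which `openssl req -x509` issues with a 30-day validity when `-days` is not given. The netstat output and ldap.conf it runs on are constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not part of the original post. Inputs below are constructed.

# check_ldaps_only NETSTAT_OUTPUT_FILE
# Given `netstat -ntlup` output, succeed only when slapd listens on 636 and
# no plaintext 389 listener remains (the state step 12 should show).
check_ldaps_only() {
    listeners=$(grep 'slapd' "$1" | awk '{print $4}')
    plain=$(printf '%s\n' "$listeners" | grep -c ':389$' || true)
    secure=$(printf '%s\n' "$listeners" | grep -c ':636$' || true)
    [ "$plain" -eq 0 ] && [ "$secure" -gt 0 ]
}

# tls_reqcert_mode LDAP_CONF
# Print the effective TLS_REQCERT value (the last occurrence wins).
# "allow" still connects when the server certificate cannot be verified;
# "demand" refuses the connection.
tls_reqcert_mode() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) } END { print v }' "$1"
}

# cert_summary CERT_PEM
# Show expiry and subject of the server certificate from step 8 so the
# renewal date is visible. Needs openssl; not run in the demo below.
cert_summary() {
    openssl x509 -in "$1" -noout -enddate -subject
}

# Constructed `netstat -ntlup | grep slapd` output after step 7 (both ports)
# and after step 12 (ldaps only).
BEFORE=$(mktemp); AFTER=$(mktemp); CONF=$(mktemp)
cat > "$BEFORE" <<'EOF'
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      2101/slapd
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      2101/slapd
EOF
cat > "$AFTER" <<'EOF'
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      2188/slapd
tcp        0      0 :::636                      :::*                        LISTEN      2188/slapd
EOF
# Constructed client ldap.conf with the entries from step 18.
cat > "$CONF" <<'EOF'
TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
TLS_REQCERT allow
BASE dc=mylab,dc=local
URI ldaps://ldap.mylab.local/
EOF

if check_ldaps_only "$AFTER"; then echo "after step 12: ldaps only"; fi
if ! check_ldaps_only "$BEFORE"; then echo "after step 7: plaintext 389 still open"; fi
echo "client TLS_REQCERT: $(tls_reqcert_mode "$CONF")"
# Live use: netstat -ntlup > /tmp/listeners.txt && check_ldaps_only /tmp/listeners.txt
#           tls_reqcert_mode /etc/openldap/ldap.conf
#           cert_summary /etc/openldap/certs/ldap-pub.pem
```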

Update puppet tags


This script allows you to apply the specified Puppet tags to the listed hosts. It does a dry run against the first host; if you are happy with the results, you can kick off the changes to all hosts.


The script can be downloaded from here.
