rhel-6

Restoring /usr/bin with yum after accidental deletion

Mon, 17 Oct 2011 13:09:06 +0100

Restoring /usr/bin with yum after accidental deletion

I was recently writing a Makefile for cramfs, specifically the distclean and install sections. The installation would copy the program binaries to /usr/bin while the cleanup would remove them… simple enough right?

I wrote a for loop to go through $(PROGS) and remove them from $(INSTLOC):
01 INSTLOC = /usr/bin

02 PROGS = mkcramfs cramfsck

03

04 all: $(PROGS)

05

06 distclean clean:

07 for p in $(PROGS);\

08 do\

09 rm -rf $$p $(INSTLOC)/$$p;\

10 done

11

12 install:

13 cp $(PROGS) $(INSTLOC)

The problem was that I ran this as root (tsk tsk), and since Makefile requires that for loop variables be escaped (line 9: $$p not $p), the rm command translated to this:
1 rm -rf /usr/bin/
Great! So now I had no binaries in /usr/bin, which includes: yum, bash, crontab, python, perl… (800+ in total on a minimal install).

Since I only deleted the binaries, the programs were still listed as installed in the RPM database. The first thing I had to do was reinstall yum and it’s “usrbin” dependency python:

1 [root@demon ~]# mount /dev/sr0 /media/cdrom

2 [root@demon ~]# cd /media/cdrom/Packages

3 [root@demon ~]# rpm -Uvh --force python-2.6.5-3.el6.i686.rpm

4 [root@demon ~]# rpm -Uvh --force yum-3.2.27-14.el6.noarch.rpm

he next step was to figure out which packages had binaries in /usr/bin so I can reinstall them:

view sourceprint?
1 [root@demon ~]# rpm -qf $(rpm -qla|grep ^/usr/bin)|uniq|sort
… and finally send those to yum to do a reinstall and get the binaries back:

view sourceprint?
1 [root@demon ~]# yum reinstall $(rpm -qf $(rpm -qla|grep ^/usr/bin)|uniq|sort)

2 [root@demon ~]# ls -la /usr/bin|wc -l

3 848

4 [root@demon ~]#
… crisis averted! Snapshot time.

One last note: If you manually installed third party RPMs (not listed in the /etc/yum.repos.d repositories), they will not be reinstalled. You can perform reinstall these one by one using the rpm -Uvh command above. Keep in mind that if these RPMs have not undergone proper QA they may overwrite your current configuration files

You can run these RPMs through rpmlint to see if they produce any warnings or errors that may cause a problem when reinstalling:

view sourceprint?1 [root@demon ~]# rpmlint -iv iplog-2.2.1-1_RH7.i386.rpm

2 ...

3 iplog.i386: W: conffile-without-noreplace-flag /etc/iplog.conf

4 A configuration file is stored in your package without the noreplace flag. A

5 way to resolve this is to put the following in your SPEC file:

6 %config(noreplace) /etc/your_config_file_here

7 ...

8 [root@demon ~]#

New Features in RHEL6

Mon, 17 Oct 2011 13:04:51 +0100

New Features in RHEL6

1. ext4 file system is introduced.
2. xen is removed and kernel virtualization machine (KVM) is introduced.
3. neat command is removed.
4. portmap service is removed.
5. iscsi is introduced, which supports for SAN.
6. rpmbuild is available, which is used to create our own rpms.
7. File encyption is added.
8. palimpsest is available for disk management.
9. Virtual machine will run only on 64bit processors.
10. postfix service is recommended instead of sendmail service.

RHEL6 openldap server

Mon, 17 Oct 2011 12:28:53 +0100

RHEL6 openldap server

Please note that all double quote characters in this example are plain ASCII ” characters not typographical ones!

Step 1: first we need to install the required packages:

#yum install openldap-servers migrationtools

Step2: As the configuration for LDAP is stored inside the LDAP server itself the configuration has to be done by editing LDIF files under the /etc/openldap/slapd.d/ directory.

Now create the ldap password:

#slappasswd

you’ll get something like this ”{SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV” as a result. This is the string we will have to add to the bdb.ldif config file.

# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

substitute my-domain.com with yourdomain.com

:%s/dc=my-domain,dc=com/dc=yourdmain,dc=com/g

Step 3: We now set the admin password and specify the location of our encryption certificate and key.

add these 3 lines at the end of the file bdb.ldif file:

olcRootPW: {SSHA}r2or9f2vYlvieCu0LP6wTnSdYfrddsuV
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Step 4: Now we have to specify the monitoring privileges

#vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif

again, we have to replace the default domain name with our domain name

:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=yourdomain,dc=com/g

Step 5: Now its time for the Database Cache

#updatedb

#cp /usr/share/doc/openldap-servers-2.4.19/ DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -Rf ldap:ldap /var/lib/ldap/

Step 6: Now we will need to set up a certificate for TLS. First we need to edit /etc/sysconfig/ldap and change SLAPD_LDAPS from no to yes.

#vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

Now we can create the certificate

#openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

This will create the two required keys in the /etc/pki/tls/certs/ directory. We need to make them readable for the ldap user.

# chown -Rf root:ldap /etc/pki/tls/certs/$cert.pem
# chmod -Rf 750 /etc/pki/tls/certs/$key.pem

Step 7: Time to test our configuration

# slaptest -u
config file testing succeeded

Step 8: Start the ldap server

#service sladp start

lets check if our ldap server really works:

#ldapsearch -x -b ”dc=yourdomain,dc=com”

if you get a search: 2 then your on track!

Step 9: Configure the base domain

#vi base.ldif

dn: dc=yourdomain,dc=net
dc: yourdomain
objectClass: top
objectClass: domain

dn: ou=People,dc=yourdomain,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yourdomain,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit

now we import our base information to the ldap directory:

#ldapadd -x -W -D ”cn=Manager,dc=yourdomain,dc=com” -f base.ldif

Step 10: lets migrate the users

Go to the directory /usr/share/migrationtools. Edit the file

# vim /usr/share/migrationtools/migrate_common.ph

Set:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = ”yourdomain.com”;
# Default base
$DEFAULT_BASE = ”dc=yourdomain,dc=com”;

#grep ”:5[0-9][0-9]” /etc/passwd > passwd
#grep ”:5[0-9][0-9]” /etc/group > group
#./migrate_passwd.pl passwd > users.ldif
#./migrate_group.pl group > group.ldif
#sed -e ”s/ou=Group/ou=Groups/g” group.ldif > groups.ldif
ldapadd -x -W -D ”cn=Manager,dc=yourdomain,dc=com” -f users.ldif
ldapadd -x -W -D ”cn=Manager,dc=yourdomain,dc=com” -f groups.ldif

Step 11: Testing the ldap server. We check if user mani exists

#ldapsearch -x ”cn=mani” -b ”dc=mycompany,dc=com”

If the test is successful your done

RHEL6 vsftp anonymous access selinux

Mon, 17 Oct 2011 12:25:51 +0100

RHEL6 vsftp anonymous access selinux

First install the vsftpd package

#yum install vsftpd

after that edit the /etc/vsftpd/vsftpd.conf

anonymous_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
local_root=/var/ftp/upload
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

then edit tcpwrappers /etc/hosts.allow

vsftpd: ALL

Lets set the iptables:

#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT

set rights and user for the upload dir:

#chmod 666 /var/ftp/upload

#chown ftp:ftp /var/ftp/upload

So now we need also a rule for selinux that the anonymous users are allowed to write or upload to my /var/ftp/upload directory

setsebool -P allow_ftpd_anon_write=1

you also need to set the correct filetype for selinux which is:

public_content_t

this can be done with the command:

chcon -t public_content_rw_t /var/ftp/upload

if you messed up to much with the types you could also use the command:

#restorecon /var/ftp/upload

RHEL6 virsh console domain

Mon, 17 Oct 2011 12:24:18 +0100

RHEL6 virsh console domain

To use the #virsh console command on a RHEL6 Virtual Server you need to configure the guests. If you do not configure them, this

Escape character is ^] Is all you get.

For RHEL6 clients you have to configure 2 files:

1./boot/grub/menu.lst
add the modification in bold:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
serial –unit=0 –speed=115200
terminal –timeout=10 console serial
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-71.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg_testhost-lv_root console=tty0 console=ttyS0,115200n8 rd_LVM_LV=vg_testhost/lv_root rd_LVM_LV=vg_testhost/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-71.el6.x86_64.img

1.and /etc/inittab
S0:2345:respawn:/sbin/agetty ttyS0 115200 linux

your done reboot the box.

DHCP is working good in RHEL6

Mon, 17 Oct 2011 08:52:45 +0100

DHCP is working good in RHEL6

Server Configuration:
Step1: install the following rpm

rpm -ivh dhcp-4.1.1-12.P1.el6.i686.rpm
Step 2: cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
Step 3: change the range of ip address as per your wish.
Step 4: service dhcpd restart
Step 5: chkconfig dhcpd on

Client Configuration:
Step 1: dhclient
Step 2: check the following file
/etc/resolv.conf

Sample file: Copy and paste the specified location /etc/dhcp/dhcpd.conf and get the dhcp service

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "jetking.com";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.1 192.168.0.10;
}

# This is a very basic subnet declaration..

subnet 10.254.239.0 netmask 255.255.255.224 {
range 10.254.239.10 10.254.239.20;
option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

subnet 10.254.239.32 netmask 255.255.255.224 {
range dynamic-bootp 10.254.239.40 10.254.239.60;
option broadcast-address 10.254.239.31;
option routers rtr-239-32-1.example.org;
}

# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
range 10.5.5.26 10.5.5.30;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 10.5.5.1;
option broadcast-address 10.5.5.31;
default-lease-time 600;
max-lease-time 7200;
}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

host passacaglia {
hardware ethernet 0:0:c0:5d:bd:95;
filename "vmunix.passacaglia";
server-name "toccata.fugue.com";
}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address fantasia.fugue.com;
}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

class "foo" {
match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

shared-network 224-29 {
subnet 10.17.224.0 netmask 255.255.255.0 {
option routers rtr-224.example.org;
}
subnet 10.0.29.0 netmask 255.255.255.0 {
option routers rtr-29.example.org;
}
pool {
allow members of "foo";
range 10.17.224.10 10.17.224.250;
}
pool {
deny members of "foo";
range 10.0.29.10 10.0.29.230;
}
}

RHEL secondary Name Server

Mon, 17 Oct 2011 08:28:12 +0100

RHEL secondary Name Server

Open /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//

options {
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;

// query-source address * port 53; (only needed when there is a FW between master an slave)
allow-transfer {192.168.1.104/24;}; (slaveip)
};

//
// a caching only nameserver config
//

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone “localhost” IN {
type master;
file “localhost.zone”;
allow-update { none; };
};

zone “yourdomain.com” IN {
type slave;
file “/var/named/yourdomain.com.zone”;
// allow-update { none; };
allow-transfer { 192.168.1.1/24; };
masters { 192.168.1.1; };
};

zone “1.168.192.in-addr.arpa” IN {
type slave;
file “/var/named/1.168.192.rev”;
// allow-update { none; };
allow-transfer { 192.168.1.1/24; };
masters { 192.168.1.1; };
};

include “/etc/rndc.key”;

Thats it. Restart the nameserver

RHEL6 and SElinux

Mon, 17 Oct 2011 08:27:24 +0100

RHEL6 and SElinux

One of the most important packages to run successfully RHEL6 and SElinux is the setroubleshoot package. It includes useful tools like the setroubleshoot daemon and utils like sealert, sestatus…..

So lets see whats the sestatus of my system:
[root@rhel1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

Ok so assuming i want to set up an ftp server. I know my configuration is correct. Permissions on the directories are set etc… But ftp still do not let me write to the directory. So i need to have a tool which shows me the audit.log of selinux. This can be done with sealert.

If you only have a console available and no X-Window System you can use the command

#sealert -a /var/log/audit/audit.log > myselinuxerrors.txt

or if you have gui

#sealert -b

Mostly you will find hints like

To let anonymous users write to a ftp directory set allow_ftpd_anon_write to 1

to do this just set

#setsebool -P allow_ftpd_anon_write=1

How To Install YUM Server in RHEL 6

Mon, 17 Oct 2011 08:24:09 +0100

How To Install YUM Server in RHEL 6

Step By Step Configration of Yum Server
1. mount /dev/cdrom /mnt
2 rpm -ivh /mnt/Server/Packages/vsftpd*
3. cp -rv /mnt/* /var/ftp/pub/
4. rpm -ivh /mnt/Server/Packages/delta*
5. rpm -ivh /mnt/Server/Packages/Pythen-delta*
6. rpm -ivh /mnt/Server/Packages/createrepo*
7. vi /etc/yum.repos.d/server.repo
[yum-server]
name= This is my RPM store
baseurl=file:///var/ftp/pub/
enable=1
gpgcheck=0
8. createrepo -v /var/ftp/pub
9. rm -rf /var/ftp/pub/.olddata
10. yum clean all
11. yum update
Now Your Yum Server is Configured