Monday, June 20, 2011
Puppet Configuration and Installation.
For example: suppose an organization requires you to disable Ctrl+Alt+Del on all of its servers by commenting out the
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
line of the /etc/inittab file.
Without a configuration management tool you will end up modifying the /etc/inittab file of each and every Linux machine by hand.
With a Puppet server, however, the task is easily done: all you need to do is keep a copy of the modified /etc/inittab on the Puppet server and distribute it to the Linux machines throughout your organization (provided they all have the same version of the /etc/inittab file).
There are many other things that can be implemented using Puppet.
For a basic configuration, please refer to the article below.
Server Side configuration:
Make sure you have the following rpms installed:
ruby-libs
ruby
facter
puppet-server
puppet
# rpm -ivh ruby-libs-1.8.6.111-1.i686.rpm
Preparing... ########################################### [100%]
1:ruby-libs ########################################### [100%]
# rpm -ivh ruby-1.8.6.111-1.i686.rpm
Preparing... ########################################### [100%]
1:ruby ########################################### [100%]
# rpm -ivh facter-1.5.1-1.el5.noarch.rpm
Preparing... ########################################### [100%]
1:facter ########################################### [100%]
# rpm -ivh puppet-0.24.5-1.el5.noarch.rpm
Preparing... ########################################### [100%]
1:puppet ########################################### [100%]
# rpm -ivh puppet-server-0.24.5-1.el5.noarch.rpm
Preparing... ########################################### [100%]
1:puppet-server ########################################### [100%]
After installing the necessary rpms, it is time to configure the server.
Store all your files at the following location (if the directory does not exist, create it using # mkdir -p /etc/puppet/files):
/etc/puppet/files
We will store the /etc/inittab file (with Ctrl+Alt+Del disabled) in the above location.
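Before the copy is placed under /etc/puppet/files it has to be edited, and after the catalog run you will want to confirm that the distributed file really took effect on the client. The shell functions below do both; they are an added example, not code from the original post or from Puppet, and assume a SysV-style inittab that contains the ca::ctrlaltdel: action line quoted above and a GNU sed (for the -i option).

```shell
#!/bin/sh
# Added example, not code from the original post: prepare the /etc/inittab copy
# that the Puppet master serves from /etc/puppet/files, and verify a client's
# copy after the catalog run. Assumes a SysV inittab containing the
# "ca::ctrlaltdel:" action line quoted in the post and GNU sed (for -i).

# Comment out the Ctrl+Alt+Del action in the inittab given as $1.
# Idempotent: a line that is already commented out no longer starts with
# "ca::" so it does not match and is left alone.
disable_ctrlaltdel() {
    sed -i 's/^ca::ctrlaltdel:/#&/' "$1"
}

# Return 0 when the inittab given as $1 has no active ctrlaltdel action,
# 1 when the reboot-on-Ctrl+Alt+Del line is still live. Run this on a
# client to confirm that the distributed file is in place.
ctrlaltdel_disabled() {
    ! grep -q '^ca::ctrlaltdel:' "$1"
}

# Typical use on the Puppet master (paths as in the post):
#   cp /etc/inittab /etc/puppet/files/inittab
#   disable_ctrlaltdel /etc/puppet/files/inittab
#   ctrlaltdel_disabled /etc/puppet/files/inittab && echo "ready to distribute"
```

The match is anchored at the start of the line, so the function can be run repeatedly (for example from cron on the master) without stacking up comment characters, and the check function returns a plain exit status so it can be used in a monitoring script.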
Now we will create the /etc/puppet/manifests/site.pp file.
This file holds all the Puppet rules in the form of classes.
class inittab_implement {
    file { "/etc/inittab":                   # this file will be managed on the client
        ensure => present,                   # check that the file exists; if not, create it
        mode   => 744,                       # permissions
        owner  => root,                      # owner
        group  => root,                      # group owner
        source => "puppet:///files/inittab"  # master copy served from /etc/puppet/files/inittab
    }
}
node 'default' {
    include inittab_implement
}
Now the last step is to modify /etc/puppet/fileserver.conf.
This file defines
1) the default location of the Puppet files, and
2) which client machines are allowed to fetch files from the Puppet server (this may differ from the example below depending on your network configuration; allow only the address range your clients actually occupy, since 10.0.0.0/8 admits every host in that range).
Edit the file and add the following:
[files]
    path /etc/puppet/files
    allow 10.0.0.0/8
Start the puppetmaster service on the server.
# service puppetmaster start
It is a good idea to add it to startup as well.
# chkconfig puppetmaster on
That is all for the server configuration; now let us talk about the client configuration.
Client Side configuration:
Make sure you have the following rpms installed:
ruby-libs
ruby
facter
puppet
# rpm -ivh ruby-libs-1.8.6.111-1.i686.rpm
Preparing... ########################################### [100%]
1:ruby-libs ########################################### [100%]
# rpm -ivh ruby-1.8.6.111-1.i686.rpm
Preparing... ########################################### [100%]
1:ruby ########################################### [100%]
# rpm -ivh facter-1.5.1-1.el5.noarch.rpm
Preparing... ########################################### [100%]
1:facter ########################################### [100%]
# rpm -ivh puppet-0.24.5-1.el5.noarch.rpm
Preparing... ########################################### [100%]
1:puppet ########################################### [100%]
Now edit the /etc/puppet/puppet.conf file and add the parameter below:
server = PuppetMaster.domain.com #(the host name of my Puppet server is PuppetMaster)
Make sure there is a matching entry in the /etc/hosts file on both the Puppet server and the Puppet client.
Edit the /etc/sysconfig/puppet file as shown below.
# The puppetmaster server
PUPPET_SERVER=PuppetMaster.domain.com
# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140
# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
PUPPET_EXTRA_OPTS=--waitforcert=60 # seconds the client waits between retries while its certificate is still unsigned on the server
For testing purposes the interval is set to 1 minute; you may set it a little higher once the testing is done.
Now start the puppet service and add it to startup.
# service puppet start
# chkconfig puppet on
You should now be able to run the command below.
# puppetd --server puppetmaster.domain.com --waitforcert 60 --test
Unfortunately I was getting the error below.
You may get this kind of error when the server and client clocks are not in sync (source: Google).
So I synced the time.
Yet I was facing the same issue.
The problem was with the client's SSL certificate, so I deleted the client cert using
# rm -rf /var/lib/puppet/ssl/
The next time I ran the command I got the following output.
So it had created a new certificate.
# puppetd --server puppetmaster.domain.com --waitforcert 60 --test
info: Creating a new certificate request for test-ovs-2.domain.com
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/test-ovs-2.domain.com.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Set to run 'one time'; exiting with no certificate
warning: Certificate validation failed; considering using the certname configuration option
err: Could not retrieve catalog: Certificates were not trusted: certificate verify failed
warning: Not using cache on failed catalog
Now run the command below on the Puppet server.
It should list the Puppet client.
# puppetca --list
puppetclient.domain.com
Now sign the Puppet client's certificate using
# puppetca --sign test-ovs-2.domain.com
Signed test-ovs-2.domain.com
Now try to execute the previous command on the client again.
# puppetd --server puppetmaster.domain.com --waitforcert 60 --test
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
53c53
< x:5:respawn:/etc/X11/prefdm -nodaemon
---
> #x:5:respawn:/etc/X11/prefdm -nodaemon
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /etc/inittab(5528f318b4fa5604efe51f3a8c5ca734)
info: //Node[default]/inittab_implement/File[/etc/inittab]: Filebucketed to with sum 5528f318b4fa5604efe51f3a8c5ca734
notice: //Node[default]/inittab_implement/File[/etc/inittab]/source: replacing from source puppet:///files/inittab with contents {md5}a43ac1c17a59b1facea7db112e69fb42
notice: Finished catalog run in 0.38 seconds
Now check the /etc/inittab file on the client machine; it should match the Puppet server's file (/etc/puppet/files/inittab).
I hope this article answered your basic queries about Puppet configuration and installation.
Wednesday, June 15, 2011
Password Hardening in Linux
Every protection against attack is in vain if we lose the root password.
Passwords of other (non-root) users are considered equally important when data theft is taken into account.
So let us implement it.
The system administrator must ensure that the password composition meets the following basic requirements.
1) A length of 8 characters.
2) At least one uppercase character, digit or special character.
Let us first observe the system's behaviour before implementing the password policies.
I added a new user rohan with the password oracle.
(oracle is not a strong password, hence a warning message was printed, but because root is allowed to override the warning the password was still changed to oracle.)
# useradd rohan
# passwd rohan
Changing password for user rohan.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Modify the /etc/pam.d/system-auth file.
Replace this line:
password requisite pam_cracklib.so try_first_pass retry=3
With this:
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=0
The line above ensures that the minimum password length will be 8.
A password must contain at least one lowercase character.
A password must contain at least one uppercase character.
A password must contain at least one decimal digit.
A password must contain at least one special (other) character.
The prompt (in case the previous attempt failed) will be repeated no more than 3 times.
The four parameters "lcredit", "ucredit", "dcredit", and "ocredit" set the maximum credit for lower-case, upper-case, numeric (digit), and non-alphanumeric (other) characters respectively.
Now try to log in to the machine as user rohan and change the password. Only a password matching the above criteria will be accepted; otherwise you will receive the following error.
passwd: Authentication token manipulation error
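As an added example (not from the original post and not pam_cracklib's own code), the shell function below reproduces pam_cracklib's documented length-with-credits rule so you can see what a given pam_cracklib line enforces before deploying it. The caveat a practitioner should know: positive credit values such as lcredit=1 are bonuses that let a password containing that class be shorter than minlen, not requirements; to make a character class mandatory, pam_cracklib takes a negative value (for example ucredit=-1 means "at least one uppercase character"). With the values above, the 7-character oracle1 passes the length rule while the 6-character oracle does not. The dictionary and similarity checks pam_cracklib also performs are not modelled here.

```shell
#!/bin/sh
# Added example, not code from the original post or from pam_cracklib:
# reproduce pam_cracklib's length-with-credits rule so the effect of
# minlen/lcredit/ucredit/dcredit/ocredit can be tried on sample passwords
# without editing /etc/pam.d/system-auth. Only the length rule is modelled.

# count_class PASSWORD TR_SET -> number of characters in PASSWORD that belong
# to the tr(1) character set TR_SET (e.g. 'a-z').
count_class() {
    echo $(( $(printf '%s' "$1" | tr -cd "$2" | wc -c) ))
}

# cracklib_length_ok PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Returns 0 if the password satisfies the length rule, 1 if it is "too simple".
# Rule: a class with credit >= 0 adds min(count, credit) to the password's
# score; a class with credit < 0 is mandatory and must occur at least
# -credit times. The score must reach MINLEN. cracklib itself also refuses
# anything shorter than 6 real characters regardless of credits.
cracklib_length_ok() {
    pw="$1"; minlen="$2"
    len=$(count_class "$pw" '\000-\377')
    lower=$(count_class "$pw" 'a-z')
    upper=$(count_class "$pw" 'A-Z')
    digit=$(count_class "$pw" '0-9')
    other=$((len - lower - upper - digit))

    score=$len
    for pair in "$lower:$3" "$upper:$4" "$digit:$5" "$other:$6"; do
        n=${pair%%:*}; credit=${pair#*:}
        if [ "$credit" -ge 0 ]; then
            # bonus, capped at the credit value
            [ "$n" -gt "$credit" ] && n=$credit
            score=$((score + n))
        elif [ "$n" -lt $((0 - credit)) ]; then
            # mandatory class not present often enough
            return 1
        fi
    done

    [ "$len" -ge 6 ] || return 1
    [ "$score" -ge "$minlen" ]
}

# report PASSWORD MINLEN L U D O -> prints a one-line verdict for the reader
report() {
    if cracklib_length_ok "$@"; then
        echo "$1: accepted by length rule (minlen=$2 l=$3 u=$4 d=$5 o=$6)"
    else
        echo "$1: too simple (minlen=$2 l=$3 u=$4 d=$5 o=$6)"
    fi
}

# The post's line versus a strict variant where every class is mandatory.
report oracle       8  1  1  1  0
report oracle1      8  1  1  1  0
report oracle1      8 -1 -1 -1 -1
report Oracle-2011  8 -1 -1 -1 -1
```

Running the block prints the verdicts for the four sample passwords. If the intent of the policy is "at least one character of each class", the strict form (negative credits) is the line to deploy; the credit form only raises the effective length requirement for single-class passwords.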
You may find the following articles useful for further study.
http://www.linuxquestions.org/questions/linux-newbie-8/how-to-implement-password-policies-846413/
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Please leave us your comments and queries/suggestions.
I will try to reply ASAP.
Wednesday, June 1, 2011
How to find big files and folders in Linux?
Use the following to find the largest directories.
#find / -type d -exec ls -ld {} \; |sort -nrk5|head
Use the following to find the largest files.
#find / -type f -exec ls -ld {} \; |sort -nrk5|head
The output may take time depending on your system's performance.
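Two caveats with the commands above: ls -ld on a directory reports the size of the directory entry itself, not the total of what it contains, so the directory variant does not find the folders that are actually eating the disk; and -exec forks one ls per file, which is what makes the run slow. The functions below, an added example that is not from the original post, use find -printf for files and du for directories instead. They assume GNU findutils and GNU coreutils (find -printf, du -x, sort -n).

```shell
#!/bin/sh
# Added example, not code from the original post: list the N largest regular
# files and the N largest directories (by total content) under a given root.
# Assumes GNU findutils (find -printf) and GNU coreutils (du, sort, head).

# largest_files ROOT [N] -> "size_in_bytes path", largest first, N lines
largest_files() {
    root="$1"; n="${2:-10}"
    # -xdev stays on one filesystem so /proc, /sys and network mounts are
    # skipped; -printf emits "size path" directly, so no ls is forked per file.
    find "$root" -xdev -type f -printf '%s %p\n' 2>/dev/null \
        | sort -nr | head -n "$n"
}

# largest_dirs ROOT [N] -> "kilobytes path", largest first, N lines
largest_dirs() {
    root="$1"; n="${2:-10}"
    # du sums the contents of each directory tree, which is what "largest
    # folder" means in practice; -x keeps it on one filesystem like -xdev.
    du -x -k "$root" 2>/dev/null | sort -nr | head -n "$n"
}

# Typical use (replace / with the mount point you are investigating):
#   largest_files / 10
#   largest_dirs  / 10
```

Both functions sort on the numeric first column, so the output is the same shape as the original commands but reflects real content sizes; on a large filesystem du still has to walk every inode, so expect the same wait the post mentions.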
How to Extend Root partition using LVM?
The Linux machine was allocated hard disk space of 5 GB.
The root partition itself occupied 4 GB of space and the rest was allocated to swap.
It was clear from the beginning that I was going to face a space crunch on the newly created machine.
Thankfully root was partitioned with LVM.
So I added a new hard disk of 8 GB and extended the / size.
I found the following post very useful.
http://www.turnkeylinux.org/blog/extending-lvm
I described my problem on the following forums and the replies were very informative.
http://www.unix.com/unix-dummies-questions-answers/160635-how-extend-root-partition.html#post302526559
http://www.linuxquestions.org/questions/showthread.php?p=4372596#post4372596
I learned not to grow the partition while it is mounted (especially /) and rather to use a live CD to do the same.