Refinishing The Deck

The deck at the house is a bit dried out and aged looking. We’d been on the lookout for someone to do the siding and decks as protection is needed here in the mountains. We’re closer to the sun and elements. As we were passing one of the homes up here, we spotted one of the yard signs for Mountain Woodcare. I called them and had them come out and provide a quote on refreshing the siding and deck. The owner, Jeremy (“J” or “Jay”) came out and after a pretty thorough review, he suggested the siding didn’t need to be done right now but the decks could certainly use some TLC. With the estimate and a quick discussion with Jeanne, we approved the work and they came out Monday last week to get started. We moved all the furniture and such off the deck so they could get right to work 🙂 Over the course of the week, they were out every day stripping the old paint off the rails and power washing everything with chemicals to get things nice and clean and ready for application of the stain and oil based sealant. There was even some sanding that was needed. By Friday they had it all done and it looked excellent. Of course I took before, during and after pictures because I like to be able to compare and see the improvements.

We’d discussed work on the decks with the previous owners and again with Jay. Jay said he recalls coming out to give an estimate but no followup. Based on the looks, it’s been 3 or 4 years at least since any maintenance was done on the decks. Fortunately a bit of maintenance and TLC brought the decks back to beauty.

We have essentially four decks. A Kitchen deck, a Master Bedroom Deck, a lower deck that fronts the entire house, and an Entryway deck (upper by the garage, stairs down to the front door and a deck that wraps around to the MBR bathroom). I’ll present each as a block of Before, During, and After pictures.

And as a note Jay was nice enough to take a few extra minutes to power wash the Gazebo. We’ll hit it with some fresh paint this week.

Kitchen Deck – Before

We were trying to show how dry all the wood was before the team got started. All the Before pictures try to catch it at different times of the day so you can see the differences.

Kitchen Deck – During

You can see the wood railings have been stripped and the deck washed. See how the water soaks in to the wood?

Kitchen Deck – After

And After looks great. Jay recommended a bit of a tint to the oil vs a clear oil as UV protection. The wood is apparently Brazilian Redwood. The thing to note later is the beading up of the water on the freshly oiled deck. Looking good.

Master Bedroom Deck – Before

Master Bedroom Deck – During

Master Bedroom Deck – After

Entryway Deck – Before

Entryway Deck – During

Entryway Deck – After

Lower Deck – Before

Lower Deck – During

Lower Deck – After

Posted in Colorado, Deck Refinish, Home Improvement, Rocky Knob

git Version Control for rcs Users – Synchronization

Now that I can check out files, edit them, and check them back in, the last step is syncing the files with the target server or servers. I’m trying to eliminate the extra static files by putting them into the repo rather than having them be a second area to manage. Part of the problem is other teams: we want them to be able to manage files without having to log in to the git server and manually touch the old static files.

It works pretty much the same as the previous configuration.

Copy the unixsvc public key to the target server(s).

Set up a script to do a pull and check for the error code.

If changes, use rsync to sync the data across.

Simple enough script. Set up a cron job to run every minute and the target server(s) will always be updated.
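A worked version of that cron script, added here as an illustration and not the author’s own script (the repository path, destination, exclude file and the `run` argument are assumptions). One refinement over “check the error code”: `git pull` exits 0 whether or not anything new arrived, so the script records the commit at HEAD before and after the pull and only rsyncs when they differ.

```sh
#!/bin/sh
# Added example sync script, not the author's. Meant to run from cron every
# minute as the unixsvc account; REPO, DEST and EXCLUDE are assumed locations.
REPO="${REPO:-/opt/git/projects/suite}"
DEST="${DEST:-unixsvc@target.example.internal:/usr/local/httpd/bin/}"
EXCLUDE="${EXCLUDE:-/opt/git/stage/exclude.suite}"

# head_rev prints the commit id at HEAD of the clone in $1, or "none" when the
# directory is not a repository (or git is not available).
head_rev() {
    git -C "$1" rev-parse HEAD 2>/dev/null || echo none
}

# needs_sync succeeds (exit 0) when the two commit ids differ, i.e. the pull
# brought in new commits and the target should be refreshed.
needs_sync() {
    [ "$1" != "$2" ]
}

# sync_if_changed pulls, compares HEAD before and after, and only then rsyncs.
# Exit status: 0 when nothing to do or the sync succeeded, 2 when the pull
# failed, otherwise rsync's own status.
sync_if_changed() {
    before=$(head_rev "$REPO")
    if ! git -C "$REPO" pull -q --ff-only; then
        echo "sync: git pull failed in $REPO" >&2
        return 2
    fi
    after=$(head_rev "$REPO")
    if needs_sync "$before" "$after"; then
        echo "sync: $before -> $after, refreshing $DEST"
        rsync -a --delete --exclude-from="$EXCLUDE" "$REPO/" "$DEST"
    fi
}

# Invoked from cron as "sync.sh run"; without the argument it only defines
# the functions, which is convenient for testing them.
case "${1:-}" in
    run) sync_if_changed ;;
esac
```

If a sync can ever take longer than a minute, wrap the cron entry in `flock` (for example `flock -n /var/lock/sync-suite.lock /path/to/sync.sh run`) so two runs never rsync the same tree at once; `--ff-only` likewise keeps an unexpected local change on the target clone from being silently merged.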

I need to test the heck out of this to make sure it works as expected, add the other projects, less the inventory and status ones (they’re websites), and finish documenting it so I can enable it at work.

Next up, gitlab and jenkins. Let’s try this through a web interface using “normal” DevOps.

Posted in Uncategorized

git Version Control for rcs Users – Setup and Usage

At least for someone like me where I’m the only person working on projects, the setup and usage of RCS and git are pretty straightforward. Once we get into team usage, it gets to be a bit more complicated. Right now the team can check out and check in a script but due to permissions, they aren’t able to sync the repositories. Fortunately the scripts do that every minute (checking for the flag file) but it’s a bit cumbersome.

Setup ssh git

There are a few bits that need to be done in order to get git set up.

1. Create the git user on the git server. Make sure you have sufficient space for all the code. I created a 30 gig slice in /opt/git and used it for git’s home directory.

useradd -c 'Git Service Account' -d /opt/git -m git
passwd git

2. You’ll need to add your public keys into git’s .ssh directory as ‘authorized_keys’. Do this for every server you will be pulling files from. Keep in mind that every key in that file can log in as the git user with a full shell, so limit it to the team’s keys (or give the git account git-shell as its login shell so key holders can only run git commands).

3. Create the Master repository on the git server. You won’t need to put any code into the directory but you do need to run ‘git init --bare’ to initialize it.

# Under git's home directory (/opt/git) so that git@server:projects/<name>
# resolves to these repositories when pushing over ssh
mkdir -p /opt/git/projects
for i in suite inventory status httpd kubernetes changelog admin newuser
do
  mkdir /opt/git/projects/$i
  cd /opt/git/projects/$i
  git init --bare
done
# the git account must own the repositories to accept pushes
chown -R git:git /opt/git/projects

The “--bare” option creates a bare repository: history only, with no working files. It marks this as the master (server-side) repository, not a user’s working directory. The working directory will be on your home system.

4. On your home system, create the local or working repository.

mkdir projects
cd projects

5. If you’re creating the first repository as I would for the ‘suite’ scripts, make the ‘suite’ directory and initialize it. You’ll want to set a couple of variables as well.

mkdir suite
cd suite
git init
git config --global user.name 'Carl Schelin'
git config --global user.email cschelin@west.com

6. Since I’m converting existing RCS files, I want to bring all the previous changes into git. I’m using rcs-fast-export, a Ruby script that imports all the RCS changes into git. You’ll want to run the script in the directory.

rcs-fast-export.rb . | git fast-import && git reset

Note – this script isn’t working for the inventory application. I suspect it’s because I have three places where the same file name is used but for different purposes. Do some testing before you commit the updates.

7. Once done, push the code up to the git server. This will depend on what you have set up to manage repositories.

git push git@lnmt1cuomgit1.internal.pri:projects/suite

And you’re done. The project is ready for the team to retrieve and manage.

Team Setup

1. Very similar to above, each member of the team will need to copy their ssh keys over to the git server. Concatenate it with git’s authorized_keys file.

2. Create a projects directory. Don’t forget to set your git environment variables.

mkdir projects
cd projects
git config --global user.name 'Carl Schelin'
git config --global user.email cschelin@west.com

And you’re ready to edit code.

Managing Code

1. Before you can do anything, you’ll need to retrieve the git project. For the first time, you’ll have to use the clone command.

git clone git@lnmt1cuomgit1.internal.pri:projects/suite

This will retrieve all the files associated with the project you want to manage.

2. For subsequent updates, you’ll want to pull files from the server.

git pull git@lnmt1cuomgit1.internal.pri:projects/suite

3. You’ll now have a ‘suite’ directory. Within that are a ‘bin’ and ‘etc’ directory. Files in these directories are managed by git. As you know from RCS, you need to check out and check in changes. Use the ‘checkout’ keyword to begin editing the files. Change to the ‘bin’ directory and check out the ‘chkserver’ script. (Note that git’s checkout is not RCS’s co -l: ‘git checkout chkserver’ restores the file from the last commit, discarding any uncommitted local edits, and it takes no lock. Editing the file directly is enough.)

cd suite/bin
git checkout chkserver

4. You can now edit the file. Once done, you’ll need to check it back in. It’s a two step process. You need to ‘add’ it back in and then ‘commit’ the change.

git add chkserver
git commit chkserver

Your editor of choice will display the current ‘git status’ as comments. Anything that’s not a comment becomes the commit message, which is what ‘git log’ shows.

5. Once done, you’ll need to upload changes to the master.

git push git@lnmt1cuomgit1.internal.pri:projects/suite master
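The setup steps 3 to 7 above and the Managing Code cycle, run end to end as an added example (not the author’s environment): a throwaway directory stands in for git@lnmt1cuomgit1.internal.pri:projects/suite, and all names, paths and the `run` argument are constructed for the demo. It also shows the point made in step 3, that ‘git checkout’ on a file throws away an uncommitted edit instead of locking it.

```sh
#!/bin/sh
# Added example (not the author's environment): steps 3-7 of the setup and the
# clone/edit/commit/push cycle, run in a throwaway directory where a local path
# stands in for git@lnmt1cuomgit1.internal.pri:projects/suite. All names are
# constructed for the demo.

# make_bare_repo does what step 3 does on the server: 'git init --bare' gives a
# repository with history only and no working files. HEAD is pointed at master
# explicitly so clones check out that branch whatever init.defaultBranch says.
make_bare_repo() {
    mkdir -p "$1" && git init -q --bare "$1" &&
        git -C "$1" symbolic-ref HEAD refs/heads/master
}

# is_bare prints "true" for a bare repository and "false" for a working clone.
is_bare() {
    git -C "$1" rev-parse --is-bare-repository
}

# set_identity is the step-5 git config, but --local so the demo leaves
# ~/.gitconfig alone.
set_identity() {
    git -C "$1" config user.name 'Demo User'
    git -C "$1" config user.email 'demo@example.invalid'
}

# init_work_repo is steps 4-6 on the home system: a working repository with
# one committed script (standing in for the rcs-fast-export import).
init_work_repo() {
    mkdir -p "$1/bin" && git -C "$1" init -q && set_identity "$1" || return 1
    printf '#!/bin/sh\necho "chkserver placeholder"\n' > "$1/bin/chkserver"
    git -C "$1" add bin/chkserver
    git -C "$1" commit -q -m 'Import chkserver from RCS'
}

# push_master is step 7 (and Managing Code step 5): push the current branch of
# clone $1 to the server repository $2 as master.
push_master() {
    git -C "$1" push -q "$2" HEAD:master
}

# server_head prints the commit the server holds on master.
server_head() {
    git -C "$1" rev-parse master
}

# clone_repo is the team's first retrieval (Managing Code step 1).
clone_repo() {
    git clone -q "$1" "$2" && set_identity "$2"
}

# checkout_discards_edit demonstrates the RCS/git mismatch in Managing Code
# step 3: it edits bin/chkserver in clone $1, runs 'git checkout' on the file
# as the page does, and prints "reverted" if the edit is gone or "kept" if it
# survived. git restores the file from the index, so the edit is lost.
checkout_discards_edit() {
    printf 'echo "local edit"\n' >> "$1/bin/chkserver"
    git -C "$1" checkout -q -- bin/chkserver
    if git -C "$1" diff --quiet -- bin/chkserver; then echo reverted; else echo kept; fi
}

# edit_and_push is steps 4 and 5 of Managing Code: change, add, commit, push.
edit_and_push() {
    printf 'echo "%s"\n' "$3" >> "$1/bin/chkserver"
    git -C "$1" add bin/chkserver
    git -C "$1" commit -q -m "$3"
    push_master "$1" "$2"
}

# Stand-alone run: "sh demo.sh run" walks the whole cycle in a temp dir.
case "${1:-}" in
run)
    tmp=$(mktemp -d)
    make_bare_repo "$tmp/server/projects/suite"
    init_work_repo "$tmp/projects/suite"
    push_master "$tmp/projects/suite" "$tmp/server/projects/suite"
    clone_repo "$tmp/server/projects/suite" "$tmp/team/suite"
    echo "checkout after a local edit: $(checkout_discards_edit "$tmp/team/suite")"
    edit_and_push "$tmp/team/suite" "$tmp/server/projects/suite" 'Add a check'
    echo "server master is now $(server_head "$tmp/server/projects/suite")"
    ;;
esac
```

Because nothing in git locks a file, two team members can edit the same script at once; the second push is rejected as non-fast-forward and that person pulls, merges, and pushes again, which is the git answer to what co -l prevented in RCS.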

git Commands

List of commands that you’ll find useful. I’ll add more as I explore.

  • git status – Show the status of the project
  • git log – Show the commit log for the project or, if you pass a file name, the commit log for that file.

Posted in Uncategorized

git Version Control for rcs Users – Background

As a Unix Systems Administrator, I’m a long time user of Revision Control System (RCS) to manage configuration files. My first time was in managing DNS Zone Files at NASA Headquarters. Over the past few years, I’ve been using RCS to manage my personal projects and work shell scripts. While I’m not the only one writing scripts and code, I believe I write the bulk of them. Anyway, I want to bring the team on board with managing scripts: adding theirs into revision control and making it easy for the team to manage their and my scripts. Then we, everyone on the team and any new team members, can do nothing but benefit from managing each other’s scripts.

In order to get myself set up, I need to come up with a git/rcs Rosetta Stone: not just commands but concepts. Taking the hacks I currently do to make RCS work in a team environment and bringing the team on board with documentation they can understand and use. This is done because I’m the one mainly using revision control for the scripts and I want to keep the history of the projects. Honestly though, it’s not super important to maintain the current history. Moving straight over to git with the existing files would also work fine and if problems occur, that’s what may happen. We’ll see as we progress.

There are plenty of git books and documentation but a Google search doesn’t really identify a tutorial for moving from managing files in RCS to managing files in git. And while RCS is pretty simple in general, I do have a few scripts to help in managing my coding environment. Since it’s RCS, there are additional hacks to make it work the way I want it to work, which make it more difficult for others on the team to manage it.

Background and environment setup first. Then some quick references to the rcs commands I’m using, followed by the scripts and data files I wrap around the rcs commands and a list of other scripts I use to manage the environment.

First off, you can poke at the various RCS books on line without too much trouble to see what RCS is and how it works. In general you have a directory of files. You can store versions in the current directory or create an RCS subdirectory and the RCS commands will store versions there. I prefer this method as it makes it cleaner when you’re viewing directories.

The environment:

code Directory

changelog
httpd
inventory
kubernetes
status
suite

makechangelog
makehttpd
makeinventory
makekubernetes
makestatus
makesuite

manifest.changelog
manifest.httpd
manifest.inventory
manifest.kubernetes
manifest.status
manifest.suite

* code – A set of directories that contain checked out scripts and RCS subdirectories.
** [project] – The source code for that project
** make[project] – A script that creates the provisioning directory structure using the manifest and copying all the files from the static directory.
** manifest.[project] – A file that contains all the scripts that belong to the project. I use a couple of symbols to create directories and list what’s being done.

archive Directory

Archived data. Either code bits that aren’t useful any more (in a [project] directory) or older data files. I like to maintain the data imports for historical purposes.

static Directory

The most current files that aren’t code. Spreadsheet .csv files for importing, pictures, data files, etc.

stage Directory

changelog
httpd
inventory
kubernetes
status
suite
tcpdf

exclude.changelog
exclude.httpd
exclude.inventory
exclude.kubernetes
exclude.status
exclude.suite
exclude.tcpdf

syncchangelog
synchttpd
syncinventory
synckubernetes
syncstatus
syncsuite

* stage – The provisioning staging area. The make[project] script copies the code and all the static data for the project into this directory under a [project] subdirectory.
** [project] – The staged files for the project.
** exclude.[project] – Files and directories that aren’t to be synchronized.
** sync[project] – The script that uses rsync to synchronize the directory structure (code and static data) out to the various servers as required.

scripts Directory

A project’s working directory for:

* [project] – An individual’s working directory for any scripts.
* /var/www/html – My php working directory for three projects.

The sync[project] scripts are run every minute out of cron. They’re looking for a sync.[project] file which was created by the make[project] script.

The make[project] scripts are run every night at 1am. This ensures the scripts are up to date even if a sync wasn’t performed earlier.
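The sync.[project] flag handshake between make[project] and the cron-driven sync[project], as an added example rather than the author’s scripts (the stage path, project name and `run` argument are assumptions). The one refinement over a plain “check for the flag, rsync, delete the flag” is that the flag is renamed before the copy starts, so a make that finishes while a sync is still running raises a fresh flag instead of having its request deleted with the old one.

```sh
#!/bin/sh
# Added example, not the author's make[project]/sync[project] scripts. It shows
# the sync.[project] flag-file handshake they use. STAGE is an assumed path.
STAGE="${STAGE:-$HOME/stage}"

# request_sync is the last thing make[project] does: raise the flag.
request_sync() {
    : > "$STAGE/sync.$1"
}

# sync_pending succeeds (exit 0) when a flag for project $1 is waiting.
sync_pending() {
    [ -f "$STAGE/sync.$1" ]
}

# transport copies the staged tree $1 to target $3 honouring exclude file $2.
# rsync is used when present; otherwise a plain recursive copy (which ignores
# the exclude list) so the handshake can still be exercised without rsync.
transport() {
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete --exclude-from="$2" "$1/" "$3"
    else
        cp -R "$1/." "$3"
    fi
}

# run_sync is the body of sync[project] as cron runs it every minute: if a
# flag is up, take it (rename, so a request arriving mid-sync is not lost),
# copy, and only drop the taken flag when the copy succeeded. A failed copy
# puts the flag back so the next minute retries instead of losing the sync.
run_sync() {
    project=$1
    target=$2
    sync_pending "$project" || return 0
    mv "$STAGE/sync.$project" "$STAGE/sync.$project.inprogress" || return 1
    if transport "$STAGE/$project" "$STAGE/exclude.$project" "$target" 2>/dev/null; then
        rm -f "$STAGE/sync.$project.inprogress"
        return 0
    fi
    mv "$STAGE/sync.$project.inprogress" "$STAGE/sync.$project"
    return 1
}

# Invoked from cron as "syncsuite run <target>"; without "run" it only
# defines the functions.
case "${1:-}" in
    run) run_sync suite "${2:?target required}" ;;
esac
```

The nightly 1am make[project] run described above still acts as the backstop: if a sync keeps failing, the flag stays up and the failure is visible in the stage directory rather than silently forgotten.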

The rcs commands I use:

* co – With the -l(ock) option, check out the current revision, place it in the current directory, and lock the revision. This prevents others from updating the script.
* ci – With the -u(nlock) option, check in, don’t lock the script, and leave the original in place for further editing.
* rlog – Show the history of the script.

There are a lot more options and commands but as it’s just me, I haven’t needed to explore too far. These three commands do everything I need.

The script wrappers I use:

I have several scripts I use to manage the environment. There are things I want to do to make sure work is complete and that all files are included when provisioning.

* check – This is a wrapper around the various check scripts. It greps out the comments from each check script and then lists all the scripts.
* checkdiff – Compares the passed script name with the master script to show you the differences between the two.
* checkin – Runs a ‘checkdiff’ command to show the differences between the two scripts, then runs the RCS ci -u command. As ci doesn’t show differences, I wanted to be able to see what had changed so I could properly document the change.
* checkinstall – Runs through the working directory and returns a file name if a script exists in the working directory but not in the master code directory.
* checkmanifest – Parses the manifest file and reports any files that are checked out and being worked on in the working directory.
* checkout – Sees if there’s a difference between the master script and the current script. If so, it simply exits. Otherwise it checks out the script and copies it into your working directory.
* checkrw – Basically checks for any script in the code directory that has ‘rw’ permissions indicating it’s been checked out. I use it to make sure I haven’t missed any scripts when checking in several.

In the code directory, I have a few scripts that help manage the code.

* findcount – This script essentially creates a list of all files in the project and writes it to a countall file. It also counts lines of code, comments, etc for statistical purposes.
** countall – The list of all files in the project.
** countall.backup – The make[project] script runs a diff against the countall and countall.backup files. If there’s a difference, the script exits without creating the staging directory. To correct, just copy the countall file over the countall.backup file.
** fixsettings – This script makes sure the settings.php configuration file exists in every directory.
** searchall – This script does a search of every file in the working directory for the passed keyword. Helpful when searching for all instances of a keyword.

Where do the files go?

* Inventory – The inventory project goes to three servers in /usr/local/httpd/htsecure.
* php Scripts – This goes to four servers including the Ansible server to build host files. In /usr/local/httpd/bin.
* Shell Scripts – These scripts go to just the Jumpstart server and are then synced across all 1,200 servers.
* Kubernetes – These scripts go to each of the Kubernetes clusters in /var/tmp/kubernetes.

As you can see, there are several scripts and the environment is really configured for one person.

The goal is to document how to create your own working server using VirtualBox. One problem with a tool like Vagrant is that the work environment doesn’t permit access to outside sites without going through a proxy, so setting up an environment that can be used at work will be beneficial.

1. Create your working environment using VirtualBox. You need a working directory plus a web site for testing the two web projects.
2. Create a Source Code Control git server. I’m using ssh to retrieve projects.
3. Pull the project code to your working server.
4. Check out project code.
5. Check in project code.
6. Push the project code back to the git server.
7. Provision project code to the various servers as listed above.

But the documentation needs to reference the existing environment in order for the new commands and processes to be understood.

Posted in Computers

The New Game Room

I’ve spent the past week moving boxes from the garage into the new house. Mainly into the new Library/Guest Bedroom, Studio/Media Room, and Game Room. Part of this was getting shelves in place and boxes stashed where appropriate. Part was unpacking boxes and putting books and games on shelves. And of course, assembling the gaming table. The table itself is actually four 3’x3′ modules but due to the space taken by the couch, only two squares were assembled. It works pretty well as a board gaming table though.

At the moment, the three Kallax shelves on the left are full of board games along with the top two shelves on the far right Kallax shelves. The right most two Kallax shelves are all RPGs with the bottom three shelves of the last one holding RPGs. The last shelf unit is a bit more haphazard in part because I found several boxes of games when I was unpacking the Library.

For your viewing pleasure, here’s the Game Room:

As these were taken in the dark, here’s a pic from the original sale site:

And another one with a bit of precipitation 🙂

Posted in Gaming

New House!

That’s right. Both Jeanne and I are moving. She’s sold her place in Thornton and should be pretty much moved out by Saturday and I’m busy boxing up all my stuff and working around the house to put it up on the market.

We’re moving up into the mountains. A whole different way of living. More snow. Wildlife (including rodents and moose!). And working from home from time to time 🙂

The new place?

Woah! Very very nice picture.

About a month back, Jeanne, Abi, and I were out driving in the mountains. As is our habit, we’ll stop and snag a flyer for a house for sale. I’ve been checking out the Land For Sale site on the ‘net for several years and Jeanne and I have been poking at different types of sites for the past year since she was selling her place. More of a place farther away that we can use for weekends or vacations, either land or a less expensive house. During that drive we went a bit farther up Magnolia Road off of 119 here in Colorado (west of Boulder) and snagged a flyer from a 37 acre horse ranch up for sale for 1.1 million. Lots and lots of money but one of my biggest criteria for moving into the mountains is high speed internet which this place claimed to have. So we decided to see if we can walk through the place and check it out.

Generally you have to have a relationship with a realtor before you can do such things which has kept us from going further in the past but in this case Jeanne had a realtor because she was selling her place. Parvin was nice enough to help us out and got us permission to view the site. It fit a lot of the requirements I had for a mountain place. Nice house with decent floor space, high speed internet, and lots of walking around space on the property. While 1.1 million sounds pretty high (it is really 🙂 ), we decided to further check it out financially and see if we could afford it.

Zillow Listing

With how much we make, what we anticipated to receive from selling both of our homes, I figured we could just make buying this place. It would be right on the edge of the recommended monthly payment. But Jeanne is paying for Abi’s apartment right now which pretty much keeps this just a bit out of reach. Just a tiny bit 🙂

While we were looking at this place though, we did some hunting on Zillow to see what else was available and closer to our range. We spotted several places that sort of fit our criteria but there were slight problems here and there. One place was on a flatter piece of property but not far past Peak to Peak on Rt 7. Another place had 25 acres but the views weren’t quite what we wanted either (and it was partly in a burn area). But this place really struck us.

Zillow Listing

Front looking up the hill. Note that the blue bits are 8″ Trombe Walls. A passive solar heating system:

And looking down the hill. There’s a 1 car garage at the top followed by a 2 car garage, and then the house. There’s a gazebo you can see to the left of the picture and below that is a fire pit.

Obviously the picture was stupendous and the pics of the interior were outstanding as well. Space wise it’s almost as big as my place (3,300 vs 3,500 sqft) but it’s in fewer rooms so there is spaciousness.

All the pictures from the Zillow site.

Awesome living room views:

And master bedroom. The blinds are controlled via remote:

Master bedroom deck 😀

Computers and guitars go into the blue room (under the master bedroom):

Guest bedroom and library go into the pink room (under the kitchen):

And the game shelves and table (and games) go into the center room (under the living room):

There are two mud rooms (the small brown and blue rooms with doors) that may hold shelves as well depending on space and where things will fit.

Check the rest of the pictures above for more pics of the interior, views, and exterior (and animals 😀 ).

We went up during some snowy weather which was awesome. We saw deer/elk and a pair of moose!

In checking out the “House Book”, we found the owners had done about $85,000 in work around the house and property over the past 2 years. I’m hoping the book remains as there’s an interesting article on what the house originally looked like. And there’s a HOA, which we’re not fond of, however the $19 a month fee is basically for snow plow work. Cool beans.

We did some wandering around the next time we visited in order to check out the site further and see if we wanted to bid.

We spoke to their real estate agent, Jackie, who gave us some additional information about the house and helped us poke around a bit. We found someone else had placed a bid on the house and were told we had until Monday noon to respond with a bid if we were interested.

We’d also been speaking with a lender who was requesting documentation from us. Portia gave us the thumbs up. Based on what she had, she felt we had no problem affording the house.

After discussing it over the weekend, reviewing finances, and reviewing what it would take to sell my place, we decided to place a bid.

We were a bit anxious Monday as we waited to see if the other family would counter and as 2pm rolled around (when the buyers would decide), we got a call from Parvin.

We got the house!

Friday we headed up to the house for the Inspection. Duane was our inspector and did Jeanne’s pre-inspection. We found:

o flashing on the roof was up
o hole in blue bedroom
o drain from water heater didn’t reach the floor drain
o garage door tension too high
o what looked like a hole in the siding from the MBR to the outside
o bird nest in the side of the garage (hole in the siding and bird poop on the wall and ground)
o damage to the siding of the house
o two wires into a single circuit in the electrical box

There were several other very minor recommendations. After some rewording, Parvin sent our objections and the buyers responded with they’ll correct the flashing, hole in the bedroom, water heater drain, and garage door tension. The rest were explained to our satisfaction.

Per the buyer, he’d purchased some special seed and dirt for gardening if we were interested and he’d worked the house up to be a “smart home”. He was willing to get with us to show us how things worked and I’d snag some items from the ‘net to get smarter as well. Oh and internet was tested at 20/7. Not the fastest but fast enough to work from home (I tested it).

Update: He will fix the flashing, the drain, and the garage doors.

The “hole” was a reflection of the insulation wrap. The hole was for another light. Apparently the original deck went around farther and this was for the light fixture. The problem in the bedroom (hole) was access to move some electrical wires around when he was redoing the bathroom. The bird nest, we thought was a woodpecker and we were concerned. Turns out it’s a swallow’s nest and they eat the bugs that fly around. So we’re cool with that.

We spoke to him last week as well and he gave us a lot of information about living in the mountains and the things you need to do. From the trash/recycle drop off point to window washing service to the cistern to various other tidbits. Good stuff that.

We also brought up a handful of things we’d like to keep and he was pretty cool with most of it. We just needed to provide an offer and he’ll let us know.

We also got our assessment back. Very very good news. Value is 2k more than we offered. Excellent!

Still going forward. 26th of May is closing. Packing like crazy at my place. New roof ($10,000 bucks), finish with the wood floor redo, painting the colorful rooms, getting it ready to be shown. Cross fingers!

Update: We both took a few days off to get ready. On Thursday the 25th we walked through the house and property to make sure it was all there. 🙂 Friday morning we packed up both cars with boxes and such from the old place and headed to Boulder for the signing. Fun as always as we both had to sign a bunch of papers. His daughter was nice enough to let us keep a picture of a kitten for Jeanne’s daughter so we gave her a thank you card and a couple of gift cards. After the signing (lots of paper!) we made a right turn out onto Canyon Road and headed up to our new place!

My PODS pod was delivered Friday as well and Saturday a couple of friends helped by coming up to help unpack the pod into the garage. They also volunteered their truck so we were able to make a couple of runs to get some bigger gear to the house. Went out for pizza at the place in Nederland. Pretty nice actually.

Over the next week we drove down to my place to pick up gear and bring it to the new place. Up to three trips a day. Saturday we rented a U-Haul and loaded it up with furniture. See Jeanne was supposed to get her stuff from Storage on the 26th but they forgot to write it down so she didn’t get it until the 3rd. We got the furniture unloaded and into the house along with the currently non-working motorcycles (2). I also rode my bikes up and parked them. When I rode the Hayabusa, I went through a pea-sized hail storm (not that the storm was small but the hail was large 🙂 ).

We snagged a U-haul for a second Saturday for another load. This was hurry-scurry as folks were coming out at 11 and we couldn’t get the truck until 10. We got the tool chest, end tables, TV stand, and big TV along with a bunch of rakes and the cart.

Over the next week or so, I moved all the boxes (and just the boxes mainly) into the appropriate rooms. Books for Library/Guest bedroom, games for the game room, music for the media room.

Housewarming Party on the 17th so we’ve been hurrying, getting things unpacked and put away and boxes removed. I purchased another 3 Kallax Ikea shelves for a total of 6 and had to put them all together. Then Jeanne and I spent an evening unpacking games and putting them on the shelves.

Can’t wait for the 18th and we can settle down a bit.

Posted in Colorado, Rocky Knob

Media Bubbles

Back when I was first starting out in life on my own, I read the Reader’s Digest. Initially for the jokes and Word Power and some articles that piqued my interest. As I expanded my reading to newspapers (Washington Post and local papers), I found the Reader’s Digest was pretty clearly a Christian oriented magazine and spun news in ways positive to being a Christian. Of course, negative spin on non-Christian activities. They were interesting but I found the actual News was more accurate. It was News. Simple reporting on the facts without apparent spin. I did read the opinion columns on the Editorial page (inside back page of the A section) with William Raspberry being one of the more columnists. As I got older, I did pick up a few other papers now and then. The Washington Times and USA Today when it started out. I found they also spun News articles but in a way that didn’t align with my own leanings. I felt the Washington Post was reporting accurately. Certainly it reported News in a way I accepted.

Internet is next though. Folks now think of Facebook and maybe MySpace if you’re a bit older. But back when I first got on the ‘net, it was Usenet. Usenet had all sorts of interesting groups. Technical support groups for just about anything you could think of, no matter how obscure. Recreational groups like rec.humor and rec.humor.funny. But others as well, again on just about anything you could think of. As groups needed to be approved for transfer, there were groups that were somewhat frivolous, fringe, or even illegal. These were the Alternative groups. You could find interesting stuff of course like alt.folklore.urban, but you really had to be thoughtful as to where you wandered or you might get into some bad stuff. Note that much of the FAQ from that group turned into Snopes.

Then email. Sure, email has been available for quite some time already but now we have family members and non-technical friends getting email. Mainly from work but you had AOL for personal access. The problem here were the silly Urban Folklore stuff folks would pass around to all their friends. “Can you believe this?” I’d check alt.folklore.urban’s FAQ and then Snopes and send links to Snopes off to friends and family. Eventually either they checked Snopes first or realized I wasn’t going to “OMG” the email and pass it along and dropped me from their distributions 🙂

Back to the News though. I’d get interesting news bits that aligned with my own standards from Usenet. The bulk of it is technical, how it relates to what I do professionally and as a hobby. I remember an old article on Microsoft and how they didn’t have much of a Government Lobby for their products (Windows) to advance their agenda. But News that was relevant to my own niche. Oh I read the Paper but was getting more and more annoyed with the number of Ads. There’d be a 3/4 column with a couple of continuations in column 2 and 3 but 3/4 or more of the page were Ads. And in the middle of Section A, two or four full page Ads. At one point I considered getting two papers and cutting out the Ads just to see how much actual News there was in the paper.

Bit of a side note, a lot of the tech and “Guy Stuff” were advertised or reported on in the Sports section. As I didn’t follow sports, I seldom saw these ads. I did read the Lifestyle section so I got to see all the less “Guy” Ads.

I do want to point out something that is relevant to where I’m going here. Way back when there were only a few channels on TV, the Fairness Doctrine was enacted. This ensured that, due to the limited access to News, TV Channels must provide access to folks who wanted to discuss controversial issues, forcing these channels to be ‘honest, equitable, and balanced’. In 1987, President Reagan pressured the FCC to eliminate this Doctrine due to the availability of Cable Television, so folks could get alternate viewpoints from an alternate channel on Cable.

I find this problematic as folks would actually have to find these channels and would then be in their own little bubble. Mainstream News organizations like ABC, CBS, and NBC didn’t need to present these viewpoints any more. To me, this is the start of the Media Bubble. From a conspiracy view point, Fox itself, a channel that was mostly the alternate local station in most regions, was consolidated by Rupert Murdoch in 1985. Could pressure from Rupert Murdoch have influenced the GOP?

Read about The Fairness Doctrine here.

As to Politics and the Media Bubble. In general I was somewhat aware of politics. Not active and not more than being aware of various bits as they occurred. I did vote, in general, but didn’t really follow all the things going on. As I got older, I did start paying more attention. A little at a time. I did think a businessman as president might prove to be good for the country. Lee Iacocca and Ross Perot were the ones I was thinking of. One of the ones I really paid attention to was in the mid-90s. A measure came up for vote about raising sales tax up from 4% to 4.5%. In reading the news and paying some attention, I voted against. My reasoning mainly was the county (Fairfax) wasn’t doing a good job with my existing tax money. Why give them more? The response after the measure failed was surprise by the business folks.

Since then I’ve gotten more thoughtful in my voting and in understanding issues as they pertain to me and to my beliefs. Still not keeping up on every little thing. Once voting, kind of let things run. Only pay attention when it’s time to vote again. In addition, I’m reading more online. Digital news. But really only when things pop up in one of my various discussion sites. Meaning generally related to my hobbies. Motorcycles, gaming, and computers. Occasionally something political would pop up and of course watching the Presidential elections.

And over the past 20 years, we’ve had more folks get online. It’s easier to create websites and post content. You can pretty much find any conspiracy theory web site from Anti-Vaxxers to ChemTrails to, well, whatever feeds your beliefs. GeoCities and then MySpace gave you a single place to post such things. Then sites like reddit where you can create sub-reddits for just about anything. And of course Social Media pops up. It’s cool to keep in touch with family and friends but you’re now open to those same weird emails you got from Grandma about coke dissolving a steak overnight. You can respond with ‘this is nonsense’ but Grandma has 100,000 other friends and now she’s a force to be reckoned with. With Obama getting in office, even more silly things popped up like the Birther nonsense or Secret Muslim or maneuvers in Texas where he’ll be taking over the US. Ultimately I just blocked the sites my family and friends posted.

With the recent election, I was paying about the same attention as usual. Reading the same sites and keeping up on the news. I don’t watch Fox News as they’re pretty right leaning and their opinion folks are pretty out there to me.

But.

As we led up and Trump became the front runner, I was seeing more false stories showing up on my Facebook feed. I posted rebuttals and advisories about reading further into what’s posted but as we know, false stories feed narratives, feed folks’ beliefs. These things spread over Social Media like wildfire. You can try to prove they’re wrong but Grandma’s 100,000 Granny Force is bigger than you, little peep. I posted queries several times after all the ‘Fake News’ quotes Trump spouted. “What news are you reading or watching?” But no response. I worked on expanding my own reading beyond the tidbits I got here and there from the Washington Post, New York Times, CNN, and BBC. Some folks steered me to Al Jazeera which I was hesitant about but did read a few articles and of course NPR which I did occasionally read an article on, but more oriented to my hobbies.

An interesting Pew Report on news after the election pointed out that the majority of Conservative voters got most of their news from Fox News (40%) with the next at 8% for CNN. But Liberal voters were spread around much more evenly, reading a broad range of news. And that was interesting. Folks speak of Media Bubbles but it appears the biggest bubble is on the Conservative side, unless you assume every other news organization is Liberal.

Anyway, I’ve expanded further. I purchased subscriptions to both The Washington Post and the New York Times and even created an account on Fox where I do read an occasional article. Yes, they’re biased but I can compare their bias with every other news organization and their biases.

Posted in About Carl

RHCE Test

Well, when I took the test last time I received a 130 score. Total possible is 300 and 210 is passing so not all that good. Studying was mainly for the extra stuff we don’t do; SELinux and firewalld, and stuff we don’t do often like manage systems through yum (package manager), NFS, and Samba. And you have to break into the system (reset root’s password) in order to proceed. I was beating my head trying to figure that one out.

Since then I’ve built a replacement firewall for my home environment using firewalld so I’m more familiar with it and at work we’ve started working with Satellite and yum to manage systems so I’m a lot more familiar with that.

Okay, study deeper this time. I have a more robust environment and can set up and use the same sorts of tools that will be used on the exam. I snagged a book to study and did a few blog posts here to document how things actually worked for me. I memorized how to accomplish some tasks in the ‘Red Hat Way’ vs just editing a file to make a change. Installed selinux on all servers and configured firewalld.

Took the test. 193 score. Sooo close.

Observations:

First main observation after discussing it with Jeanne. I really don’t study for these sorts of things. I’m validating my own knowledge. So testing on things we don’t do will be my blind spot. In this case I did hit the books more over the two weeks prior to the test but clearly that wasn’t enough.

For example, I set up a kerberos server and client several times in the 2 weeks prior to the test. Had that down without a problem. One of the tasks is to set up a kerberos server. Running kadmin builds the keyfile, a random hash used to encrypt sessions. It can take minutes to generate as it’s pulling information from random this or that, /dev/urandom and things like that. In the test, they simply provided the key file. The problem? Where does the file go??? As I don’t use Kerberos to actually manage users, I really didn’t know where the file belongs. Didn’t even know where to look for the information. I set up the configurations on the server and client including the NFS kerberos configuration but had no idea if it would have worked.

There were other odd things that slowed me down. One of the requirements is to set up a bonded/teamed interface. The systems have three interfaces; eth0, eth1, and eth2. eth0 is the main interface and eth1 and eth2 are to be bonded. The bond should work if either interface is down. Standard bonding. I’ve been doing it at work for the past 9 years including Solaris IPMI. But I’m trying to use the RH7 commands so nmcli con add but I added eth0. Rats. Use nmcli to reconfigure eth0 and then properly configure bond0 with eth1 and eth2. Unfortunately, and it took minutes for me to figure it out, eth0 wasn’t managed using nmcli. I had to check the other system’s ifcfg-eth0 file to recreate the first system’s ifcfg-eth0 file and move forward. Plus there was some issue with eth2.

Same thing with IPv6. Change the following IPs on eth0. I know the commands for nmcli but not what the actual keywords are. Is it IPADDR6 (that didn’t work) or what? Blah!

I got the iSCSI server set up but couldn’t get the client talking to it. It was using a block device, which I did get working on my home sandbox. Troubleshooting it was a pain, especially when you can’t pop out to google to query some log messages (if there were any).

Heck, I even got the NFS mount working with SELinux (semanage fcontext -a -t public_content_rw_t "/shared(/.*)?" top of my head; I’ll check the page to be sure 🙂 ).

Anyway, signed up for another test and I’ll beat on the sandbox again even harder.

Posted in Uncategorized

Skiing!

I planned out our Valentine’s week vacation starting last February. Scheduled the room, bought two season passes last summer, paid for a semi-private ski lesson for her (5 person vs a 20 group), all out.

Got there Saturday, rented boots for her, and skis and poles for us. Got settled and Sunday morning, went to Winter Park. Took a bit to find her class and I headed up to get my legs back. Been 8 years since I’d been up so it took a couple of runs to get it back. Finally at 3:30 I headed down, picked her up, back to the room and out to dinner.

Personally I’m partial to Chicken Marsala so I ordered Pollo al Marsala. Fettuccini was a bit cheesier than I prefer and virtually no marsala flavor in my opinion. An okay meal but not outstanding. I once gave a $20 tip directly to a cook due to an outstanding Chicken Marsala I had for dinner.

Anyway, 4am rolls around. Up, bathroom, NOW!

Food poisoning. I spent the day Monday either in bed or in the bathroom with dinner making its escape any way it could. By the third time, I was releasing Friday’s breakfast and hoping for death. Jeanne comforted me and made sure I had fluids to stay hydrated. Fruit Juice Gatorade is horrible.

I felt a bit better that night and Tuesday we tentatively headed out for breakfast. I opted for oatmeal and toast and was only able to eat about half and a couple of bites of toast. We did some slight walking but I was pretty weak. But not hungry. All day.

We finally hit a different place for Valentine’s dinner. I had trout to have something mild but only had about half. Still full feeling from breakfast.

Wednesday morning. Now Jeanne is ill. I suspect close association due to us being in the one room while I was sick. I did wash hands and face and brush teeth but floating particles and all. As I was still full feeling, easily out of breath, and weak, I said we should just bail 2 days early. We won’t be well enough to ski but at least we’ll be away from the pest hole.

Took several pauses in getting packed and out. I helped Jeanne out, checked out (and yes, informed the staff -again- about our sickness and the room). Two hour ride home, not too bad. Didn’t need to stop. Washed -all- clothes whether or not we wore them. Crashed Thursday.

I checked in with my health care provider. “Hey, still liquid poo, feel full, ideas?” She said probably an inflamed intestinal tract. Eat bland foods for a few days to reduce irritation and it’ll get better. So bananas, rice, applesauce, tea, and toast. Better today but not fully restored.

So. We skied for a few hours Sunday. Wheee.

On the plus side, Jeanne was super worried about learning to ski. She’s a lot more confident and ready to go again, maybe for a Saturday jaunt in 2 weeks.

But meals next time are at Wendy’s!

Posted in Uncategorized

RHCE Cheat Sheet

Just the commands ma’am. I can follow the links and read the books but ultimately I just want a cheat sheet to remind me what the actual commands are after all this studying.

Memorize This!

The following bits are the harder to remember, less often used bits. Basically commands with options I tend to forget.
Networking: nmcli con add type team con-name myteam0 ifname team0 config '{ "runner": {"name": "loadbalance"}}'
iSCSI: iscsiadm --mode discovery --type sendtargets --portal 192.168.1.53 --discover
iSCSI: iscsiadm --mode node --targetname iqn.2017-02.pri.internal:target --portal 192.168.1.53:3260 --login
HTTP: openssl req -new -x509 -nodes -out /etc/pki/tls/certs/host.internal.pri.crt -keyout /etc/pki/tls/private/host.internal.pri.key -days 365
Kerberos/NFS: mount -t nfs4 -o sec=krb5 enwd1cuomnfss1.internal.pri:/home/tools /mnt
MariaDB: grant all on test.* to user@localhost identified by 'password';

Password Reset 1

At boot kernel screen
‘e’ to edit
At linux16, add rd.break enforcing=0
Ctrl-X to start
At prompt, mount -o remount,rw /sysroot
chroot /sysroot
passwd (change root password)
SELinux: /etc/shadow needs relabeling afterwards, with one of:
restorecon /etc/shadow
touch /.autorelabel (works but is slow as it relabels the whole system)
exit, exit

Password Reset 2

At boot kernel menu, ‘e’ to edit
At linux line, remove rhgb and add init=/bin/sh
At shell, /usr/sbin/load_policy -i
At shell, mount -o remount,rw /
At shell, passwd root
At shell, mount -o remount,ro / (flushes memory)
exit, exit

Networking

man nmcli-examples
nmcli con add con-name ens256 ifname ens256 type ethernet ip4 192.168.1.203/24 gw4 192.168.1.1
nmcli con mod my-con-em1 ipv4.dns "192.168.1.1"
nmcli con mod my-con-em1 +ipv4.dns 8.8.8.8
nmcli con mod my-con-em1 ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844"
nmcli con mod ens256 ipv4.never-default yes
nmcli -p con show ens256

Networking: Bonding

nmcli con show
nmcli con add type bond con-name mybond0 ifname bond0 mode active-backup
7.0: nmcli con mod mybond0 ipv4.addresses "192.168.1.10/24 192.168.1.1"
7.0: nmcli con mod mybond0 ipv4.method manual
7.1: nmcli con mod mybond0 ipv4.addresses 192.168.1.10/24
7.1: nmcli con mod mybond0 ipv4.gateway 192.168.1.1
7.1: nmcli con mod mybond0 ipv4.method manual
nmcli con add type bond-slave con-name bond0-eth0 ifname eth0 master bond0
nmcli con add type bond-slave con-name bond0-eth1 ifname eth1 master bond0
nmcli con up mybond0
nmcli con show
/etc/sysconfig/network-scripts/ifcfg-[bond-interface]

DEVICE=bond0
TYPE=Bond
BONDING_MASTER=yes
NAME=mybond0
ONBOOT=yes
IPADDR=192.168.1.72
PREFIX=24
GATEWAY=192.168.1.1

/etc/sysconfig/network-scripts/ifcfg-[slave-interface]

NAME=bond0-ens192
DEVICE=ens192
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Networking: Teaming

nmcli con show
nmcli con add type team con-name myteam0 ifname team0 config '{ "runner": {"name": "loadbalance"}}'
7.0: nmcli con mod myteam0 ipv4.addresses "192.168.1.10/24 192.168.1.1"
7.0: nmcli con mod myteam0 ipv4.method manual
7.1: nmcli con mod myteam0 ipv4.addresses 192.168.1.10/24
7.1: nmcli con mod myteam0 ipv4.gateway 192.168.1.1
7.1: nmcli con mod myteam0 ipv4.method manual
nmcli con add type team-slave con-name team0-slave0 ifname eth0 master team0
nmcli con add type team-slave con-name team0-slave1 ifname eth1 master team0
nmcli con up myteam0
nmcli con show

Networking: IPv6

ip addr show eno16777984
nmcli con show eno16777984 | grep -i ipv6
nmcli con mod eno16777984 ipv6.addresses 'fddb:fe2a:badb:abe::1/64'
nmcli con mod eno16777984 ipv6.method manual
nmcli con down eno16777984
nmcli con up eno16777984
ip addr show dev eno16777984
/etc/sysconfig/network-scripts/ifcfg-[interface]

IPV6INIT=yes
IPV6ADDR=fddb:fe2a:badb:abe::1/64
IPV6_DEFAULTGW=2001:db8:0:1::1

Networking: IPv6 Troubleshooting

ping6 [ipv6 address]
ip -6 route

Networking: Routing

echo 1 > /proc/sys/net/ipv4/ip_forward
echo net.ipv4.ip_forward = 1 > /etc/sysctl.d/ip_forward.conf
ip route show
/etc/sysconfig/network-scripts/route-[interface], either in ip-route format:

192.168.1.100/32 via 192.168.1.254 dev eno16777984

or in the legacy ADDRESSn/NETMASKn/GATEWAYn format:

ADDRESS0=192.168.1.100
NETMASK0=255.255.255.255
GATEWAY0=192.168.1.254
METRIC0=

Firewall

man firewalld.conf
firewall-cmd --get-services
/usr/lib/firewalld/services
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --reload
firewall-cmd --add-forward-port=port:2022:proto:tcp:toport:22:toaddr:192.168.1.203 --permanent
firewall-cmd --reload

Firewall: Zones

man firewalld.zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --get-zones
firewall-cmd --set-default-zone=home
firewall-cmd --permanent --zone=internal --change-interface=eth0
nmcli con show | grep eth0
nmcli con mod “System eth0” connection.zone internal
nmcli con up “System eth0”
/etc/sysconfig/network-scripts/ifcfg-*: ZONE=internal
firewall-cmd --get-zone-of-interface=eth0
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --new-zone=test
firewall-cmd --reload

Firewall: Rich Rules

man firewalld.richlanguage
firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=10.0.0.100/32 reject' --timeout=60
firewall-cmd --add-rich-rule='rule protocol value=icmp accept' --zone=dmz
firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 port port=7900-7905 protocol=tcp accept'
firewall-cmd --list-all --zone=dmz

Package Management

/etc/yum.repos.d

[base]
name=Name
baseurl=http://
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/...

yum grouplist
yum whatprovides semanage

SELinux

Test is only on 'types' ("-t", "_t"). _r is Roles, _u is Users.
/etc/selinux/config
/etc/sysconfig/selinux
sestatus -v
getenforce
setenforce
yum install -y policycoreutils-python
semanage
semanage fcontext -l for a long list
semanage fcontext to update the policy
restorecon to apply the policy
chcon updates the context of a file but is temporary only
getsebool
setsebool
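Added example, not one of the cheat sheet's commands: the fcontext patterns used later on this page are regular expressions anchored at both ends, and the `(/.*)?` tail is the bit that gets mistyped from memory. This shell snippet checks a path against a pattern the way setfiles/restorecon do, and looks the type up in a small constructed rule list shaped like `semanage fcontext -l` output (the rules and contexts below are constructed for the example; `matchpathcon` is the real tool).

```shell
#!/bin/sh
# Added example, not from the cheat sheet: check SELinux file-context
# patterns the way setfiles/restorecon apply them. A file_contexts pattern
# is a regex anchored at both ends, so "/home/tools(/.*)?" covers the
# directory and everything below it but not /home/toolsbox.

# fcontext_match PATTERN PATH: exit 0 if PATH is covered by PATTERN.
fcontext_match() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Constructed rule list, "pattern|context" per line, shaped after the
# output of "semanage fcontext -l". Not real policy output.
SAMPLE_RULES='/home/tools(/.*)?|system_u:object_r:public_content_rw_t:s0
/var/www(/.*)?|system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?|system_u:object_r:httpd_sys_script_exec_t:s0'

# fcontext_type PATH: print the type of the last rule matching PATH
# (a later entry overrides an earlier one, as in file_contexts(5)),
# or "unlabeled" when nothing matches. Use matchpathcon(8) for real answers.
fcontext_type() {
    result=unlabeled
    while IFS='|' read -r pattern ctx; do
        [ -n "$pattern" ] || continue
        if fcontext_match "$pattern" "$1"; then
            result=$(printf '%s' "$ctx" | cut -d: -f3)
        fi
    done <<EOF
$SAMPLE_RULES
EOF
    printf '%s\n' "$result"
}

# Demo: which type each path would get under the constructed rules.
for p in /home/tools /home/tools/bin/x /home/toolsbox /var/www/cgi-bin/a.cgi /opt/x; do
    printf '%-28s %s\n' "$p" "$(fcontext_type "$p")"
done
```

Note that `/home/toolsbox` gets nothing from the `/home/tools(/.*)?` rule: the `$` anchor is what keeps a pattern from bleeding onto neighbouring names.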

iSCSI: Server

vgs
lvcreate -L 200M -n lvsan1 /dev/vg00
lvcreate -L 200M -n lvsan2 /dev/vg00
yum install -y targetcli
Note: cd brings up a select. help gives you help 🙂

# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb41
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> cd /backstores
/backstores> ls
o- backstores ................................................................................................................ [...]
  o- block .................................................................................................... [Storage Objects: 0]
  o- fileio ................................................................................................... [Storage Objects: 0]
  o- pscsi .................................................................................................... [Storage Objects: 0]
  o- ramdisk .................................................................................................. [Storage Objects: 0]
/backstores> block/ create block1 /dev/vg00/lvsan1
Created block storage object block1 using /dev/vg00/lvsan1.
/backstores> block/ create block2 /dev/vg00/lvsan2
Created block storage object block2 using /dev/vg00/lvsan2.
/backstores> fileio/ create file1 /opt/diskfile1 100M
Created fileio file1 with size 104857600
/backstores> ls
o- backstores ................................................................................................................ [...]
  o- block .................................................................................................... [Storage Objects: 2]
  | o- block1 ................................................................. [/dev/vg00/lvsan1 (200.0MiB) write-thru deactivated]
  | o- block2 ................................................................. [/dev/vg00/lvsan2 (200.0MiB) write-thru deactivated]
  o- fileio ................................................................................................... [Storage Objects: 1]
  | o- file1 .................................................................... [/opt/diskfile1 (100.0MiB) write-back deactivated]
  o- pscsi .................................................................................................... [Storage Objects: 0]
  o- ramdisk .................................................................................................. [Storage Objects: 0]
/backstores> cd /iscsi/
/iscsi> create iqn.2017-02.pri.internal:target
Created target iqn.2017-02.pri.internal:target.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/iscsi> ls
o- iscsi .............................................................................................................. [Targets: 1]
  o- iqn.2017-02.pri.internal:target ..................................................................................... [TPGs: 1]
    o- tpg1 ................................................................................................. [no-gen-acls, no-auth]
      o- acls ............................................................................................................ [ACLs: 0]
      o- luns ............................................................................................................ [LUNs: 0]
      o- portals ...................................................................................................... [Portals: 1]
        o- 0.0.0.0:3260 ....................................................................................................... [OK]
/iscsi> cd iqn.2017-02.pri.internal:target/
/iscsi/iqn.20...ternal:target> tpg1/acls/ create iqn.2017-02.pri.internal:server1
Created Node ACL for iqn.2017-02.pri.internal:server1
/iscsi/iqn.20...ternal:target> tpg1/luns/ create /backstores/block/block1
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2017-02.pri.internal:server1
/iscsi/iqn.20...ternal:target> tpg1/luns/ create /backstores/block/block2
Created LUN 1.
Created LUN 1->1 mapping in node ACL iqn.2017-02.pri.internal:server1
/iscsi/iqn.20...ternal:target> tpg1/luns/ create /backstores/fileio/file1
Created LUN 2.
Created LUN 2->2 mapping in node ACL iqn.2017-02.pri.internal:server1
/iscsi/iqn.20...ternal:target> ls
o- iqn.2017-02.pri.internal:target ....................................................................................... [TPGs: 1]
  o- tpg1 ................................................................................................... [no-gen-acls, no-auth]
    o- acls .............................................................................................................. [ACLs: 1]
    | o- iqn.2017-02.pri.internal:server1 ......................................................................... [Mapped LUNs: 3]
    |   o- mapped_lun0 .................................................................................... [lun0 block/block1 (rw)]
    |   o- mapped_lun1 .................................................................................... [lun1 block/block2 (rw)]
    |   o- mapped_lun2 .................................................................................... [lun2 fileio/file1 (rw)]
    o- luns .............................................................................................................. [LUNs: 3]
    | o- lun0 .................................................................................... [block/block1 (/dev/vg00/lvsan1)]
    | o- lun1 .................................................................................... [block/block2 (/dev/vg00/lvsan2)]
    | o- lun2 ...................................................................................... [fileio/file1 (/opt/diskfile1)]
    o- portals ........................................................................................................ [Portals: 1]
      o- 0.0.0.0:3260 ......................................................................................................... [OK]
/iscsi/iqn.20...ternal:target> cd /
/> ls
o- / ......................................................................................................................... [...]
  o- backstores .............................................................................................................. [...]
  | o- block .................................................................................................. [Storage Objects: 2]
  | | o- block1 ................................................................. [/dev/vg00/lvsan1 (200.0MiB) write-thru activated]
  | | o- block2 ................................................................. [/dev/vg00/lvsan2 (200.0MiB) write-thru activated]
  | o- fileio ................................................................................................. [Storage Objects: 1]
  | | o- file1 .................................................................... [/opt/diskfile1 (100.0MiB) write-back activated]
  | o- pscsi .................................................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................................................ [Targets: 1]
  | o- iqn.2017-02.pri.internal:target ................................................................................... [TPGs: 1]
  |   o- tpg1 ............................................................................................... [no-gen-acls, no-auth]
  |     o- acls .......................................................................................................... [ACLs: 1]
  |     | o- iqn.2017-02.pri.internal:server1 ..................................................................... [Mapped LUNs: 3]
  |     |   o- mapped_lun0 ................................................................................ [lun0 block/block1 (rw)]
  |     |   o- mapped_lun1 ................................................................................ [lun1 block/block2 (rw)]
  |     |   o- mapped_lun2 ................................................................................ [lun2 fileio/file1 (rw)]
  |     o- luns .......................................................................................................... [LUNs: 3]
  |     | o- lun0 ................................................................................ [block/block1 (/dev/vg00/lvsan1)]
  |     | o- lun1 ................................................................................ [block/block2 (/dev/vg00/lvsan2)]
  |     | o- lun2 .................................................................................. [fileio/file1 (/opt/diskfile1)]
  |     o- portals .................................................................................................... [Portals: 1]
  |       o- 0.0.0.0:3260 ..................................................................................................... [OK]
  o- loopback ......................................................................................................... [Targets: 0]
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json

systemctl enable target
systemctl start target
firewall-cmd --add-port=3260/tcp --permanent
firewall-cmd --reload
systemctl status target

iSCSI: Client

yum install -y iscsi-initiator-utils
/etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2017-02.pri.internal:server1

systemctl enable iscsid
systemctl start iscsid
systemctl start iscsi
iscsiadm --mode discovery --type sendtargets --portal 192.168.1.53 --discover
iscsiadm --mode discovery -P 1
iscsiadm --mode node --targetname iqn.2017-02.pri.internal:target --portal 192.168.1.53:3260 --login
iscsiadm --mode session -P 3
lsblk --scsi
mkfs.xfs /dev/sdb
blkid /dev/sdb (copy UUID)
mkdir /mnt/iscsi
vi /etc/fstab

UUID=ba082551-c983-4f1f-852a-53b1c8a55106  /mnt/iscsi  xfs   _netdev   0   2

mount -a
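Added example, not part of the cheat sheet: a format check for iSCSI names plus a little parser that turns sendtargets discovery records into the matching `--login` lines. Worth remembering from the targetcli session above: the ACL is keyed on the client's IQN and tpg1 is left at "no-auth", so any initiator that can reach port 3260 and presents that IQN gets the LUNs. The IQN is an identifier, not a secret; a real target also wants CHAP. The discovery output and IQNs below are constructed.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: sanity-check iSCSI names and
# turn sendtargets discovery records into the matching --login commands.
# Hostnames, portals and IQNs here are constructed placeholders.

# is_valid_iqn NAME: iqn.<yyyy-mm>.<reversed domain, lowercase>[:<unique part>]
is_valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
      '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:[^[:space:]]+)?$'
}

# Constructed "iscsiadm --mode discovery --type sendtargets" output:
# one "<portal>,<tpgt> <target iqn>" record per line. The last record has
# an impossible month so the validator has something to reject.
SAMPLE_DISCOVERY='192.168.1.53:3260,1 iqn.2017-02.pri.internal:target
192.168.1.53:3260,1 iqn.2017-02.pri.internal:backup
[2001:db8::53]:3260,1 iqn.2017-02.pri.internal:target
192.168.1.53:3260,1 iqn.2017-13.pri.internal:bad-month'

# login_commands: print one iscsiadm --login line per well-formed record,
# reporting malformed target names on stderr.
login_commands() {
    printf '%s\n' "$SAMPLE_DISCOVERY" | while read -r record target; do
        [ -n "$target" ] || continue
        portal=${record%,*}                       # drop the ",<tpgt>" suffix
        if ! is_valid_iqn "$target"; then
            printf 'skipping malformed IQN: %s\n' "$target" >&2
            continue
        fi
        printf 'iscsiadm --mode node --targetname %s --portal %s --login\n' \
            "$target" "$portal"
    done
}

# login_count: number of login commands produced from the sample.
login_count() { login_commands 2>/dev/null | wc -l | tr -d ' '; }

login_commands
```

The portal printed is the one discovery returned, so the IPv6 record keeps its brackets and the `--portal` value matches what `iscsiadm --mode node` expects.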

Performance

top
/proc/meminfo
free -m
swapon -s
cifsiostat
nfsiostat
iostat
mpstat
pidstat
vmstat
dstat – not noted in materials though

Performance: SAR

/etc/cron.d/sysstat
/etc/sysconfig/sysstat – HISTORY variable – default 28 days
sar -n DEV
sar -b
sar -P 0
sar 1 10

Optimization

/proc/meminfo
/proc/cmdline
/proc/cpuinfo
/proc/partitions
/proc/modules
/etc/sysctl.d
sysctl -a
sysctl -p
sysctl -w

net.ipv4.ip_forward
net.ipv4.icmp_echo_ignore_all
net.ipv4.icmp_echo_ignore_broadcasts
vm.swappiness
kernel.hostname

Logging: Server

/etc/rsyslog.conf – im* (input modules)
/etc/rsyslog.conf – om* (output modules)
/etc/rsyslog.conf

$ModLoad imudp
$InputUDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

systemctl restart rsyslog
firewall-cmd --add-port=514/tcp --permanent
firewall-cmd --reload

Logging: Clients

@ = via UDP
@@ = via TCP
/etc/rsyslog.conf

*.*   @@enwd1cuomlog1.internal.pri:514

systemctl restart rsyslog
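Added example, not from the cheat sheet: a small parser that lists where a client config forwards logs and over which transport. `@host` is UDP (no delivery guarantee, and the source address is trivially spoofed), `@@host` is plain TCP; neither encrypts, so outside a trusted segment rsyslog's TLS driver is the answer. Two practical points the parser makes visible: the port defaults to 514 when omitted, and an IPv6 target has to be bracketed. If the server loads imudp as above, 514/udp needs opening in firewalld as well as 514/tcp. The config lines and hostnames below are constructed.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: list where an rsyslog client
# config forwards logs and over which transport. "@host" is UDP, "@@host"
# is plain TCP; neither is encrypted. Hostnames are placeholders.

# Constructed client config lines (not the real /etc/rsyslog.conf).
SAMPLE_RSYSLOG='# constructed example
*.*        @@enwd1cuomlog1.internal.pri:514
authpriv.* @192.168.1.60
kern.*     @@[2001:db8::60]:6514
*.info     /var/log/messages'

# forward_rules: print "selector transport host port" for each line
# that forwards to a remote host; the port defaults to 514.
forward_rules() {
    printf '%s\n' "$SAMPLE_RSYSLOG" | while read -r selector action _rest; do
        case $action in
            @@*) transport=tcp; target=${action#@@} ;;
            @*)  transport=udp; target=${action#@} ;;
            *)   continue ;;                   # comment, blank, or local file
        esac
        case $target in
            "["*"]:"*) host=${target%%"]:"*}; host=${host#"["}; port=${target##*"]:"} ;;
            "["*"]")   host=${target#"["};    host=${host%"]"};  port=514 ;;
            *:*)       host=${target%:*};     port=${target##*:} ;;
            *)         host=$target;          port=514 ;;
        esac
        printf '%s %s %s %s\n' "$selector" "$transport" "$host" "$port"
    done
}

# udp_forwarders: how many rules still send over UDP.
udp_forwarders() { forward_rules | grep -c ' udp '; }

forward_rules
```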

HTTP/HTTPS: Server

yum groupinstall -y 'Web Server'
systemctl enable httpd
systemctl start httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload

<Directory /var/www/html>
AllowOverride None
Require all granted
</Directory>

HTTP/HTTPS: Virtual Host

/var/www/html
mkdir host.internal.pri
echo "Testing" > /var/www/html/host.internal.pri/index.html
restorecon -R host.internal.pri
cd /etc/httpd/conf.d
edit vhosts.conf

<VirtualHost *:80>
  ServerAdmin webmaster@host.internal.pri
  DocumentRoot /var/www/html/host.internal.pri
  ServerName host.internal.pri
  ErrorLog logs/host.internal.pri-error_log
  CustomLog logs/host.internal.pri-access_log common
</VirtualHost>

mv ssl.conf ssl.conf2
apachectl configtest
apachectl restart
httpd -D DUMP_VHOSTS
yum install -y elinks
elinks http://host.internal.pri

HTTP/HTTPD: Access Restrictions

/var/www/html/private
echo "testing" > /var/www/html/private/index.html
restorecon -R /var/www/html
/etc/httpd/conf/httpd.conf

<Directory "/var/www/html/private">
  AllowOverride None
  Options None
  Require host host.internal.pri
</Directory>

apachectl configtest
/etc/httpd/conf/httpd.conf

<Directory "/var/www/html/private">
  AuthType Basic
  AuthName "Password protected area"
  AuthUserFile /etc/httpd/conf/passwd
  Require user cschelin
</Directory>

apachectl configtest
htpasswd -c /etc/httpd/conf/passwd cschelin
chmod 600 /etc/httpd/conf/passwd
chown apache:apache /etc/httpd/conf/passwd
systemctl restart httpd

HTTP/HTTPD: Group Content

/etc/httpd/conf/httpd.conf

<Directory "/var/www/html/private">
  AuthType Basic
  AuthName "Password protected area"
  AuthGroupFile /etc/httpd/conf/team
  AuthUserFile /etc/httpd/conf/passwd
  Require group team
</Directory>

apachectl configtest
mkdir -p /var/www/html/private
restorecon -R /var/www/html/private
/etc/httpd/conf/team

team: cschelin jainsley

htpasswd -c /etc/httpd/conf/passwd cschelin
htpasswd /etc/httpd/conf/passwd jainsley
systemctl restart httpd
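Added example, not from the cheat sheet, covering both the password-protected directory above and the group version: a check of what is actually sitting in the htpasswd file. `htpasswd -c` without `-B` stores Apache's MD5-based `$apr1$` hash; `-B` gives bcrypt, which is what you want if the file could ever leak. Basic auth also sends the password in the clear on every request, which is the reason the TLS section follows. (Separately, `Require host` depends on a reverse DNS lookup of the client address; `Require ip` is the harder one to spoof.) The entries below are constructed and are not real credentials.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: report which password scheme
# each htpasswd entry uses and list the ones that are not bcrypt.
# Every entry below is constructed; none is a real credential.
SAMPLE_HTPASSWD='cschelin:$apr1$Q9Lz1m8X$QZ4yf0cJhN6z5eaoF2qGg/
jainsley:$2y$05$B0eRqDaF1cLkPgNYDvrTQO6U2IzY8RzV2p3jV7XzG3lKXxs1Z9kqO
legacy:ab3d8Fk1mPq2c
oldsha:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
plain:hunter2'

# htpasswd_scheme HASH: print the scheme name for one stored password.
htpasswd_scheme() {
    h=$1
    case $h in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)              echo md5 ;;     # Apache's MD5-based apr1, the htpasswd default
        '{SHA}'*)               echo sha1 ;;    # unsalted SHA-1, base64 encoded
        *)
            # crypt(3) DES hashes are exactly 13 characters from [./0-9A-Za-z]
            if printf '%s' "$h" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo crypt
            else
                echo plaintext-or-unknown
            fi ;;
    esac
}

# weak_entries: print "user scheme" for every entry not using bcrypt.
weak_entries() {
    printf '%s\n' "$SAMPLE_HTPASSWD" | while IFS=: read -r user hash; do
        scheme=$(htpasswd_scheme "$hash")
        [ "$scheme" = bcrypt ] || printf '%s %s\n' "$user" "$scheme"
    done
}

# count_weak: number of non-bcrypt entries in the sample.
count_weak() { weak_entries | wc -l | tr -d ' '; }

weak_entries
```

On a real server run the same scan over `/etc/httpd/conf/passwd` (after the `chmod 600` / `chown apache:apache` above) and re-hash the flagged users with `htpasswd -B`.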

HTTP/HTTPD: TLS

openssl req -new -x509 -nodes -out /etc/pki/tls/certs/host.internal.pri.crt -keyout /etc/pki/tls/private/host.internal.pri.key -days 365
/etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/host.internal.pri.crt
SSLCertificateKeyFile /etc/pki/tls/private/host.internal.pri.key
ServerName host.internal.pri:443

apachectl configtest
apachectl restart
httpd -D DUMP_VHOSTS
openssl s_client -connect localhost:443 -state
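Added example, not the cheat sheet's command: the same self-signed certificate generated non-interactively, with a subjectAltName (browsers ignore a bare CN), the private key created 0600, and the result checked with `openssl x509` instead of assuming the files came out right. It uses a req config file rather than `-addext` so it works on older OpenSSL too. Directory and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not the cheat sheet's command: generate a self-signed
# server certificate non-interactively, key 0600, SAN included, then
# verify it. Directory and hostname below are placeholders.

# make_selfsigned DIR HOST DAYS: writes DIR/HOST.key and DIR/HOST.crt
make_selfsigned() {
    dir=$1 host=$2 days=$3
    cfg="$dir/$host.cnf"
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell so the private key is created 0600
    (umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -config "$cfg" -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null)
}

# cert_has_san CRT HOST: exit 0 if the certificate lists DNS:HOST
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for CRT SECONDS: exit 0 if the cert is still valid that far ahead
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# file_mode PATH: permission string as shown by ls -l, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo run into a temporary directory.
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" host.internal.pri 365; then
    cert_has_san "$demo_dir/host.internal.pri.crt" host.internal.pri && echo "SAN ok"
    cert_valid_for "$demo_dir/host.internal.pri.crt" 86400 && echo "still valid tomorrow"
    file_mode "$demo_dir/host.internal.pri.key"
fi
```

`-checkend` is also a handy cron check for the 365-day expiry the original command sets: a non-zero exit means the certificate expires within the given number of seconds.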

DNS

yum install -y bind
/etc/named.conf

listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;

named-checkconf
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
systemctl enable named
systemctl start named

DNS: Troubleshooting

dig
/etc/resolv.conf

NFS: Server

yum groupinstall -y file-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
mkdir -p /home/tools
chmod 0777 /home/tools
mkdir -p /home/guests
chmod 0777 /home/guests
yum install -y setroubleshoot-server
semanage fcontext --list
semanage fcontext -a -t public_content_rw_t "/home/tools(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/guests(/.*)?"
restorecon -R /home/tools
restorecon -R /home/guests
semanage boolean -l | egrep "nfs|SELinux"
If needed:
setsebool -P nfs_export_all_rw on
setsebool -P nfs_export_all_ro on
setsebool -P use_nfs_home_dirs on
man exports for examples
/etc/exports

/home/tools enwd1cuomnfsc1.internal.pri(rw,no_root_squash)
/home/guests enwd1cuomnfsc1.internal.pri(rw,no_root_squash)

exportfs -avr
systemctl restart nfs-server
showmount -e localhost

NFS: Client

yum install -y nfs-utils
mount -t nfs enwd1cuomnfss1.internal.pri:/home/tools /mnt

NFS: Group (Server)

yum groupinstall -y 'file-server'
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
mkdir /shared
groupadd -g 60000 sharedgrp
chgrp sharedgrp /shared
chmod 2770 /shared
/etc/exports

/shared enwd1cuomnfsc1.internal.pri(rw,no_root_squash)

exportfs -avr
systemctl restart nfs-server
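Both export files above hand out rw with no_root_squash, which lets root on the listed client keep uid 0 on the share. The following is an added example, not part of the original notes: a small audit that reads an /etc/exports-style file and flags exports open to every host and exports with root squashing disabled. The hostnames and paths come from the notes; the sample file is constructed for the demo.

```shell
# Added example, not part of the original notes. audit_exports reads an /etc/exports-style
# file and reports the two settings that most widen exposure: a client list that matches every
# host, and no_root_squash (root on the client keeps uid 0 on the export, so a compromised
# client root owns everything in the share; the notes enable it on every export).
audit_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blank lines
        {
            path = $1
            if (NF == 1) {                              # "/path" alone: treated like *, default options
                printf "%s:%d: %s has no client list (exported to everyone)\n", FILENAME, NR, path
                next
            }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {         # split "host(opt,opt)" into host and opts
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client == "*")
                    printf "%s:%d: %s exported to all hosts (%s)\n", FILENAME, NR, path, $i
                if (("," opts ",") ~ /,no_root_squash,/)
                    printf "%s:%d: %s -> %s has no_root_squash\n", FILENAME, NR, path, client
            }
        }' "$1"
}

# Constructed sample (not a real /etc/exports): the notes' two exports, with squashing
# restored on /home/guests for contrast, plus two riskier lines.
write_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/home/tools   enwd1cuomnfsc1.internal.pri(rw,no_root_squash)
/home/guests  enwd1cuomnfsc1.internal.pri(rw,root_squash)
/shared       *(rw,sync)
/pub          (ro)
EOF
    echo "$f"
}

sample=$(write_sample_exports)
audit_exports "$sample"
rm -f "$sample"
```

Run it against the real file with `audit_exports /etc/exports` after `exportfs -avr`; a clean run prints nothing.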

NFS: Group (Client)

yum install -y nfs-utils
mount -t nfs enwd1cuomnfss1.internal.pri:/shared /mnt

NFS: Kerberos Distribution Center

Need this for further testing:

yum install -y krb5-server krb5-workstation pam_krb5
/var/kerberos/krb5kdc/kdc.conf – update example.com, uncomment master_key_type, add default_principal_flags = +preauth
/var/kerberos/krb5kdc/kadm5.acl – update example.com
/etc/krb5.conf – uncomment lines and replace example.com and kerbserver.example.com
kdb5_util create -s -r internal.pri – This can take quite a while. Be patient
systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin
useradd [dummy user]
enter kerberos admin tool: kadmin.local

kadmin.local: addprinc root/admin
kadmin.local: addprinc [dummy user]
kadmin.local: addprinc -randkey host/enwd1cuomkrb1.internal.pri
kadmin.local: ktadd host/enwd1cuomkrb1.internal.pri
kadmin.local: quit

/etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

systemctl reload sshd
authconfig --enablekrb5 --update
Add the following to /etc/firewalld/services/kerberos.xml to add the kadmin port (cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>

firewall-cmd --permanent --add-service=kerberos
alternate: firewall-cmd --permanent --add-port 749/tcp
firewall-cmd --reload
su - [dummy user]
kinit (enter password for user)
klist (to see the ticket)

NFS: Kerberos Client

yum install -y krb5-workstation pam_krb5
scp root@enwd1cuomkrb1.internal.pri:/etc/krb5.conf /etc/krb5.conf
Enter kadmin

kadmin: addprinc -randkey host/enwd1cuomnfsc1.internal.pri
kadmin: ktadd host/enwd1cuomnfsc1.internal.pri

/etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

systemctl reload sshd
authconfig --enablekrb5 --update
su - [dummy user]
kinit
klist
ssh enwd1cuomkrb1.internal.pri – to test; should log in without password

NFS: Add NFS Server

kadmin

kadmin: addprinc -randkey nfs/enwd1cuomnfss1.internal.pri
kadmin: ktadd nfs/enwd1cuomnfss1.internal.pri
kadmin: quit

NFS: Add NFS Client

kadmin

kadmin: addprinc -randkey nfs/enwd1cuomnfsc1.internal.pri
kadmin: ktadd nfs/enwd1cuomnfsc1.internal.pri
kadmin: quit

systemctl enable nfs-client.target
systemctl start nfs-client.target
mount -t nfs4 -o sec=krb5 enwd1cuomnfss1.internal.pri:/home/tools /mnt
su - [dummy user]
kinit
cd /mnt
echo "This is a test." > testfile

SMB

yum groupinstall -y 'file-server'
yum install -y samba-client
/etc/samba/smb.conf

[global]
      workgroup = MYGROUP
      server string = Samba Server Version %v
      netbios name = MYSERVER
      interfaces = lo eth0 192.168.1.0/24
      hosts allow = 127. 192.168.1.
      log file = /var/log/samba/log.%m
      max log size = 50
      security = user
      passdb backend = tdbsam

[shared]
      comment = Shared directory
      browseable = yes
      path = /shared
      valid users = jainsley
      writable = yes

testparm
mkdir /shared
chmod 777 /shared
echo “Testing” > /shared/test
yum install -y setroubleshoot-server
semanage fcontext -a -t samba_share_t "/shared(/.*)?"
restorecon -R /shared
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
systemctl enable smb
systemctl enable nmb
systemctl start smb
systemctl start nmb
useradd -s /sbin/nologin cschelin
smbpasswd -a cschelin
smbclient //localhost/shared -U cschelin%[password]

smb: \> ls

SMTP: Forwarder

yum install -y postfix
systemctl enable postfix
systemctl start postfix
/etc/postfix/main.cf

myhostname = enwd1cuomail1.internal.pri
mydomain = internal.pri
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination = 
relayhost = 192.168.1.1

postfix check
postconf -n
systemctl restart postfix
postconf relayhost (to verify)

SMTP: Gateway

yum install -y postfix
systemctl enable postfix
systemctl start postfix
/etc/postfix/main.cf

myhostname = enwd1cuomail1.internal.pri
mydomain = internal.pri
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
relayhost = 192.168.1.1

postfix check
postconf -n
systemctl restart postfix
firewall-cmd --permanent --add-service=smtp
firewall-cmd --reload

ssh: Server

yum install -y openssh-server
systemctl enable sshd
systemctl start sshd
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

ssh: Client

On both servers:
useradd [dummy user]
passwd [dummy user]
As [dummy user]:
ssh-keygen -b 2048 -t rsa
scp .ssh/id_rsa.pub [dummy user]@server2
/etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes

systemctl restart sshd
ssh server2
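One caveat on the sshd_config edit above: sshd uses the first value it reads for a keyword (sshd_config(5)), and the stock RHEL 7 file already carries an active "PasswordAuthentication yes", so appending "PasswordAuthentication no" at the bottom changes nothing and password logins stay on. The following is an added example, not from the original notes: a check that prints the value actually in force, and a helper that rewrites the file so the wanted value is the first one sshd sees. The sample config is constructed for the demo.

```shell
# Added example, not part of the original notes. sshd keeps the FIRST value it reads for a
# keyword (sshd_config(5)); a stock RHEL 7 file already has an active "PasswordAuthentication yes",
# so appending "PasswordAuthentication no" at the bottom leaves password logins enabled.
# sshd_effective KEYWORD FILE: print the effective global value; stops at the first Match
# block (its options are conditional). Handles "Keyword value", not "Keyword=value".
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            val = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", val)   # drop the keyword
            sub(/[[:space:]]+$/, "", val); print val; found = 1; exit
        }
        END { if (!found) print "(not set: sshd default applies)" }
    ' "$2"
}

# sshd_set_global KEYWORD VALUE FILE: comment out every active global occurrence and put
# "KEYWORD VALUE" on line 1, so it is the first value sshd sees. Options inside Match blocks
# are left alone.
sshd_set_global() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v line="$1 $2" '
        NR == 1 { print line }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && !/^[[:space:]]*#/ && tolower($1) == key { print "#" $0; next }
        { print }
        END { if (NR == 0) print line }
    ' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Constructed sample (not a real server's file): stock RHEL 7 shape with the notes' two lines appended.
write_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    echo "$f"
}

f=$(write_sample_sshd_config)
echo "before: PasswordAuthentication $(sshd_effective PasswordAuthentication "$f")"   # yes
sshd_set_global PasswordAuthentication no "$f"
echo "after:  PasswordAuthentication $(sshd_effective PasswordAuthentication "$f")"   # no
rm -f "$f"
```

On a live host, `sshd -T | grep -i passwordauthentication` (run as root) is the authoritative check, since it asks sshd itself for the effective value.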

ntp: Client

timedatectl set-timezone America/Denver
yum install -y ntp
systemctl enable ntpd
systemctl start ntpd
/etc/ntp.conf
ntpq -p
ntpstat
systemctl stop ntpd
ntpdate pool.ntp.org
systemctl start ntpd

chrony: Client

yum install -y chrony
systemctl enable chronyd
systemctl start chronyd
/etc/chrony.conf
chronyc tracking
chronyc sources -v
chronyc sourcestats -v
ntpdate pool.ntp.org

MariaDB: Server

yum install -y mariadb mariadb-server
systemctl start mariadb
systemctl enable mariadb
mysql_secure_installation

MariaDB: backup/restore

mysqldump --user=root --password=[password] --result-file=test.sql test
mysqldump --user=root --password=[password] test > test.sql
mysql --user=root --password=[password] testdb < test.sql

MariaDB: Create Schema

mysql --user=root -p

create database test;
grant all on test.* to user@localhost identified by 'password';
flush privileges;
use test;
create table addresses(id int(10) unsigned, name varchar(20), address varchar(40));
quit

Note: drop user 'name'@'localhost';

MariaDB: Queries

show tables;
desc addresses;
insert addresses values(1,"James","address1");
insert addresses values(2,"Bill","address2");
select * from addresses where name="James";
select * from addresses order by name ASC";
update addresses set name="John" where name="Bill";
delete from addresses where name="James";
Posted in Computers