Red Hat Certifications, Part 4

Continuing on, Chapter 4 covers firewall configuration and SELinux.

Firewalls are something I’ve dealt with before over the years. In general they’re pretty simple but you do need to understand what you’re doing in order to properly set up a firewall.

SELinux is a different kettle of fish. You have basic system access: logins and groups, with sudo to provide additional access at root level where necessary. Then you have ACLs, which let you further define access restrictions, but you need to enable them for the file system you intend to use them on. When I enabled acl on my /home directory on my system, it failed to boot this morning. I had to remove it and reboot. I’ll need to check that out and see what I did wrong.

SELinux is even more restrictive or controlling. Plus there are differences between RH6 and RH7, at least in the location of some of the info: RH6 has /selinux, which doesn’t exist on RH7. So there will be differences between what I get from the RH6 book and a possible RH7 test. I found a RH7 (CentOS7) page on the ‘net:

https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts

There are some differences between 6 and 7; I’ll need to identify and document the changes. The main thing is that if SELinux is in use, make sure you install the setroubleshoot package.

Next up, chapter 5, which deals with the boot process, network configuration, and time configuration. Shouldn’t be too hard. The security part is harder, in part because it’s not needed in a majority of environments. Firewalls are dealt with by a different team (InfoSec), but it’s good to know for your personal gear, and most folks can be permitted access within the guidelines.


Red Hat 7 Stuff Again

I decided to check out the new ‘*ctl’ features of RH7 and found a few new things in addition to systemctl and journalctl.

bootctl – Manages the boot loader and firmware. ‘status’ tells the status of the boot loader. On Solaris, you don’t know if the boot loader exists on a mirrored drive so you run the command anyway just in case. This might let you confirm there’s a boot loader on a disk?

http://www.freedesktop.org/software/systemd/man/bootctl.html

hostnamectl – Manages the three hostname bits; pretty, icon, and chassis.

http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html for icon naming conventions.

journalctl – Manages the binary log file.

kdumpctl – Manage kdump? No man page and nothing from a quick google search.

keyctl – Manages various system keys; user and keyrings. Long man page but doesn’t really explain why.

http://www.ibm.com/developerworks/library/l-key-retention/

localectl – manage locales on a system (change keyboard language type for example)

loginctl – manage user logins

machinectl – vm and container manager

pactl – Manage a PulseAudio sound server. 🙂

panelctl – Manage a digital cable box?

pmcollectl – similar to collectl but provides more info (and is written in python instead of perl; wtf?)

systemctl – manages services, similar to svcs and svcadm on Solaris or service/chkconfig on Linux.

systemd-coredumpctl – get coredumps from journald

systemd-loginctl – seems similar to loginctl

teamctl – An alternative (and supposedly better) way of aggregating interfaces into a single L2 interface.

http://rhelblog.redhat.com/2014/06/23/team-driver/

timedatectl – Manages the date and time and ntp info.

udisksctl – Gets information from disks. List shows the disks, info gives more detailed information about disks.

wdctl – Manage the watchdog status.


Red Hat Certification, Take 3

This is more of a permissions and security chapter.

First off are file permissions: executable, sticky bits, etc. Interesting that you cannot set umask to create executable files by default. The parts I’ll need to remember are the various special values: SUID==4, SGID==2, and the sticky bit==1. Of course it’s easier to just run chmod u+s file, chmod g+s, or chmod o+t for the three special values.
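As an added example (not from the original post), this script sets the three special bits on constructed files in a temp directory, reads the SUID=4, SGID=2, sticky=1 digit back, and then runs the audit a sysadmin wants after patching: a list of every SUID/SGID file under a tree. The helper names (special_bits, find_special) are mine, not from the book.

```shell
#!/bin/sh
# Added example (not from the original post): the special-bit digit is
# SUID=4 + SGID=2 + sticky=1, and chmod u+s / g+s / o+t set them one at a time.
# Builds constructed sample files in a temp directory, then audits the tree.
set -eu

# special_bits PATH: print the octal special-bit digit (0-7) for PATH.
# test -u / -g are POSIX; -k (sticky) is supported by bash, dash and busybox sh.
special_bits() {
    n=0
    if [ -u "$1" ]; then n=$((n + 4)); fi
    if [ -g "$1" ]; then n=$((n + 2)); fi
    if [ -k "$1" ]; then n=$((n + 1)); fi
    printf '%s\n' "$n"
}

# find_special DIR: list regular files under DIR with SUID or SGID set, sorted.
# This is the check to run after a patch cycle: any new entry deserves a look.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

demo() {
    d=$(mktemp -d)
    : > "$d/helper";  chmod 755 "$d/helper";  chmod u+s "$d/helper"   # 4755
    : > "$d/report";  chmod 755 "$d/report";  chmod g+s "$d/report"   # 2755
    : > "$d/both";    chmod 6755 "$d/both"                            # 4+2 = 6
    : > "$d/plain";   chmod 755 "$d/plain"                            # 0755
    mkdir "$d/drop";  chmod 755 "$d/drop";    chmod o+t "$d/drop"     # 1755
    : > "$d/nox";     chmod 4644 "$d/nox"   # SUID without x shows as capital S in ls

    ls -l "$d"            # s/t in the mode string mark the three special bits
    for f in helper report both plain drop nox; do
        printf '%-7s special digit: %s\n' "$f" "$(special_bits "$d/$f")"
    done
    echo "SUID/SGID files under $d:"
    find_special "$d"
    rm -rf "$d"
}

demo
```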

SELinux will be the big study part, as it’s listed as being pretty pervasive in the test. Per the book, the author doesn’t think you can pass the test without knowledge of SELinux.

But the file permissions and tools are pretty common and reasonably well known to a working sysadmin.

The chattr command (and lsattr) could really cause problems with documented procedures. If during a process you find a file can’t be copied or edited, even as root, you may be stymied until you figure it out. It needs to be added to the processes.

Hmm, Access Control Lists need the file system mounted with the acl option. Lots of nice bits with ACLs, including letting just one person or group have access to a file or directory. Standard permissions apply too, though. If a directory is 700, even if a file is ACL’d to permit editing by an account, if that account can’t get into the directory, it can’t view the file. You can add an ACL to the directory to permit just that user access to the directory. And deny access by passing ‘---’ to chattr for the user.
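The directory-versus-file interplay described above, as an added example that is not from the original post. It uses setfacl/getfacl from the acl package on an ACL-enabled file system; UID 4242 is a constructed example user that does not need to exist, and acl_entry is my helper name.

```shell
#!/bin/sh
# Added example (not from the original post): a 700 directory blocks a user even
# when a file inside carries an ACL for them, because directory search (x) is
# checked first; an x-only ACL entry on the directory fixes that, and a '---'
# entry is an explicit deny. Uses setfacl/getfacl (acl package) on an ACL-enabled
# file system; UID 4242 is a constructed example user that need not exist.
set -eu

# acl_entry PATH UID: print the named-user ACL entry for UID (numeric), or "none".
acl_entry() {
    entry=$(getfacl --omit-header --numeric "$1" 2>/dev/null | grep "^user:$2:" || true)
    printf '%s\n' "${entry:-none}"
}

demo() {
    u=4242
    d=$(mktemp -d)
    chmod 700 "$d"
    printf 'quarterly numbers\n' > "$d/report.txt"
    chmod 600 "$d/report.txt"

    # Step 1: ACL on the file alone. The entry is there, but with the directory at
    # 700 and no directory entry for the user, the kernel never reaches the file.
    setfacl -m "u:$u:r--" "$d/report.txt"
    echo "file : $(acl_entry "$d/report.txt" "$u")"
    echo "dir  : $(acl_entry "$d" "$u")   <- no entry, so uid $u cannot enter $d"

    # Step 2: grant search-only (--x) on the directory: the user can open files
    # they are allowed to, but cannot list the directory (that would need r).
    setfacl -m "u:$u:--x" "$d"
    echo "dir  : $(acl_entry "$d" "$u")   <- traversal works, listing still denied"

    # Step 3: explicit deny for the same user on another file via a '---' entry.
    printf 'not for them\n' > "$d/notes.txt"
    setfacl -m "u:$u:---" "$d/notes.txt"
    echo "notes: $(acl_entry "$d/notes.txt" "$u")"

    echo "--- full ACL of report.txt (note the mask line) and the + in ls -l ---"
    getfacl --omit-header --numeric "$d/report.txt"
    ls -l "$d"
    rm -rf "$d"
}

if command -v setfacl >/dev/null 2>&1; then
    demo || echo "demo failed: file system probably mounted without acl support" >&2
else
    echo "setfacl not found: install the acl package" >&2
fi
```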


Red Hat Certification, Take 2

Second day of poking about at certification. I’m studying for the Red Hat 6 exam but have a dual environment set up: three CentOS 6.6 virtual servers and three CentOS 7.0 servers. This lets me look at what the book presents and compare it against the new OS, poking about at the differences between the two.

Chapter 2 sets up the KVM (virtual machine) environment, which I did yesterday, and reviews the kickstart process (which we do a lot), the kickstart-configurator, and finally ssh. While we don’t use the configurator, we do use ssh, a lot. But I’m sure there’ll be a few things I knew from my day-to-day work and a few things I didn’t know, because either the way I did things already worked or it wasn’t something we needed to do.

Without taking the exams, I’m curious if it’s a “this stuff is broken, fix it” or “we need 6 servers that do web, ftp, nfs, database, and a front end firewall on these networks” type of test. Break-fix can be fun but if things are working, troubleshooting it can be a PITA.

Standard admin tools are discussed too: nmap, telnet, mail, lynx (well, elinks; a text web browser), and ftp (well, lftp). Pretty common stuff, although with some differences in the commands to use.

Chapter 3 is standard command line tools. Should be a piece of cake.

Shells, commands, manage files, text file review (grep anyone?), man and info pages, text editors (as long as they don’t force emacs 🙂 ), services, and network management (hosts, resolv.conf, network, ifcfg-eth0, ifcfg-bond0, route-eth0). All pretty normal stuff.


Red Hat Satellite

One of the things I’m tasked with at work is to be the point man for patch management on the Red Hat/CentOS infrastructure. A daunting task in part because patching, unless under critical circumstances, is almost impossible. It takes months and maybe years to get patches through testing before we’re able to even start scheduling patching.

One of the things we’re looking at is the Red Hat Satellite service to manage newer versions of Red Hat (6 and newer). This leaves a bunch of our older systems out in the cold, and one of the things I tend to avoid is a solution that only works with a subset of our environment. It might not be a good way to manage things, though. But purchased tools tend to only work on the vendor’s product. This has us descending into an environment with 6 or 7 “solutions”, turning it into a management nightmare. Even things like configuration managers (puppet, chef, ansible, salt, cfengine, etc.) have their problems and likely only work on a portion of the systems we manage.

Anyway, while looking over something else, I discovered the kickstart manager ‘cobbler’. It lets us manage Red Hat, CentOS, or other environments. I did this post to remind me to look it over further.

cobbler

🙂


Red Hat Study, Take 1

Going through the study book, which is 17 chapters, of which the first chapter is setting up your system and installing Red Hat: disk layout, configuration, setting up an http and ftp server with installation media. I got the http and ftp sites set up, no big deal. It has selinux enabled (sestatus), so you have to change the context of the directories or they won’t be visible to the services (chcon -R --reference).

Which means chapter 1 is completed.

Chapter 2 is setting up virtual machines and kickstarts. I already set up the first server (server1) using both CentOS 6.6 and CentOS 7.1 for comparison purposes. I have two more to set up in each environment. They are setting up a webserver/dbserver back end protected by a firewall from the third server, an external “attacker”.

Chapter 3 is basic command line stuff, should be simple enough.

Chapter 4 lists security bits.

Chapter 5 is the boot process.

Chapter 6 is file system administration.

Chapter 7 is package management. Should be interesting since I do know how to use yum (package manager), but there are extra bits on managing repos and on creating rpms.

Chapter 8 is User administration.

Chapter 9 is System administration tasks. Probably printers (cups) and such.

Chapter 10 starts the RHCE chapters starting with ‘A Security Primer’, probably firewalls. I’ve managed various different firewalls including iptables. CentOS7 has firewalld though, should be different 🙂

Chapter 11 discusses services and SELinux.

Chapter 12 is more extensive System administration tasks.

Chapter 13 is Email. I’ve managed sendmail and postfix so don’t feel too out of it.

Chapter 14 is the web server. I’ve set up many web servers. I expect no surprises here.

Chapter 15 is Samba (accessing Windows servers from Linux). I did lots of work with Samba 10 years or so ago and I’ve done some client scripting, so it shouldn’t be too difficult.

Chapter 16 is more about file sharing (probably NFS). Little NFS work in my experience; it’s come up a few times but generally it requires some review before implementing.

Chapter 17 looks to touch on DNS, FTP, and log review. I run DNS servers and have for years. I just set up an ftp server at work so no biggie. And I’m a big log management type person.

After that, there are exam preps to review.

Let’s get the server environment up, shall we?


Red Hat/CentOS 7 Bits

As I prepare for the RHCSA/RHCE certifications, I have to do some conversion between the RH6 book I’m using and the new ways of doing things in RH7 (when I say “RH6” or “RH7” I’m including CentOS and ScientificOS in the list). On to Things to Think About:

System Logging

One of the new bits in RH7 is how logs are managed. Logs are now binary, and a single journal contains all the logs for the system. With RH6, logs were generally in /var/log under various files like messages, secure, httpd, etc. Now you use journalctl to view logs.

I have a couple of concerns with this. First, I can’t seem to let a non-root user access the log files. In RH6, the files are ‘600’ in permissions, so in order for regular users to view the log files (messages or httpd error_log), you’d just change the permissions to ‘640’. The benefit is I can pull the logs to a central server for review. With almost 1,000 systems, having to log in to each one, become root, and review the log is impossible. I’d like to have a central syslog server, but I’d also like to keep network traffic down, especially for systems where the application is logging several times a second.

journalctl doesn’t seem to have the ability to let a user view logs on a system without using sudo or having root run the journalctl command to export the data.

I can see this being an issue, not just for system admins, but for users of applications who need access in order to manage the behavior of their applications. Same with monitoring tools such as OpenView. Many of the alarms are generated by syslog scraping (the messages file).

There’s also an issue for application developers. How do they now write their logs, especially when dealing with application-level issues?

Is systemd replacing syslogd or rsyslogd, or just augmenting it for now but eventually replacing it? I do see messages, secure, and even dmesg in /var/log.

Links:

https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs
http://blog.delouw.ch/2013/07/24/why-journalctl-is-cool-and-syslog-will-survive-for-another-decade/


Red Hat Certifications

I’ve been mucking around with computers since I picked up a Timex/Sinclair in a K-Mart somewhere in Virginia around 1980. I’d been working as a Typesetter on a computerized system (CompuGraphic EditWriter) and a Field Engineer (FE) gave me an 8″ floppy with a few games on it.

My first certification was the result of quite a few classes for working on 3Com 3+Share local area network products. I was certified as a 3Wizard.

My second set of certifications was the result of becoming a Unix Administrator. I’d taken several different courses on Token Ring, Novell Networks, and Microsoft LAN Manager before I got to this point. I took and got the Sun Certified System Administrator and Sun Network Administrator. Mainly I took those certs to test my knowledge in Unix and specifically Solaris 2.5.1. Currently Oracle has Solaris at version 11 (sunos 2.11) so it’s been a while.

My third set of certifications came about when I went through several company changes when working at NASA HQ. One of the things I wanted to do was learn more about the deeper networking stuff so I asked to get a Cisco Certified Network Administrator class so I could get my CCNA certification. The company happened to have a CCNA/CCNP (Cisco Certified Network Professional) fast track class for me (a cram type course intended more for folks who were already pretty knowledgeable about computers and needed the extra bits to reach certification status). Once class ended, I spent the following few months getting my CCNA and then taking the tests for each of the categories that elevated me to CCNP.

It’s now that time again. I’ve signed up to take the Red Hat Certified System Administrator (RHCSA) test followed up immediately by the Red Hat Certified Engineer (RHCE) test the same day (that afternoon). I will note that you can’t take the RHCE test until you’ve passed the RHCSA test, so there’s a bit of hubris here in knowing I’ll pass the one before the other. The tests are $400 each, but as long as I pass, the company will reimburse me for them. Red Hat claims that the pass rate for the certification tests is as low as 50% of candidates, but they’re pushing their classes as well, so take it with a grain of salt 🙂

In reviewing the RHCSA exam prep page, I find the requirements fairly normal for a Unix admin. There are a few bits that only exist in smaller or Red Hat exclusive shops such as using KVM to manage virtual machines, SELinux, system level firewalls (iptables or firewalld), and a few other things. In review, I believe I could pass the RHCSA test right now without studying for it. I do want to do well (not perfect) so I’ll do some poking about at it to make sure I at least understand the bits we don’t normally do in an Enterprise environment.

In reviewing the RHCE exam prep page, I find again that most of the stuff being done would be in a dedicated Red Hat shop; however, they are things that I do now for the most part. Configuring various services like http, ftp, nfs, smb, smtp, ssh, and ntp; networking like routing, packet filtering, and NAT; and other (for me) standard system admin tasks.

I also have the RHCSA/RHCE Study Guide, which is a couple of years out of date but still should be relevant especially when I use it with a Red Hat Enterprise Linux 7.1 VirtualBox Virtual Machine.

I don’t think I’ll have much of a problem with this but I do want to pass and $400 twice is a bit much to blow on a couple of tests if I fail them.

I will note that I’m also creating a study group at work to go over the requirements and do some studying for the exams.


Building a New Computer

Starting in on checking out parts and bits in order to build a new system. My current system actually works pretty well but it’s also getting old enough (2008) that the parts I do have will not be easy to replace should something happen; motherboard failure for instance.

So I’ll move this one to the left and set it up as a file server or Virtual server.

In checking out new systems, I was referred to http://falcon-nw.com. They have a few very nice, and expensive, systems. But they also show you what parts are something to look at for mid level and higher level systems. A quick run through the parts to compare with http://newegg.com or http://tigerdirect.com and there seems to be a $1,500 to $2,000 extra cost. Probably the warranty with Falcon plus the extra bits. It’d be nice to have a single place to contact should there be a problem, but I’m not sure it’s worth $1,500.

Here is the breakdown for the $8,200 Falcon Mark V I spec’d out for fun. It spec’d out to a touch over $6,000 for the individual parts without the case and a few other bits. The parts marked with an asterisk (*) are part of the default kit if $0.00, or this is an upgrade price over the default if > $0.00. The basic system is $2,939 and noted below with a #.

Item Falcon NewEgg Tigerdirect Amazon
Icon2 Tower Case # 169.00 @ NA NA
Chassis Fan Kit
AcoustiPack Sound Dampening Foam
Asetek Liquid Cooling
SilverStone 750 PSU (80 Silver)# # NA 129.99 133.20
SilverStone 1500 PSU (80 Silver)* 221.00 364.82 354.99 289.99
Gigabyte X99 GA-X99-UD4# # 254.99 239.99 254.99
Asus X99 Rampage V Extreme* 297.00 469.99 499.99 469.99
Intel core i7 5820K 3.3GHz (6 cores)# # 389.99 389.99 387.37
Intel core i7 5930X 3.5GHz (6 cores)* 273.00 579.99 NA 575.99
Intel core i7 5960X 3.0GHz (8 cores)* 903.00 1049.99 1049.99 1044.99
16GB – 4x4GB – 2133MHz – DDR4# # 229.99
32GB – 4x8GB – 2400MHz – DDR4* 260.00 449.99 439.99 429.99
64GB – 8x8GB – 2400MHz – DDR4* 776.00 1,099.00 879.98 (32Gx2) 1,099.00
nVidia GeForce GTX 960 2 GB (MSI)# # 209.99 204.99 209.99
nVidia GeForce GTX 970 4 GB (MSI) 348.00 399.99 399.99 344.99
nVidia GeForce GTX 980 4 GB (MSI) 632.00 559.99 559.99 559.99
Asus 28″ 4k Monitor 609.99 599.99 649.99 562.99
Micron M600 SSD (256GB) 138.00 119.99 134.99 104.99
Western Digital Red 3TB 158.00 114.99 124.99 114.00
Western Digital Red 3TB 158.00 114.99 124.99 114.00
Western Digital Red 3TB 158.00 114.99 124.99 114.00
Asus 16x DVD Writer 23.00 48.98
Asus 12x Blu-ray Writer 180.00 74.61
Windows 8.1#
Windows 8.1 Pro* 43
USB Rescue Drive
System Documentation
Warranty
Shipping
Totals $2,939.00

@ For the tower, I’m considering the ThermalTake Core X9 cube. Since I’m looking at water cooling for the first time, I need to research and see what components I need in order to properly cool the system. The price is for this tower.

Stumbled on to a build-it article using the same components I’m considering here, with a recommended cooling system.

http://www.pcworld.com/article/2838932/behold-the-most-powerful-diy-gaming-pc-you-can-build-today.html


Black Friday Sale

Black Friday. I planned on heading down to the local guitar shop (Guitar’s Etc in Longmont) since the email they sent out said they had some good deals. I had my eye on a BC Rich as I wanted a metal toned guitar in my collection. I also had a fund limit (generally budget+$100 or so per usual). Todd (the owner) pulled it down for me and started tuning it up. Since it has a locking nut, he loosened things up but the nut on the lowest two strings came totally out and, with the customers he had coming in, he was having a hard time scurrying back and forth between the cash register and the guitar. In the meantime I was looking for a second BC Rich. He had a few but not the same as the one I was looking at. In the same area he had a few Dean guitars and a Flying V caught my eye. “We just got that in this week, let me check the sale price.” He pulled it down for me and complained a bit when he wasn’t able to get to his web site from his phone so he had to get back to the desk to look up the prices. While he was checking, I ran through some quick tunes I’d been playing. He had it on a Line 6 amp so I changed up the various presets and played with the two pickups and tone knob. The neck felt good in my hand and it felt pretty playable. Without a strap it was pretty awkward though. At one point I had Jeanne hold up the neck so I could play it 🙂 He came back with it $300 off his price (he matches the online places like Zzounds pretty closely; it’s one of the reasons I buy there if he stocks the gear). Since that fit in my price range and it felt and sounded good, I was good with it.

I got it home and attached the strap locks to my strap however the neck one failed to seat in the guitar (I do like the recessed seats a lot better than the posts let me just say). I tried the post in the one by the plug and both worked fine. I called the store and brought the guitar back. Todd and one of the techs removed the neck seat and the screw was very long, it seems like it could reach the fretboard with just a few more turns. The tech took the screw downstairs to the shop and trimmed off the last three threads and brought it back up. That did the trick and the strap lock seats perfectly now.

Pics of course:

And video. I had Jeanne take video; however, I was concentrating on the song so didn’t turn so you can see the guitar. Leave it to the pics.

Tom Petty’s I Won’t Back Down

I had a few comments that with a Metal guitar, I should be playing something a bit harder 🙂 Plus my aunt complained that I didn’t smile enough. I am concentrating on playing so there’s that.

Avenged Sevenfold’s Nightmare

I have to say the guitar feels really good. Weight isn’t too heavy, sounds great, the neck feels tight. I really like this guitar.
