Archive for the ‘Article’ Category

OpenFiler project – one server

Thursday, February 7th, 2008

This article details how to set up a free-standing OpenFiler SAN that authenticates against its built-in LDAP server. This is a good approach if you only need file storage with no network authentication. While you could authenticate other systems against the LDAP in OpenFiler, I would advise you to look at the OpenFiler project – 2 servers article.

OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M RAM


OpenFiler project – 2 servers

Thursday, February 7th, 2008

This article details how to set up a free-standing LDAP server for authentication, and an OpenFiler SAN that authenticates against that LDAP server.

LDAP Server
CentOS 5.1
2G hdd
256M RAM

OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M RAM


Movin’ on up

Tuesday, January 8th, 2008

I’m moving from TiddlyWiki to WordPress. This will provide a nicer online experience at the expense of offline viewing.

Until I get the articles moved you can find previous posts at http://www.revantine.net/revantine.net_TiddlyWiki.html

Finding broken Debian packages

Friday, December 14th, 2007

I found this script at http://www.mailarchives.org/list/debian-user/msg/2002/06558
cat ~/dpkg-verify

#!/bin/sh
# Quick script for verifying the integrity of package files on a Debian
# system.
# Cameron Kerr
# 6 February 2002
#
# NOTE: This is in no way an official Debian provided/supported program,
#       its just something I hacked up from need.
# $Id: dpkg-verify,v 0.0 2002/02/06 02:17:51 cameron Exp cameron $
# $Log: dpkg-verify,v $
# Revision 0.0  2002/02/06 02:17:51  cameron
# Initial Revision
#

/bin/ls /var/lib/dpkg/info/*.md5sums | \
        sed -e 's:^.*/\(..*\).md5sums$:\1:' | \
        while read package;
        do
                cd /
                md5sum -c /var/lib/dpkg/info/$package.md5sums 2>&1 | \
                        sed 's/\(.*\)/'"$package"':\1/'
        done

Redirect the output of the script to a file, because it is slow. Then you can search that file:

awk -F: '/FAILED|FAILED open or read$/{print $0}' filename.verify

You can change the $0 to $1 for the package or $2 for the filename to generate a list.

You can:

awk -F: '/FAILED|FAILED open or read$/{print $2}' verify >badfiles

copy badfiles to an identical server

cd /
tar -czv --ignore-failed-read --files-from ~/badfiles -f ~/bundled.tar.gz

copy the tar back to the broken server

cd /
tar xzvf ~/bundled.tar.gz

I output the list to a file. I had to remove xbitmaps because it caused an error.

apt-get --reinstall install `cat broken.apt`
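The dpkg-verify output above has a fixed shape (package:path: STATUS), so the badfiles and broken.apt lists can be built in one pass instead of re-running awk. This is an added example, not code from the post or the linked mailing list; the sample lines are constructed, and the exclude parameter stands in for the manual removal of xbitmaps described above.

```python
"""Parse dpkg-verify output and build the badfiles and broken.apt lists."""
import re
from collections import defaultdict

# Each line is "<package>:<md5sum output>". md5sum -c prints "<path>: OK",
# "<path>: FAILED" (checksum mismatch) or "<path>: FAILED open or read" (file
# missing or unreadable). md5sum's own warnings do not fit this shape and are skipped.
LINE_RE = re.compile(
    r"^(?P<package>[^:]+):(?P<path>[^:]+): (?P<status>OK|FAILED(?: open or read)?)$")

# Constructed sample of a filename.verify file (not real output from a system).
SAMPLE_VERIFY = """\
coreutils:bin/ls: OK
coreutils:bin/cp: FAILED
coreutils:md5sum: WARNING: 1 of 2 computed checksums did NOT match
openssh-server:usr/sbin/sshd: FAILED
openssh-server:etc/init.d/ssh: OK
xbitmaps:usr/include/X11/bitmaps/xlogo64: FAILED open or read
"""


def parse_verify(text):
    """Return {package: {path: status}} for every well-formed line."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results[m["package"]][m["path"]] = m["status"]
    return dict(results)


def bad_files(results, include_missing=True):
    """Sorted paths that did not verify: the content of ~/badfiles in the post.
    include_missing=False keeps only real checksum mismatches."""
    out = []
    for paths in results.values():
        for path, status in paths.items():
            if status == "FAILED" or (include_missing and status.startswith("FAILED")):
                out.append(path)
    return sorted(out)


def broken_packages(results, exclude=()):
    """Packages with at least one non-OK file, minus any the caller excludes
    (the post dropped xbitmaps by hand because it made apt-get error out)."""
    return sorted(p for p, paths in results.items()
                  if p not in exclude and any(s != "OK" for s in paths.values()))


if __name__ == "__main__":
    found = parse_verify(SAMPLE_VERIFY)
    print("badfiles:", bad_files(found))
    print("reinstall:", broken_packages(found, exclude={"xbitmaps"}))
```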

CentOS 5 Xen

Friday, September 14th, 2007

This server will run a CentOS 5 host operating system. It will have Debian guest systems virtualized through Xen. I chose CentOS because it has good install support for software raid and lvm and the Red Hat product it derives from seems to have mature virtualization technology (vt). Debian is running on the existing servers I am migrating from physical to virtual. Debian has excellent long term maintainability and I will use my existing disaster recovery plan for the migration.

I installed CentOS. I chose server-gui and virtualization on install. When I set up LVM I created a logical volume that mounts on /xen and left 150+G in the Volume Group unallocated. I will use that space for additional guest vm partitions.

I downloaded the Debian 3.1 xen virtual machine (vm) package from http://jailtime.org . I chose this since I was able to make it work on another machine I was playing with previously. To keep the system as close to the model vm as possible, I have made some additional links.

  • Note: The http://jailtime.org package unpacks into the current directory. It expects to be in /xen/debian, so you might as well create the sub-folder and cd there before untarring.

Setup
Previously I found the system would kernel panic. In part this is because the xenblk module is not loaded. You also need xennet, either by including it in the ramdisk or by using modules.conf/modprobe.conf. I chose to include it in the ramdisk.

# uname -r
2.6.18-8.el5xen
# mkinitrd --preload=xenblk --with=xennet /boot/initrd-`uname -r`U.img `uname -r`
# ln -fs /boot/initrd-`uname -r`U.img /boot/initrd-2.6-xenU.img

I linked vmlinuz-2.6-xenU -> vmlinuz-2.6.18-8.el5xen because many of the prebuilt vms expect this to exist.

ln -fs /boot/vmlinuz-`uname -r` /boot/vmlinuz-2.6-xenU

Because the jailtime.org images expect /xen to contain the images, I have linked it to /vserver

ln -s /vserver /xen

Kernel Panic
At this point, when I tried to start the vm, it kernel panicked. This command creates (starts) the vm, and the -c option attaches the console you are viewing to the new vm’s console. This lets you watch the boot and see the errors.

xm create -c /xen/debian/debian.3-1.xen3.cfg

The last of the output:

XENBUS: Device with no driver: device/vbd/2049
XENBUS: Device with no driver: device/vbd/2050
XENBUS: Device with no driver: device/vif/0
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
VFS: Cannot open root device "sda1" or unknown-block(0,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

Troubleshooting and the fix
You can mount the image with a loop device and look at the files in the vm image. You cannot do this while the vm is running, and you cannot start the vm while it is mounted like this. Keep this in mind for later; you don’t need to do this right now.

cd /mnt
mkdir vm
mount -o loop /vserver/debian/debian.3-1.img /mnt/vm

I added this to the bottom of /xen/debian/debian.3-1.xen3.cfg

ramdisk = "/boot/initrd-2.6-xenU.img"

Running, almost…
Now I start it, and it boots completely. You can leave the console with Ctrl+]

xm create -c /xen/debian/debian.3-1.xen3.cfg

And the catch? No way to interact.

$ nmap 192.168.0.202

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 23:14 CDT
All 1697 scanned ports on 192.168.0.202 are closed

Nmap finished: 1 IP address (1 host up) scanned in 1.832 seconds

Shutting down
I am shutting down the vm now. I will probably need to mount the image in a loopback and use chroot to add ssh. I will pursue this more tomorrow.

# xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0     3920     2 r-----    510.5
debian.3-1                                 5      127     1 r-----   5255.2
# xm shutdown debian.3-1
# xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0     3920     2 r-----    512.0

Configuration
I need to add ssh for it to be usable as a base system.


I found the root cause of this problem. Skip to the double lines for the fix.

The error trying to start ssh:

Starting OpenBSD Secure Shell server: sshd
PRNG is not seeded

The error is caused by /dev/urandom not being present. Mount the disk image on a loop device.

nano /etc/init.d/local

and add this

#!/bin/bash
cd /dev
./MAKEDEV mem
./MAKEDEV urandom
/etc/init.d/ssh start

Make it executable and link it so it starts on boot. This assumes you are in the directory where you mounted the image.

chmod +x etc/init.d/local
# the link must be relative to etc/rc3.d/ and carry an S prefix, or the rc scripts will not run it
ln -s ../init.d/local etc/rc3.d/S99local


Edit etc/init.d/makedev. In the “start)” section, after the “test” statement, add this line. This creates devices and corrects some permissions. Most importantly it lets openssh start, and prevents odd problems.

cd /dev && ./MAKEDEV zero

Change the permission of /tmp

chmod 1777 tmp

As long as you have it mounted, change the ssh setting so you can login as root.

mv etc/ssh/sshd_config{,~} && sed 's/PermitRootLogin no/PermitRootLogin yes/' etc/ssh/sshd_config~ >etc/ssh/sshd_config

Now a few additions to make the deployment easier.
Copy the edited makedev to root/etc. This will become a directory to hold /etc files that should be retained when we rsync /etc

mkdir -p root/etc/init.d
cp etc/init.d/makedev root/etc/init.d/

I also put the “flip” script in root since I am using it every time. vm flip filesystems

Now boot the vm.

Running
The first thing you should do is change the root password. The default password of the jailtime.org images is password.

I changed the virtual interface so that it will use the same MAC address every time.

vif = [ 'bridge=xenbr0,mac=00:16:3e:xx:xx:xx' ]

00:16:3e is the MAC vendor code for Xen. The last 3 bytes should be unique, especially on your network. You can use this to generate 3 random hex bytes.

dd if=/dev/urandom bs=1 count=3 2>/dev/null | od -tx1 | head -1 | cut -d' ' -f2- | tr -d ' ' | tr '[a-f]' '[A-F]'

I booted the vm and edited /etc/apt/sources.list. I changed “sarge” to “stable” to upgrade to etch. I then ran:

apt-get update
apt-get dist-upgrade
...
Do you want to upgrade glibc now? [Y/n] Y
Do you wish to restart services? [Y/n] Y

Started getting this error:

4gb seg fixup, process dpkg (pid 1292), cs:ip 73:4003ede1

Because this requires changes in /etc and I rsync that directory, I will save the fix for the vms.

I renamed the img and config from debian.3-1 to debian.4-0 to reflect the new version, and changed the config to load the renamed image.
Error during boot

Setting hostname to 'debian_pristine'...hostname: the specified hostname is invalid

I do not plan on fixing this since I will be changing the hostname on deployment.

I am tarring the image as the deployment model.

Automatically starting domains
link to article

If you would like a domain to start automatically when the (dom0) system is started, move the domain configuration to the /etc/xen/auto directory. For instance:

ln -s /xen/debian/debian/cfg /etc/xen/auto/

I will likely try linking to that directory.

LVM
link to article
Create a logical volume of size 4GB named 'myvmdisk1':

# lvcreate -L4096M -n myvmdisk1 vg

You should now see that you have a /dev/vg/myvmdisk1. Make a filesystem, mount it and populate it, e.g.:

# mkfs -t ext3 /dev/vg/myvmdisk1
# mount /dev/vg/myvmdisk1 /mnt
# cp -ax / /mnt
# umount /mnt

Now configure your VM with the following disk configuration:

disk = [ 'phy:vg/myvmdisk1,sda1,w' ]

I am going to name my LVMs after the host and mount point so I can identify them. I use Pooh characters for my servers, so my first will be /dev/VolGroup00/kanga-var and kanga-tmp
kanga vm


Links:
CentOS 5 with Debian 3.1 and 4.0 guests:
http://juanjosec.blogspot.com/2007/06/migrating-xen-installation-from-fc5-to.html
Xen and LVM VBD (Virtual Block Devices)
http://www.linuxtopia.org/online_books/linux_virtualization/xen_3.0_user_guide/linux_virualization_xen_user_44.html
Installing a Xen DomU on CentOS 5
http://wiki.centos.org/HowTos/Xen/InstallingCentOSDomU

Shell Accounts

Monday, September 10th, 2007

* chroot

Here is a site with some chroot jail information http://olivier.sessink.nl/jailkit/
Chroot environment for SSH

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

* quotas

Quotas are pretty easy. I will need a dedicated filesystem. I think I will limit to 50 or 100M.
Using Quotas
Enabling quota for the respective file systems is as easy as changing the defaults setting to defaults,usrquota in your /etc/fstab file. If you need group quota, substitute grpquota for usrquota. You can also use them both. Then create empty quota.user and quota.group files in the roots of the file systems you want to use quotas on (e.g. touch /home/quota.user /home/quota.group for a /home file system).

Restart quota by doing /etc/init.d/quota stop;/etc/init.d/quota start. Now quota should be running, and quota sizes can be set.

Editing quotas for a specific user can be done by edquota -u <user>. Group quotas can be modified with edquota -g <group>. Then set the soft and hard quota and/or inode quotas as needed.

* thread restriction

Notes about Gentoo. http://gentoo-wiki.com/SECURITY_Limit_User_Processes
For Debian, 4.10 Providing secure user access

http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Limiting resource usage: the limits.conf file
You should really take a serious look into this file. Here you can define user resource limits. In old releases this configuration file was /etc/limits.conf, but in newer releases (with PAM) the /etc/security/limits.conf configuration file should be used instead.

There is a way to add resource limits to some shells (for example, bash has ulimit, see bash(1)), but since not all of them provide the same limits and since the user can change shells (see chsh(1)) it is better to place the limits on the PAM modules as they will apply regardless of the shell used and will also apply to PAM modules that are not shell-oriented.

Resource limits are imposed by the kernel, but they need to be configured through the limits.conf and the PAM configuration of the different services need to load the appropriate PAM. You can check which services are enforcing limits by running:

$ find /etc/pam.d/ \! -name "*.dpkg*" | xargs -- grep limits | grep -v ":#"

/etc/security/limits.conf

#This would prevent a core file be created by a user
@users soft core 0
@users hard core 0
@users hard rss 1000
@users hard memlock 1000
# limit of 4 processes, a login, a shell, a script and a command
@users hard nproc 4
@users - maxlogins 1
# 10 MB of memory per process
@users hard data 102400
@users hard fsize 2048
@users - priority 10

What each item does (from http://www.samag.com/documents/s=1161/sam0009a/0009a.htm):
core — Limits the core file size (KB); usually set to 0 for most users to prevent core dumps.
data — Maximum data size (KB).
fsize — Maximum file size (KB).
memlock — Maximum locked-in-memory address space (KB).
nofile — Maximum number of open files.
rss — Maximum resident set size (KB).
stack — Maximum stack size (KB).
cpu — Maximum CPU time (MIN).
nproc — Maximum number of processes.
as — Address space limit.
maxlogins — Maximum number of logins for this user or group.
priority — The priority to run user process with.

These would be the limits a default user (including system daemons) would have:

$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) 102400
file size (blocks, -f) 2048
max locked memory (kbytes, -l) 10000
max memory size (kbytes, -m) 10000
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 100
virtual memory (kbytes, -v) unlimited

* bandwidth throttling

Looks like the tc command will do what I want.

http://www.experts-exchange.com/Networking/Linux_Networking/Q_20819743.html

I wonder if the xen eth0 is closely tied to the system eth0. Specifically would limiting traffic on a vm eth0 restrict system traffic. Probably will not find out until I try and don’t anticipate that result. This looks to be the most complicated of the requirements. I am going to tentatively throttle at 56k up/128k down.

It looks like there is information in VoIP Hacks from O’Reilly as well.

* Authentication

I don’t want centralized authentication at this time. This server will be self-contained.

* Folder permissions

Setting users umasks
You can change this by introducing an umask call in the shell configuration files: /etc/profile (sourced by all Bourne-compatible shells), /etc/csh.cshrc, /etc/csh.login, /etc/zshrc and probably some others (depending on the shells you have installed on your system). You can also change the UMASK setting in /etc/login.defs.

The libpam-umask package adjusts the users’ default umask using PAM. Add the following, after installing the package, to /etc/pam.d/common-session:

session optional pam_umask.so umask=077

Finally, you should consider changing root’s default 022 umask (as defined in /root/.bashrc) to a stricter umask. That will prevent the system administrator from inadvertently dropping sensitive files into world-readable directories (such as /tmp) when working as root, where they would be available to your average user.

New user home permissions
You can change this behavior so that user creation provides different $HOME permissions. To change the behavior for new users when they get created, change DIR_MODE in the configuration file /etc/adduser.conf to 0750 (no world-readable access).

I’m not going to bother with an ftp server; it is too much trouble. SSH will let you transfer files, and I will probably make wget available.

Much information used from

http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Software RAID – Replacing a failed hard drive

Thursday, August 16th, 2007

I will make the partition table on sdb the same as sda. I will duplicate sda1 (/boot) as well, so that if sda fails I can get the system booting more quickly.

note: md0 doesn’t have a partition table. That is really best suited to a separate article discussing raid and lvm, so I am not going to delve into it at this moment.

# fdisk -l
Disk /dev/sda: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14       38913   312464250   fd  Linux raid autodetect

Disk /dev/sdb: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/md0: 319.9 GB, 319963267072 bytes
2 heads, 4 sectors/track, 78116032 cylinders
Units = cylinders of 8 * 512 = 4096 bytes

Disk /dev/md0 doesn't contain a valid partition table
# mdadm --detail /dev/md0
/dev/md0:
        Version : 00.90.03
  Creation Time : Sun Apr  8 00:22:19 2007
     Raid Level : raid1
     Array Size : 312464128 (297.99 GiB 319.96 GB)
    Device Size : 312464128 (297.99 GiB 319.96 GB)
   Raid Devices : 2
  Total Devices : 1
Preferred Minor : 0
    Persistence : Superblock is persistent

    Update Time : Thu Aug 16 12:18:10 2007
          State : active, degraded
 Active Devices : 1
Working Devices : 1
 Failed Devices : 0
  Spare Devices : 0
           UUID : 7ffa6982:50ea5134:11c17882:91cfa617
         Events : 0.960047
    Number   Major   Minor   RaidDevice State
       0       8        2        0      active sync   /dev/sda2
       1       0        0        1      removed

I replaced the failed hard drive with an identical hard drive. Create the partitions on it using the same layout as sda.

# fdisk /dev/sdb
n - new
p - primary
1 - partition number
Start 1
End 13
n - new
p - primary
2 - partition number
Start 14
End 38913
t - type
fd (Linux raid autodetect)
w - write and quit

Added the new raid partition to md0 (/dev/md0 is the mirrored raid array device)

# mdadm /dev/md0 -a /dev/sdb2
mdadm: added /dev/sdb2
# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sdb2[2] sda2[0]
      312464128 blocks [2/1] [U_]
      [>....................]  recovery =  0.3% (1072128/312464128) finish=275.0min speed=18869K/sec

unused devices: <none>
# mdadm --detail /dev/md0
/dev/md0:
        Version : 00.90.03
  Creation Time : Sun Apr  8 00:22:19 2007
     Raid Level : raid1
     Array Size : 312464128 (297.99 GiB 319.96 GB)
    Device Size : 312464128 (297.99 GiB 319.96 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 0
    Persistence : Superblock is persistent

    Update Time : Thu Aug 16 12:23:25 2007
          State : active, degraded, recovering
 Active Devices : 1
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 1
Rebuild Status : 0% complete
           UUID : 7ffa6982:50ea5134:11c17882:91cfa617
         Events : 0.960629
    Number   Major   Minor   RaidDevice State
       0       8        2        0      active sync   /dev/sda2
       2       8       18        1      spare rebuilding   /dev/sdb2
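The /proc/mdstat output above is what a monitoring check should be reading, since a degraded mirror is silent until the second disk also dies. This added example (not part of the original post) parses that text and reports which arrays are missing or have failed members; the sample is constructed from the post’s md0 plus two made-up arrays, one healthy and one with a member marked (F).

```python
"""Parse /proc/mdstat and flag arrays with a missing or failed member."""
import re

# Constructed sample: md0 is the post's rebuilding mirror; md1 and md2 are made up.
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid5]
md0 : active raid1 sdb2[2] sda2[0]
      312464128 blocks [2/1] [U_]
      [>....................]  recovery =  0.3% (1072128/312464128) finish=275.0min speed=18869K/sec

md1 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]

md2 : active raid5 sdd1[2](F) sdc1[1] sdb3[0]
      625137152 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]

unused devices: <none>
"""

# "md0 : active raid1 sdb2[2] sda2[0]"; an optional "(auto-read-only)" may follow the state.
ARRAY_RE = re.compile(r"^(?P<name>md\d+) : (?P<state>\w+)(?: \([^)]*\))? (?P<level>\S+) (?P<members>.+)$")
# "sdd1[2](F)": device, slot number, then zero or more single-letter flags such as (F) or (S).
MEMBER_RE = re.compile(r"(?P<dev>[\w/]+)\[(?P<slot>\d+)\](?P<flags>(?:\([A-Z]\))*)")
# "... blocks [2/1] [U_]": devices wanted/present and the per-slot up map.
BLOCKS_RE = re.compile(r"^\s+(?P<blocks>\d+) blocks.*\[(?P<want>\d+)/(?P<have>\d+)\] \[(?P<map>[U_]+)\]")
# "[>....]  recovery =  0.3% ..." (also resync, reshape, check).
PROGRESS_RE = re.compile(r"^\s+\[[>=.]+\]\s+(?P<op>\w+)\s*=\s*(?P<pct>[\d.]+)%")


def parse_mdstat(text):
    """Return {array name: {level, state, members, want, have, map, progress}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = arrays.setdefault(m["name"], {
                "level": m["level"], "state": m["state"], "members": {},
                "want": None, "have": None, "map": "", "progress": None})
            for mm in MEMBER_RE.finditer(m["members"]):
                current["members"][mm["dev"]] = re.findall(r"\(([A-Z])\)", mm["flags"])
            continue
        if current is None:
            continue
        m = BLOCKS_RE.match(line)
        if m:
            current["want"], current["have"] = int(m["want"]), int(m["have"])
            current["map"] = m["map"]
            continue
        m = PROGRESS_RE.match(line)
        if m:
            current["progress"] = (m["op"], float(m["pct"]))
    return arrays


def array_health(arrays):
    """Map each array to (status, failed members, progress); status is 'ok' or 'degraded'."""
    report = {}
    for name, a in arrays.items():
        failed = sorted(dev for dev, flags in a["members"].items() if "F" in flags)
        short = a["want"] is not None and a["have"] < a["want"]
        status = "degraded" if (short or "_" in a["map"] or failed) else "ok"
        report[name] = (status, failed, a["progress"])
    return report


def degraded_arrays(arrays):
    """Sorted names of arrays that need attention; empty means all mirrors are whole."""
    return sorted(n for n, (status, _, _) in array_health(arrays).items() if status != "ok")
```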

ssh using public keys

Thursday, August 16th, 2007

To generate keys for the client, use this command. Since you want unattended login, press enter when it asks for a passphrase.

$ ssh-keygen -t dsa

The destination machine requires a .ssh directory in the home of the user you want to log in as, and that directory should be chmod 700. Here are the commands to create it in the event it doesn’t exist:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

If it already exists, you can place the public key from the client without needing to login to the remote machine.

$ cat ~/.ssh/id_dsa.pub | ssh SERVERB 'sh -c "cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'

Notice the >> to APPEND to authorized_keys. If you do not append, you will lose the ability to log in with any other public keys you have added. Most tutorials that scp the key directly overwrite authorized_keys.
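The one-liner above appends and fixes the file mode, but it will add the same key every time it is run and trusts whatever is piped in. This added example (not part of the original post) does the same install on the server side with those checks: the public key line must parse, .ssh is forced to 700, authorized_keys is created 600, and a key already present is not appended again. The sample keys are constructed stand-ins whose blobs carry only the type string, not real key material.

```python
"""Append an OpenSSH public key to authorized_keys without overwriting or duplicating."""
import base64
import os
import stat
import tempfile


def _fake_key(ktype, comment):
    # Constructed stand-in for an id_dsa.pub line: wire format starts with a
    # length-prefixed type string, which is all the validity check below looks at.
    blob = len(ktype).to_bytes(4, "big") + ktype.encode() + b"\x00" * 16
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY = _fake_key("ssh-dss", "user@client")
SAMPLE_KEY_2 = _fake_key("ssh-ed25519", "user@laptop")


def valid_pubkey(line):
    """True for 'type base64blob [comment]' where the blob decodes and names that type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n] == parts[0].encode()


def install_pubkey(home, pubkey):
    """Append pubkey to home/.ssh/authorized_keys; returns 'added' or 'present'."""
    if not valid_pubkey(pubkey):
        raise ValueError("not a well-formed OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)    # makedirs leaves an existing directory's mode alone
    path = os.path.join(ssh_dir, "authorized_keys")
    key_id = pubkey.split()[:2]  # type + blob identify a key; the comment may differ
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [l.split()[:2] for l in f if l.strip() and not l.startswith("#")]
    if key_id not in existing:
        # O_APPEND is the >> of the shell version: other keys in the file survive.
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a") as f:
            f.write(pubkey.strip() + "\n")
    os.chmod(path, 0o600)
    return "added" if key_id not in existing else "present"


def demo():
    """Install two keys (one of them twice) into a temporary home and report the result."""
    with tempfile.TemporaryDirectory() as home:
        first = install_pubkey(home, SAMPLE_KEY)
        second = install_pubkey(home, SAMPLE_KEY)
        other = install_pubkey(home, SAMPLE_KEY_2)
        ak = os.path.join(home, ".ssh", "authorized_keys")
        with open(ak) as f:
            lines = f.read().splitlines()
        dmode = stat.S_IMODE(os.stat(os.path.dirname(ak)).st_mode)
        fmode = stat.S_IMODE(os.stat(ak).st_mode)
        return first, second, other, len(lines), dmode, fmode
```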