Hyper-V 2016

Active memory dump

Windows Server 2016 introduces a dump type of “Active memory dump”, which filters out most memory pages allocated to VMs making the memory.dmp file much smaller and easier to save/copy.

 

Azure Stack

A replacement for Windows Azure Pack (WAPack), bringing the code of the “Ibiza” “preview portal” of Azure to on-premises for private cloud or hosted public cloud. Uses providers to interact with Windows Server 2016. Does not require System Center, but you will want management for some things (monitoring, Hyper-V Network Virtualization, etc).

 

Azure Storage

A post-RTM update (flight) will add support for blobs, tables, and storage accounts, allowing you to deploy Azure storage on-premises or in hosted solutions.

 

Backup Change Tracking

Microsoft will include change tracking so third-party vendors do not need to update/install dodgy kernel level file system filters for change tracking of VM files.

 

Binary VM Configuration Files

Microsoft is moving away from text-based files to increase scalability and performance.

 

Cluster Cloud Witness

You can use Azure storage as a witness for quorum for a multi-site cluster. Stores just an incremental sequence number in an Azure Storage Account, secured by an access key.

 

Cluster Compute Resiliency

Prevents the cluster from failing a host too quickly after a transient error. A host will go into isolation, allowing services to continue to run without disruptive failover.

 

Cluster Functional Level

A rolling upgrade requires mixed-mode clusters, i.e. WS2012 R2 and Windows Server vNext hosts in the same cluster. The cluster will stay at the WS2012 R2 functional level until you finish the rolling upgrade and then manually increase the cluster functional level (one-way).

 

Cluster Quarantine

If a cluster node is flapping (going into & out of isolation too often) then the cluster will quarantine a node, and drain it of resources (Live Migration – see MoveTypeThreshold and DefaultMoveType).

 

Cluster Rolling Upgrade

You do not need to create a new cluster or do a cluster migration to get from WS2012 R2 to Windows Server vNext. The new process allows hosts in a cluster to be rebuilt IN THE EXISTING cluster with Windows Server vNext.

 

Containers

Deploy born-in-the-cloud stateless applications using Windows Server Containers or Hyper-V Containers.

 

Converged RDMA

Remote Direct Memory Access (RDMA) NICs (rNICs) can be converged to share both tenant and host storage/clustering traffic roles.

 

Delivery of Integration Components

This will be done via Windows Update.

 

Differential Export

Export just the changes between 2 known points in time. Used for incremental file-based backup.

 

Distributed Storage QoS

Enable per-virtual hard disk QoS for VMs stored on a Scale-Out File Server, possibly also available for SANs.

 

File-Based Backup

Hyper-V is decoupling from volume backup for scalability and reliability reasons.

 

Host Resource Protection

An automated process for restricting resource availability to VMs that display unwanted “patterns of access”.

 

Hot-Add & Hot-Remove of vNICs

You can hot-add and hot-remove virtual NICs to/from a running virtual machine.

 

Hyper-convergence

This is made possible with Storage Spaces Direct and is aimed initially at smaller deployments.

 

Hyper-V Cluster Management

A new administration model that allows tools to abstract the cluster as a single host. Enables much easier VM management, visible initially with PowerShell (e.g. Get-VM, etc).

 

Hyper-V Replica & Hot Add of Disks

You can add disks to a virtual machine that is already being replicated. Later you can add the disks to the replica set using Set-VMReplication.

 

Hyper-V Manager Alternative Credentials

With CredSSP-enabled PCs and hosts, you can connect to a host with alternative credentials.

 

Hyper-V Manager Down-Level Support

You can manage Windows Server vNext, WS2012 R2 and WS2012 Hyper-V from a single console.

 

Hyper-V Manager WinRM

WinRM is used to connect to hosts.

 

MS-SQOS

This is a new protocol for Microsoft Storage QoS. It uses SMB 3.0 as a transport and describes the conversation between Hyper-V compute nodes and the SOFS storage nodes. IOPS, latency, initiator names and initiator node information are sent from the compute nodes to the storage nodes. The storage nodes send back enforcement commands to limit flows, etc.

 

Nested Virtualization

Yes, you read that right! Required for Hyper-V containers in a hosted environment, e.g. Azure. Side-effect is that WS2016 Hyper-V can run in WS2016 via virtualization of VT-X.

 

Network Controller

A new fabric management feature built-into Windows Server, offering many new features that we see in Azure. Examples are a distributed firewall and software load balancer.

 

Online Resize of Memory

Change memory of running virtual machines that don’t have Dynamic Memory enabled.

 

Power Management

Hyper-V has expanded support for power management, including Connected Standby.

 

PowerShell Direct

Target PowerShell at VMs via the hypervisor (VMbus) without requiring network access. You still need local admin credentials for the guest OS.

 

Pre-Authentication Integrity

Applies when one machine talks to another via SMB 3.1.1. This is a security feature that uses checks on the sender and recipient sides to ensure that there is no man-in-the-middle.

 

Production Checkpoints

Uses VSS in the guest OS to create consistent snapshots that workload services should be able to support. Applying a checkpoint is like performing a VM restore from backup.

 

Nano Server

A new installation option that allows you to deploy headless Windows Servers with tiny install footprint and no UI of any kind. Intended for storage and virtualization scenarios at first. There will be a web version of admin tools that you can deploy centrally.

 

RDMA to the Host

Remote Direct Memory Access will be supported to the management OS virtual NICs via converged networking.

 

ReFS Accelerated VHDX Operations

Operations are accelerated by converting them into metadata operations: fixed VHDX creation, dynamic VHDX extension, merge of checkpoints (better file-based backup).

 

RemoteFX

OpenGL 4.4 and OpenCL 1.1 APIs are supported.

 

Replica Support for Hot-Add of VHDX

When you hot-add a VHDX to a running VM that is being replicated by Hyper-V Replica, the VHDX is available to be added to the replica set (MSFT doesn’t assume that you want to replicate the new disk).

 

Replica support for Cross-Version Hosts

Your hosts can be of different versions.

 

Runtime Memory Resize

You can increase or decrease the memory assigned to Windows Server vNext guests.

 

Secure Boot for Linux

Enable protection of the boot loader in Generation 2 VMs.

 

Shared VHDX Improvements

You will be able to do host-based snapshots of Shared VHDX (so you get host-level backups) and guest clusters. You will be able to hot-resize a Shared VHDX.

Shared VHDX will have its own hardware category in the UI. Note that there is a new file format for Shared VHDX. There will be a tool to upgrade existing files.

 

Shielded Virtual Machines

A new security model that hardens Hyper-V and protects virtual machines against unwanted tampering at the fabric level.

 

SMB 3.1.1

This is a new version of the data transport protocol. The focus has been on security. There is support for mixed mode clusters so there is backwards compatibility. SMB 3.02 is now called SMB 3.0.2.

 

SMB Negotiated Encryption

Moving from AES CCM to AES GCM (Galois Counter Mode) for efficiency and performance. It will leverage new modern CPUs that have instructions for AES encryption to offload the heavy lifting.

 

SMB Forced Encryption

In older versions of SMB, SMB encryption was opt-in on the client side. This is no longer the case in the next version of Windows Server.

 

Storage Accounts

A later release of WS2016 will bring support for hosting Azure-style Storage accounts, meaning that you can deploy Azure-style storage on-premises or in a hosted cloud.

 

Storage Replica

Built-in, hardware agnostic, synchronous and asynchronous replication of Windows Storage, performed at the file system level (volume-based). Enables campus or multi-site clusters.

Requires GPT. Source and destination need to be the same size. Need low latency. Finish the solution with the Cluster Cloud Witness.

 

Storage Spaces Direct (S2D)

A “low cost” solution for VM storage. A cluster of nodes uses internal (DAS) disks (SAS or SATA, SSD, HDD, or NVMe) to create Storage Spaces pools that stretch across the servers. Compute is normally on a different cluster (converged) but it can be on the same tier (hyper-converged).

 

Storage Transient Failures

Avoid VM bugchecks when storage has a transient issue. The VM freezes while the host retries to get storage back online.

 

Stretch Clusters

The preferred term for when Failover Clustering spans two sites.

 

System Center 2016

Those of you who can afford the per-host SMLs will be able to get System Center 2016 to manage your shiny new Hyper-V hosts and fabric.

 

System Requirements

The system requirements for a server host have been increased. You now must have support for Second-Level Address Translation (SLAT), known as Intel EPT or AMD RVI or NPT. Previously SLAT (Intel Nehalem and later) was recommended but not required on servers and required on Client Hyper-V. It shouldn’t be an issue for most hosts because SLAT has been around for quite some time.

 

Virtual Machine Groups

Group virtual machines for operations such as orchestrated checkpoints (even with shared VHDX) or group checkpoint export.

 

Virtual Machine ID Management

Control whether a VM has same or new ID as before when you import it.

 

Virtual Network Adapter Identification

Not vCDN! You can create/name a vNIC in the settings of a VM and see the name in the guest OS.

 

Virtual Secure Mode (VSM)

A feature of Windows 10 Enterprise that protects LSASS (secret keys) from pass-the-hash attacks by storing the process in a stripped down Hyper-V virtual machine.

 

Virtual TPM (vTPM)

A feature of shielded virtual machines that enables secure boot, disk encryption within the virtual machine, and VSC.

 

VM Storage Resiliency

A VM will pause when the physical storage of that VM goes offline. Allows the storage to come back (maybe Live Migration) without crashing the VM.

 

VM Upgrade Process

VM versions are upgraded manually, allowing VMs to be migrated back down to WS2012 R2 hosts with support from Microsoft.

 

VXLAN Support

The new Network Controller will support VXLAN as well as the incumbent NVGRE for network virtualization.

 

Windows Containers

This is Docker in Windows Server, enabling services to run in containers on a shared set of libraries on an OS, giving you portability, per-OS density, and fast deployment.

Hyper-V Snapshots / Checkpoints

In Windows Server 2012 R2, Hyper-V snapshots were renamed to so-called “Checkpoints”.

The following are 11 things to know about Hyper-V snapshots and checkpoints. Ideally an IT admin should be aware of all of them in order to make a well informed decision on when and how to use snapshots.

Advantages of Hyper-V Snapshots / Checkpoints

  1. Be able to revert an operating system for software test purposes
  2. Be able to undo accidental mistakes in system configuration
  3. Be able to revert to a ‘clean’ machine in case something is messed up
  4. Keep track of progress
  5. Be able to export the snapshot as a new, separate VM, without losing the chain of snapshots

 

Disadvantages of Snapshots a.k.a. Checkpoints

  1. Risk of data loss and corruption
    1. Hyper-V bugs: customers reported cases where snapshots simply ‘disappeared’ from their server... and all data with them!
    2. Hyper-V bugs: virtual disks end up corrupted. Risk appears to be greater with differencing disks
  2. Severe performance impact during production
    1. Tremendous overhead required for every single block access (blocks are only 512KB in VHD disks and 4KB when using VHDX)
    2. Snapshots use dynamically growing disks which are a performance killer
  3. Performance impact during backups
  4. Can’t restore a backup taken from a host with different CPU architecture or Windows version
  5. Loss of portability. Snapshots can’t be easily moved to another host. Plain VHD/VHDX files, on the other hand, are easy to copy over.
  6. You lose the ability to make a simple offline copy: turning off the VM and copying the VHD file isn’t possible when snapshots are present.

 

Please take note that Microsoft itself recommends against using snapshots on production systems for the above reasons.

 

A couple of details regarding performance and data loss:

When you use dynamic disks (i.e. when you use snapshots) the hard drive’s head needs to jump back and forth even when data blocks are thought to be consecutive, because in fact it’s likely they won’t be a contiguous block on disk. Because dynamic disks grow as needed and because most data these days is block oriented, a severe form of fragmentation results.

Our estimate is that you could probably run about 5 to 10 times more VMs on the same system if you don’t use dynamic disks and snapshots.

 

Naturally when snapshots are present, each VM block access now has to be overloaded with additional checks and jumps since each differencing disk needs to be looked at before disk access can commence.

It then follows that backups will cause additional stress on the system since more files need to be read and those files have been likely heavily fragmented over time. The result is that backups will take more time to complete and affect the quality of service of the Hyper-V host due to increased disk activity. This increase of disk activity is a direct result of long-term dynamic differencing disk growth.

 

Deploy MySQL master-slave on CentOS7

2. Locate the directory where the my.cnf file resides:
mysql --help | grep my.cnf
Usually my.cnf is located in the /etc directory.

3. Open the MySQL configuration file my.cnf with vim:
vim /etc/my.cnf

4. On the MySQL master server, locate the [mysqld] section and add the following configuration after it:
# uniquely identifies this MySQL server; the default is 1, and the last octet of the server's IP is commonly used
server-id=1
# binary log file name; the MySQL master server must enable this
log-bin=master-bin-log
# name of the database on the master that takes part in master-slave replication; for several databases repeat this option, one line per database
binlog-do-db=db_master_slave
# index file name for the master's binary logs
log-bin-index=master-bin-log.index

5. On the MySQL slave server, also open my.cnf with vim, locate the [mysqld] section and add the following configuration after it:
# uniquely identifies this MySQL server; must differ from the master's server-id
server-id=2
# index file name for the slave's relay logs
relay-log-index=slave-relay-log.index
# relay log file name on the slave
relay-log=slave-relay-log

6. Create the database db_master_slave on both the MySQL master and slave servers:
create database db_master_slave;

7. On the MySQL master server, create the user user_master with the password Password_Master_123456:
create user 'user_master'@'%' identified by 'Password_Master_123456';

8. On the MySQL master server, grant user_master all rights on the db_master_slave database:
grant all on db_master_slave.* to 'user_master'@'%';

9. On the MySQL master server, grant user_master local access privileges:
grant all privileges on db_master_slave.* to 'user_master'@'localhost' identified by 'Password_Master_123456';

10. On the MySQL master server, authorize the MySQL slave servers to access the master as user_master:
grant replication slave on *.* to 'user_master'@'%' identified by 'Password_Master_123456' with grant option;

11. Restart the MySQL service on both the MySQL master and slave servers:
stop the MySQL service:
service mysqld stop
start the MySQL service:
service mysqld start
restart the MySQL service:
service mysqld restart

12. On both the MySQL master and slave servers, enter the database db_master_slave and create the table:
use db_master_slave;
create table t_user(id int(3), name varchar(128));

13. Check the MySQL master server status:
show master status;
and record its master_log_file and master_log_pos values.

14. On the MySQL slave server, execute the following:
CHANGE MASTER TO
  MASTER_HOST='192.168.1.10',                -- IP of the MySQL master server
  MASTER_PORT=3306,
  MASTER_USER='user_master',
  MASTER_PASSWORD='Password_Master_123456',
  MASTER_LOG_FILE='master-bin-log.000004',   -- master_log_file value from the master
  MASTER_LOG_POS=654;                        -- master_log_pos value from the master

15. On the MySQL master server, in the db_master_slave database, add data to the table t_user:
mysql> insert into t_user(id, name) values(1, 'idea1');
mysql> select * from t_user;

16. On the MySQL slave server, in the db_master_slave database, add data to the table t_user:
mysql> insert into t_user(id, name) values(1, 'idea1');
mysql> select * from t_user;

17. If on the MySQL slave server you find
slave_IO_running = NO
then execute the following commands:
mysql> stop slave;
mysql> start slave;

18. Check the server_id value of the running MySQL server:
show variables like 'server_id';
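Step 17 tells you what to do once you notice Slave_IO_Running = No, but a replica that silently stops or falls behind is exactly what you want to detect automatically rather than by reading SHOW SLAVE STATUS by hand. The following is an added shell example, not part of the original post: it parses the output of `SHOW SLAVE STATUS\G` (the two status texts below are constructed samples) and returns a non-zero status when either replication thread is stopped or the lag exceeds MAX_LAG, an assumed threshold.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: evaluate replica health from
# the text that `mysql -e 'SHOW SLAVE STATUS\G'` prints.
# MAX_LAG is an assumed threshold (seconds); tune it for your workload.
MAX_LAG="${MAX_LAG:-30}"

# status_field NAME: read \G output on stdin and print the value of "NAME: value".
# Error messages can themselves contain ": ", so only split after the exact
# field name, never on the first colon in the line.
status_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        index(line, key ":") == 1 {
            val = substr(line, length(key) + 2)
            sub(/^[[:space:]]+/, "", val)
            print val
            exit
        }'
}

# slave_health: read SHOW SLAVE STATUS\G output on stdin, print one line per
# problem found, return 0 when replication is healthy and 1 otherwise.
slave_health() {
    local status io sql lag err rc=0
    status="$(cat)"
    io="$(printf '%s\n' "$status" | status_field Slave_IO_Running)"
    sql="$(printf '%s\n' "$status" | status_field Slave_SQL_Running)"
    lag="$(printf '%s\n' "$status" | status_field Seconds_Behind_Master)"
    err="$(printf '%s\n' "$status" | status_field Last_IO_Error)"

    if [ -z "$io" ]; then
        echo "no replication configured (empty SHOW SLAVE STATUS)"
        return 1
    fi
    if [ "$io" != "Yes" ]; then
        echo "Slave_IO_Running=$io${err:+ ($err)}"
        rc=1
    fi
    if [ "$sql" != "Yes" ]; then
        echo "Slave_SQL_Running=$sql"
        rc=1
    fi
    case "$lag" in
        ''|NULL)
            # NULL lag while both threads report Yes means the replica cannot
            # say how far behind it is; treat that as unhealthy as well.
            if [ "$rc" -eq 0 ]; then echo "Seconds_Behind_Master is NULL"; rc=1; fi ;;
        *)
            if [ "$lag" -gt "$MAX_LAG" ]; then
                echo "replica is ${lag}s behind the master (limit ${MAX_LAG}s)"
                rc=1
            fi ;;
    esac
    return "$rc"
}

# Constructed sample outputs (abbreviated; the real output has many more fields).
HEALTHY_STATUS="*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.1.21
                  Master_User: replicator
              Master_Log_File: mysql-bin.000007
          Read_Master_Log_Pos: 1058
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
                Last_IO_Error:"
BROKEN_STATUS="*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
                  Master_Host: 192.168.1.21
                  Master_User: replicator
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
                Last_IO_Errno: 1045
                Last_IO_Error: error connecting to master 'replicator@192.168.1.21:3306' - retry-time: 60  retries: 1"

# Stand-alone demo; in production replace the sample with:
#   mysql -e 'SHOW SLAVE STATUS\G' | slave_health
for sample in "$HEALTHY_STATUS" "$BROKEN_STATUS"; do
    if printf '%s\n' "$sample" | slave_health; then
        echo "replica OK"
    else
        echo "replica needs attention"
    fi
done
```

Wire `slave_health` into whatever runs your host checks (cron, a monitoring agent's script check) and alert on its exit status; the printed line already names the failed thread and carries Last_IO_Error, which is what you need to tell a credential or network problem apart from a lagging SQL thread.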


[root@clusterserver2 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.20 clusterserver1.rmohan.com clusterserver1
192.168.1.21 clusterserver2.rmohan.com clusterserver2
[root@clusterserver2 ~]#

wget https://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm

[root@clusterserver2 software]# rpm -ivh mysql57-community-release-el7-8.noarch.rpm
warning: mysql57-community-release-el7-8.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY
Preparing…                          ################################# [100%]
Updating / installing…
1:mysql57-community-release-el7-8  ################################# [100%]

set password for root@localhost=password('Test@123');

Master1
server_id           = 1
log_bin             = /var/log/mysql/mysql-bin.log
log_bin_index       = /var/log/mysql/mysql-bin.log.index
relay_log           = /var/log/mysql/mysql-relay-bin
relay_log_index     = /var/log/mysql/mysql-relay-bin.index
expire_logs_days    = 10
max_binlog_size     = 100M
log_slave_updates   = 1
auto-increment-increment = 2
auto-increment-offset = 1

GRANT ALL ON sonar.* TO 'sonar'@'172.27.59.54' IDENTIFIED BY 'sonar';

create user 'replicator'@'%' identified by 'Test@123';
grant replication slave on *.* to 'replicator'@'%' identified by 'Test@123';

SHOW MASTER STATUS;
stop slave;
CHANGE MASTER TO MASTER_HOST = '192.168.1.21', master_port=3306, MASTER_USER = 'replicator', MASTER_PASSWORD = 'Test@123', MASTER_LOG_FILE = 'mysql-bin.000007', MASTER_LOG_POS = 1058;
start slave;

Master2

server_id           = 2
log_bin             = /var/log/mysql/mysql-bin.log
log_bin_index       = /var/log/mysql/mysql-bin.log.index
relay_log           = /var/log/mysql/mysql-relay-bin
relay_log_index     = /var/log/mysql/mysql-relay-bin.index
expire_logs_days    = 10
max_binlog_size     = 100M
log_slave_updates   = 1
auto-increment-increment = 2
auto-increment-offset = 2

stop slave;
CHANGE MASTER TO MASTER_HOST = '192.168.1.20', master_port=3306, MASTER_USER = 'replicator', MASTER_PASSWORD = 'Test@123', MASTER_LOG_FILE = 'mysql-bin.000005', MASTER_LOG_POS = 2964;
start slave;

show master status \G
show slave status \G

You can try this:

Slave: stop slave;
Master: flush logs

Master: show master status; -- take note of the master log file and master log position

Slave: CHANGE MASTER TO MASTER_LOG_FILE='log-bin.00000X', MASTER_LOG_POS=106;
Slave: start slave;

SELECT user, host FROM mysql.user;
SELECT USER(), CURRENT_USER();
SHOW VARIABLES LIKE 'skip_networking';

create user 'replicator'@'%' identified by 'Test@123';
grant replication slave on *.* to 'replicator'@'%' identified by 'Test@123';
grant replication slave on *.* to 'replicator'@'192.168.1.20' identified by 'Test@123';
grant replication slave on *.* to 'replicator'@'192.168.1.21' identified by 'Test@123';
GRANT ALL ON replicator.* TO 'replicator'@'192.168.1.21' IDENTIFIED BY 'Test@123';
GRANT ALL ON replicator.* TO 'replicator'@'192.168.1.20' IDENTIFIED BY 'Test@123';
grant all privileges on *.* to root@'192.168.1.%' identified by 'Test@123' with grant option;
FLUSH PRIVILEGES;
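The grants above hand out '%' hosts, ALL PRIVILEGES for root from the whole 192.168.1.0/24, and WITH GRANT OPTION on a replication account, which is far more than REPLICATION SLAVE from two known IPs requires. The following is an added shell example, not from the original post, that audits a mysql.user listing for those patterns. The listing is constructed to mirror the accounts created on this page plus one hypothetical app account, and the rules (wildcard host, GRANT OPTION or SUPER on non-root accounts, remote root) are the editor's choice, not something the page states.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit MySQL accounts for the
# over-broad grants a copy-and-paste replication setup tends to leave behind.
# Input is the tab-separated, header-less output of
#   mysql -N -B -e "SELECT user, host, Super_priv, Grant_priv, Repl_slave_priv FROM mysql.user"
# (those are real mysql.user column names on MySQL 5.7).

# audit_users: read that listing on stdin, print one finding per line,
# return 1 if anything was flagged and 0 if the account list is clean.
audit_users() {
    awk '
        BEGIN { FS = "\t"; n = 0 }
        function flag(u, h, msg) { n++; printf "%s@%s: %s\n", u, h, msg }
        NF < 5 { next }   # skip blank or malformed lines
        {
            user = $1; host = $2; super = $3; grant = $4; repl = $5
            if (host == "%")
                flag(user, host, "reachable from any host; restrict to the replica IP(s)")
            if (grant == "Y" && user != "root")
                flag(user, host, "has GRANT OPTION; a replication or application account does not need it")
            if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
                flag(user, host, "root may log in remotely; use a dedicated admin account instead")
            if (super == "Y" && user != "root")
                flag(user, host, "has SUPER; replication only needs REPLICATION SLAVE")
        }
        END { exit (n > 0) }'
}

# audit_count: number of findings for the listing on stdin.
audit_count() {
    audit_users | awk 'END { print NR }'
}

# Constructed sample listing: the accounts this page creates
# (root@192.168.1.% with ALL ... WITH GRANT OPTION, replicator@%,
# user_master@% with GRANT OPTION, sonar@172.27.59.54) plus a hypothetical
# app account that was given SUPER. Columns: user, host, Super, Grant, Repl_slave.
SAMPLE_USERS="$(
    printf 'root\tlocalhost\tY\tY\tY\n'
    printf 'root\t192.168.1.%%\tY\tY\tY\n'
    printf 'replicator\t%%\tN\tN\tY\n'
    printf 'replicator\t192.168.1.20\tN\tN\tY\n'
    printf 'user_master\t%%\tN\tY\tY\n'
    printf 'sonar\t172.27.59.54\tN\tN\tN\n'
    printf 'app\t10.0.0.5\tY\tN\tN\n'
)"

# Stand-alone demo; in production feed the real listing instead:
#   mysql -N -B -e "SELECT user, host, Super_priv, Grant_priv, Repl_slave_priv FROM mysql.user" | audit_users
if printf '%s\n' "$SAMPLE_USERS" | audit_users; then
    echo "no risky accounts found"
else
    echo "review the accounts above"
fi
```

On the sample the script flags five things: remote root, the two '%' accounts, GRANT OPTION on user_master and SUPER on the app account, while replicator@192.168.1.20 (the host-restricted form the page also shows) passes.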

Let's start with the advantages of master-master replication: it allows data to be copied from either server to the other one, adds redundancy, increases efficiency when accessing the data, and gives high availability. Now the disadvantage: cost (instead of using one machine you will be using two machines with a high-speed connection).

Requirements: two servers (you can use one server, but it is not recommended unless it's for testing).

How to set it up: let's say you have machine one, m1, with IP 1.1.1.1 and machine two, m2, with IP 2.2.2.2.

1) Log in to M1. You need to edit its cnf file by adding, or commenting/un-commenting, the following:

server-id               = 1
log_bin                 = /var/log/mysql/mysql-bin.log
binlog_do_db            = MyDB     # if you want to replicate only one db; comment this out if you want to replicate the whole SID
# bind-address            = 127.0.0.1

Then restart the SID for M1 and log in to MySQL using the command

mysql -uroot -P[port] -p[password]

2) Create a replica user using the following command:

create user 'replicator'@'M2' identified by 'password'; -- note you can use the IP instead of the host name

3) Next, grant the replication privileges to the replica user using:

grant replication slave on *.* to 'replicator'@'M2';

4) Check the master status to get the log id. ** After finishing the configuration of server one (M1) you need to move to server two (M2) and do the same as for server one, but make sure to change the host names as needed:

5) Edit the cnf file, but make sure the server id is not the same as M1's:

server-id               = 2
log_bin                 = /var/log/mysql/mysql-bin.log
binlog_do_db            = MyDB     # if you want to replicate only one db; comment this out if you want to replicate the whole SID
# bind-address            = 127.0.0.1

6) Restart the service.

7) Create a replication user and provide it with the replication privileges:

create user 'replicator'@'M1' identified by 'password';
grant replication slave on *.* to 'replicator'@'M1';

Now let's configure the master for M2:

stop slave;

CHANGE MASTER TO MASTER_HOST = '1.1.1.1', MASTER_USER = 'replicator', MASTER_PASSWORD = 'password', MASTER_LOG_FILE = 'mysql-bin.xxxxx', MASTER_LOG_POS = xxx;
start slave;

8) Now check the master status.

9) Then go back to M1 and start the load balance:

stop slave;

CHANGE MASTER TO MASTER_HOST = '2.2.2.2', MASTER_USER = 'replicator', MASTER_PASSWORD = 'password', MASTER_LOG_FILE = 'mysql-bin.xxxxx', MASTER_LOG_POS = xxx;
start slave;
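Step 5 warns that the second server id must not equal the first; with master-master replication the auto-increment settings matter just as much, because two masters that both hand out the same primary key produce duplicate-key errors on the other side and stop the SQL thread. Here is an added shell example, not part of the original post, that checks two [mysqld] fragments (constructed from the Master1/Master2 settings on this page) before either server is restarted: distinct server_id, auto_increment_increment of 2 on both with distinct offsets, and log_bin set. The check_masters and cfg_get names are the editor's.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check the [mysqld]
# fragments of two masters before restarting them.

# cfg_get KEY: read an option-file fragment on stdin and print KEY's value.
# MySQL treats '-' and '_' in option names as interchangeable, so do we.
cfg_get() {
    awk -v want="$(printf '%s' "$1" | tr '-' '_')" '
        /^[[:space:]]*#/ { next }                      # comment line
        index($0, "=") == 0 { next }                   # not "key = value"
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key); gsub(/-/, "_", key)
            sub(/[[:space:]]*#.*$/, "", val)            # trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) { print val; exit }
        }'
}

# check_masters CFG_A CFG_B: print one line per problem, return 0 only if the
# two fragments can safely replicate to each other.
check_masters() {
    local a="$1" b="$2" rc=0
    local id_a id_b inc_a inc_b off_a off_b cfg
    id_a="$(printf '%s\n' "$a" | cfg_get server_id)"
    id_b="$(printf '%s\n' "$b" | cfg_get server_id)"
    inc_a="$(printf '%s\n' "$a" | cfg_get auto_increment_increment)"
    inc_b="$(printf '%s\n' "$b" | cfg_get auto_increment_increment)"
    off_a="$(printf '%s\n' "$a" | cfg_get auto_increment_offset)"
    off_b="$(printf '%s\n' "$b" | cfg_get auto_increment_offset)"

    if [ -z "$id_a" ] || [ -z "$id_b" ]; then
        echo "server_id must be set on both masters"; rc=1
    elif [ "$id_a" = "$id_b" ]; then
        echo "server_id must differ (both are $id_a); replication will refuse to run"; rc=1
    fi
    # With two masters each must step AUTO_INCREMENT by 2 and start at a
    # different offset, or both sides can hand out the same key.
    if [ "$inc_a" != 2 ] || [ "$inc_b" != 2 ]; then
        echo "auto_increment_increment must be 2 on both masters"; rc=1
    fi
    if [ -z "$off_a" ] || [ -z "$off_b" ] || [ "$off_a" = "$off_b" ]; then
        echo "auto_increment_offset must be set and differ (got '${off_a}' and '${off_b}')"; rc=1
    fi
    for cfg in "$a" "$b"; do
        if [ -z "$(printf '%s\n' "$cfg" | cfg_get log_bin)" ]; then
            echo "log_bin missing: that server cannot act as a master"; rc=1
        fi
    done
    return "$rc"
}

# Constructed fragments mirroring the Master1/Master2 settings on this page.
MASTER1='[mysqld]
server_id           = 1
log_bin             = /var/log/mysql/mysql-bin.log
relay_log           = /var/log/mysql/mysql-relay-bin
auto-increment-increment = 2
auto-increment-offset = 1'
MASTER2='[mysqld]
server_id           = 2
log_bin             = /var/log/mysql/mysql-bin.log
relay_log           = /var/log/mysql/mysql-relay-bin
auto-increment-increment = 2
auto-increment-offset = 2'
# A typical mistake: the second file was copied from the first without editing the ids.
MASTER2_CLONED="$MASTER1"

# Stand-alone demo; in real use read the two files, e.g. "$(cat /etc/my.cnf)" from each host.
if check_masters "$MASTER1" "$MASTER2"; then echo "pair OK"; fi
check_masters "$MASTER1" "$MASTER2_CLONED" || echo "fix the second file before restarting"
```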

docker on Centos 7

Install Docker

[root@clusterserver3 /]# yum -y install docker
Loaded plugins: fastestmirror
base                                                                                                                                                                      | 3.6 kB  00:00:00
extras                                                                                                                                                                    | 3.4 kB  00:00:00
updates                                                                                                                                                                   | 3.4 kB  00:00:00
Loading mirror speeds from cached hostfile
* base: mirror.nus.edu.sg
* extras: mirror.nus.edu.sg
* updates: mirror.nus.edu.sg
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 0:1.8.2-10.el7.centos will be installed
--> Processing Dependency: docker-selinux >= 1.8.2-10.el7.centos for package: docker-1.8.2-10.el7.centos.x86_64
--> Running transaction check
---> Package docker-selinux.x86_64 0:1.8.2-10.el7.centos will be installed
--> Processing Dependency: policycoreutils-python for package: docker-selinux-1.8.2-10.el7.centos.x86_64
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.2.5-20.el7 will be installed
--> Processing Dependency: libsemanage-python >= 2.1.10-1 for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.2.5-20.el7.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.4.1-5.el7 will be installed
---> Package checkpolicy.x86_64 0:2.1.12-6.el7 will be installed
---> Package libcgroup.x86_64 0:0.41-8.el7 will be installed
---> Package libsemanage-python.x86_64 0:2.1.10-18.el7 will be installed
---> Package python-IPy.noarch 0:0.75-6.el7 will be installed
---> Package setools-libs.x86_64 0:3.3.7-46.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================================================
Package                                                Arch                                   Version                                              Repository                              Size
=================================================================================================================================================================================================
Installing:
docker                                                 x86_64                                 1.8.2-10.el7.centos                                  extras                                  10 M
Installing for dependencies:
audit-libs-python                                      x86_64                                 2.4.1-5.el7                                          base                                    69 k
checkpolicy                                            x86_64                                 2.1.12-6.el7                                         base                                   247 k
docker-selinux                                         x86_64                                 1.8.2-10.el7.centos                                  extras                                  63 k
libcgroup                                              x86_64                                 0.41-8.el7                                           base                                    64 k
libsemanage-python                                     x86_64                                 2.1.10-18.el7                                        base                                    94 k
policycoreutils-python                                 x86_64                                 2.2.5-20.el7                                         base                                   435 k
python-IPy                                             noarch                                 0.75-6.el7                                           base                                    32 k
setools-libs                                           x86_64                                 3.3.7-46.el7                                         base                                   485 k

Transaction Summary
=================================================================================================================================================================================================
Install  1 Package (+8 Dependent packages)

Total download size: 12 M
Installed size: 51 M
Downloading packages:
(1/9): audit-libs-python-2.4.1-5.el7.x86_64.rpm                                                                                                                           |  69 kB  00:00:00
(2/9): libsemanage-python-2.1.10-18.el7.x86_64.rpm                                                                                                                        |  94 kB  00:00:00
(3/9): libcgroup-0.41-8.el7.x86_64.rpm                                                                                                                                    |  64 kB  00:00:00
(4/9): docker-selinux-1.8.2-10.el7.centos.x86_64.rpm                                                                                                                      |  63 kB  00:00:00
(5/9): python-IPy-0.75-6.el7.noarch.rpm                                                                                                                                   |  32 kB  00:00:00
(6/9): checkpolicy-2.1.12-6.el7.x86_64.rpm                                                                                                                                | 247 kB  00:00:01
(7/9): policycoreutils-python-2.2.5-20.el7.x86_64.rpm                                                                                                                     | 435 kB  00:00:02
(8/9): setools-libs-3.3.7-46.el7.x86_64.rpm                                                                                                                               | 485 kB  00:00:01
(9/9): docker-1.8.2-10.el7.centos.x86_64.rpm                                                                                                                              |  10 MB  00:00:09
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                            1.2 MB/s |  12 MB  00:00:09
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : audit-libs-python-2.4.1-5.el7.x86_64                                                                                                                                          1/9
Installing : libsemanage-python-2.1.10-18.el7.x86_64                                                                                                                                       2/9
Installing : python-IPy-0.75-6.el7.noarch                                                                                                                                                  3/9
Installing : checkpolicy-2.1.12-6.el7.x86_64                                                                                                                                               4/9
Installing : libcgroup-0.41-8.el7.x86_64                                                                                                                                                   5/9
Installing : setools-libs-3.3.7-46.el7.x86_64                                                                                                                                              6/9
Installing : policycoreutils-python-2.2.5-20.el7.x86_64                                                                                                                                    7/9
Installing : docker-selinux-1.8.2-10.el7.centos.x86_64                                                                                                                                     8/9
Installing : docker-1.8.2-10.el7.centos.x86_64                                                                                                                                             9/9
Verifying  : setools-libs-3.3.7-46.el7.x86_64                                                                                                                                              1/9
Verifying  : docker-selinux-1.8.2-10.el7.centos.x86_64                                                                                                                                     2/9
Verifying  : libcgroup-0.41-8.el7.x86_64                                                                                                                                                   3/9
Verifying  : checkpolicy-2.1.12-6.el7.x86_64                                                                                                                                               4/9
Verifying  : docker-1.8.2-10.el7.centos.x86_64                                                                                                                                             5/9
Verifying  : python-IPy-0.75-6.el7.noarch                                                                                                                                                  6/9
Verifying  : libsemanage-python-2.1.10-18.el7.x86_64                                                                                                                                       7/9
Verifying  : policycoreutils-python-2.2.5-20.el7.x86_64                                                                                                                                    8/9
Verifying  : audit-libs-python-2.4.1-5.el7.x86_64                                                                                                                                          9/9

Installed:
docker.x86_64 0:1.8.2-10.el7.centos

Dependency Installed:
audit-libs-python.x86_64 0:2.4.1-5.el7          checkpolicy.x86_64 0:2.1.12-6.el7                  docker-selinux.x86_64 0:1.8.2-10.el7.centos       libcgroup.x86_64 0:0.41-8.el7
libsemanage-python.x86_64 0:2.1.10-18.el7       policycoreutils-python.x86_64 0:2.2.5-20.el7       python-IPy.noarch 0:0.75-6.el7                    setools-libs.x86_64 0:3.3.7-46.el7

Complete!

[root@clusterserver3 /]#

[root@clusterserver3 /]# systemctl start docker

[root@clusterserver3 /]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2016-01-02 00:45:24 SGT; 4s ago
Docs: http://docs.docker.com
Main PID: 2382 (docker)
CGroup: /system.slice/docker.service
└─2382 /usr/bin/docker daemon --selinux-enabled

Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.802613004+08:00" level=warning msg="Docker could not enable SELinux on the host system"
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.812225532+08:00" level=info msg="Option DefaultDriver: bridge"
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.812247573+08:00" level=info msg="Option DefaultNetwork: bridge"
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.833117198+08:00" level=warning msg="Running modprobe bridge nf_nat br_netfilter failed with messa….el7.x86_64
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.839917218+08:00" level=info msg="Firewalld running: false"
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.929783683+08:00" level=info msg="Loading containers: start."
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.929962936+08:00" level=info msg="Loading containers: done."
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.929979555+08:00" level=info msg="Daemon has completed initialization"
Jan 02 00:45:24 clusterserver3.rmohan.com docker[2382]: time="2016-01-02T00:45:24.929995986+08:00" level=info msg="Docker daemon" commit="a01dc02/1.8.2" execdriver=native-0.2 grap…-el7.centos
Jan 02 00:45:24 clusterserver3.rmohan.com systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.
[root@clusterserver3 /]#

Download the official image and create a Container

[root@clusterserver3 /]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos … latest: Pulling from library/centos
47d44cb6f252: Pull complete
838c1c5c4f83: Extracting [==============================================>    ] 65.18 MB/70.51 MB
5764f0a31317: Download complete
60e65a8e4030: Download complete

[root@clusterserver3 /]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos … latest: Pulling from library/centos
47d44cb6f252: Pull complete
838c1c5c4f83: Pull complete
5764f0a31317: Pull complete
60e65a8e4030: Pull complete
library/centos:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:8072bc7c66c3d5b633c3fddfc2bf12d5b4c2623f7004d9eed6aae70e0e99fbd7
Status: Downloaded newer image for docker.io/centos:latest

[root@clusterserver3 /]# docker run centos /bin/echo "welcome to rmohan.com in docker"
welcome to rmohan.com in docker
[root@clusterserver3 /]#

Connect to an interactive session in a container with the -i and -t options, as follows. When you exit the container session, the container's process finishes.

[root@clusterserver3 /]# docker run -i -t centos /bin/bash
[root@805a5cacc15e /]#

[root@805a5cacc15e ~]# uname -a
Linux 805a5cacc15e 3.10.0-327.3.1.el7.x86_64 #1 SMP Wed Dec 9 14:09:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@805a5cacc15e ~]#

[root@clusterserver3 ~]#  docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
502b544df6af        centos              "/bin/bash"         34 seconds ago      Up 34 seconds                           naughty_torvalds
[root@clusterserver3 ~]#
[root@clusterserver3 ~]# docker kill 502b544df6af

[root@clusterserver3 ~]# docker ps

[root@clusterserver3 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
docker.io/centos    latest              60e65a8e4030        8 days ago          196.6 MB
[root@clusterserver3 ~]#

[root@clusterserver3 /]# docker run centos /bin/bash -c "yum -y update; yum -y install httpd"
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: centos.usonyx.net
* extras: centos.usonyx.net
* updates: centos.usonyx.net
No packages marked for update
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: centos.usonyx.net
* extras: centos.usonyx.net
* updates: centos.usonyx.net
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
--> Processing Dependency: httpd-tools = 2.4.6-40.el7.centos for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-40.el7.centos will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package             Arch          Version                    Repository   Size
================================================================================
Installing:
httpd               x86_64        2.4.6-40.el7.centos        base        2.7 M
Installing for dependencies:
apr                 x86_64        1.4.8-3.el7                base        103 k
apr-util            x86_64        1.5.2-6.el7                base         92 k
centos-logos        noarch        70.0.6-3.el7.centos        base         21 M
httpd-tools         x86_64        2.4.6-40.el7.centos        base         82 k
mailcap             noarch        2.1.41-2.el7               base         31 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 24 M
Installed size: 31 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/httpd-tools-2.4.6-40.el7.centos.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for httpd-tools-2.4.6-40.el7.centos.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                              3.8 MB/s |  24 MB  00:06
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package    : centos-release-7-2.1511.el7.centos.2.10.x86_64 (@CentOS)
From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : apr-1.4.8-3.el7.x86_64                                       1/6
Installing : apr-util-1.5.2-6.el7.x86_64                                  2/6
Installing : httpd-tools-2.4.6-40.el7.centos.x86_64                       3/6
Installing : centos-logos-70.0.6-3.el7.centos.noarch                      4/6
Installing : mailcap-2.1.41-2.el7.noarch                                  5/6
Installing : httpd-2.4.6-40.el7.centos.x86_64                             6/6
Verifying  : httpd-2.4.6-40.el7.centos.x86_64                             1/6
Verifying  : httpd-tools-2.4.6-40.el7.centos.x86_64                       2/6
Verifying  : apr-1.4.8-3.el7.x86_64                                       3/6
Verifying  : mailcap-2.1.41-2.el7.noarch                                  4/6
Verifying  : apr-util-1.5.2-6.el7.x86_64                                  5/6
Verifying  : centos-logos-70.0.6-3.el7.centos.noarch                      6/6

Installed:
httpd.x86_64 0:2.4.6-40.el7.centos

Dependency Installed:
apr.x86_64 0:1.4.8-3.el7
apr-util.x86_64 0:1.5.2-6.el7
centos-logos.noarch 0:70.0.6-3.el7.centos
httpd-tools.x86_64 0:2.4.6-40.el7.centos
mailcap.noarch 0:2.1.41-2.el7

Complete!
[root@clusterserver3 /]#

[root@clusterserver3 ~]#  docker ps -a | head -2
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS                          PORTS               NAMES
0ea3378b8999        centos              "/bin/bash -c 'yum -y"   9 seconds ago        Up 9 seconds                                        reverent_bose
[root@clusterserver3 ~]#  docker commit  0ea3378b8999 my_image/centos_httpd
bc71655dc09687f4e7a78372d86fd46b110c3147d58e5bb1b77db0355cf6ad56
[root@clusterserver3 ~]#

[root@clusterserver3 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
my_image/centos_httpd   latest              bc71655dc096        37 seconds ago      250 MB
docker.io/centos        latest              60e65a8e4030        8 days ago          196.6 MB
[root@clusterserver3 ~]#

Your password does not satisfy the current policy requirements

wget https://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm

[root@clusterserver2 software]# rpm -ivh mysql57-community-release-el7-8.noarch.rpm
warning: mysql57-community-release-el7-8.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY
Preparing…                          ################################# [100%]
Updating / installing…
1:mysql57-community-release-el7-8  ################################# [100%]

After installing this package, we get two new yum repos related to MySQL:

[root@localhost ~]# ls -1 /etc/yum.repos.d/mysql-community*
/etc/yum.repos.d/mysql-community.repo
/etc/yum.repos.d/mysql-community-source.repo
[root@localhost ~]#

Installing MySQL Server

Using the yum command, we now install MySQL Server 5.6. All dependencies are installed automatically.

yum install mysql-server

How to start/stop/restart MySQL Server

Now MySQL Server is installed on your system.

To start MySQL Service, run command

systemctl start mysqld

To stop MySQL Service, run command

systemctl stop mysqld

To restart MySQL Service, run command

systemctl restart mysqld

To get status of MySQL Service, run command

systemctl status mysqld

Reset MySQL root password

On a fresh installation of MySQL Server, the MySQL root user password is blank.
As good security practice, we should reset the MySQL root user's password.

On a newly installed MySQL Server, we generally recommend using the following script; just follow its prompts.

mysql_secure_installation

Alternatively, you can log into the MySQL server and reset the password in a secure way.

mysql -u root

You will see the mysql prompt, which looks like mysql> . Use the commands below to reset root's password.

mysql> use mysql;
mysql> update user set password=PASSWORD("GIVE-NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;
mysql> quit

MySQL version: 5.7.9

For development, a MySQL server with a strong password policy can get in the way.

If you set a simple password for a user, you will get an error like this:

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

To change the default password validation level, we can change the setting at runtime or in the config file.

mysql> SHOW VARIABLES LIKE 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
6 rows in set (0.01 sec)

The default level is MEDIUM; we can change it to LOW, which only checks the password's length (min: 8 chars).

mysql> SET GLOBAL validate_password_policy=LOW;
Query OK, 0 rows affected (0.00 sec)


$ mysql -u root -p
> SET PASSWORD FOR root@localhost = PASSWORD('newpass');
$ mysql -u root -p
> show variables like 'char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

Or we can set it in the my.cnf file:

[mysqld]
validate_password_policy=LOW



systemctl restart mysqld.service

Securing Your Postfix Mail Server with Greylisting, SPF, DKIM and DMARC and TLS

DMARC stands for "Domain-based Message Authentication, Reporting & Conformance".

DMARC basically builds on top of two existing frameworks, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

SPF is used to define who can send mail for a specific domain, while DKIM signs the message. Both of these are pretty useful on their own, and reduce incoming spam A LOT, but the problem is you don’t have any “control” over what the receiving end does with email. For example, company1’s mail server may just give the email a higher spam score if the sending mail server fails SPF authentication, while company2’s mail server might outright reject it.

DMARC gives you finer control, allowing you to dictate what should be done. DMARC also lets you publish a forensics address. This is used to send back a report from remote mail servers, and contains details such as how many mails were received from your domain, how many failed authentication, from which IPs and which authentication tests failed.
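The SPF and DMARC records described above have a small grammar of their own. The following Python, added here as an example and not part of this article, parses both, counts the DNS-lookup terms of an SPF record, evaluates its ip4/ip6 terms against a sending IP without any DNS, and pulls the rua/ruf report addresses out of a DMARC record. The two records it uses are constructed sample data for example.org.

```python
"""Parse and sanity-check SPF and DMARC TXT records offline (no DNS lookups).
Added example; the sample records at the bottom are constructed, not real DNS data."""
import ipaddress

SPF_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
# Terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_spf(record):
    """Return ([(qualifier, mechanism, value), ...], {modifier: value})."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms, modifiers = [], {}
    for part in parts[1:]:
        if "=" in part:                      # modifiers: redirect=, exp=
            name, _, value = part.partition("=")
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                      # default qualifier is "+" (pass)
        if part[0] in QUALIFIER_RESULT:
            qualifier, part = part[0], part[1:]
        mech, _, value = part.partition(":")
        mech = mech.lower().partition("/")[0]  # drop a/24-style prefix lengths
        if mech not in SPF_MECHANISMS:
            raise ValueError(f"unknown SPF mechanism: {mech!r}")
        terms.append((qualifier, mech, value))
    return terms, modifiers


def spf_lookup_count(terms, modifiers):
    """Count DNS-querying terms so an over-long record can be flagged."""
    count = sum(1 for _, mech, _ in terms if mech in SPF_LOOKUP_TERMS)
    return count + (1 if "redirect" in modifiers else 0)


def spf_ip_result(terms, ip):
    """Evaluate ip4/ip6/all terms against ip in record order and return the
    result word of the first match. Terms that need DNS (a, mx, include, ...)
    are skipped, so this is a local pre-check, not a full SPF evaluation.
    With no matching term the RFC result is 'neutral'."""
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, value in terms:
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Parse a DMARC TXT record into {tag: value}, filling in RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {item!r}")
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("DMARC record needs p=none, quarantine or reject")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("pct", "100")         # apply the policy to all failing mail
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def dmarc_report_addresses(tags, kind="ruf"):
    """Return the mailboxes behind rua (aggregate) or ruf (forensic) reports."""
    addresses = []
    for uri in (u.strip() for u in tags.get(kind, "").split(",") if u.strip()):
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"{kind} URI must be mailto:, got {uri!r}")
        addresses.append(uri[len("mailto:"):].split("!")[0])  # drop "!10m" size limit
    return addresses


# Constructed sample records for example.org (not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx include:_spf.example.net -all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-agg@example.org; "
                "ruf=mailto:dmarc-forensic@example.org; fo=1")

if __name__ == "__main__":
    terms, modifiers = parse_spf(SAMPLE_SPF)
    print("SPF DNS lookups:", spf_lookup_count(terms, modifiers))
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(ip, "->", spf_ip_result(terms, ip))
    dmarc = parse_dmarc(SAMPLE_DMARC)
    print("DMARC policy:", dmarc["p"], "forensic reports to:", dmarc_report_addresses(dmarc))
```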

I’ve had a DMARC record published for my domains for a few months now, but I have not setup any filter to check incoming mail for their DMARC records, or sending back forensic reports.

Today, I was in the process of setting up a third backup MX for my domains, so I thought I’d clean up my configs a little, and also setup DMARC properly in my mail servers.

So in this article, I will be discussing how I setup my Postfix servers using Greylisting, SPF, DKIM and DMARC, and also using TLS for incoming/outgoing mail. I won’t be going into full details for how to setup a Postfix server, only the specifics needed for SPF/DKIM/DMARC and TLS.

We’ll start with TLS as that is easiest.
TLS

I wanted all incoming and outgoing mail to use opportunistic TLS.

To do this all you need to do is create a certificate:
[root@servah ~]# cd /etc/postfix/
[root@servah ~]# openssl genrsa -des3 -out mx1.example.org.key 2048
[root@servah ~]# openssl rsa -in mx1.example.org.key -out mx1.example.org.key-nopass
[root@servah ~]# mv mx1.example.org.key-nopass mx1.example.org.key
[root@servah ~]# openssl req -new -key mx1.example.org.key -out mx1.example.org.csr

Now, you can either self-sign the certificate request, or do as I have and use CAcert.org. Once you have a signed certificate, dump it in mx1.example.org.crt, and tell Postfix to use it in /etc/postfix/main.cf:
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
smtp_tls_security_level = may
# Tell Postfix where your ca-bundle is or it will complain about trust issues!
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
# I wanted a little more logging than default for outgoing mail.
smtp_tls_loglevel = 1
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
smtpd_tls_security_level = may
# Add TLS information to the message headers
smtpd_tls_received_header = yes
# Point this to your CA file. If you used CAcert.org, this is
# available at http://www.cacert.org/certs/root.crt
smtpd_tls_CAfile = /etc/postfix/ca.crt
# Point at your cert and key
smtpd_tls_cert_file = /etc/postfix/mx1.example.org.crt
smtpd_tls_key_file = /etc/postfix/mx1.example.org.key
# I wanted a little more logging than default for incoming mail.
smtpd_tls_loglevel = 1

Restart Postfix:
[root@servah ~]# service postfix restart

That should do it for TLS. I tested by sending an email from my email server, to my Gmail account, and back again, checking in the logs to see if the connections were indeed using TLS.
Greylisting

Greylisting is a method of reducing spam which is so simple, yet so effective, that it's quite amazing!

Basically, incoming relay attempts are temporarily delayed with an SMTP temporary reject for a fixed amount of time. Once this time has passed, any further attempts to relay from that IP are allowed to progress further through your ACLs.

This is extremely effective, as a lot of spam bots will not have any queueing system, and will not re-try to send the message!

EPEL already has an RPM for Postgrey, so I'll use that for greylisting:
[root@servah ~]# yum install postgrey

Set it to start on boot, and manually start it:

[root@servah ~]# chkconfig postgrey on
[root@servah ~]# service postgrey start

Next we need to tell Postfix to pass messages through Postgrey. By default, the RPM provided init scripts setup a unix socket in /var/spool/postfix/postgrey/socket so we’ll use that. Edit /etc/postfix/main.cf, and in your smtpd_recipient_restrictions, add “check_policy_service unix:postgrey/socket”, like I have:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:postgrey/socket,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client dnsbl-1.uceprotect.net,
    permit

As you can see, I am also using various RBLs.

Next, we restart Postfix:

[root@servah ~]# service postfix restart

All done. Greylisting is now in effect!
SPF

Next we’ll setup SPF.

There are many different SPF filters available, and probably the most popular one to use with Postfix would be pypolicyd-spf, which is also included in EPEL, but I was unable to get OpenDMARC to see the Received-SPF headers. I think this is due to the order in which a message is passed through a milter and through a Postfix policy engine, and I was unable to find a workaround. So instead I decided to use smf-spf, which is currently unmaintained, but from what I understand it is quite widely used, and quite stable.

I did apply some patches to smf-spf which were posted by Andreas Schulze on the OpenDMARC mailing lists. They are mainly cosmetic patches, and aren't necessary, but I liked them so I applied them.

I was going to write a RPM spec file for smf-spf, but I noticed that Matt Domsch has kindly already submitted packages for smf-spf and libspf2 for review.

I did have to modify both packages a little. For smf-spf I pretty much only added the patches I mentioned earlier, and a few minor changes I wanted. For libspf2 I had to re-run autoreconf and update Matt Domsch's patch as it seemed to break on EL6 boxes due to incompatible autoconf versions. I will edit this post later and add links to the SRPMs.

I built the RPMs, signed them with my key and published them in my internal RPM repo.
I won't go into detail on that, and will continue from installation:

[root@servah ~]# yum install smf-spf

Next, I edited /etc/mail/smfs/smf-spf.conf, set smf-spf to start on boot and started smf-spf:

[root@servah ~]# cat /etc/mail/smfs/smf-spf.conf | grep -v "^#" | grep -v "^$"
WhitelistIP 127.0.0.0/8
RefuseFail on
AddHeader on
User smfs
Socket inet:8890@localhost

Set smf-spf to start on boot, and also start it manually:
[root@servah ~]# chkconfig smf-spf on
[root@servah ~]# service smf-spf start

Now we edit the Postfix config again, and add the following to the end of main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8890

Restart Postfix:
[root@servah ~]# service postfix restart

Your mail server should now be checking SPF records!
You can test this by trying to forge an email from Gmail or something.
DKIM

DKIM was a little more complicated to setup as I have multiple domains. Luckily, OpenDKIM is already in EPEL, so I didn't have to do any work to get an RPM for it!

Install it using yum:
[root@servah ~]# yum install opendkim

Next, edit the OpenDKIM config file. I'll just show what I did using a diff:
[root@servah ~]# diff /etc/opendkim.conf.stock /etc/opendkim.conf
20c20
< Mode v

> Mode sv
58c58
< Selector default

> #Selector default
70c70
< #KeyTable /etc/opendkim/KeyTable

> KeyTable /etc/opendkim/KeyTable
75c75
< #SigningTable refile:/etc/opendkim/SigningTable

> SigningTable refile:/etc/opendkim/SigningTable
79c79
< #ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
82c82
< #InternalHosts refile:/etc/opendkim/TrustedHosts

> InternalHosts refile:/etc/opendkim/TrustedHosts

Next, I created a key:
[root@servah ~]# cd /etc/opendkim/keys
[root@servah ~]# opendkim-genkey --append-domain --bits=2048 --domain example.org --selector=dkim2k --restrict --verbose

This will give you two files in /etc/opendkim/keys:

dkim2k.txt – Contains your public key which can be published in DNS. It’s already in a BIND compatible format, so I won’t explain how to publish this in DNS.
dkim2k.private – Contains your private key.

Next, we edit /etc/opendkim/KeyTable. Comment out any of the default keys that are there and add your own:
[root@servah ~]# cat /etc/opendkim/KeyTable
dkim2k._domainkey.example.org example.org:dkim2k:/etc/opendkim/keys/dkim2k.private

(Thank you to andrewgdotcom for spotting the typo here)

Now edit /etc/opendkim/SigningTable, again commenting out the default entries and entering our own:
[root@servah ~]# cat /etc/opendkim/SigningTable
*@example.org dkim2k._domainkey.example.org

Repeat this process for as many domains as you want. It would also be quite a good idea to use different keys for different domains.

We can now start opendkim, and set it to start on boot:
[root@servah ~]# chkconfig opendkim on
[root@servah ~]# service opendkim start

Almost done with DKIM!
We just need to tell Postfix to pass mail through OpenDKIM to verify signatures of incoming mail, and to sign outgoing mail. To do this, edit /etc/postfix/main.cf again:
# Pass SMTP messages through smf-spf first, then OpenDKIM
smtpd_milters = inet:localhost:8890, inet:localhost:8891
# This line is so mail received from the command line, e.g. using the sendmail binary or mail() in PHP
# is signed as well.
non_smtpd_milters = inet:localhost:8891

Restart Postfix:
[root@servah ~]# service postfix restart

Done with DKIM!
Now your mail server will verify incoming messages that have a DKIM header, and sign outgoing messages with your own!
OpenDMARC

Now it’s the final part of the puzzle.

OpenDMARC is not yet in EPEL, but again I did find an RPM spec waiting review, so I used it.

Again, I won't go into the process of how to build an RPM; let's assume you have already published it in your own internal repos and continue from installation:
[root@servah ~]# yum install opendmarc

First I edited /etc/opendmarc.conf:
15c15
< # AuthservID name

> AuthservID mx1.example.org
121c121
< # ForensicReports false

> ForensicReports true
144,145c144
< HistoryFile /var/run/opendmarc/opendmarc.dat/;
< s

> HistoryFile /var/run/opendmarc/opendmarc.dat
221c220
< # ReportCommand /usr/sbin/sendmail -t

> ReportCommand /usr/sbin/sendmail -t -F ‘Example.org DMARC Report” -f ‘sysops@example.org’
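Review bot: the quoting in the new ReportCommand line is mismatched: `-F ‘Example.org DMARC Report”` opens with a single quote and closes with a double quote, so the command line has an unbalanced quote and opendmarc-reports will not be able to run sendmail as intended, which silently stops report delivery. Use a matching pair, e.g. `ReportCommand /usr/sbin/sendmail -t -F 'Example.org DMARC Report' -f 'sysops@example.org'`.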
236c235
< # Socket inet:8893@localhost

> Socket inet:8893@localhost
246c245
< # SoftwareHeader false

> SoftwareHeader true
253c252
< # Syslog false

> Syslog true
261c260
< # SyslogFacility mail

> SyslogFacility mail
301c300
< # UserID opendmarc

> UserID opendmarc

Next, set OpenDMARC to start on boot and manually start it:
[root@servah ~]# chkconfig opendmarc on
[root@servah ~]# service opendmarc start

Now we tell postfix to pass messages through OpenDMARC. To do this, we edit /etc/postfix/main.cf once again:
# Pass SMTP messages through smf-spf first, then OpenDKIM, then OpenDMARC
smtpd_milters = inet:localhost:8890, inet:localhost:8891, inet:localhost:8893

Restart Postfix:
[root@servah ~]# service postfix restart

That’s it! Your mail server will now check the DMARC record of incoming mail, and check the SPF and DKIM results.

I confirmed that OpenDMARC is working by sending a message from Gmail to my own email, and checking the message headers, then also sending an email back and checking the headers on the Gmail side.

You should see that SPF, DKIM and DMARC are all being checked when receiving on either side.

Finally, we can also setup forensic reporting for the benefit of others who are using DMARC.
DMARC Forensic Reporting

I found OpenDMARC's documentation to be extremely limited and quite vague, so there was a lot of guess work involved.

As I didn’t want my mail servers to have access to my DB server, I decided to run the reporting scripts on a different box I use for running cron jobs.

First I created a MySQL database and user for opendmarc:
[root@mysqlserver ~]# mysql -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1474392
Server version: 5.5.34-MariaDB-log MariaDB Server

Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE opendmarc;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON opendmarc.* TO opendmarc@'script-server.example.org' IDENTIFIED BY 'supersecurepassword';

Next, we import the schema into the database:

[root@scripty ~]# mysql -h mysql.example.org -u opendmarc -p opendmarc < /usr/share/doc/opendmarc-1.1.3/schema.mysql

Now, to actually import the data from my mail servers into the DB, and send out the forensics reports, I have the following script running daily:

#!/bin/bash

set -e

cd /home/rmohan.com/dmarc/

HOSTS="mx1.example.org mx2.example.org mx3.example.org"
DBHOST='mysql.example.org'
DBUSER='opendmarc'
DBPASS='supersecurepassword'
DBNAME='opendmarc'

for HOST in $HOSTS; do
    # Pull the history from each host
    scp -i /home/rmohan.com/.ssh/dmarc root@${HOST}:/var/run/opendmarc/opendmarc.dat ${HOST}.dat
    # Purge history on each host.
    ssh -i /home/rmohan.com/.ssh/dmarc root@${HOST} "cat /dev/null > /var/run/opendmarc/opendmarc.dat"

    # Merge the history files. Not needed, but this way opendmarc-import only needs to run once.
    cat ${HOST}.dat >> merged.dat
done

/usr/sbin/opendmarc-import --dbhost=${DBHOST} --dbuser=${DBUSER} --dbpasswd=${DBPASS} --dbname=${DBNAME} --verbose < merged.dat
/usr/sbin/opendmarc-reports --dbhost=${DBHOST} --dbuser=${DBUSER} --dbpasswd=${DBPASS} --dbname=${DBNAME} --verbose --interval=86400 --report-email 'sysops@example.org' --report-org 'Example.org'
/usr/sbin/opendmarc-expire --dbhost=${DBHOST} --dbuser=${DBUSER} --dbpasswd=${DBPASS} --dbname=${DBNAME} --verbose

rm -rf *.dat

That's it! Run that daily, and you'll send forensic reports to those who want them.

You now have a nice mail server that checks SPF, DKIM, and DMARC for authentication, and sends out forensic reports!

With this setup, I haven't received any spam in the last two months! That's just as far as I can remember, but I'm sure it's been a lot longer than that!

Postfix Implement SPF Record Checking

So I've been dealing with quite a bit of spam recently, the usual "You're due a tax rebate, open XYZ.zip and fill out the form", etc. Following on from my last blog post, Postfix Force SMTP Authentication, I noticed I had never set up my mail server to check received mail against the sender's SPF records. I always take the time to set up SPF on my domains, so why had I not taken the time to make sure my own mail server was taking advantage of it?

In this guide I'll cover configuring Postfix to check SPF records under Debian 7 Wheezy.

What are SPF records?

A Sender Policy Framework (SPF) record is a DNS record you publish for your domain to let other mail servers know that emails originating from your mail server are legitimate and not spam.

As with real-world snail mail anyone can put a return address on an envelope, the same applies to email. SPF records provide a way of saying mail from example.com should only be accepted if they’re from this server, or this cluster of servers and if they originate from another source, don’t accept them.

Installing the daemon

First of all we need to install the daemon that will check SPF records for us. It is a Postfix policy server, which we then have to tell Postfix about.

sudo apt-get install postfix-policyd-spf-perl

Next we need to locate the executable. On Debian it is installed as /usr/sbin/postfix-policyd-spf-perl; other Linux flavours are likely to put it elsewhere.

To locate the executable we can use the following commands

updatedb
locate policyd-spf

Likely locations are /usr/bin/, /usr/sbin/, /usr/local/bin/ and so on (the usual places executables live). Take note of the path as we'll need it later.

Configuring postfix

Next up we need to configure Postfix to use the daemon we've installed. Open /etc/postfix/main.cf with your favourite editor:

vi /etc/postfix/main.cf

Add the following option at the bottom of the file

policy-spf_time_limit = 3600s

This raises the time limit for the policy service so Postfix won't kill it while a message is still being processed (the default, taken from command_time_limit, is 1000s).

After that we need to edit /etc/postfix/master.cf to add a new service for Postfix to spawn:

policy-spf unix - n n - - spawn user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Change the argv= option to the location of the executable you found earlier. The service runs as the unprivileged user nobody, which is all it needs: it only reads the request Postfix hands it and performs DNS lookups.

Finally we need to add the new policy service to the smtpd_recipient_restrictions option in /etc/postfix/main.cf:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy-spf

Note: put the policy service after reject_unauth_destination, so that a misbehaving policy service cannot produce unexpected responses that turn your system into an open relay. Also put it after permit_sasl_authenticated and permit_mynetworks, as we only want to check the SPF records of inbound mail from the internet, not outbound mail from you or your users.

The last thing to do is reload postfix

sudo /etc/init.d/postfix reload

Verifying it's working

The simplest way to verify that you've successfully installed and configured SPF checking is to watch your mail log while sending yourself an email from an external source such as Gmail:

tail -f /var/log/mail.log

Any problem with the policy service, or with its integration into Postfix, will be logged here, and so will the verdict on accepted mail that passes the SPF check. A successful check on a message from Gmail logs a line like this:

May 13 18:23:51 postfix/policy-spf[5509]: Policy action=PREPEND Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use '@gmail.com' in 'mfro
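To make the policy-server side of this concrete, here is an added example (not part of the original post and not the code of postfix-policyd-spf-perl): a small Python policy service that speaks the same check_policy_service protocol Postfix uses for the spawn service above, evaluates the sender domain's SPF record against client_address, and replies with the PREPEND or REJECT actions that show up in mail.log. The SPF records are a constructed in-memory table so it runs offline; the domains and addresses are assumptions for the demonstration, the a, mx, ptr and exists mechanisms are skipped because they need live DNS, and a real deployment would replace lookup_txt() with a DNS resolver.

```python
"""Offline Postfix policy service that evaluates SPF.

Added example, not code from the original post and not the source of
postfix-policyd-spf-perl. It speaks the check_policy_service protocol
(name=value lines, blank line, reply "action=...") and evaluates the
sender's SPF record against client_address. DNS is replaced by the
constructed SPF_RECORDS table (an assumption) so it runs offline; swap
lookup_txt() for a real TXT resolver before pointing master.cf at it.
"""
import ipaddress
import sys

# Constructed stand-ins for DNS TXT records (assumption, not real data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "relaxed.example": "v=spf1 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per check


def lookup_txt(domain):
    """Return the SPF TXT record for a domain, or None when there is none."""
    return SPF_RECORDS.get(domain.lower())


def parse_policy_request(text):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def check_spf(domain, client_ip, depth=0):
    """Evaluate ip4/ip6/include/all terms left to right; return the SPF result."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "temperror"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # A v4 address never matches a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                return "permerror"  # malformed network in the record
        elif mech == "include":
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
        # a, mx, ptr and exists need live DNS; this offline version skips them.
    return "neutral"  # record exhausted without a match


def policy_action(attrs):
    """Turn the SPF result into the reply line Postfix expects."""
    sender = attrs.get("sender", "")
    # A null sender (<>) is a bounce: RFC 7208 says check the HELO identity then.
    domain = sender.rpartition("@")[2] or attrs.get("helo_name", "")
    client = attrs.get("client_address", "")
    result = check_spf(domain, client)
    if result == "fail":
        return "action=REJECT SPF fail: %s is not authorized to send mail for %s" % (client, domain)
    return "action=PREPEND Received-SPF: %s (%s) client-ip=%s" % (result, domain, client)


def main():
    """Serve requests on stdin/stdout, as a 'spawn' service in master.cf does."""
    pending = []
    for line in sys.stdin:
        if line.strip():
            pending.append(line)
            continue
        sys.stdout.write(policy_action(parse_policy_request("".join(pending))) + "\n\n")
        sys.stdout.flush()
        pending = []


if __name__ == "__main__":
    main()
```

You can exercise it by hand with printf 'client_address=203.0.113.5\nsender=x@example.org\n\n' | python3 spf_policy.py, which takes the REJECT path because 203.0.113.5 matches neither the ip4 term nor the include and then hits -all. Note the asymmetry built into the include mechanism: an included record only counts when it returns pass, so the ~all softfail inside _spf.example.net never leaks out as the verdict for example.org.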

iSCSI Configuration on RHEL 7 / CentOS 7


Step 1: First create a partition on the disk that will back the LUN

[root@server1 ~]# fdisk -c /dev/sdb

Press 'p' to print the partition table
Press 'n' to create a new partition
Press 'p' to make it a primary partition
Partition number : 1
First sector     : press ENTER
Last sector      : +1G
Press 'p' to print the partition table again
Press 't' to change the partition type
Partition number : 1
Partition code   : 8e (Linux LVM)
Press 'p' to print the partition table again
Press 'w' to write the changes and exit

Step 2: If required, use partprobe to make the kernel re-read the partition table

[root@server1 ~]# partprobe /dev/sdb

Step 3: Now create a logical volume on the /dev/sdb1 partition

[root@server1 ~]# pvcreate /dev/sdb1

[root@server1 ~]# vgcreate iSCSI_vg /dev/sdb1

[root@server1 ~]# lvcreate -n iscsi_lv1 -l 100%FREE iSCSI_vg

Step 4: Install the "targetcli" package, the configuration shell for the kernel's LIO target

[root@server1 ~]# yum install targetcli -y

Step 5: Now run targetcli with no options to enter into interactive mode:

[root@server1 ~]# targetcli

/> ls

Now configure the existing /dev/iSCSI_vg/iscsi_lv1 logical volume as a block-type backing store with the name "server1.disk1":

/> cd backstores/

/backstores> ls

/backstores> cd block

/backstores/block> ls

/backstores/block> create server1.disk1 /dev/iSCSI_vg/iscsi_lv1

/backstores/block> ls

Now create a unique iSCSI Qualified Name (IQN) for the target:

/backstores/block> cd /iscsi

/iscsi> create iqn.2014-10.com.example.server1:iscsi-1

Now create an ACL for the client node (initiator). The initiator will connect using its initiator name, so the ACL must match the InitiatorName the client sets in /etc/iscsi/initiatorname.iscsi exactly:

/iscsi> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-1/tpg1/acls

/iscsi/iqn.20…i-1/tpg1/acls> create iqn.2014-10.com.example.server1:server2

Now set the CHAP username and password on that ACL; the initiator has to present them to access this LUN. "password" is only a placeholder here: use a long random secret, since CHAP is the only thing between the network and your block device.

/iscsi/iqn.20…i-1/tpg1/acls> cd iqn.2014-10.com.example.server1:server2

/iscsi/iqn.20…1:server2> set auth userid=user1

/iscsi/iqn.20…1:server2> set auth password=password

Now create a LUN under the target, backed by the block backstore "server1.disk1" defined earlier:

/iscsi/iqn.20…1:server2> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-1/tpg1/luns

/iscsi/iqn.20…i-1/tpg1/luns> create /backstores/block/server1.disk1

Now configure a portal so the target listens on 192.168.0.254 (port 3260 is the default):

/iscsi/iqn.20…i-1/tpg1/luns> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-1/tpg1/portals

/iscsi/iqn.20…/tpg1/portals> create 192.168.0.254

Newer targetcli releases add a 0.0.0.0:3260 portal automatically when the target is created. If the create above fails because that wildcard portal already holds the port, delete it first with "delete 0.0.0.0 3260"; leaving it in place would expose the target on every interface, not just the storage network.

Now view, verify and save the target server configuration

/iscsi/iqn.20…/tpg1/portals> cd /

/> ls

Now Save this configuration

/> saveconfig

/> exit

NOTE: the configuration is saved to /etc/target/saveconfig.json. It contains the CHAP secrets in clear text, so make sure it stays readable by root only.

Step 6: Now Enable and Start target service

[root@server1 ~]# systemctl enable target.service

[root@server1 ~]# systemctl restart target.service
[root@server1 ~]# systemctl status target.service

Step 7: Now configure the firewall to allow the target service (port 3260/tcp)
[root@server1 ~]# firewall-cmd --permanent --add-port=3260/tcp
[root@server1 ~]# firewall-cmd --reload

Accessing iSCSI Storage with CHAP Authentication 

Step 1: First you need to install iSCSI initiator package

[root@server2 ~]# yum install iscsi-initiator-utils -y

Step 2: Now set a unique iSCSI IQN for the client initiator. It must match the ACL created on the target exactly, otherwise the login will be refused.

[root@server2 ~]# vim /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2014-10.com.example.server1:server2
:wq (save and exit)

Step 3: Now edit /etc/iscsi/iscsid.conf to provide the username and password for CHAP authentication. The file then holds the secret in clear text, so keep it readable by root only.

[root@server2 ~]# vim /etc/iscsi/iscsid.conf

# line 54: uncomment

node.session.auth.authmethod = CHAP

# line 58,59: uncomment and specify the username and password you set on the iSCSI target server

node.session.auth.username = user1

node.session.auth.password = password
:wq (save and exit)

Step 4: Now Enable and start iscsi client service
[root@server2 ~]# systemctl restart iscsid.service

[root@server2 ~]# systemctl enable iscsid.service

Step 5: Now discover target using the following command:

[root@server2 ~]# iscsiadm -m discovery -t st -p 192.168.0.254

Step 6: Confirm status after discovery

[root@server2 ~]# iscsiadm -m node -o show

Step 7: Now log in to the discovered target (the -T value is the target IQN created on server1, not the ACL name)

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-1 -p 192.168.0.254 -l

Step 8: Confirm the established session

[root@server2 ~]# iscsiadm -m session -o show

Step 9: Confirm the partitions

[root@server2 ~]# cat /proc/partitions

Step 10: Create a label, create a new primary partition, format it with XFS and mount it on /mnt. Check with cat /proc/partitions or lsblk that /dev/sdb really is the newly attached iSCSI disk before you write a label to it.

[root@server2 ~]# parted --script /dev/sdb "mklabel msdos"

[root@server2 ~]# parted --script /dev/sdb "mkpart primary 0% 100%"

[root@server2 ~]# mkfs.xfs -i size=1024 -s size=4096 /dev/sdb1

[root@server2 ~]# mount /dev/sdb1 /mnt

[root@server2 ~]# df -hT
Step 11: Now make the mount persistent across boots
[root@server2 ~]# blkid

Copy the UUID of /dev/sdb1 into /etc/fstab as follows (no quotes around the UUID; the _netdev option makes the system wait for the network and the iscsi service before trying to mount it):

[root@server2 ~]# vim /etc/fstab

UUID=be41aa12-1e30-4678-8c19-da3506df1d84 /mnt                xfs     _netdev     0 0
:wq (save and exit)

[root@server2 ~]# umount /mnt/

[root@server2 ~]# mount -a

[root@server2 ~]# df -h

Step 12: Now unmount the iSCSI storage

[root@server2 ~]# cd

[root@server2 ~]# umount /mnt/

[root@server2 ~]# vim /etc/fstab

Remove the following entry from this file

UUID=be41aa12-1e30-4678-8c19-da3506df1d84 /mnt                xfs     _netdev         0 0
:wq (save and exit)

To Disconnect iSCSI storage

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-1 -p 192.168.0.254 -u

To delete cache as well

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-1 -p 192.168.0.254 -o delete

Now if you want to connect it again, you need to discover it again.

Configuring iSCSI Targets without CHAP Authentication

Step 1: First create a partition on the disk that will back the LUN

[root@server1 ~]# fdisk -c /dev/sdc

Press 'p' to print the partition table
Press 'n' to create a new partition
Press 'p' to make it a primary partition
Partition number : 1
First sector     : press ENTER
Last sector      : +1G
Press 'p' to print the partition table again
Press 't' to change the partition type
Partition number : 1
Partition code   : 8e (Linux LVM)
Press 'p' to print the partition table again
Press 'w' to write the changes and exit

Step 2: If required, use partprobe to make the kernel re-read the partition table

[root@server1 ~]# partprobe /dev/sdc

Step 3: Now create a logical volume on the /dev/sdc1 partition
[root@server1 ~]# pvcreate /dev/sdc1

[root@server1 ~]# vgcreate iSCSI_vg2 /dev/sdc1

[root@server1 ~]# lvcreate -n iscsi_lv2 -l 100%FREE iSCSI_vg2

Step 4: Install the "targetcli" package if it is not installed already

[root@server1 ~]# yum install targetcli -y

Step 5: Now run targetcli with no options to enter into interactive mode:

[root@server1 ~]# targetcli

/> ls

Now configure the existing /dev/iSCSI_vg2/iscsi_lv2 logical volume as a block-type backing store with the name "server1.disk2":

/> cd backstores/

/backstores> ls

/backstores> cd block

/backstores/block> ls

/backstores/block> create server1.disk2 /dev/iSCSI_vg2/iscsi_lv2

/backstores/block> ls

Now create a unique iSCSI Qualified Name (IQN) for the target:

/backstores/block> cd /iscsi

/iscsi> create iqn.2014-10.com.example.server1:iscsi-2

Now create an ACL for the client node (initiator). The initiator will connect using its initiator name, so the ACL must match the InitiatorName set on the client exactly:

/iscsi> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-2/tpg1/acls

/iscsi/iqn.20…i-2/tpg1/acls> create iqn.2014-10.com.example.server1:tgt1

By default authentication is enabled. To disable it:

/iscsi/iqn.20…i-2/tpg1/acls> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-2/tpg1/

/iscsi/iqn.20…i-2/tpg1> set attribute authentication=0

/iscsi/iqn.20…i-2/tpg1> set attribute generate_node_acls=1

Understand what these two settings do before using them outside a lab. authentication=0 removes the CHAP requirement, and generate_node_acls=1 ("demo mode") makes the target accept any initiator name instead of only the ACLs you created, so anyone who can reach 192.168.0.254:3260 can log in to this target. Initiators that match no explicit ACL get the LUNs read-only unless you also set demo_mode_write_protect=0, but the explicit ACL created above still gets read-write access. Only do this on an isolated storage network.

Now create a LUN under the target, backed by the block backstore "server1.disk2" defined earlier:

/iscsi/iqn.20…i-2/tpg1> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-2/tpg1/luns

/iscsi/iqn.20…i-2/tpg1/luns> create /backstores/block/server1.disk2

Now configure a portal so the target listens on 192.168.0.254 (if a default 0.0.0.0:3260 portal already exists, delete it first with "delete 0.0.0.0 3260"):

/iscsi/iqn.20…i-2/tpg1/luns> cd /iscsi/iqn.2014-10.com.example.server1:iscsi-2/tpg1/portals

/iscsi/iqn.20…/tpg1/portals> create 192.168.0.254

Now view, verify and save the target server configuration

/iscsi/iqn.20…/tpg1/portals> cd /

/> ls

Now Save this configuration

/> saveconfig

/> exit

NOTE: the configuration is saved to /etc/target/saveconfig.json, alongside the CHAP target configured earlier and its secrets; keep the file readable by root only.

Step 6: Now Enable and Start target service

[root@server1 ~]# systemctl enable target.service

[root@server1 ~]# systemctl restart target.service
[root@server1 ~]# systemctl status target.service

Step 7: Now configure the firewall to allow the target service (port 3260/tcp)

[root@server1 ~]# firewall-cmd --permanent --add-port=3260/tcp
[root@server1 ~]# firewall-cmd --reload
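Since saveconfig writes everything configured above, including the CHAP secrets and the authentication and generate_node_acls attributes, to /etc/target/saveconfig.json, that file is the natural place to audit what a target server actually exposes. The following is an added example, not part of the original article and not a targetcli or rtslib tool: a Python script that reads that JSON and flags TPGs with CHAP turned off or demo mode on (the no-CHAP target just configured produces two high findings), ACLs with no or a trivial CHAP password (the "password" placeholder used for the CHAP target above is one), and portals bound to every interface. The key names follow the layout rtslib writes, which is an assumption about your version; the embedded sample configuration and the weak-secret list are constructed for the demonstration.

```python
"""Audit a targetcli saveconfig.json for weak iSCSI exposure.

Added example: not part of the original article and not a targetcli or
rtslib tool. It reads the JSON that 'saveconfig' writes to
/etc/target/saveconfig.json and flags the settings the article toggles:
TPGs with authentication=0 or generate_node_acls=1, ACLs with no or a
trivial CHAP secret, and portals bound to every interface. Key names
follow the layout rtslib writes (assumed to match your version);
SAMPLE_CONFIG and WEAK_SECRETS are constructed for the demonstration.
"""
import json
import sys

WEAK_SECRETS = {"", "password", "secret", "chap", "123456", "redhat"}  # assumption

# Constructed sample in the saveconfig.json layout: the article's CHAP target
# with its placeholder secret, and a second target opened up as in the
# no-CHAP section, here also bound to 0.0.0.0.
SAMPLE_CONFIG = """{
  "storage_objects": [
    {"name": "server1.disk1", "plugin": "block", "dev": "/dev/iSCSI_vg/iscsi_lv1"},
    {"name": "server1.disk2", "plugin": "block", "dev": "/dev/iSCSI_vg2/iscsi_lv2"}
  ],
  "targets": [
    {"fabric": "iscsi", "wwn": "iqn.2014-10.com.example.server1:iscsi-1",
     "tpgs": [{"tag": 1, "enable": true,
               "attributes": {"authentication": 1, "generate_node_acls": 0},
               "luns": [{"index": 0, "storage_object": "/backstores/block/server1.disk1"}],
               "node_acls": [{"node_wwn": "iqn.2014-10.com.example.server1:server2",
                              "chap_userid": "user1", "chap_password": "password"}],
               "portals": [{"ip_address": "192.168.0.254", "port": 3260}]}]},
    {"fabric": "iscsi", "wwn": "iqn.2014-10.com.example.server1:iscsi-2",
     "tpgs": [{"tag": 1, "enable": true,
               "attributes": {"authentication": 0, "generate_node_acls": 1},
               "luns": [{"index": 0, "storage_object": "/backstores/block/server1.disk2"}],
               "node_acls": [{"node_wwn": "iqn.2014-10.com.example.server1:tgt1"}],
               "portals": [{"ip_address": "0.0.0.0", "port": 3260}]}]}
  ]
}"""


def audit_config(cfg):
    """Return (severity, location, message) findings for a parsed saveconfig dict."""
    findings = []
    for target in cfg.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        for tpg in target.get("tpgs", []):
            if not tpg.get("enable", True):
                continue  # a disabled TPG is not reachable
            where = "%s/tpg%s" % (target.get("wwn", "?"), tpg.get("tag", "?"))
            attrs = tpg.get("attributes", {})
            if int(attrs.get("authentication", 1)) == 0:
                findings.append(("high", where, "authentication=0: CHAP is not required"))
            if int(attrs.get("generate_node_acls", 0)) == 1:
                findings.append(("high", where, "generate_node_acls=1: any initiator name is accepted"))
            for acl in tpg.get("node_acls", []):
                acl_where = "%s/acls/%s" % (where, acl.get("node_wwn", "?"))
                if acl.get("chap_password", "").lower() in WEAK_SECRETS:
                    findings.append(("medium", acl_where, "missing or trivial CHAP password"))
            for portal in tpg.get("portals", []):
                if portal.get("ip_address") in ("0.0.0.0", "::"):
                    findings.append(("medium", where, "portal bound to every interface"))
    return findings


def audit_file(path):
    """Audit a saveconfig.json on disk (run as root: the file holds CHAP secrets)."""
    with open(path) as fh:
        return audit_config(json.load(fh))


def audit_sample():
    """Audit the constructed sample; handy for a dry run without a real target."""
    return audit_config(json.loads(SAMPLE_CONFIG))


def main(argv):
    findings = audit_file(argv[1]) if len(argv) > 1 else audit_sample()
    for severity, where, msg in findings:
        print("%-6s %s: %s" % (severity.upper(), where, msg))
    return 1 if any(sev == "high" for sev, _, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 audit_target.py /etc/target/saveconfig.json on the target server; with no argument it audits the built-in sample and exits non-zero because of the two high findings, which makes it usable as a check in a deployment pipeline.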

Accessing iSCSI Storage without CHAP Authentication 

Step 1: First you need to install iSCSI initiator package
[root@server2 ~]# yum install iscsi-initiator-utils -y

Step 2: Now set a unique iSCSI IQN for the client initiator. It must match the ACL created on the target, otherwise the login will be refused.

[root@server2 ~]# vim /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2014-10.com.example.server1:tgt1

:wq (save and exit)

Step 3: Now Enable and start iscsi client service

[root@server2 ~]# systemctl restart iscsid.service

[root@server2 ~]# systemctl enable iscsid.service

Step 4: Now discover target using the following command:
[root@server2 ~]# iscsiadm -m discovery -t st -p 192.168.0.254

Step 5: Now you need to connect iscsi storage into system

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-2 -p 192.168.0.254 -l

[root@server2 ~]# fdisk -l

Step 6: Create a label, create a new primary partition, format it with XFS and mount it on /iscsi2 (create that directory first if it does not exist). Check with cat /proc/partitions or lsblk that /dev/sdb really is the newly attached iSCSI disk before you write a label to it.

[root@server2 ~]# parted --script /dev/sdb "mklabel msdos"

[root@server2 ~]# parted --script /dev/sdb "mkpart primary 0% 100%"

[root@server2 ~]# mkfs.xfs -i size=1024 -s size=4096 /dev/sdb1

[root@server2 ~]# mount /dev/sdb1 /iscsi2

[root@server2 ~]# df -hT

Step 7: Now make the mount persistent across boots

[root@server2 ~]# blkid

Copy the UUID of /dev/sdb1 into /etc/fstab as follows (no quotes around the UUID; _netdev delays the mount until the network and the iscsi service are up):

[root@server2 ~]# vim /etc/fstab

UUID=be41aa12-1e30-4678-8c19-da3506df1d84 /iscsi2                xfs     _netdev     0 0

:wq (save and exit)

[root@server2 ~]# umount /iscsi2

[root@server2 ~]# mount -a

[root@server2 ~]# df -h

Step 8: Now unmount the iSCSI Storage

[root@server2 ~]# cd

[root@server2 ~]# umount /iscsi2

[root@server2 ~]# vim /etc/fstab

Remove the following entry from this file

UUID=be41aa12-1e30-4678-8c19-da3506df1d84 /iscsi2                xfs     _netdev         0 0

:wq (save and exit)

To Disconnect iSCSI storage

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-2 -p 192.168.0.254 -u

To delete cache as well

[root@server2 ~]# iscsiadm -m node -T iqn.2014-10.com.example.server1:iscsi-2 -p 192.168.0.254 -o delete

Now if you want to connect it again, you need to discover it again.
NOTE: open-iscsi caches discovered targets under /var/lib/iscsi/. When you add another target, iscsiadm sometimes picks up stale information from that cache. You have two options to deal with it:

1. reboot the system

2. remove the iSCSI cache (this also forgets every other target recorded there, so rediscover the ones you still use afterwards)

To remove the node cache
[root@server2 ~]# rm -rf /var/lib/iscsi/nodes/*

To remove the send_targets cache

[root@server2 ~]# rm -rf /var/lib/iscsi/send_targets/*

Reset rhel7 root password


In the RHCSA exam you are asked to reset the root password. In this article we are going to learn how to reset the root password on RHEL 7.

Whenever you type a user's password incorrectly, the login screen shows an error. From the graphical login screen, click the power button in the top right corner and choose Restart; the server will restart.

While the server is booting, press any key to stop the boot process at the GRUB menu. With the kernel entry selected, press 'e' to edit it.

After pressing 'e' the boot lines for that kernel are shown for editing. Find the line that starts with "linux16", press the END key to jump to the end of that line, and append "rd.break console=tty1" (without quotes). Then press CTRL+x to boot with those parameters.

rd.break stops the boot inside the initramfs, before control is handed over to the real root file system, and drops you into a root shell without asking for any password. That is exactly why anyone with console access can reset root's password: set a GRUB password and restrict physical and out-of-band console access on servers where this matters.

In this shell the real root file system is mounted read-only on /sysroot. We have to remount /sysroot read-write before we can change the password, because changing the password means writing the new password hash to /etc/shadow.

To remount /sysroot read-write run:
# mount -o remount,rw /sysroot

Now switch into the real root file system:
# chroot /sysroot

The prompt changes to a shell inside /sysroot. Set the new password:
# passwd
New password: redhat
Retype new password: redhat

Root's password is now 'redhat'. Do not reboot yet: SELinux is in enforcing mode by default on RHEL 7, and no SELinux policy was loaded in this initramfs shell, so the /etc/shadow we just rewrote carries the wrong security context and logins would fail. Telling SELinux to relabel the file system on the next boot fixes that.

To trigger the relabel run:
# touch /.autorelabel

Then type exit twice (once to leave the chroot, once to leave the rd.break shell). The system continues booting, relabels the file system, which takes a while, reboots, and you can log in as root with the new password.