Securing Apache – TRACE TRACK XSS


I always scan my servers every month with OpenVAS as one of my PCI-DSS tasks, and this week I am locking down my Apache servers.

Add this to your vhost file or to the welcome.conf file and rerun your scan.

TraceEnable off

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
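To confirm the fix without waiting for the next OpenVAS run, the check below sends a TRACE request carrying a harmless marker header and reports whether the server echoes it back (which is what the TRACE/TRACK finding is about). This is an added example, not part of the original post: it spins up two stand-in servers on localhost, one that reflects TRACE and one that does not, so it runs offline; point `trace_is_reflected` at a real host and port to test your own vhost.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left enabled: it echoes the
    request (request line plus all headers) back in the body."""

    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the example quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE disabled: there is no do_TRACE method,
    so BaseHTTPRequestHandler answers 501 Unsupported method."""

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def trace_is_reflected(host, port, marker="X-Trace-Probe"):
    """Return True if the server answers TRACE with 200 and our marker header
    shows up in the body. A 405/403/501, or a body without the marker, means
    TRACE is effectively disabled."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={marker: "check"})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and marker in body


def demo():
    """Run the check against both stand-in servers; returns {name: reflected}."""
    results = {}
    for name, handler in (("trace-on", TraceEchoHandler),
                          ("trace-off", TraceDisabledHandler)):
        srv = start_server(handler)
        try:
            results[name] = trace_is_reflected(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, reflected in demo().items():
        print(f"{name}: {'TRACE reflected, fix needed' if reflected else 'TRACE blocked'}")
```

With `TraceEnable off` Apache answers 405 Method Not Allowed and the rewrite rule above answers 403 for TRACK, so either way the function returns False.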

Apache performance config


On all my Apache servers I always load this Apache config. It enables some standard Apache performance settings as a good baseline:

KeepAlive, gzip for all transfers and a local disk cache.

My /etc/httpd/conf.d/01.conf:

NameVirtualHost *:80
NameVirtualHost *:443

# Speeding up web response: Apache config

# Only one Cache-Control policy should be active: with several
# "Header set Cache-Control" lines the last one wins. Pick the one you need.

# 2 HOURS
Header set Cache-Control "max-age=7200, public"

# 1 HOUR
Header set Cache-Control "max-age=3600, public, must-revalidate"

# 2 HOURS
Header set Cache-Control "max-age=7200, must-revalidate"

#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection. 100 s is far above Apache's default of
# 5 s and keeps idle connections occupying worker slots; tune it to your traffic.
#
KeepAliveTimeout 100

# The mod_gzip_* directives need the third-party mod_gzip module loaded;
# on Apache 2.x the bundled equivalent is mod_deflate.
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

# Disk cache: needs mod_cache plus mod_disk_cache (Apache 2.2; mod_cache_disk
# on 2.4). If you want mod_disk_cache instead of mod_mem_cache, uncomment the
# LoadModule line below and comment out the mod_mem_cache LoadModule line.
#LoadModule disk_cache_module modules/mod_disk_cache.so

# /tmp is shared and world-writable; a dedicated directory owned by the httpd
# user (e.g. /var/cache/httpd) is the usual choice for CacheRoot.
CacheRoot /tmp
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
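A small lint pass over a config like the one above catches the points that are easy to miss by eye: a missing `TraceEnable off`, several `Header set Cache-Control` lines (only the last takes effect), a long `KeepAliveTimeout`, and a `CacheRoot` under /tmp. This is an added example, not part of the original post; the sample config is a constructed excerpt of 01.conf, and the 15-second KeepAliveTimeout threshold is an assumption chosen for the example.

```python
import re

# Constructed excerpt of the 01.conf above, used as sample input.
SAMPLE_CONF = """\
TraceEnable off
# 2 HOURS
Header set Cache-Control "max-age=7200, public"
# 1 HOUR
Header set Cache-Control "max-age=3600, public, must-revalidate"
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 100
CacheRoot /tmp
CacheEnable disk /
"""

KEEPALIVE_TIMEOUT_LIMIT = 15  # assumed threshold for this example; Apache's default is 5 s


def parse_directives(text):
    """Yield (lineno, directive-in-lowercase, arguments) for each non-blank,
    non-comment line. <Section> containers are skipped for simplicity."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        yield lineno, name.lower(), args.strip()


def lint_config(text):
    """Return a list of (code, lineno, message) findings."""
    findings = []
    directives = list(parse_directives(text))

    trace = [(ln, args) for ln, name, args in directives if name == "traceenable"]
    if not trace or trace[-1][1].lower() != "off":
        findings.append(("trace-enabled", trace[-1][0] if trace else 0,
                         "TraceEnable off is missing, so the TRACE/TRACK finding will persist"))

    cache_control = [ln for ln, name, args in directives
                     if name == "header" and re.match(r"(?i)set\s+cache-control\b", args)]
    if len(cache_control) > 1:
        findings.append(("cache-control-overridden", cache_control[-1],
                         f"'Header set Cache-Control' appears {len(cache_control)} times; "
                         "only the last one takes effect"))

    for ln, name, args in directives:
        if name == "keepalivetimeout":
            value = args.split()[0] if args else ""
            if value.isdigit() and int(value) > KEEPALIVE_TIMEOUT_LIMIT:
                findings.append(("keepalive-timeout", ln,
                                 f"KeepAliveTimeout {value} keeps idle connections on worker slots"))
        if name == "cacheroot" and re.match(r"/tmp(/|$)", args):
            findings.append(("cacheroot-tmp", ln,
                             "CacheRoot under /tmp: use a dedicated directory owned by the httpd user"))
    return findings


def finding_codes(text):
    """Just the finding codes, in the order lint_config reports them."""
    return [code for code, _, _ in lint_config(text)]


if __name__ == "__main__":
    for code, lineno, message in lint_config(SAMPLE_CONF):
        print(f"line {lineno}: [{code}] {message}")
```

Run it over the real file with `lint_config(open("/etc/httpd/conf.d/01.conf").read())`; a clean config returns an empty list.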

Updating and downgrading glibc using YUM

1). Check the existing RPM versions and back them up
# rpm -qa | grep glibc
compat-glibc-headers-2.3.4-2.26
glibc-common-2.5-81
glibc-devel-2.5-81
compat-glibc-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-2.5-81
glibc-headers-2.5-81
glibc-devel-2.5-81
glibc-2.5-81

2). Create the repodata with createrepo in /usr/local/src/new_glibc

# pwd
/usr/local/src/new_glibc

# createrepo ./
12/12 - glibc-devel-2.5-123.el5_11.1.i386.rpm
Saving Primary metadata
Saving file lists metadata
Saving other metadata

3). new_glibc.repo (the repo id must match the "new-glibc" shown by yum below)
# vim /etc/yum.repos.d/new_glibc.repo
[new-glibc]
baseurl=file:///usr/local/src/new_glibc/
enabled=1
gpgcheck=0

# yum repolist
Loaded plugins: katello, product-id, security, subscription-manager
Updating certificate-based repositories.
Repository 'new-glibc' is missing name in configuration, using id
Unable to read consumer identity
new-glibc| 951 B 00:00
new-glibc/primary| 10 kB 00:00 new-glibc12/12
repo id repo name status
new-glibc new-glibc 12
rhel-DVD Red Hat Enterprise Linux 5Server - x86_64 - DVD 3,285
repolist: 3,297

# yum update glibc
Loaded plugins: katello, product-id, security, subscription-manager
Updating certificate-based repositories.
Repository 'new-glibc' is missing name in configuration, using id
Unable to read consumer identity
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
--> Processing Dependency: glibc = 2.5-81 for package: glibc-devel
--> Processing Dependency: glibc = 2.5-81 for package: glibc-headers
--> Processing Dependency: glibc = 2.5-81 for package: nscd
--> Processing Dependency: glibc = 2.5-81 for package: glibc-devel
---> Package glibc.i686 0:2.5-123.el5_11.1 set to be updated
--> Processing Dependency: glibc-common = 2.5-123.el5_11.1 for package: glibc
---> Package glibc.x86_64 0:2.5-123.el5_11.1 set to be updated
--> Running transaction check
---> Package glibc-common.x86_64 0:2.5-123.el5_11.1 set to be updated
---> Package glibc-devel.i386 0:2.5-123.el5_11.1 set to be updated
---> Package glibc-devel.x86_64 0:2.5-123.el5_11.1 set to be updated
---> Package glibc-headers.x86_64 0:2.5-123.el5_11.1 set to be updated
---> Package nscd.x86_64 0:2.5-123.el5_11.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================
Package Arch Version Repository Size
=====================================================================
Updating:
glibc i686 2.5-123.el5_11.1 new-glibc 5.4 M
glibc x86_64 2.5-123.el5_11.1 new-glibc 4.8 M
Updating for dependencies:
glibc-common x86_64 2.5-123.el5_11.1 new-glibc 16 M
glibc-devel i386 2.5-123.el5_11.1 new-glibc 2.1 M
glibc-devel x86_64 2.5-123.el5_11.1 new-glibc 2.4 M
glibc-headers x86_64 2.5-123.el5_11.1 new-glibc 602 k
nscd x86_64 2.5-123.el5_11.1 new-glibc 178 k

Transaction Summary
====================================================================
Install 0 Package(s)
Upgrade 7 Package(s)

Total download size: 32 M
Is this ok [y/N]: y
Downloading Packages:
-------------------------------------------------------------------
Total 14 GB/s | 32 MB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : glibc-common 1/14
Updating : glibc 2/14
Updating : nscd 3/14
Updating : glibc-headers 4/14
Updating : glibc-devel 5/14
Updating : glibc 6/14
Updating : glibc-devel 7/14
Cleanup : glibc-headers 8/14
Cleanup : glibc-common 9/14
Cleanup : glibc 10/14
Cleanup : glibc 11/14
Cleanup : nscd 12/14
Cleanup : glibc-devel 13/14
Cleanup : glibc-devel 14/14
Installed products updated.

Updated:
glibc.i686 0:2.5-123.el5_11.1
glibc.x86_64 0:2.5-123.el5_11.1

Dependency Updated:
glibc-common.x86_64 0:2.5-123.el5_11.1
glibc-devel.i386 0:2.5-123.el5_11.1
glibc-devel.x86_64 0:2.5-123.el5_11.1
glibc-headers.x86_64 0:2.5-123.el5_11.1
nscd.x86_64 0:2.5-123.el5_11.1

Complete!

#rpm -qa | grep glibc
glibc-devel-2.5-123.el5_11.1
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-2.5-123.el5_11.1
glibc-2.5-123.el5_11.1
glibc-devel-2.5-123.el5_11.1
glibc-headers-2.5-123.el5_11.1
glibc-common-2.5-123.el5_11.1

To roll back, the same steps are run in reverse.

1). Check the currently installed versions

# rpm -qa | grep glibc
glibc-devel-2.5-123.el5_11.1
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-2.5-123.el5_11.1
glibc-2.5-123.el5_11.1
glibc-devel-2.5-123.el5_11.1
glibc-headers-2.5-123.el5_11.1
glibc-common-2.5-123.el5_11.1

2). yum downgrade

# yum downgrade glibc glibc-devel glibc-headers glibc-common nscd
Loaded plugins: katello, product-id, security, subscription-manager
Updating certificate-based repositories.
Repository 'new-glibc' is missing name in configuration, using id
Unable to read consumer identity
Setting up Downgrade Process
No Match for available package: nscd-2.5-81.x86_64
Resolving Dependencies
--> Running transaction check
---> Package glibc.i686 0:2.5-81 set to be updated
---> Package glibc.x86_64 0:2.5-81 set to be updated
---> Package glibc.i686 0:2.5-123.el5_11.1 set to be erased
---> Package glibc.x86_64 0:2.5-123.el5_11.1 set to be erased
---> Package glibc-common.x86_64 0:2.5-81 set to be updated
---> Package glibc-common.x86_64 0:2.5-123.el5_11.1 set to be erased
---> Package glibc-devel.i386 0:2.5-81 set to be updated
---> Package glibc-devel.x86_64 0:2.5-81 set to be updated
---> Package glibc-devel.i386 0:2.5-123.el5_11.1 set to be erased
---> Package glibc-devel.x86_64 0:2.5-123.el5_11.1 set to be erased
---> Package glibc-headers.x86_64 0:2.5-81 set to be updated
---> Package glibc-headers.x86_64 0:2.5-123.el5_11.1 set to be erased
--> Finished Dependency Resolution

Dependencies Resolved

===========================================
Package Arch Version Repository Size
===========================================
Downgrading:
glibc i686 2.5-81 rhel-DVD 5.3 M
glibc x86_64 2.5-81 rhel-DVD 4.8 M
glibc-common x86_64 2.5-81 rhel-DVD 16 M
glibc-devel i386 2.5-81 rhel-DVD 2.0 M
glibc-devel x86_64 2.5-81 rhel-DVD 2.4 M
glibc-headers x86_64 2.5-81 rhel-DVD 596 k

Transaction Summary
===========================================
Remove 0 Package(s)
Reinstall 0 Package(s)
Downgrade 6 Package(s)

Total download size: 32 M
Is this ok [y/N]: y
Downloading Packages:
-------------------------------------------
Total 10 GB/s | 32 MB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : glibc-common 1/12
Installing : 2/12
Installing : glibc-headers 3/12
Installing : glibc-devel 4/12
Installing : glibc 5/12
Installing : glibc-devel 6/12
Cleanup : glibc-headers 7/12
Cleanup : glibc-common 8/12
Cleanup : glibc 9/12
Cleanup : glibc 10/12
Cleanup : glibc-devel 11/12
Cleanup : glibc-devel 12/12
Installed products updated.

Removed:
glibc.i686 0:2.5-123.el5_11.1
glibc.x86_64 0:2.5-123.el5_11.1
glibc-common.x86_64 0:2.5-123.el5_11.1
glibc-devel.i386 0:2.5-123.el5_11.1
glibc-devel.x86_64 0:2.5-123.el5_11.1
glibc-headers.x86_64 0:2.5-123.el5_11.1

Installed:
glibc.i686 0:2.5-81
glibc.x86_64 0:2.5-81
glibc-common.x86_64 0:2.5-81
glibc-devel.i386 0:2.5-81
glibc-devel.x86_64 0:2.5-81
glibc-headers.x86_64 0:2.5-81

Complete!

3). Verify the downgrade
# rpm -qa | grep glibc
glibc-2.5-81
glibc-2.5-81
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-headers-2.5-81
glibc-devel-2.5-81
glibc-common-2.5-81
glibc-devel-2.5-81
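The transcript above shows yum refusing to downgrade nscd ("No Match for available package: nscd-2.5-81.x86_64"), and the final `rpm -qa | grep glibc` cannot reveal that because the package name does not contain "glibc". The script below, an added example and not part of the original post, parses an rpm listing into name/version/release and reports every member of the glibc family whose build differs from glibc's own, so a partial rollback is caught. The sample listing is constructed from the page's final output plus the nscd line that the transcript implies.

```python
from collections import defaultdict

# Constructed sample: the page's "rpm -qa | grep glibc" output after the
# downgrade, plus the nscd line that "grep glibc" hides. Per the transcript,
# nscd stays at the newer build while glibc itself goes back to 2.5-81.
SAMPLE_AFTER_DOWNGRADE = """\
glibc-2.5-81
glibc-2.5-81
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-headers-2.5-81
glibc-devel-2.5-81
glibc-common-2.5-81
glibc-devel-2.5-81
nscd-2.5-123.el5_11.1
"""

# Packages that yum tied to "glibc = <version-release>" in the transcript.
GLIBC_FAMILY = ("glibc", "glibc-common", "glibc-devel", "glibc-headers", "nscd")


def parse_nvr(package):
    """Split a bare name-version-release string from the right, because the
    name itself may contain hyphens (compat-glibc-headers)."""
    name, version, release = package.rsplit("-", 2)
    return name, version, release


def builds_by_name(listing):
    """Map package name -> set of 'version-release' builds in the listing.
    glibc legitimately appears twice, once per architecture."""
    builds = defaultdict(set)
    for line in listing.splitlines():
        line = line.strip()
        if line:
            name, version, release = parse_nvr(line)
            builds[name].add(f"{version}-{release}")
    return builds


def find_mismatches(listing, family=GLIBC_FAMILY):
    """Return {name: [builds]} for family members whose build differs from the
    build of glibc itself. If glibc has zero or several builds, report that."""
    builds = builds_by_name(listing)
    glibc_builds = builds.get("glibc", set())
    if len(glibc_builds) != 1:
        return {"glibc": sorted(glibc_builds)}
    expected = next(iter(glibc_builds))
    return {name: sorted(builds[name]) for name in family
            if name in builds and builds[name] != {expected}}


if __name__ == "__main__":
    # For a live check: subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout
    print(find_mismatches(SAMPLE_AFTER_DOWNGRADE))
```

Feed it the full `rpm -qa` output rather than a grep-filtered one, since the whole point is to see the packages the grep would hide.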

Linux operation and maintenance of automated tools Cobbler

For automating operating system installation, RedHat's earlier tool was Kickstart for batch installs; in recent years RedHat has introduced Cobbler.

Cobbler is written in Python, compact and lightweight; it can complete a system installation and can even manage some services. (Cobbler is a tool worth learning.)

Cobbler supports management from the command line and from a web interface, and also provides an API for building your own tooling on top of it.

## Disable SELinux and iptables first!!!

1. Install the supporting environment

yum -y install epel-release

yum -y install cobbler httpd rsync tftp-server xinetd dhcp pykickstart fence-agents

vim /etc/xinetd.d/tftp

service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}

vim /etc/xinetd.d/rsync

service rsync
{
disable = no
flags = IPv6
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}

vim /etc/httpd/conf

ServerName 127.0.0.1:80

openssl passwd -1 -salt 'random-phrase-here' 'test123'
$1$random-p$mzxQ/Sx848sXgvfwJCoZM0

vim /etc/cobbler/settings

manage_dhcp: 1

manage_tftpd: 1

manage_rsync: 1

next_server: 192.168.1.10

server: 192.168.1.10

default_password_crypted: "$1$random-p$mzxQ/Sx848sXgvfwJCoZM0"

vim /etc/cobbler/dhcp.template

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.2;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.1.100 192.168.1.120;
default-lease-time 21600;
max-lease-time 43200;
next-server $next_server;
}

chkconfig --add httpd
chkconfig --add xinetd
chkconfig --add dhcpd
chkconfig --add cobblerd
service httpd start
service xinetd start
service dhcpd start
service cobblerd start

cobbler check

The following are potential configuration items that you may want to fix:

1 : service dhcpd is not running
2 : debmirror package is not installed, it will be required to manage debian deployments and repositories

Restart cobblerd and then run 'cobbler sync' to apply changes.

cobbler sync
task started: 2015-05-27_010456_sync
task started (id=Sync, time=Wed May 27 01:04:56 2015)
running pre-sync triggers
cleaning trees
mkdir: /var/lib/tftpboot/pxelinux.cfg
mkdir: /var/lib/tftpboot/grub
mkdir: /var/lib/tftpboot/s390x
mkdir: /var/lib/tftpboot/ppc
mkdir: /var/lib/tftpboot/etc
removing: /var/lib/tftpboot/grub/images
copying bootloaders
trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /var/lib/cobbler/loaders/yaboot -> /var/lib/tftpboot/yaboot
trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi
trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
rendering Rsync files
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout: dhcpd?

received on stderr:
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

service xinetd restart
service cobblerd restart

mount /dev/cdrom /mnt/
cobbler import --path=/mnt/ --arch=x86_64 --name=CentOS-6.6-minimal

cobbler list
distros:
Centos-6.6-minimal-x86_64

profiles:
Centos-6.6-minimal-x86_64

systems:

repos:

images:

mgmtclasses:

packages:

files:

Kickstart file

shell > vim /var/lib/cobbler/kickstarts/Centos-6.6_minimal-x86_64.ks

# platform=x86, AMD64, Intel EM64T
# version=DEVEL
# Firewall configuration
firewall --disabled
# Install OS instead of upgrade
install
# Use network installation (the host must be the "server:" address from /etc/cobbler/settings)
url --url="http://192.168.1.10/cobbler/ks_mirror/Centos-6.6-minimal-x86_64/"
# Root password
rootpw --iscrypted $1$hk0MvN4A$Dz.sYvyDjac1.cMVTk9270
# System authorization information
auth --useshadow --passalgo=sha512
# Use text mode install
text
# System keyboard
keyboard us
# System language
lang en_US
# SELinux configuration
selinux --disabled
# Do not configure the X Window System
skipx
# Installation logging level
logging --level=info
# Reboot after installation
reboot
# System timezone
timezone --isUtc Asia/Singapore
# Network information
network --bootproto=dhcp --device=eth0 --onboot=on
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot --fstype="ext4" --size=200
part swap --fstype="swap" --size=1024
part / --fstype="ext4" --grow --size=1

The ks file can also be generated with the system-config-kickstart tool.

shell > cobbler distro list
Centos-6.6-minimal-x86_64

shell > cobbler profile report --name Centos-6.6-minimal-x86_64
Name : Centos-6.6-minimal-x86_64
TFTP Boot Files : {}
Comment :
DHCP Tag : default
Distribution : Centos-6.6-minimal-x86_64
Enable gPXE? : 0
Enable PXE Menu? : 1
Fetchable Files : {}
Kernel Options : {}
Kernel Options (Post Install) : {}
Kickstart : /var/lib/cobbler/kickstarts/sample_end.ks
Kickstart Metadata : {}
Management Classes : []
Management Parameters : <>
Name Servers : []
Name Servers Search Path : []
Owners : ['admin']
Parent Profile :
Proxy :
Red Hat Management Key : <>
Red Hat Management Server : <>
Repos : []
Server Override : <>
Template Files : {}
Virt Auto Boot : 1
Virt Bridge : xenbr0
Virt CPUs : 1
Virt Disk Driver Type : raw
Virt File Size(GB) : 5
Virt Path :
Virt RAM (MB) : 512
Virt Type : kvm

The profile created by the import uses the default kickstart /var/lib/cobbler/kickstarts/sample_end.ks, so add a profile that uses our own ks file:

shell > cobbler profile add --name=Centos-6.6-minimal --distro=Centos-6.6-minimal-x86_64 --kickstart=/var/lib/cobbler/kickstarts/Centos-6.6_minimal-x86_64.ks

shell > cobbler profile report –name Centos-6.6-minimal
Name : Centos-6.6-minimal
TFTP Boot Files : {}
Comment :
DHCP Tag : default
Distribution : Centos-6.6-minimal-x86_64
Enable gPXE? : 0
Enable PXE Menu? : 1
Fetchable Files : {}
Kernel Options : {}
Kernel Options (Post Install) : {}
Kickstart : /var/lib/cobbler/kickstarts/Centos-6.6_minimal-x86_64.ks
Kickstart Metadata : {}
Management Classes : []
Management Parameters : <>
Name Servers : []
Name Servers Search Path : []
Owners : ['admin']
Parent Profile :
Proxy :
Red Hat Management Key : <>
Red Hat Management Server : <>
Repos : []
Server Override : <>
Template Files : {}
Virt Auto Boot : 1
Virt Bridge : xenbr0
Virt CPUs : 1
Virt Disk Driver Type : raw
Virt File Size(GB) : 5
Virt Path :
Virt RAM (MB) : 512
Virt Type : xenpv

shell > cobbler –help
usage
=====
cobbler
[add|edit|copy|getks*|list|remove|rename|report] [options|--help]
cobbler [options|--help]

shell > cobbler profile –help
usage
=====
cobbler profile add
cobbler profile copy
cobbler profile dumpvars
cobbler profile edit
cobbler profile find
cobbler profile getks
cobbler profile list
cobbler profile remove
cobbler profile rename
cobbler profile report

shell > cobbler sync

Linux operation and maintenance of automated tools Kickstart

Kickstart is RedHat's earlier tool for bulk operating system installation (not much more to say about it; these days people are using Cobbler).

Test environment: CentOS 6.6 x86_64 minimal

First, install the packages

yum -y install dhcp tftp-server syslinux nfs-utils kickstart

cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf

vim /etc/dhcp/dhcpd.conf

# dhcpd.conf
# option definitions common to all supported networks…
option domain-name-servers 192.168.1.2, 192.168.1.3;
# A slightly different configuration for an internal subnet.
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.120;
option routers 192.168.1.2;
option subnet-mask 255.255.255.0;
filename "/pxelinux.0";
default-lease-time 600;
max-lease-time 7200;
}

vim /etc/xinetd.d/tftp

service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}

Set up pxelinux.0 and the boot files

cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/
mount /dev/cdrom /mnt/
cp /mnt/isolinux/* /var/lib/tftpboot/
cd /var/lib/tftpboot/
mkdir pxelinux.cfg
mv isolinux.cfg pxelinux.cfg/default

Export the mounted ISO over NFS

shell > vim /etc/exports

/mnt 192.168.1.0/24(ro,sync)

chkconfig --add nfs
chkconfig --add dhcpd
chkconfig --add xinetd
chkconfig --add rpcbind
chkconfig --level 35 nfs on
chkconfig --level 35 dhcpd on
chkconfig --level 35 xinetd on
chkconfig --level 35 rpcbind on

exportfs -ar
service dhcpd restart
service xinetd restart
service rpcbind restart
service nfs restart
setenforce 0
service iptables stop

Step 7: Test the PXE boot installation

1. Set the client to boot from the network (in practice, if it finds nothing to boot locally it will naturally go looking on the network); you should see the installation menu.

2. Select the language.

3. OK.

4. Select the keyboard (us). OK.

5. Select the installation media (NFS directory). OK.

6. Configure the network (the default is fine). OK.

7. NFS Setup: NFS server name: 192.168.1.10 (the NFS server address); CentOS directory: /mnt (where the ISO is mounted). OK.

8. If the normal installation screen appears, it works (the same as installing from CD-ROM).

## This is just PXE boot installation; for unattended installs you have to configure Kickstart!

Step 8: Install the desktop environment

## The following is done directly in the virtual machine console, not over a terminal connection! (Optional)

yum grouplist | grep -iP "(x window system|desktop)"

Desktop
X Window System

yum update

yum -y groupinstall “X Window System”
yum -y groupinstall “Desktop”
init 5

yum -y install system-config-kickstart

system-config-kickstart
From here on it is mostly mouse clicks!

· Basic configuration
Default language: change from the default (Simplified Chinese) to English
Keyboard: leave the default
Time zone: Asia/Singapore, or whatever matches your situation
UTC clock: checked
Root password: test123
Confirm root password: test123
Encrypt root password: checked by default, leave it

Advanced configuration
Reboot system after installation: checked
· Installation method
Perform new installation: checked
Select NFS:
NFS server: 192.168.1.10
NFS directory: /mnt ## the NFS-shared directory holding the ISO
· Boot loader options

Installation type
Install new boot loader: checked
Install options
Install boot loader on the Master Boot Record (MBR)
· Partition information
Master boot record
Clear Master Boot Record: checked
Partitions
Remove all existing partitions: checked
Disk label
Initialize the disk label: checked
Layout
Add partitions (the same as for a physical machine install)
· Network configuration
Add network device: network device (eth0), network type (DHCP), confirm
· Authentication
Default
· Firewall configuration
Disabled
· Display configuration
Install a graphical environment: unchecked (if you do not want it)
Disabled
· Package selection
Default
· Pre-installation script
Default
· Post-installation script
Default

Select File - Save (save the file in the /root directory as ks.cfg)

mkdir /nfsdir

cp ks.cfg /nfsdir

Make the file readable (the export is read-only, so no write permission is needed):

chmod 644 /nfsdir/ks.cfg

vim /etc/exports

/mnt 192.168.1.0/24(ro,sync)
/nfsdir 192.168.1.0/24(ro,sync)
exportfs -ar

vim /var/lib/tftpboot/pxelinux.cfg/default

default vesamenu.c32
#prompt 1
timeout 50

display boot.msg

menu background splash.jpg
menu title Welcome to CentOS 6.6!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color scrollbar 0 #ffffffff #00000000

label linux
menu label ^Install or upgrade an existing system
menu default
kernel vmlinuz
append ks=nfs:192.168.1.10:/nfsdir/ks.cfg initrd=initrd.img
label vesa
menu label Install system with ^basic video driver
kernel vmlinuz
append initrd=initrd.img xdriver=vesa nomodeset
label rescue
menu label ^Rescue installed system
kernel vmlinuz
append initrd=initrd.img rescue
label local
menu label Boot from ^local drive
localboot 0xffff
label memtest86
menu label ^Memory test
kernel memtest
append -

## Here timeout 50 (formerly 600) is the time before the default entry boots; we do not want to wait too long, so it is set to five seconds.
## In the first label add ks=nfs:192.168.1.10:/nfsdir/ks.cfg (the path to ks.cfg):

label linux
menu label ^Install or upgrade an existing system
menu default
kernel vmlinuz
append ks=nfs:192.168.1.10:/nfsdir/ks.cfg initrd=initrd.img

vim /nfsdir/ks.cfg

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --disabled
# Install OS instead of upgrade
install
# Use NFS installation media (the NFS server address from above)
nfs --server=192.168.1.10 --dir=/mnt
# Root password
rootpw --iscrypted $1$56NxQt/e$3fz.wnuWl7Ak7q9TIpwl0.
# System authorization information
auth --useshadow --passalgo=sha512
# Use graphical install
graphical
# System keyboard
keyboard us
# System language
lang en_US
# SELinux configuration
selinux --disabled
# Do not configure the X Window System
skipx
# Installation logging level
logging --level=info
# Reboot after installation
reboot
# System timezone
timezone --isUtc Asia/Singapore
# Network information
network --bootproto=dhcp --device=eth0 --onboot=on
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot --fstype="ext4" --size=200
part swap --fstype="swap" --size=1024
part / --fstype="ext4" --grow --size=1
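Both kickstart files on this page (the Cobbler one above and this ks.cfg) and the `default_password_crypted` value in /etc/cobbler/settings carry settings that are worth auditing before they are rolled out to every machine on the network: the root hash is an MD5-crypt (`$1$`) value even though `auth --passalgo=sha512` is requested, and SELinux and the firewall are switched off for the installed system. The script below is an added example, not part of the original posts: it identifies the crypt(3) hash algorithm by its `$id$` prefix and reports those kickstart settings as findings. The sample kickstart is a constructed excerpt using the hash the page shows.

```python
import re

# Constructed excerpt of the kickstart files above (hash as shown on the page).
SAMPLE_KS = """\
# Firewall configuration
firewall --disabled
install
url --url="http://192.168.1.10/cobbler/ks_mirror/Centos-6.6-minimal-x86_64/"
rootpw --iscrypted $1$hk0MvN4A$Dz.sYvyDjac1.cMVTk9270
auth --useshadow --passalgo=sha512
selinux --disabled
network --bootproto=dhcp --device=eth0 --onboot=on
"""

# crypt(3) scheme identifiers: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def crypt_hash_algorithm(hash_string):
    """Identify a crypt(3)-style hash (rootpw or default_password_crypted)
    by its $id$ prefix."""
    m = re.match(r"\$(\d)\$", hash_string)
    if not m:
        return "plain-or-unknown"
    return CRYPT_IDS.get(m.group(1), "unknown")


def audit_kickstart(text):
    """Return [(lineno, code, message)] for the settings worth a second look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = line.split()
        if cmd == "rootpw":
            if "--iscrypted" not in args:
                findings.append((lineno, "rootpw-plaintext",
                                 "root password is stored in clear text in the kickstart"))
            else:
                algo = crypt_hash_algorithm(args[-1])
                if algo != "sha512crypt":
                    findings.append((lineno, "rootpw-weak-hash",
                                     f"rootpw hash uses {algo}; generate a $6$ (sha512crypt) hash instead"))
        elif cmd == "selinux" and "--disabled" in args:
            findings.append((lineno, "selinux-disabled",
                             "SELinux is disabled for the installed system"))
        elif cmd == "firewall" and "--disabled" in args:
            findings.append((lineno, "firewall-disabled",
                             "firewall is disabled for the installed system"))
        elif cmd == "auth" and "--passalgo=sha512" not in args:
            findings.append((lineno, "auth-passalgo",
                             "auth does not set --passalgo=sha512"))
    return findings


def finding_codes(text):
    """Just the finding codes, in file order."""
    return [code for _, code, _ in audit_kickstart(text)]


if __name__ == "__main__":
    for lineno, code, message in audit_kickstart(SAMPLE_KS):
        print(f"line {lineno}: [{code}] {message}")
```

`openssl passwd -6` (OpenSSL 1.1.1 and later) or `grub-crypt --sha-512` on CentOS 6 produce a `$6$` hash that passes the rootpw check; the same function applied to the `default_password_crypted` value above reports md5crypt.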


How to install Redis on a Centos 6.5 & Centos 7.0 Server

Redis is an open source, BSD licensed, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets.

How To Install Redis on Centos 7
# wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/e/
# rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-*.rpm

It creates two EPEL repo files inside /etc/yum.repos.d:
1. epel.repo
2. epel-testing.repo
Install Redis with Yum
# yum install redis php-pecl-redis

Enable the Redis service to start on boot (the EPEL package installs the unit as redis.service)
# systemctl enable redis.service

Disable the Redis service from starting on boot
# systemctl disable redis.service

Start/Stop/Restart Redis
# systemctl start redis.service
# systemctl stop redis.service
# systemctl restart redis.service

Check if Redis is running
# systemctl is-active redis.service

How To Install Redis on Centos 6.5
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
# yum install redis php-pecl-redis
# service redis start
# chkconfig redis on

Now verify its set to start at boot
# chkconfig –list redis
redis 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Install EPEL repo

First we install the EPEL repo (see our earlier post on EPEL for more detail).

Because our system is x86_64, we use only the epel repo package for x86_64. Pick the epel repo package that matches your operating system architecture (EPEL URL).

wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/e/

rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-*.rpm

It creates two EPEL repo files inside /etc/yum.repos.d:
1. epel.repo
2. epel-testing.repo

[root@localhost ~]# ls -l /etc/yum.repos.d/
total 28
-rw-r--r--. 1 root root 1612 Jul 4 07:00 CentOS-Base.repo
-rw-r--r--. 1 root root 640 Jul 4 07:00 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 1331 Jul 4 07:00 CentOS-Sources.repo
-rw-r--r--. 1 root root 156 Jul 4 07:00 CentOS-Vault.repo
-rw-r--r--. 1 root root 957 Sep 2 12:14 epel.repo
-rw-r--r--. 1 root root 1056 Sep 2 12:14 epel-testing.repo
[root@localhost ~]#
Install redis server

Now use yum command to install redis server

yum install redis
The two important Redis server configuration files are:
1. /etc/redis.conf
2. /etc/redis-sentinel.conf

Now start the redis server after this.

systemctl start redis.service
Check the running status of redis server

systemctl status redis.service
To test the installation of Redis, use below given command

redis-cli ping
If the response output is PONG, it means installation is completed successfully.

[root@localhost ~]# redis-cli ping
PONG
[root@localhost ~]#
Start/Stop/Restart/Status and Enable redis server

To start redis server

systemctl start redis.service
To stop redis server

systemctl stop redis.service
To restart redis server

systemctl restart redis.service
To get running status of redis server

systemctl status redis.service
To enable redis server at system’s booting time.

systemctl enable redis.service
To disable redis server at system’s booting time.

systemctl disable redis.service
Listening Port Of Redis Server

The Redis server listens by default on port 6379. Use the ss command given below to check; as the output shows, it is bound to 127.0.0.1 only, so it is not reachable from other hosts.

[root@localhost ~]# ss -nlp|grep redis
tcp LISTEN 0 128 127.0.0.1:6379 *:* users:(("redis-server",19706,4))
[root@localhost ~]#
Note: on a minimal CentOS 7 / RHEL 7 install you won't have the netstat command. Use the ss command instead, which is available by default.
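The one thing to verify in that `ss` line is the local address: `127.0.0.1:6379` is safe, while `*:6379` or `[::]:6379` means the instance accepts connections from the network. The script below, an added example and not part of the original post, parses `ss -nlp` output and lists every socket of a given process that is bound to something other than loopback. The sample output is constructed: the page's own line plus two made-up listeners.

```python
import re

# Constructed sample in the format of `ss -nlp`: the page's Redis line bound to
# loopback, plus two constructed listeners (all interfaces, IPv6 loopback).
SAMPLE_SS = """\
tcp LISTEN 0 128 127.0.0.1:6379 *:* users:(("redis-server",19706,4))
tcp LISTEN 0 128 *:6379 *:* users:(("redis-server",19800,4))
tcp LISTEN 0 128 [::1]:6379 [::]:* users:(("redis-server",19900,4))
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")

# proto  LISTEN  recv-q  send-q  local:port  peer  users:(("name",pid,fd))
SS_LINE = re.compile(
    r'^(\S+)\s+LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_ss_listeners(text):
    """Yield (process, local_address, port) for each LISTEN line that carries
    a users:(...) field (i.e. was run with -p as root)."""
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            _proto, local, port, proc = m.groups()
            yield proc, local, int(port)


def is_loopback(addr):
    """True for 127.x.x.x and [::1]; '*' and '[::]' are wildcards, not loopback."""
    return addr.startswith(LOOPBACK_PREFIXES)


def exposed_listeners(text, process="redis-server"):
    """Return [(local_address, port)] where the named process is reachable
    from other hosts."""
    return [(local, port) for proc, local, port in parse_ss_listeners(text)
            if proc == process and not is_loopback(local)]


if __name__ == "__main__":
    # Live use: subprocess.run(["ss", "-nlp"], capture_output=True, text=True).stdout
    for local, port in exposed_listeners(SAMPLE_SS):
        print(f"redis-server reachable from the network on {local}:{port}")
```

If the list is not empty, check the `bind` directive in /etc/redis.conf; the EPEL default binds to 127.0.0.1.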

[root@localhost ~]# redis-cli
127.0.0.1:6379>
127.0.0.1:6379>
127.0.0.1:6379> exit
[root@localhost ~]#
To check help of redis-cli command.

redis-cli --help

Install Apache 2.4 on CentOS 6

I'll get straight to the point: this is how to install Apache version 2.4.7.

yum -y install rpm-build

mkdir -p ~/rpmbuild/{SOURCES,SPECS,BUILD,RPMS,SRPMS}

cd ~/rpmbuild/SOURCES

wget http://ftp.cixug.es/apache//httpd/httpd-2.4.7.tar.bz2

In general, if we run the following it will fail (but if it works for you, perfect, you save yourself a lot of the following steps...)

rpmbuild -tb httpd-2.4.7.tar.bz2

To fix this you have to install quite a few things

cd ~/rpmbuild/SOURCES

wget http://ftp.cixug.es/apache//apr/apr-1.5.0.tar.bz2

wget http://ftp.cixug.es/apache//apr/apr-util-1.5.3.tar.bz2

cd ~/rpmbuild/SOURCES

Now there is an issue: some of this touches the kernel packages. As those are usually locked in yum.conf, we do the following

vi /etc/yum.conf

and in that file comment out or delete the kernel exclusion line, so that it reads

#exclude=kernel*

yum install kernel-headers

yum -y install autoconf libtool doxygen

rpmbuild -tb apr-1.5.0.tar.bz2

The latter is likely to fail. If this happens, check the previously installed rpms

rpm -qa | grep -i apr

If there are previous packages, do an "update" rather than an "install"

# UPDATE:
rpm -U ~/rpmbuild/RPMS/x86_64/apr-1.5.0-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-devel-1.5.0-1.x86_64.rpm

#INSTALL
rpm -ivh ~/rpmbuild/RPMS/x86_64/apr-1.5.0-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-devel-1.5.0-1.x86_64.rpm

And continuing:

yum -y install expat-devel libuuid-devel db4-devel postgresql-devel mysql-devel freetds-devel unixODBC-devel openldap-devel nss-devel

cd ~/rpmbuild/SOURCES

yum install sqlite-devel

rpm -ivh ftp://fr2.rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

cd /etc/yum.repos.d/

wget http://rpms.famillecollet.com/enterprise/remi.repo

yum install freetds freetds-devel

cd ~/rpmbuild/SOURCES

rpmbuild -tb apr-util-1.5.3.tar.bz2

cd ~/rpmbuild/SOURCES

rpm -qa | grep -i apr-util

#UPDATE
rpm -U ~/rpmbuild/RPMS/x86_64/apr-util-1.5.3-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-util-devel-1.5.3-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-util-ldap-1.5.3-1.x86_64.rpm

#INSTALL
rpm -ivh ~/rpmbuild/RPMS/x86_64/apr-util-1.5.3-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-util-devel-1.5.3-1.x86_64.rpm ~/rpmbuild/RPMS/x86_64/apr-util-ldap-1.5.3-1.x86_64.rpm


Here we have to check a few things. The first is whether Apache and PHP were already installed; in that case we should remove PHP (and reinstall it afterwards).

cd ~/rpmbuild/SRPMS

wget http://www.gtlib.gatech.edu/pub/fedora.redhat/linux/releases/18/Fedora/source/SRPMS/d/distcache-1.4.5-23.src.rpm

rpmbuild --rebuild distcache-1.4.5-23.src.rpm

rpm -ivh ~/rpmbuild/RPMS/x86_64/distcache-1.4.5-23.x86_64.rpm ~/rpmbuild/RPMS/x86_64/distcache-devel-1.4.5-23.x86_64.rpm

cd ~/rpmbuild/SOURCES/

yum -y install pcre-devel lua-devel libxml2-devel

rpmbuild -tb httpd-2.4.7.tar.bz2

yum -y install mailcap httpd-mmn

mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.old

mv /etc/httpd/conf/httpd.conf.rpmnew /etc/httpd/conf/httpd.conf

sysctl on CentOS 7

What is sysctl?

sysctl is an interface to view and dynamically change parameters in Linux and other *NIX operating systems. In Linux, most of the dynamic Kernel settings can be changed via sysctl. The parameters set by sysctl are also available under the virtual /proc filesystem.

How do I use sysctl?

To read values you have two options:

reading parameters

# Option 1: Using the sysctl command to read current parameters:
sysctl net.ipv4.ip_forward # display specific parameter
sysctl net.ipv4 # display all net.ipv4.* parameters
sysctl -a # display all parameters

# Option 2: Using the /proc filesystem:
cat /proc/sys/net/ipv4/ip_forward

To write values you can use both options again:

changing parameters

# Option 1: Using the sysctl command to change a parameter:
sysctl net.ipv4.ip_forward=1

# Option 2: Using the /proc filesystem to change a parameter:
echo 1 >/proc/sys/net/ipv4/ip_forward

However, these parameters are not persistent. You have to configure them in /etc/sysctl.conf or /etc/sysctl.d/* if you want them active after a reboot.

sysctl configuration files

/etc/sysctl.conf
/etc/sysctl.d/

Please note that configuration changes will not be detected automatically. You have to trigger the reload manually:

reload sysctl configuration file

sysctl -p [filename]

Tuning Linux with sysctl

Kernel

To automatically reboot a system after a kernel panic, set the following parameter to the number of seconds to wait before the reboot:

reboot system after kernel panic

kernel.panic = 60

Linux kernels provide a magic SysRq key, which allows the user to perform low-level commands regardless of the system's state. To enable this magic key you have to set:

enable magic SysRq key

kernel.sysrq = 1

To make sure core dumps will always be written, set the following parameter:

write core dumps

fs.suid_dumpable = 2

It can be useful to have the PID appended to the filename of core dumps. This is especially useful for debugging multi-threaded applications and it's easy to set up:

add PID to core dumps

kernel.core_uses_pid = 1

To increase the maximum number of used process IDs you can define the following parameter:

increase maximum PID

kernel.pid_max = 65536

Memory

To tune the memory (VM) behaviour in Linux, you can set some vm.* parameters.

For example to tell the Kernel how aggressively memory pages should be written to disk (aka swapping), you’ve to change the swappiness value. The higher the value, the more aggressive the swapping:

swappiness

vm.swappiness

When you look at filesystems, most of the time some kind of cache is involved. The amount of filesystem cache is defined as a percentage of total available memory. The maximum amount of dirty filesystem cache can be set with:

maximum filesystem cache

vm.dirty_ratio = 40

When the defined percentage of memory is reached, all I/O writes are blocked until enough dirty pages have been flushed to disk by pdflush. This is quite suboptimal, because on a healthy system you don't want blocked I/O writes at all. Therefore there's another parameter, which defines the minimal percentage of dirty memory before the background pdflush process starts to flush out dirty memory pages:

background filesystem cache flushes

vm.dirty_background_ratio = 10

As already described before, pdflush is in charge of flushing dirty pages to disk. So you can optionally change the flush interval by setting the following parameter (in hundredths of seconds, e.g. 500 = 5s):

pdflush interval

vm.dirty_writeback_centisecs = 500

Of course pdflush needs to know when data can be removed from the cache. Sometimes it makes sense to increase how long “untouched” data stays in the cache before it's marked as expired. Just overwrite the following parameter (again in hundredths of seconds):

cache expiry

vm.dirty_expire_centisecs = 3000

If you want more information about the memory on your system, just have a look at:

display memory information

cat /proc/meminfo

Filesystem

To increase the maximum number of file descriptors, set:

increase maximum file descriptors

fs.file-max = 65535

Exec Shield

Exec Shield is a protection against worms and other automated remote attacks on Linux systems. It was invented by Red Hat in 2002. To enable Exec Shield:

enable Exec Shield protection

kernel.exec-shield = 1
kernel.randomize_va_space = 1

Network Core

Some applications are configured for performance and sometimes an application can handle huge buffers. To increase the maximum buffer size for all sockets / connections (this will affect all buffers, e.g. net.ipv4.tcp_rmem) you can use:

increase max buffer size

net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

When a system is under heavy load and an interface receives a lot of packets, the kernel might not process them fast enough. You can increase the number of packets held in the queue (backlog) by changing:

increase maximum backlog size for net devices

net.core.netdev_max_backlog = 5000

IPv4

First of all we recommend you tune ICMP a bit. You can do that by ignoring ICMP broadcasts, which will protect you from ICMP floods. We also ignore bogus responses to broadcast frames (violation against RFC1122), so that our log isn’t full of Kernel warnings:

hardening ICMP

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

SYN floods are a type of DDoS and can harm your system. To protect from it you should enable SYN cookies, resize the SYN backlog (queue size) and reduce SYN/ACK retries:

enable SYN cookies

# Turn on SYN cookies to protect from SYN flood attacks.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

To log packets with impossible addresses simply enable:

log impossible IPv4 addresses

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

To disable IP source routing (SRR), so that nobody can tell us which path a packet should take:

deny packets with SRR option

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

By default, routers route everything, even packets which don't belong to their network(s). To avoid that we have to make sure strict reverse path filtering is enabled, as defined in RFC3704:

enable strict reverse path filtering

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Some applications support higher read and write buffers for sockets. The buffer size parameters are defined by 3 values (min, default, max). To increase the maximum buffer set:

increase max TCP buffer size

net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

To get better throughput in a network, it might make sense to enable TCP window scaling as defined in RFC1323:

enable TCP window scaling

net.ipv4.tcp_window_scaling = 1

Disable ICMP redirects entirely. Please note that the send_redirects parameters should stay enabled on routers:

disable redirects

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0 # Don’t disable this on routers!
net.ipv4.conf.default.send_redirects = 0 # Don’t disable this on routers!

Finally disable IPv4 forwarding on non-routing systems:

disable forwarding

net.ipv4.ip_forward = 0

IPv6

Those who don’t use IPv6 at all should disable it:

disable IPv6

net.ipv6.conf.all.disable_ipv6 = 1

If you’re already using IPv6 you might be interested in the following parameters.

On non-routing systems you should disable router solicitations:

disable router solicitations

net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.router_solicitations = 0

You should also not accept routing preferences from router advertisements:

disable router preferences in RA

net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0

Don’t try to learn prefix information in router advertisements:

don’t learn prefix information from RA

net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0

Don’t accept hop limits from router advertisements:

don’t accept hop limits from RA

net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0

Disable IPv6 auto configuration, so that no unicast addresses can automatically be configured on your interface from a router advertisement:

disable auto configuration from RA

net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0

If you don’t want your system to be verbose about its neighbours, you should disable neighbour solicitations entirely:

disable neighbour solicitations

net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.dad_transmits = 0

Unless you need more than one global unicast address, you should fix the number of assigned global unicast addresses per interface to 1:

limit global unicast addresses per interface

net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.max_addresses = 1

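Once these settings live in a drop-in under /etc/sysctl.d/, the practical question is whether the file still matches the intended baseline before running sysctl -p, especially after someone has pasted extra lines into it. The script below is an added example written for this page, not code from the original post. It parses sysctl.conf syntax the way the settings above are written (comments, both spellings of key = value, a later duplicate key winning, multi-value settings such as tcp_rmem) and reports every baseline key that is missing or has drifted. The BASELINE values are the ones recommended in this section; the SAMPLE_CONF drop-in and its two deliberate mistakes are constructed.

```python
"""Audit a sysctl drop-in against a hardening baseline.

Added example for this page; the BASELINE values are the ones recommended
in the sysctl section above, the SAMPLE_CONF text is constructed."""
import re
from typing import Dict, List, Tuple

# Subset of the recommended settings on this page: key -> expected value.
BASELINE: Dict[str, str] = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.tcp_rmem": "4096 87380 8388608",
    "net.ipv6.conf.all.autoconf": "0",
}

# sysctl.conf line: optional leading '-' (ignore write errors), key, '=', value
_KV = re.compile(r"^(-?)([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax into {key: value}.

    Blank lines and lines starting with '#' or ';' are ignored, both
    'key = value' and 'key=value' are accepted, a key given twice keeps
    its last value (sysctl -p applies lines in order), and runs of
    whitespace inside multi-value settings such as tcp_rmem are collapsed
    to one space so they compare reliably.  Lines that are not key=value
    are skipped, as sysctl itself would skip them with a warning.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _KV.match(line)
        if not m:
            continue
        _ignore_errors, key, value = m.groups()
        settings[key] = " ".join(value.split())
    return settings


def audit(settings: Dict[str, str],
          baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for every baseline key that is absent
    (reported as '<unset>') or set to something other than the baseline."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key, "<unset>")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed /etc/sysctl.d/99-hardening.conf with two deliberate problems:
# default.log_martians is missing, and ip_forward is set twice.
SAMPLE_CONF = """\
# 99-hardening.conf (constructed sample)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.conf.all.log_martians = 1
; net.ipv4.conf.default.log_martians was forgotten
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_rmem = 4096    87380 8388608
net.ipv6.conf.all.autoconf = 0
net.ipv4.ip_forward = 0
# pasted in later by someone enabling forwarding: the last line wins
net.ipv4.ip_forward = 1
"""

if __name__ == "__main__":
    for key, expected, actual in audit(parse_sysctl_conf(SAMPLE_CONF)):
        print(f"{key}: expected {expected}, found {actual}")
```

Against a real host, feed it the drop-in with parse_sysctl_conf(open(path).read()). Keep in mind that the file only describes what will be applied at the next sysctl -p or boot; the running values come from sysctl -a, and a second pass over that output is the cheap way to catch the same drift in the live kernel.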
.all & .default

A lot of sysctl parameters have several values, because there's a .default value, an .all value and sometimes even a per-interface value. While the per-interface value is obvious, you have to look closer at the other two.

According to a comment on the linux-kernel mailing list, there’s one major difference:

The default value will only be applied ONCE, at the point when an interface is created.
The all value will ALWAYS be applied in addition.
This means that when an interface is created, the default value is applied to it once. However, you can overwrite that with the interface-specific parameter. The global .all parameter is always applied in addition, and in the end the “final value” depends on the logical operator.

For example there are parameters where all settings need to be 1 (aka AND), where only one of the settings need to be 1 (aka OR) or where the highest value will be used (aka MAX).

So it’s important to know that existing interfaces might have a different value than the one you’ve set as default or all.
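To make the AND/OR/MAX combination concrete, here is a small model, added for this page and not taken from the original post, of how the kernel derives the per-interface value of the net.ipv4.conf.* parameters from .all, .default and the interface's own entry. The operator per parameter follows the kernel's ip-sysctl documentation: accept_source_route is AND, rp_filter is MAX, log_martians, secure_redirects and send_redirects are OR, and accept_redirects is AND when the interface forwards and OR otherwise. The interface names, the values and the order of events in hardening_timeline() are constructed.

```python
"""Model of how the kernel combines net.ipv4.conf.{all,default,<iface>}.*
values.  Added example written for this page, not code from the original
post.  The OPERATOR table follows the AND/OR/MAX rules in the kernel's
ip-sysctl documentation; interface names, values and the order of events
below are constructed for the demonstration."""
from typing import Dict

# Operator applied between the .all value and the interface's own value.
# accept_redirects is special: AND when the interface forwards, OR otherwise.
OPERATOR = {
    "accept_source_route": "and",
    "rp_filter": "max",
    "log_martians": "or",
    "secure_redirects": "or",
    "send_redirects": "or",
    "accept_redirects": "redirects",
}


class Ipv4Conf:
    """Minimal in-memory model of /proc/sys/net/ipv4/conf/."""

    def __init__(self) -> None:
        self.all: Dict[str, int] = {}
        self.default: Dict[str, int] = {}
        self.ifaces: Dict[str, Dict[str, int]] = {}

    def add_interface(self, name: str) -> None:
        # A new interface copies the .default values exactly once, at creation.
        self.ifaces[name] = dict(self.default)

    def set(self, key: str, value: int) -> None:
        """key is 'all.<param>', 'default.<param>' or '<iface>.<param>'."""
        scope, param = key.split(".", 1)
        if scope == "all":
            self.all[param] = value
            if param == "forwarding":
                # The kernel propagates a write to all.forwarding into default
                # and every existing interface; other .all writes are not copied.
                self.default[param] = value
                for conf in self.ifaces.values():
                    conf[param] = value
        elif scope == "default":
            self.default[param] = value      # existing interfaces unaffected
        else:
            self.ifaces.setdefault(scope, {})[param] = value

    def effective(self, iface: str, param: str) -> int:
        """Value the kernel actually uses for a packet on `iface`."""
        own = self.ifaces.get(iface, {})
        a, i = self.all.get(param, 0), own.get(param, 0)
        op = OPERATOR[param]
        if op == "redirects":
            op = "and" if own.get("forwarding", 0) else "or"
        if op == "and":
            return int(bool(a) and bool(i))
        if op == "or":
            return int(bool(a) or bool(i))
        return max(a, i)


def hardening_timeline() -> Dict[str, int]:
    """Replay the situation the section warns about: eth0 exists before the
    hardening drop-in is applied, eth1 is created afterwards (constructed)."""
    c = Ipv4Conf()
    c.add_interface("eth0")              # interface already up
    c.set("default.log_martians", 1)     # the drop-in from this page
    c.set("all.rp_filter", 1)
    c.set("default.rp_filter", 1)
    c.set("all.accept_source_route", 0)
    c.set("all.accept_redirects", 0)
    c.set("eth0.accept_redirects", 1)    # stale per-interface value
    c.add_interface("eth1")              # hot-plugged later
    results = {
        "eth0.log_martians": c.effective("eth0", "log_martians"),  # OR: 0, default came too late
        "eth1.log_martians": c.effective("eth1", "log_martians"),  # OR: 1, seeded from default
        "eth0.rp_filter": c.effective("eth0", "rp_filter"),        # MAX: 1, .all wins
        "eth0.accept_source_route": c.effective("eth0", "accept_source_route"),  # AND: 0
        "eth0.accept_redirects_host": c.effective("eth0", "accept_redirects"),   # OR: 1
    }
    c.set("all.forwarding", 1)           # turn the box into a router
    results["eth0.accept_redirects_router"] = c.effective("eth0", "accept_redirects")  # AND: 0
    return results


if __name__ == "__main__":
    for key, value in hardening_timeline().items():
        print(f"{key} = {value}")
```

The replay shows the trap the section describes: eth0 never picks up default.log_martians because it already existed, all.rp_filter rescues eth0 through MAX, but all.accept_redirects = 0 on its own does not stop redirects on a non-forwarding host while a stale per-interface 1 remains. That is why the page sets both .all and .default, and why reading the per-interface entries back with sysctl -a is worth doing after a change.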

MANAGING VMFS on vsphere 6

vSphere 6.0 Storage Features: NFS v4.1

Although most of my time is dedicated to Virtual SAN (VSAN) these days, I am still very interested in the core storage features that are part of vSphere. I reached out earlier to a number of core storage product managers and engineers to find out what new and exciting features are included in vSphere 6.0. The first feature is one that I know a lot of customers are waiting on – NFS v4.1. Yes, it’s finally here.

Many readers will know that VMware has only supported NFS v3 for the longest time (I think it was introduced in ESX 3.0, way back in the day). Finally we have support for NFS 4.1.

Caution: do not mix protocols

A word of caution before we get into the details. Be aware that an NFS volume should not be mounted as NFS v3 on one ESXi host and as NFS v4.1 on another ESXi host. A best practice would be to configure any NFS/NAS array to allow only one NFS protocol access, either NFS v3 or v4.1, but not both. NFS v3 uses proprietary client-side cooperative locking; NFS v4.1 uses server-side locking. When creating an NFS datastore, this is clearly called out in the Add storage wizard:

(Screenshot: NFSv3 or NFSv4.1)

Yes – that does say “data corruption” folks, so let’s be careful out there.


Multipathing and Load-balancing

Now onto the improvements. NFS v4.1 introduces better performance and availability through load balancing and multipathing. Note that this is not pNFS (parallel NFS). pNFS support is not in vSphere 6.0.

(Screenshot: Setup NFSv4.1 datastore)

In the server(s) field, add a comma-separated list of IP addresses for the server if you wish to use load-balancing and multipathing.

Security/Kerberos

Another major enhancement with NFS v4.1 is the security aspect. With this version, Kerberos and thus non-root user authentication are both supported. With version 3, remote files were accessed with root permissions, and servers had to be configured with the no_root_squash option to allow root access to files. This is known as the AUTH_SYS mechanism. While this method is still supported with NFS v4.1, Kerberos is a much more secure mechanism. An NFS user is now defined on each ESXi host using esxcfg-nas -U -v 4.1, and this is the user that is used for remote file access. One should use the same user on all hosts. If two hosts are using different users, you might find that a vMotion task will fail.

(Screenshot: enable Kerberos)

There is a requirement on Active Directory for this to work, and each ESXi host should be joined to the AD domain. Kerberos is enabled when the NFS v4.1 datastore is being mounted to the ESXi host.

(Screenshot: enable Kerberos)

Note the warning message that each host mounting this datastore needs to be part of an AD domain.

Interoperability

There are some limitations when using NFS v4.1 datastores and other core vSphere 6.0 features however. While NFS v4.1 volumes can be used with features like DRS and HA, it is not supported with Storage DRS, Storage I/O Control, Site Recovery Manager and Virtual Volumes.

[Update – March 20th, 2015] I had a few questions about interop with Fault Tolerance. VMs on NFS v4.1 support FT, as long as it is the new FT mechanism introduced in 6.0. VMs running on NFS v4.1 do not support the old, legacy FT mechanism. In vSphere 6.0, the newer Fault Tolerance mechanism can accommodate symmetric multiprocessor (SMP) virtual machines with up to four vCPUs. Earlier versions of vSphere used a different technology for Fault Tolerance (now known as legacy FT), with different requirements and characteristics (including a limitation of single vCPUs for legacy FT VMs).

So lots of nice new features with NFS v4.1 around performance, multipathing, load balancing and security, and we can finally move away from using NFS v3.


[Update] There have been a few questions about whether or not multiple datastores can be presented to ESXi hosts over NFS v4.1. The answer is yes. We certainly support multiple NFS v4.1 datastores per array.