Записки на память

вторник, 18 мая 2021 г.

rsync from non root user

On the destination server set in the /etc/sudoers file next:

username ALL= NOPASSWD:/usr/bin/rsync

and on the source server run:

rsync -avz -e "ssh" -rsync-path="sudo rsync" /data/source username@dest_host:/data/target

пятница, 27 ноября 2020 г.

Configure postfix to relay mail for exchange server with authentication

It need to add next package to postfix server:

yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain

and add the next rows to postfix main.cf file:

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous

smtpd_sasl_path = smtpd

relayhost = [smtp.server.name]

smtp_generic_maps = hash:/etc/postfix/generic

Aslo need add to file /etc/postfix/sasl_passwd auth data in the next format:

smtp.server.name username:password

then run

postmap /etc/postfix/sasl_passwd

Due to local mail send from root user, you need to change mailer from (it is if your exchange server doesn't allow anonymous connection). Add to file /etc/postfix/generic row:

root@your_linux_server_name username

and run

postmap /etc/postfix/generic

and restart postfix

четверг, 29 октября 2020 г.

Firewalld and ipset

How to use ipset with firewalld?

Let's do it.

First of all, let's check, have we any ipsets already?:

# firewall-cmd --get-ipsets

If no, create it:

for networks

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:net

for IP

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:ip

And now add network to whitelist:

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.27.0.0/16

and IP

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.28.1.18

And create rules for ports or services for that whiltelist:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" port protocol="tcp" port="80-90" accept'

# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" service name="ssh" accept'

If we have another rule for access to ssh service, need to remove it:

# firewalld-md --permanent --zone=public --remove-service=ssh

and apply changes:

#firewall-cmd --reload

четверг, 24 сентября 2020 г.

Let's Encrypt certbot shortread

First of all you need to install certbot:

yum install -y certbot

then stop your web server and take certificate.( Note , you should had valid DNS record for your domain):

certbot certonly --standalone

here you should write domain name of your server

To renew certificate add next in crontab:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

If you want to extend exist certificate ( for example you have domain.com and want to extend for www.domain.com) , stop your web server and do next:

certbot certonly --expand -d domain.com,www.domain.com --standalone

then start your web server again.

четверг, 16 июля 2020 г.

Extend logical volume on virtual hard disk

If you use lvm on a virtual machine, you may need to extend logical volume.
For example, I have preconfigured lvm on disks:

[root@centos7 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 8G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 7G 0 part
├─centos_centos7-root 253:0 0 6,2G 0 lvm /
└─centos_centos7-swap 253:1 0 820M 0 lvm [SWAP]
sdb 8:16 0 8G 0 disk
└─sdb1 8:17 0 8G 0 part
├─docker-data 253:2 0 4G 0 lvm
└─docker-var_lib_docker 253:3 0 4G 0 lvm
sr0 11:0 1 1024M 0 rom

and I want to extend logical volume var_lib_docker on the volume group docker
Volume group docker doesn't have any free space:

parted /dev/sdb
GNU Parted 3.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 8590MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number Start End Size File system Name Flags
1 1049kB 8589MB 8588MB primary lvm

So, I've stopped the virtual machine, extended virtual disk sdb and checked it:

(it can do without stopping virtual machine: extend disk, end refresh disk configuration: echo 1 |> /sys/class/block/sda/device/rescan )

[root@centos7 ~]# lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sda 8:0 0 8G 0 disk

├─sda1 8:1 0 1G 0 part /boot

└─sda2 8:2 0 7G 0 part

├─centos_centos7-root 253:0 0 6,2G 0 lvm /

└─centos_centos7-swap 253:1 0 820M 0 lvm [SWAP]

sdb 8:16 0 10G 0 disk

└─sdb1 8:17 0 8G 0 part

├─docker-data 253:2 0 4G 0 lvm /data

└─docker-var_lib_docker 253:3 0 4G 0 lvm /var/lib/docker

sr0 11:0 1 1024M 0 rom

Ok, disk sdb became 10G size instead 8G, but physical volume and volume group still have old size:

[root@centos7 ~]# pvs

PV VG Fmt Attr PSize PFree

/dev/sda2 centos_centos7 lvm2 a-- <7,00g 0

/dev/sdb1 docker lvm2 a-- <8,00g 0

Let fix it:

[root@centos7 ~]# parted /dev/sdb print

Error: The backup GPT table is not at the end of the disk, as it should be. This might mean that another operating system believes the disk is smaller. Fix,

by moving the backup to the end (and removing the old backup)?

Fix/Ignore/Cancel? Fix

Warning: Not all of the space available to /dev/sdb appears to be used, you can fix the GPT to use all of the space (an extra 4194304 blocks) or continue with

the current setting?

Fix/Ignore? Fix

Model: ATA VBOX HARDDISK (scsi)

Disk /dev/sdb: 10,7GB

Sector size (logical/physical): 512B/512B

Partition Table: gpt

Disk Flags:

Number Start End Size File system Name Flags

1 1049kB 8589MB 8588MB primary lvm

(parted) resizepart

Partition number? 1

End? [8589MB]? 10240

(parted) print

Model: ATA VBOX HARDDISK (scsi)

Disk /dev/sdb: 10,7GB

Sector size (logical/physical): 512B/512B

Partition Table: gpt

Disk Flags:

Number Start End Size File system Name Flags

1 1049kB 10,2GB 10,2GB primary lvm

(parted) q

Information: You may need to update /etc/fstab.

It would be better to umount logical volumes:

[root@centos7 ~]# umount /var/lib/docker/

[root@centos7 ~]# umount /data

Now resize phisycal volume:

[root@centos7 ~]# pvresize /dev/sdb1

Physical volume "/dev/sdb1" changed

1 physical volume(s) resized or updated / 0 physical volume(s) not resized

[root@centos7 ~]# pvs

PV VG Fmt Attr PSize PFree

/dev/sda2 centos_centos7 lvm2 a-- <7,00g 0

/dev/sdb1 docker lvm2 a-- 9,53g <1,54g

Now resize volume group:

[root@centos7 ~]# lvextend -l+100%FREE /dev/mapper/docker-var_lib_docker

Size of logical volume docker/var_lib_docker changed from 4,00 GiB (1024 extents) to <5,54 GiB (1417 extents).

Logical volume docker/var_lib_docker successfully resized.

And check it:

[root@centos7 ~]# e2fsck -f /dev/mapper/docker-var_lib_docker

e2fsck 1.42.9 (28-Dec-2013)

Pass 1: Checking inodes, blocks, and sizes

Pass 2: Checking directory structure

Pass 3: Checking directory connectivity

Pass 4: Checking reference counts

Pass 5: Checking group summary information

/dev/mapper/docker-var_lib_docker: 6226/262144 files (0.1% non-contiguous), 89172/1048576 blocks

Then resize the file system:

[root@centos7 ~]# resize2fs /dev/mapper/docker-var_lib_docker

resize2fs 1.42.9 (28-Dec-2013)

Resizing the filesystem on /dev/mapper/docker-var_lib_docker to 1451008 (4k) blocks.

The filesystem on /dev/mapper/docker-var_lib_docker is now 1451008 blocks long.

And mount logical volumes again:

[root@centos7 ~]# mount -a

check:

[root@centos7 ~]# lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sda 8:0 0 8G 0 disk

├─sda1 8:1 0 1G 0 part /boot

└─sda2 8:2 0 7G 0 part

├─centos_centos7-root 253:0 0 6,2G 0 lvm /

└─centos_centos7-swap 253:1 0 820M 0 lvm [SWAP]

sdb 8:16 0 10G 0 disk

└─sdb1 8:17 0 9,5G 0 part

├─docker-data 253:2 0 4G 0 lvm /data

└─docker-var_lib_docker 253:3 0 5,5G 0 lvm /var/lib/docker

sr0 11:0 1 1024M 0 rom

the logical volume var_lib_docker was resized up to 5,5G.

понедельник, 27 апреля 2020 г.

Docker how to use tls

According to the official docker docs docker security let's make tls connection to docker host:

go to the docker host and generate CA key:

# openssl genrsa -aes256 -out ca-key.pem 4096

then generate CA certificate:

# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Now create server private keey:

# openssl genrsa -out server-key.pem 4096

And then certificate request:

# openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Create extfile.cnf to be able connect to docker host via hostname or IP:

# echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
# echo extendedKeyUsage = serverAuth >> extfile.cnf

Now, generate the signed certificate:

# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Now we can generate clients' private key

# openssl genrsa -out key.pem 4096
# echo extendedKeyUsage = clientAuth > extfile-client.cnf

and request for certificate:

# openssl req -subj '/CN=client' -new -key key.pem -out client.csr

and create clinet's certificate:

# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

change permission :

# chmod -v 0400 ca-key.pem key.pem server-key.pem
# chmod -v 0444 ca.pem server-cert.pem cert.pem

Stop docker service and modify it:

# systemctl stop docker

# vi /usr/lib/systemd/system/docker.service

Modify ExecStart command:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock

and then reload daemon config and start docker service:

# systemctl daemon-reload
# systemct start docker

Add firewall rules:
# firewall-cmd --permanent --zone=public --add-port=2376/tcp
# firewall-cmd --reload

Now on the client host put the appropriate key, certificates: ca.pem, cert.pem, key.pem and set DOCKER_HOST variable :

# export DOCKER_HOST=$HOST:2376

and try to connect to docker host :

# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem info

суббота, 25 апреля 2020 г.

Firewalld how to block all but allow specific

Usually, default zone = public

So, to block all need to make default zone drop:

firewall-cmd --set-default-zone=drop

Then add the specific address to zone trusted:

firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted

and service ssh

firewall-cmd --permanent --add-service=ssh --zone=trusted

and specific interface to zone trusted:

firewall-cmd --permanent --zone=trusted --add-interface=eth0

save firewalld config:

firewall-cmd --reload

If you need to restrict access to port published by docker container :

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'

Add you docker network (in this case 172.17.0.0/16 ):

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'

Lets allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'

If you need to allow access from work's address 2.3.4.5 to these ports:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5 -j ACCEPT -m comment --comment 'Allow work's IP to access to 8983,8443 docker ports'

firewall-cmd --reload

вторник, 18 мая 2021 г.