вторник, 18 мая 2021 г.

rsync from non root user

 On the destination server set in the /etc/sudoers file next:

username ALL= NOPASSWD:/usr/bin/rsync

and on the source server run:

rsync -avz -e "ssh" -rsync-path="sudo rsync" /data/source  username@dest_host:/data/target



пятница, 27 ноября 2020 г.

Configure postfix to relay mail for exchange server with authentication

 It need to add next package to postfix server:

yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain

and add the next rows to postfix main.cf file:

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous 

smtpd_sasl_path = smtpd

relayhost = [smtp.server.name]

smtp_generic_maps = hash:/etc/postfix/generic


Aslo need add to file /etc/postfix/sasl_passwd auth data in the next format:

smtp.server.name   username:password

then run 

postmap   /etc/postfix/sasl_passwd

Due to local mail send from root user, you need to change mailer from (it is if your exchange server doesn't allow anonymous connection). Add to file /etc/postfix/generic row:

root@your_linux_server_name       username

and run 

postmap  /etc/postfix/generic


and restart postfix



четверг, 29 октября 2020 г.

Firewalld and ipset

 How  to use ipset with firewalld?

Let's do it.

First of all, let's check, have we any ipsets already?:

# firewall-cmd --get-ipsets

If no, create it:
for networks

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:net

for IP

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:ip

And now add network to whitelist:

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.27.0.0/16 

and IP

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.28.1.18 

And create rules for ports or services for that whiltelist:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" port protocol="tcp" port="80-90" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" service name="ssh" accept'


If we have another rule for access to ssh service, need to remove it:

# firewalld-md --permanent --zone=public --remove-service=ssh

and apply changes:

#firewall-cmd --reload



четверг, 24 сентября 2020 г.

Let's Encrypt certbot shortread

First of all you need to install certbot:

yum install -y certbot

then stop your web server and take certificate.( Note , you should had valid DNS record for your domain):

certbot certonly --standalone

here you should write domain name of your server


To renew certificate add next in crontab:

 echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null


If you want to extend exist certificate ( for example you have domain.com and want to extend for www.domain.com) , stop your web server and do next:

 certbot certonly --expand -d domain.com,www.domain.com --standalone

then start your web server again.


четверг, 16 июля 2020 г.

Extend logical volume on virtual hard disk

If you use lvm on a virtual machine, you may need to extend logical volume.
For example, I have preconfigured lvm on disks:

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0    8G  0 disk 
└─sdb1                      8:17   0    8G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  
  └─docker-var_lib_docker 253:3    0    4G  0 lvm  
sr0                        11:0    1 1024M  0 rom  

and I want to extend logical volume var_lib_docker on the volume group docker
Volume group docker doesn't have any free space:

parted /dev/sdb
GNU Parted 3.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p                                                                
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 8590MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  8589MB  8588MB               primary  lvm

So, I've stopped the virtual machine, extended virtual disk sdb and checked it:
 (it can do without stopping virtual machine: extend disk, end refresh disk configuration:   echo 1 |> /sys/class/block/sda/device/rescan )

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0   10G  0 disk 
└─sdb1                      8:17   0    8G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  /data
  └─docker-var_lib_docker 253:3    0    4G  0 lvm  /var/lib/docker
sr0                        11:0    1 1024M  0 rom  

Ok, disk sdb became 10G size instead 8G, but physical volume and volume group still have old size:

[root@centos7 ~]# pvs
  PV         VG             Fmt  Attr PSize  PFree
  /dev/sda2  centos_centos7 lvm2 a--  <7,00g    0 
  /dev/sdb1  docker         lvm2 a--  <8,00g    0

Let fix it:

[root@centos7 ~]# parted /dev/sdb print
Error: The backup GPT table is not at the end of the disk, as it should be.  This might mean that another operating system believes the disk is smaller.  Fix,
by moving the backup to the end (and removing the old backup)?
Fix/Ignore/Cancel? Fix                                                    
Warning: Not all of the space available to /dev/sdb appears to be used, you can fix the GPT to use all of the space (an extra 4194304 blocks) or continue with
the current setting? 
Fix/Ignore? Fix                                                           
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 10,7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  8589MB  8588MB               primary  lvm
(parted) resizepart 
Partition number? 1                                                       
End?  [8589MB]? 10240                                                     
(parted) print                                                            
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 10,7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  10,2GB  10,2GB               primary  lvm

(parted) q                                                                
Information: You may need to update /etc/fstab.

It would be better to umount logical volumes:

[root@centos7 ~]# umount /var/lib/docker/
[root@centos7 ~]# umount /data

Now resize phisycal volume:

[root@centos7 ~]# pvresize /dev/sdb1
  Physical volume "/dev/sdb1" changed
  1 physical volume(s) resized or updated / 0 physical volume(s) not resized
[root@centos7 ~]# pvs
  PV         VG             Fmt  Attr PSize  PFree 
  /dev/sda2  centos_centos7 lvm2 a--  <7,00g     0 
  /dev/sdb1  docker         lvm2 a--   9,53g <1,54g

Now resize volume group:

[root@centos7 ~]# lvextend -l+100%FREE /dev/mapper/docker-var_lib_docker 
  Size of logical volume docker/var_lib_docker changed from 4,00 GiB (1024 extents) to <5,54 GiB (1417 extents).
  Logical volume docker/var_lib_docker successfully resized.

And check it:

[root@centos7 ~]# e2fsck -f /dev/mapper/docker-var_lib_docker
e2fsck 1.42.9 (28-Dec-2013)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/docker-var_lib_docker: 6226/262144 files (0.1% non-contiguous), 89172/1048576 blocks

Then resize the file system:

[root@centos7 ~]# resize2fs /dev/mapper/docker-var_lib_docker 
resize2fs 1.42.9 (28-Dec-2013)
Resizing the filesystem on /dev/mapper/docker-var_lib_docker to 1451008 (4k) blocks.
The filesystem on /dev/mapper/docker-var_lib_docker is now 1451008 blocks long.

And mount logical volumes again:

[root@centos7 ~]# mount -a

check:

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0   10G  0 disk 
└─sdb1                      8:17   0  9,5G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  /data
  └─docker-var_lib_docker 253:3    0  5,5G  0 lvm  /var/lib/docker
sr0                        11:0    1 1024M  0 rom 

the logical volume var_lib_docker was resized up to 5,5G.







понедельник, 27 апреля 2020 г.

Docker how to use tls

According to the official docker docs docker security let's make tls connection to docker host:

go to the  docker host and generate CA key:

#  openssl genrsa -aes256 -out ca-key.pem 4096

then generate  CA certificate:

#  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Now create server private keey:

#  openssl genrsa -out server-key.pem 4096

And then certificate request:

#   openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Create extfile.cnf to be able connect to docker host via hostname or IP:

#  echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
#  echo extendedKeyUsage = serverAuth >> extfile.cnf

Now, generate the signed certificate:

#  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf


Now we can generate clients' private key

#  openssl genrsa -out key.pem 4096
#  echo extendedKeyUsage = clientAuth > extfile-client.cnf

and request for certificate:

#  openssl req -subj '/CN=client' -new -key key.pem -out client.csr

and create clinet's certificate:

#  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf


change permission :

#   chmod -v 0400 ca-key.pem key.pem server-key.pem
#   chmod -v 0444 ca.pem server-cert.pem cert.pem


Stop docker service and modify it:

#  systemctl stop docker

#  vi /usr/lib/systemd/system/docker.service

Modify ExecStart command:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock


and then reload daemon config and start docker service:

#  systemctl daemon-reload
#  systemct start docker

Add firewall rules:
#  firewall-cmd --permanent --zone=public --add-port=2376/tcp
#  firewall-cmd --reload




Now on the client host put the appropriate key, certificates: ca.pem, cert.pem, key.pem and set DOCKER_HOST variable :

#  export DOCKER_HOST=$HOST:2376

and try to connect to docker host :

#  docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem info

суббота, 25 апреля 2020 г.

Firewalld how to block all but allow specific

Usually, default zone = public

So, to block all  need to make default zone drop:

firewall-cmd  --set-default-zone=drop

Then add the specific address to zone trusted:

firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted

and service ssh

firewall-cmd --permanent --add-service=ssh --zone=trusted

and specific interface to zone trusted:

firewall-cmd --permanent --zone=trusted --add-interface=eth0

save firewalld config:

firewall-cmd --reload


If you need to restrict access to port published by docker container :

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'

Add you docker network (in this case 172.17.0.0/16 ):

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'

Lets allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'

If you need to allow access from work's address 2.3.4.5 to these ports:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5  -j ACCEPT -m comment --comment 'Allow work's IP to access to 8983,8443 docker ports'

firewall-cmd --reload