Thursday 1 November 2012

Windows 7 internal shutdown command

Windows 7 ships with its own command-line shutdown tool, shutdown.exe (it is present in earlier Windows versions too). If you want to shut down your computer on a timer, you can run:

shutdown.exe /s /t 3600

/s requests a shutdown (as opposed to /r, which reboots) and /t sets the delay in seconds, so the command above shuts the machine down in one hour. The closest Linux equivalent is
shutdown -h +60
(the Linux command takes its delay in minutes, or an absolute hh:mm time, not in seconds). If you change your mind before the timer expires, you can abort the pending shutdown (or reboot) with
shutdown.exe /a

Centos 6 hangs up at boot - say hi to selinux

Last night, I was updating some packages on a few CentOS 6.2 VMs on my home server when I found that some commands hung (rpm, for example) and that I couldn't open new login shells on any of the VMs.

I tried restarting one, just to see the boot process hang while starting bind/named. I restarted the VM in single user mode and disabled that service with chkconfig. On the next boot it hung on dhcpd and, after the same treatment, on postfix.

At this point I noticed a pattern: I had obviously broken something at the core of the system. Some of the packages I had cherry-picked for the update were the standard C++ runtime libraries and a few other core components.

After searching the web for a while and fearing that I would need to reinstall all the VMs (luckily I have a golden VM template and I use puppet, so this wouldn't have been terrible, just very annoying), I found the release notes for CentOS 6.3, which stated

If you update CentOS 6.2 to 6.3 with certain packages only, the system may hang upon reboot. For example, this happens if you apply only the security updates from CentOS 6.3. To fix this issue, boot the system with a "enforcing=0" kernel option and update selinux policy to 3.7.19-155.el6_3 (or later) available in the 6.3 updates repository.
Phew, I had a solution. I restarted all the VMs with the boot option enforcing=0 (SELinux in permissive mode, so the stale policy is logged but no longer blocks the services) and updated the following two packages:
  • selinux-policy
  • selinux-policy-targeted
Some of the VMs had an inconsistent rpm database (two with unfinished transactions and one with duplicate packages). I sorted this out with yum-complete-transaction (from yum-utils) and cleaned up any remaining unfinished transactions.

After that, all but one of the VMs started without any issues. Unfortunately, the one that failed to start was the one running all the core network services (dns, dhcpd, ntp, etc), and it failed with Kernel panic - not syncing: Attempted to kill init!. I particularly don't like kernel panics, but I assumed it was related to the SELinux issue.

I rebooted the VM with enforcing=0 and it did boot, which pointed at the SELinux policy store rather than the kernel. I ran semodule -B to rebuild the policy and got an odd error saying that it couldn't find some files. The fix was quite simple:
  • Removed the policy packages with yum remove selinux-policy selinux-policy-targeted
  • Reinstalled the packages with yum install selinux-policy selinux-policy-targeted
  • And to be sure, ran semodule -B again
This time I didn't get any errors and the VM restarted without a kernel panic.


So last night I've learned:
  • Don't do any patching/upgrading half an hour before your target time to go to sleep.
  • Respect SELinux.
  • Always upgrade the selinux-policy packages first, before upgrading any other OS library package.
  • Take a snapshot of the VMs before any big patching (schoolboy error).
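The lessons above boil down to a pre-reboot check. The script below is an added example, not part of the original post: before rebooting a partially updated box, it confirms that the installed selinux-policy-targeted is at least the version the 6.3 release notes name, and refuses otherwise. The version comparison is done in awk so it needs nothing beyond rpm; the minimum version string, the --check flag and the use of yum-utils (yum-complete-transaction, package-cleanup) for the rpm database clean-up are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-reboot check after a partial CentOS 6.2 -> 6.3 update.
# The 6.3 release notes name selinux-policy 3.7.19-155.el6_3 as the fix for
# the boot hang, so refuse to reboot while the installed policy is older.

# ver_ge A B: return 0 when RPM version-release string A is >= B.
# Fields are split on '.', '-' and '_' and compared numerically where both
# sides are numbers, as strings otherwise (good enough for selinux-policy).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, /[-._]/); nb = split(b, pb, /[-._]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] : ""; y = (i <= nb) ? pb[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) exit 1
            if (x > y) exit 0
        }
        exit 0
    }'
}

# Minimum version from the CentOS 6.3 release notes (assumption: still the
# relevant floor for your update set).
MIN_POLICY="3.7.19-155.el6_3"

# preflight: check the installed policy, then surface leftover rpm trouble.
# Assumes a CentOS 6 box with rpm and yum-utils installed.
preflight() {
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy-targeted) || {
        echo "selinux-policy-targeted is not installed" >&2
        return 1
    }
    if ver_ge "$have" "$MIN_POLICY"; then
        echo "selinux-policy-targeted $have >= $MIN_POLICY: safe to reboot"
    else
        echo "selinux-policy-targeted $have < $MIN_POLICY: run" >&2
        echo "  yum update selinux-policy selinux-policy-targeted" >&2
        echo "before rebooting, or boot with enforcing=0" >&2
        return 1
    fi
    # Unfinished transactions and duplicate packages bit the VMs above too.
    yum-complete-transaction --cleanup-only
    package-cleanup --dupes
}

# Run the live check only when asked, so the file can also be sourced for ver_ge.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it as sh preflight.sh --check on the box before typing reboot; a non-zero exit means the policy is still the old one and the next boot is likely to hang.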

Sunday 30 September 2012

Cygwin: How to paste with a right click

For the last few weeks, I've been scratching my head because I could paste content into cygwin with a right click on my work computer, but I couldn't do it at home. And more annoyingly, I couldn't figure it out until a few minutes ago.

To enable pasting with a right mouse click, follow these steps (written for dummies like me)

1) Open the options of the Cygwin terminal (mintty; the menu entry is called Options, aka preferences or settings)

2) Select Mouse in the left menu, and select Paste under Right click action

And since the last few versions of the Cygwin terminal support resizing the window, it has the same good features as PuTTY :).

Sunday 9 September 2012

Git error about missing ca-bundle.crt on Cygwin

If you get the following error:
$ git push -u origin master
error: error setting certificate verify locations:
  CAfile: /usr/ssl/certs/ca-bundle.crt
   [...]
when pushing, cloning, or doing any other operation that goes over https, the problem is that the ca-certificates package is not installed in Cygwin, so git (through libcurl) has no CA bundle with which to verify the server's certificate. Run the Cygwin installer again and add that package; after that git should work. Don't be tempted to work around the error with git config http.sslVerify false or GIT_SSL_NO_VERIFY=true: that silences it by turning certificate validation off altogether, which leaves every push and clone open to a man-in-the-middle.

Sunday 5 February 2012

SELinux policy to run check_yum with sudo

A small update on the previous post. If you want to run check_yum with sudo (so that yum itself runs as root), nrpe_t also needs to execute sudo, write to the rpm cache and talk to the audit socket, so use the following policy file instead:


#-- Start nagios_plugin_checkyum.te
module nagios_plugin_checkyum 1.0.4;

require {
        type usr_t;
        type boot_t;
        type admin_home_t;
        type rpm_var_lib_t;
        type tmp_t;
        type rpm_var_cache_t;
        type nrpe_t;
        type sudo_exec_t;
        type http_port_t;
        type rpm_exec_t;
        class capability { sys_nice audit_write };
        class tcp_socket name_connect;
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
        class netlink_audit_socket { write nlmsg_relay create read };
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
}

#============= nrpe_t ==============
allow nrpe_t admin_home_t:dir search;
allow nrpe_t boot_t:dir { read getattr open };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };
allow nrpe_t rpm_var_cache_t:dir { search getattr };
allow nrpe_t rpm_var_cache_t:dir { write read open add_name remove_name };
allow nrpe_t rpm_var_cache_t:file { rename create unlink setattr };
allow nrpe_t rpm_var_cache_t:file { write read getattr open lock };
allow nrpe_t rpm_var_lib_t:dir add_name;
allow nrpe_t rpm_var_lib_t:dir write;
allow nrpe_t rpm_var_lib_t:dir { getattr search };
allow nrpe_t rpm_var_lib_t:file create;
allow nrpe_t rpm_var_lib_t:file write;
allow nrpe_t rpm_var_lib_t:file { read lock getattr open };
allow nrpe_t self:capability { sys_nice audit_write };
allow nrpe_t self:netlink_audit_socket { write nlmsg_relay create read };
allow nrpe_t sudo_exec_t:file { read execute open execute_no_trans };
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;
#-- End nagios_plugin_checkyum.te

And you'll need to add something like the following to your /etc/sudoers file (edit it with visudo, which checks the syntax before saving):
nagios  ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/check_yum

You also need to lift requiretty for nagios, otherwise sudo refuses to run without a terminal and nrpe gets the sudo error message instead of the plugin output. Commenting out the following line in sudoers does that globally:
#Defaults    requiretty
A narrower alternative is to leave that line alone and add Defaults:nagios !requiretty, which lifts the restriction for the nagios user only.

Since the plugin now runs as root, make sure /usr/lib64/nagios/plugins/check_yum is owned by root and not writable by the nagios user (or anyone else): otherwise whoever can edit the script can run arbitrary commands as root through NRPE.



References
  1. http://blog.gnucom.cc/2009/configuring-nagios-to-run-privileged-or-root-commands-with-nrpe/

SELinux policy to run check_yum

The EPEL repo has lots of good (and SELinux-friendly) plugins to run on remote hosts with NRPE. One that is missing is check_yum, which checks that the OS has the latest security patches.
To make that plugin work on CentOS 6, download the script from Nagios Exchange and apply a small change that is described in this comment.

When we try to run this script through NRPE on a SELinux-enabled host, it explodes in a million colour pieces as it tries to access resources that the nrpe_t domain is not allowed to touch. Here's the output when we try to run it. Note that the SELinux denial surfaces as an ordinary error: the plugin cannot stat /usr/bin/yum, so it reports the binary as missing rather than as forbidden.

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
UNKNOWN: /usr/bin/yum cannot be found

To make it work, we need to create a SELinux policy module that allows nrpe to run yum.

Copy the following into a file called ~/nagios-plugin-checkyum.te

#-- Start ~/nagios-plugin-checkyum.te --
module nagios_plugin_checkyum 1.0.3;
 
require {
        type tmp_t;
        type usr_t;
        type boot_t;
        type http_port_t;
        type nrpe_t;
        type rpm_exec_t;
        type rpm_var_lib_t;
        class tcp_socket name_connect;
        class lnk_file read;
        class dir { search read write getattr remove_name open add_name };
        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
}

#============= nrpe_t ==============
allow nrpe_t boot_t:dir { read getattr open };
allow nrpe_t http_port_t:tcp_socket name_connect;
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };
allow nrpe_t rpm_var_lib_t:dir add_name;
allow nrpe_t rpm_var_lib_t:dir { getattr search };
allow nrpe_t rpm_var_lib_t:file create;
allow nrpe_t rpm_var_lib_t:file { read lock getattr open };
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { rename setattr read lock create write getattr unlink open };
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;

#-- End of ~/nagios-plugin-checkyum.te --

Some of these rules make obvious sense, for example allowing nrpe to connect to an http port and to execute rpm/yum. Others, such as the right to create files under rpm_var_lib_t (the rpm database directory) and tmp_t, give a read-only monitoring check more than it strictly needs. I'm not a SELinux expert, so I can't vouch for every rule, but at least they apply only to the nrpe_t domain, which keeps the hole small.

Now we need to build the policy, since semodule only loads compiled binary modules. To do so, run the following command in the same directory where you stored the previous file.

make -f /usr/share/selinux/devel/Makefile

This creates a few files, but the one we're interested in is nagios-plugin-checkyum.pp, the compiled SELinux module (the .pp takes its name from the .te file, while the name shown by semodule -l comes from the module line inside it). To install it run

semodule -i nagios-plugin-checkyum.pp

After doing this, when we run the check, we get a response.

[root@host plugins]# ./check_nrpe -H nrpehost.com -c check_yum
YUM OK: 0 Security Updates Available. 5 Non-Security Updates Available

Getting the right policy for this plugin is tricky: some of the denials are covered by dontaudit rules in the base policy, so they never reach the audit log, even in permissive mode. To capture them, rebuild the policy with the dontaudit rules disabled (semodule -DB), run the check and collect the denials, and then restore them with semodule -B.
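The following script is an added example, not code from the original post or from the check_yum plugin. It shows the step that audit2allow automates, written out so you can see exactly what you are about to grant: it reads AVC denial lines (the format ausearch -m avc prints), extracts source type, target type, class and permission from each, and emits a complete .te module with a require block and one allow rule per (source, target, class). It serves both the check_yum post above and the sudo variant. The AVC lines embedded in it are constructed for the example, the script name avc_to_te.sh and the module version 1.0 are assumptions, and the module it produces is deliberately minimal: review every allow line before loading it, because a write/add_name on rpm_var_lib_t, for instance, lets nrpe create files in the rpm database directory.

```shell
#!/bin/sh
# Added example: turn AVC denials into a reviewable .te module (a transparent
# stand-in for the core of audit2allow). Workflow on the NRPE host:
#   semodule -DB                               # also log dontaudit'ed denials
#   ./check_nrpe -H nrpehost.com -c check_yum  # trigger the denials (permissive)
#   ausearch -m avc -ts recent > avc.log
#   sh avc_to_te.sh nagios_plugin_checkyum < avc.log > nagios_plugin_checkyum.te
#   make -f /usr/share/selinux/devel/Makefile && semodule -i nagios_plugin_checkyum.pp
#   semodule -B                                # re-enable dontaudit rules

# Constructed sample of ausearch output (not a real capture).
AVC_SAMPLE='type=AVC msg=audit(1328439100.123:456): avc:  denied  { execute } for  pid=1234 comm="check_yum" name="yum" dev=dm-0 ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328439100.125:457): avc:  denied  { read open } for  pid=1234 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=1234 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1328439101.000:458): avc:  denied  { name_connect } for  pid=1240 comm="yum" dest=80 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328439101.200:459): avc:  denied  { write add_name } for  pid=1240 comm="yum" name="rpm" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir'

# avc_triples: stdin AVC lines -> "source_type target_type class perm", one per line.
avc_triples() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }'
}

# avc_to_te NAME: stdin AVC lines -> complete .te module on stdout.
# Types, classes and rules are de-duplicated and sorted so the output is stable
# and diff-able between captures.
avc_to_te() {
    name="$1"
    triples=$(avc_triples | LC_ALL=C sort -u)
    echo "module $name 1.0;"
    echo
    echo "require {"
    printf '%s\n' "$triples" | awk '{ print $1; print $2 }' | LC_ALL=C sort -u |
        awk '{ printf "\ttype %s;\n", $1 }'
    printf '%s\n' "$triples" |
        awk '{ if (!s[$3, $4]++) c[$3] = c[$3] " " $4 }
             END { for (k in c) printf "\tclass %s {%s };\n", k, c[k] }' | LC_ALL=C sort
    echo "}"
    echo
    printf '%s\n' "$triples" |
        awk '{ k = $1 " " $2 ":" $3; if (!s[k, $4]++) r[k] = r[k] " " $4 }
             END { for (k in r) printf "allow %s {%s };\n", k, r[k] }' | LC_ALL=C sort
}

# Usage: sh avc_to_te.sh MODULE_NAME < avc.log; with no arguments, run on the sample.
if [ -n "${1:-}" ]; then
    avc_to_te "$1"
else
    printf '%s\n' "$AVC_SAMPLE" | avc_to_te nagios_plugin_checkyum
fi
```

On the sample the output is the module header, a require block with the four types and three classes, and three allow rules; the real audit2allow additionally recognises booleans that would resolve a denial and knows about interfaces, so treat this as a way to read the denials, not a replacement for it.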

Please share your experience whether this has worked for you.

Saturday 4 February 2012

Yum update - Metadata file does not match checksum

Today I was testing some nagios plugins that report missing security updates on CentOS 6, and I started getting an error on one of the boxes when I ran "yum check-update". It looks like yum somehow got the wrong checksum from EPEL (maybe they were updating the repository at the time?).

This is the error I saw from yum,

Limiting package lists to security relevant ones
epel/updateinfo                                               | 308 kB     00:01
http://mirror.bytemark.co.uk/fedora/epel/6/x86_64/repodata/updateinfo.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
epel/updateinfo                                               | 308 kB     00:01
http://ftp.ntua.gr/pub/linux/fedora-epel/6/x86_64/repodata/updateinfo.xml.gz: [Errno -1] Metadata file does not match checksum
[...]

Running the command again gave the same error, so I had to clear all the cached metadata with the following command:

yum clean metadata dbcache expire-cache

After running that command yum was happy again. The error itself is a safety check doing its job: repomd.xml carries the checksum of every metadata file, and yum refuses to use an updateinfo.xml.gz that doesn't match it, whether the cause is a mirror caught mid-sync, a corrupt download or something altered in transit. If the mismatch persists after the clean, point yum at another mirror rather than weakening the repository configuration.

Wednesday 1 February 2012

Changing putty default configuration

Today I found out a simple way to change the default values in putty that doesn't involve fiddling with the registry.

To change the defaults:
  1. Open putty and change any parameter you want as the new default.
  2. Go back to Session on the Category list.
  3. Enter Default Settings in Saved Sessions.
  4. Click save.


Enjoy!

Monday 23 January 2012

Centos 6.2 graphical installation adds a few extra packages

Today I discovered that the minimal installation of CentOS 6.2 installs a few extra packages if it's done in graphical mode. The graphical installation adds the package matahari, which pulls in another 32 dependencies. matahari is a set of remote systems-management agents (built on QMF/AMQP), which is not something a minimal box should be running unless you actually use it.

If you want to delete all these packages and services, run the following command


yum erase matahari-lib matahari-agent-lib matahari-broker matahari-host matahari-service matahari-sysconfig matahari-network matahari qpid-cpp-client qpid-cpp-client-ssl qpid-cpp-server-ssl qpid-cpp-server sigar polkit dbus qpid-qmf boost ConsoleKit eggdbus boost-filesystem boost-program-options boost-graph boost-date-time boost-serialization boost-test boost-thread boost-regex boost-wave  boost-signals boost-iostreams boost-python ConsoleKit-libs libicu

Remember that this only applies to Centos 6.2.

VMWare vCenter minimum permissions to deploy a VM

These are the minimum permissions that a user or group needs in order to
  • Deploy a VM from a template using VMware vCenter 5.
  • Interact with the VM, without being able to change its configuration.
  • Delete those VMs.
To do this, we need to create three different roles in vSphere: one to allow the user to see the folder with the templates and VMs, another to allow it to deploy and delete VMs on the host, and a last one to allow the user to interact with the VMs.

1. First create the user or group that requires these permissions in Windows (vCenter uses the local Windows or AD users).
2. Then log in to vCenter as an administrator.
3. From the top navigation bar, go to Home -> Roles.
4. Right click on the Roles column and click on Add...
5. Create a role called Browse Datastore and set the following Privileges
  • Datastore
    • Allocate Space
    • Browse Datastore
    • Remove File

6. Create a role called Deploy and set the following Privileges
  • Host
    • Local operations
      • Create virtual machine
      • Delete virtual machine
  • Resource
    • Assign virtual machine to resource pool
    • Modify resource pool

7. Create a third role, in this case we'll call it VMUser, and set the following Privileges
  • Global
    • Cancel Task
  • Host
    • Local operations
      • Create virtual machine
      • Delete virtual machine
  • Scheduled Task (check all)
  • Virtual Machine
    • Interaction
      • Answer question
      • Configure CD media
      • Configure floppy media
      • Console interaction
      • Device connection
      • Power off
      • Power on
      • Reset
      • Suspend
      • VMware tools install
    • Inventory
      • Create from existing
      • Remove
    • Provisioning
      • Deploy template
    • State (check all)

8. To allow the user / group to connect to vSphere and see the VMs, go to Home > Inventory > Datastores ... and select the datastore where the VMs will be stored.

9. On the Permissions tab, right click and select Add Permission.... Add the user / group and select the role Browse Datastore from the dropdown. Then click OK.

10. To allow the users to deploy VMs, go to Home > Inventory > Hosts and Clusters and select the host or cluster where the user will be allowed to deploy VMs.

11. On the Permissions tab, right click and select Add Permission.... Add the user / group and select the role Deploy from the dropdown. Then click OK.

12. To allow users to interact with the VMs, go to Home > Inventory > VMs and Templates and select a folder that contains the templates the user / group wants to deploy.

13. On the Permissions tab, right click and select Add Permission.... Add the user / group and select the role VMUser from the dropdown. Then click OK.

Try this configuration by opening a new vSphere Client and logging in as the new user. The client should only show the VMs and templates in the folder selected in step 12 and allow a minimal number of operations on both VMs and templates.

To further secure this, it is good to allow the users to deploy VMs only to a resource pool that is memory and CPU constrained, so that a careless or compromised account cannot starve the rest of the host.

Wednesday 11 January 2012

The power of the personal wiki

In the last few days, I've been implementing a bit of the Getting Things Done process (or workflow) in order to be a bit more in control of everything that is going on in my life.

One of the things I've done is to create a personal wiki to use as a digital reference system, and I've found that I'm adding lots of information that I used to look up on the internet over and over again. The benefit is that I don't need to rely on Google anymore and I can organize the information in whatever way I want.

Why is this important? Many times I've spent somewhere between a few hours and a couple of days researching something (eg how to install certain software on the D-Link DNS-323), just to forget everything about it a few weeks later. This is not really a problem, until a few months later, whatever I did stops working and I need to remember (aka google furiously) what I did in order to revert it or fix it.

Here's where the personal wiki pays off, as lots of the notes, links and sample scripts can live there as a reminder of what we've learned.

Of course there are lower tech solutions to this (eg Google Docs or plain text files), but I like the wiki approach as it also makes it easy to link, relate and search content.