Red Hat: Identity Management Server Setup and HA on RHEL 7

cropped-oversaturateddetail.jpg

Introduction

Red Hat Identity Management Server provides is a centralized identity management server for Linux, Mac, Windows.

In this post we are going to setup and configure a HA deployment of Red Hat IDM on two RHEL 7.x servers.

Red Hat Identity Management Server is based on the upstream project, FreeIPA.

Prerequisites

Only a couple of prerequisites for a simple lab setup

  • You need working dns with forward and reverse entries for both IDM servers
  • NSCD needs to be disabled on each IDM server
  • Proper hostname needs to be set on each IDM node (cannot use localhost)
  • IPV6 needs to be enabled, but you do not need to have an IPV6 address on external interfaces

Continue reading

Advertisements

OpenSCAP Part 4: Integration with Red Hat Satellite 6.5

openscap-base

Introduction

This is the 4th installment of a series of posts focusing on OpenSCAP.  Previous posts in this series can be found below.

OpenSCAP Part 1: Introduction and Basic Usage for RHEL 7/CentOS 7/Fedora
OpenSCAP Part 2: SCAP Content for RHEL 7
OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7

This time around we are going to work on integrating OpenSCAP functionality into Red Hat Satellite 6.5

Installing SCAP Content on Satellite Server

SSH into your satellite server and run the command below as root.

# foreman-rake foreman_openscap:bulk_upload:default

Screenshot from 2019-07-26 17-02-22.png

By default only a few content files are added.

Installing Additional SCAP Content

This can be done via the UI (and possibly via the CLI, however I have not attempted this).

In this example I have already downloaded RHEL 8 content from here.

Log into the Satellite UI, and navigate to “Hosts” > “SCAP content”

Select “Upload New SCAP Content

Screenshot from 2019-07-26 17-09-14.png

And select Choose File to select a file from your local machine.

Screenshot from 2019-07-26 17-20-54.png

Continue reading

OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7

openscap-base

Introduction

In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.

Let’s get started with oscap.

Installing oscap

In RHEL 7 oscap can be installed with the following command

# yum -y install scap-security-guide openscap-scanner

Content is installed under the following directory. Note that ssg is short for SCAP Security Guide.

/usr/share/xml/scap/ssg/content

Lets change directories to the one listed above and view the installed files.

Screenshot from 2019-07-24 15-58-04

Using oscap we can view more info on each file shown above. In this example we are going to inspect the ssg-rhel7-ds.xml file.

# oscap info ssg-rhel7-ds.xml

Continue reading

How to disable Cloud-Init in a RHEL Cloud Image

happy_cloud1600

So this one is pretty simple. However, I found a lot of misinformation along the way, so I figured that I would jot the proper (and most simple) process here.

Symptoms: a RHEL (or variant) VM that takes a very long time to boot. On the VM console, you can see the following output while the VM boot process is stalled and waiting for a timeout. Note that the message below has nothing to do with cloud init, but its the output that I have most often seen on the console while waiting for a VM to boot.

[106.325574} random: crng init done

Note that I have run into this issue in both OpenStack (when booting from external provider networks) and in KVM.

Upon initial boot of the VM, run the command below.

touch /etc/cloud/cloud-init.disabled

Seriously, that’s it. No need to disable or remove cloud-init services. See reference.

 

 

Linux: Using Tcpdump to Capture LLDP Info

inner-banner-itnetworkaudit

According to Wikipedia, “Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet”

LLDP is often what you will find running on non-Cisco switches and routers (which usually run CDP). If you want to use tcpdump to capture northbound switch port information, you can use the example below as a guide.

 

# tcpdump -nn -v -i p1p2 ether proto 0x88cc
tcpdump: WARNING: p1p2: no IPv4 address assigned
tcpdump: listening on p1p2, link-type EN10MB (Ethernet), capture size 65535 bytes
19:00:12.559556 LLDP, length 218
Chassis ID TLV (1), length 7
Subtype MAC address (4): f4:8e:38:28:b6:87
Port ID TLV (2), length 11
Subtype Interface Name (5): ethernet11
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 39: Big Cloud Fabric Switch Port ethernet11
System Name TLV (5), length 22: SW01
..trunc..

 

 

 

Mapping Virtual Networks with plotnetcfg

plot-sheet-large

Plotnetcfg is a Linux utility that you can use to scan the networking configuration on a server and output the configuration hierarchy to a file. Plotnetcfg is most useful when troubleshooting complex virtual networks with all sorts of bonds and bridges, the likes of which you will find on KVM nodes, or OpenStack Controller nodes.

You can install plot on RHEL/Centos as shown below.

# yum -y plotnetcfg.x86_64

You will also want to install the “dot” command which is installed with graphiz. See below.

# yum -y install graphviz.x86_64

Now that the bits and pieces are installed we can run the command below which outputs to PDF file named file.pd

# plotnetcfg | dot -Tpdf > file.pd

If you want to, you can also use “convert” to convert the PDF to a jpg. For example, I exported to jpg to embed below.

file

Super clean, and super easy to read and understand

 

 

RHEL 7 – Setup Software Raid Via mdadm

smarta

In this post I will walk though the steps that I used to setup software raid using mdadm on my RHEL 7.2 server.

The disks in my server are shown below.

  • /dev/sda – 64gb SSD – OS disk
  • /dev/sdb – 4TB – Unused
  • /dev/sdc – 4TB – Unused 

My plan is to create a RAID 1 mirror from the two 4TB drives (sdb and sdc) and mount the mirrored device to “/var/lib/libvirt/images” for use via KVM.

First we need to partition the disks. Note that we cannot use fdisk as does not support partition sizes over 4Tb in size.  See below.

[root@titan]# fdisk /dev/sdb

WARNING: The size of this disk is 4.0 TB (4000000000000 bytes).
DOS partition table format can not be used on drives for volumes
larger than (2199023255040 bytes) for 512-byte sectors. Use parted(1) and GUID partition table format (GPT).

 

Instead we will use parted. See steps below. Note that each step is repeated as we have two disks.

[root@titan]# parted –script /dev/sdb “mklabel gpt”
[root@titan]# parted –script /dev/sdc “mklabel gpt”
[root@titan]# parted –script /dev/sdb “mkpart primary 0% 100%”
[root@titan]# parted –script /dev/sdc “mkpart primary 0% 100%”
[root@titan]# parted –script /dev/sdb “set 1 raid on”
[root@titan]# parted –script /dev/sdc “set 1 raid on”

Now we will create the mirrored device using mdadm.

[root@titan]# mdadm –create /dev/md0 –level=raid1 –raid-devices=2 /dev/sdb1 /dev/sdc1

The new device needs to sync – we can watch its progress using mdstat.

[root@titan]# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sdc1[1] sdb1[0]
3906117632 blocks super 1.2 [2/2] [UU]
[>………………..] resync = 0.0% (1893888/3906117632) finish=515.3min speed=126259K/sec
bitmap: 30/30 pages [120KB], 65536KB chunk

Note that I pretty much followed this guide line for line. Its an older article, but it checks out.

Using fdisk we can see our new mirror device.

[root@titan]# fdisk -l /dev/md0

Disk /dev/md0: 3999.9 GB, 3999864455168 bytes, 7812235264 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Let’s put a bird on it. No, let’s create a partition on it

[root@titan]# parted –script /dev/md0 “mklabel gpt”
[root@titan]# parted –script /dev/md0 “mkpart primary 0% 100%”

Great work. Now lets take a peak at our new partition.

[root@titan]# fdisk -l /dev/md0

Disk /dev/md0: 3999.9 GB, 3999864455168 bytes, 7812235264 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/md0p1 1 4294967295 2147483647+ ee GPT

Do you want to create a file system? I know I do. See below. Note the device name that we are using.

[root@titan]# mkfs -t ext4 /dev/md0p1

Now lets mount it up.

[root@titan]# mount /dev/md0p1 /var/lib/libvirt/images/

Don’t forget to add an entry to “/etc/fstab” so that our filesystem mounts at boot time.