Getting Started with Git: Creating a Git Repo

So first off let me start by saying that I know that there is a ton of information out there on how to get started with Git. Heck, when you create your repo in GitLab it spits these instructions right out in front of your nose. However, what I have found is that most instructions tell you what to do to get started with Git, but they do not tell you exactly what you are doing. You end up running a few commands and then sit back and try to figure out what you actually just did.

 

That being said, getting started with Git has been the hardest part of the process, as most of us traditional grey-beard sysadmins are not that familiar with code management. When I was first getting started in technology, there were developers and there were sysadmins, and those two worlds were extremely separate. Now, as we enter the age of DEVOPS and automation, these two worlds are once again colliding (like they did in the beginning, but more on that another day).

 

In my lab I decided to build a standalone VM for Git and Puppet. After doing some research (and asking others) on how and what to do to get Git up and running with a nice front end web interface, I decided to get started by installing the GitLab Omnibus package for CentOS 6. This process was quick, easy, and painless.

 

Once I had a working webUI up and running it was time to create my first repo. Instead of trying to accomplish this from my Fedora workstation, I just clicked on the "New Project" button on the GitLab dashboard and created an empty repo called "General_Scripts".

 

Back on my Fedora workstation I created a new directory in my home dir called git, and inside that directory I created a directory called "General_Scripts" as I had done in the webUI.

 

Now it was time to use Git.

 

First off you need to configure a few global Git options. This only needs to be done once.

#git config --global user.name "Fatmin"

#git config --global user.email "fatmin@fatmin.com"

 

Once these global configs are set, you can move on to seeding your repo. Here you see me change directories to the General_Scripts directory and tell Git to initialize this directory as a repo.

#cd General_Scripts

#git init

 

Now let's create a file and add it to the repo. Here we are going to create a simple README containing a description of my new repo. The instructions do not tell you that you have to put anything in this initial file, however what good is an empty README anyway?

#vi README.md

 

Now tell git that this file needs to be added to the "General_Scripts" repo that we created a few steps ago.

#git add README.md

 

Now let's commit that file with a nice little comment. Commit comments should describe the file we added or what we changed in an existing file.

#git commit -m "Added README.md"

 

Now we need to tell our local git command what remote repo we are going to sync to. Note my git repo url is puppet.lab.localdomain, fatmin is my user's namespace, and General_Scripts is my repo.

#git remote add origin git@puppet.lab.localdomain:/fatmin/General_Scripts.git

 

Now we need to actually push the local files to the remote repo (origin) in the master branch.

#git push -u origin master

 

Now wait a bit and go check out the webUI. You should now see the README.md file in your new remote repo.


Working With Extended Filesystem Attributes in Linux

In my previous post I went over standard filesystem attributes in Linux, and how to set and view those attributes with lsattr and chattr. You can view that post here if you are interested.

In this post we are going to go over extended filesystem attributes. Now there is not much to this as you are probably not going to ever have to use these settings. That being said, it's not a bad thing to be aware of.

Attribute names are strings that can be set and configured at will using the setfattr command. They can be viewed with the getfattr command. There are 4 namespaces of attributes: security, system, trusted, and user.

When using getfattr (which I pronounce as getfatter), the -d option dumps only user namespace attributes. The rest of the namespace attributes can be viewed by using the -m option along with the namespace name. In the example below you can see that there are no user namespace attributes set on my anaconda-ks.cfg file, however there are attributes set in the security namespace.

[root@localhost ~]# getfattr -d anaconda-ks.cfg
[root@localhost ~]# getfattr -d -m security anaconda-ks.cfg
# file: anaconda-ks.cfg
security.selinux="unconfined_u:object_r:admin_home_t:s0"

 

Using setfattr you can define and set custom attributes. See the useless example below.

[root@localhost ~]# setfattr -n user.example -v example anaconda-ks.cfg
[root@localhost ~]# getfattr -d anaconda-ks.cfg
# file: anaconda-ks.cfg
user.example="example"

However, this could be cool if you took an md5sum of a file and stored it in a file attribute. You could, in theory, use this process to see if someone has messed with one of your config files.

 

[root@localhost ~]# md5sum anaconda-ks.cfg
fda1aa550d3cf82423d1b1ad1ae53a13  anaconda-ks.cfg
[root@localhost ~]# setfattr -n user.md5sum -v fda1aa550d3cf82423d1b1ad1ae53a13 anaconda-ks.cfg
[root@localhost ~]# getfattr -d anaconda-ks.cfg
# file: anaconda-ks.cfg
user.example="example"
user.md5sum="fda1aa550d3cf82423d1b1ad1ae53a13"
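
The checksum-in-an-attribute idea above as a pair of shell functions (an added example, not from the original post), using SHA-256 instead of MD5 and reporting the case where no digest can be read. The attribute name user.sha256sum and the function names are assumptions of this example.

```shell
# Added example: seal a file with its SHA-256 digest in an extended
# attribute, then check it later. ATTR is an assumed name (the post
# above uses user.md5sum).
ATTR="user.sha256sum"

file_digest() {      # print the SHA-256 digest of file $1
    sha256sum -- "$1" | cut -d' ' -f1
}

seal_file() {        # store the current digest on file $1
    # returns 2 if the attribute cannot be written
    # (setfattr missing, or no user xattr support on this filesystem)
    setfattr -n "$ATTR" -v "$(file_digest "$1")" -- "$1" 2>/dev/null || return 2
}

verify_file() {      # 0 = unchanged, 1 = content changed, 2 = no digest stored
    stored=$(getfattr --only-values -n "$ATTR" -- "$1" 2>/dev/null) || return 2
    [ -n "$stored" ] || return 2
    [ "$stored" = "$(file_digest "$1")" ]
}
```

Anyone who can write the file can also rewrite a user.* attribute, so this catches careless edits rather than deliberate ones. Tools that replace the file instead of rewriting it in place drop the attribute, which verify_file reports as 2.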

 


Encrypting Passwords Via SSL for Redhat Kickstart Configuration Files

Hello again earthlings. The fatmin returns once again to dispense a bit of wisdom. This handy one-liner is a command that for the life of me I cannot remember.

Our story begins when you are building your kickstart config and post-install config files: you are going to need to set the password for at least one user (being root). If you are like me, your configs add all sorts of users. As you know, you cannot just stick the password for these users into your config files in plain text; rather you need to encrypt them via ssl.

The command to do so is below.

openssl passwd -1

At this point you will be prompted to enter the user's password, twice. Then the command will spit out your ssl encrypted password, which you can then shove into your config files.
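
One way to turn that output into a kickstart rootpw line and check a password against it later (an added example, not from the original post). The function names are assumptions; the password is read from stdin rather than passed as an argument, and scheme 1 is the -1 (MD5-crypt) option used above while 6 selects SHA-512-crypt on OpenSSL 1.1.1 or newer.

```shell
# Added example: build and verify a kickstart "rootpw --iscrypted" line.
# Function names are assumptions of this example.

ks_hash() {          # $1 = scheme (1 or 6), $2 = optional salt; password on stdin
    if [ -n "$2" ]; then
        openssl passwd "-$1" -salt "$2" -stdin
    else
        openssl passwd "-$1" -stdin      # openssl picks a random salt
    fi
}

ks_rootpw_line() {   # $1 = scheme; password on stdin; prints the kickstart line
    hash=$(ks_hash "$1") || return 1
    printf 'rootpw --iscrypted %s\n' "$hash"
}

ks_verify() {        # $1 = a rootpw line; candidate password on stdin
    hash=${1#rootpw --iscrypted }
    # crypt strings look like $<scheme>$<salt>$<digest>
    scheme=$(printf '%s' "$hash" | cut -d'$' -f2)
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    # re-hash the candidate with the same scheme and salt and compare
    [ "$(ks_hash "$scheme" "$salt")" = "$hash" ]
}
```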


HomeLab: Simple Cisco EIGRP Setup

EIGRP (Enhanced Interior Gateway Routing Protocol) was, until recently, a Cisco proprietary routing protocol. When a router runs EIGRP, it keeps a copy of its neighbors' routing tables. If a router cannot find a route in its own or its neighbors' routing tables, it will query its neighbors, who in turn query their neighbors.

Exactly how routing protocols work is serious business, but don't worry, we are not going to go into that here. Below is the process that I used to set up EIGRP on a Cisco 2811.

Before we do anything, let's get into Configuration mode (conf t).

r-2811-1#conf t

 

Your first step is going to be to enable IP Routing on your device. But before you do so, make sure that you have configured a Gateway of Last Resort. I did not and had to hook up the old console cable.

The IP of this router is 10.1.0.2, and it's directly connected to 10.1.0.1, which is its last resort first hop, so let's configure that.

r-2811-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.1

 

OK, so now let's enable IP Routing.

r-2811-1(config)#ip routing

 

Now let's start EIGRP and choose an AS number. Note that I used 10 on the other three routers in my setup, so that's what we are going to use here.

r-2811-1(config)#router eigrp 10

 

Now we need to tell the router what networks are connected to it (or in this case, will be connected to it). This is the information that the router will share with its neighbors.

r-2811-1(config-router)#network 10.3.0.0

 

In this instance my outside interface is on 10.1.0.0/16, and its inside interface will serve up 10.3.0.0/16.

Don't forget to save your work.

r-2811-1#copy run start

 


RHEL6 – Using htpasswd to Create a Secure Apache Directory

The process of setting up a simple password protected web directory on an Apache server is rather easy. The simplest way to accomplish this task is to use flat-file user authentication. Disclaimer: I am not claiming that the directions below are the most complete, or the most secure. However, they work and are probably the simplest.

The first thing that you need to do is to create a "secret" directory. In this instance my web root is /var/www2/html, so I will create my secure directory under that tree.

#mkdir /var/www2/html/secret

Now let's create an index.html inside our secret directory for the purpose of testing.

#echo "Secret Directory Working" > /var/www2/html/secret/index.html

This way we have something to look at when we actually are able to get this working correctly.

Now using the htpasswd command we need to create an htpasswd file and add a user that will have access to our top secret directory. Note that you should not create this file inside your web-root.

#htpasswd -c /etc/httpd/.htpasswd fatmin

In the example above the "-c" option creates our htpasswd file, fatmin is the user that we want to grant access to. You will be prompted for a password.

Now add the following stanza to your httpd.conf. Note that AuthName is the text that will display when the user is prompted for a password. AuthUserFile is the location of the password file. Basic is pretty much the only auth method that anyone uses.

<Directory /var/www2/html/secret>
AuthName "Secret Directory"
AuthType basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>

Now restart apache, and when you navigate to http://www.mysite.com/secret you should be prompted for a userid and password.

 

 

XenServer Switch Ports Configuration Best Practices

Finally I have found it! Citrix's XenServer switch configuration best practices document.

While everyone in the world has blog posts and documentation regarding how to set up and configure bridged networks in Xen, they hardly ever go into the physical switch configuration required.

This is the document that you will need to pass along to your friendly Network Administrator, as they will more than likely not be familiar with networking for Xen, as it's much different from networking for VMware ESX.

http://support.citrix.com/article/CTX123158

The contents of the document above are outlined below.

Change the following options on the switches for XenServer ports:

  1. Enable PortFast on XenServer connected ports.
    PortFast allows a switch port running Spanning Tree Protocol (STP) to go directly from blocking to forwarding mode by skipping the learning and listening modes. PortFast should only be enabled on ports connected to a single host. Port must be an 802.1q trunk port if you are using VLANS and the port must be in access mode.
    Ports used for storage should have PortFast enabled.
    Note: It is important that you enable PortFast with caution, and only on ports that do not connect to multi-homed devices such as hubs or switches.
  2. Disable Port Security on XenServer connected ports.
    Port security prevents multiple MAC addresses from being presented to the same port. In a virtual environment, you see multiple MAC addresses presented from Virtual Machines to the same port. If you have enabled Port Security, it shuts down the port.
  3. Disable Spanning Tree Protocol on XenServer connected ports.
    Spanning Tree Protocol must be disabled if you are using Bonded or teamed NICs in a virtual environment. Spanning Tree Protocol should be disabled because of the nature of Bonds and NIC teaming, to avoid failover delay issues when using bonding.
  4. Disable BPDU guard on XenServer connected ports.
    BPDU is a protection setting part of the STP that prevents you from attaching a network device to a switch port. When you attach a network device, the port shuts down and has to be enabled by an administrator.
    A PortFast port should never receive configuration BPDUs.
    Note: When BPDUs are received by a PortFast port, it indicates another bridge is connected to the port, and it indicates that there is a possibility of a bridging loop formation during the Listening and Learning phases. In a valid PortFast configuration, configuration BPDUs should never be received, so Cisco switches support a feature called PortFast BPDU Guard, which is a feature that shuts down a PortFast-enabled port in the event a BPDU is received. This feature ensures that a bridging loop is not formed, because the switch's shutting down the port removes the possibility of a loop forming.

Xenserver: How To Create A Custom Kickstart Template via the CLI

If you are reading this post, then you should know that I have been spending a lot of time as of late trying to learn XenServer, and I am doing my best to get XenServer to do my evil bidding.

When I first took a look at XenServer I was disappointed to find that you cannot PXE boot a VM unless you use the "Other Install Media" template. However, when you use this template you are not building a fully paravirtualized VM, and you lose some functionality on your VM (like hot adding a virtual disk).

So let's say you want to kickstart a CentOS 5 64-bit VM. Traditionally in XenServer, you need to create a new VM based on the "Centos 5 (64-bit)" template and then point your VM to your kickstart media and ks config file. Being that this is a manual process, and I am trying to automate building virtual machines, I started searching for a better way to make XenServer do what I wanted… I think I may have accomplished my goal.

So the first thing I did was create a new vm via cli. This step spits out a UUID for your new vm.

#xe vm-install template=CentOS\ 5\ \(64-bit\) new-name-label=Centos5.4_Kickstart

Now setup your boot params to point your new vm to your kickstart config file

#xe vm-param-set uuid=0415bc6c-6129-9bc2-26d7-e15625cf85a1 PV-args="ks=http://<my_kickstart_server>/kickstart/ks/centos5-u4_x86_64.cfg ksdevice=eth0"

Then tell your new vm where to find its install DVD.

#xe vm-param-set uuid=0415bc6c-6129-9bc2-26d7-e15625cf85a1 other-config:install-repository=http://<my_kickstart_server>/centos5-u4-x86_64/disc1/

Now figure out the UUID of your Kickstart VLAN

#xe network-list

Create a VIF (virtual interface) on your kickstart vlan.

#xe vif-create vm-uuid=0415bc6c-6129-9bc2-26d7-e15625cf85a1 network-uuid=f5a61f5b-f17c-ac40-0995-c41c3a5a3ea3 device=0

Now on the next step I cheated: I used XenCenter to quick create a VM based on my new template.

Now when I create a new VM from this template, it starts to kickstart on boot. My next steps are to create multiple templates, each based on my different kickstart images/configs. Then figure out how to set their IPs and hostnames.

Hopefully that post is coming soon.
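
The CLI steps above chained into one function, as an added example that is not from the original post: it looks up the network UUID and captures the UUID printed by vm-install, so every later command targets the same VM and nothing is pasted by hand. The server name, the network label and the function name are assumptions.

```shell
# Added example: create a kickstart-ready VM in one go.
# KS_SERVER and KS_NETWORK are hypothetical; set them for your lab.
KS_SERVER="${KS_SERVER:-kickstart.example.lab}"
KS_NETWORK="${KS_NETWORK:-Kickstart VLAN}"

build_kickstart_vm() {   # $1 = name label for the new VM; prints its UUID
    # Resolve the network first so a bad label fails before anything is created.
    # --minimal prints only the UUID(s), comma separated if several match.
    net_uuid=$(xe network-list name-label="$KS_NETWORK" --minimal) || return 1
    case "$net_uuid" in
        ''|*,*)
            echo "expected exactly one network named '$KS_NETWORK'" >&2
            return 1 ;;
    esac

    # vm-install prints the UUID of the VM it creates.
    vm_uuid=$(xe vm-install template="CentOS 5 (64-bit)" new-name-label="$1") || return 1
    [ -n "$vm_uuid" ] || return 1

    xe vm-param-set uuid="$vm_uuid" \
        PV-args="ks=http://$KS_SERVER/kickstart/ks/centos5-u4_x86_64.cfg ksdevice=eth0" || return 1
    xe vm-param-set uuid="$vm_uuid" \
        other-config:install-repository="http://$KS_SERVER/centos5-u4-x86_64/disc1/" || return 1
    xe vif-create vm-uuid="$vm_uuid" network-uuid="$net_uuid" device=0 >/dev/null || return 1

    echo "$vm_uuid"
}
```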