Red Hat: Identity Management Server Setup and HA on RHEL 7

cropped-oversaturateddetail.jpg

Introduction

Red Hat Identity Management Server provides is a centralized identity management server for Linux, Mac, Windows.

In this post we are going to setup and configure a HA deployment of Red Hat IDM on two RHEL 7.x servers.

Red Hat Identity Management Server is based on the upstream project, FreeIPA.

Prerequisites

Only a couple of prerequisites for a simple lab setup

  • You need working dns with forward and reverse entries for both IDM servers
  • NSCD needs to be disabled on each IDM server
  • Proper hostname needs to be set on each IDM node (cannot use localhost)
  • IPV6 needs to be enabled, but you do not need to have an IPV6 address on external interfaces

Continue reading

How to Add Standalone Puppet Agents to Foreman

foreman_medium
This example will walk us through the process of adding a standalone Puppet host to Foreman for the purpose of managing the host through Puppet. In this instance we are going to create a standalone-hostgroup for the server.

Note that the Foreman server must be able listening on ports 8140, and 6163 (according to Puppet documentation). My RHEL7 Foreman host was listening on these ports, but the firewall was blocking any inbound connections. I corrected this with the commands shown below.

First I needed to determine my default firewalld zone.

# firewall-cmd –get-default-zone

Then I ran the commands below to punch a hole in the firewall to allow the required traffic. I also reloaded firewald.

# firewall-cmd –permanent –zone=public –add-port=8140/tcp
# firewall-cmd –permanent –zone=public –add-port=61613/tcp

On the puppet client, install the puppet agent

# yum -y install puppet

Now we add an entry for the puppet server in /etc/puppet/puppet.conf in section [agent], where <PUPPETSERVER-FQDN> is the FQDN of your Foreman Server

server = <PUPPETSERVER-FQDN>

Now save the file.

Then on the Puppet client run the following command.

# puppet agent -t waitforcert 60

Log into Foreman WebUI.
Navigate to => “Infrastructure” => “Smart Proxies” => “Certificates”

In the list located the new puppet client and click on sign to accept the key for the new host. The host that I am adding is osd01.lab.localdomain.

NOTE: Once you have accepted the key you need to run the puppet client again (puppet agent -t)  on the client. Otherwise the client will not appear in on the “All hosts” page

foreman1

Now Lets create a new Host Group to use for this server. Come on, its will be a blast.

Navigate to => “Configure” => “Host groups“. Select the green “New Host Group” button and then add your host group. Here I have added a host group called “Standalone Hosts”. See below.

foreman2

Now we need to add our new client to this new host group. We do so by navigating to => “Hosts” => “All hosts“. Then select “Edit” to the left of the host.

foreman3

Click “Submit” an the bottom of the page and you are good to go.

RHEL7 – How to Set Your Hostname in Redhat Enterprise Linux 7

name-badge

Setting a server’s hostname used to be as simple as running the ‘hostname’ command and adding a “HOSTNAME” entry in /etc/sysconfig/network. However things have changed quite a bit in RHEL7. Apparently, systemd now controls setting a server’s hostname. The ‘hostname‘ command no longer works to set your hostname, however the command is still available just to confuse you.

Now in RHEL 7 you use the command ‘hostnamectl‘. Below is an example of how it works.

Here I have logged into my a RHEL 7.1 VM. You can see that the system appears to have the hostname of node1.

[root@node1 ~]# hostname
node1

However upon further inspection, I find that this is not the case. Rather, the server has a static hostname of localhost.localdomain.

[root@node1 ~]# hostnamectl
Static hostname: localhost.localdomain
Transient hostname: node1
Icon name: computer-vm
Chassis: vm
Machine ID: 4c26a2a3101947bfa2ec7d9c16824ca4
Boot ID: f58707942bd1458da48680025b6f1a53
Virtualization: vmware
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.1:GA:server
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64

So lets set the hostname permanently using ‘hostnamectl’.

[root@node1 ~]# hostnamectl set-hostname node1.packy.lab.localdomain

As you can see the hostname shows correct in the output of the ‘hostname’ command

[root@node1 ~]# hostname
node1.packy.lab.localdomain

… and in the output from ‘hostnamectl’

[root@node1 ~]# hostnamectl
Static hostname: node1.packy.lab.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: 4c26a2a3101947bfa2ec7d9c16824ca4
Boot ID: f58707942bd1458da48680025b6f1a53
Virtualization: vmware
Operating System: Employee SKU
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.1:GA:server
Kernel: Linux 3.10.0-229.el7.x86_64
Architecture: x86_64

Fedora21 – Quick and Dirty with Firewalld

firewall

Hey, are you new to Firewalld like most of us?

Unless you have been using Firewalld in the last few releases of Fedora, as some out there have, then you probably could probably use a few pointers to get you started on your way to configuring your Linux firewalls the “new-fangled fancy way”. This is especially the case if you plan on moving to RHEL7 anytime soon — as Firewalld is the default there. So put on your big boy (or girl) pants and say goodbye to your old friend IPTABLES.

According to this page. Firewalld is…

“The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network zones to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly”

Wow, how fancy. So how do we use it? Well let’s take a stab at enabling HTTP access to our Fedora21 workstation.

First thing first, lets figure out what our default done is on our workstation.

$ sudo firewall-cmd –get-default-zone
FedoraWorkstation

Ok, thats a bit strange, in RHEL you should expect PUBLIC to be your default zone.  Now that we know what zone we need to mess with let’s make sure that its applied to the proper interfaces.

$ sudo firewall-cmd –get-active-zone
FedoraWorkstation
interfaces: enp4s0 enp5s4 macvtap0 tun0 virbr0

The first two interfaces above are our physical interfaces, so we are good here. Now lets apply the rule, and make sure its permanent.

$ sudo firewall-cmd –permanent –zone=FedoraWorkstation –add-service http
success

Now lets check our rules. Note HTTP is missing.

$ sudo firewall-cmd –list-services
dhcpv6-client mdns samba-client ssh

Since we have only applied this new rule to our permanent config and not to our running config, we need to restart firewalld to see the updated rule.

 $ sudo firewall-cmd –reload

Now your can view the updated rules…

$ sudo firewall-cmd –list-services
dhcpv6-client http mdns samba-client ssh