Autenticazione SSSD/LDAP su AD
/etc/portage/package.use
=sys-auth/sssd-1.16.3-r1 ssh sudo
>=sys-libs/pam-1.3.0-r2 audit
emerge sssd
/etc/sssd/sssd.conf
# SSSD domain "LDAP": identity and authentication against Active Directory
# through the generic ldap provider with the AD schema (not the "ad" provider).
# NOTE(review): this file carries a bind password (ldap_default_authtok) in
# clear text, so it must remain readable by root only.
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
# Only consulted when access_provider = ldap; access_provider is "simple"
# further down, so this line presumably has no effect as written — confirm.
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# Map uid/gid from the AD objectSid instead of requiring uidNumber/gidNumber.
ldap_id_mapping = true
# Hosts elided. The second, plain ldap:// URI is a fallback; ldap_id_use_start_tls
# below is meant to upgrade it with STARTTLS.
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
# NOTE(review): "never" skips validation of the directory server's certificate,
# so the bind password above and every user password sent at login are exposed
# to whoever can impersonate the server on the network. ldap_tls_cacert already
# points at the system CA bundle; the commented-out "hard" would enforce it.
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
override_shell = /bin/bash
# Keep a credential cache so known users can still log in while AD is unreachable.
cache_credentials = true
# Enumeration lets getent list every user/group; it downloads the whole directory
# periodically and is generally discouraged on large AD domains.
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
# Access control: only members of the listed AD groups may log in.
access_provider = simple
simple_allow_groups = ..., ...
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))
nsswitch.conf
passwd: compat shadow: compat group: compat passwd: db files nis sss shadow: db files nis sss group: db files nis sss #group: db files nis hosts: files dns networks: files dns services: db files protocols: db files rpc: db files ethers: db files netmasks: files netgroup: files sss bootparams: files sudoers: ldap files sss automount: files aliases: files
/etc/pam.d/system-auth
# PAM stack for local and SSSD (AD/LDAP) users.
# auth: pam_sss is tried first; "sufficient" ends the stack on success and
# forward_pass hands the typed password on to pam_unix for local accounts.
auth sufficient pam_sss.so forward_pass
auth required pam_env.so
# nullok accepts local accounts whose password field is empty; drop it unless
# such accounts are intended.
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
# account: sssd decides for its own users, users it does not know fall through
# to pam_unix, and an unreachable directory (authinfo_unavail) is ignored so
# local accounts are not locked out.
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account required pam_unix.so
account optional pam_permit.so
# password: NOTE(review) pam_cracklib as "sufficient" can end the stack
# successfully before pam_unix runs, so a local password change may never be
# written; it is conventionally "required"/"requisite" — confirm that passwd
# still works for local users.
password sufficient pam_sss.so use_authtok
password sufficient pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
# session: pam_tty_audit enable=* records TTY input of every user into the audit
# log, which therefore must stay root-only; pam_mkhomedir creates the directory
# user's home on first login with umask 0077.
session required pam_tty_audit.so enable=*
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
sshd_config
UsePAM yes
getent passwd
getent group
HP Tools per il controller SAS [SSACLI]
Crea un file hp.list in /etc/apt/sources.list.d contenente
deb http://downloads.linux.hpe.com/SDR/repo/mcp stretch/current non-free
Importa le chiavi:
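# Import the HPE SDR signing keys into apt's trusted keyring.
# The keys are fetched over plain HTTP and nothing in this pipeline checks what
# was downloaded: verify each key's fingerprint against the value HPE publishes
# (apt-key finger) before relying on the repository.
# -f makes curl fail on an HTTP error instead of piping an error page to apt-key;
# -sS keeps the progress meter quiet but still reports failures.
for key in hpPublicKey1024.pub hpPublicKey2048.pub hpPublicKey2048_key1.pub hpePublicKey2048_key1.pub; do
  curl -fsS "http://downloads.linux.hpe.com/SDR/$key" | apt-key add -
done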
Aggiorna i repository:
apt-get update apt dist-upgrade
Installa i pacchetti del controller:
apt install ssacli ssaducli amsd hponcfg
Attivare rc.local Rc.local in Debian stretch
Inserire in rc.local:
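# Boot-time tuning run from rc.local: VM/kernel sysctls, HP Smart Array cache
# settings and per-disk block-queue settings.
# NOTE(review): HBA=( ... ) is a bash array; Debian's stock rc.local starts with
# "#!/bin/sh -e", under which this fails — confirm the file is executed by bash.
echo 655360 > /proc/sys/vm/min_free_kbytes
echo 0 > /proc/sys/kernel/hung_task_timeout_secs
echo 1 > /proc/sys/vm/swappiness
echo 50 > /proc/sys/vm/vfs_cache_pressure
# Hide the kernel log (and the addresses it may contain) from unprivileged users.
echo 1 > /proc/sys/kernel/dmesg_restrict
# Controller cache split 70% read / 30% write. dwc enables the drives' own
# write cache, which can lose acknowledged writes on power loss unless the
# cache is battery/flash backed — confirm this is acceptable for the RAID set.
ssacli controller slot=0 modify cacheratio=70/30
ssacli controller slot=0 modify dwc=enable
# Block devices exposed to the OS by the controller; adjust to the real set.
HBA=( sda sdb )
for DISK in "${HBA[@]}"; do
  queue="/sys/block/$DISK/queue"
  # Skip a disk that is not present so one missing device does not abort the
  # rest of rc.local (which typically runs with -e).
  [[ -d "$queue" ]] || continue
  # "noop" is a legacy-scheduler name; blk-mq kernels call it "none" and reject
  # this write — verify against the running kernel.
  echo noop > "$queue/scheduler"
  echo 1024 > "$queue/nr_requests"
  echo 1024 > "$queue/read_ahead_kb"
  # Drive write-cache enable via SCSI mode page; errors (drive rejects the page)
  # are deliberately ignored, same durability caveat as dwc above.
  sdparm --set WCE=1 "/dev/$DISK" 2>/dev/null
done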
Inserire in .bashrc:
ssacli ctrl all show status ssacli ctrl slot=0 pd all show status ssacli ctrl slot=0 ld all show
In cron.hourly:
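#!/bin/bash
# Hourly HP Smart Array health check (installed in /etc/cron.hourly, runs as root).
# Exits 0 when no controller is installed or every physical drive in slot 0
# reports "OK"; otherwise writes a report to /root/ALERT-<timestamp>, mails it
# and exits 1. Needs ssacli, dmidecode and mail on PATH.

# Mail recipients: replace the <..> placeholders before installing the script.
MAIL_TO="<..>"
MAIL_CC="<..>"

# Check for HP Smart Array Controller; the output is kept for the report.
config=$(ssacli ctrl all show config 2>/dev/null)
if ! grep -q "Smart Array" <<<"$config"; then
  echo "HP Smart Array Card not installed"
  exit 0
fi

# Physical-drive status for the controller in slot 0.
# A failed query or an empty drive list is an alert condition: the original
# pipeline saw an empty stream in that case and silently reported "all OK".
if ! pd_status=$(ssacli ctrl slot=0 pd all show status) \
   || ! drives=$(grep physicaldrive <<<"$pd_status"); then
  reason="could not read physical drive status for slot=0"
elif grep -qvi "OK" <<<"$drives"; then
  # At least one physicaldrive line does not contain "OK".
  reason="one or more physical drives do not report OK"
else
  exit 0
fi

# The report holds the hardware serial and RAID layout: create it root-only.
umask 077
alert="ALERT-$(date +%Y%m%d-%H%M%S)"
report="/root/$alert"
# Hostname, HP serial number, controller config and drive detail. The detail
# is written before mailing so the e-mail carries the full picture (the
# original appended it only after the mail had been sent).
{
  echo "Hostname: $(hostname)"
  echo "HP Serial Number: $(dmidecode -t 1 | grep "Serial" | awk '{print $3}')"
  echo "Reason: $reason"
  echo "----------------------------------------------------------------------------"
  printf '%s\n' "$config"
  ssacli ctrl slot=0 pd all show detail
} > "$report"
mail -s "$(hostname)-$alert" -c "$MAIL_CC" "$MAIL_TO" < "$report"
exit 1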
Reverse Proxy Apache HTTPS High Security and Mod_Security
# TLS-terminating reverse proxy in front of two HTTPS backends (balancer
# "cluster443"), with mod_security CRS evaluated on this vhost.
Listen 443
# security
ServerTokens Prod
ServerSignature Off
# modules
LoadModule allowmethods_module modules/mod_allowmethods.so
<Proxy "balancer://cluster443">
BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=1
BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=2
ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost <FQDN>:443>
ServerName <FQDN>
# balancer-manager status page, excluded from proxying. Nothing shown here
# restricts who may reach it; if the balancer-manager handler is enabled
# elsewhere it needs a <Location "/balancer-manager"> with a Require directive.
ProxyPass /balancer-manager !
ProxyPass "/" "balancer://cluster443/"
ProxyPassReverse "/" "balancer://cluster443/"
#ProxyPreserveHost On
# NOTE(review): ProxyRequests On enables *forward* proxying, which a reverse
# proxy does not need and which, without a <Proxy *> access control, lets
# clients relay requests through this host to arbitrary destinations.
# ProxyPass/ProxyPassReverse work with ProxyRequests Off.
ProxyRequests On
ProxyVia off
# server authentication ------------------------------------------
<IfModule mod_ssl.c>
SSLEngine On
#SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
SSLCertificateFile <CRT>
SSLCertificateChainFile <PEM>
SSLCertificateKeyFile <KEY>
SSLCACertificateFile <PEM>
SSLProxyEngine On
# The four settings below disable every check on the backend certificates
# (verification, hostname, CN, expiry): the proxy-to-backend hop is encrypted
# but not authenticated, so it is only as safe as the network in between.
# To authenticate the backends use SSLProxyVerify require together with
# SSLProxyCACertificateFile and backend certificates whose SAN covers the
# addresses used in BalancerMember.
SSLProxyCheckPeerName off
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
# Cipher suites and protocols: TLS 1.2 and later only, forward-secret AEAD
# suites preferred in server order.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</IfModule>
RewriteEngine On
# Dead rule: SSLv3 is already refused by SSLProtocol above, so this condition
# can never match (and its target is plain http).
RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule ^.*$ http://<SERVER>/SSLv3/ [L,R=302]
# No HTTP1.0
# Note: this also rejects HTTP/2 requests ("HTTP/2.0") if h2 is ever enabled.
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
# - general directives -------------------------------------------
DocumentRoot <ROOT>
# security
# Slow-request mitigation: headers and body must arrive within these windows.
RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
Header always set X-XSS-Protection "1; mode=block"
# default-src https: still allows content from any https origin.
Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
# "append" adds a second value when the backend already sends X-Frame-Options;
# "set" would replace it.
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options "nosniff"
# Appended unconditionally: a backend cookie that already carries HttpOnly/Secure
# gets the flags twice (harmless, but noisy).
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
FileETag None
TraceEnable off
<Location "/">
AllowMethods GET POST OPTIONS
</Location>
# cache
# ExpiresActive On without ExpiresDefault/ExpiresByType adds no header; the
# explicit Cache-Control/Pragma below are what actually disable caching.
ExpiresActive On
Header unset Etag
Header unset Cache-Control
Header unset Expires
Header unset Pragma
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
# mod_security
# DetectionOnly: the CRS rules below only log, nothing is blocked. Switch to
# SecRuleEngine On once the audit log has been reviewed for false positives.
SecRuleEngine DetectionOnly
#SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
# CRS 2.x rule files (base_rules / optional_rules).
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_50_outbound.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_45_trojans.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
#IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
# CRS 3.x checkout (git/). NOTE(review): loading both CRS generations side by
# side risks duplicate rule IDs (a startup error) and double alerts for the
# same request — confirm that a single rule set is intended.
IncludeOptional /etc/modsecurity/git/crs-setup.conf
IncludeOptional /etc/modsecurity/git/REQUEST-901-INITIALIZATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
IncludeOptional /etc/modsecurity/git/REQUEST-905-COMMON-EXCEPTIONS.conf
IncludeOptional /etc/modsecurity/git/REQUEST-910-IP-REPUTATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-911-METHOD-ENFORCEMENT.conf
IncludeOptional /etc/modsecurity/git/REQUEST-912-DOS-PROTECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-913-SCANNER-DETECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-914-FILE-DETECTION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
IncludeOptional /etc/modsecurity/git/REQUEST-921-PROTOCOL-ATTACK.conf
IncludeOptional /etc/modsecurity/git/REQUEST-930-APPLICATION-ATTACK-LFI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-931-APPLICATION-ATTACK-RFI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-932-APPLICATION-ATTACK-RCE.conf
IncludeOptional /etc/modsecurity/git/REQUEST-933-APPLICATION-ATTACK-PHP.conf
IncludeOptional /etc/modsecurity/git/REQUEST-941-APPLICATION-ATTACK-XSS.conf
IncludeOptional /etc/modsecurity/git/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
IncludeOptional /etc/modsecurity/git/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
IncludeOptional /etc/modsecurity/git/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
IncludeOptional /etc/modsecurity/git/REQUEST-949-BLOCKING-EVALUATION.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-950-DATA-LEAKAGES.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-951-DATA-LEAKAGES-SQL.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-953-DATA-LEAKAGES-PHP.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-954-DATA-LEAKAGES-IIS.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-959-BLOCKING-EVALUATION.conf
IncludeOptional /etc/modsecurity/git/RESPONSE-980-CORRELATION.conf
# Audit log: "On" records every transaction — presumably request bodies too,
# since SecAuditLogParts is left at its default — so credentials submitted to
# the backends end up in modsec_audit.log. Keep the file root-readable, or use
# RelevantOnly as the commented lines suggest.
SecAuditEngine On
# SecAuditEngine RelevantOnly
# SecAuditLogRelevantStatus ^1-5
# SecAuditLogParts ABCIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
</VirtualHost>
Debian Bonding LACP con Switch HP 1820-24G
Una volta configurato lo switch HP 1820-24G Switch J9980A per avere il port trunking tra le porte selezionate ed eventualmente aver assegnato il trunk alla VLAN si passa alla configurazione del sistema.
Attenzione che HP chiama Trunk dinamico la modalità LACP.
Ho trovato in alcuni howto questa specifica.
Male non dovrebbe fare.
echo "mii" >> /etc/modules
Si passa alla configurazione dell file /etc/network/interfaces in questo modo.
auto lo iface lo inet loopback iface enp2s0f0 inet manual post-up ifconfig enp2s0f0 txqueuelen 5000 && ifconfig enp2s0f0 mtu 9000 iface enp2s0f1 inet manual post-up ifconfig enp2s0f1 txqueuelen 5000 && ifconfig enp2s0f1 mtu 9000 auto bond0 iface bond0 inet manual bond-slaves enp2s0f0 enp2s0f1 bond-mode 802.3ad bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-lacp-rate 1 bond-xmit-hash-policy layer2+3 post-up ifconfig bond0 mtu 9000 && ifconfig bond0 txqueuelen 5000 auto vmbr0 iface vmbr0 inet static address 172.16.5.10 netmask 255.255.255.0 bridge_ports bond0 bridge_stp off bridge_fd 0 post-up ifconfig vmbr0 mtu 9000 && ifconfig vmbr0 txqueuelen 5000
A questo punto dopo il riavvio il Bond/Trunk risulterà attivo.
# dmesg
igb 0000:02:00.0 enp2s0f0: igb: enp2s0f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None bond0: link status up for interface enp2s0f0, enabling it in 0 ms bond0: link status definitely up for interface enp2s0f0, 1000 Mbps full duplex bond0: Warning: No 802.3ad response from the link partner for any adapters in the bond bond0: first active interface up! vmbr0: port 1(bond0) entered blocking state vmbr0: port 1(bond0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): vmbr0: link becomes ready igb 0000:02:00.1 enp2s0f1: igb: enp2s0f1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None bond0: link status up for interface enp2s0f1, enabling it in 200 ms bond0: link status definitely up for interface enp2s0f1, 1000 Mbps full duplex
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) Bonding Mode: IEEE 802.3ad Dynamic link aggregation Transmit Hash Policy: layer2+3 (2) MII Status: up MII Polling Interval (ms): 100 Up Delay (ms): 200 Down Delay (ms): 200 802.3ad info LACP rate: fast Min links: 0 Aggregator selection policy (ad_select): stable System priority: 65535 System MAC address: 90:e2:ba:74:28:f8 Active Aggregator Info: Aggregator ID: 1 Number of ports: 2 Actor Key: 9 Partner Key: 54 Partner Mac Address: 70:10:6f:71:3a:80 Slave Interface: enp2s0f0 MII Status: up Speed: 1000 Mbps Duplex: full Link Failure Count: 0 Permanent HW addr: 90:e2:ba:74:28:f8 Slave queue ID: 0 Aggregator ID: 1 Actor Churn State: none Partner Churn State: none Actor Churned Count: 0 Partner Churned Count: 0 details actor lacp pdu: system priority: 65535 system mac address: 90:e2:ba:74:28:f8 port key: 9 port priority: 255 port number: 1 port state: 63 details partner lacp pdu: system priority: 32768 system mac address: 70:10:6f:71:3a:80 oper key: 54 port priority: 128 port number: 12 port state: 61 Slave Interface: enp2s0f1 MII Status: up Speed: 1000 Mbps Duplex: full Link Failure Count: 0 Permanent HW addr: 90:e2:ba:74:28:f9 Slave queue ID: 0 Aggregator ID: 1 Actor Churn State: none Partner Churn State: none Actor Churned Count: 0 Partner Churned Count: 0 details actor lacp pdu: system priority: 65535 system mac address: 90:e2:ba:74:28:f8 port key: 9 port priority: 255 port number: 2 port state: 63 details partner lacp pdu: system priority: 32768 system mac address: 70:10:6f:71:3a:80 oper key: 54 port priority: 128 port number: 10 port state: 61
Centos 7 Cluster PCS
Installo due VM in VirtualBox identiche (4C, 4Gb RAM, 32Gb HDD) con una versione minimale di Centos 7 aggiornata.
Aggiorno il kernel a 4.16 dal repository elrepo.
# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org # rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm # yum --disablerepo="*" --enablerepo="elrepo-kernel" list available # yum --enablerepo=elrepo-kernel install kernel-ml kernel-ml-devel
Edito il file /etc/default/grub
GRUB_TIMEOUT=5 GRUB_DEFAULT=0 GRUB_DISABLE_SUBMENU=true GRUB_TERMINAL_OUTPUT="console" GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet" GRUB_DISABLE_RECOVERY="true"
Ed eseguo per attivare la modifica precedente.
# grub2-mkconfig -o /boot/grub2/grub.cfg
Aggiungo qualche pacchetto.
# yum install epel-release.noarch # yum update # yum group install "Development Tools" # yum install bzip2 net-tools psmisc nmap acpid unzip
Modifico /etc/hosts sui due nodi.
192.168.254.83 nodeA.netlite.it nodeA 192.168.254.84 nodeB.netlite.it nodeB
Installo i numerosi pacchetti necessari al cluster.
# yum install pcs fence-agents-all -y
Aggiungo le regole di firewalling.
# firewall-cmd --permanent --add-service=high-availability # firewall-cmd --add-service=high-availability # firewall-cmd --list-service dhcpv6-client ssh high-availability
Modifico la password dell’utente hacluster.
# passwd hacluster Changing password for user hacluster. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully.
Avvio i servizi.
# systemctl start pcsd.service # systemctl enable pcsd.service
Autorizzo i nodi del cluster.
# pcs cluster auth nodeA.netlite.it nodeB.netlite.it Username: hacluster Password: nodeA.netlite.it: Authorized nodeB.netlite.it: Authorized
Inizializzo il cluster.
# pcs cluster setup --start --name ClusterTest nodeA.netlite.it nodeB.netlite.it Destroying cluster on nodes: nodeA.netlite.it, nodeB.netlite.it... nodeA.netlite.it: Stopping Cluster (pacemaker)... nodeB.netlite.it: Stopping Cluster (pacemaker)... nodeB.netlite.it: Successfully destroyed cluster nodeA.netlite.it: Successfully destroyed cluster Sending 'pacemaker_remote authkey' to 'nodeA.netlite.it', 'nodeB.netlite.it' nodeA.netlite.it: successful distribution of the file 'pacemaker_remote authkey' nodeB.netlite.it: successful distribution of the file 'pacemaker_remote authkey' Sending cluster config files to the nodes... nodeA.netlite.it: Succeeded nodeB.netlite.it: Succeeded Starting cluster on nodes: nodeA.netlite.it, nodeB.netlite.it... nodeB.netlite.it: Starting Cluster... nodeA.netlite.it: Starting Cluster... Synchronizing pcsd certificates on nodes nodeA.netlite.it, nodeB.netlite.it... nodeA.netlite.it: Success nodeB.netlite.it: Success Restarting pcsd on the nodes in order to reload the certificates... nodeA.netlite.it: Success nodeB.netlite.it: Success
Abilito il cluster.
# pcs cluster enable --all
Visualizzo lo stato.
# pcs cluster status Cluster Status: Stack: corosync Current DC: nodeA.netlite.it (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum Last updated: Tue Apr 3 13:02:21 2018 Last change: Tue Apr 3 13:00:43 2018 by hacluster via crmd on nodeA.netlite.it 2 nodes configured 0 resources configured PCSD Status: nodeA.netlite.it: Online nodeB.netlite.it: Online
Status dettagliati.
# pcs status Cluster name: ClusterTest WARNING: no stonith devices and stonith-enabled is not false Stack: corosync Current DC: nodeA.netlite.it (version 1.1.16-12.el7_4.8-94ff4df) - partition with quorum Last updated: Tue Apr 3 13:02:53 2018 Last change: Tue Apr 3 13:00:43 2018 by hacluster via crmd on nodeA.netlite.it 2 nodes configured 0 resources configured Online: [ nodeA.netlite.it nodeB.netlite.it ] No resources Daemon Status: corosync: active/enabled pacemaker: active/enabled pcsd: active/enabled
Disabilito i device stonith (meglio non farlo ma per test è ok).
# pcs property set stonith-enabled=false
In caso sia necessario attivare i devices qui c’è un buon punto di partenza STONITH.
Configuro un FS.
# pcs resource create httpd_fs Filesystem device="/dev/mapper/vg_apache-lv_apache" directory="/var/www" fstype="ext4" --group apache
Configuro un VIP.
# pcs resource create httpd_vip IPaddr2 ip=192.168.12.100 cidr_netmask=24 --group apache
Configuro un servizio.
# firewall-cmd --add-service=http # firewall-cmd --permanent --add-service=http # pcs resource create httpd_ser apache configfile="/etc/httpd/conf/httpd.conf" statusurl="http://127.0.0.1/server-status" --group apache
Disabilita un nodo.
# pcs cluster stop nodeA.netlite.it
Comandi utili.
# pcs resource move apache nodeA.netlite.it # pcs resource stop apache nodeB.netlite.it # pcs resource disable apache nodeB.netlite.it # pcs resource enable apache nodeB.netlite.it # pcs resource restart apache
centos 7 cluster
Procedura di setup Centos 7:
yum install epel-release.noarch yum install net-tools yum install psmisc yum install httpd yum install perl yum install perl-Digest-MD5 rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm yum install -y kmod-drbd84 drbd84-utils crm_verify -L -V /bin/systemctl start pacemaker.service crmadmin configure property stonith-enabled=false service corosync restart service pacemaker restart yum install nmap yum install open-vm-tools service vmtoolsd start systemctl enable vmtoolsd yum install acpid yum install unzip yum install mod_ssl.x86_64
Configurazione cluster unicast:
logging { fileline: off to_logfile: yes logfile: /var/log/cluster/corosync.log to_stderr: no debug: off timestamp: on to_syslog: yes logger_subsys { subsys: QUORUM debug: off } } totem { version: 2 token: 3000 secauth: on rrp_mode: active interface { member { memberaddr: 172.31.252.41 } member { memberaddr: 172.31.252.42 } ringnumber: 0 bindnetaddr: 172.31.252.0 mcastport: 694 ttl: 1 } transport: udpu } quorum { provider: corosync_votequorum expected_votes: 2 } </code> Configurazione Apache come reverse proxy: <code> <VirtualHost *:80> ServerName webmail.xxxx.it Redirect / https://webmail.xxxx.it/ # ProxyRequests Off # <Proxy *> # Order deny,allow # Allow from all # </Proxy> # ProxyPass / http://XX.XX.XX.XX/ # ProxyPassReverse / http://XX.XX.XX.XX/ </VirtualHost> <VirtualHost *:443> ServerName webmail.xxxx.it RewriteEngine on ProxyPass / http://XX.XX.XX.XX/ retry=0 ttl=120 timeout=120 ProxyPassReverse / http://XX.XX.XX.XX/ <IfModule mod_ssl.c> SSLEngine On SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" #SSLSessionCache shmcb:/run/httpd/sslcache(512000) #SSLSessionCacheTimeout 300 #128bit #SSLProtocol ALL -SSLv2 #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DS # 40 bit #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW SSLCertificateFile /etc/httpd/ssl/2017/STAR_xxxx_it.crt SSLCertificateChainFile /etc/httpd/ssl/2017/COMODORSADomainValidationSecureServerCA.crt SSLCertificateKeyFile /etc/httpd/ssl/2017/xxxx.it.key ErrorDocument 403 http://www.xxxx.it/ ErrorDocument 404 http://www.xxxx.it/ </IfModule> ProxyRequests on ProxyVia on AddOutputFilterByType SUBSTITUTE text/html </VirtualHost>
Configurazione di sicurezza vari servizi:
https://cipherli.st/
Corosync/Pacemaker in Centos 7 con LCMC
Corosync/Pacemaker in Centos 7 con LCMC
Pacchetti da installare
yum install perl yum install perl-Digest-MD5 yum install epel-release rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org yum update yum install kmod-drbd90 drbd90-utils yum install acpid yum install open-vm-tools
/etc/corosync/corosync.conf
logging { fileline: off to_logfile: yes logfile: /var/log/cluster/corosync.log to_stderr: no debug: off timestamp: on to_syslog: yes logger_subsys { subsys: QUORUM debug: off } } totem { version: 2 token: 3000 secauth: on rrp_mode: active transport: udpu } nodelist { node { ring0_addr: 172.21.8.131 nodeid: 1 } node { ring0_addr: 172.21.8.132 nodeid: 2 } } quorum { provider: corosync_votequorum two_node: 1 expected_votes: 2 }
systemctl enable corosync
systemctl enable pacemaker
reboot
tema vim
.vimrc
execute pathogen#infect() syntax on filetype plugin indent on set nowrap set t_Co=256 set background=dark colorscheme PaperColor
Tema PaperColor
PaperColor-Dark
Wget in /.vim/colors/
wget https://github.com/NLKNguyen/papercolor-theme/blob/master/colors/PaperColor.vim
Esperimenti con multipath e SAN
http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath
https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf
grep mpt /sys/class/scsi_host/host?/proc_name
rescan-scsi-bus.sh
echo "- - -" > /sys/class/scsi_host/host1/scan
multipath -l
multipathd -k"fail path sdb"
multipathd -k"del path sdb"
multipathd -k"reinstate path sdb"
multipathd -k"show paths"
dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls
echo 1 > /sys/block/sde/device/delete
echo 1 > /sys/block/sda/device/rescan
service multipath-tools restart
partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev --rereadpt /dev/mapper/MSA_BELLNET
partprobe -s
pvcreate --uuid "DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m" --restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL
multipath.conf
defaults { polling_interval 15 path_selector "round-robin 0" path_grouping_policy multibus prio const path_checker directio rr_min_io 100 flush_on_last_del no max_fds 8192 rr_weight priorities failback immediate no_path_retry fail queue_without_daemon no user_friendly_names yes mode 644 uid 0 gid disk } blacklist { devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*" devnode "^hd[a-z]" devnode "^sda" devnode "^sda[0-9]" wwid "3600508b1001c1f5b93df16da7e7ab72e" wwid "3600508b1001c81da7e4515d6a1c3a693" wwid "OCZ-VELO_DRIVE_OCZ-938561J47139J405" wwid "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676" wwid "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U" # wwid 3600c0ff0001432f020c55c5901000000 device { vendor HP product "P410i|LOGICAL" } } devices { device { vendor "HP" product "P2000 G3*" path_grouping_policy "group_by_prio" # uid_attribute "ID_SERIAL" path_checker "tur" path_selector "round-robin 0" features "0" hardware_handler "0" prio "alua" rr_weight "uniform" failback "immediate" no_path_retry 18 rr_min_io 100 } } multipaths { multipath { wwid 3600c0ff00014e4ed9724235801000000 alias MSA_NETLITE } multipath { wwid 3600c0ff00014e4edfa37695801000000 alias MSA_NETLITE_BACKUP } multipath { # path_grouping_policy multibus wwid 3600c0ff0001432f020c55c5901000000 alias MSA_BELLNET } multipath { wwid 3600c0ff0001432f0a80e5a5901000000 alias MSA_BELLNET_BACKUP } }