linux – put things down

Migrating Kickstart from CentOS 6 to CentOS 7 + ESXi VMware Tools

In another post I described how to install CentOS 6 via a kickstart file (be sure to check out the “Kickstart Sample Configuration” section). CentOS 7 was recently released, and with that I needed to also use a kickstart configuration. However, simply using the previous kickstart configuration was not as easy as copy-and-paste (besides updating the release version in the repository configuration).

Summary of Kickstart Changes

There were a few changes that needed to be made for a base/core installation of CentOS 7:

Include eula --agreed (read the documentation)
Include services --enabled=NetworkManager,sshd (read the documentation)
Update the install packages list ( %packages section)
CentOS 7 is also a bit more strict with the kickstart file, so I had to explicitly include %end where applicable
CentOS 7’s default file system is now xfs, in CentOS 6 it was ext4, so consider updating the automatic partitioning to use xfs
Package groups @scalable-file-systems, @server-platform, @server-policy, and @system-admin-tools no longer exist – I haven’t located suitable replacements yet
Things like ifconfig are no longer included by default (they are now deprecated), so if you need them be sure to include net-tools. You should be using ip by now anyway.

Kickstart Sample Configuration

And now, an updated kickstart config for CentOS 7, with consideration of the previously mentioned updates (compare it with the previous Kickstart Sample Configuration mentioned in the other post). I also chose to include some extra packages that don’t exist by default with a @core installation.

#version=RHEL7
install
nfs --server=repo.hostname.tld --dir=/repo/centos/7/os/x86_64
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us'
zerombr
eula --agreed
services --enabled=NetworkManager,sshd
reboot

# leaving network in here, but it'll be dhcp for now, make sure you have KVM access
#network --onboot no --device eth0 --bootproto static --ip 172.16.0.254 --netmask 255.255.0.0 --gateway 172.16.1.1 --noipv6 --nameserver 172.16.0.2 --hostname new.hostname.tld
rootpw --iscrypted DEFAULT_SALTED_ROOT_PASSWORD
firewall --service=ssh
auth --enableshadow --passalgo=sha512
selinux --enforcing
timezone America/Phoenix --isUtc --ntpservers=0.centos.pool.ntp.org,1.centos.pool.ntp.org,2.centos.pool.ntp.org,3.centos.pool.ntp.org

### LVM
bootloader --location=mbr --boot-drive=sda
clearpart --all --drives=sda
ignoredisk --only-use=sda

part /boot --fstype="xfs" --ondisk=sda --size=256
part pv.01 --fstype="lvmpv" --ondisk=sda --grow --size=1

volgroup vg_main pv.01
logvol / --fstype="xfs" --name=lv_root --vgname=vg_main --grow --size=8192
logvol swap --fstype="swap" --name=lv_swap --vgname=vg_main --grow --size=4096 --maxsize=4096

%packages
@core
net-tools
policycoreutils
screen
tree
vim
wget
%end

%post
wget http://your.hostn.tld/scripts/c7/post-install.sh -O post-install.sh
sh post-install.sh
rm -f post-install.sh
%end

#version=RHEL7

install

nfs --server=repo.hostname.tld --dir=/repo/centos/7/os/x86_64

lang en_US.UTF-8

keyboard --vckeymap=us --xlayouts='us'

zerombr

eula --agreed

services --enabled=NetworkManager,sshd

reboot

# leaving network in here, but it'll be dhcp for now, make sure you have KVM access

#network --onboot no --device eth0 --bootproto static --ip 172.16.0.254 --netmask 255.255.0.0 --gateway 172.16.1.1 --noipv6 --nameserver 172.16.0.2 --hostname new.hostname.tld

rootpw --iscrypted DEFAULT_SALTED_ROOT_PASSWORD

firewall --service=ssh

auth --enableshadow --passalgo=sha512

selinux --enforcing

timezone America/Phoenix --isUtc --ntpservers=0.centos.pool.ntp.org,1.centos.pool.ntp.org,2.centos.pool.ntp.org,3.centos.pool.ntp.org

### LVM

bootloader --location=mbr --boot-drive=sda

clearpart --all --drives=sda

ignoredisk --only-use=sda

part /boot --fstype="xfs" --ondisk=sda --size=256

part pv.01 --fstype="lvmpv" --ondisk=sda --grow --size=1

volgroup vg_main pv.01

logvol / --fstype="xfs" --name=lv_root --vgname=vg_main --grow --size=8192

logvol swap --fstype="swap" --name=lv_swap --vgname=vg_main --grow --size=4096 --maxsize=4096

%packages

@core

net-tools

policycoreutils

screen

tree

vim

wget

%end

%post

wget http://your.hostn.tld/scripts/c7/post-install.sh -O post-install.sh

sh post-install.sh

rm -f post-install.sh

%end

VMware Tools Change

If you’re like me and use ESXi, I’m currently on version 5.5 and 5.5u1, the installable tools for integrating with ESXi is a nice treat. However, the repository location has changed specifically for RHEL7, and so have the packages.

The new repository location is at http://packages.vmware.com/packages/rhel7/x86_64/.
The only package that needs to be installed is open-vm-tools.
Note that the tools are currently only available for the x86_64 architecture, but I’m still including $basearch in the URL.
The “packages” repo at packages.vmware.com does not include a GPG Key, but it is the same one from the older “tools” repo.

Add VMware Tools to YUM

Put the following repo configuration in /etc/yum.repos.d/vmware-tools.repo:

[vmwarec7]

name=VMware Tools - $basearch

baseurl=http://packages.vmware.com/packages/rhel7/$basearch/

gpgkey=http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub

gpgcheck=1

protect=1

enabled=1

Then update yum and install the tools:

# clean yum's cache

yum clean all

# reload yum.repos.d

yum check-update

# install the package

yum install open-vm-tools

uberSVN: Cheap Backup Script Using hotcopy and rdiff-backup

SVN backups, and backing up in general, is critical for the purpose of disaster recovery. There are a few requirements to consider:

Backups should mirror (or come close to) the current state of system, i.e. a snapshot.
Backups should be incremental. In the event a snapshot is malformed, or the system during the snapshot is corrupt, one can roll back to previously working snapshot.
~~Take~~ Backup only what you need to survive. No sense in including temporary files, libs that are part of the distribution (easily downloadable), etc.

Lower-level note: I don’t have the resources for LVM snapshots, and the physical disks are RAID 6.

Considerations

Originally, I was backing up my uberSVN installation and all of the SVN repositories using a simple rdiff-backup command. This approach is shortsighted: a rsync of the internal repositories directory does not consider current commits, prop changes, hooks, etc. that are occurring while the rsync is happening which could cause a non-restorable backup; using svnadmin hotcopy addresses this concern. However, the issue with hotcopy is that it does not perform an incremental backup for you, so I needed to couple it with rdiff-backup. It is worth noting that performing this type of copy operation will include, props, hooks, commits and other information – it is more comprehensive than a normal svnadmin dump, but with the downside that it is only truly compatible with the version of SVN that generated it.

As if this wasn’t enough to think about, hotcopy does not preserve file system timestamps. This is problematic with rdiff-backup which relies on a timestamp + file size combination; even though it uses the same underlying algorithm as rsync, AFAIK it does not support the checksum feature for transfers. So after the svnadmin hotcopy is performed, file attributes should be synchronized as well (with slight risk I might add).

Lastly, uberSVN has a handful of configurations and metadata that must be backed up per installation. Its GUI has an easy backup feature, but there is no CLI access/equivalent that I could find. I’m sure I could dig through the source and figure out exactly what was included in the backup, but I decided to reverse-engineer the backup file (which uses ZIP compression by the way) and infer other details. uberSVN includes (or should include) the following directories from its install directory (default is /opt/ubersvn): /opt/ubersvn{conf,openssl,tomcat,ubersvn-db}. From this, a backup archive can be carefully constructed for later restoration within the GUI.

The Implementation (tl;dr)

This is a bash script that is configurable in the first two grouping of variables (lines are highlighted). It also uses a subsys lock mechanism (flock) so it cannot be run in parallel which is helpful when using it in a crontab. I haven’t extensively tested its reliability, but it does work… generally speaking. Here’s the hack:

#!/bin/bash

remotePath="/home/backup/ubersvn-repos";
remotePort=22;
remoteUser="backup";
remoteHost="example.com";
targetPrefix="/tmp/svnbackup"; # no trailing slash, where to put it temporarily
repoPrefix="/opt/ubersvn/repositories/"; # with trailing slash, contains all the repos
svnadmin="/opt/ubersvn/bin/svnadmin"; # path to ubersvn's svnadmin binary
rdb="/usr/bin/rdiff-backup"; # path to rdiff-backup binary
lockPath="/var/lock/subsys/backup-svn.sh.lock"; # path to store the lock file

extraPathsPrefix="/opt/ubersvn"; # no trailing slash, $extraPaths will be postfixed
read -r -d '' extraPaths <<EOT
conf
openssl
tomcat
ubersvn-db
EOT

# prepare repo hotcopy paths
timestamp=`date +"%s"`;
targetTemp="${targetPrefix}_${timestamp}";
repoList=`find "$repoPrefix" -maxdepth 1 -type d -not -wholename "$repoPrefix"`;

(
flock -x -w 10 200 || exit 1

# hotcopy all svn repos
for repoPath in $repoList; do
	repo=`echo "$repoPath" | rev | cut -d/ -f1 | rev`;
	tempRepoPath="${targetTemp}/repositories/${repo}";
	mkdir -p "$tempRepoPath";
	"$svnadmin" hotcopy --clean-logs "$repoPath" "$tempRepoPath";
done;

# sync file attributes (i.e. timestamps) to prepare incremental backup, this is kinda dirty
cd "${targetTemp}/repositories/";
find . -exec touch -r "$repoPrefix"\{\} \{\} \;
cd - >/dev/null 2>&1;

# copy extra paths (e.g. ubersvn configs)
for extra in $extraPaths; do
	/bin/cp -fRp "${extraPathsPrefix}/${extra}" "${targetTemp}/${extra}"; # preserve attributes
done;

"$rdb" --remote-schema "ssh -C -p $remotePort %s" "$targetTemp" "$remoteUser"@"$remoteHost"::"$remotePath"; # incremental backup

rm -fr "$targetTemp"; # clean up

) 200>"$lockPath";

#!/bin/bash

remotePath="/home/backup/ubersvn-repos";

remotePort=22;

remoteUser="backup";

remoteHost="example.com";

targetPrefix="/tmp/svnbackup"; # no trailing slash, where to put it temporarily

repoPrefix="/opt/ubersvn/repositories/"; # with trailing slash, contains all the repos

svnadmin="/opt/ubersvn/bin/svnadmin"; # path to ubersvn's svnadmin binary

rdb="/usr/bin/rdiff-backup"; # path to rdiff-backup binary

lockPath="/var/lock/subsys/backup-svn.sh.lock"; # path to store the lock file

extraPathsPrefix="/opt/ubersvn"; # no trailing slash, $extraPaths will be postfixed

read -r -d '' extraPaths <<EOT

conf

openssl

tomcat

ubersvn-db

EOT

# prepare repo hotcopy paths

timestamp=`date +"%s"`;

targetTemp="${targetPrefix}_${timestamp}";

repoList=`find "$repoPrefix" -maxdepth 1 -type d -not -wholename "$repoPrefix"`;

(

flock -x -w 10 200 || exit 1

# hotcopy all svn repos

for repoPath in $repoList; do

repo=`echo "$repoPath" | rev | cut -d/ -f1 | rev`;

tempRepoPath="${targetTemp}/repositories/${repo}";

mkdir -p "$tempRepoPath";

"$svnadmin" hotcopy --clean-logs "$repoPath" "$tempRepoPath";

done;

# sync file attributes (i.e. timestamps) to prepare incremental backup, this is kinda dirty

cd "${targetTemp}/repositories/";

find . -exec touch -r "$repoPrefix"\{\} \{\} \;

cd - >/dev/null 2>&1;

# copy extra paths (e.g. ubersvn configs)

for extra in $extraPaths; do

/bin/cp -fRp "${extraPathsPrefix}/${extra}" "${targetTemp}/${extra}"; # preserve attributes

done;

"$rdb" --remote-schema "ssh -C -p $remotePort %s" "$targetTemp" "$remoteUser"@"$remoteHost"::"$remotePath"; # incremental backup

rm -fr "$targetTemp"; # clean up

) 200>"$lockPath";

Scripting Parallel Bash Commands (Jobs)

Sometimes commands take a long time to process (in my case importing huge SQL dumps into a series of sandboxed MySQL databases), in which case it may be favorable to take advantage of multiple CPUs/cores. This can be handled in shell/bash with the background control operator & in combination with wait. Got a little insight from this StackOverflow answer.

The Technique

The break-down is commented inline.

#!/bin/bash

processes=4; # max number of parallel processes

#list of stuff

read -r -d '' theList <<EOT

big

long

list

args

commands

work

with

EOT

count=0;

pidList='';

for item in $theList; do

count=$((count + 1));

longOperationWith "$item"&

lastPid=${!}; # get the PID of `longOperationWith "$item"`

pidList=`echo "$pidList $lastPid" | sed 's/^ *//g'`; # concat and strip that initial beginning space

if [ $count -ge $processes ]; then # when we've reached the max number of processes

echo "Waiting for $pidList to finish...";

wait $pidList; # wait for all PIDs in pidList to finish (don't quote)

count=0; # then reset counter

pidList=''; # and reset the list of PIDs

fi;

done;

Notes

This does not function like a pool (task queue) where once a “thread” is freed up it will be immediately eligible for the next task, although I don’t see why something like this could be implemented with a little work.
wait will pause script execution for all PID parameters it is provided to complete before moving on.
Once the if...fi control block is entered wait will cause the for...in loop to suspend.
$! (or ${!}) contains the PID of the most previously executed command; make sure it comes directly after the operation used with &. Throw it into a variable (like lastPid) for future use.
This is not multi-threading, although this simplified concept is similar. Each command spawns a separate process.
read is just creating a multiline list; in my specific case this was favorable over a bash array, but either will work.

Screenshot of htop showing parallel process tree.

Reload DNS Zone with Bind9 and rndc

Was really confused when trying to reload a zone. I would receive the error rndc: 'reload' failed: dynamic zone. This was especially frustrating because in a similar installation, a simple service named reload would do just fine; not this time. Also, remember the point is to not completely reload named; doing so will clear its cache (if used as a local DNS resolver) and cause a small outage if clients do not have their current domain lookup cached.

Assuming the zone to update is called “THEZONE” perform the following:

vim /var/data/named/data/zones/THEZONE.zone;

# update the zone in vim and save

rndc freeze THEZONE

rndc reload THEZONE

rndc thaw THEZONE

If necessary, don’t forget to update the reverse DNS records. I’m lazy and use PTR:

vim /var/data/named/data/zones/reverse-IPADDR.in-addr.arpa.zone

# update the PTR record

rndc freeze IPADDR.in-addr.arpa

rndc reload IPADDR.in-addr.arpa

rndc thaw IPADDR.in-addr.arpa

So… the moral of the story is to freeze, reload and thaw. Remember f-r-t (or fart?).

Install CentOS 6 with Anaconda/Kickstart (plus ESXi VMware Tools)

Synopsis

I’ve been getting my feet wet with ESXi, CentOS 6 VMs, and YUM/RPM. Well the last two I have been using for years, but not like recently.

The goal is to be able to blindly install a controlled distribution of CentOS 6.x quickly and without error (maybe even install multiple at the same time). What I needed:

Anaconda Kickstart file (ks.cfg)
Local mirrored repository for CentOS 6.x (6.3 in my example)
Custom 3rd party repo
HTTP/NFS/RSYNC access to these
Variable disk/cpu/ram size – the partitions need to be dynamic

Without writing a book about all of this, I really want to just highlight some problems I ran into and how I solved them.

An example of my kickstart file is below for reference.

Automated Partition Schema

Since I’m in the world of virtualized hardware, it is important for the disk to scale easily without lost data. The prerequisite to this is of course Logical Volume Management (LVM). Now you may not agree with my LVM layout, and honestly, this isn’t my expertise (optimization of disk partitions), but at the least there must be “boot,” “root,” and “swap” partitions.

The goal here is to make the root partition grow to its maximum size without negating the swap. Also, the boot partition won’t be on the LVM, it will be fixed in the MBR. The kickstart section is as follows:

# delete everything on /dev/sda
clearpart --all --drives=sda

# only use the sda - this is totally fine in the case of a single physical disk (remember, we're virtual here, so this is probably for the best, considering you'll have SAN, DAS or NAS behind it)
ignoredisk --only-use=sda

# make the boot partition in the MBR (only 128mb)
part /boot --fstype=ext4 --size=128

# make the physical partition for the LVM to sit on "pv.01" is "partition volume number 01" alternatively something like "pv.02393" would be fine.
# this partition should "grow" to fill the entire disk, the initial size is 1mb (don't use 0 here)
part pv.01 --grow --size=1

# define the LVM volgroup called "vg_main" - this can be called whatever you want - and put it on the physical partition "pv.01" that was created in previous.
volgroup vg_main pv.01

# the root partition called "lv_root" sitting on the volume group "vg_main" with a minimum size of 8gb, it will grow to fill whatever is left of the disk
logvol / --fstype=ext4 --name=lv_root --vgname=vg_main --grow --size=8192

# the swap partition called "lv_swap" sitting on volgroup "vg_main" that is exactly 2 gb
logvol swap --name=lv_swap --vgname=vg_main --grow --size=2016 --maxsize=2016

# delete everything on /dev/sda

clearpart --all --drives=sda

# only use the sda - this is totally fine in the case of a single physical disk (remember, we're virtual here, so this is probably for the best, considering you'll have SAN, DAS or NAS behind it)

ignoredisk --only-use=sda

# make the boot partition in the MBR (only 128mb)

part /boot --fstype=ext4 --size=128

# make the physical partition for the LVM to sit on "pv.01" is "partition volume number 01" alternatively something like "pv.02393" would be fine.

# this partition should "grow" to fill the entire disk, the initial size is 1mb (don't use 0 here)

part pv.01 --grow --size=1

# define the LVM volgroup called "vg_main" - this can be called whatever you want - and put it on the physical partition "pv.01" that was created in previous.

volgroup vg_main pv.01

# the root partition called "lv_root" sitting on the volume group "vg_main" with a minimum size of 8gb, it will grow to fill whatever is left of the disk

logvol / --fstype=ext4 --name=lv_root --vgname=vg_main --grow --size=8192

# the swap partition called "lv_swap" sitting on volgroup "vg_main" that is exactly 2 gb

logvol swap --name=lv_swap --vgname=vg_main --grow --size=2016 --maxsize=2016

I do want to note that the logvol’s are interpreted in a random order, so it is perfectly fine for the swap logvol to be declared after the root (/) logical volume.

Bypassing “Storage Device Warning”

The only problem I had in regards to a prompt-less install was the “Storage Device Warning” asking if I was sure I wanted to write to the disk and lose all of my data. No matter what I put in the partition specification of kickstart, it would always prompt. The answer is to use zerombr yes. See the option “zerombr” as defined within the CentOS kickstart guide. This can be placed anywhere in the kickstarter file (well except in %packages, %post or similar); just put it up near the top.

Auto Reboot

After the installation is complete, automatically reboot the machine. This works perfectly in ESXi since it automatically unmounts the virtual cdrom after the first boot of the guest! Simply put reboot anywhere in your kickstart – near the top is probably best.

VMware Tools RPM

In order for the vSphere Client to monitor and execute certain tasks on the guest vm, VMware Tools is required. This will show you things like IP addresses, hostnames and guest state as well as integrated shutdown/reboot tools.

Add VMware Tools to YUM

Put the following repo configuration in /etc/yum.repos.d/vmware-tools.repo:

[vmware-tools]

name=VMware Tools

baseurl=http://packages.vmware.com/tools/esx/5.1latest/rhel6/x86_64

enabled=1

gpgcheck=1

gpgkey=http://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub

Then execute the following shell in %post of kickstart:

1 2	yum -y update yum -y install vmware-tools-plugins-guestInfo

The important part to mention here is that the package is called vmware-tools-plugins-guestInfo. All the dependencies will come with it, so no worries there.

Mirroring a Repository for NFS Kickstart Installation

Create the Repo Mirror

Remember, my goal is to be able to quickly add a CentOS VM. With that, I don’t want to wait 30 minutes to pull down packages from a mirror in Iowa, New York or Cali. I want to pull it down once, keep it up-to-date and have my local install pull from my local mirror. For simplicities sake, I’ll put the mirror in /repo/centos.

MIRROR=mirror.centos.com::centos/6.4

DEST=/repo/centos

mkdir -p /repo/centos

rsync -avSHP --delete --exclude "local*" --exclude "isos" $MIRROR $DEST

I am choosing to exclude any local files/directories (“local*”) and also the huge DVD ISOs (“isos”). Also note that the mirror format is host::path and that the mirror host must support the rsync protocol.

Keep the Local Mirror Updated

To keep the local repo copy up-to-date, run this script via cron (by the way, I stole this from somewhere, I just don’t remember). Please don’t forget to swap out the mirror hostname and path with something that makes more geographical sense to you.

#!/bin/bash

LOCK=/var/lock/subsys/repo_sync;

CENTOS_REPO=mirrors.usc.edu::centos/6.4;

CENTOS_DEST=/repo/centos;

if [ -f $LOCK ]; then

echo "Updates via rsync already running.";

exit 1;

fi;

touch $LOCK;

if [ -d $DEST ] ; then

rsync -avSHP --delete --exclude "local*" --exclude "isos" $CENTOS_REPO $CENTOS_DEST;

else

echo "Target directory "$DEST" does not exist. Cannot update.";

fi;

/bin/rm -f $LOCK;

exit 0;

Configure NFS for Kickstart Network Installations

NFS server support is built into CentOS and running by default, so this is pretty easy. Add the following to /etc/exports:

1	/repo/centos 172.16.0.0/16(ro,sync,all_squash)

This exports the directory “/repo/centos” for NFS. Only the subnet 172.16.0.0/16 is allowed access (no credentials required). It is mounted as read-only (ro), connection are synchronous as opposed to asynchronous (sync), and all connections are anonymous for security purposes (all_squash). Man exports(5) if you need more help.

Restart NFS via service nfs restart.

I feel like I’m missing something with NFS, but I don’t recall; this was too easy. In my memory there was a struggle with rpc!

Update iptables for NFS

Edit /etc/sysconfig/iptables and throw these rules in there before -A INPUT -j REJECT --reject-with icmp-host-prohibited.

-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT

And restart iptables via service iptables restart.

Configure Kickstart to Use Local Repo via NFS

This is an easy one-line if everything is set up correctly. Add the following after the “install” option within the kickstart configuration.

1	nfs --server=YOUR.HOSTNAME.TLD --dir=/repo/centos/6/os/x86_64

Use Local Repo Post Install

So you want to keep using your new local repo beyond the kickstart installation? No worries. Install apache, configure the vhost and update ks.cfg.

1 2	yum install httpd; vim /etc/httpd/conf.d/vhosts.conf

Inside vhosts.conf:

ServerAdmin webmaster@HOSTNAME.TLD

DocumentRoot /repo

ServerName YOUR.HOSTNAME.TLD

ErrorLog logs/YOUR.HOSTNAME.TLD-error_log

Options Indexes MultiViews FollowSymLinks

IndexOptions FancyIndexing FoldersFirst VersionSort XHTML

</Directory>

</VirtualHost>

Add the following rule to iptables:

1	-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Restart iptables via service iptables restart;.

Start httpd via service httpd start; chkconfig httpd on;.

Update the kickstart configuration:

1	repo --name=My Local Repo --baseurl=YOUR.HOSTNAME.TLD/centos/6/os/x86_64

Done!

Kickstart Sample Configuration

install
nfs --server=repo.hostname.tld --dir=/repo/centos/6/os/x86_64
lang en_US.UTF-8
keyboard us
zerombr yes
reboot

# leaving network in here, but it'll be dhcp for now, make sure you have KVM access
#network --onboot no --device eth0 --bootproto static --ip 172.16.0.254 --netmask 255.255.0.0 --gateway 172.16.0.1 --noipv6 --nameserver 172.16.0.2 --hostname new.hostname.tld
rootpw  --iscrypted DEFAULT_SALTED_ROOT_PASSWORD
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/London
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"

### LVM
clearpart --all --drives=sda
ignoredisk --only-use=sda

part /boot --fstype=ext4 --size=128
part pv.01 --grow --size=1

volgroup vg_main pv.01
logvol / --fstype=ext4 --name=lv_root --vgname=vg_main --grow --size=8192
logvol swap --name=lv_swap --vgname=vg_main --grow --size=2016 --maxsize=2016

%packages
@base
@core
@scalable-file-systems
@server-platform
@server-policy
@system-admin-tools
pax
sgpio
screen
crypto-utils

%post
wget http://your.hostn.tld/post-install-script.sh -O post-install-script.sh
sh post-install-script.sh
rm -f post-install-script.sh
yum -y upgrade
yum -y install vmware-tools-plugins-guestInfo

%end

install

nfs --server=repo.hostname.tld --dir=/repo/centos/6/os/x86_64

lang en_US.UTF-8

keyboard us

zerombr yes

reboot

# leaving network in here, but it'll be dhcp for now, make sure you have KVM access

#network --onboot no --device eth0 --bootproto static --ip 172.16.0.254 --netmask 255.255.0.0 --gateway 172.16.0.1 --noipv6 --nameserver 172.16.0.2 --hostname new.hostname.tld

rootpw --iscrypted DEFAULT_SALTED_ROOT_PASSWORD

firewall --service=ssh

authconfig --enableshadow --passalgo=sha512

selinux --enforcing

timezone --utc Europe/London

bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"

### LVM

clearpart --all --drives=sda

ignoredisk --only-use=sda

part /boot --fstype=ext4 --size=128

part pv.01 --grow --size=1

volgroup vg_main pv.01

logvol / --fstype=ext4 --name=lv_root --vgname=vg_main --grow --size=8192

logvol swap --name=lv_swap --vgname=vg_main --grow --size=2016 --maxsize=2016

%packages

@base

@core

@scalable-file-systems

@server-platform

@server-policy

@system-admin-tools

pax

sgpio

screen

crypto-utils

%post

wget http://your.hostn.tld/post-install-script.sh -O post-install-script.sh

sh post-install-script.sh

rm -f post-install-script.sh

yum -y upgrade

yum -y install vmware-tools-plugins-guestInfo

%end

For the option “rootpw” use grub-crypt with the specified hash algorithm under authconfig –passalgo=X (to replace DEFAULT_SALTED_ROOT_PASSWORD). In the sample ks.cfg file, I have sha512, so:

$ grub-crypt --sha-512

Password: 12345

Retype password: 12345

$6$oavua3X2xzo08xkj$r1cYIK4ghmA7FEpIXbNsNQr1Xll13bGJbBX2CpoZGgKuLkDHkA71L/V8mfkiQh1pr4.JQwgW8hOWxhZW9W.y70

Using the Kickstart Configuration

The idea is to create a custom ISO with the kickstart configuration embedded, but I haven’t done this yet. So for now, I’m hosting the file as ks.cfg on an intranet HTTP server and booting a centos 6.3 netinstall (~200mb). At the bootloader prompt, specify extra parameters vmlinux initrd=initrd.img ks=http://some.host.local/ks.cfg. This installs all the packages, updates as needed, partitions the disk, runs a custom script, and reboots the machine.

Brain dump complete.

Setting up BIND 9 on CentOS 6 and Securing a Private Nameserver on the Internet

Today I was setting up a brand new server over at LiquidWeb (I have been hosting with this Lansing, MI based company for years, although I’m stubborn and have never tried out their heroic support). I already had the IP addresses (2) and the box provisioned. It is a clean install of the latest CentOS 6 – that means no cPanel/WHM, Plesk or similar. The box will serve many purposes, but it also needs its own nameserver. For the sake of this tutorial, the example domain will be putthingsdown.com and the two IP addresses my host provided are 11.22.33.44 and 11.22.33.45.

Register Your Private Nameservers at Your Registrar

My one-and-only registrar is GoDaddy. They keep things simple and allow for flexibility as far as domain management goes. They are just my registrar: I do not host with them, use their mail servers, nor their nameservers.

This part is simple, when you register the domain name, navigate to the domain management tool and update the namservers to “ns1.putthingsdown.com” and “ns2.putthingsdown.com” – these do not have to exist yet and will be created below.

Lastly, register the nameservers and a utility host at GoDaddy by adding the following three “Host” entries (not subdomain entries, but host entries – there is a difference):

Hostname is ns1 and IP address is 11.22.33.44.
Hostname is ns2 and IP address is 11.22.33.45.
Hostname is host and IP address is 11.22.33.44.

Configuring named

First, get the named service installed: yum install bind-chroot
Notice that bind-chroot will install under /var/named in its own chrooted directory. This is for security purposes. There should be hardlinks to the chrooted “data” and “slave” directories (this was updated with EL6 – yay!)
Configure the rndc key: (Use the ampersand to send this process to the background, it will take 10-15 minutes to generate) rndc-confgen &
Secure the newly generated rndc.key file: chown named /etc/rndc.key; chmod 600 /etc/rndc.key;
Get the rndc key name which is encapsulated in double qutoes from the generated file (it should be rndc-key by default): grep key /etc/rndc.key
Note on CentOS 6 and bind 9.7.3, there will not be a /etc/rndc.conf
Create your first zone file in /var/named/data (example below): vi /var/named/data/putthingsdown.com.zone
Configure named (example below): vi /etc/named.conf

Example Master/Authoritative Zone File

$TTL 38400

putthingsdown.com. 86400 IN SOA ns1.putthingsdown.com. webmaster.putthingsdown.com. (

2012062301 ;serial

7200 ;refresh

900 ;retry

1209600 ;expire

42300 ;minimum

)

putthingsdown.com. 86400 IN NS ns1.putthingsdown.com.

putthingsdown.com. 86400 IN NS ns2.putthingsdown.com.

ns1 86400 IN A 11.22.33.44

ns2 86400 IN A 11.22.33.45

putthingsdown.com. 14400 IN A 11.22.33.44

host 14400 IN A 11.22.33.44

www 14400 IN CNAME putthingsdown.com.

The “serial” should be updated every single time this zone file is modified and reloaded into named. The format is as follows: YYYMMDDnn (where nn is an incrementor for the same day, e.g. 01, 02, 03…. 11, 12, 13)
refresh, retry, expire, and minimum are measured in seconds, just a note that these aren’t always followed, especially by residential DNS mirrors/servers.
The SOA (Start of Authority) is the… well… start of the zone record. This section (including the parens) is what kickstarts the zone file and defines the meta data.
After the SOA the first two records are NS (NameServer): the TTL (time-to-live) is 86400 seconds, or 1 day, and point to the (non-existant, yet) nameservers ns1 and ns2.
The next 2 records are A (Address) records that register the ns1 and ns2 subdomains and bind them to IP addresses – now the two NS records have something to point to.
The third A record is the actual domain itself which is bound to the primary IP address. This is proof that you really don’t need the “www” in front of the domain name, although this is also dependent on the web server configuration
“host” will serve as a utility subdomain which also points to the primary IP. This is helpful in the future if there is a secondary util server used for SSH to manage all the servers within the private network.
Lastly, the www subdomain acts as a CNAME (Canonical Name), or alias to putthingsdown.com – essentially putthingsdown.com and www.putthingsdown.com will take you to the same place. Hint: try not to use CNAME records if you don’t have to, although they make your zone more flexible for future enhancements, since they require a secondary lookup.

Example named Configuration

The lines highlighted below are the ones that changed from the default named.conf provided by the installation script. I am not going to go over this in detail, but do what to highlight a few pieces. Note: this is the insecure version of the named configuration; continue reading for security enhancements.

include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" { 11.22.33.44; 11.22.33.45; };

options {
        listen-on port 53 { 127.0.0.1; 11.22.33.44; 11.22.33.45; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

/* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "putthingsdown.com" {
        type master;
        file "/var/named/data/putthingsdown.com.zone";
};

include "/etc/named.rfc1912.zones";

include "/etc/rndc.key";

controls {

inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };

};

acl "trusted" { 11.22.33.44; 11.22.33.45; };

options {

listen-on port 53 { 127.0.0.1; 11.22.33.44; 11.22.33.45; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query { any; };

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

zone "." IN {

type hint;

file "named.ca";

};

zone "putthingsdown.com" {

type master;

file "/var/named/data/putthingsdown.com.zone";

};

include "/etc/named.rfc1912.zones";

The first include is to the rndc.key file that was generated in step 3 above.
The “trusted” ACL has your two IP addresses in it.
Within the controls declaration, the key name found in step 5 above should be defined.
“listen-on” needs to have both IP address listed – named binds itself to port 53 on both these IP addresses
Setting “allow-query” to any will allow any upstream DNS server the ability to query yours.
The section at the bottom for the zone is the inclusion of the zone file created in previous.

Almost Done: Test Stuff

Before we take the step to secure the named server, let’s make sure it works first. Restart the service (hopefully it doesn’t throw any errors). Once it restarts successfully let’s start it on boot-up (with its default run levels); make sure the chkconfig took:

# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

# chkconfig named on

# chkconfig --list | grep named

named 0:off 1:off 2:on 3:on 4:on 5:on 6:off

I’ll assume port 53 is open for TCP and UDP. Honestly, this isn’t me “not knowing” which protocol; DNS primarily uses UDP, but has been known to use TCP as a fail-over and will definitely be used in IPv6.

Lastly, use a public tool on the web to verify your DNS configuration. I like to use NsLookup by Network-Tools.com. Simply put “putthingsdown.com” in the domain field and hit GO. If everything is set up correctly, some records from the zone file will be listed, specifically the SOA and NS, as well as the primary A.

Securing named

After some super-fast searching, I found this nifty BSP (not sure what BSP stands for?) over at NIST.gov: How to Secure a Domain Name Server (DNS). Here’s the gist of §3.1.2 (most of these are snippets, they shouldn’t be interpreted verbatim):

override “version” number using options { version "dunno kthxbye"; };
restrict zone transfers: options { allow-transfer { localhost; trusted; }; };
restrict dynamic updates in each zone: zone "putthingsdown.com" { allow-update { localhost; trusted; }; };
protect against DNS spoofing: options { recursion no; };
restrict by default all queries: options { allow-query { localhost; trusted; }; };
allow individual zone queries: zone "putthingsdown.com" { allow-query { any; }; };
Verify with security tools: DNSWalk (online version) zone transfer should fail with “REFUSED”, ZoneCheck, and dlint. Happy hunting.

Download & Install a SSL Cert into a Java keystore with keytool

Today I was notified our notification email mail server was changing hosts. So I made a list of the services that use the notify email address (e.g. notifications@domain.tld) – this email address is responsible for sending info to our network users which include updates for everything from issue tracking to password recovery (and then some). With security in mind all emails should be sent over SSL (the mail server supports SSLv3), but the problem is that the installed cert is self-signed; now I know it is a good cert – I generated it, we just don’t wanna fork over the $$ to have a root cert provider put their stamp of approval on it and it’s used for internal purposes only.

Now, if you generated a self-signed SSL cert and want to import that, just skip the “Download the SSL Certificate” section.

There’s Always Something to Mess Your Day Up

Normally this isn’t a big deal: just update the SMTPS credentials and be on your way. However, most of our service applications are Java-based. You’re thinking, “no biggy, just turn on the flag to trust all certs.” Not that easy; the options within our apps don’t have this fancy little checkbox. So I guess I have to do it the hard way: download the cert from the mail server and add it to the Java keystore, restart the service (bah, I have down time), and cross my fingers that it works.

Download the SSL Certificate

This one is pretty easy, and really straight forward (with the help of Didier Stevens’ quickpost)

[user@host ~]$ openssl s_client -connect host.domain.tld:465 > host.domain.tld.dump

depth=0 /C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
verify return:1

Ctrl^c

[user@host ~]$ cat host.domain.tld.dump
CONNECTED(00000003)
---
Certificate chain
0 s:/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
i:/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
---
Server certificate
-----BEGIN CERTIFICATE-----
ZSBzY2VsZXJpc3F1ZSB2ZWxpdCwgaWQgZGlnbmlzc2ltIGVuaW0gb2RpbyBxdWlz
IG1pLiBQcm9pbiBhIGRvbG9yIG51bmMsIHZpdGFlIGJpYmVuZHVtIGxpZ3VsYS4g
U2VkIGNvbnNlcXVhdCwganVzdG8gdXQgZnJpbmdpbGxhIHVsdHJpY2VzLCBtYXNz
....................BUNCH OF STUFF..............................
aWJ1bHVtIHNpdCBhbWV0IGxvcmVtIHZpdGFlIG1pIHZlaGljdWxhIGNvbnNlcXVh
dC4gSW4gaWQgZXJhdCBzZWQgcHVydXMgb3JuYXJlIHRlbXBvci4gSW50ZWdlciBh
bnRlIHRvcnRvciwgcGhhcmV0cmEgZGlnbmlzc2ltIGV1aXNtb2QgZWV0IA==
-----END CERTIFICATE-----
subject=/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
issuer=/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****
---
No client certificate CA names sent
---
SSL handshake has read XXXX bytes and written XXX bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: ****
Session-ID-ctx:
Master-Key: ****
Key-Arg : None
Krb5 Principal: None
Start Time: 1332275776
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220-message from host

[user@host ~]$ openssl s_client -connect host.domain.tld:465 > host.domain.tld.dump

depth=0 /C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

verify error:num=18:self signed certificate

verify return:1

depth=0 /C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

verify return:1

Ctrl^c

[user@host ~]$ cat host.domain.tld.dump

CONNECTED(00000003)

---

Certificate chain

0 s:/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

i:/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

---

Server certificate

-----BEGIN CERTIFICATE-----

ZSBzY2VsZXJpc3F1ZSB2ZWxpdCwgaWQgZGlnbmlzc2ltIGVuaW0gb2RpbyBxdWlz

IG1pLiBQcm9pbiBhIGRvbG9yIG51bmMsIHZpdGFlIGJpYmVuZHVtIGxpZ3VsYS4g

U2VkIGNvbnNlcXVhdCwganVzdG8gdXQgZnJpbmdpbGxhIHVsdHJpY2VzLCBtYXNz

....................BUNCH OF STUFF..............................

aWJ1bHVtIHNpdCBhbWV0IGxvcmVtIHZpdGFlIG1pIHZlaGljdWxhIGNvbnNlcXVh

dC4gSW4gaWQgZXJhdCBzZWQgcHVydXMgb3JuYXJlIHRlbXBvci4gSW50ZWdlciBh

bnRlIHRvcnRvciwgcGhhcmV0cmEgZGlnbmlzc2ltIGV1aXNtb2QgZWV0IA==

-----END CERTIFICATE-----

subject=/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

issuer=/C=****/ST=****/L=****/O=****/OU=****/CN=host.domain.tld/emailAddress=****

---

No client certificate CA names sent

---

SSL handshake has read XXXX bytes and written XXX bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID: ****

Session-ID-ctx:

Master-Key: ****

Key-Arg : None

Krb5 Principal: None

Start Time: 1332275776

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

---

220-message from host

Obviously the above dump isn’t exactly what you’ll get, but you get the idea… Also, notice the Ctrl+C up there, this is important, the openssl command hangs and you don’t need all the extra stuff, so just wait for the initial dump and cancel the script.

Next, copy the base64 encoded certificate to a .pem file. Don’t forget to include “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. Just save it to something like host.domain.tld.pem. Really, just copy and paste from the terminal. For the idiots: in PuTTY just select it all with the left mouse button, and click on it with the left mouse button. This will copy it to your clipboard. Issue the command “nano host.domain.tld.pem” and right click in nano to paste. Ctrl^O to write out (write the file) and Ctrl^X to exit nano. Done.

Lastly, to figure out the host the certificate belongs to, run the following (this will also confirm if you’ve copied the PEM base64 over correctly):

1	[user@host ~]$ openssl x509 -in host.domain.tld.pem -text \| grep CN

This will show the lines which include “CN” (e.g. “…/CN=host.domain.tld/emailAddress…”). The CN parameter is the host/domain name that the certificate is registered under. This will be required information when importing with keytool.

Install the SSL Certificate with Java’s keytool into the keystore

There are a few things to accomplish in this section: find and locate the JRE you want to use, find the keytool script, find the trusted certificates file (cacerts), and execute a single-line command.

If there are several JRE’s on the system, figure out which one the application uses. For example, the standalone app I have installed has its own jre folder which contains ./bin/keytool, however, I also have a a system-wide Java installation. To expose all the keytools on your system use find / -name “keytool” …don’t use whereis, only registered applications appear with this command.

My setup looks something like this:

[user@host ~]$ find / -name "keytool"

/etc/alternatives/keytool

/opt/thirdpartyapp/jre/bin/keytool

/usr/bin/keytool

/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/bin/keytool

/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre/bin/keytool

/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/bin/keytool

/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/keytool

Since I need the service app to have the certificate trusted, I’ll use its own embedded jre keytool, “/opt/thirdpartyapp/jre/bin/keytool”.

Also, the cert needs to be installed into the trusted certs file, so within the particular java/jre installation there should also be a ./lib/security directory with a cacerts file.

TL;DR Working with keytool

Now with the previously retrieved information, here’s the bread’n’butter:

1	/opt/thirdpartyapp/jre/bin/keytool -import -alias host.domain.tld -keystore /opt/thirdpartyapp/jre/lib/security/cacerts -file ~/host.domain.tld.pem

The import switch tells keytool we want to import the pem into the trusted certs file (cacerts).
The alias switch’s value should be the CN you found in the previous section (after running openssl x509…), this is the domain for which the cert was created for
The keystore switch is the path to the Java keystore file, usually cacerts, which stores trusted certificates
The file switch’s value is the path to the pem that we created in the previous section.

keytool will now attempt to import the cert. First it’ll prompt for a password, unless you know otherwise try “changeit” or “changeme” – these are widely used defaults. Once you provide the correct password it’ll dump out a bunch of information about the certificate it is importing and lastly ask you if you want to “Trust this certificate” – type “yes” and hit return: “Certificate was added to keystore” is presented.

Now restart the Java application (however it is you do that) and it’ll recognize the SMTPS connection (or what ever else you’re working towards, e.g. HTTPS, SFTP, POP3S etc.)

Piece of cake, after you do it a few times. (Just realized I think i change tenses and POV a couple times in this write up… oh well.)

Password-less SSH with Public/Private Keys

From the POV of an advanced *nix user setting up public and private keys for password-less SSH logins seems trivial. However, to a beginner/novice user this can be confusing. I’ll admit, as comfortable as I am with managing Linux servers, configuring RSA keys on the local and remote machines was messing with my head – until I got the hang of it. I still don’t have a complete top-to-bottom understanding of this when it comes to different versions of SSH and then some, but enough to jot down a note for future reference just in case. I’ll assume the reader has a basic knowledge of CLI, connecting to a remote server with SSH, and that the two (or more) devices in question are both Linux machines.

By the way, there are a lot of these guides out there, but i couldn’t find one that helped. I still had to screw around a bit to really the the hang of it. They were either all too in-depth, too brief, only covered certain parts, or simply just didn’t fit my needs.

Before we get started, there is an easier and less intrusive way to do this if you’re running cPanel. I’ll write about that later.

Use Case

Close your eyes, find your power animal – slide… imagine you’re logged into some nix box (we’ll call this one “foo.com” with user “jack”). Now you need to issue some commands on another remote machine (and we’ll call this one “bar.net” with user “jill”), so what do you do?

1	[jack@foo.com ~]$ ssh jill@bar.net

At this point, it will make the connection, and if is the first time ask if you want permanently trust the connection, in which you reply “yes” after careful consideration. SSH prompts you for a password, you type it in and you’re good to go. You start navigating the filesystem and ferociously execute commands.

Now this scenario is all fine and dandy, until you’re accessing the server so often that you get sick and tired of typing your 15 character password (with upper/lowercase letters, numbers and symbols). Perhaps a better excuse to not enter the password is that you have a non-interactive shell script that needs to make this connection temporarily, in which case you do not have the luxury of entering your password in the prompt; don’t even tell me you were thinking of embedding the password into the command with the p switch. Wish there was a better way? Let me show you the light.

Benefits of Using Keys with SSH

Doesn’t prompt for a password (duh)
Can be used with non-interactive/unmonitored scripts (play off of the previous bullet)
FAR more secure – this is probably the biggest reason you should be going with this approach regardless of the previous benefits
Establish a “trusted connection”
Help prevent brute force attacks
Read this article on “old” password-style authentication

TL;DR Lezzdo’t.

Remember jack and jill on foo.com and bar.net? Well they didn’t fetch a pail of water, instead they generated an RSA key with ssh-keygen. We’re getting back to that now… There are two types of encryption: DSA and RSA. DSA is supposedly faster but not as compatible (isn’t compatible w/ Protocol 1). RSA has higher encryption (4096) and is more compatible, but at the cost of speed. Up to you, but i’ll be sticking with RSA.

Configure SSH and SSHD on foo.com and bar.net

Make sure that ssh is configured correctly on foo.com and bar.net: Use Protocol version 2, not 1 (you can use 1, but it is a PITA especially when you’re configuring multiple keys)
On bar.net in your sshd configuration (e.g., /etc/ssh/sshd_config) you’ll need the following configurations:

RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys

1
2
3

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
All other defaults (OOTB) should be good, maybe when you’re done you can set “PasswordAuthentication no” within bar.net’s sshd_config to force the usage of only key exchanges.

Generate a Key Pair on foo.com for Jack to Use

Create a .ssh directory in jacks’ home directory if it doesn’t exist yet, /home/jack or ~/ if you’re logged in as jack. actually from here on out, just assume you’re logged in as jack, if not, make sure you can sudo -u jack to make it seem like jack is issuing the commands. mkdir /home/jack/.ssh
chown jack:jack /home/jack/.ssh
chmod 700 /home/jack/.ssh
step 3 is important, make sure the perms took: stat .ssh
ssh-keygen -t rsa -C “the key for jill on bar dot net”
the t switch tells ssh-keygen what crypt to use (t = type) and the C switch is just a comment to leave in the public key string (c = comment)
Hit return
Now it starts to generate a public/private key pair and asks you where to save giving you a suggestion (default): /home/jack/.ssh/id_rsa
id_rsa is the default and you can stick with that, but if you want to store multiple, you’ll have to outsmart the keygen. remember, the computer is just a tool, its faster than you, but not nearly as smart. you need to be smarter than the computer if you’re not, this is a requirement unless you’re competing against an IQ of 150. before you hit enter, read step 10
save it to the file: /home/jack/.ssh/id_rsa.jillbarnet
take a moment and think, who is Jill Barnet?
when prompted for a passphrase just keep it blank and hit return (twice)… disclaimer: this is NOT really a good idea. you should always have a passphrase for security purposes, but i’m lazy right now and don’t wanna go through the extra steps, if you’re really worried RTFM.
notice /home/jack/.ssh/id_rsa.jillbarnet and /home/jack/.ssh/id_rsa.jillbarnet.pub
DONE.

Configure Jack’s Account to Use Multiple Key Pairs

This is important if you followed the last steps exactly. We generated a specific key file. By default, ssh looks for a file called id_rsa. If we wouldn’t have specified a file, ssh-keygen would’ve written to that default id_rsa file and loaded it by default every time. This sucks when it comes to managing multiple keys, so forget the default functionality; we’re gunna rock this bitch.

Create a file called config: touch /home/jack/.ssh/config
chown jack:jack /home/jack/.ssh/config
chmod 600 /home/jack/.ssh/config
edit the file (i like nano, sorry @ most of you vi snobs): nano /home/jack/.ssh/config
For each id_rsa.* entry we’ll need a Host and IdentityFile directive, all directives separated by at least a new line…

Host bar.net

IdentityFile ~/.ssh/id_rsa.jillbarnet

Host bobby.org

IdentityFile ~/.ssh/id_rsa.rickybobbyorg

Host *

IdentityFile ~/.ssh/id_rsa

The Host directive means that only the next line (IndentifyFile) is applicable when connecting to that specific host. The IdentifyFile directive describes what file to use in that situation. So lemmie pick this apart really quick. I indent because it looks pretty.

Lines 1 and 2 mean that ssh should use the file id_rsa.jillbarnet when connecting to host bar.net.
Lines 3 and 4tell ssh to only use file id_rsa.rickybobbyorg when connecting to bobby.org (where did he come from? read the next section and find out)
Lines 5 and 6 is basically a catch all. The asterisk is a wildcard, it means, for any host that hasn’t matched yet, use the default identity id_rsa.

Hint: If those files don’t exist ssh won’t crap out at all, it’ll die gracefully during the lookup and continue normal operations (and ask for a password). So no worries there.

In theory you could combine multiple identity files under the same host directive, but i haven’t tried it and don’t take my word for it. You can also wildcard partial host names, e.g. Host *.domain.tld – this i did try.

Understanding the Private Key and Public Key

So here’s the confusing part, really try to pay attention. Remember step 13 (scrunched together letter B) in previous? Why did it generate two files when you only specified one?

Well this is where private key and public key comes into play. The private key is “id_rsa.jillbarnet” and the public key is “id_rsa.jillbarnet.pub”. The private key STAYS with Jack on foo.com, it should never be shared, that’s why it is “private” you I-D TEN TEE. The public key is the one you can whore out to other accounts; i’ll squash the myth right now: the public key is not specifically for jill over at bar.net, it can be used for ricky over at bobby.org, or at both places (jill@bar.net and ricky@bobby.org). The public key simply acts as a “trusted” or “authorized” user who provides the private key. Read that last sentence two or three more times.

The private key looks something like this:

-----BEGIN RSA PRIVATE KEY-----

MIIEoQIBAAKCAQEAxc+8viqVTvwUSUHtI......stuff here...

....stuff here....more stuff........................

..................saE4gu4JClEYa5lPH8pYwnJLymGKZLRX/0

rN+pG5xhyXMGqADipFIWQcO/1z3s/YL3ZRg1h/5Ef7uBFTh3jA==

-----END RSA PRIVATE KEY-----

And the public key looks something like this (a command with a base64 encoded string + your custom comment):

1	ssh-rsa AAAAB3NzaC1yc2EAAAA...lots of characters...HKk3uaQ== the key for jill on bar dot net

Cool? Cool. Now let’s prep jill’s home dir.

Prep Jill’s Home Dir Over at bar.net for Jack’s Key

Let’s assume jill’s home directory is /home/jill. Again assuming you’re logged in as user jill and jill belongs to group jill (in previous i assumed jack belonged to group jack).

Make sure jill has a .ssh dir in her home directory, if not make one: mkdir /home/jill/.ssh
Verify jill is the sole owner: chown jill:jill /home/jill/.ssh
Make sure jill is the only one allowed to access that .ssh directory: chmod 700 /home/jill/.ssh
make a file called authorized_keys: touch authorized_keys
don’t know what touch does? RTFM: man touch. (just wanted to type “man touch”)
set restrictive perms (that’s permissions, not a hair-do) for authorized_keys: chmod 700 authorized_keys
At this point, in some envs/distros they require an authorized_keys2 file, just make sure it is identical to authorized_keys in terms of content and permissions. Or in my case with CentOS5, you don’t need it. so skip this step. I experienced this issue on a Debian box, fyi.
Copy the contents of id_rsa.jillbarnet.pub (the one with the content that starts “ssh-rsa” then has the base64 encoded string w/ the comment) and append it to authorized_keys. There are a million-n-a-half ways to do this. Figure it out.
For multiple entries in authorized_keys, just delimit them by new lines. so each line will start with “ssh_rsa”
I feel like i’m forgetting something, but that should do it.

Test From Jack’s Account on foo.com

1	[jack@foo.com ~]$ ssh jill@bar.net

Granted you did everything correctly, it will log you in w/o a password prompt. If it asks for a password, you screwed up somewhere, try again, do not pass go, do not collect 200 bones. Note that restarting SSHD will NOT solve your problem, no service restart is required.

That’s All She Wrote

Well that’s it. So now you can connect to multiple hosts using multiple private keys for jack at foo.com (using multiple id_rsa files and the config file updates), and multiple people can connect to jill over at bar.net (by copying the public key to authorized_keys and delimiting by new lines). Any questions? Too bad, I closed my comments.

Summary of Kickstart Changes

Kickstart Sample Configuration

VMware Tools Change

Add VMware Tools to YUM

Considerations

The Implementation (tl;dr)

The Technique

Notes

Synopsis

Automated Partition Schema

Bypassing “Storage Device Warning”

Auto Reboot

VMware Tools RPM

Add VMware Tools to YUM

Mirroring a Repository for NFS Kickstart Installation

Create the Repo Mirror

Keep the Local Mirror Updated

Configure NFS for Kickstart Network Installations

Update iptables for NFS

Use Local Repo Post Install

Kickstart Sample Configuration

Using the Kickstart Configuration

Register Your Private Nameservers at Your Registrar

Configuring named

Example Master/Authoritative Zone File

Example named Configuration

Almost Done: Test Stuff

Securing named

There’s Always Something to Mess Your Day Up

Download the SSL Certificate

Install the SSL Certificate with Java’s keytool into the keystore

TL;DR Working with keytool

Further Reading

Use Case

Benefits of Using Keys with SSH

TL;DR Lezzdo’t.

Configure SSH and SSHD on foo.com and bar.net

Generate a Key Pair on foo.com for Jack to Use

Configure Jack’s Account to Use Multiple Key Pairs

Understanding the Private Key and Public Key

Prep Jill’s Home Dir Over at bar.net for Jack’s Key

Test From Jack’s Account on foo.com

That’s All She Wrote