Tuesday, 28 February 2017

Setting up a Cisco 2960X Switch Stack

This tutorial will demonstrate how to get a pair of Cisco 2960X switches up and running as a stack with StackWise. We'll be using the following for this lab: 2x WS-C2960X-24TD-L, 2x 2960-X FlexStack stacking modules, 2x Bladeswitch stacking cables. I will be creating two stacks (the 2960-X model supports up to 8 stack members) since this provides redundancy if one of the stacking cables fails and also higher overall throughput: A single StackWise...

Monday, 27 February 2017

Fixed: Call "HostDatastoreSystem.QueryVmfsDatastoreCreateOptions" for object "datastoreSystem-xxxx" on vCenter Server "VC FQDN" failed.

The other day, when attempting to create a new VMFS datastore on an ESXi (6.0) host, I encountered the following message: Call "HostDatastoreSystem.QueryVmfsDatastoreCreateOptions" for object "datastoreSystem-xxxx" on vCenter Server "VC FQDN" failed. On further investigation it turns out that this usually happens when the partition table type is either not set to GPT / MSDOS or is invalid in some way. This is quite common when re-using old disks that were used by other systems. Note: ESXi 5.0+ will only work with either GPT or msdos partition...

Wednesday, 22 February 2017

Setting up SNAT with IPTables / CentOS 7 (NAT)

This tutorial will demonstrate how SNAT can be set up - in a common configuration - where we have an internal subnet / interface (eno1) and an external subnet / internet interface (wlp2s0), and we want to forward traffic from the clients on the internal subnet to the internet interface - while ensuring traffic is NAT'd when it leaves the egress (internet) interface. Let's firstly enable IP forwarding: echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf sudo sysctl -p Flush the iptables chains: Set the policy for the filter table chains: sudo iptables...

Setting up wireless bridge with CentOS 7, IPTables and dhcpd

This is useful in specific situations where you need to connect hardware appliances that have no means of connecting to a wireless network. Yes - you can buy specific 'off-the-shelf' devices to do this - although I refuse to buy any such device since it's actually pretty easy to perform on a normal computer (in my case an Intel NUC). I only had a single port on my NIC - so I ended up using a wireless USB dongle. So - let's firstly install CentOS 7 (minimal) onto the hardware we're going to use - I'll do this via USB boot - so to write the...

Connecting to wireless networks with nmcli in CentOS 7

For this tutorial I'll be using a USB wifi dongle - so we'll firstly check the kernel log, ensuring that it's picked the device up OK: dmesg | grep usb If detected - we should see it with: nmcli device show To check the device radio / check for available wireless networks we can issue: nmcli device wifi list Let's say that our SSID is 'WirelessNetwork' - in order to connect to it we will use the 'connection add' switch: nmcli connection add ifname wlp2s0 type wifi ssid WirelessNetwork To delete a connection - find out what it's been named with: nmcli connection...

Friday, 17 February 2017

Understanding the SCSI sg and sd driver in Linux

The sg driver allows users to send SCSI commands to SCSI-aware devices - for example to scan for disks. Once the scan has completed the SCSI disk driver (sd) can be initialised, providing block-level access to the media - typically only performing 'SCSI READ' and 'SCSI WRITE' commands. In order to retrieve a list of SCSI devices we can use the 'lsscsi' command (I prefer this to the usual lsblk since it conveniently provides additional information such as the SCSI bus, channel and LUN numbers etc.) lsscsi [0:0:0:0]    disk    ATA...

Quickly creating a (block) full backup of a USB mass storage device with dd

Are you ever running around looking for a spare USB drive? Ever wanted to quickly use a USB drive that already has data / partitions on it and only need it for a few hours? Try creating a quick block copy of the device with dd: dd if=/dev/sdd of=usb_backup.img; sync We use the 'sync' command to ensure that any buffers are flushed out to disk. And to restore the image back onto the USB drive after use: dd if=usb_backup.img of=/dev/sdd; s...

Thursday, 16 February 2017

Working with extended attributes in Linux

Extended attributes on Linux file systems such as ext3, ext4 and xfs allow us to provide enhanced security for our files. In order for extended attributes to work properly the filesystem (and kernel) must support them - you can easily check whether the filesystem supports them by checking the mount options with: sudo tune2fs -l /dev/mapper/fedora-home  | grep xattr Default mount options:    user_xattr acl If it is not enabled you can easily add the 'user_xattr' option to the appropriate mount in the fstab. Below I will describe...

Wednesday, 15 February 2017

Automatically running a script on system startup with RHEL / CentOS 7

CentOS 7 has adopted systemd, replacing the need for SysV init. This raises the question of how we can easily add a script to run on startup - traditionally it's pretty easy to do with the rc.local file: /etc/rc.local (RHEL based) or /etc/rc.d/rc.local (found in Debian based distros). In fact systemd actually maintains backward compatibility for the old SysV init scripts (/etc/init.d/) by using the systemd-sysv-generator utility. We can manually invoke this with: /usr/lib/systemd/system-generators/systemd-sysv-generator The init scripts...

Setting up replication with GlusterFS on CentOS 7

GlusterFS is a relatively new (but promising) file system aimed at providing a scalable network file system for typically bandwidth-intensive tasks - such as media streaming, file sharing and so on. There are also other alternatives I could have used instead - such as GPFS - although unless you have a pretty substantial budget not many businesses will be able to adopt it. Let's firstly set up our GlusterFS volume - on node A: yum install centos-release-gluster yum install glusterfs-server echo GLUSTER01 > /etc/hostname echo 10.0.0.2 GLUSTER02...

Tuesday, 14 February 2017

Warning: The resulting partition is not properly aligned for best performance.

When creating a new partition on an old disk via parted I received the following warning: mkpart pri 0 -1 Warning: The resulting partition is not properly aligned for best performance. Ignore/Cancel? This message appears because the logical sector (4kb) does not fit directly onto the physical sector (4kb), and as a result if you needed to read the logical sector you would have to read both physical sectors, resulting in a loss of performance. A sector is the smallest unit on a disk and will vary in size from drive to drive - although most modern...

Tuesday, 7 February 2017

A quick note on the /var/run directory

You learn something new every day - after manually creating a directory under /var/run I noticed that the directory did not persist across a reboot. Application startup scripts manually create the necessary folders upon boot. Now normally the /run file system is mounted as a tmpfs - you can easily verify this with: df -H | grep /run Although on closer inspection /var/run is actually a symbolic link to /run! So in order for us to ensure that the directory for our service (haproxy in this case) is created with the service startup script. Or in...

Getting your logs into AWS CloudWatch on CentOS 7

This tutorial will demonstrate how you can securely get the logs from your applications into the AWS CloudWatch service. For this tutorial we will be forwarding specific syslog messages to CloudWatch (I would like to capture RADIUS AAA information). Firstly and most importantly let's set up a secure IAM policy to ensure that we grant minimal access permissions to the host machine: IAM >> Add User >> Let's call it 'remoteaccess' - we'll untick 'AWS Management Console access' as this won't be necessary for our needs. We'll create...

Friday, 3 February 2017

Error: libsemanage.semanage_direct_remove_key: Unable to remove module radius_custom at priority 400. (No such file or directory).

The other day I received the following error message when attempting to disable a custom SELinux policy - semodule -r radius_custom libsemanage.semanage_direct_remove_key: Unable to remove module radius_custom at priority 400. (No such file or directory). semodule:  Failed! Clearly it was looking in the wrong place for the module (in hindsight I should have used strace to attempt to work out where it was trying to access) - although I ended up having to manually move the module from: mv /etc/selinux/targeted/active/modules/400/radius_custom...

Thursday, 2 February 2017

Setting up LinOTP on CentOS 7 with FreeRADIUS (Version 3)

Currently the LinOTP documentation does not explain exactly how to get FreeRADIUS 3 up and running with its Perl module. Some notes: There is no need to populate the 'users' file (/etc/raddb/users). Instead refer to the sample configuration below, which will work with FreeRADIUS 3: https://groups.google.com/forum/#!topic/privacyidea/O2wdnmxIFNw You will also need to install some additional dependencies for the LinOTP Perl module: sudo cpan LWP::Protocol::https sudo yum install perl-Crypt-SSLeay perl-Net-SSLeay I had to make extensive...

Wednesday, 1 February 2017

Using fatrace to monitor calls to specific directories / files on CentOS 7

Currently fatrace is not available within the EPEL repos for CentOS 7 - so we must instead download the Fedora COPR repo: cd /tmp curl https://copr.fedorainfracloud.org/coprs/ifas/fatrace/repo/epel-7/ifas-fatrace-epel-7.repo > /etc/yum.repos.d/ifas.repo yum install fatrace and then to monitor the current mount for open handles we can issue: sudo fatrace -f O -c The '-f' parameter specifies which event types we wish to monitor (here, open handles) - the available event types are as follows: C = Create file R = Read file O = Open file W = Write to file ...