Friday, 26 October 2018

How To Open A Port In CentOS 7 With Firewalld

Open Specific Port
Opening a port in firewalld is straightforward: in the example below we allow traffic from any source IP address to TCP port 100 in the default zone. First we modify the persistent configuration, then we reload firewalld with firewall-cmd so the change enters the running configuration.
[root@centos7 ~]# firewall-cmd --permanent --add-port=100/tcp
success
[root@centos7 ~]# firewall-cmd --reload
success
If --permanent is omitted, the change is applied to the running configuration immediately but is lost at the next reload or reboot; with --permanent alone it takes effect only after --reload, which is why both are used above. A port opened this way accepts connections from any address; where a service should only be reachable from certain networks, restrict the source with a rich rule or assign the interface to a less exposed zone.
We can check the ports that are opened in the current default zone with ‘--list-ports’ (add --zone=<name> for another zone; --get-active-zones shows which zone each interface belongs to).
[root@centos7 ~]# firewall-cmd --list-ports
100/tcp
As expected we see that TCP port 100 is open.
Should we wish to remove a port, we can use ‘--remove-port=’ instead.
We can also open a range of ports in the same way.
[root@centos7 ~]# firewall-cmd --permanent --add-port=200-300/tcp
success

Open Predefined Service

Rather than manually specifying a port number to allow through the firewall, we can make use of a number of predefined services, which may be easier. For example, instead of opening TCP port 80 we can use the ‘http’ service.
[root@centos7 ~]# firewall-cmd --permanent --add-service=http
success
[root@centos7 ~]# firewall-cmd --reload
success
Now if we list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed through by default.
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client http ssh
This is a predefined service and can be found as an XML file in the /usr/lib/firewalld/services/ directory. Here’s what the http service we just used looks like.
[root@centos7 ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
We can create custom services by copying one of these files into the /etc/firewalld/services/ directory and editing the copy. The files in /usr/lib/firewalld/services/ should NOT be modified: they are replaced on package updates, and a file of the same name in /etc/firewalld/services/ takes precedence anyway. After adding or changing a service file, run firewall-cmd --reload so firewalld picks it up before you reference it with --add-service.
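The two procedures above (opening validated ports, and defining a custom service under /etc/firewalld/services/) combined into one helper script, as an added example that is not part of the original post. It validates port specs before they reach firewall-cmd or the XML, writes the service file in the same layout as the shipped ones, and loads it into a zone either from any address or, when a source network is given, only from that network via a rich rule. SERVICE_DIR, the zone name, the source network and the DRY_RUN switch (print the firewall-cmd invocations instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: define a custom firewalld service
# from validated port specs and load it into a zone, optionally limited to one
# source network. Assumptions: SERVICE_DIR (default /etc/firewalld/services),
# the zone and source passed in, and DRY_RUN=1 to print the firewall-cmd
# invocations instead of running them.

SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"
DRY_RUN="${DRY_RUN:-0}"

# Accept "N/tcp", "N/udp" or "N-M/tcp|udp" with 1 <= N <= M <= 65535; reject
# anything else before it can reach firewall-cmd or the XML file.
valid_port_spec() {
    case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
    ports="${1%/*}"
    lo="${ports%-*}"
    hi="${ports#*-}"
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# write_custom_service NAME "Short text" SPEC... writes SERVICE_DIR/NAME.xml in
# the same layout as the files shipped under /usr/lib/firewalld/services,
# which are never edited; the copy in /etc/firewalld/services wins on reload.
write_custom_service() {
    name="$1" short="$2"
    shift 2
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    case "$short" in *['<>&']*) echo "short text must not contain <, > or &" >&2; return 1 ;; esac
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    out="$SERVICE_DIR/$name.xml"
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo "  <short>$short</short>"
        echo "  <description>Custom service $name</description>"
        for spec in "$@"; do
            echo "  <port protocol=\"${spec#*/}\" port=\"${spec%/*}\"/>"
        done
        echo '</service>'
    } > "$out"
    echo "$out"
}

run_cmd() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# enable_service NAME [ZONE] [SOURCE]: reload first so the daemon sees the new
# service file, then allow it either from any address (plain --add-service) or
# only from SOURCE (a rich rule), and reload again to activate the change.
enable_service() {
    name="$1" zone="${2:-public}" source="${3:-}"
    run_cmd firewall-cmd --reload
    if [ -n "$source" ]; then
        run_cmd firewall-cmd --permanent --zone="$zone" \
            --add-rich-rule="rule family=ipv4 source address=$source service name=$name accept"
    else
        run_cmd firewall-cmd --permanent --zone="$zone" --add-service="$name"
    fi
    run_cmd firewall-cmd --reload
}

# Usage: fw-service.sh NAME "Short text" ZONE SOURCE SPEC...   (SOURCE may be "")
if [ "$#" -ge 5 ]; then
    name="$1" short="$2" zone="$3" src="$4"
    shift 4
    write_custom_service "$name" "$short" "$@" >/dev/null || exit 1
    enable_service "$name" "$zone" "$src"
fi
```

Run it as root with DRY_RUN=1 first to see the exact firewall-cmd lines it would execute; the rich rule form is the one to use for anything that should not be reachable from the whole network, since a plain --add-service or --add-port opens the service to every address the zone sees.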

Sunday, 21 October 2018

Linux two-factor SSH authentication with a centralized database server

The script below adds a second username/password prompt, checked against a central MySQL database, on top of the normal SSH login; a session that fails the check or cancels the dialog has its terminal killed. Note that the table stores passwords in clear text and that the check is a second password rather than an independent factor.

Create the database:

  1. mysql -uroot -p
  2. create database Login;
  3. use Login;
  4. create table user (id int(10), Name varchar(25), Password varchar(25));
  5. insert into user (id,Name,Password) values (1,'mukesh','mukesh@123');
  6. exit

Copy the script below into /tmp/Login.sh:

vim /tmp/Login.sh

#!/bin/bash
# Second login gate: ask for a username and password with whiptail, check them
# against the central MySQL database and kill this session's terminal on
# failure or cancel.
tty_name=$(/usr/bin/ps -o tty= -p $$)   # terminal of this session, used by pkill -t
user=root                               # database user name
password=Voip@90                        # database password
DB=Login                                # database name
host=192.168.2.176                      # local or centralized database server IP

kill_session() {
    /usr/bin/pkill -9 -t "$tty_name"
}

while true
do
    # 3>&1 1>&2 2>&3 swaps stdout and stderr so the dialog is drawn on the
    # terminal while its answer is captured into the variable.
    UserName=$(whiptail --inputbox "please enter your username" 8 78 --title "User Name" 3>&1 1>&2 2>&3)
    if [ $? -ne 0 ]; then
        echo "User selected Cancel."
        kill_session
        continue
    fi
    Password=$(whiptail --passwordbox "please enter your Password" 8 78 --title "Password" 3>&1 1>&2 2>&3)
    if [ $? -ne 0 ]; then
        kill_session
        continue
    fi
    {
        for ((i = 0; i <= 100; i += 5)); do
            sleep 0.1
            echo $i
        done
    } | whiptail --gauge "Please wait while we check..." 6 50 0

    IsUserExist=0
    # Only a plain name of at most 25 characters (the Name column width) is
    # placed in the query; quotes or other metacharacters count as a failed
    # login instead of being interpolated into the SQL. The stored password is
    # fetched with -N -s (no header, raw value) and compared here rather than
    # in SQL, and the database password is passed through the environment, not
    # as -p$password where every user could read it in ps.
    if [[ "$UserName" =~ ^[A-Za-z0-9_.-]{1,25}$ ]]; then
        stored=$(MYSQL_PWD="$password" mysql -N -s -h "$host" -u "$user" "$DB" \
                 -e "SELECT Password FROM user WHERE Name='$UserName' LIMIT 1")
        if [ -n "$stored" ] && [ "$stored" = "$Password" ]; then
            IsUserExist=1
        fi
    fi

    if [ "$IsUserExist" -eq 1 ]; then
        echo "Thanks for Login $UserName" > test_textbox
        whiptail --textbox test_textbox 12 80     # filename height width
        break
    else
        echo "You have entered a wrong Username & Password." > test_textbox
        whiptail --textbox test_textbox 12 80
        kill_session
        continue
    fi
done
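The credential check of the gate above, isolated into functions so it can be exercised without a database, as an added example that is not part of the original post. It shows what the original string-interpolated query turns into for an input such as x' OR '1'='1, and the hardened variant in which only a validated name reaches the SQL text and the password is compared locally. DB, DBUSER, DBHOST and the DBPASS environment variable are assumptions mirroring the variables in the script; the user table is the one created above.

```shell
#!/bin/sh
# Added example, not from the original post: the credential check of the login
# gate above rebuilt so that user input never reaches the SQL text unchecked.
# DB, DBUSER, DBHOST and the DBPASS environment variable are assumptions that
# mirror the variables in the script; the user table is the one created above.

DB="${DB:-Login}"
DBUSER="${DBUSER:-root}"
DBHOST="${DBHOST:-192.168.2.176}"

# Names must fit the Name column (varchar(25)) and contain no quote, space or
# other SQL metacharacter; everything else is rejected before a query exists.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 25 ]
}

# The query text exactly as the original script assembled it, kept only to
# show what an input such as  x' OR '1'='1  turns it into.
unsafe_query() {
    echo "SELECT count(*) FROM user WHERE Name='$1' AND Password='$2' limit 1"
}

# Only a validated name is placed in SQL; the password is never interpolated.
stored_password_query() {
    valid_name "$1" || return 1
    echo "SELECT Password FROM user WHERE Name='$1' LIMIT 1"
}

# Run one statement and print its raw result (-N: no header, -s: no table
# framing). The password reaches mysql through the environment of this single
# child process instead of a -p argument that every user can read in ps.
db_query() {
    MYSQL_PWD="$DBPASS" mysql -N -s -h "$DBHOST" -u "$DBUSER" "$DB" -e "$1"
}

# check_login NAME PASSWORD: 0 = match, 1 = wrong or unknown, 2 = rejected name.
# The stored value is compared locally; the schema above keeps it in clear
# text, and hashing it (and comparing the hash here) is the obvious next step.
check_login() {
    q="$(stored_password_query "$1")" || return 2
    stored="$(db_query "$q")" || return 1
    [ -n "$stored" ] && [ "$stored" = "$2" ]
}
```

Compare unsafe_query "x' OR '1'='1" x with the output of stored_password_query for the same input: the first yields a WHERE clause that is true for every row, the second refuses the name outright, which is the whole difference between a gate that can be walked through and one that cannot.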

Sunday, 7 October 2018

Create custom Centos 7 Kickstart boot CD iso

Scenario: You want to create a custom CentOS 7 / RHEL 7 boot CD with custom kickstart files located on the CD. Furthermore you want to perform some post installation tasks like running some Puppet manifests. In this post I describe the process based on CentOS 7.1.

1) Install a base CentOS 7.1 virtual machine
First you need to install your build environment. It is sufficient to install a “@Base” system.
2) Prepare your build environment
If the installation of your CentOS 7.1 virtual machine is finished you can continue with preparing your build environment.
2.1 Create needed folder structure as root

mkdir -p ~/kickstart_build/isolinux/{images,ks,LiveOS,Packages,postinstall}

The folders will contain the following:
  • images: contents of the images directory located on the CentOS DVD
  • ks: all your kickstart files which we will create later on
  • LiveOS: contents of the LiveOS directory on the CentOS DVD
  • Packages: all RPM packages from the CentOS 7 DVD plus additional packages. In my case I will also install the Puppet agent, so I need some packages from Puppet Labs
  • postinstall: everything you want to do after installation, for example custom scripts or, in my case, Puppet modules.
2.2 Copy needed content
Now you need to copy all needed content from the CentOS DVD to your local folders. Save the CentOS 7 ISO file in /tmp, check its SHA-256 sum against the one published for the release (sha256sum /tmp/CentOS-7-x86_64-DVD-1503-01.iso) so you are not building from a corrupt or tampered image, and mount it somewhere.

mkdir -p /mnt/iso
mount -o loop /tmp/CentOS-7-x86_64-DVD-1503-01.iso /mnt/iso
cp /mnt/iso/.discinfo ~/kickstart_build/isolinux/
cp /mnt/iso/isolinux/* ~/kickstart_build/isolinux/
rsync -av /mnt/iso/images/ ~/kickstart_build/isolinux/images/
cp /mnt/iso/LiveOS/* ~/kickstart_build/isolinux/LiveOS/
ll /mnt/iso/repodata/ | grep -i comps
-rw-r--r--. 1 root root 157580 1. Apr 01:43 0e6e90965f55146ba5025ea450f822d1bb0267d0299ef64dd4365825e6bad995-c7-x86_64-comps.xml.gz

The checksum prefix of that file name changes with every release, so select the file by its suffix rather than typing the hash, and unpack it straight into the build directory:

gunzip -c /mnt/iso/repodata/*-c7-x86_64-comps.xml.gz > ~/kickstart_build/comps.xml

2.3 Get additional packages if needed
As already mentioned, I will also install the Puppet open-source client on my machines to install and configure them as needed, so the custom boot ISO has to carry the additional packages required to install and run Puppet manifests. Everything that ends up in Packages/ is installed with the installer's full trust, so verify downloaded RPMs (rpm --checksig, after importing the vendor's GPG key) before adding them.

mkdir /tmp/packages
cd /tmp/packages
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libselinux-ruby-2.2.2-6.el7.x86_64.rpm
wget -e robots=off --mirror --no-parent --no-host-directories --cut-dirs=4 http://yum.puppetlabs.com/el/7/products/x86_64/
wget -e robots=off --mirror --no-parent --no-host-directories --cut-dirs=4 http://yum.puppetlabs.com/el/7/dependencies/x86_64/
rm -Rf index* repodata

2.4 Copy all your packages and create repodata
Now it's time to bring the CentOS packages and your additional packages together. First copy all packages from the CentOS 7 ISO to your local folder, then the additional packages from /tmp/packages into your kickstart packages folder:

rsync -av /mnt/iso/Packages/ ~/kickstart_build/isolinux/Packages/
rsync -av /tmp/packages/ ~/kickstart_build/isolinux/Packages/

Now we need to create the repodata folder in ~/kickstart_build/isolinux/ (the isolinux directory becomes the root of the ISO, with the packages in its Packages/ subfolder):

yum install -y createrepo
cd ~/kickstart_build/isolinux
createrepo -g ~/kickstart_build/comps.xml .

3) Prepare Kickstart file
3.1 Create a kickstart
You need to create the kickstart file in ~/kickstart_build/isolinux/ks and name it for example ks.cfg. The content can look like this:

#version=RHEL7
# System authorization information
auth --enableshadow --passalgo=sha512

# Use CDROM installation media
cdrom
# Use text install
install
text
# Run the Setup Agent on first boot
firstboot --disable
#ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
# System language
lang de_DE.UTF-8
# Network information
network --bootproto=static --device=ens3 --noipv6 --activate --ip=192.168.100.2 --netmask=255.255.255.0 --gateway=192.168.100.1 --nameserver=192.168.100.1 --hostname=infrastructure.reimer.local
network --bootproto=static --device=ens9 --noipv6 --activate --ip=10.10.100.2 --netmask=255.255.255.0
# Root password
rootpw --iscrypted "some-crypted-password"
# System timezone
timezone Europe/Berlin --isUtc
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part /boot --fstype="xfs" --size=512
part pv.219 --fstype="lvmpv" --size 1 --grow
volgroup vg_system --pesize=4096 pv.219
logvol / --fstype="xfs" --size=1 --grow --label="rootlv" --name=rootlv --vgname=vg_system
logvol swap --fstype="swap" --size=2048 --name=swaplv --vgname=vg_system
reboot
%packages
@core
@Base
kexec-tools
git
mc
screen
puppet
tree
%end

You can validate your kickstart file like this:

ksvalidator ~/kickstart_build/isolinux/ks/ks.cfg

To create a crypted root password for the kickstart file, run the following. It prompts for the password instead of taking it on the command line (where it would end up in the shell history) and generates a random 16-character salt from the characters SHA-512 crypt accepts:

python -c 'import crypt, getpass, random, string; s = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits + "./") for _ in range(16)); print(crypt.crypt(getpass.getpass(), "$6$" + s))'

This generates a SHA-512 crypted password ($6$...). Keep in mind that the hash sits in clear text on the ISO, so anyone who can read the image can attack it offline: choose a strong password and change it after the first login.
3.2 Create kickstart postinstallation section
If you want to perform some postinstallation tasks within your kickstart installation you can add an appropriate section in the kickstart file. In my case I want to perform my Puppet configuration during the kickstart installation.
HINT: Be careful. In this case the first step will be the copy of the Puppet manifests from the ISO from which you boot your machine you want to kickstart. This action takes place in the NON-CHROOTED environment. The second step will be the Puppet run itself. This takes place in the CHROOTED environment.
Add the following at the end of your kickstart file:

# Copy needed Puppet files to /root/postinstall
%post --nochroot
#!/bin/sh

set -x -v
exec 1>/mnt/sysimage/root/kickstart-stage1.log 2>&1
echo "==> copying files from media to install drive..."
cp -r /run/install/repo/postinstall /mnt/sysimage/root
%end
%post
#!/bin/sh
set -x -v
exec 1>/root/kickstart-stage2.log 2>&1
ls -l /root/postinstall
puppet apply -l /root/puppetrun.log /root/postinstall/puppet/manifests/site.pp --modulepath=/root/postinstall/puppet/modules/ $*
%end

4) Time for action: create your custom CentOS 7 ISO file and test it

yum install -y genisoimage
cd ~/kickstart_build/
mkisofs -o centos-7-custom.iso -b isolinux.bin -c boot.cat -no-emul-boot -V 'CentOS 7 x86_64' -boot-load-size 4 -boot-info-table -R -J -v -T isolinux/

The volume label given with -V must match the one the copied isolinux.cfg looks for in its inst.stage2=hd:LABEL=... boot entries (CentOS\x207\x20x86_64 on the 7.1 DVD), otherwise the installer cannot find its second stage.
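The staging and image-building steps of sections 2 and 4 gathered into one script, as an added example that is not the original post's code. It assumes the ISO is already mounted at SRC (/mnt/iso), a build root BUILD (~/kickstart_build) and the volume label VOLID; it refuses to proceed when the ISO's SHA-256 does not match the sum you pass in, picks the comps file by suffix rather than by its checksum name, and with DRY_RUN=1 prints the createrepo and mkisofs commands instead of running them. The kickstart file and any extra packages still go into isolinux/ks and isolinux/Packages as described above.

```shell
#!/bin/sh
# Added example, not from the original post: the staging steps of section 2
# and the image build of section 4 as one script. SRC is the mounted ISO,
# BUILD the build root, VOLID the label given to mkisofs; all three are
# assumptions with the post's values as defaults. DRY_RUN=1 prints the
# createrepo/mkisofs commands instead of running them.
set -e

SRC="${SRC:-/mnt/iso}"
BUILD="${BUILD:-$HOME/kickstart_build}"
VOLID="${VOLID:-CentOS 7 x86_64}"
DRY_RUN="${DRY_RUN:-0}"

# verify_iso ISO SHA256: refuse media whose checksum differs from the one
# published for the release, so nothing unexpected ends up on the new image.
verify_iso() {
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# Create the tree from 2.1 and copy the boot files, images, LiveOS and
# packages from the mounted ISO into it (2.2 and 2.4).
stage_media() {
    for d in images ks LiveOS Packages postinstall; do
        mkdir -p "$BUILD/isolinux/$d"
    done
    cp "$SRC/.discinfo" "$BUILD/isolinux/"
    cp -r "$SRC"/isolinux/. "$BUILD/isolinux/"
    cp -r "$SRC"/images/. "$BUILD/isolinux/images/"
    cp -r "$SRC"/LiveOS/. "$BUILD/isolinux/LiveOS/"
    cp -r "$SRC"/Packages/. "$BUILD/isolinux/Packages/"
}

# The comps file carries a checksum prefix that changes per release, so select
# it by suffix; fail unless exactly one matches. Writes BUILD/comps.xml.
extract_comps() {
    set -- "$SRC"/repodata/*-comps.xml.gz
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one comps file under $SRC/repodata" >&2
        return 1
    fi
    gunzip -c "$1" > "$BUILD/comps.xml"
    echo "$BUILD/comps.xml"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# build_iso OUT: rebuild the repodata over the merged package set, then the
# bootable image. The label must equal the one in isolinux.cfg
# (inst.stage2=hd:LABEL=...), or the installer will not find its stage2.
build_iso() {
    run createrepo -g "$BUILD/comps.xml" "$BUILD/isolinux"
    run mkisofs -o "$1" -b isolinux.bin -c boot.cat -no-emul-boot \
        -V "$VOLID" -boot-load-size 4 -boot-info-table -R -J -T "$BUILD/isolinux/"
}

# Usage: build-ks-iso.sh ISO SHA256 OUT   (after mounting ISO on SRC)
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" || { echo "checksum mismatch for $1" >&2; exit 1; }
    stage_media
    extract_comps >/dev/null
    build_iso "$3"
fi
```

The extra packages from 2.3 are dropped into $BUILD/isolinux/Packages between stage_media and build_iso, and the kickstart file into $BUILD/isolinux/ks, exactly as in the manual steps; the script only removes the two places where the manual procedure is fragile (the hard-coded comps file name and the unverified ISO).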

Now start a new virtual machine from your custom CentOS 7 ISO file and insert the following option at kernel boot:

linux inst.ks=cdrom:/dev/cdrom:/ks/ks.cfg

Congratulations 🙂 Your kickstart installation should run. (http://www.frankreimer.de/?p=522)
