Curl is one of those command line tools that really does make our lives easier. APIs are expected of everything these days, from your washing machine to cloud management software, and rightly so. This is just a very simple example of using Curl to update a DNS record with an IP address. In this case I use it in my home lab to update a DNS record with my home internet IP address. Unfortunately my ISP doesn’t offer a static IP, but it’s not really a problem. There are free (with limitations) and paid dynamic DNS services out there, but why not do it yourself with a couple of lines of code? [Read more…] about Use Curl and Wget to Make Your Life Easier (DNS API update with external IP)
Following the theme for ELS (Essential Linux Skills) with CentOS 7 (see part 1), today I want to share what I consider to be the most important topic of the lot: firewalls. Securing your Linux host is, in my opinion, the first thing you should be doing before hosting any web services. In my last post, you learned all about systemd and hopefully are now comfortable with the switch from SysV init.
If you are responsible for building Linux hosts for web applications then this will be an especially important topic for you. The same applies if you want to master security with Linux. This might get a little technical, but hang in there.
RHEL (RedHat Enterprise Linux) and CentOS 7 introduce firewalld, which is now installed by default instead of iptables. Another newcomer, but not yet loaded by default with CentOS 7, is nftables. What’s the difference? Well, firewalld is new to the user-space, but it doesn’t replace iptables. Nftables will eventually replace iptables.
Confused? I don’t blame you, so let me explain the iptables architecture. It’s important to understand how iptables works in order to understand what firewalld and nftables bring to the table (pun intended).
We’ll start with this basic architecture diagram for netfilter:
This is the first of two Essential Linux Skills for CentOS blogs (see part 2). For many years I’ve become used to using service and chkconfig commands to manage services with RHEL (RedHat Enterprise Linux) and CentOS. In fact I first got my hands on a Unix system back in 1993, then got my first ever job as a Unix admin in 1996. I learned about SystemV runlevels, and then became used to using /etc/init.d/<service> to manage services. It takes a while to shake bad old habits, but CentOS 7 now uses systemd as the default init system.
Init (short for initialization) was the first process to start and the last to stop on a SysV (System V Unix) Linux system, and therefore we have the concept of runlevels. Each runlevel represents the state of the system, with runlevel 0 being shutdown (halt), 3 being multiuser mode (in other words it has now booted), and runlevel 5 is running the desktop environment if you use one (X Server starts and you have a desktop). Oh and runlevel 6 restarts the system.
Why is this important? Well, whether you like it or not, having core Linux skills is essential in the IT world we live in. In fact just a few weeks ago I was presenting at VMworld in San Francisco on a VMware Horizon for Linux Virtual Desktops technical deep dive. I was approached after the session by a customer who has a project to deploy RHEL virtual desktops to hundreds of students in a college. He thanked me as he had to go home the following week to configure some of those virtual desktops with direct pass-through to NVIDIA GRID graphics cards. The process of doing that requires installation of the driver at runlevel 3, but he had no idea what it meant despite it being a simple command (init 3). It also meant that he learned how to optimize RHEL by disabling unnecessary services that start at runlevel 3.
At VMware I see more and more customers deploying Linux desktops, but also server workloads are often running Linux (such as the server hosting this blog!), and virtual appliances.
SysV is still present on CentOS 7, but you’ll not find much there. If you run the following command, you can see which services are enabled at boot (runlevel 3). [Read more…] about Essential Linux Skills with CentOS 7 – Managing Services with systemd
As tempting as it is, I have no intention of jumping on the ‘Shellshock’ band wagon and writing a vague post on the subject. However, I do find this recent bash exploit interesting and worthy of investigation as it’s simple to test and has a plethora of vectors that could be exploited. I’ve read many media reports on this and unfortunately some of their layman’s terms are inaccurate or do not provide the full picture. The purpose of this blog post is for my own reference and for anybody who needs a starting point on where to look. For an in-depth look at this I would recommend you read Troy Hunt’s article. For a quick technical reference, feel free to read on… [Read more…] about Shellshock Vulnerability and Potential Exploitation (not another blog post on CVE-2014-6271 / CVE-2014-7169)
You know the story… you don’t have a static IP address for your internet connection so you use dynamic DNS, except a certain dynamic DNS company is no longer offering this for free. Well, an alternative is to script this yourself with a single line of code on your own Linux box at home and get it to update your DNS for you. You can have home.yourdomain.com update with your home internet IP automatically! I use Linode to provide me with my Linux web server, which runs on CentOS 6.2, but the other great thing about Linode is that you can use their name servers and have full access to your zone files. Even better still, they provide an API to do this and it’s really easy to set up.
What you need:
- A Linux machine (or Apple Mac) at home – This can be a virtual machine running on your home PC or lab server, Ubuntu on your PC or laptop, or you can even do this on your Apple Mac!
- A domain name hosted on Linode DNS servers.
- API key from Linode (Log into Linode then go to ‘my profile’ and scroll down to API key)
- A chair to sit on whilst you write some awesome bash scripts.
wget -qO- "https://api.linode.com/?api_key=${API_KEY}&api_action=domain.resource.update&DomainID=${DOMAIN_ID}&ResourceID=${RESOURCE_ID}&Target=[remote_addr]"
You’ll need to set the three variables (shown in <> below) as follows:
<API_KEY> – This is the API Key that you can obtain from the ‘my profile’ page on your Linode account.
<DOMAIN_ID> – To obtain this, log in to Linode and click on DNS Manager. Click on the ‘zone file’ for the domain and the ID is in square brackets at the top of the zone file (i.e. the ; yourdomain.com line).
<RESOURCE_ID> – Log in to Linode, go to DNS Manager and edit the domain zone that you wish to update. Now edit the host record (i.e. home) and you’ll see the URL is something similar to: https://manager.linode.com/dns/resource/yourdomain.com?id=723215. The ID number (723215) is your Resource ID.
The wget line calls the API function, and [remote_addr] tells Linode to set the record to the IP address the request is coming from (in other words, your home internet connection). If you want to get a bit more clever with your script, you could add an IF statement that compares your current IP address with the one already in the record. If they are different then update it, otherwise exit the script.
Automating the DNS Update:
The final step is to schedule this script to run every few hours. I use crontab for this, and it looks something like this:
0 */4 * * * /home/.scripts/linode-dns.sh 2>&1
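The IF-statement version suggested above, written as an added example that is not the original post's script (it also covers the curl/wget DNS update idea from the first excerpt): the API key is read from a mode-600 file rather than embedded in the script, the IP reply is validated before it goes anywhere near the API URL, and the update is only sent when the IP has changed since the last run. It assumes DOMAIN_ID and RESOURCE_ID in the environment and an IP_ECHO_URL of your choosing that returns your public IPv4 (a placeholder, not something the post names).

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed: $DOMAIN_ID and
# $RESOURCE_ID set in the environment, the API key in a chmod-600 file,
# and IP_ECHO_URL pointing at a service that answers with your public IPv4.

# Accept only a dotted quad so a garbled reply can never reach the API request.
valid_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the API URL as one quoted string (no unquoted ? or \& to worry about).
linode_update_url() {
    printf '%s' "https://api.linode.com/?api_key=$1&api_action=domain.resource.update"
    printf '%s\n' "&DomainID=$2&ResourceID=$3&Target=[remote_addr]"
}

# 0 (true) when the IP differs from the one last pushed, or nothing is cached yet.
ip_changed() {
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

main() {
    key_file="${LINODE_KEY_FILE:-$HOME/.linode-api-key}"   # chmod 600 this file
    api_key=$(cat "$key_file") || exit 1
    current_ip=$(wget -qO- "${IP_ECHO_URL:?set IP_ECHO_URL}" | tr -d '[:space:]')
    valid_ipv4 "$current_ip" || { echo "unexpected IP reply: $current_ip" >&2; exit 1; }
    cache="${LINODE_IP_CACHE:-$HOME/.linode-dns-last-ip}"
    if ip_changed "$current_ip" "$cache"; then
        # The key travels in the URL, so keep -q and never echo the URL itself.
        wget -qO- "$(linode_update_url "$api_key" "$DOMAIN_ID" "$RESOURCE_ID")" || exit 1
        echo
        printf '%s\n' "$current_ip" > "$cache"
    fi
}

# Only run when executed as the script itself, so the functions can be sourced.
case "$0" in */linode-dns.sh | linode-dns.sh) main "$@" ;; esac
```

Drop it in as /home/.scripts/linode-dns.sh and the crontab line above runs it unchanged; the 2>&1 means any "unexpected IP reply" message reaches you by cron mail.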
If you are looking to deploy multiple ESX/ESXi servers then there are plenty of methods and tools out there, some more complex than others. There are vendor specific deployment products available such as HP Rapid Deployment Pack (RDP) which uses Altiris, or alternatively there are free deployment tools such as ESX Deployment Appliance (EsleeDA) and Ultimate Deployment Appliance (UDA). UDA is my favorite tool for the job as it offers great flexibility such as the use of subtemplates (discussed later), and therefore it will be the basis of this article. It was created by Carl Thijssen and, thanks to Mike Laverick of RTFM, it also supports ESX/ESXi deployments; the latest build supports ESX/ESXi 4.1.
[Read more…] about VMware ESXi 4.1 Kickstart Scripted Deployment with UDA (PXE BOOT)
In this article I detail the steps required to configure your vMA as a Syslog server, and configure your ESX/ESXi hosts to send logging information to the vMA. Logging is often overlooked, but when managing multiple hosts it is far easier to send your logs to a Syslog server. I’m studying for the VCAP-DCA exam, and using vicfg-syslog is a requirement of the exam (Section 6.1) and the vMA is also essential to understand (Section 8.1). I hope my notes help you as they have helped me.
[Read more…] about 8.3 VCAP-DCA Study Guide – Configuring vMA for Logging
Start the VMware Tools installation
Using the VMware VI Client, right click on the Linux guest and select Install/Upgrade VMware Tools.
Mounting the CD-ROM
You’ll need to mount the CD-ROM on the Linux guest.
# mount /dev/cdrom /mnt
[Read more…] about Installing VMware tools on a Linux guest