Configuring a RHN Satellite Server with a Third Party Cert

Before making any adjustments, I made a backup of all of the files that I would be messing with using the tar command.

# tar -cvjf /root/ssl-backup.tar.bz2 /etc/httpd/conf/ssl.* \
/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem

The first thing that I wanted to do was change the hostname of my server to be something more user friendly. In my environment we have a very specific host naming convention that is extremely useful in determining the location, type, and environment of a server. Those names do not always make great URLs, so I wanted to CNAME it to satellite.example.com.

To change the hostname of the satellite server, you need to use the spacewalk-hostname-rename command. Unfortunately, it checks the hostname in a couple of different ways, including /proc/sys/kernel/hostname, the hostname command, and /etc/sysconfig/network. In order to make the command work, I temporarily changed the hostname of the box.

# hostname satellite.example.com
# vi /etc/sysconfig/network
HOSTNAME=satellite.example.com

After the hostname change is complete, you can run the spacewalk-hostname-rename command. When you run the command it will generate new certificates for you as well. Make sure you use the correct values for the CA you plan to use.

# spacewalk-hostname-rename

Once you have completed the rename and the services have been restarted, you will need to get the CSR and upload it to your CA. The CSR is located in /root/ssl-build/satellite/server.csr. After you have processed it through your CA and have received the cert, you need to install it on the server. To do that you will need to create a package and then install it.

# rhn-ssl-tool --gen-server --set-hostname=satellite --rpm-only
# rpm -Uvh ./ssl-build/satellite/rhn-org-httpd-ssl-key-pair-satellite-1.0-2.noarch.rpm

The last thing is to set up your Root CA. Copy the Root CA into the RHN-ORG-TRUSTED-SSL-CERT file in /var/www/html/pub, /usr/share/rhn, and /root/ssl-build. Once you have copied the file over you can rebuild the SSL package for the hosts and copy it to the pub directory. Once you have created the package you need to add the CA cert to the local database with the rhn-ssl-dbstore command.

# rhn-ssl-tool --gen-ca --rpm-only
# cp rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm /var/www/html/pub/
# rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

If your cert has an intermediate cert in addition to a root cert, you can chain them by combining both of them into the RHN-ORG-TRUSTED-SSL-CERT file, adding the intermediate followed by the root.
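The chaining step above is where a third-party cert most often goes wrong: if the bundle that clients receive holds only the root, a server cert issued by an intermediate does not verify. The script below is an added example, not code from the original post or from Satellite. It builds a throwaway root CA, intermediate CA and server cert with openssl (all CNs, paths and the reuse of satellite.example.com are constructed for the demo), assembles the trusted-cert file in the order the post describes, and then verifies the server cert against the full bundle and against the root alone.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway root CA,
# intermediate CA and server certificate with openssl, assemble the trusted-cert
# bundle in the order the post describes (intermediate first, then root), and
# verify the server certificate against it. Every path, CN and hostname here is
# constructed for the demo; none is a real Satellite or CA value.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=satellite.example.com   # constructed: the same placeholder hostname the post uses

# A minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Extensions for the intermediate: a CA that may only issue end-entity certs.
printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/int_ext.cnf"
# Extensions for the server cert: a leaf whose SAN carries the hostname.
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$HOST" > "$WORK/srv_ext.cnf"

build_demo_pki() {
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int_ext.cnf" -out "$WORK/int.crt" 2>/dev/null
  # Server CSR (the stand-in for /root/ssl-build/satellite/server.csr), signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/srv_ext.cnf" -out "$WORK/server.crt" 2>/dev/null
  # The bundle clients receive: intermediate followed by root, as in the post
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/RHN-ORG-TRUSTED-SSL-CERT"
}

# verify_chain TRUSTFILE SERVERCERT: prints "ok" when the server cert chains to
# TRUSTFILE and its SAN matches $HOST, "fail" otherwise.
verify_chain() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_demo_pki
echo "intermediate+root bundle: $(verify_chain "$WORK/RHN-ORG-TRUSTED-SSL-CERT" "$WORK/server.crt")"
echo "root only:                $(verify_chain "$WORK/root.crt" "$WORK/server.crt")"
```

The same two openssl verify calls work against a real RHN-ORG-TRUSTED-SSL-CERT and the cert returned by your CA; running them before the rhn-ssl-tool step catches a missing intermediate or a hostname mismatch before any client sees the new package.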

Posted in Linux, RHEL | Leave a comment

CFEngine 3 Access Controls

Yesterday I installed CFEngine 3 Enterprise in my home lab to start checking out what the differences are with the community edition that we use at work. The installation was extremely easy, and I like how CFEngine uses itself to install and configure its dependencies.

The first promise that I added was one to create my user accounts on any Linux box and copy over my .bashrc and .ssh/authorized_keys file to all my Linux boxes. The account creation worked just fine, but the copying of files kept failing.

At work, we use a separate directory outside of the normal CFEngine structure to store all of the files that we copy over to servers. Inside, the directory is structured like a normal Linux file system. For example, the generic httpd.conf file that we copy to all our servers would be in /cfrepo/etc/httpd/httpd.conf. For files that only go to specific servers or classes of servers, we do the same thing, only we add an extension to the name, such as /cfrepo/etc/ntp.conf.colo1.

While this worked without any issues in the community edition, it didn’t work in the Enterprise edition. After increasing the debugging level on both the server and the client I determined it had something to do with access controls.

After doing some research, I figured out that I needed to update /var/cfengine/masterfiles/controls/cf_serverd.cf and add my directory to the access_rules bundle. The code looks like:

    "/cfrepo"
      handle  => "cfengine_dir_access_policy",
      comment => "Grant Access to the cfengine repository",
      admit   => { "192\..*" };

The first line is the directory that you want to be available. It is followed by the handle and the comment. Finally, the admit string allows access to anybody on the 192 network.
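cf-serverd treats each admit entry as an anchored regular expression matched against the whole connecting address, so the pattern above admits every 192.x.x.x address, not only the lab range. The shell check below is an added example, not part of the original post or of CFEngine: it mirrors that anchored matching with grep -Ex and compares the post’s pattern with a narrower one (the 192.168.1.0/24 pattern and the sample addresses are constructed for the demo).

```shell
#!/bin/sh
# Added example, not from the original post: mirror cf-serverd's anchored admit
# matching in the shell so the reach of an admit pattern can be checked before
# it is deployed. Patterns and sample addresses below are constructed.
set -e

# admitted ADDRESS PATTERN...  -> prints "yes" if any pattern matches the whole address
admitted() {
  addr=$1
  shift
  for pat in "$@"; do
    # -E: extended regex (CFEngine's PCRE-style patterns here are plain ERE)
    # -x: the match must cover the whole line, which is what "anchored" means
    if printf '%s\n' "$addr" | grep -Eqx -- "$pat"; then
      echo yes
      return 0
    fi
  done
  echo no
}

BROAD='192\..*'                 # the pattern from the post: any address that starts with "192."
NARROW='192\.168\.1\.[0-9]+'    # constructed: only the lab's 192.168.1.0/24

for ip in 192.168.1.25 192.0.2.7 10.192.1.1; do
  printf '%-14s broad=%-3s narrow=%s\n' "$ip" \
    "$(admitted "$ip" "$BROAD")" "$(admitted "$ip" "$NARROW")"
done
```

The third address shows why anchoring matters: "192\..*" does not admit 10.192.1.1, because the pattern has to match from the first character. The second shows the cost of the broad pattern: 192.0.2.7 is admitted although it is outside the lab.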

Once I made the change, the files copied over as expected. I need to do a little bit more research on how access controls work in the commercial version, but for now I am happy.

Posted in CFEngine, Linux | Leave a comment

CFEngine

I have been working with CFEngine for a couple of years now. Up until about a year ago we were strictly running CFEngine 2, using it primarily to enforce compliance with our security policies. We had kicked around using it for more, but with everything else we had to do we never really got around to it.

We started our virtualization efforts about a year ago, and decided since we were going to be rebuilding a lot of systems and retiring many of our old physical boxes, it would be a great time to both move to CFEngine 3 as well as start using it for more than just enforcing some security policies.

We rebuilt our kickstart environment to use only one profile for every server that we built. Rather than using finish scripts to customize each host for its purpose (apache, java app server, db, etc), we started putting it into CFEngine. Account creation, package installation, and management of configuration files are all a part of our environment.

The key to our success is our host naming convention. Our convention is 9 characters: 6 letters and 3 numbers. A typical host name might look like this: c0htpr001. The first two letters tell the type and location of the server, in this case, it is a physical server in colo-0 (we use v0 for a virtual server in colo-0). The second two letters describe the type of server, such as an httpd server or db server. The final two letters indicate the environment it is in, qa, staging, production, etc. The numbers are used to iterate for servers that do the same thing.

This convention allows us to create classes in CFEngine to deploy specific files to the correct servers. If our qa server configuration is slightly different from prod, we just create a class called qa_servers. When we combine it with the type of server, such as ht_servers.qa_servers, we can now kickstart a new server and let CFEngine configure it for us.

We have come a long way from our CFEngine 2 days. We still have a lot of work to do and a few more challenges to figure out, but we are definitely on the right path.

Posted in CFEngine, Linux, Operations | 4 Comments

Switching Distros

Over the course of the last 15 years, I have run many different distros of Linux. My first exposure to Linux was back in 1998, when my buddy and I ordered a couple of different distros from cheapbytes.com, including Red Hat and Caldera. Back then installation was difficult and I was doing it a lot, so I gravitated towards Caldera since it had a game you could play during installation (Pac-Man in 1.2 and Tetris in 2.3, I think).

I have mostly run distros on the Red Hat side of the tree, including Red Hat, Fedora, Mandrake, and openSUSE. I favored Mandrake for a long time until I took my first pure Linux Administrator position (I was primarily a Solaris Administrator prior to that) and the corporation favored SUSE.

I switched my laptop distro to openSUSE and was immediately impressed. The YaST configuration tools are far superior to anything the other distros were doing. Manual configuration was a little more tricky, but once I got the hang of how things were done it was pretty straightforward. I became a little bit of an openSUSE evangelist, at least with my co-workers.

That lasted up until a few weeks ago, when I made the switch to Ubuntu for all my Linux desktop systems. The reason? Encryption. At the risk of sounding a little paranoid, I am a little uncomfortable with some of the recent pushes by government officials and law enforcement to have more access to data. If my elected officials don’t seem to feel that I deserve my privacy, I figured I better take matters into my own hands.

The switch has been pretty seamless, with the biggest learning curve centered around package management and installation. I am primarily a command line guy, so figuring out dpkg and apt-get as opposed to yum, zypper, or rpm took a little bit of time, mainly in figuring out the proper switches. I did have to switch from the default Unity desktop to KDE, which is my preferred desktop.

I haven’t run into any issues that I haven’t been able to solve, though there were a few that took a little bit of research. So far, I am pretty happy with the switch.

Posted in Linux | 1 Comment

5 Goals for 2013

With the New Year, comes a new set of goals. This year, there are five main goals that I will work to accomplish:

Write More. This is my top goal. I am always a bit self-conscious about my writing and as a result I struggle every time I sit down to write. I also know that the only way for me to get better at it is to actually do it every day. My goal is to write at least 350 words every day.

Improve My Time Management. I have been working on my time management over the years, but there is still room for improvement. I do a pretty good job of getting my daily tasks into my system, I just don’t do a great job using my system. My goal is to use my system to get more done.

Become More Self Sufficient. I am fascinated by the skills that we no longer possess. Growing and storing our own food, raising livestock, and maintaining our land are all things that our grandparents knew how to do that we no longer know how to do. My goal is to depend less on supermarkets and more on my own food source.

Lose Some Weight. Since leaving the military in 2000 I have put on more than a few too many pounds. While I do feel I am healthier than I was a few years ago, since I quit smoking and started running, I now need to tackle my weight. My goal is to lose 30 pounds this year.

Earn my VCP5-DV. For the last year or so I have been immersed in VMware. As I gain a more in depth knowledge, I have decided that I would like to be certified to show that I have that knowledge. My goal is to earn my VCP5-DV certification.

I am hopeful that the New Year will bring new challenges and new opportunities to grow. I am thankful for everything that happened in 2012. I pray that 2013 brings you everything you need and want.

Happy New Year!

Posted in Life, Philosophy | Leave a comment

Hitting the Trail

Damage from last year’s wildfire in Bastrop State Park

Things have started to cool down a little bit down here in Texas, which means spending a lot more time outdoors. Today we spent the day at Bastrop State Park. Last September, a wildfire swept through most of this park, affecting 96 percent of it.

We took the Scenic Overlook Trail and the Lost Pines Trail for about four miles in full pack to prepare for our overnight trip to Enchanted Rock in a few weeks. As we walked through the blackened pine trees, it was a little surreal. What struck me the most was the occasional pine tree that was still green and living, even with a blackened trunk.

A little bit of green in the black.

The blackened trees were beautiful in their own way, if not a little eerie. While we heard an occasional bird call, there really wasn’t a whole lot of wildlife in the area. Of course, it could be that we had 8 of my Boy Scouts along with us on the trip.

All in all, we had a great hike in great weather.  As I told my wife shortly after the hike began, I felt like a slinking on an escalator.


Posted in Outdoors | Leave a comment

Lament of the Lion’s Fan

As a Michigan native, I have always been a fan of the Detroit Lions. Growing up, we never had the best team but we were at least always in the hunt. We could almost always count on being over .500 and a wild card berth in the playoffs. Then Ford Sr. went bat shit crazy and hired Matt F*ing Millen.

This hiring began our descent into football hell. In eight years the Lions amassed a record of 31-97. Of course, his mark has been left on this team long after his departure. With the exception of last year (which is now looking like an anomaly), we really haven’t had shit to root for in 10+ years.

And it looks like that is going to continue for at least another year.  Good thing that I have the Tigers and the Red Wings, or else I would be going insane.

Posted in Rant | Leave a comment

Leadership Traits

This week I started a new series of Scoutmaster Minutes with my Boy Scout Troop. The focus is on leadership development. I learned most of my leadership skills from my time in the U.S. Army (almost 10 years). Some people may disagree, but after more than 10 years in civilian life I have found that the military is probably the best place to learn leadership.

It’s not to say that there are not other ways, but the hierarchical nature of the military lends itself to teaching leadership. A Sergeant never worries about losing his job to a Private. They both know that on the field of battle, however, if the Sergeant dies the Private may need to be ready to step in their place. So they train you from the first day to be a leader.

When I moved to the civilian world, I was amazed at how much different it was. Most of the people I worked for were too concerned with keeping the power they had, or too afraid that someone would outshine them, to really mentor subordinates. I was fortunate a time or two to have a supervisor that did care about mentoring subordinates (not surprisingly they were ex-military).

When I was working on my Business Management degree, one of the courses included a story about a Naval Officer who kept a list of 8 leadership traits on a 3×5 card in his pocket at all times. As I read them I recognized them as the traits that I tried to exemplify in my leadership, even though I had never specifically spelled them out anywhere. For a while I copied the Officer and kept them on a 3×5 card. As technology changed my 3×5 card changed to various Palm Pilots and Windows CE devices, BlackBerrys, Treos, and now my Android device.

As I was preparing my Scoutmaster Minute, I started searching the internet to see if I could find out where these 8 leadership traits originated. As I mentioned, I originally saw them in a textbook in a side story about a Naval Officer. I found a speech given by the Secretary of the Navy in 1995 where he shared these leadership traits with graduating officers from Annapolis. He mentioned in that speech that these traits were given to him by a theologian from California and were drawn from Chapter 27 of the Book of Acts in the Bible, what he calls “The Timeless Traits of Leadership”.

As you read through the list that follows, take a few minutes to reflect on each trait. I think that you will find, as I have, that nearly every leader that you have ever had that you consider a good leader exemplified these traits. It is what I strive for on a daily basis.


The Timeless Traits of Leadership

A leader is trusted
A leader takes the initiative
A leader uses good judgment
A leader speaks with authority
A leader strengthens others
A leader is optimistic and enthusiastic
A leader never compromises his absolutes
A leader leads by example

Posted in Leadership, Life, Philosophy | Leave a comment

Kickstart Files

I meant to post this last week, but unfortunately things were pretty busy.  While I was putting together my post on RHEL Kickstarts, I built a couple of files that I thought I would share.  You can find them at my Github account.  The kickstart.cfg file is the profile I used to create the host, and the kickstart.sh file is a finish script that runs post installation that copies over the source tree and configures the services that are needed.

Since my Kickstart server is a virtual, I also created a virtual floppy (kickstart_config.flp) that has both files on it and can be used for a completely automated build by adding the line “ks=hd:fd0:kickstart.cfg” to the boot parameters of the Install Disk.

You will need to edit the files for your environment, changing hostnames and IP addresses as needed.  These scripts will work with CentOS as well, but I would recommend editing the files and replacing RHEL63 with CentOS63.

Happy Kickstarting!

Posted in Linux | Leave a comment

Automated Host Builds Pt. 2 – Building a Kickstart Server

As an administrator, automatically provisioning hosts is one of the most important things you can do to ensure that you have a consistent environment.  For Red Hat Enterprise Linux (and CentOS as well), this is done through a Kickstart server.

Building a Kickstart server is fairly simple and straightforward. If you are to the point that you are building a Kickstart server I am assuming that you already know how to install the OS from DVD. I prefer a minimal install, but you can pretty much install the server to your preference. Once installed you need to make sure that you have the following additional packages installed as well:

libevent
libgssglue
libtirpc
rpcbind
nfs-utils-lib
nfs-utils
xinetd
tftp-server
portreserve
dhcp
mtools
syslinux

Once the host is installed, we need to create the directory structures. I like to create 5 directories: pre, post, os, profiles, and software. The pre directory contains the scripts that are run prior to installation, while post contains scripts that are run after installation. The os directory is where we copy the DVD and the profiles directory is where we will house our Kickstart profiles. Finally, the software directory is where we place any third party software such as VMware tools or the HP management agents.

# mkdir -p /data/kickstart/os/RHEL63_64
# mkdir /data/kickstart/pre
# mkdir /data/kickstart/post
# mkdir /data/kickstart/profiles
# mkdir /data/kickstart/software

# mount /dev/cdrom /mnt
# cp -R /mnt/* /data/kickstart/os/RHEL63_64

Configure DHCP

In order for the Kickstart server to work, a DHCP server is needed. While we use one for our desktops, our server infrastructure resides on different VLANs and, rather than muck around with Windows DHCP, we run a DHCP server right on the host. Doing so is fairly straightforward. All it requires is a dhcpd.conf file in the /etc/dhcpd directory.

# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see "man 5 dhcpd.conf"
#
ddns-update-style interim;

# PXE Boot
allow booting;
allow bootp;
class "pxeclients" {
        match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server 192.168.69.200;
        filename "linux-install/pxelinux.0";
}

###############################################################################
# Lab 2
subnet 192.168.69.0 netmask 255.255.255.0 {
        option routers                  192.168.69.1;
        option subnet-mask              255.255.255.0;
        option domain-name              "lab.local";
        option domain-name-servers      192.168.69.4;
        #option time-offset             -21600; # Central Standard Time
        option ntp-servers              192.168.69.4;

        range dynamic-bootp 192.168.69.193 192.168.69.222;
        default-lease-time 3600;
        max-lease-time 28800;
}

#host HOSTNAME {
#       option host-name "HOSTNAME.lab.local";
#       hardware ethernet AA:AA:AA:AA:AA:AA;
#       fixed-address IP;
#}

Once you edit dhcpd.conf to match your environment, start the service and configure it to run on startup.

# service dhcpd start
# chkconfig dhcpd on

Configure TFTP

Create the TFTP directory structure and copy the appropriate files into it.

# mkdir -p /var/lib/tftpboot/linux-install/pxelinux.cfg
# mkdir /var/lib/tftpboot/linux-install/RHEL63_64
# cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/linux-install
# cp /usr/share/syslinux/menu.c32 /var/lib/tftpboot/linux-install
# cp /data/kickstart/os/RHEL63_64/images/pxeboot/* /var/lib/tftpboot/linux-install/RHEL63_64

Next, edit /var/lib/tftpboot/linux-install/pxelinux.cfg/default and create the menu that will be used by pxeboot.

timeout 100
default menu.c32

menu title Kickstart Server

LABEL hddboot
  LOCALBOOT 0x80
  MENU LABEL Boot from local disk

LABEL rhel63
  MENU LABEL ^Install RHEL 6.3
  KERNEL RHEL63_64/vmlinuz
  APPEND initrd=RHEL63_64/initrd.img ramdisk_size=14532 ks=nfs:192.168.69.20:/data/kickstart/profiles/rhel63_64.cfg

Finally, configure xinetd to allow tftp and restart the service.

# sed -i '/disable/ d' /etc/xinetd.d/tftp
# service xinetd restart

Configure NFS

The final step of configuring the Kickstart server is setting up the NFS server. This is done by adding the Kickstart directory to the /etc/exports file.

/data/kickstart         *(ro,async,no_root_squash)

Start NFS and configure it to start on boot.

# service rpcbind start
# service nfs start
# chkconfig nfs on

With that, your Kickstart server is installed. The next step will be to get a kickstart profile built so that you can start building your hosts.
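The four pieces set up above (directory tree, DHCP, TFTP menu, NFS export) have to agree with each other, and a typo in any one of them only shows up as a hung PXE boot. The script below is an added example, not part of the original post: a pre-flight check that reads the pxelinux default menu and confirms that every kernel and initrd it names exists under the TFTP root and that every ks=nfs: profile exists on disk inside a directory listed in /etc/exports. It rebuilds the post’s layout under a temporary directory with empty placeholder files, so every path it touches is constructed for the demo; on a real server you would point it at /var/lib/tftpboot/linux-install, /etc/exports and / instead.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that the PXE
# menu, the TFTP tree and the NFS exports agree with each other before the first
# host is booted. It rebuilds the post's layout under a throwaway directory, so
# every path below is constructed for the demo rather than read from a live server.
set -e

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
TFTP="$DEMO/var/lib/tftpboot/linux-install"
EXPORTS="$DEMO/etc/exports"
DATA="$DEMO/data/kickstart"

# Constructed copy of the layout from the post (empty files stand in for the real ones).
mkdir -p "$TFTP/pxelinux.cfg" "$TFTP/RHEL63_64" "$DATA/profiles" "$DEMO/etc"
: > "$TFTP/pxelinux.0"
: > "$TFTP/menu.c32"
: > "$TFTP/RHEL63_64/vmlinuz"
: > "$TFTP/RHEL63_64/initrd.img"
: > "$DATA/profiles/rhel63_64.cfg"
printf '/data/kickstart\t*(ro,async,no_root_squash)\n' > "$EXPORTS"
cat > "$TFTP/pxelinux.cfg/default" <<'EOF'
timeout 100
default menu.c32

menu title Kickstart Server

LABEL hddboot
  LOCALBOOT 0x80
  MENU LABEL Boot from local disk

LABEL rhel63
  MENU LABEL ^Install RHEL 6.3
  KERNEL RHEL63_64/vmlinuz
  APPEND initrd=RHEL63_64/initrd.img ramdisk_size=14532 ks=nfs:192.168.69.20:/data/kickstart/profiles/rhel63_64.cfg
EOF

# check_pxe_menu TFTPDIR MENU EXPORTS ROOT
#   For every KERNEL/APPEND entry in MENU: the kernel and initrd must exist under
#   TFTPDIR, and each ks=nfs:SERVER:/path profile must exist on disk (under ROOT,
#   "/" on a real server) and sit inside a directory listed in EXPORTS. Prints one
#   line per problem and returns the number of problems found.
check_pxe_menu() {
  tftpdir=$1; menu=$2; exports=$3; root=$4; problems=0
  # Files pxelinux will fetch over TFTP: KERNEL operands and initrd= arguments
  for f in $(awk 'toupper($1)=="KERNEL" {print $2}
                  toupper($1)=="APPEND" {for (i=2; i<=NF; i++) if ($i ~ /^initrd=/) print substr($i, 8)}' "$menu"); do
    [ -f "$tftpdir/$f" ] || { echo "missing under TFTP root: $f"; problems=$((problems + 1)); }
  done
  # Profiles anaconda will fetch over NFS: ks=nfs:SERVER:/path arguments
  for ks in $(awk 'toupper($1)=="APPEND" {for (i=2; i<=NF; i++) if ($i ~ /^ks=nfs:/) print $i}' "$menu"); do
    path=${ks#ks=nfs:}; path=${path#*:}        # drop "ks=nfs:" and "SERVER:"
    [ -f "$root$path" ] || { echo "profile not on disk: $path"; problems=$((problems + 1)); }
    exported=0
    for dir in $(awk '$1 ~ /^\// {print $1}' "$exports"); do
      case "$path" in "$dir"/*) exported=1 ;; esac
    done
    [ "$exported" -eq 1 ] || { echo "not under an exported directory: $path"; problems=$((problems + 1)); }
  done
  return "$problems"
}

if check_pxe_menu "$TFTP" "$TFTP/pxelinux.cfg/default" "$EXPORTS" "$DEMO"; then
  echo "PXE menu, TFTP tree and exports are consistent"
fi
```

The return value is the number of problems, so the check drops straight into a cron job or a build script; the one case it deliberately does not cover is DHCP, since next-server and filename live in dhcpd.conf rather than in the menu.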

Posted in Linux, Operations | Tagged | Leave a comment