firewalld service file for dhcpd-failover

The problem

I have been practicing with ISC dhcp in preparation for overhauling my network. While working with dhcp failover peers, I have run into a problem. My peers couldn’t talk to each other. I eventually figured out it was the firewall. Some of the errors I got included:

Apr 05 17:56:55 centos7-01a.vm.example.com dhcpd[956]: failover peer allvm: I move from recover to startup
Apr 05 17:56:55 centos7-01a.vm.example.com systemd[1]: Started DHCPv4 Server Daemon.
Apr 05 17:57:10 centos7-01a.vm.example.com dhcpd[956]: failover peer allvm: I move from startup to recover

The solution

With the help of a post on the World Wide Web, I have shamelessly ripped off a firewalld service file. Loading this file into the firewall daemon solved my dhcp failover peer communication problem. Do this on both servers.

tf=/usr/lib/firewalld/services/dhcpd-failover.xml
touch "${tf}"; chmod 0644 "${tf}"
cat <<EOF >"${tf}"
<?xml version="1.0" encoding="utf-8"?>
<!-- Reference: https://www.centos.org/forums/viewtopic.php?t=54348 -->
<service version="1.0">
  <short>DHCPD Failover</short>
  <description>This allows a DHCP server to communicate with a failover peer.</description>
  <port protocol="tcp" port="647" />
</service>
EOF
systemctl reload firewalld.service
firewall-cmd --permanent --add-service=dhcpd-failover
firewall-cmd --reload

References

Weblinks

  1. https://www.centos.org/forums/viewtopic.php?t=54348
  2. DHCP failover guide http://geekyadmins.com/dhcp-server-setup-with-failover-in-centos-7/

Comment whole section from ini file

Instead of using the ansible ini_file module with state=absent section="Zabbix", you can use this one-liner to comment out the section instead of deleting it. I realize you can just use the backup=yes option, but this is for the quick cases where you don't want to fire up ansible:

tmpfile1=$( mktemp ); sed -r -e '/^\[/i#ENGLISH877' ~/foo | sed -r -e '/^\[Zabbix\]/,/ENGLISH877/s/^/#/;' | sed -r -e '/#ENGLISH877/d' > ${tmpfile1}; cat ${tmpfile1} > ~/foo

Explanation

The first sed statement inserts a new line with content “#ENGLISH877” (random string that will be unlikely to cause collisions) right before the start of each new section.
The second sed statement then modifies the section specified (“Zabbix”) and inserts comments at the beginning.
The last sed removes all instances of the random string we inserted.
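The same transformation as the sed pipeline, written as an added example that is not from the original post: a Python function that comments out one named section, treating every following section header the way the #ENGLISH877 marker does, and additionally skipping lines that are already comments so that running it twice does not stack "##". The INI text is constructed for the demonstration.

```python
import re

# Constructed sample INI content; the section to silence is [Zabbix], as on the page.
SAMPLE_INI = """[General]
LogLevel=info

[Zabbix]
Server=zabbix.example.com
Port=10051

[Mail]
Host=smtp.example.com
"""

# A section header is a line that starts with "[", exactly what the sed /^\[/ matched.
SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def comment_section(text, name):
    """Return `text` with every line of section `name` (header included)
    prefixed by '#'. Any later header ends the range, like the marker line
    the first sed inserted; if `name` is the last section the range runs to
    end of file, which is also what the sed range does. Lines that already
    begin with '#' are left alone, so the function is idempotent."""
    out = []
    inside = False
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            inside = (m.group(1) == name)
        if inside and not line.startswith("#"):
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out)
```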

New user in freeipa has plain bash shell instead of reading .bashrc

So you have a new user in freeipa, and he can successfully log in to a freeipa client. And you know for certain you executed ipa-client-install with the --mkhomedir option. But when you open a terminal as the new user, it shows you the boring bash prompt 'bash-4.1$' or whatever version.

You checked the /etc/skel, and it has a valid .bashrc file, and when you dot source your own ~/.bashrc, it then loads the prompt you expect.

Here’s your issue: do a getent passwd username. Look at the login shell of the user. It’s going to be the default /bin/sh. Just change it in ipa to be /bin/bash! An sss_cache -E command was not enough; you have to log out and then back in to have it take effect. It’s probably because the terminal emulator is being called from a process that was started before the account was changed.

Ssh into NATted VM via AutoSSH

Overview

Suppose you have a virtual machine running on a NATted network connection. It can get out to the Internet just fine.
But because of the network address translation (NAT), you can't send traffic into that network from outside. So you can't just ssh username@vm.example.com and get in. You need something a little fancier to accomplish that. This document explains how.

Sample environment

For this document, these example values will be used. The vm is centos.vm.example.com and the system on the main network is desktop.example.com. The desktop will have its port 5000 forwarded to the vm's port 22, which is the standard ssh port.

Set up autossh

You need ssh connectivity from the vm to the physical host. Make sure the account that will run the tunnel (root, since the systemd unit below has no User= line) can log in from the vm to the physical host automatically. A good way to do that is with an ssh key. If you need to generate one on the vm and copy it to the physical machine, use these commands.
# on vm
ssh-keygen # follow the prompts

The next step is to copy it to the physical machine.
# still on vm
ssh-copy-id username@desktop.example.com

Check that you can log in automatically with
ssh username@desktop.example.com
Once that is done, install autossh and make a systemd service file and enable and start it.
yum -y install autossh
tf=/usr/lib/systemd/system/autossh-ssh.service
touch "${tf}"; chmod 0644 "${tf}"
cat <<EOF > "${tf}"
[Unit]
Description=AutoSSH tunnel service for ssh
After=network.target
[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -N -R 5000:localhost:22 username@desktop.example.com -p 22
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable autossh-ssh.service
systemctl start autossh-ssh.service

Using the reverse tunnel

To connect to centos.vm.example.com, you just need to do this:
ssh centosusername@localhost -p 5000

Bonus: nickname the connection and copy ssh key

What I did was set up my ~/.ssh/config file with the following snippet, so I can just use the nickname “centosvm.”

# in ~/.ssh/config, mode 0600
Host centosvm centosvm.vm.example.com
 User centosuser
 Hostname localhost
 Port 5000

I then copied my ssh id to that, so I could connect without a password.
ssh-copy-id centosvm

References

  1. https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/
  2. http://www.harding.motd.ca/autossh/index.html
  3. http://surniaulula.com/2012/12/10/autossh-startup-script-for-multiple-tunnels/

Remove only certain duplicate lines with awk

Basic solution

http://www.unix.com/shell-programming-and-scripting/153131-remove-duplicate-lines-using-awk.html demonstrates and explains how to use awk to remove duplicate lines in a stream without having to sort them. This statement is really useful.
awk '!x[$0]++'

The fancy solution

But if you need certain duplicated lines preserved, such as the COMMIT statements in the output of iptables-save, you can use this one-liner:
iptables-save | awk '!asdf[$0]++; /COMMIT|Completed on|Generated by/;' | uniq
The second awk rule prints again any line that matches "COMMIT" or "Completed on" or "Generated by", which appear multiple times in iptables-save output (hence the trailing uniq, since a first-seen match is printed by both rules). I was programmatically adding rules, and one host in particular kept adding new ones despite an identical rule already existing. So I had to remove the duplicates and save the output, but keep all the duplicate "COMMIT" statements. I also wanted to keep all the comments.
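The same filter as the awk one-liner, as an added example that is not from the original post: a Python function that drops repeated lines but always passes through lines matching the keep pattern, so no trailing uniq is needed. The iptables-save text is constructed, with one rule deliberately duplicated.

```python
import re

# Constructed sample resembling iptables-save output; the port 22 rule is duplicated.
SAMPLE_SAVE = """# Generated by iptables-save v1.4.21 on Mon Apr  6 10:00:00 2020
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 647 -j ACCEPT
COMMIT
# Completed on Mon Apr  6 10:00:00 2020
# Generated by iptables-save v1.4.21 on Mon Apr  6 10:00:00 2020
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Apr  6 10:00:00 2020
"""

# Lines that legitimately repeat in iptables-save output, as on the page.
KEEP_RE = re.compile(r"COMMIT|Completed on|Generated by")


def dedupe_rules(text, keep=KEEP_RE):
    """Emit each line once (the awk '!x[$0]++' idea) except lines matching
    `keep`, which are emitted every time they occur. Unlike the awk+uniq
    pipeline, no line is ever printed twice, so uniq is not required."""
    seen = set()
    out = []
    for line in text.splitlines():
        if keep.search(line) or line not in seen:
            seen.add(line)
            out.append(line)
    return "\n".join(out) + "\n"
```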

vim set regextype perl

The problem

Vim is a great editor. I use it every day, and that includes weekends. I've run into an issue where, to search with the regular expression (dest|path):, I needed to escape the parentheses and the pipe. That gets tedious.

The solution

I found my solution at stackoverflow: http://stackoverflow.com/questions/5770058/vim-and-regular-expression-what-kind-of-regex-does-vim-use/26600989#26600989.

At the beginning of your search expression, use \v which then uses a “very magic” regex mode in which fewer escapes are needed.

/\v(dest|path):

Add extension to firefox as default

Overview

I am building an rpm containing my custom config files for myself. In the course of doing so, I wanted to add an extension to firefox because I want to use it all the time. I wanted the extension to be installed automatically in Firefox for a new user profile.

I had to go learn how to do it. This document shows how to do just that.

Add extension to firefox as default in GNU/Linux

You need to get the extension ID of the extension. You can get the extension id by opening the xpi file in an archive opener (on xfce I used the default Xarchiver) and examining install.rdf. The tag is <em:id>.

Name the file after that id, "id.xpi", e.g., "{52c2877e-44e1-11e5-8874-a62d1d5d46B0}.xpi".

Place this file in /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ directory. Chmod to 0644 and chown root:root.
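The two lookups described above (read <em:id> out of install.rdf inside the xpi, then derive the filename under the global extension directory), as an added example that is not from the original post. Reading the id out of the package itself is also the check that the file you are installing for every user on the system is the add-on you think it is. The sample xpi is constructed in memory; no real add-on is involved.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
# Global Firefox extension directory named on the page.
FIREFOX_EXT_DIR = "/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"


def extension_id(xpi_bytes):
    """Return the <em:id> of the add-on described by install.rdf inside an
    xpi (a zip archive), or None when there is no install.rdf or no id."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        if "install.rdf" not in z.namelist():
            return None
        root = ET.fromstring(z.read("install.rdf"))
    # The install-manifest Description encloses the targetApplication
    # Descriptions (which carry Firefox's own em:id), so pre-order iteration
    # reaches the add-on's id first. em:id may be an attribute or a child.
    for desc in root.iter("{%s}Description" % RDF_NS):
        ext_id = desc.get("{%s}id" % EM_NS)
        if ext_id is None:
            child = desc.find("{%s}id" % EM_NS)
            if child is not None and child.text:
                ext_id = child.text.strip()
        if ext_id:
            return ext_id
    return None


def install_path(xpi_bytes):
    ext_id = extension_id(xpi_bytes)
    if ext_id is None:
        raise ValueError("no em:id in install.rdf")
    return "%s/%s.xpi" % (FIREFOX_EXT_DIR, ext_id)


def make_sample_xpi(ext_id):
    """Constructed minimal xpi for the demonstration (not a real add-on)."""
    rdf = ('<?xml version="1.0"?>'
           '<RDF xmlns="%s" xmlns:em="%s">'
           '<Description about="urn:mozilla:install-manifest">'
           '<em:id>%s</em:id><em:name>Sample</em:name>'
           '<em:targetApplication><Description>'
           '<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>'
           '</Description></em:targetApplication>'
           '</Description></RDF>' % (RDF_NS, EM_NS, ext_id))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
    return buf.getvalue()
```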

How not to do it

I actually started this task for Firefox as a way to have all my settings made available, similar to what this person does: https://github.com/jamielinux/securemymozilla. I eventually made my way to deciding which extensions I want to have present (because the Korora guys can do it). So I started looking at ~/.config. Well, I learned Firefox uses ~/.mozilla/firefox/.
I eventually learned that Korora installs its default firefox extensions (xclear and uBlock origin) into the /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ directory. There was a weirdly named hashed extension (an extension being a .xpi file, which I remember from a decade ago in my Windows days, so I know what they are), as well as two named xpi files: xclear and uBlock. I eventually figured out (by opening it with Firefox) that the hashed file was the default firefox theme.
I downloaded the xpi file of my choice (Remove It Permanently) but I couldn't get it to actually load in a new firefox profile. You can force a new firefox profile by deleting ~/.mozilla/firefox/profiles.ini and ~/.mozilla/firefox/987654321.default/.

References

Weblinks

  1. Useful for other customization of firefox https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
  2. Most helpful, from search “Linux add default extension to firefox” https://developer.mozilla.org/en-US/Add-ons/Installing_extensions
  3. Interesting but didn’t use https://mike.kaply.com/2010/08/05/creating-a-customized-firefox-distribution/
  4. Also interesting but not helpful here https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Customizing_Firefox
  5. Pointed me in the right direction https://github.com/kororaproject/kp-mozilla-xclear/blob/master/build/mozilla-xclear.spec
  6. Cool project that inspired me https://github.com/jamielinux/securemymozilla

People

Korora developers in #korora irc channel on freenode

Send authenticated gmail from command line

Overview

You can send basic email from the command line. That’s been done a million times before, including by me!
Did you know that you can send email from the command line, from your gmail account that you authenticated to? That’s a big deal for some people. This document describes how to do that.

Sending gmail from command line

Install packages msmtp and mutt.
yum install msmtp mutt
Write the conf file and fill in the pertinent information.
# write conf file
tf=/etc/msmtprc
touch "${tf}"; chmod 0600 "${tf}"; chown root:root "${tf}";
cat <<EOF >"${tf}"
account default
tls on
tls_certcheck off
auth on
host smtp.gmail.com
port 587
user bgstack15@gmail.com
from bgstack15@gmail.com
password plaintextpassword
#
account second
tls on
tls_certcheck off
auth on
host smtp.gmail.com
port 587
user secondaccount@gmail.com
from secondaccount@gmail.com
password plaintextpassword
EOF
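The file above turns certificate checking off (tls_certcheck off), so the login is handed to whichever server answers as smtp.gmail.com, and it keeps the password in the clear in the file. As an added example rather than the original post's file, here is the same default account with verification turned on against the system CA bundle (the CentOS 7 path) and the password read at send time from a gpg-encrypted file; /etc/msmtp-gmail.gpg is an assumed path:

```conf
account default
tls on
tls_starttls on
tls_certcheck on
tls_trust_file /etc/pki/tls/certs/ca-bundle.crt
auth on
host smtp.gmail.com
port 587
user bgstack15@gmail.com
from bgstack15@gmail.com
passwordeval gpg --quiet --for-your-eyes-only --no-tty --decrypt /etc/msmtp-gmail.gpg
```

The file still needs mode 0600, as on the page, because passwordeval runs whatever command is written there.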

Now you can send an email with this command.
echo -e "From: Pretty Name <bgstack15@gmail.com>\r\nTo: destination@example.com\r\nSubject: Example subject\r\n\r\nContent goes here." | msmtp --debug --account=default -t destination@example.com

Sending attachments

Configure mutt if you want to send attachments from the command line.
cat <<EOF >> /etc/Muttrc.local
set sendmail="/usr/bin/msmtp"
set use_from=yes
set realname="Pretty Name"
set from=bgstack15@gmail.com
set envelope_from=yes
EOF

Send an email in html format and with an attachment.
subject="This is the subject
Mime-Version: 1.0
Content-Type: text/html"
mutt -a ~/attachment.txt -s "${subject}" -- destination@example.com << EOF
<html><body><pre>
This will be fixed width font. I find it useful for sending code fragments or log files.
</pre></body></html>
EOF

Authenticating to gmail from command line

The Arch Linux wiki provides an important reminder:

Tip: If using Gmail you’ll need to either

  • Allow “Less Secure Apps” in Settings > Security. Make sure to sign out of your other Gmail accounts first because the security settings part of Google Accounts can not manage concurrent sessions of more than one account.
  • Enable two factor authentication and create an app password.

References

  1. Send.sh from bgscripts package https://github.com/bgstack15/bgscripts/blob/master/usr/share/bgscripts/send.sh
  2. https://wiki.archlinux.org/index.php/Msmtp#Test_functionality