Saturday 19 September 2015

Install and Configure Puppet on Ubuntu 14.04

apt-get install openssl

Configure DNS for the master and the agent:
dev.puppetmaster.com
dev.puppetagent.com

192.168.190.133
apt-get install puppetmaster

192.168.190.134
apt-get install puppet

nano /etc/puppet/puppet.conf
server=dev.puppetmaster.com

puppet agent --no-daemonize --onetime --verbose
Info: Creating a new SSL key for dev.puppetagent.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for dev.puppetagent.com
Info: Certificate Request fingerprint (SHA256): ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

puppet cert list
  "dev.puppetagent.com" (SHA256) ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51

puppet cert sign "dev.puppetagent.com"
Notice: Signed certificate request for dev.puppetagent.com
Notice: Removing file Puppet::SSL::CertificateRequest dev.puppetagent.com at '/var/lib/puppet/ssl/ca/requests/dev.puppetagent.com.pem'
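The step above signs whatever request is pending under that name; the fingerprint the agent printed and the one the master lists are the only evidence that the request came from the host you set up. The following shell script is an added example (not from the original post) that parses `puppet cert list` output and only emits the `puppet cert sign` command when the listed fingerprint matches the one reported on the agent; the list output and fingerprint below are taken from the post's own session.

```shell
#!/bin/sh
# Added example (not from the original post): compare the CSR fingerprint the
# agent printed with the one the master shows in 'puppet cert list' before
# signing, so a request submitted under the agent's name by some other host
# is not signed blindly.

# Sample output constructed from the post's own "puppet cert list" line.
CERT_LIST_OUTPUT='  "dev.puppetagent.com" (SHA256) ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51'
# Fingerprint as reported on the agent by "puppet agent --onetime --verbose".
AGENT_FP='ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51'

# listed_fingerprint LIST_OUTPUT CERTNAME -> prints the SHA256 fingerprint of
# the pending request for CERTNAME, or nothing if none is pending. Already
# signed certs (shown with a leading "+" by "cert list -a") are ignored.
listed_fingerprint() {
    printf '%s\n' "$1" | awk -v name="\"$2\"" '
        $1 == name && $2 == "(SHA256)" { print $3 }'
}

# verify_csr_fingerprint LIST_OUTPUT CERTNAME EXPECTED_FP
# Returns 0 when the pending request for CERTNAME carries EXPECTED_FP
# (compared case-insensitively), 1 otherwise.
verify_csr_fingerprint() {
    listed=$(listed_fingerprint "$1" "$2")
    [ -n "$listed" ] || { echo "no pending request for $2" >&2; return 1; }
    listed_uc=$(printf '%s' "$listed" | tr 'a-f' 'A-F')
    expected_uc=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    if [ "$listed_uc" = "$expected_uc" ]; then
        echo "fingerprint for $2 matches; safe to sign"
        return 0
    fi
    echo "fingerprint MISMATCH for $2: listed $listed, expected $3" >&2
    return 1
}

# sign_if_verified LIST_OUTPUT CERTNAME EXPECTED_FP
# Prints the sign command instead of running it, so the check runs anywhere.
sign_if_verified() {
    verify_csr_fingerprint "$1" "$2" "$3" || return 1
    echo "puppet cert sign \"$2\""
}

sign_if_verified "$CERT_LIST_OUTPUT" dev.puppetagent.com "$AGENT_FP"
```

On the master, feed it the live output with `sign_if_verified "$(puppet cert list)" dev.puppetagent.com "$AGENT_FP"` and pipe the result to a shell only after it matches.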

puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442726550'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.02 seconds

Example Puppet configuration:

cd /etc/puppet/manifests/
nano site.pp

class toolbox {
        file { '/usr/local/sbin/puppetsimple.sh':
                owner   => 'root',
                group   => 'root',
                mode    => '0755',
                # \$1 keeps the shell positional parameter; an unescaped $1 inside
                # a double-quoted Puppet string is interpolated as a Puppet variable
                content => "#!/bin/sh\npuppet agent --onetime --no-daemonize --verbose \$1\n",
        }
}

node 'dev.puppetagent.com' {
        include toolbox
}


puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442727359'
Notice: /Stage[main]/Toolbox/File[/usr/local/sbin/puppetsimple.sh]/ensure: defined content as '{md5}db35206364e274612ff0caee2ce0f9d0'
Notice: Finished catalog run in 0.05 seconds

puppetsimple.sh
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442728015'
Notice: Finished catalog run in 0.03 seconds

chmod 0123 /usr/local/sbin/puppetsimple.sh

puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442728015'
Notice: /Stage[main]/Toolbox/File[/usr/local/sbin/puppetsimple.sh]/mode: mode changed '0123' to '0755'
Notice: Finished catalog run in 0.03 seconds

Ref:- https://www.youtube.com/watch?v=Hiu_ui2nZa0

Change Hostname in Ubuntu

Manually Edit the hostname

sudo nano /etc/hosts
sudo nano /etc/hostname
sudo reboot

Use sed to change the hostname

sudo sed -i 's/ubuntu/new-hostname/g' /etc/hosts
sudo sed -i 's/ubuntu/new-hostname/g' /etc/hostname
sudo reboot

Write a Bash Script

#!/bin/bash
# Assign the existing hostname to $hostn
hostn=$(cat /etc/hostname)

# Display the existing hostname
echo "Existing hostname is $hostn"

# Ask for the new hostname $newhost
echo "Enter new hostname: "
read -r newhost

# Refuse an empty name, which would otherwise blank /etc/hostname
if [ -z "$newhost" ]; then
    echo "No hostname entered, aborting" >&2
    exit 1
fi

# Change the hostname in /etc/hosts and /etc/hostname
sudo sed -i "s/$hostn/$newhost/g" /etc/hosts
sudo sed -i "s/$hostn/$newhost/g" /etc/hostname

# Display the new hostname
echo "Your new hostname is $newhost"

# Press a key to reboot
read -r -s -n 1 -p "Press any key to reboot"
sudo reboot

Ref:- https://pricklytech.wordpress.com/2013/04/24/ubuntu-change-hostname-permanently-using-the-command-line/

Friday 18 September 2015

Regenerate SSL Certs on Puppet Master

SSL: Regenerating All Certificates in a Puppet Deployment

Back up the ssl dir:
/var/lib/puppet/ssl

Stop the Puppet master service
/etc/init.d/puppetmaster stop

Stop the Apache service
/etc/init.d/apache2 stop

Locate Puppet’s ssldir
puppet config print ssldir

Delete all files in the ssldir
rm -r /var/lib/puppet/ssl

Regenerate the CA by running
puppet cert list -a

Generate the Puppet master’s new certs
puppet master --no-daemonize --verbose

When you see "Notice: Starting Puppet master <your Puppet version>", press CTRL + C.

Start the Puppet master service
/etc/init.d/puppetmaster start

Start the Apache service
/etc/init.d/apache2 start

Ref:- http://docs.puppetlabs.com/puppet/3.7/reference/ssl_regenerate_certificates.html

OpenSSH Server in Ubuntu

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between, computers.

apt-get install openssh-server

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change in /etc/ssh/sshd_config:

To have OpenSSH listen on TCP port 2222 instead of the default TCP port 22, change the Port directive:

Port 2222

To have sshd allow public key-based login, add or modify the line:

PubkeyAuthentication yes

If the line is already present, make sure it is not commented out.

To have the OpenSSH server display the contents of /etc/issue.net as a pre-login banner, add or modify the line:

Banner /etc/issue.net

Then restart sshd to apply the changes:

sudo service ssh restart
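Two sshd_config rules make "is it commented out?" harder to answer by eye than it looks: a line beginning with "#" is ignored, and when a keyword appears more than once sshd uses the first uncommented value. The script below is an added example (not from the original post or the Ubuntu guide) that reports the value sshd will actually use for each of the three directives above, run against a constructed config where the edits went wrong; it assumes the plain "keyword value" form and does not parse the "keyword=value" variant.

```shell
#!/bin/sh
# Added example (not from the original post): report the value sshd will use
# for a directive, applying two sshd_config(5) rules: '#' lines are comments,
# and for a repeated keyword the FIRST uncommented value wins.

# Constructed sample config: "Port 2222" was added on a new line while the
# stock "Port 22" was left active above it, and PubkeyAuthentication exists
# only as a comment.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
Port 2222
#PubkeyAuthentication yes
Banner /etc/issue.net
PasswordAuthentication no'

# effective_value CONFIG_TEXT KEYWORD -> prints the effective value, or
# nothing if the keyword is never set (keyword match is case-insensitive).
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins
    '
}

# check_directive CONFIG_TEXT KEYWORD EXPECTED -> 0 if the effective value matches
check_directive() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK   $2 = $3"
        return 0
    fi
    echo "FAIL $2: effective value '${actual:-<unset>}', expected '$3'"
    return 1
}

# Audit the three directives the post changes; returns non-zero if any fail.
audit_sshd_config() {
    rc=0
    check_directive "$1" Port 2222 || rc=1
    check_directive "$1" PubkeyAuthentication yes || rc=1
    check_directive "$1" Banner /etc/issue.net || rc=1
    return $rc
}

if audit_sshd_config "$SAMPLE_CONFIG"; then
    echo "sshd_config OK"
else
    echo "fix the directives above, then run: sudo sshd -t && sudo service ssh restart"
fi
```

Run it against the live file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` before restarting, and keep `sshd -t` in the loop because a syntax error in the file leaves you without a service to restart.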

Ref:- https://help.ubuntu.com/lts/serverguide/openssh-server.html


Thursday 17 September 2015

Ubuntu 14.04 Root Password Recovery

First, reboot your system into the GRUB2 boot loader menu.

Find the line that starts with "linux". Navigate to the end of that line and append:
init=/bin/bash

Once you have changed the boot options as indicated in the previous step, press F10 to boot your Ubuntu system.

Your system will boot and you will get a root command line prompt.

Once you reach the command line prompt, enter the following commands:
mount -o remount,rw /
passwd
reboot -f

Ref:- http://linuxconfig.org/ubuntu-14-04-lost-password-recovery


Monday 7 September 2015

Chef Installation and Configuration on CentOS

Install chef-server
iptables -F
rpm -ivh chef-server-11.1.7-1.el6.x86_64

Configure Chef Server

chef-server-ctl reconfigure

Running handlers:
Running handlers complete
Chef Client finished, 415/479 resources updated in 220.548599949 seconds
Chef Server Reconfigured!

Confirm the Chef server is running:

chef-server-ctl status
run: bookshelf: (pid 1084) 60730s; run: log: (pid 1083) 60730s
run: chef-expander: (pid 1080) 60730s; run: log: (pid 1079) 60730s
run: chef-server-webui: (pid 1070) 60730s; run: log: (pid 1068) 60730s
run: chef-solr: (pid 1076) 60730s; run: log: (pid 1073) 60730s
run: erchef: (pid 1085) 60730s; run: log: (pid 1082) 60730s
down: nginx: 0s, normally up, want up; run: log: (pid 1078) 60730s
run: postgresql: (pid 1091) 60730s; run: log: (pid 1072) 60730s
run: rabbitmq: (pid 1075) 60730s; run: log: (pid 1071) 60730s


Optionally, run the Opscode Pedant test suite. This will verify that everything is working.
chef-server-ctl test

Configure Chef Workstation

Check whether the Chef client package is already installed:

rpmquery chef
package chef is not installed

rpm -ivh chef-11.18.12-1.el6.x86_64

rpmquery chef
chef-11.18.12-1.el6.x86_64

chef-client

To secure communication with the Chef server,

copy the following files from /etc/chef-server on the Chef server to the Chef workstation:
scp -r admin.pem chef-validator.pem chef-webui.pem root@10.98.33.204:/root/.chef
admin.pem
chef-validator.pem
chef-webui.pem

Create a .chef directory in the home directory and move all three files into it.

knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N)Y
Please enter the chef server URL: [https://testchefwork.example.com:443] https://testchefserver.example.com:443
Please enter a name for the new user: [root]
Please enter the existing admin name: [admin] admin
Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem] /root/.chef/admin.pem
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] /root/.chef/chef-validator.pem
Please enter the path to a chef repository (or leave blank):
Creating initial API user...
Please enter a password for the new user:
Created user[root]
Configuration file written to /root/.chef/knife.rb

knife ssl fetch

knife ssl check

Connecting to host testchefserver.example.com:443
ERROR: The SSL certificate of testchefserver.example.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=testchefserver.example.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1m 19 Mar 2015
* Certificate file: /opt/chef/embedded/ssl/cert.pem
* Certificate directory: /opt/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/root/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to you trusted_certs_dir (currently: /root/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

knife ssl check
Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'

knife client list
chef-validator
chef-webui

knife user list
admin
jojan
root

Node configuration

iptables -L

rpm -ivh chef-11.18.12-1.el6.x86_64.rpm

warning: chef-11.18.12-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
Preparing...                ########################################### [100%]
   1:chef                   ########################################### [100%]
Thank you for installing Chef!

Copy chef-validator.pem from /etc/chef-server on the Chef server to /etc/chef on the node.

knife ssl fetch -s https://testchefserver.example.com

WARNING: No knife configuration file found
WARNING: Certificates from testchefserver.example.com will be fetched and placed in your trusted_cert
directory ().

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

ERROR: TypeError: can't convert nil into String

knife ssl check
Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'
[root@testchefnode .chef]# knife ssl fetch -s https://testchefserver.example.com
WARNING: Certificates from testchefserver.example.com will be fetched and placed in your trusted_cert
directory (/root/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for testchefserver.example.com in /root/.chef/trusted_certs/testchefserver_example_com.crt

knife ssl check -s https://testchefserver.example.com

Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'

cat /etc/chef/client.rb
log_level :info
log_location STDOUT
chef_server_url "https://testchefserver.example.com:443"
trusted_certs_dir "/root/.chef/trusted_certs"

chef-client -S https://testchefserver.example.com -K /etc/chef/chef-validator.pem

Create a recipe on the workstation and upload it to the server:

knife cookbook create motd
** Creating cookbook motd
** Creating README for cookbook: motd
** Creating CHANGELOG for cookbook: motd
** Creating metadata for cookbook: motd

cd /var/chef/cookbooks/motd

ls -l
attributes
CHANGELOG.md
definitions
files
libraries
metadata.rb
providers
README.md
recipes
resources
templates

cd recipes/
vi default.rb

file '/etc/motd' do
        content 'Welcome to chef'
end

Before uploading to the server, make sure there are no syntax errors:

knife cookbook test motd
checking motd
Running syntax check on motd
Validating ruby files
Validating templates
Validating ruby files
Validating templates

Upload it to the server:

knife cookbook upload motd
Uploading motd         [0.1.0]
Uploaded 1 cookbook.

To check from the server:

knife cookbook list
motd   0.1.0

To check from the dashboard:
https://testchefserver.example.com/cookbooks

Add the cookbook to a node:

go to https://testchefserver.example.com/nodes, edit the node, and drag the motd recipe from Available Recipes to the Run List.

chef-client
[2015-09-07T11:17:30+05:30] INFO: Forking chef instance to converge...
[2015-09-07T11:17:30+05:30] WARN:
........................................
- update content in file /etc/motd from e3b0c4 to cad802
    --- /etc/motd       2010-01-12 18:58:22.000000000 +0530
    +++ /tmp/.motd20150907-26207-mb0jjs 2015-09-07 11:17:32.622947241 +0530
    @@ -1 +1,2 @@
    +Welcome to chef
    - restore selinux security context
[2015-09-07T11:17:32+05:30] INFO: Chef Run complete in 0.661581977 seconds

Running handlers:
[2015-09-07T11:17:32+05:30] INFO: Running report handlers
Running handlers complete
[2015-09-07T11:17:32+05:30] INFO: Report handlers complete
Chef Client finished, 1/1 resources updated in 2.350334219 seconds

Now check the file on the node:

cat /etc/motd
Welcome to chef

Ref:- https://www.youtube.com/watch?v=egvEPsVMfK0

Wednesday 2 September 2015

Disable FirewallD and use iptables in RHEL 7 and CentOS 7


To use iptables instead of firewalld on CentOS 7 and RHEL 7, run:

systemctl mask firewalld

systemctl stop firewalld

yum -y install iptables-services

systemctl enable iptables

Ref:- http://www.tejasbarot.com/2014/08/02/rhel-7-centos-7-disable-firewalld-and-use-iptables/#axzz3keP3fIkw


FirewallD


FirewallD provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.

Features
D-Bus API
Timed firewall rules
Rich Language for specific firewall rules
IPv4 and IPv6 NAT support
Lockdown: Whitelisting of applications that may modify the firewall
Support for iptables, ip6tables, ebtables firewall backends
Automatic loading of Linux kernel modules
Integration with Puppet

Who’s using it?
FirewallD is used in the following Linux distributions as the default firewall management tool:

RHEL 7
Fedora 18 and newer

Applications and libraries which support FirewallD as a firewall management tool include:

NetworkManager
libvirt
docker 1.7

Ref:- http://www.firewalld.org/