Tag Archives: rhel

Migrating to a new GIT server

Scenario:

You’re decommissioning an old server, which just so happens to have your GIT repo on it.

How can you migrate it without losing the history?

From the NEW SERVER:

Make the new directory & set its ownership to your git user (GIT_USER):

mkdir /opt/git/qa.git
chown git.git /opt/git/qa.git

‘su’ to GIT_USER on the server, and initialize the newly created directory

su - git
cd /opt/git/qa.git
git init --bare

From the EXISTING CLIENT (with the most recent copy of the repo), make a new directory, ‘cd’ into it and initialize it:

mkdir ~/git/qa
cd ~/git/qa
git init .

Now, clone the existing repository INTO here.  It will not have the code, it’ll have the repository configuration.  Again, the command will be pointing at the ORIGINAL (soon to be decommissioned) server:

git clone --bare ssh://git@243.268.8.11/opt/git/qa.git

You’ll see something like:

Cloning into bare repository 'qa.git'...
git@243.268.8.11's password:
remote: Counting objects: 841, done.
remote: Compressing objects: 100% (595/595), done.
remote: Total 841 (delta 292), reused 605 (delta 208)
Receiving objects: 100% (841/841), 21.52 MiB | 23.68 MiB/s, done.
Resolving deltas: 100% (292/292), done.

Then, it will create another <repo>.git directory in your “new” local directory (~/git/qa).  ‘cd’ into that

cd ~/git/qa/qa.git

Now, it’s your job to PUSH that config to the NEW server:

git push --mirror ssh://git@991.11.78.221/opt/git/qa.git

You’ll see something like:

Counting objects: 841, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (511/511), done.
Writing objects: 100% (841/841), 21.52 MiB | 0 bytes/s, done.
Total 841 (delta 292), reused 841 (delta 292)
To ssh://991.11.78.221/opt/git/qa.git
 * [new branch]      master -> master

When that’s done, you can ‘cd’ back a level & delete the <repo>.git directory that the clone created.

cd ..
rm -rf qa.git

Now, you can either re-clone from the NEW server, seen HERE, or modify the existing .git directory’s config file to point to the new location:

vi ~/git/original_qa_repo_directory/includes/.git/config

and change the OLD server’s IP …

[remote "origin"]
        url = ssh://git@243.268.8.11/opt/git/qa.git

… to the NEW server’s IP:

[remote "origin"]
        url = ssh://git@991.11.78.221/opt/git/qa.git

Now, issue a ‘git pull’ and you should be all set!

$ git pull
Already up-to-date.
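Added example (not part of the original post): the bare-clone and push --mirror step as one function, plus a check that the new server really holds every ref the old one had, run on saved `git ls-remote` listings. OLD_SERVER and NEW_SERVER are placeholders for the two hosts in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors a bare repository from the
# old server to the new one, then verifies that both servers hold the same refs
# at the same commit hashes. OLD_SERVER / NEW_SERVER are placeholders.

# Bare-clone from the old server and push every ref (branches, tags, notes) to
# the new one, using a throwaway directory instead of ~/git/qa/qa.git.
mirror_repo() {
    old_url=$1; new_url=$2
    tmp=$(mktemp -d) || return 1
    if git clone --quiet --bare "$old_url" "$tmp/mirror.git" &&
       git -C "$tmp/mirror.git" push --quiet --mirror "$new_url"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Normalise a saved `git ls-remote <url>` listing: drop HEAD (a symbolic ref whose
# hash just follows the default branch) and peeled tag lines (^{}), then emit
# "refname<TAB>hash" sorted by refname so two listings can be diffed.
normalize_refs() {
    awk '$2 != "HEAD" && index($2, "^{}") == 0 { print $2 "\t" $1 }' "$1" | sort
}

# Compare two saved listings (old server first). Prints every ref that is missing
# or at a different hash on the new server; returns 0 only on an exact match.
compare_refs() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_refs "$1" > "$a"
    normalize_refs "$2" > "$b"
    diff "$a" "$b" | sed -n 's/^< /LOST OR CHANGED ON NEW: /p; s/^> /ONLY ON NEW: /p'
    if cmp -s "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Typical use after the push --mirror in the post:
#   git ls-remote ssh://git@OLD_SERVER/opt/git/qa.git > old.refs
#   git ls-remote ssh://git@NEW_SERVER/opt/git/qa.git > new.refs
#   compare_refs old.refs new.refs && echo "safe to decommission OLD_SERVER"
if [ $# -eq 2 ]; then
    compare_refs "$1" "$2"
fi
```

Run the comparison before the old server is switched off; a mismatch means a ref was rewritten or never made it across.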

HOWTO: Configure SELinux to use non-standard ports

First, you need to be able to tune the parameters, so you need some packages:

[root@rhce ~]# yum -y install setroubleshoot-server selinux-policy-devel

Wait, I want to use a port other than 80 for apache/http – how do I know what to use?

[root@rhce ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

OK.  80 is “http_port_t”

Now, I need to choose the port I want to use (25000) & see if it’s in use:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!  It’s not in use.  Now, I need to allow apache/httpd to use it:

[root@rhce ~]# semanage port -a -t http_port_t -p tcp 25000

If you want to remove the port, substitute -d for -a & run again.

Check to see that it’s been applied appropriately:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp http_port_t 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!

Next, open the firewall to allow the port & then make it permanent:

[root@rhce ~]# firewall-cmd --add-port 25000/tcp
success
[root@rhce ~]# firewall-cmd --add-port 25000/tcp --permanent
success

Make your httpd.conf / vhosts.conf changes, restart apache & you’re IN with the new port.
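Added example (not part of the original post): a script that reads `semanage port -l` to decide whether the port is free, already labelled with the wanted type, or explicitly defined under another type (where `semanage port -a` refuses with "already defined" and `-m` has to be used instead), then applies the semanage and firewall-cmd steps above. The apply function needs root and the tools from the post; the decision function works on a saved listing.

```shell
#!/bin/sh
# Added example (not from the original post). Decides, from the output of
# `semanage port -l`, whether a port/protocol already carries the wanted SELinux
# type, is free, or is explicitly defined under another type, then runs the
# semanage and firewall-cmd steps from the post accordingly.

# Prints one of: noop | add | modify
#   $1 wanted type (e.g. http_port_t)   $2 protocol (tcp/udp)
#   $3 port number                       $4 file holding `semanage port -l` output
selinux_port_action() {
    awk -v want="$1" -v proto="$2" -v port="$3" '
        $2 == proto {
            # columns 3.. are single ports or ranges such as 10001-10010; only a
            # single-port entry equal to ours counts as "explicitly defined",
            # which is what makes semanage -a fail (ranges like
            # unreserved_port_t 1024-32767 do not)
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) owner = $1
            }
        }
        END {
            if (owner == want)     print "noop"
            else if (owner != "")  print "modify"
            else                   print "add"
        }' "$4"
}

# Label PORT/PROTO with TYPE (idempotently) and open it in firewalld.
apply_selinux_port() {
    type=$1; proto=$2; port=$3
    listing=$(mktemp) || return 1
    semanage port -l > "$listing" || { rm -f "$listing"; return 1; }
    action=$(selinux_port_action "$type" "$proto" "$port" "$listing")
    rm -f "$listing"
    case $action in
        noop)   echo "$proto/$port is already $type" ;;
        add)    semanage port -a -t "$type" -p "$proto" "$port" || return 1 ;;
        modify) semanage port -m -t "$type" -p "$proto" "$port" || return 1 ;;
    esac
    firewall-cmd --add-port "$port/$proto" &&
        firewall-cmd --permanent --add-port "$port/$proto"
}

# e.g. apply_selinux_port http_port_t tcp 25000
```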

HOWTO: Add Virtual Hosts in Apache on RHEL7

This isn’t terrible.  Install httpd & open up the firewall:

[root@rhce ~]# yum -y install httpd
[root@rhce ~]# firewall-cmd --add-service http
success
[root@rhce ~]# apachectl start

Test that the webpage responds (use the bond you just set up!) and when it does, enable the service and make the firewall permanent:

[root@rhce ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@rhce ~]# firewall-cmd --add-service http --permanent
success

Now, make some directories in /var/www/html and echo some content into an index.html file:

[root@rhce html]# mkdir tom base blog
[root@rhce html]# ll
total 0
drwxr-xr-x. 2 root root 23 Sep 15 22:45 base
drwxr-xr-x. 2 root root 23 Sep 15 22:43 blog
drwxr-xr-x. 2 root root 23 Sep 15 22:43 tom

[root@rhce html]# for i in $(ls); do echo "you are at $(pwd)/$i" >> $i/index.html; done

Fix the SELinux contexts for this location as so:

[root@rhce html]# restorecon -R *

Now, create & edit the /etc/httpd/conf.d/vhosts.conf file.  You want the directories created above to be the “DocumentRoot” values and the URLs to be the ServerName directives:

<virtualhost *:80>
ServerName tom.rhce.com
DocumentRoot /var/www/html/tom
</virtualhost>
<virtualhost *:80>
ServerName blog.rhce.com
DocumentRoot /var/www/html/blog
</virtualhost>
<virtualhost *:80>
ServerName rhce.com
DocumentRoot /var/www/html/base
</virtualhost>

Once saved, restart httpd:

[root@rhce html]# systemctl restart httpd

- or - 

[root@rhce html]# apachectl restart

And browse to your site & test.  You can see that the loop above inserted the “you are at …” text into the index.html file, which is shown when you browse the site.

HOWTO: Create a BOND with RHEL7

Let’s say you have a few spare NICs and want to put them together in a (active/passive) bond.  What do you do?

Well, this is pretty straight-forward.

First, connect via SSH to an IP on a NIC that WILL NOT be part of the bond.

Using ‘nmcli’, delete the existing connections for the NICs you want IN the bond and reload:

[root@rhce ~]# nmcli con del p4p1 p4p2
Connection 'p4p1' (92d6456d-16bd-4eae-9ecb-386cb4ce4d29) successfully deleted.
Connection 'p4p2' (e52eca2f-8c84-428d-8959-93e85f4b03f3) successfully deleted.
[root@rhce ~]# nmcli con reload

Next, with nmcli, create the bond:

[root@rhce ~]# nmcli con add type bond ifname bond0 con-name bond0 mode active-backup miimon 100 ip4 192.168.1.50/24
Connection 'bond0' (5886c4c3-6ed7-4785-be41-7ef4c6f29373) successfully added.

Now, the bond is just an IP at this point in time; there are no NICs associated with it.  Time to add the two NICs (p4p1 & p4p2) in:

[root@rhce ~]# nmcli connection add type bond-slave ifname p4p1 con-name p4p1 master bond0
Connection 'p4p1' (ef7fd007-af66-43f2-a769-a8916dbf09c9) successfully added.
[root@rhce ~]# nmcli connection add type bond-slave ifname p4p2 con-name p4p2 master bond0
Connection 'p4p2' (d40213dd-4fd7-4a62-ac4c-1cc2d7480284) successfully added.

Optional (I think, but I still do it), modify the bond to have DNS:

[root@rhce ~]# nmcli connection modify bond0 ipv4.dns "192.168.1.1,8.8.8.8"

Now, ‘up’ the bond:

[root@rhce ~]# nmcli con up bond0

It’ll take about 30 seconds to configure behind the scenes, so set up a continuous ping and wait for it to reply.

The last part of this is testing the functionality.  Start a PING test, pull a cable & see what happens:

$ ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50): 56 data bytes
64 bytes from 192.168.1.50: icmp_seq=52 ttl=64 time=0.357 ms
64 bytes from 192.168.1.50: icmp_seq=53 ttl=64 time=0.301 ms
64 bytes from 192.168.1.50: icmp_seq=54 ttl=64 time=0.359 ms
64 bytes from 192.168.1.50: icmp_seq=55 ttl=64 time=0.339 ms
Pull active cable
Request timeout for icmp_seq 6
<10-45 more times>
Request timeout for icmp_seq 51
64 bytes from 192.168.1.50: icmp_seq=82 ttl=64 time=0.607 ms
64 bytes from 192.168.1.50: icmp_seq=83 ttl=64 time=0.339 ms
64 bytes from 192.168.1.50: icmp_seq=84 ttl=64 time=0.361 ms
64 bytes from 192.168.1.50: icmp_seq=85 ttl=64 time=0.276 ms
64 bytes from 192.168.1.50: icmp_seq=86 ttl=64 time=0.306 ms

Looks like you got an active/backup bond working successfully!
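Added example (not part of the original post): a check of /proc/net/bonding/bond0, the kernel's own view of the bond, that reports the active slave and flags when a link is down, so that the "cable pulled" state above is noticed instead of merely survived. The fields read are the standard bonding driver ones; the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the bonding driver's status
# file (/proc/net/bonding/bond0 by default) and reports the mode, the currently
# active slave and which slaves are up or down. The ping above only proves that
# failover happened; this shows whether any redundancy is left afterwards, which
# is the condition monitoring should alert on.
#   exit 0: two or more slaves up    exit 1: exactly one up (no failover left)
#   exit 2: no slave up

bond_report() {
    awk -F': ' '
        /^Bonding Mode/           { mode = $2 }
        /^Currently Active Slave/ { active = $2 }
        /^Slave Interface/        { slave = $2 }
        # the first "MII Status" line is the bond itself (slave still unset);
        # each later one belongs to the slave named just above it
        /^MII Status/ && slave != "" {
            if ($2 == "up") { up++;   ups   = ups   " " slave }
            else            { down++; downs = downs " " slave }
        }
        END {
            sub(/^ /, "", ups); sub(/^ /, "", downs)
            printf "mode=%s active=%s up=[%s] down=[%s]\n", mode, active, ups, downs
            if (up >= 2) exit 0
            if (up == 1) exit 1
            exit 2
        }' "${1:-/proc/net/bonding/bond0}"
}

# e.g. bond_report            (live bond0)
#      bond_report saved.txt  (a saved copy of the status file)
if [ $# -ge 1 ]; then
    bond_report "$1"
fi
```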

HOWTO: Set up an iSCSI target on RHEL7

Install targetcli:

[root@rhce ~]# yum install targetcli -y

I used a USB drive as the soon-to-be-block device, so I had to prep it:

[root@rhce ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-31285247, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-31285247, default 31285247): 
Using default value 31285247
Partition 1 of type Linux and of size 14.9 GiB is set

Command (m for help): p

Disk /dev/sdb: 16.0 GB, 16018046976 bytes, 31285248 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    31285247    15641600   83  Linux

Command (m for help): w
The partition table has been altered!

Start & enable (start on boot) target  (not targetd or targetcli):

[root@rhce ~]# systemctl start target
[root@rhce ~]# systemctl enable target

Enter targetcli and go to the backstores/block directory:

[root@rhce ~]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb41
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> cd /backstores/block 

Now, we create a LUN from the newly carved out USB drive:

/backstores/block> create lun0 /dev/sdb1 
Created block storage object lun0 using /dev/sdb1.

Now,  go to the /iscsi directory & create an official target name:

/backstores/block> cd /iscsi
/iscsi> create
Created target iqn.2003-01.org.linux-iscsi.rhce.x8664:sn.dd8b652b6367.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.

Now, ‘cd’ into the iqn and target name (seen as TPG 1 above):

/iscsi> cd iqn.2003-01.org.linux-iscsi.rhce.x8664:sn.dd8b652b6367/

/iscsi/iqn.20....dd8b652b6367> cd tpg1

Add your ACL; it could be an IP or IQN of another machine.  I elected to use the Microsoft Initiator, mainly because I had a Windoze VM running at the time:

/iscsi/iqn.20...652b6367/tpg1> cd acls
/iscsi/iqn.20...367/tpg1/acls> create iqn.1991-05.com.microsoft:whoosiewhatsit
Created Node ACL for iqn.1991-05.com.microsoft:whoosiewhatsit

Without a TargetIP, you can’t get here … so, let’s set a listener:

/iscsi/iqn.20...367/tpg1/acls> cd ../portals
/iscsi/iqn.20.../tpg1/portals> create
Using default IP port 3260
Binding to INADDR_ANY (0.0.0.0)
This NetworkPortal already exists in configFS

Now, we have to map the LUN created earlier, into this portal.  You’ll see that it carries across and maps the ACL.

/iscsi/iqn.20.../tpg1/portals> cd ../luns 
/iscsi/iqn.20...367/tpg1/luns> create /backstores/block/lun0 
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.1991-05.com.microsoft:whoosiewhatsit

‘cd’ back to the beginning & save the config:

/iscsi/iqn.20...367/tpg1/luns> cd /
/> saveconfig

The (second to) last thing you need to do is open up the firewall to allow iSCSI port 3260:

[root@rhce ~]# firewall-cmd --add-port 3260/tcp
success

Now, test from an iSCSI initiator, using the IP of the system, and see if your SEND_TARGETS request comes back with your new “target”.

SUCCESS!  Now, you must make your firewall change permanent:

[root@rhce ~]# firewall-cmd --add-port 3260/tcp --permanent
success

You’re now free to connect, initialize, assign a drive letter & sector-align that bad-boy.

Enjoy!

Repos and Subscriptions needed to install RHEV 3.5

After some fighting, here’s what you have to do:

Install a RHEL 6 VM

First:
# subscription-manager register
Registering to: subscription.rhn.redhat.com:443/subscription
Username: your new shiny name
Password:
The system has been registered with ID: XXXXXXXX

Then:
# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed

(Does the above look familiar?)

Once that’s done, go to your RHN account & click on the VM you just ‘attached’ and pick ‘Attach a subscription’ and select your Virtualization Entitlement.

Once that’s done, issue:

subscription-manager repos --enable rhel-6-server-rhevm-3.5-rpms ; sleep 1 ; subscription-manager repos --enable jb-eap-5-for-rhel-6-server-rpms ; sleep 1 ; subscription-manager repos --enable rhel-6-server-supplementary-rpms ; sleep 1 ; subscription-manager repos --enable jb-eap-6-for-rhel-6-server-rpms ; sleep 1 ; subscription-manager repos --enable rhel-6-server-rhevh-rpms

THEN, you can install RHEV & the hypervisor (to get the ISOs):

yum -y install rhevm "rhev-hypervisor*"

Enjoy!

Have you heard that RHEL is available ‘free’ for your Development Environment?

It sure is – woo hoo!

Dance on over to https://developer.redhat.com, sign up and accept their terms.

You can then download the latest ISO (7.2 at the time of this writing) and load it up on a server or VM. Make sure you select “Developer Tools” during the installation.

If you selected Basic (no GUI), you’ll need to run a few extra steps after installing, in order to get your yum updates.

First:

# subscription-manager register

Registering to: subscription.rhn.redhat.com:443/subscription
Username: your new shiny name
Password:
The system has been registered with ID: XXXXXXXX

Then:

# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed

Finally:

# subscription-manager repos --enable=rhel-server-rhscl-7-rpms
# subscription-manager repos --enable=rhel-7-server-optional-rpms
# subscription-manager repos --enable=rhel-7-server-extras-rpms

Now don’t be a jerk and try to use it in production; all it takes is one support call and accidentally outing yourself to cause your entire company to be forced to conduct a licensing audit.  That won’t be fun. 

HOWTO: firewalld – allowing individual host access

So, you’re rolling out a new webserver and want only certain people to take a look at the content? Here’s how you do it.
CentOS 7.2 is the OS being used.

What zone are you in?
[root@blog-test ~]# firewall-cmd --get-default-zone
public

OK, let’s make a new zone:

firewall-cmd --permanent --new-zone=blog
systemctl reload firewalld

Now, let’s add your IP & a friend’s IP to start testing … given you’re using apache & it’s still on port 80:

firewall-cmd --permanent --zone=blog --add-source=YOUR_IP/32
firewall-cmd --permanent --zone=blog --add-source=FRIENDS_IP/32
firewall-cmd --permanent --zone=blog --add-port=80/tcp

NOTE:  If you are using that port in another zone, remove it from that other zone first, because it can’t be in 2 zones at once.

That’s all there is. Move along now.

Need WordPress to send email, but you’re on Comcast?

Sending mail with Comcast as your ISP – this is on CentOS 7.2.

Install:
# yum install cyrus-sasl{,-plain}

Edit /etc/postfix/main.cf and insert the following below the other ‘relayhost’ references:
relayhost = [smtp.comcast.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_password
smtp_sasl_security_options =

Note: smtp_sasl_security_options = … is intentionally blank.

Edit:
/etc/postfix/smtp_password and insert:
[smtp.comcast.net]:587
username@comcast.net:password

Lock down the perms:
# chmod 600 /etc/postfix/smtp_password

Run:
postmap hash:/etc/postfix/smtp_password

Create a localhost-rewrite rule. This must be done, or else the Comcast SMTP server will reject your mail as coming from an invalid domain. Insert the following into:
/etc/postfix/sender_rewrite:
/^([^@]*)@.*$/ $1@<your_domain_here>.com

Allow SELinux to accept apache’s access to send mail:
# setsebool -P httpd_can_sendmail 1

Restart postfix:
# systemctl restart postfix

Test. If it fails, tail /var/log/maillog!

** NEW INFO **
I had some troubles with this (mail still showing root@localhost in the maillog) – and here were a few more steps, if that doesn’t completely work.

vi /etc/postfix/sender_canonical

… and insert the following, to make “root” appear to be the “wordpressuser” on outbound mail. This should have been rewritten by the rule up above, but it wasn’t doing it.

root wordpressuser@yourdomain.com

Create the /etc/postfix/sender_canonical.db file:
postmap hash:/etc/postfix/sender_canonical

Add the sender_canonical_maps setting to /etc/postfix/main.cf:
postconf -e "sender_canonical_maps=hash:/etc/postfix/sender_canonical"

Restart postfix:
# systemctl restart postfix
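Added example (not part of the original post): a lint for the main.cf settings and password file described above. One point it enforces that the post does not mention: with smtp_sasl_security_options blank, Postfix is allowed to use the PLAIN and LOGIN mechanisms, so smtp_tls_security_level = encrypt (a standard Postfix setting) should be present so the Comcast password only ever travels inside STARTTLS. File paths are arguments, so it can be pointed at a copy.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the relay settings the post
# puts in /etc/postfix/main.cf and the smtp_password file. Blanking
# smtp_sasl_security_options (as the post does) re-enables the PLAIN and LOGIN
# mechanisms, so the check also insists on smtp_tls_security_level = encrypt,
# which makes Postfix refuse to authenticate unless STARTTLS succeeded.
# Prints each problem found and returns the number of problems (0 = clean).

# Last effective value of key $2 in main.cf-style file $1 (later lines win, as in postconf).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_relay_config() {
    cf=$1; pw=$2; n=0
    [ -n "$(cf_get "$cf" relayhost)" ] ||
        { echo "relayhost is not set"; n=$((n + 1)); }
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = "yes" ] ||
        { echo "smtp_sasl_auth_enable is not yes"; n=$((n + 1)); }
    [ "$(cf_get "$cf" smtp_sasl_password_maps)" = "hash:$pw" ] ||
        { echo "smtp_sasl_password_maps does not point at hash:$pw"; n=$((n + 1)); }
    [ "$(cf_get "$cf" smtp_tls_security_level)" = "encrypt" ] ||
        { echo "smtp_tls_security_level should be encrypt (password would go over plain TCP)"; n=$((n + 1)); }
    if [ -f "$pw" ]; then
        # hash: tables are read from the compiled .db; no .db means postmap was never run
        [ -f "$pw.db" ] ||
            { echo "$pw.db missing: run postmap hash:$pw"; n=$((n + 1)); }
        # the file holds a cleartext password, so nobody but the owner may read it
        [ -z "$(find "$pw" \( -perm -040 -o -perm -004 \))" ] ||
            { echo "$pw is readable by group or others: chmod 600 $pw"; n=$((n + 1)); }
    else
        echo "$pw does not exist"; n=$((n + 1))
    fi
    return $n
}

# e.g. check_relay_config /etc/postfix/main.cf /etc/postfix/smtp_password
```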

Do you want to build a WordPress …… (site)?

Welcome.

Here’s a build-out on CentOS 7.2.

Install just the core, then add packages as needed – as you see below:

[root@wordpress-server ~]# yum update -y
[root@wordpress-server ~]# yum install bash-completion -y
[root@wordpress-server ~]# systemctl reboot

[root@wordpress-server ~]# yum install httpd php php-gd mariadb mariadb-server php-mysql rsync wget -y
[root@wordpress-server ~]# systemctl start httpd mariadb
[root@wordpress-server ~]# systemctl enable httpd mariadb

[root@wordpress-server ~]# firewall-cmd --add-service=http
[root@wordpress-server ~]# firewall-cmd --add-service=http --permanent

Set passwords for MySql / MariaDB:

[root@wordpress-server ~]# mysql_secure_installation

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!

Remove anonymous users? [Y/n] Y
… Success!

Disallow root login remotely? [Y/n] n
… skipping.

Remove test database and access to it? [Y/n] Y
 - Dropping test database…
… Success!
 - Removing privileges on test database…
… Success!

Reload privilege tables now? [Y/n] Y
… Success!

[root@wordpress-server ~]# mysql -u root -p
Enter password:

MariaDB [(none)]> create database wp_site_1;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> create user wordpressadmin@localhost identified by 'pass_from_above';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on wp_site_1.* to wordpressadmin@localhost identified by 'pass_from_above';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

[root@wordpress-server ~]# groupadd wp

[root@wordpress-server ~]# wget http://wordpress.org/latest.tar.gz

[root@wordpress-server html]# tar zxvf latest.tar.gz

in /var/www/html:
[root@wordpress-server html]# mkdir site_1

Copy software to the new directory:
[root@wordpress-server ~]# rsync -aP /root/wordpress/ /var/www/html/site_1/

Fix ownership:
[root@wordpress-server html]# chown -R apache.wp *
drwxr-xr-x. 5 apache wp 4096 Feb 2 12:12 site_1

[root@wordpress-server site_1]# cp wp-config-sample.php wp-config.php

Edit wp-config.php file, then copy to the other site_ directories:
define('DB_NAME', 'wp_site_1');
define('DB_USER', 'wordpressadmin');
define('DB_PASSWORD', 'password_from_mysql_secure_installation');

Again:
[root@wordpress-server html]# chown -R apache.wp *

Edit PHP.INI:
[root@wp-srv-001 html]# vi /etc/php.ini
change the line to this: upload_max_filesize = 25M

Add the following as the last line in /etc/httpd/conf/httpd.conf:
IncludeOptional sites-enabled/*.conf

in /etc/httpd, make these directories:
[root@wordpress-server httpd]# mkdir sites-available
[root@wordpress-server httpd]# mkdir sites-enabled

in sites-available, make config files for each domain:
[root@wordpress-server sites-available]# ll
total 12
-rw-r--r--. 1 root root 203 Feb 4 23:37 yourdomain.conf

The file should have:

<virtualhost *:80>
DocumentRoot /var/www/html/site_1
ServerName www.yourdomain.com
ServerAlias yourdomain.com
ErrorLog logs/yourdomain_error.log
</virtualhost>

Create the following symlinks to the .conf files:
ln -s /etc/httpd/sites-available/yourdomain.conf /etc/httpd/sites-enabled/yourdomain.conf

RESTART APACHE!

[root@wordpress-server httpd]# apachectl restart

Go to your domains!

HOWTO: Back-up your MariaDB and then restore later?

This is with CentOS 7.2.

Dump the Database you want to backup:
mysqldump mariadb_name -u root > /backup/dir/db_name.$(date +%m%d).sql

Make a tarball with the newly created database dump & the /var/www/html/ directory:
tar czf /backup/dir/wp_site_1_backup_$(date +%m%d).tgz /backup/dir/db_name.$(date +%m%d).sql /var/www/html/site_1

Remove the database dump that was just tar’d up:
rm -f /backup/dir/db_name.$(date +%m%d).sql

In use:

[root@websites ~]# mysqldump mariadb_name -u root > ~/backups/mariadb_name/mariadb_name.$(date +%m%d).sql

[root@websites ~]# tar czf ~/backups/mariadb_name/mariadb_name_full_$(date +%m%d).tgz ~/backups/mariadb_name/mariadb_name.$(date +%m%d).sql /var/www/html/mariadb_name

[root@websites ~]# rm -f ~/backups/mariadb_name/mariadb_name.$(date +%m%d).sql

[root@websites ~]# ll ~/backups/mariadb_name
total 9164
-rw-r--r--. 1 root root 9383639 Feb 7 17:30 mariadb_name_full_0207.tgz

[root@websites ~]# tar tzvf mariadb_name_full_0207.tgz | head -n 3
-rw-r--r-- root/root 1211612 2016-02-07 17:30 root/backups/mariadb_name/mariadb_name.0207.sql
drwxr-xr-x apache/wp 0 2016-02-07 13:31 var/www/html/mariadb_name/
drwxr-xr-x apache/wp 0 2016-02-02 12:11 var/www/html/mariadb_name/wp-admin/

To script it, in root’s home directory (or that of whichever user runs the backup), create .my.cnf and lock it down:
chmod 600 .my.cnf

In the file, have the following:
[mysqldump]
password=

Need to restore?

[root@websites ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 65
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database databasename;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> \q
Bye
[root@websites ~]# mysql -u root -p -h localhost mariadb_name < backup_file.sql
Enter password:
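Added example (not part of the original post): the three backup commands above as one function with a single consistent file name (the post's dump and rm lines name the file differently), an empty-dump check, owner-only permissions on the archive (it contains wp-config.php and therefore the DB password), and a listing check. It assumes mysqldump reads the root password from ~/.my.cnf as described above; MYSQLDUMP as an overridable variable is this script's own convention, not a mysqldump feature.

```shell
#!/bin/sh
# Added example (not from the original post). Performs the post's three backup
# steps (dump, tar the dump together with the site directory, delete the loose
# dump) with one consistent file name, fails loudly on an empty dump, keeps the
# archive readable only by its owner, and lists the archive to confirm the dump
# made it in. Assumes ~/.my.cnf supplies the mysqldump password (see above).
# MYSQLDUMP is an assumption of this script (lets a test or dry run substitute
# another command), not a mysqldump feature.
MYSQLDUMP=${MYSQLDUMP:-mysqldump}

# backup_site DBNAME WEBROOT OUTDIR  -> prints the archive path, returns 0 on success
backup_site() {
    db=$1; webroot=$2; outdir=$3
    stamp=$(date +%Y%m%d-%H%M)            # %m%d alone would collide next year
    dump="$outdir/$db.$stamp.sql"
    archive="$outdir/${db}_full_$stamp.tgz"
    mkdir -p "$outdir" || return 1
    [ -d "$webroot" ] || { echo "no such webroot: $webroot" >&2; return 1; }
    "$MYSQLDUMP" -u root "$db" > "$dump" || { rm -f "$dump"; return 1; }
    [ -s "$dump" ] || { echo "empty dump for $db" >&2; rm -f "$dump"; return 1; }
    tar czf "$archive" "$dump" "$webroot" || { rm -f "$dump" "$archive"; return 1; }
    chmod 600 "$archive"
    rm -f "$dump"
    # tar strips the leading "/" from member names, so match on the tail only
    tar tzf "$archive" | grep -q "/$db\.$stamp\.sql\$" ||
        { echo "dump not found inside $archive" >&2; return 1; }
    echo "$archive"
}

# e.g. backup_site wp_site_1 /var/www/html/site_1 /root/backups/wp_site_1
```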