Tag Archives: rhel7

HOWTO: Configure SELinux to use non-standard ports

First, you need to be able to tune the parameters, so you need some packages:

[root@rhce ~]# yum -y install setroubleshoot-server selinux-policy-devel

Wait, I want to use a port other than 80 for apache/http – how do I know what to use?

[root@rhce ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

OK.  Port 80 is labeled “http_port_t”, so that is the type the new port needs.

Now, I need to choose the port I want to use (25000) & see if it’s in use:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!  It’s not in use.  Now, I need to allow apache/httpd to use it:

[root@rhce ~]# semanage port -a -t http_port_t -p tcp 25000

If you want to remove the port again, substitute -d for -a & run the same command.

Check to see that it’s been applied appropriately:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp http_port_t 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!

Next, open the firewall to allow the port & then make it permanent:

[root@rhce ~]# firewall-cmd --add-port 25000/tcp
success
[root@rhce ~]# firewall-cmd --add-port 25000/tcp --permanent
success

Make your httpd.conf / vhosts.conf changes, restart apache & you’re IN with the new port.
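An added example, not code from the original post: a shell function that does the same lookup as sepolicy network -p against a semanage port -l listing, handling the ranges such as 10001-10010 and 1024-32767 that a plain grep misses. SEMANAGE_SAMPLE is a constructed listing in the same shape as the output above, and needs_modify flags the case where semanage port -a would be refused because the port already belongs to a specific type.

```shell
#!/bin/bash
# Added example, not the original post's code: find which SELinux port types
# claim a port by parsing `semanage port -l` output, including ranges such as
# 10001-10010 or 1024-32767. SEMANAGE_SAMPLE is a constructed listing; on a
# real RHEL7 box pass "$(semanage port -l)" as the third argument instead.

SEMANAGE_SAMPLE='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767
unreserved_port_t              udp      1024-32767'

# port_types PORT PROTO [LISTING]: print each type whose PROTO list contains PORT.
port_types() {
    local port="$1" proto="$2" listing="${3:-$SEMANAGE_SAMPLE}"
    printf '%s\n' "$listing" | awk -v port="$port" -v proto="$proto" '
        $2 == proto {
            # fields 3..NF are the comma-separated ports and ranges
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (split(item, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
                } else if (item + 0 == port + 0) {
                    print $1
                }
            }
        }'
}

# needs_modify PORT PROTO [LISTING]: true when PORT is already owned by a type
# other than unreserved_port_t, so `semanage port -a` would fail with
# "already defined" and `semanage port -m -t <type>` is the right command.
needs_modify() {
    port_types "$1" "$2" "${3:-$SEMANAGE_SAMPLE}" | grep -qv '^unreserved_port_t$'
}
```

Apache will only bind the new port once httpd.conf also carries a Listen directive for it, so check that alongside the VirtualHost change.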


HOWTO: Add Virtual Hosts in Apache on RHEL7

This isn’t terrible.  Install httpd & open up the firewall:

[root@rhce ~]# yum -y install httpd
[root@rhce ~]# firewall-cmd --add-service http
success
[root@rhce ~]# apachectl start

Test that the webpage responds (use the bond you just set up!) and when it does, enable the service and make the firewall permanent:

[root@rhce ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@rhce ~]# firewall-cmd --add-service http --permanent
success

Now, make some directories in /var/www/html and echo some content into an index.html file:

[root@rhce html]# mkdir tom base blog
[root@rhce html]# ll
total 0
drwxr-xr-x. 2 root root 23 Sep 15 22:45 base
drwxr-xr-x. 2 root root 23 Sep 15 22:43 blog
drwxr-xr-x. 2 root root 23 Sep 15 22:43 tom

[root@rhce html]# for i in $(ls); do echo "you are at $(pwd)/$i" >> $i/index.html; done

Fix the SELinux contexts for this location as so:

[root@rhce html]# restorecon -R *

Now, create & edit the /etc/httpd/conf.d/vhosts.conf file.  Each directory created above becomes a “DocumentRoot”, and each hostname becomes a ServerName directive:

<VirtualHost *:80>
    ServerName tom.rhce.com
    DocumentRoot /var/www/html/tom
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.rhce.com
    DocumentRoot /var/www/html/blog
</VirtualHost>
<VirtualHost *:80>
    ServerName rhce.com
    DocumentRoot /var/www/html/base
</VirtualHost>

Once saved, restart httpd:

[root@rhce html]# systemctl restart httpd

- or - 

[root@rhce html]# apachectl restart

Browse to your site & test.  The loop above wrote the “you are at …” text into each index.html, and that is what you see when you browse to each host.
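An added example, not part of the original post: a shell parser for the vhosts.conf above that reports which ServerName serves which DocumentRoot and which block is the default. Apache hands any request whose Host header matches no ServerName (a scanner hitting the bare IP, for instance) to the first VirtualHost defined for that address and port, so it is worth knowing which directory that exposes; VHOSTS_SAMPLE embeds the page's three blocks so the check runs offline.

```shell
#!/bin/bash
# Added example, not the original post's code: parse an Apache vhosts.conf and
# report ServerName -> DocumentRoot, which block is the default for unmatched
# Host headers, and whether every DocumentRoot stays under the intended tree.
# VHOSTS_SAMPLE is the page's vhosts.conf; pass "$(cat /etc/httpd/conf.d/vhosts.conf)"
# as the last argument on a live box instead.

VHOSTS_SAMPLE='<VirtualHost *:80>
    ServerName tom.rhce.com
    DocumentRoot /var/www/html/tom
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.rhce.com
    DocumentRoot /var/www/html/blog
</VirtualHost>
<VirtualHost *:80>
    ServerName rhce.com
    DocumentRoot /var/www/html/base
</VirtualHost>'

# vhost_map [CONF]: prints "servername docroot" per VirtualHost block, in file order.
# Apache directives are case-insensitive, so the match is done on lowercase.
vhost_map() {
    printf '%s\n' "${1:-$VHOSTS_SAMPLE}" | awk '
        tolower($1) ~ /^<virtualhost/   { name = ""; root = "" }
        tolower($1) == "servername"     { name = $2 }
        tolower($1) == "documentroot"   { root = $2 }
        tolower($1) ~ /^<\/virtualhost/ { print name, root }'
}

# default_vhost [CONF]: ServerName of the first block, which answers any request
# whose Host header matches none of the configured names.
default_vhost() {
    vhost_map "${1:-$VHOSTS_SAMPLE}" | awk 'NR == 1 { print $1 }'
}

# docroots_under BASE [CONF]: true only if every DocumentRoot lives under BASE/,
# so no vhost quietly serves files from elsewhere on the filesystem.
docroots_under() {
    local base="$1"
    vhost_map "${2:-$VHOSTS_SAMPLE}" | awk -v base="$base/" \
        'index($2, base) != 1 { bad = 1 } END { exit bad }'
}
```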


HOWTO: Create a BOND with RHEL7

Let’s say you have a few spare NICs and want to put them together in an (active/passive) bond.  What do you do?

Well, this is pretty straightforward.

First, connect via SSH to an IP on a NIC that WILL NOT be part of the bond.

Using ‘nmcli’ – delete the existing connections for the NICs you want IN the bond and reload the connection files:

[root@rhce ~]# nmcli con del p4p1 p4p2
Connection 'p4p1' (92d6456d-16bd-4eae-9ecb-386cb4ce4d29) successfully deleted.
Connection 'p4p2' (e52eca2f-8c84-428d-8959-93e85f4b03f3) successfully deleted.
[root@rhce ~]# nmcli con reload

Next, with nmcli, create the bond:

[root@rhce ~]# nmcli con add type bond ifname bond0 con-name bond0 mode active-backup miimon 100 ip4 192.168.1.50/24
Connection 'bond0' (5886c4c3-6ed7-4785-be41-7ef4c6f29373) successfully added.

Now, the bond is just an IP at this point in time; there are no NICs associated with it.  Time to add the two NICs (p4p1 & p4p2) in:

[root@rhce ~]# nmcli connection add type bond-slave ifname p4p1 con-name p4p1 master bond0
Connection 'p4p1' (ef7fd007-af66-43f2-a769-a8916dbf09c9) successfully added.
[root@rhce ~]# nmcli connection add type bond-slave ifname p4p2 con-name p4p2 master bond0
Connection 'p4p2' (d40213dd-4fd7-4a62-ac4c-1cc2d7480284) successfully added.

Optional (I think, but I still do it), modify the bond to have DNS:

[root@rhce ~]# nmcli connection modify bond0 ipv4.dns "192.168.1.1,8.8.8.8"

Now, ‘up’ the bond:

[root@rhce ~]# nmcli con up bond0

It’ll take about 30 seconds to configure behind the scenes, so set up a continuous ping and wait for it to reply.

The last part of this is testing the functionality.  Start a PING test, pull a cable & see what happens:

$ ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50): 56 data bytes
64 bytes from 192.168.1.50: icmp_seq=52 ttl=64 time=0.357 ms
64 bytes from 192.168.1.50: icmp_seq=53 ttl=64 time=0.301 ms
64 bytes from 192.168.1.50: icmp_seq=54 ttl=64 time=0.359 ms
64 bytes from 192.168.1.50: icmp_seq=55 ttl=64 time=0.339 ms
Pull active cable
Request timeout for icmp_seq 6
<10-45 more times>
Request timeout for icmp_seq 51
64 bytes from 192.168.1.50: icmp_seq=82 ttl=64 time=0.607 ms
64 bytes from 192.168.1.50: icmp_seq=83 ttl=64 time=0.339 ms
64 bytes from 192.168.1.50: icmp_seq=84 ttl=64 time=0.361 ms
64 bytes from 192.168.1.50: icmp_seq=85 ttl=64 time=0.276 ms
64 bytes from 192.168.1.50: icmp_seq=86 ttl=64 time=0.306 ms

Looks like you got an active/backup bond working successfully!
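An added example, not from the original post: rather than relying only on ping, read the state the bonding driver publishes in /proc/net/bonding/bond0 and check whether redundancy is actually intact. BOND_SAMPLE is a constructed snapshot of that file after the active cable was pulled (p4p2 down, p4p1 now active); the field names are the driver's, the values are made up.

```shell
#!/bin/bash
# Added example, not the original post's code: inspect an active-backup bond
# through /proc/net/bonding/<bond>. BOND_SAMPLE is a constructed snapshot
# after a cable pull; on a live RHEL7 box pass "$(cat /proc/net/bonding/bond0)".

BOND_SAMPLE='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: p4p1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: p4p1
MII Status: up
Speed: 1000 Mbps
Link Failure Count: 0

Slave Interface: p4p2
MII Status: down
Speed: Unknown
Link Failure Count: 1'

# bond_active [STATUS]: the slave currently carrying traffic.
bond_active() {
    printf '%s\n' "${1:-$BOND_SAMPLE}" | awk -F': ' '/^Currently Active Slave/ { print $2 }'
}

# bond_mode [STATUS]: the mode string, e.g. "fault-tolerance (active-backup)".
bond_mode() {
    printf '%s\n' "${1:-$BOND_SAMPLE}" | awk -F': ' '/^Bonding Mode/ { print $2 }'
}

# bond_slaves_down [STATUS]: slaves whose link is down, one per line. The first
# "MII Status" line describes the bond itself, so only lines after a
# "Slave Interface" header count.
bond_slaves_down() {
    printf '%s\n' "${1:-$BOND_SAMPLE}" | awk -F': ' '
        /^Slave Interface/ { slave = $2 }
        /^MII Status/ && slave != "" && $2 == "down" { print slave }'
}

# bond_healthy [STATUS]: true only when a slave is active and none is down,
# i.e. you still have a standby path; losing that is what to alert on.
bond_healthy() {
    local s="${1:-$BOND_SAMPLE}"
    [ -n "$(bond_active "$s")" ] && [ -z "$(bond_slaves_down "$s")" ]
}
```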