How to Fix NGINX error “Failed to read PID from file”

It seems to be a race between systemd and nginx: systemd expects the PID file to be populated before nginx has had time to create it, so the unit fails with “Failed to read PID from file” even though nginx starts fine. A short ExecStartPost delay in a drop-in override gives nginx time to write the file:

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx

Link: http://alfredoroca.github.io/nginx/2016/09/04/How-to-solve-failure-read-of-nginx-pid-file

PostgreSQL upgrade on Red Hat 7

Installation
Following instructions from here https://www.postgresql.org/download/linux/redhat/:
Select version: 9.6 (I needed 9.6 because of my specific product requirements)
Select platform: RHEL7
Install the repository RPM: yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm

yum install postgresql96 postgresql96-server postgresql96-libs postgresql96-contrib
/usr/pgsql-9.6/bin/postgresql96-setup initdb

My previous PostgreSQL was 9.2 and it was installed from the RHEL repo, so all directories and configs are the standard ones.

Upgrade
This is important! You can’t use pg_upgrade as-is in this particular upgrade, because they *censored* renamed the “unix_socket_directory” parameter to “unix_socket_directories” in 9.3, and pg_upgrade passes the old name to the new pg_ctl. Check this out – https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343. Luckily there’s a workaround: temporarily wrap pg_ctl in a script that rewrites the parameter name in its arguments.

mv /usr/bin/pg_ctl{,-orig}
echo '#!/bin/bash' > /usr/bin/pg_ctl
echo '"$0"-orig "${@/unix_socket_directory/unix_socket_directories}"' >> /usr/bin/pg_ctl
chmod +x /usr/bin/pg_ctl

Let’s stop the old PostgreSQL 9.2 service and disable it:
systemctl stop postgresql
systemctl disable postgresql

Finally actual upgrade:

su - postgres
#with --check first
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/ --check
#if everything is ok, then
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/

Undo the “hack”:
mv -f /usr/bin/pg_ctl{-orig,}

systemctl enable postgresql-9.6
systemctl start postgresql-9.6
systemctl status postgresql-9.6

Let’s run the analyze_new_cluster.sh script that pg_upgrade generated (it rebuilds the optimizer statistics, which pg_upgrade does not carry over):

su - postgres
/var/lib/pgsql/analyze_new_cluster.sh

and also check the DB version:

psql -d 
SHOW server_version;
\q

Links:
https://www.postgresql.org/download/linux/redhat/
https://dba.stackexchange.com/questions/50135/pg-upgrade-unrecognized-configuration-parameter-unix-socket-directory
https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343
https://support.code42.com/Administrator/6/Planning_and_installing/PostgreSQL_upgrade_on_Red_Hat
http://www.uptimemadeeasy.com/databases/upgrade-postgresql/

Flood (web interface for rtorrent) on CentOS 7

Install rTorrent
yum install rtorrent screen
adduser rtorrent

Configure rTorrent

vi /home/rtorrent/.rtorrent.rc
    # Where rTorrent saves the downloaded files
    directory = /srv/torrent/downloads

    # Where rTorrent saves the session
    session = /srv/torrent/.session

    # Which ports rTorrent can use (Make sure to open them in your router)
    port_range = 50000-50000
    port_random = no

    # Check the hash after the end of the download
    check_hash = yes

    # Enable DHT (for torrents without trackers)
    dht = auto
    dht_port = 6881
    peer_exchange = yes

    # Authorize UDP trackers
    use_udp_trackers = yes

    # Enable encryption when possible
    encryption = allow_incoming,try_outgoing,enable_retry

    # SCGI port, used to communicate with Flood
    scgi_port = 127.0.0.1:5000

mkdir /srv/torrent
mkdir /srv/torrent/downloads
mkdir /srv/torrent/.session
chmod 775 -R /srv/torrent
chown rtorrent:rtorrent -R /srv/torrent
chown rtorrent:rtorrent /home/rtorrent/.rtorrent.rc

vi /etc/systemd/system/rtorrent.service
    [Unit]
    Description=rTorrent
    After=network.target

    [Service]
    User=rtorrent
    Type=forking
    KillMode=none
    ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent
    ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent
    WorkingDirectory=%h

    [Install]
    WantedBy=default.target

systemctl enable rtorrent.service
systemctl start rtorrent

Install Flood
yum install gcc-c++ make curl git -y
curl -sL https://rpm.nodesource.com/setup_8.x | bash -
yum install -y nodejs

cd /srv/torrent
git clone https://github.com/jfurrow/flood.git
cd flood
cp config.template.js config.js

To access Flood remotely, make it listen on all interfaces in config.js:
vi config.js
floodServerHost: '0.0.0.0'

npm install

If there were no errors, continue with:

npm install -g node-gyp
npm run build

Start Flood
adduser flood
chown -R flood:flood /srv/torrent/flood/

vi /etc/systemd/system/flood.service
    [Service]
    WorkingDirectory=/srv/torrent/flood
    ExecStart=/usr/bin/npm start
    Restart=always
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=notell
    User=flood
    Group=flood
    Environment=NODE_ENV=production

    [Install]
    WantedBy=multi-user.target

systemctl enable flood
systemctl start flood

Flood should be available via http://IP:3000. You need to create a new user and you’re all set.

Links:
https://github.com/jfurrow/flood
https://freedif.org/flood-modern-web-ui-for-rtorrent
https://github.com/nodesource/distributions
https://wiki.archlinux.org/index.php/RTorrent
https://en.wikipedia.org/wiki/BitTorrent_protocol_encryption

Samba 3 as a Domain Member (CentOS 6+PBIS)

Requirements

Supported Samba versions:
– Samba version 3.0.25 or later versions in the 3.0 series
– Samba 3.2.X
– Samba 3.4.X
– Samba 3.5.X

Winbind must be installed and running when you are using Samba version 3.0.25 or later versions in the 3.0 series.
If you are using Samba version 3.2.X or 3.5.X, Winbind is not required.

Samba package must support ADS security.
PowerBroker Identity Services relies on ADS security in a Samba and PowerBroker Identity Services configuration.
For more information, see: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Installation and configuration

https://github.com/BeyondTrust/pbis-open/releases

wget https://github.com/BeyondTrust/pbis-open/releases/download/8.6.0/pbis-open-8.6.0.427.linux.x86_64.rpm.sh
./pbis-open-8.6.0.427.linux.x86_64.rpm.sh install

/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes sub.domain.com domainjoinusername
/opt/pbis/bin/update-dns

/opt/pbis/bin/get-status

yum install samba-3.6.23

mv /etc/samba/smb.conf /etc/samba/smb.conf_bk

vi /etc/samba/smb.conf
[global]
        workgroup = SUB
        realm = SUB.DOMAIN.COM
        server string = %h server
        security = ADS
        map to guest = Bad User
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
;        syslog = 0
        log file = /var/log/samba/log.%m
;        max log size = 1000
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        dns proxy = No
;        wins server = 10.10.10.10
;        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
;        idmap config * : range = 10000-33554431
;        idmap config * : range = 3000-7999
;        idmap config * : backend = tdb
;        printing = bsd
;        print command = lpr -r -P'%p' %s
;        lpq command = lpq -P'%p'
;        lprm command = lprm -P'%p' %j
        machine password timeout = 0
;        log level = 5
;        debug pid = true

[share]
        path = /smb/share
        valid users = @adgroup
        force user = aduser
        force group = domain^users
        read only = No
        acl check permissions = No
        create mask = 0640
        directory mask = 0750
        browseable = No

/opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.23-46el6_9
Samba version supported

/opt/pbis/bin/samba-interop-install --install --loglevel verbose

service smb restart; service nmb restart

Troubleshooting

Issue: The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)

Fix:
net getdomainsid
net setlocalsid S-1-2-34-5678901234-5678901234-5678901234-567

————————————————————————
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SUB
Joined 'SMBTEST01V' to dns domain 'sub.domain.com'
————————————————————————
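The SID mismatch above is easier to reason about once the SIDs are split into their domain part and the trailing RID: the primary group's domain part and the domain SID Samba reports must be identical, which is exactly what net setlocalsid repairs. The following is an added example, not part of the original post, that parses a message of that shape (with the same placeholder SIDs, constructed here) and prints the same fix the post uses; the function and variable names are my own.

```python
import re

# Constructed sample: the lsass/Samba message shape quoted in the troubleshooting
# section above, with the same placeholder SIDs (not a real domain).
SAMPLE_MESSAGE = (
    "The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) "
    "does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) "
    "for aduser(S-1-22-1-1234567890)"
)

# Windows SID layout: S-1-<identifier authority>-<sub-authority>...-<RID>
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_sid(sid):
    """Split a SID into its domain part (all but the last sub-authority) and the RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def diagnose_sid_mismatch(message):
    """Parse the mismatch message and say which domain SIDs disagree.

    Returns the group's domain SID, the domain SID Samba reported, the group RID,
    and whether the two domain SIDs agree (they must, or group mapping fails).
    """
    sids = SID_RE.findall(message)
    if len(sids) < 2:
        raise ValueError("expected a group SID and a domain SID in the message")
    group_sid, reported_domain_sid = sids[0], sids[1]
    group_domain, group_rid = split_sid(group_sid)
    return {
        "group_sid": group_sid,
        "group_domain_sid": group_domain,
        "group_rid": group_rid,
        "reported_domain_sid": reported_domain_sid,
        "match": group_domain == reported_domain_sid,
    }


def suggested_fix(diagnosis):
    """Mirror the fix used above: point the local SID at the group's real domain SID."""
    if diagnosis["match"]:
        return None
    return "net setlocalsid " + diagnosis["group_domain_sid"]


if __name__ == "__main__":
    result = diagnose_sid_mismatch(SAMPLE_MESSAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(suggested_fix(result))
```

Run it as-is to see the two domain parts side by side; feed it the real line from /var/log/samba or the lsass log to get the corresponding net setlocalsid command.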

Debug:
smbclient //10.10.10.11/share/ -U SUB/aduser
smbclient -L 10.10.10.11 -U SUB/aduser
/opt/pbis/bin/enum-users
pbis status
/opt/pbis/bin/domainjoin-cli query
/opt/pbis/bin/lwsm list
/opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
/opt/pbis/bin/lwsm set-log-level -p lsass - debug

“Troubleshooting PBIS-Samba Integration” from here https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf

Links:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://github.com/BeyondTrust/pbis-open/releases

Display SFP+ transceiver details on the Juniper switch (EX4600)

To check the PIC media type and status for a particular FPC, use the show chassis fpc pic-status fpc-slot command.

To display PIC hardware information, including the media type description, use the show chassis hardware command.
show chassis fpc <pic-status <fpc-slot>>
show chassis hardware

show chassis fpc pic-status

Slot 0   Online       EX4600-40F
  PIC 0  Online       24x10G-4x40G
  PIC 1  Online       EX4600-EM-8F


show chassis pic fpc-slot 0 pic-slot 0

FPC slot 0, PIC slot 0 information:
  Type             24x10G-4x40G
  State            Online
  PIC version      3.22
  Uptime           111 days, 1 hours, 11 minutes, 11 seconds

PIC port information:
                         Fiber                    Xcvr vendor       Wave-    Xcvr
  Port Cable type        type  Xcvr vendor        part number       length   Firmware
  2    10GBASE LR        SM    FINISAR CORP.      FTLX1471D3BCL-J1  1310 nm  0.0
  6    GIGE 1000LX10     SM    FINISAR CORP.      FTLF1318P3BTL-J1  1310 nm  0.0
  24   40GBASE SR4       MM    AVAGO              AFBR-79EQDZ-JU1   n/a      0.0


Some additional optic info…
show interfaces diagnostics optics xe-0/0/1

Physical interface: xe-0/0/1
    Laser bias current                        :  42.276 mA
    Laser output power                        :  0.6990 mW / -1.56 dBm
    Module temperature                        :  38 degrees C / 100 degrees F
    Module voltage                            :  3.3150 V
    Receiver signal average optical power     :  0.0001 mW / -40.00 dBm
    Laser bias current high alarm             :  Off
    Laser bias current low alarm              :  Off
    Laser bias current high warning           :  Off
    Laser bias current low warning            :  Off
    Laser output power high alarm             :  Off
    Laser output power low alarm              :  Off
    Laser output power high warning           :  Off
    Laser output power low warning            :  Off
    Module temperature high alarm             :  Off
    Module temperature low alarm              :  Off
    Module temperature high warning           :  Off
    Module temperature low warning            :  Off
    Module voltage high alarm                 :  Off
    Module voltage low alarm                  :  Off
    Module voltage high warning               :  Off
    Module voltage low warning                :  Off
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  On
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  On
    Laser bias current high alarm threshold   :  85.000 mA
    Laser bias current low alarm threshold    :  15.000 mA
    Laser bias current high warning threshold :  80.000 mA
    Laser bias current low warning threshold  :  20.000 mA
    Laser output power high alarm threshold   :  1.5840 mW / 2.00 dBm
    Laser output power low alarm threshold    :  0.1580 mW / -8.01 dBm
    Laser output power high warning threshold :  1.2580 mW / 1.00 dBm
    Laser output power low warning threshold  :  0.1990 mW / -7.01 dBm
    Module temperature high alarm threshold   :  78 degrees C / 172 degrees F
    Module temperature low alarm threshold    :  -13 degrees C / 9 degrees F
    Module temperature high warning threshold :  73 degrees C / 163 degrees F
    Module temperature low warning threshold  :  -8 degrees C / 18 degrees F
    Module voltage high alarm threshold       :  3.700 V
    Module voltage low alarm threshold        :  2.900 V
    Module voltage high warning threshold     :  3.600 V
    Module voltage low warning threshold      :  3.000 V
    Laser rx power high alarm threshold       :  1.7783 mW / 2.50 dBm
    Laser rx power low alarm threshold        :  0.0100 mW / -20.00 dBm
    Laser rx power high warning threshold     :  1.5849 mW / 2.00 dBm
    Laser rx power low warning threshold      :  0.0158 mW / -18.01 dBm
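The interesting lines in that output are the ones set to On: the receiver is seeing -40 dBm, far under the -20 dBm low-alarm threshold, so the far end is probably dark or the fibre is bad. As an added example (not part of the original post), the script below parses a trimmed copy of the output above (constructed from the same values), lists every active alarm and warning, and re-derives the dBm figure from the mW one using dBm = 10·log10(P / 1 mW); the function names are my own.

```python
import math
import re

# Constructed excerpt of "show interfaces diagnostics optics xe-0/0/1", trimmed to the
# lines the check needs; the values are the ones shown above.
SAMPLE_OPTICS = """\
Physical interface: xe-0/0/1
    Laser bias current                        :  42.276 mA
    Laser output power                        :  0.6990 mW / -1.56 dBm
    Module temperature                        :  38 degrees C / 100 degrees F
    Module voltage                            :  3.3150 V
    Receiver signal average optical power     :  0.0001 mW / -40.00 dBm
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  On
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  On
    Laser rx power high alarm threshold       :  1.7783 mW / 2.50 dBm
    Laser rx power low alarm threshold        :  0.0100 mW / -20.00 dBm
    Laser rx power high warning threshold     :  1.5849 mW / 2.00 dBm
    Laser rx power low warning threshold      :  0.0158 mW / -18.01 dBm
"""

# indented "name : value" rines under a "Physical interface:" header
FIELD_RE = re.compile(r"^\s{4}(.+?)\s*:\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^Physical interface:\s+(\S+)")


def parse_optics(text):
    """Return {interface: {field name: raw value string}} from the CLI output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return result


def mw_to_dbm(mw):
    """Optical power in dBm: 10 * log10(P / 1 mW)."""
    return 10 * math.log10(mw)


def first_mw(value):
    """Pull the mW number out of a value like '0.0001 mW / -40.00 dBm'."""
    return float(value.split("mW")[0])


def optics_alerts(fields):
    """List active alarms/warnings and check rx power against the low-alarm threshold."""
    active = [name for name, value in fields.items()
              if name.endswith(("alarm", "warning")) and value == "On"]
    rx_mw = first_mw(fields["Receiver signal average optical power"])
    low_alarm_mw = first_mw(fields["Laser rx power low alarm threshold"])
    return {
        "active": active,
        "rx_dbm": round(mw_to_dbm(rx_mw), 2),
        "rx_below_low_alarm": rx_mw < low_alarm_mw,
    }


if __name__ == "__main__":
    for iface, fields in parse_optics(SAMPLE_OPTICS).items():
        print(iface, optics_alerts(fields))
```

The parser keys on the four-space indentation that Junos uses for the per-interface lines, so pasting the full output of show interfaces diagnostics optics (several interfaces at once) works too.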

Nginx with SSL as reverse proxy on CentOS 7

FirewallD

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Nginx

yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

setsebool -P httpd_can_network_relay 1
setsebool -P httpd_can_network_connect 1

getsebool -a | grep -i http

HTTPS

mkdir -p /etc/ssl/nginx/drive.domain.com /etc/ssl/nginx/wiki.domain.com

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/drive.domain.com/dh4096.pem 4096

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/wiki.domain.com/dh4096.pem 4096


chown -R nginx:nginx /etc/ssl/nginx/
chmod 600 /etc/ssl/nginx/drive.domain.com/drive.domain.com.key
chmod 600 /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key
restorecon -Rv /etc/ssl/nginx/

Nginx configuration

vi /etc/nginx/nginx.conf
server {
    listen 80;
    return 301 https://$host$request_uri;
}

vi /etc/nginx/conf.d/wiki.domain.com.conf
server {

    listen 443 ssl;
    server_name wiki.domain.com www.wiki.domain.com;

    ssl_certificate /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/wiki.domain.com/dh4096.pem;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/wiki.domain.com.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.24:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://192.168.0.24:8080 https://wiki.domain.com;
    }
}

vi /etc/nginx/conf.d/drive.domain.com.conf
server {

    listen 443 ssl;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/drive.domain.com/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;


    access_log            /var/log/nginx/drive.domain.com.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.23:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://192.168.0.23:8080 https://drive.domain.com;
    }
}

Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/

Mediawiki on CentOS 7

FirewallD

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

#yum install policycoreutils-python
yum install epel-release

Nginx

yum install nginx

systemctl enable nginx
systemctl start nginx

vi /etc/nginx/conf.d/wiki.domain.com.conf

server {
    listen 80;
    server_name wiki.domain.com www.wiki.domain.com;

    # For Lets Encrypt, this needs to be served via HTTP
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html; # Specify here where the challenge file is placed
    }

    # enforce https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name wiki.domain.com www.wiki.domain.com;

    ssl_certificate /etc/ssl/nginx/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com.key;

    # Example SSL/TLS configuration. Please read into the manual of
    # nginx before applying these.
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    root /usr/share/nginx/html/;

    #client_max_body_size 5m;
    client_max_body_size 100m;
    client_body_timeout 60;

    location / {
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?title=$1&$args;
    }

    location ^~ /maintenance/ {
        return 403;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice

    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        try_files $uri /index.php;
        expires max;
        log_not_found off;
    }

    location = /_.gif {
        expires max;
        empty_gif;
    }

    location ^~ /cache/ {
        deny all;
    }

    location /dumps {
        root /usr/share/nginx/html/local;
        autoindex on;
    }
}

systemctl restart nginx

PHP

yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install php-fpm php-cli php-gd php-xml php-intl texlive php-xcache php-pgsql php-mbstring php-json php-openssl pcre

php --version

vi /etc/php.ini
cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl enable php-fpm
systemctl start php-fpm

vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

HTTPS

mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096

PostgreSQL

yum install postgresql postgresql-server postgresql-contrib
postgresql-setup initdb
systemctl enable postgresql
systemctl start postgresql

vi /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
port = 5432

cat <<EOT > /var/lib/pgsql/data/pg_hba.conf
local all postgres trust
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
EOT

passwd postgres

su - postgres
psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'newpassword';"

createuser -S -D -R -P -E wikiuser #(then enter the password)
createdb -O wikiuser wikidb
exit

systemctl restart postgresql

semanage boolean -m --on httpd_can_network_connect_db

MediaWiki

wget https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.1.tar.gz
tar zxvf mediawiki-1.29.1.tar.gz
mv mediawiki-1.29.1/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/*
chmod -R 0755 /usr/share/nginx/html/*
chmod 600 /usr/share/nginx/html/LocalSettings.php

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html'
restorecon -Rv '/usr/share/nginx/html'

systemctl restart php-fpm nginx; systemctl status php-fpm nginx

https://wiki.domain.com:20002/mw-config/index.php?page=Name
Name of wiki: wiki
Project namespace: Project
User rights profile: Private wiki
Settings for object caching: PHP object caching (APC, APCu, XCache or WinCache)

PostgreSQL DB backup

pg_dump wikidb > wikidbdump2017_09_27.sql
pg_dumpall --globals > postgres_globals2017_09_27.sql

Issues

MediaWiki 1.29 internal error MediaWiki 1.29 requires at least PHP version 5.5.9, you are using PHP 5.4.16. Supported PHP versions Please consider upgrading your copy of PHP. PHP versions less than 5.5.0 are no longer supported by the PHP Group and will not receive security or bugfix updates. If for some reason you are unable to upgrade your PHP version, you will need to download an older version of MediaWiki from our website. See our compatibility page for details of which versions are compatible with prior versions of PHP. https://www.mediawiki.org/wiki/Compatibility#PHP

Links:
https://www.digitalocean.com/community/tutorials/how-to-install-mediawiki-on-centos-7
https://www.nginx.com/resources/wiki/start/topics/recipes/mediawiki/
https://www.rosehosting.com/blog/install-mediawiki-on-a-centos-7-vps/
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki

Juniper Junos OS EX 4300 Series Ethernet Switch Port Security

Interface configuration
set switch-options interface ge-2/0/17.0 interface-mac-limit 1
set switch-options interface ge-2/0/17.0 interface-mac-limit packet-action drop-and-log
set switch-options interface ge-2/0/17.0 persistent-learning

Clear specific interface MAC database
run clear ethernet-switching table interface ge-2/0/17.0
delete switch-options interface ge-2/0/17.0

Troubleshooting and verification
show interfaces ge-2/0/17 detail
show ethernet-switching interface ge-2/0/17
show ethernet-switching interface ge-2/0/17.0 brief

show configuration switch-options interface ge-2/0/17.0

interface-mac-limit {
    3;
    packet-action drop-and-log;
}
persistent-learning;

show ethernet-switching table interface ge-2/0/17.0

MAC database for interface ge-2/0/17.0

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC)

Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching table | match "01:12:23:34:45:56"

vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0

show ethernet-switching table | match "ge-2/0/17.0"
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching interface ge-2/0/17.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control )

Logical             Vlan          TAG     MAC         STP               Logical              Tagging
interface           members               limit       state             interface flags
ge-2/0/17.0                               3                                AD,LH              untagged
                    vlan.110      110     65535       Forwarding                              untagged

show log messages | match ge-2/0/17
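The two outputs above answer different questions: the table shows which MACs are bound to the port (P = persistent), while the interface summary shows the configured limit and whether the switch has already hit it (LH) and is dropping the excess (AD, from packet-action drop-and-log). Cross-checking them is how you confirm port security is doing what you configured. The script below is an added example, not part of the original post: it parses constructed copies of both outputs (same placeholder MACs) and reports, per logical interface, the learned count against the limit and the LH/AD state; the function names are my own.

```python
import re

# Constructed samples shaped like the two Junos outputs above (placeholder MACs),
# not captured from the original switch.
SAMPLE_TABLE = """\
MAC database for interface ge-2/0/17.0

Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0
"""

SAMPLE_IFACE = """\
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control )

Logical             Vlan          TAG     MAC         STP               Logical              Tagging
interface           members               limit       state             interface flags
ge-2/0/17.0                               3                                AD,LH              untagged
                    vlan.110      110     65535       Forwarding                              untagged
"""

# one row of "show ethernet-switching table": vlan, mac, flags, age, logical interface
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<flags>\S+)\s+(?P<age>\S+)\s+(?P<ifl>\S+)\s*$",
    re.IGNORECASE,
)
# first line of an interface entry: "<ifl> <limit> [<flags>] <tagging>"
IFACE_ROW = re.compile(
    r"^(?P<ifl>\S+\.\d+)\s+(?P<limit>\d+)\s+(?:(?P<flags>[A-Z]+(?:,[A-Z]+)*)\s+)?(?P<tag>\S+)\s*$"
)


def parse_mac_table(text):
    """{interface: [(mac, [flags]), ...]} from 'show ethernet-switching table'."""
    by_ifl = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            by_ifl.setdefault(m["ifl"], []).append((m["mac"].lower(), m["flags"].split(",")))
    return by_ifl


def parse_interface_limits(text):
    """{interface: {"limit": int, "flags": set}} from 'show ethernet-switching interface'."""
    out = {}
    for line in text.splitlines():
        m = IFACE_ROW.match(line)
        if m:
            flags = set(m["flags"].split(",")) if m["flags"] else set()
            out[m["ifl"]] = {"limit": int(m["limit"]), "flags": flags}
    return out


def mac_limit_status(table_text, iface_text):
    """Cross-check learned MACs against the configured limit and the LH/AD flags."""
    macs = parse_mac_table(table_text)
    limits = parse_interface_limits(iface_text)
    report = {}
    for ifl, info in limits.items():
        learned = macs.get(ifl, [])
        report[ifl] = {
            "limit": info["limit"],
            "learned": len(learned),
            "persistent": sum(1 for _, flags in learned if "P" in flags),
            "limit_hit": "LH" in info["flags"],    # switch reports the limit was reached
            "drop_action": "AD" in info["flags"],  # excess MACs are dropped (packet-action drop)
            "at_limit": len(learned) >= info["limit"],
        }
    return report


if __name__ == "__main__":
    for ifl, status in mac_limit_status(SAMPLE_TABLE, SAMPLE_IFACE).items():
        print(ifl, status)
```

An interface that shows LH without being at_limit in the table (or the other way round) is worth a second look: the table only lists what is currently learned, while LH is raised the moment an extra MAC was seen and dropped.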

Link:
https://forums.juniper.net/t5/Ethernet-Switching/EX4300-Port-Security-MAC-Limiting-Allowed-MAC-amp-ELS/td-p/308978
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html
http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/verification/port-security-qfx-series-mac-limiting.html
http://forums.juniper.net/t5/Junos/Mac-Filtering-on-EX4200-JUNOS/td-p/48473
https://networkengineering.stackexchange.com/questions/19181/how-can-i-view-a-list-of-which-macs-an-interface-is-restricted-to-on-a-juniper-s

Owncloud 10.0 on CentOS 7

FirewallD

#yum install policycoreutils-python
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

MySQL(MariaDB)

yum install mariadb-server mariadb

systemctl enable mariadb
systemctl start mariadb

mysql_secure_installation

mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* to 'ownclouduser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit

HTTPS

mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096

Nginx

yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

vi /etc/nginx/conf.d/drive.domain.com.conf
upstream php-handler {
    #server 127.0.0.1:9000;
    # Depending on your used PHP version
    #server unix:/var/run/php5-fpm.sock;
    #server unix:/var/run/php7-fpm.sock;
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name drive.domain.com www.drive.domain.com;

    # For Lets Encrypt, this needs to be served via HTTP
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html; # Specify here where the challenge file is placed
    }

    # enforce https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate /etc/ssl/nginx/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com.key;

    # Example SSL/TLS configuration. Please read into the manual of
    # nginx before applying these.
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_dhparam /etc/ssl/nginx/dh4096.pem;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/html;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 16400M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    # Enabling gzip would also make your server vulnerable to BREACH
    # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        return 404;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off; #Available since NGINX 1.7.11
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "max-age=15778463";
        # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into this topic first.
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
        add_header Cache-Control "public, max-age=7200";
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

systemctl restart nginx
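Added example, not part of the original notes or of ownCloud's configuration: a small POSIX sh check that a captured HTTP response really carries the security headers the asset location above adds. Feed it the header block printed by `curl -sI https://host/core/js/core.js`; the two sample responses embedded below are constructed, one complete and one with two headers missing.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that a captured HTTP
# response carries the security headers the nginx asset location adds.
# Input: the raw header block, e.g. from `curl -sI https://host/core/js/core.js`.
# The sample responses at the bottom are constructed.

REQUIRED_HEADERS='strict-transport-security
x-content-type-options
x-frame-options
x-xss-protection
x-robots-tag
x-download-options
x-permitted-cross-domain-policies'

# check_security_headers < response_headers
# Prints each missing header name; returns the number of missing headers.
check_security_headers() {
    missing=0
    # collect the header names that are present, lower-cased for a case-insensitive match
    present=$(tr -d '\r' | sed -n 's/^\([A-Za-z-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$present" | grep -qxF "$h"; then
            echo "missing: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# hsts_max_age < response_headers
# Prints the Strict-Transport-Security max-age in seconds, or 0 if the header is absent.
hsts_max_age() {
    v=$(tr -d '\r' | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    echo "${v:-0}"
}

# Constructed sample: what a hardened asset response should look like.
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
Cache-Control: max-age=15778463
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none'

# Constructed sample: the same response with HSTS and X-Frame-Options missing.
SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none'

printf '%s\n' "$SAMPLE_OK" | check_security_headers && echo "all security headers present"
```

The check is worth running against a .css or .js URL specifically, because those are served by the asset location and not by the PHP block; a header present on index.php says nothing about the static paths.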

PHP

yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm

#yum-config-manager --enable remi-php71
#yum --enablerepo=remi-php71 install php-fpm php-cli php-gd php-mcrypt php-mysql php-pear php-xml php-mbstring php-pdo php-json

vi /etc/yum.repos.d/remi-php71.repo
[remi-php71]
enabled=1

yum install php-fpm php-cli php-gd php-mcrypt php-mysqlnd php-pear php-xml php-mbstring php-pdo php-json php-pecl-zip php-intl

php --version

vi /etc/php.ini
cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

systemctl enable php-fpm
systemctl start php-fpm

vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

ownCloud download and install

wget https://download.owncloud.org/community/owncloud-10.0.3.tar.bz2
tar jxvf owncloud-10.0.3.tar.bz2
mv owncloud/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/data'
restorecon '/usr/share/nginx/html/data'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/config'
restorecon '/usr/share/nginx/html/config'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/apps'
restorecon '/usr/share/nginx/html/apps'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/assets'
restorecon '/usr/share/nginx/html/assets'

chown -R nginx:nginx /var/lib/php/session

Caching

APCu

yum install php-devel
yum groupinstall "Development Tools"
pecl install apcu

cat <<EOF > /etc/php.d/20-apcu.ini
; APCu php extension
extension=apcu.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.local' => '\OC\Memcache\APCu',

Redis

yum install centos-release-scl-rh
yum install rh-redis32-redis

pecl install redis

chown -R redis:redis /var/run/redis/
semanage fcontext -a -t redis_var_run_t '/var/run/redis(/.*)?'
restorecon -Rv /run/redis/

vi /etc/opt/rh/rh-redis32/redis.conf
unixsocket /var/run/redis/redis.sock
unixsocketperm 700

systemctl start rh-redis32-redis
systemctl enable rh-redis32-redis

yum install net-tools
ps ax | grep redis
netstat -tlnp | grep redis
cat <<EOF > /etc/php.d/20-redis.ini
; Redis php extension
extension=redis.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => '/var/run/redis/redis.sock',
     'port' => 0,
],

usermod -a -G redis nginx

Additional SELinux configuration

setsebool -P daemons_enable_cluster_mode 1

semodule -l | grep my-redisserver
ausearch -c 'redis-server' --raw | audit2allow -M my-redisserver
semodule -i my-redisserver.pp
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -i my-nginx.pp

setsebool -P httpd_can_sendmail=1

systemctl restart php-fpm nginx; systemctl status php-fpm nginx
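Added example, not from the original notes: `ausearch ... | audit2allow -M` turns every recorded denial into an allow rule, so the generated module is worth reading before `semodule -i`. This POSIX sh helper lists the allow rules in a .te file that touch types or permissions an admin should look at twice. The .te content is a constructed sample in the format audit2allow emits, and the list of "risky" permissions is this example's own choice, not a SELinux reference.

```shell
#!/bin/sh
# Added example (not from the original notes): review an audit2allow-generated
# policy module before installing it. The sample .te below is constructed in
# the format audit2allow writes; RISKY is this example's own watch list.

RISKY='execmem|execstack|execheap|dac_override|dac_read_search|sys_admin|sys_module|setuid|shadow_t|unconfined_t|security_t|sudo_exec_t|passwd_file_t'

# review_te FILE
# Prints each allow rule that mentions a risky type or permission;
# returns the number of such rules (0 means nothing stood out).
review_te() {
    n=0
    while IFS= read -r line; do
        # only effective rules matter; skip the require block and comments
        case "$line" in
            allow*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq "$RISKY"; then
            echo "REVIEW: $line"
            n=$((n + 1))
        fi
    done < "$1"
    return "$n"
}

# count_allows FILE -> total number of allow rules in the module
count_allows() {
    grep -c '^allow ' "$1"
}

# Constructed sample: one expected rule (php-fpm talking to the Redis socket
# configured above) and two that deserve investigation instead of an allow.
SAMPLE_TE=$(mktemp)
cat > "$SAMPLE_TE" <<'EOF'
module my-phpfpm 1.0;

require {
    type httpd_t;
    type redis_var_run_t;
    type shadow_t;
    class sock_file write;
    class file read;
    class process execmem;
}

#============= httpd_t ==============
allow httpd_t redis_var_run_t:sock_file write;
allow httpd_t shadow_t:file read;
allow httpd_t self:process execmem;
EOF

review_te "$SAMPLE_TE" || echo "$? rule(s) need review before semodule -i"
```

Run it on `my-phpfpm.te` (audit2allow writes the .te next to the .pp). A rule like the sock_file write is what the Redis socket setup needs; a read of shadow_t or execmem for php-fpm points at a misconfiguration or a compromised process and should be fixed at the source rather than allowed.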

crontab -u nginx -e
*/15  *  *  *  * /usr/bin/php -f /usr/share/nginx/html/cron.php

yum install samba-client nfs-utils

Links:
https://www.howtoforge.com/tutorial/owncloud-centos-install/
https://tecadmin.net/install-owncloud-on-centos/
https://doc.owncloud.org/server/10.0/admin_manual
https://www.simplehelix.com/blog/uncategorized/installing-and-configuring-nginx-php-fpm-mariadb-on-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-centos-7
https://stackoverflow.com/questions/6628275/how-to-get-my-session-to-write-to-apache
https://github.com/owncloud/core/issues/25927#issuecomment-262703655
https://doc.owncloud.org/server/9.1/admin_manual/installation/selinux_configuration.html#troubleshooting
https://doc.owncloud.org/server/10.0/admin_manual/configuration/server/caching_configuration.html#redis-label
https://help.nextcloud.com/t/install-nextcloud-into-root-directory-of-my-domain/2513?page=2
https://github.com/nrk/predis/issues/277
https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_configuration.html#example-configurations

CentOS 6 as smarthost (sendmail)

yum install mailx sendmail sendmail-cf -y

vi /etc/mail/sendmail.mc

define(`SMART_HOST', `smtp.domain.com')dnl
MASQUERADE_AS(`domain.com')dnl

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

chkconfig sendmail on
service sendmail restart

GIT on CentOS 6

GIT + gitolite installation
Prerequisites
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel gcc perl-ExtUtils-MakeMaker

GIT installation
cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.2.0.tar.gz
tar zxvf git-2.2.0.tar.gz
cd git-2.2.0

make prefix=/usr/local/git all
make prefix=/usr/local/git install
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bashrc
#SLES
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bash.bashrc

source /etc/bashrc
#SLES
source /etc/bash.bashrc

#.bash_profile
#export PATH=$PATH:/usr/local/git/bin

git --version

After this is done, you can also get Git via Git itself for updates:
cd /usr/src
git clone git://git.kernel.org/pub/scm/git/git.git
cd git

groupadd -g 54001 git
adduser -m --system -g git -d /opt/git -s /bin/bash git

ssh-keygen -t rsa
scp .ssh/id_rsa.pub root@192.168.1.84:/tmp/git-admin.pub

su - git
git clone git://github.com/sitaramc/gitolite

cd $HOME
mkdir -p bin
gitolite/install -to $HOME/bin

cd $HOME
$HOME/bin/gitolite setup -pk /tmp/git-admin.pub

Now go to your workstation and type in
git ls-remote git@server:gitolite-admin

This should return something like 
9dd8aab60bac5e54caf887a87b4f3d35c95b05e4    HEAD
9dd8aab60bac5e54caf887a87b4f3d35c95b05e4    refs/heads/master

GIT Configuration
Prevent git push --force
git config --system receive.denyNonFastForwards true
git config --system receive.denyDeletes true

cat /usr/local/git/etc/gitconfig
[receive]
       denyNonFastForwards = true
       denyDeletes = true

Administration from workstation
yum install git
mkdir /home/user/work/git
cd /home/user/work/git/
git clone git@srvgit01v:gitolite-admin
cd gitolite-admin/
vim conf/gitolite.conf

git config --global user.name "Git-Admin"
git config --global user.email "user@domain.com"

git add keydir conf
git commit -m 'added users, repos'
git push origin master

Clients access

To check the available repos, and your access to them, use the following:
ssh git@192.168.1.100 info
or
ssh git@srvgit01v.sub1.domain.com info

Clone down the repo using:
git clone git@192.168.1.100:repo
or
git clone git@srvgit01v.sub1.domain.com:repo

Mirroring gitolite servers
Gitolite: Add, Edit, or Delete Git Repository Name

Add or create repository
Add entry for new project or repository in your gitolite config (conf/gitolite.conf)
Commit and push your changes. This will create and initialize your new repo.

Rename a repository
Modify the name of repo in your gitolite config (conf/gitolite.conf)
Move or rename the actual directory (depending on where you install it, ex: /home/git/repositories) to match your changes in gitolite config.
Commit and push your changes.

Note: Obviously, this changes the remote url of your repo, so don’t forget to change your git remote url config in your project clones.

Delete a repository:
Open your gitolite config and remove the project from there. Commit and push your changes.
Then delete its git directory (ex: /home/git/repositories/projectname.git).
You can also remove users/keys that are no longer used.

Generate GIT 2.2 RPM
yum install -y rpm-build

mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

mkdir -p ~/src && cd ~/src
wget https://www.kernel.org/pub/software/scm/git/git-2.2.0.tar.gz
tar -xzvf git-2.2.0.tar.gz
mv git-2.2.0.tar.gz ~/rpmbuild/SOURCES

# Locate .spec file and build rpm
# If you get any errors during build, it is usually because of dependencies. Simply
# install the dependencies with `yum install [dependency]` and run rpmbuild again.

cd ~/src/git-2.2.0 && ls *.spec

rpmbuild -ba git.spec --define '_prefix /usr/local'

Find

%files -n perl-Git -f perl-files
%defattr(-,root,root)

and add
#for CentOS 6
%config(noreplace) /usr/local/git/share/perl5/vendor_perl/*

or

#for CentOS 5
%config(noreplace) /usr/local/lib/perl5/vendor_perl/5.8.8/*
%config(noreplace) /usr/local/share/man/man3/*

If error: File /usr/src/redhat/SOURCES/git-2.2.0.tar.gz: No such file or directory
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros

or
#for Centos 7
Find

%files -n perl-Git -f perl-files
%defattr(-,root,root)

and add

%config(noreplace) /usr/local/share/perl5/vendor_perl/*

Install GIT 2.2 RPM
#CentOS 5

Installation of RPMforge
RPMforge
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -i rpmforge-release-0.5.3-1.el5.rf.*.rpm
yum install perl-YAML

or
wget http://pkgs.repoforge.org/perl-YAML/perl-YAML-0.72-1.el5.rf.noarch.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
yum install perl-YAML-0.72-1.el5.rf.noarch.rpm

yum install git-2.2.0-1.x86_64.rpm git-cvs-2.2.0-1.x86_64.rpm gitk-2.2.0-1.x86_64.rpm perl-Git-2.2.0-1.x86_64.rpm git-email-2.2.0-1.x86_64.rpm git-svn-2.2.0-1.x86_64.rpm git-gui-2.2.0-1.x86_64.rpm gitweb-2.2.0-1.x86_64.rpm --nogpgcheck

#CentOS 6

yum install git-2.2.0-1.el6.x86_64.rpm gitk-2.2.0-1.el6.x86_64.rpm git-cvs-2.2.0-1.el6.x86_64.rpm git-svn-2.2.0-1.el6.x86_64.rpm git-email-2.2.0-1.el6.x86_64.rpm gitweb-2.2.0-1.el6.x86_64.rpm git-gui-2.2.0-1.el6.x86_64.rpm perl-Git-2.2.0-1.el6.x86_64.rpm

#CentOS 7

yum install git-2.2.0-1.el7.centos.x86_64.rpm git-svn-2.2.0-1.el7.centos.x86_64.rpm git-cvs-2.2.0-1.el7.centos.x86_64.rpm git-email-2.2.0-1.el7.centos.x86_64.rpm git-gui-2.2.0-1.el7.centos.x86_64.rpm gitk-2.2.0-1.el7.centos.x86_64.rpm gitweb-2.2.0-1.el7.centos.x86_64.rpm perl-Git-2.2.0-1.el7.centos.x86_64.rpm git-debuginfo-2.2.0-1.el7.centos.x86_64.rpm

Delete Git branch
ssh root@srvgit01v
cd /opt/git/repositories/repo1.git

git branch -D 4.1.0.6-rel

chown -R git:git /opt/git/repositories/repo1.git

Link:
http://www.tikalk.com/devops/backing-git-repos-git-bundle/
http://gitolite.com/gitolite/mirroring/#setting-up-mirroring

Syslog-ng on CentOS 6

Server side Syslog-ng installation

vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT

yum install epel-release
yum install syslog-ng syslog-ng-libdbi -y

vi /etc/syslog-ng/syslog-ng.conf

@version:3.2

options {
long_hostnames(off);
log_msg_size(8192);
flush_lines(1);
log_fifo_size(20480);
time_reopen(10);
# use_dns(yes);
use_dns(no);
# dns_cache(yes);
# use_fqdn(yes);
use_fqdn(no);
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg" program_override("kernel:"));
};
filter f_messages { level(info..emerg); };
filter f_secure   { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
filter f_local7   { facility(local7); };
destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure"); };
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_console  { usertty("root"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_bootlog  { file("/var/log/demsg"); };
log {source(s_local); filter(f_emerg);  destination(d_console); };
log {source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log {source(s_local); filter(f_mail);   destination(d_maillog); flags(final); };
log {source(s_local); filter(f_cron);   destination(d_cron); flags(final); };
log {source(s_local); filter(f_spooler); destination(d_spooler); };
log {source(s_local); filter(f_local7); destination(d_bootlog); };
log {source(s_local); filter(f_messages); destination(d_messages); };
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
destination r_console {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };

mkdir /var/log/syslog-ng
chkconfig rsyslog off
chkconfig --list rsyslog
chkconfig syslog-ng on
chkconfig --list syslog-ng
service rsyslog stop
service syslog-ng restart
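Added example, not from the original notes: once remote hosts ship their authpriv facility to the r_secure destination above, the per-host files under /var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure can be summarized with awk to spot password-guessing sources. The log lines and hostnames below are constructed; the directory layout follows the destination template.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize SSH authentication
# failures from the per-host "secure" files written by the r_secure
# destination. Sample log lines and hosts are constructed.

# failed_logins_by_source FILE...
# Prints "count source_ip" lines, most frequent first.
failed_logins_by_source() {
    # sshd lines look like:
    #   Mar  1 10:15:22 web01 sshd[2134]: Failed password for invalid user admin from 10.0.0.5 port 4444 ssh2
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
             count[src]++
         }
         END { for (s in count) print count[s], s }' "$@" | sort -rn
}

# sources_over_threshold N FILE...
# Prints the source IPs with more than N failures across the given files.
sources_over_threshold() {
    n="$1"; shift
    failed_logins_by_source "$@" | awk -v n="$n" '$1 > n { print $2 }'
}

# Constructed sample tree in the notes' layout: <date>/<host>/secure
LOGROOT=$(mktemp -d)
mkdir -p "$LOGROOT/20170301/web01" "$LOGROOT/20170301/db01"
cat > "$LOGROOT/20170301/web01/secure" <<'EOF'
Mar  1 10:15:22 web01 sshd[2134]: Failed password for invalid user admin from 10.0.0.5 port 4444 ssh2
Mar  1 10:15:25 web01 sshd[2134]: Failed password for invalid user admin from 10.0.0.5 port 4446 ssh2
Mar  1 10:15:29 web01 sshd[2140]: Failed password for root from 10.0.0.5 port 4450 ssh2
Mar  1 10:16:01 web01 sshd[2150]: Accepted publickey for deploy from 192.168.1.20 port 51022 ssh2
EOF
cat > "$LOGROOT/20170301/db01/secure" <<'EOF'
Mar  1 10:20:10 db01 sshd[880]: Failed password for postgres from 10.0.0.5 port 5010 ssh2
Mar  1 10:21:45 db01 sshd[884]: Failed password for invalid user test from 172.16.3.9 port 6001 ssh2
EOF

echo "failed SSH logins by source for 2017-03-01:"
failed_logins_by_source "$LOGROOT"/20170301/*/secure
```

Because every host's secure file lands under the same date directory, one glob covers the whole estate for a day; a source that fails against several hosts (10.0.0.5 in the sample) shows up at the top even if no single host saw many attempts.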

Client configuration

yum install epel-release -y
#CentOS6
yum install syslog-ng syslog-ng-libdbi -y
or
#CentOS5
yum install syslog-ng -y

echo 'destination srvmon01v { udp("192.168.1.60" port(514)); };' >> /etc/syslog-ng/syslog-ng.conf
echo 'log { source(s_sys); destination(srvmon01v); };' >> /etc/syslog-ng/syslog-ng.conf

#CentOS
chkconfig rsyslog off
chkconfig --list rsyslog
chkconfig syslog-ng on
chkconfig --list syslog-ng
service rsyslog stop
service syslog-ng restart

or
#SLES11
/etc/init.d/syslog restart

Nagios 4.x installation on CentOS 6

Installation and Configuration

yum install httpd php gcc glibc glibc-common gd gd-devel -y
useradd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

yum install -y rpm-build doxygen gperf bind-utils mysql-devel net-snmp-utils openssl-devel postgresql-devel samba-client

mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

mkdir -p ~/src && cd ~/src

wget http://sourceforge.net/projects/nagios/files/nagios-4.x/nagios-4.0.8/nagios-4.0.8.tar.gz
wget http://www.nagios-plugins.org/download/nagios-plugins-2.0.3.tar.gz
tar zxvf nagios-4.0.8.tar.gz
tar zxvf nagios-plugins-2.0.3.tar.gz

mv nagios-4.0.8.tar.gz ~/rpmbuild/SOURCES
mv nagios-plugins-2.0.3.tar.gz ~/rpmbuild/SOURCES/

cd ~/src/nagios-4.0.8 && ls *.spec

vi nagios.spec
#add
%define _libdir %{_exec_prefix}/lib

rpmbuild -ba nagios.spec

cd ~/src/nagios-plugins-2.0.3 && ls *.spec

vi nagios-plugins.spec
#comment out this line:
#%config(missingok,noreplace) %{_sysconfdir}/command.cfg

#and change
%doc ChangeLog command.cfg
#to
%doc ChangeLog

rpmbuild -ba nagios-plugins.spec

yum install -y nagios-4.0.8-2.el6.x86_64.rpm nagios-contrib-4.0.8-2.el6.x86_64.rpm nagios-devel-4.0.8-2.el6.x86_64.rpm nagios-plugins-2.0.3-1.x86_64.rpm

vi /etc/nagios/objects/contacts.cfg

mail user@domain.com;

vi /etc/httpd/conf.d/nagios.conf

#Order allow,deny
#Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24 192.168.2.0/24

htpasswd -s -c /etc/nagios/htpasswd.users nagiosadmin

service httpd start
service nagios start
chkconfig httpd on
chkconfig nagios on

/usr/bin/nagios -v /etc/nagios/nagios.cfg

yum install policycoreutils-python

If SELinux is enforcing then add this line.
semanage fcontext -a -t httpd_sys_content_t /usr/share/nagios/

yum install mod_ssl

service httpd restart

vi /etc/nagios/nagios.cfg
cfg_dir=/etc/nagios/servers

NRPE Server installation/configuration

yum install nagios-plugins-nrpe -y

ln -s /usr/lib64/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe

vi /etc/nagios/objects/commands.cfg
define command{
command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H '$HOSTADDRESS$' -c '$ARG1$'
}

NRPE Client installation/configuration

#nrpe is a part of EPEL repo
yum install nrpe openssl -y
yum install nagios-plugins-2.0.3-1.x86_64.rpm -y

vi /etc/nagios/nrpe.cfg
#nagios server
allowed_hosts=127.0.0.1,192.168.1.60

service nrpe restart
chkconfig nrpe on

NRPE Server/Client configuration for PostgreSQL monitoring

server:
vi /etc/nagios/servers/dev-servers-services.cfg
define service {
use generic-service
host_name srvwiki01v
service_description Mediawiki PostgreSQLD Connection
check_command check_nrpe!check_pgsql
}

client:
vi /etc/nagios/nrpe.cfg
command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H 192.168.1.62 -l nagios

service nrpe restart

Testing from server:
/usr/lib/nagios/plugins/check_nrpe -H 192.168.1.62 -c check_pgsql
CRITICAL - no connection to 'wikidb' (FATAL: no pg_hba.conf entry for host "192.168.1.62", user "nagios", database "wikidb", SSL off). *
* or the default DB, "template1"

Let’s configure ACL:
vi /var/lib/pgsql/data/pg_hba.conf
host template1 nagios 192.168.1.62/32 trust

Create nagios user in postgresql:

su postgres -c bash
$ createuser
Enter name of role to add: nagios
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ exit

Testing connection from nagios server:

[root@srvmon01v ~]# /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.62 -c check_pgsql
OK - database wikidb (0.003504 sec.)|time=0.003504s;2.000000;8.000000;0.000000
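Added example, not from the original notes: the `host template1 nagios 192.168.1.62/32 trust` line above lets anyone who can reach the socket from that address log in as nagios with no password. This POSIX sh helper lists the trust entries in a pg_hba.conf, counts the ones reachable over the network, and rewrites such a line to md5 (check_pgsql then needs the role's password, passed with its -p option). The pg_hba.conf content is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit pg_hba.conf for
# password-less (trust) entries. Columns are TYPE DATABASE USER [ADDRESS] METHOD;
# local lines have no ADDRESS column. The sample file is constructed.

# trust_entries FILE
# Prints every non-comment entry whose METHOD is trust as
# "TYPE DATABASE USER ADDRESS" (ADDRESS is "-" for local); returns 1 if none.
trust_entries() {
    awk '!/^[[:space:]]*#/ && NF > 0 {
             if ($1 == "local") { method = $4; addr = "-" }
             else                { method = $5; addr = $4 }
             if (method == "trust") print $1, $2, $3, addr
         }' "$1" | grep .
}

# remote_trust_count FILE
# Number of trust entries that are not purely local (unix socket or loopback).
remote_trust_count() {
    trust_entries "$1" | awk '$1 != "local" && $4 != "127.0.0.1/32" && $4 != "::1/128" { n++ }
                              END { print n + 0 }'
}

# harden_line ENTRY -> the same entry with md5 in place of trust
harden_line() {
    printf '%s\n' "$1" | sed 's/[[:space:]]trust[[:space:]]*$/ md5/'
}

# Constructed sample mirroring the entries used in these notes.
HBA=$(mktemp)
cat > "$HBA" <<'EOF'
# TYPE  DATABASE   USER     ADDRESS           METHOD
local   all        postgres                   trust
local   all        all                        md5
host    all        all      127.0.0.1/32      md5
host    template1  nagios   192.168.1.62/32   trust
host    wikidb     wiki     192.168.1.0/24    md5
EOF

echo "trust entries:"
trust_entries "$HBA"
echo "reachable over the network: $(remote_trust_count "$HBA")"
```

The local trust line for postgres is the usual bootstrap convenience; the network-reachable one is the finding. After switching it to md5, set a password on the nagios role (`ALTER ROLE nagios PASSWORD '...'`) and reload PostgreSQL.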

SNMP Client configuration

CentOS6
yum install -y net-snmp

or

CentOS5
yum install -y net-snmp net-snmp-utils net-snmp-devel

or

SLES11
zypper install net-snmp

service snmpd stop

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf_bak

#Creating snmpv3 user
CentOS6
net-snmp-create-v3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user

or

CentOS5
net-snmp-config --create-snmpv3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user

chkconfig snmpd on
service snmpd start

snmpwalk -u snmpv3user -A snmpv3authPass -a SHA -X snmpv3encPass -x AES -l authPriv 127.0.0.1 -v3

#Ubuntu 9
rm -f /usr/share/snmp/snmp.conf /var/lib/snmp/snmpd.conf
net-snmp-config --create-snmpv3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user
/etc/init.d/snmpd start

vi /etc/sysconfig/iptables
CentOS6
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.60 --dport 161 -j ACCEPT

or

CentOS5
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 192.168.1.60 --dport 161 -j ACCEPT

service iptables restart

Mediawiki installation on CentOS 6

Embedded DB wiki backup (sqlite)
cd /var/www/html/wiki/
php maintenance/sqlite.php --backup-to /home/user/wikisqlitedb-2017_01_27.backup

cd /var/www/html/
tar zcvfh wikidata2017_01_27.tar.gz wiki

cd /var/www/html/wiki
php maintenance/dumpBackup.php --full > dump-2017_01_27.xml

Mediawiki installation and configuration
Be careful: you have to create the main page yourself (there is no way to import the main page with the XML import feature). Copy the main page source from the old MediaWiki server!

yum install httpd php php-gd php-xml postgresql postgresql-server php-pgsql

chkconfig --level 345 postgresql on
chkconfig --level 345 httpd on

service postgresql initdb

vi /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
port = 5432

cat << _EOT >> /var/lib/pgsql/data/pg_hba.conf
local all postgres trust
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
_EOT

service postgresql start

su - postgres

psql -c "alter user postgres with password 'password'"

semanage boolean -m --on httpd_can_network_connect_db

vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

service httpd restart

wget http://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz
tar zxvf mediawiki-1.24.1.tar.gz

vi /etc/httpd/conf.d/mediawiki.conf

### MediaWiki Configuration
Alias /wiki /var/www/html/wiki
<Directory /var/www/html/wiki>
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  # Uncomment this if you have no restrictions
  Allow from all
  # For restrictive networks, consider using the
  # below and tailoring it to your likings
  #Allow from 127.0.0.1
  #Allow from 192.168.0.

  RewriteEngine On
  # so skins, images and extensions work
  RewriteRule ^(images|skins|extensions)/ - [L]

  # Forces specified index page to go ahead and load
  RewriteRule ^(load|index).php - [L]
  # The following makes it so if our configuration file isn't
  # present we will always catch this rewrite rule (allowing the
  # user to set up mediawiki)
  RewriteCond /usr/share/mediawiki/LocalSettings.php !-f
  RewriteRule ^(.+)  -  [PT]
  # Path Formatting
  RewriteRule ^/*$ /wiki/index.php?title=Main_Page [L,QSA]
  RewriteRule ^/*(.+)$ /wiki/index.php?title=$1 [PT,L,QSA]
  ## Support colon (:)
  RewriteRule ^/(.*:.*)$  /wiki/index.php?title=$1 [L]
</Directory>

<Directory "/var/www/html/wiki/images">
  # Ignore .htaccess files
  AllowOverride None

  # Serve HTML as plaintext, don't execute SHTML
  AddType text/plain .html .htm .shtml .php
  # Don't run arbitrary PHP code.
  php_admin_flag engine off

  RewriteEngine On
  RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22|%]+(#|\?|$) [nocase]
  RewriteRule . - [forbidden]
  # If you've other scripting languages, disable them too.
</Directory>

Go to http://Wiki_IP/wiki to configure the wiki and generate LocalSettings.php, then copy LocalSettings.php into the wiki directory.

Import content from old wiki
cd /var/www/html/wiki/
php maintenance/importDump.php < dumpfile.xml

Mediawiki AD integration
Go to http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication
https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_24-24a399e.tar.gz
tar -xzf LdapAuthentication-REL1_24-24a399e.tar.gz -C /var/www/html/wiki/extensions

yum install php-ldap

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "SUB1" );
$wgLDAPServerNames = array( "SUB1" => "dc01.sub1.domain.com" );
$wgLDAPSearchStrings = array( "SUB1" => "USER-NAME@SUB1" );
$wgLDAPEncryptionType = array( "SUB1" => "clear" );
$wgLDAPBaseDNs = array( "SUB1" => "dc=sub1,dc=domain,dc=com" );
$wgLDAPSearchAttributes = array( "SUB1" => "sAMAccountName" );
$wgLDAPProxyAgent = array("SUB1" => "CN=wikiop,OU=Other,OU=Users,OU=Administrative,DC=sub1,DC=domain,DC=com");
$wgLDAPProxyAgentPassword = array("SUB1" => "password");
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgLDAPBaseDNs = array( "SUB1" => "dc=sub1,dc=domain,dc=com" );
$wgLDAPRetrievePrefs = array( "SUB1" => "true" );

php maintenance/update.php

PostgreSQL DB backup
pg_dump wikidb > wikidbdump2017_01_28.sql
pg_dumpall --globals > postgres_globals2017_01_28.sql

PowerBroker Identity Services Open

Download link: https://github.com/BeyondTrust/pbis-open/releases

PBIS AD membership, basic setup for Linux (RPM)

#UnattendedMode
./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install

/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname

cat <<EOT > /etc/pbis.conf
rem AD domain: YOUR
AssumeDefaultDomain true
HomeDirTemplate "%H/%D/%U"
LoginShellTemplate "/bin/bash"
RemoteHomeDirTemplate ""
CacheEntryExpiry "00000060"
EOT

/opt/pbis/bin/config --file /etc/pbis.conf

/opt/pbis/bin/update-dns

Login/Server Access Rights

In the /etc/pbis.conf file, before HomeDirTemplate, add or modify a line beginning with RequireMembershipOf. RequireMembershipOf takes a list of AD groups; to log in to the system a user must belong to at least one of the listed groups, e.g.:
RequireMembershipOf "your\\group1" "your\\group2"

To apply a new configuration, you need to run /opt/pbis/bin/config --file /etc/pbis.conf manually.

SUDO Rights

Use the visudo command and add the name of the AD group, prefixed with %, using standard sudoers syntax, e.g.:
%group1 ALL=(ALL) ALL

PBIS Utilities

A number of useful scripts are available in the /opt/pbis/bin directory. Most of them are self-documenting and support, e.g., the --help argument.
/opt/pbis/bin/get-status ; show AD connection/status information
/opt/pbis/bin/find-user-by-name ; look up an AD user by name
/opt/pbis/bin/find-group-by-name ; look up an AD group by name
/opt/pbis/bin/list-groups-for-user [--level=2] ; show group membership for a user

There are lots of useful scripts in this directory, it’s worth exploring.

Delegate rights using Active Directory Users and Computers for PBIS computer join user

This process allows a specific user/group to manage a group, or a section of the AD tree.
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the container under which you want the computers added, and press Delegate Control.
3. Press Next.
4. Press Add.
5. After adding all the users and/or groups, press Next.
6. Select Create custom task to delegate and press Next.
7. Select Only the following objects in the folder, check Computer objects, check the "Create selected objects in this folder" and "Delete selected objects in this folder" boxes, and press Next.
8. Check the "Create all child objects" and "Delete all child objects" boxes and press Next.
9. Press Finish.

ISSUES

If pbis just stopped working and you get “Error: ERROR_FILE_NOT_FOUND code 0x00000002” after “service lwsmd restart”, remove it completely:
/opt/pbis/bin/domainjoin-cli leave
/opt/pbis/bin/uninstall.sh uninstall

and reinstall/reconfigure

./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname

Cobbler and kickstart on CentOS 6 linux

Prerequisites
vi /etc/sysconfig/selinux
SELINUX=disabled

or
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Turn off the iptables.
service iptables stop
chkconfig iptables off

Or Allow the following ports, if you want it enabled.
vi /etc/sysconfig/iptables

#Allow the http ports (80/443), Cobbler's TFTP port 69 (UDP) and 25151.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25151 -j ACCEPT

Installation

Cobbler is not available on CentOS default repositories, so let us add EPEL repository first, and install Cobbler.
yum install epel-release

Now, install cobbler, cobbler web interface ,and its dependencies as shown below.
yum -y install cobbler cobbler-web dhcp pykickstart system-config-kickstart mod_python tftp wget cman

Enable TFTP and rsync

vi /etc/xinetd.d/tftp #change disable = yes to disable = no

vi /etc/xinetd.d/rsync #change disable = yes to disable = no

Restart xinetd so the changes take effect.
/etc/init.d/xinetd restart

Start xinetd on boot
/sbin/chkconfig xinetd on

Start the cobbler services: now let's start the Apache web server (httpd) and cobbler itself. Apache is required by cobbler to serve the OS images.
/etc/init.d/httpd start
/etc/init.d/cobblerd start
/sbin/chkconfig httpd on
/sbin/chkconfig cobblerd on

Configure Cobbler

Generate a password hash
openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'

I get the hash below for the password motorrobot (the salt is the middle field of the hash):
openssl passwd -1 -salt centosho motorrobot
$1$centosho$06Gedn1z8BjSu2ZbV4fS.0

vi /etc/cobbler/settings
Change: next_server: 127.0.0.1 to next_server: 192.168.1.64
Change: server: 127.0.0.1 to server: 192.168.1.64
Change: default_password_crypted: "$1$mF86/UHC$WvcEcX3s9crCz2inWryabc." to the hash generated above: default_password_crypted: "$1$centosho$06Gedn1z8BjSu2ZbV4fS.0"
Change: manage_dhcp: 0 to manage_dhcp: 1

or, with sed (the first pattern matches both server: and next_server:):
sed -i 's/server: 127\.0\.0\.1/server: 192.168.1.64/g' /etc/cobbler/settings
sed -i 's|^default_password_crypted: .*|default_password_crypted: "$1$centosho$06Gedn1z8BjSu2ZbV4fS.0"|' /etc/cobbler/settings
sed -i 's/manage_dhcp: 0/manage_dhcp: 1/g' /etc/cobbler/settings

Now, edit file /etc/cobbler/dhcp.template,

vi /etc/cobbler/dhcp.template
ddns-update-style interim;

allow booting;
allow bootp;

ignore client-updates;
set vendorclass = option vendor-class-identifier;

option pxe-system-type code 93 = unsigned integer 16;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers             192.168.1.99;
    option domain-name-servers 192.168.2.31,192.168.2.32;
    option subnet-mask         255.255.255.0;
    range dynamic-bootp        192.168.1.150 192.168.1.250;
    default-lease-time         21600;
    max-lease-time             43200;
    next-server                $next_server;
    class "pxeclients" {
         match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
         if option pxe-system-type = 00:02 {
                 filename "ia64/elilo.efi";
         } else if option pxe-system-type = 00:06 {
                 filename "grub/grub-x86.efi";
         } else if option pxe-system-type = 00:07 {
                 filename "grub/grub-x86_64.efi";
         } else {
                 filename "pxelinux.0";
         }
    }
}

Next, we should enable Cobbler’s web interface, and set username and password for Cobbler’s web interface.

To enable, Cobbler’s web interface, edit file /etc/cobbler/modules.conf,

vi /etc/cobbler/modules.conf
[authentication]
module = authn_configfile

[authorization]
module = authz_allowall

Next, we have to set up the username and password for the cobbler web interface. To do that, run the following command and enter your preferred password twice.
htdigest /etc/cobbler/users.digest "Cobbler" cobbler

Download the required network boot loaders using the following command.
cobbler get-loaders

cobbler check
/etc/init.d/cobblerd restart
cobbler sync

Importing multiple CentOS Linux DVDs into Cobbler

Linux distributions are getting larger and larger; CentOS 6.0 64-bit won’t fit on a single DVD anymore. A Cobbler-based provisioning server will normally import only one DVD. So, how do you get around this?
Import the first DVD as usual
Manually add content from the second DVD

Import the first DVD (ISO image):
mkdir /mnt/dvd1; mount -o ro,loop /tmp/CentOS-6.6-x86_64-bin-DVD1.iso /mnt/dvd1

DISTRO=centos66
cobbler import --name=${DISTRO} --arch=x86_64 --path=/mnt/dvd1

Watch Cobbler's output closely: it basically shows you the commands you need to import the second DVD.

Import the second DVD (ISO image):
mkdir /mnt/dvd2; mount -o ro,loop /tmp/CentOS-6.6-x86_64-bin-DVD2.iso /mnt/dvd2

rsync -a '/mnt/dvd2/' /var/www/cobbler/ks_mirror/${DISTRO} --exclude-from=/etc/cobbler/rsync.exclude --progress
COMPSXML=$(ls /var/www/cobbler/ks_mirror/${DISTRO}/repodata/*comps*.xml)
createrepo -c cache -s sha --update --groupfile ${COMPSXML} /var/www/cobbler/ks_mirror/${DISTRO}
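The rsync/createrepo step above happily merges any tree you point it at, so an added safety check is worth having: the two DVDs of one CentOS release share the build timestamp and architecture recorded in their .discinfo files, and a tree that does not match should not be merged into the ks_mirror directory. The script below is an added example, not part of the original notes or of Cobbler; the mirror and DVD paths are hypothetical arguments, and the repodata rebuild is kept separate so the merge can be exercised on a throw-away tree.

```shell
#!/bin/sh
# Added example, not part of the original notes: refuse to merge a second
# CentOS DVD tree into the ks_mirror copy unless both come from the same build,
# then merge it and (separately) rebuild the repodata.

# .discinfo on a CentOS install DVD holds the build timestamp on line 1 and
# the architecture on line 3; both discs of one release share them.
same_build() {
    [ -f "$1/.discinfo" ] && [ -f "$2/.discinfo" ] || return 1
    [ "$(sed -n 1p "$1/.discinfo")" = "$(sed -n 1p "$2/.discinfo")" ] &&
    [ "$(sed -n 3p "$1/.discinfo")" = "$(sed -n 3p "$2/.discinfo")" ]
}

# Merge $1 (mounted DVD) into $2 (the tree created by "cobbler import").
# RSYNC_EXCLUDE may point at /etc/cobbler/rsync.exclude as in the notes.
merge_dvd() {
    src="$1"; mirror="$2"
    same_build "$mirror" "$src" || {
        echo "refusing: $src is not the same build as $mirror" >&2
        return 1
    }
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$mirror/" ${RSYNC_EXCLUDE:+--exclude-from="$RSYNC_EXCLUDE"}
    else
        cp -R "$src/." "$mirror/"   # fallback for hosts without rsync
    fi
}

# Regenerate the metadata the way the notes do, reusing the comps group file
# that came with DVD1 so package groups survive the merge.
rebuild_repodata() {
    mirror="$1"
    comps=$(ls "$mirror"/repodata/*comps*.xml 2>/dev/null | head -n 1)
    createrepo -c cache -s sha --update ${comps:+--groupfile "$comps"} "$mirror"
}

# Number of RPM files in a tree; compare before and after to confirm DVD2's
# packages actually landed in the mirror.
count_rpms() {
    find "$1" -type f -name '*.rpm' | wc -l | tr -d ' '
}
```

Usage on a real host is `merge_dvd /mnt/dvd2 /var/www/cobbler/ks_mirror/centos66-x86_64 && rebuild_repodata /var/www/cobbler/ks_mirror/centos66-x86_64`, followed by `cobbler sync`.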

Adding Kickstart file to Cobbler server

vi /var/lib/cobbler/kickstarts/centos65test.ks

url --url http://192.168.1.80/cobbler/ks_mirror/centos66-x86_64/

And then, add the kickstart file(centos65test.ks) to the pxe server.
cobbler profile add --name=CentOS_6.5_KS --distro=CentOS_6.5 --kickstart=/var/lib/cobbler/kickstarts/centos65test.ks

Restart cobblerd once again and run "cobbler sync" to apply the changes.
service cobblerd restart
cobbler sync

Local repo on cobbler server

vi /etc/yum.repos.d/centos-6.6-local.repo
[Centos-6.6-local]
name=CentOS 6.6 local repository
baseurl=http://192.168.1.80/cobbler/ks_mirror/centos66-x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1

CentOS DVD local repo creation

yum install createrepo

mkdir /mnt/dvd1 && mkdir /mnt/dvd2 && mkdir /opt/repo && mkdir /opt/iso
mount -o loop /opt/iso/CentOS-6.6-x86_64-bin-DVD1.iso /mnt/dvd1/ && mount -o loop /opt/iso/CentOS-6.6-x86_64-bin-DVD2.iso /mnt/dvd2/

rsync -arv /mnt/dvd1/ /opt/repo/
rsync -arv /mnt/dvd2/ /opt/repo/

createrepo -c cache -s sha --update --groupfile `ls /opt/repo/repodata/*comps*.xml` /opt/repo

cat <<EOT > /etc/yum.repos.d/local.repo
[local-repo]
name=CentOS 6.6 local repository
baseurl=file:///opt/repo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
EOT

Juniper Pulse VPN client for linux

yum install glibc.i686 zlib.i686 nss-mdns.i686

Get the realm name (the welcome page carries it in a hidden <input name="realm"> field):
wget -q --no-check-certificate -O - 'https://some.site.com/dana-na/auth/url_0/welcome.cgi' | sed -n 's/.*\(<input[^>]*name="realm" [^>]*\)>.*/\1/p' | sed -n 's/.* value="\([^"]*\)".*/\1/p'

--no-check-certificate turns off TLS certificate verification. Drop it once the gateway's certificate chain is trusted by the system store; otherwise anything that answers on that name can hand you a fake login page, and the same goes for the client jar downloaded in the next step.

wget https://some.site.com/dana-cached/nc/ncLinuxApp.jar
unzip ncLinuxApp.jar

# ncsvc needs root to create the tunnel interface; mode 6711 makes it setuid root,
# so only do this with a jar fetched from your own gateway over verified TLS
sudo chown root:root ncsvc
sudo chmod 6711 ncsvc
chmod 744 ncdiag
chmod +x getx509certificate.sh

./getx509certificate.sh some.site.com company.cert

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert -U 'https://some.site.com/dana-na/auth/url_default/welcome.cgi'

A password given with -p ends up in the shell history and is visible to other users of the host in ps output.
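The realm lookup above depends on the exact attribute order inside the input tag and on the page being a single line. The functions below are an added example, not part of the original notes or of the Juniper client: they read the page from stdin, tolerate a tag split across lines or with value before name, and the fetch helper leaves certificate verification on so a gateway with an untrusted chain fails loudly instead of being trusted silently. The gateway name is a placeholder argument.

```shell
#!/bin/sh
# Added example, not part of the original notes: robust realm extraction from
# the Pulse/Network Connect welcome page, with TLS verification kept on.

# Read HTML on stdin and print the value attribute of the <input name="realm">
# tag. Newlines are removed first so a tag split across lines still matches,
# and the attribute order inside the tag does not matter.
extract_realm() {
    tr -d '\r\n' |
    sed -n 's/.*\(<input[^>]*name="realm"[^>]*\)>.*/\1/p' |
    sed -n 's/.*value="\([^"]*\)".*/\1/p'
}

# Fetch the welcome page of the gateway given as $1 and print its realm.
# No --no-check-certificate: wget exits non-zero on a certificate the system
# trust store rejects, so nothing downstream runs against an impostor.
fetch_realm() {
    wget -q -O - "https://$1/dana-na/auth/url_0/welcome.cgi" | extract_realm
}
```

Run it as `fetch_realm some.site.com`; an empty result means the page had no realm field (for instance a login page that already redirected somewhere else), not that the realm is empty.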

For a realm that uses RADIUS as the second factor, use openconnect instead:
dnf install openconnect NetworkManager-openconnect NetworkManager-openconnect-gnome

GNOME NetworkManager:
Add VPN -> Cisco AnyConnect Compatible VPN (openconnect)

In “Identity General” tab:
VPN Protocol “Juniper/Pulse Network Connect”
Gateway pulse.domain.com/name
In “IPV4” tab:
“Use this connection only for resources on its network”

After the new VPN connection is created you need to switch it on. A "Connect to VPN X" window labelled "frmLogin" prompts for login and password. Click "Login", and a second window labelled "frmDefender" asks for a "password", which is actually the OTP; take the current code from your pre-configured OTP app (Google Authenticator, SecureAuth, etc.). Click "Login" after entering it and you should be all set.

Links:
https://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux

Netapp. Opening the export policy of the SVM root volume

You must add a rule to the default export policy to allow all clients access through NFSv3. Without such a rule, all NFS clients are denied access to the Storage Virtual Machine (SVM) and its volumes. The rule only grants read-only access to the SVM root volume, which clients need in order to traverse the namespace to the junction paths of the data volumes; the data volumes keep their own export policies.

Steps

  1. In the navigation pane, select the SVM and click Policies > Export Policies.
  2. Select the export policy named default, which is applied to the SVM root volume.
  3. In the lower pane, click Add.
  4. In the Create Export Rule dialog box, create a rule that grants all NFS clients read-only access:
    1. In the Client Specification field, enter 0.0.0.0/0 so that the rule applies to all clients.
    2. Retain the default value as 1 for the rule index.
    3. Select NFSv3.
    4. Clear all the check boxes except the UNIX check box under Read-Only.
    5. Click OK.

Links:
https://library.netapp.com/ecmdocs/ECMP1547459/html/GUID-FC041987-F793-427E-BB00-19D3DB1F30DA.html
https://library.netapp.com/ecmdocs/ECMP12517204/html/GUID-44DFBDC9-03DD-4046-A9B8-4857858AB9C1.html
https://kb.netapp.com/support/s/article/ka21A0000000Z9uQAE/how-do-export-policies-work-in-clustered-data-ontap?language=en_US
https://library.netapp.com/ecmdocs/ECMP1366835/html/GUID-EB3438EC-21B1-401F-8190-D509E67D8E90.html

KVM. Configure Mirrored Port’s Traffic to Be Visible in Guest

cat /etc/sysconfig/network-scripts/ifcfg-eth3
DEVICE=eth3
HWADDR=64:31:50:4B:52:4E
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
BRIDGE=br2

cat /etc/sysconfig/network-scripts/ifcfg-br2
DEVICE=br2
ONBOOT=yes
TYPE=Bridge
NM_CONTROLLED=no
BOOTPROTO=none

cat /etc/rc.local
#add it to your /etc/rc.local file:
for task in /etc/rc.local.d/*
do
# skip the literal glob when the directory is empty
[ -r "$task" ] || continue
# Source the post-boot script
. "$task"
done

cat /etc/rc.local.d/kvm
# ageing time 0 stops the bridge from learning MAC addresses, so it floods
# every frame to all ports (hub behaviour) and the guest's tap sees the
# mirrored traffic instead of only frames addressed to it
brctl setageing br2 0
# no forward delay, so the port passes traffic as soon as it comes up
brctl setfd br2 0
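Because the two brctl settings are applied from rc.local rather than from the ifcfg files, they are the first thing to silently disappear after a reboot or a NetworkManager change, and the IDS guest then just sees nothing. The script below is an added example, not part of the original notes: it applies the hub-mode settings (via ip(8) where the installed iproute2 supports bridge options, falling back to brctl) and verifies from sysfs that the bridge is not learning and that the mirror NIC is promiscuous. SYSFS is only overridable so the checks can be run against a fake tree; the interface names are the ones from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply and verify the hub-mode
# bridge settings needed for a guest to see traffic from a mirrored port.
SYSFS=${SYSFS:-/sys}

# Apply the settings the notes put in /etc/rc.local.d/kvm (needs root).
hub_mode() {
    br="$1"
    ip link set dev "$br" type bridge ageing_time 0 forward_delay 0 2>/dev/null ||
    { brctl setageing "$br" 0 && brctl setfd "$br" 0; }
}

# A bridge with ageing time 0 never learns MAC addresses and therefore floods
# every frame to all ports, which is what lets the guest tap see the mirror.
bridge_is_hub() {
    f="$SYSFS/class/net/$1/bridge/ageing_time"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# IFF_PROMISC is bit 0x100 of the interface flags exposed in sysfs; the
# mirror-port NIC must be promiscuous or frames not addressed to it are dropped
# before they ever reach the bridge.
is_promisc() {
    f="$SYSFS/class/net/$1/flags"
    [ -r "$f" ] || return 1
    flags=$(printf '%d' "$(cat "$f")")   # sysfs prints the value as hex
    [ $(( flags & 256 )) -ne 0 ]
}

# One-shot check for a bridge and its physical port, e.g. check_mirror br2 eth3
check_mirror() {
    bridge_is_hub "$1" && is_promisc "$2"
}
```

Run `check_mirror br2 eth3 || hub_mode br2` from cron or a monitoring hook to re-apply the settings when they have been lost.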

Links:
http://www.ryanhallman.com/kvm-configure-mirrored-ports-traffic-to-be-visible-in-guest-snort/
https://serverfault.com/questions/798001/kvm-bridge-for-promisc-interface-ids
http://linux-blog.anracom.com/2016/01/14/vmware-ws-bridging-of-linux-bridges-and-security-implications/
https://wiki.linuxfoundation.org/networking/bridge#Showing_devices_in_a_bridge
https://wiki.libvirt.org/page/Networking