Author: Joe

RHEL7 Software Collections – Migrate from PHP 7.1.X to 7.2.X

We needed to migrate our Drupal servers to a newer version of PHP. Red Hat Software Collections (SCL) is a little odd, but it provides newer software and lets administrators run multiple versions of PHP side by side.

Software Collections is replaced by Application Streams in RHEL 8. I basically wanted to quickly document the commands. If you are following this, please make sure you understand what each command does before running it in production.

sudo yum install rh-php72-runtime rh-php72-php-cli rh-php72-php-pear rh-php72 rh-php72-php-fpm rh-php72-php-zip rh-php72-php-process rh-php72-php-gd rh-php72-php-mbstring rh-php72-php rh-php72-php-common rh-php72-php-pdo rh-php72-php-devel rh-php72-php-ldap rh-php72-php-json rh-php72-php-xml rh-php72-php-mysqlnd

sudo sed -i 's/rh-php71/rh-php72/g' /etc/profile.d/enablephp7.sh

cat /etc/profile.d/enablephp7.sh

#!/bin/bash
source scl_source enable rh-php72

If /usr/bin/php is already a symlink to the 7.1 binary, a plain ln -s fails with "File exists"; -sfn replaces the link in place.

sudo ln -sfn /opt/rh/rh-php72/root/usr/bin/php /usr/bin/php

We double the memory limit. Anchor the pattern to the directive; a bare s/128M/256M/g would also rewrite any other setting in php.ini that happens to be 128M.

sudo sed -i 's/^memory_limit = 128M/memory_limit = 256M/' /etc/opt/rh/rh-php72/php.ini

The oci8 extension has to be built against the SCL PHP, so run pecl through scl enable: sudo resets PATH, so a bare sudo pecl would pick up the base-system pecl (if any) and build against the wrong PHP. The build also needs rh-php72-php-devel (installed above) and the Oracle Instant Client with its SDK headers on the box.

sudo scl enable rh-php72 'pecl install oci8'

echo 'extension=oci8.so' | sudo tee -a /etc/opt/rh/rh-php72/php.d/oci8.ini

We also wanted to remove an old New Relic agent that was used for monitoring.

sudo rpm -qa | grep newrelic | xargs sudo yum remove -y

sudo rpm -qa | grep php71 | xargs sudo yum remove -y

Finishing up and making sure everything looks good. If PHP is served through php-fpm rather than mod_php, switch the FPM service as well (enable and start rh-php72-php-fpm, stop rh-php71-php-fpm) before restarting httpd.

sudo systemctl restart httpd24-httpd

sudo systemctl status httpd24-httpd
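
As an added example (not from the original post), the memory-limit edit and the post-migration check as shell functions: set_ini_value changes one directive instead of every 128M in the file, and verify confirms that the php on PATH is 7.2, oci8 is loaded, the SCL php.ini is the one actually being read, and no rh-php71 packages remain. Paths are the rh-php72 defaults used above; the sample php.ini content in demo is constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original post: change one php.ini directive and verify
# the switch, instead of the blanket sed -i 's/128M/256M/g', which also rewrites any
# other directive whose value happens to be 128M. Paths are the rh-php72 defaults
# from the post; the sample ini content in demo() is constructed.
set -eu

PHP_INI=${PHP_INI:-/etc/opt/rh/rh-php72/php.ini}

# set_ini_value FILE KEY VALUE: rewrite the uncommented "KEY = ..." line (a leading ';'
# marks a commented-out default and is left alone); append the directive if absent.
# Values containing '&' or '|' would need escaping for sed.
set_ini_value() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^${key}[[:space:]]*=" "$file"; then
    sed -E "s|^(${key}[[:space:]]*=[[:space:]]*).*|\1${value}|" "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keep the original inode/mode
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_ini_value FILE KEY: print the effective (uncommented) value of KEY
get_ini_value() {
  sed -nE "s|^${2}[[:space:]]*=[[:space:]]*||p" "$1" | head -n1
}

# version_matches BANNER MAJOR.MINOR: 0 if the first line of "php -v" reports that
# release, i.e. the symlink / scl_source change really put 7.2 on PATH
version_matches() {
  case $1 in
    "PHP $2."*) return 0 ;;
    *) return 1 ;;
  esac
}

# demo: constructed php.ini showing why the anchored substitution matters
demo() {
  local ini
  ini=$(mktemp)
  cat > "$ini" <<'EOF'
; constructed sample, not the real php.ini
memory_limit = 128M
post_max_size = 128M
;memory_limit = 64M
EOF
  set_ini_value "$ini" memory_limit 256M
  printf 'memory_limit=%s post_max_size=%s\n' \
    "$(get_ini_value "$ini" memory_limit)" "$(get_ini_value "$ini" post_max_size)"
  rm -f "$ini"
}

# verify: live checks after the migration (needs the rh-php72 packages installed)
verify() {
  version_matches "$(php -v | head -n1)" 7.2 || { echo "php on PATH is not 7.2" >&2; return 1; }
  php -r 'exit(extension_loaded("oci8") ? 0 : 1);' || { echo "oci8 not loaded" >&2; return 1; }
  [ "$(php -r 'echo ini_get("memory_limit");')" = "$(get_ini_value "$PHP_INI" memory_limit)" ] \
    || { echo "php is not reading $PHP_INI" >&2; return 1; }
  ! rpm -qa | grep -q '^rh-php71' || { echo "rh-php71 packages still installed" >&2; return 1; }
}

case "${1:-}" in
  --demo) demo ;;
  --verify) verify ;;
esac
```

Run it with --demo to see the anchored edit leave post_max_size alone, and with --verify on the migrated host (after a fresh login so enablephp7.sh has been sourced) to get a non-zero exit if any of the four conditions fails.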

FreeRADIUS Post Authentication

I recently performed a migration from NPS on Windows Server 2008 to Red Hat Linux running FreeRADIUS. We mostly use this for Cisco device authentication, but it could easily be extended to WiFi or other application needs.

LDAP authentication against Active Directory is pretty well documented so I won’t go into that unless there is an interest. However, I did want to talk about post-auth.

I found a basic example at Flaz.net where the author uses LDAP groups to set the cisco-avpair reply attribute. I personally had trouble finding good documentation on more advanced post-auth options.

The example below shows some of the more advanced options I was able to come up with after a bit of trial and error.

post-auth {
### Cisco Auth ###
  if (client-shortname == "office" && User-Name == "bliss") {
    update reply {
      cisco-avpair = "clientusername-test"
    }
  }
  elsif (client-shortname == "office") {
    update reply {
      cisco-avpair = "client-test"
    }
  }
  elsif (User-Name == "bliss") {
    update reply {
      cisco-avpair = "username-test"
    }
  }
  elsif (LDAP-Group == "admins") {
    update reply {
      cisco-avpair = "shell:priv-lvl=15"
    }
  }
  elsif (LDAP-Group == "ops") {
    update reply {
      cisco-avpair = "shell:priv-lvl=1"
    }
  }
  else {
    reject
  }
}

Because this is an if/elsif chain, unlang evaluates it top to bottom and only the first branch whose condition is true runs, so the order encodes precedence. The final else makes the policy default-deny: an authenticated user who matches none of the branches gets an Access-Reject instead of an Access-Accept with no privilege level.

In the first branch I combine client-shortname, which is the name of the client's stanza in clients.conf, with my username, so only that user coming through that NAS gets clientusername-test back.

The additional elsif statements are just an example of why ordering matters: a user who is in both admins and ops hits the admins branch first and gets priv-lvl 15.

radtest is the best tool for making sure the proper responses are coming back.

Cisco Prime Infrastructure authentication requires sending additional cisco-avpair attributes. The example below is what I was able to get working for me.

post-auth {
### Cisco Auth ###
  if (LDAP-Group == "network") {
    reply_log
    update reply {
      cisco-avpair = "shell:priv-lvl=15",
      cisco-avpair += "NCS:role0=Admin",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "support") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 1",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "security") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 2",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  else {
    reject
  }
}

The only trick here was getting the formatting right. Authentication against Prime did not work when I tried to send role0 and virtual-domain0 inside the same attribute; each NCS: value has to be its own Cisco-AVPair instance. That is what the operators do: = adds the attribute only if no instance exists yet, and += appends another instance instead of overwriting the first.
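
As an added example (not from the original post) covering both policies above, here is how I would turn the radtest check into something repeatable: send an Access-Request with radclient (radtest is a wrapper around it) and assert on the reply type and on the exact, ordered list of Cisco-AVPair values, so a reordered branch or a collapsed NCS: pair shows up as a failure. The server address, shared secret, NAS address and user names are assumptions, and the embedded transcripts are constructed to match the radclient -x output format of FreeRADIUS 3.0.x rather than captured from a real server.

```shell
#!/bin/bash
# Added example, not from the original post: drive the post-auth policies above with
# radclient (radtest is a wrapper around it) and check the reply the way a regression
# test should: the right packet type, and exactly the expected Cisco-AVPair values in
# order. Server, shared secret, NAS address and user names are assumptions; the
# transcript formats are those printed by radclient -x in FreeRADIUS 3.0.x.
set -eu

RADIUS_SERVER=${RADIUS_SERVER:-127.0.0.1}
RADIUS_SECRET=${RADIUS_SECRET:-testing123}

# send_request USER PASSWORD NAS_IP: print radclient's transcript for one Access-Request.
# NAS-IP-Address determines which clients.conf stanza (client-shortname) the server matches.
send_request() {
  printf 'User-Name = "%s"\nUser-Password = "%s"\nNAS-IP-Address = %s\n' "$1" "$2" "$3" \
    | radclient -x "$RADIUS_SERVER" auth "$RADIUS_SECRET"
}

# reply_code TRANSCRIPT: Access-Accept / Access-Reject, for either 3.0 transcript style
reply_code() {
  printf '%s\n' "$1" | sed -nE \
    -e 's/^Received (Access-[A-Za-z]+) Id .*/\1/p' \
    -e 's/^rad_recv: (Access-[A-Za-z]+) packet .*/\1/p' | head -n1
}

# reply_avpairs TRANSCRIPT: every Cisco-AVPair value in the reply, one per line, in order
reply_avpairs() {
  printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*Cisco-AVPair = "(.*)"[[:space:]]*$/\1/p'
}

# check_reply TRANSCRIPT CODE [AVPAIR...]: 0 only if the code matches and the AV-pair list is
# exactly AVPAIR..., order included (Prime needs role0 and virtual-domain0 as separate VSAs)
check_reply() {
  local transcript=$1 want_code=$2
  shift 2
  [ "$(reply_code "$transcript")" = "$want_code" ] || return 1
  [ "$(reply_avpairs "$transcript")" = "$(printf '%s\n' "$@")" ]
}

# Constructed transcripts (not captured from a real server) so the checks can run offline
SAMPLE_ACCEPT='Sent Access-Request Id 42 from 0.0.0.0:40000 to 127.0.0.1:1812 length 60
        User-Name = "netadmin"
Received Access-Accept Id 42 from 127.0.0.1:1812 to 0.0.0.0:40000 length 105
        Cisco-AVPair = "shell:priv-lvl=15"
        Cisco-AVPair = "NCS:role0=Admin"
        Cisco-AVPair = "NCS:virtual-domain0=ROOT-DOMAIN"'
SAMPLE_REJECT='Sent Access-Request Id 43 from 0.0.0.0:40000 to 127.0.0.1:1812 length 60
Received Access-Reject Id 43 from 127.0.0.1:1812 to 0.0.0.0:40000 length 20'

selftest() {
  check_reply "$SAMPLE_ACCEPT" Access-Accept \
    "shell:priv-lvl=15" "NCS:role0=Admin" "NCS:virtual-domain0=ROOT-DOMAIN" || return 1
  check_reply "$SAMPLE_REJECT" Access-Reject || return 1
  # wrong order (or a missing VSA) must be reported as a failure
  ! check_reply "$SAMPLE_ACCEPT" Access-Accept "NCS:role0=Admin" "shell:priv-lvl=15"
}

# Against the live server: a "network" group member gets all three VSAs; a user in none of
# the groups must hit the final else and be rejected, not accepted with no privileges.
live() {
  check_reply "$(send_request netadmin 'Secret1' 10.0.0.1)" Access-Accept \
    "shell:priv-lvl=15" "NCS:role0=Admin" "NCS:virtual-domain0=ROOT-DOMAIN" && echo "network: ok"
  check_reply "$(send_request nogroup 'Secret1' 10.0.0.1)" Access-Reject && echo "no group: rejected"
}

case "${1:-}" in
  --selftest) selftest && echo "selftest: ok" ;;
  --live) live ;;
esac
```

The no-group case is the one worth keeping in a test: if someone later drops the else, that user would silently start getting an Access-Accept, and the check above turns that into a visible failure.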

Let me know if this is helpful to you or if I can go into anymore details. This is just what is working in my environment. Your usage may vary.

HP iLO Amplifier Pack – Installing VMware Tools

We recently installed the iLO Amplifier Pack at work. HP ships this software as a way to easily manage their servers from a central location. The interface looks nice; however, they really lock you out of the virtual machine and limit the command line. This presents a major annoyance because they decided to ship this OVA file without installing VMware Tools or open-vm-tools.

I did a little digging through the Veeam backup and discovered the virtual machine was running Debian 9.5. HP pretty much locks out the Administrator account by not assigning the user a shell and using ForceCommand in sshd_config. That lockdown only holds while the disk is accessed through the running appliance: anyone who can read the VMDK or a backup of it, or boot the VM from other media, can change the filesystem, which is exactly what the steps below do.

ForceCommand /opt/wolfram/bin/wcli

I was able to install open-vm-tools by booting into the Debian live CD and using chroot to modify the virtual machine's filesystem. We don't have DHCP on the server network, so I had to set an IP address and DNS server in the live environment. Make sure the live environment has access to the network before continuing. Inside the chroot, apt uses the appliance's own /etc/resolv.conf, so copy the live environment's resolv.conf in first (back up the original if you want to put it back afterwards), and unmount everything in reverse order when done.

sudo mount /dev/sda1 /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
sudo chroot /mnt

nano /etc/apt/sources.list
apt update
apt install open-vm-tools
exit

sudo umount /mnt/sys /mnt/proc /mnt/dev/pts /mnt/dev /mnt

I confirmed VMware tools was running after rebooting the machine.
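
As an added example (not from the original post), the same procedure as a script with the checks the bare command list skips: it refuses to proceed unless the partition actually holds a Debian root, confirms the live environment can resolve a mirror before apt runs, gives the chroot /dev/pts and a working resolver, and unmounts in reverse order on exit. ROOT_DEV, MNT and the mirror hostname are assumptions; DRY_RUN=1 prints the plan instead of executing it.

```shell
#!/bin/bash
# Added example, not from the original post: the chroot procedure above as one script
# with the checks the bare command list skips. ROOT_DEV, MNT and MIRROR_HOST are
# assumptions; DRY_RUN=1 prints the commands so the plan can be reviewed first.
set -eu

ROOT_DEV=${ROOT_DEV:-/dev/sda1}
MNT=${MNT:-/mnt}
MIRROR_HOST=${MIRROR_HOST:-deb.debian.org}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute CMD, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mount_points: pseudo-filesystems apt/dpkg need inside the chroot, in mount order
mount_points() { printf '%s\n' dev dev/pts proc sys; }

# unmount_order: the same list reversed (dev/pts has to go before dev)
unmount_order() { mount_points | sed '1!G;h;$!d'; }

# is_debian_root DIR: 0 if DIR looks like a Debian root filesystem
is_debian_root() { [ -f "$1/etc/debian_version" ] && [ -d "$1/etc/apt" ]; }

# network_ok: 0 if the live environment can resolve the mirror, i.e. the post's
# "make sure the live environment has access to the network before continuing"
network_ok() { getent hosts "$MIRROR_HOST" >/dev/null 2>&1; }

enter_chroot() {
  run mount "$ROOT_DEV" "$MNT"
  if [ "$DRY_RUN" != 1 ] && ! is_debian_root "$MNT"; then
    echo "$ROOT_DEV is not a Debian root (check lsblk/blkid); unmounting" >&2
    run umount "$MNT"
    return 1
  fi
  for p in $(mount_points); do
    run mount --bind "/$p" "$MNT/$p"
  done
  # keep the appliance's resolver config aside and lend it the live CD's for the apt run
  if [ -e "$MNT/etc/resolv.conf" ] || [ -L "$MNT/etc/resolv.conf" ]; then
    run mv "$MNT/etc/resolv.conf" "$MNT/etc/resolv.conf.livecd-bak"
  fi
  run cp /etc/resolv.conf "$MNT/etc/resolv.conf"
}

leave_chroot() {
  if [ -f "$MNT/etc/resolv.conf.livecd-bak" ]; then
    run mv "$MNT/etc/resolv.conf.livecd-bak" "$MNT/etc/resolv.conf"
  fi
  for p in $(unmount_order); do
    run umount "$MNT/$p"
  done
  run umount "$MNT"
}

install_vm_tools() {
  if [ "$DRY_RUN" != 1 ] && ! network_ok; then
    echo "cannot resolve $MIRROR_HOST; fix the live environment's network first" >&2
    return 1
  fi
  enter_chroot
  trap leave_chroot EXIT
  # /etc/apt/sources.list in the chroot must point at a mirror that still carries
  # the appliance's release before this step
  run chroot "$MNT" /bin/sh -c 'apt-get update && apt-get install -y open-vm-tools'
}

case "${1:-}" in
  --install) install_vm_tools ;;
esac
```

Run it as root from the live environment with --install; DRY_RUN=1 ./script --install shows the mount, copy and unmount sequence without touching the disk.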

I also discovered a couple other things that I will write another post about some day…

HP – In the meantime, please consider shipping this OVA file with open-vm-tools. It is pretty rare to run into a situation where it is not included.

6/13/19 – As of right now the OVA is running Debian Stretch and the sources.list should look like the one below.

Qubes OS 4.0 Release

Qubes OS 4.0 was recently released after a fairly lengthy development cycle. https://www.qubes-os.org/doc/releases/4.0/schedule/

I have been running the new release on my Librem 13 laptop since RC3 and all the changes have been great. I am sure the release notes on their website will do a better job of describing all of the changes than I can. If you are interested you can find them here: https://www.qubes-os.org/doc/releases/4.0/release-notes/

My favorite noticeable changes were to the user interface. Widgets were added for mounting/unmounting USB devices, interacting with or shutting down running qubes, and showing system disk space usage. Despite it being a controversial idea, the Qube Manager was slated to be removed from this release. In the end the Qube Manager stayed, but with the addition of the new widgets I find myself rarely opening it anyway.

Purism has also released new firmware that supports Intel VT-d, which is "required" by version 4.0. The update process was pretty straightforward on my Librem 13. I ran the update from a Debian Stretch installation I had on a 32GB flash drive. https://code.puri.sm/kakaroto/coreboot-files/src/master/Changelog.txt

I previously wrote a short post detailing a business use case for running Qubes OS and would recommend anyone who wants better control of their data and security to give it a try.

Purism Librem 13 v2 Review

At first I thought about writing your typical hardware review; however, those can become repetitive, following a similar layout to cover similar hardware and software aspects of the machine. Instead, I want to briefly talk about how I justified the cost of the laptop and my first impressions of it as an end user.

I wanted to replace my old and cracking Thinkpad x230 running Coreboot, gain NVMe support, and finally get back to a 1080p screen. My main reasons for purchasing this laptop were that Purism supports privacy and ships Coreboot on their machines. As I said in an earlier post, I think it's important to support companies providing specialty hardware like this so it continues to be available and may prompt others to follow suit. For example, it was great to see Purism start disabling Intel ME, followed by System76, and even Dell.

Initially, I was supposed to receive my laptop around August... My understanding is there were supply chain issues, Coreboot kinks to work out, and a large effort on the phone (I pre-ordered one of these too) funding campaign which delayed shipments. The laptop finally arrived in December. I tried to be very understanding of this because, in my view, Purism is a smaller company that does not have the resources to keep a large amount of stock on hand like other established hardware providers. They do everything in batches. They were also releasing the first i7 version of the Librem 13 v2 with Coreboot support. Still, it would have been nice to have had better expectations set upfront and to have been kept better in the loop on progress and delays.

After unboxing the laptop I was honestly a little worried it would not meet my expectations. I have been using a Thinkpad of some sort for the last eight years and have grown accustomed to their feel and durability. While the aluminum body looks great, it almost felt fragile, and at first I was worried about damaging it. I also read some reviews about it showing lots of grease from your fingers. However, after using the laptop for the last three weeks it has really grown on me and I am happy with the feel of everything.

The finish does show some spots, but they are not nearly as bad as some other posts made me think. I actually think the trackpad will be more resistant to the typical Thinkpad trackpad wear, in which a large greasy/polished/shiny spot shows up where it is used the most. Time will tell.

I killed PureOS in favor of running Qubes OS too quickly to give much of a review, but the setup was quick and easy. If you are new to running Linux I would recommend sticking with PureOS because it is easy to use, a derivative of Debian, and was recently added to the Free Software Foundation's list of endorsed distributions. Currently, I am having a major problem with Qubes 3.2 as it will not resume from suspend...

Overall, I am really happy with the final product that was delivered. It will take a little time to get used to a new keyboard layout and I am eagerly awaiting VT-d support to be added so Qubes OS 4.0 will be supported.

I bricked (and recovered) the Meraki Z1

I purchased a used Meraki Z1 on eBay (~ $70) because it is supported by LEDE and seems to be pretty good hardware. It has 4 GbE LAN ports, 1 WAN port, and dual-concurrent 2×2 MIMO 802.11n radios. The LEDE support is important because I am not paying Cisco a yearly license to put my device in their cloud. Unfortunately, while flashing it the first time around I ended up with a brick.

TL;DR

Bricked after using a beta build from GitHub. Lesson learned: build from source.

  1. Build from source
  2. Follow directions and flash
  3. Win

Purism Librem 13 Ordered

I have been happy with my Lenovo x230 up until this point, but was really looking for a 1080p screen, NVMe support, and USB-C. Purism recently started supporting Coreboot and added an i7 processor to the 13″ model which helped sway my decision on purchasing a new laptop.

It certainly was not a cheap purchase, nevertheless I am glad that they are supporting Coreboot and working on reverse engineering Intel ME. Hopefully they will continue to contribute to open source and their work on freedom-respecting computers. I believe in voting with your dollars and want to see more current hardware supported by Coreboot in the future.

The i7 models are currently back ordered, but it sounds like my new laptop should ship sometime in August or September. I may decide to write up a simple review or comparison to the x230 once it arrives.

https://puri.sm/

Free the Meraki MR24 w/ LEDE Project

The LEDE Project (“Linux Embedded Development Environment”) is a Linux operating system based on OpenWrt.
https://lede-project.org/start

I have used OpenWrt in the past and had not heard of the LEDE Project until I was researching the ability to reflash Meraki gear. I picked up a couple of Meraki MR24s for cheap on eBay after finding out they were supported. The hardware is a 3×3 MIMO 802.11n access point which supports up to 900 Mbps. If you are not familiar with Meraki, it is gear that is managed from Meraki's cloud dashboard and requires users to purchase a yearly license.

A GitHub user named riptidewave93 posted code and a flashing guide to liberate the Meraki and convert it to a standard access point. His work was merged into the LEDE Project, but has not made it into OpenWrt yet.

His flashing process is pretty straightforward, but doesn't cover the UART pins, which can be found here:

To open the case you need a T6 Torx bit, and I used a knife to pry the metal case past the plastic.

On the other side I hooked up my USB to Serial adapter and booted into LEDE.

Some of the information was all over the place which is why I consolidated it here. The AP has been working great and it is worth the cost if you are looking for an enterprise level Wireless-N device.

Separating Work/Life Data

As a system administrator I deal with a lot of different systems and accounts on a daily basis. Over the last six months I have been struggling with the idea of splitting work from my personal life. I would like to keep them separate, but the thought of carrying two laptops makes me cringe.

Qubes OS aims to solve this problem and many others by splitting these activities into different AppVMs. Qubes OS 3.2 was released recently and I thought now would be a good time to try switching.

After installing Qubes, I had it create the basic AppVMs. These included untrusted, personal, and work. I am a big fan of Debian so I switched all the default VMs to the debian-8 template. The last step was to configure my personal and work AppVMs, which included a new LastPass account and adding some applications to the template.

Now I will work on getting used to the new work flow and plan on adding interesting information to the blog as I run across it.

Uninstalling PE from agent nodes

At work we switched from using Puppet Enterprise to Ansible for a variety of reasons. After the switch I disabled the Puppet agents, but never got around to uninstalling all of them.

Recently, I ran into an issue where one server suddenly turned the Puppet agent back on and reverted changes that had been made. I decided it was time to clean up the mess, but Puppet requires files from the server in order to uninstall the agent, and my server was long gone.

This document covers the agent uninstall process: https://docs.puppet.com/pe/latest/install_uninstalling.html#uninstalling-pe-from-agent-nodes

I uploaded the necessary files here, in order to prevent myself or other people from installing Puppet Enterprise again to retrieve them: pe-uninstall.zip

The next step was to create an Ansible job to copy these to the server and run the uninstall script. Easy. One thing worth changing if you reuse it: the playbook stages a root-executed script in /tmp, which is world-writable; a per-run directory under /root (or one created with the tempfile module) avoids any chance of an unprivileged local user pre-creating those paths.

https://bitbucket.org/blissjoe/ansible-remove-peagent/

---
- hosts: puppet
  become: true
  tasks:

    - name: check for pe-agent
      command: rpm -q pe-agent
      register: rpm_check
      failed_when: false
      changed_when: false

    - block:
        - name: copy uninstall script
          copy: src=files/puppet/puppet-enterprise-uninstaller dest=/tmp/puppet-enterprise-uninstaller mode="u+rwx"

        - name: copy utils and answers
          copy: src=files/puppet/{{ item }} dest=/tmp/{{ item }}
          with_items:
            - utilities
            - answers.remove

        - name: run uninstall script
          command: "/tmp/puppet-enterprise-uninstaller -a /tmp/answers.remove"

        - name: cleanup
          file: path=/tmp/{{ item }} state=absent
          with_items:
            - utilities
            - answers.remove
            - puppet-enterprise-uninstaller

      when: rpm_check.rc == 0