Friday 26 September 2014

Install Keepalived on CentOS 7

Keepalived is a solution that provides a strong & robust health-check framework, and also implementing a Hot Standby protocol. It allows load balancing services to have HA and prevent Single Point of Failure.

The following is a set of instructions on setting up Keepalived service on CentOS7.

Assume network as below:
LB1:Loadbalancer 1:192.168.1.80
LB2:Loadbalancer 2:192.168.1.81
Vip1:Virtual IP:192.168.1.82

We want to use LB1 as the master LB, LB2 as standby. If LB1 fails, LB2 will take over as master. Whoever is the master will take over the Vip of 192.168.1.82.

To configure LB1:192.168.1.80, ssh into LB1:
[root@LB1 ~]# yum install keepalived
To allow kernel binding non-local IP into the hosts and apply the changes: 
[root@LB1 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB1 ~]# sysctl -p

[root@LB1 ~]# vi /etc/keepalived/keepalived.conf 


! Configuration File for keepalived 

global_defs { 
   notification_email { 
        admin1@domain.com 
   } 
   notification_email_from admin@local 
   smtp_server 192.168.1.99 
   smtp_connect_timeout 30 
} 

vrrp_script chk_curl { 
    script "/usr/bin/curl http://192.168.1.80" 
    interval 2 
    weight -4 
    timeout 5 
    fall 2 
    rise 2 
}

vrrp_instance VI_1 { 
    state MASTER 
    interface eth0 
    virtual_router_id 51 
    priority 101 
    advert_int 1 
    authentication { 
        auth_type PASS 
        auth_pass 1111 
    } 
    virtual_ipaddress { 
        192.168.1.82/32 dev eth0 
    } 
    track_script { 
        chk_curl 
    } 
} 



[root@LB1 ~]# service keepalived start

Next configure LB2:192.168.1.81, ssh into LB2:
[root@LB2 ~]# yum install keepalived
To allow kernel binding non-local IP into the hosts and apply the changes: 
[root@LB2 ~]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@LB2 ~]# sysctl -p

[root@LB2 ~]# vi /etc/keepalived/keepalived.conf 


! Configuration File for keepalived 

global_defs { 
   notification_email { 
        admin1@domain.com 
   } 
   notification_email_from admin@local 
   smtp_server 192.168.1.99 
   smtp_connect_timeout 30 
} 

vrrp_script chk_curl { 
    script "/usr/bin/curl http://192.168.1.81" 
    interval 2 
    weight -4 
    timeout 5 
    fall 2 
    rise 2 
}

vrrp_instance VI_1 { 
    state MASTER 
    interface eth0 
    virtual_router_id 51 
    priority 100 
    advert_int 1 
    authentication { 
        auth_type PASS 
        auth_pass 1111 
    } 
    virtual_ipaddress { 
        192.168.1.82/32 dev eth0 
    } 
    track_script { 
        chk_curl 
    } 
} 

[root@LB2 ~]# service keepalived start
chk_curl is a checking script, in above is to check if the httpd service is functioning. 192.168.1.80 is having higher piority(101),1.80 will be master while 1.81 will be backup. If the curl fails, eg httpd down, the vip(192.168.1.82) will swing to 192.168.1.81.

This custom checking script is useful, if you have other checking criteria, you script it in. Basically vrrp_script will check the return value of the script.(eg $? in bash)
Posted by at 5 comments :
Labels: , , , ,

Centos 7 firewall (firewalld)

Centos 7 is using firewalld instead of iptables. Below are the steps to enable/disable firewalld.

To check the status of the firewall:
#  service firewalld status

To disable the firewall:
#  service firewalld stop

To start the firewall:
#  service firewalld start

To enable firewall on boot:
#  systemctl enable firewalld
To disable firewall on boot:
#  systemctl disable firewalld
To check on how to configure firewall:
#  man firewall-cmd
To get the default zone:
#  firewall-cmd --get-default-zone
To list all services in public zone:
#  firewall-cmd --zone=public --list-all
To accept http service in public zone permanently:
#  cat /etc/firewalld/zones/public.xml
#  firewall-cmd --permanent --zone=public --add-service=http
#  firewall-cmd --reload
#  cat /etc/firewalld/zones/public.xml
To deny http service in public zone permanently:
#  cat /etc/firewalld/zones/public.xml
#  firewall-cmd --permanent --zone=public --remove-service=http
#  firewall-cmd --reload
#  cat /etc/firewalld/zones/public.xml
The GUI screen to control the firewall is available from the menu.

To install using yum:
# yum install firewall-config
To get to Firewall GUI:

Fedora : System > Administration > Firewall
RHEL7/OL7 : Applications > Sundry > Firewall

Posted by at No comments :
Labels: , ,

Friday 18 July 2014

CentOS 7: "-bash: ifconfig: command not found"

After new installed Centos 7, entering network command "ifconfig", caused this error "-bash: ifconfig: command not found". This was due to "net-tools" not installed by default. Install "net-tools" will solve the problem. 
# yum install net-tools
# ifconfig

Posted by at No comments :
Labels:

Friday 16 May 2014

Apache http server ldap authentication (by group)

To setup the apache server to use 389 Directory Server as access manager you will need to make sure the mod_ldap was setup with the apache server: 
yum install mod_ldap

vi /etc/httpd/conf.modules.d/01-ldap.conf

# This file configures the LDAP modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
And that these lines are in the httpd.conf file: 
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider ldap
AuthLDAPURL "ldap://r65-1.local/dc=local"
Require ldap-group cn=Managers,ou=Groups,dc=local
Posted by at No comments :
Labels: , ,

Apache http server ldap authentication (by uid)

To setup the apache server to use 389 Directory Server as access manager you will need to make sure the mod_ldap was setup with the apache server: 
yum install mod_ldap

vi /etc/httpd/conf.modules.d/01-ldap.conf

# This file configures the LDAP modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
And that these lines are in the httpd.conf file: 
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider ldap
AuthLDAPURL "ldap://r65-1.local/dc=local"
Require ldap-user john
Posted by at No comments :
Labels: , ,

Wednesday 14 May 2014

Static IP network configuration on CentOS 6

Below are the templates to configure CentOS for static ip: 
# cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.1.41    r65-1.local     r65-1

# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=r65-1
GATEWAY=192.168.1.1

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.168.1.41
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.1
DOMAIN=local
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

# cat /etc/resolv.conf
search local
nameserver 192.168.1.1
Posted by at No comments :
Labels: , ,

Setup LDAP authentication on CentOS 6 with SSSD

To install LDAP authentication on CentOS 6 (with SSSD)
yum install sssd
To get the TLS/SSL cert:
cd /etc/sssd
sftp *389 directory server/cert directory*
mget cacert.asc
chown nobody:nobody cacert.asc
Configuring NSS Services to Use SSSD
# authconfig --enablesssd --update

The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
# vim /etc/nsswitch.conf
...
services: file sss

To configure the PAM service. Use authconfig to enable SSSD for system authentication.
# authconfig --update --enablesssd --enablesssdauth

Configure sssd.conf:
vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
debug_level = 9
access_provider = ldap
ldap_access_filter = host=r65-2.local
The last 2 sentences are for Host-Based Access Control (eg old config=>pam_check_host_attr), if you are not using this feature, you can omit these.

Restart sssd and the machine can login using LDAP:
chmod 600 /etc/sssd/sssd.conf
service sssd restart
Posted by at 4 comments :
Labels: , ,
Subscribe to: Posts ( Atom )

search iomeweekly