scponly on RHEL5

Installation

  1. Download scponly from here: http://sourceforge.net/projects/scponly/files/
  2. Copy it over to the server: scp scponly-YYYYMMDD.tgz username@serverName:~/
  3. On the SFTP server untar the tarball in /usr/local and build it:
    1. cd /usr/local
    2. tar xzf ~/scponly-YYYYMMDD.tgz
    3. cd scponly-YYYYMMDD
    4. ./configure --enable-chrooted-binary
    5. make
    6. sudo make install
  4. This will create the necessary files for scponly (including the chrooting scponlyc binary) under /usr/local

Add SFTP chrooted user

  1. I downloaded the make_chroot_jail.sh script from here: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ and modified it for our environment.
  2. Run the make_chroot_jail.sh script. This will create the user if one doesn’t exist, create the directory structure and make a writeable directory for the user to upload files or pull files from.
  3. Add SFTP user to sshd_config AllowUsers, restart SSHD
  4. Test with an SFTP client. NOTE: You will not be able to test with an SSH shell login!!
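A readiness check for a chrooted SFTP account, added here as an example (it is not part of the original notes or of the make_chroot_jail.sh script): it confirms that the account's login shell is scponlyc, the chrooting binary produced by --enable-chrooted-binary, and that the user is listed in sshd_config AllowUsers, which is the second step that is easy to forget. The passwd and sshd_config fragments are constructed sample input; the install path /usr/local/sbin/scponlyc, the jail layout and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that a user is set up
# for SFTP-only, chrooted access. Two conditions are checked:
#   1. the login shell is scponlyc (the setuid, chrooting scponly binary)
#   2. the user is listed in sshd_config AllowUsers
# Both files are passed as arguments so the check can run on copies.

sftp_user_ready() {
    user=$1; passwd_file=$2; sshd_config=$3

    shell=$(awk -F: -v u="$user" '$1 == u { print $NF }' "$passwd_file")
    case "$shell" in
        "")          echo "$user: no passwd entry"; return 1 ;;
        */scponlyc)  ;;   # chrooted binary, good
        *)           echo "$user: login shell is $shell, not scponlyc"; return 1 ;;
    esac

    # AllowUsers may list several names per line and may appear more than once
    if ! awk -v u="$user" '
            $1 == "AllowUsers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
            END { exit !found }' "$sshd_config"; then
        echo "$user: not listed in AllowUsers (sshd will refuse the login)"
        return 1
    fi
    echo "$user: shell and AllowUsers look correct"
}

# Constructed sample input (assumed install path /usr/local/sbin/scponlyc,
# assumed jail layout /home/jail/./home/<user>)
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sftpuser:x:501:501::/home/jail/./home/sftpuser:/usr/local/sbin/scponlyc
bob:x:502:502::/home/bob:/bin/bash
carol:x:503:503::/home/jail/./home/carol:/usr/local/sbin/scponlyc
EOF
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
AllowUsers admin sftpuser
AllowUsers bob
EOF

sftp_user_ready sftpuser "$SAMPLE_PASSWD" "$SAMPLE_SSHD"
sftp_user_ready bob      "$SAMPLE_PASSWD" "$SAMPLE_SSHD" || true
sftp_user_ready carol    "$SAMPLE_PASSWD" "$SAMPLE_SSHD" || true
```

On the real server run it as `sftp_user_ready <user> /etc/passwd /etc/ssh/sshd_config`. Because scponlyc is setuid root in order to chroot, it is also worth confirming that the jail root directory is owned by root and not writable by the SFTP user; the script above only covers the shell and AllowUsers parts.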

Channel bonding interfaces RHEL5

Instructions taken from here: http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_s1-networkscripts-interfaces.html

Here’s another good reference: http://www.cyberciti.biz/tips/linux-bond-or-team-multiple-network-interfaces-nic-into-single-interface.html

Create /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.25.0
NETMASK=255.255.255.0
IPADDR=192.168.25.20
IPV6INIT=no
IPV6_AUTOCONF=no
USERCTL=no

Edit /etc/sysconfig/network-scripts/ifcfg-eth1

# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth1
HWADDR=3C:4A:92:E4:48:A6
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
IPV6INIT=no
IPV6_AUTOCONF=no
ONBOOT=yes
USERCTL=no
HOTPLUG=no

Edit /etc/sysconfig/network-scripts/ifcfg-eth0

# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet
DEVICE=eth0
HWADDR=3C:4A:92:E4:48:A4
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
IPV6INIT=no
IPV6_AUTOCONF=no
ONBOOT=yes
USERCTL=no

Add to /etc/modprobe.conf

alias bond0 bonding
options bond0 mode=balance-alb miimon=100

Load the bonding module: modprobe bonding mode=balance-alb miimon=100

Restart networking: service network restart

View the status of bond0: cat /proc/net/bonding/bond0

Ethernet Channel Bonding Driver: v3.4.0-1 (October 7, 2008)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:e4:48:a4

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:e4:48:a6
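A bond that has silently lost one link is still "up", so the status file above is worth checking from a cron job or monitoring agent. The following is an added example, not part of the original notes: it parses the /proc/net/bonding/bond0 format, reports the currently active slave, and flags any slave that is not MII "up" or that has a non-zero link failure count. The healthy sample file is a copy of the output shown above; the degraded sample is constructed from it.

```shell
#!/bin/sh
# Added example, not from the original notes: parse the status file that
# cat /proc/net/bonding/bond0 prints and flag slaves that are not "up" or
# have recorded link failures, so a degraded bond is noticed before the
# second link also fails.

bond_active_slave() {
    # $1 = bonding status file; prints the currently active slave
    awk '/^Currently Active Slave:/ { print $4 }' "$1"
}

bond_check() {
    # $1 = bonding status file; exit 0 if every slave is up with zero link
    # failures, otherwise print one line per problem slave and exit 1
    awk '
        /^Slave Interface:/             { slave = $3 }
        /^MII Status:/ && slave != ""   { mii[slave] = $3 }
        /^Link Failure Count:/          { failures[slave] = $4 + 0 }
        END {
            bad = 0
            for (s in mii)
                if (mii[s] != "up" || failures[s] > 0) {
                    printf "%s: MII %s, link failures %d\n", s, mii[s], failures[s]
                    bad = 1
                }
            exit bad
        }' "$1"
}

# Constructed sample status files (the healthy one mirrors the output above)
BOND_HEALTHY=$(mktemp)
BOND_DEGRADED=$(mktemp)
trap 'rm -f "$BOND_HEALTHY" "$BOND_DEGRADED"' EXIT
cat > "$BOND_HEALTHY" <<'EOF'
Ethernet Channel Bonding Driver: v3.4.0-1 (October 7, 2008)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:e4:48:a4

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:e4:48:a6
EOF
# The same bond after eth1 lost link twice and is currently down
sed -e '/^Currently Active Slave:/s/eth1/eth0/' \
    -e '/^Slave Interface: eth1/,$s/^MII Status: up/MII Status: down/' \
    -e '/^Slave Interface: eth1/,$s/^Link Failure Count: 0/Link Failure Count: 2/' \
    "$BOND_HEALTHY" > "$BOND_DEGRADED"

echo "active slave: $(bond_active_slave "$BOND_HEALTHY")"
bond_check "$BOND_HEALTHY"  && echo "bond0 healthy"
bond_check "$BOND_DEGRADED" || echo "bond0 degraded"
```

On the server, `bond_check /proc/net/bonding/bond0` gives a non-zero exit status whenever a slave is down or has accumulated failures, which is the condition a monitoring check should alert on.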

RHEL5 Rollback RPM Update

Taken from here: http://blog.chris.tylers.info/index.php?/archives/17-How-to-Rollback-Package-UpdatesInstallation-on-Fedora.html

Fedora Core 5, like FC4, uses yum for package management. yum is built on top of rpm, and pirut, pup, and yumex are graphical interfaces built on top of yum. Together, these tools provide a simple-to-use, powerful package management system.
One of the least-known secrets about rpm is that it can rollback (undo) package changes. It can take a fair bit of storage space to track the information necessary for rollback, but since storage is cheap, it’s worthwhile enabling this feature on most systems. This is a feature I’ve used several times while writing the book Fedora Linux.

Here are cut-to-the-chase directions on using this feature:

  1. To configure yum to save rollback information, add the line tsflags=repackage to /etc/yum.conf.
  2. To configure command-line rpm to do the same thing, add the line %_repackage_all_erasures 1 to /etc/rpm/macros.
  3. Install, erase, and update packages to your heart’s content, using pup, pirut, yumex, yum, rpm, and the yum automatic update service.
  4. If/when you want to rollback to a previous state, perform an rpm update with the --rollback option followed by a date/time specifier. Some examples: rpm -Uhv --rollback '9:00 am'; rpm -Uhv --rollback '4 hours ago'; rpm -Uhv --rollback 'december 25'.

RHEL5 svn+https

Introduction

Here are the steps I took to install Subversion over https on RHEL5

Requirements

You will need mod_dav_svn in order to use Apache authentication for subversion repositories and mod_ssl for Apache over SSL to configure https+svn.

To install these if you are using the Apache RPM provided by RedHat Network: yum install mod_ssl mod_dav_svn

You will then need to reload apache.

Check config for errors: httpd -t

Reload service: service httpd reload

Apache configuration

By default, mod_ssl will add an ssl.conf file at /etc/httpd/conf.d/ssl.conf and include a default localhost certificate with generic information. You can create a self-signed cert if you like or purchase a valid certificate.

I configured a virtual host to handle the subversion repository. Here is a copy of my virtual host stanza.

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html
    ServerName svn.example.com
    ErrorLog logs/svn.example.com-error_log
    CustomLog logs/svn.example.com-access_log common

    <Location />
        DAV svn
        SVNParentPath /path/to/repo/
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /path/to/svn-auth-file
        Require valid-user
        AuthzSVNAccessFile /path/to/svn-policy-file
    </Location>
</VirtualHost>

SVN Policy File

Located at /path/to/svn-policy-file. The access file below will allow every authenticated user read access to a listing of all the repos. Within repo1, user1 and user2 will be able to view the entire repo but user3 and user4 cannot.

[groups]
admins = admin1, admin2, admin3

[/:/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r

[repo2:/]
@admins = r
user3 = r
user4 = r

Apache Basic Authentication File

Finally we need to create an Apache authentication file for access to the subversion repository.

htpasswd -cm /path/to/svn-auth-file user1
htpasswd -m /path/to/svn-auth-file user2
htpasswd -m /path/to/svn-auth-file user3
htpasswd -m /path/to/svn-auth-file user4

Each command prompts for that user's password; -m stores it as an MD5 (apr1) hash rather than in the clear.

Note: Only the first command has -c option to create the file!

SELinux

I found this great post explaining how to get mod_svn, subversion and selinux all working together.

SELinux, Subversion and mod_svn

Excellent SELinux troubleshooting explained: http://www.threepillarglobal.com/troubleshooting-selinux-issues

Here’s what happened to me. I wanted to put my repository in a partition that was not under /var, which is where Apache by default stores its DocumentRoot. Knowing that files need a particular SELinux context to be served correctly by Apache, I edited the security context to be the same as the /var/www/html directory, which is the default directory:

chcon -R --reference=/var/www/html /path/to/repo

I was still getting SELinux errors and a permission denied. All UNIX permissions were correct so I knew it was still SELinux. So looking at the audit.log errors, I noticed that, similar to UNIX permissions, SELinux permissions are inherited and the permissions have to be correct going up to / just as they are going down to /path/to/repo. So that led me to check the SELinux permissions on /data, which is the partition I wanted my data on.

It was the SELinux permissions on /data that were preventing Apache from working properly. To resolve this I did the following:

chcon --reference=/var /data

NOTE: Make sure this change doesn’t break any other application that may be accessing files or using /data as its partition.
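The lesson above (every directory from / down to the repository must carry a context Apache may traverse) is easy to turn into a quick audit. The following is an added example, not from the original post: path_chain lists / and each ancestor of a path, and show_contexts prints the SELinux label of every one of them so the odd one out (here /data) stands out. path_chain is plain string handling and runs anywhere; show_contexts needs ls -Z, i.e. an SELinux host. The repository path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: Apache needs a traversable
# SELinux context on every directory from / down to the repository, so
# walk that chain and print the context of each component. path_chain is
# plain string handling; show_contexts needs ls -Z, i.e. an SELinux host.

path_chain() {
    # $1 = absolute path; prints /, each ancestor, then the path, one per line
    p=${1%/}                     # drop a trailing slash
    [ -z "$p" ] && p=/
    out=$p
    while [ "$p" != "/" ]; do
        p=${p%/*}
        [ -z "$p" ] && p=/
        out="$p
$out"
    done
    printf '%s\n' "$out"
}

show_contexts() {
    # $1 = repository path; lists the label of every directory above it
    path_chain "$1" | while IFS= read -r d; do
        ls -dZ "$d"
    done
}

# Usage on the server from the post (assumed path):
#   show_contexts /data/path/to/repo
path_chain /data/path/to/repo
```

Two caveats worth keeping next to the chcon commands above: `chcon` changes are lost on a relabel (restorecon, or a boot with /.autorelabel present), so once the right context is known, record it with `semanage fcontext -a -t <type> '/data(/.*)?'` and apply it with `restorecon -R /data`; and `audit2why < /var/log/audit/audit.log` explains the denials in audit.log in plain language, which is faster than reading the raw AVC records.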

Now on to install redmine …

Install json for PHP 5

  1. Install json – This was actually trickier than expected. I assumed I would be able to install this via pear. Apparently, a PEAR Services_JSON package was developed, but it has never been accepted into the official repository. The trick instead is to use the PECL json package. This was as easy as running pecl install json and watching the compiler do its thing. When it’s done you should have a json.so file in your PHP modules directory. (Mine is /usr/lib/php/modules/.)
  2. Add json.ini file to /etc/php.d/ – This file is pretty simple. Simply add extension=json.so to this file and that will enable the extension.
  3. Restart Apache – Not much more to add here. Without the restart, the extension won’t be loaded.
  4. Profit!


Remove i386 packages RHEL5

I recently was updating a server that someone else installed and had way too many unnecessary packages installed. In my quest to uninstall unneeded packages, I ran across packages listed twice for certain ones. By editing my .rpmmacros file in my home directory and adding this:

%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}

I was able to determine that there were several packages installed with both i386 and x86_64 architectures. From this post it looks like there is no harm in removing the packages except you may have some issues with browser plugins or applications that require i386 architecture. Since all of my apps were 64-bit I was able to count all the i386 rpms with this command (drop the trailing wc -l to list them instead):

rpm -qa --queryformat='%{n}-%{v}-%{r}.%{arch}\n' | grep '\.i[3456]86$' | wc -l

I found the above command from here which in turn referenced a great post on minimal installs of RHEL/CentOS.
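The grep above lists every i386-family package, including ones that have no 64-bit counterpart (browser plugins are the usual case). The following is an added example, not from the original post: it reads the same name-version-release.arch lines that the %_query_all_fmt macro makes rpm -qa print and keeps only the i386 packages that also exist as x86_64 with the identical version and release, i.e. the exact duplicates that can go first. The package list is constructed sample input with made-up versions.

```shell
#!/bin/sh
# Added example, not from the original post: from a package list in
# name-version-release.arch form (what the %_query_all_fmt macro above makes
# rpm -qa print), report the i386-family packages that are also installed
# as x86_64 with the same version and release. Removal is a separate,
# dry-run-first step.

i386_duplicates() {
    # reads package lines on stdin, prints matching N-V-R.arch, sorted
    awk '
        {
            n = split($0, f, ".")
            arch = f[n]
            nvr = substr($0, 1, length($0) - length(arch) - 1)
            seen[nvr, arch] = 1
            if (arch ~ /^i[3456]86$/) cand[nvr] = arch
        }
        END {
            for (nvr in cand)
                if ((nvr, "x86_64") in seen) print nvr "." cand[nvr]
        }' | sort
}

remove_packages() {
    # $@ = exact N-V-R.arch names; --test reports dependency problems
    # without removing anything, so nothing is erased unless it is clean
    rpm -e --test "$@" && rpm -e "$@"
}

# Constructed sample of rpm -qa output (versions are made up)
SAMPLE_PKGS='glibc-2.5-1.el5.x86_64
glibc-2.5-1.el5.i686
openssl-0.9.8-1.el5.x86_64
openssl-0.9.8-1.el5.i386
libgcc-4.1-1.el5.i386
kernel-2.6.18-1.el5.x86_64
bash-3.2-1.el5.x86_64'

printf '%s\n' "$SAMPLE_PKGS" | i386_duplicates
# On a real host:  rpm -qa | i386_duplicates | xargs rpm -e --test
```

libgcc in the sample is i386-only, so it is not reported; whether a package like that can go depends on what still links against it, which is exactly the plugin case the post warns about.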

Install of new kernel not updating grub.conf

I recently ran into a situation where I had converted a Xen virtual machine to a VMware virtual machine.  I did so by creating the new virtual machine in VMware and running an rsync from the root of the Xen machine to the new one.

This successfully created the new machine. I then selected the regular kernel to boot into and rebooted the VMware virtual machine. I believe I had to run an SELinux restorecon on / to restore the SELinux labels, but all seemed well after that.

EXCEPT, when I had kernel updates, they would install with a yum install but after a reboot, the system would always boot into the current kernel.

THE CULPRIT: /etc/sysconfig/kernel

In this file kernel-xen was still listed as the default kernel. Since kernel-xen had been uninstalled, the system didn’t know what to update to, so it never correctly updated grub.conf. I changed the default to kernel and voila!
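The mismatch that caused this (DEFAULTKERNEL naming a package that is no longer installed) is a one-line check. The following is an added example, not from the original post: it reads DEFAULTKERNEL from a copy of /etc/sysconfig/kernel and confirms that package is in a list of installed package names. The two config files and the package list are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post: the symptom above (new kernels
# install but never become the grub default) can be caught by comparing
# DEFAULTKERNEL in /etc/sysconfig/kernel with the packages actually
# installed. Both inputs are files so the check runs on copies.

check_default_kernel() {
    # $1 = /etc/sysconfig/kernel (or a copy)
    # $2 = file of installed package names, one per line
    #      (rpm -qa --queryformat '%{name}\n' > file)
    def=$(sed -n 's/^DEFAULTKERNEL=//p' "$1" | tail -n 1)
    if [ -z "$def" ]; then
        echo "DEFAULTKERNEL is not set in $1"
        return 2
    fi
    if grep -qx "$def" "$2"; then
        echo "DEFAULTKERNEL=$def matches an installed package"
        return 0
    fi
    echo "DEFAULTKERNEL=$def but that package is not installed; new kernels will not become the grub default"
    return 1
}

# Constructed samples: the converted VM still pointing at kernel-xen, and the fixed file
KCONF_XEN=$(mktemp); KCONF_OK=$(mktemp); PKGLIST=$(mktemp)
trap 'rm -f "$KCONF_XEN" "$KCONF_OK" "$PKGLIST"' EXIT
printf 'UPDATEDEFAULT=yes\nDEFAULTKERNEL=kernel-xen\n' > "$KCONF_XEN"
printf 'UPDATEDEFAULT=yes\nDEFAULTKERNEL=kernel\n' > "$KCONF_OK"
printf 'kernel\nbash\ngrub\n' > "$PKGLIST"

check_default_kernel "$KCONF_XEN" "$PKGLIST" || true
check_default_kernel "$KCONF_OK" "$PKGLIST"
# Fix on the real file:
#   sed -i 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL=kernel/' /etc/sysconfig/kernel
```

After the fix, the next kernel update should add itself to grub.conf and become the default; confirm with `grep '^default' /boot/grub/grub.conf` before rebooting rather than after.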