Posts Tagged ‘Start’

How to Set Up SSH Two-Factor Authentication (2FA) on Linux Without Google Authenticator with OATH Toolkit

Wednesday, November 5th, 2025


Most online tutorials on how to secure your SSH server with Two-Factor Authentication (2FA) will tell you to use Google Authenticator to protect SSH logins.

But what if you don’t want to depend on Google software, whether for privacy, security or ideological reasons?

Luckily, you have a choice thanks to the free OATH Toolkit.
The free and self-hosted alternative: OATH Toolkit ships its own PAM module, libpam-oath, which makes 2FA work with the OpenSSH server.

OATH Toolkit is free software for One-Time Password (OTP) authentication using the HOTP/TOTP algorithms. It ships a small set of command-line utilities covering most OTP-related tasks.

In this guide, I’ll show you how to implement Two-Factor Authentication (TOTP) for SSH on any Linux system using OATH Toolkit, compatible with privacy-friendly authenticator apps like FreeOTP, Aegis or andOTP.

It is worth checking out the OATH Toolkit author’s original post here, which gives a bit more insight into the tool.

1. Install the Required Packages

For Debian / Ubuntu systems:

# apt update
# apt install libpam-oath oathtool qrencode

For RHEL / CentOS / AlmaLinux:

# dnf install pam_oath oathtool

The oathtool command lets you test or generate one-time passwords (OTPs) directly from the command line.

2. Create a User Secret File

libpam-oath uses a file to store each user’s secret key (shared between your server and your phone app).

By default, it reads from:

/etc/users.oath

Let’s create it and set restrictive permissions so that only root can read it:

# touch /etc/users.oath
# chmod 600 /etc/users.oath

Now, generate a new secret key for your user (replace hipo with your actual username):

# head -10 /dev/urandom | sha1sum | cut -c1-32

This generates a random 32-character hex key.
Example:

9b0e4e9fdf33cce9c76431dc8e7369fe

Add this to /etc/users.oath in the following format:

HOTP/T30 hipo - 9b0e4e9fdf33cce9c76431dc8e7369fe

HOTP/T30 means Time-based OTP with 30-second validity (standard TOTP).

Replace hipo with the Linux username you want to protect.

3. Add the Key to Your Authenticator App

Now we need to add that secret to your preferred authenticator app.

You can create a TOTP URI manually (to generate a QR code):

$ echo "otpauth://totp/hipo@jericho?secret=\
$(echo 9b0e4e9fdf33cce9c76431dc8e7369fe \
| xxd -r -p | base32)"

You can paste this URI into a QR code generator (e.g., https://qr-code-generator.com) and scan it with FreeOTP, Aegis, or any open TOTP app.
FreeOTP is my preferred app; you can install it from the Apple App Store or Google Play Store.

Alternatively, enter the Base32-encoded secret manually into your app:

# echo 9b0e4e9fdf33cce9c76431dc8e7369fe | xxd -r -p | base32

You can also use the nifty qrencode tool to generate a QR code for your TOTP secret in ASCII mode and scan it with the FreeOTP / Aegis app on your phone, ready for use:

# qrencode --type=ANSIUTF8 "otpauth://totp/hipo@jericho?secret=$( oathtool --verbose --totp 9b0e4e9fdf33cce9c76431dc8e7369fe --digits=6 -w 1 | grep Base32 | cut -d ' ' -f 3 )&digits=6&issuer=pc-freak.net&period=30"


qrencode generates the code. We set the type to ANSI-UTF8 terminal graphics so you can produce it inside an SSH session; it can also generate other formats if you want to build this into a web interface. See the qrencode man page for more options.
The rest of the line is what gets encoded into the QR code: a URL of the otpauth type, using time-based one-time passwords (totp). The user is “hipo@jericho”, though PAM will ignore the @jericho if you are not joined to a domain (I have not tested this with domains yet).

The parameters follow the ‘?‘, and are separated by ‘&‘.

otpauth expects the Base32 encoding of the secret you created earlier. oathtool prints that encoding, and the command substitution extracts it:

$( oathtool --verbose --totp 9b0e4e9fdf33cce9c76431dc8e7369fe | grep Base32 | cut -d ' ' -f 3 )

We pass the secret from earlier and search for “Base32”. This line of the output contains the Base32 secret we need:

Hex secret: 9b0e4e9fdf33cce9c76431dc8e7369fe
Base32 secret: E24ABZ2CTW3CH3YIN5HZ2RXP
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2022-03-03 00:09:08 UTC (1646266148)
Counter: 0x3455592 (54875538)

368784

From there we cut out the third field, “E24ABZ2CTW3CH3YIN5HZ2RXP”, and place it in the line.

Next, we set the number of digits for the codes to be 6 digits (valid values are 6, 7, and 8). 6 is sufficient for most people, and easier to remember.

The issuer is optional, but useful to differentiate where the code came from.

We set the time period (in seconds) for how long a code is valid to 30 seconds.

Note that Google Authenticator ignores this parameter and always uses 30 seconds.

4. Configure PAM to Use libpam-oath

Edit the PAM configuration for SSH:

# vim /etc/pam.d/sshd

At the top of the file, add:

auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

This tells PAM to check OTP codes against /etc/users.oath.

5. Configure SSH Daemon to Ask for OTP

Edit the SSH daemon configuration file:

# vim /etc/ssh/sshd_config

Ensure these lines are set:

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive
##KbdInteractiveAuthentication no
KbdInteractiveAuthentication yes

N.B.! The KbdInteractiveAuthentication yes directive is necessary on OpenSSH servers newer than version 8.2.

In short, this setup means:
1. The user must first authenticate with their SSH key (or local / LDAP password),
2. Then enter a valid one-time code generated by the TOTP app on their phone.

You can also use Match directives to enforce 2FA under certain conditions but not others.
For example, if you don’t want to be bothered with it while logging in from your LAN,
but do want it from any other network, you could add something like the following (Match blocks go at the end of sshd_config, because every directive after a Match line belongs to that block):

Match Address 127.0.0.1,10.10.10.0/8,192.168.5.0/24
AuthenticationMethods publickey

6. Restart SSH and Test It

Apply your configuration:

# systemctl restart ssh

Now, open a new terminal window and try logging in (don’t close your existing one yet, in case you get locked out):

$ ssh hipo@your-server-ip

You should see something like:

Verification code:

Enter the 6-digit code displayed in your FreeOTP (or similar) app.
If it’s correct, you’re logged in! Hooray ! 🙂

7. Test Locally and Secure the Secrets

If you want to test OTPs manually, pass the hex secret directly (oathtool reads the key as hex unless -b is given; the -b flag expects Base32 input):

# oathtool --totp \
9b0e4e9fdf33cce9c76431dc8e7369fe

As the above might be a bit confusing for starters, I recommend using the few lines below instead:

$ secret_hex="9b0e4e9fdf33cce9c76431dc8e7369fe"
$ secret_base32=$(echo $secret_hex | xxd -r -p | base32)
$ oathtool --totp -b "$secret_base32"
156874

You’ll get the same 6-digit code your authenticator shows – useful for debugging.

If you rerun oathtool in a later time step you will get a different TOTP code, e.g.:

$ oathtool --totp -b "$secret_base32"
258158
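The pieces used in this guide (the hex secret stored in /etc/users.oath, its Base32 form for the phone app, the code oathtool computes, and the server-side window check) can be reproduced offline with the following added example. It is not code from the post or from OATH Toolkit: it reimplements RFC 4226/6238 HOTP/TOTP in Python, and the users.oath parsing, the window semantics and the otpauth label are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Secret from the guide, reused here as a constructed illustration value.
GUIDE_SECRET_HEX = "9b0e4e9fdf33cce9c76431dc8e7369fe"


def hex_to_base32(hex_secret: str) -> str:
    """What `echo HEX | xxd -r -p | base32` prints: the raw key bytes,
    Base32-encoded (padding included, as coreutils base32 prints it)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii")


def parse_users_oath_line(line: str):
    """Parse one /etc/users.oath entry: "<type> <user> <pin-or-dash> <hex-secret>".
    Returns (user, step_seconds, hex_secret); step is None for event-based HOTP.
    (Assumed layout, matching the "HOTP/T30 hipo - <hex>" line in the guide.)"""
    otp_type, user, _pin, secret = line.split()
    if otp_type == "HOTP":
        return user, None, secret
    if otp_type.startswith("HOTP/T"):          # "HOTP/T30" -> TOTP, 30-second step
        return user, int(otp_type[6:] or 30), secret
    raise ValueError(f"unsupported OTP type: {otp_type}")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm oathtool uses by default."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(hex_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second periods
    since the Unix epoch (the "Counter" line that oathtool --verbose prints)."""
    return hotp(bytes.fromhex(hex_secret), unix_time // step, digits)


def verify(hex_secret: str, code: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code of the current step or of up to
    `window` steps before/after it, to tolerate clock skew between server and
    phone. Every extra step widens the set of codes accepted, so keep the
    window small. (These are this example's semantics; consult the pam_oath
    documentation for how its own window= parameter is interpreted.)"""
    counter = unix_time // step
    key = bytes.fromhex(hex_secret)
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


def otpauth_uri(hex_secret: str, label: str, issuer: str,
                digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that the guide feeds to qrencode. The Base32
    padding is stripped because authenticator apps expect an unpadded secret."""
    params = {"secret": hex_to_base32(hex_secret).rstrip("="),
              "digits": digits, "issuer": issuer, "period": period}
    return f"otpauth://totp/{quote(label, safe='@')}?{urlencode(params)}"


if __name__ == "__main__":
    user, step, secret = parse_users_oath_line(f"HOTP/T30 hipo - {GUIDE_SECRET_HEX}")
    print("Base32 secret for the app:", hex_to_base32(secret))
    print("QR payload:", otpauth_uri(secret, f"{user}@jericho", "pc-freak.net"))
    now = int(time.time())
    code = totp(secret, now, step)
    print("Current code (should match the phone):", code)
    print("Accepted with window=1:", verify(secret, code, now, window=1))
```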


Use this code as the 2FA TOTP code together with the local user password (password + TOTP pair): enter your user password first, then the TOTP code when prompted.

To prevent anyone with a local account on the system from reading the secrets and bypassing the additional 2FA protection,
make sure the secrets file is well protected, i.e.:

# chown root:root /etc/users.oath
# chmod 600 /etc/users.oath

How to Enable 2FA Only for Certain Users

If you want to force OTP only for admins, create a group ssh2fa:

# groupadd ssh2fa
# usermod -aG ssh2fa hipo

Then modify /etc/pam.d/sshd:

auth [success=1 default=ignore] pam_succeed_if.so \
user notingroup ssh2fa
auth required pam_oath.so usersfile=/etc/users.oath \
window=30 digits=6

Only users in ssh2fa will be asked for a one-time code.

Troubleshooting

Problem: SSH rejects OTP
Check /var/log/auth.log or /var/log/secure for more details.
Make sure your phone’s time is in sync (TOTP depends on accurate time).

Problem: Locked out after restart
Always keep one root session open until you confirm login works.

Problem: Everything seems configured fine, but the TOTP is still not accepted by the remote OpenSSH server.
– Check that the time on the phone / device where the TOTP code is generated is properly synchronised to an Internet time server.
– Check that the server’s system clock is properly synchronised to an Internet time server (via ntpd / chronyd etc.); a sample check:

hipo@jeremiah:~$ timedatectl status
               Local time: Wed 2025-11-05 00:39:17 EET
           Universal time: Tue 2025-11-04 22:39:17 UTC
                 RTC time: Tue 2025-11-04 22:39:17
                Time zone: Europe/Sofia (EET, +0200)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no

Why Choose libpam-oath?

  • 100% Free Software (GPL)
  • Works completely offline / self-hosted
  • Compatible with any standard TOTP app (FreeOTP, Aegis, andOTP, etc.)
  • Doesn’t depend on Google APIs or cloud services
  • Lightweight (just one PAM module and a text file)

Conclusion

Two-Factor Authentication doesn’t have to rely on Google’s ecosystem.
With OATH Toolkit and libpam-oath, you get a simple, private, and completely open-source way to harden your SSH server against brute-force and stolen-key attacks.

Once configured, even if an attacker somehow steals your SSH key or password, they can’t log in without your phone’s one-time code – making your system dramatically safer.

How to Run Your Own Windows Domain Authentication on Linux

Thursday, October 2nd, 2025

Run Your Own Domain Authentication on Linux

Running your own domain authentication system on Linux can significantly enhance security and manageability in your IT environment. Whether you're setting up centralized login for a small network or a more complex domain environment, Linux provides powerful tools to become your own domain controller using open-source software.

In this guide, we’ll walk you through setting up Samba as an Active Directory (AD) Domain Controller on a Linux server.
This tutorial was written for Debian 12 (Bookworm), though it should work with minor modifications on most recent Debian and Debian-based distros.

What is Domain Authentication?

Domain authentication allows users to log in to any authorized machine within a network using the same set of credentials. It provides centralized management of:

  • Users and groups
  • Computer accounts
  • Group policies
  • File and printer sharing
  • Access control

Microsoft's Active Directory is the most well-known implementation, but you can achieve similar functionality using Samba on Linux.

Pre-requirements

  • A fresh Linux installation (Ubuntu Server 22.04 LTS or Debian 12 recommended)
  • Static IP address
  • Root or sudo access
  • Domain name (e.g., mydomain.local)

1. Update System and Set proper Hostname

# apt update && apt upgrade -y

# hostnamectl set-hostname dc1.mydomain.local


Add the hostname to /etc/hosts:

# vim /etc/hosts

Add the LAN IP address that the Samba domain controller has on this machine:

192.168.1.100  dc1.mydomain.local dc1

2. Install Samba and Required Packages

# apt install samba krb5-config krb5-user winbind smbclient dnsutils -y

During the installation, you may be prompted for Kerberos configuration:

  • Default realm: MYDOMAIN.LOCAL
  • KDC: dc1.mydomain.local
  • Admin server: dc1.mydomain.local


3. Provision Samba as a Domain Controller

First, stop any running Samba services:

# systemctl stop smbd nmbd winbind

# systemctl disable smbd nmbd winbind

Move default config:

# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Now provision the domain:

# samba-tool domain provision --use-rfc2307 --interactive

Answer prompts:

  • Realm: MYDOMAIN.LOCAL
  • Domain: MYDOMAIN
  • Server role: dc
  • DNS backend: SAMBA_INTERNAL
  • Admin password: (choose a strong one)

Once done, configure Kerberos using the samba krb5.conf template file:

# mv /etc/krb5.conf /etc/krb5.conf.bak

# cp /var/lib/samba/private/krb5.conf /etc/

4. Start and Enable Samba AD Services

# systemctl unmask samba-ad-dc

# systemctl enable samba-ad-dc --now

Verify it’s working by running:

# samba-tool domain level show

Check Kerberos authentication is OK:

# kinit administrator

# klist

You should see a valid Kerberos ticket.

5. Configure DNS (Optional but Recommended)

If using SAMBA_INTERNAL DNS backend:

Check DNS resolution is OK:

# host -t A dc1.mydomain.local

# host -t SRV _kerberos._udp.mydomain.local

If you want clients to resolve domain names, configure them to use the Samba DC's IP as their DNS server.

6. Add Users and Join Client Machines

Add a new user:

# samba-tool user add your.samba.user

Join a Windows client:

  1. Go to System Properties → Computer Name → Change settings
  2. Click Domain, enter MYDOMAIN
  3. Authenticate with Administrator and the password you set
  4. Reboot

7. Managing the Domain

You can manage users, groups, and policies via the command line, a GUI, or LDAP tools:

  • samba-tool (CLI)
  • RSAT tools on Windows (for GUI management)
  • via LDAP tools (if you have to stick to RFC2307)

Example commands:

# samba-tool user list

# samba-tool group list

# samba-tool user setpassword your.samba.user

8. Managing a Samba AD Domain Easily with a UI

You can manage a Samba domain (especially when it's running as an Active Directory Domain Controller) via a web interface — but not directly through Samba itself, since it doesn't come with a built-in web UI.

Instead, you can integrate Samba with third-party web-based tools that provide management interfaces for:

  • Users and groups
  • Computer accounts
  • LDAP directory entries
  • Domain policies (to a limited extent)

Popular Web Interfaces to Manage a Samba Domain

Here are the most reliable options:

8.1. Cockpit + 389 Directory Server or FreeIPA (for LDAP-based domains)

  • Cockpit is a modern web admin interface for Linux servers.
  • When paired with FreeIPA, you can manage users, groups, policies, and more.
  • However, this is more suited for FreeIPA-based domains, not Samba AD.

✅ Great for: Linux-native domains
❌ Not compatible with Windows-style Samba AD

 

8.2. LDAP Account Manager (LAM) – RECOMMENDED FOR SAMBA + AD

Website: https://www.ldap-account-manager.org/

LDAP Account Manager (LAM) is one of the best tools to manage a Samba domain via LDAP, especially when:

  • You use Samba in AD DC mode with RFC2307 extensions (for Unix attributes)
  • Or, you're using Samba as a member server with an external LDAP backend

Features:

  • Web-based GUI to manage:
    • Users and groups
    • Samba-specific attributes (like SID, RID, home directories)
    • POSIX and Windows-compatible accounts
  • Can bind directly to the Samba LDAP directory

Authentication: Admin binds via LDAP (either over plain or TLS)

✅ Works with Samba AD (with some config)
✅ Handles Samba3/4 user schemas
✅ Active development and documentation

8.3. Samba Web Administration Tool (SWAT) ❌ Deprecated

SWAT was the original web interface for Samba but:

  • It was deprecated and removed from Samba after version 4.1
  • It's no longer secure or maintained
  • Not suitable for Samba AD DC environments

Recommendation: Do not use SWAT

8.4. Webmin (Partial Support)

  • Webmin is a general Linux web admin tool
  • It has a Samba module, but:
    • Designed for traditional Samba file sharing (not AD/DC mode)
    • Cannot manage Samba AD users/groups
    • Doesn’t interact with samba-tool or the AD schema

✅ Works for standalone Samba file servers
❌ Not suitable for Samba AD DCs

Can You Really Use RSAT Instead?

If you want full Active Directory-style control (Group Policy, OU structure, DNS, etc.), the best GUI tool is actually RSAT (Remote Server Administration Tools) on Windows,
but for that you will of course need your own Windows Server installation set up especially for it.

  • Connects to your Samba AD DC
  • Fully supports:
    • Users and groups
    • Group Policy Objects (GPO)
    • DNS management (if using internal Samba DNS)

Install RSAT on a Windows machine and run dsa.msc (Active Directory Users and Computers).

✅ Officially supported
✅ Full compatibility with Samba AD
Requires a Windows machine

Summary: Web UI for Samba Domain Management

Tool                       | Works with Samba AD DC? | Features                      | Notes
---------------------------|-------------------------|-------------------------------|------------------------------
LDAP Account Manager (LAM) | ✅ Yes                  | User/group management         | Best web option
Cockpit + FreeIPA          | ❌ No (not Samba AD)    | Excellent for FreeIPA domains | Not compatible with Samba AD
Webmin                     | ❌ Not fully            | File shares only              | No AD/DC management
RSAT (Windows)             | ✅ Yes                  | Full AD management            | Not web-based

Recommendation

If you're running a Samba AD DC and want a web-based interface:

  • Use LAM (LDAP Account Manager) for basic account management
  • Use RSAT tools on Windows for full domain administration
  • Avoid SWAT and Webmin for this purpose

Security Considerations

  • Ensure the firewall allows the relevant ports (e.g., 53, 88, 389, 445, etc.), whether with iptables / firewalld or whatever firewall solution is present on the server and in the network hosting it
  • Keep the system updated
  • Use secure passwords and rotate them regularly
  • Consider setting up replication if high availability is needed

Conclusion

Running your own domain authentication system on Linux using Samba is a powerful way to control user access in a centralized manner. It’s ideal for small to mid-sized networks, homelabs, or even enterprise environments looking for a cost-effective alternative to Windows Server.

With Samba acting as your domain controller, you can enjoy the benefits of centralized authentication, integrated DNS, and a high degree of compatibility with Windows clients — all while staying in the open-source ecosystem.

Notes and things to consider:

The /var/lib/samba/private/krb5.conf file is generated only after you provision Samba as an Active Directory (AD) Domain Controller using:

# samba-tool domain provision

After provisioning, Samba creates a custom Kerberos config at:

/var/lib/samba/private/krb5.conf

This is true for both Debian and Ubuntu because it's handled by the Samba package itself, not the distro.

Why use that krb5.conf instead of Debian's default?

Well because:

The default /etc/krb5.conf on Debian isn't tailored for Samba AD.
The one Samba generates includes correct realm, KDC, and admin server settings.
It avoids subtle issues like failed kinit or broken Kerberos trust.

So you copy it over Debian’s default, as shown in step 3 above.

Gotchas on Debian to be aware of

Do not install samba via tasksel (like tasksel's “Samba file server” role), as it sets up a traditional SMB server, not AD.

Only use samba-tool domain provision if you're setting up AD DC.

Debian sometimes separates systemd services (e.g., samba-ad-dc might not be enabled by default). So make sure to enable samba-ad-dc instead of smbd/nmbd.

How to Install and Use FreeIPA for Centralized SSO Authentication on a Linux Computer Domain

Wednesday, October 1st, 2025


FreeIPA is a popular open-source identity management solution that centralizes user, host, and service authentication for Linux environments. It combines LDAP, Kerberos, DNS, and certificate management into a single platform, making it easier to manage large Linux deployments securely.

In this article, we’ll cover how to install FreeIPA on a Linux server, perform initial configuration, and start using it for basic user management.

Prerequisites

  • A clean Linux server (CentOS, RHEL, Fedora, or similar)
  • Root or sudo access
  • A fully qualified domain name (FQDN) for your server (e.g., ipa.example.com)
  • Proper DNS setup (recommended but can be configured during installation)

1. Update system to the latest

Start by updating your system to ensure all packages are current.

# dnf update -y


2. Install FreeIPA Server Packages

Install the FreeIPA server and its dependencies:

# dnf install -y ipa-server ipa-server-dns

  • ipa-server-dns is optional but recommended if you want FreeIPA to manage DNS for your domain.

3. Configure FreeIPA server

Run the FreeIPA installation script to configure the server. Replace ipa.example.com with your actual server hostname.

# ipa-server-install

You will be prompted for:

  • Realm name: Usually uppercase of your domain, e.g., EXAMPLE.COM
  • Directory Manager password: LDAP admin password
  • IPA admin password: FreeIPA admin user password
  • DNS configuration: Enable if you want FreeIPA to manage DNS

Sample configuration flow:

Realm name: EXAMPLE.COM

DNS domain name: example.com

Server host name: ipa.example.com

Directory Manager password: [choose a strong password]

IPA admin password: [choose a strong password]

Do you want to configure integrated DNS (BIND)? [yes/no]: yes

The installer will set up Kerberos, LDAP, the CA, DNS (if chosen), and the Web UI.

4. Start and Enable FreeIPA Services

The installer usually starts services automatically, but you can verify with:

# systemctl status ipa

Enable the service to start on boot:

# systemctl enable ipa


5. Access FreeIPA Web Interface

Open your browser and navigate to:

https://ipa.example.com/ipa/ui/

Log in using the admin username and the password you set during installation.

6. Add Users and Groups

You can manage users and groups either via the Web UI or the CLI.

Using the CLI:

Add a new user:

# ipa user-add johndoe --first=John --last=Doe --email=johndoe@example.com

Set a password for the new user:

# ipa passwd johndoe


Add a new group:

# ipa group-add developers --desc="Development Team"


Add user to the group:

# ipa group-add-member developers --users=johndoe


7. Join Client Machines to the FreeIPA Domain

On a client machine, install the client packages:

# dnf install -y ipa-client

Run the client setup:

# ipa-client-install --mkhomedir

Follow the prompts to join the client to the FreeIPA domain.

8. Test Authentication

Try logging into the client machine with the FreeIPA user you created:

# ssh username@client-machine-host.com

You should be able to authenticate using the FreeIPA credentials.

Conclusion


You now have a basic FreeIPA server up and running, managing users and authentication across your Linux network. FreeIPA simplifies identity management by providing a centralized, secure, and integrated solution. From here, you can explore advanced features like role-based access control, host-based access control, and certificate management.

Here's a practical example of how FreeIPA can be used in a real-world Linux environment.

Scenario: Centralized Authentication in a DevOps Environment

Tech Problem

Let’s say you are managing a growing team of DevOps engineers and developers across multiple Linux servers (e.g., for CI/CD, staging, and production). Manually creating and maintaining user accounts, SSH keys, and sudo permissions on each server is:

  • Time-consuming
  • Error-prone
  • A security risk (inconsistent policies, orphaned accounts)

Solution: Use FreeIPA to Centralize Identity & Access Management

By deploying FreeIPA, you can:

  • Create user accounts once and manage them centrally
  • Enforce SSO across servers using Kerberos
  • Automatically apply sudo rules, group permissions, and access control policies
  • Easily revoke access for offboarded employees
  • Use host-based access control (HBAC) to control who can log in to what

Solution Walkthrough

1. Set up FreeIPA server

  • Installed on: ipa.internal.example.com
  • Domain: internal.example.com
  • Realm: INTERNAL.EXAMPLE.COM


2. Add User Accounts

Let’s add two users: alice (developer) and bob (DevOps).

# ipa user-add alice --first=Alice --last=Smith --email=alice@internal.example.com

# ipa user-add bob --first=Bob --last=Jones --email=bob@internal.example.com

# ipa passwd alice

# ipa passwd bob


3. Create the Necessary Groups and Roles

Create functional groups for managing permissions.

# ipa group-add developers --desc="Developers Team"

# ipa group-add devops --desc="DevOps Team"

# ipa group-add-member developers --users=alice

# ipa group-add-member devops --users=bob

4. Configure Sudo Rules

Let’s allow DevOps team members to use sudo on all servers:

# ipa sudorule-add devops-sudo --cmdcat=all

# ipa sudorule-add-user devops-sudo --groups=devops

# ipa sudorule-add-host devops-sudo --hostgroups=all

5. Control Access with HBAC Rules

Let’s say:

  • Developers can access dev and staging servers
  • DevOps can access all servers

Create host groups:

# ipa hostgroup-add dev-servers --desc="Development Servers"

# ipa hostgroup-add staging-servers --desc="Staging Servers"

Add hosts to the groups:

# ipa hostgroup-add-member dev-servers --hosts=dev1.internal.example.com

# ipa hostgroup-add-member staging-servers --hosts=staging1.internal.example.com

HBAC rule for developers:

# ipa hbacrule-add allow-developers

# ipa hbacrule-add-user allow-developers --groups=developers

# ipa hbacrule-add-host allow-developers --hostgroups=dev-servers

# ipa hbacrule-add-host allow-developers --hostgroups=staging-servers

# ipa hbacrule-add-service allow-developers --hbacsvcs=sshd

HBAC rule for DevOps (all access):

# ipa hbacrule-add allow-devops

# ipa hbacrule-add-user allow-devops --groups=devops

# ipa hbacrule-add-host allow-devops --hostgroups=all

# ipa hbacrule-add-service allow-devops --hbacsvcs=sshd


6. Join Client Servers to FreeIPA

On each Linux server (e.g., dev1, staging1, prod1), run:

# ipa-client-install --mkhomedir --server=ipa.internal.example.com --domain=internal.example.com

Now, user alice can log in to dev1 and staging1, but not prod1. bob can log in to all servers and use sudo.

7. What Happens When Alice Leaves the Company?

Just disable the user in FreeIPA:

# ipa user-disable alice

This immediately revokes her access across all servers — no need to touch individual machines.
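To make the allow/deny outcome of the HBAC rules in this walkthrough concrete, here is an added example (not FreeIPA code and not from the original post) that models the rule evaluation for this scenario's users, groups, hosts and rules, including what happens after the user is disabled. The data structures and the all_hosts flag are this example's own simplifications of FreeIPA's rule objects.

```python
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """Simplified model of a FreeIPA HBAC rule (this example's own structure)."""
    name: str
    user_groups: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    all_hosts: bool = False      # stands in for the "all hosts" rule in the guide


@dataclass
class Directory:
    """Users and their groups, hosts and their host groups, and the HBAC rules."""
    user_groups: dict            # user -> set of group names
    host_groups: dict            # host -> set of hostgroup names
    rules: list
    disabled_users: set = field(default_factory=set)

    def matching_rule(self, user, host, service="sshd"):
        """Return the name of the first rule that allows the access, or None.
        HBAC is allow-only: with no matching rule the login is denied."""
        if user in self.disabled_users:            # effect of `ipa user-disable`
            return None
        for rule in self.rules:
            if service not in rule.services:
                continue
            if not rule.user_groups & self.user_groups.get(user, set()):
                continue
            if not (rule.all_hosts or rule.host_groups & self.host_groups.get(host, set())):
                continue
            return rule.name
        return None

    def disable_user(self, user):
        self.disabled_users.add(user)


def build_scenario():
    """The directory state the ipa commands of this walkthrough produce."""
    return Directory(
        user_groups={"alice": {"developers"}, "bob": {"devops"}},
        host_groups={"dev1.internal.example.com": {"dev-servers"},
                     "staging1.internal.example.com": {"staging-servers"},
                     "prod1.internal.example.com": set()},
        rules=[
            HbacRule("allow-developers", {"developers"},
                     {"dev-servers", "staging-servers"}, {"sshd"}),
            HbacRule("allow-devops", {"devops"}, set(), {"sshd"}, all_hosts=True),
        ])


def access_matrix(directory, users, hosts, service="sshd"):
    """(user, host) -> allowing rule name or None, the question `ipa hbactest` answers."""
    return {(u, h): directory.matching_rule(u, h, service) for u in users for h in hosts}


if __name__ == "__main__":
    d = build_scenario()
    hosts = sorted(d.host_groups)
    for (u, h), rule in access_matrix(d, ["alice", "bob"], hosts).items():
        print(f"{u:6} -> {h:32} {'ALLOW via ' + rule if rule else 'DENY'}")
    d.disable_user("alice")
    print("alice after disable:", d.matching_rule("alice", "dev1.internal.example.com"))
```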

Benefits in This Example

Feature                     | Outcome
----------------------------|-----------------------------------------------------
Centralized user management | No need to manually create accounts on every server
Group-based sudo            | DevOps has privileged access, others don’t
Access control              | Developers only access dev/staging, not prod
Kerberos SSO                | Secure, passwordless SSH with ticketing
Auditing                    | Central logs of who accessed what and when
Quick offboarding           | Instant account disablement from a single location

Summary

FreeIPA is not just a replacement for LDAP — it's a full-blown identity and access management solution tailored for Linux systems. In this practical example, it brings enterprise-grade access control, authentication, and user management to a DevOps workflow with minimal friction.

How to Install and Set Up NFS Server Network Shares on Linux to Ease Data Transfer Across Multiple Hosts

Monday, April 7th, 2025

How to Configure NFS Server in Redhat,CentOS,RHEL,Debian,Ubuntu and Oracle Linux

Network File System (NFS) is a protocol that allows one system to share directories and files with others over a network. It's commonly used in Linux environments for file sharing between systems. In this guide, we'll walk you through the steps to install and set up an NFS server on a Linux system.

Prerequisites

Before you start, make sure you have:

  • A Linux system (e.g., Ubuntu, CentOS, Debian, etc.)
  • Root or sudo privileges on the system.
  • A network connection between the server (NFS server) and clients (machines that will access the shared directories).

1. Install NFS Server Package

On Ubuntu / Debian based Linux systems:

a. First, update the package list 

# apt update

b. Install the NFS server package

# apt install nfs-kernel-server

On CentOS / RHEL-based systems:

a. Install the NFS server package

# yum install nfs-utils

Once the package is installed, ensure that the necessary services are enabled.

2. Create Shared Directory for file sharing

Decide which directory you want to share over NFS. If the directory doesn't exist, you can create one. For example:

# mkdir -p /nfs_srv_dir/nfs_share

Make sure the directory has the appropriate permissions so that the nfs clients can access it.

# chown nobody:nogroup /nfs_srv_dir/nfs_share 
# chmod 755 /nfs_srv_dir/nfs_share

3. Configure NFS Exports ( /etc/exports file)

The NFS exports file (/etc/exports) is perhaps the most important file you will have to create and deal with regularly to define the exported shares; it contains the configuration for the directories you want to share with other systems.

a. Open the /etc/exports file for editing:

# vi /etc/exports

Add an entry for the directory you want to share. For example, if you're sharing /nfs_srv_dir/nfs_share and allowing access to all systems on the network (192.168.1.0/24), add the following line:

/nfs_srv_dir/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check)


Here’s what each option means:

  • rw: Read and write access.
  • sync: Ensures that changes are written to disk before responding to the client.
  • no_subtree_check: Disables subtree checking, which avoids problems when a file is renamed while a client has it open.

Here are a few lines from the working /etc/exports on my home NFS server:

/var/www 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/home/jordan 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/mnt/sda1/icons-frescoes/ 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/home/mobfiles 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/mnt/sda1/icons-frescoes/ 192.168.0.200/32(rw,no_root_squash,async,subtree_check)
/home/hipo/public_html 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/home/alex/public_html 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/home/necroleak/public_html 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/bashscripts 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/backups/Family-Videos 192.168.0.200/32(ro,no_root_squash,async,subtree_check)
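An added example (not from the original post) that parses /etc/exports entries like the ones above and flags the options a reviewer would look at first, such as no_root_squash and async in my home config. The sample file is constructed from this guide's lines plus two deliberately weak entries (a "*" client and the insecure option) so the checks have something to report.

```python
import re
from dataclasses import dataclass

# Constructed sample /etc/exports: the two kinds of lines shown in this guide
# plus two deliberately weak entries (the "*" client and "insecure") for the linter.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/nfs_srv_dir/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check)
/var/www 192.168.0.209/32(rw,no_root_squash,async,subtree_check)
/backups/Family-Videos 192.168.0.200/32(ro,no_root_squash,async,subtree_check)
/srv/public *(rw,insecure)
"""


@dataclass
class Export:
    path: str
    client: str          # hostname, IP, CIDR or "*" (every host)
    options: frozenset


def parse_exports(text):
    """Parse /etc/exports: "<path> <client>(<opts>) [<client>(<opts>) ...]" per
    line, '#' starting a comment. A path with no client is exported to every host."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            opts = frozenset(o for o in (m.group(2) or "").split(",") if o)
            exports.append(Export(path, m.group(1) or "*", opts))
    return exports


def lint(export):
    """Findings for one entry as (code, explanation) pairs."""
    o = export.options
    findings = []
    if export.client == "*":
        findings.append(("world", "exported to every host; restrict it to an address or CIDR"))
    if "no_root_squash" in o:
        findings.append(("no_root_squash", "root on the client is root on this export "
                                           "(the default root_squash maps it to nobody)"))
    if "async" in o:
        findings.append(("async", "writes are acknowledged before they reach disk; "
                                  "data is lost if the server crashes"))
    if "insecure" in o:
        findings.append(("insecure", "requests from unprivileged client ports are accepted"))
    if not any(x.startswith("sec=") and x != "sec=sys" for x in o):
        findings.append(("auth_sys", "AUTH_SYS only: the server trusts the UID/GID the client claims"))
    return findings


def lint_exports(text):
    """Map "<path> <client>" -> list of finding codes for a whole exports file."""
    return {f"{e.path} {e.client}": [code for code, _ in lint(e)] for e in parse_exports(text)}


if __name__ == "__main__":
    for export in parse_exports(SAMPLE_EXPORTS):
        print(f"{export.path} -> {export.client} {sorted(export.options)}")
        for code, why in lint(export):
            print(f"    [{code}] {why}")
```

The same parser can be pointed at a real /etc/exports by reading the file into the text argument.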

 

4. Export the NFS Shares with exportfs command

Once the export file is configured, you need to inform the NFS server to start sharing the directory:

# exportfs -a


The -a flag exports every entry listed in /etc/exports.

5. Start and Enable NFS Services

You need to start and enable the NFS server so it will run on system boot.

On Ubuntu / Debian Linux run the following commands:

# systemctl start nfs-kernel-server 
# systemctl enable nfs-kernel-server


On CentOS / RHEL Linux:

# systemctl start nfs-server
# systemctl enable nfs-server


6. Allow NFS Traffic Through the Firewall

If your server has a firewall configured / enabled, you will need to allow the NFS-related ports through it.
These are port 2049 (NFS, TCP), port 111 (rpcbind, TCP and UDP), and some additional ports.

On Ubuntu/Debian (assuming you are using ufw, the Uncomplicated Firewall):

# ufw allow from 192.168.1.0/24 to any port nfs
# ufw reload

On CentOS / RHEL Linux:

# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --permanent --add-service=mountd
# firewall-cmd --permanent --add-service=rpc-bind
# firewall-cmd --reload

7. Verify NFS Server is Running

To ensure the NFS server is running properly, use the following command:

# systemctl status nfs-kernel-server

or

# systemctl status nfs-server

You should see output indicating that the service is active and running.

9. Test the NFS Share (Client-Side)

To test the NFS share, you will need to mount it on a client machine. Here's how to mount it:

On the client machine, install the NFS client utilities:

Ubuntu / Debian Linux

# apt install nfs-common

For CentOS / RHEL Linux

# yum install nfs-utils


Create a mount point (no matter the distro):
 

# mkdir -p /mnt/nfs_share


Mount the NFS share:

# mount -t nfs <nfs_server_ip>:/nfs_srv_dir/nfs_share /mnt/nfs_share

Replace <nfs_server_ip> with the IP address of the NFS server or DNS host alias if you have one defined in /etc/hosts file.

Verify that the share is mounted:

# df -h

You should see the NFS share listed under the mounted file systems.

10. Configure Auto-Mount at Boot (Optional)

To have the NFS share automatically mounted at boot, you can add an entry to the /etc/fstab file on the client machine.

Open /etc/fstab for editing:

# vi /etc/fstab

Add the following line: 

<server-ip>:/nfs_srv_dir/nfs_share /mnt/nfs_share nfs defaults 0 0

Save and close the file.

The NFS share will now be automatically mounted whenever the system reboots.

Debug NFS configuration issues (basics)

 

You can continue to modify the /etc/exports file to share more directories or set specific access restrictions depending on your needs.

If you encounter any issues, checking the server logs or the output of the exportfs -v command, which lists every active export together with the full set of effective options, can help a lot in troubleshooting the NFS configuration:

# exportfs -v
/var/www          192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/home/var_data      192.168.0.205/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/mnt/sda1/
        192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/mnt/sda2/info
        192.168.0.200/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/home/mobfiles    192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/home/var_data/public_html
        192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/var/public
        192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/neon/data
        192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/scripts      192.168.0.209/32(async,wdelay,hide,sec=sys,rw,secure,no_root_squash,no_all_squash)
/backups/data-limited
        192.168.0.200/32(async,wdelay,hide,sec=sys,ro,secure,no_root_squash,no_all_squash)
/disk/filetransfer
        192.168.0.200/23(async,wdelay,hide,sec=sys,ro,secure,no_root_squash,no_all_squash)
/public_shared/data
        192.168.0.200/23(async,wdelay,hide,sec=sys,ro,secure,no_root_squash,no_all_squash)


Of course there is much more to be said on that: you can, for example, check /var/log/messages, /var/log/syslog and other logs that can give you hints about issues, as well as manually try to mount / unmount a stuck NFS share to learn more about what is going on, but for a start that should be enough.
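As an added example, not part of the original post, here is a small POSIX shell audit of an /etc/exports-style file that flags the patterns worth a second look in a listing like the one above: no_root_squash, whole-subnet or wildcard clients, the insecure option, and options detached from the host by a space. The script name exports-audit.sh and the WARN/INFO labels are my own choices.

```shell
#!/bin/sh
# exports-audit.sh: added example, not part of the original post.
# Reads an /etc/exports-style file and prints one finding per risky entry,
# using only option names that appear in the post's own exports listing.
# Usage: audit_exports FILE   (prints WARN/INFO lines, returns 1 on any WARN)

audit_exports() {
    warns=0
    set -f   # client specs may contain "*", keep the shell from globbing them
    while read -r path clients; do
        # exports(5): "#" starts a comment, blank lines are ignored.
        case "$path" in ""|"#"*) continue ;; esac
        clients="${clients%%#*}"
        if [ -z "$clients" ]; then
            echo "WARN $path: no client given, exported to every host (same as '*')"
            warns=$((warns + 1))
            continue
        fi
        for spec in $clients; do
            client="${spec%%(*}"          # text before "(" (may be empty)
            opts="${spec#"$client"}"      # "(opt,opt)" or "" when no options
            opts="${opts#(}"; opts="${opts%)}"
            case "$client" in
                ""|"*")
                    # "/dir host (rw)": the space detaches the options from
                    # the host, so they apply to the whole world instead.
                    echo "WARN $path: options '$opts' apply to every host"
                    warns=$((warns + 1)) ;;
                */32) ;;                  # single host, as in most entries of the post
                */*) echo "INFO $path -> $client: a whole subnet may mount this export" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN $path -> $client: no_root_squash, client root is root on the server"
                    warns=$((warns + 1)) ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "INFO $path -> $client: insecure accepts non-privileged source ports" ;;
            esac
        done
    done < "$1"
    set +f
    [ "$warns" -eq 0 ]
}

# Run directly as ./exports-audit.sh [FILE]; does nothing when sourced.
if [ "${0##*/}" = "exports-audit.sh" ]; then
    audit_exports "${1:-/etc/exports}"
fi
```

The checks are heuristics taken from this post's option set, not a complete review of an NFS deployment.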

Summing it up, what did we learn?

We learned how to set up a basic NFS server and mount its shared directory on a client machine.
This is a great solution for centralized file sharing and collaboration on Linux systems. Even though many companies now try to avoid it because of its lack of connection encryption, for historical reasons NFS has been widely used over the years and has helped dramatically for the Internet as we know it to become the World Wide Web of today. Thus, on a well secured network, and perhaps not for a critical files infrastructure, NFS is still a key player in file sharing among heterogeneous networks for the many Gigabytes, Terabytes or Petabytes of data you would like to share among your Personal Computers / Servers / Phones / Tablets and generally all kinds of digital computer equipment.

How to install and configure AIDE ( Advanced Intrusion Detection Environment ) on Debian GNU / Linux 11 to monitor files for changes

Thursday, March 9th, 2023

aide-logo-linux


Having an intrusion detection system is essential to keeping server security at a good level and to being compliant with the PCI (Payment Card Industry) DSS standards. It is a great thing for the sake of protecting oneself from hackers' assaults.

There have been plenty of Intrusion Detection Systems available for many years; in the past one of the main ones for Linux, as older system administrators should remember, was Tripwire, an integrity tool for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire is still used today, but many now prefer AIDE, a free software replacement for Tripwire under the GPL (General Public License), which is becoming something of a "standard" for many Unix-like systems as an inexpensive baseline control and rootkit detection system.

In this article I'll explain shortly how to install, configure and use AIDE to monitor changes to files on the system.

But before proceeding it is worth mentioning some of the alternatives companies and businesses choose as an IDS (Intrusion Detection System); this gives sysadmins who have to deal with security a brief idea of the main Intrusion Detection Systems adopted on UNIX OSes today:
 

  • Samhain

    An integrity checker and host intrusion detection system that can be used on single hosts as well as large, UNIX-based networks. It supports central monitoring as well as powerful (and new) stealth features to run undetected in memory, using steganography. Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

  • OSSEC 
    OSSEC uses a centralized, cross-platform architecture allowing multiple systems to be monitored and managed.
     
  • Snort
    IDS which has the capabilities to prevent attacks. By taking a particular action based on traffic patterns, it can become an intrusion prevention system (IPS). – written in Pure C.
     
  • Zeek (Bro)
    Zeek helps to perform security monitoring by looking into the network's activity. It can find suspicious data streams. Based on the data, it alerts, reacts, and integrates with other tools – written in C++.
  • Maltrail
    Maltrail monitors traffic on the network that might indicate system compromise or other bad behavior. It is great for intrusion detection and monitoring – written in Python.

1. Install aide deb package

# apt -y install aide

root@haproxy2:~# aide -v
Aide 0.17.3

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_CAPABILITIES
WITH_E2FSATTRS
WITH_ZLIB
WITH_MHASH
WITH_AUDIT

Default config values:
config file: <none>
database_in: <none>
database_out: <none>

Available hashsum groups:
md5: yes
sha1: yes
sha256: yes
sha512: yes
rmd160: yes
tiger: yes
crc32: yes
crc32b: yes
haval: yes
whirlpool: yes
gost: yes
stribog256: no
stribog512: no

Default compound groups:
R: l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps
L: l+p+u+g+i+n+acl+selinux+xattrs+ftype+e2fsattrs+caps
>: l+p+u+g+i+n+acl+S+selinux+xattrs+ftype+e2fsattrs+caps
H: md5+sha1+rmd160+tiger+crc32+haval+gost+crc32b+sha256+sha512+whirlpool
X: acl+selinux+xattrs+e2fsattrs+caps

2. Prepare the AIDE configuration and generate (initialize) the database

You can either use the default AIDE configuration, which already has preset rules for various files and directories to be monitored,
or add additional rules of your own.
 

  • For details on configuration of aide.conf accepted options "man aide.conf"

The rules and other configuration reside under the /etc/aide/ directory.
 

The AIDE database is located under /var/lib/aide

root@server:~# ls -al /var/lib/aide/
общо 33008
drwxr-xr-x  2 root root     4096  9 мар 12:38 ./
drwxr-xr-x 27 root root     4096  9 мар 12:01 ../
-rw-------  1 root root 16895467  9 мар 16:03 aide.db
-rw-------  1 root root 16895467  9 мар 18:49 aide.db.new


Also, the main settings for how AIDE will run from its cron job are, as with most Debian services, in /etc/default/aide.

The default aide.conf config is in /etc/aide/aide.conf; if you need something custom, simply edit it.

Here is an example:
Let's say you want to omit some directories from monitoring which AIDE would otherwise check, e.g.
omit /var/log/* from monitoring.

# At the end of file /etc/aide/aide.conf

add:

!/var/log
!/home/
!/var/lib
!/proc

  • Initialize the aide database for the first time

Run the aideinit command; aideinit will create a new baseline database, /var/lib/aide/aide.db.new.
Note that /var/lib/aide/aide.db is the current database that aide checks against for any changes of files / directories among the configured monitored filesystem objects.

root@server:~# aideinit
Running aide --init...

Start timestamp: 2023-03-09 12:06:16 +0200 (AIDE 0.17.3)
AIDE initialized database at /var/lib/aide/aide.db.new

Number of entries:      66971

—————————————————
The attributes of the (uncompressed) database(s):
—————————————————

/var/lib/aide/aide.db.new
 SHA256    : nVrYljiBFM/KaKCTjbaJtR2w6N8vc8qN
             DPObbo2UMVo=
 SHA512    : S1ZNB0DCqb4UTmuqaalTgiQ3UAltTOzO
             YNfEQJldp32q5ahplBo4/65uwgtGusMy
             rJC8nvxvYmh+mq+16kfrKA==
 RMD160    : xaUnfW1+/DJV/6FEm/nn1k1UKOU=
 TIGER     : nGYEbX281tsQ6T21VPx1Hr/FwBdwF4cK
 CRC32     : fzf7cg==
 HAVAL     : yYQw/87KUmRiRLSu5JcEIvBUVfsW/G9H
             tVvs6WqL/0I=
 WHIRLPOOL : 6b5y42axPjpUxWFipUs1PtbgP2q0KJWK
             FwFvAGxHXjZeCBPEYZCNkj8mt8MkXBTJ
             g83ZELK9GQBPLea7UF3tng==
 GOST      : sHAzx7hkr5H3q8TCSGCKjndEiZgcvCEL
             E45qcRb25tM=


End timestamp: 2023-03-09 12:38:30 +0200 (run time: 32m 14s)


Be patient now, go grab a coffee / tea or a snack, as the command might take a few minutes or considerably longer (32 minutes on this server, per the run time above) for aide to walk through the whole monitored filesystem and build its database.

root@server:~# echo cp /var/lib/aide/aide.db{.new,}
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

 

root@server:~# cp /var/lib/aide/aide.db{.new,}

root@server:~# aide --check --config /etc/aide/aide.conf

Start timestamp: 2023-03-09 13:01:32 +0200 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      66972
  Added entries:                1
  Removed entries:              0
  Changed entries:              7

—————————————————
Added entries:
—————————————————

f+++++++++++++++++: /var/lib/aide/aide.db

—————————————————
Changed entries:
—————————————————

d =…. mc.. .. . : /etc/aide
d =…. mc.. .. . : /root
f <…. mci.H.. . : /root/.viminfo
f =…. mc..H.. . : /var/lib/fail2ban/fail2ban.sqlite3
d =…. mc.. .. . : /var/lib/vnstat
f =…. mc..H.. . : /var/lib/vnstat/vnstat.db
f >b… mc..H.. . : /var/log/sysstat/sa09

—————————————————
Detailed information about changes:
—————————————————

Directory: /etc/aide
 Mtime     : 2023-03-09 12:04:03 +0200        | 2023-03-09 12:51:11 +0200
 Ctime     : 2023-03-09 12:04:03 +0200        | 2023-03-09 12:51:11 +0200

Directory: /root
 Mtime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 12:51:11 +0200
 Ctime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 12:51:11 +0200

File: /root/.viminfo
 Size      : 18688                            | 17764
 Mtime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 12:51:11 +0200
 Ctime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 12:51:11 +0200
 Inode     : 133828                           | 133827
 SHA256    : aV54gi33aA/z/FuBj2ZioU2cTa9H16TT | dnFdLVQ/kx3UlTah09IgEMrJ/aYgczHe
             TzkLSxBDSB4=                     | DdxDAmPOSAM=

3. Test aide detects file changes

Create a new file, append some text to it and rerun the aide check:

 

root@server:~# touch /root/test.txt
root@server:~# echo aaa > /root/test.txt
root@server:~# aide --check --config /etc/aide/aide.conf

 

Start timestamp: 2023-03-09 13:07:21 +0200 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      66973
  Added entries:                2
  Removed entries:              0
  Changed entries:              7

—————————————————
Added entries:
—————————————————

f+++++++++++++++++: /root/test.txt
f+++++++++++++++++: /var/lib/aide/aide.db

—————————————————
Changed entries:
—————————————————

d =…. mc.. .. . : /etc/aide
d =…. mc.. .. . : /root
f <…. mci.H.. . : /root/.viminfo
f =…. mc..H.. . : /var/lib/fail2ban/fail2ban.sqlite3
d =…. mc.. .. . : /var/lib/vnstat
f =…. mc..H.. . : /var/lib/vnstat/vnstat.db
f >b… mc..H.. . : /var/log/sysstat/sa09

….


The same command can be shortened for the lazy typist:

root@server:~# aide -c /etc/aide/aide.conf -C

The command will basically try to check the deviation between the AIDE database and the filesystem.

4. Limiting AIDE's Integrity Checks to Specific Files / Directories

In order to limit the integrity checks to specific entries, for example /etc, pass the --limit REGEX option to the AIDE check command, where REGEX is a regular expression matching the entries to check.

For example, to check only the database entries matching /etc, you would run the aide command as shown below:
 

root@server:~# aide -c /etc/aide/aide.conf --limit /etc --check

 

AIDE found differences between database and filesystem!!
Limit: /etc

Summary:
  Total number of entries:      66791
  Added entries:                0
  Removed entries:              0
  Changed entries:              2

—————————————————
Changed entries:
—————————————————

d =…. mc.. .. . : /etc/aide
d =…. mc.. .. . : /etc/default

—————————————————
Detailed information about changes:
—————————————————

Directory: /etc/aide
 Mtime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 16:43:03 +0200
 Ctime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 16:43:03 +0200

Directory: /etc/default
 Mtime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 18:42:12 +0200
 Ctime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 18:42:12 +0200


—————————————————
The attributes of the (uncompressed) database(s):
—————————————————

/var/lib/aide/aide.db
 SHA256    : sjCxyIkr0nC/gTkNmn7DNqAQWttreDF6
             vSUV4jBoFY4=
 SHA512    : vNMpb54qxrbOk6S1Z+m9r0UwGvRarkWY
             0m50TfMvGElfZWR1I3SSaeTdORAZ4rQe
             17Oapo5+Sc0E2E+STO93tA==
 RMD160    : anhm5E6UlKmPYYJ4WYnWXk/LT3A=
 TIGER     : 5e1wycoF35/ABrRf7FNypZ45169VTuV4
 CRC32     : EAJlFg==
 HAVAL     : R5imONWRYgNGEfhBTc096K+ABnMFkMmh
             Hsqe9xt20NU=
 WHIRLPOOL : c6zySLliXNgnOA2DkHUdLTCG2d/T18gE
             4rdAuKaC+s7gqAGyA4p2bnDHhdd0v06I
             xEGY7YXCOXiwx8BM8xHAvQ==
 GOST      : F5zO2Ovtvf+f7Lw0Ef++ign1znZAQMHM
             AApQOiB9CqA=


End timestamp: 2023-03-09 20:02:18 +0200 (run time: 1m 32s)

5. Add the modified /root/test.txt to AIDE's database of known files
 

root@server:~# aide --update --config /etc/aide/aide.
  ERROR: cannot open config file '/etc/aide/aide.': No such file or directory

 

root@server:~# aide --update --config /etc/aide/aide.conf
 

Start timestamp: 2023-03-09 18:45:17 +0200 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new

Summary:
  Total number of entries:      66791
  Added entries:                0
  Removed entries:              0
  Changed entries:              8

—————————————————
Changed entries:
—————————————————

d =…. mc.. .. . : /etc/aide
d =…. mc.. .. . : /etc/default
d =…. mc.. .. . : /root
f >…. mci.H.. . : /root/.viminfo
f >…. mci.H.. . : /root/test.txt
f =…. mc..H.. . : /var/lib/fail2ban/fail2ban.sqlite3
d =…. mc.. .. . : /var/lib/vnstat
f =…. mc..H.. . : /var/lib/vnstat/vnstat.db

—————————————————
Detailed information about changes:
—————————————————

Directory: /etc/aide
 Mtime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 16:43:03 +0200
 Ctime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 16:43:03 +0200

Directory: /etc/default
 Mtime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 18:42:12 +0200
 Ctime     : 2023-03-09 12:06:13 +0200        | 2023-03-09 18:42:12 +0200

Directory: /root
 Mtime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 18:44:34 +0200
 Ctime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 18:44:34 +0200

File: /root/.viminfo
 Size      : 16706                            | 16933
 Mtime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 18:44:34 +0200
 Ctime     : 2023-03-09 15:59:53 +0200        | 2023-03-09 18:44:34 +0200
 Inode     : 136749                           | 133828
 SHA256    : KMHGoMVJo10BtafVrWIOLt3Ht9gK8bc+ | rrp8S3VftzZzvjBP1JC+PBpODv9wPKGw
             9uHh/z7iJWA=                     | TA+hyhTiY+U=
 SHA512    : ieDHy7ObSTfYm5d8DtYcHKxHya13CS65 | PDAJjyZ39uU3kKFo2lHBduTqxMDq4i01
             ObMYIRAre6IgvLslEs0ZodQFyrczMyRt | 1Kvm/h6xzFhHtFgjidtcemG8wDcjtfNF
             +d6SrW0gn3skKn2B7G09eQ==         | Z7LO230fgGeO7UepqtxZjQ==
 RMD160    : nUgg/G4zsVGKzVmmrqltuYUDvtg=     | jj61KAFONK92mj+u66RDJmxFhmI=
 TIGER     : 3vPSOrla5k+k2br1E2ES4eNiSZ2novFX | mn4kNCzd8SQr2ID2VSe4f4l0ta7pO/xo
 CRC32     : NDnMgw==                         | AyzVUQ==
 HAVAL     : Q9/KozxRiPbLEkaIfnBUZdEWftaF52Mw | 6jADKV6jg7ZVr/A/oMhR4NXc8TO1AOGW
             7tiR7DXhl0o=                     | NrYe+j6UcO0=
 WHIRLPOOL : vB/ZMCul4hN0aYd39gBu+HmZT/peRUI8 | mg6c1lYYVNZcy4mVzGojwraim8e3X2/R
             KDkaslNb8+YleoFWx0mbhAbkGurc0+jh | urVvEmbsgTuUCJOuf9+OrEACiF0fbe/x
             YPBviZIKcxUbTc2nGthTWw==         | t+BXnSQWk08OL9EI6gMGqA==
 GOST      : owVGTgU9BH3b0If569wQygw3FAbZIZde | ffx29GV2jaCB7XzuNjdiRzziIiZYnbi3
             eAfQfzlRPGY=                     | Ar7jyNMUutk=

File: /root/test.txt
 Size      : 4                                | 8
 Mtime     : 2023-03-09 13:07:12 +0200        | 2023-03-09 18:44:34 +0200
 Ctime     : 2023-03-09 13:07:12 +0200        | 2023-03-09 18:44:34 +0200
 Inode     : 133828                           | 136751
 SHA256    : F+aC8GC1+OR+oExcSFWQiwpa1hICImD+ | jUIZMGfiMdAlWFHu8mmmlml4qAGNQNL5
             UOEeywzAq3Y=                     | 6NhzJ1sYFZE=
 SHA512    : d+UmFKFBzvGadt5hk+nIRbjP//7PSXNl | ixn20lcEMDEtsJo3hO90Ea/wHWLCHcrz
             Pl16XRIUUPq2FCiQ4PeUcVciukJX7ijL | seBWunbBysY0z3BWcfgnN2vH05WfRfvA
             D045ZvGOEcnmL6a6vwp0jw==         | QiNtQS1tStuEdB3Voq54zQ==
 RMD160    : I6waxKN3rMx4WTz4VCUQXoNoxUg=     | urTh1j1t3UHchnJGnBG4lUZnjI4=
 TIGER     : cwUYgfKHcJnWXcA0pr/OKuxuoxh+b9lA | prstKqCfMXL39aVGFPA0kX4Q9x7a+hUn
 CRC32     : UD78Dw==                         | zoYiEA==
 HAVAL     : bdbKR9LvPgsYClViKiHx48fFixfIL/jA | ZdpdeMhw4MvKBgWsM4EeyUgerO86Rt82
             F3tjdc2Gm8Y=                     | W94fJFRWbrM=
 WHIRLPOOL : OLP0Y4oKcqW2yEvme8z419N1KE4TB9GJ | Xk8Ujo3IU2SzSqbJFegq7p1ockmrnxJF
             biHn/9XgrBz4fQiDJ8eHpx+0exA9hXmY | R3Rfstd1jWSwLFNTEwfbRRw+TARtRK50
             EbbakMJJdzLt1ipKWiV9gg==         | iWJeHLsD5dZ+CzV0tf4sUg==
 GOST      : ystISzoeH/ZznYrrXmxe4rwmybWMpGuE | GhMWNxg7Is0svJ+5LP+DVWbgt+CDQO+3
             0PzRnVEqnR8=                     | 08dwBuVAwB8=

File: /var/lib/fail2ban/fail2ban.sqlite3
 Mtime     : 2023-03-09 15:55:01 +0200        | 2023-03-09 18:45:01 +0200
 Ctime     : 2023-03-09 15:55:01 +0200        | 2023-03-09 18:45:01 +0200
 SHA256    : lLilXNleqSgHIP1y4o7c+oG5XyUPGzgi | NCJJ2H6xgCw/NYys1LMA7hOWwoOoxI8Y
             RHYH+zvlAL4=                     | 4SJygfqEioE=
 SHA512    : iQj2pNT4NES4fBcujzdlEEGZhDnkhKgc | ClQZ5HMOSayUNb//++eZc813fiMJcXnj
             QDlGFSAn6vi+RXesFCjCABT7/00eEm5/ | vTGs/2tANojoe6cqpsT/LaJ3QZXpmrfh
             ILcaqlQtBSLJgHjMQehzdg==         | syVak1I4n9yg8cDKEkZUvw==
 RMD160    : Xg4YU8YI935L+DLvkRsDanS4DGo=     | SYrQ27n+/1fvIZ7v+Sar/wQHulI=
 TIGER     : 2WhhPq9kuyeNJkOicDTDeOeJB8HR8zZe | o1LDZtRclri2KfZBe5J3D4YhM05UaP4E
 CRC32     : NQmi4A==                         | tzIsqg==
 HAVAL     : t1ET+84+8WgfwqlLy4R1Qk9qGZQRUbJI | MwVnjtM3dad/RuN2BfgsySX2DpfYq4qi
             z2J0ROGduXc=                     | H1pq6RYsA6o=
 WHIRLPOOL : xKSn71gFIVhk5rWJIBaYQASl0V+pGn+3 | m5LEXfhBbhWFg/d8CFJhklOurmRSkDSG
             N85R0tiCKsTZ2+LRkxDrzcVQdss2k8+z | LC/vICnbEWzLwrCuMwBi1/e5wDNIY8gK
             oqExhoXtPsMaREjpCugd3Q==         | mvGn40x+G4cCYNZ6lGT9Zg==
 GOST      : WptpUlfooIlUjzDHU8XGuOU2waRud5SR | i6K4COXU0nyZ1mL3ZBuGUPz/ZXTj8KKQ
             E/tnoBqk+q0=                     | L6VNyS8/X2Y=

Directory: /var/lib/vnstat
 Mtime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 18:45:01 +0200
 Ctime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 18:45:01 +0200

File: /var/lib/vnstat/vnstat.db
 Mtime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 18:45:00 +0200
 Ctime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 18:45:00 +0200
 SHA256    : X/lnJuuSo4jX4HRzxMBodnKHAjQFvugi | oqtY3HTNds/qDNFCRAEsfN5SuO0U5LRg
             2sh2c0u69x8=                     | otc5z1y+eGY=
 SHA512    : U/g8O6G8cuhsqCUCbrElxgiy+naJKPkI | y+sw4LX8mlDWkRJMX38TsYSo1DQzxPOS
             hG7vdH9rBINjakL87UWajT0s6WSy0pvt | 068otnzw2FSSlM5X5j5EtyJiY6Hd5P+A
             ALaTcDFKHBAmmFrl8df2nQ==         | jFiWStMbx+dQidXYZ4XFAw==
 RMD160    : F6YEjIIQu2J3ru7IaTvSemA9e34=     | bmVSaRKN2qU7qpEWkzfXFoH4ZK4=
 TIGER     : UEwLoeR6Qlf2oOI58pUCEDaWk0pHDkcY | 0Qb4nUqe3cKh/g5CQUnOXGfjZwJHjeWa
 CRC32     : Bv3/6A==                         | jvW6mg==
 HAVAL     : VD7tjHb8o8KTUo5xUH7eJEmTWgB9zjft | rumfiWJvy/sTK/09uj7XlmV3f7vj6KBM
             kOkzKxFWqqU=                     | qeOuKvu0Zjc=
 WHIRLPOOL : wR0qt8u4N8aQn8VQ+bmfrxB7CyCWVwHi | FVWDRE3uY6qHxLlJQLU9i9QggLW+neMj
             ADHpMTUxBEKOpOBlHTWXIk13qYZiD+o/ | Wt+Dj9Rz92BG9EomgLUgUkxfiVFO8cMq
             XtzTB4rMbxS4Z5PAdC/07A==         | WaR/KKq3Z7R8f/50tc9GMQ==
 GOST      : l3ibqMkHMSPpQ+9ok51/xBthET9+JQMd | qn0GyyCg67KRGP13At52tnviZfZDgyAm
             OZtiFGYXmgU=                     | c82NXSzeyV0=


—————————————————
The attributes of the (uncompressed) database(s):
—————————————————

/var/lib/aide/aide.db
 SHA256    : sjCxyIkr0nC/gTkNmn7DNqAQWttreDF6
             vSUV4jBoFY4=
 SHA512    : vNMpb54qxrbOk6S1Z+m9r0UwGvRarkWY
             0m50TfMvGElfZWR1I3SSaeTdORAZ4rQe
             17Oapo5+Sc0E2E+STO93tA==
 RMD160    : anhm5E6UlKmPYYJ4WYnWXk/LT3A=
 TIGER     : 5e1wycoF35/ABrRf7FNypZ45169VTuV4
 CRC32     : EAJlFg==
 HAVAL     : R5imONWRYgNGEfhBTc096K+ABnMFkMmh
             Hsqe9xt20NU=
 WHIRLPOOL : c6zySLliXNgnOA2DkHUdLTCG2d/T18gE
             4rdAuKaC+s7gqAGyA4p2bnDHhdd0v06I
             xEGY7YXCOXiwx8BM8xHAvQ==
 GOST      : F5zO2Ovtvf+f7Lw0Ef++ign1znZAQMHM
             AApQOiB9CqA=

/var/lib/aide/aide.db.new
 SHA256    : QRwubXnz8md/08n28Ek6DOsSQKGkLvuc
             gSZRsw6gRw8=
 SHA512    : 238RmI1PHhd9pXhzcHqM4+VjNzR0es+3
             6eiGNrXHAdDTz7GlAQQ4WfKeQJH9LdyT
             1r5ho/oXRgzfa2BfhKvTHg==
 RMD160    : GJWuX/nIPY05gz62YXxk4tWiH5I=
 TIGER     : l0aOjXlM4/HjyN9bhgBOvvCYeqoQyjpw
 CRC32     : KFz6GA==
 HAVAL     : a//4jwVxF22URf2BRNA612WOOvOrScy7
             OmI44KrNbBM=
 WHIRLPOOL : MBf+NeXElUvscJ2khIuAp+NDu1dm4h1f
             5tBQ0XrQ6dQPNA2HZfOShCBOPzEl/zrl
             +Px3QFV4FqD0jggr5sHK2g==
 GOST      : EQnPh6jQLVUqaAK9B4/U4V89tanTI55N
             K7XqZR9eMG4=


End timestamp: 2023-03-09 18:49:51 +0200 (run time: 4m 34s)
 

6. Replace the old aide database with the new one that includes the modified files

As you can see, AIDE detected the changes in /root/test.txt.

To make AIDE treat these changes as known from now on (e.g. because the file was authorized and supposed to be written there), simply copy the newly generated database
over the current aide database.

# copy generated DB to master DB
root@dlp:~# cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db

7. Check once again to make sure the recently modified files are no longer seen as changed by AIDE

Recheck the database to make sure the files whose changes you just accepted are no longer listed as changed:

root@server:~# aide --check --config /etc/aide/aide.conf
Start timestamp: 2023-03-09 16:23:05 +0200 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      66791
  Added entries:                0
  Removed entries:              0
  Changed entries:              3

—————————————————
Changed entries:
—————————————————

f =…. mc..H.. . : /var/lib/fail2ban/fail2ban.sqlite3
d =…. mc.. .. . : /var/lib/vnstat
f =…. mc..H.. . : /var/lib/vnstat/vnstat.db

—————————————————
Detailed information about changes:
—————————————————

File: /var/lib/fail2ban/fail2ban.sqlite3
 Mtime     : 2023-03-09 15:55:01 +0200        | 2023-03-09 16:25:02 +0200
 Ctime     : 2023-03-09 15:55:01 +0200        | 2023-03-09 16:25:02 +0200
 SHA256    : lLilXNleqSgHIP1y4o7c+oG5XyUPGzgi | MnWXC2rBMf7DNJ91kXtHXpM2c2xxF60X
             RHYH+zvlAL4=                     | DfLUQLHiSiY=
 SHA512    : iQj2pNT4NES4fBcujzdlEEGZhDnkhKgc | gxHVBxhGTKi0TjRE8/sn6/gtWsRw7Mfy
             QDlGFSAn6vi+RXesFCjCABT7/00eEm5/ | /wCfPlDK0dkRZEbr8IE2BNUhBgwwocCq
             ILcaqlQtBSLJgHjMQehzdg==         | zuazTy4N4x6X8bwOzRmY0w==
 RMD160    : Xg4YU8YI935L+DLvkRsDanS4DGo=     | +ksl9kjDoSU9aL4tR7FFFOK3mqw=
 TIGER     : 2WhhPq9kuyeNJkOicDTDeOeJB8HR8zZe | 9cvXZNbU+cp5dA5PLiX6sGncXd1Ff5QO
 CRC32     : NQmi4A==                         | y6Oixg==
 HAVAL     : t1ET+84+8WgfwqlLy4R1Qk9qGZQRUbJI | aPnCrHfmZAUm7QjROGEl6rd3776wO+Ep
             z2J0ROGduXc=                     | s/TQn7tH1tY=
 WHIRLPOOL : xKSn71gFIVhk5rWJIBaYQASl0V+pGn+3 | 9Hu6NBhz+puja7uandb21Nt6cEW6zEpm
             N85R0tiCKsTZ2+LRkxDrzcVQdss2k8+z | bTsq4xYA09ekhDHMQJHj2WpKpzZbA+t0
             oqExhoXtPsMaREjpCugd3Q==         | cttMDX8J8M/UadqfL8KZkQ==
 GOST      : WptpUlfooIlUjzDHU8XGuOU2waRud5SR | WUQfAMtye4wADUepBvblvgO+vBodS0Ej
             E/tnoBqk+q0=                     | cIbXy4vpPYc=

Directory: /var/lib/vnstat
 Mtime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 16:25:01 +0200
 Ctime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 16:25:01 +0200

File: /var/lib/vnstat/vnstat.db
 Mtime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 16:25:01 +0200
 Ctime     : 2023-03-09 16:00:00 +0200        | 2023-03-09 16:25:01 +0200
 SHA256    : X/lnJuuSo4jX4HRzxMBodnKHAjQFvugi | N1lzhV3+tkDBud3AVlmIpDkU1c3Rqhnt
             2sh2c0u69x8=                     | YqE8naDicoM=
 SHA512    : U/g8O6G8cuhsqCUCbrElxgiy+naJKPkI | +8B9HvHhOp1C/XdlOORjyd3J2RtTbRBF
             hG7vdH9rBINjakL87UWajT0s6WSy0pvt | b0Moo2Gj+cIxaMCu5wOkgreMp6FloqJR
             ALaTcDFKHBAmmFrl8df2nQ==         | UH4cNES/bAWtonmbj4W7Vw==
 RMD160    : F6YEjIIQu2J3ru7IaTvSemA9e34=     | 8M6TIOHt0NWgR5Mo47DxU28cp+4=
 TIGER     : UEwLoeR6Qlf2oOI58pUCEDaWk0pHDkcY | Du9Ue0JA2URO2tiij31B/+663OaWKefR
 CRC32     : Bv3/6A==                         | v0Ai4w==
 HAVAL     : VD7tjHb8o8KTUo5xUH7eJEmTWgB9zjft | XA+vRnMNdVGFrO+IZtEA0icunWqBGaCf
             kOkzKxFWqqU=                     | leR27LN4ejc=
 WHIRLPOOL : wR0qt8u4N8aQn8VQ+bmfrxB7CyCWVwHi | HG31dNEEcak2zZGR24W7FDJx8mh24MaJ
             ADHpMTUxBEKOpOBlHTWXIk13qYZiD+o/ | BQNhqkuS6R/bmlhx+P+eQ/JimwPAPOaM
             XtzTB4rMbxS4Z5PAdC/07A==         | xWG7cMETIXdT9sUOUal8Sw==
 GOST      : l3ibqMkHMSPpQ+9ok51/xBthET9+JQMd | y6Ek/TyAMGV5egkfCu92Y4qqk1Xge8c0
             OZtiFGYXmgU=                     | 3ONXRveOlr0=


—————————————————
The attributes of the (uncompressed) database(s):
—————————————————

/var/lib/aide/aide.db
 SHA256    : sjCxyIkr0nC/gTkNmn7DNqAQWttreDF6
             vSUV4jBoFY4=
 SHA512    : vNMpb54qxrbOk6S1Z+m9r0UwGvRarkWY
             0m50TfMvGElfZWR1I3SSaeTdORAZ4rQe
             17Oapo5+Sc0E2E+STO93tA==
 RMD160    : anhm5E6UlKmPYYJ4WYnWXk/LT3A=
 TIGER     : 5e1wycoF35/ABrRf7FNypZ45169VTuV4
 CRC32     : EAJlFg==
 HAVAL     : R5imONWRYgNGEfhBTc096K+ABnMFkMmh
             Hsqe9xt20NU=
 WHIRLPOOL : c6zySLliXNgnOA2DkHUdLTCG2d/T18gE
             4rdAuKaC+s7gqAGyA4p2bnDHhdd0v06I
             xEGY7YXCOXiwx8BM8xHAvQ==
 GOST      : F5zO2Ovtvf+f7Lw0Ef++ign1znZAQMHM
             AApQOiB9CqA=


End timestamp: 2023-03-09 16:27:33 +0200 (run time: 4m 28s)

As you can see there are no new added entries for /root/test.txt, only some changed records for the vnstat service as well as fail2ban ones, so the Intrusion Detection System works just as we expected.

8. Configure the recipient email address for AIDE changed-files alerts

From here on the aide package has its own cron job which automatically does the check operation every day, and any new file modifications will be captured and alerts sent to the local root@localhost mailbox, so you can check them later with the mail command.

If you want to send the email alert for any file modifications that occurred to another address, assuming that you have a locally running SMTP server with a mail relay to external addresses, you can do it via /etc/default/aide by changing:

MAILTO=root


For example, change it to a fully qualified email address:

MAILTO=external_mail@your-mail.com

9. Force AIDE to run at specific, more frequent time intervals

You can also install a cron job to execute AIDE at time intervals of your choice.

Let's say you want to run a custom prepared set of files to monitor from /etc/aide/aide_custom_config.conf; configure a new cron job like below:

root@server:~# crontab -u root -e
MAILTO=root
# cron runs jobs with /bin/sh (dash on Debian), which has no {a,b} brace expansion, so both paths are spelled out;
# "aide -u" exits non-zero whenever it finds changes (see section 10), hence ";" rather than "&&" before the cp
*/5 * * * * aide -c /etc/aide/aide_custom_config.conf -u; cp /var/lib/custom-aide/aide.db.new /var/lib/custom-aide/aide.db


This will execute the AIDE check every 5 minutes, and cron will email the report to the MAILTO address of the crontab, e.g. the same username@whatever-your-smtp.com you configured earlier in /etc/default/aide.

10. Check the exit status of AIDE for changes – useful for getting file changes from aide in scripts

Check the command exit status right after the aide run:

root@server:~# echo $?

According to the AIDE man page, AIDE's exit status is normally 0 if no errors occurred, except when the --check, --compare or --update command was requested, in which case the exit status is defined as:

   1 * (new files detected?)     +
   2 * (removed files detected?) +
   4 * (changed files detected?)

   Since those three cases can occur together, the respective codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.

   Additionally, the following exit codes are defined for generic error conditions in the aide manual:

   14 Error writing error
   15 Invalid argument error
   16 Unimplemented function error
   17 Invalid configureline error
   18 IO error
   19 Version mismatch error
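As an added example covering sections 9 and 10 (my own script, not the post's or the AIDE project's): a small POSIX shell wrapper, saved as aide-check.sh, that decodes the exit status bits quoted above and runs aide --check in a cron-friendly way. It assumes the Debian paths used in the post and that /var/log/aide is writable; the aide-check.sh file name and the AIDE_LOG variable are my own.

```shell
#!/bin/sh
# aide-check.sh: added example, not part of the original post. Decodes the
# aide(1) exit status the post quotes (1 new, 2 removed, 4 changed, 14-19
# generic errors) and wraps "aide --check" so a cron job or script can act
# on the result instead of grepping the report. Assumes the Debian layout
# used in the post (/etc/aide/aide.conf) and a writable /var/log/aide.

# aide_status_text STATUS: prints a short summary of an aide exit status.
aide_status_text() {
    st="$1"
    case "$st" in
        0)  echo "clean" ;;
        14) echo "error: error writing" ;;
        15) echo "error: invalid argument" ;;
        16) echo "error: unimplemented function" ;;
        17) echo "error: invalid config line" ;;
        18) echo "error: I/O error" ;;
        19) echo "error: version mismatch" ;;
        [1-7])
            # Bits are additive: 3 means new and removed files, 7 all three.
            out=""
            if [ $((st & 1)) -ne 0 ]; then out="new"; fi
            if [ $((st & 2)) -ne 0 ]; then out="${out:+$out,}removed"; fi
            if [ $((st & 4)) -ne 0 ]; then out="${out:+$out,}changed"; fi
            echo "$out" ;;
        *)  echo "unknown status $st" ;;
    esac
}

# aide_check_report [CONFIG]: runs the check, keeps the full report in a
# log file, prints a one-line summary (this is what cron mails to MAILTO)
# and returns the raw aide status. It deliberately never copies aide.db.new
# over aide.db: accepting a new baseline stays the manual step of section 6,
# otherwise an unwanted change would be baselined at the next run.
aide_check_report() {
    conf="${1:-/etc/aide/aide.conf}"
    log="${AIDE_LOG:-/var/log/aide/aide-check.$(date +%Y%m%d-%H%M%S).log}"
    if aide --check --config "$conf" > "$log" 2>&1; then
        st=0
    else
        st=$?
    fi
    echo "aide: $(aide_status_text "$st") (exit $st, full report in $log)"
    return "$st"
}

# Run directly as ./aide-check.sh [CONFIG]; does nothing when sourced.
if [ "${0##*/}" = "aide-check.sh" ]; then
    aide_check_report "$@"
fi
```

A crontab line such as `*/5 * * * * /usr/local/sbin/aide-check.sh` then mails only the summary line, while the full report stays on disk for review.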

PLEASE CONSIDER

  • That AIDE checks might be resource intensive
    and could cause a peak in CPU use and have a negative effect on very loaded application server machines,
    thus causing performance issues during integrity checks!
     
  • If you are scanning the whole file system and you do it frequently, be sure to provide "enough" resources or schedule the scan at times when the Linux host is less used!
     
  • Whenever you make any AIDE configuration changes, remember to re-initialize the database to create a new baseline!

Howto convert KVM QCOW2 format Virtual Machine to Vmdk to migrate to VMware ESXi

Thursday, November 17th, 2022

qcow2-to-vmdkvk-convert-to-complete-linux-kvm-to-vmware-esxi-migration

Why you would want to convert qcow2 to vmdk?

When managing a heterogeneous virtual environment or changing virtualization solutions, which has become so common nowadays, you might need to migrate qcow2 images from a Linux based KVM virtualization solution to VMware's proprietary vmdk, the file format in which VMware keeps its VMs stored, especially if you have a small business or work in a small start-up company where you cannot afford to buy something professional such as VMware vCenter Converter Standalone or Microsoft Virtual Machine Converter (MVMC), usually used to migrate VMware hosts to Hyper-V hosts but also capable of migrating .qcow2 to .vmdk. The reason is that your old datacenter based on Linux OS custom KVM virtual machines might be moved to VMware ESX to guarantee better and more systematized management (which though is very questionable, since most of my experience with VMware was that, though the software was a great one, the people who managed it were not very much specialists in managing it).

Another common reason is that running a separate Linux virtual machine costs you more than a well organized VMware farm, because you need more qualified Linux specialists to manage the KVMs; thus KVM to VMware migration happens because in most big corporations nowadays the main target is to cut the costs.
Even with successful migrations like that, though, you might often expect a drop in the quality of the service when your VM ends up in the VMware farm.

No matter what the reason to migrate qcow2 to VMDK is, let's proceed with how the .QCOW2 to .VMDK conversion can be easily done.


1. Get information about the VM you would like to migrate to VMDK

In a QEMU-KVM environment the common image format is qcow2, which adds features (snapshots, compression, thin provisioning) that the first-generation qcow format and raw images lack. On a plain libvirt host, virsh dominfo prints a short summary of the domain and virsh domblklist shows the paths of its virtual disks. The host in this example is a Virtuozzo/Parallels-style hypervisor (note the /vz/vmprivate home directory and the .hdd image), whose verbose VM information looks like this:

[root@hypervisor-machine ~]# virsh dominfo virtual-machine-name

INFO
ID: {e59ae416-9314-4e4b-af07-21c31d91b3fb}
EnvID: 1704649750
Name: CentOS7minimal
Description:
Type: VM
State: stopped
OS: centos7
Template: no
Uptime: 00:00:00 (since 2019-04-25 13:04:11)
Home: /vz/vmprivate/e39ae416-9314-4e4b-af05-21c31d91b3fb/
Owner: root@.
GuestTools: state=not_installed
GuestTools autoupdate: on
Autostart: off
Autostop: shutdown
Autocompact: off
Boot order: hdd0 cdrom0
EFI boot: off
Allow select boot device: off
External boot device:
On guest crash: restart
Remote display: mode=manual port=6903 address=0.0.0.0
Remote display state: stopped
Hardware:
  cpu sockets=1 cpus=2 cores=2 VT-x accl=high mode=64 ioprio=4 iolimit='0'
  memory 2048Mb
  video 32Mb 3d acceleration=off vertical sync=yes
  memory_guarantee auto
  hdd0 (+) scsi:0 image='/vz/vmprivate/e59ae415-9314-4e4b-af05-21c31d91b3fb/harddisk.hdd' type='expanded' 5120Mb subtype=virtio-scsi
  cdrom0 (+) scsi:1 image='/home/CentOS-7-x86_64-Minimal-1611.iso' state=disconnected subtype=virtio-scsi
  usb (+)
  net0 (+) dev='vme42bef5f3' network='Bridged' mac=001C42BEF5F3 card=virtio ips='10.50.50.27/255.255.255.192 ' gw='10.50.50.1'
SmartMount: (-)
Disabled Windows logo: on
Nested virtualization: off
Offline management: (-)
Hostname: kvmhost.fqdn.com


2. Convert the hard drive to VMDK

[root@hypervisor-machine e59ae415-9314-4e4b-af05-21c31d91b3fb]# ls -lsah

1.3G -rw-r----- 1 root root 1.3G Apr 25 14:43 harddisk.hdd

a. Conversion with qemu-img:

You can use the qemu-img tool, which is installable via:

yum install qemu-img (RedHat / CentOS), apt install qemu-utils (Debian / Ubuntu), zypper install qemu-tools (SuSE Linux)

-f: format of the source image

-O: format of the target image

-o: format-specific options for the target; adapter_type=lsilogic matches the default SCSI controller of an ESXi VM, subformat=streamOptimized produces a compact single-file image meant for transport, and compat6 selects the VMDK version 6 format

[root@hypervisor-machine ~]# qemu-img convert -f qcow2 -O vmdk -o adapter_type=lsilogic,subformat=streamOptimized,compat6 harddisk.hdd harddisklsilogic.vmdk

 

[root@hypervisor-machine e59ae415-9314-4e4b-af05-21c31d91b3fb]# ls -lsah

1.3G -rw-r----- 1 root root 1.3G Apr 25 14:43 harddisk.hdd

536M -rw-r--r-- 1 root root 536M Apr 26 14:52 harddisklsilogic.vmdk

Note that qemu-img created the new image world-readable (0644) while the source was 0640. The file holds the complete guest file system, including its shadow file and SSH host keys, so tighten the permissions before you copy it around, and compare a checksum after the upload.

3. Upload the new hard drive to the ESXi hypervisor and adapt it to ESX

The vmdk produced by qemu-img can be used directly in VMware Workstation, but ESXi will not run a VM from it as is: the stream-optimized subformat is a transport format, not a datastore format. To make it usable on ESXi, copy it to a datastore (scp to the ESXi host works once SSH is enabled there) and convert it once more with vmkfstools, which runs in the ESXi shell, not on the KVM host.

 

a. Adapt the file to the ESXi datastore (run on the ESXi host)

[root@hypervisor-machine ~]# vmkfstools -i harddisklsilogic.vmdk  -d thin harddisk.vmdk

 

4. Create a VM and add the converted hard drive to the machine.

Further: recreate the initramfs

Of course this won't work directly, as often happens with Linux 🙂 !!
We need to make a few manual adjustments inside the virtual machine as well, because the initramfs built on the KVM host typically (dracut's hostonly mode) contains only the virtio drivers, not the modules for the VMware SCSI controller and NIC:

1. Start the machine from the VMware interface

2. The GRUB / CentOS Linux rescue prompt will appear

3. Run the command

dracut --regenerate-all --force


to recreate the initramfs for every installed kernel.
 

Note that you might also have to edit your network configuration, since the network device usually gets a different name under the new virtual NIC (check the current name with ip link before fixing the interface configuration).
 

Finally reboot the guest:

[root@hypervisor-machine ~]# reboot


And voila, you're ready to play with the VM inside ESX. After some testing you can switch off the KVM-hosted VM and reroute the network to point to the ESX cluster.
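As an added example (not code from the original post), the qemu-img step from section 2 wrapped with the checks a careful operator wants before shipping a disk image to another hypervisor: confirm the source really is qcow2, refuse to clobber an existing target, create the target readable only by its owner, and confirm that the result describes a VMDK of the same virtual size. The helper functions parse the text that qemu-img info prints; file names and the sha256sum step are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the qemu-img step with
# the checks a careful operator wants before shipping a disk image around.
# SRC and DST are command line arguments; everything else is as in the
# post (qcow2 source, stream-optimized LSI Logic VMDK target).

set -u

# Parse the "file format:" line of "qemu-img info" output read from stdin.
img_format() {
    sed -n 's/^file format: *//p' | head -n 1
}

# Parse the byte count in parentheses on the "virtual size:" line.
img_virtual_bytes() {
    sed -n 's/^virtual size:.*(\([0-9][0-9]*\) bytes).*/\1/p' | head -n 1
}

# Convert SRC (must be qcow2) to DST and confirm the result describes a
# VMDK of the same virtual size. The new file is created mode 0600: the
# image holds the whole guest (shadow file, SSH host keys, application
# secrets), and qemu-img would otherwise create it world-readable.
convert_to_vmdk() {
    src=$1; dst=$2
    fmt=$(qemu-img info "$src" | img_format)
    if [ "$fmt" != qcow2 ]; then
        echo "refusing: $src is '$fmt', not qcow2" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2
        return 1
    fi
    umask 077
    qemu-img convert -p -f qcow2 -O vmdk \
        -o adapter_type=lsilogic,subformat=streamOptimized,compat6 \
        "$src" "$dst" || return 1
    src_bytes=$(qemu-img info "$src" | img_virtual_bytes)
    dst_bytes=$(qemu-img info "$dst" | img_virtual_bytes)
    if [ "$(qemu-img info "$dst" | img_format)" != vmdk ] || \
       [ "$src_bytes" != "$dst_bytes" ]; then
        echo "conversion produced an unexpected image, not shipping $dst" >&2
        return 1
    fi
    sha256sum "$dst"   # record the digest to compare after the upload to ESXi
}
```

Run convert_to_vmdk harddisk.hdd harddisklsilogic.vmdk on the KVM host, copy the file to a datastore, compare the printed digest on the ESXi side, and only then run the vmkfstools -i ... -d thin step from section 3.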

 

Install Zabbix Agent client on CentOS 9 Stream Linux, Disable Selinux and Firewalld on CentOS9 to make zabbix-agentd send data to server

Thursday, April 14th, 2022

https://pc-freak.net/images/zabbix_agent_active_passive-zabbix-agent-centos-9-install-howto

Installing Zabbix is usually trivial: you either use the distribution's own packages if available, or fetch the right zabbix-release package (which configures the official Zabbix repo on the system), point the agent at the Zabbix server or proxy inside /etc/zabbix/zabbix_agentd.conf and start the client. I expected it to be just as simple and straightforward on a freshly installed CentOS 9 Linux, since placing a zabbix-agent for monitoring is trivial stuff; however the installation ended with the error:

Key import failed (code 2). Failing package is: zabbix-agent-6.0.3-1.el8.x86_64

 

This is what I've done

1. Download and install zabbix-release-6.0-1.el8.noarch.rpm directly from zabbix

I've followed the official documentation from zabbix.com and ran:
 

[root@centos9 /root ]# rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-6.0-1.el8.noarch.rpm

Note that this is the release package for RHEL 8 (".el8"), while CentOS 9 Stream is an EL9 system; Zabbix publishes a separate rhel/9 repository for EL9 hosts, and that is the one to use where it exists for your Zabbix version. This mismatch is the root of the GPG trouble below.


2. Install  the zabbix-agent RPM package from the repositry

[root@centos9 rpm-gpg]# yum install zabbix-agent -y
Last metadata expiration check: 0:02:46 ago on Tue 12 Apr 2022 08:49:34 AM EDT.
Dependencies resolved.
=============================================
 Package                               Architecture                Version                              Repository                      Size
=============================================
Installing:
 zabbix-agent                          x86_64                      6.0.3-1.el8                          zabbix                         526 k
Installing dependencies:
 compat-openssl11                      x86_64                      1:1.1.1k-3.el9                       appstream                      1.5 M
 openldap-compat                       x86_64                      2.4.59-4.el9                         baseos                          14 k

Transaction Summary
==============================================
Install  3 PackagesTotal size: 2.0 M
Installed size: 6.1 M
Downloading Packages:
[SKIPPED] openldap-compat-2.4.59-4.el9.x86_64.rpm: Already downloaded
[SKIPPED] compat-openssl11-1.1.1k-3.el9.x86_64.rpm: Already downloaded
[SKIPPED] zabbix-agent-6.0.3-1.el8.x86_64.rpm: Already downloaded
Zabbix Official Repository – x86_64                                                                          1.6 MB/s | 1.7 kB     00:00
Importing GPG key 0xA14FE591:
 Userid     : "Zabbix LLC <packager@zabbix.com>"
 Fingerprint: A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
Key import failed (code 2). Failing package is: zabbix-agent-6.0.3-1.el8.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED


3. Work around to skip GPG to install zabbix-agent 6 on CentOS 9

With Linux everything becomes more and more of a hack …
The logical first step was to check and make sure that the RPM GPG key reported as failing is actually in place:

[root@centos9 rpm-gpg]# ls -al  /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
-rw-r–r– 1 root root 1719 Feb 11 16:29 /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591

Strangely, the key was in place.

Hence, to have the key loaded, I've tried to import the gpg key manually with the gpg command (note that this imports it into root's GnuPG keyring, which rpm does not consult; rpm keeps its own key store, populated with rpm --import, so this step cannot help on its own):

[root@centos9 rpm-gpg]# gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591


And attempted install again zabbix-agent once again:
 

[root@centos9 rpm-gpg]# yum install zabbix-agent -y
Last metadata expiration check: 0:02:46 ago on Tue 12 Apr 2022 08:49:34 AM EDT.
Dependencies resolved.
==============================================
 Package                               Architecture                Version                              Repository                      Size
==============================================
Installing:
 zabbix-agent                          x86_64                      6.0.3-1.el8                          zabbix                         526 k
Installing dependencies:
 compat-openssl11                      x86_64                      1:1.1.1k-3.el9                       appstream                      1.5 M
 openldap-compat                       x86_64                      2.4.59-4.el9                         baseos                          14 k

Transaction Summary
==============================================
Install  3 Packages

Total size: 2.0 M
Installed size: 6.1 M
Downloading Packages:
[SKIPPED] openldap-compat-2.4.59-4.el9.x86_64.rpm: Already downloaded
[SKIPPED] compat-openssl11-1.1.1k-3.el9.x86_64.rpm: Already downloaded
[SKIPPED] zabbix-agent-6.0.3-1.el8.x86_64.rpm: Already downloaded
Zabbix Official Repository – x86_64                                                                          1.6 MB/s | 1.7 kB     00:00
Importing GPG key 0xA14FE591:
 Userid     : "Zabbix LLC <packager@zabbix.com>"
 Fingerprint: A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
Key import failed (code 2). Failing package is: zabbix-agent-6.0.3-1.el8.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED


Unfortunately that was not a go, so, totally pissed off, I've disabled the gpgcheck for packages completely as a very raw, bad and unrecommended work-around to eventually get zabbix-agentd installed.

Usually RPM GPG key check failures can be worked around in dnf with --nogpgcheck, so I've tried that one, without success:

[root@centos9 rpm-gpg]# dnf update --nogpgcheck
Total                                                                                                        181 kB/s | 526 kB     00:02
Zabbix Official Repository – x86_64                                                                          1.6 MB/s | 1.7 kB     00:00
Importing GPG key 0xA14FE591:
 Userid     : "Zabbix LLC <packager@zabbix.com>"
 Fingerprint: A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: zabbix-agent-6.0.3-1.el8.x86_64
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ZABBIX-A14FE591
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Further I tried to use --nogpgcheck directly on the install,
which according to the dnf man page:


--nogpgcheck
Skip checking GPG signatures on packages (if RPM policy allows).


On CentOS 9, yum is just a compatibility link to dnf, so the yum nogpgcheck option does exactly the same thing:


[root@centos9 rpm-gpg]# yum install zabbix-agent --nogpgcheck -y
 

Dependencies resolved.
===============================================
 Package                             Architecture                  Version                               Repository                     Size
===============================================
Installing:
 zabbix-agent                        x86_64                        6.0.3-1.el8                           zabbix                        526 k

Transaction Summary
===============================================

Total size: 526 k
Installed size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                     1/1
  Running scriptlet: zabbix-agent-6.0.3-1.el8.x86_64                                                                                     1/2
  Reinstalling     : zabbix-agent-6.0.3-1.el8.x86_64                                                                                     1/2
  Running scriptlet: zabbix-agent-6.0.3-1.el8.x86_64                                                                                     1/2
  Running scriptlet: zabbix-agent-6.0.3-1.el8.x86_64                                                                                     2/2
  Cleanup          : zabbix-agent-6.0.3-1.el8.x86_64                                                                                     2/2
  Running scriptlet: zabbix-agent-6.0.3-1.el8.x86_64                                                                                     2/2
  Verifying        : zabbix-agent-6.0.3-1.el8.x86_64                                                                                     1/2
  Verifying        : zabbix-agent-6.0.3-1.el8.x86_64                                                                                     2/2

Installed:
  zabbix-agent-6.0.3-1.el8.x86_64

Complete!
[root@centos9 ~]#

Voila! zabbix-agentd on CentOS 9 Install succeeded!

Yes, I know disabling a GPG check is not really secure and seems an ugly solution, but since I'm short of time at the moment and it is just an experimental install of zabbix-agent on CentOS,
plus we already trusted the Zabbix package repository anyway, I guess it doesn't matter much.
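As an added example (not part of the original post), here are the checks that explain the failure above rather than bypass it. Two things are off in the transaction shown: the release RPM is built for EL8 (".el8") while the host is EL9, and the EL8 repository key carries SHA-1 self-signatures, which the EL9 DEFAULT crypto policy rejects, so rpm cannot import the key and dnf reports "Key import failed (code 2)". The functions below parse /etc/os-release, the package name and a gpg --list-packets listing; the paths and the sample listing used to exercise them are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the checks that explain the
# failure above instead of bypassing it. Two things are off in that
# transaction: the release RPM is built for EL8 (".el8") while the host is
# EL9, and the EL8 repository key carries SHA-1 self-signatures, which the
# EL9 DEFAULT crypto policy rejects, so rpm cannot import it ("Key import
# failed"). Paths are assumptions; nothing here turns signature checking off.

# Major version from an os-release file (default: /etc/os-release).
os_major() {
    file=${1:-/etc/os-release}
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1
}

# Distro tag (el8, el9, ...) embedded in an RPM file or package name.
rpm_dist_tag() {
    printf '%s\n' "$1" | sed -n 's/.*\.\(el[0-9][0-9]*\)\..*/\1/p'
}

# Count signature packets using SHA-1 (OpenPGP digest algorithm id 2) in a
# "gpg --list-packets" listing read from stdin. EL9 refuses to import a key
# whose self-signatures use it.
sha1_sigs_in_packets() {
    grep -c 'digest algo 2,' || true
}

# Refuse a release package built for another EL major, and flag a key the
# host will not import. Only then proceed with the normal, checked install.
check_zabbix_release() {
    pkg=$1; key=$2
    host=$(os_major)
    want=$(rpm_dist_tag "$pkg")
    if [ "$want" != "el$host" ]; then
        echo "mismatch: $pkg is $want but this host is el$host; use the rhel/$host repository" >&2
        return 1
    fi
    if [ "$host" -ge 9 ] && [ "$(gpg --list-packets "$key" | sha1_sigs_in_packets)" -gt 0 ]; then
        echo "$key has SHA-1 signatures; EL$host will not import it under the DEFAULT crypto policy" >&2
        return 1
    fi
    echo "ok: $pkg matches el$host and $key is importable"
}
```

If you are stuck with a SHA-1 signed vendor key on EL9, the lesser evil compared with --nogpgcheck is to allow SHA-1 signatures temporarily with update-crypto-policies --set DEFAULT:SHA1, import the key, and switch back with update-crypto-policies --set DEFAULT; signature verification then stays on for every package the repository ever delivers, whereas the --nogpgcheck install above accepted that one package on the strength of the HTTPS connection alone.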

4. Configure zabbix-agent on the machine

Once you have chosen how the zabbix-agent should send its data to the zabbix-server (Active or Passive mode), the minimum configuration you need in place looks like mine below. Server= is the allow-list of addresses permitted to query the agent for passive checks (anything else is refused on port 10050), ServerActive= is where the agent connects for active checks, and Hostname= must match the host name configured on the server side:

[root@centos9 ~]# grep -v '\#' /etc/zabbix/zabbix_agentd.conf | sed /^$/d
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=0
Server=192.168.1.70,127.0.0.1
ServerActive=192.168.1.70,127.0.0.1
Hostname=centos9
Include=/etc/zabbix/zabbix_agentd.d/*.conf

5. Start and enable the zabbix-agent client

To have it up and running:

[root@centos9 ~]# systemctl start zabbix-agent
[root@centos9 ~]# systemctl enable zabbix-agent

6. Disable SELinux to prevent it interfering with zabbix-agentd

Another amazement was that even though I had now configured active checks, a Server and the correct configuration, the Zabbix server could not reach the zabbix-agent for some weird reason.
I thought that it might be SELinux, checked it, and it seems that in a freshly installed CentOS 9 Linux SELinux is enabled by default, in enforcing mode.

Before switching it off, confirm it is really the blocker: put it in permissive mode only for the test window and look for AVC denials involving the agent in the audit log. If there are none, SELinux is not what refuses the connection and the firewall (step 7) or the Server= line is the more likely cause. Disabling SELinux host-wide removes a protection layer for every service on the box, not just for Zabbix.
 

[root@centos9 ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

To temporarily switch the mode from enforcing to permissive (the policy type stays targeted):

[root@centos9 ~]# setenforce 0

[root@centos9 ~]# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31


That works for the current session only and will not survive a reboot; if you really want SELinux off, it has to be changed in the config file:

[root@centos9 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing – SELinux security policy is enforced.
#     permissive – SELinux prints warnings instead of enforcing.
#     disabled – No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted – Targeted processes are protected,
#     minimum – Modification of targeted policy. Only selected processes are protected. 
#     mls – Multi Level Security protection.
SELINUXTYPE=targeted

 

To disable SELinux, change the SELINUX= line (not SELINUXTYPE=, which selects the policy) to:

SELINUX=disabled

Be aware that on RHEL 9 and its derivatives (CentOS 9 Stream included) Red Hat documents SELINUX=disabled in this file as deprecated; the supported way to fully disable SELinux there is the selinux=0 kernel argument. Permissive mode keeps the policy loaded and logs what would have been denied, which is usually all you need for troubleshooting.

[root@centos9 ~]# grep -v \# /etc/selinux/config

SELINUX=disabled
SELINUXTYPE=targeted


For the change to take effect, and to test that SELinux is disabled, you have to reboot:

[root@centos9 ~]# reboot


Check its status again, it should be:

[root@centos9 ~]# sestatus
SELinux status:                 disabled


7. Enable zabbix-agent through the firewall or disable the firewalld service completely

By default CentOS 9 also has firewalld enabled, so you have to allow the Zabbix server to reach the agent through it.

To enable access from and to zabbix-agentd in both Active / Passive mode:

#firewall settings:
[root@centos9 rpm-gpg]# firewall-cmd --permanent --add-port=10050/tcp
[root@centos9 rpm-gpg]# firewall-cmd --permanent --add-port=10051/tcp
[root@centos9 rpm-gpg]# firewall-cmd --reload
[root@centos9 rpm-gpg]# systemctl restart firewalld
[root@centos9 rpm-gpg]# systemctl restart zabbix-agent

Two remarks: only 10050/tcp (the agent's listening port, used for passive checks) needs to be open on the agent host; 10051/tcp is the server's trapper port, to which the agent connects outbound for active checks and zabbix_sender, so opening it here exposes a port nothing listens on unless the host is also a server or proxy. And --add-port opens the port to every source, while restricting it to the Zabbix server's address keeps the exposure minimal. The --reload already applies the permanent rules, so the firewalld restart is redundant.


If the machine is in a local DMZ-ed network with a tightly configured firewall router in front of it, you could disable firewalld completely. Keep in mind, though, that the host firewall is the only thing limiting which machines inside that segment can talk to the agent; a single allow rule for the Zabbix server costs nothing and still holds if another host in the DMZ gets compromised.

[root@centos9 rpm-gpg]# systemctl stop firewalld
[root@centos9 rpm-gpg]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
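As an added example (not part of the original post), the least-privilege alternative to opening the port to everyone: derive the firewall rule from the agent's own Server= line, so that only the Zabbix server addresses the agent already trusts may reach port 10050, and nothing is opened for active checks, which are outbound. The rich-rule syntax is firewalld's; the config paths, the IPv4-only assumption and the sample configuration in the test are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: derive the host-firewall rule
# from the agent config instead of opening 10050 to the world. Only the
# Zabbix server(s) listed in Server= need to reach the agent's port 10050;
# active checks are outbound connections to the server's 10051, so nothing
# needs to be opened for them on the agent host. Paths and the IPv4-only
# rule family are assumptions; DNS names in Server= are not handled.

AGENT_CONF=${AGENT_CONF:-/etc/zabbix/zabbix_agentd.conf}
AGENT_PORT=${AGENT_PORT:-10050}

# Print the non-loopback entries of the Server= line, one per line
# (addresses or CIDR ranges; loopback needs no firewall rule).
zabbix_server_ips() {
    sed -n 's/^Server=//p' | tr ',' '\n' | sed 's/^ *//; s/ *$//' | \
    grep -v '^127\.' | grep -v '^$'
}

# Build a firewalld rich rule accepting AGENT_PORT/tcp from one source.
rich_rule_for() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$AGENT_PORT"
}

# Apply one rich rule per server address, then reload. Addresses that are
# not in Server= get nothing, which matches what the agent itself accepts.
apply_agent_firewall() {
    zabbix_server_ips < "$AGENT_CONF" | while read -r ip; do
        firewall-cmd --permanent --add-rich-rule="$(rich_rule_for "$ip")"
    done
    firewall-cmd --reload
}
```

With the configuration from step 4 this adds a single rule for 192.168.1.70 and leaves 10051 closed; run apply_agent_firewall again whenever Server= changes.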

 

Next, log in to the Zabbix server web interface as administrator and from Configuration -> Hosts create the centos9 host and assign it a template of your choice. Data from the added machine should appear shortly after another restart of the agent (the systemd unit is zabbix-agent, as above):

[root@centos9 rpm-gpg]# systemctl restart zabbix-agent


8. Tracking other oddities with the zabbix-agent through its log

If Zabbix still has issues connecting to the remote node, raise the debug log level in the agent config (the option is DebugLevel=, as in the commented template below):
 

[root@centos9 rpm-gpg]# vim /etc/zabbix/zabbix_agentd.conf
DebugLevel=5

### Option: DebugLevel
#       Specifies debug level:
#       0 – basic information about starting and stopping of Zabbix processes
#       1 – critical information
#       2 – error information
#       3 – warnings
#       4 – for debugging (produces lots of information)
#       5 – extended debugging (produces even more information)
#
# Mandatory: no
# Range: 0-5
# Default:
# DebugLevel=3

[root@centos9 rpm-gpg]# systemctl restart zabbix-agent

Keep in mind that debugging at this level is very verbose, so once the machine is seen in Zabbix, don't forget to comment the line out and restart the agent to turn it off.

9. Testing zabbix-agent: how to send a value to a specific item key

Usually, when writing UserParameter scripts, the data collected by the scripts is sent to the Zabbix server via item keys.
Thus one way to check that the zabbix-agent -> zabbix-server path works is to push some test data to a key with zabbix_sender once the agent is configured on the machine. zabbix_sender reads ServerActive= and Hostname= from the agent config (that is what -c is for) and delivers the value to the server's trapper port 10051, so on the server side the item must be of type "Zabbix trapper" with that key.

In this case we will use something like ApplicationSupport-Item as the item key.
 

[root@centos9 rpm-gpg]# /usr/bin/zabbix_sender -c "/etc/zabbix/zabbix_agentd.conf" -k "ApplicationSupport-Item" -o "here is the message"

Assuming you have created the newly prepared zabbix-agent host on the Zabbix server, you should shortly see the data arriving under Latest data. The passive direction is tested from the server side with zabbix_get against the agent's port 10050.

Exaltation of the Holy Cross day in the Bulgarian Orthodox Church / Veneration of the Holy cross church feast

Saturday, April 3rd, 2021

Exaltation of the Holy Christ Cross icon, day in the Bulgarian Orthodox Church

The Universal Exaltation of the Precious and Life-Giving Cross, XVII century icon from the village of Belovo, Tryavna region

The Universal Exaltation of the Precious and Life-Giving Cross (Elevation of the Cross) is celebrated on the 14th of September each year according to the new calendar; according to the old church calendar, the Church celebrated it on the 27th of September.

The day is marked by a strong fasting, for short we refer in Bulgarian to this big Church feast as (The day of the Cross / Krystov den).
The Holy Orthodox Christian Church does worship the cross 4 times a year on:

  • Third Sunday after the start of the Great Lent
  • Holy Friday (Good Friday)
  • 1st of August
  • and

  • 14th of September – The Exaltation of the Holy life giving Cross

On this day we Orthodox Christians go to church and bow in veneration and kiss the Holy Cross on which our Saviour Jesus Christ suffered for our salvation. Through His suffering on the cross our Lord has granted all of us Christians an unbeatable "weapon" against evil and sin.
Through the cross Christ has been victorious over sin and death.

According to old Church tradition, on this day Christian people would ask the priest to come to their homes and perform a vodosvet (sprinkle the house with blessed holy water). Vodosvet is one of the Orthodox Church's blessing services: specific prayers beg God for forgiveness of sins and ask for good health and blessing. The prayers are read over a vessel containing clean water. Finally the priest blesses the water with the life-giving cross 3 times (as a symbol of the Holy Trinity), then uses the cross and a small twig to sprinkle all the people and objects in the house.

On the feast of the Exaltation of the Holy Cross we also celebrate the following 3 events:

1. The miraculous appearance of the Holy Cross to Emperor St. Constantine
2. The finding in Jerusalem of the Holy life-giving cross on Golgotha
3. The return of the Life-giving cross from Persian captivity

On the 14th of September, according to Church tradition, Saint John Chrysostom gave up his spirit and joined the assembly of the saints of God; however, because of the great significance of the Exaltation, the holy fathers of the Church decided that his memory is celebrated on the 13th of September.

The Antiphon for the feast of the Exaltation of the Cross is sung; translated from Slavonic, its meaning goes like this:

Troparion-Vyzdvizhenie-na-Svetiq-Kryst-Gospoden-Exalation-of-the-Cross-Church-slavonic

 

Troparion of the Exaltation of the Holy Cross voice 1 / Тропар на светия Кръст, глас 1

Спаси, Господи, люди Твоя и благослови достояние Твое, победы на сопротивныя даруя, и Твое сохраняя Крестом Твоим жительство.

Troparion voice 1

Save Oh Lord, your people and bless possession, grant us oh Lord a victory over our enemies and save your inheritance with your Cross

Troparion voice 2

You've been lifted willingly on the cross, grant you mercies to your inheritance oh Christ our Lord,
stregthen the spirits of the pious king and to your people,
grant us victory against our enemies,
Surround us with peace and with peace give us unbeatable victory

In the Magnification part of the Holy Liturgy for the feast it is sung:

We magnify you, oh Christ life giver,
and your Holy cross, because you have saved us from the enemy.

What does Church tradition say about the finding of the holy cross of Christ's sufferings?

After the crucifixion of Christ, according to the custom of those times, the instrument of punishment of this kind, the cross tree, was buried in the ground at the same place where the punishment was executed.
Following this custom, the cross used for the crucifixion was buried on Golgotha, where Christ was crucified.
In later times Emperor Hadrian, in his attempt to destroy Christianity and the place of pilgrimage at Golgotha, issued an order to build a pagan shrine on the same place.
Later, under the reign of Emperor St. Constantine, the cross appeared in the sky in a miraculous way, and again under his reign the place of Golgotha (which literally translated means "the place of the skull") was rediscovered.

Third Sunday after start of the Great Lent – Sunday of the Veneration of the Holy Cross

Today, 03.04.2021, we Orthodox are in the blessed period of the Great Lent. It is no coincidence that the Church has set this feast on exactly this date. It is set in the 3rd week of the 43 days (7 weeks) that the fasting period lasts in the Eastern Orthodox Christian Church, because this is a little less than half of the Lent period. We know from the experience of spiritual fathers that once we start a job, the hardest period comes when about 40% of the work is done; at that time the person desires to leave and quit the job, but if he perseveres the set goal suddenly progresses and this is overcome. Then again, at the end of the period, near the completion of the goal, we start desiring to quit the job we started and lose all the energy we put together, as a plan of the evil one, who wants us always to lose energy (both spiritual and physical) and never gain anything. Thus the Church set this feast of the Cross here to give us a way to draw new energy from the cross, so we can continue well in the work of the Lent. By the cross and its glorious power the spirit of despondency is crushed, and we are strengthened and rejoice in the great glory our God has given us.
The_Exaltation-of-the-Holy-Cross-of-Christ-bishop-Polikarp-Bulgarian-Orthodox-Church
 

The exaltation of the cross is also a feast of everyone celebrating his own cross. The victory over death and everything was once fulfilled by Christ on the Cross. The humanity is saved already but it is up to everyone's free will to accept this salvation or not. The path is set it is the path of the Cross of Christ, meaning acceptance (humility) of all the unpleasant life events and situations, accepting everydays unexpected changes believing that this is God's providence and cross for each one of us, accepting the pain and suffering that is part of the personal cross we hold, accepting that one day our beloved and friends will pass away from this life, accepting the fact we age and the aging guarantees sufferings of the body but the spirit is refreshed by the grace of God, accepting all and enduring everyhing for the sake of the cross … 

Sunday-of-the-Veneration-of-the-Holy-Cross-Bulgarian_Orthodox-Church

The cross is the holder of the Universe and there is no power that will ever overwhelm it, as it is said in the Church hymns: the Cross is the holder (binds together) of the whole universe. It is by the Cross that all evil has been conquered and eternal life has been given. The path of the cross is suffering; this is hard for the modern man to accept, as we have been taught to believe the only measure of success is prosperity, personal well-being, physical health, possessing things. On the contrary, the Christian says the most blessed and best thing one can have is the cross, meaning personal suffering for and with Christ. By the suffering of the Cross Christ has glorified the bodily flesh He possessed while on earth in the body. By the Cross Christ has become the first-begotten of all the sons of God. By the cross the saints have conquered all evils and have been sanctified; by the cross we still continue to progress in goodness.
May God, by the holy miracle-working power of our Saviour's cross and by the prayers of all the Saints and our Theotokos (the Holy Virgin Mary), grant to all of us Christians victory over our enemies! Amen

 

Howto Upgrade IBM Spectrum Protect Backup Client TSM 7.X to 8.1.8, Update Tivoli 8.1.8 to 8.1.11 on CentOS and Redhat Linux

Thursday, December 3rd, 2020

 

IBM-spectrum-protect-backup-logo-tivoli-tsm-logo

On another day of system administrator boredom, we had the task to upgrade the Tivoli TSM backup clients running on 20+ machines powered by CentOS and RHEL Linux, to bring the systems to the latest patched IBM Spectrum Protect backup client version available from IBM. For the patching I've used a central server where I initially downloaded the TSM client binary archives provided by IBM. From this machine we copied TivSM*.tar to each and every system that needs patching, and then patched it. The task is not too complex, as the TSM clients on the machines are all at the same version and all run a recently patched Linux. To make sure all works as expected, we first tested the TSM upgrade from 7.X.X to 8.X.X on one machine, then the 8.1.8 to 8.1.11 upgrade on another one. Once we had confirmed that backups work as expected after the upgrade, we proceeded to do it massively on each of the remaining 20+ hosts.
The goal of this article is to help a lazy sysadmin prepare a standardized TSM backup client upgrade procedure, which, as with much of IBM's software, is very specific: the upgrade requires a bit of manual work and extra caution, since there seems to be no easy way (or at least I don't know one) to do it by simply adding an RPM repository and running something like yum install tivsm*.


0. Check that there is at least 2G of free space

According to the documentation, the minimum you need for a functional install, without ending up with a half-installed client or a full filesystem, is 2 gigabytes of free disk space on the filesystem where the .tar and the RPMs will live.

So check the situation on the filesystem where you will store the .tar archive, extract the .RPM files and install them:

# df -h

1. Download the correct tarball with the 8.1 client

On one central machine you need to download the Tivoli client; you can do that via wget / curl / lynx, whatever is at hand on the Linux server.

As of the time of writing this article, TSM 8.1.11 is located at the
URL:

http://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/v8111/

I've made a local download mirror of Tivoli TSM 8.1.11 here.
In case you need to install the IBM Spectrum Protect client into a PCI-secured environment, a DMZ-ed LAN network, from a work PC, you can download it first to your local PC and upload it via the Citrix client upload program or WinSCP to a central replication host, from where you will later copy it to each of the other server nodes that need upgrading. Since the download is plain HTTP, verify what you fetched before spreading it around: the tarball ships IBM's RPM signing key (RPM-GPG-KEY-ibmpkg), and the extracted RPMs should be checked against it with rpm -K before anything is installed.

Let's copy the archive to all server hosts where we want it installed later, using a small hack

Assuming you already have an Excel document or a plain text document with all the IPs of the affected hosts where TSM needs to be upgraded, extract this data and from it create a plain text file /home/user/hosts.txt containing all the machine IPs, one per line (separated by newlines, \n), so you can loop over each one and use scp to send the files.

– Replicate the Tivoli tar to all machine hosts where you want IBM Spectrum Protect installed or upgraded.
Do it with a loop like this:

# for i in $(cat hosts.txt); do scp 8.1.11.0-TIV-TSMBAC-LinuxX86.tar user@$i:/home/user/; done

Copy your server password to the clipboard temporarily (assuming all your passwords to each machine are identical) and paste the login password for each host to initiate the transfer. With 20+ hosts it is better to load an SSH key into ssh-agent beforehand so the loop runs unattended; either way, do not bypass host key verification to save time, or a wrong or spoofed host would silently receive the archive.
 

2. SSH to each of the Machine hosts IPs

Once you log in to the host you want to upgrade,
go to your user $HOME /home/user and create the directories where we'll temporarily store the Tivoli archive files and extract the RPMs:

[root@linux-server user]# mkdir -p ~/tsm/TSM_BCK/
[root@linux-server user]# mv 8.1.11.0-TIV-TSMBAC-LinuxX86.tar ~/tsm
[root@linux-server user]# cd tsm
[root@linux-server user]# tar -xvvf 8.1.11.0-TIV-TSMBAC-LinuxX86.tar
gskcrypt64-8.0.55.17.linux.x86_64.rpm
GSKit.pub.pgp
gskssl64-8.0.55.17.linux.x86_64.rpm
README_api.htm
README.htm
RPM-GPG-KEY-ibmpkg
TIVsm-API64.x86_64.rpm
TIVsm-APIcit.x86_64.rpm
TIVsm-BAcit.x86_64.rpm
TIVsm-BAhdw.x86_64.rpm
TIVsm-BA.x86_64.rpm
TIVsm-filepath-source.tar.gz
TIVsm-JBB.x86_64.rpm
TIVsm-WEBGUI.x86_64.rpm
update.txt

3. Create a backup of the old configuration files

It is always a good idea to keep the old configuration files around:

[root@linux-server tsm]# cp -av /opt/tivoli/tsm/client/ba/bin/dsm.opt ~/tsm/TSM_BCK/dsm.opt_bak_$(date +'%Y_%m_%d')
[root@linux-server tsm]# cp -av /opt/tivoli/tsm/client/ba/bin/dsm.sys ~/tsm/TSM_BCK/dsm.sys_bak_$(date +'%Y_%m_%d')

[root@linux-server tsm]# [[ -f /etc/adsm/TSM.PWD ]] && cp -av /etc/adsm/TSM.PWD ~/tsm/TSM_BCK/ || echo 'file doesnt exist'

/etc/adsm/TSM.PWD is only there as a legacy from TSM version 7, where it contained the encrypted passwords used for updates. In TSM v8 this encrypted file is gone, as a new mechanism for storing sensitive data was introduced.
Be aware that on Tivoli 8.X the command above will therefore print 'file doesnt exist'.

!! Note – if the dsm.opt and dsm.sys files are in different locations, use the correct full path locations !!

4. Stop  dsmcad – TSM Service daemon

[root@linux-server tsm]# systemctl stop dsmcad

5. Locate and deinstall all old Clients

Depending on the version you upgrade from: if you're upgrading from TSM version 7 to 8, you will get output like:

[root@linux-server tsm]# rpm -qa | grep 'TIVsm-'
TIVsm-BA-7.1.6-2.x86_64
TIVsm-API64-7.1.6-2.x86_64

If you're one of those paranoid admins, you can remove the TIVsm packages one by one:

[root@linux-server tsm]# rpm -e TIVsm-BA-7.1.6-2.x86_64
[root@linux-server tsm]# rpm -e TIVsm-API64-7.1.6-2.x86_64

If instead you're upgrading from version 8.1.8 to 8.1.11 because of the security CVE advisories recently published by IBM, e.g. (IBM Runtime Vulnerability affects IBM Spectrum Backup archive Client) and vulnerability in Apache Commons Log4J affecting IBM Spectrum Protect Backup Archive Client, the output will look like:

[root@linux-server tsm]# rpm -qa | grep 'TIVsm-'
TIVsm-API64-8.1.8-0.x86_64
TIVsm-BA-8.1.8-0.x86_64

Assuming you're not scared of a bit of automation, you can do it straight away with the one-liner below too 🙂

# rpm -e $(rpm -qa | grep TIVsm)

[root@linux-server tsm]# rpm -qa | grep gsk
[root@linux-server tsm]# rpm -e gskcrypt64 gskssl64

6. Check uninstallation success:

[root@linux-server tsm]# rpm -qa | grep TIVsm
[root@linux-server tsm]# rpm -qa | grep gsk

Here you should get empty output if the packages are no longer on the system, e.g. empty output is good output! 🙂

7. Install new client IBM Spectrum Client (Tivoli Storage Manager) and lib dependencies

[root@linux-server tsm]# rpm -ivh gskcrypt64-8.0.55.4.linux.x86_64.rpm
[root@linux-server tsm]# rpm -ivh gskssl64-8.0.55.4.linux.x86_64.rpm

If you're too lazy to type, you can do it this way as well:

[root@linux-server tsm]# rpm -Uvh gsk*

The next step is to install the main Tivoli SM components, the API files and BA (the Backup Archive Client):

[root@linux-server tsm]# rpm -ivh TIVsm-API64.x86_64.rpm
[root@linux-server tsm]# rpm -ivh TIVsm-BA.x86_64.rpm

If you have to do it on multiple servers and you do it manually following a guide like this, you might instead want to install them with one liner.

[root@linux-server tsm]# rpm -ivh TIVsm-API64.x86_64.rpm TIVsm-BA.x86_64.rpm

There are some non-mandatory "Common Inventory Technology" components (in some cases, if you're using the API, you install them; we did not need them). Just in case you need them on your servers due to your backup architecture, install the commented-out rpm files below too:

## rpm -ivh TIVsm-APIcit.x86_64.rpm

## rpm -ivh TIVsm-BAcit.x86_64.rpm

These packages are only needed if you use the WebGUI TSM GUI management, Journal Based Backup (JBB) or the ONTAP library (BAhdw):


— TIVsm-WEBGUI.x86_64.rpm
— TIVsm-JBB.x86_64.rpm
— TIVsm-BAhdw.x86_64.rpm

8. Start and enable dsmcad service

[root@linux-server tsm]# systemctl stop dsmcad

You will get a warning like:

##Warning: dsmcad.service changed on disk. Run 'systemctl daemon-reload' to reload units.

[root@linux-server tsm]# systemctl daemon-reload

[root@linux-server tsm]# systemctl start dsmcad


## enable dsmcad – it is disabled by default after install

[root@linux-server ~]# systemctl enable dsmcad

[root@linux-server tsm]# systemctl status dsmcad

9. Check the dsmcad service is really running

Once enabled, IBM TSM will spawn a dsmcad process in the background; if it started properly you should see the backgrounded process:

[root@linux-server tsm]# ps -ef|grep -i dsm|grep -v grep
root      2881     1  0 18:05 ?        00:00:01 /usr/bin/dsmcad

If the process is not there, there might be some library or something else not in place preventing the process from starting …

10. Check DSMCAD /var/tsm logs for errors

After having the dsmcad process enabled and running in the background, check the server version the scheduler logged:

[root@linux-server tsm]# grep -i Version /var/tsm/sched.log|tail -1
12/03/2020 18:06:29   Server Version 8, Release 1, Level 10.000

 

[root@linux-server tsm]# cat /var/tsm/dsmerror.log

To see the current TSM configuration without comments (comment lines in dsm.sys start with '*'), we can grep them out:

[root@linux-server tsm]# grep -v '*' /opt/tivoli/tsm/client/ba/bin/dsm.sys

Example Configuration of the agent:
—————————————————-
   *TSM SERVER NODE Location
   Servername           tsm_server
   COMMmethod           TCPip
   TCPPort              1400
   TCPServeraddress     tsmserver2.backuphost.com
   NodeName             NODE.SERVER-TO-BACKUP-HOSTNAME.COM
   Passwordaccess       generate
   SCHEDLOGNAME         /var/tsm/sched.log
   SCHEDLOGRETENTION    21 D
   SCHEDMODE            POLLING
   MANAGEDServices      schedule
   ERRORLOGNAME         /var/tsm/dsmerror.log
   ERRORLOGRETENTION    30 D
   INCLEXCL             /opt/tivoli/tsm/client/ba/bin/inclexcl.tsm
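Note that grep -v '*' drops every line containing an asterisk anywhere, not only the comment lines that start with one, so an include/exclude wildcard pattern would vanish from the output as well. As an added example (my own script, not the post's or IBM's), here is a POSIX sh helper that reads a dsm.sys-style file properly, treating only lines whose first non-blank character is '*' as comments, and runs a few sanity checks on the options from the example configuration above: the server, address, node name and both log paths must be present, and Passwordaccess must be generate so the scheduler runs unattended without a password prompt. The sample dsm.sys used in the test is constructed from the configuration shown.

```shell
#!/bin/sh
# Added example (not from the original post): parse dsm.sys options and check
# the settings a post-upgrade sanity check cares about.

# dsm_opt FILE KEY -> value of option KEY (keys are case-insensitive in TSM);
# only lines whose first non-blank character is '*' are treated as comments.
dsm_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*\*/ { next }                  # comment line
        NF >= 2 && tolower($1) == key {
            $1 = ""; sub(/^ +/, ""); print; exit    # print the rest of the line
        }
    ' "$1"
}

# check_dsm_sys FILE -> prints every problem found; returns 0 only when all pass
check_dsm_sys() {
    rc=0
    for k in Servername TCPServeraddress NodeName ERRORLOGNAME SCHEDLOGNAME; do
        v=$(dsm_opt "$1" "$k")
        [ -n "$v" ] || { echo "missing option: $k"; rc=1; }
    done
    # 'generate' lets the client store and rotate the node password itself,
    # which is what an unattended scheduler (dsmcad) needs
    pa=$(dsm_opt "$1" Passwordaccess | tr 'A-Z' 'a-z')
    [ "$pa" = "generate" ] || { echo "Passwordaccess is '$pa', expected generate"; rc=1; }
    return $rc
}

# Usage: check_dsm_sys /opt/tivoli/tsm/client/ba/bin/dsm.sys && echo "dsm.sys OK"
```

Run it on each upgraded host right after step 10; a non-zero exit code tells you the restored configuration is incomplete before the first scheduled backup silently fails.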

11. Remove tsm install directory tar ball and rpms to save space on system

The current version of the Tivoli Storage Manager client archive is 586 Megabytes:

[root@linux-server tsm]# du -hsc 8.1.11.0-TIV-TSMBAC-LinuxX86.tar
586M    8.1.11.0-TIV-TSMBAC-LinuxX86.tar

Some systems are on purpose configured to have less space under their /home directory,
hence it is a good idea to clean up unnecessary files after completion.

Lets get rid of all the IBM Spectrum archive source files and the rest of RPMs used for installation.

[root@linux-server tsm]# rm -rf ~/tsm/{*.tar,*.rpm,*.gpg,*.htm,*.txt}

12. Check backups are really created on the configured remote Central backup server

To make sure that after the upgrade the backups are continuously created and properly stored on the IBM Tivoli remote central backup server, either manually initiate a backup or wait for, let's say, a day and run the dsmc client to show all backups created since the previous day. To make sure you'll not get empty output, you can modify some file on purpose by simply opening it and saving it without changing anything, e.g. your ~/.bashrc or ~/.bash_profile.

## List all backups for '/' root directory from -fromdate='DD/MM/YY'

[root@linux-server tsm]# dsmc
Protect>
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 11.0
  Client date/time: 12/03/2020 18:14:03
(c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved.

Node Name: NODE.SERVER-TO-BACKUP-HOSTNAME.COM
Session established with server TSM2_SERVER: AIX
  Server Version 8, Release 1, Level 10.000
  Server date/time: 12/03/2020 18:14:04  Last access: 12/03/2020 18:06:29
 
Protect> query backup -subdir=yes "/" -fromdate=12/3/2020
           Size        Backup Date                Mgmt Class           A/I File
           —-        ———–                ———-           — —-
         6,776  B  12/03/2020 01:26:53             DEFAULT              A  /etc/freshclam.conf
         6,685  B  12/03/2020 01:26:53             DEFAULT              A  /etc/freshclam.conf-2020-12-02
         5,602  B  12/03/2020 01:26:53             DEFAULT              A  /etc/hosts
         5,506  B  12/03/2020 01:26:53             DEFAULT              A  /etc/hosts-2020-12-02
           398  B  12/03/2020 01:26:53             DEFAULT              A  /opt/tivoli/tsm/client/ba/bin/tsmstats.ini
       114,328  B  12/03/2020 01:26:53             DEFAULT              A  /root/.bash_history
           403  B  12/03/2020 01:26:53             DEFAULT              A  /root/.lesshst

Windows 7 fix menu messed up cyrillic – How to fix cyrillic text in Windows

Friday, July 22nd, 2016

faststone-viewer-messed-up-menu-cyrillic-windows-7-screenshot

How to fix Cyrillic text on Windows 7

I've reinstalled my HP-provided company work notebook with Windows 7 Enterprise x86 and had trouble seeing Cyrillic written text, letters and fonts.
The result, after installing some programs and selecting Bulgarian as the default language during the installation setup prompt, was that in some programs, in some of my old text file names and in Cyrillic WIN CP1251 content I saw cryptic letters like in the above screenshot.

If you're curious what is causing the broken encoding of the Cyrillic text: in the past a lot of Cyrillic was written in the default KOI-8R and WIN-CP1251 encodings, which are not Unicode, i.e. not compatible with the newer standard encoding for Cyrillic, UTF-8. Of course the authors of some old programs and documents are not really responsible for the messed-up Cyrillic, as no one expected that every Cyrillic text would be in UTF-8 in newer times.

Thankfully there is a way to fix the unreadable / broken encoding Cyrillic text by:

Going too menus:

Start menu -> Control Panel -> Change display language -> Clock, Language and Region

Once there click the Administrative tab

and choose

Change system locale.

windows-7_administrative_tab_change-system-locale

Here if you're not logged in with administrator user you will be prompted for administrative privileges.

select-system-locale-choose-bulgarian-and-hit-ok-windows-7

Once there, choose your language (country) to be:

Bulgarian (Bulgaria) – if you're like me a Bulgarian or Russian (if you're Russian / Belarusian / Ukrainian) or someone from the countries of ex-USSR.
Click OK

And reboot (restart) your computer in order to make the new settings active.
 

This should be it; from now on all Cyrillic letters in all programs / documents and file names on your PC should display fine, more or less as intended by the assumed creator of Cyrillic, Saint Climent Ohridski, who reformed Cyrillic from the Glagolitic alphabet.