Mounting partitions with systemd

Example systemd mount unit:

[Unit]
Description = Backup logical volume
After = lvm2-monitor.service

[Mount]
What = UUID=a37505f4-46e7-4496-8926-deadbeef4a79
#What = /dev/vg_backup/lv_backup
Where = /mnt/backup
Type = xfs
# data volume: no device nodes, no setuid binaries, nothing executable from it
Options = nodev,nosuid,noexec

[Install]
WantedBy = multi-user.target

Note that the unit file name has to match the Where= path: the leading slash is dropped and the remaining slashes become dashes (systemd-escape --path --suffix=mount /mnt/backup prints the exact name, including the \x2d escapes a dash inside the path would need), so this unit must be named mnt-backup.mount and goes in /etc/systemd/system/. systemd refuses to load a .mount unit whose name does not match Where=. After creating it, run systemctl daemon-reload and then systemctl enable --now mnt-backup.mount to mount it now and at every boot.
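As an added example (not part of the original post), the following script derives the unit name from the Where= path with the same escaping rules systemd uses, and renders the hardened unit text so the file can be generated rather than typed. unit_name_for_mountpoint and render_mount_unit are names chosen here; the escaping covers ASCII paths.

```shell
#!/bin/sh
# Added example (not from the original post): derive the .mount unit name from
# the Where= path with the escaping rules of systemd.unit(5). It reproduces
# what `systemd-escape --path --suffix=mount PATH` prints for ASCII paths:
#   - leading/trailing and duplicate "/" are dropped, remaining "/" become "-"
#   - bytes outside [A-Za-z0-9:_.] are written as \xNN (so "-" becomes \x2d)
#   - a "." is escaped as \x2e only when it would be the first character
#   - the root path "/" becomes "-"
unit_name_for_mountpoint() {
    p=$(printf '%s' "$1" | sed 's#//*#/#g; s#^/##; s#/$##')
    if [ -z "$p" ]; then
        printf '%s\n' '-.mount'
        return 0
    fi
    out='' first=1
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}      # first character of the remaining path
        p=${p#?}
        case "$c" in
            /)              out="$out-" ;;
            [A-Za-z0-9:_])  out="$out$c" ;;
            .) if [ "$first" = 1 ]; then out="$out\\x2e"; else out="$out."; fi ;;
            *)              out="$out\\x$(printf '%02x' "'$c")" ;;
        esac
        first=0
    done
    printf '%s\n' "$out.mount"
}

# Render a mount unit for a data volume. Arguments: what (UUID=... or a
# device path), where, filesystem type, mount options. The options are the
# caller's; pass nodev,nosuid,noexec for anything that only holds data.
render_mount_unit() {
    cat <<EOF
[Unit]
Description=Mount $2
After=lvm2-monitor.service

[Mount]
What=$1
Where=$2
Type=$3
Options=$4

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on a real host (not run here):
#   unit=$(unit_name_for_mountpoint /mnt/backup)      # -> mnt-backup.mount
#   render_mount_unit UUID=a37505f4-46e7-4496-8926-deadbeef4a79 /mnt/backup \
#       xfs nodev,nosuid,noexec > "/etc/systemd/system/$unit"
#   systemctl daemon-reload && systemctl enable --now "$unit"
```

Run it with sh; the functions only print, nothing is written unless you redirect the output yourself.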


Regex process check with Nagios/Adagios

Check Command:

define command {
 command_name check_nrpe_procs_regex
 command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_procs_regex -a $_SERVICE_WARNING$ $_SERVICE_CRITICAL$ $_SERVICE_USER$ $_SERVICE_EREG_ARG_ARRAY$
}

NRPE command (in nrpe.cfg or a file under /etc/nrpe.d/):

command[check_procs_regex]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -u $ARG3$ --ereg-argument-array "$ARG4$"

Because the thresholds, the user and the regex arrive as NRPE arguments, nrpe.cfg needs dont_blame_nrpe=1 and the daemon has to be built with --enable-command-args. That makes the Nagios server a trusted party for this host: whoever can talk to the NRPE port (restrict it with allowed_hosts) chooses the regex that is run. NRPE rejects arguments containing shell metacharacters, so $ARG4$ cannot break out of the command, but keep the command definitions this narrow and do not turn them into generic "run this" wrappers.

Nagios service (each __VARIABLE becomes the matching $_SERVICE_VARIABLE$ macro in the command line above; __NAME is not used by that command line and only documents the check, and Nagios strips the single quotes around the regex when it splits the command line, so check_procs receives /usr/sbin/apache2 without them):

define service {
 use okc-linux-check_proc
 host_name hostname.domain.com
 __NAME apache2
 __WARNING 1:100
 __CRITICAL 0:200
 service_description Process apache2
 check_command check_nrpe_procs_regex
 __EREG_ARG_ARRAY '/usr/sbin/apache2'
 __USER www-data
}
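An added example, not from the post, to see what these settings actually do: it implements the threshold-range grammar that check_procs applies to -w and -c, counts processes over a constructed ps listing, and shows that with -w 1:100 -c 0:200 an apache2 that is not running at all yields only WARNING, because 0 lies inside 0:200 (use -c 1:200 if absence should be CRITICAL). It also shows why the regex should be anchored: an unanchored apache2 also counts a helper script with apache2 in its path. SAMPLE_PS, range_alerts, count_procs and procs_state are names made up here.

```shell
#!/bin/sh
# Added example (not from the original post): the threshold-range grammar that
# check_procs -w/-c (and every other Nagios plugin) use, applied to a process
# count taken from a constructed `ps -eo user,args` listing.

# range_alerts COUNT RANGE: true (exit 0) when COUNT must raise the alert.
#   10      alert if COUNT < 0 or > 10        1:100   alert if < 1 or > 100
#   10:     alert if COUNT < 10               ~:10    alert if > 10
#   @1:10   alert if COUNT is inside 1..10 (the @ inverts the range)
range_alerts() {
    count=$1 range=$2 inside=0 outside=0
    case "$range" in @*) inside=1; range=${range#@} ;; esac
    case "$range" in
        *:*) lo=${range%%:*}; hi=${range#*:} ;;
        *)   lo=0; hi=$range ;;
    esac
    [ "$lo" = "~" ] && lo=''                        # "~" = negative infinity
    [ -n "$lo" ] && [ "$count" -lt "$lo" ] && outside=1
    [ -n "$hi" ] && [ "$count" -gt "$hi" ] && outside=1
    if [ "$inside" -eq 1 ]; then [ "$outside" -eq 0 ]; else [ "$outside" -eq 1 ]; fi
}

# Constructed sample of `ps -eo user,args` output (not taken from a real host).
SAMPLE_PS='USER     COMMAND
root     /usr/sbin/apache2 -k start
www-data /usr/sbin/apache2 -k start
www-data /usr/sbin/apache2 -k start
www-data /bin/sh /usr/local/bin/apache2-helper
postgres /usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main'

# count_procs USER ERE: number of sample processes owned by USER whose argument
# vector matches ERE, i.e. what check_procs -u USER --ereg-argument-array ERE
# counts. An unanchored "apache2" also matches the helper script above.
count_procs() {
    printf '%s\n' "$SAMPLE_PS" | awk -v u="$1" -v re="$2" '
        NR > 1 { args = $0; sub(/^[^ ]+ +/, "", args)
                 if ($1 == u && args ~ re) n++ }
        END { print n + 0 }'
}

# procs_state COUNT WARN CRIT: the state check_procs reports for that count.
procs_state() {
    if   range_alerts "$1" "$3"; then echo CRITICAL
    elif range_alerts "$1" "$2"; then echo WARNING
    else echo OK; fi
}

# e.g. procs_state "$(count_procs www-data '^/usr/sbin/apache2')" 1:100 0:200
```

Run with sh; the functions have no side effects, so the thresholds from a service definition can be tried against any count before they go into production.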

TUN/TAP device in lxc containers

Inside an LXC container /dev is not populated by udev, so /dev/net/tun has to be created by the container itself. On Red Hat or Debian based guests, create the following systemd unit:

/etc/systemd/system/tundev.service:
    [Unit]
    Description=Add tun device workaround
    Wants=network.target
 
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    # -p so the unit also succeeds when the directory already exists;
    # on Debian 8 without merged /usr the binaries live in /bin, not /usr/bin
    ExecStart=/usr/bin/mkdir -p /dev/net
    # 0666 is the normal mode for /dev/net/tun; opening it still needs CAP_NET_ADMIN,
    # and mknod fails if the node already exists, so stop the unit before re-running it
    ExecStart=/usr/bin/mknod -m 666 /dev/net/tun c 10 200
 
    [Install]
    WantedBy=multi-user.target

To have the device in place before a particular unit starts (ex. OpenVPN), do not rely on Before=openvpn@.service under [Unit]: a bare template name in a dependency does not mean "all instances"; systemd substitutes the referring unit's own name as the instance, so from tundev.service it resolves to openvpn@tundev.service. Either name the instance explicitly, for example

Before=openvpn@client.service

under [Unit] (client being whatever your OpenVPN instance is called), or order it from the OpenVPN side with a drop-in /etc/systemd/system/openvpn@.service.d/tundev.conf containing After=tundev.service and Requires=tundev.service, which applies to every openvpn@ instance.

To allow the container to create the device, the following line must be in the lxc config file (/var/lib/lxc/100/config). It whitelists exactly one device, character major 10 minor 200 (the tun device), for read, write and mknod; the container still cannot create any other device node. On a host running cgroup v2 the key is lxc.cgroup2.devices.allow instead:

lxc.cgroup.devices.allow = c 10:200 rwm

For Proxmox, add the same rule to the container config (ex. /etc/pve/lxc/100.conf), which uses a colon instead of the equals sign:

lxc.cgroup.devices.allow: c 10:200 rwm
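An added example (not the post's unit): the same workaround written so that it survives restarts, and with the ordering expressed from the OpenVPN side through a drop-in. install_tundev and tun_device_ok are names chosen here; the ROOT argument exists only so the script can be exercised in a scratch directory before it touches /etc.

```shell
#!/bin/sh
# Added example (not from the original post): install an idempotent version of
# the tun workaround plus a drop-in that orders every openvpn@ instance after
# it. Differences from the unit in the post: `mkdir -p` and a `[ -c ]` test so
# the unit also succeeds when the node already exists; /bin/sh, /bin/mkdir and
# /bin/mknod, paths that exist on Debian 8 as well as CentOS 7; and the
# ordering done from the OpenVPN side with Requires=/After=, which a drop-in
# for the template applies to all of its instances.
# ROOT is a prefix for testing; use "" on the real container.
install_tundev() {
    root=$1
    unitdir="$root/etc/systemd/system"
    mkdir -p "$unitdir/openvpn@.service.d"
    cat > "$unitdir/tundev.service" <<'EOF'
[Unit]
Description=Create /dev/net/tun inside the container

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/bin/mkdir -p /dev/net; [ -c /dev/net/tun ] || /bin/mknod -m 666 /dev/net/tun c 10 200'

[Install]
WantedBy=multi-user.target
EOF
    cat > "$unitdir/openvpn@.service.d/tundev.conf" <<'EOF'
[Unit]
Requires=tundev.service
After=tundev.service
EOF
}

# tun_device_ok DEV: true when DEV is a character device with major 10,
# minor 200, i.e. the numbers the cgroup rule in the container config allows.
tun_device_ok() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T' "$1")" = "a:c8" ]   # stat prints major:minor in hex
}

# On the real container (not run here):
#   install_tundev "" && systemctl daemon-reload && systemctl enable --now tundev.service
#   tun_device_ok /dev/net/tun && echo "tun ready"
```

If tun_device_ok fails after the unit ran, the usual cause is the missing cgroup rule on the host: mknod then fails with "Operation not permitted" in the unit's journal.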

Simple VPN network mesh with tinc

From Wikipedia:

Tinc is an open-source, self-routing, mesh networking protocol, used for compressed, encrypted, virtual private networks.

Network graph:

(image: tinc mesh, each of the three hosts below connected to the other two)

Hosts:

storage-01:

public ip:   123.123.123.100
vpn ip:      10.0.0.1
connects to: media01, router01

media-01:

public ip:   123.123.123.200
vpn ip:      10.0.0.2
connects to: storage01, router01

router-01:

public ip:   123.123.123.250
vpn ip:      10.0.0.3
connects to: storage01, media01

Note: tinc node names (the Name = value and the file names under hosts/) may only contain letters, digits and underscores, so the hosts files are called storage01, media01 and router01, not storage-01 and so on.

VPN name:

myvpn

tinc setup:

Each node has its own hosts/<Name> file: Address = the public IP peers connect to, Subnet = the VPN address the node owns (tinc routes packets by Subnet, so it has to match what tinc-up assigns), and tincd -K appends the node's public key to it. After the hosts files have been exchanged every node has this identical tree:

/etc/tinc/
└── myvpn
     ├── hosts
     │   ├── media01
     │   ├── router01
     │   └── storage01
     ├── rsa_key.priv
     ├── tinc.conf
     ├── tinc-down
     └── tinc-up

storage-01 (centos 7):

# Install tinc
yum install tinc -y

# Create directories
mkdir -p /etc/tinc/myvpn/hosts/

/etc/tinc/myvpn/hosts/storage01:
    Address = 123.123.123.100
    Subnet = 10.0.0.1/32
    
/etc/tinc/myvpn/tinc.conf:
    Name = storage01
    Interface = tun8
    AddressFamily = ipv4
    ConnectTo = router01
    ConnectTo = media01

/etc/tinc/myvpn/tinc-up:
    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.1/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

/etc/tinc/myvpn/tinc-down:
    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.1/32 dev $INTERFACE
    ip link set $INTERFACE down

media-01 (centos 7):

# Install tinc
yum install tinc -y

# Create directories
mkdir -p /etc/tinc/myvpn/hosts/

/etc/tinc/myvpn/hosts/media01:
    Address = 123.123.123.200
    Subnet = 10.0.0.2/32

/etc/tinc/myvpn/tinc.conf:
    Name = media01
    Interface = tun8
    AddressFamily = ipv4
    ConnectTo = storage01
    ConnectTo = router01

/etc/tinc/myvpn/tinc-up:
    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.2/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

/etc/tinc/myvpn/tinc-down:
    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.2/32 dev $INTERFACE
    ip link set $INTERFACE down

router-01 (centos 7):

# Install tinc
yum install tinc -y

# Create directories
mkdir -p /etc/tinc/myvpn/hosts/
    
/etc/tinc/myvpn/hosts/router01:
    Address = 123.123.123.250
    Subnet = 10.0.0.3/32
    
/etc/tinc/myvpn/tinc.conf:
    Name = router01
    Interface = tun8
    AddressFamily = ipv4
    ConnectTo = storage01
    ConnectTo = media01

/etc/tinc/myvpn/tinc-up:
    #!/bin/sh
    ip link set $INTERFACE up
    ip addr add 10.0.0.3/32 dev $INTERFACE
    ip route add 10.0.0.0/24 dev $INTERFACE

/etc/tinc/myvpn/tinc-down:
    #!/bin/sh
    ip route del 10.0.0.0/24 dev $INTERFACE
    ip addr del 10.0.0.3/32 dev $INTERFACE
    ip link set $INTERFACE down

On all servers:

# Create a 4096-bit RSA keypair: writes rsa_key.priv (mode 0600, it never
# leaves this node) and appends the public key to hosts/<Name>
tincd -n myvpn -K4096

/etc/firewalld/services/tinc.xml:
    <?xml version="1.0" encoding="utf-8"?>
    <service>
        <short>tinc</short>
        <description>tinc VPN daemon</description>
        <port protocol="udp" port="655"/>
        <port protocol="tcp" port="655"/>
    </service>

firewall-cmd --add-service=tinc --permanent
firewall-cmd --reload

Every node needs every hosts file (that is where the peers' addresses and public keys live), so merge the hosts/ directories between the nodes. Only hosts/ is copied, never rsa_key.priv. The hosts files are the trust anchors of the mesh, so move them over an authenticated channel (ssh, as here) and re-run the copy whenever a node's key is regenerated.

[root@media-01 ~]# rsync /etc/tinc/myvpn/hosts/ router-01:/etc/tinc/myvpn/hosts/ -av
[root@media-01 ~]# rsync /etc/tinc/myvpn/hosts/ storage-01:/etc/tinc/myvpn/hosts/ -av
[root@router-01 ~]# rsync /etc/tinc/myvpn/hosts/ media-01:/etc/tinc/myvpn/hosts/ -av 
[root@router-01 ~]# rsync /etc/tinc/myvpn/hosts/ storage-01:/etc/tinc/myvpn/hosts/ -av
[root@storage-01 ~]# rsync /etc/tinc/myvpn/hosts/ media-01:/etc/tinc/myvpn/hosts/ -av
[root@storage-01 ~]# rsync /etc/tinc/myvpn/hosts/ router-01:/etc/tinc/myvpn/hosts/ -av

On all servers:

# Set executable bit on tinc-up and tinc-down
chmod +x /etc/tinc/myvpn/tinc-up
chmod +x /etc/tinc/myvpn/tinc-down
# Enable and start tinc:
systemctl enable tinc@myvpn
systemctl start tinc@myvpn

Now all three servers should be able to reach each other on 10.0.0.0/24.
Because every node has a ConnectTo for both others and tinc routes by Subnet, traffic between two nodes whose direct connection drops is forwarded through the third one.

Note on Debian 8:

Debian 8 ships tinc without a per-network systemd unit, so /etc/tinc/nets.boot must list the names of all networks to be started. You can then start tinc normally with init/systemd.

For example:

/etc/tinc/
 ├── myvpn
 │   ├── hosts
 │   │   ├── media01
 │   │   ├── router01
 │   │   └── storage01
 │   ├── rsa_key.priv
 │   ├── tinc.conf
 │   ├── tinc-down
 │   └── tinc-up
 └── nets.boot
/etc/tinc/nets.boot:
    myvpn
# Enable and start tinc
systemctl enable tinc
systemctl start tinc

# Check the status
systemctl status tinc
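An added example (not from the post or from tinc) that checks the tree described above on a node before tinc is started, because most of what goes wrong here fails quietly: a Name with characters tinc rejects, a hosts file missing for the node itself or for a ConnectTo peer, a peer file without Address (tinc cannot dial it), hosts files without a public key (tincd -K was not run, or the copy was skipped), tinc-up/tinc-down not executable, and a private key readable by others. tinc_lint is a name chosen here; the tree the test builds is constructed, with placeholder key material.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for one tinc
# network directory, e.g. /etc/tinc/myvpn. Prints one line per problem and
# exits non-zero if anything was found.
tinc_lint() {
    d=$1 errs=0
    name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$d/tinc.conf" | head -n 1)
    if [ -z "$name" ]; then
        echo "tinc.conf: missing Name"; errs=$((errs + 1))
    else
        # tinc only accepts letters, digits and underscore in node names
        case "$name" in
            *[!A-Za-z0-9_]*) echo "Name '$name': only letters, digits and _ are allowed"; errs=$((errs + 1)) ;;
        esac
        [ -f "$d/hosts/$name" ] || { echo "hosts/$name: missing (file name must equal Name)"; errs=$((errs + 1)); }
    fi
    # every ConnectTo peer needs an Address we can dial
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$d/tinc.conf"); do
        grep -q '^[[:space:]]*Address[[:space:]]*=' "$d/hosts/$peer" 2>/dev/null \
            || { echo "hosts/$peer: no Address= (needed for ConnectTo = $peer)"; errs=$((errs + 1)); }
    done
    # every hosts file must carry a public key (RSA for tinc 1.0, Ed25519 for 1.1)
    for h in "$d"/hosts/*; do
        grep -Eq 'BEGIN RSA PUBLIC KEY|^Ed25519PublicKey' "$h" 2>/dev/null \
            || { echo "${h#"$d/"}: no public key (run tincd -n NET -K on that node and copy its hosts file)"; errs=$((errs + 1)); }
    done
    for s in tinc-up tinc-down; do
        [ -x "$d/$s" ] || { echo "$s: missing or not executable"; errs=$((errs + 1)); }
    done
    if [ -f "$d/rsa_key.priv" ]; then
        mode=$(stat -c '%a' "$d/rsa_key.priv")
        case "$mode" in
            600|400) ;;
            *) echo "rsa_key.priv: mode $mode, must not be readable by group/others"; errs=$((errs + 1)) ;;
        esac
    else
        echo "rsa_key.priv: missing (run tincd -n NET -K)"; errs=$((errs + 1))
    fi
    [ "$errs" -eq 0 ]
}

# On a node: tinc_lint /etc/tinc/myvpn && systemctl start tinc@myvpn
```

The check is per node, so run it on each of the three after the rsync step; a peer file that is valid on one node but stale on another is exactly the kind of mismatch the mesh will not tell you about.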

Server has a weak, ephemeral Diffie-Hellman public key (Zimbra 7)

Chrome error:

(screenshot: "Server has a weak, ephemeral Diffie-Hellman public key", ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY)

Firefox error:

(screenshot: weak DH key error, ssl_error_weak_server_ephemeral_dh_key)

The errors appeared after a browser update, not a server change: Chrome 45 and Firefox 39 started rejecting ephemeral DH keys shorter than 1024 bits (the Logjam mitigation), and mailboxd in Zimbra 7 still serves such parameters. The real fix is to upgrade Zimbra, as the wiki page below recommends; the quick workaround is to exclude the DHE cipher suites, so that mailboxd negotiates ECDHE or plain RSA key exchange instead. Be aware of the trade-off: where a client and the old Java in Zimbra 7 cannot agree on an ECDHE suite, the connection falls back to RSA key exchange, which has no forward secrecy.

/opt/zimbra/bin/zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
/opt/zimbra/bin/zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
/opt/zimbra/bin/zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
/opt/zimbra/bin/zmmailboxdctl restart

Source:
https://wiki.zimbra.com/wiki/Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd
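As an added example that is neither from this post nor from Zimbra, here is a check that classifies the key exchange from openssl s_client output, so the probe can be run before and after the zmprov change (assess_s_client is a name chosen here; the s_client excerpts used to exercise it are constructed). The TLS_DHE_RSA_WITH_AES_256_CBC_SHA suite excluded above appears in s_client as DHE-RSA-AES256-SHA.

```shell
#!/bin/sh
# Added example (not from the post or from Zimbra): classify the key exchange a
# server negotiated from `openssl s_client` output read on stdin.
# Exit 1: finite-field DH with parameters under 2048 bits (browsers reject
#         anything under 1024 bits; 1024-bit groups are still considered weak)
# Exit 2: no handshake (s_client leaves "Cipher    : 0000" in the summary)
# Exit 0: anything else. The "Server Temp Key" line needs OpenSSL 1.0.2+.
assess_s_client() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    tmpkey=$(printf '%s\n' "$out" | sed -n 's/^ *Server Temp Key: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "NO-HANDSHAKE"; return 2
    fi
    case "$cipher" in
        DHE-*|EDH-*)                        # finite-field ephemeral DH
            bits=$(printf '%s' "$tmpkey" | sed -n 's/^DH, *\([0-9][0-9]*\) bits.*/\1/p')
            if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
                echo "WEAK-DH $bits"; return 1
            fi
            echo "DHE ${bits:-unknown}"; return 0 ;;
        ECDHE-*) echo "ECDHE $tmpkey"; return 0 ;;
        TLS_*)   echo "TLS1.3 $tmpkey"; return 0 ;;   # TLS 1.3 is always (EC)DHE
        *)       echo "RSA-KX $cipher"; return 0 ;;   # static RSA: no forward secrecy
    esac
}

# Probe a host forcing DHE, so a server that still offers weak DH groups is
# caught even when a browser would normally pick ECDHE (not run here):
#   openssl s_client -connect mail.example.com:443 -cipher 'DHE' </dev/null 2>/dev/null | assess_s_client
```

After the zmprov change the forced-DHE probe should report NO-HANDSHAKE (the server no longer offers DHE at all), and a probe without -cipher should report ECDHE rather than RSA-KX if forward secrecy is still wanted.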


ERROR 2006 (HY000) at line 749: MySQL server has gone away (MariaDB/MySQL)

OS:CentOS Linux release 7.1.1503
DB: MariaDB 5.5.44

Importing a big mysql dump file resulted in the following error:

ERROR 2006 (HY000) at line 749: MySQL server has gone away

Line 749 was a very big INSERT statement, larger than the server's max_allowed_packet (1M by default on MariaDB 5.5): the server closes the connection when a packet exceeds that limit, and the client reports the closed connection as "gone away". To fix this, place the following into /etc/my.cnf.d/large.cnf. max_allowed_packet is the setting this error is about; wait_timeout only helps if the import idles between statements. The mysql client has its own 16M limit for the same variable, so for statements larger than that set it under [mysql] as well, or pass --max_allowed_packet=64M to the client. The server value can also be raised without a restart with SET GLOBAL max_allowed_packet=67108864, which applies to new connections:

[mysqld]
max_allowed_packet = 64M
wait_timeout = 6000

[mysqldump]
max_allowed_packet = 64M

Then restart mariadb/mysqld:

systemctl restart mariadb
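An added example (not from the post): before importing, measure the largest statement in the dump against the max_allowed_packet you are about to configure, so the limit is chosen from the data instead of by trial and error; the report names the offending line the way the server error does. cnf_size_bytes, longest_dump_line and dump_fits_packet are names chosen here, and the dump used to exercise them is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): does a dump fit within
# max_allowed_packet? mysqldump emits one extended INSERT per line, so the
# longest line is the largest packet the import sends. Lengths are measured in
# bytes (LC_ALL=C), which is what the server counts, not characters.

# cnf_size_bytes SIZE: a my.cnf size ("64M", "1G", "512K" or a plain number) -> bytes
cnf_size_bytes() {
    case "$1" in
        *[Kk]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# longest_dump_line: reads a dump on stdin, prints "LINENO BYTES" of its longest line
longest_dump_line() {
    LC_ALL=C awk '{ if (length($0) > max) { max = length($0); n = NR } }
                  END { print n + 0, max + 0 }'
}

# dump_fits_packet SIZE: exit 0 if every statement in the dump on stdin is
# smaller than SIZE (the max_allowed_packet you intend to set), otherwise
# exit 1 and name the line, as "ERROR 2006 ... at line N" would.
dump_fits_packet() {
    limit=$(cnf_size_bytes "$1")
    set -- $(longest_dump_line)
    if [ "$2" -ge "$limit" ]; then
        echo "line $1 is $2 bytes, exceeds max_allowed_packet=$limit"
        return 1
    fi
    echo "largest statement: line $1, $2 bytes (limit $limit)"
}

# Usage (not run here): dump_fits_packet 64M < backup.sql
```

Leave some headroom: the packet also carries a small header, and a dump produced with --skip-extended-insert has short lines but far more of them, so this check says nothing about import time.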

Monitoring free inodes on Linux with Nagios/Adagios

This howto assumes:

  • nrpe is installed and working on the client
  • CentOS 6/7 on both sides
  • Nagios/Adagios server with pynag installed and working

On the server you want to monitor:

Install the check_disk plugin for nrpe:

yum install nagios-plugins-disk

Add the following to /etc/nrpe.d/check_disk_inodes.cfg:

command[check_disk_inodes]=/usr/lib64/nagios/plugins/check_disk -W "$ARG1$" -C "$ARG2$" "$ARG3$"

Restart NRPE (on CentOS 7: systemctl restart nrpe):

service nrpe restart

On the Nagios server:

Add a check command:

pynag add command command_name="2ks-check_nrpe_disk_inodes" command_line='$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_disk_inodes -a "$_SERVICE_WARNING$" "$_SERVICE_CRITICAL$" "$_SERVICE_OPTIONAL_ARGUMENTS$"'

NOTE: In my case pynag placed the cfg file in /etc/nagios/commands/, but it was not included as a cfg_dir in nagios.cfg. To fix that, run:

pynag config --append cfg_dir=/etc/nagios/commands/

Add the service to the host:

pynag add service service_description="Disk inodes" use="generic-service" host_name="host.domain.com" check_command="2ks-check_nrpe_disk_inodes" __CRITICAL="5%" __WARNING="10%"

Reload nagios (on CentOS 7: systemctl reload nagios):

service nagios reload

The check output should now show something like this (inode=NN% is the percentage of free inodes; with -W 10% -C 5% a filesystem goes WARNING below 10% free and CRITICAL below 5%, so /var/spool at 11% is still OK, but only just):

DISK OK - free space: / 1613 MB (35% inode=95%): /boot 53 MB (57% inode=99%): /dev/shm 1004 MB (100% inode=99%): /var/spool 8682 MB (53% inode=11%):
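An added example (not from the post): the same free-inode logic as check_disk -W/-C applied to df -Pi output, useful for seeing what the thresholds mean on a host before wiring up NRPE; inode_check is a name chosen here and the df output exercised below is constructed. It also covers a case check_disk users trip over: btrfs and some tmpfs mounts report 0 total inodes, which has to be skipped rather than divided by.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate inode usage from
# `df -Pi` output on stdin the way check_disk -W/-C does. Both thresholds are
# percentages of FREE inodes: a filesystem is WARNING below WARN% free and
# CRITICAL below CRIT% free. Prints a Nagios-style line and returns
# 0/1/2 for OK/WARNING/CRITICAL, the worst state over all filesystems.
inode_check() {
    warn=${1%\%} crit=${2%\%} rc=0 out=''
    while read -r fs inodes iused ifree ipct mnt; do
        case "$fs" in Filesystem|'') continue ;; esac      # header / blank
        # btrfs, tmpfs with nr_inodes=0 etc. report 0 inodes: nothing to measure
        [ "$inodes" -gt 0 ] 2>/dev/null || continue
        freepct=$(( ifree * 100 / inodes ))
        state=0
        [ "$freepct" -lt "$warn" ] && state=1
        [ "$freepct" -lt "$crit" ] && state=2
        [ "$state" -gt "$rc" ] && rc=$state
        out="$out $mnt (inode=${freepct}% free);"
    done
    case $rc in 0) s=OK ;; 1) s=WARNING ;; 2) s=CRITICAL ;; esac
    echo "DISK $s -$out"
    return $rc
}

# On a host: df -Pi | inode_check 10% 5%
```

A filesystem that is almost out of inodes can still show plenty of free space in df, which is why the free-space check alone misses it; mail spools and cache directories full of tiny files are the classic case.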