Wednesday, 14 January 2015

Unattended Updates - Debian

To set up auto updates on Debian, do the following:
apt-get install unattended-upgrades apt-listchanges
Edit /etc/apt/apt.conf.d/50unattended-upgrades and uncomment the line:
Unattended-Upgrade::Mail "root";
Edit /etc/apt/apt.conf.d/20auto-upgrades, and add the following:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Or run the following command as root:
dpkg-reconfigure -plow unattended-upgrades
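After editing, it is worth confirming that the files actually say what you expect. The check below is an added example, not part of the original post: it reads the two apt.conf.d fragments named above (paths are parameters, so it also runs against constructed copies) and fails if either periodic setting is not "1" or the Mail line is still commented out.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the two apt.conf.d
# files carry the settings described above. File paths are parameters so the
# check can run against constructed copies as well as the real files.

# Print the value of a key such as APT::Periodic::Unattended-Upgrade from an
# apt.conf fragment (last occurrence wins). Commented "//" lines never match.
apt_conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Exit 0 when package-list updates and unattended upgrades are both "1" and the
# Unattended-Upgrade::Mail line is uncommented; otherwise report each problem, exit 1.
check_unattended() {  # $1 = 20auto-upgrades, $2 = 50unattended-upgrades
    rc=0
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        v=$(apt_conf_value "$1" "$key")
        if [ "$v" != "1" ]; then
            echo "$key is '${v:-unset}' in $1, expected \"1\""
            rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*Unattended-Upgrade::Mail[[:space:]]+"[^"]+";' "$2"; then
        echo "Unattended-Upgrade::Mail is commented out or missing in $2"
        rc=1
    fi
    return $rc
}

# Usage against the live system:
# check_unattended /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
```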

Tuesday, 13 January 2015

Creating an encrypted password for kickstart - CentOS

Use OpenSSL to generate an MD5 crypt:
# openssl passwd -1 "password here"
$1$e/5d7DEs$bhFiuOQp8MMe785dzvBPv.
Use grub-crypt to generate a SHA256 crypt:
# grub-crypt --sha-256
Password:
Retype password:
$5$W/DyB05xk2UIZz6k$YyBl36yKHVmaFmJHNS1m/b2/viRa6KnQe3dDQVZZ5n3
Put the password hash in your kickstart file:
rootpw --iscrypted password_hash
Make sure your authconfig configuration matches the crypt:
authconfig --enableshadow [--enablemd5|--passalgo=sha256]
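The rootpw line only works when the hash family and the authconfig algorithm agree, and a mangled hash silently locks root out. The helper below is an added example, not from the original post: it classifies a crypt(3) hash by its $id$ prefix, checks that the salt and digest have the shape that family requires (the two hashes above are used as constructed test input), and prints the authconfig option that matches; it also covers SHA-512 ($6$), which the post does not mention.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a crypt(3) hash destined
# for "rootpw --iscrypted" and report which authconfig option must accompany it.

# Print the hash family by its "$id$" prefix: md5, sha256, sha512 or unknown.
crypt_family() {  # $1 = hash string
    case "$1" in
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        *)      echo unknown ;;
    esac
}

# Print the authconfig argument that matches the hash family, or fail.
authconfig_option() {  # $1 = hash string
    case "$(crypt_family "$1")" in
        md5)    echo '--enablemd5' ;;
        sha256) echo '--passalgo=sha256' ;;
        sha512) echo '--passalgo=sha512' ;;
        *)      echo "unrecognised hash prefix: $(printf '%.3s' "$1")" >&2; return 1 ;;
    esac
}

# Shape check: salt and digest must use the crypt base64 alphabet and the digest
# must have the length fixed by the algorithm (22 chars for MD5, 43 for SHA-256,
# 86 for SHA-512). Hashes carrying a "rounds=" field are not handled here.
crypt_wellformed() {  # $1 = hash string
    case "$(crypt_family "$1")" in
        md5)    pat='^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$' ;;
        sha256) pat='^\$5\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}$' ;;
        sha512) pat='^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$' ;;
        *)      return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq "$pat"
}
```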

Monday, 12 January 2015

INIT: Id “1” respawning too fast: disabled for 5 minutes

Console error message:
INIT: Id “1” respawning too fast: disabled for 5 minutes
What causes this problem? Apparently, this is due to this line in my /etc/inittab file:
1:2345:respawn:/sbin/getty 38400 tty1
This says to spawn a terminal on a non-existent serial port. You get a "respawning too fast" error when an inittab line makes no sense, so simply comment it out:
#1:2345:respawn:/sbin/getty 38400 tty1
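Rather than hunting through inittab by hand, the respawn entries that cannot possibly succeed can be listed directly. This is an added example, not from the original post: it flags respawn lines whose program is missing and getty-style lines none of whose arguments names an existing device node. DEV_ROOT is a hypothetical override (default /dev) so the check can run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: list the respawn entries in an
# inittab whose program or terminal device does not exist, which is the usual
# reason init reports "respawning too fast". DEV_ROOT (default /dev) is a
# hypothetical override so the check can run against a constructed tree.
: "${DEV_ROOT:=/dev}"

# Print "id<TAB>reason" for each suspicious respawn entry; exit 0 when none.
inittab_respawn_problems() {  # $1 = inittab file
    found=0
    # inittab format: id:runlevels:action:process
    while IFS=: read -r id levels action process; do
        case "$id" in ''|'#'*) continue ;; esac     # skip blank and comment lines
        [ "$action" = respawn ] || continue
        set -- $process                              # word-split process into argv
        prog=$1
        if ! [ -x "$prog" ] && ! command -v "$prog" >/dev/null 2>&1; then
            printf '%s\tprogram not found: %s\n' "$id" "$prog"
            found=1
            continue
        fi
        case "$prog" in *getty*)
            # a getty needs a terminal; require at least one argument to be a node
            dev_ok=0
            for arg; do [ -e "$DEV_ROOT/$arg" ] && dev_ok=1; done
            if [ "$dev_ok" = 0 ]; then
                printf '%s\tno argument names an existing node under %s\n' "$id" "$DEV_ROOT"
                found=1
            fi ;;
        esac
    done < "$1"
    return $found
}

# Usage on a live system: inittab_respawn_problems /etc/inittab
```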

Friday, 9 January 2015

Puppet: List Installed Modules - Install non-Puppet Forge modules

To list Puppet modules downloaded from the Puppet Forge:
# puppet module list
/etc/puppet/modules
├── adrien-alternatives (v0.3.0)
├── alkivi-console_data (v0.0.1)
├── attachmentgenie-locales (v1.0.6)
├── example42-puppi (v2.1.10)
├── herculesteam-augeasproviders_core (v2.0.1)
├── herculesteam-augeasproviders_shellvar (v2.0.1)
├── pfmooney-mit_krb5 (v0.0.5)
├── puppetlabs-concat (v1.0.0)
├── puppetlabs-firewall (v1.2.0)
├── puppetlabs-inifile (v1.2.0)
├── puppetlabs-ntp (v3.3.0)
├── puppetlabs-stdlib (v4.3.2)
├── saz-ssh (v2.4.0)
├── ssm-munin (v0.0.5)
├── stahnma-epel (v1.0.2)
├── trlinkin-nsswitch (v1.0.0)
└── trlinkin-validate_multi (v0.1.0)
To install modules from elsewhere:
cd /var/tmp
wget https://github.com/lermit/puppet-nslcd/archive/master.zip
cd /etc/puppet/environments/testing/
unzip /var/tmp/master.zip

Thursday, 8 January 2015

Calling a Puppet Module in your code

I installed a Puppet module called mit_krb5 so that I could configure Kerberos on my systems. Unfortunately, I was unable to get it to put the correct settings using Foreman, so I wrote some code to do this:
class uobldap {
  class { 'mit_krb5':
    default_realm    => 'ADS.BRIS.AC.UK',
    dns_lookup_realm => false,
    dns_lookup_kdc   => false,
    ticket_lifetime  => '24h',
    renew_lifetime   => '7d',
    forwardable      => true,
  }
  class { 'mit_krb5::logging':
    default      => 'FILE:/var/log/krb5libs.log',
    kdc          => 'FILE:/var/log/krb5kdc.log',
    admin_server => 'FILE:/var/log/kadmind.log',
  }
  mit_krb5::realm { 'ADS.BRIS.AC.UK':
    kdc          => 'ads.bris.ac.uk',
    admin_server => 'ads.bris.ac.uk',
  }
  mit_krb5::domain_realm { 'ADS.BRIS.AC.UK':
    domains => ['.ads.bris.ac.uk', 'ads.bris.ac.uk'],
  }
}

Wednesday, 7 January 2015

PAM configurations - RedHat/CentOS

On RedHat/CentOS systems linked to LDAP, PAM does not allow users with UIDs smaller than 500 to log on. Change the settings in the /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Change 500 to 100 or some smaller number in the first (3rd) line and change the 'uid < 500' to 'uid > 100' in the second (7th). To allow a user's home directory to be created automatically on login, add this line to the /etc/pam.d/common-account file:
# and here are more per-package modules (the "Additional" block)
session   required      pam_mkhomedir.so        umask=077
account      required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
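Because authconfig regenerates system-auth, the UID gates are easy to lose and worth checking after every run. The helper below is an added example, not from the original post: it lists every pam_succeed_if gate in a stack file (the system-auth lines above serve as constructed test input) and extracts the auth-stack threshold below which LDAP is never consulted.

```shell
#!/bin/sh
# Added example, not from the original post: report the UID gates that
# pam_succeed_if imposes in a PAM stack file, so the "uid >= N" in auth and the
# "uid < N" in account can be confirmed after editing (or after authconfig runs).

# Print "type<TAB>condition" for every pam_succeed_if line, with flags such as
# quiet/use_uid stripped so only the condition itself remains.
pam_uid_gates() {  # $1 = PAM stack file, e.g. /etc/pam.d/system-auth
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $0 ~ /pam_succeed_if\.so/ {
            type = $1
            # the control field may be a bracketed list, so locate the module by name
            for (i = 2; i <= NF; i++) if ($i ~ /pam_succeed_if\.so/) break
            cond = ""
            for (j = i + 1; j <= NF; j++) {
                if ($j ~ /^(quiet|quiet_fail|quiet_success|use_uid|debug|audit)$/) continue
                cond = cond (cond == "" ? "" : " ") $j
            }
            print type "\t" cond
        }' "$1"
}

# Print the N from "auth ... pam_succeed_if.so uid >= N": below this UID the
# auth stack stops before pam_ldap, so only local accounts can log in.
# Prints nothing when the auth stack carries no such gate.
pam_ldap_min_uid() {  # $1 = PAM stack file
    pam_uid_gates "$1" | awk 'BEGIN { FS = "\t" }
        $1 == "auth" && $2 ~ /^uid >= [0-9]+$/ { sub(/^uid >= /, "", $2); print $2; exit }'
}

# Usage on a live system: pam_uid_gates /etc/pam.d/system-auth
```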

Tuesday, 6 January 2015

Installing a Puppet module breaks Foreman (proxy) - uninstall to fix!

#  puppet module install IvanBayan-krb5
Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Warning: Cannot consider release puppet-krb5-0.0.2: Malformed dependency: ripienaar/concat. Exception was: Invalid 'version_range' field in metadata.json: Unparsable version range: ">=1"
Notice: Installing -- do not interrupt ...
/etc/puppet/modules
└─┬ IvanBayan-krb5 (v0.0.3)
  └── puppetlabs-concat (v1.0.0)
Foreman then shows this error:
Oops, we're sorry but something went wrong
Warning! ERF12-4115 [ProxyAPI::ProxyException]: Unable to get classes from Puppet for testing ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
Just uninstall it!
#  puppet module uninstall IvanBayan-krb5
Notice: Preparing to uninstall 'IvanBayan-krb5' ...
Removed 'IvanBayan-krb5' (v0.0.3) from /etc/puppet/modules
What to do when you can't uninstall?
# puppet module install myrond-auto_update_debian
Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
/etc/puppet/modules
└── myrond-auto_update_debian (v1.0.1)
# puppet module uninstall myrond-auto_update_debian
Notice: Preparing to uninstall 'myrond-auto_update_debian' ...
Error: Could not uninstall module 'myrond-auto_update_debian' (v1.0.1)
  Installed module has had changes made locally
    Use `puppet module uninstall --ignore-changes` to uninstall this module anyway
# puppet module uninstall --ignore-changes myrond-auto_update_debian
Notice: Preparing to uninstall 'myrond-auto_update_debian' ...
Removed 'myrond-auto_update_debian' (v1.0.1) from /etc/puppet/modules
#