msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

26 May 2015 Installing Open vSwitch on CentOS 7

This post describes how to install the most recent version of Open vSwitch (ovs) on CentOS 7 and might be the base for future posts about using KVM as virtualization platform.

openvswitch-diagramOpen vSwitch is a production quality open source software switch designed to be used as a vswitch in virtualized server environments. A vswitch forwards traffic between different VMs on the same physical host and also forwards traffic between VMs and the physical network.

Install the needed packages (as root user)

# yum -y install wget openssl-devel kernel-devel

Install development tools

# yum groupinstall "Development Tools"

Add a ovswitch user

# adduser ovswitch

Download and unpack the openvswitch source code (as ovswitch user)

$ su - ovswitch
$ mkdir -p ~/rpmbuild/SOURCES
$ cd ~/rpmbuild/SOURCES
$ wget http://openvswitch.org/releases/openvswitch-2.3.1.tar.gz
$ tar xfz openvswitch-2.3.1.tar.gz

We will modify the openvswitch spec-file and use the kernel module CentOS provides instead of creating a new one.

$ sed 's/openvswitch-kmod, //g' openvswitch-2.3.1/rhel/openvswitch.spec > openvswitch-2.3.1/rhel/openvswitch_no_kmod.spec

Create a RPM-file to ease future package operations like upgrade

$ rpmbuild -bb --nocheck ~/openvswitch-2.3.1/rhel/openvswitch_no_kmod.spec
$ exit

Now is the time to install the RPM-package (as root)

# yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-2.3.1-1.x86_64.rpm

If you have not disabled SElinux then you will see the following SELinux issues when you try to start the openvswitch service

install: cannot change owner and permissions of ‘/etc/openvswitch': No such file or directory and Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error: /etc/openvswitch/conf.db: failed to lock lockfile (No such file or directory)

This is one way to fix this issue

# mkdir /etc/openvswitch
# semanage fcontext -a -t openvswitch_rw_t "/etc/openvswitch(/.*)?"
# restorecon -Rv /etc/openvswitch

We are now ready to start the openvswitch service

# service openvswitch start
# chkconfig openvswitch on

Verify that we have installed openvswitch and that it is available

# virsh version
Compiled against library: libvirt 1.2.8
Using library: libvirt 1.2.8
Using API: QEMU 1.2.8
Running hypervisor: QEMU 1.5.3
# lsmod |grep openvswitch
openvswitch            70611  0 
gre                    13796  1 openvswitch
vxlan                  37409  1 openvswitch
libcrc32c              12644  2 xfs,openvswitch
# ovs-vsctl show
...
    Bridge "ovsbr1"
        Port "ovsbr1"
            Interface "ovsbr1"
                type: internal
    Bridge "ovsbr0"
        Port "enp0s25"
            Interface "enp0s25"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
    ovs_version: "2.3.1"

We are now ready to create a network bridge, but that will (maybe) be described in a future post of mine.

Tags: , , , , , ,

Posted by

24 Jan 2007 How do I turn enforcing SELinux on/off at boot?

You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Setting the value to enforcing is the same as adding enforcing=1 to your command line when booting the kernel to turn enforcing on, while setting the value to permissive is the same as adding enforcing=0 to turn enforcing off. Note that the command line kernel parameter overrides the configuration file.

However, setting the value to disabled is not the same as the selinux=0 kernel boot parameter. Rather than fully disabling SELinux in the kernel, the disabled setting instead turns enforcing off and skips loading a policy.

Source: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825945

Tags: , , ,

Posted by

22 Jan 2007 How do I make a user public_html directory work under SELinux?

This process presumes that you have enabled user public HTML directories in your Apache configuration file, /etc/httpd/conf/httpd.conf. This process only covers serving static Web content. For more information about Apache HTTP and SELinux, refer to http://fedora.redhat.com/docs/selinux-apache-fc3/.

If you do not already have a ~/public_html directory, create it and populate it with the files and folders to be served.

# cd ~
# mkdir public_html
# cp /path/to/content ~/public_html

At this point, httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because httpd is not allowed to read the security type for the directory and files as they are created in the user’s home directory. Change the security context of the folder and its contents recursively using the -R option:

#ls -Z -d public_html/

drwxrwxr-x  auser    auser    user_u:object_r:user_home_t      public_html

# chcon -R -t httpd_user_content_t public_html/
# ls -Z -d public_html/

drwxrwxr-x  auser    auser    user_u:object_r:httpd_user_content_t public_html/

# ls -Z public_html/
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t foo.html

You may notice at a later date that the user field, set here to user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.
Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using system-config-securitylevel. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.

Tags: , , , , ,

Posted by