
20 Mar 2019 Installing Vagrant on CentOS 7

This short post describes how to install the latest version of Vagrant with the libvirt provider on a fresh CentOS 7 (Minimal install). I will not apply any security measures to harden this configuration, at least not in this post. Vagrant supports other providers besides libvirt, like VirtualBox and VMware. I prefer libvirt because I am used to using virt-manager and KVM.

I assume you know what Vagrant is and basic usage of it. If you do not know what Vagrant is, please visit the Hashicorp website.

I used Vagrant as a sandbox for my Puppet development several years ago, but somewhere along the way I stopped using it. My interest in using Vagrant again came after doing some Ansible playbook development. The easy way of setting up and tearing down server boxes really helps when you develop and test.

My code examples usually start with # or $. A # prompt tells you that I am running the command as the root user, and $ that I am running it as a normal user.

First we need to get the latest packages on our installation and reboot the server.

# yum -y update && shutdown -r

We are now ready to add the prerequisites to the installation.

It is easier to work with a graphical interface (GUI) with Vagrant, so we are installing the “Server with GUI” packages.

# yum -y group install "Server with GUI"

This command takes a while to finish; take a short break while it installs.

Now we are going to determine the latest version of Vagrant and install it. Open your web browser, visit http://releases.hashicorp.com/vagrant/ and copy the URL of the latest release available. In my case that is https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.rpm

Installing Vagrant

# yum -y install https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.rpm 

=========================================================================================================
Package Arch Version Repository Size
Installing:
vagrant x86_64 1:2.2.4-1 /vagrant_2.2.4_x86_64 110 M
Transaction Summary
Install 1 Package
Total size: 110 M
Installed size: 110 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:vagrant-2.2.4-1.x86_64 1/1
Verifying : 1:vagrant-2.2.4-1.x86_64 1/1
Installed:
vagrant.x86_64 1:2.2.4-1

Please note that when we install a package from a URL like this, there is no repository behind it, so updates will not be offered automatically. You need to download a newer version manually when desired.
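The install above fetches the RPM straight from the releases site and hands it to yum. As an added example (not part of the original post), here is a small POSIX shell script that checks the downloaded RPM against the SHA256SUMS file HashiCorp publishes in the same release directory before anything is installed. It assumes that file is named vagrant_<version>_SHA256SUMS and has the two-column layout that sha256sum writes; the curl-based fetch_and_verify helper is mine and needs network access, while verify_rpm works on local files only.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded Vagrant RPM
# against the SHA256SUMS file HashiCorp publishes next to it before yum
# installs it. Assumes the checksum file has the two-column layout that
# `sha256sum` writes ("<sha256>  <filename>") and is named
# vagrant_<version>_SHA256SUMS in the same release directory.

# verify_rpm <rpm path> <sha256sums path>
# Returns 0 when the RPM's SHA-256 matches the entry for its file name,
# 1 when the entry is missing or the digest differs.
verify_rpm() {
    rpm_path=$1
    sums_path=$2
    name=$(basename "$rpm_path")
    # Pick the digest for exactly this file name; other entries are ignored.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums_path")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums_path" >&2
        return 1
    fi
    actual=$(sha256sum "$rpm_path" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify <release base URL> <version>
# Downloads the RPM and its checksum list into the current directory and
# prints the install command only if the digest checks out (needs network).
fetch_and_verify() {
    base=$1
    ver=$2
    rpm="vagrant_${ver}_x86_64.rpm"
    sums="vagrant_${ver}_SHA256SUMS"
    curl -fsSLO "$base/$ver/$rpm" || return 1
    curl -fsSLO "$base/$ver/$sums" || return 1
    verify_rpm "$rpm" "$sums" || return 1
    echo "verified: now run  yum -y install ./$rpm"
}

# Example (network): fetch_and_verify https://releases.hashicorp.com/vagrant 2.2.4
```

Run it as the normal user in a scratch directory and only hand the RPM to yum when verify_rpm returns 0; a missing entry is treated the same as a mismatch, so an unexpected file name fails closed.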

Now we have Vagrant installed, but we have not chosen the provider we would like to use to run our VMs. I prefer libvirt (KVM) as the provider for my VMs because of its stability. Install KVM as the provider:

# yum -y install libvirt libvirt-devel qemu-kvm virt-install virt-manager virt-top libguestfs-tools bridge-utils

The virt-manager package gives us a GUI for our VMs, including console access if needed.

Start the libvirt daemon and enable it so it starts at boot.

# systemctl start libvirtd && systemctl enable libvirtd

As a convenience I usually install the Development Tools group as well.

# yum -y group install "Development Tools"

It is now time to choose the Vagrant provider and start using Vagrant; we are using the vagrant-libvirt plugin. Make sure to run the following command as the user you are going to use with Vagrant. I am using a regular user to install the plugin.

$ vagrant plugin install vagrant-libvirt
Installing the 'vagrant-libvirt' plugin. This can take a few minutes…
Fetching: excon-0.62.0.gem (100%)
Fetching: formatador-0.2.5.gem (100%)
Fetching: fog-core-1.43.0.gem (100%)
Fetching: fog-json-1.2.0.gem (100%)
Fetching: mini_portile2-2.4.0.gem (100%)
Fetching: nokogiri-1.10.1.gem (100%)
Building native extensions. This could take a while…
Fetching: fog-xml-0.1.3.gem (100%)
Fetching: ruby-libvirt-0.7.1.gem (100%)
Building native extensions. This could take a while…
Fetching: fog-libvirt-0.6.0.gem (100%)
Fetching: vagrant-libvirt-0.0.45.gem (100%)
Installed the plugin 'vagrant-libvirt (0.0.45)'!

It is now time to download an OS image (a box) and create a VM using Vagrant. First we create a directory to hold the environment for our VMs.

$ mkdir vagrant-example
$ cd vagrant-example

We are now ready to fetch the OS of our choice. You can search for the available boxes at https://app.vagrantup.com/boxes/search

I will download Ubuntu 18.04 (a generic, unmodified image) and CentOS 7 box images by issuing the following commands.

$ vagrant box add generic/ubuntu1804 
==> box: Loading metadata for box 'generic/ubuntu1804'
box: URL: https://vagrantcloud.com/generic/ubuntu1804
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.
1) hyperv
2) libvirt
3) parallels
4) virtualbox
5) vmware_desktop
Enter your choice: 2

Choose option 2) libvirt as provider since that is what I installed earlier in this post.

==> box: Adding box 'generic/ubuntu1804' (v1.9.6) for provider: libvirt
box: Downloading: https://vagrantcloud.com/generic/boxes/ubuntu1804/versions/1.9.6/providers/libvirt.box
box: Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> box: Successfully added box 'generic/ubuntu1804' (v1.9.6) for 'libvirt'!

Next we add a CentOS 7 box image.

$ vagrant box add centos/7

==> box: Loading metadata for box 'centos/7'
box: URL: https://vagrantcloud.com/centos/7
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.
1) hyperv
2) libvirt
3) virtualbox
4) vmware_desktop

Choose option 2) libvirt

==> box: Adding box 'centos/7' (v1902.01) for provider: libvirt
box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/1902.01/providers/libvirt.box
box: Download redirected to host: cloud.centos.org
==> box: Successfully added box 'centos/7' (v1902.01) for 'libvirt'!

If you are behind a proxy, tell Vagrant to use it by setting the variable in the shell you run Vagrant from. If not, skip the next line.

$ export https_proxy=proxy.example.com:8080

To create a Vagrantfile and get started with the CentOS 7 image we just added:

$ vagrant init centos/7
A Vagrantfile has been placed in this directory.
You are now ready to vagrant up your first virtual environment! Please read the comments in the Vagrantfile as well as documentation on
https://vagrantup.com for more information on using Vagrant.

The content of the Vagrantfile

Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
end

It is now time to start our first virtual machine using Vagrant. To start up our CentOS 7 box we run the following command

$ vagrant up

Bringing machine 'default' up with 'libvirt' provider…
==> default: Checking if box 'centos/7' version '1902.01' is up to date…
==> default: Uploading base box image as volume into libvirt storage…
==> default: Creating image (snapshot of base box volume).
==> default: Creating domain with the following settings…
==> default: -- Name: vagrant-example_default
==> default: -- Domain type: kvm
==> default: -- Cpus: 1
==> default: -- Feature: acpi
==> default: -- Feature: apic
==> default: -- Feature: pae
==> default: -- Memory: 512M
==> default: -- Management MAC:
==> default: -- Loader:
==> default: -- Nvram:
==> default: -- Base box: centos/7
==> default: -- Storage pool: default
==> default: -- Image: /var/lib/libvirt/images/vagrant-example_default.img (41G)
==> default: -- Volume Cache: default
==> default: -- Kernel:
==> default: -- Initrd:
==> default: -- Graphics Type: vnc
==> default: -- Graphics Port: -1
==> default: -- Graphics IP: 127.0.0.1
==> default: -- Graphics Password: Not defined
==> default: -- Video Type: cirrus
==> default: -- Video VRAM: 9216
==> default: -- Sound Type:
==> default: -- Keymap: en-us
==> default: -- TPM Path:
==> default: -- INPUT: type=mouse, bus=ps2
==> default: Creating shared folders metadata…
==> default: Starting domain.
==> default: Waiting for domain to get an IP address…
==> default: Waiting for SSH to become available…
default:
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default:
default: Inserting generated public key within guest…
default: Removing insecure key from the guest if it's present…
default: Key inserted! Disconnecting and reconnecting using new SSH key…
==> default: Configuring and enabling network interfaces…
default: SSH address: 192.168.121.32:22
default: SSH username: vagrant
default: SSH auth method: private key
==> default: Rsyncing folder: /home/hanshj/vagrant-example/ => /vagrant

You will be prompted for your password before this command completes.

We have now created a new VM using Vagrant and it is at our disposal. To access it we run the command

$ vagrant ssh
[vagrant@localhost ~]$

We are now at the Vagrant box prompt, logged in as the user vagrant. The default for all Vagrant boxes is username vagrant and password vagrant.

To exit the SSH session to the Vagrant box, press Ctrl+D or log out as you normally do.

To list the boxes we have downloaded:

$ vagrant box list
centos/7 (libvirt, 1902.01)
generic/ubuntu1804 (libvirt, 1.9.6)

To get a list of all VMs known to libvirt, run the following command

$ sudo virsh list --all
 Id    Name                           State
----------------------------------------------------------------
 1     vagrant-example_default        running

The Vagrantfile can be modified to add extra disks, NICs, memory, or several VMs. There are many options available, but here are some of the basics I usually add.

Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.hostname = "centos7-01.acme"
config.vm.define "centos7.acme"
end

When you have done some tests on your VM and would like to start over with a fresh one, just destroy it and start again.

$ vagrant destroy
default: Are you sure you want to destroy the 'default' VM? [y/N] y
==> default: Removing domain…

To start the VM again, fresh and ready, just issue the command

$ vagrant up


30 Oct 2018 Email notification on SSH login using PAM

There are cases where you want an email message on every successful login through SSH. This could be solved by adding a simple line to .bash_profile for every user, but that solution does not catch all SSH logins. The preferred way of doing it is using PAM and a custom email notification script.

Add the following line to the bottom of the file /etc/pam.d/sshd

session optional pam_exec.so seteuid /usr/local/bin/login-notify.sh

This is the contents of /usr/local/bin/login-notify.sh

#!/bin/sh

# Change these two lines:
sender="root@example.com"
recipient="root"

# pam_exec runs this hook on both open_session and close_session; report the login only.
if [ "$PAM_TYPE" != "close_session" ]; then
    host="$(hostname)"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables (the PAM_* ones included).
    message="$(env)"
    echo "$message" | mailx -r "$sender" -s "$subject" "$recipient"
fi

Make the script executable

# chmod 0700 /usr/local/bin/login-notify.sh

This is the email message you receive the next time you or someone else logs in using SSH

SSH Login: username from hostname-remote.user.com on target-host.example.com

XDG_SESSION_ID=775
SELINUX_ROLE_REQUESTED=
PAM_SERVICE=sshd
SELINUX_USE_CURRENT_RANGE=
PAM_RHOST=hostname-remote.user.com
PAM_USER=username
PWD=/
SELINUX_LEVEL_REQUESTED=
SHLVL=1
PAM_TYPE=open_session
PAM_TTY=ssh
XDG_RUNTIME_DIR=/run/user/9000
_=/usr/bin/env

This has been tested on CentOS 7 and Ubuntu 18.04, but I guess most recent distributions support this.

DATA PRIVACY
Sending emails on login may conflict with data privacy on multi-user systems. This can be addressed by sending emails only for specific users or for root (if root is accessible via SSH at all). I might cover that in a later post.
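A variant of the notify script that reports only the accounts you list, and sends just the PAM facts instead of the whole environment, is one way to address the privacy point above. This is an added example, not the post's script; it assumes the same pam_exec line in /etc/pam.d/sshd, and the NOTIFY_USERS, SENDER and RECIPIENT variables (with constructed defaults) are knobs of this example only.

```shell
#!/bin/sh
# Added example, not the original post's script: the same pam_exec session hook,
# limited to the accounts listed in NOTIFY_USERS, sending a short message
# instead of the whole environment. Assumed wiring, as in the post:
#   session optional pam_exec.so seteuid /usr/local/bin/login-notify.sh
# so pam_exec supplies PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE.
# NOTIFY_USERS, SENDER and RECIPIENT are knobs of this example; the defaults
# are constructed.

NOTIFY_USERS=${NOTIFY_USERS:-"root admin"}
SENDER=${SENDER:-root@example.com}
RECIPIENT=${RECIPIENT:-root}

# should_notify <pam_type> <user>: returns 0 when this event deserves an email.
should_notify() {
    # pam_exec calls the hook on open_session and close_session; report opens only.
    [ "$1" = "open_session" ] || return 1
    for u in $NOTIFY_USERS; do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

# build_message <user> <rhost> <service> <host>
# Prints a "Subject: ..." line followed by a one-line body built from the
# PAM facts only, so nothing else from the environment ends up in the mail.
build_message() {
    rhost=${2:-unknown}
    printf 'Subject: %s login: %s from %s on %s\n' "$3" "$1" "$rhost" "$4"
    printf 'user=%s rhost=%s service=%s host=%s time=%s\n' \
        "$1" "$rhost" "$3" "$4" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Send mail only when PAM invoked us (PAM_TYPE is set); when the file is
# sourced for testing this branch is skipped.
if [ -n "$PAM_TYPE" ] && should_notify "$PAM_TYPE" "$PAM_USER"; then
    build_message "$PAM_USER" "$PAM_RHOST" "$PAM_SERVICE" "$(hostname)" | {
        IFS= read -r subject_line
        mailx -r "$SENDER" -s "${subject_line#Subject: }" "$RECIPIENT"
    }
fi
```

Install it in place of the post's script with the same chmod 0700; because pam_exec runs the hook for every session event, the open_session check keeps logouts from producing a second mail.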


15 Jul 2015 Using KVM as hypervisor on CentOS 7

This post describes how to use a CentOS 7 installation as a hypervisor for a virtual machine running Ubuntu 14.04 LTS.

These examples just show the basics of getting KVM virtualization up and running and should not be put into production before considering the added value SELinux gives.

Example 1
Since this VM is planned to be a web server, it will only have a text console (headless); there will not be any graphical console available through VGA, VNC, Spice or QXL. The VM will be connected to the default network, meaning network traffic from the VM will be NATed through the host.

Using virt-install to create a headless VM
$ sudo virt-install -n vm-name --description "server for example.com" --os-type=Linux --os-variant=generic --ram=2048 --vcpus=1 --disk path=/var/lib/libvirt/images/vm-hhj.qcow2,bus=virtio,size=10 --graphics none --console pty,target_type=serial --location=/var/lib/libvirt/images/ubuntu-14.04.2-server-amd64.iso --extra-args="console=ttyS0,115200n8 serial" --network default

To exit this console view you can use the key combination Ctrl + AltGr + 9.
If you are using PuTTY as SSH client from Windows you can use the key combination Ctrl+5 on the Norwegian, Swedish and Finnish keyboard layouts.

Example 2
VM with graphical console available through SSH using port forwarding and VNC.

From your local workstation
Create an SSH tunnel from your workstation to the hypervisor server
$ ssh servername.example.com -L 5903:127.0.0.1:5903

Description of the SSH -L option
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

On the hypervisor server
Create a VM with a graphical VNC console (libvirt binds the VNC port to 127.0.0.1 by default, which is why we reach it through the SSH tunnel)
$ sudo virt-install --graphics vnc,port=5903 --noautoconsole --network default --name TestVM --ram 2048 --vcpus=1 --disk path=/var/lib/libvirt/images/TestVM.img,size=5 --location=/var/lib/libvirt/images/ubuntu-14.04.2-server-amd64.iso -v --accelerate --noreboot

From your local workstation (while you have an active SSH session with port forwarding)
Start a VNC connection to localhost port 5903 using krdc or other VNC clients.
The VNC path would then be like
vnc://localhost:5903

Or you can try virt-viewer
$ virt-viewer --connect qemu+ssh://username@example.com/system TestVM

To let a (non-root) user in the wheel group manage libvirt over SSH without being prompted, create the file
/etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla

[Remote libvirt SSH access]
Identity=unix-group:wheel
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

You should now be able to install your desired operating system on your new VM.

virsh
Here is a list of useful virsh commands that might come in handy when using CentOS as hypervisor.

Start VM
# virsh start vm-name

Stop VM (ACPI)
# virsh shutdown vm-name

If shutdown does not work you can try the destroy command. It is like using the power button on a physical server.
# virsh destroy vm-name

Connect to the VM console and start the installation
# virsh console vm-name

List networks
# virsh net-list

If the network is not active, start it by doing:
# virsh net-start default

List all VMs
# virsh list --all

Remove the VM definition from the list
# virsh undefine vm-name
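The shutdown/destroy pair from the list above is usually wrapped in a small script, so that the power-button fallback only happens after the guest has had a chance to stop cleanly. Added example, not from the original post, in POSIX shell: VIRSH and POLL_SECONDS are hypothetical knobs of this example (not virsh options) that exist only so the logic can be exercised against a stand-in virsh.

```shell
#!/bin/sh
# Added example, not from the original post: ask the guest for an ACPI
# shutdown first and only fall back to `virsh destroy` (the power-button
# equivalent) after a grace period, so the guest can unmount cleanly.
# VIRSH and POLL_SECONDS are knobs of this example, not virsh options;
# leave them at their defaults in real use.
VIRSH=${VIRSH:-virsh}
POLL_SECONDS=${POLL_SECONDS:-2}

# vm_state <name>: prints the domain state as `virsh domstate` reports it
# ("running", "shut off", ...) or "unknown" when the domain does not exist.
vm_state() {
    "$VIRSH" domstate "$1" 2>/dev/null || echo unknown
}

# graceful_stop <name> <timeout seconds>
# Returns 0 when the guest stopped by itself (or was already off),
# 2 when it had to be destroyed, 1 when the domain is unknown.
graceful_stop() {
    name=$1
    timeout=$2
    case "$(vm_state "$name")" in
        unknown)    echo "no such domain: $name" >&2; return 1 ;;
        "shut off") return 0 ;;
    esac
    "$VIRSH" shutdown "$name" >/dev/null
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        sleep "$POLL_SECONDS"
        waited=$((waited + POLL_SECONDS))
        [ "$(vm_state "$name")" = "shut off" ] && return 0
    done
    echo "$name did not stop within ${timeout}s, destroying it" >&2
    "$VIRSH" destroy "$name" >/dev/null
    return 2
}

# Usage: graceful_stop vm-name 60
```

The distinct return codes let a calling script log which path was taken; a guest that needed destroy is worth a look, since a missing acpid in the guest is the usual reason the ACPI shutdown is ignored.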

Sources
https://snippets.webaware.com.au/howto/running-qemu-with-port-redirection-through-libvirt/
http://forum.proxmox.com/threads/21194-Port-Forward-with-built-in-NAT-and-PVE-Firewall
http://wiki.libvirt.org/page/SSHPolicyKitSetup
https://www.jethrocarr.com/2012/08/04/virt-viewer-remote-access-tricks/
https://virt-manager.org/download/


17 May 2013 Howto enter VMware ESXi license key after it has expired

“Disable VMware ESX” is the warning message displayed when you open your VMware vSphere Client after the 60-day evaluation period has expired without entering a new license key for your free VMware vSphere Hypervisor 5 install. You cannot enter the license key in the vSphere Client after the evaluation period has expired, and if you do not enter the key before it expires you will not be able to power on VMs once they have been powered down.

This is a short howto describing how you can enter the license key for your free VMware Hypervisor after it has expired, since you cannot use the vSphere Client.
This requires that you enabled the SSH service on your host before it expired and that you can reach the ESXi host with your favourite SSH client.
The license file should look something like this if you have not entered any license information: 00000-00000-00000-00000-00000.
This key should be replaced with the key you got from VMware (http://www.vmware.com/products/vsphere-hypervisor/) when you downloaded the installer file.

This is a step by step description of how you can update the license file

  1. Start an SSH session to your ESXi host using your favourite SSH client, like PuTTY
  2. Log in with the username root (unless you have changed it to something else)
  3. Open the file /etc/vmware/vmware.lic using the vi editor
    ~# vi /etc/vmware/vmware.lic
  4. Delete the old license key with the dd command
  5. Insert the new license key with the i command

    The key shown in the screenshots is just an example and is not a valid key. Replace it with the evaluation license key you received from VMware.

  6. Save the file using the write command w
  7. Now you can open a new vSphere Client window and see if the license warning appears again. If it does not, you have successfully updated the license key. If it does, check that the license key is typed in correctly.

All this can be done without a reboot of the ESXi host.


13 Jan 2012 Using Lsyncd to perform “live” synchronization of a local directory to a remote directory

This post is a short HOWTO describing how to install and run lsyncd to perform an rsync synchronization from a local to a remote server over SSH.
Lsyncd is a daemon that continuously synchronizes directory trees and relies on inotify. If you need truly live synchronization, DRBD might be a better alternative since it synchronizes at the block level.

Installing Lsyncd 2.0 from source on CentOS 6
Lsyncd is not available as a package in CentOS 6, so you need to download the source archive from http://code.google.com/p/lsyncd/downloads/list.
You should have rsync, GCC and lua-devel installed on your system before you continue installing Lsyncd.

# yum install rsync gcc make lua-devel

Unpack the lsyncd source archive and run the following commands from the unpacked directory

# ./configure
# make
# make install

make install copies the compiled files into the right directories on your system.

I need to configure passwordless SSH communication between the two servers using an SSH key.
On the source server, run the following command to generate an SSH key if you have not done so already.
Remember to do this as the user you are going to perform the sync with.

# ssh-keygen

Copy the generated public key from the source server to your target server with scp

# scp ~/.ssh/id_rsa.pub root@remoteserver:/tmp

On the target server, append the copied public key to your existing authorized_keys file.
Again, do this as the user you are going to connect as from the source server.

# cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

If you do not have this file yet, create it first with the touch command below (the >> redirection also creates it when it is missing)

# touch ~/.ssh/authorized_keys

Test that you can ssh without a password from your source server to the target server.
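The copy-and-append steps above can be made idempotent and permission-safe: with StrictModes (the sshd default) a key is ignored when ~/.ssh or authorized_keys is writable by others, and appending the same key twice is a common mistake. Added example, not from the original post: a POSIX shell function that installs one public key line, creating the directory and file with the permissions sshd expects and skipping keys already present. KEYS_HOME is a hypothetical override so the function can be run against a scratch directory instead of the real home.

```shell
#!/bin/sh
# Added example, not from the original post: install a copied public key into
# ~/.ssh/authorized_keys as the post describes, but idempotently and with the
# permissions sshd's StrictModes expects. KEYS_HOME is a hypothetical override
# so the function can be exercised against a temporary directory.

# install_pubkey <path to id_rsa.pub>
# Prints "added" or "already present" and returns 0; returns 1 for input that
# is not a single plain OpenSSH public-key line.
install_pubkey() {
    pub=$1
    home=${KEYS_HOME:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys
    # Refuse anything that is not exactly one line; id_rsa.pub is one line.
    [ "$(grep -c '' "$pub")" -eq 1 ] || {
        echo "expected exactly one key line in $pub" >&2
        return 1
    }
    key=$(cat "$pub")
    # Only plain key lines (type, base64, comment); lines with option prefixes
    # such as command="..." are out of scope for this example.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "unrecognised key type in $pub" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Compare type + key material and ignore the comment field, so the same key
    # copied from a host with a different comment is still seen as a duplicate.
    material=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk '{ print $1, $2 }' "$auth" | grep -qxF "$material"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Usage on the target server, as the sync user: install_pubkey /tmp/id_rsa.pub
```

Afterwards the passwordless test from the post (ssh from the source server) confirms the key was picked up; if it still asks for a password, the directory or file permissions are the first thing to check.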

I have made a config file, /root/scripts/lsyncd.conf, that tells Lsyncd where to put the log and status files, that it should run as a daemon in the background, that a sync should occur after 900 seconds (15 minutes) if there have not been any filesystem changes, and that there should be no more than 6 parallel Lsyncd processes.

settings = {
   logfile      = "/tmp/lsyncd.log",
   statusFile   = "/tmp/lsyncd.status",
   nodaemon     = false,
   maxDelays    = 900,
   maxProcesses = 6,
}

sync{default.rsyncssh, source="/path/on/source/", host="hostname.target.server.tld", targetdir="/path/on/target/"}

To start lsyncd you run the command

# lsyncd /root/scripts/lsyncd.conf

You should now see an Lsyncd process running as a daemon on your system. It performs a sync when it starts and then waits for filesystem changes, or syncs after 900 seconds.

If you would like Lsyncd to start at boot, just add the following line to the bottom of file /etc/rc.local

lsyncd /root/scripts/lsyncd.conf

You now have a working, secure rsync synchronization between two servers.

To see which directories are being synced

# tail -f /tmp/lsyncd.status

To follow what is happening right now

# tail -f /tmp/lsyncd.log
