Create LVM without partition table

Earlier I had written a blog to create LVM using partition table Create File system with Linux LVM

In this blog, I will show you how to create LVM without using partition table. This is useful when you want to use a full disk for the volume instead of portion of the disk. 

This procedure will be relevant to the data disk that you will add to your system rather than the OS Disk/Partition. Also its very helpful in later stage when you need to extend the same disk instead of adding new disk in the virtual environment/cloud, LVM without partition will be very easy to handle as you can directly resize your PV and LV instead of destroying and recreating the disk and partition table. 

Lets go with creating the disk after adding new disk on vm. We have covered about how to re-scan the scsi bus in the earlier blog - Create File system with Linux LVM

To rescan the new disk - my setup has the new disk in host2 adapter.

#echo "- - -" /sys/class/scsi_host/host2/scan

1.1 Scanning SCSI Host adapter

We have now got a new disk that we added on the VM that is /dev/sdb, Let's continue to create this disk as physical volume directly instead of create a partition table with parted or fdisk.

#pvcreate /dev/sdb

Syntax - pvcreate disk_name/partition_name

1.2 Create PV

Now you can see we have a physical volume (PV) created /dev/sdb as shown above,

To create Volume Group(VG) on this new PV, you need to use vgcreate command, 

#vgcreate data_vg /dev/sdb

Where data_vg is the volume group name. 

Syntax - vgcreate VG_new PV1 PV2 ...

1.3 Create VG

LV can be created on top of this VG using lvcreate comamnd, 

Syntax - lvcreate -l +100%FREE -n LV_name vg_name

1.4 Create LV

From lsblk you can see that lvm is created successfully. 

1.5 lsblk output

Now you can create Filesystem to this Logical volume and mount it as per your requirement. 

I have formatted with XFS and mounted to /data mount point. 

1.6 XFS Format

1.7 Mount FS

I will write procedure to extend same disk and LV without having downtime in another blog.  

Linux User SSH Access Control

Technology growth is rapid, implementing solutions without proper restriction would cause data leak, cyberattacks. First line of defence for any solution would be its users. Granting granular privilege and role based access is one of the critical task that should be implemented.

SSH is Secure SHELL protocol works on port 22. In Linux, Users over remote connect to administer and manage daily activities on the server. There are multiple security ways of handling user access. In this blog I will be writing how we will restrict SSH access to server. 

Create a Group in Linux that will contain all the users who will be provided SSH access to the server. 

#groupadd ssh-users

You can also specify a group id for this group and maintain it across your environment to manage it with config automation tools like ansible and others in a large scale in future. 

#groupadd -g 3000 ssh-users

Create user and add to the ssh-users group 

# useradd -c "SSH Allowed user" -m -d /home/karthick -s /bin/bash -aG ssh-users karthick 

where, 

-c is comment for a administrator to identify what user or a brief about the user. 

-d is mention home directory of the user 

-s is login shell that the user will be using. 

-a is to append user to the mentioned group

-G is to add user to the secondary groups mentioned.

SSH Restriction

Edit the sshd_config file under /etc/ssh/sshd and add the following line in the end.

AllowGroups ssh-users

Restart the sshd service. 

#systemctl restart sshd

Now, ssh will be restricted to all users, except for those who are added in this ssh-users group.

Ansible Automation

I have written a sample ansible play to automate these tasks in my git - SSH-Restriction

Best Practices: 

Never allow any Privileged/Admin accounts Remote SSH Access.

Always provide SSH access to normal user and then allow sudo escalation or su to privileged user with password. 

References:

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html

OS: 

RHEL, SUSE Linux, Centos

Azure Fence agent in Azure China for Pacemaker cluster

Microsoft has provided extensive documents for Pacemaker cluster on azure. They are efficient and easy to follow. 

On Azure china, so many things are different in terms of infrastructure connectivity. we see a lot of restrictions and security added. So in this blog I will be writing a small topic which is not covered in the global azure document. This topic would be in specific to government/China azure instances. 

For a Pacemaker cluster to operate in expected manner, we would need the STONITH device as you all know. On Azure there is fencing agent(fence_azure_arm)  to provide this feature. 

Fencing agent is created with python and it is granted with azure service principle rights or MSI(Managed system identity) roles to perform fence operation.  

Ideally this agent would communicate with the Azure AD and get authenticated to perform the stop/start/restart operation for a VM. All of this communication for global azure happens through the management.azure.com, however in china this api is different, and the fence agent script will need to be configured to inform which cloud api it needs to communicate explicitly. 

While configuring fence agent as cluster resource you will need to add additional option called cloud with value as china. This will ensure fence agent is communicating to the correct api and bring up the fence agent online.

The following is the Eg: to create fencing device for a pacemaker cluster in SUSE Linux

# replace the bold strings with your subscription ID and resource group of the VM

sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm params msi=true subscriptionId="subscription ID" resourceGroup="resource group"  cloud=china pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 op monitor interval=3600 timeout=120

References -

Azure high-availability-guide-suse-pacemaker

GitHub azure-docs

Hope this topic is useful for you !!

- JK

Privilege escalation with sudo

Privilege escalation with sudo

Normal user in Linux can be allowed to execute privileged commands with sudo rights.

Sudoers configuration file is /etc/sudoers, however editing this file directly is not advisable either you can use visudo to edit this file or create a template file under /etc/sudoers.d. 

I would suggest use template file under /etc/sudoers.d which will be more easier to manage multiple user privileges and it can me efficient in managing granular access. 

Syntax - Who Where = (Runas-Who:group) What_Commands

Who - which user you want to give sudo rights/privilege.

where - In what server you want to grant the user access to execute mentioned commands.

Runas-Who:group - As which user will the user execute the granted commands. 

What_commands - Finally the commands that you want to provide access to user for executing. 

User Shiva is a normal user here and he is now allowed to list the repositories on the server without providing root password. 

NOPSSWD directive may be a security issue as it will not ask for a password when elevating privilege to execute the command. 

To over come this security issue you may use the line "defaults     !targetpw" - This will ask for the users password when elevating privilege.

Example: 

# visudo /etc/sudoers.d/shiva

defaults !targetpw

shiva ALL = (ALL:ALL) /usr/sbin/yum repolist

You can also enforce asking for root users password when elevating privilege. 

"defaults targetpw" 

Best practice:

Edit sudoers file with visudo which will validate the content when exiting and if anything wrong in the format it will show you error and you can edit the file to fix the issues. 

While editing the sudoers template, ensure you have two session opened with root rights and let one session be running with TOP command. After implementing sudoers config make sure that sudo command is working without any problem on a new session and then you can terminate the top command and its session. It would be helpful if the sudoers went wrong and you are locked out of root. 

This situation can occur when you have wrong sudo file and there is no root user login allowed directly. 

To validate the sudoers configuration you created using visudo -vf %s if it is formatted correctly

Linux - HA Cluster Maintenance

Linux - HA Cluster Maintenance

What is a cluster ? 

A group or collection of servers that is providing same service/application. 

In this blog we will see about setting cluster into maintenance mode and releasing cluster out of maintenance mode. 

What is Maintenance mode ? 

Maintenance mode is when the server is not available to service the customers and is currently undergoing a maintenance task. 

With HA Cluster enabled, If we need to perform some activity on the cluster managed pools/servers, we will need to enable cluster maintenance mode so that you do not see any unexpected behaviors from the system.

To enable cluster Maintenance following command is used. 

For SUSE Clusters 

crm configure property maintenance-mode=true

For Redhat Cluster

pcs property set maintenance-mode=true

When you have enabled/set the Maintenance mode you can perform start/stop or any config update on the cluster managed resources. During this period cluster will not interfere with these resources. 

Once we have completed the required activity to release cluster from maintenance mode following command is used. 

For SUSE Clusters 

crm configure property maintenance-mode=false

For Redhat Cluster

pcs property set maintenance-mode=false

Creating and modifying user in Linux

Creating and modifying user in Linux

    By default when you Install Linux Operating system a user will be created and that user will have full sudo privilege. However when ever you create a user after installing OS, you will need to provision required privilege for that user. In this blog i will show you few commands with useradd and usermod. 

    The following user karthick has been created when OS was installed and this user is added to the Wheel group to get the sudo privilege. User karthick can run privileged commands with his password. 

    To create a normal user in command line providing the users home directory and UID we will use as -d to specify user home directory and -u for UID.

#useradd -d <Path_To_User's_HomeDirectory> -u UID

UID is a unique identifier number used to identify the user. 

    This user does not have privilege to execute root level commands. However if we need to provide root access we will need to add this user to wheel group. To do so we will use usermod command

Adding users to this wheel group will gain complete root access for the user. 

    If you do not want user to have complete root access and instead provide granular or role based access we can provision that through sudo template. you can create a sudoers template/drop-in file under /etc/sudoers.d directory. 

We will see about sudoers template file in much more detail in upcoming blogs. 

zmprov commands in zimbra

zmprov commands in zimbra

zmprov commands are used for provisioning in zimbra.

syntax - zmprov command argument

gaà Get account – gets current value

maà Modify account – modifies current value to specified value.

gcfà get configuration – gets current configuration

mcfà modify configuration – Modifies current configuration to specified configuration.

 

1. To Change display name for a single user

$zmprov ga user@domain.com | grep displayName

displayName: User Name

$zmprov ma user@domain.com displayName "User Name1"

$zmprov ga user@domain.com | grep displayName

displayName: User Name1

$zmprov ga user@domain.com | grep zimbraPrefFromDisplay

2. To Modify Mail attachment size  

Check current value

zmprov gcf zimbraMtaMaxMessageSize

zmprov gcf zimbraFileUploadMaxSize

zmprov gcf zimbraMailContentMaxSize

Modify size

zmprov mcf zimbraMtaMaxMessageSize 20971520

zmprov mcf zimbraFileUploadMaxSize 20971520

zmprov mcf zimbraMailContentMaxSize 52428800

3.  To get &Modify Mail forwarding address.

zmprov ga user@domain.com zimbraPrefMailForwardingAddress

zmprov ma user@domain.com zimbraPrefMailForwardingAddressforward@domain.com