Saturday, 14 May 2016

Ubuntu automysqlbackup

There is a script called "automysqlbackup", a pretty straightforward shell script wrapping up routine MySQL dumps. The Ubuntu package is mostly preconfigured, so you would not necessarily even have to modify the stock configuration:
  • Gets its credentials from the maintenance user in "/etc/mysql/debian.cnf" (that file is root-only, which is why the daily cron job runs as root)
  • Dynamically determines what databases are on the server
  • Has a default schedule (daily, via cron) and backup path (/var/lib/automysqlbackup)
You should consider changing a couple of the defaults found in "/etc/default/automysqlbackup":
  • BACKUPDIR to your preferred backup path (keep it root-only; the dumps hold every database in the clear)
  • MAILADDR to an appropriate recipient, so somebody actually hears about errors
The script rotates its daily and weekly dumps itself, but the monthly dumps are never removed, so you may want a basic pruning step. There's a "PREBACKUP" variable where you can hook in such a command. I like this because it runs before your backup, so you don't accidentally nuke your fresh dumps, and it keeps things simple:
  • PREBACKUP="find $BACKUPDIR -type f -mtime +90 -delete"
(-type f keeps find from trying to remove the daily/weekly/monthly directories themselves. The file is sourced by the script, so $BACKUPDIR is expanded when it is read and must be set above this line.)
Finally, remember to copy your backups offsite if appropriate, with "rsync" to some remote system or otherwise. "POSTBACKUP" is the hook for that, and a good one, because it runs right after the dumps have been created and pushes them out straight away.
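As an added example (mine, not part of the automysqlbackup package or of the original post), here is a small POSIX sh script implementing both hooks: a prune step that only ever touches dump files and refuses a few obviously wrong targets, and a push step that rsyncs the directory offsite without ever propagating deletions. The install path, the 90-day retention, the dump filename patterns and the offsite destination are assumptions; the hook lines it expects in /etc/default/automysqlbackup are in the header comment.

```shell
#!/bin/sh
# automysqlbackup_hooks.sh - added example, not part of the automysqlbackup
# package. Two hooks for /etc/default/automysqlbackup (paths, retention and
# destination are assumptions):
#   PREBACKUP="/usr/local/sbin/automysqlbackup_hooks.sh prune $BACKUPDIR 90"
#   POSTBACKUP="/usr/local/sbin/automysqlbackup_hooks.sh push $BACKUPDIR backup@offsite.example:/srv/mysql-dumps"

# prune DIR [DAYS]: delete dump files older than DAYS (default 90) under DIR.
# Only regular files with dump-like names are removed, so the daily/weekly/
# monthly directories and anything else in DIR survive. Refuses an empty,
# relative or root path so a misconfigured BACKUPDIR cannot sweep the system.
prune() {
    dir=$1
    days=${2:-90}
    case $dir in
        ''|/) echo "prune: refusing to work on '$dir'" >&2; return 1 ;;
        /*) ;;
        *)  echo "prune: need an absolute path, got '$dir'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "prune: not a directory: $dir" >&2; return 1; }
    case $days in
        ''|*[!0-9]*) echo "prune: bad retention '$days'" >&2; return 1 ;;
    esac
    find "$dir" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.bz2' \) \
        -mtime +"$days" -print -delete
}

# push DIR USER@HOST:PATH: mirror DIR offsite over ssh. Deliberately no
# --delete: a pruned or lost local copy never turns into a deletion remotely.
push() {
    dir=$1
    dest=$2
    [ -d "$dir" ] && [ -n "$dest" ] ||
        { echo "push: usage: push DIR USER@HOST:PATH" >&2; return 1; }
    rsync -a -e ssh "$dir/" "$dest/"
}

# Dispatch on the first argument; sourcing the file defines the functions only.
case ${1:-} in
    prune) shift; prune "$@" ;;
    push)  shift; push "$@" ;;
esac
```

Both hooks are eval'd by automysqlbackup as root, so the hook script must be root-owned and not group- or world-writable, or anyone who can edit it owns the box at the next cron run.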

Ubuntu Man page:
http://manpages.ubuntu.com/manpages/wily/man8/automysqlbackup.8.html

Monday, 21 September 2015

CentOS 7

Having started an install of CentOS 7, this is my first time working with the Red Hat Enterprise Linux 7 based system, and they've done a few things I'll have to learn.

Goodbye, SysV init! What an era there's been with init scripts. The newer "systemd" system and service manager replaces the init system along with Red Hat's chkconfig and similar tools. The "systemctl" command is kind of similar to "chkconfig", but takes the subcommand first and the new-style unit name second:

# systemctl status nfs-server.service

Overview of systemd for RHEL 7
https://access.redhat.com/articles/754933

The other is the new "firewalld", which provides a set of front ends to iptables. The command-line tool, firewall-cmd, generates the rule changes for you, such as opening a port. As the Red Hat docs say, this mechanism applies individual rule changes instead of flushing and reloading the whole rule set, so you keep established connections and counters. Note that --permanent only writes the saved configuration; the --reload below is what makes it live, and it also discards any runtime-only changes that were made without --permanent.

# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload

Using Firewalls
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

I'm sure there's more, but mostly cosmetic, like how the installer works and which packages are bundled or not (bind-utils not included in a base install? interesting). It's sometimes hard to figure out what to do in a new system when there are big changes that aren't just drop-in replacements for older tools.

Ciao,
Arch

Thursday, 30 July 2015

Update to Password Generator

A couple of years ago I created a simple password generator, which was just a wrapper for "APG". While it worked fine for me, I did find that I needed passwords which fit a specific pattern, so I've added support for the "mode" argument to APG.

https://alia.thenibble.org/passwords/

Voila!

Tuesday, 9 September 2014

Free Signed SSL Cert

I run a few things on an Ubuntu server sitting under my desk at home and have usually used self-signed certificates, but there are free Certificate Authorities, including startssl.com, which are readily available for personal use like running your own ownCloud instance.

Here's a good write-up on how to do this in Ubuntu:

https://gist.github.com/mgedmin/7124635

And the results look swell on SSL Labs. The relevant part of the vhost:

/etc/apache2/sites-enabled/ssl

NameVirtualHost *:443
<VirtualHost *:443>
        SSLEngine On

        # Only SSLv2 is switched off here; SSLv3 stays negotiable, and the
        # suite string still admits RC4 and non-forward-secret RSA key exchange.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        # StartSSL Class 1 intermediate, then the leaf certificate and its
        # private key (keep the key file root-only, mode 0600).
        SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
        SSLCertificateFile /etc/apache2/ssl/alia.thenibble.org.crt
        SSLCertificateKeyFile /etc/apache2/ssl/alia.thenibble.org.pem

        DocumentRoot /var/www/

        ServerAdmin webmaster@thenibble.org

...
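An added example (this editor's, not the post's config or anything from StartSSL): the same vhost with the TLS settings tightened, for Apache 2.4 on a 2014-era Ubuntu with OpenSSL 1.0.1 or later, which is what the ECDHE suites need. Certificate paths and hostname are taken from the post; ServerName, the protocol and cipher choices, SSLCompression and the HSTS header are the additions, and mod_headers must be enabled for the Header line. StartSSL itself has since been distrusted by the major browsers, but the directive review applies whichever CA signs the certificate.

```apache
# Hardened variant of the vhost above (added example, not the original config).
<VirtualHost *:443>
        ServerName alia.thenibble.org
        SSLEngine on

        # Drop SSLv3 as well as SSLv2 (POODLE); TLS 1.0 through 1.2 remain.
        SSLProtocol all -SSLv2 -SSLv3

        # The server, not the client, picks the cipher, and only from this list:
        # forward-secret (EC)DHE suites only (!kRSA removes plain RSA key
        # exchange), no RC4, no export/NULL/anonymous suites, no MD5, no DES/3DES.
        SSLHonorCipherOrder on
        SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!kRSA

        # TLS-level compression is what CRIME abused.
        SSLCompression off

        # Tell returning browsers to refuse plain HTTP for a year. Add
        # includeSubDomains only once every subdomain really serves HTTPS.
        Header always set Strict-Transport-Security "max-age=31536000"

        # Intermediate, leaf and key as before. Key file: root:root, mode 0600.
        SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
        SSLCertificateFile /etc/apache2/ssl/alia.thenibble.org.crt
        SSLCertificateKeyFile /etc/apache2/ssl/alia.thenibble.org.pem

        DocumentRoot /var/www/
        ServerAdmin webmaster@thenibble.org
</VirtualHost>
```

Run "apachectl configtest" before reloading, and re-test with SSL Labs afterwards: the cipher list is an OpenSSL selector string, so what it actually yields depends on the OpenSSL build, and "openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!kRSA'" shows the resolved list on the server itself.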

Saturday, 12 July 2014

Home network

I'm putting together a diagram of my home network; it may take me a couple of passes... Here's a quick drawing made on my tablet.


Tuesday, 29 April 2014

Partitioning with parted for LVM

Disk partitioning and volume management can get complicated, like when you've got disks in RAID groups carved into LUNs, connected via Fibre Channel to a NAS that pools the LUNs, creates file systems and shares them over NFS to VMware hosts, which create virtual disk files that the guests see as local disks, which they then partition and add as physical volumes to volume groups carved into logical volumes, which are then formatted with file systems and mounted before you can finally start storing some files... And all of it is changed online.

Now I've written about LVM before (http://archangel.thenibble.org/2010/11/disk-management-with-logical-volume.html) and, to reiterate: if you're using any mainstream GNU/Linux distro, you should use LVM.

Skipping the SAN, NAS and virtual layers: when adding a new local disk, general practice is to create a partition on that disk with "parted" and add that partition as a PV, rather than handing the whole raw disk to LVM. A partition table tells every other tool (and anyone who later runs fdisk on the box) that the disk is in use, and a whole-disk PV can be harder to resize for LVM. With parted, create "GPT" partition tables instead of MS-DOS ones: an MS-DOS table tops out at 2 TiB with 512-byte sectors, while GPT works for all drive and partition sizes. Start and end can be given as percentages, which is useful both for the start of the disk, where 0% lets parted pick an aligned first sector (1 MiB, which is the 1049kB start in the session below), and for the end, where 100% uses all available space.

Example session:

# parted /dev/sdc
GNU Parted 2.1
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel
New disk label type? gpt
(parted) mkpart
Partition name?  []?
File system type?  [ext2]?
Start? 0%
End? 100%
(parted) set
Partition number? 1
Flag to Invert? lvm
New state?  [on]/off?
(parted) p
Model: VMware Virtual disk (scsi)
Disk /dev/sdc: 53.7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  53.7GB  53.7GB                     lvm

(parted) q
Information: You may need to update /etc/fstab.

# pvcreate /dev/sdc1
  Physical volume "/dev/sdc1" successfully created

... vgcreate / vgextend, lvcreate, mke2fs, and so on.
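The session above, scripted, as an added example (mine, not from the post): parted's -s flag takes the same commands non-interactively, and a couple of checks stop the script from being pointed at a partition, a mapper device or a disk that already carries a table or filesystem, which is the usual way a "new disk" procedure eats a live one. The /dev/sdX1 naming, the lsblk and blkid probes and the partprobe call are this example's assumptions; the checks need util-linux's blkid and must run as root.

```shell
#!/bin/sh
# prep_lvm_disk.sh - added example, not from the original post. Non-interactive
# version of the parted session above (GPT label, one partition from 0% to
# 100%, lvm flag, pvcreate) with guard rails. Assumes /dev/sdX-style names,
# util-linux lsblk/blkid and parted's partprobe.

# Lay down a GPT label and one aligned, lvm-flagged partition on TARGET.
# TARGET can be a block device or a plain image file (handy for testing).
make_lvm_partition() {
    target=$1
    parted -s "$target" mklabel gpt mkpart primary 0% 100% set 1 lvm on || return 1
    # 0% makes parted choose the optimal (1 MiB) start; verify instead of
    # trusting it. align-check prints "1 aligned" or "1 not aligned".
    parted -s "$target" align-check optimal 1 | grep -qv 'not aligned'
}

# Refuse anything that is not an unused whole disk, then partition it and
# hand the new partition to LVM.
prep_lvm_disk() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ "$(lsblk -dno TYPE "$dev" 2>/dev/null)" = disk ] ||
        { echo "$dev is not a whole disk (partition? mapper device?)" >&2; return 1; }
    # blkid -p probes the device itself, bypassing the cache; any partition
    # table or filesystem signature means someone already owns this disk.
    if [ -n "$(blkid -p -o value -s PTTYPE -s TYPE "$dev" 2>/dev/null)" ]; then
        echo "$dev already carries a partition table or filesystem, refusing" >&2
        return 1
    fi
    make_lvm_partition "$dev" || return 1
    partprobe "$dev" 2>/dev/null || true    # make the kernel reread the table
    pvcreate "${dev}1"
}

# Stand-alone use (as root): sh prep_lvm_disk.sh /dev/sdc
if [ $# -eq 1 ]; then
    prep_lvm_disk "$1"
fi
```

After this the usual vgcreate / vgextend, lvcreate and mke2fs follow exactly as in the post; nothing here creates a volume group, so a wrong disk still fails before anything LVM-visible changes.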

Ciao

Wednesday, 12 March 2014

Squid Proxy and WCCP

The last few days I've been struggling to get a transparent proxy set up for our network using WCCP from our Cisco ASA firewall to a Squid proxy.

I had a hard time getting my Squid proxy to handle transparent caching from our Cisco ASA with WCCP(2), mostly with getting the GRE working. I was working mostly with this page:

The biggest confusion for me was that the GRE was not a point-to-point tunnel. In the end it worked as a sort of pseudo-interface to handle the GRE-encapsulated traffic, and the NAT redirection pushed packets through that interface as the glue.

modprobe ip_gre

Loading the module creates a generic GRE device, gre0, which you can see with "ip tunnel". Load the module on boot; on CentOS and other Red Hat derivatives:

echo modprobe ip_gre >> /etc/rc.modules
chmod +x /etc/rc.modules

An IP interface needs to be brought up on gre0, but it doesn't have to connect to anything. Many examples I saw used a localnet address like 127.0.0.2. I used the following (there's no 172.16.x.x in my network; it's a dummy address):

/etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
LOCAL_DEVICE=eth0
ONBOOT=yes
IPV6INIT=no

Lastly, iptables glues the GRE to Squid (we use 10.x.x.x addresses for our network):

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 11 15:45:13 2014
*nat
:PREROUTING ACCEPT [26:6791]
:POSTROUTING ACCEPT [86:5532]
:OUTPUT ACCEPT [86:5532]
# Port 80 from the LAN to anywhere outside it, arriving decapsulated on gre0,
# is redirected to Squid. $HOST-IP and $SQUID-PORT are placeholders for the
# proxy's own address and its intercept port, not shell variables: this file
# is read by iptables-restore. "-d ! addr" is the iptables 1.3 negation form;
# 1.4 and later want "! -d addr".
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST-IP:$SQUID-PORT
COMMIT

rp_filter was disabled and IP forwarding enabled as indicated in the document.
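The same glue on a current kernel and iptables, as an added example (mine, not from the post or the Squid or Cisco documentation). It prints the command sequence rather than running it, so it can be reviewed before being piped to sh as root, and it differs from the post in three places that matter for security: the DNAT rule uses the modern "! -d" negation, GRE is accepted only from the ASA (anyone else who can deliver GRE to the box would otherwise get free use of the proxy through the DNAT), and rp_filter is set to loose mode (2) instead of off (loose mode exists from kernel 2.6.31; on the post's CentOS 5 kernel only 0 and 1 exist, so there 0 is the only option). Squid must also listen on the target port with "http_port PORT intercept" (Squid 3.1+; "transparent" on 2.x), or it will reject the redirected requests. The 172.16.1.6/30 dummy address, the eth0 assumption and the example addresses are this example's.

```shell
#!/bin/sh
# wccp_glue.sh - added example, not from the original post. Emits the
# Linux-side glue for ASA -> Squid WCCP redirection as commands on stdout.
# Addresses, the dummy gre0 address and the ASA-only GRE rule are assumptions.

# Four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
}

# TCP port in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_wccp_commands SQUID_IP SQUID_PORT ASA_IP [LAN_CIDR]
# Validates the inputs and prints the commands; nothing is executed here.
gen_wccp_commands() {
    squid_ip=$1 squid_port=$2 asa_ip=$3 lan=${4:-10.0.0.0/8}
    valid_ipv4 "$squid_ip" && valid_port "$squid_port" && valid_ipv4 "$asa_ip" || {
        echo "usage: gen_wccp_commands SQUID_IP SQUID_PORT ASA_IP [LAN_CIDR]" >&2
        return 1
    }
    cat <<EOF
# GRE device for the WCCP-redirected traffic (same dummy address as the post)
modprobe ip_gre
ip addr add 172.16.1.6/30 dev gre0
ip link set gre0 up
# Redirected clients' LAN sources arrive on gre0 while the route back points at
# eth0, so strict rp_filter (1) drops them. Loose mode (2) still rejects sources
# with no route at all. The kernel uses max(all, interface), so both are set.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.gre0.rp_filter=2
# Only the ASA may hand us GRE; everything else is dropped before decapsulation.
iptables -A INPUT -p gre -s $asa_ip -j ACCEPT
iptables -A INPUT -p gre -j DROP
# The glue: LAN-to-outside port 80 arriving on gre0 goes to Squid's intercept port.
iptables -t nat -A PREROUTING -i gre0 -s $lan ! -d $lan -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$squid_port
EOF
}

# Stand-alone use: sh wccp_glue.sh 10.1.1.5 3128 10.1.1.1 | sudo sh
if [ $# -ge 3 ]; then
    gen_wccp_commands "$@"
fi
```

The INPUT rules assume the chain has no earlier blanket ACCEPT for GRE; check with "iptables -L INPUT -n --line-numbers" first, and on a firewalld host express the same two rules as rich rules instead of appending to the chain directly.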

And Bob’s your uncle!
