Auto tar find results.

You’re a standard sysadmin. You get an alert that your filesystem is filling up (usually /var). You don’t want to spend a lot of time cleaning it up, so like any good sysadmin you write a script. Here are a couple of quick ones.
First, grab file set a but exclude set b. (Maybe you want to archive log_files.may.txt but not log_files.june.txt.tgz.)
A little simpler: grab anything that matches the wildcard and compress it.
Assuming the following:

You want to keep secure-20150315 but compress everything else.


What does this do?

Find files in /var/log named secure-20150315 and exclude them from processing (-prune). Then (-o) search for anything not excluded whose name matches secure-2015*. The -print0 and xargs options are the neat part here. Normally the results of find come back as one batch; this iterates through each file individually instead. {} is the variable, so {}.tgz creates a file called ‘secure-20150301.tgz’ containing secure-20150301.

This is super useful if you’re trying to condense directories. All you have to change is -type f to -type d.
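The find/-prune/-print0/xargs pipeline described above, written out as a function so it can be tried on scratch data. This is an added example, not the post’s own one-liner: the function name, its parameters (directory, name to keep, glob, find type) and the sample files are assumptions. It also skips anything already ending in .tgz, which covers the “exclude set b” case from the first paragraph, and takes the find type as a parameter so the same call handles directories.

```shell
#!/bin/bash
# Added example (not from the original post): archive every entry under
# $1 that matches $3, skipping the one named $2 and anything already
# compressed. $4 is the find type: f for files (default), d for directories.
archive_matching() {
  dir="$1" keep="$2" pattern="$3" ftype="${4:-f}"
  (
    cd "$dir" || exit 1
    # -prune on the name to keep takes the first branch of -o, so that
    # entry never reaches -print0; every other match is NUL-terminated
    # and handed to xargs one at a time (-I), which is what makes
    # {}.tgz expand per file instead of once for the whole result set.
    find . -maxdepth 1 -name "$keep" -prune -o \
         -type "$ftype" -name "$pattern" ! -name '*.tgz' -print0 \
      | xargs -0 -r -I{} tar czf {}.tgz {}
  )
}

# Demo on constructed sample data so it runs anywhere (no /var/log needed).
demo_dir=$(mktemp -d)
for day in 20150301 20150308 20150315; do
  echo "sample log $day" > "$demo_dir/secure-$day"
done
archive_matching "$demo_dir" secure-20150315 'secure-2015*'
ls "$demo_dir"
rm -rf "$demo_dir"
```

Run it twice and the second pass is a no-op, because the `! -name '*.tgz'` test keeps the archives it just made out of the next result set; pass `d` as the fourth argument to archive whole directories instead of files.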

 

Replacing Google Fiber’s Network Box

Google Fiber is amazing. Their network box does a decent job, but it lacks a lot of features for more advanced users. Their router handles active connections well and, considering the bandwidth the average person uses, it’s fine. If, however, you want to do more with it (DMZ, bridging, better port forwarding, or even just using your own router), that’s not currently possible with their modem.

There are some projects (pfSense, etc.) that allow you to connect your own hardware. Google doesn’t discourage replacing their network box and even gives you some basic information on how to proceed:

https://support.google.com/fiber/answer/3333210?hl=en

The takeaway there is that you need to put the WAN port on a VLAN and set the QoS bits on egress traffic. Once that is done, you can hook any Linux machine directly up to the fiber jack.

I’m using eth3 for WAN in this example. Replace it with whatever your WAN port is.

You need to VLAN the interface that is connected to the fiber jack. If this is a single machine, this is easy; typically it’s eth0.

On EL systems:

Now create the VLAN:

Create the VLAN device:

Finally add the route:

The route here is necessary for TV service. If you just have internet, you won’t need it.

This brings all of your changes up. You should now have a new address on eth3.2.

Finally, set the QoS/CoS bit on egress traffic. Until this is done you will max out at roughly 10mb/s upload (I was getting 500mb/s down even at this point).
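The VLAN and egress-priority steps above, done with iproute2 rather than the EL ifcfg files the post refers to. This is an added example and not the post’s own commands: the WAN name, VLAN id 2 (taken from the eth3.2 the text mentions), the use of dhclient, and the CoS value are all assumptions, and the CoS number must come from Google’s support page; 3 below is only a placeholder. The TV route from the text is not included because its value is not given. Setting RUN=echo prints the commands instead of running them, so the dry run works without root.

```shell
#!/bin/bash
# Added example, not from the original post. Creates a tagged VLAN
# sub-interface on the WAN NIC and maps all egress traffic to one 802.1p
# priority with iproute2. The WAN NIC, VLAN id and CoS are parameters;
# the CoS value must be taken from Google's support page (3 is a
# placeholder). Set RUN=echo to print the commands instead of running them.
RUN="${RUN:-}"

fiber_vlan_up() {
  wan="$1" vid="$2" cos="$3"
  dev="$wan.$vid"
  $RUN ip link set dev "$wan" up
  # egress-qos-map FROM:TO rewrites socket priority FROM to 802.1p TO on
  # the way out; 0:$cos covers normal (priority-0) traffic.
  $RUN ip link add link "$wan" name "$dev" type vlan id "$vid" \
       egress-qos-map "0:$cos"
  $RUN ip link set dev "$dev" up
  # Pull an address on the tagged interface, as the text expects for eth3.2.
  $RUN dhclient "$dev"
}

# Show the VLAN id and qos map currently configured on a device, if any.
fiber_vlan_check() {
  ip -d link show dev "$1" 2>/dev/null | grep -E 'vlan|egress-qos'
}

# Dry run: prints the four commands for eth3, VLAN 2, placeholder CoS 3.
RUN=echo fiber_vlan_up eth3 2 3
```

Run `fiber_vlan_check eth3.2` afterwards to confirm the id and the egress map took; the upload cap the text describes is what you see when the map is missing.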

Special thanks to my friends Josh Bergland and John Narron who helped me with some packet diving to get everything working!

Bash renaming utility

Ubuntu/Debian package the Perl-based rename utility, which takes regular expressions. For distros that do not, this one-liner is handy:

As with anything Linux, there are many ways to accomplish this.
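One of those ways, as an added example that is not the post’s own one-liner: a small function that applies a sed expression to each file name and moves the file only when the name actually changes and the target does not already exist. The function name, its arguments and the sample files are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: a portable stand-in for
# Debian's perl rename. Applies a sed expression ($1) to the base name of
# each remaining argument and moves the file if the name changed, refusing
# to overwrite an existing target.
rename_re() {
  expr="$1"; shift
  for src in "$@"; do
    base=$(basename -- "$src")
    dir=$(dirname -- "$src")
    new=$(printf '%s\n' "$base" | sed -e "$expr")
    [ "$new" = "$base" ] && continue          # expression did not match
    if [ -e "$dir/$new" ]; then
      echo "skip: $dir/$new exists" >&2       # never clobber silently
      continue
    fi
    mv -- "$src" "$dir/$new"
  done
}

# Demo on constructed files: turn *.txt into *.log.
demo=$(mktemp -d)
touch "$demo/a.txt" "$demo/b.txt"
rename_re 's/\.txt$/.log/' "$demo"/*.txt
ls "$demo"
rm -rf "$demo"
```

The `--` after mv, basename and dirname matters for names that start with a dash, which a regex rename can easily produce.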

Putty Reverse forwarding command line options.

Port 80 is the port you’re connecting to on the remote server. Port 12000 is the port you’re connecting to locally. Say this is an HTTP connection: connecting is simply a matter of pulling up localhost:12000 in any web browser.

Installing Rocket on CentOS 7

Rocket is CoreOS’ answer to Docker. Their project’s goal is enhanced security, a little more freedom, and possibly just to capture the value spot.

So, a couple of quick things. First, they have a module up on GitHub. This is NOT considered production ready; it is heavily alpha/beta, though they are making good progress. Second, are you sure you want to run this on CentOS? The management built into Docker is better supported.

If you know what you’re doing, or you’re sure that you want this method (and you know what you’re doing), forge ahead.

Final note before we start: either you need to run a kernel much newer than 2.6 on EL5/6 platforms (and you will not really be using EL5/6 at that point), or you need to use EL7 outright. There’s not a ton of difference between RHEL, CentOS, Oracle Linux, Scientific Linux, or any other flavor that is a binary equivalent of RHEL.

Onto the code!

It will run for a bit and compile some things. Once that’s done, check the version:

rkt version

rkt version 0.3.2+git
appc version 0.3.0+git

If you get something similar, you’ve got it working! I’ll update the blog this weekend with the next few stages and a basic deploy.

VNC – automatic console sharing upon XFCE boot

There are a lot of ways to share a screen on Linux. Messing with GDM, various window managers, and the like can be painful. Here’s one way to have XFCE automatically share the screen on boot, before the graphical login.

append:

Just enter your password here and you’re set!

Bash mass change permissions using find

A quick one-liner to recursively change all files in a directory to a set permission:

You can substitute chown if you want to set ownership:

This comes in handy when you want to give a group the ability to navigate through directories without blindly giving write/execute permissions on everything.

If you want to avoid recursion, use -maxdepth x, where x is the number of subdirectory levels to descend:

This will only modify files in the path directory.
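The directory/file split above, as an added example rather than the post’s own one-liner: directories get a mode that includes group execute (traverse), files get one that does not, an optional user:group is applied with chown, and an optional depth maps to -maxdepth. A second function lists what still blocks the group, which is the check worth running before handing the path over. The function names, arguments and sample tree are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: give a group traversal rights
# on a tree without making files executable. Directories get $2, files get
# $3; ownership ($4, user:group) is changed only if supplied; $5 limits the
# depth like -maxdepth in the text.
set_tree_perms() {
  root="$1" dmode="$2" fmode="$3" owner="${4:-}" depth="${5:-}"
  maxd=""
  [ -n "$depth" ] && maxd="-maxdepth $depth"
  # -exec ... {} + batches paths into as few chmod calls as possible.
  find "$root" $maxd -type d -exec chmod "$dmode" {} +
  find "$root" $maxd -type f -exec chmod "$fmode" {} +
  if [ -n "$owner" ]; then
    find "$root" $maxd -exec chown "$owner" {} +
  fi
}

# Lists directories the group cannot traverse and files it cannot read.
perm_audit() {
  find "$1" -type d ! -perm -g=x -o -type f ! -perm -g=r
}

# Demo on a constructed tree: everything starts owner-only.
demo=$(mktemp -d)
mkdir -p "$demo/sub/deep"; echo x > "$demo/sub/f"
chmod 700 "$demo/sub" "$demo/sub/deep"; chmod 600 "$demo/sub/f"
echo "before:"; perm_audit "$demo/sub"
set_tree_perms "$demo" 750 640
echo "after:";  perm_audit "$demo/sub"
rm -rf "$demo"
```

`-perm -g=x` means "all of these bits set", so the audit reports exactly the entries that would stop a group member part-way down the path.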

Ovirt, hosted engine, and cert problems.

I recently ran into a weird problem with oVirt and the new hosted engine. I created a new setup with 3.4 and am currently running 3.4.3. For whatever reason, the CA file was not copied over, and ovirt-image-uploader isn’t designed to catch that sort of thing. That led to some really ugly, useless errors:

ERROR: ‘NoneType’ object is not iterable

What this actually indicates (in this case) is that the cert file is missing. A quick copy:

rsync hosted_engine:/etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/ -avrthP

then an attempt to upload again:

engine-iso-uploader -v -i iso_domain upload centos.iso --insecure

Progress! It begins copying, though silently, without a status message to indicate it’s not just hanging. If in doubt, run ls -alh /path/to/iso/domain. The file will keep the filename you assigned, prefixed with a dot.

A big thank you to Keith for the patch which actually gave a valid error message:

http://lists.ovirt.org/pipermail/users/2012-October/010268.html

SSL vuln script

This script lists each listening port and the process behind it, then tests whether the service accepts SSLv3. It is intended for testing for the POODLE (CVE-2014-3566) SSLv3 vulnerability discovered recently.

#!/bin/bash
# Lists every listening port with its owning process and probes each
# listening address with "openssl s_client -ssl3" to see whether SSLv3 is
# accepted. Needs net-tools (netstat) and an OpenSSL that still accepts
# -ssl3; a build without SSLv3 support fails the probe and the port is
# reported as "SSL disabled or other error". Run as root so netstat can
# show process names.

IFS=$'\n'
# Distinct local ports in LISTEN state, numerically sorted.
var=($(netstat -alntpu | grep LISTEN | awk '{print $4}' | sed 's/.*:\(.*\)/\1/g'))
sorted=($(sort -n -u <<<"${var[*]}"))

sslcheck () {
  port="$2"

  # IPv6 wildcard/loopback listeners are probed via IPv4 loopback.
  if [[ "$1" =~ "::" ]]; then
    ip="127.0.0.1"
  else
    ip="$1"
  fi

  # Force an SSLv3-only handshake; "Q" closes the session if it succeeds.
  ret=$(echo Q | openssl s_client -connect "$ip:$port" -ssl3 2> /dev/null)

  # Process name from the PID/Program column, matched on the exact
  # "address:port " so that port 80 does not also match 8080.
  servicename=$(netstat -tulpn | grep -F "$1:$2 " | awk '{print $7}' | sed 's/.*\/\(.*\)/\1/g' | head -n 1)

  if [[ -z "$servicename" || "$servicename" == "-" ]]; then
    servicename="null"   # no process visible (not root) or no PID column
  fi

  if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
      # Handshake was attempted but no cipher was negotiated.
      echo "$servicename,$ip,$port,SSL 3.0 disabled on port"
    else
      echo "$servicename,$ip,$port,SSL 3.0 enabled"
    fi
  else
    if [[ -n "$port" ]]; then
      echo "$servicename,$ip,$port,SSL disabled or other error"
    fi
  fi
}

scan_all_listening_ips () {
  IFS=$'\n'
  # Every local address with a listener on port $1 (exact port match).
  listenarray=($(netstat -tulpn | awk -v p="$1" '$4 ~ (":" p "$") {print $4}' | sed 's/\(.*\):.*/\1/g'))
  sortedlistenarray=($(sort -u <<<"${listenarray[*]}"))
  for ip in "${sortedlistenarray[@]}"; do
    # Pass the address as netstat shows it so sslcheck can still match the
    # netstat line; the IPv6-to-127.0.0.1 mapping happens in sslcheck.
    sslcheck "$ip" "$1"
  done
}

for i in "${sorted[@]}"; do
  scan_all_listening_ips "$i"
done

unset IFS
exit 0

Poodle, and SSL

After the POODLE SSL vulnerability was discovered, many people started looking through their servers for things that need updates. One of the more unfortunate findings comes with CentOS and RHEL 5 instances that use Exim. The options that allow you to disable SSLv3 are tied to a build of Exim that doesn’t exist in the base channels. While it’s possible to compile them in, or to install from a source that includes them, it’s a better idea to upgrade the OS to EL6 or to switch to Postfix, which does have those options.

To see which options are available on an EL6 instance:

etc.

If you run the same command on an EL5 instance, you will get:

This means that OpenSSL has no available cipher list, and unless you can disable SSLv3 directly as an option, limiting it via ciphers won’t work.

There are a lot of guides on the internet that reference openssl_options, but that’s not possible in the base Exim.

Usually I’d leave this note with a workaround or guide, but in this case I just hope to save anyone the confusion of trying to figure out what is going on.
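For the Postfix route the text recommends, this added example (not from the post) shows the relevant settings and a check for them: Postfix’s smtpd_tls_protocols / smtpd_tls_mandatory_protocols (inbound) and smtp_tls_protocols / smtp_tls_mandatory_protocols (outbound) accept an exclusion list such as “!SSLv2, !SSLv3”. The function names, the sample main.cf and the use of a plain text parser instead of postconf are assumptions; on a real box, `postconf` is the authoritative reader.

```shell
#!/bin/bash
# Added example, not from the original post. Audits a Postfix main.cf for
# the four protocol parameters and reports any that do not exclude SSLv3,
# then prints the postconf commands that would fix them.
PARAMS="smtpd_tls_protocols smtpd_tls_mandatory_protocols smtp_tls_protocols smtp_tls_mandatory_protocols"

# Value of one parameter in a main.cf ($1 file, $2 name); last definition
# wins, as in Postfix; empty if unset.
maincf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Prints "param: value" for every parameter that does not contain !SSLv3;
# exit status 0 only when all four exclude it.
postfix_sslv3_status() {
  rc=0
  for p in $PARAMS; do
    v=$(maincf_get "$1" "$p")
    case "$v" in
      *'!SSLv3'*) ;;
      *) echo "$p: ${v:-<unset, Postfix default applies>}"; rc=1 ;;
    esac
  done
  return $rc
}

# The fix, as the postconf commands you would run on the mail server.
postfix_sslv3_fix_cmds() {
  for p in $PARAMS; do
    echo "postconf -e '$p = !SSLv2, !SSLv3'"
  done
}

# Constructed sample main.cf: inbound opportunistic TLS is fixed, the
# mandatory-TLS and outbound settings still allow SSLv3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
myhostname = mail.example.com
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2
EOF
postfix_sslv3_status "$sample" || postfix_sslv3_fix_cmds
rm -f "$sample"
```

An unset parameter is reported too, because the Postfix default for these settings on older releases does not exclude SSLv3, so "not mentioned in main.cf" is not the same as "disabled".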