Hot adding memory to a Linux VM

December 3, 2018 - Reading time: ~1 minute

After you have added more memory at the hypervisor level, you still have to bring it online in the guest. Nicolas Hurion wrote this one-liner to enable all memory in one shot:

grep line /sys/devices/system/memory/*/state | grep -i offline | sed "s/:offline//g" | sed "s/\/sys\//echo online > \/sys\//g" | /bin/bash

And this is mine but it is still 21% slower :)

grep -l offline /sys/devices/system/memory/*/state | xargs -I % sh -c 'echo online > %'

User session recording using log-user-session

August 21, 2018 - Reading time: ~1 minute

Since I needed a good way to track what users do based on their IP/SSH fingerprint, I started looking and found log-user-session to be a very neat tool. I created an RPM for RHEL7 and a DEB for Ubuntu 18.04 Bionic. Aside from installing the RPM/DEB, you just need to make sure these 2 lines are present in /etc/ssh/sshd_config and you are good to go.

LogLevel VERBOSE
ForceCommand /usr/bin/log-user-session

For fingerprint pairing, just use the date and IP and get the fingerprint out of the secure.log/auth.log.
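The pairing described above can be scripted. This is an added example, not part of log-user-session or the original post: it parses sshd "Accepted publickey" lines and returns the key fingerprint for a recorded session, given the session's user, IP and start time. The sample log lines, the function names and the 60-second matching window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the OpenSSH "Accepted publickey" format
# (host name, users, addresses and fingerprints are made up).
SAMPLE_AUTH_LOG = """\
Aug 21 09:14:02 bastion sshd[4211]: Accepted publickey for alice from 192.0.2.10 port 51844 ssh2: RSA SHA256:AAAAexampleFingerprintOne
Aug 21 09:20:47 bastion sshd[4302]: Accepted password for bob from 192.0.2.77 port 40022 ssh2
Aug 21 11:02:31 bastion sshd[5120]: Accepted publickey for alice from 192.0.2.10 port 52001 ssh2: ED25519 SHA256:BBBBexampleFingerprintTwo
Aug 21 11:05:09 bastion sshd[5177]: Accepted publickey for carol from 198.51.100.5 port 33990 ssh2: ED25519 SHA256:CCCCexampleFingerprintThree
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>\S+)"
)

def parse_logins(text, year):
    """Return one dict per public-key login; syslog timestamps carry no year."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append({"time": ts, "user": m["user"], "ip": m["ip"],
                           "keytype": m["keytype"], "fingerprint": m["fp"]})
    return logins

def fingerprint_for_session(logins, user, ip, session_start, window_s=60):
    """Pick the latest matching login at or shortly before the session start."""
    window = timedelta(seconds=window_s)
    candidates = [l for l in logins
                  if l["user"] == user and l["ip"] == ip
                  and timedelta(0) <= session_start - l["time"] <= window]
    if not candidates:
        return None  # password login, unknown user/IP, or outside the window
    return max(candidates, key=lambda l: l["time"])["fingerprint"]
```

A result of None is itself worth reviewing: it means the session cannot be tied to a key, for example because the user logged in with a password.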

The GitHub page of the project

RPM for Red Hat 7

DEB for Ubuntu 18.04


FPM2 for Ubuntu 18.04

August 6, 2018 - Reading time: ~1 minute

Today I built FPM2 (Figaro's Password Manager 2) for Ubuntu 18.04 Bionic Beaver because the package has been out of the standard repositories for years and the latest one stopped having a decent functioning copy mechanism.

How I built my package:

tar -zxvf source-app.tar.gz
cd source
./configure
make
checkinstall

My package for FPM 0.79 on Ubuntu 18.04 x86_64


No audio on direct redirect using SIP (external follow up numbers) on Asterisk

May 7, 2018 - Reading time: ~1 minute

I had a setup where incoming calls and outbound calls had audio, but when a call was redirected to an external number without being picked up, there was no audio. This is probably because direct media is not working through NAT. To work around this I did something like this:

[provider]
type=friend
host=93.184.216.34
disallow=all
nat=yes
qualify=yes
allow=alaw
allow=ulaw
context=in-provider
dtmfmode=rfc2833
deny=0.0.0.0/0
permit=93.184.216.34/32
directmediadeny=93.184.216.34/32

The directmediadeny setting makes sure direct media is not used for the IP of the external SIP server. Most of the time this is a quick fix; direct media should work if your NAT setup is OK.

 


Addendum: SimpleHTTP(S) or how to get an SSL terminated file server with 5 lines of Python code...

April 24, 2018 - Reading time: 2 minutes

So in the previous post I already hinted at the possibility of using SimpleHTTP as a basic file server for your mirror. You can use this to publish any folder and I combined some tricks to get this SSL terminated SimpleHTTP server. This is a lot simpler than Apache and a good solution if your only goal is a simple file server.

 

The actual web server (simple-https-server.py)

import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('', 8443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='../mirror.pem', keyfile='../mirror.key', server_side=True)
httpd.serve_forever()
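A Python 3 version of the same server, as an added example rather than code from the original post: ssl.wrap_socket was removed in Python 3.12, so this uses an SSLContext, refuses anything older than TLS 1.2 and pins the served directory instead of relying on the working directory. The paths follow the unit file in this post (certificate and key one level above the mirror directory); make_tls_context and make_server are names chosen for the example.

```python
import http.server
import ssl
from functools import partial

def make_tls_context(certfile=None, keyfile=None):
    """Server-side TLS context that rejects SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # Raises OSError if the files are missing and ssl.SSLError if the
        # key does not match the certificate, so a bad setup fails at start.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def make_server(directory, certfile, keyfile, port=8443):
    """HTTPS file server for one directory, listening on an unprivileged port."""
    # Pin the document root explicitly; the key material stays outside it.
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("", port), handler)
    ctx = make_tls_context(certfile, keyfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd

if __name__ == "__main__":
    # Assumed locations, taken from the relative paths used in the post.
    make_server("/opt/data/mirror",
                "/opt/data/mirror.pem",
                "/opt/data/mirror.key").serve_forever()
```

The TLS handshake still runs inside accept() with this pattern, so a stalled client delays new connections; that is tolerable for an internal mirror but not for an exposed service.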

The systemd service (/etc/systemd/system/simplehttp.service). Make sure the user exists and please disable the shell for the simplehttp user in /etc/passwd.

[Unit]
Description=Job that runs the python SimpleHTTPServer daemon
Documentation=man:SimpleHTTPServer(1)

[Service]
Type=simple
User=simplehttp
WorkingDirectory=/opt/data/mirror/
ExecStart=/usr/bin/python /opt/data/simple-https-server.py
# No ExecStop is needed: systemd does not run commands through a shell (no "&" or backticks)
# and stops the service by sending SIGTERM to its main process.

[Install]
WantedBy=multi-user.target

And of course, enable and start the service + create the right FW entries. In this example you have a redirect to HTTPS as well.

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
systemctl enable simplehttp
service simplehttp start

 


Creating a local mirror for Red Hat based systems

April 16, 2018 - Reading time: 3 minutes

I created this script to create a local repository of RPM packages based on the repositories available to the system (very important, otherwise it won't work). To automate initial and further syncs I'm simply using Cron.

The machine is a basic system that is used as a web server (Apache, nginx or Python SimpleHTTPServer).

Before running the script, I created a directory for RHEL7 (named "7"; you should do this for all versions), started Python SimpleHTTPServer in /var/www/html/ and opened port 80 in firewalld. This is just a proof of concept, so nothing fancy.

This is the script:

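#!/bin/bash
# Usage: syncrepos.sh <repos file>; each line of the file is "<version> <repoid>".
BASEDIRECTORY="/var/www/html/redhat/"
while read -r VERSION REPO; do
    # Download the packages of one repository, checking GPG signatures.
    reposync --gpgcheck -l --repoid="$REPO" --download_path="$BASEDIRECTORY/$VERSION/"
    # Create the repository metadata on the first run, update it afterwards.
    if [ ! -d "$BASEDIRECTORY/$VERSION/$REPO/repodata" ]; then
        createrepo -v "$BASEDIRECTORY/$VERSION/$REPO/"
    else
        createrepo --update -v "$BASEDIRECTORY/$VERSION/$REPO/"
    fi
done < "$1"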

This is the repos file:

7 rhel-7-server-extras-rpms
7 rhel-7-server-optional-rpms
7 rhel-7-server-rh-common-rpms
7 rhel-7-server-rpms
7 rhel-7-server-satellite-tools-6.3-rpms
7 rhel-server-rhscl-7-rpms

And to run it, just do:

sh /root/syncrepos.sh /var/www/repos

For older RHEL repositories, you should put them in the content view (when using Satellite) or make sure you can access them. Since they won't automagically appear in your yum repolist, you will have to create a repo file yourself. Copy and adapt the snippet for all repositories and, to keep things clean, create a repo file for every Red Hat version (or CentOS, ...). The SSL certificates should be the same as the ones from a working RHEL7 entry.

/etc/yum.repos.d/rhel6.repo

[rhel-6-server-rpms]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6369168190531272611.pem
baseurl = https://prhsv401.belgianrail.be/pulp/repos/YPTO/Library/Mirror/content/dist/rhel/server/6/6Server/$basearch/os
ui_repoid_vars = releasever basearch
sslverify = 1
name = Red Hat Enterprise Linux 6 Server (RPMs)
sslclientkey = /etc/pki/entitlement/6369168190531272611-key.pem
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

For simpleHTTP you can use these 2 neat tricks:

Run SimpleHTTP as a SystemD service

Enable SSL on SimpleHTTP


About

Koen Diels




I'm a freelance system and network engineer from Mechelen (BE) and I'm available for ad-hoc and long term projects.
