Why?



Thursday, August 20, 2015

Centos 7 and Asterisk using fail2ban




I punched holes in my firewall for SIP and RTP so I could get to my Asterisk server off net on my softphone. I quickly noticed I was getting attacked. Although I am using very cryptic passwords for my extensions, best practice is not to let this go on, and I have limited bandwidth at my house with COX home service 50/5.

At the time of this post I am behind a Linksys EA5400 router. I have a new pfSense I built the other day on a fanless mini ITX platform, but I want to play with it more before I move it in front of my COX MTA. Yes, I have COX home as well :)

Replacing the router will not affect my network or Asterisk setup, as I will use the same IPs as the Linksys when I replace it, and yes, add the port forward rules for SIP and RTP.

Install iptables

# systemctl stop firewalld
# systemctl mask firewalld
# yum -y install iptables-services
# systemctl enable iptables

Edit the /etc/sysconfig/iptables file. Below is mine. Very basic: allow web, ssh, SIP and RTP (plus loopback and already established traffic) and reject everything else.

# vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Without this final rule the ACCEPT rules above change nothing: the INPUT
# chain policy is ACCEPT, so anything not matched would be allowed anyway.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Start iptables with:

# systemctl restart iptables

Make sure it is running with:

# systemctl status iptables

Check your rules with:

# iptables -L

Install fail2ban

Make sure you have the epel for Centos 7 installed for use in yum. As user root:

# yum -y install fail2ban

Set up the conf file. Don't edit jail.conf; put your settings in jail.local instead.
 
# vi /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 21600
maxretry = 3
backend = auto
 
[asterisk-iptables]
# if more than 4 attempts are made within 6 hours, ban for 24 hours
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
              sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/asterisk/messages
maxretry = 4
findtime = 21600
bantime = 86400
 
Make sure your logpath is correct under the [asterisk-iptables] context above. If it is wrong, fail2ban cannot read the log and will never ban anyone.
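To see what the jail above actually does with maxretry, findtime and bantime, here is an added Python example (not from the post and not fail2ban's own code) that replays constructed Asterisk chan_sip log lines through the same sliding-window rule. The log line format and the simplified filter regex are assumptions; the source addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail values from the [asterisk-iptables] stanza above.
MAXRETRY = 4
FINDTIME = 21600   # seconds (6 hours)
BANTIME = 86400    # seconds (24 hours)

# Simplified stand-in for the failregex in fail2ban's stock asterisk filter;
# it only covers chan_sip "Registration from ... failed for" lines.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.*)$"
)

# Constructed log lines in the Asterisk 13 chan_sip NOTICE format (assumed
# format, not copied from the post). 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges standing in for the scanning sources.
SAMPLE_LOG = """\
[2015-08-20 10:00:00] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (14ms / 2000ms)
[2015-08-20 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '203.0.113.5:5060' - Wrong password
[2015-08-20 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.168.10.100>' failed for '203.0.113.5:5060' - No matching peer found
[2015-08-20 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.168.10.100>' failed for '203.0.113.5:5060' - No matching peer found
[2015-08-20 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@192.168.10.100>' failed for '203.0.113.5:5060' - No matching peer found
[2015-08-20 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '198.51.100.7:5060' - Wrong password
[2015-08-20 10:00:06] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@192.168.10.100>' failed for '203.0.113.5:5060' - No matching peer found
[2015-08-20 17:00:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '198.51.100.7:5060' - Wrong password
[2015-08-20 17:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '198.51.100.7:5060' - Wrong password
[2015-08-20 17:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '198.51.100.7:5060' - Wrong password
[2015-08-20 17:00:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.168.10.100>' failed for '192.0.2.9:5060' - Wrong password
"""


def parse_failure(line):
    """Return (timestamp, source_ip, reason) for a failed registration, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through fail2ban-style counting.

    Returns {ip: (ban_start, ban_end)} for every source whose failures reached
    maxretry inside a sliding findtime window. Lines that do not match the
    filter are ignored, as are lines from a source while its ban is active.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _reason = parsed
        if ip in bans and ts < bans[ip][1]:
            continue                     # already banned: the firewall drops these
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()               # forget failures older than findtime
        if len(hits) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            hits.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} from {start} until {end}")
```

In the sample, 198.51.100.7 also fails four times, but its first attempt is more than six hours before the others, so it stays under maxretry inside findtime and is not banned; lower maxretry to 3 and it is.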

Enable fail2ban and start service:

# systemctl enable fail2ban
# systemctl start fail2ban
# systemctl status fail2ban

The log file is /var/log/fail2ban.log.

Enjoy!

Tuesday, August 18, 2015

Asterisk behind NAT - on home network with dynamic IP


Here is what I did to get my Asterisk 100% functional behind NAT in my home network, without static IP.

First a little background. I am running Asterisk 13.4.0 on Centos 7. It uses 192.168.10.100 behind a Cisco/Linksys EA5400 router. Internet is provided by COX communications with 50 down and 5 up. This is a residential COX account so I do not get a static IP. My Asterisk is using a SIP Trunk to Vitelity. I have a few phones attached to my Asterisk, but for this wiki I will use the Yealink T19 I have and set it up as extension 100, IP 192.168.10.2, for simplicity. I have the latest firmware on this Yealink as of 8/18/2015, version 31.72.0.75. My DID I got from Vitelity is 480-555-2222 (that's fake, but you get it).

From your PC go to http://checkip.amazonaws.com/ and get your external IP. You will need this IP later.

In my EA5400 router I did a few port forwards to my Asterisk server. They are:

SIP 5060 - 5062 UDP
RTP 10000 - 20000 UDP

Make sure the RTP range matches up with your Asterisk server. You can see this in rtp.conf. I also rebooted my router after this port forwarding was added.


Setup Asterisk with the Vitelity SIP Trunk. In sip.conf I made the following entry:

[general]
register => myaccount:mypassword@inbound32.vitelity.net:5060
alwaysauthreject=yes 
nat=yes
externip=x.x.x.x                                       ;Your real external IP goes here
localnet=192.168.10.0/255.255.255.0     ;Your real local net goes here with /subnet_mask
transport=udp
context=internal                                      ; Default context for incoming calls. Defaults to 'default'

[vitel-outbound]
type=friend
dtmfmode=auto
host=outbound.vitelity.net
username=myaccount
fromuser=myaccount
secret=mypassword
trustrpid=yes
sendrpid=yes
allow=all
canreinvite=no
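As an added example (not from the original post), the following Python reads the [general] values above in the value-then-;comment layout the post uses, and shows the decision that nat=yes, externip and localnet drive: which address a peer gets told to talk to. The externip value 203.0.113.10 is a constructed placeholder; parse_section and advertised_address are names chosen here.

```python
import ipaddress
import re

# Constructed sip.conf fragment in the value-then-;comment layout the post
# uses. 203.0.113.10 is a documentation-range placeholder for the real
# external IP; the account name and password are the post's own placeholders.
SAMPLE_GENERAL = """\
[general]
register => myaccount:mypassword@inbound32.vitelity.net:5060
alwaysauthreject=yes
nat=yes
externip=203.0.113.10                                  ;Your real external IP goes here
localnet=192.168.10.0/255.255.255.0     ;Your real local net goes here with /subnet_mask
transport=udp
context=internal                                      ; Default context for incoming calls

[vitel-outbound]
type=friend
host=outbound.vitelity.net
"""


def parse_section(text, wanted="general"):
    """Return {key: value} for one [section] of a sip.conf-style file.

    Trailing ;comments and surrounding whitespace are dropped, and both the
    "key=value" and "key => value" spellings are accepted.
    """
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current != wanted:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.lstrip(">").strip()
    return values


def advertised_address(cfg, local_ip, peer_ip):
    """Address Asterisk advertises (Contact/SDP) to a given peer.

    With nat=yes, a peer inside localnet is handed the LAN address and every
    other peer is handed externip. Getting localnet wrong is the classic cause
    of one-way audio: an outside phone is told to send RTP to 192.168.x.x.
    """
    local_net = ipaddress.ip_network(cfg["localnet"], strict=False)
    if ipaddress.ip_address(peer_ip) in local_net:
        return local_ip
    return cfg["externip"]


if __name__ == "__main__":
    general = parse_section(SAMPLE_GENERAL)
    for peer in ("192.168.10.2", "198.51.100.7"):
        print(peer, "->", advertised_address(general, "192.168.10.100", peer))
```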

Do a sip reload from the Asterisk console and then check things:

CLI> sip reload
CLI> sip show peers
vitel-outbound/myaccount   64.2.142.17                       Yes        Yes            5060     Unmonitored
CLI> sip show registry
inbound32.vitelity.net:5060     N      myaccount      45 Registered           Tue, 18 Aug 2015 14:40:39

As you can see we have both inbound and outbound set for Vitelity now.

For the phone setup for extension 100 I added the following in sip.conf:

[100]
type=friend
callerid=100
secret=myphoneregverysecretpassword
context=internal
host=dynamic
allow=all
dtmfmode=rfc2833
canreinvite=no


In the extensions.conf file I made the following entries:

[internal]
;used for the in-bound DID to go to extension 100. If no answer then go to voicemail.
;after voicemail I play the goodbye message and then hang up
exten => 4805552222,1,Dial(SIP/100,20)
exten => 4805552222,n,VoiceMail(100@internal,u)
exten => 4805552222,n,Playback(vm-goodbye)
exten => 4805552222,n,Hangup

;used for extension to extension dialing
exten => 100,1,Dial(SIP/100,15)
exten => 100,n,VoiceMail(100@internal,u)
exten => 100,n,Playback(vm-goodbye)
exten => 100,n,Hangup
; used to dial outside line through our vitelity SIP Trunk
exten => _1NXXNXXXXXX,1,Dial(SIP/${EXTEN}@vitel-outbound)


Do a "core reload" from the asterisk console and you should be operational at this point for both in-bound/out-bound calls and have two way audio on your extension 100.

Now let's cover what happens when your external IP changes, as it will if you don't have a static IP, and how you get an external client registered (like your softphone when you're outside your LAN). We fix these issues with a free service from duckdns.org and a couple of scripts that run in cron every 5 minutes.

Since we don't have a static IP we can't use an IP address for off net client registrations. We need to use a FQDN and make sure it resolves to whatever IP COX has given us for that day/week/month.

Go to http://www.duckdns.org and sign up. It's free and takes like 5 seconds. From there you can choose a name for your domain. Let's say you choose myhomeasterisk; then your FQDN will be myhomeasterisk.duckdns.org. After you have done this, click install at the top of their page, choose Linux cron, then select the domain you just created. You now get the script to run and all the instructions for getting it to run in cron. I won't redo the instructions here. They are really simple though.

With the duckdns solution in place we can now set our off net clients to register to our new domain we got with duckdns. If COX changes the IP on us then it will be updated within 5 minutes for us. Cox normally sets a lease time for a week, and then it is in the evening, so you should really never have a problem with this.

One last thing though. If COX changes the IP on us, and they will :), then we also need to update the Asterisk server's sip.conf with our new external IP. I searched the web and found a script for this. Just a few mods to make it work for default Asterisk installs and it works like a charm.

In your /etc/asterisk directory create a file named updateexternalip.sh with the contents of:

#!/bin/bash
# Compare the externip= value in sip.conf with the address the outside world
# sees, and rewrite it (then reload Asterisk) when the two differ.

ip_url="http://checkip.amazonaws.com/"
sip_conf="/etc/asterisk/sip.conf"

# Current externip from sip.conf: drop ;comments and blank lines, then
# everything up to the "=", and finally any stray whitespace around the value.
oldip=$(grep '^externip' "$sip_conf" | sed 's/;.*//' | grep -v '^$' | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]')
# Address seen from the outside.
ip=$(curl -s "$ip_url" | head -n 1)

echo "$oldip"
echo "$ip"

# Never write an empty value into sip.conf if the lookup failed.
if [ -z "$ip" ]; then
        echo "Could not determine external IP" >&2
        exit 1
fi

if [ "$oldip" != "$ip" ]
then
        echo "Updating IP"
        sed -i "s/^externip=$oldip/externip=$ip/" "$sip_conf"
        asterisk -r -x "core reload"
fi


Set this file as executable with:

# chmod +x /etc/asterisk/updateexternalip.sh

Run this file for a test with:

# /etc/asterisk/updateexternalip.sh

It should echo your externip from sip.conf and also show you what your real external IP is. If these are different it will update your sip.conf file and reload asterisk for you.

To get this to run automatically every 5 minutes just add it to your crontab file. The line to insert for this would be:

*/5 * * * * /etc/asterisk/updateexternalip.sh >/dev/null 2>&1

That's it. Enjoy !

Friday, July 24, 2015

Centos 7 Install phpMyAdmin


My base install has selinux=disabled, iptables off, the eth0 interface set up for static, ntp working, httpd installed, MariaDB (MySQL) installed, and PHP installed. All of those things have been verified as working 100%. I have how-tos for all those things in this blog.

login as root

Add the repository that is for your OS. Do this in your home directory; if root then it should be /root.

# yum -y localinstall --nogpgcheck https://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Install phpMyAdmin

# yum -y install phpMyAdmin

By default phpMyAdmin only allows access from localhost. If you want to make it accessible from remote computers, edit

# vi /etc/httpd/conf.d/phpMyAdmin.conf

and update all Require ip 127.0.0.1 and Allow from 127.0.0.1 with your network like below or enable phpMyAdmin access for everyone.

Example:

<Directory /usr/share/phpMyAdmin/>
    <IfModule !mod_authz_core.c>
     Order Deny,Allow
     Deny from All
     Allow from 192.168.1.0/24
     Allow from ::1
   </IfModule>
</Directory>


Now restart httpd

# systemctl restart httpd.service

Now login into your phpMyAdmin console with your web browser with:

http://my_ip_address/phpMyAdmin

Of course that means use the IP address of the server you just installed phpMyAdmin on.

When I setup MySQL I allowed root login and gave it a password. You must use a MySQL account with a password when accessing your MySQL through phpMyAdmin.

If you're still getting denied:

You need to follow these steps:

Find the lines that read as follows

Require ip 127.0.0.1

Replace with your workstation IP address:

Again find the following lines:

Allow from 127.0.0.1

Replace as follows:

Allow from 10.1.3.53

Also find every "Deny from All" line and comment it out throughout the file.
Save and close the file, then restart the Apache httpd server.

Thanks!

Centos 7 LAMP install


Install Apache

# yum -y install httpd
# systemctl enable httpd.service
# systemctl start httpd.service
# systemctl status httpd.service


Make sure it works with:

http://your_server_IP_address/

Install MySQL (MariaDB)

# yum -y install mariadb-server mariadb
# systemctl enable mariadb
# systemctl start mariadb
# systemctl status mariadb


Run the secure install for MySQL and answer the questions

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!


Install PHP

# yum -y install php php-mysql
# systemctl restart httpd.service


Test PHP Processing

# vi /var/www/html/info.php

add the following to the file

<?php phpinfo(); ?>

Navigate to your new file in a web browser

http://your_server_IP_address/info.php

You should see the purple and grey PHP version and info page.

Enjoy!



Thursday, July 23, 2015

Centos 7 Show Startup Messages and change Console Screen Resolution


# vi /etc/default/grub

Change the line below by removing rhgb quiet from the end

#GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto"


Also add the following lines to end of file to change to 1024x768

GRUB_CMDLINE_LINUX_DEFAULT="video=1024x768"
GRUB_GFXMODE=1024x768
GRUB_GFXPAYLOAD_LINUX=keep


Now update /boot/grub2/grub.cfg for next boot

# grub2-mkconfig -o /boot/grub2/grub.cfg

# grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

Saturday, June 6, 2015

Centos 7 Samba Setup on


I did this in Centos 7 with kernel 4.0.4

Since I am behind a firewall in my local LAN I have disabled SELinux and turned the firewall off. I am also fully up to date on packages as of 4/1/2015.

Get your system ready.

Turn off firewall and iptables if they are on.

# systemctl disable firewalld.service
# systemctl stop firewalld.service
# systemctl disable iptables.service
# systemctl stop iptables.service


Disable selinux if it is enforced.

# vi /etc/sysconfig/selinux
    SELINUX=disabled


reboot if you have changed these

# reboot

NOTE** I fought with this for a day so beware! I am on Centos 6.6 and have the epel repo active in my repo list. When I used yum for the install of samba, I think it got it from there. All worked well using \\ip_addr_of_samba_server\ but I could never get my samba server to show up in the Windows network browser. I discovered nmb was NOT running on the samba server. Not good if you want Windows to discover it automatically. So I completely removed samba using "yum -y remove samba*" (notice the * at the end of samba, and leave out the quotes). I then removed the epel repo with "rpm -e your-epel-package-name-here". Now you can install samba with the steps below and have it work 100%.

Install samba

# yum -y install samba*

Create user and set password for samba share use

# useradd samba -s /sbin/nologin
# smbpasswd -a samba
            Supply a password
            Retype the password

mkdir for the shared files and set permissions

# mkdir /share
# chown -R samba:root /share/

Now config samba for the share and share user

# vi /etc/samba/smb.conf

Add/edit this under the [global] section

[global]
; use the name of your Windows workgroup here (smb.conf comments must be on
; their own line; text after the value would become part of the value)
workgroup = WORKGROUP
server string = Samba Server Version %v
netbios name = SAMBA

Add this to botton of /etc/samba/smb.conf file

[share]
comment = Share
path = /share
writable = yes
valid users = samba

Now start samba and make sure it is on after boot

# service smb start
# chkconfig smb on
# service nmb start
# chkconfig nmb on

Now test your setup with

# testparm

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[share]
comment = Share
path = /share
valid users = samba
read only = No


NOTE** make sure your workgroup =  is the actual name of your Windows workgroup, smb service is running, and nmb service is running, or you won’t see your samba server when windows machines browse the network.

NOTE: ** when accessing your samba server from windows 8.1 there is a problem with accessing the same server with two sets of credentials. Meaning if you login to a samba share as one user you will not be able to login to another share as another user. If you need to change users you can relogin into Windows OS (not cool) or use:

C:\> net use * /DELETE

Say yes to remove the connection(s) you already have, thus saving a reboot :) 

Thanks to:

http://www.if-not-true-then-false.com/2010/yum-remove-repo-repository-yum-disable-repo-repository/

http://www.krizna.com/centos/installing-configuring-samba-centos-6/

The end!

Centos 7 Systemd

This was taken from

http://www.tejasbarot.com/2014/07/22/rhel-7-centos-7-how-to-get-started-with-systemd/#axzz3cIJAIqNe

 

Presentation


As the Systemd now replaces SysVinit, it is time to get familiar with it and learn new commands.
Systemd is quicker because it uses fewer scripts and tries to run more tasks in parallel (Systemd calls them units).

The Systemd configuration is stored in the /etc/systemd directory.

 

Boot process


Systemd's primary task is to manage the boot process and provide information about it.
To get the boot process duration, type:

# systemd-analyze
Startup finished in 422ms (kernel) + 2.722s (initrd) + 9.674s (userspace) = 12.820s

To get the time spent by each task during the boot process, type:
 
# systemd-analyze blame
7.029s network.service
2.241s plymouth-start.service
1.293s kdump.service
1.156s plymouth-quit-wait.service
1.048s firewalld.service
632ms postfix.service
621ms tuned.service
460ms iprupdate.service
446ms iprinit.service
344ms accounts-daemon.service
...
7ms systemd-update-utmp-runlevel.service
5ms systemd-random-seed.service
5ms sys-kernel-config.mount

Note: You will find additional information on this point in Lennart Poettering's blog.

 

Journal analysis


In addition, Systemd handles the system event log; a syslog daemon is no longer mandatory.

To get the content of the Systemd journal, type:
 
# journalctl

To get all the events related to the crond process in the journal, type:
 
# journalctl /sbin/crond

Note: You can replace /sbin/crond by `which crond`.

To get all the events since the last boot, type:
 
# journalctl -b

To get all the events that appeared today in the journal, type:
 
# journalctl --since=today

To get all the events with a syslog priority of err, type:
 
# journalctl -p err

To get the 10 last events and wait for any new one (like "tail -f /var/log/messages"), type:
 
# journalctl -f

Note: You will find additional information on this point in Lennart Poettering's blog or Lennart Poettering's video (44min: the first ten minutes are very interesting concerning security issues).

 

Control groups


Systemd organizes tasks in control groups. For example, all the processes started by an apache webserver will be in the same control group, CGI scripts included.

To get the full hierarchy of control groups, type:
 
# systemd-cgls
├─user.slice
│ └─user-1000.slice
│   └─session-1.scope
│     ├─2889 gdm-session-worker [pam/gdm-password]
│     ├─2899 /usr/bin/gnome-keyring-daemon --daemonize --login
│     ├─2901 gnome-session --session gnome-classic
...
└─iprupdate.service
  └─785 /sbin/iprupdate --daemon

To get the list of control groups ordered by CPU, memory and disk I/O load, type:
 
# systemd-cgtop
Path                                Tasks   %CPU   Memory  Input/s  Output/s
/                                     213    3.9   829.7M        -         -
/system.slice                           1      -        -        -         -
/system.slice/ModemManager.service      1      -        -        -         -

To kill all the processes associated with an apache server (CGI scripts included), type:
 
# systemctl kill httpd

To put resource limits on a service (here 500 CPUShares), type:
 
# systemctl set-property httpd.service CPUShares=500

Note1: The change is written into the service unit file. Use the --runtime option to avoid this behavior.

Note2: By default, each service owns 1024 CPUShares. Nothing prevents you from giving a value smaller or bigger.

To get the current CPUShares service value, type:
 
# systemctl show -p CPUShares httpd.service

 

Service management


Systemd deals with all the aspects of the service management. The systemctl command replaces the chkconfig and the service commands. The old commands are now a link to the systemctl command.

To activate the NTP service at boot, type:
 
# systemctl enable ntpd

Note1: You should specify ntpd.service but by default the .service suffix will be added.

Note2: If you specify a path, the .mount suffix will be added.

Note3: If you mention a device, the .device suffix will be added.

To deactivate it, start it, stop it, restart it, reload it, type:
 
# systemctl disable ntpd
# systemctl start ntpd
# systemctl stop ntpd
# systemctl restart ntpd
# systemctl reload ntpd

To know if the NTP service is activated at boot, type:
 
# systemctl is-enabled ntpd
enabled

To know if the NTP service is running, type:
 
# systemctl is-active ntpd
inactive

To get the status of the NTP service, type:
 
# systemctl status ntpd
ntpd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

If you change a service configuration, you will need to reload it:
 
# systemctl daemon-reload

To get the list of all the units (services, mount points, devices) with their status and description, type:
 
# systemctl

To get a more readable list, type:
 
# systemctl list-unit-files

To get the list of services that failed at boot, type:
 
# systemctl --failed

To get the status of a process (here httpd) on a remote server (here rhel7.example.com), type:
 
# systemctl -H root@rhel7.example.com status httpd.service

 

Run levels


Systemd also deals with run levels. As everything is represented by files in Systemd, target files replace run levels.

To move to single user mode, type:
 
# systemctl rescue

To move to run level 3 (equivalent to the old SysVinit level 3), type:
 
# systemctl isolate runlevel3.target

Or:
 
# systemctl isolate multi-user.target

To move to the graphical level (equivalent to the previous level 5), type:
 
# systemctl isolate graphical.target

To set the default run level to non-graphical mode, type:
 
# systemctl set-default multi-user.target

To set the default run level to graphical mode, type:
 
# systemctl set-default graphical.target

To get the current default run level, type:
 
# systemctl get-default
graphical.target

To stop a server, type:
 
# systemctl poweroff

Note: You can still use the poweroff command, a link to the systemctl command has been created (the same thing is true for the halt and reboot commands).

To reboot a server, suspend it or put it into hibernation, type:
 
# systemctl reboot
# systemctl suspend
# systemctl hibernate

 

Linux standardization


Systemd's authors have decided to help Linux standardization among distributions. Through Systemd, the location of some configuration files changes.

 

Miscellaneous


To get the server hostnames, type:
 
# hostnamectl
Static hostname: rhel7.example.com
Icon name: computer-laptop
Chassis: laptop
Machine ID: bcdc71f1943f4d859aa37e54a422938d
Boot ID: f84556924b4e4bbf9c4a82fef4ac26d0
Operating System: Red Hat Enterprise Linux Everything 7.0 (Maipo)
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.0:beta:everything
Kernel: Linux 3.10.0-54.0.1.el7.x86_64
Architecture: x86_64

Note: There are three kinds of hostnames: static, pretty, and transient.
“The static host name is the traditional hostname, which can be chosen by the user, and is stored in the /etc/hostname file. The “transient” hostname is a dynamic host name maintained by the kernel. It is initialized to the static host name by default, whose value defaults to “localhost”. It can be changed by DHCP or mDNS at runtime. The pretty hostname is a free-form UTF8 host name for presentation to the user.” Source: RHEL 7 Networking Guide.

To assign the rhel7 hostname permanently to the server, type:
 
# hostnamectl set-hostname rhel7

Note: With this syntax all three hostnames (static, pretty, and transient) take the rhel7 value at the same time. However, it is possible to set the three hostnames separately by using the --pretty, --static, and --transient options.

To get the current locale, virtual console keymap and X11 layout, type:
 
# localectl
System Locale: LANG=en_US.UTF-8
VC Keymap: en_US
X11 Layout: en_US

To assign the en_GB.utf8 value to the locale, type:
 
# localectl set-locale LANG=en_GB.utf8

To assign the en_GB value to the virtual console keymap, type:
 
# localectl set-keymap en_GB

To assign the en_GB value to the X11 layout, type:
 
# localectl set-x11-keymap en_GB

To get the current date and time, type:
 
# timedatectl
Local time: Fri 2014-01-24 22:34:05 CET
Universal time: Fri 2014-01-24 21:34:05 UTC
RTC time: Fri 2014-01-24 21:34:05
Timezone: Europe/Madrid (CET, +0100)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: no
Last DST change: DST ended at
Sun 2013-10-27 02:59:59 CEST
Sun 2013-10-27 02:00:00 CET
Next DST change: DST begins (the clock jumps one hour forward) at
Sun 2014-03-30 01:59:59 CET
Sun 2014-03-30 03:00:00 CEST

To set the current date, type:
 
# timedatectl set-time YYYY-MM-DD

To set the current time, type:
 
# timedatectl set-time HH:MM:SS

To get the list of time zones, type:
 
# timedatectl list-timezones

To change the time zone to America/New_York, type:
 
# timedatectl set-timezone America/New_York

To get the list of users, type:
 
# loginctl list-users
UID USER
42 gdm
1000 tom
0 root

To get the list of all current user sessions, type:
 
# loginctl list-sessions
SESSION UID USER SEAT
1 1000 tom seat0

1 sessions listed.

To get the properties of the user tom, type:
 
# loginctl show-user tom
UID=1000
GID=1000
Name=tom
Timestamp=Fri 2014-01-24 21:53:43 CET
TimestampMonotonic=160754102
RuntimePath=/run/user/1000
Slice=user-1000.slice
Display=1
State=active
Sessions=1
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0

For a better understanding, you can additionally read Bob Cromwell’s blog about Systemd.

Thanks to Original Author for explaining it very nicely.

Source : http://www.certdepot.net/rhel7-get-started-systemd/

Monday, June 1, 2015

pfSense setting up bridge networks for use in KVM


My KVM host is Centos 6.6 with the kernel upgraded to 3.19.8. I have an on-board and an add-on PCIe 1GB NIC for use.

I use this setup to install pfSense as a KVM guest using the two physical NIC's in my KVM host.

My first interface eth0 is a Qualcomm® Atheros 1GB on-board NIC with HWADDR=74:d4:35:ea:90:1f and using IP addr of 192.168.10.100 and network of 192.168.10.0/24
This interface is behind a 1GB switch then to my router attached to the Internet.

My second interface eth1 is a TP Link 1GB add on card with HWADDR=30:B5:C2:02:77:2B and using IP addr of 192.168.100.100 and network of 192.168.100.0/24
This interface is plugged into a standalone 1GB switch and has no other connectivity or networks attached.

My object is to be able to build guest images in my KVM host that can use either, or both, interfaces.
I want to install a pfSense guest image using both interfaces, eth0 as WAN and eth1 as LAN.
Then I can build two more Centos guest images, one with just eth0 and the other with eth1, and use the pfSense image as the router between the two.

First I make sure network manager is off, and stays off on reboot.

# chkconfig NetworkManager off
# service NetworkManager stop


Verify your resolv.conf file. Should look something like

# vi /etc/resolv.conf
search whittenberg.domain
nameserver 192.168.10.1


Verify your networks file

# vi /etc/networks
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0


Verify your network file

# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nas.whittenberg.domain
GATEWAY=192.168.10.1
NETWORKING_IPV6=no


Set up your ifcfg-eth0 file. Notice I comment out the IP numbers and add BRIDGE=br0 at the bottom.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=74:d4:35:ea:90:1f
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
NETWORKING_IPV6=no
IPV6_AUTOCONF=no
#IPADDR=192.168.10.100
#NETMASK=255.255.255.0
#BROADCAST=192.168.10.255
#NETWORK=192.168.10.0
#GATEWAY=192.168.10.1
BRIDGE=br0


Set up your ifcfg-eth1 file. Notice I comment out the IP numbers and add BRIDGE=br1 at the bottom.

# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=30:B5:C2:02:77:2B
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
NETWORKING_IPV6=no
IPV6_AUTOCONF=no
#IPADDR=192.168.100.100
#NETMASK=255.255.255.0
#BROADCAST=192.168.100.255
#NETWORK=192.168.100.0
#GATEWAY=192.168.10.1
BRIDGE=br1


Build a new ifcfg-br0 file. Notice this has the IP numbers in it and not commented out, DEVICE=br0, and TYPE=Bridge (use upper-case B in Bridge or it will not work).

# vi /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
NETWORKING_IPV6=no
IPV6_AUTOCONF=no
STP=yes
DELAY=0
IPADDR=192.168.10.100
NETMASK=255.255.255.0
BROADCAST=192.168.10.255
NETWORK=192.168.10.0
GATEWAY=192.168.10.1


Build a new ifcfg-br1 file. Notice this has the IP numbers in it and not commented out, DEVICE=br1, and TYPE=Bridge (use upper-case B in Bridge or it will not work).
I also have my GATEWAY at 192.168.10.1 so I can route out on the KVM host from either interface.

# vi /etc/sysconfig/network-scripts/ifcfg-br1
DEVICE=br1
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
NETWORKING_IPV6=no
IPV6_AUTOCONF=no
STP=yes
DELAY=0
IPADDR=192.168.100.100
NETMASK=255.255.255.0
BROADCAST=192.168.100.255
NETWORK=192.168.100.0
GATEWAY=192.168.10.1


Now restart the network

# service network restart

Verify your setup

# ifconfig
br0       Link encap:Ethernet  HWaddr 74:D4:35:EA:90:1F
          inet addr:192.168.10.100  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::76d4:35ff:feea:901f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:742025 (724.6 KiB)  TX bytes:255958 (249.9 KiB)

br1       Link encap:Ethernet  HWaddr 30:B5:C2:02:77:2B
          inet addr:192.168.100.100  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::32b5:c2ff:fe02:772b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:535 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:291677 (284.8 KiB)  TX bytes:38805 (37.8 KiB)

eth0      Link encap:Ethernet  HWaddr 74:D4:35:EA:90:1F
          inet6 addr: fe80::76d4:35ff:feea:901f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10464 errors:0 dropped:34 overruns:0 frame:0
          TX packets:3595 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2023784 (1.9 MiB)  TX bytes:481595 (470.3 KiB)
          Interrupt:18

eth1      Link encap:Ethernet  HWaddr 30:B5:C2:02:77:2B
          inet6 addr: fe80::32b5:c2ff:fe02:772b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5202 errors:0 dropped:34 overruns:0 frame:0
          TX packets:2479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1166588 (1.1 MiB)  TX bytes:157098 (153.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2951 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2951 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:646709 (631.5 KiB)  TX bytes:646709 (631.5 KiB)

         

Verify the bridge

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.74d435ea901f       yes             eth0
br1             8000.30b5c202772b       yes             eth1
pan0            8000.000000000000       no



Check your routes

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         TEW-731BR       0.0.0.0         UG    0      0        0 br0
link-local      *               255.255.0.0     U     1011   0        0 br0
link-local      *               255.255.0.0     U     1012   0        0 br1
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
192.168.100.0   *               255.255.255.0   U     0      0        0 br1


Notice my default gateway. TEW-731BR is my router name on 192.168.10.1 IP addr.

Test that we have internet access by both FQDN and IP addr

# ping www.google.com
PING www.google.com (74.125.21.99) 56(84) bytes of data.
64 bytes from yv-in-f99.1e100.net (74.125.21.99): icmp_seq=1 ttl=42 time=90.1 ms


# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=24.4 ms

         
Now you should be able to use br0 and br1 in your KVM guest images.

I will setup br0 as my WAN interface in pfSense guest image and give it IP addr of 192.168.10.10 with a route out of 192.168.10.1

I will also setup br1 as my LAN interface in pfSense guest image and give it IP addr of 192.168.100.10

Now any other guest image I build using the br1 interface I can set that image for a route out on 192.168.100.10 and it will go through the pfSense router for all request off the 192.168.100.0/24 network.

Hope this helps!

Added 6/1/2015 18:18 AZ
Well it worked! I used the e1000 NIC adapter on both interfaces when I built my pfSense image. The max transfer speed I was able to get out of it was 50MBs across the router. I think this may be due to the fact that I am using the same zfs pool for the source and destination file. My pfSense image is on the zfs pool. My test Centos image I put on the 192.168.100.0 network is on the zfs pool. And the file I was retrieving is also on the zfs pool, but on the 192.168.10.0 network. I will try to get a share off the pool, and on my SSD, from the 192.168.10.0 network and try the transfer again. BTW CPU was at 45% during the transfer. I used all 4 cores for all images. This is shared with the host of course, which was serving up the file off the zfs pool on the 192.168.10.0 network. I may need another physical machine on the 192.168.10.0 network to get into the 100MBs (that's my goal).