Tuesday, April 26, 2011

Do we really need to set partition type to fd(Linux auto raid) for Linux software RAID?

Almost all Linux RAID documents mandate that partition type must be fd(Linux auto raid)  before building Linux software RAID. Actually, this step is optional, it helps a little if your RAID device is /dev/md0 in Centos.
What is fd(Linux auto raid)?
As the name implies, it is for auto detection of  raid  when OS boots. If you have created /dev/md0 but didn't put it  in configuration file /etc/mdadm.conf, OS is able to detect the partitions and assemble /dev/md0.
But, this way of assembling RAID device only works for /dev/md0 in Centos by default.
It is because Centos only enable raidautorun for /dev/md0 by default. Any other md will be assembled by reading /etc/mdadm.conf
[Centos 5 ] $grep -A 3 raidautorun  /etc/rc.sysinit 
[ -x /sbin/nash ] && echo "raidautorun /dev/md0" | nash --quiet
if [ -f /etc/mdadm.conf ]; then
/sbin/mdadm -A -s
fi
#The auto detecting behavior is logged in kernel buffer
$ dmesg | grep -i auto
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
fd VS  RAID superblock
Don't confuse fd with RAID superblock,  fd is an optional flag recognized by  nash raidautorun command. But RAID superblock is, in every RAID device member, an essential piece of information, which contains RAID level, state and parent  MD device UUID (man 4 md).
#Examine superblock on logical device will encounter an error
#It is expected because superblock only exist in RAID member device
 $ mdadm --examine /dev/md0
mdadm: No md superblock detected on /dev/md0.

#Examine  superblock on RAID member
$ mdadm --examine /dev/sdb2
/dev/sdb2:
          Magic : a92b4efc
        Version : 0.90.00
           UUID : a31e6699:4360a3b7:38c544fa:f4e6faa9
  Creation Time : Wed Apr 27 11:19:34 2011
     Raid Level : raid1
  Used Dev Size : 104320 (101.89 MiB 106.82 MB)
     Array Size : 104320 (101.89 MiB 106.82 MB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 0

    Update Time : Wed Apr 27 12:51:58 2011
          State : clean
Internal Bitmap : present
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0
       Checksum : 58c72673 - correct
         Events : 20

#Scan  partitions superblock to find existing raid device.
$ mdadm --examine --brief --scan --config=partitions
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=da55e1e2:c781a461:73d6dfa6:8c7cf6d6
##The above output can be saved to /etc/mdadm.conf; then mdadm -A -s will activate the RAID device.
##DEVICE member list is optional, because default is “DEVICE partitions”.
Conclusion
Partition type FD is a way of assembling raid used by nash raidautorun command and it only works for /dev/md0 in Centos by default.
If you use /etc/mdadm.conf  to assemble RAID, the FD flag is optional.  But setting this flag can help you to recognize RAID members from “fdisk -l”.

Thursday, April 21, 2011

Setup Postfix SMTP password authentication with SASL

Simple Authentication and Security Layer(SASL) is a framework for authentication and data security in Internet protocols.
Postfix can relay the SASL framework to provide SMTP password authentication.
SMTP password authentication is suitable for roaming users who are outside of trusted network. They are still allowed to send email without relaxing SMTP restrictions , which could introduce spam emails. 
Postfix version 2.3 onwards  supports two SASL implementations(This post will discuss cryus)
[Centos 5.5 ] $ postconf -a
cyrus
dovecot 
SASL Mechanisms
- SASL mechanisms: DIGEST-MD5 CRAM-MD5 use encrypted password , but they are only supported in saslauthd mechanism:sasldb,sql,ldapdb
cyrus-sasl-md5 package provides library for DIGEST-MD5 CRAM-MD5
- SASL mechanisms: PLAIN LOGIN use clear  text password,  it is supported saslauthd mechanism: pam, but the clear text can be protected by TLS
cyrus-sasl-plain package provides library for  PLAIN LOGIN
NOTE:
  - This post only discuss SASL    PLAIN LOGIN    in saslauthd    PAM
  - make sure  you already have a basic working Postfix before continue next steps
1. Install and configure  saslauthd
$rpm -qa | grep sas
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3                
cyrus-sasl-lib-2.1.22-5.el5_4.3
#saslauthd should be configured to use pam mechanism 
$ grep MECH /etc/sysconfig/saslauthd
MECH=pam
#start /etc/init.dd/saslauthd and test it
#smtp is service name /etc/pam.d/smtp
$testsaslauthd -u guest01 -p Pass001  -s smtp
0: OK "Success."
2. Enable SASL in postfix
$cat /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_security_options = noanonymous
smtpd_recipient_restrictions =   permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
3.Restart postfix and test the authentication
#First test:  telnet to check if   PLAIN LOGIN   is shown
$(echo "ehlo localhost"; sleep 2; echo "quit") | telnet localhost 25
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
## you can limit  mechanism  type 
$cat /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
#Second test: test username and password by converting them to base64
$ printf  "\0guest01\0Pass001" |openssl base64
AGd1ZXN0MDEAUGFzczAwMQ==
$ (echo "AUTH PLAIN AGd1ZXN0MDEAUGFzczAwMQ=="; sleep 2 )| telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
235 2.0.0 Authentication successful
Connection closed by foreign host.
4. Enable TLS (Optional) to protect clear text password in PLAIN LOGIN
$cat /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_CAfile =  /etc/postfix/certs/ca.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix.key
smtpd_tls_loglevel = 1

Friday, April 15, 2011

Passed 1/5 RHCA: EX442 System Monitoring and Performance Tuning

I passed the first exam,EX442 System Monitoring and Performance Tuning,in my road to RHCA (Red Hat Certified Architect) today.
Here are some tips I can share, I think, without violating confidential agreement.
Document Source.
EX442 is very heavy on theory, you simply can't remember every bit ( and  its different unit: kb,byte,sector, block, bit,million secs, secs). The key is to  get them in the system documents without Googling.
#Man pages e.g
man 5 proc
#man pages keyword search
$ man -k semget
semget               (2)  - get a semaphore set identifier
semget               (3p)  - get set of XSI semaphores
#man pages full text search
$man -w -K SEMMNI
/usr/share/man/man5/proc.5.gz
/usr/share/man/man2/semget.2.gz
#/usr/share/doc, full text search
$yum install kernel-doc
$grep -ri isolcpus /usr/share/doc/kernel-doc*/Documentation/.* 
/usr/share/doc/kernel-doc-2.6.18/Documentation/kernel-parameters.txt:   isolcpus=       [KNL,SMP] Isolate CPUs from the general scheduler.
#Other documentations in html/pdf/info/ps format
$rpm -ql valgrind | grep /usr/share
..
/usr/share/doc/valgrind-3.5.0/html/index.html
..
$elinks /usr/share/doc/valgrind-3.5.0/html/index.html
Make the change persistent
#always put the change in configuration file first, then run the command to activate the change 
- Startup service: chkconfig svc-name on; service svc-name start
- User auto start script: edit /etc/rc.local;  execute “/etc/rc.local”
- Kernel Parameter: edit /etc/sysctl.conf; execute “sysctl -p
- File system: edit /etc/fstab ; mount -a
- Kernel modules: edit /etc/sysconfig/modules/XXX.modules;   execute  “/etc/sysconfig/modules/XXX.modules”
Calculator:
#You got to know how to use bc.
#Always start with bc with “-l” option to support floating  point.
#e.g 1Gibit=131072KiByte
$ bc -l
1*2^30/1024/8
131072.00000000000000000000
#if there are too many to be added up, you got to use awk
#e.g  sum and average value calculated from 1 to 1000
$ echo {1..1000} | sed "s/ /\n/g" | awk ' {x=$1+x} END {print $1,x,x/NR } '
1000 500500 500.5
#convert  hexadecimal  value  to decimal  
#the hex letter must be in upper case
$echo -e " obase=10 \n ibase=16 \n 0F0" | bc -l
240
Time is essence, every minute counts, you got to master bash command line.
Check this: http://honglus.blogspot.com/2010/07/master-bash-command-line.html
lastly, the Exam day
 - take your RHCE number with you
 - there are a couple of tricky questions, I finished all, I thought I could get 90, but I only got 80. I don't know what went wrong.
 - Unlike RHCE exam, which has 2 sessions with a break for lunch, the EX442  only has 1 morning  session  last for 4 hours
 - Exam result will be emailed in 2 business days, but I got mine in 2 hours.


My Blog posts for EX442 study notes
Load kernel modules at boot time on Redhat/Centos Linux.
Tune Interrupt and Process CPU affinity
Understanding Linux CPU scheduling priority
Setup SNMP V3 USM with encryption.

Sunday, April 10, 2011

Load kernel modules at boot time on Redhat/Centos Linux.

In Centos 5, /etc/rc.d/rc.sysinit looking for two locations to load modules
# Load other user-defined modules
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
# Load modules (for backward compatibility with VARs)
if [ -f /etc/rc.modules ]; then
/etc/rc.modules
fi
As you can see, you can put load module commands in /etc/sysconfig/modules/*.modules  or /etc/rc.modules.
Putting in /etc/rc.local might not work, because rc.local is executed very late.
#e.g loading dummy network module "dummy"
echo "modprobe dummy" >/etc/sysconfig/modules/my.modules
chmod +x /etc/sysconfig/modules/my.modules
Understanding /etc/modprobe.conf
/etc/modprobe.conf is the configration file for modprobe command, it DOESN'T  load module itself.
#Increase dummy interfaces to 3 when "modprobe dummy" is called
#it is equivalent to specify the option in command line  "modprobe dummy numdummies=3"
$cat /etc/modprobe.conf
options dummy numdummies=3
##"install" command tells modprobe to run your command instead of inserting the module in the kernel as normal
##it can be used to disable particular module
##disable ipv6 module by changing normal install to a dummy command /bin/true
install ipv6 /bin/true
###NODE: If modprobe is invoked with "--ignore-install" option, the customized install command will be ignored

Saturday, April 2, 2011

Authenticate BIND zone transfer with TSIG key

TSIG (Transaction SIGnature) can provide authentication and data integrity for DNS zone transfer and Dynamic DNS (DDNS ) update, but  it CAN'T provide encryption, the data still sent in clear text , just integrity checks detects data modification by middle-man.
The common practice to restrict  BIND zone transfer is IP access-list, since IP can be easily forged, authenticating  zone transfer  by shared secret: TSIG key is more secure than IP method. Unfortunately, BIND, as of 9.3.6, can't support  combination of both methods, only TSIG key  is effective when both methods applied.
Generating TSIG key:
TSIG key is encoded in BASE64, any BASE64  tool can create TSIG key.
# [1] BIND dns-keygen utility
$ dns-keygen
5TyOwB1gbs4wpYKDeGKHvA5sfBPR6L4ItQpavUXGSaTnD9xMdlb5hciBlEvV
# [2] openssl base64 encoding tool
$echo $(date) | openssl base64
U2F0IEFwciAyIDE1OjU5OjQwIEVTVCAyMDExCg==
# [3]  BIND dnssec-keygen utility, it is mainly used for secure DNS, so generating TSIG key a bit complex, but you can define key s
$dnssec-keygen -a HMAC-MD5 -b 256 -n HOST transfer
Ktransfer.+157+39609
$ cat Ktransfer.+157+39609.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: BMSri735ohiGYK4qT1Ursh7se8vnx2ltjajRGsJ6x/w=
Configure named.conf
Generate TSIG key with the method of your choice, then paste the key string to a file, which is NOT world-wide readable, then embedding  the key file to named.conf

##Master DNS Server
##Key name is arbitrary, but must be same in both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
algorithm       hmac-md5;
secret          "1B+FL8t42RXx+mELfUYkEg==";
};
$cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
$cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
type master;
file "myexample.zone";
allow-transfer { keys “HOST1-HOST2” ;};   // Can't restrict IP and  use key at the same time
};
## Slave DNS Server
##Key name is arbitrary, but must be same in both peers
$ cat /var/named/chroot/etc/transfer.key
key "HOST1-HOST2" {
algorithm       hmac-md5;
secret          "1B+FL8t42RXx+mELfUYkEg==";
};
$ cat /var/named/chroot/etc/named.conf
include "/etc/transfer.key";
server 172.16.1.1  { keys "HOST1-HOST2" ;};  // Tell Master DNS server 172.16.1.1 to use the TSIG  key
$cat /var/named/chroot/etc/named-my.zones
zone "myexample.com" IN {
type slave;
masters { 172.16.1.1 ;};
file "slaves/myexample.zone";
};

TSIG Limitations:- difficult to manage TSIG keys in large scale
- only provides security to next-hop peer
- don't provide data encryption
- BIND,as of 9.3.6, can't provide additional level security such as IP access-list on top of  TSIG key