The Red Hat blog has a good post on setting up multi-factor authentication (MFA) on RHEL using the google-authenticator package. Of the several articles on this that I read, this was the most thorough.
2022-02-17
2021-07-16
Podman and Shorewall
Bright Cluster Manager uses Shorewall to manage the various firewall rules on the head/management node. By default, this seems to prevent Podman and Docker from working right.
I am working through a simple example of running a pod with PostgreSQL and PGAdmin, but the connection to the host port that forwards to the pgadmin container seemed to be blocked. Connection attempts using both curl and web browsers would hang.
There is additional configuration that needs to be done for Shorewall to work with Podman. Shorewall has instructions on making it work with Docker, and it seems to work for podman with minor modifications.
First, modify the systemd service to not clear firewall rules on service stop. Do:
sudo systemctl edit shorewall.service
which gives a blank file. Add these contents:
[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
Then activate the changes with
sudo systemctl daemon-reload
Next, we need to know the name of the Podman network interface. Use “ip link list” to see it. On my RHEL 8 system, the interface is
10: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
And make the following modifications to the appropriate config files.
Enable Docker mode in /etc/shorewall/shorewall.conf:
DOCKER=Yes
Define a zone for Podman in /etc/shorewall/zones:
#ZONE TYPE OPTIONS
pod ipv4 # 'pod' is just an example -- call it anything you like
Define policies for this zone in /etc/shorewall/policy:
#SOURCE DEST POLICY LEVEL
pod $FW REJECT
pod all ACCEPT
And match the zone to the interface in /etc/shorewall/interfaces:
# Need to specify "?FORMAT 2"
?FORMAT 2
#ZONE INTERFACE OPTIONS
pod cni-podman0 bridge # Allow ICC (inter-container communication); bridge implies routeback=1
Then restart Shorewall, and start the pod (or restart it if it was already running).
You may need additional rules to allow an external host to connect into the pod. For example, take a pod containing a pgadmin container and a postgresql container, where the pgadmin container serves on port 80, and say your administrative hosts will be in the address block 10.0.10.0/23. Then add the following to /etc/shorewall/rules:
# Accept connections from admin hosts to the pgadmin container
# ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:10.0.10.0/23 pod tcp 80
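A quick way to confirm that the shorewall.conf, zones, policy and interfaces changes above all landed before restarting Shorewall. This is an added example, not code from the original post or from Shorewall; the function name, its argument order and the check.sh file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself: a
# read-only sanity check that a Shorewall tree contains the Podman settings
# described above. Arguments: config dir, zone name, bridge interface.
check_shorewall_podman() {
    dir=$1; zone=$2; iface=$3; rc=0
    # DOCKER=Yes must be set in shorewall.conf (commented lines do not count)
    if ! grep -Eq '^[[:space:]]*DOCKER=Yes' "$dir/shorewall.conf"; then
        echo "missing DOCKER=Yes in $dir/shorewall.conf"; rc=1
    fi
    # the zone must be declared as an ipv4 zone
    if ! grep -Eq "^[[:space:]]*$zone[[:space:]]+ipv4" "$dir/zones"; then
        echo "zone '$zone' not declared in $dir/zones"; rc=1
    fi
    # interfaces must use ?FORMAT 2 and map the zone to the bridge
    if ! grep -Eq '^\?FORMAT[[:space:]]+2' "$dir/interfaces"; then
        echo "$dir/interfaces lacks the ?FORMAT 2 line"; rc=1
    fi
    if ! grep -Eq "^[[:space:]]*$zone[[:space:]]+$iface[[:space:]]+.*bridge" \
            "$dir/interfaces"; then
        echo "no 'bridge' entry for $zone on $iface in $dir/interfaces"; rc=1
    fi
    # containers must not be allowed straight into the firewall host:
    # the post's policy is "pod $FW REJECT" before "pod all ACCEPT"
    if ! grep -Eq "^[[:space:]]*$zone[[:space:]]+\\\$FW[[:space:]]+REJECT" \
            "$dir/policy"; then
        echo "policy '$zone \$FW REJECT' missing in $dir/policy"; rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "Shorewall Podman settings look complete in $dir"
    fi
    return $rc
}

# Run directly as: sh check.sh /etc/shorewall pod cni-podman0
if [ $# -eq 3 ]; then
    check_shorewall_podman "$@"
fi
```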
2021-01-28
MediaWiki with PostgreSQL using Buildah and Podman on RHEL7
- RHEL 7.8
- PostgreSQL 9.2.24-4.el7_8
- Apache 2.4 (via Red Hat Software Collections)
- PHP 7.3 (required by MediaWiki; via Red Hat Software Collections)
- MediaWiki 1.34.2
- one with PostgreSQL
- another with Apache, PHP, and MediaWiki
OUTLINE
- Build two local images with buildah: one for PostgreSQL, one for Apache + PHP-FPM + MediaWiki
- Run containers using local images
- Cleanup
BEFORE WE BEGIN
- container=$( buildah from image_url )
- buildah containers
- buildah rm $container
- buildah rmi image_id
BUILD CONTAINERS
[root@host ~]# yum install buildah podman
[root@host ~]# buildah login registry.redhat.io
PostgreSQL
[root@host ~]# container=$(buildah from registry.access.redhat.com/rhel7)
[root@host ~]# echo $container
rhel7-working-container
[root@host ~]# buildah copy $container /etc/yum.repos.d/redhat.repo \
    /etc/yum.repos.d/redhat.repo
1f302312276b6f60ca1189181159d8c8eba378d3ff76a6aff651220c8f8250f2
[root@host ~]# buildah run $container /bin/bash
[root@psql /]# yum -y install postgresql-server tmux psmisc nc vim
...
Complete!
[root@psql /]# yum -y update
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
No packages marked for update
[root@psql /]# yum clean all
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
Cleaning repos: rhel-7-server-extras-rpms rhel-7-server-optional-rpms rhel-7-server-rpms rhel-server-rhscl-7-rpms
[root@psql /]# cp /usr/bin/postgresql-setup \
/usr/bin/postgresql-setup2
PGDATA=/var/lib/pgsql/data
PGPORT=5432
[root@psql /]# su - postgres
-bash-4.2$ /usr/bin/postgresql-setup2 initdb
Initializing database ... OK
-bash-4.2$ exit
[root@psql /]# sed -i 's/^host/#host/' /var/lib/pgsql/data/pg_hba.conf
[root@psql /]# echo "host all all all md5" >> /var/lib/pgsql/data/pg_hba.conf
[root@psql /]# echo "listen_addresses = '*'" >> /var/lib/pgsql/data/postgresql.conf
[root@psql /]# exit # exit container
[root@host ~]# buildah config --cmd "su - postgres -c \
[root@host ~]# buildah commit $container localhost/postgres-test
Getting image source signatures
Copying blob cacea99e9a8c skipped: already exists
Copying blob f15a9d9f7ab3 skipped: already exists
Copying blob d3e8e97ad524 done
Copying config 7614d3233c done
Writing manifest to image destination
Storing signatures
7614d3233c71651cfba0ba4aa149424dd349db55bee18cf762aef7b37e691a31
[root@host ~]# buildah images
REPOSITORY                         TAG      IMAGE ID       CREATED              SIZE
localhost/postgres-test            latest   8d75ec494b55   About a minute ago   340 MB
registry.access.redhat.com/rhel7   latest   1a9b6d0a58f8   6 weeks ago          215 MB
[root@host ~]# podman run -p 5432:5432 --name psql \
    --hostname psql --detach postgres-test
...outputs container id...
[root@host ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS                   NAMES
8651efee175f  localhost/postgres-test:latest  su - postgres -c ...  4 seconds ago  Up 4 seconds ago  0.0.0.0:5432->5432/tcp  psql
[root@host ~]# podman exec --interactive --tty psql bash
[root@psql ~]# su - postgres
[postgres@psql ~]$ createuser -S -D -R -P -E wikiuser # remember the password you use here
[postgres@psql ~]$ createdb -O wikiuser wikidb
[postgres@psql ~]$ exit # exit user postgres
[root@psql ~]# exit # exit container
[root@host ~]# psql -h 127.0.0.1 -W wikidb wikiuser
Password for user wikiuser:
psql (9.2.24)
Type "help" for help.

wikidb=>
Apache HTTPD, PHP, and MediaWiki
[root@host ~]# container=$( buildah from \
[root@host ~]# echo $container
rhel7-working-container-1
[root@host ~]# buildah copy $container /etc/yum.repos.d/redhat.repo \
    /etc/yum.repos.d/redhat.repo
1f302312276b6f60ca1189181159d8c8eba378d3ff76a6aff651220c8f8250f2
[root@host ~]# buildah copy $container /etc/yum.repos.d/epel.repo \
    /etc/yum.repos.d/epel.repo
15a7fc2ebe4c5260256294d2c890bc1ccb5f8097b1a25aa0c38f9b996fa5fc5b
[root@host ~]# buildah run $container -- /usr/bin/bash
[root@apache /]# yum install -y wget less procps-ng lsof psmisc \
    tmux openssl httpd24 httpd24-httpd httpd24-mod_ssl
[root@apache /]# yum install -y rh-php73 rh-php73-php \
rh-php73-php-gd rh-php73-php-gmp rh-php73-php-intl \
rh-php73-php-mbstring rh-php73-php-pgsql rh-php73-php-opcache \
[root@apache tmp]# scl enable rh-php73 /bin/bash
[root@apache tmp]# which php
/opt/rh/rh-php73/root/usr/bin/php
[root@apache tmp]# php --version
PHP 7.3.11 (cli) (built: Oct 31 2019 08:30:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.11, Copyright (c) 1999-2018, by Zend Technologies
[root@apache tmp]# yum update -y tzdata
[root@apache tmp]# wget https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz
[root@apache tmp]# cd /opt/rh/httpd24/root/var/www/html
[root@apache tmp]# tar xvf /tmp/mediawiki-1.34.2.tar.gz
[root@apache tmp]# mv mediawiki-1.34.2 testwiki
[root@apache tmp]# exit # exits the rh-php73 environment
[root@apache tmp]# exit # exits the container
[root@host ~]# buildah commit $container localhost/apache-test
[root@host ~]# buildah run $container -- /usr/bin/bash
[root@apache ~]# openssl req -new -newkey rsa:4096 > new.cert.csr
[root@apache ~]# openssl rsa -in privkey.pem -out new.cert.key
[root@apache ~]# openssl x509 -in new.cert.csr -out /etc/pki/tls/certs/localhost.crt \
    -req -signkey new.cert.key -days 730
[root@apache ~]# cp new.cert.key /etc/pki/tls/private/localhost.key

[root@apache ~]# openssl req -new -newkey rsa:4096 > new.cert.csr
Generating a 4096 bit RSA private key
.............................++......................................................................................................................................................................................................................................................++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: ***
Verifying - Enter PEM pass phrase: ***
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Riverside
Organization Name (eg, company) [Default Company Ltd]:ACME Corp.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:myservername
Email Address []:web@acmecorp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@apache /]# openssl rsa -in privkey.pem -out new.cert.key
Enter pass phrase for privkey.pem:
writing RSA key
[root@apache /]# openssl x509 -in new.cert.csr -out /etc/pki/tls/certs/localhost.crt \
> -req -signkey new.cert.key -days 730
Signature ok
subject=/C=US/ST=Pennsylvania/L=Philadelphia/O=Drexel University/OU=URCF/CN=urcfstora-apache/emailAddress=dwc62@drexel.edu
Getting Private key
[root@apache /]# cp new.cert.key /etc/pki/tls/private/localhost.key
cp: overwrite '/etc/pki/tls/private/localhost.key'? y
[root@apache /]# exit
[root@host /]# buildah commit $container localhost/apache-test
2019-12-12
RHEL7 on VirtualBox graphics controller
Taking a stab, I changed the Graphics Controller for the VM from VMSVGA to VBoxVGA, and it launched the GUI just fine.
2019-11-20
Even more about SSSD + PAM + LDAP -- password is still expired even right after being changed by user
This is for RHEL6.
Here is the issue: my users kept running into a situation where, upon logging in, they were shown:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for foouser.
Current password:
And then it automatically logs you out, which is expected behavior.
However, when they log in again (with the password that they just set), they are again presented with the same password expiration warning. This repeats ad infinitum.
When I check the OpenLDAP server, and ldapsearch for the user record, it does show that the password was changed by that user on the correct date.
The key bit that I seem to have missed: a setting in /etc/pam_ldap.conf. You have to set the secure LDAP URI, since SSSD password transmissions must be encrypted:
uri ldaps://10.9.8.7/
This should match the URI specified in /etc/openldap/ldap.conf:
URI ldaps://10.9.8.7/
and the setting in /etc/sssd/sssd.conf:
[domain/default]
...
ldap_uri = ldaps://10.9.8.7/
...
And that fixed it.
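The three URIs above have to agree. As an added example that is not from the original post, this shell function reads the three files (or copies of them) and reports any URI that is not ldaps:// or that differs from the others; the file paths are arguments defaulting to the RHEL6 locations named above, and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: check that pam_ldap, the
# OpenLDAP client and SSSD all point at the same ldaps:// URI, which is
# the mismatch described above. Usage:
#   ldap_uri_consistent [pam_ldap.conf] [ldap.conf] [sssd.conf]
ldap_uri_consistent() {
    pam_conf=${1:-/etc/pam_ldap.conf}
    ldap_conf=${2:-/etc/openldap/ldap.conf}
    sssd_conf=${3:-/etc/sssd/sssd.conf}
    # pam_ldap.conf uses "uri ldaps://host/" (lower-case key); last one wins
    pam_uri=$(awk '$1=="uri"{print $2}' "$pam_conf" | tail -n 1)
    # ldap.conf uses "URI ldaps://host/" (upper-case key)
    cli_uri=$(awk '$1=="URI"{print $2}' "$ldap_conf" | tail -n 1)
    # sssd.conf: only the ldap_uri inside the [domain/default] section counts
    sss_uri=$(awk -F= '/^[[:space:]]*\[/{sec=$0}
        sec ~ /^[[:space:]]*\[domain\/default\]/ &&
        $1 ~ /^[[:space:]]*ldap_uri[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2 }' "$sssd_conf" | tail -n 1)
    rc=0
    # every URI must use LDAP over TLS, not plain ldap://
    for u in "$pam_uri" "$cli_uri" "$sss_uri"; do
        case $u in
            ldaps://*) ;;
            *) echo "not an ldaps:// URI: '$u'"; rc=1 ;;
        esac
    done
    # and all three must name the same server
    if [ "$pam_uri" != "$cli_uri" ] || [ "$pam_uri" != "$sss_uri" ]; then
        echo "URI mismatch: pam_ldap='$pam_uri' ldap.conf='$cli_uri' sssd='$sss_uri'"
        rc=1
    fi
    return $rc
}
```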
I RTFMed: "sha512" is not an option for pam_password. This setting hashes the password locally, before passing it on to the LDAP server. The default is "clear", i.e. transmit the password in the clear to the LDAP server, and assume the LDAP server will hash it if necessary. Another option is "crypt", which uses crypt(3).
pam_password sha512
pam_password crypt
However, there does not seem to be a way to specify which hash algorithm is to be used.
I do not think this is a big issue, because the connection to the LDAP server is encrypted anyway.
Why was this a surprise? Well, because in /etc/nsswitch.conf we specified sss as the source for the passwd, shadow, and group name services:
passwd: files sss
shadow: files sss
group: files sss