Forward a TCP port to another IP or port using NAT with nftables

Besides using NAT for accessing the internet with multiple machines using a single IP address, there are many other uses of NAT. One of them is to forward all traffic that is sent to a certain TCP port to another host. In practice, this technique can be used to test a service on a new host without adjusting anything on the client. The users or the clients do not need to be pointed to a new machine in order to test it. When the test would be unsuccessful, removing the NAT-rule is all it takes to switch back.

Continue reading

Install and use CentOS 8 or RHEL 8 as KVM virtualization host

There are many possibilities to turn your machine into a host for virtual machines, emulating one or more separate and isolated computers. Among the popular commercial products from VMWare or Hyper-V on Windows, KVM is a great and mature alternative for full virtualization with great stability and performance. This guide will explain you step by step, from the start how to get this up and running.

Continue reading

Install a newer kernel in CentOS 7

When using the latest version of CentOS 7, even with all updates installed, by default, you can’t get a very recent kernel via the standard repositories in your package manager. While the idea is to remain stable and rather conservative, there are several benefits with installing a newer kernel and in some cases it’s the only option to get the OS to support all your hardware. The risk and impact on stability is small and the process is rather simple.

Continue reading

Create a minimal SSH-accessible chroot jail with Dropbear and BusyBox on CentOS

Sometimes you just need some kind of setup which is not so standard. This was the case which lead to this post. For some testing, I needed a minimal environment containing only a BusyBox shell and that was accessible via Dropbear SSH-server. Probably this setup is quite useless for daily use but it can be used as a base for testing with a minimum set of libraries available. Using this setup gives you the flexibility to experiment with a minimal environment without rebuilding small Linux images.

Continue reading

Linux live kernel patching with kpatch on CentOS 7

Live or dynamic kernel patching allows you to patch a running kernel with no impact to running applications and without rebooting the system. Since the announcement and release of Linux kernel version 4, live kernel patching got got a lot of extra attention. Most probably this is because there weren’t a lot of big changes that one would expect with an increase in the version number. While v4 of the kernel does introduce some new stuff related to live or dynamic kernel patching, Live kernel patching was and is already available for earlier kernel releases. In this post, I’ll try to explain the differences between the new and old method and more important how to do live patching of a v3 kernel on CentOS 7.

Continue reading

SELinux in a practical way

SELinux is often seen as an evil, complex, unnecessary and especially annoying security component which exists in a lot of Linux distributions. Often you can hear something like: “Disable SELinux and try again” or , “The first thing I do on a new server is to disable SELinux”. The problem with SELinux is that it looks very complex and that it looks like you need to spend ages to understand it. In this post, I’ll try to explain a few basic SELinux principles and especially focus on daily, practical problems related to SELinux and their solutions. Don’t forget that there’s a very good reason for SELinux and it would be a shame to not use it.

Continue reading

Setup roundcube webmail as a proxy for Gmail

Recently, I was asked to find a solution or workaround for people using Gmail and are visiting countries where there’s limited or no access to Gmail. I’m not talking about bad internet connection quality but about an explicit (government) block on Gmail or related websites. An example is the block on Gmail by the Chinese Great Firewall. While there is a possibility to avoid the limitation by using a normal proxy or VPN connection, those methods are also actively blocked and monitored. A workaround is to setup your own webmail, as a proxy for Gmail.

Continue reading

Setup a redundant PostgreSQL database with repmgr and pgpool

Using a database to store information is very common. The more information gets stored in a database, the more critical it becomes. At a certain point, the need for a redundant, high(er) available database-setup raises. When you’re using PostgreSQL, you can setup streaming replication quite easily in order to have your data redundant on two or more nodes. But wouldn’t it be a shame if you wouldn’t use the copies of your data to balance the load of your primary database-server? In this post, I’ll try to explain how to setup a redundant PostgreSQL database with load balancing.

Continue reading

Complile and use a realtime kernel on CentOS 7 or RHEL 7

While the need for a realtime kernel or kernel-rt hasn’t been very high recently, there are these special cases where you really need one. A “standard” linux kernel is fast but also balanced in order to treat all workload fair and give each kind of task an equal share of the system resources. A realtime kernel allows you to squeeze that extra bit of performance out of the kernel. It basically allows you to tune it in a more aggressive way in regards to timing and priorities. Since I couldn’t find any clear instructions on how to get a realtime kernel for CentOS 7 and RHEL 7, I decided to write them myself.

Continue reading

Install and use Spacewalk 2.4 on CentOS 7 and RHEL 7

Spacewalk is the upstream-project for Redhat Satellite. It’s a tool which is mainly used to list, deploy and manage packages and updates to Fedora, CentOS, SLES and even Debian installations. Recently a new version, 2.4, came out, so let’s have a look at the installation procedure and how to perform some basic Spacewalk actions

Continue reading

Install oVirt on CentOS 7

Recently, as you could see in previous posts, oVirt got to my attention. oVirt is the upstream project of Red Hat Enterprise Visualization or RHEV. While oVirt it isn’t providing everything that competitor VMWare ESXi does, it comes close and is a very good alternative for smaller or home setups. For a long time, oVirt wasn’t supported on Enterprise Linux 7 (like RHEL 7 or CentOS 7) but since a short time it is. Here you can find how to install oVirt and get started.

Continue reading

Install the Cinnamon desktop environment on CentOS 7

As you might know, Linux is everything about diversity. With the numerous desktop environments available nothing is different in that area. Besides Mate and XFCE, Cinnamon is one of my favorite desktop environments on Linux. Honestly, I can’t really choose. Cinnamon is fast, (not too) fancy, customizable and familiar in some way. Here is how to install Cinnamon on a fresh minimal CentOS 7 installation.

Continue reading

Create a PXE bootserver to install multiple Linux distributions

When regularly installing Linux hosts or VM’s, it easily becomes annoying to constantly burn CD’s/DVD’s or mount ISO’s for all the Linux distributions that you want to deploy. Especially if you want to keep them current or customize them you’ll end up with a whole lot of discs. Booting your installations from the network, using a PXE boot server, makes life a lot easier and isn’t very hard to setup. In this post I’ll explain how to setup such a PXE boot server that is able to provide multiple Linux distribution installations for deployment over the network.

Continue reading

Setup an FTP-server with quotas on RHEL or CentOS 6 or 7 with proftpd

Using FTP actually should be avoided whenever that’s possible but sometimes it’s just the most handy and convenient way of transferring files. In most cases, your FTP-users will be able to upload files to the FTP-server. To avoid that some users would fill up the complete machine, you can use quotas. In this post, I’ll describe how to setup a basic proftpd FTP-server with quotas on RHEL or CentOS 6 and 7.

Continue reading

Monitor oVirt or libvirt with SNMP and Zabbix

Somehow, I expected to have little to no work when I wanted to monitor an oVirt host over SNMP. One would expect this since oVirt is the upstream project for Red Hat’s Enterprise Virtualization (RHEV) which seems to be quite strong in the market. While it isn’t that hard to get information about using SNMP for oVirt or libvirt the outcome can be disappointing. There is some documentation about it but here you can find a more hands-on explanation.

Continue reading

Configure two network cards in a different subnet on RHEL 6, RHEL 7, CentOS 6 and CentOS 7

When configuring a Linux host running either Red Hat Linux 6, Red Hat Linux 7, CentOS 6 or CentOS7 with two network interface cards (NIC) that each have an IP address in a different network or subnet, you could end up in a situation where one of the IP addresses isn’t reachable outside it’s own network. Both IP’s will be responding to a ping from another host in the same network as those IP addresses but only one is responding to ping from another network. On most other distributions, like Debian, this issue, which is caused by asymmetric routing, doesn’t seem to exist.

Continue reading

Compile the Huawei ES3000 PCIe SSD driver for CentOS 7 or RHEL7

The Huawei ES3000 is an SSD accelerator card connected to the PCIe bus which delivers exceptional performance. Today, I found out that Huawei doesn’t provide any ready made drivers to use a Huawei ES3000 PCIe SSD on a system running a Linux kernel > 3.x. This means that it’s not possible to use it on RHEL 7 or CentOS 7 or any other modern Linux distribution that uses a kernel newer than version 2.6.32.63. Fortunately it’s not difficult to compile the driver, install it and start to use the SSD accelerator with a newer kernel.

Continue reading

Install and use the openlava job scheduler and openlava web GUI on CentOS

Scheduling on Linux mostly happens with cron or any of it’s variations. Although cron is very powerful, it lacks a few features to use it in a flexible way and especially when you want to create dependencies or “communicate” with jobs running on other hosts, it has it’s shortcomings. Cron wasn’t really designed with those features in mind. Fortunately there are a few nice schedulers out there which can be used to overcome those limitations. A few of them are SOS Jobscheduler, GNUBatch and openlava. Openlava is a limited open source fork of LSF which is now owned by IBM. Openlava doesn’t come with a GUI but there is another project, Openlava web which enables control over openlava via a web interface.

Continue reading

Write to and manage syslog messages with logger and rsyslog

Syslog is the target where you want all log message to go on all systems that you manage. Almost all Linux distributions use a syslog implementation to gather messages. Recently, rsyslog became the most used syslog-implementation for Linux. Messages can be saved locally or sent to a remote syslog server. When creating your own applications or tools or when you want to log messages coming from processes that don’t support writing to syslog directly, you can use Logger.

Continue reading

Use DRBD in a cluster with Corosync and Pacemaker on CentOS 7

When configuring a cluster, you want tot keep managing the server as simple as possible. Theoretically, the results given by any node in the cluster should be equal as you want the cluster to be transparent to the end-user. Part of doing this, is having the same data available on every node of the cluster when it’s active. One way to do this, is using a central file-share, for example over NFS but this also has disadvantages. Another way is to have a distributed file system that stays on the nodes itself. DRBD is one of them. This post explains how to integrate DRBD in a cluster with Corosync and Pacemaker.

Continue reading

Forward a TCP port to another IP or port using NAT with Iptables

Besides using NAT for accessing the internet with multiple machines using a single IP address, there are many other uses of NAT. One of them is to forward all traffic that is sent to a certain TCP port to another host. In practice, this technique can be used to test a service on a new host without adjusting anything on the client. The users or the clients do not need to be pointed to a new machine in order to test it. When the test would be unsuccessful, removing the NAT-rule is all it takes to switch back.

Continue reading

Find and recover space used by deleted files, shown by df but not by du

When you’re running low on space on a file system, that can cause various unexpected behavior of the system, depending on which file system is filling up. For me, when that happens, I usually first issue a disk free (df) to see which is the file system that is almost full. Once I know which file system, I go and search which files take up the most space in that file system and take action. Sometimes, df show that a file system is almost full while, when summing up all the space by all files doesn’t even come near that value.

Continue reading

Start with a simple 2-node OpenStack setup with KVM

OpenStack is something that gets more and more in the picture and even if you’re only a little interested in the latest technologies, you must have heard from OpenStack here or there. But what is it exactly and more important, how does it work practically. The best way to figure that out is just to get going with it and try to install it and play around. Here you can find a brief explanation and a tutorial or waltrough to deploy a small OpenStack environment on top of CentOS 7 or RHEL 7.

Continue reading

Use inotify-tools on CentOS 7 or RHEL 7 to watch files and directories for events

Today, I discovered that the package inotify-tools is nowhere to be found in standard CentOS7 or RHEL7 repositories. Alternatives like incron seem to be absent as well. The inotify-tools can be used to watch a directory or file for activity and take an action when a file is changed, added, edited or simply read. You can find a workaround (or call it solution) for the absence of the inotify-tools in the repositories here.

Continue reading

Mount Windows (CIFS) shares on Linux with credentials in a secure way

In almost all cases, when mounting a CIFS-share on a Linux host, you will need to supply some credentials. Either you could enter the credentials by hand every time you need the share or add the credentials to /etc/fstab to automatically mount the share. Entering the password manually is secure but not comfortable, leaving the password in /etc/fstab is comfortable but not secure since the file /etc/fstab is world readable.

Continue reading

Spacewalk 2.2 installation on CentOS 7

Spacewalk is the upstream-project for Redhat Satellite. It’s a tool which is mainly used to list, deploy and manage packages and updates to Fedora, CentOS, SLE and even Debian installations. Currently, there is no official documentation on how to run Spacewalk on a el7 based installation like CentOS 7. The installation is not a straightforward as one might think but it is possible.

Continue reading

Install and use CentOS 7 or RHEL 7 as KVM virtualization host

When thinking about virtualization, everybody immediately thinks about VMWare. And it must be said, the product they offer is very decent but also comes with a “decent” price. As an alternative, it’s worth looking into KVM for your virtualization. As with the VMWare product range, KVM offers full virtualization and it can compete with VMWare regarding stability and performance.

Continue reading

Building a high-available failover cluster with Pacemaker, Corosync & PCS

When running mission-critical services, you don’t want to depend on a single (virtual) machine to provide those services. Even when your systems would never crash or hang, from time to time you will need to do some maintenance and restart some services or even the whole machine. Fortunately, clusters were designed to overcome these problems and give the ability to reach a near 100% uptime for your services.

Continue reading

Install MATE or XFCE on CentOS 7

Which desktop environment you prefer is very personal. Each of them has its advantages and, unfortunately, also its disadvantages.

Recently, I started to like MATE since it’s lightweight and customizable in a way I personally like. Before, I was a fan of XFCE for similar reasons but somehow I got a little tired and irritated of it’s shortcomings.

This post covers how to install any of those on top of a minimal install since this means it can be installed on top of almost every type of installation in regards to package selection and dependencies.

Continue reading

Use iptables instead of firewalld in RHEL 7 or CentOS 7

If you, like me, can’t get used to the “new” firewalld in RHEL/CentOS 7 or you have some automation scripts that expect iptables, then I’ve got good news for you :) It’s rather easy to disable firewalld and go back to a “normal” iptables configuration as it used to be.

There are no special tricks involved and/or custom actions that would break your system or put it in a way that you have to be affraid of updating.

Continue reading

Migrate RHEL7 to CentOS7

A migration from RHEL7 to CentOS7 could be something that is needed in certain cases. While re-installing the OS and tranferring your files and settings is not undoable, it creates a lot of effort and possible chance for downtime. Therefor it’s much more handy when an in-place migration between the two can be done. CentOS uses the same package-source as RHEL and tries to be as close as it can be to Red Hat with their distribution. It’s basically RHEL without logo’s, support and licensing.

Continue reading

Install a newer kernel in Debian 7.5 (Wheezy) or CentOS 6.5

When using the latest version of Debian Wheezy or CentOS 6.5, even with all updates installed, by default, you can’t get a very recent kernel via the standard repositories in your package manager. While the idea of both distributions is to remain stable and rather conservative, there are several benefits with installing a newer kernel and in some cases it’s the only option to run one of these distributions. The risk and impact on stability is small and the process is rather simple.

Continue reading