

OpenWRT: Disable invalid default gateway selection

It can happen that the default gateway handed out on various network interfaces is a router that should not be the gateway.  In our case the OpenWRT Raspberry Pi 2 became the gateway for any host getting an IP dynamically, so all requests were sent via the Raspberry Pi 2, which is not what we want.  To fix this, first check whether your device is running a DHCP server:

root@OWRT01:~# ps | grep -Ei dhcp
  547 root      1240 S    /usr/sbin/odhcpd
 1556 root      1072 S    grep -Ei dhcp
root@OWRT01:~#

To disable it, use the LuCI interfaces panel ( LuCI -> Network -> Interfaces -> LAN ), click Edit, then disable the DHCP server in the rightmost tab:

https://i0.wp.com/www.microdevsys.com/WordPressImages/OpenWRT01-Configure-Disable-DHCP-Server-Default-Gateway.png?ssl=1

Save and restart the device.  
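The same change can be scripted, as an added example that is not part of the original post. It assumes an OpenWrt device where the LAN interface is called lan in /etc/config/dhcp, and that dnsmasq serves DHCPv4 while odhcpd serves DHCPv6/RA (the OpenWrt defaults); the ps output inside the script is constructed.

```shell
# Added example (not from the post): list the DHCP daemons found in `ps`
# output and turn off DHCP on the LAN interface with UCI, the command-line
# equivalent of the LuCI checkbox. Assumes OpenWrt with the LAN interface
# named "lan" in /etc/config/dhcp.

# Constructed sample of BusyBox `ps` output, modelled on the listing above.
SAMPLE_PS='  547 root      1240 S    /usr/sbin/odhcpd
  812 root      1108 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c
 1556 root      1072 S    grep -Ei dhcp'

# Print the DHCP-serving daemons (dnsmasq = DHCPv4, odhcpd = DHCPv6/RA)
# present in ps output read from stdin, space separated and sorted.
# The grep process itself is filtered out, unlike the plain `ps | grep` above.
dhcp_daemons() {
    grep -E 'odhcpd|dnsmasq' | grep -v ' grep ' \
        | awk '{ print $5 }' | sed 's#.*/##' | sort -u \
        | tr '\n' ' ' | sed 's/ $//'
}

# Disable DHCPv4 (ignore=1) and DHCPv6/RA on "lan", then restart the daemons.
# Stopping the router advertisements matters too: RA is how an IPv6 host
# learns its default gateway.
disable_lan_dhcp() {
    command -v uci >/dev/null 2>&1 \
        || { echo "uci not found: not an OpenWrt system?" >&2; return 1; }
    uci set dhcp.lan.ignore='1'
    uci set dhcp.lan.dhcpv6='disabled'
    uci set dhcp.lan.ra='disabled'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
    /etc/init.d/odhcpd restart
}

# A bare run only reports; pass --apply to change the configuration.
if [ "${1:-}" = "--apply" ]; then
    echo "DHCP daemons before: $(ps | dhcp_daemons)"
    disable_lan_dhcp
else
    echo "sample detection: $(printf '%s\n' "$SAMPLE_PS" | dhcp_daemons)"
fi
```

Run it with --apply on the router to turn off both the DHCPv4 pool and the IPv6 router advertisements, which is what stops the device announcing itself as a gateway; without --apply it only runs the detection against the sample.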

Cheers,
Tom

OpenWRT: Resolving the /etc/resolv.conf lack of proper DNS resolution.

OpenWRT links /etc/resolv.conf to /tmp/resolv.conf and only adjusts entries in /tmp/resolv.conf if $localuse is enabled in the UI:

https://i0.wp.com/www.microdevsys.com/WordPressImages/OpenWRT01-Configure-resolv-conf.PNG?ssl=1

The above, entered as text, is:


 

Your connection is not private: Trusting your own LAB SelfSigned Certificates in Kaspersky, Windows and Chrome

This use case is aimed at folks who develop in their local environment and need to trust a set of certificates, so they are not repeatedly prompted to verify a domain they already know is trusted and safe, despite the site using self-signed certificates, as is the case in many labs.  Here's how to suppress these warnings for specific sites.

Your connection is not private

The steps below assume you are running Windows 10 with a non-privileged account.  As of this writing, Chrome appears to use its own trusted root certificate authorities, which could not be updated by importing into that category.

1) Chrome ( the first 4 steps may not work )

  • Export the certificate to a file by clicking the Lock or "Not Secure" text that appears to the left of your URL.
  • Select View Certificate -> Details tab, then Copy to File... and save the certificate.  Name the file something easily discernible to prevent confusion later on. https://i0.wp.com/www.microdevsys.com/WordPressImages/Trusting-Self-Signed-Certificates-Allow-In-Chrome.PNG?ssl=1
  • In chrome://settings, or via the three-dot menu at the top right, search for SSL in the search field, then select Security -> Manage Certificates.
  • Import your certificate under the 
  • If the above doesn't work, on the error page type thisisunsafe to bypass the prompt in the future.  The site will still be marked as insecure; however, it will no longer prompt you to proceed.

2) Kaspersky Total Security

  • Add the sites to the list of Trusted Addresses to bypass the above Kaspersky warning.
    https://i2.wp.com/www.microdevsys.com/WordPressImages/Trusting-Self-Signed-Certificates-Allow-In-Kaspersky.PNG?ssl=1

3) Enjoy!

TK

Adjusting Memory in Atlassian Confluence

The lines shown in bold in the original post were adjusted for optimum startup and performance:


# pwd
/atlas/atlassian/confluence/bin
# cat setenv.sh
# Set the JVM arguments used to start Confluence.
# For a description of the vm options of jdk 8, see:
# http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
# For a description of the vm options of jdk 11, see:
# https://docs.oracle.com/en/java/javase/11/tools/java.html
CATALINA_OPTS="-XX:+IgnoreUnrecognizedVMOptions ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution ${CATALINA_OPTS}"
CATALINA_OPTS="-Xlog:gc+age=debug:file=$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log::filecount=5,filesize=2M ${CATALINA_OPTS}"
CATALINA_OPTS="-Xloggc:$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:G1ReservePercent=20 ${CATALINA_OPTS}"
CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Datlassian.plugins.enable.wait=300 ${CATALINA_OPTS}"
CATALINA_OPTS="-Xms1024m -Xmx6144m -XX:+UseG1GC ${CATALINA_OPTS}"
CATALINA_OPTS="-Dsynchrony.enable.xhr.fallback=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 ${CATALINA_OPTS}"
CATALINA_OPTS="-Djava.locale.providers=JRE,SPI,CLDR ${CATALINA_OPTS}"
CATALINA_OPTS="${START_CONFLUENCE_JAVA_OPTS} ${CATALINA_OPTS}"
CATALINA_OPTS="-Dconfluence.context.path=${CONFLUENCE_CONTEXT_PATH} ${CATALINA_OPTS}"
CATALINA_OPTS="-Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing ${CATALINA_OPTS}"


export CATALINA_OPTS


# ps -ef|grep -Ei confluence
conflue+ 22167     1 99 22:18 ?        00:00:35 /atlas/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/atlas/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing -Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Dconfluence.context.path= -Datlassian.plugins.startup.options= -Djava.locale.providers=JRE,SPI,CLDR -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dsynchrony.enable.xhr.fallback=true -Xms1024m -Xmx6144m -XX:+UseG1GC -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -XX:G1ReservePercent=20 -Xloggc:/atlas/atlassian/confluence/logs/gc-2021-07-13_22-18-48.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/atlas/atlassian/confluence/logs/gc-2021-07-13_22-18-48.log::filecount=5,filesize=2M -XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution -XX:+IgnoreUnrecognizedVMOptions -Dignore.endorsed.dirs= -classpath /atlas/atlassian/confluence/bin/bootstrap.jar:/atlas/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/atlas/atlassian/confluence -Dcatalina.home=/atlas/atlassian/confluence -Djava.io.tmpdir=/atlas/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start
root     22391 12708  0 22:19 pts/0    00:00:00 grep --color=auto -Ei confluence

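As an added example (not from the post), a small audit script for the running JVM's command line, which catches two things worth checking after editing setenv.sh: a heap that is too large for the host, and the TLS protocol list, which in the setenv.sh above still includes TLSv1.1 (deprecated by RFC 8996). The sample command line is a shortened, constructed copy of the ps output above; the 75% heap share is an assumed rule of thumb, not an Atlassian figure.

```shell
# Added example (not from the post): audit the heap and TLS settings of a
# running Confluence from its java command line. Constructed sample below,
# shortened from the ps output above.
SAMPLE_CMDLINE='/atlas/atlassian/confluence/jre//bin/java -Djdk.tls.server.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Xms1024m -Xmx6144m -XX:+UseG1GC -XX:G1ReservePercent=20 org.apache.catalina.startup.Bootstrap start'

# Print the value of -X<flag> ($2 = Xms or Xmx) from command line $1 in MB;
# prints 0 when the flag is absent.
jvm_mb() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^-$2\([0-9][0-9]*\)\([kKmMgG]\).*/\1 \2/p" | head -n 1 \
        | awk '{ v = $1; u = tolower($2) }
               u == "k" { v = v / 1024 }
               u == "g" { v = v * 1024 }
               END { print int(v) }'
}

# Heap check: -Xmx should stay under $3 percent of $2 MB of RAM, since the
# OS, Synchrony and any local database also need memory. Prints OK/WARN.
heap_check() {
    xmx=$(jvm_mb "$1" Xmx)
    limit=$(( $2 * $3 / 100 ))
    if [ "$xmx" -gt "$limit" ]; then
        echo "WARN: -Xmx ${xmx}m exceeds ${3}% of ${2}m RAM"
    else
        echo "OK: -Xmx ${xmx}m within ${3}% of ${2}m RAM"
    fi
}

# TLS check: TLS 1.0 and 1.1 are deprecated (RFC 8996); the setenv.sh above
# still lists TLSv1.1, so this flags it.
tls_check() {
    protos=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Djdk.tls.server.protocols=//p')
    [ -n "$protos" ] || { echo "OK: JDK default server protocol list"; return 0; }
    case ",$protos," in
        *,TLSv1.1,*|*,TLSv1,*|*,SSLv3,*) echo "WARN: deprecated protocol enabled: $protos" ;;
        *) echo "OK: $protos" ;;
    esac
}

# Live run (Linux with procps): inspect the running Confluence JVM.
if [ "${1:-}" = "--live" ]; then
    cmd=$(ps -o args= -C java | grep -m1 catalina)
    mem=$(awk '/^MemTotal/ { print int($2 / 1024) }' /proc/meminfo)
    heap_check "$cmd" "$mem" 75
    tls_check "$cmd"
else
    heap_check "$SAMPLE_CMDLINE" 8192 75
    tls_check "$SAMPLE_CMDLINE"
fi
```

On the sample it reports the heap as fine on an 8 GB host and warns about TLSv1.1; dropping TLSv1.1 from both -Djdk.tls.*.protocols lines in setenv.sh makes the second check pass.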
HF!

ERR - dse_check_file - The backup file /etc/dirsrv/slapd-NIX-MDS-XYZ/dse.ldif.bak has zero length, refusing to restore it.

Recover the backup from the known-good copy, literally:

/etc/dirsrv/slapd-NIX-MDS-XYZ# ls -altri
total 1904
     2076 -rw-------. 1 dirsrv root   197845 May 24  2020 dse.ldif.ipa.b22658eb606be0d2
   249372 -rw-r--r--. 1 dirsrv root   197954 May 24  2020 dse.ldif.modified.out
   130281 -rw-------. 1 dirsrv dirsrv 197835 Mar  7 15:50 dse.ldif.startOK
   456855 -rw-------. 1 dirsrv dirsrv      0 May 17 03:12 dse.ldif.bak-backup
/etc/dirsrv/slapd-NIX-MDS-XYZ# cp -ip dse.ldif.startOK dse.ldif.bak

Result:

/etc/dirsrv/slapd-NIX-MDS-XYZ# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
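Added example (not from the post): the same recovery with the check the error message is asking for. It refuses to copy a zero-length or non-LDIF file over dse.ldif.bak, moves the empty file aside instead of destroying it, and preserves ownership and mode with cp -p. The instance directory is a placeholder; dse.ldif.startOK is the good copy used above.

```shell
# Added example (not from the post): restore dse.ldif.bak from a known-good
# copy only after checking the candidate is non-empty and carries the
# cn=config entry every dse.ldif starts with. The instance directory is a
# placeholder; dse.ldif.startOK is the author's name for the good copy.
INSTANCE_DIR="${INSTANCE_DIR:-/etc/dirsrv/slapd-INSTANCE}"

# Return 0 when $1 is a plausible dse.ldif: non-empty and has "dn: cn=config".
looks_like_dse() {
    [ -s "$1" ] && grep -q '^dn: cn=config$' "$1"
}

# Restore: $1 = good copy, $2 = target. A zero-length target is moved aside
# rather than overwritten (it is evidence of what went wrong), and cp -p keeps
# the dirsrv ownership and 0600 mode the server expects.
restore_dse() {
    src="$1"; dst="$2"
    if ! looks_like_dse "$src"; then
        echo "refusing: $src is empty or not a dse.ldif" >&2
        return 1
    fi
    if [ -e "$dst" ] && [ ! -s "$dst" ]; then
        mv "$dst" "$dst.zero-length.$(date +%s)"
    fi
    cp -p "$src" "$dst" && echo "restored $dst from $src"
}

# Apply only when asked; then start IPA as in the post.
if [ "${1:-}" = "--apply" ]; then
    restore_dse "$INSTANCE_DIR/dse.ldif.startOK" "$INSTANCE_DIR/dse.ldif.bak" \
        && ipactl start
fi
```

Set INSTANCE_DIR to the real slapd-<instance> directory and run with --apply as root; a bare run defines the functions only.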

HTH,

OpenVpn: Can’t browse web when connected and VPN is active.

Configured your OpenVPN, but now you can't browse the web when connected?  It turns out the following NAT rule was missing from the firewall configuration on the OpenVPN router:

iptables -t nat -I POSTROUTING -s 10.1.1.0/24 -j SNAT --to $(nvram get wan_ipaddr)

Our VPN subnet is 10.1.1.0/24, but no rule existed to send its traffic out through the WAN interface, meaning no external traffic was translated to the external IP address, which left us with no web connectivity to the outside world.  The rule above fixes this.  In case you're wondering what nvram get wan_ipaddr does: it is a command from the DD-WRT custom firmware (BusyBox-based) used on various routers, which replaces the stock Web UI on those routers.  If DD-WRT is not used, the router's external IP address will do.
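As an added example (not from the post), here is the rule built and applied from a script, with two refinements a practitioner would want: an -o match on the WAN interface so only traffic actually leaving to the Internet is rewritten, and a MASQUERADE fallback for routers whose WAN address is dynamic (a static SNAT silently breaks when that address changes). The VPN subnet is the post's; wan_ifname is assumed to be the DD-WRT nvram variable holding the WAN interface name, and the rest works on any Linux box with iproute2 and iptables.

```shell
# Added example (not from the post): build the source-NAT rule, find the WAN
# address the way DD-WRT does (nvram) or from the routing table elsewhere, and
# insert the rule only once. wan_ifname is assumed to be the DD-WRT nvram
# variable for the WAN interface.
VPN_NET="${VPN_NET:-10.1.1.0/24}"

# Rule spec for subnet $1 leaving via interface $2. With a WAN address in $3
# it is a static SNAT as in the post; without one it falls back to MASQUERADE,
# which follows a DHCP-assigned WAN address instead of breaking when it changes.
# The "-o" match is what the post's rule lacks: without it, VPN traffic bound
# for the LAN would be rewritten as well.
nat_rule() {
    if [ -n "${3:-}" ]; then
        echo "-s $1 -o $2 -j SNAT --to-source $3"
    else
        echo "-s $1 -o $2 -j MASQUERADE"
    fi
}

# Print "<wan interface> <wan address>".
wan_info() {
    if command -v nvram >/dev/null 2>&1; then
        echo "$(nvram get wan_ifname) $(nvram get wan_ipaddr)"
    else
        # 192.0.2.1 is a documentation address; the route lookup sends no packet.
        ip -4 route get 192.0.2.1 | awk '
            { for (i = 1; i <= NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "src") s = $(i+1) } }
            END { print d, s }'
    fi
}

# Insert the rule at the top of nat/POSTROUTING unless it is already there
# (iptables -C tests for presence), and warn if forwarding is off: NAT alone
# does not route VPN clients anywhere.
apply_nat() {
    set -- $(wan_info)
    wan_if="${1:-}"; wan_ip="${2:-}"
    [ -n "$wan_if" ] || { echo "could not determine WAN interface" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || echo "warning: net.ipv4.ip_forward is 0; VPN clients will not be routed" >&2
    rule=$(nat_rule "$VPN_NET" "$wan_if" "$wan_ip")
    if iptables -t nat -C POSTROUTING $rule 2>/dev/null; then
        echo "already present: $rule"
    else
        iptables -t nat -I POSTROUTING $rule
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_nat
fi
```

Run with --apply as root on the router; pass an empty WAN address to nat_rule (or remove the nvram branch) to get the MASQUERADE form on a dynamic-IP link.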

Thanks,

OpenShift w/ Kubernetes Setup: Installing using the UPI Method

Building an OpenShift Kubernetes cluster.  The method used here is the UPI installation method.  Start off by loading the official page from Red Hat:

https://i1.wp.com/www.microdevsys.com/WordPressIMages/KubernetesAndOpenShift.PNG?ssl=1

Before you begin, ensure the following files are downloaded from the Red Hat OpenShift pages (see links in the above document):

/root/openshift # ls -altri
total 439680
201572861 -rw-r--r--.  1 root        root              706 Apr 25 04:15 README.md
201572704 -rwxr-xr-x.  1 root        root        360710144 Apr 25 04:15 openshift-install
201572859 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz      2775 May  8 22:53 pull-secret.txt
201572858 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz  89491042 May  8 22:55 openshift-install-linux.tar.gz
201572850 drwxr-xr-x.  3 root        root             4096 May  8 23:58 .
201326721 dr-xr-x---. 12 root        root             4096 May  9 08:43 ..

Extract the .tar.gz using:

tar -zxf openshift-install-linux.tar.gz


Firewalld: Add VLANs to allowed trusted / public zone rules.

Short list of commands for adding VLANs to trusted zones:

firewall-cmd --zone=trusted --add-source=192.168.0.0/24
firewall-cmd --zone=trusted --add-source=10.0.0.0/24
firewall-cmd --zone=trusted --add-source=10.1.0.0/24
firewall-cmd --zone=trusted --add-source=10.2.0.0/24
firewall-cmd --zone=trusted --add-source=10.3.0.0/24
cat /etc/firewalld/zones/public.xml
firewall-cmd --runtime-to-permanent
cat /etc/firewalld/zones/public.xml

Result of this is:

cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <source address="192.168.0.0/24"/>
  <source address="10.0.0.0/24"/>
  <source address="10.1.0.0/24"/>
  <source address="10.2.0.0/24"/>
  <source address="10.3.0.0/24"/>
</zone>
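An added example (not from the post) that adds the same sources idempotently and then checks the permanent zone file against the intended list; the zone XML it parses is assumed to look like the one above. One caveat: the trusted zone has target ACCEPT, as its description says, so every listening port on the host becomes reachable from these networks; a zone with an explicit service list is the safer home for a VLAN that only needs a few services.

```shell
# Added example (not from the post): add the sources to the trusted zone
# idempotently, persist, and verify the permanent zone file lists exactly the
# intended networks. Remember that "trusted" has target ACCEPT: every
# listening port on the host is reachable from these networks.
WANTED="192.168.0.0/24 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24"
ZONE_XML="${ZONE_XML:-/etc/firewalld/zones/trusted.xml}"

# Print the source addresses in a firewalld zone XML file ($1), one per line.
zone_sources() {
    sed -n 's/.*<source address="\([^"]*\)".*/\1/p' "$1"
}

# Compare the sources in zone file $1 with the space-separated list $2.
# Prints "match", or one "missing:"/"extra:" line per difference (returns 1).
check_sources() {
    have=$(zone_sources "$1" | sort)
    want=$(printf '%s\n' $2 | sort)
    if [ "$have" = "$want" ]; then
        echo match
        return 0
    fi
    for s in $want; do printf '%s\n' "$have" | grep -qxF "$s" || echo "missing: $s"; done
    for s in $have; do printf '%s\n' "$want" | grep -qxF "$s" || echo "extra: $s"; done
    return 1
}

# Runtime change only for sources not already in the zone, then persist and
# verify what actually landed in the permanent file.
apply_sources() {
    for s in $WANTED; do
        firewall-cmd --zone=trusted --query-source="$s" >/dev/null 2>&1 \
            || firewall-cmd --zone=trusted --add-source="$s"
    done
    firewall-cmd --runtime-to-permanent
    check_sources "$ZONE_XML" "$WANTED"
}

if [ "${1:-}" = "--apply" ]; then
    apply_sources
fi
```

Run with --apply as root; the final check_sources output is the thing to read, since a source that was rejected or mistyped shows up there as missing.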

 

Thx,

ImportError: cannot import name ‘setup’

Getting this?

[root@rmq01 ~]# pip3 install --user git+https://github.com/powerline/powerline.git@master
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting git+https://github.com/powerline/powerline.git@master
  Cloning https://github.com/powerline/powerline.git (to master) to /tmp/pip-i_onc12r-build
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-i_onc12r-build/setup.py", line 11, in <module>
        from setuptools import setup, find_packages
    ImportError: cannot import name 'setup'

Solve it by running this:

[root@rmq01 ~]# yum reinstall python3-setuptools.noarch

Seems the package files were corrupted.

Cheers,
Tom

User is not allowed to run sudo on server.  This incident will be reported.

Receiving the following when using FreeIPA to manage sudo rules?

-sh-4.2$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on idmipa04.  This incident will be reported.
-sh-4.2$

On a working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

and on a non-working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Disabled
# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

ipa-compat-manage status
Directory Manager password: 

Plugin Disabled

Enable the plugin:

# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
#

Then try the sudo to root again.  All sudo rules should be visible using the following commands:

ldapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn | grep -Ei sudo | grep -v "#"

ipa sudorule-find All

on both servers.  Verify on clients:

$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on azure-r01wn01.  This incident will be reported.
$ su -
Password: 
Last login: Thu Jan 28 21:53:55 EST 2021 on pts/0
[root@azure-r01wn01 ~]# systemctl restart sssd^C
[root@azure-r01wn01 ~]# rm -f /var/lib/sss/db/*
[root@azure-r01wn01 ~]# systemctl restart sssd
[root@azure-r01wn01 ~]# logout
$ sudo su -
[sudo] password for tom@mds.xyz: 
Last login: Fri Jan 29 00:51:40 EST 2021 on pts/1
[root@azure-r01wn01 ~]# 
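Added example (not from the post): a small script that parses the ipa-compat-manage status output, counts the sudo rules that actually appear in the compat tree (ou=sudoers, which is what the ldapsearch above is grepping for), and refreshes the client cache with sss_cache -E instead of deleting the database from under a running sssd; the wholesale purge from the session above is kept, but behind --purge and with sssd stopped first. The status output inside the script is constructed.

```shell
# Added example (not from the post): parse `ipa-compat-manage status` output
# (constructed sample), count sudo rules exposed under ou=sudoers in
# ldapsearch output, and refresh the SSSD cache on a client without deleting
# database files from under a running sssd.
SAMPLE_STATUS='Directory Manager password:

Plugin Disabled'

# Read `ipa-compat-manage status` output on stdin; print enabled/disabled/unknown.
compat_state() {
    case "$(grep '^Plugin ' | head -n 1)" in
        'Plugin Enabled')  echo enabled ;;
        'Plugin Disabled') echo disabled ;;
        *)                 echo unknown ;;
    esac
}

# Count DNs under ou=sudoers (the compat tree sudo clients read) in
# ldapsearch output on stdin; this is what the `grep -Ei sudo` above approximates.
compat_sudo_rules() {
    grep -Eic '^dn: cn=[^,]+,ou=sudoers,' || true
}

# Client cache refresh. sss_cache -E marks every cached entry (sudo rules
# included) as expired so the next lookup goes back to the server; the full
# purge the post performs is kept behind --purge and done with sssd stopped,
# so the daemon is not holding the files that are being removed.
refresh_sssd_cache() {
    if [ "${1:-}" = "--purge" ]; then
        systemctl stop sssd
        rm -f /var/lib/sss/db/*
        systemctl start sssd
    else
        sss_cache -E
    fi
}

if [ "${1:-}" = "--refresh" ]; then
    refresh_sssd_cache "${2:-}"
    sudo -l          # lists the rules sudo now sees for this user
fi
```

On a client, `./script --refresh` followed by `sudo -l` is a quieter check than `sudo su -`: it lists the rules sssd hands to sudo without needing to run anything. Feed the server-side output through the parsers with `ipa-compat-manage status | compat_state` and `ldapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn | compat_sudo_rules`; a count of 0 on a server whose plugin reports enabled means the compat tree is empty and the restart in the post is still needed.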

Thanks,


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License