checkipaconsistency (cipa) compares object counts, LDAP conflicts, ghost replicas and replication agreement status across every FreeIPA replica in a domain, so you can see at a glance whether the replicas have drifted apart. Install it and run it from the cloned directory (passing the bind password with -W puts it in your shell history and in the process list; the tool can also read it from its ~/.cipa config file):
yum install git -y; git clone https://github.com/peterpakos/checkipaconsistency.git; cd checkipaconsistency
# ./cipa -d mws.mds.xyz -W "SECRET"
+--------------------+------------+-------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04    | STATE |
+--------------------+------------+-------------+-------+
| Active Users       | 1          | 1           | OK    |
| Stage Users        | 0          | 0           | OK    |
| Preserved Users    | 0          | 0           | OK    |
| Hosts              | 2          | 2           | OK    |
| Services           | 11         | 11          | OK    |
| User Groups        | 10         | 10          | OK    |
| Host Groups        | 1          | 1           | OK    |
| Netgroups          | 0          | 0           | OK    |
| HBAC Rules         | 1          | 1           | OK    |
| SUDO Rules         | 0          | 0           | OK    |
| DNS Zones          | 3          | 3           | OK    |
| Certificates       | 17         | 17          | OK    |
| LDAP Conflicts     | 0          | 0           | OK    |
| Ghost Replicas     | 0          | 0           | OK    |
| Anonymous BIND     | ON         | ON          | OK    |
| Microsoft ADTrust  | True       | False       | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 18 | OK    |
+--------------------+------------+-------------+-------+
#
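A table is fine for a human, but a cron job or a monitoring wrapper needs a yes/no. The script below is an added example (not part of checkipaconsistency or of this post) that parses the table cipa prints, reports every check whose STATE is not OK together with the per-replica values, and exits 2 when anything fails. It assumes cipa's default layout (check name first, one column per replica, STATE last); the embedded sample is a copy of the output above, and the script name in the usage line is hypothetical.

```python
"""Turn cipa's table into a machine-checkable result.

Added example for this post; it is not part of checkipaconsistency. It
parses the table cipa prints (first column = check name, one column per
replica, last column = STATE) and exits non-zero when any check is not OK.
"""
import re
import subprocess
import sys

BORDER = re.compile(r"^\+[-+]+\+$")

# The output shown above, reproduced here as constructed sample input.
SAMPLE = """\
+--------------------+------------+-------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04    | STATE |
+--------------------+------------+-------------+-------+
| Active Users       | 1          | 1           | OK    |
| Stage Users        | 0          | 0           | OK    |
| Preserved Users    | 0          | 0           | OK    |
| Hosts              | 2          | 2           | OK    |
| Services           | 11         | 11          | OK    |
| User Groups        | 10         | 10          | OK    |
| Host Groups        | 1          | 1           | OK    |
| Netgroups          | 0          | 0           | OK    |
| HBAC Rules         | 1          | 1           | OK    |
| SUDO Rules         | 0          | 0           | OK    |
| DNS Zones          | 3          | 3           | OK    |
| Certificates       | 17         | 17          | OK    |
| LDAP Conflicts     | 0          | 0           | OK    |
| Ghost Replicas     | 0          | 0           | OK    |
| Anonymous BIND     | ON         | ON          | OK    |
| Microsoft ADTrust  | True       | False       | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 18 | OK    |
+--------------------+------------+-------------+-------+
"""


def parse_cipa_table(text):
    """Return (replicas, rows); rows maps check name -> {"values": {...}, "state": str}."""
    data = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not BORDER.match(ln.strip())]
    if not data:
        raise ValueError("no cipa table found in input")
    header = [c.strip() for c in data[0].strip("|").split("|")]
    replicas = header[1:-1]
    rows = {}
    for line in data[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        rows[cells[0]] = {"values": dict(zip(replicas, cells[1:-1])), "state": cells[-1]}
    return replicas, rows


def failed_checks(rows):
    """Names of the checks whose STATE column is anything other than OK."""
    return sorted(name for name, row in rows.items() if row["state"] != "OK")


def main(argv):
    # With arguments, run them as the cipa command line and parse its stdout;
    # without arguments, parse the embedded sample.
    if argv:
        text = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    replicas, rows = parse_cipa_table(text)
    failed = failed_checks(rows)
    for name in failed:
        detail = ", ".join(f"{r}={v}" for r, v in rows[name]["values"].items())
        print(f"FAIL {name}: {detail}")
    print(f"{len(rows)} checks across {len(replicas)} replicas, {len(failed)} failing")
    return 2 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python cipa_check.py ./cipa -d mws.mds.xyz` (with the password coming from ~/.cipa rather than the command line) and key an alert off the exit status; on the output above it reports the ADTrust mismatch between idmipa03 and idmipa04.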
Cheers,
TK
February 18th, 2019 | Posted in NIX Posts | No Comments
Zabbix error:
[Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-01.abc.xyz.123' (13)
related to:
audit.log:type=AVC msg=audit(1549949080.977:11328): avc: denied { name_connect } for pid=9115 comm="zabbix_server" dest=3306 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
is solved by the following (note that this pipeline compiles every AVC in the log, not only this one, into a module it names systemd-allow; read the generated systemd-allow.te before loading it, or for this particular denial just enable the boolean with setsebool -P zabbix_can_network on):
# grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow; semodule -i systemd-allow.pp
Cheers,
TK
February 12th, 2019 | Posted in NIX Posts | No Comments
Zabbix error:
10272:20190212:003104.073 cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [98] Address already in use.
10239:20190212:003104.078 One child process died (PID:10272,exitcode/signal:1). Exiting …
related to:
# cat ../audit/audit.log|grep -Ei denied|tail
type=AVC msg=audit(1549949530.062:12551): avc: denied { unlink } for pid=10521 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=3998803 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
is solved by the same audit2allow pipeline (the glob now pulls in rotated logs too, so check systemd-allow.te for unrelated denials before loading it):
# grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp
Cheers,
TK
February 12th, 2019 | Posted in NIX Posts | Comments Off on Zabbix: cannot start preprocessing service: Cannot bind socket to “/var/run/zabbix/zabbix_server_preprocessing.sock”: [98] Address already in use.
Zabbix error:
10587:20190212:003514.676 using configuration file: /etc/zabbix/zabbix_server.conf
10587:20190212:003514.676 cannot set resource limit: [13] Permission denied
relates to:
[root@host01 zabbix]# cat ../audit/audit.log|grep -Ei denied|tail
type=AVC msg=audit(1549949714.675:12570): avc: denied { setrlimit } for pid=10587 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
[root@host01 zabbix]#
and is solved by the same pipeline (again, review systemd-allow.te before semodule -i loads it):
[root@host01 zabbix]# grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp
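The three Zabbix fixes above all pipe the whole audit log into audit2allow, which turns every recorded denial, from any program, into one set of allow rules. The script below is an added example (not audit2allow and not Zabbix code) that parses raw AVC records, optionally keeps only one program's denials, and prints the allow rules they imply in the same shape as an audit2allow .te file, so you can see what a module would grant before building it. The sample input is the three AVC lines from these posts plus one constructed httpd denial to show what an unfiltered grep would sweep in; the script name in the usage line is hypothetical.

```python
"""Summarise SELinux AVC denials before handing them to audit2allow.

Added example for the three Zabbix posts above; it is not audit2allow and
not part of Zabbix. It parses raw AVC records, groups them by (source type,
target type, class), and prints the allow rules they imply.
"""
import re
import sys
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Three denials taken from the posts above plus one constructed httpd
# denial, to show why filtering by program matters.
SAMPLE_LOG = """\
type=AVC msg=audit(1549949080.977:11328): avc: denied { name_connect } for pid=9115 comm="zabbix_server" dest=3306 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1549949530.062:12551): avc: denied { unlink } for pid=10521 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=3998803 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1549949714.675:12570): avc: denied { setrlimit } for pid=10587 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1549950000.000:12600): avc: denied { write } for pid=11000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""


def parse_avc(line):
    """Return the fields audit2allow cares about, or None if this is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if any(key not in fields for key in ("comm", "scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields["comm"],
        "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_log(text, comm=None):
    """All AVC denials in the text, optionally restricted to one program name."""
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    if comm is not None:
        denials = [d for d in denials if d["comm"] == comm]
    return denials


def allow_rules(denials):
    """Allow rules in .te syntax, one per (source, target, class), perms merged."""
    grouped = defaultdict(set)
    for d in denials:
        # audit2allow writes 'self' when source and target types are the same.
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        grouped[(d["stype"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def main(argv):
    comm = None
    if argv[:1] == ["--comm"] and len(argv) > 1:
        comm, argv = argv[1], argv[2:]
    text = open(argv[0]).read() if argv else SAMPLE_LOG
    for rule in allow_rules(parse_log(text, comm)):
        print(rule)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python avc_summary.py --comm zabbix_server /var/log/audit/audit.log`; without --comm the constructed httpd denial shows up as a fourth rule, which is what the grep-everything pipeline would have loaded. The equivalent restriction with the real tool is `ausearch -c zabbix_server --raw | audit2allow -M zabbix_local`.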
Cheers,
TK
February 12th, 2019 | Posted in NIX Posts | Comments Off on Zabbix: cannot set resource limit: [13] Permission denied
AWX / Ansible High Availability Configuration on CentOS 7. The goal is a highly available and scalable AWX and Ansible cluster.
Here is how we will plan things out:
+---------------+---------------+---------------------+-----------------------------------+
| NAME          | ADDRESS       | HOSTNAME            | SERVICES                          |
+---------------+---------------+---------------------+-----------------------------------+
| awx01         | 192.168.0.142 | awx01.nix.mds.xyz   | AWX, Gluster, Keepalived, HAProxy |
| awx02         | 192.168.0.143 | awx02.nix.mds.xyz   | AWX, Gluster, Keepalived, HAProxy |
| awx03         | 192.168.0.117 | awx03.nix.mds.xyz   | AWX, Gluster, Keepalived, HAProxy |
| awx-c01 (VIP) | 192.168.0.65  | awx-c01.nix.mds.xyz |                                   |
+---------------+---------------+---------------------+-----------------------------------+
Read the rest of this entry »
November 23rd, 2018 | Posted in NIX Posts | Comments Off on AWX / Ansible High Availability Configuration on CENTOS 7
This is how to get a detailed TCP dump of your network traffic while keeping your own PuTTY session out of the capture. Note that "port not 22" drops all SSH traffic, not just yours; if you need to see other SSH sessions, narrow it to "not (port 22 and host <your client IP>)":
tcpdump -w trace.dat -s 0 port not 22
tcpdump -r trace.dat -nnvvveXXS > trace.dat.txt
Cheers,
TK
November 10th, 2018 | Posted in NIX Posts | Comments Off on tcpdump
You're getting this message:
[root@mysql01 /]# mount -v nfs03:/n /m
mount.nfs: timeout set for Thu Nov 8 23:37:04 2018
mount.nfs: trying text-based options 'vers=4.1,addr=192.168.0.125,clientaddr=192.168.0.126'
mount.nfs: mount(2): No such file or directory
mount.nfs: trying text-based options 'addr=192.168.0.125'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.0.125 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.0.125 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting nfs03:/n
[root@mysql01 /]#
This can happen when the NFS servers sit behind HAProxy and the backend is configured like this while nfs01 is down:
server nfs01.nix.mds.xyz nfs01.nix.mds.xyz:2049 check
server nfs02.nix.mds.xyz nfs01.nix.mds.xyz:2049 check
server nfs03.nix.mds.xyz nfs01.nix.mds.xyz:2049 check
Notice that every server line points at the same nfs01, which was down, so the whole backend was dead even though nfs02 and nfs03 were up. The second and third lines needed to point at nfs02 and nfs03 respectively.
Worked fine after that fix.
Cheers,
TK
November 8th, 2018 | Posted in NIX Posts | Comments Off on mount.nfs: mount(2): Permission denied
We will keep the PostgreSQL HA cluster configuration and setup very brief, using only the bare essentials to get it up and running.
Before we begin, plan things out on your CentOS 7.x servers. First, fill in this table describing what your cluster should look like when done:
+----------------+---------------+----------------------+------------------------------------------------+
| NAME           | ADDRESS       | HOSTNAME             | SERVICES                                       |
+----------------+---------------+----------------------+------------------------------------------------+
| psql01         | 192.168.0.108 | psql01.nix.mds.xyz   | PostgreSQL, ETCD, Patroni, HAPROXY, Keepalived |
| psql02         | 192.168.0.124 | psql02.nix.mds.xyz   | PostgreSQL, ETCD, Patroni, HAPROXY, Keepalived |
| psql03         | 192.168.0.118 | psql03.nix.mds.xyz   | PostgreSQL, ETCD, Patroni, HAPROXY, Keepalived |
| psql-c01 (VIP) | 192.168.0.112 | psql-c01.nix.mds.xyz |                                                |
+----------------+---------------+----------------------+------------------------------------------------+
Read the rest of this entry »
November 5th, 2018 | Posted in NIX Posts | Comments Off on Postgres SQL HA Cluster ( Quick Start Guide )
You get the following message after installing and configuring your HTTPD server, even though the configuration looks right:
Forbidden
You don't have permission to access /repos/ on this server.
Read the rest of this entry »
June 4th, 2018 | Posted in NIX Posts | Comments Off on Forbidden You don’t have permission to access /repos/ on this server.
When seeing this:
krb5_child.log:(Tue May 22 02:06:15 2018) [[sssd[krb5_child[1605]]]] [map_krb5_error] (0x0020): 1657: [-1765328228][Cannot contact any KDC for realm 'MDS.XYZ']
Access denied
Using keyboard-interactive authentication.
Password:
move the nameserver that actually serves the realm's DNS (here 192.168.0.224) to the front of /etc/resolv.conf, changing it to this:
[root@cm-r01dn07 sssd]# cat /etc/resolv.conf
search mds.xyz nix.mds.xyz
nameserver 192.168.0.224
nameserver 192.168.0.44
nameserver 192.168.0.45
[root@cm-r01dn07 sssd]#
from this:
[root@cm-r01dn07 sssd]# cat /etc/resolv.conf
search mds.xyz nix.mds.xyz
nameserver 192.168.0.44
nameserver 192.168.0.45
nameserver 192.168.0.224
[root@cm-r01dn07 sssd]#
And that solved it.
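The order matters because, unless a KDC is pinned in krb5.conf or sssd.conf, the client finds one by asking DNS for the _kerberos._udp.MDS.XYZ SRV record, and the libc resolver sends that query to the first nameserver in /etc/resolv.conf, trying the next one only after a timeout or a server failure, not after a negative answer. You can check each nameserver individually with `dig SRV _kerberos._udp.mds.xyz @192.168.0.224` (and the same for .44 and .45). The script below is an added example, not part of sssd, MIT Kerberos or this post, that does that check from Python with raw DNS over UDP so it needs no dnspython. The nameservers and realm are the post's; the KDC name in the offline test data is made up, and the script name in the usage line is hypothetical.

```python
"""Query each nameserver in resolv.conf for the realm's _kerberos._udp SRV record.

Added example for this post, not part of sssd or MIT Kerberos. It speaks raw
DNS over UDP (no dnspython) so you can see which listed nameserver actually
knows the realm; the libc resolver tries them in file order and only moves
on after a timeout or server failure, not after a negative answer.
"""
import random
import socket
import struct
import sys

SRV, IN = 33, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# The corrected resolv.conf from the post.
RESOLV_CONF = """\
search mds.xyz nix.mds.xyz
nameserver 192.168.0.224
nameserver 192.168.0.44
nameserver 192.168.0.45
"""


def parse_resolv_conf(text):
    """Nameserver addresses in the order the resolver will try them."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.split()[:1] == ["nameserver"] and len(ln.split()) > 1]


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, qid):
    # Header: id, flags (RD set), QDCOUNT=1, then one question of type SRV class IN.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer to an earlier name
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_srv_response(msg, qid):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response id does not match query")
    offset = 12
    for _ in range(qd):                     # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return flags & 0x0F, records


def build_srv_response(qid, name, records, rcode=0):
    """Constructed answer for offline testing; answer names use a pointer to the question."""
    msg = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", SRV, IN)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 300, len(rdata)) + rdata
    return msg


def query_srv(nameserver, name, timeout=2.0):
    """Return (rcode name or 'TIMEOUT', records) for one nameserver over UDP."""
    qid = random.randrange(1, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, qid), (nameserver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    rcode, records = parse_srv_response(data, qid)
    return RCODES.get(rcode, str(rcode)), records


def main(argv):
    realm = argv[0] if argv else "MDS.XYZ"
    text = open(argv[1]).read() if len(argv) > 1 else RESOLV_CONF
    name = f"_kerberos._udp.{realm.lower()}"
    for ns in parse_resolv_conf(text):
        status, records = query_srv(ns, name)
        targets = ", ".join(f"{t}:{p}" for _, _, p, t in records) or "-"
        print(f"{ns:<16} {status:<9} {targets}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python kdc_srv_check.py MDS.XYZ /etc/resolv.conf`; a nameserver that answers NXDOMAIN in the first position is the failure above, because the resolver stops there instead of asking the next one.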
Cheers,
TK
May 22nd, 2018 | Posted in NIX Posts | Comments Off on 1765328228 Cannot contact any KDC for realm