General posts from the webinterface
If you’re getting started with Ansible you’ll notice it can be slow on servers running CentOS (or Red Hat). The reason for this is that CentOS systems have Kerberos authentication for SSH enabled by default. If you set GSSAPIAuthentication to no in /etc/ssh/sshd_config then things will speed up. And since you’re editing the configuration file anyway, also set the UseDNS value to no to save another DNS lookup. You should notice Ansible isn’t as slow as before.
You can also set this configuration for the Ansible user in the ~/.ssh/config file of the ansible user in case you are using an IPA server and/or Kerberos authentication in your environment.
[ansible@ansible-server ~]$ cat ~/.ssh/config
Host *
    GSSAPIAuthentication no
And since we’re working with Ansible, why not do it via a playbook:
- hosts: all
  tasks:
    - name: "Disable GSSAPIAuthentication for SSH login"
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        regexp: "^GSSAPIAuthentication"
        line: "GSSAPIAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
    - name: "Disable reverse DNS lookup on SSH login"
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        regexp: "^UseDNS"
        line: "UseDNS no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
Don’t forget to restart the SSH server afterwards. You should be able to work out how to automate this. Otherwise, use the Ansible ad-hoc function :-).
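One detail that bites when you edit sshd_config by hand or with lineinfile: sshd keyword names are case-insensitive and, for a given keyword, the first value sshd reads is the one it keeps. A second "GSSAPIAuthentication no" appended below the stock "GSSAPIAuthentication yes" therefore changes nothing, which is why the regexp in the lineinfile task matters. The script below is an added illustration (not part of the original post and not Ansible code) that reads an sshd_config the way sshd does and reports what the two directives from this post effectively are. The sample configuration embedded in it is constructed for the demonstration; the function names are my own.

```python
"""Report the values sshd will actually use for GSSAPIAuthentication and UseDNS.

Added example, not part of the original post. It mimics two sshd rules:
keyword names are case-insensitive, and the FIRST occurrence of a keyword
in the global section wins. Directives inside a Match block are conditional
and are deliberately not folded into the global result.
"""
import re

# Directives the post recommends setting to "no" (keyword names lower-cased).
WANTED = {"gssapiauthentication": "no", "usedns": "no"}

# keyword, optional "=", first argument; only the keyword is case-insensitive.
_DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(\S+)")


def parse_global_directives(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config.

    Parsing stops at the first "Match" line. Empty lines and lines whose first
    non-blank character is "#" are skipped, as sshd does.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue  # malformed line; sshd itself would refuse to start on it
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)  # first occurrence wins, later ones are ignored
    return effective


def audit_login_delay_settings(text):
    """Map each wanted directive to 'ok', 'set to <value>' or a 'not set' note."""
    effective = parse_global_directives(text)
    report = {}
    for keyword, wanted in WANTED.items():
        if keyword not in effective:
            report[keyword] = "not set (compiled-in default applies; confirm with `sshd -T`)"
        elif effective[keyword] == wanted:
            report[keyword] = "ok"
        else:
            report[keyword] = "set to %s" % effective[keyword]
    return report


# Constructed sample: a CentOS-style file with the post's line appended at the
# end, which is what a lineinfile task without a regexp would produce.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config (not a real host's file)
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
GSSAPIAuthentication no
usedns no
Match User backup
    GSSAPIAuthentication yes
"""

if __name__ == "__main__":
    for keyword, status in audit_login_delay_settings(SAMPLE_SSHD_CONFIG).items():
        print("%-22s %s" % (keyword, status))
```

Run against the sample, the report shows GSSAPIAuthentication still "set to yes" despite the appended "no" line, while the lower-case "usedns no" is accepted. On a real host, `sshd -T` prints the fully resolved configuration and is the authoritative check after a change.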
If you want to pass one of the Red Hat Certificate of Expertise exams without spending thousands of dollars on the official Red Hat training (and without being away from work for a week, which will cost you another thousand dollars) then let me introduce the Linux Academy. They provide online courses for these Red Hat CoE exams, of which 5 are needed to achieve Red Hat’s highest level of certification: Red Hat Certified Architect.
- Certificate of Expertise in Ansible Automation
- Certificate of Expertise in Server Hardening
- Certificate of Expertise in Containerized Application Development
- Certificate of Expertise in Platform-as-a-Service (soon)
- Certificate of Expertise in Configuration Management (soon)
- Red Hat Certified Systems Administrator in OpenStack
- Red Hat Certified Systems Engineer in OpenStack
Pricing is around $230 yearly, which is very reasonable. You can get a 7-day trial directly, but I hate ‘trials’ where it’s mandatory to provide payment details. However: you can get a free 60-day access voucher at Microsoft Visual Studio Dev Essentials. And as a bonus you’ll get a discount when subscribing afterwards. You don’t have access to the provided cloud servers and Hands-on Labs in the trial, but it gives you access to the training material and videos, so you’ll see the $199/year is absolutely worth it!
Last month, Red Hat announced Hyperconverged Infrastructure 1.0. This initial release is based on proven products like GlusterFS for storage, Ansible for provisioning, CloudForms for orchestration and self-service and RHEV as virtualisation engine. The product will be sold as a single SKU. Red Hat seems to aim at ROBO (remote office/branch office) as customer target. Let’s see what this will bring us…
The Fedora Project, sponsored by Red Hat, releases version 26 of their operating system. In the past I was an active desktop user. The OS offers latest-and-greatest with a 6-month release cycle and an 18-month life-cycle. More important: Fedora releases are the base of Red Hat Enterprise Linux releases, which are the base of CentOS releases. And that’s why I mention this Fedora release in particular. Since Red Hat is busy releasing v7.4 of its Enterprise Linux, I guess engineers are also looking at the horizon to work on RHEL 8.0. I’m not the only one with this view. Fedora 26 could be the foundation of this OS. So let’s compare RHEL 7 with Fedora 26.
So what’s new in Fedora 26 compared to RHEL7:
- Yum is gone. Welcome DNF. In Fedora 26, DNF is rebased to v2.x;
- Anaconda has a new partitioner tool, including support for thin-provisioned LVM;
- Python is v3.6 by default. So all scripts are rebased from v2.x to v3.x;
- The old GCC6 compiler is gone. Welcome GCC7;
- Better (local) caching of users and groups using SSSD. A must for enterprises;
- OpenSSL 1.1.0, which is required to support HTTP/2 (ALPN support);
So yes. I’m definitely going to test-drive Fedora 26 and gain hands-on experience with some features like DNF and HTTP/2 which is much, much faster for SSL-secured websites, which is more common these days due to the Let’s Encrypt initiative.
The usual issues (with 3rd party software):
- GPGtools don’t work
- Homebrew is broken. Fix:
- Download Xcode 9-beta, unzip and move in Applications
- sudo xcode-select --switch /Applications/Xcode-beta.app
- Use ‘brew doctor’ for debugging but the above step should fix the issues.
- In my case I had to re-add the Time Machine disk; back-ups still failed afterwards. I’ll try to make a new clean disk.
- Docker auto-starts. I didn’t find a way to disable this yet.
- VMware Fusion doesn’t work (more info)
- Python 2.7 (default), but 3.3, 3.4 and 3.5 are also available
- PHP 7.1.6 as default (without Zend OpCache)
- Perl v5.18.2 for those born before 1960 🙂
Keep in mind SIP (System Integrity Protection) is turned on in High Sierra.
Red Hat released the beta version of its 7.4 Enterprise Linux. Amongst others, new features are:
- Ansible is now included in the Extras repository. Please note that these packages are FIPS 140 compliant. Previously installed packages need to be removed first.
- Identity Management now supports FIPS. With this enhancement, Identity Management (IdM) supports the Federal Information Processing Standard (FIPS). This enables you to run IdM in environments that must meet the FIPS criteria. To run IdM with FIPS mode enabled, you must set up all servers in the IdM environment using Red Hat Enterprise Linux 7.4 with FIPS mode enabled.
- Better Active Directory support now lets users log in to the WebUI of an IPA server. Previously only kinit was supported.
- usbguard is now included. You can whitelist and blacklist USB-devices to achieve better security.
- openssh rebased to version 7.4, which provides a number of enhancements, new features, and bug fixes. This includes support for the resumption of interrupted uploads in SFTP and a new fingerprint type that uses the SHA-256 algorithm.
- Standards compliance: the OpenSCAP scanner is NIST certified and a DISA STIG profile is included.
- Support added in LVM for RAID level takeover now provides full support for RAID takeover, previously available as a Technology Preview, which allows users to convert a RAID logical volume from one RAID level to another. LVM also now provides support for RAID reshaping, which allows users to reshape properties such as the RAID algorithm, stripe size, or number of images.
To update your standalone lab box to the latest ESXi version, first enable SSH. Then put all the VMs into maintenance mode and log in via SSH. Use the esxcli command to update to the latest version (mind the build numbers) over your internet connection. So no hassle with packages, downloads, etc.
Open the firewall if needed:
esxcli network firewall ruleset set -e true -r httpClient
Update the box (this will take 5-10 minutes if using a slow USB stick as storage):
esxcli software profile update -p ESXi-6.5.0-4564106-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Reboot the box, get coffee and log in afterwards. Your box is updated to the latest-and-greatest. Don’t forget to update VMware Tools on the guests if needed.
If you want to start testing CentOS 6.9 before the official release is out (re-packaging to fit everything on one DVD takes time), install the CentOS CR (Continuous Release) repository with: yum install centos-release-cr. After this, yum update will install CentOS 6.9.
Installation instructions for CentOS 7: The repository configuration file is included in the newest centos-release package. First update your system with yum update to get the new centos-release package, then run yum-config-manager --enable cr to enable the CR repository.
Last week, Red Hat released the beta of Enterprise Linux 6.9. This new version of RHEL supports Transport Layer Security (TLS) 1.2. This gives RHEL 6.9 complete support for TLS 1.2 in the shipped security libraries. TLS 1.2 is recommended by modern security standards. Simultaneously, insecure cryptographic protocols and algorithms, such as MD5, SHA0, RC4, or 512-bit DH, have been deprecated. For this reason alone, you’ll want to upgrade to RHEL 6.9 as soon as possible.
Remember all those times Microsoft, Microsoft MVPs, and others said “YOU MUST LEARN POWERSHELL” like there was no avoiding it?? Well, in case you didn’t start to learn, now is your last chance. Microsoft released the latest insider build of Windows 10 and removed the 30-year-old DOS command box. So, learn PowerShell (which celebrates its 10th birthday). Have a look at the Microsoft Virtual Academy for free courses.
A cool new, but optional feature has landed in Windows Server 2016: Soft Restart. Once installed, it provides the capability to initiate a soft restart, which skips hardware initialisation. In other words, it restarts the operating system without restarting the whole machine. After installation, there are two ways to initiate Soft Restart:
Command Line: shutdown /r /soft /t 0
PowerShell: Restart-Computer -Soft
The new (to be implemented) feature sounds very handy for physical servers with large amounts of memory and/or RAID controllers, eliminating the need to check these components at boot. This will save minutes. This might, in particular, be handy when an unscheduled restart is needed during production hours. Well done, Microsoft.
Last week, Red Hat released version 7.3 of its Enterprise Linux. CentOS builds will follow soon. A number of features are introduced as Technology Preview. The complete release notes can be found on the Red Hat website.
- The SELinux userspace has been rebased and provides various enhancements and performance improvements. Notably, the new SELinux module store supports priorities, and the SELinux Common Intermediate Language (CIL) has been introduced.
- OpenSCAP workbench now provides a new SCAP Security Guide integration dialog and enables modification of SCAP policies using a graphical tool.
- The OpenSCAP suite now includes support for scanning containers using the atomic scan command.
- Upgraded firewalld starts and restarts significantly faster due to a new transaction model. It also provides improved management of connections, interfaces, and sources, a new default logging option, and ipset support.
- The audit daemon introduces a new flush technique, which significantly improves performance. Audit policy, configuration, and logging have been enhanced and now support a number of new options.
- Media Access Control Security (MACsec) encryption over Ethernet is now supported.