Olivier Maurashttp://www.mauras.ch/2023-10-03T23:53:14+02:00Senior system engineer // Linux consultantIntroducing dns-blackhole2017-09-05T23:34:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2017-09-05:/introducing-dns-blackhole.html<p>So the other day I wanted to remove ads on my Android phone, but apparently you can't install extensions on Android chromium and I didn't feel like using Firefox for that.<br />
Since I use non …</p><p>So the other day I wanted to remove ads on my Android phone, but apparently you can't install extensions on Android chromium and I didn't feel like using Firefox for that.<br />
Since I use non rooted <a href="https://copperhead.co/android/">CopperHeadOS</a> as my main mobile OS, solutions like <a href="https://f-droid.org/packages/org.adaway/">AdAway</a> that require root access were not possible either.... What to do then?<br />
Oh wait don't we have a recursive DNS resolver on this OpenVPN tunnel? We sure do! And wouldn't it be nice that it removes ads for us? Indeed it would! </p>
<p>On this particular setup I was using <a href="https://www.powerdns.com/recursor.html">PowerDNS Recursor</a> and so stumbled upon this <a href="https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/">nice blog article</a> from last year where they explain how to use the <a href="https://disconnect.me/">Disconnect</a> list used by the <a href="https://blog.mozilla.org/blog/2015/12/07/focus-by-firefox-content-blocking-for-the-open-web/">Mozilla Focus project</a> to efficiently block ads/tracking domains. </p>
<p>While the process is quite easy, after reading some of <a href="https://github.com/mozilla-mobile/focus-ios/tree/master/shavar-prod-lists">the project readme</a> it seemed even more simple to just get the domains from <a href="https://services.disconnect.me/disconnect-plaintext.json">the original list</a>.<br />
I thus wrote <a href="http://git.mauras.ch/Various/powerdns_recursor_ads_blocking/src/master/lua_blocking_from_disconnect.py">this tiny script</a> that would do the job for me, without even touching the <code>Git</code> repo from the blog post, and <a href="https://www.powerdns.com/recursor.html">PowerDNS Recursor</a> was now happily blocking DNS queries to <em>some</em> advertisement and tracking domains...<br />
<em>Some</em> seemed suddenly too few... With the ~1500 domains that the <a href="https://services.disconnect.me/disconnect-plaintext.json">Disconnect list</a> was offering, I was only blocking a tiny fraction of the trash that most of Internet has become today. We could surely do better :) </p>
<p>I decided that it would be interesting to include the content of several well known host lists and ended up with more than <strong>690000</strong> domains blocked!!<br />
That sure was some improvement, but this proved the lua method to be unable to cope with that many entries - recursor crashed at startup with a constant overflow - so I searched how to make recursor behave correctly while still be able to block all those bad domains.<br />
The idea has been to generate a <code>zone</code> file that would respect recursor's syntax and that could be fed through the <code>forward-zones-file</code> option.<br />
Syntax looks like this: </p>
<p><code><domain>=<where to forward the query></code> </p>
<p>The nice thing here is that if you don't specify any <code><where to forward the query></code>, recursor will directly reply with a <code>NXDOMAIN</code> answer.<br />
That's perfect! For all those bad domains my client would receive a <code>NXDOMAIN</code> return and wouldn't even try to connect anywhere. Exactly what was needed! </p>
<p>So basically if we can make a file with one domain per line for PowerDNS Recursor, we should be able to do so for other DNS servers... </p>
<p>After a major cleanup, here comes <a href="http://git.mauras.ch/Various/dns-blackhole">dns-blackhole</a>!</p>
<h2 id="features">Features</h2>
<ul>
<li>Not bound to a specific DNS server, generates a file format of your choice</li>
<li>Supports 3 different list format<ul>
<li>Host file</li>
<li><a href="https://easylist.to/">Easylist</a></li>
<li><a href="https://disconnect.me/">Disconnect</a></li>
</ul>
</li>
<li>Lets you whitelist/blacklist domains</li>
<li>YAML configuration file</li>
<li>Easy installation with <code>pip</code></li>
</ul>
<p>It has been successfully tested with:</p>
<ul>
<li><a href="https://www.unbound.net/">Unbound</a></li>
<li><a href="https://www.powerdns.com/recursor.html">PowerDNS recursor</a></li>
<li><a href="http://www.thekelleys.org.uk/dnsmasq/doc.html">Dnsmasq</a></li>
</ul>
<p>Even generating an agregated host file is possible.</p>
<p>The <a href="http://git.mauras.ch/Various/dns-blackhole/src/master/README.md">project's README</a> covers pretty much every details needed to use it, just keep in mind that without a whitelist your browsing sessions will lack a lot of content.<br />
Here's a short whitelist example:</p>
<div class="highlight"><pre><span></span><code>amazon.com
amazon.de
amazon.fr
amazonaws.com
cloudfront.net
freenode.net
google.ch
google.com
google.fr
googleapis.com
imgur.com
intel.com
licdn.com
linkedin.com
msecnd.net # Skype CDN
netdna-cdn.com # bootstrapcdn.com
reddit.com
redditstatic.com
search.ch
thetvdb.com
yahoo.com
yimg.com
youtube.com
</code></pre></div>
<p>And indeed you'll have to re-run <code>dns-blackhole</code> each time you add something to the whitelist. </p>
<p>I hope you'll find this tool useful, and as usual feel free to <a href="http://www.mauras.ch/pages/contact.html">contact me</a> should you have any questions.</p>devops REX 20162016-12-22T11:40:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-12-22:/devops-rex-2016.html<p><a href="https://www.youtube.com/watch?v=Il29C1tmfTk"><img src="/img/talks/devops_REX_2016_preview.jpg" alt="devops REX 2016"/></a>
<br/>
<br/>
Corrected slides are available <a href="http://www.slideshare.net/devopsrex/comment-lit-peut-arrter-de-se-faire-vanner-par-les-devs">on slideshare</a></p>Hope that we get in touch again next year :)2016-12-05T22:30:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-12-05:/hope-that-we-get-in-touch-again-next-year.html<p><img src='/img/devopsREX/badge.jpg'></img></p>Git replication: Part 2 - Now you can scale2016-12-01T20:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-12-01:/git-replication-part-2-now-you-can-scale.html<div class="toc">
<ul>
<li><a href="#main-features">Main features</a></li>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#the-hook">The hook</a></li>
<li><a href="#the-consul-watch">The consul watch</a></li>
<li><a href="#the-reponame_sync-script">The ${REPONAME_SYNC} script</a></li>
<li><a href="#variants">Variants</a></li>
</ul>
</div>
<p>In my <a href="/git-replication-part-1-the-poor-mans-way.html">Part 1</a> - which I know is already more than a year old now - we saw that we could make it very …</p><div class="toc">
<ul>
<li><a href="#main-features">Main features</a></li>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#the-hook">The hook</a></li>
<li><a href="#the-consul-watch">The consul watch</a></li>
<li><a href="#the-reponame_sync-script">The ${REPONAME_SYNC} script</a></li>
<li><a href="#variants">Variants</a></li>
</ul>
</div>
<p>In my <a href="/git-replication-part-1-the-poor-mans-way.html">Part 1</a> - which I know is already more than a year old now - we saw that we could make it very easy to replicate between a Git repo and another remote automatically using a <code>post-receive</code> hook. We also saw that it wasn't really scalable as it was looping over the remotes. </p>
<p>So what if we have like 20 different remote repositories that we want to keep in sync with our master repository? </p>
<p>Let's use <a href="https://www.consul.io/">Consul</a> to the rescue!</p>
<h4 id="main-features">Main features</h4>
<ul>
<li>It scales \o/</li>
<li>Notifies all remotes in near real time of the master modification</li>
</ul>
<h4 id="prerequisites">Prerequisites</h4>
<ul>
<li>You've got a Consul cluster available</li>
<li>All your Git repos are members of the Consul cluster</li>
<li>You've set the correct ACL to the key you wanna use for the notification - Check my <a href="/securing-consul.html">Securing Consul</a> article for that</li>
<li>Have <code>curl</code> binary available on master repo</li>
</ul>
<h4 id="the-hook">The hook</h4>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># Get repo name</span>
<span class="nv">REPONAME</span><span class="o">=</span><span class="k">$(</span>basename<span class="w"> </span><span class="k">$(</span>dirname<span class="w"> </span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span><span class="w"> </span>.git<span class="k">))</span>
<span class="nv">CONSUL_TOKEN</span><span class="o">=</span><span class="s2">"9c058400-8cfb-4dd0-ae75-698165a737ac"</span>
<span class="nv">CONSUL_URL</span><span class="o">=</span><span class="s2">"http://localhost:8500/v1/kv/git/</span><span class="si">${</span><span class="nv">REPONAME</span><span class="si">}</span><span class="s2">/id?token=</span><span class="si">${</span><span class="nv">CONSUL_TOKEN</span><span class="si">}</span><span class="s2">"</span>
<span class="nb">read</span><span class="w"> </span>oldrev<span class="w"> </span>newrev<span class="w"> </span>refname
curl<span class="w"> </span>-X<span class="w"> </span>PUT<span class="w"> </span>-d<span class="w"> </span><span class="nv">$newrev</span><span class="w"> </span><span class="si">${</span><span class="nv">CONSUL_URL</span><span class="si">}</span>
</code></pre></div>
<p>That's it, nothing more! Indeed if you don't have any ACL to write on the key <code>git/${REPONAME}/id</code> don't even bother with the token.</p>
<h4 id="the-consul-watch">The consul watch</h4>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"watches"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"git/${REPONAME}/id"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"handler"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/watch_scripts/${REPONAME_SYNC}.sh"</span>
<span class="w"> </span><span class="p">},</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"git/${ANOTHER_REPONAME}/id"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"handler"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/watch_scripts/another_sync_script.sh"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<p>With this configuration, a Consul agent started will constantly <code>watch</code> any modification happening on the configured <code>key</code>.<br />
Upon modification, it will execute the configured <code>handler</code>.<br />
You can indeed have multiple keys watched at the same time - Please see <a href="https://www.consul.io/docs/agent/watches.html">Consul watches documentation</a> for more details. </p>
<p>If you had followed my <a href="/securing-consul.html">Securing Consul</a> article, it means you're running the Consul agent with an unpriviledged user. <code>handler</code> will thus be executed using this account, think about it when debugging why your <code>handler</code> doesn't work.<br />
Also if you have set ACL on the <code>key</code>, mind to set the <code>acl_token</code> in your Consul agent config. </p>
<h4 id="the-reponame_sync-script">The ${REPONAME_SYNC} script</h4>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">PATH</span><span class="o">=</span>/sbin:/bin:/usr/sbin:/usr/bin
ssh-agent<span class="w"> </span>bash<span class="w"> </span>-c<span class="w"> </span><span class="s1">'ssh-add /home/git/.ssh/<your_key>.rsa; cd /srv/git/${REPONAME}; git fetch origin; git reset --hard origin/master; git clean -fd'</span>
</code></pre></div>
<p>This script is indeed just an example. You can pretty much do what you want in there and do all the Git voodo you need.<br />
This one is just making sure that the <code>master</code> branch of the clone in <code>/srv/git/${REPONAME}</code> is exactly as the <code>master</code> branch on the <code>origin</code> remote - Nothing fancy.<br />
Please note that <code>handlers</code> will be executed at agent start as well so depending of the script you run, a server down restarted could cope with missing key changes and just get synced again. </p>
<p>This somewhat simple setup lets you have all your Git backup repositories and clones get notified when a modification happens on master repository and act according to your needs.<br />
Here on a local network, it takes 1 second for my clones to be in sync with my master repository. </p>
<h4 id="variants">Variants</h4>
<p>While I use Consul there, it's indeed possible to mimic the same behaviour with any publish/subscribe system - Redis, MQTT, Saltstack events/reactors, and the list goes on.<br />
<br>
<br>
As usual, feel free to <a href="/pages/contact.html">contact me</a> if you have any questions.</p>New Alpine Linux repository, EL6 repositories discontinued2016-06-19T12:45:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2016-06-19:/new-alpine-linux-repository-el6-repositories-discontinued.html<p>I've decided to start a new <a href="http://alpinelinux.org/">Alpine Linux</a> repository, mainly to support latest <a href="https://grsecurity.net/">Grsecurity</a> with options that are disabled in defaut Alpine's kernel configuration.<br />
All sources and configurations can be found in their dedicated <a href="http://git.mauras.ch/repos.mauras.ch/aports">git …</a></p><p>I've decided to start a new <a href="http://alpinelinux.org/">Alpine Linux</a> repository, mainly to support latest <a href="https://grsecurity.net/">Grsecurity</a> with options that are disabled in defaut Alpine's kernel configuration.<br />
All sources and configurations can be found in their dedicated <a href="http://git.mauras.ch/repos.mauras.ch/aports">git repository</a>. </p>
<p>At the same time, I've decided to discontinue the EL6 repositories as I prefer to focus my time on Alpine. I removed all binary RPMs but SRPMS will stay available. </p>
<p>Please check <a href="http://www.mauras.ch/pages/repositories.html">repositories</a> page for details. </p>
<p>As usual feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>Kickstart: Securely save your Rudder/CFEngine's agent keys during installation2016-06-08T14:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-06-08:/kickstart-securely-save-your-ruddercfengines-agent-keys-during-installation.html<p>Reinstalling a server, be it for testing or upgrade, I'm sure you've had the need to.<br />
If you use <a href="http://www.rudder-project.org">Rudder</a>/CFEngine, you know you need to take care of those little agent keys if you …</p><p>Reinstalling a server, be it for testing or upgrade, I'm sure you've had the need to.<br />
If you use <a href="http://www.rudder-project.org">Rudder</a>/CFEngine, you know you need to take care of those little agent keys if you don't want to have problems with your configuration management. Indeed you could end up deleting your node in your <a href="http://www.rudder-project.org">Rudder</a> interface, but this is taking you a bit away of a fully automated process isn't it?<br />
I've noted that the less I mess up with my agent keys, the less I need to do manual tasks, so it would be nice if I could ensure a server keeps the same agent key for as long as it exists. </p>
<p>Now the main issue is that the kickstart file concerning a server is <em>publicly</em> available as it must be fetched by the machine when it starts its installation - One could try to put some address restrictions in place, but I felt like it would be a burden... I'm not sure I'll be on the correct subnet next time I need to verify a Kickstart file for a server - that means that the saving process will be in clear for everyone that gets access to the kickstart file.<br />
Having someone getting access to a server agent key could have dramatic results, so the saving process must be as secure as possible. </p>
<p>To summarize:</p>
<ul>
<li>Must be easy to save/retrieve the key during Kickstart process - No need to fire up a restore from a backup agent or anything, it's fully automated</li>
<li>Saving process logic is in clear for everyone</li>
<li>Secure enough that anyone can't just retrieve your server key</li>
<li>Server identifier must be unique so that keys can be retrieved easily across reinstallations</li>
<li>Lowest dependancy possible during Kickstart - curl, sha512sum</li>
<li>It's fine for Root user to be able to retrieve the saved server keys - If you're root on the server you can already access its CFEngine keys...</li>
</ul>
<p>I've decided to use the <em>system-uuid</em> that is contained in <code>/sys/class/dmi/id/product_uuid</code>. You can find it as well using <code>dmidecode</code> or <code>lshw</code> as Root.<br />
Mind you that depending of your setup, this may not work for you - especially on VMs where you could get duplicates if they're not centrally managed.<br />
<strong>Warning</strong>: Older distributions that still use <code>HAL</code> may let this information leak to non privileged users through <code>lshal</code>. It requires <code>HAL</code> to be installed and the service to be started though ... Beware of default installations! </p>
<p>Now that I have my system UUID, I'll make a hash of it - a long one - and upload/retrieve my keys from an HTTP server using my hash as filename/prefix.<br />
Why over HTTP ? Simply because it requires nothing else than <code>curl</code> to do so, and that it can be hosted pretty much anywhere you want. For that very specific need, I've made a tiny <a href="http://git.mauras.ch/Various/http_store">HTTP file server</a> that only does:</p>
<ul>
<li>Stores a file uploaded by its name</li>
<li>Cannot overwrite a file that already exists</li>
<li>Download a file by its name</li>
<li>Returns 404 if filename is unknown</li>
</ul>
<p>Please find below the Cobbler snippet that will do just that.</p>
<div class="highlight"><pre><span></span><code><span class="c1">#set $rudder_cf_path = '/var/rudder/CFEngine-community'</span>
<span class="c1">#set $rudder_opt_path = '/opt/rudder'</span>
<span class="c1">#set $rudder_keys_path = $rudder_cf_path + '/ppkeys'</span>
<span class="c1"># Generate server unique hash</span>
<span class="nv">SRV_UUID</span><span class="o">=</span><span class="se">\$</span><span class="o">(</span>cat<span class="w"> </span>/sys/class/dmi/id/product_uuid<span class="o">)</span>
<span class="nv">SRV_HASH</span><span class="o">=</span><span class="se">\$</span><span class="o">(</span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="se">\$</span>SRV_UUID<span class="w"> </span><span class="p">|</span><span class="w"> </span>sha512sum<span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-f<span class="w"> </span><span class="m">1</span><span class="w"> </span>-d<span class="w"> </span><span class="s2">" "</span><span class="o">)</span>
<span class="c1"># Check if our hash exist</span>
curl<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/get/<span class="se">\$</span>SRV_HASH.pub<span class="w"> </span>><span class="w"> </span>/tmp/localhost.pub
grep<span class="w"> </span><span class="s2">"404 page not found"</span><span class="w"> </span>/tmp/localhost.pub<span class="w"> </span><span class="p">&</span>><span class="w"> </span>/dev/null
<span class="nv">RET</span><span class="o">=</span><span class="se">\$</span>?
<span class="c1"># Process result</span>
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="se">\$</span><span class="nv">RET</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="c1"># Keys doesn't exist upload them</span>
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/add/<span class="se">\$</span>SRV_HASH.priv<span class="w"> </span>-F<span class="w"> </span><span class="s2">"file=@</span><span class="nv">$rudder_keys_path</span><span class="s2">/localhost.priv"</span>
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/add/<span class="se">\$</span>SRV_HASH.pub<span class="w"> </span>-F<span class="w"> </span><span class="s2">"file=@</span><span class="nv">$rudder_keys_path</span><span class="s2">/localhost.pub"</span>
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/add/<span class="se">\$</span>SRV_HASH.hive<span class="w"> </span>-F<span class="w"> </span><span class="s2">"file=@</span><span class="nv">$rudder_opt_path</span><span class="s2">/etc/uuid.hive"</span>
<span class="k">else</span>
<span class="w"> </span><span class="c1"># They seem to exist download them </span>
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/get/<span class="se">\$</span>SRV_HASH.priv<span class="w"> </span>><span class="w"> </span><span class="nv">$rudder_keys_path</span>/localhost.priv
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/get/<span class="se">\$</span>SRV_HASH.pub<span class="w"> </span>><span class="w"> </span><span class="nv">$rudder_keys_path</span>/localhost.pub
<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>https://<span class="nv">$http_store</span>:8080/get/<span class="se">\$</span>SRV_HASH.hive<span class="w"> </span>><span class="w"> </span><span class="nv">$rudder_opt_path</span>/etc/uuid.hive
<span class="k">fi</span>
</code></pre></div>
<p>So with this code you generate a hash that is never printed anywhere in the kickstart file nor on the installed system but only gets saved/retrieved remotely on/from a HTTP file server.<br />
This example uses <a href="http://www.rudder-project.org">Rudder</a> default path but by using Cobbler you could easily set the path based on a profil ksmeta to make it available for CFEngine as well.</p>
<div class="highlight"><pre><span></span><code><span class="c1">#set $ppkeys_path = $getVar('$ppkeys_path', '/var/lib/cfengine/ppkeys')</span>
</code></pre></div>
<p>The code will store files looking like this on your HTTP file server:</p>
<div class="highlight"><pre><span></span><code>0bc29c7d604b38c14c42b495c075e003e2b1cc36f92d60ad70eb9c5c2408175ff72d6038dfca6a2a1fe1a8c4032642650295a4bc7dab8d57177942092c83e78b.hive
0bc29c7d604b38c14c42b495c075e003e2b1cc36f92d60ad70eb9c5c2408175ff72d6038dfca6a2a1fe1a8c4032642650295a4bc7dab8d57177942092c83e78b.priv
0bc29c7d604b38c14c42b495c075e003e2b1cc36f92d60ad70eb9c5c2408175ff72d6038dfca6a2a1fe1a8c4032642650295a4bc7dab8d57177942092c83e78b.pub
906e84086789e32421a45622286e096a735c36cd636934bc91dcb8c280a8b4424958452903199bb133330721402fb12bbf175c78ea706d4f54d089dc15567863.hive
906e84086789e32421a45622286e096a735c36cd636934bc91dcb8c280a8b4424958452903199bb133330721402fb12bbf175c78ea706d4f54d089dc15567863.priv
906e84086789e32421a45622286e096a735c36cd636934bc91dcb8c280a8b4424958452903199bb133330721402fb12bbf175c78ea706d4f54d089dc15567863.pub
</code></pre></div>
<p>So that even you shouldn't know which file comes from which server. </p>
<p>Now your reinstallation should be as simple as wiping your disk boot sectors and reboot. </p>
<p>As usual, feel free to <a href="/pages/contact.html">contact</a> me if you have any question!</p>Systemd: Run it last ...2016-02-26T06:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-02-26:/systemd-run-it-last.html<p>You remember the good ol' days when running a command <em>last</em> was as easy as </p>
<div class="highlight"><pre><span></span><code><span class="nb">echo</span><span class="w"> </span><span class="s2">"last_command"</span><span class="w"> </span>>><span class="w"> </span>/etc/rc.local
</code></pre></div>
<p>Sure you do, and I bet you also know that now that <a href="https://www.freedesktop.org/wiki/Software/systemd/">systemd</a> has become …</p><p>You remember the good ol' days when running a command <em>last</em> was as easy as </p>
<div class="highlight"><pre><span></span><code><span class="nb">echo</span><span class="w"> </span><span class="s2">"last_command"</span><span class="w"> </span>>><span class="w"> </span>/etc/rc.local
</code></pre></div>
<p>Sure you do, and I bet you also know that now that <a href="https://www.freedesktop.org/wiki/Software/systemd/">systemd</a> has become the default init on pretty much all major distributions, it doesn't work anymore.<br />
Wait, <code>/etc/rc.local</code> still works and a lot of people will jump on the occasion to tell you, but <strong>NO</strong>, it doesn't work to run your command <em>last</em>. It's even written there in the file</p>
<div class="highlight"><pre><span></span><code>#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
</code></pre></div>
<p>Yes that means that putting command there will have them run in parallel with the other services and you have no control over it. </p>
<p>Did it need improvement? Well maybe, I particularly like how <a href="https://wiki.gentoo.org/wiki/Project:OpenRC">openrc</a> has handled the local service. Let's look at the README in <code>/etc/local.d</code></p>
<div class="highlight"><pre><span></span><code>This directory should contain programs or scripts which are to be run
when the local service is started or stopped.
If a file in this directory is executable and it has a .start extension,
it will be run when the local service is started. If a file is
executable and it has a .stop extension, it will be run when the local
service is stopped.
All files are processed in lexical order.
Keep in mind that files in this directory are processed sequencially,
and the local service is not considered started or stopped until
everything is processed, so if you have a process which takes a long
time to run, it can delay your boot or shutdown processing.
</code></pre></div>
<p>Seems like a smart way of enhancing the feature to me. </p>
<p>But let's get back to our concern, how does one run a command <em>last</em> on <a href="https://www.freedesktop.org/wiki/Software/systemd/">systemd</a>?<br />
When you reach to people which are supposedly knowledgeable about <a href="https://www.freedesktop.org/wiki/Software/systemd/">systemd</a>, you often end up with this kind of discussion:</p>
<div class="highlight"><pre><span></span><code>you: Hello, I'm wondering what would be the best way to paint my car red?
them: Why don't you first start telling us why you think you need to paint your car red
you: ??? I want it red that's all ???
them: Well usually people think they _want_ their car red, but that's wrong, they just _need_ it black
you: Well I don't _need_ it black I _want_ it red
them: Yep, you _want_ it black
</code></pre></div>
<p>Yes, true story, people will try to make you think that you don't need/want to run anything <em>last</em>. Well aren't we using Linux because we like the idea of being able to do what we <em>want</em> with our systems? Seems like mentality is changing... </p>
<p>Come on there must be a way?! Yes there is, and this is how you do:</p>
<ul>
<li>Create a new custom target</li>
<li>Make this target <code>Requires</code> multi-user.target</li>
<li>Create a unit file for your command with <code>After</code> multi-user.target</li>
<li>Put the unit file in <code>custom.target.wants</code></li>
<li>Make this new custom target default</li>
</ul>
<p>Sounds easy right? Here's a bit more details. </p>
<h4 id="create-a-new-custom-target">Create a new custom target</h4>
<p>/etc/systemd/system/custom.target</p>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">Custom Target</span>
<span class="na">Requires</span><span class="o">=</span><span class="s">multi-user.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">multi-user.target</span>
<span class="na">AllowIsolate</span><span class="o">=</span><span class="s">yes</span>
</code></pre></div>
<p>Here you have a new target that should run after multi-user.target that can be used in a similar way as a runlevel thanks to <a href="https://www.freedesktop.org/software/systemd/man/systemd.unit.html#AllowIsolate=">AllowIsolate</a> </p>
<h4 id="create-a-unit-file-for-your-command">Create a unit file for your command</h4>
<div class="highlight"><pre><span></span><code><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">My last command</span>
<span class="na">After</span><span class="o">=</span><span class="s">multi-user.target</span>
<span class="k">[Service]</span>
<span class="na">Type</span><span class="o">=</span><span class="s">simple</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/sbin/last_command</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">custom.target</span>
</code></pre></div>
<p><code>After</code> is important here else it'll be run in parallel with other services of multi-user.target.
You wanna put this service file in <code>/etc/systemd/system/custom.target.wants</code> directory. </p>
<h4 id="make-your-new-target-default">Make your new target default</h4>
<div class="highlight"><pre><span></span><code>systemctl<span class="w"> </span>list-units<span class="w"> </span>--type<span class="w"> </span>target<span class="w"> </span>--all
</code></pre></div>
<p>Should show you the complete list of available targets, with your custom.target being <code>inactive</code></p>
<div class="highlight"><pre><span></span><code>systemctl<span class="w"> </span>isolate<span class="w"> </span>custom.target
</code></pre></div>
<p>Will switch your current target to your custom.target. Good time to see if it's working and debug.</p>
<div class="highlight"><pre><span></span><code>ln<span class="w"> </span>-sf<span class="w"> </span>/etc/systemd/system/custom.target<span class="w"> </span>/etc/systemd/system/default.target
</code></pre></div>
<p>Will switch your custom target to the default. </p>
<p>You can now reboot and enjoy your "last_command" being run <em>last</em>, but note that services that take time to start, like a Java app, may very well still be starting when "last_command" will be executed.<br />
If this is an issue you'll have to play with <a href="https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStartPre=">ExecStartPre=/ExecStartPost=</a> </p>
<p>When I have to do this to simply run a command <em>last</em> in my boot process, I clearly miss the good ol' days, and luckily there's still a bunch a excellent distributions that keep the <a href="https://en.wikipedia.org/wiki/KISS_principle">KISS principle</a> as a priority. </p>
<p>As usual, feel free to <a href="/pages/contact.html">contact</a> me!</p>Rudder 3.2: Default group classes2016-02-16T06:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-02-16:/rudder-32-default-group-classes.html<p>If you've followed the latest Rudder's release note, you've noted in <a href="http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog32">3.2 changelog</a> - amongst other nice stuff - this new feature: </p>
<ul>
<li>Add CFEngine classes for each group of a node </li>
</ul>
<p>Now in Rudder 3.2 …</p><p>If you've followed the latest Rudder's release note, you've noted in <a href="http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog32">3.2 changelog</a> - amongst other nice stuff - this new feature: </p>
<ul>
<li>Add CFEngine classes for each group of a node </li>
</ul>
<p>Now in Rudder 3.2 you have this new display in the group page:<br />
<img alt="Display group classes" src="/img/group_classes/display_cfengine_classes.png" /></p>
<p>In this example you have two available CFengine classes that you can use in your mustache templates - Or actually anywhere you need to match them:</p>
<ul>
<li>group_d57ff100_33c7_410f_82a5_a6098b6de321</li>
<li>group_test1</li>
</ul>
<p>As the group name can change, you also have the possibility to use the group UUID. </p>
<p>I believe you've already read <a href="https://www.normation.com/en/blog/2015/11/26/mustache-templating-with-ncf-and-cfengine/">this nice post</a> on Normation's blog about the usage of mustache templates with <a href="http://www.ncf.io/">NCF</a>.<br />
Let's see an example with /etc/resolv.conf</p>
<div class="highlight"><pre><span></span><code><span class="cp">{{</span><span class="nv">vars.parameters.rudder_header</span><span class="cp">}}</span>
<span class="x">search domain.com</span>
<span class="x">options timeout:1</span>
<span class="x">options attempts:2</span>
<span class="cp">{{</span><span class="m m-Attribute">#classes.group_test1</span><span class="cp">}}</span>
<span class="x">nameserver 192.168.1.10</span>
<span class="x">nameserver 192.168.1.11</span>
<span class="cp">{{</span><span class="m m-Attribute">/classes.group_test1</span><span class="cp">}}</span>
<span class="cp">{{</span><span class="m m-Attribute">#classes.group_test2</span><span class="cp">}}</span>
<span class="x">nameserver 10.10.0.10</span>
<span class="x">nameserver 10.10.0.11</span>
<span class="cp">{{</span><span class="m m-Attribute">/classes.group_test2</span><span class="cp">}}</span>
</code></pre></div>
<p>Group classes are already defined by Rudder now, it's just up to you to have them in your templates. </p>
<p>As usual, feel free to <a href="/pages/contact.html">contact</a> me if you have any question!</p>Speed up Rudder new node's detection - 2016 Update2016-02-16T06:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2016-02-16:/speed-up-rudder-new-nodes-detection-2016-update.html<p>In my <a href="/speed-up-rudder-new-nodes-detection.html">previous article</a>, I was proposing a way to update the new inventory list sent to <code>Rudder</code> more quickly.<br />
Upon upgrading to <a href="http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog32">Rudder 3.2</a> and <code>CentOS 7</code> at the same time, this was …</p><p>In my <a href="/speed-up-rudder-new-nodes-detection.html">previous article</a>, I was proposing a way to update the new inventory list sent to <code>Rudder</code> more quickly.<br />
Upon upgrading to <a href="http://www.rudder-project.org/foswiki/bin/view/System/Documentation:ChangeLog32">Rudder 3.2</a> and <code>CentOS 7</code> at the same time, this was not working anymore. It seemed that the way inventories are handled slightly changed and for some reasons <code>inotify</code> wasn't detecting the inventories creation anymore.<br />
After some digging, it appears that the inventories are renamed from a temporary <code>.davfs.xxxxx</code> instead of being created directly in <code>incoming</code> directory - Seems like a webdav behaviour change in Apache 2.4. </p>
<p>Please find below and updated version using <a href="http://man7.org/linux/man-pages/man7/inotify.7.html">IN_MOVED_TO</a> event to correctly detect new inventories sent to server - I've kept IN_CREATE event, but it shouldn't be matched anymore, you can safely remove it.</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/python</span>
<span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">datetime</span><span class="o">,</span> <span class="nn">subprocess</span><span class="o">,</span> <span class="nn">re</span><span class="o">,</span> <span class="nn">thread</span><span class="o">,</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">pyinotify</span>
<span class="n">inventories_path</span> <span class="o">=</span> <span class="s2">"/var/rudder/inventories/"</span>
<span class="n">cmd_new_inv_to_cmdb</span> <span class="o">=</span> <span class="s2">"/opt/rudder/bin/rudder agent run -b sendInventoryToCmdb"</span>
<span class="n">wm</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">WatchManager</span><span class="p">()</span> <span class="c1"># Watch Manager</span>
<span class="n">mask</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">IN_DELETE</span> <span class="o">|</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">IN_CREATE</span> <span class="o">|</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">IN_MOVED_TO</span>
<span class="k">def</span> <span class="nf">exec_sendtocmdb</span><span class="p">(</span><span class="n">file</span><span class="p">,</span> <span class="n">dummy1</span><span class="p">):</span>
<span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">Popen</span><span class="p">(</span><span class="n">cmd_new_inv_to_cmdb</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">process</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="se">\n</span><span class="s2">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">file</span><span class="p">,</span> <span class="n">output</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span>
<span class="k">class</span> <span class="nc">EventHandler</span><span class="p">(</span><span class="n">pyinotify</span><span class="o">.</span><span class="n">ProcessEvent</span><span class="p">):</span>
<span class="k">def</span> <span class="nf">process_IN_CREATE</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">event</span><span class="p">):</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2"> created</span><span class="se">\n</span><span class="s2">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">))</span>
<span class="k">if</span> <span class="s2">"incoming"</span> <span class="ow">in</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">:</span>
<span class="k">if</span> <span class="s2">".davfs"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">:</span>
<span class="n">dummy_tup</span> <span class="o">=</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="s1">'null'</span>
<span class="n">thread</span><span class="o">.</span><span class="n">start_new_thread</span><span class="p">(</span><span class="n">exec_sendtocmdb</span><span class="p">,</span> <span class="n">dummy_tup</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">process_IN_MOVED_TO</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">event</span><span class="p">):</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span> <span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2"> moved to"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
<span class="k">if</span> <span class="s2">"incoming"</span> <span class="ow">in</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">:</span>
<span class="k">if</span> <span class="s2">".davfs"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">:</span>
<span class="n">dummy_tup</span> <span class="o">=</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="s1">'null'</span>
<span class="n">thread</span><span class="o">.</span><span class="n">start_new_thread</span><span class="p">(</span><span class="n">exec_sendtocmdb</span><span class="p">,</span> <span class="n">dummy_tup</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">process_IN_DELETE</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">event</span><span class="p">):</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2"> deleted</span><span class="se">\n</span><span class="s2">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">))</span>
<span class="n">handler</span> <span class="o">=</span> <span class="n">EventHandler</span><span class="p">()</span>
<span class="n">notifier</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">Notifier</span><span class="p">(</span><span class="n">wm</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span>
<span class="n">wdd</span> <span class="o">=</span> <span class="n">wm</span><span class="o">.</span><span class="n">add_watch</span><span class="p">(</span><span class="n">inventories_path</span><span class="p">,</span> <span class="n">mask</span><span class="p">,</span> <span class="n">rec</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">notifier</span><span class="o">.</span><span class="n">loop</span><span class="p">()</span>
</code></pre></div>
<p>And as we're now using <code>systemd</code>, here is the unit file to have it running as a service and be automatically respawned in case it should crash.</p>
<div class="highlight"><pre><span></span><code>[Unit]
Description=Rudder inventory watcher
After=syslog.target network.target
[Service]
Type=simple
Environment=PYTHONUNBUFFERED=true
ExecStart=/sbin/rudder-inventory-watcher
PrivateTmp=true
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
</code></pre></div>
<p>As usual, feel free to <a href="/pages/contact.html">contact</a> me if you have any question!</p>Introducing g2rudder2015-11-11T20:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-11-11:/introducing-g2rudder.html<p>Accessing a REST API without the proper tools is often bothersome, especially when you only have a shell and curl at hand - like in a kickstart %post part - and parsing JSON replies or building parameters …</p><p>Accessing a REST API without the proper tools is often bothersome, especially when you only have a shell and curl at hand - like in a kickstart %post part - and parsing JSON replies or building parameters can quickly become a mess.<br />
<a href="http://git.mauras.ch/Rudder/g2rudder">g2rudder</a> is here to help you cope with that issue in the form of a gateway written in Go that let's you use <a href="http://www.rudder-project.org/rudder-api-doc/">Rudder's API</a> easily in a consistent way. </p>
<h3 id="features">Features</h3>
<ul>
<li>Support Rudder server over HTTPS</li>
<li>Can disable SSL verification and/or provide a root CA certificate</li>
<li>Groups:<ul>
<li>Add hosts in Rudder groups</li>
<li>Automatically add regex if provided host contains the following characters: <code>*[]|</code></li>
</ul>
</li>
<li>Hosts:<ul>
<li>Check if hostname is pending</li>
<li>Check if hostname exists</li>
<li>Get node uuid from hostname</li>
<li>Accept pending node from hostname</li>
<li>Add/delete properties</li>
</ul>
</li>
</ul>
<h3 id="usage">Usage</h3>
<div class="highlight"><pre><span></span><code><span class="n">Groups</span><span class="o">:</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/group/</span><span class="n">addHost</span><span class="w"> </span><span class="o">-</span><span class="n">d</span><span class="w"> </span><span class="s2">"g_uuid=5af30b6b-c8cd-4405-9d0c-410c2b05e220&host=test.domain.com"</span>
<span class="n">Hosts</span><span class="o">:</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">GET</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/is</span><span class="n">Exist</span><span class="o">?</span><span class="n">host</span><span class="o">=</span><span class="n">test</span><span class="o">.</span><span class="na">domain</span><span class="o">.</span><span class="na">com</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">GET</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/is</span><span class="n">Pending</span><span class="o">?</span><span class="n">host</span><span class="o">=</span><span class="n">test</span><span class="o">.</span><span class="na">domain</span><span class="o">.</span><span class="na">com</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">GET</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/g</span><span class="n">etId</span><span class="o">?</span><span class="n">host</span><span class="o">=</span><span class="n">test</span><span class="o">.</span><span class="na">domain</span><span class="o">.</span><span class="na">com</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/</span><span class="n">addProperty</span><span class="w"> </span><span class="o">-</span><span class="n">d</span><span class="w"> </span><span class="s2">"host=demo-latest.rudder-project.org&key=KEY1&value=VALUE1"</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/</span><span class="n">delProperty</span><span class="w"> </span><span class="o">-</span><span class="n">d</span><span class="w"> </span><span class="s2">"host=demo-latest.rudder-project.org&key=KEY1"</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">X</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="n">http</span><span class="o">://</span><span class="n">localhost</span><span class="o">:</span><span class="mi">8181</span><span class="sr">/host/</span><span class="n">accept</span><span class="w"> </span><span class="o">-</span><span class="n">d</span><span class="w"> </span><span class="s2">"host=demo-latest.rudder-project.org"</span>
</code></pre></div>
<p><br>
Project readme will be updated along with the addition of new features.<br />
Don't hesitate to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issue.</p>EL6 extras update and new package: Nginx and Nginx-modsecurity2015-06-26T14:35:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-06-26:/el6-extras-update-and-new-package-nginx-and-nginx-modsecurity.html<ul>
<li>Nginx - <a href="http://nginx.org/en/CHANGES-1.8">1.8.0</a><ul>
<li>Update to new stable release</li>
<li>Enable http_auth_request_module</li>
<li>Compile with GCC 4.9.1 from devtoolset-3 </li>
</ul>
</li>
<li>Nginx-modsecurity - <a href="http://nginx.org/en/CHANGES-1.8">1.8.0</a><ul>
<li>Update to new stable release</li>
<li>Enable http_auth_request_module</li>
<li>Add modsecurity module - <a href="https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0">2.9 …</a></li></ul></li></ul><ul>
<li>Nginx - <a href="http://nginx.org/en/CHANGES-1.8">1.8.0</a><ul>
<li>Update to new stable release</li>
<li>Enable http_auth_request_module</li>
<li>Compile with GCC 4.9.1 from devtoolset-3 </li>
</ul>
</li>
<li>Nginx-modsecurity - <a href="http://nginx.org/en/CHANGES-1.8">1.8.0</a><ul>
<li>Update to new stable release</li>
<li>Enable http_auth_request_module</li>
<li>Add modsecurity module - <a href="https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0">2.9.0</a></li>
<li>Compile with GCC 4.9.1 from devtoolset-3</li>
</ul>
</li>
</ul>
<p>No reason for those versions to not be identical, minor release may change on <code>-modsecurity</code> if modification is only on <a href="https://www.modsecurity.org/">ModSecurity</a>.<br />
As usual, you can install the package using my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository, and feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>Git replication: Part 1 - The poor man's way2015-04-18T05:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2015-04-18:/git-replication-part-1-the-poor-mans-way.html<p>There's a lot of ressources about that on the web, it's a well covered topic already.<br />
Still I wanted to give out my own way of keeping Git repositories synchronized. </p>
<h5 id="main-features">Main features:</h5>
<ul>
<li>It's cheap :)</li>
<li>It …</li></ul><p>There's a lot of ressources about that on the web, it's a well covered topic already.<br />
Still I wanted to give out my own way of keeping Git repositories synchronized. </p>
<h5 id="main-features">Main features:</h5>
<ul>
<li>It's cheap :)</li>
<li>It doesn't scale</li>
<li>Supports pushing/deleting branches and tags</li>
<li>Uses Git remote to know the remote repositories, no config file needed</li>
</ul>
<h5 id="prerequisites">Prerequisites:</h5>
<ul>
<li>You've set your remotes correctly in your - bare - repository</li>
<li>You've set your SSH key(s) as needed</li>
</ul>
<h5 id="installation">Installation:</h5>
<p><code>cp <the following script> <your Git repo>/hooks/post-receive && chmod +x <your Git repo>/hooks/post-receive</code> </p>
<h5 id="the-hook">The hook:</h5>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># Read commit values</span>
<span class="nb">read</span><span class="w"> </span>oldrev<span class="w"> </span>newrev<span class="w"> </span>refname
<span class="nb">echo</span><span class="w"> </span><span class="s2">"post-receive"</span>
<span class="c1"># Is the action a delete ?</span>
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$newrev</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s2">"0000000000000000000000000000000000000000"</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nv">PUSH</span><span class="o">=</span><span class="s2">"push --delete"</span>
<span class="k">else</span>
<span class="w"> </span><span class="nv">PUSH</span><span class="o">=</span><span class="s2">"push"</span>
<span class="k">fi</span>
<span class="c1"># Get out if there's no remote set</span>
<span class="nv">REMOTE</span><span class="o">=</span><span class="k">$(</span>git<span class="w"> </span>remote<span class="k">)</span>
<span class="o">[[</span><span class="w"> </span>-z<span class="w"> </span><span class="nv">$REMOTE</span><span class="w"> </span><span class="o">]]</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"!! No remote set"</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">0</span>
<span class="c1"># Else loop and push to them</span>
<span class="k">for</span><span class="w"> </span>remote<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="si">${</span><span class="nv">REMOTE</span><span class="si">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span>git<span class="w"> </span><span class="nv">$PUSH</span><span class="w"> </span><span class="nv">$remote</span><span class="w"> </span><span class="nv">$refname</span>
<span class="k">done</span>
</code></pre></div>
<p>So you get it as it's looping over the remotes, having more than 2 or 3 will seriously make long pushes... Still works like a charm to keep an external copy of your repository.</p>EL6 extras updates: Nginx, Uwsgi and GeoIP2015-04-16T20:00:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-04-16:/el6-extras-updates-nginx-uwsgi-and-geoip.html<ul>
<li>Nginx - <a href="http://nginx.org/en/CHANGES-1.6">1.6.3</a></li>
<li>Uwsgi - <a href="https://github.com/unbit/uwsgi/releases/tag/2.0.10">2.0.10</a></li>
<li>GeoIP - <a href="https://github.com/maxmind/geoip-api-c/releases/tag/v1.6.5">1.6.5</a></li>
</ul>
<p>As usual, you can install the package using my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository, and feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>Consul update - 0.5.02015-02-23T20:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-02-23:/consul-update-050.html<ul>
<li>Consul - <a href="https://github.com/hashicorp/consul/blob/master/CHANGELOG.md">0.5.0</a></li>
</ul>
<p>As usual, you can install the package using my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository, and feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>Grsecurity update - 3.14.33-1002015-02-19T12:30:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2015-02-19:/grsecurity-update-31433-100.html<ul>
<li><code>3.14.33-100</code><ul>
<li>Update to grsecurity-3.0-3.14.33-201502181906</li>
<li>Upgrade to devtoolset 3 with GCC 4.9.1</li>
<li>Add overlayfs patch from <a href="https://github.com/openwrt-mirror/openwrt/blob/master/target/linux/generic/patches-3.14/100-overlayfs.patch">openwrt</a></li>
<li>Include kernel config in tarball
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.33-100&id2=linux-grsecurity-3.14.28-100">my …</a></li></ul></li></ul><ul>
<li><code>3.14.33-100</code><ul>
<li>Update to grsecurity-3.0-3.14.33-201502181906</li>
<li>Upgrade to devtoolset 3 with GCC 4.9.1</li>
<li>Add overlayfs patch from <a href="https://github.com/openwrt-mirror/openwrt/blob/master/target/linux/generic/patches-3.14/100-overlayfs.patch">openwrt</a></li>
<li>Include kernel config in tarball
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.33-100&id2=linux-grsecurity-3.14.28-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>The biggest change is actually how I now handle the branches for package tagging on the <a href="http://git.mauras.ch/linux-grsecurity/">Git repo</a>.<br />
Up until now package tagging couldn't reflect any configuration change and the overrall numbering was then not so consistent. I'm now adding a branch <code>-coredumb</code> wich contains modifications on top of the <code>Grsecurity</code> patchset - Like <a href="https://github.com/openwrt-mirror/openwrt/blob/master/target/linux/generic/patches-3.14/100-overlayfs.patch">overlayfs</a> patch addition - as well as the full kernel configuration. All package tags will now be based on a <code>-coredumb</code> branch. </p>
<h4 id="warning">WARNING:</h4>
<p>At least on some servers - CPU related ? - <code>pcid</code> detection is still broken... </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Update: Nginx + Uwsgi + Cgit2015-02-05T01:36:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-02-05:/update-nginx-uwsgi-cgit.html<h2 id="update">Update:</h2>
<p><a href="https://www.linkedin.com/profile/view?id=206424096">Steeve Chailloux</a> notified me that this howto wasn't updated to the latest release of the <code>uwsgi</code> package that now have all modules as plugins.<br />
You should read the following: </p>
<h4 id="install-the-packages">Install the packages</h4>
<p>Now that …</p><h2 id="update">Update:</h2>
<p><a href="https://www.linkedin.com/profile/view?id=206424096">Steeve Chailloux</a> notified me that this howto wasn't updated to the latest release of the <code>uwsgi</code> package that now have all modules as plugins.<br />
You should read the following: </p>
<h4 id="install-the-packages">Install the packages</h4>
<p>Now that you're good with the repository, install the packages:</p>
<div class="highlight"><pre><span></span><code># yum -y install nginx uwsgi uwsgi-cgi cgit
</code></pre></div>
<h4 id="configure-uwsgi">Configure Uwsgi</h4>
<p>Just add this simple conf</p>
<div class="highlight"><pre><span></span><code># mkdir /etc/uwsgi
# cat << EOF > /etc/uwsgi.d/cgit.ini
[uwsgi]
plugin = cgi
socket = 127.0.0.1:8080
uid = cgit
gid = cgit
processes = 1
threads = 2
cgi = /usr/libexec/cgit/cgit.cgi
EOF
</code></pre></div>
<p>There's no init script provided in my package yet, so just manually run - or any way you want</p>
<div class="highlight"><pre><span></span><code># uwsgi --plugins-dir /usr/lib64/uwsgi/ --ini /etc/uwsgi.d/cgit.ini &
</code></pre></div>
<hr />
<h2 id="original-post">Original post:</h2>
<p>As you've seen in my previous post, there's been some package updates in the <code>EL6 Extras</code> repository, so let's have some fun with them! </p>
<p>First you indeed need my <code>EL6 Extras</code> repository if it's not done yet, please start with the <a href="pages/repositories.html">repositories</a> page. </p>
<h4 id="install-the-packages_1">Install the packages</h4>
<p>Now that you're good with the repository, install the packages:</p>
<div class="highlight"><pre><span></span><code># yum -y install nginx uwsgi cgit
</code></pre></div>
<h4 id="configure-cgit">Configure Cgit</h4>
<p>The default config from the package is pretty sane, the only thing you'll need to add to your <code>/etc/gitrc</code> - And indeed your <code>Git</code> repositories config - is:</p>
<div class="highlight"><pre><span></span><code>virtual-root<span class="o">=</span>/
</code></pre></div>
<p>This will keep <code>cgit</code> from adding <code>cgit.cgi</code> to your URL.<br />
To enable syntax highlighting, uncomment the following line in your <code>/etc/cgitrc</code></p>
<div class="highlight"><pre><span></span><code>source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
</code></pre></div>
<p>Then install <code>pygments</code> package</p>
<div class="highlight"><pre><span></span><code># yum -y install python-pygments
</code></pre></div>
<h4 id="configure-uwsgi_1">Configure Uwsgi</h4>
<p>Just add this simple conf</p>
<div class="highlight"><pre><span></span><code># mkdir /etc/uwsgi
# cat << EOF > /etc/uwsgi/cgit.ini
[uwsgi]
socket = 127.0.0.1:8080
uid = cgit
gid = cgit
processes = 1
threads = 2
cgi = /usr/libexec/cgit/cgit.cgi
EOF
</code></pre></div>
<p>There's no init script provided in my package yet, so just manually run - or any way you want</p>
<div class="highlight"><pre><span></span><code># uwsgi --ini /etc/uwsgi/cgit.ini &
</code></pre></div>
<h4 id="configure-nginx">Configure Nginx</h4>
<p>Finally just add this simple <code>server</code> block to your Nginx config and customize it to your needs</p>
<div class="highlight"><pre><span></span><code>server {
# Change this to your taste
listen 80 default_server;
server_name _;
# We want to serve cgit static content from /usr/share/cgit and let Nginx cache it
location ~* ^.+(cgit.(css|png)|favicon.ico) {
root /usr/share/cgit;
expires 30d;
}
# Now forward everything else to our uwsgi instance
location / {
include uwsgi_params;
uwsgi_modifier1 9;
uwsgi_pass 127.0.0.1:8080;
}
}
</code></pre></div>
<p>Start Nginx, and enjoy your <code>Cgit</code> running on your <code>server_name</code></p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you have any question.</p>Securing Consul2015-02-02T23:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-02-02:/securing-consul.html<div class="toc">
<ul>
<li><a href="#consul">Consul</a><ul>
<li><a href="#binary-execution-rights-and-user-running-the-daemon">Binary execution rights and user running the daemon</a><ul>
<li><a href="#prevent-users-to-execute-their-own-consul-binary">Prevent users to execute their own Consul binary</a></li>
</ul>
</li>
<li><a href="#configuration-access-rights">Configuration access rights</a></li>
<li><a href="#prevent-rogue-nodes-joining-the-cluster">Prevent rogue nodes joining the cluster</a><ul>
<li><a href="#encrypt">Encrypt</a></li>
<li><a href="#tls">TLS</a></li>
</ul>
</li>
<li><a href="#disable-remote-execution">Disable remote execution</a></li>
</ul>
</li>
<li><a href="#prevent-http-api-from-clients">Prevent HTTP API from …</a></li></ul></div><div class="toc">
<ul>
<li><a href="#consul">Consul</a><ul>
<li><a href="#binary-execution-rights-and-user-running-the-daemon">Binary execution rights and user running the daemon</a><ul>
<li><a href="#prevent-users-to-execute-their-own-consul-binary">Prevent users to execute their own Consul binary</a></li>
</ul>
</li>
<li><a href="#configuration-access-rights">Configuration access rights</a></li>
<li><a href="#prevent-rogue-nodes-joining-the-cluster">Prevent rogue nodes joining the cluster</a><ul>
<li><a href="#encrypt">Encrypt</a></li>
<li><a href="#tls">TLS</a></li>
</ul>
</li>
<li><a href="#disable-remote-execution">Disable remote execution</a></li>
</ul>
</li>
<li><a href="#prevent-http-api-from-clients">Prevent HTTP API from clients</a><ul>
<li><a href="#completely">Completely</a></li>
<li><a href="#allow-some-users">Allow some users</a></li>
</ul>
</li>
<li><a href="#keyvalue-store-acls">Key/Value store ACLs</a><ul>
<li><a href="#deny-by-default">Deny by default</a></li>
<li><a href="#add-rights-per-key">Add rights per key</a></li>
</ul>
</li>
<li><a href="#actually-running-consul">Actually running Consul</a></li>
<li><a href="#wrap-it-all-up">Wrap it all up</a></li>
</ul>
</div>
<h2 id="consul">Consul</h2>
<p><a href="http://www.consul.io">Consul</a> is an excellent piece of software, really. I don't think I've been this excited by any other software for the last couple of years.<br />
As they state in their <a href="https://consul.io/intro/index.html">Intro</a> page : <em>Consul has multiple components, but as a whole, it is a tool for discovering and configuring services in your infrastructure</em><br />
<a href="http://www.consul.io">Consul</a> is well documented, robust, fast, replicated, datacenter aware, integrates a Key/Value store, etc... And their IRC community is very friendly. </p>
<p>The only major flaw I've found, is that by default, it is not <em>secure enough</em>.<br />
What I mean by not <em>secure enough</em>, is that you must take a good care of how you configure and run the service if you don't wish to let too much opened doors to a <em>harmful user</em>. </p>
<p>Here's a list of <em>threats</em> I've identified - Please mind that a threat for me may very well be a nice feature for you - followed by configuration to circumvent them: </p>
<ul>
<li>Any node could join your cluster and access sensitive information</li>
<li>Any user on any joined node can access cluster details/information</li>
<li>Any user on any joined node can execute cluster wide remote commands</li>
<li>Any user on any joined node can tamper with the HTTP API and<ul>
<li>Declare potentially harmful events</li>
<li>Declare watches with potentially harmful events</li>
</ul>
</li>
</ul>
<p><strong>Note:</strong><br />
All the commands and system details provided in this excerpt are with an <code>EL6</code> based distribution in mind. Configurations and data paths are purely based by choice.<br />
Please adapt accordingly :)</p>
<h3 id="binary-execution-rights-and-user-running-the-daemon">Binary execution rights and user running the daemon</h3>
<p>No surprise here, this is a rule of thumbs for any daemon running on Unix/Linux, privileges must be dropped as much as possible.<br />
Consul doesn't require you to run it as <code>root</code> and that's a good thing.<br />
The thing is, that by using RPC communication, any user on the joined node can run any cluster wide command as well as remote executing command on all your cluster's nodes. It is thus important that any user cannot execute your system wide Consul binary. </p>
<p>Start by creating a new dedicated user without any shell access with a dedicated home directory: </p>
<div class="highlight"><pre><span></span><code>useradd -d /srv/consul -s /sbin/nologin consul
</code></pre></div>
<p>On most distributions it will create a matching default group for your user as well, if not, do so. </p>
<p>Ensure that the home directory can only be accessed by the new <code>consul</code> user and its default group: </p>
<div class="highlight"><pre><span></span><code>chown -R consul: /srv/consul
chmod 750 /srv/consul
</code></pre></div>
<p>Ensure the Consul binary is executable only by <code>root</code> user and <code>consul</code> group:</p>
<div class="highlight"><pre><span></span><code>chown root:consul /usr/sbin/consul
chmod 750 /usr/sbin/consul
</code></pre></div>
<h4 id="prevent-users-to-execute-their-own-consul-binary">Prevent users to execute their own Consul binary</h4>
<p>This is a bit out of the Consul scope, and more a matter of user containment, but indeed you must prevent a user to be able to upload and execute his/her own Consul binary.<br />
The two main solutions i think of:</p>
<ul>
<li>Mount filesystems where local users have write access with <code>noexec</code> flag</li>
<li><a href="http://grsecurity.net/features.php#tpe">Trusted Path Execution</a> from the <a href="_http://grsecurity.net/">Grsecurity</a> patchset</li>
</ul>
<h3 id="configuration-access-rights">Configuration access rights</h3>
<p>It's important that you forbid any read access of your Consul configuration by other unprivileged user in order to not leak sensible settings. </p>
<div class="highlight"><pre><span></span><code>mkdir /etc/consul
chown root:consul /etc/consul
chmod 750 /etc/consul
</code></pre></div>
<h3 id="prevent-rogue-nodes-joining-the-cluster">Prevent rogue nodes joining the cluster</h3>
<p>As described in <a href="https://consul.io/docs/agent/encryption.html">this page</a> there's two major way to prevent that any untrusted node join your cluster</p>
<h4 id="encrypt">Encrypt</h4>
<p>With the help of <code>consul keygen</code> command, you can generate gossip encryption key that you can use in your server/agent configuration</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"encrypt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UgmMsZwR2XFNGGvJTnpHRg=="</span>
<span class="p">}</span>
</code></pre></div>
<p>This key must be used on both servers and clients for the communication to work.</p>
<h4 id="tls">TLS</h4>
<p>TLS can/<em>must</em> be used to verify servers and clients authenticity. Consul requires that all servers and clients have certificates signed by a certificate authority.<br />
You can leverage the use of your corporate PKI if you have one, just remember as per <a href="https://github.com/golang/go/issues/7423">this thread</a> that <a href="http://golang.org/">Go</a> requires the certificate to have <code>extendedKeyUsage clientAuth</code> enabled.<br />
Here's a sample configuration of enabling TLS:</p>
<ul>
<li>Servers:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"ca_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/ca_cert.pem"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"cert_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/server.pem"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"key_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/server.key"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"verify_incoming"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"verify_outgoing"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span>
<span class="p">}</span>
</code></pre></div>
<ul>
<li>Clients:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"ca_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/ca_cert.pem"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"cert_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/client.pem"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"key_file"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/consul/ssl/client.key"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"verify_outgoing"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="disable-remote-execution">Disable remote execution</h3>
<p>Remote execution let's you execute commands and get the output of said command using<br />
<code>consul exec "command"</code><br />
So if you were running your Consul daemon as <code>root</code>, running the command <code>consul exec "shutdown -h now"</code> would have the tremendous effect of shutting down all your Consul servers as well as all the clients nodes joined to them...<br />
There's luckily a configuration option that should in my opinion be enabled by default:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"disable_remote_exec"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span>
<span class="p">}</span>
</code></pre></div>
<p>Now this remote execution feature could prove itself useful... This is why you limit its availability per node - Consul servers should never have it enabled - as well as its execution rights, by running the Consul binary with the unprivileged <code>consul</code> user we created earlier which you can couple with <code>sudo</code>.</p>
<h2 id="prevent-http-api-from-clients">Prevent HTTP API from clients</h2>
<p>Consul <a href="https://consul.io/docs/agent/http.html">HTTP API</a> is by default available for all joined nodes on <code>http://localhost:8500</code>, this means that by default anyone connected on a cluster's node can use the API and/or K/V store to gather informations or change settings.</p>
<h3 id="completely">Completely</h3>
<p>Plain and simple, use <code>iptables</code> to prevent access to the port: </p>
<div class="highlight"><pre><span></span><code>iptables<span class="w"> </span>-A<span class="w"> </span>OUTPUT<span class="w"> </span>-p<span class="w"> </span>tcp<span class="w"> </span>-m<span class="w"> </span>tcp<span class="w"> </span>--dport<span class="w"> </span><span class="m">8500</span><span class="w"> </span>-j<span class="w"> </span>REJECT
</code></pre></div>
<h3 id="allow-some-users">Allow some users</h3>
<p>As you may require some of your nodes to be able to access the API and/or the K/V store, you can use the <code>ipt_owner</code> module of <code>iptables</code>: </p>
<div class="highlight"><pre><span></span><code>iptables<span class="w"> </span>-A<span class="w"> </span>OUTPUT<span class="w"> </span>-m<span class="w"> </span>tcp<span class="w"> </span>-p<span class="w"> </span>tcp<span class="w"> </span>--dport<span class="w"> </span><span class="m">8500</span><span class="w"> </span>-m<span class="w"> </span>owner<span class="w"> </span>--uid-owner<span class="w"> </span>consul<span class="w"> </span>-j<span class="w"> </span>ACCEPT
</code></pre></div>
<p>This would let only the <code>consul</code> user access the port locally, which is the user under which your daemon is running, and is unavailable to an unprivileged user.</p>
<h2 id="keyvalue-store-acls">Key/Value store ACLs</h2>
<p>I've found the ACL system for the key/value store quite unsettling, it can be broken out like this:</p>
<ul>
<li>Enable ACL at datacenter level</li>
<li>Set a master token - Not mandatory but i find it easier to manage</li>
<li>Chose a default policy</li>
<li>Set access rules to keys using API</li>
</ul>
<h3 id="deny-by-default">Deny by default</h3>
<p>As a habit, i found that denying by default is easier to manage and allow read and/or write accesses per clients.<br />
Enabling the ACL system is a server only configuration:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"acl_datacenter"</span><span class="p">:</span><span class="w"> </span><span class="s2">"<your datacenter name>"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acl_master_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f45cbd0b-5022-47ab-8640-4eaa7c1f40f1"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acl_default_policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"acl_down_policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span>
<span class="p">}</span>
</code></pre></div>
<p><code>acl_master_token</code> can be easily generated with the <code>uuidgen</code> command but this is just to keep the same thing as Consul generates, it seems to accept any string format.</p>
<h3 id="add-rights-per-key">Add rights per key</h3>
<p>You can list the ACLs using this curl command
<code>curl "http://localhost:8500/v1/acl/list?token=f45cbd0b-5022-47ab-8640-4eaa7c1f40f1&pretty=true"</code> </p>
<p>As an example we'll add an ACL giving <code>read</code> only permission to the store key <code>git/lastcommit</code>. </p>
<ul>
<li>First create a text file containing the following <code>json</code> code:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="p">{</span><span class="w"> </span>
<span class="w"> </span><span class="nt">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"git_slave"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"client"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"Rules"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key git/lastcommit {policy = read}"</span>
<span class="p">}</span>
</code></pre></div>
<ul>
<li>Then create the ACL using your <code>acl_master_token</code>: </li>
</ul>
<div class="highlight"><pre><span></span><code>curl<span class="w"> </span>-X<span class="w"> </span>PUT<span class="w"> </span>-d<span class="w"> </span>@kv_create_rule.json<span class="w"> </span>http://localhost:8500/v1/acl/create?token<span class="o">=</span>f45cbd0b-5022-47ab-8640-4eaa7c1f40f1
</code></pre></div>
<ul>
<li>This <code>curl</code> command will return you a client token that you can reuse in your agent configurations that need to access - through <a href="http://www.consul.io/docs/agent/watches.html">watches</a> - to this key</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">"acl_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d17fade7-2391-45a4-aa00-c9ed5e707e0b"</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="actually-running-consul">Actually running Consul</h2>
<p>Here's an EL6 based init script to automatically start Consul with the correct user at startup:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/sh</span>
<span class="c1">#</span>
<span class="c1"># consul Start the consul daemon</span>
<span class="c1">#</span>
<span class="c1"># Author: Olivier Mauras <olivier@mauras.ch></span>
<span class="c1">#</span>
<span class="c1"># chkconfig: 345 99 10</span>
<span class="c1"># description: Starts the Consul daemon</span>
<span class="c1">#</span>
<span class="c1"># processname: consul</span>
<span class="c1"># Source function library.</span>
.<span class="w"> </span>/etc/rc.d/init.d/functions
<span class="nv">RETVAL</span><span class="o">=</span><span class="m">0</span>
<span class="c1"># Default variables</span>
<span class="nv">CONSUL_BIN</span><span class="o">=</span><span class="s2">"/usr/sbin/consul"</span>
<span class="nv">CONSUL_CONF</span><span class="o">=</span><span class="s2">"/etc/consul"</span>
<span class="nv">CONSUL_USER</span><span class="o">=</span><span class="s2">"consul"</span>
<span class="c1"># See how we were called.</span>
<span class="k">case</span><span class="w"> </span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span><span class="w"> </span><span class="k">in</span>
<span class="w"> </span>start<span class="o">)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">"Starting Consul daemon: "</span>
<span class="w"> </span>daemon<span class="w"> </span>--check<span class="w"> </span>consul<span class="w"> </span>--user<span class="w"> </span><span class="nv">$CONSUL_USER</span><span class="w"> </span><span class="s2">"</span><span class="nv">$CONSUL_BIN</span><span class="s2"> agent -config-dir=</span><span class="nv">$CONSUL_CONF</span><span class="s2"> > /dev/null 2>&1 &"</span>
<span class="w"> </span><span class="nb">echo</span>
<span class="w"> </span><span class="p">;;</span>
<span class="w"> </span>stop<span class="o">)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">"Stopping Consul daemon: "</span>
<span class="w"> </span>killproc<span class="w"> </span>consul
<span class="w"> </span><span class="nb">echo</span>
<span class="w"> </span><span class="p">;;</span>
<span class="w"> </span>status<span class="o">)</span>
<span class="w"> </span>status<span class="w"> </span>consul
<span class="w"> </span><span class="nv">RETVAL</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="p">;;</span>
<span class="w"> </span>restart<span class="o">)</span>
<span class="w"> </span><span class="nv">$0</span><span class="w"> </span>stop
<span class="w"> </span><span class="nv">$0</span><span class="w"> </span>start
<span class="w"> </span><span class="nv">RETVAL</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="p">;;</span>
<span class="w"> </span>*<span class="o">)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Usage: consul {start|stop|status|restart}"</span>
<span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">1</span>
<span class="k">esac</span>
<span class="nb">exit</span><span class="w"> </span><span class="nv">$REVAL</span>
</code></pre></div>
<h2 id="wrap-it-all-up">Wrap it all up</h2>
<p>I've made up an RPM package, that takes care of creating the <code>consul</code> user and setting up the correct rights, on the binary - It also includes the init script :). You can download the <a href="http://repos.mauras.ch/EL6/SRPMS/consul-0.5.0-1.el6.src.rpm">SRPM</a> directly or just use my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6 extras</a> repository. </p>
<p>Use your favorite configuration management tool - <a href="http://www.rudder-project.org/site/">Rudder</a>? :) - to handle the configuration deployment and <code>/etc/consul</code> rights. </p>
<p>Don't hesitate to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you find inconsistencies, or if you have questions about this guide. </p>New package - Consul 0.4.12015-02-02T21:40:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-02-02:/new-package-consul-041.html<p>A package addition to my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository.</p>
<ul>
<li>Consul - 0.4.1</li>
</ul>
<p>As usual, you can install the package using my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository, and feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>New package - tinc 1.0.252015-01-29T12:08:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2015-01-29:/new-package-tinc-1025.html<p>I've been suprised to see that EPEL wasn't providing any init script for their <code>tinc</code> package.<br />
Here's a version with an init script and PIE/Full RELRO support.</p>
<ul>
<li>Tinc - <a href="http://www.tinc-vpn.org/download/">1.0.25</a><ul>
<li>Version update - from …</li></ul></li></ul><p>I've been suprised to see that EPEL wasn't providing any init script for their <code>tinc</code> package.<br />
Here's a version with an init script and PIE/Full RELRO support.</p>
<ul>
<li>Tinc - <a href="http://www.tinc-vpn.org/download/">1.0.25</a><ul>
<li>Version update - from EPEL</li>
<li>Provide an init script and sysconfig file</li>
<li>Compile with the usual PIE and Full RELRO</li>
</ul>
</li>
</ul>
<p>One note about the init script. The goal of the script is to support multiple networks just like tinc does.<br />
In order to do so, you have to create a symbolic link of the init script matching your network name <code>ln -s /etc/init.d/tinc /etc/init.d/tinc.xxxx</code> </p>
<p>If you need to have different options - like enabling debug - or key size on this network, copy the <code>sysconfig</code> file with the network name suffix <code>cp /etc/sysconfig/tinc /etc/sysconfig/tinc.xxxx</code></p>
<p>So as usual, you can install the package using my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">el6_extras</a> repository, and feel free to <a href="http://www.mauras.ch/pages/contact.html">contact</a> me if you encounter any issues.</p>Grsecurity update - 3.14.28-1002015-01-13T20:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2015-01-13:/grsecurity-update-31428-100.html<ul>
<li><code>3.14.28-100</code><ul>
<li>Update to grsecurity-3.0-3.14.28-201501120819<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.28-100&id2=linux-grsecurity-3.14.22-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>Sorry being slow during the holidays :) </p>
<h4 id="warning">WARNING:</h4>
<p>At least on some servers - CPU related ? - <code>pcid</code> detection is …</p><ul>
<li><code>3.14.28-100</code><ul>
<li>Update to grsecurity-3.0-3.14.28-201501120819<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.28-100&id2=linux-grsecurity-3.14.22-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>Sorry being slow during the holidays :) </p>
<h4 id="warning">WARNING:</h4>
<p>At least on some servers - CPU related ? - <code>pcid</code> detection is still broken... </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.22-1002014-10-31T01:10:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-10-31:/grsecurity-update-31422-100.html<ul>
<li><code>3.14.22-100</code><ul>
<li>Update to grsecurity-3.0-3.14.22-201410250026<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.22-100&id2=linux-grsecurity-3.14.21-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>This version fixes several <a href="http://www.openwall.com/lists/oss-security/2014/10/24/9">KVM issues</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3 …</p><ul>
<li><code>3.14.22-100</code><ul>
<li>Update to grsecurity-3.0-3.14.22-201410250026<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.22-100&id2=linux-grsecurity-3.14.21-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>This version fixes several <a href="http://www.openwall.com/lists/oss-security/2014/10/24/9">KVM issues</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Qemu, libvirt and tmux updates2014-10-24T09:40:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-10-24:/qemu-libvirt-and-tmux-updates.html<p>I had not updated my <a href="http://repos.mauras.ch/virt/">virt</a> repository for more than a year now... Mostly because i had not needed to.<br />
Here's two major updates today!</p>
<ul>
<li>Qemu - <a href="http://wiki.qemu.org/ChangeLog/2.1">2.1.2</a><ul>
<li>Compiled against ceph-0.80 and glusterfs-3 …</li></ul></li></ul><p>I had not updated my <a href="http://repos.mauras.ch/virt/">virt</a> repository for more than a year now... Mostly because i had not needed to.<br />
Here's two major updates today!</p>
<ul>
<li>Qemu - <a href="http://wiki.qemu.org/ChangeLog/2.1">2.1.2</a><ul>
<li>Compiled against ceph-0.80 and glusterfs-3.5.2</li>
<li>Enable LZO and RDMA support</li>
<li>Compiled with GCC 4.8 from devtoolset 2 </li>
</ul>
</li>
<li>Libvirt - <a href="http://libvirt.org/news.html">1.2.9</a><ul>
<li>Enable PIE, Full relro </li>
</ul>
</li>
</ul>
<p>Please mind that both <code>qemu</code> and <code>libvirtd</code> binaries require to disable PAX <code>mprotect</code>
<code>paxctl -cm /usr/bin/qemu* /usr/sbin/libvirtd</code></p>
<ul>
<li>Tmux - <a href="http://sourceforge.net/p/tmux/tmux-code/ci/master/tree/CHANGES">1.9a</a></li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option or something, so <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Grsecurity - Kernel Panic on UDP traffic2014-10-24T09:30:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-10-24:/grsecurity-kernel-panic-on-udp-traffic.html<p>So it appears that the issue doesn't come from the <code>e1000</code> driver, but from a <a href="http://cwe.mitre.org/data/definitions/416.html">use-after-free</a> in the udp protocol structure.<br />
I've made <a href="http://git.mauras.ch/linux-grsecurity/patch/?id=5e71707811ce0c38c3861eecb6a2f6761251880b">a patch</a> available that disables slab sanitization in udp protocol structure.<br />
I've …</p><p>So it appears that the issue doesn't come from the <code>e1000</code> driver, but from a <a href="http://cwe.mitre.org/data/definitions/416.html">use-after-free</a> in the udp protocol structure.<br />
I've made <a href="http://git.mauras.ch/linux-grsecurity/patch/?id=5e71707811ce0c38c3861eecb6a2f6761251880b">a patch</a> available that disables slab sanitization in udp protocol structure.<br />
I've been toroughly testing it under <strong>heavy</strong> DNS load for two weeks and can confirm it's working well. </p>
<p>Indeed the drawback is that it lowers the protections on the udp protocol, that's why i won't include this patch in my default builds, just use it if you need it - I guess it will be long before we see it fixed upstream...</p>Grsecurity update - 3.14.21-1002014-10-14T23:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-10-14:/grsecurity-update-31421-100.html<ul>
<li><code>3.14.21-100</code><ul>
<li>Update to grsecurity-3.0-3.14.22-201410192047<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.21-100&id2=linux-grsecurity-3.14.19-101">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev …</code></p><ul>
<li><code>3.14.21-100</code><ul>
<li>Update to grsecurity-3.0-3.14.22-201410192047<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.21-100&id2=linux-grsecurity-3.14.19-101">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.19-1012014-10-06T23:54:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-10-06:/grsecurity-update-31419-101.html<ul>
<li><code>3.14.19-101</code><ul>
<li>Update to grsecurity-3.0-3.14.19-201409282024
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.19-101&id2=linux-grsecurity-3.14.19-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="note">Note:</h4>
<p>If you're running <code>e1000</code> driver with intensive UDP traffic, you surely have encountered kernel panics.<br />
I've …</p><ul>
<li><code>3.14.19-101</code><ul>
<li>Update to grsecurity-3.0-3.14.19-201409282024
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.19-101&id2=linux-grsecurity-3.14.19-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="note">Note:</h4>
<p>If you're running <code>e1000</code> driver with intensive UDP traffic, you surely have encountered kernel panics.<br />
I've <a href="https://forums.grsecurity.net/viewtopic.php?f=3&t=4037">reported the issue</a>, which seems to be an upstream bug. Hope to see a patch soon. </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Nginx update - 1.62-22014-09-26T00:45:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-09-26:/nginx-update-162-2.html<ul>
<li>Nginx - 1.62<ul>
<li>Compile with kernel 4.8 from devtoolset2 to enable PIE</li>
<li>Remove Perl RPATH</li>
</ul>
</li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option …</p><ul>
<li>Nginx - 1.62<ul>
<li>Compile with kernel 4.8 from devtoolset2 to enable PIE</li>
<li>Remove Perl RPATH</li>
</ul>
</li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option or something, so <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Exim update - 4.84-12014-09-20T15:55:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-09-20:/exim-update-484-1.html<ul>
<li>Exim - <a href="http://git.exim.org/exim.git/blob/exim-4_84:/doc/doc-txt/ChangeLog">4.84</a><ul>
<li>latest stable version </li>
</ul>
</li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option or something, so <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues …</p><ul>
<li>Exim - <a href="http://git.exim.org/exim.git/blob/exim-4_84:/doc/doc-txt/ChangeLog">4.84</a><ul>
<li>latest stable version </li>
</ul>
</li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option or something, so <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Grsecurity update - 3.14.19-1002014-09-18T23:50:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-09-18:/grsecurity-update-31419-100.html<ul>
<li>
<p><code>3.14.18-100</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.18-201409141906<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.18-100&id2=linux-grsecurity-3.14.17-100">my Git repo</a><br />
I just had compiled this package when <code>3.14.19</code> release got out, so this version is …</li></ul></li></ul><ul>
<li>
<p><code>3.14.18-100</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.18-201409141906<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.18-100&id2=linux-grsecurity-3.14.17-100">my Git repo</a><br />
I just had compiled this package when <code>3.14.19</code> release got out, so this version is untested</li>
</ul>
</li>
<li>
<p><code>3.14.19-100</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.19-201409180900<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.19-100&id2=linux-grsecurity-3.14.18-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>I've jumped the packaging of several versions since <code>3.14.17-100</code> but as usual, all the branches are available in <a href="http://git.mauras.ch/linux-grsecurity/">my Git repo</a> </p>
<h4 id="note">Note:</h4>
<p>If you're running <code>e1000</code> driver with intensive UDP traffic, you surely have encountered kernel panics.<br />
I've <a href="https://forums.grsecurity.net/viewtopic.php?f=3&t=4037">reported the issue</a>, which seems to be an upstream bug. Hope to see a patch soon. </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>EL6 Extras updates and new packages2014-09-18T23:30:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-09-18:/el6-extras-updates-and-new-packages.html<p>A bunch of new packages/versions:</p>
<ul>
<li>Nginx - <a href="http://nginx.org/en/CHANGES-1.6">1.6.2</a><ul>
<li>latest stable version fixing CVE-2014-3616</li>
</ul>
</li>
<li>Uwsgi - 2.0.6<ul>
<li>New modular build with multiple language support<ul>
<li>Lua 5.1 - lua plugin</li>
<li>Python 2.6 - python …</li></ul></li></ul></li></ul><p>A bunch of new packages/versions:</p>
<ul>
<li>Nginx - <a href="http://nginx.org/en/CHANGES-1.6">1.6.2</a><ul>
<li>latest stable version fixing CVE-2014-3616</li>
</ul>
</li>
<li>Uwsgi - 2.0.6<ul>
<li>New modular build with multiple language support<ul>
<li>Lua 5.1 - lua plugin</li>
<li>Python 2.6 - python plugin</li>
<li>Python 2.7 - python27 plugin</li>
<li>Python 2.6 - python33 plugin</li>
<li>PHP 5.3 - php plugin</li>
<li>PHP 5.4 - php54 plugin <em>please see below</em></li>
<li>CGI is now a plugin as well<br />
Python 2.7 and 3.3 requires that you enable the <code>software collections</code> repository<br />
Next version will contain init script and perl support</li>
</ul>
</li>
</ul>
</li>
<li>PHP 5.4 - 5.4.16-116<ul>
<li>Include mcrypt module</li>
<li>Include -embedded package<br />
I was kinda pissed off by RH purposely removing the support of PHP embedded library in their <code>software collections</code> versions, as well as still not supporting mcrypt module, so i just rebuilded it with a higher release number (+100).<br />
You still need to enable <code>software collections</code> repository for <code>php54-php-pear*</code> dependancies.</li>
</ul>
</li>
<li>Libmcrypt - 2.5.8<br />
Basically a rebuild of <a href="http://springdale.princeton.edu/data/puias/unsupported/6">PUIAS</a> SRPM </li>
</ul>
<p>As usual, i'm dogfooding all my packages, but it may happen that i miss a bug on an option or something, so <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Grsecurity update - 3.14.17-1002014-08-22T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-08-22:/grsecurity-update-31417-100.html<ul>
<li><code>3.14.17-100</code><ul>
<li>Update to grsecurity-3.0-3.14.17-201408212334<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.17-100&id2=linux-grsecurity-3.14.15-102">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>I've jumped the packaging of several versions since <code>3.14.15-102</code> but all the branches are available …</p><ul>
<li><code>3.14.17-100</code><ul>
<li>Update to grsecurity-3.0-3.14.17-201408212334<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.17-100&id2=linux-grsecurity-3.14.15-102">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>I've jumped the packaging of several versions since <code>3.14.15-102</code> but all the branches are available in <a href="http://git.mauras.ch/linux-grsecurity/">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.15-1022014-08-05T19:41:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-08-05:/grsecurity-update-31415-102.html<ul>
<li><code>3.14.15-102</code><ul>
<li>Update to grsecurity-3.0-3.14.15-201408032014<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.15-102&id2=linux-grsecurity-3.14.15-101">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev …</code></p><ul>
<li><code>3.14.15-102</code><ul>
<li>Update to grsecurity-3.0-3.14.15-201408032014<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.15-102&id2=linux-grsecurity-3.14.15-101">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.15-1012014-08-01T22:40:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-08-01:/grsecurity-update-31415-101.html<ul>
<li><code>3.14.15-101</code><ul>
<li>Update to grsecurity-3.0-3.14.15-201408010644<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.15-101&id2=linux-grsecurity-3.14.15-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>Even if i haven't built the last two <code>Grsecurity</code> versions, their branches are up in <a href="http://git.mauras.ch/linux-grsecurity/">my Git …</a></p><ul>
<li><code>3.14.15-101</code><ul>
<li>Update to grsecurity-3.0-3.14.15-201408010644<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.15-101&id2=linux-grsecurity-3.14.15-100">my Git repo</a> </li>
</ul>
</li>
</ul>
<p>Even if i haven't built the last two <code>Grsecurity</code> versions, their branches are up in <a href="http://git.mauras.ch/linux-grsecurity/">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.13-1002014-07-24T06:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-24:/grsecurity-update-31413-100.html<ul>
<li>
<p><code>3.14.12-102</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.12-201407170638<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-102&id2=linux-grsecurity-3.14.12-101">my Git repo</a> </li>
</ul>
</li>
<li>
<p><code>3.14.13-100</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.13-201407232159<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.13-100&id2=linux-grsecurity-3.14.12-102">my Git …</a></li></ul></li></ul><ul>
<li>
<p><code>3.14.12-102</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.12-201407170638<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-102&id2=linux-grsecurity-3.14.12-101">my Git repo</a> </li>
</ul>
</li>
<li>
<p><code>3.14.13-100</code></p>
<ul>
<li>Update to grsecurity-3.0-3.14.13-201407232159<br />
Diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.13-100&id2=linux-grsecurity-3.14.12-102">my Git repo</a> </li>
</ul>
</li>
</ul>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Gradm update2014-07-17T04:55:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-17:/gradm-update.html<ul>
<li><code>3.0-201405281853_1</code><ul>
<li>Version bump</li>
</ul>
</li>
</ul>
<p>Complete changelog can be found <a href="https://grsecurity.net/gradm3-changelog.txt">here</a> </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.12-1012014-07-16T19:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-16:/grsecurity-update-31412-101.html<ul>
<li><code>3.14.12-101</code><ul>
<li>Update to grsecurity-3.0-3.14.12-201407151838</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-101&id2=linux-grsecurity-3.14.12-100">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree …</p><ul>
<li><code>3.14.12-101</code><ul>
<li>Update to grsecurity-3.0-3.14.12-201407151838</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-101&id2=linux-grsecurity-3.14.12-100">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.12-1002014-07-10T13:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-10:/grsecurity-update-31412-100.html<ul>
<li><code>3.14.12-100</code><ul>
<li>Update to grsecurity-3.0-3.14.12-201407100035</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-201407100035&id2=linux-grsecurity-3.14.11-201407081919">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree …</p><ul>
<li><code>3.14.12-100</code><ul>
<li>Update to grsecurity-3.0-3.14.12-201407100035</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.12-201407100035&id2=linux-grsecurity-3.14.11-201407081919">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.11-1012014-07-09T16:10:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-09:/grsecurity-update-31411-101.html<ul>
<li><code>3.14.11-101</code><ul>
<li>Update grsecurity-3.0-3.14.11-201407081919</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.11-201407081919&id2=linux-grsecurity-3.14.11-201407072045">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF …</code></p><ul>
<li><code>3.14.11-101</code><ul>
<li>Update grsecurity-3.0-3.14.11-201407081919</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.11-201407081919&id2=linux-grsecurity-3.14.11-201407072045">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.10-1012014-07-06T15:01:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-06:/grsecurity-update-31410-101.html<ul>
<li><code>3.14.10-101</code><ul>
<li>Update grsecurity-3.0-3.14.10-201407052031</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.10-201407052031&id2=linux-grsecurity-3.14.10-201407012152">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF …</code></p><ul>
<li><code>3.14.10-101</code><ul>
<li>Update grsecurity-3.0-3.14.10-201407052031</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.10-201407052031&id2=linux-grsecurity-3.14.10-201407012152">my Git repo</a> </p>
<h4 id="warning">WARNING:</h4>
<p>It appears that <code>pcid</code> detection is broken on latest 3.14 tree. <code>UDEREF</code> will make <code>udev</code> segfault and make the init process exit before completing boot.<br />
The solution to fallback on <em>slow and weak <code>UDEREF</code></em> - which in my opinion is better than having no <code>UDEREF</code> at all - is to pass <code>nopcid</code> flag to your kernel command line.<br />
The issue has been reported to PAX team and we're waiting for a fix :) </p>
<div class="highlight"><pre><span></span><code># dmesg | grep UDEREF
PAX: slow and weak UDEREF enabled
</code></pre></div>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Nginx update to new stable2014-07-05T20:49:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-07-05:/nginx-update-to-new-stable.html<p>Nginx latest stable version - <a href="http://nginx.org/en/CHANGES-1.6">1.6.0</a></p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Grsecurity update - 3.14.102014-07-02T20:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-07-02:/grsecurity-update-31410.html<p>And there's another one today :) </p>
<ul>
<li><code>3.14.10-100</code><ul>
<li>Update grsecurity-3.14.10-201407012152</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.10-201407012152&id2=linux-grsecurity-3.14.9-201406262057">my Git repo</a></p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and …</p><p>And there's another one today :) </p>
<ul>
<li><code>3.14.10-100</code><ul>
<li>Update grsecurity-3.14.10-201407012152</li>
</ul>
</li>
</ul>
<p>You can see a diff from the previous version on <a href="http://git.mauras.ch/linux-grsecurity/diff/?id=linux-grsecurity-3.14.10-201407012152&id2=linux-grsecurity-3.14.9-201406262057">my Git repo</a></p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update - 3.14.92014-06-27T20:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-06-27:/grsecurity-update-3149.html<p>And there's another one today :) </p>
<ul>
<li><code>3.14.9-100</code><ul>
<li>Update grsecurity-3.0-3.14.9-201406262057</li>
</ul>
</li>
</ul>
<p>You surely have noted that the two latest kernels come only in <code>nozfs</code> flavor. This is indeed correct, and that's because i'm …</p><p>And there's another one today :) </p>
<ul>
<li><code>3.14.9-100</code><ul>
<li>Update grsecurity-3.0-3.14.9-201406262057</li>
</ul>
</li>
</ul>
<p>You surely have noted that the two latest kernels come only in <code>nozfs</code> flavor. This is indeed correct, and that's because i'm wondering if it makes any sense to continue supporting both at the same time... I'm not so sure about it.</p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hsitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update to new stable kernel2014-06-26T21:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-06-26:/grsecurity-update-to-new-stable-kernel.html<p>It's here!! Grsecurity finally chose <code>Kernel 3.14</code> as the new stable kernel.<br />
I know i could have updated the <code>3.2</code> branch while waiting, but i secretely hopped for the decision to come sooner …</p><p>It's here!! Grsecurity finally chose <code>Kernel 3.14</code> as the new stable kernel.<br />
I know i could have updated the <code>3.2</code> branch while waiting, but i secretely hopped for the decision to come sooner ;) </p>
<p>Here's the changelog compared to my latest <code>3.2</code> kernel.</p>
<ul>
<li><code>3.14.8-100</code><ul>
<li>Update to devtoolset 2 with GCC 4.8</li>
<li>Don't apply grsecurity patch anymore use http://git.mauras.ch/linux-grsecurity/ tagged archives</li>
<li>Enable CONFIG_PAX_RANDKSTACK and CONFIG_GRKERNSEC_KSTACKOVERFLOW</li>
<li>Force dracut's detection of virtio_blk module - see <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1103455">bug</a></li>
</ul>
</li>
</ul>
<p>Yes, aside the version, the biggest change is the way i will now handle kernel archives.<br />
I'll now track all the Grsecurity patches in separate branches in my <a href="http://git.mauras.ch/linux-grsecurity/">Git repo</a>. This makes packaging easier, aswell as comparing patch versions.<br />
I'm still thinking of doing a repo containing all my <code>RPM spec</code> files to make <em>your</em> life easier, just have to find the correct way to have something nice and well sorted. </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a>, and don't hsitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Nginx + Uwsgi + Cgit2014-06-25T01:36:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-06-25:/nginx-uwsgi-cgit.html<p>As you've seen in my previous post, there's been some package updates in the <code>EL6 Extras</code> repository, so let's have some fun with them! </p>
<p>First you indeed need my <code>EL6 Extras</code> repository if it's not …</p><p>As you've seen in my previous post, there's been some package updates in the <code>EL6 Extras</code> repository, so let's have some fun with them! </p>
<p>First you indeed need my <code>EL6 Extras</code> repository if it's not done yet, please start with the <a href="pages/repositories.html">repositories</a> page. </p>
<h4 id="install-the-packages">Install the packages</h4>
<p>Now that you're good with the repository, install the packages:</p>
<div class="highlight"><pre><span></span><code># yum -y install nginx uwsgi cgit
</code></pre></div>
<h4 id="configure-cgit">Configure Cgit</h4>
<p>The default config from the package is pretty sane, the only thing you'll need to add to your <code>/etc/gitrc</code> - And indeed your <code>Git</code> repositories config - is:</p>
<div class="highlight"><pre><span></span><code>virtual-root<span class="o">=</span>/
</code></pre></div>
<p>This will keep <code>cgit</code> from adding <code>cgit.cgi</code> to your URL.<br />
To enable syntax highlighting, uncomment the following line in your <code>/etc/cgitrc</code></p>
<div class="highlight"><pre><span></span><code>source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
</code></pre></div>
<p>Then install <code>pygments</code> package</p>
<div class="highlight"><pre><span></span><code># yum -y install python-pygments
</code></pre></div>
<h4 id="configure-uwsgi">Configure Uwsgi</h4>
<p>Just add this simple conf</p>
<div class="highlight"><pre><span></span><code># mkdir /etc/uwsgi
# cat << EOF > /etc/uwsgi/cgit.ini
[uwsgi]
socket = 127.0.0.1:8080
uid = cgit
gid = cgit
processes = 1
threads = 2
cgi = /usr/libexec/cgit/cgit.cgi
EOF
</code></pre></div>
<p>There's no init script provided in my package yet, so just manually run - or any way you want</p>
<div class="highlight"><pre><span></span><code># uwsgi --ini /etc/uwsgi/cgit.ini &
</code></pre></div>
<h4 id="configure-nginx">Configure Nginx</h4>
<p>Finally just add this simple <code>server</code> block to your Nginx config and customize it to your needs</p>
<div class="highlight"><pre><span></span><code>server {
# Change this to your taste
listen 80 default_server;
server_name _;
# We want to serve cgit static content from /usr/share/cgit and let Nginx cache it
location ~* ^.+(cgit.(css|png)|favicon.ico) {
root /usr/share/cgit;
expires 30d;
}
# Now forward everything else to our uwsgi instance
location / {
include uwsgi_params;
uwsgi_modifier1 9;
uwsgi_pass 127.0.0.1:8080;
}
}
</code></pre></div>
<p>Start Nginx, and enjoy your <code>Cgit</code> running on your <code>server_name</code></p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you have any question.</p>EL6 Extras updates2014-06-25T01:20:00+02:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-06-25:/el6-extras-updates.html<p>I've been quite slow to keep up with updates for the last 3 months.<br />
Here's a bunch of updates:</p>
<ul>
<li>Nginx - Update to latest stable release <a href="http://nginx.org/en/CHANGES-1.4">1.4.7</a></li>
<li>Uwsgi<ul>
<li>Update to latest release <a href="https://github.com/unbit/uwsgi-docs/blob/master/Changelog-2.0.5.rst">2.0 …</a></li></ul></li></ul><p>I've been quite slow to keep up with updates for the last 3 months.<br />
Here's a bunch of updates:</p>
<ul>
<li>Nginx - Update to latest stable release <a href="http://nginx.org/en/CHANGES-1.4">1.4.7</a></li>
<li>Uwsgi<ul>
<li>Update to latest release <a href="https://github.com/unbit/uwsgi-docs/blob/master/Changelog-2.0.5.rst">2.0.5.1</a></li>
<li>Now also support CGI plugin</li>
</ul>
</li>
<li>Cgit<ul>
<li>Update to latest release <a href="http://git.zx2c4.com/cgit/diff/?id=v0.10.1&id2=v0.10">0.10.1</a></li>
<li>Major refactoring of the package<ul>
<li>Add /var/cache/cgit directory</li>
<li>Fix syntax-highlight.py</li>
<li>Modify cgitrc for a saner default config</li>
<li>Create cgit user and group</li>
<li>Overral files/paths cleanup</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Rudder: Fun with variables2014-06-19T02:41:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-06-19:/rudder-fun-with-variables.html<p>How many different configuration files do you maintain for the same service spread over your different <code>Rudder</code> groups?<br />
Personnaly only one! </p>
<p>I hate having to maintain multiple - almost - identical configuration files, it's counterproductive and definitely …</p><p>How many different configuration files do you maintain for the same service spread over your different <code>Rudder</code> groups?<br />
Personnaly only one! </p>
<p>I hate having to maintain multiple - almost - identical configuration files, it's counterproductive and definitely prone to errors. Having to change one setting in twenty files is always a painful task.<br />
Hopefully <code>Rudder</code> let's you easily manage your config file by keeping the relevant parts of it as variables and i'll show you how to get the most out of it. </p>
<h4 id="modifying-default-technique">Modifying default technique</h4>
<p>I started this post so long ago that this point is not even needed anymore. <a href="https://github.com/Normation/rudder-techniques/commit/6eb99e651d288a4af8f307a37ea01566af212020">This commit</a> merged it so you should have it by default on any latest <code>Rudder</code> minor version - <code>2.10.2, 2.9.5 and 2.6.14</code>. </p>
<p>While, in this example, we're going to mainly use <code>genericVariableDefinition</code> and <code>checkGenericFileContent</code> techniques, since <code>Rudder 2.7</code>, you can also set <code>parameters</code> and reuse them as variables inside directives.</p>
<h4 id="using-variables-to-dynamically-change-settings-in-enforced-files">Using variables to dynamically change settings in enforced files</h4>
<p><code>sshd_config</code> seems like a good example, i use the same default configuration - applied on all nodes - everywhere with only slight changes in <code>AllowGroups</code> section depending in which group the managed node is located. </p>
<p>Without using variables, i'd have to use at least 10 different directives to apply to my node groups, with actually only a tiny part of a line different from the default...<br />
If for some reason i'd want to change a default setting - not related to my <code>AllowGroups</code> section, let's say <code>PermitRootLogin</code> - i'd then have to modify 10 directives, and this would be painful...<br />
Modifying a directive is at least 3 manual actions + 1 rule generation, so i would end up with <strong>30</strong> manual actions + <strong>10</strong> rule generations.<br />
Not really efficient is it ? And along the way I could just mess one of the file syntax, rendering <code>sshd</code> unavailable for some of my nodes. </p>
<h4 id="how-does-it-look-like">How does it look like?</h4>
<p>First what do we want to achieve? We want that our <code>sshd_config AllowGroups</code> always contain the group <code>admins</code> and that some node groups also contain the group <code>not_admins</code>. </p>
<p>Let's start by creating a <code>default_admin_group</code> parameter - It's the default you should find everywhere on all your nodes, it makes sense to have it as a parameter.<br />
<em>click on images to get them in fullscreen</em> </p>
<p><a href=/img/rudder_fun_with_variables/parameters.png><img alt="Rudder parameters" src="/img/rudder_fun_with_variables/parameters.png" /></a></p>
<p>Now create a new <code>Generic CFEngine variable definition</code> directive with the default priority - <code>5</code>.<br />
This one will be applied to <em>all</em> your nodes.
<a href=/img/rudder_fun_with_variables/gen_var_5.png><img alt="Generic variable definition 5" src="/img/rudder_fun_with_variables/gen_var_5.png" /></a></p>
<p>Create a second one with priority set to <code>9</code> this time - Actually anything higher than <code>5</code>.<br />
This one will be applied <em>only</em> to the node groups where you want the group <code>not_admins</code>
<a href=/img/rudder_fun_with_variables/gen_var_9.png><img alt="Generic variable definition 9" src="/img/rudder_fun_with_variables/gen_var_9.png" /></a>
The higher priority means that this directive will be applied <em>after</em> the first one and consequently override <code>${generic_variable_definition.SSH_ALLOWED}</code>. </p>
<p>Finally create your default <code>Enforce a file content</code> directive.<br />
<a href=/img/rudder_fun_with_variables/enforce_file_content.png><img alt="Rudder parameters" src="/img/rudder_fun_with_variables/enforce_file_content.png" /></a></p>
<p><em>In plain text</em></p>
<div class="highlight"><pre><span></span><code>${rudder.rudder_file_edit_header}
# stripped down default sshd config for the sake of example
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups ${generic_variable_definition.SSH_ALLOWED}
</code></pre></div>
<p>Once applied on your nodes you'll get this</p>
<div class="highlight"><pre><span></span><code>#########################################
### Managed by Rudder, edit with care ###
#########################################
# stripped down default sshd config for the sake of example
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups admins
</code></pre></div>
<p>Or depending if you apply the second generic variable directive with the priority <code>9</code></p>
<div class="highlight"><pre><span></span><code>#########################################
### Managed by Rudder, edit with care ###
#########################################
# stripped down default sshd config for the sake of example
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups admins not_admins
</code></pre></div>
<p>Now you can just easily add/change settings of your <code>sshd</code> service in a single location. </p>
<h4 id="even-more-fun">Even more fun?</h4>
<p>You can also set empty values for your variables in the <code>Generic CFEngine variable definition</code>, this will let you insert <em>default</em> empty values replaced by actual content when needed. </p>
<p><em>Default variable</em></p>
<div class="highlight"><pre><span></span><code>variable name: SFTP
variable content:
</code></pre></div>
<p>You set an empty variable here because you need your <em>default</em> configuration to have <em>nothing</em> set. In this example only your SFTP nodes group will have something configured. </p>
<p><em>For your SFTP nodes group</em></p>
<div class="highlight"><pre><span></span><code>variable name: SFTP
variable content: Match group sftpusers$(const.n)$(const.t)ChrootDirectory /sftp/$(const.n)$(const.t)ForceCommand internal-sftp
</code></pre></div>
<p><em>Your default <code>Enforce a file content</code> directive</em></p>
<div class="highlight"><pre><span></span><code>${rudder.rudder_file_edit_header}
# stripped down default sshd config for the sake of example
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups ${generic_variable_definition.SSH_ALLOWED}
# Only populated on SFTP servers
${generic_variable_definition.SFTP}
</code></pre></div>
<p>Which would be expanded to</p>
<div class="highlight"><pre><span></span><code>#########################################
### Managed by Rudder, edit with care ###
#########################################
# stripped down default sshd config for the sake of example
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups admins not_admins
# Only populated on SFTP servers
Match group sftpusers
ChrootDirectory /sftp/
ForceCommand internal-sftp
</code></pre></div>
<p>Hope you'll find this article useful and as usual, feel free to <a href="/pages/contact.html">contact</a> me if you have any question!</p>Grsecurity updates and kernel-test "EOL"2014-04-05T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-04-05:/grsecurity-updates-and-kernel-test-eol.html<p>New versions of my grsecurity kernels.</p>
<ul>
<li><code>3.2.55-4</code> and <code>3.2.55-104</code><ul>
<li>Upgrade to grsecurity-3.0-3.2.55-201403252026.patch</li>
<li>Set CONFIG_GRKERNSEC_FLOODBURST=1000</li>
</ul>
</li>
</ul>
<p>Yes they were actually available in the repo since end of march …</p><p>New versions of my grsecurity kernels.</p>
<ul>
<li><code>3.2.55-4</code> and <code>3.2.55-104</code><ul>
<li>Upgrade to grsecurity-3.0-3.2.55-201403252026.patch</li>
<li>Set CONFIG_GRKERNSEC_FLOODBURST=1000</li>
</ul>
</li>
</ul>
<p>Yes they were actually available in the repo since end of march but i hadn't time to blog about it.<br />
Please also note that i'm not gonna update <code>kernel-test</code> anymore. It takes too much time to keep up, and <code>Grsecurity</code> stable kernel should soon switch to 3.13 or 3.14 - Depending what Canonical decides for their 14.04 LTS.<br />
I'll let the reposiroty as it is for those interested in SRPMs. </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a> </p>
<p>Don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Unbound update - Now with pythonmodule!2014-03-22T12:45:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-03-22:/unbound-update-now-with-pythonmodule.html<p>Unbound latest version - <a href="http://www.unbound.net/download.html">1.4.22</a><br />
Notable differences:</p>
<ul>
<li>Doesn't depend on <code>ldns</code> anymore - <code>yum -y update unbound && yum -y remove ldns</code></li>
<li>Built with pythonmodule support</li>
</ul>
<p>Init script will populate <code>chroot</code> with your <code>python2.6</code> directory …</p><p>Unbound latest version - <a href="http://www.unbound.net/download.html">1.4.22</a><br />
Notable differences:</p>
<ul>
<li>Doesn't depend on <code>ldns</code> anymore - <code>yum -y update unbound && yum -y remove ldns</code></li>
<li>Built with pythonmodule support</li>
</ul>
<p>Init script will populate <code>chroot</code> with your <code>python2.6</code> directory so that <a href="http://www.mauras.ch/tag/python.html">python</a> scripts can be fully usable. </p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>Nginx update2014-03-07T17:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-03-07:/nginx-update.html<p>Nginx latest stable version - <a href="http://nginx.org/en/CHANGES-1.4">1.4.6</a></p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>EL6 Extras update2014-03-01T15:47:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-03-01:/el6-extras-update.html<p>Keeping up with non up to date packages. Please find latest version 2.68 of <a href="http://www.thekelleys.org.uk/dnsmasq/doc.html">dnsmasq</a> </p>
<p>As usual, <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues.</p>EL6 Extras additions and Grsecurity kernels2014-02-26T20:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-02-26:/el6-extras-additions-and-grsecurity-kernels.html<h4 id="el6-extras">El6 Extras</h4>
<ul>
<li>Updates:<ul>
<li>Nginx 1.4.5</li>
</ul>
</li>
<li>Additions:<ul>
<li>Exim 4.82</li>
<li>Libgsasl 1.8.0 - needed by exim</li>
<li>Unbound 1.4.21</li>
<li>Ldns 1.6.17 - needed by unbound</li>
</ul>
</li>
</ul>
<p>The usual, Full RELRO, PIE, no …</p><h4 id="el6-extras">El6 Extras</h4>
<ul>
<li>Updates:<ul>
<li>Nginx 1.4.5</li>
</ul>
</li>
<li>Additions:<ul>
<li>Exim 4.82</li>
<li>Libgsasl 1.8.0 - needed by exim</li>
<li>Unbound 1.4.21</li>
<li>Ldns 1.6.17 - needed by unbound</li>
</ul>
</li>
</ul>
<p>The usual, Full RELRO, PIE, no RPATH and up to date builds. </p>
<h4 id="grsecurity">Grsecurity</h4>
<ul>
<li>Completely re-arranged the repository, please update your <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repo file</a></li>
<li>I added a new kernel without ZFS compatibility. It will be numbered starting 100 to differenciate from the classic stable with ZFS kernel. Please enable <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">kernel-nozfs</a> repo in your <code>grsecurity.repo</code> file.</li>
<li>Updates:<ul>
<li>Kernel stable 3.2.55 to grsecurity-3.0-3.2.55-201402152203.patch<ul>
<li><code>kernel-nozfs</code> has the <a href="http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures">RANDSTRUCT option</a> enabled</li>
</ul>
</li>
<li>ZFS modules now synced from the git master repo of <code>zfsonlinux</code> - Still have snapshot automount issue.</li>
</ul>
</li>
</ul>
<p>As usual please <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you encounter any issues with these packages.</p>EL6 Extras package additions2014-01-31T07:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-01-31:/el6-extras-package-additions.html<p>I forgot to port my old <a href="http://tmux.sourceforge.net/">tmux</a> package over the new <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 Extras</a> repo, so here comes the addition. </p>
<p>Please note that i updated it to version 1.8 which now requires the use of …</p><p>I forgot to port my old <a href="http://tmux.sourceforge.net/">tmux</a> package over the new <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 Extras</a> repo, so here comes the addition. </p>
<p>Please note that i updated it to version 1.8 which now requires the use of libevent 2 - since version 1.7 actually, tmux 1.6 was the last version compatible with libevent 1.4 that you may find on EPEL.<br />
To keep compatibility between libevent versions, libevent2 package will install itself in <code>/opt/el6_extras</code>.<br />
Starting from now, i'll use this directory to support multiple versions of apps/libs. </p>
<p>As usual you'll have to use the <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">GPG public key</a> to verify packages signature.</p>Grsecurity updates2014-01-24T00:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2014-01-24:/grsecurity-updates.html<p>I've been quite busy during December with holidays and all, so here's my attempt to keep up with up to date grsecurity patches. </p>
<ul>
<li>Stable 3.2.54 kernel</li>
<li>Test 3.12.8 kernel</li>
<li>Gradm 201401231926 …</li></ul><p>I've been quite busy during December with holidays and all, so here's my attempt to keep up with up to date grsecurity patches. </p>
<ul>
<li>Stable 3.2.54 kernel</li>
<li>Test 3.12.8 kernel</li>
<li>Gradm 201401231926</li>
<li>spl/zfs <a href="https://github.com/ryao">Ryao</a>'s gentoo-next branch</li>
</ul>
<p><a href="https://github.com/ryao">Ryao</a> is one of the main <code>zfsonlinux</code> developpers which is also maintaining <code>Gentoo</code>'s ZFS port with <code>hardened</code> profile in mind. Switching to <a href="https://github.com/ryao">Ryao</a>'s gentoo-next branch thus makes more sense as <a href="https://github.com/ryao">Ryao</a> tightly follows <code>Grsecurity</code> changes that could break ZFS.<br />
These new ZFS packages are fixing the <code>failed user helper</code> error introduced by the new restrictions in <code>Grsecurity</code> 3.0. It still doesn't fix the ZFS snapshot automount functionnality though, but i did report it to <a href="https://github.com/ryao">Ryao</a> and hope to be able to quickly provide a fixed package. </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a> </p>
<p>Changelog:
Grsecurity changelogs can be found here: <a href="http://grsecurity.net/changelog-stable2.txt">stable</a> and <a href="http://grsecurity.net/changelog-test.txt">test</a><br />
spl/zfs gentoo-next diff are there: <a href="https://github.com/ryao/spl/compare/gentoo-next">spl</a> and <a href="https://github.com/ryao/zfs/compare/gentoo-next">zfs</a></p>
<p>Don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Rudder agent configuration at node first boot2014-01-24T00:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-01-24:/rudder-agent-configuration-at-node-first-boot.html<p>After migrating all my rules from <code>Cfengine</code> to <code>Rudder</code>, i was still missing something. All my freshly kickstarted nodes weren't by default integrated to <code>Rudder</code>.<br />
While it was fairly easy on my <code>Cfengine</code> installation to …</p><p>After migrating all my rules from <code>Cfengine</code> to <code>Rudder</code>, i was still missing something. All my freshly kickstarted nodes weren't by default integrated to <code>Rudder</code>.<br />
While it was fairly easy on my <code>Cfengine</code> installation to fetch rules for a new node during the kickstart phase, the fact that <code>Rudder</code> requires the node to be accepted first, was kind of breaking my server provisioning workflow. </p>
<p>Hopefully <code>Rudder API</code> provides everything's needed to programatically accept a new node on your <code>Rudder</code> server.<br />
The following init script is to be used at your node's first boot. It will send its inventory to the server, accept it from the pending nodes list and then fetch and apply the rules. </p>
<p>I consider that you've been able to install <code>rudder-agent</code> and activate this script from you kickstart install prior to the node's first boot. </p>
<p><code>rudder-installer</code> init script:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1">## BEGIN INIT INFO</span>
<span class="c1"># Provides: rudder-installer</span>
<span class="c1"># Default-Start: 3 4 5</span>
<span class="c1"># Default-Stop: 0 1 2 3 4 6</span>
<span class="c1"># Required-Start:</span>
<span class="c1">#</span>
<span class="c1">## END INIT INFO</span>
<span class="c1"># rudder-installer: Configure rudder agent</span>
<span class="c1"># chkconfig: 345 70 99</span>
<span class="c1"># description: Configure rudder agent</span>
<span class="c1"># Source function library.</span>
.<span class="w"> </span>/etc/init.d/functions
<span class="c1"># Variables</span>
<span class="nv">PATH</span><span class="o">=</span>/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin
<span class="nv">API_TOKEN</span><span class="o">=</span><span class="s2">"<YOUR API TOKEN>"</span>
<span class="nv">RUDDER_SRV</span><span class="o">=</span><span class="s2">"<YOUR RUDDER SERVER URL>"</span>
<span class="nv">RUDDER_SRV_HOSTNAME</span><span class="o">=</span><span class="s2">"<YOUR RUDDER SERVER HOSTNAME>"</span>
<span class="c1"># This will remove the script if configuration ended up correctly</span>
clean<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">"Removing starting script"</span>
<span class="w"> </span>chkconfig<span class="w"> </span>--del<span class="w"> </span>rudder-installer
<span class="w"> </span>rm<span class="w"> </span>-f<span class="w"> </span>/etc/init.d/rudder-installer<span class="w"> </span><span class="p">&</span>><span class="w"> </span>/dev/null
<span class="w"> </span><span class="nv">RETVAL</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nv">$RETVAL</span>
<span class="o">}</span>
<span class="c1"># Configuration of agent</span>
start<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Configuring rudder agent"</span>
<span class="w"> </span><span class="c1"># Configure server</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">$RUDDER_SRV_HOSTNAME</span><span class="w"> </span>><span class="w"> </span>/var/rudder/cfengine-community/policy_server.dat
<span class="w"> </span><span class="c1"># Now declare host on server</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Sending node inventory to the server - Can take up to 10mn please be patient..."</span>
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span>-D<span class="w"> </span>force_inventory<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span><span class="c1"># My inotify script will process the new inventory in far less than 10s, but better safe than sorry</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Actually sleeps 10s as it's the needed time to process inventory"</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">10</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Verify that node is now pending on the server"</span>
<span class="w"> </span><span class="c1"># Ask server using API</span>
<span class="w"> </span><span class="nv">I</span><span class="o">=</span><span class="m">0</span>
<span class="w"> </span><span class="nv">RESULT</span><span class="o">=</span><span class="k">$(</span>curl<span class="w"> </span>-k<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>-H<span class="w"> </span><span class="s1">'Content-Type: application/json'</span><span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Token: </span><span class="si">${</span><span class="nv">API_TOKEN</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Version: 2"</span><span class="w"> </span><span class="si">${</span><span class="nv">RUDDER_SRV</span><span class="si">}</span>/rudder/api/nodes/pending<span class="w"> </span><span class="m">2</span>>><span class="w"> </span>/root/rudder.log<span class="w"> </span><span class="p">|</span><span class="w"> </span>sed<span class="w"> </span><span class="s1">'s/,/\n/g'</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="nv">$HOSTNAME</span><span class="w"> </span>-B<span class="w"> </span><span class="m">2</span><span class="k">)</span>
<span class="w"> </span><span class="nv">RET</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="c1"># Looping to check if node is in pending list</span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$RET</span><span class="w"> </span>!<span class="o">=</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">I</span><span class="o">=</span><span class="k">$((</span><span class="si">${</span><span class="nv">I</span><span class="si">}</span><span class="o">+</span><span class="m">1</span><span class="k">))</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$I</span><span class="w"> </span>-lt<span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nv">RESULT</span><span class="o">=</span><span class="k">$(</span>curl<span class="w"> </span>-k<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span>-H<span class="w"> </span><span class="s1">'Content-Type: application/json'</span><span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Token: </span><span class="si">${</span><span class="nv">API_TOKEN</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Version: 2"</span><span class="w"> </span><span class="si">${</span><span class="nv">RUDDER_SRV</span><span class="si">}</span>/rudder/api/nodes/pending<span class="w"> </span><span class="m">2</span>>><span class="w"> </span>/root/rudder.log<span class="w"> </span><span class="p">|</span><span class="w"> </span>sed<span class="w"> </span><span class="s1">'s/,/\n/g'</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="nv">$HOSTNAME</span><span class="w"> </span>-B<span class="w"> </span><span class="m">2</span><span class="k">)</span>
<span class="w"> </span><span class="nv">RET</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="c1"># We exit if the node is still not in pending list</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"!! Inventory discovery took too long, something must have fail - Exiting"</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">5</span>
<span class="w"> </span><span class="nb">exit</span>
<span class="w"> </span><span class="k">fi</span>
<span class="w"> </span><span class="k">done</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Get the node ID from the server"</span>
<span class="w"> </span><span class="nv">NODEID</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="nv">$RESULT</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sed<span class="w"> </span><span class="s1">'s/.*id\":\"//;s/\".*//'</span><span class="k">)</span>
<span class="w"> </span><span class="nv">RET</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Auto accept node"</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Accepting node"</span><span class="w"> </span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>curl<span class="w"> </span>-k<span class="w"> </span>-X<span class="w"> </span>POST<span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Version: latest"</span><span class="w"> </span>-H<span class="w"> </span><span class="s2">"X-API-Token: </span><span class="si">${</span><span class="nv">API_TOKEN</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="si">${</span><span class="nv">RUDDER_SRV</span><span class="si">}</span>/rudder/api/nodes/pending/<span class="si">${</span><span class="nv">NODEID</span><span class="si">}</span><span class="w"> </span>-d<span class="w"> </span><span class="s2">"status=accepted"</span><span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span><span class="c1"># At least should have :)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Node has been accepted!"</span>
<span class="w"> </span><span class="c1"># Yes 6mn is a safe waiting time on my server which takes ~4mn30 to process new server rules</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">" - Now that the node is accepted wait for 6 mn while Rudder server rebuilds rules"</span>
<span class="w"> </span><span class="nv">i</span><span class="o">=</span><span class="m">0</span>
<span class="w"> </span><span class="c1"># Here's the ugly "Make the user wait" timer</span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span>-lt<span class="w"> </span><span class="m">360</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span><span class="nv">i</span><span class="o">=</span><span class="k">$((</span><span class="nv">$i</span><span class="o">+</span><span class="m">1</span><span class="k">))</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">60</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">90</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">120</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">150</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">180</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">210</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">240</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">270</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">300</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">330</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-ne<span class="w"> </span><span class="s2">"."</span>
<span class="w"> </span><span class="k">fi</span>
<span class="w"> </span><span class="k">done</span>
<span class="w"> </span><span class="c1"># Ok rules should be generated now let's apply them on the node</span>
<span class="w"> </span><span class="c1"># I run two first command twice to ensure everything's good - once should be sufficient</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-e<span class="w"> </span><span class="s2">"\n - Updating rules"</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"### Ensure UUID is correctly detected by the node ###"</span><span class="w"> </span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"### Update rules ###"</span><span class="w"> </span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span>-b<span class="w"> </span>update<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span>-b<span class="w"> </span>update<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"### Now apply them ###"</span><span class="w"> </span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span>/opt/rudder/bin/cf-agent<span class="w"> </span>-KI<span class="w"> </span><span class="p">&</span>>><span class="w"> </span>/root/rudder.log
<span class="w"> </span><span class="nv">RETVAL</span><span class="o">=</span><span class="nv">$?</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nv">$RETVAL</span>
<span class="o">}</span>
<span class="c1"># Init script parameters stuff</span>
<span class="k">case</span><span class="w"> </span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span><span class="w"> </span><span class="k">in</span>
<span class="w"> </span>start<span class="o">)</span>
<span class="w"> </span>start<span class="w"> </span><span class="o">&&</span><span class="w"> </span>success<span class="w"> </span><span class="o">||</span><span class="w"> </span>failure
<span class="w"> </span><span class="o">[[</span><span class="w"> </span><span class="nv">$?</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]]</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span>clean<span class="w"> </span><span class="o">&&</span><span class="w"> </span>success<span class="w"> </span><span class="o">||</span><span class="w"> </span>failure
<span class="w"> </span><span class="nb">echo</span>
<span class="w"> </span><span class="p">;;</span>
<span class="w"> </span>*<span class="o">)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>$<span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> start"</span>
<span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">3</span>
<span class="w"> </span><span class="p">;;</span>
<span class="k">esac</span>
</code></pre></div>
<p>So upon completion, the script will remove itself from the init sequence and your freshly installed node should have all required rules applied. If not, consult <code>/root/rudder.log</code> for details.<br />
You have to use my <a href="http://www.mauras.ch/speed-up-rudder-new-nodes-detection.html">inotify script</a> on the server, as if you don't you will encounter the infamous "5mn delay" before your node appears in the <code>Rudder</code> new nodes pending list which would render this init script completely useless as it would exit without applying any rules. </p>
<p>As usual, don't hesitate to <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you have any question.</p>What's using swap2014-01-14T21:00:00+01:002023-10-03T23:53:14+02:00Olivier Maurastag:www.mauras.ch,2014-01-14:/whats-using-swap.html<p>If like me you're bored of looping over all <code>/proc/<pid>/status</code> files to find which application is actually using swap, here a tiny <code>python</code> script to ease the task. </p>
<p>The script outputs a list …</p><p>If like me you're bored of looping over all <code>/proc/<pid>/status</code> files to find which application is actually using swap, here a tiny <code>python</code> script to ease the task. </p>
<p>The script outputs a list of processes using swap with the following format: <code><name> <uid> <swap usage></code></p>
<p>Here's an example of what you can expect of the output of <code>vmswap.py | sort -nk3</code>:</p>
<div class="highlight"><pre><span></span><code>pampd 501 4060kB
spampd 501 4100kB
spampd 501 4228kB
rsyslogd 0 4328kB
spampd 501 4368kB
spampd 501 7576kB
spampd 501 7612kB
httpd 48 10100kB
httpd 48 10140kB
httpd 48 10188kB
httpd 48 10216kB
httpd 48 10284kB
httpd 48 10308kB
httpd 48 10332kB
httpd 48 10388kB
httpd 48 10616kB
httpd 48 10628kB
httpd 48 10636kB
httpd 48 10848kB
httpd 48 10908kB
httpd 48 10916kB
httpd 48 10972kB
httpd 48 10980kB
httpd 48 11000kB
httpd 0 11084kB
httpd 48 11276kB
httpd 48 13056kB
httpd 48 14076kB
miniserv.pl 0 17412kB
memcached 496 23796kB
named 25 42388kB
mysqld 27 46292kB
</code></pre></div>
<p>And here's <code>vmswap.py</code>:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/env python2</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">types</span>
<span class="kn">import</span> <span class="nn">subprocess</span>
<span class="k">def</span> <span class="nf">get_command_output</span><span class="p">(</span><span class="n">cmd</span><span class="p">):</span>
<span class="c1"># Get its output </span>
<span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">Popen</span><span class="p">(</span><span class="n">cmd</span><span class="o">.</span><span class="n">split</span><span class="p">(),</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">process</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span>
<span class="k">return</span> <span class="n">output</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="c1"># Defaults ps command and arguments</span>
<span class="n">ps_cmd</span> <span class="o">=</span> <span class="s1">'ps'</span>
<span class="n">ps_args</span> <span class="o">=</span> <span class="s1">'axcu'</span>
<span class="c1"># Build ps command</span>
<span class="n">ps_cmd</span> <span class="o">=</span> <span class="s1">'</span><span class="si">%s</span><span class="s1"> </span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">ps_cmd</span><span class="p">,</span> <span class="n">ps_args</span><span class="p">)</span>
<span class="c1"># Get command output</span>
<span class="n">plist</span> <span class="o">=</span> <span class="n">get_command_output</span><span class="p">(</span><span class="n">ps_cmd</span><span class="p">)</span>
<span class="c1"># Declare final list</span>
<span class="n">flist</span> <span class="o">=</span> <span class="p">[]</span>
<span class="n">fadd</span> <span class="o">=</span> <span class="n">flist</span><span class="o">.</span><span class="n">append</span>
<span class="n">proc</span> <span class="o">=</span> <span class="p">{}</span>
<span class="c1"># Loop on output list</span>
<span class="k">for</span> <span class="n">pline</span> <span class="ow">in</span> <span class="n">plist</span><span class="p">:</span>
<span class="c1"># Make a list out of each line</span>
<span class="n">proc_list</span> <span class="o">=</span> <span class="n">pline</span><span class="o">.</span><span class="n">split</span><span class="p">()</span>
<span class="k">if</span> <span class="n">proc_list</span> <span class="ow">and</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="s1">'/proc'</span><span class="p">,</span> <span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="s1">'status'</span><span class="p">)):</span>
<span class="n">proc</span><span class="p">[</span><span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]]</span> <span class="o">=</span> <span class="p">{}</span>
<span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="nb">open</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="s1">'/proc'</span><span class="p">,</span> <span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="s1">'status'</span><span class="p">),</span> <span class="s1">'rb'</span><span class="p">):</span>
<span class="k">if</span> <span class="s1">'Name:'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span>
<span class="n">pname</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">strip</span><span class="p">(</span><span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="n">pname</span> <span class="o">=</span> <span class="n">pname</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">'</span><span class="se">\t</span><span class="s1">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">proc</span><span class="p">[</span><span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]][</span><span class="s1">'name'</span><span class="p">]</span> <span class="o">=</span> <span class="n">pname</span>
<span class="k">elif</span> <span class="s1">'Uid:'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span>
<span class="n">puid</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">'</span><span class="se">\t</span><span class="s1">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">proc</span><span class="p">[</span><span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]][</span><span class="s1">'uid'</span><span class="p">]</span> <span class="o">=</span> <span class="n">puid</span>
<span class="k">elif</span> <span class="s1">'VmSwap:'</span> <span class="ow">in</span> <span class="n">line</span><span class="p">:</span>
<span class="n">pswap</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">strip</span><span class="p">(</span><span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="n">pswap</span> <span class="o">=</span> <span class="n">pswap</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">'</span><span class="se">\t</span><span class="s1">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">proc</span><span class="p">[</span><span class="n">proc_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]][</span><span class="s1">'swap'</span><span class="p">]</span> <span class="o">=</span> <span class="s2">" "</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">pswap</span><span class="o">.</span><span class="n">split</span><span class="p">())</span>
<span class="k">for</span> <span class="n">pid</span> <span class="ow">in</span> <span class="n">proc</span><span class="p">:</span>
<span class="k">if</span> <span class="s1">'swap'</span> <span class="ow">in</span> <span class="n">proc</span><span class="p">[</span><span class="n">pid</span><span class="p">]:</span>
<span class="k">if</span> <span class="n">proc</span><span class="p">[</span><span class="n">pid</span><span class="p">][</span><span class="s1">'swap'</span><span class="p">]</span> <span class="o">!=</span> <span class="s1">'0 kB'</span><span class="p">:</span>
<span class="n">output</span> <span class="o">=</span> <span class="s1">'</span><span class="si">%s</span><span class="s1"> </span><span class="si">%s</span><span class="s1"> </span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">proc</span><span class="p">[</span><span class="n">pid</span><span class="p">][</span><span class="s1">'name'</span><span class="p">],</span> <span class="n">proc</span><span class="p">[</span><span class="n">pid</span><span class="p">][</span><span class="s1">'uid'</span><span class="p">],</span> <span class="n">proc</span><span class="p">[</span><span class="n">pid</span><span class="p">][</span><span class="s1">'swap'</span><span class="p">]</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">" "</span><span class="p">,</span> <span class="s2">""</span><span class="p">))</span>
<span class="nb">print</span><span class="p">(</span><span class="n">output</span><span class="p">)</span>
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">'__main__'</span><span class="p">:</span>
<span class="n">main</span><span class="p">()</span>
</code></pre></div>
<p>Don't hesitate to <a href="http://www.mauras.ch/pages/contact.html">contact me</a> if you have any question or suggestion.</p>Grsecurity kernels update2013-12-02T00:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-12-02:/grsecurity-kernels-update.html<p>Second grsecurity patch in less than a week :)</p>
<ul>
<li>Stable 3.2.53 kernel</li>
<li>Test 3.12.2 kernel</li>
</ul>
<h4 id="warning">WARNING!</h4>
<p>Please don't use 3.2.52 package. It was built without important <code>virtio</code> drivers which would …</p><p>Second grsecurity patch in less than a week :)</p>
<ul>
<li>Stable 3.2.53 kernel</li>
<li>Test 3.12.2 kernel</li>
</ul>
<h4 id="warning">WARNING!</h4>
<p>Please don't use 3.2.52 package. It was built without important <code>virtio</code> drivers which would make it kernel panic under a KVM guest.<br />
Please also be aware that this Grsecurity patch enforcing kernel helpers in <code>/sbin</code> will prevent <code>zfs</code> automounting snapshots. </p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a> </p>
<p>Changelog:
Grsecurity changelogs can be found here: <a href="http://grsecurity.net/changelog-stable2.txt">stable</a> and <a href="http://grsecurity.net/changelog-test.txt">test</a></p>
<p>Don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Grsecurity update to latest 3.0 patch2013-11-29T00:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-11-29:/grsecurity-update-to-latest-30-patch.html<p>Here comes the new packages supporting the new Grsecurity patch version!<br />
This mean:</p>
<ul>
<li>Stable 3.2.52 kernel<ul>
<li>And its 0.6.2 ZFS modules</li>
</ul>
</li>
<li>Test 3.12.1 kernel<ul>
<li>ZFS modules has been updated …</li></ul></li></ul><p>Here comes the new packages supporting the new Grsecurity patch version!<br />
This mean:</p>
<ul>
<li>Stable 3.2.52 kernel<ul>
<li>And its 0.6.2 ZFS modules</li>
</ul>
</li>
<li>Test 3.12.1 kernel<ul>
<li>ZFS modules has been updated latest master git branch for 3.12 compatibility</li>
</ul>
</li>
<li>Gradm 3.0</li>
</ul>
<p>You can note the return - if you ever noticed it was gone - of the stable kernel. Finally had time to catch up with the stable releases and add the configuration improvement made on the test kernels. </p>
<h4 id="warning">WARNING!</h4>
<p>Please note that size overflow plugin has been modified to have more coverage. This could mean that something working on a previous kernel could be broken on this new one - modules compilation etc...<br />
It seems to impact only the stable 3.2.52 kernel though but <strong>USE AT YOUR OWN RISK!</strong></p>
<p>As usual RPMs are available using the YUM <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>Kernel 3.12.1:
- Update to grsecurity-3.0-3.12.1-201311261522.patch
- Add option CONFIG_GRKERNSEC_JIT_HARDEN
- Add option CONFIG_GRKERNSEC_HARDEN_IPC
Kernel 3.2.52:
- Upgrade to grsecurity-3.0-3.2.52-201311261520.patch
- Add all options added to test
- Remove overlayfs patch
- Add option CONFIG_GRKERNSEC_JIT_HARDEN
ZFS/SPL modules - kernel-test only:
- Update to git master branch - 16_g30607d9
Gradm:
- Update to 3.0
- Remove management of /dev/grsec through the package
</code></pre></div>
<p>Don't hesitate to <a href="pages/contact.html">contact</a> me if you find any issue.</p>Nginx package update2013-11-19T20:25:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-11-19:/nginx-package-update.html<p>I guess you've heard about <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547">CVE-2013-4547</a>, so <a href="http://repos.mauras.ch/EL6/SRPMS/nginx-1.4.4-1.el6.src.rpm">here's</a> version 1.4.4 of Nginx.<br />
As usual it's available directly from my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 extras repository</a> and you'll have to use the <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">GPG public key</a> to verify …</p><p>I guess you've heard about <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547">CVE-2013-4547</a>, so <a href="http://repos.mauras.ch/EL6/SRPMS/nginx-1.4.4-1.el6.src.rpm">here's</a> version 1.4.4 of Nginx.<br />
As usual it's available directly from my <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 extras repository</a> and you'll have to use the <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">GPG public key</a> to verify packages signature.</p>Easy git access control - Part 2 - more granularity2013-11-11T21:00:00+01:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-11-11:/easy-git-access-control-part-2-more-granularity.html<p>In my <a href="../easy-git-access-control.html">previous post</a> i talked about how to easily manage write permissions on a <code>git</code> repository.<br />
As i said, the script could easily be extented to provide more granularity.<br />
Here comes an improved version …</p><p>In my <a href="../easy-git-access-control.html">previous post</a> i talked about how to easily manage write permissions on a <code>git</code> repository.<br />
As i said, the script could easily be extented to provide more granularity.<br />
Here comes an improved version!</p>
<p>Features: </p>
<ul>
<li>Support groups</li>
<li>Support nested groups</li>
<li>Let's you name the admin group</li>
<li>Let's you give full rights to admin group</li>
<li>Let's you give user the right to push to his/her own branch - branch named after user name</li>
</ul>
<p>Here's an example <code>git.acl</code>:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span>global<span class="o">]</span>
<span class="c1"># Name of the admin group</span>
<span class="nv">admin_group</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>admin
<span class="c1"># Is admin group able to push everything? 0|1</span>
<span class="nv">full_admin</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">1</span>
<span class="c1"># Is user able to push in his named branch? 0|1</span>
<span class="nv">owner_branch</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">1</span>
<span class="o">[</span>groups<span class="o">]</span>
<span class="nv">admin</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>olivier<span class="w"> </span>joe
<span class="nv">commiters</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>@admin<span class="w"> </span>jane<span class="w"> </span>jim
<span class="nv">project1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>@admin<span class="w"> </span>@commiters<span class="w"> </span>@project2
<span class="nv">project2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>@admin<span class="w"> </span>john<span class="w"> </span>mickael
<span class="o">[</span>branches<span class="o">]</span>
<span class="nv">master</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>@admin
<span class="nv">project1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>@project1
<span class="nv">test_branch</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>sam
</code></pre></div>
<p>And here is the updated <code>update</code> hook:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/env python2</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">subprocess</span>
<span class="kn">import</span> <span class="nn">ConfigParser</span>
<span class="c1">#from pprint import pprint</span>
<span class="c1"># Exit on error</span>
<span class="k">def</span> <span class="nf">error_exit</span><span class="p">(</span><span class="n">string</span><span class="p">):</span>
<span class="nb">print</span> <span class="n">string</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># Exit on success</span>
<span class="k">def</span> <span class="nf">ok_exit</span><span class="p">(</span><span class="n">string</span><span class="p">):</span>
<span class="nb">print</span> <span class="n">string</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="c1"># Recursively get all users from a group</span>
<span class="k">def</span> <span class="nf">expand_nested_groups</span><span class="p">(</span><span class="n">groups</span><span class="p">,</span> <span class="n">group</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">parsed_groups</span><span class="o">=</span><span class="p">[]):</span>
<span class="n">parsed_groups</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">group</span><span class="p">)</span>
<span class="k">if</span> <span class="n">user</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s1">'@'</span><span class="p">):</span>
<span class="n">group_name</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="mi">1</span><span class="p">:]</span>
<span class="k">if</span> <span class="n">group_name</span> <span class="ow">in</span> <span class="n">parsed_groups</span><span class="p">:</span>
<span class="k">return</span> <span class="p">[]</span>
<span class="n">res</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span>
<span class="k">for</span> <span class="n">u</span> <span class="ow">in</span> <span class="n">groups</span><span class="p">[</span><span class="n">group_name</span><span class="p">]:</span>
<span class="n">res</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">expand_nested_groups</span><span class="p">(</span>
<span class="n">groups</span><span class="p">,</span>
<span class="n">group_name</span><span class="p">,</span>
<span class="n">u</span><span class="p">,</span>
<span class="n">parsed_groups</span><span class="p">))</span>
<span class="k">return</span> <span class="n">res</span>
<span class="k">return</span> <span class="p">[</span><span class="n">user</span><span class="p">]</span>
<span class="c1"># Verify that acl_file exists before reading it</span>
<span class="k">def</span> <span class="nf">_config</span><span class="p">():</span>
<span class="c1"># Fix acl file path if needed</span>
<span class="n">exec_path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getcwd</span><span class="p">()</span>
<span class="k">if</span> <span class="s1">'/hooks/'</span> <span class="ow">in</span> <span class="n">exec_path</span><span class="p">:</span>
<span class="n">acl_file</span> <span class="o">=</span> <span class="s1">'./git.acl'</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">acl_file</span> <span class="o">=</span> <span class="s1">'./hooks/git.acl'</span>
<span class="c1"># Open and read acl file if exists</span>
<span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">acl_file</span><span class="p">):</span>
<span class="n">config</span> <span class="o">=</span> <span class="n">ConfigParser</span><span class="o">.</span><span class="n">RawConfigParser</span><span class="p">()</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">config</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="n">acl_file</span><span class="p">):</span>
<span class="n">error_exit</span><span class="p">(</span><span class="n">acl_file</span><span class="o">+</span><span class="s2">" doesn't seem to be a valid config file!"</span><span class="p">)</span>
<span class="k">return</span> <span class="n">config</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="n">acl_file</span><span class="o">+</span><span class="s2">" is missing!"</span><span class="p">)</span>
<span class="c1"># Returns global settings </span>
<span class="k">def</span> <span class="nf">_config_global</span><span class="p">(</span><span class="n">config</span><span class="p">,</span> <span class="n">option</span><span class="p">,</span> <span class="n">is_int</span><span class="p">):</span>
<span class="c1"># Verify if global section exists</span>
<span class="k">if</span> <span class="n">config</span><span class="o">.</span><span class="n">has_section</span><span class="p">(</span><span class="s1">'global'</span><span class="p">):</span>
<span class="k">if</span> <span class="n">config</span><span class="o">.</span><span class="n">has_option</span><span class="p">(</span><span class="s1">'global'</span><span class="p">,</span> <span class="n">option</span><span class="p">):</span>
<span class="k">if</span> <span class="n">is_int</span><span class="p">:</span>
<span class="k">return</span> <span class="n">config</span><span class="o">.</span><span class="n">getint</span><span class="p">(</span><span class="s1">'global'</span><span class="p">,</span> <span class="n">option</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">return</span> <span class="n">config</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'global'</span><span class="p">,</span> <span class="n">option</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">option</span><span class="p">)</span><span class="o">+</span><span class="s2">" option doesn't exists in 'global' section!"</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"'[global]' section not found in your acl file!"</span><span class="p">)</span>
<span class="c1"># Retuns a dict of groups</span>
<span class="k">def</span> <span class="nf">_config_groups</span><span class="p">(</span><span class="n">config</span><span class="p">):</span>
<span class="k">if</span> <span class="n">config</span><span class="o">.</span><span class="n">has_section</span><span class="p">(</span><span class="s1">'groups'</span><span class="p">):</span>
<span class="n">group_list</span> <span class="o">=</span> <span class="n">config</span><span class="o">.</span><span class="n">items</span><span class="p">(</span><span class="s1">'groups'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">group_list</span><span class="p">:</span>
<span class="n">group_dict</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">((</span><span class="n">e</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">e</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">split</span><span class="p">())</span> <span class="k">for</span> <span class="n">e</span> <span class="ow">in</span> <span class="n">group_list</span><span class="p">)</span>
<span class="c1">#pprint(group_dict)</span>
<span class="c1"># Let's expand groups</span>
<span class="n">expanded_groups</span> <span class="o">=</span> <span class="p">{}</span>
<span class="k">for</span> <span class="n">group</span><span class="p">,</span> <span class="n">users</span> <span class="ow">in</span> <span class="n">group_dict</span><span class="o">.</span><span class="n">iteritems</span><span class="p">():</span>
<span class="n">expanded_groups</span><span class="p">[</span><span class="n">group</span><span class="p">]</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span>
<span class="k">for</span> <span class="n">user</span> <span class="ow">in</span> <span class="n">users</span><span class="p">:</span>
<span class="n">expanded_users</span> <span class="o">=</span> <span class="n">expand_nested_groups</span><span class="p">(</span>
<span class="n">group_dict</span><span class="p">,</span>
<span class="n">group</span><span class="p">,</span>
<span class="n">user</span><span class="p">,</span>
<span class="p">[])</span>
<span class="n">expanded_groups</span><span class="p">[</span><span class="n">group</span><span class="p">]</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">expanded_users</span><span class="p">)</span>
<span class="k">return</span> <span class="n">expanded_groups</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"Your '[groups]' section seems to have no options..."</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"'[groups]' section not found in your acl file!"</span><span class="p">)</span>
<span class="c1"># Returns a list of users allowed for a branch</span>
<span class="k">def</span> <span class="nf">_config_branch</span><span class="p">(</span><span class="n">config</span><span class="p">,</span> <span class="n">branch</span><span class="p">):</span>
<span class="k">if</span> <span class="n">config</span><span class="o">.</span><span class="n">has_section</span><span class="p">(</span><span class="s1">'branches'</span><span class="p">):</span>
<span class="k">if</span> <span class="n">config</span><span class="o">.</span><span class="n">has_option</span><span class="p">(</span><span class="s1">'branches'</span><span class="p">,</span> <span class="n">branch</span><span class="p">):</span>
<span class="k">return</span> <span class="n">config</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'branches'</span><span class="p">,</span> <span class="n">branch</span><span class="p">)</span><span class="o">.</span><span class="n">split</span><span class="p">()</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"This branch doesn't have any right set!"</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"'[branches]' section not found in your acl file!"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="c1"># Get arguments</span>
<span class="n">refname</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">oldrev</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span>
<span class="n">newrev</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span>
<span class="n">gituser</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s1">'USER'</span><span class="p">)</span>
<span class="c1"># Declare object types</span>
<span class="n">objtype</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'commit'</span><span class="p">,</span> <span class="s1">'delete'</span><span class="p">,</span> <span class="s1">'tag'</span><span class="p">]</span>
<span class="c1"># Init acl file reading</span>
<span class="n">acl_config</span> <span class="o">=</span> <span class="n">_config</span><span class="p">()</span>
<span class="c1"># Get global settings</span>
<span class="n">admin_group</span> <span class="o">=</span> <span class="n">_config_global</span><span class="p">(</span><span class="n">acl_config</span><span class="p">,</span> <span class="s1">'admin_group'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">full_admin</span> <span class="o">=</span> <span class="n">_config_global</span><span class="p">(</span><span class="n">acl_config</span><span class="p">,</span> <span class="s1">'full_admin'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
<span class="n">owner_branch</span> <span class="o">=</span> <span class="n">_config_global</span><span class="p">(</span><span class="n">acl_config</span><span class="p">,</span> <span class="s1">'owner_branch'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
<span class="c1"># Get group list</span>
<span class="n">g</span> <span class="o">=</span> <span class="n">_config_groups</span><span class="p">(</span><span class="n">acl_config</span><span class="p">)</span>
<span class="c1">#pprint(g)</span>
<span class="c1"># Get branch name</span>
<span class="n">exp_refname</span> <span class="o">=</span> <span class="n">refname</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">'/'</span><span class="p">)</span>
<span class="n">branch_name</span> <span class="o">=</span> <span class="n">exp_refname</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span>
<span class="c1"># Printing this only for information</span>
<span class="nb">print</span> <span class="s2">"branch="</span><span class="o">+</span><span class="n">branch_name</span>
<span class="nb">print</span> <span class="s2">"oldrev="</span><span class="o">+</span><span class="n">oldrev</span>
<span class="nb">print</span> <span class="s2">"newrev="</span><span class="o">+</span><span class="n">newrev</span>
<span class="nb">print</span> <span class="s2">"user="</span><span class="o">+</span><span class="n">gituser</span>
<span class="c1"># Get object type</span>
<span class="n">cmd</span> <span class="o">=</span> <span class="s1">'git cat-file -t </span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">newrev</span><span class="p">)</span>
<span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">Popen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">process</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span>
<span class="n">thistype</span> <span class="o">=</span> <span class="n">output</span><span class="p">[</span><span class="mi">0</span><span class="p">][:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
<span class="nb">print</span> <span class="s2">"object="</span><span class="o">+</span><span class="n">thistype</span>
<span class="c1"># Reject unknown object types </span>
<span class="k">if</span> <span class="n">thistype</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">objtype</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s2">"You can't push this type of objects"</span><span class="p">)</span>
<span class="c1">### Access right checking ###</span>
<span class="c1"># Admin processing</span>
<span class="k">if</span> <span class="n">full_admin</span> <span class="ow">and</span> <span class="n">gituser</span> <span class="ow">in</span> <span class="n">g</span><span class="p">[</span><span class="n">admin_group</span><span class="p">]:</span>
<span class="n">ok_exit</span><span class="p">(</span><span class="s1">'ADMIN ACCESS GRANTED'</span><span class="p">)</span>
<span class="c1"># user writes to his own branch</span>
<span class="k">if</span> <span class="n">owner_branch</span> <span class="ow">and</span> <span class="n">gituser</span> <span class="o">==</span> <span class="n">branch_name</span><span class="p">:</span>
<span class="n">ok_exit</span><span class="p">(</span><span class="s1">'BRANCH OWNER ACCESS GRANTED'</span><span class="p">)</span>
<span class="c1"># Not admin nor branch owner</span>
<span class="c1"># Get branch access rights</span>
<span class="n">branch_access</span> <span class="o">=</span> <span class="n">_config_branch</span><span class="p">(</span><span class="n">acl_config</span><span class="p">,</span> <span class="n">branch_name</span><span class="p">)</span>
<span class="c1"># Branch exists in git.acl check if user has rights</span>
<span class="c1"># Start with group</span>
<span class="k">for</span> <span class="n">right</span> <span class="ow">in</span> <span class="n">branch_access</span><span class="p">:</span>
<span class="k">if</span> <span class="s1">'@'</span> <span class="ow">in</span> <span class="n">right</span> <span class="ow">and</span> <span class="n">gituser</span> <span class="ow">in</span> <span class="n">g</span><span class="p">[</span><span class="n">right</span><span class="o">.</span><span class="n">strip</span><span class="p">(</span><span class="s1">'@'</span><span class="p">)]:</span>
<span class="n">ok_exit</span><span class="p">(</span><span class="s1">'BRANCH ACCESS GRANTED'</span><span class="p">)</span>
<span class="c1"># Not in a group so do a basic check</span>
<span class="k">if</span> <span class="n">gituser</span> <span class="ow">in</span> <span class="n">branch_access</span><span class="p">:</span>
<span class="n">ok_exit</span><span class="p">(</span><span class="s1">'BRANCH ACCESS GRANTED'</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">error_exit</span><span class="p">(</span><span class="s1">'BRANCH ACCESS DENIED'</span><span class="p">)</span>
<span class="c1"># Catchall exit, means we haven't match any case...</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">'__main__'</span><span class="p">:</span>
<span class="n">main</span><span class="p">()</span>
</code></pre></div>
<p>Thanks to <a href="http://www.linkedin.com/pub/steeve-chailloux/59/16a/480">Steeve Chailloux</a> for his group expansion function which was way better than mine :) </p>
<p>Next time let's support rights on tags ;)</p>Package addition in EL6 repo2013-10-25T15:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-10-25:/package-addition-in-el6-repo.html<p>I've added some new packages in the <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 extras repository</a></p>
<ul>
<li>GeoIP 1.5.1</li>
<li>nginx 1.4.3</li>
<li>libyaml 0.1.4</li>
<li>PyYAML 3.10 </li>
<li>uwsgi 1.9.18.2</li>
</ul>
<p>As usual please use the …</p><p>I've added some new packages in the <a href="http://repos.mauras.ch/EL6/el6_extras.repo">EL6 extras repository</a></p>
<ul>
<li>GeoIP 1.5.1</li>
<li>nginx 1.4.3</li>
<li>libyaml 0.1.4</li>
<li>PyYAML 3.10 </li>
<li>uwsgi 1.9.18.2</li>
</ul>
<p>As usual please use the <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">GPG public key</a> to verify packages signatures.</p>Easy git access control2013-10-21T09:25:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-10-21:/easy-git-access-control.html<p>Basic access to a <code>git</code> repository is fairly easy.<br />
You specify <code>--shared</code> when initializing your <code>bare</code> repository, <code>chgrp <your group></code> to the repository directory and your done. Now everyone in <code><your group></code> has read and …</p><p>Basic access to a <code>git</code> repository is fairly easy.<br />
You specify <code>--shared</code> when initializing your <code>bare</code> repository, <code>chgrp <your group></code> to the repository directory and your done. Now everyone in <code><your group></code> has read and write access to the repository with their account. </p>
<h4 id="so-what-do-i-need">So what do I need?</h4>
<ul>
<li>An easy way to tell which user can actually write or not</li>
<li>A solution easy to integrate with my actual configuration manager - Here rudder/cfengine</li>
</ul>
<p>Gitolite - to name the widely used tool for this kind of case - requires to install a bunch of script files, set a common git user, and store all its settings in a specific <code>git</code> repository. Definitely not practical to integrate in a configuration management tool. </p>
<h4 id="how-to-do-it-then">How to do it then?</h4>
<p>It is actually very easy to achieve these requirements with only basic linux settings and <code>git</code> hooks. </p>
<ul>
<li>Read access:<ul>
<li>ssh + user group</li>
</ul>
</li>
<li>Write access:<ul>
<li><code>git</code> hook + acl file</li>
</ul>
</li>
</ul>
<p>Create your new <code>git</code> repository: </p>
<div class="highlight"><pre><span></span><code>git init --bare --shared <repo>
chgrp -R <your group> <repo>
chmod o-rx <repo>
ls -ld <repo>
drwxrws--- 7 root <your group> 10 Oct 21 09:40 <repo>
</code></pre></div>
<p>Replace <code><repo>/hooks/update</code> by the following <code>python</code> script.<br />
This script checks the type of command you're sending and validates if your username is listed in the <code>git.acl</code> file and exits accordingly.</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/env python</span>
<span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">sys</span><span class="o">,</span> <span class="nn">subprocess</span><span class="o">,</span> <span class="nn">ConfigParser</span>
<span class="n">refname</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="n">oldrev</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span>
<span class="n">newrev</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span>
<span class="n">user</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s1">'USER'</span><span class="p">)</span>
<span class="n">revtype</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'commit'</span><span class="p">,</span> <span class="s1">'delete'</span><span class="p">,</span> <span class="s1">'tag'</span><span class="p">]</span>
<span class="n">config</span> <span class="o">=</span> <span class="n">ConfigParser</span><span class="o">.</span><span class="n">RawConfigParser</span><span class="p">()</span>
<span class="n">config</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="s1">'./git.acl'</span><span class="p">)</span>
<span class="n">users</span> <span class="o">=</span> <span class="n">config</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'users'</span><span class="p">,</span> <span class="s1">'write'</span><span class="p">)</span><span class="o">.</span><span class="n">split</span><span class="p">()</span>
<span class="nb">print</span> <span class="n">refname</span>
<span class="nb">print</span> <span class="s2">"oldrev="</span><span class="o">+</span><span class="n">oldrev</span>
<span class="nb">print</span> <span class="s2">"newrev="</span><span class="o">+</span><span class="n">newrev</span>
<span class="nb">print</span> <span class="n">user</span>
<span class="n">cmd</span> <span class="o">=</span> <span class="s1">'git cat-file -t </span><span class="si">%s</span><span class="s1">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">newrev</span><span class="p">)</span>
<span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">Popen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">process</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span>
<span class="n">thistype</span> <span class="o">=</span> <span class="n">output</span><span class="p">[</span><span class="mi">0</span><span class="p">][:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">thistype</span> <span class="ow">in</span> <span class="n">revtype</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">in</span> <span class="n">users</span><span class="p">):</span>
<span class="nb">print</span> <span class="s2">"!!! You're not authorized to push code to this repo"</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
</code></pre></div>
<p>Here is <code><repo>/hooks/git.acl</code></p>
<div class="highlight"><pre><span></span><code>[users]
write = admin joe bob brad
</code></pre></div>
<p>The script could easily be extented to do more granular rights - allow pushing to branches but not to master, which branches a user could push to, etc... - while still being very easy to deploy using your favorite configuration management tool. </p>Grsecurity 3.11.6 kernel available2013-10-19T09:20:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-10-19:/grsecurity-3116-kernel-available.html<p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.11.6-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.11.6
- Update to grsecurity-2.9.1-3.11.6-201310191259.patch
- Add new grsec …</code></pre></div><p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.11.6-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.11.6
- Update to grsecurity-2.9.1-3.11.6-201310191259.patch
- Add new grsec option: CONFIG_GRKERNSEC_DENYUSB
- overlayfs patch is removed
</code></pre></div>
<p>At the same time, zfs modules have been recompiled for it.<br />
You can also install them by using the yum repository.</p>
<p>Please note that now all packages are signed using GPG. You can import the signing GPG public key from <a href="http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch">here</a><br />
Until i create RPM packages to deploy my repository configs, you can import the key using:
<code>rpm --import http://repos.mauras.ch/RPM-GPG-KEY-build_at_mauras.ch</code></p>Rudder: Migrate from cfengine2013-09-10T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-09-10:/rudder-migrate-from-cfengine.html<p>The following standalone promise installs <code>rudder-agent</code> on a currently managed <code>cfengine</code> host.<br />
The <code>container</code> class is here only for me to identify <code>OpenVZ</code> guests. </p>
<p>Use at your own risk and modify it at your convenience …</p><p>The following standalone promise installs <code>rudder-agent</code> on a currently managed <code>cfengine</code> host.<br />
The <code>container</code> class is here only for me to identify <code>OpenVZ</code> guests. </p>
<p>Use at your own risk and modify it at your convenience.</p>
<div class="highlight"><pre><span></span><code>bundle<span class="w"> </span>agent<span class="w"> </span>rudder_agent_install<span class="w"> </span><span class="o">{</span>
<span class="w"> </span>vars:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"repo_content"</span><span class="w"> </span><span class="nv">string</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"[Rudder]</span>
<span class="s2">name=Rudder 2.7 Repository</span>
<span class="s2">baseurl=http://repos/rudder/test/RHEL_6/</span>
<span class="s2">gpgcheck=0</span>
<span class="s2">"</span><span class="p">;</span>
<span class="w"> </span>files:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"/etc/yum.repos.d/rudder.repo"</span>
<span class="w"> </span><span class="nv">create</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"true"</span>,
<span class="w"> </span><span class="nv">edit_line</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>append_to_repo_file<span class="o">(</span><span class="s2">"</span><span class="k">$(</span>repo_content<span class="k">)</span><span class="s2">"</span><span class="o">)</span><span class="p">;</span>
<span class="w"> </span>packages:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"rudder-agent"</span>
<span class="w"> </span><span class="nv">package_policy</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"add"</span>,
<span class="w"> </span><span class="nv">package_method</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>yum_rpm_sta,
<span class="w"> </span><span class="nv">classes</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>repaired_<span class="o">(</span><span class="s2">"kick_inventory"</span><span class="o">)</span><span class="p">;</span>
<span class="w"> </span>methods:
<span class="w"> </span>kick_inventory::
<span class="w"> </span><span class="s2">"any"</span><span class="w"> </span><span class="nv">usebundle</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>rudder_config<span class="p">;</span>
<span class="o">}</span>
bundle<span class="w"> </span>agent<span class="w"> </span>rudder_config<span class="w"> </span><span class="o">{</span>
<span class="w"> </span>files:
<span class="w"> </span><span class="s2">"/var/rudder/cfengine-community/policy_server.dat"</span>
<span class="w"> </span><span class="nv">create</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"true"</span>,
<span class="w"> </span><span class="nv">edit_line</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>append_to_repo_file<span class="o">(</span><span class="s2">"rudder"</span><span class="o">)</span><span class="p">;</span>
<span class="w"> </span>commands:
<span class="w"> </span><span class="s2">"/opt/rudder/bin/cf-agent -KI -D force_inventory"</span><span class="p">;</span>
<span class="w"> </span><span class="s2">"/etc/init.d/cf-serverd stop"</span><span class="p">;</span>
<span class="w"> </span><span class="s2">"/etc/init.d/cf-execd stop"</span><span class="p">;</span>
<span class="o">}</span>
bundle<span class="w"> </span>edit_line<span class="w"> </span>append_to_repo_file<span class="o">(</span>list<span class="o">)</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span>insert_lines:
<span class="w"> </span><span class="s2">"</span><span class="k">$(</span>list<span class="k">)</span><span class="s2">"</span><span class="p">;</span>
<span class="o">}</span>
body<span class="w"> </span>delete<span class="w"> </span>tidyfiles_<span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nv">rmdirs</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"true"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">dirlinks</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"delete"</span><span class="p">;</span>
<span class="o">}</span>
body<span class="w"> </span>classes<span class="w"> </span>repaired_<span class="o">(</span>new_class<span class="o">)</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nv">promise_repaired</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="o">{</span><span class="w"> </span><span class="s2">"</span><span class="k">$(</span>new_class<span class="k">)</span><span class="s2">"</span><span class="o">}</span><span class="p">;</span>
<span class="o">}</span>
body<span class="w"> </span>package_method<span class="w"> </span>yum_rpm_sta<span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nv">package_changes</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"bulk"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_list_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/bin/rpm -qa --qf '%{name} %{version}-%{release} %{arch}\n'"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_list_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/usr/bin/yum --quiet check-update"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_list_name_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"^(\S+?)\s\S+?\s\S+</span>$<span class="s2">"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_list_version_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"^\S+?\s(\S+?)\s\S+</span>$<span class="s2">"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_list_arch_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"^\S+?\s\S+?\s(\S+)</span>$<span class="s2">"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_installed_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">".*"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_name_convention</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"</span><span class="k">$(</span>name<span class="k">)</span><span class="s2">"</span><span class="p">;</span>
<span class="w"> </span><span class="c1"># set it to "0" to avoid caching of list during upgrade</span>
<span class="w"> </span><span class="nv">package_list_update_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/usr/bin/yum --quiet check-update"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_list_update_ifelapsed</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"240"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_installed_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"^\s.*"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_name_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"([^.]+).*"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_version_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"[^\s]\s+([^\s]+).*"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_arch_regex</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"[^.]+\.([^\s]+).*"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_add_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/usr/bin/yum -y install"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_update_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/usr/bin/yum -y update"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_patch_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/usr/bin/yum -y update"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_delete_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/bin/rpm -e --nodeps --allmatches"</span><span class="p">;</span>
<span class="w"> </span><span class="nv">package_verify_command</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"/bin/rpm -V"</span><span class="p">;</span>
<span class="o">}</span>
</code></pre></div>
<p>Let's see the code in details. </p>
<p>First install the repo file and install <code>rudder-agent</code> package:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span>vars:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"repo_content"</span><span class="w"> </span><span class="nv">string</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"[Rudder]</span>
<span class="s2">name=Rudder 2.7 Repository</span>
<span class="s2">baseurl=http://repos/rudder/test/RHEL_6/</span>
<span class="s2">gpgcheck=0</span>
<span class="s2">"</span><span class="p">;</span>
<span class="w"> </span>files:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"/etc/yum.repos.d/rudder.repo"</span>
<span class="w"> </span><span class="nv">create</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"true"</span>,
<span class="w"> </span><span class="nv">edit_line</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>append_to_repo_file<span class="o">(</span><span class="s2">"</span><span class="k">$(</span>repo_content<span class="k">)</span><span class="s2">"</span><span class="o">)</span><span class="p">;</span>
<span class="w"> </span>packages:
<span class="w"> </span>container::
<span class="w"> </span><span class="s2">"rudder-agent"</span>
<span class="w"> </span><span class="nv">package_policy</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"add"</span>,
<span class="w"> </span><span class="nv">package_method</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>yum_rpm_sta,
<span class="w"> </span><span class="nv">classes</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>repaired_<span class="o">(</span><span class="s2">"kick_inventory"</span><span class="o">)</span><span class="p">;</span>
</code></pre></div>
<p>Then if package has been installed, call the bundle <code>rudder_config</code>:</p>
<div class="highlight"><pre><span></span><code>methods:
<span class="w"> </span>kick_inventory::
<span class="w"> </span><span class="s2">"any"</span><span class="w"> </span><span class="nv">usebundle</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>rudder_config<span class="p">;</span>
</code></pre></div>
<p>Populate <code>/var/rudder/cfengine-community/policy_server.dat</code> with your Rudder server name <code>rudder</code> then run the Rudder agent with <code>force_inventory</code> class to force node to send its inventory to the server, then stop running <code>cfengine</code> processes.</p>
<div class="highlight"><pre><span></span><code>bundle<span class="w"> </span>agent<span class="w"> </span>rudder_config<span class="w"> </span><span class="o">{</span>
<span class="w"> </span>files:
<span class="w"> </span><span class="s2">"/var/rudder/cfengine-community/policy_server.dat"</span>
<span class="w"> </span><span class="nv">create</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span><span class="s2">"true"</span>,
<span class="w"> </span><span class="nv">edit_line</span><span class="w"> </span><span class="o">=</span>><span class="w"> </span>append_to_repo_file<span class="o">(</span><span class="s2">"rudder"</span><span class="o">)</span><span class="p">;</span>
<span class="w"> </span>commands:
<span class="w"> </span><span class="s2">"/opt/rudder/bin/cf-agent -KI -D force_inventory"</span><span class="p">;</span>
<span class="w"> </span><span class="s2">"/etc/init.d/cf-serverd stop"</span><span class="p">;</span>
<span class="w"> </span><span class="s2">"/etc/init.d/cf-execd stop"</span><span class="p">;</span>
<span class="o">}</span>
</code></pre></div>
<p>Everything else is <code>cfengine</code> functions to make all that work.<br />
Finally use <code>cf-agent -b rudder_install -D container -f /path/to/the/promise.cf</code> to actually run this promise. </p>
<p>Rudder agent sets a cron job in <code>/etc/cron.d/rudder-agent</code> which should take care of starting itself in the following 5 minutes. </p>Grsecurity 3.10.10 kernel available2013-09-01T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-09-01:/grsecurity-31010-kernel-available.html<p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.10.10-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.10.10
- Update to grsecurity-2.9.1-3.10.10-201309011630.patch
</code></pre></div>
<p>At the same …</p><p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.10.10-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.10.10
- Update to grsecurity-2.9.1-3.10.10-201309011630.patch
</code></pre></div>
<p>At the same time, zfs modules have been recompiled for it.<br />
You can also install them by using the yum repository.</p>Speed up Rudder new node's detection2013-08-27T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-08-27:/speed-up-rudder-new-nodes-detection.html<p>By default, a new node sending its inventory to the Rudder server, won't appear in the "Accept new nodes" menu before the next <code>cf-agent</code> run on the server.<br />
In the worst case scenario, you'll have …</p><p>By default, a new node sending its inventory to the Rudder server, won't appear in the "Accept new nodes" menu before the next <code>cf-agent</code> run on the server.<br />
In the worst case scenario, you'll have to wait 5 minutes for the node to appear. My issue was that i needed this process to be as quick as possible as i'm deploying <code>rudder-agent</code> through a kickstart post-install script, and i whished for the deployed node to have all the rudder rules applied before reboot. </p>
<p>As the inventory creation can be tracked in <code>/var/rudder/inventories/incoming</code>, a small python script using pyinotify to the rescue. </p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/python</span>
<span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">datetime</span><span class="o">,</span> <span class="nn">subprocess</span><span class="o">,</span> <span class="nn">re</span><span class="o">,</span> <span class="nn">thread</span>
<span class="kn">import</span> <span class="nn">pyinotify</span>
<span class="n">command</span> <span class="o">=</span> <span class="s2">"/opt/rudder/bin/cf-agent -K -b sendInventoryToCmdb -f /var/rudder/cfengine-community/inputs/promises.cf"</span>
<span class="n">report_re</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">compile</span><span class="p">(</span><span class="s1">'R:.*'</span><span class="p">)</span>
<span class="n">wm</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">WatchManager</span><span class="p">()</span> <span class="c1"># Watch Manager</span>
<span class="n">mask</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">IN_DELETE</span> <span class="o">|</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">IN_CREATE</span> <span class="c1"># watched events</span>
<span class="k">def</span> <span class="nf">exec_proc</span><span class="p">(</span><span class="n">file</span><span class="p">,</span> <span class="n">dummy1</span><span class="p">):</span>
<span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">Popen</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">process</span><span class="o">.</span><span class="n">communicate</span><span class="p">()</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="n">report_line</span> <span class="o">=</span> <span class="n">report_re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="n">output</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
<span class="nb">print</span> <span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">file</span><span class="p">,</span> <span class="n">report_line</span><span class="o">.</span><span class="n">group</span><span class="p">())</span>
<span class="k">class</span> <span class="nc">EventHandler</span><span class="p">(</span><span class="n">pyinotify</span><span class="o">.</span><span class="n">ProcessEvent</span><span class="p">):</span>
<span class="k">def</span> <span class="nf">process_IN_CREATE</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">event</span><span class="p">):</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span> <span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2"> created"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
<span class="k">if</span> <span class="s2">"incoming"</span> <span class="ow">in</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">:</span>
<span class="n">dummy_tup</span> <span class="o">=</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="s1">'null'</span>
<span class="n">thread</span><span class="o">.</span><span class="n">start_new_thread</span><span class="p">(</span><span class="n">exec_proc</span><span class="p">,</span> <span class="n">dummy_tup</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">process_IN_DELETE</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">event</span><span class="p">):</span>
<span class="n">date</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>
<span class="nb">print</span> <span class="s2">"</span><span class="si">%s</span><span class="s2">: </span><span class="si">%s</span><span class="s2"> - </span><span class="si">%s</span><span class="s2"> deleted"</span> <span class="o">%</span> <span class="p">(</span><span class="n">date</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">path</span><span class="p">,</span> <span class="n">event</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
<span class="n">handler</span> <span class="o">=</span> <span class="n">EventHandler</span><span class="p">()</span>
<span class="n">notifier</span> <span class="o">=</span> <span class="n">pyinotify</span><span class="o">.</span><span class="n">Notifier</span><span class="p">(</span><span class="n">wm</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span>
<span class="n">wdd</span> <span class="o">=</span> <span class="n">wm</span><span class="o">.</span><span class="n">add_watch</span><span class="p">(</span><span class="s1">'/var/rudder/inventories/'</span><span class="p">,</span> <span class="n">mask</span><span class="p">,</span> <span class="n">rec</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">notifier</span><span class="o">.</span><span class="n">loop</span><span class="p">()</span>
</code></pre></div>
<p>So what performance gain do we have ?</p>
<div class="highlight"><pre><span></span><code># python bin/rudder_inv_notify.py
2013-08-27 17:26:51.051183: /var/rudder/inventories/incoming - itclient-01-2013-09-04-17-26-46.ocs created
2013-08-27 17:26:54.616183: p4itclient-01-2013-09-04-17-26-46.ocs - R: @@DistributePolicy@@result_success@@root-DP@@root-distributePolicy@@20@@Send inventories to CMDB@@None@@2013-09-04 17:26:54+02:00##root@#Incoming inventories were successfully added to Rudder
2013-08-27 17:26:54.932790: /var/rudder/inventories/historical - 9530ce39-6699-49bc-819e-d8b72ae35a55 created
</code></pre></div>
<p>Around 3 seconds to have the node available in pending list. This let us use API to accept it ... I'll detail this further in another post.</p>Grsecurity 3.10.9 kernel available2013-08-25T00:00:00+02:002023-10-03T22:43:30+02:00Olivier Maurastag:www.mauras.ch,2013-08-25:/grsecurity-3109-kernel-available.html<p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.10.9-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.10.9
- Update to grsecurity-2.9.1-3.10.9-201308202015.patch
- Add variables for …</code></pre></div><p>Grsecurity test kernel is now available as RPM in the <a href="http://repos.mauras.ch/grsecurity/grsecurity.repo">repository</a><br />
You can fetch the SRPM <a href="http://repos.mauras.ch/grsecurity/kernel-test/SRPMS/kernel-3.10.9-1.el6.src.rpm">here</a> </p>
<p>Changelog:</p>
<div class="highlight"><pre><span></span><code>- Update to kernel 3.10.9
- Update to grsecurity-2.9.1-3.10.9-201308202015.patch
- Add variables for easier version update
- Add config CONFIG_SECCOMP
</code></pre></div>
<p>At the same time, zfs modules have been updated to 0.6.2.<br />
You can also install them by using the yum repository.</p>