Category Archives: General

Oracle Enterprise Linux 6.x networking

Lately I got many questions regarding the network configuration of Oracle Enterprise Linux 6 (Red Hat Enterprise Linux 6).
Enough to write a little article about it.

It seems that some of the network configuration was altered in OEL6. The reason as far as I know is the implementation of the NetworkManager daemon. I don’t know why they are using CamelCase for the daemon name, but mind that. Even though the NetworkManager should make the configuration as painless as possible (at least thats what the manual page said), it seems to actually make the configuration more of a pain for some.

Below I will cover some topics in an effort to get you going and remove the pain ūüôā

Configuring eth0 for manual operation

  • Step 1: disable the NetworkManager daemon
    service NetworkManager stop
  • Step 2: remove the NetworkManager from Init (start-up)
    chkconfig --level 2345 NetworkManager off
  • Step 3: open the ifcfg-eth0 config file (alter the suffix ‘eth0’ to match the adapter of your choice)
    vi /etc/sysconfig/network-scripts/ifcfg-eth0
  • Step 4: Alter the following to match your environment…
    DEVICE=eth0
    TYPE=Ethernet
    HWADDR={Your MAC address here}
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR=192.168.1.10
    #PREFIX=24    [can be used alternativly to NETMASK=]
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    BROADCAST=192.168.1.255
    GATEWAY=192.168.1.1
    
  • Step 5: Write/close the configuration file¬†(:wq in vi)
  • Step 6: Restart the network service
    service network restart
  • TIP 0: Obviously match the configuration above to match your home network.
  • TIP 1: NetworkManager is not always present in which case you can obviously skip step 1 – 2.
  • TIP 2: There are reports that NETMASK=xxx.xxx.xxx.xxx is actually more stable then PREFIX=xx notation.
    My advice, use NETMASK= which is also better understood by non networking guys.
  • TIP 3: Not sure about the correct NETWORK, NETMASK, BROADCAST or PREFIX¬†settings, give ipcalc a try:
    ipcalc --netmask {IPADDR}
    ipcalc --prefix {IPADDR} {NETMASK}
    ipcalc --broadcast {IPADDR} {NETMASK}
    ipcalc --network {IPADDR} {NETMASK}
    

Configuring DNS

DNS always seems to be a bugger and a hard one to understand. Do note that DNS is JUST A IP PHONEBOOK. Nothing fancy there. Also there are various ways of configuring DNS. One way is by adding the DNS configuration in the ifcfg-suffix configuration file with the DNS1=ip.ip.ip.ip DNS2=ip.ip.ip.ip keywords.¬†As an¬†effect, the networking service will update the appropriate¬†configuration files.¬†To¬†be frank,¬†I find this to be confusing and do not like duplicate configurations everywhere in my -has to be clean- environment. My advice is to configure the DNS is the appropriate files directly like this…

  • Step 1: Edit¬†the¬†resolve.conf where DNS is configured.
    vi /etc/resolv.conf
  • Step 2: Add or Alter the following to match your environment
    search mydomain.home
    nameserver 192.168.1.1
    nameserver 8.8.8.8
    
  • Step 3: Test to see if name resolution works
    nslookup
    set debug
    www.google.com
    
  • TIP 1: Linux actually tries to find the ip in the /etc/hosts file first. If you know the hostnamename and FQDN to an certain IP and it can be classified as static. Consider using the hostsfile instead of a centralized DNS. This will boost performance if the name is resolved often. If multiple systems use and depend on a machine reference, use centralized DNS in order to lighten the administrative tasks.
    vi /etc/hosts
  • TIP 2: Experiencing slow log on times or slow application performance? A faulty DNS configuration might just be the¬†cause. A quick way to test this is by¬†temp. disabling DNS all together. This can be done by editing the /etc/nsswitch.conf file.
    vi /etc/nsswitch.conf
    • alter the line
      hosts:     files dns
    • to the line
      hosts: files
    • write the file and test if the performance has improved.
  • The reason for this is that DNS is often used to register user logon or session information based on the visitors IP address. Examples are the ssh daemon, ftp servers, webservers, linux logon, etc.

STATIC ROUTES

In some case you want linux to use alternative routes to access certain Linux resources. The way to go in these cases are creating routes. In most cases you want these to be presistant in which case ‘route add –‘ wont suffice. In our example we will create two new routes. On describing a route to a specific host, the other describing the route to a specific network. Alter the example to match your needs.

  • STEP 1: Create a new file called static-routes in the¬†/etc/sysconfig/ directory
    vi /etc/sysconfig/static-routes
  • STEP 2: Add the following, obviously matching your specific needs
    any net 192.168.2.0/24 gw 192.168.1.254 metric 1
    any host 192.168.2.254 gw 192.168.1.254 metric 1
  • STEP 3: Restart the network service
    service network restart
  • TIP 1: SIOCADDRT: No such process means the designated gateway doesnt exsist on any known interface. (typo?)
  • TIP 2: view the route information usint the route command
  • TIP 3: use the ipcalc –prefix {IPADDR} {NETMASK} command to determin the right /prefix for your environment.
  • TIP 4: In older environments the ifup-routes is used, this shscript still exsists in the /etc/sysconfig/network-scripts/ifup-routes

Locate my mac address

The ifcfg-eth# config allows you to configure the specific mac address to guarantee the IP is bound to the right adapter. In virtualized environments this might save you a lot of trouble in the situation where the virtualized domain is altered. On the other hand it might cause trouble when the staticly configured MAC is migrated in virtual environments. Either case, you might want to know the MAC linux sees belonging to an certain adapter. You can find the MAC address in the following location:

 cat /sys/class/net/eth0/address

Obviously you need to alter eth0 in the path to match the adapter you are looking for. Not sure? The change directory to /sys/class/net and perform a list to see all discovered and registered adapters.

IPTables (Linux firewall)

By default IPtables (which is the linux firewall) is enabled. You can view the running configuration by checking the service status like this.

 service iptables status

You can simply turn the firewall off by modifying and applying steps 1-2 of the first configuring eth0 instruction. This will reduce the security of your linux platform significantly. My advice, add the ports you need for your services and let IPtables protect you. The easiest way is by simply editing the iptables configuration file.

 vi /etc/sysconfig/iptables 

Adding a port is as easy as copy/pasting the always present firewall rule that allowes port 22 (ssh). Copy past it and alter the -p (protocol) -dport (destination port) to match your needs. For example, allowing HTTP/HTTPS.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

afterward restart iptables

service iptables restart

TIP: If you are experimenting with IPv6 (then your Instant COOL!), mind that the ipv6 firewall is called ip6tables and the configuration is called the same. The basic iptables doesnt handle ipv6 at all.

TIP: If you are using ipv6 code your IPv4 ip to ease administration. Example:

ipv4: 192.168.10.1/32
ipv6: 2001::0192:0168:0010:0001/64
Then route on the nibble of choice.

Additional questions?

Just post it below and maybe ill respond in due time ūüôā

Advertisements

Fix the inline images -bug- in glpi knowledgebase (htmLawed.php)

GLPI-0-84-8 FIX

GLPI uses the htmLawed filter to clean inserted HTML code. Documentation on this framework can be found here: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

Problem with this framework in GLPI is that it does not match image tags properly when they contain inline base64 information.

Here is a simple fix to overcome this problem. The htmLawed.php file can be located in %glpi_root%/lib/htmlawed/htmLawed.php. Open it with your favorite editor. Next locate line: 47. Somewhere arround that area you should find the following.

Web - sftp___nagios@glpi.amis.nl_var_www_glpi_prod_lib_htmlawed_htmLawed.php - A_2013-10-29_12-34-30

Add ‘data’ at the end of the marked line.

$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https, data';

The above will stop htmLawed from adding disabled: to the data: in the src=”” tag.

The next step is a bit trickier.

Now we need to actually change the hl_tag function. In the file locate the hl_tag($t) function somewhere around line:407. In this codeblock we are looking for the regular expression marked in the image below:

Web - sftp___nagios@glpi.amis.nl_var_www_glpi_prod_lib_htmlawed_htmLawed.php - A_2013-10-29_12-38-10

This is the expression that doenst match the valid <img> tags within the htmLawed. We dont want to create leaks here, so all we need to do is introduce an exception for our images. You can do so by replacing the text with the following:

Web - sftp___nagios@glpi.amis.nl_var_www_glpi_test_lib_htmlawed_htmLawed.php - A_2013-10-29_12-49-27

In code:


if(!preg_match('`^&lt;(/?)([a-zA-Z][a-zA-Z1-6]*)([^&gt;]*?)\s?&gt;$`m', $t, $m)){
if(strstr($t, 'data:image')){
return $t;
}else{
return str_replace(array('&lt;', '&gt;'), array('&amp;lt;', '&amp;gt;'), $t);
}
}elseif(!isset($C['elements'][($e = strtolower($m[2]))])){
return (($C['keep_bad']%2) ? str_replace(array('&lt;', '&gt;'), array('&amp;lt;', '&amp;gt;'), $t) : '');
}

After this, the images should show up just fine

GLPI - Knowledge base_2013-10-29_12-50-51

I hope this was helpfull ūüôā

Update GLPI tickets with requesters group

When using GLPI it can be very usefull to automatically assign a group based on the ticket requester. This allows you to use the reporting module and report for instance based on dept group. The problem is that GLPI does allow this using the Behaviour plugin, but it will not report tickets that couldnt be assigned a group. This will actually render reports unusable because you might miss unassigned tickets. For this reason we wrote a little script to process this AND report any ticket that couldnt be assigned (the requester isnt assigned a group)

Business Rules:
0. GLPI version : 0.83.7
1. GLPI uses the mailgate that creates tickets of known users.
2. All known users are assigned to at least one group
4. Script seeks groups and then assigns them uniquely to the ticket.
5. Script will be triggered by cron
6. All actions will/can be reported in a mail
7. If no actions where executed, no mail will be send.

&lt;?php
$usr = 'john'; $pas = 'doe'; $db = 'glpi_0837';&lt;/pre&gt;
$db = new mysqli(&quot;localhost&quot;, $usr, $pas, $db);
if(mysqli_connect_errno()){
 printf(&quot;Connect Failed %s\n&quot;, mysqli_connect_error());
 exit();
}&lt;/pre&gt;
/* Get all the tickets */
$s1 = 'select t.id, t.users_id_recipient from glpi_tickets t';
$r1 = $db-&gt;query($s1);
while($row = $r1-&gt;fetch_array(MYSQLI_ASSOC)){
 // check to see if ticket has a group assigned //
 $s2 = &quot;select * from glpi_groups_tickets where tickets_id = '{$row['id']}' and type = '1'&quot;;
 $res1 = $db-&gt;query($s2);
 // Update the tickets without a group assignment.
 if($res1-&gt;num_rows == 0){
 // There is no group for this ticket so find the applicable group and assign it
 $s3 = &quot;select ti.id as tid,
 ti.users_id_recipient,
 tu.id as tuid,
 tu.tickets_id,
 tu.users_id,
 tu.type,
 us.id,
 us.name,
 gr.id as gid,
 gr.name as group_name,
 gu.users_id,
 gu.groups_id
 FROM glpi_tickets ti, glpi_tickets_users tu, glpi_groups gr, glpi_users us, glpi_groups_users gu
 WHERE ti.id = tu.tickets_id
 AND tu.type = 1
 AND tu.users_id = us.id
 AND tu.users_id = gu.users_id
 AND gu.groups_id = gr.id
 AND ti.id = '{$row['id']}'&quot;;
 if($res2 = $db-&gt;query($s3)){
 if($res2-&gt;num_rows &gt; 0){
 while($row1 = $res2-&gt;fetch_array(MYSQLI_ASSOC)){
 $groups[$row1['tid']][$row1['gid']] = $row1['group_name'];
 $messages[$row['id']][] = &quot;INFO: Updated ticket:{$row1['tid']} with group {$row1['gid']}:{$row1['group_name']}&quot;;
 }
 }else{
 $messages[$row['id']][] = 'ERROR: No group assigned to requester!';
 $messages[$row['id']][] = &quot;INFO: Please assign groups to the requester in this ticket.&quot;;
 }
 }else{
 $messages[$row['id']][] = &quot;ERROR: SQL errorno: {$db-&gt;errno} met melding: {$db-&gt;error} is opgetreden&quot;;
 }
 }else{
 //$messages[$row['id']][] = 'INFO: Ticket allready has a group assigned';
 }
}

// Generate a mailmessage
$message = 'INFO: Script running at: https://glpi.amis.nl/salami/automated_tasks/assign_actor_groups.php &lt;br/&gt;';
$ecount = 0;
if(isset($messages)){
 foreach($messages as $key =&gt; $val){
 foreach($val as $k =&gt; $v){
 $message .= &quot;ON Ticket: $key : {$v} &lt;br/&gt;&quot;;
 $ecount ++;
 }
 }
 $mail = true;
}else{
 $mail = false;
}

// Insert the associations
if(isset($groups)){
 foreach($groups as $key =&gt; $val){
 foreach($val as $k =&gt; $v){
 $sql = &quot;insert into glpi_groups_tickets(tickets_id, groups_id, type) values('{$key}','{$k}','1');&quot;;
 if($db-&gt;query($sql)){
 //$message .= &quot;INFO: Group $k:$v assigned to ticket $key&lt;br/&gt;&quot;;
 }else{
 $message .= &quot;ERROR: Failed to associate $k:$v to ticket $key&lt;br/&gt;&quot;;
 }
 }
 }
 $message .= &quot;ON General : Finished... &lt;br/&gt;&quot;;
}else{
 $message .= &quot;ON General : Did nothing, but finished with succes... &lt;br/&gt;&quot;;
}
if($ecount &gt; 0){
 $message .= &quot;ON General : INFO: Please correct the reported errors &lt;br/&gt;&quot;;
}

$to = 'AMIS Support &lt;support@amis.nl&gt;';

$subject = 'Automated ticket - groups assignment';

// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . &quot;\r\n&quot;;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . &quot;\r\n&quot;;

// Additional headers
$headers .= 'From: Monitor &lt;monitor@amis.nl&gt;' . &quot;\r\n&quot;;

// Mail it
if($mail){
 mail($to, $subject, $message, $headers);
}
//echo $message;
&lt;pre&gt;

?&gt;

Simply run this script
(AFTER YOU HAVE TESTED IT AGAINST YOUR TEST ENVIRONMENT)