Archive for September, 2007

Bonding configuration is ' specific

Posted in Linux SysAdmin on September 19th, 2007 by Johan Huysmans

I was configuring a bonding interface on one of the machines here, but I couldn’t connect to the host after a reboot or network restart.
The bond0 interface was up and running but no eth interfaces were marked as slave for that bond interface.
If I manually ran ifup eth0 the eth0 comes up and is marked as slave of bond0 and the connection to the outside can be established.
I started to debug the /etc/init.d/network script and also the ifup script. In that ifup script I noticed the following lines of code:

if [ "${TYPE}" = "Bonding" ] || ethtool -i $DEVICE 2>/dev/null| grep -q "driver: bonding" ; then
  for device in `LANG=C grep -l "^[[:space:]]*MASTER=${DEVICE}" /etc/sysconfig/network-scripts/ifcfg-*` ; do
    /sbin/ifup ${device##*/}
  done
fi

So it will grep for MASTER=bond0 and not for MASTER='bond0' (note the quotes around bond0).
When I removed the quotes from bond0 in the ifcfg-eth0 file the network started correctly.

For reference, here is my config:
ifcfg-bond0
DEVICE='bond0'
BOOTPROTO='static'
IPADDR='10.0.10.2'
NETWORK='10.0.10.0'
NETMASK='255.255.255.0'
BROADCAST='10.0.10.255'
STARTMODE='onboot'

ifcfg-eth0
DEVICE='eth0'
BOOTPROTO='none'
ONBOOT='yes'
SLAVE='yes'
MASTER=bond0

ifcfg-eth1
DEVICE='eth1'
BOOTPROTO='none'
ONBOOT='yes'
SLAVE='yes'
MASTER=bond0
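
The mismatch described in this post can be checked for before a reboot. The following is an added example, not code from the original post or from the network scripts; the function names missed_slaves and make_sample and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not from the original post and not part of initscripts.
# ifup finds a bond's slaves with: grep -l "^[[:space:]]*MASTER=${DEVICE}"
# That grep reads the raw file text, so MASTER='bond0' is missed even though
# the shell that sources the file sees the value bond0.

# missed_slaves DIR MASTER: print ifcfg-* files that name MASTER as their
# master in a form the grep above does not match.
missed_slaves() {
    dir=$1
    master=$2
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # The last MASTER= assignment wins when the file is sourced.
        raw=$(LANG=C sed -n 's/^[[:space:]]*MASTER=//p' "$f" | tail -n 1)
        [ -n "$raw" ] || continue
        # Strip one layer of matching quotes, as the shell would.
        val=$raw
        case $val in
            \'*\') val=${val#?}; val=${val%?} ;;
            \"*\") val=${val#?}; val=${val%?} ;;
        esac
        [ "$val" = "$master" ] || continue
        # Same pattern ifup applies to the file contents.
        if ! LANG=C grep -q "^[[:space:]]*MASTER=${master}" "$f"; then
            echo "${f##*/}"
        fi
    done
}

# Constructed sample files (hypothetical): eth0 and eth2 quoted, eth1 bare.
make_sample() {
    printf "DEVICE='eth0'\nSLAVE='yes'\nMASTER='bond0'\n" > "$1/ifcfg-eth0"
    printf "DEVICE='eth1'\nSLAVE='yes'\nMASTER=bond0\n" > "$1/ifcfg-eth1"
    printf 'DEVICE=eth2\nSLAVE=yes\nMASTER="bond0"\n' > "$1/ifcfg-eth2"
}

tmp=$(mktemp -d)
make_sample "$tmp"
missed_slaves "$tmp" bond0   # prints ifcfg-eth0 and ifcfg-eth2
rm -rf "$tmp"
```

On a real host the directory argument would be /etc/sysconfig/network-scripts, the path used by the ifup snippet above.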

Manually encrypting your shadow password

Posted in Linux SysAdmin on September 15th, 2007 by Johan Huysmans – 3 Comments

Your passwords are stored encrypted in the /etc/shadow file. This encryption is normally done by the passwd command, but in some cases you want to produce your own encrypted password to place manually in the shadow file.

With the following perl one-liner you can encrypt your password:
# echo "EnterHereYourNonEncryptedPassword" | perl -nle 'print crypt($_, "\$1\$".join "", (".", "/", 0..9, "A".."Z", "a".."z")[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]);'
This will print an encrypted string on the screen:
$1$UckA8UmW$Ck0rISvkyk2rDutFT4nU20

Let’s split the one-liner into pieces so it is easier to understand. The most important perl function used in the one-liner, the one that does the actual encrypting, is:
crypt("password", "salt");
The “salt” is a random string starting with $1$. The following join produces such a random string, 8 characters long:
join "", (".", "/", 0..9, "A".."Z", "a".."z")[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64];

More information about the crypt function can be found here: http://perldoc.perl.org/functions/crypt.html.
As you can notice the join is also listed on that page ;)

Managing user passwords with Puppet on CentOS

Posted in puppet on September 10th, 2007 by Johan Huysmans – 5 Comments

If you try to manage users and their passwords with puppet on CentOS you will receive the error explained under “Known issues” on the following page: Puppet on RedHat/CentOS. That page also describes the solution: install the libshadow package on the client.
It is not that easy because there is not yet an rpm of the ruby shadow libraries for CentOS.

“Not yet” because there IS a ruby-shadow rpm available in fedora (see: https://bugzilla.redhat.com/show_bug.cgi?id=240008).

So we only need to download and rebuild it:
wget http://download.fedora.redhat.com/pub/fedora/linux/extras/6/SRPMS/ruby-shadow-1.4.1-6.fc6.src.rpm
rpmbuild --rebuild ruby-shadow-1.4.1-6.fc6.src.rpm

Once we have that rebuilt rpm we can install it on all our puppet-clients. Of course we are not going to do this manually but use puppet for it :) .
If you have a local repository you can just add the package, but this is not yet the case for my setup so we need some extra rules.
Here is a snippet of the puppet manifest:

class ruby-shadow {
   package {
      "ruby-shadow":
         ensure   => installed,
         provider => rpm,
         source   => "/tmp/ruby-shadow-1.4.1-6.i386.rpm",
         require  => file["/tmp/ruby-shadow-1.4.1-6.i386.rpm"],
   }

   file {
      "/tmp/ruby-shadow-1.4.1-6.i386.rpm":
         source => "puppet://puppetmaster/files/ALL/tmp/ruby-shadow-1.4.1-6.i386.rpm"
   }
}

class users {
   include ruby-shadow
   user {
      "root":
         ensure   => present,
         name     => "root",
         password => "SomeAlreadyEncryptedPassword";
   }
}

With this code it will require 2 runs of the puppet client. Even if you add a require in the user section for the ruby-shadow package, 2 runs are necessary. Don’t know if this is a bug or a feature…