#!/bin/blog

October 25, 2014

CentOS 7 on MD-RAID 1

Filed under: UNIX & Linux — Tags: , , , — martin @ 2:47 pm

Figuring this out took me quite a bit of time. In the end, I approached the starter of this hilariously useless CentOS mailing list thread, who assured me that indeed he had found a way to configure MD-RAID in the installer, and behold, here’s how to install CentOS 7 with glorious old-school software RAID.

In the “Installation Destination” screen, select the drives you want to install onto and “I will configure partitioning”. Then click “Done”:
20141025134323In the “Manual Partitioning” screen, let CentOS create the partitions automatically, or create your own partitioning layout. I will let CentOS create them automatically for this test. 20141025134926Apparently due to restrictions in the Installer, /boot is required, but can’t be on a logical volume, so it appears as primary partition /dev/sda1. The root and swap volumes are in a volume group named centos.
The centos volume group will need to be converted to RAID 1 first. Select the root volume and find the “Modify…” button next to the Volume Group selection drop-down. A window will open. In this window, make sure both drives are selected and select “RAID 1 (Redundancy)” from the “RAID Level” drop-down. Repeat this for all volumes in the centos volume group.  If you are using the automatic partition layout, note at this point, how, after this step, the file system sizes have been reduced to half their size.

20141025135637As the final step, select the /boot entry and use the “Device Type” drop-down to convert /boot to a “RAID” partition. A new menu will appear, with “RAID 1 (Redundancy)” pre-selected. The sda1 subscript below the /boot file system will change into the “boot” label once you click anywhere else in the list of file systems.
20141025140445Click “Done”, review the “Summary of Changes”, which should immediately make sense if you have ever configured MD-RAID, and the system will be ready for installation.

April 14, 2011

Bind OpenLDAP slapd to localhost only (on RHEL/CentOS)

Filed under: UNIX & Linux — Tags: , , — martin @ 9:24 am

Implemented on RHEL5.

In /etc/sysconfig/ldap, append:

SLAPD_OPTIONS="-h \"ldap://127.0.0.1 ldaps://127.0.0.1\""

Then issue /etc/init.d/ldap restart.

February 27, 2009

Packaging OpenSSH on CentOS

Filed under: Security, UNIX & Linux — Tags: , , , , — martin @ 8:29 am

March 30, 2010: It was pointed out to me that Redhat has backported chroot functionality into its OpenSSH 4.3 packages, so these directions may not be neccessary anymore.

My article on chrooted SFTP has turned out to be the most popular article on this blog. What a pity that its “companion article” on building current OpenSSH on CentOS 5 is such a bloody hell of a mess.

Fortunately, reader Simon pointed out a really simple method for building RPMs from current OpenSSH sources in a comment. We had the chance to try this out in a production deployment of chrooted SFTP the other day, and what can I say? It just works(tm)! Thanks a lot, dude! 🙂

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

It certainly doesn’t hurt to make the GPG check a habit:

# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz.asc
# wget -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg –-import
# gpg openssh-5.2p1.tar.gz.asc
gpg: Signature made Mon 23 Feb 2009 01:18:28 AM CET using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48

Prepare, build and install the RPM. Disable the building of GUI components in the spec file. We don’t need these on a server:

# tar zxvf openssh-5.2p1.tar.gz
# cp openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l
-rw-r--r-- 1 root root 275808 Feb 27 08:08 openssh-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 439875 Feb 27 08:08 openssh-clients-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 277714 Feb 27 08:08 openssh-server-5.2p1-1.x86_64.rpm
# rpm -Uvh openssh*rpm
Preparing... ########################################### [100%]
1:openssh ########################################### [ 33%]
2:openssh-clients ########################################### [ 67%]
3:openssh-server ########################################### [100%]
# service sshd restart

The RPM should install cleanly on CentOS 4. On CentOS 5, after installation, service ssh restart throws a warning that initlog is obsolete. I work around this by keeping a copy of the old /etc/init.d/sshd and restoring it after RPM installation.

April 6, 2008

Quick and dirty manual compile of OpenSSH on CentOS 5

Filed under: UNIX & Linux — Tags: , , — martin @ 7:58 am

(Update, February 27, 2009 – Please click here, for goodness’ sake: Packaging OpenSSH on CentOS)

I wanted to try the new chroot feature of OpenSSH (see the companion post) but didn’t want to invest in building an OpenSSH RPM. Here are my notes from how I did a quick replacement of the stock SSH packages by a hand-rolled installation:

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.0p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.0p1.tar.gz.asc
# wget -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg --import
# gpg openssh-5.0p1.tar.gz.asc
gpg: Signature made Thu 03 Apr 2008 12:02:00 PM CEST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm@****.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48
# tar zxvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure --prefix=/usr/local --sysconfdir=/etc/openssh --with-md5-passwords --with-pam
# make
# make install
# cp /etc/ssh/* /etc/openssh/
# sed 's/^\(GSSAPI.*\)$/#\1/' < /etc/ssh/sshd_config > /etc/openssh/sshd_config
# sed 's/^ *\(GSSAPI.*\)$/#\1/' < /etc/ssh/ssh_config > /etc/openssh/ssh_config
# cp /etc/pam.d/sshd /etc/pam.d/openssh
# service sshd stop
# yum remove openssh
# ln -s openssh /etc/pam.d/sshd
# /usr/local/sbin/sshd
# echo "echo Starting ssh daemon." >> /etc/rc.local
# echo "/usr/local/sbin/sshd" >> /etc/rc.local

No: I’m not quite conviced that this should go anywhere beyond a test system. 😉 If you have a quick way for building proper OpenSSH replacement RPMs, you’re welcome to share it.

Create a free website or blog at WordPress.com.