Git through apache, anonymous pull but authenticated push

I have been having this annoying issue where I needed to open SSH up to the internet in order to allow authenticated push to a centralized git server. After hours and hours of trying to get anonymous pull and authenticated push over HTTP working, I finally made it; here goes:

Set the project root, where your git repositories are and you want to export everything:

SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL

Next we have to map the git HTTP backend to a URL:

# Enable git-http-backend
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

Get mod_rewrite to set an environment variable on push:

# Enable mod_rewrite
RewriteEngine On

# Detect git push
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR,NC]
RewriteCond %{REQUEST_URI} ^/git/.*/git-receive-pack$ [NC]
RewriteRule .* - [E=AUTHREQUIRED:yes]

Demand authentication on /git when pushing, via a Location block:

<Location /git>
        # Deny (and so fall through to the auth requirement) when AUTHREQUIRED is set
        Order Allow,Deny
        Deny from env=AUTHREQUIRED
        Allow from all
        # Satisfy either Allow/Deny or Require valid-user
        Satisfy Any
        # Auth info
        AuthType Basic
        AuthName "Git Access"
        # Password file created with htpasswd
        AuthUserFile /etc/httpd/conf.d/passwd
        Require valid-user
</Location>
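To see which smart-HTTP requests the two RewriteCond lines catch, here is an added shell check (my own test harness, not part of the original configuration) that applies the same two patterns to constructed request URIs and query strings; the /git/ prefix comes from the ScriptAlias above, and project.git is a made-up repository name.

```shell
# Apply the two RewriteCond patterns from the config above to one request.
# Returns 0 when the request would get AUTHREQUIRED=yes (and thus a 401
# Basic challenge through Deny from env= plus Satisfy Any), 1 when it stays
# anonymous. grep -i mirrors the [NC] flag on both conditions.
git_push_requires_auth() {
    uri=$1
    query=$2
    # RewriteCond %{QUERY_STRING} service=git-receive-pack [OR,NC]
    if printf '%s\n' "$query" | grep -qi 'service=git-receive-pack'; then
        return 0
    fi
    # RewriteCond %{REQUEST_URI} ^/git/.*/git-receive-pack$ [NC]
    if printf '%s\n' "$uri" | grep -qiE '^/git/.*/git-receive-pack$'; then
        return 0
    fi
    return 1
}

# Print the decision for one request (URI, optional query string).
describe() {
    if git_push_requires_auth "$1" "$2"; then
        printf 'auth required  %s%s\n' "$1" "${2:+?$2}"
    else
        printf 'anonymous      %s%s\n' "$1" "${2:+?$2}"
    fi
}

# Constructed requests, in the order a smart-HTTP client sends them;
# project.git is a made-up repository name under the /git/ ScriptAlias.
# Fetch/clone: ref advertisement and pack negotiation stay open.
describe /git/project.git/info/refs service=git-upload-pack
describe /git/project.git/git-upload-pack ''
# Push: the ref advertisement for receive-pack AND the POST that carries the
# objects are both gated, so neither step works without credentials.
describe /git/project.git/info/refs service=git-receive-pack
describe /git/project.git/git-receive-pack ''
# A mixed-case path still matches thanks to [NC].
describe /GIT/Project.git/GIT-RECEIVE-PACK ''
```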

Happy git push’ing!


Kickstarting RHEL 6.1 or newer, registering with subscription-manager

I’ve been spending the last few hours trying to register a Red Hat Enterprise Linux machine during kickstart. What I wanted to achieve:

The really short version

This all goes into your anaconda kickstart file. Replace USERNAME and PASSWORD, or use an activation key (haven't tested):

# register
echo "registering with redhat using certificate method"
subscription-manager register --username=USERNAME --password=PASSWORD --autosubscribe

# update all the base packages from the updates repository, also important since
# yum-config-manager doesn't function until you do something with yum!
echo "updating machine"
yum -t -y -e 0 update

# add optional red hat repository needed for puppet
echo "adding optional repository"
yum-config-manager --enable rhel-6-server-optional-rpms

# install epel if we can
echo "configuring epel repository"
rpm -Uvh http://download.fedora.redhat.com/pub/epel/beta/6/x86_64/epel-release-6-5.noarch.rpm

# install puppet
echo "installing puppet"
yum -t -y -e 0 install puppet

The LONG version

Why certificate based?

I haven’t confirmed it yet, but I’m hoping that the new content delivery framework “cdn.redhat.com” is a lot faster here in Iceland (currently ~200-300KBps).

On with the butter! (Icelandic saying)

The old way used to be:

rhnreg-ks --username <username> --password <password>

The new way; --autosubscribe tries to attach the correct subscription automatically:

subscription-manager register --username=<username> --password=<password> --autosubscribe

OK, great, now I’m subscribed; on to installing puppet.

First we need the EPEL repository to get puppet.

The EPEL repository contains lots of extra packages for RHEL, including puppet.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/beta/6/x86_64/epel-release-6-5.noarch.rpm

On to the tricky stuff

puppet is in the EPEL repo, check. But it requires libselinux-ruby, which is in the rhel-6-server-optional-rpms repository, so installing puppet without enabling that repository will blow up because of dependency problems.

Enabling rhel-6-server-optional-rpms

Old versions (pre 6.1) used rhn-channel; we use the new tools. Now here is what cost me quite some time. When you run “subscription-manager register” I think that /etc/yum.repos.d/redhat.repo is not created. Not until you run some yum command, so that’s why I update here, but I suspect any yum command (install/update) will do:

yum -y -e 0 update
yum-config-manager --enable rhel-6-server-optional-rpms

Finally, ready to rock and roll!

yum -y -e 0 install puppet

You should have puppet ready on RHEL 6.1.
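As an added example (not from the original kickstart), a defensive version of the repository step: it checks that redhat.repo exists and actually lists the repo id before calling yum-config-manager, instead of assuming the file appeared. The repo file path and the sample repo contents in the demo are assumptions of mine.

```shell
# Return 0 when FILE contains a [REPOID] section header, 1 otherwise.
repo_section_present() {
    grep -qx "\[$2\]" "$1" 2>/dev/null
}

# Return 0 when the [REPOID] section of FILE has enabled = 1.
repo_section_enabled() {
    awk -v id="$2" '
        /^\[.*\]$/                 { insec = ($0 == "[" id "]"); next }
        insec && /^enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); on = ($0 == "1") }
        END                        { exit on ? 0 : 1 }' "$1" 2>/dev/null
}

# Enable REPOID from REPO_FILE, but only after proving it is really there.
# subscription-manager register does not write redhat.repo itself; the yum
# plugin does on the next yum run, so a missing file gets one cheap yum
# call before we give up. Failing loudly beats a silent no-op in %post.
ensure_rhel_repo() {
    repo_file=$1   # /etc/yum.repos.d/redhat.repo on a real box
    repo_id=$2
    if [ ! -s "$repo_file" ]; then
        echo "$repo_file missing, running yum once to let the plugin write it"
        yum -q repolist >/dev/null 2>&1 || true
    fi
    if ! repo_section_present "$repo_file" "$repo_id"; then
        echo "ERROR: $repo_id not in $repo_file; check the subscription" >&2
        return 1
    fi
    if repo_section_enabled "$repo_file" "$repo_id"; then
        echo "$repo_id already enabled"
        return 0
    fi
    yum-config-manager --enable "$repo_id" >/dev/null
}

# Offline demo on a constructed redhat.repo (sample content, not a real
# subscription); ensure_rhel_repo itself is only meant for the real system.
sample=$(mktemp)
printf '[rhel-6-server-rpms]\nname = RHEL 6 Server\nenabled = 1\n\n' > "$sample"
printf '[rhel-6-server-optional-rpms]\nname = Optional\nenabled = 0\n' >> "$sample"
for id in rhel-6-server-rpms rhel-6-server-optional-rpms rhel-6-server-supplementary-rpms; do
    if ! repo_section_present "$sample" "$id"; then echo "$id: absent"
    elif repo_section_enabled "$sample" "$id"; then echo "$id: enabled"
    else echo "$id: present, disabled"; fi
done
rm -f "$sample"
```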

Decided to attach a picture of the damage that problems like these do to my hairstyle! ;-)


SElinux and Proliant Support Pack (PSP) on RHEL or Centos 5

I’ve been getting these annoying messages in the audit log, /var/log/audit/audit.log after installing the Proliant Support Pack on RHEL5.

type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="/dev/hpilo/d0ccb5" dev=tmpfs ino=6784 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1262639482.789:2027381): avc:  denied  { read write } for  pid=18916 comm="ethtool" path="socket:[22602]" dev=sockfs ino=22602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket

I don’t know what this is, but I DON’T want to allow it, and I don’t want to see it in the audit log anymore.

First off 3 terms:

So basically what I did to get rid of these messages was to write a new module called pspignore that ignores them without allowing them. Here’s what I did:

Make a local directory for my modules:

mkdir -p /etc/selinux/local

cd /etc/selinux/local

Download my custom module, which includes “dontaudit” rules for these conditions:

wget http://tommi.org/static/ignorepsp.te

Build the module and install it:

checkmodule -M -m -o ignorepsp.mod ignorepsp.te

semodule_package -o ignorepsp.pp -m ignorepsp.mod

semodule -i ignorepsp.pp

That should be it. The main thing can be found at the bottom of ignorepsp.te:

dontaudit ifconfig_t device_t:chr_file { read write };
dontaudit ifconfig_t initrc_t:netlink_route_socket { read write };
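Since only the two rules are shown, here is the complete module as I would write it (an added reconstruction, not the original ignorepsp.te from tommi.org): the header and require block declare every type, class and permission named in the two AVC records, which checkmodule demands before it accepts the dontaudit lines. The build function wraps the three commands above; with no argument the demo writes into a scratch directory and skips the build.

```shell
# Write the complete ignorepsp.te to the path given as $1.
write_ignorepsp_te() {
    cat > "$1" <<'EOF'
module ignorepsp 1.0;

# Everything referenced below must be declared here or checkmodule refuses
# the module; the names come straight from the two AVC records.
require {
    type ifconfig_t;
    type device_t;
    type initrc_t;
    class chr_file { read write };
    class netlink_route_socket { read write };
}

# dontaudit only stops the logging; the accesses stay denied.
dontaudit ifconfig_t device_t:chr_file { read write };
dontaudit ifconfig_t initrc_t:netlink_route_socket { read write };
EOF
}

# Count rules of a given kind (dontaudit/allow) in a .te file: a cheap check
# that no rule got turned into an allow while editing.
count_rules() {
    grep -c "^$2 " "$1"
}

# The three build commands from above, stopping at the first failure and
# confirming the module is loaded afterwards.
build_and_load() {
    checkmodule -M -m -o "$1/ignorepsp.mod" "$1/ignorepsp.te" &&
    semodule_package -o "$1/ignorepsp.pp" -m "$1/ignorepsp.mod" &&
    semodule -i "$1/ignorepsp.pp" &&
    semodule -l | grep '^ignorepsp'
}

# Pass /etc/selinux/local as $1 on the real machine to write, build and
# load; with no argument only a scratch copy is written and checked.
workdir=${1:-$(mktemp -d)}
write_ignorepsp_te "$workdir/ignorepsp.te"
echo "$workdir/ignorepsp.te: $(count_rules "$workdir/ignorepsp.te" dontaudit) dontaudit rules"
if [ -n "$1" ]; then
    build_and_load "$1"
fi
```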

Hope this is helpful.


RocketRaid on Red Hat / CentOS 5

Been dabbling with getting a RocketRaid 1740 to work on CentOS 5. It was not as easy as I had hoped, but below you can view the steps needed for the implementation.

The HighPoint RocketRaid 1740 is only supported on Red Hat / CentOS 5.2, so you have to install that first.

Download the driver from http://highpoint-tech.com/USA/bios_rr1740.htm

You can download the media for CentOS 5.2 at http://vault.centos.org/5.2/isos/

Now you need to go through the Install guide http://highpoint-tech.com/BIOS_Driver/rr1740/Linux/newformat/Install_RHEL_CentOS_RR174x.pdf

To briefly go over what you need to do:

  • Untar the contents of the driver onto a USB flash drive
  • Boot 5.2 with the boot params “linux nostorage”
  • When the graphical X installer is up and running, hit CTRL-ALT-F2
  • Mount the USB flash drive
  • copy the contents of the driver to /tmp/hptdd
  • unmount the flash drive
  • run sh /tmp/hptdd/rhel-install-step1.sh
  • Go back to the install, CTRL-ALT-F6
  • Setup the OS as usual all the way till all packages are installed, it says “Congratulations, the installation is complete.”
  • Hit CTRL-ALT-F2 again
  • cp -r /tmp/hptdd /mnt/sysimage/tmp/hptdd
  • chroot /mnt/sysimage
  • sh /tmp/hptdd/rhel-install-step2.sh
  • exit
  • Hit CTRL-ALT-F6 and hit Reboot
  • Voila, the machine should boot normally

Kernel updates can also be problematic, so here’s how I do it.

Download the latest Open Source driver version from http://highpoint-tech.com/USA/bios_rr1740.htm

I untar it into /usr/src; you need to modify the script below if you change the path:

cd /usr/src
tar zxvf rr174x-linux-src-v2.4-091009-1434.tar.gz

Now, I have a special script to build for the latest kernel.

So, if you haven’t already, do yum -y update.

Download my build script from http://tommi.org/static/update-rr17xx.sh

cd /usr/local/bin
wget http://tommi.org/static/update-rr17xx.sh
chmod 750 /usr/local/bin/update-rr17xx.sh
/usr/local/bin/update-rr17xx.sh

If everything looked alright, you should be ready to boot into your new kernel.

Nagios plugin as an added bonus

I decided to write up a Nagios plugin as an added bonus; you can get it at http://tommi.org/static/rr-state.pl

It should catch broken RAID arrays and report when the machine is rebuilding. Its states are:

OK, everything is great

Warning, Logical disk is rebuilding

Critical, Failed drive


Making Oracle work with SELinux on Red Hat Enterprise Linux 5

I wanted to put up, for easy reference, how to set up the Oracle Instant Client packages on a SELinux-enabled Red Hat Enterprise Linux 5 machine. The documentation was created on an x86_64 machine but should work on the 32-bit version as well.

Install packages:

oracle-instantclient11.1-basic-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-devel-11.1.0.7.0-1.x86_64.rpm
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1.x86_64.rpm

Put the relevant libraries into the textrel_shlib_t context:

semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libnnz11.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplus.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libociei.so
semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libsqlplusic.so
restorecon -R -v /usr/lib/oracle/11.1/client64/lib/

Put the libraries into the path of the dynamic library loader:

echo "export ORACLE_HOME=/usr/lib/oracle/11.1/client64" > /etc/profile.d/oracle.sh

Set the path to tnsnames.ora; I like /etc/tnsnames.ora:

echo "export TNS_ADMIN=/etc/tnsnames.ora" >> /etc/profile.d/oracle.sh

Of course you have to have a valid tnsnames.ora file available.

Log out and log in to update your environment and voilà, you should be able to run sqlplus, install perl-DBD-Oracle or php-oci8, python, whatever your flavor is.

Ohh, and merry christmas! :)


Fedora 10, a real treat

Installed Fedora 10 a couple of days ago and I must say I’m very pleasantly surprised. Install went smoothly as ever and getting everything up and running was pretty much painless. Here’s pretty much what I needed to do to get it working on my HP nw9440 laptop:

  • Installed from the DVD install media
  • Set up RPMFusion: rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
  • Installed the nvidia drivers: yum install xorg-x11-drv-nvidia
  • Installed a few of my favorites, gnome-do, mplayer, networkmanager-vpnc, rdesktop, gnucash

A nice surprise was that rhythmbox now automatically invites me to download and install the needed RPMs for mp3 playback and other formats, finally!

Also, suspend and hibernate now work perfectly.

NetworkManager now works out of the box with my iwl3945 wifi card.

OpenOffice.org 3.0, now opens evil Microsoft Office 2007 files.

Conclusion: I haven’t stumbled across a single annoying thing, so I’m extremely happy with the quality of this release!


VMware Server 2.0 and Fedora 9 or Fedora 10

*Update* This also affects Fedora 10

Just ran into quite a bit of trouble trying to get VMware Server 2.0 to run on Fedora 9. After quite a bit of digging I found that vmware-hostd calls PAM and unix_chkpwd seems to cause a problem in hostd. The error message from the VMware Management Web:

The server is not responding. Please check that the server is running and accepting connections.

And after looking through the process list I found the following:

root      9817  9741  0 17:26 ?        00:00:00 [unix_chkpwd] <defunct>

My fix was to turn off password authentication in PAM for VMware and hope for a fix from VMware soon. This fix was suggested in this post.

Turning off authentication:

# cat /etc/pam.d/vmware-authd
#%PAM-1.0
auth       required    pam_permit.so
account    required    pam_permit.so

After that I suggest blocking connections to the VMware ports with iptables if you have disabled the default firewall, which should keep you safe. The addition to /etc/sysconfig/iptables follows:

-A INPUT -i ! lo -m tcp -p tcp -m multiport --dports 8009,8222,8308,8333 -j REJECT

Hope this helps..


Update to AsteriskJA because of changes of CallerID Lookup Sources

There was a change in a recent FreePBX module where the lookup source URI could not contain cid=${CALLERID(num)}. The fix for that is to change it to cid=[NUMBER].

See the AsteriskJA page.


Automaticly blacklisting password attempts

I’ve tried quite a few methods to block password guessers on machines that have SSH, POP, IMAP and so on open. What I usually used was iptables and the recent module (“iptables -m recent --help” if you are interested in that). The main problem with the iptables approach is that it blocks a number of new connections from the same host whether they are invalid password attempts or just a user opening many ssh connections.

In comes pam_abl, which enables blacklisting on unsuccessful password attempts. I’ve installed this on a few Red Hat Enterprise Linux machines; you can download RPMs for RHEL at Dag Wieers’ site.

Download pam_abl:

# wget http://dag.wieers.com/rpm/packages/pam_abl/pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Install it:

# rpm -Uvh pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Configure pam_abl in /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_abl.so config=/etc/security/pam_abl.conf
auth        sufficient    pam_unix.so nullok try_first_pass

Configure /etc/security/pam_abl.conf according to your own paranoia.. ;) Here’s mine:

# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:4/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:4/1h,30/1d
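The rule strings are terse, so here is an added evaluator (my own shell, not pam_abl's code) showing how a host_rule or user_rule such as !root:4/1h,30/1d is read: the subject before the colon selects who it applies to, and each COUNT/PERIOD clause is a trailing window, with the clauses OR'ed. It assumes COUNT means "COUNT or more failures inside the window" and handles only the subject forms used above (*, a name, !name); the timestamps are constructed.

```shell
# Convert a pam_abl period (45s, 30m, 1h, 2d) to seconds.
abl_period_seconds() {
    n=${1%?}; unit=${1#"$n"}
    case $unit in
        s) echo "$n" ;;          m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;; d) echo $((n * 86400)) ;;
        *) echo "bad period: $1" >&2; return 1 ;;
    esac
}

# Does the subject part of a rule cover NAME? Only the three forms used in
# the config above are handled: '*' (everyone), 'name', '!name' (all but).
abl_subject_matches() {
    case $1 in
        '*') return 0 ;;
        !*)  [ "${1#!}" != "$2" ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# abl_blocked RULE NAME NOW TS...
# Evaluate a host_rule/user_rule such as '!root:4/1h,30/1d' against the
# failure timestamps TS (epoch seconds) for NAME at time NOW. Clauses are
# OR'ed: blocked once any clause sees COUNT or more failures in its window.
abl_blocked() {
    rule=$1; name=$2; now=$3; shift 3
    abl_subject_matches "${rule%%:*}" "$name" || return 1
    for clause in $(printf '%s' "${rule#*:}" | tr ',' ' '); do
        need=${clause%/*}
        window=$(abl_period_seconds "${clause#*/}") || return 1
        hits=0
        for ts in "$@"; do
            if [ "$ts" -gt $((now - window)) ]; then hits=$((hits + 1)); fi
        done
        if [ "$hits" -ge "$need" ]; then return 0; fi
    done
    return 1
}

# Constructed sample: five failed logins in the last ten minutes. tommi trips
# the 4/1h clause; root is excluded by the '!root' subject; a host with four
# failures of which one is two hours old has only three inside the window.
now=1000000
recent="$((now-540)) $((now-480)) $((now-300)) $((now-120)) $((now-30))"
for who in tommi root; do
    abl_blocked '!root:4/1h,30/1d' "$who" "$now" $recent && echo "$who: blocked" || echo "$who: allowed"
done
abl_blocked '*:4/1h,30/1d' evil.tommi.org "$now" $((now-7200)) $((now-500)) $((now-400)) $((now-300)) \
    && echo "evil.tommi.org: blocked" || echo "evil.tommi.org: allowed"
```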

You can check the state of pam_abl and manipulate it with the pam_abl command:

# pam_abl
Failed users:
tommi (5)
Blocking users [!root]
Failed hosts:
evil.tommi.org (5)
Blocking users [*]

Now you have auto-blacklisting for ftp, ssh, imap, pop, basically anything that uses PAM for authentication. You can also use it for a single service, for instance by putting the pam line in /etc/pam.d/sshd instead of /etc/pam.d/system-auth.


New version of tv_grab_is for Icelandic program listings

I just finished updating my tv_grab_is script to use the XML interfaces that every Icelandic broadcasting company has.

I changed the xmltv IDs to reflect the name changes at 365. Sýn became Stöð 2 Sport, Sýn2 became Stöð 2 Sport 2, etc…

If you are using mythtv you need to update your xmltvids for channels and also the ~/.mythtv/FILENAME.xmltv. Run:

tv_grab_is --list-channels

You can always get my newest version from my trac.

You will need to install the perl module XML::Simple until I rewrite the XML handling code, but I’m too lazy right now. Install methods:

yum install perl-XML-Simple

apt-get install libxml-simple-perl

cpan XML::Simple
