Archive for the ‘Linux’ Category

RANCID (Really Awesome New Cisco config Differ) monitors a router’s (or more generally a device’s) configuration, including software and hardware (cards, serial numbers, etc.), and uses CVS (Concurrent Versions System), Subversion or Git to maintain a history of changes.

Rancid:

  • logs in to each device listed in the router table (router.db)
  • runs various commands to collect the information that will be saved
  • cooks the output: reformats it and removes oscillating or incrementing data
  • emails any differences from the previous collection to a mail list
  • commits those changes to the revision control system

Installing required components

dnf update -y
dnf install -y epel-release
dnf install -y python2 vim wget git mlocate
dnf install dnf-utils http://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf module reset php
dnf module enable php:remi-7.4
dnf install php php-opcache php-gd php-curl php-mysqlnd
systemctl enable --now php-fpm
rpm -ivh https://dev.mysql.com/get/mysql80-community-release-el8-1.noarch.rpm
yum install -y wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl tar sendmail postfix
pip2 install mysql-connector-python MySQL-Python

If you hit the following error while installing MySQL-Python:

Building wheels for collected packages: MySQL-python
Running setup.py bdist_wheel for MySQL-python ... error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-3oXEzH/MySQL-python/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" bdist_wheel -d /tmp/tmpXv05tnpip-wheel- --python-tag cp27:
running bdist_wheel
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
copying mysql_exceptions.py -> build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/__init__.py -> build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/converters.py -> build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/connections.py -> build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/cursors.py -> build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/release.py -> build/lib.linux-x86_64-2.7/MySQLdb
copying MySQLdb/times.py -> build/lib.linux-x86_64-2.7/MySQLdb
creating build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/__init__.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/CR.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/FIELD_TYPE.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/ER.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/FLAG.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/REFRESH.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/CLIENT.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
running build_ext
building 'mysql' extension
creating build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Dversion_info=(1,2,5,'final',1) -D__version__=1.2.5 -I/usr/include/mysql -I/usr/include/python2.7 -c _mysql.c -o build/temp.linux-x86_64-2.7/_mysql.o
In file included from _mysql.c:44:0:
/usr/include/mysql/my_config.h:3:2: warning: #warning This file should not be included by clients, include only <mysql.h> [-Wcpp]
#warning This file should not be included by clients, include only <mysql.h>
^
In file included from _mysql.c:46:0:
/usr/include/mysql/mysql.h:440:3: warning: function declaration isn’t a prototype [-Wstrict-prototypes]
MYSQL_CLIENT_PLUGIN_HEADER
^
/usr/include/mysql/mysql.h:585:1: warning: function declaration isn’t a prototype [-Wstrict-prototypes]
my_bool STDCALL mysql_embedded();
^
_mysql.c: In function ‘_mysql_ConnectionObject_ping’:
_mysql.c:2005:41: error: ‘MYSQL {aka struct st_mysql}’ has no member named ‘reconnect’
if ( reconnect != -1 ) self->connection.reconnect = reconnect;
^
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

Failed building wheel for MySQL-python
Running setup.py clean for MySQL-python
Failed to build MySQL-python

Edit /usr/include/mysql/mysql.h and add the line unsigned int reconnect; after the line unsigned int warning_count;

Installing Rancid

groupadd netadm 
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid 
mkdir /home/rancid/tar 
cd /home/rancid/tar/ 
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.9.tar.gz 
tar -xzvf rancid-3.9.tar.gz 
cd rancid-3.9 
./configure --prefix=/usr/local/rancid 
make && make install

Configuring Rancid

Copy cloginrc.sample to /home/rancid/.cloginrc, then set the ownership and permissions on the rancid files and directories. .cloginrc will hold the device credentials, so it must stay readable only by the rancid user and its group.

cp cloginrc.sample /home/rancid/.cloginrc 
chmod 0640 /home/rancid/.cloginrc 
chown -R rancid:netadm /home/rancid/.cloginrc 
chown -R rancid:netadm /usr/local/rancid/ 
chmod 775 /usr/local/rancid/ 

Create the groups “Routers Switches Firewalls”; these are the folders you will see when you first log into the ViewVC web front end.

vim /usr/local/rancid/etc/rancid.conf 
Uncomment LIST_OF_GROUPS and add your groups, e.g.
LIST_OF_GROUPS="Routers Switches Firewalls" 

Apply changes:

su - rancid 
/usr/local/rancid/bin/rancid-cvs
exit

Whenever /usr/local/rancid/etc/rancid.conf is edited, the above command (rancid-cvs) needs to be run again.

Installing ViewVC

ViewVC is a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions.

cd /home/rancid/tar/ 
wget http://www.viewvc.org/downloads/viewvc-1.1.27.tar.gz 
tar -xzvf viewvc-1.1.27.tar.gz 
cd viewvc-1.1.27 
./viewvc-install 

Configuring ViewVC

vim /usr/local/viewvc-1.1.27/viewvc.conf 
# Uncomment and change the following values
root_parents = /usr/local/rancid/var/CVS : cvs 
rcs_dir = /usr/local/bin 
use_rcsparse = 1 

To make ViewVC work with Apache httpd, copy over the CGI scripts and set their permissions.

cp /usr/local/viewvc-1.1.27/bin/cgi/*.cgi /var/www/cgi-bin/ 
chmod +x /var/www/cgi-bin/*.cgi 
chown apache:apache /var/www/cgi-bin/*.cgi 

MariaDB configuration

systemctl enable mariadb 
systemctl start mariadb 
mysql_secure_installation

Create a MariaDB user that ViewVC will use. Log in as root with the password set in the previous step (mysql_secure_installation):

mysql -u root -p 
Enter your SQL root password 
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'MyP4ssW0rd'; 
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION; 
FLUSH PRIVILEGES; 
quit 

Now run ViewVC's make-database script to create its database.

cd /usr/local/viewvc-1.1.27/bin/ 
./make-database 

Create a second MariaDB user that will be read-only.

mysql -u root -p 
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'MyP4ssW0rd'; 
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost';
FLUSH PRIVILEGES; 
quit 

Edit the ViewVC configuration so that it uses the database parameters you have just set up (the [cvsdb] section):

vim /usr/local/viewvc-1.1.27/viewvc.conf

enabled = 1 
host = localhost 
port = 3306 
database_name = ViewVC 
user = VIEWVC 
passwd = MyP4ssW0rd 
readonly_user = VIEWVCRO 
readonly_passwd = MyP4ssW0rd

Rebuild the database

/usr/local/viewvc-1.1.27/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/

Apache configuration

The following configuration will:

  • enable HTTPS using a self-signed certificate
  • redirect http to https
  • configure Active Directory (LDAP) authentication

dnf install mod_ldap
# create self-signed certificate
cd /etc/ssl/certs
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout rancid.key -out rancid.crt

Configure SSL Virtual host

vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/ssl/certs/rancid.crt
SSLCertificateKeyFile /etc/ssl/certs/rancid.key
<VirtualHost _default_:443>
DocumentRoot "/var/www"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
ScriptAlias /query /var/www/cgi-bin/query.cgi
ServerName rancid.test.com:443

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "login to continue"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    # ldap:// carries the bind and user credentials to the domain controller in clear text; use ldaps:// where the DC supports it
    AuthLDAPURL "ldap://test.com/dc=test,dc=com?sAMAccountName"
    AuthLDAPBindDN "test@test.com"
    AuthLDAPBindPassword "somepassword"
    require valid-user
</Directory>
# the rest of the default ssl.conf, including its closing </VirtualHost>, stays unchanged

Create the port 80 virtual host and configure the http to https redirection

vi /etc/httpd/conf.d/viewvc.conf

<VirtualHost *:80> 
        ServerAlias * 
        DocumentRoot /var/www 
        ScriptAlias /cgi-bin/ "/var/www/cgi-bin" 
        ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi 
        ScriptAlias /query /var/www/cgi-bin/query.cgi 
        RewriteEngine on 
        RewriteRule "^/?(.*)"  "https://%{HTTP_HOST}/$1" [R=301] 
</VirtualHost> 

systemctl enable httpd && systemctl start httpd

Browse to http://ip/viewvc; you should be redirected to https://ip/viewvc, a credentials pop-up will ask for username/password and the ViewVC page should appear.

Adding devices to Rancid

Each Rancid group has its own folder under /usr/local/rancid/var.

In this example a switch is added to the Switches group:

vi /usr/local/rancid/var/Switches/router.db

File format: ip-or-hostname;vendor;up

In this case the content would be

1.1.1.1;cisco;up
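As an added example (not rancid's own code and not part of the original post), the following Python checks a router.db before rancid-run reads it: it parses the ip-or-hostname;vendor;state format described above, reports lines that do not follow it (wrong separator, empty fields, unknown state, duplicate hosts) and lists the hosts rancid will poll. The sample file content is constructed for the example.

```python
import re

# Constructed sample router.db content for this example. Line 4 shows a
# separator slip that is easy to make by hand: a comma instead of the
# second ';'.
SAMPLE_ROUTER_DB = """\
# Switches group
1.1.1.1;cisco;up
sw-core-01.example.net;cisco;down
1.1.1.2;cisco,up
1.1.1.1;juniper;up
;cisco;up
"""

FIELD_SEP = ";"                   # rancid 3.x router.db field separator
VALID_STATES = {"up", "down"}     # third field: poll the device or not
HOST_RE = re.compile(r"^[A-Za-z0-9.:_-]+$")  # IPv4, IPv6 or hostname characters


def parse_router_db(text):
    """Parse router.db text into (entries, problems).

    entries:  list of (host, vendor, state) tuples for well-formed lines
    problems: list of (line_number, message) for lines that do not follow
              the ip-or-hostname;vendor;state format
    """
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no device
        fields = [f.strip() for f in line.split(FIELD_SEP)]
        if len(fields) != 3:
            problems.append((lineno, f"expected 3 fields separated by '{FIELD_SEP}', "
                                     f"got {len(fields)}: {line!r}"))
            continue
        host, vendor, state = fields
        if not HOST_RE.match(host):
            problems.append((lineno, f"missing or invalid host: {line!r}"))
        elif not vendor:
            problems.append((lineno, f"missing vendor for {host}"))
        elif state not in VALID_STATES:
            problems.append((lineno, f"state must be 'up' or 'down', got {state!r} for {host}"))
        elif host in seen:
            problems.append((lineno, f"duplicate entry for {host}"))
        else:
            seen.add(host)
            entries.append((host, vendor, state))
    return entries, problems


def active_hosts(text):
    """Hosts that rancid-run will actually log in to: well-formed entries marked 'up'."""
    entries, _problems = parse_router_db(text)
    return [host for host, _vendor, state in entries if state == "up"]


if __name__ == "__main__":
    entries, problems = parse_router_db(SAMPLE_ROUTER_DB)
    for lineno, message in problems:
        print(f"router.db line {lineno}: {message}")
    print("will poll:", active_hosts(SAMPLE_ROUTER_DB))
```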

Adding credentials

vi /home/rancid/.cloginrc

add user {ip-or-hostname} {username}
add password {ip-or-hostname} {password}
add method {ip-or-hostname} {ssh or telnet}
add autoenable {ip-or-hostname} 1

Applying changes

su rancid
/usr/local/rancid/bin/rancid-run

The above command gives no output; in case of errors examine the logs:

cd /usr/local/rancid/var/logs/
ls
cat {log-name}

# or debug interactively

/usr/local/rancid/bin/clogin -c "sh run" {ip-or-hostname}

Configuring notifications

which sendmail
/sbin

Edit /usr/local/rancid/bin/control_rancid

SENDMAIL=${SENDMAIL:=/sbin/sendmail};

Rancid sends mail to two aliases per group, named as follows:

rancid-"group_name"
rancid-admin-"group_name"

The first alias receives a report after a configuration change, the second one receives the error messages. We need to create those aliases so postfix can deliver the emails.

vi /etc/aliases

rancid-Switches:        email@test.com
rancid-admin-Switches:  email@test.com 

Apply aliases, start sendmail and postfix:

newaliases
systemctl enable postfix && systemctl start postfix
systemctl enable sendmail && systemctl start sendmail

Recently I got a long list of Linux machines and had to check which of them support SSH password authentication.

I found the tool Hydra; if it finds a machine which does not support password authentication, it prints that in its output:

Hydra v8.2-dev (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-25 14:49:59
[DATA] max 4 tasks per 4 servers, overall 64 tasks, 5 login tries (l:1/p:5), ~0 tries per task
[DATA] attacking service ssh on port 22
[ERROR] target ssh://1.1.1.1:22/ does not support password authentication.
[ERROR] target ssh://2.2.2.2:22/ does not support password authentication.
[ERROR] target ssh://3.3.3.3:22/ does not support password authentication.
[ERROR] target ssh://4.4.4.4:22/ does not support password authentication.
4 of 4 targets completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-25 14:50:01

So I created a simple bash script which captures the Hydra output into the $command variable, then extracts the string between "[ERROR] target ssh://" and ":22/ does not support" into the $out variable.

It then strips the remaining text to get the IP addresses of the machines ($filtered variable), prints every IP on a new line and writes them to the file output.txt.

Installing hydra (CentOS 7)

rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/atomic-release-1.0-21.art.noarch.rpm
yum install hydra

Put all your passwords in the file pws.txt and the machine IPs in targets.txt (one password/IP per line).

# capture stdout and stderr of hydra (a plain "$((" would be parsed as arithmetic)
command=$( (hydra -l root -P pws.txt -M targets.txt ssh -t 4) 2>&1 )
echo "$command"
# keep only the host part between "[ERROR] target ssh://" and ":22/ does not support", one per line
out=$(echo "$command" | grep -oP '(?<=\[ERROR\] target ssh://).*(?=:22/ does not support)')
# strip any leftover text so only the IP address remains
filtered=$(echo "$out" | sed 's|does not support password authentication.||g ; s|/||g ; s|ERROR||g ; s|target ssh||g ; s|:22||g ; s/[][]//g ; s|:||g')
# one IP per line
echo "$filtered" | xargs -n1 > output.txt

output.txt will contain the IPs of the machines which don’t support password authentication.
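As an added example (not part of the original post), here is a Python version of the same audit that needs neither Hydra nor a password list: it asks each sshd which authentication methods it offers by connecting with PreferredAuthentications=none and parsing the OpenSSH client's "Permission denied (...)" reply, then writes the hosts without password authentication to output.txt. The host list and the captured stderr strings are constructed for the example; probe_host runs the real ssh client, and the StrictHostKeyChecking setting is an assumption to adjust to your host-key policy.

```python
import re
import subprocess

# Captured-looking stderr of the OpenSSH client for three hosts, constructed
# for this example. sshd names the methods it would accept in the
# "Permission denied (...)" reply.
SAMPLE_STDERR = {
    "1.1.1.1": "root@1.1.1.1: Permission denied (publickey).",
    "2.2.2.2": "root@2.2.2.2: Permission denied (publickey,password,keyboard-interactive).",
    "3.3.3.3": "ssh: connect to host 3.3.3.3 port 22: Connection timed out",
}

_DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")


def offered_auth_methods(ssh_stderr):
    """Set of authentication methods named in sshd's reply, or None when the
    client never got that far (timeout, host key problem, refused, ...)."""
    match = _DENIED_RE.search(ssh_stderr)
    if match is None:
        return None
    return {m.strip() for m in match.group(1).split(",") if m.strip()}


def password_auth_enabled(ssh_stderr):
    """True if the server offers the 'password' method, False if not,
    None if unknown. keyboard-interactive is left to offered_auth_methods()
    because it often wraps PAM password prompts and deserves its own look."""
    methods = offered_auth_methods(ssh_stderr)
    return None if methods is None else "password" in methods


def probe_host(host, user="root", timeout=5):
    """Ask sshd which methods it offers without sending any credential:
    PreferredAuthentications=none makes the client try only the 'none'
    method, BatchMode=yes prevents prompts, and sshd's refusal lists the
    methods it would have accepted. Returns the client's stderr text."""
    cmd = [
        "ssh", "-o", "BatchMode=yes", "-o", "PreferredAuthentications=none",
        "-o", "StrictHostKeyChecking=accept-new",  # assumption: first contact is acceptable in this audit
        "-o", f"ConnectTimeout={timeout}", f"{user}@{host}", "true",
    ]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stderr


def audit(hosts, stderr_by_host=None):
    """Classify hosts into password / no_password / unknown. stderr_by_host
    lets captured output (such as the sample above) be used instead of a
    live probe."""
    report = {"password": [], "no_password": [], "unknown": []}
    for host in hosts:
        err = stderr_by_host[host] if stderr_by_host is not None else probe_host(host)
        state = password_auth_enabled(err)
        bucket = "unknown" if state is None else ("password" if state else "no_password")
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    # Same end result as the script above: output.txt holds the hosts that
    # do not accept password authentication; unknown hosts are reported too.
    report = audit(list(SAMPLE_STDERR), SAMPLE_STDERR)
    with open("output.txt", "w") as fh:
        fh.write("".join(f"{h}\n" for h in report["no_password"]))
    print(report)
```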

Keepalived is used for HA. Keepalived is a service that can monitor servers or processes in order to implement high availability on your infrastructure.

In this example Active-Passive HA is implemented. The Nagios secondary monitors connectivity to the primary; when a disruption is detected, the secondary starts the nagios and postfix services and serves requests until the Nagios master is available again, at which point the secondary stops the nagios and postfix services. Both servers are reachable via the keepalived virtual IP 192.168.0.30.

Install rsync on nagios secondary:

dnf install rsync
systemctl start rsyncd && systemctl enable rsyncd

On both servers install keepalived

dnf install keepalived
systemctl start keepalived && systemctl enable keepalived

The retention.dat file holds information about downtimes, acknowledgements and comments. It is read by the CGIs and shown in the dashboard. This file (along with the cfg files) will be regularly copied from the master to the slave Nagios.

On the slave edit /usr/local/nagios/etc/nagios.cfg and set retention_update_interval=1. This determines how often (in minutes) Nagios automatically saves retention data during normal operation (the default is 60 minutes).

In /etc/keepalived create the file exclude-list.txt listing the folders/files which don’t need to be synchronized to the Nagios slave:

/etc/keepalived/exclude-list.txt

bin/
etc/cgi.cfg
etc/htpasswd.users
include/
libexec/
sbin/
share/
var/nagios.log
var/objects.cache
var/status.dat
var/archives/
var/rw/
var/spool/
var/spool/checkresults/

Keepalived config on Nagios master

Set the role to BACKUP, the priority to 9 and the virtual IP to 192.168.0.30 in /etc/keepalived/keepalived.conf:

! Configuration File for keepalived

global_defs {
    enable_script_security 1
    script_user root
}
vrrp_instance VI_1 {
    debug 4
    interface eth0
    state BACKUP
    virtual_router_id 51
    advert_int 1
    priority 9
    virtual_ipaddress {
            192.168.0.30 dev eth0    # the virtual IP
       }
    unicast_src_ip 192.168.0.26 # Local IP
    unicast_peer {
      192.168.0.27 # Peer IP
    }
    authentication {
        auth_type PASS
        auth_pass XXXX
    }
 
}

Keepalived config on nagios_secondary

Set the role to MASTER and the priority to 10; detect failure (fall) and the OK state (rise) after 2 attempts; define the check script (track_script), a bash script which copies the files from Nagios_master and reports the state: 0 if all is good, 1 on failure; reduce the priority by 2 on check script failure (weight); and define what runs when nagios_secondary becomes MASTER (notify_master /etc/keepalived/stop_nagios.sh) and when it becomes BACKUP (notify_backup /etc/keepalived/start_nagios.sh), scripts which stop or start the nagios and postfix services.

/etc/keepalived/keepalived.conf:

! Configuration File for keepalived

global_defs {
    enable_script_security 1
    script_user root
}


vrrp_script chk_service_health {
    script /etc/keepalived/check.sh
    interval 15
    fall 2
    rise 2
    weight -2
}

vrrp_instance VI_1 {
    debug 4

    interface eth0

    state MASTER

    virtual_router_id 51
    advert_int 1
    priority 10

    virtual_ipaddress {
            192.168.0.30 dev eth0    # the virtual IP
        }

    unicast_src_ip 192.168.0.27 # Local IP

    unicast_peer {
        192.168.0.21 # Peer IP
    }

    authentication {
        auth_type PASS
        auth_pass XXXX
    }

    track_script {
        chk_service_health
    }
    notify_master /etc/keepalived/stop_nagios.sh
    notify_backup /etc/keepalived/start_nagios.sh

}

/etc/keepalived/check.sh:

#!/bin/bash

# Pull the Nagios configuration and retention data from the master. The
# trailing slashes make rsync sync the directory contents (rather than a
# nested nagios/ folder), so the relative paths in exclude-list.txt match.
if rsync -armzv --timeout=5 --delete 192.168.0.26:/usr/local/nagios/ /usr/local/nagios/ --exclude-from /etc/keepalived/exclude-list.txt
then
   exit 0 # All good. Nagios master reachable
else
   exit 1 # Failover trigger
fi

/etc/keepalived/stop_nagios.sh:

#!/bin/bash

logfile=/var/log/stop_nagios.txt
exec >> "$logfile"
exec 2>&1

# Define an array of processes to be checked.
# If properly quoted, these may contain spaces

check_process=("nagios" "postfix")

for p in "${check_process[@]}"; do
   if systemctl -q is-active "$p"
   then
      echo "$p is running, stopping it"
      date
      systemctl stop "$p"
   fi
done
exit 0

/etc/keepalived/start_nagios.sh:

#!/bin/bash

logfile=/var/log/start_nagios.txt
exec >> "$logfile"
exec 2>&1

# Define an array of processes to be checked.
# If properly quoted, these may contain spaces

check_process=("nagios" "postfix")

for p in "${check_process[@]}"; do
   if systemctl -q is-active "$p"
   then
      echo "$p is running"
   else
      date
      echo "Starting $p..."
      systemctl start "$p"
   fi
done
exit 0

Install Nagios Core on CentOS 8

Posted: November 4, 2019 in Linux

I disabled SELinux

sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
setenforce 0

Install python and other prerequisites


dnf install -y compat-openssl10 python3 perl gcc glibc glibc-common wget unzip httpd php gd gd-devel perl postfix 
alternatives --set python /usr/bin/python3 

Add nagios user and group

useradd nagios
groupadd nagcmd 

Add both the nagios user and the apache user to the nagcmd group 

usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Download nagios setup

mkdir setup 
cd setup 
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.4.5.tar.gz 
tar xvf nagios-4.4.5.tar.gz

Install nagios

cd nagios-4.4.5 
./configure --with-command-group=nagcmd 
make all 
make install 
make install-init 
make install-commandmode 
make install-config 
make install-webconf 
# set nagiosadmin password 
htpasswd -s -c /usr/local/nagios/etc/htpasswd.users nagiosadmin 

Setup EventHandlers

cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ 
chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers

Download and install nagios plugins

yum install -y gcc glibc glibc-common make gettext automake autoconf wget openssl-devel net-snmp net-snmp-utils
cd /tmp
wget --no-check-certificate -O nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxf nagios-plugins.tar.gz
cd /tmp/nagios-plugins-release-2.2.1/
./tools/setup
./configure --with-openssl --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

Install NRPE

NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines. This allows you to monitor remote machine metrics (disk usage, CPU load, etc.). NRPE can also communicate with some of the Windows agent addons, so you can execute scripts and check metrics on remote Windows machines as well.

# install nrpe 
dnf install openssl-devel 
wget https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.2.1/nrpe-3.2.1.tar.gz 
tar -xvf nrpe-3.2.1.tar.gz 
cd nrpe-3.2.1 
./configure --disable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/usr/local/nagios/libexec/ --bindir=/usr/local/nagios/bin/ --prefix=/usr/local/nagios 
make 
make install 
cp src/check_nrpe /usr/local/nagios/libexec/

Install NCPA 

NCPA is a cross-platform monitoring agent that runs on Windows, Linux/Unix, and Mac OS/X machines. Its features include both active and passive checks, remote management, and a local monitoring interface.

wget https://assets.nagios.com/downloads/ncpa/check_ncpa.tar.gz 
tar -zxf check_ncpa.tar.gz 
mv check_ncpa.py /usr/local/nagios/libexec/ 
chown nagios:nagios /usr/local/nagios/libexec/check_ncpa.py 
chmod 775 /usr/local/nagios/libexec/check_ncpa.py 

Next add the check_ncpa command to commands.cfg:

vim /usr/local/nagios/etc/objects/commands.cfg 

define command {
    command_name    check_ncpa
    command_line    $USER1$/check_ncpa.py -H $HOSTADDRESS$ $ARG1$
}

Adding contact

Edit contacts.cfg and change the email address:

define contact{
        contact_name            nagiosadmin             ; Short name of user
        use                     generic-contact         ; Inherit default values from generic-contact template (defined above)
        alias                   Nagios Admin            ; Full name of user
        email                   dragan.vucanovic@hotmail.com       ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
        }

Enable and start nagios and httpd

systemctl start nagios
systemctl enable nagios
systemctl enable httpd
systemctl start httpd

Recently I created a new CentOS 7 Hyper-V VM. I set the disk type to Dynamic with 127 GB and chose automatic partitioning during installation, but soon realized I only had 50 GB for the root partition; I copied a bunch of files to the /opt directory and ran out of disk space.

First, in the Hyper-V console, turn off the VM and expand the disk.

Turn the VM back on and partition the unallocated disk space. Check the name(s) of your SCSI devices:

ls /sys/class/scsi_device/
0:0:0:0  2:0:0:0

Then rescan the SCSI bus. Replace ‘0\:0\:0\:0’ with the actual SCSI device name(s) found with the previous command.

echo 1 > /sys/class/scsi_device/0\:0\:0\:0/device/rescan
echo 1 > /sys/class/scsi_device/2\:0\:0\:0/device/rescan

Create new partition

fdisk /dev/sda

Enter n to create a new partition, then p for a primary partition, and choose the partition number (I have /dev/sda1 and /dev/sda2, so the number is 3). Confirm the first and last sector, then type t to change the partition type: when prompted, enter the number of the partition you have just created, and when asked for the “Hex code” enter 8e (Linux LVM). Finally type w to write the partition table to disk.

The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): n
Partition type:
   p   primary (2 primary, 0 extended, 2 free)
   e   extended
Select (default p): p
Partition number (3,4, default 3): 3
First sector (266338304-838860799, default 266338304):
Using default value 266338304
Last sector, +sectors or +size{K,M,G} (266338304-838860799, default 838860799):
Using default value 838860799
Partition 3 of type Linux and of size 273 GiB is set

Command (m for help): t
Partition number (1-3, default 3): 3
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

Scan new partition

partprobe -s

And confirm partition is created

fdisk -l

Create the physical volume, replacing /dev/sda3 with the newly created partition.

 pvcreate /dev/sda3

To extend the logical volume with the new partition, first find out the volume group name:

vgdisplay

Extend volume group by adding new partition

vgextend centos /dev/sda3

If you get “Device /dev/sda3 not found.”, reboot the VM.

See newly added physical volume:

pvscan

Extend logical volume

lvextend /dev/mapper/centos-root /dev/sda3
Size of logical volume centos/root changed from 50.00 GiB (12800 extents) to <323.00 GiB (82687 extents).
Logical volume centos/root successfully resized.

Grow the XFS file system to fill the resized logical volume:

xfs_growfs /dev/mapper/centos-root
meta-data=/dev/mapper/centos-root isize=512    agcount=4, agsize=3276800 blks
         =                       sectsz=4096  attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=13107200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal               bsize=4096   blocks=6400, version=2
         =                       sectsz=4096  sunit=1 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 13107200 to 84671488

The root partition is resized.

phpIPAM is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is a PHP-based application with a MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.

Features:

• IPv4/IPv6 IP address management

• Section / Subnet management

• Automatic free space display for subnets

• Visual subnet display

• Automatic subnet scanning / IP status checks

• PowerDNS integration

• NAT support

• RACK management

• Domain authentication (AD, LDAP, Radius)

• Per-group section/subnet permissions

• Device / device types management

• RIPE subnets import

• XLS / CSV subnets import

• IP request module

• REST API

• Locations module

• VLAN management

• VRF Management – Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices. Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; thus the technology is also referred to as VPN routing and forwarding. (Not sure how relevant this is for us.)

• IPv4 / IPv6 calculator

• IP database search

• E-mail notifications

Installation

It’s presumed SELinux and the firewall are disabled. Set the locales:

more /etc/environment
LC_ALL=en_US.utf-8
LANG=en_US.utf-8

Install all required packages

yum install httpd mariadb-server php php-cli php-gd php-common php-ldap php-pdo php-pear php-snmp php-xml php-mysql php-mbstring git
yum install epel-release
yum install php-mcrypt

Configuring Apache

Edit /etc/httpd/conf/httpd.conf

DocumentRoot "/var/www/html"
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride all
    Order allow,deny
    Allow from all

    #
    # Controls who can get stuff from this server.
    #
    #Require all granted
</Directory>

Set the correct timezone in php.ini to avoid PHP warnings:

grep timezone /etc/php.ini
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Europe/Belgrade

Start Apache and MariaDB

systemctl start httpd
systemctl enable httpd
systemctl start mariadb
systemctl enable mariadb

Harden MariaDB server:

mysql_secure_installation

Download the phpIPAM files and set the correct permissions

cd /var/www/html/
git clone https://github.com/phpipam/phpipam.git .
git checkout 1.4
chown apache:apache -R /var/www/html/
find . -type f -exec chmod 0644 {} \;
find . -type d -exec chmod 0755 {} \;
cp config.dist.php config.php

Installing phpIPAM

Open a browser, go to http://IP-address and click Automatic database installation.

Then type the MariaDB username/password (set when hardening MariaDB).

On next screen set admin password, phpIPAM now should be installed, login to access GUI.

Configuring logs

edit /etc/rsyslog.conf

auth.alert;auth.warning;auth.debug              /var/log/auth.log
if $programname == 'phpipam' then /var/log/phpipam.log
if $programname == 'phpipam-changelog' then /var/log/phpipam-changelog.log

In the IPAM console go to Administration – phpIPAM settings – Syslog and select “Syslog and local database”.

Email settings

Install SMTP PHP module

cd /var/www/html/
git submodule update --init --recursive

Set admin name and email address: Administration – phpIPAM settings

Administration – Mail Settings

Server type: SMTP

Server address: smtp.office365.com

Port: 587

Set username/password and admin email (set in previous step)

Creating Section

In a Section you can organize your subnets in different folders.

A folder is a block or group of subnets, like a folder on disk.
To create a Section click on Administration – Sections, type a name and set the other options.

Creating VLANs

To create VLANs, an L2 Domain needs to be created first (this is not necessary when creating VLANs via API calls).

Administration – VLAN

Add L2 Domain

Type name and select section

Type VLAN ID and description

Creating subnets

Administration – Subnets

Select section created in previous step

Create folder by clicking on folder icon

Type the CIDR, select the VLAN, nameserver, etc.

Set Check host status and Discover new hosts to Yes

Scanning subnet and discovering new hosts

Manually scan subnet:

/bin/php /var/www/html/functions/scripts/pingCheck.php
/bin/php /var/www/html/functions/scripts/discoveryCheck.php

To scan the subnets automatically every 15 minutes, add to /etc/crontab:

*/15 * * * * root /bin/php /var/www/html/functions/scripts/pingCheck.php
*/15 * * * * root /bin/php /var/www/html/functions/scripts/discoveryCheck.php

REST API

Enable API (Administration – phpIPAM settings)

In this example plain HTTP is used, so we must enable unsafe (non-HTTPS) API access in the /var/www/html/config.php file; the API token then travels in clear text:

$api_allow_unsafe = true;

Create API ID

Type:User token

Set App Permission

Get token

yum install jq -y
curl -X POST --user admin:pass http://localhost/api/myapi/user/ | jq "."
{
  "code": 200,
  "success": true,
  "data": {
    "token": "token",
    "expires": "2019-09-16 15:15:55"
  },
  "time": 0.015
}

Now we can use the token to search for data or to create new objects.

Following methods are available:

  • GET – Reads object(s) details and returns it in requested format
  • POST – Creates new object
  • PUT – Changes object values
  • PATCH – Alias to PUT method
  • DELETE – Deletes an object

The following objects (controllers) are available:

  • Sections
  • Subnets
  • Folders
  • VLANs
  • Addresses
  • L2 domains
  • VRFs
  • Devices
  • Tools
  • Prefix

Request structure:

<HTTP_METHOD> /api/<APP_NAME>/<CONTROLLER>

Searching objects

Searching subnets

curl -X GET  http://192.168.1.18/api/myapi/subnets/ --header "token: token" | jq '.'

Searching VLANs

curl -X GET  http://192.168.1.18/api/myapi/vlans/ --header "token: token" | jq '.'

Search for specific section

curl -X GET  "http://192.168.1.18/api/myapi/Sections/?filter_by=name&filter_value=test" --header "token: token" | jq '.'

The default REST API output is JSON. If the output is lengthy, scrolling through it in a PuTTY window is tedious, so a better approach may be Postman: in the Headers section create a key named token and paste the token as its value.

Creating VLAN

Creating VLAN 88

curl -X POST --header 'token: token' --header "Content-Type: application/json" http://localhost/api/myapi/vlans/ --data '{"number": "88","name": "vlan_88","description": "VLAN 88"}' | jq "." 

To execute same API in Postman: Import- Paste Raw Text – Paste same command as in previous example.

Create new subnet:

In this example subnet 10.0.90.0 is created in the Devtech section (SectionID:4) and assigned to VLAN 87 (vlanId:4).
To get the section and VLAN ids, first run the GET API on the subnets and vlans controllers.

curl -X POST --header 'token: MOOG3gikXMPF9htSjY56S-1i' --header "Content-Type:application/json" http://localhost/api/myapi/subnets/ --data '{"subnet": "10.0.90.0","sectionId": 1,"description": "Test","masterSubnetId": 0,"mask": 24,"vlanId":"4"}' | jq "."
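As an added example (not phpIPAM's own code and not part of the original post), here is a small standard-library Python client for the flow above: a basic-auth POST to the user controller obtains the token, which is then sent in the token header to search and create objects, with the JSON envelope checked on every reply. The base URL, app name, credentials and object ids are placeholders taken from the commands above, and the token response embedded below is constructed from the shape shown earlier.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Token response in the shape shown above, constructed for this example.
SAMPLE_TOKEN_RESPONSE = (
    '{"code": 200, "success": true, '
    '"data": {"token": "token", "expires": "2019-09-16 15:15:55"}, "time": 0.015}'
)


class PhpIpamError(RuntimeError):
    """phpIPAM answered with success=false (bad credentials, expired token, unknown object, ...)."""


def parse_response(body):
    """Check the phpIPAM JSON envelope and return it as a dict. Reads carry
    their payload under "data"; creates report the new object's "id"."""
    doc = json.loads(body)
    if not doc.get("success", False):
        raise PhpIpamError(f"code {doc.get('code')}: {doc.get('message', 'request failed')}")
    return doc


def build_url(base_url, app_name, controller, **filters):
    """<base>/api/<APP_NAME>/<CONTROLLER>/ plus optional query parameters
    such as filter_by=name&filter_value=test."""
    url = f"{base_url.rstrip('/')}/api/{app_name}/{controller.strip('/')}/"
    if filters:
        url += "?" + urllib.parse.urlencode(filters)
    return url


class PhpIpam:
    """Minimal client for the flow on this page: basic-auth POST to the
    user controller to obtain a token, then the token header on every call."""

    def __init__(self, base_url, app_name, timeout=10):
        self.base_url, self.app_name, self.timeout = base_url, app_name, timeout
        self.token = None

    def _call(self, method, controller, payload=None, headers=None, **filters):
        url = build_url(self.base_url, self.app_name, controller, **filters)
        hdrs = {"Content-Type": "application/json"}
        if self.token:
            hdrs["token"] = self.token
        hdrs.update(headers or {})
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
        try:
            with urllib.request.urlopen(req, timeout=self.timeout) as resp:
                body = resp.read().decode()
        except urllib.error.HTTPError as err:
            body = err.read().decode()  # phpIPAM wraps errors in the same envelope
        return parse_response(body)

    def login(self, username, password):
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        doc = self._call("POST", "user", headers={"Authorization": f"Basic {cred}"})
        self.token = doc["data"]["token"]
        return doc["data"]["expires"]

    def search(self, controller, **filters):
        return self._call("GET", controller, **filters)["data"]

    def create_vlan(self, number, name, description):
        payload = {"number": str(number), "name": name, "description": description}
        return self._call("POST", "vlans", payload).get("id")  # id of the created object

    def create_subnet(self, subnet, mask, section_id, vlan_id, description, master_subnet_id=0):
        payload = {"subnet": subnet, "mask": mask, "sectionId": section_id,
                   "vlanId": str(vlan_id), "description": description,
                   "masterSubnetId": master_subnet_id}
        return self._call("POST", "subnets", payload).get("id")


if __name__ == "__main__":
    print(parse_response(SAMPLE_TOKEN_RESPONSE)["data"])
    # Live use (placeholder host, app name and credentials from the commands above):
    # ipam = PhpIpam("http://192.168.1.18", "myapi")
    # ipam.login("admin", "pass")
    # print(ipam.search("Sections", filter_by="name", filter_value="test"))
    # print(ipam.create_vlan(88, "vlan_88", "VLAN 88"))
```

The client works unchanged against an https:// base URL, which is the only way to keep the token out of clear text once $api_allow_unsafe is no longer needed.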

After packaging a VBox VM

vagrant package --base ""
vagrant box add mypackagedbox package.box

and provisioning the exported/packaged machine, I started getting the error: ”Warning: Authentication failure. Retrying…”

The solution (at least for me) was specifying config.ssh.insert_key = false in both Vagrantfiles (when provisioning the “original” and the “packaged” VM).

  1. log in to the original box and fill the empty disk space with zeroes

yum -y clean all
rm -rf /var/cache/yum
dd if=/dev/zero of=/EMPTY bs=1M
rm -f /EMPTY
sync

  2. shut down the VM

shutdown -h 0

  3. delete the file insecure_private_key from the Vagrant directory

  4. export the box

vagrant package --base vm_id_as_it_is_in_virtualbox --output box_file_name