Mauritian living in the USA | Founding member of cyberstorm.mu | Creator of tunnelix.com | Devops Engineer | Hacker at IETF Hackathon | VCA & VCP | Love and Believe in OpenSource
A few days back, we have seen the installation of the Puppet server and Puppet Agent on the RHEL7 environment. In this article, we will focus on the technical part to administer and write manifests in the Puppet server to instruct the Agent. If you landed directly in this article, consider viewing the 10 steps to install the Puppet configuration management tool before continuing further in this article. Otherwise, I invite you all to continue on in this discovery of what Puppet is capable of.
The first keyword that someone should be familiar with is “resource”. In Puppet everything is a resource. The second keyword is “manifest”. To instruct the Puppet server, we have to write a file with the extension ‘.pp’ and it is called a manifest.
1. To check what are the resources in Puppet, you can use the following command:
puppet resource --type
2. You will notice a lot of resources. Let’s say you want to get more details about the resource called ‘file’, use the following command
puppet describe file
3. Let’s do something locally. let’s create a file in /tmp called test.txt. Create a file called file.pp as follows:
file {'/tmp/test.txt':ensure=> file,content=> "My first puppet file",}
This is very simple to grasp. ‘file’ here is an attribute, the /tmp/test is a ‘content’ and ensure is the ‘attribute’. The content inside the attribute is the ‘value’.
4. To apply it with puppet locally use the following command:
puppet apply file.pp
You would notice that the file has already been created in the /tmp directory with the content as well.
5. If you want to remove the file use puppet apply file.pp but instead of ensure => file use ensure => absent.
file {'/tmp/test.txt': ensure=> absent, content=> "My first puppet file",}
6. In the same manner, if you want to create a directory instead, use ensure => directory.
7. You can also check if you have any syntax error in your Manifest by using the following command:
puppet parser validate file_absent.pp
8. You can also create a user and at the same time add it in the same playbook of that of file. For example:
file {'/tmp/test.txt': ensure=> file, content=> "My first puppet file",}user {'tom': ensure=> present,}
9. The idea is to look at the documentation and understand the parameter for a certain module, for example, the module ‘user’ with the command ‘puppet describe user‘ and you will notice that you can also create the home directory and specify the shell.
user {'harry': ensure=> present, comment=> "Harry Bell", shell=> '/sbin/nologin', home=> "/home/harry",}
At this stage, it should be very clear how to create puppet manifest and execute locally. I create a Github repository to store all the Puppet Manifests. In the next blog post on Puppet, I will share more details. If you like it do comment below 🙂
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. – Firewalld.org
Photo Credits: Cloudflare.com
IPtables VS Firewalld
In RHEL6, we had IPtables. Now, in RHEL7, the firewall mechanism or say, the firewall daemon changed to Firewalld. Both serve the same purpose, i.e; packet filtering using the Netfilter module inbuilt in the Linux kernel. However, it is important to know why the Firewalld took over the IPtables. In Firewalld, you can change settings dynamically whilst being on production compared to IPtables which needs to flush out the entire rules set once a change has been made. Another difference is that during the installation of firewalld, you have support for both IPv4 and IPv6 compared to IPtables, you will have to install Ip6tables for IPv6 support. For those who are not acquainted with IPv6, please check out the article on “Diving into the basics of IPv6“. To briefly describe Firewalld, it is a set of services and daemons that manage the Netfilter in the Linux kernel. Finally, it is important to understand that both RHEL6 and RHEL7 used the IPtables (commands) to talk to the Netfilter.
Photo Credits: 8gwifi.org
Zones concept in Firewalld
One of the important concepts in firewalld is ‘zones’. Zones are groups of rules which is managed by the firewalld. Zones are based on the level of trust a user has on the interface and traffic within a network. Zones are even defined from least trusted to most trusted. These are the types of zones:
Drop zones: This is where incoming connections are dropped without any messages.
Block zones: Same as block zone but the only difference is that it gives an ICMP reply.
Public zones: It is an untrusted zone, but may allow connections based on case to case basis.
External zones: It is used when your firewall is also a gateway or simply, configuration for NAT.
Internal zones: This is the other side of the gateway or simply the firewall configurations used inside your own network, usually in a private network.
Demilitarized zones: Demilitarized zones or say DMZ, is where only certain incoming connections are allowed.
Work zones: There is a trust in the majority of hosts on the network which makes it possible to allow more services.
Home zones: The trust here is more and more acceptable and much more restrictions are removed.
Trusted: Here, there is absolute trust. Note that this should be used carefully.
VIEW information on your firewall
1. You can check if your firewall is running from either of the following commands:
systemctl status firewalld
firewalld-cmd --state
2. Like we said earlier, we can also check in which zone is the interface card configured:
firewalld-cmd --get-default-zone
3. Now, to check which interface card is in which zone, simply do the following. As you can see below, both interface cards enp0s3 and enp0s8 is in the active zone:
firewalld-cmd --get-active-zone
4. To check which rules are in the zones:
firewalld-cmd --list-all
5. If you want to get all the existing zones, simply do the following:
firewalld-cmd --get-zones
6. To list all existing rules within each zone, use the following:
Currently, you will also know which zones are your interfaces.
firewalld-cmd --list-all
7. But, you can still list the rules for a specific zone, say, the ‘home’ zone.
firewall-cmd --zone=home --list-all
8. For more details of all zones:firewall-cmd –list-all-zones
9. We have also seen, for example, in part 4 that firewall-zone –get-active-zone also shows us the services associated with the zone. But, we can also see a list of services with the firewall-zone command:
firewall-cmd --get-services
The services are just XML file located in /usr/lib/firewalld/services
Change information on the Firewall
10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.
You can verify same using firewall-cmd –list-all-zones
11. However, another way to made verifications can be done using the command:
firewall-cmd --get-active-zones
12. Please note that restarting the service firewalld will result in loss of the change carried out. To ensure it is effective even after a restart of the service, go on the configuration on the network card which is /etc/sysconfig/network-scripts/ifcfg-enp0s3 and add the following line to it.
ZONE=home
13. Also, note that you can always change the default zone from public to home directly with the command:
firewall-cmd --set-default-zone=home
14. To add a specific service to a zone, for example, adding https to the zone public.
firewall-cmd --zone=public --add-service=https
15. Please note that this is only temporarily and after a restart of the service, the https will not be anymore in the home zone. To make it permanent:
Always test your change with a firewall-cmd –reload
16. Most of the time, if you are running your own custom application, let’s say it is running on port 8080 and the services are not seen using firewall-cmd get-services, you can still add it to a zone by mentioning the port.
19. We can also block a specific IP Address from a zone. Let’s say we want to block IP 10.10.10.10/24 from the zone public. For that, we have to use the parameter –add-rich-rule.
20. You might also want a particular service to be allowed from a particular IP Address. Let’s say we want to allow IP 10.10.10.5 for the zone public and only for the FTP service. In this example below, limit value=”2/m” means to limit 2 connections per minute.
21. Let’s say you want to know which zone is a specific interface. You can use the following command:
firewall-cmd --get-zone-of-interface=enp0s3
22. You can also find how many particular interfaces are in a particular zone:
firewall-cmd --zone=public --list-interfaces
23. To stop all communications, let’s say during an attack, you can fire this command:
firewall-cmd --panic-on
24. You can also stop the panic using the following command:
firewall-cmd --panic-off
25. You can also check if you are in a query panic using the following command:
firewall-cmd --query-panic
NAT, Port Forwarding and Masquerading
Network Address Translation (NAT) means to use a strategy to hide an IP address space into another IP address by modifying the network address information in the IP header. The packets in the IP header will transit through a routing device.
Port Address Translation (PAT) sometimes called Port forwarding works the same fashion except that it works on port level. You can forward port 22 on from your IP address to port 8000 to your internal web server.
The word Masquerading itself means to use something fake. NAT masquerading is another strategy to allow a device that does not have an IP address to communicate with other computers on the internet. IP Masquerading means to set up an IP gateway for a device.
26. To check if masquerading is on or off, you can use the following command:
firewall-cmd --query-masquerade
27. Or say you want to query a particular zone if masquerade is on or off, simply use the –zone parameter:
firewall-cmd --zone=public --query-masquerade
28. To enable masquerade for the zone public
firewall-cmd --zone=public --add-masquerade
29. Before performing a port forwarding, we need to enable the masquerading:
33. You can also use firewalld on the graphic user interface. This can be done by installing the package firewall-config. The following command can be used:
yum install firewall firewalld-config
34. There are other ways to check if firewalld is running:
systemctl status firewalld
firewall-cmd --state
35. To active debug mode on firewalld logs enter the following parameter in the /etc/sysconfig/firewalld
FIREWALLD_ARGS='--debug'
After setting the parameter, the service need to be restarted.
Some days ago a guy asked me why I do not blog anything on Puppet configuration management tool and prefer Ansible over Puppet. True it is that I prefer Ansible because it is agentless and very easy to use. However, we agreed that there are certain situations that Puppet wins over Ansible. I decided to blog about this configuration management tool so as to enhance my knowledge and that of my readers. Puppet provides several services such as Windows automation, cloud management, configuration management, etc. However, in this blog post, we will talk about puppet as a configuration management tool. Puppet provides the ability to define which software and configuration a system requires and then maintain a specified state after the initial setup. The nodes that Puppet control must have the Puppet agent installed. In this blog post, we will focus on the installation of the Puppet Server and the Agent as well.
1. For that, I created two VMs (puppet-server and puppet-client) on my Virtual Box labs which are Puppet-Server and Pupper-Client. I have also mentioned each hostname and IP Address in the /etc/hosts file of each server.
2. You can get the repository on yum.puppetlabs.com. I downloaded it with the following commands on both servers:
3. On the puppet-server, install the puppet-server package.
yum install puppetserver
4. Since I am on a virtual machine with very low memory assigned, I tweak the memory Xms and Xmx value (heap size). The Xms is the initial minimum heap size when the service start whilst the Xmx is the maximum heap size. On the puppet-server, I edited the file /etc/sysconfig/puppetserver and change the heap value to this:
5. Add the puppet binary to your environment. I edited the bash_profile file for that.
PATH=$PATH:$HOME/bin:/opt/puppetlabs/bin
Also launched the following command:
source bash_profile
6. Also, install the puppet-agent on the puppetclient machine.
yum install puppet-agent -y
7. On the puppetserver, you can start the service with the following command:
systemctl start puppetserver
8. And, on the puppetclient you can start the service as follows:
systemctl start puppet
9. Now, that we have seen how to install the Puppet server and the agent. Let’s now see other directories related to Puppet.
/etc/puppetlabs/puppet – contain several configuration files
/etc/puppetlabs/puppet/ssl – contain the certificate
/etc/sysconfig/puppetserver – file that contain the java configuration such as heap size, start timeout etc.
/etc/puppetlabs/code/environments/production – Default production environment available to write the codes.
10. In Puppet, whatever instructions you give the Puppet agent is called a ‘resource’. This is the fundamentals to write the manifest where instructions are given to manage Puppet. To know the resources available you need to launch the following command:
puppet resource --type
11. To understand the syntax of the resource, for example, the resource ‘file’, use the following command:
puppet describe file
In the next article, I will describe how to use the Puppet configuration management tool to administer or to instruct the puppet agent to perform specific tasks. Remember, Puppet file extension ends with ‘.pp’ and I will focus a lot more on that. At the same time, this is a good way to refresh my memory when using Puppet. I hope you liked this article when it comes to the basic installation and configuration when using Puppet.
The Internet is growing. In case you are not on IPv6, for sure one day, you might need to migrate from IPv4 to IPv6. Now what kind of methodology you would apply whether a dual stack or a direct changeover depends upon a rigid observation and analysis of the network infrastructure. But, it should no more be taken as a complexity. Since a few years, many companies, government bodies, ISPs, and others are moving towards IPv6. Some are adopting dual stack. IPv6 can be said to be version 2 of the Internet. In this blog post, I will make my best to shed some basics and simple way to understand the features and benefits when using IPv6. I will also contrast it with IPv4. For research purpose, I have perused several books and blogs over the Internet and, same are referenced below. One of the challenges in Africa is to enable the smooth transition to IPv6. Whilst others are doing dual stack, others have successfully migrated the whole network infrastructure to IPv6. IPv4 has been created in the early ’80s. The Internet growth which is so huge and it will definitely need to move ahead with modern technology IPv6 running at its core. I had always admired one of the modern futurist physicist, Dr. Michio Kaku who said that “In the future, the Internet might become a brain“.
So why do we really need IPv6?
Besides, from the growth of the Internet and the scarcity of IPv4 addresses, we all knew that in IPv4, the network has been divided into two parts which are the Private IPs and the Public IPs allocation. And, those two segments which are Interconnected required NAT configuration. This breaks the contiguous of the Internet. Another reason is that there is no security in IPv4 at its core. Of course, there are other strategies to secure an IPv4 network. When it comes to data prioritization, it cannot be done at the core of IPv4 which means that there is not much of Quality of Service (QoS). In IPv4, we can configure or assigned an IP to a device or simply use an address configuration mechanism such as DHCP. But, the moment DHCP is down, we land into a problem. Here is the catch, this means that there is no way to make a device to be assigned a globally unique address. So, that’s why we need IPv6. Well, wait… What happened to IPv5 ? and what about IPv1, IPv2, and IPv3?
What happened to IPv1, IPv2, IPv3, and IPv5?
Have a look at the diagram below which makes it pretty easy to understand:
Photo Credits: tutorialspoint.com
So, IPv0, IPv1, IPv2, and IPv3 were used in the development testing phase. Ipv5 was used while doing the Stream experimentation of the Internet.
Features of IPv6
There is no backward compatibility when using IPv6, but, the basic functions remain the same, and the features have been changed completely. Since IPv4 is a 32-bit address and IPv6 is a 128-bit address, just imagine how much bigger it is. When compared to an IPv4 address bit, IPv6 has four times more bits. We can say that there are more than 1500 IP addresses per square meter on earth.
Photo credits: transition.fcc.gov
Another feature of the IPv6 is about the header which is twice the size of IPv4.
Photo Credits: radioworld.com
In IPv6, there is also end-to-end connectivity which means that NAT is not required for the continuity of the Internet. Every host can reach another host over the Internet.
Photo Credits: concurrency.com
Other features are “auto-configuration” which can be either stateful or stateless. Stateless is a mechanism that does not require any intermediate support in the form of DHCP for IP assignment whereas Stateful serves IP addresses from a pool. Also to take into consideration is “faster routing”. In IPv6, the routing information is stored in the first part of the header which makes routing decisions faster by the router. Another feature is IPSec (IP Security). It creates an end-to-end tunnel between the source and the target though it is optional. “No Broadcast” is another feature within IPv6. Using an IPv4 network, you will notice during the IP Address configuration, the clients need to broadcast to the DHCP. In IPv6, the client doesn’t need to broadcast and instead will multicast to communicate with machines over the network. It is important to understand the difference between ‘broadcast’ (one-to-all) and ‘multicast'(one-to-many). In broadcast, clients will send messages to all hosts on the network, whereas in multicast, messages are sent to a group of stations. This allows the building of distribution networks where group management is required. IPv6 does not limits itself to multicast but also bring the ‘unicast’ (one-to-one) feature. This is used especially between routers which need to communicate to a specific router. However, if you have several routers nearby and you can choose any routers for communication, let’s say for a CDN purpose, we can use the anycast method to process efficiency packet routing.
Photo Credits: techiemaster.wordpress.com
Reading IPv6 addressing
Now, that you have grasped the basic concepts of IPv6 and why we need it, let’s see how to read IPv6. An IPv6 address is made up of 128-bits divided into 16-bits blocks. Each block is then converted into 4-digits hexadecimal numbers separated by colon symbol. For example, this is an IPv6 address in binary:
Since we have three series of zeros, it can be escaped between the two colons symbols. Leading zeros in the third block will result in 30. In case, you had one block of zeros, use one zero in the hexadecimal IP address. When converted to hexadecimal it is:
2606:4700:30::6812:2860
Let’s get into more details. There are two rules when reading an IPv6 address.
Rule1: Leading zeros should be discarded. As we can see in the 3rd block of the IPv6 address above i.e; 0000000000110000 when converted it is written as 30, because it can be read as 110000. Here is a video on how to convert Binary to Hexadecimal.
Rule2: If two or more blocks contain consecutive zeros, omit them all and replace by double colons signs. Example the three blocks of zeros in purple above have been replaced as “::“, However, if there is a single block of zero, use 0 in the IPv6 address.
Assignment of IPv6 address
Similar to IPv4, we need to understand how to identify the number of networks and hosts in IPv6. Let’s take an example from a generic unicast address which uses 64-bits as network ID and 64-bits as hosts ID. Please note from the picture below the 64-bits in the network has been shared in three distinctive fields in the IPv6 packet structure.
Photo Credits: www.networkworld.com
At this stage, it should be clear how a generic unicast address has been designed. Now, another important point is the IPv6 address scope. A scope is a region where an IPv6 address can be defined as a unique identifier of a network interface. As we can see below, there are three scopes, Global Unicast Address, Unique Local, and Link Local.
Photo Credits: steves-internet-guide.com
The Global Unicast Addressis routed and is reachable across the Internet. Also. the prefix for global routing prefix in IPv6 has been assigned by the Internet Assigned Number Authority – IANA, so that by only looking at the prefix of an IPv6 address, you can determine if its global or not. In the picture below, you can see the first 3 bits within the global prefix. Remember, that this is unique globally.
Photo Credits: cisco.com
Then, comes the Site level aggregator – SLA which is the subnet ID assigned to the customer by the service provider. This follows by the LAN id that is used by the customer and is free to manipulate. This address is globally unique.
Let’s take a look at a Unique Local Unicast Address. It looks like private IP addresses and is used for local communication intersite usually in a LAN and for VPN purpose. It is not routable on the Internet.
Photo Credits: cisco.com
The last one is the link local unicast address. This is used for communication between two IPv6 devices on the same link. By default, it is automatically assigned by the device as soon as IPv6 is enabled, and it is not routable. These types of IP addresses are identified by the first 10-bits of the address, i.e; FE80.
Photo Credits: cisco.com
In this blog post, I took an example from only Unicast addresses. Remember, there are also Multicast and Anycast address ranges. Let’s now create some servers and perform some IPv6 configurations.
Goodbye IPv4 and, say Hello to IPv6
I created a CentOS7 machine on my VirtualBox. As you can see, the interface card enp0s8 have the IP Address 192.168.100.9 as well as fe80::9ef3:b9d3:8b87:4940. Remember, the fe80 is the Link Local Address.
You can also see the connection using the following command:
To create a connection using nmcli use the following command and check back the connection. You will notice that the connection has been created without any device attached to it.
I am now modifying ipv6-tunnelix and attached it to enp0s9. I will also assign it to an IPv6 address. (For learning and testing purpose, this IPv6 address has not been assigned to me, it’s that of Facebook’s public IPv6)
As you can see, the address has been assigned. But remember, same as you can assign a public IPv4 address on a virtual machine, you will need to route it for connectivity. In this example, I took an example of Facebook public IP Address.
Are your blog’s IPv6 ready?
In 2016, during migration on Cloudflare, tunnelix.com became dual stack i.e; both compatible for IPv4 and IPv6. You can test any website for IPv6 support at this link.
Getting certified on IPv6 is really interesting as it can demonstrate comprehensibility. You can participate in free IPv6 training and get certified from Hurricane Electric. It is important to read the IPv6 primer.
There is also a service from Hurricane Electric, called Tunnel Broker which can facilitate you for creating a tunnel from your IPv4 static IP address to free IPv6 tunnels. In future blog posts on IPv6, I will get into more details about it. If you like the article, please comment, and share.
Have you ever deleted a logical volume by accident? Can you recover it looking into the backups? Well, the answer is YES. For those who are not familiar with Logical Volume Management (LVM) is a device mapper target that provides logical volume management for the Linux kernel.- Wikipedia. It is an abstraction layer or software that has been placed on top of your hard drive for flexible manipulation of the disk space. Some of the articles published in the past on LVM are:
All test carried out on this blog post have been tested on a CentOS machine. Please don’t make a live test on a production server.
Image Credits: Redhat.com
1. So, as you can see below I have an lv called lvopt which is from a vg called centos.
2. Same is mounted on the /opt
3. There are some data in that partition as well:
4. I created a directory inside the /opt directory
5. Now, let’s pretend to remove the lvm lvopt. Or say, someone did it by accident because it was unmounted. The command lvremove will be used here to remove the lv. Note: that the lv need to be unmounted.
6. If you make an lvs, lvdisplay or vgs or even mount again the partition, you cannot do it. The data is lost. But you can still recover it. This is because the lvm contains the archive of your lv inside the folder /etc/lvm/archive. But, you cannot read the files directly.
7. But you can still, interpret part of the files. Since we deleted the volume group called “centos”, we knew that it is referenced in the file centos_… The question that arises here is which file is relevant for you. Right? So to understand which archive you want to restore, you need to use the command vgcfgrestore –list <name of volume group>. Here is an example:
8. If you observe carefully, each archive has been backup at a certain time. In my case, I deleted the LV on 18-Apr-2019 at 11:17:17 2019:
9. So, I want to restore from that last archive. You will need to copy the full patch of the vg file. In my case it is /etc/lvm/archive/centos_00004-1870674349.vg. The goal here is to restore the lv before this specific time, or simply restore back the lv before the command lvremove was fired. Here is the command:
10. If you launch the command lvs, you will notice the presence of the lv.
11. But, mounting back the lv won’t result in anything. This is because the lv is inactive. You can see it with the command lvscan. Please take note below that the lvopt is inactive.
12. To activate it you simply need to use the command lvchange.
13. Mount it back and you are done.
I believe this can be very useful especially when you have encountered a situation where someone deleted an lv. I hope you enjoy this blog post. Please share and comment below if you like it.
