A basic MySQL Cluster setup

The easiest way to have MySQL Cluster installed on Linux is to get the official “server” RPM package and unpack it on every node that is to join the cluster. Ta-dam, service binaries for all node types are deployed and ready to be used – right after you have written a cluster configuration, created proper SysV services, added firewall rules and tweaked SELinux. Continue reading “A basic MySQL Cluster setup”

What is syslog and what is it used for?

Introduction

Logging from Wikipedia:

“Logging is the cutting, skidding, on-site processing, and loading of trees or logs onto trucks or skeleton cars.”  /Wikipedia/
No, it’s a different industry. Again:
“In computing, a log file is a file that records either the events which happen while an operating system or other software runs, or the personal messages between different users of a communication software. The act of keeping a log is called logging.” /Wikipedia/

Event logging

Recording events on a given system for different purposes, e.g. monitoring, debugging, auditing etc.

Continue reading “What is syslog and what is it used for?”

How to limit memory usage of a process under Linux

In various cases a process can easily eat up the memory of a server. This can happen quickly or slowly (within weeks). This article will show you how to find such a process and how to limit its memory usage. Linux itself does not limit the physical memory usage of a process, whether or not it runs with root privileges.

Continue reading “How to limit memory usage of a process under Linux”

Minimalistic docker: starting from scratch

Introduction
Next generation Linux distributions are out. Significant changes give them a special flavour compared to other Unix-like derivatives.
In spite of implementing similar features, the distance and the diversity
between them keep growing. Sounds good, doesn’t it? Not everyone shares this opinion.

Docker is one result of the current virtualization trends on Linux. Control
groups (aka cgroups) provide the features that make operating-system-level
virtualization, the one-kernel-many-containers scenario, worthwhile.

Conditions, environment
X86 virtual machine deployed on VMware ESXi 5.5 on HP DL360Pg8.
Minimal Oracle Enterprise Linux 7 installed on 2 CPU cores and 4 GB.
No RAID on VM level, LVM and xfs for the general filesystems (default).
Extra software added: screen, wget and vim.
EL7 contains systemd; the Oracle UEK kernel 3.8.13-44.el7uek.x86_64 is used, and dtrace is available.

First steps and look
Installing and configuring docker on OEL7 is quite easy. Continue reading “Minimalistic docker: starting from scratch”

Custom snmpd extension for port checking

As weird as it sounds, recently I had a task to accomplish port checks without access to the LAN on which daemons listen for connections. Speaking of a monitoring solution, the obvious choice was SNMP, which is the most widespread means of getting health information from network-attached devices, anyway. We perform an “indirect” port check, meaning that it’s sufficient for us to know that a process is listening on a given port without trying to communicate with it. Continue reading “Custom snmpd extension for port checking”

SSH key authentication not working under SELinux? Check this.

Just a short story after resolving a recently encountered problem: all our machines in the cloud have SELinux enabled by default. Normally not a problem, but I found one interesting nuisance: one user could not log on using ssh key authentication.

It would have been found faster, but the developers stated that _some_ users couldn’t use the key authentication method; had they told me from the get-go that they meant one user, I’d have resolved it faster.

First I confirmed the problem by adding my own ssh key to the .ssh/authorized_keys file in the affected user’s home directory, and I checked all directory and file owners and permissions (644 on the .ssh, and 600 on the keyfile) – problem confirmed, I’m getting prompted for a password.

Using ssh -vvv I saw this difference when logging in:

Unaffected user:

debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279

Affected user:

debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

My key is obviously being denied, but without any message? Why? Let’s look in the system’s logfiles.

In the audit.log is a hint at the culprit:

Nov 18 11:51:43 sa1ha2l kernel: type=1400 audit(1384771903.411:62597): avc: denied  { search } for  pid=14683 comm="sshd" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

My old “friend” the AVC denial, we meet again. At first I did a simple restorecon -v -R, but no luck, still got an AVC denied message. There was no difference in the SELinux permissions on the affected user’s and a random unaffected user’s .ssh directory, still a tclass=dir denial? What the …? Let’s look up one level!

[root@localhost ~]# ls -lZ /var/local/ | grep sa1user
drwx------. sai1usr sa1grp system_u:object_r:var_t:s0       sa1user
[root@localhost ~]# ls -lZ /home
drwxr-xr-x. root  root  unconfined_u:object_r:home_root_t:s0 chroot
drwx------. test1 test1 unconfined_u:object_r:user_home_dir_t:s0 test1

Gotcha! Although both users were created with the adduser command, the user in the nonstandard /var/local location did not have the user_home_dir_t context on its home directory.
The repair was easy:

chcon -v --type=user_home_dir_t /var/local/sa1user

SSH key login began functioning immediately.
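
A small triage helper for this class of failure, added here as an example and not part of the original post: it parses an AVC denial like the one quoted above, flags the sshd-versus-home-directory labelling case, and prints a fix that survives a relabel (file-context rules plus restorecon, where chcon alone would be undone). The home directory path, the ssh_home_t rule for .ssh and the constructed log line are assumptions for the example.

```python
import re

# Constructed sample: the AVC denial quoted in the post, joined onto one line.
AVC_SAMPLE = (
    'Nov 18 11:51:43 sa1ha2l kernel: type=1400 audit(1384771903.411:62597): avc: '
    'denied  { search } for  pid=14683 comm="sshd" name="/" dev=dm-3 ino=2 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir'
)

# Directory types sshd may legitimately traverse on the way to ~/.ssh/authorized_keys.
HOME_PATH_TYPES = {"home_root_t", "user_home_dir_t", "ssh_home_t", "user_home_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return the interesting fields of an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A context is user:role:type:level; the type is what the policy decides on.
    d["scontext_type"] = d["scontext"].split(":")[2]
    d["tcontext_type"] = d["tcontext"].split(":")[2]
    return d

def is_sshd_homedir_label_problem(avc):
    """True when sshd was refused a directory whose type is not a home-directory label."""
    return (avc is not None and avc["scontext_type"] == "sshd_t"
            and avc["tclass"] == "dir"
            and avc["tcontext_type"] not in HOME_PATH_TYPES)

def persistent_fix(homedir):
    """Commands that relabel a home directory outside /home so the label survives
    restorecon or a full relabel (chcon alone does not). Path is an assumed example."""
    return [
        f'semanage fcontext -a -t user_home_dir_t "{homedir}"',
        f'semanage fcontext -a -t ssh_home_t "{homedir}/.ssh(/.*)?"',
        f'restorecon -Rv "{homedir}"',
    ]

if __name__ == "__main__":
    avc = parse_avc(AVC_SAMPLE)
    if is_sshd_homedir_label_problem(avc):
        print(f"sshd denied '{avc['perm']}' on a {avc['tcontext_type']} directory; fix:")
        print("\n".join(persistent_fix("/var/local/sa1user")))
```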

Say bye-bye to the old trusty MD5

It is official: Microsoft is one of the big ones who’ll be retiring the venerable-but-vulnerable MD5 algorithm. Don’t worry, you’ll still be able to create MD5 hashes for your documents and verify them, but not for authentication and code signing anymore.

The first chink in MD5’s armor was discovered in 1996; while not critical (MD5 creates 128-bit hashes, and the weakness was in one of the 64 steps used to compute the hash value), security experts began recommending alternative algorithms. Both recommended replacement hash functions have since become obsolete themselves.

How big a security risk was the 1996 announcement? When something like this comes up, cryptanalysts start investigating and building scenarios for how the function can be compromised. It took 8 years and an unimaginable increase in computing power to break the MD5 hashing algorithm. The server the Chinese analysts demonstrated on (an IBM pSeries) reportedly had 24 Power processors and 1 TB of RAM; finding a collision for a randomly given MD5 hash took less than 1 hour.

What is a collision? Basically you take two files that differ in size and (obviously) content, run your favourite md5sum command on them, and surprise-surprise, the files have identical hashes. No big deal, really? Then imagine the horror Adobe’s programmers felt when _all_ their user data, passwords, hints, everything, was leaked. The passwords were of course still encrypted, but savvy users soon found, by sorting the data by password hash, that there were many repeated values, even where the password hints pointed to completely different passwords. In MySQL databases you have the option to store fields as MD5 hashes, and many authentication routines simply hash whatever you type into the password field and compare the result to the value stored in the SQL database.


Using the cracking method outlined in the 2004 announcement and some (cheap!) hardware, a password can be created from an MD5 hash value. It won’t be the original password, but since its hash is the same – you’re in like Flynn. The hardware required is nowhere near the 2004 level: today just about anything with a processor in it will do, a powerful GPU is one way, or you can use your bitcoin-mining FPGAs to run a program that just grinds through the blocks over and over, a hundred million times a second. The only good thing about the published methods is that you can’t decode the original password, only replicate it with something that will be accepted in its place.
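
To make the “sort by hash” observation concrete, here is an added example (not from the original post) that builds a constructed user table, stores the passwords first as unsalted MD5 and then as salted PBKDF2-HMAC-SHA256 via Python’s hashlib, and shows that only the MD5 table reveals which users share a password. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user table; two users happen to have chosen the same password.
USERS = {
    "alice": "Winter2013!",
    "bob":   "hunter2",
    "carol": "Winter2013!",
    "dave":  "correct horse",
}

def md5_store(password):
    """The weak scheme the post describes: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password, salt=None, iterations=200_000):
    """Salted, iterated hash; returns a self-describing record algo$iters$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_groups(table):
    """Group usernames by stored value: the 'sort by hash' trick. With unsalted
    hashes every group of two or more members shares one password."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    md5_table = {u: md5_store(p) for u, p in USERS.items()}
    print("MD5 reveals shared passwords:", duplicate_groups(md5_table))
    salted = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("salted PBKDF2 reveals nothing:", duplicate_groups(salted))
    print("and still verifies the right password:", pbkdf2_verify("hunter2", salted["bob"]))
```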

Read about the update in more detail on Microsoft’s website: Technet
Read about the MD5 function, its history, and the vulnerability: Wikipedia
Check if your personal data was leaked: ZDNet