Minimalistic docker: starting from scratch

Introduction
Next generation Linux distributions are out. Significant changes give them a special flavour compared to other Unix-like derivatives.
Despite implementing similar features, the distance and the diversity between them
are growing. Sounds good, doesn't it? Not everyone shares this opinion.

Docker is one result of the current virtualization trends on Linux. Control
groups (aka cgroups) provide the features that make operating system level
virtualization, the one kernel, many containers scenario, practical.

Conditions, environment
X86 virtual machine deployed on VMware ESXi 5.5 on HP DL360Pg8.
Minimal Oracle Enterprise Linux 7 installed on 2 CPU cores and 4 GB.
No RAID on VM level, LVM and xfs for the general filesystems (default).
Extra software added: screen, wget and vim.
EL7 contains systemd; the Oracle UEK kernel 3.8.13-44.el7uek.x86_64 is used and dtrace is available.

First steps and look
Installing and configuring docker on OEL7 is quite easy. Continue reading “Minimalistic docker: starting from scratch”


SSH key authentication not working under SELinux? Check this.

Just a short story after resolving a recently encountered problem: all our machines that are in the cloud have SELinux enabled by default. Normally not a problem, but I found one interesting nuisance: one user could not log on using ssh key authentication.

It would have been found faster, but the developers stated that _some_ users can’t use the key authentication method; had they told me from the get-go that they meant one user, I’d have been faster with the resolution.

First I confirmed the problem by adding my own ssh key to the .ssh/authorized_keys file in the affected user’s home directory. I checked all directory and file owners and permissions (644 on the .ssh, and 600 on the keyfile) – problem confirmed, I’m getting prompted for a password.

Using ssh -vvv I got this difference in logging in:

Unaffected user:

debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279

Affected user:

debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,
gssapi-with-mic,password

My key is obviously denied, but without a message? Why? Let’s look in the system’s logfiles.

In the audit.log is a hint at the culprit:

Nov 18 11:51:43 sa1ha2l kernel: type=1400 audit(1384771903.411:62597): avc:
denied  { search } for  pid=14683 comm="sshd" name="/" dev=dm-3 ino=2 scontext=
system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0
tclass=dir

My old “friend” the AVC denial, we meet again. At first I did a simple restorecon -v -R, but no luck, still got an AVC denied message. There was no difference in the SELinux permissions on the affected user’s and a random unaffected user’s .ssh directory, still a tclass=dir denial? What the …? Let’s look up one level!

[root@localhost ~]# ls -lZ /var/local/ | grep sa1user
drwx------. sai1usr sa1grp system_u:object_r:var_t:s0       sa1user
[root@localhost ~]# ls -lZ /home
drwxr-xr-x. root  root  unconfined_u:object_r:home_root_t:s0 chroot
drwx------. test1 test1 unconfined_u:object_r:user_home_dir_t:s0 test1

Gotcha! Although both users were created with the adduser command, the user in the nonstandard /var/local location did not have the user_home_dir_t context on its homedir.
Repair was easy:

chcon -v --type=user_home_dir_t /var/local/sa1user

SSH key login began functioning immediately.
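The two checks the post walks through (reading the AVC denial and verifying the home directory's label) as an added shell example, not part of the original post: it works offline on constructed copies of the post's output, so the AVC record, paths and contexts below are samples, and the chcon repair is only printed, never run.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the failure mode described above.
# The AVC record and ls -Z contexts below are constructed to mirror the post's output.

# Pull one key=value field out of an AVC record (value is the token after "key=").
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# The third colon-separated component of a context is the SELinux type (e.g. var_t).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Summarise an AVC denial as "<comm> denied <perm> on <tclass> labelled <type>".
classify_avc() {
    rec="$1"
    case "$rec" in
        *avc:*denied*) ;;
        *) printf 'not a denial\n'; return 1 ;;
    esac
    comm=$(avc_field comm "$rec" | tr -d '"')
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p')
    tclass=$(avc_field tclass "$rec")
    ttype=$(ctx_type "$(avc_field tcontext "$rec")")
    printf '%s denied %s on %s labelled %s\n' "$comm" "$perm" "$tclass" "$ttype"
}

# A home directory sshd must read should carry user_home_dir_t; anything else is the bug
# from the post, and the suggested repair is the chcon the post used (printed, not run).
check_home_ctx() {
    t=$(ctx_type "$2")
    if [ "$t" = user_home_dir_t ]; then
        printf 'ok: %s is %s\n' "$1" "$t"
    else
        printf 'mislabelled: %s is %s; fix: chcon -v --type=user_home_dir_t %s\n' "$1" "$t" "$1"
        return 1
    fi
}

# Constructed samples (single-line version of the record quoted in the post).
SAMPLE_AVC='type=1400 audit(1384771903.411:62597): avc:  denied  { search } for  pid=14683 comm="sshd" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
classify_avc "$SAMPLE_AVC"
check_home_ctx /var/local/sa1user system_u:object_r:var_t:s0
check_home_ctx /home/test1 unconfined_u:object_r:user_home_dir_t:s0
```

On a live host the context argument for check_home_ctx comes from `ls -dZ "$dir"` and the AVC records from the audit log, with `ausearch -m avc -c sshd` as the usual way to pull them.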

Putting MySQL into a chroot jail (CentOS 6.4 x86_64)

Hi Everyone,

today I got an interesting project: take a vanilla CentOS 6.4 and install a chrooted MySQL onto it. How hard can it be? As it turned out, it is tricky at least. Here’s how I did it:

First, I did a bog standard

yum install mysql-server

and then I started it

service mysqld start

this creates an empty database (actually, the mysql-required grant tables are in it), which I’ve given a new password:

/usr/bin/mysqladmin -u root password 'start123'

then I stopped the db again

service mysqld stop

So, now you have a fresh database in /var/lib/mysql to use. Now I set up the chroot jail – I expected to have to install chroot with yum, but it is already included in the minimal CentOS install, yeah.

You’ll need to copy these 3 RPMs to the directory where your chroot is going to be (I’m using /opt/mysql):

 mysql-server-5.1.66-2.el6_3.x86_64
 mysql-libs-5.1.66-2.el6_3.x86_64
 mysql-5.1.66-2.el6_3.x86_64

(the versions can differ; I think the most recent is 5.1.69)

Continue reading “Putting MySQL into a chroot jail (CentOS 6.4 x86_64)”

Installing nginx web server with php fpm and mysql on CentOS 6

In this article you will find a way to install the NGINX web server and add PHP support.
PHP from version 5.3 includes php-fpm, so now it’s relatively easy to get it working with nginx without additional scripting.

Continue reading “Installing nginx web server with php fpm and mysql on CentOS 6”