Sunday, August 2, 2020

File system extend on LUKS encrypted file system

File system extend on LUKS

encrypted file system


Scenario: I have run CentOS 7 server with the LVM and LUKS encrypted partitions. Java based application runs on the server with tomcat and mariadb as back end applications. Alerting system has been notified 0% disk space left in the /var directory.

It has used separate partition for /var, /home, /root, /var/log mount points. Thus the mission is to increase the /var file system while maintaining the same key for LUKS encryption.

Most important to understand is that you do not need consider about LUKS encryption as a separate domain since when you decrypt the LUKS encrypted partition it act like a normal file systems. When ever you extend the LVM partition it will automatically consider extended portion into the LUKS encryption. Yet, it is recommended to take backup of the data before do any changes to the file system or LVM.

Steps you need to follow in order to extend the file system are as follows.


  • If you does not mount the file system first it is required to mount the file system by giving the LUKS encrypted password. Optionally it is possible to use below commands to mount the file system. In our case since /var is mandate file system to run the OS it has already mounted.
         cryptsetup luksOpen /dev/centos/var var
  • To start the extending process of the file system first you required to add new physical volume.

         pvcreate /dev/sdb1

  • Then extend the Volume Group (vg)

    vgextend centos /dev/sdb1
  • Finally increase the Logical Volume (lv)
    
      lvextend -L +30G /dev/centos/var
      
  • Now you have completed the capacity extend on LVM, to complete the work it is required to resize the file system. Since /var directory is busy while the server in use, it is not possible to resize the /var file system on the fly. Thus it is required to boot the CentOS machine to “rescue target”. Otherwise no other ways which you can resize the file system in use. Once you boot the machine to rescue target run the below mention command.

         resize2fs -p /dev/centos/var ( For ext4 file system )

         xfs_growfs /dev/centos/var ( Foe xfs file system )

Now reboot the machine to boot to normal target.

Sunday, March 29, 2020

Migrate LDAP server from CentOS 6 to CentOS 7


Migrate LDAP server from CentOS 6 to CentOS 7



First It should need to install the openldap services. Run the below command to install it.
# yum -y install openldap openldap-clients openldap-servers openldap-devel


Start and enable the LDAP daemon from the boot.
# systemctl start slapd.service
# systemctl enable slapd.service


Then take the backup from the existing LDAP server. It is required to take configuration file backup (slapd.conf) and ldif database backup.
To take the ldif backup it is possible to use slapcat tool. Below command depicts the example of taking backup.
slapcat -n 1 -l /<dir_location>/Latest_2020.ldif
You must take the backup of slapd.conf file, but there might be changes need to do when you migrating it to the CentOS 7 operating systems. The major change I have done there is database type, changed from “bdb” to “mdb”. If you are using TLS for communication either you need to create new TLS certificate or you can take the old server key and related certificate from the locations. Rest of the configuration file can be placed as it is.
Then it should required to restore the ldif database. For that it should required to follow the given steps.
  • Stop the LDAP service. : systemctl stop slapd.service
  • Remove the existing databases in /var/lib/ldap directory : rm -rf /var/lib/ldap/*
  • The configuration file contain slapd.d directory, since this is not going to use in the live environment and we have already restore the slapd.conf file remove the slapd.d directory : rm -rf /etc/openldap/slapd.d
  • Then before restoring the ldif database start the slapd service : systemctl start slapd.service
  • Then try to restore with the ldapadd tool : ldapadd -x -D "cn=admin,dc=testdomain,dc=com" -f Latest-2020.ldif -W
It will prompt for the LDAP admin user password. Sometime due to old strings restore might not success. Error will produce the exact string which are not compatible with the latest openldap server. If it is the case remove the incompatible strings from the ldif file. Below command can be used for remove the incompatible strings.
sed '/structuralObjectClass/d' Latest-2020.ldif > mod.ldif
Then again it can run the restore command again. Once you successfully restore the LDAP database restart the slapd service.
systemctl restart slapd.service

Configure Chroot Jail SFTP Server


Configure Chroot Jail SFTP Server

Problem Statement: By using one of the article publish in the internet I have configured the SFTP server with the chrooted environment. The SFTP server is catering to several customers to upload their content and user’s home directories are shared.
When ever the users logged in, it will direct to their home folder but still the users can browse entire directory architecture. Even the users can change the directory location to /var directory and access the content there since it can be readable by any user.
Below depicts the sshd_config file configuration for SFTP server.

Subsystem sftp internal-sftp
Match group ftpaccess
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Solutions: I have referred several sites to find out proper solution to configure SFTP in a chroot jail environment. Below are the links which I used.


By referencing I have configured the sshd_config file in the below way.


Subsystem sftp /usr/libexec/openssh/sftp-server
Match user dave
ChrootDirectory /home/dave
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match user anne
ChrootDirectory /home/anne
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match user sam
ChrootDirectory /home/sam
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

But once I configured it there was issue with the login. When I checked the /var/log/secure there was an error stating the bad permission.
“fatal: bad ownership or modes for chroot directory "/home/dave" [postauth]

Since it was configured to used with the chroot, the folder should be owned by the root and it should have the 755 permission on it. Therefore I have run the below commands to set it.
chown root:root /home/dave
chmod 755 /home/dave
These permissions should not be change at any cost. If there is minor change in the permission it would again give you the bad permission error.
It has arised another issue that since the folder is not owned by the user who is going to do SFTP, the user can not perform any upload to folder location. I have tried with adding ACL, but then again bad permission error occurred. The only workaround which remain is to create a folder inside the shared folder and set the relevant permissions.
mkdir /home/dave/dave
chown dave:dave /home/dave/dave

with that everything has resolved and now users who are logged in through SFTP is restricted to their own home directory.