Posts Tagged ‘Software Installations’

Puppet Installation

How to Install a Puppet Master and Client Server on CentOS 5.2

Puppet is an open-source next-generation server automation tool. It is composed of a declarative language for expressing system configuration, a client and server for distributing it, and a library for realizing the configuration.

IMPORTANT !!! Set up the EPEL repos for CentOS. epel-release is a noarch package, so the file name is the same for both architectures; fetch it from the i386 or x86_64 directory of the EPEL 5 mirror that matches your installation. The package installs the EPEL signing key and a repo file with gpgcheck=1; leave that on so yum verifies everything it pulls from EPEL.

If i386 or i686 (32 bit)

rpm -Uvh epel-release-5-4.noarch.rpm

If x86_64 (64 bit)

rpm -Uvh epel-release-5-4.noarch.rpm

Install puppet-server

yum install puppet-server

The 1.8.5 branch of Ruby shipped with RHEL 5 can exhibit memory leaks, so install Ruby 1.8.6 or later on a production master (I did not on this server as it was a test box, not a production server).

Install the help docs

yum install ruby-rdoc

If you face problems while installing puppet, the cause is usually the ruby installation. Remove the current ruby packages and install ruby and its dependencies with the following steps, in this order:

   Note: the example is for CentOS 5, 64 bit; change the RPMs to match your OS version and architecture. These packages are fetched outside yum, so check their signatures against the CentOS/EPEL keys (rpm --checksig <file>.rpm) before installing; an unsigned or mis-signed package from a mirror should not go on the box.
   libselinux-ruby-1.33.4-5.7.el5  == >> wget ftp://mirror.switch.ch/pool/3/mirror/centos/5.7/os/x86_64/CentOS/libselinux-ruby-1.33.4-5.7.el5.x86_64.rpm
   rpm -Uvh libselinux-ruby-1.33.4-5.7.el5.x86_64.rpm
   ruby-libs-1.8.5-19.el5_6.1      == >> wget ftp://mirror.switch.ch/pool/1/mirror/scientificlinux/5rolling/x86_64/SL/ruby-libs-1.8.5-19.el5_6.1.x86_64.rpm
   rpm -Uvh ruby-libs-1.8.5-19.el5_6.1.x86_64.rpm
   ruby-augeas-0.4.1-1.el5         == >> wget http://epel.mirror.freedomvoice.com/5/x86_64/ruby-augeas-0.4.1-1.el5.x86_64.rpm
   rpm -Uvh ruby-augeas-0.4.1-1.el5.x86_64.rpm
   ruby-shadow-1.4.1-7.el5         == >> wget http://epel.mirror.freedomvoice.com/5/x86_64/ruby-shadow-1.4.1-7.el5.x86_64.rpm
   rpm -Uvh ruby-shadow-1.4.1-7.el5.x86_64.rpm
   ruby-1.8.5-19.el5_6.1           == >> wget http://oss.oracle.com/ol5/SRPMS-updates/ruby-1.8.5-19.el5_6.1.src.rpm
   rpm -Uvh ruby-1.8.5-19.el5_6.1.src.rpm
   Note: that last file is a source RPM. rpm -Uvh on a .src.rpm only unpacks the sources and spec file into the rpmbuild tree; it does not install ruby. Either rebuild it (rpmbuild --rebuild ruby-1.8.5-19.el5_6.1.src.rpm, then rpm -Uvh the binary RPM it produces) or fetch the binary ruby-1.8.5-19.el5_6.1.x86_64.rpm from the same mirror as ruby-libs.
   facter-1.6.1-1.el5              == >> wget http://epel.mirror.freedomvoice.com/5/x86_64/facter-1.6.1-1.el5.noarch.rpm
   rpm -Uvh facter-1.6.1-1.el5.noarch.rpm

Then download puppet rpm

   puppet rpm :-  wget http://epel.mirror.freedomvoice.com/5/x86_64/puppet-2.6.6-3.el5.noarch.rpm

Then install puppet

  rpm -Uvh puppet-2.6.6-3.el5.noarch.rpm

Create a manifest file at /etc/puppet/manifests/site.pp

vi /etc/puppet/manifests/site.pp

put this in it (use straight quotes; the curly quotes a blog editor inserts will not parse)

# Create "/tmp/testfile" if it doesn't exist.
class test_class {
  file { "/tmp/testfile":
    ensure => present,
    mode   => '0644',
    owner  => 'root',
    group  => 'root',
  }
}

# tell puppet on which client to run the class
node pclient {
  include test_class
}

The node name (pclient) must match the certname the client presents, which by default is its FQDN; otherwise the master cannot find a node definition for it and the agent run fails.

Start the puppet server

service puppetmaster start

Enable start on boot

chkconfig puppetmaster on

Now to install the Puppet Client on another server

IMPORTANT !!! Set up the EPEL repos for CentOS exactly as on the master, choosing the package directory for the client's architecture.

rpm -Uvh epel-release-5-4.noarch.rpm

Install ruby-libs, ruby, augeas-libs, ruby-augeas and ruby-shadow using rpm (same packages and the same signature check as on the master).

Install puppet client

yum install puppet

Edit the file /etc/puppet/puppet.conf so that it contains the following. Replace "server = server.master.com" with your puppet master's name if you are not using server.master.com. The agent checks the master's certificate against that name, so it must be the name the master's certificate carries (normally its FQDN) and must resolve from the client.

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    server = server.master.com
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    # listen = true makes puppetd accept puppetrun/kick connections on port 8139;
    # leave it off unless you use that and have restricted who may connect.
    #listen = true

Set up the puppet client to generate its own key and send a certificate request to the server.

/etc/init.d/puppet once -v

Sign the certificate request on the puppet master. Use puppetca --list to see which requests are waiting.

puppetca --sign puppet01

puppet01 must be the fully qualified domain name (FQDN) of your client server, i.e. the certname in the request. Signing is the trust decision: anyone who can reach the master on port 8140 can submit a request under any name, so sign only names you are expecting, confirm the request's fingerprint matches on both sides (puppetca --fingerprint <name> on the master and puppetd --fingerprint on the client, where your Puppet version has them), and never set autosign = true or a wildcard in autosign.conf on a master reachable from untrusted networks.

Once this is done, check on the master that the client's certificate is now signed. It should be listed with a leading + (a request still waiting to be signed has none).

puppetca -la | grep hostname

Eg:

[root@im ~]# puppetca -la | grep clientserver.com
+ clientserver.com

Run this on the client server again to retrieve the certificate

/etc/init.d/puppet once -v

Make the puppet start with the system

chkconfig puppet on

Make sure it is working on the client server.

puppetd --test

You should see a run in which the file /tmp/testfile is created.

That's all folks!

Note:

To remove and re-add an already added puppet client to puppet server:

======================

You can use the following steps to remove an existing puppet client from the puppet master and re-add it

1. Command to remove the puppet client from the puppet master (revokes and deletes its certificate)

  puppetca --clean clienthostname

2. Then make the client forget its old key and certificate: remove its ssldir (/var/lib/puppet/ssl by default) so that the next run generates a fresh key and request. Reinstalling the puppet client, as described in the "puppet installation" KB entry, also works but is not required.

3. At the puppet client generate a certificate request

  /etc/init.d/puppet once -v

4. Then use the following command on the master to sign the request

   puppetca --sign clienthostname

If it is not shown in the "puppetca --list --all" output, the client did not reach the master, or the master saw it under a different name. Add the server's details to the client's /etc/hosts file and the client's details to the server's /etc/hosts file so both names resolve consistently.

Then regenerate the request again (step 3).

Then the client should appear in the "puppetca --list --all" list.

==================================

ERROR: If you see an error like the one below when running puppetd --test, follow the solution.

notice: Run of Puppet configuration client already in progress; skipping

Solution: Puppet believes that it is already running. If that is not the case you may have a stale lock file. Check with "ps axf" whether puppetd is running; if it is not, delete the lockfile (/var/lib/puppet/state/puppetdlock is the likely location). Do not delete it if the file is empty and the message says the agent is administratively disabled: that lock was created by puppetd --disable and is released with puppetd --enable.

rm -f /var/lib/puppet/state/puppetdlock

run puppetd --test now
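The "check ps, then rm" advice above is easy to get wrong on a shared box, so here is an added example, not from the original post or from Puppet Labs, that decides what the lockfile means before touching it. It assumes the Puppet 2.6 layout: puppetdlock holds the PID of a running puppetd and is empty when the agent was disabled with puppetd --disable. Run it as root, because kill -0 on another user's process fails with EPERM and would make a live agent look stale.

```sh
#!/bin/sh
# Added example, not from the original post or from Puppet Labs: decide what a
# puppetdlock actually means before deleting it. Assumption (Puppet 2.6
# layout): the file holds the PID of a running puppetd, and is EMPTY when the
# agent was administratively disabled with 'puppetd --disable'. Run as root:
# 'kill -0' on another user's process fails with EPERM and would look stale.

# Print one of: none | disabled | running:<pid> | stale:<pid>
puppet_lock_state() {
    lock=$1
    [ -e "$lock" ] || { echo none; return 0; }
    [ -s "$lock" ] || { echo disabled; return 0; }
    pid=$(tr -dc '0-9' < "$lock")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "running:$pid"
    else
        echo "stale:$pid"
    fi
}

# Remove the lock only when the PID in it is gone. Exit status:
# 0 = nothing to do or stale lock removed, 1 = agent is live, 2 = agent disabled.
clear_stale_lock() {
    lock=$1
    state=$(puppet_lock_state "$lock")
    case $state in
        none)       echo "no lockfile at $lock; nothing to do" ;;
        disabled)   echo "empty lock: agent is disabled; run 'puppetd --enable' instead of deleting $lock" >&2
                    return 2 ;;
        running:*)  echo "puppetd pid ${state#running:} is alive; leave $lock alone" >&2
                    return 1 ;;
        stale:*)    rm -f "$lock"
                    echo "removed stale lock (pid ${state#stale:} no longer exists)" ;;
    esac
}

# Default to the 2.6 location from the post; pass another path to override.
clear_stale_lock "${1:-/var/lib/puppet/state/puppetdlock}"
```

Save it as, say, /usr/local/sbin/puppet-unlock and run it without arguments; it prints what it found and only removes the file in the stale case.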

Install ConfigServer Firewall (CSF)

Install csf on the server. The tarball comes over plain http with no signature check in this procedure, so fetch it from configserver.com itself and skim install.sh before running it as root.

cd /usr/src
wget http://www.configserver.com/free/csf.tgz
tar -zvxf csf.tgz
cd csf
sh install.sh

Open any custom ports your services listen on in /etc/csf/csf.conf by adding them to TCP_IN (and UDP_IN or TCP_OUT where needed). Make sure the port sshd listens on is there before anything else.

Start csf with TESTING = "1" in /etc/csf/csf.conf. In testing mode csf installs a cron job that flushes the rules every TESTING_INTERVAL minutes, so a mistake cannot lock you out for long (lfd will not run while TESTING is set). Once csf is running, log in to the server over ssh from a second terminal and do a basic check that all services still listen and can be reached from outside. Only then set TESTING = "0" in /etc/csf/csf.conf and restart csf; that makes the firewall permanent and lets lfd start.

Start csf

csf -s

restart csf

csf -r

Flush/Stop csf

csf -f

Disable csf

csf -x

Enable csf

csf -e
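The one check worth automating before flipping TESTING to "0" is that the port sshd actually listens on is in TCP_IN. The script below is an added example, not from the original post or from ConfigServer, that reads that out of csf.conf and sshd_config and refuses to go live otherwise. It assumes the stock KEY = "value" syntax of csf.conf and a Port directive in sshd_config (22 when absent); the file paths are arguments so it can be run against copies, and the sample configs it builds are constructed.

```sh
#!/bin/sh
# Added example, not from the original post or from ConfigServer: a pre-flight
# check to run before setting TESTING = "0" in /etc/csf/csf.conf. It refuses
# to go live unless the port sshd listens on is allowed in TCP_IN.
# Assumptions: csf.conf uses the stock  KEY = "value"  syntax, sshd_config uses
# a  Port N  directive (22 when absent). Paths are arguments so the check can
# be run against copies; the samples below are constructed, not real configs.

# Print the value of a csf.conf variable: csf_get /etc/csf/csf.conf TCP_IN
csf_get() {
    conf=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1
}

# Print the port sshd listens on (first Port directive, default 22).
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    echo "${p:-22}"
}

# Return 0 if port $2 is in the comma-separated list $1 (csf ranges a:b honoured).
port_in_list() {
    want=$2
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# 0 = safe to set TESTING = "0"; 1 = you would lock yourself out.
csf_preflight() {
    port=$(sshd_port "$2")
    tcp_in=$(csf_get "$1" TCP_IN)
    if ! port_in_list "$tcp_in" "$port"; then
        echo "REFUSE: sshd port $port is not in TCP_IN (\"$tcp_in\")" >&2
        return 1
    fi
    echo "OK: sshd port $port is in TCP_IN; TESTING is currently \"$(csf_get "$1" TESTING)\""
}

# Constructed sample configs in a scratch directory (prints the directory).
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 2222\nProtocol 2\n' > "$dir/sshd_config"
    cat > "$dir/csf.conf" <<'EOF'
# constructed csf.conf excerpt
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,25,53,80,110,143,443,2222,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF
    sed 's/,2222//' "$dir/csf.conf" > "$dir/csf_bad.conf"   # admin forgot the ssh port
    echo "$dir"
}

samples=$(make_samples)
csf_preflight "$samples/csf.conf" "$samples/sshd_config"
csf_preflight "$samples/csf_bad.conf" "$samples/sshd_config" || echo "(refused, as it should be)"
# On a real box: csf_preflight /etc/csf/csf.conf /etc/ssh/sshd_config
```

Only the TCP_IN line is checked, because that is the rule that decides whether your next ssh connection gets in; ranges such as 30000:35000 (passive FTP) are understood so they do not produce false refusals.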

Check server security from the WHM csf area ("Check Server Security"). None of the following checks should show a warning; where one does, apply the fix csf suggests there.

Check SSH UseDNS
Check Background Process Killer
Check exim for extended logging (log_selector)
Check apache for mod_security
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check apache for TraceEnable
Check apache for ServerSignature
Check apache for ServerTokens
Check apache for FileETag
Check mod_userdir protection
Check php for disable_functions
Check php for ini_set disabled
Check php for register_globals
Check php open_basedir protection
Check Anonymous FTP Logins
Check Anonymous FTP Uploads
Check block common domains
Check package updates --> if there is a custom AMP (Apache/MySQL/PHP) build, set the update config to manual updates so an automatic update does not overwrite it.
Check server startup for xfs
Check server startup for atd
Check server startup for nfslock
Check server startup for rpcidmapd
Check server startup for bluetooth
Check server startup for canna
Check server startup for FreeWnn
Check server startup for cups-config-daemon
Check server startup for iiim
Check server startup for mDNSResponder
Check server startup for nifd
Check server startup for anacron
Check server startup for gpm
Check server startup for saslauthd
Check server startup for avahi-daemon
Check server startup for avahi-dnsconfd
Check server startup for hidd
Check server startup for pcscd
Check server startup for sbadm
CSF variables that have some control over mail server abuse (from /etc/csf/csf.conf):
################################################################################
# Relay Tracking. This allows you to track email that is relayed through the
# server. There are also options to send alerts and block external IP addresses
# if the number of emails relayed per hour exceeds configured limits. The
# blocks can be either permanent or temporary.
# The following information applies to each of the following types of relay
# check:
# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent
# RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs


# This option triggers for external email
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "100"
RT_RELAY_BLOCK = "0"

# This option triggers for email authenticated by SMTP AUTH
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "100"
RT_AUTHRELAY_BLOCK = "0"

# This option triggers for email authenticated by POP before SMTP
RT_POPRELAY_ALERT = "1"
RT_POPRELAY_LIMIT = "100"
RT_POPRELAY_BLOCK = "0"

# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "100"

# This option triggers for email sent via a local IP addresses
RT_LOCALHOSTRELAY_ALERT = "1"
RT_LOCALHOSTRELAY_LIMIT = "100"


# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_POP3D = "60"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_IMAPD = "60"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

SMTP_BLOCK = "1"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,26"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"


# [*]Enable login failure detection of pop3 connections
LF_POP3D = "10"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"

# This option will notify you when a large amount of email is sent from a
# particular script on the server, helping track down spam scripts

LF_SCRIPT_ALERT = "1"

# The limit afterwhich the email alert for email scripts is sent. Care should
# be taken with this value if you allow clients to use web scripts to maintain
# pseudo-mailing lists which have large recipients

LF_SCRIPT_LIMIT = "100"

# Checks the length of the exim queue and sends an alert email if the value of
# settings is exceeded.

LF_QUEUE_ALERT = "2000"

# The interval between mail queue checks in seconds.

LF_QUEUE_INTERVAL = "300"
################################################################################

Upgrade Openssl and Openssh

When you install OpenSSH from source on a Linux machine, use the portable release; its version contains a "p", e.g. openssh-5.3p1.tar.gz (OpenSSH_5.3p1).

Two things to keep in mind before starting. Building OpenSSL and OpenSSH from source takes them out of yum's update stream, so from now on you, not the distribution, have to track their security advisories and rebuild on each one. And both projects publish a detached PGP signature (.asc) next to every tarball: fetch it from the same directory as the tarball and check it with gpg --verify against the project's release key before unpacking, since the downloads below go over plain http/ftp.

First we will upgrade OpenSSL

cd /usr/src

wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz

tar -zxf openssl-0.9.8l.tar.gz

cd openssl-0.9.8l

./config

make

make test

make install

openssl version

If it still shows the old version, the distribution's /usr/bin/openssl is first in PATH. Move it aside and link the new binary in its place. With the default ./config prefix, make install puts the binary in /usr/local/ssl/bin/openssl, so point the link at wherever it actually landed (check /usr/local/ssl/bin and /usr/local/bin):

mv /usr/bin/openssl /root/

ln -s /usr/local/bin/openssl /usr/bin/openssl

[root@test2 lib]# openssl version
OpenSSL 0.9.8l 5 Nov 2009

Now get the latest source from an official mirror:

cd /usr/local/src/

wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz

tar -zxf openssh-5.3p1.tar.gz

cd openssh-5.3p1

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/src/openssl-0.9.8l --with-pam --with-libs=-ldl --without-zlib-version-check --with-tcp-wrappers

make

make install

Keep your current ssh session open, test the new daemon's configuration with /usr/sbin/sshd -t, and only then restart:

/sbin/service sshd restart

If you get an error about a missing user you need to add the sshd user (the unprivileged account OpenSSH's privilege separation runs under; the daemon refuses to start without it):

adduser -s /sbin/nologin sshd

If you don't get any error about a user you do not have to worry about adding it. Open another ssh window and make sure you can still log in. Then confirm which versions the new daemon was built with; sshd has no version flag, but an invalid option makes it print them along with its usage:

[root@server /]# sshd -V
sshd: illegal option -- V
OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
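The version line in that output is the only evidence that the restarted sshd is the one you built and that it links against the new OpenSSL rather than the distribution's libssl. The script below is an added example, not from the original post or from the OpenSSH project, that turns this into a check to run before the restart. It assumes --prefix=/usr put the new daemon at /usr/sbin/sshd and takes the expected version strings as arguments; the sample output it parses is constructed from the line above.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenSSH: checks to run
# BEFORE 'service sshd restart', while the current session still works.
# Assumptions: the rebuild used --prefix=/usr, so /usr/sbin/sshd is the binary
# the init script restarts; expected versions are passed in as arguments.

# sshd has no version flag. An invalid option (-V) makes it print
# "OpenSSH_x.ypz, OpenSSL a.b.c <date>" with its usage; pull both out of that.
sshd_reports() {
    printf '%s\n' "$1" |
        sed -n 's/.*\(OpenSSH_[^,[:space:]]*\), *OpenSSL \([^[:space:]]*\).*/\1 \2/p' |
        head -n 1
}

# 0 if the captured text $1 names OpenSSH $2 built against OpenSSL $3.
versions_match() {
    [ "$(sshd_reports "$1")" = "$2 $3" ]
}

# Full pre-restart check: correct binary, expected versions, config parses.
check_sshd_upgrade() {
    bin=${1:-/usr/sbin/sshd}; want_ssh=$2; want_ssl=$3
    [ -x "$bin" ] || { echo "$bin is not executable" >&2; return 1; }
    out=$("$bin" -V 2>&1 || true)        # -V is rejected; the usage text is what we want
    if ! versions_match "$out" "$want_ssh" "$want_ssl"; then
        echo "version mismatch: wanted '$want_ssh $want_ssl', got '$(sshd_reports "$out")'" >&2
        echo "run 'ldd $bin | grep ssl': an old libssl.so on the loader path is the usual cause" >&2
        return 1
    fi
    # -t parses sshd_config and checks the host keys without starting anything.
    "$bin" -t || { echo "sshd -t rejected the configuration; do not restart" >&2; return 1; }
    echo "ok: $bin reports $want_ssh / OpenSSL $want_ssl and the config parses"
}

# Constructed sample of what the post shows, used for a dry run of the parser.
SAMPLE='sshd: illegal option -- V
OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]'
echo "parsed: $(sshd_reports "$SAMPLE")"
# On the real box, after make install and before the restart:
# check_sshd_upgrade /usr/sbin/sshd OpenSSH_5.3p1 0.9.8l
```

If the reported OpenSSL is still the distribution's, the new daemon found the old shared library first; fix the loader path (or link statically) before restarting, because a mismatch here is exactly the case where you believe you upgraded and did not.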

R1soft Installation

Installing CDP server (On Backup Server)

Login to the backup server.

Check whether any rpm for r1soft is installed on the server

rpm -qa |grep r1soft

Check the server architecture and download the matching zip file.

wget http://repo.r1soft.com/release/trials/R1Soft-EnterpriseEdition-linux32.zip
wget http://repo.r1soft.com/release/trials/R1Soft-EnterpriseEdition-linux64.zip

Unzip the file.

unzip R1Soft-EnterpriseEdition-linux64.zip

cd enterprise-rpm

Install all the rpm files.

rpm -i *.rpm

Run the following command with the admin username and password you want for the web console (the password is passed on the command line, so it ends up in the shell history and is visible in ps while the command runs).

r1soft-setup --user DESIRED_USERNAME --pass DESIRED_PASSWORD

Restart the CDP server

/etc/init.d/cdp-server restart

Assign ports for http and https.

r1soft-setup --http-port 8080 --https-port 8443

/etc/init.d/cdp-server restart

======================================================================

Installing cdp agent (On Data Server)

Login to the data server.

rpm -qa |grep r1soft

wget http://repo.r1soft.com/release/trials/R1Soft-EnterpriseEdition-linux32.zip
wget http://repo.r1soft.com/release/trials/R1Soft-EnterpriseEdition-linux64.zip

unzip R1Soft-EnterpriseEdition-linux64.zip

cd rpm-linux64/

rpm -i *.rpm

Make sure that port 8443 & are allowed in csf (TCP_IN in /etc/csf/csf.conf).

Enter the following command on the data server to fetch the CDP server's key. Use a matching scheme/port pair from the ports configured above (the original note mixed https with the http port): https://IP_of_CDP_server:8443, or http://IP_of_CDP_server:8080. The key fetched here is what the agent will trust from now on, so prefer the https pair.

r1soft-setup --get-key https://IP_of_CDP_server:8443

Open the web interface in a browser:

http://IP:8080 (or https://IP:8443)

Log in with the username and password set with r1soft-setup.

Now you can add the agent to the CDP server, create a volume and a disk safe, define policies and schedule backups.