Developers Club geek daily blog

Replication of LDAP

1 year, 3 months ago
I would like to write a short note on how to configure OpenLDAP replication between several servers. So...

Given:
1. An organization with branches. The main office and each branch has its own LDAP server, which stores the users' logins/passwords.

Task:
Create a "single name space" between the main office and the branches, so that each LDAP server "knows" the logins/passwords of all the other branches and of the main office.

Solution:
1. I will not describe installing Linux and OpenLDAP or setting up OpenVPN (the main office and the branches are connected through OpenVPN). Let's assume you already have it installed and configured.
2. We have three servers: the main one, 192.168.1.1, and two branches, 192.168.1.2 and 192.168.1.3 respectively. All of them are connected to each other through OpenVPN.

3. Now the OpenLDAP setup. At the main office (192.168.1.1), all the necessary logins/passwords are entered into LDAP.



Freeradius. Support of different types of authentication of users at the same time

1 year, 3 months ago
In this article I would like to share my experience of setting up freeradius to support different types of user authentication at the same time.

Unfortunately, when I ran into this problem I could not find a ready-made solution anywhere on Google, Yandex and the like, so I wrote up a manual myself.



One more virtual interface

1 year, 3 months ago
The previous note showed a sketch of Linux kernel module code for creating an additional virtual network interface. It was a simplified fragment of a real project that ran for several years without failures or complaints, so it can quite well serve as a template for further improvement, correction and development.

But this approach to the implementation is, firstly, not the only one, and, secondly, in some situations it may be unacceptable (for example, on an embedded system with a kernel earlier than 2.6.36, where the netdev_rx_handler_register() call does not exist yet). Below we consider an alternative with the same functionality, but implemented at a completely different layer of the TCP/IP network stack.



Docker 1.9 + Weave 1.2.1 bridge mode

1 year, 3 months ago
Today, after updating to Docker 1.9, my previously perfectly working Weave broke, which was quite to be expected.
A description of the problems that arose and their solution follows below.



Linux containers: when there get to be more containers

1 year, 3 months ago


In the last article I briefly described what container virtualization is, LXC in particular, why it is needed, and how to set all of it up quickly.

In the course of use, the number of containers gradually grows. Some of them may be clones of others, and on top of that they are built on snapshots. A natural desire arises: to make managing this warehouse of containers easier for oneself.



Car surveillance system on Raspberry Pi. Part 2

1 year, 3 months ago
In the last article I described:
setting up a home VPN server on one Raspberry Pi;
installing and configuring an OpenVPN client, Node.JS and a 3G modem on the second Raspberry Pi.
This time we will configure and connect the GPS receiver and the webcam (both are USB devices).



Let's Encrypt: obtaining a certificate step by step

1 year, 3 months ago
This article describes a working method of obtaining a certificate from Let's Encrypt in manual mode, for subsequent installation on a Windows web server (IIS/Microsoft Azure) or on Linux (fully manual mode). Since there is no official client for Windows, a Linux distribution will be used to generate the certificate.


Background: from the very beginning, the website of our Moscow company (a test Let's Encrypt beta certificate is already installed at the link) needed a "simple" SSL certificate for domain validation and data encryption.

In the first days that requests for beta testing were open we decided to register, and recently a letter arrived reporting that the ACME program will now generate a valid certificate for our domain:



So we decided to publish an article with step-by-step instructions for the process, so that by the time of release you could quickly create a certificate and start using it.



Isolating daemons with systemd, or "you don't need Docker for this!"

1 year, 3 months ago
Recently I have seen quite a large number of people use container virtualization only to lock a potentially unsafe application inside a container. As a rule they use Docker for this because of its popularity, and they know of nothing better. Indeed, many daemons initially start as root and then either drop their privileges, or the master process spawns worker processes with reduced privileges. And there are also those that work only as root. If a vulnerability is found in such a daemon that allows access with maximum privileges, it will not be very pleasant to discover that attackers have already managed to download all the data and leave malware behind.

The containerization provided by Docker and similar software really does save you from this problem, but it also introduces new ones: you have to create a container for each daemon, take care of the security of the changed files, update the base image, and containers are often based on different OSes that have to be stored on disk even though, in general, you have no particular need for them. What do you do if you do not need containers as such, the application on Docker Hub is not built the way you need it and the version is outdated, SELinux and AppArmor seem too complicated to you, and you would like to run it in your own environment but with the same isolation that Docker uses?

Capabilities


How does a normal user differ from root? Why can root manage the network, load kernel modules, mount file systems and kill the processes of any user, while a normal user is denied such opportunities? It is all about capabilities, the mechanism for managing privileges. By default all of these privileges are granted to the user with UID 0 (i.e. root), and a normal user has none of them. A privilege can be both granted and taken away. For example, the ordinary ping command requires creating a RAW socket, which cannot be done as a normal user. Historically, ping carried a SUID bit, which simply started the program as the superuser, but now all modern distributions set the CAP_NET_RAW capability on it, which allows ping to be run from under any account.

The list of file capabilities that have been set can be obtained with the getcap command from the libcap package.

% getcap $(which ping)
/usr/bin/ping = cap_net_raw+ep

Here the p flag means permitted, i.e. the application has the opportunity to use the set capability; e means effective, i.e. the application will actually use it; and there is also the i flag, inheritable, which makes it possible to preserve the capability list across an execve() call.

Capabilities can be set both at the file system level and for an individual thread of a program. It is impossible to obtain a capability that was not available at launch, i.e. privileges can only be lowered, never raised.

There are also secure bits, three of them: KEEP_CAPS allows capabilities to be preserved across a setuid call, NO_SETUID_FIXUP turns off the readjustment of capabilities on a setuid call, and NOROOT prohibits granting additional privileges when suid programs are started.



Virtual network interface

1 year, 3 months ago
It is well known that Linux drivers are kernel modules. All drivers are modules, but not all modules are drivers. One example of such a group of modules which are not drivers, and which come up much more rarely in discussions, are network filters at the different levels of the Linux network stack.

Sometimes, and in fact quite often, it would be desirable to have a network interface that could operate on the traffic of some other interface, but additionally "color" this traffic in some way. This may be needed for additional analysis, for traffic monitoring, for its encryption, ...

The idea is extremely simple: channel the traffic of an already existing network interface into a newly created interface with completely different characteristics (name, IP, mask, subnet, ...). We will discuss one method of doing this, in the form of a Linux kernel module (it is not the only one, but we will discuss the other methods separately another time).



Multi-colored terminals

1 year, 3 months ago


In this publication I will tell you about some tricks that will brighten the everyday life of any Linux system administrator (and not only). All of them are connected with the bash shell's PS1 variable. The PS1 variable defines how the prompt for entering new commands will look, and each user can redefine it however they wish, for example in the file ~/.bashrc (which is executed at bash startup and is used for configuration).

To start with, we will consider a simple option, my favourite command-line format.
