LINICKX.com

RPM SPECS for Python CiscoConfParse

Nick Bettison — Mon, 30 Mar 2015 15:59:00 +0100

Recently I have been using ciscoconfparse to loop through Cisco configs, installing on my local laptop is straightforward with pip however getting it onto a customers linux jump server can be a bit more tricky (proxies, build deps and the like).

For Redhat/Centos (6) boxes I found an out of date .src.rpm therefore I have updated the SPEC file:

python-ciscoconfparse.spec

I have made two changes, I updated to the ciscoconfparse 1.2.16 and added the python-ipaddr dependency.

To build your own yo will also need:

python-setuptools_hg.spec

The only change I have made there is to add the correct download URL to the Source so that it build without the human having to put the package in the right directory.... other than that all other build deps should be in the standard base repositories.

Building them is straight forward with rebuild -ba, I have an old post here... fedora have a much more comprehensive one here... I haven't uploaded pre-built RPMs to my repo as I haven't found the need to for years, maybe this is a good excuse to resurrect it!

CentOS/Redhat IPSEC and EC2

nick — Thu, 27 Jan 2011 20:17:00 +0000

So it turns out my 5 minute vpn doesn't work in EC2 because the ESP/AH protocols (50 and 51) are blocked on the AWS network.

This is no big deal tho, as NAT-T allows one to tunnel IPSEC over UDP... however getting it to work on CentOS required a bit of a hack.

If you have already tried setting up an IPSEC vpn, shut it down with ifdown ipsec1 and remove your /etc/racoon/192.168.56.101.conf (or whatever IP yours is).

To start the hack on BOTH boxes, you need to edit /etc/sysconfig/network-scripts/ifup-ipsec. Around line 215 you need to insert nat_traversal force;... like this....

BEFORE:

#!/bin/bash
        case "$IKE_METHOD" in
           PSK)
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;
        }
}

AFTER:

#!/bin/bash
        case "$IKE_METHOD" in
           PSK)
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        nat_traversal force;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;
        }
}

Again, on both boxes update your /etc/sysconfig/network-scripts/ifcfg-ipsec1 files so that AH is disabled... because AH doesn't like NAT... like this....

#!/bin/bash

[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
DST=192.168.56.101
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
AH_PROTO=none
[root@CentOS2 ~]#

On your iptables policy make sure that UDP 500 and UDP 4500 are permitted and volia.

# tcpdump -n -i eth1 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
20:26:49.257590 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xa), length 116
20:26:49.261076 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xa), length 116
20:26:50.260942 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xb), length 116
20:26:50.262939 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xb), length 116
20:26:51.261298 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xc), length 116
20:26:51.264974 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xc), length 116
20:26:52.262289 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xd), length 116
20:26:52.265488 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xd), length 116
20:26:53.264008 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xe), length 116
20:26:53.267003 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xe), length 116
20:26:54.265655 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xf), length 116
20:26:54.267264 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xf), length 116
20:26:55.267459 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0x10), length 116
20:26:55.269678 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0x10), length 116
14 packets captured
14 packets received by filter
0 packets dropped by kernel
#

IPSEC VPN Tunnelling over UDP.... done!

RedHat Cluster - How to Disable Fencing

nick — Tue, 25 Jan 2011 19:37:00 +0000

I've spent far too long googling how to disable fencing.... I can only guess that because you shouldn't really disable fencing no-one wants to post a how to... so for the hard of hearing.

Do NOT disable fencing on your RedHat Cluster unless you really know what you're doing! Fencing is designed to protect your data from corruption, if you disable fencing your data is at RISK, you have been warned!

I however am working on building a GFS DRBD cluster, as far as I can gather DRBD doesn't need fencing, and the bottom line is my data is personal data not mission critical and if my website goes down due to my disabling fencing then it's no big deal.

Rant over, here we go..... To disable fencing, create a custom fence agent.

Fence agents are simply scripts in /sbin, I've created /sbin/myfence and here are the contents.

#!/bin.bash
echo "success: myfence $2"
exit 0

Next, change your cluster.conf...

If you're running SELINUX don't forget to update that! ... start with restorecon /sbin/myfence then update your policy.

This is the policy I've created...

module fenced 1.0;

require {
        type fenced_t;
        type shell_exec_t;
        class file { read execute };
}

#============= fenced_t ==============
allow fenced_t shell_exec_t:file { read execute };

If you save the above as fenced.te, then run this to install it..

checkmodule -M -m -o fenced.mod fenced.te
semodule_package -o fenced.pp -m fenced.mod
semodule -i fenced.pp

You should now be able to start cman, fencing will start but will return success for any fencing issues without actually doing anything!

Happy non-fencing!

GRE example for CentOS/RHEL

nick — Mon, 24 Jan 2011 18:02:00 +0000

I'm not sure why GRE isn't in RedHat's Documentation, but setting up a GRE tunnel between two RedHat boxes is quite straight forward...

On Host1 (192.168.56.101)...

#!/bin/bash
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun0 
DEVICE=tun0
BOOTPROTO=none
ONBOOT=no
TYPE=GRE
PEER_OUTER_IPADDR=192.168.56.102
PEER_INNER_IPADDR=192.168.168.2
MY_INNER_IPADDR=192.168.168.1
[root@CentOS1 ~]#

On host2 (192.168.56.102) ....

#!/bin/bash
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun0 
DEVICE=tun0
BOOTPROTO=none
ONBOOT=no
TYPE=GRE
PEER_OUTER_IPADDR=192.168.56.101
PEER_INNER_IPADDR=192.168.168.1
MY_INNER_IPADDR=192.168.168.2
[root@CentOS1 ~]#

Bring the interfaces up....

#!/bin/bash
[root@CentOS1 ~]# ifup tun0

.. on host2...

#!/bin/bash
[root@CentOS2 ~]# ifup tun0

And we're done! ... see the proof in the pudding below....

#!/bin/bash
[root@CentOS1 ~]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-05-08-80-3C-00-00-00-00-00-00-00-00  
          inet addr:192.168.168.1  P-t-P:192.168.168.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:168 (168.0 b)  TX bytes:756 (756.0 b)

[root@CentOS1 ~]# ping 192.168.168.2
PING 192.168.168.2 (192.168.168.2) 56(84) bytes of data.
64 bytes from 192.168.168.2: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 192.168.168.2: icmp_seq=2 ttl=64 time=2.13 ms
64 bytes from 192.168.168.2: icmp_seq=3 ttl=64 time=2.12 ms

--- 192.168.168.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.511/1.921/2.132/0.289 ms
[root@CentOS1 ~]#

The other end...

#!/bin/bash
[root@CentOS2 ~]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-05-08-80-4C-00-00-00-00-00-00-00-00  
          inet addr:192.168.168.2  P-t-P:192.168.168.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3528 (3.4 KiB)  TX bytes:4536 (4.4 KiB)

[root@CentOS2 ~]# ping 192.168.168.1
PING 192.168.168.1 (192.168.168.1) 56(84) bytes of data.
64 bytes from 192.168.168.1: icmp_seq=1 ttl=64 time=4.39 ms
64 bytes from 192.168.168.1: icmp_seq=2 ttl=64 time=1.41 ms
64 bytes from 192.168.168.1: icmp_seq=3 ttl=64 time=2.57 ms

--- 192.168.168.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 1.419/2.795/4.393/1.224 ms
[root@CentOS2 ~]#

Here we show the tunnelled packets...

#!/bin/bash
[root@CentOS1 ~]# tcpdump -n -i eth1 proto 47
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:45:59.429315 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 7, length 64
13:45:59.429315 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 7, length 64
13:46:00.530528 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 8, length 64
13:46:00.530686 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 8, length 64
13:46:01.418447 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 9, length 64
13:46:01.418526 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 9, length 64

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS1 ~]#

Since we can see the ICMP packets inside the GRE tunnel that show's us that GRE is in clear text... to add some security setup a simple IPSEC VPN :)

Reference: http://juliano.info/en/Blog:Memory_Leak/Bridges_and_tunnels_in_Fedora

Security updates only for Fedora 7 / RHEL & Centos 5

nick — Mon, 24 Sep 2007 15:32:00 +0100

I found this on redhat.comthe other day....

It is now possible to limit yum to install security updates only. To do so, simply install the yum-security plugin and run the following command:

yum update --security

Hopefully this will allow fedora users to have the option of running a "stable" install :)

USB Networking with Fedora 7 & n800

nick — Fri, 14 Sep 2007 18:14:00 +0100

There are times where you cannot use WiFi, for example my workplace's WLAN uses LEAP, which maemo doesn't support. I found that setting up USB networking on my n800 was a bit of a pain since there isn't a single document... if you check my del.icio.us feed you'll see I bookmarked all I could find with a usbnet tag.

These are the steps I ran through to enable usb networking between my nokia n800 and my fedora 7 laptop.

First we'll start with the basic setup... I'll assume you've read a getting started article similar to mine and already have root & xterm. By default n800 has a usb interface configured, you just need to enable it, so on your n800 type:

sudo gainroot insmod /mnt/initfs/lib/modules/2.6.18-omap1/g_ether.ko ifup usb0
The default settings add an interface with a static ip of 192.168.2.15/24 with a default gateway of 192.168.2.14.

Now lets set up something similar on Fedora, you need to create a file in /etc/sysconfig/network-scripts called ifcfg-usb0 with the following...

DEVICE=usb0 BOOTPROTO=static IPADDR=192.168.2.14 BROADCAST=192.168.2.255 NETMASK=255.255.255.0 NETWORK=192.168.2.0 ONBOOT=no MII_NOT_SUPPORTED=no
Now plug the usb cable into both devices, and on your fedora box (as root) type
ifup usb0
You now have connectivity, of course if you have a default fedora install pinging 192.168.2.15 will fail because of the firewall, it is probably best to temporarily disable the firewall (/etc/init.d/iptables stop) to see if it works, if so move onto configuring your firewall correctly (/etc/init.d/iptables start starts it again) :) You may also get usb conflicts, you can try

rmmod uhci_hcd

but it will disable any USB devices, you have been warned.

With this basic connectivity setup you'll have two issues; you only have connectivity between fedora & n800 nothing else works, and opening any application on n800 causes it to try and connect to your wifi, so lets look at those....

I'm going to assume you used system-config-securitylevel to configure your firewall, its worth noting that any changes you make now will be overwritten by any future use of system-config-securitylevel so it's probably best to take a backup of /etc/sysconfig/ipatbles now and later when you're finished.

So as root type:

iptables -I RH-Firewall-1-INPUT 2 -i usb -j ACCEPT iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT iptables --table nat --append POSTROUTING --out-interface eth0 -s 192.168.2.0/24 -j MASQUERADE /etc/init.d/iptables save
This will allow all connectivity in from the usb interface allowing the n800 to send packets into the fedora box whilst the firewall is running, it will also NAT any traffic from the usb network hiding the n800 behind fedora so that you get onward connectivity. To get the NAT to work you need to enable ip forwarding, this allows fedora to pass pakets between interfaces, to do that type

echo 1 > /proc/sys/net/ipv4/ip_forward

and to get it to survive a reboot update /etc/sysctl.conf with

net.ipv4.ip_forward = 1

The final part is to enable name resolution (DNS), on n800, I updated /etc/resolv.conf with the opendns servers...
nameserver 208.67.222.222 nameserver 208.67.220.220
All things being equal you should now be able to ping www.google.com from your n800 :cool:

To get applications to connect, I found on the latest version of ITOS that the DUMMY IAP didn't work, so I stumbled across this solution.

Create an "ad hoc" wifi connection with static IPs... anything it doesn't matter, and when that's connected in xterm (as root) type ifconfig wlan0 down , you should now be able to connect to the web with your browser / skype etc over your usb network... sweet!

Smolt RPM for CentOS, RHEL, etc

nick — Fri, 06 Jul 2007 10:00:00 +0100

I after installing Fedora7 I thought I'd take a look at the stats the project had gathered, I saw some centos devices, but couldn't find a rpm.

I've had a go at building one, it mostly works (this is my nagios box), it's a rebuild of the f7 source, I have to frig about with the spec file, so I've published my source rpm here, search for Nick in the .spec file, you'll see my bodge.

The smolt rpms are in my yum repo, feel free to download the packages and have a go.

HTTP Compression on Redhat / CentOS / Fedora

nick — Thu, 21 Jun 2007 16:37:00 +0100

I was doing some testing on my server the other day, and realised that http compression within apache (httpd) was not enabled by default. Further digging showed me that mod_defate was what I needed, and infact it was installed by default on my CentOS box.

How to enable mod_default on Centos: Create /etc/httpd/conf.d/deflate.conf with the following contents

     # Insert filter
     SetOutputFilter DEFLATE

     # Netscape 4.x has some problems...
     BrowserMatch ^Mozilla/4 gzip-only-text/html

     # Netscape 4.06-4.08 have some more problems
     BrowserMatch ^Mozilla/4.0[678] no-gzip

     # MSIE masquerades as Netscape, but it is fine
     BrowserMatch bMSIE !no-gzip !gzip-only-text/html

     # Don't compress images
     SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary

        # Don't compress already compressed stuff !
        SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI .pdf$ no-gzip dont-vary

     # Make sure proxies don't deliver the wrong content
     Header append Vary User-Agent env=!dont-vary

        # Log Stuff !
#        DeflateFilterNote Input input_info
#        DeflateFilterNote Output output_info
#        DeflateFilterNote Ratio ratio_info
#        LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
#        CustomLog /var/log/httpd/deflate_log deflate

restart httpd (/etc/init.d/httpd restart) and your done :-)

References:

Intel 3945ABG Wireless / WiFi Card on CentOS 5

nick — Thu, 24 May 2007 10:39:00 +0100

I've taken to using CentOS on my servers, and fedora on my Laptop. New job, means new laptop, and to avoid fedora update hell, I thought I'd try CentOS on my laptop.

All seems good other than my wifi card not being detected, and for some reason googling for "centos 5 intel 3945" didn't provide a working anserwer, actually I found the answer by googling for "supplementary disk centos 5" which finds this thread that says...

Install dag's repo (this rpm), and then install dkms-ipw3945 (yum will pick up the dependancies)

yum install dkms-ipw3945

Next enable network manager...

chkconfig --level 345 NetworkManager on
chkconfig --level 345 NetworkManagerDispatcher on

reboot (seriously) and when you next log in you'll get a little icon in you system tray where you can manage your WiFi :)

A Linux / Command line: how to upload to wordpress wp-plugins.org via subversion ( SVN )

nick — Sun, 06 May 2007 16:47:00 +0100

Could that title get any longer !

Hopefully you get the point, sometimes you need different tools for different jobs, if you want a full development platform with SVN support I suggest you take a look at eclipse (with subclipse ) but what if you already have done the development and you just want to do a quick upload.

My phpbb_recent_topics plugin is hosted here, and when the nice guys at wordpress gave me an svn account, I just wanted a quick way to upload what I've done. Now I must stress this may not be the "proper" way to use svn (there's a book for that) but it is enough to achieve what we want, a straight forward upload.

I'm using redhat, so the 1st step was to install dag's subversion rpm , I also needed to setup an "editor" variable for commenting.

SVN_EDITOR=vi
export SVN_EDITOR

Then, I went into a directory onto my server, and downloaded a copy of the existing subversion directory structure.

[nick@SERVER wp_plugins]$ svn checkout https://svn.wp-plugins.org/phpbb-recent-topics/
A    phpbb-recent-topics/trunk
A    phpbb-recent-topics/branches
A    phpbb-recent-topics/tags
Checked out revision 9232.
[nick@SERVER wp_plugins]$

My plugin (at the time) was on version 1, so my 1st steps were to create a version 1 tag, add it to svn, get the stable copy of my plugin, add that to svn.

[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/
[nick@SERVER phpbb-recent-topics]$ ls
branches  tags  trunk
[nick@SERVER phpbb-recent-topics]$ cd tags/
[nick@SERVER tags]$ mkdir 0.1
[nick@SERVER tags]$ cd ..
[nick@SERVER wp_plugins]$ svn add phpbb-recent-topics/tags/*
A         phpbb-recent-topics/tags/0.1
[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/tags/0.1/
[nick@SERVER 0.1]$ wget https://www.linickx.com/files/php/phpbb_recent_topics.txt
[nick@SERVER 0.1]$ mv phpbb_recent_topics.txt phpbb_recent_topics.php
[nick@SERVER 0.1]$ svn add phpbb_recent_topics.php
A         phpbb_recent_topics.php
[nick@SERVER 0.1]$

Finally I updated everything, and uploaded (committed) my files.

[nick@SERVER 0.1]$ cd ../../../
[nick@SERVER wp_plugins]$ svn update phpbb-recent-topics/
At revision 9232.
[nick@SERVER wp_plugins]$ svn --username linickx commit phpbb-recent-topics/
Adding         phpbb-recent-topics/tags/0.1
Adding         phpbb-recent-topics/tags/0.1/phpbb_recent_topics.php
Transmitting file data .......
Committed revision 9233.
[nick@SERVER wp_plugins]$

Remember this doesn't publish your plugin on wordpress.org, to do that you need a valid readme.txt in the trunk directory, but as you can see once you've created all the files on your local box, it's just a few commands to get your work uploaded.

Did you notice that the wordpress svn supports SSL ?