Categories
Debian Linux Networking SysAdmin Ubuntu Uncategorized

Ubuntu 18.04 LTS – Setting a static IP Address

This Ubuntu release brings an entirely new way to set or change a static IP address compared with 16.04 LTS. Let’s get started.

Open up a terminal window, and let’s get your network interface.

user@hostname:~# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:55:5e:f5:5f brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.243/23 brd 10.10.11.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe85::250:565f:fe5e:fd5f/64 scope link
       valid_lft forever preferred_lft forever

Now that we have figured out what network interface we are going to work with, let’s change into the /etc/netplan directory.

user@hostname:~# cd /etc/netplan

Verify that there is no file named 01-netcfg.yaml in the directory.

user@hostname:~# ls -l

Create the 01-netcfg.yaml file. If this file exists, skip this step and edit it instead.

user@hostname:~# sudo touch 01-netcfg.yaml

Now that the file exists, let’s add our configuration.

user@hostname:~# sudo vi /etc/netplan/01-netcfg.yaml

Modify this config to match your desired network details and network interface. YAML files require indentation, and the indentation must be consistent. VI will automatically indent correctly if you use the TAB key. Example below:

network:
        version: 2
        renderer: networkd
        ethernets:
                ens160:
                        dhcp4: no
                        addresses: [10.10.10.243/23]
                        gateway4: 10.10.10.1
                        nameservers:
                                addresses: [10.10.10.21,10.10.10.2]

Now, let’s restart the network stack.

user@hostname:~# sudo netplan apply

Now verify connectivity. For troubleshooting, try this command:

user@hostname:~# sudo netplan --debug apply
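
A pre-apply check for the file edited above, as an added example that is not part of the original post. YAML rejects tab characters in indentation, so whether the TAB key is safe depends on the editor inserting spaces; the hypothetical `lint_netplan` function below flags tabs, indentation that matches no open level, and interface addresses without a prefix length. It assumes the flow-style lists used in the post (`addresses: [a, b]`).

```bash
#!/bin/sh
# Added example (not from the original post): lint a netplan file before applying it.
# lint_netplan FILE -> prints one finding per line; returns 0 if clean, 1 otherwise.

lint_netplan() {
  awk '
    /^ *\t/ {                        # YAML forbids tab characters in indentation
      printf "line %d: tab character in indentation\n", NR; bad = 1; next
    }
    /^ *(#|$)/ { next }              # ignore comments and blank lines
    {
      ind = 0
      while (substr($0, ind + 1, 1) == " ") ind++

      # A line must either open a deeper level or return to one already open.
      if (depth == 0 || ind > level[depth]) {
        level[++depth] = ind
      } else {
        while (depth > 1 && level[depth] > ind) depth--
        if (level[depth] != ind) {
          printf "line %d: indentation of %d spaces matches no open level\n", NR, ind
          bad = 1; level[++depth] = ind
        }
      }

      # nameservers.addresses are plain IPs; interface addresses need /prefix.
      if (in_ns && ind <= ns_ind) in_ns = 0
      if ($1 == "nameservers:") { in_ns = 1; ns_ind = ind }
      else if ($1 == "addresses:" && !in_ns) {
        s = index($0, "["); e = index($0, "]")
        if (s && e > s) {
          n = split(substr($0, s + 1, e - s - 1), addr, /[ ,]+/)
          for (i = 1; i <= n; i++)
            if (addr[i] != "" && index(addr[i], "/") == 0) {
              printf "line %d: address %s has no /prefix length\n", NR, addr[i]
              bad = 1
            }
        }
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample: the layout from the post with three deliberate mistakes
# (a tab, a missing /23, and a 5-space indent).
sample=$(mktemp)
printf '%s\n' 'network:' '  version: 2' '  ethernets:' '    ens160:' \
  "$(printf '\t')  dhcp4: no" '      addresses: [10.10.10.243]' \
  '     gateway4: 10.10.10.1' > "$sample"
lint_netplan "$sample" || echo "fix the findings above before running netplan apply"
rm -f "$sample"
```

On a remote host, `sudo netplan try` is a safer follow-up than `netplan apply`, because it reverts the change unless you confirm it within a timeout.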
Categories
SysAdmin Windows Server

NETLOGON wait operation timed out when demoting a domain controller

When demoting a domain controller using dcpromo, you may run into the following error:

Error: The operation failed because:

Failed to configure the service NETLOGON as requested

“The wait operation timed out”

The error message is quite misleading, as the real cause has nothing to do with NETLOGON but is in fact a DNS issue. You will most likely have the server’s primary DNS pointing to itself using the loopback address (127.0.0.1) or its own IP address.

You can correct the issue by pointing DNS at the remaining domain controllers and removing any DNS entry that points to the server itself (i.e. the loopback address or any other IP owned by the server being demoted).

Categories
SysAdmin Windows Server

Updating PowerShell on Server 2008 R2

Download WMF 5.1 to a Windows Server 2008 R2 system
This also works with Windows Server 2012 and 2012 R2. By default Windows Server 2016 already has PowerShell 5.0 installed, so this is not required there. Note that to upgrade Windows Server 2008 R2 you must be using Service Pack 1 (SP1).

First we’ll confirm the version of PowerShell on our 2008 R2 system. This can be done by opening PowerShell and running $PSVersionTable, as shown below.

PS C:\> $PSVersionTable

Name                           Value
----                           -----
CLRVersion                     2.0.50727.4927
BuildVersion                   6.1.7600.16385
PSVersion                      2.0
WSManStackVersion              2.0
PSCompatibleVersions           {1.0, 2.0}
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion      2.1

As expected, we have PowerShell version 2.0, which is the default in this operating system.

WMF 5.0 or higher is needed to bring the just-enough administration (JEA) PowerShell feature, implemented in Windows Server 2016, to the older 2008 R2 SP1 operating system.

Before we download and install WMF though, we must first install .NET Framework 4.5.2 or later, as this is a prerequisite for WMF 5.1 in Windows Server 2008 R2 SP1, and by default 2008 R2 SP1 comes with .NET 3.5. You can download a newer version of .NET from here: https://www.microsoft.com/net/download/framework

After installation has completed you’ll need to perform a system reboot to proceed.

Next download Windows Management Framework (WMF) 5.1 from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=54616

A system reboot is not required after installing WMF.

Once installed, open PowerShell and run $PSVersionTable again. We can now see that PSVersion is listed as 5.1, as expected.

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

We will now be able to configure our Windows Server 2008 R2 SP1 system to use just-enough administration (JEA), as we’ll cover in future posts.

Summary
By first updating the .NET Framework and then installing either WMF 5.0 or 5.1, we can upgrade our PowerShell version to support Just-Enough Administration (JEA) in older versions of Windows, such as Windows Server 2008 R2, 2012, and 2012 R2.

Categories
CentOS Containers Docker Linux Podman RedHat SysAdmin

RHEL 7.6+/CENTOS 7.6+ Podman, Cockpit

For the last week or so, I have spent measurable time experimenting with RHEL’s Podman. A few months back, with the RHEL 8 release, Red Hat officially dropped support for Docker. Podman is Red Hat’s answer to Docker. Podman is a daemon-less container runtime engine. There is, however, very great news: from what I’ve noticed so far, Podman’s CLI commands are compatible with Docker’s (Docker CLI reference). This means that with a simple alias of docker=podman, the existing CLI that you may already know works perfectly, as it would with Docker.

Simple alias:

alias docker=podman

Or to make the alias permanent:

echo "alias docker='podman'" >> ~/.bash_aliases && source ~/.bash_aliases

So, Podman is a drop-in replacement for Docker, yet it does not have a daemon. It uses the same CLI as Docker, and can even be aliased so that copying and pasting existing instructions works flawlessly. Another great feature: if Red Hat does not host the image you are looking for, or you prefer an image from Docker Hub, Podman will search Docker Hub next when the container is created.

Another great tool is Red Hat’s Cockpit. Cockpit is a web-based admin console that even contains a terminal for controlling the system through your web browser. It reminds me of Windows Admin Center in a lot of ways. It also has a nifty Podman image and container management page that I like even more than Portainer.

Categories
Debian Linux SysAdmin Ubuntu

Adding Let’s Encrypt to Debian Web Servers

Let’s Encrypt is an automated certificate authority providing free of charge, domain-validated TLS certificates that are obtained using the ACME protocol.

Debian 8 (Jessie) Howto

Debian 9 (Stretch) Howto

You can install certbot from the main repository. You can also install some useful plugins to make getting certificates for nginx or apache easier.

user@computer$ sudo apt install certbot
user@computer$ sudo apt install python-certbot-apache

or

user@computer$ sudo apt install python-certbot-nginx

The default version of certbot that is available in the repository will result in the following error message if you try to run certbot --apache:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

As discussed in the LetsEncrypt Forums, this is due to a security issue that existed in the old client.

In order to make a certificate for apache you can use the following command:

sudo certbot --authenticator standalone --installer apache \
  -d <domain> --pre-hook "service apache2 stop" --post-hook "service apache2 start"

In order to make a certificate for nginx you can use the following command:

sudo certbot --authenticator standalone --installer nginx \
  -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"
Categories
Debian Linux Networking SysAdmin Ubuntu

UFW List Rules

UFW is designed to be an easy-to-use firewall solution. It uses iptables, and the underlying technology is pretty robust. Despite being the Uncomplicated FireWall, UFW still has a few misnomers, and some of its naming conventions may not be obvious to the first-time user.

Probably the most obvious example of this is when you try to list all the rules. UFW has no dedicated command to list rules but uses its primary command ufw status to give you an overview of the firewall along with the list of rules. Moreover, you can’t list the rules when the firewall is inactive. The status shows the rules being enforced as of that moment. This makes it all the more difficult to edit the rules first and then enable the firewall, safely.

However, if the firewall is active and is running a few rules, you will get an output like this:

user@computer$ ufw status
Status: active
 
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Of course, this list is not exhaustive. There are default rules too, which are applied to packets that don’t fall under any of the specified rules in the list above. This default behavior can be listed by adding a verbose subcommand.

user@computer$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
 
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

You can see that the default in this case is to deny any incoming traffic (ingress), such as HTTP traffic to a service listening on port 8000. On the other hand, it allows outgoing traffic (egress), which is required, for example, to query the software repositories, update packages and install new ones.

The listed rules themselves are now also much more explicit, stating whether a rule is for ingress (ALLOW IN or DENY IN) or egress (ALLOW OUT or DENY OUT).

Editing the Rules

If you wish to delete rules, you can do so by referring to each rule’s corresponding number. The rules can be listed with their numbers, as shown below:

user@computer$  ufw status numbered
Status: active
 
To                         Action      From
--                         ------      ----
[ 1] 22/tcp                ALLOW IN    Anywhere
[ 2] 80/tcp                ALLOW IN    Anywhere
[ 3] 443/tcp               ALLOW IN    Anywhere
[ 4] 25/tcp                DENY IN     Anywhere
[ 5] 25/tcp                DENY OUT    Anywhere
[ 6] 22/tcp (v6)           ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)           ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)          ALLOW IN    Anywhere (v6)
[ 9] 25/tcp (v6)           DENY IN     Anywhere (v6)
[10] 25/tcp (v6)           DENY OUT    Anywhere (v6)

You can then delete rules using the command:

user@computer$ ufw delete NUM

Here NUM is the rule’s number. For example, ufw delete 5 would remove the fifth rule, which blocks outgoing connections on port 25. The default behavior would then kick in for port 25, allowing outgoing connections on that port. Deleting rule number 4 would do nothing, since the default behavior of the firewall would still block incoming connections on port 25.
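
The reasoning above about rules 4 and 5, as an added example that is not part of the original post: the hypothetical `classify_ufw_rules` function compares each numbered rule with the default policy reported by ufw status verbose and marks it redundant or effective. It only compares rules against the defaults and assumes no rule shadows another; the sample listing is the one shown above.

```bash
#!/bin/sh
# Added example (not from the original post).
# classify_ufw_rules DEFAULT_IN DEFAULT_OUT  < output of "ufw status numbered"
# Prints one line per rule: NUM|TO|ACTION DIR|VERDICT

classify_ufw_rules() {
  awk -v din="$1" -v dout="$2" '
    /^\[ *[0-9]+\]/ {
      close_br = index($0, "]")
      num = substr($0, 2, close_br - 2); gsub(/ /, "", num)
      rest = substr($0, close_br + 1)
      if (!match(rest, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)/)) next
      to = substr(rest, 1, RSTART - 1); gsub(/^ +| +$/, "", to)
      split(substr(rest, RSTART, RLENGTH), act, " ")
      # A rule that repeats the default for its direction changes nothing.
      dflt = (act[2] == "IN") ? din : dout
      verdict = (tolower(act[1]) == dflt) ? "redundant" : "effective"
      printf "%s|%s|%s %s|%s\n", num, to, act[1], act[2], verdict
    }'
}

# Rule numbers shift down after every "ufw delete", so the redundant rules
# are listed highest number first.
redundant_rules_desc() {
  classify_ufw_rules "$1" "$2" | awk -F"|" '$4 == "redundant" { print $1 }' |
    sort -rn | xargs
}

# The numbered listing from the post, embedded so the example runs offline.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
[ 1] 22/tcp                ALLOW IN    Anywhere
[ 2] 80/tcp                ALLOW IN    Anywhere
[ 3] 443/tcp               ALLOW IN    Anywhere
[ 4] 25/tcp                DENY IN     Anywhere
[ 5] 25/tcp                DENY OUT    Anywhere
[ 6] 22/tcp (v6)           ALLOW IN    Anywhere (v6)
[ 7] 80/tcp (v6)           ALLOW IN    Anywhere (v6)
[ 8] 443/tcp (v6)          ALLOW IN    Anywhere (v6)
[ 9] 25/tcp (v6)           DENY IN     Anywhere (v6)
[10] 25/tcp (v6)           DENY OUT    Anywhere (v6)
EOF
}

# Defaults taken from the "ufw status verbose" output: deny incoming, allow outgoing.
sample_status | classify_ufw_rules deny allow
echo "rules that repeat the default (highest first): $(sample_status | redundant_rules_desc deny allow)"
```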

Categories
CentOS Debian Fedora Linux RedHat SysAdmin Ubuntu

Linux Package Management Basics

Introduction

Most modern Unix-like operating systems offer a centralized mechanism for finding and installing software. Software is usually distributed in the form of packages, kept in repositories. Working with packages is known as package management. Packages provide the basic components of an operating system, along with shared libraries, applications, services, and documentation.

A package management system does much more than one-time installation of software. It also provides tools for upgrading already-installed packages. Package repositories help to ensure that code has been vetted for use on your system, and that the installed versions of software have been approved by developers and package maintainers.

When configuring servers or development environments, it’s often necessary to look beyond official repositories. Packages in the stable release of a distribution may be out of date, especially where new or rapidly-changing software is concerned. Nevertheless, package management is a vital skill for system administrators and developers, and the wealth of packaged software for major distributions is a tremendous resource.

This guide is intended as a quick reference for the fundamentals of finding, installing, and upgrading packages on a variety of distributions, and should help you translate that knowledge between systems.

Package Management Systems: A Brief Overview

Most package systems are built around collections of package files. A package file is usually an archive which contains compiled binaries and other resources making up the software, along with installation scripts. Packages also contain valuable metadata, including their dependencies, a list of other packages required to install and run them.

While their functionality and benefits are broadly similar, packaging formats and tools vary by platform:

Operating System  Format       Tool(s)
----------------  ------       -------
Debian            .deb         apt, apt-cache, apt-get, dpkg
Ubuntu            .deb         apt, apt-cache, apt-get, dpkg
CentOS            .rpm         yum
Fedora            .rpm         dnf
FreeBSD           Ports, .txz  make, pkg

In Debian and systems based on it, like Ubuntu, Linux Mint, and Raspbian, the package format is the .deb file. APT, the Advanced Packaging Tool, provides commands used for most common operations: Searching repositories, installing collections of packages and their dependencies, and managing upgrades. APT commands operate as a front-end to the lower-level dpkg utility, which handles the installation of individual .deb files on the local system, and is sometimes invoked directly.

Recent releases of most Debian-derived distributions include the apt command, which offers a concise and unified interface to common operations that have traditionally been handled by the more-specific apt-get and apt-cache. Its use is optional, but may simplify some tasks.

CentOS, Fedora, and other members of the Red Hat family use RPM files. In CentOS, yum is used to interact with both individual package files and repositories.

In recent versions of Fedora, yum has been supplanted by dnf, a modernized fork which retains most of yum’s interface.

FreeBSD’s binary package system is administered with the pkg command. FreeBSD also offers the Ports Collection, a local directory structure and tools which allow the user to fetch, compile, and install packages directly from source using Makefiles. It’s usually much more convenient to use pkg, but occasionally a pre-compiled package is unavailable, or you may need to change compile-time options.

Update Package Lists

Most systems keep a local database of the packages available from remote repositories. It’s best to update this database before installing or upgrading packages. As a partial exception to this pattern, yum and dnf will check for updates before performing some operations, but you can ask them at any time whether updates are available.

System            Command
------            -------
Debian / Ubuntu   sudo apt-get update
                  sudo apt update
CentOS            yum check-update
Fedora            dnf check-update
FreeBSD Packages  sudo pkg update
FreeBSD Ports     sudo portsnap fetch update

Upgrade Installed Packages

Making sure that all of the installed software on a machine stays up to date would be an enormous undertaking without a package system. You would have to track upstream changes and security alerts for hundreds of different packages. While a package manager doesn’t solve every problem you’ll encounter when upgrading software, it does enable you to maintain most system components with a few commands.

On FreeBSD, upgrading installed ports can introduce breaking changes or require manual configuration steps. It’s best to read /usr/ports/UPDATING before upgrading with portmaster.

System            Command                      Notes
------            -------                      -----
Debian / Ubuntu   sudo apt-get upgrade         Only upgrades installed packages, where possible.
                  sudo apt-get dist-upgrade    May add or remove packages to satisfy new dependencies.
                  sudo apt upgrade             Like apt-get upgrade.
                  sudo apt full-upgrade        Like apt-get dist-upgrade.
CentOS            sudo yum update
Fedora            sudo dnf upgrade
FreeBSD Packages  sudo pkg upgrade
FreeBSD Ports     less /usr/ports/UPDATING     Uses less to view update notes for ports (use arrow keys to scroll, press q to quit).
                  cd /usr/ports/ports-mgmt/portmaster && sudo make install && sudo portmaster -a    Installs portmaster and uses it to update installed ports.

Find a Package

Most distributions offer a graphical or menu-driven front end to package collections. These can be a good way to browse by category and discover new software. Often, however, the quickest and most effective way to locate a package is to search with command-line tools.

System            Command                                         Notes
------            -------                                         -----
Debian / Ubuntu   apt-cache search search_string
                  apt search search_string
CentOS            yum search search_string
                  yum search all search_string                    Searches all fields, including description.
Fedora            dnf search search_string
                  dnf search all search_string                    Searches all fields, including description.
FreeBSD Packages  pkg search search_string                        Searches by name.
                  pkg search -f search_string                     Searches by name, returning full descriptions.
                  pkg search -D search_string                     Searches description.
FreeBSD Ports     cd /usr/ports && make search name=package       Searches by name.
                  cd /usr/ports && make search key=search_string  Searches comments, descriptions, and dependencies.

View Info About a Specific Package

When deciding what to install, it’s often helpful to read detailed descriptions of packages. Along with human-readable text, these often include metadata like version numbers and a list of the package’s dependencies.

System            Command                                       Notes
------            -------                                       -----
Debian / Ubuntu   apt-cache show package                        Shows locally-cached info about a package.
                  apt show package
                  dpkg -s package                               Shows the current installed status of a package.
CentOS            yum info package
                  yum deplist package                           Lists dependencies for a package.
Fedora            dnf info package
                  dnf repoquery --requires package              Lists dependencies for a package.
FreeBSD Packages  pkg info package                              Shows info for an installed package.
FreeBSD Ports     cd /usr/ports/category/port && cat pkg-descr

Install a Package from Repositories

Once you know the name of a package, you can usually install it and its dependencies with a single command. In general, you can supply multiple packages to install simply by listing them all.

System            Command                                           Notes
------            -------                                           -----
Debian / Ubuntu   sudo apt-get install package
                  sudo apt-get install package1 package2 ...        Installs all listed packages.
                  sudo apt-get install -y package                   Assumes “yes” where apt would usually prompt to continue.
                  sudo apt install package                          Displays a colored progress bar.
CentOS            sudo yum install package
                  sudo yum install package1 package2 ...            Installs all listed packages.
                  sudo yum install -y package                       Assumes “yes” where yum would usually prompt to continue.
Fedora            sudo dnf install package
                  sudo dnf install package1 package2 ...            Installs all listed packages.
                  sudo dnf install -y package                       Assumes “yes” where dnf would usually prompt to continue.
FreeBSD Packages  sudo pkg install package
                  sudo pkg install package1 package2 ...            Installs all listed packages.
FreeBSD Ports     cd /usr/ports/category/port && sudo make install  Builds and installs a port from source.

Install a Package from the Local Filesystem

Sometimes, even though software isn’t officially packaged for a given operating system, a developer or vendor will offer package files for download. You can usually retrieve these with your web browser, or via curl on the command line. Once a package is on the target system, it can often be installed with a single command.

On Debian-derived systems, dpkg handles individual package files. If a package has unmet dependencies, gdebi can often be used to retrieve them from official repositories.

On CentOS and Fedora systems, yum and dnf are used to install individual files, and will also handle needed dependencies.

System            Command                                                  Notes
------            -------                                                  -----
Debian / Ubuntu   sudo dpkg -i package.deb
                  sudo apt-get install -y gdebi && sudo gdebi package.deb  Installs and uses gdebi to install package.deb and retrieve any missing dependencies.
CentOS            sudo yum install package.rpm
Fedora            sudo dnf install package.rpm
FreeBSD Packages  sudo pkg add package.txz
                  sudo pkg add -f package.txz                              Installs package even if already installed.

Remove One or More Installed Packages

Since a package manager knows what files are provided by a given package, it can usually remove them cleanly from a system if the software is no longer needed.

System            Command                                       Notes
------            -------                                       -----
Debian / Ubuntu   sudo apt-get remove package
                  sudo apt remove package
                  sudo apt-get autoremove                       Removes unneeded packages.
CentOS            sudo yum remove package
Fedora            sudo dnf erase package
FreeBSD Packages  sudo pkg delete package
                  sudo pkg autoremove                           Removes unneeded packages.
FreeBSD Ports     sudo pkg delete package
                  cd /usr/ports/path_to_port && make deinstall  De-installs an installed port.

The apt Command

Administrators of Debian-family distributions are generally familiar with apt-get and apt-cache. Less widely known is the simplified apt interface, designed specifically for interactive use.

Traditional Command      apt Equivalent
-------------------      --------------
apt-get update           apt update
apt-get dist-upgrade     apt full-upgrade
apt-cache search string  apt search string
apt-get install package  apt install package
apt-get remove package   apt remove package
apt-get purge package    apt purge package

While apt is often a quicker shorthand for a given operation, it’s not intended as a complete replacement for the traditional tools, and its interface may change between versions to improve usability. If you are using package management commands inside a script or a shell pipeline, it’s a good idea to stick with apt-get and apt-cache.

Get Help

In addition to web-based documentation, keep in mind that Unix manual pages (usually referred to as man pages) are available for most commands from the shell. To read a page, use man:

man page

In man, you can navigate with the arrow keys. Press / to search for text within the page, and q to quit.

System            Command        Notes
------            -------        -----
Debian / Ubuntu   man apt-get    Updating the local package database and working with packages.
                  man apt-cache  Querying the local package database.
                  man dpkg       Working with individual package files and querying installed packages.
                  man apt        Working with a more concise, user-friendly interface to most basic operations.
CentOS            man yum
Fedora            man dnf
FreeBSD Packages  man pkg        Working with pre-compiled binary packages.
FreeBSD Ports     man ports      Working with the Ports Collection.

Conclusion and Further Reading

This guide provides an overview of basic operations that can be cross-referenced between systems, but only scratches the surface of a complex topic. For greater detail on a given system, you can consult the following resources: