Mysql quota for database using zfs on CentOS 7

Assume the steps in "Move mysql data folder to ZFS on CentOS 7" have already been done.
Follow these steps to create a mysql database on its own quota-limited ZFS dataset (run as root). The database files are located under /mysqldata.

// add fcontext for database storage folder. Only needs running once
semanage fcontext -a -t mysqld_db_t "/mysqldata(/.*)?"

// create folder for database
zfs create -o mountpoint=/mysqldata/test_quota -o quota=1gb mysqldata/test_quota
chown -R mysql:mysql /mysqldata/test_quota
chmod -R 700 /mysqldata/test_quota

// let mysql create the database, then move its files onto the dataset
cd /var/lib/mysql
mysql -e "create database test_quota;"
mv test_quota/db.opt /mysqldata/test_quota
// remove the now-empty database directory and replace it with a symlink to the dataset
mv test_quota /tmp
rm -rf /tmp/test_quota
ln -s /mysqldata/test_quota /var/lib/mysql
// restore the SELinux label (mysqld_db_t) on the dataset
restorecon -R -v /mysqldata

The database is now limited to 1GB of space.
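
The same creation procedure as a script, added here as an example (not from the original post): it validates the database name and quota before they reach zfs, mysql and the filesystem, refuses to clobber an existing dataset, and prints the applied limit. It assumes the pool "mysqldata" mounted at /mysqldata and the SELinux fcontext rule above already in place; the script name mkquotadb.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): create one MySQL database on its own
# quota-limited ZFS dataset, following the steps above with input checks added.
# Assumes the pool "mysqldata" mounted at /mysqldata and the SELinux fcontext rule
# from the post already in place. Run as root: ./mkquotadb.sh create test_quota 1gb
set -eu

POOL=mysqldata
MYSQL_DATADIR=/var/lib/mysql

# The database name becomes a directory, dataset and symlink name, so restrict it
# to [A-Za-z0-9_] (max 64 chars): no "/", "..", quotes or shell metacharacters.
valid_dbname() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Accept quota strings of the form <digits><K|M|G|T> with an optional trailing "b",
# e.g. 1gb as in the post or 512M. Anything else is rejected before reaching zfs.
valid_quota() {
    u=${1%[bB]}
    n=${u%[KMGTkmgt]}
    [ -n "$n" ] && [ "$n" != "$u" ] || return 1
    case "$n" in *[!0-9]*) return 1 ;; esac
}

create_quota_db() {
    db=$1; quota=$2
    valid_dbname "$db" || { echo "bad database name: $db" >&2; return 1; }
    valid_quota "$quota" || { echo "bad quota: $quota" >&2; return 1; }
    if zfs list "$POOL/$db" >/dev/null 2>&1; then
        echo "dataset $POOL/$db already exists" >&2; return 1
    fi
    zfs create -o mountpoint="/$POOL/$db" -o quota="$quota" "$POOL/$db"
    # Let MySQL create the database, then move its db.opt onto the dataset and
    # replace the now-empty directory with a symlink (rmdir fails if it is not empty).
    mysql -e "CREATE DATABASE \`$db\`;"
    mv "$MYSQL_DATADIR/$db/db.opt" "/$POOL/$db/"
    rmdir "$MYSQL_DATADIR/$db"
    ln -s "/$POOL/$db" "$MYSQL_DATADIR/$db"
    chown -R mysql:mysql "/$POOL/$db"
    chmod 700 "/$POOL/$db"
    restorecon -R -v "/$POOL/$db"
    zfs get -H -o property,value used,quota "$POOL/$db"   # show the limit applied
}

if [ "${1:-}" = "create" ]; then create_quota_db "$2" "$3"; fi
```
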
To delete the mysql database:

cd /var/lib/mysql
// drop every table first; the table files live on the ZFS dataset behind the symlink
TABLES=$(mysql test_quota -e 'show tables' | awk '{ print $1}' | grep -v '^Tables')

for t in $TABLES
do
	echo "Deleting $t table from test_quota database..."
	mysql test_quota -e "drop table \`$t\`"
done
echo "All tables have been dropped."
// replace the symlink with an empty directory so that "drop database" can remove it
rm test_quota
mkdir test_quota
chown mysql:mysql test_quota
mysql -e "drop database test_quota"
// finally remove the dataset and its mountpoint
zfs destroy mysqldata/test_quota
rm -rf /mysqldata/test_quota

Add static route on Mac OSX and Windows

Adding a static route on Windows is easy. Run the command prompt as Administrator.

route -p add 10.10.120.0 mask 255.255.255.0 192.168.0.1

Adding a static route on OS X needs the following steps:

  1. Find the network service which can reach the gateway
    mac-mini:~ ladmin$ networksetup -listallnetworkservices
    An asterisk (*) denotes that a network service is disabled.
    Internet
    LAN
    Backup-LAN
    Bluetooth DUN
    *FireWire
    *Bluetooth PAN 2
    Wi-Fi
     
    mac-mini:~ ladmin$ networksetup -getinfo LAN
    Manual Configuration
    IP address: 192.168.15.2
    Subnet mask: 255.255.255.0
    Router: 192.168.15.254
    IPv6: Automatic
    IPv6 IP address: none
    IPv6 Router: none
    Ethernet Address: 00:1f:5b:33:1d:75
  2. Set an additional route (via that gateway) on the network service
    mac-mini:~ ladmin$ sudo networksetup -setadditionalroutes LAN 10.0.0.0 255.255.255.0 192.168.15.254
    Password:
    mac-mini:~ ladmin$ networksetup -getadditionalroutes LAN
    10.0.0.0 255.255.255.0 192.168.15.254
  3. Check the route list

    mac-mini:~ ladmin$ netstat -rn
    Routing tables
     
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            213.125.227.185    UGSc           18        0   vlan0
    default            192.168.15.254     UGScI           0        0     en0
    default            192.168.15.254     UGScI           0        0     en1
    default            192.168.15.254     UGScI           0        0     en2
    10/24              192.168.15.254     UGSc            0        0     en1
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH             75  2330825     lo0
    169.254            link#8             UCS             1        0   vlan0
    169.254            link#4             UCSI            0        0     en0
    169.254            link#5             UCSI            0        0     en1
    

    Add more routing paths:

    iso@isoAir:/dev$ sudo networksetup -setadditionalroutes "Ethernet Pantalla Trabajo" 10.0.0.0 255.0.0.0 10.1.36.1 172.16.0.0 255.240.0.0 10.1.36.1 192.168.0.0 255.255.0.0 10.1.36.1
    iso@isoAir:/dev$ sudo networksetup -getadditionalroutes "Ethernet Pantalla Trabajo"
    10.0.0.0 255.0.0.0 10.1.36.1
    172.16.0.0 255.240.0.0 10.1.36.1
    192.168.0.0 255.255.0.0 10.1.36.1
    

    reference:

    http://www.marcoach.nl/persistent-static-routes-on-os-x/

    https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true

KVM access guest from outside host on CentOS

The default virbr0 network lets the guest reach the host (VM<->host), but the guest cannot be reached from outside the host. The following commands remove libvirt's REJECT rules from the FORWARD chain and enable that access temporarily (the change is not persistent).

# iptables -D  FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
# iptables -D  FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

The better way is to create another bridge for the guest.

  1. create a new network xml file (routeNetwork.xml)

    <network>
      <name>examplenetwork</name>
      <bridge name="virbr100" />
      <forward mode="route" />
      <ip address="10.10.120.1" netmask="255.255.255.0" />
    </network>
  2. create the new network
    # virsh net-create routeNetwork.xml
  3. edit the network to enable DHCP (I think if we define DHCP in the first step, this one is not needed. If we don't do this step, the persistent state is no. Not sure what the impact is.)
    # virsh net-edit routenetwork
    
    <network>
      <name>routenetwork</name>
      <uuid>62b9b9a9-2865-466c-9a3d-ab003441bc8b</uuid>
      <forward mode='route'/>
      <bridge name='virbr100' stp='on' delay='0'/>
      <mac address='52:54:00:cc:3b:aa'/>
      <ip address='10.10.120.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='10.10.120.128' end='10.10.120.254'/>
        </dhcp>
      </ip>
    </network>
  4. Set the network to autostart
    # virsh net-autostart routenetwork
  5. Check virtual networks
    # virsh net-list
     Name                 State      Autostart     Persistent
    ----------------------------------------------------------
     default              active     yes           yes
     routenetwork         active     yes           yes
    
  6. add masquerade to firewalld
    # firewall-cmd --permanent --add-masquerade
  7. change the guest's network interface to the new bridge
    # virsh --connect qemu:///system
    virsh # edit <VM's name>
    ...
    <interface type='bridge'>
      <mac address='52:54:00:ea:98:1a'/>
      <source bridge='virbr100'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    ...
    
  8. shut down and start the guest again
  9. add a route on your router (or on the client machine)
    # sudo route -n add 10.10.120.0/24 <host ip>

    Now the guest can be reached from your network via its IP 10.10.120.x.
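
As an added example (not from the original post), here is the same routed network defined in one file with the DHCP range included, so the net-edit step is not needed. It goes slightly beyond the post by reserving a fixed address for the guest by its MAC, which keeps the address that the router entry and any firewall rules point at stable; the host name "guest1" and the address 10.10.120.10 are assumptions. Load it with virsh net-define (persistent) rather than net-create (transient), then net-autostart and net-start it; the UUID and bridge MAC are omitted on purpose because libvirt generates them when the network is defined.

```xml
<!-- Added example, not from the original post: routeNetwork.xml with DHCP defined
     up front. Load with:
       # virsh net-define routeNetwork.xml
       # virsh net-autostart routenetwork
       # virsh net-start routenetwork
     Leave out <uuid> and <mac>; libvirt generates them on net-define. -->
<network>
  <name>routenetwork</name>
  <forward mode='route'/>
  <bridge name='virbr100' stp='on' delay='0'/>
  <ip address='10.10.120.1' netmask='255.255.255.0'>
    <dhcp>
      <!-- dynamic pool for guests that do not need a fixed address -->
      <range start='10.10.120.128' end='10.10.120.254'/>
      <!-- fixed lease for the guest interface shown in step 7 (name and
           address are assumptions); addresses below .128 stay out of the pool -->
      <host mac='52:54:00:ea:98:1a' name='guest1' ip='10.10.120.10'/>
    </dhcp>
  </ip>
</network>
```
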

    Other virsh commands used in managing virtual networks are:

    • virsh net-list — list virtual networks
    • virsh net-autostart [network name] — Autostart a network specified as [network name]
    • virsh net-create [XML file] — Generates and starts a new network using a preexisting XML file
    • virsh net-define [XML file] — Generates a new network from a preexisting XML file without starting it
    • virsh net-destroy [network name] — Destroy a network specified as [network name]
    • virsh net-name [network UUID] — Convert a specified [network UUID] to a network name
    • virsh net-uuid [network name] — Convert a specified [network name] to a network UUID
    • virsh net-start [name of an inactive network] — Starts a previously undefined inactive network
    • virsh net-undefine [name of an inactive network] — Undefine an inactive network
    • virsh net-dumpxml [network name] — Dump network as xml file

How to edit KVM VM profile which is created by virt-manager and add port-forwarding function?

Virt-manager hides some functions such as port-forwarding. We can edit the VM profile from the terminal.

# virsh --connect qemu:///system

List all VMs in the virsh environment

virsh # list --all

Edit VM’s profile

virsh # edit <VM's name>

Add qemu namespace

old:
<domain type='kvm'>
new:
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>

Change the interface type from network to user (QEMU user-mode networking, which is what -redir applies to)

old:
   <interface type='network'>
      <mac address='xx:xx:xx:xx:xx:xx'/>
      <model type='e1000'/>
      <source network='default'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
new:
  <interface type='user'>
    <mac address='xx:xx:xx:xx:xx:xx'/>
    <model type='e1000'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
  </interface>

Add the port-forwarding arguments before the closing </domain> tag (-redir tcp:<host port>::<guest port>; here host port 2001 forwards to guest port 3389 and host port 2002 to guest port 80)

 <qemu:commandline>
    <qemu:arg value='-redir'/>
    <qemu:arg value='tcp:2001::3389'/>
    <qemu:arg value='-redir'/>
    <qemu:arg value='tcp:2002::80'/>
</qemu:commandline>
Drupal security modules

Basic security modules for Drupal:

  1. Login security http://drupal.org/project/login_security
  2. Password policy https://www.drupal.org/project/password_policy
  3. Update manager https://www.drupal.org/documentation/modules/update
  4. Captcha https://www.drupal.org/project/captcha
  5. Flood Control https://www.drupal.org/project/flood_control
  6. Secure Pages Hijack Prevention https://www.drupal.org/project/securepages_prevent_hijack
  7. XFS (cross frame scripting) https://www.drupal.org/project/seckit
  8. Idle Session Timeout https://www.drupal.org/project/autologout
  9. Concurrent Sessions https://www.drupal.org/project/session_limit
  10. ACL https://www.drupal.org/project/acl
  11. Two-factor Authentication (TFA) https://www.drupal.org/project/tfa
  12. Paranoia https://www.drupal.org/project/paranoia
  13. Coder https://www.drupal.org/project/coder
  14. Security Review https://www.drupal.org/project/security_review
  15. SpamSpan filter https://www.drupal.org/project/spamspan

source: http://resources.infosecinstitute.com/15-security-modules-for-drupal-to-make-website-secure/