Web-Based Guacamole tool

Guacamole website: https://guacamole.incubator.apache.org/

Create the database and a least-privilege user for Guacamole: (DB name is guacamole_db)

$ mysql -u root -p

mysql> create database guacamole_db;
mysql> create user 'guacamole_user'@'localhost' identified by 'secure password';
mysql> grant select, insert, update, delete on guacamole_db.* to 'guacamole_user'@'localhost';
mysql> flush privileges;

The web app only needs SELECT/INSERT/UPDATE/DELETE, so there is no reason to grant ALL (the older one-statement GRANT ... IDENTIFIED BY form is also gone in MySQL 8, hence the separate CREATE USER). The host part ('localhost' above) must match where the connection really comes from: the my-guacamole container below connects over the network, so if MySQL runs on the Docker host the client shows up from the bridge address, not localhost (e.g. 'guacamole_user'@'172.17.%' for the default bridge).

Initializing the MySQL database

$ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql

$ mysql -u root -p guacamole_db < initdb.sql

The schema is loaded as root because guacamole_user has no CREATE privilege.

Create my-guacd docker container

$ docker run --name my-guacd -d guacamole/guacd

Create my-guacamole docker container

docker run --name my-guacamole \
  --link my-guacd:guacd \
  -e MYSQL_HOSTNAME=${DB_HOST} \
  -e MYSQL_PORT=${DB_PORT} \
  -e MYSQL_DATABASE=${DB_NAME} \
  -e MYSQL_USER=${DB_USER} \
  -e MYSQL_PASSWORD=${DB_PASS} \
  -d -p 8080:8080 guacamole/guacamole

--link is legacy; a user-defined network (docker network create, --network on both containers, and -e GUACD_HOSTNAME=my-guacd) does the same job. -p 8080:8080 publishes the web app on every interface, and Docker's own iptables rules are not governed by ufw, so once the Apache proxy below is in place change it to -p 127.0.0.1:8080:8080. Passing the password with -e also leaves it in shell history; --env-file pointing at a root-only file avoids that.

Test:

http://<server ip>:8080/guacamole/

Logs:

$ docker logs my-guacamole
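The whole deployment above as one script, added here as an example rather than anything from the Guacamole project or the original notes: it replaces --link with a user-defined network (assumed name guacnet), publishes the web app on 127.0.0.1 only, and feeds the MYSQL_* settings from a root-only env file so the password stays out of shell history and out of the command line. DB_HOST, DB_PASS and the env-file path are assumptions supplied by the caller.

```bash
#!/bin/sh
# Added example (not the Guacamole project's code): guacd + guacamole on a
# private network, web UI on loopback only, DB settings via a 0600 env file.
# Assumed names: network "guacnet"; env-file path is given by the caller.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Run docker, or just print the command when DRY_RUN=1.
docker_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "docker $*"
    else
        docker "$@"
    fi
}

# Write the MYSQL_* settings to a file created with mode 0600 (umask in a
# subshell so the restrictive mask does not leak into the rest of the script).
write_env_file() {
    file=$1 host=$2 port=$3 db=$4 user=$5 pass=$6
    (
        umask 077
        {
            echo "MYSQL_HOSTNAME=$host"
            echo "MYSQL_PORT=$port"
            echo "MYSQL_DATABASE=$db"
            echo "MYSQL_USER=$user"
            echo "MYSQL_PASSWORD=$pass"
        } > "$file"
    )
}

# Permission string of a file, e.g. "-rw-------", to verify the env file is private.
file_mode() { ls -ld "$1" | cut -c1-10; }

deploy() {
    envfile=$1
    docker_cmd network create guacnet 2>/dev/null || true
    # guacd is reachable only on the private network: no ports published.
    docker_cmd run --name my-guacd --network guacnet -d --restart unless-stopped guacamole/guacd
    # GUACD_HOSTNAME tells the web app where guacd lives on that network.
    docker_cmd run --name my-guacamole --network guacnet \
        -e GUACD_HOSTNAME=my-guacd \
        --env-file "$envfile" \
        -d --restart unless-stopped \
        -p 127.0.0.1:8080:8080 guacamole/guacamole
}

# Usage: DB_HOST=... DB_PASS=... sh deploy-guac.sh /root/guacamole.env
if [ $# -gt 0 ]; then
    write_env_file "$1" "${DB_HOST:?}" "${DB_PORT:-3306}" \
        "${DB_NAME:-guacamole_db}" "${DB_USER:-guacamole_user}" "${DB_PASS:?}"
    deploy "$1"
fi
```

DRY_RUN=1 prints the docker commands instead of running them, which is also how the script can be checked on a machine without Docker.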

Behind apache proxy (mod_proxy, mod_proxy_http and mod_proxy_wstunnel must be enabled; the websocket Location comes second so it overrides the generic one for that path). Terminate TLS on this vhost, otherwise logins and the session stream cross the network in the clear:

<Location /guacamole/>
    Require all granted
    ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://HOSTNAME:8080/guacamole/
</Location>

<Location /guacamole/websocket-tunnel>
    Require all granted
    ProxyPass ws://HOSTNAME:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://HOSTNAME:8080/guacamole/websocket-tunnel
</Location>

Require all granted is the Apache 2.4 form; on 2.2 use Order allow,deny followed by Allow from all instead.

Docker USER and named volume

To avoid running the application as root inside the container, create a dedicated user in the Dockerfile and switch to it:

RUN useradd -u 2000 wwwuser
USER wwwuser

This creates a user with uid 2000 (no home directory is created unless -m is given). A bind-mounted host directory keeps the ownership it has on the host; if it belongs to root with mode 755, wwwuser can read it but not write to it. Either chown the host directory to uid 2000, or give the user a named volume owned by that uid:

docker volume create --driver local --opt type=tmpfs --opt device=tmpfs --opt o=uid=2000,gid=2000,size=2g,mode=0750 myHomeVolume

Use the following command to run the container:

docker run -d -v myHomeVolume:/home/wwwuser --name myapps <image>

Note that type=tmpfs makes this a RAM-backed volume: it is capped at 2g and its contents disappear when the host reboots or the last container using it stops. A plain named volume (docker volume create myHomeVolume) is disk-backed and, on first use, is populated with the contents and ownership of the mount point in the image, so chown /home/wwwuser to 2000:2000 in the Dockerfile before the USER line.

To back up the data, tar /var/lib/docker/volumes/myHomeVolume/_data as root while a container has the volume mounted (for a tmpfs volume there is nothing there otherwise). Backing up through a throwaway container that mounts the volume does not depend on the /var/lib/docker layout at all.
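An added example (not the page's own code) that ties the Dockerfile, the volume and the backup together. It differs from the tmpfs volume above in using a disk-backed named volume whose ownership comes from the image, and it backs up and restores through a helper container instead of reading /var/lib/docker directly. The image name myapps, the volume name myHomeVolume, the base image debian:bookworm-slim and the backup directory are assumptions.

```bash
#!/bin/sh
# Added example, not code from the page: non-root image, persistent named volume
# owned by uid 2000, backup/restore via a throwaway alpine container.
# Assumed names: image "myapps", volume "myHomeVolume", base debian:bookworm-slim.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Run docker, or just print the command when DRY_RUN=1.
docker_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "docker $*"; else docker "$@"; fi
}

# Dockerfile for a non-root image. /home/wwwuser is created and chowned in the
# image, so a fresh named volume mounted there inherits uid/gid 2000 ownership.
write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
FROM debian:bookworm-slim
RUN groupadd -g 2000 wwwuser \
    && useradd -u 2000 -g 2000 -d /home/wwwuser -s /usr/sbin/nologin wwwuser \
    && mkdir -p /home/wwwuser \
    && chown 2000:2000 /home/wwwuser
USER wwwuser
WORKDIR /home/wwwuser
CMD ["sh", "-c", "id && sleep infinity"]
EOF
}

# The user a container of this image runs as, read back from the Dockerfile.
dockerfile_user() { sed -n 's/^USER[[:space:]]*//p' "$1/Dockerfile"; }

build_image() { docker_cmd build -t myapps "$1"; }

# Plain (disk-backed) named volume; unlike type=tmpfs it survives reboots.
create_volume() { docker_cmd volume create "$1"; }

run_app() { docker_cmd run -d --name myapps -v "$1:/home/wwwuser" myapps; }

# Back up a named volume as root inside a helper container: the volume is mounted
# read-only at /data and the archive lands in the bind-mounted backup directory.
backup_volume() {
    vol=$1 dest=$2
    mkdir -p "$dest"
    docker_cmd run --rm -v "$vol:/data:ro" -v "$dest:/backup" alpine \
        tar czf "/backup/$vol-$(date +%Y%m%d).tgz" -C /data .
}

# Restore an archive into a (normally empty) volume the same way.
restore_volume() {
    vol=$1 archive=$2
    docker_cmd run --rm -v "$vol:/data" -v "$(dirname "$archive"):/backup:ro" alpine \
        tar xzf "/backup/$(basename "$archive")" -C /data
}

# Usage: sh nonroot-volume.sh <build-context-dir> [backup-dir]
if [ $# -gt 0 ]; then
    write_dockerfile "$1"
    build_image "$1"
    create_volume myHomeVolume
    run_app myHomeVolume
    backup_volume myHomeVolume "${2:-/var/backups/docker}"
fi
```

Because tar runs as root inside the helper container, the archive keeps the uid 2000 ownership of the files, and restoring into a new volume on another host gives wwwuser the same access it had before.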

Using AWK

# print the first column
awk -F":" '{ print $1 }' /etc/passwd
# print 1st column and last column
awk -F":" '{ print $1, $NF }' /etc/passwd
# print 1st column of the first ten records
awk -F":" 'NR==1,NR==10 { print $1 }' /etc/passwd
# print the length of the 1st column for the first ten records
awk -F":" 'NR==1,NR==10 { print length($1) }' /etc/passwd
# using printf to format output (name left-aligned in 8 chars, uid right-aligned in 3)
awk -F":" 'NR==1,NR==10 { printf "%-8s %3d\n", $1, $3 }' /etc/passwd
# add header and footer for output
awk -F":" '
BEGIN { printf "%-8s %-3s\n", "User", "UID" }
NR==1,NR==10 { printf "%-8s %3d\n", $1, $3 }
END { print "============== END =============" }' /etc/passwd
# set the output field separator between columns (in BEGIN so it applies to every record)
awk -F":" 'BEGIN { OFS="|" } { print $1, $NF }' /etc/passwd
# conditions: lines starting with root, or lines whose 1st field contains root
awk -F":" '/^root/ { print $1, $NF }' /etc/passwd
awk -F":" '{ if ($1 ~ /root/) { print $1, $NF } }' /etc/passwd
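The idioms above turned into a small account audit, as an added example that is not part of the original notes: uid 0 accounts other than root, system accounts that still have a login shell, and duplicate uids. The passwd lines embedded in the script are constructed sample data; pass /etc/passwd as the argument for the real thing.

```bash
#!/bin/sh
# Added example (not from the page): the awk idioms applied to an /etc/passwd audit.
# Runs against a constructed sample so it works offline; give it /etc/passwd for real.
set -eu

# Constructed sample: a second uid-0 account and a service account with a login shell.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
)

# Accounts whose uid field ($3) is 0: anything besides root is a red flag.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# System accounts (uid < 1000) whose shell is not nologin/false.
system_accounts_with_shell() {
    awk -F: '$3 < 1000 && $NF !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Duplicate uids: count occurrences per uid in an array, report in END.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1"
}

# Formatted table of user, uid and shell for human accounts (uid >= 1000).
human_users_report() {
    awk -F: 'BEGIN { printf "%-10s %5s  %s\n", "USER", "UID", "SHELL" }
             $3 >= 1000 { printf "%-10s %5d  %s\n", $1, $3, $NF }' "$1"
}

audit() {
    f=$1
    echo "uid 0 accounts:";               uid0_accounts "$f"
    echo "system accounts with a shell:"; system_accounts_with_shell "$f"
    echo "duplicate uids:";               duplicate_uids "$f"
    human_users_report "$f"
}

# Usage: sh passwd-audit.sh /etc/passwd   (no argument: audit the sample)
if [ $# -gt 0 ]; then
    audit "$1"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"; audit "$tmp"; rm -f "$tmp"
fi
```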

 

Linux Job Interview Questions

1. How can you see which kernel version a system is currently running?

uname -a  # kernel name, hostname, release, version and architecture in one line
uname -v  # kernel version (build number and date)
uname -r  # kernel release, e.g. 5.15.0-91-generic

2. How can you check a system's current IP address?

ip addr show
ip addr show eth0
ifconfig  # older net-tools equivalent, often not installed by default any more

3. How do you check for free disk space?

df -h

4. How do you manage services on a system?

systemctl status <service name>
service <service name> status  # SysV-style wrapper, still present on most distributions

5. How would you check the size of a directory's contents on disk?

du -sh <directory name>

6. How would you check for open (listening) ports on a Linux machine?

sudo ss -tulpn
sudo netstat -tulpn  # net-tools equivalent; -p needs root to show the owning process

7. How do you check CPU usage for a process?

ps aux | grep <process name>
top
htop

8. Dealing with mounts

ls /mnt
mount  # with no arguments, lists what is currently mounted
mount <device/network drive> <mount point>
/etc/fstab  # mounts applied at boot

9. How do you look up something you don't know?

man <command>
<command> --help
search the web

 

Open range ports via ufw or iptables

For UFW

ufw allow from any to any port 4000:4020 proto tcp
ufw allow 4000:4020/tcp  # same rule in short form; a range needs the protocol

For iptables (CHAIN is INPUT, FORWARD, etc.; multiport accepts up to 15 comma-separated ports, with a first:last range counting as two, and needs -p tcp, udp, udplite, sctp or dccp)

iptables -A CHAIN -p tcp --match multiport --dports port1,port2 -j ACCEPT
iptables -A CHAIN -p udp --match multiport --dports port1,port2 -j DROP
iptables -A CHAIN -p tcp --match multiport --dports firstPort:lastPort -j ACCEPT
iptables -A CHAIN -p tcp --match multiport --sports port1,port2 -j ACCEPT
iptables -A CHAIN -p udp --match multiport --sports port1,port2 -j DROP
iptables -A CHAIN -p tcp --match multiport --sports firstPort:lastPort -j ACCEPT

-A appends to the end of the chain, so the rule lands after any existing catch-all DROP/REJECT and never matches; use -I CHAIN to insert at the top in that case.

Correct way to move a KVM VM

I have a problem doing live migration between two host computers via virt-manager. It is a permission issue but I don't have time to figure it out. It is not a big deal; it is OK to move KVM VMs offline.

  1. Stop the VM from the GUI, the CLI (virsh shutdown VMNAME) or the guest console; never copy the disk of a running guest.
  2. Dump the guest configuration as XML:
    virsh dumpxml VMNAME > domxml.xml
  3. Copy the guest images (every <source file=...> in the XML) to the other server at the same path, preserving ownership and permissions (scp -p or rsync -a) so the qemu user there can open them.
  4. Define the VM from the dumped XML file on the new host:
    virsh define domxml.xml
  5. Check the configuration and start the VM on the new host. Usually the network configuration (bridge name), CPU model and memory need checking.
  6. Undefine the guest on the old host (virsh undefine VMNAME) so it cannot be started on both.

source: http://serverfault.com/questions/434064/correct-way-to-move-kvm-vm
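The steps as a script, added here as an example and not taken from the page or the serverfault thread. It pulls the disk paths out of the dumped XML so nothing the guest references is forgotten, refuses to run while the guest is up, and drops the local definition only after the remote define has succeeded. Root ssh and rsync access to the target and identical image paths on both hosts are assumptions.

```bash
#!/bin/sh
# Added example (not from the page or the serverfault answer): offline move of a
# KVM guest. Assumed: root ssh/rsync to the target, same libvirt paths on both hosts.
set -eu

# Print the file-backed disk sources from a domain XML, one path per line.
# Handles <source file='...'/> and <source file="..."/>; cdrom ISOs are included too.
disk_paths_from_xml() {
    sed -n "s/.*<source file=['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Refuse to move a guest that is still running: copying a live image corrupts it.
assert_shut_off() {
    state=$(virsh domstate "$1")
    [ "$state" = "shut off" ] || { echo "$1 is '$state', shut it down first" >&2; return 1; }
}

move_vm() {
    vm=$1 target=$2
    assert_shut_off "$vm"
    xml=$(mktemp)
    virsh dumpxml "$vm" > "$xml"
    disk_paths_from_xml "$xml" | while read -r img; do
        # ssh -n: do not let ssh swallow the rest of the path list on stdin.
        ssh -n "root@$target" "mkdir -p '$(dirname "$img")'"
        # -a keeps ownership and permissions so the qemu user on the target can open it.
        rsync -a --sparse "$img" "root@$target:$img"
    done
    scp "$xml" "root@$target:/root/$vm.xml"
    ssh -n "root@$target" "virsh define /root/$vm.xml"
    # Only now drop the local definition, so the guest can never be started on both hosts.
    virsh undefine "$vm"
    rm -f "$xml"
    echo "$vm defined on $target; check bridge/cpu/memory, then: ssh root@$target virsh start $vm"
}

# Usage: sh move-vm.sh VMNAME target-host
if [ $# -eq 2 ]; then move_vm "$1" "$2"; fi
```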

UFW command examples

sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow mysql

sudo ufw delete allow https

sudo ufw allow to any port 2345
sudo ufw delete allow to any port 2345

sudo ufw allow to any port 2345 proto udp
sudo ufw delete allow to any port 2345 proto udp

sudo ufw allow from 192.168.0.5 to any port 2345
sudo ufw delete allow from 192.168.0.5 to any port 2345

sudo ufw allow from 192.168.0.0/24 to any port 2345
sudo ufw delete allow from 192.168.0.0/24 to any port 2345

UFW, IPTABLES and IP FORWARDING

By default, UFW blocks IP forwarding. To enable packet forwarding, two configuration files need to be adjusted. In /etc/default/ufw change DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1
#for IPv6 forwarding uncomment:
net/ipv6/conf/default/forwarding=1

(ufw applies this file when it starts, and it overrides the same settings in /etc/sysctl.conf.) Without ufw, enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncommenting:

net.ipv4.ip_forward=1
# If you wish to enable IPv6 forwarding also uncomment:
net.ipv6.conf.default.forwarding=1

Execute sysctl to load the new settings from the configuration file:

sudo sysctl -p

A forward policy of ACCEPT lets the host route between all of its interfaces; restrict it with FORWARD rules (or ufw route allow ...) to the source network and interfaces you actually intend to forward for.

Create my-iptables-rules:

$ sudo vi /etc/network/if-up.d/my-iptables-rules
#!/bin/bash
# The marker lives in /run (root-only, cleared at boot). Do not put it in /tmp:
# any local user could pre-create the file there and the rules would never be applied.
FLAG="/run/my-iptables-settings"
if [ -f ${FLAG} ]; then
  echo "Already set my iptables rules. Skip it."
  exit 0
fi

#sample iptables rules
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

touch ${FLAG}
exit 0

Make the script executable (chmod 755) or ifupdown ignores it. It runs once for every interface that comes up, which is what the marker guards against; without it the same rule would be appended again each time. On hosts configured with netplan/systemd-networkd the if-up.d hooks are not run at all; there, put the NAT rule in the *nat section of /etc/ufw/before.rules instead, as the Ubuntu server guide describes.
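An alternative to the flag file, as an added example (not from the page or the Ubuntu guide): iptables -C reports whether a rule already exists, so each rule is appended only when missing and the script can run on every interface event without a marker at all. It applies the MASQUERADE rule above, a pair of FORWARD rules that limit forwarding to the LAN and its replies, and the 4000:4020 multiport range from the "Open range ports" section; the LAN prefix and WAN interface name are assumptions.

```bash
#!/bin/sh
# Added example (not from the page or the Ubuntu server guide): idempotent rule
# application with `iptables -C`, no flag file. Assumed: LAN 192.168.0.0/16 behind ppp0.
set -eu

# Overridable so the script can be exercised with a stand-in binary.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN RULE...: append the rule only if -C says it is absent.
ensure_rule() {
    table=$1 chain=$2
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

apply_rules() {
    lan=$1 wan=$2
    # Masquerade LAN traffic leaving on the WAN interface (the page's sample rule).
    ensure_rule nat POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
    # Forward only LAN-originated traffic and its replies, not arbitrary inbound packets.
    ensure_rule filter FORWARD -s "$lan" -o "$wan" -j ACCEPT
    ensure_rule filter FORWARD -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # TCP port range allowed inbound with multiport (from the range-ports section).
    ensure_rule filter INPUT -p tcp -m multiport --dports 4000:4020 -j ACCEPT
}

# Usage: /usr/local/sbin/fw-rules.sh apply   (call this from the if-up.d hook)
if [ "${1:-}" = apply ]; then apply_rules 192.168.0.0/16 ppp0; fi
```

Running it twice leaves the chains unchanged, which is exactly the property the flag file was trying to get, without the world-writable marker.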

Reference: https://help.ubuntu.com/lts/serverguide/firewall.html