Open range ports via ufw or iptables

For UFW

ufw allow from any to any port 4000:4020 proto tcp

For iptables

iptables -A tableName -p tcp  --match multiport --dports port1,port2 -j ACCEPT
iptables -A tableName -p udp  --match multiport --dports port1,port2 -j DROP
iptables -A tableName -p protocol  --match multiport --dports portRange1:PortRange2 -j ACCEPT
iptables -A tableName -p tcp  --match multiport --sports port1,port2 -j ACCEPT
iptables -A tableName -p udp  --match multiport --sports port1,port2 -j DROP
iptables -A tableName -p protocol  --match multiport --sports portRange1:PortRange2 -j ACCEPT

Correct way to move kvm vm

I have a problem to do live migration between two host computers via virt manager. It is a permission issue but I don’t have time to fig it out. It is not a big deal. It is ok to move KVM vms offline.

  1. stop VM from gui or cli or guest console
  2. dump guest configuration as xml
    virsh dumpxml VMNAME > domxml.xml
  3. copy the guest images to another server with same path
  4. define a VM from the dump xml file
    virsh define domxml.xml
  5. Check the configuration and start VM on new host. Usually need to check the network configuration, CPU, and memory.

source: http://serverfault.com/questions/434064/correct-way-to-move-kvm-vm

Using docker and zfs to create limited size mysql database

Idea: Docker is run mysql server. Mysql data is stored on zfs volume and set the quota by zfs utility. Assume zpool name is zpool-mysql and mount point is /mysqldata

  1. Create volume for mysql data (test_quota)

    sudo zfs create -o quota=1.4gb -o mountpoint=/mysqldata/test_quota zpool-mysql/test_quota
    
  2. Create mysql instance. Port forwarding is from host 8306 to guest 3306. User can access database using host port 8306.

    docker run --name test_quota-db -e MYSQL_ROOT_PASSWORD=rootpassword -e MYSQL_DATABASE=my_test_quota -e MYSQL_USER=dbusername -e MYSQL_PASSWORD=dbuserpassword -v /mysqldata/test_quota:/var/lib/mysql -d  -p 8306:3306 mysql:latest
    
  3. Create systemd service for the container (test_quota-db.service)

    [Unit]
    Description=Mysql with quota setting
    After=docker.service
    Requires=docker.service
    
    [Service]
    User=
    Group=docker
    Restart=always
    ExecStart=/usr/bin/docker start -a test_quota-db
    ExecStop=/usr/bin/docker stop -t 2 test_quota-db
    
    
    [Install]
    WantedBy=multi-user.target
    Alias=test_quota-db.service
    

     

    sudo systemctl enable test_quota-db.service
    
  4. Using phpMyAdmin to manage database

    docker run --name test_quota-phpmyadmin --link test_quota-db:db -e MYSQL_ROOT_PASSWORD=rootpassword -d -p 8080:80 phpmyadmin/phpmyadmin:latest
    

     

    [Unit]
    Description=phpMyAdmin for test_quota-db service
    After=test_quota-db.service
    Requires=test_quota-db.service
    
    [Service]
    User=dockeradm
    Group=docker
    Restart=always
    ExecStart=/usr/bin/docker start -a test_quota-phpmyadmin
    ExecStop=/usr/bin/docker stop -t 2 test_quota-phpmyadmin
    
    
    [Install]
    WantedBy=multi-user.target
    Alias=test_quota-phpmyadmin.service
    

     

    sudo systemctl enable test_quota-phpmyadmin.service
    

Ubuntu 16.04 Winbind and Active Directory

Official SSSD and Active Directory guide doesn’t work. It is hard to find what’s wrong. Using Winbind works well.

Installation:

sudo apt install winbind samba
sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind

Configuration:

sudo vi /etc/samba/smb.conf
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = GROUP

# server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)

        security = ads
        realm = MYDOMAIN.COM
# If the system doesn't find the domain controller automatically, you may need the following line
#        password server = 10.0.0.1
# note that workgroup is the 'short' domain name
        workgroup = MYDOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

Restart services:

sudo service winbind stop
sudo service samba-ad-dc restart
sudo service winbind start

Join the AD (see “net ads help”):

sudo kinit Admin@MYDOMAIN.COM
# check klist
sudo klist
# join (ignore the dns error messages)
sudo net ads join -k

OR
sudo net ads join -U Admin@MYDOMAIN.COM

Setup Authentication

sudo vi /etc/nsswitch.conf

 

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

Create Home directory

sudo mkdir /home/MYDOMAIN

Add sudo users

sudo vi /etc/sudoers.d/MYDOMAIN

 

# replace adgroup as real domain group name
%adgroup        ALL=(ALL) NOPASSWD: ALL

Test

wbinfo -u
wbinfo -g

Login as a domain user and enjoy…

Ubuntu keeps running when laptop lid is closed

Keep running after closed lid

$ sudo vi /etc/systemd/logind.conf
...
HandleLidSwitch=ignore
...

$ sudo service systemd-logind restart

The values of HandleLidSwitch are ignore, suspend, hibernate, and poweroff.

Keep console screen always on:

$ sudo vi /etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash consoleblank=0"
...

$ sudo update-grub
$ sudo shutdown -r now

Turn off console screen after 1 minute:

$ sudo vi /etc/default/grub
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash consoleblank=60"
...

$ sudo update-grub
$ sudo shutdown -r now

LXD images and multiple hosts

Remote operations require the following two commands having been run on the remote server:

lxc config set core.https_address "[::]:8443"
lxc config set core.trust_password some-password

Add a remote server:

lxc remote add <server alias> <ip address or DNS>

And after that, use all the same command as above but prefixing the container and images name with the remote host like:

lxc exec host-a:first -- apt-get update

Manually import images example:

lxc image copy images:gentoo/current/amd64 local: --alias gentoo --auto-update
lxc image import <tarball> --alias random-image
lxc image import https://dl.stgraber.org/lxd --alias busybox-amd64

List images:

lxc image list
lxc image list <remote server alias>:

Editing image:

lxc image edit <alias or fingerprint>

Deleting image:

lxc image delete <alias or fingerprint>

Create you own image from a container:

lxc publish my-container/some-snapshot --alias some-image

 

 

Reference:
Installing LXD and the command line tool
LXD 2.0: Image management [5/12]

Install nodejs on ubuntu

Installing nodejs

sudo apt install nodejs
sudo apt-get install npm

Installing pm2

sudo npm install pm2@latest -g
cd /usr/bin
sudo ln -s nodejs node

Create user to run nodejs

sudo useradd nodeuser
sudo passwd nodeuser
sudo addgroup nodejs
sudo adduser nodeuser nodejs

Using pm2 to start nodejs app

pm2 start hello.js

Using pm2 to autostart nodejs apps

sudo env PATH=$PATH:/usr/local/bin pm2 startup -u nodeuser
sudo su -c "chmod +x /etc/init.d/pm2-init.sh && update-rc.d pm2-init.sh defaults"
pm2 save

Secure Apache2 and PHP on Ubuntu 16.04

Create /etc/apache2/sites-available/000-security.conf

$ sudo vi /etc/apache2/sites-available/000-security.conf
# Secure apache website

# Disable Trace HTTP Request
TraceEnable off

# Disable Signature
ServerSignature Off

# Disable Banner
ServerTokens Prod

# If enabled ssl (sudo a2enmod ssl)
# Use only TLS, Disable SSLv2, SSLv3
# SSLProtocol -ALL +TLSv1

# Disable Null and Weak Ciphers
# SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

# Disable Directory Listing
Options all -Indexes

# If enabled headers (sudo a2enmod headers)
# Disable x-powered by
Header always unset X-Powered-By
$ sudo a2ensite 000-security.conf

On ubuntu 16.04. The default php settings is good. Please make sure settings in php.ini

/etc/php/7.0/fpm/php.ini

/etc/php/7.0/apache2/php.ini

expose_php = Off
display_errors = Off

Reference: https://www.unixmen.com/ways-to-secure-your-ubuntu-14-04-server-running-lamp/

Install apache2, php, mysql client, drush on ubuntu 16.04

Install mysql-client

sudo apt install mysql-client

Install php7

sudo apt install php php-xml php-gd php-curl php-mcrypt php-mbstring php7.0-mbstring php-gettext php-mysql

Install apache2

sudo apt install apache2 libapache2-mod-php mod_dbd
sudo a2enmod rewrite

Install drush

$ php -r "readfile('https://s3.amazonaws.com/files.drush.org/drush.phar');" > drush
$ php drush core-status
$ chmod +x drush
$ sudo mv drush /usr/local/bin
$ drush init