Mar 13 2017

How to install vCenter Server Appliance 6.5

With the release of vSphere 6.5, VMware has provided a new UI for the installation, and more features are available in the vCenter Appliance. For example, the vCenter Appliance configuration can now be backed up at file level.

This backed-up configuration can be restored to a new vCenter Appliance if you need to recover a failed vCenter Appliance.

You can also migrate a Windows-based vCenter to the vCenter Appliance using the installation wizard of the vCenter Appliance.

The vCenter Appliance can also be easily upgraded with new features.

Step by Step vCenter Server Appliance Deployment

1. Download the vCenter Server Appliance 6.5 ISO and mount it on a Windows system.

2. Open the CD-ROM drive and go to the vcsa-ui-installer/Win32 folder.

Locate the installer.exe file and execute it.

This will start the vCenter Appliance installation wizard.

3. Click on Install to start the deployment of a new vCenter Appliance.

This step is called Stage 1 of the vCenter Appliance deployment.

4. Click Next.

5. Accept the End User License Agreement and click Next.

6. Select the deployment type.

a. vCenter Server with Embedded Platform Services Controller

With this option, all vCenter services and PSC services are installed on the same appliance. This is the easy option and is recommended for a small setup.

b. External Platform Services Controller

With this option, you can deploy the PSC and the vCenter services on different appliances. If you choose the external PSC option, you first need to deploy the PSC appliance and then the vCenter Appliance.

If you want to use Enhanced Linked Mode, then you need vCenter with an external PSC.

For this lab, we are selecting vCenter with an Embedded PSC. Click Next.

7. Appliance deployment target: enter the required details.

Enter the target ESXi host or vCenter Server name (any existing one) where you want to deploy the vCenter Appliance.

HTTPS port (default 443)

Username

Password

Click Next.

8. Accept the SSL certificate warning if you receive one.

9. Set up the appliance VM: enter the name of the appliance VM and the password for the root user. Then click Next.

10. Select the deployment size.

Based on the size of your virtual infrastructure, select the appliance size as Tiny, Small or Large. Based on the selection, the appliance VM's resources (RAM, CPU, disk) will be configured.

11. Select datastore: select the datastore where the vCenter Appliance VM will be stored.

Select the Enable Thin Disk Mode checkbox if you wish.

12. vCenter network settings: enter the network IP address and system name, and click Next when ready.

13. Review all the configuration details and click on Finish.

Wait for the vCenter Appliance deployment process to finish.

You can log in to the target ESXi host/vCenter and monitor the deployment progress.

14. Once the installation completes successfully, click on Continue to start the configuration of the vCSA appliance.

If you would like to configure vCenter later, you can visit the vCenter Appliance configuration URL at a later time to complete the configuration.

15. If you choose to continue the configuration, it will start Stage 2 of the vCenter Appliance deployment.

Click on Next.

16. Select Synchronize time with NTP servers and enter the DNS name or IP address of the NTP servers.

Select Enable for SSH access if you want to enable SSH for remote access.

17. SSO configuration: enter the SSO domain. By default it is vsphere.local, and it should not be the same as your Active Directory domain.

Enter the password for the SSO domain administrator and enter the site name. Click Next to proceed.

18. Select the checkbox if you want to join the VMware Customer Experience Improvement Program and click Next.

19. Review all the configuration settings and click Finish.

20. Click OK on the warning message to continue the configuration.

Monitor the progress of the vCenter configuration.

21. Once the vCenter Appliance configuration is complete, close the installation wizard.

Log in to the vCenter Web Client by accessing https://<vCenter-IP-or-fqdn>/vsphere-client

Log in to the Web Client using Administrator@vsphere.local and the password set during configuration.

After login, you can add vCenter to the Active Directory domain, set up AD as an identity source, and assign vCenter permissions to AD users:

Add vCenter Appliance in Active Directory ( vCSA 6 )

Add Active Directory as Identity Source

Add ESXi Host in vCenter

Sep 16 2016

Windows vCenter Migration to vCenter Appliance

Step by Step Migration of Windows based vCenter to vCenter Appliance

In my previous post we discussed the vCenter Migration Tool. Let's see how we can do the migration of a Windows-based vCenter to the vCenter Appliance.

vCenter 5.5 LAB Setup

  • Operating System – Windows Server 2008 R2
  • vCenter – vCenter 5.5 Update 1
    • Any vCenter 5.5 build will work.
    • If you are running 5.1 or 5.0, first upgrade vCenter to 5.5.
  • Deployment – Simple. A distributed vCenter 5.5 deployment is also supported.
  • Database – Microsoft SQL 2012 64-bit on an external server. Any database supported by vCenter 5.5 is supported for migration. The database will be migrated to PostgreSQL.
  • Hosts – 2 ESXi 5.5 hosts. There can be any number of hosts.
  • Network – Virtual Standard Switch and Virtual Distributed Switch.

Download the vCenter Server Migration Tool ISO file and mount it on any remote system or any Windows management box.

Run Migration Assistant

  1. On the management box, browse the mounted ISO folders and copy the Migration-assistant folder to the vCenter server.
  2. Log in to the vCenter server and run VMware-Migration-Assistant.exe. This will start the migration assistant service. Do not close the migration assistant command prompt or process.

3. Enter the Administrator@vsphere.local account password and hit Enter.

Read the source vCenter details collected by the Migration Assistant. You will see a warning message if any plugin is not compatible with the migration process.

Leave the Migration Assistant running on the vCenter server and run the vCenter migration process from the remote management system.

If the firewall is enabled on the Windows vCenter, allow port 9123 through it (the Migration Assistant listens on this port) or disable the firewall.

Start vCenter Migration Process

  1. Log in to the management system where you have mounted the installer ISO. You cannot run the migration process from the vCenter server itself, as the vCenter server will be powered off during migration.
  2. Browse the CD-ROM and install VMware-ClientIntegrationPlugin-6.0.0. Run the installer with Run As Administrator to avoid issues.

Follow the wizard to complete the Client Integration Plugin installation. Once the installation is successful, proceed further.

3. Start the installer by launching vcsa-setup.html from the installation folder.

Click on Allow to let the Client Integration Plugin access your system.

4. Click on Migrate to start the migration process.

5. Read the message and click on OK. If you are running vCenter 5.0 or 5.1, stop here and upgrade vCenter to 5.5.

6. Accept the license agreement and click Next.

7. Enter the details of the target ESXi or vCenter server where you want to deploy the vCenter Appliance VM and then click Next.

Make sure the ESXi host is not in lockdown mode or maintenance mode.

During testing, I was trying to deploy the vCSA appliance on an ESXi 6 host, which failed with the error below.

Error: Cannot authenticate to the target server.

Please verify it's an ESXi host and that the credentials are correct.

Workaround –

  • None as per the VMware release notes, but changing my management box fixed my issue. You can try the following:
  • Change the management box from which you are running the migration process.
  • Uninstall all previous VMware Client Integration Plugins and install the new Client Integration Plugin from this installer ISO.

8. Accept the SSL certificate of the ESXi/vCenter server by clicking Yes.

9. Enter the appliance VM name and the password for the root user account. Select the Enable SSH checkbox to enable SSH on the vCenter Appliance VM. Click Next.

10. Enter the source Windows-based vCenter FQDN and the SSO administrator password, and select the checkbox if you want to migrate performance data. Click Next.

11. Accept the SSL certificate warning by clicking Yes.

12. Enter the AD details to join the vCenter Appliance to the AD domain and then click Next.

13. Appliance size: based on your current inventory size, the Migration Assistant will suggest the appliance size. The vCenter Appliance CPU, RAM and disk configuration changes according to the appliance size or inventory size.

e.g. I have selected the Tiny appliance size, so it will deploy the vCenter VM with 2 vCPUs, 8 GB RAM and 120 GB of disk. This vCenter can support up to 10 ESXi hosts and 100 VMs.

If your inventory size is bigger, then choose one of the other options: Small, Medium or Large.

 

14. Select the datastore where you want to store the vCenter VM. Select the checkbox to enable thin disk mode and then click Next.

15. Set up a temporary network IP address to connect the appliance VM with the old vCenter. Do not enter the actual vCenter IP here. Click Next.

16. Join the VMware Customer Experience Improvement Program if you wish, or deselect the checkbox, and then click Next.

17. Review the migration process summary and click on Finish to start the migration.

The migration wizard will perform the following tasks:

  • Deploy a new VM for the vCenter Appliance.
  • Install the required software packages.
  • Start vCenter services on the new VM.
  • Export data from the old vCenter and import it into the new vCenter.
  • Power on the appliance VM.

Wait until the migration wizard says Migration Completed.

Once the migration process is completed, log in to the Web Client and review your ESXi hosts, VMs, user permissions, vCenter IP address, SSL certificates, etc.

You will notice that the old vCenter VM is powered off and the new vCenter Appliance is running.

Apply the vCenter 6 license key to the vCenter server.

You can see that my vCenter Appliance and all ESXi hosts and VMs are running fine without any issues.

The process for migrating a distributed vCenter 5.5 to the vCenter Appliance is a little different. Refer to the document below for detailed information.

http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.migration.doc/GUID-7AD8ED97-EB36-4874-BA0C-B77D85F55195.html

 

 

 

Sep 16 2016

vCenter Migration Tool

Finally, VMware has released the vCenter Migration Tool to migrate a Windows-based vCenter Server to the vCenter Appliance. Using the new tool, you can migrate a Windows-based vCenter 5.5 to vCenter Appliance 6.0 Update 2. If you have an older version of a virtual or physical vCenter system, then you need to upgrade it to vCenter 5.5 first in order to use this tool.

If you are already on a Windows-based vCenter 6, then you need to wait a while until a supported migration tool gets released.

During the migration process the old vCenter will be powered off and the new vCenter server will be powered on.

No downtime is needed for your ESXi hosts or any virtual machine. Only vCenter will be unavailable until the new one comes online.

If for some reason your migration process fails, you can switch back to the old vCenter. The migration tool does not make any changes to the old vCenter.

What will be migrated to vCenter Appliance

  • vCenter 5.5 to vCenter 6.0 Update 2 Appliance
  • vCenter database to the PostgreSQL DB embedded in the vCSA
  • All ESXi hosts with all VMs and datastores
  • Standard Switch, Virtual Distributed Switch and all port groups
  • Performance data
  • Resource pools and folders
  • SSL certificates
  • vCenter UUID and MoRef IDs are preserved
  • The old vCenter DNS name and IP are reused by the new vCenter
  • ESXi license information
  • vCenter roles and user permissions

What can't be done

  • Update Manager is not yet fully supported with the vCenter 6.0 Appliance, so you need to uninstall Update Manager from the vCenter system. If Update Manager is installed on a different system then no action is needed.
  • You cannot change the vCenter deployment topology during migration. E.g. if you have deployed 5.5 as a distributed install, then all vCenter services will be migrated to a vCenter with an embedded PSC.
  • After migrating to the vCSA, if needed, you can point your vCenter to an external PSC.
  • A Windows-based vCenter 6.x cannot be migrated to the vCSA using this tool.
  • 3rd-party plugins will be migrated, but if you face any issue after migration, re-register the 3rd-party plugins with the vCenter server.
  • Local Windows users or groups are not migrated.
  • vCenter license: you need to license vCenter after completing the migration process.

 

Migration Topology

Source: vCenter Single Sign-On 5.5 (custom install)
Destination: Platform Services Controller 6.0 Update 2 Appliance (external deployment)

Source: vCenter Server 5.5 (custom install)
Destination: vCenter Server Appliance 6.0 Update 2 with external Platform Services Controller

Source: vCenter Single Sign-On 5.5 + vCenter Server 5.5
Destination: vCenter Server Appliance 6.0 Update 2 with embedded Platform Services Controller

Let's see step by step how to migrate a Windows-based vCenter to the vCenter Appliance:

Windows vCenter Migration to vCenter Appliance

See the VMware post for detailed information –

https://blogs.vmware.com/vsphere/2016/09/vcenter-server-migration-tool-vsphere-6-0-update-2m.html

Release notes –

http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u2m-release-notes.html

Download the Migration Tool –

https://my.vmware.com/web/vmware/details?downloadGroup=VC60U2M&productId=577&rPId=1240

Read the VMware Migration Tool FAQ –

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146439

Estimating vCenter Server 5.5 to vCenter Server Appliance 6.0 migration time –

https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2146420

Follow the URL below for the step-by-step migration of a Windows-based vCenter to the vCenter Appliance.

Windows vCenter Migration to vCenter Appliance

 

Sep 13 2016

Objective 1.1 – Perform Advanced ESXi Host Configuration

Section 1 – Create and Deploy vSphere 6.x Infrastructure Components

 


 

Required Skills and Abilities

  • Configure and Manage Auto Deploy configurations
    • Determine use case for Stateless vs Stateful installs
    • Create / Modify rules and rule sets
    • Create and associate Host Profiles for an Auto Deploy reference host
  • Configure Kernel Boot Parameters for scripted install according to a deployment plan:
    • Modify scripted weasel install (ks.cfg)
    • Create / Modify scripted installation
  • Configure Advanced System Settings according to a deployment plan:
    • Edit System Swap / Scratch Configuration
    • Configure ESXi host to use a central Syslog Server
  • Manage/Edit the Core Dump configuration of an ESXi host

 

LAB Time

Let's go through each topic one by one.

For additional information, please refer to the documents and tools suggested by VMware.

Haridas

Sep 13 2016

VCAP6-DCV Deploy Study Guide

As the first certification of my journey to VMware certifications on vSphere 6.

Before starting the preparation it's good to learn from someone else's experience to make your life easier.

Read David Stamen's VCAP5-DCV Deploy Beta Experience. By the time I finish my exam there will be a lot of people with their experience on this new exam. I will add links to other useful posts as I can.

Please leave a comment if you would like me to add, remove or correct any of the content of these posts.

About VCAP6-DCV Deploy Exam

The VMware Certified Advanced Professional 6 – Data Center Virtualization Deployment Exam (VCAP6-DCV Deploy) is a lab-based exam. Whatever tasks a virtual admin does in real life need to be performed during the exam within a limited time.

  • Exam Number: 3V0-623
  • Duration: 190 minutes
  • Number of Questions: 27
  • Passing Score: 300

Take a look at the official certification pages.

https://mylearn.vmware.com/mgrReg/plan.cfm?plan=89134&ui=www_cert

https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88753&ui=www_cert

Let's go through the blueprint and study guide. I suggest going through all the documents suggested by VMware. I will be going through these documents, preparing notes and doing the required tasks to prepare for the exam.

 

VCAP6-DCV Deploy Study Guide

 

Below is the list of exam topics, follow the Links for Step by Step Study Guide of VCAP6-DCV Deploy Certification.

Section 1 – Create and Deploy vSphere 6.x Infrastructure Components

  • Objective 1.1 – Perform Advanced ESXi Host Configuration
  • Objective 1.2 – Deploy and Configure Core Management Infrastructure Components
  • Objective 1.3 – Deploy and Configure Update Manager Components
  • Objective 1.4 – Perform Advanced Virtual Machine Configurations

Section 2 – Deploy and Manage a vSphere 6.x Storage Infrastructure

  • Objective 2.1 – Implement Complex Storage Solutions
  • Objective 2.2 – Manage Complex Storage Solutions
  • Objective 2.3 – Troubleshoot Complex Storage Solutions

Section 3 – Deploy and Manage a vSphere 6.x Network Infrastructure

  • Objective 3.1 – Implement and Manage vSphere Standard Switch (vSS) Networks
  • Objective 3.2 – Implement and Manage vSphere 6.x Distributed Switch (vDS) Networks
  • Objective 3.3 – Scale a vSphere 6.x Network Implementation
  • Objective 3.4 – Troubleshoot a vSphere 6.x Network Implementation

Section 4 – Configure a vSphere Deployment for Availability and Scalability

  • Objective 4.1 – Implement and Maintain Complex vSphere Availability Solutions
  • Objective 4.2 – Implement and Manage Complex DRS solutions
  • Objective 4.3 – Troubleshoot vSphere clusters

Section 5 – Configure a vSphere Deployment for Manageability

  • Objective 5.1 – Execute VMware Cmdlets and Customize Scripts Using PowerCLI
  • Objective 5.2 – Implement and Maintain Host Profiles
  • Objective 5.3 – Manage and analyze vSphere log files
  • Objective 5.4 – Configure and manage Content Library

Section 6 – Configure a vSphere Deployment for Performance

  • Objective 6.1 – Utilize Advanced vSphere Performance Monitoring Tools
  • Objective 6.2 – Optimize Virtual Machine resources

Section 7 – Configure a vSphere 6.x Environment for Recoverability

  • Objective 7.1- Deploy and manage vSphere Replication
  • Objective 7.2 – Deploy and Manage vSphere Data Protection
  • Objective 7.3 – Backup and Recover vSphere Configurations

Section 8 – Configure a vSphere 6.x Environment for Security

  • Objective 8.1 – Manage authentication and end-user security
  • Objective 8.2 – Manage SSL certificates
  • Objective 8.3 – Harden a vSphere 6.x Deployment

 

Haridas

 

 

Sep 05 2016

Reload VM with inaccessible and invalid status

Due to ESXi host and storage connection issues, a few of my VMs crashed and restarted, while the status of a few other VMs changed to invalid.

With the simple PowerCLI one-liner below, you can find all VMs in the invalid or inaccessible state and reload them.

Then you can power on all required VMs.

Get-View -ViewType VirtualMachine | ?{$_.Runtime.ConnectionState -eq "invalid" -or $_.Runtime.ConnectionState -eq "inaccessible"} | %{$_.Reload()}

Sep 05 2016

IPtables Configuration for Squid

In this post we will see how to configure IPTABLES firewall rules for a SQUID proxy server.

The proxy server will also act as a router for the LAN network, forwarding specific ports to external servers.

While I have tested the configuration below on CentOS 6.7, it will also work on other Linux-based systems with little modification.

Replace the IP addresses in the rules below with your IPs.

LAN Ethernet – eth0                   #Interface connected to the LAN network

WAN Ethernet – eth1                   #Interface connected to the Internet connection

LAN Subnet – 192.168.2.0/24

Log in to the CentOS system which you need to configure as a squid proxy and as a router for your LAN.

I assume that you have already configured SQUID on your system.

To learn how to get squid working in easy steps, see my previous post about squid configuration.

Enable IP forwarding

To enable IP forwarding at runtime, enter the command below.

#echo 1 > /proc/sys/net/ipv4/ip_forward

Add the line below to /etc/sysctl.conf to enable IP forwarding during system boot.

net.ipv4.ip_forward = 1

IPTABLES Configuration for SQUID

Back up the current/default iptables configuration.

#service iptables save

#cp /etc/sysconfig/iptables /root/iptables.backup

Flush all existing iptables rules.

#iptables -F

#iptables -F -t nat

INPUT chain

Add all incoming connection rules to this chain.

Allow SSH from your LAN network

#iptables -I INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Allow ping from the LAN network

#iptables -I INPUT -s 192.168.2.0/24 -i eth0 -p icmp -j ACCEPT

Accept connections from the LAN network to the SQUID port 8080 (note the lowercase -i for the input interface; uppercase -I is the insert command)

#iptables -A INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

Allow everything on the loopback interface

#iptables -A INPUT -i lo -j ACCEPT

Allow all incoming ESTABLISHED and RELATED connections.

#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Block all other incoming connections.

#iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

FORWARD chain

Forward packets from the LAN network to their destination external IPs or servers.

Forward all outgoing SMTP requests to the destination SMTP server

#iptables -A FORWARD -s 192.168.2.0/24 -d smtp.example.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT

Forward all outgoing POP requests to the destination POP server.

#iptables -A FORWARD -s 192.168.2.0/24 -d pop.example.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT

Allow the SMTP and POP ports for Gmail and Outlook configuration.

#iptables -A FORWARD -s 192.168.2.0/24 -d pop.gmail.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT

#iptables -A FORWARD -s 192.168.2.0/24 -d smtp.gmail.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 465 -j ACCEPT

As Gmail uses multiple IPs, you need to do an nslookup to find all IPs for smtp.gmail.com and pop.gmail.com and allow them in iptables. A hostname given to -d is resolved only once, when the rule is added, so the rule covers just the addresses returned at that moment.

Forward all outgoing FTP connections

#iptables -A FORWARD -s 192.168.2.9/32 -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 20 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.9/32 -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT

Forward all outgoing ping requests to the external network.

#iptables -A FORWARD -s 192.168.2.0/24 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Forward all outgoing DNS requests to external DNS servers. For a small office network, we have to use the ISP's DNS servers, or we can use Google public DNS.

#iptables -A FORWARD -s 192.168.2.0/24 -d 8.8.8.8/32 -i eth0 -o eth1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.0/24 -d 8.8.4.4/32 -i eth0 -o eth1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT

Forward all ESTABLISHED,RELATED connections from the Internet to the internal LAN network

#iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Reject all other FORWARD requests

#iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Masquerade all outgoing connections with the Internet IP

#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

With this, all outgoing packets will use the public IP address and hide the internal LAN IPs.

Save the iptables configuration

#service iptables save

By default the iptables service starts at system boot; however, make sure it is set to start to avoid any issues.

Sep 05 2016

How to Configure SQUID proxy on Linux

In this post we will see how to configure a SQUID proxy server on CentOS.

Operating system – CentOS 6.7

Do a minimal installation of CentOS.

Install the squid package

#yum install squid

If the Internet is not working on this system, you can install the squid RPM from the installation DVD/ISO.

Once the squid installation is complete, edit the squid.conf file.

LAN Subnet – 192.168.1.0/23

LAN Ethernet – eth0

WAN Ethernet – eth1

Edit the squid.conf file and add the lines below.

You can define ACLs and allow/deny access from LAN computers to websites as per your requirements.

Below is my working squid.conf file; adjust the configuration as per your requirements.

#####################
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

#Configure ACL in SQUID
#My Access List

#ACL for FTP Protocol
acl FTP proto FTP

#ACL for my LOCAL Subnet (RFC1918 internal network from where browsing is allowed)
acl localnet src 192.168.1.0/24

#ACL for managers who need full access. This ACL uses MAC addresses.
acl master1 arp "/etc/squid/acl/master-arp.lst"

#ACL for specific computers.
acl searchpc arp "/etc/squid/acl/search-arp.lst"

#ACL for the Support Team's PCs
acl supportpc src "/etc/squid/acl/support-ip.lst"

#ACL for a specific IP
acl masterip src 192.168.1.9

#ACL to allow internet access based on time.
acl evening time 16:00-18:00

#ACL to block websites.
acl badsites dstdomain "/etc/squid/acl/badsites.lst"

#ACL to allow specific sites for Support users.
acl supportsites dstdomain "/etc/squid/acl/supportsites.lst"

#ACL to allow specific sites to ALL LAN users.
acl opentoall dstdomain "/etc/squid/acl/open-to-all.lst"

#Disable caching and ICP/HTCP (no_cache is the deprecated spelling of "cache deny")
acl all1 src all
no_cache deny all1
icp_port 0
htcp_port 0
icp_access deny all1
htcp_access deny all1

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 20  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost

always_direct allow FTP

#Allow or deny the configured ACLs in squid. Lines are checked top to bottom and
#the first line whose ACLs all match decides, so the order matters.
#Allow/deny Access List
#
#Allow FULL access to PCs/systems added to the master1 ACL (listed before the
#badsites deny, so these PCs are not subject to it)
http_access allow master1

#Block 'badsites' for everyone else
http_access deny badsites

#Allow full internet access to 'searchpc' during the evening, 4 PM to 6 PM.
http_access allow evening searchpc

#Allow specific SupportSites to the Support PCs.
http_access allow supportsites supportpc

#Allow specific sites to all LAN, all the time.
http_access allow opentoall localnet

#Deny everything else to LAN systems, and finally deny all other access to this proxy
http_access deny localnet
http_access deny all

# Change default squid port to 8080
http_port 8080

cache_mem 512 MB
maximum_object_size_in_memory 56 MB
logfile_rotate 20
cache_mgr SystemAdmin@vprh.org

visible_hostname proxyrouter.vprh.blogspot.com

#Add your DNS servers here.
dns_nameservers 8.8.8.8 8.8.4.4 192.168.1.100

#Download restriction based on ACL (first matching line wins)
#Allow downloads up to 10GB for masterip
reply_body_max_size 10240 MB masterip
#Limit downloads to 20 MB for all other LAN PCs
reply_body_max_size 20 MB

#cache size
cache_dir aufs /var/spool/squid 4000 16 256
cache_swap_low 90
cache_swap_high 95

#Limit file upload
request_body_max_size 10240 MB masterip
request_body_max_size 20 MB localnet

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320
#####################

Save the squid configuration file by adding/updating ACL as per your network requirements.
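To see how Squid evaluates the http_access list above (lines are checked top to bottom, every ACL on a line must match, and the first matching line decides), here is a small Python model of that evaluation. It is added here and is not part of the original post; the ACL list-file contents (MACs, IPs, domains) are constructed sample values and the function names are mine. It shows, for example, that because "allow master1" comes before "deny badsites" the manager PC can reach blocked sites, while the search PC in its evening window still cannot.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Request:
    src_ip: str  # client IP as seen by the proxy (checked by 'src' ACLs)
    mac: str     # client MAC address (checked by 'arp' ACLs)
    host: str    # destination host name of the request ('dstdomain' ACLs)
    time: str    # local clock time "HH:MM" ('time' ACLs)


# ACL definitions in the shape of the squid.conf above.  The values stand in
# for the /etc/squid/acl/*.lst files and are constructed sample data.
ACLS = {
    "localnet":     ("src", ["192.168.1.0/24"]),
    "master1":      ("arp", ["00:11:22:33:44:55"]),  # sample manager PC
    "searchpc":     ("arp", ["00:11:22:33:44:56"]),  # sample search PC
    "supportpc":    ("src", ["192.168.1.100"]),
    "masterip":     ("src", ["192.168.1.9"]),
    "evening":      ("time", ["16:00-18:00"]),
    "badsites":     ("dstdomain", [".youtube.com", ".video.com", ".xyz.com"]),
    "supportsites": ("dstdomain", [".teamviewer.com", ".showmypc.com"]),
    "opentoall":    ("dstdomain", [".google.com", ".example.com"]),
    "all":          ("all", []),  # Squid's built-in match-everything ACL
}

# The http_access lines of the config, in file order: order is what matters.
HTTP_ACCESS = [
    ("allow", ["master1"]),
    ("deny",  ["badsites"]),
    ("allow", ["evening", "searchpc"]),
    ("allow", ["supportsites", "supportpc"]),
    ("allow", ["opentoall", "localnet"]),
    ("deny",  ["localnet"]),
    ("deny",  ["all"]),
]


def _minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def acl_matches(name: str, req: Request) -> bool:
    """Return True if the named ACL matches the request."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "arp":
        return req.mac.lower() in {v.lower() for v in values}
    if kind == "dstdomain":
        host = req.host.lower()
        for pattern in values:
            pattern = pattern.lower()
            # a leading dot matches the domain itself and every subdomain
            if pattern.startswith("."):
                if host == pattern[1:] or host.endswith(pattern):
                    return True
            elif host == pattern:
                return True
        return False
    if kind == "time":
        now = _minutes(req.time)
        for window in values:
            start, stop = window.split("-")
            if _minutes(start) <= now <= _minutes(stop):
                return True
        return False
    raise ValueError(f"unsupported ACL type: {kind}")


def _term_matches(term: str, req: Request) -> bool:
    # "!name" negates an ACL, as in "http_access deny !Safe_ports"
    if term.startswith("!"):
        return not acl_matches(term[1:], req)
    return acl_matches(term, req)


def http_access(req: Request) -> Tuple[str, str]:
    """Walk the http_access list top to bottom, as Squid does.

    Every ACL on a line must match for the line to apply, and the first
    line that applies decides.  With no match Squid uses the opposite of
    the last line's action.  Returns (action, deciding rule).
    """
    last = "deny"
    for action, acls in HTTP_ACCESS:
        last = action
        if all(_term_matches(a, req) for a in acls):
            return action, " ".join([action, *acls])
    return ("allow" if last == "deny" else "deny"), "default"
```

Call http_access() with a Request to see which line of the list decides for a given client, site and time of day.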

Create the squid ACL files as defined in the ACLs

#mkdir /etc/squid/acl

#cd /etc/squid/acl

In this file add the Ethernet MAC addresses of the systems which need full Internet access (the physical address of the LAN card)

#vi master-arp.lst

ee:xx:rr:44:55:cc    #mac of manager PC

Add the MAC of the searchPC which needs full access during the evening, 4 – 6 PM

#vi search-arp.lst

ee:xx:rr:44:55:cd     #mac of search user pc

Add the list of support sites which are accessed by the Support Team.

#vi supportsites.lst

.teamviewer.com

.ShowMyPC.com

Add the IP addresses of the support users' systems

#vi support-ip.lst

192.168.1.100

Add websites which are allowed to everyone all the time.

#vi open-to-all.lst

.google.com

.example.com

Add sites which you want to block all the time.

#vi badsites.lst

.youtube.com

.video.com

.xyz.com

Start the squid service

#service squid start

Later on, if you make any changes to the squid configuration or any other squid ACL files, you have to restart the squid service for the new configuration to take effect.

#service squid restart

If the squid service does not end with an OK status, review the error message or undo your last changes and restart the squid service.

IPTABLES configuration for squid.

#Accept connections on squid port 8080

iptables -I INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

#Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Read my post on IPTABLES to configure iptables firewall rules for squid and for the systems which are behind the proxy/Linux firewall.

 

Sep 05 2016

Linux Iptables Examples

The iptables rules below will configure a Linux system as a simple router.

This will forward all packets between the internal and external networks.

LAN Ethernet – eth0

WAN Ethernet – eth1

Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Forward all LAN requests to the external network

#iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT

Forward all ESTABLISHED and RELATED connections from the external network to the internal network.

#iptables -I FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Masquerade all outgoing packets with the external IP to hide the internal network IPs.

#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The configuration above is not recommended for production servers or Linux systems connected to the Internet, since it allows every outbound connection from the LAN. This configuration is useful for an internal dev or lab network only.

Iptables rules for ShowMyPc

The free version of ShowMyPC uses P2P connections and does not support proxy connections.

In this post, we will see how you can use the free version of ShowMyPC behind a Linux firewall.

First make sure your Linux system is configured to forward packets and the iptables rules are configured so that it acts as a router.

ShowMyPC has many servers; for each new connection it connects to a random server.

So you need to find all the ShowMyPC server IPs and add them in iptables rules.

How to find which servers or IPs are used by ShowMyPC?

You can start the ShowMyPC application and run TCPView from the Microsoft Sysinternals tools to find out which IPs ShowMyPC is trying to connect to.

Find all ShowMyPC IPs and add a forward rule as above for each IP.

Below is an example iptables rule to forward all connections from the LAN to a ShowMyPC server.

#iptables -A FORWARD -s 192.168.2.0/24 -d x.x.x.x -i eth0 -o eth1 -j ACCEPT

Find all IPs of ShowMyPC and configure rules like the above for each IP.

The free version of ShowMyPC uses P2P connections for desktop sharing, so I just allowed everything to ShowMyPC from my LAN network.

See my previous post for the detailed configuration of iptables rules for Squid and for making a Linux system a router for the rest of the LAN for specific protocols.

Sep 05 2016

How to Create Local Yum Repository for Red Hat Linux with Security Errata

A local YUM repository is useful when not all of your Linux systems have internet access.

In my environment some systems don't have internet access and some systems have issues with RHN registration.

Red Hat provides the reposync command to sync RHN repositories, and I was able to do so.

I configured a web server to make my repo available over HTTP.

Then I pointed another RHEL system at the local yum repository to get updates.

I was able to see the updates, but I could not see the security updates available:

"No packages needed for security; 45 packages available"

By default the createrepo command does not include security errata information in the repodata, so it is not made available for client systems to download updateinfo.xml, which contains the security errata.

Also, I am running an x86_64 OS, but yum was making i686 packages available to the system where they existed.

  • # yum check-update --security

Loaded plugins: downloadonly, product-id, security, subscription-manager
Limiting package lists to security relevant ones
No packages needed for security; 45 packages available

bind-libs.i686                32:9.8.2-0.30.rc1.el6_6.1 rhel6repo-dc1-nixmgmt01
device-mapper-event-libs.i686 1.02.90-2.el6_6.1         rhel6repo-dc1-nixmgmt01
device-mapper-libs.i686       1.02.90-2.el6_6.1         rhel6repo-dc1-nixmgmt01
glibc-devel.i686              2.12-1.149.el6_6.5        rhel6repo-dc1-nixmgmt01
jasper-libs.i686              1.900.1-16.el6_6.3        rhel6repo-dc1-nixmgmt01
libcurl.i686                  7.19.7-40.el6_6.4         rhel6repo-dc1-nixmgmt01
libssh2.i686                  1.4.2-1.el6_6.1           rhel6repo-dc1-nixmgmt01
lvm2-libs.i686                2.02.111-2.el6_6.1        rhel6repo-dc1-nixmgmt01
nss.i686                      3.16.2.3-3.el6_6          rhel6repo-dc1-nixmgmt01
nss-softokn.i686              3.14.3-22.el6_6           rhel6repo-dc1-nixmgmt01
nss-util.i686                 3.16.2.3-2.el6_6          rhel6repo-dc1-nixmgmt01
openssl.i686                  1.0.1e-30.el6_6.5         rhel6repo-dc1-nixmgmt01

I found a lot of articles which explain how to create a local yum repository from an RHN repo or from DVDs, but did not find anything useful which explains how to include the security errata in the local repo.

Configure Local Yum server:

My Setup:

Local YUM Server:

  • Operating System – RHEL 6.6 x86_64
  • RAM – 2 GB
  • vCPU – 1
  • OS Disk – 30 GB
  • Disk to store repos – 100 GB
  • Internet access is available and system is registered with RHN.

Yum Client:

  • Operating System – RHEL 6.6 x86_64
  • RAM – 2 GB
  • vCPU – 1
  • I am now also using this repo to update many other production and non-production systems.
  • This assumes you have root access on the server and client systems.

Packages required  on server:

  • yum-utils
  • createrepo

Install above packages if not installed

  • #yum install yum-utils
  • #yum install createrepo

List the repos which are made available to the server. If you do not see the required repos, log in to the RHN portal and subscribe your system to the relevant channels.

  • #yum repolist

Note down the repo name which you need to sync with and download all packages from it.

My setup is simple and I only need updates for the operating system, so I will be downloading only the rhel-x86_64-server-6 repository.

Depending on your environment you may want to download additional repos locally.

Create directory to save repository packages.

  • #mkdir /repo/repositories/rhel6

Make sure you have at least 30 GB free on this disk to sync one repo.

Run below command to synchronize Base operating system RHN repository Locally.

  • #reposync --gpgcheck -l --repoid=rhel-x86_64-server-6 --download_path=/repo/repositories/rhel6 --download-metadata

It will download all available packages with metadata like security errata and package group information file comps.xml.

Above command will download all the available packages from RHN channel. In my setup it took 25 GB space to download all packages.

If you would like to save some space and time, you can download only the latest available packages by adding the -n switch to the above command.

Sync only latest packages

  • #reposync --gpgcheck -l --repoid=rhel-x86_64-server-6 --download_path=/repo/repositories/rhel6 --download-metadata -n

Once reposync command completed successfully, run below command to create repodata.

  • #createrepo -v /repo/repositories/rhel6/rhel-x86_64-server-6 -g /repo/repositories/rhel6/rhel-x86_64-server-6/comps.xml

This creates the repodata with the local package information; passing the comps.xml path lets the repodata include package group information such as the X Window System group.

The next time you run createrepo, add the --update switch to the above command to save some time.

  • #createrepo --update -v /repo/repositories/rhel6/rhel-x86_64-server-6 -g /repo/repositories/rhel6/rhel-x86_64-server-6/comps.xml

Adding Security Errata to repodata

Decompress update information file.

Update info file name would be –

e.g. df95e702822e2ca2eec71b11e3d4f34cd36f33af0645e44c1f8ab21c7d2fea6f-updateinfo.xml.gz

  •  #gzip -d /repo/repositories/rhel6/rhel-x86_64-server-6/*-updateinfo.xml.gz

Rename file to keep only name as updateinfo.xml

  • #mv /repo/repositories/rhel6/rhel-x86_64-server-6/*-updateinfo.xml /repo/repositories/rhel6/rhel-x86_64-server-6/updateinfo.xml

Modify repodata to add security errata/update info to repodata

  • #modifyrepo /repo/repositories/rhel6/rhel-x86_64-server-6/updateinfo.xml /repo/repositories/rhel6/rhel-x86_64-server-6/repodata
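Once modifyrepo has run, the proof that the errata are really there is in repodata/repomd.xml: it must list a `<data type="updateinfo">` entry, which is what the client's security plugin downloads. The script below is an added check, not part of the post, that works on constructed sample files mirroring that structure; it counts the advisories of each type in updateinfo.xml and tells you whether repomd.xml advertises the updateinfo data yet.

```shell
#!/bin/bash
# Added example: verify that security errata reached the repodata.
# The repository skeleton built here is constructed for the demo; only
# the file layout (updateinfo.xml with <update type="security"> records,
# repodata/repomd.xml listing <data type="updateinfo">) mirrors a real repo.

# Count advisories of the given type ("security", "bugfix", ...) in an updateinfo.xml.
count_advisories() {
    updateinfo="$1"
    advisory_type="$2"
    grep -o "<update [^>]*type=\"$advisory_type\"" "$updateinfo" | wc -l | tr -d ' '
}

# Return 0 when repomd.xml advertises an updateinfo entry (modifyrepo adds it), 1 otherwise.
repomd_has_updateinfo() {
    grep -q '<data type="updateinfo">' "$1/repodata/repomd.xml"
}

# Build a constructed repository skeleton under $1.
# Pass "with_updateinfo" as $2 to simulate the state after modifyrepo.
make_sample_repo() {
    repo="$1"
    mkdir -p "$repo/repodata"
    cat > "$repo/updateinfo.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="errata@example.invalid" status="final" type="security" version="1">
    <id>RHSA-0000:0001</id>
    <title>Constructed security advisory</title>
    <pkglist><collection><package name="openssl" arch="x86_64"/></collection></pkglist>
  </update>
  <update from="errata@example.invalid" status="final" type="bugfix" version="1">
    <id>RHBA-0000:0002</id>
    <title>Constructed bug fix advisory</title>
    <pkglist><collection><package name="curl" arch="x86_64"/></collection></pkglist>
  </update>
</updates>
EOF
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        echo '  <data type="primary"><location href="repodata/primary.xml.gz"/></data>'
        if [ "$2" = "with_updateinfo" ]; then
            echo '  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>'
        fi
        echo '</repomd>'
    } > "$repo/repodata/repomd.xml"
}

# Demo: the state right after createrepo, before modifyrepo has been run.
demo_dir=$(mktemp -d)
make_sample_repo "$demo_dir"
echo "security advisories in updateinfo.xml: $(count_advisories "$demo_dir/updateinfo.xml" security)"
if repomd_has_updateinfo "$demo_dir"; then
    echo "repomd.xml lists updateinfo: clients will see the security errata"
else
    echo "repomd.xml does not list updateinfo: run modifyrepo updateinfo.xml repodata/"
fi
rm -rf "$demo_dir"
```

Point the two functions at the real repository directory to check a live repo; on the client side the same condition shows up as the "rhel6repo-dc1-nixmgmt01/updateinfo" download line in the yum output later in this post.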

Configure Yum repository in web server for Clients

I have used httpd to configure a virtual web server and make this repo available to client systems.

Install the required httpd packages, if not already installed.

Modify httpd.conf

Enable name based virtual hosting & add virtual web host/site

  • #vi /etc/httpd/conf/httpd.conf

NameVirtualHost 10.x.x.x:80
# Use name-based virtual hosting (find this line in the file).

#At end of the file add virtual host.

### --> Redhat Linux 6 Repository --> ###
<VirtualHost 10.x.x.x:80>
ServerAdmin Haridas.Vhadade@outlook.com
DocumentRoot /repo/repositories/rhel6/rhel-x86_64-server-6
ServerName rhel6repo.virtualprh.com
ErrorLog logs/rhel6repo-error_log
CustomLog logs/rhel6repo-access_log common
<Directory "/repo/repositories/rhel6/rhel-x86_64-server-6">
Options All Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Save file and quit.

Start web server and make auto start after system restart.

  • #service httpd start
  • #chkconfig httpd on

So now users can configure http://rhel6repo.virtualprh.com to get packages from repository.

Yum Client configuration

Create the yum repo file and add the lines below.

  • #cd /etc/yum.repos.d
  • #vi rhel6repo.repo

[rhel6repo-dc1-nixmgmt01]
name=Redhat Linux 6 Repo dc1-nixmgmt01
baseurl=http://rhel6repo.virtualprh.com
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
protect=1

Save the file and quit.

If your client system is registered with RHN, disable the RHN plugin by changing enabled from 1 to 0.

  • #vi /etc/yum/pluginconf.d/rhnplugin.conf

[main]
enabled = 0
gpgcheck = 1

Now you can run yum commands to see the new local repository and install the required packages or security updates.

  • # yum repolist

Loaded plugins: downloadonly, product-id, security, subscription-manager
rhel6repo-dc1-nixmgmt01                                      | 4.1 kB     00:00
repo id                  repo name                           status
rhel6repo-dc1-nixmgmt01  Redhat Linux 6 Repo dc1-nixmgmt01   14,589
repolist: 14,589

Check available security updates

  • # yum check-update --security

Loaded plugins: downloadonly, product-id, security, subscription-manager
Limiting package lists to security relevant ones
rhel6repo-dc1-nixmgmt01/updateinfo                       | 2.5 MB     00:02
20 package(s) needed for security, out of 44 available

curl.x86_64                    7.19.7-40.el6_6.3   rhel6repo-dc1-nixmgmt01
device-mapper-event-libs.i686  1.02.90-2.el6_6.1   rhel6repo-dc1-nixmgmt01
device-mapper-libs.i686        1.02.90-2.el6_6.1   rhel6repo-dc1-nixmgmt01
glibc.i686                     2.12-1.149.el6_6.5  rhel6repo-dc1-nixmgmt01
glibc.x86_64                   2.12-1.149.el6_6.5  rhel6repo-dc1-nixmgmt01
glibc-common.x86_64            2.12-1.149.el6_6.5  rhel6repo-dc1-nixmgmt01
glibc-devel.x86_64             2.12-1.149.el6_6.5  rhel6repo-dc1-nixmgmt01
glibc-headers.x86_64           2.12-1.149.el6_6.5  rhel6repo-dc1-nixmgmt01
jasper-libs.x86_64             1.900.1-16.el6_6.3  rhel6repo-dc1-nixmgmt01
kernel.x86_64                  2.6.32-504.8.1.el6  rhel6repo-dc1-nixmgmt01
kernel-firmware.noarch         2.6.32-504.8.1.el6  rhel6repo-dc1-nixmgmt01
kernel-headers.x86_64          2.6.32-504.8.1.el6  rhel6repo-dc1-nixmgmt01
...output truncated...

Install  security updates

  • #yum update --security

You can also install any specific package as required

  • #yum install <package Name>

With this your local yum server & client configuration is completed.

Create repo file for your local repository to use it on multiple servers:

On the yum server, inside the repository directory (which is also the document root of our web site), create the file below and save it.

  • #vi rhel6repo.repo

[rhel6repo-dc1-nixmgmt01]
name=Redhat Linux 6 Repo dc1-nixmgmt01
baseurl=http://rhel6repo.virtualprh.com
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
protect=1
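Both repo files above (the one written on the client and the one published from the document root) carry gpgcheck=0, so the client installs whatever the web server hands it without checking the Red Hat signature, even though gpgkey already points at the right key. Since reposync --gpgcheck verified the signatures at download time, gpgcheck=1 costs nothing on the client and is the only thing protecting a plain-http repo from a tampered mirror. The script below is an added example (not from the post) that audits a .repo file for these two settings and writes a hardened copy; the sample repo file is constructed to match the post's.

```shell
#!/bin/bash
# Added example: audit a yum .repo file for settings that weaken the
# package trust chain and produce a hardened copy. The sample repo file
# is constructed after the post's rhel6repo.repo; findings flagged are
# gpgcheck=0 (no signature verification) and a plain-http baseurl.

# Print one finding per line; prints nothing when the file is clean.
audit_repo_file() {
    repofile="$1"
    section=""
    while IFS= read -r line; do
        norm=$(printf '%s' "$line" | tr -d ' \t')   # normalise "key = value" to "key=value"
        case "$norm" in
            \[*\])             section="${norm#\[}"; section="${section%\]}" ;;
            gpgcheck=0)        echo "$section: gpgcheck=0 (package signatures are not verified)" ;;
            baseurl=http://*)  echo "$section: plain-http baseurl, integrity relies on gpgcheck=1" ;;
        esac
    done < "$repofile"
}

# Number of findings, for use in scripts.
count_findings() {
    audit_repo_file "$1" | wc -l | tr -d ' '
}

# Write a hardened copy ($2) of the repo file ($1) with gpgcheck=1.
harden_repo_file() {
    sed -e 's/^gpgcheck *= *0/gpgcheck=1/' "$1" > "$2"
}

# Constructed sample mirroring the repo file from the post.
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhel6repo-dc1-nixmgmt01]
name=Redhat Linux 6 Repo dc1-nixmgmt01
baseurl=http://rhel6repo.virtualprh.com
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
protect=1
EOF
}

# Demo: audit the sample, harden it, audit the hardened copy.
demo=$(mktemp -d)
write_sample_repo "$demo/rhel6repo.repo"
echo "== before =="; audit_repo_file "$demo/rhel6repo.repo"
harden_repo_file "$demo/rhel6repo.repo" "$demo/rhel6repo-hardened.repo"
echo "== after =="; audit_repo_file "$demo/rhel6repo-hardened.repo"
rm -rf "$demo"
```

Run `audit_repo_file` over every file in /etc/yum.repos.d on a client to find repos that skip verification; the gpgkey line must stay in place for gpgcheck=1 to work, and the key file has to exist on the client (it is shipped by redhat-release).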

To configure local yum repo client on any new server, run below commands

This will copy repository configuration on client system and then you can start using local yum repository.

Bash script to update Local yum repository

I have created the shell script below to:

  • Download updated packages from RHN.
  • Create repodata.
  • Update repodata with the security errata information.
  • Send me an email if any step fails.

What you need to use it:

  • Save this file as .sh
  • Register your server with RHN
  • Create a directory to save packages and modify the path in the script below if needed.
  • Schedule this script to run every day to download the latest available packages.

Download script from this link – rhel-syncrepo.sh

________________________________________________________________________________

#!/bin/bash
# Sync the RHEL 6 repository from RHN, rebuild the repodata, attach the
# security errata (updateinfo.xml) and mail on any failure.

#Log File -
today=$(date +"%d-%m-%Y")
LOG=/tmp/reposync-$today.log
my_hostname=$(hostname)
FatalRecipient='Haridas.Vhadade@virtualprh.com'
FatalSubject="Error received while RHN repo sync $my_hostname"

# Repository locations (adjust to your environment)
REPO_BASE=/repo/repositories/rhel6
REPO_DIR=$REPO_BASE/rhel-x86_64-server-6

# Mail the error message and stop; every failed step below goes through here.
function Fatal () {
    echo -e "$@" | mail -s "$FatalSubject" "$FatalRecipient"
    exit 1
}

echo "-----------------------------------------------------------------------------------" &> $LOG
echo -e "###\t\tStarting RHEL 6 Repo Sync from RHN at `date +"%k:%M %d/%m/%Y"`\t\t###" &>> $LOG
echo "-----------------------------------------------------------------------------------" &>> $LOG

#Clean Yum Cache
yum clean all &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while yum clean " &>> $LOG
    Fatal "Error received while running yum clean "
fi

#Sync RHEL 6 x86_64 Repo from RHN (--gpgcheck drops packages that fail signature verification)
/usr/bin/reposync --gpgcheck -l --repoid=rhel-x86_64-server-6 --download_path=$REPO_BASE --download-metadata &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while reposync " &>> $LOG
    Fatal "Error received while running reposync "
fi

#Update repodata
createrepo --update -v $REPO_DIR -g $REPO_DIR/comps.xml &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while running update repodata " &>> $LOG
    Fatal "Error received while running update repodata "
fi

#Delete old updateinfo.xml
rm -f $REPO_DIR/updateinfo.xml &>> $LOG

#extract updateinfo.xml
gzip -d $REPO_DIR/*-updateinfo.xml.gz &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while extracting gzip updateinfo xml " &>> $LOG
    Fatal "Error received while extracting gzip update info xml "
fi

#Rename xml file to updateinfo.xml
mv $REPO_DIR/*-updateinfo.xml $REPO_DIR/updateinfo.xml &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while renaming updateinfo xml " &>> $LOG
    Fatal "Error received while renaming updateinfo xml "
fi

#Modify repodata with update info
modifyrepo $REPO_DIR/updateinfo.xml $REPO_DIR/repodata &>> $LOG
if [ $? -ne 0 ]
then
    echo "Error received while updating repodata with updateinfo xml " &>> $LOG
    Fatal "Error received while updating repodata with update info xml "
fi

# Append (&>>) so the completion banner does not overwrite the log written above.
echo "-----------------------------------------------------------------------------------" &>> $LOG
echo -e "###\t\tCompleted RHEL 6 Repo Sync from RHN at `date +"%k:%M %d/%m/%Y"`\t\t###" &>> $LOG
echo "-----------------------------------------------------------------------------------" &>> $LOG

echo "RHEL 6 Repo Sync from RHN Completed" | mail -s "RepoSync RHEL 6 x86_64 Completed" "$FatalRecipient"

________________________________________________________________________________
