Monthly archive: April 2020

How to set DNS in CentOS/RHEL 7 & prevent NetworkManager from overwriting /etc/resolv.conf?

This guide shows you how to set custom DNS entries for CentOS 7 / RedHat 7 and ensure that the settings are persistent even after a reboot.

What you need

  • A CentOS 7 or a Red Hat Enterprise Linux (RHEL) 7 server
  • A couple of minutes

Overview

In CentOS and Red Hat Enterprise Linux (RHEL) 7, any custom DNS entries are stored in the file /etc/resolv.conf. However, if we simply go ahead and add our nameservers to this file, we’ll notice that after a reboot or a restart of the network.service, the file is overwritten by NetworkManager.

In this guide, we will first configure NetworkManager to not overwrite this file. Then, we will go ahead and actually add our custom nameservers to /etc/resolv.conf.

Step 1

The NetworkManager configuration lives in /etc/NetworkManager/NetworkManager.conf. Open this file with vim or your favourite text editor.

Search for the [main] section in this file. It should look something like this:

...
[main]
#plugins=ifcfg-rh,ibft
...

Add dns=none directly below the [main] section header, like this:

...
[main]
dns=none
#plugins=ifcfg-rh,ibft
...

Go ahead and save the file.

Step 2

Let’s restart the NetworkManager.service service so that it picks up the changes we made to the configuration.

sudo systemctl restart NetworkManager.service

Note that the service name NetworkManager.service is case-sensitive.

Step 3

Now let's add our nameservers to /etc/resolv.conf.

Open this file in your favourite text editor and list the name servers as follows:

# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4

That's it. The nameservers in /etc/resolv.conf now survive reboots and restarts of NetworkManager, because NetworkManager no longer writes the file. Two caveats: dns=none only stops NetworkManager, so if an interface is brought up by the legacy network.service (NM_CONTROLLED=no) and its ifcfg file sets DNS1=/DNS2=, the initscripts will still rewrite /etc/resolv.conf unless that file also has PEERDNS=no; and a DHCP lease can no longer update the nameservers for you, which is the trade-off you accept by pinning them. Verify with cat /etc/resolv.conf after another systemctl restart NetworkManager.service.
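The three steps above as idempotent shell functions, added here as an example and not part of the original guide. The file paths are parameters so the functions can be tried on scratch copies first; the real targets are /etc/NetworkManager/NetworkManager.conf, /etc/resolv.conf and /etc/sysconfig/network-scripts. The ifcfg check at the end is my own addition: it assumes the legacy initscripts behaviour (ifup-post rewrites resolv.conf from DNS1=/DNS2= unless PEERDNS=no), which the guide does not cover.

```shell
#!/bin/sh
# Added example (not from the original guide): the NetworkManager dns=none edit,
# the resolv.conf write and a check for competing ifcfg DNS settings, as
# functions that take their file paths as arguments. Assumes POSIX sh and awk.

# nm_set_dns_none CONF
# Puts "dns=none" directly below the [main] header, removing any other dns=
# line in that section, so repeated runs leave exactly one dns=none. Other
# sections and comments (e.g. #plugins=ifcfg-rh,ibft) are left untouched.
nm_set_dns_none() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[main\][[:space:]]*$/ { print; print "dns=none"; in_main = 1; done = 1; next }
        /^\[/                    { in_main = 0 }
        in_main && /^[[:space:]]*dns[[:space:]]*=/ { next }
        { print }
        END { if (!done) { print "[main]"; print "dns=none" } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# nm_get_dns CONF -> value of dns= in [main], or nothing
nm_get_dns() {
    awk '
        /^\[main\][[:space:]]*$/ { in_main = 1; next }
        /^\[/                    { in_main = 0 }
        in_main && /^[[:space:]]*dns[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# write_resolv_conf FILE NS...
# Rejects anything that is not an IPv4/IPv6 literal (no hostnames, no extra
# resolver options smuggled in), then writes the file in place.
write_resolv_conf() {
    file=$1; shift
    [ $# -gt 0 ] || { echo "write_resolv_conf: no nameservers given" >&2; return 1; }
    for ns in "$@"; do
        case $ns in
            *[!0-9A-Fa-f:.]*|'') echo "write_resolv_conf: bad nameserver '$ns'" >&2; return 1 ;;
        esac
    done
    tmp=$(mktemp) || return 1
    {
        echo "# Managed by hand; NetworkManager has dns=none and leaves this file alone"
        for ns in "$@"; do echo "nameserver $ns"; done
    } > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# ifcfg_dns_overrides DIR
# Lists ifcfg-* files that set DNS1=/DNS2= without PEERDNS=no. dns=none only
# silences NetworkManager; for an interface the legacy network.service brings
# up, ifup-post still rewrites /etc/resolv.conf from these values.
ifcfg_dns_overrides() {
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        grep -q '^DNS[12]=' "$f" || continue
        grep -Eq '^PEERDNS="?no"?' "$f" && continue
        echo "$f"
    done
}

# apply_dns NS...  (the live procedure; needs root)
apply_dns() {
    nm_set_dns_none /etc/NetworkManager/NetworkManager.conf
    systemctl restart NetworkManager.service
    write_resolv_conf /etc/resolv.conf "$@"
    ifcfg_dns_overrides /etc/sysconfig/network-scripts |
        sed 's/^/warning: DNS1\/DNS2 without PEERDNS=no in /'
}

# Only touch the live system when explicitly asked:  sh dns.sh apply 8.8.8.8 8.8.4.4
if [ "${1:-}" = apply ]; then
    shift
    apply_dns "$@"
fi
```

Run it as sh dns.sh apply 8.8.8.8 8.8.4.4 on the server; without the apply argument it only defines the functions, so you can source it and point nm_set_dns_none at a copy of NetworkManager.conf to see the edit before making it for real.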

CentOS: rebuilding curl against OpenSSL instead of NSS

The system is 64-bit CentOS 6/7. The stock curl/libcurl on these releases is built against NSS; the steps below build a private OpenSSL and a private curl linked against it, then put the new curl binary in front of the stock one. Note that everything installed this way lives outside yum: you are responsible for rebuilding it for every OpenSSL and curl security release, and the 1.0.2 branch used below stopped receiving fixes at the end of 2019.

1. First install the usual development tools (the group name contains a space, so it has to be quoted):

yum groupinstall "Development Tools"

2. Build OpenSSL

1. Download OpenSSL (and compare the tarball with the .sha256 file published beside it before unpacking):

wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz

2. Unpack it:

tar -xzvf openssl-1.0.2l.tar.gz

3. Enter the OpenSSL directory:

cd openssl-1.0.2l

4. Configure and build OpenSSL (the default prefix and OPENSSLDIR are /usr/local/ssl):

./config --shared
make && make install

3. Configure and build curl

1. Download curl:

wget https://curl.haxx.se/download/curl-7.55.1.tar.gz

2. Unpack it:

tar -xzvf curl-7.55.1.tar.gz

3. Enter the curl directory:

cd curl-7.55.1

4. Set the shared library path so the build (and the resulting binary, in this shell) can find the new OpenSSL. A cleaner alternative is to bake the library path into the binary with an rpath at configure time, so nothing depends on LD_LIBRARY_PATH at run time:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/ssl/lib

5. Configure and build curl, pointing it at the private OpenSSL and explicitly disabling NSS:

./configure --prefix=/usr/local/curl/ --without-nss --with-ssl=/usr/local/ssl/
make && make install

6. Back up the stock curl binary:

mv /usr/bin/curl /usr/bin/curl.bak

7. Symlink the new curl into place:

ln -s /usr/local/curl/bin/curl /usr/bin/curl

That completes the replacement; run curl --version to confirm. Two things to keep in mind: /usr/bin/curl is still owned by the curl RPM, so a later yum update will put the stock binary back over the symlink, and the system libcurl in /usr/lib64 must be left alone because yum itself depends on it. Also check that certificate verification still works (for example with curl -v against an HTTPS site you trust): a source-built OpenSSL ships no CA store, so the new curl has to find the system bundle under /etc/pki/tls/certs. Here is my output:

curl 7.55.1 (x86_64-pc-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2l
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP UnixSockets HTTPS-proxy

Worked run on 64-bit CentOS 6. Two things to notice: this run passes --with-ssl with no path, so configure links the new curl against the system OpenSSL (1.0.1e-fips in /usr/lib64) rather than the build in /usr/local/ssl, which still gives an OpenSSL rather than NSS backend; and the download needs curl -O (or wget), since a bare curl writes the tarball to the terminal.

# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

# curl -O https://curl.haxx.se/download/curl-7.69.1.tar.gz
# tar zxvf curl-7.69.1.tar.gz
# cd curl-7.69.1
# ./configure --prefix=/usr/local/curl/ --without-nss --with-ssl
# make && make install

# /usr/local/curl/bin/curl -V
curl 7.69.1 (x86_64-pc-linux-gnu) libcurl/7.69.1 OpenSSL/1.0.1e-fips zlib/1.2.3
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets

# ldd /usr/local/curl/bin/curl
        linux-vdso.so.1 =>  (0x00007ffd0c5bf000)
        libcurl.so.4 => /usr/local/curl/lib/libcurl.so.4 (0x00007f6513ab3000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f6513837000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f6513454000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f651323e000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f6513035000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f6512ca1000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f6512a5d000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f6512776000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f6512572000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f6512346000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f6512141000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f6511f24000)
        /lib64/ld-linux-x86-64.so.2 (0x0000564ebdb90000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f6511d19000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f6511b15000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f65118fb000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f65116db000)

Meanwhile the system's own curl is unchanged and still linked against NSS:

# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

# ldd /usr/bin/curl
        linux-vdso.so.1 =>  (0x00007ffde3fec000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007fcbc9064000)
        libidn.so.11 => /lib64/libidn.so.11 (0x00007fcbc8e32000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fcbc8be1000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fcbc89d9000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fcbc8795000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fcbc84ae000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fcbc8282000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcbc807e000)
        libssl3.so => /usr/lib64/libssl3.so (0x00007fcbc7e3e000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x00007fcbc7c12000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007fcbc78d3000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007fcbc76a6000)
        libplds4.so => /lib64/libplds4.so (0x00007fcbc74a2000)
        libplc4.so => /lib64/libplc4.so (0x00007fcbc729d000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fcbc705e000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fcbc6e41000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fcbc6c3d000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007fcbc6a14000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fcbc67fe000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fcbc646a000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fcbc625a000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcbc6040000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcbc5e26000)
        /lib64/ld-linux-x86-64.so.2 (0x000055a80dede000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fcbc5c1a000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcbc5a17000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fcbc57aa000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fcbc53c7000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcbc5190000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcbc4f70000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fcbc4cf7000)

Then put the new library directory on LD_LIBRARY_PATH in ~/.bash_profile:

# vi .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin
LD_LIBRARY_PATH=/usr/local/curl/lib
export PATH LD_LIBRARY_PATH

After a new login, even the stock /usr/bin/curl is redirected onto the new libcurl:

# /usr/bin/curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.0.1e-fips zlib/1.2.3
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL libz

# ldd /usr/bin/curl
        linux-vdso.so.1 =>  (0x00007fff7c777000)
        libcurl.so.4 => /usr/local/curl/lib/libcurl.so.4 (0x00007fb5ed9b4000)
        libidn.so.11 => /lib64/libidn.so.11 (0x00007fb5ed772000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fb5ed522000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fb5ed31a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fb5ed0d5000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fb5ecdef000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fb5ecbc3000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fb5ec9be000)
        libssl3.so => /usr/lib64/libssl3.so (0x00007fb5ec77f000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x00007fb5ec553000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007fb5ec213000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007fb5ebfe7000)
        libplds4.so => /lib64/libplds4.so (0x00007fb5ebde3000)
        libplc4.so => /lib64/libplc4.so (0x00007fb5ebbdd000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fb5eb99f000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb5eb782000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fb5eb57d000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007fb5eb355000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fb5eb13f000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fb5eadaa000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fb5eab3e000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fb5ea75b000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fb5ea54b000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fb5ea331000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fb5ea117000)
        /lib64/ld-linux-x86-64.so.2 (0x0000564abf25b000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fb5e9f0b000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fb5e9d08000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fb5e9ad0000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fb5e98b1000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fb5e9637000)

Read that output carefully before adopting this approach: it is the curl 7.19.7 command-line tool running on top of libcurl 7.69.1, a mismatched pair, and the NSS libraries are still listed because the old binary pulls them in on its own (the new libcurl, per its own ldd above, does not). LD_LIBRARY_PATH set in a login profile also silently swaps libcurl under every other program started from that shell. The symlink from step 7 (or a curl built with an rpath pointing at its own OpenSSL) keeps the change confined to the new binary.
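A small check script for the situation above, added here as an example and not code from the original post: it reads the first line of curl -V to report the TLS backend, flags a tool/libcurl version mismatch like the 7.19.7 / 7.69.1 pair, and shows which libcurl.so.4 the loader resolves. The function names are mine; the only assumption is the upstream layout of the curl -V banner and the standard ldd output format.

```shell
#!/bin/sh
# Added example, not code from the original post: checks which TLS backend a
# curl binary's libcurl was built with, whether the command-line tool and the
# library it loaded are the same release, and which libcurl.so.4 the dynamic
# loader resolves for it. Assumes POSIX sh, awk and ldd, and the upstream
# layout of the first line of `curl -V`:
#   curl <ver> (<triplet>) libcurl/<ver> <TLS backend>/<ver> ...

# curl_tls_backend "<first line of curl -V>" -> backend name, or "none"
curl_tls_backend() {
    printf '%s\n' "$1" | awk '{
        for (i = 5; i <= NF; i++) {
            split($i, kv, "/")
            if (kv[1] ~ /^(OpenSSL|NSS|GnuTLS|LibreSSL|BoringSSL|wolfSSL|mbedTLS|SecureTransport|Schannel)$/) {
                print kv[1]; exit
            }
        }
        print "none"
    }'
}

# curl_versions_match "<first line>" -> "ok", or "mismatch <tool> <libcurl>"
# A mismatch means the tool is running on a libcurl it was not built with,
# typically because LD_LIBRARY_PATH redirected it (the 7.19.7 / 7.69.1 case).
curl_versions_match() {
    printf '%s\n' "$1" | awk '{
        split($4, lib, "/")
        if ($2 == lib[2]) print "ok"; else print "mismatch " $2 " " lib[2]
    }'
}

# ldd_lib_path "<ldd output>" LIBNAME -> resolved path of LIBNAME, or nothing
ldd_lib_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '$1 == lib && $2 == "=>" { print $3; exit }'
}

# check_curl PATH -> human-readable report for one binary
check_curl() {
    bin=$1
    line=$("$bin" -V | head -n 1)
    echo "binary:   $bin"
    echo "backend:  $(curl_tls_backend "$line")"
    echo "versions: $(curl_versions_match "$line")"
    echo "libcurl:  $(ldd_lib_path "$(ldd "$bin")" libcurl.so.4)"
}

# Run against a real binary only when asked, e.g.:
#   CURL_CHECK_BIN=/usr/bin/curl sh curl-check.sh
if [ -n "${CURL_CHECK_BIN:-}" ]; then
    check_curl "$CURL_CHECK_BIN"
fi
```

Run it once for /usr/bin/curl and once for /usr/local/curl/bin/curl after the replacement; "versions: ok" together with "backend: OpenSSL" and a libcurl path under /usr/local/curl/lib is the state the post is aiming for.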

Renew/Extend Puppet CA/puppetmasterd certs

Puppet CA/puppetmasterd cert renewal

While we are still converting our puppet-controlled infrastructure to Ansible, some nodes are still managed by puppet, because converting some roles is not a one- or two-day job. Add the other backlog items that all carry priority #1, and time flies until your legacy puppet environment greets you with this (the FQDN is made up here, but you get the idea):

Warning: Certificate 'Puppet CA: puppetmasterd.domain.com' will expire on 2019-05-06T12:12:56UTC
Warning: Certificate 'puppetmasterd.domain.com' will expire on 2019-05-06T12:12:56UTC

As long as the PKI for puppet is still valid (nothing has expired yet), you can act in advance: re-sign (extend) the CA and puppetmasterd certificates with their existing keys, distribute the new CA cert to the agents, and move on with the backlog while the puppet-to-Ansible conversion continues (at least in our case).

Puppetmasterd/CA

Before anything else (in case you don't back this up, though you should), take a backup of the Puppet CA, and protect that tarball as tightly as the CA key it contains. In our case it is a Foreman-driven puppetmasterd, so the foreman host is where all of this happens; YMMV.

tar cvzf /root/puppet-ssl-backup.tar.gz /var/lib/puppet/ssl/

CA itself

We first need to regenerate a CSR from the CA cert and sign it again with the same key. Before that, confirm that ca_key.pem and the existing ca_crt.pem belong together by comparing their RSA moduli (the two digests must be equal):

cd /var/lib/puppet/ssl/ca
( openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 ) 

(stdin)= cbc4d35f58b28ad7c4dca17bd4408403
(stdin)= cbc4d35f58b28ad7c4dca17bd4408403

They match, so we can regenerate a CSR from that private key and the existing certificate:

openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
Getting request Private Key
Generating certificate request

Now that we have the CSR for the CA, we sign it again. openssl x509 -req does not carry the old certificate's extensions over, so we supply them from an extfile, matching what Puppet's own CA cert carries (CA:TRUE, keyCertSign/cRLSign):

cat > extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

Now archive the old CA cert and sign the new, extended one. Re-signing with the same key and the same subject is what keeps every agent certificate (and the CRL) already issued by this CA valid under the new CA cert:

cp ca_crt.pem ca_crt.pem.old
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
Signature ok
subject=/CN=Puppet CA: puppetmasterd.domain.com
Getting Private key

openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
 Validity
            Not Before: Apr 29 08:25:49 2019 GMT
            Not After : Apr 26 08:25:49 2029 GMT

Puppetmasterd server

We also have to regenerate the CSR from the existing server cert (assuming the FQDN in the cert is also the currently set hostname):

cd /var/lib/puppet/ssl
openssl x509 -x509toreq -in certs/$(hostname).pem -signkey private_keys/$(hostname).pem -out certificate_requests/$(hostname)_csr.pem
Getting request Private Key
Generating certificate request

Now that we have the CSR, we can sign it with the renewed CA. Check the old cert's extensions first (openssl x509 -noout -text on the .old copy): -x509toreq drops them and x509 -req without an extfile emits none, so a subjectAltName such as DNS:puppet set via dns_alt_names would be lost unless you pass it back in with -extfile, as done for the CA above.

cp certs/$(hostname).pem certs/$(hostname).pem.old #Backing up
openssl x509 -req -days 3650 -in certificate_requests/$(hostname)_csr.pem -CA ca/ca_crt.pem \
  -CAkey ca/ca_key.pem -CAserial ca/serial -out certs/$(hostname).pem
Signature ok  

Validate that the puppetmasterd key and the new cert match (the same modulus check as for the CA):

( openssl rsa -noout -modulus -in private_keys/$(hostname).pem  2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in certs/$(hostname).pem 2> /dev/null | openssl md5 )

(stdin)= 0ab385eb2c6e9e65a4ed929a2dd0dbe5
(stdin)= 0ab385eb2c6e9e65a4ed929a2dd0dbe5

It all looks good, so let's restart puppetmasterd/httpd (foreman launches puppetmasterd for us):

systemctl restart puppet

Puppet agents

From this point, puppet agents no longer complain about the puppetmasterd cert, but they still warn that the CA itself is about to expire:

Warning: Certificate 'Puppet CA: puppetmasterd.domain.com' will expire on 2019-05-06T12:12:56GMT

But since the new ca_crt.pem is now in place on the puppetmasterd/foreman side, we can simply distribute it to the clients (through puppet, ansible or whatever else) and they keep working. On each agent the file to replace is the CA copy in its ssldir:

cd /var/lib/puppet/ssl/certs
mv ca.pem ca.pem.old

Now distribute the new ca_crt.pem as ca.pem there. The puppet snippet for this (in our puppet::agent class):

 file { '/var/lib/puppet/ssl/certs/ca.pem':
   source  => 'puppet:///puppet/ca_crt.pem',
   owner   => 'puppet',
   group   => 'puppet',
   require => Package['puppet'],
 }

The next time you run puppet agent -t (or puppet contacts puppetmasterd on its own schedule) the agent replaces the file, and from the following run on the warning is gone:

Info: Computing checksum on file /var/lib/puppet/ssl/certs/ca.pem
Info: /Stage[main]/Puppet::Agent/File[/var/lib/puppet/ssl/certs/ca.pem]: Filebucketed /var/lib/puppet/ssl/certs/ca.pem to puppet with sum c63b1cc5a39489f5da7d272f00ec09fa
Notice: /Stage[main]/Puppet::Agent/File[/var/lib/puppet/ssl/certs/ca.pem]/content: content changed '{md5}c63b1cc5a39489f5da7d272f00ec09fa' to '{md5}e3d2e55edbe1ad45570eef3c9ade051f'

Hope it helps