Install and Configure Grafana in RHEL 7

Step 1 – Download & Install Grafana
Download the Grafana RPM file for Linux from https://grafana.com/grafana/download?platform=linux

# RHEL 7

$ sudo yum install initscripts fontconfig -y
$ wget https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-5.2.2-1.x86_64.rpm
$ sudo yum localinstall grafana-5.2.2-1.x86_64.rpm

Step 2 – Understand Grafana Installation details in RHEL/CENTOS

  1. Installs binary to /usr/sbin/grafana-server
  2. Copies init.d script to /etc/init.d/grafana-server
  3. Installs default file (environment vars) to /etc/sysconfig/grafana-server
  4. Copies configuration file to /etc/grafana/grafana.ini
  5. Installs systemd service (if systemd is available) named grafana-server.service
  6. The default configuration uses a log file at /var/log/grafana/grafana.log
  7. The default configuration specifies an sqlite3 database at /var/lib/grafana/grafana.db

Step 3 – Start the server (init.d service)

$ sudo service grafana-server start

This starts the grafana-server process as the grafana user, which is created during package installation. The default HTTP port is 3000, and the default user and group is admin.

Step 4 – Configure the Grafana server to start at boot time

$ sudo /sbin/chkconfig --add grafana-server
$ sudo systemctl enable grafana-server.service
$ systemctl daemon-reload
$ systemctl start grafana-server
$ systemctl status grafana-server

Step 5 – Grafana server Environment file
The systemd service file and init.d script both use the file located at /etc/sysconfig/grafana-server for environment variables used when starting the back-end. Here you can override log directory, data directory and other variables.

Step 6 – Grafana server Log
By default Grafana will log to /var/log/grafana

Step 7 – Grafana Database
The default configuration specifies a sqlite3 database located at /var/lib/grafana/grafana.db. Please back up this database before upgrades.

You can also use MySQL or Postgres as the Grafana database, as detailed on
http://docs.grafana.org/installation/configuration/#database

Step 8 – Grafana configuration
The configuration file is located at /etc/grafana/grafana.ini. Go to the Configuration page for details on all those options. You can add the following data sources:

  1. Graphite
  2. InfluxDB
  3. OpenTSDB
  4. Prometheus

Step 9 – Server side image rendering
Server side image (png) rendering is a feature that is optional but very useful when sharing visualizations, for example in alert notifications.

$ sudo yum install fontconfig -y
$ sudo yum install freetype* -y
$ sudo yum install urw-fonts -y


Step 10 – Browse the dashboard
http://X.X.X.X:3000/
Username – admin
Password – admin
These are the default credentials; change the admin password after the first login.


What is SELinux and how is SELinux used in Docker?

There are three popular solutions for implementing access control in Linux:

  1. SELinux
  2. AppArmor
  3. GrSecurity

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. It is designed to protect the server against misconfigurations and/or compromised daemons. By defining a security policy, it limits which files server daemons or programs can access and which actions they can take.

SELinux is an implementation of Mandatory Access Control (MAC). It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows the server admin to define permissions for all processes. It defines how all processes can interact with other parts of the server such as:

  • Pipes
  • Files
  • Network ports
  • Sockets
  • Directories
  • Other processes

SELinux puts restrictions on each of the above objects according to a policy. For example, an apache user with full permission can only access the /var/www/html directory, but cannot touch other parts of the system such as the /etc directory without policy modification. If an attacker manages to gain access to the sendmail mail, BIND DNS or Apache web server, they only have access to the exploited server and the files it normally has access to, as defined in the policy for that server. An attacker cannot access the other parts of the system or the internal LAN. In other words, damage is restricted to the particular server and files. The cracker will not be able to get a shell on your server via common daemons such as Apache / BIND / Sendmail, as SELinux offers the following security features:

  • Protect users’ data from unauthorized access.
  • Protect other daemons or programs from unauthorized access.
  • Protect network ports / sockets / files from unauthorized access.
  • Protect server against exploits.
  • Avoid privilege escalation and much more.

Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as

  • Implementing firewalls policy.
  • Server monitoring.
  • Patching the system on time.
  • Writing and securing cgi/php/python/perl scripts.

The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode.

SETTING OF SELINUX
SELinux can be set to one of three modes.

Enforcing – SELinux security policy is enforced. If this is set, SELinux is enabled and enforces the SELinux policies strictly.

Permissive – SELinux prints warnings instead of enforcing. This setting just gives a warning when any SELinux policy setting is breached.

Disabled – No SELinux policy is loaded. This totally disables SELinux policies.

SELinux policies
SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, two kinds of SELinux policy exist:

Targeted – The targeted policy is designed as a policy where most processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy.

Strict – The strict policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy.

To put SELinux into enforcing mode:

$ sudo setenforce 1

To query the SELinux status:

$ getenforce

To see the SELinux status in a simplified way, use sestatus:

$ sestatus

To get more detailed information, including the current state of the SELinux booleans, use the -b option with sestatus:

$ sestatus -b

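How to disable SELinux?

We can do it in two ways:

1) Permanent way: edit /etc/selinux/config and change the value of SELINUX from enforcing to disabled, that is, change
SELINUX=enforcing
to
SELINUX=disabled
Save the file and exit. The change takes effect at the next reboot.

2) Temporary way: execute one of the commands below as root. This switches SELinux to permissive mode until the next reboot. On RHEL/CentOS 7 the file is /sys/fs/selinux/enforce rather than /selinux/enforce.
echo 0 > /selinux/enforce
or
setenforce 0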

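How about enabling SELinux?

1) Permanent way: edit /etc/selinux/config and change the value of SELINUX from disabled to enforcing, that is, change
SELINUX=disabled
to
SELINUX=enforcing
Save the file and exit. The change takes effect at the next reboot.

2) Temporary way: execute one of the commands below as root. This only switches between permissive and enforcing; it cannot turn SELinux on for a system that booted with SELINUX=disabled. On RHEL/CentOS 7 the file is /sys/fs/selinux/enforce rather than /selinux/enforce.
echo 1 > /selinux/enforce
or
setenforce 1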
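
The permanent and temporary settings above can disagree: a host whose config file says enforcing may be running permissive after a setenforce 0. The check below is an added example, not part of the original post; the function names selinux_config_mode and selinux_drift and the result keywords are made up for illustration, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: compare the mode stored in /etc/selinux/config with the
# running mode reported by getenforce. Function names are illustrative.

# Print the SELINUX= value of a config file in lower case.
# Comment lines and SELINUXTYPE= do not match the pattern.
selinux_config_mode() (
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" 2>/dev/null |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
)

# Classify a (configured, running) pair; $2 is getenforce output.
selinux_drift() (
    cfg=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg:$run" in
        enforcing:enforcing)   echo "ok" ;;
        enforcing:permissive)  echo "runtime-weakened" ;;  # setenforce 0 was run
        permissive:enforcing)  echo "not-persistent" ;;    # setenforce 1 only, lost at reboot
        permissive:permissive) echo "permissive" ;;
        disabled:disabled)     echo "disabled" ;;
        disabled:enforcing|disabled:permissive)
                               echo "disabled-at-next-boot" ;;
        enforcing:disabled|permissive:disabled)
                               echo "reboot-required" ;;   # config edited, no policy loaded yet
        *)                     echo "unknown" ;;
    esac
)

# Constructed sample config, checked against a constructed runtime value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
echo "sample: $(selinux_drift "$(selinux_config_mode "$sample")" Permissive)"
rm -f "$sample"

# On a real host:
#   selinux_drift "$(selinux_config_mode)" "$(getenforce)"
```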

Now let's understand Docker with SELinux
The interaction between SELinux policy and Docker is focused on two concerns: protection of the host, and protection of containers from one another.

SELinux labels consist of 4 parts:

User:Role:Type:level.

SELinux controls access to processes by Type and Level. Docker offers two forms of SELinux protection: type enforcement and multi-category security (MCS) separation.
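
To make the four-part label and MCS separation concrete, the added example below (not part of the original post) splits labels and compares the categories of two processes. The labels are constructed; on a real host they can be read with ps -eZ or docker inspect --format '{{ .ProcessLabel }}'. The function names are illustrative, and category ranges such as c0.c1023 are not expanded.

```shell
#!/bin/sh
# Added example: split SELinux labels (User:Role:Type:Level) and compare
# the MCS categories of two container processes. Names are illustrative.

# label_field LABEL user|role|type|level
# The level is everything after the third colon, e.g. "s0:c57,c902".
label_field() (
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
    esac
)

# mcs_categories LABEL -> sorted, comma-joined categories (empty if none)
mcs_categories() (
    level=$(label_field "$1" level)
    case "$level" in
        *:*) printf '%s\n' "${level#*:}" | tr ',' '\n' | sort | paste -sd, - ;;
        *)   echo "" ;;
    esac
)

# compare_containers LABEL_A LABEL_B -> one keyword describing the separation
compare_containers() (
    ta=$(label_field "$1" type); tb=$(label_field "$2" type)
    ca=$(mcs_categories "$1");   cb=$(mcs_categories "$2")
    if [ -z "$ca" ] || [ -z "$cb" ]; then
        echo "no-mcs"            # at least one process carries no categories
    elif [ "$ca" = "$cb" ]; then
        echo "same-categories"   # MCS does not separate these two
    elif [ "$ta" = "$tb" ]; then
        echo "mcs-separated"     # same type, isolation comes from the categories
    else
        echo "different-types"   # type enforcement and MCS both differ
    fi
)

# Constructed labels for two containers started with default options.
A='system_u:system_r:container_t:s0:c57,c902'
B='system_u:system_r:container_t:s0:c214,c611'
echo "type=$(label_field "$A" type) level=$(label_field "$A" level)"
echo "A vs B: $(compare_containers "$A" "$B")"
```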

Docker has the --selinux-enabled flag set by default in CentOS 7.4.1708. However, in case your image or your configuration management tool is disabling it, as was the case for our puppet module, you can verify this by running the following command:

$ docker info | grep 'Security Options'

[root@ip-172-31-80-30 ec2-user]# more /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reference
https://www.cyberciti.biz/faq/what-is-selinux/
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
http://jaormx.github.io/2018/selinux-and-docker-notes/


Configuring NFS to access the files from remote Linux machine as a mount point

I have 2 TB of storage on a Linux box, and I want to use that storage as a mount point from another machine.

As the root user on the remote machine, specify the mount point details in /etc/exports:

$ cat /etc/exports
/scratch *(rw)
/fusionapps *(rw,no_root_squash)

Here * exports the directory to every host, and no_root_squash lets root on a client act as root on the exported files.

Then restart NFS and check its status (all services should be in running condition):

$ sudo /etc/rc.d/init.d/nfs restart
$ sudo /etc/rc.d/init.d/nfs status

On the local machine, perform the following steps:

1. Create the stage dir under / as the root user and assign 777 permissions.
2. Add the entry to the /etc/fstab file:
slcai664.us.oracle.com:/fusionapps /stage nfs rw,hard,nointr,rsize=131072,wsize=131072,timeo=600,noacl,noatime,nodiratime,lock 0 0
3. Then try “mount -a”.

If there are any mount point issues, for example you are not able to modify the files even as the root user and you see

Unable to mount Read-Only file System

then use

$ sudo mount -n -o remount,rw /
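
An added check, not part of the original post, that flags the two settings in the /etc/exports file above that matter most for access control: a * client with rw, and no_root_squash. The function name audit_exports and the finding names are illustrative; the third sample line (client 192.0.2.10) is constructed to show an entry that passes.

```shell
#!/bin/sh
# Added example: flag risky entries in an NFS exports file.
# Assumes one export per line in the form: path client(opts) [client(opts) ...]

# audit_exports FILE -> one line per finding: "<path> <client> <finding>"
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"    # "(rw)" with no host means every host
            n = split(opts, o, ",")
            rw = 0; nrs = 0
            for (k = 1; k <= n; k++) {
                if (o[k] == "rw") rw = 1
                if (o[k] == "no_root_squash") nrs = 1
            }
            if (client == "*" && rw) print path, client, "world-writable-export"
            if (nrs)                 print path, client, "no_root_squash"
        }
    }' "$1"
}

# The two export lines from the post, plus one constructed restricted entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/scratch *(rw)
/fusionapps *(rw,no_root_squash)
/fusionapps 192.0.2.10(rw,root_squash)
EOF
audit_exports "$sample"
rm -f "$sample"
```

Run it as audit_exports /etc/exports on the NFS server; an empty result means neither pattern was found.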

Linux User Management

ac – Print statistics about users’ connect time.
accton – Turn on accounting of processes. To turn it on type “accton /var/log/pacct”.
adduser – Ex: adduser mark – Effect: Adds a user to the system named mark.
chage – Used to change the time the user’s password will expire.
chfn – Change the user full name field in the finger information.
chgrp – Changes the group ownership of files.
chown – Change the owner of file(s) to another user.
chpasswd – Update password file in batch.
chroot – Run command or interactive shell with special root directory.
chsh – Change the login shell.
edquota – Used to edit user or group quotas. This program uses the vi editor to edit the quota.user and quota.group files. If the environment variable EDITOR is set to emacs, the emacs editor will be used. Type “export EDITOR=emacs” to set that variable.
faillog – Examine faillog and set login failure limits.
finger – See what users are running on a system.
gpasswd – Administer the /etc/group file.
groupadd – Create a new group.
grpck – Verify the integrity of group files.
grpconv – Creates /etc/gshadow from the file /etc/group which converts to shadow passwords.
grpunconv – Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow which converts from shadow passwords.
groupdel – Delete a group.
groupmod – Modify a group.
groups – Print the groups a user is in.
id – Print real and effective user id and group ids.
last – Display the last users logged on and how long.
lastb – Shows failed login attempts. This command requires the file /var/log/btmp to exist in order to work. Type “touch /var/log/btmp” to begin logging to this file.
lastcomm – Display information about previous commands in reverse order. Works only if process accounting is on.
lastlog – Formats and prints the contents of the last login.
logname – Print user’s login name.
newgrp – Lets a user log in to a new group.
newusers – Update and create new users in batch.
passwd – Set a user’s password.
pwck – Verify integrity of password files.
pwconv – Convert to and from shadow passwords and groups.
quota – Display users’ limits and current disk usage.
quotaoff – Turns system quotas off.
quotaon – Turns system quotas on.
quotacheck – Used to check a filesystem for usage, and update the quota.user file.
repquota – Lists a summary of quota information on filesystems.
sa – Generates a summary of information about users’ processes that are stored in the /var/log/pacct file.
smbclient – Works similar to an ftp client enabling the user to transfer files to and from a Windows based computer.
smbmount – Allows a shared directory on a Windows machine to be mounted on the Linux machine.
smbpasswd – Program to change users’ passwords for Samba.
su – Ex: su mark – Effect: changes the user to mark. If not root, will need mark’s password.
sulogin – Single user login.
ulimit – A bash builtin command for setting the processes a user can run.
useradd – Create a new user or update default new user information.
userdel – Delete a user account and related files.
usermod – Modify a user account.
users – Print the user names of users currently logged in.
utmpdump – Used for debugging.
vigr – Edit the password or group files.
vipw – Edit the password or group files.
w – Display users logged in and what they are doing.
wall – Send a message to everybody’s terminal.
who – Display the users logged in.
whoami – Print effective user id.

Disable IPv6 and Enable IPv4 in Red Hat Linux

rajeshkumar created the topic: Disable IPv6 and Enable IPv4 in Red Hat Linux

Check the “disable_ipv6” file to see whether IPv6 is disabled. Enter:
[root@devops ~]# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0
If you get the value “0”, it means that IPv6 is enabled, and “1” means it is disabled.

How to disable IPv6 in a Linux system?
vim /etc/sysctl.conf

Add the below lines into that file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Save and close that file, then restart sysctl with the following command:

[root@devops ~]# sysctl -p

Now you can rerun the “ifconfig” command to check if IPv6 lines have been removed.

To Enable IPv4

Edit the “/etc/sysconfig/network-scripts/ifcfg-eth0” file, which is your default first NIC configuration file.

If you are using a DHCP server to get an IP address, edit it like this:

#vi /etc/sysconfig/network-scripts/ifcfg-eth0

ONBOOT="yes"
BOOTPROTO="dhcp"

Save and restart the networking service:

#service network restart
OR
#/etc/init.d/network restart
Regards,
Rajesh Kumar
Twitt me @ twitter.com/RajeshKumarIn


How to access windows share folder from linux

scmuser created the topic: How to access windows share folder from linux

Hi,

Can you tell me How to access windows share folder from linux?

Regards,
scm

scmuser replied the topic: Re:How to access windows share folder from linux

I found solution 1:

Press Alt+f2 and put following shared link such as smb://10.4.40.88/Share in the text box and Run…

scmuser replied the topic: Re:How to access windows share folder from linux

To test whether Samba is installed or not…

type following command…
testparm /etc/samba/smb.conf

Testparm will parse your configuration file and report any unknown parameters or incorrect syntax. It also performs a check for common misconfigurations and will issue a warning if one is found.

chidamla replied the topic: Re:How to access windows share folder from linux
Samba is one method.

Another method is to execute an ftp service in any Windows server and configure the Windows share drive as the home folder in the ftp service. Connect Linux server to the ftp service to transfer files. This set-up is worth it when there needs to be frequent transfer of files.

For one-time transfers, use winscp tools.


List all the Groups and users in linux

scmuser created the topic: List all the Groups and users in linux
Hi,

How can we list out all the users in Linux?

How to list all the users created in a Linux machine?

rajeshkumar replied the topic: Re: List all the Groups and users in linux

Following command will work for you….

less /etc/passwd
less /etc/group

Regards,
Rajesh Kumar
Twitt me @ twitter.com/RajeshKumarIn


Nested for loop in Linux Shell Script

scmuser created the topic: Nested for loop in Linux Shell Script

As you see the if statement can be nested, similarly loop statement can be nested. You can nest the for loop. To understand the nesting of for loop see the following shell script.

$ vi nestedfor.sh
for (( i = 1; i <= 5; i++ )) ### Outer for loop ###
do
    for (( j = 1 ; j <= 5; j++ )) ### Inner for loop ###
    do
        echo -n "$i "
    done
    echo "" #### print the new line ###
done

Run the above script as follows:

$ chmod +x nestedfor.sh
$ ./nestedfor.sh
1 1 1 1 1
2 2 2 2 2
3 3 3 3 3
4 4 4 4 4
5 5 5 5 5

Here, for each value of i the inner loop is cycled through 5 times, with the variable j taking values from 1 to 5. The inner for loop terminates when the value of j exceeds 5, and the outer loop terminates when the value of i exceeds 5.

Following script is quite interesting, it prints the chess board on screen.

$ vi chessboard
for (( i = 1; i <= 9; i++ )) ### Outer for loop ###
do
    for (( j = 1 ; j <= 9; j++ )) ### Inner for loop ###
    do
        tot=`expr $i + $j`
        tmp=`expr $tot % 2`
        if [ $tmp -eq 0 ]; then
            echo -e -n "\033[47m "
        else
            echo -e -n "\033[40m "
        fi
    done
    echo -e -n "\033[40m" #### set back background colour to black
    echo "" #### print the new line ###
done

Run the above script as follows:

$ chmod +x chessboard
$ ./chessboard

Above shell script can be explained as follows:
