External Mapping of LDAP attributes in CAS
One of the attractive features of CAS is its ability to pass LDAP attributes to a specified application via SAML. This functionality is becoming more heavily used by our web developers, creating demand for more and more attributes to be mapped. An issue arose from this: CAS must be rebuilt every time a new attribute is to be mapped. The solution was to externalize the resultAttributeMapping property to a configuration file, which can be achieved through the use of the Spring util schema.
Add the schema to deployerConfigContext.xml:
xmlns:util="http://www.springframework.org/schema/util"
Append the following to schemaLocation:
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
The resultAttributeMapping property (in deployerConfigContext) will look like this:
<property name="resultAttributeMapping">
    <util:properties id="attr" location="file:/etc/cas/ldap.attributes" />
</property>
Your attributes file cannot contain other property configurations, due to how the file is referenced. It is a collection that follows the form: key=value, with each entry placed on its own line. Here is an example ldap.attributes property file:
cn=cn
uid=ssoid
givenname=givenName
mail=email
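As an added example (not code from the original post or from CAS), the Python below loads a key=value attributes file like the one above and applies it to a constructed LDAP entry the way resultAttributeMapping renames attributes before release: only mapped attributes are passed on, under their mapped names, and duplicate keys in the file are rejected. The sample entry and parser are illustrative assumptions, not CAS internals.

```python
"""Added example, not CAS code: load a resultAttributeMapping file (key=value
per line) and apply it to an LDAP entry, releasing only mapped attributes."""

# Constructed sample with the same content as the post's /etc/cas/ldap.attributes.
SAMPLE_PROPERTIES = """\
# LDAP attribute = attribute name released to the application
cn=cn
uid=ssoid
givenname=givenName
mail=email
"""
# Constructed sample entry as a directory would return it; 'sn' is deliberately unmapped.
SAMPLE_ENTRY = {
    "cn": ["Jane Doe"],
    "uid": ["jdoe"],
    "givenname": ["Jane"],
    "sn": ["Doe"],
}

def parse_properties(text):
    """Parse the .properties subset util:properties reads here: one key=value (or
    key:value) per line, '#'/'!' comments and blank lines ignored, no duplicate keys."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not seps:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, line))
        sep = min(seps)
        key, value = line[:sep].strip(), line[sep + 1:].strip()
        if not key or not value:
            raise ValueError("line %d: empty key or value" % lineno)
        if key in mapping:
            # java.util.Properties would silently keep the last one; fail loudly instead.
            raise ValueError("line %d: duplicate LDAP attribute %r" % (lineno, key))
        mapping[key] = value
    return mapping

def release_attributes(entry, mapping):
    """Return (released, missing): released holds only mapped attributes, renamed;
    missing lists mapped LDAP attributes the entry does not carry (worth logging)."""
    released, missing = {}, []
    for ldap_name, released_name in mapping.items():
        if ldap_name in entry:
            released[released_name] = list(entry[ldap_name])
        else:
            missing.append(ldap_name)
    return released, missing
```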
OpenLDAP: Bootstrapping a minimal cn=config
Here is how to bootstrap OpenLDAP’s slapd with an absolutely minimal configuration, without needing an intermediate slapd.conf, with one feature — the local root user (uid=0/gid=0) has “manage” access. From this point, ldapmodify can be used via ldapi to continue making configuration changes. This is a good way to start a new server configuration.
Bootstrap:
$> echo 'dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: to dn.subtree="cn=config" by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
' | slapadd -n0 -F slapd.d
Start slapd:
#> slapd -F slapd.d -h ldapi://foo
Make changes via ldapmodify:
#> ldapmodify -Y EXTERNAL -H ldapi://foo ...
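As an added example (not the post's own code), the Python below renders the two bootstrap entries above as well-formed LDIF (RFC 2849 base64 and line-folding rules, one blank line between entries, which slapadd needs) and audits the olcAccess value so that "manage" is granted to the local root peercred identity and nothing else. The entry list and identity string mirror the post; the helper names are this example's own.

```python
"""Added example, not the post's own code: render the cn=config bootstrap entries
as well-formed LDIF and audit the olcAccess rule for unexpected 'manage' grants."""
import base64

# Identity slapd derives for a uid 0/gid 0 client over ldapi (SASL EXTERNAL), as in the post.
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# The same two entries the post pipes into slapadd, as (dn, [(attribute, value), ...]).
BOOTSTRAP_ENTRIES = [
    ("cn=config", [("objectClass", "olcGlobal"), ("cn", "config")]),
    ("olcDatabase={0}config,cn=config", [
        ("objectClass", "olcDatabaseConfig"),
        ("olcDatabase", "{0}config"),
        ("olcAccess", 'to dn.subtree="cn=config" by dn=%s manage by * none' % ROOT_PEERCRED),
    ]),
]

def ldif_line(attr, value):
    """One attribute line: base64 ('::') when RFC 2849 requires it, folded at 76
    columns with a single-space continuation on each following line."""
    needs_b64 = value[:1] in (" ", ":", "<") or value.endswith(" ") \
        or "\n" in value or not value.isascii()
    if needs_b64:
        line = "%s:: %s" % (attr, base64.b64encode(value.encode()).decode())
    else:
        line = "%s: %s" % (attr, value)
    folded, rest = [line[:76]], line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)

def render_ldif(entries):
    """DN first, then attributes; entries separated by exactly one blank line,
    which the echo'd one-liner in the post must contain for slapadd to accept it."""
    blocks = ["\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs])
              for dn, attrs in entries]
    return "\n\n".join(blocks) + "\n"

def manage_grants(olc_access):
    """Return the <who> clauses granted 'manage'. For the bootstrap rule this must be
    exactly ['dn=' + ROOT_PEERCRED]; anything else widens write access to cn=config."""
    clauses = [c.strip().rsplit(" ", 1) for c in olc_access.split(" by ")[1:]]
    return [who for who, access in clauses if access == "manage"]
```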
Need a quick proxy via SSH?
Need access to a web site, tucked behind a firewall? Do you already have a public SSH server set up to allow access, but not sure how to tunnel your HTTP session? It’s easy!
ssh -N -D 127.0.0.1:8000 <user>@<ssh server fqdn>
That command sets up a SOCKS4/SOCKS5 proxy on your local machine. Just configure your browser/OS settings to use 127.0.0.1:8000 as a SOCKS proxy, and you can now access any site that your SSH server can reach.
When Linux Hangs or Completely Freezes
There’s a great post about using special keyboard combinations to unjam a frozen Linux box here. Also, the same information is available in Wikipedia.
July 1 2012 Linux problems? High CPU/Load? Probably caused by the Leap Second!
(Update posted, see below)
As posted in multiple places around the web:
Debian
/etc/init.d/ntp stop
date `date +"%m%d%H%M%C%y.%S"`
Red Hat
/etc/init.d/ntpd stop
date `date +"%m%d%H%M%C%y.%S"`
Update:
This first manifested itself for us in our Java stacks — all of our (dual processor) Tomcat servers were running at a load of 30-40. However, this is a known (and fixed) kernel bug:
Apparently, simply forcing a reset of the date is enough to fix the problem:
date -s "`date`"
Build a PaaS using Open Source Software
Discussion about OpenShift. OpenShift has been fully open-sourced, available on GitHub for local deployment, or directly usable as a hosted solution.
Rule #1: IaaS != PaaS
Virtual machines to applications are not necessarily 1:1.
Rule #2: PaaS is not a silver bullet
Great for self-service deployment of applications and varied, volatile workloads (development, testing, scale-up/out), with tightly constrained application rules — which implies standardized deployments from a template.
Rule #3: PaaS is about developers — AND OPERATIONS!!!!
Operations becomes about capacity planning, not ticket-driven activities.
Rule #4: Be ready to learn
Developers want language variety, scaling models, and integration models — and they want it automagically.
Operations want multi-tenancy, familiar installation, and sane configurations — all reproducible.
What is an application?
Runtime (OpenShift cartridges)
Code (One Git repository per application)
Creating an App
The rhc tools are used to create a namespace (domain), then an application space which includes a name and cartridge type, and push the code.
What do you get from public OpenShift?
A slice of the server, a private Git repository, deployment access.
The PaaS service is comprised of a Broker (director front-end, RESTful) and Nodes. Each node has multiple “gears” (containers secured with SELinux, constrained with cgroups, and isolated with Kernel namespaces and Bind Mounts).
Extending OpenShift
Custom DNS plugins, auth plugins, security policies, and community cartridges. Quick-start frameworks can be offered to the community too.
LXC and SELinux are the future for isolating and securing OpenShift…
… but right now, there are many moving parts being used to provide isolation and security.
PaaS demands a new security model
DAC just won’t cut it; it is too complicated for PaaS. MAC (SELinux!) is necessary.
Step 1 – Unlearn this (and embrace SELinux)!
setenforce 0
Step 2 – Learn the ‘Z’ (to see SELinux contexts)
ls -lZ
ps -efZ
(Review of SELinux contexts and syntax provided)
http://fedoraproject.org/wiki/SELinux
Demo – deployment of WordPress to OpenShift, in a VirtualBox LiveCD
The OpenShift QuickStart is available here: https://github.com/openshift/wordpress-example
KVM Technology Review and Roadmap Update
- KVM is a relatively small piece of code, leveraging Linux for much functionality. This makes KVM easy to secure and very flexible in meeting future needs.
- Leveraging Linux means that KVM automatically gains the power of Linux’s hardware support, memory management, network utilities, cgroups, SELinux, etc.
- Features: RHEL6.3 KVM has all the features of modern hypervisors, without needing 3rd party tools: live snapshots, virtualized disk drivers (VIRTIO), live migration, live block migration, USB passthrough, guest power management, etc.
- Performance: RHEL 6.3 + KVM holds the top 7 SPECvirt spots on HP and IBM hardware, with metrics showing ~20%+ better performance than VMware.
- Single Guest Scalability: Now supports 160 vCPUs and 2TB RAM per guest (with no additional licensing costs!)
- RHEL 7.0 will include virtual PCI bridges and will have a new Virtio-SCSI block device, enabling thousands of devices per virtual machine.
- RHEV scales up to 200 host nodes per cluster.
- Compare the above numbers with VMware.
- KVM has achieved a world record IOPS: 1,402,720 IOPS on an IBM x3850 X5 for 8KB requests using 7 SCSI pass-through devices. For 1KB requests, it can achieve 1.65M IOPS.
- RHEV 7 will support Windows power virtualization
- RHEL 6.3 brings vCPU and memory hotplug to guests
- KVM has achieved CC-EAL4+ certification with RHEV 5, and is in the process of certification with RHEV 6, with sVirt (SELinux wrapped around guests).
- Decommissioned guest storage can be scrubbed, meeting PCI-DSS standards.
- Open Virtualization Alliance promotes open source virtualization and KVM ecosystem.