Uly.me

cloud engineer

Archives for January 2021

Install OpenJDK 8

January 31, 2021

Here are the installation instructions for OpenJDK 8.

For Fedora, Red Hat and Oracle Linux.

yum install java-1.8.0-openjdk

For Debian and Ubuntu.

apt-get install openjdk-8-jre

To check that the packages are there, look for their symbolic links in /etc/alternatives/, at least on Red Hat 7.

ls -l /etc/alternatives/

Filed Under: Misc Tagged With: 1.8.0, centos, java, jdk, jre, redhat, ubuntu

Restart RPC GSSD Service

January 31, 2021

If a Linux user is having an access problem with an NFS share, particularly a key expiration error, check whether the RPC GSSD service is up and running. NFS clients use the RPCSEC_GSS protocol to establish security credentials with an NFS server using Kerberos authentication.

Here’s an example of a key expired error caused by an NFS client that is not properly authenticated.

df -h
df: '/data/dir1': Key has expired
df: '/data/dir2': Key has expired
df: '/data/dir3': Key has expired

Check if RPC GSSD service is healthy. Restart the service if there are credential errors.

service rpc-gssd status

Here’s one with an authentication issue.

[root@server ~]# service rpc-gssd status
Redirecting to /bin/systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Sun 2021-01-31 03:16:43 CST; 2h 14min ago
 Main PID: 710 (rpc.gssd)
   Memory: 1.6M
   CGroup: /system.slice/rpc-gssd.service
           └─710 /usr/sbin/rpc.gssd
 
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com

Restart the service.

service rpc-gssd stop
service rpc-gssd start

Here’s a service that’s healthy.

[root@server ~]# service rpc-gssd status
Redirecting to /bin/systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Sun 2021-01-31 05:33:54 CST; 28min ago
  Process: 9809 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 9810 (rpc.gssd)
   Memory: 804.0K
   CGroup: /system.slice/rpc-gssd.service
           └─9810 /usr/sbin/rpc.gssd
 
Jan 31 05:33:54 server.domain.com systemd[1]: Starting RPC security service for NFS client and server...
Jan 31 05:33:54 server.domain.com systemd[1]: Started RPC security service for NFS client and server.
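
The check described in this post, as an added example that is not part of the original post: a shell function (gssd_cred_report is a hypothetical name) that summarizes rpc.gssd credential errors from status or journal text. The sample log is constructed, modelled on the status output shown above.

```bash
#!/bin/bash
# Added example, not from the original post. gssd_cred_report is a
# hypothetical name. Reads status/journal text on stdin and prints:
#   keytab_errors=<n>            lines with "no usable keytab entry found"
#   no_credentials <server> <n>  failed connections per NFS server
gssd_cred_report() {
  awk '
    /rpc\.gssd\[[0-9]+\]: ERROR:/ {
      if ($0 ~ /no usable keytab entry found/) keytab++
      if (match($0, /No credentials found for connection to server [^ ]+/)) {
        # the server name is the last word of the matched message
        n = split(substr($0, RSTART, RLENGTH), w, " ")
        servers[w[n]]++
      }
    }
    END {
      printf "keytab_errors=%d\n", keytab
      for (s in servers) printf "no_credentials %s %d\n", s, servers[s]
    }
  '
}

# Constructed sample modelled on the output in the post.
sample_log='Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found
Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com
Jan 31 05:33:54 server.domain.com systemd[1]: Started RPC security service for NFS client and server.'

printf '%s\n' "$sample_log" | gssd_cred_report
```

On a live client, pipe the output of journalctl -u rpc-gssd into the function instead of the sample.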

Filed Under: Linux Tagged With: client, gssd, kerberos, nfs, rpc

AWS EC2 List Firewall Rules

January 26, 2021

AWS EC2 firewall rules are defined within security groups, which are attached to an instance. An instance can have up to 5 security groups. This script gathers all the security groups associated with an instance, loops through them, and writes the ingress and egress rules of each security group to a file in text format.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
: > "$output"
# get sg ids, one per line
aws ec2 describe-instances \
--instance-ids "$instanceid" \
--region "$region" \
--profile "$profile" \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > "$tmpfil"
# write each rule as: FromPort ToPort IpProtocol CidrIp
# note: the query keeps only the first IPv4 CIDR of a rule; a rule whose
# source is another security group or an IPv6 range shows None in that column
while read -r id; do
  echo '============================================' >> "$output"
  echo "$id" >> "$output"
  echo '============================================' >> "$output"
  echo '---------------- INGRESS -------------------' >> "$output"
  aws ec2 describe-security-groups \
  --group-ids "$id" \
  --profile "$profile" \
  --region "$region" \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> "$output"
  echo '---------------- EGRESS --------------------' >> "$output"
  aws ec2 describe-security-groups \
  --group-ids "$id" \
  --profile "$profile" \
  --region "$region" \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> "$output"
done < "$tmpfil"

Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32
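
An added example, not part of the original post: a shell function (sg_audit is a hypothetical name) that reads the log format this script writes and lists the rules worth a second look. The port-span threshold of 1024 and the sample rows are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. sg_audit is a hypothetical name.
# Reads the ec2-sg.log format on stdin and prints one line per rule to review:
#   <sg-id> <direction> <reason> <from>-<to>/<proto> <cidr>
sg_audit() {
  awk '
    /^=+$/            { next }                  # separator lines
    /^sg-/            { sg = $1; next }         # security group header
    /^-+ INGRESS -+$/ { dir = "ingress"; next }
    /^-+ EGRESS -+$/  { dir = "egress"; next }
    NF >= 4 {
      rule = $1 "-" $2 "/" $3 " " $4
      # rule applies to any IPv4 address
      if ($4 == "0.0.0.0/0") print sg, dir, "open-to-any", rule
      # no IPv4 CIDR logged: the peer is a security group or an IPv6 range
      if ($4 == "None") print sg, dir, "no-ipv4-cidr", rule
      # protocol -1 means all protocols and ports; otherwise flag a port
      # span of 1024 or more (assumed threshold)
      if ($3 == "-1")           print sg, dir, "all-protocols", rule
      else if ($2 - $1 >= 1024) print sg, dir, "wide-port-range", rule
    }
  '
}

# Constructed sample in the format of the output shown in the post.
sample_sg_log='============================================
sg-0example
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
22      22      tcp     0.0.0.0/0
---------------- EGRESS --------------------
40000   65535   udp     10.0.0.0/8
None    None    -1      0.0.0.0/0
443     443     tcp     None'

printf '%s\n' "$sample_sg_log" | sg_audit
```

Against a real log, run sg_audit < ec2-sg.log after the script above has finished.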

Filed Under: Cloud Tagged With: aws, cli, ec2, firewall, output, security groups, text
