My next few blogs will take different confined domains and write about the types and booleans related to that domain; I will be updating the man pages for these confined domains and then showing how the policy for the domain works.

Samba has had a man page named samba_selinux available for some time; here is my rewrite for Fedora 7/8.

> man samba_selinux

samba_selinux(8)      Samba Selinux Policy documentation      samba_selinux(8)

NAME
       samba_selinux - Securing Samba with SELinux

DESCRIPTION
       Security-Enhanced  Linux  secures  the Samba server via flexible mandatory access control.  SELinux Samba policy defaults to least privilege access.  Several Booleans and file contexts are available to customize the way Samba SELinux works.

SHARING FILES
       SELinux requires that files be labeled with an extended attribute that defines the file type.  Policy governs the access daemons have to these files.  When sharing files with Samba you have many options on how to label the files.  If you want to share files/directories other than home directories or standard directories, you should label these files/directories as samba_share_t.  For example, if you created the directory /var/eng, you can label the directory and its contents with the chcon tool.

       # chcon -R -t samba_share_t /var/eng

       This label will not survive a relabel.  To make the change permanent, you must tell the SELinux system about the label customization.  The semanage command can customize the default file contexts on your machine; restorecon will then read the file context and apply it to the files and directories.

       # semanage fcontext -a -t samba_share_t '/var/eng(/.*)?'
       # restorecon -R -v /var/eng

SHARING HOME DIRECTORIES
       By default SELinux policy turns off Samba sharing of home directories.  If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.

       # setsebool -P samba_enable_home_dirs 1

SHARING PUBLIC FILES
       If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t or public_content_rw_t.  These contexts allow any of the above domains to read the content.  If you want a particular domain to write to content labeled public_content_rw_t, you must set the appropriate boolean, allow_DOMAIN_anon_write.  So for Samba you would execute:

       # semanage fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
       # restorecon -R -v /var/eng
       # setsebool -P allow_smbd_anon_write 1

SHARING FILE SYSTEM FILES
       Note: You should not do the above for standard directories or home directories, for example directories owned by an RPM.  If you wanted to share /usr via Samba, changing its context and all of its subdirectories to samba_share_t would be a bad idea: other confined domains would no longer be able to read /usr, and this would cause havoc on the machine.  There are two booleans that you can set to allow the sharing of standard directories.  If you want to share any standard directory read-only, you can set the boolean samba_export_all_ro.

       # setsebool -P samba_export_all_ro 1

       This boolean will allow Samba to read every file on the system.  Similarly, if you want to share all files and directories read/write via Samba, you set the samba_export_all_rw boolean.

       # setsebool -P samba_export_all_rw 1

       This boolean would allow Samba to read and write every file on your system.  So a compromised Samba server would be very dangerous.

SHARING PUBLIC NFS FILES
       SELinux prevents the Samba daemons from reading/writing NFS shares by default.  If you are using Samba to share NFS file systems, you need to turn on the samba_share_nfs boolean.

       # setsebool -P samba_share_nfs 1

USING CIFS/SAMBA HOME DIRECTORIES
       Samba  SELinux  policy will not allow any confined applications to access remote samba shares mounted on your machine.  If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.

       # setsebool -P use_samba_home_dirs 1

SAMBA Scripts
       Samba can be set up to run user-defined scripts.  By default, if you install these scripts in /var/lib/samba/scripts they will be labeled samba_unconfined_script_exec_t.  Since these scripts can do just about anything on the system, you can run them unconfined, but you need to turn on the samba_run_unconfined boolean.

       # setsebool -P samba_run_unconfined 1

       If you are willing to write policy, an interface exists in samba.if called samba_helper_template(APP).  This interface will create a file context of samba_APP_script_exec_t and a domain of samba_APP_script_t.  Samba will transition scripts labeled samba_APP_script_exec_t to samba_APP_script_t; you can then use audit2allow to write policy to confine your script.

USING SAMBA AS A DOMAIN CONTROLLER
       If you want to run Samba as a domain controller, i.e. add machines to the passwd file on a Linux box, you need to turn on the samba_domain_controller boolean.  This allows the Samba daemon to run and transition to the passwd, useradd, and groupadd utilities.  These tools can manipulate the passwd database.

GUI system-config-selinux
       system-config-selinux is a GUI tool available to customize all of the SELinux booleans and file contexts described above.

AUTHOR
       This manual page was written by Dan Walsh.

SEE ALSO
       selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restorecon(8)

                                                9 Nov 2007                  samba_selinux(8)
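As an added example (not part of Dan Walsh's man page), here is a POSIX shell audit of the Samba booleans the man page lists, grading each by the reach it gives smbd according to the page's own warnings. It reads `getsebool -a` output, so it also works on saved output; the sample input, the risk classes and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Audit the Samba-related SELinux booleans from samba_selinux(8) and flag the
# ones that widen smbd's reach the most. Input is `getsebool -a` style lines
# ("name --> on|off"), so saved output from another host can be fed in too.

# Constructed sample of `getsebool -a` output for hosts without SELinux;
# samba_export_all_rw is deliberately "on" to show a finding.
SAMPLE_GETSEBOOL='allow_smbd_anon_write --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_nfs --> off
use_samba_home_dirs --> off'

# risk_of NAME: risk class for a boolean, following the man page's own warnings
risk_of() {
  case "$1" in
    samba_export_all_rw|samba_run_unconfined) echo HIGH ;;      # smbd writes everywhere / unconfined scripts
    samba_export_all_ro|samba_domain_controller) echo MEDIUM ;; # reads everything / passwd tools
    samba_*|use_samba_*|allow_smbd_*) echo LOW ;;
    *) echo skip ;;                                             # not a Samba boolean
  esac
}

# audit_samba_booleans < getsebool-output: one line per Samba boolean;
# returns 1 if any HIGH-risk boolean is on, 0 otherwise
audit_samba_booleans() {
  bad=0
  while read -r name arrow state; do
    [ "$arrow" = '-->' ] || continue
    risk=$(risk_of "$name")
    [ "$risk" = skip ] && continue
    printf '%-28s %-3s %s\n' "$name" "$state" "$risk"
    if [ "$state" = on ] && [ "$risk" = HIGH ]; then bad=1; fi
  done
  return $bad
}

if command -v getsebool >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
  getsebool -a | audit_samba_booleans
else
  printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_samba_booleans
fi || echo 'WARNING: a high-risk Samba boolean is enabled; see samba_selinux(8)'
```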

Source: https://danwalsh.livejournal.com/14195.html

If you have a server or VPS and want to use it quickly and effectively as your own cloud storage server (like Google Drive, OneDrive, ...), the open-source ownCloud code base is a very good solution. This section shows how to install and use ownCloud running on Docker. The server therefore needs Docker; if it is not installed yet, follow the guide: Install Docker.

Introduction to ownCloud

ownCloud is an open-source client/server software system whose main function is remote file storage. ownCloud provides functions similar to the Dropbox, Google Drive, ... services you are already familiar with.

If you use services such as Google Drive or Dropbox to store and synchronize data across several machines, you may be limited by the free quota while your budget does not allow a paid plan; with your own ownCloud, the only limit is the disk capacity of your server.

Once you have ownCloud, you just use the client program it provides (available for Windows, Linux, macOS, iOS and Android) to store and synchronize data quickly and conveniently.

Installing ownCloud on the server

The official ownCloud Docker image is published under the name owncloud:latest; its very large number of downloads shows how popular it is.

Before installing, a brief look at the technologies it uses:

  • ownCloud runs on PHP source code
  • Files are transferred, modified and updated with WebDAV
  • Supported databases are SQLite, MySQL/MariaDB and PostgreSQL; MySQL is chosen here because it is the most common (SQLite may perform poorly once the data grows large).

The chosen installation layout is as follows:

  • ownCloud runs in a Docker container named c-owncloud, listening on a port I chose, 9898; file data is stored in a directory I chose, /owncloud/files (create this directory on the server first; you can create it anywhere, as long as it is shared so Docker can store data there. If you are testing on your own machine, go into Docker, set up directory sharing, then restart the Docker Engine).
  • The MySQL server runs in a container named c-mysql-owncloud, with the database stored in the HOST directory /owncloud/db (create this directory first).

Allow Docker to access the /owncloud/ directory (which contains files and db):

sudo chmod -R 777 /owncloud/

Now, using Docker Compose, create a docker-compose.yml in the host directory /owncloud/ with the following content:

version: '3.1'

services:
  owncloud:
    image: owncloud # creates the c-owncloud container
    restart: always
    container_name: c-owncloud
    ports:
      - 9898:80
    volumes:
      - /owncloud/files:/var/www/html  # map host directory /owncloud/files into the container
    networks:
      - owncloud-network

  mysql:
    image: mysql
    restart: always
    container_name: c-mysql-owncloud
    environment:
      MYSQL_ROOT_PASSWORD: abcxyz         # root password; replace with one of your own
    networks:
      - owncloud-network
    volumes:
      - /owncloud/db:/var/lib/mysql  # map host directory /owncloud/db into the container


networks:
  owncloud-network: # create the network
    driver: bridge

Now, from the owncloud directory, run the deployment command:

docker-compose up

After this command the two containers named c-owncloud and c-mysql-owncloud are created and running. You can press CTRL + C to stop following the logs. If the containers stop, just type

docker-compose start

Check that the two containers are running with docker ps


You will see two containers running; the c-owncloud container publishes port 9898, mapped to port 80, so you can reach it on that port (http://ip:9898, http://yourdomain.com:9898 or http://localhost:9898). MySQL publishes no port; it only listens on port 3306 and only the internal network can reach it.

Setting up MySQL

Before running the ownCloud installer, MySQL must be reconfigured to use the mysql_native_password authentication mechanism (this is MySQL 8, which uses a newer mechanism by default).

Enter the MySQL container and run these commands:

docker exec -it c-mysql-owncloud bash
apt-get update && apt-get install vim -y    # install vim
vim /etc/mysql/my.cnf                       # edit my.cnf

# Add to my.cnf, then save
[mysqld]
default-authentication-plugin=mysql_native_password

# log in to mysql with the password abcxyz
mysql -pabcxyz

# run the queries
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'abcxyz';
FLUSH PRIVILEGES;
exit;

# Leave the container and type this to restart
docker-compose restart

Proceed with the ownCloud installation: in a browser, open the host on port 9898 as set up above.

Enter the following information:

  • The admin account name to create, e.g. admin, and the password you want to set
  • Click Storage & Database to enter the MySQL connection details: choose MySQL, account name root, password abcxyz (as set above), the name of the database to create, e.g. owncloud, and the host: c-mysql-owncloud:3306

If the information is correct, click Finish setup; wait for the installation to complete and you will be taken to the login page. Log in with the admin account above, and you have your own Cloud Drive; all that is left is to share and sync files.
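As an added example (not from the xuanthulab tutorial), the following POSIX shell script renders the same two-container compose file with the MySQL root password pulled from a .env file rather than written into docker-compose.yml, and with the mysql_native_password plugin passed as a mysqld flag so the manual my.cnf/ALTER USER step is not needed; it then checks that only port 9898->80 is published, as the text above expects. It assumes the mysql:8.0 image and that docker ps is queried with --format '{{.Names}}\t{{.Ports}}'; the function names and sample output are this example's own.

```shell
#!/bin/sh
# Render the ownCloud + MySQL compose file with the root password taken from
# ./.env (compose substitutes ${MYSQL_ROOT_PASSWORD}) and mysqld started with the
# legacy auth plugin; then verify which ports the running containers publish.
# Assumption: mysql:8.0 image (the plugin flag no longer exists in 8.4).

# render_compose PORT FILES_DIR DB_DIR: print the compose file to stdout
render_compose() {
  port="$1"; files_dir="$2"; db_dir="$3"
  cat <<EOF
version: '3.1'
services:
  owncloud:
    image: owncloud
    restart: always
    container_name: c-owncloud
    ports:
      - "${port}:80"
    volumes:
      - ${files_dir}:/var/www/html
    networks:
      - owncloud-network
  mysql:
    image: mysql:8.0
    restart: always
    container_name: c-mysql-owncloud
    command: --default-authentication-plugin=mysql_native_password
    environment:
      MYSQL_ROOT_PASSWORD: \${MYSQL_ROOT_PASSWORD}   # value lives in ./.env, mode 600
    networks:
      - owncloud-network
    volumes:
      - ${db_dir}:/var/lib/mysql
networks:
  owncloud-network:
    driver: bridge
EOF
}

# check_exposure PORT < docker-ps-lines ("name<TAB>ports"): returns 1 if
# c-mysql-owncloud publishes any host port or c-owncloud lacks PORT->80
check_exposure() {
  want="$1"; bad=0; seen_web=0; tab=$(printf '\t')
  while IFS="$tab" read -r name ports; do
    case "$name" in
      c-mysql-owncloud) case "$ports" in *'->'*) echo "FAIL: $name publishes $ports"; bad=1 ;; esac ;;
      c-owncloud) case "$ports" in *":$want->80/tcp"*) seen_web=1 ;; esac ;;
    esac
  done
  [ "$seen_web" = 1 ] || { echo "FAIL: c-owncloud does not publish $want->80"; bad=1; }
  return $bad
}

if command -v docker >/dev/null 2>&1; then
  docker ps --format '{{.Names}}\t{{.Ports}}' | check_exposure 9898
else  # constructed sample of the expected deployment, used when no daemon is around
  printf 'c-owncloud\t0.0.0.0:9898->80/tcp\nc-mysql-owncloud\t3306/tcp, 33060/tcp\n' | check_exposure 9898
fi && echo 'port exposure OK'
```

Write the rendered file with `render_compose 9898 /owncloud/files /owncloud/db > docker-compose.yml` and put `MYSQL_ROOT_PASSWORD=...` in a root-only `.env` beside it.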


Installing the ownCloud Desktop Client

Now that you have an ownCloud server, if you want data to sync automatically (like the Google Drive, OneDrive, ... client software), go to the Download ownCloud Desktop Client page and find the ownCloud Desktop Client section.


Source: https://xuanthulab.net/cai-dat-owncloud-tao-dich-vu-luu-tru-dam-may-rieng-voi-docker.html


The best way is to use the command:

ipmipower --on -h hostname/oripaddressofidrac -u root -p password


ipmipower is in the freeipmi package:

dnf install freeipmi
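As an added example (not from this page's author or the answers below), here is the ipmipower command above wrapped as a cron-friendly POSIX shell script: it reads the current power state first so a host that is already on is left alone, and logs what it did. It assumes `ipmipower --stat` prints lines of the form "host: on" / "host: off", that the password sits in a root-only file, and that the variable and function names are this example's own.

```shell
#!/bin/sh
# Scheduled power-on of a server through its iDRAC with freeipmi's ipmipower,
# meant to be run from cron on another machine.
# Assumptions: `ipmipower --stat` prints "host: on" / "host: off"; IDRAC_HOST,
# IPMI_USER and IPMI_PASS_FILE are set in cron's environment (names are ours).

# parse_power_state HOST < stat-output: prints on|off, returns 1 if HOST absent
parse_power_state() {
  host="$1"
  while read -r name state; do
    [ "$name" = "$host:" ] || continue
    case "$state" in on|off) echo "$state"; return 0 ;; esac
  done
  return 1
}

# decide_action STATE: what the job should do for a parsed state
decide_action() {
  case "$1" in
    off) echo power-on ;;
    on)  echo already-on ;;
    *)   echo unknown; return 1 ;;
  esac
}

# scheduled_power_on HOST USER PASSFILE: query, decide, act, log
scheduled_power_on() {
  host="$1"; user="$2"; passfile="$3"
  # password comes from a root-only file; like the page's -p usage it is
  # still briefly visible in the process list while ipmipower runs
  state=$(ipmipower --stat -h "$host" -u "$user" -p "$(cat "$passfile")" \
          | parse_power_state "$host") || state=unknown
  action=$(decide_action "$state") || true
  logger -t idrac-poweron "$host state=$state action=$action"
  if [ "$action" = power-on ]; then
    ipmipower --on -h "$host" -u "$user" -p "$(cat "$passfile")"
  fi
}

# Constructed sample of --stat output, used for a dry run without ipmipower.
SAMPLE_STAT='idrac-r410.example: off'

if command -v ipmipower >/dev/null 2>&1 && [ -n "$IDRAC_HOST" ]; then
  scheduled_power_on "$IDRAC_HOST" "${IPMI_USER:-root}" "${IPMI_PASS_FILE:-/etc/idrac-pass}"
else
  st=$(printf '%s\n' "$SAMPLE_STAT" | parse_power_state idrac-r410.example)
  echo "dry run: state=$st action=$(decide_action "$st")"
fi
```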


Can I schedule machine boot via Dell iDRAC?


I have a Dell PowerEdge R410 with iDRAC 6 configured and accessible.

I know we'll be losing power at some point this weekend and I have a time that I would like to power on the machine again.

From the iDRAC GUI, can I schedule a boot-up time, or would I have to use a combination of an SSH script + the racadm commands from another machine to pull that off?

I've been looking around but I can't seem to find anything for it in the iDRAC GUI, which makes me think it may not be possible there.

Another possibility: does the iDRAC MAC respond well to WOL requests? If so, I could maybe have a powershell script run the Start-Computer command to send the WOL magic packets to the iDRAC? Not sure if this is a workable/best method.

Clarifications

  • In short, my goal is to bring this server up at a specified date/time.
  • The tools that I have at my disposal are:
    • Maybe a linux box in a failover building that could SSH in (not sure I'll have access to it)
    • My Win7 desktop (which may not be up)
    • I am familiar with PowerShell Scripting
    • I am minimally familiar with ssh (I understand it enough for basic tasks but have never had to automate it)
    • The iDRAC controller on the machine, which will presumably be up as soon as power returns.
    • anything available via the R410 BIOS (not sure if there is something like this)
  • I know the DRAC doesn't do power management -- I'm looking for a way to possibly use it to start up the machine (having a scheduled boot option in an iDRAC seems like it would naturally be a good fit, but I guess not)

As far as I know, iDRAC has no WOL; there is however WOL on the other network interfaces, but I wouldn't enable it if your machine is connected to the internet. I also doubt that iDRAC supports scheduled reboot. Your idea to use an SSH script is seemingly the best way to go.

  •  
    This does appear to be the case. I found an internal cloud datacenter to throw a management VM on and am using an SSH script on this to remote into the idrac and use racadm to send a powerup command to the server. It's working perfectly manually; working on the scheduled task aspect of it now. Thanks for the straightforward answer! This did end up being the way to go. – SeanKilleen Feb 7 '13 at 20:32


If power is cut hard in your environment, the UPS and your systems should return to their last power state... E.g. your servers should come up when power is restored... Unless you're talking about powering them off manually ahead of the power cut... but at that point (and if you know that timing), you should be able to schedule the power up again.

As for out-of-band management like the DRAC or HP's ILO, they are active on AC. There's no need for wake-on-LAN.

  •  
    I should clarify: Not worried about OOB on the DRAC -- looking to use the DRAC connection to power up the box itself in a scheduled manner. We are powering them off ahead of time and I do know when I want them to come up, but I won't be there, hence trying to schedule them to come up in the easiest way possible. – SeanKilleen Feb 7 '13 at 16:51


I have set up WOL on the R410 / IDRAC6 servers for similar reasons. The WOL is activated via a PowerShell script which wakes the servers in a very specific order, as we have clusters and servers which depend on other systems being available first. While unable to schedule a power up on individual servers, I accomplish this by having a locally connected workstation with this ability which in turn can then run the WOL PowerShell script to manage the power up and monitor progress of service / node startup. WOL was configured on one of the system NICs on each server and the MAC address recorded in a hosts file with the server ID. This was done through the BIOS NIC menus. The PowerShell script also logs progress and emails updates. While in ideal conditions all runs well, I have come across enough issues which have led me to insisting on being on site; some of these issues included electricians not completing work on time (late or partial power up) and system faults which only became visible following system power down and power up. The automated power up is still very valuable though, as it reduces the risk of failure from human error - a possible issue at 3AM! Hope this helps.


I know you mentioned WOL Magic Packets, but you also mentioned you have SSH at your disposal. Here's a way to power on a Dell with iDRAC using SSH:

http://www.bartsp34ks.nl/networking/how-turn-on-your-dell-server-with-a-script-using-idrac-and-putty/

Establish an SSH session (the example had the command in a script file):

putty.exe -ssh admin@10.0.0.99 -m C:\putty\PowerOn.sh

Once the SSH session is established, run this command:

racadm serveraction powerup


Yes you can. It may be as simple as setting a cronjob from another Linux box. Use the remote IPMI features of modern servers (iDRAC is compliant in that) and send the power-on command:

ipmipower --on -h hostname/oripaddressofidrac -u root -p password

  •  
    It's not possible to create schedules directly from the iDRAC GUI, but the iDRAC is a mini Linux system; I think some hacking might get you something that could work, but that's some advanced stuff :) – Martino Dino Feb 7 '13 at 16:10


Some thoughts-

  1. You don't need to WOL an iDRAC - it's up as long as you have a working power cord and network cable. It doesn't need to be turned on - it's always on.

  2. I don't know of any scheduling for power, so it would have to be done via script job from another machine

  3. How is that machine (the one running the script) going to be turned on, if you lost power? Chicken and egg, I'm thinking

  4. Actual solution 1 : when power is resumed, connect remotely to your network, SSH or browse to the DRAC, and manually power up the server. The DRAC will be awake if your power and LAN are working, remember.

  5. Actual solution 2a and 2b : assuming you do have a working machine on the inside to run scheduled scripts, you could either run an SSH script against the DRAC to power up the server, or to send a WOL packet to the server itself, assuming it is configured to respond to these.

  •  
    Thanks for the response. 1) I'm referring to turning the machine on via an iDRAC which will come up automatically when the machine regains power. 2) Thanks, I'll probably have to script it. 3) We have many buildings/datacenters; only one is going down. 4) I know how to do it manually; I'm looking to script it so I don't have to get up at 3am :) 4) That's the direction I'm going, I think. Thanks! – SeanKilleen Feb 7 '13 at 16:27


Connecting with WSMan you can connect to the iDRAC of the server(s) and get their power state. This can then determine whether you need to power on the box or leave it as is. PowerShell can help with making this connection, but you need to know the commands. WOL doesn't apply, since the iDRAC is an Out-of-Band Management device and is always on as long as the server has power. I hate pointing to resources on other sites, but in this case Dell has put together a doc to help with something close to what you are talking about. It uses PowerShell v3 to accomplish the task. http://en.community.dell.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-20-18-70-55/Microsoft-Windows-PowerShell-Cim-Cmdlets-with-Dell-iDRAC.pdf

I hope this helps. We use iDRAC across our 5k servers with much success.


Source: https://serverfault.com/questions/476471/can-i-schedule-machine-boot-via-dell-idrac
