Root Password’s Hash Injection Into Linux Image File


Here I will show you how to set the root password permanently inside an image file. As an example I will use the following image: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2. This is a cloud-aware image in qcow2 format. You need to install “guestfish” and “libguestfs-tools”:

# yum install guestfish libguestfs-tools

To generate a password hash (the -1 switch selects the MD5-based crypt format): # openssl passwd -1 Your-Password

I will set the root password to “binan”, but you should choose a strong password:

# openssl passwd -1 binan
$1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/

Now I will write the generated hash into the file “/etc/shadow” inside the image. Open the image read-write with guestfish (guestfish --rw -a <image-name>):

# guestfish --rw -a /home/binan/Downloads/Fedora-Cloud-Base-20141203-21.i386.qcow2

><fs> run

><fs> list-filesystems

/dev/sda1: ext4

><fs> mount /dev/sda1 /

><fs> vi /etc/shadow

Now I put the hash of the password ($1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/) into the second field of the root line:

root:$1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/::0:99999:7:::

If the root account in the image is locked, replace the word “locked” with the generated hash. From now on every instance created from this image will have “binan” as its root password.
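As an added example (not from the original post), here is a small Python helper that performs the same shadow edit on a line and checks the result: it recognises a locked field, installs the hash, and flags MD5-based ($1$) hashes so an image built with `openssl passwd -1` instead of a SHA-512 hash (`openssl passwd -6`) stands out in an audit. The root line used as input is constructed.

```python
import re

# crypt(3) prefix ids and the algorithm each denotes; only MD5 ($1$) is rated weak here.
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt", "2b": "bcrypt"}
WEAK = {"md5"}

# shadow(5) field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

# Constructed sample of the root line as found in a fresh cloud image (account locked).
SAMPLE_LOCKED_ROOT = "root:!locked::0:99999:7:::"


def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine named fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("shadow line needs 9 fields, got %d" % len(parts))
    return dict(zip(FIELDS, parts))


def classify_hash(field):
    """Return 'empty', 'locked', an algorithm name from HASH_IDS, or 'unknown'."""
    if field == "":
        return "empty"          # no password at all: worse than a locked account
    if field.startswith(("!", "*")) or field == "locked":
        return "locked"         # e.g. '!locked' or '!!' as shipped in cloud images
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    return HASH_IDS.get(m.group(1), "unknown") if m else "unknown"


def set_root_hash(line, new_hash):
    """Return the line with its hash field replaced, whatever it held (locked or not)."""
    if classify_hash(new_hash) in ("empty", "locked", "unknown"):
        raise ValueError("not a crypt(3) hash: %r" % new_hash)
    fields = parse_shadow_line(line)
    fields["hash"] = new_hash
    return ":".join(fields[k] for k in FIELDS)


def audit_shadow(text):
    """Map user -> finding for every line whose hash is weak, empty or unparsable."""
    findings = {}
    for line in text.splitlines():
        if line.strip():
            fields = parse_shadow_line(line)
            kind = classify_hash(fields["hash"])
            if kind in WEAK or kind in ("empty", "unknown"):
                findings[fields["name"]] = kind
    return findings
```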

Note: after mounting the file system you can edit any file in the image; this is not restricted to “/etc/shadow”.

To give each instance a different root password, use “cloud-init” instead.

 



Transferring Data Using cURL


Introduction

cURL is a free and open source tool for transferring data. As an example I will show how to use it to talk to the cloud: here I send commands from a Linux console to OpenStack. The steps are as follows:

Getting An Authentication Token

You need to send an authentication request to the cloud identity web service and get a token in the response upon successful authentication:

# curl -s https://YOUR-Cloud-Identity-Service-URL -X 'POST' -d '{"auth":{"passwordCredentials":{"username":"YOUR-UserName", "password":"YOUR-Password"}}}' -H "Content-Type: application/json" | python -m json.tool

Upon successful authentication you get the response in JSON format. To make it easy to read, pipe the output to Python’s “json.tool” module as above.

The most important piece of information in the response is the authentication token, which has to be passed in the “X-Auth-Token” header of every subsequent request. You need to extract the token from the JSON response; the “jsawk” tool can do that.

“jsawk” Installation

Follow these steps to install “jsawk”:

# yum install js js-devel

# curl -L http://github.com/micha/jsawk/raw/master/jsawk > jsawk

# chmod 755 jsawk && mv jsawk /usr/bin/

Note that curl is used here as well.

How To Use “jsawk”

You pipe the response into “jsawk” and ask for a specific property of the JSON document. You can also transform the result. See the examples on the “jsawk” GitHub page.
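As an added example that is not part of the original post, the same extraction done with Python’s standard library instead of jsawk: pull the token out of a Keystone v2.0 response, refuse it if it has already expired, and take service URLs from the catalogue rather than hard-coding them. The response below is a constructed sample; the token id and URLs are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Keystone v2.0 response to the passwordCredentials request
# shown above; the token id and URLs are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"id": "TOKEN-ID-PLACEHOLDER", "expires": "2015-03-16T18:20:45Z",
              "tenant": {"id": "tenant-id-placeholder", "name": "demo"}},
    "serviceCatalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"region": "RegionOne", "publicURL": "https://cloud.example/v2/tenant-id-placeholder"}]},
        {"type": "identity", "name": "keystone", "endpoints": [
            {"region": "RegionOne", "publicURL": "https://cloud.example:5000/v2.0"}]},
    ],
    "user": {"name": "YOUR-UserName"},
}})


def _parse_ts(ts):
    """Keystone v2.0 timestamps are UTC, e.g. 2015-03-16T18:20:45Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_token(body, now=None):
    """Return (token_id, expires_iso) from the JSON body, refusing an expired token.

    `now` is an optional ISO timestamp used instead of the wall clock (handy for tests)."""
    token = json.loads(body)["access"]["token"]
    expires = _parse_ts(token["expires"])
    current = _parse_ts(now) if now else datetime.now(timezone.utc)
    if expires <= current:
        raise ValueError("token already expired at %s" % token["expires"])
    return token["id"], token["expires"]


def find_endpoint(body, service_type, region=None):
    """Public URL of a service taken from the catalogue rather than hard-coded."""
    for svc in json.loads(body)["access"]["serviceCatalog"]:
        if svc["type"] == service_type:
            for ep in svc["endpoints"]:
                if region is None or ep.get("region") == region:
                    return ep["publicURL"]
    raise LookupError("no %s endpoint in the service catalogue" % service_type)


def auth_headers(token_id):
    """Headers every follow-up request needs (what the post passes with curl -H)."""
    return {"X-Auth-Token": token_id, "Content-Type": "application/json"}
```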




Network Namespaces In Linux Kernel

 

Introduction

Each kernel network namespace has its own network devices (even the loopback interface), IP addresses, firewall rules, “/proc/net” and “/sys/class/net” directory trees, sockets, IP routing tables, port numbers, etc.

clone() is a system call used to create a child process. If the CLONE_NEWNET flag is set, the child is created in a new network namespace. Execute system("ip link") and system("ip netns") in both the child and the parent to see the difference.

unshare() is a system call that creates a new namespace and moves the calling process into it.

setns() is a system call used to join an existing namespace.

You can define a virtual network device (veth) in the namespace, and you can create a tunnel between two virtual devices in different namespaces; the implementation is like creating a pipe. To connect the namespace to the internet, a bridge needs to be created in the root namespace and the veth device in the child namespace is attached to that bridge. The physical network device can be assigned only to the root namespace. Instead of a bridge, you can use IP forwarding with NAT rules in the root namespace.

A namespace is addressed by its name or by the PID of a process inside it.

If a service in one namespace is compromised, this does not affect services in other namespaces, thanks to the isolation property.

Add New Network Namespace

We can use the “ip” networking configuration tool to work with namespaces. A namespace persists even when no process is running in it. To add a new empty namespace:

# ip netns add BinanNameSpace

“BinanNameSpace” is the name of the newly created namespace. A bind mount for it is created under “/var/run/netns”.
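Those bind mounts are how a namespace gets resolved from a PID. As an added example (not from the original post), the following Python reproduces what `ip netns identify PID` does: it compares the inode behind /proc/PID/ns/net with the inodes of the files under /var/run/netns, and groups processes that share a namespace. It reads /proc only and needs no privilege for your own processes; the /var/run/netns path is assumed to be the one the “ip” tool uses.

```python
import os

NETNS_DIR = "/var/run/netns"   # where `ip netns add NAME` bind-mounts the namespace file
MY_PID = os.getpid()


def netns_key(path):
    """(device, inode) of a namespace file; two equal keys denote the same namespace."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def pid_netns(pid):
    """Namespace key of a process, read from /proc/<pid>/ns/net."""
    return netns_key("/proc/%d/ns/net" % pid)


def identify(pid, netns_dir=NETNS_DIR):
    """Name under netns_dir that refers to the pid's namespace, or None.

    This is how `ip netns identify PID` works: compare the inode behind
    /proc/PID/ns/net with the inode behind each bind mount in /var/run/netns."""
    if not os.path.isdir(netns_dir):
        return None
    target = pid_netns(pid)
    for name in sorted(os.listdir(netns_dir)):
        try:
            if netns_key(os.path.join(netns_dir, name)) == target:
                return name
        except OSError:
            continue        # stale entry or not permitted to stat it
    return None


def group_by_netns(pids):
    """Map namespace key -> pids in it; pids sharing a key are not isolated from each other."""
    groups = {}
    for pid in pids:
        try:
            groups.setdefault(pid_netns(pid), []).append(pid)
        except OSError:
            pass            # process has exited or /proc is not readable
    return groups


def same_netns(pid_a, pid_b):
    """True when two processes see the same interfaces, routes and firewall rules."""
    return pid_netns(pid_a) == pid_netns(pid_b)
```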

Get The Current Namespaces

To list the current namespaces, execute “ip netns” or “ls /var/run/netns”:

BinanNameSpace
qdhcp-ae4d3669-d1ab-4133-8ea6-059611dc524e
qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429

List The Interfaces In The Namespace

To list the interfaces inside the namespace, execute:

# ip netns exec BinanNameSpace ip link list

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Note that we only have the loopback interface, and it is down, so we cannot ping it:

# ip netns exec BinanNameSpace ping 127.0.0.1

connect: Network is unreachable

To bring the loopback interface up: # ip netns exec BinanNameSpace ip link set dev lo up

# ip netns exec BinanNameSpace ping 127.0.0.1

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.034 ms
^C
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.034/0.037/0.044/0.008 ms

Create Virtual Network Device In The Namespace

To create a virtual network device (veth1) in “BinanNameSpace” and make it the peer of veth0 in the root namespace:

# ip link add veth0 type veth peer name veth1

# ip link set veth1 netns BinanNameSpace

Set IP Addresses To The Virtual Network Devices

For the veth0 in the root namespace: # ifconfig veth0 11.0.0.2/24 up

For the veth1 in the “BinanNameSpace”: # ip netns exec BinanNameSpace ifconfig veth1 11.0.0.1/24 up

Now to check the interface veth0:

# ifconfig veth0

veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 11.0.0.2  netmask 255.255.255.0  broadcast 11.0.0.255
…..

To check the interface veth1:

# ip netns exec BinanNameSpace ifconfig veth1
veth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 11.0.0.1  netmask 255.255.255.0  broadcast 11.0.0.255
……

Connection Test

To test the connection between the root namespace and “BinanNameSpace”, we ping in both directions.

From the root(veth0: 11.0.0.2) to BinanNameSpace(veth1:11.0.0.1):

# ping 11.0.0.1
PING 11.0.0.1 (11.0.0.1) 56(84) bytes of data.
64 bytes from 11.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 11.0.0.1: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 11.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
^C
--- 11.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.036/0.040/0.044/0.008 ms

From BinanNameSpace (veth1:11.0.0.1) to the root namespace (veth0: 11.0.0.2):

# ip netns exec BinanNameSpace ping 11.0.0.2

PING 11.0.0.2 (11.0.0.2) 56(84) bytes of data.
64 bytes from 11.0.0.2: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 11.0.0.2: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 11.0.0.2: icmp_seq=3 ttl=64 time=0.038 ms
^C
--- 11.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.034/0.038/0.042/0.003 ms

Delete A Namespace

To delete the namespace, execute: # ip netns delete BinanNameSpace




Root Password Injection Into Openstack Instance


To inject a root password into an OpenStack instance at Nova boot time, you first need to enable the feature. Follow these simple steps:

  • Install “libguestfs” on the Nova compute node:

# yum install libguestfs python-libguestfs libguestfs-tools-c

  • Open the file “/etc/nova/nova.conf” and update these lines:

inject_password=true
inject_key=true
inject_partition=-1

  • Restart nova-compute: # service openstack-nova-compute restart
  • Open the file “/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py” and enable setting the root password:

OPENSTACK_HYPERVISOR_FEATURES = {
…..
‘can_set_password’: True,
}

Now you can set the root password from the dashboard when you launch an instance, under the “Access & Security” tab.



Linux NAT Using Conntrack and IPtables


Doing Network Address Translation (NAT) inside the Linux kernel scales performance up. The mechanism consists of two parts:

The Connection Tracking/Conntrack Modules

This is the technique for tracking connections: it is used to know how the packets passing through the system relate to their connections. Connection tracking does NOT manipulate packets, and it works independently of the NAT module. A conntrack entry looks like:

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 [ASSURED] use=1

The conntrack entry is stored as two separate tuples: one for the original direction (the first src/dst/sport/dport group above) and one for the reply direction (the second group). The two tuples may live in different linked lists/buckets of the conntrack hash table. The connection tracking module is responsible for creating and removing the tuples.

Note: The tracking of the connections is ALSO used by iptables to do packet matching based on the connection state.

The NAT Modules

The NAT modules do the address translation itself. They use the tuples and modify them according to the NAT rules; this way the tuples in the connection tracking table remain in a consistent state.


If the packet belongs to an existing connection, there is already a conntrack entry (two tuples) in the conntrack table. The NAT module knows this by checking a field in the tuple created for the newly arrived packet, and the packet is then manipulated according to the conntrack entry (the manipulation was decided when the connection was first seen).

If the received packet is the first packet of a new connection, the NAT module looks for a rule in the “nat” table. If a rule is found, the NAT manipulation is applied according to that rule and the tuples in the conntrack table are changed. For SNAT (Source NAT) the tuples are created by conntrack at the local output hook point, before NAT, so they have to be updated after NAT has been applied to the first packet.

Assume packets leave on network interface “eth1” (-o means “output”) towards the internet and interface “eth0” is connected to the local network. To rewrite the source address to 1.2.3.4 and the source port to one in the range 1-1023, add this rule:

# iptables -t nat -A POSTROUTING -p tcp -o eth1 -j SNAT --to 1.2.3.4:1-1023

You can specify a range of IP addresses as well (SNAT --to 1.2.3.4-1.2.3.6).

You can also use MASQUERADE, where the sender’s address is replaced by the router’s own address:

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Note: here I am doing SNAT (Source NAT). You can also do Destination NAT (DNAT), where NAT hooks into the prerouting hook point. To write DNAT rules, use the chain PREROUTING and the target DNAT.
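The two tuples make it possible to tell, from the conntrack table alone, which connections the NAT module has rewritten. As an added example that is not part of the original post, the Python below parses entries in the format shown above and infers SNAT/DNAT/none by comparing the reply tuple with the original one. The table is constructed: the page’s UDP entry plus a TCP flow translated by the SNAT rule above (203.0.113.9 is a documentation address standing in for an internet host).

```python
import re

# Two constructed conntrack entries (the format of /proc/net/nf_conntrack and
# `conntrack -L`): the page's untouched UDP entry, and a TCP flow that left via eth1
# after the "SNAT --to 1.2.3.4:1-1023" rule rewrote its source.
SAMPLE_TABLE = """\
udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=1.2.3.4 sport=443 dport=1001 [ASSURED] use=1
"""

# Only TCP/UDP tuples are handled; ICMP entries carry type/code/id instead of ports.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Split a conntrack line into its original-direction and reply-direction tuples."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    as_dict = lambda t: {"src": t[0], "dst": t[1], "sport": int(t[2]), "dport": int(t[3])}
    return {"proto": line.split()[0], "original": as_dict(tuples[0]),
            "reply": as_dict(tuples[1]), "assured": "[ASSURED]" in line}


def nat_type(entry):
    """Infer what the NAT module did to a connection from its two tuples.

    With no NAT the reply tuple is the original tuple with src and dst swapped.
    SNAT rewrote the source, so reply dst/dport differ from original src/sport;
    DNAT rewrote the destination, so reply src/sport differ from original dst/dport."""
    o, r = entry["original"], entry["reply"]
    kinds = []
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):
        kinds.append("SNAT")
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        kinds.append("DNAT")
    return "+".join(kinds) or "none"


def summarize(table):
    """One (proto, 'src:sport->dst:dport', nat_type) row per non-empty line of the table."""
    rows = []
    for line in table.splitlines():
        if line.strip():
            e = parse_entry(line)
            o = e["original"]
            flow = "%s:%d->%s:%d" % (o["src"], o["sport"], o["dst"], o["dport"])
            rows.append((e["proto"], flow, nat_type(e)))
    return rows
```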

NAT Settings

  • Load the “nf_conntrack” module: # modprobe nf_conntrack
  • Start the iptables service: # systemctl start iptables
  • Enable IP forwarding:
    • Temporarily: # echo "1" > /proc/sys/net/ipv4/ip_forward
    • Permanently: write net.ipv4.ip_forward = 1 in the file “/etc/sysctl.conf” and reload it (# sysctl -p).
  • Then set the NAT rules as described above.
  • Add forwarding rules to forward packets from one interface to the other in both directions:

From the public (interface:eth1) to private(interface eth0):

# iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

From private(eth0) to public(eth1):

# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

  • Finally, save the iptables rules so that they persist: # iptables-save

Note

  • If you get the error “nf_conntrack: table full, dropping packet” and you still have enough free memory, you can increase the size of the conntrack table.



First Step In WebRTC


Introduction

Here I will show you how to run a very simple WebRTC demo served by the Apache web server. The example gets the media stream of the local device. I will use the WebRTC “getUserMedia” example from the book “Real-Time Communication with WebRTC” by Salvatore Loreto and Simon Pietro (O’Reilly). You can find the source code on the book’s GitHub page. Follow these steps:

  • Create a folder for your WebRTC project: # mkdir /var/www/html/webrtc
  • Create a subdirectory for the JavaScript files: # mkdir /var/www/html/webrtc/js
  • Open Apache configuration file “/etc/httpd/conf/httpd.conf” and add this line:

Alias  /webc  /var/www/html/webrtc

    Restart Apache: # systemctl restart httpd.service

To debug your project, open the browser console (e.g. in Chrome: More tools -> JavaScript Console).

JSFIDDLE Framework

You can use the jsfiddle framework to write, save, validate and run your application online.

Notes

  • Update your browser (bug fixes). Using the developer edition is a good choice (e.g. Firefox Developer Edition).
  • Test your application in different browsers.

How To Change OpenStack’s Dashboard Root URL


Horizon is the canonical implementation of OpenStack’s Dashboard, which provides a web interface to OpenStack services such as Nova, Swift, etc. To access Horizon you browse to “http://Your-IP-Address/dashboard/” and get the login page.

But what if you host multiple applications and want the URL to look like “http://Your-IP-Address/Something/dashboard”? Follow these steps:

Usually the main Apache configuration file is “/etc/httpd/conf/httpd.conf”. It contains the statement IncludeOptional "/etc/httpd/conf.d/*.conf", which means the configuration files in the folder “/etc/httpd/conf.d/” are included. Open the file “/etc/httpd/conf.d/15-horizon_vhost.conf”:

# vi /etc/httpd/conf.d/15-horizon_vhost.conf

Let’s say you want to add /openstack to the original URL, so that you browse to the dashboard at “http://Your-IP-Address/openstack/dashboard”. Change this line:

WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"

To

WSGIScriptAlias /openstack/dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"

Now open the file “/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py” and customize the following lines to use “/openstack/dashboard” instead of just “/dashboard”:

LOGIN_REDIRECT_URL="Your-IP-Address/dashboard"

LOGIN_URL = '/dashboard/auth/login/'
LOGOUT_URL = '/dashboard/auth/logout/'
LOGIN_REDIRECT_URL = '/dashboard'

Now you need to restart Apache:

# systemctl restart httpd.service

Now browse to “http://Your-IP-Address/openstack/dashboard” and you will get the login page again. Congratulations!

Click on the picture below and look at the URL: it has changed.

And this is the page you get after successful login. Click on the picture and look at the URL:

You can also make it “http://Your-IP-Address/openstack/horizon-dashboard”. In that case the WSGIScriptAlias becomes /openstack/horizon-dashboard, and the other parameters are customized in the same way.