Docker Installation

.

Follow these steps to install Docker. I have Fedora 23:

  • Add Docker  repo. I will use the baseurl for Fedora 22 because Fedora 23 is new and no Docker repo for it:

cat >/etc/yum.repos.d/docker.repo <<-EOF

[dockerrepo]

name=Docker Repository

baseurl=https://yum.dockerproject.org/repo/main/fedora/22

enabled=1

gpgcheck=1

gpgkey=https://yum.dockerproject.org/gpg

EOF

  • Use dnf to install Docker (yum is deprecated): # sudo dnf -y -q install docker-engine
  • Start the daemon: # sudo systemctl start docker-engine
  • Enable the daemon so it will start on boot: # sudo systemctl enable docker
  • By default, docker listens on a UNIX socket (more secure): “unix:///var/run/docker.sock”. This allows only local connections. To list the permissions of the docker socket file:

ls -l  /var/run/docker.sock
srw-rw—-. 1 root docker 0 Nov 19 09:36 /var/run/docker.sock

As we see this file is readable and writable by the user (root) and the group (docker). So to send command to docker daemon from the docker client, we need to be either root user (directly or as sudo user) or add your user to the group “docker” (NOT secure). To add a user to the group “docker”, execute: # sudo usermod -aG docker your_username

To allow remote connections from docker clients (NOT Secure), we can use the option “-H”. Open the unit file of the docker service “/usr/lib/systemd/system/docker.service” and update the line “ExecStart=/usr/bin/docker daemon -H fd://” using “-H host:port”. If you update the unit file you need to restart the docker.

  • Log out and in or even reboot the system.
  • Verify the installation: # docker run hello-world

 Output:

Hello from Docker.
This message shows that your installation appears to be working correctly.

…..


First Steps In Securing Your Linux Server

.

Some notes here to keep it in mind when you manage your Linux server security:

  • Keep your system clean: Install ONLY the packages you need.
  • Check the enabled services and disable the services that you don’t need. The disabled services will NOT run automatically when system boot. To display the enabled services, execute this:

# systemctl list-unit-files –type=service | grep enabled

The unit files of the enabled services exist in “/usr/lib/systemd/system/”. To stop a running service, execute: # systemd stop $serviceName. To disable a service: # systemd disable $serviceName

  • Change the port of the sshd:
    • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
    • For Example, change the port to 1866:  “Port 1866” in the configuration file.
    •  If SELinux is enabled,  you have to tell SELinux about this change:
      # semanage port -a -t ssh_port_t -p tcp
    • Restart sshd : # systemctl restart sshd
    • By doing that, you need to use the option -p1866 when you login.
  • Disable sshing as root:
    • Disable Root Login:
      • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
      • Uncomment and change yes to no in the line “PermitRootLogin no”
      • Restart the SSH daemon: # systemctl restart sshd
    • Create an admin user so you can ssh into the server as an administrator:  As a root, do these: Create a new user and its password  using useradd and passwd. Then to make the new user (lets say it is binan) an administrator, execute visudo and do one of these:
      • Search for the line “%wheel  ALL=(ALL)       ALL” and uncomment it (delete the # at the begining of the line). This allows people in group wheel to run all commands. Add the user binan to the group wheel so the user binan can execute all commands using sudo: # usermod -aG wheel binan.
      • OR Instead of adding the user binan to the group wheel, you can add “binan ALL=(ALL) ALL”.  

Everything sudo users do will be logged so “who did what” is determined (that’s why we disable logging as root).

  • Generate SSH key pair on your machine:  # ssh-keygen  -t rsa. The generated private and the public keys will be stored in the .ssh directory in the home directory (e.g. private key: ~/.ssh/id_rsa and public key: ~/.ssh/id_rsa.pub).
  • You must have the public key installed on the server (appended in ~/.ssh/authorized_keys). To copy the public key to the server, you can temporarily enable the sshing using passwords (“PasswordAuthentication yes” in the /etc/ssh/sshd_config and restart the sshd daemon).  Now copy the public key to the server as following: # cat ~/.ssh/id_rsa.pub | ssh -p 1866 binan@Hostname/IP-Address “mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys
  • Disable sshing using passwords: “PasswordAuthentication no” in the /etc/ssh/sshd_config. Restart the daemon. Now the login will be using public key authentication.
  • Check that you can login from another terminal using : Assuming you have the key pair (the public and private keys) on your local machine:

# ssh -p 1866 binan@Hostname/IP-Address
Last login: Wed Nov  4 09:40:00 2015
-bash-4.2$


Root Password’s Hash Injection Into Linux Image File

.

Resetting-a-Forgotten-Root-Password-2Here i will show you how to set the root password permanently in the image. As an example i will use the following image: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2. This image is cloud-aware image and it is in qcow2 format. You need to install the following: “guestfish” and “libguestfs-tools”:

# yum install guestfish libguestfs-tools

To generate an encrypted password:  # openssl passwd -1 Your-Password

I will set the root password as “binan” but you need to choose a strong password:

# openssl passwd -1 binan
$1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/

Now i will set the generated hash value in the file “/etc/shadow” in the image file. This is done by executing (guestfish –rw -a <image-name>):

# guestfish –rw -a /home/binan/Downloads/Fedora-Cloud-Base-20141203-21.i386.qcow2

><fs> run

><fs> list-filesystems

/dev/sda1: ext4

><fs> mount /dev/sda1 /

><fs> vi /etc/shadow

Now i will write the hash value of the password ($1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/) in its place:

root:$1$PNq4EoLe$EFwgE1BVdVG3uXqv05Pb5/::0:99999:7:::

If the root password in the image file is locked, replace the word “locked” with the generated hash. Now each instance created from this image will have “binan” as root password.

Note: After mounting the file system you can do whatever you want. This is not restricted to the “/etc/shadow” file.

To set different root passwords for different instances, use “cloud-init”.

 


Root Password Injection Into Openstack Instance

.

To inject a root password into Openstack instance on Nova boot, you need to enable it. Follow these simple steps:

  • Install “libguestfs” on Nova compute node:

# yum install libguestfs python-libguestfs libguestfs-tools-c

  • Open the file “/etc/nova/nova.conf ” and update these lines:

inject_password=true
inject_key=true
inject_partition=-1

  • Restart nove-compute: # service openstack-nova-compute restart
  • Open the file “/usr/share/openstack-dashboard/openstack_dashboard/loal/local_settings.py” and enable setting root password:

OPENSTACK_HYPERVISOR_FEATURES = {
…..
‘can_set_password’: True,
}

Now you can set root password on dashboard when you launch your instance under “Access & Security” tab.

Screenshot from 2015-03-16 16:20:45