Simplest Enterprise Continuous Integration Solutions: February 2011

NIS Server

Make sure portmap, yppasswdd, ypserv, yp-tools, ypbind, ypxfrd are installed
[root@linux64-server ~]# yum install ypserv -y
[root@linux64-server ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=linux64-server
DHCP_HOSTNAME=linux64-server
NISDOMAIN=MY-NIS-NETWORK
[root@linux64-server ~]# cat /etc/yp.conf
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
# Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
# Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
# Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
# Use server HOSTNAME for the local domain. The
# IP-address of server must be listed in /etc/hosts.
#
# broadcast
# If no server for the default domain is specified or
# none of them is rechable, try a broadcast call to
# find a server.
#
domain MY-NIS-NETWORK server 10.3.20.100
[root@linux64-server ~]# cat /etc/ypserv.conf
#
# ypserv.conf In this file you can set certain options for the NIS server,
# and you can deny or restrict access to certain maps based
# on the originating host.
#
# See ypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all not needed, if
# you have a Linux net.

# Should we do DNS lookups for hosts not found in the hosts table ?
# This option is ignored in the moment.
dns: no

# How many map file handles should be cached ?
files: 30

# Should we register ypserv with SLP ?
#slp: no
# After how many seconds we should re-register ypserv with SLP ?
#slp_timeout: 3600

# xfr requests are only allowed from ports < 1024
xfr_check_port: yes

# The following, when uncommented, will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host : Domain : Map : Security
#
# * : * : passwd.byname : port
# * : * : passwd.byuid : port

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# * : * : * : none
[root@linux64-server ~]# domainname MY-NIS-NETWORK
[root@linux64-server ~]# ypdomainname MY-NIS-NETWORK
[root@linux64-server yp]# cat /var/yp/securenets
host 127.0.0.1
255.255.255.0 10.3.20.0
[root@linux64-server ~]# service portmap restart
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
[root@linux64-server ~]# chkconfig portmap on
[root@linux64-server ~]# service ypserv restart
Stopping YP server services: [ OK ]
Starting YP server services: [ OK ]
[root@linux64-server ~]# chkconfig ypserv on
[root@linux64-server ~]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
[root@linux64-server ~]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. linux64-server is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a .
next host to add: linux64-server
next host to add:
The current list of NIS servers looks like this:

linux64-server

Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/MY-NIS-NETWORK/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/MY-NIS-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/MY-NIS-NETWORK'

linux64-server has been set up as a NIS master server.

Now you can run ypinit -s linux64-server on all slave server.
[root@linux64-server ~]# service ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@linux64-server ~]# chkconfig ypbind on on[root@linux64-server ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@linux64-server ~]# chkconfig yppasswdd on on[root@linux64-server ~]# service ypxfrd start
Starting YP map server: [ OK ]
[root@linux64-server ~]# chkconfig ypxfrd on

NIS user

[root@linux64-server ~]# useradd -g users nisuser
[root@linux64-server ~]# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@linux64-server ~]# cd /var/yp
[root@bigboy yp]# make
gmake[1]: Entering directory `/var/yp/MY-NIS-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/MY-NIS-NETWORK'

NIS Client

Make sure portmap, yppasswdd, yp-tools are installed
[root@linux64-client1 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=linux64-client1
DHCP_HOSTNAME=linux64-client1
NISDOMAIN=MY-NIS-NETWORK
[root@linux64-client1 ~]# cat /etc/yp.conf
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
# Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
# Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
# Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
# Use server HOSTNAME for the local domain. The
# IP-address of server must be listed in /etc/hosts.
#
# broadcast
# If no server for the default domain is specified or
# none of them is rechable, try a broadcast call to
# find a server.
#
domain MY-NIS-NETWORK server 10.3.20.100
[root@linux64-client1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.3.20.100 linux64-server
[root@linux64-client1 ~]# domainname MY-NIS-NETWORK
[root@linux64-client1 ~]# ypdomainname MY-NIS-NETWORK
[root@linux64-client1 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files nis

shadow: files nis
group: files nis

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus
[root@linux64-client1 ~]# service portmap start
Starting portmap: [ OK ]
[root@linux64-client1 ~]# chkconfig portmap on
[root@linux64-client1 ~]# service ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@linux64-client1 ~]# chkconfig ypbind on
[root@linux64-client1 ~]# rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
[root@linux64-client1 ~]# ypcat passwd

nisuser:$1$/iEACA7I$S.nInc1zfDgZk9wh0NgvN/:502:100::/home/nisuser:/bin/bash

Export the file system (i.e. /home) from the linux64-server (IP address 10.3.20.100) host and mount it on linux64-client1 (IP address 10.3.20.201) and linux64-client2 (IP address 10.3.20.202)

NFS Server

Make sure nfslock, nfs, portmap are installed and daemons are running.
Verify filesystems
[root@linux64-server ~]# cat /proc/filesystems
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev cgroup
nodev cpuset
nodev tmpfs
nodev binfmt_misc
nodev debugfs
nodev securityfs
nodev sockfs
nodev usbfs
nodev pipefs
nodev anon_inodefs
nodev inotifyfs
nodev devpts
ext3
ext4
nodev ramfs
nodev hugetlbfs
iso9660
nodev mqueue
nodev rpc_pipefs
nodev autofs
nodev nfsd
Verify portmap tcp/udp port
[root@linux64-server ~]# cat /etc/services | grep 111
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
nfsd-status 1110/tcp # Cluster status info
Verify nfsd tcp/udp port
[root@linux64-server ~]# cat /etc/services | grep 2049
nfs 2049/tcp nfsd
nfs 2049/udp nfsd
Verify nfs functioning
[root@linux64-server ~]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 649 status
100024 1 tcp 652 status
100011 1 udp 980 rquotad
100011 2 udp 980 rquotad
100011 1 tcp 983 rquotad
100011 2 tcp 983 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 52604 nlockmgr
100021 3 udp 52604 nlockmgr
100021 4 udp 52604 nlockmgr
100021 1 tcp 34614 nlockmgr
100021 3 tcp 34614 nlockmgr
100021 4 tcp 34614 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 1003 mountd
100005 1 tcp 1006 mountd
100005 2 udp 1003 mountd
100005 2 tcp 1006 mountd
100005 3 udp 1003 mountd
100005 3 tcp 1006 mountd
Server exports file

By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, all root-created files are owned by nfsnobody, which prevents uploading of programs with the setuid bit set.
If no_root_squash is used, remote root users are able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute.
[root@linux64-server ~]# cat /etc/exports

/home 10.3.20.201(rw,sync) 10.3.23.202(rw,sync)

[root@linux64-server ~]# exportfs -a

Start daemons

[root@linux64-server ~]# chkconfig nfslock on
[root@linux64-server ~]# service nfslock start
Starting NFS statd:                                        [  OK  ]
[root@linux64-server ~]# chkconfig portmap on
[root@linux64-server ~]# service portmap start
Starting portmapper:                                       [  OK  ]

[root@linux64-server ~]# chkconfig nfs on
[root@linux64-server ~]# service nfs restart

Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

NFS Client

Make sure netfs, nfslock, portmap are installed and daemons are running.

[root@linux64-client1 ~]# chkconfig nfslock on
[root@linux64-client1 ~]# service nfslock start 
Starting NFS statd:                                        [  OK  ]
[root@linux64-client1 ~]# chkconfig portmap on
[root@linux64-client1 ~]# service portmap start
Starting portmapper:                                       [  OK  ]
[root@linux64-client1 ~]# chkconfig netfs on
[root@linux64-client1 ~]# service netfs start
Mounting other filesystems:                                [  OK  ]

[root@linux64-client1 ~]# mv /home /home.save
[root@linux64-client1 ~]mkdir /home
Manual mount
[root@linux64-client1 ~]# mount 10.3.20.100:/home /home
[root@linux64-client1 ~]# umount /home
Configure /etc/fstab automount
[root@linux64-client1 ~]# echo "10.3.20.100:/home /home nfs defaults 0 0" >> /etc/fstab
[root@linux64-client1 ~]# mount -a

[root@linux64-client1 ~]# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
10.3.20.100:/home on /home type nfs (rw,addr=10.3.20.100)

Simplest Enterprise Continuous Integration Solutions

Saturday, February 26, 2011

Enterprise Linux - NIS Configuration

Saturday, February 5, 2011

Enterprise Linux - NFS Configuration