New Relic APM on Fedora/CentOS/RedHat with SELinux Enforcing: Solved

I found the solution for getting the New Relic APM Agent to run on a CentOS 7 system with SELinux Enforcing. The only SELinux modification you have to make is to change the context of the log file directory /var/log/newrelic. You can temporarily make these changes with the chcon command:

chcon -R -t httpd_log_t /var/log/newrelic/

Kill any running instances of newrelic-daemon. If you’re using New Relic’s recommended default setup, make sure that the file /etc/newrelic/newrelic.cfg does not exist. Verify that all required values in /etc/php.d/newrelic.ini are correct (especially the license key and the application name). Finally, restart httpd:

systemctl restart httpd

Continue reading New Relic APM on Fedora/CentOS/RedHat with SELinux Enforcing: Solved

Advertisements

Internet Service Comparison: Spectrum Cable Modem vs AT&T Fiber

I’m moving to a new address in Central Florida which has multiple Internet Service Providers (ISPs) available. Spectrum (formerly BrightHouse) provides speeds up to 100Mbps via cable modem. AT&T just installed fiber in the neighborhood, so I was excited to find out what they would offer.

Spectrum Cable Internet

Here’s a cost breakdown by service:

  • Lightning Internet (200Mbps download data rate, 30Mbps upload): $90/month
  • Static IP address: $10/month
  • Modem rental: $4/month  (you must rent a modem to get a static IP)
  • Taxes: $0.26
  • Total monthly bill: $104.26

It was very easy to move my service to a new physical address, and my static IP address will move with me. I’m fortunate to be “grandfathered in” on a BrightHouse plan that permits me to have a static IP address on a residential plan. Going forward, you’ll be required to choose a business plan if you want a static IP address (probably for substantially more money). Continue reading Internet Service Comparison: Spectrum Cable Modem vs AT&T Fiber

Configure CentOS/RedHat VMs with Kickstart files on Virtualbox

Kickstart is a type of file that’s used to automatically install RedHat or CentOS Linux on a physical or virtual server. If you are managing more than a few servers, it’s a good idea to configure the servers via kickstart files instead of logging in and configuring each one manually. However, some unfortunate choices were made when defining the Kickstart file format, and it’s not the easiest thing to use. When creating a new Kickstart or making major changes, it’s good to have way to quickly iterate and test your changes. Iterating on a Kickstart file is slow and inconvenient in an enterprise environment in which a freshly booted server obtains an image and Kickstarter file via PXEboot. To speed up Kickstart testing and debugging, I’ve developed a simple way to use Kickstart files with CentOS/RedHat guest virtual machines that run in VirtualBox on my Mac. This process should also work with Windows or Linux hosts.

Continue reading Configure CentOS/RedHat VMs with Kickstart files on Virtualbox

Upgrade Ubiquiti UniFi Access Points (WAP) now to avoid KrackAttack

On October 15, 2017, security researcher Mathy Vanhoef announced the discovery of KrackAttacks, a serious flaw in the WPA2 encryption protocol that encrypts most WiFi connections. Using this method, an attacker can decrypt traffic from almost any wireless access point (WAP) and clients. Every WiFi access point will need to be upgraded with patch that prevents this attack.

Ubiquiti has already released a patch for UniFi access points that addresses this vulnerability. However, the upgrade process may not be straightforward, depending on the age of your access points. The following process will ensure that you are running a safe version of the firmware (3.9.3.7537 or later). Note that any upgrade will result in downtime for each access point as it is upgraded, so you will want to perform a rolling upgrade if you have multiple devices that will be upgraded while people are using them. Continue reading Upgrade Ubiquiti UniFi Access Points (WAP) now to avoid KrackAttack

Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes

When you run yum upgrade on a CentOS/RedHat 7 instance, you will be upgraded to 7.4. If you have a FreeRADIUS server, you will be upgraded from version 2 to 3, and your server will likely stop authenticating! Good times! Fortunately, the solution was not complicated for us, because we had good documentation.

Symptoms

Your radius server suddenly starts denying logins.

Continue reading Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes

Managing persistent disks on Google Compute Engine

It can confusing when you have multiple persistent disks on an instance running on Google Compute Engine. For example, a server may have separate disks for the filesystem root, MySQL data, logs, and /tmp. Once you’ve created the Compute Engine disks and attached each one to the instance, how do you know which Compute Engine disk maps to each volume on the instance?

Continue reading Managing persistent disks on Google Compute Engine

Is there a “Primary Domain Controller” in Active Directory?

The Historical Answer

With Windows NT, prior to the advent of Active Directory, there was one Primary Domain Controller (DC) per domain, and every other DC was a Backup.

The Modern Answer

When Active Directory was introduced with Windows 2000, domain controllers became fully multi-master. There is no primary domain controller. However, there are two caveats that may confuse you.

Continue reading Is there a “Primary Domain Controller” in Active Directory?

Making Windows work for Linux and OS X admins

If you are a Linux or OS X power user, then you’re used to having all the necessary tools built into your OS. When you log into a Windows system (What! No command line?) you may feel lost. These tools and shortcuts will help you be productive on Windows systems.

Windows Shortcuts

  • Alt-x is a magic shortcut key on Windows 8 and Server 2012. It pops up a little menu in the lower right corner of the screen which contains just the items that an admin needs. Try it!

Continue reading Making Windows work for Linux and OS X admins

Monitoring with SNMP, Part 2: Command-line tools for active SNMP

In Part 1, I summarized the basic concepts of SNMP and defined the terms and acronyms used in this post. Now, I will show how to use SNMP to monitor actual devices. As an example, I will monitor an enterprise-grade uninterruptible power supply (UPS) and power distribution unit (PDUs) from Tripp-Lite. These devices have an SNMPWEBCARD installed to support communication over Ethernet.

Command-line tools for SNMP communication should be available for any Linux distribution (or any other UNIX-derived OS). Documentation for the basic SNMP tools is available online. The challenge with SNMP is figuring out what parameters are supported by a particular device. Most devices support a set of standard OIDs that return basic information such as device name, uptime, etc.
Continue reading Monitoring with SNMP, Part 2: Command-line tools for active SNMP

Monitoring with SNMP, Part 1: Fundamentals of SNMP

SNMP is a protocol for conveying information and controlling devices over a network. SNMP can be used in two ways:

  • Active: a device sends a command to set a parameter or request information for another device
  • Passive: a device sends an alert (called a trap) to another device, which is configured to receive traps and do something with the information.

The “payload” of an SNMP message is called an Object Identifier, or OID. An OID is an ordered list of non-negative numbers, such as:

1.3.6.1.2.1.1.3.0

The sequence is hierarchical, starting with the highest-level object and progressing to lower-level objects. The above sequence corresponds to:

iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) sysUpTime(3) 0

When this command is sent to a device, it will return the uptime of the device.

The translation between the numerical sequence and the human-readable form is stored in a text file called a Management Information Base, or MIB. The format of the MIB is defined in RFC 2578. Some MIB files are standard and contain object IDs that are recognized by almost all devices. Device manufacturers also provide custom MIB files in which they define specialized object IDs for a particular device. Unfortunately, some devices don’t have MIB files, and you will have to query the device to see what objects it supports and decipher what they mean.

In Part 2 of this series, I will use active SNMP to monitor infrastructure.