Dobrev.EU Blog

Things I want to share

CentOS 7 First Impressions


The CentOS Project finally announced version 7 of their RHEL derivative. I gave it a try on a VirtualBox VM and I must admit the changes are significant.

What’s new?

According to the official release notes CentOS 7 comes packed with the following major changes:

  • Kernel updated to 3.10.0
  • Support for Linux Containers
  • Open VMware Tools and 3D graphics drivers out of the box
  • OpenJDK-7 as default JDK
  • In Place Upgrade from 6.5 to 7.0 (as already mentioned)
  • LVM-snapshots with ext4 and XFS
  • Switch to systemd, firewalld and GRUB2
  • XFS as default file system
  • iSCSI and FCoE in kernel space
  • Support for PTPv2
  • Support for 40G Ethernet Cards
  • Supports installations in UEFI Secure Boot mode on compatible hardware

An extensive list of changes can be found here.

Managing Users and SSH Keys With Puppet and Hiera


A while back I stumbled upon a very untidy way of managing keys with Hiera and Puppet.

Legacy SSH Key management

---
sshkeys:
  "johndoe@john.doe.dev": "<public key material>"          # 1024-bit key hash (elided), nothing else
  "johndoe@johnny.other.doe.dev": "<public key material>"  # 1024-bit key hash (elided), nothing else

The only option it accepts is the key itself. No type, no additional info, nothing at all besides the key. What this meant to me: obviously the idea here is to be as straightforward as possible, limiting the variations of SSH key types to a single hard-coded value. I'm fine with that concept, but how do I find out which type of key I'm allowed to use? The more I questioned myself, the stronger I felt the need to dive into Puppet for an answer. I won't bother describing how "well-organized" it all was in Puppet, but eventually I realized that this type of SSH key management is the perfect example of how NOT to do things.

The solution? A full rewrite from scratch.
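The point of the rewrite is that a key entry has to carry more than the key. As an added example (not the author's Puppet code or Hiera data), the following Python validator checks a richer Hiera-style `sshkeys` hash with `user`, `type` and `key` per entry, and derives the real key type from the OpenSSH blob itself: every OpenSSH public key blob starts with a length-prefixed type string, so a declared type that does not match the material, a missing type, or a disallowed algorithm can all be caught before the key lands in `authorized_keys`. The sample entries, the toy key blobs and the `DISALLOWED_TYPES` policy are constructed for the example.

```python
import base64
import struct

# Key types this example refuses (assumption: a sample policy, adjust to your own).
DISALLOWED_TYPES = {"ssh-dss"}


def _ssh_string(data):
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type, *fields):
    """Build a toy OpenSSH public key blob (base64). The fields are NOT real
    key material; this only reproduces the blob layout for the example."""
    raw = _ssh_string(key_type.encode("ascii"))
    raw += b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode("ascii")


def key_type_from_blob(blob_b64):
    """Recover the key type embedded in an OpenSSH public key blob.

    Every OpenSSH public key blob starts with a 4-byte big-endian length
    followed by the type string ("ssh-rsa", "ssh-ed25519", ...), so the type
    can always be derived from the key material itself.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + length:
        raise ValueError("truncated type string")
    return raw[4:4 + length].decode("ascii")


def validate_sshkeys(sshkeys):
    """Validate a Hiera-style hash of the shape the legacy format lacks:

        sshkeys:
          "johndoe@john.doe.dev":
            user: johndoe
            type: ssh-ed25519
            key:  AAAAC3...

    Returns a list of (entry name, problem) pairs; empty means all entries are fine.
    """
    problems = []
    for name, entry in sshkeys.items():
        for field in ("user", "type", "key"):
            if field not in entry:
                problems.append((name, "missing field %r" % field))
        if "key" not in entry:
            continue
        try:
            actual = key_type_from_blob(entry["key"])
        except (ValueError, UnicodeDecodeError) as exc:
            # binascii.Error raised by b64decode is a ValueError subclass
            problems.append((name, "unparsable key material: %s" % exc))
            continue
        declared = entry.get("type")
        if declared is not None and declared != actual:
            problems.append((name, "declared type %s but key material is %s" % (declared, actual)))
        if actual in DISALLOWED_TYPES:
            problems.append((name, "key type %s is not allowed" % actual))
    return problems


# Constructed sample data (the names mirror the legacy Hiera excerpt above).
SAMPLE_SSHKEYS = {
    "johndoe@john.doe.dev": {
        "user": "johndoe",
        "type": "ssh-ed25519",
        "key": make_blob("ssh-ed25519", b"\x11" * 32),
    },
    "johndoe@johnny.other.doe.dev": {
        "user": "johndoe",
        "type": "ssh-rsa",  # declared as RSA ...
        "key": make_blob("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04"),  # ... but the blob is DSA
    },
    "legacy-style": {
        # Only the key, as in the legacy format: user and type are missing.
        "key": make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xab\xcd"),
    },
}

if __name__ == "__main__":
    for name, problem in validate_sshkeys(SAMPLE_SSHKEYS):
        print("%s: %s" % (name, problem))
```

Run against the sample hash it reports the RSA/DSA mismatch, the disallowed `ssh-dss` algorithm, and the two fields the legacy-style entry never had. The same check fits naturally in a Puppet `validate`-style step before `ssh_authorized_key` resources are generated from Hiera.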

Adding Custom Parser Functions to Puppet


In two consecutive jobs I had to look for a way to manage Linux user names and passwords via Puppet. This is one of the most discussed topics and there are plenty of solutions around. And exactly this fact confused me the most! Which way should I take? Of course my own…

DMARC or How Social Networks Are Fighting SPAM


I recently received a notification from Yahoo that customers of the company I work for use our own SMTP servers to "forge" mails that appear to come from their own Yahoo accounts.

Hello,

Yahoo Mail recently enabled a DMARC reject policy to protect users from increasing email spam that uses Yahoo users email addresses from other mail servers (you can read about it here).

We are reaching out to you regarding the domain “our domain” because we noticed a number of your customers’ emails are being rejected. This is due to the fact that these emails are from your customers with “@yahoo.com” in their “From” address and are originating from your servers. With our recent policy change, DMARC compliant systems will reject such emails.

To help you assist your customers through this change, we have outlined the remediation in your case. You should follow the applicable recommendations from those we have listed below:

Small Business Owners / ESPs / ISPs / Domain Hosting

1. If you are sending the email on behalf of a business:
   a. then the customer is best served if they move to sending email from their own domain; OR
   b. Use an address you control, which could be a dedicated address at your site. E.g. If you are "b2b.example" then "From: "Example Sender" <example-sender@b2b.example>"; OR
   c. Use a single address for different senders E.g. If you are "b2b.example" then you could do
      i. "Reply-to: "Example Sender" <example-sender@yahoo.com>"; AND
      ii. "From: "Example Sender" <noreply@b2b.example>"
2. If you are an ISP or an email provider and your users want to use Yahoo addresses; then
   a. Consider allowing customers to connect directly to Yahoo SMTP servers; OR
   b. Contact us at dmarc-help@yahoo-inc.com to discuss authentication and configuration options.

Websites allowing visitors to share links

If your website provides the ability to share items in email, we recommend that you send these emails from your own domain. You can set a Reply-To: header with their address so that people can reply to the sharer instead of replying to you.

E.g. If you are “sharing.example”
1. Reply-To: "Example Sender" <example-sender@yahoo.com>; AND
2. From: “Example Sender” <noreply@sharing.example>

For additional details, please click here.

If you need any clarifications or further information on how to assist your customers, please feel free to reach out to dmarc-help@yahoo-inc.com

Thank you
The Yahoo Mail Team

Long story short: our customers put their Yahoo accounts in the From: field when sending mail from our shop applications to their own customers over our SMTP servers, and this makes Yahoo unhappy, because they are the only company allowed to do that from their own SMTP servers. But how did they come to this conclusion and decide to mail us about the problem? One term was unknown to me up until this mail: DMARC
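What Yahoo's notification boils down to is identifier alignment: DMARC checks whether the domain that passed SPF or DKIM matches the domain in the visible From: header, and if neither does, the From: domain's published policy (here `p=reject`) decides. The following Python is an added example (not the author's code and not Yahoo's implementation) that parses a DMARC TXT record and evaluates the two situations from the mail: the shop's server sending with a customer's `yahoo.com` From: address, and the suggested fix of `From: noreply@b2b.example` with the customer in Reply-To:. The DMARC records are constructed for the example, not the real records of those domains, and the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
def parse_dmarc(txt_record):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; rua=mailto:..."
    into a dict of tags. Missing alignment tags default to relaxed ("r"),
    as RFC 7489 specifies."""
    tags = {}
    for part in txt_record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a policy")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf=None, dkim=()):
    """Evaluate DMARC for one message.

    record      the From: domain's DMARC TXT record
    from_domain domain of the RFC5322.From header (what DMARC protects)
    spf         (MAIL FROM domain, result) of the SPF check, or None
    dkim        iterable of (d= domain, result) for each DKIM signature
    Returns "pass", or the requested policy action (none/quarantine/reject).
    The pct and sp tags are ignored in this simplified evaluation.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(spf[0], from_domain, tags["aspf"]))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags["adkim"])
                  for d, result in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed records for the example; NOT the real DNS records of these domains.
YAHOO_LIKE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
SHOP_RECORD = "v=DMARC1; p=none"


def shop_mail_scenarios():
    """The situation from the Yahoo notification, before and after the fix."""
    # Before: the shop's server (MAIL FROM b2b.example, SPF passes) sends with a
    # customer's yahoo.com From: address. SPF is not aligned with yahoo.com and
    # there is no yahoo.com DKIM signature, so a p=reject receiver rejects it.
    before = dmarc_disposition(YAHOO_LIKE_RECORD, "yahoo.com",
                               spf=("b2b.example", "pass"))
    # After: From: noreply@b2b.example (Reply-To: carries the customer's Yahoo
    # address); the evaluated record is now the shop's own and SPF aligns.
    after = dmarc_disposition(SHOP_RECORD, "b2b.example",
                              spf=("b2b.example", "pass"))
    return before, after


if __name__ == "__main__":
    print("before: %s, after: %s" % shop_mail_scenarios())
```

The evaluation shows why a technically valid SPF pass for the shop's envelope domain does not help: DMARC only counts an authenticated domain that aligns with the From: header, which is exactly the header the customers were borrowing from Yahoo.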

Going Public

For the past 13 years I have been gathering experience with various technologies. Over time I built up a significant collection of useful scripts, knowledge bases, tutorials etc. In some cases I had to develop my own solutions from scratch, spending sleepless nights. For that reason I documented as much as possible. But all these solutions were spread across a vast number of systems, so keeping track of them got harder for me. Meanwhile I felt the need to share that knowledge with the open-source community. This blog is my third and hopefully last attempt to do so, thanks to Octopress. Whenever possible I'll transfer the information from the first two here as well, so don't be surprised if articles from the past show up.

Applying Patches to XenServer


Introduction

With the release of XenServer 6.2, automated patch management via XenCenter is no longer possible unless you have a license. So in order to keep your XenServers up to date you need to apply the patches manually on the CLI.

Releasing Stale VDI


So you are trying to boot a VM in XenServer but you are getting the error "VDI is not available". This means that the VM crashed, the Xen host crashed, or something else bad happened. Either way, you need your server back.

Find the UUID of the VDI in question

Step 1

[root@UK2SR114 ~]# xe vdi-list

Note exactly which UUID maps to which drive on your server. The next step removes the VDI from the VM so we can reattach it correctly, so drive order does matter: you don't want to swap an OS VDI with a data VDI.

Step 2

[root@UK2SR114 ~]# xe vdi-forget uuid=<VDI UUID we found in step 1>

Then:

1. Open XenCenter and navigate to the SR holding your VDI.
2. Hit Rescan.
3. Go to the VM with the issue and attach the VDI via the Storage tab.
4. Boot your VM.

In case you're not exactly sure which VDI is the failing one, you can always try to start the VM from the CLI first; the error names the VDI that is still marked as attached:

Get failed VDI UUID

[root@UK2SR114 ~]# xe vm-list | grep -B 1 -A 1 -i myvm
uuid ( RO)           : 31a684e4-34bc-2a3e-6b61-c98ca33a1681
  name-label ( RW): MyVM (10.0.0.80)
 power-state ( RO): halted
[root@UK2SR114 ~]# xe vm-start uuid=31a684e4-34bc-2a3e-6b61-c98ca33a1681
Error code: SR_BACKEND_FAILURE_46
Error parameters: , The VDI is not available [opterr=VDI 605ad751-e626-4a5d-99ae-79829e0ff8b7 already attached RW],
[root@UK2SR114 ~]# xe vdi-forget uuid=605ad751-e626-4a5d-99ae-79829e0ff8b7
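Because `xe vdi-forget` on the wrong UUID detaches the wrong disk, it pays to let a script cross-check the UUID from the error against `xe vdi-list` and show the disk's name-label before anything is run. The following Python is an added example (not the author's procedure or a XenServer tool): it parses the `name ( RO/RW): value` record format that `xe *-list` prints, extracts the VDI UUID from the `SR_BACKEND_FAILURE_46` message, and only proposes the `vdi-forget` command when that UUID really exists in the list. The `xe vdi-list` sample is constructed for the example (the first VDI UUID is the one from the session above; the SR UUID and the second VDI are made up), and nothing here executes `xe` itself.

```python
import re

# One "name ( RO|RW): value" parameter line of xe list output.
PARAM_RE = re.compile(r"^\s*([\w-]+) \( R[OW]\)\s*:\s*(.*)$")
# The stale-VDI hint inside the SR_BACKEND_FAILURE_46 error text.
STALE_VDI_RE = re.compile(r"opterr=VDI ([0-9a-f-]{36}) already attached")

# Constructed sample output in the format `xe vdi-list` prints (records
# separated by blank lines). The first UUID is the one from the session above;
# the SR UUID and the second VDI are made up for the example.
SAMPLE_VDI_LIST = """\
uuid ( RO)                : 605ad751-e626-4a5d-99ae-79829e0ff8b7
          name-label ( RW): MyVM root disk
    name-description ( RW):
             sr-uuid ( RO): 7b1f2c3d-0000-4000-8000-000000000001
        virtual-size ( RO): 21474836480
            sharable ( RO): false
           read-only ( RO): false


uuid ( RO)                : 2d9c0f11-0000-4000-8000-000000000002
          name-label ( RW): MyVM data disk
    name-description ( RW):
             sr-uuid ( RO): 7b1f2c3d-0000-4000-8000-000000000001
        virtual-size ( RO): 107374182400
            sharable ( RO): false
           read-only ( RO): false
"""

# Constructed `xe vm-start` failure in the shape shown above.
SAMPLE_VM_START_ERROR = """\
Error code: SR_BACKEND_FAILURE_46
Error parameters: , The VDI is not available [opterr=VDI 605ad751-e626-4a5d-99ae-79829e0ff8b7 already attached RW],
"""


def parse_xe_list(text):
    """Turn xe *-list output into a list of {param: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        match = PARAM_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def stale_vdi_uuid(vm_start_output):
    """Extract the VDI UUID from an SR_BACKEND_FAILURE_46 error, else None."""
    if "SR_BACKEND_FAILURE_46" not in vm_start_output:
        return None
    match = STALE_VDI_RE.search(vm_start_output)
    return match.group(1) if match else None


def plan_vdi_forget(vdi_list_output, vm_start_output):
    """Return (uuid, name-label, command) for the stale VDI.

    The UUID must appear in the vdi-list output; the name-label is returned
    so the operator can confirm it is the expected disk (OS vs. data) before
    running the command.
    """
    uuid = stale_vdi_uuid(vm_start_output)
    if uuid is None:
        raise ValueError("no stale-VDI error found in vm-start output")
    by_uuid = {r["uuid"]: r for r in parse_xe_list(vdi_list_output) if "uuid" in r}
    if uuid not in by_uuid:
        raise ValueError("VDI %s is not in vdi-list output; refusing to forget it" % uuid)
    return uuid, by_uuid[uuid].get("name-label", ""), "xe vdi-forget uuid=%s" % uuid


if __name__ == "__main__":
    uuid, label, command = plan_vdi_forget(SAMPLE_VDI_LIST, SAMPLE_VM_START_ERROR)
    print("stale VDI %s (%s) -> %s" % (uuid, label, command))
```

On a real host you would feed it the captured output of `xe vdi-list` and of the failed `xe vm-start`, read the name-label it prints, and only then run the proposed `xe vdi-forget` followed by the SR rescan and reattach described above.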

Dynamic Primary/backup DNS Resource Records Using BIND9 and Bash


There is no sysadmin in the world who hasn't had to deal with dynamic DNS services like UltraDNS in order to automatically fall back to an alternative set of IPs in case of a network outage on the primary ISP line(s). Unluckily, such services are not free, so I've created a small Bash script to achieve similar functionality.