After a bit of searching, I found quite a few options. This was simple and got the job done.
find /directoryName -type f | awk 'NR>5' | xargs rm -f
This keeps the first five files that find lists and deletes the rest. Two caveats before pointing it at anything important: find does not sort its output, so "first five" means whatever order the filesystem returns, not the oldest or newest five; and xargs splits on whitespace, so a file name containing spaces or newlines is handed to rm in pieces.
Monday, July 30, 2012
Friday, March 23, 2012
Setup cron job from command line
The following command appends the line 0 22 * * * /opt/scripts/backup to the current user's crontab, keeping whatever entries are already there:
(crontab -l 2>/dev/null; echo "0 22 * * * /opt/scripts/backup") | crontab -
If there is no crontab yet, 2>/dev/null hides the "no crontab for <user>" message and the subshell simply outputs the new line. Do not add a bare -u to crontab -l: -u requires a username, so crontab exits with a usage error, that error is hidden by 2>/dev/null, and the pipeline silently replaces the existing crontab with just the new line. The command also appends unconditionally, so running it twice produces a duplicate entry; check crontab -l first.
If you need to add the job for a different user, create a script called backupjob
#!/bin/bash
(crontab -l 2>/dev/null ; echo "0 22 * * * /opt/scripts/backup") | crontab -
Then run the script as that user: sudo -u jimbob backupjob
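The same append-to-crontab trick, as an added example that is not part of the original post: the merge is split out into a pure text function so that it can be checked without touching a real crontab, and running it twice does not add the line twice. The entry string is the one from the post; the script name in the usage comment is an assumption.

```bash
#!/bin/bash
# Added example: idempotent "append a line to my crontab".

# Read the current crontab text on stdin and print it with ENTRY appended,
# unless an identical line is already present.
merge_cron_entry() {
    entry="$1"
    current="$(cat)"          # empty when the user has no crontab yet
    if printf '%s\n' "$current" | grep -Fxq -- "$entry"; then
        printf '%s\n' "$current"
        return 0
    fi
    if [ -n "$current" ]; then
        printf '%s\n' "$current"
    fi
    printf '%s\n' "$entry"
}

# Apply it to the crontab of whoever runs this script. For another user:
#   sudo -u jimbob ./addcron.sh "0 22 * * * /opt/scripts/backup"   (assumed name)
# or, as root without a wrapper script:
#   crontab -l -u jimbob 2>/dev/null | merge_cron_entry "..." | crontab -u jimbob -
install_cron_entry() {
    entry="$1"
    # 2>/dev/null hides the "no crontab for <user>" notice; the resulting
    # empty input is handled by merge_cron_entry as a fresh crontab.
    crontab -l 2>/dev/null | merge_cron_entry "$entry" | crontab -
}

if [ -n "${1:-}" ]; then
    install_cron_entry "$1"
fi
```

merge_cron_entry compares whole lines (grep -Fx), so a second run with the same schedule and command is a no-op, while a changed schedule for the same command is treated as a new entry and appended; remove the old one by hand in that case.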
Wednesday, February 29, 2012
CentOS/RHEL AD Authentication
Most of the research for this was done by Cooby and found in this article
http://blog.skinkers.com/2010/07/28/how-to-use-winbind-to-authenticate-against-ad-on-rhelcentos-5-x-automated-scripts/
The author of the article gets the credit; I'm just going to add some notes and clarification for spots where I got stuck. I recently set this up with an Amazon Linux instance authenticating against a Windows domain built on Amazon EC2. There were a few tweaks needed. Nothing major, but something I would like to share and do not want to forget for the future.
Build an Amazon Linux instance from the Amazon AMIs. Connect to the instance as ec2-user with the ssh key. Run yum update for the latest packages.
Do the following as root or use sudo
1) Add the CentOS base repo (the samba packages are currently not available in the preconfigured Amazon Linux repos)
vi /etc/yum.repos.d/centos.repo
[centOS]
name=CentOS-6 Base
baseurl=http://mirror.centos.org/centos/6/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/6/os/x86_64/RPM-GPG-KEY-CentOS-6
gpgcheck=1 is what ensures the downloaded RPMs carry a valid CentOS 6 signature, but the key itself is fetched over plain http here, so compare the fingerprint yum shows when it imports the key against the one CentOS publishes. Also bear in mind this adds the whole CentOS 6 base to a different distribution; an includepkgs=samba* line in the stanza limits the repo to the packages this post needs and stops yum from swapping Amazon Linux packages for CentOS builds.
2) yum install nscd samba samba-common samba-client samba-winbind
3) vi /etc/hosts
10.0.0.1 dc01.example.local dc01
4) Change the hostname. Amazon Linux by default has a hostname like ip-10-248-246-135, which is more than 15 characters and therefore too long for a NetBIOS name; the join to Active Directory fails until it is shortened.
vi /etc/sysconfig/network
Change HOSTNAME=localhost.localdomain to a name of 15 characters or fewer (letters, digits and hyphens)
5) Run authconfig-tui
Authentication Configuration - check Cache Information, Use Winbind, Use MD5 Passwords, Use Shadow Passwords, Use Winbind Authentication
Winbind Settings - check ads; Winbind Domain is the short (NetBIOS) name of the domain, so example.com is entered as just example; Domain Controllers takes the FQDN of the domain controllers; ADS Realm is the Kerberos realm, which is the AD DNS domain name in upper case (EXAMPLE.COM), not the name of a domain controller; Template Shell is /bin/bash
Click on Join Domain
Enter credentials for a domain administrator (or any account that has been delegated the right to join computers to the domain) and make sure the server successfully joined the domain
6) vi /usr/local/bin/bash-wrapper - make it executable chmod +x
#!/bin/sh
# This script restricts shell access to privileged users. The "template shell"
# option in the '/etc/samba/smb.conf' file should be set to call this wrapper.

# Get group memberships for this user.
BFN_ID=$(/usr/bin/id)

# Grant shell access to users that are in the local wheel group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(wheel\)' > /dev/null
then
exec /bin/bash --login "$@"
fi

# Grant shell access to users that are in the domain administrators group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(domain\ admins\)' > /dev/null
then
exec /bin/bash --login "$@"
fi

# Else print a notice and just exit.
echo "Shell access to this computer is disabled."
# eof
Two things to check on your own box: the second pattern matches the bare group name "domain admins", which is how id prints it when smb.conf has winbind use default domain = true; with the default of false the group shows up as DOMAIN\domain admins and the pattern must include that prefix, otherwise even domain admins get the "disabled" notice. And because the script ends after the echo, a refused user gets exit status 0 rather than a failure.
7) vi ad-phase2.sh - make it executable chmod +x
#!/bin/sh
# ad-phase2.sh - Phase 2
# Author: Max Sanna
# Description: This script automates the process of joining a linux box
# to an AD domain. The process is divided in two parts.
#
# Please edit the relevant parts of the script below prior running it
# Lines below that start with # are disabled in this copy; remove the leading #
# from the ones your /etc/nsswitch.conf and /etc/samba/smb.conf still need after
# authconfig-tui has written its own winbind settings.
# This block doesn't need to be edited
#sed -i 's%protocols: files%protocols: files winbind%g' /etc/nsswitch.conf
#sed -i 's%rpc: files%rpc: files winbind%g' /etc/nsswitch.conf
#sed -i 's%netgroup: files%netgroup: files winbind%g' /etc/nsswitch.conf
#sed -i 's%automount: files%automount: files winbind%g' /etc/nsswitch.conf
# The following line allows users to logon without the ugly EXAMPLE\user syntax
#sed -i 's%winbind use default domain = false%winbind use default domain = true%g' /etc/samba/smb.conf
# More parameters to make life easier with UID and GID correspondances
#sed -i 's% template shell = /bin/bash% template shell = /usr/local/bin/bash-wrapper%g' /etc/samba/smb.conf
#sed -i '/ winbind offline logon = false/a winbind enum users = true' /etc/samba/smb.conf
#sed -i '/winbind enum users = true/a winbind enum groups = true' /etc/samba/smb.conf
#sed -i '/winbind enum groups = true/a winbind cache time = 5' /etc/samba/smb.conf
#sed -i '/winbind cache time = 5/a winbind nested groups = true' /etc/samba/smb.conf
# This line will allow for home folders to be created in /home/DOMAIN/username upon first login
# (authconfig regenerates system-auth-ac, so a hand-appended line is lost the next time
# authconfig runs; authconfig --enablemkhomedir --update is the durable way to turn this on)
#echo "session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
# The following line will allow all the users within the Domain Admins group to sudo on the server
# (appending straight to /etc/sudoers bypasses visudo's syntax check, and a syntax error there
# makes sudo refuse to run for everyone; put the rule in a file under /etc/sudoers.d/ and
# check it with visudo -cf instead)
#echo "%domain\ admins ALL=(ALL) ALL" >> /etc/sudoers
# Replace "base OU=Users,DC=example,DC=com" with the container of the users you want to allow on the box
sed -i 's%base dc=example,dc=com%base OU=Users,DC=example,DC=com%g' /etc/openldap/ldap.conf
service winbind restart
service nscd restart
8) Restart the instance
9) Try to log in
ssh user@instance.DNS or ssh domain\\user@instance.DNS
The home directory should be created automatically on first login - /home/domain/user
10) Troubleshooting
Watch for any messages or errors along the way - make sure the instance has actually joined the domain
Make sure winbind is running - ps ax | grep winbind
There are changes between Linux distributions and slight changes from the original post
Example - samba-winbind is a relatively new package and is required
Another example - in ad-phase2.sh, ldap.conf is located at /etc/openldap instead of the root of /etc like in the original script
Time - A critical part of AD authentication. Kerberos rejects requests from a client whose clock is further from the domain controller's than the KDC tolerates, and the Active Directory default is five minutes. By default Amazon Windows and Linux instances talk to the Amazon NTP servers; I leave this as is and do not change any of it, but the servers must be in sync or AD authentication will fail.
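The two prerequisites that most often break the join (the 15-character NetBIOS limit from step 4 and the clock skew from the troubleshooting notes), plus the live checks to run once the join reports success, as an added example that is not from the original post or the article it builds on. The 300-second tolerance is the Active Directory default; the domain user name and the "--live" flag are assumptions for illustration.

```bash
#!/bin/bash
# Added example: pre-join sanity checks and post-join winbind checks.

# NetBIOS computer names are at most 15 characters; letters, digits and
# hyphens are accepted by every Windows version, so that is the set enforced.
valid_netbios_name() {
    local name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Kerberos, and therefore the join and every winbind logon, fails when the
# client clock is further from the KDC than the KDC tolerates. AD's default
# tolerance is 5 minutes, so the default limit here is 300 seconds.
# Arguments are epoch seconds: this host's, the DC's, and optionally the limit.
clock_skew_ok() {
    local local_epoch="$1" dc_epoch="$2" max="${3:-300}"
    local diff=$(( local_epoch - dc_epoch ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( -diff ))
    fi
    [ "$diff" -le "$max" ]
}

# Live checks for a joined host. Needs root (net ads testjoin reads the
# machine secret) and a running winbindd. DOMAIN_USER is a user to resolve
# through NSS: 'jimbob' with "winbind use default domain = true", otherwise
# 'EXAMPLE\jimbob'. The DC's own clock is printed by 'net ads info'
# ("Server time:"); compare it with 'date' before blaming winbind.
post_join_checks() {
    local domain_user="$1"
    net ads testjoin || { echo "machine account / join is broken"; return 1; }
    wbinfo -p        || { echo "winbindd is not answering"; return 1; }
    wbinfo -t        || { echo "trust secret check against the DC failed"; return 1; }
    getent passwd "$domain_user" >/dev/null \
                     || { echo "NSS cannot resolve $domain_user (check nsswitch.conf)"; return 1; }
    echo "join looks healthy"
}

# Run directly: check this host's name; with "--live USER", run the live checks.
host="$(hostname -s 2>/dev/null)"
if ! valid_netbios_name "$host"; then
    echo "hostname '$host' is not a valid NetBIOS name (max 15 chars, [A-Za-z0-9-]); fix HOSTNAME in /etc/sysconfig/network before joining"
fi
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    post_join_checks "$2"
fi
```

valid_netbios_name rejects the Amazon default ip-10-248-246-135 on length alone and also rejects dotted names such as dc01.example.local, which is why step 4 asks for a short name rather than an FQDN.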
Monday, February 27, 2012
elasticfox-ec2tag
There are many methods for managing AWS. The web based management console provided by Amazon is very nice. They are constantly changing and tweaking it. I find in most cases this leads to a better end user experience.
The command line based tools are also useful. If you have an Amazon Linux instance, the tools are installed and updated by default. Setting up the tools for use in Windows scripts is also straightforward. Developers also have many options with numerous SDKs.
I find ElasticFox very helpful from a systems administration viewpoint. ElasticFox is a plugin for Firefox. There are many versions of this floating around, but I feel ElasticFox-ec2Tag is by far the best. They keep it updated and keep it working with the constantly updating Firefox.
It can be downloaded here:
https://github.com/cookpad/elasticfox-ec2tag/downloads
Download the xpi, Open Firefox and go to Tools > Add-Ons
Drag the xpi file onto the page and follow the instructions. Firefox will prompt for a restart
Friday, February 24, 2012
Glassfish 3 Password Alias
In the previous post, there is a function to change admin authentication from local to Active Directory. It works great, but the password for the service account performing Active Directory lookups is in plain text. Security best practice says that password should be hidden, which is what GlassFish's password aliases are for.
1)
Add
AS_ADMIN_ALIASPASSWORD=thepassword
to the password file located at /tmp/password (the same file the install script hands to asadmin -W)
This file needs to be created manually; it is what lets the GF install run without prompting. Create it with mode 600, since /tmp is readable by every local user, and delete it when finished.
2) Add the password to GlassFish's secure password store
/opt/AppSrv/glassfish3/glassfish/bin/asadmin -W /tmp/password --secure create-password-alias ldapbind
3) Set the search-bind-password field to the alias reference. The "\" is quite important (lots of time spent trying to get that to work): inside double quotes the shell treats ${ALIAS=ldapbind} as a parameter expansion meaning "the value of $ALIAS, assigning it ldapbind if unset", so without the backslash GlassFish receives the literal word ldapbind instead of the alias reference and the bind fails.
/opt/AppSrv/glassfish3/glassfish/bin/asadmin -W /tmp/password set server.security-service.auth-realm.admin-realm.property.search-bind-password="\${ALIAS=ldapbind}"
Restart GlassFish and delete /tmp/password
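The three steps above as shell functions, an added example rather than the post's own commands: the password file is created with mode 600 before anything is written into it, and the alias reference is built so the shell never sees it as an expansion. The asadmin path is the one from the post; the function names and the ASADMIN variable are assumptions.

```bash
#!/bin/bash
# Added example: GlassFish password alias setup without leaking the secret.
ASADMIN="${ASADMIN:-/opt/AppSrv/glassfish3/glassfish/bin/asadmin}"   # assumed path (from the post)

# Create FILE owner-readable only, then write the KEY=VALUE lines given as
# the remaining arguments. Creating it with 0600 first matters because /tmp
# is world-readable; 'echo > /tmp/password' followed by chmod leaves a window.
write_password_file() {
    local file="$1"; shift
    install -m 600 /dev/null "$file" || return 1
    printf '%s\n' "$@" > "$file"
}

# The string GlassFish must receive. Single quotes keep ${ALIAS=...} intact;
# this is exactly what the "\$" in the post achieves inside double quotes.
alias_ref() {
    printf '${ALIAS=%s}' "$1"
}

# What GlassFish receives when the $ is NOT escaped: the shell expands
# ${ALIAS=ldapbind} as "use $ALIAS, assigning it 'ldapbind' if unset", so the
# property ends up holding the bare word instead of an alias reference.
unescaped_alias_ref() {
    local ALIAS    # unset in this scope, as on a fresh command line
    printf '%s' "${ALIAS=$1}"
}

# Steps 2 and 3 from the post, followed by removal of the password file.
# PWFILE must hold AS_ADMIN_PASSWORD (for asadmin) and AS_ADMIN_ALIASPASSWORD
# (the secret being stored under ALIAS_NAME).
set_bind_password_alias() {
    local pwfile="$1" alias_name="$2"
    "$ASADMIN" -W "$pwfile" --secure create-password-alias "$alias_name" || return 1
    "$ASADMIN" -W "$pwfile" set \
        "server.security-service.auth-realm.admin-realm.property.search-bind-password=$(alias_ref "$alias_name")" || return 1
    shred -u "$pwfile" 2>/dev/null || rm -f "$pwfile"
}
```

Typical use is write_password_file /tmp/password AS_ADMIN_PASSWORD=... AS_ADMIN_ALIASPASSWORD=thepassword followed by set_bind_password_alias /tmp/password ldapbind and a domain restart; the alias value lives in the domain's encrypted store from then on, and domain.xml only ever contains ${ALIAS=ldapbind}.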
Monday, February 6, 2012
GlassFish 3 Install Script
I have a new application to manage in 2012. GlassFish is an Oracle driven product to host Java applications. I have been tasked with helping to build new servers to upgrade from version 2 to version 3. To help with the deployment process, I created a bash script to automate the installation.
The script has supporting files, including the latest version of GlassFish and the Java JDK. The files need to be copied to a directory called /tmp/gf_install. The script itself can be run from any location; the user's home directory makes the most sense.
#!/bin/bash
DOMAIN_NAME=$(hostname --short)
#read -p "Enter domain name " DOMAIN_NAME
TMP_DIR="/tmp/gf_install"
# Use with AD Authentication
#ASADMIN="sudo -u appadmin /opt/AppSrv/glassfish3/glassfish/bin/asadmin -W ${TMP_DIR}/password"
# Use without AD Authentication
ASADMIN="/opt/AppSrv/glassfish3/glassfish/bin/asadmin -W ${TMP_DIR}/password"
# Despite the name this is the domain's config directory, which holds the keystores and domain.xml
KEYSTORE_FILE="/opt/AppSrv/glassfish3/glassfish/domains/${DOMAIN_NAME}/config"

svn_prep (){
cd /opt
sudo svn checkout http://svn.fbfs.com/midtierscripts/
sudo chown -R appadmin:users /opt/midtierscripts
mkdir /tmp/gf_install
cd /opt/midtierscripts/serverInstall
cp answer password password2 glassfish /tmp/gf_install
cp /mnt/midtier_devtools/midtier/gfinstall/* /tmp/gf_install
}

edit_answer (){
# plain -i: the original "-i -silent" is parsed by GNU sed as -s -i with backup suffix "lent"
sed -i s/newdomain/${DOMAIN_NAME}/g ${TMP_DIR}/answer
}

java_install (){
sudo mkdir /opt/java
tar zxf ${TMP_DIR}/jdk-7u3-linux-x64.tar.gz -C ${TMP_DIR}
sudo mv ${TMP_DIR}/jdk1.7.0_03/* /opt/java
#sudo cp ${TMP_DIR}/jdk.sh /etc/profile.d/jdk.sh
#source /etc/profile.d/jdk.sh
sudo chown -R appadmin:users /opt/java/
}

gf_install (){
chmod +x ${TMP_DIR}/glassfish-3.1.2.2-unix.sh
# Use with AD Authentication
#sudo ${TMP_DIR}/glassfish-3.1.2-unix.sh -s -j /opt/java -a ${TMP_DIR}/answer
# Use without AD Authentication
${TMP_DIR}/glassfish-3.1.2.2-unix.sh -s -j /opt/java -a ${TMP_DIR}/answer
sudo chown -R appadmin:users /opt/AppSrv/
$ASADMIN start-domain
}

gf_restart (){
$ASADMIN stop-domain
$ASADMIN start-domain
}

enable_secure_admin (){
$ASADMIN enable-secure-admin
gf_restart
}

gf_config (){
# First request initialises the admin console; the certificate is still the self-signed s1as at this point
wget https://localhost:4848 --no-check-certificate --delete-after -q
$ASADMIN set server-config.admin-service.jmx-connector.system.security-enabled=true
$ASADMIN set server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true
$ASADMIN set server-config.network-config.protocols.protocol.sec-admin-listener.security-enabled=true
$ASADMIN set server-config.network-config.protocols.protocol.sec-admin-listener.ssl.cert-nickname=s1as
$ASADMIN deploy ${TMP_DIR}/wmq.jmsra.rar
$ASADMIN create-resource-adapter-config --property logWriterEnabled=true:maxConnections=4:traceLevel=3:traceEnabled=false:reconnectionRetryCount=5:reconnectionRetryInterval=300000:connectionConcurrency=1 wmq.jmsra
sudo -u appadmin /opt/AppSrv/glassfish3/glassfish/bin/asadmin -W ${TMP_DIR}/password2 --secure create-password-alias jenkins
sudo -u appadmin mkdir /mnt/midtier_logs/domain
$ASADMIN set-log-attributes --target server com.sun.enterprise.server.logging.GFFileHandler.file=/mnt/midtier_logs/domain/server.log
$ASADMIN set-log-attributes --target server com.sun.enterprise.server.logging.GFFileHandler.rotationTimelimitInMinutes=1440
sudo mkdir /opt/AppSrv/glassfish3/glassfish/nodes
sudo chown -R appadmin:users /opt/AppSrv
sed -i s/org.glassfish.admingui.level=INFO/org.glassfish.admingui.level=FINE/g /opt/AppSrv/glassfish3/glassfish/domains/${DOMAIN_NAME}/config/logging.properties
gf_restart
}

cert_install (){
# The keystore passwords (changeit, and the PKCS12 password below) are passed on the command line,
# so they are visible in ps output and shell history while these run; change them after the build
sudo -u appadmin keytool -import -noprompt -alias root -keystore ${KEYSTORE_FILE}/keystore.jks -trustcacerts -file ${TMP_DIR}/Root.cer -storepass changeit
sudo -u appadmin keytool -import -noprompt -alias intermediate_1 -keystore ${KEYSTORE_FILE}/keystore.jks -trustcacerts -file ${TMP_DIR}/Intermediate_1.cer -storepass changeit
sudo -u appadmin keytool -import -noprompt -alias issue -keystore ${KEYSTORE_FILE}/keystore.jks -trustcacerts -file ${TMP_DIR}/Issue.cer -storepass changeit
sudo -u appadmin keytool -import -noprompt -alias root -keystore ${KEYSTORE_FILE}/cacerts.jks -trustcacerts -file ${TMP_DIR}/Root.cer -storepass changeit
sudo -u appadmin keytool -import -noprompt -alias intermediate_1 -keystore ${KEYSTORE_FILE}/cacerts.jks -trustcacerts -file ${TMP_DIR}/FBL_Intermediate_1.cer -storepass changeit
sudo -u appadmin keytool -import -noprompt -alias issue -keystore ${KEYSTORE_FILE}/cacerts.jks -trustcacerts -file ${TMP_DIR}/Issue.cer -storepass changeit
sudo -u appadmin keytool -importkeystore -noprompt -deststorepass changeit -destkeypass changeit -destkeystore ${KEYSTORE_FILE}/keystore.jks -srckeystore ${TMP_DIR}/generic.p12 -srcstoretype PKCS12 -srcstorepass password -alias generic.domain.com
sudo -u appadmin sed -i 's/s1as/generic.domain.com/g' ${KEYSTORE_FILE}/domain.xml
gf_restart
}

create_service (){
sudo mv ${TMP_DIR}/glassfish /etc/init.d/glassfish
cd /etc/init.d
sudo chmod +x glassfish
sudo chown root:root glassfish
sudo chkconfig --add glassfish
sudo chkconfig glassfish on
}

ldap_authentication (){
$ASADMIN --secure create-password-alias ldapbind
$ASADMIN set server.security-service.auth-realm.admin-realm.property.base-dn="dc=domain,dc=com"
# ldap:// on 389 sends the service account's simple bind in the clear; use ldaps://...:636 if the DCs offer it
$ASADMIN set server.security-service.auth-realm.admin-realm.property.directory=ldap://ldap.domain.com:389
# The backslash keeps the shell from expanding ${ALIAS=ldapbind}; GlassFish needs the literal reference
$ASADMIN set server.security-service.auth-realm.admin-realm.property.search-bind-password="\${ALIAS=ldapbind}"
$ASADMIN set server.security-service.auth-realm.admin-realm.property.jaas-context=ldapRealm
$ASADMIN set server.security-service.auth-realm.admin-realm.property.group-search-filter="(&(member=%d)(objectcategory=group))"
$ASADMIN set server.security-service.auth-realm.admin-realm.property.search-bind-dn="cn=user user,OU=Service Accounts,DC=domain,DC=com"
$ASADMIN set server.security-service.auth-realm.admin-realm.property.search-filter="(&(objectClass=user)(memberOf=CN=Group,OU=Domain Groups,DC=domain,DC=com)(sAMAccountName=%s))"
$ASADMIN set server.security-service.auth-realm.admin-realm.property.assign-groups=asadmin
$ASADMIN set server.security-service.auth-realm.admin-realm.property.group-base-dn="ou=Domain Groups,dc=domain,dc=com"
$ASADMIN set server.security-service.auth-realm.admin-realm.classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
gf_restart
}

glassfish_update (){
$ASADMIN stop-domain
cd /opt/AppSrv/glassfish3/bin
sudo ./pkg image-update
$ASADMIN start-domain
sudo mkdir /opt/AppSrv/glassfish3/glassfish/nodes
sudo chown -R appadmin:users /opt/AppSrv
}

copy_drivers (){
cd ${TMP_DIR}
sudo cp db2jcc.jar db2jcc_license_cisuz.jar db2java.zip sqljdbc4.jar ojdbc6.jar WebSEAL_SAM.jar /opt/AppSrv/glassfish3/glassfish/lib/
gf_restart
}

cron (){
echo '#!/bin/bash' > $TMP_DIR/backup_cron
# The generated script runs as appadmin, so "-u appadmin" is dropped: only root may use -u, and with stderr
# suppressed the failing "crontab -l" would otherwise replace any existing crontab with just these two lines
echo '(crontab -l 2>/dev/null; echo "0 21 * * * svn update /opt/midtierscripts"; echo "00 01 1 1,4,7,10 * /opt/midtierscripts/utility/devel_cert/cert_report.sh";) | crontab -' >> $TMP_DIR/backup_cron
sudo chmod +x $TMP_DIR/backup_cron
sudo -u appadmin $TMP_DIR/backup_cron
}

delete_tmp_dir (){
cd ~
rm -rf ${TMP_DIR}
}

svn_prep
edit_answer
java_install
gf_install
enable_secure_admin
gf_config
cert_install
create_service
ldap_authentication
glassfish_update
copy_drivers
cron
delete_tmp_dir