Creating virtual disks using dd and losetup.

To create an image file, in this case a “virtual disk”, use the “dd” command. The command below writes zeros to a file of the specified size.

dd if=/dev/zero of=1GB_disk.img bs=1M count=1024

Once completed, a partition can be created using the cfdisk or fdisk command. Then the filesystem should be created using mkfs.ext4.

cfdisk 1GB_disk.img

Now you can proceed to set up a loop device for your image. This requires the use of “losetup”. This command will assign an available loop device (-f option to find one) to the image, scan it for partitions (-P option), and show the name of the loop device (--show option):

losetup -Pf --show 1GB_disk.img

If successful, you should be able to access the partition by mounting the image.

[root@s1 disk]# lsblk|grep loop
loop0 7:0 0 1G 0 loop /mnt/disk
[root@s1 disk]#

mount /dev/loop0 /mnt/disk

[root@s1 disk]# df -hP /mnt/disk/
Filesystem Size Used Avail Use% Mounted on
/dev/loop0 976M 46M 863M 6% /mnt/disk
[root@s1 disk]#

To remove a loop device just run:

losetup -d /dev/loop0

XFS (dm-0): unknown mount option [acl].

System goes into read-only mode after upgrading to CentOS 7.4.

"kernel: XFS (dm-0): unknown mount option [acl]"

Remove the acl option from the xfs filesystem entry in /etc/fstab:

/dev/mapper/centos-root / xfs defaults,acl 0 0

On an XFS filesystem, acl is enabled by default, so there is no need to specify it explicitly in the /etc/fstab file. Prior to CentOS 7.4, the acl option was ignored by the systemd daemon even if it was added in /etc/fstab for an XFS filesystem.
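A pre-upgrade check for this problem, as an added example that is not part of the original page: it lists the xfs entries that carry the acl option and prints a corrected fstab. The sample fstab is constructed and the function names are hypothetical; on a real host, feed /etc/fstab to the functions and review the output before replacing the file.

```sh
#!/bin/sh
# Constructed sample fstab (not taken from a real host).
sample_fstab() {
cat <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/centos-root / xfs defaults,acl 0 0
/dev/mapper/centos-home /home xfs defaults 0 0
/dev/sdb1 /data ext4 defaults,acl 1 2
/dev/sdc1 /srv xfs acl,noatime 0 0
EOF
}

# Print the mount point of every xfs entry whose option list contains "acl".
list_xfs_acl() {
  awk '!/^[ \t]*#/ && NF >= 4 && $3 == "xfs" {
         n = split($4, opt, ",")
         for (i = 1; i <= n; i++) if (opt[i] == "acl") { print $2; break }
       }'
}

# Print the fstab with "acl" removed from xfs entries only.
# Other filesystems (e.g. ext4) keep the option; comments pass through.
# Rewritten lines are re-joined with single spaces.
fix_xfs_acl() {
  awk '/^[ \t]*#/ || NF < 4 { print; next }
       $3 == "xfs" {
         n = split($4, opt, ","); out = ""
         for (i = 1; i <= n; i++)
           if (opt[i] != "acl") out = out (out == "" ? "" : ",") opt[i]
         if (out == "") out = "defaults"   # never leave the field empty
         $4 = out
       }
       { print }'
}

echo "xfs entries with acl:"
sample_fstab | list_xfs_acl
echo "corrected fstab:"
sample_fstab | fix_xfs_acl
```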

Alternatively, although it is not recommended, it works to change “ro” (read-only) to “rw” (read-write) in the /etc/grub2.cfg file.

linux16 /vmlinuz-3.10.0-693.11.6.el7.x86_64 root=/dev/mapper/centos-root rw rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet

SNMP request timeouts when NFS share on remote server is hanging

SNMP requests time out when an NFS share on a remote server is hanging.

root# snmpwalk -v2c -cpublic localhost
Timeout: No Response from localhost
root#

A feature called skipNFSInHostResources was added to exclude NFS mounts from the filesystem lookup and so prevent issues when the remote resource is not available. From the snmpd.conf manpage:

skipNFSInHostResources true
controls whether NFS and NFS-like file systems should be omitted from the hrStorageTable (true or 1) or not (false or 0, which is the default).
If the Net-SNMP agent gets hung on NFS-mounted filesystems, you can try setting this to ‘1’.

The solution is to add the entry “skipNFSInHostResources true” to /etc/snmp/snmpd.conf and restart the snmpd service.

Add optional channels via mgr-sync SUSE Manager

I have found no way to add an optional channel via the web interface of SUMA 2.1. I needed to add Debuginfo-Pool for Kdump analysis, which uses crash. The crash utility is used to analyze the core file captured by kdump. It can also be used to analyze the core files created by other dump utilities like netdump, diskdump, xendump. You need to ensure the “kernel-debuginfo” package is present and that it is at the same level as the kernel. So, I had to use the command line of SUMA.

suma:~ # mgr-sync list channels

--cut--
[I] SLES12-Pool for x86_64 SUSE Linux Enterprise Server 12 x86_64 [sles12-pool-x86_64]
[ ] SLE-Manager-Tools12-Debuginfo-Pool x86_64 SUSE Manager Tools [sle-manager-tools12-debuginfo-pool-x86_64]
[ ] SLE-Manager-Tools12-Debuginfo-Updates x86_64 SUSE Manager Tools [sle-manager-tools12-debuginfo-updates-x86_64]
[I] SLE-Manager-Tools12-Pool x86_64 SUSE Manager Tools [sle-manager-tools12-pool-x86_64]
[I] SLE-Manager-Tools12-Updates x86_64 SUSE Manager Tools [sle-manager-tools12-updates-x86_64]
--cut--

suma:~ # mgr-sync add channel sle-manager-tools12-debuginfo-pool-x86_64
Adding 'sle-manager-tools12-debuginfo-pool-x86_64' channel
Scheduling reposync for 'sle-manager-tools12-debuginfo-pool-x86_64' channel

suma:~ # mgr-sync add channel sle-manager-tools12-debuginfo-updates-x86_64
Adding 'sle-manager-tools12-debuginfo-updates-x86_64' channel
Scheduling reposync for 'sle-manager-tools12-debuginfo-updates-x86_64' channel
suma:~ #

suma:~ # mgr-sync refresh --refresh-channels
Refreshing Channels [DONE]
Refreshing Channel families [DONE]
Refreshing SUSE products [DONE]
Refreshing SUSE Product channels [DONE]
Refreshing Subscriptions [DONE]

Scheduling refresh of all the available channels
Scheduling reposync for 'sles11-sp3-pool-x86_64' channel
Scheduling reposync for 'sle11-sdk-sp3-pool-x86_64' channel
Scheduling reposync for 'sle11-sdk-sp3-updates-x86_64' channel
--cut--

Veeam unable to connect to a client machine, unable to negotiate with a client

When Veeam connects to a Linux machine, it uses Diffie-Hellman key exchange to establish a secure connection and to reduce the possibility that a password will be intercepted when authenticating to the storage.

If the client and server are unable to agree on a mutual set of parameters then the connection will fail. OpenSSH (7.0 and greater) will produce an error message like this:

sshd[11344]: fatal: Unable to negotiate with XXX.XXX.XXX.XXX port 36929: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

In this case, the client and server were unable to agree on the key exchange algorithm. OpenSSH supports this method, but does not enable it by default because it is weak and within theoretical range of the so-called Logjam attack. OpenSSH only disables algorithms that we actively recommend against using because they are known to be weak. In some cases it might not be immediately possible to move the client to a stronger algorithm, so you may need to temporarily re-enable the weak algorithm to retain access.
“sshd -T” prints the effective server configuration, including the supported ciphers, key exchange algorithms and keyed-hash message authentication codes. Filter it for the key exchange algorithms using the following command: “sshd -T | grep kexa”

server:~ # sshd -T | grep kexa
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
server:~ #

If “diffie-hellman-group1-sha1” is not in the list, add this line:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

to your /etc/ssh/sshd_config file, and restart SSH.

server:~ # sshd -T | grep kexa
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
server:~ #

As you can see, the only newly added algorithm is “diffie-hellman-group1-sha1”.
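Because the weak algorithm is meant to be re-enabled only temporarily, it helps to know which clients still depend on it and whether a server still has it switched on. The following is an added example, not part of the original page: it summarises the “no matching key exchange method” failures from sshd log lines and checks “sshd -T” output for diffie-hellman-group1-sha1. The log lines are constructed (documentation-range addresses) and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample sshd log lines; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Jan 10 09:14:02 server sshd[11344]: fatal: Unable to negotiate with 192.0.2.10 port 36929: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 10 09:15:40 server sshd[11351]: Accepted publickey for backup from 192.0.2.20 port 51122 ssh2
Jan 10 09:20:11 server sshd[11390]: fatal: Unable to negotiate with 192.0.2.10 port 36951: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 10 09:31:57 server sshd[11420]: fatal: Unable to negotiate with 198.51.100.7 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
EOF
}

# Read sshd log lines on stdin and print "client offered-algorithms count"
# for every client whose key exchange offer was rejected.
kex_failures() {
  sed -n 's/.*Unable to negotiate with \([^ ]*\) port [0-9]*: no matching key exchange method found\. Their offer: \([^ ]*\).*/\1 \2/p' |
    sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Read "sshd -T" output on stdin; exit status 0 if the server currently
# accepts diffie-hellman-group1-sha1, 1 otherwise.
legacy_kex_enabled() {
  awk 'tolower($1) == "kexalgorithms" {
         n = split($2, a, ",")
         for (i = 1; i <= n; i++)
           if (a[i] == "diffie-hellman-group1-sha1") found = 1
       }
       END { exit !found }'
}

echo "clients rejected during key exchange:"
sample_log | kex_failures

# On a real server, run as root:  sshd -T | legacy_kex_enabled
if printf '%s\n' 'kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1' | legacy_kex_enabled; then
  echo "diffie-hellman-group1-sha1 is enabled on this server"
fi
```

Once kex_failures no longer reports a client that offers only diffie-hellman-group1-sha1, the algorithm can be taken out of KexAlgorithms again.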

Find installation date and time of rpm package(s)

To list all installed rpm packages with their installation date and time, use the command below:

rpm -qa --last

--cut--
iotop-0.4.3-7.8.1 Fri Aug 7 12:24:02 2015
libgtop-lang-2.28.0-1.9.24 Fri Aug 7 12:20:57 2015
libgtop-2.28.0-1.9.24 Fri Aug 7 12:20:10 2015
libgtop-2_0-7-2.28.0-1.9.24 Fri Aug 7 12:20:06 2015
--cut--

and for a single package:

rpm -q --last package-name

SUSE 12 – enable SSL and Create a Self-Signed Certificate

The SSL module is enabled by default in the global server configuration. In case it has been disabled on your host, activate it with the following command: a2enmod ssl. To finally enable SSL, the server needs to be started with the flag “SSL”. To do so, call a2enflag SSL (case-sensitive!). If you have chosen to encrypt your server certificate with a password, you should also increase the value for APACHE_TIMEOUT in /etc/sysconfig/apache2, so you have enough time to enter the passphrase when Apache starts. Restart the server to make these changes active. A reload is not sufficient.

Creating a Self-Signed Certificate on SUSE 12:

root# openssl req -new > vhostname.csr
root# openssl rsa -in privkey.pem -out vhostname.key
root# openssl x509 -in vhostname.csr -out vhostname.crt -req -signkey vhostname.key -days 3650

Copy the certificate files to the relevant directories, so that the Apache server can read them. Make sure that the private key /etc/apache2/ssl.key/vhostname.key is not world-readable, while the public PEM certificate /etc/apache2/ssl.crt/vhostname.crt is.