Cloud Knowledge Base and DevOps Admin Tutorials

Configure Email Alerts in VMware vCenter

Posted on May 7, 2018 by Gopalakrishnan S Leave a comment

The monitoring of VMware vSphere should be a combination of proactive benchmarking and reactive alarm-based actions. vCenter Server provides both methods to help the administrator keep tabs on each of the virtual machines and hosts as well as the hierarchical objects in the inventory. Using both methods ensures that the administrator is not caught unaware of performance issues or lack of capacity. How to Configure Email Alerts in VMware vCenter.

vCenter comes with a few default alarms such as ESX host connection state and usage alarms. Use the following steps to create alarms and how to send email notifications.

Make sure you have the permission to edit this vCenter configuration

In the vSphere Web Client,

navigate to the vCenter Server instance.
Click on the Manage tab.
Under Settings, select General.
Click Edit.

Select Mail.

In Mail server,

type the SMTP server information.

The SMTP server is the DNS name or IP address of the SMTP gateway to use for sending email messages.
Example,
smtp.gmail.com

In Mail sender,

type the sender account information.

The sender account is the email address of the sender.
Example,
gopkris2000@gmail.com

Click OK.

Now as you have successfully configured the email settings in vCenter.

To test the mail settings, create an alarm that can be triggered by a user action, such as by powering off a virtual machine and check the emails.

Solution and Patch for Meltdown Spectre CPU Vulnerability

Posted on March 14, 2018 by Gopalakrishnan S Leave a comment

A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Learn more how this Solution and Patch for Meltdown Spectre CPU Vulnerability.

We need to update fixes to mitigate all 3 variants CVE-2017-5753 (variant 1), CVE-2017-5715 (variant 2), and CVE-2017-5754 (variant 3) on your machine.

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

A list of affected Linux distro by Spectre Vulnerabilities.

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
RHEV-M 4.0
RHEV-M for Servers
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Red Hat Enterprise MRG 2
Red Hat OpenStack Platform v 8/9/10/11/12
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Deiban Linux buster, sid
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE OpenStack Cloud 6
Openstack Cloud Magnum Orchestration 7
SUSE Container as a Service Platform ALL
SUSE Linux Enterprise High Availability 12 SP2/SP3
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
SUSE Linux Enterprise for SAP 12 SP1
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

How to fix Meltdown Spectre CPU Vulnerability on CentOS/RHEL/Fedora/Oracle

run yum update command, Note: This will upgrade your OS version

# sudo uname -r
3.10.0-327.10.1.el7.x86_64

# sudo yum update -y
# sudo reboot

Once rebooted, verify your kernel version

# sudo uname -r
3.10.0-693.21.1.el7.x86_64

Use below command to verify the patchs in kernel.

# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

The solution for the Meltdown and Spectre Vulnerability on a Debian/Ubuntu Linux

# sudo apt-get update
# sudo apt-get dist-upgrade
# sudo reboot

The solution for the Meltdown and Spectre Vulnerability on Amazon Linux running on AWS

run yum command:
# yum update kernel
# reboot

The solution for the Meltdown and Spectre Vulnerability on Arch Linux

run pacman command:
# pacman -Syu
# reboot

The solution for the Meltdown and Spectre Vulnerability on Suse Enterprise Linux Server 12-SP3

Execute the zypper command:
# zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-12=1
### [ To bring your system up-to-date ] ###
# zypper patch
# reboot

How to patch Meltdown and Spectre Vulnerability in existing OS version.

Upgrade kernel version on CentOS 7.2. First, check the kernel dependencies and update it.

Example

[root@localhost ~]# rpm -ivh kernel-3.10.0-693.21.1.el7.x86_64.rpm
error: Failed dependencies:
dracut >= 033-502 is needed by kernel-3.10.0-693.21.1.el7.x86_64
linux-firmware >= 20170606-55 is needed by kernel-3.10.0-693.21.1.el7.x86_64
xfsprogs < 4.3.0 conflicts with kernel-3.10.0-693.21.1.el7.x86_64
kmod < 20-9 conflicts with kernel-3.10.0-693.21.1.el7.x86_64
kexec-tools < 2.0.14-3 conflicts with kernel-3.10.0-693.21.1.el7.x86_64

Solution

[root@localhost ~]# yum update dracut linux-firmware xfsprogs kmod kexec-tools kernel-3.10.0-693.21.1.el7.x86_64 -y
[root@localhost ~]# reboot

[root@localhost ~]# uname -r
3.10.0-693.21.1.el7.x86_64

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

Upgrade kernel version on CentOS 7.3. First, check the kernel dependencies and update it.

[root@localhost ~]# rpm -ivh kernel-3.10.0-693.21.1.el7.x86_64.rpm
error: Failed dependencies:
dracut >= 033-502 is needed by kernel-3.10.0-693.21.1.el7.x86_64
linux-firmware >= 20170606-55 is needed by kernel-3.10.0-693.21.1.el7.x86_64
kexec-tools < 2.0.14-3 conflicts with kernel-3.10.0-693.21.1.el7.x86_64

[root@localhost ~]# yum update dracut linux-firmware kexec-tools kernel-3.10.0-693.21.1.el7.x86_64 -y
[root@localhost ~]# reboot

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@localhost ~]# uname -r
3.10.0-693.21.1.el7.x86_64

You can verify the Meltdown security bug patch in kernel.

[root@localhost ~]# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'

How to Expose Docker API on CentOS

Posted on February 1, 2018 by Gopalakrishnan S Leave a comment

Docker provides an API for interacting with the Docker daemon (called the Docker Engine API), as well as SDKs for Go and Python. The SDKs allow you to build and scale Docker apps and solutions quickly and easily. If Go or Python don’t work for you, you can use the Docker Engine API directly.

The Docker Engine API is a RESTful API accessed by an HTTP client such as wget or curl, or the HTTP library which is part of most modern programming languages.

The version of the Docker Engine API you should use depends upon the version of your Docker daemon and Docker client.
The Docker API is backward-compatible, so you do not need to update code that uses the API unless you need to take advantage of new features.

How to Expose Docker API on Centos 7

– Check your docker daemon service loaded the file.

# sudo systemctl status docker

[centos@test]# sudo systemctl status docker
● docker.service – Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-01-30 12:55:41 PST; 1 day 3h ago
Docs: https://docs.docker.com

– Open that file using your favorite editor

# sudo vi /usr/lib/systemd/system/docker.service

– Add -H tcp://0.0.0.0:4243 this code where starts with ExecStart. You can also expose different port and IPs.

ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:4243

– Save the modified file.

– Make sure the Docker service notices the modified configuration

# sudo systemctl daemon-reload

– Restart the Docker service

# sudo service docker restart

Test that the Docker API is accessible from outside.

# sudo curl <server-ip>:2375/images/json

It could be the security problem if we enabled the docker API via the public network and default port. Review the security concerns.

Cloud Knowledge Base and Cloud Admin Tutorials

Cloud Knowledge Base Articles with Example