Saturday, May 9, 2015

Fixing Gummi "Compilation program is missing" error

I use LaTeX, mostly beamer, for my slides. I really like the Warsaw theme and it has been the default for almost all my presentations since quite some time now. Gummi is my choice of editor for this since it is dead simple and I can see the preview as the slides develop in the side pane.
However installing Gummi in Fedora never pulls all the dependencies for me. So I always get a compilation error on a fresh installation. In this tutorial I am going to write about how to setup Gummi to fix that issue.



Step 1: Install Gummi
# yum install gummi

Step 2: Install compilation tools
# yum install rubber latexmk texlive-xetex

Step 3: Install beamer for the warsaw and other themes
# yum install beamer

Step 4: For presentations, I usually need SI units.
# yum install texlive-siunitx-svn31333.2.5s

And this is about it!

Saturday, April 25, 2015

Setting up Yubikey for SSH two-factor with public key authentication

I just bought a Yubikey Neo. It is a tiny usb device which can be used for multi-factor authentication with many application. But setting it up can become tricky at times due to lack of documentation. Here is what I did to setup ssh with Yubikey two-factor for my Fedora 20 and Fedora 21:

Step1: Install the pam module for yubikey auth.
# yum install pam_yubico

Step 2: We need to create a mapping of user and the yubikey associated with it. We'll need the key id of the yubikey. To obtain that, we just need to open any text editor, plug the key in a usb slot and touch the golden button on the Yubikey. The first 12 characters is the id. Also note that, there can be multiple keys associated with one user. We'll create a file /etc/yubi-map:
# cat /etc/yubi-map
aditya:scwechdueeuv

Step 3: Now we have to add the yubico pam module to the sshd auth. Change the /etc/pam.d/sshd so that first few lines look like this:
#%PAM-1.0
auth       required     pam_sepermit.so use_first_pass
auth sufficient pam_yubico.so id=1 authfile=/etc/yubi-map debug


Note that I have added the pam_yubico as a sufficient auth and also modified the pam_sepermit to use the user's initial password.

Step 4: We'll modify the /etc/ssh/sshd_config to allow challenge response and define the authentication method.
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Optionally, disable the password auth as well
PasswordAuthentication no

Restart the sshd.
# systemctl sshd restart

Step 5: Now, here is the real catch. Yubikey needs to contact an authentication server before it can process. As far as I understand, we cannot use Yubikey when there is no internet (alternatively, you can run an authentication server in your own infra but more on that later). This also creates a problem, which is, that SELinux denies any network request during authentication. To handle the situation, Yubikey docs suggests setting a boolen.
# setsebool -P authlogin_yubikey 1

Wednesday, March 4, 2015

How to check for SSL FREAK Vulnerability?

A research group named SMACK has released a vulnerability known as FREAK which can be used for man-in-the-middle (MITM) attack. The vulnerability is due to an old ghost created by USA Government (NSA, more specifically) where in, years ago, they convinced several organizations to use weaker keys, known as export-grade keys for any software that was to be used outside the borders of USA. While the use of strong keys is wide spread now, several servers still have support for the weaker keys.

The group discovered that this vulnerability can be exploited by using a client and making a connection via a weak key. Once the key is generated by the server, it is reused until the server is restarted which can potentially be months. The group was able to crack this weak server key in 7.5 hours using Amazon EC2. Once this is cracked, potentially all the communication can be downgraded to use weak keys and MITM'ed.

How to check if a server vulnerable or not?
Fire the following command:
$ openssl s_client -connect www.google.com:443 -cipher EXPORT

A handshake failure signifies that EXPORT cipher is not active on the server and it is safe.

Hacker News: Discuss and upvote on Hacker News.

Monday, January 5, 2015

Basic Docker Orchestration with Google Kubernetes on Fedora

Kubernetes is new framework by Google to manage Linux container clusters. I started playing with it today and it seems like a cool, powerful tool to manage a huge barrage of containers and to ensure that a predefined number of containers are always running. Installation and configuration on Fedora and many other distributions can be found at these Getting Started Guides. I recommend using two machines for this experiment (one physical and one VM is fine). Kubelet (or Minion) is the one where Docker containers will run, so use more powerful machine for that.

After the installation we'll see something like below when we look for minions from kube master:
master# kubectl get minions
NAME                LABELS
fed-minion          <none>


Now we would move to Kubernetes 101 Walkthrough where we will run a container using the yaml from the Intro section.
master# kubectl create -f kubeintro.yaml

.. except, (as on 25 Dec 2014) it won't run. It will give an error like this:
the provided version "v1beta1" and kind "" cannot be mapped to a supported object

Turns out that a field "kind" is empty. So the kubectl won't be able to run the container. Correct this so that kubeintro looks like this:

master# cat kubeintro.yaml
apiVersion: v1beta1
kind: Pod
id: www
desiredState:
  replicas: 2
  manifest:
    version: v1beta1
    id: www
    containers:
      - name: nginx
        image: dockerfile/nginx


Optional: Now, I do not exactly know what is there inside the image "dockerfile/nginx". So I would replace it with something that I want to spawn like "adimania/flask" image. The dockerfile for my flask image can be found in Fedora-Dockerfiles repo.

Once the kubeintro.yaml is fixed, we can run it on the master and we'll see that a container is started on the minion. We can stop the container on the minion using docker stop command and we'll see the kubernetes will start the container again.

The example above doesn't do much. We need to publish the ports of the container so that we can access the webpage served by it. Modify the kubeintro.yml to tell it to publish ports like this:

master# cat kubeintro.yaml
apiVersion: v1beta1
kind: Pod
id: www
desiredState:
  replicas: 2
  manifest:
    version: v1beta1
    id: www
    containers:
      - name: nginx
        image: dockerfile/nginx
        ports:
          - containerPort: 80
            hostPort: 8080


Now delete the older pod named www and start a new one from the new kubeintro.yaml file.
master# kubectl delete pod www
master# kubectl create -f kubeintro.yaml


We can browse via a browser to localhost:8080 and we'll see Nginx serving the default page. (If we would have used "adimania/flask" image, we would have seen "Hello from Fedora!" instead.)

Sunday, December 7, 2014

Docker Quick Start Guide

Here is a short and sweet guide to Docker for absolute beginners. I have added a few FAQs as well.

Q. What is a container?
A. Container is an isolated Linux system running on a Linux machine itself. They are lightweight and consume less resources than a virtual machine. They rely on kernels cgroups and namespace features to create isolation for CPU, memory etc..

Q. What is Docker?
A. Docker is a container based platform to build and ship applications. Docker makes containers easy to use by providing a lot of automation and tools for container management.

Q. Why would I use Docker?
A. If you have any of the following concerns then you should use Docker:
  • My production needs to be homogeneous
  • I need to ship entire environment to my colleague
  • My hypervisor ate all the CPU (or RAM)
  • .. it works on my machine, but not in production  ..

How to play with Docker
Step1: Let us install and run the Docker first:
# yum install docker-io
# systemctl start docker

Step2: Docker has something called registries. A registry stores container images from which we can download and run containers. These registries can be public or private. Docker.io maintains a public registry which is the default if we want to download an image. The command below will download an image with name fedora-busybox, contributed by user adimania:
# docker pull adimania/fedora-busybox
Pulling repository adimania/fedora-busybox
605bfcc0af5d: Download complete

Step3: Let us check out the image that we just downloaded.
# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             VIRTUAL SIZE

adimania/fedora-busybox      latest              605bfcc0af5d        7 minutes ago        1.309 MB


Step4: Once we have the image, we would want to run a container off it. The command below will take care of that and drop us in the container's shell:
# docker run -i -t adimania/fedora-busybox /sbin/sh

The run command takes certain parameters and run the image provided as argument. The arguments "-i" and "-t" tells run command to open STDIN and allocate a pseudo-TTY. Last argument is the command that is runs inside the container in foreground. One thing to note here is that docker always need a process to run in foreground. As soon as this process exits, the docker container shuts down. For certain containers, this foreground process is implicit and we may not need to tell docker what to run. However for certain other containers, like the one which we are using, we specify "/sbin/sh" to run as foreground process. docker run command supports several other arguments and flags. It is advisable to fire docker run --help to check out all the options.

Step5: We can see more information about this containers that are currently running by using docker ps command:
# docker ps
CONTAINER ID    IMAGE                      COMMAND          CREATED             STATUS              PORTS            NAMES
3af04d663b3d      adimania/fedora-busybox:latest   "/sbin/sh"         25 seconds ago      Up 24 seconds          furious_leakey

docker ps commands shows all the containers that are running along with other useful info like uptime, foreground command etc.. This command takes an optional argument "-a" which shows all the containers, including the stopped ones. 

Step6: Let us stop and start the container again. We'll need the container id obtained from the docker ps command
# docker stop 3af04d663b3d
3af04d663b3d

# docker start 3af04d663b3d
3af04d663b3d

Above commands are a part of workshop which I have conducted before at Flock and CentOS Dojo. Check out the slides here.