[[PageOutline]]
====== HAL - Host machine to run VMs. ======
This page documents the reconfiguration of HAL to provide a service comparable to Mystic.
===== Filesystem =====
[[https://xfs.org/index.php/Shrinking_Support|XFS: Shrinking Support]] - "Currently XFS Filesystems can't be shrunk."
Because an XFS filesystem cannot be shrunk in place, space is rearranged by creating a new LV, copying the data across and retiring the old one. Process for moving /home around within the LVM:
- Log in as root
- Create a new LV from some of the free extents to replace /home
- Mount the new /home temporarily
- rsync the contents across
- Update fstab
- Unmount the original /home and mount the new one in its place with mount -a (which also tests fstab)
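The procedure above as one script, added here as an example rather than taken from the HAL page. It assumes VG **cl**, a new LV named **home2** (hypothetical; the existing LV is cl-home), a 50G size and a root shell; nothing destructive runs unless the script is invoked with --run. The fstab helpers are kept separate so the generated entry can be checked before it is written.

```shell
#!/bin/sh
# Added example (not from the HAL wiki page): move /home onto a fresh LV in VG "cl".
# Assumptions: VG "cl", new LV name "home2" (hypothetical), 50G size, root shell.
# Nothing below touches the system unless run as:  sh move-home.sh --run
set -eu

VG=cl
NEW_LV=home2                 # hypothetical name; the old LV on the page is cl-home
NEW_SIZE=50G
TARGET=/home
STAGING=/mnt/home.new        # temporary mountpoint for the rsync

# Compose the fstab entry for an XFS LV, keyed by filesystem UUID so the entry
# survives a later LV rename.
fstab_line() {
    printf 'UUID=%s %s xfs defaults 0 0\n' "$1" "$2"
}

# Sanity-check an fstab line: six fields, second one an absolute path.
fstab_line_ok() {
    printf '%s\n' "$1" | awk 'NF == 6 && $2 ~ /^\// { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Print an fstab file minus any entry for the given mountpoint (second field);
# works whether the old entry used the LV path or a UUID.
fstab_without_mount() {
    awk -v mp="$2" '$2 != mp' "$1"
}

migrate_home() {
    lvcreate -L "$NEW_SIZE" -n "$NEW_LV" "$VG"
    mkfs.xfs "/dev/$VG/$NEW_LV"
    mkdir -p "$STAGING"
    mount "/dev/$VG/$NEW_LV" "$STAGING"
    # -a keeps ownership and modes, -H hard links, -A ACLs, -X xattrs (which is
    # where SELinux labels live; sshd is picky about ~/.ssh contexts).
    rsync -aHAX --numeric-ids "$TARGET/" "$STAGING/"
    uuid=$(blkid -s UUID -o value "/dev/$VG/$NEW_LV")
    line=$(fstab_line "$uuid" "$TARGET")
    fstab_line_ok "$line"
    cp /etc/fstab /etc/fstab.pre-home-move
    { fstab_without_mount /etc/fstab.pre-home-move "$TARGET"; printf '%s\n' "$line"; } > /etc/fstab
    umount "$STAGING"
    umount "$TARGET"            # fails if anyone still has files open under /home
    mount -a                    # the fstab test from the page: mounts the new LV at /home
    restorecon -R "$TARGET"
    # Once happy with the result, reclaim the old LV:  lvremove "$VG/home"
}

if [ "${1:-}" = "--run" ]; then
    migrate_home
fi
```

The old fstab is kept as /etc/fstab.pre-home-move so a failed mount -a can be backed out by copying it back; the umount of /home will refuse while a session still has files open there, which is the reason the page starts with a root login rather than a user one.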
LVM space allocation now:
{{{
hal:/root ## df -ht xfs
Filesystem              Size  Used Avail Use% Mounted on
/dev/mapper/cl-root      50G  6.4G   44G  13% /
/dev/sda1              1014M  181M  834M  18% /boot
/dev/mapper/cl-home      50G   33M   50G   1% /home
/dev/mapper/cl-libvirt  1.5T   33M  1.5T   1% /var/lib/libvirt
/dev/mapper/cl-log       10G   50M   10G   1% /var/log
}}}
Filesystems created:
{{{
hal:/ ## mkfs.xfs /dev/cl/home
meta-data=/dev/cl/home isize=512 agcount=4, agsize=3276800 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=13107200, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=6400, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
}}}
{{{
hal:/ ## mkfs.xfs /dev/cl/libvirt
meta-data=/dev/cl/libvirt isize=512 agcount=4, agsize=98304000 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=393216000, imaxpct=5
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=192000, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
}}}
{{{
hal:/ ## mkfs.xfs /dev/cl/log
meta-data=/dev/cl/log isize=512 agcount=4, agsize=655360 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=2621440, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
}}}
Current state of space:
{{{
hal:/root ## vgdisplay cl
  --- Volume group ---
  VG Name               cl
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  10
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                5
  Open LV               5
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               <1.82 TiB
  PE Size               4.00 MiB
  Total PE              475901
  Alloc PE / Size       414176 / <1.58 TiB
  Free PE / Size        61725 / 241.11 GiB
  VG UUID               EdHx5A-SkuN-5snE-IBbZ-g47D-qMmt-ocsVQA
}}}
(This leaves ~240G free to allocate as we see fit.)
===== Security =====
==== Password hash ====
Updated with the information here: [[https://trac.x0blr.com/hal/ticket/10|https://trac.x0blr.com/hal/ticket/10]]
==== SELinux ====
Enabled in PERMISSIVE mode.
==== Firewall ====
Firewalld is currently installed but not enabled at boot: the rules are still being configured, and a reboot gets us back in after a lockout.
{{{
hal:/root ## systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-04-18 17:48:48 BST; 16h ago
}}}
SSH (on port 22022) and VNC are currently permitted:
{{{
hal:/root ## firewall-cmd --list-services
dhcpv6-client ssh ssh-22022 vnc
}}}
New services are added under **/etc/firewalld/services**. Ports opened by VMs running on HAL do not need matching rules on HAL itself: the VMs do not "sit inside" HAL's firewall but alongside it.
----
==== Using FirewallD and ipsets ====
This //is// possible. Experimentation shows that rules added with --permanent show up in the config files straight away, but do not take effect until a firewall-cmd --reload.
Examples are:
1. Create a new set:
{{{
firewall-cmd --permanent --type=hash:ip --new-ipset=testblock ## creates /etc/firewalld/ipsets/testblock.xml
firewall-cmd --permanent --ipset=testblock --set-description="testing ipsets by Dave" ## can't set the description on the same line
firewall-cmd --permanent --ipset=testblock --get-description ## get info.
firewall-cmd --get-ipsets ## won't show it yet
firewall-cmd --reload
firewall-cmd --get-ipsets ## should now show up
ipset -L ## also should show up - no description, mind.
}}}
The contents of /etc/firewalld/ipsets/testblock.xml read:
{{{
testing ipsets by Dave
}}}
2. Add this set to a zone to define a whitelist/blacklist. In this case, add it to the DROP zone:
{{{
firewall-cmd --get-active-zones # see which zones are in use
firewall-cmd --permanent --zone=drop --add-source=ipset:testblock # adds this entry to /etc/firewalld/zones/drop.xml
firewall-cmd --reload
firewall-cmd --get-active-zones # should now show as a zone.
}}}
3. Remove an ipset from a FirewallD zone:
{{{
firewall-cmd --get-ipsets ## shows current ipsets
firewall-cmd --permanent --delete-ipset=testblock ## no need to mention the zone
firewall-cmd --reload
firewall-cmd --get-ipsets ## no longer listed
ipset -L ## may still show, but not as part of FirewallD
}}}
4. Add entries to the set:
{{{
firewall-cmd --permanent --ipset=testblock --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=testblock --add-entry=2.3.4.5
ipset -L # not shown yet - but added to /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L # shows
}}}
The contents of /etc/firewalld/ipsets/testblock.xml will now read:
{{{
testing ipsets by Dave
1.2.3.4
2.3.4.5
}}}
5. Remove entries from an ipset:
{{{
firewall-cmd --permanent --ipset=testblock --remove-entry=1.2.3.4 ## deletes an entry from "testblock"
ipset -L ## still shows in ipset but not in /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L ## removed from ipset, XML file also updated
}}}
Of note: DROP via a zone source appears to apply to NEW connections only, not ESTABLISHED ones (FirewallD accepts ESTABLISHED,RELATED traffic before the zone rules are consulted). Adding a block on incoming SSH with raw iptables would cut the current session immediately, whereas FirewallD leaves the existing session up.
Additional change: whitelisting trusted IPs. Steps are:
{{{
firewall-cmd --permanent --type=hash:ip --new-ipset=whitelisted
firewall-cmd --permanent --ipset=whitelisted --set-description="Whitelisted IPs"
firewall-cmd --permanent --ipset=whitelisted --get-description
firewall-cmd --reload
firewall-cmd --get-ipsets
ipset -L
## Adding the new IPset to FirewallD
firewall-cmd --permanent --zone=trusted --add-source=ipset:whitelisted
firewall-cmd --reload
firewall-cmd --get-active-zones
## manipulate IPset rules through FirewallD
firewall-cmd --permanent --ipset=whitelisted --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=whitelisted --add-entry=2.3.4.5
## Don't forget to reload to embed the rules.
firewall-cmd --reload
## Viewing the rules, use either:
cat /etc/firewalld/ipsets/whitelisted.xml
ipset -L whitelisted
}}}
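The testblock/drop steps and the whitelisted/trusted steps are the same sequence with a different zone, so here they are wrapped in one function. This is an added example, not code from the HAL page: it validates each entry before it reaches a zone (a mistyped entry in the trusted zone is a wider hole than a mistyped one in drop), reloads once, and then checks the runtime set with --query-entry instead of trusting the XML on disk. The XML sample inside is constructed for the example, and the IPs in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the HAL wiki page): wrap the ipset steps in a
# function that validates entries before they reach a zone, reloads once, and
# then checks the runtime set instead of trusting the XML on disk.
# Assumptions: firewall-cmd is on PATH and the script runs as root when applying.
set -eu

# Accept a.b.c.d or a.b.c.d/n (octets 0-255, prefix 0-32). A typo here would
# otherwise be accepted by --add-entry and silently widen a trusted zone.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) { exit 1 }
        { exit 0 }'
}

# List the <entry> values from a firewalld ipset XML file, i.e. the permanent
# config that --permanent writes under /etc/firewalld/ipsets/.
ipset_xml_entries() {
    sed -n 's/^[[:space:]]*<entry>\(.*\)<\/entry>.*/\1/p' "$1"
}

# Constructed copy of what testblock.xml looks like after two --add-entry calls
# (a sample for this example, not the file from HAL).
demo_entries() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
  <entry>1.2.3.4</entry>
  <entry>2.3.4.5</entry>
</ipset>
EOF
    ipset_xml_entries "$f"
    rm -f "$f"
}

# Create the set if needed, bind it to a zone (drop for a blacklist, trusted
# for a whitelist), add validated entries, reload once, then confirm each
# entry is live with --query-entry.
ipset_apply() {
    zone=$1; set_name=$2; shift 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "refusing malformed entry: $ip" >&2; return 1; }
    done
    firewall-cmd --permanent --info-ipset="$set_name" >/dev/null 2>&1 ||
        firewall-cmd --permanent --type=hash:ip --new-ipset="$set_name"
    firewall-cmd --permanent --zone="$zone" --query-source="ipset:$set_name" >/dev/null 2>&1 ||
        firewall-cmd --permanent --zone="$zone" --add-source="ipset:$set_name"
    for ip in "$@"; do
        firewall-cmd --permanent --ipset="$set_name" --query-entry="$ip" >/dev/null 2>&1 ||
            firewall-cmd --permanent --ipset="$set_name" --add-entry="$ip"
    done
    firewall-cmd --reload            # nothing above is live until this runs
    for ip in "$@"; do
        firewall-cmd --ipset="$set_name" --query-entry="$ip" >/dev/null 2>&1 ||
            { echo "$ip is not in the runtime set $set_name" >&2; return 1; }
    done
}

# Usage (placeholder addresses):
#   sh ipset-apply.sh --apply drop testblock 1.2.3.4 2.3.4.5
#   sh ipset-apply.sh --apply trusted whitelisted 1.2.3.4
if [ "${1:-}" = "--apply" ]; then
    shift
    ipset_apply "$@"
fi
```

The query-before-add pattern keeps the function re-runnable; the final --query-entry loop is the check worth keeping even if the rest is done by hand, since an entry that is only in the XML has not been reloaded and is not doing anything yet.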
==== Fail2Ban ====
Currently installed and closely mirrors the settings mentioned for [[https://trac.x0blr.com/hal/wiki/albert|ALBERT]]. Observations are:
* add individual F2B configuration settings to **/etc/fail2ban/jail.d/**//SETTING//**.conf**
  - the actual name isn't important, but the file will need a [DEFAULTS] section to override the default settings.
* add jails to **/etc/fail2ban/jail.d/**//JAILNAME//**.conf**
* **ipsets** are configured to DROP connections (edited **/etc/fail2ban/action.d/firewallcmd-common.conf**)
Currently the only jail added is **/etc/fail2ban/jail.d/50-sshd.conf**, which adds a DROP rule after 3 failed SSH connections; apache rules are not (currently) needed on HAL.
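To see what the 3-failure threshold in 50-sshd.conf actually triggers on, here is the counting logic run over a constructed excerpt of sshd log lines. It is an added example, not part of the HAL page or of fail2ban: it assumes the default rsyslog format of /var/log/secure and keys on the same "Failed password" and "Invalid user" messages fail2ban's sshd filter matches.

```shell
#!/bin/sh
# Added example (not from the HAL page): the 3-strike logic behind 50-sshd.conf,
# applied to constructed sshd log lines so the threshold can be checked offline.
# Assumption: sshd logs through rsyslog to /var/log/secure in the default format.
set -eu

MAXRETRY=3

# Print "count ip" for every source that reached the failed-auth threshold.
# Matches the sshd messages fail2ban's sshd filter keys on ("Failed password"
# and "Invalid user"), both of which carry "from <ip>". Takes file arguments,
# e.g. failed_auth_offenders /var/log/secure
failed_auth_offenders() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }' "$@"
}

# Constructed /var/log/secure excerpt: 10.0.0.9 fails three times, 10.0.0.7
# fails once and then logs in with a key. Sample data, not HAL's log.
demo_offenders() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Apr 19 09:01:02 hal sshd[2101]: Invalid user admin from 10.0.0.9 port 51000
Apr 19 09:01:04 hal sshd[2101]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Apr 19 09:01:10 hal sshd[2105]: Failed password for root from 10.0.0.9 port 51002 ssh2
Apr 19 09:02:00 hal sshd[2110]: Failed password for dave from 10.0.0.7 port 51100 ssh2
Apr 19 09:02:30 hal sshd[2111]: Accepted publickey for dave from 10.0.0.7 port 51101 ssh2
EOF
    failed_auth_offenders "$f"
    rm -f "$f"
}
```

Running demo_offenders prints only 10.0.0.9, which is the address the jail would hand to the firewallcmd action; the single failure from 10.0.0.7 stays under the threshold. Unlike fail2ban this has no findtime window, so on a real log it over-counts slow attempts.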
----
==== Postfix ====
The intention is to install it as an MTA that forwards messages on (so that outbound notifications can be sent via email) but does not accept incoming connections. Most configuration settings follow the [[https://trac.x0blr.com/hal/wiki/albert#E.ConfiguringemailPostfix|work done on ALBERT]].
The important lines in **main.cf** are:
{{{
myhostname = hal.server
mydomain = $myhostname
myorigin = $myhostname
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost
alias_maps = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/outbound.sender_canonical
}}}
/etc/postfix/outbound.sender_canonical (used to rewrite "local" addresses to real postboxes) reads:
{{{
## this rewrites fred@hal.server -> fred@proper.fq.dn
#
#
root@hal.server hal-root@tombstones.org.uk
dave@hal.server dave@hal.tombstones.org.uk
logwatch@hal.server hal-logwatch@tombstones.org.uk
}}}
/etc/aliases (used to accept locally-delivered mail and then forward it off) currently looks like:
{{{
## -- this is where mails get forwarded off..
root: security@tombstones.org.uk
dave: dave@tombstones.org.uk
}}}
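The two things this configuration promises are that local senders get rewritten and that SMTP is reachable only on loopback. Here is an added check script for both, not taken from the HAL page: the rewrite is asked of Postfix itself via postmap -q after the tables are rebuilt, and the listener check is a pure function over ss -ltn output so it can be exercised against the constructed samples embedded below. It assumes Postfix's default paths and a root shell for the rebuild.

```shell
#!/bin/sh
# Added example (not from the HAL page): rebuild the Postfix lookup tables after
# editing them and verify what the configuration above promises: the sender
# rewrite, and SMTP bound to loopback only. Assumes default Postfix paths.
set -eu

CANONICAL=/etc/postfix/outbound.sender_canonical

# postmap/newaliases compile the text files into the .db files Postfix reads;
# editing the text alone changes nothing until this runs.
rebuild_maps() {
    postmap "hash:$CANONICAL"
    newaliases
    postfix reload
}

# Ask Postfix itself what a sender becomes, using the compiled table.
rewrite_of() {
    postmap -q "$1" "hash:$CANONICAL"
}

# Given `ss -ltn` output, succeed only if every port-25 listener is loopback.
# Written as a pure function so it can be checked against sample output.
smtp_loopback_only() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (port == "25") {
                addr = substr($4, 1, length($4) - length(port) - 1)
                if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed ss output for the intended state (inet_interfaces = localhost).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22022      0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*'

# Constructed ss output for the misconfiguration (inet_interfaces = all).
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*'

# Live checks against the running system; returns non-zero on the first failure.
check_live() {
    [ "$(postconf -h inet_interfaces)" = "localhost" ] ||
        { echo "inet_interfaces is not localhost" >&2; return 1; }
    smtp_loopback_only "$(ss -ltn)" ||
        { echo "SMTP is listening beyond loopback" >&2; return 1; }
    [ "$(rewrite_of root@hal.server)" = "hal-root@tombstones.org.uk" ] ||
        { echo "sender_canonical rewrite for root is wrong" >&2; return 1; }
}

# Usage:  sh postfix-check.sh --rebuild   (after editing the tables)
#         sh postfix-check.sh --check
case "${1:-}" in
    --rebuild) rebuild_maps ;;
    --check)   check_live ;;
esac
```

The listener check is the one to rerun after any main.cf change: inet_interfaces is read at start-up, so a forgotten restart leaves the old binding in place even though postconf already reports the new value.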
----
===== Virtual Machines =====
[[wiki:baseos-roadmap|All information about KVM and VMs can be found here]]
**Backups**