Lpic3 Slide

This document provides an overview of the Linux Professional Institute's highest certification level, LPIC-3. It discusses topics covered in the LPIC-3 exam including mixed environments with OpenLDAP, SAMBA, and FreeIPA. It also covers security concepts, virtualization with KVM and libvirt/ovirt, and high availability clustering with Pacemaker.

Uploaded by No Bi Ta

Linux Professional Institute

Highest Level
Contents
▪ LPIC-3 Introduction
▪ Mixed Environments
▪ OpenLDAP
▪ SAMBA
▪ FreeIPA
▪ Security in Linux
▪ Security concepts, principles, and guidelines
▪ Account security
▪ Network security
▪ File System security
Contents
▪ Linux Virtualization
▪ KVM Virtualization
▪ libvirt and ovirt for Virtual Machine Management
▪ Linux High Availability Clustering
▪ High Availability Clustering and Its Architecture
▪ Configuring Storage
▪ Understanding Pacemaker Architecture and Management
LPIC-3 Introduction
Linux Mixed Environment
Open LDAP
History of LDAP

• Has its roots in X.500 (hence DAP)

• Developed initially at University of Michigan and is now an IETF standard

• Accepted standard for Directory services embraced by all the “big” players

• LDAP is a protocol not a database

• Client-server based ASN.1 encoding


Introduction to LDAP
• Information describing the various users, applications, files, printers, and other
resources accessible from a network is often collected into a special database
that is sometimes called a directory.
• The Lightweight Directory Access Protocol (LDAP) is an open industry standard
• Directory: A directory is a listing of information about objects arranged in some
order that gives details about each object
• Directory versus database
• The Lightweight Directory Access Protocol (LDAP) defines a message protocol
used by directory clients and directory servers.
LDAP Overview
Lightweight Directory Access Protocol (LDAP) is a directory access protocol.
An entry is what we call a record in the LDAP server; it is the same as a record in a traditional
database. An LDAP entry is made up of many attributes. Attributes are name/value pairs and
correspond to fields in a traditional database. An attribute has only one name but can have
more than one value, and a value can be text or binary.
Each entry is uniquely identified by its distinguished name (DN). The DN is made up of components,
each of which is called a relative distinguished name (RDN). The components of the RDN are
taken from the attributes in the entry.
Object classes determine what attributes are available for an entry. They are the equivalent of
tables in a traditional database, but differ from tables in that they are extensible: you can declare
a new object class that extends an earlier one.
Each server has a schema. The schema is the blueprint of the server: it specifies all the
object classes and attributes that can be stored in, and searched for on, the LDAP server.
The directory service is accessed like a tree and is referred to as a Directory Information Tree (DIT).
The directory server itself is called a Directory Service Agent (DSA).
Directories Advantages
The naming model
The LDAP naming model defines how entries are identified and
organized. Entries are organized in a tree-like structure called
the Directory Information Tree (DIT) and are arranged within
the DIT based on their distinguished name (DN).
Domain: the top level.
Organizational units: the branches, normally departments in a
company. These organizational units can then be sub-divided
into sub-divisions.
An entry that is neither a domain nor an organizational unit is called a leaf.
Distinguished Names
• Each object in the LDAP directory has a DN
• uid=jheiss,ou=people,dc=example,dc=com
• cn=users,ou=group,dc=example,dc=com
• Notice that the DNS name is example.com (specified by the DC=Domain Component entries) for the
domain
• OU is organizational unit
• Each domain or subdomain could create a tree structure in LDAP (engr.example.com,
sales.example.com, pre.engr.example.com, support.engr.example.com, etc.)
Sample DIT

• Branched by agency
• Agencies in this example have branches containing:
• Groups which contain people
• People in the organization
• Resources such as printers and conference
rooms.
• Applications (where application specific info
could be maintained)
Sample User Object
• Objects contain attributes, e.g.,
• uid (user ID)
• cn (common name)
• sn (surname)
• mail (e-mail address)
• Attributes can be multivalued, e.g., givenname of both James, Jim
• This object contains
• white-pages information
• X.509 certificate for PKI
ObjectClass
• A commonly used attribute is "objectClass".
• Each record represents an object, and the attributes associated with that object are defined
according to its objectClass.
• The value of the objectClass attribute
• Examples of objectClass:
• organization (needs a name and address)
• person (needs name, email, phone & address)
Entries, attributes and values
Schemas
• The schema defines the attribute types that directory entries can contain.
• An attribute definition includes a syntax, and most non-binary values in LDAPv3 use UTF-8 string syntax
• For example, a "mail" attribute might contain the value "[email protected]".
• A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format.
• A "member" attribute contains the DNs of other directory entries.
• The location will vary from Unix version to Linux version.
• Attribute definitions also include whether the attribute is single-valued or multi-valued, how to search/compare
the attribute.
• The schema defines object classes. Each entry must have an objectClass attribute, containing named classes
defined in the schema.
• e.g. a person, organization or domain.
• Server administrators can define their own schemas in addition to the standard ones.
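The following added example (written for this page, not part of the slides or of OpenLDAP) models the naming and schema rules above in Python: it splits a DN into its RDNs, derives the parent entry in the DIT, checks an entry's attributes against a mini-schema selected by its objectClass values (MUST versus MAY attributes, single- versus multi-valued, and the naming attribute having to be present in the entry), and emits the entry as LDIF with binary values base64-encoded. The schema table, the single-valued rule and the sample user (built around the uid=jheiss DN from the Distinguished Names slide) are constructed assumptions; a real slapd schema is far larger.

```python
import base64

# Constructed mini-schema: objectClass -> (MUST attributes, MAY attributes).
# Modelled on the standard person/inetOrgPerson/organizationalUnit/dcObject
# classes but cut down to a handful of attributes; a real slapd schema is larger.
SCHEMA = {
    "top": (set(), set()),
    "dcObject": ({"dc"}, set()),
    "organizationalUnit": ({"ou"}, {"description"}),
    "person": ({"sn", "cn"}, {"userPassword", "telephoneNumber", "description"}),
    "inetOrgPerson": ({"sn", "cn"}, {"uid", "mail", "givenName", "jpegPhoto", "userCertificate"}),
}
BINARY_ATTRS = {"jpegPhoto", "userCertificate"}  # written base64-encoded in LDIF ("attr:: ...")
SINGLE_VALUED = {"uid"}  # constructed rule for this example; real schemas flag this per attribute


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, leaf first.
    A backslash-escaped comma inside a value does not split the DN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def parent_dn(dn):
    """DN of the parent entry in the DIT; empty string for a root entry."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def check_entry(entry):
    """Return the schema violations of entry = {"dn": ..., "attrs": {name: [values]}}.
    The objectClass values decide which attributes are MUST and which are MAY."""
    attrs = entry["attrs"]
    classes = attrs.get("objectClass", [])
    if not classes:
        return ["entry has no objectClass attribute"]
    problems, must, may = [], set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass {oc}")
            continue
        must |= SCHEMA[oc][0]
        may |= SCHEMA[oc][1]
    allowed = must | may | {"objectClass"}
    for attr, values in attrs.items():
        if attr not in allowed:
            problems.append(f"attribute {attr} not allowed by objectClass values {sorted(classes)}")
        if attr in SINGLE_VALUED and len(values) > 1:
            problems.append(f"attribute {attr} is single-valued but has {len(values)} values")
    for attr in sorted(must):
        if not attrs.get(attr):
            problems.append(f"missing MUST attribute {attr}")
    rdn_attr, rdn_val = split_dn(entry["dn"])[0]  # the RDN is taken from the entry's own attributes
    if rdn_val not in attrs.get(rdn_attr, []):
        problems.append(f"naming attribute {rdn_attr}={rdn_val} is not present in the entry")
    return problems


def to_ldif(entry):
    """Serialize an entry as LDIF; binary attributes use the '::' base64 form."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry["attrs"].items():
        for value in values:
            if attr in BINARY_ATTRS:
                lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
            else:
                lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample shaped like the "Sample User Object" slide: white-pages data,
# a multi-valued givenName and a placeholder (not a real DER) certificate.
SAMPLE_USER = {
    "dn": "uid=jheiss,ou=people,dc=example,dc=com",
    "attrs": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["jheiss"],
        "cn": ["Jim Heiss"],
        "sn": ["Heiss"],
        "givenName": ["James", "Jim"],
        "mail": ["jheiss@example.com"],
        "userCertificate": [b"\x30\x82\x00\x00placeholder-not-a-real-certificate"],
    },
}

if __name__ == "__main__":
    print("parent:", parent_dn(SAMPLE_USER["dn"]))
    print("violations:", check_entry(SAMPLE_USER))
    print(to_ldif(SAMPLE_USER))
```

The check mirrors what a schema-checking server does at add time: an entry that violates its object classes is rejected rather than stored, which is why a consistent schema is a data-integrity control and not just documentation.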
Basic Operations
• Search - search for and/or retrieve directory entries

• Compare - test if a named entry contains a given attribute value

• Add a new entry

• Delete an entry

• Modify an entry

• Modify DN - move or rename an entry

• Abandon - abort a previous request

• Extended Operation - generic operation used to define other operations


Variations
• OpenLDAP
• Open Source LDAP v3 implementation
• SLAPD: Standalone server daemon
• MS Active Directory
• Microsoft Directory services
• Use LDAP & Kerberos 5
• Netscape Directory Server
• Very fast, powerful ACLs
• Cross platform
• Standards compliant
SAMBA & NFS
File Sharing: SAMBA vs NFS
• The Samba Suite is a powerful and highly configurable package that implements the Server Message
Block/Common Internet File System (SMB/CIFS) protocol used on many Windows-dominated networks.
• The Network File System (NFS) protocol is Unix's dominant file sharing protocol.
• Several Linux server programs exist to handle the File Transfer Protocol (FTP), which is a popular means
of cross-platform file sharing, particularly on the Internet.
SAMBA Configuration File
• Path: /etc/samba/smb.conf
• Reload configuration: # service smb reload
• Add new SAMBA user
• Add new system user: # useradd username
• Add user to SAMBA: # smbpasswd -a username

Common global Samba options
Common global Samba options
Common file share Samba options
Checking Your Configuration and Running Samba
# testparm

# smbstatus
NFS Configuration File
• Path: /etc/exports
• Reload configuration: # exportfs -r
• Access control using TCP Wrappers
• /etc/hosts.allow
portmap:192.168.1.1
• /etc/hosts.deny
portmap:ALL
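As an added example (not from the slides; the sample files are constructed, but the portmap rules copy the two lines above), the following Python reproduces how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny, so the effect of a rule set can be checked before it is deployed: the first match in hosts.allow grants, otherwise the first match in hosts.deny refuses, otherwise access is granted. It handles ALL, exact addresses, trailing-dot prefixes, net/mask and CIDR patterns and the EXCEPT operator, for IPv4 only.

```python
import ipaddress

# Constructed sample files, following the slide's /etc/hosts.allow and /etc/hosts.deny
HOSTS_ALLOW = """\
# allow the NFS client at 192.168.1.1 to reach the portmapper
portmap: 192.168.1.1
"""
HOSTS_DENY = "portmap: ALL\n"

# Constructed deny-by-default variant: explicit allows per daemon, then refuse everything
ALLOW_LAN = "sshd: 192.168.1.0/24 EXCEPT 192.168.1.13\nportmap mountd: 192.168.1.\n"
DENY_ALL = "ALL: ALL\n"


def parse_rules(text):
    """Parse hosts.allow/hosts.deny syntax into (daemon_list, client_list) pairs.
    '#' comments and blank lines are skipped; a trailing backslash joins lines.
    Only the first two colon-separated fields are used (options such as 'spawn'
    are ignored), and IPv4 only: IPv6 literals contain ':' and are not handled."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            fields = [f.strip() for f in logical.split(":")]
            if len(fields) < 2 or not fields[0] or not fields[1]:
                raise ValueError(f"malformed rule: {logical!r}")
            rules.append((fields[0].split(), fields[1].split()))
        logical = ""
    return rules


def client_matches(pattern, ip):
    """One client pattern against a dotted-quad address. The wildcards LOCAL,
    KNOWN, UNKNOWN and PARANOID need hostname lookups and are not modelled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # '192.168.1.' = address prefix
        return (ip + ".").startswith(pattern)
    if "/" in pattern:                              # 'net/mask' or CIDR 'net/len'
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip                            # exact address


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def list_matches(tokens, item, match_one):
    """Evaluate a list with EXCEPT: 'a b EXCEPT c' matches if a or b matches and c
    does not. EXCEPT nests to the right: 'a EXCEPT b EXCEPT c' = a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], item, match_one) and not list_matches(tokens[i + 1:], item, match_one)
    return any(match_one(t, item) for t in tokens)


def access_decision(allow_text, deny_text, daemon, client_ip):
    """tcpd's evaluation order: first match in hosts.allow grants, otherwise
    first match in hosts.deny refuses, otherwise access is granted."""
    for daemons, clients in parse_rules(allow_text):
        if list_matches(daemons, daemon, daemon_matches) and list_matches(clients, client_ip, client_matches):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if list_matches(daemons, daemon, daemon_matches) and list_matches(clients, client_ip, client_matches):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in (("portmap", "192.168.1.1"), ("portmap", "10.0.0.5"), ("mountd", "10.0.0.5")):
        print(f"slide config: {daemon} from {ip} -> {access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)}")
        print(f"deny-all config: {daemon} from {ip} -> {access_decision(ALLOW_LAN, DENY_ALL, daemon, ip)}")
```

The mountd case is the caveat the slide's two-line configuration hides: hosts.deny only lists portmap, so any other wrapped daemon (for NFS that means mountd, statd and the other RPC services) falls through to the default allow. A deny-all last line (ALL: ALL in hosts.deny) with explicit allows per daemon, as in the ALLOW_LAN/DENY_ALL pair, closes that gap.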
FreeIPA
What is FreeIPA ?
• Acronym: Free Identity, Policy, Audit
• Purpose: Make it simpler to manage a complex problem
• Means: Use standard protocols and components
Why should I care?
• Organizations and companies need to manage their users and
resources
• So far IdM has been the realm of proprietary vendors
• That means the keys of our organizations are in their hands
• We can't have a fully free environment if the Identity space can't be
managed through Free Software
• Security + Freedom
The Identity Management Problem
• Needs:
• Single source for Identities (duplication = confusion)
• Single-Sign-On / Single-Password
• Single data store for auditing/reporting (compliance)
• Single point of Management (comprehensive view)
• Implementation problems:
• Synchronization and/or Integration
• Distribution of data/credentials
• Single points of failure
• Integrated Management Interfaces
FreeIPA Components
Why a Directory ?
• We need a storage mechanism to:
• store identity information
• perform fine grained access control
• organize Identities and allow group relationships
• distribute Information across all clients
• replicate Information on multiple servers
• Yes, but why LDAP ?
• Standard
• Extensible
• Flexible
FreeIPA Components
Why Kerberos ?
• We need an authentication system that:
• provides Single Sign-On authentication
• allows administrators and users alike to carry on their identity while they
access various services
• is a tested standard and is a validated secure solution
• is extensible/extended to use new authentication technologies like Smart
Cards and new encryption algorithms as need arises.
• Is kerberos the only way within FreeIPA?
• Predominant
• LDAP binds as an alternative for some services
FreeIPA Components
FreeIPA (v1) components
Directory structure
The Kerberos/directory integration
Management Interfaces in v.1
Web Interface
Command Line Interface
• More than 20 distinct command line tools
• Examples:
• ipa-adduser[group/service/delegation]
• ipa-deluser[group/service/delegation]
• ipa-finduser[group/service/delegation]
• ipa-moduser[group/service/delegation]
• ipa-passwd
• ipa-pwpolicy
• ipa-defaultoptions
• ipa-change-master-key
• ...
Making it simpler ...
• Example: initial configuration made very simple
• Install packages
• Run ipa-server-install
• Answer a few questions:
• DNS Domain and Realm name (defaults suggested)
• Directory Manager password (required)
• Admin User Password (required)
• Done!
• The installation program configures all necessary components: NTP,
Directory Server, Kerberos, apache, ipa-kpasswd, ipa-gui, client side
bits
Basic IPA v1 network diagram
A little more complex: multiple servers.
Simplified IPA v2 network diagram
Client diagram
Linux Security
Section 1: Security concepts, principles, and guidelines
Security concepts, principles, and guidelines
Security concepts, principles, and guidelines
Is Linux Secure?
Risk Assessment
Linux is only as secure as you make it!
Linux is only as secure as you make it!
What Makes Linux Secure?
Advantages to a Multiuser System
Advantages to a Multiuser System
Linux is Open Source
Centralized Software Management
Security Guidelines
Minimize Software and Services
Run Services on Separate Systems
Encrypt Data Transmissions
Avoid Shared Accounts
Avoid Direct root Logins
Maintain Accounts
Use Multifactor Authentication
The Principle of Least Privilege
Monitor System Activity
Use a Firewall
Encrypt Your Data
Section 2: Physical Security
Physical Security Is Linux Security
Physical Security Guidelines
Systems Under Your Control
Visitors
Systems Not Under Your Control
Data Centers
Cloud
Protecting Linux Against Physical Attacks
Gaining Access to a Linux System
Single User Mode and Blank Root Passwords
Securing the Boot Loader
Disk Encryption
Encryption
OS Needs Unencrypted Access
Disk Encryption for Linux
LUKS
Encrypt During Install
Setting up LUKS on a New Device
Setting up LUKS on a New Device
Converting a Device to LUKS
Converting a Device to LUKS
Disabling Ctrl+Alt+Del
Disabling Ctrl+Alt+Del (Systemd)
Section 3: Account security
What You Will Learn
What You Will Learn
Linux Account Security
PAM
Pluggable Authentication Modules
PAM Configuration files
PAM Module Interfaces
PAM Control Flags
PAM Configuration
Example
Linux Account Types
root, the superuser
Password Security
Use Shadow Passwords
Use Shadow Passwords
Converting Passwords
/etc/shadow format
Display user account expiry info with chage
Change user account expiry info with chage
/etc/login.defs
Password History
Controlling Account Access
Locking and Unlocking accounts
Locking with nologin as the Shell
Locking with nologin as the Shell
Centralized Authentication
Disable Logins
Monitoring Authentication Logs
Monitoring Authentication Logs
Intrusion Prevention with fail2ban
Multifactor Authentication
Multifactor Authentication
Security by Account Type
Account Security - root
Disabling root Logins
Disabling SSH root Logins
System / Application Accounts
User Accounts
Deleting Accounts
Using and Configuring Sudo
sudo vs su
Sudo
Sudo configuration
Sudoers Format
Sudo Authentication
NOPASSWD & PASSWD
Sudo Aliases
Sudo Aliases
Sudo Aliases
Sudo Aliases
Sudo Aliases
Sudo Aliases
Displaying the Sudo Configuration
Running Commands with sudo
Section 4: Network security
What You Will Learn
Network Services
Securing Network Services
Securing Network Services
Securing Network Services
Information Leakage
Web Server Information Leakage
Information Leakage
Displaying Services with systemctl
Stop and Disable Services
List Listening Programs with netstat
Port Scanning
Testing a Specific Port
Xinetd Controlled Services
Securing SSH
Securing SSH
Creating SSH Keys
Add the Public Key to the Remote Host
Force Key Authentication
Controlling Root Logins
Only Allow Certain Users SSH Access
Only Allow Certain Groups SSH Access
Deny Certain Users SSH Access
SSH Port Forwarding
SSH Port Forwarding
Reverse Port Forwarding
Disable TCP Port Forwarding
Use SSHv2 instead of SSHv1
Bind SSH to a Specific Address
Change the Default Port
Add the New Port to SELinux
Disable the Banner
Reload the Configuration
For More Information
Linux Firewall
Netfilter and IPTables
Linux Firewall
Default Tables
Default Tables
Default Chains
Rules
Rules
Targets
iptables / ip6tables
List / View
Chain Policy / Default Target
Appending, Inserting, and Deleting Rules
Flushing rules
Rule Specification Options
Rule Specification Options
Target / Jump
TCP Wrappers
TCP Wrappers
TCP Wrappers
TCP Wrappers
Configuring TCP Wrappers
Access Rules
TCP Wrapper Examples
Deny All
Section 5: File system security
What You Will Learn
Setuid
Octal Permissions
Adding the Setuid Attribute
Removing the Setuid Attribute
Finding Setuid Files
Only the Owner Should Edit Setuid Files
Setgid
Finding Setgid Files
Adding the Setgid Attribute
Removing the Setgid Attribute
Setgid on Directories
Use an Integrity Checker
The Sticky Bit
Adding the Sticky Bit
Removing the Sticky Bit
File Attributes
File Attributes (xattr)
Attribute: i immutable
Attribute: a append
Viewing Attributes
Modifying Attributes
Examples
Access Control Lists
ACLs
ACLs
Types of ACLs
Creating ACLs
User ACLs / Rules
Group ACLs / Rules
Mask ACLs / Rules
Other ACLs / Rules
Creating Multiple ACLs at Once
Default ACLs
Setting ACLs Recursively (-R)
Removing ACLs
Viewing ACLs
Detecting Files with ACLs
Linux Virtualization
What you will learn!
• KVM Virtualization
• libvirt and ovirt for Virtual Machine Management
Section 1: KVM Virtualization
Understanding Linux Virtualization
• Types of virtualization
• Desktop virtualization (Virtual Desktop Infrastructure, VDI)
• Server virtualization
• Application virtualization
• Network virtualization: Software-Defined Networking (SDN)
• Storage virtualization: Software-Defined Storage (SDS)
Type 1 and type 2 hypervisors
[Figure: Type 1 hypervisor design; Type 2 hypervisor design]
Open source virtualization projects
KVM as a Virtualization Solution
Contents
• Virtualization as a concept
• The internal workings of libvirt, QEMU, and KVM
• How all these communicate with each other to provide virtualization
Virtualization as a concept
The internal workings of libvirt, QEMU, and KVM
• Libvirt
• Application Programming Interface (API)
• Management tool for different hypervisors
• virt-manager: a Gnome-based graphical utility that you can use to manage various
aspects of your local and remote hypervisors
• libvirt's CLI utility is called virsh
QEMU
KVM
• There is a common kernel module called kvm.ko and also hardware-based kernel modules
such as kvm-intel.ko (Intel-based systems) and kvm-amd.ko (AMD-based systems).
• KVM is not a full hypervisor; however, with the help of QEMU and emulators
• QEMU makes use of the /dev/kvm device file to talk with KVM and create,
initialize, and manage the kernel-mode context of virtual machines.
Section 2: libvirt and ovirt for Virtual Machine Management
Contents
• Installing KVM Hypervisor, libvirt, and ovirt
• Libvirt Networking
• Libvirt Storage
• Virtual Machines Installation, Configuration, and Life Cycle
Management
• Creating and Modifying VM Disks, Templates, and Snapshots
Installing KVM Hypervisor, libvirt, and ovirt
• QEMU will be used so that we can create and run our virtual
machines on any supported platform – be it as an emulator or
virtualizer.
• The oVirt engine is the centralized service that can be used to
perform anything that we need in a virtualized environment –
manage virtual machines, move them, create images, storage
administration, virtual network administration, and so on.
Installing KVM Hypervisor, libvirt, and ovirt
• Some of the available advanced functionalities of the oVirt engine
include the following:
• Live migration of virtual machines
• Image management
• Export and import of virtual machines (OVF format)
• Virtual-to-virtual conversion (V2V)
• High availability (restart virtual machines from failed hosts on remaining hosts
in the cluster)
• Resource monitoring
In graphical terms, this is what the architecture of oVirt looks like:
Installing KVM Hypervisor, libvirt, and ovirt
Installing KVM Hypervisor, libvirt, and ovirt
• Installing the first virtual machine in KVM
Installing KVM Hypervisor, libvirt, and ovirt
Installing KVM Hypervisor, libvirt, and ovirt

oVirt
Starting a virtual machine using QEMU and
libvirt
Libvirt Networking
• Virtual networking
• Bridge: Layer 2 interface for (virtual machine) networking
• Bond: combines several network interfaces into one logical interface (for load balancing and
failover)
• Team: Different from bonding, teaming doesn't create one logical interface, but can still
do balancing and failover
• MACVLAN: Creates multiple MAC addresses on a single physical interface (creates
sub-interfaces) on Layer 2.
• IPVLAN: Unlike MACVLAN, IPVLAN uses the same MAC address and multiplexes on
Layer 3.
• MACVTAP/IPVTAP: Newer drivers that should simplify virtual networking by
combining TUN, TAP, and bridge as a single module.
• VXLAN: A commonly used cloud overlay network
• VETH: A virtual Ethernet interface that can be used in a variety of ways for local
tunneling.
Libvirt Networking

libvirt networking in NAT mode


Libvirt Networking

libvirt networking in routed mode


Libvirt Networking

libvirt networking in isolated mode


Libvirt Networking

libvirt default network in NAT mode


Implementing Linux bridging

Virtual machines connected to a virtual switch (bridge)
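The following added example (not part of the slides or of libvirt itself) generates the libvirt network XML for the modes pictured above, NAT, routed, isolated and a plain host bridge, and reads a definition back to report which mode it actually uses. It reproduces the stock default network (virbr0, 192.168.122.0/24, NAT); the other names and subnets are constructed. Isolated mode is the one with no <forward> element at all, which is easy to miss when reviewing a definition, hence the classifier.

```python
import ipaddress
import xml.etree.ElementTree as ET


def network_xml(name, mode, bridge, subnet=None, dhcp=True):
    """Build a libvirt <network> definition.

    mode   : "nat", "route", "isolated", or "bridge" (attach guests to an existing host bridge)
    bridge : name of the Linux bridge libvirt creates (or, for "bridge" mode, the existing one)
    subnet : "a.b.c.d/len"; the first host address becomes the host-side IP, the rest the DHCP range
    """
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    if mode in ("nat", "route", "bridge"):
        ET.SubElement(net, "forward", mode=mode)     # no <forward> element at all = isolated
    elif mode != "isolated":
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "bridge":
        ET.SubElement(net, "bridge", name=bridge)    # libvirt does not manage IP/DHCP here
        return ET.tostring(net, encoding="unicode")
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    if subnet:
        network = ipaddress.ip_network(subnet)
        hosts = list(network.hosts())
        ip = ET.SubElement(net, "ip", address=str(hosts[0]), netmask=str(network.netmask))
        if dhcp:
            rng = ET.SubElement(ET.SubElement(ip, "dhcp"), "range")
            rng.set("start", str(hosts[1]))
            rng.set("end", str(hosts[-1]))
    return ET.tostring(net, encoding="unicode")


def classify(xml_text):
    """Read a network definition back and report its forwarding mode.
    A <forward> element without a mode attribute means NAT (libvirt's default)."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("not a <network> document")
    fwd = root.find("forward")
    if fwd is None:
        return "isolated"
    return fwd.get("mode", "nat")


# The stock libvirt default network: NAT behind virbr0 on 192.168.122.0/24
DEFAULT_NETWORK = network_xml("default", "nat", "virbr0", "192.168.122.0/24")

if __name__ == "__main__":
    # constructed names and subnets for the other three modes
    for xml in (DEFAULT_NETWORK,
                network_xml("lab-routed", "route", "virbr1", "10.20.0.0/24"),
                network_xml("lab-isolated", "isolated", "virbr2", "10.30.0.0/24"),
                network_xml("lan", "bridge", "br0")):
        print(classify(xml), xml, sep="\t")
```

Feed the output to `virsh net-define` on a host to create the network; the classifier is what you would run over `virsh net-dumpxml` output when auditing which guest networks can reach the physical LAN (bridge and route expose guests directly, NAT allows outbound connections only, isolated allows neither).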


Understanding and using SR-IOV
• Can partition PCI resources into virtual PCI functions and inject them
into a virtual machine
Libvirt Storage
Contents
• Introduction to storage
• Storage pools
• NFS storage
• iSCSI and SAN storage
• Gluster and Ceph as a storage backend for KVM
Storage pools
• Logical Volume Manager (LVM)-based storage pools
• Directory-based storage pools
• Partition-based storage pools
• GlusterFS-based storage pools
• iSCSI-based storage pools
• Disk-based storage pools
• HBA-based storage pools, which use SCSI devices
Libvirt storage pools
iSCSI and SAN storage
• iSCSI Qualified Name (IQN): This is a unique name that all initiators
and targets have in iSCSI communication.
• IP address: Every initiator will have a different IP address that it uses
to connect to the target
• MAC address: Every initiator has a different MAC address on Layer 2.
• Fully Qualified Domain Name (FQDN): This represents the name of
the server as it's resolved by a DNS service
iSCSI and SAN storage
iSCSI and SAN storage
iSCSI and SAN storage
iSCSI and SAN storage
iSCSI and SAN storage

Edit the /etc/iscsi/initiatorname.iscsi file:
vi /etc/iscsi/initiatorname.iscsi
iSCSI and SAN storage
The end result looks like:
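As an added example (not from the slides), the following Python reads the InitiatorName= line from an initiatorname.iscsi file, validates it against the RFC 3720 iqn. and eui. name formats, generates a fresh name in the shape iscsi-iname produces (a naming authority plus a random suffix), and reports duplicate names across a set of hosts. The sample file content, the com.example authority and the date are constructed.

```python
import re
import secrets

# RFC 3720 "iqn." form: iqn.<yyyy-mm>.<reversed naming authority>[:<unique string>]
IQN_RE = re.compile(
    r"^iqn\.(?P<year>\d{4})-(?P<month>0[1-9]|1[0-2])"
    r"\.(?P<authority>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<unique>.+))?$"
)
# RFC 3720 "eui." form: eui. followed by a 16-hex-digit EUI-64 identifier
EUI_RE = re.compile(r"^eui\.(?P<eui>[0-9a-f]{16})$")
MAX_LEN = 223  # RFC 3720 caps iSCSI names at 223 bytes


def parse_iscsi_name(name):
    """Validate an initiator or target name and split it into its parts.
    Names are case-folded first (RFC 3722 normalizes iSCSI names that way)."""
    name = name.strip().lower()
    if len(name.encode("utf-8")) > MAX_LEN:
        raise ValueError(f"iSCSI name exceeds {MAX_LEN} bytes")
    m = IQN_RE.match(name)
    if m:
        return {"type": "iqn", "date": f"{m['year']}-{m['month']}",
                "authority": m["authority"], "unique": m["unique"]}
    m = EUI_RE.match(name)
    if m:
        return {"type": "eui", "eui": m["eui"]}
    raise ValueError(f"not a valid iSCSI name: {name!r}")


def parse_initiatorname(text):
    """Extract and validate the InitiatorName= setting from initiatorname.iscsi content."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("InitiatorName="):
            return parse_iscsi_name(line.split("=", 1)[1])
    raise ValueError("no InitiatorName= line found")


def generate_iqn(authority="com.example", date="2023-01"):
    """Build a fresh, validated IQN from a naming authority and a random 48-bit suffix.
    The authority and date defaults are constructed for this example."""
    name = f"iqn.{date}.{authority}:{secrets.token_hex(6)}"
    parse_iscsi_name(name)  # fail early if the authority is not a valid reversed domain
    return name


def find_duplicates(names):
    """Names that occur more than once after normalization: every initiator must be unique."""
    seen, dups = set(), set()
    for name in names:
        key = name.strip().lower()
        if key in seen:
            dups.add(key)
        seen.add(key)
    return dups


# Constructed sample of /etc/iscsi/initiatorname.iscsi
SAMPLE_FILE = "# constructed sample\nInitiatorName=iqn.2023-01.com.example:node01\n"

if __name__ == "__main__":
    print(parse_initiatorname(SAMPLE_FILE))
    print(generate_iqn())
```

Duplicate IQNs are the classic failure when a VM template with a populated initiatorname.iscsi is cloned: every clone presents the same initiator name, so target-side access lists keyed on the IQN cannot tell the hosts apart. Regenerating the name on each clone, and checking for collisions as find_duplicates does, keeps per-initiator ACLs on the target meaningful.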
Storage Cluster
• GlusterFS
Storage Cluster
• Ceph
Virtual Machines Installation, Configuration, and Life Cycle Management
Contents
• Creating a new VM using virt-manager, using virt commands
• Creating a new VM using oVirt
• Configuring your VM
• Adding and removing virtual hardware from your VM
• Migrating VMs
Creating a new VM using virt-manager
Using virt commands
Creating a new VM using oVirt
Configuring your VM
Migrating VMs
Offline migration
Migrating VMs
Live or online migration
Linux High Availability Clustering
High Availability Clustering and Its Architecture
Different Kinds of Clustering
• High performance: Different computers work together to host one or
more tasks that require lots of computing resources
• Load balancing: A load balancer serves as a front end and receives
requests from end users. The load balancer distributes the request to
different servers.
• High availability: Different servers work together to make sure that
the downtime of critical resources is reduced to a minimum
High Performance
Load Balancing Cluster
High Availability Cluster
The Components That Build a High Availability Cluster
• Shared storage
• Different networks
• Bonded network devices
• Multipathing
• Fencing/STONITH devices
Configuring Storage
Configuring Storage - SAN
Understanding iSCSI
Active-Active Cluster
Active-Passive Cluster
Example
Openstack Cluster
Example
Galera Cluster
Example
Ceph Cluster
Pacemaker Architecture
Pacemaker Components
Pacemaker Scenarios
Pacemaker Scenarios
Pacemaker Scenarios
