Category: Linux

  • How to Install ffmpeg static build

    A static build of the FFmpeg binaries is available for download from

    https://johnvansickle.com/ffmpeg/

    To install the ffmpeg static build, run

    cd /usr/local/src
    wget https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz
    tar xvf ffmpeg-release-amd64-static.tar.xz
    cd ffmpeg-*-amd64-static/
    cp ffmpeg ffprobe qt-faststart /usr/bin/
    cp -r model /usr/local/share/
    

  • grubby

    grubby is provided by the package grubby on RHEL-based systems. To install grubby, run

    yum install grubby
    

    To list all kernels, run

    grubby --info=ALL
    

    To view the default kernel, run

    grubby --default-kernel
    

    To set a kernel as the default, you need to specify the vmlinuz file, for example

    grubby --set-default  /boot/vmlinuz-3.10.0-962.3.2.lve1.5.73.el7.x86_64
    

    Or specify the index

    grubby --set-default-index 2
    

  • How to list iptables rules

    To view all rules in iptables, run

    iptables -L

    Or

    iptables --list

    To list iptables rules without resolving IP to hostname

    iptables -L -n

    To show the line number

    iptables -L -n --line-number

    To list NAT rules

    iptables -t nat -L -n --line-number
    iptables -t nat -L -n -v

    The iptables-save command lists all iptables rules

    iptables-save

    You can redirect the output of the iptables-save command to a file and restore it later with the iptables-restore command.

  • How to change varnish port in Ubuntu

    To change the varnish port, run the command

    systemctl edit varnish
    

    This opens an editor. In the editor, paste the following

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
    

    This will change the varnish listening port to 80. If you need to change to another port, change “-a :80” to whatever port you want to use. Save and exit the editor.

    Now restart varnish

    systemctl restart varnish
    

  • Mounting partition stored inside Logical Volume

    On a KVM Virtual machine using LVM storage, the LVM disk is partitioned as follows.

    root@mail:~# parted /dev/vg1/iredmail print
    Model: Linux device-mapper (linear) (dm)
    Disk /dev/dm-1: 64.4GB
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    Disk Flags: 
    
    Number  Start   End     Size    File system  Name  Flags
     1      1049kB  2097kB  1049kB                     bios_grub
     2      2097kB  1076MB  1074MB  ext4
     3      1076MB  64.4GB  63.3GB
    
    root@mail:~# 
    

    I want to mount partition number 2 on the host machine.

     2      2097kB  1076MB  1074MB  ext4
    

    To make the partition available to mount, you need to use the kpartx utility. Install kpartx with

    apt install kpartx
    

    To make the partitions inside the Logical volume available to mount, use the command

    kpartx -a LVM_DEVICE_NAME
    

    In this case, I used

    kpartx -a /dev/vg1/iredmail
    

    Now the lvscan command will display the new device

    root@mail:~# lvscan
      ACTIVE            '/dev/vg1/win10' [100.00 GiB] inherit
      ACTIVE            '/dev/vg1/iredmail' [60.00 GiB] inherit
      ACTIVE            '/dev/ubuntu-vg/ubuntu-lv' [29.50 GiB] inherit
    root@mail:~# 
    

    To mount the device, you can use the command

    mount /dev/ubuntu-vg/ubuntu-lv /mnt
    

    IMPORTANT: do not mount the device on the host if it is used in the guest VM, as it will result in data corruption. I mounted the disk on the host machine and created some files, but they did not show up in the guest. After I rebooted the guest VM, it did not boot back; I had to run fsck to get the VM to work again.

  • Configure multiple SSL certificates in nuster

    Nuster is a high performance HTTP proxy cache server. It is based on haproxy.

    To configure multiple SSL certificates in nuster, create the SSL certificates in PEM format.

    Edit nuster.cfg. You will see something like the following.

    global
        nuster cache on dir /cache
        nuster manager on uri /internal/nuster purge-method PURGEX
    frontend fe
        bind *:443 ssl crt /etc/ssl/ssl1.pem alpn h2,http/1.1
        mode http
        default_backend ssl_443
    backend ssl_443
        mode http
        nuster cache off
        nuster rule all disk on ttl 7d
        http-request set-header X-Client-IP %[src]
        server s1 128.1.2.9:443 ssl verify none
    

    SSL is configured in the line

        bind *:443 ssl crt /etc/ssl/ssl1.pem alpn h2,http/1.1
    

    To add another domain SSL certificate, modify the line as follows

        bind *:443 ssl crt /etc/ssl/ssl1.pem crt /etc/ssl/ssl2.pem alpn h2,http/1.1
    

    You can add as many SSL certificates as you need, in the format

    crt /etc/ssl/SSL_FILE_NAME.pem
    

  • How to Remove a logical volume

    To remove a logical volume, you can use the command

    lvremove /dev/vg-name/lv-name
    

    Example

    lvremove /dev/vg1/win10
    

    This will remove logical volume with the name “win10” from volume group “vg1”.

    [root@Alma-85-amd64-base ~]# lvremove  vg1/data1
    Do you really want to remove active logical volume vg1/data1? [y/n]: y
      Logical volume "data1" successfully removed.
    [root@Alma-85-amd64-base ~]# 
    

  • systemd-networkd

    systemd-networkd configuration files are stored in /etc/systemd/network/

    Example

    /etc/systemd/network/05-eth0.network
    

    Here is a sample config

    [Match]
    Name=eth0
    
    [Network]
    DHCP=no
    DNS=172.105.170.5 172.105.161.5 172.105.171.5
    Domains=members.linode.com
    IPv6PrivacyExtensions=false
    
    Gateway=194.195.127.1
    Address=194.195.127.150/24
    

    To restart systemd-networkd

    systemctl restart systemd-networkd
    

  • How to disable a rule in ModSecurity Apache

    To disable a rule in ModSecurity, edit the Apache configuration and add

    SecRuleRemoveById RULE_ID_SEPARATED_BY_SPACE

    This needs to be added after all rules are loaded.

    On Ubuntu, I edited the file

    /etc/apache2/mods-enabled/security2.conf

    Here is what I have on a server, which disables rules 941180 949110 980130

    <IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/*.load
        SecRuleRemoveById 941180 949110 980130
    </IfModule>
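
    In the OWASP CRS, rule 949110 is the inbound blocking-evaluation rule, so removing it globally turns off anomaly-score blocking rather than silencing a single false positive. The following audit function is an added example, not part of the original post: it lists what each SecRuleRemoveById line removes, flags the CRS blocking-evaluation rules 949110 and 959100, and checks that the directive comes after the last Include line. The names audit_rule_removals and BLOCKING_IDS are made up for illustration.

```shell
#!/bin/bash
# Added example: audit SecRuleRemoveById lines in a ModSecurity config file.
# audit_rule_removals and BLOCKING_IDS are illustrative names, not CRS settings.

# CRS blocking-evaluation rules; removing them turns off anomaly-score blocking.
BLOCKING_IDS="949110 959100"

# Prints one finding per line and returns 1 if anything was found.
audit_rule_removals() {
    conf=$1
    findings=0
    # Line of the last Include/IncludeOptional, i.e. where rules get loaded.
    last_include=$(grep -nE '^[[:space:]]*Include(Optional)?[[:space:]]' "$conf" |
        tail -n 1 | cut -d: -f1)
    last_include=${last_include:-0}

    while IFS=: read -r lineno rest; do
        [ -n "$lineno" ] || continue
        # A removal placed before the rules are loaded has nothing to remove.
        if [ "$lineno" -lt "$last_include" ]; then
            echo "line $lineno: SecRuleRemoveById precedes Include on line $last_include"
            findings=1
        fi
        # Strip comments, the directive name and quotes; keep IDs and ranges.
        ids=$(echo "$rest" |
            sed -E 's/#.*//; s/^[[:space:]]*SecRuleRemoveById[[:space:]]+//; s/"//g')
        for item in $ids; do
            lo=${item%-*}; hi=${item#*-}   # "949000-949999" or a single ID
            case "$lo$hi" in ''|*[!0-9]*) continue ;; esac
            for b in $BLOCKING_IDS; do
                if [ "$b" -ge "$lo" ] && [ "$b" -le "$hi" ]; then
                    echo "line $lineno: removes blocking rule $b (via $item)"
                    findings=1
                fi
            done
        done
    done <<EOF
$(grep -nE '^[[:space:]]*SecRuleRemoveById[[:space:]]' "$conf")
EOF
    return "$findings"
}

# Usage: ./audit.sh /etc/apache2/mods-enabled/security2.conf
if [ "$#" -gt 0 ]; then audit_rule_removals "$1"; fi
```

    The check reads one file only; rules pulled in through the Include lines themselves are not followed.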

  • access denied: tty ‘tty1’ is not secure

    On a CentOS 7 server, logging in as user root on the console fails. If I log in as a normal user, then I am able to switch to user root with the command “su - root”.

    On checking /var/log/secure, I found the following error.

    Nov 10 03:44:42 localhost login: pam_securetty(login:auth): access denied: tty 'tty1' is not secure !
    Nov 10 03:44:45 localhost login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
    Nov 10 03:44:47 localhost login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure

    To fix the error, edit the file

    vi /etc/securetty

    In the file, add

    tty1

    On CentOS 7 server, the contents of the file are

    [root@localhost ~]# cat /etc/securetty 
    console
    vc/1
    vc/2
    vc/3
    vc/4
    vc/5
    vc/6
    vc/7
    vc/8
    vc/9
    vc/10
    vc/11
    tty1
    tty2
    tty3
    tty4
    tty5
    tty6
    tty7
    tty8
    tty9
    tty10
    tty11
    ttyS0
    ttysclp0
    sclp_line0
    3270/tty1
    hvc0
    hvc1
    hvc2
    hvc3
    hvc4
    hvc5
    hvc6
    hvc7
    hvsi0
    hvsi1
    hvsi2
    xvc0
    [root@localhost ~]# 

    The permission for the file is 600. If you have the wrong permission, change it with

    chmod 600 /etc/securetty
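
    To confirm that a failed root login really comes from pam_securetty before editing the file, the denials can be pulled from the log and compared with the securetty entries. This is an added example, not part of the original post; the function name securetty_denials is made up, and it expects log lines in the format shown above.

```shell
#!/bin/bash
# Added example: summarise pam_securetty denials and check each tty against
# a securetty file. securetty_denials is an illustrative name.

# Output: one line per tty, "<tty> <denial count> <listed|missing>".
securetty_denials() {
    log=$1
    securetty=$2
    # Pull the tty name out of lines such as:
    #   pam_securetty(login:auth): access denied: tty 'tty1' is not secure !
    sed -n "s/.*pam_securetty(.*access denied: tty '\([^']*\)' is not secure.*/\1/p" "$log" |
        LC_ALL=C sort | uniq -c |
        while read -r count tty; do
            # Exact, whole-line match: "tty1" must not match "tty10".
            if grep -qxF -- "$tty" "$securetty"; then
                state=listed
            else
                state=missing
            fi
            echo "$tty $count $state"
        done
}

# Usage: ./securetty_denials.sh /var/log/secure /etc/securetty
if [ "$#" -eq 2 ]; then securetty_denials "$1" "$2"; fi
```

    A tty reported as "missing" is the case this post fixes; a tty reported as "listed" points to a different cause, such as the file's permissions.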

  • How to install cwebp on CentOS 7

    cwebp is a command line program used to convert images into webp format.

    To install cwebp on CentOS 7, run

    sudo yum -y install libwebp-tools

    WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.

    To see the files in this package, run the command “rpm -q --filesbypkg libwebp-tools”

    [root@ns540127 ~]# rpm -q --filesbypkg libwebp-tools
    libwebp-tools             /usr/bin/cwebp
    libwebp-tools             /usr/bin/dwebp
    libwebp-tools             /usr/bin/gif2webp
    libwebp-tools             /usr/bin/webpmux
    libwebp-tools             /usr/share/man/man1/cwebp.1.gz
    libwebp-tools             /usr/share/man/man1/dwebp.1.gz
    libwebp-tools             /usr/share/man/man1/gif2webp.1.gz
    libwebp-tools             /usr/share/man/man1/webpmux.1.gz
    [root@ns540127 ~]# 

  • How to reset CentOS 7 root password using console

    If you have lost the root password of your CentOS 7 system and have access to the console directly or using KVM, you can reset the password following the instructions below.

    1) Reboot the server. You will see the grub menu.

    CentOS 7 grub menu

    2) Press “e” to edit. You will see the edit screen as shown below.

    centos 7 grub edit

    3) Find the line starting with linux16

    linux16 /boot/vmlinuz-3.10.0-1160.76.1.el7.x86_64 root=UUID=1c419d6c-5064-4a2b-953c-05b2c67edb15 ro no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop crashkernel=auto LANG=en_US.UTF-8
    

    In the line, find

    ro
    

    Delete everything after that and replace with “rd.break”, so the line looks like the following

    linux16 /boot/vmlinuz-3.10.0-1160.76.1.el7.x86_64 root=UUID=1c419d6c-5064-4a2b-953c-05b2c67edb15 ro rd.break
    

    CentOS 7 enable emergency mode

    4) Boot the system to the emergency mode by pressing CTRL + X, you will get a prompt like the following

    CentOS 7 Emergency Mode Command line

    5) Mount /sysroot in read-write mode and chroot to the file system

    mount -o remount,rw /sysroot
    chroot /sysroot
    

    6) Reset the root password with passwd command

    passwd
    

    7) SELinux won’t allow modifying system files like /etc/shadow. To allow the change, create the file

    touch /.autorelabel
    

    8) Now reboot the system by typing the “exit” command two times

    exit
    exit
    

    After rebooting, you will be able to log in to the system with the new root password.
