OMD on CentOS 7 Internal Server Error

Installing OMD on CentOS is a simple process but will result in a mod_python error on later CentOS 7 installations.

Dig around in the OMD Apache logs and there is a good chance you will find the following:

[Sun Aug 14 12:27:27.736000 2016] [:error] [pid 1526] make_obcallback: could not import mod_python.apache.\n
Traceback (most recent call last):
File "/omd/versions/1.30/lib/python/mod_python/apache.py", line 29, in <module>
import cgi
File "/usr/lib64/python2.7/cgi.py", line 50, in
import mimetools
File "/usr/lib64/python2.7/mimetools.py", line 6, in
import tempfile
File "/usr/lib64/python2.7/tempfile.py", line 35, in
from random import Random as _Random
File "/usr/lib64/python2.7/random.py", line 49, in
import hashlib as _hashlib
File "/omd/versions/1.30/lib/python/hashlib.py", line 115, in
f()
TypeError: 'frozenset' object is not callable

It took some searching and translating of German posts but I tracked down the error to the hashlib Python module.  The version that ships with OMD 1.3 does not work with the updated Python in CentOS 7.2+.

The fix is as simple as replacing the hashlib module that ships with OMD with the one that ships with CentOS.

  1. Back up the existing version of hashlib in /opt/omd/versions/1.30/lib/python.
    mkdir ~/omd-backup
    cd /opt/omd/versions/1.30/lib/python
    cp ./hashlib* ~/omd-backup
  2. Copy the hashlib.py module from /usr/lib64/python2.7 to /opt/omd/versions/1.30/lib/python.
    cp /usr/lib64/python2.7/hashlib.py* .

Securing /etc/puppet on CentOS

I’ve recently delved into the world of Puppet to manage some CentOS servers. In the process I noticed something. The /etc/puppet directory is owned by root:root but puppet runs as the user puppet. What does this mean? A couple of things:

  • To edit the manifests or modules I either have to be root or constantly be typing sudo (annoying).
  • For the puppetmaster process, which runs as puppet:puppet to access the files, the manifest and modules must be world readable.  This means a lot of information is visible to the world, encrypted or not.
  • I can’t use my favorite editor to edit files over ssh. (I know, a personal gripe, but valid in my books.)

So I’m trying an experiment that I hope will secure the data a bit more and make editing the files more hassle-free.

  • Recursively changed the group of /etc/puppet to puppet.
  • Put myself in the puppet group.  I can now edit the files without being root.  (See newgrp(1).)
  • I’ll slowly begin to set the Other permission bits to 0, hiding the files and their contents from prying eyes.
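
The three steps above as a script, added here as an example and not the author's own commands. `harden_tree`, `world_accessible` and `demo` are hypothetical helper names, and the demo runs on a constructed temporary tree rather than /etc/puppet.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print every file or directory under $1 that still grants any permission
# bit (read, write or execute) to "other". Symlinks are skipped because
# their own mode bits are not what the kernel checks.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Give the tree to group $2 and close it to everyone outside owner and group.
harden_tree() {
    local dir="$1" group="$2"
    chgrp -R "$group" "$dir"
    # Group may read and edit; X adds search on directories only (and on
    # files that are already executable). "Other" loses everything.
    chmod -R g+rwX,o-rwx "$dir"
    # setgid on directories: files created later inherit the group, so a
    # new manifest does not silently fall back to the editor's own group.
    find "$dir" -type d -exec chmod g+s {} +
}

# Demo on a constructed throwaway tree, using the caller's own group so it
# runs unprivileged. On the real host: harden_tree /etc/puppet puppet (as root).
demo() {
    local tree
    tree=$(mktemp -d)
    mkdir -p "$tree/manifests" "$tree/modules"
    printf 'node default {}\n' > "$tree/manifests/site.pp"
    chmod 755 "$tree" "$tree/manifests" "$tree/modules"
    chmod 644 "$tree/manifests/site.pp"
    echo "before: $(world_accessible "$tree" | wc -l) world-accessible paths"
    harden_tree "$tree" "$(id -gn)"
    echo "after:  $(world_accessible "$tree" | wc -l) world-accessible paths"
    rm -rf "$tree"
}
demo
```

Group write also lets the puppet service account itself modify manifests, so re-run `world_accessible` after module installs or package updates to catch files that reappear with open permissions.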


Test your Docker image builds on multiple Linux distributions

Test your Docker image builds on multiple Linux distributions.

Why? It seems things behave differently on different distros. Here is a situation I just ran into.

I have been working on a new Docker image for an upcoming post. The post uses CentOS and I generally use CentOS on my servers so I naturally built the image on a CentOS host. Once everything was the way I wanted it I committed the changes to GitHub and had Docker Hub pull and build the image. To my surprise the build failed with the error

Could not find 'which' command, make sure it's available first before continuing installation.

I went back to my CentOS host and built the image again.  No errors.  On a hunch, I created an Ubuntu VM to build the image. Bingo! While the image built cleanly on CentOS, under Ubuntu it would fail with the error above.

While the fix was as simple as explicitly installing the which package as part of the build process, it showed me two things.

  1. Don’t assume your images build on all Linux distributions.
  2. Don’t assume Docker behaves the same on all Linux Distributions.

Happy image building!

Puppet-lint Plugins List

Based on the Puppet-lint Plugins list available at the Puppet Community site, I’ve added the gem command line and Gemfile commands for easy installation.

absolute_classname

  • Check relative class name inclusions.
  • gem install puppet-lint-absolute_classname-check

absolute_template

  • Check if paths to the template() function are relative.
  • gem install puppet-lint-absolute_template_path

alias

  • Check for alias parameters in resources.
  • gem install puppet-lint-alias-check
  • gem 'puppet-lint-alias-check', :require => false

appends

  • Check that the appends operator (+=) is not used (removed in Puppet 4.0.0).
  • gem install puppet-lint-appends-check
  • gem 'puppet-lint-appends-check', :require => false

classes_and_types_beginning_with_digits

  • Check for types and class names that begin with digits.
  • gem install puppet-lint-classes_and_types_beginning_with_digits-check
  • gem 'puppet-lint-classes_and_types_beginning_with_digits-check', :require => false

empty_string

  • Check for variables assigned to the empty string.
  • gem install puppet-lint-empty_string-check
  • gem 'puppet-lint-empty_string-check', :require => false

file_ensure

  • Check the ensure attribute on file resources.
  • gem install puppet-lint-file_ensure-check
  • gem 'puppet-lint-file_ensure-check', :require => false

file_source_rights

  • Check file rights when providing a source.
  • gem install puppet-lint-file_source_rights-check
  • gem 'puppet-lint-file_source_rights-check', :require => false

fileserver

  • Check if puppet:/// is used instead of file().
  • gem install puppet-lint-fileserver-check

global_resource

  • Ensure that your manifests have no global resources.
  • gem install puppet-lint-global_resource-check

leading_zero

  • Check for unquoted numbers with leading zero.
  • gem install puppet-lint-leading_zero-check
  • gem 'puppet-lint-leading_zero-check', :require => false

numericvariable

  • Extends puppet-lint to ensure that your variables are not numeric.
  • gem install puppet-lint-numericvariable

package_ensure

  • Check the ensure attribute on package resources.
  • gem install puppet-lint-package_ensure-check
  • gem 'puppet-lint-package_ensure-check'

param_docs

  • Check that all parameters are documented.
  • gem install puppet-lint-param-docs

resource_outside_class

  • Check if resources exist outside of a class or defined type.
  • gem install puppet-lint-resource_outside_class-check

resource_reference_syntax

  • Ensure that the reference syntax follows Puppet 4 style.
  • gem install puppet-lint-resource_reference_syntax
  • gem 'puppet-lint-resource_reference_syntax'

roles_and_profiles

  • Check that a node definition declares only a role, a role class does not have any param and only declares profiles, and a profiles class can declare anything but a role.
  • gem install puppet-lint-roles_and_profiles-check
  • gem 'puppet-lint-roles_and_profiles-check'

security

  • Checks puppet manifests for security related problems.
  • gem install puppet-lint-security-plugins

spaceship_operator_without_tag

  • Check that spaceship operator is called with a tag.
  • gem install puppet-lint-spaceship_operator_without_tag-check
  • gem 'puppet-lint-spaceship_operator_without_tag-check', :require => false

strict_indent

  • Ensure that your manifests follow a strict indentation pattern.
  • gem install puppet-lint-strict_indent-check

trailing_comma

  • Check for missing trailing commas.
  • gem install puppet-lint-trailing_comma-check
  • gem 'puppet-lint-trailing_comma-check', :require => false

trailing_newline

  • Ensure that your manifest files end with newlines.
  • gem install puppet-lint-trailing_newline-check

undef_in_function

  • Check for undef in function calls.
  • gem install puppet-lint-undef_in_function-check

unquoted_string

  • Check that selectors and case statements cases are quoted.
  • gem install puppet-lint-unquoted_string-check
  • gem 'puppet-lint-unquoted_string-check', :require => false

usascii_format

  • Check that manifest files contain only US ASCII.
  • gem install puppet-lint-usascii_format-check

variable_contains_upcase

  • Ensure that your variables are all lower case.
  • gem install puppet-lint-variable_contains_upcase

version_comparison

  • Check for versions compared as numbers.
  • gem install puppet-lint-version_comparison-check
  • gem 'puppet-lint-version_comparison-check', :require => false

vim_modeline

  • Check for vim comment (modeline) as the last line in a manifest.
  • gem install puppet-lint-vim_modeline-check