Linux Enterprise Cryptographic Filesystem : ecryptfs

eCryptfs is a stacked cryptographic filesystem embedded within the Linux kernel. Being a stacked filesystem, it encrypts and decrypts the files on your Linux server transparently as they are written to or read from the hard disk. The greatest advantage of eCryptfs is that all encryption is done at the file level. This means that you don't have to create a fixed-size container to hold your files.

Here are the steps to use ecryptfs:

  1. Install ecryptfs using yum

    [root@fedora01 ~]# yum install ecryptfs-utils
  2. Load the ecryptfs module into the kernel, using modprobe

    [root@fedora01 ~]# modprobe ecryptfs
  3. Now, I have to encrypt all the files that I read and write under /home/secretdata. So, mount /home/secretdata on an encrypted mount point.

    [root@fedora01 ~]# mount -t ecryptfs /home/secretdata/ /encrypted
    Select key type to use for newly created files:
    1) tspi
    2) openssl
    3) passphrase
    Selection: 3
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Attempting to mount with the following options:
      ecryptfs_unlink_sigs
      ecryptfs_key_bytes=16
      ecryptfs_cipher=aes
      ecryptfs_sig=35954df565c12fac
    Mounted eCryptfs

  4. The directory /encrypted is an "encrypted one" now. Whatever you write to this directory is stored encrypted in /home/secretdata. See the demo in the steps below. Here I copied /etc/passwd to the encrypted filesystem. I am able to read the file as long as the encrypted filesystem is mounted.

    [root@fedora01 encrypted]# cp /etc/passwd /encrypted/

    [root@fedora01 encrypted]# head -1 /encrypted/passwd
    root:x:0:0:root:/root:/bin/bash
    [root@fedora01 encrypted]#

    Once the encrypted filesystem is unmounted, the copy in the lower directory cannot be read, as it is stored encrypted (only the file contents are encrypted here; the file name "passwd" is still visible).

    [root@fedora01 ~]# umount /encrypted/

    [root@fedora01 ~]# file /home/secretdata/passwd
    /home/secretdata/passwd: data
    [root@fedora01 ~]#

  5. Cool, huh? Read more at https://launchpad.net/ecryptfs
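The interactive session above can be scripted. The following is an added example, not code from the original post: it mounts the same lower/upper directory pair non-interactively with the cipher and key size chosen above, and additionally turns on file-name encryption (which the demo leaves off, so the lower directory still lists "passwd" by name). The ECRYPTFS_PASS variable, the helper names, and the output format of ecryptfs-add-passphrase (from ecryptfs-utils) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: mount an eCryptfs overlay
# non-interactively with the cipher and key size chosen in the session above,
# and also encrypt file names. Paths, the ECRYPTFS_PASS variable and the
# helper names are assumptions.

# Key-size limits per cipher, as printed by the "Select cipher" prompt above.
ecryptfs_key_range() {
    case "$1" in
        aes|blowfish|twofish|cast6) echo "16 32" ;;
        des3_ede)                   echo "24 24" ;;
        cast5)                      echo "5 16" ;;
        *)                          return 1 ;;
    esac
}

# Build the -o string; refuse combinations the kernel would reject anyway.
ecryptfs_mount_opts() {     # usage: ecryptfs_mount_opts CIPHER BYTES SIG FNEK_SIG
    cipher="$1"; bytes="$2"; sig="$3"; fnek="$4"
    range=$(ecryptfs_key_range "$cipher") || { echo "unknown cipher: $cipher" >&2; return 1; }
    set -- $range
    if [ "$bytes" -lt "$1" ] || [ "$bytes" -gt "$2" ]; then
        echo "$cipher needs $1..$2 key bytes, got $bytes" >&2; return 1
    fi
    echo "ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek,ecryptfs_cipher=$cipher,ecryptfs_key_bytes=$bytes,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache"
}

# True when DIR is currently an eCryptfs mount point (checked in /proc/mounts).
ecryptfs_is_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null
}

# Insert the passphrase into the kernel keyring once; ecryptfs-add-passphrase
# prints one signature for file contents and, with --fnek, one for file names.
ecryptfs_mount_overlay() {  # usage: ecryptfs_mount_overlay LOWER UPPER
    lower="$1"; upper="$2"
    sigs=$(printf '%s' "$ECRYPTFS_PASS" | ecryptfs-add-passphrase --fnek - \
           | sed -n 's/.*sig \[\([0-9a-f]*\)\].*/\1/p')
    set -- $sigs            # $1 = content key signature, $2 = FNEK signature
    opts=$(ecryptfs_mount_opts aes 16 "$1" "$2") || return 1
    mount -t ecryptfs "$lower" "$upper" -o "$opts" && ecryptfs_is_mounted "$upper"
}

if [ "${1:-}" = "--run" ]; then ecryptfs_mount_overlay /home/secretdata /encrypted; fi
```

Run it as root with `ECRYPTFS_PASS` exported and `--run`; the functions alone can be sourced and exercised without mounting anything.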

Dynamically detecting new disks in Linux

When you have new LUNs created on the SAN fabric, zoned and mapped to the server, how can you detect the LUNs on the Linux server online, without rebooting it?

When you dynamically add new disks to a Linux VM running on an ESX server, how do you detect those disks on the Linux virtual machine?

Here are the steps to do that:

  1. Install sg3_utils and lsscsi package.

    [root@fedora01 ~]# yum install -y sg3_utils lsscsi
  2. The "lsscsi" command lists the disks attached to the system. If you have just attached a disk, you will not be able to see it yet. You can also list the disks using "fdisk -l".

    [root@fedora01 ~]# lsscsi
    [0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda
    [root@fedora01 ~]#

    As you can see above, I currently have one disk connected to the system. To scan for a new device I just added, we should run rescan-scsi-bus.sh from the host.
  3. Run the command "/usr/bin/rescan-scsi-bus.sh" to dynamically detect and activate the new disk.

    [root@fedora01 ~]# /usr/bin/rescan-scsi-bus.sh -l
    Host adapter 0 (mptspi) found.
    Scanning SCSI subsystem for new devices
    Scanning host 0 for  SCSI target IDs  0 1 2 3 4 5 6 7, LUNs  0 1 2 3 4 5 6 7
    Scanning for device 0 0 0 0 ...
    OLD: Host: scsi0 Channel: 00 Id: 00 Lun: 00
          Vendor: VMware   Model: Virtual disk   Rev: 1.0
          Type:   Direct-Access                  ANSI SCSI revision: 02
    Scanning for device 0 0 1 0 ...
    NEW: Host: scsi0 Channel: 00 Id: 01 Lun: 00
          Vendor: VMware   Model: Virtual disk   Rev: 1.0
          Type:   Direct-Access                  ANSI SCSI revision: 02
    1 new device(s) found.
    0 device(s) removed.
    [root@fedora01 ~]#

    [root@fedora01 ~]# lsscsi
    [0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda
    [0:0:1:0]    disk    VMware   Virtual disk     1.0   /dev/sdb
    [root@fedora01 ~]#

    You see the new disk is visible. Now you can create a partition or filesystem on it.

After running those commands, check dmesg and /var/log/messages for the device detection messages. You can also run "fdisk -l" or "cat /proc/scsi/scsi" to see the attached LUNs. This works fine in RHEL5, SuSE 10, CentOS5 and OEL5.
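The rescan above tells you that "1 new device(s) found", but not which /dev node to partition. The following is an added example, not code from the original post: it snapshots lsscsi before and after the rescan and prints only the disks that appeared, falling back to the kernel's sysfs scan trigger when rescan-scsi-bus.sh is not installed. The helper names are assumptions; the sample lsscsi lines are constructed to match the session above.

```shell
#!/bin/sh
# Added example, not code from the original post: rescan the SCSI bus and
# report exactly which disks appeared. Helper names are assumptions.

# Device-node column (/dev/sdX) of lsscsi output, one per line.
scsi_disk_nodes() {
    awk '$2 == "disk" && $NF ~ /^\/dev\// { print $NF }'
}

# Nodes present in AFTER but not in BEFORE: the newly detected disks.
new_scsi_disks() {          # usage: new_scsi_disks "$before" "$after"
    known=$(printf '%s\n' "$1" | scsi_disk_nodes)
    printf '%s\n' "$2" | scsi_disk_nodes | while read -r node; do
        printf '%s\n' "$known" | grep -qx "$node" || echo "$node"
    done
}

# Trigger the scan: prefer the sg3_utils script used in the post, otherwise
# write "- - -" (any channel, any target, any LUN) to each host's scan file.
rescan_scsi() {
    if command -v rescan-scsi-bus.sh >/dev/null 2>&1; then
        rescan-scsi-bus.sh -l >/dev/null
    else
        for h in /sys/class/scsi_host/host*/scan; do
            [ -e "$h" ] && echo "- - -" > "$h"
        done
    fi
}

# Snapshot, rescan, diff. Afterwards still check dmesg for the attach lines.
detect_new_disks() {
    before=$(lsscsi); rescan_scsi; after=$(lsscsi)
    new_scsi_disks "$before" "$after"
}

# Constructed lsscsi output mirroring the session above, for a dry run.
BEFORE='[0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda'
AFTER="$BEFORE
[0:0:1:0]    disk    VMware   Virtual disk     1.0   /dev/sdb"

if [ "${1:-}" = "--run" ]; then detect_new_disks; else new_scsi_disks "$BEFORE" "$AFTER"; fi
```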

OCFS2 cluster – quick setup guide

OCFS2 is a POSIX-compliant shared-disk cluster file system for Linux capable of providing both high performance and high availability. Cluster-aware applications can make use of parallel I/O for higher performance. OCFS2 is mostly used to host Oracle Real Application Clusters (RAC) databases on Linux clusters.

The steps below show how to create an OCFS2 filesystem on top of a multipathed SAN LUN and mount it on the Linux cluster nodes.

  1. Identify the nodes that will be part of your cluster.
  2. Export/zone the LUNs on the SAN end and check whether they are accessible on all the hosts of the cluster (fdisk -l or multipath -ll).
  3. If you need multipathing, configure multipath and the multipathing policy based on your requirements. For Linux multipath setup, refer to Red Hat's multipath guide.
  4. Create the OCFS2 configuration file (/etc/ocfs2/cluster.conf) on all the cluster nodes.
  5. The example below is a sample cluster.conf for a 3-node cluster. If you have a heartbeat IP configured on these cluster nodes, use the heartbeat IP for OCFS2 cluster communication and specify the short hostname (without FQDN). Copy the same file to all the hosts in the cluster.

    [root@oracle-cluster-1 ~]# cat /etc/ocfs2/cluster.conf
    node:
            ip_port = 7777
            ip_address = 203.21.2.101
            number = 0
            name = oracle-cluster-1
            cluster = ocfs2

    node:
            ip_port = 7777
            ip_address = 203.21.2.102
            number = 1
            name = oracle-cluster-2
            cluster = ocfs2

    node:
            ip_port = 7777
            ip_address = 203.21.2.103
            number = 2
            name = oracle-cluster-3
            cluster = ocfs2

    cluster:
            node_count = 3
            name = ocfs2

    [root@oracle-cluster-1 ~]#

  6. On each node check the status of OCFS2 cluster service and stop "o2cb" if the service is already running.

    # service o2cb status
    # service o2cb stop
  7. On each node, load the OCFS2 module.

    # service o2cb load
  8. Make the OCFS2 service online on all the nodes.

    # service o2cb online
  9. Now your OCFS2 cluster is ready.
  10. Format the SAN LUN device from any one of the cluster nodes.

    # mkfs.ocfs2 -b 4k -C 32k -L oraclerac /dev/mapper/mpath0

    -b : Block size (values are 512, 1K, 2K and 4K bytes per block)
    -C : Cluster size (values are 4K, 8K, 16K, 32K, 64K, 128K, 256K, 512K and 1M)
    -L : Label

    Note: Replace /dev/mapper/mpath0 with your device name.
  11. Update /etc/fstab on all the nodes in the cluster with the mount point.

    For example: /dev/mapper/mpath0 /u01 ocfs2 _netdev 0 0
  12. Mount the /u01 volume using the mount command.

    # mount /u01
  13. Enable the ocfs2 and o2cb services at runlevel 3 (the command below also enables them for runlevels 4 and 5).

    # chkconfig --level 345 o2cb on ; chkconfig --level 345 ocfs2 on
  14. The /u01 filesystem on the SAN LUN is now set up.
  15. You can now configure Oracle RAC database on this filesystem.
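Because cluster.conf must be identical on every node and its node_count must match the number of node stanzas, it is worth generating and checking it rather than hand-editing it per host. The following is an added example, not code from the original post: it produces the cluster.conf shown in step 5 from a node list (using the post's port 7777, cluster name ocfs2 and sample hostnames/addresses) and validates a cluster.conf before it is copied out. The helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: generate and sanity-check
# /etc/ocfs2/cluster.conf. Helper names are assumptions.

# usage: ocfs2_cluster_conf CLUSTER "name1:ip1 name2:ip2 ..."
# Node numbers are assigned in list order starting at 0, as in the sample.
ocfs2_cluster_conf() {
    cluster="$1"; n=0
    for entry in $2; do
        name=${entry%%:*}; ip=${entry#*:}
        case "$name" in
            *.*) echo "node name must be a short hostname, not an FQDN: $name" >&2; return 1 ;;
        esac
        printf 'node:\n\tip_port = 7777\n\tip_address = %s\n\tnumber = %d\n\tname = %s\n\tcluster = %s\n\n' \
            "$ip" "$n" "$name" "$cluster"
        n=$((n + 1))
    done
    printf 'cluster:\n\tnode_count = %d\n\tname = %s\n' "$n" "$cluster"
}

# Reads a cluster.conf on stdin. Fails when node_count differs from the
# number of node stanzas or a node names a cluster other than the one defined.
ocfs2_check_conf() {
    awk '
        $1 == "node:"                    { sec = "node"; nodes++ }
        $1 == "cluster:"                 { sec = "cluster" }
        $1 == "node_count"               { count = $3 }
        $1 == "name" && sec == "cluster" { cname = $3 }
        $1 == "cluster" && $2 == "="     { refs[$3]++ }
        END {
            if (count != nodes) { print "node_count " count " but " nodes " node stanzas"; exit 1 }
            for (c in refs) if (c != cname) { print "node refers to unknown cluster " c; exit 1 }
            exit 0
        }'
}

# Sample nodes from the post; regenerate with your own list.
NODES="oracle-cluster-1:203.21.2.101 oracle-cluster-2:203.21.2.102 oracle-cluster-3:203.21.2.103"
ocfs2_cluster_conf ocfs2 "$NODES" | ocfs2_check_conf
```

Distribute the generated file with scp or your configuration management tool, and run the check on each node after copying.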
