Good information, always like to see more about selinux.

@scottalanmiller said in XenServer Import Disk Failure:

But unlike ESXi that simply blocks things that they don't want you to do, XS just stops making it easy.

Well, if none of the stuff anyone tried to do works, maybe they SHOULD block it! 🙂

@dafyre said in Open Text to buy Dell-EMC enterprise Content Division:

@stacksofplates said in Open Text to buy Dell-EMC enterprise Content Division:

Right but with our software, they only support the default which is Gnome 3. And at $70K per seat per year for some of it, we don't stray too far away from that.

Okay, yeah. That's understandable. Set up Gnome 3 on one of your Home VMs and see how painful or not it is, lol.

Ha I've got a couple running here and I've tried different ways to get in. We can run apps with X2Go with the published apps list, but just no desktop. It's not a big deal, but some people like having the full desktop to work with.

So I found out that a couple of the other failures I had were due to misspellings in their check scripts. Without going back through everything, I'm assuming that's what's happening here.

Things like this line

user-administration-disabled=true

failing because the check was looking for

user-administratrion-enabled=true

Both a misspelling and the wrong key value.

Thanks!

@stacksofplates said in VM Image Directory nodev:

@JaredBusch said in VM Image Directory nodev:

@stacksofplates said in VM Image Directory nodev:

Hmm. Can't select the correct answer again. Weird.

I was able to do it on one of my own posts in a thread i made. Can you select one of your own as BA? That would narrow down the issue.

Ya I'm able to select my own. This happened the other day also. I could select my own but no one else's. An admin had to select the correct answer.

That means it is an issue with permissions. Either a bug or incorrectly setup permissions on users in the plugin.

@stacksofplates said in Replication cable:

Finally took some time and Gluster is running on both nodes. I get local speed and network replication :).

Nice

@scottalanmiller said in Fairly Hardened Jump Box:

@coliver said in Fairly Hardened Jump Box:

@Dashrender said in Fairly Hardened Jump Box:

@stacksofplates said in Fairly Hardened Jump Box:

Keys are required along with long password and OTP to get into system

And? So you're requiring Keys, a long password and One Time Passwords? Are you trying to protect the nuclear football?

I thought Scott normally stopped at using only keys? or was it keys and passwords.

I know he also recently setup Two Factor Authentication with Google Authenticator.

Keys and passwords are basically the same thing. A key is just a really long password.

But a password locked key is kind of different. Because it's two factor, a password you have AND one that you know. In some form, ALL forms of authentication are passwords. That's all a one time pin is, that's all biometric is, etc.

I guess I should have explained better. The key will be encrypted, but SSH will require the key and the system password also. So if you don't have the key it won't prompt you at all, but with the key then you enter your system password + the OTP.

@stacksofplates said in Quick DNS Question:

I can't believe I didn't do this a while back. No more chroots to run real applications. I also have my home folder on a 128GB USB 3 flash drive that's pretty tiny. It's a pretty nice and cheap setup.

Unless you are an actual end users, I can't imagine wanting to use ChromeOS instead of a "real" OS.

@scottalanmiller said in XenServer Disable Root:

@Jason said in XenServer Disable Root:

@DustinB3403 said in XenServer Disable Root:

Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.

Fail! Not installing software is not a form of access control. You can find probable exe's and ways around just about any of that.

Instead, lock down the XS machine to ensure that only the selected XO host has any kind of access to it.

Gah, where was my head all day long.

@travisdh1 Thanks for the advice.

So as is with most things. I actually did set an address for Bind in named.conf. I just needed to add the ip address to listen on and add the zone for recursion and it's working now. Thanks!

@thwr said in Kickstart with LUKS:

@scottalanmiller said in Kickstart with LUKS:

@thwr said in Kickstart with LUKS:

@thwr said in Kickstart with LUKS:

But if the server walks, the TPM walks with it and the security has been totally bypassed. In fact, IMHO, if you have the key on TPM and it decrypts automatically on start up and you had to state if the system was encrypted or not, at best you could say "sort of." While you might get away with saying that it is encrypted, if asked the other way "is the data wide open", the answer would also be yes because it's not encrypted when someone looks at it.

Ah, sorry, misunderstood your posting in the first place. Well, that's chicken-egg. You can either have it decrypt automatically or not. If going for automatic decryption, we have to make sure the machine can't decrypt e.g. when it gets stolen or sold.

For this, storing the key on the host alone, even with TPM, may not be enough (don't know enough about TPM at this point. Sealing to system state seems quite safe, but...). Thus, we need to bring in another factor. Let's call it "location awareness", e.g. pulling the actual key from the network and TPM stores just something to authenticate against the "key server". Server offsite -> no decryption.

Past boot, it is up to you to secure the server by traditional means. Strong passwords, no or strongly secured RS232 TTY and so on.

Exactly, something externally has to trust that the system is where it is supposed to be physically so that it will release the key. We considered using this but decided that security trumped downtime and kept the system requiring human intervention and just accepted large downtimes in the event of a reboot.

Agree, downtime due to a misconfiguration, some failure on the network or the key server would be an issue. What if we look at some back approach: If some removeable storage with a key is present at boot, LUKS will use this key. Otherwise, it tries to pull it from the key server as described above? Should be pretty solid and a backup is in place (key on USB stick) in case something goes south.

This surely is an approach for environments requiring a very high level of security, but I like the idea.

I've seen places do that, pop in a key and use that, but you have to trust that people will remove it immediately and store it somewhere.

thanks!

@Dashrender said in KVM Backups:

You're right.. I have to keep reminding myself of that. But SMB's don't want to be chasing down dozens of little pieces all over the place to make these pieces work.

It's one thing or a larger company to have a team who's job it is to do just that - Scott's been talking about using Xen for decade plus. I have to assume that Scott the one man who is equal to nearly 10 normal mortals, has managed to collect and put together all of those parts.

The simplicity of XS and XO are what really give Xen any teeth in the SMB market, a la Windows style, everything in one place.

The bad thing about these groupings though, as we found out with the use of VHDs in XS, are the limitations those packages place upon us.

This is exactly correct. They want some hardware on-site (if they can't move to public cloud for some good reason) and they want somebody who owns the hardware also babysit it. Playing LEGO game with hardware and software isn't what most of the people can do EASILY (and one of the proves I'm right is why products like vRanger and AppAss still exist).

Well I figured it out in case anyone cares. The /etc/grub.conf wasn't being copied to the /boot/grub/grub.conf file. Not really sure why, but we have a password on grub so that might possibly be it. I didn't create this kickstart, so I'm not sure what post install junk is happening that might limit this also.

Well it worked for a while. It was running for 15-16 days and it was at 33% finished. Then I logged in again and I got the error. Not sure when it broke in the timeline.