7 Tools to Encrypt/Decrypt and Password Protect Files in Linux

Encryption is the process of encoding files in such a way that only those who are authorized can access them. Mankind has used encryption for ages, even when computers did not exist. During war, people would pass messages that only their tribe or those concerned were able to understand.

Linux distributions provide a few standard encryption/decryption tools that can prove handy at times. In this article we cover 7 such tools with standard examples, which will help you encrypt, decrypt and password protect your files.

If you are interested in knowing how to generate random passwords in Linux, you may like to visit the below link:

Generate/Encrypt/Decrypt Random Passwords in Linux

1. GnuPG

GnuPG stands for GNU Privacy Guard and is often called GPG. It is a collection of cryptographic software written by the GNU Project in the C programming language. The latest stable release is 2.0.27.

In most of today’s Linux distributions the gnupg package comes installed by default; if it is not installed, you may apt or yum it from the repository.

$ sudo apt-get install gnupg
# yum install gnupg

We have a text file (tecmint.txt) located at ~/Desktop/Tecmint/, which will be used in the examples that follow in this article.

Before moving further, check the content of the text file.

$ cat ~/Desktop/Tecmint/tecmint.txt

Check Content of File

Now encrypt the tecmint.txt file using gpg. As soon as you run the gpg command with option -c (encryption only with a symmetric cipher), it will create a file tecmint.txt.gpg. You may list the content of the directory to verify.

$ gpg -c ~/Desktop/Tecmint/tecmint.txt
$ ls -l ~/Desktop/Tecmint

Encrypt File in Linux

Note: Enter the passphrase twice to encrypt the given file. The above encryption was done with the CAST5 encryption algorithm automatically. You may optionally specify a different algorithm.

To see all the encryption algorithms available, run:

$ gpg --version

Check Encryption Algorithm

Now, to decrypt the above encrypted file, you may use the following command. Before we start decrypting, we will first remove the original file, i.e. tecmint.txt, and leave the encrypted file tecmint.txt.gpg untouched.

$ rm ~/Desktop/Tecmint/tecmint.txt
$ gpg ~/Desktop/Tecmint/tecmint.txt.gpg

Decrypt File in Linux

Note: You need to provide the same password you gave at encryption to decrypt when prompted.

2. bcrypt

bcrypt is a key derivation function based on the Blowfish cipher. The Blowfish cipher is no longer recommended, since it was found that the cipher algorithm can be attacked.

If you have not installed bcrypt, you may apt or yum the required package.

$ sudo apt-get install bcrypt
# yum install bcrypt

Encrypt the file using bcrypt.

$ bcrypt ~/Desktop/Tecmint/tecmint.txt

As soon as you run the above command, a new file named tecmint.txt.bfe is created and the original file tecmint.txt gets replaced.

Decrypt the file using bcrypt.

$ bcrypt tecmint.txt.bfe

Note: bcrypt does not have a secure form of encryption and hence its support has been disabled at least on Debian Jessie.

3. ccrypt

Designed as a replacement for UNIX crypt, ccrypt is a utility for file and stream encryption and decryption. It uses the Rijndael cipher.

If you have not installed ccrypt you may apt or yum it.

$ sudo apt-get install ccrypt
# yum install ccrypt

Encrypt a file using ccrypt. It uses ccencrypt to encrypt and ccdecrypt to decrypt. It is important to notice that at encryption, the original file (tecmint.txt) is replaced by (tecmint.txt.cpt) and at decryption the encrypted file (tecmint.txt.cpt) is replaced by original file (tecmint.txt). You may like to use ls command to check this.

Encrypt a file.

$ ccencrypt ~/Desktop/Tecmint/tecmint.txt

ccencrypt File in Linux

Decrypt a file.

$ ccdecrypt ~/Desktop/Tecmint/tecmint.txt.cpt

Provide the same password you gave during encryption to decrypt.

ccdecrypt File in Linux

4. Zip

Zip is one of the most famous archive formats, so famous that archive files are generally called zip files in day-to-day communication. It uses the pkzip stream cipher algorithm.

If you have not installed zip you may like to apt or yum it.

$ sudo apt-get install zip
# yum install zip

Create an encrypted zip file (several files grouped together) using zip.

$ zip --password mypassword tecmint.zip tecmint.txt tecmint1.txt tecmint2.txt

Create Encrypt Zip File

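Here mypassword is the password used to encrypt it. An archive is created with the name tecmint.zip containing the zipped files tecmint.txt, tecmint1.txt and tecmint2.txt. Note that a password given with --password on the command line ends up in the shell history and is visible to other users in the process list; use zip -e instead to be prompted for it.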

Decrypt the password protected zipped file using unzip.

$ unzip tecmint.zip

Decrypt Zip File

You need to provide the same password you provided at encryption.

5. Openssl

Openssl is a command line cryptographic toolkit which can be used to encrypt messages as well as files.

You may like to install openssl, if it is not already installed.

$ sudo apt-get install openssl
# yum install openssl

Encrypt a file using openssl encryption.

$ openssl enc -aes-256-cbc -in ~/Desktop/Tecmint/tecmint.txt -out ~/Desktop/Tecmint/tecmint.dat

Encrypt File Using Openssl

Explanation of each option used in the above command.

  1. enc : encryption
  2. -aes-256-cbc : the algorithm to be used.
  3. -in : full path of file to be encrypted.
  4. -out : full path where the encrypted output will be written.

Decrypt a file using openssl.

$ openssl enc -aes-256-cbc -d -in ~/Desktop/Tecmint/tecmint.dat > ~/Desktop/Tecmint/tecmint1.txt

Decrypt File Using Openssl

6. 7-zip

7-zip is a very famous open source archiver, written in C++, that can compress and uncompress most of the known archive file formats.

If you have not installed 7-zip you may like to apt or yum it.

$ sudo apt-get install p7zip-full
# yum install p7zip-full

Compress files into zip using 7-zip and encrypt it.

$ 7za a -tzip -p -mem=AES256 tecmint.zip tecmint.txt tecmint1.txt

Compress File Using 7-Zip

Decompress encrypted zip file using 7-zip.

$ 7za e tecmint.zip

Decrypt File Using 7-Zip

Note: Provide the same password for both encryption and decryption when prompted.

All the tools we have used till now are command based. There is a GUI based encryption tool provided by nautilus, which will help you to encrypt/decrypt files using Graphical interface.

7. Nautilus Encryption Utility

Steps to encrypt files in GUI using Nautilus encryption utility.

Encryption of file in GUI

1. Right click the file you want to encrypt.

2. Select format to zip and provide location to save. Provide password to encrypt as well.

Encrypt File Using Nautilus

3. Notice the message – encrypted zip created successfully.

Encrypted Zip File Confirmation

Decryption of file in GUI

1. Try opening the zip in the GUI. Notice the LOCK-ICON next to the file. It will prompt for the password; enter it.

Decryption of File

2. When successful, it will open the file for you.

Decryption Confirmation

The Mega Guide To Harden and Secure CentOS 7

This tutorial only covers general security tips for CentOS 7 which can be used to harden the system. The checklist tips are intended to be used mostly on various types of bare-metal servers or on machines (physical or virtual) that provide network services.

Security and Hardening of CentOS 7

However, some of the tips can also be applied successfully on general-purpose machines, such as desktops, laptops and card-sized single-board computers (Raspberry Pi).

Requirements

  1. CentOS 7 Minimal Installation

1. Physical Protection

Lock down access to your server rooms, use locking racks and video surveillance. Take into consideration that any physical access to server rooms can expose your machine to serious security issues.

BIOS passwords can be changed by resetting jumpers on the motherboard or by disconnecting the CMOS battery. Also, an intruder can steal the hard disks or directly attach new hard disks to the motherboard interfaces (SATA, SCSI etc), boot up with a Linux live distro and clone or copy data without leaving any software trace.

2. Reduce Spying Impact

For highly sensitive data you should probably use advanced physical protection, such as placing and locking the server in a Faraday cage or using a military TEMPEST solution, in order to minimize the impact of spying on the system via radio or electrical leaking emanations.

3. Secure BIOS/UEFI

Start hardening your machine by securing the BIOS/UEFI settings: set a BIOS/UEFI password and disable boot media devices (CD, DVD, USB support) in order to prevent unauthorized users from modifying the system BIOS settings or altering the boot device priority and booting the machine from an alternate medium.

In order to apply this type of changes to your machine you need to consult the motherboard manufacturer manual for specific instructions.

4. Secure Boot Loader

Set a GRUB password in order to prevent malicious users from tampering with the kernel boot sequence or runlevels, editing kernel parameters or starting the system in single-user mode in order to harm your system and reset the root password to gain privileged control.

5. Use Separate Disk Partitions

When installing CentOS on systems intended as production servers use dedicated partitions or dedicated hard disks for the following parts of the system:

/(root) 
/boot  
/home  
/tmp 
/var 

6. Use LVM and RAID for Redundancy and File System Growth

The /var partition is where log messages are written to disk. This part of the system can grow exponentially in size on heavy-traffic servers that expose network services, such as web servers or file servers.

Thus, use a large partition for /var or consider setting up this partition using logical volumes (LVM), or combine several physical disks into one larger virtual RAID 0 device to sustain large amounts of data. For data redundancy, consider using an LVM layout on top of RAID 1.

For setting up LVM or RAID on the disks, follow our useful guides:

  1. Setup Disk Storage with LVM in Linux
  2. Create LVM Disks Using vgcreate, lvcreate and lvextend
  3. Combine Several Disks into One Large Virtual Storage
  4. Create RAID 1 Using Two Disks in Linux

7. Modify fstab Options to Secure Data Partitions

Separate the partitions intended for storing data and prevent the execution of programs, device files or the setuid bit on these types of partitions by adding the following options to the fstab file, as illustrated in the excerpt below:

/dev/sda5 	 /nas          ext4    defaults,nosuid,nodev,noexec 1 2

To prevent privilege escalation and arbitrary script execution, create a separate partition for /tmp and mount it as nosuid, nodev and noexec.

/dev/sda6  	/tmp         ext4    defaults,nosuid,nodev,noexec 0 0
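A quick way to check these options on an existing system, as an added example that is not part of the original article: the script parses an fstab file and reports which of nosuid, nodev and noexec are missing per mount point. The sample fstab, the /var/tmp check and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit fstab entries for the nosuid, nodev and noexec options.
REQUIRED_OPTS="nosuid nodev noexec"

# write_sample_fstab PATH: constructed sample data, not taken from a real host.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# <device>   <mount point>  <type>  <options>                     <dump> <pass>
/dev/sda1    /              ext4    defaults                      1 1
/dev/sda5    /nas           ext4    defaults,nosuid,nodev,noexec  1 2
/dev/sda6    /tmp           ext4    defaults,nosuid               0 0
EOF
}

# audit_fstab FSTAB MOUNTPOINT...: print one verdict line per mount point.
audit_fstab() {
    fstab=$1
    shift
    for mp in "$@"; do
        awk -v mp="$mp" -v req="$REQUIRED_OPTS" '
            /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
            $2 == mp {
                seen = 1
                split("", have)                 # reset for repeated entries
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) have[opts[i]] = 1
                m = split(req, want, " ")
                missing = ""
                for (i = 1; i <= m; i++)
                    if (!(want[i] in have))
                        missing = missing (missing == "" ? "" : ",") want[i]
                print mp ": " (missing == "" ? "ok" : "missing " missing)
            }
            END { if (!seen) print mp ": no separate fstab entry" }
        ' "$fstab"
    done
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_fstab "$sample"
audit_fstab "$sample" /nas /tmp /var/tmp
rm -f "$sample"
```

On a real host, point it at the live file: `audit_fstab /etc/fstab /tmp /nas`.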

8. Encrypt the Hard Disks at block level with LUKS

To protect sensitive data from snooping in case of physical access to the machine’s hard drives, I suggest you learn how to encrypt disks by reading our article Linux Hard Disk Data Encryption with LUKS.

9. Use PGP and Public-Key Cryptography

In order to encrypt disks, use PGP and Public-Key Cryptography or the openssl command to encrypt and decrypt sensitive files with a password, as shown in the article Configure Encrypted Linux System Storage.

10. Install Only the Minimum Amount of Packages Required

Avoid installing unimportant or unnecessary programs, applications or services to avoid package vulnerabilities. This can decrease the risk that the compromise of a piece of software may lead to compromise other applications, parts of the system or even file systems, finally resulting in data corruption or data loss.

11. Update the system frequently

Update the system regularly. Keep Linux kernel in sync with the latest security patches and all the installed software up-to-date with the latest versions by issuing the below command:

# yum update

12. Disable Ctrl+Alt+Del

In order to prevent users from rebooting the server once they have physical access to the keyboard, or via a remote console application or a virtualized console (KVM, virtualization software interface), you should disable the Ctrl+Alt+Del key sequence by executing the below command.

# systemctl mask ctrl-alt-del.target 

13. Remove Unnecessary Software Packages

Install only the minimal software required for your machine. Never install extra programs or services. Install packages only from trusted or official repositories. Use a minimal installation of the system in case the machine is destined to run its entire life as a server.

Verify installed packages using one of the following commands:

# rpm -qa

Make a local list of all installed packages.

# yum list installed >> installed.txt

Consult the list for useless software and delete a package by issuing the below command:

# yum remove package_name

Read Also: Disable and Remove Unwanted Packages on Minimal Installation of CentOS 7.

14. Restart systemd services after daemon updates

Use the below command example to restart a systemd service in order to apply new updates.

# systemctl restart httpd.service

15. Remove Unneeded Services

Identify the services that are listening on specific ports using the following command.

# ss -tulpn

To list all installed services with their output status issue the below command:

# systemctl list-units -t service

For instance, CentOS 7 default minimal installation comes with Postfix daemon installed by default which runs by the name of master under port 25. Remove Postfix network service in case your machine will not be used as a mail server.

# yum remove postfix

Read Also: Stop and Disable Unwanted Services in CentOS 7.

16. Encrypt Transmitted Data

Do not use insecure protocols for remote access or file transfer, such as Telnet, FTP or other plain-text high-level protocols such as SMTP, HTTP, NFS or SMB, which, by default, do not encrypt the authentication sessions or the data sent.

Use only sftp, scp for file transfers and SSH or VNC over SSH tunnels for remote console connections or GUI access.

In order to tunnel a VNC console via SSH use the below example which forwards the VNC port 5901 from the remote machine to your local machine:

# ssh -L 5902:localhost:5901 remote_machine

On the local machine run the below command in order to connect virtually to the remote endpoint.

# vncviewer localhost:5902

17. Network Port Scanning

Conduct external port checks using the nmap tool from a remote system over the LAN. This type of scanning can be used to verify network vulnerabilities or test the firewall rules.

# nmap -sT -O 192.168.1.10

Read Also: Learn How to Use Nmap with these 29 Examples.

18. Packet-filtering Firewall

Use firewalld utility to protect the system ports, open or close specific services ports, especially well-known ports (<1024).

Install, start, enable and list the firewall rules by issuing the below commands:

# yum install firewalld
# systemctl start firewalld.service
# systemctl enable firewalld.service
# firewall-cmd --list-all

19. Inspect Protocol Packets with tcpdump

Use tcpdump utility in order to sniff network packets locally and inspect their content for suspicious traffic (source-destination ports, tcp/ip protocols, layer two traffic, unusual ARP requests).

For a better analysis of the tcpdump captured file use a more advanced program such as Wireshark.

# tcpdump -i eno16777736 -w tcpdump.pcap

Read Also: 12 tcpdump Command Examples and Analyze Network Using Wireshark Tool.

20. Prevent DNS Attacks

Inspect the contents of your resolver configuration, typically the /etc/resolv.conf file, which defines the IP addresses of the DNS servers it should use to query for domain names, in order to avoid man-in-the-middle attacks, unnecessary traffic to root DNS servers, spoofing or DoS attacks.

This is just the first part. On the next part we’ll discuss other security tips for CentOS 7.

Continuing the previous tutorial on how to secure CentOS 7, in this article we’ll discuss other security tips that will be presented on the below checklist.

Hardening and Securing of CentOS 7 Server

Requirements

  1. The Mega Guide To Harden and Secure CentOS 7 – Part 1

21. Disable Useless SUID and SGID Commands

If the setuid and setgid bits are set on binary programs, these commands can run tasks with other user or group rights, such as root privileges, which can expose serious security issues.

Often, buffer overrun attacks can exploit such executable binaries to run unauthorized code with the rights of a root power user.

# find /  -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

To unset the setuid bit execute the below command:

# chmod u-s /path/to/binary_file

To unset the setgid bit run the below command:

# chmod g-s /path/to/binary_file

22. Check for Unowned Files and Directories

Files or directories not owned by a valid account must be deleted or assigned with permissions from a user and group.

Issue the below command to list files or directories with no user and group.

# find / \( -nouser -o -nogroup \) -exec ls -l {} \;

23. List World-Writeable Files

Keeping world-writable files on the system can be dangerous because anyone can modify them. Execute the below command in order to display world-writable files, except symlinks, which are always world-writable.

# find / -path /proc -prune -o -perm -2 ! -type l -ls
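The find commands from sections 21 and 23 become more useful when their output is compared against a known-good baseline. The script below is an added example, not part of the original article: it records setuid/setgid files, reports any that appear later, and lists world-writable entries; the sample tree, file names and function names are constructed, and the use of -xdev and the exclusion of sticky directories are additions.

```sh
#!/bin/sh
# Added example: baseline check for setuid/setgid files plus a world-writable scan.

# list_privileged ROOT: regular files under ROOT with the setuid or setgid bit.
# -xdev keeps find on one filesystem, so /proc is skipped without -prune.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# new_privileged ROOT BASELINE: privileged files that are not listed in BASELINE.
new_privileged() {
    current=$(mktemp) || return 1
    list_privileged "$1" > "$current"
    LC_ALL=C sort "$2" | LC_ALL=C comm -13 - "$current"
    rm -f "$current"
}

# list_world_writable ROOT: world-writable entries, ignoring symlinks and
# sticky directories such as /tmp (the sticky exclusion is an addition here).
list_world_writable() {
    find "$1" -xdev -perm -2 ! -type l ! \( -type d -perm -1000 \) -print | LC_ALL=C sort
}

# make_sample_tree ROOT: constructed test data; runs in a subshell so the
# umask change does not leak into the caller.
make_sample_tree() (
    umask 022
    mkdir -p "$1/bin" "$1/share" "$1/spool"
    : > "$1/bin/approved-tool" && chmod 4755 "$1/bin/approved-tool"
    : > "$1/bin/plain"         && chmod 0755 "$1/bin/plain"
    : > "$1/share/notes.txt"   && chmod 0666 "$1/share/notes.txt"
    chmod 1777 "$1/spool"
)

demo() {
    tree=$(mktemp -d) || return 1
    make_sample_tree "$tree"
    list_privileged "$tree" > "$tree.baseline"          # known-good state
    : > "$tree/bin/new-helper" && chmod 4755 "$tree/bin/new-helper"  # simulated drift
    echo "New setuid/setgid files since baseline:"
    new_privileged "$tree" "$tree.baseline"
    echo "World-writable files and non-sticky directories:"
    list_world_writable "$tree"
    rm -rf "$tree" "$tree.baseline"
}
demo
```

On a real system, store the baseline somewhere read-only (or off-host) and run `new_privileged / /path/to/baseline` from cron as root.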

24. Create Strong Passwords

Create a password of minimum of eight characters. The password must contain digits, special characters and uppercase letters. Use pwmake to generate a password of 128 bits from /dev/urandom file.

# pwmake 128

25. Apply Strong Password Policy

Force the system to use strong passwords by adding the below line in /etc/pam.d/passwd file.

password required pam_pwquality.so retry=3

With the above line added, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, or more than 3 identical consecutive characters, such as 1111.

To force users to use a password with a minimum length of 8 characters, including all classes of characters, strength-check for character sequences and consecutive characters add the following lines to the /etc/security/pwquality.conf file.

minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3

26. Use Password Aging

The chage command can be used for user password aging. To set a user’s password to expire in 45 days, use the following command:

# chage -M 45 username

To disable password expiration time use the command:

# chage -M -1 username

Force immediate password expiration (user must change password on next login) by running the following command:

# chage -d 0 username

27. Lock Accounts

User accounts can be locked by executing the passwd or usermod command:

# passwd -l username
# usermod -L username

To unlock accounts use the -u option for passwd command and -U option for usermod.

28. Prevent Accounts Shell Access

To prevent a system account (ordinary account or service account) from gaining access to a bash shell, change the account’s shell to /usr/sbin/nologin or /bin/false in the /etc/passwd file by issuing the command below:

# usermod -s /bin/false username

To change the shell when creating a new user issue the following command:

# useradd -s /usr/sbin/nologin username

Read Also: Learn 15 Examples of “useradd” Command in Linux

29. Lock Virtual User Console with vlock

vlock is a program used for locking one or multiple sessions on the Linux console. Install the program and start locking your terminal session by running the below commands:

# yum install vlock
# vlock

30. Use a Centralized System to Manage Accounts and Authentication

Using a centralized authentication system can greatly simplify account management and control. Services that can offer this type of account management are: IPA Server, LDAP, Kerberos, Microsoft Active Directory, Nis, Samba ADS or Winbind.

Some of these services are by default highly secured with cryptographic protocols and symmetric-key cryptography, such as Kerberos.

Read Also: Setup NFS Server with Kerberos-based User Authentication in Linux

31. Force Read-Only Mounting of USB Media

Using blockdev utility you can force all removable media to be mounted as read-only. For instance, create a new udev configuration file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content:

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"

Then, apply the rule with the below command:

# udevadm control --reload

32. Disabling Root Access via TTY

To prevent the root account from logging in to the system via any console device (tty), erase the contents of the securetty file by typing the following commands at the terminal prompt as root.

# cp /etc/securetty /etc/securetty.bak
# cat /dev/null > /etc/securetty

Remember that this rule does not apply to SSH login sessions.

To prevent root login via SSH, edit the file /etc/ssh/sshd_config and add the below line:

PermitRootLogin no

Read Also: Enable or Disable SSH Root Login and Limit SSH Access
Read Also: 5 Best Practices to Secure and Protect SSH Server

33. Use POSIX ACLs to Expand System Permissions

Access Control Lists can define access rights for more than just a single user or group and can specify rights for programs, processes, files, and directories. If you set ACL on a directory, its descendants will inherit the same rights automatically.

For example,

# setfacl -m u:user:rw file
# getfacl file

Read Also: Setup ACL and Disk Quotas for Users/Groups in Linux

34. Setup SELinux in Enforce Mode

The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, allowing users to define a security policy that provides granular permissions for all users, programs, processes, files, and devices.

The kernel’s access control decisions are based on all the security relevant context and not on the authenticated user identity.

To get the SELinux status and enforce the policy, run the below commands:

# getenforce
# setenforce 1
# sestatus

Read Also: Setup Mandatory Access Control Policy with SELinux

35. Install SELinux Additional Utilities

Install the policycoreutils-python package, which provides additional Python utilities for operating SELinux: audit2allow, audit2why, chcat, and semanage.

To display all boolean values together with a short description, use the following command:

# semanage boolean -l

For instance, to display and set the value of httpd_enable_ftp_server, run the below command:

# getsebool httpd_enable_ftp_server

To make the value of a boolean persist across reboots, specify the -P option to setsebool, as illustrated on the following example:

# setsebool -P httpd_enable_ftp_server on

36. Use Centralized Log Server

Configure rsyslog daemon to send sensitive utilities log messages to a centralized log server. Also, monitor log files with the help of logwatch utility.

Sending log messages to a remote server assures that once the system has been compromised, the malicious users cannot completely hide their activity, always leaving traces on remote log files.

Read Also: 4 Best Linux Log Monitoring and Management Tools

37. Enable Process Accounting

Enable process accounting by installing psacct utility.

Read Also: Monitor Linux User Activity with psacct or acct Tools

Use the lastcomm command to display information about previously executed commands as recorded in the system accounting file, and sa to summarize information about previously executed commands as recorded in the system accounting file.

38. Hardening /etc/sysctl.conf

Use the following kernel parameters rules to protect the system:

Disabling Source Routing

net.ipv4.conf.all.accept_source_route=0

Disable IPv4 forwarding

net.ipv4.conf.all.forwarding=0

Disable IPv6

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable the acceptance and sending of ICMP redirected packets unless specifically required.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0

Disable Reverse Path Forwarding

net.ipv4.conf.all.rp_filter=2

Ignore all ICMP echo requests (set to 1 to enable)

net.ipv4.icmp_echo_ignore_all = 0
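To confirm that a host actually carries these settings, the script below compares a sysctl configuration file against the values listed in this section and reports missing or drifted keys. It is an added example, not part of the original article; the sample configuration and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a sysctl configuration against the values listed above.
EXPECTED='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=2
net.ipv4.icmp_echo_ignore_all=0'

# write_sample_conf PATH: constructed sample, not a real host configuration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding = 1
; semicolon comments are valid too
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_all = 0
EOF
}

# audit_sysctl FILE: print OK / DRIFT / MISSING for every expected key.
audit_sysctl() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    printf '%s\n' "$EXPECTED" | awk -F= -v conf="$conf" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN {
            # Load the file first; a later assignment of a key replaces an earlier one.
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*$/ || line ~ /^[ \t]*[#;]/) continue
                pos = index(line, "=")
                if (pos == 0) continue
                found[trim(substr(line, 1, pos - 1))] = trim(substr(line, pos + 1))
            }
        }
        !($1 in found)  { printf "MISSING %s (want %s)\n", $1, $2; next }
        found[$1] != $2 { printf "DRIFT   %s = %s (want %s)\n", $1, found[$1], $2; next }
                        { printf "OK      %s = %s\n", $1, $2 }
    '
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
audit_sysctl "$sample"
rm -f "$sample"
```

Because `sysctl -a` prints the same `key = value` format, its saved output can be passed to `audit_sysctl` to check the running kernel rather than the file on disk.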

Read Also: Set Kernel Runtime Parameters in a Persistent and Non-Persistent Way

39. Use VPN Services to Access your Premises over Unprotected Public Networks

Always use VPN services for carriers to remotely access LAN premises over the Internet. This type of service can be configured using a free open source solution, such as OpenVPN, or using a proprietary solution, such as Cisco VPN (install the vpnc command-line utility provided by the Epel repositories).

Read Also: Install OpenVPN Server with Windows Clients in CentOS 7

40. Perform External System Scan

Evaluate your system security for vulnerabilities by scanning the system from remote points over your LAN using specific tools such as:

  1. Nmap – network scanner (see 29 Examples of Nmap Command)
  2. Nessus – security scanner
  3. OpenVAS – used to scan for vulnerabilities and for comprehensive vulnerability management.
  4. Nikto – an excellent common gateway interface (CGI) script scanner (see Scan Web Vulnerability in Linux)

41. Protect System Internally

Use internal system protection against viruses, rootkits, malware and, as a good practice, install intrusion detection systems that can detect unauthorized activity (DDOS attacks, port scans), such as:

  1. AIDE – Advanced Intrusion Detection Environment – http://aide.sourceforge.net/
  2. ClamAV – Antivirus Scanner https://www.clamav.net
  3. Rkhunter – Rootkit Scanner
  4. Lynis – Security Auditing and Scanning Tool for Linux
  5. Tripwire – Security and Data Integrity http://www.tripwire.com/
  6. Fail2Ban – Intrusion Network Prevention
  7. OSSEC – (HIDS) Host-based Intrusion Detection System http://ossec.github.io/
  8. Mod_Security – Protect Brute Force or DDoS Attacks

Append date and time format to store commands execution by issuing the below command:

# echo 'HISTTIMEFORMAT="%d/%m/%y  %T  "' >> .bashrc

Force HISTFILE to be written instantly every time a command is typed (instead of at logout):

# echo 'PROMPT_COMMAND="history -a"' >> .bashrc

Limit the login session timeout. The shell is automatically torn down when no activity is performed during the idle time period. This is very useful to automatically disconnect SSH sessions.

# echo 'TMOUT=120' >> .bashrc

Apply all the rules by executing:

# source .bashrc

Read Also: Set User Environment Variables in Linux

43. Backup Data

Use backup utilities, such as tar, cat, rsync, scp, LVM snapshots, etc., in order to store a copy of your system, preferably offsite, in case of a system failure.

If the system gets compromised you can perform data restore from previous backups.

Finally, don’t forget that no matter how many security measures and countermeasures you take in order to keep your system safe, you will never be 100% secure as long as your machine is plugged in and powered on.

25 Useful Apache ‘.htaccess’ Tricks to Secure and Customize Websites

Websites are an important part of our lives. They serve as a means to expand businesses, share knowledge and much more. Earlier restricted to static content, websites can now be made highly dynamic thanks to client-side and server-side scripting languages and the continued advancement of existing static languages such as HTML to HTML5, and what is left is expected to follow in the near future.

With websites comes the need for a unit that can display them to a huge audience all over the globe. This need is fulfilled by servers that provide the means to host a website. This includes a list of servers like Apache HTTP Server, Joomla, and WordPress that allow one to host their websites.

Apache htaccess Tricks

25 htaccess Tricks

Anyone who wants to host a website can create a local server of their own or can contact any of the above mentioned or any other server administrator to host the website. But the actual issue starts from this point. The performance of a website depends mainly on the following factors:

  1. Bandwidth consumed by the website.
  2. How secure is the website against hackers.
  3. Optimization when it comes to data search through the database.
  4. User-friendliness when it comes to displaying navigation menus and providing more UI features.

Alongside this, various factors that govern success of servers in hosting websites are:

  1. Amount of data compression achieved for a particular website.
  2. Ability to simultaneously serve multiple clients asking for a same or different website.
  3. Securing the confidential data entered on the websites like: emails, credit card details and so on.
  4. Allowing more and more options to enhance dynamicity to a website.

This article deals with one such feature provided by the servers that help enhance performance of websites along with securing them from bad bots, hotlinks etc. i.e. ‘.htaccess‘ file.

What is .htaccess?

.htaccess (or hypertext access) files give website owners options to control the server environment variables and other parameters to enhance the functionality of their websites. These files can reside in any and every directory in the directory tree of the website and provide features to the directory and the files and folders inside it.

What are these features? They are server directives, i.e. lines that instruct the server to perform a specific task, and these directives apply only to the files and folders inside the folder in which the file is placed. These files are hidden by default, as all operating systems and web servers are configured to ignore them by default, but making hidden files visible lets you see this very special file. What type of parameters can be controlled is the topic of the subsequent sections.

Note: If .htaccess file is placed in /apache/home/www/Gunjit/ directory then it will provide directives for all the files and folders in that directory, but if this directory contains another folder namely: /Gunjit/images/ which again has another .htaccess file then the directives in this folder will override those provided by the master .htaccess file (or file in the folder up in hierarchy).

Apache Server and .htaccess files

Apache HTTP Server, colloquially called Apache, was named after the Native American Apache tribe out of respect for its superior skills in warfare strategy. Built on C/C++ and XML, it is a cross-platform web server based on the NCSA HTTPd server and has played a key role in the growth and advancement of the World Wide Web.

Most commonly used on UNIX, Apache is available for a wide variety of platforms including FreeBSD, Linux, Windows, Mac OS, Novell NetWare etc. In 2009, Apache became the first server to serve more than 100 million websites.

The Apache server has one .htaccess file per user in the www/ directory. Although these files are hidden, they can be made visible if required. In the www/ directory there are a number of folders, each pertaining to a website and named after its user or owner. Apart from this, you can have one .htaccess file in each folder, which configures the files in that folder as stated above.

How to configure htaccess file on Apache server is as follows…

Configuration on Apache Server

There can be two cases:

Hosting website on own server

In this case, if .htaccess files are not enabled, you can enable them by simply going to httpd.conf (the default configuration file for the Apache HTTP daemon) and finding the <Directory> section.

<Directory "/var/www/htdocs">

And locate the line that says…

AllowOverride None 

And correct it to.

AllowOverride All

Now, on restarting Apache, .htaccess will work.

Hosting website on different hosting provider server

In this case it is better to consult the hosting admin, if they allow access to .htaccess files.

25 ‘.htaccess’ Tricks of Apache Web Server for Websites

1. How to enable mod_rewrite in .htaccess file

The mod_rewrite option allows you to use redirections and to hide your true URL by redirecting to some other URL. This option can prove very useful, allowing you to replace long URLs with short and easy to remember ones.

To allow mod_rewrite, make it a practice to add the following line as the first line of your .htaccess file.

Options +FollowSymLinks

This option lets the server follow symbolic links, which mod_rewrite needs in order to work in .htaccess files; the rewrite engine itself is switched on by the RewriteEngine ON line used in the examples further down. Replacing a URL with a short and crisp one is presented later on.

2. How to Allow or Deny Access to Websites

An .htaccess file can allow or deny access to the website, or to a folder or files in the directory in which it is placed, by using the Order, Allow and Deny keywords.

Allowing access to only 192.168.3.1 IP

Order Deny,Allow
Deny from All
Allow from 192.168.3.1

OR

Order Allow,Deny
Allow from 192.168.3.1

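The Order keyword specifies the order in which the Allow and Deny directives are processed, and its two values must be separated by a comma only, with no space. With ‘Order Allow,Deny’ the Allow statements are processed first and then the Deny statements, and a request matching neither is denied; with ‘Order Deny,Allow’ the Deny statements are processed first and a request matching neither is allowed.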

Denying access to only one IP Address

The lines below allow access to the website for all users except the one with IP address 192.168.3.1.

Order Allow,Deny
Deny from 192.168.3.1
Allow from All

OR

Order Deny,Allow
Deny from 192.168.3.1
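
How Order combines the Allow and Deny matches, as an added Python model (not Apache code and not from the original article). It handles IPv4 addresses, partial addresses and CIDR values only; the function names and the three sample blocks are constructed for this example, and the LOCKOUT block shows a combination that denies every client.

```python
import ipaddress

# Constructed sample blocks using the address from this section.
ONLY_ONE_IP = "Order Deny,Allow\nDeny from All\nAllow from 192.168.3.1"
BLOCK_ONE_IP = "Order Allow,Deny\nDeny from 192.168.3.1\nAllow from All"
LOCKOUT = "Order Allow,Deny\nDeny from All\nAllow from 192.168.3.1"


def parse_access_block(text):
    """Collect the Order, Allow and Deny lines of one 2.2-style block."""
    order, allow, deny = "deny,allow", [], []        # Apache's default Order
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "order":
            if len(words) != 2:                      # "Order Allow, Deny" ends up here
                raise ValueError("Order takes one argument: no space after the comma")
            order = words[1].lower()
        elif keyword in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if keyword == "allow" else deny).extend(words[2:])
    return order, allow, deny


def matches(spec, client):
    """True if the IPv4 client address falls under one 'from' value."""
    if spec.lower() == "all":
        return True
    if "/" not in spec:                              # full or partial address, e.g. 192.168
        octets = spec.rstrip(".").split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/" + str(8 * len(octets))
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)


def is_allowed(text, client):
    """Apply the two evaluation orders to one client address."""
    order, allow, deny = parse_access_block(text)
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order == "allow,deny":
        return allowed and not denied    # default deny; Deny wins when both match
    if order == "deny,allow":
        return allowed or not denied     # default allow; Allow wins when both match
    raise ValueError("unsupported Order value: " + order)


if __name__ == "__main__":
    for name, block in (("ONLY_ONE_IP", ONLY_ONE_IP), ("BLOCK_ONE_IP", BLOCK_ONE_IP),
                        ("LOCKOUT", LOCKOUT)):
        for client in ("192.168.3.1", "10.0.0.5"):
            print(name, client, is_allowed(block, client))
```

In Apache 2.4 these directives are provided by mod_access_compat, and the Require directive is the current way to express the same rules.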

3. Generate Apache Error documents for different error codes.

With a few simple lines, we can set the error document that is served for the different error codes generated by the server when a client requests a page that is not available on the website; most of us have seen the ‘404 Page not found’ page in a web browser. ‘.htaccess’ files specify what action to take in such error conditions.

To do this, the following line needs to be added to the ‘.htaccess’ file:

ErrorDocument <error-code> <path-of-document/string-representing-html-file-content>

‘ErrorDocument’ is a keyword, error-code can be any of 401, 403, 404, 500 or any other valid error code, and ‘path-of-document’ is the path on the local machine (if you are using your own local server) or on the server (if you are using someone else’s server to host your website).

Example:
ErrorDocument 404 /error-docs/error-404.html

The above line sets the document ‘error-404.html’ placed in error-docs folder to be displayed in case the 404 error is reported by the server for any invalid request for a page by the client.

ErrorDocument 404 "<html><head><title>404 Page not found</title></head><body><p>The page you request is not present. Check the URL you have typed</p></body></html>"

The above form is also correct; it supplies a string containing the HTML to display instead of the path of a file.

4. Setting/Unsetting Apache server environment variables

In a .htaccess file you can set or unset the global environment variables that the server allows website owners to modify. To set or unset environment variables, add the following lines to your .htaccess file.

Setting the Environment variables

SetEnv OWNER "Gunjit Khera"

Unsetting the Environment variables

UnsetEnv OWNER

5. Defining different MIME types for files

MIME (Multipurpose Internet Mail Extensions) types are the types that are recognized by the browser by default when running any web page. You can define MIME types for your website in .htaccess files, so that the different types of files you define can be recognized and run by the server.

<IfModule mod_mime.c>
	AddType	application/javascript		js
	AddType application/x-font-ttf		ttf ttc
</IfModule>

Here, mod_mime.c is the module for controlling definitions of different MIME types and if you have this module installed on your system then you can use this module to define different MIME types for different extensions used in your website so that server can understand them.

6. How to Limit the size of Uploads and Downloads in Apache

.htaccess files let you control the amount of data being uploaded or downloaded by a particular client from your website. For this you just need to append the following lines to your .htaccess file:

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200

The above lines set the maximum upload size, the maximum size of data being posted, the maximum execution time, i.e. the maximum time in seconds a script is allowed to run for a request, and the maximum time allowed for the script to receive and parse the input data.

7. Making Users to download .mp3 and other files before playing on your website.

Mostly, people play songs on websites before downloading them to check the song quality etc. Being a smart seller you can add a feature that can come in very handy for you which will not let any user play songs or videos online and users have to download them for playing. This is very useful as online playing of songs and videos consumes a lot of bandwidth.

The following line needs to be added to your .htaccess file:

AddType application/octet-stream .mp3 .zip 

8. Setting Directory Index for Website

Most website developers already know that the first page that is displayed, i.e. the home page of a website, is named ‘index.html’. Many of us have seen this too. But how is this set?

.htaccess file provides a way to list a set of pages which would be scanned in order when a client requests to visit home page of the website and accordingly any one of the listed set of pages if found would be listed as the home page of the website and displayed to the user.

Following line is needed to be added to produce the desired effect.

DirectoryIndex index.html index.php yourpage.php

The above line specifies that when a visitor requests the home page, the listed pages are searched for in order in the directory: first index.html, which is displayed as the site’s home page if found; otherwise the search proceeds to the next page, i.e. index.php, and so on to the last page in the list.

9. How to enable GZip compression for Files to save site’s bandwidth.

It is a common observation that heavy sites generally run a bit more slowly than lightweight sites that take up less space. This is because a heavy site takes time to load its huge script files and images before they are displayed in the client’s web browser.

The usual mechanism is that when a browser requests a web page, the server provides the browser with that page; to display it locally, the browser has to download the page and then run the scripts inside it.

What GZip compression does here is save the time required to serve a single client, thus saving bandwidth. The server compresses the source files of the website when a request comes from a user, transfers them in compressed form, and the browser then uncompresses them. This eases the bandwidth constraint.

The following lines compress the source files of your website, but they require the mod_deflate.c module to be installed on your server.

<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE application/html
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

10. Playing with the File types.

There are certain behaviours that the server assumes by default: .php files are run on the server, while .txt files, for example, are meant to be displayed. In the same way we can make some executable CGI scripts or files simply be displayed as source code on our website instead of being executed.

To do this observe the following lines from a .htaccess file.

RemoveHandler cgi-script .php .pl .py
AddType text/plain .php .pl .py

These lines tell the server that .pl (perl script), .php (PHP file) and .py (Python file) are meant to just be displayed and not executed as cgi-scripts.

11. Setting the Time Zone for Apache server

The power and importance of .htaccess files can be seen from the fact that they can be used to set the time zone of the server. This is done by setting ‘TZ’, one of the global environment variables that the server provides to each hosted website for modification.

This is why we can see the time on websites (that display it) according to our own time zone. Another person hosting a website on the same server may have the time zone set according to the location where he lives.

The following line sets the time zone of the server.

SetEnv TZ Asia/Kolkata

12. How to enable Cache Control on Website

A very interesting browser feature that most people have observed is that when the same website is opened more than once, it opens faster on later visits than it did the first time. But how is this possible? In this case, the browser stores some frequently visited pages in its cache for faster access later on.

But for how long? That depends on you, i.e. on the time you set in your .htaccess file for cache control. The .htaccess file can specify the amount of time for which the pages of the website can stay in the browser’s cache; after that time expires, they must be revalidated, i.e. the pages are deleted from the cache and fetched again the next time the user visits the site.

Following lines implement Cache Control for your website.

<FilesMatch "\.(ico|png|jpeg|svg|ttf)$">
	Header Set Cache-Control "max-age=3600, public"
</FilesMatch>
<FilesMatch "\.(js|css)$">
	Header Set Cache-Control "public"
	Header Set Expires "Sat, 24 Jan 2015 16:00:00 GMT"
</FilesMatch>

The above lines allow the matching files inside the directory in which the .htaccess file is placed to be cached: the image and font types for 1 hour, and the .js and .css files until the given Expires date.

13. Configuring a single file, the <files> option.

Usually the content in .htaccess files apply to all the files and folders inside the directory in which the file is placed, but you can also provide some special permissions to a special file, like denying access to that file only or so on.

For this you need to add a <Files> tag to your .htaccess file like this:

<Files conf.html>
Order deny,allow
Deny from 188.100.100.0
</Files>

This is a simple case of denying access to the file ‘conf.html’ from IP 188.100.100.0, but you can apply to the file any of the features described for .htaccess files so far, including the features yet to be described, such as Cache-control and GZip compression.

This feature is used by most of the servers to secure .htaccess files which is the reason why we are not able to see the .htaccess files on the browsers. How the files are authenticated is demonstrated in subsequent heading.

14. Enabling CGI scripts to run outside of cgi-bin folder.

Usually servers run CGI scripts that are located inside the cgi-bin folder, but you can enable CGI scripts in any folder you choose by adding the following lines to the .htaccess file in that folder, creating the file first if it does not exist:

AddHandler cgi-script .cgi
Options +ExecCGI

15. How to enable SSI on Website with .htaccess

Server Side Includes, as the name suggests, relate to something included at the server side. But what? Generally, when we have many pages in our website and a navigation menu on our home page that displays links to other pages, we can enable the SSI (Server Side Includes) option, which allows all the pages displayed in the navigation menu to be included with the home page completely.

SSI allows the inclusion of multiple pages as if the content they contain were part of a single page, so that any editing that is needed is done in one file only, which saves a lot of disk space. This option is enabled by default on servers, but only for .shtml files.

In case you want to enable it for .html files, you need to add the following line:

AddHandler server-parsed .html

After this, the following in the HTML file leads to SSI.

<!--#include virtual="gk/document.html" -->

16. How to Prevent website Directory Listing

To prevent any client from listing the directories of the website on the server, add the following line to the .htaccess file inside the directory you don’t want listed.

Options -Indexes

17. Changing Default charset and language headers.

.htaccess files allow you to modify the character set used for your website, i.e. ASCII, UNICODE, UTF-8 etc., along with the default language used for the display of content.

The following server directives allow you to achieve this.

AddDefaultCharset UTF-8
DefaultLanguage en-US

Re-writing URL’s: Redirection Rules

The re-writing feature simply means replacing long URLs that are hard to remember with short and easy to remember ones. Before going into this topic, here are the rules and conventions for the special symbols used later on in this article.

Special Symbols:

Symbol        Meaning
^             Start of the string
$             End of the string
|             Or, e.g. (a|b) matches a or b
[a-z]         Any of the letters between a and z
+             One or more occurrences of the previous letter
*             Zero or more occurrences of the previous letter
?             Zero or one occurrence of the previous letter

Constants and their meaning:

Constant      Meaning
NC            No-case, i.e. case-insensitive matching
L             Last rule, stop processing further rules
R             Temporary redirect to new URL
R=301         Permanent redirect to new URL
F             Forbidden, send 403 header to the user
P             Proxy, grab remote content in substitution section and return it
G             Gone, no longer exists
S=x           Skip next x rules
T=mime-type   Force specified MIME type
E=var:value   Set environment variable var to value
H=handler     Set handler
PT            Pass through, in case of URLs with additional headers
QSA           Append query string from requested to substituted URL

18. Redirecting a non-www URL to a www URL.

Before starting with the explanation, let’s first see the lines that need to be added to the .htaccess file to enable this feature.

RewriteEngine ON
RewriteCond %{HTTP_HOST} ^abc\.net$
RewriteRule (.*) http://www.abc.net/$1 [R=301,L]

The above lines enable the rewrite engine and then, in the second line, select all requests addressed to the host abc.net, i.e. those with the HTTP_HOST variable set to “abc.net”.

For all such requests the rule permanently redirects them (as the R=301 flag is set) to the new URL http://www.abc.net/$1, where $1 is the part of the requested non-www URL matched by the bracketed pattern (.*).

19. Redirecting entire website to https.

Following lines will help you transfer entire website to https:

RewriteEngine ON
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

The above lines enable the rewrite engine and then check the value of the HTTPS variable. If it is not on, every page of the website is redirected to its https address.

20. A custom redirection example

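For example, replace the URL ‘http://www.abc.net?p=100&q=20’ with the short URL ‘http://www.abc.net/10020pq’; the rule below maps the short URL back to the long one.

RewriteEngine ON
RewriteRule ^([0-9]+)([0-9]+)pq$ /?p=$1&q=$2

In the above lines, $1 represents the first bracket and $2 represents the second bracket. In a .htaccess file the pattern is matched against the path only, without the scheme and host name. Because both brackets are [0-9]+ with nothing between them, the first one takes every digit except the last, so 10020pq gives p=1002 and q=0; fixed widths such as ([0-9]{3})([0-9]{2}) or a separator between the two numbers are needed to get p=100 and q=20.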

21. Renaming the htaccess file

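To prevent intruders and other people from viewing the .htaccess file, you can rename it so that it is not accessed by a client’s browser. The line that does this is set in the main server configuration (httpd.conf), not in the .htaccess file itself:

AccessFileName	htac.cess

The stock Apache configuration typically denies web access only to files whose names begin with .ht, so a renamed file such as htac.cess needs its own <Files> block to stay unreadable.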

22. How to Prevent Image Hotlinking for your Website

Another major cause of heavy bandwidth consumption is hotlinking: other websites link directly to files on your website, mostly images, and display them on their own pages, which consumes your bandwidth. This problem is also called ‘bandwidth theft’.

A common case is a site displaying an image hosted on some other site: because of this hotlinking the image is loaded from your site, so the other site’s pages are displayed at the expense of your site’s bandwidth. To prevent this for images such as .gif, .jpeg etc., the following lines of code help:

RewriteEngine ON
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpeg|png)$ - [F]

The above lines check that HTTP_REFERER is not blank and does not point to a page of your own website. When both conditions hold, requests for the images get a 403 Forbidden response.

23. How to Redirect Users to Maintenance Page.

In case your website is down for maintenance and you want to notify all the clients that try to access it, you can add the following lines to your .htaccess file. They allow only admin access, leave requests for static files such as .jpg, .css, .png and .js untouched, and replace every other page.

RewriteEngine ON
RewriteCond %{REQUEST_URI} !^/admin/ [NC]
RewriteCond %{REQUEST_URI} !\.(css|js|png|jpg)$ [NC]
RewriteRule ^(.*)$ /ErrorDocs/Maintainence_Page.html [NC,L,QSA]

These lines check that the requested URL is not an admin page, i.e. one starting with ‘/admin/’, and not a request for a ‘.png, .jpg, .js, .css’ file; every other request is answered with ‘ErrorDocs/Maintainence_Page.html’.

24. Mapping IP Address to Domain Name

Name servers are the servers that convert a specific IP Address to a domain name. This mapping can also be specified in the .htaccess files in the following manner.

For mapping the address L.M.N.O to the domain name www.hellovisit.com:

RewriteEngine ON
RewriteCond %{HTTP_HOST} ^L\.M\.N\.O$ [NC]
RewriteRule ^(.*)$ http://www.hellovisit.com/$1 [L,R=301]

The above lines check whether the host for any page is the IP address L.M.N.O, and if so the third line maps the page to the domain name http://www.hellovisit.com by permanent redirection.

25. FilesMatch Tag

Like the <Files> tag, which is used to apply conditions to a single file, <FilesMatch> can be used to match a group of files and apply some conditions to that group, as below:

<FilesMatch "\.(png|jpg)$">
Order Allow,Deny
Deny from All
</FilesMatch>

Conclusion

The list of tricks that can be done with .htaccess files is much longer. This gives us an idea of how powerful this file is and how much security, dynamism and other features it can give to your website.

We’ve tried our best to cover as many htaccess tricks as possible in this article, but in case we’ve missed any important trick, you are most welcome to post the htaccess ideas and tricks that you know via the comments section below; we will include those in our article too…


How to Configure and Use PAM in Linux

Linux-PAM (short for Pluggable Authentication Modules which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.

It integrates multiple low-level authentication modules into a high-level API that provides dynamic authentication support for applications. This allows developers to write applications that require authentication, independently of the underlying authentication system.

Many modern Linux distributions support Linux-PAM (hereinafter referred to as “PAM”) by default. In this article, we will explain how to configure advanced PAM in Ubuntu and CentOS systems.

Before we proceed any further, note that:

  • As a system administrator, the most important thing is to master how PAM configuration file(s) define the connection between applications (services) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. You don’t necessarily need to understand the internal working of PAM.
  • PAM has the potential to seriously alter the security of your Linux system. Erroneous configuration can disable access to your system partially or completely. For instance, accidentally deleting configuration files under /etc/pam.d/* and/or /etc/pam.conf can lock you out of your own system!

How to Check a Program is PAM-aware

To employ PAM, an application/program needs to be “PAM aware“; it needs to have been written and compiled specifically to use PAM. To find out if a program is “PAM-aware” or not, check if it has been compiled with the PAM library using the ldd command.

For example sshd:

$ sudo ldd /usr/sbin/sshd | grep libpam.so

	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007effddbe2000)

How to Configure PAM in Linux

The main configuration file for PAM is /etc/pam.conf, and the /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application/service. PAM will ignore the /etc/pam.conf file if the directory exists.

The syntax for the main configuration file is as follows. The file is made up of a list of rules written on a single line (you can extend rules using the “\” escape character) and comments are preceded with “#” marks and extend to the next end of line.

The format of each rule is a space-separated collection of tokens (the first three are case-insensitive). We will explain these tokens in subsequent sections.

service type control-flag module module-arguments 

where:

  • service: actual application name.
  • type: module type/context/interface.
  • control-flag: indicates the behavior of the PAM-API should the module fail to succeed in its authentication task.
  • module: the absolute filename or relative pathname of the PAM.
  • module-arguments: space separated list of tokens for controlling module behavior.

The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:

type control-flag module module-arguments

This is an example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:

account required pam_nologin.so

Understanding PAM Management Groups and Control-flags

PAM authentication tasks are separated into four independent management groups. These groups manage different aspects of a typical user’s request for a restricted service.

A module is associated with one of these management group types:

  • account: provides services for account verification: has the user’s password expired? is this user permitted access to the requested service?
  • authentication (written auth in rules): authenticates a user and sets up user credentials.
  • password: responsible for updating user passwords; works together with authentication modules.
  • session: manages actions performed at the beginning and end of a session.

PAM loadable object files (the modules) are to be located in the following directory: /lib/security/ or /lib64/security depending on the architecture.

The supported control-flags are:

  • requisite: failure instantly returns control to the application indicating the nature of the first module failure.
  • required: all these modules are required to succeed for libpam to return success to the application.
  • sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
  • optional: the success or failure of this module is generally not recorded.

In addition to the above keywords, there are two other valid control flags:

  • include: include all lines of given type from the configuration file specified as an argument to this control.
  • substack: include all lines of given type from the configuration file specified as an argument to this control. Unlike include, the done and die actions inside a substack end only the substack, not the complete module stack.

How to Restrict root Access to SSH Service Via PAM

As an example, we will use PAM to disable root user access to a system via the SSH and login programs, by restricting access to the login and sshd services.

We can use the /lib/security/pam_listfile.so module which offers great flexibility in limiting the privileges of specific accounts. Open and edit the file for the target service in the /etc/pam.d/ directory as shown.

$ sudo vim /etc/pam.d/sshd
OR
$ sudo vim /etc/pam.d/login

Add this rule in both files.

auth    required       pam_listfile.so \
        onerr=succeed  item=user  sense=deny  file=/etc/ssh/deniedusers

Explaining the tokens in the above rule:

  • auth: is the module type (or context).
  • required: is a control-flag that means if the module is used, it must pass or the overall result will be fail, regardless of the status of other modules.
  • pam_listfile.so: is a module which provides a way to deny or allow services based on an arbitrary file.
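  • onerr=succeed: module argument that sets what the module returns when an error occurs, such as the list file being unreadable; with succeed the login is not blocked in that case, so the deny list silently stops applying.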
  • item=user: module argument which specifies what is listed in the file and should be checked for.
  • sense=deny: module argument which specifies action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.
  • file=/etc/ssh/deniedusers: module argument which specifies file containing one item per line.

Next, we need to create the file /etc/ssh/deniedusers and add the name root in it:

$ sudo vim /etc/ssh/deniedusers

Save the changes and close the file, then set the required permissions on it:

$ sudo chmod 600 /etc/ssh/deniedusers

From now on, the above rule will tell PAM to consult the /etc/ssh/deniedusers file and deny access to the SSH and login services for any listed user.

How to Configure Advanced PAM in Linux

To write more complex PAM rules, you can use valid control-flags in the following form:

type [value1=action1 value2=action2 …] module module-arguments

Where valueN corresponds to the return code from the function invoked in the module for which the line is defined. You can find supported values from the on-line PAM Administrator’s Guide. A special value is default, which implies all valueN’s not mentioned explicitly.

The actionN can take one of the following forms:

  • ignore: if this action is used with a stack of modules, the module’s return status will not contribute to the return code the application obtains.
  • bad: indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack.
  • die: equivalent to bad but may terminate the module stack and PAM immediately returning to the application.
  • ok: this instructs PAM that the system administrator thinks this return code should contribute directly to the return code of the full stack of modules.
  • done: equivalent to ok but may terminate the module stack and PAM immediately returning to the application.
  • N (an unsigned integer): equivalent to ok but may jump over the next N modules in the stack.
  • reset: this action clears all memory of the state of the module stack and restarts with the next stacked module.

Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax, which allow you to write more complicated rules and they are:

  • required: [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
  • requisite: [success=ok new_authtok_reqd=ok ignore=ignore default=die]
  • sufficient: [success=done new_authtok_reqd=done default=ignore]
  • optional: [success=ok new_authtok_reqd=ok default=ignore]

The following is an example from a modern CentOS 7 system. Let’s consider these rules from the /etc/pam.d/postlogin PAM file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed

Here is another example configuration from the /etc/pam.d/smartcard-auth PAM file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
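
To trace how the bracketed control values decide which modules run in the two files above, here is an added Python model of a PAM stack (an illustration written for this article, not Linux-PAM code). It applies the actions as the article describes them, including N as ok plus a jump; the return values fed to each rule are constructed, include and substack lines are skipped, and a missing default is assumed to mean bad.

```python
import re
from collections import namedtuple

# Bracket equivalents of the four keywords, as listed in the article.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
Rule = namedtuple("Rule", "actions module args")
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

# Rules copied from the two CentOS 7 files quoted in the article.
POSTLOGIN = """\
#%PAM-1.0
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
"""
SMARTCARD_AUTH = """\
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
"""


def parse_stack(text, mgmt):
    """Return the rules of one management group (auth, account, ...) in order."""
    rules = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lower() != mgmt:
            continue
        control = m.group(2).lower()
        if control in ("include", "substack"):
            continue                           # other files are not followed in this model
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        actions = dict(pair.split("=", 1) for pair in spec.split())
        actions.setdefault("default", "bad")   # assumption when no default is given
        rules.append(Rule(actions, m.group(3), m.group(4).strip()))
    return rules


def run_stack(rules, results):
    """results maps rule index -> constructed module return value (default
    "success"). Returns (final status, list of the modules that were called)."""
    impression, status = None, "must_fail"     # None: no module has counted yet
    called, i = [], 0
    while i < len(rules):
        rule, ret = rules[i], results.get(i, "success")
        called.append((rule.module + " " + rule.args).strip())
        action = rule.actions.get(ret, rule.actions["default"])
        i += 1
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, "must_fail"
            continue
        if action in ("bad", "die"):
            if impression is not False:        # only the first failure sets the status
                impression = False
                status = ret if ret != "success" else "must_fail"
            if action == "die":
                break
            continue
        # ok, done, or a jump N, which the article describes as "equivalent to ok"
        if impression is None or (impression and status == "success"):
            impression, status = True, ret
        if action == "done" and impression:
            break                              # done ends the stack only while all is good
        if action.isdigit():
            i += int(action)                   # skip the next N rules
    return status, called
```

Calling run_stack(parse_stack(POSTLOGIN, "session"), {}) shows that a service other than gdm or su skips the first pam_lastlog line, while a failing pam_succeed_if (result index 0 set to a failure value) runs it and skips the second.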

For more information, see the pam.d man page:

$ man pam.d 

Lastly, a comprehensive description of the Configuration file syntax and all PAM modules can be found in the documentation for Linux-PAM.

Summary

PAM is a powerful high-level API that allows programs that rely on authentication to authenticate users to applications in a Linux system. It’s powerful but very challenging to understand and use.

In this article, we’ve explained how to configure advanced features of PAM in Ubuntu and CentOS. If you have any questions or comments to share, use the feedback form below.


How to Check Integrity of File and Directory Using “AIDE” in Linux

In our mega guide to hardening and securing CentOS 7, under the section “protect system internally”, one of the useful security tools we listed for internal system protection against viruses, rootkits, malware, and detection of unauthorized activities is AIDE.

AIDE (Advanced Intrusion Detection Environment) is a small yet powerful, free open source intrusion detection tool, that uses predefined rules to check file and directory integrity in Unix-like operating systems such as Linux. It is an independent static binary for simplified client/server monitoring configurations.

It is feature-rich: uses plain text configuration files and database making it easy to use; supports several message digest algorithms such as but not limited to md5, sha1, rmd160, tiger; supports common file attributes; also supports powerful regular expressions to selectively include or exclude files and directories to be scanned.

Also it can be compiled with exceptional support for Gzip compression, Posix ACL, SELinux, XAttrs and Extended file system attributes.

Aide works by creating a database (which is simply a snapshot of selected parts of the file system), from the regular expression rules defined in the configuration file(s). Once this database is initialized, you can verify the integrity of the system files against it. This guide will show how to install and use aide in Linux.

How to Install AIDE in Linux

Aide is packaged in the official repositories of mainstream Linux distributions. To install it, run the command for your distribution using its package manager.

# apt install aide 	   [On Debian/Ubuntu]
# yum install aide	   [On RHEL/CentOS] 	
# dnf install aide	   [On Fedora 22+]
# zypper install aide	   [On openSUSE]
# emerge aide 	           [On Gentoo]

After installing it, the main configuration file is /etc/aide.conf. To view the installed version as well as compile time parameters, run the command below on your terminal:

# aide -v
Sample Output
Aide 0.14

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

You can open the configuration using your favorite editor.

# vi /etc/aide.conf

It has directives that define the database location, the report location, the default rules, and the directories/files to be included in the database.

Understanding Default Aide Rules

AIDE Default Rules

Using the above default rules, you can define new custom rules in the aide.conf file, for example:

PERMS = p+u+g+acl+selinux+xattrs

The PERMS rule is used for access control only; it will detect any changes to files or directories based on file/directory permissions, user, group, access control permissions, SELinux context and file attributes.

The CONTENT rule below will only check file content and file type.

CONTENT = sha256+ftype

The CONTENT_EX rule below is an extended version of the previous rule; it checks extended content, file type and access.

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

The DATAONLY rule below will help detect any changes in data inside all files/directories.

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

Configure Aide Rules

Defining Rules to Watch Files and Directories

Once you have defined rules, you can specify the files and directories to watch. Considering the PERMS rule above, this definition will check permissions for all files in the /root directory.

/root/\..*  PERMS

This will check all files in the /root directory for any changes.

/root/   CONTENT_EX

To help you detect any changes in data inside all files/directories under /etc/, use this.

/etc/   DATAONLY 

Configure Aide Rules for Filesystem

Using AIDE to Check File and Directory Integrity in Linux

Start by constructing a database against which the checks will be performed, using the --init flag. This is expected to be done before your system is connected to a network.

The command below will create a database that contains all of the files that you selected in your configuration file.

# aide --init

Initialize Aide Database

Then rename the database to /var/lib/aide/aide.db.gz before proceeding, using this command.

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to move the database to a secure location, possibly on read-only media or on another machine, but ensure that you update the configuration file to read it from there.

After the database is created, you can now check the integrity of the files and directories using the --check flag.

# aide --check

It will read the snapshot in the database and compare it to the files/directories found on your system disk. If it finds changes in places that you might not expect, it generates a report which you can then review.

Run File Integrity Check

Since no changes have been made to the file system, you will only get an output similar to the one above. Now try to create some files in the file system, in areas defined in the configuration file.

# vi /etc/script.sh
# touch all.txt

Then run a check once more, which should report the files added above. The output of this command depends on the parts of the file system you configured for checking; it can become lengthy over time.

# aide --check

Check File System Changes

You need to run aide checks regularly, and in case of any changes to already selected files or addition of new file definitions in the configuration file, always update the database using the --update option:

# aide --update

After running a database update, to use the new database for future scans, always rename it to /var/lib/aide/aide.db.gz:

# mv /var/lib/aide/aide.db.new.gz  /var/lib/aide/aide.db.gz

That’s all for now! But take note of these important points:

  • One characteristic of most intrusion detection systems, AIDE included, is that they will not provide solutions to most security loopholes on a system. They do, however, assist in easing the intrusion response process by helping system administrators examine any changes to system files/directories. So you should always be vigilant and keep updating your current security measures.
  • It is highly recommended to keep the newly created database, the configuration file and the AIDE binary in a secure location such as read-only media (possible if you install from source).
  • For additional security, consider signing the configuration and/or database.
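
One way to act on the last two points from a scheduled job, shown as an added example that is not part of the original article or of AIDE itself: refuse to run the check unless the baseline database still matches a digest recorded off-host, then turn the exit status of `aide --check` into findings. A plain SHA-256 comparison stands in for a real signature here; the REFERENCE_DIGEST path and the function names are hypothetical, and the exit-status meanings are the ones given in the aide(1) manual page.

```python
#!/usr/bin/env python3
"""Added example: gate `aide --check` on a trusted baseline and decode its exit status."""
import hashlib
import hmac
import subprocess
import sys

# AIDE_DB is the database path used in the article. REFERENCE_DIGEST is a
# hypothetical file on read-only media holding the output of
# `sha256sum aide.db.gz`, recorded right after `aide --init`.
AIDE_DB = "/var/lib/aide/aide.db.gz"
REFERENCE_DIGEST = "/mnt/readonly/aide.db.gz.sha256"

# Exit-status bits for --check/--compare/--update as documented in aide(1);
# confirm them against the manual page of the version you have installed.
CHANGE_BITS = {1: "new files detected", 2: "removed files detected", 4: "changed files detected"}
# Generic error codes from the same manual page.
ERROR_CODES = {
    14: "error writing", 15: "invalid argument", 16: "unimplemented function",
    17: "invalid configuration line", 18: "I/O error", 19: "version mismatch",
}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large database is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_is_trusted(db_path, reference_path):
    """True only if the database's SHA-256 equals the first field of the reference file."""
    try:
        with open(reference_path, "r", encoding="ascii") as handle:
            fields = handle.read().split()
        expected = fields[0].lower() if fields else ""
        actual = sha256_file(db_path)
    except (OSError, UnicodeDecodeError):
        return False  # a missing or unreadable file is treated as untrusted
    return len(expected) == 64 and hmac.compare_digest(expected, actual)


def decode_exit_status(status):
    """Map an `aide --check` exit status to (severity, [messages])."""
    if status == 0:
        return "ok", ["no differences between database and file system"]
    if status in ERROR_CODES:
        return "error", [ERROR_CODES[status]]
    if 1 <= status <= 7:
        return "changed", [text for bit, text in CHANGE_BITS.items() if status & bit]
    return "error", ["unexpected exit status %d" % status]


def run_check():
    """Verify the baseline, run the check, and return (severity, [messages])."""
    if not baseline_is_trusted(AIDE_DB, REFERENCE_DIGEST):
        return "error", ["baseline database does not match the reference digest; check not run"]
    result = subprocess.run(["aide", "--check"], stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, universal_newlines=True)
    severity, messages = decode_exit_status(result.returncode)
    if severity != "ok":
        messages.append(result.stdout)  # keep AIDE's own report for the reviewer
    return severity, messages


if __name__ == "__main__":
    severity, messages = run_check()
    print(severity.upper() + ": " + "; ".join(messages))
    sys.exit(0 if severity == "ok" else 1)
```

After a legitimate `aide --update` and rename, the reference digest has to be regenerated from the new database, otherwise the next run reports the baseline as untrusted.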

For additional information and configurations, see its man page or check out the AIDE Homepage: http://aide.sourceforge.net/

How to Create GUI Applications Under Linux Desktop Using PyGObject

Applications on Linux can be created in different ways, but only a limited number of them use the simplest and most functional programming languages and libraries. That’s why we’re going to have a quick look at creating applications under the Linux desktop using the GTK+ library with the Python programming language, a combination which is called “PyGObject”.

PyGObject uses GObject Introspection to create bindings for programming languages like Python. PyGObject is the next generation of PyGTK; you can say that PyGObject = Python + GTK3.

Create GUI Applications in Linux – Part 1

Today, we’re going to start a series about creating GUI (Graphical User Interface) applications under the Linux desktop using the GTK+ library and the PyGObject language. The series will cover the following topics:

Part 1: How to Create GUI Applications Under Linux Desktop Using PyGObject

About Python

First of all, you must have some basic knowledge in Python; Python is a very modern and easy to use programming language. It’s one of the most famous programming languages in the world, using Python, you will be able to create many great applications & tools. You may take some free courses like those at codeacademy.com or you may read some books about Python at:

GTK+ is an open-source cross-platform toolkit to create graphical user interfaces for desktop applications, it was first started in 1998 as a GUI toolkit for the GIMP, later, it was used in many other applications and soon became one of the most famous libraries to create GUIs. GTK+ is released under the LGPL license.

Creating GUI Applications Under Linux

There are 2 ways for creating the applications using GTK+ & Python:

  1. Writing the graphical interface using code only.
  2. Designing the graphical interface using the “Glade” program, which is a RAD tool to design GTK+ interfaces easily. Glade generates the GUI as an XML file which can be used with any programming language to build the GUI; after exporting the GUI’s XML file, we’ll be able to link the XML file with our program to do the jobs we want.

We’ll explain both ways in short.

The Code-Only Way

Writing the GUI using code only can be a little bit hard for novice programmers and very time-consuming, but using it, we can create very functional GUIs for our programs, more than those we create using some tools like Glade.

Let’s take the following example.

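#!/usr/bin/python
# -*- coding: utf-8 -*-

# Pin the GTK major version so that GTK 3 is loaded even if other versions are installed.
import gi
gi.require_version("Gtk", "3.0")
from gi.repository import Gtk

class ourwindow(Gtk.Window):

    def __init__(self):
        Gtk.Window.__init__(self, title="My Hello World Program")
        Gtk.Window.set_default_size(self, 400,325)
        Gtk.Window.set_position(self, Gtk.WindowPosition.CENTER)

        # Passing the text as the "label" keyword avoids PyGObject's deprecation warning.
        button1 = Gtk.Button(label="Hello, World!")
        button1.connect("clicked", self.whenbutton1_clicked)

        self.add(button1)

    def whenbutton1_clicked(self, button):
        # print() with parentheses runs under both Python 2.7 and Python 3.
        print("Hello, World!")

window = ourwindow()
window.connect("delete-event", Gtk.main_quit)
window.show_all()
Gtk.main()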

Copy the above code, paste it in a “test.py” file and set 755 permission on the test.py file and run the file later using “./test.py”, that’s what you will get.

# nano test.py
# chmod 755 test.py
# ./test.py

Hello World Script

By clicking the button, you see the “Hello, World!” sentence printed out in the terminal:

Test Python Script

Let me explain the code in detail.

  1. #!/usr/bin/python: The default path for the Python interpreter (version 2.7 in most cases), this line must be the first line in every Python file.
  2. # -*- coding: utf-8 -*-: Here we set the default coding for the file, UTF-8 is the best if you want to support non-English languages, leave it like that.
  3. from gi.repository import Gtk: Here we are importing the GTK 3 library to use it in our program.
  4. class ourwindow(Gtk.Window): Here we are creating a new class, which is called “ourwindow”, we are also setting the class object type to a “Gtk.Window”.
  5. def __init__(self): Nothing new, we’re defining the main window components here.
  6. Gtk.Window.__init__(self, title="My Hello World Program"): We’re using this line to set the “My Hello World Program” title to “ourwindow” window, you may change the title if you like.
  7. Gtk.Window.set_default_size(self, 400,325): I don’t think that this line needs explanation, here we’re setting the default width and height for our window.
  8. Gtk.Window.set_position(self, Gtk.WindowPosition.CENTER): Using this line, we’ll be able to set the default position for the window, in this case, we set it to the center using the “Gtk.WindowPosition.CENTER” parameter, if you want, you can change it to “Gtk.WindowPosition.MOUSE” to open the window on the mouse pointer position.
  9. button1 = Gtk.Button(label="Hello, World!"): We created a new Gtk.Button, and we called it “button1”, the default text for the button is “Hello, World!”, you may create any Gtk widget if you want.
  10. button1.connect("clicked", self.whenbutton1_clicked): Here we’re linking the “clicked” signal with the “whenbutton1_clicked” action, so that when the button is clicked, the “whenbutton1_clicked” action is activated.
  11. self.add(button1): If we want our Gtk widgets to appear, we have to add them to the default window, this simple line adds the “button1” widget to the window, it’s very necessary to do this.
  12. def whenbutton1_clicked(self, button): Now we’re defining the “whenbutton1_clicked” action here, we’re defining what’s going to happen when the “button1” widget is clicked, the “(self, button)” parameter is important in order to specify the signal parent object type.
  13. print("Hello, World!"): I don’t have to explain more here.
  14. window = ourwindow(): We have to create a new global variable and set it to ourwindow() class so that we can call it later using the GTK+ library.
  15. window.connect("delete-event", Gtk.main_quit): Now we’re connecting the “delete-event” signal with the “Gtk.main_quit” action, this is important in order to delete all the widgets after we close our program window automatically.
  16. window.show_all(): Showing the window.
  17. Gtk.main(): Running the Gtk library.

That’s it, easy, isn’t it? And very functional if we want to create some large applications. For more information about creating GTK+ interfaces using the code-only way, you may visit the official documentation website at:

Python GTK3 Tutorials

The Glade Designer Way

Like I said in the beginning of the article, Glade is a very easy tool to create the interfaces we need for our programs, it’s very famous among developers and many great applications interfaces were created using it. This way is called “Rapid applications development”.

You have to install Glade in order to start using it, on Debian/Ubuntu/Mint run:

$ sudo apt-get install glade

On RedHat/Fedora/CentOS, run:

# yum install glade

After you download and install the program, and after you run it, you will see the available Gtk widgets on the left, click on the “window” widget in order to create a new window.

Create New Widget

You will notice that a new empty window is created.

New Window Widget

You can now add some widgets to it, on the left toolbar, click on the “button” widget, and click on the empty window in order to add the button to the window.

Add Widget

You will notice that the button ID is “button1”, now refer to the Signals tab in the right toolbar, and search for the “clicked” signal and enter “button1_clicked” under it.

Glade Button Properties

Glade Signals Tab

Now that we’ve created our GUI, let’s export it. Click on the “File” menu and choose “Save”, save the file in your home directory under the name “myprogram.glade” and exit.

Glade Export Widget File

Now, create a new “test.py” file, and enter the following code inside it.

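#!/usr/bin/python
# -*- coding: utf-8 -*-

# Pin the GTK major version so that GTK 3 is loaded even if other versions are installed.
import gi
gi.require_version("Gtk", "3.0")
from gi.repository import Gtk

class Handler:
    # The method name must match the handler entered in Glade's Signals tab ("button1_clicked").
    def button1_clicked(self, button):
        # print() with parentheses runs under both Python 2.7 and Python 3.
        print("Hello, World!")

builder = Gtk.Builder()
builder.add_from_file("myprogram.glade")
builder.connect_signals(Handler())

ournewbutton = builder.get_object("button1")
ournewbutton.set_label("Hello, World!")

window = builder.get_object("window1")

window.connect("delete-event", Gtk.main_quit)
window.show_all()
Gtk.main()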

Save the file, give it 755 permissions like before, and run it using “./test.py”, and that’s what you will get.

# nano test.py
# chmod 755 test.py
# ./test.py

Hello World Window

Click on the button, and you will notice that the “Hello, World!” sentence is printed in the terminal.

Now let’s explain the new things:

  1. class Handler: Here we’re creating a class called “Handler” which will include the definitions for the actions & signals we create for the GUI.
  2. builder = Gtk.Builder(): We created a new global variable called “builder” which is a Gtk.Builder widget, this is important in order to import the .glade file.
  3. builder.add_from_file("myprogram.glade"): Here we’re importing the “myprogram.glade” file to use it as a default GUI for our program.
  4. builder.connect_signals(Handler()): This line connects the .glade file with the handler class, so that the actions and signals that we define under the “Handler” class work fine when we run the program.
  5. ournewbutton = builder.get_object("button1"): Now we’re importing the “button1” object from the .glade file, we’re also passing it to the global variable “ournewbutton” to use it later in our program.
  6. ournewbutton.set_label("Hello, World!"): We used the “set_label” method to set the default button text to the “Hello, World!” sentence.
  7. window = builder.get_object("window1"): Here we called the “window1” object from the .glade file in order to show it later in the program.
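
builder.connect_signals() looks up each handler name stored in the .glade file as a method of the same name on the Handler object, so a misspelled method name means that signal cannot be connected. The following added example (not part of the original article) lists the handlers a .glade file expects and reports the ones a handler class lacks; the sample XML, the two handler classes and the function names glade_signals and missing_handlers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal .glade file like the one the steps above produce
# (window1 containing button1, whose "clicked" signal names button1_clicked).
SAMPLE_GLADE = """<?xml version="1.0" encoding="UTF-8"?>
<interface>
  <requires lib="gtk+" version="3.10"/>
  <object class="GtkWindow" id="window1">
    <child>
      <object class="GtkButton" id="button1">
        <property name="label">button</property>
        <signal name="clicked" handler="button1_clicked" swapped="no"/>
      </object>
    </child>
  </object>
</interface>
"""


class GoodHandler:
    def button1_clicked(self, button):
        print("Hello, World!")


class TypoHandler:
    # Deliberate mistake: the underscore is misplaced, so the name stored in
    # the .glade file does not exist on this class.
    def button_1clicked(self, button):
        print("Hello, World!")


def glade_signals(glade_xml):
    """Return (object id, signal name, handler name) for every <signal> element.

    Only parse .glade files you created or trust; ElementTree is not hardened
    against maliciously constructed XML.
    """
    root = ET.fromstring(glade_xml.encode("utf-8"))
    found = []
    for obj in root.iter("object"):
        for signal in obj.findall("signal"):
            found.append((obj.get("id"), signal.get("name"), signal.get("handler")))
    return found


def missing_handlers(glade_xml, handler_object):
    """Return the signals whose handler is not a callable attribute of handler_object."""
    return [
        entry for entry in glade_signals(glade_xml)
        if not callable(getattr(handler_object, entry[2] or "", None))
    ]


if __name__ == "__main__":
    for handler in (GoodHandler(), TypoHandler()):
        problems = missing_handlers(SAMPLE_GLADE, handler)
        print(type(handler).__name__, "->", problems or "all handlers present")
```

To check a real project, read the saved file (for example myprogram.glade) and pass its text together with an instance of your own Handler class.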

And that’s it! You have successfully created your first program under Linux!

Of course there are a lot more complicated things to do in order to create a real application that does something, that’s why I recommend you to take a look into the GTK+ documentation and GObject API at:

  1. GTK+ Reference Manual
  2. Python GObject API Reference
  3. PyGObject Reference

Have you developed any application before under the Linux desktop? What programming language and tools have you used to do it? What do you think about creating applications using Python & GTK 3?

Create More Advance GUI Applications Using PyGobject Tool in Linux – Part 2

We continue our series about creating GUI applications under the Linux desktop using PyGObject. This is the second part of the series and today we’ll be talking about creating more functional applications using some advanced widgets.

Create Gui Applications in Linux- Part 2

Requirements

  1. Create GUI Applications Under Linux Using PyGObject – Part 1

In the previous article we said that there are two ways for creating GUI applications using PyGObject: the code-only-way and the Glade designer way, but from now on, we’ll only be explaining the Glade designer way since it’s much easier for most users, you can learn the code-only-way by yourself using python-gtk3-tutorial.

Creating Advance GUI Applications in Linux

1. Let’s start programming! Open your Glade designer from the applications menu.

Glade Designer

2. Click on the “Window” button on the left sidebar in order to create a new one.

Create New Window

3. Click on the “Box” widget and release it on the empty window.

Select Box Widget

4. You will be prompted to enter the number of boxes you want, make it 3.

Create Boxes

And you’ll see that the boxes are created, those boxes are important for us in order to be able to add more than just 1 widget in a window.

5. Now click on the box widget, and change the orientation type from vertical to horizontal.

Make Box Horizontal

6. In order to create a simple program, add a “Text Entry”, “Combo Box Text” and a “Button” widgets for each one of the boxes, you should have something like this.

Create Simple Program

7. Now click on the “window1” widget from the right sidebar, and change its position to “Center“.

Make Widget Center

Scroll down to the “Appearance” section and add a title for the window, “My Program“.

Add Widget Title

8. You can also choose an icon for the window by clicking on the “Icon Name” box.

Set Widget Icon

9. You can also change the default height & width for the application. After all of that, you should have something like this.

Set Widget Height Width

In any program, one of the most important things is to create an “About” window. To do this, first we’ll have to change the normal button we created before into a stock button, look at the picture.

Create About Window

10. Now, we’ll have to modify some signals in order to run specific actions when any event occurs on our widgets. Click on the text entry widget, switch to the “Signals” tab in the right sidebar, search for “activate” and change its handler to “enter_button_clicked”; the “activate” signal is the default signal that is sent when the “Enter” key is hit while focusing on the text entry widget.

Set Widget Signals

We’ll have to add another handler for the “clicked” signal for our about button widget, click on it and change the “clicked” signal to “button_is_clicked“.

Add Widget Handler

11. Go to the “Common” tab and mark “Has Focus” as follows (to give the default focus to the about button instead of the entry).

Set Default Focus

12. Now from the left sidebar, create a new “About Dialog” window.

Create About Dialog

And you will notice that the “About Dialog” window is created.

About Dialog

Let’s modify it. Make sure that you insert the following settings for it from the right sidebar.

Add Program Attributes

Select License

Add About Authors

Set Window Appearance

Select Appearance Flags

After making the above settings, you will get the following About window.

My Program about Window

In the above window, you will notice the empty space, but you can remove it by reducing the number of boxes from 3 to 2, or you can add any widget to it if you want.

Change Window Boxes

13. Now save the file in your home folder in the name “ui.glade” and open a text editor and enter the following code inside it.

#!/usr/bin/python
# -*- coding: utf-8 -*-

## Pin the GTK major version so that GTK 3 is loaded even if other versions are installed.
import gi
gi.require_version("Gtk", "3.0")
from gi.repository import Gtk

class Handler:

    def button_is_clicked(self, button):
        ## The ".run()" method is used to launch the about window.
        ouraboutwindow.run()
        ## This is just a workaround to enable closing the about window.
        ouraboutwindow.hide()

    def enter_button_clicked(self, button):
        ## The ".get_text()" method is used to grab the text from the entry box. The "get_active_text()" method is used to get the selected item from the Combo Box Text widget, here, we merged both texts together.
        print(ourentry.get_text() + ourcomboboxtext.get_active_text())

## Nothing new here.. We just imported the 'ui.glade' file.
builder = Gtk.Builder()
builder.add_from_file("ui.glade")
builder.connect_signals(Handler())

ournewbutton = builder.get_object("button1")

window = builder.get_object("window1")

## Here we imported the Combo Box widget in order to add some change on it.
ourcomboboxtext = builder.get_object("comboboxtext1")

## Here we defined a list called 'default_text' which will contain all the possible items in the Combo Box Text widget.
default_text = [" World ", " Earth ", " All "]

## This is a for loop that adds every single item of the 'default_text' list to the Combo Box Text widget using the '.append_text()' method.
for x in default_text:
    ourcomboboxtext.append_text(x)

## The '.set_active(n)' method is used to set the default item in the Combo Box Text widget, while n = the index of that item.
ourcomboboxtext.set_active(0)
ourentry = builder.get_object("entry1")

## This line doesn't need an explanation :D
ourentry.set_max_length(15)

## Nor does this.
ourentry.set_placeholder_text("Enter A Text Here..")

## We just imported the about window here to the 'ouraboutwindow' global variable.
ouraboutwindow = builder.get_object("aboutdialog1")

## Give that developer a cookie !
window.connect("delete-event", Gtk.main_quit)
window.show_all()
Gtk.main()

Save the file in your home directory under the name “myprogram.py”, give it the execute permission and run it.

$ chmod 755 myprogram.py
$ ./myprogram.py

This is what you will get after running the above script.

My Program Window

Enter a text in the entry box, hit the “Enter” key on the keyboard, and you will notice that the sentence is printed at the shell.

Box Output Text

That’s all for now, it’s not a complete application, but I just wanted to show you how to link things together using PyGObject, you can view all methods for all GTK widgets at gtkobjects.

Just learn the methods, create the widgets using Glade, and connect the signals using the Python file, That’s it! It’s not hard at all my friend.

We’ll explain more new things about PyGObject in the next parts of the series, till then stay updated and don’t forget to give us your comments about the article.

Create Your Own ‘Web Browser’ and ‘Desktop Recorder’ Applications Using PyGobject – Part 3

This is the 3rd part of the series about creating GUI applications under the Linux desktop using PyGObject. Today we’ll talk about using some advanced Python modules & libraries in our programs like ‘os‘, ‘WebKit‘, ‘requests‘ and others, beside some other useful information for programming.

Create Own Web Browser and Recorder – Part 3

Requirements

You must go through all these previous parts of the series from here, to continue further instructions on creating more advance applications:

  1. Create GUI Applications Under Linux Desktop Using PyGObject – Part 1
  2. Creating Advance PyGobject Applications on Linux – Part 2

Modules & libraries in Python are very useful, instead of writing many sub-programs to do some complicated jobs which will take a lot of time and work, you can just import them ! Yes, just import the modules & libraries you need to your program and you will be able to save a lot of time and effort to complete your program.

There are many famous modules for Python, which you can find at Python Module Index.

You can import libraries as well for your Python program: the line “from gi.repository import Gtk” imports the GTK library into the Python program, and there are many other libraries like Gdk, WebKit, etc.

Creating Advance GUI Applications

Today, we’ll create 2 programs:

  1. A simple web browser; which will use the WebKit library.
  2. A desktop recorder using the ‘avconv‘ command; which will use the ‘os’ module from Python.

I won’t explain how to drag & drop widgets in the Glade designer from now on, I will just tell you the name of the widgets that you need to create, additionally I will give you the .glade file for each program, and the Python file for sure.

Creating a Simple Web Browser

In order to create a web browser, we’ll have to use the “WebKit” engine, which is an open-source rendering engine for the web, it’s the same one which is used in Chrome/Chromium, for more info about it you may refer to the official Webkit.org website.

First, we’ll have to create the GUI, open the Glade designer and add the following widgets. For more information on how to create widgets, follow the Part 1 and Part 2 of this series (links given above).

  1. Create ‘window1’ widget.
  2. Create ‘box1’ and ‘box2’ widget.
  3. Create ‘button1’ and ‘button2’ widget.
  4. Create ‘entry1’ widget.
  5. Create ‘scrolledwindow1’ widget.

Add Widgets

After creating widgets, you will get the following interface.

Glade Interface

There’s nothing new, except the “Scrolled Window” widget; this widget is important in order to allow the WebKit engine to be embedded inside it. Using the “Scrolled Window” widget, you will also be able to scroll horizontally and vertically while you browse the websites.

You will now have to add the “backbutton_clicked” handler to the Back button’s “clicked” signal, the “refreshbutton_clicked” handler to the Refresh button’s “clicked” signal and the “enterkey_clicked” handler to the “activate” signal for the entry.

The complete .glade file for the interface is here.

<?xml version="1.0" encoding="UTF-8"?>
<!-- Generated with glade 3.16.1 -->
<interface>
  <requires lib="gtk+" version="3.10"/>
  <object class="GtkWindow" id="window1">
    <property name="can_focus">False</property>
    <property name="title" translatable="yes">Our Simple Browser</property>
    <property name="window_position">center</property>
    <property name="default_width">1000</property>
    <property name="default_height">600</property>
    <property name="icon_name">applications-internet</property>
    <child>
      <object class="GtkBox" id="box1">
        <property name="visible">True</property>
        <property name="can_focus">False</property>
        <property name="orientation">vertical</property>
        <child>
          <object class="GtkBox" id="box2">
            <property name="visible">True</property>
            <property name="can_focus">False</property>
            <child>
              <object class="GtkButton" id="button1">
                <property name="label">gtk-go-back</property>
                <property name="visible">True</property>
                <property name="can_focus">True</property>
                <property name="receives_default">True</property>
                <property name="relief">half</property>
                <property name="use_stock">True</property>
                <property name="always_show_image">True</property>
                <signal name="clicked" handler="backbutton_clicked" swapped="no"/>
              </object>
              <packing>
                <property name="expand">False</property>
                <property name="fill">True</property>
                <property name="position">0</property>
              </packing>
            </child>
            <child>
              <object class="GtkButton" id="button2">
                <property name="label">gtk-refresh</property>
                <property name="visible">True</property>
                <property name="can_focus">True</property>
                <property name="receives_default">True</property>
                <property name="relief">half</property>
                <property name="use_stock">True</property>
                <property name="always_show_image">True</property>
                <signal name="clicked" handler="refreshbutton_clicked" swapped="no"/>
              </object>
              <packing>
                <property name="expand">False</property>
                <property name="fill">True</property>
                <property name="position">1</property>
              </packing>
            </child>
            <child>
              <object class="GtkEntry" id="entry1">
                <property name="visible">True</property>
                <property name="can_focus">True</property>
                <signal name="activate" handler="enterkey_clicked" swapped="no"/>
              </object>
              <packing>
                <property name="expand">True</property>
                <property name="fill">True</property>
                <property name="position">2</property>
              </packing>
            </child>
          </object>
          <packing>
            <property name="expand">False</property>
            <property name="fill">True</property>
            <property name="position">0</property>
          </packing>
        </child>
        <child>
          <object class="GtkScrolledWindow" id="scrolledwindow1">
            <property name="visible">True</property>
            <property name="can_focus">True</property>
            <property name="hscrollbar_policy">always</property>
            <property name="shadow_type">in</property>
            <child>
              <placeholder/>
            </child>
          </object>
          <packing>
            <property name="expand">True</property>
            <property name="fill">True</property>
            <property name="position">1</property>
          </packing>
        </child>
      </object>
    </child>
  </object>
</interface>

Now copy the above code and paste it in the “ui.glade” file in your home folder. Now create a new file called “mywebbrowser.py” and enter the following code inside it, all the explanation is in the comments.

#!/usr/bin/python 
# -*- coding: utf-8 -*- 

## Here we imported both Gtk library and the WebKit engine.
## gi.require_version() pins GTK 3 so that it is loaded even if other GTK versions are installed.
import gi
gi.require_version("Gtk", "3.0")
from gi.repository import Gtk, WebKit

class Handler:

    def backbutton_clicked(self, button):
        ## When the user clicks on the Back button, the '.go_back()' method is activated, which will send the user to the previous page automatically, this method is part from the WebKit engine.
        browserholder.go_back()

    def refreshbutton_clicked(self, button):
        ## Same thing here, the '.reload()' method is activated when the 'Refresh' button is clicked.
        browserholder.reload()

    def enterkey_clicked(self, button):
        ## To load the URL automatically when the "Enter" key is hit from the keyboard while focusing on the entry box, we have to use the '.load_uri()' method and grab the URL from the entry box.
        browserholder.load_uri(urlentry.get_text())
    
## Nothing new here.. We just imported the 'ui.glade' file. 
builder = Gtk.Builder() 
builder.add_from_file("ui.glade") 
builder.connect_signals(Handler()) 

window = builder.get_object("window1") 

## Here's the new part.. We created a global object called 'browserholder' which will contain the WebKit rendering engine, and we set it to 'WebKit.WebView()' which is the default thing to do if you want to add a WebKit engine to your program. 
browserholder = WebKit.WebView() 

## To disallow editing the webpage. 
browserholder.set_editable(False) 

## The default URL to be loaded, we used the 'load_uri()' method. 
browserholder.load_uri("https://tecmint.com") 

urlentry = builder.get_object("entry1") 
urlentry.set_text("https://tecmint.com") 

## Here we imported the scrolledwindow1 object from the ui.glade file. 
scrolled_window = builder.get_object("scrolledwindow1") 

## We used the '.add()' method to add the 'browserholder' object to the scrolled window, which contains our WebKit browser. 
scrolled_window.add(browserholder) 

## And finally, we showed the 'browserholder' object using the '.show()' method. 
browserholder.show() 
 
## Give that developer a cookie ! 
window.connect("delete-event", Gtk.main_quit) 
window.show_all() 
Gtk.main()

Save the file, and run it.

$ chmod 755 mywebbrowser.py
$ ./mywebbrowser.py

And this is what you will get.

Create Own Web Browser

You may refer to the official WebKitGtk documentation in order to discover more options.
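
The enterkey_clicked handler above passes whatever is typed in the entry box straight to load_uri(), so non-web URIs such as file:// paths are handed to the engine just like web addresses. The following added example (not part of the original article) shows one way to restrict the entry to http and https before loading; normalize_url and safe_load are hypothetical helper names, and the view argument is any object with a load_uri() method, such as the article's browserholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = ("http", "https")

# Matches "scheme:" that is not followed by a port number, e.g. "javascript:..."
# or "file:/...", but not "localhost:8080/..." (host and port without a scheme).
SCHEME_WITHOUT_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:(?![0-9]+(?:[/?#]|$))")


def normalize_url(text, default_scheme="https"):
    """Return a normalized http(s) URL for the typed text, or None to refuse it."""
    candidate = text.strip()
    # Refuse empty input and anything containing whitespace or control characters.
    if not candidate or any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F
                            for ch in candidate):
        return None
    if "://" not in candidate:
        if SCHEME_WITHOUT_AUTHORITY.match(candidate):
            return None  # e.g. javascript:, data:, file:/path, about:
        candidate = default_scheme + "://" + candidate  # bare "tecmint.com"
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    # Refuse embedded credentials ("https://trusted.example@other.example/"),
    # which make the real host easy to misread.
    if parts.username is not None or parts.password is not None:
        return None
    host = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    netloc = host if port is None else "%s:%d" % (host, port)
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def safe_load(view, entry_text):
    """Load entry_text into view only if it normalizes to an http(s) URL.

    Returns the URL that was loaded, or None if the input was refused.
    """
    url = normalize_url(entry_text)
    if url is not None:
        view.load_uri(url)
    return url


# In the article's Handler class this would replace the direct load_uri() call:
#     def enterkey_clicked(self, button):
#         safe_load(browserholder, urlentry.get_text())
```

This only filters what the user types; pages that are already loaded can still navigate or redirect on their own.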

Creating a Simple Desktop Recorder

In this section, we’ll learn how to run local system commands or shell scripts from the Python file using the ‘os‘ module, which will help us to create a simple screen recorder for the desktop using the ‘avconv‘ command.

Open the Glade designer, and create the following widgets:

  1. Create ‘window1’ widget.
  2. Create ‘box1’ widget.
  3. Create ‘button1’, ‘button2’ and ‘button3’ widgets.
  4. Create ‘entry1’ widget.

Create Widgets


After creating the widgets listed above, you will get the interface below.

Glade UI Interface


Here’s the complete ui.glade file.

<?xml version="1.0" encoding="UTF-8"?> 
<!-- Generated with glade 3.16.1 --> 
<interface> 
  <requires lib="gtk+" version="3.10"/> 
  <object class="GtkWindow" id="window1"> 
    <property name="can_focus">False</property> 
    <property name="title" translatable="yes">Our Simple Recorder</property> 
    <property name="window_position">center</property> 
    <property name="default_width">300</property> 
    <property name="default_height">30</property> 
    <property name="icon_name">applications-multimedia</property> 
    <child> 
      <object class="GtkBox" id="box1"> 
        <property name="visible">True</property> 
        <property name="can_focus">False</property> 
        <child> 
          <object class="GtkEntry" id="entry1"> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">0</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button1"> 
            <property name="label">gtk-media-record</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
            <property name="always_show_image">True</property> 
            <signal name="clicked" handler="recordbutton" swapped="no"/> 
          </object> 
          <packing> 
            <property name="expand">True</property> 
            <property name="fill">True</property> 
            <property name="position">1</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button2"> 
            <property name="label">gtk-media-stop</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
            <property name="always_show_image">True</property> 
            <signal name="clicked" handler="stopbutton" swapped="no"/> 
          </object> 
          <packing> 
            <property name="expand">True</property> 
            <property name="fill">True</property> 
            <property name="position">2</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button3"> 
            <property name="label">gtk-media-play</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
            <property name="always_show_image">True</property> 
            <signal name="clicked" handler="playbutton" swapped="no"/> 
          </object> 
          <packing> 
            <property name="expand">True</property> 
            <property name="fill">True</property> 
            <property name="position">3</property> 
          </packing> 
        </child> 
      </object> 
    </child> 
  </object> 
</interface>

As usual, copy the above code and paste it in the file “ui.glade” in your home directory, create a new “myrecorder.py” file and enter the following code inside it (Every new line is explained in the comments).

#!/usr/bin/python 
# -*- coding: utf-8 -*- 

## Here we imported both Gtk library and the os module. 
from gi.repository import Gtk 
import os 
        
class Handler: 
  def recordbutton(self, button): 
    ## We defined a variable: 'filepathandname', we assigned the '$HOME' environment variable to it + "/" + the file name from the text entry box. 
    filepathandname = os.environ["HOME"] + "/" + entry.get_text() 
    
    ## Here we exported the 'filepathandname' variable from Python to the 'filename' variable in the shell. 
    os.environ["filename"] = filepathandname 
    
    ## Using 'os.system(COMMAND)' we can execute any shell command or shell script, here we executed the 'avconv' command to record the desktop video & audio. "$filename" is quoted so that a file name containing spaces stays a single argument. 
    os.system("avconv -f x11grab -r 25 -s `xdpyinfo | grep 'dimensions:'|awk '{print $2}'` -i :0.0 -vcodec libx264 -threads 4 \"$filename\" -y & ") 
    
    
  def stopbutton(self, button): 
    ## Run the 'killall avconv' command when the stop button is clicked. 
    os.system("killall avconv") 
    
  def playbutton(self, button): 
  ## Run the 'avplay' command in the shell to play the recorded file when the play button is clicked. 
    os.system("avplay \"$filename\" &") 
    
    
## Nothing new here.. We just imported the 'ui.glade' file. 
builder = Gtk.Builder() 
builder.add_from_file("ui.glade") 
builder.connect_signals(Handler()) 

window = builder.get_object("window1") 
entry = builder.get_object("entry1") 
entry.set_text("myrecording-file.avi") 

## Give that developer a cookie ! 
window.connect("delete-event", Gtk.main_quit) 
window.show_all() 
Gtk.main()

Now run the file by applying the following commands in the terminal.

$ chmod 755 myrecorder.py
$ ./myrecorder.py

And you got your first desktop recorder.

Create Desktop Recorder


You can find more information about the ‘os‘ module at Python OS Library.
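
The handlers above hand the text from the entry box to a shell command line and stop recording with 'killall avconv', which signals every avconv process the user owns. The following is an added example, not part of the original tutorial: it validates the typed name, starts avconv from an argument list without a shell, and stops only the child it started. The names resolve_output_path, parse_dimensions, current_geometry, build_record_argv and Recorder, and the extension allow-list, are hypothetical choices made for this example.

```python
import os
import re
import subprocess

# Hypothetical policy for this example: containers the recorder may write.
ALLOWED_EXTENSIONS = (".avi", ".mkv", ".mp4")

# Constructed sample of the xdpyinfo output the tutorial filters with grep/awk.
SAMPLE_XDPYINFO = (
    "screen #0:\n"
    "  dimensions:    1920x1080 pixels (508x285 millimeters)\n"
    "  resolution:    96x96 dots per inch\n"
)


def resolve_output_path(home, entry_text):
    """Map the text typed in the entry box to a file directly inside `home`."""
    name = entry_text.strip()
    if not name or "\x00" in name:
        raise ValueError("empty or malformed file name")
    if "/" in name or name in (".", ".."):
        raise ValueError("only a bare file name is accepted")
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        raise ValueError("unexpected file extension")
    home_real = os.path.realpath(home)
    # realpath follows symlinks, so a link in the home directory that points
    # somewhere else is refused instead of being written through by 'avconv -y'.
    target = os.path.realpath(os.path.join(home_real, name))
    if os.path.dirname(target) != home_real:
        raise ValueError("target resolves outside the home directory")
    return target


def parse_dimensions(xdpyinfo_output):
    """Return 'WIDTHxHEIGHT' from xdpyinfo output, or raise ValueError."""
    match = re.search(r"^\s*dimensions:\s+(\d{1,5}x\d{1,5})\s+pixels",
                      xdpyinfo_output, re.MULTILINE)
    if match is None:
        raise ValueError("no screen dimensions in xdpyinfo output")
    return match.group(1)


def current_geometry():
    """Ask the X server for the screen size without a shell pipeline."""
    result = subprocess.run(["xdpyinfo"], capture_output=True, text=True, check=True)
    return parse_dimensions(result.stdout)


def build_record_argv(output_path, geometry, display=":0.0"):
    """Same avconv options as the tutorial, as a list: one element per argument."""
    return ["avconv", "-f", "x11grab", "-r", "25", "-s", geometry,
            "-i", display, "-vcodec", "libx264", "-threads", "4",
            "-y", output_path]


class Recorder:
    """Keeps the handle of the one child process this program started."""

    def __init__(self):
        self._proc = None

    def start(self, argv):
        if self._proc is not None and self._proc.poll() is None:
            raise RuntimeError("a recording is already running")
        # A list with the default shell=False reaches exec() unchanged, so
        # spaces, ';' or '$' in the file name are never parsed by a shell.
        self._proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL)
        return self._proc.pid

    def stop(self, timeout=5):
        """Terminate our own child only; return its exit status or None."""
        if self._proc is None:
            return None
        if self._proc.poll() is None:
            self._proc.terminate()  # SIGTERM to this one process
            try:
                self._proc.wait(timeout=timeout)
            except subprocess.TimeoutExpired:
                self._proc.kill()
                self._proc.wait()
        code = self._proc.returncode
        self._proc = None
        return code


if __name__ == "__main__":
    path = resolve_output_path(os.environ["HOME"], "myrecording-file.avi")
    print(build_record_argv(path, parse_dimensions(SAMPLE_XDPYINFO)))
```

In the Handler class, recordbutton would pass build_record_argv(resolve_output_path(...), current_geometry()) to Recorder.start(), and stopbutton would call Recorder.stop().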

And that’s it, creating applications for the Linux desktop isn’t hard using PyGObject, you just have to create the GUI, import some modules and link the Python file with the GUI, nothing more, nothing less. There are many useful tutorials about doing this in the PyGObject website:

Have you tried creating applications using PyGObject? What do you think about doing so? What applications have you developed before?

Package PyGObject Applications and Programs as “.deb” Package for the Linux Desktop – Part 4

We continue the PyGObject programming series with you on the Linux desktop, in the 4th part of the series we’ll explain how to package the programs and applications that we created for the Linux desktop using PyGObject as a Debian package.

Packaging Applications as Deb Package


Debian packages (.deb) are the most used format to install programs under Linux, the “dpkg” system which deals with .deb packages is the default on all Debian-based Linux distributions like Ubuntu and Linux Mint. That’s why we’ll be only explaining how to package our programs for Debian.

Create a Debian Package from your PyGObject Applications

First, you should have some basic knowledge about creating Debian packages, this following guide will help you a lot.

  1. Introduction to Debian Packaging

In brief, if you have a project called “myprogram” it must contain the following files and folders so that you can package it.

Create Deb Package


  1. debian (Folder): This folder includes all information about the Debian package, divided into many sub-files.
  2. po (Folder): The po folder includes the translation files for the program (We’ll explain it in part 5).
  3. myprogram (File): This is the Python file we created using PyGObject, it’s the main file of the project.
  4. ui.glade (File): The graphical user interface file. If you created the application’s interface using Glade, you must include this file in your project.
  5. myprogram.desktop (File): This is the file responsible for showing the application in the applications menu.
  6. setup.py (File): This file is responsible for installing any Python program into the local system, it’s very important in any Python program, it has many other ways of usage as well.

Of course.. There are many other files and folders that you can include in your project (in fact you can include anything you want) but those are the basic ones.

Now, let’s start packaging a project. Create a new folder called “myprogram”, create a file called “myprogram” and add the following code to it.

#!/usr/bin/python 
# -*- coding: utf-8 -*- 

## Replace your name and email. 
# My Name <myemail@email.com> 

## Here you must add the license of the file, replace "MyProgram" with your program name. 
# License: 
#    MyProgram is free software: you can redistribute it and/or modify 
#    it under the terms of the GNU General Public License as published by 
#    the Free Software Foundation, either version 3 of the License, or 
#    (at your option) any later version. 
# 
#    MyProgram is distributed in the hope that it will be useful, 
#    but WITHOUT ANY WARRANTY; without even the implied warranty of 
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
#    GNU General Public License for more details. 
# 
#    You should have received a copy of the GNU General Public License 
#    along with MyProgram.  If not, see <http://www.gnu.org/licenses/>. 

from gi.repository import Gtk 
import os 

class Handler: 
  
  def openterminal(self, button): 
    ## When the user clicks on the first button, the terminal will be opened. 
    os.system("x-terminal-emulator ") 
  
  def closeprogram(self, button): 
    Gtk.main_quit() 
    
# Nothing new here.. We just imported the 'ui.glade' file. 
builder = Gtk.Builder() 
builder.add_from_file("/usr/lib/myprogram/ui.glade") 
builder.connect_signals(Handler()) 
window = builder.get_object("window1") 
window.connect("delete-event", Gtk.main_quit) 
window.show_all() 
Gtk.main()

Create a ui.glade file and fill it up with this code.

<?xml version="1.0" encoding="UTF-8"?> 
<!-- Generated with glade 3.16.1 --> 
<interface> 
  <requires lib="gtk+" version="3.10"/> 
  <object class="GtkWindow" id="window1"> 
    <property name="can_focus">False</property> 
    <property name="title" translatable="yes">My Program</property> 
    <property name="window_position">center</property> 
    <property name="icon_name">applications-utilities</property> 
    <property name="gravity">center</property> 
    <child> 
      <object class="GtkBox" id="box1"> 
        <property name="visible">True</property> 
        <property name="can_focus">False</property> 
        <property name="margin_left">5</property> 
        <property name="margin_right">5</property> 
        <property name="margin_top">5</property> 
        <property name="margin_bottom">5</property> 
        <property name="orientation">vertical</property> 
        <property name="homogeneous">True</property> 
        <child> 
          <object class="GtkLabel" id="label1"> 
            <property name="visible">True</property> 
            <property name="can_focus">False</property> 
            <property name="label" translatable="yes">Welcome to this Test Program !</property> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">0</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button2"> 
            <property name="label" translatable="yes">Click on me to open the Terminal</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <signal name="clicked" handler="openterminal" swapped="no"/> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">1</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button3"> 
            <property name="label">gtk-preferences</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">2</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button4"> 
            <property name="label">gtk-about</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">3</property> 
          </packing> 
        </child> 
        <child> 
          <object class="GtkButton" id="button1"> 
            <property name="label">gtk-close</property> 
            <property name="visible">True</property> 
            <property name="can_focus">True</property> 
            <property name="receives_default">True</property> 
            <property name="use_stock">True</property> 
            <signal name="clicked" handler="closeprogram" swapped="no"/> 
          </object> 
          <packing> 
            <property name="expand">False</property> 
            <property name="fill">True</property> 
            <property name="position">4</property> 
          </packing> 
        </child> 
      </object> 
    </child> 
  </object> 
</interface>

There’s nothing new until now.. We just created a Python file and its interface file. Now create a “setup.py” file in the same folder, and add the following code to it, every line is explained in the comments.

# Here we imported the 'setup' module which allows us to install Python scripts to the local system beside performing some other tasks, you can find the documentation here: https://docs.python.org/2/distutils/apiref.html 
from distutils.core import setup 

setup(name = "myprogram", # Name of the program. 
      version = "1.0", # Version of the program. 
      description = "An easy-to-use web interface to create & share pastes easily", # You don't need any help here. 
      author = "TecMint", # Nor here. 
      author_email = "myemail@mail.com",# Nor here :D 
      url = "http://example.com", # If you have a website for you program.. put it here. 
      license='GPLv3', # The license of the program. 
      scripts=['myprogram'], # This is the name of the main Python script file, in our case it's "myprogram", it's the file that we added under the "myprogram" folder. 

# Here you can choose where do you want to install your files on the local system, the "myprogram" file will be automatically installed in its correct place later, so you have only to choose where do you want to install the optional files that you shape with the Python script 
      data_files = [ ("lib/myprogram", ["ui.glade"]), # This is going to install the "ui.glade" file under the /usr/lib/myprogram path. 
                     ("share/applications", ["myprogram.desktop"]) ] ) # And this is going to install the .desktop file under the /usr/share/applications folder, all the folder are automatically installed under the /usr folder in your root partition, you don't need to add "/usr/ to the path. 

Now create a “myprogram.desktop” file in the same folder, and add the following code, it’s explained as well in the comments.

# This is the .desktop file, this file is the responsible file about showing your application in the applications menu in any desktop interface, it's important to add this file to your project, you can view more details about this file from here: https://developer.gnome.org/integration-guide/stable/desktop-files.html.en 
[Desktop Entry] 
# The default name of the program. 
Name=My Program 
# The name of the program in the Arabic language, this name will be used to display the application under the applications menu when the default language of the system is Arabic, use the languages codes to change the name for each language. 
Name[ar]=برنامجي 
# Description of the file. 
Comment=A simple test program developed by me. 
# Description of the file in Arabic. 
Comment[ar]=برنامج تجريبي بسيط تم تطويره بواسطتي. 
# The command that's going to be executed when the application is launched from the applications menu, you can enter the name of the Python script or the full path if you want like /usr/bin/myprogram 
Exec=myprogram 
# Do you want to run your program from the terminal? 
Terminal=false 
# Leave this like that. 
Type=Application 
# Enter the name of the icon you want to use for the application, you can enter a path for the icon as well like /usr/share/pixmaps/icon.png but make sure to include the icon.png file in your project folder first and in the setup.py file as well. Here we'll use the "system" icon for now. 
Icon=system 
# The category of the file, you can view the available categories from the freedesktop website.
Categories=GNOME;GTK;Utility; 
StartupNotify=false 

We’re almost done here now.. We just have to create some small files under the “debian” folder in order to provide information about our package for the “dpkg” system.

Open the “debian” folder, and create the following files.

control
compat
changelog
rules

Project Files For Deb Package


control: This file provides the basic information about the Debian package, for more details, please visit Debian Package Control Fields.

Source: myprogram
Maintainer: My Name <myemail@email.com> 
Section: utils 
Priority: optional 
Standards-Version: 3.9.2 
Build-Depends: debhelper (>= 9), python2.7 

Package: myprogram 
Architecture: all 
Depends: python-gi 
Description: My Program 
 Here you can add a short description about your program.

compat: This is just an important file for the dpkg system, it just includes the magical 9 number, leave it like that.

9

changelog: Here you’ll be able to add the changes you do on your program, for more information, please visit Debian Package Changelog Source.

myprogram (1.0) trusty; urgency=medium 

  * Add the new features here. 
  * Continue adding new changes here. 
  * And here. 

 -- My Name Here <myemail@mail.com>  Sat, 27 Dec 2014 21:36:33 +0200

rules: This file is responsible for running the installation process on the local machine to install the package, you can view more information about this file from here: Debian Package Default Rules.

Though you won’t need anything more for your Python program.

#!/usr/bin/make -f 
# This file is responsible for running the installation process on the local machine to install the package, you can view more information about this file from here: https://www.debian.org/doc/manuals/maint-guide/dreq.en.html#defaultrules Though you won't need anything more for your Python program. The indented command lines below must start with a tab character, not spaces. 
%: 
	dh $@ 
# This is going to run the setup.py file to install the program as a Python script on the system, it's also going to install the "myprogram" script under /usr/bin/ using the --install-scripts option, DON'T FORGET TO REPLACE "myprogram" WITH YOUR PROGRAM NAME. 
override_dh_auto_install: 
	python setup.py install --root=debian/myprogram --install-layout=deb --install-scripts=/usr/bin/ 
override_dh_auto_build:

Now that we have created all the necessary files for our program successfully, let’s start packaging it. First, make sure that you have installed some dependencies for the build process before you start.

$ sudo apt-get update
$ sudo apt-get install devscripts

Now imagine that the “myprogram” folder is in your home folder (/home/user/myprogram) in order to package it as a Debian package, run the following commands.

$ cd /home/user/myprogram
$ debuild -us -uc

Sample Output

hanny@hanny-HP-Pavilion-15-Notebook-PC:~/Projects/myprogram$ debuild -us -uc
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: source package myprogram
dpkg-buildpackage: source version 1.0
dpkg-buildpackage: source distribution trusty
dpkg-buildpackage: source changed by My Name Here <myemail@email.com>
dpkg-source --before-build myprogram
dpkg-buildpackage: host architecture i386
fakeroot debian/rules clean
dh clean
dh_testdir
dh_auto_clean
....
.....
Finished running lintian.

And that’s it ! Your Debian package was created successfully:

Created Debian Package


In order to install it on any Debian-based distribution, run.

$ sudo dpkg -i myprogram_1.0_all.deb

Don’t forget to replace the file name above with the name of your package. After you install the package, you can run the program from the applications menu.

Run Program


And it will work..

First Packaged Program


Here ends the 4th part of our series about PyGObject.. In the next lesson we’ll explain how to localize the PyGObject application easily, till then stay tuned for it…

Translating PyGObject Applications into Different Languages – Part 5

We continue the PyGObject programming series with you and here in this 5th part, we’ll learn how to translate our PyGObject applications into different languages. Translating your applications is important if you’re going to publish it for the world, it’ll be more user friendly for end-users because not everybody understands English.

Translating PyGObject Application Language


How the Translation Process Works

We can summarize the steps of translating any program under the Linux desktop using these steps:

  1. Extract the translatable strings from the Python file.
  2. Save the strings into a .pot file, which is a format that allows you to translate them later to other languages.
  3. Start translating the strings.
  4. Export the new translated strings into a .po file which will be automatically used when system language is changed.
  5. Add some small programmatic changes to the main Python file and the .desktop file.

And that’s it! After doing these steps your application will be ready for use by end-users from all around the globe (well.. you have to translate your program to all languages around the globe, though!). Sounds easy, doesn’t it? 🙂

First, to save some time, download the project files from below link and extract the file in your home directory.

  1. https://copy.com/TjyZAaNgeQ6BB7yn

Open the “setup.py” file and notice the changes that we did:

Translation Code


# Here we imported the 'setup' module which allows us to install Python scripts to the local system beside performing some other tasks, you can find the documentation here: https://docs.python.org/2/distutils/apiref.html
from distutils.core import setup

# Those modules will help us in creating the translation files for the program automatically.
from subprocess import call
from glob import glob
from os.path import splitext, split

# DON'T FORGET TO REPLACE 'myprogram' WITH THE NAME OF YOUR PROGRAM IN EVERY FILE IN THIS PROJECT.

data_files = [ ("lib/myprogram", ["ui.glade"]), # This is going to install the "ui.glade" file under the /usr/lib/myprogram path.
                     ("share/applications", ["myprogram.desktop"]) ] 

# This code does everything needed for creating the translation files, first it will look for all the .po files inside the po folder, then it will define the default path for where to install the translation files (.mo) on the local system, then it's going to create the directory on the local system for the translation files of our program and finally it's going to convert all the .po files into .mo files using the "msgfmt" command. The commands are passed as argument lists (no shell=True), so the name of a .po file is never interpreted by a shell.
po_files = glob("po/*.po")
for po_file in po_files:
  lang = splitext(split(po_file)[1])[0]
  mo_path = "locale/{}/LC_MESSAGES/myprogram.mo".format(lang)
# Make locale directories
  call(["mkdir", "-p", "locale/{}/LC_MESSAGES/".format(lang)])
# Generate mo files
  call(["msgfmt", po_file, "-o", mo_path])

# Here, the installer will automatically add the .mo files to the data files to install them later. This runs once, after the loop, so each .mo file is listed only once.
locales = map(lambda i: ('share/'+i, [i+'/myprogram.mo', ]), glob('locale/*/LC_MESSAGES'))
data_files.extend(locales)

setup(name = "myprogram", # Name of the program.
      version = "1.0", # Version of the program.
      description = "An easy-to-use web interface to create & share pastes easily", # You don't need any help here.
      author = "TecMint", # Nor here.
      author_email = "myemail@mail.com",# Nor here :D
      url = "http://example.com", # If you have a website for you program.. put it here.
      license='GPLv3', # The license of the program.
      scripts=['myprogram'], # This is the name of the main Python script file, in our case it's "myprogram", it's the file that we added under the "myprogram" folder.

# Here you can choose where do you want to install your files on the local system, the "myprogram" file will be automatically installed in its correct place later, so you have only to choose where do you want to install the optional files that you shape with the Python script
      data_files=data_files) # And this is going to install the .desktop file under the /usr/share/applications folder, all the folder are automatically installed under the /usr folder in your root partition, you don't need to add "/usr/ to the path.

Also open the “myprogram” file and see the programmatic changes that we did, all the changes are explained in the comments:

#!/usr/bin/python 
# -*- coding: utf-8 -*- 

## Replace your name and email.
# My Name <myemail@email.com>

## Here you must add the license of the file, replace "MyProgram" with your program name.
# License:
#    MyProgram is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    MyProgram is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with MyProgram.  If not, see <http://www.gnu.org/licenses/>.

from gi.repository import Gtk 
import os, gettext, locale

## This is the programmatic change that you need to add to the Python file, just replace "myprogram" with the name of your program. The "locale" and "gettext" modules will take care about the rest of the operation.
locale.setlocale(locale.LC_ALL, '')
gettext.bindtextdomain('myprogram', '/usr/share/locale')
gettext.textdomain('myprogram')
_ = gettext.gettext
gettext.install("myprogram", "/usr/share/locale")

class Handler: 
  
  def openterminal(self, button): 
    ## When the user clicks on the first button, the terminal will be opened.
    os.system("x-terminal-emulator ")
  
  def closeprogram(self, button):
    Gtk.main_quit()
    
# Nothing new here.. We just imported the 'ui.glade' file. 
builder = Gtk.Builder() 
builder.add_from_file("/usr/lib/myprogram/ui.glade") 
builder.connect_signals(Handler()) 

label = builder.get_object("label1")
# Here's another small change: instead of setting the text to ("Welcome to my Test program!") we must add a "_" char before it so that the scripts responsible for the translation process recognize it as a translatable string.
label.set_text(_("Welcome to my Test program !"))

button = builder.get_object("button2")
# And here's the same thing.. You must do this for all the texts in your program, otherwise they won't be translated.
button.set_label(_("Click on me to open the Terminal"))


window = builder.get_object("window1") 
window.connect("delete-event", Gtk.main_quit)
window.show_all() 
Gtk.main()

Now.. Let’s start translating our program. First create the .pot file (a file that contains all the translatable strings in the program) so that you can start translating using the following command:

$ cd myprogram
$ xgettext --language=Python --keyword=_ -o po/myprogram.pot myprogram

This is going to create the “myprogram.pot” file inside the “po” folder in the main project folder which contains the following code:

# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2014-12-29 21:28+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"

#: myprogram:48
msgid "Welcome to my Test program !"
msgstr ""

#: myprogram:52
msgid "Click on me to open the Terminal"
msgstr ""

Now in order to start translating the strings.. Create a separated file for each language that you want to translate your program to using the “ISO-639-1” languages codes inside the “po” folder, for example, if you want to translate your program to Arabic, create a file called “ar.po” and copy the contents from the “myprogram.pot” file to it.

If you want to translate your program to German, create a “de.po” file and copy the contents from the “myprogram.pot” file to it.. and so on, you must create a file for each language that you want to translate your program to.

Now, we’ll work on the “ar.po” file, copy the contents from the “myprogram.pot” file and put it inside that file and edit the following:

  1. SOME DESCRIPTIVE TITLE: you can enter the title of your project here if you want.
  2. YEAR THE PACKAGE’S COPYRIGHT HOLDER: replace it with the year that you’ve created the project.
  3. PACKAGE: replace it with the name of the package.
  4. FIRST AUTHOR <EMAIL@ADDRESS>, YEAR: replace this with your real name, Email and the year that you translated the file.
  5. PACKAGE VERSION: replace it with the package version from the debian/control file.
  6. YEAR-MO-DA HO:MI+ZONE: doesn’t need explanation, you can change it to any date you want.
  7. FULL NAME <EMAIL@ADDRESS>: also replace it with your name and Email.
  8. Language-Team: replace it with the name of the language that you’re translating to, for example “Arabic” or “French”.
  9. Language: here, you must insert the ISO-639-1 code for the language that you’re translating to, for example “ar”, “fr”, “de”..etc, you can find a complete list here.
  10. CHARSET: this step is important, replace this string with “UTF-8” (without the quotes) which supports most languages.

Now start translating! Add your translation for each string after the quotes in “msgstr”. Save the file and exit. A good translation file for the Arabic language as an example should look like this:

# My Program
# Copyright (C) 2014
# This file is distributed under the same license as the myprogram package.
# Hanny Helal <youremail@mail.com>, 2014.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: 1.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2014-12-29 21:28+0200\n"
"PO-Revision-Date: 2014-12-29 22:28+0200\n"
"Last-Translator: M.Hanny Sabbagh <hannysabbagh@hotmail.com>\n"
"Language-Team: Arabic <LL@li.org>\n"
"Language: ar\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#: myprogram:48
msgid "Welcome to my Test program !"
msgstr "أهلًا بك إلى برنامجي الاختباري!"

#: myprogram:52
msgid "Click on me to open the Terminal"
msgstr "اضغط عليّ لفتح الطرفية"

There’s nothing more to do, just package the program using the following command:

$ debuild -us -uc

Now try to install the newly created package using the following command.

$ sudo dpkg -i myprogram_1.0_all.deb

And change the system language to Arabic (or the language that you’ve translated your file to) using the “Language Support” program or any other program:

Language Support

After selecting, your program will be translated to Arabic language.

Translated to Arabic

Here ends our series about PyGObject programming for the Linux desktop. Of course, there are many other things that you can learn from the official documentation and the Python GI API reference.

What do you think about the series? Do you find it useful? Were you able to create your first application by following this series? Share your thoughts with us!

How to Install RedHat Enterprise Virtualization (RHEV) 3.5

In this series we are discussing RHEV3.5 administration topics. RHEV is the RedHat Enterprise Virtualization solution, which is based on oVirt project [open-source Virtualization project].

Red Hat Enterprise Virtualization is a complete virtualization management solution for virtualized servers and desktops.

This series will discuss (How to) administration topics including the RHCVA exam objectives.

Part 1: How to Install RedHat Enterprise Virtualization (RHEV) 3.5
Part 7: How to Manage RedHat Enterprise Virtualization Environment Users and Groups

In our first article, we discuss the RHEV environment and its basic deployment. RHEV consists of two main components: the hypervisor and the management system.

RHEV-H is the hypervisor of the RHEV platform. It is a bare-metal hypervisor used to host virtual machines, and it is based on KVM and RHEL.

RHEVM is the management system of the environment, which controls the environment’s hypervisors. It’s also used to create, migrate, modify and control the virtual machines hosted by the hypervisors, along with many other tasks that will be discussed later.

RHEV3.5 Features

  1. Open source solution based on the Red Hat Enterprise Linux kernel with the Kernel-based Virtual Machine (KVM) hypervisor technology.
  2. Supported limit of up to 160 logical CPUs and 4TB per host and up to 160 vCPU and 4TB vRAM per virtual machine.
  3. OpenStack integration.
  4. Support for daily operations like offline migration, high availability, clustering, etc.

For more features and details read: RedHat Enterprise Virtualization Guide

Prerequisites

During our series, we will work on two nodes ‘hypervisors’ and ‘hosts’ with one manager and one iscsi storage node. In the future we will add one IPA and DNS server to our environment.

For deployment scenarios we have two:

  1. Physical Deployment – Real environment, so you will need at least three or physical machines.
  2. Virtual deployment – Test labs/environment, so you will need one physical machine with high resources, e.g. an i3 or i5 processor with 8G or 12G of RAM, in addition to virtualization software, e.g. VMware Workstation.

In this series we are working on the second scenario:

Physical Host OS : Fedora 21 x86_64 with kernel 3.18.9-200
RHEV-M  machine OS : RHEL6.6 x86_64
RHEV-H  machines hypervisor : RHEV-H 6.6 
Virtualization software : Vmware workstation 11
Virtual Network interface : vmnet3
Network : 11.0.0.0/24
Physical Host IP : 11.0.0.1
RHEV-M machine : 11.0.0.3

RedHat Enterprise Virtualization Diagram

In future articles, we will add additional components like storage nodes and an IPA server, so make your environment as scalable as possible.

For the RHEV-M machine, take care of these prerequisites:

  1. RHEL/CentOS6.6 x86_64 new minimal installation [Clean installation].
  2. Make sure your system is up-to-date.
  3. Static IP for your network configuration.
  4. A host-name in the form machine.domain.com.
  5. Update your local /etc/hosts file with host-name and IP [Make sure the host-name is resolvable].
  6. The minimum requirement is 4G for memory and 25GB for hard disk.
  7. Mozilla Firefox 37 is the recommended browser for accessing the web user interface (WUI).

Installation of RedHat Enterprise Virtualization Manager 3.5

1. To get access to RHEV packages and updates, you should get a free 60-day trial subscription from the official Red Hat site using a corporate mail address from here:

  1. RedHat Enterprise Virtualization 60-Day Evaluation

Note: After the 60 days your environment will keep working fine, but you will not be able to update your system if new updates are released.

2. Then register your machine to the Red Hat channels. The steps are explained here.

  1. Register RHEV Machine to RHN

3. Let’s install the rhevm package and its dependencies using the yum command.

[root@rhevm ~]# yum install rhevm

4. Now it’s time to configure rhevm by running the “engine-setup” command, which checks the status of rhevm and any available updates while asking a series of questions.

The questions can be grouped into these main sections:

  1. Product Options
  2. Packages
  3. Network Configuration
  4. DataBase Configuration
  5. oVirt Engine Configuration
  6. PKI Configuration
  7. Apache Configuration
  8. System Configuration
  9. Configuration Preview

Hint: Suggested configuration defaults are provided in square brackets; if the suggested value is acceptable for a given step, press Enter to accept that value.

To run the command:

[root@rhevm ~]# engine-setup

Product Options

The first thing you will be asked is whether to install and configure the engine on the same host. For our tutorial, keep the default value (Yes). If you want WebSocket Proxy to be configured on your machine, keep the default value (yes).

Product Options

Packages

The script checks whether any updates are available for the packages linked to the Manager. No user input is required at this stage.

Package Updates

Network Configuration

Let the script configure your iptables firewall automatically. For now we won’t use DNS, so make sure that your host-name is a fully qualified name by updating /etc/hosts as we did previously.

Network Configuration

Database Configuration

The default database for RHEV3.5 is PostgreSQL. You have the option to configure it on the same machine or remotely. For our tutorial we will use the local one and let the script configure it automatically.

Database Configuration

Ovirt Configuration

In this section you will provide the admin password and the application mode for your environment.

Ovirt Configuration

PKI Configuration

RHEVM uses certificates to communicate securely with its hosts. You provide the organization name for the certificate.

PKI Configuration

Apache Configuration

For the RHEVM web user interface, the manager needs the Apache web-server to be installed and configured. Let’s make setup configure it automatically.

Apache Configuration

System configuration

The RHEV environment has an ISO library in which you can store many OS ISOs. This ISO library is also called the ISO domain. The domain is a network shared path, usually shared by NFS. This domain/path will be on the same RHEVM machine, so you could create it manually or let the script configure it automatically.

System Configuration

Configuration Review

In this section you will review all previous configuration and confirm if everything is OK.

Configuration Review

Summary

This is the last stage, which shows additional information about how to access the admin panel and start the services.

Summary

Hint: A warning may appear if the memory used is lower than the minimum requirement. For a test environment it’s not very important, just carry on.

To access RHEVM web user interface:

http://$your-ip/ovirt-engine

RedHat Enterprise Virtualization Manager

Then select Administrator Portal and provide your credentials Username:admin and the password you entered during the installation. Click Login.

RedHat Enterprise Virtualization Administrator Portal

This is the administration portal which will be discussed later. You will notice that hosts tab is empty as we didn’t add any host/hypervisor to our environment yet.

Administrator Dashboard

Conclusion

This is the first article in our RHEV3.5 administration series. We introduced the solution, its features and its main components, then we installed RHEV-M for our RHEV environment. In the next article we will discuss RHEV-H installation and adding the hypervisors to the RHEV environment under RHEVM management.

How to Deploy RedHat Enterprise Virtualization Hypervisor (RHEV-H) – Part 2

In this second part, we are discussing the deployment of RHEVH or the Hypervisor nodes of our environment with some tips and tricks for your virtual lab or virtual environment.

Deploy RedHat Enterprise Virtualization Hypervisor

Deploy RedHat Enterprise Virtualization Hypervisor – Part 2

As we discussed before, our scenario includes two hypervisors with a separate RHEVM machine. Deploying the manager on a separate machine is more reliable than deploying it on one of the environment hosts/nodes. If you deploy it (as a virtual machine/appliance) on one of the environment nodes/hosts and for any reason this node goes down, the RHEVM machine/appliance will go down with it. In other words, we don’t want RHEVM to depend on the environment nodes, so we will deploy it on a separate machine which doesn’t belong to the DataCenter/Environment nodes.

Deploying RedHat Enterprise Virtualization Hypervisor

1. For our virtual environment, you should now have this network virtual interface “vmnet3” with this specification at VMware workstation 11.

Virtual Network Editor

2. Let’s deploy our nodes. You will need to create a normal virtual machine with some customization, as presented in the screen-shots.

Create New Machine

Select Hardware Compatibility

Select Install Source

3. In the next step, make sure the OS type is: Other, Other64-bit.

Select Guest OS Type

4. Select your suitable name and path for your virtual machine.

Set Name of OS

5. If you have more resources, increase the number of cores/processors on demand.

Processor Configuration

6. For memory, don’t choose less than 2G; we don’t want to suffer later.

Select VM Memory

7. For now, select NAT connection. It makes no difference, as we will change it later.

Select Network Type

8. It is very important to select the SAS controller.

Select I/O Controller Types

9. Choose SCSI Disk Type.

Select Disk Type

10. We will work with shared storage later, so 20 G is more than suitable.

Select Storage Capacity

Select Storage Drive

11. Before finishing, let’s make some additional modifications. Click Customize Hardware.

Customize Hardware

The first modification is for the Processor: check the two options to enable virtualization features in our processor.

Enable Virtualization

The second modification is for Network Configuration: change it to Custom and insert the path of “vmnet3”.

Network Configuration

The last modification is our Hypervisor-ISO path; then close, review and finish.

Select Hypervisor ISO Path

Virtual Machine Summary

12. Before starting your virtual machine, we should make some manual modifications in the VM configuration file. Go to the path of your virtual machine, where you will find a file with the “vmx” extension.

Virtual Machine Configuration

13. Open it with your preferred editor and add these two options at the end of the file.

vcpu.hotadd = "FALSE"
apic.xapic.enable = "FALSE"

Configure VM

Then save and go back to our virtual machine, as it’s time to start it.

Start VM

Press any button, DON’T continue with Automatic boot. This list will appear…

VM Boot Menu

Make sure you have selected the 1st line, then press “tab” to edit some options.

Change Boot Options

Remove “quiet” from booting options and Press enter to continue.

Remove Quiet Option

VM Booting

14. In the start console, check for the INFO message saying that virtualization H/W was detected and enabled. Don’t continue with anything else.

Install Hypervisor

15. Check your preferred language and continue with your local storage.

Select Language

Select Disk Storage

Hint: Use arrows keys to change and space to select and deselect options.

Selected Disk Storage

16. There is no need to change the default values of storage volumes and system portions, so keep it as defaults and make sure to review and confirm settings.

Storage Volumes

Confirm Disk Selection

17. For security reasons, the root account isn’t available directly by default. You should login with the admin account, which has full privileges, then switch to the root account. So take care of the admin password, as it’s equivalent to the root password in importance.

Mainly, the root account is needed for maintenance and troubleshooting purposes. Any configuration or customization is done by the admin account only.

Enter Login Details

Wait a few minutes until the installation finishes and then “Reboot” the system.

Hypervisor Installation

RHEV H Installation

18. After rebooting, provide admin credentials to login.

Root Login

This is the default console to manage the basic configuration of your hypervisor.

RHEV H Console

Hint: Review the status of your hypervisor and make sure it looks like the above.

19. Now, we will make three major, basic and important configurations.

  1. Network
  2. Security
  3. RHEV-M

Network:

Select Network tab [using arrows].

Network

Change your hypervisor hostname and add the DNS IP address.

Set Hostname and DNS

Hint: For our VMware workstation environment, we will provide the gateway IP address.

Next, configure Static IP for your NIC.

Configure IP Address

Then save and close, and wait a few minutes…

Network Interface Configuration

Test your connectivity with internet using ping.

Test Network Connectivity

Important: Check the connectivity between the hypervisor nodes and the manager machine using ping.

Security

Select the Security tab. By default SSH is disabled; enable it [check it using ‘space’], then save and close.

Enable SSH

Security Configuration

RHEV-M

The last and important thing is to establish the connection between the hypervisors and the manager, then register them under the manager.

RHEV-M Configuration

Because the connection uses SSL, you should compare the SSL fingerprint shown here with that of the internal CA on RHEVM.

Check RHEV-M Fingerprint

Hint: If you compare it with the one in the Install RedHat Enterprise Virtualization – Part 1 article, you will find them identical.

Then accept and close the tab, next go to status tab and review everything.

Configuring RHEV-M

RHEV-H Summary

20. Final check, using the RHEVM web interface. If you reviewed the previous article, you will recall there were no hosts under the hosts tab.

RHEV Interface

You will find the node is registered successfully and ready for admin approval to be included under a data-center.

Conclusion

We’ve discussed how to deploy our environment hypervisors and connect them to the manager. In our next article we will see how to deploy a datacenter with clusters using shared storage. One last thing: if you are working on a real environment, skip the VMware preparation section.

How to Deploy Data-Centers with Cluster and Add ISCSI Storage in RHEV Environment

In this part, we are going to discuss how to deploy a data-center with one cluster which contains our two hosts in the RHEV environment. Both hosts are connected to shared storage. In addition to the previous preparation, we will add another CentOS6.6 virtual machine that acts as a storage node.

Create Data-Centers and Cluster in RHEV

Create Data-Centers and Cluster in RHEV – Part 3

Data Center is a term that describes the RHEV environment resources, such as logical, network and storage resources.

A Data Center consists of Clusters, each of which includes a set of one or more nodes that host virtual machines and their related snapshots, templates and pools. Storage domains must be attached to a Data Center for it to work effectively in enterprise environments. Multiple data centers in the same infrastructure can be managed separately by the same RHEVM portal.

Data Center Diagram

Red Hat Enterprise Virtualization uses a centralized storage system for virtual machine disk images, ISO files and snapshots.

Storage networking can be implemented using:

  1. Network File System (NFS)
  2. GlusterFS
  3. Internet Small Computer System Interface (iSCSI)
  4. Local storage attached directly to the virtualization hosts
  5. Fibre Channel Protocol (FCP)

Setting up storage is a prerequisite for a new data center because a data center cannot be initialized unless storage domains are attached and activated. For clustering features and enterprise deployment needs, it’s recommended to deploy shared storage in your environment instead of host-based local storage.

In general, storage node will be accessible by Data Center hosts to create, store and snapshot virtual machines beside other important tasks.

Red Hat Enterprise Virtualization platform has three types of storage domains:

  1. Data Domain: used to hold the virtual hard disks and OVF files of all the virtual machines and templates in a data center. In addition, snapshots of the virtual machines are also stored in the data domain. You must attach a data domain to a data center before you can attach domains of other types to it.
  2. ISO Domain: used to store ISO files which are needed to install and boot operating systems and applications for the virtual machines.
  3. Export Domain: temporary storage repositories that are used to copy and move images between data centers in Red Hat Enterprise Virtualization environments.

In this part we are going to deploy Data Domain with following storage node specifications for our tutorial:

IP Address : 11.0.0.6
Hostname : storage.mydomain.org
Virtual Network : vmnet3
OS : CentOS6.6 x86_64 [Minimal Installation]
RAM : 512M
Number of Hard disks : 2 Disk  [1st: 10G for the entire system,  2nd : 50G to be shared by ISCSI]
Type of shared storage : ISCSI 

Note: You could change the above specs as per your environment needs.

Step 1: Creating New Data Center with Cluster of Two Nodes

By default, RHEVM creates a default data-center containing one empty cluster named Default in our RHEV environment. We will create a new one and add the two (Pending Approval) hosts under it.

Check the current data-centers, by selecting Data centers tab.

Data Centers

1. Click on New to add a new Data center to your environment. A wizard window like this will appear. Fill it as shown:

Create New Data Center

2. You will be asked to create a new cluster as a part of “Data-Center1”. Click (Configure Cluster) and fill it as shown.

Configure Cluster

Configure Cluster for Data Center

Important: Make sure that the CPU Type is the correct one and ALL nodes have the same CPU Type. You can modify any setting as per your environment needs. Some settings will be discussed in detail later.

3. Click (Configure Later) to exit the wizard.

Configure Cluster Later

4. Switch to Hosts tab to approve and add (Pending Approval) node to our environment. Select your first node and click Approve.

Add Pending Node

5. Fill the wizard that appears with the newly created “Data-Center1” and its first cluster as shown:

Configure Data Center and Cluster

Important: You may see a warning about Power Management; just skip it by clicking OK. Repeat the same steps with the second node.

If everything goes well, status should be changed from “Pending Approval” to (Installing).

Installing Data Centers

Wait another few minutes, status should be changed from “Installing” to (Up).

Data Centers Up

Also you could check which cluster and data center are assigned to the two nodes.

Step 2: Prepare ISCSI Storage for RHEV Environment

Let’s switch to the storage node to configure ISCSI storage.

6. First you need to install some needed packages to configure ISCSI target.

[root@storage ~]# yum install scsi-target-utils

7. For this tutorial we use sdb as our backing device, so we should add the below section to the configuration file targets.conf.

[root@storage ~]# vim /etc/tgt/targets.conf

Add the following lines to this file, save and close it.

<target iqn.2015-07.org.mydomain:server.target1>
    backing-store /dev/sdb
</target>

Important: Make sure that sdb is a raw device.

8. Start the tgtd service and enable it at system boot.

[root@storage ~]# service tgtd start
[root@storage ~]# chkconfig tgtd on

Important: Make sure that ports 860 and 3260 are open in the firewall, or flush the firewall rules (not recommended).

For more details about ISCSI configuration and deployment, check tecmint’s iscsi series.
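
As written, the target block above has neither an initiator-address line nor an incominguser line, so tgtd offers /dev/sdb to any initiator that can reach port 3260. The check below is an added example (not from the original article or the tgt project): it reads targets.conf syntax from stdin and reports, per target, whether an address ACL and CHAP credentials are set. The second target, the initiator addresses 11.0.0.4 and 11.0.0.5 and the CHAP user are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit tgt target definitions for missing access control.
# Reads targets.conf syntax on stdin and prints one line per <target> block:
#   OPEN     no initiator-address ACL and no CHAP (incominguser)
#   NO-ACL   CHAP only; any address may attempt a login
#   NO-CHAP  address ACL only; no credentials required
#   OK       both are configured
# Exit status is 1 if any target is not OK.

audit_tgt_targets() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        /^<target[ \t]+/ {
            name = $0
            sub(/^<target[ \t]+/, "", name)
            sub(/>.*$/, "", name)
            acl = 0; chap = 0; inside = 1
            next
        }
        /^<\/target>/ {
            if (inside) {
                if (acl && chap)  status = "OK"
                else if (acl)     status = "NO-CHAP"
                else if (chap)    status = "NO-ACL"
                else              status = "OPEN"
                if (status != "OK") bad++
                print status, name
            }
            inside = 0
            next
        }
        # "initiator-address ALL" is the same as having no ACL at all.
        inside && $1 == "initiator-address" && $2 != "" && $2 != "ALL" { acl = 1 }
        # incominguser needs both a user name and a password to take effect.
        inside && $1 == "incominguser" && NF >= 3 { chap = 1 }
        END { exit (bad > 0) }
    '
}

# Constructed sample input: the tutorial target plus a restricted variant.
sample_conf() {
    cat <<'EOF'
# Target exactly as defined in the tutorial step above.
<target iqn.2015-07.org.mydomain:server.target1>
    backing-store /dev/sdb
</target>

# Constructed variant: limited to two initiator IPs and requiring CHAP.
# The IPs, device, user name and secret are placeholders (assumptions).
<target iqn.2015-07.org.mydomain:server.target2>
    backing-store /dev/sdc
    initiator-address 11.0.0.4
    initiator-address 11.0.0.5
    incominguser rhev-initiator CHANGE-ME-12chars
</target>
EOF
}

# Demo on the constructed sample; against a live host run:
#   audit_tgt_targets < /etc/tgt/targets.conf
sample_conf | audit_tgt_targets || echo "review the targets flagged above"
```

If CHAP is enabled on the target, the same user name and secret have to be supplied when the storage domain is discovered from the hosts.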

Step 3: Add ISCSI storage Node to RHEV Environment

The Red Hat Enterprise Virtualization platform enables you to assign and manage storage using the Administration Portal’s Storage tab. The Storage results list displays all the storage domains, and the details pane shows general information about the domain.

9. Select Data-Center1 from Left tree, then select storage tab as shown.

Select Storage Tab

10. Click on New Domain to add new storage domain for our data-center1 then fill the wizard as shown.

Add New Domain to Data Center

Important: Make sure you select Storage Type “iSCSI” in the type list.

11. Then click Discover, here you will find the target name of our storage node. Click the arrow button to go on.

Target Name

12. You will find our storage is discovered. Check it then Click OK as shown, then wait a while and check our new storage domain under Storage tab.

Discovered Storage

Storage Domain

13. Review and check the size, status and attached Data Center.

Review All Settings

Conclusion

Now, our RHEV environment has an active Data Center with one cluster, which contains two active and ready nodes with active ISCSI shared storage. So, we are ready to deploy server and desktop virtual machines with virtualization features such as HA, Snapshots, Pools, etc. that will be discussed in the next articles…

How to Deploy Virtual Machines in RHEV Environment – Part 4

Our environment consists of one datacenter attached to ISCSI shared storage. This datacenter includes one cluster with two hosts/nodes which will be used to host our virtual machines.

Deploy Virtual Machines in RHEV ISO Domain

Deploy Virtual Machines in RHEV ISO Domain – Part 4

Basically, in any environment we can deploy physical/virtual machines using popular methods such as ISO/DVD, network, Kickstart and so on. Our environment is not much different, as we will use the same methods/installation types.

As a start, we discuss VM deployment using an ISO file/image. The RHEV environment is a very organized one, so it has a special domain used only for this purpose: storing the ISO files used to create virtual machines. This storage domain is called the ISO Domain.

Step 1: Deploy New ISO Domain

Actually, RHEVM creates an ISO Domain during the installation process. To check that, just navigate to the storage tab for the environment.

Confirm ISO Domains

We could use the existing one and attach it to our datacenter, but let’s create a new one for more practice.

Note: The existing one uses NFS shared storage on the rhevm machine IP:11.0.0.3. The newly created one will use NFS shared storage on our storage node IP:11.0.0.6.

1. To deploy the NFS service on our storage node:

[root@storage ~]# yum install nfs-utils -y
[root@storage ~]# chkconfig nfs on 
[root@storage ~]# service rpcbind start
[root@storage ~]# service nfs start

2. We should create a new directory to be shared using NFS.

[root@storage ~]# mkdir /ISO_Domain

3. Share the directory by adding this line to the /etc/exports file and then apply the changes.

/ISO_Domain     11.0.0.0/24(rw)
[root@storage ~]# exportfs -a

Important: Change the ownership of the directory to be with uid:36 and gid:36.

[root@storage ~]# chown 36:36 /ISO_Domain/

Note: 36 is the uid of the vdsm user “RHEVM agent” and the gid of the kvm group.

It is mandatory to make the exported directory accessible by RHEVM. Now your NFS should be ready to be attached as an ISO Domain to our environment.
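
A check for the export step above, as an added example (not from the original article): it reads exports(5) lines from stdin and flags clients that receive the share without restriction. The /srv/... paths are constructed, and the last sample line, which maps every client to uid/gid 36 with all_squash, is one possible tightening and an assumption, not a setting the tutorial uses.

```shell
#!/bin/sh
# Added example: audit exports(5) lines read from stdin, one result per client.
#   WORLD           "*" or options with no host in front of them
#   NO_ROOT_SQUASH  remote root keeps uid 0 on the share
#   INSECURE        requests from unprivileged source ports are accepted
#   OK              none of the above
# Exit status is 1 if anything other than OK was reported.

audit_exports() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }
        NF == 1 {                               # a path with no client list
            print "WORLD", $1, "(no-client-list)"
            bad++
            next
        }
        {
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\).*$/, "", opts)
                }
                opts = "," opts ","
                if (host == "" || host == "*")       finding = "WORLD"
                else if (opts ~ /,no_root_squash,/) finding = "NO_ROOT_SQUASH"
                else if (opts ~ /,insecure,/)       finding = "INSECURE"
                else                                finding = "OK"
                if (finding != "OK") bad++
                print finding, $1, $i
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample input; only the first export line is from the tutorial.
sample_exports() {
    cat <<'EOF'
# Line from the tutorial: one subnet, default root_squash applies.
/ISO_Domain     11.0.0.0/24(rw)
# Constructed: a stray space turns "(rw)" into a rule for every host.
/srv/typo       11.0.0.0/24 (rw)
# Constructed: root on any client in the subnet is root on the share.
/srv/rootok     11.0.0.0/24(rw,no_root_squash)
# Constructed tightening: every client is mapped to vdsm:kvm (36:36).
/srv/squashed   11.0.0.0/24(rw,all_squash,anonuid=36,anongid=36)
EOF
}

# Demo on the constructed sample; against a live host run:
#   audit_exports < /etc/exports
sample_exports | audit_exports || echo "review the exports flagged above"
```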

4. To create a new ISO domain with NFS type, choose Data-Center1 from the system tab, then click on New Domain from the storage tab.

Create New ISO Domain

5. Then fill the window that appears as shown:

New Domain Details

Note: Make sure the Domain function/Storage type is ISO / NFS.

Wait a moment and check again under storage tab.

Confirm New ISO Domain

Now, our ISO Domain is successfully created and attached. So, let’s upload some ISOs to it for deploying VMs.

6. Make sure you have the ISO files on your RHEVM server. We will work with two ISOs, one for Linux {CentOS_6.6} and the other for Windows {Windows_7}.

Confirm ISO Files

7. RHEVM provides a tool called (rhevm-iso-uploader). It is used to upload ISOs to ISO Domains, besides other useful tasks.

First, we will use it to list all available ISO Domains.

Check ISO Domains

Hint: The upload operation supports multiple files (separated by spaces) and wildcards.

Second, we will use it to upload ISOs to our ISO domain “ISO_Domain”.

Upload Files ISO Domain

Note: Uploading process takes some time as it depends on your network.

Hint: The ISO domain could be on the RHEVM machine; it’s recommended in some cases. Anyway, it totally depends on your environment and infrastructure needs.

8. Check the uploaded ISO’s from web interface.

Check Uploaded ISO Files

It’s time for the second section, “Virtual Machines Deployment”.

Step 2: Virtual Machines Deployment – Linux

11. Switch to Virtual Machines tab and click “New VM”.

Create New Virtual Machine

12. Then fill the window that appears as shown:

New VM Details

To modify some options like memory allocation and boot options, press “Show Advanced Options”.

13. Select “System” to modify Memory and vCPU’s.

Configure Memory CPU

14. Select Boot Options to attach our ISO image to virtual machines, then press OK.

Select Boot Options

15. Before starting your virtual machine, you should create and attach a virtual disk. So, press “Configure Virtual Disks” in the window that appears automatically.

Configure Virtual Disks

16. Then fill the next window that appears as shown and press OK.

Add Virtual Disk Details

Hint: We discussed the difference between “Pre-allocated” and “Thin Provision” previously in this article from kvm series at Manage KVM Storage Volumes and Pools – Part 3.

17. Close the window that asks about adding another virtual disk. Now, let’s check our virtual machine.

Check New Virtual Machine

Hint: You may need to install SPICE plug-in to make sure virtual machine console will work fine.

For Redhat based Distro’s
# yum install spice-xpi
For Debian based Distro’s
# apt-get install browser-plugin-spice

Then restart your Firefox browser.

18. For the first time, we will run the virtual machine using “Run once”. Just click on it and then change the order of the boot options so that the first one is CD-ROM.

Run Virtual Machines

Note: Run once is used to modify VM settings just for one run (not permanently), for testing or installation.

19. After clicking (OK), you will notice the state of the virtual machine changes to starting, then to up.

Starting Virtual Machine

Up-Virtual-Machine

20. Click on the icon to open the virtual machine’s console.

Open Virtual Machine

Basically, we have successfully created a linux-server virtual machine, which is hosted on node1 {RHEVHN1}.

Step 3: Virtual Machines Deployment – Windows

So, let’s complete the journey by deploying another virtual machine that acts as a desktop machine. We will discuss the difference between server and desktop types later. This desktop virtual machine will be Windows7.

Generally, we will repeat almost all the previous steps with some additional ones. Follow the steps as shown in the next screens:

21. Click New VM and then fill the requested information.

New Virtual Machine

Add Information about New VM

22. Create a new disk and confirm that the windows VM is created.

Add Windows Virtual Disk

Confirm Windows VM

Before continuing to the next steps, note that Windows virtual machines need some special paravirtualization drivers and tools to be installed successfully. You can find them under:

/usr/share/virtio-win/
/usr/share/rhev-guest-tools-iso/

For the ISO used in this tutorial, we need to upload these files to our ISO Domain and confirm from the web interface.

/usr/share/rhev-guest-tools-iso/RHEV-toolsSetup_3.5_9.iso
/usr/share/virtio-win/virtio-win_amd64.vfd

Upload Windows ISO

Confirm Windows ISO Files

23. Click Run once and don’t forget to attach the virtual floppy disk, then open the VM console.

Run Windows Virtual Machine

Open Windows VM Console

24. Follow the Windows instructions to complete the installation. At the disk partitioning stage, you will notice that no disks appear. Click on “Load Driver” then “Browse”.

Windows Driver Errors

Load Windows Drivers

25. Then locate the path of drivers on the virtual floppy disk and select the two drivers related to Ethernet and SCSI controller.

Browse Drivers

Install Drivers

26. Then click Next and wait some time until our 10G virtual disk appears.

Installing Drivers

Loaded Disk Drive

Complete the installation process until it finishes successfully. Once it has finished, go to the RHEVM web interface and change the attached CD.

Change CD Drive

Change CD Drive

27. Now attach the RHEV tools CD, then go back to the Windows virtual machine, where you will find the tools CD attached. Install the RHEV tools as shown.

RHEV Tools Setup

Install RHEV Tools on Windows

Follow the steps in sequence until it finishes successfully, then reboot the system.

RHEV Tools Installation

And finally, your Windows virtual machine is healthy, up and running. :)

Conclusion

In this part, we discussed the importance and deployment of the ISO Domain, then how to use it for storing ISO files that are used later to deploy virtual machines. Linux and Windows virtual machines have been deployed and are working fine. In the next part, we will discuss the importance and tasks of clustering, along with how to use clustering features in our environment.

RHEV Clustering and RHEL Hypervisors Installation – Part 5

In this part we are going to discuss some important points related to our RHEV series. In Part 2 of this series, we discussed RHEV Hypervisor deployment and installation. In this part we will discuss other ways to install a RHEV Hypervisor.

The first way used a dedicated RHEVH, which is customized by RedHat itself without any modification or change from the admin side. In the other way, we will use a normal RHEL server [Minimal installation] that will act as a RHEV Hypervisor.

Step 1: Add RHEL Hypervisor to the Environment

1. Install a subscribed RHEL6 server [Minimal installation]. You may expand your virtual environment by adding additional subscribed RHEL6 servers [Minimal installation] that act as hypervisors.

Virtual Machine Specification
OS: RHEL6.6 x86_64
Number of processors: 2
Number of cores : 1
Memory : 3G
Network : vmnet3
I/O Controller : LSI Logic SAS
Virtual Disk : SCSI
Disk Size : 20G
IP: 11.0.0.7
Hostname: rhel.mydomain.org

Also make sure you have checked the virtualization option in the VM processor settings.

Hint: Make sure your system is subscribed to RedHat channels and up to date. If you don’t know how to subscribe to a RedHat subscription channel, you may read the article Enable Red Hat Subscription Channel.

Tip: To save resources, you can shut down one of the two hypervisors that are currently up and running.

2. To turn your server into a hypervisor, you need to install the RHEVM agent on it.

# yum install vdsm

After the package installation completes, go to the RHEVM web interface to add it.

3. Unlike a RHEVH hypervisor, a RHEL hypervisor can be added in only one way: from RHEVM, using the root credentials of the RHEL hypervisor. So, from the RHEVM WUI, switch to the Hosts tab and click New.

Add RHEL Hypervisor

Then provide your host information as shown.

Add Host Information

Next, ignore the Power Management warning and finish, then wait a few minutes and check the status of the newly added host.

New Host Status

Confirm Host Information

For more details about adding a RHEL-based host, check out the official RedHat RHEV documentation.

Step 2: Managing RHEV Clustering

Clustering in RHEV describes a group of hosts of the same CPU type that share the same storage [e.g. over the network] and are used to do a specific task [e.g. High Availability].

Clustering in general involves many additional tasks; you can check out the article that explains What is Clustering and Advantages/Disadvantages of it.

The main advantage of clustering in RHEV is to enable and manage virtual machine migration between hosts that belong to the same cluster.

So, how do virtual machines migrate between hosts?

RHEV has two strategies:

1. Live Migration
2. High Availability

1. Live Migration

Live Migration is used in non-critical situations, which means everything is working fine in general but you have to do some load-balancing tasks (e.g. you found that one host is more heavily loaded with virtual machines than another, so you may live migrate a virtual machine from one host to another to achieve load balancing).

Note: There is no interruption to services, applications or users running inside the VM during Live Migration. Live migration is also called resource re-allocation.

Live migration can be performed manually or automatically according to a pre-defined policy:

  1. Manual: Select the destination host yourself, then migrate the VM to it manually using the WUI.
  2. Automatic: Use one of the cluster policies to manage Live Migration according to RAM usage, CPU utilization, etc.

Switch to the Clusters tab, select Cluster1, then click Edit.

Clustering Tab

From the window tabs, switch to the Cluster Policy tab.

Cluster Policy

Select the evenly_distributed policy. This policy allows you to configure the maximum threshold for CPU utilization on the host and the time the load is allowed to last before Live Migration starts.

Hint: As shown, I configured the max threshold to be 50% and the duration to be 1 min.

Configure Cluster Properties

Then click OK and switch to the VMs tab.

Select the Linux VM [previously created], then click Edit and check these points.

1. From the Host tab: Check that Manual and Automatic Live Migration is allowed for this VM.

Cluster Migration Options

2. From the HA tab: Check the priority of your virtual machine. In our case, it’s not very important as we are playing with only one VM, but it will be important to set priorities for your VMs in a large environment.

Cluster VM Priorities

Then start the Linux VM.

First, we will use manual Live Migration. The Linux VM is now running on rhel.mydomain.org.

Linux VM Status

Let’s run the following command on the VM console before starting the migration.

# ls -lRZ / 

Then select the Linux VM and click Migrate.

Linux VM Migrate

If you select automatically, the system will pick the most suitable host as the destination under the cluster policy. We will test this without any interference from the administrator.

Migrate Virtual Machines

So, after selecting manually and choosing the destination, click OK, go to the console and monitor the running command. You can also check the VM status.

Monitor VM Status

You may need to monitor Task events.

Monitor Task Events

After a few seconds, you will find a change in the VM’s host name.

Confirm VM Changes

Your VM is manually live migrated successfully!

Let’s try automatic Live Migration. Our target is to make the CPU load on the rhevhn1 host exceed 50%. We will do that by increasing the load on the VM itself, so from the console run this command:

# dd if=/dev/urandom of=/dev/null

Then monitor the load on the host.

Monitor VM Load

After a few minutes, the load on the host will exceed 50%.

VM Load Alert

Just wait a few more minutes, then live migration will start automatically as shown.

VM Live Migration

You can also check the Tasks tab, and after a little waiting, your virtual machine is automatically live migrated to the rhel host.

Monitor VM

VM RHEL Migration

Important: Make sure that one of your hosts has more resources than the other one. If the two hosts are identical in resources, the VM won’t be migrated because there will be no difference!

Hint: Putting a host into Maintenance Mode will automatically live migrate its up-and-running VMs to other hosts in the same cluster.

For further information about VM migrations, read Migrating Virtual Machines Between Hosts.

Hint: Live Migration between different clusters isn’t officially supported, except for one case that you can check here.

2. High Availability

In contrast to Live Migration, HA is used to cover critical situations, not just load-balancing tasks. What the two have in common is that your VM is also migrated to another host, but with reboot downtime.

If you have a failed, non-operational or non-responsive host in your cluster, Live Migration cannot help you. HA will power off the virtual machine and restart it on another up-and-running host in the same cluster.

To enable HA in your environment, you must have at least one power management device [e.g. power switch] in your environment.

Unfortunately, we aren’t able to do that in our virtual environment. So for more about HA in RHEV, please check out Improving Uptime with VM High Availability.

Remember: Live Migration and High Availability work with hosts in the same cluster, with the same type of CPU, connected to shared storage.

Conclusion:

We have reached a peak point in our series, as we discussed one of the important features in RHEV, clustering, describing it and its importance. We also discussed the second method of deploying RHEV hypervisors, which is based on RHEL [at least 6.6 x86_64].

In the next article, we will perform some operations on virtual machines such as snapshots, sealing, cloning, exporting and pools.

How to Manage RedHat Enterprise Virtualization (RHEV) Virtual Machines Operations and Tasks – Part 6

In this part of our tutorial we are going to discuss operations and tasks such as taking snapshots, creating pools, making templates and cloning, which are the main operations that can be performed on virtual machines hosted by a RHEV environment.

Before going further, I request you to read the rest of the articles from this RHEV series here:

RedHat Enterprise Virtualization (RHEV) Administration Series – Part 1-7

Manage RHEV VM Operations and Tasks – Part 6

Snapshots

A snapshot is used to save a VM’s state at a specific point in time. This is very useful during software testing, or for reverting when something goes wrong on your system, as you can return to the point in time at which you took the snapshot.

1. Start your linux-vm machine and verify the OS version and type before taking the snapshot.

Img 01: Check Linux OS Version

2. Click on “Create Snapshot”.

Img 02: Create RHEV Snapshot

3. Add the description, select the disks and memory saving, then click OK.

Img 03: Add Snapshot Description

Check the status of the snapshot and the task status from the tasks bar.

Img 04: Confirm Created Snapshot Status

After it finishes, you will note that the status of the snapshot changed from Lock to OK, which means that your snapshot is ready and was created successfully.

Img 05: Check Snapshot Status

4. Let’s go to the VM console and delete the /etc/issue file.

Img 06: Delete Issue File

5. For the reverting/restoring process, your virtual machine should be in the down state. Make sure it’s powered off, then click “Preview” to check the snapshot and revert to it on the fly.

Img 07: Shut Down Snapshot

Now confirm memory restoring.

Img 08: Restore Snapshot Memory

Wait for the preview to finish; after a few minutes, you will note that the snapshot status is “In preview”.

Img 09: Snapshot In Preview State

Now we have two ways:

6. The first is to directly “Commit” the restored snapshot to the original virtual machine, finishing the whole reverting process.

The second is to check the reverted changes before committing the restored snapshot to the original VM. After checking, we go to the first way, “Commit”.

For this article, we will start with the second way. So, we need to power up the virtual machine and then check the /etc/issue file. You will find it without any changes.

Img 10: Check Issue File

7. Your VM should be powered off for the reverting process. After powering off, commit your snapshot to the VM.

Img 11: Commit VM Snapshot

Then watch the commit process; after it finishes, you will find that the snapshot status is “OK”.

Img 12: Confirm Commit Snapshot

Hints:

  1. If you don’t want to confirm reverting to the snapshot after the preview stage, just click on “Undo” to skip the snapshot.
  2. It’s always recommended to take a snapshot of a powered-down VM rather than a running one.
  3. You can create a new VM from the current snapshot: just select your preferred snapshot and click on “Clone”.

Img 13: Create VM Snapshot Clone

Templates:

Actually, a template is a very normal virtual machine copy, but without any pre-configuration related to the original VM’s operating system. Templates are used to speed up VM operating system installation.

Creating templates has two main processes:
  A. Sealing the original virtual machine.
  B. Taking a copy [Create Template] of the sealed VM to be a separate template.

A. Sealing Process:

To seal a RHEL6 virtual machine, make sure of these points:

8. Flag the system for pre-configuration at the next boot by creating this empty hidden file.

# touch /.unconfigured

9. Remove any SSH host keys, set the hostname to localhost.localdomain in the /etc/sysconfig/network file, and also remove the system udev rules.

# rm -rf /etc/ssh/ssh_host_*
# rm -rf /etc/udev/rules.d/70-*

10. Remove the MAC address from the network interface configuration file, e.g. [/etc/sysconfig/network-scripts/ifcfg-eth0], delete all system logs under /var/log/, and finally power off your virtual machine.

Img 14: Commands to Follow
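Sealing steps 8 to 10 as one script, with a check that reports any machine identity still left behind; without sealing, every VM created from the template would share the same SSH host keys. This is an added example, not part of the original article: the function names, the ROOT prefix argument and the sample tree are assumptions made here, and HWADDR is assumed to be the key that carries the MAC address in the ifcfg files.

```shell
#!/bin/sh
# Added example: apply the RHEL6 sealing steps under a root prefix and report
# what machine-specific identity is still present. seal_root, unsealed_items
# and make_sample_root are names invented for this example.

# seal_root ROOT : perform sealing steps 8-10 below ROOT ("/" inside the VM).
seal_root() {
    root=${1%/}
    # Step 8: flag the system for configuration at the next boot.
    : > "$root/.unconfigured"
    # Step 9: remove SSH host keys and udev rules, reset the hostname.
    rm -f "$root"/etc/ssh/ssh_host_* "$root"/etc/udev/rules.d/70-*
    net=$root/etc/sysconfig/network
    if [ -f "$net" ]; then
        sed -i 's/^HOSTNAME=.*/HOSTNAME=localhost.localdomain/' "$net"
    fi
    # Step 10: remove the MAC address (HWADDR line) and delete system logs.
    for cfg in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$cfg" ]; then sed -i '/^HWADDR=/d' "$cfg"; fi
    done
    if [ -d "$root/var/log" ]; then
        find "$root/var/log" -type f -exec rm -f {} +
    fi
    return 0
}

# unsealed_items ROOT : print one line per leftover item; no output = sealed.
unsealed_items() {
    root=${1%/}
    if [ ! -e "$root/.unconfigured" ]; then echo "missing /.unconfigured"; fi
    for f in "$root"/etc/ssh/ssh_host_* "$root"/etc/udev/rules.d/70-*; do
        if [ -e "$f" ]; then echo "still present: ${f#"$root"}"; fi
    done
    grep -qs '^HOSTNAME=localhost.localdomain$' "$root/etc/sysconfig/network" ||
        echo "hostname not reset"
    grep -ls '^HWADDR=' "$root"/etc/sysconfig/network-scripts/ifcfg-* |
        sed 's/^/MAC address in: /'
    if [ -d "$root/var/log" ]; then
        find "$root/var/log" -type f | sed 's/^/log file left: /'
    fi
    return 0
}

# make_sample_root : build a constructed RHEL6-like tree (not a real system).
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/ssh" "$r/etc/udev/rules.d" \
             "$r/etc/sysconfig/network-scripts" "$r/var/log"
    echo key  > "$r/etc/ssh/ssh_host_rsa_key"
    echo rule > "$r/etc/udev/rules.d/70-persistent-net.rules"
    printf 'NETWORKING=yes\nHOSTNAME=linux-vm.mydomain.org\n' \
        > "$r/etc/sysconfig/network"
    printf 'DEVICE=eth0\nHWADDR=00:00:5E:00:53:01\nONBOOT=yes\n' \
        > "$r/etc/sysconfig/network-scripts/ifcfg-eth0"
    echo line > "$r/var/log/messages"
    printf '%s\n' "$r"
}

# Demonstration on the constructed sample tree.
sample=$(make_sample_root)
echo "before sealing:"
unsealed_items "$sample"
seal_root "$sample"
echo "after sealing: $(unsealed_items "$sample" | wc -l) item(s) left"
rm -rf "$sample"
```

Inside the VM being sealed, call seal_root / as root, confirm that unsealed_items / prints nothing, then power the machine off as step 10 says.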

B. Creating Templates

11. Select the sealed VM and click “Create Template”.

Img 15: Create New VM Template

12. Provide details and properties for your new template.

Img 16: Add Template Details

Now you can check the process from Tasks, and you can also switch to the Templates tab to monitor the status of your new template.

Img 16: Check Template Information

Img 17: Monitor Template Status

Wait a few minutes, then check the template status again.

Img 18: Check VM Template Again

You will note that it has changed from Lock to OK. Now our new template is ready to be used. We will use it in the next section.

Creating Pools:

A pool is a group of identical virtual machines. Pooling is used to create a given number of identical virtual machines in one step. Those virtual machines can be based on a pre-created template.

Creating New Pool

13. Switch to the Pools tab, click New, then fill in the wizard windows that appear.

Img 19: Create New Pool

14. Now check the status of the created pool VMs and wait a few minutes; you will note that the status of the virtual machines changes from Lock to Down.

Img 20: VM Pool Status Locked

Img 21: VM Pool Status Down

You can also check the status from the Virtual Machines tab.

Img 22: Check Pool Status from VM

15. Let’s try to run one of the pool virtual machines.

Img 22: Run Virtual Machine

That’s right, you will be asked for a new root password and also about basic authentication configuration. Once finished, your new VM is ready for use.

Img 23: Select Basic Authentication

Monitor the VMs from the Pools tab as well.

Img 24: Monitor Virtual Machine

Notes:

  1. To delete a pool, you should detach all of the VMs from the pool.
  2. To detach a VM from a pool, the VM must be in the down state.
  3. Compare the VM installation time [normal way vs. using a template].

Create VM Clones:

Cloning is a normal copy process without any change to the original source. Cloning can be done from the original VM or from a snapshot.

To take a clone:

16. Select the original source [VM or snapshot], then click “Clone VM”.

Img 25: Create VM Clone

Hint: If you take a clone from a VM, the VM must be in the down state.

17. Provide a name for your cloned VM and wait a few minutes; you will find the cloning process is done and the new VM is ready to be used.

Img 26: Give VM Clone Name

Img 27: VM Clone Details

Conclusion

As a RHEV administrator, there are some main tasks to be done on the environment’s virtual machines. Cloning, creating pools, making templates and taking snapshots are basic and important tasks that should be done by a RHEV admin. These tasks are also considered the core tasks of any virtualization environment, so make sure you understand them well, then do more and more practical labs in your private environment.

Resources: RHEV Administration Guide

Understanding Shell Initialization Files and User Profiles in Linux

Linux is a multi-user, time-sharing system, meaning that more than one user can log in and use the system. System administrators have the task of managing various aspects of how different users can operate a system in terms of installing/updating/removing software, programs they can run, files they can view/edit and so on.

Linux also allows users’ environments to be created or maintained in two major ways: using system-wide (global) and user-specific (personal) configurations. Normally, the basic method of working with a Linux system is the shell, and the shell creates an environment depending on certain files it reads during its initialization after a successful user login.

Suggested Read: How to Set Environment Variables in Linux

In this article, we will explain shell initialization files in relation to user profiles for local user management in Linux. We will let you know where to keep custom shell functions, aliases, variables as well as startup programs.

Important: For the purpose of this article, we will focus on bash, a sh compatible shell which is the most popular/used shell on Linux systems out there.

If you are using a different shell (zsh, ash, fish etc..) program, read through its documentation to find out more about some of the related files we will talk about here.

Shell Initialization in Linux

When the shell is invoked, there are certain initialization/startup files it reads which help to set up an environment for the shell itself and the system user; that is, predefined (and customized) functions, variables, aliases and so on.

There are two categories of initialization files read by the shell:

  • system-wide startup files – these contain global configurations that apply to all users on the system, and are usually located in the /etc directory. They include: /etc/profile and /etc/bashrc or /etc/bash.bashrc.
  • user-specific startup files – these store configurations that apply to a single user on the system and are normally located in the user’s home directory as dot files. They can override the system-wide configurations. They include: .profile, .bash_profile, .bashrc and .bash_login.

Again, the shell can be invoked in three possible modes:

1. Interactive Login Shell

The shell is invoked after a user successfully logs in to the system, using /bin/login, after reading credentials stored in the /etc/passwd file.

When the shell is started as an interactive login shell, it reads the /etc/profile and its user-specific equivalent ~/.bash_profile.

Linux Interactive Login Shell

2. Interactive non-login Shell

The shell is started at the command line using a shell program, for example $ /bin/bash or $ /bin/zsh. It can also be started by running the /bin/su command.

Additionally, an interactive non-login shell can be invoked with a terminal program such as konsole, terminator or xterm from within a graphical environment.

When the shell is started in this state, it copies the environment of the parent shell, and reads the user-specific ~/.bashrc file for additional startup configuration instructions.

$ su
# ls -la

Interactive Non-Login Shell

3. Non-interactive Shell

The shell is invoked when a shell script is running. In this mode, it processes a script (a set of shell or generic system commands/functions) and doesn’t require user input between commands unless the script asks for it. It operates using the environment inherited from the parent shell.

Understanding System-wide Shell Startup Files

In this section, we will shed more light on the shell startup files that store configurations for all users on the system. These include:

The /etc/profile file – it stores system-wide environment configurations and startup programs for login setup. All configurations that you want to apply to all system users’ environments should be added in this file.

For instance, you can set the global PATH environment variable here.

# cat /etc/profile

System Wide Configuration File

Note: In certain systems like RHEL/CentOS 7, you’ll get such warnings as “It’s not recommended to change this file unless you know what you are doing. It’s much better to create a custom .sh shell script in /etc/profile.d/ to make custom changes to your environment, as this will prevent the need for merging in future updates”.

The /etc/profile.d/ directory – stores shell scripts used to make custom changes to your environment:

# cd /etc/profile.d/
# ls  -l 

Stores Custom Shell Scripts

The /etc/bashrc or /etc/bash.bashrc file – contains system-wide functions and aliases including other configurations that apply to all system users.

If your system has multiple types of shells, it is a good idea to put bash-specific configurations in this file.

# cat /etc/bashrc

System Wide Functions and Aliases

Understanding User-specific Shell Startup Files

Next, we will explain more about the user-specific shell (bash) startup dot files, which store configurations for a particular user on the system. They are located in a user’s home directory and they include:

# ls -la

User Specific Configuration Files

The ~/.bash_profile file – this stores user-specific environment and startup program configurations. You can set your custom PATH environment variable here, as shown in the screenshot below:

# cat ~/.bash_profile

User Bash Profile

The ~/.bashrc file – this file stores user-specific aliases and functions.

# cat ~/.bashrc

User Bashrc File

The ~/.bash_login file – it contains specific configurations that are normally only executed when you log in to the system. When the ~/.bash_profile is absent, this file will be read by bash.

The ~/.profile file – this file is read in the absence of ~/.bash_profile and ~/.bash_login; it can store the same configurations, which are also accessible to other shells on the system. Because we have mainly talked about bash here, take note that other shells might not understand the bash syntax.
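The fallback order among ~/.bash_profile, ~/.bash_login and ~/.profile described above can be observed directly. The following is an added example, not part of the original article: it builds a throw-away HOME (startup_trace and trace.log are names invented here) and records which dot files a bash login shell and a script-running shell actually read.

```shell
#!/bin/sh
# Added example: observe which per-user startup file bash reads.
# startup_trace and trace.log are names invented for this example; every
# dot file is created in a temporary HOME, so real profiles are untouched.

# startup_trace MODE FILE...
#   MODE   login  -> bash started as a login shell
#          script -> bash started the way it runs a shell script
#   FILE   dot files to create; each one logs its own name when it is read.
# Prints the names of the files bash read, in order, or "none".
startup_trace() {
    mode=$1
    shift
    home=$(mktemp -d) || return 1
    for f in "$@"; do
        printf 'echo %s >> "$HOME/trace.log"\n' "$f" > "$home/$f"
    done

    # env -i gives a clean environment (no BASH_ENV, no SSH_* variables) and
    # stdin comes from /dev/null, so only the mode under test decides which
    # files are read. /etc/profile still runs for the login shell.
    case $mode in
        login)  env -i HOME="$home" PATH="$PATH" bash --login -c : ;;
        script) env -i HOME="$home" PATH="$PATH" bash -c : ;;
        *)      rm -rf "$home"; return 2 ;;
    esac </dev/null >/dev/null 2>&1

    if [ -f "$home/trace.log" ]; then
        paste -s -d ' ' "$home/trace.log"
    else
        echo none
    fi
    rm -rf "$home"
}

# Demonstration: each line shows the files present and the file(s) read.
for files in ".bash_profile .bash_login .profile .bashrc" \
             ".bash_login .profile .bashrc" \
             ".profile .bashrc"; do
    # $files is left unquoted on purpose so it splits into arguments.
    printf 'login  [%s] -> %s\n' "$files" "$(startup_trace login $files)"
done
printf 'script [%s] -> %s\n' ".bash_profile .bashrc" \
       "$(startup_trace script .bash_profile .bashrc)"
```

The interactive non-login case (~/.bashrc) is left out because it needs a terminal to behave as it does in normal use.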

Next, we will also explain two other important user specific files which are not necessarily bash initialization files:

The ~/.bash_history file – bash maintains a history of commands that have been entered by a user on the system. This list of commands is kept in a user’s home directory in the ~/.bash_history file.

To view this list, type:

$ history 
or 
$ history | less

View Last Executed Commands

The ~/.bash_logout file – it’s not used for shell startup, but stores user-specific instructions for the logout procedure. It is read and executed when a user exits from an interactive login shell.

One practical example would be clearing the terminal window upon logout. This is important for remote connections, which will leave a clean window after closing them:

# cat ~/.bash_logout

Clear History After Logout

For additional insights, check out the contents of these shell initialization files on various Linux distros and also read through the bash man page.

Understand Linux Shell and Basic Shell Scripting Language Tips (I,II,III parts)

A picture speaks more than words, and the picture below says it all about the working of Linux.

Understanding Linux Shell

Read Also

  1. 5 Shell Scripts to Learn Shell Programming – Part II
  2. Sailing Through The World of Linux BASH Scripting – Part III

Understanding Linux Shell

  1. Shell: A command-line interpreter that connects a user to the operating system and allows commands to be executed directly or through a text script.
  2. Process: Any task that a user runs in the system is called a process. A process is a little more complex than just a task.
  3. File: It resides on hard disk (hdd) and contains data owned by a user.
  4. X-windows aka windows: A mode of Linux where screen (monitor) can be split in small “parts” called windows, that allow a user to do several things at the same time and/or switch from one task to another easily and view graphics in a nice way.
  5. Text terminal: A monitor that has only the capability of displaying text stuff, no graphics or a very basic graphics display.
  6. Session: Time between logging on and logging out of the system.

Types of Shell on a Standard Linux Distribution

Bourne shell : The Bourne shell was one of the major shells used in early versions and became a de facto standard. It was written by Stephen Bourne at Bell Labs. Every Unix-like system has at least one shell compatible with the Bourne shell. The Bourne shell program name is “sh” and it is typically located in the file system hierarchy at /bin/sh.

C shell: The C shell was developed by Bill Joy for the Berkeley Software Distribution. Its syntax is modelled after the C programming language. It is used primarily for interactive terminal use, but less frequently for scripting and operating system control. C shell has many interactive commands.

Beginning the Fun! (Linux Shell)

There exist thousands of commands for the command-line user; how about remembering all of them? Hmmm! Simply, you cannot. The real power of a computer is to ease your work; you need to automate the process, and hence you need scripts.

Scripts are collections of commands, stored in a file. The shell can read this file and act on the commands as if they were typed at the keyboard. The shell also provides a variety of useful programming features to make scripts truly powerful.

Basics of Shell Programming

  1. To get a Linux shell, you need to start a terminal.
  2. To see what shell you have, run: echo $SHELL.
  3. In Linux, the dollar sign ($) stands for a shell variable.
  4. The ‘echo‘ command just returns whatever you type in.
  5. The pipeline instruction (|) comes to rescue, when chaining several commands.
  6. Linux commands have their own syntax, and Linux won’t forgive any mistake. If you get a command wrong, you won’t flunk or damage anything, but it won’t work.
  7. #!/bin/sh – It is called the shebang. It is written at the top of a shell script and it passes the instructions to the program /bin/sh.

About shell Script

A shell script is just a simple text file with a “.sh” extension and executable permission.

Process of writing and executing a script

  1. Open terminal.
  2. Navigate to the place where you want to create script using ‘cd‘ command.
  3. cd (enter) [This will bring the prompt to your home directory].
  4. touch hello.sh (Here we named the script hello; remember the ‘.sh‘ extension is compulsory).
  5. vi hello.sh (nano hello.sh) [You can use your favourite editor to edit the script].
  6. chmod 744 hello.sh (making the script executable).
  7. sh hello.sh or ./hello.sh (running the script)

Writing your First Script

#!/bin/bash
# My first script

echo "Hello World!"

Save the above lines on a text file, make it executable and run it, as described above.

Sample Output

Hello World!

In the above code.

#!/bin/bash (is the shebang.)
# My first script (is a comment; anything following '#' is a comment)
echo "Hello World!" (is the main part of this script)

Writing your Second Script

OK, time to move to the next script. This script will tell you your “username” and list the running processes.

#! /bin/bash
echo "Hello $USER"
echo "Hey i am" $USER "and will be telling you about the current processes"
echo "Running processes List"
ps

Create a file with the above code, save it under any name you want but with the extension “.sh“, make it executable and run it from your terminal.

Sample Output

Hello tecmint
Hey i am tecmint and will be telling you about the current processes
Running processes List
  PID TTY          TIME CMD
 1111 pts/0    00:00:00 bash
 1287 pts/0    00:00:00 sh
 1288 pts/0    00:00:00 ps

Was this cool? Writing script is as simple as getting an idea and writing pipelined commands. There are some restrictions, too. Shell scripts are excellent for concise filesystem operations and scripting the combination of existing functionality in filters and command line tools via pipes.

When your needs are greater – whether in functionality, robustness, performance, efficiency etc. – then you can move to a more full-featured language.

If you already know C/Perl/Python or any other programming language, learning the scripting language won’t be very difficult.

Writing your Third Script

Moving on, let’s write our third and last script for this article. This script is interactive. Why don’t you execute this simple yet interactive script yourself and tell us how you felt?

#! /bin/bash
echo "Hey what's Your First Name?";
read a;
echo "welcome Mr./Mrs. $a, would you like to tell us, Your Last Name";
read b;
echo "Thanks Mr./Mrs. $a $b for telling us your name";
echo "*******************"
echo "Mr./Mrs. $b, it's time to say you good bye"

Sample Output

Hey what's Your First Name?
Avishek
welcome Mr./Mrs. Avishek, would you like to tell us, Your Last Name
Kumar
Thanks Mr./Mrs. Avishek Kumar for telling us your name
******************************************************
Mr./Mrs. Kumar, it's time to say you good bye

Well, this is not the end. We tried to bring a taste of scripting to you. In our future articles we will elaborate on this never-ending scripting language topic in more depth.

5 Shell Scripts for Linux Newbies to Learn Shell Programming – Part II

To Learn something you need to do it, without the fear of being unsuccessful. I believe in practicality and hence will be accompanying you to the practical world of Scripting Language.

Learn Basic Shell Scripting

This article is an extension of our first article, Understand Linux Shell and Basic Shell Scripting – Part I, where we gave you a taste of scripting. Continuing from that, we won’t disappoint you in this article.

Script 1: Drawing a Special Pattern

#!/bin/bash
MAX_NO=0
echo -n "Enter Number between (5 to 9) : "
read MAX_NO
if ! [ $MAX_NO -ge 5 -a $MAX_NO -le 9 ] ; then
   echo "WTF... I ask to enter number between 5 and 9, Try Again"
   exit 1
fi
clear
for (( i=1; i<=MAX_NO; i++ ))
do
    for (( s=MAX_NO; s>=i; s-- ))
    do
       echo -n " "
    done
    for (( j=1; j<=i;  j++ ))
    do
     echo -n " ."
    done
    echo ""
done
###### Second stage ######################
for (( i=MAX_NO; i>=1; i-- ))
do
    for (( s=i; s<=MAX_NO; s++ ))
    do
       echo -n " "
    done
    for (( j=1; j<=i;  j++ ))
    do
     echo -n " ."
    done
    echo ""
done
echo -e "\n\n\t\t\t Whenever you need help, Tecmint.com is always there"

Most of the above ‘key words‘ will be known to you and most of them are self-explanatory, e.g., MAX_NO holds the maximum value, for is a loop, and anything within the loop is executed again and again as long as the loop condition holds for the given input value.

Sample Output
[root@tecmint ~]# chmod 755 Special_Pattern.sh
[root@tecmint ~]# ./Special_Pattern.sh
Enter Number between (5 to 9) : 6
       .
      . .
     . . .
    . . . .
   . . . . .
  . . . . . .
  . . . . . .
   . . . . .
    . . . .
     . . .
      . .
       .

                         Whenever you need help, Tecmint.com is always there

If you know a little of any programming language, learning the above script is not difficult. Even if you are new to computation, programming and Linux, it is not going to be very difficult.

Download Special_Pattern.sh

Script 2: Creating Colorful Script

Who says Linux is colorless and boring? Save the code below as anything.sh, make it executable and run it. Don’t forget to tell me how it was, and think what you can achieve by implementing it somewhere.

#!/bin/bash
clear
# \033 is the ESC character that starts each terminal escape sequence
echo -e "\033[1m Hello World"
# bold effect
echo -e "\033[5m Blink"
# blink effect
echo -e "\033[0m Hello World"
# back to normal
echo -e "\033[31m Hello World"
# Red color
echo -e "\033[32m Hello World"
# Green color
echo -e "\033[33m Hello World"
# See remaining on screen
echo -e "\033[34m Hello World"
echo -e "\033[35m Hello World"
echo -e "\033[36m Hello World"
echo -e -n "\033[0m"
# back to normal
echo -e "\033[41m Hello World"
echo -e "\033[42m Hello World"
echo -e "\033[43m Hello World"
echo -e "\033[44m Hello World"
echo -e "\033[45m Hello World"
echo -e "\033[46m Hello World"
echo -e "\033[0m Hello World"

Note: Don’t bother about the color codes now. Those important to you will be at the tip of your tongue, gradually.

Warning: Your terminal might not have the facility of blinking.

Sample Output
[root@tecmint ~]# chmod 755 Colorfull.sh
[root@tecmint ~]# ./Colorfull.sh

Hello World
Blink
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World
Hello World

Download Colorfull.sh

Script 3: Encrypt a File/Directory

This script will encrypt a file (remember? directory/driver/…. everything is treated as a file in Linux). The current limitation of this script is that it doesn’t support auto-completion of the name using TAB. Moreover, you need to place the script and the file to be encrypted in the same folder. You may need to install the “pinentry-gui” package using yum or apt, if required.

[root@midstage ~]# yum install pinentry-gui
[root@midstage ~]# apt-get install pinentry-gui

Create a file called “Encrypt.sh”, place the following script in it, make it executable and run it as shown.

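#!/bin/bash
echo "Welcome, I am ready to encrypt a file/folder for you"
echo "currently I have a limitation, Place me to the same folder, where a file to be encrypted is present"
echo "Enter the Exact File Name with extension"
# -r keeps backslashes in the file name literal
read -r file
# Quote the name so spaces and wildcards are not expanded by the shell.
# Report success and remove the original only if gpg really succeeded.
if gpg -c "$file"; then
    echo "I have encrypted the file successfully..."
    echo "Now I will be removing the original file"
    rm -f -- "$file"
else
    echo "Encryption failed, the original file was not removed"
    exit 1
fi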

Sample Output

[root@tecmint ~]# chmod 755 Encrypt.sh
[root@tecmint ~]# ./Encrypt.sh

Welcome, I am ready to encrypt a file/folder for you
currently I have a limitation, Place me to the same folder, where a file to be encrypted is present
Enter the Exact File Name with extension

package.xml

                                                   ┌─────────────────────────────────────────────────────┐
                                                   │ Enter passphrase                                    │
                                                   │                                                     │
                                                   │                                                     │
                                                   │ Passphrase *******_________________________________ │
                                                   │                                                     │
                                                   │       <OK>                             <Cancel>     │
                                                   └─────────────────────────────────────────────────────┘

Please re-enter this passphrase

                                                   ┌─────────────────────────────────────────────────────┐
                                                   │ Please re-enter this passphrase                     │
                                                   │                                                     │
                                                   │ Passphrase ********________________________________ │
                                                   │                                                     │
                                                   │       <OK>                             <Cancel>     │
                                                   └─────────────────────────────────────────────────────┘

I have encrypted the file successfully...
Now I will be removing the original file

gpg -c : This will encrypt your file using a passkey, aka password. You might never have thought that the actual process of learning could be this easy. So after encrypting a file, what do you need? Obviously, decrypting the file. And I want you, the learner, the reader, to write the decryption script yourself. Don’t worry, I am not leaving you in the middle; I just want you to gain something out of this article.

Note: gpg -d filename.gpg > filename is what you need to implement in your decryption script. You may post your script in a comment if successful; if not, you may ask me to write it for you.

Download Encrypt.sh
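One way to write the decryption script the note above asks for, added here as an example and not the article's own script. It uses the same gpg -d command, but decrypts into a temporary file first, because "gpg -d filename.gpg > filename" truncates the target before gpg runs and a wrong passphrase would leave an empty file behind. The function names and return codes are assumptions of this example.

```shell
#!/bin/bash
# Decrypt.sh - counterpart to Encrypt.sh (added example, not from the article)

# Derive the plaintext name from "name.gpg"; fail if the suffix is missing.
plain_name() {
    case "$1" in
        ?*.gpg) printf '%s\n' "${1%.gpg}" ;;
        *)      return 1 ;;
    esac
}

# Decrypt $1 into the same name without ".gpg".
# Return codes: 0 ok, 2 bad name, 3 source missing, 4 target exists, 5 gpg failed.
decrypt_file() {
    local src=$1 out tmp
    out=$(plain_name "$src") || { echo "Expected a name ending in .gpg" >&2; return 2; }
    [ -f "$src" ] || { echo "No such file: $src" >&2; return 3; }
    if [ -e "$out" ]; then
        echo "Refusing to overwrite $out" >&2
        return 4
    fi

    # The temp file sits next to the target so the final mv is a rename;
    # mktemp creates it readable by the owner only.
    tmp=$(mktemp "${out}.XXXXXX") || return 5
    if gpg -d "$src" > "$tmp"; then
        mv -- "$tmp" "$out"
    else
        # Wrong passphrase or damaged input: leave no partial plaintext behind.
        rm -f -- "$tmp"
        echo "Decryption failed, nothing was written" >&2
        return 5
    fi
}

# Usage: ./Decrypt.sh package.xml.gpg
if [ "$#" -ge 1 ]; then
    decrypt_file "$1"
fi
```

The encrypted .gpg file is left in place; remove it yourself once you have checked the decrypted copy.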

Script 4: Checking Server Utilization

Checking server utilization is one of the important tasks of an administrator, and a good administrator is one who knows how to automate day-to-day tasks. Below is a script that will give a lot of such information about your server. Check it yourself.

#!/bin/bash
    date;
    echo "uptime:"
    uptime
    echo "Currently connected:"
    w
    echo "--------------------"
    echo "Last logins:"
    last -a |head -3
    echo "--------------------"
    echo "Disk and memory usage:"
    df -h | xargs | awk '{print "Free/total disk: " $11 " / " $9}'
    free -m | xargs | awk '{print "Free/total memory: " $17 " / " $8 " MB"}'
    echo "--------------------"
    start_log=`head -1 /var/log/messages |cut -c 1-12`
    oom=`grep -ci kill /var/log/messages`
    echo -n "OOM errors since $start_log :" $oom
    echo ""
    echo "--------------------"
    echo "Utilization and most expensive processes:"
    top -b |head -3
    echo
    top -b |head -10 |tail -4
    echo "--------------------"
    echo "Open TCP ports:"
    nmap -p- -T4 127.0.0.1
    echo "--------------------"
    echo "Current connections:"
    ss -s
    echo "--------------------"
    echo "processes:"
    ps auxf --width=200
    echo "--------------------"
    echo "vmstat:"
    vmstat 1 5

Sample Output
[root@tecmint ~]# chmod 755 Server-Health.sh
[root@tecmint ~]# ./Server-Health.sh

Tue Jul 16 22:01:06 IST 2013
uptime:
 22:01:06 up 174 days,  4:42,  1 user,  load average: 0.36, 0.25, 0.18
Currently connected:
 22:01:06 up 174 days,  4:42,  1 user,  load average: 0.36, 0.25, 0.18
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
tecmint   pts/0    116.72.134.162   21:48    0.00s  0.03s  0.03s sshd: tecmint [priv]
--------------------
Last logins:
tecmint   pts/0        Tue Jul 16 21:48   still logged in    116.72.134.162
tecmint   pts/0        Tue Jul 16 21:24 - 21:43  (00:19)     116.72.134.162
--------------------
Disk and memory usage:
Free/total disk: 292G / 457G
Free/total memory: 3510 / 3838 MB
--------------------
OOM errors since Jul 14 03:37 : 0
--------------------
Utilization and most expensive processes:
top - 22:01:07 up 174 days,  4:42,  1 user,  load average: 0.36, 0.25, 0.18
Tasks: 149 total,   1 running, 148 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.1%us,  0.0%sy,  0.0%ni, 99.3%id,  0.6%wa,  0.0%hi,  0.0%si,  0.0%st

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      20   0  3788 1128  932 S  0.0  0.0   0:32.94 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:14.07 migration/0

Note: I have given you a script that prints its output in the terminal itself. How about getting the output in a file for future reference? Implement it using a redirection operator.

  1. ‘>‘ : the redirection operator creates the file, and if it already exists, its contents are overwritten.
  2. ‘>>‘ : when you use >>, you are adding information, rather than replacing it.
  3. ‘>>‘ is safe, as compared to ‘>‘.

Download Server-Health.sh

Script 5: Check Disk Space and Sends an Email Alert

How about getting an email when disk use on partition PART is bigger than the maximum allowed (MAX)? With a little modification, it is a life-saver script for web administrators.

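#!/bin/bash
MAX=95
EMAIL=USER@domain.com
PART=sda1
# -P keeps each filesystem on one line; take the first line that matches PART
USE=$(df -P | grep "$PART" | head -n 1 | awk '{ print $5 }' | cut -d'%' -f1)
# Skip the comparison when the partition was not found (USE is empty)
if [ -n "$USE" ] && [ "$USE" -gt "$MAX" ]; then
  echo "Percent used: $USE" | mail -s "Running out of disk space" "$EMAIL"
fi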

Note: Replace “USER” with your user name. You can check mail using the ‘mail‘ command.

Download Check-Disk-Space.sh

Script writing and programming have no boundaries; anything and everything can be implemented as required. That’s all for now. In my very next article I will be giving you some different flavors of scripting. Till then stay cool and tuned, enjoy.

Sailing Through The World of Linux BASH Scripting – Part III

The previous articles of the ‘Shell Scripting‘ series, listed below, were highly appreciated, and hence I am writing this article to extend the never-ending process of learning.

Basic Shell Scripting Part-3

  1. Understand Basic Linux Shell Scripting Language Tips – Part I
  2. 5 Shell Scripts for Linux Newbies to Learn Shell Programming – Part II

Bash Keywords

A keyword is a word or symbol that has a special meaning to a computer language. The following symbols and words have special meanings to Bash when they are unquoted and the first word of a command.

! 			esac 			select 		} 
case 			fi 			then 		[[ 
do 			for 			until 		]] 
done 			function 		while 		elif
if 			time 			else 		in 		{

Unlike most computer languages, Bash allows keywords to be used as variable names even though this can make scripts difficult to read. To keep scripts understandable, keywords should not be used for variable names.

A command is implemented in the shell as $(command). You might have to include the full path of the command, e.g., $(/bin/date), for correct execution.

You can find the path of a specific program using the ‘whereis‘ command, e.g., whereis date

[root@tecmint /]# whereis date
date: /bin/date /usr/share/man/man1/date.1.gz

That’s enough for now. We won’t be talking much about theory now. Coming to the scripts.

Move Current Working Directory

Move from current working directory to any level up by just providing the numerical value at the end of script while executing.

#! /bin/bash 
LEVEL=$1 
for ((i = 1; i <= LEVEL; i++)) 
do 
CDIR=../$CDIR 
done 
cd $CDIR 
echo "You are in: "$PWD 
exec /bin/bash

Save the above code as “up.sh“ on your desktop. Make it executable (chmod 755 up.sh). Run:

./up.sh 2 (will Move the current working directory to two level up).
./up.sh 4 (will Move the current working directory to four level up).

Use and Area of Application

In larger scripts which contain folder inside folder inside… containing libraries, binaries, icons, executables, etc. at different locations, you as a developer can implement this script to move to the desired location in a very automated fashion.

Note: for is a loop in the above script, and it will continue to execute as long as the loop condition is true.

Sample Output
[root@tecmint /]# chmod 755 up
[root@tecmint /]# ./up.sh 2
You are in: /

[root@tecmint /]# ./up.sh 4 
You are in: / 

[root@tecmint /]#

Download up.sh

Create a Random File or Folder

Create a random file (folder) with no chance of duplication.

#! /bin/bash

echo "Hello $USER";
echo "$(uptime)" >> "$(date)".txt
echo "Your File is being saved to $(pwd)"

This is a simple script, but its working is not that simple.

  1. ‘echo‘ : Prints everything written within the quotes.
  2. ‘$‘ : Is a shell variable.
  3. ‘>>‘ : The output is redirected to a file named after the output of the date command, followed by the txt extension.

We know the output of the date command is the date and the time in hour, minute, second along with the year. Hence we could get output on an organised file name without the chance of filename duplication. It could be very useful when a user needs the file created with a time stamp for future reference.

Sample Output
[root@tecmint /]# ./randomfile.sh  
Hello server 
Your File is being saved to /home/server/Desktop

You can view the file which is created on desktop with Today’s Date and current time.

[root@tecmint /]# nano Sat\ Jul\ 20\ 13\:51\:52\ IST\ 2013.txt 
13:51:52 up  3:54,  1 user,  load average: 0.09, 0.12, 0.08

A more detailed implementation of the above script is given below, which works on the above principle and is very useful in gathering the network information of a Linux server.

Download randomfile.sh

Script to Collect Network Information

Gathers network information on a Linux server. The script is too large and it’s not possible to post the whole code and output of the script here. So, it’s better you can download the script using below download link and test it yourself.

Note: You might need to install lsb-core package and other required packages and dependency. Apt or Yum the required packages. Obviously you need to be root to run the script because most of the commands used here are configured to be run as root.

Sample Output
[root@tecmint /]# ./collectnetworkinfo.sh  

The Network Configuration Info Written To network.20-07-13.info.txt. Please email this file to your_name@service_provider.com. ktop

You can change the above email address in your script to get it being mailed to you. The Automatically generated file can be viewed.

Download collectnetworkinfo.sh

Script to Convert UPPERCASE to lowercase

A script that converts UPPERCASE to lowercase and redirects the output to a text file “small.txt” which can be modified as required.

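#!/bin/bash

echo -n "Enter File Name : "
# -r keeps backslashes in the file name literal
read -r fileName

# Quote the name so a file name with spaces is handled as one argument
if [ ! -f "$fileName" ]; then
  echo "Filename $fileName does not exist"
  exit 1
fi

tr '[A-Z]' '[a-z]' < "$fileName" >> small.txt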

The above script can convert the case of a file of any length with a single click from uppercase to lowercase, and vice-versa if required, with a little modification.

Sample Output
[root@tecmint /]# ./convertlowercase.sh  
Enter File Name : a.txt 

Initial File: 
A
B
C
D
E
F
G
H
I
J
K
...

New File (small.txt) output:

a
b
c
d
e
f
g
h
i
j
k
...

Download convertlowercase.sh

Simple Calculator Program

#! /bin/bash 
clear 
sum=0 
i="y" 

echo " Enter one no." 
read n1 
echo "Enter second no." 
read n2 
while [ $i = "y" ] 
do 
echo "1.Addition" 
echo "2.Subtraction" 
echo "3.Multiplication" 
echo "4.Division" 
echo "Enter your choice" 
read ch 
case $ch in 
    1)sum=`expr $n1 + $n2` 
     echo "Sum ="$sum;; 
        2)sum=`expr $n1 - $n2` 
     echo "Sub = "$sum;; 
    3)sum=`expr $n1 \* $n2` 
     echo "Mul = "$sum;; 
    4)sum=`expr $n1 / $n2` 
     echo "Div = "$sum;; 
    *)echo "Invalid choice";; 
esac 
echo "Do u want to continue (y/n)) ?" 
read i 
if [ $i != "y" ] 
then 
    exit 
fi 
done

Sample Output
[root@tecmint /]# ./simplecalc.sh 

Enter one no. 
12 
Enter second no. 
14 
1.Addition 
2.Subtraction 
3.Multiplication 
4.Division 
Enter your choice 
1 
Sum =26 
Do u want to continue (y/n)) ? 
y
1.Addition 
2.Subtraction 
3.Multiplication 
4.Division 
Enter your choice 
3 
mul = 14812
Do u want to continue (y/n)) ? 
n

Download simplecalc.sh

So did you see how easy it was to create a powerful program such as a calculator in such a simple way? It’s not the end. We will be coming up with at least one more article in this series, covering a broad perspective from the administration point of view.

That’s all for now. Being the reader and the best critic, don’t forget to tell us how much and what you enjoyed in this article and what you want to see in future articles. Any question is highly welcome in the comments. Till then stay healthy, safe and tuned. Like and share us and help us spread.

How to Change the SSH Port in Linux

By default, SSH listens on port 22. Changing the default SSH port adds an extra layer of security to your server by reducing the risk of automated attacks.

Instead of changing the port, it is much simpler and more secure to configure your firewall to allow access to port 22 only from specific hosts.

This tutorial explains how to change the default SSH port in Linux. We will also show you how to configure your firewall to allow access to the new SSH port.

Changing the SSH Port

Follow the steps below to change the SSH Port on your Linux system:

1. Choosing a New Port Number

In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. Although you can use a port within the 1-1024 range for the SSH service, it is recommended to choose a port above 1024 to avoid issues with port allocation in the future.

In this example we will change the SSH port to 5522; you can choose any port you like.

2. Adjusting Firewall

Before changing the SSH port, first you’ll need to adjust your firewall to allow traffic on the new SSH port.

If you are using UFW, the default firewall configuration tool for Ubuntu run the following command to open the new SSH port:

In CentOS the default firewall management tool is FirewallD. To open the new port run the following commands:

sudo firewall-cmd --permanent --zone=public --add-port=5522/tcp
sudo firewall-cmd --reload

CentOS users will also need to adjust the SELinux rules to allow the new SSH port:

sudo semanage port -a -t ssh_port_t -p tcp 5522

If you are using iptables as your firewall, the following command will open the new SSH port:

sudo iptables -A INPUT -p tcp --dport 5522 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

3. Editing the SSH Configuration

Open the SSH configuration file /etc/ssh/sshd_config with your text editor:

sudo nano /etc/ssh/sshd_config

Search for the line starting with Port 22. In most cases, this line will start with a hash #. Remove the hash # and enter your new SSH port number that will be used instead of the standard SSH port 22.

/etc/ssh/sshd_config

Be extra careful when modifying the SSH configuration file. The incorrect configuration may cause the SSH service to fail to start.

Once you are done save the file and restart the SSH service to apply the changes:

sudo systemctl restart ssh

In CentOS the ssh service is named sshd:

sudo systemctl restart sshd

To verify that SSH daemon is listening on the new port 5522 type:

The output should look something like this:

tcp LISTEN 0 128 0.0.0.0:5522 0.0.0.0:*
tcp ESTAB 0 0 192.168.121.108:5522 192.168.121.1:57638
tcp LISTEN 0 128 [::]:5522 [::]:*
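Steps 1 and 3 above as a script, added here as an example and not part of the original tutorial: it validates the chosen port, rewrites the Port line, and checks the result with sshd -t so that a broken configuration is rolled back before you restart the service. The function names, the .bak backup path and the whitespace-separated "Port N" form are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the tutorial): set the sshd Port directive safely.
# Assumes the common "Port N" form separated by whitespace.

CFG=/etc/ssh/sshd_config

# Accept only an integer in 1025-65535, the range the tutorial recommends.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# Print every active (uncommented) Port value in config file $1.
active_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Make "Port $2" the only active Port line in config file $1.
set_ssh_port() {
    local cfg=$1 port=$2 tmp rc=0
    valid_port "$port" || { echo "Invalid port: $port" >&2; return 1; }
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    awk -v port="$port" '
        { low = tolower($0) }
        low ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            # First Port line, commented or not: replace it in place.
            if (!seen) { out[++n] = "Port " port; seen = 1; next }
            # Later active Port lines would add extra listeners: drop them.
            if (low !~ /^[ \t]*#/) next
        }
        { out[++n] = $0 }
        END {
            # No Port line at all: put it first, ahead of any Match block.
            if (!seen) print "Port " port
            for (i = 1; i <= n; i++) print out[i]
        }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Back up, rewrite, then syntax-check; restore the backup if sshd -t fails.
apply_ssh_port() {
    cp -p "$CFG" "$CFG.bak" || return 1
    set_ssh_port "$CFG" "$1" || return 1
    if ! sshd -t; then
        cp -p "$CFG.bak" "$CFG"
        echo "sshd -t rejected the configuration, backup restored" >&2
        return 1
    fi
    echo "Configuration is valid; restart the SSH service to apply it."
}

# Run as root: ./set-ssh-port.sh 5522
if [ "$#" -eq 1 ]; then
    apply_ssh_port "$1"
fi
```

Keep your current SSH session open until a second login on the new port has succeeded, so a firewall or SELinux mistake cannot lock you out.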

Using the New SSH Port

Now that you have changed the SSH port, you’ll need to specify the new port when logging in to the remote machine.

Use the -p <port_number> option to specify the port:

Conclusion

In this tutorial, you have learned how to change the SSH port on your Linux server. You may also want to set up SSH key-based authentication and connect to your Linux servers without entering a password.

If you are regularly connecting to multiple systems, you can simplify your workflow by defining all of your connections in the SSH config file.

If you have any question or feedback feel free to leave a comment.
