Flashcache initscripts

Filed in Linux

Just want to share my initscripts for flashcache.

Download [ here ].

The flashcache initscript in the original git repo is poorly written and only covers one scenario: writeback mode with the cached device mounted directly. So I rewrote the script to fit my requirements. The new script supports both writeback and writethrough mode and can optionally activate LVM on the cached device and mount it.

In my setup I use flashcache as the backend of a libvirt datastore based on LVM. The script sets up flashcache in writethrough mode and then runs vgscan and vgchange on the configured volume group.

CAUTION!

IF YOU WANT TO PUT AN LVM PV ON TOP OF FLASHCACHE,
MAKE SURE YOU EXCLUDE THE BACKEND/CACHE DEVICES FROM LVM SCANNING
BY EDITING /etc/lvm/lvm.conf.

Otherwise LVM finds the same PV signature on the raw backend device and on the flashcache device, and may activate the volume group on the raw device, bypassing the cache. In writeback mode the dirty blocks still sitting on the SSD are then invisible to LVM, the two views of the disk diverge, and data gets corrupted.

For CentOS, add this line in the devices {} section. In this example /dev/sda3 is the backend device and /dev/sdb is the SSD cache:

filter = [ "r|/dev/sda3|","r|/dev/sdb|" ]

and comment out the default

# filter = [ "a/.*/" ]

The patterns are regular expressions, so r|/dev/sdb| also rejects /dev/sdb1 and so on; anchor them (r|^/dev/sdb$|) if you only want the exact device. On CentOS 7 with lvmetad enabled (use_lvmetad = 1) set global_filter instead, because the daemon does not apply filter. If the root filesystem is on LVM, rebuild the initramfs (dracut -f) after the change, since the initramfs carries its own copy of lvm.conf.

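As an added check (not part of the original initscripts), the script below evaluates the filter rules of a lvm.conf against a device path the way LVM does, so you can confirm that the backend and cache devices are really rejected before rebooting, and a second function looks for PVs that LVM reports on the raw devices of a running system. The device names, the lvm.conf contents and the /dev/mapper name are assumptions for the demonstration; it also shows that a global_filter lookup on a file that only sets filter accepts everything, which is what lvmetad would see.

```shell
#!/bin/sh
# Added example, not part of the original initscripts: check that lvm.conf
# really hides the flashcache backend and cache devices from LVM, and that no
# PV is being reported on the raw devices. The device names and lvm.conf path
# used below are assumptions for the demonstration.

# Evaluate the rules of one filter key ("filter" or "global_filter") in a
# lvm.conf against a device path the way LVM does: rules are tried in order,
# the first matching rule wins ("a" accepts, "r" rejects) and a path matching
# no rule is accepted. Prints "accept" or "reject"; exit status 1 on reject.
# Rules are regexes, so r|/dev/sdb| also rejects /dev/sdb1. Real LVM also
# tries every alias of a device (e.g. under /dev/disk/by-id), which this
# single-path check does not model.
lvm_filter_verdict() {
    local conf="$1" dev="$2" key="${3:-filter}" line hit
    line=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$conf" | head -n 1)
    hit=$(printf '%s\n' "$line" | grep -oE '"[^"]*"' | tr -d '"' |
        while read -r rule; do
            # A rule is action, delimiter, regex, delimiter, e.g. r|/dev/sdb|
            action=$(printf '%s' "$rule" | cut -c1)
            regex=$(printf '%s' "$rule" | sed 's/^..//; s/.$//')
            if printf '%s\n' "$dev" | grep -qE -- "$regex"; then
                echo "$action"
                break
            fi
        done)
    case "$hit" in
        r) echo reject; return 1 ;;
        *) echo accept; return 0 ;;
    esac
}

# Live check (needs root and the LVM tools): a PV showing up on a raw
# backend/cache device means LVM is looking around flashcache.
# Usage: check_no_raw_pvs /dev/sda3 /dev/sdb
check_no_raw_pvs() {
    local bad=0 dev
    for dev in "$@"; do
        if pvs --noheadings -o pv_name 2>/dev/null |
            grep -qE "^[[:space:]]*${dev}[[:digit:]]*[[:space:]]*$"; then
            echo "PV reported on raw device $dev: fix the LVM filter" >&2
            bad=1
        fi
    done
    return $bad
}

# Demonstration on a constructed lvm.conf (no real devices are touched).
demo_filter() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
devices {
    # filter = [ "a/.*/" ]
    filter = [ "r|/dev/sda3|","r|/dev/sdb|" ]
}
EOF
    lvm_filter_verdict "$tmp" /dev/sda3 || true            # reject
    lvm_filter_verdict "$tmp" /dev/sdb1 || true            # reject
    lvm_filter_verdict "$tmp" /dev/mapper/cachedev         # accept
    lvm_filter_verdict "$tmp" /dev/sda3 global_filter      # accept: lvmetad would not be filtered
    rm -f "$tmp"
}
```

Run lvm_filter_verdict against your own lvm.conf for each raw device, then check_no_raw_pvs on the live system after vgscan; the global_filter lookup returning accept on a CentOS 7 host with lvmetad is exactly the case that needs global_filter instead of filter.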
ANOTHER CAUTION!

qemu/kvm on a flashcache backend has data corruption problems when a Windows guest writes to disk with cache=none. Don't use cache=none on Windows guests. This seems to be related to direct I/O (O_DIRECT) or FUA writes bypassing the caching mechanism used by flashcache, which causes the corruption.
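As an added audit (not part of the original post), the following script scans a libvirt domain definition as printed by virsh dumpxml and lists every disk whose driver is configured with cache='none', so you can find guests that still have the setting the caution above warns about. The domain XML embedded below is constructed, and the volume group name vg_flash and the domain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: list disks of a libvirt domain
# that are configured with cache='none', the setting the post warns about for
# Windows guests on flashcache. Input is domain XML as written by
# `virsh dumpxml` (one element per line, single-quoted attributes).

# Print the source path of every <disk> whose <driver> has cache='none'.
# Usage: find_cache_none_disks domain.xml
#    or: virsh dumpxml win7-test | find_cache_none_disks
find_cache_none_disks() {
    awk -v q="'" '
        /<disk / { in_disk = 1; cache = ""; src = "" }
        in_disk && /<driver / && match($0, "cache=" q "[^" q "]*" q) {
            # "cache=\x27" is 7 characters; drop it and the closing quote
            cache = substr($0, RSTART + 7, RLENGTH - 8)
        }
        in_disk && /<source / && match($0, "(dev|file)=" q "[^" q "]*" q) {
            src = substr($0, RSTART, RLENGTH)
            sub("^[a-z]+=" q, "", src)
            sub(q "$", "", src)
        }
        /<\/disk>/ { if (in_disk && cache == "none") print src; in_disk = 0 }
    ' "${1:-/dev/stdin}"
}

# Constructed sample (not a real dump): two disks on a flashcache-backed
# volume group, hypothetical name vg_flash, one with the risky cache mode.
SAMPLE_DOMAIN_XML="<domain type='kvm'>
  <name>win7-test</name>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/vg_flash/win7-test'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='writethrough'/>
      <source dev='/dev/vg_flash/win7-data'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/virtio-win.iso'/>
      <target dev='hda' bus='ide'/>
    </disk>
  </devices>
</domain>"

# Demonstration helper: run the check over the constructed XML.
audit_sample_domain() {
    printf '%s\n' "$SAMPLE_DOMAIN_XML" | find_cache_none_disks
}
```

To audit every defined guest on a host, loop over `virsh list --all --name` and pipe each `virsh dumpxml` into find_cache_none_disks; any path it prints that lives on the flashcache-backed volume group and belongs to a Windows guest should be switched to another cache mode.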


OpenVPN custom ports and bridge with SELinux enabled

Filed in Linux | Networking

By default, the SELinux policy on RHEL/CentOS only allows OpenVPN to use port 1194, and does not let it execute brctl to set up a bridge (even with script-security 2 in the config).

You need to build a local SELinux policy module that lets OpenVPN execute brctl from an external script and connect to any port, but not listen on it (see the bottom of this article for the way to allow listening on specific ports that are not already defined by another SELinux policy).

Here is how.

First, install the required packages:

  • checkpolicy
  • policycoreutils
  • policycoreutils-python

Create a folder to store local modules, such as /etc/selinux/local, and cd into it.

Create the file openvpn-local.te:

module openvpn-local 1.0;

require {
        type openvpn_t;
        type port_t;
        type brctl_exec_t;
        class file { read getattr open execute execute_no_trans };
        class tcp_socket { name_connect };
}

#============= openvpn_t ==============
# Let the openvpn daemon (and the scripts it runs) execute brctl without a domain transition.
allow openvpn_t brctl_exec_t:file { read getattr open execute execute_no_trans };
# Let it connect (not listen) to TCP ports that no other policy has labelled.
allow openvpn_t port_t:tcp_socket { name_connect };

Then compile the module with

# checkmodule -M -m openvpn-local.te -o openvpn-local.mod

and package it with

# semodule_package -o openvpn-local.pp -m openvpn-local.mod

You can also download my prepackaged plugin here.

Now that the module is packaged, install it with

# semodule -i openvpn-local.pp

From now on, OpenVPN can connect out and can execute brctl from its interface setup scripts.
We could also let OpenVPN scripts execute any binary, but that is too risky and not recommended (I will not go into details here; it only takes a small change to the policy above).

If you want OpenVPN to listen on a port other than 1194, a policy that allows listening on any port is too risky; the safe way is to extend the port list of the openvpn SELinux policy. First list the ports the current policy allows:

# semanage port -l | grep openvpn_port_t
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194

This shows only tcp/udp 1194. Now add the ports you want, but SELinux refuses a port that is already defined exactly for another type (check the output of 'semanage port -l' to see which ports are already taken).

This command adds TCP port 11940 to openvpn_port_t in the SELinux policy:

# semanage port -a -t openvpn_port_t -p tcp 11940

OpenVPN should now be able to listen on TCP port 11940.
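The listing check above can be scripted. The following is an added example (not the post's own tooling) that parses `semanage port -l` output and tells you whether a port is free, already openvpn_port_t, or defined for another type, in which case `semanage port -a` fails with "already defined" and you would need `-m`, which takes the port away from its current owner. The sample listing embedded below is constructed and trimmed; the port numbers are the ones from this article.

```shell
#!/bin/sh
# Added example, not from the original post: decide how to let OpenVPN bind a
# non-default port without tripping over an existing SELinux port label.
# `semanage port -a` fails with "already defined" when another type owns
# exactly that port; ranges such as unreserved_port_t do not block it.

# Parse `semanage port -l` output (on stdin) and report how SELinux labels
# proto/port: "exact <type>" for a definition of exactly that port, and
# "range <type> <lo>-<hi>" for a range that covers it.
selinux_port_labels() {
    local proto="$1" port="$2"
    awk -v proto="$proto" -v port="$port" '
        BEGIN { port += 0 }
        $2 == proto {
            type = $1
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (index(p, "-")) {
                    split(p, r, "-")
                    if (r[1] + 0 <= port && port <= r[2] + 0) print "range " type " " p
                } else if (p + 0 == port) {
                    print "exact " type
                }
            }
        }'
}

# Print the semanage command that gives openvpn_port_t the port, or a comment
# if nothing is needed. Reads `semanage port -l` output on stdin and runs
# nothing, so the command can be reviewed first: with -m the port is taken
# away from the type that currently owns it, which breaks that service.
openvpn_port_command() {
    local proto="$1" port="$2" exact
    exact=$(selinux_port_labels "$proto" "$port" | awk '$1 == "exact" { print $2 }' | head -n 1)
    if [ "$exact" = openvpn_port_t ]; then
        echo "# $proto/$port is already openvpn_port_t"
    elif [ -z "$exact" ]; then
        echo "semanage port -a -t openvpn_port_t -p $proto $port"
    else
        echo "semanage port -m -t openvpn_port_t -p $proto $port  # takes $proto/$port away from $exact"
    fi
}

# Constructed, trimmed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194
unreserved_port_t              tcp      1024-32767, 61000-65535
unreserved_port_t              udp      1024-32767, 61000-65535
ephemeral_port_t               tcp      32768-60999'

# Demonstration helper: run the decision against the sample instead of the live policy.
sample_port_command() {
    printf '%s\n' "$SAMPLE_PORTS" | openvpn_port_command "$1" "$2"
}
```

On a real host run `semanage port -l | openvpn_port_command tcp 11940` and apply the printed command; port 11940 only falls inside the unreserved_port_t range, so plain -a works, whereas a port such as 443 would require -m and would break the service that owns it.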

I usually use this to test a captive portal remotely, with a VM bridged to the OpenVPN interface, which is in turn bridged to the hotspot network on the remote side.
This is an example of my OpenVPN configuration that bridges into the vlan10 bridge. (I did not include any encryption here, just for testing.) Note that without --secret or TLS options anyone who can reach TCP port 11940 gets a layer-2 port on vlan10, so keep it reachable only from trusted hosts.

hotspot.conf

# listen on the port added to openvpn_port_t above
port 11940
proto tcp-server
# the device name is not tapN, so tell OpenVPN it is a tap device
dev-type tap
dev vpn.hotspot
persist-tun
# allow calling the external up script
script-security 2
up /etc/openvpn/hotspot.up

hotspot.up (remember to chmod +x)

#!/bin/bash
# Called by OpenVPN once the tap device exists. OpenVPN passes the device
# name as $1; fall back to the name from hotspot.conf if it is missing.
set -e
dev=${1:-vpn.hotspot}

/sbin/ip link set dev "$dev" up
/usr/sbin/brctl addif vlan10 "$dev"

