How to Safely Reduce the Size of a Logical Volume

Do not attempt to shrink a volume if the partition is mounted! Always unmount first! If it is the root volume you need to reduce in size, use a Live DVD/USB instead. You should also take a backup first 😉

So here we can see I have one Physical Volume, /dev/md0, attached to my one volume group, RAIDVG.

[andy@home-pc ~]$ sudo pvs
  PV         VG     Fmt  Attr PSize PFree
  /dev/md0   RAIDVG lvm2 a--  1.91t    0

We can also see there is zero space left on the volume group.  You can use sudo pvdisplay to see a more detailed output.

As we can see, all this space is being used up by two Logical Volumes.

[andy@home-pc ~]$ sudo lvs
  LV        VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  MediaLV   RAIDVG -wi-ao----   1.32t                                                    
  StorageLV RAIDVG -wi-ao---- 600.00g

I can see the filesystem reports I have 664G available.  I am going to play it nice and safe and only attempt to reduce the size of my LV by 400G.

[andy@home-pc ~]$ sudo df -h /dev/RAIDVG/MediaLV 
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/RAIDVG-MediaLV  1.4T  603G  664G  48% /plex

Don’t forget to unmount!

[andy@home-pc ~]$ sudo umount -v /dev/RAIDVG/MediaLV
umount: /plex (/dev/mapper/RAIDVG-MediaLV) unmounted

Check for potential issues.

[andy@home-pc ~]$ sudo e2fsck -f /dev/RAIDVG/MediaLV
e2fsck 1.43.4 (31-Jan-2017)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/RAIDVG/MediaLV: 35668/88866816 files (11.1% non-contiguous), 163854225/355446784 blocks

It is very important that you pass the --resizefs option at the same time, so that the filesystem is shrunk before the logical volume is.

[andy@home-pc ~]$ sudo lvreduce -L -400G /dev/RAIDVG/MediaLV --resizefs
fsck from util-linux 2.29.2
/dev/mapper/RAIDVG-MediaLV: clean, 35668/88866816 files, 163854225/355446784 blocks
resize2fs 1.43.4 (31-Jan-2017)
Resizing the filesystem on /dev/mapper/RAIDVG-MediaLV to 250589184 (4k) blocks.
The filesystem on /dev/mapper/RAIDVG-MediaLV is now 250589184 (4k) blocks long.

  Size of logical volume RAIDVG/MediaLV changed from 1.32 TiB (347116 extents) to 955.92 GiB (244716 extents).
  Logical volume RAIDVG/MediaLV successfully resized.

Note the (minus) -400G. This means reduce by 400G. If I had used 400G instead, LVM would have made the LV 400G, reducing it from 1.3T.  I would have lost over 200G of actual data. Ouch!
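The sign pitfall described above can be checked with plain arithmetic before lvreduce is run. The following is an added example, not part of the original post: the function names are hypothetical, the LV size is the 347116 extents from the lvreduce output multiplied by an assumed 4 MiB extent size, and the used space is the 603G reported by df.

```shell
#!/bin/sh
# Added example: dry-run arithmetic for an lvreduce -L argument.
# Sizes are whole MiB; units are base two, which is how LVM reads -L input.

# to_mib SIZE: MiB for an unsigned size such as 400G, 512M or 1T
to_mib() {
    num=${1%[MmGgTt]}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        *[Mm]) echo "$num" ;;
        *[Gg]) echo $((num * 1024)) ;;
        *[Tt]) echo $((num * 1024 * 1024)) ;;
        *) return 1 ;;    # no unit given: refuse rather than guess
    esac
}

# lv_target_mib CURRENT_MIB SIZE_ARG: size the LV would have afterwards
lv_target_mib() {
    case $2 in
        -*) delta=$(to_mib "${2#-}") || return 1    # relative: reduce BY
            echo $(( $1 - delta )) ;;
        *)  to_mib "$2" ;;                          # absolute: reduce TO
    esac
}

# lv_reduce_verdict CURRENT_MIB USED_MIB SIZE_ARG [HEADROOM_PCT]
# Refuses any target smaller than the used space plus headroom (default 10%).
lv_reduce_verdict() {
    target=$(lv_target_mib "$1" "$3") || { echo invalid; return 2; }
    need=$(( $2 * (100 + ${4:-10}) / 100 ))
    if [ "$target" -ge "$1" ]; then
        echo "not-a-reduction"; return 1
    fi
    if [ "$target" -lt "$need" ]; then
        echo "unsafe target=${target}MiB need>=${need}MiB"; return 1
    fi
    echo "ok target=${target}MiB"
}

# Figures from the post: 347116 extents * 4 MiB (assumed), 603 GiB used
CURRENT_MIB=$((347116 * 4))
USED_MIB=$((603 * 1024))
```

With these figures, lv_reduce_verdict "$CURRENT_MIB" "$USED_MIB" -400G accepts the reduction, while the same call with 400G is refused because the target is smaller than the data already on the filesystem.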

And finally I now have 400G available in my VG.

[andy@home-pc ~]$ sudo pvs
  PV         VG     Fmt  Attr PSize PFree  
  /dev/md0   RAIDVG lvm2 a--  1.91t 400.00g

Be careful and remember to take a backup!

openssl

The OpenSSL project is an open-source general purpose cryptography library that implements the SSL and TLS protocols.

Configuration File

The configuration file for OpenSSL is openssl.cnf. Its location will probably vary across Linux distributions. On Red Hat systems the configuration file is as shown below.

/etc/pki/tls/openssl.cnf

You can use this file to define certain default values. For example, editing the dir variable sets the default directory for saving your certificates. You will need to first create the directory if you change this value.

dir = /certs/ssl/ca

Some additional variables I like to set are as shown below. You might also want to consider entering in this information if you generate a lot of self-signed certificates.

default_days = 3650
default_bits = 2048
countryName_default = US
stateOrProvinceName_default = Washington
localityName_default = Seattle
0.organizationName_default = My Company
commonName_default = example.com
emailAddress_default = root@example.com

Replacing these details with your own will save you from having to enter this information manually every time you create a new CSR (Certificate Signing Request).

locate

The locate command can be used to find files by name.

As usual you can find out everything you could possibly want to know about the locate command in the manual pages.

man locate

Essentially, a cron job runs at set periods and indexes each file name into a database. The locate command simply searches that database for a given file name. If you know the file you are searching for is new, you might first need to update the locate database with updatedb.

In its simplest form, to find a file called myfile.txt, run.

locate myfile.txt

find

You can use the find command to search a system for files or directories. The find command can be quite resource intensive as it trawls recursively through your file structure. Often a more suitable command is locate. See here for more information about the locate command.

As usual you should head to the manual pages to find out more.

man find

In its simplest form, you can use the find command like this.

find / -name myfile.txt

The ‘/’ is the directory to start recursively searching from. We use the ‘-name’ command line option to indicate we are searching on the file's name. In this case the string we are searching for is myfile.txt.

Create a Self-Signed Certificate for Apache

Contained within an SSL certificate is information that pertains to you and your secured domain. Let's imagine that you have a web hosting company called Spider, the details of which are shown below.

Country Name (2 letter code):		UK
State or Province Name (full name):	Surrey
Location Name (city):			Camberley
Organisation Name (company):		Spider Web Hosting
Organisation Unit Name (section):	IT Support
Common Name (your domain name):		spiderwebhosting.com
Email Address ():			webmaster@spiderwebhosting.com

A challenge password: 			leave blank
An optional company name: 		leave blank

Generate a Private Key and Certificate Signing Request

Here we generate a Certificate Signing Request and populate it with our details. The -nodes flag tells openssl to create a private key that does not require a pass-phrase. Omitting this flag means you will be prompted for a pass-phrase every time the key is used. If it is installed on Apache, this means entering it every time the Apache service is restarted.

openssl req -new -nodes > spiderwebhosting.com.csr

The above command will generate the CSR and the private key in your current directory.


spiderwebhosting.com.csr
privkey.pem

Generate the Certificate

To generate a certificate, you need a Certificate Signing Request and a private key. The command below creates a certificate valid for 365 days, called spiderwebhosting.com.cert, within your current working directory.

openssl x509 -in spiderwebhosting.com.csr -out spiderwebhosting.com.cert -req -signkey privkey.pem -days 365

Make sure that the private key is not world-readable but the certificate is.

chmod go-rwx privkey.pem

The above command removes read, write and execute permissions on the private key from the group and other users.
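The three steps above, run non-interactively and followed by the checks worth making before the files go anywhere near Apache. This is an added example, not part of the original post: the function names are hypothetical, the subject fields are the Spider details listed earlier, and a 2048-bit RSA key is assumed.

```shell
#!/bin/sh
# Added example: CSR, key and certificate in one pass, then an audit.

# make_selfsigned DIR CN: writes privkey.pem, CN.csr and CN.cert into DIR
make_selfsigned() {
    dir=$1
    cn=$2
    subj="/C=UK/ST=Surrey/L=Camberley/O=Spider Web Hosting/OU=IT Support/CN=$cn"
    (
        umask 077    # the key is never group- or world-readable, even briefly
        openssl req -new -nodes -newkey rsa:2048 -subj "$subj" \
            -keyout "$dir/privkey.pem" -out "$dir/$cn.csr" 2>/dev/null
    ) || return 1
    openssl x509 -req -in "$dir/$cn.csr" -signkey "$dir/privkey.pem" \
        -days 365 -out "$dir/$cn.cert" 2>/dev/null || return 1
    chmod 600 "$dir/privkey.pem"
    chmod 644 "$dir/$cn.cert"
}

# key_matches_cert KEY CERT: true when the certificate holds the key's public half
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# group_other_bits FILE: the six group/other permission characters from ls -l
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_pair KEY CERT: prints "ok" or the first problem found
audit_pair() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch"; return 1; }
    [ "$(group_other_bits "$1")" = "------" ] ||
        { echo "key readable by group/other"; return 1; }
    case $(group_other_bits "$2") in
        r??r??) ;;
        *) echo "cert not world-readable"; return 1 ;;
    esac
    echo ok
}
```

Setting the umask before the key is written closes the window in which privkey.pem would otherwise exist with default permissions until chmod runs.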

Gentoo: Temporarily Configure Networking

This can be useful if you're working from a LiveCD or testing the network. Note, “temporary” means it will not survive a reboot! To configure networking, adjust the below commands for your own environment.

ifconfig eth0 192.168.1.109 broadcast 192.168.1.255 netmask 255.255.255.0 up
route add default gw 192.168.1.254

The above commands assign the static IP address of 192.168.1.109 to the eth0 interface and define the default gateway as 192.168.1.254.

You might also need to add some nameservers to your /etc/resolv.conf configuration file.

nameserver 192.168.1.254
nameserver 1.2.3.4

Again, this configuration will be lost after a reboot. To permanently create these rules, use the /etc/conf.d/net configuration file.

Unable to Install mkpasswd on CentOS 6.4

I was surprised to find the mkpasswd utility missing from my new installation of CentOS 6.4.

Yum has a feature called whatprovides, which can be used to find out which installable package provides some feature, utility or file. The below demonstrates its use. You just need to prefix ‘*/’ to the name of the utility that you're searching for.

[root@server ~]# yum whatprovides */mkpasswd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base/filelists_db                                                                                                                     | 5.9 MB     00:00     
extras/filelists_db                                                                                                                   |  10 kB     00:00     
updates/filelists_db                                                                                                                  | 2.8 MB     00:00     
expect-5.44.1.15-4.el6.x86_64 : A program-script interaction and testing utility
Repo        : base
Matched from:
Filename    : /usr/bin/mkpasswd

[root@server ~]# 

The output shows us that the expect package contains the mkpasswd utility.

[root@server ~]# yum install expect

Now I can quickly and easily generate strong passwords from the Linux command line. For example, the following command produces a password using the default set of arguments.

[root@server ~]# mkpasswd
N5cZ8v*dq

A default password is 9 characters long. Each password will have at least 2 digits (numbers); 2 upper and 2 lowercase alphabetic characters; plus 1 special character, which in our example is an asterisk (‘*’).