Rackspace Cloud Monitoring Agent

The Rackspace cloud monitoring agent allows you to monitor CPU, memory, filesystem usage and system processes. It does this by collecting information about the system and pushing it out to Rackspace Cloud Monitoring web services, where it can be analyzed, graphed, and alerted on. It is this technology that the Rackspace monitoring checks are built upon.

Plus you get a nice pretty little bar graph in the server details section of the control panel 🙂

Install the Agent

While the instructions used here are for Ubuntu 14.04 LTS, this page lists the exact commands needed for all major distros.

wget http://meta.packages.cloudmonitoring.rackspace.com/ubuntu-14.04-x86_64/rackspace-cloud-monitoring-meta-stable_1.0_all.deb
dpkg -i rackspace-cloud-monitoring-meta-stable_1.0_all.deb
apt-get update
apt-get install rackspace-monitoring-agent

If your distribution of choice isn’t listed, you can always install from source.

Configure and Start Daemon

If the /etc/rackspace-monitoring-agent.cfg file isn’t present, you will need to choose one of the methods below to start the service.

Quick Method

Run the below commands, replacing the username and API key with your own.

rackspace-monitoring-agent --setup --username <your-username> --apikey <your-api-key>
rackspace-monitoring-agent start -D

Interactive Method

Alternatively you can simply run the below to interactively enter your username and your API key or password.

rackspace-monitoring-agent --setup

Followed by…

service rackspace-monitoring-agent start

Updating

The monitoring agent does not update itself. However, if you installed using a package manager, such as apt-get, agent updates will be pulled in and applied with regular system updates anyway.

apt-get update
apt-get dist-upgrade

Uninstalling the Agent

Assuming you didn’t install from source and you used your distro’s package manager, you will uninstall with the same method. I am using Ubuntu, so…

apt-get remove rackspace-monitoring-agent

Or if you’re using CentOS/RHEL.

yum remove rackspace-monitoring-agent

Related Documents

https://github.com/virgo-agent-toolkit/rackspace-monitoring-agent

http://www.rackspace.com/knowledge_center/article/install-and-configure-the-cloud-monitoring-agent#UpgradeAgent

http://meta.packages.cloudmonitoring.rackspace.com/

http://docs.rackspace.com/cm/api/v1.0/cm-devguide/content/install-configure.html

http://www.rackspace.com/knowledge_center/article/about-the-cloud-monitoring-agent

Protect Your Cloud Infrastructure Servers with Isolated Cloud Networks

Create a Private Cloud Network

Create an isolated cloud network. Here I am using the supernova client to communicate with the Rackspace OpenStack API.

supernova uk network-create "Infrastructure" "192.168.3.0/24"
+----------+--------------------------------------+
| Property | Value                                |
+----------+--------------------------------------+
| cidr     | 192.168.3.0/24                       |
| id       | 4d15b8ad-45c5-4169-a4fa-d36f1a776efd |
| label    | Infrastructure                       |
+----------+--------------------------------------+

Take note of the id – you’ll need it shortly!

Create a Proxy Server and Attach to the Private Network

supernova uk boot proxy-bast --flavor 2 --image 189678ca-fe2c-4b7a-a986-30c3660edfa5 --nic net-id=4d15b8ad-45c5-4169-a4fa-d36f1a776efd

The above creates a server using the CentOS 6.6 image. Other images of interest are:

+--------------------------------------+------------------------------------------+--------+
| ID                                   | Name                                     | Status |
+--------------------------------------+------------------------------------------+--------+
| 189678ca-fe2c-4b7a-a986-30c3660edfa5 | CentOS 6 (PVHVM)                         | ACTIVE |
| f8ae535e-67c0-41a5-bf55-b06d0ee40cc2 | CentOS 7 (PVHVM)                         | ACTIVE |
| 6909f56c-bd77-411a-8c0e-c37876b68d1d | Ubuntu 14.04 LTS (Trusty Tahr) (PVHVM)   | ACTIVE |
+--------------------------------------+------------------------------------------+--------+

Proxy Bastion Configuration

Later we create a cloud server with no public IP, which is protected by sitting behind our proxy bastion. From the bastion side, in order for our protected server to have access to the internet, we need to apply firewall rules for IP forwarding and Network Address Translation. This process differs depending on which distribution you use. Here I cover CentOS 6.6, CentOS 7 and Ubuntu 14.04.

CentOS 6.6

Under CentOS 6.6 and before, you need to configure IPTables to do the forwarding and the Network Address Translation (NAT). We will be forwarding the traffic from the eth2 interface, out through the eth0 interface. We also use Static NAT or MASQUERADE so that traffic coming from our protected infrastructure takes on the public IP address of our proxy bastion.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether bc:76:4e:08:40:d8 brd ff:ff:ff:ff:ff:ff
    inet 95.138.163.75/24 brd 95.138.163.255 scope global eth0
    inet6 2a00:1a48:7805:113:be76:4eff:fe08:40d8/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::be76:4eff:fe08:40d8/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether bc:76:4e:08:3d:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth2
    inet6 fe80::be76:4eff:fe08:3d31/64 scope link 
       valid_lft forever preferred_lft forever

Enable IP Forwarding

To enable forwarding, you need to enable it in two places. One in /proc/sys/net/ipv4/ip_forward.

echo 1 > /proc/sys/net/ipv4/ip_forward

And the other in /etc/sysctl.conf. The below uses grep to check the value of net.ipv4.ip_forward.

grep net.ipv4.ip_forward /etc/sysctl.conf 
net.ipv4.ip_forward = 0

If zero, enable with a one as shown below.

net.ipv4.ip_forward = 1

Configure Static NAT and Forwarding Rules

iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to 95.138.163.75
iptables --append FORWARD --in-interface eth2 -j ACCEPT
service iptables save

We also need to remove the default reject rule on the FORWARD chain:

iptables -D FORWARD 1
# save again so the deletion survives the restart below
service iptables save

Here I delete rule number one from the FORWARD chain. Make sure you delete the correct line. To see the line numbers, use:

[root@proxy-bast ~]# iptables -vnL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    44444   62M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW tcp dpt:22 
5        1    40 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 8769 packets, 544K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Make sure you have restarted everything.

service iptables restart
service network restart
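
An added example, not part of the original post: `service iptables restart` reloads the rules saved in /etc/sysconfig/iptables, so that file has to reflect the ruleset after the last change. The script audits a dump in that format for the forwarding and NAT rules discussed above; both sample dumps are constructed, and the tighter variant is an assumption rather than the author's ruleset.

```shell
#!/bin/sh
# Added example (not from the original post). Reads an iptables-save dump,
# the format "service iptables save" writes to /etc/sysconfig/iptables, on
# stdin and prints one line per finding. $1 is the private-side interface.
audit_forward() {
    awk -v lan="$1" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD / {
            n++
            # REJECT/DROP with no match criteria ends the chain for every packet.
            if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/ && !blanket) blanket = n
            if (index($0, " -i " lan " ") && $0 ~ /-j ACCEPT/ && !accept) accept = n
        }
        table == "nat" && /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            nat = 1
            if ($0 !~ / -s /) print "nat-unscoped: source NAT is not limited to the private subnet"
        }
        END {
            if (!nat) print "no-nat: no SNAT or MASQUERADE rule in POSTROUTING"
            if (!accept) {
                print "no-accept: no rule forwards traffic arriving on " lan
            } else if (blanket && blanket < accept) {
                print "shadowed: blanket rule " blanket " is evaluated before the " lan " ACCEPT (rule " accept ")"
            }
            if (policy == "ACCEPT" && !blanket)
                print "forward-open: FORWARD policy ACCEPT forwards packets from every interface"
        }
    '
}

# Constructed sample: the file as saved while the default REJECT rule was
# still rule 1 of the FORWARD chain.
saved_early() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 95.138.163.75
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth2 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: a tighter variant (an assumption, not the post's ruleset).
tighter() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to-source 95.138.163.75
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.3.0/24 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

echo "== saved with REJECT still first"; saved_early | audit_forward eth2
echo "== REJECT deleted, then saved"; saved_early | grep -v -- '-j REJECT' | audit_forward eth2
echo "== tighter variant"; tighter | audit_forward eth2
```

On the bastion itself, feed it the real file: `audit_forward eth2 < /etc/sysconfig/iptables`.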

Now configure the default gateway on the infrastructure server.

CentOS 7

With the introduction of firewalld, CentOS 7 now does things a little differently.

Method 1

This method uses the predefined zones available to us and is by far the easiest method to apply. The external zone has IP masquerading enabled by default so there should be little to do.

Define Your Zones

To view your zone setup.

[root@proxy-bast ~]# firewall-cmd --get-default-zone
public
[root@proxy-bast ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1 eth2

To see the supported predefined zones, use the --get-zones or --list-all-zones option.

firewall-cmd --list-all-zones

The zones I will be using are external, work and internal.

external
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules:

work
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

internal
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

My setup looks like this…

Port   Firewall Zone   Name                      IPv4
---------------------------------------------------------------
eth0   external        PublicNet (Internet)      162.13.87.197
eth1   work            ServiceNet (Rackspace)    10.179.198.73
eth2   internal        Infrastructure            192.168.3.1

…and can be achieved with the below commands. Don’t forget to restart firewalld!

firewall-cmd --permanent --zone=external --change-interface=eth0
firewall-cmd --permanent --zone=work --change-interface=eth1
firewall-cmd --permanent --zone=internal --change-interface=eth2
firewall-cmd --reload
systemctl restart firewalld

Method 2

With this method we use the --direct option so we can include traditional iptables rules.

Enable IP Forwarding

This step is not needed if you are using the predefined “external” zone provided by firewalld, as masquerade is enabled by default already.

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

To check it’s enabled:

[root@proxy-bast ~]# sysctl -p
net.ipv4.conf.eth0.arp_notify = 1
vm.swappiness = 0
net.ipv4.ip_forward = 1

Configure Static NAT and Forwarding Rules

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING --out-interface eth0 -j SNAT --to 162.13.87.197
firewall-cmd --permanent --direct --passthrough ipv4 --append FORWARD --in-interface eth2 -j ACCEPT
firewall-cmd --reload

systemctl restart network
systemctl restart firewalld

Method 3

Revert back to the tried and tested iptables.

Revert back to Using IPTables

systemctl stop firewalld
systemctl disable firewalld

# the iptables and ip6tables services are provided by this package
yum install iptables-services

touch /etc/sysconfig/iptables
systemctl start iptables
systemctl enable iptables

touch /etc/sysconfig/ip6tables
systemctl start ip6tables
systemctl enable ip6tables

Now you can follow the instructions for CentOS 6.6.

Ubuntu 14.04 LTS

In Ubuntu we use the Uncomplicated Firewall (UFW).

Enable IP Forwarding

Use a text editor to open up the below file as root…

nano /etc/default/ufw

…and enable the default forward policy – change to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

We also need to edit the below…

nano /etc/ufw/sysctl.conf

…and uncomment the following lines.

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1

Configure Static NAT and Forwarding Rules

As root, open the below file.

nano /etc/ufw/before.rules

From the top, my configuration file looks like the below. I inserted the nat table block, from the "# nat Table rules" comment down to the first COMMIT.

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]

-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to-source 162.13.87.197
-A PREROUTING -i eth2 -j ACCEPT
COMMIT


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT

...

You will need to restart ufw for the changes to take effect.

ufw disable && sudo ufw enable

For some reason this wiped my SSH rule:

ufw allow ssh
ufw reload
ufw status verbose

Create Infrastructure Server

Here we spin up a server connected to our isolated cloud network, with no public interface. All communications must go via the proxy-bast server.

supernova uk boot protected --flavor 2 --image 189678ca-fe2c-4b7a-a986-30c3660edfa5 --nic net-id=4d15b8ad-45c5-4169-a4fa-d36f1a776efd --no-service-net --no-public

Configure Internet Gateway

Here we simply need to route the traffic through the proxy bastion. We do this by defining it as our default gateway. We also need to set our DNS servers.

CentOS 6.6

Simplicity!

echo "GATEWAY=192.168.3.1" >> /etc/sysconfig/network
echo "nameserver 83.138.151.80" >> /etc/resolv.conf
echo "nameserver 83.138.151.81" >> /etc/resolv.conf
service network restart

CentOS 7

The default image provided by Rackspace comes with nmcli disabled. As such the process is similar to previous releases.

echo "GATEWAY=192.168.3.1" >> /etc/sysconfig/network
echo "nameserver 83.138.151.80" >> /etc/resolv.conf
echo "nameserver 83.138.151.81" >> /etc/resolv.conf
echo "DNS1=83.138.151.80" >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo "DNS2=83.138.151.81" >> /etc/sysconfig/network-scripts/ifcfg-eth0
systemctl restart network

Ubuntu 14.04 LTS

To define the default gateway, you need to edit the /etc/network/interfaces file.

nano /etc/network/interfaces

Mine looks like this. Make sure to add the gateway.

auto eth0
iface eth0 inet static
    address 192.168.3.4
    netmask 255.255.255.0
    gateway 192.168.3.1

You will need to manually add Rackspace’s name servers to your resolv.conf. However, on Ubuntu this file is automatically generated. Instead we edit /etc/resolvconf/resolv.conf.d/base and regenerate the file using the resolvconf command.

root@protected:~# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@protected:~# echo "nameserver 83.138.151.80" >> /etc/resolvconf/resolv.conf.d/base
root@protected:~# echo "nameserver 83.138.151.81" >> /etc/resolvconf/resolv.conf.d/base
root@protected:~# resolvconf -u
root@protected:~# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 83.138.151.80
nameserver 83.138.151.81

I needed to reboot for the changes to take effect.

reboot

Related Documents

Rackspace Developer Blog: Protect your Infrastructure Servers with Bastion Hosts and Isolated Cloud Networks

Rackspace Developer Blog: Supernova: Managing OpenStack Environments Made Easy

Rackspace Knowledge Centre: Using OnMetal Cloud Servers through API

Fedora: Firewalld

Oracle-Base: Linux Firewall (firewalld, firewall-cmd, firewall-config)

Kevin’s Cheat Sheet: Configure iptables to act as a NAT gateway

Rackspace Developer Blog: Getting Started: Using rackspace-novaclient to manage Cloud Servers

James Rossiter: Forward ports in Ubuntu Server 12.04 using ufw

Ubuntu Documentation: Firewall

Github: UFW

Code Ghar: Ubuntu 12.04 IPv4 NAT Gateway and DHCP Server

Linux Gateway: A More Complex Firewall

netfilter.org: Saying How to Mangle the Packets

Ubuntu Documentation: IptablesHowTo

Major.io: Delete single iptables rules

iptables.info: Iptables

snipt.net: Insert an iptables rule on a specific line number with a comment, and restore all rules after reboot

stackexchange.com: How do I set my DNS on Ubuntu 14.04?

thesimplesynthesis.com: How to Set a Static IP and DNS in Ubuntu 14.04

Rackspace Knowledge Centre: Ubuntu – Setup

Rackspace Knowledge Centre: Introduction to iptables

Rackspace Knowledge Centre: Sample iptables ruleset

Ubuntu Geek: Howto add permanent static routes in Ubuntu

NixCraft: Debian / Ubuntu Linux Setting a Default Gateway

Ask Ubuntu: Set up permanent routing (Ubuntu 13.04)

cviorel.com: How to set up a VPN server on Ubuntu

Redhat Support: 10.4. Static Routes and the Default Gateway

Install and Configure fail2ban on CentOS 7

To install fail2ban on CentOS/RHEL 7, you first need to make sure you have the EPEL repository enabled. Then you can simply install it with yum as usual.

# yum install fail2ban

Configure fail2ban

You will need to create a file called jail.local. To do this, make a copy of jail.conf (do not edit jail.conf itself) and edit the copy.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# vim /etc/fail2ban/jail.local

To enable fail2ban to work with SSH, make sure enabled=true is somewhere under the [sshd] section.

[sshd]
enabled = true

To make sure fail2ban is started and has picked up your changes, run the below.

# systemctl enable fail2ban.service
# systemctl restart fail2ban.service

Check Service

You should always check the service you have installed is working correctly. Fail2ban logs its messages to /var/log/fail2ban.log, so you can check it’s working by tailing the log file.

tail -f /var/log/fail2ban.log

You should hopefully see something like this if you watch it for long enough.

2015-02-21 16:39:34,644 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:36,658 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:39,671 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:41,679 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:45,694 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:46,658 fail2ban.actions        [4609]: NOTICE  [sshd] Ban 115.230.126.151
2015-02-21 16:39:47,712 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151

If your log file fills up with messages like the below, you will either have to create a PTR record that matches your server’s FQDN or stop fail2ban from using DNS.

...
2015-02-21 16:23:30,756 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,771 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,784 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,823 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,836 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,980 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,993 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:31,888 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:31,934 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
...

I resolved this issue by creating a PTR. However, the alternative is to make sure fail2ban does not use DNS:

# vim /etc/fail2ban/jail.local

Make sure usedns = no is present within the [DEFAULT] section.

[DEFAULT]
usedns = no

And as usual, restart the service.

# systemctl restart fail2ban.service
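
An added example, not part of the original post: a summary of the log format shown above, counting matches and bans per jail and address, matches logged after the ban, and DNS-lookup warnings per hostname. The sample input repeats lines from the two log excerpts above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a fail2ban log read
# from stdin. Output is one line per "[jail] address" pair and one line per
# hostname that triggered a DNS-lookup warning.
f2b_summary() {
    awk '
        $7 == "Found" || $7 == "Ban" {
            key = $6 " " $8                  # "[jail] address"
            seen[key] = 1
            if ($7 == "Ban") {
                bans[key]++
            } else {
                found[key]++
                if (bans[key] > 0) late[key]++   # match logged after a ban
            }
        }
        $5 == "WARNING" && /Determined IP using DNS Lookup:/ { dns[$11]++ }
        END {
            for (k in seen)
                printf "%s found=%d bans=%d found_after_ban=%d\n", k, found[k], bans[k], late[k]
            for (h in dns)
                printf "dns-lookup %s count=%d\n", h, dns[h]
        }
    ' | sort
}

# Sample input: lines taken from the two excerpts shown in this post.
sample_log() { cat <<'EOF'
2015-02-21 16:23:30,756 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,771 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,784 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:39:34,644 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:36,658 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:39,671 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:41,679 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:45,694 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:46,658 fail2ban.actions        [4609]: NOTICE  [sshd] Ban 115.230.126.151
2015-02-21 16:39:47,712 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
EOF
}

sample_log | f2b_summary
```

Against the live log, run `f2b_summary < /var/log/fail2ban.log`.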

Related Documents

How to Install Fail2Ban on CentOS
fail2ban on CentOS 7 for ssh access
Hostnames or IP Addresses

Repodata is over 2 weeks old

In Red Hat 7 / CentOS 7, you may need to clear your repository cache if you see the below message when using yum.

Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast

To clear your cache simply run the below.

[root@bashful ~]# yum clean all
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Cleaning repos: base epel extras updates
Cleaning up everything
Cleaning up list of fastest mirrors
[root@bashful ~]# 

Securing an SSH Server

Nobody likes to log into their server and see this!

[andy@bashful ~]$ ssh root@ssh.dummydomains.org.uk
Last failed login: Sun Feb  8 16:31:28 UTC 2015 from 218.65.30.73 on ssh:notty
There were 31673 failed login attempts since the last successful login.
Last login: Tue Feb  3 19:26:42 2015
[root@bashful ~]# 

Over 31,000 failed root login attempts in just a few days!!

Disable Root Logins

By default (on my system at least), root logins are enabled. Before you disable root logins, make sure you have set up a regular user and can successfully log in with that user using either a strong password or key-based authentication.

[root@bashful ~]# vim /etc/ssh/sshd_config

To change the default setting, search for the following and remove the comment….

#PermitRootLogin yes

…and change the value to no like so.

PermitRootLogin no

Don’t forget to restart SSH.

[root@bashful ~]# systemctl restart sshd.service

Lock-down SSH by User

Add each user that is allowed to log in using SSH to the AllowUsers list.

[root@bashful ~]# vim /etc/ssh/sshd_config

Add the AllowUsers directive followed by a list of users.

AllowUsers andy james phil sally sarah harry

Again, you need to restart the service.

[root@bashful ~]# systemctl restart sshd.service

For additional security you could of course change the port to something other than the default TCP 22, but in this example, I simply don’t bother.
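
An added example, not part of the original post, covering both settings above (PermitRootLogin and AllowUsers): it reads an sshd_config and reports the value sshd would use, given that a commented line sets nothing and that the first occurrence of a single-valued keyword wins. The three sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check PermitRootLogin and
# AllowUsers in an sshd_config read from stdin.

# Print every global value of keyword $1, in file order. Comments and blank
# lines are skipped; parsing stops at the first Match block.
sshd_values() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    '
}

check_sshd() {
    cfg=$(cat); rc=0
    # Single-valued keyword: sshd keeps the first value it reads.
    root=$(printf '%s\n' "$cfg" | sshd_values PermitRootLogin | head -n 1)
    # AllowUsers may appear on several lines; the lists accumulate.
    users=$(printf '%s\n' "$cfg" | sshd_values AllowUsers | tr '\n' ' ')
    case "$root" in
        no) echo "ok: PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin not set, the built-in default applies"; rc=1 ;;
        *)  echo "FAIL: effective PermitRootLogin is '$root'"; rc=1 ;;
    esac
    if [ -z "$users" ]; then
        echo "FAIL: no AllowUsers in the global section"; rc=1
    else
        echo "ok: AllowUsers ${users% }"
    fi
    return "$rc"
}

# Constructed samples.
cfg_shipped() { cat <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}
cfg_shadowed() { cat <<'EOF'
PermitRootLogin yes
AllowUsers andy james phil sally sarah harry
# appended later; has no effect because the keyword is already set above
PermitRootLogin no
EOF
}
cfg_fixed() { cat <<'EOF'
PermitRootLogin no
AllowUsers andy james phil sally sarah harry
EOF
}

for sample in cfg_shipped cfg_shadowed cfg_fixed; do
    echo "== $sample"
    "$sample" | check_sshd || true
done
```

On a live host, `sshd -t` checks the file for errors before you restart the service, and `sshd -T` prints the effective settings.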

Related Documents

Disable or Enable SSH Root Login and Limit SSH Access in Linux

Getting Started with the Rackspace Nova Client

You will need to export some environment variables used by the Nova client.

$ vim ~/.bash_profile

If you have a UK-based Rackspace cloud account, you will need to enter something like this:

OS_USERNAME=username
OS_TENANT_NAME=accountnumber
OS_AUTH_SYSTEM=rackspace
OS_PASSWORD=apikey
OS_AUTH_URL=https://lon.identity.api.rackspacecloud.com/v2.0/
OS_REGION_NAME=LON
OS_NO_CACHE=1
export OS_USERNAME OS_TENANT_NAME OS_AUTH_SYSTEM OS_PASSWORD OS_AUTH_URL OS_REGION_NAME OS_NO_CACHE

…And if you have a US, Hong Kong or Sydney based account:

OS_USERNAME=username
OS_TENANT_NAME=accountnumber
OS_AUTH_SYSTEM=rackspace
OS_PASSWORD=apikey
OS_AUTH_URL=https://identity.api.rackspacecloud.com/v2.0/
# set this to the region your servers are in: DFW, ORD, IAD, HKG or SYD
OS_REGION_NAME=DFW
OS_NO_CACHE=1
export OS_USERNAME OS_TENANT_NAME OS_AUTH_SYSTEM OS_PASSWORD OS_AUTH_URL OS_REGION_NAME OS_NO_CACHE

Because we have our password in a plain text file, it is recommended that we at least lock down the permissions so no other system users can see it:

$ chmod 600 ~/.bash_profile

Don’t forget that whenever you make changes to your bash profile, you need to run the below command for the changes to take effect in your current session (without logging out and back in, of course).

$ source ~/.bash_profile

Check the command works by running something like:

$ nova image-list

Related Documents

Installing python-novaclient on Linux and Mac OS

Step 2. Install the nova Client with the Cloud Networks Extension

Installing the Rackspace Nova Client on CentOS 7

Installing the Rackspace Nova client should just be as simple as installing the below packages.

$ sudo yum install python-setuptools
$ sudo easy_install pip
$ sudo pip install rackspace-novaclient

However, you will first need to make sure you have the development tools or the installation will fail with messages about not being able to find the GCC compiler.

sudo yum group install "Development Tools"