Centos7 cleaning boot partition

March 20th, 2018 No comments

Boot partition might be full as it stores old kernels etc.

To clean it up and store only the latest 2 kernels do the below

Take a backup of your /boot partition somewhere first

edit /etc/yum.conf and set installonly_limit=2 

# install yum utilities 
yum install yum-utils

# cleanup old kernels 
package-cleanup --oldkernels --count=2
Categories: Linux Tags:

Self Signed Certificates ( with SAN )

May 8th, 2017 No comments

This is a post on creating self signed certificates that include SAN ( Subject Alternative Name )

As of Google Chrome Version 58, if you do not have SAN in your self signed certificates, you will get an error similar to this

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site’s certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

So we are going to do these

  • Make some config changes to openssl.cnf
  • Re-generate SSL key and Certificates
  • Update apache with the location to the new keys and restart apache
  • Remove old trusted root cert from chrome and import the new one

I am doing this on CentOS 7 with the below openssl lib installed

  • CentOS Linux release 7.3.1611 (Core)
  • OpenSSL 1.0.1e-fips 11 Feb 2013
  • OpenSSL config file:  /etc/pki/tls/openssl.cnf

To make sure you are modifying the right config file, put some garbage into it and run the openssl command. If it fails, you have the right file. Remove the garbage again before continuing.

Openssl Config changes 

under [ CA_default ] section – un-comment

# Extension copying option: use with caution.
copy_extensions = copy

under [ req ] section, check the value of x509_extensions ( mine says x509_extensions = v3_ca )

search for the [ v3_ca ] ( or whatever the section from x509_extensions ) and add the below line to it

subjectAltName = @alt_names

create a new section [alt_names] and put this ( change localhost.com to your local domain )

DNS.1 = localhost.com

if you want to use IP address instead of DNS name, then do the following

IP.1 =

save and exit

Re-generate SSL key and Certificates 

openssl genrsa -out server.key 3072

# modify number of days as required and provide details of Country, CN etc
 openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730

# You can check the certificate using
 openssl x509 -in certificate.pem -text -noout

You should be able to see below lines
Version: 3 (0x2)
X509v3 Subject Alternative Name:
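
The same result without editing the system-wide openssl.cnf, as an added example that is not part of the original post: the SAN settings live in a private config file passed with -config, and a second function checks that the SAN made it into the certificate. The san.cnf file name, the v3_san section name and the 192.0.2.10 address are assumptions chosen for illustration.

```sh
# Added example: self-signed certificate with SAN built from a private config
# file passed with -config, so /etc/pki/tls/openssl.cnf stays untouched.
# localhost.com and 192.0.2.10 are constructed sample values.
make_san_cert() {   # $1 = existing output directory
    cat > "$1/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_san

[ dn ]
CN = localhost.com

[ v3_san ]
# leaf certificate, not a CA
basicConstraints = CA:FALSE
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = localhost.com
IP.1  = 192.0.2.10
EOF
    # umask keeps the private key readable by its owner only
    ( umask 077 && openssl genrsa -out "$1/server.key" 3072 2>/dev/null ) &&
    openssl req -new -x509 -sha256 -days 730 -config "$1/san.cnf" \
        -key "$1/server.key" -out "$1/certificate.pem"
}

# Succeed only if the certificate's SAN extension lists DNS name $2.
cert_has_san_dns() {   # $1 = certificate file, $2 = DNS name
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}
```

Call make_san_cert with an empty directory, then cert_has_san_dns on the resulting certificate.pem before pointing apache at it.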

Wrapping up

  • On chrome, go to settings, SSL and remove any previous certificates
  • Then visit your site using https
  • Chrome will throw a warning
  • We need to add our self signed cert to Chrome's Root authority so that chrome will trust it
  • Press F12 – Security – View Certificate – Copy to File – Save it to your computer
  • Go to Settings – SSL – Manage Certificates – Trusted Root Certificate Authorities – Import
  • Import the certificate you just saved.
  • Completely close chrome and open again and try the https site
  • Try rebooting the machine if chrome still complains.
  • If it still did not work, then something went wrong somewhere.
  • Please see what OS and package versions you are using and check if the commands/paths require a change


  • https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/
  • http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl
Categories: Linux Tags: ,

Rsync and details on what has changed

January 13th, 2017 No comments


# create a directory and a couple of files 
mkdir /tmp/mydir1;
mkdir /tmp/mydir1/data;
echo "hello" > /tmp/mydir1/hello.txt;
echo "name is john" > /tmp/mydir1/name.txt;
mkdir -p /tmp/mydir1/dir1/dir2/dir3/dir4/dir5;

# copy the directory with all permissions etc to a new directory 
# -a : copy exactly with owner, group, permissions etc
# -r : recursive
cp -ar /tmp/mydir1 /tmp/mydir2

Some rsync options 

  • --dry-run : only do a simulation – do not perform the actual action
  • -v : verbose
  • -a : archive mode – this is equal to specifying all these options ( -r -l -p -t -g -o -D )
  • -r : recursive
  • -l : copy symlinks as symlinks
  • -p : preserve permissions
  • -t : preserve file timestamps
  • -g : preserve group
  • -o : preserve owner
  • -D : preserve device files and special files
  • -c : compare file checksum instead of timestamp and filesize
  • -i : itemize changes – print a summary of what differs for each entry
  • --delete : delete any files in destination that are not in the source

First try – simple dry run 

# rsync --dry-run -avc --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list


Nothing has changed, as the two directories are exact copies.
Now let's make some changes to mydir2

echo "hello again" >> /tmp/mydir2/hello.txt;
touch /tmp/mydir2/newfile.txt;
chmod o+rwx /tmp/mydir2/dir1;
mkdir /tmp/mydir2/newdir;
chgrp nobody /tmp/mydir2/dir1/dir2;
chown nobody /tmp/mydir2/dir1/dir2/dir3;

Try again 

# rsync --dry-run -avc --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list
deleting newdir/
deleting newfile.txt

You will see what changes will be done in this list

To see more details use the --itemize-changes ( -i ) option.
This will tell in detail which attribute has changed

Second try – lets format the output 

# rsync --dry-run -avci --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list
.d..t...... ./
*deleting newdir/
*deleting newfile.txt
>fcst...... hello.txt
.d...p..... dir1/
.d.....g... dir1/dir2/
.d....o.... dir1/dir2/dir3/

Each entry is now prefixed with a string of flags – explanations are below ( see man rsync for more details on --itemize-changes )

  • (>) means file is being transferred
  • (c) means a change is happening or file is being created
  • (*deleting) means file will be deleted on destination
  • (p) means permission changed
  • (g) means group changed
  • (o) means owner changed
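
An added example (not from the original post) that decodes the flag string position by position, following the YXcstpoguax layout documented in man rsync, and then filters for permission, owner and group drift. In >fcst the c sits in the third position, where it means the checksum differs; the function names are hypothetical.

```sh
# Added example: decode rsync --itemize-changes lines read on stdin.
# Flag layout is YXcstpoguax (see man rsync); prints "<path><TAB><what differs>".
explain_itemized() {
    awk '
    /^\*deleting/ { sub(/^\*deleting +/, ""); print $0 "\tdelete"; next }
    /^[.<>ch][fdLDS]/ {
        flags = substr($0, 1, 11); path = substr($0, 13)
        if (substr(flags, 3, 1) == "+") { print path "\tnew"; next }
        n = split("checksum size mtime perms owner group", name, " ")
        out = ""
        for (i = 1; i <= n; i++) {
            ch = substr(flags, i + 2, 1)       # flag positions 3..8
            if (ch != "." && ch != " ") out = (out == "" ? "" : out ",") name[i]
        }
        print path "\t" (out == "" ? "none" : out)
    }'
}

# Keep only entries whose permissions, owner or group differ.
metadata_drift() {
    explain_itemized | awk -F '\t' '$2 ~ /perms|owner|group/'
}

# The itemized output from the second try above, embedded so this runs offline.
ITEMIZED_SAMPLE='.d..t...... ./
*deleting newdir/
*deleting newfile.txt
>fcst...... hello.txt
.d...p..... dir1/
.d.....g... dir1/dir2/
.d....o.... dir1/dir2/dir3/'

printf '%s\n' "$ITEMIZED_SAMPLE" | explain_itemized
printf '%s\n' "$ITEMIZED_SAMPLE" | metadata_drift
```

Against a live tree, pipe the output of rsync --dry-run -aci --delete into metadata_drift instead of the embedded sample.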




Categories: Linux Tags:

PHP Remote CLI Script Debugging with PHPStorm

February 9th, 2016 No comments

PHPStorm is one of the best IDEs to develop in PHP. I recently came across tons of complex php cli scripts and needed a way to debug them.

Follow this PHPStorm Docs post first to set up php storm and the server.

Most important things to configure are

  • Set up xdebug correctly on the remote server. Don't use xdebug.remote_connect_back. Instead use xdebug.remote_host
  • Xdebug must be set up for php cli – check with the command php -i | grep xdebug and you should see many entries
  • Set up deployment path mapping correctly in your project settings – a lot of people miss this and wonder why debug is not working
  • Check your firewalls on both machines, make sure required ports are open, especially port 9000
  • Check debugger settings in phpstorm and make sure you have break at first line set up

In the PHPStorm tutorial, it asks you to set up SSH tunnel. If you are not doing tunneling, you should set these environment variables on the remote server

Eg, if my remote server is centos, i will set these 2 variables

export PHP_IDE_CONFIG="serverName=myDeploymentServerName";

serverName is the name of the server you set up for deployment in phpstorm deployment settings

these variables are valid for the session, if you logout and log in, you have to set them again.

You can add these to your .bashrc file in your home folder to make them permanent

In case you want to use xdebug.remote_connect_back, you might have to run your php scripts on the command line with additional args like this

php -dxdebug.remote_enable=1  -dxdebug.remote_host= -dxdebug.remote_connect_back=0 /path-to-php-script


Installing VirtualBox Guest Addition on CentOS 7 server – no GUI

January 19th, 2016 3 comments

I am doing this on

  • VirtualBox 5.0.12
  • Windows 8.1 64 bit Host
  • CentOS 7 server 64 bit guest up to date


  • Start CentOS 7 guest
  • From the Devices menu, go to Optical Drives and remove the previous CD/DVD using Remove Disk from Virtual Drive
  • Then click on Devices and select Insert Guest Additions CD Image.
  • This will put the Guest addition cd into /dev/cdrom in CentOS
  • SSH into CentOS and mount the cdrom with the command
mount /dev/cdrom /mnt
  • Install required libraries
sudo yum install bzip2 gcc kernel-devel dkms
  • install the guest addition, nox11 is to indicate that we dont have a GUI
bash /mnt/VBoxLinuxAdditions.run --nox11
  • It will install and finally give some messages like below
Verifying archive integrity... All good.
Uncompressing VirtualBox 5.0.12 Guest Additions for Linux............
VirtualBox Guest Additions installer
Removing installed version 5.0.12 of VirtualBox Guest Additions...
Removing existing VirtualBox DKMS kernel modules[ OK ]
Removing existing VirtualBox non-DKMS kernel modules[ OK ]
Copying additional installer modules ...
Installing additional modules ...
Removing existing VirtualBox DKMS kernel modules[ OK ]
Removing existing VirtualBox non-DKMS kernel modules[ OK ]
Building the VirtualBox Guest Additions kernel modules[ OK ]
Doing non-kernel setup of the Guest Additions[ OK ]
You should restart your guest to make sure the new modules are actually used
Installing the Window System drivers
Could not find the X.Org or XFree86 Window System, skipping.

  • Shutdown the CentOS VM and add shared folders and select Auto Mount
  • Start the CentOS VM and the shared folder should be available at /media on CentOS


Setting the default editor to nano Linux

January 14th, 2016 No comments

In CentOS, the default system editor is VI
If you want to edit the crontab with crontab -e command, the text editor that opens up is VI

In order to change the system wide default text editor to nano, edit /etc/bashrc and put the below line in it at the bottom

export EDITOR="nano"

Exit and login again for the changes to take effect

Categories: Linux Tags: ,

Disabling SELinux on CentOS 7

January 14th, 2016 No comments

Security-Enhanced Linux (SE Linux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. It controls which applications can access what directories in the system.

For example, the default rules for apache are to only be allowed to access /var/www and /var/log/httpd and some other configuration directories. If apache tries to access any other directory, then SELinux will not permit it if it is enabled.

Example, default web root for apache is /var/www, if you change it to /home/code, then SELinux will not allow apache to access files in /home/code and the application will fail to load on the web page

You have 2 options,

  • manually add the new location to SELinux apache rules by giving appropriate groups ( recommended )
  • disable SELinux permanently

Similarly, if you change the data directory for mysql, you will come across this issue

Sometimes you need a quick fix and might need to disable SELinux

This is not recommended on production systems. Do it at your own risk.

Command to check if SELinux is active is sestatus

[root@ip-172-30-0-220:/]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Current Mode is set to enforcing, which means SELinux is active

Temporarily Disabling SELinux

To temporarily disable SELinux, use the command

sudo setenforce 0

Then check with sestatus and Current Mode should be permissive. This will revert back on boot to enforcing

To enable SELinux again, use

setenforce 1


Permanently Disabling SELinux

edit /etc/selinux/config

change SELINUX=enforcing to SELINUX=disabled

restart the server and check with sestatus command
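
A check built on the sestatus fields shown above, as an added example that is not part of the original post: it compares the running mode with the mode from the config file, so a forgotten setenforce 0 or a pending SELINUX=disabled shows up. The function name and message wording are assumptions.

```sh
# Added example: classify `sestatus` output read on stdin.
# Prints one line and returns 0 (ok), 1 (warning) or 2 (not enforcing).
selinux_audit() {
    awk -F ': *' '
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (status != "enabled") {
                print "FAIL: SELinux is " (status == "" ? "unknown" : status); exit 2
            }
            if (cur == "enforcing" && cfg == "enforcing") {
                print "OK: enforcing now and after reboot"; exit 0
            }
            if (cur == "enforcing") {
                print "WARN: enforcing now, " cfg " after reboot"; exit 1
            }
            if (cfg == "enforcing") {
                print "WARN: " cur " now (setenforce 0?), enforcing after reboot"; exit 1
            }
            print "FAIL: " cur " now and " cfg " after reboot"; exit 2
        }'
}

# The relevant lines of the sestatus output shown earlier in this post.
SESTATUS_SAMPLE='SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing'

printf '%s\n' "$SESTATUS_SAMPLE" | selinux_audit
```

On a real host run sestatus | selinux_audit; the non-zero return codes make it usable from cron or a monitoring check.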

Categories: Linux Tags:

Changing MySQL data directory CentOS 7

January 14th, 2016 No comments

Doing this on CentOS 7 64 bit and MySQL 5.6 community edition

Sometimes it is better to put mysql in a separate partition than its regular location

Typically the mysql database are located in /var/lib/mysql

I want to change it to /var/data/mysql 

Modify the paths as required in the below commands

stop mysql

systemctl stop mysqld.service

create new mysql data directory

mkdir -p /var/data/mysql

modify /etc/my.cnf and point to new data directory – add the client section to the top



copy all files from /var/lib/mysql to the new directory /var/data/mysql

cp -r /var/lib/mysql/* /var/data/mysql

permissions for the new directory

chown -R mysql /var/data/mysql;
chgrp -R mysql /var/data/mysql;
chmod -R g+rw /var/data/mysql;

also modify SELINUX settings to allow mysql to use the different path

# add context and make it permanent 
semanage fcontext -a -s system_u -t mysqld_db_t "/var/data/mysql(/.*)?"
restorecon -Rv /var/data/mysql

start mysql

systemctl start mysqld.service


MySQL should start cleanly.
You can verify the change by creating a test database.
Then go to /var/data/mysql and you should be able to see the new database there

Categories: MySQL Tags: ,

Adding a Self Signed Certificate to Trusted Certificate on Linux

January 14th, 2016 No comments

Sometimes, when we generate self signed certificates, some libraries need them to be a part of the operating system's trusted certificates

I am doing this on CentOS 7 and for OpenSSL

This will only work for apps/libraries that use OpenSSL's trusted certificate list

I already have my self signed certificate in /etc/pki/tls/certs/my-self-signed-cert.crt

cp /etc/pki/tls/certs/my-self-signed-cert.crt /etc/pki/ca-trust/source/anchors/

sudo update-ca-trust

Better Putty Color Scheme for existing Sessions on Windows

December 18th, 2015 No comments

Putty is a versatile tool for remote SSH access – however the color schemes are not too impressive. The blue especially is really bad. You can change the blue color in the settings but what if you already have a ton of putty Saved Sessions. You will have to painfully modify each. There is a better way by directly modifying the registry entry for all sessions at once.

I am doing this on Windows 7.
A word of caution, we will be modifying registry entries. I have done this many times without problems, however I will still say, do it at your own risk.

Right, lets get to it then.

Press Windows Key + R to get the Run prompt
Enter regedit and press Ok. This will open the registry editor
Navigate to HKEY_CURRENT_USER -> Software -> SimonTatham -> PuTTY
Expand Sessions and you should see all your Saved Sessions listed there
Right Click on Sessions and select Export
Save the file as putty-original.reg somewhere where you can locate it
Don't modify this file, this is your backup file
If something goes wrong or you don't like the changes, you re-import this file and you are back where you started
Make a copy of the file and call it putty-new.reg
Open putty-new.reg in your text editor ( I am using notepad++ or sublime )
This will have color value blocks for all your Saved Sessions.
You have to replace the entire color block with the new color block

Replace the color blocks with this new color block – do this for all color blocks


Once you have replaced blocks for all sessions in the file, save putty-new.reg
Double click on putty-new.reg to import the new settings.
Windows will ask for permissions and display warnings, go ahead click ok

Exit out of your current putty sessions and re connect.
You should see the new colors and color scheme.

If something went wrong, or you did not like the color scheme, double click putty-original.reg to get back to your old settings.
Keep putty-original.reg safely.

There are many links on the web which will let you build your own color schemes – try them


This color scheme I found here

Categories: Tips and Tricks Tags: ,