Friday, November 6, 2020

System has not been booted with systemd as init system (PID 1). Can't operate - Docker Error

If you start a service in a Docker container with the systemctl command, or configure any service, and get the error above, check the output of the command

ps aux

inside your Docker container. If the PID 1 process is not systemd, that is the cause.


In the image above, the PID 1 process is bash because I launched the container with the bash command.

When launching your container, you probably started it with the bash command or some other command. It should have been launched with the systemd command.

If you launch a container with systemd and the container stops after some time and cannot be started again, it means the image you are launching it from was not built to run systemd as PID 1.

You need an image that is built to handle this.

Solution :

Pull and run the following image from the Docker registry.

docker run -d --name linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-ubuntu:20.04

I needed Ubuntu 20.04 for my service; if you need Ubuntu 18.04 or Ubuntu 16.04, simply replace 20.04 with 18.04 or 16.04 in the command above and it will pull the requested image.

Once you run the command above, you do not need to launch a container from this image, as it is already launched and running. Log into the container with the following command.

docker exec -it linuxamination bash

Once you are inside the container, your PID 1 process will be systemd.

Now if you run the systemctl command or configure any service, you will not get the error you were getting before.
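The check described above, as an added example that is not part of the original post: a small POSIX shell script that tells you what PID 1 is before you call systemctl, so the "not booted with systemd" error is caught up front. It works on saved `ps aux` output (a constructed sample is embedded) and on the live system via /proc/1/comm. The function names and the sample output are my own assumptions, not anything from the images the post recommends.

```shell
#!/bin/sh
# Added example (not from the original post): check what PID 1 is before
# calling systemctl inside a container. Two checks are shown: one parses
# saved `ps aux` output, the other reads /proc/1/comm on the live system.

# Constructed `ps aux` output from a container started with `bash`
# (sample data, not a real capture).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  18508  3400 pts/0    Ss   10:00   0:00 bash
root        42  0.0  0.1  34400  2900 pts/0    R+   10:01   0:00 ps aux'

# pid1_from_ps: read `ps aux` output on stdin and print the program of PID 1.
# Column 2 is the PID; column 11 is the first word of the command line.
pid1_from_ps() {
    awk '$2 == 1 { print $11; exit }'
}

# pid1_live: print the command name of PID 1 on the current system, read
# from /proc/1/comm (Linux only); prints "unknown" if it cannot be read.
pid1_live() {
    cat /proc/1/comm 2>/dev/null || echo unknown
}

# init_is_systemd: return 0 when the given PID 1 program is systemd (with or
# without a leading path such as /lib/systemd/systemd), which is what
# systemctl needs to talk to; return 1 otherwise.
init_is_systemd() {
    case "${1##*/}" in
        systemd) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_systemctl: run systemctl only when PID 1 is systemd; otherwise
# explain the problem instead of producing the "System has not been
# booted with systemd" error.
safe_systemctl() {
    init="$(pid1_live)"
    if init_is_systemd "$init"; then
        systemctl "$@"
    else
        echo "PID 1 is '$init', not systemd; start the container from a systemd image instead" >&2
        return 1
    fi
}

# Demonstration on the constructed sample:
echo "PID 1 in sample: $(printf '%s\n' "$SAMPLE_PS" | pid1_from_ps)"
```

Run it inside the container to confirm the fix took effect (`pid1_live` should print `systemd`), or pipe a saved `ps aux` capture into `pid1_from_ps`. One point worth keeping in mind: the images in the solutions below are started with `--privileged`, which gives the container all capabilities and access to host devices, so use such containers only with images you trust and on hosts where that level of access is acceptable.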

Systemd Error solution for different Docker Images :

a) Solution for Ubuntu
Pull Image command :
docker run -d --name Linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-ubuntu:20.04
Log into the Container :
docker exec -it Linuxamination bash

b) Solution for CentOS
Pull Image command :
docker run -d --name linuxaminationC8 --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro alekseychudov/centos8-systemd
Log into the Container :
docker exec -it linuxaminationC8 bash

c) Solution for Debian
Pull Image command :
sudo docker run -d --name systemd-debian --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-debian:11
Log into the Container :
sudo docker exec -it systemd-debian bash

d) Solution for Fedora
Pull Image command :
sudo docker run -d --name systemd-fedora --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-fedora
Log into the Container :
sudo docker exec -it systemd-fedora bash

e) Solution for Redhat Linux
Pull Image command :
sudo docker run -d --name linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro registry.access.redhat.com/ubi8/ubi-init:8.1
Log into the Container :
sudo docker exec -it linuxamination bash

f) Solution for AlmaLinux
Pull Image command :
sudo docker run -d --name almalinuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro almalinux/8-init
Log into the Container :
sudo docker exec -it almalinuxamination bash

You can see the solution in the following video.
Monday, October 19, 2020

fail2ban to secure ssh server

SSH is a network protocol for operating network services securely over an unsecured network, but the word "secure" in the name does not mean it cannot be broken. Admins need to configure it securely.

If you are forced to provide SSH access globally, I would suggest not using passwords as the login method. RSA keys are a more secure way to log in, and they make unauthorized access to the server much harder.

But if for some reason you cannot use RSA keys as the login method, you should install fail2ban on your server. It protects you in certain ways against unauthorized access.

If you are under the impression that nobody is trying to log into your server, try this on a dummy server: open port 22 for SSH login and check /var/log/auth.log or /var/log/secure after an hour or two. You will find countless SSH login requests. People from every corner of the earth are trying very hard to get inside your server.

Here is the way to secure your server if your SSH login method is password.

1) Install fail2ban on your Linux system.

apt install fail2ban
or
yum install fail2ban

2) Configure jail.local

nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 7200
findtime = 900
maxretry = 5
[sshd]
enabled = true

service fail2ban restart

fail2ban is now configured on your server. Now you want to know whether it is working or not. Your concern is valid; read the following steps.

A) If you want to know how many jails you have created in fail2ban, here is the command to check the number of jails.

sudo fail2ban-client status

In the configuration above we created only one jail, so it will list only one jail, i.e. 'sshd'.

B) Now you want to check how many IPs have been blocked. The following command shows the total number of blocked IPs as well as the list of IPs that are currently blocked. Check the status of currently blocked IPs:

sudo fail2ban-client status <jailname>
sudo fail2ban-client status sshd

You set bantime to 7200 in your config, which means it will block an IP for 2 hours if there are 5 or more failed login attempts. You can reduce the number of allowed failed login attempts and increase bantime depending on your requirements.

C) If you want to block an IP or a whole IP range manually, here is the command. Block an IP or IP range manually:

sudo fail2ban-client -vvv set sshd banip 141.98.10.0/24
sudo fail2ban-client -vvv set sshd banip 222.141.207.246

The first command blocks the IP range from 141.98.10.0 to 141.98.10.255; it includes all 256 IPs. The second command blocks only one IP, i.e. 222.141.207.246.

D) If you think nobody wants to log into your server because the files on it are useless to them, try the command below. Even if you put just one blank file a.txt on your server, if people get access to it they will write into the file how many bitcoins they want, or they will simply remove the file along with other OS files that your user is allowed to remove.

Check all failed login attempts:

grep rhost /var/log/auth.log

SSH unauthorized access can be the biggest damage to you and your server. Do not take it lightly.
1) Always use the key login method for your SSH user, and do not open port 22 globally.
2) If you are forced to open it globally, use the key login method, and RSA keys only.
3) If you are forced to use the password login method with global access, then you must choose a super strong password for your user and configure fail2ban.
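As an added example that is not part of the original post, here is what the `grep rhost` check above looks like when turned into a per-address count, which is the same signal fail2ban's sshd jail acts on when it compares failures against maxretry. The log lines are constructed (RFC 5737 documentation addresses, not real traffic), and the function names are my own. The script counts only lines carrying rhost=, exactly like the grep, and it does not model fail2ban's findtime window: it counts over the whole input rather than over a 900-second sliding window.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address from auth.log-style lines and list the addresses that
# reached fail2ban's maxretry threshold.

# Constructed sample log lines (documentation addresses, not real traffic).
# "Failed password" lines are included as noise: only rhost= lines are
# counted here, matching `grep rhost /var/log/auth.log`.
SAMPLE_LOG='Nov  6 10:01:02 host sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Nov  6 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  6 10:01:07 host sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
Nov  6 10:01:10 host sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Nov  6 10:01:13 host sshd[1207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=test
Nov  6 10:01:16 host sshd[1209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Nov  6 10:02:30 host sshd[1210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Nov  6 10:02:40 host sshd[1211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Nov  6 10:03:00 host sshd[1212]: Accepted publickey for deploy from 192.0.2.9 port 50001 ssh2'

# count_rhost: read log lines on stdin and print "count ip" for every
# rhost= value, most frequent first. Empty rhost= fields are skipped.
count_rhost() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=/) {
                ip = substr($i, 7)        # drop the 6-character "rhost=" prefix
                if (ip != "") c[ip]++
            }
        }
    } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# over_threshold: print the addresses whose failure count is at least $1,
# the value the post configures as maxretry (5).
over_threshold() {
    count_rhost | awk -v m="$1" '$1 >= m { print $2 }'
}

# Demonstration on the constructed sample:
echo "Failures per source address:"
printf '%s\n' "$SAMPLE_LOG" | count_rhost
echo "Would reach the ban threshold at maxretry=5:"
printf '%s\n' "$SAMPLE_LOG" | over_threshold 5
```

On a real host run `count_rhost < /var/log/auth.log` (or /var/log/secure on CentOS and RHEL). Addresses that show up here but not in `fail2ban-client status sshd` are usually ones whose failures were spread over more than findtime, which is why the post suggests tightening maxretry and raising bantime if the noise is persistent.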

Yandex New Account - Enable 'Create Organization' Option to add multiple Organizations under one account

If you have registered a new account on Yandex to connect your domain to Yandex Mail, you might face an issue adding multiple organizations under one account.
You cannot find the Organization dropdown in the Admin Tools of your Yandex account. Here are the steps to activate the Organization dropdown in your Yandex account.

1) Register new account on Yandex
https://connect.yandex.com > Try out > Register
or
https://passport.yandex.com/registration

2) After registering and logging into the new account, you can add your domain in the Domains section.

3) Once it is verified, if you want to add another domain under the same account, you should add it as a different organization.

Adding it under the same organization may cause issues. The best option is to create another organization, but this option may not be visible in a new Yandex account.

4) To make it visible: connect.yandex.com > login > Admin Tools > your username/image icon at top right > Add new business
https://connect.yandex.com/portal/registration?action=add&source=connect&preset=&retpath=https%3A%2F%2Fconnect.yandex.com%2Fportal%2Fhome
Click on Create an organization.

5) Now a new organization will be created with a new organization id, which can be renamed in the profile section.
In the same way you can create as many organizations as you want, and you do not need the 'top left menu' option to create a new organization.