Had to troubleshoot a Solaris box but couldn’t go by IP address since it wasn’t picking one up.
tshark -i eth1 -R "eth.addr == 00:03:ba:05:0d:60"
Install needed software
pkg install gsed wget SUNWapch22 sunstudioexpress
Yes, sunstudioexpress is really necessary. gcc will NOT work with mod_bw.
Download mod_bw
cd /tmp
wget http://ivn.cl/files/source/mod_bw-0.8.tgz
gunzip mod_bw-0.8.tgz
tar xf mod_bw-0.8.tar
cd mod_bw
Build/install the module. We need to make sure the SunStudioExpress binaries are chosen before anything else, so add it to the beginning of PATH.
export PATH=/opt/SunStudioExpress/bin:$PATH
We also need to make a symlink to /usr/ucb/echo (this is a bug with the apxs included in opensolaris, not with mod_bw)
mkdir /usr/ucb
ln -s /usr/bin/echo /usr/ucb/echo
Now cross your fingers and build the module
/usr/apache2/2.2/bin/apxs -i -a -c mod_bw.c
If it complains about .h files, you can find them here:
/usr/apache2/2.2/include
/usr/apr/1.3/include
/usr/apr-util/1.3/include
Once apxs finishes, it should automatically add the following entry to /etc/apache2/2.2/conf.d/modules-32.load
LoadModule bw_module /var/apache2/2.2/libexec/mod_bw.so
Add the following to /etc/apache2/2.2/httpd.conf
BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On
Restart apache2 and check its status
svcadm restart apache22
svcs -a | grep apache22
online 1:55:27 svc:/network/http:apache22
If it’s in maintenance mode, check the log file
/var/svc/log/network-http:apache22.log
I have some older D-Link DCS-900 cameras being used with ZoneMinder for a security system at home.
While these cameras are normally very stable (no lock-ups for weeks or months at a time) it still happens. To make things work more smoothly, I decided to find a way to restart the devices with cron.
I decided to have the cameras be reset twice a month (on the 1st and 15th of each month at 4am).
crontab -e
0 4 1,15 * * wget --http-user=admin --http-password=YOUR-PASSWORD -O /dev/null --post-data="Reset= Yes " http://camera1/Reply.html
You can remove the --http-user and --http-password sections if you do not have an admin user/password set.
Keep in mind that the password sits in the crontab and is passed on the wget command line, so anyone who can read the crontab or the process list while wget runs can see it, and the request itself goes over plain HTTP. Keep the crontab readable only by its owner and treat the camera's admin password as a low-value credential.
Ubuntu 9.10 uses initrd.lz instead of initrd.gz, so PXE booting like you did in previous versions does not work.
This article assumes you’ve already downloaded the iso and have a working PXE boot server.
First, copy the contents of the iso to a directory we can work with
mkdir /tmp/910
mount -o loop ubuntu-9.10-desktop-i386.iso /tmp/910
cp -r /tmp/910 /tftpboot
Convert initrd.lz to initrd.gz
cd /tftpboot/910/casper
mkdir initrd
cp initrd.lz initrd
cd initrd
lzma -dc -S .lz initrd.lz | cpio -id
rm initrd.lz
find . | cpio --quiet --dereference -o -H newc | gzip -9 > initrd.gz
cp initrd.gz /tftpboot/910/casper
Now add the appropriate lines to pxelinux (Example: /tftpboot/pxelinux.cfg/default)
LABEL Ubuntu 9.10 i386 Unmodified Livecd
KERNEL 910/casper/vmlinuz
APPEND root=/dev/nfs boot=casper netboot=nfs nfsroot=192.168.0.1:/home/tftpboot/910 initrd=910/casper/initrd.gz quiet splash --
Make sure /tftpboot is shared via NFS; in /etc/exports add the following line. The exported path must be the one the nfsroot= option in the APPEND line points at (above it is /home/tftpboot/910 while the export is /tftpboot/910, so adjust one or the other to wherever the files really live). The live image is only ever read, so ro instead of rw also works and keeps PXE clients from writing to the server.
/tftpboot/910 192.168.0.0/24(rw,async,no_subtree_check)
Reload the NFS server
/etc/init.d/nfs-kernel-server reload
The following outlines how to set up an OpenSolaris client to work with a Linux OpenLDAP server.
The following is one line
ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=admin,dc=server -a proxyPassword=yourpassword -a defaultSearchBase=dc=server -a defaultServerList=192.168.1.1:389 -a serviceSearchDescriptor=passwd:ou=People,dc=server -a serviceSearchDescriptor=group:ou=Groups,dc=server
Note that authenticationMethod=simple against a plain port-389 server means the proxy bind password, and user passwords during login, cross the network unencrypted. The proxyPassword is also stored on the client, so use a dedicated low-privilege proxy account for proxyDN rather than the directory admin account shown here.
Add the following lines to their appropriate sections in /etc/pam.conf
login auth required pam_ldap.so.1
other auth required pam_ldap.so.1
passwd auth required pam_ldap.so.1
Test LDAP with
ldaplist -l passwd
Test user authentication using the following steps
mkdir /export/home/ldapuser
chown ldapuser /export/home/ldapuser
Edit /etc/auto_home and add the following BEFORE “+auto_home”
ldapuser localhost:/export/home/ldapuser
SSH to test
ssh ldapuser@localhost
You should be in! If not, you may have to change the following in /etc/ssh/sshd_config
PAMAuthenticationViaKBDInt no
#Change from yes to no
Restart SSH
svcadm restart ssh
If you are still unable to log in, your userPassword attribute probably needs to be changed from md5/md5crypt to crypt.
su - ldapuser
passwd
After changing your password you should be able to log in. Keep in mind that classic crypt hashes are DES-based and only consider the first eight characters of the password, so this is a step backwards in password strength; accept it only if the Solaris client really cannot verify the stronger hash.
Install the sysstat package
apt-get install sysstat
# iostat -m
Linux 2.6.27-14-generic (slowaris) 07/28/2009 _x86_64_
avg-cpu: %user %nice %system %iowait %steal %idle
4.88 6.65 3.03 1.49 0.00 83.95
Device: tps MB_read/s MB_wrtn/s MB_read MB_wrtn
md0 221.24 0.64 0.78 1765002 2159490
We can see that I/O isn’t terribly high here, but there are 221 transfers per second going on.
To check what processes are causing I/O
echo 1 > /proc/sys/vm/block_dump
tail -f /var/log/syslog | grep md0
Jul 28 08:20:12 server kernel: [2752582.434647] kvm(17362): READ block 1017744552 on md0
Jul 28 08:20:12 server kernel: [2752582.502401] kvm(17362): READ block 615283608 on md0
Jul 28 08:20:13 server kernel: [2752582.634622] kvm(17362): READ block 1017744576 on md0
Jul 28 08:20:14 server kernel: [2752583.964709] kvm(17362): READ block 1017744608 on md0
Jul 28 08:20:14 server kernel: [2752584.372889] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
Jul 28 08:20:14 server kernel: [2752584.372908] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
We see that kvm is causing some disk I/O; now we know where to start investigating!
To turn off these messages
echo 0 > /proc/sys/vm/block_dump
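The block_dump output is easy to eyeball for a handful of lines but not on a busy box. As an added example that is not from the original post, here is a small Python script that parses those kernel messages and ranks processes by the number of operations recorded per device. The log lines embedded in it are constructed for the demonstration (the first six mirror the ones shown above; the rest are made up to show other processes, a second device and an unrelated kernel message).

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the same format as the syslog lines shown above.
SAMPLE_LOG = """\
Jul 28 08:20:12 server kernel: [2752582.434647] kvm(17362): READ block 1017744552 on md0
Jul 28 08:20:12 server kernel: [2752582.502401] kvm(17362): READ block 615283608 on md0
Jul 28 08:20:13 server kernel: [2752582.634622] kvm(17362): READ block 1017744576 on md0
Jul 28 08:20:14 server kernel: [2752583.964709] kvm(17362): READ block 1017744608 on md0
Jul 28 08:20:14 server kernel: [2752584.372889] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
Jul 28 08:20:14 server kernel: [2752584.372908] kvm(1868): dirtied inode 17367041 (live-default-32.img) on md0
Jul 28 08:20:15 server kernel: [2752585.100001] kjournald(812): WRITE block 44 on md0
Jul 28 08:20:15 server kernel: [2752585.200001] rsyslogd(1432): WRITE block 9001 on sda1
Jul 28 08:20:16 server kernel: [2752586.000000] eth0: link up
"""

# "comm(pid): OP block N on dev" for block requests ...
_BLOCK_RE = re.compile(
    r"\s(?P<comm>[^\s(]+)\((?P<pid>\d+)\): (?P<op>[A-Z]+) block (?P<block>\d+) on (?P<dev>\S+)\s*$"
)
# ... and "comm(pid): dirtied inode N (name) on dev" for inode writes.
_INODE_RE = re.compile(
    r"\s(?P<comm>[^\s(]+)\((?P<pid>\d+)\): dirtied inode (?P<inode>\d+) \((?P<name>[^)]*)\) on (?P<dev>\S+)\s*$"
)


def parse_line(line):
    """Return a record for a block_dump line, or None for any other syslog line."""
    m = _BLOCK_RE.search(line)
    if m:
        return {"comm": m.group("comm"), "pid": int(m.group("pid")), "op": m.group("op"),
                "dev": m.group("dev"), "block": int(m.group("block"))}
    m = _INODE_RE.search(line)
    if m:
        return {"comm": m.group("comm"), "pid": int(m.group("pid")), "op": "dirtied",
                "dev": m.group("dev"), "inode": int(m.group("inode")), "name": m.group("name")}
    return None


def summarize(log_text, device=None):
    """Map (comm, pid) -> Counter of operations, optionally for a single device."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (device is not None and rec["dev"] != device):
            continue
        summary[(rec["comm"], rec["pid"])][rec["op"]] += 1
    return dict(summary)


def top_talkers(log_text, device=None):
    """((comm, pid), total_ops) pairs, busiest first; ties broken by name then pid."""
    summary = summarize(log_text, device)
    return sorted(((proc, sum(ops.values())) for proc, ops in summary.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Pipe real output in (e.g. grep md0 /var/log/syslog | python3 blockdump_top.py md0)
    # or run with no input to see the constructed sample.
    dev = sys.argv[1] if len(sys.argv) > 1 else None
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    ops_by_proc = summarize(text, dev)
    for (comm, pid), total in top_talkers(text, dev):
        print("%-12s pid %-6d %4d ops  %s" % (comm, pid, total, dict(ops_by_proc[(comm, pid)])))
```

The two regexes follow the two message shapes the kernel emits with block_dump enabled (block requests and dirtied inodes); anything else on the syslog line is ignored, so the script can read the unfiltered log.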
Other OpenVZ Ubuntu 8.10 guides that I’ve seen have you use the old lenny repository; since this no longer exists let’s try another way!
I used a 64-bit machine; steps will be the same for 32-bit. If you have 64-bit and just want to download the kernel I used: http://bbis.us/~will/openvz-ubuntu810.tar.gz
Now let’s build the kernel.
cd /usr/src
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.tar.bz2
tar xjf linux-2.6.27.tar.bz2
cd linux-2.6.27
wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/patches/patch-briullov.1-combined.gz
gunzip patch-briullov.1-combined.gz
wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-x86_64.config.ovz
#OR
wget http://download.openvz.org/kernel/branches/2.6.27/2.6.27-briullov.1/configs/kernel-2.6.27-i686.config.ovz
cp kernel-2.6.27-*.config.ovz .config
patch -p1 < patch*
make oldconfig
make
make modules_install install
cd /boot
mkinitramfs -o /boot/initrd.img-2.6.27 2.6.27
vi /boot/grub/menu.lst
#Replace the uuid entries with your disk's UUID
title Ubuntu 8.10 OpenVZ 2.6.27
uuid 2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8
kernel /boot/vmlinuz-2.6.27 root=UUID=2d5b2466-4bdf-44c7-b8e5-4d46a9f927c8 ro quiet splash
initrd /boot/initrd.img-2.6.27
quiet
grub-install /dev/sda
apt-get install vzctl vzquota
reboot
If everything went according to plan, you’ll boot into your new kernel. If you get a kernel panic, or things are not working as expected, you may have to
make menuconfig
Once the kernel is working, let’s create a container.
cd /var/lib/vz/private
mkdir 1
debootstrap hardy 1
When you see:
#I: Base system installed successfully.
You can continue.
vi /etc/vz/dists/default
#Change redhat to debian OR copy ubuntu.conf to default
Create the container and set an IP
vzctl set 1 --applyconfig vps.basic --save
vzctl set 1 --ipadd 192.168.100.7 --save
vzctl set 1 --nameserver 192.168.100.1 --save
vzctl start 1
At this time you cannot enter the container. You will receive the error
Unable to open pty: No such file or directory
To fix this:
vzctl exec 1 update-rc.d -f udev remove
Restart and enter the container
vzctl restart 1
vzctl enter 1
If network doesn’t work add to /etc/sysctl.conf on server (not container):
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
This should also work with Ubuntu 9.04
apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools
Much like Debian, we must perform an extra step to make our changes permanent.
dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your-server
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No
Now we will populate LDAP. You should probably add a temporary LDAP user for testing. After we populate LDAP we’ll remove it.
adduser test
cd /usr/share/migrationtools
Edit migrate_common.ph and replace “padl.com” with your domain and dc=padl,dc=com with dc=YOUR,dc=DOMAIN
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
Remove the top section of /tmp/base.ldif
dn: dc=dev
dc: dev
objectClass: top
objectClass: domain
Restart LDAP and add our information to LDAP
/etc/init.d/slapd restart
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif
To enable PAM I suggest
cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc
Be aware of what this does: it replaces the PAM stack in /etc/pam.d with files fetched over plain HTTP from a third-party host. Back up /etc/pam.d first, list and read the archive's contents before extracting it, and keep a root shell open until you have confirmed that local logins still work, since a broken or tampered PAM stack can lock you out or let anyone in.
Alternatively, you can try the following Ubuntu specific method:
auth-client-config -t nss -p lac_ldap
pam-auth-update ldap
Please note that I was unable to change user passwords with ‘passwd’ using this method.
Remove the test user
userdel test
Set up TLS Certificate
mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
openssl req -new -nodes -out req.pem -keyout key.pem
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
#-nodes already wrote key.pem unencrypted, so this only rewrites it; harmless
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem
server.pem now holds both the private key and the self-signed certificate. It must be readable by the slapd user only (not world-readable) and must never be copied to clients; ca-cert, the certificate alone, is the only file clients need.
Enable TLS on server
ldapmodify -x -D cn=admin,cn=config -W
Paste in the following:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem
End the entry with a blank line (press ENTER) and, once you see the following, press Control+D (or Control+C) to leave ldapmodify:
modifying entry "cn=config"
Edit /etc/default/slapd and add
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
Restart slapd
/etc/init.d/slapd restart
If it fails, try:
chown -R openldap /etc/ldap/ssl
/etc/init.d/slapd restart
Client configuration
vi /etc/ldap.conf
uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem
Two caveats on this file. "ssl start_tls" and "ssl on" are alternatives, not a pair: "ssl on" means LDAPS on port 636 as the uri says, while "ssl start_tls" means STARTTLS on a plain ldap:// port-389 connection, so keep only the one that matches the uri. "tls_checkpeer no" disables verification of the server certificate, so the client accepts any certificate and TLS protects against eavesdropping only, not against an impersonated server; a self-signed certificate can still be verified by setting tls_checkpeer yes and pointing tls_cacertfile at a copy of ca-cert. Do not ship server.pem to clients at all, since as built above it also contains the server's private key.
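As an added example that is not part of the original walkthrough, here is a small Python linter for a pam_ldap/nss_ldap style ldap.conf that flags the weaknesses just discussed: conflicting ssl lines, a uri and ssl mode that disagree, tls_checkpeer not enabled, a CA file that carries a private key, or no TLS at all. The two configurations and the PEM contents embedded in it are constructed stand-ins (PEM bodies elided); the file names match the walkthrough only by assumption.

```python
# Constructed copy of the client /etc/ldap.conf from the walkthrough above.
WEAK_CONF = """\
uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem
"""

# The same file with one ssl mode, peer verification on and only the CA certificate referenced.
FIXED_CONF = """\
uri ldaps://server
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/ca-cert
"""

# Constructed stand-ins for the PEM files (bodies elided): server.pem is the key+cert
# bundle built in the server section, ca-cert is the certificate alone.
PEM_FILES = {
    "/etc/ldap/ssl/server.pem": ("-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
                                 "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n"),
    "/etc/ldap/ssl/ca-cert": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
}


def parse_conf(text):
    """'key value' per line, '#' comments and blank lines ignored; repeated keys kept in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint(text, read_file=PEM_FILES.get):
    """Return a list of findings for an ldap.conf; an empty list means nothing was flagged.
    read_file(path) returns a file's contents or None; it defaults to the in-memory
    stand-ins so the check runs offline (pass lambda p: open(p).read() on a real host)."""
    values = {}
    for key, value in parse_conf(text):
        values.setdefault(key, []).append(value)
    findings = []

    ssl_modes = [v.lower() for v in values.get("ssl", [])]
    if len(set(ssl_modes)) > 1:
        findings.append("conflicting ssl lines (%s): keep only the one matching the uri"
                        % ", ".join(ssl_modes))
    mode = ssl_modes[-1] if ssl_modes else "off"
    uri = values.get("uri", [""])[-1].lower()
    if uri.startswith("ldaps://") and mode != "on":
        findings.append("uri is ldaps:// but ssl is '%s'; LDAPS needs 'ssl on'" % mode)
    if uri.startswith("ldap://") and mode == "on":
        findings.append("'ssl on' with a plain ldap:// uri; use ldaps:// or 'ssl start_tls'")
    if mode == "off":
        findings.append("no TLS: bind passwords and user passwords cross the network in the clear")

    if values.get("tls_checkpeer", [""])[-1].lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': any server certificate is accepted, "
                        "so an impersonated server defeats TLS")

    for path in values.get("tls_cacertfile", []):
        content = read_file(path) or ""
        if "PRIVATE KEY" in content:
            findings.append("%s contains a private key; clients need only the CA certificate" % path)
        elif "BEGIN CERTIFICATE" not in content:
            findings.append("%s holds no certificate (missing or unreadable)" % path)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print("%s: %s" % (name, "\n  ".join(lint(conf)) or "no findings"))
```

Run against the walkthrough's client file it reports three findings; against the corrected file it reports none. A missing tls_checkpeer line is flagged too, so the setting is always explicit rather than left to whatever the library defaults to.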
vi /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap
Now test! Make sure to stop nscd if you’re using it
/etc/init.d/nscd stop
Test LDAP
$ id test
uid=1001(test) gid=1001(test) groups=1001(test)
Remember to keep an eye on /var/log/auth.log if you run into any problems
If you create a domain with virt-manager, it does not always add the appropriate ‘virtio’ entry to the xml file for your VM.
If this is the case, you will notice that network throughput in the VM never exceeds 10/100 speeds, because the guest is running on the default emulated NIC instead of the paravirtualised virtio driver.
To fix this, edit the xml file (libvirt may overwrite files under /etc/libvirt/qemu with its own copy; virsh edit vm makes the same change safely and validates the result)
vi /etc/libvirt/qemu/vm.xml
Make sure your network block looks like this (keep your MAC address the same)
<interface type='network'>
<mac address='00:16:36:0b:4c:9c'/>
<source network='default'/>
<model type='virtio'/>
</interface>
Shut down the VM and confirm it’s shut down
virsh shutdown vm
# virsh list
Connecting to uri: qemu:///system
Id Name State
----------------------------------
If you do not see your vm “running” you can proceed. If it’s still running you need to shut it down another way.
Update the xml definition
virsh define /etc/libvirt/qemu/vm.xml
Start the domain
virsh start vm
Log into the VM and test with a 1GB file
dd if=/dev/zero of=/tmp/test bs=1M count=1000
scp /tmp/test [email protected]:/tmp
You should see transfer speeds above 11-12 megabytes/second.
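Because libvirt rewrites its XML and a hand edit is easy to get subtly wrong, here is an added Python example (not from the original post) that makes the change programmatically: it parses a domain definition, adds <model type='virtio'/> to every interface that lacks a model while leaving the MAC address and everything else alone, and reports how many interfaces it changed. The domain XML in it is a constructed minimal stand-in for a virt-manager-generated file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for a virt-manager domain file: the first interface
# lacks a <model>, the second has an emulated one. Real files carry many more elements.
DOMAIN_XML = """<domain type='kvm'>
  <name>vm</name>
  <devices>
    <interface type='network'>
      <mac address='00:16:36:0b:4c:9c'/>
      <source network='default'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:12:34:56'/>
      <source bridge='br0'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>
"""


def interface_models(xml_text):
    """[(mac address, model type or None)] for each <interface> in the domain."""
    root = ET.fromstring(xml_text)
    result = []
    for iface in root.iter("interface"):
        mac = iface.find("mac")
        model = iface.find("model")
        result.append((mac.get("address") if mac is not None else None,
                       model.get("type") if model is not None else None))
    return result


def ensure_virtio(xml_text, overwrite=False):
    """Add <model type='virtio'/> to every interface without a model (and, with
    overwrite=True, switch other models to virtio). Nothing else is touched, so the
    MAC addresses survive. Returns (new_xml, number_of_interfaces_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for iface in root.iter("interface"):
        model = iface.find("model")
        if model is None:
            ET.SubElement(iface, "model", type="virtio")
            changed += 1
        elif overwrite and model.get("type") != "virtio":
            model.set("type", "virtio")
            changed += 1
    if hasattr(ET, "indent"):  # Python 3.9+: keep the output readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: virsh dumpxml vm > vm.xml; python3 virtio_model.py vm.xml > vm-new.xml;
    # then, with the VM shut down, virsh define vm-new.xml and virsh start vm.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DOMAIN_XML
    new_xml, changed = ensure_virtio(text)
    sys.stderr.write("%d interface(s) changed\n" % changed)
    sys.stdout.write(new_xml + "\n")
```

Working from virsh dumpxml rather than the file under /etc/libvirt/qemu avoids the copy being clobbered, and the guest still needs the virtio_net driver loaded for the new device to come up.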
I’m running Apache2+SSL inside a libvirtd (kvm) Virtual Machine.
After enabling SSL and trying to add another SSL site, Apache would refuse to restart and the following would show up in /var/log/apache2.log
Digest: generating secret for digest authentication
After doing some research, it turned out that the VM did not have enough entropy: generating that secret reads from the kernel's blocking random device, which waits until the entropy pool fills, and a headless VM with no keyboard, mouse or disk activity of its own feeds that pool very slowly. Raising the counter is easy, but the quick fix below does not cure the shortage, only the symptom.
# cat /proc/sys/kernel/random/entropy_avail
139
# apt-get install rng-tools
# rngd -r /dev/urandom -o /dev/random
# cat /proc/sys/kernel/random/entropy_avail
2220
After running rngd, the entropy counter climbs steadily. Be clear about what this does: /dev/urandom is fed from the same pool, so rngd is handing the pool its own output and crediting it as fresh entropy. That unblocks /dev/random, but the guest has no more real unpredictability than it had before; fine for getting a test VM going, a poor choice on a machine that generates long-lived keys. For those, give the guest a genuine source instead, such as a virtio-rng device backed by the host's random device or a hardware RNG passed through.
If you want this to survive a reboot, you'll need to put it in a startup script.