I had a new laptop, XP Pro SP2, IE6. Graphics in IE and in the start menu and taskbar were blocky, pixelated.
The problem was, Dell knew the display was hi-res and small, so they set a registry setting for me to automatically dumb-down the graphics, to make them more legible.
This made web pages render incorrectly, and it made the screen icons look bad. Change this key to fix it:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"UseHR"=dword:00000000
Who says only Linux has silly things like this, or that Windows is more user-friendly? My grandma would never have found this fix.
2007/10/02
2007/09/27
PostgreSQL Tips and Tricks
# Log in to a postgreSQL database
psql -U username dbname
# Get list of databases.
SELECT datname FROM pg_database;
# or
\l
# or
psql -l
# Get size of tables, sorted in descending order (relpages/reltuples are planner estimates refreshed by VACUUM/ANALYZE, not live counts).
SELECT relname, relpages,reltuples FROM pg_class ORDER BY relpages DESC;
# Show tables in a database.
select * from information_schema.tables where table_schema='public' and table_type='BASE TABLE';
# or
\dt
# Show structure of a table.
\d tablename
psql Commands
General
\c[onnect] [DBNAME|- [USER]] | connect to new database (currently "dfdata") |
\cd [DIR] | change the current working directory |
\copyright | show PostgreSQL usage and distribution terms |
\encoding [ENCODING] | show or set client encoding |
\h [NAME] | help on syntax of SQL commands, * for all commands |
\q | quit psql |
\set [NAME [VALUE]] | set internal variable, or list all if no parameters |
\timing | toggle timing of commands (currently off) |
\unset NAME | unset (delete) internal variable |
\! [COMMAND] | execute command in shell or start interactive shell |
Query Buffer
\e [FILE] | edit the query buffer (or file) with external editor |
\g [FILE] | send query buffer to server (and results to file or pipe) |
\p | show the contents of the query buffer |
\r | reset (clear) the query buffer |
\s [FILE] | display history or save it to file |
\w FILE | write query buffer to file |
Input/Output
\echo [STRING] | write string to standard output |
\i FILE | execute commands from file |
\o [FILE] | send all query results to file or |pipe |
\qecho [STRING] | write string to query output stream (see \o) |
Informational
\d [NAME] | describe table, index, sequence, or view |
\d{t|i|s|v|S} [PATTERN] (add "+" for more detail) | list tables/indexes/sequences/views/system tables |
\da [PATTERN] | list aggregate functions |
\db [PATTERN] | list tablespaces (add "+" for more detail) |
\dc [PATTERN] | list conversions |
\dC | list casts |
\dd [PATTERN] | show comment for object |
\dD [PATTERN] | list domains |
\df [PATTERN] | list functions (add "+" for more detail) |
\dg [PATTERN] | list groups |
\dn [PATTERN] | list schemas (add "+" for more detail) |
\do [NAME] | list operators |
\dl | list large objects, same as \lo_list |
\dp [PATTERN] | list table, view, and sequence access privileges |
\dT [PATTERN] | list data types (add "+" for more detail) |
\du [PATTERN] | list users |
\l | list all databases (add "+" for more detail) |
\z [PATTERN] | list table, view, and sequence access privileges (same as \dp) |
Formatting
\a | toggle between unaligned and aligned output mode |
\C [STRING] | set table title, or unset if none |
\f [STRING] | show or set field separator for unaligned query output |
\H | toggle HTML output mode (currently off) |
\pset NAME [VALUE] | set table output option (NAME := {format|border|expanded|fieldsep|footer|null|numericlocale|recordsep|tuples_only|title|tableattr|pager}) |
\t | show only rows (currently off) |
\T [STRING] | set HTML
Copy, Large Object
2007/09/14
Simple expect ssh example
This expect script would be called from a shell script, and would ssh to the host passed as an argument (argv), perform the command specified, and disconnect. (Thanks, Tiger O.)
#!/usr/bin/expect
# Run with the target hostname as the only command-line argument.
set timeout 1
set cmd {uname -a}
# NOTE: the root password is embedded here in cleartext; an ssh key with a
# forced command is the safer way to run a fixed command non-interactively.
spawn ssh root@[lindex $argv 0]
expect_after eof { exit 0 }
## interact with SSH
# Answer a first-time host-key prompt if one appears; otherwise the 1 s timeout just moves on
expect "yes/no" { send "yes\r" }
expect "password:" { send "rootpasswd\r" }
expect "# "
send "$cmd\r"
# Swallow the echoed command, then match the output line as a regular expression
expect "$cmd\r"
expect -re "(.*)\r"
send "exit\r"
expect eof
2007/07/25
120 VAC Outlet / Plug wiring
First of all, don't follow this -- get a qualified electrician to do your work. Doing it yourself, or using this information, may get you or someone else killed. This is my personal reminder note.
The three slots/holes and their attachment points are:
- Silver color screws: this is where your grounded leg (aka neutral) wire goes. By North American standards this should be a white wire, but it can be white or gray. (Looking at the front face of an outlet with the ground on the bottom, this is the slot/screw on the left.)
- Equipment grounding screw: this is where the circuit grounding conductor wire is attached. On most general-purpose circuits this is a bare wire (although an equipment grounding conductor can be bare or green). This bare or green wire is also connected to a grounding screw on the back of the electrical box (if the electrical box in use is metallic).
- Brass color screws: this is where the ungrounded leg (aka hot conductor) wire is attached. The most frequently used wire colors are black and red, but it can be any color in the rainbow except white, gray, bare or green.
Do a smoke-test with something unimportant; don't touch it while testing it. Measure potential between the new ground and a known good ground.
2007/07/18
Windows Updates from the command line with wuauclt.exe
wuauclt.exe has these parameters (not all are verified; gleaned from various posts on the web):
/configlist - lists WUAUCLT configuration.
/installAUclient - install the correct AU client by force.
/installAUclientFromMicrosoft - contacts either the configured WSUS server or Microsoft's WU server and forcefully reinstalls the latest version of the AU client.
/clearlogfile - clears the client update log file.
/clearandsavelogfile - saves the current client update log file to a named file, then clears the update log.
/downloadnow - initiates an immediate download of any required update using BITS.
/downloanowfast - initiates an immediate download of any required update using HTTP.
/stopdownload - stops any AU updates being downloaded (either using HTTP or BITS).
/TestWSUSServer - checks connection with the configured WU server.
/DetectNow
/ResetAuthorization
/RunHandlerComServer
/RunStoreAsComServer
/ShowSettingsDialog
/ResetEulas
/DemoUI
/FastCountdown
/FakeData
/FakeReboot
/SkipEulas
2007/07/12
Samba with idmap RID on CentOS
For some reason, the CentOS authconfig-tui never works for me out of the box. And there doesn't appear to be correct error handling for it, such as "failed to join domain" -- it acts like everything is okay, and then it doesn't work.
I use the IDMAP_RID option to map user accounts within a single AD to unix user ID's.
Ensure that you have krb5-libs, samba-common, pam_krb5, krb5-workstation, samba-client, and krb5-auth-dialog installed.
Most of these are case-sensitive. The example NETBIOS domain name is "mydomain". Full DNS domain name is "mydomain.com". DC's/KDC's are dc1.mydomain.com, dc2.mydomain.com, etc.
/etc/pam_smb.conf
MYDOMAIN
dc1.mydomain.com
dc2.mydomain.com
Then run "ln -sf system-auth-ac /etc/pam.d/system-auth"
mkdir /var/cache/samba/smb_krb5
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
/etc/krb.conf
MYDOMAIN.COM
MYDOMAIN.COM dc1.mydomain.com:88
MYDOMAIN.COM dc2.mydomain.com:88
MYDOMAIN.COM dc1.mydomain.com:749 admin server
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = dc1.mydomain.com:88
kdc = dc2.mydomain.com:88
admin_server = dc1.mydomain.com:749
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba/smb.conf
#=======Global Settings =================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYDOMAIN
netbios name = FILESERVER
realm = MYDOMAIN.COM
# server string is the equivalent of the NT Description field
server string = File Server
# Security mode. Defines in which mode Samba will operate
security = ADS
allow trusted domains = No
idmap backend = rid:DOMAIN=1000000-10000000
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
template shell = /sbin/nologin
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
smb ports = 139
# Restrict what subnets can access this server
hosts allow = 192.168.1. 192.168.2. 192.168.3. 192.168.4. 192.168.5. 192.168.0. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = no
password server = dc1.mydomain.com
# SHARE DEFINITIONS
[users]
path = /var/export/users
comment = user home dirs
public = no
writeable = yes
browseable = no
guest ok = no
printable = no
[team]
path = /var/export/team
comment = Team and Departmental Share
public = no
writeable = yes
browseable = yes
guest ok = no
write list = @Domain\ Users
valid users = +"DOMAIN\Domain Users" jdoe
#invalid users = @acc_T_Drive_Deny mdc
printable = no
Now, run "ntpdate dc1.mydomain.com", then configure and start ntpd (configure it to sync time from your DC's). Use "ntpq -p" and look for an asterisk to know when it has synchronized to the DC; it may take a few minutes. If your system clock gets more than 5 minutes out of sync with the DC's, then Kerberos (and your authentication) will stop working.
TESTING
To test Kerberos functionality for authentication, run "kinit username", where username is a user name on your AD domain.
To test ntpd functionality, run "ntpq -p" and look for an asterisk next to your DC.
To test that winbind is getting user and group info from AD, and that the system can use it, run "getent passwd" and "getent group"; you should see your AD users and groups in there.
Note: for VMware Server to work, you'll need a manual entry in /etc/passwd for any user who will run vmware.
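An added check for the "getent passwd" test step above (example code written for this page, not from the original post or from Samba): winbind's rid backend maps each AD account to UID = range base + RID, so the accounts it supplies must land inside the "idmap uid" range from the smb.conf above (1000000-10000000), and no local /etc/passwd account should sit in that range, or two accounts share one UID. The getent and passwd lines below are constructed; the real inputs are the command outputs named in the comment.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the "getent passwd" test
# step against the idmap range configured in smb.conf: winbind's rid backend
# maps every AD account to UID = range base + RID, so AD users must show up
# with UIDs inside [lo, hi], and no local /etc/passwd account should sit in
# that range (a collision would make two accounts share one UID).
# Real use:  check_idmap "$(getent passwd)" "$(cat /etc/passwd)" 1000000 10000000
# The sample lines below are constructed.

# Print "name:uid" for every passwd-format line on stdin whose UID is within
# the range given as $1 (low) and $2 (high).
uids_in_range() {
    awk -F: -v lo="$1" -v hi="$2" 'NF >= 3 && $3 >= lo && $3 <= hi { print $1 ":" $3 }'
}

# $1 = output of getent passwd, $2 = contents of /etc/passwd, $3 = low, $4 = high.
# Returns 0 when winbind supplied at least one mapped account and no local
# account collides with the idmap range; findings go to stderr.
check_idmap() {
    mapped=$(printf '%s\n' "$1" | uids_in_range "$3" "$4")
    local_hits=$(printf '%s\n' "$2" | uids_in_range "$3" "$4")
    rc=0
    if [ -z "$mapped" ]; then
        echo "no NSS accounts in idmap range $3-$4: winbind is not supplying AD users" >&2
        rc=1
    fi
    if [ -n "$local_hits" ]; then
        echo "local accounts inside the idmap range (UID collision): $local_hits" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample data. RIDs 1105/1106 are users, 513 is "Domain Users";
# with "idmap uid = 1000000-10000000" they map to 1001105, 1001106 and 1000513.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
jdoe:x:500:500:Local Jane:/home/jdoe:/bin/bash
asmith:*:1001105:1000513:Alice Smith:/home/MYDOMAIN/asmith:/sbin/nologin
bjones:*:1001106:1000513:Bob Jones:/home/MYDOMAIN/bjones:/sbin/nologin'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:x:500:500:Local Jane:/home/jdoe:/bin/bash'

# A local service account created inside the idmap range: a misconfiguration.
SAMPLE_PASSWD_BAD='root:x:0:0:root:/root:/bin/bash
svc_backup:x:1000600:1000600:Backup service:/var/backup:/sbin/nologin'
```

If check_idmap reports no accounts in range, winbind is not answering NSS (check nsswitch.conf and that winbindd is running and joined); if it reports local collisions, move the local account's UID out of the range rather than shrinking the range, since the RID mapping needs the whole span.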
Labels: AD, authentication, CentOS, Linux, nested groups, samba, winbind
2007/06/28
How to process command-line args in bash scripts
while [ $# -gt 0 ]; do
case $1 in
--somevar)
SOMEVAR=$2
SOMEVARSTR="--somevar $2"
shift; shift
;;
--othervar)
OTHERVAR=$2
shift; shift
;;
--version)
VERSION=$2
shift; shift
;;
--debug)
DEBUGSTR="--debug"
shift
;;
*)
# Anything else is the target directory; only one is allowed and it must
# exist. Quote $1 so an empty or space-containing argument can't break the test.
# usage is assumed to be defined elsewhere in the script.
if [ -n "$TARGET" ] || [ ! -d "$1" ]; then
usage
fi
TARGET=$1
shift
;;
esac
done
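A hardened version of the same loop, added here as an example (not code from the original post): it keeps the while/case shape but checks that each option actually has a value, accepts the --name=value spelling, treats "--" as the end of options, rejects unknown options, and quotes every expansion. The option names (--somevar, --othervar, --version, --debug) and the variables are taken from the post; parse_args returning non-zero in place of calling usage is this example's choice.

```shell
#!/bin/sh
# Added example, not from the original post: the same while/case loop as above,
# hardened. Option values are checked for presence, --opt=value is accepted,
# "--" ends option parsing, unknown options are rejected, and every expansion
# is quoted so a target path containing spaces survives. parse_args stores its
# results in SOMEVAR, OTHERVAR, VERSION, DEBUG and TARGET and returns non-zero
# on a usage error instead of calling an undefined usage function.

# Record the single positional argument; it must be an existing directory.
set_target() {
    if [ -n "$TARGET" ] || [ ! -d "$1" ]; then
        echo "error: expected exactly one existing target directory, got '$1'" >&2
        return 1
    fi
    TARGET=$1
}

parse_args() {
    SOMEVAR= OTHERVAR= VERSION= DEBUG=0 TARGET=
    while [ $# -gt 0 ]; do
        case $1 in
            --somevar=*|--othervar=*|--version=*)
                # Rewrite --name=value as "--name value" and re-dispatch
                opt=${1%%=*} val=${1#*=}
                shift
                set -- "$opt" "$val" "$@"
                ;;
            --somevar|--othervar|--version)
                # A value is required and must not itself look like an option
                if [ $# -lt 2 ]; then
                    echo "error: $1 requires a value" >&2; return 1
                fi
                case $2 in
                    -*) echo "error: $1 requires a value" >&2; return 1 ;;
                esac
                case $1 in
                    --somevar)  SOMEVAR=$2 ;;
                    --othervar) OTHERVAR=$2 ;;
                    --version)  VERSION=$2 ;;
                esac
                shift 2
                ;;
            --debug)
                DEBUG=1
                shift
                ;;
            --)
                # Explicit end of options: everything after it is positional
                shift
                break
                ;;
            -*)
                echo "error: unknown option $1" >&2; return 1
                ;;
            *)
                set_target "$1" || return 1
                shift
                ;;
        esac
    done
    for arg in "$@"; do
        set_target "$arg" || return 1
    done
    if [ -z "$TARGET" ]; then
        echo "error: no target directory given" >&2; return 1
    fi
}
```

Call it as parse_args "$@" at the top of the script and exit on failure; the --opt=value branch works by rewriting the argument list in place with set, which is the portable way to do it in plain sh.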
2007/06/05
Gathering information on Windows Servers
Some of these tools require you to download the Windows (2003) support tools and install them on a Windows XP or 2003 computer that is a member of the domain; download the tools from http://support.microsoft.com/kb/892777 .
- Remotely get replication info on a Windows server:
repadmin /showattr ncobj:domain:
- Remotely get the OS version and SP level of a Windows server (enter on one line):
repadmin /showattr ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack
- Verify DC replication:
REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA
- dcdiag: verify DC configuration of all DCs in a forest:
dcdiag /v /e /n:domain_name
- more to come
2007/05/07
Troubleshooting library issues in Linux
Linux programs (like Windows programs) can be linked either:
- statically
  - can create much larger binaries
  - won't get stuck with problems about a library dependency not being met
  - any time an important fix is applied to the library against which it was compiled, you theoretically should rebuild all the binaries you built from it, to make sure they get the fix
- dynamically (like a Windows .dll, but they usually have a .so.* extension)
  - smaller binaries
  - sometimes have library/version dependency problems
  - updating the library has the effect of "fixing" all the binaries that use it dynamically
A few of the tools you might use in troubleshooting library problems are:
ldd
ldconfig
objdump
A few environment variables to consider:
LD_LIBRARY_PATH
LD_PRELOAD
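Small filters for the two tools named above, added as an example (not from the original post): missing_libs reads ldd output and lists the dependencies the loader could not resolve, while needed_libs and search_paths read "objdump -p" output and list the NEEDED sonames and any RPATH/RUNPATH entries. objdump only parses the file, so it is the one to use on a binary you do not trust, since ldd may execute the program's dynamic loader. The ldd and objdump output below is constructed to match the tools' formats; the library names in it are sample values.

```shell
#!/bin/sh
# Added example, not from the original post: filters over the output of ldd
# and "objdump -p" for troubleshooting unmet shared-library dependencies.
# Real use:
#   ldd /path/to/prog | missing_libs
#   objdump -p /path/to/prog | needed_libs
#   objdump -p /path/to/prog | search_paths
# The sample output below is constructed to match the tools' formats.

missing_libs() {
    # ldd prints "libfoo.so.1 => not found" for an unmet dependency
    awk '/=> not found/ { print $1 }'
}

needed_libs() {
    # objdump -p lists the dynamic section as "  NEEDED   libfoo.so.1"
    awk '$1 == "NEEDED" { print $2 }'
}

search_paths() {
    # RPATH/RUNPATH directories are searched before the ldconfig cache; a
    # world-writable directory here lets anyone supply the library.
    awk '$1 == "RPATH" || $1 == "RUNPATH" { print $2 }'
}

# Return 0 if the ldd output passed as $1 shows every dependency resolved.
deps_satisfied() {
    [ -z "$(printf '%s\n' "$1" | missing_libs)" ]
}

# Constructed ldd output: two unresolved libraries, two resolved entries.
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fff5a1ff000)
        libssl.so.0.9.8 => not found
        libcrypto.so.0.9.8 => not found
        libc.so.6 => /lib64/libc.so.6 (0x00002b3e1c2a4000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b3e1c086000)'

# Constructed "objdump -p" dynamic section for the same binary.
SAMPLE_OBJDUMP='Dynamic Section:
  NEEDED               libssl.so.0.9.8
  NEEDED               libcrypto.so.0.9.8
  NEEDED               libc.so.6
  RPATH                /opt/app/lib
  INIT                 0x0000000000400a40'
```

When missing_libs reports a soname, check whether the library is installed under another version (ls /usr/lib*/libssl.so*), whether its directory is in /etc/ld.so.conf and the cache is current (ldconfig -p), and only then reach for LD_LIBRARY_PATH; an RPATH pointing at a directory that does not exist or is writable by others is worth fixing in the build rather than working around.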
2007/04/19
Create a minimal Xen domU template for CentOS
Create partitions for the domU. With LVM:
lvcreate --size 6G --name LV-server-root VG00
lvcreate --size 512M --name LV-server-swap VG00
mkfs.ext3 /dev/VG00/LV-server-root
mkswap /dev/VG00/LV-server-swap
mkdir /mnt/server
mount /dev/VG00/LV-server-root /mnt/server
mkdir -p /mnt/server/dev /mnt/server/etc /mnt/server/proc /mnt/server/var/lock/rpm /mnt/server/var/lib/rpm /mnt/server/var/log
MAKEDEV -d /mnt/server/dev -x random
MAKEDEV -d /mnt/server/dev -x console
MAKEDEV -d /mnt/server/dev -x zero
MAKEDEV -d /mnt/server/dev -x null
mount -t proc none /mnt/server/proc
wget http://isoredirect.centos.org/centos-5/5/os/x86_64/CentOS/centos-release-5-0.0.el5.centos.2.x86_64.rpm
rpm --initdb --root=/mnt/server
rpm -ivh --root=/mnt/server --nodeps centos-release*.rpm
yum groupinstall Core --installroot=/mnt/server
cd /mnt/server
vi etc/fstab etc/resolv.conf etc/sysconfig/network etc/sysconfig/network-scripts/ifcfg-eth0 etc/hosts
(hint: make those files look similar to the ones in the dom0)
cd /; umount /mnt/server
Edit your domU config file in /etc/xen.
2007/04/05
CentOS / RHEL Unsupported RAID/SATA/SCSI Controllers
So, I've got a Promise SuperTrak RAID controller. It uses the stex kernel module, which was supposedly added to CentOS 4.4. Well, when I went to install CentOS 4.4, and later CentOS 5 beta, the installer wouldn't load the driver, and so the array was not usable. Very frustrating. The vendor only has driver binaries for certain versions of certain OSes. It's a chicken-egg situation, if you don't want to first install to an IDE disk and then RSync it over.
The good news is, yes, the module (stex) is included in the RPM on the install CD, and you can load that module before the installer detects available disks.
To manually load the module, go in the installer to the screen just before you are presented with available disks and partitioning options. Then press Ctrl-Alt-F2, I think, to bring up a sh# prompt. Look at your mounted filesystems ("mount"). One of them points to the current running environment (I forget what it's called), and one of them points to the install media. Go to the install media and find the kernel-*.rpm. Install it with rpm -ivh --nodeps kernel-*.rpm (you may have to use the --root= option and specify the root of the running environment). Then cd to the lib/modules/`uname -r`/kernel/drivers/scsi directory, and either insmod stex.ko or modprobe stex (or whatever module you're trying to use). Voila, the module is loaded and your RAID array/controller should now be detected. Press Ctrl-Alt-F6 to get back to the (graphical) installation, and press "next" to detect available disks/partitions.
Wait until the scre
Xen Tips and Tricks
- Xen can host Linux, Solaris, and OpenBSD domU's with a modified kernel in each. If the CPU's have built-in hardware virtualization technology (Intel's VT chips, and AMD Pacifica), then you may run unmodified OS'es, including Windows.
- When you assign a MAC address to a domU, be sure the second digit is an even number – 00 or AA or some such. This is because the 16th bit of the MAC address being a "1" (which makes that digit odd) designates a "multicast" MAC address; your stuff won't work, you won't be able to figure out why, and it will generally be very frustrating. Also, as PIX ARP entries don't expire for 30 minutes, you'll probably save yourself some grief if the MAC mimics the IP address, e.g., IP of 172.31.17.136 = MAC of 00:23:11:71:36. That way, each domU has a unique MAC, and a re-IP of a system gives it a new MAC, which the PIX will immediately recognize.
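Two checks for the MAC-address tip above, added as an example (not code from the original post or from Xen): is_unicast_mac verifies that the individual/group bit (the low bit of the first octet, which is what makes the second hex digit odd) is clear, and mac_from_ip derives a deterministic MAC from the domU's IP so that a re-IP changes the MAC, as the post recommends. Assumptions: the 00:16:3e prefix is the OUI allocated to the Xen project, and the mapping used here (last three IP octets become the last three MAC octets) is this example's own scheme, not the digit-based one in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Validates and generates domU
# MAC addresses. Assumptions: 00:16:3e is the OUI allocated to the Xen
# project; the IP-to-MAC mapping (last three IPv4 octets -> last three MAC
# octets) is this example's own scheme, chosen so each IP yields a unique
# MAC and a re-IP yields a new one.

# Return 0 if $1 is a well-formed unicast MAC, 1 otherwise.
is_unicast_mac() {
    mac=$1
    # Six colon-separated hex pairs
    printf '%s' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=${mac%%:*}
    # The low bit of the first octet is the individual/group bit; set means
    # multicast, and hosts ignore ARP replies from a multicast source.
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Print 00:16:3e:xx:xx:xx built from the last three octets of a dotted-quad
# IPv4 address in $1; return 1 if it is not four decimal octets in 0..255.
mac_from_ip() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '00:16:3e:%02x:%02x:%02x\n' "$2" "$3" "$4"
}
```

Run is_unicast_mac against the mac= value of every vif line in /etc/xen before starting a domU; because the first octet of the Xen OUI is 00, any MAC produced by mac_from_ip passes the unicast check by construction.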
- The easiest way to install Xen (for me) has been the from-source install. This has the following prerequisites, which may be installed with "yum install" followed by the names below:
- ncurses-devel
- ncurses
- bridge-utils
- gcc
- zlib-devel
- python-devel
- iproute
- bison
- flex
- It is possible to present specific PCI devices directly to domU's, and to mask specific PCI devices from the dom0. Read the manual for details.
- For a source install of Xen, follow the README at the top level of the source. It is short, easy, and works. Don't forget to run the depmod and initrd as instructed at the end of the file.
- /etc/modprobe.conf: The name of the kernel module that drives the LSI SCSI controllers in some servers (notably Sun v20z and v40z) was changed. You need lines like the following in your /etc/modprobe.conf before you run mkinitrd; remove the other "mpt" lines in /etc/modprobe.conf and add these:
alias scsi_hostadapter mptbase
alias scsi_hostadapter1 mptspi
- Xen is very slow if it uses the native tls libraries. To make it not use those, rename/move the tls libraries in the dom0 and the domU:
mv /lib/tls /lib/tls.disabled
...and on a 64-bit dom0 also run:
mv /lib64/tls /lib64/tls.disabled
The other "gotcha" is that updating the OS may cause new versions of those libraries to be installed. Check often and rename them, or, better yet, make a cron script to notify you if they appear again.
- VMware cannot be installed on a Xen domU or dom0. This is because there is at least one kernel module for VMware that expects to run at CPU ring 0; Xen dom0's and domU's do not run at ring 0 – only Xen itself runs at ring 0, and the VMware module is not compatible with Xen. It may work with virtualization-enabled CPU's, though.
- i386 (32-bit) and x86_64 (64-bit) domU's can be mixed on an x86_64 dom0, but a x86_64 domU cannot run on an i386 dom0.
- Live migration of domU's is only supported if the domU's filesystems are either:
- present as the same local device (e.g. /dev/sdc1) on both the source and destination dom0, with for example, drbd or dom0 iSCSI initiators and/or a clustered filesystem.
- accessible over the network at the same address from both dom0's, as with an iSCSI, GFS, or NFS root.
- Always leave the non-Xen and the last-used Xen kernel on the system and in grub.conf; this way, if there's a problem, your system is still bootable from the hard disk.
- Change the line in your dom0 /etc/sysconfig/kernel to UPDATEDEFAULT=no so that your Xen kernel won't be replaced in the grub.conf each time yum updates the kernel.
- Dom0 security – The dom0 is a critical host, as it offers access to console, filesystems, and other resources of all of the domU's it hosts.
- selinux – selinux appears to work fine in dom0 without hindering domU's. Go ahead and set it in "active" mode.
- iptables – You should probably enable iptables on the dom0, and only allow ssh inbound. Add specific ports only if you want to allow, for example, live migration; even those should only accept connections from certain ip addresses.
- root login over ssh – probably better to create an external access account and disable root logins in /etc/ssh/sshd_config.
- Kernel download/build time – the Xen source install will download a version of the Linux kernel (for Xen 3.0.2-2, it downloads kernel 2.6.16) and compile it completely. The kernel download is about 40-50 MB, so it will probably take at least 10 minutes; building the kernels – Xen and the Xen-modified Linux kernel – will take another 20-50 minutes. Just know that it will take a little while.
- python-twisted – The Xen management tools use the Python "twisted" libraries for XML communication. If you use python-twisted-1.3.0-1.2.el4.rf.i386.rpm, which is on rootstore under software\Xen, you can get away without having to install additional dependencies. If you go for a more recent python-twisted, you'll find yourself in dependency hell.
- DomU template – It can be handy to create a domU template, stripped of non-essential packages, with your admin scripts and configuration info already entered. You can then make an archive of the template, and each time you need to add a new server, just copy the template to the domU's filesystems.
- In order to use 2 or more virtual network interfaces (with Xen bridge) on your domU, add a script "my-network-script" such as the following to /etc/xen/scripts, and be sure to run chmod +x /etc/xen/my-network-script to make it executable:
#!/bin/sh
# start bridges on both eth0 and eth1
XENDIR="/etc/xen/scripts"
$XENDIR/network-bridge "$@" netdev=eth0 bridge=xenbr0 vifnum=0
$XENDIR/network-bridge "$@" netdev=eth1 bridge=xenbr1 vifnum=1
#$XENDIR/network-bridge "$@" netdev=eth2 bridge=xenbr2 vifnum=2
...and change this line in /etc/xen/xend-config.sxp:
(network-script my-network-script)
- After Xen is installed, here is a summary of commands that may prove useful; each must be run as root:
Command | Use / Notes |
xm list | see running domains (vm's), their status, memory usage, domain ID, and what ports to telnet to (e.g. 9607) to get a console on each. |
xm console | attach to the console on a domU. |
xm create -c | start a domain and view its console, then type "^]" to disconnect. Note: Be sure to log off root before disconnecting!!! |
xm top | list realtime auto-updating stats on each domain's cpu, memory, and network usage, as well as other info. |
xm create | start a domU. Note that this should actually be a file name (e.g., /etc/xen/www3), not a domU name. |
xm shutdown | shut a domU down. |
- It doesn't work well to lvm-snapshot a domU filesystem from a dom0. This is because the lvm snapshot mechanism uses the dm-snapshot module, which upon snapshot creation sends a "sync" to the filesystem driver to cause the filesystem to flush out its cache. The filesystem of a domU is not accessible by the dom0 kernel, where the snapshot would be created. You can, however, make snapshots within a domU of that domU's filesystems. However, it seems to be easier and just as clean to run rsync --archive --stats --delete --hard-links --numeric-ids --exclude=/tmp/** --exclude=/proc/** --exclude=/sys/** root@domU_name:/ Local_path/domU_name/ to back up the domU filesystem from the dom0 or another host.
- Certain enabled-by-default services don't make much sense in a Xen domU, and some probably hurt. Here are some services you probably want to disable (or uninstall, if possible) in your domU's:
- acpid, auditd, autofs, cpuspeed, diskdump, gpm, haldaemon, ipmi, irqbalance, kudzu, mdmonitor, mdmpd, messagebus, microcode_ctl, netfs, netplugd, ntpd, openibd, portmap, readahead, readahead_early, xinetd
- Kernel modules in domU's – some processes will log an error when they can't find the proper kernel module. An example might be httpd trying to load an IPv6 module by default. Most domU's seem to do okay without having the kernel modules available, but if you want to keep the logs cleaner or have an additional capability that requires the kernel module, you may have to rsync /lib/modules/ from dom0 to domU (rsync and preserve hardlinks, to keep the kernel modules tree from growing a lot).
- NTP / Time – domU's use the same hwclock as the dom0, and therefore have the potential to screw things up if they access it directly.
- Don't run ntpd or ntpdate on domU's. Instead, run it in the dom0 and that will keep all your domU's up to date automatically.
- In each domU, replace /sbin/hwclock with an executable script that has only the line /bin/true. You'll have to watch this, as some OS updates may replace it with a new binary, and you'll need to make it the script again. Try making it read-only(?).
- On CentOS 5 beta, you have to mkinitrd and include and preload certain xen devices (networking and block device, respectively), else you won't be able to mount your root partition if you're exporting a partition / LV directly from dom0 to domU.
2007/03/06
Update your system for new DST changes
mkdir tz
cd tz
wget ftp://elsie.nci.nih.gov/pub/tzdata2006p.tar.gz
tar -xzf tzdata2006p.tar.gz
zic northamerica
cp /usr/share/zoneinfo/America/Chicago /etc/localtime
zdump -v /etc/localtime |grep 2007
(if the date is March 11 and not April, then it worked).
shutdown -r now
2007/02/22
Solaris rescue cd to change forgotten root password
1) Boot off Device Configuration Assistant with CD in.
2) When the install process gets to "choose type of installation"
1) Interactive
2) Jump Start
3) Web Start
type: boot cdrom -s
(or, if all you can do is get to the prom with stop-A or Ctrl-Break) type boot cdrom -s
3) When you get the root prompt you are in single user mode.
4) Create a mount point: # mkdir /mnt
5) Mount the root slice: # mount /dev/dsk/c0d0s0 /mnt
(or whatever the device is called).
5b) If the filesystem is corrupted, you may need to fsck /dev/rdsk/c0d0s0... before you can mount
(/dev/dsk/* for mount, /dev/rdsk/* for fsck. /etc/vfstab will tell you which device name to use.)
6) Set up TERM variable: # TERM=AT386;export TERM
7) Go to /etc/shadow and clear the password entry for root.
# vi /mnt/etc/shadow
e.g. root:sdfgsdSDGS3832:6445:::::: remove everything between the first two colons.
8) # sync;umount /mnt; sync;reboot
9) When the system comes back up you should be able to log in as root without a password.
10) Use # passwd to set a new password for root.
2007/02/16
sudo: sudoers examples
Sudo can be used to allow users to execute certain commands as other users (including root) on certain machines, with logging.
Edit the sudoers file with visudo. Note that to execute many system commands, your PATH will need to include /sbin:/usr/sbin
See what access is allowed with "sudo -l".
The best example file I found was at http://www.gratisoft.us/sudo/sample.sudoers , except that it uses "!", which is pointless (commands can be copied).
## Sample sudoers file ##
# *** Host_Alias specifications ***
# Host_Alias seems not to be useful, unless you have a
# global sudoers file that is replicated across multiple hosts.
# make LOCAL mean localhost (probably a bad idea, as this will allow it to run on any machine that has the sudoers file)
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com
# *** User_Alias specifications ***
# User_Alias allows you to group users. (better to use AD/NIS groups, for global/central management?)
# MAILADMINS user alias refers to users dick and jane
User_Alias MAILADMINS = dick, jane
# *** Runas_Alias specifications ***
# This specifies an alias or grouping of whom a command can be run as.
Runas_Alias SOMEONE = larry, tom
# *** Cmnd_Alias specifications ***
# alias or group commands with full paths, to make things easier to read later.
Cmnd_Alias SU = /bin/su
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now
# *** Defaults specification ***
# make user john.doe not have to enter a password to run commands as another user
Defaults:john.doe !authenticate
# make user kate have no timeout, and add env variable "GOO" to the sudo environment, and run as linda by default, but always require the root password
Defaults:kate timestamp_timeout=-1, env_keep+="GOO", runas_default=linda, rootpw
# make user jim have to enter the password of whoever he's running a command as, every time, with 1 attempt allowed
Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1
# global defaults - log to a specific file.
Defaults logfile=/var/log/sudo.log, log_year
# *** User Privilege specification ***
# This is where we actually say who and where (as whom) can do what
# user/%group hostname = (user) command
# by default, root can do all commands as all users
root ALL=(ALL) ALL
# users jake and jim, on localhost, can execute crond without entering a password. (probably a bad idea)
jake,jim LOCAL = NOPASSWD: /sbin/service crond restart
# allow MAILADMINS on hosts LAN to run as root the commands SMTP and REBOOT.
MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT
# members of the group "wheel" can run, on all hosts, all commands as all users
%wheel ALL=(ALL) ALL
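As an added example (not from the post or from the sudo project), here is a small Python audit script that parses sudoers-style lines like the ones above, expands Cmnd aliases, and flags the grants the comments call out as risky: NOPASSWD, unrestricted ALL for anyone but root, and su hidden behind an alias. The sample file is constructed; visudo -c and sudo -l remain the authoritative checks.

```python
import re

# Constructed sample in the style of the post's sudoers file (not the post's file itself).
SAMPLE_SUDOERS = """\
Host_Alias LOCAL = 127.0.0.1
User_Alias MAILADMINS = dick, jane
Runas_Alias SOMEONE = larry, tom
Cmnd_Alias SU = /bin/su
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start
Defaults logfile=/var/log/sudo.log, log_year
root ALL=(ALL) ALL
jake,jim LOCAL = NOPASSWD: /sbin/service crond restart   # probably a bad idea
MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT
%wheel ALL=(ALL) ALL
bob ALL = (root) SU
"""

ALIAS = re.compile(r"^(?:Host|User|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<cmds>.+)$")

def parse(text):
    """Split a sudoers text into {alias: [members]} and a list of privilege specs."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        m = SPEC.match(line)
        if m:
            specs.append(m.groupdict())
    return aliases, specs

def audit(text):
    """Flag the grants the comments in the post warn about."""
    aliases, specs = parse(text)
    findings = []
    for s in specs:
        if "NOPASSWD" in s["cmds"]:
            findings.append("%s: NOPASSWD grant on %s" % (s["who"], s["host"]))
        # strip (runas) and tags, then expand Cmnd aliases so a hidden /bin/su is still seen
        expanded = []
        for c in s["cmds"].split(","):
            c = re.sub(r"\(.*?\)|NOPASSWD:|PASSWD:", "", c).strip()
            expanded.extend(aliases.get(c, [c]))
        if "ALL" in expanded and s["who"] != "root":
            findings.append("%s: unrestricted ALL on %s" % (s["who"], s["host"]))
        if any(e.startswith("/bin/su") for e in expanded):
            findings.append("%s: can run su on %s" % (s["who"], s["host"]))
    return findings
```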
Silver Bullet for booting Linux on legacy hardware
My friend, Jake ( aka the |-,@[V](V)3|2 ), gave me this tip for booting newer linux kernels on older hardware:
Enter this at the boot prompt, instead of pressing Enter to boot:
linux acpi=off noapic nolapic
2007/02/14
Selinux tips
Here are some really good SElinux resources:
http://www.linuxsecurity.com/content/view/120567/49/
http://www.linuxsecurity.com/content/view/120622/49/
http://www.linuxsecurity.com/content/view/120700/49/
http://www.linuxsecurity.com/content/view/120837/169/
http://www.it-observer.com/articles.php?id=1013
Touch up a folder for apache to access (change file context labels recursively):
chcon -R -t httpd_sys_content_t
Touch up a folder for samba to access (change file context labels recursively):
chcon -R -t samba_share_t /backups
To reset the labels on all mounted filesystems:
restorecon -Rv /
If you need the filesystems to be relabeled on bootup, do this and then reboot:
touch /.autorelabel
To boot once with SELinux enforcement disabled, add the enforcing=0 flag to the kernel boot line.
To get the kernel's enforcement status:
getenforce
To change the kernel's enforcement status to "permissive" (aka log-only):
setenforce 0
To change the kernel's enforcement status to "Enforcing" (aka block access):
setenforce 1
(edit /etc/selinux/config to make the changes persistent across reboots)
2007/01/29
How to send mail manually through a smtp telnet session
First, connect to the mail server.
telnet myserver.com 25
A successful connection will produce
...
Connected to myserver.com
Escape character is '^]'.
220 myserver.com ESMTP Sendmail
Next, specify the email source domain:
HELO local.domain.com
This should result in:
250 myserver.com Hello local.domain.com [1.2.3.4]
Specify the email source address:
MAIL FROM: myaddress@domain.com
This should result in:
250 2.1.0 myaddress@domain.com... Sender ok
Specify the recipient address:
RCPT TO: otheraddress@myserver.com
This should result in:
250 2.1.0 otheraddress@myserver.com... Recipient ok
Then start the message with this command
DATA
To specify a Subject, CC: list, etc., add for example:
Subject:my subject
followed by the enter key twice, to conform to RFC 882.
Then type the rest of your message:
Hello, world
Then, close your message with a line containing only a period:
.
To close the SMTP connection:
QUIT
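The same exchange driven from Python, as an added example that is not part of the original post: a fake loopback server answers with the reply codes shown above, and the client stops as soon as a reply code is not the one expected (the check you do by eye in the telnet session). Host names and addresses are constructed values; the body also shows the dot-stuffing a line beginning with "." needs so the server does not take it for the end of the message.

```python
import socket
import threading
# Replies the fake server gives per verb (constructed values echoing the post's session)
REPLIES = {"HELO": "250 myserver.com Hello local.domain.com [1.2.3.4]",
           "MAIL": "250 2.1.0 myaddress@domain.com... Sender ok",
           "RCPT": "250 2.1.0 otheraddress@myserver.com... Recipient ok",
           "DATA": "354 Enter mail, end with \".\" on a line by itself",
           "QUIT": "221 2.0.0 myserver.com closing connection"}

def fake_server(listener):
    # Server side: greet, answer each verb, read the DATA body up to the lone "."
    conn, _ = listener.accept()
    f = conn.makefile("rwb", buffering=0)
    f.write(b"220 myserver.com ESMTP Sendmail\r\n")
    verb = ""
    while verb != "QUIT":
        verb = f.readline().decode().split(":")[0].split()[0].upper()
        f.write((REPLIES.get(verb, "500 5.5.1 Command unrecognized") + "\r\n").encode())
        if verb == "DATA":
            while f.readline() != b".\r\n":  # body ends at a line holding only "."
                pass
            f.write(b"250 2.0.0 Message accepted for delivery\r\n")
    conn.close()

def send_manually(host, port, sender, recipient, body):
    # Client side: the post's command sequence, checking each reply code as you would by eye
    transcript = []
    f = socket.create_connection((host, port)).makefile("rwb", buffering=0)
    def expect(code):
        reply = f.readline().decode().rstrip("\r\n")
        transcript.append("S: " + reply)
        if not reply.startswith(code):
            raise RuntimeError("expected %s, got: %s" % (code, reply))
    def send(line):
        transcript.append("C: " + line)
        f.write((line + "\r\n").encode())
    expect("220")
    send("HELO local.domain.com"); expect("250")
    send("MAIL FROM: " + sender); expect("250")
    send("RCPT TO: " + recipient); expect("250")
    send("DATA"); expect("354")
    for line in ["Subject:my subject", ""] + body.splitlines():
        send("." + line if line.startswith(".") else line)  # RFC 5321 dot-stuffing
    send("."); expect("250")
    send("QUIT"); expect("221")
    f.close()
    return transcript

def run_demo():
    # Pair the fake server with the client on a loopback port and return the dialogue
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    threading.Thread(target=fake_server, args=(listener,), daemon=True).start()
    return send_manually("127.0.0.1", listener.getsockname()[1], "myaddress@domain.com",
                         "otheraddress@myserver.com", "Hello, world\n.starts with a dot")
```

Printing run_demo() joined with newlines gives the two-sided transcript, one "C:" or "S:" line per message.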
2007/01/09
MySQL recipes
To perform any of these, log in to the server with credentials that are authorized to perform the commands on the databases you want to look at:
mysql -u username -p
- show databases on a server:
- show status of a database server:
- get user account info for a database server:
- show tables in a database:
- get information about a table in a database:
- get all contents of a table in a database:
- get the number of rows of a table in a database:
- create an account on database with a given password:
- Change user's password
SET PASSWORD FOR foo=PASSWORD('rubberchicken');
- Flush / reload grant tables (after changing table permissions):
- Conditionally drop a table, if it exists:
- Create a database:
- Copy a table from one database to another:
INSERT new_table_name SELECT * FROM old_database_name.table_name;
- Rename a table name:
- Eliminate duplicate results from a SELECT:
- Use Regular Expressions in a SELECT:
- Drop a column from a table:
- Check consistency of MyISAM database tables (must be in data dir), first flush the tables, then make sure nobody is accessing the tables, then run the command below (see http://www.lampspot.net/linux/how-to-guide-database-table-corruption-recognise-repair-and-prevent-by-jeng/):
- Flush database tables:
- Check database table status:
- Switch MyISAM tables to InnoDB tables (or switch to MyISAM if you have problems with InnoDB). (You must of course start mysqld with InnoDB support, which can be done by adding innodb options from the distributed my-medium.cnf file to your my.cnf file. This can be done with your table as long as you are not using two part autoincrement or FULLTEXT indexes.):
ALTER TABLE problem_table TYPE=INNODB;
Get mysql version:
mysql -V
Dump all contents of a database to a .sql file; will prompt for password:
mysqldump -u username -p database_name > /tmp/backup.sql
Restore all contents of a database from a .sql file (user must have access to do so; database must exist but be empty, I think; if tables already exist, this will not overwrite them):
mysql -u username -p database_name < /tmp/backup.sql
Change your mysql password (hostname matters?), will prompt for old password:
mysqladmin -u username -p password newpassword