Archive for the ‘RedHat’ Category

Rsync bug


Bitten by the rsync bug? I was. Apparently in the new RHEL 5.7, and I am sure the RH clones like CentOS, Scientific Linux and ClearOS(?) as well, there is a bug in rsync when you use it with ssh transport like so:

rsync -avz -e ssh remotehost:/data /data

The fix is to make sure to append a username to your host and then it magically starts working properly again.

rsync -avz -e ssh username@remotehost:/data /data

Enjoy!

Wednesday, July 27th, 2011

RHEL 5 quick and dirty samba primer


A friend asked me for a quick primer on how to set up a windows accessible share under RHEL 5, so I thought I would include it here for the benefit of anyone interested.

  • sudo yum -y install samba
  • sudo vim /etc/samba/smb.conf
  • replace the file with something like so:

[global]
workgroup = SOMEWORKGROUPNAME
server string = SERVERHOSTNAME Samba Server Version %v
security = user
netbios name = CALLMESOMETHING
[data]
comment = my data share
path = /data
read only = no
writable = yes
guest ok = no
available = yes
valid users = USERNAME

  • add a local user to the box: sudo useradd USERNAME
  • add the local user to samba and give password: sudo smbpasswd -a USERNAME
  • restart samba service: sudo service smb restart
  • make sure samba starts at boot: sudo chkconfig smb on
  • adjust your firewall settings if necessary

At this point you should be able to access the share at //servername/data.
Have fun!

Tuesday, March 22nd, 2011

Server Build

Last night on the TechShow I was asked about providing some info on a decent default server build. Here are some quick notes to get people going. Adjust as necessary.

Just for ease, here, let's assume you are installing CentOS 5, a nice robust enterprise class Linux for your server needs.

CentOS 5 / RHEL 5 / Scientific Linux, etc., does a really great job picking the defaults, so sticking with those is just fine and has worked well for me on literally hundreds of servers.

  • I let the partitioner remove all existing partitions and chose the default layout without modification.
  • Configure your networking appropriately, make sure to set your system clock for the appropriate timezone (no I do not generally leave my hardware clock set to UTC).
  • When picking general server packages I go for web server and software devel. I do not, generally, pick virtualization unless there is a specific reason to. I find that the web and devel meta server choices provide a robust background with all the tools I need to set up almost any kind of server I want without having to dredge for hundreds of packages later on.
  • The install itself at this point should take you about 15 minutes depending on the speed of your hardware.
  • Once installed, reboot the server and you should come to a setup agent prompt. Select the firewall configuration. Disable the firewall and SELinux completely (trust me here). Once that is done, exit the setup agent (no need to change anything else here), login to the machine as root and reboot it. This is necessary to completely disable SELinux.

From this point on it’s all post install config…:

  • Add any software repositories you need to.
    I not only have my own repo for custom applications, but also have a local RedHat repo for faster updates and lower network strain/congestion.
  • Install your firewall.
    I use an ingress and egress firewall built on iptables. While mine is a custom written app, there are several iptables firewall generator apps out there you can try.
  • Install your backup software.
    Doesn’t matter if this is a big company backup software like TSM or CommVault, or you are just using tar in a script. Make sure your system is not only being backed up regularly, but that you can actually restore data from those backups if you need to.
  • Add your local admin account(s).
    Don’t be an idiot and log into your server all the time as root. Make a local account and give yourself sudo access (and use it).
  • Fix your mail forwarding.
    Create a .forward file in your root directory and put your email address in there. You will get your server's root emails delivered to you so you can watch the logwatch reports and any cron results and errors. This is important sysadmin stuff to look at when it hits your inbox.
  • Stop unnecessary services.
    Yes, if you are running a server you can probably safely stop the bluetooth and cups services. Check through what you are running with a “service --status-all” or a “chkconfig --list” (according to your runlevel) and turn off / stop those services you are not and will not be using. This will go a long way toward securing your server as well.
  • Install OSSEC and configure it to email you alerts.
  • No root ssh.
    Change your /etc/ssh/sshd_config and set “PermitRootLogin no”. Remember, you just added an admin account for yourself, you don’t need to ssh into this thing as root anymore. Restart your sshd service after making the change in order to apply it.
  • Set runlevel 3 as default.
    You do not need to have a GUI desktop running on your server. Run the gui on your workstation and save your server resources for serving stuff. Make the change in /etc/inittab “id:3:initdefault:”.
  • Fix your syslog.
    You really should consider having a separate syslog server. They are easy to set up (hey, Splunk is FREE up to so much usage) and it makes keeping track of what's happening on multiple servers much easier (try that Splunk stuff – you’ll like it).
  • Set up NTPD.
    Your server needs to know what time it is. ‘Nuff said.
  • Install ClamAV.
    Hey, it’s free and it works. If you do ANYTHING at all with handling emails or fileshares for windows folks on this machine, you owe it to yourself and your users to run Clam on there to help keep them safer.
  • Do all your updates now.
    Before you go letting the world in on your new server, make sure to run all the available updates. No sense starting a new server instance with out of date and potentially dangerous software.
  • Lastly, update your logbook.
    You should have SOME mechanism for keeping track of server changes, whether it be on paper or in a wiki or whathaveyou. Use it RELIGIOUSLY. You will be glad someday you did.
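
Three items on the list above (no root ssh, runlevel 3, unnecessary services) can be spot-checked with a few lines of shell. This is an added example, not part of the original post; the function names and sample files are constructed for illustration, and an unset PermitRootLogin is assumed to default to "yes" as it did in the OpenSSH releases of that era.

```shell
#!/bin/sh
# File paths are arguments so the checks can run against copies of the configs.

# Value sshd uses for PermitRootLogin: the first uncommented occurrence in the
# global section (before any Match block) wins. Unset is reported as "yes",
# an assumed default.
effective_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Default runlevel from an inittab-style file ("id:3:initdefault:").
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Services switched on for a runlevel; reads `chkconfig --list` output on stdin.
enabled_in_runlevel() {
    awk -v rl="$1" '{ for (i = 2; i <= NF; i++) if ($i == rl ":on") print $1 }'
}

# Constructed sample inputs (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
#PermitRootLogin yes
Protocol 2
PermitRootLogin no
PermitRootLogin yes
EOF
printf '# default runlevel\nid:5:initdefault:\n' > "$demo_dir/inittab"
cat > "$demo_dir/chkconfig.txt" <<'EOF'
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF

echo "PermitRootLogin:  $(effective_root_login "$demo_dir/sshd_config")"
echo "default runlevel: $(default_runlevel "$demo_dir/inittab")"
echo "on in runlevel 3: $(enabled_in_runlevel 3 < "$demo_dir/chkconfig.txt" | tr '\n' ' ')"
```

On a real host, point the first two functions at /etc/ssh/sshd_config and /etc/inittab and pipe `chkconfig --list` into the third.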

Thursday, February 24th, 2011

Resize iscsi volume on RHEL 5

I have this ISCSI volume mounted on a RHEL 5 system that is running out of space. How do you grow your mounted iscsi volume? Good question!

* Unmount the volume. In this case it was /dev/sdb1 for me.
umount /dev/sdb1

* Grow the volume size on your san/nas (however your san/nas does this).
In my case - "Hey SanAdmin, can you add another 100gb of space to $volume?"

* In order to resize, your server needs to see that there is more volume space available, so you need to “service iscsi restart”.
[root@nile ~]# service iscsi restart
Logging out of session [sid: 1, target: iqn.2001-05.com.equallogic:0-8a0906-4cb5c3602-e9b001184684cc04-nile-splunk-index-archive, portal: nnn.nnn.nnn.nnn,3260]
Logout of [sid: 1, target: iqn.2001-05.com.equallogic:0-8a0906-4cb5c3602-e9b001184684cc04-nile-splunk-index-archive, portal: nnn.nnn.nnn.nnn,3260]: successful
Stopping iSCSI daemon:
iscsid dead but pid file exists [ OK ]
Starting iSCSI daemon: [ OK ]
[ OK ]
Setting up iSCSI targets: Logging in to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4cb5c3602-e9b001184684cc04-nile-splunk-index-archive, portal: nnn.nnn.nnn.nnn,3260]
Login to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4cb5c3602-e9b001184684cc04-nile-splunk-index-archive, portal: nnn.nnn.nnn.nnn,3260]: successful
[ OK ]

* fdisk /dev/sdb and delete the old partition (yes, delete it).
fdisk /dev/sdb
Command (m for help): d
Selected partition 1

* Create a new bigger partition over top / in place of the original.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-26109, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-26109, default 26109):
Using default value 26109

* Run e2fsck on the partition.
e2fsck -f /dev/sdb1

* Resize it.
resize2fs /dev/sdb1

* Finally, mount it back up!
mount -a (yes mine was listed in fstab)

Thursday, December 9th, 2010

RHEL 6 is here!

As many of you know, RedHat released RHEL 6 recently. I just finally got a chance to install the production version and thought I would share some of my immediate notes:

RHEL 6 Installation Notes: (text/net install)

No boot.iso available. Must use the ENTIRE installation DVD to boot, even for a network install.

Press tab at the boot splash to enter extra parameters – “linux text askmethod” worked appropriately.

Askmethod prompts for URL rather than http or ftp and has you put the entire URL in one line instead of splitting into server / location like RHEL 5 did.

Installer does not ask for registration number – must be done through rhn_register *after* installation has completed.

Install does not ask you for “types” like RHEL 5 did (webserver, virtualization, development).

Post install does not have configuration menu where you can change authentication, firewall/selinux, system services, etc..

That’s about where I am with this right now. The install is reminiscent of RHEL 4 in a lot of ways. I am sure things will change and improve like they always do. The one clearly needed addition right now, though, as far as I am concerned is a boot/netinstall.iso image.

Tuesday, November 16th, 2010

Diagnosis: Paranoia


You know, there are just some things you do not need first thing on a Monday morning. This was one of them…

I came in and started reviewing my reports and was looking at an access report, which is basically a “last | grep $TheDateIWant” from over the weekend. I keep a pretty tight ship and want to know who is accessing what servers and when (and sometimes why). What I saw was monstrously suspicious! I saw MYSELF logged in to 3 different servers 3 times each around 5am on Sunday morning – while I was sleeping.

This is the kind of thing to throw you into an immediate panic first thing on a Monday morning, but I decided to give myself 10 minutes to investigate before completely freaking out.

The first thing I noticed was that the access/login times looked suspiciously like the same times I ran my daily reports on the machines, however, the previous week I had changed the user that runs those reports and this was still saying it was me. I double, triple and quadruple checked and searched all the report programs to make absolutely sure there was no indication that they were still using my personal account (which was probably bad practice to begin with btw). Then I scoured all the cron logs to see what was actually running at those times, and oddly enough, it was just those reports.

I looked through the command line history on those machines and checked again the “last | head” to see who was logging on those machines. Nothing out of place BUT with the “last | head” I was NOT listed as being on the machine on that date! So I ran the entire report command again “last | grep $TheDateIWant” and there I was again, listed right under the logins of the report user.

Anyone catching this yet?

What I had stumbled upon were a few machines that are used so infrequently that the wtmp file, which is what the “last” command uses for data, had over 1 year of entries. My search of “last | grep 'Oct 31'” was returning not only this year, but my own logins from last year as well.

WHEW!

Moral of the story? Mondays stink – Just stay home!
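
The false alarm above comes from matching on month and day only. As an added example (not from the original post), the filter below matches the full login date including the year; it assumes a `last` that supports `-F` (full timestamps), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# logins_on MON DAY YEAR : keep only `last -F` lines (stdin) whose login
# timestamp falls on that exact date, year included.
logins_on() {
    awk -v mon="$1" -v day="$2" -v year="$3" '
    {
        # First full timestamp on the line is the login time,
        # e.g. "Sun Oct 31 05:00:03 2010"
        if (match($0, /[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9][0-9][0-9][0-9]/)) {
            split(substr($0, RSTART, RLENGTH), t, / +/)
            if (t[2] == mon && t[3] + 0 == day + 0 && t[5] == year) print
        }
    }'
}

# Constructed sample in `last -F` layout: a wtmp that spans more than a year.
sample_last() {
cat <<'EOF'
reports  pts/1        192.0.2.20       Sun Oct 31 05:00:03 2010 - Sun Oct 31 05:00:41 2010  (00:00)
reports  pts/1        192.0.2.20       Sun Oct 31 05:10:07 2010 - Sun Oct 31 05:10:39 2010  (00:00)
admin    pts/0        192.0.2.10       Sat Oct 31 05:00:02 2009 - Sat Oct 31 05:00:44 2009  (00:00)
admin    pts/0        192.0.2.10       Fri Oct 30 09:12:30 2009 - Fri Oct 30 17:02:11 2009  (07:49)
EOF
}

# Month/day match alone also returns the 2009 admin login.
echo "grep 'Oct 31':           $(sample_last | grep 'Oct 31' | wc -l) lines"
# Year-aware match returns only the 2010 report-user logins.
echo "logins_on Oct 31 2010:   $(sample_last | logins_on Oct 31 2010 | wc -l) lines"

# On a live host: last -F | logins_on Oct 31 2010
```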

Monday, November 1st, 2010

PHP 5.3.X on RHEL 5 / CentOS 5

Another one for posterity here. I was asked to find out how to upgrade PHP on RHEL 5 / CentOS 5 to v 5.3.x and to test the procedure. It turns out to work pretty well and is not as difficult as you might think as long as you have the right repositories enabled:

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
rpm -Uvh epel-release-5-4.noarch.rpm
rpm -Uvh remi-release-5.rpm
yum --enablerepo=remi update php php-* mysql

This, of course, assumes that your LAMP stack is already installed. If not, you would change the “update” to “install” and away you go. This will currently set you to php v 5.3.3 and mysql 5.1.51.

Thursday, October 7th, 2010

EncFs


I had the opportunity to check out some encrypted filesystem stuffs recently. The one that really stood out as easy to install, manage and use, for me, was EncFs. Now this post is mostly for posterity, but I wanted to share that, unless you are trying to get it running on RHEL, it’s pretty easy to get set up. I mostly referred to this site and had it up and going lickety-split. I really am thrilled with how easy this actually was…

Until….

I tried getting it running on RHEL 5. I will spare you all the gory details about how it took hours of peeling through the dependency issues with nonstandard RHEL packages, but you get the idea. What I will leave you with here is what actually made it work:

yum -y install fuse fuse-devel fuse-libs
wget http://packages.sw.be/rlog/rlog-1.3.7-1.el5.rf.i386.rpm
wget http://packages.sw.be/fuse-encfs/fuse-encfs-1.4.1-1.el5.rf.i386.rpm
rpm -Uvh rlog-1.3.7-1.el5.rf.i386.rpm
rpm -Uvh fuse-encfs-1.4.1-1.el5.rf.i386.rpm
modprobe fuse
useradd -G fuse your_user_name

And that was it! Bask in the glory!!!

Tuesday, October 5th, 2010

Updates


I just love cssh. This is the way updates should be run.

Wednesday, March 17th, 2010

Book Review


A Practical Guide to Fedora and Red Hat Enterprise Linux (5th Ed)

Wow. Mark Sobell hits another one out of the park.

Comprehensive can hardly describe this book, although I am hard pressed to come up with a more appropriate word. This massive volume covers all things Fedora and Redhat, from the common to the esoteric, but do not be daunted by the amount of information there. In true Sobell fashion, each topic is explained thoroughly in a manner that could easily be used to teach a novice with. In fact, in the review quote on the front cover, Eric Hartwell says the same. This book is a keeper and its pages will surely be well thumbed, at least until the next revision comes out!

Monday, March 8th, 2010