Redhat & Fedora – Page 2

Adding and Removing swap on Linux

By Ravi Bhure | December 15, 2010 | Comments 1 comment

Introduction –

Here we are going to create 4G swap file using cmd ‘dd’, later we will activate it.
we are named and create ‘/extraswap’ swap file for additional swap

dd command options
if = input file (read from FILE instead of stdin)
of = output file name (write to FILE instead of stdout)
bs = BYTES rate
count = BLOCKS (copy only number of block)

dd if=/dev/zero of=/extraswap bs=1024 count=4096000

***Adding extraswap Swap file

[root@ravi ~]# dd if=/dev/zero of=/extraswap bs=1024 count=4096000
4096000+0 records in
4096000+0 records out
4194304000 bytes (4.2 GB) copied, 162.277 seconds, 25.8 MB/s

Set up a Linux swap area using ‘mkswap’ command

[root@ravi ~]# mkswap /extraswap
Setting up swapspace version 1, size = 4194299 kB

Activate swap using ‘swapon’ command

[root@ravi ~]# swapon /extraswap

[root@ravi ~]# free -m
total       used       free     shared    buffers     cached
Mem:         16053       6148       9905          0        293       5488
-/+ buffers/cache:        367      15686
Swap:         3999          0       3999

Edit /etc/fstab and put below entry into it to swap on automatic after reboot server

/extraswap none swap defaults 0 0

*** Remove /extraswap file

[root@ravi ~]# swapoff /extraswap

Remove /extraswap swap file entry from /etc/fstab and run ‘mount -a‘

Delete /extraswap

[root@ravi ~]# rm /extraswap

-Ravi

Secure FTP using rssh or scponly with chroot

By Arun Bagul | August 18, 2010 | Comments 0 Comment

Introduction –

In this article we will setup SFTP using rssh with chroot ….

A] How to configure rssh + chroot for SFTP

Step 1) Install RSSH Shell ~

* Ubuntu –

root@me:/home/arunb# apt-get install scponly rssh coreutils17

* Redhat/CentOS

[root@arun.me chroot]# yum install rssh
[root@arun.me chroot]# rpm -qa | grep rssh
rssh-2.3.2-1.2.el5.rf
[root@arun.me chroot]#

Step 2) Your Chroot Setting –

[root@arun.me ~]# cat /etc/rssh.conf
# This is the default rssh config file

logfacility = LOG_USER
###### arun ########
allowsftp
# set the default umask
umask = 022
chrootpath =”/home/chroot”
###### end ########

Step 3) Create user ~

[root@arun.me ~]# mkdir /home/chroot/
[root@arun.me ~]# useradd -d /home/chroot/home/sftp_test -s /usr/bin/rssh sftp_test
[root@arun.me ~]# passwd sftp_test

* Now add following line in “/etc/rssh.conf” file…

user =”sftp_test:022:00010:/home/chroot/sftp_test”

*** [root@arun.me ~]# tail /etc/passwd

sftp_test:x:503:503::/home/chroot/home/sftp_test:/usr/bin/rssh

Step 4) Chroot allow to log via syslogd ~

add following entry in file “/etc/sysconfig/syslog” and restart syslogd

SYSLOGD_OPTIONS=”-m 0 -a /home/chroot/dev/log -a /dev/log”

root@arun.me ~]# /etc/init.d/syslog restart

Step 5) Now setup Chroot ENV –

[root@arun.me ~]# /var/src/arun_rssh_mkchroot.sh /home/chroot/

[root@arun.me ~]# cd /home/chroot/

[root@arun.me chroot]# mknod –mode=600 dev/console c 5 1
[root@arun.me chroot]# mknod –mode=666 dev/null c 1 3

[root@arun.me chroot]# /var/src/arun_shared_lib.sh usr/libexec/openssh/sftp-server

[root@arun.me chroot]# cp /lib/libnss_files.so.2 lib/libnss_files.so.2
[root@arun.me chroot]# cp /lib64/libnss_files.so.2 lib64/libnss_files.so.2

Step 6) Test now ~

arunb@me:~$ sftp sftp_test@192.168.0.1
Connecting to 192.168.0.1…
sftp_test@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_test
sftp> ls
arun manoj mayur ravi
sftp>

sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp>

Step 7) Process for New user ~

a) [root@arun.me chroot]# useradd -d /home/chroot/home/sftp_tmp -s /usr/bin/rssh sftp_tmp
[root@arun.me chroot]# passwd sftp_tmp

b) Add line in file “/etc/rssh.conf”

user =”sftp_tmp:022:00010:/home/chroot”

c) Copy user entry from /etc/{passwd,group,shadow} files TO CHROOT {passwd,group,shadow} files ~

NOTE ~ be careful…

[root@arun.me chroot]# grep sftp_tmp /etc/passwd >> /home/chroot/etc/passwd
[root@arun.me chroot]# grep sftp_tmp /etc/group >> /home/chroot/etc/group
[root@arun.me chroot]# grep sftp_tmp /etc/shadow >> /home/chroot/etc/shadow

[root@arun.me ~]# cat /home/chroot/etc/{passwd,group,shadow}

sftp_tmp:x:504:504::/home/chroot/home/sftp_tmp:/usr/bin/rssh
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sftp_test:x:503:
sftp_tmp:x:504:
bin:*:14797:0:99999:7:::
daemon:*:14797:0:99999:7:::
sftp_test:$1$Ei5oj.yu$P5FDHHI1POxIIv5562BIm/:14798:0:99999:7:::
sftp_tmp:$1$wZ6Qk3R/$ANRx5MkBA91pjzE/Dr3vK.:14798:0:99999:7:::
[root@arun.me chroot]#

Step 8) Test it now from other linux host

bagul@me:~$ sftp sftp_tmp@192.168.0.1
Connecting to 192.168.0.1…
sftp_tmp@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp> ls
sftp> ls
1 2 3 a b c
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp>
sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp> cd /etc
sftp> pwd
Remote working directory: /etc
sftp> ls
group ld.so.cache ld.so.conf localtime nsswitch.conf passwd shadow
sftp>
sftp> get 1
Fetching /home/sftp_tmp/1 to 1
/home/sftp_tmp/1 100% 14 0.0KB/s 00:00
sftp> mkdir arun
sftp> ls
1 2 3 a arun b c
sftp> version
SFTP protocol version 3
sftp> rm c
Removing /home/sftp_tmp/c
sftp>

Step 9) What is required for CHROOT ~

[root@arun.me chroot]# pwd
/home/chroot
[root@arun.me chroot]# ll
drwxr-xr-x 2 root root 4096 Jul 8 07:50 dev
drwxr-xr-x 2 root root 4096 Jul 8 07:50 etc
drwxr-xr-x 4 root root 4096 Jul 8 07:51 home
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib
drwxr-xr-x 2 root root 4096 Jul 8 07:28 lib64
drwxr-xr-x 5 root root 4096 Jul 8 07:05 usr
[root@arun.me chroot]# ll -ld /home/
drwxr-xr-x 6 root root 4096 Jul 8 08:00 /home/
[root@arun.me chroot]# ll dev/
crw——- 1 root root 5, 1 Jul 8 07:13 console
srw-rw-rw- 1 root root 0 Jul 8 07:50 log
crw-rw-rw- 1 root root 1, 3 Jul 8 07:14 null
[root@arun.me chroot]# ll etc/
-rw-r–r– 1 root root 74 Jul 8 07:55 group
-rw-r–r– 1 root root 81321 Jul 8 07:05 ld.so.cache
-rw-r–r– 1 root root 28 Jul 8 07:05 ld.so.conf
-rw-r–r– 1 root root 3519 Jul 8 07:16 localtime
-rw-r–r– 1 root root 1696 Jul 8 07:16 nsswitch.conf
-rw-r–r– 1 root root 192 Jul 8 07:55 passwd
-r——– 1 root root 180 Jul 8 07:55 shadow
[root@arun.me chroot]# ll lib
-rwxr-xr-x 1 root root 46680 Jul 8 07:28 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jul 8 07:05 libnss_files.so.2 -> libnss_files-2.5.so
[root@arun.me chroot]# ll lib64
-rwxr-xr-x 1 root root 139416 Jul 8 07:10 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Jul 8 07:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366176 Jul 8 07:18 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Jul 8 07:18 libcrypt.so.1
-rwxr-xr-x 1 root root 1717800 Jul 8 07:18 libc.so.6
-rwxr-xr-x 1 root root 23360 Jul 8 07:18 libdl.so.2
-rwxr-xr-x 1 root root 9472 Jul 8 07:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 114352 Jul 8 07:18 libnsl.so.1
-rwxr-xr-x 1 root root 53880 Jul 8 07:28 libnss_files.so.2
-rwxr-xr-x 1 root root 145824 Jul 8 07:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Jul 8 07:18 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Jul 8 07:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Jul 8 07:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Jul 8 07:18 libutil.so.1
[root@arun.me chroot]# ll usr/
drwxr-xr-x 2 root root 4096 Jul 8 07:05 bin
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib64
drwxr-xr-x 3 root root 4096 Jul 8 07:05 libexec
[root@arun.me chroot]# ll usr/bin
-rwxr-xr-x 1 root root 33265 Jul 8 07:05 rssh
-rwxr-xr-x 1 root root 53384 Jul 8 07:05 scp
[root@arun.me chroot]# ll usr/lib64
-rwxr-xr-x 1 root root 190976 Jul 8 07:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153464 Jul 8 07:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Jul 8 07:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Jul 8 07:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 229272 Jul 8 07:18 libnspr4.so
-rwxr-xr-x 1 root root 1221496 Jul 8 07:18 libnss3.so
-rwxr-xr-x 1 root root 119696 Jul 8 07:18 libnssutil3.so
-rwxr-xr-x 1 root root 17736 Jul 8 07:18 libplc4.so
-rwxr-xr-x 1 root root 13800 Jul 8 07:18 libplds4.so
-rwxr-xr-x 1 root root 85608 Jul 8 07:18 libz.so.1
[root@arun.me chroot]# ll usr/libexec
drwxr-xr-x 2 root root 4096 Jul 8 07:05 openssh
-rwsr-xr-x 1 root root 69892 Jul 8 07:05 rssh_chroot_helper
[root@arun.me chroot]# ll usr/libexec/openssh
total 56
-rwxr-xr-x 1 root root 53080 Jul 8 07:05 sftp-server
[root@arun.me chroot]#

Thank you,
Arun Bagul

Xen virtualization on CentOS linux

By Arun Bagul | May 14, 2010 | Comments 0 Comment

Introduction ~

What is Virtualization? ~ virtualization is technique of running multiple operating system (OS) on same physical hardware at same time.
There are three types of Virtualization technologies

1) Full virtualization –
a) Hardware emulation – KQEMU
b) Binary translation – VirtualBox
c) Classic virtualization – OpenVZ
2) Para-virtualization
3) OS-level virtualization – Linux-VServer and OpenVZ

** Xen is an open-source para-virtualizing virtual machine monitor (VMM), or “hypervisor”,for a variety of processor. Xen can securely execute multiple virtual machines on a single physical system with near native performance.

** Xen Prerequisites –

1) iproute2 package
2) Linux bridge-utils (/sbin/brctl)
3) Linux hotplug system (/sbin/hotplug and related scripts)

Step 1) How to install Xen on Centos ~

[root@arun ~]# yum install xen.i386 xen-devel.i386 xen-libs.i386 libvirt.i386 libvirt-devel.i386 libvirt-python.i386 virt-manager.i386 virt-clone.i386

Step 2) How to install Xen Kernel for Centos ~

[root@arun ~]# yum install kernel-xen.i686 kernel-xen-devel.i686

* Once installation is completed; Please check the CentOS boot loader configuration file ie “/boot/grub/grub.conf”… and make sure that the first boot entry should look like this…

title CentOS (2.6.18-164.15.1.el5xen)
root (hd0,4)
kernel /boot/xen.gz-2.6.18-164.15.1.el5
module /boot/vmlinuz-2.6.18-164.15.1.el5xen ro root=LABEL=/ rhgb quiet
module /boot/initrd-2.6.18-164.15.1.el5xen.img

Step 3) Reboot the system so that system will boot with Xen Kernel….

That’s it Xen infrastructure is installed on CentOS.

[[root@arun ~]# rpm -qa | egrep “xen|virt” | sort
kernel-xen-2.6.18-164.15.1.el5
kernel-xen-devel-2.6.18-164.15.1.el5
libvirt-0.6.3-20.1.el5_4
libvirt-devel-0.6.3-20.1.el5_4
libvirt-python-0.6.3-20.1.el5_4
python-virtinst-0.400.3-5.el5
virt-manager-0.6.1-8.el5
xen-3.0.3-94.el5_4.3
xen-devel-3.0.3-94.el5_4.3
xen-libs-3.0.3-94.el5_4.3
[[root@arun ~]#
Step 4 ) Test Xen setup – make sure that “libvirtd” service is running

Step 5) Install first Guest CentOS –

* Create Disk as file as shown below….

[[root@arun ~]# dd if=/dev/zero of=/var/xen-disk/centOS.hdd bs=4k seek=2048k count=0
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000191 seconds, 0.0 kB/s
[[root@arun ~]# mke2fs -j /var/xen-disk/centOS.hdd
mke2fs 1.39 (29-May-2006)
/var/xen-disk/centOS.hdd is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1048576 inodes, 2097152 blocks
104857 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2147483648
64 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[[root@arun ~]# mount -o loop /var/xen-disk/centOS.hdd /mnt/
[[root@arun ~]# df -h
Filesystem            Size Used Avail Use% Mounted on
/dev/sda5              55G   12G   41G 22% /
tmpfs                 829M   12K 829M   1% /dev/shm
/dev/sda2              23G   15G 7.8G 65% /mydata
none                  829M 104K 829M   1% /var/lib/xenstored
/var/xen-disk/centOS.hdd
7.9G 147M 7.4G   2% /mnt
[[root@arun ~]#

* We are going to install guestOS from CD/DVD image so we will export this image via FTP so let us
configure ftp server….

* We have copied Centos CD/DVD in “/home/CentOS5.0/” location….

[root@arun ~]# ls /home/CentOS5.0/
CentOS            RELEASE-NOTES-cz.html RELEASE-NOTES-fr       RELEASE-NOTES-nl.html     repodata
EULA              RELEASE-NOTES-de       RELEASE-NOTES-fr.html RELEASE-NOTES-pt          RPM-GPG-KEY-beta
GPL               RELEASE-NOTES-de.html RELEASE-NOTES-it       RELEASE-NOTES-pt_BR       RPM-GPG-KEY-CentOS-5
images            RELEASE-NOTES-en       RELEASE-NOTES-it.html RELEASE-NOTES-pt_BR.html TRANS.TBL
isolinux          RELEASE-NOTES-en.html RELEASE-NOTES-ja       RELEASE-NOTES-pt.html
NOTES             RELEASE-NOTES-es       RELEASE-NOTES-ja.html RELEASE-NOTES-ru
RELEASE-NOTES-cz RELEASE-NOTES-es.html RELEASE-NOTES-nl       RELEASE-NOTES-ru.html
[root@arun ~]#

* I have changed anonymous FTP home from default one to “/home/CentOS5.0/” Please details below….

[root@arun ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@arun ~]# vi /etc/passwd
[root@arun ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/home/CentOS5.0:/sbin/nologin
[root@arun ~]#

* Now, restart FTP server and try to access to ftp with IPaddress assigned to bridge “virbr0”. In my case it is “ftp://192.168.122.1”

* Start installation now using “virt-install”

[root@arun ~]# virt-install –name arunOS –os-type=linux –ram=300 –file /var/xen-disk/centOS.hdd –location ftp://192.168.122.1 –nographics –bridge=virbr0

Starting install…

* Welcome to CentOS

<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

* Welcome to CentOS

<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

* Welcome to CentOS

<Space>,<+>,<-> selection | <F2> Add drive | <F12> next screen

* Welcome to CentOS

+—————————-+ Partitioning +—————————-+
|                                                                        |
|      Device        Start    End     Size       Type     Mount Point    |
| /dev/xvda                                                            ^ |
|   Free space            1    1045    8192M Free space               # |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      v |
|                                                                        |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|    | New |   | Edit |   | Delete |   | RAID |   | OK |   | Back |      |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|                                                                        |
|                                                                        |
+————————————————————————+

F1-Help F2-New F3-Edit F4-Delete F5-Reset F12-OK

* Welcome to CentOS

+—————————-+ Partitioning +—————————-+
|                                                                        |
|      Device        Start    End     Size       Type     Mount Point    |
| /dev/xvda                                                            ^ |
|   xvda1                 1     829    6502M ext3        /            # |
|   xvda2               830     893     502M swap                     : |
|   Free space          894    1044    1184M Free space               : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      v |
|                                                                        |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|    | New |   | Edit |   | Delete |   | RAID |   | OK |   | Back |      |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|                                                                        |
|                                                                        |
+————————————————————————+

F1-Help F2-New F3-Edit F4-Delete F5-Reset F12-OK

* Same way configure TZ,root password,packages,boot loader options etc…

* Welcome to CentOS

+———————+ Formatting +———————-+
|                                                         |
| Formatting / file system…                             |
|                                                         |
|                           70%                           |
|                                                         |
+———————————————————+

<Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

That’s it!

Thank you,
Arun Bagul

What’s new in GRUB-2?

By Arun Bagul | April 19, 2010 | Comments 0 Comment

Introduction ~ GRUB is perfect boot loader for Linux/Unix system! GRUB-2 supports several features that are important for every system admin.

* Platform support – GRUB 2 is intended to work across a wider range of architectures.
* Partition tables – GRUB-2 supports MBR partitioning scheme and GUID Partition Table (GPT).
* RAID and LVM – Now GRUB is supports both redundant array of independent disks (RAID) and Logical Volume Manager (LVM).
* File system support – GRUB 2 supports some additional non-Linux file systems, such as Apple’s Hierarchical File System Plus, NTFS and ZFS file systems…

* Configuring GRUB 2 –

GRUB 2 configuration file is different from legacy GRUB….

The default location for the GRUB 2 configuration file is /boot/grub/grub.cfg

* Sample GRUB 2 configuration file

root@me:~# cat /boot/grub/grub.cfg

set timeout=10
set default=0

menuentry “Ubuntu, Linux 2.6.31-20-generic” {
set quiet=1
insmod ext2
set root=(hd0,6)
search –no-floppy –fs-uuid –set 7699852c-2a04-4da2-82e8-a69969f16bf2
linux /boot/vmlinuz-2.6.31-20-generic root=UUID=7699852c-2a04-4da2-82e8-a69969f16bf2 ro quiet splash
initrd /boot/initrd.img-2.6.31-20-generic
}

Thanks,
Arun Bagul

How to use socat with haproxy stat

By Ravi Bhure | February 25, 2010 | Comments 0 Comment

*** Introduction –

All you know about the haproxy, that its the one of the good opensource load balancing software and to check the fun stats of haproxy here we using ‘socat’ – Multipurpose relay (SOcket CAT)

* What is socat?

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes. (see more info at ‘man socat’ 🙂 or at http://www.dest-unreach.org/socat/)
* How to use ‘socat’ with haproxy stat

Step 1) Download ‘socat’ from http://www.dest-unreach.org/socat/download/ latest version ~ “socat-2.0.0-b3.tar.gz”

ravi@arun:~$ wget http://www.dest-unreach.org/socat/download/socat-1.7.1.2.tar.gz

ravi@arun:~$ tar xvzf socat-1.7.1.2.tar.gz

ravi@arun:~$ cd socat-1.7.1.2

NOTE ~ No need to install the ‘fipsld’ package if you got the below msg after running the ‘make’ just following steps for

compiling socat….

FIPSLD_CC=gcc fipsld -O -D_GNU_SOURCE -Wall -Wno-parentheses -DHAVE_CONFIG_H -I. -I. -c -o socat.o socat.c
/bin/sh: fipsld: command not found
make: *** [socat.o] Error 127

ravi@arun:~$ ./configure –disable-fips
ravi@arun:~$ make

To install it login as root
ravi@arun:~$ su –

ravi@arun:~# make install

Step 2) Now you need to add stats socket PATH in Haproxy configuration and restart haproxy as per shown in following example,

where I have added it under in ‘global’ setting –

ravi@arun:~# more /etc/haproxy/myhaproxy.cfg

#———–Start of haproxy Config file————–
global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 25000
#debug
#quiet
user ravi
group ravi
stats socket    /tmp/haproxy
defaults
option          contstats
timeout         connect 5s
timeout         client 25s
timeout         server 25s
maxconn         100

listen ravitestbed      0.0.0.0:80 ##ravi.com IP
mode            tcp
balance         roundrobin
server          web1 192.168.19.117
server          web2 192.168.19.122

listen stats
bind            0.0.0.0:8081
mode            http
#stats          uri /stat #Comment this if you need to specify diff stat path for viewing stat page
stats enable
stats auth admin:admin ##Auth user pass

#———–End of haproxy Config file————–

Step 3) Used /tmp/haproxy. Now you can send the commands to get stats from HAProxy –

Now time to use socat

ravi@arun:~# echo “” | socat unix-connect:/tmp/haproxy stdio
Unknown command. Please enter one of the following commands only :
show info   : report information about the running process
show stat   : report counters for each proxy and server
show errors : report last request and response errors for each proxy
show sess   : report the list of current sessions

This will dump (possibly huge) info about all know sessions.

ravi@arun:~$ echo “show sess” | socat unix-connect:/tmp/haproxy stdio
0x9ee3520: proto=tcpv4 src=192.168.19.117:4721 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,8h,fd=2,ex=] exp=20s
0x9eeb8e8: proto=tcpv4 src=192.168.19.117:4723 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=8,ex=] s1=[7,8h,fd=9,ex=] exp=20s
0x9ef3d08: proto=tcpv4 src=192.168.19.117:4725 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=12,ex=] s1=[7,8h,fd=13,ex=]
exp=20s
0x9f04548: proto=unix_stream as=2 ts=09 age=0s calls=2 rq[f=00e042h,l=10,an=20h,rx=10s,wx=,ax=]

rp[f=048060h,l=716,an=00h,rx=,wx=10s,ax=] s0=[7,0h,fd=3,ex=] s1=[0,0h,fd=-1,ex=] exp=9s

This will give you information about the running HAProxy process such as pid, uptime and etc.

ravi@arun:~$ echo “show info” | socat unix-connect:/tmp/haproxy stdio
Name: HAProxy
Version: 1.3.23
Release_date: 2010/01/28
Nbproc: 1
Process_num: 1
Pid: 11829
Uptime: 0d 0h42m53s
Uptime_sec: 2573
Memmax_MB: 0
Ulimit-n: 50013
Maxsock: 50013
Maxconn: 25000
Maxpipes: 0
CurrConns: 1
PipesUsed: 0
PipesFree: 0
Tasks: 1
Run_queue: 1
node: ravi.world
description:

This will give you stats on all of your backends and frontends, some of the same stuff you see on the stats page enabled by the stats uri configuration. As an added bonus it’s all in CSV.

ravi@arun:~$ echo “show stat” | socat unix-connect:/tmp/haproxy stdio
#
pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,ch
kdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,
ravitestbed,FRONTEND,,,0,5,100,30,32582,50616,0,0,0,,,,,OPEN,,,,,,,,,1,1,0,,,,0,0,0,5,
ravitestbed,trupti,0,0,0,2,,15,7020,22722,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,1,,15,,2,0,,2,
ravitestbed,arun,0,0,0,5,,15,25562,27894,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,2,,15,,2,0,,3,
ravitestbed,BACKEND,0,0,0,5,100,30,32582,50616,0,0,,0,0,0,0,UP,2,2,0,,0,2710,0,,1,1,0,,30,,1,0,,5,
stats,FRONTEND,,,0,1,100,21,9605,152357,0,0,0,,,,,OPEN,,,,,,,,,1,2,0,,,,0,0,0,9,
stats,BACKEND,0,0,0,1,100,5,9605,152357,0,0,,5,0,0,0,UP,0,0,0,,0,2710,0,,1,2,0,,0,,1,0,,4,

show errors will give you a capture of last error on each backend/frontend.

ravi@arun:~$ echo “show errors” | socat unix-connect:/tmp/haproxy stdio

Reffer:
http://www.dest-unreach.org/socat/
http://haproxy.1wt.eu/download/1.3/doc/configuration.txt

Thanks to Joe (http://www.joeandmotorboat.com)

Thank you,
Ravi

Good practices for apache & php

By Manoj Chauhan | February 19, 2010 | Comments 1 comment

Introduction –

To conclude the discussion about session management, here are some best practices to demonstrate that a robust scheme requires serious thinking:
•   Create a session token upon first visit.
•   When performing authentication, destroy the old session and create a new one.
•   Limit session lifetime to a short period (a few hours).
•   Destroy inactive sessions regularly.
•   Destroy sessions after users log out.
•   Ask users to re-authenticate before an important task is performed (e.g., an order is placed).
•   Do not use the same session for a non-SSL part of the site as for the SSL part of the site because non-SSL traffic can be intercepted and the session token obtained from it. Treat them as two different servers.
•   If cookies are used to transport session tokens in an SSL application, they should be marked “secure.” Secure cookies are never sent over a non-SSL connection.
•   Regenerate session tokens from time to time.
•   Monitor client parameters (IP address, the User-Agent request header) and send warnings to the error log when they change. Some information (e.g., the contents of the User-Agent header) should not change for the lifetime of a session. Invalidate the session if it does.
•   If you know where your users are coming from, attach each session to a single IP address, and do not allow the address to change.
•   If you can, do not accept users coming through web proxies. This will be difficult to do for most public sites but easier for internal applications.
•   If you can, do not accept users coming through open web proxies. Open proxies are used when users want to stay anonymous or otherwise hide their tracks. You can detect which proxies are open by extracting the IP address of the proxy from each proxied request and having a script automatically test whether the proxy is open or not.
•   If you do allow web proxies, consider using Java applets or Flash movies (probably a better choice since such movies can pretend to be regular animations) to detect the users’ real IP addresses. It’s a long shot but may work in some cases.
•   Web users can upload only jpeg, gif, png files not php extension
•   We can place a blank index page in each directory in question and users can not execute php etc scripts from the image folders or image/document upload folders.
•   Upgrade apache current version (2.0) to newer version (2.2)

Thanks
Manoj Chauhan

Haproxy + apache dropping the connections

By Ravi Bhure | January 24, 2010 | Comments 0 Comment

Many times haproxy and apache does not reliable to serve the connections without tune or we say we need to set system as well some kernel parameters to work it better.

Here haproxy gives an errors to connect to apache, at that time it logs the errors into ‘dmesg | tail’ or in ‘/var/log/messages’ “kernel: ip_conntrack: table full, dropping packet” that is related to ip_conntrack kernel module.

Conntrack table is hash table (hash map) of fixed size (8192 entries by default), which is used for primary lookup. When the slot in the table is found it points to list of conntrack structures, so secondary lookup is done using list traversal. 65536/8192 gives 8 – the average list length. You may want to experiment with this value on heavily loaded systems.

If this error founds into /var/log/messages or dmesg you have to apply following steps to resolve.

Here I have done this to changes and added few settings in kernel also we will do it to set apache MPM and Haproxy tunning with sysctl.conf

Note: I have tried all this workaround and apply on CentOS-5.2, but don’t worry ip_conntrack module is default in kernel 2.6 +

1) To check ip_contrack is compiled with your kernel

[root@ravi.com ~]# modinfo ip_conntrack
filename:       /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/ip_conntrack.ko
license:        GPL
srcversion:     F1390E605BBFB05078B78E8
depends:        nfnetlink
vermagic:       2.6.18-128.el5 SMP mod_unload gcc-4.1
module_sig:     883f350497747c575ed35fe9471dce112565509f4b58f4f3e440c6bcc05c2fba9bbdd224bdeb8209e293da385133a876e44a7b449ba59a882a8282b

2) Probe ip_conntrack kernel module or add it in /etc/modprobe.conf

[root@ravi.com ~]# modprobe ip_conntrack hashsize=131072

open /etc/modprobe.conf and add below lines at the end of file

options ip_conntrack hashsize=131072

3) before go to apply the 4th step, just check the ip_conntrack setting is into /etc/sysctl.conf

grep “ip_conntrack” /etc/sysctl.conf

if its found then apply 4th step or edit the /etc/sysctl.conf and add the given two lines at the end of file and save it then go for 4th step
(the value is compare to your RAM and set it to below)

net.ipv4.ip_conntrack_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 16777216

4) To apply the sysctl parameters run ‘sysctl -p’

[root@ravi.com ~]# sysctl -p

5) Now check the ip_conntrack is logging the connections and check not dropping any more

[root@ravi.com ~]# cat /proc/slabinfo | grep conn
ip_conntrack_expect 0 0 136 28 1 : tunables 120 60 8 : slabdata 0 0 0
ip_conntrack 216053 231335 304 13 1 : tunables 54 27 8 : slabdata 17795 17795 216

6) Also you can check how much memory utilized by ip_conntrack module per connection.

[root@ravi.com ~]# grep ip_conntrack /var/log/messages

/var/log/messages.2:Jan 14 21:46:04 ravi kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) – 304 bytes per conntrack

1M connections would require 304MB of kernel memory.

Thanks
Ravi

How to configure-add java extension for php on CentOS 5

By Ravi Bhure | January 22, 2010 | Comments 2 comments

Here I have used php version 5.2.11 and to jdk-6u18-linux-x64.bin

( from given JAVA download link)

[root@ravi.com ~]# yum -y install httpd php php-devel php-gd php-cli php-xml php-ldap php-common php-pear php-pdo

Install java jdk and set env in ~/.bashrc also run this on CLI to verify before next step.

export JAVA_HOME=//usr/java/jdk1.6.0_18
export PATH=/usr/java/jdk1.6.0_18/bin:$PATH

[root@ravi.com ~]# echo $JAVA_HOME

Now set the dynamic linker library path into /etc/ld.so.conf

/usr/java/jdk1.6.0_18/jre/lib/amd64
/usr/java/jdk1.6.0_18/jre/lib/amd64/server

[root@ravi.com ~]# ldconfig

Now download php-java-bridge source rpm

[root@ravi.com ~]# wget ftp://195.220.108.108/linux/sourceforge/p/project/ph/php-java-bridge/OldFiles/php-java-bridge-4.1.8-1.src.rpm

unpack the php-java-bridge rpm

[root@ravi.com ~]# rpm2cpio php-java-bridge-4.1.8-1.src.rpm | cpio -ivd
php-java-bridge.spec
php-java-bridge_4.1.8.tar.gz
16155 blocks

untar the php-java-bridge and configure the module

[root@ravi.com ~]# tar xzf php-java-bridge_4.1.8.tar.gz && cd php-java-bridge-4.1.8

[root@ravi.com ~]# phpize

[root@ravi.com ~]# ./configure –with-java=$JAVA_HOME && make && make install

[root@ravi.com ~]# echo “extension=java.so” > /etc/php.d/java.ini

open the php.ini and edit the at the end of file

[java]
java.class.path=/usr/lib64/php/modules/
java.library=/usr/java/jdk1.6.0_18/jre/lib/amd64/server/libjvm.so

Now restart apache
[root@ravi.com ~]# /etc/init.d/httpd restart

[root@ravi.com ~]# php -i | grep java
/etc/php.d/java.ini,
java
java support => Enabled
java bridge => 4.1.8
java.java_home =>
java.java => java
java.log_file => <stderr>
java.log_level => no value (use back-end’s default level)
java.security_policy => Off
java command => LD_LIBRARY_PATH=/usr/lib64/php/modules:/usr/lib/10.2.0.3/client64/lib java -Djava.library.path=/usr/lib64/php/modules -Djava.class.path=/usr/lib64/php/modules/JavaBridge.jar -Djava.awt.headless=true -Dphp.java.bridge.base=/usr/lib64/php/modules php.java.bridge.Standalone LOCAL:9267 1
java status => running
java server => 9267
PATH => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
JAVA_HOME => /usr/java/jdk1.6.0_18
_SERVER[“PATH”] => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
_SERVER[“JAVA_HOME”] => /usr/java/jdk1.6.0_18
_ENV[“PATH”] => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
_ENV[“JAVA_HOME”] => /usr/java/jdk1.6.0_18

Test your code in test.php and run to check
<?php
// get instance of Java class java.lang.System in PHP
$system = new Java(‘java.lang.System’); // demonstrate property access
print ‘Java version=’.$system->getProperty(‘java.version’).’ ‘;
print ‘Java vendor=’ .$system->getProperty(‘java.vendor’).’ ‘;
print ‘OS=’.$system->getProperty(‘os.name’).’ ‘.
$system->getProperty(‘os.version’).’ on ‘.
$system->getProperty(‘os.arch’).’ ‘; // java.util.Date example
$formatter = new Java(‘java.text.SimpleDateFormat’,
“EEEE, MMMM dd, yyyy ‘at’ h:mm:ss a zzzz”); print $formatter->format(new Java(‘java.util.Date’));
?>

[root@ravi.com ~]# php test.php
Java version=1.6.0_18 Java vendor=Sun Microsystems Inc. OS=Linux 2.6.18-53.el5xen on amd64 Friday, January 22, 2010 at 4:44:48 AM Pacific Standard Time
Thanks

Ravi

Installing PDO_OCI extension for php5

By Ravi Bhure | January 19, 2010 | Comments 0 Comment

To enable pdo_oci module you may need to install oracle client and oci8 module is require. I have installed oracle 10g client here.

[root@ravi.com ~]# export ORACLE_HOME=/usr/lib/oracle/10.2.0.3/client64/ ; export LD_LIBRARY_PATH=/usr/lib/oracle/10.2.0.3/client64/
[root@ravi.com ~]# cd /tmp
[root@ravi.com tmp]# pecl download pdo_oci
[root@ravi.com tmp]# tar xvzf PDO_OCI-1.0.tar.gz
[root@ravi.com tmp]# cd PDO_OCI-1.0 && phpize
[root@ravi.com tmp]# ./configure
[root@ravi.com PDO_OCI-1.0]# make
/bin/sh /tmp/PDO_OCI-1.0/libtool –mode=compile gcc -I/usr/include/php/ext -I. -I/tmp/PDO_OCI-1.0 -DPHP_ATOM_INC -I/tmp/PDO_OCI-1.0/include -I/tmp/PDO_OCI-1.0/main -I/tmp/PDO_OCI-1.0 -I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -DHAVE_CONFIG_H -g -O2 -c /tmp/PDO_OCI-1.0/pdo_oci.c -o pdo_oci.lo
mkdir .libs
gcc -I/usr/include/php/ext -I. -I/tmp/PDO_OCI-1.0 -DPHP_ATOM_INC -I/tmp/PDO_OCI-1.0/include -I/tmp/PDO_OCI-1.0/main -I/tmp/PDO_OCI-1.0 -I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -DHAVE_CONFIG_H -g -O2 -c /tmp/PDO_OCI-1.0/pdo_oci.c -fPIC -DPIC -o .libs/pdo_oci.o
In file included from /tmp/PDO_OCI-1.0/pdo_oci.c:31:
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:21:17: error: oci.h: No such file or directory
In file included from /tmp/PDO_OCI-1.0/pdo_oci.c:31:
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:26: error: expected specifier-qualifier-list before ‘sb4’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:32: error: expected specifier-qualifier-list before ‘OCIServer’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:48: error: expected specifier-qualifier-list before ‘OCIDefine’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:62: error: expected specifier-qualifier-list before ‘OCIStmt’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:73: error: expected specifier-qualifier-list before ‘OCIBind’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:85: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘PDO_OCI_INIT_MODE’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘_oci_error’
/tmp/PDO_OCI-1.0/pdo_oci.c:71: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘PDO_OCI_INIT_MODE’
/tmp/PDO_OCI-1.0/pdo_oci.c:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
/tmp/PDO_OCI-1.0/pdo_oci.c: In function ‘zm_startup_pdo_oci’:
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: ‘pdo_oci_Env’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: (Each undeclared identifier is reported only once
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: for each function it appears in.)
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: ‘PDO_OCI_INIT_MODE’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c: In function ‘zm_shutdown_pdo_oci’:
/tmp/PDO_OCI-1.0/pdo_oci.c:111: error: ‘dvoid’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c:111: error: expected expression before ‘)’ token
make: *** [pdo_oci.lo] Error 1

Is this the error that pdo does not connect to oci library and its find these into include subfolder, so you may need to copy all the files into include folder.

[root@ravi.com PDO_OCI-1.0]# cp -f /usr/include/oracle/10.2.0.3/client64/* /tmp/PDO_OCI-1.0/include/

Now run make & make install to compile and install the module.

[root@ravi.com PDO_OCI-1.0]# make && make install

enable the pdo_oci extension with php.

[root@ravi.com PDO_OCI-1.0]# echo “extension=pdo_oci.so” > /etc/php.d/pdo_oci.ini

[root@ravi.com PDO_OCI-1.0]# php -m | grep pdo_oci

To work pdo_oci properly you have to restart apache.

Thanks

Ravi

How to install & configure VNC server on CentOS

By Ravi Bhure | January 14, 2010 | Comments 0 Comment

How to install VNCSERVER on CentOS

yum groupinstall “GNOME Desktop Environment”
yum install xterm vnc-server vnc

remove the existing file & edit with ‘/etc/sysconfig/vncservers‘ and put the following lines in it

VNCSERVERS=”2:root”
VNCSERVERARGS[2]=”-geometry 800×600 -nolisten tcp -nohttpd -localhost”

set the vnc password to open the vnc for user root (you have to login as a root)
vncpasswd

set the vnc password to open the vnc for user (you have to login as a normal user that way it will create the file xstartup in $home/.vnc)
vncpasswd

Now start the vncserver as root user
/etc/init.d/vncserver start

Now kill the vncserver proocesses using ‘ps aux | grep vnc | xargs kill -9’

and start vnc server by following command
vncserver

check the given path to open the vnc display as given in example
New ‘appserver.ravi.com:3 (root)’ desktop is appserver.ravi.com:3

before open the vncviewer remove the file ‘/tmp/.X1-lock’

Now open the vnc display you will get the default ‘xterm’ open on it.