Category: Linux Networking

Find command and Exclude subdirectory under searching with find command

mtime, ctime, and atime
Unix keeps 3 timestamps for each file: mtime, ctime, and atime. Most people seem to understand atime (access time): it is when the file was last read. There does seem to be some confusion between mtime and ctime, though. ctime is the inode change time while mtime is the file modification time. "Change" and "modification" are pretty much synonymous, so there is no clue to be had by pondering those words. Instead you need to focus on what is being changed. mtime changes when you write to the file; it is the age of the data in the file. Whenever mtime changes, so does ctime. But ctime changes a few extra times. For example, it will change if you change the owner or the permissions on the file.

Let's look at a concrete example. We run a package called Samba that lets PCs access files. To change the Samba configuration, I just edit a file called smb.conf. (This changes mtime and ctime.) I don't need to take any other action to tell Samba that I changed that file. Every now and then Samba looks at the mtime on the file. If the mtime has changed, Samba rereads the file. Later that night our backup system runs. It uses ctime, which also changed, so it backs up the file. But let's say that a couple of days later I notice that the permissions on smb.conf are 666. That's not good: anyone can edit the file. So I do a "chmod 644 smb.conf". This changes only ctime. Samba will not reread the file. But later that night, our backup program notices that ctime has changed, so it backs up the file. That way, if we lose the system and need to reload our backups, we get the new, improved permission setting.

Here is a second example. Let's say that you have a data file called employees.txt which is a list of employees, and you have a program to print it out. The program not only prints the data, but it obtains the mtime and prints that too. Now someone has requested an employee list from the end of the year 2000 and you found a backup tape that has that file. Many restore programs will restore the mtime as well. When you run that program it will print an mtime from the end of the year 2000. But the ctime is today. So again, our backup program will see the file as needing to be backed up.

Suppose your restore program did not restore the mtime. You don't want your program to print today's date. Well, no problem: mtime is under your control. You can set it to whatever you want. So just do:
$ touch -t 200012311800 employees.txt
This will set mtime back to the date you want and it sets ctime to now. You have complete control over mtime, but the system stays in control of ctime. So mtime is a little bit like the date on a letter while ctime is like the postmark on the envelope.

==========================

find command -mtime -ctime -atime
The find command uses arguments like:
-mtime -2
-mtime +2
-mtime 2

There are -ctime and -atime options as well. Now that we understand the differences among mtime, ctime, and atime, understanding how find uses the -mtime option makes the other two clear as well, so I will describe find's use of the -mtime option.

As you probably know, the find command can run for minutes or hours depending on the size of the filesystem being searched. The find command makes a note of its own start time. It then looks at a file’s mtime and computes how many seconds ago the file was modified. By dividing the seconds by 86,400 (and discarding any remainder), it can calculate the file’s age in days:
0 days in seconds:       0 –  86399
1 day in seconds:    86400 – 172799
2 days in seconds:  172800 – 259199

So now that we know how many days ago a file was modified, we can use something like "-mtime 2", which specifies files that are 172800 to 259199 seconds older than the instant the find command was started.

“-mtime -2” means files that are less than 2 days old, such as a file that is 0 or 1 days old.

“-mtime +2” means files that are more than 2 days old… {3, 4, 5, …}

It may seem odd, but +0 is supposed to work and would mean files more than 0 days old. It is very important to recognize that find’s concept of a “day” has nothing to do with midnight.
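As an added example (not from the original post) that covers both the timestamp discussion and find's -mtime arithmetic above, this Python script back-dates a file's mtime the way `touch -t` does, shows that chmod moves only ctime, and reproduces find's day bucketing; the names `touch_t`, `timestamp_demo` and `mtime_matches` are mine and it assumes a Linux filesystem with ctime resolution of at least one second.

```python
"""Added example, not from the original post: exercise the mtime/ctime rules
and find's -mtime day arithmetic described above."""
import os
import tempfile
import time
from datetime import datetime

DAY = 86400  # find's "day": 86400 s counted back from find's start, not from midnight


def touch_t(path: str, stamp: str) -> None:
    """Equivalent of `touch -t YYYYMMDDhhmm path`: set atime and mtime to the
    given local time. The kernel moves ctime to 'now' by itself."""
    when = datetime.strptime(stamp, "%Y%m%d%H%M").timestamp()
    os.utime(path, (when, when))


def timestamp_demo() -> dict:
    """Back-date a file like employees.txt, then chmod it as with smb.conf:
    mtime must stay at the back-dated value while ctime moves forward."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"employee list\n")
        path = fh.name
    try:
        touch_t(path, "200012311800")   # the touch -t from the post
        st1 = os.stat(path)
        time.sleep(1.1)                 # some filesystems keep ctime in whole seconds
        os.chmod(path, 0o644)           # chmod 644: changes ctime only
        st2 = os.stat(path)
    finally:
        os.unlink(path)
    return {
        "mtime_year": datetime.fromtimestamp(st2.st_mtime).year,
        "mtime_unchanged": st1.st_mtime == st2.st_mtime,
        "ctime_advanced": st2.st_ctime > st1.st_ctime,
    }


def age_in_days(mtime: float, find_start: float) -> int:
    """find's arithmetic: seconds between the file's mtime and the instant
    find started, divided by 86400 with the remainder discarded."""
    return int(find_start - mtime) // DAY


def mtime_matches(spec: str, mtime: float, find_start: float) -> bool:
    """Evaluate one -mtime argument ('2', '-2', '+2', '+0') for one file."""
    days = age_in_days(mtime, find_start)
    if spec.startswith("+"):
        return days > int(spec[1:])   # -mtime +2: 3, 4, 5, ... days old
    if spec.startswith("-"):
        return days < int(spec[1:])   # -mtime -2: 0 or 1 days old
    return days == int(spec)          # -mtime 2: the 172800..259199 s band


if __name__ == "__main__":
    print(timestamp_demo())
    start = time.time()
    for spec, age in (("2", 200000), ("-2", 200000), ("+2", 260000), ("+0", 1)):
        print(f"-mtime {spec} on a file {age}s old -> {mtime_matches(spec, start - age, start)}")
```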

 

================================================================================

Example: list everything under /var/lib/ganglia/rrds modified more than 30 minutes ago, without descending into any directory named __SummaryInfo__ (the -prune inside the negated group skips it entirely):

mohit# find /var/lib/ganglia/rrds/* ! \( -name "__SummaryInfo__" -prune \) -mmin +30

Steps needed to create LUNs and to make them accessible by windows ISCSI initiators.

  • mohit_netapp02*> lun setup

This setup will take you through the steps needed to create LUNs
and to make them accessible by initiators. You can type ^C (Control-C)
at any time to abort the setup and no unconfirmed changes will be made
to the system.

  • Do you want to create a LUN? [y]: y
  • Multiprotocol type of LUN (solaris/windows/hpux/aix/linux/netware/vmware/windows_gpt)[linux]: windows

A LUN path must be absolute. A LUN can only reside in a volume or
qtree root. For example, to create a LUN with name "lun0" in the
qtree root /vol/vol1/q0, specify the path as "/vol/vol1/q0/lun0".

  • Enter LUN path: /vol/test_vol/test_lun0

A LUN can be created with or without space reservations being enabled.
Space reservation guarantees that data writes to that LUN will never
fail.

  • Do you want the LUN to be space reserved? [y]: Object action: admin.util.true

Size for a LUN is specified in bytes. You can use single-character
multiplier suffixes: b(sectors), k(KB), m(MB), g(GB) or t(TB).

  • Enter LUN size: 55g

You can add a comment string to describe the contents of the LUN.
Please type a string (without quotes), or hit ENTER if you don’t
want to supply a comment.

  • Enter comment string:

The LUN will be accessible to an initiator group. You can use an
existing group name, or supply a new name to create a new initiator
group. Enter '?' to see existing initiator group names.

  • Name of initiator group [windows]: Test_windows

Type of initiator group Test_windows (FCP/iSCSI) [iSCSI]: iSCSI
An iSCSI initiator group is a collection of initiator node names. Each
node name can begin with either 'eui.' or 'iqn.' and should be in the
following formats: eui.{EUI-64 address} or iqn.yyyy-mm.{reversed domain
name}:{optional string composed of alphanumeric characters, '-', '.'
and ':'}
Eg: iqn.2001-04.com.acme:storage.tape.sys1.xyz or eui.02004567A425678D
You can separate node names by commas. Enter '?' to display a list of
connected initiators. Hit ENTER when you are done adding node names to
this group.

  • Enter comma separated nodenames: ?

Initiators connected on adapter ism_sw1:
iSCSI Initiator Name                  Group
iqn.1991-05.com.microsoft:appoms2   windows
iqn.1991-05.com.microsoft:colodc1.projecty.com   windows
iqn.1991-05.com.microsoft:appoff1
Enter comma separated nodenames: iqn.1991-05.com.microsoft:appoms2
Enter comma separated nodenames:
The initiator group has an associated OS type. The following are
currently supported: solaris, windows, hpux, aix, linux, netware
or vmware.

  • OS type of initiator group "Test_windows" [windows]: windows

The LUN will be accessible to all the initiators in the
initiator group. Enter '?' to display LUNs already in use
by one or more initiators in group "Test_windows".

  • LUN ID at which initiator group "Test_windows" sees "/vol/test_vol/test_lun0" [0]: 1

LUN 1 is already mapped to by initiator iqn.1991-05.com.microsoft:appoms2
in group windows
LUN ID at which initiator group "Test_windows" sees "/vol/test_vol/test_lun0" [0]: 2
LUN Path                : /vol/test_vol/test_lun0
OS Type                 : windows
Size                    : 55.0g (59057510400)
Initiator Group         : Test_windows
Initiator Group Type    : iSCSI
Initiator Group Members : iqn.1991-05.com.microsoft:appoms2
Mapped to LUN-ID        : 2

  • Do you want to accept this configuration? [y]: y
  • Do you want to create another LUN? [n]: n
  • mohit_netapp02*> lun showq

lun: unrecognized command "showq"
The following commands are available; for more information
type "lun help <command>"
aluadb              destroy             move                set
attribute           df                  offline             setup
clone               geometry            online              share
comment             help                rescan              show
config              hist                resize              snap
config_check        map                 select              stats
create              maxsize             serial              unmap
dbedit

  • mohit_netapp02*> lun show

/vol/bod_iscsi/asm1            5g (5368709120)    (r/w, online, mapped)
/vol/mohitsnap/lun0         502.0g (539019048960)  (r/w, online, mapped)
/vol/test_vol/test_lun0     55.0g (59057510400)   (r/w, online, mapped)

 

 

Maximum LUN resize limits on NetApp

Be aware that there are limits on resizing a NetApp LUN. Because of the geometry assigned to the LUN at the time it was created, it can only be resized to a maximum of roughly 10 times its original size.

One way to see this is at the command line; to make the command available you need to run 'priv set diag', after which you have access to the 'lun geometry' command. It shows the LUN's current size as well as the maximum size it can be resized to.

 

Here is a table of some of the results:

LUN Size    Maximum Resize
< 50g       502g
51-100g     1004g
101-150g    1506g
151-200g    2008g
201-251g    2510g
252-301g    3012g
302-351g    3514g
352-401g    4016g

etc.

How to Test Network performance and Bandwidth

Introduction –

Network latency and bandwidth are the two metrics most likely to be of interest when you benchmark a network. Even though most service and product advertising focuses on bandwidth, at times latency can be the more important metric.

** What is Bandwidth?

Bandwidth (BW) in computer networking refers to the data rate supported by a network connection or interface. BW is measured in terms of bits per second (bps).

** What is Network latency?

Latency is a measure of the time delay experienced in a system. Network latency is simply defined as the time delay observed as data travels from one point to another. A number of factors contribute to network latency: the transmission medium, distance, routers and delays in computer hardware.

List of Projects used to test Network performance and Bandwidth –

1) bmon – Bandwidth monitor and rate estimator; console based, live BW
2) bwbar – Bandwidth usage in text and graphical format
3) bwm-ng – Bandwidth Monitor NG (Next Generation); live BW, console based
4) dstat – Dstat is a replacement for vmstat, iostat and ifstat.
5) iftop – Bandwidth usage on an interface; console based
6) iperf – Performs network throughput tests between two hosts
7) ifstat – Report InterFace STATistics
8) cbm – Color Bandwidth Meter; console based
9) etherape – Graphical network traffic browser
10) iptraf – Interactive Colorful IP LAN Monitor; console and GUI based
11) netmrg – Daemon based, MySQL support; gathers data from devices.
12) nuttcp – Network performance measurement tool
13) nepim – Network performance tool

NOTE ~ For some of them rpm or deb packages are not available!

Step 1] How to install on Red Hat/RHEL, CentOS based systems and Debian based systems –

root@me:~# yum install netperf iperf nuttcp nepim lmbench

** Ubuntu –

root@me:~# apt-get install  bmon bwbar bwm-ng dstat cbm etherape iftop iperf ifstat iptraf netmrg

Step 2] How to use – bmon, bwm-ng, dstat, ifstat –

root@me:~# bmon
interface: lo at me.arun.host
#   Interface                RX Rate         RX #     TX Rate         TX #
────────────────────────────────────────
me.arun.host (source: local)
0   lo                         0.00B            0       0.00B            0
1   eth0                       0.00B            0       0.00B            0
2   eth2                       0.00B            0       0.00B            0
3   vboxnet0                   0.00B            0       0.00B            0
4   pan0                       0.00B            0       0.00B            0
5   ppp0                      69.39KiB         61       7.49KiB         44

root@me:~# bwm-ng

bwm-ng v0.6 (probing every 0.500s), press ‘h’ for help
input: /proc/net/dev type: rate
\         iface                   Rx                   Tx                Total
==============================================================================
lo:           0.00 KB/s            0.00 KB/s            0.00 KB/s
eth0:           0.00 KB/s            0.00 KB/s            0.00 KB/s
eth2:           0.00 KB/s            0.00 KB/s            0.00 KB/s
ppp0:          64.39 KB/s            7.92 KB/s           72.31 KB/s
——————————————————————————
total:          64.39 KB/s            7.92 KB/s           72.31 KB/s

root@me:~# dstat
—-total-cpu-usage—- -dsk/total- -net/total- —paging– —system–
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw
7   4  85   4   0   0| 281k  110k|   0     0 |   0     0 | 865  3013
8   4  88   0   0   0|   0     0 |7027B 1261B|   0     0 | 956  4505
8   5  86   0   0   0|   0     0 |  14k 1867B|   0     0 |1144  3332
9   5  86   0   1   0|   0     0 |  79k 2496B|   0     0 |1360  3366
18   8  74   0   0   0|   0     0 |  52k 6511B|   0     0 |1299  3618
8   6  85   0   1   0|   0     0 |  35k 5339B|   0     0 |1094  4231
6   4  90   0   0   0|   0     0 |   0  3164B|   0     0 | 953  2750 ^C
root@me:~#

root@me:~# ifstat
eth0                eth2                ppp0
KB/s in  KB/s out   KB/s in  KB/s out   KB/s in  KB/s out
0.00      0.00      0.00      0.00     95.73      4.31
0.00      0.00      0.00      0.00     67.93      8.17
0.00      0.00      0.00      0.00    106.77     13.70
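As an added example (not from the original post), here is the rate arithmetic that bwm-ng (whose header above says it reads /proc/net/dev) and ifstat perform, run on two constructed /proc/net/dev snapshots taken 0.5 s apart; the function names, the 1 KB = 1024 bytes convention and the 32-bit counter-wrap handling are my assumptions.

```python
"""Added example, not from the original post: per-interface Rx/Tx rates from
two samples of /proc/net/dev, the way bwm-ng and ifstat compute them."""

COUNTER_BITS = 32  # assumption: older kernels expose 32-bit byte counters that wrap
KB = 1024.0        # assumption: 1 KB = 1024 bytes for the displayed rates

# Constructed snapshots (values are made up; the layout follows /proc/net/dev).
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:  120000     100    0    0    0     0          0         0    40000      50    0    0    0     0       0          0
  ppp0:  500000     400    0    0    0     0          0         0    60000      80    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:  120000     100    0    0    0     0          0         0    40000      50    0    0    0     0       0          0
  ppp0:  532768     430    0    0    0     0          0         0    64096      86    0    0    0     0       0          0
"""


def parse_proc_net_dev(text: str) -> dict:
    """Return {iface: (rx_bytes, tx_bytes)}. The first two lines are headers;
    after 'iface:' come 8 receive columns then 8 transmit columns, bytes first."""
    counters = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(before: int, after: int) -> int:
    """Difference between two readings, allowing for a single counter wrap."""
    if after < before:
        return after + (1 << COUNTER_BITS) - before
    return after - before


def rates(snap_before: str, snap_after: str, interval_s: float) -> dict:
    """Per-interface (rx, tx, total) in KB/s plus a 'total' row, like bwm-ng."""
    before = parse_proc_net_dev(snap_before)
    after = parse_proc_net_dev(snap_after)
    result = {}
    sum_rx = sum_tx = 0.0
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue  # interface appeared between the samples: no rate yet
        rx0, tx0 = before[iface]
        rx = counter_delta(rx0, rx1) / interval_s / KB
        tx = counter_delta(tx0, tx1) / interval_s / KB
        result[iface] = (round(rx, 2), round(tx, 2), round(rx + tx, 2))
        sum_rx += rx
        sum_tx += tx
    result["total"] = (round(sum_rx, 2), round(sum_tx, 2), round(sum_rx + sum_tx, 2))
    return result


if __name__ == "__main__":
    for iface, (rx, tx, tot) in rates(SNAP_T0, SNAP_T1, 0.5).items():
        print(f"{iface:>6}: {rx:8.2f} KB/s {tx:8.2f} KB/s {tot:8.2f} KB/s")
```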

** Start the "iperf" server on one host (A) and the client on another host (B) to measure network throughput between the two hosts.

* Host -A

root@me:~# iperf -s
————————————————————
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
————————————————————
[  4] local 192.168.0.1 port 5001 connected with 192.168.0.2 port 56171
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  9.11 GBytes  7.82 Gbits/sec

* Host -B
test@hostB:~$ iperf -c 192.168.0.1
————————————————————
Client connecting to 192.168.0.1, TCP port 5001
TCP window size: 49.5 KByte (default)
————————————————————
[  3] local 192.168.0.2 port 56171 connected with 192.168.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  9.11 GBytes  7.82 Gbits/sec
test@hostB:~$

root@me:~# iftop
root@me:~# cbm

Thank you,
Arun Bagul

How to use socat with haproxy stat

*** Introduction –

As you all know, HAProxy is one of the good open-source load balancing packages; to check its stats here we use 'socat', the Multipurpose relay (SOcket CAT).


* What is socat?

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes. (See more info in 'man socat' 🙂 or at http://www.dest-unreach.org/socat/)
* How to use ‘socat’ with haproxy stat

Step 1) Download 'socat' from http://www.dest-unreach.org/socat/download/ (latest version ~ "socat-2.0.0-b3.tar.gz")

ravi@arun:~$ wget http://www.dest-unreach.org/socat/download/socat-1.7.1.2.tar.gz

ravi@arun:~$ tar xvzf socat-1.7.1.2.tar.gz

ravi@arun:~$ cd socat-1.7.1.2

NOTE ~ If you get the message below after running 'make', there is no need to install the 'fipsld' package; just follow the steps below to compile socat….

FIPSLD_CC=gcc fipsld -O -D_GNU_SOURCE -Wall -Wno-parentheses  -DHAVE_CONFIG_H -I.  -I.   -c -o socat.o socat.c
/bin/sh: fipsld: command not found
make: *** [socat.o] Error 127

ravi@arun:~$ ./configure --disable-fips
ravi@arun:~$ make

To install it login as root
ravi@arun:~$ su -

ravi@arun:~# make install

Step 2) Now you need to add the stats socket path to the HAProxy configuration and restart haproxy, as shown in the following example, where I have added it under the 'global' section –

ravi@arun:~# more /etc/haproxy/myhaproxy.cfg

#———–Start of haproxy Config file————–
global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 25000
#debug
#quiet
user ravi
group ravi
stats socket    /tmp/haproxy
defaults
option          contstats
timeout         connect 5s
timeout         client 25s
timeout         server 25s
maxconn         100

listen ravitestbed      0.0.0.0:80 ##ravi.com IP
mode            tcp
balance         roundrobin
server          web1 192.168.19.117
server          web2 192.168.19.122

listen stats
bind            0.0.0.0:8081
mode            http
#stats          uri /stat  #Comment this if you need to specify diff stat path for viewing stat page
stats enable
stats auth admin:admin ##Auth user pass

#———–End of haproxy Config file————–

Step 3) The socket path used is /tmp/haproxy. Now you can send commands to it to get stats from HAProxy –

Now it is time to use socat

ravi@arun:~# echo "" | socat unix-connect:/tmp/haproxy stdio
Unknown command. Please enter one of the following commands only :
show info   : report information about the running process
show stat   : report counters for each proxy and server
show errors : report last request and response errors for each proxy
show sess   : report the list of current sessions

This will dump (possibly huge) info about all known sessions.

ravi@arun:~$ echo "show sess" | socat unix-connect:/tmp/haproxy stdio
0x9ee3520: proto=tcpv4 src=192.168.19.117:4721 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3 rq[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,8h,fd=2,ex=] exp=20s
0x9eeb8e8: proto=tcpv4 src=192.168.19.117:4723 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3 rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=8,ex=] s1=[7,8h,fd=9,ex=] exp=20s
0x9ef3d08: proto=tcpv4 src=192.168.19.117:4725 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3 rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=12,ex=] s1=[7,8h,fd=13,ex=] exp=20s
0x9f04548: proto=unix_stream as=2 ts=09 age=0s calls=2 rq[f=00e042h,l=10,an=20h,rx=10s,wx=,ax=] rp[f=048060h,l=716,an=00h,rx=,wx=10s,ax=] s0=[7,0h,fd=3,ex=] s1=[0,0h,fd=-1,ex=] exp=9s

This will give you information about the running HAProxy process, such as pid and uptime.

ravi@arun:~$ echo "show info" | socat unix-connect:/tmp/haproxy stdio
Name: HAProxy
Version: 1.3.23
Release_date: 2010/01/28
Nbproc: 1
Process_num: 1
Pid: 11829
Uptime: 0d 0h42m53s
Uptime_sec: 2573
Memmax_MB: 0
Ulimit-n: 50013
Maxsock: 50013
Maxconn: 25000
Maxpipes: 0
CurrConns: 1
PipesUsed: 0
PipesFree: 0
Tasks: 1
Run_queue: 1
node: ravi.world
description:

This will give you stats on all of your backends and frontends, some of the same stuff you see on the stats page enabled by the stats uri configuration. As an added bonus it’s all in CSV.

ravi@arun:~$ echo "show stat" | socat unix-connect:/tmp/haproxy stdio
#
pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,
ravitestbed,FRONTEND,,,0,5,100,30,32582,50616,0,0,0,,,,,OPEN,,,,,,,,,1,1,0,,,,0,0,0,5,
ravitestbed,trupti,0,0,0,2,,15,7020,22722,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,1,,15,,2,0,,2,
ravitestbed,arun,0,0,0,5,,15,25562,27894,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,2,,15,,2,0,,3,
ravitestbed,BACKEND,0,0,0,5,100,30,32582,50616,0,0,,0,0,0,0,UP,2,2,0,,0,2710,0,,1,1,0,,30,,1,0,,5,
stats,FRONTEND,,,0,1,100,21,9605,152357,0,0,0,,,,,OPEN,,,,,,,,,1,2,0,,,,0,0,0,9,
stats,BACKEND,0,0,0,1,100,5,9605,152357,0,0,,5,0,0,0,UP,0,0,0,,0,2710,0,,1,2,0,,0,,1,0,,4,

show errors will give you a capture of the last error on each backend/frontend.

ravi@arun:~$ echo "show errors" | socat unix-connect:/tmp/haproxy stdio
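As an added example (not from the original post), the same queries done from Python rather than socat: `stats_command` connects to the UNIX socket configured above and `parse_show_stat` turns the CSV from `show stat` into dicts, using the page's own sample output; the function names and the `STATS_SOCKET` constant are mine, and the socket must be accessible to the user running the script.

```python
"""Added example, not from the original post: query the HAProxy stats socket
and parse the `show stat` CSV shown above."""
import csv
import io
import socket

STATS_SOCKET = "/tmp/haproxy"  # the 'stats socket' path from the config above

# The page's own `show stat` output (header line rejoined onto one line).
SHOW_STAT_SAMPLE = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,
ravitestbed,FRONTEND,,,0,5,100,30,32582,50616,0,0,0,,,,,OPEN,,,,,,,,,1,1,0,,,,0,0,0,5,
ravitestbed,trupti,0,0,0,2,,15,7020,22722,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,1,,15,,2,0,,2,
ravitestbed,arun,0,0,0,5,,15,25562,27894,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,2,,15,,2,0,,3,
ravitestbed,BACKEND,0,0,0,5,100,30,32582,50616,0,0,,0,0,0,0,UP,2,2,0,,0,2710,0,,1,1,0,,30,,1,0,,5,
stats,FRONTEND,,,0,1,100,21,9605,152357,0,0,0,,,,,OPEN,,,,,,,,,1,2,0,,,,0,0,0,9,
stats,BACKEND,0,0,0,1,100,5,9605,152357,0,0,,5,0,0,0,UP,0,0,0,,0,2710,0,,1,2,0,,0,,1,0,,4,
"""


def stats_command(command: str, path: str = STATS_SOCKET) -> str:
    """Send one command (e.g. 'show stat') over the UNIX stats socket and return
    the reply; this is what `echo cmd | socat unix-connect:PATH stdio` does."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.connect(path)
        sock.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:  # HAProxy closes the socket after answering one command
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_show_stat(text: str) -> list:
    """Turn `show stat` CSV into a list of dicts keyed by the header names.
    The header starts with '# ' and every line ends with a trailing comma."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("# ").rstrip(",").split(",")
    rows = []
    for rec in csv.reader(io.StringIO("\n".join(lines[1:]))):
        rows.append(dict(zip(header, rec[:len(header)])))
    return rows


def unhealthy(rows: list) -> list:
    """(proxy, server, status) for every row whose status is not UP/OPEN.
    'no check' means no health check is configured, which is worth flagging."""
    return [(r["pxname"], r["svname"], r["status"])
            for r in rows if r["status"] not in ("UP", "OPEN")]


def frontend_traffic(rows: list) -> tuple:
    """Total bytes in and out across all FRONTEND rows."""
    fe = [r for r in rows if r["svname"] == "FRONTEND"]
    return (sum(int(r["bin"]) for r in fe), sum(int(r["bout"]) for r in fe))


if __name__ == "__main__":
    rows = parse_show_stat(SHOW_STAT_SAMPLE)   # or parse_show_stat(stats_command("show stat"))
    print("bytes in/out:", frontend_traffic(rows))
    for px, sv, status in unhealthy(rows):
        print(f"{px}/{sv}: {status}")
```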

References:
http://www.dest-unreach.org/socat/
http://haproxy.1wt.eu/download/1.3/doc/configuration.txt

Thanks to Joe (http://www.joeandmotorboat.com)

Thank you,
Ravi

How to use TCP Wrappers for system security

Introduction:-

Access control for services compiled with TCP wrappers support is implemented by the /etc/hosts.allow and /etc/hosts.deny files. When a connection attempt is made, the hosts.allow file is checked first; if a line matches, the connection is allowed. Otherwise the hosts.deny file is consulted; if a line matches, the connection is denied. If no match occurs in either file, the connection is allowed.

Create Authorized Use Only Banners

If configured as described below, TCP wrappers will display a warning banner to any user attempting to connect to a service it monitors. The following set of commands generate the directory /etc/banners, and the files therein contain warning banner text for each service. In this example, the banner text is “Use of this system is restricted to authorized users.” Note that exact wording of a warning banner is site specific; however, it should at least emphasize that the use of the system is restricted to authorized persons and that consent to monitor activities is implied by logging in to the system.

[root@localhost]# /bin/mkdir -p /etc/banners
[root@localhost]# /bin/echo "Use of this system is restricted to authorized users" > /etc/banners/prototype
[root@localhost]# cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile

Deny Everything Except What is Explicitly Allowed

In order to implement the security best practice stance of deny everything except what is explicitly allowed, issue the following command (a quoted here-document keeps the backticks and the %-sequences intact for tcpd to expand at connection time):
[root@localhost]# cat > /etc/hosts.deny << 'EOF'
ALL: ALL: spawn (/bin/echo -e `/bin/date`"\n%c attempted connection to %s and was denied" | /bin/mail -s "Connection attempt to %s" root) &
EOF

Any connection attempt not listed in the hosts.allow file will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.

Allow Access to Those Who Require It

Edit the hosts.allow file and add a line for each service to which access should be allowed. A few examples are shown below (See the man pages for hosts.allow for more detail).

ALL: LOCAL : banners /etc/banners            # All services from local clients (hostnames with no ".")
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners # SSH connections from host IP addresses between 10.1.1.0 and 10.1.2.0
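An added example (not from the original post) that models the decision order described in the introduction and runs it over the two hosts.allow lines above plus the hosts.deny catch-all; it handles only the ALL, LOCAL, exact-address, prefix and net/mask client forms of hosts_access(5), and every name in it is mine. One caveat it surfaces: tcpd matches a net/mask pattern when address AND mask equals net, and 10.1.1.0 has a bit set outside the 255.255.254.0 mask, so the sshd line as written can never match; the test assumes 10.1.1.0/255.255.255.0 was the intended 10.1.1.x range.

```python
"""Added example, not from the original post: a model of the hosts.allow /
hosts.deny decision, run over the page's own rules."""
import ipaddress
import re

# Constructed copies of the page's rules (not read from /etc).
HOSTS_ALLOW = """\
ALL: LOCAL : banners /etc/banners
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners
"""
HOSTS_DENY = 'ALL: ALL: spawn (/bin/mail -s "Connection attempt to %s" root) &\n'


def parse_rules(text: str) -> list:
    """Return [(daemon_list, client_list)]; options after the 2nd ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":")]
        if len(parts) >= 2 and parts[0] and parts[1]:
            rules.append((re.split(r"[\s,]+", parts[0]), re.split(r"[\s,]+", parts[1])))
    return rules


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def client_matches(pattern: str, addr: str, hostname: str = "") -> bool:
    """hosts_access(5) client patterns: ALL, LOCAL (a name without a dot),
    n.n.n.n/m.m.m.m (match when addr & mask == net), 'n.n.n.' prefix, exact."""
    try:
        if pattern == "ALL":
            return True
        if pattern == "LOCAL":
            return bool(hostname) and "." not in hostname
        if "/" in pattern:
            net, mask = pattern.split("/", 1)
            return (_ip(addr) & _ip(mask)) == _ip(net)
        if pattern.endswith("."):
            return addr.startswith(pattern)
        return pattern in (addr, hostname)
    except ValueError:  # pattern or address is not a dotted quad
        return False


def decide(daemon: str, addr: str, hostname: str = "",
           allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> str:
    """hosts.allow first (match => allow), then hosts.deny (match => deny),
    and allow when neither file matches."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, addr, hostname) for c in clients):
                return verdict
    return "allow"


def unaligned_netmasks(text: str) -> list:
    """Lint: a net/mask pattern whose net has bits outside its mask can never
    match, which silently turns an allow rule into no rule at all."""
    bad = []
    for _, clients in parse_rules(text):
        for c in clients:
            if "/" in c:
                net, mask = c.split("/", 1)
                try:
                    if _ip(net) & _ip(mask) != _ip(net):
                        bad.append(c)
                except ValueError:
                    continue
    return bad


if __name__ == "__main__":
    print("sshd from 10.1.1.5 ->", decide("sshd", "10.1.1.5"))
    print("unaligned net/mask patterns:", unaligned_netmasks(HOSTS_ALLOW))
```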

Thanks
Manoj Chauhan

Haproxy + apache dropping the connections

Often HAProxy and Apache do not serve connections reliably without tuning; we need to set some system and kernel parameters to make them work better.

Here HAProxy gives errors when connecting to Apache, and at the same time the kernel logs "kernel: ip_conntrack: table full, dropping packet" (seen in 'dmesg | tail' or in '/var/log/messages'); this relates to the ip_conntrack kernel module.

The conntrack table is a hash table (hash map) of fixed size (8192 entries by default) which is used for the primary lookup. When the slot in the table is found, it points to a list of conntrack structures, so the secondary lookup is done by list traversal. 65536/8192 gives 8, the average list length. You may want to experiment with this value on heavily loaded systems.

If this error is found in /var/log/messages or dmesg, apply the following steps to resolve it.

Here I have made these changes and added a few kernel settings; we will also set the Apache MPM and tune HAProxy via sysctl.conf.

Note: I tried all of this workaround on CentOS-5.2, but don't worry, the ip_conntrack module is present by default in kernel 2.6+.

1) Check that ip_conntrack is compiled with your kernel

[root@ravi.com ~]# modinfo ip_conntrack
filename:       /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/ip_conntrack.ko
license:        GPL
srcversion:     F1390E605BBFB05078B78E8
depends:        nfnetlink
vermagic:       2.6.18-128.el5 SMP mod_unload gcc-4.1
module_sig:     883f350497747c575ed35fe9471dce112565509f4b58f4f3e440c6bcc05c2fba9bbdd224bdeb8209e293da385133a876e44a7b449ba59a882a8282b

2) Probe ip_conntrack kernel module or add it in /etc/modprobe.conf

[root@ravi.com ~]# modprobe ip_conntrack hashsize=131072

or

open /etc/modprobe.conf and add the line below at the end of the file

options ip_conntrack hashsize=131072

3) Before going on to the 4th step, check whether the ip_conntrack setting is already in /etc/sysctl.conf

grep "ip_conntrack" /etc/sysctl.conf

If it is found, apply the 4th step; otherwise edit /etc/sysctl.conf, add the two lines below at the end of the file, save it and then go to the 4th step
(choose the value relative to your RAM; set it as below)

net.ipv4.ip_conntrack_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 16777216

4) To apply the sysctl parameters run ‘sysctl -p’

[root@ravi.com ~]# sysctl -p

5) Now check that ip_conntrack is tracking the connections and no longer dropping any

[root@ravi.com ~]# cat /proc/slabinfo | grep conn
ip_conntrack_expect      0      0    136   28    1 : tunables  120   60    8 : slabdata      0      0      0
ip_conntrack      216053 231335    304   13    1 : tunables   54   27    8 : slabdata  17795  17795    216

6) You can also check how much memory the ip_conntrack module uses per connection.

[root@ravi.com ~]# grep ip_conntrack /var/log/messages

/var/log/messages.2:Jan 14 21:46:04 ravi kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) – 304 bytes per conntrack

1M connections would require 304MB of kernel memory.

Thanks
Ravi

How to install & configure VNC server on CentOS

How to install VNCSERVER on CentOS

yum groupinstall "GNOME Desktop Environment"
yum install xterm vnc-server vnc

Remove the existing file and edit '/etc/sysconfig/vncservers', putting the following lines in it

VNCSERVERS="2:root"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -nohttpd -localhost"

Set the VNC password for user root (you have to be logged in as root)
vncpasswd

Set the VNC password for a normal user (log in as that user; this also creates the xstartup file in $HOME/.vnc)
vncpasswd

Now start the vncserver as root user
/etc/init.d/vncserver start

Now kill the vncserver processes using 'ps aux | grep vnc | xargs kill -9'

and start the VNC server with the following command
vncserver

Check the display name it prints, as in this example, to know which display to open
New 'appserver.ravi.com:3 (root)' desktop is appserver.ravi.com:3

Before opening vncviewer, remove the file '/tmp/.X1-lock'

Now open the VNC display; you will get the default 'xterm' open on it.

How to install Network Driver in Linux system

Introduction –

The "Attansic Technology Corp. L1 Gigabit Ethernet Adapter" network (NIC) card was not detected by the RHEL4 (Red Hat) system. I tried running kudzu and other commands to detect the device, but to no avail. So finally I had to install drivers for my network card…

Step 1] Device status (network card) –

* See below the device status from the hardware conf file ~ "/etc/sysconfig/hwconf"
* Attansic Technology Corp. L1 Gigabit Ethernet Adapter not detected – Unknown device 8226

03:00.0 Ethernet controller: Attansic Technology Corp. L1 Gigabit Ethernet Adapter (rev b0)
Subsystem: ASUSTeK Computer Inc.: Unknown device 8226
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66Mhz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR+ <PERR-
Latency: 0, Cache Line Size 10
Interrupt: pin A routed to IRQ 201

…..

[root@desktop ~]# lspci

03:00.0 Ethernet controller: Attansic Technology Corp. L1 Gigabit Ethernet Adapter (rev b0)

…..
[root@desktop ~]# lspci -n

03:00.0 Class 0200: 1969:1048 (rev b0)

…..
[root@desktop ~]#

* Make sure to download drivers for the above vendor ID & device ID "1969:1048"….

Step 2] Download and extract the source –

First, download the vendor driver from here

ftp://ftp.hogchain.net/pub/linux/attansic/vendor_driver/l1-linux-v1.2.40.3.tar.gz

OR
open-source (http://atl1.sourceforge.net/)

[root@desktop ~]# tar xvfz l1-linux-v1.2.40.3.tar.gz

[root@desktop ~]# cd  l1-linux-v1.2.40.3

[root@desktop src]# ls
at_ethtool.c  at.h  at_hw.c  at_hw.h  at_main.c  at_osdep.h  at_param.c  kcompat.c  kcompat_ethtool.c  kcompat.h  Makefile
[root@desktop src]#

* Now compile and install the drivers

[root@desktop src]# make
make -C /lib/modules/2.6.9-78.ELsmp/build SUBDIRS=/root/l1-linux-v1.2.40.3/src modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-78.EL-smp-i686′

…..
make[1]: Leaving directory `/usr/src/kernels/2.6.9-78.EL-smp-i686′
[root@desktop src]# echo $?
0

[root@desktop src]# make install
make -C /lib/modules/2.6.9-78.ELsmp/build SUBDIRS=/root/l1-linux-v1.2.40.3/src modules

…..
man -c -P’cat > /dev/null’ atl1 || true
[root@desktop src]# echo $?
0

* Now load the kernel module….

[root@desktop src]# modprobe   atl1

Step 3] Now verify whether kernel driver is working or not  –

[root@desktop src]# modinfo   atl1
filename:       /lib/modules/2.6.9-78.ELsmp/kernel/drivers/net/atl1/atl1.ko
author:         Atheros Corporation, <xiong.huang@atheros.com>
description:    Atheros 1000M Ethernet Network Driver
license:        GPL
version:        1.2.40.3 1FC4E58EBDF31F49BFD33E8
parm:           TxDescriptors:Number of transmit descriptors
parm:           RxDescriptors:Number of receive descriptors
parm:           MediaType:MediaType Select
parm:           IntModTimer:Interrupt Moderator Timer
parm:           FlashVendor:SPI Flash Vendor
vermagic:       2.6.9-78.ELsmp SMP 686 REGPARM 4KSTACKS gcc-3.4
depends:
alias:          pci:v00001969d00001048sv*sd*bc*sc*i*
[root@desktop src]#

[root@desktop src]# netconfig
[root@desktop src]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:AD:54:0A:XX:WW
inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
inet6 addr: fe80::223:54ff:fe0a:616b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b)  TX bytes:498 (498.0 b)
Memory:feac0000-feb00000

…..

[root@desktop src]#

[root@desktop ~]# vi /etc/sysconfig/hwconf

class: NETWORK
bus: PCI
detached: 0
device: eth0
driver: atl1
desc: “Attansic Technology Corp. L1 Gigabit Ethernet Adapter”
network.hwaddr: 00:AD:54:0A:XX:WW
vendorId: 1969
deviceId: 1048

subVendorId: 1043
subDeviceId: 8226
pciType: 1
pcidom:    0
pcibus:  3
pcidev:  0
pcifn:  0
[root@desktop ~]#

Enjoy,
Arun Bagul

How to configure TATA Indicom/BSNL/Reliance Broadband+ Netconnect (EVDO usb modem) on Ubuntu Linux

Introduction ~

This article is about how to configure the TATA Indicom, BSNL and Reliance Broadband+ Netconnect (EVDO usb modem) on Ubuntu Linux.

To configure the Reliance, BSNL and Tata Indicom Epi Valley usb modem, please refer to the following article ~

http://www.indiangnu.org/2008/tata-indicom-usb-modem-epi-valley-on-ubuntu-linux/

To configure the Tata Indicom or Reliance Huawei datacard, refer to the following article ~

http://www.indiangnu.org/2008/tata-indicom-datacard-huawei-cdma-on-linuxubuntu/

** What is EVDO?

Evolution-Data Optimized (EVDO) is a telecommunications standard for the wireless transmission of data over radio signals, typically for broadband Internet access. It combines code division multiple access (CDMA) with time division multiple access (TDMA) multiplexing to maximize both each user's throughput and the overall system throughput. It is standardized by the 3rd Generation Partnership Project 2 (3GPP2) as part of the CDMA2000 family of 3G standards and has been adopted by many mobile phone service providers around the world, particularly those that previously ran CDMA networks.

How to configure Reliance Broadband+ Netconnect –

Step 1] Mount usbfs on "/proc/bus/usb" –

root@laptop:~# ls  /proc/bus/usb/
root@laptop:~#

* The empty listing shows that usbfs is not mounted on "/proc/bus/usb". usb_modeswitch 1.0.5 is built on libusb 0.1, which talks to devices through usbfs, so mount it with the following command....

root@laptop:/var/src/usb_modeswitch-1.0.5# mount -t usbfs  none /proc/bus/usb
root@laptop:/var/src/usb_modeswitch-1.0.5# ls /proc/bus/usb/
001  002  003  004  005  006  007  devices
root@laptop:/var/src/usb_modeswitch-1.0.5#

Step 2] Check the status of the Reliance Broadband+ USB device ~

* lsusb lists the USB buses in the system and the devices connected to them.

* Output before connecting the Reliance Broadband+ Netconnect USB modem –

root@laptop:~# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
…..
root@laptop:~#

* Now plug in the Reliance Broadband+ Netconnect USB modem and run lsusb again –

root@laptop:~# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 004: ID 19d2:fff5
Bus 005 Device 003: ID 08ff:2580 AuthenTec, Inc. AES2501 Fingerprint Sensor
…..
root@laptop:~#

* The new line "Bus 005 Device 004: ID 19d2:fff5" shows that the Reliance (EVDO) USB device has been detected with vendor ID 19d2 and product ID fff5. /proc/bus/usb/devices and dmesg give the details:

root@laptop:~# cat /proc/bus/usb/devices

T:  Bus=07 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 23 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=fff5 Rev= 0.00
S:  Manufacturer=ZTE, Incorporated
S:  Product=USB Storage
S:  SerialNumber=000000000002
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usbserial_generic
E:  Ad=89(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=0a(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms

root@laptop:~# dmesg | tail
[15035.656075] usb 7-2: new full speed USB device using uhci_hcd and address 24
[15035.814188] usb 7-2: configuration #1 chosen from 1 choice
[15035.827708] scsi10 : SCSI emulation for USB Mass Storage devices
[15035.828851] usb-storage: device found at 24
[15035.828856] usb-storage: waiting for device to settle before scanning
[15040.831095] usb-storage: device scan complete
[15040.834105] scsi 10:0:0:0: Direct-Access     ZTE      USB Storage FFF1 2.31 PQ: 0 ANSI: 2
[15040.839233] sd 10:0:0:0: [sdb] Attached SCSI removable disk
[15040.839378] sd 10:0:0:0: Attached scsi generic sg2 type 0
root@laptop:~#

*** As shown above, the Reliance Broadband+ EVDO stick is initially detected as a USB mass-storage device (it even gets a /dev/sdb), not as a modem. That is why it has to be switched to modem mode in the next step.

Step 3] Switch the Reliance Broadband+ Netconnect into USB modem mode –

To use the Reliance Broadband+ stick as a modem, its USB mode has to be switched with the "usb_modeswitch" tool.

Download ~ http://www.draisberghof.de/usb_modeswitch/usb_modeswitch-1.0.5.tar.bz2

Help – http://www.draisberghof.de/usb_modeswitch/

* The tarball is fetched over plain HTTP and is compiled and installed as root below, so compare it against the checksum or signature published on the project page (if one is available) before building it.

* Download and extract the “usb_modeswitch” –

root@laptop:/var/src# wget -c  http://www.draisberghof.de/usb_modeswitch/usb_modeswitch-1.0.5.tar.bz2

root@laptop:/var/src# tar xvfj usb_modeswitch-1.0.5.tar.bz2

* Now compile (linking against libusb 0.1; the library is given after the source file so the link order also works with linkers that default to --as-needed) and install –

root@laptop:/var/src/usb_modeswitch-1.0.5# gcc -o usb_modeswitch usb_modeswitch.c -lusb
root@laptop:/var/src/usb_modeswitch-1.0.5# make install
mkdir -p /usr/sbin
install ./usb_modeswitch /usr/sbin
mkdir -p /etc
install --mode=644 ./usb_modeswitch.conf /etc
root@laptop:/var/src/usb_modeswitch-1.0.5#

**** Now configure USB mode switching –

a) Edit the configuration file "/etc/usb_modeswitch.conf" –

Search for your device's vendor and product IDs (here 19d2 and fff5) in "/etc/usb_modeswitch.conf"; the shipped file already contains entries for most devices. I chose the following settings and they work for me. DefaultVendor/DefaultProduct are the IDs the stick shows in storage mode, TargetVendor/TargetProduct are the IDs it shows once it has switched to modem mode, and MessageContent is the mass-storage command block (it starts with "USBC") that usb_modeswitch sends to trigger the switch.

root@laptop:~# cat  /etc/usb_modeswitch.conf

###################
# ZTE AC8710
#

DefaultVendor=  0x19d2
DefaultProduct= 0xfff5

TargetVendor=   0x19d2
TargetProduct=  0xfff1

MessageContent="5553424312345678c00000008000069f030000000000000000000000000000"

root@laptop:~#

b) Now run “usb_modeswitch” command to switch the mode of USB device

root@laptop:~# usb_modeswitch -c /etc/usb_modeswitch.conf

Step 4] Pass the device IDs to the "usbserial" driver

* Remember that in Ubuntu 9.04 "usbserial" is built into the kernel rather than shipped as a loadable module, so its vendor and product parameters cannot be given to modprobe; they have to be appended to the kernel command line in the GRUB configuration ("/boot/grub/menu.lst" here, "grub.conf" on other distributions). Note that the IDs are those of the switched device (product 0xfff1), not the storage-mode ones. On a kernel where usbserial is a module, "modprobe usbserial vendor=0x19d2 product=0xfff1" does the same without a reboot.

root@laptop:~# cat /boot/grub/menu.lst

title        Ubuntu 9.04, kernel 2.6.28-11-generic
uuid        c98db8a7-0a2e-4cea-b9d5-43a30c892fb0
kernel        /vmlinuz-2.6.28-11-generic root=/dev/sda5  ro quiet splash  usbserial.vendor=0x19d2  usbserial.product=0xfff1
initrd        /initrd.img-2.6.28-11-generic
quiet
….
……
root@laptop:~#

**** Reboot the machine so the new kernel parameters take effect, then run the following commands

* Output before switch….

root@laptop:~# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 023: ID 19d2:fff5
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
…..
root@laptop:~#

root@laptop:~# usb_modeswitch -c /etc/usb_modeswitch.conf

* Output after switch….

root@laptop:~# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 024: ID 19d2:fff1
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
…..
root@laptop:~#

* Querying the switched device with usb_modeswitch without a switching method only prints its descriptors:

root@laptop:~# usb_modeswitch  -v 19d2 -p fff1

Looking for default devices …
Found default devices (1)
Accessing device 004 on bus 005 …
Using endpoints 0x02 (out) and 0x82 (in)
Not a storage device, skipping SCSI inquiry

Device description data (identification)
————————-
Manufacturer: ZTE, Incorporated
Product: ZTE CDMA Tech
Serial No.: not provided
————————-
Warning: no switching method given.
-> Run lsusb to note any changes. Bye.

root@laptop:~#

root@laptop:~# cat /proc/bus/usb/devices

T:  Bus=07 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 24 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=fff1 Rev= 0.00
S:  Manufacturer=ZTE, Incorporated
S:  Product=ZTE CDMA Tech

C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=128ms

root@laptop:~# dmesg  | tail
[   70.985075] usbserial_generic 5-1:1.1: generic converter detected
[   70.985109] usb 5-1: generic converter now attached to ttyUSB1
[   70.987028] usbserial_generic 5-1:1.2: generic converter detected
[   70.987064] usb 5-1: generic converter now attached to ttyUSB2
[   70.989589] usbserial_generic 5-1:1.3: generic converter detected
[   70.989623] usb 5-1: generic converter now attached to ttyUSB3
[   70.991023] usbserial_generic 5-1:1.4: generic converter detected
[   70.991061] usb 5-1: generic converter now attached to ttyUSB4
[   70.993066] usbserial_generic 5-1:1.5: generic converter detected
[   70.993109] usb 5-1: generic converter now attached to ttyUSB5
root@laptop:~#

*** The usbserial generic driver has bound the interfaces of the switched device and exposed them as /dev/ttyUSB* serial ports, so the Reliance Broadband+ EVDO stick is now usable as a CDMA modem.

Step 5] Configure wvdial –

* Run "wvdialconf" to detect the modem and create "/etc/wvdial.conf", then edit that file

root@laptop:~# wvdialconf
Editing `/etc/wvdial.conf’.
Scanning your serial ports for a modem.
Modem Port Scan<*1>: S0   S1

root@laptop:~# cat /etc/wvdial.conf

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Password = your_mobile_no
Username = your_mobile_no
Phone = #777
PPPD Path = /usr/sbin/pppd
Modem Type = Analog Modem
Stupid Mode = 1
Tonline = 0
Baud = 9600
New PPPD = 1
Modem = /dev/ttyUSB0
ISDN = 0
root@laptop:~#

* The file now holds the account username and password in cleartext, so make sure it is readable by root only before going further.

* Now it's time to start surfing.....

root@laptop:~# wvdial &
[1] 21710
root@laptop:~#

root@laptop:~# ifconfig

ppp0 Link encap:Point-to-Point Protocol
inet addr:115.184.XX.BB  P-t-P:220.224.CC.DD  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:4310 errors:0 dropped:0 overruns:0 frame:0
TX packets:4347 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2268618 (2.2 MB)  TX bytes:445276 (445.2 KB)

Enjoy,
Arun Bagul

HAProxy Load Balancer

IT infrastructure is becoming more critical and more costly every day, so we need a simple IP-based load balancing solution that can also carry SSL traffic. HAProxy is an easy way to manage load balancing for your servers.
This example shows how we use it, in easy steps.

The Configuration =
* Load Balancer:  <10.0.0.77>  // our haproxy server; it listens on as many ports as we bind below
* Web Server 1: <10.0.1.209>  // web application server 1   # served in tcp mode
* Web Server 2: <10.0.1.210>  // web application server 2   # served in tcp mode
* Web Server 3: <10.0.1.227>  // web application server 3   # served in http mode
* Statistics Panel: <10.0.0.77> port 8088  // HAProxy stats page   # http mode

Get and Install haproxy
We'll be using the 1.3.19 source tarball to install haproxy. You can get it from http://haproxy.1wt.eu/

wget http://haproxy.1wt.eu/download/1.3/src/haproxy-1.3.19.tar.gz

tar xvzf haproxy-1.3.19.tar.gz

cd haproxy-1.3.19

make TARGET=linux26 ARCH=x86_64

make install

Now add an unprivileged user for haproxy to drop privileges to (the "user" and "group" lines in the global section of the config below must name this account):

[root@ravi.com ~]# useradd haproxy

cp /path/to/haproxy-1.3.19/examples/haproxy.init /etc/init.d/haproxy

chmod +x /etc/init.d/haproxy

Create the /etc/haproxy directory and put the haproxy.cfg config file in it.

mkdir /etc/haproxy

Configure /etc/haproxy/haproxy.cfg

#[root@app71 haproxy]# more haproxy.cfg
global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 25000    # count about 1 GB per 25000 connections
#debug
#quiet
user haproxy    # the unprivileged account created above; haproxy drops root after binding its ports
group haproxy

defaults
log         global
mode        tcp
option      dontlognull
retries 3
option         redispatch
maxconn     20000
contimeout      5000
clitimeout      50000
srvtimeout      50000

#Configuration for www.ravi.com
listen VIP:www.ravi.com:10.0.0.77:80
bind            10.0.0.77:80    # or any other IP:port combination we listen to.
bind            10.0.0.77:443   # TLS is NOT terminated here: in tcp mode haproxy passes the encrypted stream through, so each backend must serve its own certificate on 443.
mode            tcp
option          ssl-hello-chk   # the health check sends an SSLv3 client hello to the check port; add "port 443" to the server lines if the check should target the TLS service.
option          forwardfor      # NOTE: no effect in tcp mode; haproxy cannot insert X-Forwarded-For into a TCP/TLS stream, so backends must not trust that header here.
balance         roundrobin
# set the maxconn parameter below to match Apache's MaxClients minus
# one or two connections so that you can still connect to Apache directly.
# "check" enables health checks so that a down server shows up on the stats page.
# Server weights: normally 1 for all.
# No port on the server address means haproxy connects to the same port the client used (80 -> 80, 443 -> 443).
server          app139:10.0.1.209:80 10.0.1.209 weight 1 maxconn 5000 check
server          app140:10.0.1.210:80 10.0.1.210 weight 1 maxconn 5000 check

listen VIP:www.ravi.com:10.0.0.77:8080
bind            10.0.0.77:8080    # or any other IP:port combination we listen to.
mode            http
option          forwardfor    # http mode, so this really does set the client's IP in X-Forwarded-For.
balance         roundrobin
# set the maxconn parameter below to match Apache's MaxClients minus
# one or two connections so that you can still connect to Apache directly.
# "check" enables health checks so that a down server shows up on the stats page.
# Server weights: normally 1 for all.
server          app127:10.0.1.227:8080 10.0.1.227 weight 1 maxconn 5000 check

# Enable the stats page on a dedicated port (8088). It shows request and error counters
# per frontend and backend, which helps spot floods and scans, but it also reveals backend
# addresses and load, so keep 10.0.0.77:8088 reachable from the admin network only.
listen  ha_stats 10.0.0.77:8088
mode            http
stats enable
stats auth user:password    # HTTP basic auth, sent in cleartext; replace this placeholder before deployment
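A lint for the config above, as an added example written for this page (it is not HAProxy's own tooling). It reads a haproxy.cfg, follows the 1.3 section layout the page uses (global, defaults, listen), tracks the effective mode of each section and flags the three things a reviewer would question in the file above: "option forwardfor" in a tcp section (HAProxy cannot insert a header into a TCP stream, so a backend that trusts X-Forwarded-For sees nothing), port 443 bound in tcp mode (TLS passthrough, the backends terminate TLS) and a stats page left on the placeholder credentials. The embedded config is a constructed, shortened copy of the page's file; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article and not HAProxy's own
# tooling: a small awk lint for the haproxy.cfg above. It follows the 1.3
# section layout the page uses (global / defaults / listen), tracks the
# effective mode of every listen section and flags settings whose effect
# differs from what the inline comments claim.

# Constructed, shortened copy of the config on this page.
SAMPLE_CFG='global
user haproxy
group haproxy

defaults
mode        tcp
retries 3

#Configuration for www.ravi.com
listen VIP:www.ravi.com:10.0.0.77:80
bind            10.0.0.77:80    # or any other IP:port combination we listen to.
bind            10.0.0.77:443
mode            tcp
option          ssl-hello-chk
option          forwardfor    # set the client IP in X-Forwarded-For.
balance         roundrobin
server          app139:10.0.1.209:80 10.0.1.209 weight 1 maxconn 5000 check

listen VIP:www.ravi.com:10.0.0.77:8080
bind            10.0.0.77:8080
mode            http
option          forwardfor
server          app127:10.0.1.227:8080 10.0.1.227 weight 1 maxconn 5000 check

listen  ha_stats 10.0.0.77:8088
mode            http
stats enable
stats auth user:password ##Auth user pass'

# lint_cfg CONFIG_TEXT: prints one finding per line as "<section>: <finding>"
lint_cfg() {
    printf '%s\n' "$1" | awk '
    # report the findings for the section that just ended
    function flush(   m) {
        if (name == "") return
        m = (mode != "") ? mode : defmode
        if (m == "tcp" && fwd)
            print name ": option forwardfor has no effect in tcp mode, backends must not trust X-Forwarded-For"
        if (m == "tcp" && bind443)
            print name ": port 443 bound in tcp mode is TLS passthrough, backends must terminate TLS themselves"
        if (stats && auth == "")
            print name ": stats page enabled without stats auth"
        if (stats && auth == "user:password")
            print name ": stats auth still uses the placeholder credentials"
    }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "global" || $1 == "defaults" || $1 == "listen" {
        flush()
        sec = $1; name = ($1 == "listen") ? $2 : $1
        mode = ""; fwd = 0; bind443 = 0; stats = 0; auth = ""
        if ($1 == "listen" && $3 ~ /:443$/) bind443 = 1   # address given on the listen line itself
        next
    }
    $1 == "mode" { if (sec == "defaults") defmode = $2; else mode = $2 }
    $1 == "option" && $2 == "forwardfor" { fwd = 1 }
    $1 == "bind" && $2 ~ /:443$/ { bind443 = 1 }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth" { auth = $3 }
    END { flush() }'
}

# Usage: sh haproxy-lint.sh /etc/haproxy/haproxy.cfg
case $# in 1) lint_cfg "$(cat "$1")" ;; esac
```

Run against the page's config it reports two findings for the tcp listener on port 80/443 and one for ha_stats; the 8080 listener is clean because it really is in http mode. A section that sets no "mode" of its own inherits the one from "defaults", which is why the lint tracks both.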

Edit /etc/sysctl.conf, add the following at the end of the file, then run "sysctl -p" to load the settings

net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65023
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 400000
net.core.somaxconn = 10000

Validate the file first with "haproxy -c -f /etc/haproxy/haproxy.cfg", then start haproxy with "/etc/init.d/haproxy start" (or directly: /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid)

Configuring logging

HAProxy sends its log lines to syslog over UDP (the "log 127.0.0.1" lines in the global section), so syslogd has to accept network messages. Edit /etc/sysconfig/syslog:

SYSLOGD_OPTIONS="-m 0 -r"

"-m 0" disables the periodic mark lines; "-r" makes sysklogd listen on UDP port 514 on every interface, not just loopback. Block that port from anything except 127.0.0.1 in the firewall, otherwise any host that can reach the load balancer can inject forged lines into these logs or fill the disk.

Create /var/log/haproxy (syslogd does not create directories), then edit /etc/syslog.conf and add the following:

local0.*    /var/log/haproxy/haproxy.log
local1.*    /var/log/haproxy/haproxy-1.log

Restart syslog

service syslog restart

Now check with

ps auxwww | grep haproxy

Thanks

Ravi