
Interview Questions on Linux Servers

1. How can you create a passwordless connection between multiple Linux machines?
How to create a password less authentication for ssh in Linux?

2. What types of authentication can be used for an ssh connection to a host?
RSA and DSA authentication

3. What is the difference between A record and CNAME record in BIND DNS servers?
What is the difference between DNS A and CNAME record?

4. How will you restrict anonymous users from accessing your FTP server?
Set anonymous_enable=NO inside vsftpd.conf

5. How does a DNS lookup work when you type a URL into the browser?
What happens in the backend when you type a URL into the browser?

6. What is the command to check quota values for any user?
# repquota /partition/path | grep username

7. How many types of virtual hosting are there in Apache?
There are 3 types of virtual hosting in Apache:

  1. Port based
  2. Hostname based
  3. IP based

8. What are the port numbers for DNS, DHCP, SMTP, POP3 and IMAP (with and without SSL)?
DNS                 53
DHCP                67
SMTP with SSL       465, 567
SMTP without SSL    25
POP3 with SSL       995
POP3 without SSL    110
IMAP with SSL       943
IMAP without SSL    143

9. What is the default port for ssh? How will you change it to some other random port number?
The default SSH port is 22.
To change it, edit the line below in sshd_config:
#Port 22
(Uncomment the above line and define the new port number.)

Restart the service for the change to take effect.

10. Which command do you use to download a file from ftp or http website using CLI?
# wget path_to_the_file

11. How do you disable root login via ssh?
Uncomment the line below in sshd_config and set it to "no":
#PermitRootLogin yes

12. What if I have made an entry for a host in both hosts.allow and hosts.deny on my localhost? Will that remote host be allowed to connect to my machine? Explain.
Yes, the host will be allowed to connect, because a specific order is followed before allowing or blocking any host/service:

Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
Otherwise, access will be granted.


What is virtual memory, paging and swap space?

Virtual memory is a memory management technique, implemented using both hardware and software, which gives an application program the impression that it has contiguous working memory (an address space).

In simple terms, virtual memory is the logical combination of RAM and swap space that is used by running processes.

NOTE: It is NOT just additional space on the hard disk that is made to act as physical memory.

Paging
This is a memory management scheme by which a computer stores and retrieves data from secondary storage for use in main memory.

Swap space
This is a space on the hard disk which the operating system uses to store data pages that are currently not needed. Swap space can be a partition as well as a swap file.

Swapping
A process normally runs in physical memory, where the memory is divided into sets of pages. A page is a 4 KB area of memory and is the basic unit of memory with which both the kernel and the CPU deal.

There might be a situation where all the pages in physical memory are in use. In such cases the inactive pages in physical memory are shifted to secondary storage (the swap space) using the paging technique. This frees pages in physical memory which can again be used by new processes. This entire process is termed swapping.

NOTE: Swapping is a good idea as it gives you additional space to store data files and programs when your physical memory is out of space, but accessing a hard disk is a hundred times slower than accessing memory.


Amount of RAM in the System     Recommended Amount of Swap Space
4GB of RAM or less              a minimum of 2GB of swap space
4GB to 16GB of RAM              a minimum of 4GB of swap space
16GB to 64GB of RAM             a minimum of 8GB of swap space
64GB to 256GB of RAM            a minimum of 16GB of swap space
256GB to 512GB of RAM           a minimum of 32GB of swap space

How to auto start service after reboot in Red Hat Linux?

You can run the command below to auto-start a service after reboot:
# chkconfig service_name on
But the above command will enable the service only for the current runlevel, so I always prefer the command below:
# chkconfig --level 35 service_name on
Using the --level argument you can select the runlevels on which you want your service to run.

To view all the services currently enabled to start after reboot

The command below will show all the services enabled for runlevels 3 and 5:
# chkconfig --list | awk '{print $1"\t\t", $5 , $7}' | grep on
acpid            3:on 5:on
anacron          3:on 5:on
atd              3:on 5:on
auditd           3:on 5:on
cimlistenerd     3:on 5:on
cimserverd       3:on 5:on
cpuspeed         3:on 5:on
crond            3:on 5:on
dcerpcd          3:on 5:on
eventlogd        3:on 5:on
haldaemon        3:on 5:on


How to check all the currently running services in Linux


To find the status of a single service
# service vsftpd status
vsftpd (pid 5909) is running...

To get the status of all running services
# service --status-all | grep running
acpid (pid 5310) is running...
atd (pid  6528) is running...
auditd (pid  5012) is running...
Avahi daemon is not running
Avahi DNS daemon is not running
The Pegasus CIM Listener is running.
The Pegasus CIM Object Manager is running.
crond (pid  6242) is running...
dcerpcd (pid  5177) is running...
eventlogd (pid  5223) is running...

If you don't use grep you will see all the services on your machine, running or not
# service --status-all
NetworkManager is stopped
acpid (pid 5310) is running...
anacron is stopped
atd (pid  6528) is running...
auditd (pid  5012) is running...
automount is stopped
Avahi daemon is not running
Avahi DNS daemon is not running
hcid is stopped
sdpd is stopped

You can also check the listening ports along with the services that own them using
# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:52961         0.0.0.0:*           LISTEN      5223/eventlogd
tcp        0      0 0.0.0.0:5988          0.0.0.0:*           LISTEN      6116/cimserver
tcp        0      0 0.0.0.0:5989          0.0.0.0:*           LISTEN      6116/cimserver
tcp        0      0 0.0.0.0:678           0.0.0.0:*           LISTEN      5160/rpc.statd
tcp        0      0 0.0.0.0:14247         0.0.0.0:*           LISTEN      6460/java
tcp        0      0 127.0.0.1:199         0.0.0.0:*           LISTEN      5857/snmpd
tcp        0      0 0.0.0.0:135           0.0.0.0:*           LISTEN      5177/dcerpcd
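The netstat output above is what you review when checking which services are reachable over the network. As an added example (not part of the original article), the Python script below parses such output and flags listeners bound to a non-loopback address, i.e. the sockets reachable from other machines; everything bound to 127.0.0.1 (snmpd above) is left out. The sample output is constructed for the example from the lines shown above, and the allow-list of expected ports is an assumption you would fill in for your own host.

```python
# Constructed sample, modelled on the `netstat -ntlp` output shown above.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:52961         0.0.0.0:*           LISTEN      5223/eventlogd
tcp        0      0 0.0.0.0:5988          0.0.0.0:*           LISTEN      6116/cimserver
tcp        0      0 127.0.0.1:199         0.0.0.0:*           LISTEN      5857/snmpd
tcp        0      0 0.0.0.0:135           0.0.0.0:*           LISTEN      5177/dcerpcd
"""


def parse_listeners(output):
    """Return one dict per LISTEN socket: proto, bind address, port, pid, program."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        # header lines and non-listening sockets have a different shape
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)          # works for ":::22" as well
        pid, _, program = parts[6].partition("/")     # "-" when netstat lacks permission
        listeners.append({
            "proto": parts[0],
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            "program": program,
        })
    return listeners


def exposed_listeners(output, allowed_ports=frozenset()):
    """Listeners reachable from other hosts (not bound to loopback) and not on the allow-list.

    allowed_ports is an assumed per-host list of ports you expect to be open;
    anything returned here deserves a look at the owning program.
    """
    loopback = ("127.", "::1")
    return [l for l in parse_listeners(output)
            if not l["addr"].startswith(loopback) and l["port"] not in allowed_ports]


if __name__ == "__main__":
    for l in exposed_listeners(NETSTAT_OUTPUT, allowed_ports={5988}):
        print(f"{l['proto']} {l['addr']}:{l['port']} pid={l['pid']} program={l['program']}")
```

On a live system you would feed the script the real output (`netstat -ntlp | python3 script.py` after swapping the constant for `sys.stdin.read()`); the loopback-only check is what separates "a service is running" from "a service is exposed".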


What are the S and K scripts in the /etc/rcX.d directories?

To understand this you need a brief knowledge of the boot procedure of a Linux machine.

Running all the scripts under /etc/rc.d is the last step of successfully booting a Linux OS.
In the 5th step the /etc/inittab file is read, which tells the OS to boot into the runlevel defined in that config file:
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

As you can see above, my Linux machine will boot into runlevel 3. So in the next and last step the OS will execute all the scripts stored under /etc/rc3.d, where rc3.d is the directory for runlevel 3.

Similarly you will find one directory for each runlevel, from rc0.d to rc6.d.

All these directories contain executable scripts which have to be run at boot-up of the Linux OS.

If you look inside this directory, you will find scripts like those shown below:
lrwxrwxrwx 1 root root 16 Feb 16  2010 K10psacct -> ../init.d/psacct
lrwxrwxrwx 1 root root 15 Sep 10  2010 K15httpd -> ../init.d/httpd
lrwxrwxrwx 1 root root 13 Sep 10  2010 K20nfs -> ../init.d/nfs
lrwxrwxrwx 1 root root 14 Feb 16  2010 K25sshd -> ../init.d/sshd
lrwxrwxrwx 1 root root 17 Feb 16  2010 K30postfix -> ../init.d/postfix
lrwxrwxrwx 1 root root 19 Oct 12  2010 S20eventlogd -> ../init.d/eventlogd
lrwxrwxrwx 1 root root 16 Jan 28  2013 S21lsassd -> ../init.d/lsassd
lrwxrwxrwx 1 root root 20 Sep 10  2010 S22messagebus -> ../init.d/messagebus

As you can see, all the scripts are nothing but symlinks pointing to their original scripts in another directory.

All the scripts start with either S or K. Now what does this mean?
Here S means start and K means kill.

The numerical value specifies the order in which the scripts will be executed.

For example,
S20eventlogd will be executed before S21lsassd when the OS boots; similarly K10psacct will be executed before K15httpd when the system starts to shut down.
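To make the ordering rule concrete, here is an added example (not from the original article) in Python: it parses an `ls -l` listing of an rcX.d directory like the one above, and reproduces the sequence in which init would invoke the linked scripts, S links with the `start` argument in ascending numeric order at boot, K links with `stop` in ascending numeric order on shutdown. The listing is constructed for the example from the entries shown above.

```python
import re

# Constructed listing modelled on the /etc/rc3.d entries shown in the article.
RC3_D_LISTING = """\
lrwxrwxrwx 1 root root 16 Feb 16  2010 K10psacct -> ../init.d/psacct
lrwxrwxrwx 1 root root 15 Sep 10  2010 K15httpd -> ../init.d/httpd
lrwxrwxrwx 1 root root 13 Sep 10  2010 K20nfs -> ../init.d/nfs
lrwxrwxrwx 1 root root 14 Feb 16  2010 K25sshd -> ../init.d/sshd
lrwxrwxrwx 1 root root 17 Feb 16  2010 K30postfix -> ../init.d/postfix
lrwxrwxrwx 1 root root 19 Oct 12  2010 S20eventlogd -> ../init.d/eventlogd
lrwxrwxrwx 1 root root 16 Jan 28  2013 S21lsassd -> ../init.d/lsassd
lrwxrwxrwx 1 root root 20 Sep 10  2010 S22messagebus -> ../init.d/messagebus
"""

# S or K, a two-digit sequence number, the service name, then the symlink target.
LINK_RE = re.compile(r"(?:^|\s)([SK])(\d{2})(\S+)\s+->\s+(\S+)$")


def parse_rc_dir(listing):
    """Return (action, order, service, target) for every S/K symlink in the listing."""
    entries = []
    for line in listing.splitlines():
        m = LINK_RE.search(line.strip())
        if not m:
            continue                       # not an S/K link (e.g. a stray regular file)
        action, order, name, target = m.groups()
        entries.append((action, int(order), name, target))
    return entries


def _ordered(listing, action, argument):
    # Lowest number runs first; equal numbers fall back to alphabetical order.
    chosen = [e for e in parse_rc_dir(listing) if e[0] == action]
    chosen.sort(key=lambda e: (e[1], e[2]))
    return [f"{target} {argument}" for _, _, _, target in chosen]


def boot_sequence(listing):
    """Commands init runs when entering the runlevel: S links with 'start'."""
    return _ordered(listing, "S", "start")


def shutdown_sequence(listing):
    """Commands init runs when leaving the runlevel: K links with 'stop'."""
    return _ordered(listing, "K", "stop")


if __name__ == "__main__":
    print("boot:    ", *boot_sequence(RC3_D_LISTING), sep="\n  ")
    print("shutdown:", *shutdown_sequence(RC3_D_LISTING), sep="\n  ")
```

Run against a real directory with `ls -l /etc/rc3.d` as input; a service that appears as both S and K in the same runlevel, or a link whose target no longer exists, is the kind of inconsistency this makes easy to spot.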

Why are symlinks used rather than putting the scripts inside these directories?
Because of the following two reasons:
1. You would have to put the same script in each runlevel directory rcX.d.
2. Even if you were willing to do step 1, you would not be able to define the order in which the scripts are executed during startup and shutdown.

IMPORTANT NOTE: This is one good interview question: you might be asked for the default location of all the rcX.d scripts.
Ans: /etc/rc.d/init.d or /etc/init.d, as init.d inside /etc is just a symlink to /etc/rc.d/init.d

How to log iptables messages in a different log file

Generally all messages from info to error level are logged in /var/log/messages, but this makes it hard to pick out particular entries from the long list of logs in that file.

To separate the iptables related logs into a different file, follow the procedure below.
NOTE: For RHEL 6 the file name is rsyslog.conf

To log all the iptables related messages
# vi /etc/syslog.conf
# Log all kernel messages to firewall.log.
kern.*                                                          /var/log/firewall.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# Don't log any kernel related messages
*.info;mail.none;authpriv.none;cron.none;kern.none                /var/log/messages

To log warning level (and higher) iptables messages
# Log kernel warnings to firewall-warn.log.
kern.warn                                                 /var/log/firewall-warn.log

To log all the messages from info level to error level
kern.info;kern.!crit          /var/log/firewall.log

To log the messages in different files according to their severity level
kern.*                       /var/log/iptables.log
kern.crit                    /var/log/iptables-crit.log
kern.info                    /var/log/iptables-info.log
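The selectors above are easy to misread: a plain priority such as `kern.info` means "info and everything more severe", `kern.!crit` removes crit and above from what the earlier terms selected, and `kern.none` drops the facility entirely. As an added example (not part of the original article), the Python below implements that evaluation for a small constructed syslog.conf combining the rules shown above and reports which files a kernel (iptables) message of a given level would land in.

```python
# syslog priorities from least to most severe; a plain selector means "this level and above"
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed configuration combining the rules shown in the article.
SYSLOG_CONF = """\
# Log all kernel messages to firewall.log.
kern.*                                       /var/log/firewall.log
# Everything of level info or higher, except mail, authpriv, cron and kernel.
*.info;mail.none;authpriv.none;cron.none;kern.none   /var/log/messages
# Kernel messages from info up to, but not including, crit.
kern.info;kern.!crit                         /var/log/firewall-info.log
"""


def level_index(name):
    return LEVELS.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return (selector, action) pairs, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, level):
    """Evaluate 'fac.pri;fac.pri;...' the way syslogd does: later terms override earlier ones."""
    matched = False
    for term in selector.split(";"):
        facs, pri = term.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue                                   # term is about another facility
        if pri == "none":
            matched = False                            # drop this facility completely
        elif pri == "*":
            matched = True
        elif pri.startswith("!"):
            # '!crit' excludes crit and everything more severe
            if level_index(level) >= level_index(pri[1:]):
                matched = False
        elif pri.startswith("="):
            matched = level_index(level) == level_index(pri[1:])   # exactly this level
        else:
            if level_index(level) >= level_index(pri):
                matched = True                         # this level or more severe
    return matched


def route(facility, level, conf=SYSLOG_CONF):
    """List the log files a message with this facility and level is written to."""
    return [action for selector, action in parse_conf(conf)
            if selector_matches(selector, facility, level)]


if __name__ == "__main__":
    for lvl in LEVELS:
        print(f"kern.{lvl:<8} -> {route('kern', lvl)}")
```

Running the block prints the destination for every kernel priority; note that a kern.crit message goes only to firewall.log, while kern.debug never reaches /var/log/messages because `*.info` already excludes it before `kern.none` is even considered.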

For more information on severity levels of syslog follow the below link
SYSLOG Tutorial

Once done, restart the syslog service
For RHEL 6
# service rsyslog restart
For RHEL 5 or older
# service syslog restart
Please let me know your successes and failures.

What is swappiness and how do we change its value?

It is a feature in Linux which controls the degree to which the kernel prefers to swap when freeing memory. It can be set to values on a scale from 0 to 100. A low value means the kernel will try to avoid swapping as much as possible, unless there is almost no free RAM left for any new process. On the other side, a higher value forces the kernel to aggressively swap out pages from physical memory.

The default value for Linux machines is 60. Using a higher value will affect the system negatively, as accessing the hard disk (swap space) for each and every request by an application program is very slow compared to doing the same from physical memory. So transferring active pages to swap space aggressively should be avoided.

To check the current swappiness value
$ cat /proc/sys/vm/swappiness
60

To change the value
# echo 40 > /proc/sys/vm/swappiness
To make the change take effect
# sysctl -p
Verify the new parameter
# sysctl -a | grep swappiness
vm.swappiness = 40


What is the difference between "su" and "su -" ?

If we check the man page for su:
su - run a shell with substitute user and group IDs

which means that if you use
# su -
you are switching to the root user and asking the system to set all the environment variables applicable to root and take you to root's home directory.

Using su - is the same as logging into a fresh session on a terminal.

For example
[deepak@server ~]$ pwd
/home/deepak

[deepak@server ~]$ echo $PATH
/usr/bin:/usr/sbin:/usr/local/bin:/bin:/usr/bin:/home/deepak/bin

[deepak@server ~]$ sudo su -
[root@server ~]# pwd
/root

[root@server deepak]# echo $PATH
/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

But when you type only su, without the dash (-), the session is switched to root (if no username is given along with the su command) without applying any of the root user's environment variables.

Also, the new user stays in the same directory he was in before running su:
[deepak@server ~]$ echo $PATH
/usr/bin:/usr/sbin:/usr/local/bin:/bin:/usr/bin:/home/deepak/bin

[deepak@server ~]$ pwd
/home/deepak

[deepak@server ~]$ sudo su
[root@server deepak]# pwd
/home/deepak

[root@server deepak]# echo $PATH
/usr/bin:/usr/sbin:/usr/local/bin:/bin:/usr/bin:/home/deepak/bin


I hope I made myself clear.




Understanding Kernel-PAE in Linux

The Physical Address Extension (PAE) is a feature implemented in modern x86 processors. PAE extends memory addressing capabilities, allowing more than 4 GB of random access memory (RAM) to be used.

NOTE: All Linux machines with a kernel version above 2.3.23 support the PAE kernel.

From Wikipedia:
With PAE, IA-32 architecture is augmented with additional address lines used to select the additional memory, so physical address size increases from 32 bits to 36 bits. This increases the physical memory addressable by the system from 4 GB to 64 GB. The 32-bit size of the virtual address is not changed, so regular application software continues to use instructions with 32-bit addresses and (in a flat memory model) is limited to 4 gigabytes of virtual address space. Operating systems supporting this mode use page tables to map the regular 4 GB address space into the physical memory, which depending on the operating system may be as big as 64 GB. The mapping is typically applied separately for each process, so that the extra memory is useful even though no single regular application can access it all simultaneously.

You can verify whether your processor supports PAE using the command below
$ cat /proc/cpuinfo | grep flags | grep pae

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc ida nonstop_tsc pni ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm

If you see no output it means PAE is not supported by your processor, as you need to look for "pae" under flags.

How to upgrade your kernel to kernel-PAE?
Upgrading kernel to kernel-PAE in Linux


Why is Linux more secure than windows and any other OS?

We often hear people around us claiming that Linux is much more secure than Windows, or simply that Linux is very secure.

But what are the things in Linux that make it more secure than Windows or any other operating system?

Here I will try to throw some light on some of the security features which I know in Linux, and which I believe add up to the construction of a much more secure wall around the Linux operating system.

1. Execshield
ExecShield is designed to prevent security breaches caused by software programs, such as worms and viruses, written to crawl through the Internet looking for systems with common vulnerabilities. It is enabled in the kernel and works in a way that is non-intrusive to the user.

Its goal is not to defend against the expert hacker who has broken into your local network, or an employee inside the company who already has access to parts of the network; instead its goal is to protect against intruders using scripts that look for vulnerabilities in the way a program running with root privileges is written.

For more on Execshield follow the below link
Prevent security breaches with Execshield

2. SElinux (Security Enhanced Linux)
SELinux is an implementation of a flexible mandatory access control architecture in the Linux operating system. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement(R), Role-Based Access Control, and Multi-Level Security.

SELinux can potentially control which activities a system allows each user, process and daemon, with very precise specifications. However, it is mostly used to confine daemons like database engines or web servers that have more clearly-defined data access and activity rights. This limits potential harm from a confined daemon that becomes compromised. Ordinary user-processes often run in the unconfined domain, not restricted by SELinux but still restricted by the classic Linux access rights.

3. IPtables
With the enhanced features available in IPtables you can implement a greater level of security for your Linux machine.

IPtables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

For more information on iptables please follow the below link
iptables tutorials for Linux I
iptables tutorial for Linux II

4. PAM (Pluggable Authentication Modules)
Linux-PAM is a system of libraries that handle the authentication tasks of applications (services) on the system.  The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users.

Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication management; password management; and session management.

account - provides account verification types of service: has the user's password expired? Is this user permitted access to the requested service?

authentication - authenticates a user and sets up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be, please enter your password.

password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

session - this group of tasks covers things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and a closing hook for modules to affect the services available to a user.

5. Audit
The 2.6 Linux kernel has the ability to log events such as system calls and file access. These logs can then be reviewed by the administrator to determine possible security breaches such as failed login attempts or a user failing to access system files. This functionality is called the Linux Auditing System.

auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl.

For more information please follow the below link
Using audit in Linux to track changes

These are some of the front-line security features available in Linux for better security. I would be glad if someone would like to review this article or add any missing points.

Apart from these there are numerous options which can be used to enhance the security level of your Linux machine. I will be discussing them in a different article.

15 tips to enhance security of your Linux Server

It is not possible for me to tell you about all the possible features, because that is beyond my knowledge, but I will try to put down everything I know that can be used to make sure your Linux server's security is not compromised.

1. hosts.allow and hosts.deny
These two files are explicitly used in corporate environments to grant and deny access accordingly.

Now manually allow the list of hosts and services which can communicate with your machine.

In the file below you are giving the subnet ranges of IPs which are allowed to communicate with your machine; all others would be denied
# cat /etc/hosts.allow
# localhost
ALL: 127.0.0.1: umask 077: allow
ALL : 192.168.0.0/255.255.255.0: umask 077: allow
ALL : 10.0.0.0/255.0.0.0: umask 077: allow
ALL : 172.168.0.0/255.255.255.0: umask 077: allow

If you have an internal DNS domain like example.com

Here you are allowing all the machines in the example.com domain
# cat /etc/hosts.allow
ALL: .example.com

Deny all other connections from any other host in the hosts.deny file
# cat /etc/hosts.deny
ALL: ALL: deny
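The decision order behind these two files is also the answer to question 12 in the interview post earlier on this page: hosts.allow is consulted first, then hosts.deny, and a pair that matches neither is granted access. As an added example serving both passages (not from the original article), the Python below parses entries in the `daemon_list : client_list [: option ...]` form shown above and returns the access decision for one connection attempt; it understands ALL, a literal address, a net/mask range and a leading-dot domain suffix, and honours an explicit `allow`/`deny` option the way hosts_options does. The file contents and client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample files, modelled on the entries shown in the article.
HOSTS_ALLOW = """\
# localhost
ALL: 127.0.0.1: umask 077: allow
ALL : 192.168.0.0/255.255.255.0: umask 077: allow
sshd : .example.com
"""

HOSTS_DENY = """\
ALL: ALL: deny
"""


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemons, clients, options) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].split()
        clients = fields[1].split()
        options = [o.lower() for o in fields[2:]]     # e.g. ["umask 077", "allow"]
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and IP address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                        # domain suffix, e.g. .example.com
        return host is not None and host.endswith(pattern)
    if "/" in pattern:                                 # net/mask, e.g. 192.168.0.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == addr or pattern == host          # literal address or hostname


def first_match(rules, daemon, host, addr):
    """Options of the first rule matching the (daemon, client) pair, or None if no rule matches."""
    for daemons, clients, options in rules:
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(client_matches(p, host, addr) for p in clients):
            return options
    return None


def hosts_access(daemon, addr, host=None, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the tcp_wrappers decision order to one connection attempt: 'allow' or 'deny'."""
    for text, file_decision in ((allow_text, "allow"), (deny_text, "deny")):
        options = first_match(parse_rules(text), daemon, host, addr)
        if options is not None:
            # an explicit allow/deny option overrides the file the rule appears in
            if "deny" in options:
                return "deny"
            if "allow" in options:
                return "allow"
            return file_decision
    return "allow"   # matched nothing in either file: access is granted
```

The case from the interview question, a client listed in both files, comes out as "allow" because the hosts.allow match is found first and the lookup stops there; the only way to deny such a client is to remove it from hosts.allow (or attach a `deny` option to its entry).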


2. IPtables
In IPtables we have 3 chains: INPUT, OUTPUT and FORWARD. By default all incoming connections from any host or any service are allowed, as shown below
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet

which is not a good idea in all cases. So it is always a good idea to block all incoming connections and allow the required hosts/services manually using iptables

You can manually BLOCK all incoming connections
# iptables -P INPUT DROP
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet

You can do the same for all the 3 chains in mangle table
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

For more information on iptables follow the below links
Basic iptables tutorials I
Basic iptables tutorials II


3. Separate log file for iptables
Prefer separate log files for all iptables related logs, as /var/log/messages can get flooded with unnecessary info messages, reducing the chance of noticing important kernel/iptables related logs

Follow the subsection Logging in the below link for more information
Basic iptables tutorials II


4. SElinux
Always keep SELinux in enforcing mode. It can sometimes become tricky to add the extra rules needed for SELinux to allow certain services, but it is always good practice to improve the security level for services like DNS, Apache, FTP etc.
$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


5. Separate partitions
It is always a good exercise to create separate partitions for different filesystems.
For example:
/dev/mapper/VolGroup00-root
                      4.4G  3.3G  879M  80% /
/dev/mapper/VolGroup00-var
                      3.0G  2.1G  740M  74% /var
/dev/mapper/VolGroup00-home
                      1.5G  804M  578M  59% /home
/dev/sda1              99M   26M   69M  28% /boot
tmpfs                 502M     0  502M   0% /dev/shm
/dev/mapper/VolGroup00-opt
                      2.0G  294M  1.6G  16% /opt
/dev/mapper/Applications-tmp
                      512M  224K  512M   1% /tmp
/dev/mapper/VolGroup00-usr
                      756M  407M  312M  57% /usr

Advantages:

  • In case of any accident only one of your partitions is likely to suffer the damage, and all other partitions have a higher probability of being saved or recovered.
  • Individual permissions can be allotted to users for the various partitions as per their work
  • Partition size can be increased/decreased whenever required (possible when partitions are created using LVM)
  • Important data can be isolated in a different partition and backed up separately
  • Third party software can be installed inside /opt without disturbing the files in other partitions (as per the user policy implemented and packages to be installed)


5. Do not share the root password
In a corporate environment always encourage users to log in using their own credentials even though they have full sudo access, because that way it is easier to keep track of any system changes made by an individual user to critical data.
# cat /var/log/secure
Jan 29 23:42:58 server1 sshd[23768]: Accepted keyboard-interactive/pam for deepak from 172.18.249.167 port 64883 ssh2
Jan 29 23:42:58 server1 sshd[23768]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
Jan 30 00:26:41 server1 sshd[24695]: Accepted publickey for user1 from 10.26.1.143 port 54641 ssh2
Jan 30 00:26:41 server1 sshd[24695]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jan 30 01:41:24 server1 unix_chkpwd[26197]: check pass; user unknown
Jan 30 01:41:24 server1 unix_chkpwd[26197]: password check failed for user (deepak)
Jan 30 01:41:24 server1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/96 ruser= rhost=  user=deepak
Jan 30 01:41:26 server1 sudo: deepak : TTY=pts/96 ; PWD=/home/deepak ; USER=root ; COMMAND=/bin/cat /var/log/secure
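The log excerpt shows why named accounts matter: each ssh login is tied to a user and a source address, and every sudo command is tied to the invoking user. As an added example (not part of the original article), the Python below summarizes such /var/log/secure lines: accepted logins per user and method, sudo authentication failures per user, the commands run through sudo, and any direct root logins, which are exactly the sessions that break this accountability. The sample lines are constructed for the example from the excerpt above, plus one constructed root login to show the check firing.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/secure excerpt above; the last line is added
# to show what a direct root login looks like.
SECURE_LOG = """\
Jan 29 23:42:58 server1 sshd[23768]: Accepted keyboard-interactive/pam for deepak from 172.18.249.167 port 64883 ssh2
Jan 29 23:42:58 server1 sshd[23768]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
Jan 30 00:26:41 server1 sshd[24695]: Accepted publickey for user1 from 10.26.1.143 port 54641 ssh2
Jan 30 01:41:24 server1 unix_chkpwd[26197]: password check failed for user (deepak)
Jan 30 01:41:24 server1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/96 ruser= rhost=  user=deepak
Jan 30 01:41:26 server1 sudo: deepak : TTY=pts/96 ; PWD=/home/deepak ; USER=root ; COMMAND=/bin/cat /var/log/secure
Jan 30 01:45:02 server1 sshd[24800]: Accepted password for root from 10.26.1.150 port 50122 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_FAIL_RE = re.compile(r"sudo: pam_unix\(sudo:auth\): authentication failure;.*\buser=(\S+)")
SUDO_CMD_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def summarize_secure_log(text):
    """Attribute logins and sudo activity to named users; flag direct root logins."""
    report = {
        "logins": [],              # (user, auth method, source address)
        "root_logins": [],         # (auth method, source address) for user root
        "sudo_failures": Counter(),  # invoking user -> failed password attempts
        "sudo_commands": [],       # (invoking user, target user, command)
    }
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            report["logins"].append((user, method, src))
            if user == "root":
                report["root_logins"].append((method, src))
            continue
        m = SUDO_FAIL_RE.search(line)
        if m:
            report["sudo_failures"][m.group(1)] += 1
            continue
        m = SUDO_CMD_RE.search(line)
        if m:
            invoker, target, cmd = m.groups()
            report["sudo_commands"].append((invoker, target, cmd.strip()))
    return report


if __name__ == "__main__":
    r = summarize_secure_log(SECURE_LOG)
    for user, method, src in r["logins"]:
        print(f"login  {user:<8} via {method:<24} from {src}")
    for invoker, target, cmd in r["sudo_commands"]:
        print(f"sudo   {invoker} -> {target}: {cmd}")
    for user, n in r["sudo_failures"].items():
        print(f"failed sudo auth: {user} x{n}")
    for method, src in r["root_logins"]:
        print(f"WARNING direct root login via {method} from {src}")
```

Every command above is traceable to deepak or user1; the final, constructed line is the case the tip warns about, since a shared root password leaves only an IP address to tie the session to a person.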


6. Running services
Always try to prevent unnecessary services from running (especially after reboot).
Disable the services which are not required on your Linux machine.
You can do this using the chkconfig and netstat commands.

For more information please follow the below link
How to check all the currently running services


7. Open ports
Apart from running services you can also check for open ports on the localhost, as well as on the remote machines which are critical in your environment
# nmap localhost
# nmap remote_machine


8. SSH related tweaks
  • Change the default port
Everyone knows that SSH runs on port 22, so if you want to harden security, change the port number to a random number so that it becomes harder to break into your network over ssh
[prasadee@aid-po ~]$ sudo cat /etc/ssh/sshd_config | grep Port
#Port 22
(Uncomment and change the port number, then restart the service)

  • Disable root ssh login
[prasadee@aid-po ~]$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
#PermitRootLogin yes
(Uncomment and change it to "no")

  • Allow individual users to log in
AllowUsers: This keyword can be followed by a list of user name patterns, separated by spaces.

9. Use password expiry
You can use the chage command to set a password expiry date for all users.
To view the expiry related information for a user
# chage -l username

  -d, --lastday LAST_DAY        set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

To assign an expiry
# chage username

10. User account management
Delete or lock any user account which is no longer in use. For example, if a user has left the organization but there are important files in his home directory which are still useful, lock the user account and do not delete it, so that at least all the files under his ownership remain accessible.

The commands below will prevent him from logging in and lock his account
# usermod -L username
or
# usermod -s /sbin/nologin username


11. Audit regularly
The 2.6 Linux kernel has the ability to log events such as system calls and file access. These logs can then be reviewed by the administrator to determine possible security breaches such as failed login attempts or a user failing to access system files. This functionality is called the Linux Auditing System.

You can track a file or directory for any changes made by any user using audit.

The command below will list all the events which have occurred on your Linux machine (successful/failed attempts...)
# aureport
For more information please follow the below link
Using audit in Linux to track all the logs


12. Monitor logs regularly
Apart from using audit you should manually check your logs, especially the kernel related and authentication related ones, to make sure no attempt was made at unauthorized access
# less /var/log/secure

13. Regular Backup
Take regular backups of your critical data or partitions.

Backups can be taken using any of the below options

14. GRUB password
It is always safer to set a password on the GRUB menu during the Linux boot process
# vi /boot/grub/grub.conf
Add an extra parameter as shown below
password example@156

Change the permission of this file to 600 so that only root can access it and no other user
$ ll /boot/grub/grub.conf
-rw------- 1 root root 1160 Jan 21  2011 /boot/grub/grub.conf


15. chattr command
You can protect critical files from accidental deletion by any user. Once the attribute is set on a file, it cannot be edited or deleted by any user, including root, unless the attribute is removed again.

For more details follow the below link
Increase security with extended file attributes

These are just a glimpse of some security features which can be utilized by an organisation for better security. Apart from these there can be many other steps which can be taken to enhance security, but that would again depend upon the type of environment and working parameters.

I would welcome any point from my readers that I missed in my article.


Red Hat Enterprise Linux 5.5 Installation Guide (Screenshots)

Before you start installing Red Hat Linux, you should know the pre-requisites for the same, i.e. the system requirements


System Requirements for Red Hat Linux 5

Parameter     Requirement
CPU Type      Pentium 4 or higher, 2 GHz or higher
Memory/RAM    1 GB minimum, up to the system limit
Hard Disk     4 GB minimum

Follow the screenshots to install Red Hat Linux 5

Insert the RHEL DVD into the machine and boot from it. The page shown below is the first one which comes on the screen.

This is the prompt which can be used to
  • Install using GUI (Graphics Mode)
  • Install using CLI (Text Mode)
  • Upgrade your RHEL version
  • Boot into Rescue Mode
Hit Enter and by default the installation will begin using the GUI setup


The next screen prompts you to verify the content of the DVD used. If you believe the DVD you are using is correct and not corrupt, you can skip this step as I did

As you see in the next step, the anaconda installer starts; it is used to install Red Hat Linux and many other similar OSes like Fedora and CentOS

Click Next to start the installation

Select the preferred language for installation; for me it is English
Select the keyboard layout you are using on your machine (for most people it is US or US International by default)

If you have an authorized installation no. provided by Red Hat, you can enter it in the box shown below. As of now I don't have any such key so I will skip this step

Click YES to format the hard disk

Using the drop-down arrow as shown below you can select the available options for creating partitions

As of now I will go with the "Create custom layout" option

The next screen shows you the available space on the disk along with any other available partitions. In my case I am installing on a fresh machine so it shows all the space as free.

Click on New to create partition

Create the /boot partition as shown below. The expected size of /boot is not more than 200-300 MB, so you can allocate space accordingly

Now again select New and create an LVM partition from all the available hard disk space as shown below. Select the options shown in RED

 Select LVM option

Now a new window will pop up where you can give a Volume Group name as per your requirement.
Next click on Add as shown below to create other LVM partitions such as root, home, var, tmp as per your requirement

Create the required partitions and allocate the space to each partition as shown in below screenshots


Create a swap partition. No mount point is required for it; just select the file system type as swap and allocate the size, for our case 2048 MB


Once done click on Next and move to the next screen

From here there are two methods to configure networking.

  • DHCP method
  • Static method


For DHCP follow the below screenshot
Using DHCP

For static method follow the below screenshots
Using Static I

Using Static II

The next screen will ask for the region where you are installing your server. For me it is INDIA, for which I will select Asia/Kolkata as shown below

Provide a password

Select Customize Now to select the list of rpms you want to include at the time of installation

Select the list of packages from the below shown options


Click Next to start the installation

Once the installation is done, click on Reboot to move ahead with the installation process, as your Linux is not yet completely installed; some initial configuration is still pending

Click on Forward

Accept the License and Agreement

You can enable or disable the firewall using the drop-down menus. You also have the option to allow selected services through the firewall for your server as shown below

You can choose to enable or disable SELinux

If you want you can enable Kdump by checking the below check box

Set the date and time

In this step you can register your server with RHN so that it gets regular updates for all the patches and bug fixes. As of now we will skip registering; I will show you how to do the same from the terminal in my next post.



In this step you can create a user(optional)



Since you made changes to the SELinux settings, the system will reboot for the changes to take effect

After the reboot your system is ready for use


How to register Red Hat Linux with RHN ( Red Hat Network )

I will show you simple steps to register your Red Hat Linux server with Red Hat Network (RHN).

NOTE: This is only possible if you have a valid subscription from Red Hat

Login to your RHEL server and follow the below given steps
# rhn_register
The below screen will pop up. Click on Next


Provide the Red Hat subscription login username and password provided to you by Red Hat

Give a suitable profile name for your machine. By default your hostname will be taken as profile name





This is the last step. Click on Finish.

To verify the changes you can login to your Red Hat Customer Portal. Under the entitlements section you should see the registered system as shown below


To view the available repositories entitled to your machine
[root@test ~]# yum repolist all
Loaded plugins: rhnplugin, security
repo id              repo name                                   status
rhel-debuginfo       Red Hat Enterprise Linux 5Server - x86_64 - disabled
rhel-debuginfo-beta  Red Hat Enterprise Linux 5Server Beta - x86 disabled
rhel-x86_64-server-5 Red Hat Enterprise Linux (v. 5 for 64-bit x enabled: 15,819

Let me know your successes and failures.


How to secure Apache web server in Linux using password (.htaccess)

Here I have provided simple steps to configure your webpage with login authentication, so that you can prevent unauthorized access to your pages on the website.

I have used a Red Hat 6 machine for these commands, so kindly check the same if you plan to use another distribution of Linux.

These are the required directives which have to be placed and used properly inside the main Apache configuration file.

This option will disable reading of the .htaccess file
AllowOverride None
This option will enable reading of the .htaccess file (authentication directives only)
AllowOverride AuthConfig
These specify the authentication file for the required users, and the group file
AuthUserFile /location/of/file
AuthGroupFile /location/of/group

This gives the name which you want to be visible on the login prompt
AuthName "Restricted Area"
NOTE: Create a new .htaccess file inside the directory where you want the authentication. In our case it is inside /var/www.

Create an authentication file inside the directory you want to protect.
# htpasswd  /var/www/.htaccess  username
# htpasswd  /var/www/.htaccess  deepak
New password:
Re-type new password:
Adding password for user deepak

Give appropriate permissions to prevent unauthorized access
# chmod 700 /var/www/.htaccess
Add these lines at the end of the Apache config file
# vi /etc/httpd/conf/httpd.conf
<Directory /var/www/html>
AllowOverride AuthConfig
Order allow,deny
AuthType Basic
AuthName "Login Message on the prompt screen"
AuthUserFile /var/www/.htaccess
Require user deepak
Allow from all
</Directory>

Restart the services
# service httpd restart
Now try to access your page in the browser; you will be prompted for login authentication
http://192.168.0.138
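As an added example that is not part of the original article, the same restriction written so that the password file sits outside the web tree and is readable by the apache service account but nobody else; the `/etc/httpd/conf/htpasswd` path and the root:apache ownership are assumptions for a Red Hat 6 box.

```apache
# /etc/httpd/conf/httpd.conf  (httpd 2.2 syntax, as on Red Hat 6)
#
# Create the file with -c the first time; later users are added without -c:
#   htpasswd -c /etc/httpd/conf/htpasswd deepak
#   chown root:apache /etc/httpd/conf/htpasswd
#   chmod 640 /etc/httpd/conf/htpasswd
# The worker processes run as the apache user. A root-owned file with mode 700
# cannot be opened by them, so every request to the protected area fails with a
# server error instead of a login prompt; 640 with group apache is enough.
<Directory /var/www/html>
    # The directives are kept here, so nothing needs to be overridden from .htaccess
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/httpd/conf/htpasswd
    # Any account in the file; "Require user deepak" pins a single account instead
    Require valid-user
</Directory>
# Basic auth only base64-encodes the credentials, so serve this area over HTTPS.
```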




RHEL: Kernel will not boot, system freeze at 'starting udev'

Error:
The Linux machine does not boot and gets stuck at the udev prompt

Explanation
This is a known bug in Red Hat. Please follow the below link to reach the bug details
Bug 645940 - Kernel will not boot, just sits at 'starting udev'

Clocksource is the name of the new timekeeping subsystem introduced in the Linux 2.6 kernel. In this subsystem there are several clock sources that can be used to read the time. One of them is the tsc clocksource, which uses the time stamp counter that is present on each processor and can be used to track how much time has elapsed. The TSCs on the different processors are not necessarily perfectly in sync with each other, so time can appear to go backward if the TSC is read on one processor and then on another. Early versions of the TSC clock source did not handle this case, which can lead to the guest operating system not responding. Due to the different timing behaviour of running in a virtual machine this is observed more frequently there.



Solution
Append clocksource=acpi_pm to the kernel entry in your grub.conf file as shown in the screenshots below


Follow the screenshots


Press 'e' to go to the edit option


Go to the kernel option and again press 'e' and add the following at the end of the line
clocksource=acpi_pm


Press enter to save and hit 'b' to boot your machine.

Make sure to add this entry to your grub.conf file as well, so the fix survives future boots
# vi /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS Linux Server (2.6.18-238.el5PAE)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-238.el5PAE ro root=LABEL=/ rhgb quiet clocksource=acpi_pm
    initrd /initrd-2.6.18-238.el5PAE.img




How to configure Samba 4 as Secondary Domain Controller

I started reading the Samba4 Join a DC article with the belief that it shows the steps required to configure a backup domain controller for our PDC in Samba 4. (Please correct me if I am wrong.)

But when I studied it in depth I came to the conclusion that it was guiding us to create a secondary domain controller and not a backup DC.

Still I tried to configure the same using the steps provided in that article, and as I believed, I ended up configuring a secondary DC rather than a backup DC.

NOTE: This article guides you to configure secondary domain controller rather than a primary domain controller.

But still I would like to show the steps which I followed and the fixes for the errors which I faced while configuring the same.
Primary DC: 192.168.1.5
Hostname: test.example.com

Secondary DC: 192.168.1.6
Hostname: test1.example.com

So let me assume that you already have a working primary DC. It can be Samba 4 or Windows Server 2008 AD.

Before you start, always make sure to check the pre-requisites

On the primary domain controller (test.example.com)
Verify that the entries in the Kerberos config file on your PDC are as shown below
[root@test ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true

[root@test ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6

On the secondary domain controller (test1.example.com)
Update your resolv.conf with the DNS server as used in your PDC (Primary Domain Controller)
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6

To prepare an SDC (Secondary Domain Controller) you will have to configure Samba 4.1 on your current server as well. These are the steps you need to do; you can follow the below article for configuring Samba 4.1
Samba 4.1 as Active Directory
  1. Download Samba 4.1
  2. Configure
  3. make && make install
  4. Remove /usr/local/samba/etc/smb.conf file
IMPORTANT NOTE: Do not run the provision step for Samba 4.1

Run the below command as root
[root@test1 samba-4.1.4]# samba-tool domain join example.com DC -Uadministrator --realm=example.com
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLE\administrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
VFS connect failed!
Join failed - cleaning up
checking sAMAccountName
Deleted CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1172, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 1076, in do_join
ctx.join_provision()
File "/usr/local/samba/lib/python2.6/site-packages/samba/join.py", line 727, in join_provision
use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2052, in provision
raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
In the first attempt I got the above error
Error:
Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
There are two solutions for this

Solution 1:
Your filesystem does not support ACLs, so you will have to remount your filesystem with the acl and user_xattr parameters

Make sure these two rpms are installed on your server
[root@test ~]# rpm -qa|grep libattr
libattr-2.4.44-7.el6.i686
libattr-devel-2.4.44-7.el6.i686

[root@test ~]# rpm -qa|grep libacl
libacl-2.2.49-6.el6.i686
libacl-devel-2.2.49-6.el6.i686

Secondly, remount your filesystem with both options (for me the root partition is /dev/mapper/VolGroup-root; make the necessary changes as per your partition)
# mount -o remount,acl,user_xattr /dev/mapper/VolGroup-root
To make the change permanent, update your fstab file
# cat /etc/fstab
/dev/mapper/VolGroup-root     /      ext4    defaults,acl,user_xattr     1 1

NOTE: Since this is a change at the kernel (mount) level, the system has to boot for the changes to take full effect. Reboot your system and try again

Solution 2:
Use the extra parameter --use-ntvfs to skip the above work in case it is a production server, as you will not be allowed to reboot a prod server.
[root@test1 ~]# samba-tool domain join example.com DC -Uadministrator --realm=example.com --use-ntvfs
Finding a writeable DC for domain 'example.com'
Found DC test.example.com
Password for [EXAMPLE\administrator]: [Give your PDC password]
NO DNS zone information found in source domain, not replicating DNS
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Adding CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Adding CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding SPNs to CN=TEST1,OU=Domain Controllers,DC=example,DC=com
Setting account password for TEST1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1608/1653] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1653/1653] linked_values[20/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[23/0]
Partition[DC=example,DC=com] objects[394/296] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-2036099725-333104617-2937475635) as a DC
As you see above, we have successfully joined our PDC as an SDC.

Now the next step is to make sure the hostname of your SDC is resolvable in DNS

On DNS server (192.168.1.5)
[root@test1 ~]# nslookup test1.example.con
Server:         192.168.1.6
Address:        192.168.1.6#53

** server can't find test1.example.con: NXDOMAIN

As you see, currently our hostname for the SDC is not resolvable, so let's make an entry for the same on your Samba 4 DNS server
[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
(Make an entry in last line)
test1           IN A    192.168.1.5
Save and exit

Restart the named services
[root@test ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Now retry to resolve the hostname
[root@test1 ~]# nslookup test1.example.com
Server:         192.168.1.6
Address:        192.168.1.6#53

Name:   test1.example.com
Address: 192.168.1.5

So we are good to move to the next step now

Verify if the objectGUID is resolvable to the new hostname. Run the below command
[root@test1 ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903

record 2
dn: CN=NTDS Settings,CN=TEST1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
Here my objectGUID for test1.example.com is record 2, which is 607bc2dc-0754-49e3-aa37-9be403d0cc33

Now this objectGUID should resolve using the below command
[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
Host 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. not found: 3(NXDOMAIN)

But since there is no DNS entry for the same, it is not getting resolved. You can update your DNS record using the below command
# samba-tool dns add IP-of-your-DNS _msdcs.samdom.example.com 607bc2dc-0754-49e3-aa37-9be403d0cc33 CNAME test1.example.com -Uadministrator
But for me unfortunately the above command was throwing an error, so I had to manually update the DNS CNAME record. So in case you are also facing the same issue, follow the below steps to manually update your zone file in DNS
[root@test ~]# vi /usr/local/samba/private/dns/example.com.zone
Make a new entry at the last line of the file
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com. IN CNAME test1

[root@test ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Now again retry to run the below command
[root@test ~]# host -t CNAME 607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com.
607bc2dc-0754-49e3-aa37-9be403d0cc33._msdcs.example.com is an alias for test1.example.com.
Well, that fixed one of our problems, so moving to the next step

Finally, update the IP of your SDC in the resolv.conf of the same server, which for our case is 192.168.1.5
[root@test1 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.6
nameserver 192.168.1.5


Starting Samba

You have to follow the same steps to start Samba as used on the PDC
# samba
# ps -ef | grep samba
[root@test1 ~]# ps -ef | grep samba
root      2957     1  0 11:06 ?        00:00:00 samba
root      2958  2957  0 11:06 ?        00:00:00 samba
root      2959  2957  0 11:06 ?        00:00:03 samba
root      2960  2957  0 11:06 ?        00:00:00 samba
root      2961  2957  0 11:06 ?        00:00:00 samba
root      2962  2957  0 11:06 ?        00:00:01 samba
root      2963  2957  0 11:06 ?        00:00:00 samba
root      2964  2957  0 11:06 ?        00:00:00 samba
root      2965  2958  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      2966  2957  0 11:06 ?        00:00:00 samba
root      2967  2957  0 11:06 ?        00:00:00 samba
root      2968  2957  0 11:06 ?        00:00:00 samba
root      2969  2957  0 11:06 ?        00:00:00 samba
root      2970  2957  0 11:06 ?        00:00:00 samba
root      2973  2965  0 11:06 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      3524  2703  0 11:18 pts/0    00:00:00 grep samba
# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
Warning: Your password will expire in 41 days on Mon Mar 31 13:44:36 2014

Now it is time to see if replication is working between both domain controllers, so that if you make any change on one DC the same reflects on the other DC.

To verify the same run the below command
[root@test1 ~]# samba-tool drs showrepl
Failed to connect host 192.168.1.5 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.5 (test1.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to test1.example.com failed - drsException: DRS connection to test1.example.com failed: (-1073741258, 'The connection was refused')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

Now the first time I ran this command I got the above error, so I did a little digging to look for the possible reason
[root@test1 ~]# cat /var/log/messages | grep 135

Feb 17 15:15:58 test samba[1207]:
Failed to connect host 192.168.1.6 on port 135 - NT_STATUS_CONNECTION_REFUSED
Feb 17 15:15:58 test samba[1207]: Failed to connect host 192.168.1.6 (74b975bc-c25c-4ce7-9773-fe3f6eb1b903._msdcs.example.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.

Then just to be sure
[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1:
Connection refused

Then I checked my SELinux, which was in enforcing mode.
[root@test1 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change it to the disabled state and reboot the system.
Now retry the same
[root@test1 ~]# telnet localhost 135
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.

Escape character is '^]'.
^]
telnet> quit
Connection closed.
So now port 135 is in the listening state

Also check the below link to configure iptables rules for your Samba 4.1

Again I ran the below command
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
Next time I was getting the above error

Error:
NT_STATUS_RPC_PROTOCOL_ERROR

Solution:
It looked like my Samba services were not started properly when I checked the running processes. So I restarted my Samba services and everything worked fine after that
[root@test1 ~]# samba-tool drs showrepl
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

DC=example,DC=com
Default-First-Site-Name\TEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:58 2014 IST

CN=Configuration,DC=example,DC=com
Default-First-Site-Name\TEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:57 2014 IST

CN=Schema,CN=Configuration,DC=example,DC=com
Default-First-Site-Name\TEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:53 2014 IST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 77f4ad2e-ddca-4584-8d8c-7efbd1f7d93c
Enabled : TRUE
Server DNS name : test.example.com
Server DN name : CN=NTDS Settings,CN=TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
TransportType: RPC
options: 0x00000001
So, all looks good to verify our configuration.
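As an added example that is not part of the original article, a small Python health check over the `samba-tool drs showrepl` output above: it flags inbound partners whose last attempt failed or whose consecutive-failure count is non-zero, and separately surfaces the `ERROR(runtime)` case seen earlier. The embedded sample is the article's own output for the domain partition, with a constructed healthy Configuration partition added for contrast.

```python
"""Health check over `samba-tool drs showrepl` output (added example, not from
the original article).  SAMPLE is the article's own output for the DC=example
partition plus a constructed healthy Configuration partition for contrast."""
import re
from dataclasses import dataclass

SAMPLE = """\
Default-First-Site-Name\\TEST1
DSA Options: 0x00000001
DSA object GUID: 607bc2dc-0754-49e3-aa37-9be403d0cc33
DSA invocationId: 7899d780-9c0c-4cfc-adae-ba8c63790cf0

==== INBOUND NEIGHBORS ====

DC=example,DC=com
Default-First-Site-Name\\TEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST failed, result 2 (WERR_BADFILE)
1 consecutive failure(s).
Last success @ Tue Feb 18 10:35:58 2014 IST

CN=Configuration,DC=example,DC=com
Default-First-Site-Name\\TEST via RPC
DSA object GUID: 74b975bc-c25c-4ce7-9773-fe3f6eb1b903
Last attempt @ Tue Feb 18 10:59:58 2014 IST was successful
0 consecutive failure(s).
Last success @ Tue Feb 18 10:59:58 2014 IST

==== OUTBOUND NEIGHBORS ====
"""

# The ERROR(runtime) case from the article, printed instead of neighbour data
# when the RPC server does not answer properly (constructed copy of that output).
SAMPLE_RPC_ERROR = """\
==== INBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
"""

ATTEMPT_RE = re.compile(
    r"Last attempt @ (?P<when>.+?) (?:(?P<ok>was successful)|failed, result (?P<code>\d+) \((?P<err>\w+)\))$")


@dataclass
class Neighbor:
    partition: str
    partner: str
    partner_guid: str
    last_attempt: str
    result: str              # "OK" or the WERR_* name of the last attempt
    consecutive_failures: int

    @property
    def healthy(self) -> bool:
        return self.result == "OK" and self.consecutive_failures == 0


def _section(lines, name):
    """Lines between '==== name ====' and the next '====' header."""
    try:
        start = lines.index(f"==== {name} ====") + 1
    except ValueError:
        return []
    end = next((i for i in range(start, len(lines)) if lines[i].startswith("====")), len(lines))
    return lines[start:end]


def rpc_error(text: str):
    """The ERROR(...) line samba-tool prints instead of neighbour data, or None."""
    for line in text.splitlines():
        if line.strip().startswith("ERROR("):
            return line.strip()
    return None


def parse_inbound(text: str):
    """One Neighbor per blank-line-separated block of the INBOUND NEIGHBORS section."""
    lines = [l.strip() for l in text.splitlines()]   # tolerate the tab indentation
    blocks, cur = [], []
    for line in _section(lines, "INBOUND NEIGHBORS"):
        if line:
            cur.append(line)
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    out = []
    for b in blocks:
        if len(b) < 6:
            continue                    # not a neighbour block (e.g. an ERROR line)
        partner = re.match(r"(.+) via \w+$", b[1])
        guid = re.match(r"DSA object GUID: ([0-9a-f-]+)$", b[2])
        attempt = ATTEMPT_RE.match(b[3])
        fails = re.match(r"(\d+) consecutive failure", b[4])
        if not (partner and guid and attempt and fails):
            continue
        out.append(Neighbor(partition=b[0], partner=partner.group(1), partner_guid=guid.group(1),
                            last_attempt=attempt.group("when"),
                            result="OK" if attempt.group("ok") else attempt.group("err"),
                            consecutive_failures=int(fails.group(1))))
    return out


def failing_partitions(text: str):
    """Partition DNs whose inbound replication from some partner is not healthy."""
    return [n.partition for n in parse_inbound(text) if not n.healthy]


if __name__ == "__main__":
    for n in parse_inbound(SAMPLE):
        state = "OK " if n.healthy else "BAD"
        print(f"{state} {n.partition} <- {n.partner}: {n.result}, {n.consecutive_failures} failure(s)")
    print("rpc error:", rpc_error(SAMPLE_RPC_ERROR))
```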

On Windows client machine

Open the Active Directory User management console

You should be connected to the domain example.com
Click on Action and select "Change Domain Controller" as shown below

Here you should be able to see your available domain controllers and their status, as shown below; in my case both my DCs are online.

You can switch to either dc using these steps

Now I tried to add a user on the SDC (test1.example.com) using the CLI
[root@test1 ~]# samba-tool user add test
New Password:
Retype Password:
User 'test' created successfully

[root@test1 ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test

On PDC (test.example.com)
[root@test ~]# samba-tool user list
Administrator
dns-test
krbtgt
Guest
test
So the same user appeared on my PDC as well, so our replication is working well. The same you can test from either domain controller.

But again, as I said at the beginning of this article, this is NOT a backup domain controller, it is a secondary domain controller. I am waiting for the Samba 4 developers to come up with a backup domain controller option as well.

Please let me know your successes and failures.

Tutorial for Monitoring Tools SAR and KSAR with examples in Linux

sar is an abbreviation for System Activity Report.

Important points for sar

  • It can be used for real-time monitoring of Linux system performance.
  • The sar command writes to standard output based on the values in the count and interval parameters.
  • The collected data can also be saved in the file specified by the -o filename flag, in addition to being displayed on the screen.
  • You can select information about specific system activities using flags. Not specifying any flags selects only CPU activity.
  • The sar command can also extract and write to standard output records previously saved in a file, specified by the -f flag.
  • All data is captured in binary form and saved to a file (datafile) with the default location /var/log/sa/saXX, where XX is the day of the month.

Package required (Sysstat)

Before you start running the sar command, make sure that the required package for the same is installed on your machine, i.e. the sysstat package

For Red Hat Linux
Check if the rpm exists already
# rpm -qa | grep sysstat
If it is not installed you can install the same using
# yum install sysstat

If we try to query the installed packages for sysstat
[deepak@test1 ~]$ rpm -ql sysstat
/etc/cron.d/sysstat 
/usr/bin/iostat  
/usr/bin/mpstat
/usr/bin/sadf
/usr/bin/sar
/usr/lib64/sa
/usr/lib64/sa/sa1
/usr/lib64/sa/sa2
/usr/lib64/sa/sadc

Package   Usage
sysstat   To define the maximum no. of days to save sar reports
iostat    Report Central Processing Unit (CPU) statistics and input/output statistics
mpstat    Report processor related statistics
sadf      Display data collected by sar in multiple formats
sar       Collect, report, or save system activity information
sa        Summarizes accounting information
sa1       Collect and store binary data in the system activity daily data file
sa2       Write a daily report in the /var/log/sa directory
sadc      System activity data collector
So as you see now sar has been installed

To check the version
[deepak@test1 ~]$ sar -V
sysstat version 7.0.2
(C) Sebastien Godard

Collect sar reports on a daily basis using cron jobs (this entry is made by default as soon as you install the sysstat package)
[root@test1 ~]# cat /etc/cron.d/sysstat
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

IMPORTANT NOTE: Do not be confused when I say that sa1 and sa2 both create a file inside /var/log/sa/. The important difference is that sa1 creates a binary file named saXX, while sa2 creates a report (a normal, human-readable file) at the end of the day as scheduled in the cron job, named sarXX. In both cases XX is the day of the month.

Syntax:
# sar {argument} {interval} {count}

CPU usage reports

Even if you don't use any argument along with the sar command it will show you the overall CPU utilization. But the best part about sar is that you can use it to view real-time activity for any performance-related feature in Linux by using the interval and count parameters along with the sar command.

For example:
[deepak@test1 ~]$ sar
Linux 2.6.18-348.el5 (test1)   02/20/14

00:00:01          CPU     %user     %nice   %system   %iowait    %steal     %idle
00:10:01          all     18.03      0.00      9.38      2.24      0.00     70.35
00:20:02          all     17.04      0.00      6.90      2.70      0.00     73.37
00:30:01          all     11.90      0.00      4.33      1.76      0.00     82.01
00:40:01          all      8.67      0.00      2.60      0.21      0.00     88.51
00:50:01          all      7.99      0.00      2.35      0.62      0.00     89.04
01:00:01          all      8.78      0.00      2.54      0.29      0.00     88.38
01:10:01          all      9.44      0.00      4.71      0.65      0.00     85.19
01:20:01          all     14.26      0.00      4.69      0.50      0.00     80.55
01:30:01          all      7.94      0.00      4.52      0.36      0.00     87.18
01:40:01          all     27.02      0.00      6.04      0.30      0.00     66.64

Average:          all     17.90      0.00     10.60      1.54      0.00     69.96
Explanation: CPU utilization report (the same as using the -u argument). Since no interval and count arguments are specified, it shows the activity recorded for the complete day.

For example:
[deepak@test1 ~]$ sar -u 2 5
Linux 2.6.18-348.el5 (test1)   02/20/14

05:24:03          CPU     %user     %nice   %system   %iowait    %steal     %idle
05:24:05          all     20.05      0.00      4.24      3.50      0.00     72.21
05:24:07          all     19.88      0.00      5.72      3.12      0.00     71.28
05:24:09          all     11.22      0.00      7.72      1.94      0.00     79.12
05:24:11          all     21.12      0.00      4.45      3.37      0.00     71.05
05:24:13          all     20.45      0.00      4.44      3.61      0.00     71.49
Average:          all     18.54      0.00      5.32      3.11      0.00     73.03
Explanation: In the above command we have specified an interval argument of 2 and a count argument of 5, so it gives us a real-time report of CPU utilization every 2 seconds for a total of 5 outputs, along with the average of all of them.

Value     Meaning
%user     Percentage of CPU utilization that occurred while executing at the user level (application).
%nice     Percentage of CPU utilization that occurred while executing at the user level with nice priority.
%system   Percentage of CPU utilization that occurred while executing at the system level (kernel).
%iowait   Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%steal    Percentage of time spent in involuntary wait by the virtual CPU or CPUs while the hypervisor was servicing another virtual processor.
%idle     Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.

Individual CPU reports

[deepak@test1 ~]$ sar -P ALL | less
Linux 2.6.18-348.el5 (test1)     02/20/14

00:00:01          CPU     %user     %nice   %system   %iowait    %steal     %idle
00:10:01          all     18.03      0.00      9.38      2.24      0.00     70.35
00:10:01            0      7.37      0.00     11.23      0.94      0.00     80.46
00:10:01            1      8.29      0.00      6.42      0.87      0.00     84.41
00:10:01            2      6.17      0.00      8.05      1.24      0.00     84.53
00:10:01            3      8.40      0.00      6.62      1.31      0.00     83.68
00:10:01            4      7.51      0.00      6.40      0.56      0.00     85.53

Average:          CPU     %user     %nice   %system   %iowait    %steal     %idle
Average:          all     17.90      0.00     10.60      1.54      0.00     69.96
Average:            0      9.69      0.00      8.76      0.39      0.00     81.16
Average:            1     11.33      0.00      7.51      0.57      0.00     80.59
Average:            2     11.28      0.00      7.30      0.54      0.00     80.88
Average:            3     10.96      0.00      7.14      0.68      0.00     81.22
Average:            4     10.66      0.00      7.30      0.45      0.00     81.58
Explanation: Report CPU utilization for all the processors (if no interval and count values are specified it shows the statistics for the complete day from the time monitoring started).

[deepak@test1 ~]$ sar -P 1 2 4
Linux 2.6.18-348.el5 (test1)   02/20/14

05:31:27          CPU     %user     %nice   %system   %iowait    %steal     %idle
05:31:29            1      0.00      0.00      0.00      0.00      0.00    100.00
05:31:31            1      0.00      0.00      0.00      0.00      0.00    100.00
05:31:33            1      0.00      0.00      0.50      0.00      0.00     99.50
05:31:35            1      1.49      0.00      0.00      0.00      0.00     98.51
Average:            1      0.37      0.00      0.12      0.00      0.00     99.50
Explanation: Report CPU utilization for an interval of 2 seconds (count = 4) along with an average value

Memory and swap space usage Reports

[deepak@test1 ~]$ sar -r 2 4
Linux 2.6.18-348.el5 (test1)   02/20/14

05:43:01    kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
05:43:03     18146452 245967972     93.13    256956 225320936  33548444      5980      0.02       264
05:43:05     18085944 246028480     93.15    257016 225376624  33548444      5980      0.02       264
05:43:07     18027132 246087292     93.17    257016 225433756  33548444      5980      0.02       264
05:43:09     17964680 246149744     93.20    257040 225494048  33548444      5980      0.02       264
Average:     18056052 246058372     93.16    257007 225406341  33548444      5980      0.02       264
Explanation: The above command will show 4 consecutive outputs for memory and swap space utilization statistics at an interval of 2 seconds.

Value       Meaning
kbmemfree   Amount of free memory available in kilobytes
kbmemused   Amount of used memory in kilobytes
%memused    Percentage of used memory
kbbuffers   Amount of memory used as buffers by the kernel in kilobytes
kbcached    Amount of memory used to cache data by the kernel in kilobytes
kbswpfree   Amount of free swap space in kilobytes
kbswpused   Amount of used swap space in kilobytes
%swpused    Percentage of used swap space
kbswpcad    Amount of cached swap memory in kilobytes

Network Utilization Statistics

[deepak@test1 ~]$ sar -n DEV 1 1
Linux 2.6.18-348.el5 (test1)   02/20/14

06:07:37   IFACE   rxpck/s   txpck/s   rxbyt/s   txbyt/s   rxcmp/s   txcmp/s  rxmcst/s
06:07:38      lo    125.00    125.00    288.00    288.00      0.00      0.00      0.00
06:07:38    eth0    671.00    794.00    387.00    437.00      0.00      0.00      1.00
06:07:38    eth1      0.00      0.00      0.00      0.00      0.00      0.00      1.00
06:07:38    eth2      0.00      0.00      0.00      0.00      0.00      0.00      0.00
06:07:38    eth3    384.00    651.00    413.00    730.00      0.00      0.00      0.00
06:07:38   bond0    671.00    794.00    387.00    437.00      0.00      0.00      2.00
06:07:38   bond1     70.00     74.00    213.00    593.00      0.00      0.00      2.00

Average:   IFACE   rxpck/s   txpck/s   rxbyt/s   txbyt/s   rxcmp/s   txcmp/s  rxmcst/s
Average:      lo    125.00    125.00    288.00    288.00      0.00      0.00      0.00
Average:    eth0    671.00    794.00    387.00    437.00      0.00      0.00      1.00
Average:    eth1      0.00      0.00      0.00      0.00      0.00      0.00      1.00
Average:    eth2      0.00      0.00      0.00      0.00      0.00      0.00      0.00
Average:    eth3    384.00   4651.00    413.00    730.00      0.00      0.00      0.00
Average:   bond0    671.00    794.00    387.00    437.00      0.00      0.00      2.00
Average:   bond1     70.00     74.00    213.00    593.00      0.00      0.00      2.00
Explanation: Report network statistics. With the DEV keyword, statistics from the network devices are reported.

Value      Meaning
IFACE      Name of the network interface for which statistics are reported
rxpck/s    Total number of packets received per second
txpck/s    Total number of packets transmitted per second
rxbyt/s    Total number of bytes received per second
txbyt/s    Total number of bytes transmitted per second
rxcmp/s    Number of compressed packets received per second (for cslip etc.)
txcmp/s    Number of compressed packets transmitted per second
rxmcst/s   Number of multicast packets received per second

No. of Process created per second Reports

[deepak@test1 ~]$ sar -c 1 3
Linux 2.6.18-348.el5 (test1)   02/20/14

06:10:29       proc/s
06:10:30      1152.00
06:10:31      1059.00
06:10:32      1082.18
Average:      1097.67
Explanation: Report process creation activity using the -c argument. The above command shows 3 consecutive outputs, one every second.

Load Average Reports

[deepak@test1 ~]$ sar -q 2 4
Linux 2.6.18-348.el5 (test1)   02/20/14

06:20:19      runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15
06:20:21            7      2464      8.40      9.63     10.46
06:20:23           13      2467      8.21      9.57     10.44
06:20:25            7      2465      8.21      9.57     10.44
06:20:27            7      2460      8.21      9.57     10.44
Average:            8      2464      8.26      9.59     10.45
Explanation: Report queue length and load averages with 4 output at an interval of 2 seconds for each output.

Value      Meaning
runq-sz    Run queue length (number of processes waiting for run time)
plist-sz   Number of processes and threads in the process list
ldavg-1    System load average for the last minute
ldavg-5    System load average for the past 5 minutes
ldavg-15   System load average for the past 15 minutes

Store the sar output to a file

[root@test1 ~]# sar -u 1 3 -o test.txt
Linux 2.6.18-194.26.1.el5 (test1)     02/20/14

05:50:26          CPU     %user     %nice   %system   %iowait    %steal     %idle
05:50:27          all      0.00      0.00      0.06      0.12      0.00     99.81
05:50:28          all      0.00      0.00      0.06      0.12      0.00     99.81
05:50:29          all      0.00      0.00      0.06      0.56      0.00     99.38
Average:          all      0.00      0.00      0.06      0.27      0.00     99.67
Explanation: You can save the readings to a file in binary form which can be viewed again using sar -f parameter

Collect report from a file (created above)

[root@test1 ~]# sar -f test.txt
Linux 2.6.18-194.26.1.el5 (test1)     02/20/14

05:50:26          CPU     %user     %nice   %system   %iowait    %steal     %idle
05:50:27          all      0.00      0.00      0.06      0.12      0.00     99.81
05:50:28          all      0.00      0.00      0.06      0.12      0.00     99.81
05:50:29          all      0.00      0.00      0.06      0.56      0.00     99.38
Average:          all      0.00      0.00      0.06      0.27      0.00     99.67


Collect sar reports from file for specific date

By default all the sar reports are stored inside /var/log/sa/saXX as binary files. To read those files use the below command with the required arguments.
[deepak@test1 ~]$ sar -f  /var/log/sa/sa19  -q
Linux 2.6.18-348.el5 (test1)   02/19/14

00:00:01      runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15
00:10:01           14      3319     14.28     16.29     15.79
00:20:01            9      3230     18.34     17.97     16.63
00:30:01           15      3174     11.57     11.52     13.80
00:40:01            7      2949     12.50     12.58     13.07
23:30:01            6      2499     10.09     11.53     12.10
23:40:02            7      2591     19.20     16.10     13.74
23:50:01           19      3515     29.81     22.92     18.09
Average:            7      2510      9.79      9.72      9.66
Explanation: Using the above command you are collecting the load average report (-q) for the 19th day (sa19) of the current month. I have trimmed the output here. Since I have not used any other time-related argument, it shows me the load average output for the complete day.

Collect sar reports from file for specific date and specific time

[deepak@test1 ~]$ sar -f  /var/log/sa/sa19  -q -s 19:00:00 -e 20:00:00
Linux 2.6.18-348.el5 (test1)   02/19/14

19:00:01     runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15
19:10:01           1      2286      2.36      1.81      1.59
19:20:01           0      2284      0.48      1.32      1.55
19:30:01           2      2286      0.39      0.48      0.97
19:40:01           1      2290      2.72      2.13      1.54
19:50:01           0      2288      2.13      2.58      2.08
Average:            1      2287      1.62      1.66      1.55
Explanation: Using the above command I have given a time argument with start(-s) and end(-e) time to get the reports only for that particular time interval

Collect Monthly reports

By default you can view reports for only the current month, or for the period set inside /etc/sysconfig/sysstat.

To view the default settings
[deepak@test1 ~]$ cat /etc/sysconfig/sysstat
# How long to keep log files (days), maximum is a month
HISTORY=7

So as you see, the maximum time you can keep your reports is 1 month, but if you still want to save reports for more than a month, follow the below steps.
[root@test1 201404]# cat /etc/sysconfig/sysstat
# sysstat-9.0.4 configuration file.
# How long to keep log files (in days).

# If value is greater than 28, then log files are kept in
# multiple directories, one for each month.
HISTORY=30

# cd /var/log/sa/
[root@test1 sa]# ls -l
total 8
drwxr-xr-x 2 root root 4096 Apr  2 10:10 201403
drwxr-xr-x 2 root root 4096 Apr  2 10:10 201404
lrwxrwxrwx 1 root root   11 Apr  2 10:10 sa02 -> 201404/sa02
lrwxrwxrwx 1 root root   12 Apr  2 10:10 sar02 -> 201404/sar02
As you can see, a separate directory is created for each month, and separate sa and sar files (symlinks) are created inside the sa directory pointing to their respective paths.

Collect Graphical reports using ksar

If you are not comfortable using the CLI, there is an alternative option: a graphical interface for all the reports.

For this purpose you will have to download the ksar package, which can be done using the below link
KSAR download

Once the package is downloaded, extract it at any preferred location.
Move into the ksar directory created by the extraction step; you should see the below directories/files.

Double-click the "Ksar.jar" java file, after which the below window should come up.
Click on Data and select "Launch SSH Command.."

In the next pop up window provide the host name you want to connect using the below mentioned syntax
username@server-name
For example deepak@192.168.0.5

Click Yes to establish a connection with the host

Provide the password for the host you want to connect

Use the shown command as it will give you the complete graphical report for the whole day

Once the data import is finished you will see the below popup window. Click OK

Now you can select different parameters, as shown in the left panel of ksar, to view all the reports. I have shown a few examples using screenshots.

Interface traffic for eth0

Load average Statistics

Memory usage Statistics

CPU usage Statistics

Swap Memory usage statistics


References:
Linux man page for sar


Configure Red Hat Cluster using VMware, Quorum Disk, GFS2, Openfiler

In this article I will show you a step-by-step guide to install and configure Red Hat Cluster using VMware Workstation 10.

These are the things which I would be using as per my lab setup:

  • VMware Workstation 10 (any version is fine above 8)
  • CentOS 6.5 - 64 bit (you can use either 32 or 64 bit; if you use earlier versions, some rpms and packages would differ for any version below 6.0)
  • Openfiler 2.99 - 64 bit
Brief intro of what we are trying to accomplish

  1. Configure a 2 node Red Hat Cluster using CentOS 6.5 (64 bit)
  2. One node will be used for management purpose of cluster with luci using CentOS 6.5 (64 bit)
  3. Openfiler will be used to configure a shared iSCSI storage for the cluster
  4. Configure failover for both the nodes
  5. Configure a Quorum disk with 1 vote to test the failover
  6. Create a common service GFS2 which will run on any one node of our cluster with failover policy
NOTE: I will not be able to configure fencing related settings as it is not supported on vmware. For more information please visit this site Fence Device and Agent Information for Red Hat Enterprise Linux

IMPORTANT NOTE: In this article I will not be able to explain properly all the terms used, for that you can always refer the Official Guide from Red Hat on Cluster Administration for further clarification

Lab Setup

2 nodes with CentOS 6.5 - 64 bit
Node 1
Hostname: node1.cluster
IP Address: 192.168.1.5

Node 2
Hostname: node2.cluster
IP Address: 192.168.1.6

1 Node for Management Interface with CentOS 6.5 - 64 bit
Node 1
Hostname: node3.mgmt
IP Address: 192.168.1.7

Openfiler
Hostname: of.storage
IP Address: 192.168.1.8 

Before moving to start with the configuration of cluster and cluster nodes let us prepare our openfiler with iSCSI storage.

Login to the web console of your openfiler storage (assuming that you have successfully installed openfiler with sufficient free space for cluster storage)

Here I have written one more article on the configuration of openfiler, which you can use for reference if you face any issues following me here, as I will be very brief
Configuring iSCSI storage using openfiler


1. Configure iSCSI Target using Openfiler

Click on Block Management and select the partition where you want to create Physical Volume.

Create a new partition with the below shown options for the available disk. Mention a cylinder value for the partition

Once done you should see a new partition added

Similarly create a new partition for next disk /dev/sdb

Select Physical Volume in the Partition Type

So our one more partition is created as you see below

Configure a Volume Group for both the partition you created

So, we have successfully created a new Volume Group SAN

Next is to create a new Logical Volume. Create 2 Logical Volumes with custom size as per your requirement.

For my case I will create two volumes
1. quorum with size 1400 MB (the quorum disk does not require more than 1GB of disk space)
2. SAN with all the left size which will be used for GFS2 filesystem in our cluster


Start the iSCSI Target services

On the System page create an ACL for the subnet which will access the openfiler storage. In my case the subnet is 192.168.1.0, so I will add a new entry for it with the matching subnet mask.

Next add an iSCSI target for the first disk, i.e. the quorum volume. You can edit the iSCSI target value with a custom name, as I have done in my case, so that it becomes easier to understand

Next map the volume to the iSCSI target. For quorum target select quorum partition and click on Map as shown below

Next allow the iSCSI target in the Network ACL section

Do the same steps for SAN volume also as we did for quorum volume above. Edit the target value as shown below

Map the volume to the iSCSI target as shown in the figure below. Be sure to map the correct volume


Allow the ACL for that particular target in Network ACL section

2. Let us start configuring our Cluster

We are going to use luci also known as Conga for Administering and management purpose for the cluster.

What is Conga?

Conga is an integrated set of software components that provides centralized configuration and management of Red Hat clusters and storage. Conga provides the following major features:
  • One Web interface for managing cluster and storage
  • Automated Deployment of Cluster Data and Supporting Packages
  • Easy Integration with Existing Clusters
  • No Need to Re-Authenticate
  • Integration of Cluster Status and Logs
  • Fine-Grained Control over User Permissions
The primary components in Conga are luci and ricci, which are separately installable. luci is a server that runs on one computer and communicates with multiple clusters and computers via ricci. ricci is an agent that runs on each computer (either a cluster member or a standalone computer) managed by Conga

On node3:
Run the below command to install all the Clustering related packages
[root@node3 ~]# yum groupinstall "High Availability Management" "High Availability"
On node1 and node2:
Install the below packages to start building your cluster nodes and connect to the iSCSI targets we created in openfiler
[root@node1 ~]# yum groupinstall "iSCSI Storage Client" "High Availability"

[root@node2 ~]# yum groupinstall "iSCSI Storage Client" "High Availability"


3. Add iSCSI targets using iSCSi initiator

Once the clustering packages are installed, let us move to the next step and add the iSCSI storage to our cluster nodes (here 192.168.1.8 is the IP of my openfiler)
[root@node1 ~]# iscsiadm -m discovery -t sendtargets -p 192.168.1.8
Starting iscsid:                                           [  OK  ]
192.168.1.8:3260,1 iqn.2006-01.com.openfiler:san
192.168.1.8:3260,1 iqn.2006-01.com.openfiler:quorum
As you see, as soon as we gave the discovery command with the openfiler IP address, the iSCSI targets got discovered automatically as configured on openfiler

Now restart the iscsi service once again to refresh the settings
[root@node1 ~]# service iscsi restart
Stopping iscsi:                                            [  OK  ]
Starting iscsi:                                            [  OK  ]

Verify the added iSCSI storage on your node1
[root@node1 ~]# fdisk -l

Disk /dev/sdb: 1476 MB, 1476395008 bytes
46 heads, 62 sectors/track, 1011 cylinders
Units = cylinders of 2852 * 512 = 1460224 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdc: 11.1 GB, 11106516992 bytes
64 heads, 32 sectors/track, 10592 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Now perform the same steps on node2
[root@node2 ~]# iscsiadm -m discovery -t sendtargets -p 192.168.1.8
192.168.1.8:3260,1 iqn.2006-01.com.openfiler:san
192.168.1.8:3260,1 iqn.2006-01.com.openfiler:quorum

Restart iscsi services
[root@node2 ~]# service iscsi restart
Stopping iscsi:                                            [  OK  ]
Starting iscsi:                                            [  OK  ]

Verify that the added iSCSI storage shows up on node2 just as it did on node1
[root@node2 ~]# fdisk -l

Disk /dev/sdb: 1476 MB, 1476395008 bytes
46 heads, 62 sectors/track, 1011 cylinders
Units = cylinders of 2852 * 512 = 1460224 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdc: 11.1 GB, 11106516992 bytes
64 heads, 32 sectors/track, 10592 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

4. Configure Quorum disk

You need to do this step on both the nodes.
NOTE: Before you do this step be VERY sure of the partition you use; it must not be in use by anyone, since the below step will destroy all the data in that partition

For me I will use the iSCSI quorum partition, which is /dev/sdb
Here we are using the label name "quorum"
NOTE: This label will be used in further steps so remember the name which you use

On node1
[root@node1 ~]# mkqdisk -c /dev/sdb -l quorum
mkqdisk v3.0.12.1

Writing new quorum disk label 'quorum' to /dev/sdb.
WARNING: About to destroy all data on /dev/sdb; proceed [N/y] ?y
Warning: Initializing previously initialized partition
Initializing status block for node 1...
Initializing status block for node 2...
Initializing status block for node 3...
Initializing status block for node 4...
Initializing status block for node 5...
Initializing status block for node 6...
Initializing status block for node 7...
Initializing status block for node 8...
Initializing status block for node 9...
Initializing status block for node 10...
Initializing status block for node 11...
Initializing status block for node 12...
Initializing status block for node 13...
Initializing status block for node 14...
Initializing status block for node 15...
Initializing status block for node 16...

On node2
[root@node2 ~]#  mkqdisk -c /dev/sdb -l quorum
mkqdisk v3.0.12.1

Writing new quorum disk label 'quorum' to /dev/sdb.
WARNING: About to destroy all data on /dev/sdb; proceed [N/y] ?y
Warning: Initializing previously initialized partition
Initializing status block for node 1...
Initializing status block for node 2...
Initializing status block for node 3...
Initializing status block for node 4...
Initializing status block for node 5...
Initializing status block for node 6...
Initializing status block for node 7...
Initializing status block for node 8...
Initializing status block for node 9...
Initializing status block for node 10...
Initializing status block for node 11...
Initializing status block for node 12...
Initializing status block for node 13...
Initializing status block for node 14...
Initializing status block for node 15...
Initializing status block for node 16...

5. Format a GFS2 partition

Since we want GFS services to be running on our cluster, let us format the iSCSI SAN target which we mapped on the cluster nodes, i.e. /dev/sdc

Explanation: 
Formatting filesystem: GFS2
Locking Protocol: lock_dlm
Cluster Name: cluster1
Service name: GFS
Journal: 4
Partition: /dev/sdc

Run the below command on both the nodes
[root@node1 ~]# mkfs.gfs2 -p lock_dlm -t cluster1:GFS -j 4 /dev/sdc
This will destroy any data on /dev/sdc.
It appears to contain: Linux GFS2 Filesystem (blocksize 4096, lockproto lock_dlm)

Are you sure you want to proceed? [y/n]y

Device:                    /dev/sdc
Blocksize:                 4096
Device Size                10.34 GB (2711552 blocks)
Filesystem Size:           10.34 GB (2711552 blocks)
Journals:                  4
Resource Groups:           42
Locking Protocol:          "lock_dlm"
Lock Table:                "cluster1:GFS"
UUID:                      2ff81375-31f9-c57d-59d1-7573cdfaff42

[root@node2 ~]# mkfs.gfs2 -p lock_dlm -t cluster1:GFS -j 4 /dev/sdc
This will destroy any data on /dev/sdc.
It appears to contain: Linux GFS2 Filesystem (blocksize 4096, lockproto lock_dlm)

Are you sure you want to proceed? [y/n]y

Device:                    /dev/sdc
Blocksize:                 4096
Device Size                10.34 GB (2711552 blocks)
Filesystem Size:           10.34 GB (2711552 blocks)
Journals:                  4
Resource Groups:           42
Locking Protocol:          "lock_dlm"
Lock Table:                "cluster1:GFS"
UUID:                      9b1cae02-c357-3634-51a3-d5c35e79ab58

6. Assign password to ricci

As explained earlier, ricci is the agent used by luci to connect to each cluster node, so we need to assign a password to it. This has to be performed on both node1 and node2
[root@node1 ~]# passwd ricci
Changing password for user ricci.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

Restart the ricci service for the changes to take effect
[root@node1 ~]# /etc/init.d/ricci start
Starting oddjobd:                                          [  OK  ]
generating SSL certificates...  done
Generating NSS database...  done
Starting ricci:                                            [  OK  ]

Make sure the ricci service comes up after reboot
[root@node1 ~]# chkconfig ricci on
[root@node2 ~]# passwd ricci
Changing password for user ricci.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

[root@node2 ~]# /etc/init.d/ricci start
Starting oddjobd:                                          [  OK  ]
generating SSL certificates...  done
Generating NSS database...  done
Starting ricci:                                            [  OK  ]
[root@node2 ~]# chkconfig ricci on


7. Starting conga services

Since node3 is your management server, start luci services on it using the below command
[root@node3 ~]# /etc/init.d/luci start
Adding following auto-detected host IDs (IP addresses/domain names), corresponding to `node3.example' address, to the configuration of self-managed certificate `/var/lib/luci/etc/cacert.config' (you can change them by editing `/var/lib/luci/etc/cacert.config', removing the generated certificate `/var/lib/luci/certs/host.pem' and restarting luci):         (none suitable found, you can still do it manually as mentioned above)

Generating a 2048 bit RSA private key
writing new private key to '/var/lib/luci/certs/host.pem'
Starting saslauthd:                                        [  OK  ]
Start luci...                                              [  OK  ]
Point your web browser to https://node3.mgmt:8084 (or equivalent) to access luci


8. Accessing luci console

The default login credential will be your node3 username/password i.e.
username: root
password: Your root password

Click on Manage Clusters to create a new cluster

Click on Create

Provide the following details for the cluster
Cluster name: Cluster1 (as provided above)
Node Name: node1.cluster (192.168.1.5) Make sure that hostname is resolvable
           node2.cluster (192.168.1.6) Make sure that hostname is resolvable
Password: As provided for agent ricci in Step 6
Check Shared storage box as we are using GFS2

Once you click on Submit, luci will start the procedure to add the nodes (if everything goes correctly; otherwise it will throw an error)

Now the nodes are added but they are shown in red color. Let us check the reason behind it. Click on any of the nodes for more details

So the reason is that most of the cluster services are not running. Let us log in to the console and start the services

[root@node1 ~]# /etc/init.d/cman start
Starting cluster:
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...
Network Manager is either running or configured to run. Please disable it in the cluster.
                                                           [FAILED]

Stopping cluster:
   Leaving fence domain...                                 [  OK  ]
   Stopping gfs_controld...                                [  OK  ]
   Stopping dlm_controld...                                [  OK  ]
   Stopping fenced...                                      [  OK  ]
   Stopping cman...                                        [  OK  ]
   Unloading kernel modules...                             [  OK  ]
   Unmounting configfs...                                  [  OK  ]

IMPORTANT NOTE: If you are planning to configure Red Hat Cluster then make sure NetworkManager service is not running
[root@node1 ~]# service NetworkManager stop
Stopping NetworkManager daemon:                            
[  OK  ]

[root@node1 ~]# chkconfig NetworkManager off


Now start the cman service again
[root@node1 ~]# /etc/init.d/cman start
Starting cluster:
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...                             [  OK  ]
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Tuning DLM kernel config...                             [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self...                                       [  OK  ]
   Joining fence domain...                                 [  OK  ]

start clvmd service
[root@node1 ~]# /etc/init.d/clvmd start
Activating VG(s):   2 logical volume(s) in volume group "VolGroup" now active
                                                           [  OK  ]
[root@node1 ~]# chkconfig  clvmd on

Start rgmanager and modclusterd service
[root@node1 ~]# /etc/init.d/rgmanager start
Starting Cluster Service Manager:                          [ OK ]

[root@node1 ~]# chkconfig rgmanager on

[root@node1 ~]# /etc/init.d/modclusterd start
Starting Cluster Module - cluster monitor:

[root@node1 ~]# chkconfig modclusterd on


We need to start all these services on node2 as well
[root@node2 ~]# /etc/init.d/cman start
Starting cluster:
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...                             [  OK  ]
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Tuning DLM kernel config...                             [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self...                                       [  OK  ]
   Joining fence domain...                                 [  OK  ]

[root@node2 ~]# chkconfig cman on

[root@node2 ~]# /etc/init.d/clvmd start
Starting clvmd:
Activating VG(s):   2 logical volume(s) in volume group "VolGroup" now active
                                                           [  OK  ]
[root@node2 ~]# /etc/init.d/rgmanager start
Starting Cluster Service Manager:                          [  OK  ]

[root@node2 ~]# chkconfig rgmanager on
[root@node2 ~]# chkconfig modclusterd on
[root@node2 ~]# /etc/init.d/modclusterd start
Starting Cluster Module - cluster monitor:

Now once all the services have started, let us refresh the web console and see the changes

So all the services are running and there is no more warning message on either cluster or the nodes


9. Configure Quorum Disk

Click on Configure from the TAB menu as shown below and select QDisk
Fill in the details as shown below
Check the box with "Use a Quorum Disk"
Provide the label name that was used while formatting the Quorum disk in Step 4
Provide the command to be run to check the quorum status between all the nodes, and the interval at which it runs
Click on Apply once done

If everything goes fine you should be able to see the below message

10. Configure Failover Domain

Select Failover Domain option from the TAB menu and Add a new Failover Domain

Give a name to your failover domain and follow the settings as shown below

11. Create Resources

Click on Resources TAB from the top menu and select Add

Select GFS2 from the drop down menu and fill in the details
Name: Give any name
Mount Point: Before giving the mount point make sure it exists on both the nodes

Let us create these mount points on node1 and node2
[root@node1 ~]# mkdir /GFS
[root@node2 ~]# mkdir /GFS

Next fill in the device details which we formatted for GFS2 i.e. /dev/sdc
Check the Force Unmount box and click on Submit

12. Create Service Group

Select Service Group TAB from the top menu and click on Add

Give a name to your service
Check the box to automatically start your service
Select the failover domain which we created in Step 10
Select relocate from the drop down menu for Recovery Policy
Once done click on "Add resource"

You will see the below box on your screen. Select the Resource we created in Step 11.

As soon as you select GFS, all the settings saved under the GFS resource will be visible under the service group section as shown below. Click on Submit to save the changes

Once you click on Submit, refresh the web console and you should be able to see the GFS service running on one of the nodes of your cluster as shown below

You can verify the same from CLI also

13. Verification

On node1
[root@node1 ~]# clustat
Cluster Status for cluster1 @ Wed Feb 26 00:49:04 2014
Member Status: Quorate

 Member Name                                            ID   Status
 ------ ----                                            ---- ------
 node1.cluster                                          1 Online,  Local, rgmanager
 node2.cluster                                           2 Online,  rgmanager
 /dev/block/8:16                                         0 Online, Quorum Disk

 Service Name                                   State             Owner (Last)                                                 
 ------- ----                                   -----             ----- ------                                                
 service:GFS                                    started           node1.cluster                                                   

So, if GFS is running on node1 then GFS should be mounted on /GFS on node1. Let us verify
[root@node1 ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-root  8.7G  3.4G  5.0G  41% /
tmpfs                      495M   32M  464M   7% /dev/shm
/dev/sda1                  194M   30M  155M  16% /boot
/dev/sr0                   4.2G  4.2G     0 100% /media/CentOS_6.5_Final
/dev/sdc                    11G  518M  9.9G   5% /GFS


Now let me try to relocate the GFS service on node2
[root@node1 ~]# clusvcadm -r GFS -m node2
'node2' not in membership list
Closest match: 'node2.cluster'
Trying to relocate service:GFS to node2.cluster...Success
service:GFS is now running on node2.cluster

Let us see if the changes are reflected on cluster
[root@node1 ~]# clustat
Cluster Status for cluster1 @ Wed Feb 26 00:50:42 2014
Member Status: Quorate

 Member Name                                                ID   Status
 ------ ----                                                ---- ------
 node1.cluster                                               1 Online, Local, rgmanager
 node2.cluster                                               2 Online, rgmanager
 /dev/block/8:16                                             0 Online, Quorum Disk

 Service Name                                 State                  Owner (Last)                                                     
 ------- ----                                 -----                  ----- ------                                                     
 service:GFS                                 started                 node2.cluster                                                   

Let us verify the mounted partitions on node1 again; /GFS should no longer be mounted here
[root@node1 ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-root  8.7G  3.4G  5.0G  41% /
tmpfs                      495M   26M  470M   6% /dev/shm
/dev/sda1                  194M   30M  155M  16% /boot
/dev/sr0                   4.2G  4.2G     0 100% /media/CentOS_6.5_Final

On node2

[root@node2 ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-root  8.7G  3.4G  5.0G  41% /
tmpfs                      495M   32M  464M   7% /dev/shm
/dev/sda1                  194M   30M  155M  16% /boot
/dev/sr0                   4.2G  4.2G     0 100% /media/CentOS_6.5_Final
/dev/sdc                    11G  518M  9.9G   5% /GFS

Restarting Cluster Manually

In case you plan to restart your cluster manually, there is a pre-defined order in which you will have to stop and start the services

Stopping Cluster services
On one node only, disable the services listed in clustat:
# clusvcadm -d GFS

Verify that all services in clustat now show as disabled
On each node: # service rgmanager stop
On each node: # service clvmd stop
On each node: # service cman stop

Starting Cluster services
On each node: # service cman start
On each node: # service clvmd start
On each node: # service rgmanager start

Enable the GFS service again on any one of the nodes
# clusvcadm -e GFS
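The stop order above is only safe once clustat shows every service disabled and the cluster still quorate. As an added example that is not part of the original tutorial, this POSIX shell snippet parses a constructed clustat report in the format shown above and refuses the stop sequence while any service is still enabled or the cluster is not quorate (sample_clustat, service_state and safe_to_stop are names chosen here):

```shell
#!/bin/sh
# Added example, not from the original post: check a clustat report before
# running "service rgmanager stop" and the rest of the ordered shutdown.

# Constructed sample in the layout clustat prints (see the verification step)
sample_clustat() {
cat <<'EOF'
Cluster Status for cluster1 @ Wed Feb 26 00:50:42 2014
Member Status: Quorate

 Member Name                           ID   Status
 ------ ----                           ---- ------
 node1.cluster                          1 Online, Local, rgmanager
 node2.cluster                          2 Online, rgmanager
 /dev/block/8:16                        0 Online, Quorum Disk

 Service Name            State        Owner (Last)
 ------- ----            -----        ----- ------
 service:GFS             started      node2.cluster
EOF
}

# Print the state of one service ("started", "disabled", ...) from clustat
# output read on stdin; prints nothing if the service is not listed.
service_state() {
    awk -v svc="service:$1" '$1 == svc { print $2 }'
}

# Return 0 when the report shows a quorate cluster with every service
# disabled, i.e. it is safe to continue with "service rgmanager stop".
# Otherwise report each problem on stderr and return 1.
safe_to_stop() {
    awk '
        /^Member Status:/ && $3 != "Quorate" {
            print "cluster is not quorate: " $3 > "/dev/stderr"; bad = 1
        }
        $1 ~ /^service:/ && $2 != "disabled" {
            print $1 " is still " $2 " on " $3 > "/dev/stderr"; bad = 1
        }
        END { exit bad }
    '
}

# Stand-alone demo: the sample still has GFS started on node2, so this
# prints the problem and reminds you to run "clusvcadm -d GFS" first.
sample_clustat | safe_to_stop || echo "disable the services with clusvcadm -d before stopping rgmanager"
```

On a real node replace sample_clustat with clustat itself, e.g. clustat | safe_to_stop && service rgmanager stop.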

References
Red Hat Enterprise Cluster

Follow the below links for more tutorials

Tutorial for Monitoring Tools SAR and KSAR with examples in Linux
How to configure Samba 4 Secondary Domain Controller
How does a DNS query works when you type a URL on your browser?
How to create password less ssh connection for multiple non-root users
How to secure Apache web server in Linux using password (.htaccess)
How to register Red Hat Linux with RHN (Red Hat Network )
Red hat Enterprise Linux 5.5 Installation Guide (Screenshots)
15 tips to enhance security of your Linux machine
Why is Linux more secure than windows and any other OS
What is the difference between "su" and "su -" in Linux?
What is swappiness and how do we change its value?
How to log iptables messages in different log file
What are the s and k scripts in the etc rcx.d directories
How to check all the currently running services in Linux
How to auto start service after reboot in Linux
What is virtual memory, paging and swap space?

Script to take backup of any critical directory in Unix/Linux

This is a script which can be used to take a compressed backup of your home directory /home on a daily basis; the archive is saved inside the /backup directory.

You can put this script in the cron file to take backups regularly as per your requirements (replace the parameters at the top of the script as per your requirement).
#!/bin/bash
# Daily compressed backup of HOMEDIR into BACKUPDIR. A new archive is only
# created while the number of existing archives is at or below THRESHOLD.
BACKUPDIR=/backup
HOMEDIR="/home"
BACKUPFILE=home.backup.`date +%F`.tar.gz
THRESHOLD=7

# Create the backup directory on the first run, then carry on with the backup
if [ ! -d "$BACKUPDIR" ]; then
    echo "Creating backup directory $BACKUPDIR as it does not exist"
    mkdir -p "$BACKUPDIR" || exit 1
fi

# Count the archives already present (same home.backup.* prefix as BACKUPFILE);
# the ls error printed when there are none yet is silenced
COUNT=`ls "$BACKUPDIR"/home.backup.* 2>/dev/null | wc -l`

if [ "$COUNT" -le "$THRESHOLD" ]; then
    tar -czvf "$BACKUPDIR/$BACKUPFILE" "$HOMEDIR"
    if [ $? -ne 0 ]; then echo "Problems creating backup file"; fi
else
    echo "$COUNT backups already in $BACKUPDIR, threshold is $THRESHOLD; skipping"
fi



Fix "error while loading shared libraries *:No such file or directory"

It often happens that when you try to execute some command, an error like the one shown below pops up:
error while loading shared libraries: libacl.so: cannot open shared object file: No such file or directory

It happened to me when I was working on an HP-UX machine, but it can happen on any Linux machine as well. I had to search a lot to overcome this issue, but finally I got one solution which I will upload here.

It is not specific to this particular library file. The problem is that the directory holding the library is not in the shared library search path variable.

These are the steps you need to follow to fix this issue:

In Linux/Unix machine

# find / -name "library file name" -type f
# find / -name libacl.so -type f
/usr/lib/libacl.so

So now that you have the directory containing the library (/usr/lib here), add it to the shared library path
# export LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH
This setting only lasts for the current session, so if you open another terminal or log in again you may face the same issue; it is better to make the change permanent.
# vi /root/.bash_profile
export LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH
# . /root/.bash_profile
This reloads .bash_profile so the current shell picks up the variable defined there

Now what if you DON'T get any match for that library file on your machine? In that case you will have to install the rpm package that provides that library file.

NOTE: This command is tested on RedHat and CentOS

Here is what you need to do
# yum whatprovides libacl.so
libacl-devel-2.2.49-6.el6.i686 : Access control list static libraries and headers
Repo        : base
Matched from:
Filename    : /usr/lib/libacl.so
Filename    : /lib/libacl.so

Now once you know the rpm package, you can install it on your machine using yum
# yum -y install libacl-devel

In HP-UX machine

You need to follow the same steps, except that HP-UX uses the SHLIB_PATH variable for the shared library search path instead of LD_LIBRARY_PATH
# export SHLIB_PATH=/usr/lib:$SHLIB_PATH
Add the same line to your .bash_profile to make the change permanent.
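The export commands above put a directory at the front of the loader search path for every program you run, and once they live in root's .bash_profile they persist across logins. As an added example not from the original post, this POSIX shell function (add_lib_path, a name chosen here) checks a directory before prepending it to LD_LIBRARY_PATH or SHLIB_PATH: it must be absolute, must exist, must not be world-writable, and is not added twice.

```shell
#!/bin/sh
# Added example, not from the original post. The loader searches these
# directories before the system ones, so a world-writable entry would let any
# local user plant a library that root's programs load on their next run.
# Usage: add_lib_path DIR [CURRENT_VALUE]   (defaults to $LD_LIBRARY_PATH;
# pass "$SHLIB_PATH" on HP-UX). Prints the new value, returns 1 if rejected.
add_lib_path() {
    dir=$1
    current=${2-$LD_LIBRARY_PATH}

    # Must be absolute: a relative entry is resolved against whatever the
    # current directory happens to be when a program starts
    case $dir in
        /*) ;;
        *)  echo "$dir: not an absolute path" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # Reject a directory that other users can write to. Only POSIX find
    # options are used so this also runs on HP-UX; -prune keeps find on the
    # directory itself instead of descending into it.
    if [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
        echo "$dir: world-writable, refusing to add it to the loader path" >&2
        return 1
    fi

    # Already listed: return the path unchanged rather than adding a duplicate
    case ":$current:" in
        *":$dir:"*) echo "$current"; return 0 ;;
    esac

    if [ -n "$current" ]; then
        echo "$dir:$current"
    else
        echo "$dir"
    fi
}

# Stand-alone demo mirroring the post's export, but checked first:
#   export LD_LIBRARY_PATH=$(add_lib_path /usr/lib "$LD_LIBRARY_PATH")
if newpath=$(add_lib_path /usr/lib "$LD_LIBRARY_PATH"); then
    echo "LD_LIBRARY_PATH would become: $newpath"
fi
```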

