Archive for September, 2010

Miscellaneous useful websites about xen

Monday, September 27th, 2010

Useful links:
Live migration:
http://www.linux.com/archive/feed/55773

Linux: How to force a puppet client to download updates from the puppet server

Friday, September 17th, 2010

By default puppetd (the Puppet client daemon, not the server) fetches and applies its configuration from the master every 1800 seconds (the runinterval setting). If you have an emergency change that has to reach every puppet client instantly, you can do one of the following:

(a) puppetrun (this command is run on the puppet master)

SYNOPSIS
Trigger a puppetd run on a set of hosts.

USAGE
puppetrun [-a|--all] [-c|--class <class>] [-d|--debug] [-f|--foreground]
          [-h|--help] [--host <host>] [--no-fqdn] [--ignoreschedules]
          [-t|--tag <tag>] [--test] [-p|--ping]

Without LDAP node support, -a (--all) and -c (--class) are useless, because puppetrun looks up hosts and classes in LDAP. In that case, to force an update on every host you have to list each host explicitly on the puppetrun command line. Note that puppetrun can only reach a client whose puppetd runs with listen = true and which authorizes the master to trigger runs; otherwise the run request is refused.
Example:

According to the puppetrun man page, the usage is:
EXAMPLE
sudo puppetrun -p 10 --host host1 --host host2 -t remotefile -t web-server

or
puppetrun --host host1 --host host2

(b) func
If you have loads of servers it is not practical to list every host on the puppetrun command line. In that case use func (Fedora Unified Network Controller), which can run one command on every managed host at once.
How to install and use func:

After installing func on the master and on all the other servers, run the command below from the master.
Note: do not run the puppetd daemon on the clients if you trigger updates via func; the one-off run below would otherwise compete with the daemon's own scheduled runs.

http://docs.puppetlabs.com/guides/scaling.html#triggered_selective_updates

func "*" call command run "puppetd --onetime"

This runs puppetd once on every host: each client contacts the master, downloads the current configuration, applies it and exits.

Last updated: 17th September 2010

Linux: InnoDB: Unable to lock ./ibdata1, error: 37

Tuesday, September 14th, 2010

Ref: http://bugs.mysql.com/bug.php?id=47769
The database files live on remote storage mounted via NFS. During mysqld startup the following entry appears in the .err file:
InnoDB: Unable to lock ./ibdata1, error: 37

Error 37 is ENOLCK ("No locks available"): InnoDB takes a fcntl() lock on its data file at startup, and the NFS client cannot obtain one, typically because the NFS lock daemon (rpc.lockd/nfslock) is not running on the client or the server, or its ports are blocked by a firewall.

Solution: mount the export with NFS locking disabled:

mount -t nfs -o nolock IP:/data /data

Caveat: nolock removes the lock that would stop a second mysqld from opening the same ibdata1, so make sure only one MySQL instance ever uses that directory. MySQL does not recommend running InnoDB on NFS at all; if you can, fix the lock service instead (start nfslock on the client, open the lockd/statd ports) and keep locking enabled.

Linux: Troubleshooting Red Hat Cluster Suite

Wednesday, September 8th, 2010

Ref: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Configuration_Example_-_NFS_Over_GFS/NFS_GFS_Troubleshoot.html

If you see error messages when you try to configure your system, or if after configuration the system does not behave as expected, perform the following checks and examine the following areas.

* Connect to one of the nodes in the cluster and execute the clustat(8) command. It displays the status of the cluster: membership information, the quorum view, and the state of all configured user services. The following example shows the output of clustat(8).

      [root@clusternode4 ~]# clustat
      Cluster Status for nfsclust @ Wed Dec  3 12:37:22 2008
      Member Status: Quorate
 
       Member Name                              ID   Status
       ------ ----                              ---- ------
       clusternode5.example.com          1 Online, rgmanager
       clusternode4.example.com          2 Online, Local, rgmanager
       clusternode3.example.com          3 Online, rgmanager
       clusternode2.example.com          4 Online, rgmanager
       clusternode1.example.com          5 Online, rgmanager
 
       Service Name             Owner (Last)                     State
       ------- ---              ----- ------                     -----
       service:nfssvc           clusternode2.example.com         starting

  In this example, clusternode4 is the local node, since it is the host the command was run from. If rgmanager does not appear in the Status column for a node, cluster services are probably not running on that node.

* Connect to one of the nodes in the cluster and execute the group_tool(8) command. It provides information that is useful when debugging the cluster. The following example shows the output of group_tool(8).

      [root@clusternode1 ~]# group_tool
      type             level name       id       state
      fence            0     default    00010005 none
      [1 2 3 4 5]
      dlm              1     clvmd      00020005 none
      [1 2 3 4 5]
      dlm              1     rgmanager  00030005 none
      [3 4 5]
      dlm              1     mygfs      007f0005 none
      [5]
      gfs              2     mygfs      007e0005 none
      [5]

  The state of every group should be none. The numbers in brackets are the node IDs of the cluster nodes in the group; clustat shows which node ID belongs to which node. If a node ID is missing from a group, that node is not a member of it. For example, if a node ID is not in the dlm/rgmanager group, that node is not using the rgmanager DLM lock space (and is probably not running rgmanager).
  The level of a group indicates the recovery ordering: level 0 is recovered first, level 1 second, and so on.

* Connect to one of the nodes in the cluster and execute the cman_tool nodes -f command. It provides information about the cluster nodes. The following example shows the output of cman_tool nodes -f.

      [root@clusternode1 ~]# cman_tool nodes -f
      Node  Sts   Inc   Joined               Name
         1   M    752   2008-10-27 11:17:15  clusternode5.example.com
         2   M    752   2008-10-27 11:17:15  clusternode4.example.com
         3   M    760   2008-12-03 11:28:44  clusternode3.example.com
         4   M    756   2008-12-03 11:28:26  clusternode2.example.com
         5   M    744   2008-10-27 11:17:15  clusternode1.example.com

  The Sts column is the status of a node: M means the node is a member of the cluster, X means the node is dead. The Inc column is the incarnation number of the node and is for debugging purposes only.

* Check that cluster.conf is identical on every node of the cluster. If you configured the cluster with Conga, as in the Red Hat example, the files should be identical, but one of them may have been deleted or altered by accident.

* In addition to fencing a node from Conga to test whether failover works (Chapter 6 of the referenced document, Testing the NFS Cluster Service), you can disconnect the Ethernet connection between cluster members. Try disconnecting one, two or three nodes; this helps isolate where the problem is.

* If you have trouble mounting or modifying an NFS volume, check whether the cause is one of the following:
  o The network between server and client is down.
  o The storage devices are not connected to the system.
  o More than half of the nodes in the cluster have crashed, so the cluster is inquorate. This stops the cluster.
  o The GFS file system is not mounted on the cluster nodes.
  o The GFS file system is not writable.
  o The IP address defined in cluster.conf is not bound to the correct interface/NIC (sometimes the ip.sh resource script does not behave as expected).

* Execute showmount -e on the node running the cluster service. If it lists the expected exports, check the firewall configuration for all the ports NFS needs (portmap, nfsd, mountd, lockd and statd).

* If SELinux is in enforcing mode, check /var/log/audit/audit.log for relevant denials. If you serve home directories over NFS, make sure the use_nfs_home_dirs boolean is set to 1 on the clients; it is required for NFS-based home directories on a client running SELinux. Without it you can mount the directories as root but users cannot use them as home directories.

* Check /var/log/messages for error messages from the NFS daemons.

* If you see the expected results locally on the cluster nodes and between the cluster nodes but not at the defined clients, check the firewall configuration on the clients.
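The checks above are done by eye on a terminal. As an added example (not from the Red Hat document or the original post), the script below turns the clustat and cman_tool checks into a parser: feed it clustat output and it flags an inquorate cluster, members that are online without rgmanager and offline members; feed it cman_tool nodes -f output and it flags nodes whose status is X. The sample transcripts inside it are constructed from the examples above with two node states changed so that there is something to find; on a real node pipe the live commands in instead.

```shell
#!/bin/sh
# Added example, not part of the Red Hat document quoted above.
# On a live node:  clustat | clustat_findings ; cman_tool nodes -f | cman_findings

# Inquorate cluster, members online without rgmanager, offline members.
clustat_findings() {
    awk '
        /^Member Status:/ && $3 != "Quorate" { print "CRIT cluster is " $3 }
        /Online/  && $0 !~ /rgmanager/       { print "WARN " $1 ": online but rgmanager not running" }
        /Offline/                            { print "WARN " $1 ": offline" }
    '
}

# Nodes that cman marks dead (Sts column X).
# Columns of "cman_tool nodes -f": Node Sts Inc Joined(date time) Name
cman_findings() {
    awk 'NR > 1 && $2 == "X" { print "CRIT node " $1 " (" $6 ") is dead according to cman" }'
}

# Constructed sample transcripts (hypothetical cluster state): node 3 has lost
# rgmanager and node 2 is offline / dead, so the checks have something to report.
sample_clustat() {
cat <<'EOF'
Cluster Status for nfsclust @ Wed Dec  3 12:37:22 2008
Member Status: Quorate

 Member Name                              ID   Status
 ------ ----                              ---- ------
 clusternode5.example.com          1 Online, rgmanager
 clusternode4.example.com          2 Online, Local, rgmanager
 clusternode3.example.com          3 Online
 clusternode2.example.com          4 Offline
 clusternode1.example.com          5 Online, rgmanager

 Service Name             Owner (Last)                     State
 ------- ---              ----- ------                     -----
 service:nfssvc           clusternode2.example.com         starting
EOF
}

sample_cman() {
cat <<'EOF'
Node  Sts   Inc   Joined               Name
   1   M    752   2008-10-27 11:17:15  clusternode5.example.com
   2   M    752   2008-10-27 11:17:15  clusternode4.example.com
   3   M    760   2008-12-03 11:28:44  clusternode3.example.com
   4   X    756   2008-12-03 11:28:26  clusternode2.example.com
   5   M    744   2008-10-27 11:17:15  clusternode1.example.com
EOF
}

# Run both checks over the samples; exit status is non-zero if anything was found,
# so the function can be used the same way from cron against live output.
check_samples() {
    findings=$( { sample_clustat | clustat_findings; sample_cman | cman_findings; } )
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Both parsers only key on the column layout shown in the transcripts above (name first in clustat member rows, status in the second column of cman_tool), so keep an eye on them if a newer clustat changes its output format.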

Troubleshooting Red Hat Cluster Suite Networking
Ref : http://people.redhat.com/ccaulfie/docs/CSNetworking.pdf

Linux: named: transfer of 'domain.com/IN' from #53: failed while receiving responses: permission denied

Friday, September 3rd, 2010

When you set up a slave DNS server and it tries to transfer a zone from the master, you may see the following in the log:

Sep  3 09:52:37 publicdns1.domain.local named[13635]: dumping master file: tmp-PKhZ6y6rRp: open: permission denied
Sep  3 09:52:37 publicdns1.domain.local named[13635]: transfer of 'domain.com/IN' from 11.22.33.44#53: failed while receiving responses: permission denied
Sep  3 09:52:37 publicdns1.domain.local named[13635]: transfer of 'domain.com/IN' from 11.22.33.44#53: end of transfer

Solution:
The first line is the real error: the transfer itself worked, but named could not create the temporary file it writes the received zone into, because the directory it was pointed at is not writable by the named user. On Red Hat's chrooted BIND, /var/named/chroot/var/named is root:named and read-only for named; only the slaves/ and data/ subdirectories are owned by named (and labelled named_cache_t under SELinux). So make sure the slave writes the zone file under the slaves directory (file "slaves/domain.com.zone";). If it still fails, check ls -ldZ /var/named/chroot/var/named/slaves and look in /var/log/audit/audit.log for an SELinux denial.
The zone entry in named.conf on the slave server should look like this:

### Add authoritative zone for domain.com #######
zone "domain.com" IN {
        type slave;
        file "slaves/domain.com.zone";
        masters { 11.22.33.44; };
};

How to run Perl/Python scripts from a Linux Apache server

Thursday, September 2nd, 2010

In httpd.conf (/usr/local/apache/conf/httpd.conf if you compiled from source, /etc/httpd/conf/httpd.conf if you installed via yum) the server-wide CGI directory is declared with:

ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

If you want to run CGI scripts from under your own domain instead, e.g. www.example.co.uk/cgi-bin/test.cgi, do as below:

<VirtualHost *:80>
ServerAdmin fosiul@example.co.uk
DocumentRoot /usr/local/apache/htdocs/example/
ServerName www.example.co.uk
ServerAlias example.co.uk
......................................
......................................
 
<Directory "/usr/local/apache/htdocs/example/">
    # ExecCGI is not needed here: the ScriptAlias below already makes
    # cgi-bin a script directory, and ExecCGI on the whole DocumentRoot
    # is a wider permission than the site needs.
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/local/apache/htdocs/example/cgi-bin/">
    Order deny,allow
    Allow from all
    # To allow the scripts only from certain client IPs, replace "Allow from all"
    # with the two lines below. Apache does not accept a comment at the end of a
    # directive line, so keep comments on lines of their own.
    #Deny from all
    #Allow from xx.xx.xx.xx
</Directory>
 
ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/example/cgi-bin/
</VirtualHost>

Now create the directory /usr/local/apache/htdocs/example/cgi-bin and put a CGI script in it, e.g. test.cgi (chmod 755 test.cgi so that Apache can execute it):

#!/usr/bin/perl -T
# -T enables taint mode: anything that came from the request must be
# untainted before it is used in a file name, a command or a query.
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;
print $cgi->header;                    # Content-Type: text/html plus the blank line
print $cgi->start_html('test world');
print $cgi->h1('Hello test');
print $cgi->ul($cgi->li('list'));
print $cgi->end_html;

Call the script as http://www.example.co.uk/cgi-bin/test.cgi

How to run Python under CGI

Create a script testpy.cgi as below (again chmod 755):

#!/usr/bin/python
# Python 2 CGI. The header block must end with exactly one blank line;
# print already appends a newline, so a single "\n" in the string is enough.
print "Content-Type: text/plain\n"
print "Hello, World!"

Now call www.example.co.uk/cgi-bin/testpy.cgi
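Both scripts above only print a fixed page. A real CGI script sees everything the client sends (QUERY_STRING, the POST body, headers) as untrusted input, and that is where the security work is. The following is an added example, not from the original post: a CGI written in plain POSIX sh (to stay with the shell used elsewhere on this page) that decodes a query parameter and HTML-escapes it before putting it into the page, so that a request such as ?name=%3Cscript%3E ends up as text rather than markup. The file name hello.cgi, the parameter name "name" and the sample query strings are assumptions of the example; install it in the cgi-bin directory above with chmod 755 and request /cgi-bin/hello.cgi?name=... to see it run.

```shell
#!/bin/sh
# Added example (not part of the original post): a POSIX sh CGI that treats
# QUERY_STRING as hostile input. Install as cgi-bin/hello.cgi (chmod 755) and
# request /cgi-bin/hello.cgi?name=...  The file name and the parameter name
# are assumptions of this example.

# Percent-decode one query-string value ("+" becomes a space).
urldecode() {
    s=$(printf '%s' "$1" | sed 's/+/ /g')
    out=""
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}
                # rebuild the byte from its octal value, e.g. %3C -> \074 -> "<"
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
                s=${s#???} ;;
            *)
                out="$out${s%"${s#?}"}"
                s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Decoded value of parameter $2 in query string $1 (first match wins).
query_param() {
    printf '%s\n' "$1" | tr '&' '\n' | while IFS='=' read -r k v; do
        if [ "$k" = "$2" ]; then
            urldecode "$v"
            printf '\n'
            break
        fi
    done
}

# Escape the characters that would let untrusted text become markup or
# break out of an attribute value.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g' | sed "s/'/\&#39;/g"
}

# Full CGI response for query string $1: header block, blank line, body.
render() {
    who=$(query_param "$1" name)
    [ -n "$who" ] || who=world
    printf 'Content-Type: text/html\n\n'
    printf '<html><body><h1>Hello %s</h1></body></html>\n' "$(html_escape "$who")"
}

# Apache always sets QUERY_STRING (possibly empty) for a CGI request; only
# render when it is set, so the functions can also be sourced and tested.
if [ -n "${QUERY_STRING+set}" ]; then
    render "$QUERY_STRING"
fi
```

The decoding happens per value, after the string has been split on "&", so an encoded ampersand (%26) inside a value cannot smuggle in a second parameter; and the escaping is applied at the point where the value is written into HTML, which is the only place it can be done correctly.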

Linux: How to configure/secure a public primary/secondary BIND DNS server

Wednesday, September 1st, 2010

Localhost Resolver :
(a) install bind

yum install bind bind-chroot bind-devel

(b) Copy named.conf and related files from /usr/share/doc/bind-9.3.6/sample/etc/

cp /usr/share/doc/bind-9.3.6/sample/etc/* /var/named/chroot/etc/

(c) The files in /var/named/chroot/etc are then:

[root@publicdns1 etc]# ls
localtime   named.rfc1912.zones  rndc.conf
named.conf  named.root.hints     rndc.key

Check the ownership of the files. It should be root:named, as below (note that rndc.key is not world-readable; it is the shared secret for rndc):

[root@publicdns1 etc]# pwd
/var/named/chroot/etc
[root@publicdns1 etc]# ls -al
total 64
drwxr-x--- 2 root named 4096 Aug 28 13:38 .
drwxr-x--- 6 root named 4096 Aug 28 13:37 ..
-rw-r--r-- 1 root root  3661 Aug 24 12:53 localtime
-rw-r--r-- 1 root named 5299 Aug 28 13:38 named.conf
-rw-r--r-- 1 root named  775 Aug 28 12:20 named.rfc1912.zones
-rw-r--r-- 1 root named  524 Aug 28 12:20 named.root.hints
-rw-r--r-- 1 root named    0 Aug 28 12:20 rndc.conf
-rw-r----- 1 root named  113 Aug 28 12:12 rndc.key
[root@publicdns1 etc]#

If the ownership is wrong, fix it as follows:

chown root:named named.conf  named.rfc1912.zones named.root.hints rndc.conf  rndc.key

(d) Copy named.root into the /var/named/chroot/var/named directory

cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root  /var/named/chroot/var/named/

The directory now contains:

[root@publicdns1 named]# ls
data  domain.co.uk.zone  named.root  slaves
[root@publicdns1 named]#

(e) To let internal PCs resolve DNS queries and internal host names, edit the "localhost_resolver" view as below:

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};

Note: all the internal zone definitions go in the named.rfc1912.zones file.

(f) Now edit named.rfc1912.zones, which is located in /var/named/chroot/etc, and add the lines below:

zone "internaldomain.local" IN {
        type master;
        file "internaldomain.local.zone";
};

The edited named.rfc1912.zones file then looks like this:

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
//zone "." IN {
//      type hint;
//      file "named.ca";
//};
zone "internaldomain.local" IN {
 
        type master;
        file "internaldomain.local.zone";
 
};
 
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
 
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
 
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
 
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
 
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
 
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

(g)

Create a zone file internaldomain.local.zone in /var/named/chroot/var/named like the one below:

$TTL    86400
@               IN SOA  @       root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
 
                          IN NS           internaldns
                          IN MX   10     internalmailserver
                          IN        A      10.0.0.20
internaldns            IN        A      10.0.0.9
Account               IN        A       10.0.0.6
internalmailserver   IN        A   10.0.0.10
www                    IN        A       10.0.0.20

Note: make sure the file has the ownership below, or bind will not be able to read it:

chown root:named internaldomain.local.zone

Primary server:

(A)
Create the zone entries in named.conf.
Since this server will act as a public DNS server, we create the zone entries for example.co.uk under the "external" view.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add Authoritiative zone for example.co.uk#######
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; }; // only this host (the secondary) may transfer the zone from this master
 
};
 
};

Secondary server:

Follow every step from the beginning. Only named.conf differs: the zone is declared as a slave so that it downloads the zone file, and later updates, from the master.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add Authoritiative zone for example.co.uk#######
      zone "example.co.uk" IN {
        type slave;
        file "slaves/example.co.uk.zone";
        masters { 55.55.55.55 ;};
};
 
};

Full named.conf file for the primary name server (public + localhost resolver):

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
            zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; }; // only this host (the secondary) may transfer the zone from this master
 
};
 
};

Full named.conf for the public slave server:

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        zone "example.co.uk" IN {
        type slave;
        file "slaves/example.co.uk.zone";
        masters { 55.55.55.55 ;};
};
 
};

Securing the name server:
(a) Don't end up providing free recursive DNS service to everyone. Turn recursion off globally; a view can still turn it back on for internal clients only, as the "localhost_resolver" view above does with recursion yes for localhost and 10.0.0.0/24.

options {
     recursion no;
};

(b) fetch-glue

options {
      fetch-glue no;
};

This is a BIND 8 option. BIND 9 never fetches glue when building an answer and logs the option as obsolete, so on BIND 9 it can be left out.

(c) Allow zone transfers only from specific hosts. By default BIND answers AXFR from anyone, which hands your whole zone to whoever asks; list only your secondaries:

 ### Add authoritative zone for example.co.uk #######
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; }; // only this host (the secondary) may transfer the zone from this master
        };

Do the same on the slave (allow-transfer { none; }; in its zone or in options), because a slave serves AXFR as well.

(d) Don't disclose the BIND version (otherwise dig @server version.bind chaos txt returns it):

options {
     version "Not disclosed";
 
};
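To check a finished named.conf (the primary and slave files above, or any other) against points (a), (c) and (d), here is an added example that is not part of the original post: a small audit in sh and awk. It strips // and # comments, tracks brace depth so that it knows which view or zone it is inside, and prints one WARN line for each of these findings: a view that allows recursion for any client, a master or slave zone with no allow-transfer restriction (at zone or options level), and a missing version string. The two named.conf samples inside it are constructed for the example: one with the weak settings, one with the hardened settings from this section.

```shell
#!/bin/sh
# Added example (not part of the original post): audit named.conf for the
# weaknesses discussed above. Reads the file given as $1, or stdin.
audit_named_conf() {
    sed -e 's://.*$::' -e 's:#.*$::' ${1:+"$1"} | awk '
        BEGIN { depth = 0; have_version = 0; global_xfer = 0; view = ""; zone = "" }
        {
            line = $0
            # entering a view: remember its name and the depth it opens at
            if (match(line, /view[ \t]+"[^"]*"/)) {
                view = line; sub(/.*view[ \t]+"/, "", view); sub(/".*/, "", view)
                view_depth = depth + 1; view_any = 0; view_rec = 0
            }
            # entering a zone
            if (match(line, /zone[ \t]+"[^"]*"/)) {
                zone = line; sub(/.*zone[ \t]+"/, "", zone); sub(/".*/, "", zone)
                zone_depth = depth + 1; auth = 0; xfer = 0
            }
            if (view != "" && line ~ /match-clients/ && line ~ /[{ \t]any[ \t]*;/) view_any = 1
            if (view != "" && line ~ /recursion[ \t]+yes/) view_rec = 1
            if (zone != "" && line ~ /type[ \t]+(master|slave)/) auth = 1
            if (line ~ /allow-transfer/) { if (zone != "") xfer = 1; else global_xfer = 1 }
            if (line ~ /version[ \t]+"/) have_version = 1
            # update brace depth and report when a zone or view block closes
            depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
            if (zone != "" && depth < zone_depth) {
                if (auth && !xfer && !global_xfer)
                    print "WARN zone " zone ": no allow-transfer, AXFR is open to anyone"
                zone = ""
            }
            if (view != "" && depth < view_depth) {
                if (view_any && view_rec)
                    print "WARN view " view ": recursion yes for any client (open resolver)"
                view = ""
            }
        }
        END { if (!have_version) print "WARN options: version not set, BIND version is disclosed" }
    '
}

# Number of findings for the named.conf read from stdin.
count_findings() { audit_named_conf | grep -c 'WARN'; }

# Constructed sample: the weak shape this section warns about.
weak_conf() {
cat <<'EOF'
options {
        directory "/var/named";
};
view "external" {
        match-clients { any; };
        recursion yes;
        zone "example.co.uk" IN {
                type master;
                file "example.co.uk.zone";
        };
};
EOF
}

# Constructed sample: the hardened shape from (a), (c) and (d), with the
# internal view still recursive for the LAN only.
hardened_conf() {
cat <<'EOF'
options {
        directory "/var/named";
        recursion no;
        allow-transfer { none; };
        version "Not disclosed";
};
view "localhost_resolver" {
        match-clients { localhost; 10.0.0.0/24; };
        recursion yes;
};
view "external" {
        match-clients { any; };
        recursion no;
        allow-query-cache { none; };
        zone "example.co.uk" IN {
                type master;
                file "example.co.uk.zone";
                allow-update { none; };
                allow-transfer { 22.33.44.55; };
        };
};
EOF
}
```

Run it on a real server as audit_named_conf /var/named/chroot/etc/named.conf. It is a text check only: it does not see options pulled in through include statements unless you feed it those files as well, and it is no substitute for named-checkconf, which validates the syntax.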