Author Archive

Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again

Wednesday, April 18th, 2018
yum --disablerepo="epel" update nss

The old nss library on the host cannot complete the connection to the Fedora mirror that curl (and therefore yum) uses to fetch EPEL's repomd.xml. Updating nss with the epel repository temporarily disabled fixes it; afterwards the EPEL metadata loads normally.

How to create bonding with bridge network ( Linux Kvm)

Thursday, November 21st, 2013

Package needed:

rpm -qa | grep bridge-utils
bridge-utils-1.2-10.el6.x86_64

Create the bond (it carries no IP address of its own; it is enslaved to the bridge):

cat /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
ONBOOT=yes
BONDING_OPTS='mode=1 miimon=100'
BRIDGE=br0

Create the bridge (this is where the host's IP address lives, and the interface the KVM guests attach to):

cat /etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DELAY=0

Configure eth0 as the first slave:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:1D:09:66:8A:7A
TYPE=Ethernet
UUID=5e76d7f6-7526-4b6e-baf3-cde82362a914
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
USERCTL=no
SLAVE=yes
MASTER=bond0

Configure eth1 as the second slave:

cat /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
HWADDR=00:1D:09:66:8A:7C
TYPE=Ethernet
UUID=ef4ef437-73c7-4c42-8552-6777a789c5a6
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
USERCTL=no
SLAVE=yes
MASTER=bond0

Note: make sure both eth0 and eth1 have HWADDR set in their ifcfg files; it is needed for virtualization and bridging. BOOTPROTO must be none on the slaves (a value such as "no" is not valid), and both must be NM_CONTROLLED=no so NetworkManager does not take them back. mode=1 is active-backup: only one link carries traffic at a time and the bond survives the loss of either cable.

Further reading: Network Bridge
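A typo in one of these four files (a slave with the wrong BOOTPROTO, a bond without BRIDGE=) is only discovered when "service network restart" takes the host off the network. The script below is an added example, not part of the original post: it parses the ifcfg files in the format shown above and checks the bridge/bond/slave relationships before you restart networking. The function names and the list of checks are mine.

```shell
#!/bin/sh
# Pre-flight check for the bond + bridge layout above, to run before
# "service network restart" on a remote host: one bad ifcfg file is enough
# to lose the box. Added example, not from the original post; the file
# format is the RHEL/CentOS 6 ifcfg style shown above, the function names
# are mine.

ifcfg_get() {
    # $1 = ifcfg file, $2 = KEY; prints the value with any quotes stripped
    sed -n "s/^$2=//p" "$1" | tr -d "'\"" | head -n 1
}

check_bond_bridge() {
    # $1 = directory with ifcfg-* files, $2 = bond name, $3 = bridge name
    # Prints every problem found and returns 1 if there was any.
    dir=$1; bond=$2; br=$3; rc=0
    bondf=$dir/ifcfg-$bond; brf=$dir/ifcfg-$br
    [ -f "$bondf" ] || { echo "missing $bondf"; return 1; }
    [ -f "$brf" ]   || { echo "missing $brf";   return 1; }

    # The bridge owns the IP address and must be of TYPE=Bridge.
    [ "$(ifcfg_get "$brf" TYPE)" = "Bridge" ] || { echo "$br: TYPE must be Bridge"; rc=1; }
    [ -n "$(ifcfg_get "$brf" IPADDR)" ]       || { echo "$br: no IPADDR"; rc=1; }

    # The bond hangs off the bridge, has bonding options, and no IP of its own.
    [ "$(ifcfg_get "$bondf" BRIDGE)" = "$br" ]  || { echo "$bond: BRIDGE must be $br"; rc=1; }
    [ -n "$(ifcfg_get "$bondf" BONDING_OPTS)" ] || { echo "$bond: no BONDING_OPTS"; rc=1; }
    [ -z "$(ifcfg_get "$bondf" IPADDR)" ]       || { echo "$bond: IPADDR belongs on $br"; rc=1; }

    # Every slave: SLAVE=yes, BOOTPROTO=none, HWADDR set, no IP, not NM-managed.
    slaves=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        [ "$(ifcfg_get "$f" MASTER)" = "$bond" ] || continue
        slaves=$((slaves + 1))
        dev=$(ifcfg_get "$f" DEVICE)
        [ "$(ifcfg_get "$f" SLAVE)" = "yes" ]        || { echo "$dev: SLAVE must be yes"; rc=1; }
        [ "$(ifcfg_get "$f" BOOTPROTO)" = "none" ]   || { echo "$dev: BOOTPROTO must be none"; rc=1; }
        [ -n "$(ifcfg_get "$f" HWADDR)" ]            || { echo "$dev: HWADDR missing"; rc=1; }
        [ -z "$(ifcfg_get "$f" IPADDR)" ]            || { echo "$dev: no IPADDR on a slave"; rc=1; }
        [ "$(ifcfg_get "$f" NM_CONTROLLED)" = "no" ] || { echo "$dev: set NM_CONTROLLED=no"; rc=1; }
    done
    # mode=1 (active-backup) is pointless with a single slave.
    [ "$slaves" -ge 2 ] || { echo "$bond: need at least two slaves, found $slaves"; rc=1; }
    return $rc
}

# Usage: check_bond_bridge /etc/sysconfig/network-scripts bond0 br0 && service network restart
```

Run it from a console session (or out-of-band management) rather than over the very interface you are about to reconfigure; a failing check prints every problem at once so you can fix all of them before the single restart.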

Troubleshooting: Client not getting IP from dhcp server

Saturday, September 28th, 2013

(1) If the DHCP server is running and has free addresses in its pool, ask for a lease manually and watch the output for the DHCPDISCOVER/DHCPOFFER exchange:

dhclient eth0

Mysql Errors and solutions

Tuesday, May 14th, 2013

(a) Last_Errno: 1008

Error: 1008 SQLSTATE: HY000 (ER_DB_DROP_EXISTS)
Message: Can't drop database '%s'; database doesn't exist

Reason: the slave is replaying a DROP DATABASE for a database it never had, so the statement is a no-op there and the event can be skipped:

mysql> STOP SLAVE; SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;

Skip one event at a time and only after confirming (SHOW SLAVE STATUS\G) which statement failed; skipping blindly hides real divergence between master and slave.

apache puppet module (example)

Monday, April 29th, 2013

(a)
init.pp (/etc/puppet/modules/apache/manifests)

class apache {

    # Debian keeps the module symlinks under ${apache2_mods}-enabled
    $apache2_mods = '/etc/apache2/mods'

    package { 'apache2':
        ensure => installed,
    }

    package { 'libapache2-mod-python':
        ensure  => installed,
        notify  => Exec['reload-apache2'],
        require => Package['apache2'],
    }

    service { 'apache2':
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        require    => Package['apache2'],
    }

    file { '/etc/apache2/sites-available/debian.fosiul.lan':
        ensure  => present,
        source  => "puppet://$servername/modules/apache/scripts/debian.fosiul.lan",
        owner   => root,
        group   => root,
        replace => true,
        force   => true,
    }

    file { '/etc/apache2/sites-available/web1.fosiul.lan':
        ensure  => present,
        source  => "puppet://$servername/modules/apache/scripts/web1.fosiul.lan",
        owner   => root,
        group   => root,
        replace => true,
        force   => true,
    }

    # apache::module { 'rewrite': ensure => present } enables a module with a2enmod;
    # ensure => absent disables it with a2dismod. Both trigger a force-reload.
    define module ($ensure = 'present', $require = 'apache2') {
        case $ensure {
            'present': {
                exec { "/usr/sbin/a2enmod $name":
                    unless  => "/bin/readlink -e ${apache2_mods}-enabled/${name}.load",
                    notify  => Exec['force-reload-apache2'],
                    require => Package[$require],
                }
            }
            'absent': {
                exec { "/usr/sbin/a2dismod $name":
                    onlyif  => "/bin/readlink -e ${apache2_mods}-enabled/${name}.load",
                    notify  => Exec['force-reload-apache2'],
                    require => Package['apache2'],
                }
            }
            default: { err("Unknown ensure value: '$ensure'") }
        }
    }

    exec { 'reload-apache2':
        command     => '/etc/init.d/apache2 reload',
        refreshonly => true,
    }

    # referenced by the module define above; was missing from the original manifest
    exec { 'force-reload-apache2':
        command     => '/etc/init.d/apache2 force-reload',
        refreshonly => true,
    }
}

Ref : http://projects.puppetlabs.com/projects/1/wiki/Debian_Apache2_Recipe_Patterns

(b) Put the two vhost files (debian.fosiul.lan and web1.fosiul.lan) under /etc/puppet/modules/apache/files/scripts; the puppet:// URLs in the manifest resolve to that directory.

boot a system from command line when grub.cfg file is missing (debian)

Monday, April 29th, 2013

(1) If you know where grub.cfg is, load it directly from the GRUB prompt:

configfile /boot/grub/grub.cfg or configfile (hdX,Y)/boot/grub/grub.cfg

(2) If you do not know where grub.cfg is, boot the kernel by hand. Use ls at the GRUB prompt to list disks and partitions, then point root at the partition holding / (below: the first MBR partition of the first disk, i.e. /dev/sda1; adjust if yours differs). /vmlinuz and /initrd.img are the symlinks Debian keeps in the root directory.

(a) set root='(hd0,msdos1)'
(b) linux /vmlinuz root=/dev/sda1
(c) initrd /initrd.img
(d) boot

Once the system is up, regenerate the missing file with update-grub.

miscellaneous date output (bash)

Monday, April 22nd, 2013

(1)

DATE=`/bin/date --utc "+%Y%m%d%H%M%S"`
echo $DATE

Output : 20130422134138

Screen commands

Sunday, April 21st, 2013

1) Show a window list (tab bar) in screen
Add the line below to ~/.screenrc:

caption always "%{= kw}%-w%{= BW}%n %t%{-}%+w %-= @%H - %LD %d %LM - %c"

git basic commands

Saturday, June 23rd, 2012

(1) Set the Identity

$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com

(2) Set Editor

git config --global core.editor nano

(3) Check Your settings

git config --list

(4) Initializing a Repository in an Existing Directory

git init

(5) Add Files into Existing repository

git add testfile.txt
git commit -m "Initial Commit"
(6) Clone an existing repository

git clone git://github.com/schacon/grit.git

The git:// protocol has no authentication and no transport integrity, so prefer an https:// or ssh URL for anything you are going to build or run.

How to install spacewalk in Server and client

Sunday, June 17th, 2012

Installing Spacewalk in Server:
Ref: https://fedorahosted.org/spacewalk/wiki/HowToInstall

Installing Spacewalk in client(Registering client with spacewalk server):
Ref: https://fedorahosted.org/spacewalk/wiki/RegisteringClients

(1) Install the Spacewalk client repository package, plus EPEL for its dependencies

# rpm -Uvh http://spacewalk.redhat.com/yum/1.7/RHEL/5/i386/spacewalk-client-repo-1.7-5.el5.noarch.rpm
also

# BASEARCH=$(uname -i)
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/$BASEARCH/epel-release-5-4.noarch.rpm

Both URLs are plain http; rpm verifies the package signature only if the signing key is already imported (otherwise it just warns NOKEY and installs), so import the Spacewalk and EPEL keys first, or download the files and check them with rpm -K before installing.

(2) Install the client packages

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin

(3) Register the client with the server

rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=<key-with-fedora-custom-channel>

Use an https:// serverUrl together with --sslCACert pointing at the Spacewalk server's CA certificate (RHN-ORG-TRUSTED-SSL-CERT), so the activation key and the client's system profile are not sent in the clear.

Invalid command ‘WSGIScriptAliasMatch’, perhaps misspelled \ or defined by a module not included in the server configuration(Spacewalk)

Friday, June 15th, 2012

You can enable this module by editing /etc/httpd/conf.d/wsgi.conf and un-commenting the “LoadModule wsgi_module modules/mod_wsgi.so” line.

Turn off FSCK at booting time

Friday, June 15th, 2012
$sudo tune2fs -c -1 `mount | awk '$3 == "/" {print $1}'`
or
$sudo tune2fs -c -1 /dev/yourhdd

This only disables the mount-count trigger; the time-based check interval (tune2fs -i) still applies unless you clear that as well.

or
set the last field (the fsck pass number) of the root entry in /etc/fstab to 0, which disables the boot-time fsck for that filesystem entirely:
/dev/sda1 / ext4 defaults 1 0

Github and Git commands

Wednesday, June 6th, 2012

1) How to clone a git repo onto a new computer
Ref: https://help.github.com/articles/fork-a-repo

git clone git@github.com:username/Spoon-Knife.git

2) Push code from the cloned repo

git push origin master
windows miscellaneous commands

Wednesday, June 6th, 2012

1. See which accounts are disabled

 
C:\Users\Administrator>dsquery user OU=_IT,OU=_Departments,OU=_BedFord,DC=aac-domain,DC=lan -disabled

Protected: Bash script learning(essential notes)

Monday, April 2nd, 2012


How add a cronjob under user apache

Thursday, March 22nd, 2012

To set up a cron job under a different user, such as the one Apache runs as, first find the owner of the Apache processes:

ps aux | grep apache

In my case the owner of the Apache process is "daemon".
Now create a cron job under the "daemon" user (crontab -u requires root):

crontab -u daemon -e

Insert the cron job:

* * * * *  cd /usr/local/apache/htdocs/website; /usr/local/bin/php webpage.php  > /dev/null 2>&1

References

Monday, March 5th, 2012

(a) Restarting the management agents on an ESX or ESXi server

Ref: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1003490

Log in to your ESX host as root from either an SSH session or directly from the console.
Run this command:
 
service mgmt-vmware restart
 
Caution: Ensure Automatic Startup/Shutdown of virtual machines is disabled before running this command or you risk rebooting the virtual machines. For more information, see Restarting hostd (mgmt-vmware) on ESX hosts restarts hosted virtual machines where virtual machine Startup/Shutdown is enabled (1003312) and Determining whether virtual machines are configured to autostart (1000163).
Press Enter.
Run this command:
 
service vmware-vpxa restart
 
Press Enter.
Type logout and press Enter to disconnect from the ESX host.
 
If this process is successful, it appears as:
 
[root@server]# service mgmt-vmware restart
Stopping VMware ESX Server Management services:
VMware ESX Server Host Agent Watchdog [ OK ]
VMware ESX Server Host Agent [ OK ]
Starting VMware ESX Server Management services:
VMware ESX Server Host Agent (background) [ OK ]
Availability report startup (background) [ OK ]
[root@server]# service vmware-vpxa restart
Stopping vmware-vpxa: [ OK ]
Starting vmware-vpxa: [ OK ]
[root@server]#

How to install snmp in centos/debian

Wednesday, December 21st, 2011

In CentOS (net-snmp provides snmpd itself; net-snmp-utils provides snmpwalk and friends):

yum install net-snmp net-snmp-utils

In Debian:

apt-get install snmpd

Back up the shipped configuration and write a new one (the daemon reads /etc/snmp/snmpd.conf):

cd /etc/snmp
mv snmpd.conf snmpd.conf.bk
mcedit snmpd.conf

Create the new config file from scratch:

agentAddress udp:192.0.0.xxx:161
rocommunity  public 192.0.0.0/24
syslocation  "MysqlServer, unit1"

agentAddress binds the agent to one address instead of every interface, and the network argument on rocommunity limits who may query. "public" is the default community string every scanner tries first, and with SNMP v1/v2c it travels in clear text, so pick a non-default string (or move to SNMPv3) before exposing the port beyond a trusted subnet.

Now restart the snmpd server

In CentOS

/etc/init.d/snmpd restart

In Debian

 /etc/init.d/snmpd restart

Check that the agent is running (from the server itself):

 pgrep snmpd
19946
snmpwalk -v1 -c public 192.0.0.ip-of-server

Centos:Yum behind a proxy

Wednesday, November 2nd, 2011

If your servers are behind a proxy that requires a username and password, configure it in /etc/yum.conf with the keys below (yum reads proxy=, not the http_proxy environment name):

proxy=http://proxyaddress:port/
proxy_username=username
proxy_password=password

If the proxy does not need authentication:

proxy=http://proxyserveraddress:port/

Because yum.conf then holds a cleartext password, keep it readable by root only. Tools that use the environment instead of yum.conf (curl, wget) pick up the proxy from .bashrc:

http_proxy="http://proxyserveraddress:3128"
export http_proxy

The user:password@ form also works in http_proxy, but the password is then visible in the environment of every process you start.

Centos:How to add newly created logical volume into fstab

Wednesday, November 2nd, 2011

When you create a logical volume, add it to /etc/fstab so it is mounted again after a reboot.
Suppose you have created a logical volume like the one below and already put an ext3 filesystem on it:

 
 lvdisplay
  --- Logical volume ---
  LV Name                /dev/POSREP-DB/DB
  VG Name                POSREP-DB
  LV UUID                0IEKZw-tEoI-jJWt-OGXT-F0B7-hEic-hCbteW
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                1.17 GB
  Current LE             300
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

Now set a filesystem label on the volume with the following command:

# e2label /dev/POSREP-DB/DB  DB

Add it to /etc/fstab. The last field is the fsck pass number: 1 is reserved for the root filesystem, so use 2 for any other volume:

LABEL=DB                /DB                     ext3    defaults        0 2

Finally, create the mount point:

mkdir /DB

After a reboot the logical volume is mounted automatically on /DB. To check the entry without rebooting, run mount -a and look at the output of mount.

Citrix:Useful link

Thursday, October 20th, 2011

(a) How to create local lvm in Citrix Xen

To create a local lvm SR on /dev/sdb use the following command.
 
xe sr-create host-uuid=<valid_uuid> content-type=user \
name-label=<"Example Local LVM SR"> shared=false \
device-config:device=/dev/sdb type=lvm

(b) How to Create a Raw Logical Volume Manager Virtual Disk Infrastructure

xe vdi-create sm-config:type=raw sr-uuid=687a023b-0b20-5e5f-d1ef-3db777ce7ae4 name-label="My Raw LVM VDI" virtual-size=8GiB type=user

(c) How to attach a new hard drive and make it available to Citrix XenServer
Suppose we have attached a new hard drive /dev/sdb and want to use it with the existing XenServer host. Before anything else, create a new SR for it with the command below:

xe sr-create host-uuid=fb187e42-d757-4c81-a996-84f7054f1f49 content-type=user name-label="posrep" shared=false device-config:device=/dev/sdb type=lvm

This creates the SR; in XenCenter the new storage appears as posrep. Note that type=lvm initialises /dev/sdb as an LVM physical volume, so anything already on that disk is lost.

(d) How to find the host-uuid

xe host-list
uuid ( RO)                : fb187e42-d757-4c81-a996-84f7054f1f49
          name-label ( RW): xen2.local.lan
    name-description ( RW): Default install of XenServer

The valid host uuid here is fb187e42-d757-4c81-a996-84f7054f1f49.
(e)How to Adjust Virtual CPU Count for Domain0 on XenServer 5.6 Feature Pack 1

Note: A maximum of eight vCPU’s can be assigned.
 
   1. Use a text editor at the console of your XenServer  to edit the following file:
      /etc/sysconfig/unplug-vcpus
   2. Change the value in this line from 4 to the number of vCPUs you would like assigned to Dom0.
 
      Before:
      NR_DOMAIN0_VCPUS=4
 
      After:
      NR_DOMAIN0_VCPUS=1
 
      This change leaves one vCPU assigned to Dom0
   3. Run the following command for the change to take effect:
      service unplug-vcpus start
 
      Rebooting is NOT required when DECREASING the vCPU count.
 
      Reboot IS required when INCREASING the vCPU count.
   4. To verify that the adjustment is active, run the following command:
      cat /proc/cpuinfo

(f) How to change the static memory range of a virtual machine

First get the UUID of the VM:

xe vm-list
uuid ( RO)           : e203d2f0-ceb1-db50-d9d0-1dcd4854db32
     name-label ( RW): posrep
    power-state ( RO): running

Now set static-min, dynamic-min, dynamic-max and static-max (the static limits can only be changed while the VM is halted):

xe vm-memory-limits-set \
uuid=<uuid> \
static-min=<value> \
dynamic-min=<value> \
dynamic-max=<value> static-max=<value>
 
example :
 
xe vm-memory-limits-set uuid=e203d2f0-ceb1-db50-d9d0-1dcd4854db32 static-min=20480MiB dynamic-min=20480MiB dynamic-max=20480MiB static-max=20480MiB

Check that the change took effect:

 xe vm-param-get uuid=e203d2f0-ceb1-db50-d9d0-1dcd4854db32 param-name=memory-dynamic-max;

(g) Citrix live migration
http://support.citrix.com/article/CTX115813
(h) How to add SNMP
http://support.citrix.com/article/CTX116187

Linux:how to clone hardrive over network

Wednesday, August 24th, 2011

Purpose:
I want to clone the hard drive /dev/sda over the network.
Server A receives the clone and Server B sends it.

Disk layout of Server B (the source):

 fdisk -l
 
Disk /dev/sda: 20.0 GB, 20020396032 bytes
255 heads, 63 sectors/track, 2434 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00083b1c
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        2329    18705408   83  Linux
/dev/sda2            2329        2434      842753    5  Extended
/dev/sda5            2329        2434      842752   82  Linux swap / Solaris

step 1:
Receiving server (Server A), booted from a live or rescue system, because the target disk cannot be the one it is running from:

nc -l -p 1234 | dd of=/dev/sda

step 2:
Sending server (Server B):

dd if=/dev/sda | nc 192.168.1.220 1234

This starts cloning the drive.

It can take 3 to 4 hours depending on the drive size. Two caveats: the source disk should not be in use either (boot Server B from rescue media too), or the copy will be inconsistent; and this nc pipeline has no authentication and no encryption, so whoever connects to port 1234 first is the one whose bytes land on Server A's disk, and the disk contents cross the network in clear. Use it only on an isolated network, or replace nc with an ssh pipe.
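The same dd stream carried over ssh instead of nc, with a checksum comparison afterwards, as an added example that is not part of the original post. The function names and the host in the usage line are mine; the verification path runs locally so it can be exercised on ordinary files.

```shell
#!/bin/sh
# Same dd stream as above, but carried over ssh (authenticated, encrypted)
# and followed by a SHA-256 comparison of both ends, so a truncated or
# tampered copy is noticed before the clone is put into service.
# Added example, not from the original post; the function names and the
# host in the usage line are mine. Both disks must be idle: boot the sender
# and the receiver from rescue media, since you can neither checksum a disk
# that is being written nor safely overwrite the one you booted from.

image_sha256() {      # $1 = block device or image file; prints the hex digest only
    sha256sum "$1" | cut -d' ' -f1
}

clone_local() {       # $1 = source, $2 = destination on the same host (verification path)
    dd if="$1" bs=4M status=none | dd of="$2" bs=4M conv=fsync status=none || return 1
    [ "$(image_sha256 "$1")" = "$(image_sha256 "$2")" ]
}

clone_over_ssh() {    # $1 = source device, $2 = user@receiver, $3 = target device on the receiver
    # Run on the sending server (Server B). Replaces "nc -l -p 1234 | dd of=/dev/sda"
    # on the receiver with an ssh session, so only a holder of the ssh key can write the disk.
    dd if="$1" bs=4M status=none | ssh "$2" "dd of='$3' bs=4M conv=fsync status=none" || return 1
    local_sum=$(image_sha256 "$1")
    remote_sum=$(ssh "$2" "sha256sum '$3' | cut -d' ' -f1")
    [ -n "$local_sum" ] && [ "$local_sum" = "$remote_sum" ]
}

# Usage on Server B: clone_over_ssh /dev/sda root@192.168.1.220 /dev/sda && echo "clone verified"
```

bs=4M keeps dd from issuing 512-byte reads, which is most of the difference between a 4-hour and a 40-minute clone on a gigabit link; the checksum pass reads both disks once more, so budget for that as well.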

How to install apache2 php mysql in debian

Thursday, August 18th, 2011

Install apache2 and php modules

apt-get install apache2 php5 libapache2-mod-php5 php5-mysql

Install mysql server

apt-get install mysql-server

Restart apache2

/etc/init.d/apache2 restart

How to allow root to login in debian desktop

Wednesday, August 17th, 2011

(a) Edit the gdm3 PAM file

nano /etc/pam.d/gdm3

(b) Comment out the line below; it is what rejects root at the login screen:

auth   required        pam_succeed_if.so user != root quiet_success

A root desktop session runs every GUI application as root and loses the audit trail sudo gives you; prefer a normal account plus sudo unless there is a specific need.

Linux:how to setup openvpn in centos or debain

Sunday, May 1st, 2011

In debain

apt-get install openvpn

In Centos

yum install openvpn

Create the certificates (Debian)

(a) The easy-rsa scripts ship under /usr/share/doc/openvpn/examples/easy-rsa/2.0/. Copy that tree into /etc/openvpn so the generated keys do not end up under /usr/share/doc:

#cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/

Before building anything, open ./vars and set KEY_SIZE=2048: the 2.0 scripts default to 1024-bit RSA keys and DH parameters, which is too small today. The DH file is then named dh2048.pem instead of dh1024.pem.

(b) Create the CA certificate and key:

#. ./vars
#./clean-all
#./build-ca

(c) Create the server certificate:

#./build-key-server server

(d) Create a client certificate:

#./build-key client

(e) Build the Diffie-Hellman parameters:

#./build-dh

(f) All keys and certificates are now in the keys/ subdirectory:

#cd /etc/openvpn/easy-rsa/2.0/keys/

#ls -al
ca.key ca.crt server.key server.csr server.crt client.key client.crt client.csr dh1024.pem

Note:
Now distribute them. Each party gets only what it needs:

ca.key -> only on the CA machine; it never leaves it (whoever holds it can mint client certificates your server will accept)

client.crt -> only on that client

client.key -> only on that client

server.crt -> only on the OpenVPN server

server.key -> only on the OpenVPN server

ca.crt -> on the CA, on the OpenVPN server (server.conf references it) and on every client.

Keep the private keys (*.key) at mode 0600, and remember that ./clean-all wipes the keys/ directory, so back up the CA before running it again.
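Before shipping files to a client it is worth proving that the easy-rsa output is consistent and that the bundle contains only what the note above allows. The script below is an added example, not part of the original post: it uses the file names listed above, the function names are mine, and it needs only the openssl command line.

```shell
#!/bin/sh
# Check the easy-rsa output before copying anything to a client:
#   - every certificate chains to ca.crt
#   - every private key belongs to the certificate next to it
#   - private keys are not group/world readable
# and build a client bundle that contains only the client's own files.
# Added example, not part of the original post; file names follow the
# listing above, function names are mine.

cert_signed_by() {    # $1 = ca.crt, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

key_is_private() {    # $1 = key file; mode must be 0600 or 0400
    case $(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

check_pki() {         # $1 = keys directory; prints the first problem found, returns 1
    d=$1
    for n in server client; do
        cert_signed_by "$d/ca.crt" "$d/$n.crt"   || { echo "$n.crt is not signed by ca.crt"; return 1; }
        key_matches_cert "$d/$n.crt" "$d/$n.key" || { echo "$n.key does not match $n.crt"; return 1; }
    done
    for k in "$d"/*.key; do
        key_is_private "$k" || { echo "$k is readable by others"; return 1; }
    done
    return 0
}

client_bundle() {     # $1 = keys directory, $2 = output directory
    # ca.key and server.key never go to a client; ca.crt, client.crt and
    # client.key are all it needs to authenticate to the server.
    mkdir -p "$2"
    cp "$1/ca.crt" "$1/client.crt" "$1/client.key" "$2/"
    chmod 600 "$2/client.key"
}

# Usage: check_pki /etc/openvpn/easy-rsa/2.0/keys && client_bundle /etc/openvpn/easy-rsa/2.0/keys /tmp/client-bundle
```

key_matches_cert compares the public key extracted from the certificate with the one derived from the private key, which catches the classic mistake of pairing a regenerated key with an old certificate; openssl verify catches a client certificate that was accidentally signed by a different CA.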

OpenVPN server configuration (Debian)

(a) Copy ca.crt, server.crt, server.key and the dh file (dh1024.pem, or dh2048.pem if you raised KEY_SIZE) from easy-rsa/2.0/keys/ into /etc/openvpn/keys/, the paths used by the configuration below, then create /etc/openvpn/server.conf:
#vim /etc/openvpn/server.conf

and paste the following:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

# Note: the VPN subnet; it must be a network you do NOT currently use
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Note: the network behind the server that VPN clients should reach
push "route 192.168.2.0 255.255.255.0"
#push "redirect-gateway def1"
push "dhcp-option DNS 192.168.2.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

Now restart the OpenVPN server:

/etc/init.d/openvpn restart

Make sure the firewall allows UDP port 1194 to the OpenVPN server (or forwards it, if the server sits behind NAT), and enable IP forwarding on the server (net.ipv4.ip_forward=1), otherwise clients cannot reach the pushed 192.168.2.0/24 route. Two settings above deserve a second look: client-to-client lets every VPN client talk to every other one, and comp-lzo enables compression, which current OpenVPN guidance recommends leaving off because of compression-oracle attacks.

Linux:Iptables rules for different services

Sunday, March 20th, 2011

For an NFS server, first pin the helper daemons to fixed ports so they can be firewalled (by default lockd, mountd, rquotad and statd pick random ports from the portmapper):

 vi /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Now restart the services so they pick up the fixed ports

# service portmap restart
# service nfs restart
# service rpcsvcgssd restart

Now add the rules to iptables (/etc/sysconfig/iptables), restricted to the client subnet:

-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
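The port numbers above are typed once in /etc/sysconfig/nfs and again in the firewall, and the two drift apart as soon as someone edits one of them. The script below is an added example, not part of the original post: it derives the ACCEPT rules from the sysconfig file. The chain name and subnet are the ones used above, the function names are mine, and it also emits 2049/udp, which the list above omits but NFSv3 over UDP needs.

```shell
#!/bin/sh
# Generate the ACCEPT rules above from /etc/sysconfig/nfs instead of typing the
# port numbers twice, so the firewall cannot drift from the daemon settings.
# Added example, not from the original post; the chain name and subnet are the
# ones used above, the function names are mine. Besides the pinned ports it
# also emits rules for portmapper (111) and nfsd (2049) on both protocols,
# since NFSv3 over UDP uses 2049/udp as well.

nfs_ports_from_sysconfig() {
    # $1 = sysconfig/nfs file; prints "proto port" pairs, one per line
    printf 'udp 111\ntcp 111\ntcp 2049\nudp 2049\n'
    sed -n 's/^\([A-Z_]*PORT\)=\([0-9][0-9]*\)$/\1 \2/p' "$1" |
    while read -r var port; do
        case $var in
            LOCKD_TCPPORT)       printf 'tcp %s\n' "$port" ;;
            LOCKD_UDPPORT)       printf 'udp %s\n' "$port" ;;
            STATD_OUTGOING_PORT) ;;   # source port of statd's outgoing calls; no inbound rule
            *)                   printf 'tcp %s\nudp %s\n' "$port" "$port" ;;  # mountd, rquotad, statd
        esac
    done
}

nfs_iptables_rules() {
    # $1 = sysconfig/nfs file, $2 = client subnet, $3 = iptables chain
    nfs_ports_from_sysconfig "$1" | while read -r proto port; do
        printf '%s\n' "-A $3 -s $2 -p $proto -m $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A $3 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage: nfs_iptables_rules /etc/sysconfig/nfs 192.168.2.0/24 RH-Firewall-1-INPUT
```

Paste the output into /etc/sysconfig/iptables, or feed it to iptables-restore together with the rest of the ruleset; re-run it whenever /etc/sysconfig/nfs changes.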

Selinux commands for services

Saturday, March 5th, 2011

(a) SELinux requirement for NIS clients

setsebool -P allow_ypbind=1 ypbind_disable_trans=1 yppasswdd_disable_trans=1

allow_ypbind is the boolean a NIS client actually needs. The two *_disable_trans booleans run ypbind and yppasswdd unconfined, i.e. outside SELinux's control; leave them off unless the confined domains are really blocking you and the audit log says so.

Use getsebool to verify:

getsebool allow_ypbind ypbind_disable_trans yppasswdd_disable_trans

allow_ypbind --> on
ypbind_disable_trans --> on
yppasswdd_disable_trans --> on

b) Selinux for vsftpd

getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

Allow FTP users to read and write their own home directories:

setsebool -P ftp_home_dir 1

(c) Selinux for Samba Share

If you want to share /data via samba

chcon -R -t samba_share_t /data

If you want to share home directory

setsebool -P samba_enable_home_dirs 1

Linux: Mutt(How to attach file from command line)

Wednesday, January 5th, 2011

To attach a file with mutt from the command line:

 echo "Body of email" | mutt -a attach.txt -s "subject" user@gmail.com

Give -a the full path to the attachment. Newer mutt versions require the recipients to be separated from the attachment list with --, i.e. mutt -s "subject" -a attach.txt -- user@gmail.com.

Linux:How to exclude packages from yum update

Tuesday, January 4th, 2011

To exclude packages from yum update, pass --exclude as below:

 yum update --exclude=openssl,openssl-devel,bind,bind-chroot,bind-utils,bind-libs

Or

 yum update --exclude=openssl --exclude=openssl-devel --exclude=bind --exclude=bind-chroot --exclude=bind-utils --exclude=bind-libs

Remember that an excluded package is also excluded from security updates, so keep the list short and revisit it.

Unable to access VMware on port 8333

Thursday, December 30th, 2010

For Windows XP
Solution: make sure the "VMware Host Agent" service is running (services.msc).

[Screenshot: VMware Host Agent service]

Linux:How to compile php with mysqli support

Thursday, December 23rd, 2010

Building PHP from source with mysqli support can be troublesome; most of the time configure stops with the error below:

configure: error: Cannot find libmysqlclient under /usr.

If you see this error, find out where libmysqlclient actually lives on your server:

locate libmysqlclient

You might see output like this:

/usr/lib64/mysql/libmysqlclient.a
/usr/lib64/mysql/libmysqlclient.la
/usr/lib64/mysql/libmysqlclient_r.a
/usr/lib64/mysql/libmysqlclient_r.la

The fix is to tell PHP where your lib directory is; on a 64-bit server that is /usr/lib64, so configure PHP like this:

 ./configure --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/var/lib/mysql --with-libdir=/lib64 --with-mysqli --enable-mbstring --with-gd --with-zlib --with-jpeg-dir --with-png-dir --with-openssl --with-curl --with-mcrypt --with-imap --with-kerberos --with-imap-ssl

Hope this helps.

Linux: How to configure sendmail to receive email (Basic Steps)

Monday, December 13th, 2010

Ref: http://www.sendmail.org/tips/virtualHosting

(a) Edit /etc/mail/sendmail.mc and change the line below. By default sendmail listens only on the loopback address; this makes it accept mail from outside the host.

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
to

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

(b) Edit /etc/mail/virtusertable; this maps virtual addresses to real mailboxes:

joe@yourdomain.com jschmoe

Any mail arriving for joe@yourdomain.com is delivered to jschmoe's inbox.

(c) Edit /etc/mail/local-host-names and insert the domain names, one per line. This is the list of domains sendmail accepts mail for as local:

fosiul.com
domain1.com
domain2.com

(d) Now restart sendmail. On CentOS/RHEL the init script rebuilds sendmail.cf from sendmail.mc and regenerates the virtusertable map on startup; elsewhere run make -C /etc/mail first.

service sendmail restart

(e) Open port 25 in your firewall or iptables. Before you do, confirm the server is not an open relay: sendmail relays only for the local domains and the hosts listed in /etc/mail/access, and it should stay that way.

Linux:How to configure centralized yum repo server (Centos)

Friday, November 26th, 2010

A local yum repository serves your own network, makes sure every server installs the same RPMs (useful for benchmarking and patching) and saves bandwidth: the RPMs are stored once on the central repo server and the other servers install from it instead of from a public mirror.

To build the central repo server you need an Apache server.

In our organization I created the repository directory under (this one is for 64-bit servers):
/usr/local/apache/htdocs/install/centos64/
You can choose any directory.

    Building the base repository:

Step 1: Copy all content from the CD/DVD into the repository directory

Copy all files and directories from the CentOS 5.5 DVD or CDs into /usr/local/apache/htdocs/install/centos64/
Your directory should then look like this:

[root@controlserver1 centos64]# ls
CentOS                 RELEASE-NOTES-de.html     RELEASE-NOTES-nl
EULA                   RELEASE-NOTES-en          RELEASE-NOTES-nl.html
GPL                    RELEASE-NOTES-en.html     RELEASE-NOTES-pt_BR
images                 RELEASE-NOTES-en_US       RELEASE-NOTES-pt_BR.html
isolinux               RELEASE-NOTES-en_US.html  RELEASE-NOTES-ro
kicks                  RELEASE-NOTES-es          RELEASE-NOTES-ro.html
ks.cfg                 RELEASE-NOTES-es.html     repodata
NOTES                  RELEASE-NOTES-fr          RPM-GPG-KEY-beta
RELEASE-NOTES-cs       RELEASE-NOTES-fr.html     RPM-GPG-KEY-CentOS-5
RELEASE-NOTES-cs.html  RELEASE-NOTES-ja          TRANS.TBL
RELEASE-NOTES-de       RELEASE-NOTES-ja.html

As you can see, the CentOS directory holds all the RPMs, so I made that directory the centralized yum directory.

For a yum repository the metadata for the base packages has to be generated, so run the command below.

Step 2: Create the base repository metadata

createrepo /usr/local/apache/htdocs/install/centos64/CentOS

This creates a repodata directory under the CentOS directory, which should look like this:

[root@controlserver1 CentOS]# cd repodata/
[root@controlserver1 repodata]# pwd
/usr/local/apache/htdocs/install/centos64/CentOS/repodata
[root@controlserver1 repodata]# ls -al
total 14252
drwxr-xr-x 2 root root    4096 Nov 26 15:20 .
drwxr-xr-x 3 root root  221184 Nov 26 15:20 ..
-rw-r--r-- 1 root root 3373682 Nov 26 15:20 filelists.xml.gz
-rw-r--r-- 1 root root 9813890 Nov 26 15:20 other.xml.gz
-rw-r--r-- 1 root root 1144150 Nov 26 15:20 primary.xml.gz
-rw-r--r-- 1 root root     951 Nov 26 15:20 repomd.xml
[root@controlserver1 repodata]#

Building the repository for yum updates

Step 3: Create a directory called updates

[root@controlserver1 centos64]# pwd
/usr/local/apache/htdocs/install/centos64
[root@controlserver1 centos64]# mkdir updates

So it should be like this

[root@controlserver1 centos64]# pwd
/usr/local/apache/htdocs/install/centos64
[root@controlserver1 centos64]# ls
CentOS                 RELEASE-NOTES-de.html     RELEASE-NOTES-nl
EULA                   RELEASE-NOTES-en          RELEASE-NOTES-nl.html
GPL                    RELEASE-NOTES-en.html     RELEASE-NOTES-pt_BR
images                 RELEASE-NOTES-en_US       RELEASE-NOTES-pt_BR.html
isolinux               RELEASE-NOTES-en_US.html  RELEASE-NOTES-ro
kicks                  RELEASE-NOTES-es          RELEASE-NOTES-ro.html
ks.cfg                 RELEASE-NOTES-es.html     repodata
NOTES                  RELEASE-NOTES-fr          RPM-GPG-KEY-beta
RELEASE-NOTES-cs       RELEASE-NOTES-fr.html     RPM-GPG-KEY-CentOS-5
RELEASE-NOTES-cs.html  RELEASE-NOTES-ja          TRANS.TBL
RELEASE-NOTES-de       RELEASE-NOTES-ja.html     updates

Step 4: Select an rsync mirror
Pick any mirror from:
http://www.centos.org/modules/tinycontent/index.php?id=31

Step 5: Rsync the updates repository

 rsync -avrt rsync://rsync.mirrorservice.org/mirror.centos.org/5.5/updates/x86_64/RPMS/ --exclude=debug/ /usr/local/apache/htdocs/install/centos64/updates/

This downloads all the RPMs from the mirror into the updates directory. rsync:// is unauthenticated, which is acceptable only because every RPM carries a CentOS GPG signature that the clients can verify.

Step 6: Rsync the repodata

Go into the updates directory and download the mirror's repodata. You could regenerate it with createrepo instead, but syncing the mirror's copy keeps it identical to upstream.

[root@controlserver1 updates]# pwd
/usr/local/apache/htdocs/install/centos64/updates
[root@controlserver1 updates]#
 
rsync -avrt rsync://rsync.mirrorservice.org/mirror.centos.org/5.5/updates/x86_64/repodata --exclude=debug/ /usr/local/apache/htdocs/install/centos64/updates/

Step 7: Configure yum on the clients

Create a repo file in the /etc/yum.repos.d directory.

[root@mysqlcluster2 yum.repos.d]# pwd
/etc/yum.repos.d
[root@mysqlcluster2 yum.repos.d]# ls
CentOS-Base.repo CentOS-Media.repo local.repo
[root@mysqlcluster2 yum.repos.d]

And disable the other repos by setting enabled=0 in them. Example:
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Insert the lines below into local.repo. Note that gpgcheck=0 turns off signature verification on the client; the mirrored RPMs are signed by CentOS and the clients already have the key, so gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 works just as well and still protects you if the repo server is compromised.

[base-local]
name=Centos $releasever - $basearch
failovermethod=priority
baseurl=http://10.0.0.55/centos64/CentOS/
enabled=1
gpgcheck=0
 
[updates-local]
name=Centos $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://10.0.0.55/centos64/updates/
enabled=1
gpgcheck=0

Now test it with yum:

 yum clean all
Loaded plugins: fastestmirror
Cleaning up Everything
Cleaning up list of fastest mirrors
[root@mysqlcluster2 /]# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors
base-local                                               |  951 B     00:00
base-local/primary                                       | 1.1 MB     00:00
base-local                                                            3186/3186
updates-local                                            | 1.9 kB     00:00
updates-local/primary_db                                 | 1.0 MB     00:00
Setting up Update Process

The centralized local repository is done!
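With gpgcheck=0 every client trusts whatever the web root serves, so a compromised repo server (or anyone on the path to 10.0.0.55, since the baseurl is plain http) can push an arbitrary RPM to the whole fleet. The script below is an added example, not part of the original post: it writes local.repo with signature checking kept on and lints a yum.repos.d directory for enabled repos that skip it. The repo ids and URL are the ones used above; the function names are mine.

```shell
#!/bin/sh
# local.repo above sets gpgcheck=0, which makes every client install whatever
# the web server hands out: anyone who can write to the repo directory, or sit
# between a client and 10.0.0.55, can push an arbitrary RPM. The mirrored
# packages are still signed by CentOS, so the clients can keep verifying them.
# Added example, not from the original post; the repo ids and URL are the
# ones used above, the function names are mine.

write_local_repo() {  # $1 = output .repo file, $2 = URL prefix of the repo server
    cat > "$1" <<EOF
[base-local]
name=Centos \$releasever - \$basearch
failovermethod=priority
baseurl=$2/centos64/CentOS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates-local]
name=Centos \$releasever - \$basearch - Updates
failovermethod=priority
baseurl=$2/centos64/updates/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF
}

unsigned_enabled_repos() {  # $1 = yum.repos.d directory; prints "file:repoid" for each enabled repo lacking gpgcheck=1
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        # yum treats a repo without enabled= as enabled, and without gpgcheck= as unchecked
        awk -v file="$f" '
            function flush() { if (id != "" && enabled + 0 == 1 && gpg + 0 != 1) print file ":" id }
            /^\[/ { flush(); id = substr($0, 2, length($0) - 2); enabled = 1; gpg = 0; next }
            /^enabled[ \t]*=/  { split($0, a, "="); gsub(/[ \t]/, "", a[2]); enabled = a[2] }
            /^gpgcheck[ \t]*=/ { split($0, a, "="); gsub(/[ \t]/, "", a[2]); gpg = a[2] }
            END { flush() }
        ' "$f"
    done
}

# Usage: write_local_repo /etc/yum.repos.d/local.repo http://10.0.0.55; unsigned_enabled_repos /etc/yum.repos.d
```

The lint is cheap enough to run from a cron job or a Puppet exec on every client; an empty output means every enabled repo verifies signatures.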

Apache 2: How to turn off directory listings

Monday, November 22nd, 2010

Directory listings expose every file in a directory that has no index page, including backups, dumps and configuration left in the web root, so turn them off.

By default apache has the line below in the <Directory> block for the document root:

Options Indexes FollowSymLinks

Delete Indexes from that line so it reads:

Options  FollowSymLinks

Now restart the apache daemon.

Apache will no longer show directory listings; a request for a directory without an index file returns 403 Forbidden instead.


Linux:How to install vncserver

Monday, November 15th, 2010

Ref: http://wiki.centos.org/HowTos/VNC-Server

(a) Install the vnc-server package

yum install vnc-server

(b) Create your VNC users

useradd user1

(c) Set each user's VNC password:
Log in as each user and run vncpasswd. This creates the ~/.vnc directory. The VNC password is truncated to 8 characters and the protocol itself is unencrypted, so treat it as a weak secret and reach the server through an SSH tunnel rather than exposing the 59xx ports directly.

vncpasswd

(d) Edit the server configuration
Edit /etc/sysconfig/vncservers and add the following to the end of the file. Display :2 below runs a desktop as root, i.e. a remote root session guarded by an 8-character password; prefer an unprivileged user and use su or sudo inside the session.

VNCSERVERS="2:root 3:user1"
VNCSERVERARGS[2]="-geometry 640x480"
VNCSERVERARGS[3]="-geometry 640x480"

(e) Start the server once so it creates the xstartup scripts

 /sbin/service vncserver start

(f) Edit xstartup
In each user's home directory edit the xstartup file:

cd /root/.vnc
 vi xstartup
Uncomment the two lines below:
 unset SESSION_MANAGER
 exec /etc/X11/xinit/xinitrc

The xstartup file should then look like this:

#!/bin/sh
( while true ; do xterm ; done ) &

# Uncomment the following two lines for normal desktop:
 unset SESSION_MANAGER
 exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

(g) Restart vncserver

service vncserver restart

Linux: lsof command and its uses

Monday, November 1st, 2010

How to view only TCP Established connections

lsof -iTCP | grep ESTABLISHED

How to view connections on a specific port (port 22)

Syntax: lsof -i :<port number>
lsof -i :22  | grep ESTABLISHED

How to view connections from a specific IP address

lsof -i@ip.of.your.user

How to view the files opened by an individual user

lsof -u username

How to collect information about a process

lsof -p process_id

Linux:Unable to copy long( _ ,#) file name from windows to samba server

Tuesday, October 5th, 2010

Some times , When trying to copy long directories/subdirectories or file name include (_ or # ) from windows to Samba server, it gives error example : “unable to copy” or “Cant move folder file_name_long_name.cfm ,the file name or extension is too long”

The solution is :

[share]
        path = /share-name/long-directory
        read only = no
        case sensitive = True
        default case = upper
        preserve case = no
        short preserve case = no

After editing, reboot the server.

Miscellaneous useful websites about xen

Monday, September 27th, 2010

Useful Links :
Live Migration:
http://www.linux.com/archive/feed/55773

Linux:How to force puppet client to download updates from puppet server

Friday, September 17th, 2010

By default puppetd applies the client configuration every 1800 seconds. If you have emergency updates that must be applied to every puppet client instantly, you can do the following:

(a) puppetrun (this command is run from the puppet server)

SYNOPSIS
Trigger a puppetd run on a set of hosts.

USAGE
puppetrun [-a|--all] [-c|--class ] [-d|--debug] [-f|--foreground]
          [-h|--help] [--host ] [--no-fqdn] [--ignoreschedules]
          [-t|--tag ] [--test] [-p|--ping]

If you don't have LDAP support then -a (--all) and -c (--class) are useless. In that case, to force an update on every host you have to name each host on the puppetrun command line.
Example, as given in the puppetrun man page:

EXAMPLE
sudo puppetrun -p 10 --host host1 --host host2 -t remotefile -t web-server
 
or
puppetrun --host host1 --host host2

(b) func
If you have lots of servers it is not practical to add every host to the puppetrun command!
In that case we can use the func command.
How to install and use func: see the link below.

After installing func on the master and on all the other servers,
we can execute the command below.
Note: don't run the puppetd daemon on the clients if you want to update them by calling func.

http://docs.puppetlabs.com/guides/scaling.html#triggered_selective_updates

func "*" call command run "puppetd --onetime"

This command will execute puppetd command one time only and it will download all the updates from puppet server.
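An added example (mine, not from the post) for the case above where you do not have LDAP and must list every host on the puppetrun command line: a sh function that builds the --host arguments from a hosts file, and rejects any entry that is not a plain hostname so a stray line cannot turn into an unexpected option. The hosts file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the post: build puppetrun's --host list from a
# hosts file instead of typing every host. Assumption: one hostname per
# line; blank lines and '#' comments are ignored; anything that is not a
# plain hostname is rejected instead of being passed on to puppetrun.

# Constructed hosts file (the last entry is deliberately invalid)
SAMPLE_HOSTS='# web tier
host1.example.com
host2.example.com

not a hostname!'

# Reads a hosts file on stdin and prints "--host h1 --host h2 ..." on one
# line. Exit status is 1 if any entry was rejected.
puppetrun_host_args() {
    awk '
        { sub(/#.*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }
        $0 == "" { next }
        $0 !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/ {
            bad++; print "rejected: " $0 > "/dev/stderr"; next
        }
        { args = args (args == "" ? "" : " ") "--host " $0 }
        END { print args; exit (bad > 0) }'
}

# Usage on the puppet server (word splitting of the output is intended):
#   puppetrun -p 10 $(puppetrun_host_args < hosts.txt)
printf '%s\n' "$SAMPLE_HOSTS" | puppetrun_host_args || echo "some entries were rejected"
```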

Last updated: 17th September 2010

Linux:InnoDB: Unable to lock ./ibdata1, error: 37

Tuesday, September 14th, 2010

Ref: http://bugs.mysql.com/bug.php?id=47769
The database is located on remote storage mounted via NFS. During mysql startup the following entry appears in the .err file:
InnoDB: Unable to lock ./ibdata1, error: 37

Solution: mount -t nfs -o nolock IP:/data /data

Linux: Troubleshooting Redhat Cluster Suite

Wednesday, September 8th, 2010

Ref:http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Configuration_Example_-_NFS_Over_GFS/NFS_GFS_Troubleshoot.html

If you find that you are seeing error messages when you try to configure your system, or if after configuration your system does not behave as expected, you can perform the following checks and examine the following areas.

* Connect to one of the nodes in the cluster and execute the clustat(8) command. This command runs a utility that displays the status of the cluster. It shows membership information, quorum view, and the state of all configured user services. The following example shows the output of the clustat(8) command.

      [root@clusternode4 ~]# clustat
      Cluster Status for nfsclust @ Wed Dec  3 12:37:22 2008
      Member Status: Quorate
 
       Member Name                              ID   Status
       ------ ----                              ---- ------
       clusternode5.example.com          1 Online, rgmanager
       clusternode4.example.com          2 Online, Local, rgmanager
       clusternode3.example.com          3 Online, rgmanager
       clusternode2.example.com          4 Online, rgmanager
       clusternode1.example.com          5 Online, rgmanager
 
       Service Name             Owner (Last)                     State
       ------- ---              ----- ------                     -----
       service:nfssvc           clusternode2.example.com         starting

  In this example, clusternode4 is the local node since it is the host from which the command was run. If rgmanager did not appear in the Status column, it could indicate that cluster services are not running on the node.

* Connect to one of the nodes in the cluster and execute the group_tool(8) command. This command provides information that you may find helpful in debugging your system. The following example shows the output of the group_tool(8) command.

      [root@clusternode1 ~]# group_tool
      type             level name       id       state
      fence            0     default    00010005 none
      [1 2 3 4 5]
      dlm              1     clvmd      00020005 none
      [1 2 3 4 5]
      dlm              1     rgmanager  00030005 none
      [3 4 5]
      dlm              1     mygfs      007f0005 none
      [5]
      gfs              2     mygfs      007e0005 none
      [5]

  The state of the group should be none. The numbers in the brackets are the node ID numbers of the cluster nodes in the group. The clustat output shows which node IDs belong to which nodes. If you do not see a node number in the group, it is not a member of that group. For example, if a node ID is not in the dlm/rgmanager group, it is not using the rgmanager dlm lock space (and probably is not running rgmanager).
  The level of a group indicates the recovery ordering: 0 is recovered first, 1 is recovered second, and so forth.

* Connect to one of the nodes in the cluster and execute the cman_tool nodes -f command. This command provides information about the cluster nodes that you may want to look at. The following example shows its output.

      [root@clusternode1 ~]# cman_tool nodes -f
      Node  Sts   Inc   Joined               Name
         1   M    752   2008-10-27 11:17:15  clusternode5.example.com
         2   M    752   2008-10-27 11:17:15  clusternode4.example.com
         3   M    760   2008-12-03 11:28:44  clusternode3.example.com
         4   M    756   2008-12-03 11:28:26  clusternode2.example.com
         5   M    744   2008-10-27 11:17:15  clusternode1.example.com

  The Sts heading indicates the status of a node: M means the node is a member of the cluster, X means the node is dead. The Inc heading is the incarnation number of the node, which is for debugging purposes only.

* Check whether cluster.conf is identical on each node of the cluster. If you configure your system with Conga, as in the example provided in this document, these files should be identical, but one of the files may have accidentally been deleted or altered.

* In addition to using Conga to fence a node in order to test whether failover is working properly, as described in Chapter 6, Testing the NFS Cluster Service, you could disconnect the ethernet connection between cluster members. You might try disconnecting one, two, or three nodes, for example. This could help isolate where the problem is.

* If you are having trouble mounting or modifying an NFS volume, check whether the cause is one of the following:
  o The network between server and client is down.
  o The storage devices are not connected to the system.
  o More than half of the nodes in the cluster have crashed, rendering the cluster inquorate. This stops the cluster.
  o The GFS file system is not mounted on the cluster nodes.
  o The GFS file system is not writable.
  o The IP address you defined in cluster.conf is not bound to the correct interface / NIC (sometimes the ip.sh script does not perform as expected).

* Execute a showmount -e command on the node running the cluster service. If it shows the right 5 exports, check your firewall configuration for all the ports NFS needs.

* If SELinux is currently in enforcing mode on your system, check your /var/log/audit.log file for any relevant messages. If you are using NFS to serve home directories, check whether the SELinux boolean nfs_home_dirs has been set to 1; this is required if you want to use NFS-based home directories on a client that is running SELinux. If you do not set this value, you can mount the directories as root but cannot use them as home directories for your users.

* Check the /var/log/messages file for error messages from the NFS daemon.

* If you see the expected results locally at the cluster nodes and between the cluster nodes but not at the defined clients, check the firewall configuration at the clients.
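An added example, not part of the Red Hat document quoted above: sh functions that apply the same checks to saved clustat and cman_tool nodes -f output (dead nodes, members without rgmanager, services not started) and compare cluster.conf copies gathered from each node. The outputs below are constructed from the format shown above, not captured from a real cluster; node 3 is marked dead and node 2 lacks rgmanager to give the checks something to find.

```shell
#!/bin/sh
# Added example, not part of the Red Hat document quoted above. Runs the
# same checks over saved clustat / cman_tool output. On a live node:
#   cman_tool nodes -f | cman_dead_nodes
#   clustat | clustat_members_without_rgmanager
# The samples below are constructed from the output format shown above and
# are not from a real cluster.

SAMPLE_CMAN='Node  Sts   Inc   Joined               Name
   1   M    752   2008-10-27 11:17:15  clusternode5.example.com
   2   M    752   2008-10-27 11:17:15  clusternode4.example.com
   3   X    760   2008-12-03 11:28:44  clusternode3.example.com
   4   M    756   2008-12-03 11:28:26  clusternode2.example.com
   5   M    744   2008-10-27 11:17:15  clusternode1.example.com'

SAMPLE_CLUSTAT='Cluster Status for nfsclust @ Wed Dec  3 12:37:22 2008
Member Status: Quorate

 Member Name                              ID   Status
 ------ ----                              ---- ------
 clusternode5.example.com          1 Online, rgmanager
 clusternode4.example.com          2 Online, Local, rgmanager
 clusternode3.example.com          3 Offline
 clusternode2.example.com          4 Online
 clusternode1.example.com          5 Online, rgmanager

 Service Name             Owner (Last)                     State
 ------- ---              ----- ------                     -----
 service:nfssvc           clusternode2.example.com         starting'

# Nodes whose Sts column is not M (X = dead), from cman_tool nodes -f output.
cman_dead_nodes() {
    awk 'NR > 1 && $2 != "M" { print $NF }'
}

# Quorate or Inquorate, from clustat output.
clustat_quorum() {
    awk '/Member Status:/ { print $3 }'
}

# Members that are offline or online without rgmanager. Member lines are
# "name id status"; service lines contain a colon and do not match.
clustat_members_without_rgmanager() {
    awk '/^[[:space:]]+[A-Za-z0-9.-]+[[:space:]]+[0-9]+[[:space:]]/ && !/rgmanager/ { print $1 }'
}

# Services whose state is anything but started.
clustat_services_not_started() {
    awk '$1 ~ /^service:/ && $NF != "started" { print $1, $NF }'
}

# Compare copies of cluster.conf collected from each node (paths as
# arguments); prints identical or differ.
conf_copies_identical() {
    n=$(cksum "$@" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then echo identical; else echo differ; fi
}

printf '%s\n' "$SAMPLE_CMAN" | cman_dead_nodes
printf '%s\n' "$SAMPLE_CLUSTAT" | clustat_quorum
printf '%s\n' "$SAMPLE_CLUSTAT" | clustat_members_without_rgmanager
printf '%s\n' "$SAMPLE_CLUSTAT" | clustat_services_not_started
```

Feeding these the live commands from a cron job and alerting on any non-empty output from cman_dead_nodes or clustat_members_without_rgmanager is a cheap early warning before the cluster goes inquorate.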

Troubleshooting Red Hat Cluster Suite Networking
Ref : http://people.redhat.com/ccaulfie/docs/CSNetworking.pdf

Linux:named: transfer of ‘domain.com/IN’ from #53: failed while receiving responses: permission denied

Friday, September 3rd, 2010

When you set up a slave DNS server and try to transfer a zone from the master server, you might see a problem like this:

Sep  3 09:52:37 publicdns1.domani.local named[13635]: dumping master file: tmp-PKhZ6y6rRp: open: permission denied
Sep  3 09:52:37 publicdns1.domain.local named[13635]: transfer of 'domain.com/IN' from 11.22.33.44#53: failed while receiving responses: permission denied
Sep  3 09:52:37 publicdns1.domain.local named[13635]: transfer of 'domain.com/IN' from 11.22.33.44#53: end of transfer

Solution:
Make sure the slave server can create the zone file under the slaves/ directory (file "slaves/domain.com.zone";).
The zone setting in named.conf on the slave server looks like this:

        ### Add authoritative zone for domain.com ######
        zone "domain.com" IN {
                type slave;
                file "slaves/domain.com.zone";
                masters { 11.22.33.44; };
        };

How to run perl/Python script from Linux Apache server

Thursday, September 2nd, 2010

For httpd.conf (/usr/local/apache/conf if you compiled from source, or /etc/httpd/conf/httpd if you installed via yum):

ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

If you want to run CGI scripts under your own domain, for example www.fosiul.com/cgi-bin/test.cgi, do as below:

<VirtualHost *:80>
    ServerAdmin fosiul@example.co.uk
    DocumentRoot /usr/local/apache/htdocs/example/
    ServerName www.example.co.uk
    ServerAlias example.co.uk
    ......................................
    ......................................

    <Directory "/usr/local/apache/htdocs/example/">
        Options FollowSymLinks ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Directory "/usr/local/apache/htdocs/example/cgi-bin/">
        Order deny,allow
        Allow from all
        # To run CGI scripts only from certain IPs, remove "Allow from all"
        # above and enable the two lines below instead. Apache does not accept
        # a comment at the end of a directive line, so keep comments on their own lines.
        #Deny from all
        #Allow from xx.xx.xx.xx
    </Directory>

    ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/example/cgi-bin/
</VirtualHost>

Now create the cgi-bin directory referenced above (/usr/local/apache/htdocs/example/cgi-bin)
and create a CGI script, test.cgi:

#!/usr/bin/perl -T
use strict;
use CGI;
my $cgi = new CGI;
print $cgi->header;
print $cgi->start_html('test world');
print $cgi->h1('Hellow test');
print $cgi->li('list');
print $cgi->end_html();

Run this CGI script: http://www.example.co.uk/cgi-bin/test.cgi

How to run Python under CGI

Create a CGI script (testpy.cgi) as below to run Python:

#!/usr/bin/python
print "Content-Type: text/plain\n\n"
print "Hello, World!\n"

Now run this script as www.example.co.uk/cgi-bin/testpy.cgi

Linux:How to configure/secure public primary/secondary bind dns server

Wednesday, September 1st, 2010

Localhost resolver:
(a) Install bind

yum install bind bind-chroot bind-devel

(b) Copy named.conf and related files from /usr/share/doc/bind-9.3.6/sample/etc/

cp /usr/share/doc/bind-9.3.6/sample/etc/* /var/named/chroot/etc/

(c) The files in /var/named/chroot/etc are as below:

[root@publicdns1 etc]# ls
localtime   named.rfc1912.zones  rndc.conf
named.conf  named.root.hints     rndc.key

Check the ownership of the files. It should be root:named, as below:

[root@publicdns1 etc]# pwd
/var/named/chroot/etc
[root@publicdns1 etc]# ls -al
total 64
drwxr-x--- 2 root named 4096 Aug 28 13:38 .
drwxr-x--- 6 root named 4096 Aug 28 13:37 ..
-rw-r--r-- 1 root root  3661 Aug 24 12:53 localtime
-rw-r--r-- 1 root named 5299 Aug 28 13:38 named.conf
-rw-r--r-- 1 root named  775 Aug 28 12:20 named.rfc1912.zones
-rw-r--r-- 1 root named  524 Aug 28 12:20 named.root.hints
-rw-r--r-- 1 root named    0 Aug 28 12:20 rndc.conf
-rw-r----- 1 root named  113 Aug 28 12:12 rndc.key
[root@publicdns1 etc]#

If the ownership is not right then we can change it as follows :

chown root:named named.conf  named.rfc1912.zones named.root.hints rndc.conf  rndc.key

(d) Copy named.root into /var/named/chroot/var/named directory

cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root  /var/named/chroot/var/named/

The files are now:

[root@publicdns1 named]# ls
data  domain.co.uk.zone  named.root  slaves
[root@publicdns1 named]#

(e) To let internal PCs resolve DNS requests and internal host names, we work on the view "localhost_resolver" section, as below:

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};

Note: all internal zone definitions go in the named.rfc1912.zones file.

(f) Now edit named.rfc1912.zones, which is located in /var/named/chroot/etc,
and enter the lines below

zone "internaldomain.local" IN {
        type master;
        file "internaldomain.local.zone";
};

The edited named.rfc1912.zones file then looks like this:

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
//zone "." IN {
//      type hint;
//      file "named.ca";
//};
zone "internaldomain.local" IN {
 
        type master;
        file "internaldomain.local.zone";
 
};
 
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
 
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
 
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
 
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
 
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
 
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

(g) Create the zone file internaldomain.local.zone in /var/named/chroot/var/named, like below:

$TTL    86400
@                   IN SOA  @ root (
                                        42      ; serial (d. adams)
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D )    ; minimum

                    IN NS       internaldns
                    IN MX   10  internalmailserver
                    IN A        10.0.0.20
internaldns         IN A        10.0.0.9
Account             IN A        10.0.0.6
internalmailserver  IN A        10.0.0.10
www                 IN A        10.0.0.20

Note: make sure the file has the ownership below, or bind will not be able to read it.

chown root:named internaldomain.local.zone

Primary server:

(A) Create zone entries in named.conf
Since this server will work as a public DNS server, we create the zone entries for example.co.uk under the "external" view.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add authoritative zone for example.co.uk ######
        zone "example.co.uk" IN {
                type master;
                file "example.co.uk.zone";
                allow-update { none; };
                allow-transfer { 22.33.44.55; }; // only this host may pull zone transfers from this master
        };
 
};

Secondary server:

Follow every step from the beginning. We just need to change named.conf so that the slave can download the zone file and updates from the master server.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add authoritative zone for example.co.uk ######
        zone "example.co.uk" IN {
                type slave;
                file "slaves/example.co.uk.zone";
                masters { 55.55.55.55; };
        };
 
};

Full named.conf file for the primary name server (public + localhost resolver):

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        zone "example.co.uk" IN {
                type master;
                file "example.co.uk.zone";
                allow-update { none; };
                allow-transfer { 22.33.44.55; }; // only this host may pull zone transfers from this master
        };
 
};

Full named.conf for the public slave server:

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        zone "example.co.uk" IN {
                type slave;
                file "slaves/example.co.uk.zone";
                masters { 55.55.55.55; };
        };
 
};

Securing the name server:
(a) Don't end up providing free DNS service for everyone

options {
     recursion no;
};

(b) Don't fetch glue records

options {
      fetch-glue no;
};

(c) Allow zone transfers only from a specific host

        ### Add authoritative zone for example.co.uk ######
        zone "example.co.uk" IN {
                type master;
                file "example.co.uk.zone";
                allow-update { none; };
                allow-transfer { 22.33.44.55; }; // only this host may pull zone transfers from this master
        };

(d) Don't disclose the BIND version

options {
     version "Not disclosed";
 
};
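An added example of mine, not from the post, covering the securing points above and the slaves/ permission problem from the "transfer ... permission denied" post earlier on this page: a line-oriented audit of named.conf that reports master zones without a restricted allow-transfer, views that recurse for match-clients { any; }, and a missing version string, plus a check that the slaves directory is group-writable (group named) so a slave can write the transferred zone file. The named.conf excerpt is constructed, and the function names are mine; use named-checkconf for real syntax validation. One caveat on step (b): fetch-glue is a BIND 8 option that BIND 9 reports as obsolete and ignores, so on the 9.3 packages used here it adds nothing.

```shell
#!/bin/sh
# Added example, not from the post. Line-oriented checks only; use
# named-checkconf for real syntax validation. Assumes one directive per
# line and zone/view blocks closed by "};" at the start of a line, as in the
# files above.

# Constructed named.conf excerpt (not the files above): one properly
# restricted master zone, one master zone left open, a recursive view that
# matches any client, and no version string.
SAMPLE_NAMED_CONF='options {
        directory "/var/named";
};
view "external" {
        match-clients { any; };
        recursion yes;
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-transfer { 22.33.44.55; };
};
        zone "other.example" IN {
        type master;
        file "other.example.zone";
};
};'

# Reads named.conf on stdin; prints one OK/WARN finding per line.
audit_named_conf() {
    awk '
        /^[[:space:]]*view[[:space:]]+"/ { view = $2; gsub(/"/, "", view); clients = ""; rec = "" }
        view != "" && /match-clients/ { clients = $0 }
        view != "" && /^[[:space:]]*recursion[[:space:]]+yes/ { rec = "yes" }
        /^[[:space:]]*zone[[:space:]]+"/ { inzone = 1; zone = $2; gsub(/"/, "", zone); type = ""; xfer = "" }
        inzone && /type[[:space:]]+master/ { type = "master" }
        inzone && /allow-transfer/ {
            xfer = $0
            sub(/.*allow-transfer[[:space:]]*[{][[:space:]]*/, "", xfer)
            sub(/[[:space:]]*[}].*/, "", xfer)
        }
        inzone && /^[[:space:]]*[}];/ {
            if (type == "master" && xfer == "")
                print "WARN zone " zone ": no allow-transfer (BIND 9.3 default allows any host)"
            else if (type == "master" && xfer ~ /any/)
                print "WARN zone " zone ": allow-transfer { any; }"
            else if (type == "master")
                print "OK   zone " zone ": allow-transfer limited to " xfer
            inzone = 0
            next
        }
        view != "" && /^[[:space:]]*[}];/ {
            if (rec == "yes" && clients ~ /any/)
                print "WARN view " view ": recursion yes with match-clients any (open resolver)"
            view = ""
        }
        /^[[:space:]]*version[[:space:]]+"/ { sawversion = 1 }
        END { if (!sawversion) print "WARN options: no version string set (real BIND version is disclosed)" }'
}

# A slave writes transferred zones into the directory named by file
# "slaves/..."; if named (group named) cannot write there, the transfer ends
# with "permission denied" as in the log earlier on this page. Prints owner,
# mode and a verdict; returns 1 unless the directory is group-writable.
slaves_dir_check() {
    d="$1"
    [ -d "$d" ] || { echo "$d missing"; return 1; }
    perm=$(ls -ld "$d" | cut -c1-10)
    owner=$(ls -ld "$d" | awk '{ print $3 ":" $4 }')
    if [ "$(printf '%s' "$perm" | cut -c6)" = w ]; then
        echo "$d $owner $perm group-writable"
    else
        echo "$d $owner $perm NOT group-writable"; return 1
    fi
}

# Usage on a server:
#   audit_named_conf < /var/named/chroot/etc/named.conf
#   slaves_dir_check /var/named/chroot/var/named/slaves
printf '%s\n' "$SAMPLE_NAMED_CONF" | audit_named_conf
```

The audit is deliberately conservative: a master zone with no allow-transfer at all is flagged, because on this BIND release the absence of the statement means any host may pull the whole zone.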

Cisco:Miscellaneous commands

Thursday, August 5th, 2010

How to delete an old IOS image from flash memory

Router# delete old IOS image name
Delete filename [old IOS image name]?
Delete flash: old IOS image name [confirm]
Router#

How to reclaim the flash space?

Router# squeeze flash:
 
Squeeze operation may take a while. Continue? [confirm]
squeeze in progress... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Rebuild file system directory...
Squeeze of flash complete
Router#

Running-projects

Thursday, July 15th, 2010

Objective: write a monitoring script for the network diagram below.

The script includes:
(a) Monitor MySQL replication
(b) Monitor DNS servers
    (i) Change A records on any Apache server failure
(c) Monitor Apache servers
(d) Monitor Red Hat clusters
(e) Monitor DRBD replication

How to configure Cisco router to use Microsoft DHCP server Or Active Directory Server between vlans

Friday, July 9th, 2010

Note: this is a router-on-a-stick setup (Cisco 1941 router)

(a) Find out router interfaces

EVROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up
GigabitEthernet0/1         88.88.88.81     YES DHCP   up                    up
NVI0                       unassigned      NO  unset  up                    up

(b) Create a sub-interface for each VLAN

For vlan1 
configure terminal
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
 
For Vlan 10
configure terminal
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 
For Vlan 20
 
configure terminal
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

The output should be:

EVROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up
GigabitEthernet0/0.1       192.168.1.1     YES manual up                    up
GigabitEthernet0/0.10      192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20      192.168.20.1    YES manual up                    up
GigabitEthernet0/1         88.88.88.81     YES DHCP   up                    up
NVI0                       unassigned      NO  unset  up                    up
EVROUTER#

(c) Set up the DHCP relay agent on each sub-interface

For vlan 1 
EVROUTER#configure terminal
EVROUTER(config)#interface gigabitEthernet 0/0.1
EVROUTER(config-subif)#ip helper-address 192.168.1.7
 
For Vlan10:
EVROUTER#configure terminal
EVROUTER(config)#interface gigabitEthernet 0/0.10
EVROUTER(config-subif)#ip helper-address 192.168.1.7
 
For vlan20
EVROUTER#configure terminal
EVROUTER(config)#interface gigabitEthernet 0/0.20
EVROUTER(config-subif)#ip helper-address 192.168.1.7

Now all VLANs can get an IP address for their own subnet from the DHCP server, and they can use Active Directory to log in to each computer with their username and password.

(d) Allow each VLAN to use the internet
(1) Mark each interface and sub-interface for NAT

configure terminal
interface gigabitEthernet 0/0.1
 ip nat inside
 exit
interface gigabitEthernet 0/0.10
 ip nat inside
 exit
interface gigabitEthernet 0/0.20
 ip nat inside
 exit
interface gigabitEthernet 0/1
 ip nat outside
 exit

(2) Create an access list for the VLAN addresses that may use NAT

     configure terminal
     ip access-list standard NAT_ADDRESS 
     permit 192.168.0.0 0.0.255.255

(3) Enable NAT overload

   ip nat inside source list NAT_ADDRESS gigabitEthernet 0/1  overload

Note: at this point all VLANs will be able to reach the internet.
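An added example (mine, not from the post): two checks run on a management host against saved router output. subif_problems flags a VLAN sub-interface that is unassigned or not up/up in show ip interface brief output; acl_match applies the standard-ACL wildcard test in plain sh and shows that permit 192.168.0.0 0.0.255.255 in NAT_ADDRESS covers all of 192.168.0.0/16, not only the three VLAN subnets, so any other 192.168 network behind the router would be translated as well. The show output below is constructed, with one sub-interface deliberately shut down.

```shell
#!/bin/sh
# Added example, not from the post. Checks over saved "show" output and a
# standard-ACL wildcard match in plain sh. Assumptions: show ip interface
# brief output in the format shown above; IPv4 only.

# Constructed "show ip interface brief" output (Gi0/0.20 shut down on purpose)
SAMPLE_SHOW_IP_INT='Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up
GigabitEthernet0/0.1       192.168.1.1     YES manual up                    up
GigabitEthernet0/0.10      192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20      192.168.20.1    YES manual administratively down down
GigabitEthernet0/1         88.88.88.81     YES DHCP   up                    up
NVI0                       unassigned      NO  unset  up                    up'

# Reports every sub-interface (name contains a dot) that has no address or is
# not up/up. Prints "interface ip status/protocol" per problem line.
subif_problems() {
    awk '$1 ~ /\./ {
        status = $5; proto = $6
        if ($5 == "administratively") { status = "admin-down"; proto = $7 }
        if ($2 == "unassigned" || status != "up" || proto != "up")
            print $1, $2, status "/" proto
    }'
}

# Converts a dotted quad to an integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Standard ACL test: does address $1 match "permit $2 $3" (network, wildcard)?
# A wildcard bit of 1 means "don't care". Prints match or no-match.
acl_match() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); wc=$(ip2int "$3")
    if [ $(( ip | wc )) -eq $(( net | wc )) ]; then echo match; else echo no-match; fi
}

printf '%s\n' "$SAMPLE_SHOW_IP_INT" | subif_problems
acl_match 192.168.10.1 192.168.0.0 0.0.255.255   # VLAN 10 host: covered
acl_match 192.168.99.1 192.168.0.0 0.0.255.255   # not one of the three VLANs, still covered
acl_match 10.0.0.1     192.168.0.0 0.0.255.255   # outside the list
```

If the router carries other 192.168.x.0 networks (management, lab, guest), three permit lines with wildcard 0.0.0.255 for the VLAN subnets keep NAT_ADDRESS to exactly the hosts that should reach the internet.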