Thursday, June 20, 2013

Cloud Infrastructure Technologies

I've started a new blog focusing on Infrastructure-as-a-service topics. You can find it here

http://www.dyndca.com

I will continue to post topics here of a more general technical nature around Unix & Storage systems.

-steve

Friday, August 12, 2011

Issues with a 2011 Macbook Air dropping its wireless network?

Many people are reporting issues with the MacBook Air on wireless networks, ranging from poor performance to the network simply not responding even though it appears connected. I'm aware of a couple of threads on the subject.

Wifi Issues with MacBook Air
New MacBook Air wireless problems

Here's a script I wrote that will detect a network meltdown and do something about it. No warranty implied or offered. It works for me. Your mileage may vary.

This is NOT a fix for this issue. Unfortunately we need to wait for Apple to acknowledge the problem publicly and/or fix it.

check-network.sh

It needs to run as root via cron. Don't know what I'm talking about? Perhaps this isn't for you. I can't be held responsible if you break something, but I'll try to provide some simple instructions below.

NOTE: This assumes it's running on a MacBook Air and that the wireless interface is en0.

-----
1. Download the script and put it in a suitable folder. (I use a /scripts folder in the drive root, eg at the same level as Applications etc.)
2. Open up Terminal.
3. Change the ownership of the script to root:staff (sudo chown root:staff /scripts/check-network.sh).
4. Ensure the script is executable (eg sudo chmod 550 /scripts/check-network.sh).
5. Add the script to the root crontab to execute every minute (sudo crontab -e):
* * * * * /scripts/check-network.sh
6. Type :wq to quit the crontab editor.
7. The script will now watch your network and give it a kick when it identifies a problem.

If you have growl and growlnotify installed, edit the script and change the USEGROWL=0 line to USEGROWL=1.

You'll now get a sticky growl notification on your desktop when the script needs to take action.

Otherwise you can check for entries in the /var/log/check-network.log file.
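The post's own check-network.sh is linked above rather than reproduced, so here is an added example of a watchdog in the same spirit (my code, not the author's): it pings the default gateway on each cron run, counts consecutive failures in a state file so that one lost packet cannot trigger a reset, and once the threshold is reached cycles en0 with networksetup, appends to the log and optionally calls growlnotify. The gateway lookup and the ping flags are macOS specific; the interface name, file paths and threshold are assumptions chosen to match the post's setup.

```shell
#!/bin/sh
# Wi-Fi watchdog for root's crontab (runs every minute). Added example, not
# the post's own check-network.sh. Assumes a Mac whose Wi-Fi interface is en0.
IFACE="${IFACE:-en0}"
LOG="${LOG:-/var/log/check-network.log}"
STATE="${STATE:-/var/run/check-network.failures}"   # consecutive-failure counter
THRESHOLD="${THRESHOLD:-2}"                         # failed runs in a row before a reset
USEGROWL="${USEGROWL:-0}"                           # 1 = also post a sticky growl notice

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >>"$LOG"; }
# Default IPv4 gateway from the routing table (macOS netstat syntax).
gateway() { netstat -rn -f inet 2>/dev/null | awk '$1 == "default" { print $2; exit }'; }
# True when one ping to the gateway is answered within 3 s (macOS ping -t).
# "Connected" in the menu bar but an unreachable gateway is the failure mode.
link_up() {
    gw=$(gateway)
    [ -n "$gw" ] && ping -c 1 -t 3 "$gw" >/dev/null 2>&1
}

# Updates the failure counter (0 = this run was fine, 1 = it failed) and prints
# the new count, so a single lost packet never triggers a reset on its own.
record_result() {
    count=$(cat "$STATE" 2>/dev/null || echo 0)
    if [ "$1" -eq 0 ]; then count=0; else count=$(( ${count:-0} + 1 )); fi
    printf '%s\n' "$count" >"$STATE"
    echo "$count"
}

# The "kick": cycle the Wi-Fi radio, log it, and optionally notify via growl.
kick_wifi() {
    networksetup -setairportpower "$IFACE" off
    sleep 3
    networksetup -setairportpower "$IFACE" on
    log "gateway unreachable on $THRESHOLD consecutive runs; cycled $IFACE"
    if [ "$USEGROWL" -eq 1 ]; then
        growlnotify -s -t "check-network" -m "Wi-Fi on $IFACE was reset"
    fi
}

main() {
    if link_up; then
        record_result 0 >/dev/null
    elif [ "$(record_result 1)" -ge "$THRESHOLD" ]; then
        kick_wifi
        record_result 0 >/dev/null          # start counting afresh after a reset
    fi
}
# Act only when invoked as check-network.sh (the crontab line above); sourcing the file just defines the functions.
case "$(basename "$0")" in check-network.sh) main ;; esac
```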

Update and commentary on other published "fixes" - 29/08/2011

  • 10.7.1 hasn't fixed it
  • Creating an "internet" profile doesn't fix it
  • Disabling bluetooth doesn't completely fix it
  • Removing the Bluetooth PAN device from your Network profile helps, but doesn't fix it.
Summary: Apple needs to get their act together and resolve this. The MacBook Air is a Wi-Fi orientated portable device. If Wi-Fi no worky, it's a massive FAIL.

Customers shouldn't, under any circumstances, be expected to carry out obscure low-level technical "workarounds" to get their device to function at a basic level. Shame, Apple. Shame.

Update 2/2/2012

  • 10.7.3 seems to help with the Wi-Fi on wake issues
  • Explicitly disabling IPv6 seems to solve the random internet dying issue:
    • sudo networksetup -setv6off Wi-Fi
Time will tell.

Thursday, August 11, 2011

apache, nfs & selinux


> I have an apache on FC3 that uses an NFS mounted document root from an
> FC1 server. Starting httpd on the FC3 system:
>
> service httpd start
> Starting httpd: Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
> DocumentRoot must be a directory
>
> In /var/log/messages, I get:
>
> Jul 13 13:43:34 localhost kernel: audit(1121226214.986:0): avc: denied { search }
> for pid=26466 exe=/usr/sbin/httpd name=/ dev=0:1a ino=6
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
>
> DocumentRoot is a directory. It seems to be a selinux permission
> thing. Does anyone have a suggestion on how to fix this?

Try mounting the DocumentRoot filesystem with the
"context=system_u:object_r:httpd_sys_content_t" filesystem option.

or

setsebool -P use_nfs_home_dirs=1
should also fix it.

resize an ext3 filesystem online


keywords: openfiler, iscsi, rhel, rhel4, linux, oracle, ext3, lvm2, ext2online, oracle

Rather than adding multiple devices to a volume group when using Openfiler to present
iSCSI LUNs to a Linux system, I prefer to resize the LUN in Openfiler and then extend the
physical volume, logical volume and filesystem that sit on it from the OS side. You can do
this without shutting anything down or unmounting the filesystem, but obviously use at your own risk.

Openfiler:
1. Choose your LUN in Openfiler volume management and increase its size.
In this case I increase a LUN from 15GB to 25GB.

OS:

[root@ora02 app]# iscsi-rescan
Rescanning host2
Rescanning host3

# Multiple "hosts" are listed since I present multiple targets to the host containing different
LUN groups. One set is shared LUNs for an Oracle cluster and the other contains LUNs
exclusive to this host.

# identify the device that you want to extend. In this case it's /dev/sdb
# and the VG is ora01sanfs

[root@ora01 ~]# pvscan
/dev/cdrom: open failed: Read-only file system
Attempt to close device '/dev/cdrom' which is not open.
PV /dev/sdb VG ora01sanfs lvm2 [15.00 GB / 0 free]
PV /dev/sda2 VG rootdg lvm2 [232.75 GB / 195.44 GB free]
Total: 2 [247.75 GB] / in use: 2 [247.75 GB] / in no VG: 0 [0 ]

# Now execute a pvresize to reflect the LUNs new larger size

[root@ora01 ~]# pvresize /dev/sdb
Physical volume "/dev/sdb" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

[root@ora02 app]# pvscan
PV /dev/sdb VG ora02sanfs lvm2 [25.00 GB / 0 free]
PV /dev/sda2 VG rootdg lvm2 [232.75 GB / 195.44 GB free]
Total: 2 [257.75 GB] / in use: 2 [257.75 GB] / in no VG: 0 [0 ]

# Now work out how many free extents the VG has gained; that is the amount
# to add when increasing the LV size.

[root@ora01 ~]# vgdisplay ora01sanfs
--- Volume group ---
VG Name ora01sanfs
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 5
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 1
Open LV 1
Max PV 0
Cur PV 1
Act PV 1
VG Size 25.00 GB
PE Size 4.00 MB
Total PE 6399
Alloc PE / Size 3839 / 15.00 GB
Free PE / Size 2560 / 10.00 GB
VG UUID ub4wUC-3Try-z7Rq-NgEH-1RAp-eG3B-K17JfQ

# Now extend the LV.
# Note the + symbol is important, as it states "add" 2560 extents.

[root@ora02 app]# lvextend -l +2560 /dev/mapper/ora02sanfs-lv_ora02_orahome
Extending logical volume lv_ora02_orahome to 25.00 GB
Logical volume lv_ora02_orahome successfully resized

# Note the filesystem is currently 15GB
[root@ora02 app]# df -k /u01
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/ora02sanfs-lv_ora02_orahome
15477744 12717992 1973796 87% /u01


# Now extend the filesystem (ext3)

[root@ora02 app]# ext2online /u01
ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

[root@ora02 app]# df -k /u01
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/ora02sanfs-lv_ora02_orahome
25798972 12725240 11763820 52% /u01

All done without shutting anything down.
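The same procedure as one script, added here as an example rather than taken from the post: it checks that the PV really belongs to the named VG before touching anything, rescans, resizes the PV, reads the free extent count out of vgdisplay and extends the LV and the mounted filesystem by exactly that amount. Device, VG, LV and mount point are arguments; the values in the usage comment are the post's, and the command names (iscsi-rescan, ext2online) are the post's RHEL4-era tools.

```shell
#!/bin/sh
# Grow an iSCSI LUN-backed ext3 filesystem online: the post's manual steps in
# one script. Added example, not the post's; command names follow the post.
# Usage: grow-lun.sh PV VG LV MOUNTPOINT, e.g.
#   grow-lun.sh /dev/sdb ora02sanfs /dev/mapper/ora02sanfs-lv_ora02_orahome /u01
set -eu

# Prints the number of free extents from vgdisplay output read on stdin. The
# line looks like "Free  PE / Size       2560 / 10.00 GB": field 5 is the count.
free_pe() {
    awk '/Free +PE \/ Size/ { print $5; exit }'
}

# Refuses to touch a PV that is not in the expected VG, so a mistyped device
# name cannot end up resizing the wrong LUN.
check_pv_in_vg() {
    actual=$(pvs --noheadings -o vg_name "$1" | tr -d ' ')
    [ "$actual" = "$2" ]
}

main() {
    pv=$1 vg=$2 lv=$3 mnt=$4
    check_pv_in_vg "$pv" "$vg" || { echo "$pv is not in VG $vg" >&2; exit 1; }
    df -k "$mnt"                        # size before, for comparison
    iscsi-rescan                        # let the initiator see the grown LUN
    pvresize "$pv"                      # PV now reports the LUN's new size
    extents=$(vgdisplay "$vg" | free_pe)
    [ "${extents:-0}" -gt 0 ] || { echo "no free extents in $vg" >&2; exit 1; }
    lvextend -l "+$extents" "$lv"       # "+" adds extents; without it -l sets a total
    ext2online "$mnt"                   # grows mounted ext3 on RHEL4 (resize2fs on later releases)
    df -k "$mnt"                        # size after
}

# Runs only with all four arguments; sourcing the file just defines the functions.
if [ "$#" -eq 4 ]; then main "$@"; fi
```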

Authenticating Linux users against AD using Kerberos


This is a neat trick for those of you who have Microsoft's Active Directory (AD)
in your environment and don't want to have to manage two different
username/passwords in the environment.

In very oversimplified terms, Microsoft AD is basically an LDAP directory
bolted on top of a Kerberos authentication system. Knowing this, you can
configure your Linux systems to authenticate directly against an AD domain
without requiring your Linux servers (#) to be joined to the AD domain and
without using AD as your directory service for Unix.

I will use RHEL5 as my example distribution for this:

(Note: Strictly speaking, this technique should work on any Unix platform that
has Kerberos support. I've personally witnessed it working on HP-UX.
However, configuring Kerberos and your authentication methods to support this
will vary significantly between platforms. Red Hat just makes it really easy on
their Linux distribution. Your mileage will vary.)

Only two or three changes are effectively required. Even in stripped-down
systems the Kerberos client libraries are usually part of the distribution, so it's
rare that package installations are required.

  • Edit /etc/krb5.conf
  • Run authconfig to enable Kerberos for authentication on the system.
  • (Optional) If you use ssh to connect you need to modify sshd_config to add
    Kerberos support

1. Edit /etc/krb5.conf

(If this file is missing, the package required on RedHat systems is krb5-libs)

Let's assume your AD domain is MYAD.COM

Edit the [libdefaults] section.
Replace EXAMPLE.COM with MYAD.COM. (Kerberos uses capitalisation to distinguish
a REALM from a DNS domain.)
Set dns_lookup_realm and dns_lookup_kdc to true.

Delete the entire [realms] section, as you won't be specifying the servers unless
you know you really need to. I'll explain why below. (##)

Edit the [domain_realm] section and replace all references to example.com
with your AD domain, in this example MYAD.COM, eg

[domain_realm]
.myad.com = MYAD.COM
myad.com = MYAD.COM

Save the file and exit your editor.

2. Run authconfig

Run the following command (RH Linux specific):

authconfig --update --enablekrb5

3. Configure SSH

Edit the sshd_config file to enable kerberos support

vi /etc/ssh/sshd_config

Uncomment or add these if necessary and set the following:
KerberosAuthentication yes
KerberosOrLocalPasswd yes


Restart sshd

On RH: service sshd restart

--
Now you can add users to your system with usernames matching an AD account
and they will be able to authenticate via AD.

(Note: AD is case insensitive, Unix is not. Create your usernames in all
lowercase even if the convention within your organisation is mixed case or
something different.)

A quick way to add a user without a local password that will be forced to
authenticate via AD is as follows:

adduser -m -r testuser

This will create the user as a system account (it cannot log in via a local
password).


Now, log in via ssh using the userid you have created (assuming you know the
password!) and you should be able to log in to the system.

I also use this technique for services that use local authentication but where I
don't want to provide a Unix shell, eg chrooted SFTP.

I can change my adduser command to: adduser -m -r -s /sbin/nologin testuser
or edit /etc/passwd and change the user's shell.
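The three steps plus the user creation, as an added example script (mine, not the author's): it writes a krb5.conf for the realm that relies on SRV lookups and has no [realms] section, runs authconfig, sets the two sshd_config options idempotently whether they are present, commented out or absent, and creates AD-authenticated local accounts with lowercase names. MYAD.COM, the file paths and the function names are assumptions that follow the post.

```shell
#!/bin/sh
# Configure a RHEL5 host to authenticate users against an AD realm over
# Kerberos, as in the post's three steps. Added example, not from the post.
# Usage: ad-krb-setup.sh MYAD.COM   (the AD domain in upper case = the realm)
set -eu
# Prints a krb5.conf for REALM. KDCs are found via the _kerberos._tcp SRV
# records, so no [realms] section is written; [domain_realm] maps the
# lowercase DNS domain onto the upper-case realm name.
render_krb5_conf() {
    realm=$1
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = true
 dns_lookup_kdc = true

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Sets "KEY VALUE" in an sshd_config-style file: rewrites an existing line
# for KEY (commented out or not) or appends one when the key is absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >>"$file"
    fi
}

# Local account that can only authenticate via AD: lowercase name (Unix is
# case sensitive, AD is not), system account so it has no local password.
add_ad_user() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    adduser -m -r -s "${2:-/bin/bash}" "$name"   # pass /sbin/nologin for SFTP-only users
}

main() {
    render_krb5_conf "$1" >/etc/krb5.conf
    authconfig --update --enablekrb5            # enables pam_krb5 (RHEL specific)
    set_sshd_option /etc/ssh/sshd_config KerberosAuthentication yes
    set_sshd_option /etc/ssh/sshd_config KerberosOrLocalPasswd yes
    service sshd restart
}
if [ "$#" -eq 1 ]; then main "$1"; fi   # sourcing the file just defines the functions
```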


I have found this technique useful on many client sites, especially for
providing access for non-techie type users to services running on Unix hosts.

(#) Not all Unix platforms will allow this. One of the behind the scenes steps of
adding a host to an AD domain is the creation of a host principal in Kerberos.
Some PAM implementations on Unix systems will insist on a host principal existing
in the Kerberos Realm (In this case AD) before it will allow users to be
authenticated. Redhat Linux does not insist on the existence of the host
principal. Your mileage will vary with other distributions.


(##) Kerberos supports special DNS records called SRV records. These are
automatically created within an AD domain and tell clients where to find the
servers providing Kerberos authentication services. This is why we set
"dns_lookup_realm & dns_lookup_kdc" to true in our /etc/krb5.conf.

If you want to see which servers are providing authentication services in an AD
domain, run this on your Unix host. "#" indicates a Unix command prompt and
">" indicates an nslookup prompt.

# nslookup
> set type=srv
> _kerberos._tcp.myad.com <----- replace myad.com with your AD domain name.


You will be presented with a list of all Active Directory domain controllers
serving the AD domain. Much better than manually trying to maintain server
entries on your Unix hosts.

(###) If a user has a valid shell and can log in to the host via this technique,
they will also be able to update their password in AD using the passwd command.
However, no one else, including root (####), will be able to update someone
else's password unless they know the user's original password and can obtain a
valid Kerberos ticket using kinit.

(####) This is not strictly true. If you create a root principal in kerberos and
grant it admin privilege, root can change any passwd in kerberos.
However, they would need to do so via the kadmin tool.