I've started a new blog focusing on Infrastructure-as-a-service topics. You can find it here
http://www.dyndca.com
I will continue to post topics here of a more general technical nature around Unix & Storage systems.
-steve
younixgeek
you-nix-geek (n)
Thursday, June 20, 2013
Friday, August 12, 2011
Issues with a 2011 Macbook Air dropping its wireless network?
Many people are reporting issues with the Macbook Air using wireless networks, ranging from poor performance to the network simply not responding even though it appears connected. I'm aware of a couple of threads on the subject.
Wifi Issues with MacBook Air
New MacBook Air wireless problems
Here's a script I wrote that will detect a network meltdown and do something about it. No warranty implied or offered. It works for me. Your mileage may vary.
This is NOT a fix for this issue. Unfortunately we need to wait for Apple to both acknowledge the problem publicly and/or fix it.
check-network.sh
It needs to run as root via cron. Don't know what I'm talking about? Perhaps this isn't for you. I can't be held responsible if you break something. But I'll try to provide some simple instructions below.
NOTE: This assumes it's running on a Macbook Air and that the wireless interface is en0
-----
1. Download the script and put it in a suitable folder. (I use a /scripts folder in the drive root, e.g. at the same level as Applications etc.)
2. Open up Terminal
3. Change the ownership of the script to root:staff (sudo chown root:staff /scripts/check-network.sh)
4. Ensure the script is executable (e.g. sudo chmod 550 /scripts/check-network.sh)
5. Add the script to the root crontab to execute every minute (sudo crontab -e)
* * * * * /scripts/check-network.sh
6. Type :wq to quit the crontab editor
7. The script will now watch your network and give it a kick when it identifies a problem.
If you have growl and growlnotify installed, edit the script and change the USEGROWL=0 line to USEGROWL=1.
You'll now get a sticky growl notification on your desktop when the script needs to take action.
Otherwise you can check for entries in the /var/log/check-network.log file
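Because cron runs this script as root every minute, any account that can modify the script or a folder above it can run commands as root. The following is an added example, not the author's check-network.sh, that audits ownership and write bits along the path; the names perm_bits and audit_cron_path, the optional OWNER_UID and TOP arguments, and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the post's script): audit a script that root's crontab runs.
# Any account that can write the script or a parent folder can run code as root.

# Print "GROUP_W OTHER_W UID" for a path, parsed from ls -ldn (macOS and Linux).
perm_bits() {
    ls -ldn "$1" | awk '{ print substr($1, 6, 1), substr($1, 9, 1), $3 }'
}

# usage: audit_cron_path FILE [OWNER_UID] [TOP]
# Walks from FILE up to TOP (default /); prints findings, returns 1 if any.
# Symlinks show as lrwxrwxrwx and are reported as writable; resolve them first.
audit_cron_path() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    [ -e "$1" ] || { echo "$1: not found" >&2; return 2; }
    p=$1; want=${2:-0}; top=${3:-/}; bad=0
    while :; do
        set -- $(perm_bits "$p")
        [ "$3" = "$want" ] || { echo "$p: owner uid is $3, expected $want"; bad=1; }
        [ "$1" != w ] || { echo "$p: group-writable"; bad=1; }
        [ "$2" != w ] || { echo "$p: world-writable"; bad=1; }
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# Demo on a constructed tree standing in for /scripts (owner is the current user).
demo=$(mktemp -d); mkdir "$demo/scripts"; chmod 755 "$demo/scripts"
: > "$demo/scripts/check-network.sh"; chmod 550 "$demo/scripts/check-network.sh"
audit_cron_path "$demo/scripts/check-network.sh" "$(id -u)" "$demo" &&
    echo "path is tight"
chmod 775 "$demo/scripts"   # group members could now replace the script
audit_cron_path "$demo/scripts/check-network.sh" "$(id -u)" "$demo" ||
    echo "fix the findings above before adding the script to root's crontab"
rm -rf "$demo"
```

On the real machine the call would be `audit_cron_path /scripts/check-network.sh`, which expects uid 0 on the script and on every folder up to /.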
**Update and commentary on other published "fixes" - 29/08/2011
- 10.7.1 hasn't fixed it
- Creating an "internet" profile doesn't fix it
- Disabling bluetooth doesn't completely fix it
- Removing the Bluetooth PAN device from your Network profile helps, but doesn't fix it.
Summary: Apple needs to get their act together and resolve this. Macbook Air is a Wifi orientated portable device. If Wifi no worky, it's a massive FAIL.
Customers shouldn't, under any circumstances, be expected to have to carry out any obscure low level technical "workarounds" to get their device to function to a basic level. Shame, Apple. Shame.
*Update 2/2/2012
- 10.7.3 seems to help with the Wifi on wake issues
- Explicitly disabling IPv6 seems to solve the random internet dying issue.
- sudo networksetup -setv6off Wi-Fi
Time will tell.
Thursday, August 11, 2011
apache, nfs & selinux
> I have an apache on FC3 that uses an NFS mounted document root from an
> FC1 server. Starting httpd on the FC3 system:
>
> service httpd start
> Starting httpd: Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
> DocumentRoot must be a directory
>
> In /var/log/messages, I get:
>
> Jul 13 13:43:34 localhost kernel: audit(1121226214.986:0): avc: denied { search }
> for pid=26466 exe=/usr/sbin/httpd name=/ dev=0:1a ino=6
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
>
> DocumentRoot is a directory. It seems to be a selinux permission
> thing. Does anyone have a suggestion on how to fix this?

Try mounting the DocumentRoot filesystem with the "context=system_u:object_r:httpd_sys_content_t" filesystem option.

or

    setsebool -P use_nfs_home_dirs=1

should also fix it.
resize an ext3 filesystem online
keywords: openfiler, iscsi, rhel, rhel4, linux, oracle, ext3, lvm2, ext2online, oracle

Rather than adding multiple devices to a volume group when using Openfiler to present iSCSI LUNs for filesystem use to a Linux system, I prefer to resize the LUN and extend the volume and filesystem that holds it on the OS. You can do this without shutting anything down or unmounting the filesystem, but obviously use at your own risk.

Openfiler:

1. Choose your LUN in openfiler volume management. Increase its size in Openfiler. In this case I increase a LUN from 15Gb to 25GB.

OS:

    [root@ora02 app]# iscsi-rescan
    Rescanning host2
    Rescanning host3

# Multiple "hosts" are listed since I present multiple targets to the host containing different LUN groups. One set is shared LUNs for an Oracle cluster and the other contains LUNs exclusive to this host.

# Identify the device that you want to extend. In this case it's /dev/sdb
# and the VG is ora01sanfs

    [root@ora01 ~]# pvscan
    /dev/cdrom: open failed: Read-only file system
    Attempt to close device '/dev/cdrom' which is not open.
    PV /dev/sdb VG ora01sanfs lvm2 [15.00 GB / 0 free]
    PV /dev/sda2 VG rootdg lvm2 [232.75 GB / 195.44 GB free]
    Total: 2 [247.75 GB] / in use: 2 [247.75 GB] / in no VG: 0 [0 ]

# Now execute a pvresize to reflect the LUN's new larger size

    [root@ora01 ~]# pvresize /dev/sdb
    Physical volume "/dev/sdb" changed
    1 physical volume(s) resized / 0 physical volume(s) not resized

    [root@ora02 app]# pvscan
    PV /dev/sdb VG ora02sanfs lvm2 [25.00 GB / 0 free]
    PV /dev/sda2 VG rootdg lvm2 [232.75 GB / 195.44 GB free]
    Total: 2 [257.75 GB] / in use: 2 [257.75 GB] / in no VG: 0 [0 ]

# Now work out how many extra extents you have to give your VG for use when increasing the LV size.

    [root@ora01 ~]# vgdisplay ora01sanfs
    --- Volume group ---
    VG Name               ora01sanfs
    System ID
    Format                lvm2
    Metadata Areas        1
    Metadata Sequence No  5
    VG Access             read/write
    VG Status             resizable
    MAX LV                0
    Cur LV                1
    Open LV               1
    Max PV                0
    Cur PV                1
    Act PV                1
    VG Size               25.00 GB
    PE Size               4.00 MB
    Total PE              6399
    Alloc PE / Size       3839 / 15.00 GB
    Free  PE / Size       2560 / 10.00 GB
    VG UUID               ub4wUC-3Try-z7Rq-NgEH-1RAp-eG3B-K17JfQ

# Now extend the LV.
# Note the + symbol is important, as it states "add" 2560 extents.

    [root@ora02 app]# lvextend -l +2560 /dev/mapper/ora02sanfs-lv_ora02_orahome
    Extending logical volume lv_ora02_orahome to 25.00 GB
    Logical volume lv_ora02_orahome successfully resized

# Note the filesystem is currently 15GB

    [root@ora02 app]# df -k /u01
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/mapper/ora02sanfs-lv_ora02_orahome
                          15477744  12717992   1973796  87% /u01

# Now extend the filesystem (ext3)

    [root@ora02 app]# ext2online /u01
    ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

    [root@ora02 app]# df -k /u01
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/mapper/ora02sanfs-lv_ora02_orahome
                          25798972  12725240  11763820  52% /u01

All done without shutting anything down.
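An added example, not part of the original post, that automates the extent arithmetic from the vgdisplay step: it reads vgdisplay text, checks that Alloc PE plus Free PE equals Total PE, and prints the matching lvextend command. The function names and the embedded sample (built from the values shown in the post) are illustrative, and PE Size is assumed to be reported in MB.

```shell
#!/bin/sh
# Added example (not the post's code): derive the lvextend argument from
# vgdisplay output. Field positions follow the vgdisplay layout shown above.

sample_vgdisplay() {  # constructed from the values printed in the post
    printf '%s\n' '  VG Name               ora01sanfs' \
        '  PE Size               4.00 MB' \
        '  Total PE              6399' \
        '  Alloc PE / Size       3839 / 15.00 GB' \
        '  Free  PE / Size       2560 / 10.00 GB'
}

# Read vgdisplay text on stdin; print "FREE_PE ADDED_MB" or fail with a reason.
free_extents() {
    awk '
        /PE Size/  { pe_mb = $3 }   # assumes the size is reported in MB
        /Total PE/ { total = $3 }
        /Alloc PE/ { alloc = $5 }
        /Free +PE/ { free = $5 }
        END {
            if (total == "" || alloc == "" || free == "" || pe_mb == "") {
                print "vgdisplay fields missing" > "/dev/stderr"; exit 2
            }
            if (alloc + free != total) {   # stale or truncated output
                print "extent counts do not add up" > "/dev/stderr"; exit 3
            }
            if (free == 0) { print "no free extents" > "/dev/stderr"; exit 1 }
            printf "%d %d\n", free, free * pe_mb
        }'
}

# Print the lvextend command for LV_PATH; the "+" adds extents to the LV.
lvextend_command() {  # usage: vgdisplay VG | lvextend_command LV_PATH
    out=$(free_extents) || return 1
    printf 'lvextend -l +%s %s\n' "${out%% *}" "$1"
}

# Prints: lvextend -l +2560 /dev/mapper/ora02sanfs-lv_ora02_orahome
sample_vgdisplay | lvextend_command /dev/mapper/ora02sanfs-lv_ora02_orahome
```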
Authenticating Linux users against AD using Kerberos
This is a neat trick for those of you who have Microsoft's Active Directory (AD) in your environment and don't want to have to manage two different username/passwords in the environment.

In very oversimplified terms, Microsoft AD is basically an LDAP directory bolted on top of a Kerberos authentication system. Knowing this, you can configure your Linux systems to authenticate directly against an AD domain without requiring your Linux servers(#) to be added to the AD domain and without using AD as your directory service for Unix.

I will use RHEL5 as my example distribution for this:

(Note: Strictly speaking, this technique should work on any Unix platform that has Kerberos support. I've personally witnessed it working on HPUX. However, configuring Kerberos and your authentication methods to support this will vary significantly between platforms. Red Hat just make it really easy on their Linux distribution. Your mileage will vary.)

Only two or three changes are effectively required. Even in stripped down systems the Kerberos client libraries are usually part of the distribution, so it's rare that package installations are required.
1. Edit /etc/krb5.conf
(If this file is missing, the package required on Red Hat systems is krb5-libs)

Let's assume your AD domain is MYAD.COM

- Edit the [libdefaults] section. Replace EXAMPLE.COM with MYAD.COM. (Kerberos uses capitalisation to indicate a REALM vs a DNS domain)
- Set dns_lookup_realm & dns_lookup_kdc to true
- Delete the entire [realms] section as you won't be specifying the servers unless you know you really need to. I'll explain why below. (##)
- Edit the [domain_realm] section and replace all references to example.com with your AD domain, in this example MYAD.COM

e.g.

    [domain_realm]
    .myad.com = MYAD.COM
    myad.com = MYAD.COM

Save the file and exit your editor.

2. Run the following command (RH Linux specific)

    authconfig --update --enablekrb5

3. Configure SSH
Edit the sshd_config file to enable Kerberos support

    vi /etc/ssh/sshd_config

Uncomment or add these if necessary and set the following:

    KerberosAuthentication yes
    KerberosOrLocalPasswd yes

Restart sshd. On RH:

    service sshd restart

--

Now you can add users to your system with usernames matching an AD account and they will be able to authenticate via AD.

(Note: AD is case insensitive, Unix is not. Create your usernames in all lowercase even if the convention within your organisation is mixed case or something different.)

A quick way to add a user without a local password that will be forced to authenticate via AD is as follows:

    adduser -m -r testuser

This will create a user as a system account (cannot be logged in via a local password).

Now, log in via ssh using the userid you have created (assuming you know the password!) and you should be able to log in to the system.

I also use this technique for services that use local authentication but where I don't want to provide a Unix shell, e.g. chrooted SFTP. I can change my adduser command to:

    adduser -m -r -s /sbin/nologin testuser

or edit /etc/passwd and change the user shell.
I have found this technique useful on many client sites, especially for providing access for non-techie type users to services running on Unix hosts.

(#) Not all Unix platforms will allow this. One of the behind the scenes steps of adding a host to an AD domain is the creation of a host principal in Kerberos. Some PAM implementations on Unix systems will insist on a host principal existing in the Kerberos realm (in this case AD) before they will allow users to be authenticated. Red Hat Linux does not insist on the existence of the host principal. Your mileage will vary with other distributions.

(##) Kerberos supports special DNS records called SRV records. These are automatically created within an AD domain and tell clients where to find the servers providing Kerberos authentication services. This is why we set "dns_lookup_realm & dns_lookup_kdc" to true in our /etc/krb5.conf. If you want to see what servers are providing authentication services in an AD domain, run this on your Unix host. "#" indicates a Unix command prompt and ">" indicates an nslookup prompt.

    # nslookup
    > set type=srv
    > _kerberos._tcp.myad.com     <----- replace myad.com with your AD domain name.

You will be presented with a list of all Active Directory domain controllers serving the AD domain. Much better than manually trying to maintain server entries on your Unix hosts.

(###) If a user has a valid shell and can log in to the host via this technique, they will also be able to update their password in AD using the passwd command. However, no one else, including root (####), will be able to update someone else's passwd unless they know the user's original passwd and can obtain a valid Kerberos ticket using kinit.

(####) This is not strictly true. If you create a root principal in Kerberos and grant it admin privilege, root can change any passwd in Kerberos. However, they would need to do so via the kadmin tool.
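A mistyped line in /etc/krb5.conf or sshd_config tends to fail silently, with logins simply being refused. The following added example, which is not from the original post, checks the settings the steps above call for; the helper names krb5_get, audit_krb5, audit_sshd and sample_krb5 are illustrative, the sample file content is constructed, and the sshd check assumes both keywords are set explicitly rather than left at their defaults.

```shell
#!/bin/sh
# Added example (not the post's code): check the settings the steps above call for.
# MYAD.COM is the post's example realm; the sample file content is constructed.

krb5_get() {  # usage: krb5_get FILE SECTION KEY -> prints the value
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }   # full-line comments
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
        in_sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

audit_krb5() {  # usage: audit_krb5 FILE REALM -> prints problems, returns 1 if any
    bad=0; dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$(krb5_get "$1" libdefaults default_realm)" = "$2" ] ||
        { echo "default_realm is not $2"; bad=1; }
    for k in dns_lookup_realm dns_lookup_kdc; do
        [ "$(krb5_get "$1" libdefaults "$k")" = "true" ] ||
            { echo "$k is not true"; bad=1; }
    done
    for d in ".$dom" "$dom"; do
        [ "$(krb5_get "$1" domain_realm "$d")" = "$2" ] ||
            { echo "domain_realm lacks $d = $2"; bad=1; }
    done
    return "$bad"
}

audit_sshd() {  # sshd_config keywords are case-insensitive; first match wins
    bad=0
    for k in KerberosAuthentication KerberosOrLocalPasswd; do
        v=$(awk -v key="$k" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
        [ "$v" = "yes" ] || { echo "$k is not set to yes"; bad=1; }
    done
    return "$bad"
}

sample_krb5() {  # constructed file; $1 is the separator used on the last line
    printf '%s\n' '[libdefaults]' ' default_realm = MYAD.COM' \
        ' dns_lookup_realm = true' ' dns_lookup_kdc = true' \
        '[domain_realm]' ' .myad.com = MYAD.COM' " myad.com $1 MYAD.COM"
}

tmp=$(mktemp -d)
sample_krb5 '=' > "$tmp/good.conf"; sample_krb5 '-' > "$tmp/typo.conf"
audit_krb5 "$tmp/good.conf" MYAD.COM && echo "good.conf: ok"
audit_krb5 "$tmp/typo.conf" MYAD.COM || echo "typo.conf: fix the lines above"
rm -rf "$tmp"
```

On a configured host the calls would be `audit_krb5 /etc/krb5.conf MYAD.COM` and `audit_sshd /etc/ssh/sshd_config`, with your own realm in place of MYAD.COM.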