There are many tools for monitoring a network, MRTG for example. This post covers vnstat (view network statistics), a tool that tracks bandwidth use on a single system. It is easy to install and configure.
vnstat can report how much bandwidth was used:
Per month.
Per week.
Per day.
Per hour.
Per second (the current rate, sampled over a few seconds).
It can also show live traffic. This is an awesome tool.
Like every tool it has disadvantages as well as advantages; here they are:
1) It reports one interface per invocation; every interface you want tracked needs its own database (created with vnstat -u -i <interface>).
2) It cannot monitor a remote host; it only reads the local kernel counters.
3) It keeps no per-host statistics, so it will not tell you which host is hogging the link. For per-host accounting use iptables byte counters instead.
Before configuring vnstat, keep in mind that it is an aggregating tool, not a sniffer: it periodically reads the per-interface byte counters the kernel keeps in /proc/net/dev and stores the deltas. It therefore has to run at regular intervals, and the package installs a cron job under /etc/cron.d for that purpose.
Step1 : Installing vnstat
# rpm -ivh vnstat-1.6-2.fc9.i386.rpm
(On a system with the repositories configured, yum install vnstat does the same.)
Step2 : Configuring vnstat.
As mentioned above, vnstat aggregates counters, so it has to run in the background from cron. Edit the cron job:
# vi /etc/cron.d/vnstat
*/5 * * * * vnstat /usr/sbin/vnstat.cron
The fields are minute, hour, day of month, month, day of week, then the user and the command: this line runs /usr/sbin/vnstat.cron every five minutes as the vnstat user. Add it if it is missing, then save and exit.
Step3 : Specifying which interface to monitor
# vnstat -i interfacename
Example :
[root@test ~]# vnstat -i eth0
Error :
Unable to read database "/var/lib/vnstat/eth0".
eth0: Not enough data available yet.
This error is expected the first time: the database for eth0 only exists once counters have been collected. Either wait for the cron job to run, or create and update the database immediately with vnstat -u -i eth0.
Step4 : Monitoring bandwidth with different intervals
Type1 : For live traffic
# vnstat -l
-l stands for live: vnstat samples the counters every second until you press CTRL-C, then prints a summary.
Example:
[root@test ~]# vnstat -l
Monitoring eth0... (press CTRL-C to stop)
rx: 8.32 kB/s 30 p/s          tx: 0.19 kB/s 0 p/s

eth0 / traffic statistics

                                      rx  |  tx
--------------------------------------+----------------------------------------
  bytes                         206 kB  |  4 kB
--------------------------------------+----------------------------------------
  max                       11.19 kB/s  |  0.24 kB/s
  average                    7.96 kB/s  |  0.19 kB/s
  min                        6.35 kB/s  |  0.11 kB/s
--------------------------------------+----------------------------------------
  packets                          695  |  16
--------------------------------------+----------------------------------------
  max                           61 p/s  |  2 p/s
  average                       26 p/s  |  0 p/s
  min                            9 p/s  |  0 p/s
--------------------------------------+----------------------------------------
  time                      26 seconds
Type2 : For the current traffic rate
# vnstat -tr 5
-tr samples the counters for the given number of seconds (5 here) and prints the average rate over that window.
Type3 : For hourly
# vnstat -h
Example :
[root@test ~]# vnstat -h
eth0 21:00
(ASCII bar graph of rx/tx per hour for the last 24 hours, trimmed)
 h  rx (kB)  tx (kB)    h  rx (kB)  tx (kB)    h  rx (kB)  tx (kB)
22        0        0   06        0        0   14        0        0
23        0        0   07        0        0   15        0        0
00        0        0   08        0        0   16        0        0
01        0        0   09        0        0   17        0        0
02        0        0   10        0        0   18        0        0
03        0        0   11        0        0   19        0        0
04        0        0   12        0        0   20   12,614       41
05        0        0   13        0        0   21        0        0
Type4 : For daily
# vnstat -d
Example :
[root@test ~]# vnstat -d
eth0 / daily
   day          rx      |     tx      |  total
------------------------+-------------+----------------------------------------
 09.09.      12.32 MB   |    41 kB    |  12.36 MB   %%%%%%%%%%%%%%%%%%%%%%%%%
------------------------+-------------+----------------------------------------
 estimated        --    |      --     |     --
Type5 : For weekly
# vnstat -w
Example :
[root@test ~]# vnstat -w
eth0 / weekly
                            rx      |     tx      |  total
----------------------------+---------------+--------------
 last 7 days         12.32 MB   |    41 kB    |  12.36 MB
 current week        12.32 MB   |    41 kB    |  12.36 MB
----------------------------+---------------+--------------
 estimated                --    |      --     |     --
Type6 : For monthly
# vnstat -m
Example :
[root@test ~]# vnstat -m
eth0 / monthly
   month         rx      |     tx      |  total
-------------------------+--------------+--------------------------------------
 Sep '09      12.32 MB   |    41 kB    |  12.36 MB   %%%%%%%%%%%%%%%%%%%%%%
-------------------------+--------------+--------------------------------------
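The post describes vnstat as an aggregator that has to run from cron, but never shows what it actually aggregates. The script below is an added illustration, not part of the original post or of vnstat itself: it performs the same counter arithmetic on two constructed copies of /proc/net/dev, including the 32-bit counter wrap an aggregator has to cope with. Interface names, counter values and sampling intervals are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the arithmetic an aggregating
# tool such as vnstat performs. The kernel keeps cumulative per-interface byte
# counters in /proc/net/dev; a poller reads them at intervals (the */5 cron
# job above) and stores the deltas. The two snapshots below are constructed so
# the script runs offline; on a live host replace them with copies of
# /proc/net/dev taken N seconds apart.

SAMPLE_DIR=$(mktemp -d)

cat >"$SAMPLE_DIR/before" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4000      40    0    0    0     0          0         0     4000      40    0    0    0     0       0          0
  eth0: 1000000   10000    0    0    0     0          0         0   200000    2000    0    0    0     0       0          0
  eth1:4294967000  99999    0    0    0     0          0         0      100       1    0    0    0     0       0          0
EOF

cat >"$SAMPLE_DIR/after" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4000      40    0    0    0     0          0         0     4000      40    0    0    0     0       0          0
  eth0: 1005120   10050    0    0    0     0          0         0   201280    2010    0    0    0     0       0          0
  eth1:     296  100005    0    0    0     0          0         0      500       5    0    0    0     0       0          0
EOF

# rx_tx_bytes FILE IFACE -> "RX_BYTES TX_BYTES" for IFACE from a /proc/net/dev copy.
# The kernel prints "eth0:" followed by the counters; when the rx counter is
# wide enough the colon and the number run together ("eth1:4294967000"),
# which is why both shapes are handled.
rx_tx_bytes() {
    awk -v ifc="$2" '
        $1 == ifc ":"            { print $2, $10 }
        $1 ~ "^" ifc ":[0-9]"    { sub(ifc ":", "", $1); print $1, $9 }
    ' "$1"
}

# bytes_per_sec BEFORE AFTER IFACE SECONDS -> "RX_RATE TX_RATE" in bytes/s.
# Counters are cumulative, so rate = delta / interval. On 32-bit counters
# (old kernels, some NICs) the value wraps at 2^32; a negative delta is
# corrected rather than reported as garbage.
bytes_per_sec() {
    set -- $(rx_tx_bytes "$1" "$3") $(rx_tx_bytes "$2" "$3") "$4"
    rx=$(( $3 - $1 )); tx=$(( $4 - $2 ))
    [ "$rx" -lt 0 ] && rx=$(( rx + 4294967296 ))
    [ "$tx" -lt 0 ] && tx=$(( tx + 4294967296 ))
    echo "$(( rx / $5 )) $(( tx / $5 ))"
}

# Usage: the cron interval in the post is five minutes; here the two samples
# are 5 seconds apart for eth0 and 4 seconds apart for eth1 (which wrapped).
echo "eth0: $(bytes_per_sec "$SAMPLE_DIR/before" "$SAMPLE_DIR/after" eth0 5) bytes/s (rx tx)"
echo "eth1: $(bytes_per_sec "$SAMPLE_DIR/before" "$SAMPLE_DIR/after" eth1 4) bytes/s (rx tx)"
```

On a live host, `cat /proc/net/dev > before; sleep 5; cat /proc/net/dev > after` gives real input; the cron job from Step2 does the same every five minutes and stores the deltas under /var/lib/vnstat.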
How To : FTPS Server Configuration
vsftpd stands for Very Secure FTP Daemon. The "secure" refers to how the daemon itself is written (privilege separation, chroot), not to the protocol: plain FTP sends the user name, password and file contents in clear text. That is also why root is in the default deny list (/etc/vsftpd/ftpusers) and cannot log in over FTP.
To stop data crossing the wire in plain text we generate a certificate with OpenSSL and have vsftpd use it to encrypt the session with TLS. That is FTPS.
Some file transfer protocols you should know:
1. TFTP (Trivial File Transfer Protocol, uses UDP) - fast, no authentication, not secure
2. SFTP (runs over SSH, so no FTP server is needed) - secure
3. FTP (plain FTP over TCP) - not secure
4. FTPS (FTP plus a TLS certificate to encrypt the control and data connections)
5. FTP over SSH (plain FTP tunnelled through an SSH connection)
In this post we will see how to configure a TLS certificate for vsftpd.
Step1 : Check that the following packages are installed on the server; install them if not.
# yum install openssl
# yum install vsftpd
Step2 : Generate the RSA key and self-signed certificate in /etc/vsftpd as below.
# cd /etc/vsftpd
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem
-x509 produces a self-signed certificate instead of a signing request, -nodes leaves the private key unencrypted so vsftpd can start without a passphrase, and using the same file for -keyout and -out puts key and certificate together in one PEM file. A 1024-bit key, as in the session captured below, is no longer considered strong; use 2048 bits or more. Because the PEM holds the unencrypted private key, restrict it to root (chmod 600 vsftpd.pem). The Common Name should be the host name clients connect to, otherwise they will warn about a mismatch.
The clipped output for your reference (captured with rsa:1024):
[root@v-itig42 vsftpd]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Generating a 1024 bit RSA private key
....................................................++++++
..........................................++++++
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated.
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Vijaywada
Organization Name (eg, company) [My Company Ltd]:Linuxnix Systems Limited
Organizational Unit Name (eg, section) []: IT admin Group
Common Name (eg, your name or your server's hostname) []:ftp2.linuxnix.co.in
Email Address []:surendra@linuxnix.co.in
Step3 : The certificate now sits in /etc/vsftpd. Point vsftpd.conf at it and add the TLS settings.
Step4 : Edit vsftpd.conf and add these entries at the end of the file.
# vi /etc/vsftpd/vsftpd.conf
# Turn TLS support on.
ssl_enable=YES
# Allow anonymous users to use TLS as well.
allow_anon_ssl=YES
# NO lets local users transfer file contents either encrypted or in clear; set YES to require TLS for data too.
force_local_data_ssl=NO
# Require TLS before a local user's credentials are sent, so passwords never cross the wire in clear.
force_local_logins_ssl=YES
# Permit TLS v1 connections (newer vsftpd releases add separate directives for TLS 1.1 and 1.2; check vsftpd.conf(5) on your system and prefer those).
ssl_tlsv1=YES
# Do not permit SSL v2 connections; the protocol is broken.
ssl_sslv2=NO
# Do not permit SSL v3 connections; the protocol is broken.
ssl_sslv3=NO
# Location of the certificate and key file created above.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Now save and exit the file.
Step5 : Restart the vsftpd service.
# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Now connect with FileZilla or another client that supports explicit FTPS (AUTH TLS on port 21, which is what vsftpd offers with the settings above). The certificate is self-signed, so the client will warn on the first connection; compare the fingerprint it shows with openssl x509 -in /etc/vsftpd/vsftpd.pem -noout -fingerprint -sha256 before accepting it. If the server sits behind a firewall, note that TLS hides the PORT/PASV negotiation from the firewall's FTP connection-tracking helper, so pin the passive port range with pasv_min_port and pasv_max_port and open that range. Browsers cannot open ftps:// URLs directly; in Firefox the FireFTP add-on was needed for that.
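The settings in Step4 are easy to get subtly wrong (force_local_data_ssl=NO, for instance, still allows file contents to travel in clear). The script below is an added example, not part of the original post or of vsftpd: it audits a vsftpd.conf for the TLS directives discussed above, applying vsftpd's documented defaults to anything left unset. The two configurations it checks are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS-related directives
# of a vsftpd.conf and report any that leave credentials or data in the clear.
# vsftpd honours the last occurrence of a directive and has a built-in default
# for anything unset; both are reproduced here. The two configurations below
# are constructed: one deliberately weak, one hardened.

WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed: TLS on, but data may still go in clear and SSLv3 is offered
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
# constructed: logins and data both require TLS; SSLv2/v3 keep their NO default
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

# conf_get FILE KEY -> value of the last uncommented KEY=value line ("" if absent)
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }
    ' "$1"
}

# audit_vsftpd_tls FILE -> one finding per line on stdout, nothing when clean
audit_vsftpd_tls() {
    conf=$1
    # check KEY VSFTPD_DEFAULT REQUIRED MESSAGE
    check() {
        got=$(conf_get "$conf" "$1")
        got=${got:-$2}          # an absent directive takes vsftpd's built-in default
        [ "$got" = "$3" ] || echo "$1=$got: $4"
    }
    check ssl_enable             NO  YES "TLS is off; logins and data cross the wire in plain text"
    check force_local_logins_ssl YES YES "clients may log in without TLS, so passwords can go in clear"
    check force_local_data_ssl   YES YES "file contents may be transferred without TLS"
    check ssl_sslv2              NO  NO  "SSLv2 is broken and must not be offered"
    check ssl_sslv3              NO  NO  "SSLv3 is broken (POODLE) and must not be offered"
}

# count_findings FILE -> number of findings as a plain integer
count_findings() {
    audit_vsftpd_tls "$1" | awk 'END { print NR }'
}

# Usage: point it at the real /etc/vsftpd/vsftpd.conf after editing and before
# restarting vsftpd. Here it runs over the two constructed files.
for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_vsftpd_tls "$f"
done
```

The checks deliberately treat a missing directive as its default rather than as an error, so a terse configuration that relies on vsftpd's safe defaults for ssl_sslv2/ssl_sslv3 passes, while an explicit YES on either is caught.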
Hardening SSH Server In The DMZ (De-Militarised Zone)
It is good practice to harden a box that sits in the DMZ.
What is DMZ?
Ans : A DMZ (De-Militarised Zone) is the network segment where we keep the servers that outside people must be able to reach. For those not familiar with it (setting one up is usually the network admin's job):
1. The DMZ isolates those machines from the company's internal LAN.
2. DMZ machines sit in their own IP address range and subnet.
3. Traffic between two machines inside the DMZ is normally blocked, so one compromised host cannot be used to reach its neighbours.
4. A DMZ machine cannot initiate a login to an internal LAN machine, but the LAN can log in to the DMZ (one-way, from the LAN).
5. Ping (ICMP echo) to these machines is usually disabled.
6. How these machines may communicate is decided entirely by the rules the network team sets on the routers and firewalls.
7. DMZ machines are locked down more tightly than LAN machines: everything not explicitly needed is restricted.
8. Only the required ports are open on DMZ machines; the rest are closed or rejected (on the host by the Linux admin, at the network level by the company's network engineer).
Once a Linux machine is placed in the DMZ, the first thing to do is secure SSH logins to it.
In this post we will see some SSH hardening measures for a system kept in the DMZ. The settings live in /etc/ssh/sshd_config (Red Hat and Debian based systems alike).
1. Limit authentication attempts per connection. After this many failed attempts sshd drops the connection and the client has to reconnect. This slows a brute-force attempt down but does not ban the source; use a log watcher such as fail2ban for that.
MaxAuthTries 3
Here the limit is set to 3.
2. Disable root logins over SSH. This forces people to log in as themselves and switch to root afterwards, which leaves an audit trail.
PermitRootLogin no
Set to no, root cannot log in over SSH.
3. Refuse logins for accounts with an empty password.
PermitEmptyPasswords no
4. Allow password authentication. On a DMZ host key-based authentication is the stronger choice (PasswordAuthentication no together with PubkeyAuthentication yes); keep passwords enabled only if you have to.
PasswordAuthentication yes
5. Specify who may log in. This is the most effective of the settings here, because sshd rejects every user not listed regardless of password or key.
AllowUsers test1 test2
Here only two users are allowed, test1 and test2.
6. Set up a login banner that warns users logging in to this server.
Banner /etc/ssh-banner
Put the warning message in /etc/ssh-banner.
Once the above changes are in /etc/ssh/sshd_config, check the syntax and reload the SSH server.
Note : Do not restart the SSH service on production servers; it is not advisable. Reload instead, so the listener re-reads its configuration without interruption; most services support reload with the service command. Run sshd -t first: it parses the configuration and reports errors without applying anything, and a broken config on a DMZ box with no console access means a lockout. Keep your current SSH session open until a fresh login with the new settings succeeds.
# sshd -t
# service sshd reload
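As an added example, not part of the original post or of OpenSSH, the script below applies the six directives above to a copy of sshd_config without duplicating lines, and shows the sshd -t check that belongs before every reload. The sample configuration and the user names test1 and test2 are constructed; the helper assumes the file has no Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): apply the six sshd_config
# directives from this section idempotently, then validate before reloading.
# The file is a parameter so the functions can be exercised on a copy; the
# configuration below is constructed. The helper assumes a flat sshd_config
# with no "Match" blocks (directives after a Match line apply only to that
# block, and a plain text replace would not know the difference).

SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sshd_config excerpt
Port 22
Protocol 2
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# set_directive FILE KEY VALUE: replace every active "KEY ..." line with
# "KEY VALUE" (keeping exactly one), or append it if none exists. Commented
# lines are left alone so the shipped defaults stay visible. sshd keywords
# are case-insensitive, hence the tolower() comparison.
set_directive() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) { if (!done) { print key, val; done = 1 }; next }
        { print }
        END { if (!done) print key, val }
    ' "$1" >"$tmp" && cat "$tmp" >"$1"     # cat keeps the target file's owner and mode
    rm -f "$tmp"
}

# get_directive FILE KEY -> value of the last active KEY line ("" if none);
# first word only, which is enough for the single-valued directives used here
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# harden_sshd FILE: the settings discussed in this section
harden_sshd() {
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" PasswordAuthentication yes
    set_directive "$1" AllowUsers "test1 test2"
    set_directive "$1" Banner /etc/ssh-banner
}

# apply_and_reload FILE: parse-check with sshd -t first; reloading a broken
# sshd_config on a DMZ host with no console means locking yourself out.
apply_and_reload() {
    harden_sshd "$1"
    sshd -t -f "$1" && service sshd reload
}

# Usage on the live host (as root): apply_and_reload /etc/ssh/sshd_config
# Here it runs on the constructed copy only:
harden_sshd "$SAMPLE"
cat "$SAMPLE"
```

Running harden_sshd twice leaves the file unchanged, which is what you want from anything that may later be wired into configuration management; the commented "#MaxAuthTries 6" line survives as a reminder of the shipped default.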
File Types In Linux
"How many types of files are there and what are they?" is a common question for everyone starting with Linux.
Why is it so important to know the file types?
Ans : Because Linux treats everything as a file. The answer is a little confusing, since different sources give different counts.
Let me put it this way to clarify. Classic Unix has only 3 types of files:
1. Regular files
2. Directory files
3. Special files (this is the category responsible for the differing answers, because it has 5 sub-types)
So in total Linux has 7 file types. Remember, I am saying Linux has 7; on other Unix systems it is 8.
Here they are. The type indicator is the leftmost character of each line of "ls -l" output:
1. Regular file (-)
2. Directory file (d)
Special files
3. Block device file (b)
4. Character device file (c)
5. Named pipe file, or just pipe file (p)
6. Symbolic link file (l)
7. Socket file (s)
For your information there is one more, the door file (D), present on Sun Solaris. A door is a special file for inter-process communication between a client and a server (hence 8 types on Unix machines).
Regular files : These are indicated with "-" in ls -l output. They include
1. Readable text files,
2. Binary files,
3. Image files,
4. Compressed files, etc.
How to create them?
Ans : Use the touch command (or any program that writes a file).
Example listing of regular files :
-rw-r--r-- 1 krishna krishna 20986522 2010-01-31 13:48 test.wmv
-rw-r--r-- 1 krishna krishna 173448 2010-01-30 21:20 Transformers-Teaser-Wallpaper-310.jpg
-r-xr-xr-x 1 root root 135168 2009-12-12 19:14 VIDEO_TS.VOB
-rw-r--r-- 1 krishna krishna 2113536 2009-12-01 13:32 Aditya 365 – Janavule.mp3
-rwxrwxrwx 1 root root 168 2010-02-14 14:12 xyz.sh
Directory files : A directory holds the names of the files, sub-directories and special files it contains, together with the inode numbers that locate them on the device. ls colours directories blue by default.
How to create them?
Ans : Use the mkdir command.
Example listing of directories :
drwxr-xr-x 2 surendra surendra 4096 2010-01-19 18:37 bin
drwxr-xr-x 5 surendra surendra 4096 2010-02-15 18:46 Desktop
drwxr-xr-x 2 surendra surendra 4096 2010-01-18 14:36 Documents
drwxr-xr-x 2 surendra surendra 4096 2010-02-13 17:45 Downloads
Block files : Device files for block devices, i.e. disks and partitions, which are accessed in fixed-size blocks. Almost all of them live in /dev.
How to create them?
Ans : Device nodes are created with mknod. On a modern system udev does this automatically when hardware appears, so partitioning a disk with fdisk is enough to get the matching sdaN nodes.
Example listing of block files (located in /dev) :
brw-rw---- 1 root disk 8, 1 2010-02-15 09:35 sda1
brw-rw---- 1 root disk 8, 2 2010-02-15 09:35 sda2
brw-rw---- 1 root disk 8, 5 2010-02-15 09:35 sda5
Character device files : Device files that provide a serial stream of bytes in or out (terminals, serial ports, /dev/null, /dev/random); there is no block-wise random access.
How to create them?
Ans : With mknod, or automatically by udev, as for block files.
Example listing of character files (located in /dev) :
crw-rw-rw- 1 root tty 5, 0 2010-02-15 16:52 tty
crw--w---- 1 root root 4, 0 2010-02-15 09:35 tty0
crw------- 1 root root 4, 1 2010-02-15 09:35 tty1
Pipe files : The other sort of pipe is a “named” pipe, which is sometimes called a FIFO. FIFO stands for “First In, First Out” and refers to the property that the order of bytes going in is the same coming out. The “name” of a named pipe is actually a file name within the file system. --www.linux.com
How to create them?
Ans : Use the mkfifo command.
Example listing of pipe files :
prw-r----- 1 root root 0 2010-02-15 09:35 /dev/.initramfs/usplash_outfifo
prw-r----- 1 root root 0 2010-02-15 09:35 /dev/.initramfs/usplash_fifo
prw------- 1 syslog syslog 0 2010-02-15 15:38 /var/run/rsyslog/kmsg
Symbolic link files : Files that point to another file by path name; opening the link opens the target.
How to create them?
Ans : Use ln -s (plain ln creates a hard link, which is a second name for the same inode and shows up as a regular file, not as type l).
Example listing of linked files :
lrwxrwxrwx 1 root root 24 2010-02-15 09:35 sndstat -> /proc/asound/oss/sndstat
lrwxrwxrwx 1 root root 15 2010-02-15 09:35 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 2010-02-15 09:35 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 2010-02-15 09:35 stdout -> /proc/self/fd/1
Socket files : A socket file lets two processes on the same machine exchange data (a Unix domain socket).
How to create them?
Ans : A program creates a socket with the socket() system call, declared in <sys/socket.h>. A socket file appears on disk when the program bind()s an AF_UNIX socket to a path, as the listing below shows for /dev/log and mysqld.sock.
Example
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
This call creates an Internet socket, which has a descriptor but no entry in the filesystem; sockfd is used like any other file descriptor, so read() and write() work on it. A filesystem socket uses AF_UNIX in the same call, followed by bind().
Example listing of socket files :
srw-rw-rw- 1 root root 0 2010-02-15 09:35 /dev/log
srwxrwxrwx 1 root root 0 2010-02-15 10:07 /var/run/cups/cups.sock
srwxrwxrwx 1 root root 0 2010-02-15 09:35 /var/run/samba/winbindd_privileged/pipe
srwxrwxrwx 1 mysql mysql 0 2010-02-15 09:35 /var/run/mysqld/mysqld.sock
A tip for you guys.
How to find files of a given type?
Ans : Use the find command with the -type option.
For example, to find socket files:
find / -type s
To find symbolic links:
find / -type l
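An added example, not part of the original post: the script below builds a scratch directory with one file of each type an unprivileged user can create, classifies them by the first character of ls -ld, and wraps the find -type checks a hardening review actually runs (device nodes outside /dev, world-writable sockets). Paths and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): create one file of each type an
# unprivileged user can make, classify each by the first character of its
# "ls -ld" line (the column the listings above show), and run the find -type
# checks that matter in a hardening review. Everything lives in a scratch
# directory; no device nodes are created because mknod needs root.

ROOT=$(mktemp -d)

# file_type PATH -> regular | directory | block | char | fifo | symlink | socket | unknown
file_type() {
    case $(ls -ld "$1" | cut -c1) in
        -) echo regular ;;
        d) echo directory ;;
        b) echo block ;;
        c) echo char ;;
        p) echo fifo ;;
        l) echo symlink ;;
        s) echo socket ;;
        *) echo unknown ;;
    esac
}

# make_samples DIR: a regular file, a directory, a named pipe and a symlink
make_samples() {
    touch "$1/plain.txt"
    mkdir "$1/subdir"
    mkfifo "$1/queue"
    ln -s plain.txt "$1/link"
}

# count_type DIR TYPECHAR -> number of entries under DIR of that find(1) -type
count_type() {
    find "$1" -type "$2" | awk 'END { print NR }'
}

# stray_device_nodes ROOTDIR -> block or character devices outside ROOTDIR/dev.
# A device node in /tmp or a home directory is a classic way to get raw disk
# or memory access around file permissions; mounting user-writable filesystems
# with the "nodev" option makes the kernel ignore such nodes.
stray_device_nodes() {
    root=${1%/}                    # "/" becomes "" so the prune path is "/dev", not "//dev"
    find "${root:-/}" -path "$root/dev" -prune -o \( -type b -o -type c \) -print
}

# world_writable_sockets ROOTDIR -> socket files anyone may connect to; each is
# an unauthenticated local entry point into whatever daemon listens there
world_writable_sockets() {
    find "${1:-/}" -type s -perm -o+w
}

make_samples "$ROOT"
for f in plain.txt subdir queue link; do
    printf '%-10s %s\n' "$f" "$(file_type "$ROOT/$f")"
done
echo "stray device nodes under $ROOT: $(stray_device_nodes "$ROOT" | awk 'END { print NR }')"
```

Run stray_device_nodes / and world_writable_sockets / as root on a real system; both should come back empty on a well-kept host, and anything they list deserves an explanation.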
RSYNC --The tool to copy
Recently I came across the rsync utility. It is an awesome command. On Red Hat systems its daemon is started on demand by xinetd, like tftp, rsh, rlogin and telnet.
Let us first list the advantages of this command, then see how to configure it.
Advantages of rsync :
1. It keeps the destination directory in sync with the source.
2. rsync is fast because it does not copy all the data on every run; it transfers only what changed since the previous copy.
3. rsync can run over ssh, so transfers between two machines are authenticated and encrypted.
4. rsync is commonly used to mirror an RPM update repository to a local machine.
There are many more advantages; please share your experiences here.
Configuration : rsync
Some points to remember when dealing with rsync
* The rsync package provides both the client and the daemon; on Red Hat it also ships the /etc/xinetd.d/rsync stanza, so xinetd is what launches the daemon on demand.
* For rsync between two systems in daemon mode, the receiving side has to be configured to allow rsync connections (rsync over ssh only needs a working ssh login, no daemon at all).
* The rsync daemon listens on TCP port 873. The daemon protocol is not encrypted and, unless a module sets auth users, not authenticated either, so restrict it with hosts allow in /etc/rsyncd.conf and prefer ssh for anything sensitive.
Step1 : Install the rsync and xinetd packages (see the earlier post on configuring a yum server if you need a repository first).
# yum install rsync xinetd
Step2 : Configure xinetd to accept rsync connections; the stanza is /etc/xinetd.d/rsync
# cd /etc/xinetd.d
# vi rsync
# default : off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = yes
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
In this file just change disable = yes to disable = no, then save and exit. Note that xinetd launches rsync with --daemon, and in that mode rsync reads /etc/rsyncd.conf for the modules (directories) it serves; that file is not created for you. Here is the updated file.
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
Step3 : Start the rsync service. Since rsync is handled by xinetd, just restart xinetd.
# service xinetd restart
Step4 : Enable the service permanently. xinetd services have no run levels of their own, and xinetd itself must start at boot too.
# chkconfig rsync on
# chkconfig xinetd on
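The xinetd stanza above launches the daemon but does not tell it what to export; that is the job of /etc/rsyncd.conf, which the post does not cover. The following script is an added example, not part of the original post or of rsync: it writes a locked-down single-module rsyncd.conf and its secrets file into a scratch directory and reads the settings back. The module name pub, the network 192.0.2.0/24, the user mirror and the password are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the xinetd stanza above only
# launches "rsync --daemon"; what the daemon serves comes from /etc/rsyncd.conf,
# which nothing creates for you. This writes a read-only, host-restricted,
# password-protected module into a scratch directory so the result can be
# inspected without touching the live system. Module name, network, user
# name and password are assumptions for the example.

ROOT=$(mktemp -d)

# write_rsyncd_conf CONFDIR EXPORTDIR: one module with the restrictive settings
# a DMZ host wants: unprivileged uid, chroot, no module listing, an allow-list
# of client networks and a named user instead of anonymous access
write_rsyncd_conf() {
    cat >"$1/rsyncd.conf" <<EOF
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log

[pub]
    path = $2
    comment = read-only mirror
    read only = yes
    list = no
    hosts allow = 192.0.2.0/24
    hosts deny = *
    auth users = mirror
    secrets file = $1/rsyncd.secrets
EOF
}

# write_secrets CONFDIR USER PASSWORD: "user:password" lines. rsync refuses to
# use a secrets file that other users can read (strict modes), so the umask is
# narrowed in a subshell while it is written and the mode forced to 600.
write_secrets() {
    ( umask 077; printf '%s:%s\n' "$2" "$3" >"$1/rsyncd.secrets" )
    chmod 600 "$1/rsyncd.secrets"
}

# secrets_mode CONFDIR -> permission bits of the secrets file, e.g. 600
secrets_mode() {
    stat -c '%a' "$1/rsyncd.secrets" 2>/dev/null || stat -f '%Lp' "$1/rsyncd.secrets"
}

# module_setting CONFDIR MODULE KEY -> value of KEY inside [MODULE] ("" if unset)
module_setting() {
    awk -v mod="[$2]" -v key="$3" '
        $0 == mod { in_mod = 1; next }
        /^\[/     { in_mod = 0 }
        in_mod && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }
    ' "$1/rsyncd.conf"
}

mkdir -p "$ROOT/export"
write_rsyncd_conf "$ROOT" "$ROOT/export"
write_secrets "$ROOT" mirror 'change-me-before-use'
echo "module pub: read only = $(module_setting "$ROOT" pub 'read only'), auth users = $(module_setting "$ROOT" pub 'auth users')"
echo "secrets file mode: $(secrets_mode "$ROOT")"
# On the real host a client then pulls with:  rsync -av mirror@server::pub/ /local/mirror/
```

With hosts deny = * and an explicit hosts allow, a scan of port 873 from anywhere else gets nothing, and list = no keeps the module name out of the anonymous module listing; the password in the secrets file still travels only as a challenge-response, so the data itself is in clear unless you switch to rsync over ssh.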
Debian NIS HOWTO
1. HOW TO SETUP A LOCAL NIS CLIENT
1. Install the netbase, portmap and nis packages; apt-get install nis will pull them in.
2. The installation procedure asks for your NIS domain name. This is just a name describing the group of systems that share NIS data, not a hostname. It is stored in /etc/defaultdomain, in case you ever want to change it. Unlike DNS host and domain names, the NIS domain name is case-sensitive!
3. If your NIS server is not "local" to your network, some fine-tuning is needed. The ypbind process has a configuration file, /etc/yp.conf, in which you can hardcode a NIS server; for more information see the ypbind(8) manual page.
*NOTE NOTE NOTE* - if you put a server name in /etc/yp.conf, make sure the server is also in /etc/hosts, or write it in dotted-quad notation (12.34.56.78). Otherwise, if your system boots while the network is not yet up or DNS is unreachable, ypbind cannot resolve the servers in /etc/yp.conf and will hang!
4. Start NIS by typing:
/etc/init.d/nis stop
/etc/init.d/nis start
2. HOW TO SPECIFY WHAT RESOURCES TO USE FOR NIS:
1. FOR LIBC6:
Check your /etc/nsswitch.conf file and make sure that the entries for passwd, group, shadow and netgroup look like this:
passwd: compat
group: compat
shadow: compat
netgroup: nis
At this moment, libc6 has some troubles with reading netgroup data from files. So do not use "db" or "files" in the entry for netgroup, all netgroup lookups have to go through the NIS server.
2. USERS: Add the following line to /etc/passwd on your NIS clients (at the end of the file):
+::::::
You can also use the + and - characters to include/exclude or change users. If you want to exclude the user guest just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user "linux"? No problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/passwd. Fields that you don't want to change have to be left empty, but the line must still have the seven colon-separated fields of a passwd entry; a field in the wrong position is silently ignored rather than applied. (A bare "+name" or "-name" with no further fields is also accepted.)
For example, to only allow login-access to miquels,dth and ed, but to have the account data of all other users available:
+miquels::::::
+ed::::::
+dth::::::
+:*:::::/etc/NoShell
Note that in Linux you can also override the password field, as we did in this example.
If you are using shadow passwords and export a "shadow" map from your NIS server, you also want to put the following in /etc/shadow (again at the end of the file):
+::::::::
If you want to override the password field and you're using shadow passwords, do it in /etc/shadow, not in /etc/passwd, of course.
3. GROUPS: Add the following line to /etc/group (at the end):
+:::
You should also consider changing the MINGID setting in /var/yp/Makefile if you want membership in groups such as audio, users, etc. to convey to clients.
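The plus and minus entries in steps 2.2 and 2.3 are easy to get subtly wrong, and the HOWTO does not give a way to check them. The following POSIX sh script is an added example, not part of the HOWTO: it checks that every "+" or "-" line in a passwd, shadow or group style file has the field count glibc expects (7, 9 and 4 respectively; a bare "+name" or "-name" is also allowed), and that nothing follows the catch-all "+" line, since glibc's compat lookup stops at the first matching line and never consults entries after it. The sample files and user names are constructed.

```sh
#!/bin/sh
# Added example, not from the HOWTO: check the "+" and "-" compat entries in
# passwd, shadow and group style files before installing them. Two mistakes
# are easy to make: the wrong number of colon-separated fields (a passwd
# entry has 7, shadow 9, group 4; a bare "+name" or "-name" with no fields
# is also accepted), which silently leaves the field you meant to override
# untouched, and an entry placed after the catch-all "+" line, which glibc
# never reaches because lookups stop at the first matching line.
# The sample files and user names are constructed.

# check_compat FILE KIND     (KIND: passwd, shadow or group)
# Prints one line per problem; the return value is the number of problems.
check_compat() {
    case "$2" in
        passwd) want=7 ;;
        shadow) want=9 ;;
        group)  want=4 ;;
        *) echo "check_compat: unknown kind $2" >&2; return 99 ;;
    esac
    awk -F: -v want="$want" -v kind="$2" '
    BEGIN { bad = 0 }
    /^[+-]/ {
        if (NF != 1 && NF != want) {
            printf "%s line %d: %d fields, a %s entry needs %d: %s\n",
                   kind, NR, NF, kind, want, $0
            bad++
        }
        if (seen_all) {
            printf "%s line %d: after the catch-all \"+\" line, never consulted: %s\n",
                   kind, NR, $0
            bad++
        }
        if ($1 == "+") seen_all = 1
    }
    END { exit bad }
    ' "$1"
}

# write_samples DIR: constructed files to run the check against
write_samples() {
    # the HOWTO's login-restriction pattern, written correctly
    cat > "$1/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
-guest
+miquels::::::
+ed::::::
+:*:::::/etc/NoShell
EOF
    # one colon too many on the shell override, and -guest after the catch-all
    cat > "$1/passwd.bad" <<'EOF'
root:x:0:0:root:/root:/bin/bash
+linux:::::::/bin/ksh
+::::::
-guest
EOF
    cat > "$1/shadow.good" <<'EOF'
root:*:15000:0:99999:7:::
+::::::::
EOF
    cat > "$1/group.good" <<'EOF'
root:x:0:
+:::
EOF
}

# Demonstration: run the check over the constructed files.
d=$(mktemp -d)
write_samples "$d"
for f in passwd.good passwd.bad shadow.good group.good; do
    kind=${f%.*}
    if check_compat "$d/$f" "$kind"; then
        echo "$f: ok"
    fi
done
rm -rf "$d"
```

Run it as check_compat /etc/passwd passwd (and likewise for shadow and group) after editing; a non-zero return means at least one entry will not do what you intended.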
4. HOSTS:
Normally you should not do host lookups through NIS, use DNS for that. If you really must use NIS for it, here's how to do it.
1. For libc5 applications:
If you want to use the NIS host maps of your NIS server you have to change your /etc/host.conf file. You just have to add the word "nis" to the "order" line. A sample host.conf file could look like this:
order hosts,nis
multi on
2. For libc6 applications:
Edit /etc/nsswitch.conf and change the hosts entry:
hosts: files nis
3. HOW TO SETUP A MASTER NIS SERVER:
1. Install the nis package. You'll also need other packages such as portmap, but the Debian dependency system will take care of that automatically.
2. Make sure that all systems you are going to use as a NIS server, master or slave, have all other systems in the /etc/hosts file. The FQDN (Fully Qualified Domain Name) should be the first hostname after every IP address, followed by just the hostname (without the domainname). For example:
192.168.88.10 troi.cistron.nl troi
On the NIS server the NIS hosts file (which is usually just /etc/hosts) should also have this setup. This is because NIS does not use DNS.
3. set your NIS domain in the /etc/defaultdomain file. The NIS domain is just a name which describes the group of systems that use NIS, it is not a hostname. It is common practice to use your DNS domainname for this.
Many people say this is a security risk, as by knowing your domainname it is possible to query your NIS server remotely and download all your NIS maps. Do not try to prevent this by choosing an obscure domainname; the name is sent in the clear by every client and is trivially guessed. Just set up your /etc/ypserv.securenets and/or your /etc/ypserv.conf properly so that your NIS server cannot be accessed from outside your local network at all.
4. set ypserv to master (NISSERVER=master) in /etc/default/nis
Note that earlier versions of the Debian NIS package kept this setting in the /etc/init.d/nis script - if you upgraded from a version before 3.9 you might still have the old script and you need to edit that script instead. Alternatively copy the new /etc/init.d/nis.dpkg-new script to /etc/init.d/nis.
5. As mentioned above, add your local network number to the file /etc/ypserv.securenets. You don't have to do this: the default, when the file is missing, is to allow every host that can reach the server to bind to it and dump all maps, the password map included. Doing it is however *strongly* recommended.
For added security you might also want to edit the /etc/ypserv.conf file to mangle the password field for some clients (do not do this if you have non-Debian slave servers in your network!)
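The ypserv.securenets check is simple enough to reproduce offline, which is a useful way to confirm that a file does what you expect before relying on it. The following POSIX sh script is an added example, not from the HOWTO or from ypserv: it implements the same rule ypserv applies (each non-comment line is "netmask network" or "host address", a client is served if any line matches, and a missing file means everyone is served) and runs it over a constructed sample file. The addresses and function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the HOWTO: an offline emulation of the check ypserv
# makes against /etc/ypserv.securenets before answering a client. Each
# non-comment line is "netmask network" or "host address"; a client is
# served if any line matches, and a missing file means everyone is served.
# The sample file, its addresses and the function names are constructed.

# securenets_allows FILE CLIENT_IP
# Returns 0 if CLIENT_IP would be accepted under FILE, 1 otherwise.
securenets_allows() {
    # ypserv's behaviour without the file: no restriction at all
    [ -f "$1" ] || return 0
    awk -v ip="$2" '
    # bitwise AND of two octets, written out because mawk has no and()
    function band(a, b,   r, bit) {
        r = 0; bit = 1
        while (a > 0 && b > 0) {
            if (a % 2 == 1 && b % 2 == 1) r += bit
            a = int(a / 2); b = int(b / 2); bit *= 2
        }
        return r
    }
    # true if ip lies in network/mask, compared octet by octet
    function in_net(mask, net,   m, n, c, i) {
        split(mask, m, "."); split(net, n, "."); split(ip, c, ".")
        for (i = 1; i <= 4; i++)
            if (band(c[i], m[i]) != band(n[i], m[i])) return 0
        return 1
    }
    /^[ \t]*(#|$)/ { next }
    $1 == "host"   { if (in_net("255.255.255.255", $2)) { ok = 1; exit }; next }
    NF >= 2        { if (in_net($1, $2)) { ok = 1; exit } }
    END { exit !ok }
    ' "$1"
}

# write_securenets DIR
# Constructed sample: loopback plus one LAN, the shape the HOWTO recommends.
write_securenets() {
    cat > "$1/securenets" <<'EOF'
# allow the server itself
host 127.0.0.1
# allow the local network only
255.255.255.0 10.1.1.0
EOF
}

# Demonstration: which constructed clients would be served?
d=$(mktemp -d)
write_securenets "$d"
for client in 10.1.1.77 127.0.0.1 10.1.2.1 192.0.2.9; do
    if securenets_allows "$d/securenets" "$client"; then
        echo "$client: served"
    else
        echo "$client: refused"
    fi
done
rm -rf "$d"
```

Point securenets_allows at the real /etc/ypserv.securenets with an address from outside your network to confirm it is refused; remember that ypserv only re-reads the file when restarted or sent SIGHUP. Also keep in mind that securenets is an address filter, not authentication: anyone who can spoof or reach an allowed address can still dump the maps, which is why the shadow map should never be exported to untrusted networks.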
6. Start the server by typing:
/etc/init.d/nis stop
/etc/init.d/nis start
This will start the server (ypserv) and the password daemon (yppasswdd).
7. Setup the server.
You do this by typing "/usr/lib/yp/ypinit -m". Before doing this, however, check that you have an /etc/networks file. The Makefile in /var/yp expects this, to build a "networks" NIS map. If you don't have one (new potato installs come without one) just use the command "touch /etc/networks" to create an empty one.
If you want to restrict access to your NIS server, you'll have to set up the NIS server as a client as well, by running ypbind and adding the plus-entries to /etc/passwd halfway through the password file. The library functions will ignore all normal entries after the first NIS entry, and will get the rest of the info through NIS. This way the NIS access rules are maintained. Example:
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
The user tester will exist, but have a shell of /etc/NoShell. miquels will have normal access.
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use another source password file by pointing the YPPWDDIR variable at the top of the Makefile to another directory than /etc. On big systems, the NIS password and group files are often stored in /var/yp/ypfiles/. If you do this the normal tools to administrate the password file such as "passwd", "chfn", "adduser" will not work anymore and you will need special homemade tools for this.
However yppasswd, ypchsh and ypchfn will work of course, provided you run yppasswdd with the -D option to point it to the location of the NIS password and shadow file. In version 3.9 and up of the Debian package, you can set this in the /etc/default/nis configuration file - the name of the variable is YPPWDDIR, just like in /var/yp/Makefile.
The Debian version of these utilities - and the yppasswdd daemon - have a non-standard extension. "Root" can - using the root password - change other people's passwords, finger info and shell. If you edit the NIS password file manually or you use the standard /etc/passwd file, remember that after every change in one of the NIS source files you'll have to run "make" in the /var/yp directory to update the NIS maps. It would be reasonable to do this nightly from cron to be sure the NIS maps are kept up-to-date.
4. SHADOW PASSWORDS
The Linux libc5 does not support shadow NIS maps. If you are dependent on libc5 applications, do not use shadow NIS maps. Instead you can use the method below:
1. SHADOW-LIKE SECURITY
You can provide shadow-like security by "mangling" the password for NIS lookups of password-file entries. Read the manpage for "ypserv.conf" and read the comments in the sample /etc/ypserv.conf.
2. REAL SHADOW SUPPORT
Libc6 has real shadow support for NIS builtin. It works like you would expect; export the shadow map from the NIS server and just use it. The shadow map should be built with the "-s" (secure) option to makedbm. This is automatic in all modern /var/yp/Makefile files.
Note that if you use the shadow password file you need to add "plus" entries (as in 2.2) to both /etc/passwd and /etc/shadow. Make sure you use the correct format; the passwd and shadow files have different fields.
On the master server you need to edit the /var/yp/Makefile to include the shadow file in the "all:" target. If you're using the sample /var/yp/Makefile, you can just remove the comment sign in the "networks # shadow publickey ... " line and put it just after the "shadow" word instead of just before it.
5. HOW TO SETUP A NIS SLAVE SERVER
1. First setup your system as a working NIS client (see 1.)
2. Follow the steps 3.1 .. 3.5 as described in above, but at step 3.4 set ypserv to slave (NISSERVER=slave) in the /etc/default/nis file.
3. Tell your master NIS server it has a slave. First you have to adjust the NIS Makefile *on the master* so that all future updates get distributed to the slave(s) automatically. Set the NOPUSH variable in /var/yp/Makefile to "false" like this:
NOPUSH="false"
(Don't you just hate double negatives ..) Now tell the master about its slaves by running "/usr/lib/yp/ypinit -m". Enter the names of the slave servers. The maps will get rebuilt, but not pushed to the slaves just yet.
4. Start the slave and initialize it by entering:
/etc/init.d/nis stop
/etc/init.d/nis start
/usr/lib/yp/ypinit -s
The slave server will transfer the maps from the master.
5. You might want to put the following script fragment into /etc/cron.d/nis *on the slave* (keep the file owned by root and writable only by root; cron does not require it to be executable):
20 * * * * root /usr/lib/yp/ypxfr_1perhour >/dev/null 2>&1
40 6 * * * root /usr/lib/yp/ypxfr_1perday >/dev/null 2>&1
55 6,18 * * * root /usr/lib/yp/ypxfr_2perday >/dev/null 2>&1
This will ensure that most NIS maps are kept up-to-date, even if an update is missed because the slave was down at the time the update was done on the master.
Known Bugs
1. The Debian adduser command does not interact well with nis. Bugs 110516, 143432 and 150186 against adduser describe various problems in this vein.
WORKAROUND: After using adduser to add a user, run:
make -C /var/yp
If the passwords entered during the adduser process don't match, then you must run the above command before retrying adduser.
Using Rsync and SSH
Keys, Validating, and Automation
This document covers using cron, ssh, and rsync to backup files over a local network or the Internet. Part of my goal is to ensure no user intervention is required when the computer is restarted (for passwords, keys, or key managers).
I like to backup some logging, mail, and configuration information sometimes on hosts across the network and Internet, and here is a way I have found to do it. You'll need these packages installed:
* rsync
* openssh
* cron (or vixie-cron)
Please note these instructions may be specific to Red Hat Linux versions 7.3, 9, and Fedora Core 3, but I hope they won't be too hard to adapt to almost any *NIX type OS. The man pages for 'ssh' and 'rsync' should be helpful to you if you need to change some things (use the "man ssh" and "man rsync" commands).
First, I'll define some variables. In my explanation, I will be synchronizing files (copying only new or changed files) one way, and I will be starting this process from the host I want to copy things to. In other words, I will be syncing files from /remote/dir/ on remotehost, as remoteuser, to /this/dir/ on thishost, as thisuser.
I want to make sure that 'rsync' over 'ssh' works at all before I begin to automate the process, so I test it first as thisuser:
$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/
and type in remoteuser@remotehost's password when prompted. I do need to make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that thisuser has write permissions to /this/dir/ on thishost. Also, 'rsync' and 'ssh' should be in thisuser's path (use "which ssh" and "which rsync"), 'rsync' should be in remoteuser's path, and 'sshd' should be running on remotehost.
Configuring thishost
If that all worked out, or I eventually made it work, I am ready for the next step. I need to generate a private/public pair of keys to allow a 'ssh' connection without asking for a password. This may sound dangerous, and it is, but it is better than storing a user password (or key password) as clear text in the script [0]. I can also put limitations on where connections made with this key can come from, and on what they can do when connected. Anyway, I generate the key I will use on thishost (as thisuser):
$ ssh-keygen -t dsa -b 2048 -f /home/thisuser/cron/thishost-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): [press enter here]
Enter same passphrase again: [press enter here]
Your identification has been saved in /home/thisuser/cron/thishost-rsync-key.
Your public key has been saved in /home/thisuser/cron/thishost-rsync-key.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 thisuser@thishost
and now we have a key with no passphrase in the two files mentioned above [1]. Make sure that no other user can read the private key file (the one without the '.pub' extension); it should be mode 600 and owned by thisuser. On current systems note that the 'ssh-dss' key type used here has been disabled by default since OpenSSH 7.0 and removed from recent releases, so on a modern host generate an Ed25519 key instead (key type 'ed25519' in place of 'dsa'; the '-b' option is then not needed). The rest of the procedure is unchanged, except that the 'authorized_keys' line then starts with 'ssh-ed25519' rather than 'ssh-dss'.
This key serves no purpose until we put the public portion into the 'authorized_keys' file [2] on remotehost, specifically the one for remoteuser:
/home/remoteuser/.ssh/authorized_keys
I use scp to get the file over to remotehost:
$ scp /home/thisuser/cron/thishost-rsync-key.pub remoteuser@remotehost:/home/remoteuser/
and then I can prepare things on remotehost.
Configuring remotehost
I 'ssh' over to remotehost:
$ ssh remoteuser@remotehost
remoteuser@remotehost's password: [type correct password here]
$ echo I am now $USER at $HOSTNAME
I am now remoteuser at remotehost
to do some work.
I need to make sure I have the directory and files I need to authorize connections with this key [3]:
$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv thishost-rsync-key.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat thishost-rsync-key.pub >> authorized_keys
Now the key can be used to make connections to this host, but these connections can be from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do), and I don't want that. I edit the 'authorized_keys' file (with vi) and modify the line with 'thishost-rsync-key.pub' information on it. I will only be adding a few things in front of what is already there, changing the line from this:
ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4u
A+2qx9JNorgdrWKhHSKHokFFlWRj+qk3q+lGHS+hsXuvta44W0yD0y0sW62wrEVegz+JVmntxeYc0nDz
5tVGfZe6ydlgomzj1bhfdpYe+BAwop8L+EMqKLS4iSacNjoPlHsmqHMnbibn3tBqJEq2QJjEPaiYj1iP
5IaCuYBhuTKQGa+oyH3mXEif5CKdsIKBj46B0tCy0/GC7oWcUN92QdLrUyTeRJZsTWsxKpRbMliD2pBh
4oyX/aXEf8+HZBrO5vQjDBCfTFQA+35Xrd3eTVEjkGkncI0SAeUAAAAVAMZSASmQ9Pi38mdm6oiVXD55
Kk2rAAABAE/bA402VuCsOLg9YS0NKxugT+o4UuIjyl6b2/cMmBVWO39lWAjcsKK/zEdJbrOdt/sKsxIK
1/ZIvtl92DLlMhci5c4tBjCODey4yjLhApjWgvX9D5OPp89qhah4zu509uNX7uH58Zw/+m6ZOLHN28mV
5KLUl7FTL2KZ583KrcWkUA0Id4ptUa9CAkcqn/gWkHMptgVwaZKlqZ+QtEa0V2IwUDWS097p3SlLvozw
46+ucWxwTJttCHLzUmNN7w1cIv0w/OHh5IGh+wWjV9pbO0VT3/r2jxkzqksKOYAb5CYzSNRyEwp+NIKr
Y+aJz7myu4Unn9de4cYsuXoAB6FQ5I8AAAEBAJSmDndXJCm7G66qdu3ElsLT0Jlz/es9F27r+xrg5pZ5
GjfBCRvHNo2DF4YW9MKdUQiv+ILMY8OISduTeu32nyA7dwx7z5M8b+DtasRAa1U03EfpvRQps6ovu79m
bt1OE8LS9ql8trx8qyIpYmJxmzIdBQ+kzkY+9ZlaXsaU0Ssuda7xPrX4405CbnKcpvM6q6okMP86Ejjn
75Cfzhv65hJkCjbiF7FZxosCRIuYbhEEKu2Z9Dgh+ZbsZ+9FETZVzKBs4fySA6dIw6zmGINd+KY6umMW
yJNej2Sia70fu3XLHj2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost
to this [4] (shown wrapped here, but it must remain a single line in the file; a line break inside the key makes sshd ignore it):
from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss AAAAB3Nza
C1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4uA+2qx9JNorgdrWKhH
SKHokFFlWRj+qk3q+lGHS+hsXuvta44W0yD0y0sW62wrEVegz+JVmntxeYc0nDz5tVGfZe6ydlgomzj1
bhfdpYe+BAwop8L+EMqKLS4iSacNjoPlHsmqHMnbibn3tBqJEq2QJjEPaiYj1iP5IaCuYBhuTKQGa+oy
H3mXEif5CKdsIKBj46B0tCy0/GC7oWcUN92QdLrUyTeRJZsTWsxKpRbMliD2pBh4oyX/aXEf8+HZBrO5
vQjDBCfTFQA+35Xrd3eTVEjkGkncI0SAeUAAAAVAMZSASmQ9Pi38mdm6oiVXD55Kk2rAAABAE/bA402V
uCsOLg9YS0NKxugT+o4UuIjyl6b2/cMmBVWO39lWAjcsKK/zEdJbrOdt/sKsxIK1/ZIvtl92DLlMhci5
c4tBjCODey4yjLhApjWgvX9D5OPp89qhah4zu509uNX7uH58Zw/+m6ZOLHN28mV5KLUl7FTL2KZ583Kr
cWkUA0Id4ptUa9CAkcqn/gWkHMptgVwaZKlqZ+QtEa0V2IwUDWS097p3SlLvozw46+ucWxwTJttCHLzU
mNN7w1cIv0w/OHh5IGh+wWjV9pbO0VT3/r2jxkzqksKOYAb5CYzSNRyEwp+NIKrY+aJz7myu4Unn9de4
cYsuXoAB6FQ5I8AAAEBAJSmDndXJCm7G66qdu3ElsLT0Jlz/es9F27r+xrg5pZ5GjfBCRvHNo2DF4YW9
MKdUQiv+ILMY8OISduTeu32nyA7dwx7z5M8b+DtasRAa1U03EfpvRQps6ovu79mbt1OE8LS9ql8trx8q
yIpYmJxmzIdBQ+kzkY+9ZlaXsaU0Ssuda7xPrX4405CbnKcpvM6q6okMP86Ejjn75Cfzhv65hJkCjbiF
7FZxosCRIuYbhEEKu2Z9Dgh+ZbsZ+9FETZVzKBs4fySA6dIw6zmGINd+KY6umMWyJNej2Sia70fu3XLH
j2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost
where "10.1.1.1" is the IP (version 4 [5]) address of thishost, and "/home/remoteuser/cron/validate-rsync" (which is just one of a few options [6], including customization [7] to enhance security) is a script that looks something like this :
#!/bin/sh
# Forced command for the backup key. sshd puts the command the client asked
# for into SSH_ORIGINAL_COMMAND; anything that is not an rsync server
# invocation, or that carries a shell metacharacter, is refused.
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\(*)
echo "Rejected"
;;
*\{*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
*\<*)
echo "Rejected"
;;
*\`*)
echo "Rejected"
;;
*\|*)
echo "Rejected"
;;
rsync\ --server*)
# run the rsync server side exactly as requested (word-split, not eval'd)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
If thishost has a variable address, or shares its address (via NAT or something similar) with hosts you do not trust, omit the 'from="10.1.1.1",' part of the line (including the comma), but leave the 'command' portion. This way, only the 'rsync' will be possible from connections using this key. Since the key is never used for an interactive session, it is also worth adding the 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty' options in front of the 'command' part (OpenSSH 7.2 and later accept the single word 'restrict' for the same set), so that a stolen private key cannot be turned into a tunnel through remotehost. Make certain that the 'validate-rsync' script is executable by remoteuser on remotehost and test it.
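The 'rsync\ --server*' pattern in the script above matches both directions of an rsync transfer: with '--sender' the remote side reads files for us, without it the remote side receives and writes files. For a pull-only backup key the pattern can be much tighter. The following POSIX sh script is an added example, not the page's validate-rsync: it accepts only "rsync --server --sender ... . PATH" where PATH lies inside one directory, so the key can neither push files onto remotehost nor read outside that tree. /remote/dir is the page's example path; the function name and the rest are assumptions made for the example. rsync itself ships a ready-made wrapper that does this job, support/rrsync (installed as rrsync on many distributions), which is usually the better choice in production.

```sh
#!/bin/sh
# Added example, not the page's validate-rsync: a stricter forced command
# for a pull-only backup key. It accepts only "rsync --server --sender ... . PATH"
# with PATH inside one directory, so the key can neither push files onto
# remotehost nor read outside that tree. /remote/dir is the page's example
# path; everything else here is an assumption made for the example.

# rsync_pull_allowed CMD DIR
# CMD is the value sshd puts in SSH_ORIGINAL_COMMAND, DIR the only tree the
# key may read. Returns 0 if CMD is a read-only rsync server run for DIR.
rsync_pull_allowed() {
    cmd=$1
    dir=${2%/}
    # shell metacharacters never occur in a genuine rsync server command line
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*')'*|*'{'*|*'}'*|*'*'*)
            return 1 ;;
    esac
    # split into words without globbing, as an unquoted $SSH_ORIGINAL_COMMAND is split
    set -f
    set -- $cmd
    set +f
    # pull form only: a plain "--server" without "--sender" would receive (write) files
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # any number of option words, then the literal "." and the source path
    while [ $# -gt 2 ]; do
        case "$1" in
            -*) shift ;;
            *)  return 1 ;;
        esac
    done
    [ $# -eq 2 ] && [ "$1" = . ] || return 1
    path=${2%/}
    # the path must be DIR or below it, with no ".." anywhere in it
    case "$path" in
        *..*) return 1 ;;
        "$dir"|"$dir"/*) return 0 ;;
    esac
    return 1
}

# When run by sshd as the key's command= script, execute the request only if
# it passes; this is the role the page's script calls "validate-rsync".
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if rsync_pull_allowed "$SSH_ORIGINAL_COMMAND" /remote/dir; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Rejected" >&2
    exit 1
fi
```

Installed in place of validate-rsync, the script keeps the page's test command working (the client sends "rsync --server --sender <options> . /remote/dir") while refusing a push, a different path, a "../" escape, or anything with a shell metacharacter appended. If you later need to sync a second directory, add a second key with its own command= line rather than widening this one.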
PLEASE NOTE: The private key, though now somewhat limited in what it can do (and hopefully where it can be done from), allows the possessor to copy any file from remotehost that remoteuser can read and, because the 'rsync --server*' pattern also matches the receiving form of the server command, to write files wherever remoteuser can write. This is dangerous, and I should take whatever precautions I deem necessary to maintain the security and secrecy of this key. Some possibilities would be ensuring proper file permissions are assigned, considering a key caching daemon, and considering whether I really need this process automated versus the risk.
ALSO NOTE: Another security detail to consider is the SSH daemon configuration on remotehost. This example focuses on a user (remoteuser) who is not root. I recommend not using root as the remote user because root has access to every file on remotehost. That capability alone is very dangerous, and the penalties for a mistake or misconfiguration can be far steeper than those for a 'normal' user. If you do not use root as your remote user (ever), and you make security decisions for remotehost, I recommend either:
PermitRootLogin no
or:
PermitRootLogin forced-commands-only
be included in the '/etc/ssh/sshd_config' file on remotehost. These are global settings, not just related to this connection, so be sure you do not need the capability these configuration options prohibit. [8].
The 'AllowUsers', 'AllowGroups', 'DenyUsers', and 'DenyGroups' key words can be used to restrict SSH access to particular users and groups. They are documented in the man page for "sshd_config", but I will mention that they all can use '*' and '?' as wildcards to allow and deny access to users and groups that match patterns. 'AllowUsers' and 'DenyUsers' can also restrict by host when the pattern is in USER@HOST form.
Troubleshooting
Now that I have the key with no password in place and configured, I need to test it out before putting it in a cron job (which has its own small set of baggage). I exit from the ssh session to remotehost and try:
$ rsync -avz -e "ssh -i /home/thisuser/cron/thishost-rsync-key" remoteuser@remotehost:/remote/dir /this/dir/
If this doesn't work, I will take off the "command" restriction on the key and try again. If it asks for a password, I will check permissions on the private key file (on thishost, should be 600), on 'authorized_keys' (on remotehost, should be 600), on the '~/.ssh/' directory (on both hosts, should be 700), and on the home directory ('~/') itself (on both hosts, should not be writeable by anyone but the user). If some cryptic 'rsync' protocol error occurs mentioning the 'validate-rsync' script, I will make sure the permissions on 'validate-rsync' (on remotehost, may be 755 if every remotehost user is trusted) allow remoteuser to read and execute it.
If things still aren't working out, some useful information may be found in log files. These are usually found in the /var/log/ directory on most Linux hosts, and in /var/log/secure on Red Hat-ish hosts. The most useful log entries in this instance will be on remotehost (sshd logs why it refused a key or what forced command it ran), but thishost may provide some client-side information in its logs [9]. If you can't get to the logs, or are just impatient, you can tell the 'ssh' executable to provide some logging with the 'verbose' options: '-v', '-vv', '-vvv'. The more v's, the more verbose the output. One is in the command above, but the one below should provide much more output:
$ rsync -avvvz -e "ssh -i /home/thisuser/cron/thishost-rsync-key" remoteuser@remotehost:/remote/dir /this/dir/
Hopefully, it will always just work flawlessly so I never have to extend the troubleshooting information listed here [10] .
Cron Job Setup
The last step is the cron script. I use something like this:
#!/bin/sh
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/home/thisuser/cron/thishost-rsync-key
RUSER=remoteuser
RHOST=remotehost
RPATH=/remote/dir
LPATH=/this/dir/
$RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH
because it is easy to modify the bits and pieces of the command line for different hosts and paths. I will usually call it something like 'rsync-remotehost-backups' if it contains backups. I test the script too, just in case I carefully inserted an error somewhere.
When I get the script running successfully, I use 'crontab -e' to insert a line for this new cron job:
0 5 * * * /home/thisuser/cron/rsync-remotehost-backups
for a daily 5 AM sync, or:
0 5 * * 5 /home/thisuser/cron/rsync-remotehost-backups
for a weekly (5 AM on Fridays). Monthly and yearly ones are rarer for me, so look at "man crontab" or here for advice on those.
Keys, Validating, and Automation
This document covers using cron, ssh, and rsync to back up files over a local network or the Internet. Part of my goal is to ensure no user intervention is required when the computer is restarted (for passwords, keys, or key managers).
I like to back up some logging, mail, and configuration information on hosts across the network and the Internet, and here is a way I have found to do it. You'll need these packages installed:
* rsync
* openssh
* cron (or vixie-cron)
Please note these instructions may be specific to Red Hat Linux versions 7.3, 9, and Fedora Core 3, but I hope they won't be too hard to adapt to almost any *NIX type OS. The man pages for 'ssh' and 'rsync' should be helpful to you if you need to change some things (use the "man ssh" and "man rsync" commands).
First, I'll define some variables. In my explanation, I will be synchronizing files (copying only new or changed files) one way, and I will be starting this process from the host I want to copy things to. In other words, I will be syncing files from /remote/dir/ on remotehost, as remoteuser, to /this/dir/ on thishost, as thisuser.
I want to make sure that 'rsync' over 'ssh' works at all before I begin to automate the process, so I test it first as thisuser:
$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/
and type in remoteuser@remotehost's password when prompted. I do need to make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that thisuser has write permissions to /this/dir/ on thishost. Also, 'rsync' and 'ssh' should be in thisuser's path (use "which ssh" and "which rsync"), 'rsync' should be in remoteuser's path, and 'sshd' should be running on remotehost.
Configuring thishost
If that all worked out, or I eventually made it work, I am ready for the next step. I need to generate a private/public pair of keys to allow a 'ssh' connection without asking for a password. This may sound dangerous, and it is, but it is better than storing a user password (or key password) as clear text in the script [0]. I can also put limitations on where connections made with this key can come from, and on what they can do when connected. Anyway, I generate the key I will use on thishost (as thisuser):
$ ssh-keygen -t dsa -b 2048 -f /home/thisuser/cron/thishost-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): [press enter here]
Enter same passphrase again: [press enter here]
Your identification has been saved in /home/thisuser/cron/thishost-rsync-key.
Your public key has been saved in /home/thisuser/cron/thishost-rsync-key.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 thisuser@thishost
and now we have a key with no passphrase in the two files mentioned above [1]. Make sure that no other user can read the private key file (the one without the '.pub' extension). A note for current systems: OpenSSH has disabled DSA ('ssh-dss') keys by default since version 7.0 (recent releases drop DSA entirely) and ssh-keygen only accepts 1024-bit DSA keys, so on a recent system generate the key with 'ssh-keygen -t ed25519 -f /home/thisuser/cron/thishost-rsync-key' instead; the rest of the procedure is identical except that the public key line begins with 'ssh-ed25519' rather than 'ssh-dss'.
This key serves no purpose until we put the public portion into the 'authorized_keys' file [2] on remotehost, specifically the one for remoteuser:
/home/remoteuser/.ssh/authorized_keys
I use scp to get the file over to remotehost:
$ scp /home/thisuser/cron/thishost-rsync-key.pub remoteuser@remotehost:/home/remoteuser/
and then I can prepare things on remotehost.
Configuring remotehost
I 'ssh' over to remotehost:
$ ssh remoteuser@remotehost
remoteuser@remotehost's password: [type correct password here]
$ echo I am now $USER at $HOSTNAME
I am now remoteuser at remotehost
to do some work.
I need to make sure I have the directory and files I need to authorize connections with this key [3]:
$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv thishost-rsync-key.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat thishost-rsync-key.pub >> authorized_keys
Now the key can be used to make connections to this host, but these connections can be from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do), and I don't want that. I edit the 'authorized_keys' file (with vi) and modify the line with 'thishost-rsync-key.pub' information on it. I will only be adding a few things in front of what is already there, changing the line from this:
ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4u
A+2qx9JNorgdrWKhHSKHokFFlWRj+qk3q+lGHS+hsXuvta44W0yD0y0sW62wrEVegz+JVmntxeYc0nDz
5tVGfZe6ydlgomzj1bhfdpYe+BAwop8L+EMqKLS4iSacNjoPlHsmqHMnbibn3tBqJEq2QJjEPaiYj1iP
5IaCuYBhuTKQGa+oyH3mXEif5CKdsIKBj46B0tCy0/GC7oWcUN92QdLrUyTeRJZsTWsxKpRbMliD2pBh
4oyX/aXEf8+HZBrO5vQjDBCfTFQA+35Xrd3eTVEjkGkncI0SAeUAAAAVAMZSASmQ9Pi38mdm6oiVXD55
Kk2rAAABAE/bA402VuCsOLg9YS0NKxugT+o4UuIjyl6b2/cMmBVWO39lWAjcsKK/zEdJbrOdt/sKsxIK
1/ZIvtl92DLlMhci5c4tBjCODey4yjLhApjWgvX9D5OPp89qhah4zu509uNX7uH58Zw/+m6ZOLHN28mV
5KLUl7FTL2KZ583KrcWkUA0Id4ptUa9CAkcqn/gWkHMptgVwaZKlqZ+QtEa0V2IwUDWS097p3SlLvozw
46+ucWxwTJttCHLzUmNN7w1cIv0w/OHh5IGh+wWjV9pbO0VT3/r2jxkzqksKOYAb5CYzSNRyEwp+NIKr
Y+aJz7myu4Unn9de4cYsuXoAB6FQ5I8AAAEBAJSmDndXJCm7G66qdu3ElsLT0Jlz/es9F27r+xrg5pZ5
GjfBCRvHNo2DF4YW9MKdUQiv+ILMY8OISduTeu32nyA7dwx7z5M8b+DtasRAa1U03EfpvRQps6ovu79m
bt1OE8LS9ql8trx8qyIpYmJxmzIdBQ+kzkY+9ZlaXsaU0Ssuda7xPrX4405CbnKcpvM6q6okMP86Ejjn
75Cfzhv65hJkCjbiF7FZxosCRIuYbhEEKu2Z9Dgh+ZbsZ+9FETZVzKBs4fySA6dIw6zmGINd+KY6umMW
yJNej2Sia70fu3XLHj2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost
to this [4]:
from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync" ssh-dss AAAAB3Nza
C1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4uA+2qx9JNorgdrWKhH
SKHokFFlWRj+qk3q+lGHS+hsXuvta44W0yD0y0sW62wrEVegz+JVmntxeYc0nDz5tVGfZe6ydlgomzj1
bhfdpYe+BAwop8L+EMqKLS4iSacNjoPlHsmqHMnbibn3tBqJEq2QJjEPaiYj1iP5IaCuYBhuTKQGa+oy
H3mXEif5CKdsIKBj46B0tCy0/GC7oWcUN92QdLrUyTeRJZsTWsxKpRbMliD2pBh4oyX/aXEf8+HZBrO5
vQjDBCfTFQA+35Xrd3eTVEjkGkncI0SAeUAAAAVAMZSASmQ9Pi38mdm6oiVXD55Kk2rAAABAE/bA402V
uCsOLg9YS0NKxugT+o4UuIjyl6b2/cMmBVWO39lWAjcsKK/zEdJbrOdt/sKsxIK1/ZIvtl92DLlMhci5
c4tBjCODey4yjLhApjWgvX9D5OPp89qhah4zu509uNX7uH58Zw/+m6ZOLHN28mV5KLUl7FTL2KZ583Kr
cWkUA0Id4ptUa9CAkcqn/gWkHMptgVwaZKlqZ+QtEa0V2IwUDWS097p3SlLvozw46+ucWxwTJttCHLzU
mNN7w1cIv0w/OHh5IGh+wWjV9pbO0VT3/r2jxkzqksKOYAb5CYzSNRyEwp+NIKrY+aJz7myu4Unn9de4
cYsuXoAB6FQ5I8AAAEBAJSmDndXJCm7G66qdu3ElsLT0Jlz/es9F27r+xrg5pZ5GjfBCRvHNo2DF4YW9
MKdUQiv+ILMY8OISduTeu32nyA7dwx7z5M8b+DtasRAa1U03EfpvRQps6ovu79mbt1OE8LS9ql8trx8q
yIpYmJxmzIdBQ+kzkY+9ZlaXsaU0Ssuda7xPrX4405CbnKcpvM6q6okMP86Ejjn75Cfzhv65hJkCjbiF
7FZxosCRIuYbhEEKu2Z9Dgh+ZbsZ+9FETZVzKBs4fySA6dIw6zmGINd+KY6umMWyJNej2Sia70fu3XLH
j2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost
where "10.1.1.1" is the IP (version 4 [5]) address of thishost, and "/home/remoteuser/cron/validate-rsync" (which is just one of a few options [6], including customization [7] to enhance security) is a script that looks something like this:
#!/bin/sh
# Forced command for thishost's rsync key. sshd puts the command the client
# asked for into SSH_ORIGINAL_COMMAND; run it only if it is an rsync server
# invocation containing none of the shell metacharacters below, otherwise refuse.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*|*\(*|*\{*|*\;*|*\<*|*\`*|*\|*)
        echo "Rejected" >&2
        exit 1
        ;;
    rsync\ --server*)
        # deliberately unquoted: the value is word-split into rsync and its
        # arguments but not re-parsed by the shell, so it is run as a single
        # command; the characters refused above are rejected as a precaution
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected" >&2
        exit 1
        ;;
esac
If thishost has a variable address, or shares its address (via NAT or something similar) with hosts you do not trust, omit the 'from="10.1.1.1",' part of the line (including the comma), but leave the 'command' portion. This way, only 'rsync' will be possible from connections using this key. A 'command' option on its own does not stop the key from being used for port forwarding or a terminal, so it is also worth adding 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' to the same comma-separated option list (on OpenSSH 7.2 and later the single option 'restrict' does all of this). Make certain that the 'validate-rsync' script is executable by remoteuser on remotehost and test it.
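An allowlist alternative to the script above, added here as an example and not part of the original article: rather than refusing a list of characters and running whatever else begins with 'rsync --server', it accepts only the exact shape of the server command that a pull with 'rsync -az ... remotehost:/remote/dir' produces on remotehost ('rsync --server --sender <one short-option word> . /remote/dir') and refuses everything else, including a second path, a push (no '--sender') that would overwrite files on remotehost, and long options such as '--log-file=' or '--remove-source-files' that change what the server side does. The option word differs between rsync versions, so only its form (a dash followed by letters and dots) is checked. 'ALLOWED_PATH' and 'validate_rsync_cmd' are names chosen for this example, and the assumption that the job is a pull of /remote/dir comes from the rsync command used throughout this article.

```sh
#!/bin/sh
# Added example (not the article's validate-rsync): allowlist forced command.
# Accepts exactly "rsync --server --sender <one short-option word> . ALLOWED_PATH",
# which is what a pull of ALLOWED_PATH with "rsync -az ... remotehost:ALLOWED_PATH"
# makes the client ask for, and refuses everything else.
# Assumptions: the job is a pull (so --sender is present), the path is fixed,
# and ALLOWED_PATH / validate_rsync_cmd are names chosen for this example.

ALLOWED_PATH=/remote/dir

# validate_rsync_cmd CMD: return 0 if CMD is an acceptable rsync server
# invocation for ALLOWED_PATH, 1 otherwise. Pure string check, executes nothing.
validate_rsync_cmd() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    # fixed prefix and fixed ". ALLOWED_PATH" suffix; anything else (another
    # path, a push without --sender, a trailing "; cat ...") fails here
    case "$cmd" in
        "rsync --server --sender "*" . $ALLOWED_PATH") ;;
        *) return 1 ;;
    esac
    # what is left must be ONE word of short options such as -vlogDtprze.iLsfxC:
    # a leading dash followed only by letters and dots. That rules out a second
    # path, long options (--log-file=..., --remove-source-files) and spaces.
    middle=${cmd#"rsync --server --sender "}
    middle=${middle%" . $ALLOWED_PATH"}
    case "$middle" in
        --*)             return 1 ;;
        -*[!A-Za-z.]*)   return 1 ;;
        -[A-Za-z]*)      return 0 ;;
        *)               return 1 ;;
    esac
}

# Forced-command entry point. sshd sets SSH_ORIGINAL_COMMAND to what the client
# asked for; when it is unset (plain "ssh remoteuser@remotehost" with this key)
# nothing runs and the session simply ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        # validated above: only plain words, so splitting it is safe; exec
        # rsync directly instead of handing the string to a shell
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    echo "Rejected" >&2
    exit 1
fi
```

Install it as the 'command="..."' target exactly as above. To see the option word your own rsync sends, temporarily point 'command=' at a one-line script that does 'echo "$SSH_ORIGINAL_COMMAND" >&2', run the rsync once from thishost and read the line it prints; if it does not begin with 'rsync --server --sender', the job is not the pull this validator expects and the patterns must be adjusted.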
PLEASE NOTE: The private key, though now somewhat limited in what it can do (and hopefully where it can be done from), still allows whoever possesses it to copy any file from remotehost that remoteuser can read. This is dangerous, and I should take whatever precautions I deem necessary to keep this key secret: ensure proper file permissions are assigned, consider using a key caching daemon, and weigh whether this process really needs to be automated against the risk.
ALSO NOTE: Another security detail to consider is the SSH daemon configuration on remotehost. This example focuses on a user (remoteuser) who is not root. I recommend not using root as the remote user because root has access to every file on remotehost. That capability alone is very dangerous, and the penalties for a mistake or misconfiguration can be far steeper than those for a 'normal' user. If you do not use root as your remote user (ever), and you make security decisions for remotehost, I recommend either:
PermitRootLogin no
or:
PermitRootLogin forced-commands-only
be included in the '/etc/ssh/sshd_config' file on remotehost. These are global settings, not just related to this connection, so be sure you do not need the capability these configuration options prohibit. [8].
The 'AllowUsers', 'AllowGroups', 'DenyUsers', and 'DenyGroups' key words can be used to restrict SSH access to particular users and groups. They are documented in the man page for "sshd_config", but I will mention that they all can use '*' and '?' as wildcards to allow and deny access to users and groups that match patterns. 'AllowUsers' and 'DenyUsers' can also restrict by host when the pattern is in USER@HOST form.
Troubleshooting
Now that I have the key with no password in place and configured, I need to test it out before putting it in a cron job (which has its own small set of baggage). I exit from the ssh session to remotehost and try:
$ rsync -avz -e "ssh -i /home/thisuser/cron/thishost-rsync-key" remoteuser@remotehost:/remote/dir /this/dir/
If this doesn't work, I will take off the "command" restriction on the key and try again. If it asks for a password, I will check permissions on the private key file (on thishost, should be 600), on 'authorized_keys' (on remotehost, should be 600), on the '~/.ssh/' directory (on both hosts, should be 700), and on the home directory ('~/') itself (on both hosts, should not be writeable by anyone but the user). If some cryptic 'rsync' protocol error occurs mentioning the 'validate-rsync' script, I will make sure the permissions on 'validate-rsync' (on remotehost, may be 755 if every remotehost user is trusted) allow remoteuser to read and execute it.
If things still aren't working out, some useful information may be found in log files. They are usually found in the /var/log/ directory on most Linux hosts, and in /var/log/secure on Red Hat-ish hosts. The most useful entries in this instance will be on remotehost (sshd logs there why it refused a key or a command), but thishost, the client, may provide some information in its logs too [9]. If you can't get to the logs, or are just impatient, you can make the 'ssh' client itself log what it is doing with the 'verbose' options '-v', '-vv' and '-vvv' (the more v's, the more verbose). Note that the '-v' in 'rsync -avz' is rsync's own verbose flag, not ssh's; to make ssh verbose the flag has to go inside the string passed to '-e'. The command below turns both up:
$ rsync -avvvz -e "ssh -vvv -i /home/thisuser/cron/thishost-rsync-key" remoteuser@remotehost:/remote/dir /this/dir/
Hopefully, it will always just work flawlessly so I never have to extend the troubleshooting information listed here [10] .
Cron Job Setup
The last step is the cron script. I use something like this:
#!/bin/sh
# Pull /remote/dir on remotehost into /this/dir/ on thishost using the
# passphrase-less key; edit the variables for other hosts and paths.
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/home/thisuser/cron/thishost-rsync-key
RUSER=remoteuser
RHOST=remotehost
RPATH=/remote/dir
LPATH=/this/dir/
"$RSYNC" -az -e "$SSH -i $KEY" "$RUSER@$RHOST:$RPATH" "$LPATH"
because it is easy to modify the bits and pieces of the command line for different hosts and paths. I will usually call it something like 'rsync-remotehost-backups' if it contains backups. I test the script too, just in case I carefully inserted an error somewhere.
When I get the script running successfully, I use 'crontab -e' to insert a line for this new cron job:
0 5 * * * /home/thisuser/cron/rsync-remotehost-backups
for a daily 5 AM sync, or:
0 5 * * 5 /home/thisuser/cron/rsync-remotehost-backups
for a weekly sync (5 AM on Fridays). Monthly and yearly ones are rarer for me, so look at "man 5 crontab" for advice on those.
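A more defensive version of the cron script, added as an example rather than taken from the article: the same pull, wrapped so that two runs cannot overlap (if one night's sync is still in progress when the next one starts, the second exits at once) and so that a failed transfer exits non-zero, which makes cron mail the output instead of failing silently. 'run_locked', 'backup_status', 'do_sync' and 'LOCKDIR' are names chosen for this example; the lock is a directory because mkdir either creates it or fails, atomically, unlike a test-then-touch file. The exit codes it interprets are rsync's own (0 success, 24 some source files vanished during the transfer) plus 75, the conventional EX_TEMPFAIL, for a skipped run.

```sh
#!/bin/sh
# Added example (not the article's own cron script): the same pull, with a
# lock so two runs cannot overlap and an exit status cron will report.
# Names chosen for this example: LOCKDIR, run_locked, backup_status, do_sync.
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/home/thisuser/cron/thishost-rsync-key
RUSER=remoteuser
RHOST=remotehost
RPATH=/remote/dir
LPATH=/this/dir/
# a directory, not a file: mkdir either creates it or fails, atomically
LOCKDIR=${LOCKDIR:-${TMPDIR:-/tmp}/rsync-remotehost-backups.lock}

# run_locked CMD [ARG...]: run CMD while holding LOCKDIR and return its exit
# status; return 75 (EX_TEMPFAIL) without running CMD if the lock is taken.
run_locked() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "run_locked: $LOCKDIR exists, previous run still active?" >&2
        return 75
    fi
    # release the lock if we are interrupted; a SIGKILL leaves it behind,
    # and it then has to be removed by hand once no rsync is running
    trap 'rmdir "$LOCKDIR" 2>/dev/null; exit 130' INT TERM
    "$@"
    rc=$?
    rmdir "$LOCKDIR"
    trap - INT TERM
    return $rc
}

# backup_status RC: one-line verdict for an exit status from run_locked.
# rsync's 24 ("some files vanished before transfer") is normal on live data.
backup_status() {
    case "$1" in
        0)  echo "ok" ;;
        24) echo "ok (some files vanished during transfer)" ;;
        75) echo "skipped: previous run still active" ;;
        *)  echo "FAILED: rsync exit status $1" ;;
    esac
}

do_sync() {
    "$RSYNC" -az -e "$SSH -i $KEY" "$RUSER@$RHOST:$RPATH" "$LPATH"
}

# "rsync-remotehost-backups run" performs the sync; with no argument the file
# only defines the functions above, so they can be exercised by hand.
case "${1:-}" in
    run)
        run_locked do_sync
        rc=$?
        backup_status "$rc" >&2
        exit "$rc"
        ;;
esac
```

Call it with the argument 'run' from crontab, e.g. '0 5 * * * /home/thisuser/cron/rsync-remotehost-backups run'. Because the verdict goes to standard error and the script exits with rsync's status, a failure produces a cron mail with the reason, while a clean run stays quiet.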
Linux How to recover grub.conf password and remove kernel panic error
The Grand Unified Bootloader (GRUB) is a multiboot boot loader used for Linux With GRUB, users can select operating systems to run from a menu interface displayed when a system boots up. Use arrow keys to move to an entry and press ENTER.
Suppose you are told that a system will not boot. While booting, it stops and displays an error message:
Kernel Panic - not syncing: Attempted to kill init!
and goes no further. What do you do to get the system to boot?
In this exercise the kernel panic is caused by a broken kernel line in the boot loader configuration. Red Hat Enterprise Linux uses the GRUB boot loader; the kernel parameters are passed by GRUB, and they can be corrected from the GRUB screen at boot time as well as in grub.conf.
RHEL Linux Kernel panic error
For this practical we will deliberately break grub.conf so you can see exactly what causes the kernel panic. Always take a backup before modifying grub.conf:
#cp /etc/grub.conf /root
Then open /etc/grub.conf with vi (on RHEL, /etc/grub.conf is a symlink to /boot/grub/grub.conf):
#vi /etc/grub.conf
Get familiar with the default grub.conf before changing anything. Now break the kernel line by changing the forward slashes (/) in the kernel path to backslashes (\).
Save the file with :wq and reboot the system.
On restart you will get the kernel panic error.
How to remove kernel panic error
Reboot, press the space bar at the boot menu to stop the countdown, select the entry and press e to edit it. Select the kernel line and press e again; you will see the wrong entry from grub.conf.
Correct the kernel parameter by changing the backslashes (\) back to forward slashes (/), press Enter to accept the edited line, then b to boot.
This corrects the error only for this boot. Edits made at the GRUB screen are not written to grub.conf, so you will get the same panic on the next reboot. Once the system is up, do not forget to fix the kernel line permanently (backslash \ back to forward slash /):
#vi /etc/grub.conf
How to remove the grub.conf password
Anyone who can boot the system into single-user mode can reset the root password, which is a serious security risk, so Linux administrators password-protect grub.conf. Two kinds of password can be set there: a global one, required to edit entries at the GRUB menu during boot, and one inside a title stanza, required to boot that operating system. GRUB legacy accepts the password in clear text ('password secret') or as an MD5 hash generated with grub-md5-crypt ('password --md5 <hash>'); use the hashed form and keep grub.conf readable only by root (mode 600), otherwise any local user can read the password out of the file. But what if you lose both the root and the grub.conf passwords? For this practical, open grub.conf:
#vi /etc/grub.conf
Set the password for editing just below the hiddenmenu option, and set the password for booting the OS just below the title line.
Now save file with :wq and restart the system
Now press the space bar at the boot menu and press e to edit; it will ask for the password you set below hiddenmenu.
After that, on the boot screen it will ask for the OS password you set under the title line.
Now assume you have lost all three: the root password, the grub.conf (edit) password and the boot loader (OS) password. How do you recover them?
Boot the system from the Linux installation CD and type 'linux rescue' at the boot: prompt.
Select language to English
Select Keyboard layout to US
Press Enter on Continue and it will search for the Linux installation on the hard disk.
We don't need networking for this operation, so select No.
Rescue mode will mount the system image under /mnt/sysimage; press OK.
Now chroot to /mnt/sysimage and open /etc/grub.conf:
#chroot /mnt/sysimage
#vi /etc/grub.conf
Remove both password lines (the one below hiddenmenu and the one in the title stanza) and save the file.
Now reboot the system and remove the Linux CD from the drive.
After the reboot there should be no password on the OS selection screen,
and none on the boot screen.
Both the boot loader (menu edit) password and the OS selection password have now been removed, so the root password can be reset by booting into single-user mode. If you have difficulties recovering the root password, check our previous article. Note what this procedure demonstrates about the protection itself: a GRUB password stops casual editing at the console, but anyone who can boot the machine from removable media can remove it, so also protect the boot order with a BIOS/firmware password and, where the data matters, encrypt the disk.
Troubleshooting tips to make troubleshooting a Linux kernel panic easier
Issue Description:
Kernel panics on Linux are hard to identify and troubleshoot. Troubleshooting kernel panics often requires reproducing a situation that occurs rarely and collecting data that is difficult to gather.
Solution Summary:
This document outlines several techniques that can help reduce the amount of time necessary to troubleshoot a kernel panic.
Technical Discussion:
What is a kernel panic?
As the name implies, it is when the Linux kernel gets into a situation where it doesn't know what to do next. When this happens, the kernel gives as much information as it can about what caused the problem, depending on what led to the panic.
There are two main kinds of kernel panics:
1) Hard Panic (also known as Aieee! )
2) Soft Panic (also known as Oops )
What can cause a kernel panic?
Only code running in kernel space can directly cause the kernel to panic. To see which modules are dynamically loaded, run 'lsmod'; it lists all dynamically loaded modules (Dialogic® drivers, LiS, SCSI driver, filesystem, etc.). In addition to these dynamically loaded modules, components built into the kernel (memory map, etc.) can cause a panic.
Since hard panics and soft panics are different in nature, this document discusses how to deal with each separately.
How to Troubleshoot a Hard Kernel Panic
Symptoms:
1) Machine is completely locked up and unusable
2) Num Lock / Caps Lock / Scroll Lock keys usually blink
3) If in console mode, dump is displayed on monitor (including the phrase “Aieee!”)
4) Similar to Windows® Blue Screen of Death
Causes:
The most common cause of a hard kernel panic is when a driver crashes within an interrupt handler, usually because it tried to access a null pointer within the interrupt handler. When this happens, that driver cannot handle any new interrupts and eventually the system crashes. This is not exclusive to Dialogic drivers.
Information to collect:
Depending on the nature of the panic, the kernel will log all information it can prior to locking up. Since a kernel panic is a drastic failure, it is uncertain how much information will be logged. Below are key pieces of information to collect. It is important to gather as many of these as possible, but there is no guarantee that all of them will be available, especially the first time a panic is seen.
1) /var/log/messages -- sometimes the entire kernel panic stack trace will be logged there
2) Application / Library logs (RTF, cheetah, etc.) – may show what was happening before the panic
3) Other information about what happened just prior to the panic, or how to reproduce the condition
4) Screen dump from console. Since the OS is locked, you cannot cut and paste from the screen. There are two common ways to get this information:
• Digital photograph of screen (preferred, since it’s quicker and easier)
• Copying screen with pen and paper or typing to another computer
If the dump is not available either in /var/log/messages or on the screen, follow these steps to get a dump:
1) If in GUI mode, switch to full console mode – no dump information is passed to the GUI (not even to GUI shell)
2) Make sure screen stays on during full test run – if a screen saver kicks in, the screen won’t return after a kernel panic. Use these settings to keep the screen on:
• setterm -blank 0
• setterm -powerdown 0
• setvesablank off
3) From console, copy dump from screen (see above)
Troubleshooting when a full trace is available
The stack trace is the most important piece of information to use in troubleshooting a kernel panic. It is often crucial to have a full stack trace, something that may not be available if only a screen dump is provided – the top of the stack may scroll off the screen, leaving only a partial stack trace. If a full trace is available, it is usually sufficient to isolate root cause. To identify whether or not you have a large enough stack trace, look for a line with EIP, which will show what function call and module caused the panic. In the example below, this is shown in the following line:
EIP is at _dlgn_setevmask [streams-dlgnDriver] 0xe
If the culprit is a Dialogic driver you will see a module name with:
streams-xxxxDriver (xxxx = dlgn, dvbm, mercd, etc.)
Hard panic – full trace example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000c
printing eip:
f89e568a
*pde = 32859001
*pte = 00000000
Oops: 0000
Kernel 2.4.9-31enterprise
CPU: 1
EIP: 0010:[] Tainted: PF
EFLAGS: 00010096
EIP is at _dlgn_setevmask [streams-dlgnDriver] 0xe
eax: 00000000 ebx: f65f5410 ecx: f5e16710 edx: f65f5410
esi: 00001ea0 edi: f5e23c30 ebp: f65f5410 esp: f1cf7e78
ds: 0018 es: 0018 ss: 0018
Process pwcallmgr (pid: 10334, stackpage=f1cf7000)
Stack: 00000000 c01067fa 00000086 f1cf7ec0 00001ea0 f5e23c30 f65f5410 f89e53ec
       f89fcd60 f5e16710 f65f5410 f65f5410 f8a54420 f1cf7ec0 f8a4d73a 0000139e
       f5e16710 f89fcd60 00000086 f5e16710 f5e16754 f65f5410 0000034a f894e648
Call Trace: [setup_sigcontext+218/288] setup_sigcontext [kernel] 0xda
Call Trace: [ ] setup_sigcontext [kernel] 0xda
[ ] dlgnwput [streams-dlgnDriver] 0xe8
[ ] Sm_Handle [streams-dlgnDriver] 0x1ea0
[ ] intdrv_lock [streams-dlgnDriver] 0x0
[ ] Gn_Maxpm [streams-dlgnDriver] 0x8ba
[ ] Sm_Handle [streams-dlgnDriver] 0x1ea0
[ ] lis_safe_putnext [streams] 0x168
[ ] __insmod_streams-dvbmDriver_S.bss_L117376 [streams-dvbmDriver] 0xab8
[ ] dvbmwput [streams-dvbmDriver] 0x6f5
[ ] dvwinit [streams-dvbmDriver] 0x2c0
[ ] lis_safe_putnext [streams] 0x168
[ ] lis_strputpmsg [streams] 0x54c
[ ] __insmod_streams_S.rodata_L35552 [streams] 0x182e
[ ] sys_putpmsg [streams] 0x6f
[system_call+51/56] system_call [kernel] 0x33
[ ] system_call [kernel] 0x33
Nov 28 12:17:58 talus kernel:
Nov 28 12:17:58 talus kernel: Code: 8b 70 0c 8b 06 83 f8 20 8b 54 24 20 8b 6c 24 24 76 1c 89 5c
Troubleshooting when a full trace is not available
If only a partial stack trace is available, it can be tricky to isolate the root cause, since there is no explicit information about which module or function call caused the panic. Instead, only the calls leading up to the final one will be seen in a partial stack trace. In this case, it is very important to collect as much information as possible about what happened leading up to the kernel panic (application logs, library traces, steps to reproduce, etc.).
Hard panic – partial trace example (note there is no line with EIP information)
[] ip_rcv [kernel] 0x357
[ ] sramintr [streams_dlgnDriver] 0x32d
[ ] lis_spin_lock_irqsave_fcn [streams] 0x7d
[ ] inthw_lock [streams_dlgnDriver] 0x1c
[ ] pwswtbl [streams_dlgnDriver] 0x0
[ ] dlgnintr [streams_dlgnDriver] 0x4b
[ ] Gn_Maxpm [streams_dlgnDriver] 0x7ae
[ ] __run_timers [kernel] 0xd1
[ ] handle_IRQ_event [kernel] 0x5e
[ ] do_IRQ [kernel] 0xa4
[ ] default_idle [kernel] 0x0
[ ] default_idle [kernel] 0x0
[ ] call_do_IRQ [kernel] 0x5
[ ] default_idle [kernel] 0x0
[ ] default_idle [kernel] 0x0
[ ] default_idle [kernel] 0x2d
[ ] cpu_idle [kernel] 0x2d
[ ] __call_console_drivers [kernel] 0x4b
[ ] call_console_drivers [kernel] 0xeb
Code: 8b 50 0c 85 d2 74 31 f6 42 0a 02 74 04 89 44 24 08 31 f6 0f
<0> Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Using kernel debugger (KDB)
If only a partial trace is available and the supporting information is not sufficient to isolate root cause, it may be useful to use kernel debugger (KDB). KDB is a tool that is compiled into the kernel to cause the kernel to break into a shell rather than lock up when a panic occurs. This enables you to collect additional information about the panic, which is often useful in determining root cause.
Some important things to note about using KDB:
1) If this is a potential Dialogic issue, then Dialogic technical support should be contacted prior to the use of KDB
2) Must use base kernel; i.e. 2.4.18 kernel instead of 2.4.18-5 from RedHat. This is because KDB is only available for the base kernels, and not the builds created by RedHat. Although this does create a slight deviation from the original configuration, it usually does not interfere with root cause analysis.
3) Needs different Dialogic® drivers compiled to handle the specific kernel.
How to Troubleshoot a Soft Kernel Panic
Symptoms
1) Much less severe than hard panic
2) Usually results in a segmentation fault
3) Can see an oops message – search /var/log/messages for string ‘Oops’
4) Machine still somewhat usable (but should be rebooted after information is collected)
Causes
Almost anything that causes a module to crash when it is not within an interrupt handler can cause a soft panic. In this case, the driver itself will crash but will not cause catastrophic system failure since it was not locked in the interrupt handler. The same possible causes exist for soft panics as for hard panics (i.e. accessing a null pointer during runtime).
Information to collect
When a soft panic occurs, the kernel will generate a dump that contains kernel symbols – this information is logged in /var/log/messages. To begin troubleshooting, use the ksymoops utility to turn kernel symbols into meaningful data.
To generate a ksymoops file:
1) Create new file from text of stack trace found in /var/log/messages. Make sure to strip off timestamps, otherwise ksymoops will fail.
2) Run ksymoops on new stack trace file:
Generic: ksymoops -o [location of Dialogic drivers] filename
Example: ksymoops -o /lib/modules/2.4.18-5/misc ksymoops.log
All other defaults should work fine
Soft panic – oops trace example
Code: 8b 70 0c 50 e8 69 f9 f8 ff 83 c4 10 83 f8 08 74 35 66 c7 47
EIP; f89ba71e <[streams-dlgnDriver]_dlgn_setidlestate+1e/8c>
Trace; f8951bd6 <[streams]lis_wakeup_close+86/110>
Trace; f8a2705c <[streams-dlgnDriver]__module_parm_r4_feature+280/1453>
Trace; f8a27040 <[streams-dlgnDriver]__module_parm_r4_feature+264/1453>
Trace; f89b9198 <[streams-dlgnDriver]dlgnwput+e8/204>
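Two of the steps above done in shell, as an added example rather than part of the Dialogic note: removing the syslog prefix from lines copied out of /var/log/messages (step 1 of the ksymoops procedure, which fails on timestamped lines) and extracting the function and module from the 'EIP is at' line, which the hard-panic section says to look for first and which is absent from a partial trace. The sample log lines are constructed for this example from the trace shown earlier (host name 'talus', function _dlgn_setevmask, module streams-dlgnDriver); 'strip_syslog_prefix', 'panic_eip' and 'prepare_oops' are names chosen here.

```sh
#!/bin/sh
# Added example, not part of the original note: prepare an oops copied from
# /var/log/messages for ksymoops and name the function/module on the EIP line.

# strip_syslog_prefix: stdin -> stdout, removing "Mon DD HH:MM:SS host kernel: "
# (the prefix syslog adds and ksymoops cannot parse)
strip_syslog_prefix() {
    sed -e 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]* kernel: //'
}

# panic_eip: stdin -> "function module" from the "EIP is at" line, or nothing
# when the trace is partial (the case the note says needs more context or KDB)
panic_eip() {
    sed -n 's/^EIP is at \([^ ]*\) \[\([^]]*\)].*/\1 \2/p'
}

# prepare_oops RAWFILE OUTFILE: write the stripped trace to OUTFILE and print
# the EIP summary; then run ksymoops on OUTFILE, for example
#   ksymoops -o /lib/modules/$(uname -r)/misc OUTFILE
prepare_oops() {
    strip_syslog_prefix < "$1" > "$2"
    panic_eip < "$2"
}

# Constructed sample of a soft-panic excerpt as syslog records it.
SAMPLE_LOG='Nov 28 12:17:58 talus kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000c
Nov 28 12:17:58 talus kernel: Oops: 0000
Nov 28 12:17:58 talus kernel: EIP is at _dlgn_setevmask [streams-dlgnDriver] 0xe
Nov 28 12:17:58 talus kernel: Code: 8b 70 0c 8b 06 83 f8 20 8b 54 24 20 8b 6c 24 24 76 1c 89 5c'
```

The summary line tells you straight away whether the culprit is a Dialogic driver (module name of the form streams-xxxxDriver) or the base kernel; an empty result means you are holding a partial trace and should gather the application logs and reproduction steps before going further.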
Product List
Dialogic® System Release Software for Linux, all versions
Glossary of Acronyms / Terms
LiS – Linux Streams
SCSI – Small Computer Systems Interface
RTF – Runtime Tracing Facility
KDB – Kernel Debugger
THE APACHE SERVER STATUS & ERROR CODES
Successful Client Requests
200 | OK
201 | Created
202 | Accepted
203 | Non-Authoritative Information
204 | No Content
205 | Reset Content
206 | Partial Content
Client Request Redirected
300 | Multiple Choices
301 | Moved Permanently
302 | Found (called Moved Temporarily in HTTP/1.0)
303 | See Other
304 | Not Modified
305 | Use Proxy
Client Request Errors
400 | Bad Request
401 | Unauthorized (Apache's error page calls this "Authorization Required")
402 | Payment Required (reserved, not used)
403 | Forbidden
404 | Not Found
405 | Method Not Allowed
406 | Not Acceptable (no acceptable content type or encoding)
407 | Proxy Authentication Required
408 | Request Timeout
409 | Conflict
410 | Gone
411 | Length Required
412 | Precondition Failed
413 | Request Entity Too Large
414 | Request-URI Too Long
415 | Unsupported Media Type
Server Errors
500 | Internal Server Error
501 | Not Implemented
502 | Bad Gateway
503 | Service Unavailable
504 | Gateway Timeout
505 | HTTP Version Not Supported
Apache Server Frequently Asked Questions
Error Log Messages and Problems Starting Apache
- Why do I get "setgid: Invalid argument" at startup? Your Group directive (probably in conf/httpd.conf) needs to name a group that actually exists in the /etc/group file (or your system's equivalent). This problem is also frequently seen when a negative number is used in the Group directive (e.g., "Group #-1"). Using a group name -- not a group number -- found in your system's group database should solve this problem in all cases.
- Why am I getting "httpd: could not set socket option TCP_NODELAY" in my error log? This message almost always indicates that the client disconnected before Apache reached the point of calling setsockopt() for the connection. It shouldn't occur for more than about 1% of the requests your server handles, and it's advisory only in any case.
- Why am I getting "connection reset by peer" in my error log? This is a normal message and nothing about which to be alarmed. It simply means that the client canceled the connection before it had been completely set up - such as by the end-user pressing the "Stop" button. People's patience being what it is, sites with response-time problems or slow network links may experience this more than high capacity ones or those with large pipes to the network.
- The error log says Apache dumped core, but where's the dump file? In Apache version 1.2, the error log message about dumped core includes the directory where the dump file should be located. However, many Unixes do not allow a process that has called setuid() to dump core for security reasons; the typical Apache setup has the server started as root to bind to port 80, after which it changes UIDs to a non-privileged user to serve requests.
Dealing with this is extremely operating system-specific, and may require rebuilding your system kernel. Consult your operating system documentation or vendor for more information about whether your system does this and how to bypass it. If there is a documented way of bypassing it, it is recommended that you bypass it only for the httpd server process if possible.
The canonical location for Apache's core-dump files is the ServerRoot directory. As of Apache version 1.3, the location can be set via the CoreDumpDirectory directive to a different directory. Make sure that this directory is writable by the user the server runs as (as opposed to the user the server is started as).
- When I run it under Linux I get "shmget: function not found", what should I do? Your kernel has been built without SysV IPC support. You will have to rebuild the kernel with that support enabled (it's under the "General Setup" submenu). Documentation for kernel building is beyond the scope of this FAQ; you should consult the Kernel HOWTO, or the documentation provided with your distribution, or a Linux newsgroup/mailing list. As a last-resort workaround, you can comment out the #define USE_SHMGET_SCOREBOARD definition in the LINUX section of src/conf.h and rebuild the server (prior to 1.3b4, simply removing #define HAVE_SHMGET would have sufficed). This will produce a server which is slower and less reliable.
- Server hangs, or fails to start, and/or error log fills with "fcntl: F_SETLKW: No record locks available" or similar messages. These are symptoms of a file locking problem, which usually means that the server is trying to use a synchronization file on an NFS filesystem.
Because of its parallel-operation model, the Apache Web server needs to provide some form of synchronization when accessing certain resources. One of these synchronization methods involves taking out locks on a file, which means that the filesystem whereon the lockfile resides must support locking. In many cases this means it can't be kept on an NFS-mounted filesystem.
To cause the Web server to work around the NFS locking limitations, include a line such as the following in your server configuration files:
LockFile /var/run/apache-lock
- Why am I getting "Expected but saw " when I try to start Apache? This is a known problem with certain versions of the AIX C compiler. IBM are working on a solution, and the issue is being tracked by problem report #2312.
- I'm using RedHat Linux and I have problems with httpd dying randomly or not restarting properly RedHat Linux versions 4.x (and possibly earlier) RPMs contain various nasty scripts which do not stop or restart Apache properly. These can affect you even if you're not running the RedHat supplied RPMs.
If you're using the default install then you're probably running Apache 1.1.3, which is outdated. From RedHat's ftp site you can pick up a more recent RPM for Apache 1.2.x. This will solve one of the problems.
If you're using a custom built Apache rather than the RedHat RPMs then you should rpm -e apache. In particular you want the mildly broken /etc/logrotate.d/apache script to be removed, and you want the broken /etc/rc.d/init.d/httpd (or httpd.init) script to be removed. The latter is actually fixed by the apache-1.2.5 RPMs but if you're building your own Apache then you probably don't want the RedHat files.
We can't stress enough how important it is for folks, especially vendors to follow the stopping Apache directions given in our documentation. In RedHat's defense, the broken scripts were necessary with Apache 1.1.x because the Linux support in 1.1.x was very poor, and there were various race conditions on all platforms. None of this should be necessary with Apache 1.2 and later.
- I upgraded from an Apache version earlier than 1.2.0 and suddenly I have problems with Apache dying randomly or not restarting properly. You should read the previous note about problems with RedHat installations. It is entirely likely that your installation has start/stop/restart scripts which were built for an earlier version of Apache. Versions earlier than 1.2.0 had various race conditions that made it necessary to use kill -9 at times to take out all the httpd servers. But that should not be necessary any longer. You should follow the directions on how to stop and restart Apache.
As of Apache 1.3 there is a script src/support/apachectl which, after a bit of customization, is suitable for starting, stopping, and restarting your server.
- When I try to start Apache from a DOS window, I get a message like "Cannot determine host name. Use ServerName directive to set it manually." What does this mean? It means what it says; the Apache software can't determine the hostname of your system. Edit your conf\httpd.conf file, look for the string "ServerName", and make sure there's an uncommented directive such as
ServerName localhost
ServerName www.foo.com
Also, make sure that your Windows system has DNS enabled. See the TCP/IP setup component of the Networking or Internet Options control panel.
After verifying that DNS is enabled and that you have a valid hostname in your ServerName directive, try to start the server again.
- When I try to start Apache for Windows, I get a message like "Unable To Locate WS2_32.DLL...". What should I do? Short answer: You need to install Winsock 2, available from http://www.microsoft.com/windows95/downloads/
Detailed answer: Prior to version 1.3.9, Apache for Windows used Winsock 1.1. Beginning with version 1.3.9, Apache began using Winsock 2 features (specifically, WSADuplicateSocket()). WS2_32.DLL implements the Winsock 2 API. Winsock 2 ships with Windows NT 4.0 and Windows 98. Some of the earlier releases of Windows 95 did not include Winsock 2.
- Apache for Windows does not start. Error log contains this message: "[crit] (10045) The attempted operation is not supported for the type of object referenced: Parent: WSADuplicateSocket failed for socket ###". What does this mean? We have seen this problem when Apache is run on systems along with Virtual Private Networking clients like Aventail Connect. Aventail Connect is a Layered Service Provider (LSP) that inserts itself, as a "shim," between the Winsock 2 API and Window's native Winsock 2 implementation. The Aventail Connect shim does not implement WSADuplicateSocket, which is the cause of the failure.
The shim is not unloaded when Aventail Connect is shut down. Once observed, the problem persists until the shim is either explicitly unloaded or the machine is rebooted. Another potential solution (not tested) is to add apache.exe to the Aventail "Connect Exclusion List".
Apache is affected in a similar way by any firewall program that isn't correctly configured. Make sure you exclude your Apache server ports (usually port 80) from the list of ports to block. Refer to your firewall program's documentation for the how-to.
- When I try to start Apache on Windows, I get a message like "System error 1067 has occurred. The process terminated unexpectedly." What does this mean? This message means that the Web server was unable to start correctly for one reason or another. To find out why, execute the following commands in a DOS window:
c:
cd "\Program Files\Apache Group\Apache"
apache
(If you don't get the prompt back, hit Control-C to cause Apache to exit.)
The error you see will probably be one of those preceding this question in the FAQ.
As of Apache 1.3.14, first check the Windows NT Event Log for Application errors using the Windows NT/2000 Event Viewer program. Any errors that occur prior to opening the Apache error log will be stored here, if Apache is run as a Service on NT or 2000. As with any error, also check your Apache error log.
- On a SuSE Linux system, I try and configure access control using basic authentication. Although I follow the example exactly, authentication fails, and an error message "admin: not a valid FDN: ...." is logged. In the SuSE distribution, additional 3rd party authentication modules have been added and activated by default. These modules interfere with the Apache standard modules and cause Basic authentication to fail. Our recommendation is to comment out all those modules in /etc/httpd/suse_addmodule.conf and /etc/httpd/suse_loadmodule.conf which are not actually required for running your server.
- Why do I have weird entries in my logs asking for default.ida and cmd.exe? The host requesting pages from your website and creating those entries is a Windows machine running IIS that has been infected by an Internet worm such as Nimda or Code Red. You can safely ignore these error messages as they do not affect Apache. ApacheWeek has an article with more information.
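The practical question behind this entry is how to tell the harmless worm noise apart from a request the server actually answered. The following added example (not code from the FAQ or the Apache project) parses Common Log Format access-log lines, tags requests for the two paths named above (default.ida for Code Red, cmd.exe for Nimda-style probes), counts them per source host, and lists any such request that did not receive a 4xx, since that would mean the server served something for it and deserves a look. The log lines are constructed sample input; the family names are labels chosen here.

```python
"""Triage Code Red / Nimda probe noise in an Apache access log (added example)."""
import re
from collections import Counter, defaultdict

# Common Log Format: host ident authuser [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the FAQ entry above; the family names are our own labels.
WORM_SIGNATURES = {
    "code-red": re.compile(r"/default\.ida(?:[?/]|$)", re.IGNORECASE),
    "nimda": re.compile(r"/cmd\.exe(?:[?/]|$)", re.IGNORECASE),
}

# Constructed sample input: three 404 probes, one normal hit, one probe answered 200.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [19/Jul/2001:08:01:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 281
192.0.2.11 - - [18/Sep/2001:10:22:13 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 287
192.0.2.11 - - [18/Sep/2001:10:22:15 +0000] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 287
198.51.100.7 - - [18/Sep/2001:11:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [18/Sep/2001:11:05:00 +0000] "GET /cgi-bin/cmd.exe HTTP/1.0" 200 512
"""


def classify_request(path: str):
    """Return the worm family whose signature matches the request path, else None."""
    for family, pattern in WORM_SIGNATURES.items():
        if pattern.search(path):
            return family
    return None


def triage_access_log(text: str) -> dict:
    """Summarise worm probes: counts per family, per source host, and the
    probes that were NOT rejected with a 4xx (those need a human to look)."""
    by_family = Counter()
    by_host = defaultdict(Counter)
    needs_review = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these too
        family = classify_request(m.group("path"))
        if family is None:
            continue
        status = int(m.group("status"))
        by_family[family] += 1
        by_host[m.group("host")][family] += 1
        if not 400 <= status < 500:
            needs_review.append((m.group("host"), m.group("path"), status))
    return {
        "by_family": dict(by_family),
        "by_host": {host: dict(counts) for host, counts in by_host.items()},
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    report = triage_access_log(SAMPLE_ACCESS_LOG)
    print("probes per family:", report["by_family"])
    print("probes per source :", report["by_host"])
    for host, path, status in report["needs_review"]:
        print(f"REVIEW: {host} got HTTP {status} for {path}")
```

Run against a real access_log by passing the file contents to `triage_access_log`; an empty `needs_review` list is the outcome the FAQ entry describes (every probe was a 404), and the per-host counts are what you would hand to whoever owns the infected machine.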
- Why am I getting server restart messages periodically, when I did not restart the server? Problem: You are noticing restart messages in your error log, periodically, when you know you did not restart the server yourself:
[Thu Jun 6 04:02:01 2002] [notice] SIGHUP received. Attempting to restart
[Thu Jun 6 04:02:02 2002] [notice] Apache configured -- resuming normal operations
Check your cron jobs to see when/if your server logs are being rotated. Compare the time of rotation to the error message time. If they are the same, you can somewhat safely assume that the restart is due to your server logs being rotated.
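Comparing restart times against the crontab by eye works for one entry; over a month of logs a small script is more reliable. The following added example (not code from the FAQ or the Apache project) parses the "SIGHUP received" notices out of an error log, parses standard five-field crontab lines, and pairs each restart with the job scheduled in the preceding couple of minutes, so that restarts with no scheduled explanation stand out. It assumes the error_log timestamp format shown above; the log lines and the crontab are constructed sample input.

```python
"""Correlate SIGHUP restarts in an Apache error log with cron (added example)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

RESTART_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"
    r" \[notice\] SIGHUP received"
)

# Constructed sample input: one restart at the rotation time, one unexplained.
SAMPLE_ERROR_LOG = """\
[Thu Jun  6 04:02:01 2002] [notice] SIGHUP received.  Attempting to restart
[Thu Jun  6 04:02:02 2002] [notice] Apache configured -- resuming normal operations
[Thu Jun  6 15:47:33 2002] [notice] SIGHUP received.  Attempting to restart
[Thu Jun  6 15:47:34 2002] [notice] Apache configured -- resuming normal operations
"""
SAMPLE_CRONTAB = """\
# constructed: nightly rotation that sends httpd a HUP afterwards
2 4 * * * /usr/sbin/logrotate /etc/logrotate.d/apache
"""


def _field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Match one crontab field (*, n, a-b, a,b,c and */step forms) against value."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_fires_at(fields: list[str], when: datetime) -> bool:
    """True if a five-field cron schedule fires at the given minute."""
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7  # cron: Sunday=0 or 7; Python: Monday=0
    dow_ok = _field_matches(dow, cron_dow, 0, 7) or (
        cron_dow == 0 and _field_matches(dow, 7, 0, 7))
    return (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and _field_matches(dom, when.day, 1, 31)
            and _field_matches(month, when.month, 1, 12)
            and dow_ok)


def parse_restarts(error_log: str) -> list[datetime]:
    """Timestamps of every 'SIGHUP received' notice in the error log."""
    found = []
    for line in error_log.splitlines():
        m = RESTART_RE.match(line)
        if m:
            ts = " ".join(m.group("ts").split())  # collapse the padded day field
            found.append(datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"))
    return found


def parse_crontab(crontab: str) -> list[tuple[list[str], str]]:
    """(schedule fields, command) for each non-comment crontab line."""
    jobs = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            jobs.append((parts[:5], parts[5]))
    return jobs


def explain_restarts(error_log: str, crontab: str, window_minutes: int = 2):
    """Pair each restart with the cron command scheduled within the preceding
    window_minutes, or None when no job explains it (worth investigating)."""
    jobs = parse_crontab(crontab)
    results = []
    for ts in parse_restarts(error_log):
        culprit = None
        for back in range(window_minutes + 1):
            candidate = (ts - timedelta(minutes=back)).replace(second=0, microsecond=0)
            culprit = next((cmd for f, cmd in jobs if cron_fires_at(f, candidate)), None)
            if culprit:
                break
        results.append((ts, culprit))
    return results


if __name__ == "__main__":
    for ts, culprit in explain_restarts(SAMPLE_ERROR_LOG, SAMPLE_CRONTAB):
        print(ts.isoformat(), "->", culprit or "UNEXPLAINED restart")
```

Feed it the concatenated contents of /etc/crontab and /etc/cron.d/* (and root's crontab) together with the error log; the window is deliberately short because a restart minutes away from any scheduled rotation is exactly the kind of event the FAQ says to look into.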
- Why am I getting "module module-name is not compatible with this version of Apache" messages in my error log? Module Magic Number (MMN) is a constant defined in Apache source that is associated with binary compatibility of modules. It is changed when internal Apache structures, function calls and other significant parts of API change in such a way that binary compatibility cannot be guaranteed any more. On MMN change, all third party modules have to be at least recompiled, sometimes even slightly changed in order to work with the new version of Apache.
If you're getting the above error messages, contact the vendor of the module for the new binary, or compile it if you have access to the source code.
How To Install Oracle On RHEL5?
In this post we will see how to install Oracle on RHEL5.
The most popular database(DB) software known to man is Oracle.
Step1 : Before installing Oracle, the following packages must be installed on the machine.
1. compat-gcc
2. compat-libstdc++
3. compat-db
4. make-3.79
5. binutils-2.11.90.0.8-12
6. gcc-3.2
7. openmotif-2.2
8. setarch-1.3
All these packages are on the RHEL5 DVD, so set up a YUM server for easy installation of the above packages; otherwise you have to install them one by one with the rpm command, which will run into a lot of dependencies.
Step2 : Set the kernel parameters by editing /etc/sysctl.conf or by using the sysctl -w command, as follows.
Note : Whenever you edit any file, take a backup of that file before editing it.
kernel.shmall = 268435456
kernel.sem = 250 32000 100 128
kernel.shmmax = 2147483647
kernel.shmmni = 4096
kernel.shmall = 2097152
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
kernel.sem=250 32000 100 128
net.core.rmem_default = 4194304
net.core.rmem_max= 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 262144
#cp /etc/sysctl.conf /etc/sysctl.conf.org
#vi /etc/sysctl.conf
After entering the above values, save and exit the file,
or use sysctl -w to set kernel parameters.
Here I will give just one example of how to set a parameter using the sysctl -w command.
Suppose I want to change the kernel.sem value; just execute the command below.
#/sbin/sysctl -w kernel.sem="250 32000 100 128"
Step3 : After editing the file, check whether there is any issue by loading the settings with sysctl -p, which prints each value as it applies it.
#sysctl -p
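The parameter list in Step2 contains kernel.shmall twice with different values (268435456 and 2097152) and kernel.sem twice with the same value. sysctl -p applies a file top to bottom, so for a repeated key the last value silently wins, and sysctl -p itself will not warn you. The following added example (not code from the original post) parses a sysctl.conf fragment, reports every duplicated key, singles out the ones whose values actually differ, and shows the value that would take effect; the embedded sample is the page's own parameter list.

```python
"""Check a sysctl.conf fragment for duplicate keys before loading it (added example)."""
import re

# key = value, with optional surrounding whitespace; '#' and ';' start comments
SYSCTL_LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.\-/]+)\s*=\s*(?P<value>.*?)\s*$")

# Sample input: the parameter list from Step2 above, reproduced verbatim.
SAMPLE_SYSCTL_CONF = """\
kernel.shmall = 268435456
kernel.sem = 250 32000 100 128
kernel.shmmax = 2147483647
kernel.shmmni = 4096
kernel.shmall = 2097152
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
kernel.sem=250 32000 100 128
net.core.rmem_default = 4194304
net.core.rmem_max= 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 262144
"""


def parse_sysctl_conf(text: str):
    """Return (effective, duplicates).

    effective  maps key -> the value sysctl -p would end up applying (the last one)
    duplicates maps key -> every value seen for it, in file order (only repeated keys)
    """
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SYSCTL_LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'key = value' entry: {raw!r}")
        # sysctl accepts net/ipv4/... as well as net.ipv4...; normalise so both collide
        key = m.group("key").replace("/", ".")
        seen.setdefault(key, []).append(m.group("value"))
    effective = {k: v[-1] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def conflicting_duplicates(duplicates: dict) -> dict:
    """Keep only the repeated keys whose values differ; identical repeats are harmless."""
    return {k: v for k, v in duplicates.items() if len(set(v)) > 1}


if __name__ == "__main__":
    effective, duplicates = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    for key, values in duplicates.items():
        verdict = "CONFLICT" if len(set(values)) > 1 else "repeated"
        print(f"{verdict}: {key} = {values} -> effective {effective[key]!r}")
```

Run it over the real /etc/sysctl.conf before `sysctl -p`; a non-empty result from `conflicting_duplicates` means the file does not say what you think it says, and the fix is to delete the stale line rather than rely on ordering.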
Note1 : Most of the installation is done as the oracle user unless specified otherwise. Only at the end of the installation do we need to run two scripts as root, which set the path variables.
Note2 : If you are installing Oracle on a remote machine, we have to export the display to the local machine or take a VNC session to the remote machine.
Step4 : Create the dba group
#groupadd dba
Step5 : Create the oracle user with primary group dba and home directory /oracle
#useradd -d /oracle -g dba oracle
Installation :
Step1 : Copy the Oracle software to some folder and change into the database directory as shown below.
cd /test/database
Here you will find the runInstaller script, which you should execute as the oracle user; this has to be done in the GUI itself (so in order to execute this command you have to export the display or take a VNC session to the remote machine). Here in this document I have taken a VNC connection to the remote machine where I am installing the OS. For those who don't have VNC, export the display as follows.
Step2 : Exporting the display. You have to execute these commands as the oracle user on the remote machine where you are going to install Oracle. One more thing: the display should be exported to the local machine where you are going to perform your installation.
DISPLAY=<system name or IP>:0.0
export DISPLAY
Note : The system name or IP in the above DISPLAY command is the IP address or hostname of your local machine.
[Screenshot: the installer dialog prompting you to run the root.sh script]
The above screenshot shows that you have to run the script, and this should be run only by root.
Step3 : Script to be run by the root user.
[root@test oracle]# /oracle/oracle/product/10.2.0/db_1/root.sh
Running Oracle10 root.sh script...
The following environment variables are set as:
ORACLE_OWNER= oracle
ORACLE_HOME= /oracle/oracle/product/10.2.0/db_1
Enter the full pathname of the local bin directory : [/usr/local/bin]:
Copying dbhome to /usr/local/bin ...
Copying oraenv to /usr/local/bin ...
Copying coraenv to /usr/local/bin ...
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root.sh script.
Now product-specific root actions will be performed.
Once this has been run as root, go back to the oracle user's GUI login and click OK to exit.
Step4 : Now we have to check whether Oracle is installed properly. Set the ORACLE_HOME variable in the oracle user's .bash_profile and add the Oracle bin directory to PATH as follows, so that we can start/stop the Oracle listener with lsnrctl. Edit .bash_profile as the oracle user:
$vi ~/.bash_profile
PATH=$PATH:$HOME/bin
export PATH
ORACLE_HOME=/oracle/oracle/product/10.2.0/db_1
PATH=$PATH:$ORACLE_HOME/bin
ORACLE_SID=orcl
export PATH ORACLE_HOME ORACLE_SID
Save and exit the file. Once done, source the .bash_profile file. Then start the Oracle listener using the command below.
[oracle@v-itig42 ~]$ lsnrctl start
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 05-MAR-2010 07:12:13
Copyright (c) 1991, 2005, Oracle. All rights reserved.
TNS-01106: Listener using listener name LISTENER has already been started
For checking the status:
[oracle@v-itig42 ~]$ lsnrctl status
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 05-MAR-2010 07:12:01
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC3)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 05-MAR-2010 06:10:20
Uptime 0 days 1 hr. 1 min. 41 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /oracle/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC3)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=v-itig42.persistent.co.in)(PORT=1523)))
Services Summary :
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orclXDB" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
Service "orcl_XPT" has 1 instance(s).
Instance "orcl", status READY, has 1 handler(s) for this service...
The command completed successfully
Step5 : Connect to the Oracle SQL database (this should be done only as the oracle user).
[oracle@v-itig42 ~]$ sqlplus /nolog
SQL*Plus: Release 10.2.0.1.0 - Production on Fri Mar 5 07:22:56 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
SQL>
This SQL> prompt indicates you have successfully connected.
SQL> conn sys@iasdb as sysdba
Enter password:
Connected to an idle instance.
SQL>
If the database is not started it will show the message "Connected to an idle instance."
Step6 : To start the database, execute
SQL> startup
ORACLE instance started.
Total System Global Area 289406976 bytes
Fixed Size 1301536 bytes
Variable Size 262677472 bytes
Database Buffers 25165824 bytes
Redo Buffers 262144 bytes
Database mounted.
Database opened.
SQL>
Step7 : To check the name of the database
SQL> select name from v_$database;
NAME
---------
IASDB