Mapping port to pid in solaris

In solaris, how can you tell which process is binding to certain port? Given a limited user privilege, and no lsof available. Please let me know if you have the answer. In the meantime, I have to stick with the script written by Lubos Kosco:

#!/bin/bash

# Get the process which listens on port

# $1 is the port we are looking for

if [ $# -lt 1 ]
then
echo "Please provide a port number parameter for this script"
echo "e.g. $0 22"
exit
fi

echo "Greping for your port, please be patient (CTRL+C breaks) ... "

for i in `ls /proc`
do
pfiles $i | grep AF_INET | grep $1
if [ $? -eq 0 ]
then
echo Is owned by pid $i
fi
done

The original page is here. Thanks Lubos and thanks google.

more...

less...

Do 5 before 5

I'm blogging today(during lunch time of course), because I'm quite free compared to last week, and weeks before that. By the way, I just received a confirmation letter for my position as System Integrator. Thank God(reads Allah) for that.

Salary - Money paid to an employee for regular work performed that is supposed to reflect the true value of the employee to the company, but more often resembles a bad joke - urban dictionary.


Did I ever mentioned that this is the first time I feel overpaid(it is NOT that high! or is it because I always get less? hu hu). Before this, even though I never cried it out loud, I always that the company did not pay me as much as I work. My principle is quite simple actually, and I always give the same answer during any job interview. You give me something, then I'll give you something, if not more. Usually it turns out the other way around. Regardless of how lazy I am, or how late I went home, there's always "something" at the end of the month. But most people including me, just like to nag around that the company should pay me this much or this much, although everything should be settled right after they step into the company. We always want more aren't we?

But things a bit different for me now. Going back early is like a crime, at least for me (One more reason is that the office hour officially start at 10). Somehow I just feel unfair to the company, looking at how much they paid to get me to work. And I repeat, its not that high, really. I got bunch of friends who earn more than me, and I respect that. I dont have any formula to calculate the effort I put in against the salary I get. One of the reason I feel this way, most probably because I have been jobless for 3 months before I got this job. It is hard to appreciate something until it is no longer in your possession. Remembering the struggling my family had to go through, makes the appreciation towards the 'rezeki' is higher, and thank God(always reads Allah) for that. And I hope the company feel the same way too.

Rasulullah (PBUH) said(a hadith that people tend to overlook):

“Make the most of five things before five others: life before death, health before sickness, free time before becoming busy, youth before old age, and wealth before poverty.” (Saheeh al-Jaami’)

And yes, you'll never appreciate life until you're dead, but then, it might be a bit too late.

more...

less...

Alhamdulillah (Thank God)

Systems Engineer
JobStreet SELECT
Job Status: Vacant
Total Applications: 7
Priority Applications: 0
Under Consideration: 1

My Application: Hired
Applied On: 16 Jun 2009
Viewed: 4 times

Special thanks to my wife, friends and relatives for your support during the hard time.

EOT

more...

less...

Nightmare on Ampang Street

Q. Do you know what is the worst nightmare for Sys Admin other than having a single point of failure that actually fails?

A. Not getting paid for 3 months(probably more), in a row

EOT

more...

less...

Holy goosh!

Feeling bored of the same old search engine? Then check this out. Cool eh!

EOT

more...

less...

New pair of shoes

I had been wearing my office shoes for as long as I have been married. Yes, the pair was included in the 'hantaran' package. Since then, I brought them to the cobbler twice, until it was going to cost me more to repair than buying a new one. So, early this year, I bought a motorcycle and outdoor shoes to go with the bike, which I have been using in the office as well.

Apparently, as I was also looking for another job at that time, I promised myself not to buy a new pair of shoes until I get a new job. And guess what, I just bought myself a new pair of office shoes.

EOT

more...

less...

Internet access, linux not ok, windows ok, *bsd ok

So what seemed to be a problem? Recently, within our network segment, guarded by pf firewall, somehow linux(redhat,fedora,*buntu) found difficulty in accessing the internet. Either the page is half loaded, or did not come out at all. It is not the browser; same result using wget. Obviously it is not the network; since XP and *BSD can go out. So, I suspect the pf is the mole. But since the pf owner is not around, and IT department could not be much of a help unless the problem affecting their segment, nothing much can be done. Plus I'm half system admin I used to be, too lazy to trace out the root cause now. Btw, here's the definition of problem based on ITIL concept(taken from wikipedia):

A problem is a condition often identified as a result of multiple Incidents that exhibit common symptoms. Problems can also be identified from a single significant Incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a Work-around.

EOT

more...

less...

Changelog April 2008

A few bugs detected. Many things had been either fixed,ignored,or upgraded. Plus, many new experiments took place since February.

Government - positively fixed on 8th March with 5 state won by Opposition and denied 2/3 majority of Barisan Nasional in Dewan Rakyat.

Traffic jam - fixed with my new Honda Wave S 125. Automatically fixed a sleepy morning blues at the office.

Bugs detected, current office shoe not waterproof - to be replaced with a slipper or Waterproof Hi-Tec shoes. I went for the shoe.

Bugs detected, Redhat jacket is not waterproof (learn it a hard way) - to be replaced with infamous GIVI rain coat.

Boredom - fixed with a week trip to Indonesia. Request a status change from boredom to credit card headache.

Baby - upgraded to a toddler.

My Support Team - added 2 more executives, total up to 9 effective support personnels. A lot of things has been self cured. Still has a room for improvement. But sincerely, I'm proud of you guys. To be improved with a new Department Head(coming soon).

Annoying colleague,client - to be ignored until ermm (to be decided later)

Loving wife - equipped with company notebook, finally.

Inspiron 510m notebook with XP - upgraded RAM to 2GB, only to find the hibernation not working. Fixed with this patch. Thanks in advance(not tested yet).

Active request:
A notebook bag for wife (slimline paris from mobile edge is so tempting)
A house (hopefully by year end)
A new job (KIV aiyahh)

more...

less...

P-r-o-d-u-c-t-i-v-i-t-y

I am no motivator to preach about productivity. But when instant messenger is banned as the main cause of low productivity, I think somebody somewhere is missing a bigger picture. It is like preventing a driver to have a passenger for a long ride. He still can drive a car with no problem but boredom. Somehow he will find another way to get freshen up(eg stop for a snack/ciggy), and that will eventually still slowing him down. We have to admit, under normal circumstances, different people has different productive time. You cannot expect them to give 100 percent focusing on the job from 9 to 5. This is not a NASCAR race.

And it is depends on the nature of the job. A good system administrator will spend almost all his time doing other things besides reading mail because almost all tasks have been taken care of automatically. All backups will go smoothly as scheduled with minimal user intervention. Any abnormal activities will be alerted via email or sms. And no one can simply say that he's not productive in doing his work. He's just doing his work a smart way, not the hard way as what productivity suggested.

It is depends also on how your boss see things. I remember one episode of Seinfeld, where George got an idea how to fool his boss. He drove his car early in the morning and parked it near his boss 's parking space, then went home by bus. His boss then noticed George's car every time he parked his car and when he wanted to return home. His boss thought that George is a morning person and loves working late. What he did not know that George was spending time somewhere else and produce zero output. It is unethical but it works(at least for George).

For me, as a Moslem, I am bound to the what religion says. It is now depends on how God see things. As a Moslem, everything I do, I do it for God. And God always watching me and that thought will keep me away for any wrongdoings in life, Insyallah. If I cheat in my job, I might fool my boss but then I'll have a problem with the God. And I am very sure I don't want to come to that. Live for Islam, Die for Islam, 1 vote for PAS.

more...

less...

And then nagios asked "Hi servers, how are you today?"

There are quite a numbers of Network or Health Monitoring System. Being an opensource user I have shortlisted several of them; nagios, zabbix, zenoss, opennms. If you really need a quick one, choose zabbix, then you got yourself a car. If you got time, learn nagios. You'll be given an engine, then you have to choose the type of body, rear wheel drive or 4 wheel drive, how many doors do you want and so on, until finally you got yourself a car. OpenNMS has the enterprise look but like zabbix, quite dependant on SNMP but not as easy to install. Zenoss has gained a good position in term of ranking at sourceforge.net and currently is ranked at no 9. I might wanna try to look at this(and openNMS) later on but in the meantime, nagios, i choose you.

This guide is intended for those using Redhat,Fedora,Centos and I have added some steps to fit my needs. This steps works for me but I am not responsible for what you are going to do to your system. Like any other system admins, you should always have and setup a test server before put it into production.

refer http://nagios.sourceforge.net/docs/3_0/quickstart-fedora.html for original quickstart documentation

Introduction

This guide is intended to provide you with simple instructions on how to install Nagios from source (code) on Fedora and have it monitoring your local machine inside of 20 minutes. No advanced installation options are discussed here - just the basics that will work for 95% of users who want to get started.

These instructions were written based on a standard Fedora Core 6 Linux distribution.

What You'll End Up With

If you follow these instructions, here's what you'll end up with:

* Nagios and the plugins will be installed underneath /usr/local/nagios
* Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
* The Nagios web interface will be accessible at http://localhost/nagios/

Prerequisites

During portions of the installation you'll need to have root access to your machine.

Make sure you've installed the following packages on your Fedora installation before continuing.

* Apache
* GCC compiler
* GD development libraries
* RRDtool

You can use yum to install these packages by running the following commands (as root):

# yum install httpd
# yum install gcc
# yum install glibc glibc-common
# yum install gd gd-devel gd-progs
# yum install rrdtool

1) Create Account Information

Become the root user.

# su -l

Create a new nagios user account and give it a password.

# /usr/sbin/useradd nagios
# passwd nagios

Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

# /usr/sbin/groupadd nagcmd
# /usr/sbin/usermod -G nagcmd nagios
# /usr/sbin/usermod -G nagcmd apache

2) Download Nagios and the Plugins

Create a directory for storing the downloads.

# mkdir ~/downloads
# cd ~/downloads

Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). At the time of writing, the latest versions of Nagios and the Nagios plugins were 3.0rc1 and 1.4.11, respectively.

# wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nagios-3.0rc1.tar.gz
# wget http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

3) Compile and Install Nagios

Extract the Nagios source code tarball.

# cd ~/downloads
# tar xzf nagios-3.0rc1.tar.gz
# cd nagios-3.0rc1

Run the Nagios configure script, passing the name of the group you created earlier like so:

# ./configure --with-command-group=nagcmd

Compile the Nagios source code.

# make all

Install binaries, init script, sample config files and set permissions on the external command directory.

# make install
# make install-init
# make install-config
# make install-commandmode

Don't start Nagios yet - there's still more that needs to be done...

4) Customize Configuration

Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed...

Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.

# vi /usr/local/nagios/etc/objects/contacts.cfg

5) Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

# make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.

# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

create a file called .htaccess in /usr/local/nagios/sbin containing:

AuthUserFile /usr/local/nagios/etc/htpasswd.users
AuthName "Welcome To Nagios"
AuthType Basic
Require valid-user

Restart Apache to make the new settings take effect.

service httpd restart

6) Compile and Install the Nagios Plugins

Extract the Nagios plugins source code tarball.

# cd ~/downloads
# tar xzf nagios-plugins-1.4.11.tar.gz
# cd nagios-plugins-1.4.11

Compile and install the plugins.

# ./configure --with-nagios-user=nagios --with-nagios-group=nagios
# make
# make install

7) Start Nagios

Add Nagios to the list of system services and have it automatically start when the system boots.

# chkconfig --add nagios
# chkconfig nagios on

Verify the sample Nagios configuration files.

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

# service nagios start

8) Modify SELinux Settings

Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.

See if SELinux is in Enforcing mode.

getenforce

Put SELinux into Permissive mode.

setenforce 0

To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.

Instead of disabling SELinux or setting it to permissive mode, you can use the following command to run the CGIs under SELinux enforcing/targeted mode:

# chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
# chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

For information on running the Nagios CGIs under Enforcing mode with a targeted policy, visit the NagiosCommunity.org wiki at http://www.nagioscommunity.org/wiki.

9) Login to the Web Interface

You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.

http://localhost/nagios/

Click on the "Service Detail" navbar link to see details of what's being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time.

10) Other Modifications

Make sure your machine's firewall rules are configured to allow access to the web server if you want to access the Nagios interface remotely.

Configuring email notifications is out of the scope of this documentation. While Nagios is currently configured to send you email notifications, your system may not yet have a mail program properly installed or configured. Refer to your system documentation, search the web, or look to the NagiosCommunity.org wiki for specific instructions on configuring your system to send email messages to external addresses. More information on notifications can be found here.

11) You're Done(Well, I'm not)

Congratulations! You sucessfully installed Nagios. Your journey into monitoring is just beginning. You'll no doubt want to monitor more than just your local machine, so check out the following docs...

* Monitoring Windows machines
* Monitoring Linux/Unix machines
* Monitoring Netware servers
* Monitoring routers/switches
* Monitoring publicly available services (HTTP, FTP, SSH, etc.)

12) Beautify it a lil bit

Download nuvola style front-end from nagiosexchange.org.
Browse also for some other interesting logo package available there.
Previously, I used whiteline.zip and extract it into /usr/local/nagios/share/images/logos
# mkdir /usr/local/nuvola
# cd /usr/local/nuvola
# tar -zxvf ~/downloads/nagios-nuvola-1.0.3.tar.gz

Backup(just in case)
# cp /usr/local/nagios/share /usr/local/nagios/share.old
# cp -rf html/ /usr/local/nagios/share
edit /usr/local/nagios/share/config.js to make sure cgi-bin pointing to the right path and some other option

Done.

13) Replace nagios logo with your custom logo in statusmap

make sure you have install gd-progs package
turn your logo into gif or png format(eg mine.gif) and put it in /usr/local/nagios/share/images/logos
# cd /usr/local/nagios/share/images/logos
use pngtogd2 tool or giftogd2 tools to convert it into gd2 format
# ls -al mine.gif
-rw-r--r-- 1 root root 1536 Jan 24 12:24 mine.gif

# giftogd2 mine.gif mine.gd2 1536 1

backup old and replace with new logo
# cp nagios.gd2 nagios.gd2.old
# cp mine.gd2 nagios.gd2

Done.

14) Nagiosgraph

http://www.novell.com/coolsolutions/feature/19843.html provides good details
# cd /usr/local/
# tar -zxvf ~/downloads/nagiosgraph-0.9.0.tgz
read the INSTALL file carefully
you might need to create nagiosgraph.log and /var/spool/perfdata.log
and can manipulate the data like in serviceextinfo.cfg like:

define serviceextinfo {
service_description PING
hostgroup MYHOSTGROUP
notes_url show.cgi?host=$HOSTNAME$&service=$SERVICEDESC$&db=ping,losspct&db=ping,rta
icon_image graph.gif
icon_image_alt View graphs
}
so it gives a clearer picture by separating the data in 2 different graph

any problem refer here:
http://nagiosgraph.wiki.sourceforge.net/errors_and_troubleshooting

15) SMS Notification

download smstools and buy GSM Modem Wavecom 1306b

Now there's your car.

more...

less...

Note to self: Perl Module Installation using CPAN

First approach:
[root@svr rrdtool]# perl -MCPAN -e shell

cpan shell -- CPAN exploration and modules installation (v1.61)
ReadLine support available (try 'install Bundle::CPAN')

cpan> install Time::HiRes
CPAN: Storable loaded ok

Makefile:91: *** missing separator
then set the environment variable LC_ALL to "C" and retry
from scratch (re-run perl "Makefile.PL").
(And consider upgrading your Perl.)
(You got this message because you seem to have
an UTF-8 locale active in your shell environment, this used
to cause broken Makefiles to be created from Makefile.PLs.)
Makefile:91: *** missing separator. Stop.
Deng!


To search for module while in the shell:
cpan> i /HiRes/
Or if you know the exact name of the modules, can install it straight away:
[root@svr rrdtool]# perl -MCPAN -e install 'Time::HiRes'

To check the installed modules:
[root@svr4 nagios]# perl -e 'use Time::HiRes;'
Can't locate Time/HiRes.pm in @INC -- meaning the modules is not(yet) installed

For manual installation:
Go search for the module at here, then:

[root@svr rrdtool]wget http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9711.tar.gz
[root@svr rrdtool] tar -zxvf Time-HiRes-1.9711.tar.gz
[root@svr rrdtool] cd Time-HiRes-1.9711
[root@svr Time-HiRes-1.9711] perl Makefile.PL
[root@svr Time-HiRes-1.9711] make
[root@svr Time-HiRes-1.9711] make test
[root@svr Time-HiRes-1.9711] make install

Back to the error, google brought me to perl monks website

"RH9 caused more than a few problems for me with a number of modules until I edited my /etc/sysconfig/i18n file. Here's mine:

#LANG="en_US.UTF-8"
LANG="en_US"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"

It looks like some modules (like CPAN!) don't like that UTF-8. If you don't want to monkey with your system-wide locale setting, just type "export LANG=en_US" and then try your install again."

So i did just that.
Test the module again:
[root@svr4 Time-HiRes-1.9711]# perl -e 'use Time::HiRes;'
[root@svr4 Time-HiRes-1.9711]#

No error means the modules is there.

more...

less...

Bee-sy

Busy like a bee. That's how I feel for since October, 2007. Since I'm becoming a Support Team Leader, so called. My major task is coordinating the team, other than attending to the meeting and some troubleshooting. In November alone, I attended 11 meeting/discussion, excluding informal discussion and sidewalk chats. So this is how the management see things. This is so different. This is so not me.

Most of the discussion/meeting are meant for Head of Unit or Head of Department role which are still vacant as of now. So automatically, most of the their tasks are falling right back at me. Now I consider my team and me is just like a bodyless and headless lizard tail, wiggling around(most of the times being played around by a cat, a very bad, idiotic cat).

I suppose I cannot be called a Sys Admin anymore. Thankfully I am wrong. My services still useful for some of the projects(I'm still exist so to speak). Sometimes I feel like being technically downgraded. Most of the time I feel like being used. I wonder if this what they called a middle-aged crisis or career crisis. But no matter what people called it, I hope I'll see a solution soon. Sorry for that is one heck of a nag. I'll buzz off for now.

Btw, have you watched that movie "Bee the movie". Its about how can a single individual can make difference in the world, hoping for something better, but turn out worse. I brought my 3 year-old son to the movie just to watch him took an 8 ringgit nap. More nagggging, less bloggging. Buzzz zzzZzZzzzzz

more...

less...

Better Things

Better Things lyric, heard from Marky Ramones and The Intruders. Well written, well sang..

Here’s wishing you the bluest skies
And hoping something better comes tomorrow
Hoping all the verses rhyme
And the very best of choruses to…
Follow all the doubt and sadness
I know that better things are on the way

Here’s hoping all the days ahead
Won’t be as bitter as the ones behind you
Be an optimist instead
And somehow happiness will find you
Forget what happened yesterday
I know that better things are on the way

It’s really good to see you rocking out
And having fun
Living like you just begun
Accept your life and what it brings
I hope tomorrow you’ll find better things
I hope tomorrow you’ll find better things

Here’s wishing you the bluest skies
And hoping something better comes tomorrow
Hoping all the verses rhyme
And the very best of choruses to…

Follow all the doubt and sadness
I know that better things are on the way

I know you got a lotta good things
Happening up ahead
The fast is gone
It’s all been said
Here’s to what the future brings
I hope tomorrow you’ll find better things
I hope tomorrow you’ll find better things
I hope tomorrow you’ll find better things
I hope tomorrow you’ll find better things

more...

less...

Large file support for Apache

I'm about to do some Linux installation on several PC. Somehow I just feel to do it via network. Since I've done it using NFS before, this time around http method will be used. The server running on Centos 4.4 already had httpd-2.0.52-28.ent.centos4 installed and already got fedora 6 DVD iso on my external hard drive. So everything's seemed to be in place, right? TTEEETTTT!

I'd uploaded the iso into /var/www/html/fc6 and start up the httpd daemon. Then, fire up firefox and put http://fileserver/fc6/ just to see an empty directory. Moreover, I got the 403 forbidden error when try to access the file directly. Check the error logs and see the the infamous error message
"[Thu Nov 01 14:18:58 2007] [error] [client 192.168.1.207 ] (75)Value too large for defined data type: access to /fc6/FC-6-i386-DVD.iso failed".
Asked google and get a few reference, something was missing in my installed apache so that it could not support any file bigger than 2GB.

OK, no big deal, just use yum to update. But the version suggested by yum is still did not have this feature supported. Next alternative, download a tarball from the the apache itself(version 2.0.61) and run ./configure. Deng!! no gcc installed. Thanks to yum update, the compiler is installed a few minutes later.

./configure, make && make install, went smoothly. But still the get the error messages. I first thought that the later version has automatically set this large file option, guess I was wrong. So google some more to find the required parameters.
Later, I reconfigure my apache using the flags as below:

[root@fileserv httpd-2.0.61]# CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" ./configure --prefix=/usr/local/www

The file appeared in the browser and accessible. There goes the half day. Case closed. Got a DBA to meet.

more...

less...

Happy SysAdmin Day

For today is July 27th, I'd like to wish all system administrators, men or women, friends or foes, mcses or rhces, old or young, married or single, tall or short, thin or fat, with shoes or barefoot, lazy or hardworking, doing commercial or opensource, Happy SysAdmin Day!

We sure work harder(or hardly work) than some of you :p . And yet, they got one day specially dedicated for each of them. Well secretaries and others, you can have any other day of the year for all I care, but every last friday of July is SysAdmin Day. Secretaries usually will spend the whole day in saloon or any place with mirrors as they want to look elegant during dinner while Apek will joke and sing for them. And what about us? Well I dont want no singer(other than pussycat dolls or shania twain, sigh!) but a little appreciation will do(such as bonuses,lunch treat).

What are the things you really want to do on SysAdmin Day? Well, for me, I dont want anything special(a brand new notebook wont hurt though). Since we sure dont have an ample time to celebrate, just think of something that you cannot give us on any other day. Yes, just give me and other IT people a Peace of Mind.

We are not SpongeBob that has "Go to work" only in his to-do list. We dont hate users, we just can communicate better with machines than with them. And in most cases, machines understand us better too. Below are some of the things that you should avoid doing on the last Friday of July or any other times. For a full list, in case you want to print out as a reminder, go to here.

Dont do any critical things on the Friday, since if something could go wrong, you know how we are always dying to work on weekend.

Read the documentations/manuals before asking questions, do not wild-guessing the linux command with paramaters if you're not sure, use the manpages or I will 'lart -use "monkey wrench" ' you.

If something happened, just make up a story that can save your cute ars*, and let us digging up all the logs and let you know what really happened, we just love playing puzzle games with either missing or wrong pieces.

Shall you not listen, then just go ahead, make my day.

How are you going to appreciate us on SysAdminDay? I dont expect much of it. Do we deserve it? I think yes, we certainly do.

more...

less...

A See Thru Firewall

A transparent firewall has some pros and cons. In OpenBSD, it use a bridging feature offered by the OS. I use a machine with 2 NICs, running OpenBSD 4.1 to build this perimeter fencing.

Pros:
On network, nobody knows it was there(except its coming from your big mouth)
Since it is ip-less, you can avoid the many hacking attempt(physical attempt is excluded), but still open for DDOS in rare cases.

Cons:
You cannot do anything related with IP on it(eg. NATting,dhcp,mail)
You cannot ping(for monitoring or testing or troubleshooting) since it is ip-less
You cannot ssh to it since it is ip-less(again). So anything, you have to face the coldness of the server cave.

How do you configure it. Well the rules in the pf.conf is up to you. What I know on setting up this poise machine is as below:

first create a file in /etc called bridgename.bridge0
and put these lines into it:
add bge0
add bge1
up

Save it and while still in /etc, create files called hostname.bge0 and hostname.bge1 and put this line into both:
up

Save it and go on editing /etc/rc.conf
search for pf=NO entry and change "NO" to "YES"

Save rc.conf and move on to the next file /etc/sysctl.conf and uncomment this line
net.inet.ip.forwarding=1

Provided you have pf.conf well-configured, restart the network and load the rules
#sh /etc/netstart
#pfctl -f /etc/pf.conf

Last but not least, to avoid some performance issue(kapla_hodot and I found an issue of duplicate packet or something, sorry I dont remember but I've read it somewhere) be sure to use only one interface to control the rules. The other interface should be all allow, for example:

external_if="bge0"
internal_if="bge1"
scrub in all
#allow all internal
pass in quick on $internal_if all
pass out quick on $internal_if all
#block all external
block in log on $external_if all
block out log on $external_if all
#your passing rules go here and just use "external_if" in your lines

That's about it, I dont want to drill down this firewall thingy, because there is already a firewall engineer post available nowadays(and I got a lot of other things to think about in life). Please let me know if I'm missing something. Else, voila.

more...

less...

Memory Lane - Tape Backup For Linux (Recovery)

A few days after using flexbackup as a backup tool, then I've reached the next phase in the procedure; Data Recovery. In other words, how'd you want to extract the data from the tape. Being absolutely vain in tape backup, I quickly typed 'ls' to view the content of the tape. Well, I wish it was that easy.

But it was not that difficult either provided you understand some basic things about a tape. Note to self: a tape is nothing like a cd where you can easily mount and unmount. A tape is not a folder where it holds all the files and sub-folder. It is just a media that use sequential access in archiving data instead of random access method used in disk.

So I compare the requirement given to me with what Flexbackup can offers. Flexbackup has an extract feature(--extract) and it also can read(--flist) a file that has list of archives to extract. That will do it. But first I need to get the list. So using tar -itvf and mt command, I end up with this tape-list.sh:

#
#!/bin/bash
# This simple script is to create a list of files from the tape.
# This list will be use to extract - [eg. tape-extract ]
# by yoe Dec,2005

help_usage()
{
echo "Usage: $0 filename "
exit 0
}

if [ $# -ne 1 ]; then
#echo "Usage: $0 [filename] "
help_usage
exit
fi

if [ -f "$1" ]; then
echo file exist!
echo choose another filename
exit 1
fi

tape=/dev/nst0
currentdir=`echo $PWD`
now=`date +'%Y%m%d'`
tempfile="temp.$now"
h=0

/bin/mt -f $tape rewind
/bin/mt -f $tape eod
lastcount=`/bin/mt -f $tape status |grep -i file |awk '{print $2}' |tr -d "number=" |tr -d ","`
echo "There are $lastcount blocks on the tape .."
echo
echo "Preparing to create filelist $2"
echo
/bin/mt -f $tape rewind
echo "Start creating filelist $2"

cd $currentdir
while [ $h -le $lastcount ]
do
tar -itvf $tape | awk '$1 !~ /V/' | awk '{print $6}' | sed -e 's/\.\///g' | grep "." >> $tempfile
h=$((h+1))
done

cat $tempfile | sort | uniq > $2
echo "Done creating filelist $2"
echo

#remove temporary file
#echo "Clearing temp files"
#echo
rm -rf $currentdir/$tempfile
#echo DONE
EOF

eg. #./tape-list list1.txt

so every files on the tape will be listed into a file called list1.txt. So, in list1.txt I just leave which ever file I need to restore and delete the unwanted. Then here's another script to extract the files listed in list1.txt called tape-extract.sh:

#!/bin/bash
# This simple script is for extracting files from backup.
# It requires a list that can be easily created using tape-list script
# by yoe Dec,2005

help_usage()
{
echo "Usage: $0 filename "
exit 0
}

currentdir=`echo $PWD`
logdir="/usr/local/test/log/"
now=`date +'%Y%m%d'`
tape="/dev/nst0"
logfile="tape-extract.log.$now"
flex_config="/etc/flexbackup.nst0"
if [ $# -ne 2 ]; then
help_usage
exit
fi

if [ -f "$2" ]; then

echo "extracting files into $currentdir"
h=0
/bin/mt -f $tape rewind
/bin/mt -f $tape eod
#/bin/mt -f $tape bsf 1
lastcount=`/bin/mt -f $tape status |grep -i file |awk '{print $2}' |tr -d "number=" |tr -d ","`
echo "There are $lastcount blocks on the tape .."
echo
echo Preparing to extract

/bin/mt -f $tape rewind

echo "Start finding and extracting files"
echo

cd $currentdir
while [ $h -le $lastcount ]
do
#/bin/mt -f $tape rewind
#/bin/mt -f $tape fsf $h
/usr/bin/flexbackup -c $flex_config -extract -flist $2 1>> $logdir$logfile 2>> $logdir$logfile
#/usr/bin/flexbackup -extract -flist $1
#/bin/mt -f $tape rewind
#echo h: $h
#echo 2m: $m
h=$((h+1))
done

echo "Done extracting"
echo "Create logfile named $logfile in log directory"
else
echo "file does not exist!"
echo
fi
EOF

eg. #./tape-extract list1.txt

more...

less...

Utilizing netsh to Change IP Address

Most all the time, I will hanging out in different client sites that require me to change the IP Address and some other TCP/IP configuration. The usual way requires several combination of mouse clicks and keypress. This is when netsh come in handy (thanks to kapla_hodot for showing the way). Yes, you might know better, but since this is my blog so I want to put something useful to me as a noob system admin. This is just a note to self on how to create the netsh network configuration file.

For dhcp setting, first fire up your favorite text editor(notepad,ultraedit,vim etc.). Then, put this lines into the file.

interface ip
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
bye

Then save it to the file called, say C:\dhcp.netsh

To test it out, go to the command prompt and type:

C:\>netsh exec dhcp.netsh

Here are the sample configuration for static IP Address:

interface ip
set address name="Local Area Connection" source=static addr=192.168.1.207 mask=255.255.255.0
set address name="Local Area Connection" gateway=192.168.1.5 gwmetric=0
set dns name="Local Area Connection" source=static addr=192.168.1.6 register=PRIMARY
add dns name="Local Area Connection" addr=202.188.0.133 index=2
bye

Note that the line
add dns name="Local Area Connection" addr=202.188.0.133 index=2
is intended to specify the secondary DNS.

Some people go all the way to specify a new file type, so that you can just simply double-click the file to run it. But for me, the current way is lazy enough to fit the purpose.

more...

less...

Memory Lane - Tape Backup for Linux

Remembering the first task given to me, to find a backup solution for server logs. Being given a Redhat 9 box (dont ask why), and a tape drive (stop asking!), I have to choose appropriate tools to get the job done. Yes, you can simply do backup using built-in commands such as tar, cpio, dump etc. But I've never done this before and I'm sort of short of time, so I needed a quick (some people called it dirty) way to do this. After numerous searh engine and reviews, I end up with flexbackup tool.


Why flexbackup? Firstly, it is flexible as it sounds. It's like a middle-man software, where you first decide what kind of archive you want to use (afio, dump, tar, cpio, star, pax, zip, lha, ar, shar) the backup device, logfiles etc. and it will take care the rest. In my case I use 'tar' as the archive type.

So I downloaded the flexbackup tarball and installed it on the machine. The tape drive (Dell PV100T) is connected to the server via SCSI interface. So on RH9, you might want to load certain module for the tape drive to be recognized.

[root@bekap]# insmod /lib/modules/2.4.20-8smp/kernel/drivers/scsi/aic7xxx_old.o
[root@bekap]# insmod /lib/modules/2.4.20-8smp/kernel/drivers/scsi/st.o

Use the mt command to check the status of the device. On linux with one tape drive, the drive may be recognized as /dev/st0(or nst0). As far as I remember, st0 and nst0 are reffering to the same device, with different condition. If you run a command using /dev/nst0, the tape will be rewinded first before the running the command. If /dev/st0 is used, the command will be run at the current location on the tape.

[root@bekap]# whatis mt
mt (1) - control magnetic tape drive operation

[root@bekap]# mt -f /dev/nst0 status
SCSI 2 tape drive:
File number=0, block number=0, partition=0.
Tape block size 0 bytes. Density code 0x25 (DDS-3).
Soft error count since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

To automate almost everything(what a sys admin always do), I just need to write a simple and sluggish bash script that contains mt command to operate the tape drive, and flexbackup command to backup files/folders.
Let say I need to backup all files in directory called /var/log/msglog.
Here's what I did:

[root@bekap]# cat /usr/local/test/tape-backup-log
#!/bin/bash
# This simple script is to be run for incremental log backup
# by yoe Dec,2005

if [ $# -ne 1 ]; then
echo "Usage: $0 [full] [incremental]"
exit
fi

tape="/dev/nst0"
rew=`mt -f $tape rewind`
flex_config="/etc/flexbackup.nst0"
#rewind the tape

#backup /var/log/msglog
#echo "backup /var/log/msglog"

if [ "$1" = "full" ];
then
echo "backup full for msglog"
echo
$rew
flexbackup -c $flex_config -dir /var/log/msglog -level full &> /dev/null
$rew
echo "Done . Refer log directory for details."

elif [ "$1" = "incremental" ];
then
echo "backup incremental for msglog"
echo
$rew
flexbackup -c $flex_config -dir /var/log/msglog -level incremental &> /dev/null
$rew
echo "Done . Refer log directory for details."
else


If you want to minimize user intervention, than blow it to the cronjob

[root@bekap]# crontab -l
# after inserting new tape, rewind, erase and full backup every 1st of the month at 10:05 am
5 10 1 1-12 * /bin/mt -f /dev/nst0 rewind && /bin/mt -f /dev/nst0 erase && /usr/local/test/tape-backup-log full

# run incremental backup every thursday 11:30 pm.
30 23 * 1-12 4 /usr/local/test/tape-backup-log incremental

Finally make an appropriate schedule for tape replacement.

dirty enough?

more...

less...

Friday Blues

I'm not sure if this headache I'm having is closely related to the sprained shoulder pain that I had since last week . Or issit because I have 3 reports to compile before next friday. Or issit because of a small lump-look-alike just between my son's chin and his neck. Or issit just because the career path i've chosen.

Talking about the career path, today is last day for my colleague. Like he mentioned, he's moving to the greener side of the field. No matter how green is it, the grass I'm standing on is a bit tasteless now comparing when I first arrived. Still I have to munch as long as it pay my bills. As what I said during interview session, "You give me something, I give you something, if not more".

By the way, a big thanks to the company for sponsoring the Umrah package. It was a fantastic journey, spiritually. For that, I'll struggle to be a good system administrator, not to mention notebook cleaner, cable puller, scanner troubleshooter and last but not least helpdesk operator.

more...

less...