LinuxSysAdmin

Things I don't want to look for twice..

Monthly Archives: February 2010

FreeBSD (III)

BSD Jails – some improved version of traditional chroot environment. It allows you to configure a hostname, an IP address, and processes does not leave in any case the jail they run into.
So, if you’re already using bash like I am, this are the steps:

# i used /usr/jail/myjail as my first jail in FreeBSD.
export J /usr/jail/myjail
mkdir -p $J
cd /usr/src
make buildworld # run it when using jails for the first time…and wait, it’s gonna last..
make ‌installworld DESTDIR=$J
make distribution DESTDIR=$J
mount -t devfs devfs $J/dev

Enable it on startup by editing /etc/rc.conf like this:

jail_enable=”YES”
jail_list=”myjail”
jail_myjail_rootdir=”/usr/jail/myjail”
jail_myjail_hostname=”myjail.localdomain”
jail_myjail_ip=”192.168.0.224″
jail_myjail_devfs_enable=”YES”
jail_myjail_devfs_ruleset=”myjail_ruleset”

To start/stop your jail, use this:

/etc/rc.d/jail start myjail
/etc/rc.d/jail stop myjail

To cleanly shutdown a jail, run:

sh /etc/rc.shutdown #from inside a jail

or, use jexec utility.
Some other programs you’ll probably use with jails, are found in /usr/ports/sysutils:

jailadmin, jailctl, jailutils

To see what jails are running you can run:

jls

To run a tcsh on a jail, run:

jexec JID tcsh

…which will get you directly on that jail.

Advertisements

Compiz Fusion – how to make inactive windows transparent

I’ve search for this on Google because i couldn’t find it myself. First of all, you’ll need compizconfig-settings-manager so you should apt-get install this first.
After this, go check the Effects > Trailfocus and then click the Appearance tab. You’ll see there:

– Opacity level of focused windows – normally left at 100
– Opacity level of unfocused windows – set this to whatever you want (this is the opacity of inactive windows)

BTW, i’m on Ubuntu 9.10 over here…

[update]: Well, it seems Compiz is running smoothly on my EeePC 1008HA with enough settings enabled, including that one from above…including the Water effect thing, which is actually …damn…filling out my desktop..and couldn’t see what i was writing) I know, i act like a 2 years old kid. But it looks veeery veeeery nice. Practicly, you don’t need a screen saver. If you don’t want anyone seeing what you have on your desktop, just run the water effect thing, and that’s all..

Ubuntu/Debian network adapter bonding

apt-get install ifenslave

nano /etc/modprobe.d/bonding.conf

alias bond0 bonding
options bonding mode=0 miimon=100

modes:
0 – Transmit packets in sequential order from the first available slave through the last.
1 – Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails.
2 – This selects the same slave for each destination MAC address.
3 – Transmits everything on all slave interfaces.
4 – IEEE 802.3ad Dynamic link aggregation.

nano /etc/network/interfaces

auto lo
interface lo inet loopback
auto bond0
iface bond0 inet static
address 10.10.10.10
netmask 255.255.255.0
gateway 10.10.10.1
slaves eth0 eth1
bond-mode 0
bond-miimon 100

FreeBSD resource performance

…after 2 tries to recompile its kernel, and some sendmail disable, i finally got it working like this:
last pid:   814;  load averages:  0.12,  0.15,  0.07
up 0+00:14:50  20:02:00
9 processes:   1 running, 8 sleeping
CPU:     % user,     % nice,     % system,     % interrupt,     % idle
Mem: 3816K Active, 4968K Inact, 20M Wired, 9632K Buf, 968M Free
Swap: 537M Total, 537M Free
PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
769 root          1  44    0  9400K  4380K select  1   0:00  0.00% sshd
720 root          1  70    0  3372K  1380K nanslp  0   0:00  0.00% cron
772 root          1  44    0  4572K  2316K wait    1   0:00  0.00% bash
473 root          1  44    0  3344K  1328K select  1   0:00  0.00% syslogd
711 root          1  44    0  6676K  3616K select  0   0:00  0.00% sshd
768 root          1  76    0  3344K  1180K ttyin   0   0:00  0.00% getty
767 root          1  76    0  3344K  1180K ttyin   1   0:00  0.00% getty
814 root          1  44    0  3680K  1796K CPU0    0   0:00  0.00% top
370 root          1  44    0  1888K   540K select  1   0:00  0.00% devd

[root@ ~]# vmstat
procs      memory      page                    disks     faults         cpu
r b w     avm    fre   flt  re  pi  po    fr  sr da0 pa0   in   sy   cs us sy id
0 0 0  39704K   968M    64   0   0   0    54   0   0   0    2  129   78  0  1 99

Now that’s a veeeery light resource consuming operating system, isn’t it?!

FreeBSD (II)

Installing X11 on FreeBSD

# cd /usr/ports/x11/xorg
# make install clean
# nano /etc/rc.conf

add this to rc.conf for keyboard and mouse auto-detection:

hald_enable=”YES”
dbus_enable=”YES”

Nice thing with installing things in FreeBSD. For example, using a package manager in Red Hat and Debian based distributions doesn’t allow you to install multiple packages from different consoles, that’s mainly because it has to track every changes to the internal database of packages installed, so if you’re installing a package in a console windows, and you try to install another package in another console window, you’ll get an error telling you the package database is locked. Well, in my newly installed FreeBSD I’m installing X.org in a console window, and nano editor in another one. Pretty cool shit!!
To test if X is starting, you run “startx” in CLI, and you should see some green window crap.
Installing Gnome is way too easy:

# pkg_add –r gnome2

Additionally, if you want gnome to be started automatically, you add this to /etc/rc.conf:

# gdm_enable=”YES”
# gnome_enable=”YES”

Upgrading installed ports. You can easily do that by using one of the commands:

# portmanager –u
# portmaster –a
# portupgrade –a

Cleaning disk space after using ports can be done like this:

# portsclean –C # to clean up ports collection
# portsclean –DD # to clean up dist files

FreeBSD (I)

How to update installed ports:

# portsnap fetch
# portsnap extract update

How to install and switch default shell to bash:

# cd /usr/ports/shell/bash
# make install clean
(and prepare yourself for a looong waiting…because it’s installing a lot of dependencies)
chsh –s /usr/local/bin/bash

So now, you’ll have filename, path and command autocompletion.
You can install Midnight Commander like this:

# cd /usr/ports/misc/mc
# make install clean

…and of course, wait…
After that, you can have VI iMproved installed like this:

# cd /usr/ports/editors/vim
# make install clean

If you don’t like default “top”, you can install “htop” by doing this:

# cd /usr/ports/sysutils/htop
# make install clean

I also installed “lsof”, because it was in the handbook they have on the website, so  you can find it in “/usr/ports/sysutils/lsof”.
Another few network settings, and i’m done for today. So, if you need static IP for your internet card you can set it up in “/etc/rc.conf” like this:

ifconfig_le0=”inet 192.168.0.100 netmask 255.255.255.0″

If you need to configure a gateway, you can add this to the same “rc.conf”:

defaultrouter=”192.168.0.1″

And for domain resolution, i had to manually create a file called “/etc/resolv.conf” and add my
wireless router to the file like this:

nameserver 192.168.0.1

That’s all for today.

UNIX/Linux common kill signals

NAME
kill — terminate or signal a process
SYNOPSIS
kill [-s signal_name] pid
kill -l [exit_status]
kill signal_name pid
kill signal_number pid
DESCRIPTION
The kill utility sends a signal to the processes specified by the pid operands. Only the super-user may send signals to other users’ processes. The options are as follows:
-s signal_name A symbolic signal name specifying the signal to be sent instead of the default TERM.
-l [exit_status] If no operand is given, list the signal names; otherwise, writethe signal name corresponding to exit_status.
signal_name A symbolic signal name specifying the signal to be sent instead of the default TERM.
signal_number A non-negative decimal integer, specifying the signal to be sent instead of the default TERM.
The following PIDs have special meanings:
-1 If superuser, broadcast the signal to all processes; otherwise broadcast to all processes belonging to the user.
Some of the more commonly used signals:
1 HUP (hang up)
2 INT (interrupt)
3 QUIT (quit)
6 ABRT (abort)
9 KILL (non-catchable, non-ignorable kill)
14 ALRM (alarm clock)
15 TERM (software termination signal)
This is copied from the freebsd kill manual from here. It’s copied over here cause i keep forgetting all this crap.

Linux Atheros AR9285 wireless driver

So, my 1008HA eee pc has a Atheros Communications Inc. AR9285 Wireless Network Adapter as lspci shows me. Usually, linux uses the default ath9k driver for it, but unfortunately, it sucks. It disconnects, it’s slow, it’s a big fucking mess. So, if you need wireless drivers for your Atheros wireless adapter, i’d proudly recommend this website:

http://linuxwireless.org/

From there, you can download an archive called compat-wireless. Unarchive it, make, make install, …and then reboot your computer. You’ll have a brand new ath9k driver that …RULEZ! No more disconnecting from the wireless AP, no more 30% signal when u’re 5m away from the AP…

IPSec + L2TP on Ubuntu

The requirements were to find a way to make secure VPN tunnel with the workplace, and dial-up VPN being not so secured, we opted for IPsec with L2TP, the built-in VPN client in Windows distributions – including my newly Windows Mobile 6.1, which i actually tested and works great with the VPN.
Basically, we’ll start with a fresh clean installation of Ubuntu Server, in my case, the lastest one 9.04. You start to apt-get everything you need:

apt-get update
apt-get install openswan xl2tpd

PPP is already installed so you won’t have any problems with it. This scenario will be a “road warrior”, because we want to be able to connect from every kind of internet connection to the company’s network – including home internet, 3G modem connected to the laptop, GPRS connection on the mobile phone, ..whatever.
Ok, so you’ll need to configure some files first. Let’s start with ipsec:

ipsec.conf

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
left=99.99.99.99                  #your external IP address for the clients to enter in their VPN wizzard
leftnexthop=99.99.99.1    #your gateway
leftprotoport=17/1701
right=%any
rightprotoport=17/0

This is the default ipsec.conf configuration file that is installed together with openswan. Next, you’ll have to configure a secret for IPsec, and you’ll do that by configuring /etc/ipsec.secrets file:

99.99.99.99 %any : PSK “yourfavouritepresharedkey”

That should be all for IPsec to work. You just have to put it on startup with:
update-rc.d ipsec defaults
Ok, next, you’ll have to configure xl2tp to work. For that, there is a file called /etc/xl2tpd/xl2tpd.conf that needs to be edited:

[global]                                                                ; Global parameters:
ipsec saref = yes
listen-addr = 99.99.99.99
port = 1701                                                     ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are
rand source = dev                     ; Source for entropy for random
[lns default]                                                   ; Our fallthrough LNS definition
exclusive = no                                          ; * Only permit one tunnel per host
ip range = 88.88.88.50-88.88.88.150     ; * Allocate from this IP range
local ip = 88.88.88.1                           ; * Our local IP to use
length bit = yes                                                ; * Use length bit in payload?
refuse pap = yes                                                ; * Refuse PAP authentication
refuse chap = yes                                               ; * Refuse CHAP authentication
require authentication = yes                    ; * Require peer to authenticate
name = vpn-srv                                        ; * Report this as our hostname
ppp debug = yes                                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd                     ; * ppp options file

I guess this is almost self explanatory, ..but if you need some help on this, just put a comment. 2 files to go. First is the pppoptfile – /etc/ppp/options.l2tpd

/etc/ppp/options.l2tpd

asyncmap 0
auth
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx

After configuring ppp to work with xl2tp, there is one more step for things to work – authentication. You accomplish that by editing the auth file /etc/ppp/chap-secrets

/etc/ppp/chap-secrets

user1      l2tpd     user1password    88.88.88.5

#specify an IP from the range or out of it; whenever user1 is logging in, it will get the same IP

user2      l2tpd     user2password *

# user2 will always get an IP from the range specified in the range from xl2tpd.conf file.
That’s about it. When I’ll feel like doing print screens, I’ll show you how you add your VPN connection in a Windows XP, but i guess you can already find that out with google search.

[update]: i tried the configuration i posted on my blog, but vista client behind NAT didn’t work at all. There are 2 things you should do:

1. registry modification on windows xp/vista:
for windows xp:
in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec create a DWORDcalled AssumeUDPEncapsulationContextOnSendRule and assign the hex value of “2″. This should allow both client and server behind NAT.
for windows vista:

in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent create a 32-bit DWORD called AssumeUDPEncapsulationContextOnSendRule and assign the same value of “2″ for the same reasons.

2. you should define private networks in ipsec.conf by adding this into ipsec.conf in config setup section:

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

It should work after all this.

[update2]: here is the latest configuration that worked, with computers behind NAT or not, with Vista or XP..works with all combinations – of course, with the registry key inserted where it has to be.

conn ROADW-NAT
rightsubnet=vhost:%priv
authby=secret
pfs=no
rekey=no
keyingtries=3
left=80.80.80.80
leftnexthop=80.80.80.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=15
dpdtimeout=60
dpdaction=clear
type=transport
auto=add
conn ROADW
authby=secret
pfs=no
rekey=no
keyingtries=3
left=80.80.80.80
leftnexthop=80.80.80.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=15
dpdtimeout=60
dpdaction=clear
type=transport
auto=add

and of course, insert this line in ipsec.conf:

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

This should work in every type of road warrior. Have fun!! The rest of the configuration files are exactly the ones from above..

Hot vs Cold cloning

It’s not about human cloning, ok?
It’s about VMware cloning. VMware, which is the new project i have to finish in few months – virtualizing almost every server we have. So, there are 2 ways to clone a physical machine:

– cold cloning – you boot the machine into a VMware converter ISO, operating system is off, no activity on the hard drive, and you get to clone everything just the way it was just before you shut down the machine. Configured IP address on the VMware converter that boots up has to have access to the VCenter or ESX machine in order for things to work.

– hot cloning – the physical machine is booted into the operating system it currently has. You start VMware converter on another machine. This machine has to have access to both physical machine that you want to virtualize and the VCenter / ESX machines, and they have to be visible to each other too. Bad part about this method is that the machine is not turned off, i mean, the operating system is not turned off, then hard drive might change during cloning, and data loss occurs.

Unfortunately, cold cloning is not working for me at all. It gives all kinds of errors. Yesterday i tried cold cloning again…made some changes and tried again..and so on, till i finally decided to close all services on the server and then do a hot cloning. I looked the error on VMware KB and they said it’s something related to network problems – something like the NICs are not configured with automatic negociation, ..or something like that. I made sure every NIC from ESX or the physical machine i wanted to virtualize were both auto-negociating speed and duplex and tried again. But i had the same problem. After closing every service on the machine, so no hard drive changes during cloning, and my computer at work coordinating the conversion from the VMware converter standalone, everything work great. Started everything at around 10pm. At 6:30 am i had almost 400GB of virtual machines (2 of them) converted from physical to virtual. All i had to do was changing IP addresses for the new VMware adapter on the host, and installing VMware tools. That was all. BTW, physical machines were Windows 2000.

Anyway, after a good night sleep, when i woke up in the morning at 7am, both machines were converted. No errors, too.