Wednesday, November 5, 2014

How to install Perl modules on AIX Server?

Download the Perl module from http://search.cpan.org

Run the following commands to install the module

gunzip -d package-module.tar.gz
tar xvf package-module.tar
cd package-module
perl Makefile.PL

If Perl is installed in a different location, e.g. /home/user/perl, use that perl binary instead

/home/user/perl/bin/perl Makefile.PL
make
make test
make install

Check the installed Perl module version

/home/user/perl/bin/perl -Mpackage::name -le 'print $package::name::VERSION'

For example, for the Email-Simple module


/home/user/perl/bin/perl -MEmail::Simple -le 'print $Email::Simple::VERSION'

How to install IBM Java 7?

If you want to run Java programs, then you should install the JRE
If you want to develop Java programs, then you should install the Java SDK (previously called the JDK). The SDK also contains the JRE

So, if someone asks you to install Java, install the Java SDK

How to install Java 7 on AIX 7?

First check which version of Java is compatible with the AIX OS version

Refer : http://www.ibm.com/developerworks/java/jdk/aix/service.html


oslevel            ### check AIX OS version

bootinfo -K     ### AIX OS architecture 32bit or 64bit

Let's say it's 64bit, so we want to install the 64bit Java version

You must be registered with IBM, with a login name and password, to download the Java SDK software

Once downloaded, perform the following steps to install:

Download Java and save it in the /tmp/ directory

mkdir /tmp/java7_64

cp /tmp/Java7r1_64.sdk.tar.gz /tmp/java7_64

cd /tmp/java7_64

gunzip -d Java7r1_64.sdk.tar.gz

tar xvf Java7r1_64.sdk.tar

inutoc .

smitty installp

Select "Install Software"

INPUT device / directory for software [./]                ### Directory where java installer available
SOFTWARE to install [_all_latest]
PREVIEW only? (install operation will NOT occur) no
COMMIT software updates? yes
SAVE replaced files? no
AUTOMATICALLY install requisite software? yes
EXTEND file systems if space needed? yes
OVERWRITE same or newer versions? no
VERIFY install and check file sizes? no
Include corresponding LANGUAGE filesets? yes
DETAILED output? no
Process multiple volumes? yes
ACCEPT new license agreements? yes           ### Use Tab to change No to Yes

Press enter to install

That's it!!

Tuesday, October 28, 2014

CentOS / RHEL 6 - Setup SELinux to work with Apache

By default SELinux is enabled, and it labels every file and port on the OS according to the service that uses it.

SELinux works with the following parameters:

1) Context
2) Boolean

1) Context is, in effect, a label. Commands: chcon and semanage
2) Boolean: SELinux has per-service properties, such as whether to allow read or write access to a directory, or whether to enable http with ftp. Commands: semanage, getsebool, setsebool

In our case we are going to set up SELinux to work with Apache

Context

Port Settings

Under SELinux, a service can bind only to the ports assigned to its port type, for example:

semanage port -l|grep -i mysql

mysqld_port_t                  tcp      1186, 3306, 63132-63164

semanage port -l|grep -i http_port_t

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

So the ports in the above output are allowed by default for the mysql and apache services

Let's take an example and change the following line in /etc/httpd/conf/httpd.conf

Listen *:2222

Save and restart the httpd service

The httpd restart will show the following:

service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
(13)Permission denied: make_sock: could not bind to address [::]:2222
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:2222
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

It shows Permission denied: make_sock, which means SELinux is not allowing httpd to create a socket on port 2222

As we want to run Apache / httpd on port 2222, execute the following command to allow port 2222 for the httpd service

semanage port -a -t http_port_t -p tcp 2222

semanage port -l|grep -i http_port_t

http_port_t                    tcp      2222, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Now port 2222 has been assigned to http_port_t, i.e. the http/apache service

Start the http/apache service; you should not get any error this time

service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.56.103 for ServerName
                                                           [  OK  ]

netstat -antp|grep http
tcp        0      0 :::2222                     :::*                        LISTEN      1403/httpd

File/Folder Labeling

SELinux keeps a label on every file, according to the service it belongs to

ls -ldZ /var/www/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/

ls -ldZ /var/www/html/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

ls -ldZ /etc/httpd/

drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/

ls -ldZ /etc/httpd/conf

drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf

ls -lZ /usr/sbin/httpd

-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

Here (a type starting with httpd belongs to the httpd service domain only):

httpd_config_t                          # http configuration
httpd_sys_content_t                 # http system content
httpd_exec_t                            # http executable

So every file accessed by the httpd/apache service should have the proper label.

Let's try to run httpd with a different DocumentRoot whose files and folders are improperly labeled

mkdir /data/www -p

ls -ldZ /data/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/

ls -ldZ /data/www/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/www/


cat > /data/www/index.html
this is test

ctrl+D

ls -lZ /data/www/index.html

-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/www/index.html


Restart the httpd service and access http://server-IP:2222 through your web browser

You should get the following error in the web browser:

Forbidden

You don't have permission to access / on this server.


and the following in the apache/httpd error log:

[Tue Oct 28 21:17:07 2014] [error] [client 192.168.56.1] (13)Permission denied: access to /index.html denied


How to recover from the above error:

Change the label of the DocumentRoot, i.e. /data/www, and its files

As this is going to be an http content directory, we should change the label to httpd_sys_content_t

chcon -t httpd_sys_content_t /data -R

For permanent changes (chcon labels are lost on a relabel), add a file-context rule and apply it

semanage fcontext -a -t httpd_sys_content_t "/data(/.*)?"
restorecon -Rv /data

Now you should be able to access server pages without any error

Command to see running process context

ps auxZ         # will provide process context too
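
The port and label checks above can be scripted. The following is an added example, not part of the original post: it reads semanage port -l, httpd.conf and ls -Z text and reports Listen ports not yet assigned to http_port_t and paths whose type is not the expected one. The function names and the sample text (built from the output shown above) are assumptions of this example.

```sh
# Added example; sample text is constructed from the output shown in the post.

sample_ports() {            # as printed by: semanage port -l
cat <<'EOF'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
EOF
}

sample_labels() {           # as printed by: ls -ldZ <path>
cat <<'EOF'
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/www/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/www/index.html
EOF
}

# port_type_allows TYPE PORT: stdin is `semanage port -l` text; succeeds when
# tcp PORT is assigned to TYPE, either as a single port or inside a range.
port_type_allows() {
    awk -v t="$1" -v port="$2" '
        $1 == t && $2 == "tcp" {
            list = $0
            sub(/^[^ \t]+[ \t]+tcp[ \t]+/, "", list)   # keep only the port list
            n = split(list, item, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (split(item[i], r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (item[i] + 0 == port + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# listen_ports: stdin is httpd.conf text; prints the port of each Listen line.
listen_ports() {
    awk 'tolower($1) == "listen" { p = $2; sub(/^.*:/, "", p); print p }'
}

# missing_http_ports CONF PORTLIST: prints the semanage command for every
# Listen port in file CONF that file PORTLIST does not assign to http_port_t.
missing_http_ports() {
    for p in $(listen_ports < "$1"); do
        port_type_allows http_port_t "$p" < "$2" ||
            echo "semanage port -a -t http_port_t -p tcp $p"
    done
}

# mislabeled TYPE: stdin is `ls -Z` text; prints paths whose type is not TYPE.
mislabeled() {
    awk -v want="$1" 'split($4, c, ":") >= 3 && c[3] != want { print $5 }'
}

sample_labels | mislabeled httpd_sys_content_t
```

On a live system, feed the functions the real output, for example: semanage port -l > ports.txt, then missing_http_ports /etc/httpd/conf/httpd.conf ports.txt.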

Boolean

Commands to get or set Boolean variables

getsebool
setsebool

Some of the http/apache boolean variables

getsebool -a|grep http

httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

To stop apache/httpd from serving CGI files

setsebool httpd_enable_cgi off

Allow users' home directories to be used for serving data/pages by apache/httpd

setsebool httpd_enable_homedirs on

Allow Apache/httpd to serve pages from CIFS/NFS directories

setsebool httpd_use_cifs on
setsebool httpd_use_nfs on


Other commands to use

Disable SELinux

setenforce 0          # switches to permissive mode until the next reboot

Modify the /etc/sysconfig/selinux file and set
SELINUX=disabled

Reboot the machine

Command to restore context

restorecon -Rv /data

Create /.autorelabel to make the OS relabel the complete system at next boot

Wednesday, October 1, 2014

How to Install and Configure NTP Server and Client in RHEL/CentOS6?

NTP Server

1) Install NTP package using yum

yum -y install ntp

2) Setup Restrict Values

vim /etc/ntp.conf               # Add below given lines

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

  • noquery prevents dumping status data from ntpd.
  • notrap prevents the control message trap service.
  • nomodify prevents all ntpq queries that attempt to modify the server.
  • nopeer prevents all packets that attempt to establish a peer association.
  • kod – a Kiss-o'-Death packet is sent to reduce unwanted queries.
The value -6 in the second line forces DNS resolution to IPv6 addresses. For more information on the access parameters, refer to the documentation in "man ntp_acc".

3) Allow network / IP range for synchronizing time from this server

restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1

4) Add local clock as backup

In case the NTP server is disconnected from the internet, it will provide time from its local system clock

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

5) Specify log files

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

6) Finally start NTP server

service ntpd start
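
An added example (not from the original post) that audits the default restrict lines from step 2: it reports which of the flags listed above are missing from the IPv4 and IPv6 default entries. It assumes, as in the two-line form above, that IPv4 and IPv6 defaults are set by separate lines; the function names and sample configurations are constructed for the example.

```sh
# Added example; both sample configurations below are constructed.

sample_ntp_conf() {        # the restrict lines from steps 2 and 3
cat <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
EOF
}

sample_weak_conf() {       # weak variant: two flags dropped, no IPv6 default
cat <<'EOF'
restrict default kod nomodify notrap
restrict 127.0.0.1
EOF
}

# audit_restrict: stdin is ntp.conf text; prints one line per flag missing from
# a "restrict default" entry, and one line per address family with no entry.
audit_restrict() {
    awk '
        BEGIN { n = split("kod nomodify notrap nopeer noquery", want, " ") }
        $1 == "restrict" {
            fam = "ipv4"; i = 2
            if ($2 == "-6") { fam = "ipv6"; i = 3 } else if ($2 == "-4") i = 3
            if ($i != "default") next            # per-network lines are skipped
            seen[fam] = 1
            split("", have)                      # reset flags for this line
            for (j = i + 1; j <= NF && $j !~ /^#/; j++) have[$j] = 1
            for (k = 1; k <= n; k++)
                if (!(want[k] in have)) print fam " default: missing " want[k]
        }
        END {
            if (!("ipv4" in seen)) print "ipv4 default: no restrict line"
            if (!("ipv6" in seen)) print "ipv6 default: no restrict line"
        }'
}

echo "post configuration:"; sample_ntp_conf | audit_restrict
echo "weak configuration:"; sample_weak_conf | audit_restrict
```

Run it against a live server with: audit_restrict < /etc/ntp.conf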

NTP Client

1) Modify the /etc/ntp.conf configuration file

Sample entries for internet servers:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

iburst: After every poll, a burst of eight packets is sent instead of one. When the server is not responding, packets are sent at 16s intervals. When the server responds, packets are sent every 2s.

Edit your ntp.conf to add the appropriate entry for your own NTP server.

server 10.0.0.1 prefer

prefer: If this option is specified, that server is preferred over the other servers.

2) Start NTP service

service ntpd start

3) Finally check NTP status

ntpq -p

4) Set date and time synchronized with desired server

ntpdate -u SERVER-NAME

5) Get the current status of  ntpd:

ntpdc -c sysinfo

system peer:          web10.hnshosting.com
system peer mode:     client
leap indicator:       00
stratum:              3
precision:            -24
root distance:        0.20857 s
root dispersion:      0.27481 s
reference ID:         [120.88.46.10]
reference time:       d7d65c1f.14c6b054  Wed, Oct  1 2014 16:25:27.081
system flags:         auth monitor ntp kernel stats
jitter:               0.014099 s
stability:            0.000 ppm
broadcastdelay:       0.000000 s
authdelay:            0.000000 s

Sunday, September 28, 2014

RHEL / CentOS 6 - How to setup iscsi target and initiator ?

How to setup ISCSI Target?

Server Side

1) Install scsi-target-utils using yum

yum -y install scsi-target-utils

2) Edit iSCSI target configuration

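vim /etc/tgt/targets.conf

<target iqn.2014-09.net.node1:server.target01>
    backing-store /dev/sdX                        ##Placeholder: replace with the device to export
    initiator-address 192.168.56.102              ##Initiator IP/Name
    incominguser myuser redhat                    ##Username = myuser and password = redhat
</target>

"iqn.2014-09.net.node1:server.target01" ##Can be anything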

There are 2 types of storage devices:

backing-store - defines a virtual device on the target.

direct-store  - defines a direct mapped device with the same properties as the physical device (such as VENDOR_ID, SERIAL_NUM, etc.)

3) Start the iSCSI target and enable it on boot

service tgtd start

Start on boot

chkconfig tgtd on

4) Open port 3260 on the firewall

5) Check iSCSI target configuration

tgtadm --mode target --op show

6) Check if everything works as expected

tgt-admin -s


How to setup iSCSI initiator?

Client Side

1) Install iscsi-initiator-utils using yum

yum -y install iscsi-initiator-utils

2) Edit initiator configuration file

vim /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2014-09.net.node1:san.initiator01
InitiatorAlias=node2

3) Edit the iscsi client configuration /etc/iscsi/iscsid.conf (the CHAP username and password must match the incominguser set on the target)

node.session.auth.authmethod = CHAP
node.session.auth.username = myuser
node.session.auth.password = redhat

4) Start iscsi client service

service iscsid start

5) Start iscsi client on boot

chkconfig iscsid on

6) Discovering targets in our iSCSI server

iscsiadm -m discovery -t st --portal Target-server-IP

7) Log in to the iSCSI target

iscsiadm -m node --targetname iqn.2014-09.net.node1:server.target01 --portal Target-Server-IP --login

8) Checking session status with the target

iscsiadm --mode session --op show

That's it!!

Please do not forget to update with your feedback :-)

Friday, September 26, 2014

Encrypting Disks With LUKS (RHEL 6 / CentOS 6)

LUKS is used to encrypt disks to secure data. Partitions will not be accessible without decrypting the device with a defined passphrase

How to set up encrypted disks with LUKS?

1) Install the LUKS utilities

yum -y install crypt*

2) Load dm_crypt module

modprobe dm_crypt

3) Register dm_crypt with the system so that it is loaded after reboot

cat > /etc/sysconfig/modules/dm_crypt.modules
#!/bin/bash
modprobe dm_crypt

Save and exit with CTRL+D

chmod 755 /etc/sysconfig/modules/dm_crypt.modules

NOTE: the dm_crypt.modules script is created to load the module


4) Let's say /dev/sdb is the disk to encrypt. First set up and format /dev/sdb with the following command:

cryptsetup luksFormat /dev/sdb

This will ask for a passphrase, which will be used to decrypt/open this disk before it can be used

At this point /dev/sdb is not yet available to mount. To mount or use the /dev/sdb disk, follow the steps given below

5) Open the LUKS disk/device by assigning it a mapping name; this will create a mapping file in /dev/mapper

cryptsetup luksOpen /dev/sdb myluksdev_map

This will ask for the passphrase to decrypt the disk. Enter the passphrase set in step number 4

NOTE: the name myluksdev_map can be anything you like

6) As the above command has opened/decrypted the disk, we can now format it with ext4

mkfs.ext4 /dev/mapper/myluksdev_map

7) Create a folder and mount the decrypted device

mkdir /mnt/my_secret_dir

mount /dev/mapper/myluksdev_map /mnt/my_secret_dir

[Above, /dev/mapper/myluksdev_map is the name given at the time of opening/decrypting the /dev/sdb device]

8) To close the encrypted device, follow the given steps

umount /mnt/my_secret_dir
cryptsetup luksClose myluksdev_map

9) To make the mount persistent across reboots we add a mount entry in /etc/fstab, but an encrypted file system can be mounted only after the disk/device is decrypted. So follow the given steps to mount the disk at boot time

    a) Create a file /etc/crypttab
    b) Update it with content in this format

        MAPname         Device/path

        In our case MAPname = myluksdev_map , Device Path = /dev/sdb

    c) Content should be

         cat /etc/crypttab
         myluksdev_map      /dev/sdb

    d) Now update the /etc/fstab file with the content below

       /dev/mapper/myluksdev_map                /mnt/my_secret_dir          ext4      defaults        0 0


Now reboot your server; it will ask for the PASSPHRASE while mounting device /dev/mapper/myluksdev_map

To unlock the device automatically, without being asked for the password, use the steps given below:

    a) Create a file, let's say /root/cpasswd, which will store the password
       
         echo -n "password" > /root/cpasswd
         chmod 600 /root/cpasswd

    b) Now update /etc/crypttab like this

       MAPNAME         /DEVICE/PATH      /PASSWORD/FILE

       So, in our case this should be

       myluksdev_map     /dev/sdb           /root/cpasswd

Now try rebooting your server; it should not ask for the password.
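
An added example (not from the original post) that checks the key files named in a crypttab-format file, reporting any that are missing or accessible by group or other, which is what the chmod 600 above guards against. Function names, paths and sample entries are constructed for the example.

```sh
# Added example; the crypttab entries and key files below are constructed.

# make_sample DIR: write a sample crypttab and key files into DIR.
make_sample() {
    printf 'password' > "$1/cpasswd";     chmod 600 "$1/cpasswd"
    printf 'password' > "$1/cpasswd_bad"; chmod 644 "$1/cpasswd_bad"
    cat > "$1/crypttab" <<EOF
# MAPname        Device/path   Password file
myluksdev_map    /dev/sdb      $1/cpasswd
backup_map       /dev/sdc      $1/cpasswd_bad
prompt_map       /dev/sdd      none
stale_map        /dev/sde      $1/cpasswd_gone
EOF
}

# audit_crypttab FILE: one status line per mapping in crypttab-format FILE.
audit_crypttab() {
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac      # blank or comment line
        case "$key" in
            ''|none|-) echo "$name: passphrase asked at boot"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: key file $key is missing"
        # Characters 5-10 of the ls mode string are the group/other bits.
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "$name: key file $key is accessible by group/other"
        else
            echo "$name: key file $key is restricted to its owner"
        fi
    done < "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_crypttab "$demo_dir/crypttab"
rm -rf "$demo_dir"
```

On a real system run: audit_crypttab /etc/crypttab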

That's it!!!

Please comment with your feedback :-)

Friday, September 19, 2014

Troubleshooting Kdump error "Memory for crashkernel is not reserved"

If you get the following error while starting the kdump service

Memory for crashkernel is not reserved
Please reserve memory by passing "crashkernel=X@Y" parameter to the kernel

If your server has more than 4GB of RAM then crashkernel=auto (in /etc/grub.conf, on the line starting with kernel) will automatically reserve memory; otherwise you need to specify it in the following format:


crashkernel=0M-2G:128M,2G-6G:256M




If physical memory is 0MB to 2GB then 128MB of memory will be reserved
If physical memory is 2GB to 6GB then 256MB of memory will be reserved

Now REBOOT the server for the kdump changes to take effect (the first time after kdump is installed, a new INITRD will be generated)
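
An added example (not from the original post) that resolves how much memory a range-style crashkernel value reserves for a given amount of RAM. It assumes sizes carry a K, M or G suffix and treats the end of each range as exclusive; the function name is hypothetical.

```sh
# Added example. crashkernel_reserve SPEC RAM_MB prints the size reserved for a
# machine with RAM_MB megabytes of memory, or "none" when no range matches.
crashkernel_reserve() {
    awk -v spec="$1" -v ram="$2" '
        function mb(s,    unit, val) {     # "128M", "2G", "512K" -> megabytes
            unit = substr(s, length(s)); val = s + 0
            if (unit == "G") return val * 1024
            if (unit == "K") return val / 1024
            return val
        }
        BEGIN {
            sub(/@.*/, "", spec)           # drop an optional @offset
            n = split(spec, entry, ",")
            for (i = 1; i <= n; i++) {
                split(entry[i], rs, ":")   # rs[1] = range, rs[2] = size
                split(rs[1], r, "-")       # r[1] = start, r[2] = end or ""
                if (ram + 0 >= mb(r[1]) && (r[2] == "" || ram + 0 < mb(r[2]))) {
                    print rs[2]; exit
                }
            }
            print "none"
        }'
}

# The value from the post, for 1 GB, 4 GB and 8 GB of RAM.
for ram_mb in 1024 4096 8192; do
    echo "$ram_mb MB -> $(crashkernel_reserve '0M-2G:128M,2G-6G:256M' "$ram_mb")"
done
```

With the value from the post, a machine with 6 GB or more matches no range, so this prints "none" for 8192 MB.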

That's it!!!

How To setup Kdump on Linux (Redhat/CentOS 6)?

1) Install kdump package using YUM

yum -y install kexec-tools

2) Once installed, check that the /etc/init.d/kdump file/service is available

ls -l /etc/init.d/kdump

3) Enable kdump at boot

chkconfig kdump on

4) Reboot server for kdump to take effect (new initrd will be generated)

5) Once rebooted, the kdump status should be Operational

service kdump status

If it's not Operational, check the error with

service kdump restart/start

If the error is "Memory for crashkernel is not reserved", follow the given link

http://linuxtroubleshoot.blogspot.in/2014/09/troubleshooting-kdump-error-memory-for.html

Wednesday, March 19, 2014

How to set QLogic HBA Adapter Speed?

Here we discuss the steps to follow to set the speed of a QLogic HBA adapter

Reboot the server and enter the QLogic HBA BIOS by pressing Ctrl + Q when the prompt appears on the screen.

1) Ctrl + Q



2) HBA BIOS, select the HBA port and press enter



3) Select "Configuration Settings"



4) Select "Data Rate"




5) Finally Select Speed as per requirement



That's it!!