Archive for the ‘ Linux ’ Category

Quick postfix queue depth script

Or counting the files in any set of folders (the loop below counts regular files under each queue directory; change the path to count anything else):

cd /var/spool/postfix && for i in */; do i=${i%/}; c=$(find "$i" -type f | wc -l); echo "$c $i"; done

FreeIPA Server/Client setup on CentOS 6.5

So I’ve been dorking around with 389-ds a LOT at work lately and it’s a bitch to set up, especially when it comes to the certs.  As a hackathon project I decided to set up FreeIPA, which is the free version of Red Hat Identity Manager, as a more comprehensive and easy-to-manage solution.  I have this set up at home as well in my personal lab.  Some prerequisites first: make sure you have DNS and REVERSE LOOKUPS for all servers and clients (Kerberos depends on the forward and reverse records agreeing), and if you’re running iptables or a firewall on your hosts then make sure you have the following ports open, TCP/UDP: 888/444 for kerberos and 389/636 for ldap.

Here are the specifics for our setup:

  • Domain: example.com
  • Realm: EXAMPLE.COM
  • Server1: freeipa01.example.com
  • Server2 (replica): freeipa02.example.com
  • Client: client01.example.com
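Since Kerberos breaks when the forward and reverse records for these hosts disagree, here is a small pre-flight check, added as an example (not code from the post or from the FreeIPA project), that verifies each host is an FQDN inside the domain and that the PTR for its address maps back to the same name. The domain and host list are the post's; the resolve/reverse parameters are an assumption that only exists so the check can be run against canned answers.

```python
import socket

# Domain and hosts from the post's setup list
DOMAIN = "example.com"
HOSTS = ["freeipa01.example.com", "freeipa02.example.com", "client01.example.com"]


def dns_round_trip(name, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Check that NAME resolves and that the PTR for that address maps back to NAME.

    resolve/reverse default to the system resolver; they are parameters only so
    the check can be exercised against canned answers.  Returns (ok, detail).
    """
    try:
        ip = resolve(name)
    except socket.gaierror as exc:
        return False, f"{name}: no forward record ({exc})"
    try:
        ptr_name, aliases, _ = reverse(ip)
    except socket.herror as exc:
        return False, f"{name} -> {ip}: no PTR record ({exc})"
    # Kerberos canonicalises the host name through the PTR, so it must match.
    if name in {ptr_name, *aliases}:
        return True, f"{name} -> {ip} -> {ptr_name}"
    return False, f"{name} -> {ip} -> {ptr_name}: PTR does not map back to {name}"


def check_hosts(domain, hosts, **resolvers):
    """Return {host: (ok, detail)}; names outside DOMAIN fail before any lookup."""
    results = {}
    for host in hosts:
        if not host.endswith("." + domain):
            results[host] = (False, f"{host} is not inside {domain}; use the FQDN")
            continue
        results[host] = dns_round_trip(host, **resolvers)
    return results


if __name__ == "__main__":
    for host, (ok, detail) in check_hosts(DOMAIN, HOSTS).items():
        print("OK  " if ok else "FAIL", detail)
```

A host that fails this round trip is the one whose kinit or ipa-client-install will fail later, so run it before ipa-server-install rather than after.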

FreeIPA Server Setup

This setup is stupid easy: you just yum install ipa-server, then set it up with ipa-server-install.  Note you can run ipa-server-install without any flags and it will ask you for the realm, domain, etc.  It will automatically set up your certificates, kerberos, etc… etc…

# yum -y install ipa-server
# ipa-server-install --domain=example.com --realm=EXAMPLE.COM

Next let’s see if IPA is working correctly by requesting a ticket for the admin user

#kinit admin

There shouldn’t be any output, let’s validate that the ticket was issued

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 16:09:06  02/13/14 16:09:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/12/14 16:49:46  02/13/14 16:09:03  host/client01.example.com@example.com

Replication Setup

On the master(Server1):

#ipa-replica-prepare freeipa02.example.com

Copy the gpg file that was just created at /var/lib/ipa to Server2(the replica) and run the following command on Server2:

#ipa-replica-install /var/lib/ipa/replica-info-ipareplica.freeipa02.example.com.gpg

Client Setup

I’ll note that I find it rather important to specify the --mkhomedir flag. If you don’t then setting it up later can be a bitch.

#ipa-client-install --domain=example.com --server=freeipa01.example.com --realm=EXAMPLE.COM -p admin  --password=<password> --mkhomedir --hostname=client01.example.com

Enable WebUI access from anywhere

By default the WebUI is only accessible from authenticated IPA clients. This means that non-IPA clients can not access the WebUI to manage FreeIPA. While the extra security is nice, in a dev or lab setting it might be overkill. Here’s the workaround I found so you can access the WebUI from any computer. What the workaround actually does is let Apache accept a username and password from the browser (checked against the KDC) instead of requiring a Kerberos ticket from an enrolled client, so anyone who can reach the server over HTTPS can attempt a password login; keep that in mind outside a lab. Note that you have to do this on all FreeIPA servers.

On the server(s) open the ipa.conf file used by the Apache web service.

#vim /etc/httpd/conf.d/ipa.conf

In the <Location "/ipa"> location definition, change the KrbMethodK5Passwd attribute from off to on.

KrbMethodK5Passwd on

Restart the httpd service:

# service httpd restart

One small issue I found is the default admin user doesn’t seem to work if you try to access from a non-ipa client. I had to create another user(webadmin) give it admin privileges and log in to a machine as that user before I could access the WebUI from non-ipa clients.

Sources:
http://blogatharva.blogspot.com/2013/05/free-yourself-with-freeipa.html
http://sgros.blogspot.com/2012/06/installing-freeipa-on-minimal-centos.html
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/using-the-ui.html#Enabling_UsernamePassword_Authentication_in_Your_Browser

Yum and kernels: removing old ones and limiting how many kernels yum keeps around

Check installed kernels:
# rpm -q kernel
kernel-2.6.32-279.el6.x86_64
kernel-2.6.32-279.2.1.el6.x86_64
kernel-2.6.32-279.5.2.el6.x86_64
kernel-2.6.32-279.9.1.el6.x86_64

Remove old kernels, keeping the two newest:
# package-cleanup --oldkernels --count=2

Make it permanent:
# vi /etc/yum.conf
installonly_limit=2

Working with volume groups that have the same name (cloned disk, recoveries, etc)

First, we attach the vmdk to the vm and then scan the bus to see it in linux:
# echo "- - -" > /sys/class/scsi_host/host0/scan

In this scenario, /dev/sda2 and /dev/sdb2 have the same volume group name of VolGroup00, let’s rename /dev/sdb2 to VolGroup01:
# vgimportclone --basevgname VolGroup01 /dev/sdb2

Next let’s find the new volume group and activate it:
# vgscan
# vgchange -a y

Now let’s mount the LV we want from the new volume group:
# mount /dev/VolGroup01/LogVol02 /mnt/restore/

Once we’re done, we want to unmount the LV and remove the reference to the VG:
# umount /mnt/restore
# vgchange -an VolGroup01 (make VG unavailable)
# sync

Remove the drive, wait a few minutes and let’s do a rescan:
# vgscan

Finding biggest directories in linux

find . -type d -print0 | xargs -0 du -s | sort -n | tail -10 | cut -f2 | xargs -I{} du -sh {}

How to SSH tunnel a VNC connection and launch a Gnome desktop

For remote graphical access to a linux server I generally prefer to use NX aka nomachine, however I’ve been doing admin work on some shared servers that I don’t want to install NX on for a few different reasons.  All of the other admins here use VNC with SSH tunneling to access these boxen so I figured I would toe the party line and use VNC as well.  Here’s a quick guide as to what I did in order to get VNC with SSH tunneling working, complete with accessing a gnome desktop.

I am using Putty for SSH on Windows, and a TightVNC client to access a CentOS 6.x box that is running a Gnome desktop.

Putty Setup

In the putty session for the host you are connecting to, go to SSH –> Tunnels and set the port that you are going to forward.  VNC ports start @ 5900 by default and vary depending on the session number you choose.  In my example we’re going to use session number 66, so we’re going to forward port 5966 to localhost:5966 and click add, then save the configuration.

[screenshot: vnc5966]

VNC Server Configuration

In this section we’re going to configure the VNC server, define ~/.vnc/xstartup to launch Gnome when your VNC session is started and actually launch a VNC session to connect to.

SSH to the vncserver using the session with the tunnel defined from the last step.  Once you’re there create ~/.vnc/xstartup if it is not already defined and replace the contents with the following:

#!/bin/sh
# ~/.vnc/xstartup: run by vncserver each time a new display is started
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &
# launch a Gnome session plus any extra apps you want on every new session
/usr/bin/gnome-session & gnome-terminal &

Mainly what we’re looking for here is the last line, which tells X to launch a gnome session when a new VNC session is created.  In this example I also have it launching gnome-terminal, so you can see how you could launch multiple apps every time a session is initiated.  You could add whatever apps you want to this, such as firefox or eclipse.  When you’re done editing the file, make sure it is executable by doing a chmod +x.

Finally, we’re going to launch a vnc session  and then connect to it with tightvnc.  If this is your first time launching a VNC session then it will ask you to define a password to secure your current and future sessions.  Here, :66 defines the session number.

$vncserver :66

It is important that your session number match the port that is forwarded… vncserver :10 would launch a session on port 5910, vncserver :22 would launch a session on port 5922.  Whatever session number/corresponding port is launched has to be defined as a tunnel in putty.

Now that the session is launched, we just open TightVNC(or your favorite VNC client) and connect it to localhost:66 (session number), enter the VNC password that you defined and voila!

[screenshot: tvnc]

That’s it!  we now have our connection to our Linux server with Gnome launched!

[screenshot: vncdone]

-bb

Working With LVM In Linux

Creating a new volume group, adding a disk to it and making it usable

Scan HBA for new LUN’s:
#echo '- - -' > /sys/class/scsi_host/hostX/scan

#fdisk /dev/sda5 (or /dev/mapper/mpathx if multipathing) … create new partition, type lvm (8e), write changes to disk
#partprobe
#pvscan
#pvdisplay
#kpartx -a /dev/mapper/mpathX if it’s a multipathed device using dm-multipath, otherwise skip this step
#pvcreate /dev/sda5 or /dev/mapper/mpathXpX  (initializes partition for LVM)
#vgcreate vg02 /dev/sda5 or /dev/mapper/mpathXpX (or vgextend vg02 /dev/sda5 or /dev/mapper/mpathXpX to add to a volume group)
#lvcreate -L 500G -n lvora_backup vg02  (or lvextend to add)
#mkfs -V -t ext3 /dev/mapper/vg02-lvora_backup  (or resize2fs to extend the fs)
#mount /dev/mapper/vg02-lvora_backup /ora_backup

edit /etc/fstab:

/dev/vg02/lvora_backup  /ora_backup             ext3    defaults        1 2

Extending a logical volume if the vg has available space

lvextend -L +512M /dev/rootvg/lvtmp
resize2fs /dev/rootvg/lvtmp (If it’s ext3, if not then use your specific filesystem tools)

If it’s GFS2, find what it’s mounted as using cat /proc/mounts; we’ll look for /home3 in this example:

[root@linuxserver ~]# cat /proc/mounts |grep /home3
/dev/dm-54 /home3 gfs2 rw,noatime,nodiratime,hostdata=jid=0,localflocks,data=writeback 0 0

Next we’ll do a test run to make sure we don’t bugger anything up:

[root@linuxserver ~]# gfs2_grow -T /home3
(Test mode–File system will not be changed)
FS: Mount Point: /home3
FS: Device:      /dev/dm-54
FS: Size:        31457278 (0x1dffffe)
FS: RG size:     65535 (0xffff)
DEV: Size:       51132416 (0x30c3800)
The file system grew by 76856MB.
gfs2_grow complete.

Looks good, let’s run it without the -T flag:

[root@linuxserver ~]# gfs2_grow /home3
FS: Mount Point: /home3
FS: Device:      /dev/dm-54
FS: Size:        31457278 (0x1dffffe)
FS: RG size:     65535 (0xffff)
DEV: Size:       51132416 (0x30c3800)
The file system grew by 76856MB.
gfs2_grow complete.

How to find the scsi id of any device on linux

#scsi_id -g -u -s /block/sdx

If it’s a vm
#cat /proc/scsi/scsi

if it’s a /dev/cciss device(HP SAS) then use

#cciss_id /dev/cciss/cXdX

-bb

Installing The Latest Deluge in Ubuntu 9.10 (Karmic Koala)

Torrent clients on Linux just don’t seem to stack up to uTorrent.  I’ve tried all of them and deluge seems to be the most configurable and feature rich that I’ve found.  Yes I’ve tried transmission, ktorrent, rtorrent and several others I don’t care to recall.  My primary computer at home is a Linux Mint Helena 64-bit, which is basically just Karmic all gussied up.  Here’s how I installed the latest and greatest version of deluge (1.2.3).  Some of the trackers I use have banned the use of deluge releases prior to 1.2.1.  Deluge 1.1.9 is what is in Karmic’s repos by default so this was a problem.  I gleaned these instructions from https://launchpad.net/~deluge-team/+archive/ppa.  Commands are shown on their own lines.

Pretty simple really, just open a terminal and type in:

$sudo add-apt-repository ppa:deluge-team/ppa

adds the deluge ppa to your systems software sources

$sudo apt-get update

checks the repo’s for the latest versions of the software

$sudo apt-get install deluge

installs the latest deluge on to your computer (1.2.3 as of this post).

That’s it!  Happy Sharing!

-bb