Archive for the ‘Uncategorized’ Category
Tuesday, January 18th, 2011
Xen allows you to hot add (and remove) disks on a guest domU while the system is running. To do this you’ll use the ‘xm block-*’ commands.
Hot Add
To hot add a disk we use the ‘xm block-attach’ command.
Usage: xm block-attach <Domain> <BackDev> <FrontDev> <Mode> [BackDomain]
Let me describe what each of these arguments means:
Domain: The name of the guest domU you wish to add a block device to.
BackDev: The location of the block device in the dom0
FrontDev: The device name to assign the new device in the domU
Mode: read-only or read-write (r or w)
For example, we have a physical (phy:) LVM device called /dev/vg0/vm_osol that we want to attach to a virtual machine named ‘comlag’ as /dev/xvda3.
xm block-attach comlag phy:/dev/vg0/vm_osol /dev/xvda3 w
The device /dev/xvda3 will become available on comlag. Because we used mode “w” the device is presented as read/write, and we can now mount, format, enable swap or do anything else you would normally do with a block device.
Hot Remove
To hot remove we use the ‘xm block-detach’ command.
Usage: xm block-detach <Domain> <DevId> [-f|--force]
Domain: Name of the guest domU
DevId: Name of the device within the domU (same idea as FrontDev above)
Now let’s remove the device we just attached to comlag.
Note: Be sure that the device isn’t mounted, or you risk damaging the contents of the block device.
xm block-detach comlag /dev/xvda3
And that’s it. Just be sure to update your Xen config files to reflect any change you make by hot-add, or these changes will go away when the domain is re-created.
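Before asking for a block-detach it is worth checking, inside the guest, that the device is no longer in use (the risk the note above describes). This is an added example, not code from the post: it reads the guest's /proc/mounts and /proc/swaps (constructed sample text here; on a real domU read the two files) and only emits the xm command when the device is idle.

```python
# Constructed sample of a guest's /proc/mounts and /proc/swaps; on a real domU
# use open("/proc/mounts").read() and open("/proc/swaps").read() instead.
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/xvda3 /mnt/data ext4 rw,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/xvda2                              partition\t524284\t0\t-1
"""

def device_users(dev, mounts_text, swaps_text):
    """Return the reasons dev is busy: 'mounted on <path>' entries and/or 'swap'."""
    users = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device mountpoint fstype options dump pass
        if len(fields) >= 2 and fields[0] == dev:
            users.append("mounted on " + fields[1])
    for line in swaps_text.splitlines()[1:]:   # first line of /proc/swaps is a header
        fields = line.split()
        if fields and fields[0] == dev:
            users.append("swap")
    return users

def detach_command(domain, dev, mounts_text, swaps_text):
    """Build 'xm block-detach <Domain> <DevId>', or refuse while dev is still in use."""
    busy = device_users(dev, mounts_text, swaps_text)
    if busy:
        raise RuntimeError("%s still in use on %s: %s" % (dev, domain, ", ".join(busy)))
    return ["xm", "block-detach", domain, dev]

if __name__ == "__main__":
    for dev in ("/dev/xvda3", "/dev/xvda2", "/dev/xvda4"):
        try:
            print(" ".join(detach_command("comlag", dev, SAMPLE_MOUNTS, SAMPLE_SWAPS)))
        except RuntimeError as err:
            print("refusing:", err)
```

The detach itself still runs in the dom0; the check is only meaningful against the guest's own mount and swap tables.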
Tags: block, block-attach, block-detach, disk, hot-add, howto, linux, storage, sysadmin, unix, Xen, xm
Posted in Uncategorized | No Comments »
Monday, January 10th, 2011
Netmask          Netmask (binary)                     CIDR  Notes
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32   Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31   Unusable
255.255.255.252  11111111.11111111.11111111.11111100  /30   2 usable
255.255.255.248  11111111.11111111.11111111.11111000  /29   6 usable
255.255.255.240  11111111.11111111.11111111.11110000  /28   14 usable
255.255.255.224  11111111.11111111.11111111.11100000  /27   30 usable
255.255.255.192  11111111.11111111.11111111.11000000  /26   62 usable
255.255.255.128  11111111.11111111.11111111.10000000  /25   126 usable
255.255.255.0    11111111.11111111.11111111.00000000  /24   "Class C" 254 usable
255.255.254.0    11111111.11111111.11111110.00000000  /23   2 Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22   4 Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21   8 Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20   16 Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19   32 Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18   64 Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17   128 Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16   "Class B"
255.254.0.0      11111111.11111110.00000000.00000000  /15   2 Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14   4 Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13   8 Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12   16 Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11   32 Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10   64 Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9    128 Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8    "Class A"
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0    IP space
Class  Net Addr Range  NetMask          Net Addr Bits  Host Addr Bits  Total Number of hosts
----------------------------------------------------------
A      0-127           255.0.0.0        8              24              16777216 (i.e. 114.0.0.0)
B      128-191         255.255.0.0      16             16              65536 (i.e. 150.0.0.0)
C      192-254         255.255.255.0    24             8               256 (i.e. 199.0.0.0)
D      224-239         (multicast)
E      240-255         (reserved)
F      208-215         255.255.255.240  28             4               16
G      216/8           ARIN - North America
G      217/8           RIPE NCC - Europe
G      218-219/8       APNIC
H      220-221         255.255.255.248  29             3               8 (reserved)
K      222-223         255.255.255.254  31             1               2 (reserved)
(ref: RFC1375 & http://www.iana.org/assignments/ipv4-address-space )
( http://www.iana.org/numbers.htm )
----------------------------------------------------------
The current list of special use prefixes:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
all D/E space
(ref: RFC1918 http://www.rfc-editor.org/rfc/rfc1918.txt )
( or ftp://ftp.isi.edu/in-notes/rfc1918.txt )
(rfc search: http://www.rfc-editor.org/rfcsearch.html )
( http://www.ietf.org/ietf/1id-abstracts.txt )
( http://www.ietf.org/shadow.html )
Martians: (updates at: www.iana.org/assignments/ipv4-address-space )
no ip source-route
access-list 100 deny ip host 0.0.0.0 any
deny ip 0.0.0.0 0.255.255.255 any log ! antispoof
deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 ! antispoof
deny ip any 255.255.255.128 0.0.0.127 ! antispoof
deny ip host 0.0.0.0 any log ! antispoof
deny ip host [router intf] [router intf] ! antispoof
deny ip xxx.xxx.xxx.0 0.0.0.255 any log ! lan area
deny ip 0/8 0.255.255.255 any log ! IANA - Reserved
deny ip 1/8 0.255.255.255 any log ! IANA - Reserved
deny ip 2/8 0.255.255.255 any log ! IANA - Reserved
deny ip 5/8 0.255.255.255 any log ! IANA - Reserved
deny ip 7/8 0.255.255.255 any log ! IANA - Reserved
deny ip 10.0.0.0 0.255.255.255 any log ! IANA - Private Use
deny ip 23/8 0.255.255.255 any log ! IANA - Reserved
deny ip 27/8 0.255.255.255 any log ! IANA - Reserved
deny ip 31/8 0.255.255.255 any log ! IANA - Reserved
deny ip 36-37/8 0.255.255.255 any log ! IANA - Reserved
deny ip 39/8 0.255.255.255 any log ! IANA - Reserved
deny ip 41-42/8 0.255.255.255 any log ! IANA - Reserved
deny ip 50/8 0.255.255.255 any log ! IANA - Reserved
deny ip 58-60/8 0.255.255.255 any log ! IANA - Reserved
deny ip 69-79/8 0.255.255.255 any log ! IANA - Reserved
deny ip 82-95/8 0.255.255.255 any log ! IANA - Reserved
deny ip 96-126/8 0.255.255.255 any log ! IANA - Reserved
deny ip 127/8 0.255.255.255 any log ! IANA - Reserved
deny ip 169.254.0.0 0.0.255.255 any log ! link-local network
deny ip 172.16.0.0 0.15.255.255 any log ! reserved
deny ip 192.168.0.0 0.0.255.255 any log ! reserved
deny ip 192.0.2.0 0.0.0.255 any log ! test network
deny ip 197/8 0.255.255.255 any log ! IANA - Reserved
deny ip 220/8 0.255.255.255 any log ! IANA - Reserved
deny ip 222-223/8 0.255.255.255 any log ! IANA - Reserved
deny ip 224.0.0.0 31.255.255.255 any log ! multicast
deny ip 224.0.0.0 15.255.255.255 any log ! unless MBGP-learned routes
deny ip 224-239/8 0.255.255.255 any log ! IANA - Multicast
deny ip 240-255/8 0.255.255.255 any log ! IANA - Reserved
filtered source addresses
0/8 ! broadcast
10/8 ! RFC 1918 private
127/8 ! loopback
169.254.0/16 ! link local
172.16.0.0/12 ! RFC 1918 private
192.0.2.0/24 ! TEST-NET
192.168.0/16 ! RFC 1918 private
224.0.0.0/4 ! class D multicast
240.0.0.0/5 ! class E reserved
248.0.0.0/5 ! reserved
255.255.255.255/32 ! broadcast
ARIN administrated blocks: (http://www.arin.net/regserv/IPStats.html)
24.0.0.0/8 (portions of)
63.0.0.0/8
64.0.0.0/8
65.0.0.0/8
66.0.0.0/8
196.0.0.0/8
198.0.0.0/8
199.0.0.0/8
200.0.0.0/8
204.0.0.0/8
205.0.0.0/8
206.0.0.0/8
207.0.0.0/8
208.0.0.0/8
209.0.0.0/8
216.0.0.0/8
A coworker linked me to this most excellent subnet cheat sheet. Mirroring it here for future reference.
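The netmask, binary and usable-host columns of the sheet, the inverted (wildcard) masks that the Cisco deny lines use, and the special-use prefix list as a source-address check, in one added Python example (not part of the mirrored cheat sheet). Usable-host counts follow the sheet's convention (/32 is a single host, /31 is listed as unusable), "all D/E space" is taken as 224.0.0.0/3, and the addresses checked at the end are constructed samples.

```python
import ipaddress

def netmask(prefixlen):
    """Dotted-decimal mask for a /prefixlen, e.g. 28 -> 255.255.255.240."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefixlen).netmask)

def wildcard(prefixlen):
    """Inverted mask as written in ACL lines such as 'deny ip 172.16.0.0 0.15.255.255'."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefixlen).hostmask)

def binary_mask(prefixlen):
    """The 'Netmask (binary)' column: four dotted 8-bit groups."""
    bits = "1" * prefixlen + "0" * (32 - prefixlen)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def usable_hosts(prefixlen):
    """Host count per the sheet: /32 = 1 host, /31 = unusable, otherwise 2^n - 2."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 0
    return 2 ** (32 - prefixlen) - 2

# The special-use prefixes exactly as listed above; "all D/E space" is 224.0.0.0/3.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/3",
)]

def martian_prefix(addr):
    """Return the special-use prefix that contains addr, or None if none does."""
    ip = ipaddress.ip_address(addr)
    for net in SPECIAL_USE:
        if ip in net:
            return str(net)
    return None

if __name__ == "__main__":
    for n in (32, 30, 24, 12, 8):
        print("/%-2d %-15s %s wildcard %-15s %d usable"
              % (n, netmask(n), binary_mask(n), wildcard(n), usable_hosts(n)))
    # constructed sample source addresses as they might arrive at an edge router
    for src in ("10.1.2.3", "169.254.10.1", "150.0.0.1", "239.1.1.1"):
        print(src, "->", martian_prefix(src) or "not in the special-use list")
```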
Tags: cheat sheet, CIDR, IP, netmask, networking, subnet, sysadmin
Posted in Uncategorized | No Comments »
Wednesday, January 5th, 2011
If you notice that your Linux machine is holding on to old DNS entries and you are running the nscd service, there is a good chance that invalidating (flushing) the nscd hosts database will help. This is roughly the Linux equivalent of ipconfig /flushdns on Windows or dscacheutil -flushcache on OS X.
From the NSCD man page:
The daemon will try to watch for changes in configuration files appropriate
for each database (e.g. /etc/passwd for the passwd database or /etc/hosts and
/etc/resolv.conf for the hosts database), and flush the cache when these are
changed. However, this will happen only after a short delay (unless the
inotify(7) mechanism is available and glibc 2.9 or later is available), and
this auto-detection does not cover configuration files required by nonstandard
NSS modules, if any are specified in /etc/nsswitch.conf. In that case, you
need to run the following command after changing the configuration file of the
database so that nscd invalidates its cache:
$ nscd -i <database>
Tags: cache, clear, DNS, flush, hosts, linux, nscd, reset, sysadmin
Posted in Uncategorized | No Comments »
Tuesday, December 21st, 2010
In most variants of GNU/Linux the init daemon and its configuration file /etc/inittab are used to define things like runlevels and consoles. In an effort to improve boot time and system performance and to ease scripted configuration, Ubuntu has implemented upstart, an event-based replacement for the traditional init daemon. This is good for the most part, but in different versions of Ubuntu upstart is configured in different locations, which can be quite confusing.
Aside from the change in location, the items that traditionally would be represented by a line in /etc/inittab have been split up into individual files. Despite this difference, the syntax used within the individual files is very familiar.
With all that said, here’s where “inittab” lives on different versions of Ubuntu.
Karmic (9.10) and newer:
Jaunty (9.04), Feisty (7.04) & Edgy (6.10)
Dapper (6.06) and Earlier
Tags: event.d, howto, init, inittab, linux, sysadmin, telinit, ubuntu, unix, upstart
Posted in Uncategorized | No Comments »
Sunday, December 19th, 2010
After upgrading to Snow Leopard I noticed that when using Finder to browse certain directories, especially network file shares, the window would begin scrolling and jumping up and down erratically on its own. I was left scratching my head about this for a while until I finally realized that this only happened when connecting to file shares that were served from hosts that were case sensitive.
Turns out Finder freaks out when two files or directories contain the same text but have different case, for example “test_directory” and “Test_directory”. This is perfectly valid on systems that support case sensitive files but causes odd results in OSX.
The fix that I implemented was to simply identify files and directories whose case would collide in OSX and rename them accordingly. From a Linux system you could use a command like the following to detect and count duplicate files or directories.
ls | tr '[:upper:]' '[:lower:]' | sort | uniq -cd
This takes the output of ls, uses tr to fold everything to lower case (the character classes are quoted so the shell does not try to expand them as globs), sorts that output so that duplicates end up adjacent, and then uses uniq -cd to print each name that occurs more than once together with its count.
I haven’t been able to locate a switch in Finder to simply enable case sensitivity; if this exists I would love to hear about it.
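The same collision check as a recursive scan, added here as an example (not the post's own command): it walks a directory tree and reports, per directory, the entries that differ only in case, which is exactly the situation that confuses Finder on a case-sensitive share. The sample tree is constructed in a temporary directory and needs a case-sensitive filesystem to be created at all.

```python
import os
import tempfile
from collections import defaultdict

def case_collisions(root):
    """Map each directory to groups of entries that differ only in case.

    Returns {dirpath: [[name, name, ...], ...]}; only groups of two or more
    are kept, which is what 'ls | tr ... | sort | uniq -cd' reports for one
    directory, here applied to every directory under root.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        groups = defaultdict(list)
        for name in dirnames + filenames:   # a file and a directory can collide too
            groups[name.lower()].append(name)
        dupes = [sorted(names) for names in groups.values() if len(names) > 1]
        if dupes:
            report[dirpath] = sorted(dupes)
    return report

def make_sample_tree():
    """Constructed example share: two colliding pairs plus an unrelated file.

    On a case-insensitive filesystem the second mkdir raises FileExistsError,
    which is the very condition the post describes.
    """
    root = tempfile.mkdtemp(prefix="share_")
    os.mkdir(os.path.join(root, "test_directory"))
    os.mkdir(os.path.join(root, "Test_directory"))
    os.mkdir(os.path.join(root, "docs"))
    for name in ("README", "readme", "notes.txt"):
        open(os.path.join(root, "docs", name), "w").close()
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    for directory, groups in case_collisions(root).items():
        for group in groups:
            print("%s: %s" % (directory, " / ".join(group)))
```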
Tags: finder, linux, mac, OSX, snow leopard, sysadmin, unix
Posted in Uncategorized | No Comments »
Tuesday, September 28th, 2010
Configuring an amazon EC2 image to associate itself with your puppet master on boot was once an involved manual process requiring custom boot scripts and hand-rolling your own AMI. With the UEC (Ubuntu Enterprise Cloud) AMIs this is much more straightforward. As long as you use an AMI from this list you’ll be able to pass information about the puppet master into the user-data field when booting the instance.
Simply modify the following and place it in the user-data field when booting your instance to automatically connect to your puppet master.
Note: indentation counts!
#cloud-config
#
# This is an example file to automatically set up and run puppetd
# when the instance boots for the first time.
# Make sure that this file is valid yaml before starting instances.
# It should be passed as user-data when starting the instance.
puppet:
  # Every key present in the conf object will be added to puppet.conf:
  # [name]
  # subkey=value
  #
  # For example the configuration below will have the following section
  # added to puppet.conf:
  # [puppetd]
  # server=puppetmaster.example.org
  # certname=i-0123456.ip-X-Y-Z.cloud.internal
  #
  # The puppetmaster ca certificate will be available in
  # /var/lib/puppet/ssl/certs/ca.pem
  conf:
    puppetd:
      server: "puppetmaster.mydomain.com"
      # certname supports substitutions at runtime:
      #   %i: instanceid
      #       Example: i-0123456
      #   %f: fqdn of the machine
      #       Example: ip-X-Y-Z.cloud.internal
      #
      # NB: the certname will automatically be lowercase as required by puppet
      certname: "%i-%f"
    # ca_cert is a special case. It won't be added to puppet.conf.
    # It holds the puppetmaster certificate in pem format.
    # It should be a multi-line string (using the | yaml notation for
    # multi-line strings).
    # The puppetmaster certificate is located in
    # /var/lib/puppet/ssl/ca/ca_crt.pem on the puppetmaster host.
    #
    ca_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
That’s really all there is to it! Give the machine a few minutes to initialize and soon you will see a new certificate waiting to be signed by puppetca!
Thanks to this post.
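To see what the stanza above turns into on the instance, here is an added Python illustration of the behaviour the comments describe (it is not cloud-init's own code): every key under conf becomes a puppet.conf section, certname gets the %i/%f substitutions and is lowercased, and ca_cert is kept aside to be written to /var/lib/puppet/ssl/certs/ca.pem. The instance id and FQDN are the example values from the comments; the certificate text is a placeholder.

```python
# Constructed equivalent of the 'puppet:' mapping in the cloud-config above
# (same keys as the YAML, written as a dict so no YAML parser is needed).
USER_DATA_PUPPET = {
    "conf": {
        "puppetd": {
            "server": "puppetmaster.mydomain.com",
            "certname": "%i-%f",
        },
        # placeholder: the real value is the puppetmaster's ca_crt.pem
        "ca_cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    }
}

CA_CERT_PATH = "/var/lib/puppet/ssl/certs/ca.pem"   # where the CA cert ends up

def expand_certname(template, instance_id, fqdn):
    """Apply the %i (instance id) and %f (fqdn) substitutions, then lowercase."""
    return template.replace("%i", instance_id).replace("%f", fqdn).lower()

def render_puppet_conf(puppet_cfg, instance_id, fqdn):
    """Return (puppet.conf text, ca_cert PEM or None) for the 'puppet:' mapping."""
    sections = []
    ca_cert = None
    for section, values in puppet_cfg["conf"].items():
        if section == "ca_cert":          # special case: never a puppet.conf section
            ca_cert = values
            continue
        lines = ["[%s]" % section]
        for key, value in values.items():
            if key == "certname":
                value = expand_certname(value, instance_id, fqdn)
            lines.append("%s=%s" % (key, value))
        sections.append("\n".join(lines))
    return "\n\n".join(sections) + "\n", ca_cert

if __name__ == "__main__":
    conf, ca = render_puppet_conf(USER_DATA_PUPPET, "i-0123456", "ip-X-Y-Z.cloud.internal")
    print(conf)
    if ca:
        print("CA certificate would be written to", CA_CERT_PATH)
```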
Tags: amazon, ec2, howto, linux, puppet, sysadmin, uec, unix, Virtualization
Posted in Uncategorized | No Comments »
Thursday, September 23rd, 2010
Because I refer to the NetApp man pages so frequently I host a copy on this web server at http://backdrift.org/man/netapp/. I hope you find them useful!
Tags: documentation, howto, linux, man, manual, netapp, storage, troubleshooting, unix
Posted in Uncategorized | No Comments »
Sunday, August 29th, 2010
I came across this odd puppet error while setting up a puppet client on a host running in amazon EC2 and it took me a bit of head scratching to figure it out.
(/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': undefined method `closed?' for nil:NilClass
(/File[/var/lib/puppet/lib]) Failed to retrieve current state of resource: undefined method `closed?' for nil:NilClass Could not retrieve file metadata for puppet://example.com/plugins: undefined method `closed?' for nil:NilClass
Could not retrieve catalog from remote server: undefined method `closed?' for nil:NilClass
The problem was that the host name I used in my puppet.conf file as the puppet server (example.com) did not match the host name (cn) of the puppetmaster CA. A quick update to puppet.conf and everything was working as expected!
Another possible cause for this error is an incorrect puppetmaster CA in your puppet config. In general, this error seems to indicate that something isn’t settling right with SSL.
Tags: ec2, linux, puppet, ruby, sysadmin, systems administration, troubleshooting
Posted in Uncategorized | 1 Comment »
Tuesday, August 17th, 2010
This is the most complete list of ports used by NetApp filers that I have been able to find to date. It is from the /etc/services file that NetApp provides within their firmware that they have updated to show only services consumed or served by a NetApp filer.
This is taken from Data ONTAP firmware Release 7.2.6.1.
#/vol/vol0/etc/services
#
# Network services, Internet style
#
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
smtp 25/tcp
time 37/tcp # Time Service
time 37/udp # Time Service
domain 53/udp # DNS
domain 53/tcp # DNS
portmap 111/udp
portmap 111/tcp
dhcps 67/udp # DHCP server
dhcpc 68/udp # DHCP client
tftp 69/udp
http 80/tcp
kerberos 88/udp # Kerberos 5
kerberos 88/tcp # Kerberos 5
nntp 119/tcp
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
netbios-name 137/udp # NetBIOS nameserver
netbios-dg 138/udp # NetBIOS datagram service
netbios-ssn 139/tcp # NetBIOS service session
snmp 161/udp
ldap 389/tcp # LDAP session
https 443/tcp # SecureAdmin/SSL
cifs-tcp 445/tcp # CIFS over TCP with NetBIOS framing
kpasswd 464/tcp # Filer does not listen on this port;
# used as Domain Controller destination port
# for Kerberos passwd set/change operations
shell 514/tcp
syslog 514/udp
route 520/udp
ldap-ssl 636/tcp # LDAP over SSL
kerberos-sec 750/udp # For compatibility with older "750" clients
kerberos-sec 750/tcp # For compatibility with older "750" clients
nfsd 2049/udp
nfsd 2049/tcp
nrv 2050/tcp # NetApp Remote Volume protocol, used in
# FlexCache and Restore-On-Demand.
iscsi-target 3260/tcp
nlockmgr 4045/tcp # NLM
nlockmgr 4045/udp
mountd 4046/tcp # NFS mountd protocol
mountd 4046/udp
status 4047/tcp
status 4047/udp
pcnfsd 4048/tcp # PCNFS protocol
pcnfsd 4048/udp
rquotad 4049/udp
ndmp 10000/tcp
sm-ics 10565/tcp # Snapmirror Multipath
snapmirror 10566/tcp
sm-sync-block 10567/tcp # Snapmirror Sync Block Data
sm-sync-trans 10568/tcp # Snapmirror Sync Transaction Data
sm-sync-ctrl 10569/tcp # Snapmirror Sync Control Data
nbu-nearstore 10571/tcp # NetBackup - Nearstore
sm-ics-test 10670/tcp # INTERNAL USE: Snapmirror Multipath Test
ndmp-local 32243/tcp # Internal connection inside NetApp box
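A small parser for the services file format above, added here as an example (it is not NetApp's code), which turns the list into a (port, protocol) map that a firewall allow-list or a scan-result check can be compared against. It handles the continuation comment lines (as under kpasswd) and the same name appearing for both tcp and udp; the sample is a constructed excerpt of the listing above.

```python
import re

# Constructed excerpt of the listing above, including a multi-line comment.
SERVICES_EXCERPT = """\
#/vol/vol0/etc/services
domain 53/udp # DNS
domain 53/tcp # DNS
cifs-tcp 445/tcp # CIFS over TCP with NetBIOS framing
kpasswd 464/tcp # Filer does not listen on this port;
# used as Domain Controller destination port
# for Kerberos passwd set/change operations
nfsd 2049/udp
nfsd 2049/tcp
iscsi-target 3260/tcp
"""

LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s*(?:#\s*(?P<comment>.*))?$")

def parse_services(text):
    """Return a list of {name, port, proto, comment} dicts in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.lstrip().startswith("#"):
            # A comment line directly after a commented entry continues that comment;
            # any other comment line (like the header) is skipped.
            if entries and entries[-1]["comment"] is not None:
                entries[-1]["comment"] += " " + line.lstrip("# ").strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised services line: %r" % raw)
        entries.append({"name": m.group("name"), "port": int(m.group("port")),
                        "proto": m.group("proto"), "comment": m.group("comment")})
    return entries

def port_map(entries):
    """{(port, proto): name}, the shape an allow-list or scan matcher wants."""
    return {(e["port"], e["proto"]): e["name"] for e in entries}

if __name__ == "__main__":
    for (port, proto), name in sorted(port_map(parse_services(SERVICES_EXCERPT)).items()):
        print("%5d/%s  %s" % (port, proto, name))
```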
Tags: filer, linux, netapp, networking, ontap, port, server, storage, tcp, troubleshooting, udp, unix
Posted in Uncategorized | No Comments »
Wednesday, July 28th, 2010
There are probably a million and one individual pieces of software and websites you can use to generate a randomized password string. But the truth of the matter is that, if you have a UNIX machine, you don’t need them at all! Here’s how to generate a randomized password using widely available UNIX commands.
Random Data
UNIX is really, really good at generating random output. In fact, there is a device dedicated specifically to this cause. Meet /dev/random. We will be using this device as the source of our random password.
What about ASCII?
/dev/random provides us with some *really* random output. If you were to use a section of this random output in its raw form you would likely run into characters that are hard if not impossible to enter with your keyboard. To address this we will use uuencode to convert the raw output into a more human readable base64 version.
Putting it all together
Using dd we can take a small slice of randomness and pipe it into uuencode. The second to last line will be our randomized password.
Note: you may need to install the ‘sharutils’ package onto your system if uuencode isn’t installed by default.
$ dd if=/dev/random bs=1 count=12 | uuencode -m -
begin-base64 644 -
12+0 records in
12+0 records out
12 bytes transferred in 0.000165 secs (72734 bytes/sec)
KJ1yeC4MtSg5QQCY
====
“dd if=/dev/random bs=1 count=12” reads 12 blocks (count=12) of one byte each (bs=1) from /dev/random (if=/dev/random), i.e. 12 random bytes.
“| uuencode -m -” reads the input from the previous command (the pipe, with the trailing - meaning standard input) and encodes it as base64 (-m).
And there you have it, your shiny new random password!
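The same construction in Python, added as an example (not from the post): random bytes from the kernel CSPRNG, base64-encoded, with the relationship between byte count, password length and entropy made explicit. It uses the secrets module in place of dd and uuencode; byte counts that are not a multiple of 3 produce trailing '=' padding that carries no entropy, which is why 12 is a convenient choice.

```python
import base64
import math
import secrets

def random_password(nbytes=12):
    """Base64 (the same encoding as uuencode -m) of nbytes of CSPRNG output."""
    raw = secrets.token_bytes(nbytes)        # analogue of dd if=/dev/random bs=1 count=nbytes
    return base64.b64encode(raw).decode("ascii")

def encoded_length(nbytes):
    """Base64 output length: 4 characters per 3 input bytes, rounded up to a full group."""
    return 4 * math.ceil(nbytes / 3)

def entropy_bits(nbytes):
    """Entropy of the password: 8 bits per random byte; the encoding adds none."""
    return 8 * nbytes

def strip_padding(password):
    """Drop trailing '=' (pure padding) when the byte count is not a multiple of 3."""
    return password.rstrip("=")

if __name__ == "__main__":
    for n in (12, 10, 16):
        pw = random_password(n)
        print("%2d bytes -> %s (%d chars, %d bits)" % (n, pw, len(pw), entropy_bits(n)))
```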
Tags: howto, linux, password, security, sysadmin, tips, unix
Posted in Uncategorized | No Comments »