Difference between revisions of "Sysadmin Notes"
(→Fun with OpenVPN) |
|||
Line 213: | Line 213: | ||
EndSection | EndSection | ||
</pre> | </pre> | ||
+ | |||
+ | == How to Upgrade VMware VMserver 2.0 on Linux == | ||
+ | |||
+ | I recently had to upgrade my VMware VMserver 2.0 to 2.0.2 to install Windows 7. Rather than re-invent the wheel and re-learn how to do this, I find this website which outlines the fairly simple procedure. | ||
+ | |||
+ | [http://www.cyberciti.biz/tips/rhel-centos-upgrade-vmware-server.html] |
Revision as of 21:29, 29 October 2009
Notes on system administration gotchas, snafus, etc.
Linux Unable to See/Use My 2nd CPU Core
CPU #1 not responding - cannot use it. powernow-k8: Found 1 AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ processors (1 cpu cores) (version 2.00.00)
Santa brought me an HP Pavilion a6230n for Christmas 2007. It came with an AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ stepping 03, 3GB of RAM, 400 GB SATA, decent nVidia graphics, etc. When I installed both FC7 and FC8, I received the above warning messages in my log files. Linux was unable to use the 2nd core. Fixing this involved installing a BIOS update, for this model, that I downloaded from HP. Unfortunately, the BIOS update would only run under Windows Vista so I had to re-install Vista on the machine.
Fun with Dovecot IMAP, Postfix, Squirrel Mail, Apache, etc.
I recently lost a disk and paid to have it recovered. When I re-loaded my home directory, some of my file permissions got mangled.
When I tried to log into my Webmail facility, I received the following error message:
ERROR: Could not complete request. Query: LSUB "" "*" Reason Given: Permission denied
Fixing this problem involved finding all the Dovecot files in my home directory and changing the ownership and group back to my user rather than root.
Look for .subscriptions and .imap in your Mail directory (or mail) and check the ownership and permissions.
Fun with Java Keystores: How to import an existing private key and cert into a Java Keystore
I use SSL outside of Java for many things including Web servers, LDAP, SSL programming, etc. Consequently, most of my systems already have private keys and x509 certs. Java's keytool program makes it nearly impossible (as far as I can tell) to import pre-existing keys and certs into an existing or new keystore. Plus, the various Java keystore GUIs are hard to use (I cannot figure them out) or are not open source.
I came across this web page that describes how to do so. I summarize here just in case this web page goes away. We assume the private key is in key.pem and the cert is in cert.pem (both are in PEM format).
Convert the key and cert from PEM format to DER format using openssl command
Use openssl to convert from PEM to DER format.
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Put key and cert into a new Java Keystore
Use the ImportKey.java class to take the key and cert and place it in a newly constructed JKS keystore. I modified the ImportKey java source to use the keystore password changeit and to use the key alias importkey and to save the resulting keystore in the file jetty.keystore
java ImportKey key.der cert.der
Getting Apache to work with Subversion and LDAP Authentication
I use both LDAP and NIS internally for directory services although I am migrating everything to LDAP. I recently installed and created a Subversion repository for my source code. I wanted Apache 2.x to provide access to the repository and I wanted to use LDAP (LDAPS actually) to authenticate users so that I did not have to do yet another .htusers file.
To get everything working, I placed the following directives in conf.d/subversion.conf. I already had https working on the server and configured it to load SSL at startup.
LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so <Location /repos> DAV svn SVNPath /columbia4/repos AuthType Basic AuthName "Subversion repository" AuthBasicProvider ldap AuthzLDAPAuthoritative on Require valid-user AuthzLDAPMethod ldap AuthLDAPUrl ldaps://columbia.krupczak.org/dc=krupczak,dc=org?uid </Location>
Notes for Administering OpenNMS
Root Login on FC10 with Gnome 2.24 and FC11 with Gnome 2.26
The geniuses at Fedora and Gnome have disabled root login on the console in Fedora Core 10 (FC10). No matter what I did, I was unable to "fix" this using the docs I found on the web. On various Fedora mailing lists, allowing or not allowing root login generated a lot of discussion.
I re-enabled root login on FC10 Gnome 2.24 by editing the file /etc/pam.d/gdm and commenting out the line that says user != root.
#auth required pam_succeed_if.so user != root quiet
On FC11 with Gnome 2.26, there are even more files to edit. gdm-password and gdm-fingerprint also need to be edited to comment out the user/root clause.
How to Change Network Device Names in FC10 and FC 11
Network device names (e.g. eth0, eth1) are seemingly assigned in an arbitrary and capricious manner in recent Fedora distributions. I like for my network interfaces to be assigned in a more predictable manner such as: motherboard ethernet should be eth0 while PCI ethernet cards should be ordered sequentially based on their slot number.
In past Fedora distributions, /etc/modprobe.conf could be edited to reflect device naming preferences. I supposed that may still be true in Fedora 10 and 11. However, one can also edit udev rules in /etc/udev/rules.d. For example, in my new router/firewall box with four ethernet interfaces, the following file can be edited to reflect my desired ethernet interface numbering preferences. From 70-persistent-net.rules
# Networking Interface (rule written by anaconda) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:17:31:8c:6d:be", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" # Networking Interface (rule written by anaconda) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:41:e5:43:56", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2" # Networking Interface (rule written by anaconda) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:13:46:77:fe:b3", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3" # Networking Interface (rule written by anaconda) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:04:5a:6b:aa:58", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
Add Support for Remote X11 in Gnome
I read email on a different machine using mutt. I want to be able to have pictures and other content displayed on my desktop display via X. The default settings in more recent versions of Gnome disable X11/TCP.
%ps -aef | grep Xorg rdk 1494 30140 0 11:22 pts/7 00:00:00 grep -i Xorg root 4115 4114 0 Aug01 tty1 00:06:29 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-tJGw2e/database -nolisten tcp vt1
To disable the nolisten tcp, edit /etc/gdm/custom.conf and add DisallowTCP=false under the [security] section. Log out and back in and that should do the trick.
Fun with OpenVPN
I spent a lot of time getting OpenVPN to work so that I could do site-to-site and allow mobile clients to connect. Throw in iptables, routing issues, and OpenSSL and it gets really entertaining.
The OpenVPN server is a multi-homed router with several internal subnets. I wanted the OpenVPN server to make the internal subnets available to clients and other sites. One big problem is that the OpenVPN server was to export the very subnet it resides on to clients and sites. This caused a potential routing loop to occur. I also wanted to be able to access the client's subnet as well hence site-to-site.
The configuration solution was to have the OpenVPN server bind to my ppp0 interface only rather than an internal yet routable subnet interface. I also used a private CA to generate x509v3 certs and keys. Using a private CA allows me to overload client authentication onto the PKI provided by SSL.
After getting things working, I noticed that any sustained traffic, over the VPN, would cause the link to lock up. Searching through the net, I tried tuning the end-system TCP implementations, setting MTUs, etc. Adding the statement mssfix 1400 greatly reduced the congestion on the VPN link by essentially "helping" the end-system TCP implementations tune their maximum-segment-size.
I also added the following entry to both sides /etc/sysctl.conf file to increase buffers available to UDP.
vm.min_free_kbytes = 8192
The server's config, stripped down is:
proto udp port 1194 dev tun mssfix 1400 local ppp0-ip-address tls-server ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key dh /etc/openvpn/dh1024.pem server 172.30.0.0 255.255.255.0 client-to-client ifconfig-pool-persist ipp.txt keepalive 10 60 ping-timer-rem comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log client-config-dir ccd # tell the underlying system to route to this subnet via VPN # this subnet is located at the other site; my subnets are "pushed" # to the other side via the ccd config file route 10.0.1.0 255.255.255.0
The client (other site) config file:
client local my-own-ppp0-ip-address proto udp port 1194 dev tun tls-client ca /etc/openvpn/ca.crt cert /etc/openvpn/client.crt key /etc/openvpn/client.key resolv-retry infinite keepalive 10 60 ping-timer-rem remote server-ip-address 1194 comp-lzo user nobody group nobody persist-key persist-tun # server side iroutes my net and make it available to others # via CCD config
The client-specific config file, located on the OpenVPN server is:
# client-specific config that gets pushed to specific client # filename must match hostname/cert-CN in order to get read push "route 10.0.0.0 255.255.255.0" push "route w.x.y.z 255.255.255.240" # iroute tells the VPN daemon to route packets to 10.0.1.x # to this particular client iroute 10.0.1.0 255.255.255.0
Fun With Nvidia Graphics Cards
I bought and installed a nice PCI Nvidia graphics card but had problems telling Xorg to use the new card. It turned out that I needed to specify the BusID of the video card in my xorg.conf file. Dmesg returns the BusID in one format (with a period) and the config file wants a slightly different format. The two formats are subtly different hence the cause of my consternation.
# dmesg | grep nvidia nvidia 0000:03:00.0: PCI INT A -> Link[LN0A] -> GSI 19 (level, low) -> IRQ 19
Here is the working device section from my xorg.conf file. Note the use of colons separating the BusID components. Dmesg puts a period before the last 0.
Section "Device" Identifier "Videocard0" Driver "nvidia" VendorName "NVIDIA Corporation" BusID "PCI:03:00:0" EndSection
How to Upgrade VMware VMserver 2.0 on Linux
I recently had to upgrade my VMware VMserver 2.0 to 2.0.2 to install Windows 7. Rather than re-invent the wheel and re-learn how to do this, I find this website which outlines the fairly simple procedure.