CentOS 7 KeyMap IT

CentOS 7 uses systemd by default, a suite of tools for managing system services.

To set the keyboard layout you use:

# localectl set-keymap it

but done this way, the setting seems to be lost at reboot.

What actually happens is that localectl writes KEYMAP=it to /etc/vconsole.conf, while the kernel command line written by the installer still carries vconsole.keymap=it2, and the kernel command-line parameter overrides the file (see the systemd-vconsole-setup man page linked below).

It is enough to edit /etc/grub2.cfg and set the right parameter, vconsole.keymap=it, in place of vconsole.keymap=it2. Keep in mind that /etc/grub2.cfg (a symlink to /boot/grub2/grub.cfg) is regenerated by grub2-mkconfig; to make the fix survive that, change the parameter in GRUB_CMDLINE_LINUX in /etc/default/grub as well and run grub2-mkconfig -o /boot/grub2/grub.cfg.

At reboot the setting is preserved, since we are telling the Linux kernel to use the virtual console with keymap it.

more info: http://www.freedesktop.org/software/systemd/man/systemd-vconsole-setup.service.html
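As an added example, not part of the original post, here are two small shell functions for checking which keymap the kernel was booted with and for rewriting the parameter in a command-line string (the contents of /proc/cmdline, or the GRUB_CMDLINE_LINUX value from /etc/default/grub). The command line in the usage comment is constructed for the example.

```shell
# Keymap set on a kernel command line (vconsole.keymap=...), empty if none.
cmdline_keymap() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^vconsole\.keymap=//p'
}

# Rewrite vconsole.keymap=<old> to vconsole.keymap=<new> in a command-line
# string, appending the parameter when it is missing altogether.
set_cmdline_keymap() {
  cmdline=$1 keymap=$2
  if [ -n "$(cmdline_keymap "$cmdline")" ]; then
    printf '%s\n' "$cmdline" | sed "s/vconsole\.keymap=[^ ]*/vconsole.keymap=$keymap/"
  else
    printf '%s vconsole.keymap=%s\n' "$cmdline" "$keymap"
  fi
}

# On a live CentOS 7 box, compare what the kernel booted with against what
# localectl wrote; when both are set, the kernel parameter wins:
#   cmdline_keymap "$(cat /proc/cmdline)"
#   grep KEYMAP /etc/vconsole.conf
# Constructed sample: set_cmdline_keymap 'root=/dev/sda1 ro vconsole.keymap=it2 quiet' it
```

The rewrite is meant for the GRUB_CMDLINE_LINUX line in /etc/default/grub (followed by grub2-mkconfig); editing /etc/grub2.cfg directly works only until the next regeneration.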

Speeding up compression

We usually turn to compression when reducing the size of the data is the only way to move it faster (especially over the network). The canonical compression tools offer poor parallelism, while multi-core systems are everywhere today.

If you want to keep working with a versatile tool like gzip and step up to a higher level of performance, take a look at pigz (pronounced "pig-zee", http://zlib.net/pigz , written by one of the zlib authors).

The command line is nearly identical to gzip's; by default it spreads the work over all available cores. To limit core usage, use the -p switch:

tar c /data/path | pigz -p 3 > archive.tar.gz

uses 3 compression threads; on a quad-core system one core stays free for other tasks. The output is a standard gzip stream, so the receiving side can unpack it with plain gunzip or tar xzf.
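As an added example (not code from the original post), a small wrapper around the pipeline above that leaves one core free, falls back to plain gzip where pigz is not installed, and verifies the result with the standard gzip tools, which is possible because pigz writes ordinary gzip streams. The archive layout and the helper names are choices made for the example.

```shell
# Archive DIR into the gzip file OUT with pigz, leaving one core free for other
# work as the post suggests; fall back to gzip when pigz is not installed.
# Prints the compressor that was used.
pcompress() {
  dir=$1 out=$2
  ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc 2>/dev/null || echo 1)
  ncpu=${ncpu:-1}
  if [ "$ncpu" -gt 1 ]; then
    jobs=$((ncpu - 1))
  else
    jobs=1
  fi
  if command -v pigz >/dev/null 2>&1; then
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" | pigz -p "$jobs" > "$out" && echo pigz
  else
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" | gzip > "$out" && echo gzip
  fi
}

# pigz output is a standard gzip stream, so the usual tools verify it:
# gzip -t checks the CRC of every member, tar -tzf checks the tar structure.
pverify() {
  gzip -t "$1" && tar -tzf "$1" >/dev/null
}

# Usage: pcompress /data/path archive.tar.gz && pverify archive.tar.gz
```

Running the verification step on the receiving side is cheap and catches truncated transfers before anyone relies on the backup.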

Restricted ssh access

Sometimes we need an ssh connection to perform only a few system activities, not to actually open a command shell on the remote host.

When performing security-critical tasks, or accessing tightly secured machines, handing out a full remote shell is close to opening a breach.

E.g., backup tasks are usually performed by a dedicated system user that is granted access over ssh; allowing that user only a restricted set of commands adds some security and avoids system-wide access.

Adding some options in front of the key in ~user/.ssh/authorized_keys on the remote host is a quick solution:

from="accessing_host.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="echo 'I can only print this useless message...damn'" ssh-rsa AAA...
...
...Pw== user@accessing_host.example.com

Where:

  • the from option allows connections with this key from the specified host only (matched against the client's IP address or canonical host name)
  • no-port-forwarding,no-X11-forwarding,no-agent-forwarding disable the forwarding capabilities from the remote host; add no-pty to refuse a terminal as well, or, on OpenSSH 7.2 and later, use the single restrict option that switches all of these off at once
  • the command option forces the one command this key can run on the remote host. Whatever command the client asked for is NOT executed: sshd only passes it to the forced command in the SSH_ORIGINAL_COMMAND environment variable

The command option can also point at a script that runs several shell commands to accomplish complex tasks; that script then has to inspect SSH_ORIGINAL_COMMAND and refuse anything it does not expect, otherwise the key holder gets whatever the script is willing to do.
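A forced-command wrapper of that kind, as an added example that is not code from the original post. sshd puts the command the client actually requested in SSH_ORIGINAL_COMMAND; the wrapper allows only an rsync push into a backup tree and a disk-space check, and refuses everything else, including the empty request that would mean an interactive shell. The backup root, the log tag, the install path and the accepted rsync form are assumptions chosen for the example; the authorized_keys line in the comment reuses the host name from the entry above.

```shell
#!/bin/sh
# Forced-command wrapper for a backup-only key (added example, not the post's code).
# authorized_keys entry, all on one line (key material elided):
#   restrict,from="accessing_host.example.com",command="/usr/local/sbin/backup-only" ssh-rsa AAA...
# Assumed for the example: backup tree, log tag and the rsync invocation form.
BACKUP_ROOT=${BACKUP_ROOT:-/srv/backup}
LOGTAG=backup-only

# Return 0 only for a request on the allowlist; 1 for anything else.
check_command() {
  req=$1
  [ -n "$req" ] || return 1          # empty request = the client wanted a login shell
  # Shell metacharacters, globs or an upward path component are refused outright,
  # so the exec below can split the string safely.
  if printf '%s\n' "$req" | grep -q -e '[;|&$()<>`*?]' -e '\.\.'; then
    return 1
  fi
  case $req in
    *--sender*)                              return 1 ;;  # rsync pulling data back out: no
    "rsync --server "*" . $BACKUP_ROOT/"*)   return 0 ;;  # rsync push into the backup tree
    "df -h $BACKUP_ROOT")                    return 0 ;;  # free-space check
  esac
  return 1
}

run_forced_command() {
  req=${SSH_ORIGINAL_COMMAND:-}
  if check_command "$req"; then
    logger -t "$LOGTAG" "allowed: $req"
    set -f                               # no globbing while splitting the request
    exec $req                            # run the vetted request, never a shell
  fi
  logger -t "$LOGTAG" "rejected: ${req:-<interactive shell>}"
  printf 'command not permitted\n' >&2
  exit 1
}

# Only act as the wrapper when sshd actually invoked us.
if [ -n "${SSH_CONNECTION:-}" ]; then
  run_forced_command
fi
```

The allowlist is deliberately an exact-form match rather than a blocklist: a new legitimate use means adding a pattern, while anything unexpected (an extra flag, a path outside the tree, a second command after a semicolon) is logged and refused. With restrict in front of the key there is no pty, so even an allowed command cannot be turned into an interactive session.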

r(h)e(v)set password

RHEV uses FreeIPA services to authenticate users to its portal. If the password has expired, the administrator can only set a one-time password via the IPA portal, e.g. https://freeipa.rhevlab.local/ipa/ui/ , and the user must change it *before* logging in.

The user, e.g. u01@rhevlab.local, needs only to run
# kinit u01

The kinit executable reads the Kerberos configuration from /etc/krb5.conf and takes the default realm (e.g. RHEVLAB.LOCAL) from it, thus associating the user with the right LDAP entry:

[libdefaults]
default_realm = RHEVLAB.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

You can otherwise specify the realm, in UPPERCASE, in your kinit request:
# kinit u01@RHEVLAB.LOCAL

while all your *lowercase* requests are doomed to fail, because Kerberos realm names are case-sensitive: no realm called rhevlab.local is defined in krb5.conf, and with dns_lookup_realm and dns_lookup_kdc set to false kinit will not try DNS to find one.
# kinit u01@rhevlab.local
kinit: Cannot find KDC for requested realm while getting initial credentials

IO Monitoring: pgrep thread support!

pgrep is a cool tool that shows all PIDs matching a given pattern, like
# pgrep -fl mysql

You can use it together with top to monitor memory usage and other things. Modern tools like iotop are task/thread based, and there pgrep is not very useful, because you are not tracking the I/O done by the subtasks (the threads).

We patched pgrep to print out all task/thread IDs, and we are glad that our patch was merged in the trunk (available in Fedora 19)!
Just use the -w flag to list all threads (lightweight processes):
# pgrep -flw mysql

You can otherwise get the same information from /proc, where every thread shows up under /proc/<pid>/task/<tid>; the fifth /-separated field of each matching path is the thread ID:
egrep -rl mysql /proc/[0-9]*/task/[0-9]*/cmdline | cut -d\/ -f 5
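The /proc walk from the one-liner above as a reusable function, added here as an example and not taken from the original post: it prints a PID and TID pair for every task whose command line matches the pattern, turning the NUL-separated cmdline into one line first so that a pattern spanning two arguments works, and it skips entries that vanish or are unreadable while the loop runs. thread_count is a small companion for one PID. The function names are choices made for the example.

```shell
# List "PID TID" for every task whose command line matches PATTERN.
# Walks /proc directly, so it works on procps versions without pgrep -w.
list_threads() {
  pattern=$1
  for f in /proc/[0-9]*/task/[0-9]*/cmdline; do
    [ -r "$f" ] || continue
    # cmdline is NUL-separated; make it one line before matching
    if tr '\0' ' ' < "$f" 2>/dev/null | grep -q -- "$pattern"; then
      pid=${f#/proc/}; pid=${pid%%/*}
      tid=${f%/cmdline}; tid=${tid##*/}
      printf '%s %s\n' "$pid" "$tid"
    fi
  done
}

# Number of threads of one PID, handy next to iotop's per-task view.
thread_count() {
  ls "/proc/$1/task" | wc -l
}

# Usage: list_threads mysql ; thread_count "$(pgrep -o mysqld)"
```

For a single-threaded process the PID and TID are the same, which is why plain pgrep was enough before multi-threaded daemons became the norm.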

The limits inference…

I was enjoying the /etc/security/limits.d/ directory for splitting user limit configuration when something didn't seem to work.

I added in limits.d/apache.conf the lines

root - nofile 65536
apache - nofile 8192

but the following still returned 1024

# service httpd restart
# grep files /proc/$(pidof httpd | cut -d' ' -f1)/limits
1024

while I was restarting httpd from the same bash process used to edit limits.d, in which I had the following

# ulimit -n
1024

apache was ignoring the limits.d statement. This could only happen if httpd was invoked without going through a `su` procedure (the PAM session step that reads the limits and calls setrlimit), and that was actually the case on Red Hat 6.3.

So when the bash process fork-exec'd httpd, the ulimit was still 1024 and no step was taken to "raise" the limits; moreover, after logging in again and restarting httpd, the new limit was 65536, root's own. Note that the apache line never applies to the daemon anyway: httpd is started by root and drops to the apache user with setuid, without any PAM session, so pam_limits never sees a login as apache.

The solution on RHEL 6.3, for me, was to set apache's ulimits statically in /etc/sysconfig/httpd (a ulimit -n line there is sourced by the init script before httpd starts).
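The behaviour described above can be reproduced without httpd. The following is an added example, not from the original post: it reads a process's limits from /proc the same way as the grep above, then starts a child from a subshell whose soft limit was lowered, to show that the child simply inherits it and that nothing consults limits.d on a plain fork/exec. The limit value used is arbitrary.

```shell
# Soft and hard "Max open files" of a running PID, read from /proc.
proc_nofile() {
  awk '/^Max open files/ { print $4, $5 }' "/proc/$1/limits"
}

# Lower the soft limit in a subshell, exec a child from it, and report the
# child's soft limit: it is whatever the parent had, limits.d is never consulted.
inherit_demo() {
  want=$1
  ( ulimit -S -n "$want" && exec sleep 30 ) &
  child=$!
  sleep 1                                   # give the subshell time to exec
  soft=$(proc_nofile "$child" | cut -d' ' -f1)
  kill "$child" 2>/dev/null || true
  wait "$child" 2>/dev/null || true
  echo "$soft"
}

# Usage: inherit_demo 256 prints 256 whatever limits.d says for this user.
# The PAM path is what applies limits.d: a fresh login, or "su - apache",
# runs pam_limits before any command, which is why re-logging in "fixed" it.
```

When a daemon must get its own limits regardless of who restarts it, set them in the place the init script reads (here /etc/sysconfig/httpd), not in limits.d entries for a user that never logs in.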

Use ALOM type commands on an ILOM firmware server

Sun/Oracle servers give access to different CLIs to manage hardware settings and the console.

In this case, we’ll have a look at two common CLIs found in most servers: ILOM and ALOM.

ILOM is the newer CLI: it supports a wider range of commands and it doesn't require a reset of the Service Processor to commit changes. ALOM, found on "older" servers, is on the contrary simpler and friendlier. A little example is console access: on ILOM you have to type:

-> start /SP/console

while on ALOM you just use this command:

sc> console

When operating with ILOMs, you have the chance to switch to the ALOM CLI (through backward compatibility), which is not a commonly known fact.

Why would you do that? Well, one reason is because Oracle Support personnel happen to instruct you to run ALOM commands on servers with ILOM.

They do not even tell you how to do that.

So, let’s roll and see how:

Log in to the SP as root, as usual.

XXXXXXXXXXXXXXXXXX login: root
Password:
Waiting for daemons to initialize…

Daemons ready

Integrated Lights Out Manager

Version 2.0.4.n

Copyright 2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Warning: password is set to factory default.

We have to create an administrative account (any name is fine, but we'll stick with the standard admin user) and assign it the alom CLI mode. If you see the factory-default password warning above, change the root password before going any further.

-> create /SP/users/admin role=Administrator cli_mode=alom
Creating user…
Enter new password: ********
Enter new password again: ********
Created /SP/users/admin

If the user admin with the Administrator role already exists, you need only to change the CLI mode and (optional) reset its password.

-> create /SP/users/admin role=Administrator cli_mode=alom
create: /SP/users/admin already exists
Create failed

-> set /SP/users/admin cli_mode=alom
Set 'cli_mode' to 'alom'

-> set /SP/users/admin password
Enter new password: ********
Enter new password again: ********

Now log in to the ILOM again, this time with the admin account:

XXXXXXXXXXXXXXXXXX login: admin
Password:
Waiting for daemons to initialize…

Daemons ready

Sun(TM) Integrated Lights Out Manager

Version 2.0.4.X

Copyright 2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

sc>

The sc> prompt indicates you are using the ALOM shell, and you can use most of its commands.

Pharaon of tests – I

Recently I have been playing with phoronix-test-suite (aka pts), a wonderful toolkit that provides a lot of benchmarks, downloading and installing the ones you need on demand.

Tests include aio-stress, iozone, pbzip2, phpbench and pybench.

Strangely enough I didn't find a quickstart for custom batch benchmarking. Phoronix provides a batch setup that's quite inflexible, so here we are.

Running a custom bench is simple and is done via environment variables:
1. find the test definition file and get the parameters

# find .phoronix-test-suite/ -path \*iozone\*test-definition.xml

Values are 0 for the first option of each entry, 1 for the second and so on.

2. set the values in PRESET_OPTIONS

PRESET_OPTIONS="iozone.record-size=0;"
PRESET_OPTIONS+="iozone.file-size=0;"
export PRESET_OPTIONS+="iozone.test=0"

3. set test name, identifier and description ($s is a label of your choice for the run, set beforehand)

export TEST_RESULTS_NAME=iozone-$s-${PRESET_OPTIONS//;/_}
export TEST_RESULTS_IDENTIFIER=$TEST_RESULTS_NAME-$(date +%s)
export TEST_RESULTS_DESCRIPTION=$TEST_RESULTS_NAME-$(date +%s)

4. run the test with

# phoronix-test-suite benchmark pts/iozone

5. find the results in

ls .phoronix-test-suite/test-results/

Kick off with kickstart v6

Kickstart is the Red Hat automatic installer. The installation is described by a ks.conf file divided into %sections.

Some differences:

v5, package list:

%packages
# this section does not end

v6, package list:

%packages
# this section ends with
%end

Other tips:

# don't ask for the registration key at install
key --skip
# disable graphical installation and
# X packages
text
skipx

Unable to log in as a user on a 4.1 ESX server

By default, a 4.1 ESX server denies ssh logins by standard users, while root access via ssh works without problems. This changed from 4.0 and has caused many headaches on systems upgraded to 4.1.

Obviously this is a security problem (everybody ends up working as root over ssh) and something we do not want.

To protect your ESX server and restore standard user access, you have to replace the system-auth config file; the older 4.0 version of the file will do the job. Always make a backup first, just in case something goes wrong (if it does and you don't notice, you're locked out, so pay attention):

# vi /etc/pam.d/system-auth

paste this content into the file:

#%PAM-1.0
# Autogenerated by esxcfg-auth

account    required    /lib/security/$ISA/pam_unix.so

auth          required    /lib/security/$ISA/pam_env.so
auth          sufficient           /lib/security/$ISA/pam_unix.so        likeauth nullok
auth          required    /lib/security/$ISA/pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=0  ocredit=-1 lcredit=-1 minlen=8
password           required    /lib/security/$ISA/pam_cracklib.so            retry=3
password           sufficient           /lib/security/$ISA/pam_unix.so        nullok use_authtok md5 shadow
password           required    /lib/security/$ISA/pam_deny.so

session      required    /lib/security/$ISA/pam_limits.so
session      required    /lib/security/$ISA/pam_unix.so

You can now log in to your 4.1 ESX server with a standard user. Now go and harden your server: in particular, nullok on the pam_unix lines lets accounts with an empty password authenticate, so drop it unless you really need it; and note that the first pam_cracklib line is the one enforcing the password policy (minlen=8, at least one digit, one lowercase and one special character), the second one just repeats the check with default settings.