Resistance is futile, your data will be assimilated (Linux/CentOS, Solaris) http://alchy.org/index.php Copyright 2010, Alchy Alchy en-US SPHPBLOG 0.5.1 DSEE7: design http://alchy.org/index.php?entry=entry100817-120854

- The command line management and monitoring tools, dsconf(1M) and dpconf(1M), require only LDAP access to the servers that you manage.

- DSCC is a web application. DSCC runs inside the framework known as Sun Java Web Console. You typically install DSCC on only one system in your deployment. You then manage all your servers from that installation of DSCC.

- DSCC requires LDAP access to the servers for online management operations. DSCC also requires Java Management Extension (JMX) access to agents installed alongside the servers. The agents perform server process management operations on behalf of DSCC, operations that cannot be performed through LDAP on a running server. DSCC contacts the agents over the network using a specific port number.

- The agents run inside a common agent container on the server system. This common agent container provides its agents with a single external port for management applications. The common agent container also consolidates resources to save resources on systems where multiple local agents share the container. For troubleshooting purposes, a common agent container can be managed independently using the cacaoadm command.

- When you install DSCC you also install Directory Server software. DSCC uses its own private instance of Directory Server to store configuration information.

- When you install DSCC on the administration host, you must be root. However, you can then use DSCC installed on the administration host to manage server hosts installed as non-root.



Directory Service Control Center not initialized: App server was runnig as a non-root user and directory server was runnig as a different non-root user. It worked when both these non-root users are set to identical. Sun Java System Directory Server Discussion Thread.
]]> Computer related http://alchy.org/index.php?entry=entry100817-120854 Alchy Tue, 17 Aug 2010 10:08:54 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100817-120854 http://www.temnokomornik.com/ http://alchy.org/index.php?entry=entry100816-234753 http://www.temnokomornik.com/]]> http://alchy.org/index.php?entry=entry100816-234753 Alchy Mon, 16 Aug 2010 21:47:53 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100816-234753 DSEE7: query LDAP aci (ACL) records with ldapsearch http://alchy.org/index.php?entry=entry100815-211856 * show all ACLs in dc=example,dc=com

[root@dhcppc2 ~]# ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "dc=example,dc=com" -s sub "(objectClass=*)" aci


* show all objectclassed available in schema

ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=schema" -s sub "(objectClass=*)" objectClasses
]]> Computer related http://alchy.org/index.php?entry=entry100815-211856 Alchy Sun, 15 Aug 2010 19:18:56 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100815-211856 DSEE7: removing, adding and registering (to dscc, cacao) instances http://alchy.org/index.php?entry=entry100815-211624 * recreating default ads instance

[root@dhcppc2 ~]# dsadm delete /usr/local/dsee7/var/dcc/ads
[root@dhcppc2 ~]# dsccsetup ads-create
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/var/dcc/ads
[root@dhcppc2 ~]# dsadm list-running-instances


* start Cacao, deploy Cacao init-script, register the DSCC agent in Common Agent Container

[root@dhcppc2 ~]# cacaoadm start
[root@dhcppc2 ~]# cacaoadm enable
[root@dhcppc2 ~]# dsccsetup cacao-reg


* create and deploy war file, start Glassfish

[root@dhcppc2 ~]# dsccsetup war-file-create
[root@dhcppc2 ~]# /opt/glassfish/bin/asadmin start-appserv


* connect to Glassfish

https://10.0.0.3:8181/dscc7/


* vytvoření dsInstanceEXAMPLE instance

[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 3200 -P 3201 /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 4200 -P 4201 /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 5200 -P 5201 /usr/local/dsee7/dsInstanceEXAMPLE3


* start instance

[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE3


* přidání instance ads do DSEE

[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE3


* list instancí

[root@dhcppc2 ~]# dsccreg list-servers
Enter DSCC administrator's password:
Enter DSCC administrator's password:Hostname  Port  sPort  Type  Owner  Flags  iPath                                Description
--------  ----  -----  ----  -----  -----  -----------------------------------  -----------
dhcppc2   4000  4001   DS    root          /usr/local/dsee7/dsInstanceEXAMPLE2
dhcppc2   5200  5201   DS    root          /usr/local/dsee7/dsInstanceEXAMPLE3
dhcppc2   3200  3201   DS    root          /usr/local/dsee7/dsInstanceEXAMPLE
3 server instance(s) found in DSCC on localhost.


* create suffix

[root@dhcppc2 ~]# dsconf create-suffix -h [hostname] -p [port] dc=example.dc=com


* import data to instance

[root@dhcppc2 ~]# dsconf import -h [hostname] -p [port] [file.ldif] dc=example,dc=com


* or import data offline

[root@dhcppc2 ~]# dsadm import $DSHOME/slapd-ldap1 $DSHOME/prod.ldif dc=example,dc=com


* create index on attribute

[root@dhcppc2 ~]# dsconf create-index -h [hostname] -p [port] 'dc=example,dc=com' [attributeName]
]]> Computer related http://alchy.org/index.php?entry=entry100815-211624 Alchy Sun, 15 Aug 2010 19:16:24 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100815-211624 Sun DSEE7, úpravy nastavení http://alchy.org/index.php?entry=entry100814-203205 * atributy souborů vytvořené instance:

[root@dhcppc2 dsInstanceEXAMPLE]# cd /usr/local/dsee7/dsInstanceEXAMPLE/
[root@dhcppc2 dsInstanceEXAMPLE]# find . -type d | xargs chmod 770
[root@dhcppc2 dsInstanceEXAMPLE]# find . -type f | xargs chmod 660

[root@dhcppc2 dsInstanceEXAMPLE]# find . | xargs ls -l
-rw-rw----  1 ldapadm ldapadm     1624 Aug 14 12:32 ./alias/certmap.conf
-rw-rw----  1 ldapadm ldapadm    16384 Aug 14 12:32 ./alias/secmod.db
-rw-rw----  1 ldapadm ldapadm    65536 Aug 14 12:32 ./alias/slapd-cert8.db
-rw-rw----  1 ldapadm ldapadm    16384 Aug 14 12:32 ./alias/slapd-key3.db
-rw-rw----  1 ldapadm ldapadm       12 Aug 14 12:32 ./config/certdb.txt
-rw-rw----  1 ldapadm ldapadm    80048 Aug 14 14:12 ./config/dse.ldif
-rw-rw----  1 ldapadm ldapadm    70902 Aug 14 14:12 ./config/dse.ldif.bak
-rw-rw----  1 ldapadm ldapadm    65343 Aug 14 12:35 ./config/dse.ldif.startOK
-rw-rw----  1 ldapadm ldapadm    77945 Aug 14 12:32 ./config/schema/00core.ldif
-rw-rw----  1 ldapadm ldapadm     7403 Aug 14 12:32 ./config/schema/00ds6pwp.ldif
-rw-rw----  1 ldapadm ldapadm     1842 Aug 14 12:32 ./config/schema/05rfc2247.ldif


*** doplnit pro adresář, /usr/local/dsee7/dsInstance${NAME|$CLASS}/plugins/signatures
(cert7.db, key3.db, secmod.db)

* CACAO bind

[root@dhcppc2 bin]# cacaoadm stop
[root@dhcppc2 bin]# cacaoadm list-params
[root@dhcppc2 bin]# cacaoadm set-param network-bind-address=127.0.0.1
[root@dhcppc2 bin]# cacaoadm start


* CACAO file rights

[root@dhcppc2 local]# cacaoadm verify-configuration
CONFIG ERROR : File access rights of [/usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security/snmp] are wrong [rwxrwxrwx] should be [rwxr-xr-x].
CONFIG ERROR : File access rights of [/usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security/snmp/jdmk.acl] are wrong [rwxrwxrwx] should be [rw-------].


* není vhodné logovat do adresáře instance

[root@dhcppc2 dsee7]# INSTANCE_LOG="/var/log/dsee7/dsInstanceEXAMPLE/logs"
[root@dhcppc2 dsee7]# mkdir -p $INSTANCE_LOG
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/error
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/logs/audit
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/access
[root@dhcppc2 dsee7]# chown -R ldapadm.ldapadm $INSTANCE_LOG

[ldapadm]$ ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-errorlog
nsslapd-errorlog: /var/log/dsee7/dsInstanceEXAMPLE/logs/errors
replace: nsslapd-accesslog
nsslapd-accesslog: /var/log/dsee7/dsInstanceEXAMPLE/logs/access
replace: nsslapd-auditlog
nsslapd-auditlog: /var/log/dsee7/dsInstanceEXAMPLE/logs/audit

[ldapadm]$  ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-permissions
nsslapd-auditlog-permissions: 660
replace: nsslapd-accesslog-permissions
nsslapd-accesslog-permissions: 660
replace: nsslapd-errorlog-permissions
nsslapd-errorlog-permissions: 660
modifying entry cn=config


* změna defaultní úrovně logování

[ldapadm]$  ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 256
replace: nsslapd-infolog-level
nsslapd-infolog-level: 256


* ověření nastavení

[ldapadm]$ ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=config" -s base "(objectclass=*)"


Core Server Configuration Reference

* password policy
[ldapadm]$ ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=Password Policy,cn=config" -s sub "(objectclass=*)"
version: 1
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: ldapsubentry
objectClass: pwdPolicy
objectClass: sunPwdPolicy
objectClass: passwordPolicy
cn: Password Policy
pwdAttribute: userPassword
passwordStorageScheme: SSHA
passwordChange: on
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
passwordRootdnMayBypassModsChecks: off
passwordNonRootMayResetUserpwd: on
passwordInHistory: 0
pwdInHistory: 0
passwordMinAge: 0
pwdMinAge: 0
passwordCheckSyntax: off
pwdCheckQuality: 0
passwordMinLength: 6
pwdMinLength: 6
passwordMustChange: off
pwdMustChange: FALSE
passwordExp: off
passwordMaxAge: 0
pwdMaxAge: 0
passwordWarning: 86400
pwdExpireWarning: 86400
passwordExpireWithoutWarning: on
pwdGraceAuthNLimit: 0
pwdKeepLastAuthTime: FALSE
passwordLockout: off
pwdLockout: FALSE
passwordMaxFailure: 3
pwdMaxFailure: 3
passwordResetFailureCount: 600
pwdFailureCountInterval: 600
pwdIsLockoutPrioritized: TRUE
passwordUnlock: on
passwordLockoutDuration: 3600
pwdLockoutDuration: 3600

]]> Computer related http://alchy.org/index.php?entry=entry100814-203205 Alchy Sat, 14 Aug 2010 18:32:05 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100814-203205 Sun's DSEE7, some command basics http://alchy.org/index.php?entry=entry100813-215018 Directory Service Control Center: Directory Service Control Center (DSCC) is a user interface that enables you to manage Directory Servers and Directory Proxy Servers by using a browser.

* OS user. Creates a server instance and is the only user who has the right to run operating system commands on a server instance by using the dsadm command. DSCC might request the OS user password in some cases. This user must have a password and must be able to create directory server instances.

* Directory Manager. The LDAP superuser for a server. The default DN is cn=Directory Manager.

* Directory Administrator. Administers a Directory Server. This user has the same rights as the Directory Manager but are subject to access controls, password policies, and authentication requirements. You can create as many Directory Administrators as you need.

* Directory Service Manager. Manages server configuration and data on multiple machines through DSCC. This user has the same rights as the Directory Manager for each of the servers registered in DSCC and is a member of the Directory Administrators Group.


---------------------------------------------------------------
---------------------- dscc commands --------------------------
--------- dsccmon dsccreg dsccsetup ---------------
---------------------------------------------------------------


*** dsccmon: Monitor servers registered with the DSCC registry
view-repl-agmts   Displays replication agreement monitoring view  
view-servers      Displays server monitoring view  
view-suffixes     Displays suffix monitoring view 

[root@dhcppc2 dsee7]# dsccmon view-repl-agmts
Enter DSCC administrator's password:
Suffix  Source  Destination  Status  Status Details  
------  ------  -----------  ------  --------------  

[root@dhcppc2 dsee7]# dsccmon view-suffixes
Enter DSCC administrator's password:
Role  Suffix                   Server  Entry#  Agmt#  State           NMC  AMC  Status Details  
----  -----------------  ------------  ------  -----  --------------  ---  ---  --------------  
-     dc=example,dc=com  dhcppc2:1389     160      0  Not-Replicated    -    -  -  

[root@dhcppc2 dsee7]# dsccmon view-servers
Enter DSCC administrator's password:
Server        Status  Version  Entry#  Suffix#  Roles  
------------  ------  -------  ------  -------  -----  
dhcppc2:1389  DOWN    -             0        0    ---


*** dsccsetup: Manage DSCC initialization and registration
ads-create       Create the DSCC Registry  
ads-delete       Delete the DSCC Registry  
cacao-reg        Register DSCC agent in Cacao  
cacao-unreg      Unregister DSCC agent from Cacao  
dismantle        Undo DSCC initialization by performing cacao-unreg, ads-delete and war-file-delete  
initialize       Initialize DSCC by performing cacao-reg, ads-create and war-file-create  
mfwk-reg         Register DS in JESMF  
mfwk-unreg       Unregister DS from JESMF  
prepare-patch    Performs actions required before applying patch  
status           Displays status of DSCC registration and initialization  
war-file-create  Generate the WAR file for deploying DSCC in an application server  
war-file-delete  Delete the WAR file

[root@dhcppc2 dsee7]# dsccsetup status -v
***
## /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm is present
## /usr/local/dsee7/lib/jar/nquickmodule.jar is present
## /usr/local/dsee7/ext/cacao_2/.configured is present
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm list-modules -r
DSCC Agent is registered in Cacao
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm status
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm get-param network-bind-address
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm get-param jmxmp-connector-port
Cacao is down. Start it using:
        /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm start
***
## /usr/local/dsee7/bin/dsadm is present
DSCC Registry has been created
Path of DSCC registry is /usr/local/dsee7/var/dcc/ads
Port of DSCC registry is 3998
***


*** dsccreg: Manage the DSCC registry
add-server     Add a server instance to the DSCC registry  
list-servers   List server instances added to DSCC registry  
remove-server  Remove a server instance from the DSCC registry  

[root@dhcppc2 dsee7]# dsccreg list-servers
Enter DSCC administrator's password:
Hostname  Port  sPort  Type  Owner  Flags  iPath              Description  
--------  ----  -----  ----  -----  -----  -----------------  -----------  
dhcppc2   1389  1636   DS    root          /usr/local/dsInst    
1 server instance(s) found in DSCC on localhost.



---------------------------------------------------------------
------------------------ ds commands --------------------------
------------------- dsutil dsadm dsconf -----------------------
---------------------------------------------------------------


*** dsutil: Commands for inactivating/activating user accounts
account-activate    Re-enable bind operation for a single user or users member of a role  
account-inactivate  Disable bind operation for a single user or users member of a role  
account-status      Indicates whether a user or role is activated

[root@dhcppc2 dsee7]# dsutil account-status --secure-port 1636 -D "cn=Directory Manager" \
> "uid=bjensen,ou=people,dc=example,dc=com"
Enter "cn=Directory Manager" password: 
"uid=bjensen,ou=people,dc=example,dc=com" is activated.

[root@dhcppc2 dsee7]# dsutil account-inactivate --secure-port 1636 -D "cn=Directory Manager" \
"uid=bjensen,ou=people,dc=example,dc=com"
Enter "cn=Directory Manager" password: 
"uid=bjensen,ou=people,dc=example,dc=com" has been inactivated.


*** dsadm: Manages a Directory Server instance, administration commands that must be run directly on the local host. For example: Starting and stopping the server, Creating a server Instance. You must have OS access permissions to the server instance path. 
add-cert                Adds a certificate to the certificate database
add-selfsign-cert       Creates and adds a selfsign certificate to the certificate database
analyze-indexes         Analyzes indexes and displays statistics on their values
backup                  Backs up Directory Server instance
create                  Creates Directory Server instance
delete                  Deletes Directory Server instance
export                  Creates LDIF representation of Directory Server instance
export-cert             Exports a certificate and its keys from the database
get-flags               Displays optional Directory Server instance flag values
import                  Populates existing suffix with LDIF data
import-cert             Adds a new certificate and its keys to the cert database
import-selfsign-cert    Adds a new selfsign certificate and its keys to the cert database
info                    Displays Directory Server instance status and some configuration info
list-certs              Lists all certificates in the database
list-running-instances  Displays running instances on this host
reindex                 Regenerates existing indexes
remove-cert             Removes a certificate from the database
renew-cert              Renews a certificate
renew-selfsign-cert     Renews a selfsign certificate
repack                  Repacks existing suffix
request-cert            Generates a certificate request
restart                 Restarts Directory Server instance
restore                 Restores Directory Server instance from backup archive
set-flags               Sets optional Directory Server instance flags
show-access-log         Displays lines from access log
show-cert               Displays a certificate
show-error-log          Displays lines from error log
start                   Starts Directory Server instance
stop                    Stops Directory Server instance
stop-running-instances  Stops Directory Server instances
upgrade                 Upgrades Directory Server instance from version 6 to version 7

[root@dhcppc2 dsee7]# dsadm start /usr/local/dsInst
Directory Server instance '/usr/local/dsInst' started: pid=10617

[root@dhcppc2 dsee7] dsadm list-running-instances
  PID    Instance path
-----    --------------------------
 1391    /opt/dsee7/var/dcc/ads
17999    /opt/dsee7/dsInst

[root@dhcppc2 dsee7]# dsadm show-access-log /usr/local/dsInst/
[13/Aug/2010:22:51:26 +0200] conn=22 op=12 msgId=-1 - closing from 127.0.0.1:48730 - U1 - Connection closed by unbind client -
[13/Aug/2010:22:51:26 +0200] conn=22 op=10 msgId=11 - RESULT err=0 tag=105 nentries=0 etime=0


*** dsconf: Configures a Directory Server Instance, Administration commands that can be run from a remote host. For example: Enabling replication, Setting cache size. The server must be running. You must have LDAP access permissions to configuration data, for example, as the user cn=admin,cn=Administrators,cn=config. You don't need to have OS access.
accord-repl-agmt               Ensures the authentication properties of the destination suffix are in accord with those of the replication agreement  
analyze-index-filters          Analyzes index filters and displays a status  
backup                         Backs up Directory Server data (cn=config excluded)  
change-repl-dest               Changes the remote replica pointed to by an existing replication agreement  
create-encrypted-attr          Creates an encrypted attribute   
create-index                   Creates an index   
create-plugin                  Creates a plugin  
create-repl-agmt               Creates replication agreement for existing suffix  
create-repl-priority           Creates a prioritized replication rule on a master  
create-suffix                  Creates suffix and empty data  
delete-encrypted-attr          Deletes an encrypted attribute   
delete-index                   Deletes an index   
delete-plugin                  Deletes a plugin  
delete-repl-agmt               Deletes replication agreement  
delete-repl-priority           Deletes a prioritized replication rule  
delete-suffix                  Deletes suffix configuration and data  
demote-repl                    Demotes an existing replicated suffix  
disable-index-filter-analyzer  Disables the index filter analyzer  
disable-plugin                 Disables a plugin  
disable-repl                   Abandons replication for replicated suffix  
disable-repl-agmt              Disables replication with another directory  
enable-index-filter-analyzer   Enables the index filter analyzer  
enable-plugin                  Enables a plugin  
enable-repl                    Enables replication by assigning a role to an existing suffix  
enable-repl-agmt               Enables replication with another directory  
export                         Exports suffix data to LDIF format  
get-index-prop                 Displays index property values  
get-log-prop                   Displays server log property values  
get-plugin-prop                Displays plugin property values  
get-repl-agmt-prop             Displays replication agreement property values  
get-server-prop                Displays server property values  
get-suffix-prop                Displays suffix property values  
help-properties                Lists properties exposed by subcommands  
import                         Populates an existing suffix with LDIF data  
info                           Displays information about server configuration  
init-repl-dest                 Launches total update of remote replica from local suffix  
list-encrypted-attrs           Lists encrypted attributes and displays their property values  
list-indexes                   Lists indexes  
list-plugins                   Lists plugins  
list-repl-agmts                Lists replication agreements  
list-repl-priorities           Lists prioritized replication rules and displays their property values  
list-suffixes                  Lists suffixes  
promote-repl                   Promotes an existing replicated suffix  
pwd-compat                     Changes Directory Server password compatibility mode  
reindex                        Rebuilds indexes of an existing suffix  
restore                        Restores Directory Server data from backup archive  
rotate-log-now                 Launches a rotation of a log file  
set-index-prop                 Sets index property values  
set-log-prop                   Sets server log property values  
set-plugin-prop                Sets plugin property values  
set-repl-agmt-prop             Sets replication agreement property values  
set-server-prop                Sets server property values  
set-suffix-prop                Sets suffix property values  
show-repl-agmt-status          Displays a comparison of a source and destination suffix configuration and the status of the replication agreement  
show-task-status               Displays a status of Directory Server active tasks  
update-repl-dest-now           Forces updates of remote replica from local suffix

[root@dhcppc2 dsee7]# dsconf create-suffix -h dhcppc2 -p 3200 dc=example,dc=com
Certificate "CN=dhcppc2, CN=3201, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: y
Enter "cn=Directory Manager" password:  >dsInstanceEXAMPLE<



----------------------------------------------------
---------------------- cacao -----------------------
----------------------------------------------------


The short CACAO overview from Ludovic is taken from here. The CACAO homepage can be found at https://common-agent-container.dev.java.net/. DS depends on the common agent container for remote managent and monitoring.

The common agent container is also known by the nickname of Cacao (which is the French version of cocoa). It's a Solaris process used to host several Agents under the same process. DSEE has an agent for DS and DPS, that are required by DSCC to be able to do remote actions on the servers (such as start / stop).

Also we have an Agent for the JMX Monitoring of DS (which also requires the JavaES Monitoring Framework agents installed).

Common Agent Container Security Files. The cacaoadm utility is the command line interface for managing the common agent container’s management daemon.

The common agent container’s management daemon provides a modular infrastructure that hosts both a management agent and service modules. Several instances of the common agent container’s management daemon can run at the same time. Use the -i instancename option to specify a specific instance on which the action will be performed. If you specify the default instancename (called default), then the files are associated with the default daemon instance. This default instance is created automatically and cannot be deleted.

cacaoadm: The cacaoadm utility is the command line interface for managing the common agent containerâs management daemon.
 disable          Disable the automatic start or stop of the common agent
                  container daemon during system boot or shutdown.
 enable           Enable the common agent container daemon to startup
                  automatically during subsequent system boots and
                  to stop gracefully during system shutdown.
 restart          Stop and subsequently start the common agent container daemon.
 start            Start the common agent container daemon.
 stop             Stop the common agent container daemon.
 status           Display the common agent container daemon status.
 get-param        Display a parameter value.
 set-param        Set a parameter value.
 list-params      Display the list of parameters.
 list-modules     Display the list of all modules deployed.
 undeploy         Undeploy a module.
 lock             Lock a module.
 unlock           Unlock a module.
 deploy           Deploy a module.
 get-filter       Get the value associated with a filter.
 set-filter       Set a run-time filter level.
 list-filters     Display the list of all available filters along with their
                  levels.
 create-keys      Generate keys for the common agent container.
 delete-keys      Delete security keys of the common agent container.
 list-instances   Display the list of all created and not removed instances.
 create-instance  Create a new instance of the common agent container.
 delete-instance  Delete a common agent container instance.
 show-trusted-cert
                  Display a trusted certificate.
 add-trusted-cert
                  Add a trusted certificate.
 list-trusted-certs
                  Display the list of all trusted certificates.
 show-cert-chain  Display the common agent container certificate chain.
 register-module  Register a module so that the module starts the next
                  time the common agent container's management daemon starts.
 unregister-module
                  Unregister a module so that the module does not start the
                  next time the common agent container's management daemon
                  starts.
 verify-configuration
                  Check the validity of the common agent container
                  configuration.
 rebuild-dependencies
                  Redetect all dependencies.
 prepare-uninstall
                  Stop all the running instances and remove their startup
                  resources. To be used just before uninstalling Cacao.

[root@dhcppc2 local]# cacaoadm delete-keys
[root@dhcppc2 local]# cacaoadm create-keys

[root@dhcppc2 bin]# cacaoadm list-params
snmp-adaptor-port=21161
snmp-adaptor-trap-port=21162
jmxmp-connector-port=21162
commandstream-adaptor-port=21163
rmi-registry-port=0
secure-webserver-port=0
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 
-Djava.endorsed.dirs=/opt/dsee7/ext/cacao_2/cacao2/share/lib/endorsed
micro-agent=false
java-home=/opt/dsee7/jre
jdmk-home=/opt/dsee7/lib/private
nss-lib-home=/opt/dsee7/lib/private
nss-tools-home=/opt/dsee7/bin
retries=4
log-file-limit=1000000
log-file-count=3
log-file-append=true
enable-instrumentation=false
user=root
group=root
network-bind-address=0.0.0.0
watchdog-heartbeat-timeout=60

[root@dhcppc2 local]# cacaoadm set-param network-bind-address=0.0.0.0

[root@dhcppc2 local]# netstat -tnl | grep 21162
tcp        0      0 ::ffff:127.0.0.1:21162      :::*                        LISTEN

[root@dhcppc2 bin]# ./cacaoadm list-trusted-certs
cacao_ca

[root@dhcppc2 bin]# ./cacaoadm show-trusted-cert -i default cacao_ca
-----BEGIN CERTIFICATE-----
MIIBoTCCAQqgAwIBAgIEehsXwzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApkaGNwcGMyX2Nh
MB4XDTY5MDYxMzIzMjkwM1oXDTMwMDgxMzIzMjkwM1owFTETMBEGA1UEAwwKZGhjcHBjMl9jYTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygzWP+T4dPzE3qvhfYNIJrCdNSLZjy4hUVsFl2kp
vogooT37II9YxCxkINML2vV7ZXFjrUoAT1sLDRYBTIxayCZZ8/GqDiwVppbSdmnx28/QgzPnR517
Aj0rBdweu4/Js0yinK4prT7Zj0tcHuaaNuH8w8QQwWDiLsvM5xl84lkCAwEAATANBgkqhkiG9w0B
AQUFAAOBgQA57SpU04VlLYlblSqRLe0mp1cXJ8Crofk4ie7+GV02Gao+DgXj43aZVFNrbgWShVgZ
re/Qh7FkFIwAMATh0zhRw1X3Upa6AIKje5jnfPWHGqqZmTHjDU2J6BWhSGbJlAO0KVN+RRSFOMiY
TQ7UCHwcM5Rgyt/KIRkQNx6R9zWPhQ==
-----END CERTIFICATE-----


[root@dhcppc2 bin]# cacaoadm status
default instance is ENABLED at system startup.
Current retries count : 0/4
Processes:
23766
Uptime: 0 day(s), 0:0


Project OpenDMK has the same features and code base as the Java DMK version 5.1, patch level 3, with the exception of some legacy or deprecated APIs which were removed. The examples, documentation, and source code contributions that can be found in the commercial Java Dynamic Management Kit are not included in this release. 


    * now: https://opendmk.dev.java.net/
    * Java DMK 5.1 (June 2004)
    * Java DMK 5.0 (June 2002)
    * Java DMK 4.2 (December 2000)
    * Java DMK 4.1 (April 2000)
    * Java DMK 4.0 (December 1999)
    * Java DMK 3.2 (March 1999)
    * Java DMK 3.0 (November 1998)
    * Java DMK 2.0 (February 1998)


Java Dynamic Management Kit (Java DMK) is a Java technology based toolkit that allows developers to rapidly create smart agents based on the Java Management Extensions (JMX) specification. The power of the JMX framework is that it supports multiple protocol access to management information residing in the agent. 

[root@dhcppc2 dsee7]# vi /usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/private/cacao.properties
# Location of dependencies : Java, JDMK, NSSjava.home=/usr/java/jre1.6.0_21
jdmk.home=/usr/local/dsee7/lib/private
nss.lib.home=/usr/local/dsee7/lib/private
nss.tools.home=/usr/local/dsee7/lib/private
watchdog.heartbeat.timeout=60
# Define username and groupname for cacao process
process.username=root
process.groupname=root
# Audit configuration
audit.enabled=true
audit.reads=false
audit.daemon=false

[root@dhcppc2 dsee7]# more ././ext/mfwk/config/security/snmp/jdmk.acl
# Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "$Revision: 1.5 $       SMI"

# communities: can be comma separated strings
# access: can take only "read-only" or "read-write" values
# managers: can be a hostname, ipaddress or netmask
#    - hostname: hubble 
#    - ip v4 and v6 addresses: 123.456.789.12 , fe80::a00:20ff:fe9b:ea82
#    - subnet mask: 123!255!255!255  (its an IPO address where "." are replaced by "!"). This way of expressing the subnet is deprecated,
 use the prefix notation.
#    - ip v4 and v6 netmask prefix notation : 123.456.789.12/24, fe80::a00:20ff:fe9b:ea82/64
#

acl = {
 {
 communities = mfwk
 access = read-only
 managers = 255!255!255!255
 }
# {
# communities = private
# access = read-write
# managers = hostname
# } 
} 

#trap = {
#  {
#  trap-community = public
#  hosts = hostname
#  }
#}
]]> Computer related http://alchy.org/index.php?entry=entry100813-215018 Alchy Fri, 13 Aug 2010 19:50:18 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100813-215018 SSH http://alchy.org/index.php?entry=entry100811-163227 
# ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa


zkopírování veřejného klíče do ~/.ssh/authorized_keys
# ssh-copy-id user@remote.example.com


Odstranění hesla z privátního klíče:
# openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa


Zašifrování privátního klíče heslem:
# openssl rsa -des3 -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa


Správná práva na soubory .ssh
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/id_rsa
# chmod 644 ~/.ssh/id_rsa.pub  
# chmod 644 ~/.ssh/authorized_keys
# chmod 644 ~/.ssh/known_hosts
]]> Computer related http://alchy.org/index.php?entry=entry100811-163227 Alchy Wed, 11 Aug 2010 14:32:27 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100811-163227 Nagios check template pro kontrolu pres SSH (Linux audit system) http://alchy.org/index.php?entry=entry100811-151334 #!/bin/sh
# Nagios check
# check name: sec_auditd
# uses: ssh and private key to check the server
# log: logs the result using system log

# script args
# $0 - full path to command (default system)
# $1 - user parameter (host to check)
# $2 - user parameter (none)

# SSH credentials
SSH_HOST_TO_CHECK=$1
SSH_USERNAME="username"
SSH_PRIVATE_KEY="/home/nagios/.ssh/id_rsa.plain"
SYSLOG_FACILITY="user"
SYSLOG_SEVERITY="info"

# nagios check result states (default)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# check pid, run date, name of the check, output to file
MY_PID=$$
DATE=`date`
SCRIPT_NAME=`basename $0`
CHECK_RESULT="/tmp/$MY_PID.tmp"

> $CHECK_RESULT
chown nagios.nagios $CHECK_RESULT

#######################
# the actual check body

# the following device names of tty lines are filtered: pts, pty
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 \
-l $SSH_USERNAME -i $SSH_PRIVATE_KEY $SSH_HOST_TO_CHECK 'ps -ef' > $CHECK_RESULT

# log the ssh output
while read line
do
logger -t "$SCRIPT_NAME[$SSH_HOST_TO_CHECK]" -p "$SYSLOG_FACILITY.$SYSLOG_SEVERITY" "$line"
done < $CHECK_RESULT

# result evaluation
# should mirror the content of /etc/securetty
if [ `cat $CHECK_RESULT | grep auditd | grep -v grep | wc -l` -eq 0 ]; then
echo "CRITICAL: audit subsystem is not installed"
rm $CHECK_RESULT
exit $STATE_CRITICAL
fi

if [ `cat $CHECK_RESULT | grep auditd | grep -v grep | wc -l` -lt 2 ]; then
echo "WARNING: auditd service is not running"
rm $CHECK_RESULT
exit $STATE_WARNING
fi
rm $CHECK_RESULT
echo "OK: auditd is running"
exit $STATE_OK
 ]]> Computer related http://alchy.org/index.php?entry=entry100811-151334 Alchy Wed, 11 Aug 2010 13:13:34 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100811-151334 Nagios check template pro kontrolu pres SSH (console login) http://alchy.org/index.php?entry=entry100810-113618 
#!/bin/sh
# Nagios check
# check name: sec_console
# uses: ssh and private key to check the server
# log:  logs the result using system log

# script args
# $0 - full path to command (default system)
# $1 - user parameter (host to check)
# $2 - user parameter (none)

# SSH credentials
SSH_HOST_TO_CHECK=$1
SSH_USERNAME="username"
SSH_PRIVATE_KEY="/home/nagios/.ssh/id_rsa.plain"
SYSLOG_FACILITY="user"
SYSLOG_SEVERITY="info"

# nagios check result states (default)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# check pid, run date, name of the check, output to file
MY_PID=$$
DATE=`date`
SCRIPT_NAME=`basename $0`
CHECK_RESULT="/tmp/$MY_PID.tmp"

> $CHECK_RESULT
chown nagios.nagios $CHECK_RESULT

#######################
# the actual check body

# the following device names of tty lines are filtered: pts, pty
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 \
    -l $SSH_USERNAME -i $SSH_PRIVATE_KEY $SSH_HOST_TO_CHECK 'w -h' > $CHECK_RESULT

# log the ssh output
while read line
do
 logger -t "$SCRIPT_NAME[$SSH_HOST_TO_CHECK]" -p "$SYSLOG_FACILITY.$SYSLOG_SEVERITY" "$line"
done < $CHECK_RESULT

# result evaluation
# should mirror the content of /etc/securetty
if [ `cat $CHECK_RESULT | grep -v pts | grep -v pty | grep days | grep root | wc -l` -gt 0 ]; then
        echo "CRITICAL: root logged on console for more than a day"
        rm $CHECK_RESULT
        exit $STATE_CRITICAL
fi

if [ `cat $CHECK_RESULT | grep -v pts | grep -v pty | grep days | wc -l` -gt 0 ]; then
 echo "WARNING: user logged on console for more than a day"
 rm $CHECK_RESULT
 exit $STATE_WARNING
fi
rm $CHECK_RESULT
echo "OK: no long-term console session found"
exit $STATE_OK
]]> Computer related http://alchy.org/index.php?entry=entry100810-113618 Alchy Tue, 10 Aug 2010 09:36:18 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100810-113618 Google Chrome, vypnutí překladu http://alchy.org/index.php?entry=entry100808-234222
Montážní klíč, Francouzák(vpravo nahoře)->Možnosti->Pod Pokličkou->Změnit nastavení písma a jazyka->přidat angličtina->ok

Při příchodu na anglickou stránku nabídne Chrome ZASE překlad, ale navíc vpravo v možnostech přibude: "Jazyk angličtina nikdy nepřekládat". To stačí zaškrtnout a otravný dialog je pryč. Pokud by to nepomohlo, v konfiguračním dialogu "Pod pokličnou" je hned pod změnou nastavená proxy checkbox s textem "Nabízet překlad stránek, které nejsou v jazyce, kterému rozumím".]]> Computer related http://alchy.org/index.php?entry=entry100808-234222 Alchy Sun, 08 Aug 2010 21:42:22 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100808-234222 SSL certifikáty - postup generování cerifikátu (Zimbra nebo Apache) http://alchy.org/index.php?entry=entry100808-213430 
# openssl genrsa -des3 -rand file1:file2 -out server.key 2048


Získání nezašifrovaného privátního klíče ze souboru server.key:
# openssl rsa -in server.key -out server.pem


Pokračujeme vygenerováním žádosti o podpis našeho server.key (tvz. certificate signing request). Pokud je privátní klíč zašifrován, pak se před vygenerováním csr openssl zeptá na heslo:
# openssl req -new -key server.key -out server.csr


Po vygenerování našeho požadavku (server.csr) postoupíme soubor k podpisu certifgikační autoritě. Klíč rovněž můžeme podepsat sami. V OS Windows je standardně importován root CA mnoha certifikačních autorit. Mezi ně patří od jistého updatu i autorita StartSSL. Tato společnost podepisuje požadavky (csr) pro úroveň důvěryhodnosti 1 zdarma. Jak jsem psal výše, protože Windows mají již root certifilát této autority instalován, přistupují klienti Windows ke všem stránkám které StartSSL podepíše bez varování na neznámý certifikát - a to i přes to, že proces ověření autenticity vašeho csr je u této CA založen pouze na poslání mailu na doménu, pro kterou je certifikát určen. Pokud nebudeme podepisovat externí autoritou, pak podepíšeme csr pomocí vlastního server.key. Stejným server.key, ze kterého jsme vygenerovali csr. Tomuto procesu říká self-signing.
openssl x509 -req -days 360 -in server.csr -signkey server.key -out server.crt


Instalace certifikátu do Zimbry je jednoduchá, ale je nutné přesně dodržet všechny kroky, které jsou popsány v dokumentaci.

V první řadě musíme mít od externí CA její root CA a případný další strom certifikátů (říká se tomu intermediate certificate), protože certifikační autorita nemusí podepsat vše přímo svým root CA, ale podepisuje většinou podřízeným certifikátem (zase pem), který si vygenerovala a podepsala sama svým vlastním root CA. Pro autoritu StartSSL potřebujete certifikáty dva, protože na cestě od jeji root CA je ještě jeden certifikát. Oba soubory, které získáte od StartSSL spojíte dohromady:

# cd /tmp/zimbra_cert
# cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt


To co online vyplivne Web StartSSL když jí předhodíte svůj csr je váš kýžený serverový certifikát, pro Zimbru se má soubor jmenovat ssl.crt. Původní privátní klíč, kterým to všechno začalo umístíte pod jménem commercial.key do /opt/zimbra/ssl/zimbra/commercial/commercial.key. Pokud je privátní klíč bez hesla, tak se jmenuje server.pem, ale stejně ho uložte pod jménem commercial.key.
# cp /root/ssl_cert/server.key /opt/zimbra/ssl/zimbra/commercial/commercial.key


Do Zimbry pak importujte root CA klíče návazné na CA. Import snad jde i z GUI:
cd /opt/zimbra/bin
 ./zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt


Pokud se vše podařilo, stačí restartovat Zimbru:
# su zimbra
# zmcontrol stop
# zmcontrol start


Na stránce Qualis, který nedávno požral SSLlabs najdete test validity nově vytvořeného certifikátu a je to zatím zadarmo, stejně jako kdysi byl zadarmo výborný DNSreport.

Pokud je někde problém, je to většinou v tom, že chybí na cestě od root CA k vašemu certifikátu nějaký mezi/intermediate certifikát. Pro ověření, zda-li řetěz není přetržen lze zase použít jak jinak než openssl. Všimněte si že jako parametry jsou použity všechny cerifikáty na cestě k vašemu.
# openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem ssl.crt


Něco více o tom je zde. Instalace certifikátu do Zimbry pro různé CA je popsána zde.

V případě vložení certifikátu do Apache je nutné v souboru /etc/httpd/conf.d/ssl.conf upravit cesty k novým souborům, nebo nahradit soubory stávající:

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
]]> Computer related http://alchy.org/index.php?entry=entry100808-213430 Alchy Sun, 08 Aug 2010 19:34:30 GMT http://alchy.org/comments.php?y=10&m=08&entry=entry100808-213430 A SparesMissing event had been detected on md device http://alchy.org/index.php?entry=entry100717-104821 If theres no spares= option in mdadm.conf, then spare_disks gets set to
UnSet, and --monitor sends a SparesMissing event because there are less
than 65534 spare disks available.

http://marc.info/?l=linux-raid&m=10 ... 64&w=2]]> Computer related http://alchy.org/index.php?entry=entry100717-104821 Alchy Sat, 17 Jul 2010 08:48:21 GMT http://alchy.org/comments.php?y=10&m=07&entry=entry100717-104821 Trigger action on file change, triggered tail http://alchy.org/index.php?entry=entry100715-140431 http://packages.sw.be/inotify-tools/ .


#!/bin/sh
LOGFILE="/var/log/remote/arpwatch/*"
while inotifywait -e modify $LOGFILE; do
   if tail -n1 $LOGFILE | grep "STATUS=new"; then
      ARP=`tail -n1 $LOGFILE | cut -d" " -f3 | cut -d "=" -f2`
      echo "A new MAC address received: " $ARP
      if grep -i $ARP ARP_Monitor.csv; then
        echo "The MAC address is in the scope"
      else
        echo "The MAC address is not in the scope"
      fi
   fi
done
]]> Computer related http://alchy.org/index.php?entry=entry100715-140431 Alchy Thu, 15 Jul 2010 12:04:31 GMT http://alchy.org/comments.php?y=10&m=07&entry=entry100715-140431 Check nagios config file syntax http://alchy.org/index.php?entry=entry100714-190628 # /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg]]> Computer related http://alchy.org/index.php?entry=entry100714-190628 Alchy Wed, 14 Jul 2010 17:06:28 GMT http://alchy.org/comments.php?y=10&m=07&entry=entry100714-190628 Prevzaty clanek o SMART diagnostice disku http://alchy.org/index.php?entry=entry100711-163758 http://www.linuxzone.cz/modules/tisk_cl ... mp;idc=658

S.M.A.R.T. - jak jsou na tom vaąe disky?

Znáte to, přijdete k počítači, ze kterého se linou zvuky připomínající zvuk motorové pily a přemýąlíte, kde narychlo sehnat nový disk, případně vzpomínáte, kde ľe jsou poslední zálohy. Naątěstí máme k dispozici software, který umoľňuje stav disků monitorovat - pokud jeątě nepouľíváte smartmontools, přečtěte si co od technologie S.M.A.R.T. a softwaru smartmontools můľete čekat.

  • 1) Co je to S.M.A.R.T
  • 2) Obsluľný software: smartsuite, smartmontools
  • 3) Distribuce smartmontools
  • 4) Nástroj smartctl
  • 5) Démon smartd
  • 6) Závěrem

1) Co je to S.M.A.R.T.

Zkratka S.M.A.R.T. značí "Self-Monitoring, Analysis and Reporting Technology System". Je to technologie, která je součástí moderních disků a daląích úloľných zařízení fungujících na rozhraní ATA i SCSI a která slouľí k monitorování stavu (nejen) pevných disků a provádění testů. Do určité míry je tak moľné odhalit vznikající problémy s předstihem a uľivatel má moľnost zavčasu sáhnout po výměně disku. Protoľe se dnes S.M.A.R.T pouľívá jak v IDE tak SCSI zařízeních, je příjemné, ľe si vystačíme s jedním obsluľným softwarem namísto toho, abychom pro jednotlivá zařízení pouľívali rozdílný, často proprietární diagnostický software.

Jak vlastně dopředu poznáme, ľe např. s pevným diskem něco není v pořádku? Disk se obvykle nepokazí během jednoho krátkého okamľiku - lze sledovat řadu parametrů, které by se měly za normálních okolností pohybovat v určitém předem daném rozmezí. Pokud za provozu zařízení hodnota některého parametru překročí dané meze, lze předpokládat, zařízení sice jeątě můľe fungovat, ale jeho ľivotnost a spolehlivost je ohroľena. S.M.A.R.T. zařízení evidují stav řady parametrů, přípustné rozmezí hodnot jednotlivých parametrů stanoví výrobce podle vlastností jednotlivých modelů zařízení a tyto jsou uloľeny ve firmware zařízení. S.M.A.R.T. nám na 100% nezaručí, ľe nebudeme překvapeni výpadkem disku, ale pokud budeme S.M.A.R.T. pouľívat, můľeme se řadě nečekaných problémů vyhnout. Kromě zařízení, která tuto technologii podporují, potřebujeme samozřejmě software, který je bude monitorovat a vhodným adeptem jsou právě Smartmontools.

2) Obsluľný software: smartsuite, smartmontools

Balíček smartmontools, který udrľuje Bruce Allen (domovskou s tránku projektu najdete na serveru smartmontools.sourceforge.net je odvozen ze starąího projektu smartsuite Michael Cornwella (který najdete na adrese http://sourceforge.net/projects/smartsuite/), oproti kterému obsahuje řadu uľitečných roząíření.

3) Distribuce smartsuite

Smartmontools jsou na stránkách projektu k dispozici jak formou RPM balíčků, tak zdrojového archívu, instalace je bez úskalí. Balíček smartmontools bsahuje dva nástroje:

  • smartctl - utilita pro příkazovou řádku, lze prohlíľet stav zařízení, spuątět self-testy, zapínat nebo vypínat automatické testování zařízení apod.

  • smartd - démon, tedy aplikace běľící na pozadí, která v určitém intervalu nepřetrľitě monitoruje stav konfigurovaných zařízení a veąkeré změny stavu zařízení zapisuje do systémového logu.

4) Nástroj smartctl

Pomocí volby -i získáme obecné informace jako je model disku, sériové číslo, verzí firmware a také zda zařízení S.M.A.R.T. podporuje a je zapnuto: 

[root@azucar]# smartctl -i /dev/hda
smartctl version 5.1-9 Copyright (C) 2002-3 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Device Model:     IBM-DJSA-210                            
Serial Number:    9ZP9Z5J6016
Firmware Version: JSFOAB8A
ATA Version is:   5
ATA Standard is:  ATA/ATAPI-5 T13 1321D revision 1
Local Time is:    Wed Apr  9 01:47:13 2003 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

Volba -s parametrem "on" / "off" zapne / vypne podporu S.M.A.R.T. daného zařízení. Volba -a podrobně vypíąe veąkeré informace o stavu zařízení. Pomocí volby -H rychle zjistíme, zda je zařízení v pořádku: 

[root@azucar]# smartctl -H /dev/hda
smartctl version 5.1-9 Copyright (C) 2002-3 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

Pomocí smartctl můľeme spouątět testy zařízení, S.M.A.R.T. Zařízení disponují 3 typy testů:

  • jenoduchý online test: bez vlivu na výkon, jeho provádění se zapíná automaticky pomocí volby -s on při zapnutí podpory S.M.A.R.T.;
  • offline test, který můľe do určité míry ovlivnit výkon zařízení, pomocí volby -t offline je spustíme jednorázově, pomocí volby -o pravidelně (co 4 hodiny). Podle specifikací je tento typ testu zastaralý, nicméně řada dneąních zařízení jej podporuje;
  • selftest, tento test má dvě varianty - krátkou a deląí, a narozdíl od předchozího testu se spouątí pouze jednorázově. Volba -t short iniciuje kratąí variantu, volba -t long spustí deląí variantu testu.

Vąechny tyto testy lze iniciovat i za provozu zařízení. Výsledky testů a detekované chyby vypíąeme spuątěním smartctl s volbou -l error nebo -l selftest: 

[root@azucar]# smartctl -l selftest  /dev/hda
smartctl version 5.1-9 Copyright (C) 2002-3 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART Self-test log, version number 1
Num  Test_Description   Status    Remaining  LifeTime(hours)  LBA_first_error
# 1  Extended off-line  Completed       00%      2237         -
# 2  Short off-line     Completed       00%      2755         -
# 3  Extended off-line  Completed       00%      3154         -
# 4  Short off-line     Completed       00%      3958         -

Jak to vypadá, kdyľ disk pomalu odchází na věčnost, ukazuje následující úryvek logu (smartctl -a). Vąimněme si, ľe S.M.A.R.T. status zařízení ukazuje "FAILED" a dále ve výpisu vidíme i důvod - zřejmě poąkozené médium disku, bylo realokováno přílią mnoho vadných sektorů: 

=== START OF INFORMATION SECTION ===
Device Model:     MAXTOR 4K080H4                          
Serial Number:    674119123435        
Firmware Version: A08.1500
ATA Version is:   5
ATA Standard is:  ATA/ATAPI-5 T13 1321D revision 1
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: FAILED!
Drive failure expected in less than 24 hours. SAVE ALL DATA.
See vendor-specific Attribute list for failed Attributes.

SMART Attributes Data Structure revision number: 11
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          VALUE WORST THRESH TYPE     WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     100   253   020    Pre-fail     -       0
  3 Spin_Up_Time            074   074   020    Pre-fail     -       3294
  4 Start_Stop_Count        100   100   008    Old_age      -       32
  5 Reallocated_Sector_Ct   001   001   020    Pre-fail FAILING_NOW 499
  7 Seek_Error_Rate         100   001   023    Pre-fail In_the_past 0
  9 Power_On_Hours          086   086   001    Old_age      -       9812
 10 Spin_Retry_Count        100   100   000    Old_age      -       0
 11 Calibration_Retry_Count 100   100   020    Pre-fail     -       0
 12 Power_Cycle_Count       100   100   008    Old_age      -       32
 13 Read_Soft_Error_Rate    100   001   023    Pre-fail In_the_past 0
194 Temperature_Centigrade  091   086   042    Old_age      -       24
195 Hardware_ECC_Recovered  006   004   000    Old_age      -       417912090
196 Reallocated_Event_Count 100   100   020    Old_age      -       0
197 Current_Pending_Sector  033   032   020    Old_age      -       338
198 Offline_Uncorrectable   100   100   000    Old_age      -       0
199 UDMA_CRC_Error_Count    200   200   000    Old_age      -       0

5) Démon smartd

Smartd obvykle spouątíme prostřednictvím startovacích skriptů při startu systému (v distribucích Red Hat Linux pouľijeme skript /etc/rc.d/init.d/smartd). Standardně smartd kontroluje stav zařízení pravidelně ve 30-ti minutových intervalech, coľ samozřejmě můľeme změnit pomocí volby -i při spuątění smartd.

Aplikace smartd pouľívá konfifurační soubor /etc/smartd.conf, který po instalaci obsahuje okomentované příklady pouľití. V zásadě máme dvě moľnosti, jak naplnit seznam zařízení, které bude smartd monitorovat. Pokud pouľijeme direktivu DEVICESCAN, pokusí se smartd sám nalézt vąechna zařízení, která S.M.A.R.T. podporují. Přitom se v systémovém logu objeví neąkodná hláąení podobná těm následujícím (smartd se snaľí otevírat zařízení, která neexistují): 

vanvancito modprobe: Can't locate module block-major-57
vanvancito smartd[2161]: Device: /dev/hdl, No such device or address,\
                         open() failed 
vanvancito smartd[2161]: Unable to register ATA device /dev/hdl \
                         at line 19 of file /etc/smartd.conf 
vanvancito smartd[2161]: Device: /dev/sda, No such device or address,\
                         open() failed 
vanvancito smartd[2161]: Unable to register SCSI device /dev/sda \
                         at line 19 of file /etc/smartd.conf

Druhou moľností je explicitně vypsat zařízení, která chceme monitorovat, coľ má výhodu v tom, ľe můľeme zadat i odliąné parametry pro jednotlivá zařízení. Konfigurační soubor pak můľe vypadat třeba takto: 

# moniturejeme veąkeré atributy zařízení /dev/hda,
# a v případě problémů obdrľíme mail na adresu admin@domena
/dev/hde -a -m admin@domena
# SMART status a error logy zařízení /dev/hdc
/dev/hdg -H -l error -l selftest

Po úspěąném startu smartd obdrľíme v systémovém logu hláąení podobné tomuto: 

vanvancito smartd: smartd startuje succeeded
vanvancito smartd[2328]: Device: /dev/hde, is SMART capable. \
                         Adding to "monitor" list. 
vanvancito smartd[2328]: Device: /dev/hdg, opened 
vanvancito smartd[2328]: Device: /dev/hdg, is SMART capable. \
                         Adding to "monitor" list. 
vanvancito smartd[2328]: Started monitoring 2 ATA and 0 SCSI devices

Pokud provedeme změny v konfiguračním souboru, musíme smartd restartovat - smartd nepodporuje vynucení znovunačtení konfigurace zasláním signálu. Pokud chceme, aby smartd okamľitě zkontroloval stav monitorovaných zařízení, zaąleme procesu smartd signál SIGUSR1.

6) Závěrem

Vzhledem k tomu, ľe dneąní úloľná zařízení S.M.A.R.T. obvykle podporují, představují nástroje z balíčku smartmontools pohodlný způsob, jak pravidelně sledovat zdraví hardware. Pokud jde o stabilitu, některé starąí verze S.M.A.R.T firmwaru disků IBM mohou působit problémy, problémy byly reportovány s pouľitím ovladače AACRAID u serverů DELL a za určitých okolností u ovladače IDE řadiče Promise 20265, jinak jsou ale smartmontools bezproblémové.

Detailní informace (zejméma stran formátu logů zařízení apod.) čtenář nalezne v manuálových stránkách utilit smartctl a smartd, řadu odkazů na dokumentaci týkající technologie S.M.A.R.T. najdete na stránce projektu smarmontools.

Zdroj: Linuxzone.cz
Autor: David Häring, 09. 04. 2003, 04:00
Sekce: Hardware, Komentářů: 247
Průměrné hodnocení: 2,94


]]> Computer related http://alchy.org/index.php?entry=entry100711-163758 Alchy Sun, 11 Jul 2010 14:37:58 GMT http://alchy.org/comments.php?y=10&m=07&entry=entry100711-163758 Postfix as secondary MX http://alchy.org/index.php?entry=entry100707-120148 http://www.howtoforge.com/postfix_backup_mx]]> Computer related http://alchy.org/index.php?entry=entry100707-120148 Alchy Wed, 07 Jul 2010 10:01:48 GMT http://alchy.org/comments.php?y=10&m=07&entry=entry100707-120148 Zadlužení zemí EU http://alchy.org/index.php?entry=entry100502-195454 ]]> Other http://alchy.org/index.php?entry=entry100502-195454 Alchy Sun, 02 May 2010 17:54:54 GMT http://alchy.org/comments.php?y=10&m=05&entry=entry100502-195454 Find and replace with sed http://alchy.org/index.php?entry=entry100430-084247 sed -i 's/ugly/beautiful/g' /home/bruno/old-friends/sue.txt http://www.brunolinux.com/02-The_Termin ... h_Sed.html]]> Computer related http://alchy.org/index.php?entry=entry100430-084247 Alchy Fri, 30 Apr 2010 06:42:47 GMT http://alchy.org/comments.php?y=10&m=04&entry=entry100430-084247 Linux: read line by line from file in a bash script http://alchy.org/index.php?entry=entry100428-112213 while read line
do
echo "MAC=$line"
done < mac-hex-codes.txt > mac-hex-codes2.txt ]]> Computer related http://alchy.org/index.php?entry=entry100428-112213 Alchy Wed, 28 Apr 2010 09:22:13 GMT http://alchy.org/comments.php?y=10&m=04&entry=entry100428-112213 Linux: Red Hat Enterprise Linux 6 Beta Available http://alchy.org/index.php?entry=entry100423-074259 http://torrent.ibiblio.org/. ]]> Computer related http://alchy.org/index.php?entry=entry100423-074259 Alchy Fri, 23 Apr 2010 05:42:59 GMT http://alchy.org/comments.php?y=10&m=04&entry=entry100423-074259