Solaris network card IP alias 
# ifconfig interface:1 plumb
# ifconfig interface:1 192.168.1.2 netmask 255.255.255.0
# cat /etc/hostname.interface:1
alias
# cat /etc/hosts | grep alias
192.168.1.2 alias


[ add comment ] ( 5 views )   |  [ 0 trackbacks ]   |  permalink
PS1 variable - prompt settings 
\a	The ASCII bell character (you can also type \007)
\d Date in "Wed Sep 06" format
\e ASCII escape character (you can also type \033)
\h First part of hostname (such as "mybox")
\H Full hostname (such as "mybox.mydomain.com")
\j The number of processes you've suspended in this shell by hitting ^Z
\l The name of the shell's terminal device (such as "ttyp4")
\n Newline
\r Carriage return
\s The name of the shell executable (such as "bash")
\t Time in 24-hour format (such as "23:01:01")
\T Time in 12-hour format (such as "11:01:01")
\@ Time in 12-hour format with am/pm
\u Your username
\v Version of bash (such as 2.04)
\V Bash version, including patchlevel
\w Current working directory (such as "/home/drobbins")
\W The "basename" of the current working directory (such as "drobbins")
\! Current command's position in the history buffer
\# Command number (this will count up at each prompt, as long as you type something)
\$ If you are not root, inserts a "$"; if you are root, you get a "#"
\xxx Inserts an ASCII character based on three-digit number xxx (replace unused digits with zeros, such as "\007")
\\ A backslash
\[ This sequence should appear before a sequence of characters that don't move the cursor (like color escape sequences). This allows bash to calculate word wrapping correctly.
\] This sequence should appear after a sequence of non-printing characters.


Example:

root (VM server1):# cat /etc/profile | tail -1
PS1="\u (VM server1):# "


[ add comment ] ( 5 views )   |  [ 0 trackbacks ]   |  permalink
iSCSI filesystem (direct and VM zone) benchmark using bonnie++ 
Configuration:

initiator:  Linux 2.6 CentOS5.2 (Intel Xeon @3000, 2x Quadcore, 4GB)
target: Solaris 10u5 target (AMD Dualcore @2300, 1x dualcore, 4GB)
connection: connected using 1Gbit dedicated TP cable
method: bonnie++ -u root -d /dir/
TCP stack: default


The initiator:

root (VM server1):# ethtool eth1
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Link detected: yes


Target:

(iSCSI target1):# dladm show-dev
nge0 link: up speed: 100 Mbps duplex: full
nge1 link: unknown speed: 0 Mbps duplex: unknown
e1000g0 link: up speed: 1000 Mbps duplex: full
e1000g1 link: up speed: 1000 Mbps duplex: full



Setup 1:

Direct test: Linux initiator connects target iSCSI, used with ext3.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
8G 64534 79 37878 9 16037 3 26290 40 24539 1 225.6 0


Setup 2:

VmWare Server zone test: VmWare zone is accessing its filesystem which is a regular file ontop of host machine iSCSI/ext3 partition.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
5G 12911 17 18164 3 12984 3 19130 33 21674 3 346.3 3


Conclusion: the VM zone disk access speed is too slow when the VM disk is a regular file ontop of VmWare server's iSCSI/ext3 filesystem. The io of the 64bit XP Windows zone seems to be yet worse than 64bit CentOS VM.

Setup 3:

VmWare ESXi zone directly accessing iSCSI.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
5G 38094 47 33518 6 16307 4 32691 52 40159 4 276.3 1


[ add comment ] ( 7 views )   |  [ 0 trackbacks ]   |  permalink
VmWare Server: how to enable 64bit virtualisation support with Xeon CPU 
On certain platforms the virtualisation support is disabled by default. You have to enable it in BIOS. On HP DL380 press F9, go to Advanced Options -> Processor Options -> Intel(R) Virtualization Technology -> Set it to Enable. Then VmWare Server will be able to run the 64bit VM system.





[ add comment ] ( 4 views )   |  [ 0 trackbacks ]   |  permalink
Linux: manual target login 
The script handles the proper order of iSCSI device mounting to corresponding mount points.

#!/bin/sh
#
# chkconfig: 345 13 89
# description: Logs into iSCSI targets by predefined order
#
# Source function library.
. /etc/init.d/functions

PATH=/sbin:/bin:/usr/sbin:/usr/bin

RETVAL=0

start()
{

status iscsid
RETVAL=$?

if [ $RETVAL -ne 0 ]; then
/etc/init.d/iscsid start
fi

echo $"Setting up iSCSI targets: "

# iqn defined below
for iqn in `cat <<STRING
iqn.1986-03.com.sun:02:cc480a5c-9f2c-4e0e-fc20-ccca9a52e8bd.vol01
iqn.1986-03.com.sun:02:07d047b9-1516-e653-8cf5-b420cc415fca.vol02
iqn.1986-03.com.sun:02:0b29e3d8-51aa-e7d2-a6af-eca279dacb37.vol03
iqn.1986-03.com.sun:02:374ad4f1-c5af-406d-b803-c72af0635ff4.vol04
iqn.1986-03.com.sun:02:df7f1424-0e62-c5c9-e729-b3d8a172c897.vol05
iqn.1986-03.com.sun:02:815f51f5-32ee-6bed-d939-d3a956e61c05.vol06
iqn.1986-03.com.sun:02:c5aea149-91de-c64b-c996-858cd7a4b898.vol07
iqn.1986-03.com.sun:02:2cc98a64-bcc1-6097-b804-a954aa897afc.vol08
STRING`
do
vol=`echo ${iqn} | awk -F"." '{ print $5 }'`
echo -n "login in: ${vol} "
iscsiadm -m node -T ${iqn} -p 192.168.103.100:3260 --login > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "*** PROBLEM WHILE LOGGING to iSCSI ***"
echo "check if the iSCSI device is not already mounted"
exit 255
fi
dev=`dmesg | grep "Attached scsi disk" | tail -1 | cut -d" " -f6`
echo "mount /dev/${dev}1 /mnt/${vol}"
sleep 1
`mount /dev/${dev}1 /mnt/${vol}`
if [ $? -ne 0 ]; then
echo "*** PROBLEM WHILE MOUNTING: mount /dev/${dev}1 to /mnt/${vol} ***"
echo "check if the iSCSI device is not already mounted"
exit 255
fi
sleep 1
done

touch /var/lock/subsys/iscsi
success
echo
}

stop()
{
sleep 5
for vol in `mount | grep vol | cut -d" " -f3`; do `umount ${vol}`; done
sync
sleep 5

rm -f /var/lock/subsys/iscsi

# If this is a final shutdown/halt, do nothing since
# lvm/dm, md, power path, etc do not always handle this
if [ "$RUNLEVEL" = "6" -o "$RUNLEVEL" = "0" -o "$RUNLEVEL" = "1" ]; then
success
return
fi

# don't turn off iscsi if root is possibly on a iscsi disk
rootopts=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $4; }}' /etc/mtab)
if [[ "$rootopts" =~ "_netdev" ]] ; then
echo $"Can not shutdown iSCSI. Root is on a iSCSI disk."
exit 1
fi

iscsiadm -m node --logoutall=all
/etc/init.d/iscsid stop
success
}


case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
iscsiadm -m node
status iscsid
RETVAL=$?
;;
condrestart)
[ -f /var/lock/subsys/iscsi ] && restart
;;
*)
echo $"Usage: $0 {start|stop|restart|status|condrestart}"
exit 1
esac
exit $RETVAL


[ add comment ] ( 3 views )   |  [ 0 trackbacks ]   |  permalink
iSCSI: Linux initiator connects to Solaris target 
Solaris target:

Check if iSCSI service is running (initiator and target status):

(iSCSI target1):# svcs -a | grep iscsi
disabled 8:54:25 svc:/network/iscsi_initiator:default
disabled 8:54:26 svc:/system/iscsitgt:default


By default, on the vanilla Solaris the iscsitgt is disabled. Enable the service:

(iSCSI target1):# svcadm enable /system/iscsitgt


Set directory for iscsi target daemon saves:

# iscsitadm modify admin -d /iscsi


Prepare zfs pool, create some shared volumes:

(iSCSI target1):# zpool create -f tank /dev/dsk/c1t0d0s7
(iSCSI target1):# zfs create -s -V 8g tank/vol0[1..8]


You can share volumes using zfs option sharescsi=on. This is not recommended if you need to use extended iscsi attributes like TPGT.

Quote:
The root cause of this issue, is that the ZFS zvol is the Solaris component offering persistence of this iSCSI Target. ZFS, due to its ease of management, does not support a means to associate iSCSI Target parameters, like TPGT with the shareiscsi attribute of a ZVOL, and rightfully so.

If you like the ease of shareiscsi, but wish to add additional iSCSI properties, enable shareiscsi, then issue "iscsitadm list target -v", retain the data, disable shareiscsi, and the configure the target, plus iSCSI properties yourself.


(iSCSI target1):# zfs set shareiscsi=on tank/vol0[1..8]


The other way - share volumes using iscsitadm:

(iSCSI target1):# iscsitadm create target -b /dev/zvol/rdsk/tank/vol0[1..8] vol0[1..8]


(iSCSI target1):# iscsitadm list target -v
..
..
Target: vol08
iSCSI Name: iqn.1986-03.com.sun:02:f1ddcc58-f103-6b74-e505-b58a78893f92.vol08
Connections: 0
ACL list:
TPGT list:
LUN information:
LUN: 0
GUID: 0
VID: SUN
PID: SOLARIS
Type: disk
Size: 8.0G
Backing store: /dev/zvol/dsk/tank/vol08
Status: online


Linux initiator:

Install all required (CentOS5.2 distro):

(VM server1):# yum list | grep iscsi
iscsi-initiator-utils.x86_64 6.2.0.868-0.7.el5 base
(VM server1):# yum install iscsi-initiator-utils
(VM server1):# service iscsid start
(VM server1):# chkconfig iscsid on


I would like to use fast Gbit link which connects initiator and target. Gigabit is on eth1:

(VM server1):# iscsiadm -m iface -I iface1 --op=new
New interface iface1 added


Add iface1 MAC address:

(VM server1):# iscsiadm -m iface -I iface1 --op=update -n iface.hwaddress -v 00:1F:29:E7:C2:7E 
iface1 updated.


Discovery of targets via Gbit interface:

(VM server1):# iscsiadm -m discovery -t st -p 192.168.103.100:3260 -I iface1 -P 1
Target: iqn.1986-03.com.sun:02:fedb2159-fa06-e0c9-fad1-ee3eddd74d5d.vol01
Portal: 10.186.66.41:3260,1
Iface Name: iface1
Portal: 192.168.102.100:3260,1
Iface Name: iface1
Portal: 192.168.103.100:3260,1
Iface Name: iface1
...
...
Target: iqn.1986-03.com.sun:02:f1ddcc58-f103-6b74-e505-b58a78893f92.vol08
Portal: 10.186.66.41:3260,1
Iface Name: iface1
Portal: 192.168.102.100:3260,1
Iface Name: iface1
Portal: 192.168.103.100:3260,1
Iface Name: iface1


List all the iSCSI active sessions:

 # iscsiadm -m session


Restart iscsi, scan for a new volumes, create partitions:

(VM server1):# fdisk -l | grep "Linux" | sort
/dev/cciss/c0d0p1 * 1 1044 8385898+ 83 Linux
/dev/cciss/c0d0p2 1045 1305 2096482+ 82 Linux swap / Solaris
/dev/cciss/c0d0p3 1306 17840 132817387+ 83 Linux
/dev/sda1 1 8192 8388592 83 Linux
/dev/sdb1 1 8192 8388592 83 Linux
/dev/sdc1 1 8192 8388592 83 Linux
/dev/sdd1 1 8192 8388592 83 Linux
/dev/sde1 1 8192 8388592 83 Linux
/dev/sdf1 1 8192 8388592 83 Linux
/dev/sdg1 1 8192 8388592 83 Linux
/dev/sdh1 1 8192 8388592 83 Linux


SeLinux prevents you from attaching iSCSI volumes by default, some selinux magic cure below:

(VM server1):# dmesg | tail -1
audit(1204865870.929:115): avc: denied { search } for pid=4609 comm="iscsid" name="iscsi" dev=cciss/c0d0p3 ino=20742200 scontext=user_u:system_r:iscsid_t:s0 context=user_u:object_r:rpm_var_lib_t:s0 tclass=dir
(VM server1):# setsebool -P iscsid_disable_trans=1



Extended options: TGPT

We use TPGT to tell the system on which interface (or interfaces) our iSCSI target binds. Create group 1, then add IP of the local interface:

(iSCSI target1):# iscsitadm create tpgt 1
(iSCSI target1):# iscsitadm modify tpgt -i 192.168.103.100 1
(iSCSI target1):# iscsitadm list tpgt -v
TPGT: 1
IP Address: 192.168.103.100


You can delete TPGT via:
# iscsitadm delete tpgt -i 192.168.103.100 1


Assign group 1 to iSCSI target vol0[1..8]:

(iSCSI target1):# iscsitadm modify target -p 1 vol0[1..8]


Check TPGT:

(iSCSI target1):# iscsitadm list target -v vol01
Target: vol01
iSCSI Name: iqn.1986-03.com.sun:02:fedb2159-fa06-e0c9-fad1-ee3eddd74d5d.vol01
Connections: 1
Initiator:
iSCSI Name: iqn.1994-05.com.redhat:1f344efecc21
Alias: labt03.dev.domainname.com
ACL list:
TPGT list:
TPGT: 1
LUN information:
LUN: 0
GUID: 010000144fe6e00800002a0048f59ed8
VID: SUN
PID: SOLARIS
Type: disk
Size: 8.0G
Backing store: /dev/zvol/dsk/tank/vol01
Status: online


Extended options: CHAP


Set CHAP username/password for Linux initiator:

iscsiadm -m node -T iqn.xxx -p ip.add.re.ss:3260 --op=update --name=node.session.auth.authmethod --value=CHAP
iscsiadm -m node -T iqn.xxx -p ip.add.re.ss:3260 --op=update --name=node.session.auth.username --value=username
iscsiadm -m node -T iqn.xxx -p ip.add.re.ss:3260 --op=update --name=node.session.auth.password --value=password


Extended options: Solaris target with volumes (LUNs)


You can create one target with more volumes on it like SCSI can. The target is just single iqn, but you should be able to address separate volumes.

(iSCSI target1):# iscsitadm create target -u 0 -b /dev/zvol/rdsk/tank/vol17 vol170
(iSCSI target1):# iscsitadm create target -u 1 -b /dev/zvol/rdsk/tank/vol18 vol170
(iSCSI target1):# iscsitadm create target -u 2 -b /dev/zvol/rdsk/tank/vol19 vol170
(iSCSI target1):# iscsitadm create target -u 3 -b /dev/zvol/rdsk/tank/vol20 vol170



[ add comment ] ( 6 views )   |  [ 0 trackbacks ]   |  permalink
Linux: Openfiler iSCSI target 
Openfiler pages

Openfiler is a powerful, intuitive browser-based network storage software distribution. Openfiler delivers file-based Network Attached Storage and block-based Storage Area Networking in a single framework.



[ add comment ] ( 5 views )   |  [ 0 trackbacks ]   |  permalink
Linux: Limit ssh attepmpts 
Limit ssh attempts to 3/min. Useful.

echo "*** SSH brute force - begin ***"
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW \
-m recent --set

$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
echo "*** SSH brute force - end ***"


The standard iptables RH/CentOS script could then be:

[root@xen ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j REJECT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


[ add comment ] ( 3 views )   |  [ 0 trackbacks ]   |  permalink
A very brief introduction to SeLinux problem troubleshooting 
If something is not working and you know that it should, you are on RedhHat or CentOS and you have the SeLinux enabled, then it is the right time to suspect SeLinux to be murderer.

In this example we will try to solve apache problem. Apache can't read the index.html file which he has permission to read.

The setroubleshoot is suprisingly made for that. The name itself is self explanatory, but I have to admit I was not familiar with the existence of such tool. We will install tool, or better a set of tools and the setroubleshoot daemon:

# yum install setroubleshoot


and run the service:

# service setroubleshoot start


Now, in my case, repeat the action which should work and check /var/log/messages:


Oct 14 17:33:26 setroubleshoot: SELinux is preventing the httpd from \
using potentially mislabeled files \
(/var/www/html/homes/my_new_virtual_home/index.html). \
For complete SELinux messages \
run sealert -l 88a55a70-b798-43b4-bcfb-32c8918e436d


Whoa, the "sealert" command gives you even some explanation on this:

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/homes/my_new_virtual_home/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which confined applications are not allowed to access.


The command also tells you how you can fix it, at least for my specific case. It offered me to clear the security context on the files using restorecond, but this would not be useful because I had special setup when my home directory were within the httpd root subdirectory. Therefore the files were marked as common user files and not the webserver's. I needed to change the selinux attributes on file/s the apache is trying to access. You can check the se_context of all the files on the system using:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html


In my case I had to set my file as the httpd_sys_content_t type to allow apache to read it. After the change the attributes looked like:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t index.html


I used the command:


# chcon -R -h -t httpd_sys_content_t \
/var/www/html/homes/my_new_virtual_home/


I simply set the content & directory to "httpd_sys_content_t"; I say the files here are regular static web pages. Some further reading.

I wil put together some more deep talk about the SeLinux later.

To boot without selinux selinux=0 in boot parameters.

[ add comment ] ( 7 views )   |  [ 0 trackbacks ]   |  permalink
VMWare and iSCSI 
Solaris iSCSI Target with ESX 3.02 Server

[ add comment ] ( 5 views )   |  [ 0 trackbacks ]   |  permalink

<<First <Back | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | Next> Last>>