Determine processor type and speed (Solaris) 

# psrinfo -v
Status of virtual processor 0 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 1 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 2 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 3 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:03:45.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.


Determine if the system is running in 32-bit or 64-bit mode (Solaris) 
SPARC with the 64-bit Solaris version

# isainfo -v
64-bit sparcv9 applications
vis2 vis
32-bit sparc applications
vis2 vis v8plus div32 mul32


Intel with the 32-bit version

# isainfo -v
32-bit i386 applications
sse sse2 sse fxsr mmx cmov sep cx8 tsc fpu


Sun cluster commands (3.2) 

Setup commands

scinstall
install primary or next cluster node

clsetup
menu driven re-configuration utility

cluster
interactive command shell for cluster management

cluster status
status for all cluster components

cluster list-cmds
lists available commands


Quorum device commands

clq status
quorum votes summary, quorum votes by node/device status
clq list
list all the quorum elements (devices/hosts)
clq show
cluster nodes (with reservation keys) and quorum device/s path/s


SCSI commands and devices

/usr/cluster/lib/sc/scsi -c inkeys -d /dev/did/rdsk/device
shows reservation keys (all possible/available keys for device)
/usr/cluster/lib/sc/scsi -c inresv -d /dev/did/rdsk/device
shows active reservation (server accessing quorum device)

cldev
Administer Sun Cluster device instances

cldevice status
status of disk devices


Server node commands

clnode list
list servers in cluster
clnode show-rev
cluster software version
clnode status
shows status of the clustered servers (Online/Offline)


Heart-beat links

clintr
HB endpoint status

scstat -W
Cluster Transport Paths


Cluster resource commands

clrs status
(rs stands for resource) resource status
clrs show -v resource-name
shows values of all resource attributes for given resource-name (as Type/Group/Class)
clrs show -p NetIflist resource-name
shows NetIflist resource attribute value
clrs set -p netiflist=primary@1,primary@3,primary@4 resource-name
set attribute value(s)


Resource group commands

clrg status
(rg stands for resource group) resource group status
clrg manage resource-group
put resource group under cluster management
clrg online resource-group
bring it online
clrg add-node -n hostnameX resource-group
allow service/resource-group to migrate/failover even to hostnameX
clrg switch -n hostnameX resource-group
fail-over resource group to hostnameX


Resource types

clrt list
(rt stands for resource types: SUNW.SharedAddress, SUNW.LogicalHostname ...) prints registered SUNW resource types


Checksum

/usr/cluster/lib/sc/ccradm -i infrastructure
compute new checksum after changing cluster config in /etc/cluster/ccr/infrastructure file



Bill Evans-My Foolish Heart 


Spam protection in Postfix  
Decreasing the huge amount of spam hitting your Postfix mail server is pretty easy. Prevent your server from accepting mail from invalid domains and reject hosts which are already on the spam lists. The following piece of configuration, with some additional option-steroids, will help you keep the wires clean(er). Paste it at the bottom of your /etc/postfix/main.cf. The continuation lines must start with whitespace, otherwise Postfix does not treat them as part of the list.


# SPAM control

smtpd_recipient_restrictions = permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit


If your Postfix is acting as a mail-forwarding gateway for another mail server (e.g. for your internal Exchange server), you can add the line "reject_unverified_recipient," to the config.

Postfix then tries to send a blank message (it just initiates the mail connection) to the destination and tests whether the destination server will accept the recipient address. If the destination doesn't complain about a non-existent recipient, the real message is accepted by Postfix and then forwarded. Postfix doesn't have to waste resources trying to send messages back to the spammer. Of course, this solution will slow down your incoming mail traffic a bit.


# SPAM control

smtpd_recipient_restrictions = permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_unverified_recipient,
    permit
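
A pre-deployment check for the restriction list above, as an added example that is not part of the original post: it reads main.cf the way Postfix joins continuation lines and verifies that reject_unauth_destination is reached before the final permit. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). In main.cf only lines that
# START with whitespace continue the previous line, so an unindented list
# leaves Postfix with just the first entry. Entries are split on commas,
# as written on this page.

# restrictions FILE -> one smtpd_recipient_restrictions entry per line
restrictions() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]/ { if (on) buf = buf " " $0; next }  # continuation line
        { on = 0 }
        /^smtpd_recipient_restrictions[ \t]*=/ {     # last definition wins
            sub(/^[^=]*=/, ""); buf = $0; on = 1
        }
        END {
            n = split(buf, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                if (part[i] != "") print part[i]
            }
        }' "$1"
}

# relay_guarded FILE -> 0 only if reject_unauth_destination is evaluated
# before a blanket "permit" can accept the recipient
relay_guarded() {
    restrictions "$1" | awk '
        $1 == "reject_unauth_destination" { found = 1; exit }
        $1 == "permit" { exit }
        END { exit !found }'
}

# Constructed samples: the same list, indented and flush-left.
good=$(mktemp); bad=$(mktemp)
printf '%s\n' 'smtpd_recipient_restrictions = permit_mynetworks,' \
    '  reject_non_fqdn_sender,' '  reject_unauth_destination,' \
    '  reject_rbl_client sbl.spamhaus.org,' '  permit' > "$good"
sed 's/^ *//' "$good" > "$bad"
for f in "$good" "$bad"; do
    if relay_guarded "$f"; then echo "ok:   $(restrictions "$f" | wc -l) entries"
    else echo "FAIL: reject_unauth_destination not reached"; fi
done
rm -f "$good" "$bad"
```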



500 OOPS: cannot change directory /home/user (SELinux)
I got the error "cannot change directory" with sftp daemon on CentOS 5. The main murder suspect was the vsftpd configuration, but after about an hour I realized SELinux was doing its job wrong again. I had some directories in /var/www/html/homes/user and I thought this was not acceptable for the SELinux policy definitions, but the error repeated even when I moved the user to /home/user. This [vsftp definition] should already be present in the Red Hat SELinux policy, but...

error: 500 OOPS: cannot change directory /home/user
app: vsftp - very secure ftp daemon
SELinux correction: /usr/sbin/setsebool -P ftp_home_dir 1
explanation: SELinux disallows the ftp daemon to switch to/read the user's directory

Proxy, proxy... Set http_proxy variable in shell. 
On a corporate LAN, running yum which can't connect? Can't browse the net, wget refuses to download? Yes, it is simple, the proxy is missing, but what the hell is the syntax to set the http_proxy shell value?

http_proxy=http://username:password@proxy.my.doma.in:8080/
https_proxy=http://username:password@proxy.my.doma.in:8080/

no_proxy=my.doma.in
export http_proxy https_proxy no_proxy



SSH 
Another thousand+ /var/log/messages entries with brute-force SSH retries. I have been bothered by them since one of my servers got a 6 Mbit line. To improve security I configured SSH so that it requires the private key and, if you do not have it, just disconnects. Simply put, the service no longer asks for keyboard-interactive password entry. You don't have the right private key? The session is dropped immediately. In /etc/ssh/sshd_config change:


# allow login via keys (authorized_keys must be filled with public key)
PubkeyAuthentication yes
# disallow users whose keys are not in the authorized_keys file
PasswordAuthentication no
# do not ask for keyboard-interactive login; the "keyboard-interactive"
# userauth method allows for an arbitrary sequence of server prompts
# and typed user responses
ChallengeResponseAuthentication no


Also allow only specific users to log in via SSH. An interactive session for a mail/pop/web user is too big a deal. To allow only some users, put the directive

"AllowUsers only_my_allowed_ssh_user1 only_my_allowed_ssh_user2"

into the sshd configuration file and restart the daemon. Also disable root login and use an ordinary user for logging in.

PermitRootLogin no
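
A quick way to check a server against the settings above, as an added example that is not part of the original post. The function names and the sample file are constructed for illustration; the audit follows sshd's rule that the first value read for a keyword wins and that keywords are case-insensitive.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings named above. sshd uses the FIRST value it reads for a keyword and
# matches keywords case-insensitively, so the audit does the same.

# effective_value FILE KEYWORD -> first global value set for KEYWORD
effective_value() {
    awk -v kw="$2" '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per finding; returns 1 if anything failed
audit_sshd() {
    rc=0
    for want in "PubkeyAuthentication yes" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PermitRootLogin no"; do
        kw=${want% *}; val=${want#* }
        got=$(effective_value "$1" "$kw")
        if [ "$got" != "$val" ]; then
            echo "FAIL $kw: want '$val', effective '${got:-unset}'"
            rc=1
        fi
    done
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "FAIL AllowUsers: no allow-list, every account may try to log in"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication yes" is ignored (first
# value wins), and the misspelt AllowRootLogin leaves PermitRootLogin unset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowRootLogin no
AllowUsers only_my_allowed_ssh_user1
EOF
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```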

Are you an iptables user? Then you can also use the anti syn-flood feature of iptables and limit the number of requests for SSH sessions on a time basis.


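# The LOG and REJECT rules come first: a packet that matches an ACCEPT rule never reaches the rules below it
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j LOG --log-prefix SSH_brute_force
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
# Everything still under the limit is recorded in the SSH list and accepted
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT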


Above: iptables will allow only three login sessions to be opened per minute; if the count is higher, the next SYN packets are dropped until the counter clears itself in the next minute.

Key management:

When I forgot yet again which key belongs to which server, I realized it would be much easier to manage the keys with a script. The following lines of shell do the job. The script generates key pairs, distributes them to the server and allows you to connect to the server with the appropriate key.


#!/bin/bash
# Menu-driven helper: one key pair per server, stored as ~/.ssh/id_dsa_<server>
while true
do
    clear
    echo "Generate key ... 1"
    echo "Push key ... 2"
    echo "Server connect ... 3"
    echo "Exit ... x"
    echo
    echo -n ": "
    read -r option
    case $option in
    1)
        echo "Generating key"
        echo -n "Target srvr: "
        read -r remotebox
        # Never overwrite an existing key for this server
        if [ -f "$HOME/.ssh/id_dsa_$remotebox" ]
        then
            echo "WARNING: ~/.ssh/id_dsa_$remotebox exists - giving up."
        else
            ssh-keygen -f "$HOME/.ssh/id_dsa_$remotebox"
        fi
        sleep 8
        ;;
    2)
        echo "Pushing key"
        echo -n "Target srvr: "
        read -r remotebox
        echo -n "Target user: "
        read -r user
        echo "Using public key: id_dsa_$remotebox.pub"
        if ! ls -la "$HOME/.ssh/id_dsa_$remotebox.pub" 2> /dev/null
        then
            echo "Problem with a key"
            exit 1
        fi
        sleep 5
        # Append the public key on the server and tighten the permissions
        ssh "$user@$remotebox" \
            "mkdir -p .ssh 2>/dev/null; chmod 700 .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys" \
            < "$HOME/.ssh/id_dsa_$remotebox.pub"
        sleep 5
        echo
        echo "Please edit the following options in /etc/ssh/sshd_config"
        echo
        echo "AllowUsers $user"
        echo "PermitRootLogin no"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "X11Forwarding no"
        echo
        echo "Press [enter]"
        read -r
        ;;
    3)
        echo -n "Target srvr: "
        read -r remotebox
        echo -n "Target user: "
        read -r user
        # Connect with the key that belongs to this server
        ssh -l "$user" -i "$HOME/.ssh/id_dsa_$remotebox" "$remotebox"
        ;;
    x)
        echo "Quit"
        exit
        ;;
    *)
        echo "Wrong"
        ;;
    esac
done



Jumpstart Server setup for Solaris - DHCP Server 
DHCP Server

Start from scratch with clean DHCPd tables:

# dhcpconfig -Ux
Unconfigure will stop the DHCP service and remove the DHCP configuration file.
Are you SURE you want to unconfigure the DHCP service? ([Y]/N): Y
DHCP server shutdown.
Deleted the server macro from dhcptab.
Deleted table for network x.x.x.x.
Deleted the dhcptab.
Deleted the DHCP configuration file.


Create new tables:


# dhcpconfig -D -r SUNWbinfiles -p /var/dhcp
Created DHCP configuration file.
Created dhcptab.
Added "Locale" macro to dhcptab.
Added server macro to dhcptab.
DHCP server started.


Configure DHCPd for your LAN:


# dhcpconfig -N $NETWORK -m $NETMASK -t $GATEWAY
Added network macro to dhcptab.
Created network table.


My network is 10.186.66.0, I'll check the records:


# dhtadm -P | grep "10.186.66.0"
10.186.66.0 Macro :Subnet=255.255.255.0:Broadcst=10.186.66.255:Router=10.186.66.1:


Through the macro variables we will tell the client where to find the installation and configs. Define macro spaces:


# dhtadm -A -s SinstPTH -d 'Vendor=SUNW.i86pc,12,ASCII,1,0'
# dhtadm -A -s SbootURI -d 'Vendor=SUNW.i86pc,16,ASCII,1,0'
# dhtadm -A -s SsysidCF -d 'Vendor=SUNW.i86pc,13,ASCII,1,0'
# dhtadm -A -s SjumpsCF -d 'Vendor=SUNW.i86pc,14,ASCII,1,0'
# dhtadm -A -s SrootIP4 -d 'Vendor=SUNW.i86pc,2,IP,1,1'
# dhtadm -A -s SrootPTH -d 'Vendor=SUNW.i86pc,4,ASCII,1,0'
# dhtadm -A -s SrootNM -d 'Vendor=SUNW.i86pc,3,ASCII,1,0'
# dhtadm -A -s SinstIP4 -d 'Vendor=SUNW.i86pc,10,IP,1,1'
# dhtadm -A -s SinstNM -d 'Vendor=SUNW.i86pc,11,ASCII,1,0'


Here is a legend for the environment definitions:


Install server name (SinstNM)
Install server IP (SinstIP4)
Install server path (SinstPTH)
Root server name (SrootNM)
Root server IP (SrootIP4)
Root server path (SrootPTH)
Profile location (SjumpsCF)
sysidcfg location (SsysidCF)


An x86 (AMD-based Sun) client identifies itself to the DHCP server with the Class Identifier PXEClient:Arch:00000:UNDI:002001.

For the installation we will need to create an architecture-specific macro. This will tell all the x86 (AMD-based Sun) clients to boot our boot image from the boot server.


# dhtadm -A -m PXEClient:Arch:00000:UNDI:002001 -d ':BootFile="pxegrub":BootSrvA=10.186.66.31:'


Check the settings:


# dhtadm -P | grep 2001
PXEClient:Arch:00000:UNDI:002001 Macro BootFile="pxegrub":BootSrvA=10.186.66.31:


Check if pxegrub exists.


# ls -l /tftpboot/pxegrub
lrwxrwxrwx 1 root root 26 Sep 21 15:59 /tftpboot/pxegrub -> pxegrub.I86PC.Solaris_10-4


Each client in DHCP should have its macro defined. To define macro:


# dhtadm -A -m your_client -d \
':SbootURI="tftp://10.186.66.31/pxegrub":'\
'SrootNM="rumburak":SrootIP4=10.186.66.31:'\
'SrootPTH="/opt/inst/SunOS-5.10-i386-2007-08/Solaris_10/Tools/Boot":'\
'SinstNM="rumburak":SinstIP4=10.186.66.31:'\
'SinstPTH="/opt/inst/SunOS-5.10-i386-2007-08":'\
'SjumpsCF="rumburak:/opt/inst/jumpstart":'\
'SsysidCF="rumburak:/opt/inst/jumpstart/SunOS-5.10.dhcp":'


Check:


# dhtadm -P | grep hotamanda
hotamanda :SbootURI="tftp://10.186.66.31/pxegrub":
SrootNM="rumburak":SrootIP4=10.186.66.31: SrootPTH="/opt/inst/SunOS-5.10-i386-2007-08/Solaris_10/Tools/Boot": SinstNM="rumburak":SinstIP4=10.186.66.31:SinstPTH="/opt/inst/SunOS-5.10-i386-2007-08": SjumpsCF="rumburak:/opt/inst/jumpstart": SsysidCF="rumburak:/opt/inst/jumpstart/SunOS-5.10.dhcp":


To correct only one parameter without removing a whole record:


# dhtadm -M -m macro_name -e 'SomeVAR=new_value'


Create a lease record for hotamanda - the client address will be 10.186.66.21, the client MAC address is 00:14:4F:9A:8C:0A.

First, we will need to add the prefix 01 to the client definition as shown below. It's some Sun 'standard', do not ask me why.


# pntadm -A 10.186.66.21 -i 0100144F9A8C0A -m "0100144F9A8C0A" -h hotamanda 10.186.66.0
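
Building that client identifier by hand is error-prone, so here is a small helper, added as an example that is not part of the original post. The function names client_id and lease_cmd are made up for illustration; the command is only printed, never executed.

```shell
#!/bin/sh
# Added example (not from the original post): build the client identifier
# used with pntadm -i from a MAC address. Solaris tools print octets without
# leading zeros (0:14:4f:9a:8c:a), so each octet is padded before joining.

# client_id MAC -> "01" + 12 upper-case hex digits; returns 1 on bad input
client_id() {
    echo "$1" | awk -F'[:-]' '
        NF != 6 { exit 1 }
        {
            id = "01"                       # 01 = hardware type Ethernet
            for (i = 1; i <= 6; i++) {
                if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit 1
                id = id (length($i) == 1 ? "0" : "") toupper($i)
            }
            print id
        }'
}

# lease_cmd IP MAC HOST NETWORK -> the pntadm command line, printed not run
lease_cmd() {
    id=$(client_id "$2") || { echo "bad MAC: $2" >&2; return 1; }
    echo "pntadm -A $1 -i $id -m $id -h $3 $4"
}

# The lease from this page, with the MAC written the way Solaris prints it
lease_cmd 10.186.66.21 0:14:4f:9a:8c:a hotamanda 10.186.66.0
```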


You can also check all the settings via the X-based DHCP manager. To do that, run:


$ su root -c /usr/sadm/admin/bin/dhcpmgr




All the shortcuts and STOP+A via SSH connection (SPARC SOLARIS) 
1) send break to console: CR / ~ / ctrl B or CR / ~ / break

2) break SSH connection (after issuing # console -C your-zone) / ~ / .

3) "ESC" + "(" - to get into ILOM on AMD

CR=return

