Determine if the system is running in 32-bit or 64-bit mode (Solaris) 
Sparc with 64bit Solaris version

# isainfo -v
64-bit sparcv9 applications
vis2 vis
32-bit sparc applications
vis2 vis v8plus div32 mul32

Intel with 32bit version

# isainfo -v
32-bit i386 applications
sse sse2 sse fxsr mmx cmov sep cx8 tsc fpu

Sun cluster commands (3.2) 

Setup commands

install primary or next cluster node

menu driven re-configuration utility

interactive command shell for cluster management

cluster status
status for all cluster components

cluster list-cmds
lists available commands

Quorum device commands

clq status
quorum votes summary, quorum votes by node/device status
clq list
list all the quorum elements (devices/hosts)
clq show
cluster nodes (with reservation keys) and quorum device/s path/s

SCSI commands and devices

/usr/cluster/lib/sc/scsi -c inkeys -d /dev/did/rdsk/device
shows reservation keys (all possible/available keys for device)
/usr/cluster/lib/sc/scsi -c inresv -d /dev/did/rdsk/device
shows active reservation (server accessing quorum device)

Administer Sun Cluster device instances

cldevice status
status of disk devices

Server node commands

clnode list
list servers in cluster
clnode show-rev
cluster software version
clnode status
shows status of the clustered servers (Online/Offline)

Heart-beat links

HB endpoint status

scstat -W
Cluster Transport Paths

Cluster resource commands

clrs status
(rs as in resource) resource status
clrs show -v resource-name
shows values of all resource attributes for given resource-name (as Type/Group/Class)
clrs show -p NetIflist resource-name
shows NetIflist resource attribute value
clrs set -p netiflist=primary@1,primary@3,primary@4 resource-name
set attribute value(s)

Resource group commands

clrg status
(rg as for resource group) resource group status
clrg manage resource-group
put resource group under cluster management
clrg online resource-group
bring it online
clrg add-node -n hostnameX resource-group
allow service/resource-group to migrate/failover even to hostnameX
clrg switch -n hostnameX resource-group
fail-over resource group to hostnameX

Resource types

clrt list
(rt as in resource type: SUNW.SharedAddress, SUNW.LogicalHostname ...) prints registered SUNW resource types


/usr/cluster/lib/sc/ccradm -i infrastructure
compute new checksum after changing cluster config in /etc/cluster/ccr/infrastructure file

Bill Evans-My Foolish Heart 

Spam protection in Postfix  
Decreasing the huge amount of spam hitting your Postfix mail server is pretty easy. Prevent your server from accepting mail from invalid domains and reject sites which are already on the spam lists. The following piece of config with some additional option steroids will help you keep the wires clean(er). Paste it at the bottom of your /etc/postfix/ .

# SPAM control

smtpd_recipient_restrictions = permit_mynetworks,

If your Postfix acts as a mail-forwarding gateway for another mail server (e.g. for your internal Exchange server), you can add the line "reject_unverified_recipient," to the config.

Postfix then opens a blank probe session to the destination (it only starts the SMTP conversation, no message body is sent) and tests whether the destination server will accept the recipient address. If the destination doesn't complain about a non-existent recipient, the real message is accepted by Postfix and then forwarded. Postfix therefore doesn't waste resources trying to bounce messages back to the spammer. Of course, this solution slows your incoming mail traffic a bit.

# SPAM control

smtpd_recipient_restrictions = permit_mynetworks,
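The restriction list above is cut off, so as an added example (not the post's own config) here is a small shell audit that reads a Postfix main.cf the way Postfix does, joining the continuation lines of smtpd_recipient_restrictions, and checks that reject_unauth_destination appears before any unconditional permit; without it the host relays for anyone. Both main.cf fragments are constructed samples; the hardened one uses zen.spamhaus.org as the example DNSBL and places reject_unverified_recipient after the relay check, so probes are only sent for domains you actually accept mail for.

```shell
#!/bin/sh
# Added example: audit smtpd_recipient_restrictions in a Postfix main.cf.
# Not the post's own config; both fragments below are constructed samples.

GOOD_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
# constructed sample: hardened recipient restrictions
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_unverified_recipient,
    permit
EOF

WEAK_CF=$(mktemp)
cat > "$WEAK_CF" <<'EOF'
# constructed sample: no relay control at all (open relay)
smtpd_recipient_restrictions = permit_mynetworks, permit
EOF

# postfix_param FILE NAME: print the value of NAME as Postfix sees it.
# Later definitions override earlier ones, a line starting with whitespace
# continues the previous logical line, and '#' lines are comments.
postfix_param() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]/   { if (found) val = val " " $0; next }
        { found = 0 }
        $0 ~ ("^" p "[ \t]*=") { found = 1; val = $0; sub(/^[^=]*=/, "", val) }
        END { print val }
    ' "$1"
}

# check_recipient_restrictions FILE: 0 if reject_unauth_destination is listed
# and no unconditional permit precedes it, 1 otherwise.
check_recipient_restrictions() {
    list=$(postfix_param "$1" smtpd_recipient_restrictions | tr ',' ' ')
    seen_reject=0
    for item in $list; do
        case $item in
            reject_unauth_destination) seen_reject=1 ;;
            permit_mynetworks|permit_sasl_authenticated) ;;   # trusted senders only
            permit*)
                if [ "$seen_reject" -ne 1 ]; then
                    echo "FAIL: $item comes before reject_unauth_destination"
                    return 1
                fi ;;
        esac
    done
    if [ "$seen_reject" -ne 1 ]; then
        echo "FAIL: reject_unauth_destination missing"
        return 1
    fi
    echo "OK: relay control present"
    return 0
}

check_recipient_restrictions "$GOOD_CF"
check_recipient_restrictions "$WEAK_CF" || true   # expected to report FAIL
```

Run it against a copy of your real main.cf with `check_recipient_restrictions /etc/postfix/main.cf`; the parser only handles the classic single-file layout, not parameters spread over include directories.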

500 OOPS: cannot change directory /home/user (seLinux) 
I got the error "cannot change directory" from the vsftpd daemon on CentOS 5. The main suspect was the vsftpd configuration, but after about an hour I realized SELinux was doing its job wrong again. I had some directories in /var/www/html/homes/user and I thought this was not acceptable to the SELinux policy definitions, but the error repeated even when I moved the user to /home/user. This [vsftp definition] should already be present in the Red Hat SELinux policy, but...

error: 500 OOPS: cannot change directory /home/user
app: vsftpd - very secure ftp daemon
selinux correction: /usr/sbin/setsebool -P ftp_home_dir 1
explanation: SELinux disallows the ftp daemon to switch into / read the user's home directory; the ftp_home_dir boolean permits it, and -P makes the change persistent across reboots

Proxy, proxy... Set http_proxy variable in shell. 
Running yum on a corporate LAN and it can't connect? Can't browse the net, wget refuses to download? Yes, it is simple, the proxy is missing, but what the hell is the syntax to set the http_proxy shell variable?

export http_proxy https_proxy no_proxy
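The values are missing from the line above, so as an added example (not from the post) here is a shell function that builds the three variables in the URL form wget, curl and yum expect. The proxy host, port and the no_proxy suffix are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from the post): export the proxy variables in the form
# http://[user[:password]@]host:port/ plus a no_proxy bypass list.
# Host, port and the internal domain suffix are assumed values.

# set_proxy HOST PORT [USER [PASSWORD]]
set_proxy() {
    host=$1; port=$2; user=$3; pass=$4
    case $port in
        ''|*[!0-9]*) echo "set_proxy: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    cred=""
    if [ -n "$user" ]; then
        cred="$user${pass:+:$pass}@"      # credentials go before the host
    fi
    http_proxy="http://${cred}${host}:${port}/"
    https_proxy=$http_proxy                 # same proxy for https:// URLs
    # hosts reached directly, never through the proxy (assumed internal suffix)
    no_proxy="localhost,127.0.0.1,.corp.example"
    export http_proxy https_proxy no_proxy
    return 0
}

# show_proxy: print what is exported, to check before running yum or wget
show_proxy() {
    env | grep -iE '^(http_proxy|https_proxy|no_proxy)=' | sort
}

set_proxy proxy.corp.example 3128 && show_proxy
```

Source the file or paste the function into your shell so the exports land in the session you run yum from. A password containing `@`, `:` or `/` has to be percent-encoded in the URL, and yum also accepts a `proxy=` line in /etc/yum.conf if you prefer not to keep credentials in the environment.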

Another thousand-plus /var/log/messages entries with brute-force SSH retries. They have bothered me since one of my servers got a 6 Mbit line. To improve security I configured SSH so that it requires the private key and, if you do not have it, just disconnects. Simply put: the service no longer asks for keyboard-interactive password entry. You don't have the right private key? The session is dropped immediately. In /etc/ssh/sshd_config change:

# allow login via keys (authorized_keys must be filled with the public key)
PubkeyAuthentication yes
# disallow users whose keys are not in the authorized_keys file
PasswordAuthentication no
# do not ask for keyboard-interactive login: the "keyboard-interactive"
# userauth method allows an arbitrary sequence of server prompts and
# typed user responses
ChallengeResponseAuthentication no
# (sshd rejects trailing comments on a directive line as "garbage at end
# of line", so comments must sit on their own lines as above)

Also allow only specific user(s) to log in via SSH. An interactive session for a mail/pop/web user is too big a deal. To allow only some users, put the directive

AllowUsers only_my_allowed_ssh_user1 only_my_allowed_ssh_user2

into the sshd configuration file and restart the daemon. Also disable root login and use an ordinary user for logging in.

PermitRootLogin no
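As an added example (not from the post), the following shell audit checks a sshd_config against the directives listed above: PubkeyAuthentication, PasswordAuthentication, ChallengeResponseAuthentication, PermitRootLogin (the actual keyword for disabling root login) and AllowUsers. It mirrors how sshd reads the file, taking the first occurrence of a keyword and ignoring everything after the first Match block, which is where a quick grep goes wrong. The two config files are constructed samples.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives above.
# Not from the post; the two config files below are constructed samples.

# sshd_effective FILE KEYWORD: print the value sshd applies globally. sshd
# uses the FIRST occurrence of a keyword (later duplicates are ignored) and
# global settings end at the first Match block, so the audit does the same.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: 0 when every directive is set as required.
# An unset directive counts as a failure: set each one explicitly instead of
# relying on the compiled-in default, which differs between OpenSSH versions.
check_sshd_config() {
    rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want $want"
            rc=1
        fi
    done
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is not set, any account with a key can log in"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 matches the hardening checklist"
    return $rc
}

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: stock-looking sshd_config; the second
# PasswordAuthentication line is ignored by sshd (first one wins)
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened sshd_config from the checklist above
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice bob
EOF

check_sshd_config "$WEAK_CFG" || true   # prints the findings, exit status 1
check_sshd_config "$HARD_CFG"
```

On a live host `sshd -T` prints the effective configuration and is the authoritative check; this script is for auditing config files you cannot run sshd against, such as copies collected from several servers.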

Are you an iptables user? Then you can also use the anti-SYN-flood feature of iptables and limit the number of new SSH sessions per time interval.

# Count new connection attempts per source address; once two have been seen
# from the same address within 60 s, log and reject further ones. The two
# --update rules must come BEFORE the --set/ACCEPT rule: otherwise every new
# SYN is accepted by the first rule and the limit never triggers.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT

Above: iptables will let a single source open only three login sessions per minute; if the count is higher, the following SYN packets are rejected until the counter clears itself the next minute.

Key management:

When I again forgot which key belongs to which server, I realized it would be much easier to manage the keys with a script. The following shell script does the job: it generates key pairs, distributes them to the server and lets you connect to the server with the appropriate key.

#!/bin/sh
# Menu: generate a per-server key pair, push the public key to the server,
# or connect with the matching private key. Keys live in ~/.ssh/id_dsa_<server>.
while true
do
    echo "Generate key ... 1"
    echo "Push key ... 2"
    echo "Server connect ... 3"
    echo "Exit ... x"
    echo -n ": "
    read option
    case $option in
    1)
        echo "Generating key"
        echo -n "Target srvr: "
        read remotebox
        if [ -f ~/.ssh/id_dsa_$remotebox ]
        then
            echo "WARNING: ~/.ssh/id_dsa_$remotebox exists - giving up."
        else
            ssh-keygen -f ~/.ssh/id_dsa_$remotebox
        fi
        sleep 8
        ;;
    2)
        echo "Pushing key"
        echo -n "Target srvr: "
        read remotebox
        echo -n "Target user: "
        read user
        echo "Using id_dsa_$remotebox.pub"
        ls -la ~/.ssh/id_dsa_$remotebox.pub 2> /dev/null
        if [ $? != 0 ]
        then
            echo "Problem with a key"
            sleep 5
        else
            # append the public key on the server, creating ~/.ssh with safe permissions
            cat ~/.ssh/id_dsa_$remotebox.pub | ssh $user@$remotebox \
            "(mkdir .ssh 2>/dev/null; chmod 700 .ssh && cat - >> .ssh/authorized_keys) && chmod 600 .ssh/authorized_keys"
            sleep 5
            echo "Please edit the following options in /etc/ssh/sshd_config"
            echo "AllowUsers $user"
            echo "PermitRootLogin no"
            echo "PubkeyAuthentication yes"
            echo "PasswordAuthentication no"
            echo "ChallengeResponseAuthentication no"
            echo "X11Forwarding no"
            echo "Press [enter]"
            read dummy
        fi
        ;;
    3)
        echo -n "Target srvr: "
        read remotebox
        echo -n "Target user: "
        read user
        ssh -l $user -i ~/.ssh/id_dsa_$remotebox $remotebox
        ;;
    x)
        echo "Quit"
        break
        ;;
    *)
        echo "Wrong"
        ;;
    esac
done

Jumpstart Server setup for Solaris - DHCP Server 
DHCP Server

Start from scratch with clean DHCPd tables:

# dhcpconfig -Ux
Unconfigure will stop the DHCP service and remove the DHCP configuration file.
Are you SURE you want to unconfigure the DHCP service? ([Y]/N): Y
DHCP server shutdown.
Deleted the server macro from dhcptab.
Deleted table for network x.x.x.x.
Deleted the dhcptab.
Deleted the DHCP configuration file.

Create new tables:

# dhcpconfig -D -r SUNWbinfiles -p /var/dhcp
Created DHCP configuration file.
Created dhcptab.
Added "Locale" macro to dhcptab.
Added server macro to dhcptab.
DHCP server started.

Configure DHCPd for your LAN:

# dhcpconfig -N $NETWORK -m $NETMASK -t $GATEWAY
Added network macro to dhcptab.
Created network table.

My network is, I'll check the records:

# dhtadm -P | grep "" Macro :Subnet=

Through the macro variables we tell the client where to find the installation image and the configs. Define the vendor option symbols:

# dhtadm -A -s SinstPTH -d 'Vendor=SUNW.i86pc,12,ASCII,1,0'
# dhtadm -A -s SbootURI -d 'Vendor=SUNW.i86pc,16,ASCII,1,0'
# dhtadm -A -s SsysidCF -d 'Vendor=SUNW.i86pc,13,ASCII,1,0'
# dhtadm -A -s SjumpsCF -d 'Vendor=SUNW.i86pc,14,ASCII,1,0'
# dhtadm -A -s SrootIP4 -d 'Vendor=SUNW.i86pc,2,IP,1,1'
# dhtadm -A -s SrootPTH -d 'Vendor=SUNW.i86pc,4,ASCII,1,0'
# dhtadm -A -s SrootNM -d 'Vendor=SUNW.i86pc,3,ASCII,1,0'
# dhtadm -A -s SinstIP4 -d 'Vendor=SUNW.i86pc,10,IP,1,1'
# dhtadm -A -s SinstNM -d 'Vendor=SUNW.i86pc,11,ASCII,1,0'

Here is a legend for the environment definitions:

Install server name (SinstNM)
Install server IP (SinstIP4)
Install server path (SinstPTH)
Root server name (SrootNM)
Root server IP (SrootIP4)
Root server path (SrootPTH)
Profile location (SjumpsCF)
sysidcfg location (SsysidCF)

An x86 (AMD based Sun) client identifies itself to the DHCP server with the Class Identifier PXEClient:Arch:00000:UNDI:002001.

For the installation we need to create an architecture-specific macro. This tells all x86 (AMD based Sun) clients to boot our boot image from the boot server.

# dhtadm -A -m PXEClient:Arch:00000:UNDI:002001 -d ':BootFile="pxegrub":BootSrvA='

Check the settings:

# dhtadm -P | grep 2001
PXEClient:Arch:00000:UNDI:002001 Macro BootFile="pxegrub":BootSrvA=

Check if pxegrub exists.

# ls -l /tftpboot/pxegrub
lrwxrwxrwx 1 root root 26 Sep 21 15:59 /tftpboot/pxegrub -> pxegrub.I86PC.Solaris_10-4

Each client in DHCP should have its own macro defined. To define the macro:

# dhtadm -A -m your_client \


# dhtadm -P | grep hotamanda
hotamanda :SbootURI="tftp://":
SrootNM="rumburak":SrootIP4= SrootPTH="/opt/inst/SunOS-5.10-i386-2007-08/Solaris_10/Tools/Boot": SinstNM="rumburak":SinstIP4="/opt/inst/SunOS-5.10-i386-2007-08": SjumpsCF="rumburak:/opt/inst/jumpstart": SsysidCF="rumburak:/opt/inst/jumpstart/SunOS-5.10.dhcp":

To correct only one parameter without removing a whole record:

# dhtadm -A -m macro_name -d':SomeVAR=new_value:'

Create a lease record for hotamanda - the client address will be , the client MAC address is 00:14:4F:9A:8C:0A.

First, we need to add the prefix 01 to the client definition as shown below. It's some Sun 'standard', do not ask me why.

# pntadm -A -i 0100144F9A8C0A -m "0100144F9A8C0A" -h hotamanda
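As an added example (not from the post), here is a shell function that derives the client identifier pntadm expects from a colon-separated MAC address: the prefix 01 (the ARP hardware type for Ethernet) followed by the twelve hex digits in upper case, generalized from the single hotamanda case above. The MAC below is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post): build the Solaris DHCP client identifier
# for pntadm -i/-m from an Ethernet MAC: "01" (ARP hardware type 1, Ethernet)
# followed by the MAC's 12 hex digits, upper case, colons removed.
dhcp_client_id() {
    mac=$1
    h='[0-9a-fA-F][0-9a-fA-F]'          # one hex octet
    case $mac in
        $h:$h:$h:$h:$h:$h) ;;            # six octets separated by colons
        *) echo "dhcp_client_id: '$mac' is not a colon-separated MAC" >&2; return 1 ;;
    esac
    printf '01%s\n' "$(printf '%s' "$mac" | tr -d ':' | tr 'a-f' 'A-F')"
}

# pntadm_line HOSTNAME MAC: print the pntadm -A command for a client, so the
# identifier never has to be typed by hand
pntadm_line() {
    id=$(dhcp_client_id "$2") || return 1
    printf 'pntadm -A -i %s -m "%s" -h %s\n' "$id" "$id" "$1"
}

pntadm_line hotamanda 00:14:4F:9A:8C:0A
```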

You can also check all the settings via the X DHCP manager GUI. To do that, run:

$ su root -c /usr/sadm/admin/bin/dhcpmgr

All the shortcuts and STOP+A via SSH connection (SPARC SOLARIS) 
1) send break to console: CR / ~ / Ctrl-B, or CR / ~ / break

2) break the SSH connection (after issuing # console -C your-zone): CR / ~ / .

3) "ESC" + "(" - to get into ILOM on AMD


Check RBAC priviledges (Solaris) 
Not sure why the hell the RBAC shit is not working? The system tells you: not sufficient privileges. Then try this to explore what's missing.

ppriv -D $$

enter your command

ppriv -N $$

If some privileges are missing, the debug output will tell you which ones (-D turns privilege debugging on for your shell so every failed privilege check is reported, -N turns it off again).

