
Posts published in “Geeky Stuff”

remove IPv6 from bind (named) at startup

To stop /var/log/messages from filling up with annoying DNS errors that look like the following:


Jan 3 13:52:03 dns named[24933]: error (network unreachable) resolving 'greyfuzz.com/DS/IN': 2001:503:a83e::2:30#53
Jan 3 13:52:03 dns named[24933]: error (network unreachable) resolving 'greyfuzz.com/DS/IN': 2001:503:231d::2:30#53

Provided you are really not using IPv6 yet (you may need to reconsider this shortly), add the following line to your /etc/sysconfig/named file so that named only listens on and resolves over IPv4:

OPTIONS="-4"

Restart BIND/named.

service named restart   (RH/CentOS)

Find unowned files on your system

From time to time software packages may leave files on your server/workstation with random User IDs (UID) or Group IDs (GID), especially when compiling from source, unpacking tarballs, extracting .rpms etc. Not really a major issue, but it should be cleaned up so that files that should not be accessible by others stay that way: an orphaned UID or GID will silently belong to whichever user or group is later created with that number.

Easy way to locate them:

#!/bin/bash
# locate files on the local filesystems with no valid UID (-nouser) or GID (-nogroup)
# df -P prints one mount point per line in column 6; NR != 1 skips the header row
# -xdev keeps find from crossing into other (e.g. network) filesystems
df --local -P | awk 'NR != 1 {print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls
df --local -P | awk 'NR != 1 {print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls


Solution for “Hostid 00000000000”

RHEL6 (later Fedora releases, and some other distros) recently made things a bit screwy with the naming of network interfaces: some mainboard-embedded NICs show up as em1, em2 instead of eth0, eth1.

Most of the time this is not a problem, however FlexLM definitely has a problem with this, as it is hard-coded to look for the MAC address of eth0. Period; nothing else will do.

This is all caused by a package called biosdevname, which is installed by default. Before removing that package to resolve it, consider a better way that does not break things or cause dependency issues further down the road.

Best way to solve this I have found follows:

# cp /etc/grub.conf /etc/grub.bak #get smart here and make a backup!

Add biosdevname=0 to the kernel boot arguments (each kernel line) in /etc/grub.conf.

Rename /etc/sysconfig/network-scripts/ifcfg-em1 to /etc/sysconfig/network-scripts/ifcfg-eth0, changing the line DEVICE="em1" to DEVICE="eth0". (Repeat for any additional interfaces; bonded interfaces should continue to function as expected.)

Delete /etc/udev/rules.d/70-persistent-net.rules (if it exists)

Reboot.

Now FlexLM should detect the MAC of eth0 because…. well… eth0 now exists, which tends to make things much happier.
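The three file edits above, scripted with the backups the post recommends. This is an added example, not a script from the original post: NET_SCRIPTS and GRUB_CONF are hypothetical override variables so the functions can be tried against scratch copies; they default to the real RHEL 6 paths.

```shell
#!/bin/bash
# Added example (not from the original post): the biosdevname workaround as
# shell functions. NET_SCRIPTS / GRUB_CONF are hypothetical overrides used so
# the functions can be exercised on scratch copies; they default to the real
# RHEL 6 locations.

# Append biosdevname=0 to every "kernel" line in grub.conf that lacks it.
# Idempotent: running it twice adds the argument only once.
add_biosdevname_off() {
    conf="${1:-${GRUB_CONF:-/etc/grub.conf}}"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"        # get smart: backup first
    sed '/^[[:space:]]*kernel[[:space:]]/{/biosdevname=0/!s/$/ biosdevname=0/;}' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Rename ifcfg-<old> to ifcfg-<new> and rewrite its DEVICE= line, keeping a
# backup of the original and refusing to clobber an existing target file.
rename_ifcfg() {
    old="$1"; new="$2"
    dir="${NET_SCRIPTS:-/etc/sysconfig/network-scripts}"
    src="$dir/ifcfg-$old"; dst="$dir/ifcfg-$new"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst exists, refusing to overwrite" >&2; return 1; }
    cp -p "$src" "$src.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^DEVICE=.*$/DEVICE=\"$new\"/" "$src" > "$dst" || return 1
    grep -q "^DEVICE=\"$new\"$" "$dst" || { echo "DEVICE not rewritten in $dst" >&2; return 1; }
    rm -f "$src"
}

# Remove the stale udev naming rules if present (succeeds when absent too).
remove_udev_net_rules() {
    rules="${1:-/etc/udev/rules.d/70-persistent-net.rules}"
    [ -e "$rules" ] && rm -f "$rules"
    return 0
}

# Typical use on the real box (then reboot):
#   add_biosdevname_off && rename_ifcfg em1 eth0 && remove_udev_net_rules
```

Run the three functions as root, reboot, and eth0 is back. The rename refuses to overwrite an ifcfg-eth0 that already exists, which is the case worth catching on a box that has a half-finished earlier attempt.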

Crashplan on Linux Mint 17

Installing Crashplan on Linux Mint (17) is a pretty straightforward deal: just install and accept the defaults.

Getting it to run is another story.

#1: the Crashplan agent requires Oracle Java; Mint ships with OpenJDK (as does CentOS 6.x).

To install for Mint (64bit) do the following:

Remove OpenJDK
$ sudo apt-get update && sudo apt-get remove openjdk-6-jre
$ sudo apt-get autoremove && sudo apt-get clean

Download JRE from Oracle (http://www.java.com/)
In this example 1.7.0.67 was used.

$ sudo mkdir -p -v /opt/java/64
$ cd ~/Downloads   (or wherever you downloaded to)
$ tar -zxvf jre-7u67-linux-x64.tar.gz
$ sudo mv -v jre1.7.0_* /opt/java/64

$ sudo update-alternatives --install "/usr/bin/java" "java" "/opt/java/64/jre1.7.0_67/bin/java" 1
$ sudo update-alternatives --set java /opt/java/64/jre1.7.0_67/bin/java

Setup the Firefox plugin:
# mkdir -v ~/.mozilla/plugins
# ln -s /opt/java/64/jre1.7.0_67/lib/amd64/libnpjp2.so ~/.mozilla/plugins/

Modify the contents of /usr/local/crashplan/bin/run.conf to match below:

SRV_JAVA_OPTS="-Dfile.encoding=UTF-8 -Dapp=CrashPlanService -DappBaseName=CrashPlan -Xms20m -Xmx512m -Djava.net.preferIPv4Stack=true -Dsun.net.inetaddr.ttl=300 -Dnetworkaddress.cache.ttl=300 -Dsun.net.inetaddr.negative.ttl=0 -Dnetworkaddress.cache.negative.ttl=0 -Dc42.native.md5.enabled=false"
GUI_JAVA_OPTS="-Dfile.encoding=UTF-8 -Dapp=CrashPlanDesktop -DappBaseName=CrashPlan -Xms20m -Xmx512m -Djava.net.preferIPv4Stack=true -Dsun.net.inetaddr.ttl=300 -Dnetworkaddress.cache.ttl=300 -Dsun.net.inetaddr.negative.ttl=0 -Dnetworkaddress.cache.negative.ttl=0 -Dc42.native.md5.enabled=false -Dorg.eclipse.swt.browser.DefaultType=mozilla"

Now Crashplan will launch.

Apache SSL Redirect

Need to redirect all traffic to an Apache server from HTTP (Port 80) to HTTPS (port 443)?

Just add a redirect statement in your httpd.conf for that server.

[code]
<VirtualHost *:80>
    DocumentRoot "/path/to/greyfuzz.com"
    ServerName https://www.greyfuzz.com
    ServerAlias greyfuzz.com
    ErrorLog logs/greyfuzz-error.log
    CustomLog logs/greyfuzz-access_log combined
    Redirect / https://www.greyfuzz.com/
    <Directory "/path/to/greyfuzz.com">
        # your directory options here
    </Directory>
</VirtualHost>
[/code]

Line #7 above does the magic for you.

Be sure to include the trailing '/' on the end of the domain being redirected to. Without it, Redirect appends the requested path directly to the target and you get untoward URLs like
https://www.greyfuzz.comindex.php instead of https://www.greyfuzz.com/index.php.

Note: Be certain your conf.d/ssl.conf (or equivalent) is already set up and HTTPS is working properly first.

Remove password from SSL Certificate

To remove the password or passphrase from your SSL private key, so that Apache will restart without hanging while it waits for you to type the passphrase:

It takes a couple of simple steps, but the first and most important is:

Make a backup copy of your key!!!
Actually make a couple and store them somewhere safe!

Then strip the key out with:
[code]
/usr/bin/openssl rsa -in /path/to/server.key -out /path/to/newservernopass.key
[/code]
(you may need to adjust the path to openssl for your server)

Copy the newservernopass.key file over your server.key file and restart Apache. If all goes well, Apache will start up without prompting for the passphrase.

NOTE: Be sure permissions on your SSL key file are only as permissive as needed (for example apache:apache 400). Without a passphrase, the key file *could* be used on another server you did not intend if it leaked out. So keep it secure!
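A few checks worth running before copying the new key over server.key. This is an added example, not part of the original post; it takes the key (and optionally the certificate) path as arguments and modifies nothing.

```shell
#!/bin/bash
# Added example (not part of the original post): sanity checks before swapping
# in the passphrase-less key. Nothing here modifies the key.

# 0 if the PEM file still carries a passphrase (the ENCRYPTED marker that
# "openssl rsa -in ... -out ..." strips: "Proc-Type: 4,ENCRYPTED" for the
# traditional format, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8); 1 otherwise.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# 0 if the key is readable by its owner only (mode 400 or 600), 1 otherwise.
# Uses GNU/BusyBox "stat -c"; on BSD/macOS use "stat -f %Lp" instead.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the RSA modulus of the key matches the certificate, i.e. you are about
# to install the right key for the cert Apache serves. Requires openssl.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the checks, print one verdict per check, and return non-zero if any
# failed so the copy step can be gated on it:
#   check_key /path/to/newservernopass.key /path/to/server.crt && cp ...
check_key() {
    key="$1"; cert="$2"; rc=0
    if key_is_encrypted "$key"; then
        echo "$key: still passphrase-protected"; rc=1
    else
        echo "$key: no passphrase"
    fi
    if key_mode_ok "$key"; then
        echo "$key: permissions ok"
    else
        echo "$key: permissions too open (want 400 or 600)"; rc=1
    fi
    if [ -n "$cert" ]; then
        if key_matches_cert "$key" "$cert"; then
            echo "$key: matches $cert"
        else
            echo "$key: does NOT match $cert"; rc=1
        fi
    fi
    return $rc
}
```

The modulus comparison catches the case where the wrong key was stripped (an old key from a backup, say); the mode check catches the case the NOTE above is about, since a freshly written output file picks up your umask rather than the 400 the original had.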

List Installed libraries

To display all of the shared libraries installed on your Linux system there is no need to sift through /lib, /usr/lib, etc. Try this command: it prints every library in the dynamic linker cache and where each one links to.

[code]
/sbin/ldconfig -p
[/code]

Combine it with grep and you can search for a specific library

something like:
[code]
/sbin/ldconfig -p | grep libQtTest
[/code]

Convert ESXi disk from thick to thin

When copying, cloning, and moving VMs around, any disks that were created with thin provisioning will ultimately be converted to thick provisioning. What a tremendous waste of disk space if you frequently over-provision disk space and allow disks to grow over time as needed. (Oh yeah, that's what thin provisioning was created for.)

Let’s reduce the disk consumption and convert the vmdk’s back to thin (or to thin if you chose thick to begin with)

Ensure you have SSH enabled on your ESXi server and log in as root (or su to root from your user account).

Shut down the VM you wish to shrink (I’d suggest reconciling any snapshots you have and making a backup just in case something goes sideways)

Change directory to the path holding your VM, it will look something like /vmfs/volumes/53448b8c-b6d48f58-692a-ac220bdcff63/server_name (you may have to hunt down the right path)
for example I am going to shrink my vCenter Server Appliance which lives in
/vmfs/volumes/53448b8c-b6d48f58-692a-ac220bdcff63/VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10

the directory looks like this:
# ls -ltrah
total 140495888
-rw-r--r-- 1 root root 0 Apr 10 23:57 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmsd
-rw-r--r-- 1 root root 311 Apr 10 23:57 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmxf
-rw------- 1 root root 547 Apr 11 00:05 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmdk
-rw------- 1 root root 553 Apr 11 00:05 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10_1.vmdk
drwxr-xr-t 1 root root 1.6K Apr 11 01:49 ..
-rw------- 1 root root 100.0G Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10_1-flat.vmdk
-rw------- 1 root root 8.5K Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.nvram
-rw------- 1 root root 25.0G Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10-flat.vmdk
-rw-r--r-- 1 root root 125.6K Apr 12 01:37 vmware.log
-rwxr-xr-x 1 root root 3.1K Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmx

As you can see the directory contains 125+G (I closed my terminal window with the actual du output).
But I know it's using closer to 10G, so let's shrink it down.

Notice there are two virtual disks, ending in OVF10.vmdk and OVF10_1.vmdk. Run vmkfstools -K (punch zero) against each descriptor, not the -flat file:

# vmkfstools -K ./VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmdk
vmfsDisk: 1, rdmDisk: 0, blockSize: 1048576
Hole Punching: 100% done.

# vmkfstools -K VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10_1.vmdk
vmfsDisk: 1, rdmDisk: 0, blockSize: 1048576
Hole Punching: 100% done.

This may take a bit of time to complete depending on your disk speed etc…

End result looks the same but notice the actual usage:
# ls -ltrah
total 11077648
-rw-r--r-- 1 root root 0 Apr 10 23:57 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmsd
-rw-r--r-- 1 root root 311 Apr 10 23:57 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmxf
-rw------- 1 root root 547 Apr 11 00:05 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmdk
-rw------- 1 root root 553 Apr 11 00:05 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10_1.vmdk
drwxr-xr-t 1 root root 1.6K Apr 11 01:49 ..
-rw------- 1 root root 100.0G Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10_1-flat.vmdk
-rw------- 1 root root 8.5K Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.nvram
-rw------- 1 root root 25.0G Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10-flat.vmdk
-rw-r--r-- 1 root root 125.6K Apr 12 01:37 vmware.log
-rwxr-xr-x 1 root root 3.1K Apr 12 01:37 VMware-vCenter-Server-Appliance-5.5.0.5201-1476389_OVF10.vmx
drwxr-xr-x 1 root root 1.5K Apr 12 02:03 .

# du -hs
10.6G .

Much better!
Now restart your VM and move on to your next project

Updated ssltest.sh

I had to update my SSL cipher testing script: the output from openssl changed enough in recent versions of RedHat/CentOS 6.x that it broke the reporting. I tried to write it in simple code so it would be easy to understand and facilitate those wanting to improve upon it (if you do... please share!).

What does it do? It scans your installed copy of openssl for all supported ciphers, tests each one against the target webserver, and reports back which ciphers and SSL/TLS versions the server will accept. I added a little color coding to quickly point out less than optimal ciphers (i.e. non-FIPS ciphers) in red. FIPS ciphers display in green.

Why is this important? That's akin to asking the difference between padlocks: the better the lock, the more relative security it provides and the better it resists being broken.

How do I use it? Simply invoke the script with the hostname:port you want to test. If you see red, you should consider limiting the ciphers your webserver will support. (I'll post the detailed how-tos for Apache, Tomcat and WebLogic in a future edition.)

[code]
./ssltest.sh www.greyfuzz.com:443
# or, adding -v to display the ciphers being tested instead of just the results:
./ssltest.sh www.greyfuzz.com:443 -v
[/code]

[code]
#!/bin/bash
## ssltest.sh version 0.4 (last update 4/10/2014)
## - Dave Cochran
##
## Location of openssl
openssl=/usr/bin/openssl

## temp file for the request sent to the server - removed at script end
tempfile=./ssltest.tmp

###### END OF CONFIGURATION #####

if [ -z "$1" ]; then
  echo "syntax: $0 host:sslport [-v]   (-v optional, for verbose testing)"
  exit 1
fi

if ! [ -e "$openssl" ]; then
  echo "The path to openssl is wrong, please edit $0"
  exit 1
fi

## Make a request (may be altered); s_client sends this once the handshake is up
echo "GET / HTTP/1.1" > "$tempfile"

if ! [ -e "$tempfile" ]; then
  echo "Cannot create temp file in this directory... exiting $0"
  exit 1
fi

## Request available ciphers from openssl and test them
for ssl in ssl2 ssl3 tls1
do
  echo -e '\E[37;30m\n\n' Testing $ssl ....

  $openssl ciphers -$ssl -v | while read line
  do
    ## field 1 is the cipher name, field 5 looks like Enc=AES(256)
    cipher=`echo $line | awk '{print $1}'`
    bits=`echo $line | awk '{print $5}' | cut -f2 -d'(' | cut -f1 -d')'`
    if [ -n "$2" ]; then
      echo -n "$cipher - $bits bits..."
    fi

    ## a "Certificate chain" block in s_client output means the handshake
    ## completed, i.e. the server accepted this cipher
    if ($openssl s_client -$ssl -cipher $cipher -connect $1 < "$tempfile" 2>&1 | grep "^Certificate chain" > /dev/null); then
      if [[ $cipher = "EDH-RSA-DES-CBC3-SHA" || $cipher = "EDH-DSS-DES-CBC3-SHA" || $cipher = "DHE-RSA-AES256-SHA" || $cipher = "DES-CBC3-SHA" || $cipher = "AES256-SHA" || $cipher = "AES128-SHA" || $cipher = "DHE-RSA-AES128-SHA" || $cipher = "DHE-DSS-AES128-SHA" || $cipher = "ADH-AES128-SHA" || $cipher = "DHE-DSS-AES256-SHA" || $cipher = "ADH-AES256-SHA" ]]; then
        echo -en '\E[37;32m'"$cipher - $bits bits - FIPS APPROVED CIPHER enabled\n"
      else
        echo -en '\E[37;31m'"$cipher - $bits bits - WEAK CIPHER enabled\n"
      fi
    elif [ -n "$2" ]; then
      echo -en '\E[37;30m'"Cipher Not Enabled"'\E[37;30m'"\n"
    fi
    echo " " > "$tempfile"
  done | grep -v error

done
echo -en '\E[37;30m'"\nTesting Complete.\n\n"
## Remove temporary file
rm -f "$tempfile"
[/code]
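The cipher-line parsing and FIPS/WEAK classification that ssltest.sh does, pulled out into two functions you can run offline against `openssl ciphers -v` output. This is an added example, not part of ssltest.sh: it uses the same FIPS list as the script, but finds the Enc= field wherever it sits on the line and reports 0 bits for Enc=None (the eNULL ciphers), which the awk/cut extraction in the script leaves blank. The sample lines are constructed in the `openssl ciphers -v` format, not captured from any host.

```shell
#!/bin/bash
# Added example (not part of ssltest.sh): parse one line of `openssl ciphers -v`
# output and classify it the way ssltest.sh does. Sample input below is
# constructed, not captured from a real host.

# Same FIPS list as ssltest.sh; a cipher is approved only on an exact match
# (the surrounding spaces stop AES128-SHA from matching DHE-DSS-AES128-SHA).
FIPS_CIPHERS=" EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DHE-RSA-AES256-SHA DES-CBC3-SHA AES256-SHA AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ADH-AES128-SHA DHE-DSS-AES256-SHA ADH-AES256-SHA "

# Print the symmetric key length from the Enc=NAME(bits) field, or 0 when the
# cipher does no encryption at all (Enc=None). Searching for the Enc= field by
# name means a Kx=RSA(512) export-cipher field cannot be mistaken for it.
cipher_bits() {
    enc=$(printf '%s\n' "$1" | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^Enc=/) print $i}')
    case "$enc" in
        *"("*")"*) bits=${enc#*"("}; printf '%s\n' "${bits%%")"*}" ;;
        *)         printf '0\n' ;;
    esac
}

# Print "<cipher> <bits> FIPS|WEAK" for one line of `openssl ciphers -v` output.
classify_cipher() {
    name=$(printf '%s\n' "$1" | awk '{print $1}')
    bits=$(cipher_bits "$1")
    case "$FIPS_CIPHERS" in
        *" $name "*) printf '%s %s FIPS\n' "$name" "$bits" ;;
        *)           printf '%s %s WEAK\n' "$name" "$bits" ;;
    esac
}

# Constructed sample lines (not real output from any host). Against a live
# openssl you would instead feed it the real list:
#   openssl ciphers -tls1 -v | while read -r line; do classify_cipher "$line"; done
SAMPLE_LINES='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5'

printf '%s\n' "$SAMPLE_LINES" | while read -r line; do
    classify_cipher "$line"
done
```

Note that the list is an allow-list: anything not on it, including newer ECDHE/GCM suites, reports as WEAK, so keep the list current for the openssl build you are scanning with.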

Copy CD/DVD to .iso

Installing from physical CDs or DVDs is always a hassle; first, actually putting your hands on the disc you want can be quite a process. On and around my desk sit a number of 100-disc spindles, and digging through them is always a hassle. Disk space is cheap, and the time saved by mounting an .iso can go a long way to paying for the disks. Not to mention physical optical discs are SLOW! I keep a mount point reserved on my filer to store everything I use frequently as .isos. Now when I need to spin up a Virtual Machine (VM) or even install to bare metal, I simply mount the .iso and away we go, at gigabit speeds instead of waiting on the slow transfer speeds of optical drives.

With Linux, it's as simple as finding the disc and using the dd command.

[code]
dd if=/dev/sr0 of=/path_to_store/discname.iso
[/code]

That’s all there is to it. You may have to adjust the input device name to suit your particular setup, typically something along the lines of /dev/sr0, /dev/cdrom, /dev/dvd etc..

From here, lather, rinse, repeat. Then store your optical discs in a safe place, or use them for coasters. So long as your storage media is intact you will generally not need them.