Archive for October, 2008

snmpd sending too much to syslog by default

October 22nd, 2008

Why does snmpd try to log everything by default in Fedora? If you’re polling every five minutes or so for MRTG or a commercial product like Solarwinds, you might find /var/log/messages filling up with successful connection messages:

Oct 22 04:00:01 ServerName snmpd[2089]:last message repeated 5 times
Oct 22 04:00:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:40732
Oct 22 04:05:01 ServerName snmpd[2089]:last message repeated 5 times
Oct 22 04:05:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:34007
Oct 22 04:05:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [127.0.0.1]:34007
Oct 22 04:05:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:34007

To stop this nonsense, override the default options being fed to snmpd in the init script. (no, don’t hack the init script!  You’ll forget to re-hack it when you update your system and your changes get overwritten, doh!)

Create /etc/snmp/snmpd.options and provide your own options to the snmpd daemon.  This is what I use on most clients to tell snmpd to send only log levels 0 through 4 to syslog.

OPTIONS="-LS 4 d -Lf /dev/null -p /var/run/snmpd.pid -a"

If you have a client that doesn’t have ipv6 addresses and you check TCP connections with snmp, you’ll want to change the 4 to a 2.  Otherwise you’ll still get messages like these:

Oct 22 04:20:31 ThisOldServer snmpd[21882]: could not open /proc/net/if_inet6
Oct 22 04:21:31 ThisOldServer snmpd[21882]: cannot open /proc/net/snmp6 …

In /etc/init.d/snmpd you should see where it looks for /etc/snmp/snmpd.options; if it doesn’t find that file, it falls back to a set of defaults that log everything to syslog.

if [ -e /etc/snmp/snmpd.options ]; then
    . /etc/snmp/snmpd.options
else
    OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"
fi

After you make your snmpd.options file in /etc/snmp/, just restart snmpd and it should find your file and not follow the else clause that was setting those options for you before.  Just to make sure, wait 5 minutes (or force an snmp check) and look at the logs.  You could add an entry to your logs with ‘logger’ just to make a note of when you made the change.  But it should be quite obvious if you don’t see a ton of syslog traffic.  You should also see the log level in the process list since you made the change and restarted the service.

ninja@ThisOldServer ~$ ps -ef | grep snmpd
root     21900     1  0 14:21 ?        00:00:00 /usr/sbin/snmpd -LS 2 d -Lf /dev/null -p /var/run/snmpd.pid -a
acarr    21936 21915  0 14:56 pts/0    00:00:00 grep snmpd
ninja@ThisOldServer ~$
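As an added example (not part of the original post), here is a small Python script that quantifies the chatter so you can compare the log before and after the change, and shows which addresses are actually polling the agent. The log lines it reads are constructed to match the format of the excerpt above, with a second poller and one real error mixed in; note the edge case that a syslog "last message repeated N times" line has to be credited to the preceding snmpd message or the volume is undercounted.

```python
import re
from collections import Counter

# Constructed sample lines in the format snmpd on Fedora writes to /var/log/messages
# (same shape as the excerpt above, plus a second poller, an unrelated sshd line
# and one genuine snmpd error that the chatter would otherwise bury).
SAMPLE_LOG = """\
Oct 22 04:00:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]:last message repeated 5 times
Oct 22 04:05:01 ServerName snmpd[2089]: Connection from UDP: [192.0.2.10]:34007
Oct 22 04:05:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [192.0.2.10]:34007
Oct 22 04:05:01 ServerName sshd[3001]: Accepted publickey for ninja from 192.0.2.7 port 50022 ssh2
Oct 22 04:20:31 ServerName snmpd[2089]: could not open /proc/net/if_inet6
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
# (as the excerpt shows, the colon is not always followed by a space).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# The two per-poll messages that the default -Lsd passes through and -LS 4 d suppresses.
CHATTER_RE = re.compile(
    r"^(?:Connection from|Received SNMP packet\(s\) from) UDP: \[(?P<src>[^\]]+)\]:\d+$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def summarize_snmpd(log_text):
    """Count snmpd log volume, split into per-poll chatter (by source address) and everything else.

    A "last message repeated N times" line is credited to the source of the preceding
    snmpd chatter line, so suppressed duplicates still count toward the volume.
    """
    chatter = Counter()
    other = []
    total = 0
    last_src = None  # source of the previous snmpd chatter line, None if it was not chatter
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "snmpd":
            continue
        msg = m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            n = int(rep.group("n"))
            total += n
            if last_src is not None:
                chatter[last_src] += n
            continue
        total += 1
        c = CHATTER_RE.match(msg)
        if c:
            last_src = c.group("src")
            chatter[last_src] += 1
        else:
            last_src = None
            other.append(msg)
    chatter_total = sum(chatter.values())
    return {
        "total": total,
        "chatter_total": chatter_total,
        "chatter_by_source": dict(chatter),
        "noise_pct": round(100.0 * chatter_total / total, 1) if total else 0.0,
        "other": other,  # the messages you actually want to keep seeing
    }


if __name__ == "__main__":
    summary = summarize_snmpd(SAMPLE_LOG)
    print("snmpd lines: %d, chatter: %d (%.1f%%)"
          % (summary["total"], summary["chatter_total"], summary["noise_pct"]))
    for src, n in sorted(summary["chatter_by_source"].items(), key=lambda kv: -kv[1]):
        print("  %-15s %d" % (src, n))
    for msg in summary["other"]:
        print("  kept: %s" % msg)
```

Run it against a slice of /var/log/messages from before the restart and one from after; the noise percentage should drop to nothing while the "kept" lines (like the if_inet6 error) are unchanged, which is the confirmation the post asks you to look for.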

Linux

Old books saved from the dumpster

October 19th, 2008

They were throwing out the entire library of old books at work since we’re moving to a new building.  I saw these in the trash pile and saved them! (along with several others)  I couldn’t believe they weren’t even going to donate them to the library or recycle them.  Off to the dumpster they were about to go…

old books

They’re mostly from the 70’s and a few from the early 80’s.  I can find 99% of what I’m looking for by searching online, but it’s amazing how many old programs and ideas there are that haven’t changed in the Unix/Linux world.

Uncategorized

Toyota Prius finally has the toyota look

October 19th, 2008

The new 2010 Toyota Prius.  This is what is supposed to debut in January at the Detroit Auto Show.  It will have a slightly larger displacement but is supposed to keep the same fuel economy numbers.  So why does it still have a handicapped electric motor?  Is it to allow all those companies that will fill your trunk with lead acid batteries to grow their business?  Yeah right.  Let’s stick to the exterior visuals for now, but wouldn’t it be nice if it were just an electric car, or hybrid just meant that it had an emergency internal combustion engine just for those rare occasions you accidentally run out of battery juice?

Well, it still looks pretty pathetic, but at least the lines fall in with the Toyota look.  I guess they’re trying to make it look more aggressive and attractive?  Too bad it looks like a Corolla.  Why can’t it look more like a Supra or the Lexus LF-A prototype?  Whatever happened to the Honda Insight?  I liked that little thing.  It got better gas mileage than the Prius anyway!  I’m sure they’re fetching a pretty penny on eBay or craigslist.

Uncategorized

ICMP type 3 - Destination unreachable messages

October 16th, 2008

Net Unreachable

The sending device knows about the network but believes it is not available at this time. Perhaps the network is too far away through the known route.

Host Unreachable

The sending device knows about the host but doesn’t get an ARP reply, indicating the host is not available at this time.

Protocol Unreachable

The protocol defined in the IP header cannot be forwarded.

Port Unreachable

The sending device does not support the port number you are trying to reach.

Fragmentation Needed and Don’t Fragment was Set

The router needs to fragment the packet to forward it across a link that supports a smaller maximum transmission unit (MTU) size. However, the application set the Don’t Fragment bit.

Source Route Failed

ICMP sender can’t use the strict or loose source routing path specified in the original packet.

Destination Network Unknown

ICMP sender does not have a route entry for the destination network, indicating this network may never have been available.

Destination Host Unknown

ICMP sender does not have a host entry, indicating the host may never have been available on the connected network.

Source Host Isolated

ICMP sender (router) has been configured to not forward packets from source (the old electronic pink slip).

Communication with Destination Network is Administratively Prohibited

ICMP sender (router) has been configured to block access to the desired destination network.

Communication with Destination Host is Administratively Prohibited

ICMP sender (router) has been configured to block access to the desired destination host.

Destination Network Unreachable for Type of Service

The sender is using a Type of Service (TOS) that is not available through this router for that specific network.

Destination Host Unreachable for Type of Service

The sender is using a Type of Service (TOS) that is not available through this router for that specific host.

Communication Administratively Prohibited

ICMP sender is not available for communications at this time.

Host Precedence Violation

Precedence value defined in sender’s original IP header is not allowed (for example, using Flash Override precedence).
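As an added example (not part of the original post), here is a Python parser for a Destination Unreachable message as it arrives on the wire: type, code, checksum, the next-hop MTU that code 4 carries, and the quoted IP header and first 8 bytes of the original datagram that tell you which destination and port the message is about. The code-to-name table is the list above in the order RFC 792, RFC 1122 and RFC 1812 assign the numbers (0 through 14); the sample message is constructed here, and the builder exists only to produce test input.

```python
import struct

ICMP_DEST_UNREACH = 3

# Code numbers per RFC 792 / RFC 1122 / RFC 1812, matching the order of the list above.
DEST_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed",
    6: "Destination Network Unknown",
    7: "Destination Host Unknown",
    8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation",
}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_dest_unreachable(icmp):
    """Parse an ICMP Destination Unreachable message (the ICMP part of an IPv4 packet)."""
    if len(icmp) < 8:
        raise ValueError("ICMP header too short")
    itype, code, _checksum = struct.unpack("!BBH", icmp[:4])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a type 3 message: type=%d" % itype)
    if icmp_checksum(icmp) != 0:  # a correct checksum makes the whole message sum to zero
        raise ValueError("bad ICMP checksum")
    result = {"code": code, "name": DEST_UNREACH_CODES.get(code, "Unlisted code %d" % code)}
    if code == 4:
        # RFC 1191: for code 4 the low 16 bits of the second word carry the next-hop MTU.
        result["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
    # Then comes the offending datagram's IP header plus at least 8 bytes of its payload,
    # enough to recover the original destination and, for TCP/UDP, the ports.
    inner = icmp[8:]
    if len(inner) >= 20:
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        result["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        result["orig_proto"] = proto
        if proto in (6, 17) and len(inner) >= ihl + 4:
            result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result


def build_dest_unreachable(code, inner, next_hop_mtu=0):
    """Build a type 3 message with a valid checksum; used here only to construct sample input."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_hop_mtu)
    csum = icmp_checksum(header + inner)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, csum, 0, next_hop_mtu) + inner


# Constructed sample: the 20-byte IPv4 header and first 8 bytes of a UDP datagram
# 10.0.0.5:40732 -> 10.0.0.9:161, as a router or host would quote it back.
SAMPLE_INNER = (
    bytes([0x45, 0x00, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00])
    + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 9])
    + struct.pack("!HHHH", 40732, 161, 36, 0)
)


def demo():
    """A Port Unreachable and a Fragmentation Needed message built from the sample datagram."""
    port_unreach = parse_dest_unreachable(build_dest_unreachable(3, SAMPLE_INNER))
    frag_needed = parse_dest_unreachable(build_dest_unreachable(4, SAMPLE_INNER, next_hop_mtu=1400))
    return port_unreach, frag_needed


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The quoted inner header is what makes these messages useful for troubleshooting: a Port Unreachable tells you which UDP port on which destination nobody is listening on, and a code 4 tells you the MTU that the path actually supports.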

Uncategorized

Use FSVS to keep track of Linux server configuration changes

October 14th, 2008

FSVS is the abbreviation for “Fast System Versioning” and is pronounced [fisvis].

It is a complete backup/restore/versioning tool for all files in a directory tree or whole filesystems, with a subversion repository as the backend.

Using this application, (almost) all files in /etc/ are maintained in a subversion repository. As files get created in /etc/ they are added to the repository automatically. Commits to the repository are executed on a daily basis with a cron job in /etc/cron.daily.  Configuration creation, updates, and deletions are easy to see and track down long after the fact, eliminating questions like “When did this get changed?? And what the heck did it look like before!?”

  • fsvs does not pollute directories with .svn folders.
  • It keeps track of everything with file lists and hashes in /etc/fsvs/ and /var/spool/fsvs/
  • All fsvs repositories can be stored in one place to make it easy to back up.

I think of it as a safety parachute, in case the regular one doesn’t work. (My regular method of backing up a config is to copy the original file with the extension “.old”, “.bak”, or “.orig”.)

How to install it

Commands to run from the subversion server, “TheServer”

# yum install fsvs
# mkdir /RAID/fsvs_repos
# svnadmin create /RAID/fsvs_repos/TargetHost

Commands run from the client machine, “TargetHost”

# yum install fsvs
# cd /etc   ($pwd must be the base directory you want to use to populate the repository)
# fsvs urls svn://theserver/fsvs_repos/TargetHost  (this points to the Berkeley DB repository you just created on “theserver”)
# fsvs ignore ./fsvs
# fsvs ignore ./ld.so.cache
# fsvs ignore ./prelink.cache
# fsvs ignore ./lvm
# fsvs ignore ./localtime
# fsvs ignore ./.pwd.lock
# fsvs ignore ./selinux
# fsvs commit -m "Initial fsvs commit"

Daily cron commit setup

A one-liner script in /etc/cron.daily/fsvs.cron (made executable) should be all you need; it changes into the working copy base, /etc, before committing.

#!/bin/sh
cd /etc && /usr/bin/fsvs commit -m "cron commit at `date +%R_%d-%m-%Y`"

Linux

Tricky little OpenLDAP replication gotchas

October 13th, 2008

These are just some things to watch out for when setting up replicas.

SPACING IN REPLICA DEFINITIONS

In slapd.conf, a replica definition must start with replica, and the accompanying parameters on the following lines must be indented in order for slurpd to parse them properly (slapd.conf treats a line beginning with whitespace as a continuation of the previous line).  Alternatively you could put the whole thing on one line, but it’s ugly that way.  I couldn’t figure out why slurpd skipped my replica until I indented the lines.  Here’s what it should look like:

replica uri=ldap://ldap-slave.domain.com:389
         bindmethod=simple
         binddn="cn=doppelganger,dc=domain.com"
         credentials=PasswordCanNotBeHashed
# replogfile is its own directive, not a replica parameter, so it is not indented
replogfile /var/lib/ldap/the.replog.file

Unlike the rootdn password, the password for the replication user can’t be a hash!  I tried my {SSHA} password and ran slurpd with debugging turned on and it didn’t like the credentials.  So I put the plain text password in there, with no other changes, and it started working fine.
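To make the spacing gotcha concrete, here is an added Python example (not from the original post or from OpenLDAP) that applies slapd.conf's continuation rule to two constructed copies of the replica block, one indented and one flush-left, and reports what slapd ends up seeing in each case. The parameters it treats as required are the ones the block above uses (uri or the older host=, binddn, bindmethod, credentials); the "stray" detection relies on the fact that no real slapd.conf directive name contains an equals sign.

```python
import shlex

# Constructed fragments: the replica block written the two ways discussed above.
INDENTED = """\
replica uri=ldap://ldap-slave.domain.com:389
         bindmethod=simple
         binddn="cn=doppelganger,dc=domain.com"
         credentials=PasswordCanNotBeHashed
replogfile /var/lib/ldap/the.replog.file
"""

FLUSH_LEFT = """\
replica uri=ldap://ldap-slave.domain.com:389
bindmethod=simple
binddn="cn=doppelganger,dc=domain.com"
credentials=PasswordCanNotBeHashed
replogfile /var/lib/ldap/the.replog.file
"""


def logical_lines(text):
    """Apply slapd.conf's continuation rule: a line that begins with whitespace is
    appended to the previous logical line; blank lines are dropped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_replicas(text):
    """Return (replicas, stray): each replica as a dict of its key=value parameters, and
    the 'directive' names slapd would see that cannot be real directives (a slapd.conf
    directive name never contains '='), i.e. replica parameters that lost their indent."""
    replicas, stray = [], []
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        if directive == "replica":
            params = {}
            for token in shlex.split(rest):  # shlex strips the quotes around the binddn
                key, _, value = token.partition("=")
                params[key] = value
            replicas.append(params)
        elif "=" in directive:
            stray.append(directive)
    return replicas, stray


def missing_replica_params(params):
    """Parameters slurpd needs to bind to the slave that are absent from one replica entry."""
    missing = [k for k in ("binddn", "bindmethod", "credentials") if k not in params]
    if "uri" not in params and "host" not in params:  # host= is the older spelling of uri=
        missing.insert(0, "uri")
    return missing


if __name__ == "__main__":
    for label, text in (("indented", INDENTED), ("flush-left", FLUSH_LEFT)):
        replicas, stray = parse_replicas(text)
        for r in replicas:
            print("%s: replica %s missing=%s" % (label, r.get("uri"), missing_replica_params(r)))
        if stray:
            print("%s: orphaned parameter lines: %s" % (label, stray))
```

The flush-left version yields a replica that has only a uri, which is exactly the "slurpd skipped my replica" symptom: the bind parameters have become three nonsense directives of their own.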

ACLS IN SLAPD.CONF ON THE REPLICA

Don’t forget to change your ACLs on the slave to allow write access to the replication user.  This is simple, but easily overlooked.  Your ACLs should look something like this:

access to attrs=shadowLastChange,userPassword,shadowMax,shadowWarning
         by dn="cn=doppelganger,dc=domain.com" write
         by tls_ssf=256 ssf=256 self write
         by tls_ssf=256 ssf=256 anonymous auth
         by * none
access to *
         by dn="cn=doppelganger,dc=domain.com" write
         by tls_ssf=256 ssf=256 users read
         by tls_ssf=256 ssf=256 self write
         by tls_ssf=256 ssf=256 * read
         by * none

This is only needed on your slaves, of course.  If you’re doing some sort of master-master setup where updates go both ways, then it’s needed on both sides.  The updatedn on the slave must match the replica binddn on the master, and updateref must be the master server’s URI.

SSL CERTIFICATES

To avoid problems using self-signed certs or certs signed by different CAs, put them in the same place.  So both servers will have master.pem and slave.pem, but each will point to its own cert, just like so:

slapd.conf on ldap-master:

TLSCACertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master.pem

slapd.conf on ldap-slave:

TLSCACertificateFile /etc/openldap/cacerts/slave.pem
TLSCertificateFile /etc/openldap/cacerts/slave.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slave.pem

The TLS lines in slapd on the master and replicas will each point to their own certs, but as long as you leave them in the same directory, you can use “TLS_CACERTDIR” in ldap.conf and not have to specify exactly which one to use.

THE URI LINE IN LDAP.CONF

I overlooked this one; it seemed like no instructions or howtos on the net talked about it at all!  I guess it’s just that obvious, but it’s another gotcha you might miss.  Since the LDAP servers are also going to be clients themselves, they need to point to their own databases in ldap.conf.  The master’s URI is ldap://ldap-master.domain.com and the replica’s URI is ldap://ldap-slave.domain.com.  Don’t forget to put both servers on the same URI line for the clients, or else they won’t be able to fail over.

uri ldap://ldap-master.domain.com ldap://ldap-slave.domain.com

Linux

shell scripting on an old ppc

October 10th, 2008

In a shell script you’re probably testing a variable against some constant or another variable, but why not run a command in a subshell and compare the output?  You could even compare the output of two subshell commands!  I guess most of the time I’m doing something like this I’m using perl or python.  But I needed a way to double check which disk had a PowerPC boot partition on it before copying it over to a blank disk, and I didn’t have much to work with on those old boards, so I whipped this up right quick:

#!/bin/sh

# Check which disk has a PPC boot partition (grep PPC matches the
# "PPC PReP Boot" partition type in the fdisk -l listing) so the
# populated disk can be copied onto the blank one.
if [ "`/sbin/fdisk -l /dev/sda | grep PPC`" = "" ]; then
    # sda has no PPC boot partition
    if [ "`/sbin/fdisk -l /dev/sdb | grep PPC`" = "" ]; then
        echo "neither disk has a PPC boot partition"
        exit 1
    else
        echo "run this: dd if=/dev/sdb of=/dev/sda"
    fi
else
    # sda has a PPC boot partition
    if [ "`/sbin/fdisk -l /dev/sdb | grep PPC`" = "" ]; then
        echo "run this: dd if=/dev/sda of=/dev/sdb"
    else
        echo "both disks have PPC boot partitions"
        exit 1
    fi
fi

Shell scripting if-then-else tests with commands embedded in backticks.  Why?  Because I’m messing with some old PowerPC blades running 2.4 kernels with no modern-day apps like ssh, rsync, or python.  I don’t know why I didn’t think of this before now.

root|ninja

Linux