Wuhai’s Weblog

September 27, 2009

WWPN – RHEL5 – QLogic

Filed under: Linux, RedHat, SAN — wuhai @ 6:23 pm

http://kbase.redhat.com/faq/docs/DOC-19446

ql-hba-info-1.2/ql-hba-info.sh -a    (QLogic's script: lists the WWPN/WWNN of every QLogic port)

systool -c fc_host -v    (from sysfsutils: dumps /sys/class/fc_host, where port_name is the WWPN and node_name the WWNN)

apt-get install sg3_utils    (apt-rpm on this box)

sg_map -x    (from sg3_utils: maps each /dev/sg* to host:channel:id:lun and the block device behind it)
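As an added example (not from the post), here is a small POSIX sh reader for the same sysfs class that systool walks. It prints one line per FC port and reformats a WWPN into the colon-separated form most switch zoning tools expect. The file names it reads (port_name, node_name, port_state under /sys/class/fc_host/hostN) are the kernel's own; the host numbers and WWPNs built by wwpn_demo_tree are constructed so the functions can be tried on a box with no HBA.

```shell
#!/bin/sh
# wwpn_list [sysfs-root]: one line per FC HBA port, "hostN WWPN WWNN state",
# read straight from the fc_host class (the data systool -c fc_host -v prints).
wwpn_list() {
  root=${1:-/sys/class/fc_host}
  [ -d "$root" ] || { printf 'no fc_host class at %s\n' "$root" >&2; return 1; }
  for h in "$root"/host*; do
    [ -f "$h/port_name" ] || continue
    printf '%s %s %s %s\n' "${h##*/}" \
      "$(cat "$h/port_name")" "$(cat "$h/node_name")" "$(cat "$h/port_state")"
  done
}

# wwpn_colon 0x2100...: sysfs form to zoning form,
# e.g. 0x210000e08b8a1f2c -> 21:00:00:e0:8b:8a:1f:2c
wwpn_colon() {
  printf '%s\n' "$1" | sed -e 's/^0x//' -e 's/../&:/g' -e 's/:$//'
}

# wwpn_demo_tree: build a constructed fc_host tree in a temp dir and print its
# path. Host numbers and WWPN/WWNN values are made up for the demo.
wwpn_demo_tree() {
  d=$(mktemp -d)
  for spec in 'host3 0x210000e08b8a1f2c 0x200000e08b8a1f2c Online' \
              'host4 0x210100e08baa1f2c 0x200100e08baa1f2c Linkdown'; do
    set -- $spec
    mkdir -p "$d/$1"
    printf '%s\n' "$2" > "$d/$1/port_name"
    printf '%s\n' "$3" > "$d/$1/node_name"
    printf '%s\n' "$4" > "$d/$1/port_state"
  done
  printf '%s\n' "$d"
}

# On a real host:
#   wwpn_list | while read -r h wwpn wwnn st; do echo "$h $(wwpn_colon "$wwpn") $st"; done
```

Only ports whose state is Online are worth handing to the storage team; a Linkdown port with a valid WWPN usually means an uncabled or unzoned HBA rather than a broken one.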

I have been wondering about the following one recently:
http://kbase.redhat.com/faq/docs/DOC-9937

September 4, 2009

Red Hat Summit Today

Filed under: RedHat — wuhai @ 6:23 am

I went through the following sessions in Red Hat Summit today:

1. JBoss and eXo => Gatein Portal demo;
2. Performance Tuning I and II;
3. Red Hat Satellite Lab; the lab server kept rebooting, but I eventually managed to complete the lab after many reboots;
4. JBoss ON Lab

August 28, 2009

CVE-2009-2692, Go root!

Filed under: RedHat — wuhai @ 3:25 am

I have been busy putting workarounds on hundreds of servers here these days due to CVE-2009-2692.

The following is CentOS 5:

[root ~]# lsmod | grep hidp
hidp 83649 2
l2cap 89281 5 hidp
bluetooth 118725 2 hidp,l2cap

I couldn't unload the above kernel modules before; I just figured out that in order to rmmod hidp, I had to do this:

[root ~]# /etc/init.d/hidd status
hidd (pid 3224) is running…

[root ~]# /etc/init.d/hidd stop
Shutting down hidd: [ OK ]
[root ~]# lsmod | grep hidp
hidp 83649 0
l2cap 89281 1 hidp
bluetooth 118725 2 hidp,l2cap
[root ~]# rmmod hidp
[root ~]# rmmod l2cap
[root ~]# rmmod bluetooth

Good now:

[hwu wunderbar_emporium]$ ./exploit
[+] MAPPED ZERO PAGE!
[+] Resolved security_ops to 0xffffffff80462840
[+] Resolved sel_read_enforce to 0xffffffff8011cde6
unable to find a vulnerable domain, sorry

For Netezza head nodes:
# cat /etc/issue
Red Hat Enterprise Linux AS release 4 (Nahant Update 1)
Kernel \r on an \m
# getenforce
Disabled

SELinux is disabled, but the exploit still works.

rmmod l2cap and then rmmod bluetooth works for me.
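The two lsmod snapshots above show why the first rmmod attempts failed: hidp had a "Used by" count of 2 with no module named after it, so the references came from a process (hidd, through its open Bluetooth sockets), and only stopping that process brought the count to 0. As an added example, not from the post, the snapshots are embedded as constructed input and two sh/awk functions answer the two questions that came up: which modules are pinned by something that is not a module, and in what order the stack can be removed. The one-reference-per-dependent rule in held_modules is a heuristic, not something lsmod promises. Unloading the modules is only a stopgap on hosts that cannot take the kernel update yet.

```shell
#!/bin/sh
# Constructed copies of the two lsmod snapshots from the post: before and after
# "service hidd stop".
LSMOD_BEFORE='hidp                   83649  2
l2cap                  89281  5 hidp
bluetooth             118725  2 hidp,l2cap'

LSMOD_AFTER='hidp                   83649  0
l2cap                  89281  1 hidp
bluetooth             118725  2 hidp,l2cap'

# held_modules: read lsmod output on stdin and print "module N" for each module
# whose "Used by" count exceeds the number of modules listed as depending on it.
# Those N extra references come from something that is not a module (open
# sockets, an open /dev node), so rmmod refuses until that process is stopped.
# Assumes each dependent module holds one reference (heuristic).
held_modules() {
  awk '$1 != "Module" {
    n = ($4 == "") ? 0 : split($4, d, ",")
    if ($3 + 0 > n) printf("%s %d\n", $1, $3 - n)
  }'
}

# rmmod_order: read lsmod output on stdin and print the modules in an order in
# which each one is removed only after every module that uses it. Fails when a
# user of a listed module is not itself in the input (unload that one first).
rmmod_order() {
  awk '$1 != "Module" { mods[$1] = 1; deps[$1] = $4; left++ }
  END {
    while (left > 0) {
      progress = 0
      for (m in mods) {
        if (m in done) continue
        ok = 1
        n = split(deps[m], d, ",")
        for (i = 1; i <= n; i++) if (d[i] != "" && !(d[i] in done)) ok = 0
        if (ok) { print m; done[m] = 1; left--; progress = 1 }
      }
      if (!progress) { print "unresolvable: a dependent module is not in the input"; exit 1 }
    }
  }'
}

# On a live box:
#   lsmod | grep -E "^(hidp|l2cap|bluetooth) " | held_modules
#   lsmod | grep -E "^(hidp|l2cap|bluetooth) " | rmmod_order | xargs -n1 rmmod
```

With the "before" snapshot held_modules reports hidp (2 stray references) and l2cap (4, hidd's L2CAP sockets); with the "after" snapshot it reports nothing, and rmmod_order gives hidp, l2cap, bluetooth, the order the post ended up using.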

February 25, 2009

Install Oracle9i client on Linux 64bit – “copying naeet.o”

Filed under: Oracle Database, RedHat — wuhai @ 8:04 am

To record silent mode installation script:
./runInstaller -record -destinationFile /tmp/oracle9iclient.rsp

The recording session hung at 63% complete while "copying naeet.o".

The fix was export LD_ASSUME_KERNEL=2.4.1. Note that export LD_ASSUME_KERNEL=2.4.21, the value usually quoted, did not work in this case. The kernel on the box:

$ uname -r
2.6.9-67.ELsmp

$ ./runInstaller -silent -responsefile /home/oracle/admin/Disk1/response/oracle9iclient.rsp
Initializing Java Virtual Machine from /tmp/OraInstall2009-02-25_01-20-48AM/jre/bin/java. Please wait…
In Product Registration Page
In UNIX Group Name Page
Install inventory needs to be created on this system before this silent install can proceed. Please run the script in /tmp/orainstRoot.sh with root previleges and retry the silent installation. See /tmp/silentInstall.log for more details.

export LD_ASSUME_KERNEL=2.4.1
$ ./runInstaller -silent -responsefile /home/oracle/admin/Disk1/response/oracle9iclient.rsp
Initializing Java Virtual Machine from /tmp/OraInstall2009-02-25_01-24-15AM/jre/bin/java. Please wait…
In Product Registration Page
In UNIX Group Name Page
Inside isClusterMode, bCluster is : false
Inside isCluster, bCluster bfr return is : false
In Cluster Node Selection Page
Inside isCluster, bCluster bfr return is : false
In File Locations Page
In Available Products Page
In Installation Types Page
In Component Locations Page
In Summary Page
Inside isCluster, bCluster bfr return is : false
Inside isCluster, bCluster bfr return is : false
Inside isCluster, bCluster bfr return is : false
In End of Installation Page
The installation of Oracle9i Client was successful.
Please check /home/oracle/oraInventory/logs/silentInstall2009-02-25_01-24-15AM.log for more details.
In Product Registration Page
In UNIX Group Name Page
Inside isCluster, bCluster bfr return is : false
In Cluster Node Selection Page
Inside isCluster, bCluster bfr return is : false

$ cat /etc/issue
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
Kernel \r on an \m

Metalink note 360142.1 "When Running OUI, OUI Hangs at 18% Copying naeet.o" says to set:
export LD_ASSUME_KERNEL=2.4.21
which did not work in this case.

Metalink note 377217.1 "What should the value of LD_ASSUME_KERNEL be set to for Linux?" gives:

  RHAS 2.1                 2.2.5
  RHEL3, RHEL4, OEL4       any value from 2.4.1 to 2.4.19
  SLES8, SLES9             2.4.21
  RHEL5, OEL5, SLES10      should not be set

So that is consistent: this box is RHEL4, the value has to be in the 2.4.1 to 2.4.19 range, and 2.4.21 falls outside it.

$ find /lib/ -name libc.so.6
/lib/tls/i686/nosegneg/libc.so.6
/lib/tls/libc.so.6
/lib/i686/libc.so.6
/lib/libc.so.6

# eu-readelf -n /lib/libc.so.6

Note segment of 32 bytes at offset 0x154:
Owner Data size Type
GNU 16 VERSION
OS: Linux, ABI: 2.2.5

# eu-readelf -n /lib/i686/libc.so.6

Note segment of 32 bytes at offset 0x154:
Owner Data size Type
GNU 16 VERSION
OS: Linux, ABI: 2.4.1

# eu-readelf -n /lib/tls/libc.so.6

Note segment of 32 bytes at offset 0x174:
Owner Data size Type
GNU 16 VERSION
OS: Linux, ABI: 2.4.20

Those ABI notes are the whole explanation. The dynamic loader only uses a library whose GNU ABI tag is not newer than the kernel version it believes it is running on, and LD_ASSUME_KERNEL replaces the real version (2.6.9 here) in that comparison. With 2.4.21 the NPTL build in /lib/tls (ABI 2.4.20) still qualifies and is found first, so the 9i installer gets the threading library it hangs on. Any value from 2.4.1 to 2.4.19 rules /lib/tls out but still admits the LinuxThreads build in /lib/i686 (ABI 2.4.1), which is what the note's range is really saying; below 2.2.5 nothing would qualify and no program would start at all. Export the variable only in the shell that runs the installer (or in its wrapper script): setting it system-wide pushes every process onto the old library.
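As an added example, not from the post and not glibc's code, here is a small sh model of the selection rule the loader applies, using the three ABI tags printed above in the search order the find output shows (the /lib/tls/i686/nosegneg copy is left out because its note was not captured). vernum packs a version the way glibc does for its osversion comparison; pick_libc returns the first candidate whose tag is not newer than the kernel version it is given.

```shell
#!/bin/sh
# vernum 2.4.20 -> 132116: pack a.b.c as a*65536 + b*256 + c, the form glibc's
# loader uses when it compares a library's ABI note with the kernel version.
vernum() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 65536 + $2 * 256 + $3 }'
}

# Candidate libcs in the loader's search order, with the ABI tag eu-readelf
# shows for each one above.
CANDIDATES='/lib/tls/libc.so.6 2.4.20
/lib/i686/libc.so.6 2.4.1
/lib/libc.so.6 2.2.5'

# pick_libc <kernel version>: the first candidate whose ABI note is not newer
# than the version the loader believes in (uname -r, or LD_ASSUME_KERNEL when
# set). Prints nothing when no candidate qualifies.
pick_libc() {
  want=$(vernum "$1")
  printf '%s\n' "$CANDIDATES" | while read -r path abi; do
    if [ "$(vernum "$abi")" -le "$want" ]; then
      printf '%s\n' "$path"
      break
    fi
  done
}

# pick_libc 2.6.9   -> /lib/tls/libc.so.6   (the real kernel: NPTL build)
# pick_libc 2.4.21  -> /lib/tls/libc.so.6   (still NPTL, still hangs)
# pick_libc 2.4.1   -> /lib/i686/libc.so.6  (LinuxThreads build, installer works)
# pick_libc 2.2.4   -> nothing: the loader finds no usable libc.so.6
```

Running pick_libc for each value in the Metalink table reproduces its rows for RHEL4: every version from 2.4.1 to 2.4.19 lands on /lib/i686, 2.4.21 lands on /lib/tls.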

February 20, 2009

VMWare Guest Time Drifting Issue

Filed under: RedHat, vmware — wuhai @ 7:45 am

Under heavy load today a VMware guest (CentOS 5.0, 64-bit) drifted a lot, sometimes 5 or 10 minutes behind. After restarting ntpd (the guests have a correct ntp.conf) the time was right for a few seconds and then quickly drifted away again; later it ended up 30 seconds ahead.

The quick fix:
1. notsc kernel parameter added;
2. tools.syncTime set to TRUE in the .vmx file

Drift of minutes is more than a nuisance: Kerberos rejects tickets outside its clock-skew window (5 minutes by default), so LDAP/AD logins start failing, and log timestamps stop lining up across hosts. Also note that VMware's own timekeeping guidance for Linux guests prefers NTP and warns against running periodic Tools time sync alongside it, because the two can fight; check the guidance for your ESX version before leaving both on.

February 19, 2009

mod_proxy / selinux

Filed under: Apache, Linux, RedHat — wuhai @ 4:36 am

Refer to: http://blog.simb.net/2007/08/01/centos-5-apache-223-proxy-balancer-permission-denied-proxy-http/

If you get the following error from the proxy front end:

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

with this in the kernel log and the Apache error log:

Feb 18 18:13:53 xx01p kernel: audit(1235002433.312:12): avc: denied { name_connect } for pid=18276 comm="httpd" dest=9000 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

[Wed Feb 18 18:29:09 2009] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 10.xx.1.xx:9000 (10.xx.1.xx) failed
[Wed Feb 18 18:29:09 2009] [error] ap_proxy_connect_backend disabling worker for (10.235.1.97)
[Wed Feb 18 18:29:13 2009] [error] proxy: HTTP: disabled connection for (10.235.1.97)

then SELinux is blocking httpd from opening the TCP connection to the backend: the AVC says the httpd_t domain was denied name_connect to port 9000, which carries the generic port_t type (an unreserved port). The boolean that controls this:

# sestatus -b | grep httpd
allow_httpd_anon_write                 off
allow_httpd_bugzilla_script_anon_write off
allow_httpd_mod_auth_pam               off
allow_httpd_nagios_script_anon_write   off
allow_httpd_squid_script_anon_write    off
allow_httpd_sys_script_anon_write      off
httpd_builtin_scripting                on
httpd_can_network_connect              off
httpd_can_network_connect_db           off
httpd_can_network_relay                off
httpd_disable_trans                    off
httpd_enable_cgi                       on
httpd_enable_ftp_server                off
httpd_enable_homedirs                  on
httpd_rotatelogs_disable_trans         off
httpd_ssi_exec                         off
httpd_suexec_disable_trans             off
httpd_tty_comm                         on
httpd_unified                          on
# togglesebool httpd_can_network_connect
httpd_can_network_connect: active
# sestatus -b | grep httpd
allow_httpd_anon_write                 off
allow_httpd_bugzilla_script_anon_write off
allow_httpd_mod_auth_pam               off
allow_httpd_nagios_script_anon_write   off
allow_httpd_squid_script_anon_write    off
allow_httpd_sys_script_anon_write      off
httpd_builtin_scripting                on
httpd_can_network_connect              on
httpd_can_network_connect_db           off
httpd_can_network_relay                off
httpd_disable_trans                    off
httpd_enable_cgi                       on
httpd_enable_ftp_server                off
httpd_enable_homedirs                  on
httpd_rotatelogs_disable_trans         off
httpd_ssi_exec                         off
httpd_suexec_disable_trans             off
httpd_tty_comm                         on
httpd_unified                          on
# setsebool -P httpd_can_network_connect=1

togglesebool only flips the boolean in the running policy; setsebool -P also writes it to the policy store so it survives a reboot. Be aware of what it grants: httpd_can_network_connect lets httpd_t connect to any TCP port on any host, far more than a reverse proxy needs. The AVC also shows why the narrower httpd_can_network_relay (off in the listing above) would not have helped on its own: port 9000 carries the generic port_t type, and relay only covers ports typed as HTTP, HTTP cache, FTP, gopher and squid ports. Giving tcp/9000 the http_port_t type with semanage port and then enabling httpd_can_network_relay keeps httpd confined to proxy-shaped traffic.
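As an added example, not from the post, here are a few sh functions that pull the fields out of an AVC record like the one above and print the narrowest SELinux change for it. The decision rules encode the RHEL 5 targeted policy as I know it: with httpd_can_network_relay on, httpd_t may name_connect to ports typed http_port_t or http_cache_port_t (plus the FTP, gopher and squid port types), while a port still typed port_t has to be relabelled first, and a port owned by another service needs either the blanket boolean or a custom module. The log line is a constructed copy of the denial above with the same fields and values.

```shell
#!/bin/sh
# Constructed copy of the denial from the post, joined onto one line.
AVC='Feb 18 18:13:53 xx01p kernel: audit(1235002433.312:12): avc: denied { name_connect } for pid=18276 comm="httpd" dest=9000 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field <record> <key>: value of key=value in an AVC record, quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm <record>: the denied permission between the braces
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\) *}.*/\1/p'
}

# ctx_type <context>: the type (third field) of an SELinux context
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_advice <record>: the narrowest fix for an httpd_t name_connect denial,
# printed as the command(s) to run
avc_advice() {
  perm=$(avc_perm "$1")
  sdom=$(ctx_type "$(avc_field "$1" scontext)")
  ttype=$(ctx_type "$(avc_field "$1" tcontext)")
  port=$(avc_field "$1" dest)
  if [ "$sdom" != httpd_t ] || [ "$perm" != name_connect ]; then
    printf 'not an httpd_t name_connect denial (%s / %s)\n' "$sdom" "$perm"
    return 0
  fi
  case $ttype in
    port_t)
      # unreserved port: give it an HTTP type, then allow relaying to HTTP ports only
      printf 'semanage port -a -t http_port_t -p tcp %s && setsebool -P httpd_can_network_relay on\n' "$port" ;;
    http_port_t|http_cache_port_t)
      printf 'setsebool -P httpd_can_network_relay on\n' ;;
    *)
      # port typed for another service: relay does not cover it
      printf 'tcp/%s is %s: needs httpd_can_network_connect or a custom module (audit2allow)\n' "$port" "$ttype" ;;
  esac
}
```

On a live host feed it the most recent denial, for example `avc_advice "$(grep 'avc: *denied' /var/log/messages | tail -n 1)"`, or read from /var/log/audit/audit.log when auditd is running. For the record above it prints the semanage/relay pair rather than the blanket boolean.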

January 23, 2009

RHEL4U6 and pam_ccreds

Filed under: Linux, RedHat — wuhai @ 2:10 pm

Refer to https://bugzilla.redhat.com/show_bug.cgi?id=478446

$ uname -m
x86_64
$ cat /etc/issue
Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
Kernel \r on an \m

Here is a working version of the 'system-auth' file with pam_ccreds enabled:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so nullok
auth requisite /lib/security/$ISA/pam_succeed_if.so uid >= 500 quiet
auth [authinfo_unavail=ignore success=1 default=2] /lib/security/$ISA/pam_ldap.so use_first_pass
auth [success=done default=die] /lib/security/$ISA/pam_ccreds.so use_first_pass action=validate
auth [default=done] /lib/security/$ISA/pam_ccreds.so action=store
auth optional /lib/security/$ISA/pam_ccreds.so action=update
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 500 quiet
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so try_first_pass retry=3
password sufficient /lib/security/$ISA/pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session optional /lib/security/$ISA/pam_keyinit.so revoke
session required /lib/security/$ISA/pam_limits.so
session [success=1 default=ignore] /lib/security/$ISA/pam_succeed_if.so service in crond quiet use_uid
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
session optional /lib/security/$ISA/pam_ldap.so
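The auth section takes some care to read because of the jumps. pam_unix is sufficient, so any local account is done before LDAP is asked; the requisite pam_succeed_if stops everything else below uid 500. pam_ldap then has three outcomes: success (success=1: jump over the validate line to action=store, which caches the password hash and finishes), directory unreachable (authinfo_unavail=ignore: fall through to action=validate, which checks the typed password against the cache and is the only way an offline login succeeds; a miss is default=die) or a plain failure such as a wrong password (default=2: skip both of those lines, pass through action=update, which keeps the cache in step with the failure, and land on pam_deny). So a wrong password while the directory is up never falls back to the cache, which is the property you want from this file. As an added example, not from the post and not Linux-PAM's code, here is a small sh evaluator of those control semantics run over exactly that stack; module results are supplied as variables, and the three pam_ccreds lines get constructed names so they can be told apart.

```shell
#!/bin/sh
# The auth section above reduced to control|module. The three pam_ccreds lines
# are given constructed names (validate/store/update) to tell them apart.
STACK='required|pam_env
sufficient|pam_unix
requisite|pam_succeed_if
[authinfo_unavail=ignore success=1 default=2]|pam_ldap
[success=done default=die]|pam_ccreds_validate
[default=done]|pam_ccreds_store
optional|pam_ccreds_update
required|pam_deny'

# pam_action <control> <module result>: the action Linux-PAM takes for that
# result. The keyword controls are the bracket forms pam.conf(5) defines.
pam_action() {
  ctrl=$1; r=$2
  case $ctrl in
    required)   ctrl='[success=ok new_authtok_reqd=ok ignore=ignore default=bad]' ;;
    requisite)  ctrl='[success=ok new_authtok_reqd=ok ignore=ignore default=die]' ;;
    sufficient) ctrl='[success=done new_authtok_reqd=done default=ignore]' ;;
    optional)   ctrl='[success=ok new_authtok_reqd=ok default=ignore]' ;;
  esac
  act=
  for kv in $(printf '%s' "$ctrl" | sed 's/[][]//g'); do
    case $kv in
      "$r="*)    act=${kv#*=}; break ;;
      default=*) [ -n "$act" ] || act=${kv#*=} ;;
    esac
  done
  printf '%s\n' "${act:-ignore}"
}

# pam_auth: walk STACK top to bottom. A module's result comes from $R_<module>
# (default success); pam_deny always fails. Prints success or fail.
pam_auth() {
  final=; skip=0
  while IFS='|' read -r ctrl module; do
    if [ "$skip" -gt 0 ]; then skip=$((skip - 1)); continue; fi   # jumped over
    if [ "$module" = pam_deny ]; then r=auth_err; else eval "r=\${R_$module:-success}"; fi
    act=$(pam_action "$ctrl" "$r")
    case $act in
      ignore) ;;
      ok)     [ "$final" = fail ] || final=success ;;
      bad)    final=fail ;;
      die)    final=fail; break ;;
      done)   [ "$final" = fail ] || final=success; break ;;
      reset)  final= ;;
      *)      skip=$act; [ "$final" = fail ] || final=success ;;   # N: ok, then skip N lines
    esac
  done <<EOF
$STACK
EOF
  printf '%s\n' "${final:-fail}"
}

# auth_with <pam_unix result> <pam_ldap result> <pam_ccreds validate result>:
# run the stack for one login attempt without leaking the variables.
auth_with() {
  ( R_pam_unix=$1 R_pam_ldap=$2 R_pam_ccreds_validate=$3 pam_auth )
}
```

The four cases worth checking by hand: LDAP up and password right (success via store), LDAP down and cache hit (success via validate), LDAP down and cache miss (fail, die), LDAP up and password wrong (fail at pam_deny, cache never consulted).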

December 1, 2008

apt-rpm and CentOS

Filed under: RedHat — wuhai @ 5:45 am

http://dag.wieers.com/blog/using-apt-in-an-rpm-world

November 13, 2008

ngroups_max

Filed under: AIX, Linux, RedHat, Solaris — wuhai @ 7:24 am

RHEL 3:
$ getconf NGROUPS_MAX
32

RHEL 4:
$ getconf NGROUPS_MAX
65536
$ /sbin/sysctl kernel.ngroups_max
kernel.ngroups_max = 65536
$ cat /proc/sys/kernel/ngroups_max
65536

RHEL 5:
$ getconf NGROUPS_MAX
65536
$ /sbin/sysctl kernel.ngroups_max
kernel.ngroups_max = 65536
$ cat /proc/sys/kernel/ngroups_max
65536

Solaris 10:
# getconf NGROUPS_MAX
16

To raise the limit on Solaris, set it in /etc/system and reboot:
set ngroups_max = 32

One caveat that applies whatever the local NGROUPS_MAX is: NFS with AUTH_SYS carries at most 16 GIDs on the wire, so a user in more groups than that can still be refused access on an NFS mount even though the client and server both allow larger group lists.

AIX 5.2.0.0:
# getconf NGROUPS_MAX
64

reference:
http://www.j3e.de/ngroups.html

October 1, 2008

New to Postgres, dbsize

Filed under: RedHat — wuhai @ 5:16 pm

OS: RHEL4U7, Postgres 7.4

How to install and use contrib/dbsize:

up2date --get postgresql-contrib
rpm -Uvh /var/spool/up2date/postgresql-contrib-7.4.19-1.el4_6.1.i386.rpm

psql -U postgres dbname -f /usr/share/pgsql/contrib/dbsize.sql

CREATE FUNCTION
CREATE FUNCTION

# psql -U postgres dbname
Welcome to psql 7.4.19, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

dbname=# select database_size('dbname');
 database_size
---------------
     163634957
(1 row)

dbname=#

Some additional information:

The server was CPU bound, and the load came from the postgres database, so I made the following changes on the db server.

The Rackspace server has 2 GB of memory and 1 CPU (AMD Athlon(tm) 64 Processor 3200+, 2003 MHz, 512 KB cache).

Added to postgresql.conf:
effective_cache_size = 120000

Changed in postgresql.conf:
shared_buffers = 30000          # min 16, at least max_connections*2, 8KB each
sort_mem = 8000                 # min 64, size in KB
vacuum_mem = 163840             # min 1024, size in KB
max_connections = 100

and in /etc/sysctl.conf:
kernel.shmmax = 335544320

In 8 KB pages that is about 246 MB of shared buffers (30000 * 8192 bytes), which fits under the 320 MiB shmmax with room for the lock table and per-connection state, and an effective_cache_size hint of about 983 MB, roughly half the box. sort_mem is per sort and per backend, so with 100 connections it can in the worst case reach 800 MB on top of that; keep an eye on swap if many sessions sort at once.

Now it is behaving much much better…


Blog at WordPress.com.