Sep 04 2008
You would like to run X11 applications on your server, but it is only reachable over SSH? No problem with PuTTY! PuTTY can create an SSH tunnel in which the X11 traffic is encapsulated: X11 forwarding.
The xorg-x11-xauth package has to be installed on the server side so that the session can authenticate to the X server.
Launch an X server on your workstation. We'll use Cygwin here.
Run Cygwin, launch startx and type in:
xhost +
to authorize all clients to connect. Note that xhost + switches off access control on the local X server entirely, not just for the tunnel, so turn it back on with xhost - once forwarding works.
Finally, run PuTTY. In Connection -> SSH -> Tunnels, check "Enable X11 forwarding".
Open a session and log in.
A .Xauthority file is created in your home directory (the current directory right after login): it holds the cookie that authenticates the session.
Launch an X application, xclock for instance, and it shows up on your workstation.
To run an application as a different user, after a su for instance, give that user read access to the .Xauthority file and point its XAUTHORITY variable at it:
export XAUTHORITY=/home/user/.Xauthority
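As an added example (not part of the original post), the following shell snippet shows how to pick out the cookie that the forwarding created for one DISPLAY from "xauth list" output, and how to hand only that cookie to the other account with xauth extract/merge, so the whole .Xauthority file need not be readable by that user. The sample list output, the server name and the display numbers are constructed; share_cookie assumes su is available and that the target account has xauth installed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Find the cookie entry for one DISPLAY in "xauth list" output and hand
# only that cookie to another account with xauth extract/merge.

# Print the "xauth list" line for the display given as $1 (e.g. ":10" or
# "localhost:10.0"); the list output is read from stdin.
xauth_entry_for() {
    num=$(printf '%s' "$1" | sed -e 's/^[^:]*://' -e 's/\..*$//')
    grep "^[^ ]*/unix:$num "
}

# Copy the cookie for display $1 from the Xauthority file $2 into the
# Xauthority of user $3, so that user never needs read access to file $2.
share_cookie() {
    disp="$1"; srcfile="$2"; target="$3"
    xauth -f "$srcfile" extract - "$disp" | su "$target" -c "xauth merge -"
}

# Constructed sample of "xauth list" output: two forwarded displays.
SAMPLE_LIST='server01/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
server01/unix:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# The entry PuTTY's forwarding would have created for DISPLAY=:10.
entry_for_display_10() {
    printf '%s\n' "$SAMPLE_LIST" | xauth_entry_for ':10'
}

entry_for_display_10
# share_cookie ":10" /home/user/.Xauthority otheruser   (run as root after su)
```

With the cookie merged this way, the second account uses its own ~/.Xauthority and no XAUTHORITY variable has to be exported.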
Tags: linux, SSH
Aug 30 2008
Channel bonding, also called port trunking, applies a policy to a group of network interfaces. Traffic can then be load-balanced across several ports, or one port can be kept aside for failover.
Module Loading
Declare the bond0 channel bonding interface in /etc/modprobe.conf:
# Channel Bonding
alias bond0 bonding
options bond0 miimon=100 mode=1
# You can add more with alias bond1 and so on
Here mode is 1, meaning active-backup (failover). Another useful mode is 0, round-robin, which load-balances the traffic sequentially across the slaves.
Interfaces
On Red Hat/SUSE, the usual configuration files can be used. In this case bond0 includes eth0 and eth1.
– /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=192.168.1.2
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
– /etc/sysconfig/network-scripts/ifcfg-eth0
HWADDR=00:1F:39:56:DF:C0
ONBOOT=yes
DEVICE=eth0
MASTER=bond0
SLAVE=yes
– /etc/sysconfig/network-scripts/ifcfg-eth1
HWADDR=00:1F:39:56:DF:C1
ONBOOT=yes
DEVICE=eth1
MASTER=bond0
SLAVE=yes
Reboot and you're done!
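The configuration above says nothing about checking that the failover is actually healthy after the reboot. Here is an added check (not from the original post) that reads the bonding driver's status report, normally /proc/net/bonding/bond0, and flags slaves whose link is down; the sample report is constructed to match the eth0/eth1 setup above, and the file path argument is the only assumption.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a bonding status
# report (normally /proc/net/bonding/bond0) and flag slaves whose link is down.

# Bonding mode reported by the driver, e.g. "fault-tolerance (active-backup)".
bond_mode() { sed -n 's/^Bonding Mode: //p' "$1"; }

# Interface currently carrying the traffic in active-backup mode.
bond_active_slave() { sed -n 's/^Currently Active Slave: //p' "$1"; }

# Slaves whose "MII Status" is down. The first "MII Status" line belongs to
# the bond itself and is skipped because no "Slave Interface" precedes it.
bond_down_slaves() {
    awk -F': ' '/^Slave Interface:/ { s = $2 }
                /^MII Status:/ && s != "" && $2 == "down" { print s }' "$1"
}

# Link failure counter per slave, as "iface count" lines.
bond_failure_counts() {
    awk -F': ' '/^Slave Interface:/ { s = $2 }
                /^Link Failure Count:/ && s != "" { print s, $2 }' "$1"
}

# Exit 0 when every slave is up, 1 when redundancy is lost.
bond_check() {
    down=$(bond_down_slaves "$1")
    if [ -n "$down" ]; then
        echo "bond $(bond_mode "$1"): link down on $down, active slave is $(bond_active_slave "$1")"
        return 1
    fi
    echo "bond $(bond_mode "$1"): all slaves up, active slave is $(bond_active_slave "$1")"
    return 0
}

# Constructed sample report for the bond0 (mode=1, miimon=100) above,
# with eth1 having lost its link.
bond_write_sample() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.2.3 (December 6, 2007)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:1f:39:56:df:c0

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:1f:39:56:df:c1
EOF
}

# Usage on a live system: bond_check /proc/net/bonding/bond0
sample=$(mktemp)
bond_write_sample "$sample"
bond_check "$sample"
bond_failure_counts "$sample"
rm -f "$sample"
```

In active-backup mode a single down slave is invisible to users, which is exactly why bond_check should run from cron or a monitoring agent: the bond keeps working on eth0 alone until the second link fails too.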
Tags: linux, network, redhat
Aug 29 2008
Many networks use LDAP or NIS to authenticate users on Linux servers and other Unix flavours. By default there is no access policy: every user in the central LDAP database has access to every server.
Access can be restricted to some accounts by adding them to the local passwd file when compat mode is enabled. This works on most of the Unix family: Linux, Solaris, AIX, etc.
nsswitch.conf File Settings
On a default system the passwd source is "files". Change it to "compat" to authenticate against your central user base:
passwd: compat
passwd_compat: ldap
By default the compat source is NIS, but this can be overridden by specifying nisplus or ldap as the source of the pseudo-database passwd_compat.
Grant Access to LDAP / NIS users
Once authentication is set to NIS or LDAP, users can be authorized to connect to a specific server by adding an entry of the following format to /etc/passwd:
+user:x:::::
or
+@netgroup:x:::::
if your LDAP or NIS user base has netgroups.
It is also possible to exclude specific users with -user, and to allow everybody else with a single + line at the end of /etc/passwd. Entries are evaluated in file order, so a -user line only takes effect if it comes before the + that would otherwise admit the user. This gives some flexibility in restricting LDAP users' access.
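To make the ordering rules concrete, here is an added example (not from the original post) that walks a compat-mode /etc/passwd the way nss_compat does, top to bottom, first matching +/- entry wins, and reports the decision for a given user. The passwd and netgroup files are constructed samples; nested netgroups and the host/domain fields of netgroup triples are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate what a compat-mode
# /etc/passwd would decide for a given user, walking the +/- entries in
# file order the way nss_compat does. Nested netgroups are not handled.

# Users listed in netgroup $2 of a netgroup file $1 whose entries have the
# form "name (host,user,domain) ...".
netgroup_members() {
    awk -v n="$2" '$1 == n { for (i = 2; i <= NF; i++) { split($i, t, ","); print t[2] } }' "$1"
}

# Print the decision and the entry that produced it; exit 0 = allowed.
# $1 passwd file, $2 netgroup file, $3 user name.
compat_decision() {
    pw="$1"; ng="$2"; u="$3"
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            '+@'*)
                g=${line#+@}; g=${g%%:*}
                if netgroup_members "$ng" "$g" | grep -qx "$u"; then echo "allow (+@$g)"; return 0; fi ;;
            '-@'*)
                g=${line#-@}; g=${g%%:*}
                if netgroup_members "$ng" "$g" | grep -qx "$u"; then echo "deny (-@$g)"; return 1; fi ;;
            '+'|'+:'*)
                echo "allow (+ catch-all)"; return 0 ;;
            '+'*)
                n=${line#+}; n=${n%%:*}
                if [ "$n" = "$u" ]; then echo "allow (+$n)"; return 0; fi ;;
            '-'*)
                n=${line#-}; n=${n%%:*}
                if [ "$n" = "$u" ]; then echo "deny (-$n)"; return 1; fi ;;
            *)
                n=${line%%:*}
                if [ "$n" = "$u" ]; then echo "allow (local entry)"; return 0; fi ;;
        esac
    done < "$pw"
    echo "deny (no matching entry)"
    return 1
}

# Constructed sample files: a passwd with explicit grants and a netgroup map.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
+alice:x:::::
-mallory:x:::::
+@dbadmins:x:::::
EOF
    cat > "$2" <<'EOF'
dbadmins (,bob,) (,carol,)
webadmins (,dave,)
EOF
}

pw=$(mktemp); ng=$(mktemp)
write_samples "$pw" "$ng"
for u in root alice bob mallory dave; do
    printf '%-8s %s\n' "$u" "$(compat_decision "$pw" "$ng" "$u")"
done
rm -f "$pw" "$ng"
```

Without a trailing + line, dave (only in webadmins) is refused; append "+:x:::::" and he is admitted, while mallory stays excluded because her -mallory entry comes first.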
Tags: AIX, Authentication, ldap, linux, NIS, solaris, unix
Aug 29 2008
I looked for a long time for a piece of software that manages the messages sent to a central syslog server. Logwatch sends email reports containing tons of messages, or focused on a few applications; such logs usually go unread and are forgotten. I then found out that a Cacti module could do the job, quick and easy.
Installation
Installation steps are clearly described on the Cacti forum.
Note that this module only supports syslog-ng, not syslog.
Configuration
I only filtered the messages to be displayed, restricting them to errors and criticals. This was achieved by modifying the syslog-ng configuration:
filter f_cacti {
    level(error..emerg)
    and not (facility(mail) or facility(authpriv) or facility(cron));
};
source net {
    udp();
};
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$MSG' );\n")
        template-escape(yes)
    );
};
log { source(net); filter(f_cacti); destination(d_mysql); };
log { source(s_sys); filter(f_cacti); destination(d_mysql); };
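The template-escape(yes) line in the destination is easy to overlook but essential: the template builds an SQL statement by pasting message text into quoted literals, so a message containing a quote would otherwise break the statement. As an added example (not from the original post, and not syslog-ng's own code), the shell functions below reproduce that escaping on a constructed message and render the INSERT the way the template would; the host name, timestamps and message are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: what template-escape(yes)
# does to the values interpolated into the INSERT template above.
# A message containing a quote would otherwise end the SQL string literal.

# Escape backslashes first, then single and double quotes, as
# template-escape(yes) does for every macro in the template.
template_escape() {
    sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}

# Render the INSERT for one message: $1 host, $2 facility, $3 priority,
# $4 date, $5 time, $6 message.
render_insert() {
    h=$(printf '%s\n' "$1" | template_escape)
    f=$(printf '%s\n' "$2" | template_escape)
    p=$(printf '%s\n' "$3" | template_escape)
    d=$(printf '%s\n' "$4" | template_escape)
    t=$(printf '%s\n' "$5" | template_escape)
    m=$(printf '%s\n' "$6" | template_escape)
    printf "INSERT INTO syslog_incoming (host, facility, priority, date, time, message) VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' );\n" \
        "$h" "$f" "$p" "$d" "$t" "$m"
}

# Count the single quotes that are not preceded by a backslash; six quoted
# values give 12, an odd number means a literal was broken open.
unescaped_quote_count() {
    printf '%s\n' "$1" | sed -e 's/\\.//g' | tr -cd "'" | wc -c | tr -d ' '
}

# Constructed sample message with a backslash and both kinds of quotes.
SAMPLE_MSG="disk C:\\tmp full, O'Reilly says \"retry\""

render_sample() {
    render_insert server01 daemon err 2008-08-29 10:15:42 "$SAMPLE_MSG"
}

render_sample
echo "unescaped single quotes: $(unescaped_quote_count "$(render_sample)")"
```

The same INSERT without template-escape(yes) would carry 13 bare single quotes, and the statement would fail, or worse, behave differently than intended, on the first apostrophe in a log line.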
Logs can then be filtered with patterns, sorted by server, severity or date, and alerts can be sent, as shown in the screenshot:
Only regret: there is no option to mark a log as "being processed" or "closed", for instance.
Tags: cacti, linux, logging, unix
Jul 26 2008
It is generally good practice to respect the two following rules when backing up databases. The backup has to be consistent, and it has to be fast.
Consistency is easily achieved by putting a read lock on all tables beforehand. However, this is not always done, and skipping it WILL lead to database integrity problems when restoring.
Once the lock has been set on the database, the backup has to be as quick as possible, since every write instruction is held in the queue by the lock.
Mysql and LVM Snapshots
Here are some usual ways to run a backup:
- mysqldump, provided with the MySQL package, is fast enough for very small databases and that's about it! It is safe to run on replication servers, or if you can afford to suspend write operations for a long time.
- A simple tar of the data directory is faster but may still be slow, especially if you run the backup over the network.
- A simple tar coupled with a volume manager that supports snapshots, like Veritas or ZFS. The first option that comes to mind is the Linux Logical Volume Manager (LVM), now shipped as standard with most Linux distributions. With the backup running on a snapshot, tables are locked and unlocked within seconds!
Other methods exist, of course, but we won't deal with them in this article.
Before You Start the Backup
All you need is the MySQL data directory on an LVM partition and 10% of free space in the volume group to create the snapshot. Parameters mirror the mysql client command line, i.e. the same options specify the user and password, for easy usage.
The script connects to your local MySQL server and takes a global read lock. It then creates a snapshot of the LVM partition and releases the lock. The data directory is then archived with tar into the destination folder of your choice, and the snapshot is destroyed once the backup is over.
It should also be run as root. If not, grant sudo on the mount and lv commands, and make sure the user has read access to the MySQL files. Prefer the --password prompt over -p on the command line so the password does not end up in your shell history.
Mysql Backup Script
#!/bin/bash
# Back up a MySQL data directory that lives on an LVM logical volume:
# take a global read lock, snapshot the volume, release the lock, then tar
# the snapshot. Must run as root (or with sudo on mount/umount/lv* commands).
user=$LOGNAME
password=
datadir=
tmpmountpoint="/mnt"
dstdir="/tmp"

usage () {
    echo "Usage: $0 [OPTION]"
    echo "-d, --dest=name        Destination directory. Default is /tmp"
    echo "-h, --help             Display this help and exit."
    echo "-p, --password[=name]  Password to use when connecting to server. If password is"
    echo "                       not given it's asked from the tty."
    echo "-t name                Temporary mount point for the snapshot. Default is /mnt."
    echo "-u, --user=name        User for login if not current user"
    exit 1
}

# Parse the command line; values are taken with parameter expansion so that
# a password containing '=' is kept intact.
until [ -z "$1" ]; do
    case "$1" in
        -u)
            [ -z "$2" ] && usage
            user="$2"
            shift
            ;;
        --user=*)
            user="${1#--user=}"
            ;;
        --password)
            # Prompt on the tty so the password never appears on the command line
            echo -n "Enter password: "
            stty -echo
            read -r password
            stty echo
            echo
            ;;
        --password=*)
            password="${1#--password=}"
            ;;
        -p*)
            password="${1#-p}"
            ;;
        -d)
            [ -z "$2" ] && usage
            dstdir="$2"
            shift
            ;;
        --dest=*)
            dstdir="${1#--dest=}"
            ;;
        -t)
            [ -z "$2" ] && usage
            tmpmountpoint="$2"
            shift
            ;;
        *)
            usage
            ;;
    esac
    shift
done

[ -z "$password" ] && echo "Empty password!" && usage
[ ! -d "$dstdir" ] && echo "$dstdir does not exist" && exit 1
# Refuse to continue if the temporary mount point is already in use
[ "$(mount | grep -c " $tmpmountpoint ")" -ne 0 ] && echo "$tmpmountpoint is already mounted" && exit 1

# Ask the server where its data directory is (trailing slash removed)
datadir=$(mysql -u "$user" -p"$password" -Ns -e "show global variables like 'datadir'" | cut -f 2 | sed -e 's/\/$//')
[ -z "$datadir" ] && echo "Cannot read datadir from the server" && exit 1

# Find the volume group and logical volume the data directory is mounted on.
# Expects a device-mapper name of the form /dev/mapper/<vg>-<lv>, so names
# containing hyphens are not handled.
device=$(mount | grep " $datadir " | cut -d ' ' -f 1)
vg=$(echo "$device" | cut -d '/' -f 4 | cut -d '-' -f 1)
lv=$(echo "$device" | cut -d '/' -f 4 | cut -d '-' -f 2)
[ -z "$lv" ] && echo "Mysql data dir must be mounted on a LVM partition!" && exit 1
snap="${lv}snap"
# The snapshot gets 10% of the filesystem size; that much must be free in the volume group
snapsize=$(expr $(df -m "$datadir" | tail -1 | tr -s ' ' | cut -d ' ' -f 2) / 10)M

# Backup: the global read lock is only held while lvcreate runs
echo "Locking databases"
mysql -u "$user" -p"$password" << EOF
FLUSH TABLES WITH READ LOCK;
system lvcreate --snapshot -n $snap -L$snapsize /dev/$vg/$lv;
UNLOCK TABLES;
quit
EOF
echo "Databases unlocked"
echo "Backing up databases"
mount "/dev/$vg/$snap" "$tmpmountpoint" || { echo "Cannot mount snapshot"; lvremove -f "/dev/$vg/$snap"; exit 1; }
cd "$tmpmountpoint" || exit 1
tar cfz "$dstdir/mysql.tar.gz" *
cd /
umount "$tmpmountpoint"
lvremove -f "/dev/$vg/$snap"
echo "Databases backed up in $dstdir"
exit 0
Tags: backup, linux, LVM, Mysql