Archive for the ‘Hiếu Râu’s tips and tricks’ Category

31 Oct

ssh VPN

   Posted by: admin

Scenario

In this recipe two machines will be configured:

  • A server which is a firewall and has access to a private network
  • A client which initiates the connections to the server and gains direct access to the private network
 --------         /\_/-\/\/-\       -----------------
| Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ]
 --------        \_/-\/\_/\/      / ----------------- \
    ||\                           \          ||\       \
    || {tun0}                      {eth0}    || {tun0}  {eth1}
    ||                                       ||
    \-================= tunnel ==============-/

For this recipe let's number things like this:

  • the private net is 10.99.99.0/24
  • eth0 on the server has public IP 5.6.7.8
  • eth1 on the server has private IP 10.99.99.1
  • the VPN network is 10.254.254.0/30
  • tun0 on the server has private IP 10.254.254.1
  • tun0 on the client has private IP 10.254.254.2

On the Client

If you do not already have them, generate an SSH keypair for root:

$ sudo ssh-keygen -t rsa

/etc/network/interfaces: Add this stanza to the file:

iface tun0 inet static
      pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true
      pre-up sleep 5
      address 10.254.254.2
      pointopoint 10.254.254.1
      netmask 255.255.255.252
      up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0
      post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8

The first time we connect to the server as root we may need to acknowledge saving the server's SSH host key fingerprint:

$ sudo ssh 5.6.7.8
The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.

Don’t bother logging in, just hit CTRL-C.

On the server

/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.

PermitTunnel point-to-point
PermitRootLogin forced-commands-only

The PermitRootLogin line is changed from the default of no. You do restrict root SSH login, right?

/root/.ssh/authorized_keys: Add the following line.

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server

Replace everything starting with “ssh-rsa” with the contents of root's public SSH key from the client (/root/.ssh/id_rsa.pub on the client).

/etc/network/interfaces: Add the following stanza.

iface tun0 inet static
      address 10.254.254.1
      netmask 255.255.255.252
      pointopoint 10.254.254.2

/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1

net.ipv4.conf.default.forwarding=1

This will take effect upon the next reboot so make it active now:

$ sudo sysctl net.ipv4.conf.default.forwarding=1

Using the VPN

user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

user@client:~$ ping -c 2 10.99.99.1
PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms

--- 10.99.99.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.

You may get the two errors after running ifup. No problem, they are harmless.
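The whole recipe hinges on two server-side settings: sshd_config must limit root to forced commands and tunnels to point-to-point, and the key in root's authorized_keys must carry the tunnel= and command= options, because a key line without them is an ordinary, unrestricted root login. As an added check (example code, not part of the original post), the POSIX shell script below audits both files. It assumes sshd_config contains no Match blocks (sshd uses the first uncommented occurrence of a keyword) and that key lines use the ssh-rsa/ssh-ed25519 form shown above; the sample files, the placeholder key material and the client address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the server-side settings
# that keep the tunnel key from turning into an unrestricted root login.
# Assumptions: no Match blocks in sshd_config; keys are ssh-rsa/ssh-ed25519 lines.
# Every sample file below is constructed.

# Print the effective value of keyword $2 in sshd_config $1 (keywords are
# case-insensitive; the first uncommented occurrence wins).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when sshd_config $1 matches the recipe: tunnels limited to
# point-to-point (no layer-2 tap bridging) and root limited to forced commands.
check_sshd_config() {
    sshd_rc=0
    if [ "$(sshd_opt "$1" PermitTunnel)" != "point-to-point" ]; then
        echo "$1: PermitTunnel must be point-to-point"; sshd_rc=1
    fi
    if [ "$(sshd_opt "$1" PermitRootLogin)" != "forced-commands-only" ]; then
        echo "$1: PermitRootLogin must be forced-commands-only"; sshd_rc=1
    fi
    return $sshd_rc
}

# Return 0 when every key in authorized_keys $1 carries both tunnel= and
# command= options; a key without them gives its holder a plain root shell.
# A missing from= option is only reported: it is an extra pin, not a requirement.
check_authorized_keys() {
    ak_rc=0; ak_n=0
    while IFS= read -r ak_line || [ -n "$ak_line" ]; do
        ak_n=$((ak_n + 1))
        case "$ak_line" in ''|'#'*) continue ;; esac
        case "$ak_line" in
            *'tunnel="'*'command="'*|*'command="'*'tunnel="'*) ;;
            *) echo "$1:$ak_n: key lacks tunnel= and/or command= restriction"; ak_rc=1 ;;
        esac
        case "$ak_line" in
            *'from="'*) ;;
            *) echo "$1:$ak_n: note: no from= option, key is usable from any address" ;;
        esac
    done < "$1"
    return $ak_rc
}

# Constructed samples: the settings from the post, the defaults it tells you to
# change, a key file with one restricted and one unrestricted key, and a
# hardened key line. AAAAPLACEHOLDER== is not real key material.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample: matches the post
Port 22
PermitTunnel point-to-point
PermitRootLogin forced-commands-only
EOF
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# constructed sample: stock defaults
PermitTunnel no
PermitRootLogin yes
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample
tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAAPLACEHOLDER== root@client
ssh-rsa AAAAPLACEHOLDER== unrestricted@client
EOF
cat > "$SAMPLE_DIR/authorized_keys.good" <<'EOF'
from="203.0.113.10",no-pty,no-agent-forwarding,no-X11-forwarding,tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAAPLACEHOLDER== root@client
EOF

# Stand-alone run: report on each sample (a non-zero status means a finding).
for f in sshd_config sshd_config.weak; do
    check_sshd_config "$SAMPLE_DIR/$f" && echo "$f: ok"
done
for f in authorized_keys authorized_keys.good; do
    check_authorized_keys "$SAMPLE_DIR/$f" && echo "$f: ok"
done
```

Run it against the live files with check_sshd_config /etc/ssh/sshd_config and check_authorized_keys /root/.ssh/authorized_keys. The from=, no-pty, no-agent-forwarding and no-X11-forwarding options in the hardened sample are standard authorized_keys options: from= pins the key to the client's address, and the others switch off features the forced command never needs.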

5 Oct

expect example

   Posted by: admin

#!/usr/bin/expect -f
set timeout 60
set env(TERM)

# log in to the orafed box, start the Oracle instance, then start the listener
spawn orafed orafed
expect "assw"
send "123456\r"
expect "orafed"
send "sqlplus / as sysdba\r"
expect "SQL>"
send "startup;\r"
expect "SQL>"
send "exit\r"
expect "orafed"
send "lsnrctl start\r"
expect "command completed"
send "exit\r"

-------

#!/usr/bin/expect -f
set timeout 60
set env(TERM)

# usage: script.exp <user> <host>
set vuser [lindex $argv 0]
set vhost [lindex $argv 1]

spawn ssh $vuser@$vhost
expect {
    "*assword" { send "thispass\r" }
    timeout { exit 2 }
}

expect {
    "thisTerm" { send "ssh nextuser@nextterm\r"
        exp_continue }
    "*assword: " {
        # ask the operator for the second hop's password instead of storing it
        stty -echo
        send_user "ask pass: "
        expect_user -re "(.*)\n"
        send_user "\n"
        send "$expect_out(1,string)\r"
        stty echo
        exp_continue
    }
    "nextTerm" { send "w\r" }
}

# hand the session to the user; typing "done" runs ls -la and returns control here
interact {
    "done" { send_user "send ls -la\r"; send "ls -la\r"; return }
}

expect {
    "nextTerm" { send "exit\r"; exp_continue }
    "thisTerm" { send -- "exit\r" }
    timeout { exit 3 }
}

3 Apr

solaris tips

   Posted by: admin

List all services, enable or disable one:

# svcs
# svcadm [enable|disable] [service]

Enable/disable the X (CDE) login:

# /usr/dt/bin/dtconfig [-d|-e]

Install packages downloaded from sunfreeware.com:

# gunzip package_local.gz
# pkgadd -d package_local
# pkgrm
# reboot

Change the hostname in /etc/hostname.e1000g0 and /etc/nodename.

Enable DHCP on the interface with: # touch /etc/dhcp.e1000g0

hint: flash=1, mirror=1, remove mirror part

29 Mar

radius - ldap

   Posted by: admin

Install freeradius, then edit the configuration in /etc/freeradius (or /etc/raddb, depending on the distribution):

vi radiusd.conf

ldap {
        server = "demo1"
        identity = "myaccount"
        password = "mypassword"
        basedn = "OU=Users,OU=Production,DC=demo,DC=com,DC=vn"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=OU=Groups,OU=Production,DC=demo,DC=com,DC=vn))"
        #password_attribute = userPassword
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no
        # tls_cacertfile        = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"      <<-- comment this line out
        # Mapping of RADIUS dictionary attributes to LDAP

Uncomment ldap in the authorize and authenticate sections.

vi clients.conf

client 10.100.0.0/24 {
        secret          = mypassword
        shortname       = hcm-network-vl100
}

vi users

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

Test with:

radtest user pass 127.0.0.1 0 testing123

29 Mar

httpd - ldap

   Posted by: admin

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

AuthType Basic
AuthBasicProvider ldap
AuthName "DEMO"
AuthLDAPURL "ldap://demo1.demo.com.vn:3268 demo2:3268/DC=demo,DC=com,DC=vn?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN demo\myaccount
AuthLDAPBindPassword mypassword
Require ldap-group OU=Groups,OU=Production,DC=demo,DC=com,DC=vn
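Both the FreeRADIUS ldap block above and this Apache snippet bind to the directory over plain ldap:// (start_tls = no, port 3268), so the bind account's password and every user's credentials cross the network unencrypted, and both keep the bind password inline in the config file. As an added example (not code from either post), the POSIX shell script below scans such files for cleartext LDAP settings and counts inline secrets. The sample files are constructed from the two snippets on this page; the file names, the CA path and port 3269 (Global Catalog over TLS) in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original posts: find LDAP binds that travel in
# clear text and count bind credentials stored inline, in FreeRADIUS rlm_ldap
# blocks and Apache mod_authnz_ldap snippets. All sample files are constructed.

# Print (with line numbers) every uncommented line that selects a cleartext LDAP
# connection: start_tls = no in an rlm_ldap block, or an AuthLDAPURL that uses
# ldap:// rather than ldaps://. Return 1 when anything was printed, 0 when clean.
ldap_cleartext_findings() {
    if grep -nE \
        -e '^[[:space:]]*start_tls[[:space:]]*=[[:space:]]*no([[:space:]]|$)' \
        -e '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1"; then
        return 1
    fi
    return 0
}

# Same patterns, but only report how many such lines there are.
ldap_cleartext_count() {
    grep -cE \
        -e '^[[:space:]]*start_tls[[:space:]]*=[[:space:]]*no([[:space:]]|$)' \
        -e '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1" || true
}

# Count lines that carry a bind password or shared secret inline
# (password = ..., secret = ..., AuthLDAPBindPassword ...), so the file's
# permissions can be checked and the secret rotated if the file ever leaks.
ldap_secret_count() {
    grep -cE '^[[:space:]]*((password|secret)[[:space:]]*=|AuthLDAPBindPassword[[:space:]]+)[[:space:]]*[^[:space:]]' "$1" || true
}

LDAP_SAMPLES=$(mktemp -d)
cat > "$LDAP_SAMPLES/radiusd.conf" <<'EOF'
# constructed: the rlm_ldap block from the radius post, trimmed
ldap {
        server = "demo1"
        identity = "myaccount"
        password = "mypassword"
        basedn = "OU=Users,OU=Production,DC=demo,DC=com,DC=vn"
        #password_attribute = userPassword
        start_tls = no
        # tls_cacertfile        = /path/to/cacert.pem
}
EOF
cat > "$LDAP_SAMPLES/httpd-ldap.conf" <<'EOF'
# constructed: the mod_authnz_ldap snippet from the httpd post
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://demo1.demo.com.vn:3268/DC=demo,DC=com,DC=vn?sAMAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN demo\myaccount
AuthLDAPBindPassword mypassword
Require ldap-group OU=Groups,OU=Production,DC=demo,DC=com,DC=vn
EOF
cat > "$LDAP_SAMPLES/httpd-ldap-hardened.conf" <<'EOF'
# constructed: same snippet over LDAPS with the CA pinned (CA path is assumed)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/demo-ca.pem
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://demo1.demo.com.vn:3269/DC=demo,DC=com,DC=vn?sAMAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN demo\myaccount
AuthLDAPBindPassword mypassword
EOF

# Stand-alone run over the three samples.
for f in radiusd.conf httpd-ldap.conf httpd-ldap-hardened.conf; do
    echo "== $f: $(ldap_secret_count "$LDAP_SAMPLES/$f") inline secret line(s)"
    ldap_cleartext_findings "$LDAP_SAMPLES/$f" && echo "   no cleartext LDAP bind"
done
```

Switching the radius block to start_tls = yes with tls_cacertfile set, and the Apache URL to ldaps:// with LDAPTrustedGlobalCert in the server config (the directive is not valid inside a directory or location block), clears the first check. The second check only counts secrets: keep those files mode 0600, and on Apache 2.4.5 or later AuthLDAPBindPassword accepts an exec: prefix so the password can be fetched from a program instead of living in the file.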

23 Mar

USB 3G modem 4linux

   Posted by: admin

Find the modem's vendor and product IDs, then bind it to usbserial instead of usb-storage:

# lsusb
vendor=0x0471 product=0x1237

# rmmod usb-storage
# modprobe usbserial vendor=0x0471 product=0x1237

-----------------------------------------

# file wvdial.conf
# internet Dialer version 1.56
# created by Cyblade
# Written for the E220 usb modem
[Dialer Defaults]
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Stupid Mode = 1
Modem Type = Analog Modem
ISDN = 0
Phone = *99***1#
Modem = /dev/ttyUSB0
username = username
Password = password
Dial Command = ATDT
Baud = 466600
Init4 = AT+CGDCONT=1,"IP","e-connect"

----------------------------

To make the binding permanent, add to /etc/modprobe.d/modprobe.conf:

options usbserial vendor=0x0471 product=0x1237

28 Jul

GSMSMSD - KQEMU

   Posted by: admin

Receive SMS into /SMS_IN (one file per message, named by timestamp) and send from /SMS_OUT:

gsmsmsd -a 'tail -n 30 > /SMS_IN/`date +%y%m%d-%H%M%S`' -d /dev/ttyS0 -b 9600 -s /SMS_OUT -t sm -f no_cb no_stat sms &

Boot options for the guest:

autoexec=xampp changes=/dev/hda1/ noagp nosound nopcmcia noauto

qemu.exe -L . -m 256M -hda hda.img -cdrom slaxdev.iso -localtime -M pc -net nic -net user -redir tcp:3306::3306 -redir tcp:8080::80 -redir tcp:2222::22 -boot d -vnc 127.0.0.1:100 -k en-us -serial COM1

17 Jun

LVS

   Posted by: admin

ldirectord is included in the Heartbeat (Linux-HA) package.

vi /etc/ha.d/ldirectord.conf

checktimeout=3
checkinterval=10
autoreload=yes
quiescent=yes
virtual=10.10.50.28:2323
        real=10.10.50.165:2323 gate 80
        real=10.10.50.162:2323 gate 80
        service=simpletcp
        scheduler=wrr
        protocol=tcp
        persistent=300
        netmask=255.255.255.255
        checktype=connect
        checkport=2323

echo 1 > /proc/sys/net/ipv4/vs/expire_quiescent_template

ldirectord needs these Perl modules:

perl -MCPAN -e shell
> install LWP::UserAgent
> install Mail::Send

/etc/init.d/ldirectord start
ipvsadm -L -n [ -c | --rate | --persistent-conn | --stats ]

-- direct routing: on each real server, stop it answering ARP for the VIP and bind the VIP to lo --

echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
ifconfig lo:1 10.10.50.28/32 -arp up

10 Jun

IETD iSCSI SAN - OCFS2

   Posted by: admin

download http://slackbuilds.org/repository/12.2/network/iscsitarget/

download src (link in iscsitarget.info)

./iscsitarget.SlackBuild

installpkg /tmp/iscsitarget-0.4.17-i486-1_SBo.tgz

vi /etc/ietd.conf

Target iqn.2001-04.com.example:storage.disk2.sys1.xyz
# Users, who can access this target. The same rules as for discovery
# users apply here.
# Leave them alone if you don’t want to use authentication.
#IncomingUser joe secret
#OutgoingUser jim 12charpasswd
# Logical Unit definition
# You must define one logical unit at least.
# Block devices, regular files, LVM, and RAID can be offered
# to the initiators as a block device.
Lun 0 Path=/dev/drbd1,Type=blockio
# Alias name for this target
Alias Test

/etc/rc.d/rc.iscsi-target start

OCFS2

download http://oss.oracle.com/projects/ocfs2-tools/files/

mkdir /etc/sysconfig

touch /sbin/chkconfig ; chmod 755 /sbin/chkconfig

rpm -ivh --nodeps ocfs2-tools-1.4.2-1.el5.i386.rpm

vi /etc/sysconfig/o2cb

O2CB_ENABLED=true
vi /etc/ocfs2/cluster.conf
node:
        ip_port = 7777
        ip_address = 10.10.50.6
        number = 0
        name = GSX-2
        cluster = ocfs2
node:
        ip_port = 7777
        ip_address = 10.10.50.5
        number = 1
        name = GSX-1
        cluster = ocfs2

cluster:
        node_count = 2
        name = ocfs2
vi /etc/init.d/o2cb
# Let's try to use the LSB functions
. /lib/lsb/init-functions
if [ $? != 0 ]
then
echo "Unable to load LSB init functions" >&2
# exit 1        (commented out so the script carries on without the LSB helpers)
fi
/etc/init.d/o2cb configure
/etc/init.d/o2cb start
mkfs.ocfs2 -b 4k -C 32K -N 4 /dev/sdd1
mount -t ocfs2 /dev/sdd1 /mnt    (on all nodes)
/etc/init.d/o2cb status
/etc/init.d/o2cb: line 22: /lib/lsb/init-functions: No such file or directory
Unable to load LSB init functions
Driver for “configfs”: Loaded
Filesystem “configfs”: Mounted
Driver for “ocfs2_dlmfs”: Loaded
Filesystem “ocfs2_dlmfs”: Mounted
Checking O2CB cluster ocfs2: Online
Heartbeat dead threshold = 7
Network idle timeout: 10000
Network keepalive delay: 5000
Network reconnect delay: 2000
Checking O2CB heartbeat: Active

9 Jun

DRBD - BONDING - HA

   Posted by: admin

/usr/src/linux/Documentation/networking

gcc -Wall -O -I/usr/src/linux/include ifenslave.c -o ifenslave

cp ifenslave /sbin/ifenslave

vi rc.bond

#!/bin/sh
#
        case "$1" in
          'start')
            echo "start bond0"
            #modprobe bonding mode=balance-alb miimon=100
            modprobe bonding mode=balance-rr miimon=100
            modprobe tg3
            ifconfig bond0 up
            ifenslave bond0 eth0
            ifenslave bond0 eth1
            #TODO need to be changed
            ifconfig bond0 hw ether 00:16:3e:aa:aa:aa
          ;;
          'stop')
            ifconfig bond0 down
            rmmod bonding
            rmmod tg3
          ;;
          *)
            echo "Usage: $0 {start|stop}"
          ;;
        esac

vi rc.M
Before "# Initialize the networking hardware", add:
# If script rc.bond is executable then start it
if [ -x /etc/rc.d/rc.bond ]; then
  . /etc/rc.d/rc.bond start
fi
vi rc.inet1.conf
And add these lines to it before the default gateway gets assigned:
IFNAME[4]="bond0"
IPADDR[4]="XXX.XX.XX.XX"
NETMASK[4]="255.255.255.0"
USE_DHCP[4]=""
DHCP_HOSTNAME[4]=""

cat /proc/net/bonding/bond0

DRBD

Kernel 2.6: enable "Device Drivers -> Connector - unified userspace <-> kernelspace linker" and load it:
modprobe cn
download http://oss.linbit.com/drbd/
make; make install
Then write /etc/drbd.conf:


global {
    usage-count yes;
}

common {
  syncer { rate 10M; }
}

resource r0 {

  protocol C;

  handlers {
    pri-on-incon-degr "/usr/lib/drbd/notify-pri-on-incon-degr.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    pri-lost-after-sb "/usr/lib/drbd/notify-pri-lost-after-sb.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    local-io-error "/usr/lib/drbd/notify-local-io-error.sh; /usr/lib/drbd/notify-emergency-shutdown.sh; echo o > /proc/sysrq-trigger ; halt -f";
    outdate-peer "/usr/lib/heartbeat/drbd-peer-outdater -t 5";
  }

  startup {
    wfc-timeout  5;
    degr-wfc-timeout 120;    # 2 minutes.
    outdated-wfc-timeout 2;  # 2 seconds.
  }

  disk {
    on-io-error   detach;
  }

  net {
    max-buffers     8192;
    cram-hmac-alg "sha1";
    shared-secret "hieuvpn";
    after-sb-0pri discard-least-changes;
    after-sb-1pri discard-secondary;
    after-sb-2pri violently-as0p;
    rr-conflict disconnect;
  }

  syncer {
    rate 10M;
    al-extents 257;
  }

  on drdb-one {
    device    /dev/drbd0;
    disk      /dev/hda3;
    address   10.10.50.26:7788;
    meta-disk internal;
  }

  on drdb-two {
    device    /dev/drbd0;
    disk      /dev/hda3;
    address   10.10.50.27:7788;
    meta-disk internal;
  }

}

resource r1 {

  protocol C;

  handlers {
    pri-on-incon-degr "/usr/lib/drbd/notify-pri-on-incon-degr.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    pri-lost-after-sb "/usr/lib/drbd/notify-pri-lost-after-sb.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    local-io-error "/usr/lib/drbd/notify-local-io-error.sh; /usr/lib/drbd/notify-emergency-shutdown.sh; echo o > /proc/sysrq-trigger ; halt -f";
    outdate-peer "/usr/lib/heartbeat/drbd-peer-outdater -t 5";
  }

  startup {
    wfc-timeout  5;
    degr-wfc-timeout 120;    # 2 minutes.
    outdated-wfc-timeout 2;  # 2 seconds.
  }

  disk {
    on-io-error   detach;
  }

  net {
    max-buffers     8192;
    cram-hmac-alg "sha1";
    shared-secret "hieuvpn";
    after-sb-0pri discard-least-changes;
    after-sb-1pri discard-secondary;
    after-sb-2pri violently-as0p;
    rr-conflict disconnect;
  }

  syncer {
    rate 10M;
    al-extents 257;
  }

  on drdb-one {
    device    /dev/drbd1;
    disk      /dev/hdb;
    address   10.10.50.26:7790;
    meta-disk internal;
  }

  on drdb-two {
    device    /dev/drbd1;
    disk      /dev/hdb;
    address   10.10.50.27:7790;
    meta-disk internal;
  }

}


Before starting the primary node, you should create the metadata for the devices:
root-shell> drbdadm create-md all
root-shell> /etc/init.d/drbd start
root-shell> drbdadm -- --overwrite-data-of-peer primary all
root-shell> mkfs.ext3 /dev/drbd0
root-shell> mount /dev/drbd0 /mnt/drbd

To set up a secondary node:
Copy the /etc/drbd.conf file from your primary node to your secondary node.
root-shell> drbdadm create-md all
root-shell> /etc/init.d/drbd start

Check the resource state with:
cat /proc/drbd

Useful commands:
root-shell> drbdadm primary all
root-shell> drbdadm secondary all
root-shell> drbdadm disconnect all
root-shell> drbdadm connect all

If split brain occurs, run this on the node whose data is to be discarded:
drbdadm -- --discard-my-data connect all
(or force a full resync with drbdadm invalidate all)
and then run drbdadm connect all on the other side.

HA

download http://www.slackware.com/~alien/slackbuilds/libnet/pkg/11.0/libnet-1.1.2.1-i486-1.tgz
download http://hg.linux-ha.org/lha-2.1/archive/STABLE-2.1.4.tar.bz2
tar -jxvf heartbeat.tar.bz2
./ConfigureMe configure
make; make install
vi ha.cf
logfacility local0
keepalive 500ms
deadtime 10
warntime 5
initdead 30
mcast bond0 225.0.0.1 694 2 0
auto_failback off
node drdb-one
node drdb-two
ping 10.10.50.254 10.10.50.50
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
deadping 5
vi haresources
drdb-two drbddisk Filesystem::/dev/drbd0::/raid1::ext3 mysql 10.10.50.28
vi resource.d/mysql.resource
#!/bin/bash
#
# This script is intended to be used as a resource script by heartbeat
#
# Mar 2006 by Monty Taylor
#
###
. /etc/ha.d/shellfuncs
case "$1" in
    start)
        res=`/etc/init.d/mysql start`
        ret=$?
        ha_log "$res"
        exit $ret
        ;;
    stop)
        res=`/etc/init.d/mysql stop`
        ret=$?
        ha_log "$res"
        exit $ret
        ;;
    status)
        # grep -q avoids the "too many arguments" error the original
        # [ `ps ... | grep` ] test raises when more than one mysqld line matches
        if ps -ef | grep -q '[m]ysqld' ; then
           echo "running"
        else
           echo "stopped"
        fi
        ;;
    *)
        echo "Usage: mysql {start|stop|status}"
        exit 1
        ;;
esac
exit 0