Erralt

Ulimit, setting max open files, temporarily and permanently

Posted in Administration, LF, Linux by erralt on 25 November 2010

You tried:
me$ ulimit -n 4096
and you still have 1024 max open files?

You tried to add this line to /etc/security/limits.conf:
me hard nofile 4096
and you still have 1024 max open files?

After that, you tried:
me$ ulimit -n 4096
but on the next login, max open files went back to 1024?

The hard line only raises the ceiling; the soft limit, which is what ulimit -n reports and what your processes actually get, stays at 1024 until it is set as well. So, add the following line to /etc/security/limits.conf:
me soft nofile 4096
It permanently raises the max open files soft limit from 1024 to 4096!
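As an added example (not from the original post), here is a small Python script that reads the soft and hard nofile values a limits.conf text gives a user, shows the two values the shell reports, and attempts what ulimit -n does through setrlimit. The pam_limits precedence rules it applies are assumptions stated in the docstring; the limits.conf contents are constructed.

```python
import resource

def limits_conf_nofile(text, user):
    """(soft, hard) nofile values a /etc/security/limits.conf text gives `user`,
    each None when no line sets it: the post's gotcha is a "hard" line alone.

    Rules assumed here, from pam_limits(8): "<domain> <type> <item> <value>",
    type "-" sets both soft and hard, domain "*" is the default for everyone,
    a line naming the user overrides it, and a later line beats an earlier one."""
    wild, mine = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nofile":
            continue
        domain, kind, _, value = fields
        target = mine if domain == user else wild if domain == "*" else None
        if target is None:  # @group lines and other users are out of scope here
            continue
        if kind in ("soft", "-"):
            target["soft"] = value
        if kind in ("hard", "-"):
            target["hard"] = value
    effective = {**wild, **mine}
    return effective.get("soft"), effective.get("hard")

def current_nofile():
    """(soft, hard) for this process: what `ulimit -Sn` and `ulimit -Hn` print.
    `ulimit -n` on its own prints only the soft value."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)

def raise_soft_nofile(target):
    """Do what `ulimit -n target` does to the soft limit; True on success.
    An unprivileged process cannot go above the hard limit, which is why a
    hard line in limits.conf is needed first when the target exceeds it."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard != resource.RLIM_INFINITY and target > hard:
        return False
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    except (ValueError, OSError):
        return False
    return True
```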


Embedded archives in your shell scripts

Posted in Administration, LF, Linux by erralt on 16 August 2010

My problem was how to install my servers, creating or modifying several files, with a single script that I could simply paste into my SSH console.

It’s pretty easy to do, good news.

The principle is to have a variable which contains all the files the script needs.
This is done with the base64 command, which gives me a string that does not interfere with the rest of the script.

How to use it? What to put in the variable?

For an entire archive (no spaces around the = in shell assignments, and tr joins the base64 output into one line):
ARCHIVE=$(tar -c /path/to/files | gzip | base64 | tr -d '\n')
or just one file:
ARCHIVE=$(gzip < /path/to/file | base64 | tr -d '\n')
If you don't want to compress, remove the gzip step.

The variable looks like a plain alphanumeric string. Put it on one line (it may work when the string is wrapped, but I ran into problems).
ARCHIVE="PD9YTUwgdmVyc2lvbj0iMS4xIiBlbmNvZGluZz0iVVRGLTgiPz4NPCFET0NUWVBFIGtleWJvYXJkIFBVQkxJQyAiIiAiZmlsZTovL2xvY2FsaG9zdC9TeXN0ZW0vTGlicmFyeS9EVERzL0tleWJvYXJkTGF5b3V0LmR0ZCI+DTwhLS1MYXN0IGVkaXRlZCBieSBVa2VsZWxlIHZlcnNpb24gZW1hIiBvdXRwdXQ9IsKoIi8+DSAgICA8L3Rlcm1pbmF0b3JzPg08L2tleWJvYXJkPg0="

And finally, run the steps in reverse to restore the files contained in $ARCHIVE.
For an archive:
echo "$ARCHIVE" | base64 -d | gzip -d | tar -x
(use tar's -t option instead of -x first to list the contents and check what you are about to extract)
or just one file:
echo "$ARCHIVE" | base64 -d | gzip -d > destination-file
If you don't want to compress, remove the gzip -d step.


TypeMatrix french key layout for Mac OS X

Posted in LF, MacOSX by erralt on 31 July 2010

Here is the TypeMatrix French keylayout file for Mac OS X: http://www.erralt.info/TypeMatrix-Fr-MacOSX.keylayout (put it in /Library/Keyboard Layouts).

For the French key layout of TypeMatrix keyboards (be sure to switch to « 102 keys keyboard » using the « Fn+F2 » combination):

Follow these instructions http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=Ukelele to install the new key layout, then enable the « TypeMatrix-Fr-MacOSX » input method.

You're now ready to type in French!

Make SFTP and umask working

Posted in Administration, LF, Linux by erralt on 5 May 2010

In /etc/ssh/sshd_config, use this line to make SFTP respect a custom umask:

Subsystem sftp /bin/sh -c 'umask 0002; exec /usr/lib/openssh/sftp-server'

OpenLDAP, syncrepl via TLS/SSL

Posted in Administration, LF, Linux by erralt on 19 January 2010

I had to configure an OpenLDAP consumer to replicate data from my OpenLDAP provider.

First of all, my OpenLDAP server does not use slapd.conf directives but cn=config directives.
All the configuration examples I found on the Internet used slapd.conf, so I had to work out by myself how to translate slapd.conf directives into cn=config directives, especially the syncrepl ones.


On the provider


1/ Add the attribute « olcModuleLoad » with the value « syncprov » to the module entry

the server will rewrite your modification as:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap

Equivalent in slapd.conf:

module syncprov


2/ Add the overlay directive with its sub-options

– add this entry under the node of a database backend configuration, not under the master cn=config node (that does not work, I made that mistake). Check that your database type is bdb or hdb, because syncrepl only works with one of those.

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Adjust olcSpCheckpoint and olcSpSessionlog as you want.

Equivalent in slapd.conf:

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


3/ Add indexes for entryCSN and entryUUID:

on the node dn: olcDatabase={1}hdb,cn=config, add

olcDbIndex: entryCSN,entryUUID eq

Here are the syncprov options translated to their cn=config names:

syncprov-checkpoint -> olcSpCheckpoint
syncprov-sessionlog -> olcSpSessionlog
syncprov-nopresent -> olcSpNoPresent
syncprov-reloadhint -> olcSpReloadHint


On the consumer


Configuration of syncrepl :

On the node of your database configuration (for me: dn: olcDatabase={1}hdb,cn=config), add the following attribute and value. In LDIF, a long value continues on lines that start with a space, which LDIF strips, so a second space is needed to separate the options:

olcSyncrepl: {0}rid=000 provider=ldap://provider.mydomain.net
  searchbase=dc=mydomain.net
  bindmethod=simple
  binddn=cn=syncrepl,dc=mydomain.net
  credentials=XXXXX
  retry="60 +"
  type=refreshOnly
  interval=00:00:10:00

Equivalent in slapd.conf (continuation lines are indented):

syncrepl rid=000 provider=ldap://provider.mydomain.net
  searchbase=dc=mydomain.net
  bindmethod=simple
  binddn=cn=syncrepl,dc=mydomain.net
  credentials=XXXXX
  retry="60 +"
  type=refreshOnly
  interval=00:00:10:00

At this point, the provider directory should replicate to the consumer directory in clear text. Verify that everything works before going further.
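An added example, not from the post or the OpenLDAP project: a small Python converter that applies the post's mapping in the opposite direction, turning slapd.conf's overlay syncprov / syncprov-* lines and a multi-line syncrepl directive into cn=config LDIF (the overlay entry for ldapadd and the olcSyncrepl modification for ldapmodify), folding long LDIF lines correctly. The default db_dn of olcDatabase={1}hdb,cn=config is the post's; adjust it to your own database entry.

```python
# slapd.conf -> cn=config attribute names for the syncprov overlay (table from the post)
SYNCPROV_OPTS = {
    "syncprov-checkpoint": "olcSpCheckpoint",
    "syncprov-sessionlog": "olcSpSessionlog",
    "syncprov-nopresent": "olcSpNoPresent",
    "syncprov-reloadhint": "olcSpReloadHint",
}

def join_continuations(text):
    """slapd.conf continues a directive on lines starting with whitespace;
    blank lines and # comments are dropped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def fold_ldif(attr, value, width=76):
    """LDIF wraps lines at `width`; every continuation line starts with one space."""
    line = "%s: %s" % (attr, value)
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def slapd_conf_to_ldif(text, db_dn="olcDatabase={1}hdb,cn=config"):
    """Emit the provider's syncprov overlay entry and/or the consumer's olcSyncrepl
    change under db_dn, which must be the database entry, not cn=config itself."""
    overlay, syncrepl = [], []
    for line in join_continuations(text):
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "overlay" and value == "syncprov":
            overlay.append(("olcOverlay", "{0}syncprov"))
        elif key in SYNCPROV_OPTS:
            overlay.append((SYNCPROV_OPTS[key], value))
        elif key == "syncrepl":  # credentials=... is copied along: keep the LDIF private
            syncrepl.append(("olcSyncrepl", "{%d}%s" % (len(syncrepl), value)))
    blocks = []
    if overlay:
        entry = ["dn: olcOverlay={0}syncprov," + db_dn,
                 "objectClass: olcOverlayConfig", "objectClass: olcSyncProvConfig"]
        blocks.append("\n".join(entry + [fold_ldif(a, v) for a, v in overlay]))
    if syncrepl:
        change = ["dn: " + db_dn, "changetype: modify", "add: olcSyncrepl"]
        blocks.append("\n".join(change + [fold_ldif(a, v) for a, v in syncrepl]))
    return "\n\n".join(blocks) + "\n"
```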


Using TLS/SSL

Before any TLS/SSL configuration of the OpenLDAP server, add the « openldap » user to the « ssl-cert » group.

Then check that the « openldap » user can read the /etc/ssl/private/server.key file.

On the provider

Check that the provider is correctly configured for SSL or TLS connections.
To check an SSL connection, run:

ldapsearch -H ldaps://provider.mydomain.net -x -W

To check a TLS connection:

ldapsearch -H ldap://provider.mydomain.net -W -x -ZZ


On the consumer

* For an SSL connection, in the syncrepl configuration:
– change the provider option to use ldaps:// instead of ldap://
– add these options:

tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key

* For a TLS connection, in the syncrepl configuration:
– keep the provider option using ldap://
– add these options:

starttls=yes
tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key

* I got this error :

main: TLS init def ctx failed: -1

=> I had a look at http://readthefuckingmanual.net/2010/01 and my problem came from not following symbolic links, weird.

* I got this error :

main: TLS init def ctx failed: -207

=> It seems to be an error when checking the SSL chain (have a look at this thread on the OpenLDAP list). I used certtool from the GnuTLS package to create a self-signed certificate.

* I got this error :

main: TLS init def ctx failed: -69

=> remove the passphrase from the key.

Now everything works, but sometimes I get this error:

slap_client_connect: URI=ldaps://****.*****.net DN="cn=syncrepl,dc=*****.net" ldap_sasl_bind_s failed (-1)

and I don't know whether it's critical. It seems not to be: it works again afterwards.

———
Example log of a syncrepl run that works:

hdb_modify: updated id=00000032 dn="cn=*****,ou=users,dc=*****.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: syncrepl_entry: rid=000 be_modify cn=*****,ou=users,dc=*****.net (0)
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: =>do_syncrepl rid=000
slapd[19443]: =>do_syncrep2 rid=000
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: do_syncrep2: cookie=rid=000,csn=20100109013243.742646Z#000000#000#000000
slapd[19443]: slap_queue_csn: queing 0x7f0b4ab5f9c0 20100109013243.742646Z#000000#000#000000
slapd[19443]: hdb_modify: dc=******.net
slapd[19443]: bdb_dn2entry("dc=******.net")
slapd[19443]: bdb_modify_internal: 0x0000001d: dc=*****.net
slapd[19443]:  entry_encode(0x0000001d):
slapd[19443]: <= entry_encode(0x0000001d):
slapd[19443]: hdb_modify: updated id=0000001d dn="dc=******.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: slap_graduate_commit_csn: removing 0x7f0b4ab5fa00 20100109013243.742646Z#000000#000#000000

——–
To check whether slapd is linked against GnuTLS or OpenSSL:

# ldd $(which slapd)
        linux-vdso.so.1 =>  (0x00007fff2a318000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f103bb68000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f103b95a000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f103b5f8000)
        libodbc.so.1 => /usr/lib/libodbc.so.1 (0x00007f103b398000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0x00007f103b186000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f103af6c000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f103acca000)  <=====
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f103aa91000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f103a878000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f103a66e000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00007f103a463000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f103a247000)
        libc.so.6 => /lib/libc.so.6 (0x00007f1039ed8000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1039cbe000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f1039aba000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f10398a9000)
        libz.so.1 => /lib/libz.so.1 (0x00007f1039692000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f103941a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f103bdb1000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f1039216000)

Edit: pay attention to /usr/local/etc/openldap/ldap.conf, which is used by ldapsearch and seems to make syncrepl work more easily.
Found with « strace ldapsearch -b dc=mydomain.net -x -ZZ »: ldapsearch does not use /etc/ldap/ldap.conf on Ubuntu 9.10 (Karmic).

Pnp4nagios, adding a datasource to a rrd file (not only for pnp4nagios)

Posted in Administration, LF, Linux by erralt on 14 January 2010

Pnp4nagios

Pnp4nagios (http://docs.pnp4nagios.org/pnp-0.6/start) is a monitoring tool based on RRDtool (http://www.rrdtool.org) for data storage and on PHP for the frontend.

This tool parses the performance data provided by Nagios probes, which follows this format: 'data name'=value; (more details on this page: http://nagiosplug.sourceforge.net/developer-guidelines.html#AEN201)

I use Pnp4nagios and I got this error (in the Disk.xml file, for example) after adding a new data item to the output of a Nagios probe.

<TXT>expected 10 data source readings (got 14) from 1263470356:794:378:49</TXT>

Natively, Pnp4nagios cannot add a new datasource on the fly, and neither can RRDTool. So I had to search for a useful tool.

I found this post on a blog (http://michael.thegrebs.com/2007/12/30/adding-a-datastore-to-an-rrd-file) which made me a bit happy.

RRD

I installed RRD::Simple with CPAN. I had to force the installation because of an error in the perlpod.

# cpan
cpan> force install RRD::Simple

I took the script provided in the post and modified it to fit my needs:

/root/rrd_add_datasource.pl:

#!/usr/bin/perl
# Add a datasource to an existing RRD file (needs RRD::Simple from CPAN).
# Usage: rrd_add_datasource.pl <rrd file> <DS name> <DS type, e.g. GAUGE>

use strict;
use warnings;

use RRD::Simple ();

my ($rrd_file, $DS_name, $DS_type) = @ARGV;
die "usage: $0 <rrd file> <DS name> <DS type>\n"
    unless defined $rrd_file && defined $DS_name && defined $DS_type;
die "no such file: $rrd_file\n" unless -f $rrd_file;

my $rrd = RRD::Simple->new();

print "Processing $rrd_file...";
$rrd->add_source($rrd_file, $DS_name => $DS_type);
print " ok.\n";

I launched this command for each $DS_name I wanted (11, 12, 13 and 14):

/root/rrd_add_datasource.pl $rrd_file $DS_name GAUGE

Finally, it works fine!

I hope my post will be useful to other people, and I repeat that it's not specific to Pnp4nagios.
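An added example (not the post's code) of the other half of the problem: parsing Nagios perfdata, building the timestamp:v1:v2:... string that rrdtool update receives (the one quoted in the error above), and working out which numbered datasources have to be added when a probe starts emitting more readings than the RRD holds, pnp4nagios naming its datasources 1..N. The sample perfdata line is constructed.

```python
import re

# Nagios plugin perfdata item: 'label'=value[UOM];[warn];[crit];[min];[max]
# (the label is quoted only when it contains spaces or an '=')
_PERF_RE = re.compile(
    r"(?:'([^']+)'|([^\s='\"]+))=([-+]?[0-9.]+)([A-Za-z%]*)((?:;[^;\s]*){0,4})")

def parse_perfdata(perfdata):
    """Return [(label, value)] in the order the plugin printed them."""
    out = []
    for m in _PERF_RE.finditer(perfdata):
        label = m.group(1) or m.group(2)
        out.append((label, float(m.group(3))))
    return out

def rrd_update_args(timestamp, perfdata):
    """The 'timestamp:v1:v2:...' argument pnp4nagios hands to rrdtool update."""
    values = [v for _, v in parse_perfdata(perfdata)]
    return ":".join([str(timestamp)] + ["%g" % v for v in values])

def missing_datasources(perfdata, rrd_ds_count):
    """Names of the datasources to add (pnp4nagios numbers them 1..N) when the
    probe emits more readings than the RRD has; [] when the counts match.
    Fewer readings than datasources is raised with the message rrdtool gives."""
    got = len(parse_perfdata(perfdata))
    if got < rrd_ds_count:
        raise ValueError("expected %d data source readings (got %d)" % (rrd_ds_count, got))
    return [str(i) for i in range(rrd_ds_count + 1, got + 1)]
```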

.screenrc, .zshrc

Posted in LF, Linux by erralt on 18 December 2009

% cat ~/.screenrc

autodetach on
shell zsh
altscreen on
attrcolor b ".I"
defbce "on"
activity "activity: window ~%"
startup_message off
hardstatus on
caption always 
caption string "[%y-%m-%d %c] %-w%{=b bw} %t%{-}%+w %= %?%{=b rw}%2`%{-} %?%1` %H"
bindkey -k kD stuff "\033[3~"  # handle the "Delete" key
# WordPress mangles this line: the sequence is \033 (backslash, zero, 33), not \O33 (letter o)
defscrollback 1000
sessionname erralt
defutf8 on
screen -t shell
screen -t logs
term xterm-color
# visual bell
vbell off

% cat ~/.zshrc

SAVEHIST=9999
HISTSIZE=9999
HISTFILE=~/.zsh/history
[[ -z $(functions zsh/terminfo) ]] && autoload -Uz zsh/terminfo

# colours
autoload -U colors 
colors
eval `dircolors $HOME/.zsh/colors`
autoload -U zutil
autoload -U compinit
autoload -U complist
compinit

bindkey "^?" backward-delete-char
bindkey '^[[1~' beginning-of-line
bindkey '^[[4~' end-of-line
bindkey -e

alias ls='ls --color=auto'
alias ll='ls -l'
alias la='ls -la'

setopt always_toend
setopt hist_ignore_dups

if [[ "$terminfo[colors]" -ge 8 ]]; then
    if [[ "$EUID" = "0" ]] || [[ "$USER" = 'root' ]]; then
        base_prompt="root%{$fg[red]%}@%m%{$reset_color%} "
    else
        base_prompt="%n%{$fg[blue]%}@%m%{$reset_color%} "
    fi
else
    base_prompt="%n@%m "
    post_prompt=""
fi
PS1="$base_prompt%~
%#%{$reset_color%} "

% cat .zsh/colors

COLOR tty
# Extra options for ls.
# -F = show '/' after directories, '*' after executables, etc.
# -T 0 = don't trust tab spacing when formatting ls output.
OPTIONS -F -T 0
# colours for the basic file types
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 01;35 # symbolic link
FIFO 40;33 # pipe
SOCK 01;35 # socket
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver

# executable files:
EXEC 01;32

# list the extensions, e.g. '.gz' or '.tar', that you want ls to colour
# syntax: extension, a space, then the colour code.
# Archives
.btm 01;32
.tar 01;31
.tgz 01;31
.arj 01;31
.gz 01;31
.bz2 01;31
.zip 01;31
.rar 01;31
.7z 01;31
.ace 01;31
.dar 01;31
.lzo 01;31
.tbz2 01;31
  
# Packages
.deb 01;35
.rpm 01;35
  
# Web
.htm 01;36
.php 01;36
.php3 01;36
.html 01;36
  
# Sources
.c 04;43;30
.cpp 04;43;30
.h 00;43;30
.hpp 00;43;30