
Sunday, March 30, 2014

Cisco: Configure VTY Access

First of all, what is VTY?
VTY stands for Virtual Teletype. Today it is more common to describe it as virtual terminal lines.
VTY lines are used to allow remote inbound connections (Telnet or SSH) and therefore eliminate the need for a physical serial cable like the rollover cable.

You can see the configuration of the VTY lines by running the show running-config command. On a brand new router you will see two simple lines:

line vty 0 4
 login 

0 4 is the range of virtual terminal line numbers, in this case 5 lines (0 through 4).
You can double check it by using the show line command:

As you can see from the show line output, we have five virtual terminal lines.
Now, I prefer to disable Telnet connections because of security issues (Telnet is unencrypted). You can allow SSH only with the following steps (shown in the original post as a screenshot):

If you want to take it one step further, you can allow access from your host only with the following steps (also shown as a screenshot):

The first step was to permit only a single host to connect. After creating the IP access list, we apply it to the vty lines with the access-class command.
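As an added example (not from the original post), here is a small Python audit of the two hardening steps described above, run over a saved running-config. The sample config, the access-list numbers and the host address are constructed.

```python
import re

# Constructed running-config excerpt (not from the post): one hardened block
# and one that still allows telnet and any source address.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 20 permit any
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 20 in
 transport input telnet ssh
"""


def parse_acls(config):
    """Map access-list number -> list of its permit entries, e.g. 'host 192.0.2.10'."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def vty_blocks(config):
    """Yield (range, [commands]) for every 'line vty' block and its indented body."""
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M):
        yield m.group(1), [c.strip() for c in m.group(2).splitlines()]


def audit_vty(config):
    """Return {vty_range: [findings]}; an empty list means the block passed both checks."""
    acls = parse_acls(config)
    report = {}
    for rng, body in vty_blocks(config):
        findings = []
        if "transport input ssh" not in body:
            findings.append("transport input is not restricted to ssh")
        acl = next((c.split()[1] for c in body if c.startswith("access-class ")), None)
        if acl is None:
            findings.append("no access-class applied")
        # An access-class pointing at an undefined list is treated here as 'permit any'.
        elif any(not e.startswith("host ") for e in acls.get(acl, ["any"])):
            findings.append("access-list %s is not limited to specific hosts" % acl)
        report[rng] = findings
    return report
```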

Saturday, February 1, 2014

Python: OS Module

If you are a Linux system administrator, you have probably used, or may still use, the Python language for your scripts.
If not, you should try it; it's really great.

One of the most useful modules Linux sysadmins need to be familiar with is, in my opinion, the os module.

It basically lets you use operating system functionality from within Python. You will find many of your daily commands in this module, like creating directories, changing ownership and killing processes.
It also wraps OS-dependent functionality, so you can use it on other platforms as well.

I will show you a few short examples so you can grasp the idea of it and maybe start using it in your scripts as well.


Note: If you are new to Python scripting, make sure that:

1. Python is installed:
rpm -q python
2. The header of your script looks like this:
#!/usr/bin/python
import os
The path of the Python binary can change depending on how you installed it. You can verify it with "which python".

System Information


Let's say your script is used only on 64-bit systems. You could use the os module to perform a simple check before continuing to the main function of your program.
print(os.uname()[4])  # index 4 is the machine type; the tuple has 5 entries, indices 0 to 4
x86_64
os.uname() returns a tuple containing 5 strings. The 4 remaining (indices 0 to 3) are:
0 - system name
1 - hostname
2 - kernel version (the release field)
3 - release date (the version field, a build string that contains the build date)

It basically has the same functionality as the uname command from the coreutils package.


Files And Directories

Here is an example of how you create a directory:
if not os.path.exists('/tmp/mario'):
    os.mkdir('/tmp/mario')  # create it only if it does not exist yet
else:
    print("This directory already exists")
The first line checks whether the directory already exists; if not, it is created using the mkdir function.
Now, would this function work if I try to create several nested directories at once?
The answer is no. But there is makedirs:
os.makedirs('/tmp/mario/luigi/and/other/friends')
Now let's rename mario to wario and delete the friends directory:
os.rename('/tmp/mario', '/tmp/wario')
os.rmdir('/tmp/wario/luigi/and/other/friends')  # rmdir only removes an empty directory
The next script shows how to use the current directory path, list the contents of this directory and print the size of the files and directories using the st_size attribute:
path = os.getcwd()
print("The current directory is %s" % path)
for obj in os.listdir(path):
    print("%s size is %s" % (obj, os.stat(os.path.join(path, obj)).st_size))
os.getcwd gets us the current directory path. This is equivalent to the pwd command.
os.listdir returns a list of the directories and files in the current directory, and os.stat returns an object representing a file or directory. This object includes many attributes; one of them is st_size, which is the file size in bytes.
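As an added example (not from the post), the same walk-and-stat approach described above can do more than report sizes: the st_mode attribute tells you which files are world-writable or setuid, which is what a sysadmin usually needs to find. Everything here is built in a temporary directory; the file names and modes are constructed.

```python
import os
import shutil
import stat
import tempfile


def find_risky_files(root):
    """Walk root and return sorted (relative path, octal mode) pairs for regular
    files that are world-writable or carry setuid/setgid. os.lstat is used
    instead of os.stat so symlinks are examined as themselves, never followed."""
    risky = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID):
                risky.append((os.path.relpath(path, root), oct(mode)))
    return sorted(risky)


def demo():
    """Build a constructed tree in a temp directory (the mario/luigi layout of
    the post), audit it, clean up, and return the flagged relative paths."""
    root = tempfile.mkdtemp(prefix="osmod-")
    try:
        os.makedirs(os.path.join(root, "luigi", "and", "friends"))
        layout = {"ok.txt": 0o644,                         # harmless
                  "luigi/world_writable.sh": 0o666,        # anyone can modify it
                  "luigi/and/friends/setuid_bin": 0o4755}  # runs as its owner
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return [rel for rel, _mode in find_risky_files(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```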

Prcoess Control

Everyone who uses Linux, at one point or another, interacts somehow with processes. You may create one, kill it or pull out some information you need on a specific process.

It may happen that your script is very important for the system to complete its work cycle.
You want to ensure it gets the top priority among user processes. How do you do it? Using nice, or more precisely, renicing the process of your script.

For everyone who forgot what renice is, here is a short reminder: renice is the action of altering the priority of running processes. It can take values from -20 to 19 on most systems. With a priority of 19, the process will run only when no other process on the system needs to run.

After this quite long introduction, here is the short way to do it:
os.nice(-14)  # adds -14 to the current nice value; a negative increment requires root
Be aware that the argument is an increment (or reduction), not an absolute value.
If your nice value was 2, it will now be -12.

One common task used widely by developers and admins is killing another process.
This is done mostly because of stuck processes, but sometimes also because specific conditions are met.
os.kill(1316, 15)  # send signal 15 (SIGTERM) to PID 1316
1316 is the process id.
15 is the signal, in this case SIGTERM.
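Added example, not from the post: a graceful version of the os.kill call above, sending SIGTERM (15) first and SIGKILL only if the process has not exited within a grace period. The sleep child is a stand-in for a stuck process; only processes running as your user (or any, as root) can be signalled this way.

```python
import os
import signal
import subprocess
import time


def terminate_gracefully(proc, grace=2.0):
    """Ask a child process to exit with SIGTERM (signal 15) and fall back to
    SIGKILL if it is still alive after `grace` seconds. Returns the exit
    status; a negative value means the child died from that signal."""
    if proc.poll() is not None:
        return proc.returncode            # already gone, nothing to do
    os.kill(proc.pid, signal.SIGTERM)     # polite request; handlers may run
    deadline = time.time() + grace
    while time.time() < deadline:
        if proc.poll() is not None:
            return proc.returncode
        time.sleep(0.05)
    os.kill(proc.pid, signal.SIGKILL)     # cannot be caught or ignored
    proc.wait()
    return proc.returncode


def demo():
    """Spawn a long sleep as a stand-in for a stuck process and stop it."""
    proc = subprocess.Popen(["sleep", "30"])
    return terminate_gracefully(proc)


if __name__ == "__main__":
    print(demo())  # -15 when the child exited on SIGTERM
```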

Sometimes you'll need to terminate your program because of unexpected behavior. I do it mostly with the sys module, which is also an important module, but the os module also has an exit function of its own:
os._exit(2)  # exits immediately with status 2, without running cleanup handlers or flushing buffers
This will exit the script with exit code 2; you can use whatever number you want or need.

Command Execution

In the past, running os.system was a common way to execute commands on your OS with Python.
Later, this function was deprecated in favour of the subprocess module, so now the best way to execute your own customized command is to use subprocess.

Here's a short example of using subprocess to print all SELinux booleans that are on:

import subprocess
# shell=True is needed only because of the pipe; the command string is fixed, not built from input
subprocess.call('getsebool -a | grep -w on', shell=True)
You can execute any command you want with subprocess and control the way you do it in many ways. I really recommend that everyone who still uses the system function stop using it and move to subprocess.
You can find more details on the subprocess module in its documentation.
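Added example (not the author's code): the same getsebool pipeline without shell=True. Each stage is an argv list, so nothing in the command line is re-parsed by a shell, which matters as soon as any part of it comes from user input. The demo() function feeds constructed getsebool-style output through the same pipeline so it runs on a host without SELinux tools.

```python
import subprocess


def run_pipeline(*commands):
    """Run a pipeline such as `getsebool -a | grep -w on` without a shell:
    every command is an argv list, so no argument is ever shell-interpreted.
    Returns (exit status of the last command, list of its output lines)."""
    procs = []
    prev_stdout = None
    for argv in commands:
        proc = subprocess.Popen(argv, stdin=prev_stdout, stdout=subprocess.PIPE)
        if prev_stdout is not None:
            prev_stdout.close()  # parent drops its copy so the reader sees EOF
        prev_stdout = proc.stdout
        procs.append(proc)
    output = procs[-1].communicate()[0].decode()
    for proc in procs[:-1]:
        proc.wait()
    return procs[-1].returncode, output.splitlines()


def selinux_booleans_on():
    """The post's getsebool -a | grep -w on, rebuilt without shell=True."""
    return run_pipeline(["getsebool", "-a"], ["grep", "-w", "on"])


def demo():
    """Same pipeline shape over constructed getsebool-style output (not a real
    host): only the lines whose value is the whole word 'on' come back."""
    sample = ("httpd_can_network_connect --> on\n"
              "httpd_enable_cgi --> off\n"
              "ftpd_anon_write --> on\n")
    return run_pipeline(["printf", "%s", sample], ["grep", "-w", "on"])


if __name__ == "__main__":
    print(demo())
```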

The os module includes many more functions I haven't discussed here. To make the most of this module, check out the full documentation.
Don't forget, many functions in this module are supported on a variety of operating systems.

Saturday, January 11, 2014

CentOS/RHEL: Ulimit And Maximum Number Of Open Files

Sometimes you may want to set limits on some of your system resources (processes, files).
But other times you may want to do just the opposite: disable those limits or raise them, like I needed to do a few days ago.

1. Check what are the limits

Apparently, Red Hat set the default maximum number of open files for users to 1024, and not long ago this was changed to 4096.
For some applications/users this is very low and can cause you a lot of problems.

You can check the current limit with ulimit in the bash shell:
ulimit -Hn
This shows the hard limit on the maximum number of open files for your user. You can use -S to check the soft limit.
tcsh: in tcsh you can check this limit with limit descriptors.

If you wish to check the maximum number of open file descriptors for a process your user/application is running, use the following command:
cat /proc/[Process ID]/limits

To check the system-wide limit on the number of file descriptors, use the following command:

cat /proc/sys/fs/file-max

2. Change the limit

Let's start by changing the limit for the user mario:
vi /etc/security/limits.conf
Now add or change the following lines:
mario soft nofile 4096
mario hard nofile 20480
Save the file and verify the result with ulimit as in section 1 (the new values apply to new login sessions).
If you want to set the maximum number of processes, use nproc instead of nofile.
If you want to apply the setting to all users, use * instead of a specific user name.

Now let's change the limit for the entire system:
vi /etc/sysctl.conf
and add the line:
fs.file-max = 200500

Apply it with:
sysctl -p

3. List number of open files/allocated file handles

To check the number of files opened on your system, use:
lsof | wc -l
You can also check the allocated file handles with:
cat /proc/sys/fs/file-nr
The first field is the total number of allocated file handles,
the second field is the number of unused (allocated but free) file handles,
and the third field is the maximum number of file handles that can be allocated (the same value as fs.file-max).
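As an added example (not from the post), here are small Python helpers that parse the two /proc files read above and turn them into the percentages a monitoring check would alert on before "Too many open files" errors appear. The file-nr and limits contents are constructed samples, not captured from a real host.

```python
import re

# Constructed samples in the format of the files the post reads.
FILE_NR_SAMPLE = "5376\t0\t200500\n"
PROC_LIMITS_SAMPLE = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            4096                 20480                files
Max processes             1024                 7812                 processes
"""


def _num(value):
    """'unlimited' -> None, anything else -> int."""
    return None if value == "unlimited" else int(value)


def parse_file_nr(text):
    """/proc/sys/fs/file-nr -> (allocated, unused, maximum)."""
    allocated, unused, maximum = (int(x) for x in text.split())
    return allocated, unused, maximum


def parse_proc_limits(text):
    """/proc/<pid>/limits -> {'Max open files': (soft, hard), ...}."""
    limits = {}
    for line in text.splitlines()[1:]:          # skip the header row
        m = re.match(r"^(Max .+?)\s{2,}(\S+)\s+(\S+)", line)
        if m:
            limits[m.group(1)] = (_num(m.group(2)), _num(m.group(3)))
    return limits


def open_files_usage(limits_text, fds_in_use):
    """Percentage of the process's soft 'Max open files' limit already used
    (fds_in_use would come from len(os.listdir('/proc/<pid>/fd')))."""
    soft, _hard = parse_proc_limits(limits_text)["Max open files"]
    return None if soft is None else round(100.0 * fds_in_use / soft, 1)


def system_handle_usage(file_nr_text):
    """Percentage of fs.file-max actually in use (allocated minus unused)."""
    allocated, unused, maximum = parse_file_nr(file_nr_text)
    return round(100.0 * (allocated - unused) / maximum, 2)
```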

Friday, January 3, 2014

CentOS/RHEL : Change CPU Frequency

A few days ago I was asked by someone in our organization to set the CPU frequency to maximum on one of our Red Hat 6.2 servers.

The first thing to do here was to check the reason for this unusual request. Do not immediately attempt to change the CPU frequency without understanding the implications of such a change.

The second thing to do was to check the current CPU frequency. This can be achieved by either:

1. Installing a nice set of tools called cpupowerutils:

yum install cpupowerutils

Next, check the frequency with cpufreq-info:

[root@mario~]# cpufreq-info
analyzing CPU 0:
driver: acpi-cpufreq
CPUs which need to switch frequency at the same time: 0
hardware limits: 1.33 - 2.00 GHz
available frequency steps: 1.33 GHz, 1.60 GHz, 2.00 GHz
available cpufreq governors: userspace, ondemand, conservative, powersave, performance
current policy: frequency should be within 1.33 MHz and 2.00 GHz.
                The governor "conservative" may decide which speed to use
                within this range.
current CPU frequency is 1.33MHz.

2. Without cpupowerutils, you can look at sysfs:

ls /sys/devices/system/cpu/cpu[cpu number]/cpufreq/

There you will find the max, min and current CPU frequency along with a bunch of other useful files.

Now, changing the CPU frequency to maximum can also be done by either:

1. Using cpupowerutils:

cpupower frequency-set -g performance

2. Setting the wanted value in sysfs:

echo 1300000 > /sys/devices/system/cpu/cpu[cpu number]/cpufreq/scaling_min_freq

This will not allow the CPU to drop below the specified value (the value is in kHz).

### Be sure you understand what you are trying to achieve ###

You can find the full documentation in Red Hat's official documentation.

Monday, December 30, 2013

Nagios - HTTP WARNING: HTTP/1.1 403 Forbidden

You may have encountered this message after installing a fresh copy of Nagios on one of your servers.

This happens because Nagios's HTTP check is looking for an index page under your HTTP root directory and cannot find it.

To fix it quickly, all you need to do is go to your HTTP root directory (by default /var/www/html) and create an empty index file:

cd /var/www/html
touch index.html

Then restart both the nagios and httpd services:

service nagios restart
service httpd restart

Fixed =)



Thursday, December 27, 2012

How to Disable SElinux

Important note! I do not recommend disabling SELinux!
This article is meant for study purposes only!

As you know, SELinux provides a sophisticated security mechanism for your system.
Sometimes you might want to temporarily disable SELinux in order to see if it is the reason for the problems you are experiencing. Even if it is the reason, you shouldn't disable it permanently! You should find another solution!

First of all you need to know the possible SELinux modes. Taken from wiki.centos.org:

  • Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions
  • Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
  • Disabled: SELinux is turned off

1. Temporarily switch to permissive mode:

Type in the following command:
echo 0 > /selinux/enforce
1 - enforcing
0 - permissive

2. Permanently switch to permissive mode:

Edit /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive 
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
As you can see, SELINUX is set to permissive.
Don't forget to reboot after the change.

3. Disable SELinux

Edit /etc/selinux/config and this time set SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Don't forget to reboot!

For non-Red Hat/CentOS distributions, append "enforcing=0" to the end of the kernel line in the bootloader configuration:

title Mint (2.6.22-194.26.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.22-194.26.1.el5 ro root=LABEL=/ console=tty0,19200n8 enforcing=0
        initrd /initrd-2.6.22-194.26.1.el5.img
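Added example (not from the post): a check that compares the mode configured in /etc/selinux/config with the live value in /selinux/enforce (or /sys/fs/selinux/enforce on newer kernels), so a temporary switch to permissive that was never reverted shows up as drift. The config text used below is constructed.

```python
def parse_selinux_config(text):
    """Parse /etc/selinux/config text into a dict, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _sep, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_enforce(paths=("/sys/fs/selinux/enforce", "/selinux/enforce")):
    """Return the live enforce flag ('1' or '0'), or None when SELinux is
    disabled or not present (neither file exists)."""
    for path in paths:
        try:
            with open(path) as fh:
                return fh.read().strip()
        except OSError:
            continue
    return None


def selinux_status(config_text, enforce_value):
    """Return (configured, running, drift). drift is True when the running
    mode is weaker than the configured one, e.g. someone ran
    `echo 0 > /selinux/enforce` on a host configured as enforcing."""
    configured = parse_selinux_config(config_text).get("SELINUX", "unknown").lower()
    running = {"1": "enforcing", "0": "permissive", None: "disabled"}.get(enforce_value, "unknown")
    rank = {"disabled": 0, "permissive": 1, "enforcing": 2}
    drift = rank.get(running, -1) < rank.get(configured, -1)
    return configured, running, drift


# Constructed sample (not from a real host): enforcing on disk.
SELINUX_CONFIG_SAMPLE = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

if __name__ == "__main__":
    with open("/etc/selinux/config") as fh:
        print(selinux_status(fh.read(), read_enforce()))
```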


Thursday, October 11, 2012

Nice & Renice: manage the priority of processes

With nice and renice you can control the priority given to each new process.

Each process is given a nice number which represents its priority among the other processes in the system.
The default nice number given to a process is 0.

The range of nice numbers is -20 to 19.
-20 is the "highest" priority number. If you want to give your process the highest priority, give it the nice number minus 20.
19 is the lowest; it might take time for your process to start running (if at all).

Now let's see some examples:

1. Set Nice Number

nice -n 19 ./scriptos
In this example I started my script "scriptos" with the nice number 19.
I can check the actual priority of the process in two ways:

ps axl | grep scriptos
top
The priority will be under the PRI column.

2. Change Nice Number

You can change the priority of your process by changing its nice number with renice.
Let's look at the following example:

renice -n 12 474
12 - the new nice number of scriptos (instead of 19).
474 - the PID of scriptos.