A site for me to share tips, tricks, and links to helpful sites. Starting in 2014, you can find me on Medium: https://medium.com/network-girl
Friday, December 12, 2008
Cisco VPNs ... I've set up more than my share, but they always challenge me anyway. I've had a point-to-point VPN set up between two offices for a few months, but what got me, bugged the heck out of me, was that I couldn't ping from the PIX on one side to the inside interface on the ASA on the other side (and vice versa). Moreover, I couldn't ping from hosts on one side to the inside interface on the firewall on the other side.
And my Cisco contract expired before I thought to call them.
So at long last, I renewed the contract, sent in the email with all the configs, and alas, as I suspected, the answer was elusive, but simple nonetheless:
management-access inside
One command, entered on both firewalls, and voila, as if by magic, the pings had response times instead of timeouts, and now my syslog server can reach the remote PIX, and I get to check one little big thing off my list.
Tuesday, November 18, 2008
Apple connecting to Windows Share
At long last, a problem I've ignored for many, many months is revealed and resolved. Apple gives this simplistic view of a Mac connecting to an SMB share on a windows file server (Win 2003):
http://support.apple.com/kb/HT1568
Which says: select Go > Connect to Server, type in
smb://servername/sharename
enter your domain/username/password, and voila! You are in the land of the MS clients now.
But alas, this failed, and the contractors on Apple machines on our net couldn't connect.
So I tried to connect to a member server using this method, with a local account instead of a domain account, and that DID work.
So I thought, Domain Policies, perhaps, and a quick Google turned up this completely useful link:
http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x
Which says, basically, that by default a Windows domain policy will require all connecting clients to digitally sign communications, which the Macs don't do, and thus the connection is lost in translation.
Disable this policy (see link above), run gpupdate to refresh the domain policy, and away we go.
Thursday, September 04, 2008
Monitoring homework made easy
I was just about to press the mouse button to purchase a 5 server version of ActiveXperts monitoring application, but had an itch to do a quick google search on 'ActiveXperts Nagios' - one of my favorite ways to find out competitive reviews.
And I found a list of products "suitable for large-scale IT installations and compatible with" a couple products I'd never heard of.
http://www.hw-group.com/software/pd_it_big_en.html
Quick summary of 10 products with their capabilities. Enjoy, someone saved us the time of researching!
Wednesday, May 07, 2008
PIX firewall - getting ssh to work
I always remember there is something I have to do for ssh to a PIX or ASA firewall to work, so here it is, the commands I remember I forgot:
hostname myfirewall
domain-name mydomain.mytld
ca gen rsa key 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
passwd YourPasswordGoesHere
ca save all
Notes on the above: the ssh line as written permits ssh from any address on the Internet to the outside interface (the address/mask pair is the permitted source); the timeout is in minutes, and I find the default of 5 to be irritating. ca gen rsa key and ca save all are the PIX 6.x commands; on an ASA (or PIX 7.x) the equivalents are crypto key generate rsa modulus 1024 and write memory.
then ssh using this from a *nix machine:
ssh -1 pix@publicIP
the ssh password is the "YourPasswordGoesHere" above, NOT the enable password
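The ssh access line above is the one a practitioner should look at twice: 0.0.0.0 0.0.0.0 on the outside interface exposes the management plane to every source on the Internet. The following is an added example in Python (not Cisco tooling and not from the original post) that audits ssh access lines in a saved configuration. The sample configuration is constructed from the post's commands, and 203.0.113.0/24, a documentation address range, stands in for a real management network.

```python
"""Flag PIX/ASA 'ssh' lines that expose management access too widely.

Added example in Python; not Cisco tooling and not from the original post.
The sample configuration is constructed from the post's commands, and
203.0.113.0/24 (a documentation range) stands in for a management network.
"""
import ipaddress
import re
from typing import List, Tuple

# ssh <source-address> <source-mask> <interface>
SSH_ACCESS = re.compile(
    r"^\s*ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)

# Constructed sample: the post's commands as they would appear in a saved config.
SAMPLE_CONFIG = """\
hostname myfirewall
domain-name mydomain.mytld
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 20
"""

# Same configuration with the outside rule narrowed to one management subnet.
TIGHTENED_CONFIG = SAMPLE_CONFIG.replace(
    "ssh 0.0.0.0 0.0.0.0 outside", "ssh 203.0.113.0 255.255.255.0 outside"
)


def audit_ssh_access(config_text: str, widest_outside_prefix: int = 24) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for ssh access lines worth a second look.

    A 0.0.0.0 mask means any source; on the outside interface that is the whole
    Internet. Ranges on 'outside' wider than widest_outside_prefix are reported too.
    """
    findings = []
    for line in config_text.splitlines():
        match = SSH_ACCESS.match(line)
        if not match:
            continue  # 'ssh timeout', 'ssh version' etc. are not access lines
        addr, mask, intf = match.groups()
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(("error", f"could not parse: {line.strip()}"))
            continue
        if net.prefixlen == 0:
            severity = "high" if intf == "outside" else "medium"
            findings.append((severity, f"ssh permitted from any source on '{intf}'"))
        elif intf == "outside" and net.prefixlen < widest_outside_prefix:
            findings.append(("medium", f"ssh on 'outside' open to {net} (wider than /{widest_outside_prefix})"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("tightened", TIGHTENED_CONFIG)):
        print(label, audit_ssh_access(cfg) or "no findings")
```

Running it on the configuration as posted reports one high finding for the outside line; the tightened variant reports nothing. The same idea extends to the client side: the -1 in the ssh command above selects SSH protocol 1, which current clients no longer offer, so a newer firewall image with ssh version 2 is the matching fix.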
Tuesday, March 04, 2008
Microsoft SQL Server 2005 - suspect status and restoring from backup
A couple of days ago one of our production databases suddenly imploded, and the only warning it gave us was that the status of the database in Management Studio Express showed "Suspect" after the database name.
We couldn't write or update data, but my team found a couple of articles that came in handy:
Code Project: How to restore a suspect database
and
SQL-Articles
The first was most useful. But because altering the state of the database and repairing it causes just a bit of ice water to run through my veins, first we did a test restore of the previous night's backup to SQL Express running on my laptop.
Now, if you have a full backup, a differential backup, and a few transaction logs to apply, here's what you'll want to do in the GUI. There are others who swear by TSQL but I'm not fluent in that language so here's my way.
In SQL Management Studio, right click on Databases, select New Database
Create a new database with the identical name to the one you're restoring
I left all options at defaults
Then, with your .bak file handy, restore over the empty database you just created.
Right click on the empty database just created, select Tasks > Restore > Database
In the dialog box, select "source for restore" *from device, and locate the full backup file to restore first. Then select Options in the top left.
Change the path for "Restore As" to a valid path. For the full backup, you'll need to check "Overwrite the existing database"
If, IF you have a differential backup and/or transaction logs to apply after the full backup, then you'll need to select:
"Leave the database non-operational and do not roll back uncommitted transactions ... (RESTORE WITH NORECOVERY)"
If you don't choose this, you won't be able to restore the differential or transaction logs.
If you're only restoring the full backup and nothing else, keep the default first option: "Leave the database ready to use by rolling back uncommitted transactions ... (RESTORE WITH RECOVERY)"
Got that?
Click OK when ready and wait patiently for the first increment of 10% to be passed. Progress is measured in 10% increments for reasons known only to the MS SQL team.
After this one is done, if you chose the RESTORE WITH NORECOVERY option, the database will say "Restoring".
Now do about the same thing as above to restore a differential if you have one. If you still have transaction logs to apply afterwards, choose the NORECOVERY option; if this is the last piece, choose the RECOVERY option and you'll have a functioning database when you're done.
If you need to restore a transaction log,
Right click on the database name > Tasks > Restore > Transaction log
choose the file, and select the RESTORE WITH RECOVERY option if you want the DB to be functional after this txn log is applied.
Possible errors you may see:
System.Data.SqlClient.SqlError: The log or differential backup cannot be restored because no files are ready to rollforward. (Microsoft.SqlServer.Express.Smo)
For me this meant I chose RESTORE WITH RECOVERY when I still had differential or transaction logs to apply.
System.Data.SqlClient.SqlError: This differential backup cannot be restored because the database has not been restored to the correct earlier state.
For me, this meant I had restored a full backup but didn't have the next in line differential to apply. I found a newer full backup and then was able to restore the diff. Don't ask, I had two different apps making full backups of the database.
HTH someone ...
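The RECOVERY/NORECOVERY ordering above is the part that bites. As an added illustration (Python, not Microsoft's code and not part of the post), the small model below encodes the two rules behind the error messages listed just above, so a restore plan can be dry-run before touching a real server. Backup names and the sample chains are constructed; the message used for a log backup that does not follow the restored full backup is a simplification, since SQL Server itself reports an LSN mismatch there.

```python
"""Model of the full / differential / transaction-log restore order.

Added illustration in Python; not Microsoft's code and not part of the post.
It encodes the ordering rules behind the error messages quoted in the post so
the NORECOVERY/RECOVERY choice can be dry-run. Backup names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EMPTY, RESTORING, ONLINE = "EMPTY", "RESTORING", "ONLINE"

# Error texts as SQL Server reports them (quoted in the post above).
ERR_NOT_READY = ("The log or differential backup cannot be restored because "
                 "no files are ready to rollforward.")
ERR_WRONG_BASE = ("This differential backup cannot be restored because the "
                  "database has not been restored to the correct earlier state.")
# Simplified message for a log that does not follow the restored full backup
# (the real server reports an LSN mismatch; this model does not track LSNs).
ERR_LOG_CHAIN = "log backup does not follow the restored full backup (model simplification)"


@dataclass(frozen=True)
class Backup:
    kind: str          # "FULL", "DIFF" or "LOG"
    name: str          # label used in the constructed chains below
    base: str = ""     # DIFF/LOG: name of the FULL backup they were taken after


@dataclass
class Step:
    backup: Backup
    recovery: bool     # True = RESTORE WITH RECOVERY, False = WITH NORECOVERY


class RestoreError(Exception):
    pass


class RestoreSession:
    """Tracks the state the database passes through as backups are applied."""

    def __init__(self) -> None:
        self.state = EMPTY
        self.full_base: Optional[str] = None   # FULL backup currently restored
        self.applied: List[str] = []

    def restore(self, step: Step) -> str:
        b = step.backup
        if b.kind == "FULL":
            # A full backup can always start over ("Overwrite the existing database").
            self.full_base = b.name
        elif self.state != RESTORING:
            # Nothing restored yet, or RECOVERY was chosen one step too early.
            raise RestoreError(ERR_NOT_READY)
        elif b.kind == "DIFF" and b.base != self.full_base:
            # Differential taken against some other full backup.
            raise RestoreError(ERR_WRONG_BASE)
        elif b.kind == "LOG" and b.base != self.full_base:
            raise RestoreError(ERR_LOG_CHAIN)
        self.applied.append(b.name)
        self.state = ONLINE if step.recovery else RESTORING
        return self.state


def apply_chain(steps: List[Step]) -> Tuple[str, Optional[str]]:
    """Run a restore plan; return (final state, error message or None)."""
    session = RestoreSession()
    for step in steps:
        try:
            session.restore(step)
        except RestoreError as exc:
            return session.state, str(exc)
    return session.state, None


# Constructed sample chain: Monday full, Tuesday diff, two log backups.
FULL_MON = Backup("FULL", "full_mon")
DIFF_TUE = Backup("DIFF", "diff_tue", base="full_mon")
LOG_1 = Backup("LOG", "log_tue_0900", base="full_mon")
LOG_2 = Backup("LOG", "log_tue_1000", base="full_mon")
# A differential taken by a second backup application against a different full.
DIFF_OTHER = Backup("DIFF", "diff_other_app", base="full_other_app")

GOOD_PLAN = [Step(FULL_MON, False), Step(DIFF_TUE, False), Step(LOG_1, False), Step(LOG_2, True)]
RECOVERED_TOO_EARLY = [Step(FULL_MON, True), Step(DIFF_TUE, False)]
WRONG_FULL = [Step(FULL_MON, False), Step(DIFF_OTHER, False)]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("too early", RECOVERED_TOO_EARLY), ("wrong full", WRONG_FULL)):
        print(name, apply_chain(plan))
```

The three plans reproduce the post's experience: the good chain ends ONLINE, recovering after the full backup yields the "no files are ready to rollforward" error on the next step, and a differential whose base is a different full backup yields the "correct earlier state" error.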
Thursday, February 21, 2008
Cannot see wireless network woes ... resolved
I've had a pesky sort of problem for a couple months now that my CEO's computer can only see our wireless network but not our neighbors and couldn't see any in the city of Manhattan from his tower-high hotel room. Another contractor could see every other wireless network except ours; ditto for three new contractors that started this week.
But all the Dell Latitude D630s with (Dell Wireless 1490 Dual Band WLAN Mini-Cards) in the office could see all wireless access points including ours and the upstairs neighbors.
After many fruitless google searches, I finally extracted a clue.
The Cisco Aironet 1131AG in my office was only broadcasting on 802.11a, whereas the wireless network adapters of various makes and models, including an Intel Wireless WiFi 4965AGN in a Sony Vaio and an undocumented card in an Acer, were only listening on bands other than 802.11a.
So I did two things:
I enabled 802.11g on the Cisco Aironet.
Then on the CEO's Vaio, I went into the properties of the wireless adapter.
On Vista - Network and Sharing Center > Manage network connections > right click on the wireless adapter, select Properties > select Configure > Advanced
In the list, look for something that goes by various names like Wireless Mode or Band Preference, or just search through the list until you see something that makes you choose whether you want 802.11 a/b/g or some combination.
On the Vaio, I could choose 802.11a/b/g and voila! The CEO's Vaio could suddenly see everyone's WAPs. I haven't tested on the other machines, but I'll repost if it doesn't solve the issue.
Tuesday, February 19, 2008
Issue deleting MS SQL Server Maintenance Plans and Jobs
I was contemplating running around in circles, as that's what my brain was doing trying to figure out this inane error with Microsoft SQL Server 2005 Maintenance Plans and associated jobs (subtasks).
I had a brand new install of SQL server and used the Maintenance Plan wizard to create a series of jobs for full backup, differential backup, and transaction log backup.
Seemed to be working just fine, until someone else changed the 'sa' password and all the jobs failed left right and center.
It took me a while to figure out that was the cause, and the last day to figure out how to delete a maintenance plan and associated jobs once the sa password was changed. Couldn't delete them manually, I got an error saying the login failed for user 'sa'.
I could delete all but one of the subplans by listing them first under maintenance plans, but one could never be deleted.
This turned out to be the major error:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
------------------------------
The DELETE statement conflicted with the REFERENCE constraint "FK_subplan_job_id". The conflict occurred in database "msdb", table "dbo.sysmaintplan_subplans", column 'job_id'.
The statement has been terminated. (Microsoft SQL Server, Error: 547)
And at long last, after many, many searches, I found this marvelous post on how to manually delete the jobs and maintenance plans with TSQL code:
MS Forums
and this one, which was inordinately useful:
sql-server-2005-delete-maintenance-plan-error
And here's pretty much what I did in TSQL to delete the subplan and the maintenance plan 'SystemDB-MaintenancePlan' (declare @job_name once, or separate the statements with GO; redeclaring it within one batch is an error):
USE [msdb]
GO
-- the subplan's job, as named in sysjobs_view
DECLARE @job_name varchar(100)
SET @job_name = N'SystemDB-MaintenancePlan.Subplan_1'

-- 1. remove the subplan's history rows, which reference the subplan
DELETE sysmaintplan_log
FROM sysmaintplan_subplans AS subplans
    INNER JOIN sysjobs_view AS syjobs ON subplans.job_id = syjobs.job_id
    INNER JOIN sysmaintplan_log ON subplans.subplan_id = sysmaintplan_log.subplan_id
WHERE (syjobs.name = @job_name)

-- 2. remove the subplan; this is the row holding the FK_subplan_job_id
--    reference to the job that blocked the delete from the GUI
DELETE subplans
FROM sysmaintplan_subplans AS subplans
    INNER JOIN sysjobs_view AS syjobs ON subplans.job_id = syjobs.job_id
WHERE (syjobs.name = @job_name)

-- 3. remove the job now that nothing references it
DELETE
FROM msdb.dbo.sysjobs_view WHERE name = @job_name

-- 4. finally remove the maintenance plan itself
DELETE
FROM msdb.dbo.sysmaintplan_plans
WHERE name = 'SystemDB-MaintenancePlan'
other commands I find useful:
select * FROM sysmaintplan_subplans
select * FROM sysmaintplan_plans
Happy deleting! Thanks so much Gedzuks!
Tuesday, January 22, 2008
Installing Java / JDK and Tomcat with jpackage
Periodically, when amnesia strikes and I can't recall how I made this work the last 20 or so times I did it before, I get baffled, and start all over from the beginning.
I could be talking about anything, I suppose, but in this case I'm installing Java or the JDK as it's fondly called, and Tomcat and twelve billion dependencies it has on a server, in this case Linux.
Do yourself a favor here that I forgot when I was writing this blog ... see if java is already installed. If it's some antiquated version before 1.5, remove it, unless you know you need it. Run rpm -qa | grep java and rpm -qa | grep jdk to make sure you're not missing anything.
In the past I've used the works and packages of the fine jpackage.org folks. This time is no exception.
First, dig deep in Sun's website until I find a 1.5.0 binary for Linux. I downloaded the Linux RPM in self-extracting file: jdk-1_5_0_14-linux-i586-rpm.bin.
For the uninitiated, it's easiest to use wget to get the binary right onto the server without any intermediate file saving, scp-ing, and the like, but since Sun's URLs are about 5 miles long, they fail wonderfully with the error: blahblahblah "File name too long."
So to make this work, use:
wget -O jdk-1_5_0_14-linux-i586-rpm.bin http://reallylongurlfromsuncopiedandpastedfromtheRPMinselfextractingfilelinkthatendsin/jdk-1_5_0_14-linux-i586-rpm.bin
and then, to our wonder and amazement, it will work. I also often forget this and the reminder is really for me, but if it helps you, all the better.
then, extract the .bin file:
./jdk-1_5_0_14-linux-i586-rpm.bin
which dumps a rpm in your pwd.
then install the RPM, do I need to say how to do this, well okay then:
rpm -i jdk-1_5_0_14-linux-i586.rpm
but then the fun begins, like finding out an older 1.4.2 version was installed already and I didn't delete it before I began this process so installing the rpm gave the message:
[root@server jdk]# rpm -i jdk-1_5_0_14-linux-i586.rpm
package jdk-1.5.0_14-fcs is already installed
and look, rpm -qa | grep jpp gives a whole big list of pkgs, do I need to remove them all? (yes, is the answer you'll see later)
[root@server yum.repos.d]# rpm -qa | grep jpp
bsh-manual-1.3.0-9jpp.1
bsh-javadoc-1.3.0-9jpp.1
tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5
xalan-j2-2.7.0-6jpp.1
jakarta-commons-logging-1.0.4-6jpp.1
java-1.4.2-gcj-compat-javadoc-1.4.2.0-40jpp.112
jpackage-utils-1.7.3-1jpp.2.el5
xmlrpc-javadoc-2.0.1-3jpp.1
java-1.4.2-gcj-compat-1.4.2.0-40jpp.112
tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5
bsf-2.3.0-11jpp.1
bsh-1.3.0-9jpp.1
jakarta-commons-codec-1.3-7jpp.2
jakarta-commons-httpclient-3.0-7jpp.1
java-1.4.2-gcj-compat-devel-1.4.2.0-40jpp.112
ldapjdk-4.18-2jpp.3.el5
antlr-2.7.6-4jpp.2
junit-3.8.2-3jpp.1
xmlrpc-2.0.1-3jpp.1
java-1.4.2-gcj-compat-src-1.4.2.0-40jpp.112
Okay, so to begin, let's update /etc/yum.repos.d to include the jpackage repository:
in the /etc/yum.repos.d do:
wget http://www.jpackage.org/jpackage17.repo
but do you see the problem ... I don't want 1.7, I want 1.5, so how do I get that?
What I did was create my own jpackage50.repo file containing this:
[jpackage50-generic]
name=JPackage 5.0, generic
baseurl=http://mirrors.dotsrc.org/jpackage/5.0/generic/free/
gpgkey=http://www.jpackage.org/jpackage.asc
gpgcheck=1
enabled=1
[jpackage50-generic-nonfree]
name=JPackage (non-free), generic
baseurl=http://mirrors.dotsrc.org/jpackage/5.0/generic/non-free/
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
enabled=1
and now I'll go hunting to remove the jpps:
deleted all the jpp rpms except these:
bsh-manual-1.3.0-9jpp.1
bsh-javadoc-1.3.0-9jpp.1
jpackage-utils-1.7.3-1jpp.2.el5
xmlrpc-javadoc-2.0.1-3jpp.1
now reinstall the jdk (rpm -e takes the installed package name, rpm -i takes the rpm file):
rpm -ev jdk-1.5.0_14-fcs
rpm -iv jdk-1_5_0_14-linux-i586.rpm
install java-compat from jpp:
rpm -iv java-1.5.0-sun-compat-1.5.0.14-1jpp.src.rpm
which seemed to work, but the package isn't listed by rpm -qa | grep java
but what did work:
yum install java-1.5.0-sun-compat-1.5.0.14-1jpp
and now it's in the rpm list. yay!
and java -version shows the new version - yay yay!
[root@quinoa jdk]# java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)
figured out I need tomcat 5.5, not 6.0, and a handy
yum list '*tomcat*'
(quoted so the shell doesn't expand the pattern against files in the current directory)
gave me a list of all tomcat options, giving me a choice between tomcat5 (which was really 5.5.23) and tomcat6.
ran
yum install tomcat5
and away it went, installing the 37 dependencies and tomcat5 from jpackage.
it ended with this error:
/usr/bin/build-jar-repository: error: Could not find xml-commons-apis Java extension for this JVM
/usr/bin/build-jar-repository: error: Some specified jars were not found for this jvm
and when I started tomcat I got the same error. So I installed xml-commons-apis
yum install xml-commons-apis
which inconveniently uninstalled the jdk, why, I'm not sure, so I installed it back again from the rpm I got from sun.
restarting tomcat didn't get that error this time.
Credits to:
Sun
jpackage.org
Bart Busschotts
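gpgcheck=1 together with a gpgkey, as in the repo file above, is what makes yum refuse packages that are not signed with the repository's key. The following is an added example in Python (not jpackage's or yum's code and not part of the post) that audits .repo definitions for exactly that: the first sample is the jpackage50.repo from the post, the second is a constructed repo with signature checking switched off. The plain-http finding on the key URL is an observation the audit adds, not something the post raised.

```python
"""Check yum .repo definitions for package-signature verification settings.

Added example in Python; not part of the original post and not jpackage or
yum tooling. The first sample is the jpackage50.repo from the post; the
second is a constructed repo with signature checking switched off.
"""
import configparser
from typing import List, Tuple

JPACKAGE50_REPO = """\
[jpackage50-generic]
name=JPackage 5.0, generic
baseurl=http://mirrors.dotsrc.org/jpackage/5.0/generic/free/
gpgkey=http://www.jpackage.org/jpackage.asc
gpgcheck=1
enabled=1
[jpackage50-generic-nonfree]
name=JPackage (non-free), generic
baseurl=http://mirrors.dotsrc.org/jpackage/5.0/generic/non-free/
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
enabled=1
"""

# Constructed: a repo that accepts unsigned packages (placeholder URL).
WEAK_REPO = """\
[example-unsigned]
name=Example repo with signature checks disabled (constructed)
baseurl=http://repo.example.invalid/packages/
gpgcheck=0
enabled=1
"""


def audit_repo(text: str) -> List[Tuple[str, str]]:
    """Return (repo id, finding) pairs for enabled repositories.

    yum treats a missing 'enabled' as enabled and a missing 'gpgcheck' as 0
    unless [main] in yum.conf says otherwise, so the defaults below assume the
    conservative case.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for repo in parser.sections():
        sec = parser[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot pull packages
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append((repo, "gpgcheck is not 1: unsigned packages would be accepted"))
            continue
        key = sec.get("gpgkey", "").strip()
        if not key:
            findings.append((repo, "gpgcheck=1 but no gpgkey: yum cannot verify signatures"))
        elif key.startswith("http://"):
            # The signing key itself is fetched over plain HTTP, so every later
            # signature check is only as strong as that first download.
            findings.append((repo, "gpgkey fetched over plain http; pin the key locally or use https"))
    return findings


if __name__ == "__main__":
    for label, text in (("jpackage50.repo", JPACKAGE50_REPO), ("constructed", WEAK_REPO)):
        for repo, finding in audit_repo(text):
            print(f"{label}: [{repo}] {finding}")
```

Both jpackage sections pass the gpgcheck test and are only flagged for fetching the key over plain http; the constructed repo is flagged because gpgcheck=0 would let yum install anything the mirror serves.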
Monday, January 21, 2008
Postfix useful queue commands
Two Postfix commands I discovered by accident while trying to figure out how to delete mail out of the queue:
postqueue -p
list all mail in the queue currently (-p is the list option; postqueue has no -d)
postqueue -f
flush the queue; will attempt to deliver all mail
postsuper
superuser postfix queue command
and the command:
postsuper -d ALL
will delete all messages from the queue
Credit:
Seaglass Postfix FAQ
man postsuper
man postqueue
Wednesday, January 16, 2008
Setting up a new server - ntp
Super brief notes on configuring NTP
Make sure ntp is installed
rpm -qa | grep ntp
yum install ntp
Edit /etc/ntp.conf
Add stratum servers from www.ntp.org - check the server pool for your locale.
I added these:
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
And this to restrict access from those servers:
restrict 0.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 3.north-america.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
And permit any host in my private network to get time from my server:
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
check if ntpd is currently running:
ps -ef | grep ntp
no dice, so configure it to start at boot
chkconfig --list ntpd
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Check to see if the server time is reasonably close to ntp time (within 2 minutes), if not run:
ntpdate pool.ntp.org
to synchronize.
Run:
chkconfig ntpd on
service ntpd start
Check for log messages in /var/log/messages and check the time on the server to see if it's accurate. Also check status with:
[root@server etc]# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.73.32.134    64.73.0.9        2 u   30   64    1   72.596    4.418   0.001
 66.250.45.2     209.51.161.238   2 u   29   64    1   92.327   -8.728   0.001
 66.36.239.127   129.6.15.29      2 u   28   64    1   86.409    1.150   0.001
 82.165.184.7    74.208.4.166     3 u   27   64    1   88.581   -7.514   0.001
 127.127.1.0     .LOCL.          10 l   26   64    1    0.000    0.000   0.001
Tip of the keyboard to:
ntp.org
linuxhomenetworking.com
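The ntpq listing above was taken right after starting ntpd (reach 1, no "*" system peer yet), so it is not proof of sync. This added example, which is not part of the original post, reads ntpq -pn output and only reports success once a system peer is fully reachable with a small offset; the two listings it is fed are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide from "ntpq -pn" output
# whether ntpd has really synchronised. Right after "service ntpd start" the
# reach column reads 1 and no peer carries the "*" tally; after a few polls one
# peer gets "*" and reach climbs to 377 (all of the last eight polls answered).
# The two sample listings below are constructed.

# stdin: ntpq -pn output. Exit 0 (and name the peer) when a system peer ("*")
# is fully reachable (377) and its |offset| is under MAX_OFFSET_MS (default 100).
ntp_synced() {
    awk -v max="${MAX_OFFSET_MS:-100}" '
        NR <= 2 { next }                        # header line and ===== rule
        {
            c = substr($1, 1, 1)                # tally code, if any
            if (c ~ /[0-9]/) { c = " "; peer = $1 } else { peer = substr($1, 2) }
            reach = $7; off = $9; if (off < 0) off = -off
            if (c == "*" && reach == "377" && off < max) {
                printf "synced to %s (offset %s ms)\n", peer, $9
                ok = 1; exit
            }
        }
        END {
            if (!ok) { print "not synced: no system peer with reach 377 within " max " ms"; exit 1 }
        }'
}

# Live check on the box itself (needs ntpd running)
check_live_ntp() { ntpq -pn | ntp_synced; }

JUST_STARTED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.73.32.134    64.73.0.9        2 u   30   64    1   72.596    4.418   0.001
 127.127.1.0     .LOCL.          10 l   26   64    1    0.000    0.000   0.001'

SETTLED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*64.73.32.134    64.73.0.9        2 u   12   64  377   72.596    4.418   0.214
+66.250.45.2     209.51.161.238   2 u   45   64  377   92.327   -8.728   0.301
 127.127.1.0     .LOCL.          10 l   26   64  377    0.000    0.000   0.001'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$JUST_STARTED" | ntp_synced    # not synced yet
    printf '%s\n' "$SETTLED" | ntp_synced         # synced to 64.73.32.134
fi
```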
Setting up a new server - logwatch & logrotate
A couple hints so that you get logwatch emails and include other log files you want to monitor.
Logwatch depends on having the email address set for root to forward somewhere, otherwise the emails will sit in the local mailbox for root.
Change this line in /etc/aliases - works for either sendmail or postfix:
# Person who should get root's mail
root: validuser@yourdomain.com
Then run 'newaliases' (for sendmail) so this will be in use.
You may run into issues if the hostname for your box isn't in public DNS because of actions to cut down spam, so set it to masquerade if needed (see last post).
Then, to have logwatch check other logfiles besides the defaults (which on my CentOS box are listed in /usr/share/logwatch/default.conf/logfiles): in my case, I'm going to add monitors for the syslog alerts from my network equipment, which I have set to go to /var/log/network, and also for a newly created mysql backup log file, /var/log/mysqlbackup.
The defaults are fine, so I created the file /etc/logwatch/conf/logfiles/network.conf:
#######################################################
# Define log file group for /var/log/network
# syslog output for network equipment
# created by JAR 1/16/08
#######################################################
# Actual file
LogFile = network
#EOF
We'll see if this works.
Also a quick note about logrotate - when I configured syslog to accept messages from my network gear, I configured the new log file "network" in logrotate so that it would follow the normal rotation.
I added to the /etc/logrotate.d/syslog file:
/var/log/network
Tuesday, January 15, 2008
Setting up a new server - sendmail/postfix
Someday I will create a checklist of things to do to a new unix server to make it behave as I'd like. Until that someday comes, I'll write bits and pieces of things to do to remind myself.
Here's one.
When setting up a new system that has Logwatch enabled, remember by default it's going to email "root@localhost" all the logs. This is fine, except that if you're like me, you seldom check email for root and would prefer that the logfiles get sent to an email address, probably Internet routable, that you check more frequently.
This is how to make that happen, or perhaps what to do first:
Edit the /etc/aliases file
notice that everything is going to root, either directly or indirectly.
At the very bottom of the file, see the line that is commented out:
# Person who should get root's mail
#root: marc
make it a real email address that goes to a real human somewhere.
then run the command 'newaliases' so the change you made is compiled into the aliases database that sendmail actually reads.
Or, if you are, in fact, not a fan of sendmail, you can quickly switch to postfix (or qmail for the diehards) which has the reputation of being more secure and easier to work with.
In fact, I recommend this:
yum install postfix
service sendmail stop
yum erase sendmail
and then, if you want your host to pretend to be a different name (masquerade), edit this line in /etc/postfix/main.cf:
myhostname = hostname.outsidedomain.com
and uncomment this line:
myorigin = $mydomain
so that email sent from this box will appear as username@outsidedomain.com (mydomain defaults to myhostname with its first label removed).
a quick
service postfix restart
and you're good to go.
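Both this post and the logwatch post above hinge on one thing: where root's mail finally lands after /etc/aliases is followed. This added example, not code from the original posts, resolves an alias chain the way "everything goes to root, directly or indirectly" implies and flags the case where root's mail never leaves the box; the sample aliases file is constructed to look like the stock one.

```shell
#!/bin/sh
# Added example (not from the original posts): follow /etc/aliases chains to
# see where mail for a name ends up, and flag the case the posts warn about,
# where root's mail (and therefore logwatch's) stays in the local mailbox.
# Assumes the aliases(5) "name: target" format; the sample file is constructed.

# $1 = aliases file, $2 = name to resolve; prints the final destination
resolve_alias() {
    awk -v start="$2" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        {
            name = $1; sub(/:$/, "", name)
            alias[name] = $2                # first target only; enough for chains
        }
        END {
            cur = start
            for (i = 0; i < 20 && (cur in alias); i++)   # cap guards against loops
                cur = alias[cur]
            print cur
        }' "$1"
}

# Returns 0 when root'\''s mail is forwarded to an address with "@" (off-box), 1 otherwise
root_mail_leaves_box() {
    case "$(resolve_alias "$1" root)" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample resembling the stock CentOS /etc/aliases, root line still commented
make_sample() {
    cat > "$1" <<'EOF'
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
# General redirections for pseudo accounts.
bin:            root
logwatch:       root
# Person who should get root's mail
#root:          marc
EOF
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); make_sample "$f"
    printf 'logwatch mail ends up at: %s\n' "$(resolve_alias "$f" logwatch)"
    root_mail_leaves_box "$f" && echo "root mail leaves the box" \
                              || echo "root mail stays in the local mailbox: fix /etc/aliases"
    rm -f "$f"
fi
```

Run it against the real file with resolve_alias /etc/aliases logwatch; remember the MTA reads the compiled database, so newaliases still has to run after the edit.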
Monday, January 14, 2008
CVS Setup on Linux
I know, in this fast paced modern world that SVN is thought to be superior to CVS, but for some of my studio audience, and myself, here are my notes from configuring CVS.
I'm using CentOS rel 5, but should be similar on RH or Fedora (now please tell me you're not surprised about that).
check if you have cvs already:
rpm -qa | grep cvs
if not ...
yum install cvs
then add CVSROOT as a variable for everyone using bash ... if they're not using bash, they're on their own ...
add to /etc/bashrc:
CVSROOT=/home/cvsrep
export CVSROOT
create initial repository:
cvs -d /home/cvsrep init
Edit the file /etc/xinetd.d/cvs which starts the service in the xinetd server - this was created by "yum install cvs"
# default: off
# description: The CVS service can record the history of your source \
# files. CVS stores all the versions of a file in a single \
# file in a clever way that only stores the differences \
# between versions.
service cvspserver
{
disable = yes
port = 2401
socket_type = stream
protocol = tcp
wait = no
user = root
passenv = PATH
server = /usr/bin/cvs
env = HOME=/var/cvs
server_args = -f --allow-root=/var/cvs pserver
# bind = 127.0.0.1
}
but note the "disable = yes" line
if you want cvs to work ... change it to:
disable = no
Also change the two /var/cvs entries (env and server_args) to the repository you created, /home/cvsrep, since --allow-root only permits the paths listed there; then restart xinetd after you make all configuration changes necessary
tip of the keyboard to:
http://personal.vsnl.com/sureshms/linuxindex.html
Tuesday, January 08, 2008
Using Syslog to get network device logs
Because I always forget how to do this ...
Here is how to configure syslog on a CentOS Linux box to receive logs from my network gear; examples below for Cisco ASA/PIX, Foundry SI, Cisco Catalyst 3500XL, and Netscreen-50 firewall. This will also work for Fedora and RedHat, in case you were curious.
If you want names to display instead of IP addresses in the log file, add names to /etc/hosts.
On the Linux host, add this line to /etc/syslog.conf:
I've set all the network gear to log to local3 - you can choose a different local facility for each device type if you want to log to different files.
local3.* /var/log/network
To keep the logging from the network gear *out* of the /var/log/messages file, I added this "local3.none" to this line in /etc/syslog.conf, as below:
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
And have syslog listen for remote messages by changing this line in /etc/sysconfig/syslog -OR- /etc/init.d/syslog - check the /etc/init.d/syslog file to see whether it reads the /etc/sysconfig file.
Add the "-r" option so syslogd listens for remote messages (UDP port 514 from any host, so limit who can reach that port with a firewall rule)
SYSLOGD_OPTIONS="-m 0 -r"
then
service syslog restart
a couple quick checks:
netstat -a | grep syslog
check that the file /var/log/network was created
and now configure the network devices:
on the ASA/PIX, facility 19 = local3
logging enable
logging timestamp
logging trap notifications
logging facility 19
logging host inside 10.1.1.10
On a Catalyst 3500 switch:
service timestamps log datetime localtime #this displays the timestamp in the syslog file
logging trap notifications
logging facility local3
logging 10.1.1.10
remember to set the clock to the right time, or use ntp
clock set ...
For a Foundry SI:
logging 10.1.1.10
logging facility local3
For a Netscreen 50:
set syslog config "10.1.1.10"
set syslog config "10.1.1.10" facilities local3 local3
set syslog src-interface ethernet1
set syslog enable
For Dell switches (poweredge something or other)
logging 10.1.1.10 facility local3
And don't forget if you want the new network log rotated - add to /etc/logrotate.d/syslog
/var/log/network
Tip of the keyboard to:
http://www.linuxhomenetworking.com/wiki/index.php/
Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog#Configuring_the_Linux_Syslog_Server
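Once the gear is logging, the first thing worth checking is what is actually arriving in /var/log/network and at which severity, since "logging trap notifications" should leave you with severities 0-5 only. This added example, not part of the original post, summarises such a file per device and severity using the severity digit Cisco puts in the message tag; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the network gear
# is sending to /var/log/network. Cisco messages carry their severity in the
# tag (%ASA-4-106023 is severity 4, %SYS-5-CONFIG_I is severity 5), so a count
# per device and severity shows whether "logging trap notifications" (0-5) is
# doing what you expect. The sample lines below are constructed.

# stdin: syslog lines. stdout: "device severity count", sorted.
network_log_summary() {
    awk '
        # syslogd writes: "Mon DD HH:MM:SS <device> <tag>: <text>", device is $4
        match($0, /%[A-Z0-9_]+-[0-7]-/) {
            sev = substr($0, RSTART + RLENGTH - 2, 1)   # digit before the final "-"
            count[$4 " " sev]++
        }
        END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# stdin: syslog lines. stdout: only messages at severity 3 (error) or worse.
errors_only() {
    awk 'match($0, /%[A-Z0-9_]+-[0-3]-/)'
}

# Constructed sample of /var/log/network (10.1.1.1 = ASA, 10.1.1.2 = Catalyst)
SAMPLE='Jan  8 10:15:02 10.1.1.1 %ASA-5-111008: User admin executed the logging host inside 10.1.1.10 command.
Jan  8 10:15:40 10.1.1.1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4433 dst inside:10.1.1.20/22 by access-group "outside_in"
Jan  8 10:16:11 10.1.1.2 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)
Jan  8 10:17:03 10.1.1.1 %ASA-3-305006: regular translation creation failed for udp src inside:10.1.1.20/5353 dst outside:224.0.0.251/5353
Jan  8 10:17:09 10.1.1.1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4434 dst inside:10.1.1.20/22 by access-group "outside_in"'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | network_log_summary
    echo "--- severity 3 or worse ---"
    printf '%s\n' "$SAMPLE" | errors_only
fi
```

On the server itself: network_log_summary < /var/log/network.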
Monday, January 07, 2008
PHP Note To Self
Things to install for PHP, Drupal, and SugarOS to be happy:
yum install curl-devel
yum install gd-devel
yum install gd-progs
and also because I got errors that ./configure couldn't find libgd, since the library isn't in the same place as gd.h (gd-devel installs the header in /usr/include):
ln -s /usr/include/gd.h /usr/lib/gd.h
and the final ./configure line:
./configure --with-mysql --with-apxs2=/usr/sbin/apxs --lib-dir=/usr/lib --with-gd=/usr/lib --with-curl=/usr/bin/curl --enable-mbstring --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
make
make test
make install
good to go
addendum:
to get ldap to work with SugarOS, more than likely I need to install all these, if they aren't already installed:
openldap
openldap-clients
openldap-servers (this adds the file /etc/init.d/ldap)
openldap-devel
but I haven't tried it yet, so we'll see
Friday, January 04, 2008
What I've been waiting for: ISP redundancy on PIX/ASA
I don't know how long I've wanted this...but by chance searching I found it exists as of the middle of last year:
ISP redundancy/tracking on the Cisco PIX and ASA as of the 7.2(x) release!
You can now use a second, inexpensive ISP (like DSL or cable) as a backup to a primary ISP - it's implemented with "tracking" a downstream IP address with ICMP, and if ICMP fails, the default static route is replaced with a backup.
More here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml