Tag Archives: linux

How to identify ECC memory modules

This is a short article describing how you proceed to identify whether or not you have ECC memory modules in your Linux workstation or server.

Also as a side note, the importance of ECC memory is great. Even filesystems such as ZFS with check summing will not account for flipped bits due to cosmic rays. According to studies such as http://www.cs.toronto.edu/~bianca/papers/sigmetrics09.pdf , a DIMM has an 8% chance per year of getting a correctable error. Multiply that with the amount of DIMM’s you have in your system (4 or more?), and you suddenly have a very likely chance of seeing data corruption during a year.

To display what type of memory module you have, we make use of the following DMI type:

16   Physical Memory Array

Command

# dmidecode --type 16

Output

# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0007, DMI type 16, 23 bytes
Physical Memory Array
        Location: System Board Or Motherboard
        Use: System Memory
        Error Correction Type: Single-bit ECC
        Maximum Capacity: 32 GB
        Error Information Handle: 0x0010
        Number Of Devices: 4

Both on Debian/Ubuntu and RedHat based distributions this tool is provided by the dmidecode package.

// CrashMAG

How to configure network bonding (LACP) on Debian Wheezy

This process essentially consist of two steps. I will be detailing steps relevant for the Linux host.

  • Configuring the switch for LACP bonding.
  • Configuring the Linux host for LACP bonding.

Prerequisites

  • ifenslave
  • Shut down the network after installing ifenslave.
  • Start the network once the configuration changes are in place.

Steps

This is a virtual package and will in reality install ifenslave-2.6

# aptitude install ifenslave

Stop the network. Make sure you’re not connected via SSH while doing this.

# /etc/init.d/networking stop

Debian Kernel Module Configuration

File: /etc/modprobe.d/bonding.conf

#/etc/modprobe.d/bonding.conf
alias bond0 bonding
        options bonding mode=4 miimon=100 lacp_rate=1

File: /etc/modules

echo "bonding" >> /etc/modules
echo "mii" >> /etc/modules

Debian Network Configuration

/etc/network/interfaces
#/etc/network/interfaces 
auto eth0
    iface eth0 inet manual
    bond-master bond0

auto eth1
     iface eth1 inet manual
     bond-master bond0

auto bond0
     iface bond0 inet static
     address 192.168.0.10
     gateway 192.168.0.1
     netmask 255.255.255.0
     bond-mode 802.3ad
     bond-miimon 100
     bond-downdelay 200
     bond-updelay 200
     bond-lacp-rate 4
     bond-slaves none
     dns-nameservers 192.168.0.1
     dns-search domain.int

Start up the network.

# /etc/init.d/networking start

// CrashMAG

Linux ACL

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. ACL allows you to grant or deny permissions for any user or group on a filesystem resource.

Enabling ACL

To enable ACL, edit your /etc/fstab file as such:

/dev/VolGroup00/LogVol00 /                       ext3    defaults,acl        1 1

Note: Moderm Redhat distributions enable ACL by default for the root filesystem.

Set ACL

To modify ACL use setfacl command. To add permissions use setfacl -m.

Add permissions to some user:

# setfacl -m "u:username:permissions"

or

# setfacl -m "u:uid:permissions"

Add permissions to some group:

# setfacl -m "g:groupname:permissions"

or

# setfacl -m "g:gid:permissions"

Add default ACL:

# setfacl -d -m "u:uid:permissions"

Remove all permissions:

# setfacl -b

Remove each entry:

# setfacl -x "entry"

To check permissions use:

# getfacl filename

Examples

Set read,write and execute permissions for user “johndoe” on the file named “abc”.

# setfacl -m "u:johndoe:rwx" abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user “johndoe”.

# setfacl -m "u:johndoe:rw-" abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johndoe:rw-
group::r--
mask::r-x
other::r--

Remove all extended ACL entries.

# setfacl -b abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Additional Resources

man getfacl
man setfacl

If you weren’t using these already, you should.

// CrashMAG

Configuring Windows 7 support for UTC BIOS time

Windows 7 does not natively support UTC time. Which makes it a problem if you’re also running either Linux or OSX on the same machine. Either way having your BIOS keep time using UTC is the proper way.

  • Universal Time can be unambiguously converted into a local time. The opposite is not true, that is a local time cannot reliably be converted back into Universal time. This is due to the Summer Time or Daylight Savings Time offset periods implemented in many countries. At the end of that offset period, local-time clocks have to be turned back by usually one hour, therefore a 60 minute period on the local-time scale is repeated.
  • Daylight Savings Time makes it necessary to readjust the RTC twice per year. However, there exists currently no convention to label in the CMOS RAM, whether that adjustment has already been performed or not. As a result, the operating systems can get confused and will apply the correction multiple times. One possible fix is to record somewhere on the hard disk, whether the DST change has already been performed this year or not. However this fails for users who have a requirement to run several operating system versions in different hard disk partitions on the same computer, where the same RTC is shared by several operating systems that can be booted alternatively but do not have access to each others configuration files. A similar problem occurs when the operating system is booted from some exchangeable storage medium or a PC-in-PC emulator is used.

To enable UTC support please do the following.

Copy the following into a text document using notepad and save it as utc.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation] “RealTimeIsUniversal”=dword:00000001

Run it, reboot and you’re done.

Or do the following

  • Start the Registry Editor (regedit)
  • Traverse the following path, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Create a dword named RealTimeIsUniversal and set the value to 1
  • Restart your computer

// CrashMAG

Useful GNU/Linux search commands

These will work on any GNU/Linux system.

Find the email address someone@example.com within the path /etc recursively

grep -H -r "someone@example.com" /etc

-H, –with-filename
Print the file name for each match.
-R, -r, –recursive
Read all files under each directory, recursively

Find every file under the directory /home owned by the user john

find /home -user john

Find every file under the directory /usr ending in ”log”

find /usr -name *log

Find every file under the directory /etc that was modified more than 60 days ago

find /etc -mtime +60

Runs `file’ on every file in or below the current directory

find . -type f -exec file '{}' \;

Search for files in your home directory which have been modified in the last twenty-four hours. This command works this way because the time since each file was last modified is divided by 24 hours and any remainder is discarded. That means that to match -mtime

find $HOME -mtime 0

Search for files which have read and write permission for their owner, and group, but which other users can read but not write to. Files which meet these criteria but have other permissions bits set (for example if someone can execute the file) will not be matched

find . -perm 664

Search for files which have read and write permission for their owner and group, and which other users can read, without regard to the presence of any extra permission bits (for example the executable bit)

find . -perm -664

Search for files which are writable by somebody (their owner, or their group, or anybody else)

find . -perm /222

All three of these commands do the same thing, but the first one uses the octal representation of the file mode, and the other two use the symbolic form. These commands all search for files which are writable by either their owner or their group. The files don’t have to be writable by both the owner and group to be matched; either will do

find . -perm /220
find . -perm /u+w,g+w
find . -perm /u=w,g=w

Both these commands do the same thing; search for files which are writable by both their owner and their group

find . -perm -220
find . -perm -g+w,u+w

These two commands both search for files that are readable for everybody (-perm -444 or -perm -a+r), have at least on write bit set (-perm /222 or -perm /a+w) but are not executable for anybody (! -perm /111 and ! -perm /a+x respectively)

find . -perm -444 -perm /222 ! -perm /111
find . -perm -a+r -perm /a+w ! -perm /a+x

// CrashMAG

Public key authentication with SSH. Both with and without a password.

This article will run through quick and easy examples for setting up public key authentication with SSH. I will include one example that requires a password and one that does not. Typically used for scripts.

I will assume you know why you want to either use the one or the other. Public key authentication can only be set up on a per user/system basis, keep that in mind.

Public key authentication without a password

This the least secure option. It all boils down to how well secured your private key is. (.ssh/id_dsa)

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create a key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/usr/.ssh'.
Enter passphrase (empty for no passphrase): Press [ENTER]
Enter same passphrase again: Press [ENTER]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step SSH will refuse the public key even if it’s there due to bad ownership.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem

Public key authentication with password

This is the route you want to go. Once done, you should also disable logins with passwords only. Do this by editing the /etc/ssh/sshd_config file and add/modify the following parameter “PasswordAuthentication no”. Also make sure “PubkeyAuthentication” is set to “yes”.

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create the key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“[Your Password]” and “Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/usr/.ssh'.
Enter passphrase (empty for no passphrase): [Your Password]
Enter same passphrase again: [Your Password]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step SSH will refuse the public key even if it’s there due to bad ownership.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem

Tip

You can later change the password for your keys by using

[user@localsystem ~]$ ssh-keygen -p

// CrashMAG

How to be a more productive Linux system administrator

Came across a nice little article at IBM developerworks today. Learned a new command and got reminded of a few things. It was worth my time reading it.

Here’s a quote of the summary of the article…

Learn these 10 tricks and you’ll be the most powerful Linux® systems administrator in the universe…well, maybe not the universe, but you will need these tips to play in the big leagues. Learn about SSH tunnels, VNC, password recovery, console spying, and more. Examples accompany each trick, so you can duplicate them on your own systems.

Click here to head over to developerworks for the original article

// CrashMAG