Tuesday, August 31, 2004

Coming up: a simple way to set up DNS for your private network

It's always better to set up a DNS server for your private network, so that you do not have to remember the IPs when you have a good number of servers.

It helps in the jumpstart installation too.


Monday, August 30, 2004

Tape Backups in Linux / Unix

Coming to the topic of backups.

To begin with, here are some words from Linus Torvalds himself :

Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it. -- Linus Torvalds, about his failing hard drive on linux.cs.helsinki.fi

Another Cool Link describing backup is : http://www.taobackup.com/index.html

The most important concept with tape drives under Linux is rewinding and non-rewinding tape devices. Typically, /dev/st0 is your rewinding tape device, while /dev/nst0 is your non-rewinding tape device

DUMP :

Dump is a sourceforge project available on : http://dump.sourceforge.net/

Dump examines files on an ext2/3 filesystem and determines which files need to be backed up. Either a mountpoint of a filesystem or a list of files and directories can be specified for backup. The target filesystem can be specified by its raw device name if it is unmounted (which is actually preferable). The target is copied to the given disk, tape or other storage medium for safekeeping. A dump that is larger than the output medium is broken into multiple volumes.

Dump recognizes different levels of incremental backups in addition to performing a full backup. At one point in the past, incremental backups made sense for a variety of economic reasons. However the cost of media is low enough today to warrant the reduced headache of performing a full backup each and every time.

Dump is instructed to perform a level 0 full backup which guarantees the entire file system is copied (-0), to bypass all tape length calculations and write until an end-of-media indication is returned (-a), update the file /usr/local/etc/dumpdates after a successful dump (-u), abort the entire dump in the case of write errors rather than entering into an interactive prompt (-q), use 64 KB per dump record (-b 64), and write to the non-rewinding tape device (-f /dev/nst0).

A simple script to backup your whole system would be

#dump -0auqb 64 -f /dev/nst0 /dev/sda3

where 0 specifies Full Backup of file system /dev/sda3

To backup say a certain directory then

#dump -0uf /dev/st0 /home/neo

A simple script to restore your backup would be

------------------------------------------------------------
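#!/bin/sh
# Rewind the tape so that session numbers count from the start of the media.
mt -f /dev/st0 rewind
echo "Restore from which session number?"
read -r number
# -s skips to the chosen dump session; -i starts an interactive restore.
restore -ivf /dev/nst0 -b 64 -s "$number"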
------------------------------------------------------------
But I guess dump has either been deprecated from RH AS 2.1 or maybe my friend forgot to add it.

Then comes into help our favourite utility *tar*

#tar -cvf /dev/st0 /home /opt

This would back up the directories /home and /opt (and their subdirectories too) on the tape device /dev/st0.

To restore the backup :

#tar -xvf /dev/st0

Some additional commands
1. zip the tar file to save on space : tar -z -cvf /dev/st0 /home /opt
2. List contents of tape: tar -tf /dev/st0
3. List contents of compressed backup tape: tar -tzf /dev/st0

Incremental backups are also possible with tar.

Please do a man tar to know more about it.

.... Nitin ....


Sunday, August 29, 2004

Coming Up simple backups using tar and Dump Commands to Tape

Just did this for one of my good friend Hemant Sharma

Will soon be putting up how we managed to get backups of a certain directory on tape using the tar command, and how dump did not help much that time.



Nitin.

SSH Continued

Coming back to what we left last night: using the ssh agent to push an updated file like /etc/resolv.conf or /etc/ntp.conf across a list of servers.

It's much better than logging into each server and modifying the files by hand.

Say I have a list of 100 servers in a file called /home/nitin/list.

#more /home/nitin/list
server1.mydomain.com
server2.mydomain.com
server3.mydomain.com
server4.mydomain.com

and so on till server 100.

Here is a simple script which would replace the existing /etc/ntp.conf with the file I updated as /home/nitin/ntp.conf.

I am assuming that you have your rsa or dsa key on all the 100 servers and also that you are comfortable with using the ssh-agent utility.

Last but not the least, you know the scp utility and also have superuser privileges on the machines you want to replace the file on.

The script reads as :

#for i in `cat /home/nitin/list` ; do scp /home/nitin/ntp.conf nitin@$i:/etc/ntp.conf; done

That's it, no manual intervention needed; just run the script and watch the fun.

Another thing you can do, if you want to run certain commands like checking disk usage on all servers, is :

#for i in `cat /home/nitin/list` ; do ssh nitin@$i df -h; done

The other very good utility is rsync : http://rsync.samba.org/

This is how you do it :

#rsync -a -e ssh /home/nitin/ntp.conf nitin@remotemachine.com:/etc/ntp.conf

Here it is important to use the -e ssh so that rsync uses the ssh protocol to sync files rather than rcp.

I guess that makes life a lot easier for sysadmins handling more than 500 servers and needing to push stuff.

If someone's got a better method, please put it here; it would help a lot of us.

Adieu
Nitin :)
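
A more defensive version of the push loop above, as an added example that is not part of the original post: it validates every entry of the host list, never prompts (BatchMode), and verifies the copied file by checksum before moving it into place. The function names, the `.new` staging suffix and the PUSH_SCP / PUSH_SSH override variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: the ".new" staging
# suffix, the PUSH_SCP / PUSH_SSH override variables and the function names.

# Print the usable host names from a list file. Blank lines and "#" comments
# are skipped; anything that is not a plain DNS name is rejected, so an entry
# starting with "-" can never be parsed by ssh or scp as a command-line option.
valid_hosts() {
    while IFS= read -r line || [ -n "$line" ]; do
        host=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$host" in
            ''|'#'*) continue ;;
            -*|*[!A-Za-z0-9.-]*) echo "skipping invalid entry: $line" >&2; continue ;;
        esac
        printf '%s\n' "$host"
    done < "$1"
}

# push_file SRC DEST LIST
# Copy SRC to DEST.new on every valid host in LIST, compare checksums, and only
# then move it over DEST. Prints "OK host" or "FAIL host" for each host and
# returns non-zero if any host failed, so cron or a wrapper can alert on it.
push_file() {
    src=$1; dest=$2; list=$3; failed=0
    want=$(cksum < "$src")
    # Word splitting is safe here: valid_hosts only emits [A-Za-z0-9.-] names.
    for host in $(valid_hosts "$list"); do
        # BatchMode=yes: fail at once instead of prompting when the agent
        # holds no usable key or the host key is unknown.
        if ${PUSH_SCP:-scp} -q -o BatchMode=yes -o ConnectTimeout=10 \
               "$src" "nitin@$host:$dest.new" &&
           got=$(${PUSH_SSH:-ssh} -n -o BatchMode=yes -o ConnectTimeout=10 \
               "nitin@$host" "cksum < '$dest.new'") &&
           [ "$got" = "$want" ] &&
           ${PUSH_SSH:-ssh} -n -o BatchMode=yes -o ConnectTimeout=10 \
               "nitin@$host" "mv '$dest.new' '$dest'"
        then
            echo "OK $host"
        else
            echo "FAIL $host"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage, with ssh-agent already holding the key:
#   push_file /home/nitin/ntp.conf /etc/ntp.conf /home/nitin/list
```

A host that is down or rejects the key shows up as a FAIL line instead of stalling the whole run at a password prompt.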

Saturday, August 28, 2004

SSH

Hi Friends

Sorry I could not post for so long, but life's been all the more hectic since the last post, and I am putting up this post on a Friday night with eyes full of sleep, but I hope this helps.

It helped me a lot though.

SSH is a much more secure way of sending data over the network because it encrypts the information, as compared to telnet which sends it as plain text.

Through with all this theory; now just a thought on how it could make your life easier:

right from logging in to all servers without a password, to pushing updated conf files to all servers without manual intervention, to using the rsync package to keep your servers in sync.

This component is generally called OpenSSH's RSA/DSA key authentication system.

OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.

Now this is how you go on to do it :

%ssh nitin@remoteserver
nitin@remoteserver password:

This is generally the cumbersome process.


Here is the way to make it simple :

% ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/nitin/.ssh/identity): (hit enter)
Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter it again)
Your identification has been saved in /home/nitin/.ssh/identity.
Your public key has been saved in /home/nitin/.ssh/identity.pub.
The key fingerprint is:
a4:e7:f2:39:a7:eb:fd:f8:39:f1:f1:7b:fe:48:a1:09 nitin@localbox

Generally newer versions of keygen will ask you for the type of key you want to generate :

% ssh-keygen -t rsa1 (thats what i prefer / you can also use dsa)

Also note that ssh-keygen prompted us to enter a passphrase. When prompted, we entered a good passphrase (seven or more hard-to-predict characters). ssh-keygen then encrypted our private key (~/.ssh/identity) using this passphrase so that our private key will be useless to anyone who does not know it.

# ssh nitin@remoteserver
Enter passphrase for key '/home/nitin/.ssh/identity': (enter passphrase)

Last login: Thu Aug 28 20:28:47 from localbox.mydomain.net
Welcome to remoteserver!%

Now entering a password every time is as cumbersome as entering a passphrase.

So there's a workaround for it :

a cool utility called ssh-agent.

% ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XX4LkMJS/agent.26916;export SSH_AUTH_SOCK;
SSH_AGENT_PID=26917; export SSH_AGENT_PID;
echo Agent pid 26917;

so to run it type

% eval `ssh-agent`

% ssh-add ~/.ssh/identity

Need passphrase for /home/nitin/.ssh/identity

Enter passphrase for /home/nitin/.ssh/identity (enter passphrase) :

ssh-agent is really cool, but its default configuration still leaves us with a few minor inconveniences. Let's take a look at them.
For one, with eval `ssh-agent` in ~/.bash_profile, a new copy of ssh-agent is launched for every login session; not only is this a tad bit wasteful, but it also means that you need to use ssh-add to add a private key to each new copy of ssh-agent. If you only open a single terminal or console on your system, this is no big deal, but most of us open quite a few terminals and need to type in our passphrase every single time we open a new console. Technically, there's no reason why we should need to do this since a single ssh-agent process really should suffice.
Another problem with the default ssh-agent setup is that it's not compatible with cron jobs. Since cron jobs are started by the cron process, they won't inherit the SSH_AUTH_SOCK variable from their environment, and thus won't know that a ssh-agent process is running or how to contact it. It turns out that this problem is also fixable.

The fix is something called the ssh-keychain project.

I generally do not use it; if you want to try it, you can access it at :

http://www.gentoo.org/projects/keychain.html

My way of working around the issue is adding the below lines to my .profile file

eval `ssh-agent`
ssh-add ~/.ssh/identity

and a script to kill the ssh-agent session when i log out.

I guess I will put up the file updating and usage of rsync with this rsa/dsa ssh authentication tomorrow.

Good Nite to all b4 i go off to sleep its 02:30 HRS IST

Suggestions are always welcome.

Nitin


Saturday, August 21, 2004

NTP aka Network Time Protocol

The long-awaited weekend has arrived after a hectic week at work (usually this is not very common for system / network admins :)) and it looks like in the midst of everything and work I found the girl I think is my type, and I hope things go the good way :).

Picking up a very light topic today but a very important one is to have all the servers in sync with a central server with aspect to time.

This generally helps a lot when comparing logs from different machines etc ....

A li'll theory behind NTP is that NTP is organised in a hierarchical client-server model. In the top of this hierarchy there are a small number of machines known as reference clocks. A reference clock is known as stratum 0 and is typically a cesium clock or a Global Positioning System (GPS) that receives time from satellites. Attached to these machines there are the so-called stratum 1 servers (that is, stratum 0 clients), which are the top level time servers available to the Internet, that is, they are the best NTP servers available.

With all these theoretical definitions done, what we as admins actually need to do is synchronise one server on the n/w with a public NTP server and keep the other servers on the n/w in sync with the NTP server on our production network.

Basically the NTP server and client are not two different daemons; it is one and the same thing and just depends on the configuration file /etc/ntp.conf.

Before we start with the actual configuration, a list of public NTP servers can be found at : http://www.eecis.udel.edu/~mills/ntp/servers.html

The major files used for NTP :

1. /etc/ntp.conf Whenever ntpd starts it checks its configuration file to determine synchronization sources, authentication options, monitoring options, access control and other operating options.

2. /etc/ntp/drift The frequency file, which contains the latest estimate of clock frequency error.

3. /etc/ntp/keys If specified, ntpd will also look for this file containing the authentication keys.

Taking a look at the sample /etc/ntp.conf :

# Server to sync the clock from
server 134.214.100.6
server publicntpserver.com
# Peers are servers on the same network which also act as NTP servers.

peer 192.168.100.125
peer 192.168.100.126
peer 192.168.100.127

# Location of the drift File
driftfile /etc/ntp/drift

# Does the server require authentication? (A better method to block other public servers from synchronising is the restrict option shown below.)

authenticate no

#This is used in case authentication method is used.
#keys /etc/ntp/keys
#trustedkey 65535
#requestkey 65535
#controlkey 65535

# This is a better way to restrict servers by allowing only certain IP subnets.
# by default ignore all ntp packets
restrict 0.0.0.0 mask 0.0.0.0 ignore
# allow localhost
restrict 127.0.0.1 mask 255.255.255.255
# accept packets from... (Only the servers on the subnet below will be allowed to sync time including localhost :)
restrict 192.168.100.125 mask 255.255.255.255
restrict 192.168.100.126 mask 255.255.255.255
restrict 192.168.100.127 mask 255.255.255.255

A sample file on the NTP client would simply be :

#more /etc/ntp.conf

driftfile /etc/ntp/ntp.drift
pidfile /var/run/ntpd.pid
server ntp1.mydomain.com
server ntp2.mydomain.com

restrict default ignore
restrict 127.0.0.1
restrict
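
An added example (not from the original post) that audits an ntp.conf like the two above: under a default `ignore` policy, ntpd also drops the replies from its own `server` and `peer` sources unless a more specific `restrict` entry covers them, so the script lists every source left uncovered. The function names, the finding labels and the embedded sample (constructed from the server config above) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and the
# OPEN / BLOCKED / INCOMPLETE labels are assumptions of this example.

# audit_ntp_conf [FILE]: read an ntp.conf (stdin when FILE is omitted) and report
#   OPEN        no default-deny restrict entry is in place
#   BLOCKED     a server/peer that no non-ignore restrict entry covers
#   INCOMPLETE  a restrict line with no address
audit_ntp_conf() {
    awk '
    function ip2n(a,   o) {     # dotted quad -> number, -1 if not an IPv4 literal
        if (a !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function has_flag(f,   i) {
        for (i = 2; i <= NF; i++) if ($i == f) return 1
        return 0
    }
    { sub(/#.*/, "") }          # strip comments
    NF == 0 { next }
    $1 == "server" || $1 == "peer" { n++; kind[n] = $1; addr[n] = $2; next }
    $1 != "restrict" { next }
    NF == 1 { printf "INCOMPLETE line %d: restrict without an address\n", NR; next }
    {
        mask = ($3 == "mask") ? $4 : "255.255.255.255"
        if ($2 == "default" || mask == "0.0.0.0") {
            seen_default = 1; deny = has_flag("ignore"); next
        }
        if (has_flag("ignore")) next
        # For a contiguous netmask, 2^32 - mask is the size of the address block.
        r++; rnet[r] = $2; rsize[r] = 4294967296 - ip2n(mask)
    }
    END {
        if (!seen_default) print "OPEN no default restrict entry"
        else if (!deny)    print "OPEN default restrict entry lacks ignore"
        if (!deny) exit
        for (i = 1; i <= n; i++) {
            ok = 0; a = ip2n(addr[i])
            for (j = 1; j <= r && !ok; j++) {
                b = ip2n(rnet[j])
                if (a < 0 || b < 0) ok = (addr[i] == rnet[j])   # host names: exact match
                else ok = (int(a / rsize[j]) == int(b / rsize[j]))
            }
            if (!ok) printf "BLOCKED %s %s\n", kind[i], addr[i]
        }
    }' "${1:--}"
}

# Constructed sample: the server-side configuration shown above, condensed.
sample_server_conf() {
    cat <<'EOF'
server 134.214.100.6
server publicntpserver.com
peer 192.168.100.125
peer 192.168.100.126
peer 192.168.100.127
driftfile /etc/ntp/drift
restrict 0.0.0.0 mask 0.0.0.0 ignore
restrict 127.0.0.1 mask 255.255.255.255
restrict 192.168.100.125 mask 255.255.255.255
restrict 192.168.100.126 mask 255.255.255.255
restrict 192.168.100.127 mask 255.255.255.255
EOF
}

# Usage:
#   sample_server_conf | audit_ntp_conf
#   audit_ntp_conf /etc/ntp.conf
```

Adding a `restrict` entry for each upstream source, for example with the `nomodify notrap noquery` flags, clears the BLOCKED findings while keeping the default deny.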

That should get you up and running on the NTP side. Some good utilities that come with the NTP server :

ntp-genkeys >>>> to generate a key for NTP authentication
ntpd >>>> The actual NTP daemon
ntpdate >>>> Generally used in cron jobs, or run manually when your machine is not continuously on the internet and you connect to it.

Crontab entry to update the system clock once a day
0 2 * * * /usr/sbin/ntpdate -s -b -p 8 -u 129.132.2.21

-b : Force the time to be stepped using the settimeofday() system call, rather than slewed (default) using the adjtime() system call. This option should be used when called from a startup file at boot time.
-p samples : Specify the number of samples to be acquired from each server as the integer samples, with values from 1 to 8 inclusive. The default is 4.
-s : Divert logging output from the standard output (default) to the system syslog facility. This is designed primarily for convenience of cron scripts.
-u : Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the -d option always uses unprivileged ports.


Last but not the least NTP works on the port no. 123 and supports both TCP and UDP protocols.

After you modify your ntp.conf for a new subnet, the steps to check are :

1. Check your rules on the firewall / ACLs on the router to see whether the traffic is allowed to pass or not.
2. Check the /etc/hosts.allow file on the server to see whether the new subnet is allowed there.
3. This is the most common mistake, and I make it too: after modifying the configuration file I do not give a -HUP to the NTP daemon so that it can read the new configuration again and accept time packets from the new servers.

Hey people, I think today's stuff was written in a very unorganised manner, but lack of time and a 72 Hr work schedule ...... :)


Will try and put up some more intriguing topics like BGP, starting with simple topics and moving on to complex stuff like route dampening and filters etc ....



Tuesday, August 17, 2004

Cisco Router / Switch Password recovery procedure

Hi Folks ,

The best way to manage logins for cisco routers / switches is using the tacacs server.

It provides central authentication / privilege levels etc....

But one big problem you face is that when the connectivity to tacacs goes down the router falls back to the default authentication procedure.
Many a time you forget the default enable passwords and you are in a fix if the connectivity goes down .... that's what happened with me :(.

Btw if you want to know how to get your cisco routers on tacacs please go to :

http://www.cisco.com/warp/public/480/tacplus.shtml#intro

But the important part is how to break the current password :

Step 1 : Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings (Generally Hyper terminal is used) :
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control

Step 2 : Type show version and record the setting of the configuration register.
The configuration register setting is usually 0x2102 or 0x102.

Step 3 : Reboot the cisco router

Step 4: Press Break (ctrl + break) on the terminal keyboard within 60 seconds of the powerup to put the router into ROMMON.

Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.

Step 5: Type reset at the rommon 2> prompt.

Now with output from a test router as below :

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x6fdb4c
Self decompressing the image :

Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8
cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)
--- System Configuration Dialog ---

Step 6 : Would you like to enter the initial configuration dialog? [yes/no]: n (please do a ctrl + c or no at this prompt )

Press RETURN to get started!
00:00:19: %LINK-3-UPDOWN: Interface BRI0/0, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
00:00:19: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:50: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
00:00:50: %LINK-5-CHANGED: Interface BRI0/0, changed state to administratively do
00:00:52: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administrative
00:00:52: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively
00:00:52: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administrative
00:00:52: %LINK-5-CHANGED: Interface Serial0/1, changed state to administratively
00:00:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed st
00:00:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed st

Sorry for the above garbled router output.
After booting you come to the prompt below without being asked for a password :

Router>
Router>en

Step 7 : Router#copy start run

Destination filename [running-config]?
1324 bytes copied in 2.35 secs (662 bytes/sec)

Router#
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state
00:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:2, changed state

Step 8 : Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Change the password for the cisco router :

Step 9 : Router(config)#enable secret cisco

Router(config)#^Z

00:01:54: %SYS-5-CONFIG_I: Configured from console by console

This step is very important as interfaces are generally shut down after the recovery procedure :
Check the interfaces which are shutdown and un shut them.

Step 10 : Router#sh ip int brief
Interface        IP-Address       OK? Method Status                Prot
Ethernet0/0      10.200.40.37     YES TFTP   administratively down down
Serial0/0        unassigned       YES TFTP   administratively down down
BRI0/0           193.251.121.157  YES unset  administratively down down
BRI0/0:1         unassigned       YES unset  administratively down down
BRI0/0:2         unassigned       YES unset  administratively down down
Ethernet0/1      unassigned       YES TFTP   administratively down down
Serial0/1        unassigned       YES TFTP   administratively down down
Loopback0        193.251.121.157  YES TFTP   up                    up

Enter the configuration mode and un shut the interfaces :

Step 11 :Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.
Step 12 : Router(config)#int Ethernet0/0
Router(config-if)#no shut
Router(config-if)#
00:02:14: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:02:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed st

Step 13 : After all this done. Write the running config into flash memory :

Router#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Step 14 : Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:21 by phanguye
Image text-base: 0x80008088, data-base: 0x80C524F8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Router uptime is 3 minutes
System returned to ROM by abort at PC 0x802D0B60
System image file is "flash:c2600-is-mz.120-7.T"
cisco 2611 (MPC860) processor (revision 0x202) with 26624K/6144K bytes of memory.
Processor board ID JAB031202NK (3878188963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
--More--
8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)

Configuration register is 0x2142 (this needs to be changed back to normal 0x2102)

Change the configuration register value back to normal :

Step 15 :Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#config-reg 0x2102
Router(config)#^Z

00:03:20: %SYS-5-CONFIG_I: Configured from console by console


That's it folks, the register value will be changed at the next reboot.

Want to reboot the Cisco router and check? Go ahead, but remember we are here to minimise the downtime :).

--Nitin.

Sunday, August 15, 2004

Jump Start Installation in Sun Solaris / Redhat Linux

Hello to all on a lazy sunday evening ...

Jai Hind to my fellow Indian's. Happy Independence Day to all.

Coming back to work ....

The stuff sysadmins generally don't like is installation of large sets of machines (say 30 to 40), or maybe 10, in a day (or say a week's time).
Some of the solutions normally used would be :

Disk Cloning
The most primitive, and perhaps oldest, technique is to create a prototype system by hand and then backup a copy of that system to be replicated on other systems. A lot of computer vendors do this to create their pre-installed systems. In many cases, the cloning is done by bulk copying the hard disk. Dump/restore or dd are useful for this.
After the system is cloned, you will usually need to give it some configuration (IP address, hostname, etc.), but you may be able to automate this with BOOTP or DHCP (that's the tedious part of it, because servers in a production environment generally have a static IP address).

JumpStart (Sun Solaris) / KickStart (Redhat Linux) (that's what I generally do) :

The solution was initially introduced by Sun in its Solaris OS and later implemented by Redhat.

I will put down some steps for the Sun systems:

Before you start make sure that :

1. The install server or boot server is in the same local network segment as the client, with the network link up.
2. NFS, tftp and the reverse address lookup daemon (in.rarpd) services are running on the jumpstart server.

Preparing for a jumpstart server

Install Solaris 2.x, then make a directory to store the install server data.

mkdir /export/install
share it

vi /etc/dfs/dfstab

add share -F nfs -o ro,anon=0 /export/install to export file system for sharing.

Do a shareall so that the file system is now exported

Setting up an Install server
Mount the Solaris 2.x cdrom and follow the steps :

cd /cdrom/cdrom0/s0/Solaris_2.7/Tools
./setup_install_server /export/install


This will copy the cdrom contents in to the /export/install directory

cp -r /cdrom/cdrom0/s0/Solaris_2.7/Misc/* /jumpstart

< /jumpstart is the directory into which the jumpstart sample conf files are copied from the CD >

Edit the sample rules file as per your requirement

vi /jumpstart/rules

The keywords, their values and their usage are described in the rules file itself. A minus sign (-) as a rule value always matches for that keyword.

RULE_KEYWORD   RULE_VALUE    DESCRIPTIONS
domainname     text          system's domain name
disksize       text range    system's disk size
                             disk device name (text)
                             disk size (MBytes range)
hostname       text          system's host name

etc., all depending on your requirements.
Don't forget to add a default profile.
The following rule set matches any machine and redirect the install request to a profile file called any_machine.

any - - any_machine -

Verifying rules

./check
Validating rules... Validating profile any_machine... rules ok.

vi any_machine
install_type initial_install
system_type server
partitioning explicit
filesys c0t0d0s0 500 /
filesys c0t0d0s1 1000 swap
filesys c0t0d0s3 1000 /usr
filesys c0t0d0s4 1000 /var
filesys c0t0d0s5 1000 /opt
cluster SUNWCall add

vi sysidcfg

system_locale=en_US
install_locale=en_US
timeserver=ntpserver1.com (put the name of your NTP server here)
timezone=Asia/Calcutta
network_interface=hme0 {netmask=255.255.255.0}
name_service=NONE

As you can see this file keeps all your system information like locale time zone etc and supply it to the client at the booting time.

Edit the file /etc/ethers to put in the client mac Id and hostname

vi /etc/ethers

8:00:50:44:88:12 Mercury

Finally adding a client to the boot image.

cd /export/install/Solaris_2.7/Tools
./add_install_client -e 8:00:50:44:88:12 -s inst_server:/export/install -c inst_server:/jumpstart -p inst_server:/jumpstart Mercury sun4u

-e specify the ethernet address of client
-s option specify the location of boot image
-c option specify the jumpstart directory path.
-p option specify the sysidcfg file location
inst_server is your jumpstart server mercury is jumpstart client to be installed

Now go to the clients :

ok>boot net - install
The install will finish, reboot and ask for the new root password, and after that it takes you to the console prompt where you can log in and do any additional tasks you want to do.

This is a very basic type of JumpStart installation. You can also have a begin script, which is a shell script used to perform tasks before the Solaris OS is installed. These are specified in the rules file.


Last but not the least Redhat Kickstart Help can be found at

http://www.faqs.org/docs/Linux-HOWTO/KickStart-HOWTO.html

You can always get back to me with any questions.


Saturday, August 14, 2004

Hello Fella Bloggers

I am Nitin Batta from Mumbai, India.

I work on deploying / configuring large storage area networks , handling Cisco 7200 series routers and 3600 switches. Managing and deploying UNIX and Linux servers with different flavours.

I am going to put up articles on how I go about my job (troubleshooting networks / closing security holes / handling network issues).

Last but not the least i am just 23 years young so friends (Only girls) are always welcome to drop in a line.