SLES10 – Page 4

Nagios3 with Active Directory authorization on SLES10

July 14, 2008June 21, 2013 Christian Leave a comment

Well, it seems to be getting a “trend” for me, to integrate stuff into our Active Directory. Now that I know why, and how easy that is, I expect to add more stuff. The good thing about the integration is, that you only need to maintain a single source for authorization.

The bad thing about that is, that stuff becomes dependent on the Active Directory (we do have four domain controllers, so that should be fine).

Now, here’s the ssl-(only) apache2 configuration file for my vhost:

&lt;VirtualHost *:80&gt;
  ## mod_core
  DocumentRoot &quot;/usr/share/nagios&quot;

  ServerName nagios.barfoo.org
  ServerAlias nagios3.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ## mod_rewrite
  RewriteEngine On
  RewriteRule ^/(.*)         https://nagios.barfoo.org/$1 [L,R]

&lt;/VirtualHost&gt;

&lt;VirtualHost *:443&gt;

  ## mod_core
  DocumentRoot &quot;/usr/share/nagios&quot;

  ServerName nagios.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi
  Alias /nagios /usr/share/nagios
  Alias /pnp /usr/share/nagios/html/pnp4nagios

  &lt;DirectoryMatch &quot;/usr/(share/nagios|lib/nagios/cgi)&quot;&gt;
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.0.0.
    Options None

    # Authorization
    AuthType Basic
    AuthName &quot;Nagios Barfoo&quot;

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # Redirect the userfile requests to /dev/null
    AuthUserFile /dev/null

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN &quot;BARFOO\ldap_nagios&quot;
    AuthLDAPBindPassword &quot;somethingrandom&quot;

    # The URL to search in
    AuthLDAPURL &quot;ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)&quot;

    # Search the group membership in the specified group, otherwise it&#039;s gonna
    # get searched at the binding DN&#039;s location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org
  &lt;/DirectoryMatch&gt;

  ## mod_log
  ErrorLog /var/log/apache2/nagios.barfoo.org.error_log
  TransferLog /var/log/apache2/nagios.barfoo.org.access_log
  CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log   ssl_combined

  ## mod_ssl
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key

  &lt;Files ~ &quot;.(cgi|shtml|phtml|php3|php?)$&quot;&gt;
    SSLOptions +StdEnvVars
  &lt;/Files&gt;

  SetEnvIf User-Agent &quot;.*MSIE.*&quot; 
    nokeepalive ssl-unclean-shutdown 
    downgrade-1.0 force-response-1.0

&lt;/VirtualHost&gt;

## mod_core

DocumentRoot "/usr/share/nagios"

ServerName nagios.barfoo.org

ServerAlias nagios3.barfoo.org

ServerAdmin nagiosadmin@barfoo.org

## mod_rewrite

RewriteEngine On

RewriteRule ^/(.*) https://nagios.barfoo.org/$1 [L,R]

</VirtualHost>

## mod_core

DocumentRoot "/usr/share/nagios"

ServerName nagios.barfoo.org

ServerAdmin nagiosadmin@barfoo.org

ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi

Alias /nagios /usr/share/nagios

Alias /pnp /usr/share/nagios/html/pnp4nagios

AllowOverride None

Order deny,allow

Deny from all

Allow from 10.0.0.

Options None

# Authorization

AuthType Basic

AuthName "Nagios Barfoo"

# The authentification provider is mod_ldap

AuthBasicProvider ldap

# mod_ldap is our *only* authentification provider for this!

AuthzLDAPAuthoritative on

# Redirect the userfile requests to /dev/null

AuthUserFile /dev/null

# AD requires an authentication DN to access any records

AuthLDAPBindDN "BARFOO\ldap_nagios"

AuthLDAPBindPassword "somethingrandom"

# The URL to search in

AuthLDAPURL "ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)"

# Search the group membership in the specified group, otherwise it's gonna

# get searched at the binding DN's location

AuthLDAPGroupAttributeIsDN on

Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org

</DirectoryMatch>

## mod_log

ErrorLog /var/log/apache2/nagios.barfoo.org.error_log

TransferLog /var/log/apache2/nagios.barfoo.org.access_log

CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log ssl_combined

## mod_ssl

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt

SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key

SSLOptions +StdEnvVars

</Files>

SetEnvIf User-Agent ".*MSIE.*"

nokeepalive ssl-unclean-shutdown

downgrade-1.0 force-response-1.0

</VirtualHost>

As you can see, AuthLDAPUrl holds the four LDAP servers separated by spaces (that’s what the Apache2 documentation says about that), and that actually works.

The only additional thing I had to change from the nagios part is in /etc/nagios/cgi.cfg to allow everyone to issue system commands. Also, if you ever stumble upon extraneous chars in the check_nrpe output, update to a newer NRPE version, that fixed it for me (that is on the receiver side – as in the box running the NRPE agent).

Managing unixODBC connections on SLES10

July 3, 2008June 21, 2013 Christian Leave a comment

Recently I got the task, to implement unixODBC/freetds on one (well, it’s really three) of our web servers, as someone wanted to use Microsoft SQL Server 2005 with PHP (without using the MSSQL functions, which PHP provides soo nicely; don’t ask me why).

With that I also got a set of “instructions” on how to install freetds from source (remember, I was a Gentoo dev, so I know my way around, when it comes to building from source), as well as a small set of instructions on how to create the connection.

Well, after trying to figure out why the hell the connection ain’t working with unixODBC’s tsql and PHP’s odbc functions, and yet the plain connection using telnet works … *shrug* turns out it was a simple mistake …

The “howto” said something like this:

; html-script: false ][FreeTDS]
Description  = FreeTDS unixODBC Driver
Driver       = /usr/lib64/libtdsodbc.so
Setup        = /usr/lib64/libtdsodbc.so

[ODBC Data Sources]
mssql        = Microsoft SQL Server 2005

[mssql]
Driver       = /usr/lib64/libtdsodbc.so
Description  = MSSQLServer
Trace        = No
Database     = Database
TraceFile    = /var/log/freetdssql-foobar.log
Servername   = sql.foobar.org
Port         = 2433
TDS_Version  = 8.0

[Default]
Driver       = /usr/lib64/libtdsodbc.so

; html-script: false ][FreeTDS]

Description = FreeTDS unixODBC Driver

Driver = /usr/lib64/libtdsodbc.so

Setup = /usr/lib64/libtdsodbc.so

[ODBC Data Sources]

mssql = Microsoft SQL Server 2005

[mssql]

Driver = /usr/lib64/libtdsodbc.so

Description = MSSQLServer

Trace = No

Database = Database

TraceFile = /var/log/freetdssql-foobar.log

Servername = sql.foobar.org

Port = 2433

TDS_Version = 8.0

[Default]

Driver = /usr/lib64/libtdsodbc.so

; html-script: false ][FreeTDS]
Description  = FreeTDS unixODBC Driver
Driver       = /usr/lib64/libtdsodbc.so
Setup        = /usr/lib64/libtdsodbc.so

[ODBC Data Sources]
mssql        = Microsoft SQL Server 2005

[mssql]
Driver       = /usr/lib64/libtdsodbc.so
Description  = MSSQLServer
Trace        = No
Database     = Database
TraceFile    = /var/log/freetdssql-foobar.log
Server       = sql.foobar.org
Port         = 2433
TDS_Version  = 8.0

[Default]
Driver       = /usr/lib64/libtdsodbc.so

; html-script: false ][FreeTDS]

Description = FreeTDS unixODBC Driver

Driver = /usr/lib64/libtdsodbc.so

Setup = /usr/lib64/libtdsodbc.so

[ODBC Data Sources]

mssql = Microsoft SQL Server 2005

[mssql]

Driver = /usr/lib64/libtdsodbc.so

Description = MSSQLServer

Trace = No

Database = Database

TraceFile = /var/log/freetdssql-foobar.log

Server = sql.foobar.org

Port = 2433

TDS_Version = 8.0

[Default]

Driver = /usr/lib64/libtdsodbc.so

See the difference ? If not, I’ll show you a diff:

; html-script: false ]--- odbc.ini.orig
+++ odbc.ini
@@ -12,7 +12,7 @@
 Trace        = No
 Database     = Database
 TraceFile    = /var/log/freetdssql-foobar.log
-Servername   = sql.barfoo.org
+Server       = sql.barfoo.org
 Port         = 2433
 TDS_Version  = 8.0

; html-script: false ]--- odbc.ini.orig

+++ odbc.ini

@@ -12,7 +12,7 @@

Trace = No

Database = Database

TraceFile = /var/log/freetdssql-foobar.log

-Servername = sql.barfoo.org

+Server = sql.barfoo.org

Port = 2433

TDS_Version = 8.0

Something as simple as adding another part of a word (as in “name“) to Server, makes the whole thing go wonko. Well, it ain’t going wonko per se, as Servername is different from the meaning of Server, at least when it comes to freetds.

Servername is the SQL-Server Instance name, while Server is the DNS name .. figures.

subversion on WebDAV with Active Directory authorization on SLES10

June 29, 2008June 21, 2013 Christian Leave a comment

Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory“), but after that plain subversion commits via WebDAV (thus utilizing Apache) worked fine.

For POC or as a hint to myself, here’s where and what I needed to add/change:

Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:

dav_svn (dav_svn needs dav, thus the need to add it too)
dav
authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
ldap

After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:

&lt;IfModule mod_dav_svn.c&gt;

&lt;Location /svn&gt;
  DAV svn
  SVNParentPath /srv/svn

  # Limit write permission to list of valid users.
  &lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
    # Require SSL connection for password protection.
    # SSLRequireSSL

    AuthType Basic
    AuthName &quot;Subversion repositories (Domänenzugangsdaten)&quot;

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN &quot;CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org&quot;
    AuthLDAPBindPassword &quot;somethingrandom&quot;

    # The URL to search in
    AuthLDAPURL &quot;ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)&quot;

    # Search the group membership in the specified group, otherwise it&#039;s gonna
    # get searched at the binding DN&#039;s location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org

  &lt;/LimitExcept&gt;
&lt;/Location&gt;

DAV svn

SVNParentPath /srv/svn

# Limit write permission to list of valid users.

# Require SSL connection for password protection.

# SSLRequireSSL

AuthType Basic

AuthName "Subversion repositories (Domänenzugangsdaten)"

# The authentification provider is mod_ldap

AuthBasicProvider ldap

# mod_ldap is our *only* authentification provider for this!

AuthzLDAPAuthoritative on

# AD requires an authentication DN to access any records

AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org"

AuthLDAPBindPassword "somethingrandom"

# The URL to search in

AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)"

# Search the group membership in the specified group, otherwise it's gonna

# get searched at the binding DN's location

AuthLDAPGroupAttributeIsDN on

Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org

</LimitExcept>

</Location>

Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.

All I got was this line in the error_log of Apache:

[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for user failed][Operations error]

1	[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for user failed][Operations error]

Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:

The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file don’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.

Did I get the wrong file ? Absolutely.

/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what Apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.

Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tomorrow, today I’m gonna watch Band of Brothers.

The clue to build ppc64 RPM’s

June 26, 2008August 16, 2014 Christian Leave a comment

Remember, I talked about building RPM’s on SLES10SP2 on ppc64 ? Well, turns out I was rather stupid .. and it was rather simple (don’t ask me why I didn’t think of that). I tried asking solar, I used Google (apparently with the wrong search parameters), nothing though. Not a clue.

Today it bugged me again, so I used Google again. This time with “ppc64 suse rpmbuild“, and guess what I saw within the preview of the second hit ..

rpmbuild -ba --target ppc64 myfile.spec

1	rpmbuild -ba --target ppc64 myfile.spec

And here I thought I was missing something, turns out I was really stupid though .. *shrug* Building stuff like nagios works with that just fine ..

Update: or not. It worked only a single time and is broken ever since again. Guess I’m gonna reload the box on Tuesday.

Building RPMs on SLES10SP2-ppc64

June 14, 2008June 21, 2013 Christian 1 Comment

Well, it turns out that building stuff on ppc64 is a *real* pain in the ass, at least on anything SUSE related. I do have to tweak every damn spec to include this:

%ifarch ppc64
export LDFLAGS=&quot;$LDFLAGS -m64&quot;
%endif

%ifarch ppc64

export LDFLAGS="$LDFLAGS -m64"

%endif

Otherwise, ld is gonna fail when linking, as it’s gonna try linking the generated 64bit code (-m64 is passed on via RPM_OPT_FLAGS to CFLAGS) as 32bit code, which ain’t gonna work at all …

On top of that, stuff ain’t building due to multiple problems (for example nagios and vim, cause ld is unable to find the fitting -lperl (for nagios) and -lXt (for vim)) as well as source errors …

gcc -DHAVE_CONFIG_H -I. -I. -I../../include -I../../include -I/usr/include -D_FREETDS_LIBRARY_SOURCE -DUNIXODBC -DHAVE_UNISTD_H -DHAVE_PWD_H -DHAVE_SYS_TYPES_H -DHAVE_LONG_LONG -DSIZEOF_LONG=4 -D_REENTRANT -D_THREAD_SAFE -DDEBUG=1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pthread -O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -Wdeclaration-after-statement -MT connectparams.lo -MD -MP -MF .deps/connectparams.Tpo -c connectparams.c  -fPIC -DPIC -o .libs/connectparams.o
In file included from connectparams.c:22:
../../include/config.h:375:1: warning: &quot;SIZEOF_LONG&quot; redefined
&lt;command line&gt;:1:1: warning: this is the location of the previous definition
connectparams.c:90: error: static declaration of `SQLGetPrivateProfileString&#039; follows non-static declaration
/usr/include/odbcinst.h:170: error: previous declaration of `SQLGetPrivateProfileString&#039; was here
make[3]: *** [connectparams.lo] Error 1
make[3]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc&#039;
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc&#039;
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/srv/BUILD/freetds-0.82/src&#039;
make: *** [all-recursive] Error 1

gcc -DHAVE_CONFIG_H -I. -I. -I../../include -I../../include -I/usr/include -D_FREETDS_LIBRARY_SOURCE -DUNIXODBC -DHAVE_UNISTD_H -DHAVE_PWD_H -DHAVE_SYS_TYPES_H -DHAVE_LONG_LONG -DSIZEOF_LONG=4 -D_REENTRANT -D_THREAD_SAFE -DDEBUG=1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pthread -O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -Wdeclaration-after-statement -MT connectparams.lo -MD -MP -MF .deps/connectparams.Tpo -c connectparams.c -fPIC -DPIC -o .libs/connectparams.o

In file included from connectparams.c:22:

../../include/config.h:375:1: warning: "SIZEOF_LONG" redefined

<command line>:1:1: warning: this is the location of the previous definition

connectparams.c:90: error: static declaration of `SQLGetPrivateProfileString' follows non-static declaration

/usr/include/odbcinst.h:170: error: previous declaration of `SQLGetPrivateProfileString' was here

make[3]: *** [connectparams.lo] Error 1

make[3]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc'

make[2]: *** [all-recursive] Error 1

make[2]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc'

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/srv/BUILD/freetds-0.82/src'

make: *** [all-recursive] Error 1

IBM (Tivoli) Integrated Solutions Console

May 23, 2008June 21, 2013 Christian Leave a comment

Here I am, preparing our environment for the first (of hopefully many) tester for our upcoming VTL project. So I ended up installing the ISC and Administration Center for Tivoli Storage Manager on a 64bit guest (that is SLES10 for AMD64), just because I forgot to include support for later versions with our current running one. Guess what, na–na na na na. Exactly, didn’t work, the same errors I got while trying it before in a virtual environment. “Portlet is not available.”

So I ended up redoing the whole thing on a 32bit guest and guess what … bada-bing. works … *shrug* I don’t know whether or not that’s a surprising thing .. but what surprises me, is that I do have a working 64bit Integrated Solutions Console and Administration Center running, only difference is that one is running on real hardware.

Anyway, after looking on how the Integrated Solutions Console (that is the Websphere environment – yes *yuck*) did it’s own start up after boot (you know, I’d like to restart an application if it’s hanging without the need to reboot the whole box), I found this particular line of code:

; html-script: false ]isc6:23:boot:/opt/tivoli/isc/PortalServer/bin/startISC.sh ISC_Portal

1	; html-script: false ]isc6:23:boot:/opt/tivoli/isc/PortalServer/bin/startISC.sh ISC_Portal

And since I was lazy (and it was already Friday afternoon), I ended up writing a small init script which rids you of the need of such a ugly way to start a service.

#!/bin/sh
#
# /etc/init.d/isc
#
### BEGIN INIT INFO
# Provides:       isc
# Required-Start: network
# Should-Start:
# Required-Stop:  network
# Default-Start:  2 3 5
# Default-Stop:
# Description:    Start the Tivoli Integrated Solutions console
### END INIT INFO

. /etc/sysconfig/isc

BINDIR=/sbin

. /etc/rc.status
rc_reset

case &quot;$1&quot; in
  start)
    echo -n &quot;Starting Tivoli Integrated Solutions Console server&quot;
    startproc -p /var/run/tivoli-isc.pid 
      $ISC_INSTALL/PortalServer/bin/startISC.sh 
      ISC_Portal 2&gt;&amp;1 &gt;/var/log/tivoli-isc.log
    # I know, this is *real* ugly
    PID=$( tail -n 1 /var/log/tivoli-isc.log | cut -d  -f10 )
    echo $PID &gt;/var/run/tivoli-isc.pid
    rc_status -v
    ;;
  stop)
    echo -n &quot;Stopping Tivoli Integrated Solutions Console server&quot;
    $ISC_INSTALL/PortalServer/bin/stopISC.sh 
      ISC_Portal $ISC_ADMIN $ISC_PASSWORD 
      2&gt;&amp;1 &gt;/var/log/tivoli-isc.log
    rc_status -v
    ;;
  restart)
    $0 stop
  	$0 start
  	rc_status
  	;;
  status)
    echo -n &quot;Tivoli Integrated Solutions Console server:&quot;
    checkproc -p /var/run/tivoli-isc.pid 
      $ISC_INSTALL/AppServer/java/bin/java
    rc_status -v
    ;;
  *)
  	echo &quot;Usage: $0 {start|stop|status|restart}&quot;
    exit 1
  ;;
esac
rc_exit

#!/bin/sh

# /etc/init.d/isc

### BEGIN INIT INFO

# Provides: isc

# Required-Start: network

# Should-Start:

# Required-Stop: network

# Default-Start: 2 3 5

# Default-Stop:

# Description: Start the Tivoli Integrated Solutions console

### END INIT INFO

. /etc/sysconfig/isc

BINDIR=/sbin

. /etc/rc.status

rc_reset

case "$1" in

start)

echo -n "Starting Tivoli Integrated Solutions Console server"

startproc -p /var/run/tivoli-isc.pid

$ISC_INSTALL/PortalServer/bin/startISC.sh

ISC_Portal 2>&1 >/var/log/tivoli-isc.log

# I know, this is *real* ugly

PID=$( tail -n 1 /var/log/tivoli-isc.log | cut -d -f10 )

echo $PID >/var/run/tivoli-isc.pid

rc_status -v

;;

stop)

echo -n "Stopping Tivoli Integrated Solutions Console server"

$ISC_INSTALL/PortalServer/bin/stopISC.sh

ISC_Portal $ISC_ADMIN $ISC_PASSWORD

2>&1 >/var/log/tivoli-isc.log

rc_status -v

;;

restart)

$0 stop

$0 start

rc_status

;;

status)

echo -n "Tivoli Integrated Solutions Console server:"

checkproc -p /var/run/tivoli-isc.pid

$ISC_INSTALL/AppServer/java/bin/java

rc_status -v

;;

echo "Usage: $0 {start|stop|status|restart}"

exit 1

;;

esac

rc_exit

And the corresponding sysconfig file:

## Type:     string
## Default:  iscadmin
## Config:   &quot;&quot;
## ServiceRestart:  isc
#
# Adminstration user for the Portal
ISC_ADMIN=&quot;iscadmin&quot;

## Type:     string
## Default:  iscadmin
## Config:   &quot;&quot;
## ServiceRestart:  isc
#
# Adminstration user password for the Portal
ISC_PASSWORD=&quot;iscadmin&quot;

## Type:     string
## Default:  /opt/ISC/601
## Config:   &quot;&quot;
## ServiceRestart:  isc
#
# Full path to the ISC Portal installation root directory
ISC_INSTALL=&quot;/opt/tivoli/isc&quot;

## Type: string

## Default: iscadmin

## Config: ""

## ServiceRestart: isc

# Adminstration user for the Portal

ISC_ADMIN="iscadmin"

## Type: string

## Default: iscadmin

## Config: ""

## ServiceRestart: isc

# Adminstration user password for the Portal

ISC_PASSWORD="iscadmin"

## Type: string

## Default: /opt/ISC/601

## Config: ""

## ServiceRestart: isc

# Full path to the ISC Portal installation root directory

ISC_INSTALL="/opt/tivoli/isc"

Et voilá, it’s done. Now just a `chkconfig -a isc‘ and it’s gonna startup nice and easy (when it really should) via the normal service startup and not get spawned from the inittab.

patch2mail for SLES10

April 21, 2008June 21, 2013 Christian 1 Comment

Well, there is this “nifty” tool called patch2mail, which basically converts the XML for the updates to a more readable format. But you’re screwed if you want to do the same on SLES10. Since it ain’t shipping with the zypper xml wrapper thing, you need to do it a bit different.

So I ended up writing a small (and yet, ugly) shell script to generate me a mail of my liking ..

#!/bin/bash
TO=&quot;admin-addr@localhost&quot;
CLASSES=&quot;security recommended optional&quot;
 
# Temporary files
ZYPP_LIST=&quot;$( mktemp /tmp/zypper-list.XXXXXX )&quot;
ZYPP_DETAILS=&quot;$( mktemp /tmp/zypper-details.XXXXXX )&quot;
TMP=&quot;$( mktemp /tmp/zypper-report.XXXXXX )&quot;
zypper pch 2&gt;/dev/null &gt; $ZYPP_LIST
 
# Figure out how much updates are still pending
PENDING=&quot;$( cat $ZYPP_LIST | grep &quot;| Needed&quot; | wc -l )&quot;
 
if [ $PENDING -eq 0 ] ; then
  exit 0
fi
 
echo &gt; $TMP
echo &quot; Pending updates for $( domainname -f ) on $( date )&quot; &gt;&gt; $TMP
 
for severity in $CLASSES; do
  PACKAGES=&quot;$( cat $ZYPP_LIST | egrep &quot;${severity}(.*)| Needed&quot; | 
    cut -d| -f2 | sed &quot;s,^ ,,&quot; )&quot;
  echo
  echo &quot;  Category: $severity&quot;
  for package in $PACKAGES; do
    zypper patch-info $package 2&gt;/dev/null &gt; $ZYPP_DETAILS
    echo &quot;  * $package ($( cat $ZYPP_DETAILS | grep &quot;Version: &quot; | 
      sed &quot;s,Version,version,&quot; ))&quot;
    echo &quot;    $( cat $ZYPP_DETAILS | grep &quot;Summary: &quot;)&quot;
    echo &quot;    $( cat $ZYPP_DETAILS | grep &quot;Reboot Required:&quot; )&quot;
    echo
  done
  echo
done &gt;&gt; $TMP
 
cat $TMP | 
  mail -s &quot;[$( date +%F )] Update report for $( domainname -f )&quot; $TO
trap &#039;rm -f &quot;$TMP&quot; &quot;$ZYPP_LIST&quot; &quot;$ZYPP_DETAILS&quot; &gt;/dev/null 2&gt;&amp;1&#039; 0
trap &quot;exit 2&quot; 1 2 3 15
 
# vim: set tw=80

#!/bin/bash

TO="admin-addr@localhost"

CLASSES="security recommended optional"

# Temporary files

ZYPP_LIST="$( mktemp /tmp/zypper-list.XXXXXX )"

ZYPP_DETAILS="$( mktemp /tmp/zypper-details.XXXXXX )"

TMP="$( mktemp /tmp/zypper-report.XXXXXX )"

zypper pch 2>/dev/null > $ZYPP_LIST

# Figure out how much updates are still pending

PENDING="$( cat $ZYPP_LIST | grep "| Needed" | wc -l )"

if [ $PENDING -eq 0 ] ; then

exit 0

echo > $TMP

echo " Pending updates for $( domainname -f ) on $( date )" >> $TMP

for severity in $CLASSES; do

PACKAGES="$( cat $ZYPP_LIST | egrep "${severity}(.*)| Needed" |

cut -d| -f2 | sed "s,^ ,," )"

echo

echo " Category: $severity"

for package in $PACKAGES; do

zypper patch-info $package 2>/dev/null > $ZYPP_DETAILS

echo " * $package ($( cat $ZYPP_DETAILS | grep "Version: " |

sed "s,Version,version," ))"

echo " $( cat $ZYPP_DETAILS | grep "Summary: ")"

echo " $( cat $ZYPP_DETAILS | grep "Reboot Required:" )"

echo

done

echo

done >> $TMP

cat $TMP |

mail -s "[$( date +%F )] Update report for $( domainname -f )" $TO

trap 'rm -f "$TMP" "$ZYPP_LIST" "$ZYPP_DETAILS" >/dev/null 2>&1' 0

trap "exit 2" 1 2 3 15

# vim: set tw=80

Creating multi-distribution RPM/XML repositories

April 2, 2008August 16, 2014 Christian Leave a comment

Well, as we do have quite a few custom built RPM’s, I was searching for a new solution to manage the repo(s). Currently I do have a single repository per distribution.

One thing one needs to know about createrepo (from createrepo), it doesn’t support this type of thing in the first place. So I had to come up with another way of doing it. First, I created a proper layout (much like the Debian Official Repository layout):

dists/
- sle9/ (contains the repodata for SLES 9)
- sle10/ (contains the repodata for SLES 10)
- esx35/ (contains the repodata for VMware ESX 3.5)
i586/
noarch/
ppc64/
src/
x86_64/

As you can see, this is gonna get tricky in regards to managing the RPMS in a single place, while keeping the distributions apart.

So I went ahead, rewrote the script that perviously managed our two repositories for SLES 9/10. The limitation I pointed out above (keeping the RPMS in a single place), is easily overcome by using bind-mounts (sure it looks messy).

Now the only problem I’m still facing is that createrepo isn’t even looking at the excludes when it’s called by the script. But if I pass the raw command line the script is calling on a simple shell, it works like a charm .. So I don’t have the slightest clue right now, why in gods name it ain’t working … 🙁

OCFS2 follow-up

March 7, 2008June 21, 2013 Christian Leave a comment

OK, it turned out that said colleague wasn’t responsible at all. Turns out, the *real* trigger was me creating a new volume on our SAN, on the same array that houses the OCFS2 volume.

Apparently, during creation of an additional SAN volume, all other SAN volumes in this array are either read-only or delayed during that time, as you can see from the following log:

kernel: (13,3):o2hb_write_timeout:242 ERROR: Heartbeat write timeout to device sdd1 after 12000 milliseconds
kernel: Heartbeat thread (13) printing last 24 blocking operations (cur = 4):
kernel: Heartbeat thread stuck at waiting for read completion, stuffing current time into that blocker (index 4)
kernel: Index 5: took 0 ms to do submit_bio for read
kernel: Index 6: took 0 ms to do waiting for read completion
kernel: Index 7: took 0 ms to do bio alloc write
kernel: Index 8: took 0 ms to do bio add page write
kernel: Index 9: took 0 ms to do submit_bio for write
kernel: Index 10: took 0 ms to do checking slots
kernel: Index 11: took 0 ms to do waiting for write completion
kernel: Index 12: took 2002 ms to do msleep
kernel: Index 13: took 0 ms to do allocating bios for read
kernel: Index 14: took 0 ms to do bio alloc read
kernel: Index 15: took 0 ms to do bio add page read
kernel: Index 16: took 0 ms to do submit_bio for read
kernel: Index 17: took 0 ms to do waiting for read completion
kernel: Index 18: took 0 ms to do bio alloc write
kernel: Index 19: took 0 ms to do bio add page write
kernel: Index 20: took 0 ms to do submit_bio for write
kernel: Index 21: took 0 ms to do checking slots
kernel: Index 22: took 0 ms to do waiting for write completion
kernel: Index 23: took 2004 ms to do msleep
kernel: Index 0: took 0 ms to do allocating bios for read
kernel: Index 1: took 0 ms to do bio alloc read
kernel: Index 2: took 0 ms to do bio add page read
kernel: Index 3: took 0 ms to do submit_bio for read
kernel: Index 4: took 9995 ms to do waiting for read completion
kernel: (13,3):o2hb_stop_all_regions:1682 ERROR: stopping heartbeat on all active regions.
kernel: Kernel panic - not syncing: *** ocfs2 is very sorry to be fencing this system by panicing ***

kernel: (13,3):o2hb_write_timeout:242 ERROR: Heartbeat write timeout to device sdd1 after 12000 milliseconds

kernel: Heartbeat thread (13) printing last 24 blocking operations (cur = 4):

kernel: Heartbeat thread stuck at waiting for read completion, stuffing current time into that blocker (index 4)

kernel: Index 5: took 0 ms to do submit_bio for read

kernel: Index 6: took 0 ms to do waiting for read completion

kernel: Index 7: took 0 ms to do bio alloc write

kernel: Index 8: took 0 ms to do bio add page write

kernel: Index 9: took 0 ms to do submit_bio for write

kernel: Index 10: took 0 ms to do checking slots

kernel: Index 11: took 0 ms to do waiting for write completion

kernel: Index 12: took 2002 ms to do msleep

kernel: Index 13: took 0 ms to do allocating bios for read

kernel: Index 14: took 0 ms to do bio alloc read

kernel: Index 15: took 0 ms to do bio add page read

kernel: Index 16: took 0 ms to do submit_bio for read

kernel: Index 17: took 0 ms to do waiting for read completion

kernel: Index 18: took 0 ms to do bio alloc write

kernel: Index 19: took 0 ms to do bio add page write

kernel: Index 20: took 0 ms to do submit_bio for write

kernel: Index 21: took 0 ms to do checking slots

kernel: Index 22: took 0 ms to do waiting for write completion

kernel: Index 23: took 2004 ms to do msleep

kernel: Index 0: took 0 ms to do allocating bios for read

kernel: Index 1: took 0 ms to do bio alloc read

kernel: Index 2: took 0 ms to do bio add page read

kernel: Index 3: took 0 ms to do submit_bio for read

kernel: Index 4: took 9995 ms to do waiting for read completion

kernel: (13,3):o2hb_stop_all_regions:1682 ERROR: stopping heartbeat on all active regions.

kernel: Kernel panic - not syncing: *** ocfs2 is very sorry to be fencing this system by panicing ***

OCFS2 fun

March 6, 2008August 16, 2014 Christian Leave a comment

Turns out, that said colleague has been playing with NFS on one off the web nodes, thus apparently rendering the remaining nodes offline (or semi-offline).

Now after all web nodes hung themselves, we had to hard reset them, now everything is tingly again .. *yay* for a great first day …