analytic

Thursday, 20 June 2013

Increasing the maximum processes value in Linux

The maximum number of processes that can run concurrently on a Linux server is 32768 (the range of a short int), which means that at any given time at most 32768 processes can exist on the server. This value can be increased by modifying the pid_max parameter under /proc/sys/kernel/. The setting can be made permanent by adding the parameter to /etc/sysctl.conf.

To increase the number at run time, execute the following command:

echo 33000 > /proc/sys/kernel/pid_max

Replace 33000 with the maximum number of processes you want on your servers.
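The functions below are an added example, not part of the original post: they validate a candidate pid_max value, report how full the PID space currently is (a fork() that fails because no PID is free is the symptom you are trying to avoid), and apply the value both at run time through /proc and persistently in /etc/sysctl.conf. The assumptions are a 64-bit kernel, whose ceiling for pid_max is 4194304, and the kernel's refusal of values below 301; the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: validate a pid_max value,
# report how full the PID space is, and apply the value at run time and
# persistently. Assumes a 64-bit kernel (ceiling 4194304); the kernel
# also rejects values below 301.
PID_MAX_CEILING=4194304

# pidmax_valid N : succeed only if N is an integer the kernel will accept.
pidmax_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 301 ] && [ "$1" -le "$PID_MAX_CEILING" ]
}

# pidmax_check USED MAX : print the percentage of the PID space in use and
# fail when it is 80% or more (arbitrary threshold), so the caller can raise
# pid_max before fork() starts failing. USED is normally
# $(ps -e --no-headers | wc -l) and MAX is $(cat /proc/sys/kernel/pid_max).
pidmax_check() {
    pct=$(( $1 * 100 / $2 ))
    echo "$pct% of $2 PIDs in use"
    [ "$pct" -lt 80 ]
}

# pidmax_sysctl_line N : the sysctl.conf line that makes the setting survive
# a reboot.
pidmax_sysctl_line() {
    echo "kernel.pid_max = $1"
}

# pidmax_apply N : set the value now via /proc and record it in
# /etc/sysctl.conf, replacing an existing kernel.pid_max line if there is
# one. Needs root. The file is rewritten through a temp copy so a failed
# sed never truncates the real sysctl.conf.
pidmax_apply() {
    pidmax_valid "$1" || { echo "invalid pid_max: $1" >&2; return 1; }
    echo "$1" > /proc/sys/kernel/pid_max || return 1
    if grep -q '^kernel.pid_max' /etc/sysctl.conf 2>/dev/null; then
        sed "s/^kernel.pid_max.*/$(pidmax_sysctl_line "$1")/" /etc/sysctl.conf \
            > /etc/sysctl.conf.tmp && mv /etc/sysctl.conf.tmp /etc/sysctl.conf
    else
        pidmax_sysctl_line "$1" >> /etc/sysctl.conf
    fi
}

# Typical use as root:
#   pidmax_check "$(ps -e --no-headers | wc -l)" "$(cat /proc/sys/kernel/pid_max)" \
#       || pidmax_apply 65536
```

Source the file and call pidmax_apply with the value you want; the validation step is what stops a typo such as 330000000 from being rejected silently by the kernel while the sysctl.conf entry is still written.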


Wednesday, 29 May 2013

Authentication refused: bad ownership or modes for file

This is one of the common errors many system administrators face after configuring password-less SSH (key-based authentication) between two Unix servers. Password-less SSH does not work (ssh still asks for the user's password) and the /var/log/messages file shows an error message such as "sshd[15426]: Authentication refused: bad ownership or modes for file".
Most of the time this error is caused by incorrect permissions on the $HOME/.ssh/authorized_keys file.
To fix this error, make sure the permissions of $HOME/.ssh/authorized_keys and of the other important files are as given below.
1. Permissions on the $HOME/.ssh folder (the .ssh folder in the user's home directory) should be 700 (drwx------)
2. Permissions on the authorized_keys file in $HOME/.ssh should be 740
3. Permissions on the id_dsa or id_rsa file (depending on the key type used) in $HOME/.ssh should be 600
4. Permissions on the id_dsa.pub or id_rsa.pub file in $HOME/.ssh should be 640
5. Permissions on the known_hosts file in $HOME/.ssh should be 640.
6. Make sure the $HOME/.ssh folder and all the files mentioned above have the correct ownership (for example, if you log in as the pwssh user, the ownership of the .ssh folder and of every file inside it should be pwssh:pwssh).
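The script below is an added example, not part of the original post: it audits a user's .ssh directory against the list above and prints every file whose mode or owner deviates, which is quicker than eyeballing ls -l on each server. The underlying check in sshd is StrictModes (on by default): it refuses the key when the home directory, .ssh or authorized_keys is writable by group or others, or owned by someone else. The script assumes GNU stat (Linux); the directory layout built by sshdir_demo is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a user's .ssh directory
# against the permissions listed above and report every file that deviates.
# Assumes GNU stat (Linux).   Usage: sshdir_audit /home/pwssh/.ssh pwssh

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 700
owner_of() { stat -c '%U' "$1"; }   # owning user name

# check_one PATH WANT_MODE WANT_OWNER : print a line for each mismatch and
# return 1; a PATH that does not exist is skipped (not every user has
# every key file) and counts as fine.
check_one() {
    path=$1; want_mode=$2; want_owner=$3; rc=0
    [ -e "$path" ] || return 0
    have_mode=$(mode_of "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD MODE  $path is $have_mode, expected $want_mode"; rc=1
    fi
    have_owner=$(owner_of "$path")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "BAD OWNER $path is $have_owner, expected $want_owner"; rc=1
    fi
    return $rc
}

# sshdir_audit DIR USER : apply the post's list to DIR; succeed only when
# nothing is wrong.
sshdir_audit() {
    dir=$1; user=$2; problems=0
    check_one "$dir"                 700 "$user" || problems=$((problems + 1))
    check_one "$dir/authorized_keys" 740 "$user" || problems=$((problems + 1))
    check_one "$dir/id_rsa"          600 "$user" || problems=$((problems + 1))
    check_one "$dir/id_dsa"          600 "$user" || problems=$((problems + 1))
    check_one "$dir/id_rsa.pub"      640 "$user" || problems=$((problems + 1))
    check_one "$dir/id_dsa.pub"      640 "$user" || problems=$((problems + 1))
    check_one "$dir/known_hosts"     640 "$user" || problems=$((problems + 1))
    [ "$problems" -eq 0 ]
}

# sshdir_demo : build a throwaway .ssh layout (constructed, owned by the
# current user) with one deliberately wrong mode on id_rsa, audit it, and
# return the audit result (1, because of that mode).
sshdir_demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/.ssh"
    touch "$tmp/.ssh/authorized_keys"; chmod 740 "$tmp/.ssh/authorized_keys"
    touch "$tmp/.ssh/id_rsa";          chmod 644 "$tmp/.ssh/id_rsa"
    if sshdir_audit "$tmp/.ssh" "$(id -un)"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run sshdir_audit "$HOME/.ssh" "$(id -un)" as the affected user; a non-zero exit with BAD MODE or BAD OWNER lines tells you exactly which chmod or chown to run.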
Cheers!!

Immutable Files in Linux

Recently I came across a situation where I was trying to delete a configuration file on Linux and got the error "rm: cannot remove `path/filename': Operation not permitted". I was logged in as root, but even so I was neither able to change the contents of the file nor to delete it. I checked the ownership and permissions on the file and found that it was owned by root with permissions 644, the default permissions for a newly created file.
[root@vcsnode1 ~]# ls -l /etc/configfile
-rw-r--r-- 1 root root 0 Jan 26 08:45 /etc/configfile
[root@vcsnode1 ~]#
After a little troubleshooting, I found that the immutable flag was set on the file.
What is the immutable flag :
The immutable flag is an additional file attribute that can be set on a file so that no one can delete or tamper with it. It is very useful to set this flag on production servers where changes to configuration files are rare. This attribute can be set on a Linux second extended file system only.
Who can set the immutable flag on a file:
Only the root user or a process holding the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
How to check whether the immutable flag is set on a file
The lsattr command can be used to check whether the immutable flag is set on a file.
Syntax : lsattr filename
Example :
[root@vcsnode1 ~]# lsattr /etc/configfile
----i-------- /etc/configfile
[root@vcsnode1 ~]#
How to set/unset the immutable flag
The immutable flag can be set or unset using the chattr command.
To set the flag use the + sign with chattr, and to unset it use the - sign.
Syntax : chattr +i filename (set) or chattr -i filename (unset)
Example
[root@vcsnode1 ~]# chattr +i /etc/configfile
[root@vcsnode1 ~]# lsattr /etc/configfile
----i-------- /etc/configfile
[root@vcsnode1 ~]# chattr -i /etc/configfile
[root@vcsnode1 ~]# lsattr /etc/configfile
------------- /etc/configfile
[root@vcsnode1 ~]#
There are many other file attributes that can be set on a file on a Linux second extended file system. A few of them are listed below :
  1. append only (a) :- A file with this attribute can be opened in append mode only. One has to be root or a process holding the CAP_LINUX_IMMUTABLE capability to set or unset this flag.
  2. compressed (c) :- A file with this attribute is kept in compressed state on the disk by the kernel. A read to this file always
  3. no dump (d) :- A file with this attribute set is not a candidate for backup when the dump program runs.
  4. data journalling (j) :- A file with this attribute set has all of its data written to the journal before it is written to the file, if the file system is mounted with the ordered or writeback journaling option. If the file system is mounted with the "journal" journaling option, this flag has no effect, as that option already provides the same behaviour for every file stored on the file system.
  5. secure deletion (s) :- When a file with this attribute set is deleted, all of its data blocks are zeroed and written back to the disk.
All the above attributes can be set or unset using the chattr command.
Syntax : chattr +flag filename (set) or chattr -flag filename (unset)
To set an attribute, use the "+" sign with chattr followed by the flag letter given in "()" above.
To unset an attribute, use the "-" sign with chattr followed by the flag letter given in "()" above.
References : man pages for lsattr and chattr
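The following is an added example, not part of the original post: a small parser for lsattr output that lists every file carrying the immutable (i) or append-only (a) attribute under a directory. Knowing which files you locked down on purpose is what makes an unexpected +i (the situation described above, a file root suddenly cannot change) easy to spot during troubleshooting or an audit. The parser assumes the e2fsprogs lsattr format (attribute string, a space, the path); the SAMPLE_LSATTR text is constructed so the parser can be exercised without root or an ext file system.

```shell
#!/bin/sh
# Added example, not from the original post: find files carrying the
# immutable (i) or append-only (a) attribute by parsing lsattr output.
# Assumes e2fsprogs lsattr output: an attribute string, a space, the path.

# lsattr_with_flags LETTERS : read lsattr (-R) output on stdin and print
# "<matching letters> <path>" for each file whose attributes include any
# of LETTERS. Directory headers ("/etc:") and blank lines are skipped.
lsattr_with_flags() {
    want=$1
    while IFS= read -r line; do
        attrs=${line%% *}                    # first field: attribute string
        path=${line#* }                      # rest of the line: file name
        [ "$attrs" != "$line" ] || continue  # no space: header or blank line
        case "$attrs" in
            ''|*[!a-zA-Z-]*) continue ;;     # not an attribute string
        esac
        hits=$(printf '%s' "$attrs" | tr -cd "$want")   # keep wanted letters
        [ -n "$hits" ] && printf '%s %s\n' "$hits" "$path"
    done
    return 0
}

# immutable_files DIR : list files under DIR with the i or a flag set.
# lsattr prints errors for file systems without attributes; those are dropped.
immutable_files() {
    lsattr -R "$1" 2>/dev/null | lsattr_with_flags ia
}

# Constructed sample of "lsattr -R" output (not from a real system), used to
# exercise the parser offline.
SAMPLE_LSATTR='/etc:
----i-------- /etc/configfile
------------- /etc/hosts

/var/log:
-----a------- /var/log/audit.log'

# immutable_demo : run the parser over the constructed sample; prints
# "i /etc/configfile" and "a /var/log/audit.log".
immutable_demo() {
    printf '%s\n' "$SAMPLE_LSATTR" | lsattr_with_flags ia
}
```

Running immutable_files /etc on a production server and keeping the output under change control gives a baseline; a diff against that baseline after an incident shows which flags were added or removed.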

Sunday, 3 March 2013

Securing JBOSS JMX and Web Console

After installing the JBoss Application Server, the JMX console can be accessed by anybody without providing a username or password. This is a big security risk, as anybody can make changes through the JMX and web consoles. Basic username/password security for the JBoss JMX and web consoles can be set up by performing the following steps on the JBoss Application Server.

1. Edit $JBOSS_HOME/server/all/conf/props/jmx-console-users.properties to add JMX console users. Replace all with your JBoss profile name. The syntax for adding a user is username=password. By default this file contains the admin user with the password admin.
Ex : sysadmin=Password007 ## This entry creates a new JMX and web console user sysadmin with the password Password007
2. To grant the newly created user admin privileges on the JMX and web consoles, edit the jmx-console-roles.properties file in the $JBOSS_HOME/server/all/conf/props folder and add username=JBossAdmin.
Ex : sysadmin=JBossAdmin ## This entry grants the sysadmin user admin privileges on the JMX and web consoles.
3. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.
<jboss-web>
<security-domain>
java:/jaas/jmx-console
</security-domain>
</jboss-web>
4. Edit $JBOSS_HOME/server/all/deploy/jmx-console.war/WEB-INF/web.xml file and uncomment the security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>
HtmlAdaptor
</web-resource-name>
<description>
An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
5. The location, path or name of the users and roles configuration files, i.e. jmx-console-users.properties and jmx-console-roles.properties, can be changed by editing the $JBOSS_HOME/server/all/conf/login-config.xml file. A sample configuration is given below.
<application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
6. Edit the $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml file and uncomment the security domain as shown below.
<jboss-web>
<security-domain>java:/jaas/web-console</security-domain>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>
7. Edit the $JBOSS_HOME/server/all/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml file and uncomment the security constraint as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows
users with the role JBossAdmin to access the
HTML JMX console web application
</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>
8. Restart JBOSS.
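The script below is an added example, not part of the post or of JBoss: after step 8 it audits a profile directory for the two things the steps above change, the stock admin=admin entry in jmx-console-users.properties and a jboss-web.xml whose <security-domain> element is still inside an XML comment. A plain grep for <security-domain> would pass on the commented-out default, so the script strips XML comments first. The profile layout ($JBOSS_HOME/server/<profile>/...) follows the paths given in the steps; the sample files written by make_samples are constructed for the demonstration, not copied from a real server.

```shell
#!/bin/sh
# Added example, not from the original post or JBoss: audit a JBoss profile
# for a live admin=admin user and for consoles whose security-domain is
# still commented out.   Usage: jboss_console_audit $JBOSS_HOME/server/all

# props_has_default_admin FILE : succeed if the shipped admin=admin line is live.
props_has_default_admin() {
    grep -q '^[[:space:]]*admin=admin[[:space:]]*$' "$1"
}

# strip_xml_comments FILE : print FILE on one line with every <!-- ... -->
# removed, so that a commented-out element no longer matches.
strip_xml_comments() {
    tr -d '\n' < "$1" | awk '{
        s = $0
        while ((i = index(s, "<!--")) > 0) {
            j = index(substr(s, i + 4), "-->")
            if (j == 0) { s = substr(s, 1, i - 1); break }  # unterminated comment
            s = substr(s, 1, i - 1) substr(s, i + j + 6)
        }
        print s
    }'
}

# security_domain_active FILE : succeed if jboss-web.xml has an uncommented
# <security-domain> element.
security_domain_active() {
    strip_xml_comments "$1" | grep -q '<security-domain>'
}

# jboss_console_audit PROFILE_DIR : report the state of the users file and of
# both console descriptors. Returns 1 when anything is still open.
jboss_console_audit() {
    p=$1; bad=0
    u="$p/conf/props/jmx-console-users.properties"
    if [ -f "$u" ] && props_has_default_admin "$u"; then
        echo "WEAK: $u still contains admin=admin"; bad=1
    fi
    for w in "$p/deploy/jmx-console.war/WEB-INF/jboss-web.xml" \
             "$p/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml"; do
        if [ -f "$w" ] && ! security_domain_active "$w"; then
            echo "OPEN: $w has no active security-domain"; bad=1
        fi
    done
    return $bad
}

# make_samples : write constructed sample files (a stock users file, an
# unsecured and a secured jboss-web.xml) into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    printf 'admin=admin\n' > "$d/users.properties"
    cat > "$d/jboss-web.unsecured.xml" <<'EOF'
<jboss-web>
  <!-- uncomment to protect the console
  <security-domain>java:/jaas/jmx-console</security-domain>
  -->
</jboss-web>
EOF
    cat > "$d/jboss-web.secured.xml" <<'EOF'
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
EOF
    echo "$d"
}
```

Remember that the roles file is checked by nothing here: a user who is in jmx-console-users.properties but has no JBossAdmin role is simply denied by the auth-constraint, which is the behaviour you want.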

Sharing Keyboard and Mouse without KVM Switch using Synergy

Synergy is an open source, platform-independent application that lets you control two systems with the same keyboard and mouse without a KVM switch, saving the organization a few dollars :)
The latest release of Synergy supports almost all Windows platforms and Unix platforms with X Window System version 11 revision 4 or later. Synergy shares the keyboard and mouse over the network, so all the systems must support TCP/IP networking.
Synergy is open source and released under the GNU General Public License (GPL).
Setting up Synergy on Linux

1.  Download and install Synergy Software from http://sourceforge.net/projects/synergy2/files/
2.  Identify one system as the server; the other will be the client. I always prefer using a Unix machine as the server.
3.  In this example, I am going to use one Linux system and one Windows system to configure Synergy. On the Linux system, create the /etc/synergy.conf file with the following contents.
[root@linuxhost ~]# cat /etc/synergy.conf
# define the hosts
section: screens
linuxhost:
windowshost:
end
# define links i.e. which host is @ which side
section: links
linuxhost:
right=windowshost
windowshost:
left=linuxhost
end
[root@linuxhost ~]#
There are two sections in the configuration file.
Screens: This section defines the hosts or systems between which you want to share the keyboard and mouse. DNS must be configured, or an entry has to be made in the hosts file, before the host names can be used in /etc/synergy.conf.
Links: This section defines which host is on which side; in the above example the Windows host is on the right side of the Linux host, so if you move the mouse pointer off the right edge of the Linux screen, the pointer moves to the Windows machine, and vice versa.
4.  Execute the following command to start Synergy as the server on the Linux machine. You should see a message in /var/log/messages that the Synergy server has started.
[root@linuxhost ~]# synergys
[root@linuxhost ~]# tail -1 /var/log/messages
Mar 31 12:35:54 linuxhost Synergy 1.3.1: NOTE: synergys.cpp,500: started server
[root@linuxhost ~]#
5.  To make sure Synergy starts at system boot time, add "synergys" to the /etc/rc.local file.
6.  Now open the Synergy application on the Windows system.
7.  Select "Use another computer's shared keyboard and mouse (client)" and type the Linux system's hostname in the "Other Computer's Host Name" text box.

8.  Click on "Test".
9.  If you see the message "Connected to server", the configuration is successful.
10.  Close the test window and click on "Stop".

11.  Now click on "AutoStart".

12.  Click on "Install" under "When Computer Starts". You will get a dialog box saying "Installed auto-start". Click on "OK".

13.  Click on "Start". You will get a message that Synergy started successfully. Click on "OK".
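As an added example, not part of the original post or of the Synergy project, here is a sanity check for a /etc/synergy.conf of the simple form shown in step 3: it parses the screens and links sections and reports any host that is linked to but never declared as a screen, any link with an invalid direction, and (as a note) screens that have no links at all. It only understands the plain "name:" and "direction=name" lines used above, not the indented per-screen options Synergy also accepts; synergy_hosts_resolve covers the DNS/hosts-file requirement mentioned under Screens and needs name resolution to work.

```shell
#!/bin/sh
# Added example, not from the original post or the Synergy project: check a
# simple /etc/synergy.conf before starting synergys.
# Usage: synergy_conf_check /etc/synergy.conf && synergy_hosts_resolve /etc/synergy.conf

# synergy_conf_check FILE : print problems found in FILE; exit status 0 only
# when every host used in links is declared as a screen and every link
# direction is one of left/right/up/down.
synergy_conf_check() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blank lines
        $1 == "section:" { sect = $2; next }
        $1 == "end"      { sect = "";  next }
        sect == "screens" {
            name = $1; sub(/:$/, "", name); screens[name] = 1; next
        }
        sect == "links" {
            if ($1 ~ /:$/) { cur = $1; sub(/:$/, "", cur); used[cur] = 1; next }
            split($0, kv, "="); dir = kv[1]; tgt = kv[2]
            gsub(/[[:space:]]/, "", dir); gsub(/[[:space:]]/, "", tgt)
            if (dir !~ /^(left|right|up|down)$/) { print "bad direction: " dir; bad++ }
            if (tgt == "") { print "link without a target under " cur; bad++ }
            else used[tgt] = 1
        }
        END {
            for (h in used)    if (!(h in screens)) { print "undeclared screen: " h; bad++ }
            for (h in screens) if (!(h in used))    print "note: screen " h " has no links"
            exit bad ? 1 : 0
        }' "$1"
}

# synergy_hosts_resolve FILE : check that each screen name resolves through
# DNS or /etc/hosts, as the post requires. Needs working name resolution.
synergy_hosts_resolve() {
    rc=0
    for h in $(awk '$1 == "section:" { s = $2; next } $1 == "end" { s = ""; next }
                    s == "screens" { sub(/:$/, "", $1); print $1 }' "$1"); do
        getent hosts "$h" >/dev/null || { echo "does not resolve: $h"; rc=1; }
    done
    return $rc
}

# synergy_write_sample FILE : the configuration from the post (Windows host
# to the right of the Linux host), written out so the checker can be tried.
synergy_write_sample() {
    cat > "$1" <<'EOF'
# define the hosts
section: screens
linuxhost:
windowshost:
end
# define links i.e. which host is on which side
section: links
linuxhost:
right=windowshost
windowshost:
left=linuxhost
end
EOF
}
```

A typo in a link target is otherwise only discovered when the pointer refuses to cross the screen edge, so running the check before restarting synergys saves a round of log reading.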

Cheers!!

Setting up slewing NTP option in Linux

Many times while installing or configuring Oracle Cluster, DBAs receive the following error message.
Checking NTP daemon command line for slewing option "-x"
Check: NTP daemon command line
Node Name   Slewing Option Set?
vcsnode1 no
vcsnode2 no
Result: NTP daemon slewing option check failed on some nodes
PRVF-5436 : The NTP daemon running on one or more nodes lacks the slewing option "-x"
Result: Clock synchronization check using Network Time Protocol(NTP) failed
To fix this error, slewing needs to be configured.
Follow the steps below to configure slewing in Linux.
  • Stop ntpd daemon using the following command.
[root@vcsnode1 ~]# service ntpd stop
Shutting down ntpd:  [OK]
[root@vcsnode1 ~]#
  • Edit the /etc/sysconfig/ntpd file. Usually the file looks as given below.
[root@vcsnode1 sysconfig]# cat ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
[root@vcsnode1 sysconfig]#
  • Edit the file and add "-x" to the OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid" line, before "-u".
  • After editing the file, the contents should look like this:
[root@vcsnode1 sysconfig]# cat ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
[root@vcsnode1 sysconfig]#
  • Start ntpd daemon using the following command
[root@VCSNode2 ~]# service ntpd start
Starting ntpd:  [OK]
[root@VCSNode2 ~]#
  • Ask the DBA to install/proceed to configure Oracle Cluster
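The functions below are an added example, not part of the original post: they make the edit from the steps above repeatable across cluster nodes, adding "-x" to the OPTIONS line of /etc/sysconfig/ntpd exactly once, and they check afterwards whether the running ntpd actually carries the option (the Oracle check inspects the daemon's command line, so a file edit without the stop/start counts for nothing). The RHEL-style OPTIONS="..." line shown above is assumed; ntpd_write_sample reproduces the post's file contents for trying the functions on a copy.

```shell
#!/bin/sh
# Added example, not from the original post: check for and add the "-x"
# slewing option in /etc/sysconfig/ntpd, then confirm the daemon has it.
# Assumes the RHEL-style OPTIONS="..." line.

# ntpd_options FILE : the value of the OPTIONS="..." line, without quotes.
ntpd_options() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# ntpd_slewing_enabled FILE : succeed if -x is one of the configured options
# (word-wise, so "-xyz" or a path containing "-x" does not count).
ntpd_slewing_enabled() {
    for opt in $(ntpd_options "$1"); do
        [ "$opt" = "-x" ] && return 0
    done
    return 1
}

# ntpd_enable_slewing FILE : insert -x at the front of OPTIONS, once; append
# a full line if the file has no OPTIONS line. Rewrites through a temp file
# so a failed sed never truncates the original.
ntpd_enable_slewing() {
    ntpd_slewing_enabled "$1" && return 0
    if grep -q '^OPTIONS="' "$1"; then
        sed 's/^OPTIONS="/OPTIONS="-x /' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        echo 'OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid"' >> "$1"
    fi
}

# ntpd_running_with_slew : succeed if a running ntpd was started with -x,
# i.e. the daemon really was restarted after the file change.
ntpd_running_with_slew() {
    ps -eo args= | grep '^[^ ]*ntpd ' | grep -q -- ' -x'
}

# ntpd_write_sample FILE : the file contents shown in the post (a
# constructed copy), for trying the functions without touching /etc.
ntpd_write_sample() {
    cat > "$1" <<'EOF'
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=no
EOF
}

# Typical use as root on each node:
#   service ntpd stop
#   ntpd_enable_slewing /etc/sysconfig/ntpd
#   service ntpd start && ntpd_running_with_slew && echo "slewing active"
```

The word-wise check in ntpd_slewing_enabled is deliberate: a grep for "-x" would also match "-x" inside a pid-file path, giving a false "already configured" on a node that still fails the Oracle check.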
Cheers!!