SUSE Linux Enterprise Server 10 on VMware ESX
Posted on July 22nd, 2008 by Christian in Life
We’re currently having a *really* weird problem with our VM’s. Sometime last week, SUSE released a kernel update. Now, once you install it and you reboot the selected VM with a DVD/CD image present, you’re gonna see this:
msg.vmxaiomgr.retrycontabort.unknown
The only workaround so far has been to unmount *any* cleanse any CD-Drives attached to the VM. And yes, this is reproduceable, even reinstalling from scratch doesn’t change the fact, that after installing the patch the VM quits working.
I also know, SLES10 SP2 ain’t officially supported yet by VMware, but I’d still suspect it to just work and not produce such weird errors. The only thing I found so far is this VMTN thread ..
Nagios Hostgroup Inheritance (continued)
Posted on July 19th, 2008 by Christian in Life
Well, it turns out that my thought was ultimativly flawed. When defining the hostgroup_members in the lower tiers, nagios is association the checks from the lower tier with the upper tiers. Thus propagandating all checks upwards, and me ending up with ~250 checks instead of ~150.
Gonna have to try to define the dependency backwards, maybe that’ll help. But that’s a topic for Monday. Guess I’ll finish viewing Ghost in the Shell - Stand Alone Complex first.
Nagios Hostgroup Inheritance
Posted on July 17th, 2008 by Christian in Life
As I wrote earlier, I recently virtualized our nagios. Along with that came a complete “redesign” of how checks are applied. Up till now, I defined checks for each and every single server, thus ending up with ~25 files, each holding roughly 6 checks which are in the same file just sorted by hostname.
As you can imagine, it gets quite confusing with that amount of checks (~150). So the last two days I spent on reorganizing (with Visio), on which object/hostgroup placing a check would make sense. Now, this is my first result of two days planning, reorganizing, reordering and moving hosts into different hostgroups.
Nagios Hostgroup Inheritance - Linux
Nagios Hostgroup Inheritance - Windows
Thanks to Josh (and Chris I think), realizing the above is gonna get quite easy. Gonna talk about the config layout itself about once I have it all wrapped up. Stay tuned!
Latest SLES10 RPM additions
Posted on July 14th, 2008 by Christian in Life
Well, as some people know, I keep around a small set of packages for my own needs (stuff I need from time to time, packages currently in the distributions but yet too old).
So here are some additions to my small repo (that is so far this month):
- iftop 0.17-7 for SLES10 (i586, x86_64, srpm) — Rebuild from Fedora’s SRPM
- nagios-nrpe 2.12-1 for SLES10 (i586, x86_64, srpm) — Rebuild/Bump from my previous SRPM
- nagios 3.0.3-1 for SLES10 — Rebuild/Bump from the original SLES10 SRPM
- pnp4nagios 0.4.10 for SLES10 (i586, x86_64, srpm) — Rebuild from CentOS SRPM, modified to fit into the SLES scheme — currently has a small bug, still need to fix it tomorrow (/etc/apache2/conf.d/pnp4nagios.conf has a wrong “Allow” line … ooooops).
Nagios3 with Active Directory authorization on SLES10
Posted on July 14th, 2008 by Christian in Life
Well, it seems to be getting a “trend” for me, to integrate stuff into our Active Directory. Now that I know why, and how easy that is, I expect to add more stuff. The good thing about the integration is, that you only need to maintain a single source for authorization.
The bad thing about that is, that stuff becomes dependant on the Active Directory (we do have four domain controllers, so that should be fine).
Now, here’s the ssl-(only) apache2 configuration file for my vhost:
<VirtualHost *:80> ## mod_core DocumentRoot "/usr/share/nagios" ServerName nagios.barfoo.org ServerAlias nagios3.barfoo.org ServerAdmin nagiosadmin@barfoo.org ## mod_rewrite RewriteEngine On RewriteRule ^/(.*) https://nagios.barfoo.org/$1 [L,R] </VirtualHost> <VirtualHost *:443> ## mod_core DocumentRoot "/usr/share/nagios" ServerName nagios.barfoo.org ServerAdmin nagiosadmin@barfoo.org ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi Alias /nagios /usr/share/nagios Alias /pnp /usr/share/nagios/html/pnp4nagios <DirectoryMatch "/usr/(share/nagios|lib/nagios/cgi)"> AllowOverride None Order deny,allow Deny from all Allow from 10.0.0. Options None # Authorization AuthType Basic AuthName "Nagios Barfoo" # The authentification provider is mod_ldap AuthBasicProvider ldap # mod_ldap is our *only* authentification provider for this! AuthzLDAPAuthoritative on # Redirect the userfile requests to /dev/null AuthUserFile /dev/null # AD requires an authentication DN to access any records AuthLDAPBindDN "BARFOO\\ldap_nagios" AuthLDAPBindPassword "somethingrandom" # The URL to search in AuthLDAPURL "ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)" # Search the group membership in the specified group, otherwise it's gonna # get searched at the binding DN's location AuthLDAPGroupAttributeIsDN on Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org </DirectoryMatch> ## mod_log ErrorLog /var/log/apache2/nagios.barfoo.org.error_log TransferLog /var/log/apache2/nagios.barfoo.org.access_log CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log ssl_combined ## mod_ssl SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key <Files ~ "\.(cgi|shtml|phtml|php3|php?)$"> SSLOptions +StdEnvVars </Files> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>
As you can see, AuthLDAPUrl holds the four LDAP servers separated by spaces (that’s what the Apache2 documentation says about that), and that actually works.
The only additional thing I had to change from the nagios part is in /etc/nagios/cgi.cfg to allow everyone to issue system commands. Also, if you ever stumble upon extranous chars in the check_nrpe output, update to a newer NRPE version, that fixed it for me (that is on the receiver side - as in the box running the NRPE agent).
Managing unixODBC connections on SLES10
Posted on July 3rd, 2008 by Christian in Life
Recently I got the task, to implement unixODBC/freetds on one (well, it’s really three) of our web servers, as someone wanted to use Microsoft SQL Server 2005 with PHP (without using the MSSQL functions, which PHP provides soo nicely; don’t ask me why).
With that I also got a set of “instructions” on how to install freetds from source (remember, I was a Gentoo dev, so I know my way around, when it comes to building from source), as well as a small set of instructions on how to create the connection.
Well, after trying to figure out why the hell the connection ain’t working with unixODBC’s tsql and PHP’s odbc functions, and yet the plain connection using telnet works … *shrug* turns out it was a simple mistake …
The “howto” said something like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [FreeTDS] Description = FreeTDS unixODBC Driver Driver = /usr/lib64/libtdsodbc.so Setup = /usr/lib64/libtdsodbc.so [ODBC Data Sources] mssql = Microsoft SQL Server 2005 [mssql] Driver = /usr/lib64/libtdsodbc.so Description = MSSQLServer Trace = No Database = Database TraceFile = /var/log/freetdssql-foobar.log Servername = sql.foobar.org Port = 2433 TDS_Version = 8.0 [Default] Driver = /usr/lib64/libtdsodbc.so |
While it should have been this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [FreeTDS] Description = FreeTDS unixODBC Driver Driver = /usr/lib64/libtdsodbc.so Setup = /usr/lib64/libtdsodbc.so [ODBC Data Sources] mssql = Microsoft SQL Server 2005 [mssql] Driver = /usr/lib64/libtdsodbc.so Description = MSSQLServer Trace = No Database = Database TraceFile = /var/log/freetdssql-foobar.log Server = sql.foobar.org Port = 2433 TDS_Version = 8.0 [Default] Driver = /usr/lib64/libtdsodbc.so |
See the difference ? If not, I’ll show you a diff:
1 2 3 4 5 6 7 8 9 10 | --- odbc.ini.orig +++ odbc.ini @@ -12,7 +12,7 @@ Trace = No Database = Database TraceFile = /var/log/freetdssql-foobar.log -Servername = sql.barfoo.org +Server = sql.barfoo.org Port = 2433 TDS_Version = 8.0 |
Something as simple as adding another part of a word (as in “name“) to Server, makes the whole thing go wonko. Well, it ain’t going wonko per se, as Servername is different from the meaning of Server, at least when it comes to freetds.
Servername is the SQL-Server Instance name, while Server is the DNS name .. figures.
subversion on WebDAV with Active Directory authorization on SLES10
Posted on June 29th, 2008 by Christian in Life
Okay, so I ended up toying with subversion via WebDAV on SLES today (I know, I know .. it’s bloody Sunday). It wasn’t much of a hassle though, after reading this. Sure, I made a few errors at first (simply confused the logic behind “Location” and “Directory“), but after that plain subversion commits via WebDAV (thus utilizing apache) worked fine.
For POC or as a hint to myself, here’s where and what I needed to add/change:
Add the following modules to APACHE_MODULES in /etc/sysconfig/apache2:
- dav_svn (dav_svn needs dav, thus the need to add it too)
- dav
- authnz_ldap (authnz_ldap needs ldap, so again we need that too!)
- ldap
After that, we can add our repository (or our multi-repository folder) to /etc/apache2/conf.d/subversion.conf:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | <IfModule mod_dav_svn.c> <Location /svn> DAV svn SVNParentPath /srv/svn # Limit write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> # Require SSL connection for password protection. # SSLRequireSSL AuthType Basic AuthName "Subversion repositories (Domänenzugangsdaten)" # The authentification provider is mod_ldap AuthBasicProvider ldap # mod_ldap is our *only* authentification provider for this! AuthzLDAPAuthoritative on # AD requires an authentication DN to access any records AuthLDAPBindDN "CN=LDAP Subversion,OU=anon_accounts,OU=Users,DC=foobar,DC=org" AuthLDAPBindPassword "somethingrandom" # The URL to search in AuthLDAPURL "ldap://dc0.foobar.org/ou=Users,dc=foobar,dc=org?sAMAccountName?sub?(objectClass=*)" # Search the group membership in the specified group, otherwise it's gonna # get searched at the binding DN's location AuthLDAPGroupAttributeIsDN on Require ldap-group CN=gr_subversion,OU=Groups,DC=foobar,DC=org </LimitExcept> </Location> |
Now, as you can see, my goal was to not rely on a separate authorization database, but to use our already existing Active Directory at work. Generally this works just fine, but it didn’t. I tried various things, like trying another user, changing the group (as in the “require ldap-group“) as well as changing my own password. Zip.
All I got was this line in the error_log of apache:
[warn] [client 10.0.0.148] [9486] auth_ldap authenticate: user foo authentication failed; URI /svn/admin-scripts/!svn/act/71f2b65f-d050-0410-b33c-3b31fbb94a00 [ldap_search_ext_s() for use r failed][Operations error]
Now, that itself does tell you what is happening, but not why. So again, I ended up googling till I found this:
The suggested step was to add “REFERRALS off” to /etc/ldap/ldap.conf. Surprise, the file don’t exist. Heck, there’s that one in /etc/ldap.conf. I did that, still zip.
Did I get the wrong file ? Absolutely.
/etc/ldap.conf is used by nsswitch and pam_ldap, but not by openldap2 (which is what apache is using). So reading this comment, adding the line to /etc/openldap2/ldap.conf, and *kaching*! Works.
Now I just need to install redmine (already installed ruby, rubygems and rubygem-rails from the SDK Addon), but I’ll leave that for tommorow, today I’m gonna watch Band of Brothers.
The clue to build ppc64 RPM’s
Posted on June 26th, 2008 by Christian in Life
Remember, I talked about building RPM’s on SLES10SP2 on ppc64 ? Well, turns out I was rather stupid .. and it was rather simple (don’t ask me why I didn’t think of that). I tried asking solar, I used google (apparently with the wrong search parameters), nothing though. Not a clue.
Today it bugged me again, so I used google again. This time with “ppc64 suse rpmbuild“, and guess what I saw within the preview of the second hit ..
rpmbuild -ba --target ppc64 myfile.spec
And here I thought I was missing something, turns out I was really stupid though .. *shrug* Building stuff like nagios works with that just fine ..
Update: or not. It worked only a single time and is broken ever since again. Guess I’m gonna reload the box on Tuesday.
Building RPMs on SLES10SP2-ppc64
Posted on June 14th, 2008 by Christian in Life
Well, it turns out that building stuff on ppc64 is a *real* pain in the ass, at least on anything SUSE related. I do have to tweak every damn spec to include this:
%ifarch ppc64 export LDFLAGS="$LDFLAGS -m64" %endif
Otherwise, ld is gonna fail when linking, as it’s gonna try linking the generated 64bit code (-m64 is passed on via RPM_OPT_FLAGS to CFLAGS) as 32bit code, which ain’t gonna work at all …
On top of that, stuff ain’t building due to multiple problems (for example nagios and vim, cause ld is unable to find the fitting -lperl (for nagios) and -lXt (for vim)) as well as source errors …
gcc -DHAVE_CONFIG_H -I. -I. -I../../include -I../../include -I/usr/include -D_FREETDS_LIBRARY_SOURCE -DUNIXODBC -DHAVE_UNISTD_H -DHAVE_PWD_H -DHAVE_SYS_TYPES_H -DHAVE_LONG_LONG -DSIZEOF_LONG=4 -D_REENTRANT -D_THREAD_SAFE -DDEBUG=1 -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pthread -O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -Wdeclaration-after-statement -MT connectparams.lo -MD -MP -MF .deps/connectparams.Tpo -c connectparams.c -fPIC -DPIC -o .libs/connectparams.o In file included from connectparams.c:22: ../../include/config.h:375:1: warning: "SIZEOF_LONG" redefined <command line>:1:1: warning: this is the location of the previous definition connectparams.c:90: error: static declaration of `SQLGetPrivateProfileString' follows non-static declaration /usr/include/odbcinst.h:170: error: previous declaration of `SQLGetPrivateProfileString' was here make[3]: *** [connectparams.lo] Error 1 make[3]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/srv/BUILD/freetds-0.82/src/odbc' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/srv/BUILD/freetds-0.82/src' make: *** [all-recursive] Error 1
IBM (Tivoli) Integrated Solutions Console
Posted on May 23rd, 2008 by Christian in Life
Here I am, preparing our environment for the first (of hopefully many) tester for our upcoming VTL project. So I ended up installing the ISC and Administration Center for Tivoli Storage Manager on a 64bit guest (that is SLES10 for AMD64), just because I forgot to include support for later versions with our current running one. Guess what, na-na na na na. Exactly, didn’t work, the same errors I got while trying it before in a virtual environment. “Portlet is not available.”
So I ended up redoing the whole thing on a 32bit guest and guess what … bada-bing. works … *shrug* I don’t know whether or not that’s a surprising thing .. but what surprises me, is that I do have a working 64bit Integrated Solutions Console and Administration Center running, only difference is that one is running on real hardware.
Anyway, after looking on how the Integrated Solutions Console (that is the Websphere environment - yes *yuck*) did it’s own start up after boot (you know, I’d like to restart an application if it’s hanging without the need to reboot the whole box), I found this particular line of code:
isc6:23:boot:/opt/tivoli/isc/PortalServer/bin/startISC.sh ISC_Portal
And since I was lazy (and it was already Friday afternoon), I ended up writing a small init script which rids you of the need of such a ugly way to start a service.
#! /bin/sh # # /etc/init.d/isc # ### BEGIN INIT INFO # Provides: isc # Required-Start: network # Should-Start: # Required-Stop: network # Default-Start: 2 3 5 # Default-Stop: # Description: Start the Tivoli Integrated Solutions console ### END INIT INFO . /etc/sysconfig/isc BINDIR=/sbin . /etc/rc.status rc_reset case "$1" in start) echo -n "Starting Tivoli Integrated Solutions Console server" startproc -p /var/run/tivoli-isc.pid \ $ISC_INSTALL/PortalServer/bin/startISC.sh \ ISC_Portal 2>&1 >/var/log/tivoli-isc.log # I know, this is *real* ugly PID=$( tail -n 1 /var/log/tivoli-isc.log | cut -d\ -f10 ) echo $PID >/var/run/tivoli-isc.pid rc_status -v ;; stop) echo -n "Stopping Tivoli Integrated Solutions Console server" $ISC_INSTALL/PortalServer/bin/stopISC.sh \ ISC_Portal $ISC_ADMIN $ISC_PASSWORD \ 2>&1 >/var/log/tivoli-isc.log rc_status -v ;; restart) $0 stop $0 start rc_status ;; status) echo -n "Tivoli Integrated Solutions Console server:" checkproc -p /var/run/tivoli-isc.pid \ $ISC_INSTALL/AppServer/java/bin/java rc_status -v ;; *) echo "Usage: $0 {start|stop|status|restart}" exit 1 ;; esac rc_exit
And the corresponding sysconfig file:
## Type: string ## Default: iscadmin ## Config: "" ## ServiceRestart: isc # # Adminstration user for the Portal ISC_ADMIN="iscadmin" ## Type: string ## Default: iscadmin ## Config: "" ## ServiceRestart: isc # # Adminstration user password for the Portal ISC_PASSWORD="iscadmin" ## Type: string ## Default: /opt/ISC/601 ## Config: "" ## ServiceRestart: isc # # Full path to the ISC Portal installation root directory ISC_INSTALL="/opt/tivoli/isc"
Et voilá, it’s done. Now just a `chkconfig -a isc‘ and it’s gonna startup nice and easy (when it really should) via the normal service startup and not get spawned from the inittab.