Posts Tagged ‘Linux’

Openssl s_client to verify you installed your certificate properly and list of return codes

I use openssl’s s_client option all the time to verify if a certificate is still good on the other end of a web service. So I figured I’d put a couple of common options down on paper for future use.

openssl s_client -connect www.google.com:443                          #HTTPS
openssl s_client -starttls ftp -connect some_ftp_server.com:21        #FTPES
openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:25      #SMTP (STARTTLS)
openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587     #SMTP submission (STARTTLS; implicit-TLS SMTPS is port 465)
openssl s_client -starttls imap -crlf -connect some_imap_server:143   #IMAP (STARTTLS)
openssl s_client -connect imap.gmail.com:993                          #IMAPS
openssl s_client -connect pop.gmail.com:995                           #POP3S


You can use the -showcerts option to display the entire certificate chain, which is useful for validating your intermediates.
You’ll also get an official “Verify return code” which can be used to diagnose any SSL/TLS issues. Here’s a quick list of common return codes:

(I blatantly grabbed this from here!)

Error Code | Error Text | Description
0 | Ok | The operation was successful.
2 | Unable to get issuer certificate | The issuer certificate of a looked-up certificate could not be found. This normally means the list of trusted certificates is not complete.
3 | Unable to get certificate CRL | The CRL of a certificate could not be found.
4 | Unable to decrypt certificate's signature | The certificate signature could not be decrypted. This means that the actual signature value could not be determined, rather than it not matching the expected value; this is only meaningful for RSA keys.
5 | Unable to decrypt CRL's signature | The CRL signature could not be decrypted. This means that the actual signature value could not be determined, rather than it not matching the expected value. Unused.
6 | Unable to decode issuer public key | The public key in the certificate SubjectPublicKeyInfo could not be read.
7 | Certificate signature failure | The signature of the certificate is invalid.
8 | CRL signature failure | The signature of the CRL is invalid.
9 | Certificate is not yet valid | The certificate is not yet valid: the notBefore date is after the current time.
10 | Certificate has expired | The certificate has expired: the notAfter date is before the current time.
11 | CRL is not yet valid | The CRL is not yet valid.
12 | CRL has expired | The CRL has expired.
13 | Format error in certificate's notBefore field | The certificate notBefore field contains an invalid time.
14 | Format error in certificate's notAfter field | The certificate notAfter field contains an invalid time.
15 | Format error in CRL's lastUpdate field | The CRL lastUpdate field contains an invalid time.
16 | Format error in CRL's nextUpdate field | The CRL nextUpdate field contains an invalid time.
17 | Out of memory | An error occurred trying to allocate memory. This should never happen.
18 | Self signed certificate | The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.
19 | Self signed certificate in certificate chain | The certificate chain could be built up using the untrusted certificates but the root could not be found locally.
20 | Unable to get local issuer certificate | The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
21 | Unable to verify the first certificate | No signatures could be verified because the chain contains only one certificate and it is not self-signed.
22 | Certificate chain too long | The certificate chain length is greater than the supplied maximum depth. Unused.
23 | Certificate revoked | The certificate has been revoked.
24 | Invalid CA certificate | A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.
25 | Path length constraint exceeded | The basicConstraints pathlength parameter has been exceeded.
26 | Unsupported certificate purpose | The supplied certificate cannot be used for the specified purpose.
27 | Certificate not trusted | The root CA is not marked as trusted for the specified purpose.
28 | Certificate rejected | The root CA is marked to reject the specified purpose.
29 | Subject issuer mismatch | The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set.
30 | Authority and subject key identifier mismatch | The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set.
31 | Authority and issuer serial number mismatch | The current candidate issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set.
32 | Key usage does not include certificate signing | The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.
50 | Application verification failure | An application-specific error. Unused.
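The following is an added example (not code from the original post) that turns the "Verify return code" line from s_client output into a pass/fail diagnosis the way a monitoring job would. It assumes openssl is on PATH for the live check; the embedded s_client output is a constructed sample so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example: parse "Verify return code" and the -showcerts chain out of
# openssl s_client output and map the code to the most common chain problems.

# Run s_client against HOST:PORT and capture everything it prints.
# Optional third argument is a -starttls protocol (smtp, imap, ftp ...).
# Assumed: the openssl binary is on PATH.
s_client_output() {
  if [ -n "$3" ]; then
    openssl s_client -starttls "$3" -crlf -showcerts -connect "$1:$2" </dev/null 2>&1
  else
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>&1
  fi
}

# Extract the numeric verify code from captured output, e.g. from
# "    Verify return code: 20 (unable to get local issuer certificate)".
# Prints nothing if the line is absent (handshake failed before verification).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Count the certificates -showcerts dumped: 1 means the server sent only its
# leaf (code 21 territory), 2 or more means intermediates were sent.
chain_length() {
  printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Map a verify code from the table above to a short diagnosis.
diagnose() {
  case "$1" in
    0)  echo "ok" ;;
    10) echo "expired: renew the certificate" ;;
    18) echo "self-signed leaf: not in the trust store" ;;
    19) echo "self-signed root in chain: root not in local trust store" ;;
    20) echo "issuer not found locally: server probably did not send the intermediate" ;;
    21) echo "only one cert sent and it is not self-signed: install the intermediate" ;;
    "") echo "no verify line: handshake probably failed" ;;
    *)  echo "verify error $1" ;;
  esac
}

# Constructed sample of what s_client prints for a server that serves its
# leaf but not its intermediate; the certificate body is a placeholder.
SAMPLE_MISSING_INTERMEDIATE='CONNECTED(00000003)
depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
MIIBsampleleafcertbodyconstructedfortheexample==
-----END CERTIFICATE-----
    Verify return code: 20 (unable to get local issuer certificate)
'

# One-line report for a host: chain length, code and diagnosis.
check_host() {
  out=$(s_client_output "$1" "$2" "$3")
  code=$(verify_code "$out")
  echo "$1:$2 chain_len=$(chain_length "$out") code=${code:-none} $(diagnose "$code")"
}

# Usage when run directly: ./check.sh www.example.test 443 [starttls-proto]
if [ $# -ge 2 ]; then
  check_host "$@"
fi
```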


Additional links:
https://www.openssl.org/docs/apps/s_client.html

https://www.openssl.org/docs/apps/ciphers.html

Implemented stronger Diffie-Hellman encryption thanks to “Logjam”

Well, I haven’t written anything in a while so I figured I’d put this into WP. I recently upgraded a couple of my iOS devices to 8.4 and sure enough, I couldn’t send emails. Come to find out, my services at home were using weaker DH encryption and I needed to fix them if I wanted to send email ever again from my iPhone.

First I worked on sendmail. I needed to first create a DH 2048 bit file using openssl:

openssl dhparam -out dh_2048.pem -2 2048

This produced a file in my /etc/pki/tls/certs folder which I can now configure sendmail.mc to use via adding this line:

define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh_2048.pem')

Next you can do a 'make -C /etc/mail' or simply restart sendmail, as it will detect the changes and do it for you (it did for me at least). Email was now working as expected and I'm no longer seeing this in my /var/log/maillog file:

Aug 1 11:01:10 Sauron sendmail[11796]: t71F0eh9011796: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 11:01:11 Sauron sendmail[11803]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
Aug 1 11:01:11 Sauron sendmail[11803]: t71F1Ae8011803: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 11:01:11 Sauron sendmail[11804]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
Aug 1 11:01:11 Sauron sendmail[11804]: t71F1BBU011804: 89.sub-70-197-133.myvzw.com [70.197.133.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA

Now to take a look at Apache. I’m using an older version, I think 2.2.3-91 w/ CentOS so there’s only so much I can do regarding MITM attacks apparently. But I can explicitly tell Apache to NOT use weaker encryption protocols even though I can’t use the SSLOpenSSLConfCmd DHParameters “{path to dhparams.pem}” option and specify my DH key.

Here’s what I did put in my ssl.conf file:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on


Which will at least help for now.
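As an added example (not the post's own code), here is how to confirm that the new DH parameters actually take effect from the client side, and how to count the STARTTLS failures shown in the maillog extract above. It assumes openssl 1.0.2 or later on PATH for the live probe (older versions do not print the "Server Temp Key" line); the s_client output and maillog lines embedded below are constructed samples.

```shell
#!/bin/sh
# Added example: check the DH group a server negotiates and count clients
# that still fail the STARTTLS handshake.

# Force a DHE suite so the server's DH group (not ECDHE) is what we measure.
# $3 is an optional -starttls protocol (smtp for the sendmail case above).
# Assumed: openssl on PATH.
probe_dhe() {
  if [ -n "$3" ]; then
    openssl s_client -cipher 'DHE:EDH' -starttls "$3" -crlf -connect "$1:$2" </dev/null 2>&1
  else
    openssl s_client -cipher 'DHE:EDH' -connect "$1:$2" </dev/null 2>&1
  fi
}

# Parse "Server Temp Key: DH, 2048 bits" (OpenSSL >= 1.0.2) into "DH 2048".
# Also handles "ECDH, P-256, 256 bits" and "X25519, 253 bits"; prints nothing
# if the line is absent (no DHE suite negotiated, or an older OpenSSL).
temp_key() {
  printf '%s\n' "$1" |
    sed -n 's/^ *Server Temp Key: \([A-Za-z0-9-]*\),.* \([0-9][0-9]*\) bits.*/\1 \2/p' |
    head -n 1
}

# Policy check on the parsed key: DH under 2048 bits is the Logjam range.
judge_temp_key() {
  set -- $1    # split "TYPE BITS" into $1 and $2 (both empty if no match)
  case "$1" in
    DH)
      if [ "$2" -ge 2048 ]; then echo "ok: DH $2 bits"
      else echo "weak: DH $2 bits, regenerate with openssl dhparam 2048"; fi ;;
    ECDH|X25519|X448) echo "ok: $1 $2 bits" ;;
    *) echo "unknown: no Server Temp Key line (no DHE suite, or OpenSSL < 1.0.2)" ;;
  esac
}

# Bit length of a dhparam file such as the dh_2048.pem generated above.
# Assumed: openssl on PATH; prints nothing if the file cannot be read.
dhparam_bits() {
  openssl dhparam -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Count STARTTLS accept failures in a maillog extract: clients that still
# reject the server's DH group show up exactly as in the log lines above.
tls_accept_failures() {
  printf '%s\n' "$1" | grep -c 'STARTTLS=server, error: accept failed' || true
}

# Constructed samples standing in for live output.
SAMPLE_WEAK_DH='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2713 bytes and written 438 bytes
'
SAMPLE_ECDH='---
Server Temp Key: ECDH, P-256, 256 bits
---
'
SAMPLE_MAILLOG='Aug 1 11:01:11 host sendmail[11803]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
Aug 1 11:01:11 host sendmail[11803]: t71F1Ae8011803: client.example.test [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 1 11:01:11 host sendmail[11804]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1
'

# Usage: ./dhcheck.sh mail.example.test 25 smtp
if [ $# -ge 2 ]; then
  judge_temp_key "$(temp_key "$(probe_dhe "$1" "$2" "$3")")"
fi
```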


Here’s a couple of useful links:

https://weakdh.org/sysadmin.html
http://serverfault.com/questions/700655/sendmail-rejecting-some-connections-with-handshake-failure-ssl-alert-number-40
http://weldon.whipple.org/sendmail/wwstarttls.html
http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd
http://appleinsider.com/articles/15/07/10/how-to-resolve-mail-smtp-errors-in-os-x-10104-and-ios-84


CentOS 6 with SCST

I keep meaning to write down my SCST installs so the other network engineers here at work can reference how I did it all. This documentation is also for me too (well, primarily for me actually!)

Here it goes…

1. Install CentOS:

   a. While on the Hostname screen, select "Configure Network" and check "Connect automatically" on your eth0 device so it will install and configure basic networking alongside NetworkManager.

   b. Select the "Software Development Workstation" option, then unselect the groups virtualization, virtualization-client and virtualization-platform, or let the installer finish and run "yum groupremove virtualization virtualization-client virtualization-platform" once you've booted into the OS for the first time. By selecting "Software Development Workstation" as your install type, it will install pretty much every package you'll need to do the kernel compile.

2. Now do a yum update and reboot the box so you're using the new kernel.

3. Install some remaining dependencies for this full kernel build:

   a. yum install asciidoc

   b. yum install newt-devel

   c. yum install xmlto (thanks Gilbert!)

4. Commence kernel build prep.

   a. Find out which kernel you're currently using with "uname -r" and write it down.

   b. Create a user for building the kernel and SCST by running "useradd mockbuild", then switch from root to that user with "su - mockbuild" for the next step (no, mockbuild doesn't need a password, so don't give it one!)

   c. As the mockbuild user, execute "mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}", which creates the directory structure for the build, and finally "echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros", which creates your .rpmmacros file with the build directory location. (NOTE: spacing is very important in this command. Just copy and paste to be sure you typed it correctly.)

   d. Again as the mockbuild user, execute "rpm -i http://vault.centos.org/6.4/updates/Source/SPackages/kernel-2.6.32-358.14.1.el6.src.rpm 2>&1 | grep -v mock", which installs the current kernel source and puts the files in your build tree folders (while also redirecting stderr to stdout and grepping it).

   e. In your home directory and as the mockbuild user, execute "rpmbuild -bp --target=$(uname -m) ./rpmbuild/SPECS/kernel.spec" (that's two hyphens in front of target) so it will uncompress the kernel sources and move them to your ./rpmbuild/BUILD folder. (NOTE: While it's running, open up another console and as root run "rngd -r /dev/urandom", as the certificates will drain the random number generator and kind of hang the rpmbuild.)

5. Download SCST from svn and patch the kernel in the BUILD directory.

   a. We need to grab a copy of SCST using svn. There are a number of branches but we want the latest stable, so run "svn co https://svn.code.sf.net/p/scst/svn/branches/2.2.x scst" as the mockbuild user in the /home/mockbuild directory. This will be the latest stable version of SCST, which is 2.2.1.

   b. Now that our user mockbuild has a copy of scst in his home directory, cd into the unpacked kernel so we can patch it. It should be "cd ~/rpmbuild/BUILD/kernel-2.6.32-358.14.1.el6/linux-2.6.32-358.14.1.el6.x86_64/".

   c. Patch for SCST's fifo vs lifo: "patch -p1 < ~/scst/scst/kernel/rhel/scst_exec_req_fifo-2.6.32.patch"

   d. Patch for iscsi-scst's put_page_callback: "patch -p1 < ~/scst/iscsi-scst/kernel/patches/rhel/put_page_callback-2.6.32-220.patch"

6. Time to compile the Linux kernel and install it.

   a. Compare your .config files (the default one inside ~/rpmbuild/BUILD/kernel-*/linux-*/.config against your current kernel config in /boot/config-2.6.32-*). They should pretty much match. This means you can skip "make oldconfig", which would prompt you for settings missing from your provided .config file compared with the kernel you're about to compile (meaning, if you're compiling a newer kernel, your .config file is missing some options, so it will prompt you for defaults and update your older .config file!)

   b. Change the kernel name by editing the Makefile. We need to separate this kernel from the others by editing the EXTRAVERSION variable. Change it to "=-scst" instead of leaving it empty or blank.

   c. Now run "make menuconfig" and change the following settings for SCST:

      i. Select "Network support" -> "Networking options", make sure "TCP/IP networking" is checked (it should be) and check "TCP/IP zero-copy transfer completion notification" underneath, so SCST will be notified when a transfer of data across the nic has finished. This way it can hurry up and send the next block, which should speed things up.

      ii. Next, verify that "Device Drivers" -> "SCSI device support" -> "SCSI disk support" is already checked. Again, for RHEL 6.4 it should be.

      iii. Verify that "Enable the block layer" -> "IO Schedulers" -> "CFQ I/O scheduler" and "Default I/O scheduler" set to CFQ are both set. Again, they should be.

      iv. Lastly, make sure "Processor type and features" -> "Preemption Model" is set to "No Forced Preemption" rather than Desktop mode.

      v. Once done, save your config so we can compile this kernel.

   d. Once that's done, we can compile it. Type "time make -j8 all" as the mockbuild user. This makes the kernel and modules while timing it and using all of your CPU's cores (for me, I've got 8 cores, so -j8!)

   e. Now we need to install our new kernel. Do a "make modules_install" as root, which will copy the modules over to the /lib/modules/<kernel name> directory (you did call your kernel something different by setting the EXTRAVERSION variable, right?) After it's done, do a "make install" as root as well, which will update the /boot directory and grub. Now update grub.conf so it will default to our new kernel upon boot.

   f. Once that's done, copy the current .config file in the /home/mockbuild/rpmbuild/BUILD/kernel-2.6.32-358.14.1.el6/linux-2.6.32-358.14.1.el6.x86_64 directory to the /boot directory and name it so that it matches your other config files in that directory (such as config-2.6.32-scst).

7. Reboot your system so we can use the new kernel and compile scst against the new kernel source files.

8. Now we'll compile SCST.

   a. Change the various Makefiles to release mode at once by issuing "make debug2release" in the main scst directory. This will remove the debugging stuff. Do this as root. Also, since CentOS 6 now uses sysfs and not proc, we don't have to do a "make enable_proc" like for CentOS 5.

   b. Now issue "make scst scst_install" as root in the mockbuild directory's scst folder.

   c. Issue "make iscsi iscsi_install" as root in your current folder.

   d. Finally, issue "make scstadm scstadm_install" as well. This finalizes the compiling part.

9. Configure and start SCST.

   a. We need to tell our system to start it up automagically on boot, so execute "/usr/lib/lsb/install_initd scst" as root.

   b. Either reboot to test it or "service scst start" to fire it up. (NOTE: We haven't done a config file yet, so it's running with nothing up!)

   c. Next, we need a simple config. Since I'm using actual RAID volumes as disks in SCST, I've gone with BLOCKIO devices and list them as /dev/sdX devices. You may want to use FILEIO devices instead, or even a different device handler altogether (scst_disk instead of scst_vdisk). Here's a couple of different examples:


      i. dev_disk example which uses scst_disk:

         HANDLER dev_disk {
             DEVICE 3:0:0:0
         }

         TARGET_DRIVER iscsi {
             enabled 1
             TARGET iqn.2013-07.com.example.san1:iscsi-tgt1 {
                 enabled 1
                 LUN 0 3:0:0:0
             }
         }

      ii. vdisk_blockio example which uses scst_vdisk:

         HANDLER vdisk_blockio {
             DEVICE disk01 {
                 filename /dev/sdb1
             }
             DEVICE disk02 {
                 filename /dev/sdc1
             }
         }

         TARGET_DRIVER iscsi {
             enabled 1
             TARGET iqn.2012-09.com.example.san1:iscsi-tgt1 {
                 enabled 1
                 LUN 0 disk01
                 LUN 1 disk02
             }
         }

      iii. vdisk_fileio example which also uses scst_vdisk:

         HANDLER vdisk_fileio {
             DEVICE mydisk01 {
                 filename /home/testdisk1
                 nv_cache 1
             }
         }

         TARGET_DRIVER iscsi {
             enabled 1
             TARGET iqn.2013-07.net.spiderbird.san2:iscsi-tgt1 {
                 enabled 1
                 LUN 0 mydisk01
             }
         }

10. Finalizing your install:

   a. Now that we're done, it's best to configure yum not to update your kernel with a newer one, which would break all of your hard work. Modify your /etc/yum.conf file and add "exclude=kernel*" to it without the double quotes. This will help keep your system somewhat up-to-date without breaking SCST and your custom kernel.

11. Troubleshooting:

   a. Keep in mind, if you're going to use multiple SCST SANs in your backend, you need to make sure all of your exposed LUNs have different t10_dev_id values, or else your host will get confused and assume it's seeing different paths to the same item. Using setup_id is supposed to help prevent this but evidently doesn't work in version 2.2.x. You can skate around this issue by using different names for your defined DEVICEs (instead of disk01, try SAN1disk01).

   b. Pass-through devices work as expected except when that pass-through device is a simple SATA drive. Your ESXi 5+ server still won't put a VMFS partition on there because it isn't reliable storage. Best to stick with RAID volumes in pass-through mode instead.

c.       I forget C….
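As an added example (not from the original post), this script generates the vdisk_blockio config shown in step 9c for one SAN from a list of block devices, prefixing every DEVICE name with the SAN name so that LUNs exported by several SCST boxes never collide (the troubleshooting point in 11a). The SAN prefix, target IQN and device paths are arguments I made up for the example; the output format is the one the examples above use.

```shell
#!/bin/sh
# Added example: build a per-SAN scst.conf with unique DEVICE names and check
# that two SANs' configs do not share a name.

# gen_scst_conf <san-prefix> <target-iqn> <block-device>...
# Prints the config to stdout; LUN numbers are assigned in argument order.
gen_scst_conf() {
  san=$1; iqn=$2; shift 2
  [ $# -gt 0 ] || { echo "no devices given" >&2; return 1; }

  echo "HANDLER vdisk_blockio {"
  i=1
  for dev in "$@"; do
    echo "    DEVICE $(printf '%sdisk%02d' "$san" "$i") {"
    echo "        filename $dev"
    echo "    }"
    i=$((i + 1))
  done
  echo "}"
  echo
  echo "TARGET_DRIVER iscsi {"
  echo "    enabled 1"
  echo "    TARGET $iqn {"
  echo "        enabled 1"
  i=1
  for dev in "$@"; do
    echo "        LUN $((i - 1)) $(printf '%sdisk%02d' "$san" "$i")"
    i=$((i + 1))
  done
  echo "    }"
  echo "}"
}

# List the DEVICE names declared in a generated config, one per line.
device_names() {
  printf '%s\n' "$1" | sed -n 's/^ *DEVICE \([^ ]*\) {.*/\1/p'
}

# Return 0 when two configs share no DEVICE name, 1 when they do.
# This is the check you want before exporting both SANs to the same host.
no_name_overlap() {
  a=$(device_names "$1"); b=$(device_names "$2")
  for n in $a; do
    for m in $b; do
      [ "$n" = "$m" ] && return 1
    done
  done
  return 0
}

# Usage: ./gen.sh SAN1 iqn.2012-09.com.example.san1:iscsi-tgt1 /dev/sdb1 /dev/sdc1
if [ $# -ge 3 ]; then
  gen_scst_conf "$@"
fi
```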

Here’s another really good write up on installing SCST into OEL 6.5 from scratch by Gilbert:

https://sites.google.com/site/nandydandyoracle/home/scst-oel-6-5


Here’s a couple of links that I used during this write up:

Kernel compile links:

http://wiki.centos.org/HowTos/I_need_the_Kernel_Source

http://wiki.centos.org/HowTos/Custom_Kernel

SCST info regarding speed, settings & setups:

http://scst.sourceforge.net/max_outstanding_r2t.txt

http://scst.sourceforge.net/iscsi-scst-howto.txt

http://scst.sourceforge.net/vl_res.txt

http://sourceforge.net/p/scst/svn/4920/tree/branches/2.2.x/ (SCST SVN)

CentOS FAQ regarding install groups:

http://wiki.centos.org/FAQ/CentOS6#head-ef37a027209dcdba0f8f00cf2696721b774f74bf

A bunch of different write-ups for various Linux installations:

http://www.howtoforge.com/how-to-create-a-fiber-channel-san-using-scst-with-qlogic-hba-on-linux-debian-6  Debian…

http://aliuhui.blogspot.com/2012/04/setup-iscsi-target-with-iscsi-scst-20.html  Ubuntu …

http://jaysoncena.wordpress.com/2013/03/17/26/  generic..

http://temporalsolutions.com/linux-ha/scst-setup/ Ubuntu..

http://wiki.alpinelinux.org/wiki/High_performance_SCST_iSCSI_Target_on_Linux_software_Raid  Alpine Linux

http://monklinux.blogspot.com/2012/02/scst-configuration-how-to-using-gentoo.html Gentoo

http://www.bauer-power.net/2012/03/how-to-install-scst-on-ubuntu.html Ubuntu..

http://www.kcsts.co.uk/blog/scst-iscsi Ubuntu again…

http://www.lessfs.com/wordpress/?p=850

http://www.lessfs.com/wordpress/?page_id=577

http://marcitland.blogspot.com/2011/03/accelerating-vdi-using-scst-and-ssds.html Gentoo

Here’s a number of links regarding iSCSI settings you can tweak and what they mean. These are primarily geared towards using your SCST installation with ESXi and MPIO:

https://communities.vmware.com/docs/DOC-15437

http://deinoscloud.wordpress.com/2010/08/19/vsphere-4-1-iscsi-advanced-settings-and-their-meanings/

http://forum.open-e.com/archive/index.php/t-2537.html (Tuning iSCSI settings)

http://virtualgeek.typepad.com/virtual_geek/2009/09/a-multivendor-post-on-using-iscsi-with-vmware-vsphere.html Best link I’ve found yet of tweaking your ESX iSCSI settings.

http://www.gatt-it.co.uk/1/post/2012/11/how-to-set-the-round-robin-iops-setting.html

http://forum.open-e.com/showthread.php?1542-VMWare-vSphere-Recommended-settings

https://forums.openfiler.com/index.php?/topic/4681-howto-definitive-esxi-41-configuration-guide/


Linux and Active State Power Management

Last year I had an odd issue when installing CentOS 6.0 on a Supermicro motherboard with an Intel PCIe quad port GB nic using an 82576 chip. I got by the initial kernel panic by using pci=noaer as a kernel option but later encountered really weird kernel panics regarding the Intel nic again which required an additional pcie_aspm=off in my grub file. Pretty odd stuff really since this was a server and I wasn’t worried about managing my power consumption since we’re a small company and I simply want the server to stay on. There’s a number of good articles about ASPM & Linux over on the Phoronix.com website which I found very interesting.

Initial bug report from RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=704758

A number of Kernel parameters one can use at boot time to help troubleshoot things: http://www.kernel.org/doc/Documentation/kernel-parameters.txt

Initial Phoronix News article that got me wondering if Linux’s implementation of ASPM might be my problem: http://www.phoronix.com/scan.php?page=news_item&px=MTAwMjg

I can see how ASPM would be really important to laptop users sure, but when I’m installing a server I don’t need stuff shutting down on me when not in use. (Of course this is different for datacenters!)


Properly Partitioning a HW RAID Volume over 2TB in size

Like most geeks I’ve got lots of files and a need for spacious network shares. However, as soon as you go over a 2TB partition, you’ll encounter problems w/ how to correctly partition a drive or RAID volume using the newer 4096 sector spec called simply Advanced Format. I initially stumbled upon a series of articles written by Roderick W. Smith over on IBM’s DeveloperWorks when searching how to properly check partition alignment under Linux for SSDs but quickly had an “Uh Oh” moment when I realized SSDs weren’t my only problem and I had in fact been flying blind on larger than 2TB partitions under Linux. Thankfully I didn’t have systems in production where this was a problem but I was literally building a system at work where this could bite me in the rear!

To bottom line it for you, if you're using software RAID or a true HW RAID setup, you need to stripe your file system across the partition according to the number of disks involved, the type of RAID and the stripe size in KB. My example below is strictly regarding Areca ARC RAID cards and might not be applicable to your setup.

I'm using an ARC-1680ix-24 with 4GB of RAM on board. I've got 24 x 500GB HDs with one volume using all HDs in a RAID 6 raidset. So, for me the math is as follows when using the EXT4 filesystem:

chunk size = 128KB (For Areca ARC-1680s it's your Stripe size.)
block size = 4KB (My desired partition is over 2TB. 6.5TB to be exact.)
stride = chunk / block 
       = 128KB / 4KB 
       = 32
Stripe-width = stride * (( # disks in RAID) - # of RAID parity disks)
             = 32 * ((using all 24 disks) - RAID 6 uses 2 parity disks)
             = 32 * (24 - 2)
             = 32 * 22
             = 704

So in other words, once I've created the basic partition on my device and I'm ready to format it as EXT4, I'll end up using:

mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1

I’m not going to go into every detail of the line so please read RAID Setup over on Kernel.org for the skinny.

So from soup to nuts:

1. Use parted to create the partition table on the new volume and create a massive single partition at the right offset:

   parted /dev/sdd

   Once in the parted tool:

   mklabel gpt
   unit s
   mkpart primary 2048s 100%
   name 1 BFS
   quit

2. Next, create an EXT4 filesystem inside the partition you just created:

   mkfs.ext4 -v -m .1 -b 4096 -E stride=32,stripe-width=704 /dev/sdd1

3. Now you'll want to add it to your fstab file, so grab the UUID from blkid:

   blkid -o list

4. Edit your /etc/fstab file so it will automount at boot time:

   UUID=8e0a7d10-blah-blah-tomatoes-are-yummy-b4a0f6a13c15 /bfs ext4 defaults  1 2

5. Finally, create the mount point and mount it:

   sudo mkdir /bfs
   mount /bfs
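As an added example (not from the original post), the stride and stripe-width arithmetic above, generalized to RAID 0/1/5/6/10, together with a check that a partition's start sector is aligned to the RAID chunk. It assumes chunk and block sizes given in KB, 512-byte sectors, and that the controller's "stripe size" is the per-disk chunk, as it is on the Areca card above.

```shell
#!/bin/sh
# Added example: ext4 stride/stripe-width calculator and chunk-alignment check
# for a hardware RAID volume.

# Number of data-bearing disks for a RAID level (parity/mirror disks removed).
# Usage: data_disks LEVEL DISKS
data_disks() {
  case "$1" in
    0)  echo "$2" ;;
    1)  echo 1 ;;
    5)  echo $(($2 - 1)) ;;
    6)  echo $(($2 - 2)) ;;
    10) echo $(($2 / 2)) ;;
    *)  echo "unsupported RAID level: $1" >&2; return 1 ;;
  esac
}

# stride = chunk / block, both in KB.   Usage: stride CHUNK_KB BLOCK_KB
stride() { echo $(($1 / $2)); }

# stripe-width = stride * data disks.   Usage: stripe_width CHUNK_KB BLOCK_KB LEVEL DISKS
stripe_width() {
  n=$(data_disks "$3" "$4") || return 1
  echo $(( $(stride "$1" "$2") * $n ))
}

# Build (but do not run) the mkfs.ext4 command line for the volume.
# Usage: mkfs_cmd DEVICE CHUNK_KB BLOCK_KB LEVEL DISKS
mkfs_cmd() {
  w=$(stripe_width "$2" "$3" "$4" "$5") || return 1
  echo "mkfs.ext4 -v -m .1 -b $(($3 * 1024)) -E stride=$(stride "$2" "$3"),stripe-width=$w $1"
}

# A partition is chunk-aligned when start_sector * 512 is a multiple of the
# chunk. parted's 2048s (1 MiB) is aligned to any chunk that divides 1 MiB;
# the old MS-DOS default of 63s never is.   Usage: check_alignment START_SECTOR CHUNK_KB
check_alignment() {
  chunk_sectors=$(($2 * 2))   # 1 KB = two 512-byte sectors
  if [ $(($1 % $chunk_sectors)) -eq 0 ]; then
    echo "aligned"
  else
    echo "misaligned: start $1 is not a multiple of $chunk_sectors sectors"
  fi
}

# The post's own volume: Areca 128 KB stripe, 4 KB blocks, 24 disks in RAID 6.
if [ $# -eq 0 ]; then
  mkfs_cmd /dev/sdd1 128 4 6 24
  check_alignment 2048 128
  check_alignment 63 128
fi
```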

Here’s a couple of links I found note worthy while going down this rabbit hole:
https://raid.wiki.kernel.org/index.php/RAID_setup#Calculation (shows the actual formula shown above & values)
http://insights.oetiker.ch/linux/raidoptimization.html (a great read)
http://ubuntuforums.org/showthread.php?t=1715375  (Rod weighs in with helpful advice in the Ubuntu forums)
http://www.gnu.org/software/parted/manual/parted.html  (parted’s man page over on GNU.ORG)
http://en.wikipedia.org/wiki/Ext4
http://lwn.net/Articles/377897/  (talks about 4KB sector size disks and let the panic ensue!)
http://whattheit.wordpress.com/2011/08/23/linux-aligning-partitions-to-a-hardware-raid-stripe/  (lots of theory but looks incomplete)
Last 4 links are from Rod Smith:
http://www.rodsbooks.com/gdisk/advice.html  (using gdisk but applicable to parted)
http://www.rodsbooks.com/gdisk/index.html  (main gdisk site!)
http://www.ibm.com/developerworks/linux/library/l-4kb-sector-disks/  (talks about the severe performance effects if you gloss over this stuff!)
http://www.ibm.com/developerworks/linux/library/l-gpt/  (good overview of GPT & understanding why they’re moving away from MBR)

(Personal Note: By finally posting this up on my blog I can close 10 tabs I’ve had open since middle of 2011!)

Sendmail’s tweakable settings in the sendmail.mc file

Recently had a question at work about the maximum number of recipients Sendmail would allow through our in-house server. I wasn't sure but knew I hadn't personally configured a hard limit. Did some quick searching and stumbled upon confMAX_RCPT_PER_MESSAGE as the answer. I haven't set it to anything in our config but didn't know what the default limit was in Sendmail, so I did some digging. Stumbled upon the following links of value (to me at least!)

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html

Answer: infinite number. Sendmail doesn’t have a limit (now it does!)

Also stumbled upon Centos.org’s version 5 Deployment Guide on running the m4 macro command to build a new Sendmail.cf file.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s3-email-mta-sendmail-changes.html


PHP error w/ move_uploaded_file…

  So way back in the beginning I developed a simple web file manager for our company that allowed us to upload files to a Linux server and share them w/ noncorporate users. Things worked great but I’ve been left maintaining the server even though I’m now playing Network Engineer.

Well, as time has progressed, the requirement to upload ever bigger files has ballooned, and it was originally built for files around 500MB. So I did a quick php -i | grep php.ini to find where my php.ini file was and started editing the config. I quickly found upload_max_filesize and increased it to over 1GB for file uploads. Next I found post_max_size and increased that to the same size. Quick restart of the apache server and I was off testing. Started to do some large file uploads and I started getting some errors. I placed some debug code in my php subroutine and lo and behold, I was getting an error = 2. This particular error meant I hadn't increased the HTML form attribute MAX_FILE_SIZE to 1GB either. Once I had all three attributes set to a higher setting I was GTG.

Couple quick links:

Talks about the HTML form input field MAX_FILE_SIZE:
http://www.tizag.com/htmlT/htmlupload.php

PHP move_uploaded_file function call over on php.net/manual. Has LOTS of good demo code below:
http://php.net/manual/en/function.move-uploaded-file.php

Actual PHP file upload errors one can get when using move_uploaded_file:
http://php.net/manual/en/features.file-upload.errors.php

Custom Vanilla kernel part 2…

So I’ve expanded my SCST compiles onto other Linux OSes namely Fedora 14 & Red Hat 6.0 and I’ve come across another issue when attempting to get the modified kernel to compile, namely it doesn’t pass the precompile check and never fully assembles into a binary! This one took me a while to figure out but thankfully Google provides for those that seek…

The errors I was seeing were similar to below:


linux/X64/usr/include/drm/drm_mode.h:85: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/drm/i915_drm.h:120: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/drm/mga_drm.h:260: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/drm/radeon_drm.h:758: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/drm/via_drm.h:117: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/scsi/scsi_netlink.h:108: found __[us]{8,16,32,64} type without #include
linux/X64/usr/include/linux/resource.h:49: found __[us]{8,16,32,64} type without #include

Essentially a precompiler option #include was messing things up. Thankfully someone over on kernel.org found it and knew what to do about it. You’ve got to do your make menuconfig, make your new .config file then edit it w/ vi. Search for a line stating CONFIG_HEADERS_CHECK=y and make it =n instead.

After that it was smooth sailing and the kernel compiled just fine on Red Hat 6.0 and Fedora 14. I eventually had another problem with Fedora 14 down the road, but installing redhat-lsb via yum solved it (it came down to the init-script functions that the Linux Standard Base package provides).
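If you would rather not hand-edit the .config, here is an added shell helper (mine, not from the post or from the kernel tree) that flips a Kconfig symbol off the way Kconfig itself writes it and reads the result back; the two-line .config in the demo is a constructed fragment, not a real kernel configuration.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel tree): switch a
# Kconfig symbol off in an existing .config. Kconfig writes a disabled bool as
# "# CONFIG_FOO is not set"; CONFIG_FOO=n is also accepted and rewritten into
# that form by "make oldconfig", so the comment form is what we emit.

# disable_kconfig_symbol CONFIG_FILE SYMBOL  (SYMBOL without the CONFIG_ prefix)
disable_kconfig_symbol() {
    _cfg=$1
    _sym=CONFIG_$2
    [ -f "$_cfg" ] || { echo "no such config: $_cfg" >&2; return 2; }
    # Rewrite an existing =y / =m / =n line in place...
    sed "s|^$_sym=.*|# $_sym is not set|" "$_cfg" > "$_cfg.tmp" \
        && mv "$_cfg.tmp" "$_cfg" || return 1
    # ...and add the line if the symbol was not in the file at all.
    grep -q "^# $_sym is not set\$" "$_cfg" || echo "# $_sym is not set" >> "$_cfg"
}

# kconfig_value CONFIG_FILE SYMBOL -> y, m, n or the string value; n when the
# symbol is commented out or absent, which is how Kconfig treats it.
kconfig_value() {
    _line=$(grep "^CONFIG_$2=" "$1" 2>/dev/null | tail -n 1)
    case "$_line" in
        "") echo n ;;
        *)  echo "${_line#*=}" ;;
    esac
}

# Demo on a constructed two-line .config fragment, not a real kernel config:
_demo=$(mktemp) || exit 1
printf 'CONFIG_HEADERS_CHECK=y\nCONFIG_SCSI=m\n' > "$_demo"
echo "before: HEADERS_CHECK=$(kconfig_value "$_demo" HEADERS_CHECK)"
disable_kconfig_symbol "$_demo" HEADERS_CHECK
echo "after:  HEADERS_CHECK=$(kconfig_value "$_demo" HEADERS_CHECK)"
cat "$_demo"
rm -f "$_demo"
```

On the real tree, run disable_kconfig_symbol against the .config that make menuconfig wrote, then run make oldconfig so the rest of the configuration is reconciled with the change. The kernel tree also ships scripts/config, so scripts/config --disable HEADERS_CHECK followed by make oldconfig does the same job without any hand editing.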

Here’s the link I found regarding the compile issue:

https://patchwork.kernel.org/patch/274141/

Linux bonding: How to maximize your throughput by combining nics.

I'm currently working on building my own iSCSI SAN with SCST and a modified Linux kernel. Things are going pretty well, but I also needed to bond the five Gb NICs so my VM hosts can make the most of their connections. In Linux you bond interfaces by creating a new virtual network interface (bond0) and telling the physical NICs to register as slaves of it. There are seven bonding modes (0 through 6); a popular choice, and the one I use, is mode 6, balance-alb (adaptive load balancing), which balances both transmit and receive traffic across the slaves without needing any special configuration on the switch.

If you’re using CentOS or RHEL like I am you cd to /etc/sysconfig/network-scripts/ and vi ifcfg-bond0.

Once you’ve got vi open, you dump the following in (this is an example only. Please change your IPADDR, NETMASK and NETWORK parameters as needed.)

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.0.0.0
NETMASK=255.255.0.0
IPADDR=10.0.0.100
USERCTL=no

From there, you then modify your individual eth# interface config files so they point to the bonded device. As an example, here’s my /etc/sysconfig/network-scripts/ifcfg-eth0 interface file.

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no

And oh ya, don't forget to tell modprobe to load the bonding module and pass it the options it needs at run time. On CentOS/RHEL 5 that goes in /etc/modprobe.conf; on RHEL 6 that file is deprecated, so put the same two lines in a drop-in such as /etc/modprobe.d/bonding.conf (RHEL 6 also lets you carry the options in ifcfg-bond0 as BONDING_OPTS="mode=6 miimon=100" instead of the options line).

alias bond0 bonding 
options bond0 mode=6 miimon=100
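To avoid hand-editing one ifcfg file per NIC, here is an added shell helper (my own, not code from the original post or from Red Hat) that writes ifcfg-bond0, one slave ifcfg per NIC and the modprobe options file into whatever directories you point it at, so it can be dry-run in a scratch directory before touching /etc. The addresses are the example ones from the config above.

```shell
#!/bin/sh
# Added example (not from the original post): generate RHEL/CentOS bonding
# config for a list of NICs.
# write_bond_config BOND IPADDR NETMASK NETWORK MODE NETDIR MODDIR NIC...
#   BOND    bond interface name (bond0)
#   MODE    bonding mode number (6 = balance-alb)
#   NETDIR  where ifcfg-* files go (/etc/sysconfig/network-scripts on RHEL)
#   MODDIR  where the modprobe options file goes (/etc/modprobe.d on RHEL 6;
#           RHEL 5 read /etc/modprobe.conf instead)
write_bond_config() {
    _bond=$1 _ip=$2 _mask=$3 _net=$4 _mode=$5 _netdir=$6 _moddir=$7
    shift 7
    [ $# -ge 2 ] || { echo "need at least two NICs to bond" >&2; return 2; }
    mkdir -p "$_netdir" "$_moddir" || return 1

    # The virtual bond device owns the address; the slaves get none.
    cat > "$_netdir/ifcfg-$_bond" <<EOF
DEVICE=$_bond
BOOTPROTO=none
ONBOOT=yes
NETWORK=$_net
NETMASK=$_mask
IPADDR=$_ip
USERCTL=no
EOF

    for _nic in "$@"; do
        cat > "$_netdir/ifcfg-$_nic" <<EOF
DEVICE=$_nic
BOOTPROTO=none
ONBOOT=yes
MASTER=$_bond
SLAVE=yes
USERCTL=no
EOF
    done

    # miimon=100: poll link state every 100 ms so a dead NIC drops out of the bond.
    cat > "$_moddir/$_bond.conf" <<EOF
alias $_bond bonding
options $_bond mode=$_mode miimon=100
EOF
}

# bond_slaves NETDIR BOND -> prints the DEVICE of every ifcfg file enslaved to BOND
bond_slaves() {
    grep -l "^MASTER=$2\$" "$1"/ifcfg-* 2>/dev/null |
        while read -r _f; do sed -n 's/^DEVICE=//p' "$_f"; done
}

# Demo into a scratch directory (dry run; nothing under /etc is touched):
_scratch=$(mktemp -d) || exit 1
write_bond_config bond0 10.0.0.100 255.255.0.0 10.0.0.0 6 \
    "$_scratch/net" "$_scratch/mod" eth0 eth1 eth2 eth3 eth4
echo "slaves of bond0: $(bond_slaves "$_scratch/net" bond0 | tr '\n' ' ')"
cat "$_scratch/mod/bond0.conf"
rm -rf "$_scratch"
```

For a real host, call it with /etc/sysconfig/network-scripts and /etc/modprobe.d, restart networking, and then confirm the kernel agrees with the files: cat /proc/net/bonding/bond0 should report "Bonding Mode: adaptive load balancing" and list every slave with its link status.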

Couple of useful links. There’s tons of good info on bonding w/ Linux. Keep in mind, some distros don’t want you to modify the individual interface config files so use their administrator control panel first if possible.

http://www.how2centos.com/how-to-set-up-network-bonding-with-centos-5x/
http://www.howtoforge.com/network_card_bonding_centos

Installing nVidia driver under CentOS & Red Hat 6.0

I'm a real big fan of nVidia's Linux drivers for their GPUs and have installed them numerous times on CentOS 5. I just recently installed them under Red Hat 6 (RHEL 6) and noticed a warning from the nVidia installer that Nouveau was already loaded and needed to be removed first. Further investigation reveals that Fedora and RHEL 6 include Nouveau in the initial ramdisk, so not only do you need to create your own modprobe.d blacklist file, you also need to add an option to the kernel line in grub.conf to tell the ramdisk not to load Nouveau at boot.

First, create a modprobe blacklist file to prevent the kernel from loading the Nouveau module. You could easily add blacklist nouveau to any old modprobe.conf file, but you never know when your distribution will overwrite your modified file with the next update. You're better off creating your own blacklist file and dropping it inside the /etc/modprobe.d/ folder. I went ahead and followed some directions I stumbled upon on the interwebs and created a file called /etc/modprobe.d/disable-nouveau.conf.

I then added the following to that file…

blacklist nouveau
options nouveau modeset=0

Once that was done, I then needed to modify my /etc/grub.conf file so the initial ramdisk would stop loading Nouveau too. rdblacklist is a dracut option, which is why it has to go on the kernel command line rather than in modprobe.d (the initramfs never reads /etc/modprobe.d on the root filesystem). To do this I added rdblacklist=nouveau to my kernel vmlinuz line, like so...

...
kernel /vmlinuz-2.6.32-71.14.1.el6.x86_64 ro root=UUID=209502fb-f4f0-4755-a275-de807916fb76 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=128M rhgb rdblacklist=nouveau
...

Oh ya, I always remove the “quiet” at the end of the line too. Something about watching all of the modules load…
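Here is an added shell helper (mine, not from the post or from nVidia's README) that does both steps above: it writes the modprobe blacklist file and appends rdblacklist=nouveau to every kernel line in a grub.conf, dropping quiet at the same time, and it is safe to run twice because it never adds an option a line already carries. The grub.conf in the demo is a constructed fragment with placeholder kernel and root values.

```shell
#!/bin/sh
# Added example (not from the original post or nVidia's README): keep Nouveau
# out of both the running kernel and the initramfs.
#  1. a modprobe.d blacklist stops the kernel loading it once the root fs is up;
#  2. rdblacklist=nouveau on the kernel command line is read by dracut inside
#     the initramfs, which never sees /etc/modprobe.d on the root filesystem.

# write_nouveau_blacklist MODPROBE_DIR  (normally /etc/modprobe.d)
write_nouveau_blacklist() {
    mkdir -p "$1" || return 1
    printf 'blacklist nouveau\noptions nouveau modeset=0\n' > "$1/disable-nouveau.conf"
}

# grub_add_kernel_opt GRUB_CONF OPTION [OPTION_TO_DROP]
# Appends OPTION to every "kernel ..." line that does not already carry it and,
# if given, strips OPTION_TO_DROP (e.g. quiet). Safe to run more than once.
grub_add_kernel_opt() {
    _conf=$1 _opt=$2 _drop=${3:-}
    [ -f "$_conf" ] || { echo "no such file: $_conf" >&2; return 2; }
    awk -v opt="$_opt" -v drop="$_drop" '
        /^[ \t]*kernel[ \t]/ {
            match($0, /^[ \t]*/); lead = substr($0, 1, RLENGTH)   # keep indentation
            n = split($0, w, /[ \t]+/)
            have = 0; line = ""
            for (i = 1; i <= n; i++) {
                if (w[i] == "") continue                 # empty field from leading blanks
                if (w[i] == opt) have = 1
                if (drop != "" && w[i] == drop) continue
                line = (line == "" ? w[i] : line " " w[i])
            }
            if (!have) line = line " " opt
            print lead line; next
        }
        { print }
    ' "$_conf" > "$_conf.tmp" && mv "$_conf.tmp" "$_conf"
}

# grub_kernel_lines_missing GRUB_CONF OPTION -> how many kernel lines lack OPTION
grub_kernel_lines_missing() {
    awk -v opt="$2" '
        /^[ \t]*kernel[ \t]/ {
            ok = 0
            for (i = 2; i <= NF; i++) if ($i == opt) ok = 1
            if (!ok) miss++
        }
        END { print miss + 0 }
    ' "$1"
}

# Demo on a constructed grub.conf fragment (placeholder kernel name and root):
_g=$(mktemp) || exit 1
printf 'default=0\ntimeout=5\ntitle Test (2.6.32-test)\n\troot (hd0,0)\n\tkernel /vmlinuz-2.6.32-test ro root=LABEL=/ rhgb quiet\n\tinitrd /initramfs-2.6.32-test.img\n' > "$_g"
grub_add_kernel_opt "$_g" rdblacklist=nouveau quiet
echo "kernel lines still missing rdblacklist: $(grub_kernel_lines_missing "$_g" rdblacklist=nouveau)"
cat "$_g"
rm -f "$_g"
```

On a real box that is write_nouveau_blacklist /etc/modprobe.d followed by grub_add_kernel_opt /etc/grub.conf rdblacklist=nouveau quiet, then a reboot before running the nVidia installer. The helper rewrites grub.conf in place, so keep a copy first, and run grub_kernel_lines_missing afterwards to confirm no kernel stanza was skipped.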

Here’s a couple links as usual:

http://us.download.nvidia.com/XFree86/Linux-x86_64/260.19.36/README/commonproblems.html
http://www.if-not-true-then-false.com/2009/howto-install-nvidia-driver-on-fedora-and-just-disable-the-nouveau-driver/
