Thursday, December 6, 2012

A picture worth 1000 MB

So many things about this picture make me happy, thanks to for the repo to make steam client installation painless.

Tuesday, November 6, 2012

Monitoring apache-status on aegir servers with nagios / check_mk

Apache server-status can produce interesting performance information that can be useful for server and application tuning, getting access to this information and graphing it with nagios is not terribly hard but add in check_mk and the Aegir platform and things get a little bit more complicated.

In the following steps I will demonstrate how to install the check_mk agent, install the script and dependencies, add the proper stanza for server-status to aegir and finally add the check into mrpe (check_mk replacement for nrpe).

Assumptions: RedHat/CentOS/Scientific Linux, 64-bit, EPEL, Aegir, root access.

# Install check_mk agent:
*First install the check_mk agent rpm:
yum install --nogpg
*We don't want just anyone to poll the data from check_mk, so modify the /etc/xinetd.d/check_mk by adding the ip of your nagios server to the 'only_from' line:
only_from     = nagios_server_ip
*The check_mk agent operates through xinetd on port 6556, verify that xinetd will start at boot, and make sure it is currently running:
chkconfig xinetd on ; service xinetd start
*Hopefully you are running a firewall, to poke a hole in an iptables based firewall you can add a rule similar to:
-A INPUT -s nagios_server_ip -p tcp -m tcp --dport 6556 -j ACCEPT 
to /etc/sysconfig/iptables, then restart iptables with the service command:
service iptables restart
# Install the plugin
* Install the nagios-plugins-perl rpm from EPEL, this will provide the /usr/lib64/nagios/plugins/ file, as well as creating a directory structure:
yum install nagios-plugins-perl
* Download plugin from to /usr/lib64/nagios/plugins, modify it to find in /usr/lib64/nagios/plugins:
wget -O /tmp/check_apachestatus_auto.tgz
tar zxvf /tmp/check_apachestatus_auto.tgz -C /usr/lib64/nagios/plugins/
sed -i 's/\/usr\/local\/nagios\/libexec/\/usr\/lib64\/nagios\/plugins/g' /usr/lib64/nagios/plugins/
# Modify apache to display server-status
* Typically you could enable server-status by un-commenting the correct stanza in /etc/httpd/conf/httpd.conf, but with an aegir system any get request for http://localhost/server-status will be fulfilled by aegir. If you do some digging you will fine the /var/aegir/config/server_master/apache/pre.d directory which is included before any virtual hosts, this is where you need to put a config file for server-status.
cat << EOF >> /var/aegir/config/server_master/apache/pre.d/nagios.conf
<VirtualHost *:80>
ServerName localhost
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from
* Reload apache to read your new config file:
service httpd reload
* Verify it's working using curl, this should dump the raw html from the server-status page to your screen:
curl localhost/server-status
# Setup mrpe to execute the plugin
* This is one of the easier steps, simply create /etc/check_mk/mrpe.cfg, and add a line with the check alias and location:
mkdir /etc/check_mk
echo "Apache_Status /usr/lib64/nagios/plugins/ -H localhost" >> /etc/check_mk/mrpe.cfg
# Now that we have installed the check_mk agent, the script and the mrpe.cfg file you can re-inventory the node from your check_mk server, note the mrpe line in the following output:
cpu.loads         1 new checks
cpu.threads       1 new checks
df                7 new checks
diskstat          1 new checks
kernel            3 new checks
kernel.util       1 new checks
lnx_if            1 new checks
mem.used          1 new checks
mounts            7 new checks
mrpe              1 new checks
ntp.time          1 new checks
postfix_mailq     1 new checks
tcp_conn_stats    1 new checks
uptime            1 new checks
# Once you have reloaded nagios, check_mk will watch the server-status page and produce nice graphs like this:

Friday, April 13, 2012

Installing Dwarf Fortress and Dwarf Therapist on 64-bit fedora 16/17

Because losing is fun.

Dwarf Fortress:
 sudo yum install -y SDL{,_image}.i686 gtk2.i686 mesa-libGLU.i686 SDL_ttf.i686
Grab the latest linux pack for Phoebus with DF pre-installed from, untar and you should be good to go.

Dwarf Therapist:
sudo yum install -y mercurial qt-devel gcc-c++
Checkout a copy of the Dwarf Therapist code:
 cd ~/Downloads ; hg clone
Build with qmake/c++
 cd ~/Downloads/dwarftherapist/ ; qmake-qt4 && make && sudo make install
Therapist should now be in your path, and runnable from any directory with the 'dwarftherapist' command.
The only way I have been able to get this to run lately is from the directory it was built in, and not using the wrapper script (which is 'dwarftherapist' in all lower case):
 cd ~/Downloads/dwarftherapist ; DwarfTherapist

Monday, November 8, 2010


Home Directories
I have not been able to have home directories automagically created when logging in with LDAP, I have added many of the user home dir's to the default AIX build but you may run into some that don't exist, you can easily make you home directory using sudo.
If you are adding LDAP to a AIX box with local accounts already established it is best practice to remove the account for LDAP users. Before you run this command you must MAKE SURE THAT SECLDAPCLNTD IS NOT RUNNING, if it is still running you will remove all of the admin accounts from LDAP!:
stop-secldapclntd && for i in ; do rmuser -p $i ; done

Here are two one liners to create all the current Unix, App, and DB admins home folders:

for i in ; do
 mkdir /home/$i;
 chown -R $i. /home/$i;

for i in ; do
 mkdir /home/$i;
 chown -R $i.IRM /home/$i;

AIX 5.3 and 6.1

# Installing and configuring LDAP client service on AIX 5.3/6.1
All packages are available on the /media/software nfs share, instructions reference that location for installation.

# Install Java
If java is not currently installed you can install Java5 64 bit, this version is for AIX 5.3 AND 6.1:

 installp -acgXYd /media/software/AIX/java/ Java5_64.sdk

Once java is installed you may need to add it to your path, the following command will do this temporarily:

 export PATH=/usr/java5_64/bin:$PATH

# Install gskit

 installp -acgXd /media/software/AIX/GSKIT/ gsksa.rte gskta.rte

# Install ITDS packages
Remove any previous version of ldap that are installed, if the following command returns with filesets they need to be removed through smit:

  lslpp -aL *ldap* # will list installed ldap packages

6.2 packages

 installp -acgXd /media/software/AIX/ITDS/ idsldap.clt32bit62 \
 idsldap.clt64bit62 idsldap.cltbase62 idsldap.msg62.en_US idsldap.clt_max_crypto32bit62 \

Once those filesets are installed run 'lslpp -aL idsldap.*' to verify, output should be similar to this:

 lslpp -aL idsldap.*
  Fileset                      Level  State  Type  Description (Uninstaller)
  idsldap.clt32bit62.rte     6.2.0.n    C     F    Directory Server - 32 bit
  idsldap.clt64bit62.rte     6.2.0.n    C     F    Directory Server - 64 bit
                             6.2.0.n    C     F    Directory Server - 32 bit
                                                   Client (SSL)
                             6.2.0.n    C     F    Directory Server - 64 bit
                                                   Client (SSL)
  idsldap.cltbase62.adt      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.cltbase62.rte      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.msg62.en_US        6.2.0.n    C     F    Directory Server - Messages -
                                                   U.S. English (en)

# Configuration
Paste the following into a root cli: (this assumes that you use TSM for backups and that the client is configured)

 if [ $(grep -c LDAP /usr/lib/security/methods.cfg) -eq "0" ];
   echo "Backing up current methods.cfg, please wait"
   dsmc i /usr/lib/security/methods.cfg
   cat <>/usr/lib/security/methods.cfg

        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
   echo "Found LDAP stanza in /usr/lib/security/methods.cfg, assuming that it is correct."

CA Certs
Get certs from the repos

 cd /etc/security/ldap/ && wget .crt && wget .crt

Create and list key database for ssl, if you run into java errors check that your version of java is at least 1.4.2

 gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw -type cms
 gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw

Add CA cert from to key database

gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /etc/security/ldap/.crt -format ascii -label " CA cert" -pw -trust enable

# mksecldap command / ldap.cfg file
Run the mksecldap command to tie the system into LDAP, this may take a minute or more.
The mkseclsap command cannot be used to setup anonymous bind configurations, instead of using that command create the /etc/security/ldap/ldap.cfg using the following command:

cat </etc/security/ldap/ldap.cfg

# IDS links
IDS needs certain libraries and binaries linked from /opt/IBM/ldap//... to /usr/lib, etc.
First step is to remove any current links

 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 64 -s fullsrv
 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 32 -s fullsrv

Second step is to create new links to the 32 bit binaries

 /opt/IBM/ldap/V6.2/bin/idslink -i -l 32 -s base

# Start secldap at reboot
Remove existing inittab entries

rmitab ldapclntd

Create new inittab entry

 mkitab 'ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console  > 2&>1

# /etc/security/user
Add ldap compatability to /etc/security/user, without this ldap login will not work

 chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or compat"

# sudo
Add your sudo config, I haven't had success with the AIX Linux Toolbox sudo rpm, try the sudo-noldap package (also on AIX Linux Toolbox)

# Start secldap client
Run the following command to start the ldap client


# Syslog

AIX pulls its logging configuration from /etc/syslog.conf, the standard AIX build as of May 2009 writes most messages to /var/adm/SYSLOG and does not include rotation. I like the logging to be more Linux-like so I append this to the end of the /etc/syslog.conf file, consider commenting out the existing logging if you don't want to write to /var/adm/SYSLOG:

 # Linux-ify the AIX logging setup and enable automagic rotation
 # Everything but mail and auth to messages
 *.info;mail.none;auth.none      /var/log/messages       rotate size 10m files 10 compress
 # Auth to secure
 auth.debug                      /var/log/secure         rotate size 10m files 10 compress
 # Mail to maillog
 mail.debug                      /var/log/maillog        rotate size 10m files 10 compress
 # Emergency messages to all users
 *.emerg         *ss
 *.info;mail.none                @

This will send:
All messages except mail and authentication to /var/log/messages.
All authentication messages to /var/log/secure.
All mail messages to /var/log/maillog.
All emergency messages to all users.
All messages except mail to

If you don't like seeing the "Message forwarded from hostname:" message all over splunk you need to run the following command line as root:
 chssys -s syslogd -a "-n"
All the files need to exist prior to syslog writing to them, it will not create them on its own:
 sudo touch /var/log/messages /var/log/secure /var/log/maillog
You must then restart syslog
 stopsrc -s syslogd && startsrc -s syslogd

Wednesday, May 26, 2010

Enabling console access on fully virt guests (virsh/virt-manager)

Using virsh or virt-manager you can gain access to the console by editing grub.conf, this allows you to watch the machine boot from a terminal.

Add the following to the kernel line in /etc/grub.conf and reboot:
console=tty0 console=ttyS0

Friday, May 21, 2010

Converting kvm guests from lvm to qcow2, base images and snapshots

lvm based kvm guests are fast but you lose some flexibility, playing with fedora/kvm on my laptop I prefer to use file based images. Converting from lvm images to qcow2 isn't hard but the documentation is sparse.

1. use qemu-img to convert from an lvm to qcow2 format:
qemu-img convert -O qcow2 /dev/vg_name/lv_name/ /var/lib/libvirt/images/image_name.qcow2
If you want the image compressed add '-c' right after the word convert.

2. edit the xml for the image
virsh edit image_name
modify the disk stanza, adding a type to the driver line; on the source line change 'dev' to 'file' and modify the path:
driver name='qemu' type='qcow2'
source file='/var/lib/libvirt/images/image_name.qcow2'

Creating images from with a base image allows quick rollouts of many boxes based on an single install - for example I have a 'golden image' of centos, I can stop that VM and create 2 servers using the original VM disk as a base file and writing changes to different files.
qemu-img create -b original_image.qcow2 -f qcow2 clone_image01.qcow2
qemu-img create -b original_image.qcow2 -f qcow2 clone_image02.qcow2

Taking this further I can then snapshot both images so once I start making changes, rolling back to a point in time prior to the changes is very easy:
qemu-img snapshot -c snapshot_name vm_image_name.qcow2


Thursday, November 12, 2009

DHCP hostnames

On my home LAN Windows and Ubuntu boxes push their hostnames into local DNS which makes them easily resolvable - my router lists the names associated with MACs in its web interface, this is one of those small things that is really convenient. For some reason my fedora boxes have not been doing this lately and I finally got annoyed enough to look it up, turns out the fix is very simple.

First off figure out which interface you are using, if you are using more then 1 then I will assume you know which one you want the hostname pushed from, easily enough you can run 'ipconfig' or 'ip addr show' and note the interface name. In most cases this will be eth0 for copper and something like wlan0 for a wireless connection. Once you have the interface name substitute it into the following command:
echo "DHCP_HOSTNAME=$HOSTNAME" >> /etc/sysconfig/network-scripts/ifcfg-

Then restart networking:
sudo service network restart

In the above example I am using '$HOSTNAME' which is the system hostname variable but you could set this to a static name if you desired.