tag:blogger.com,1999:blog-14798240335062508752024-03-18T19:57:19.022-07:00What I Know About Linux That You May Not KnowSadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.comBlogger36125tag:blogger.com,1999:blog-1479824033506250875.post-68873414566935423412014-05-20T04:30:00.001-07:002014-05-20T04:31:42.812-07:00How to fix the garbled font on virt-manager on rhel7 (currently beta)?<div dir="ltr" style="text-align: left;" trbidi="on">
I was trying to do some tests with nested virtualization. For convenience, I decided to use virt-manager inside a VM to manage the VMs that I was going to run on top of that VM (that is what nested virtualization means). I did "yum install virt-manager" and launched virt-manager, and could see that the font was completely garbled.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6KJOfSmoUGGShdULnFsvvzeAnyoCd8hnqJvw3RNaMDx8h4io-Zz71VWd3P3SEUtZSLK_TXlyqYMYQkn-mPPiZ037aL0UXGjquhVlH33bzwMIFRJOlFi8hJkCXVtsurQrxuwIIsoOtQIY/s1600/Screenshot+from+2014-05-20+16:40:36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6KJOfSmoUGGShdULnFsvvzeAnyoCd8hnqJvw3RNaMDx8h4io-Zz71VWd3P3SEUtZSLK_TXlyqYMYQkn-mPPiZ037aL0UXGjquhVlH33bzwMIFRJOlFi8hJkCXVtsurQrxuwIIsoOtQIY/s1600/Screenshot+from+2014-05-20+16:40:36.png" height="320" width="302" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNK_6fK-1OS5FQfz-qy93NCZ2NM8CGvVAk9-k5FxO39afC5n1LMBxTJMI_URFLQm1jVDCYcoNhMfuHsWSiC1HeMiucxymjT5uFf_2UOGdMdu-FNCIOCt7sUQrSYGT3SbVFbKlIg8FwpNk/s1600/Screenshot+from+2014-05-20+16:40:33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNK_6fK-1OS5FQfz-qy93NCZ2NM8CGvVAk9-k5FxO39afC5n1LMBxTJMI_URFLQm1jVDCYcoNhMfuHsWSiC1HeMiucxymjT5uFf_2UOGdMdu-FNCIOCt7sUQrSYGT3SbVFbKlIg8FwpNk/s1600/Screenshot+from+2014-05-20+16:40:33.png" height="201" width="320" /></a></div>
<br />
After a bit of research (or search), I found the simple resolution: just install the dejavu-sans-fonts package.<br />
<br />
<b><i># yum install dejavu-sans-fonts</i></b></div>
Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-82895394262117011682014-05-20T00:47:00.000-07:002014-05-20T00:47:25.857-07:00How do I enable nested virtualization on KVM?<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div>
<div>
Nested virtualization allows you to run virtual machines inside a virtual machine. Though it is not suitable for production use because of the performance overhead involved, it is useful for testing. For example, students can be given virtual machines to test virtualization without allocating a physical system per head.<br />
<br />
I am only covering Intel CPUs in this blog post. The steps are very simple.<br />
<br />
<ul style="text-align: left;">
<li>Verify that nested virtualization is not enabled already.</li>
</ul>
<b><i>cat /sys/module/kvm_intel/parameters/nested</i></b><br />
<b><i>N</i></b><br />
<ul style="text-align: left;">
<li>Add the line below to /etc/modprobe.d/kvm-intel.conf</li>
</ul>
</div>
<b><i>options kvm-intel nested=1</i></b><br />
<ul style="text-align: left;">
<li>Reboot the host, or reload the module (the unload fails while any guest is running, so shut the guests down first):</li>
</ul>
</div>
<b><i>modprobe -r kvm-intel</i></b><br />
<b><i>modprobe kvm-intel</i></b><br />
<ul style="text-align: left;">
<li>Verify that nested virtualization is enabled.</li>
</ul>
</div>
<b><i>cat /sys/module/kvm_intel/parameters/nested</i></b><br />
<b><i>Y</i></b></div>
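The procedure above as a script, added here as an example that is not part of the original post. It picks the vendor module from the CPU flags, so it also covers AMD hosts (kvm_amd, whose <i>nested</i> parameter prints 1/0 rather than Y/N), which the post does not; the function names and the modprobe.d file name are my own choices.

```shell
#!/bin/bash
# Added example, not part of the original post: the procedure above as a
# script. It picks the vendor module from the CPU flags, so it also covers
# AMD (kvm_amd, whose `nested` parameter prints 1/0 rather than Y/N), which
# the post does not. Function names and the modprobe.d file name are mine.

# Normalise the raw sysfs value: kvm_intel exposes a bool ("Y"/"N"),
# kvm_amd an int ("1"/"0").
nested_state() {
    case "$1" in
        Y|y|1) echo enabled ;;
        N|n|0) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# vmx => Intel, svm => AMD. Neither flag means hardware virtualisation is
# absent or masked (for example by the firmware or by an outer hypervisor).
kvm_module_for_flags() {
    case " $1 " in
        *" vmx "*) echo kvm_intel ;;
        *" svm "*) echo kvm_amd ;;
        *)         return 1 ;;
    esac
}

# modprobe accepts kvm-intel and kvm_intel interchangeably; the file uses
# the underscore form to match the sysfs path.
modprobe_line() {
    printf 'options %s nested=1\n' "$1"
}

cpu_flags() {
    grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2
}

show_status() {
    local mod param
    mod=$(kvm_module_for_flags "$(cpu_flags)") || { echo "no vmx/svm flag on this CPU" >&2; return 1; }
    param=/sys/module/$mod/parameters/nested
    [ -r "$param" ] || { echo "$mod is not loaded" >&2; return 1; }
    echo "$mod nested: $(nested_state "$(cat "$param")")"
}

apply_nested() {
    local mod
    mod=$(kvm_module_for_flags "$(cpu_flags)") || return 1
    modprobe_line "$mod" > "/etc/modprobe.d/$mod.conf"
    # Unloading fails with "Module ... is in use" while any guest runs:
    # stop the guests first, or reboot instead of reloading.
    modprobe -r "$mod" && modprobe "$mod"
    show_status
}

case "${1:-}" in
    --status) show_status ;;
    --apply)  apply_nested ;;
esac
```

Run it with <i>--status</i> to check and with <i>--apply</i> (as root) to persist and reload. Enabling the host parameter is only half of the job: the L1 guest must also be given a CPU model that exposes vmx (or svm), for example <i>&lt;cpu mode='host-passthrough'/&gt;</i> in its libvirt XML, or it will not see the virtualization extensions. Keep in mind that nested mode hands the L1 guest a much larger slice of the host's VMX/SVM emulation as attack surface, which is one more reason to treat it as a test-only setting, as the post says.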
Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com2tag:blogger.com,1999:blog-1479824033506250875.post-30122453617592943682012-08-09T11:10:00.001-07:002012-08-09T11:12:46.333-07:00Still Difference Between Du and DF output?<div dir="ltr" style="text-align: left;" trbidi="on">
Coming back to my blogs after a long time.<br />
<br />
This is a continuation of my earlier post <a href="http://sadiquepp.blogspot.in/2010/04/difference-in-output-du-and-df.html" target="_blank">Difference in the output du and df?</a><br />
<br />
I still have a filesystem with a big difference between du and df output.<br />
<br />
<i>df -h /opt<br />Filesystem Size Used Avail Use% Mounted on<br />/dev/mapper/vg-lv<br /> 5.0G 4.2G 546M 89% /opt</i><br />
<br />
Obviously I tried all the tricks for deleted-but-still-open files via lsof<br />
<br />
<i># lsof | grep dele</i><br />
<br />
Just gave me no output.<br />
<br />
<i># du -sch /opt<br />24K /opt<br />24K total</i><br />
<i><br /></i>
<i># ls -a /opt/<br />. .. lost+found spp.txt</i><br />
<br />
Obviously there is nothing inside the directory, but 4.2G is still in use.<br />
<br />
Since I had exhausted all the options, I had to spend some time finding the culprit.<br />
<br />
A couple of months back, I had a 4GB ISO file inside /opt and had loop mounted it.<br />
<i><br /></i>
<i># losetup /dev/loop1 /opt/4gb.iso</i><br />
<i># mount /dev/loop1 /mnt</i><br />
<br />
Then obviously unmounted it after use.<br />
<i><br /></i>
<i># umount /mnt</i><br />
<i><br /></i>
But I didn't free the loop device /dev/loop1 after unmounting the ISO. The loop driver keeps the backing file open inside the kernel, so when the ISO was later deleted its blocks stayed allocated: du no longer sees a directory entry, while df still counts the space. lsof failed to show it to me. Bug in lsof? No: the reference is held by the kernel, not by any process's file descriptor, so there is nothing for lsof to list; <i>losetup -a</i> is what shows it (with a "(deleted)" marker on newer util-linux).<br />
<i><br /></i>
I leave the task of fixing this, by freeing the loop device, to you.<br />
<br />
I could have fixed this by rebooting the system, like 99% of system administrators do without running after the root cause, and the cause would have remained unknown to me forever. Please don't do it :-)<br />
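Two checks for the cases in this post and in the earlier one it continues, added here as an example that is not part of either post: a parser for <i>losetup -a</i> output that lists loop devices whose backing file has been unlinked (the loop driver holds that reference inside the kernel, so lsof has no descriptor to show), and a scan of the mount table for mounts stacked directly on a filesystem, followed by a bind mount that sizes whatever they hide. It assumes util-linux losetup and mount and GNU du; the function names and the <i>--loops</i>/<i>--hidden</i> flags are my own.

```shell
#!/bin/bash
# Added example, not part of this post or the earlier one it continues.
# Two checks that lsof cannot make: (a) loop devices still pinning an
# unlinked backing file, (b) data hidden underneath a later mount.
# Assumes util-linux losetup(8)/mount(8) and GNU du(1); function names
# and the --loops/--hidden flags are my own.

# (a) Parse `losetup -a` lines such as
#   /dev/loop1: [2049]:131076 (/opt/4gb.iso (deleted))
# and print the devices whose backing file has been unlinked. The loop
# driver holds that file open inside the kernel, so no process owns a
# descriptor for lsof to list. Reads stdin so it works on captured text.
deleted_loops() {
    while IFS= read -r line; do
        case "$line" in
            /dev/loop*'(deleted)'*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# (b) From /proc/mounts-style lines on stdin, print the mount points that
# sit directly on the filesystem mounted at $1. Each of them hides whatever
# the underlying directory still holds (the old /var from the earlier post).
nested_mountpoints() {
    local root=$1 all mp cand parent
    all=$(awk '{print $2}')
    for mp in $all; do
        [ "$mp" = "$root" ] && continue
        parent=/
        # The parent of $mp is the longest other mount point that prefixes it.
        for cand in $all; do
            [ "$cand" = "$mp" ] && continue
            case "$mp" in
                "${cand%/}"/*) [ ${#cand} -gt ${#parent} ] && parent=$cand ;;
            esac
        done
        [ "$parent" = "$root" ] && printf '%s\n' "$mp"
    done
    return 0
}

# Size what those mounts hide: a plain (non-recursive) bind mount exposes
# the filesystem's own tree without the mounts stacked on top of it.
# Needs root; the scratch directory is removed afterwards.
hidden_usage() {
    local root=$1 scratch mp
    scratch=$(mktemp -d) || return 1
    mount --bind "$root" "$scratch" || { rmdir "$scratch"; return 1; }
    nested_mountpoints "$root" < /proc/mounts | while read -r mp; do
        du -sh "$scratch${mp#"${root%/}"}" 2>/dev/null
    done
    umount "$scratch" && rmdir "$scratch"
}

case "${1:-}" in
    --loops)  losetup -a | deleted_loops ;;   # then: umount it, losetup -d DEV
    --hidden) hidden_usage "${2:-/}" ;;
esac
```

<i>--loops</i> prints the devices to detach (unmount anything on them first, then <i>losetup -d</i>); <i>--hidden /</i> prints the size of every directory that a later mount covers. Freeing the loop device is what returns the 4.2G here; the bind mount is the check for the mounted-over /var case from the earlier post, where the data is still on the parent filesystem but invisible to du.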
<i><br /></i>
<br />
<br /></div>Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com2tag:blogger.com,1999:blog-1479824033506250875.post-9215983742797160822012-01-30T23:08:00.000-08:002012-01-30T23:16:13.229-08:00RHEV-3 supported 60 day evaluation availableSince I am working in the RHEV support group, I am really elated to share this news.<br /><br />If you are an enthusiast wanting to explore various virtualization offerings, a fully supported RHEV3 60-day evaluation is available for you to test.<br /><br />You can sign up at http://www.redhat.com/promo/rhev3/<br /><br />Evaluation Guide at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html-single/Evaluation_Guide/index.html<br /><br />More details at https://access.redhat.com/kb/docs/DOC-69002Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-86728305465176385622010-09-30T03:04:00.000-07:002010-09-30T03:22:27.737-07:00Cannot log in to web Albums from picasa while using fedora 12. "Login failed please try again later"A couple of days back, I had to sync some photos from my laptop to Picasa web albums. This was the first time I used the <a href="http://picasa.google.com/linux/download.html">Picasa app</a> after installing Fedora 12 on my laptop.<br /><br />I clicked on "Sign In to Web Albums", entered my Gmail username and password and got a login failure message. The login window returned immediately showing "Login failed - Please try again later". 
The error was thrown in less than a second, which was ample reason for me to believe that this was a problem at my end, not at Gmail's end.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigW8WQSAkcGFjpUg-xYBiLsoReZ6JYdZjWey5FIFvRr93yv4w6B_0fT6c6T91oNg9ahmV7EaaShoyXTCjZIEDTXk2euQe41WES8l2vjbs_j8JJ7csTzitQlcP7GdCuX2hRQif6MLm8pFk/s1600/Screenshot-Web+Albums.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 299px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigW8WQSAkcGFjpUg-xYBiLsoReZ6JYdZjWey5FIFvRr93yv4w6B_0fT6c6T91oNg9ahmV7EaaShoyXTCjZIEDTXk2euQe41WES8l2vjbs_j8JJ7csTzitQlcP7GdCuX2hRQif6MLm8pFk/s320/Screenshot-Web+Albums.png" alt="" id="BLOGGER_PHOTO_ID_5522648320839200642" border="0" /></a><br />Searched the web and found the solution suggesting to install the "openssl-devel" package on my laptop.<br /><br /><span style="font-weight: bold;"># yum install openssl-devel</span><br /><br />Tried to sign in to the web album again, but unfortunately still got the same error message.<br /><br />Banged my head for a couple of minutes and finally realized that the Fedora 13 running on my laptop was x86_64 while Picasa is a 32-bit application, so I had to install openssl-devel.i686.<br /><br /><span style="font-weight: bold;"># yum install openssl-devel.i686</span><br /><br />I was really happy after that. Everything worked as expected and my engagement photos are now live on Picasa.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com3tag:blogger.com,1999:blog-1479824033506250875.post-72714066204858628742010-08-08T06:16:00.000-07:002010-08-08T08:51:58.411-07:00Bash and CD<p>Shell scripting gives great advantages to system administrators and I often use bash in my daily work. 
Though my work now involves less scripting, for a specific task I wanted to write a script of my own. The script takes a project name as argument and automatically takes me to that project's directory on an NFS share.</p><br />
<p>For example: assume that I am working on a project named MCP1516; then I want my script to take me to that directory. Now you may ask what the need for a script is, since a plain cd command would suffice,<br />
<br />
<b>$cd /mnt/projects/*/mcp1516</b><br />
<br />
but I wanted to do some other things as well:<br />
1. If the NFS share is not mounted, mount it under /mnt/projects.<br />
2. If the project directory doesn't exist, create it.<br />
3. Reuse this script in other tasks (probably as a function).<br />
<br />
Now the script looked like this:<br />
<br />
<b><i><br />
#!/bin/bash<br />
# Mount the project share if it is not mounted yet, then cd into the project.<br />
if /bin/mount | grep nfs | grep -q nfs-server<br />
then<br />
cd /mnt/projects/*/"$1"<br />
else<br />
sudo /bin/mount -t nfs nfs-server:/share/projects /mnt/projects<br />
cd /mnt/projects/*/"$1"<br />
fi</i></b><i></i><br />
<br />
Seems a pretty simple script. Now I call the above script "takemeto":<br />
<br />
<b>$takemeto mcp1516</b><br />
<br />
Assuming that the directory already exists, the above script, when run, should change my "pwd" to the matching /mnt/projects/*/mcp1516 directory, but (un)fortunately it doesn't.<br />
<br />
Now the problem is not in the script but in the way a shell runs scripts and in what the command "cd" is.<br />
</p><br />
<p>First of all, when the script is called it runs in a new shell, a child process, and the current working directory is a per-process attribute: a child can change its own directory but never its parent's, so the parent shell that called the script sees nothing of the cd it ran. That is also why cd is a bash built-in rather than an external command; an external program could only change its own directory and then exit. So to run the script's commands in the current (parent) shell, use the <b>"source"</b> command (or its short form "."). </p><br />
So if you call the same script using the source command, it changes the directory in the current shell:<br />
<br />
<b>$source takemeto mcp1516</b><br />
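The same tool written as a shell function, added here as an example that is not Niranjan's script: a function body runs in the calling shell, so its cd sticks without <b>source</b>, which is also goal 3 above. Carried over from the post are the nfs-server:/share/projects export mounted on /mnt/projects and the /mnt/projects/&lt;group&gt;/&lt;project&gt; layout; resolve_project, share_mounted and PROJECTS_BASE are my own names.

```shell
#!/bin/bash
# Added example, not Niranjan's script: the same tool as a shell function.
# A function body runs in the calling shell, so its cd sticks without
# `source` (goal 3 above). Carried over from the post: the share
# nfs-server:/share/projects mounted on /mnt/projects and the layout
# /mnt/projects/<group>/<project>. resolve_project, share_mounted and
# PROJECTS_BASE are my own names.

# Resolve <base>/*/<name> to exactly one directory instead of handing an
# unquoted glob to cd, which picks the first match or fails oddly when
# nothing matches. Prints the path; returns 1 if none, 2 if ambiguous.
resolve_project() {
    local base=$1 name=$2 match='' d
    for d in "$base"/*/"$name"; do
        [ -d "$d" ] || continue
        if [ -n "$match" ]; then
            echo "ambiguous: $name exists under more than one group" >&2
            return 2
        fi
        match=$d
    done
    [ -n "$match" ] || { echo "no project named $name under $base" >&2; return 1; }
    printf '%s\n' "$match"
}

# True when something is mounted on the given directory; mountpoint(1) asks
# the kernel instead of grepping `mount` output for a hostname.
share_mounted() {
    mountpoint -q "$1"
}

takemeto() {
    local base=${PROJECTS_BASE:-/mnt/projects} target
    [ -n "$1" ] || { echo "usage: takemeto PROJECT" >&2; return 1; }
    share_mounted "$base" || sudo mount -t nfs nfs-server:/share/projects "$base" || return 1
    target=$(resolve_project "$base" "$1") || return 1
    cd "$target"    # changes the caller's cwd: this is a function, not a child process
}
```

Put the file in ~/.bashrc (or source it once) and then <b>takemeto mcp1516</b> works from any shell that loaded it. The function uses <b>return</b> rather than <b>exit</b> on failure, which matters for anything that runs in the caller's shell: an <b>exit</b> there would close the interactive session.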
<br />
So happy scripting :)<br />
<br />
<b>Niranjan</b>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-1479824033506250875.post-16241049921178291872010-04-12T06:31:00.000-07:002010-04-13T05:58:23.056-07:00Difference in the output du and df?Found a nice write-up <a href="http://www.sysunconfig.net/aixtips/df_du_diff_out.txt">here.</a> Just thought it's worth sharing as most people are unaware of this. There is one more nasty reason for df and du to show different output which is not discussed there. May not be worth discussing there.<br /><br />I had a case where an administrator installed a system with just 5GB allocated to /. Later he figured out that the log files in /var were growing quickly and / would fill up very soon. So far /var had 2GB of logs. He just created another 10GB partition, copied the current contents of /var to it, then mounted the new partition on /var without deleting the current contents of /var.<br /><br />This administrator never documented this event and quit the company. A new guy stepped in. Later, when he scanned the / filesystem (maybe the next time / hit 100%) he found that the df and du output for / differed (showing a 2GB difference). Can you imagine what the cause is?<br /><br />The worst question is how a Technical Support Engineer figures this out. Wild guesses? But I had to.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com4tag:blogger.com,1999:blog-1479824033506250875.post-1305227655739290562010-02-09T00:34:00.000-08:002010-02-09T00:37:33.798-08:00How to merge pdf files in Linux?I was about to submit claims for my expenses. I had to scan the receipts and email them to blah blah blah. The scanner gave me multiple pdfs and I preferred to send only one pdf. 
I had to merge the pdfs and did that by using the below command on my Fedora 10 box.<br /><br /><span style="font-weight: bold;"># gs -dNOPAUSE -sDEVICE=pdfwrite -sOUTPUTFILE=merged.pdf -dBATCH first.pdf second.pdf</span><br /><br />I got this solution through a search on the web. One caveat: Ghostscript interprets PostScript embedded in its inputs, so when merging PDFs you did not produce yourself, add -dSAFER on releases older than 9.50 (where it is not yet the default) to restrict what the interpreter may read and write.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com7tag:blogger.com,1999:blog-1479824033506250875.post-75682442957133760552010-01-20T09:53:00.000-08:002010-01-20T10:19:16.662-08:00"+" in the output of "ls -l" stands for what?Today when I logged into one of my test systems and did "ls -l /root", I found a "+" in the output against each file and directory, immediately after the permission bits. One example is given below.<br /><br /><span style="font-weight: bold;">-rw-r-xr--+ 1 root root 151 Jul 31 20:38 test.sh</span><br /><br />I had no idea what this "+" indicates about the file or directory. I just searched Google to find out, without any luck. Every document that I referred to speaks about all the other fields displayed in the output, but keeps silent about "+". "man ls" has nothing to say about it. But I was not ready to give up; I found out myself what that field indicates. You may already know what is meant by this +, but this blog is intended to explain how I found it out myself, which may be useful for you as well if you face a similar situation in future. Below is the method that I followed.<br /><br />I created a file in /tmp named file.txt. When I did "ls -l" on that file, I didn't see the "+" in the output. Now I have a file which has a + in the "ls -l" output and one which doesn't.<br /><br />Now I ran strace on "ls -l" while listing both files. strace was executed as below.<br /><br /><span style="font-weight: bold;"># strace -fvvv -s 1024 -o output-file ls -l file-name</span><br /><br />Analyzed both straces and compared them. 
This comparison helped me to see what is different between these two files.<br /><br />For the file which has + in its output, I found the below system call in strace.<br /><br /><span style="font-weight: bold;">29608 getxattr("/root/test.sh", "system.posix_acl_access", 0x0, 0) = 44</span><br /><br />For the file which doesn't have + in the output, I found the same system call as below.<br /><br /><span style="font-weight: bold;">29616 getxattr("/tmp/file.txt", "system.posix_acl_access", 0x0, 0) = -1 ENODATA (No data available)</span><br /><span style="font-weight: bold;">29616 getxattr("/tmp/file.txt", "system.posix_acl_default", 0x0, 0) = -1 ENODATA (No data available)</span><br /><br />The difference in the output of getxattr() told me that the file which has a "+" in the output has a filesystem ACL on it, whereas the file which doesn't have a "+" in the output has no ACLs set on it (this is indicated by the "-1 ENODATA (No data available)"). Note also the size: getxattr() was called with a NULL buffer and length 0, which only asks how big the attribute is, and 44 bytes is a 4-byte header plus five 8-byte ACL entries, i.e. more than the three base entries (user, group, other) that merely encode the ordinary mode bits. That is exactly the condition the man page quotes below.<br /><br />I verified this by running "getfacl file-name" on both files. Then I did "man acl", started reading it and found the below details.<br /><br />"For files that have a default ACL or an access ACL that contains more than the three required ACL entries, the ls(1) utility in the long form produced by ls -l displays a plus sign (+) after the permission string."<br /><br />Is "man acl" the right place to have this info?Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-59832959019227795752009-10-01T07:37:00.000-07:002009-10-01T08:27:30.636-07:00How to play vcds in Fedora?I am running Fedora 10 on my laptop. My sister brought a VCD and requested me to play it. I inserted the VCD, mounted it on /mnt and started to play it. 
To my surprise, it didn't work.<br /><br /><span style="font-weight: bold;">$ cd /mnt/</span><br /><br /><span style="font-weight: bold;">$ ls</span><br /><span style="font-weight: bold;">cdi ext mpegav segment vcd</span><br /><br /><span style="font-weight: bold;">$ cd mpegav/</span><br /><br /><span style="font-weight: bold;">$ ls</span><br /><span style="font-weight: bold;">avseq01.dat</span><br /><br /><span style="font-weight: bold;">$ mplayer avseq01.dat </span><br /><br /><span style="font-weight: bold;">Playing avseq01.dat.</span><br /><span style="font-weight: bold;">Seek failed</span><br /><br /><span style="font-weight: bold;">Exiting... (End of file)</span><br /><br />Then I tried to copy the avseq01.dat to a local folder.<br /><br /><span style="font-weight: bold;">$ cp avseq01.dat ~/</span><br /><span style="font-weight: bold;">cp: reading `avseq01.dat': Input/output error</span><br /><br />Tried to copy using dd, but no luck.<br /><br /><span style="font-weight: bold;">$ dd if=avseq01.dat of=~/vcd.dat</span><br /><span style="font-weight: bold;">dd: reading `avseq01.dat': Input/output error</span><br /><span style="font-weight: bold;">0+0 records in</span><br /><span style="font-weight: bold;">0+0 records out</span><br /><span style="font-weight: bold;">0 bytes (0 B) copied, 0.00805312 s, 0.0 kB/s</span><br /><br />The problem is neither with the disc nor with the drive, but with how a Video CD stores its data: the MPEG stream in avseq01.dat sits in CD-ROM XA mode 2 form 2 sectors, which the ISO 9660 filesystem driver cannot read as an ordinary file, hence the I/O errors. The stream has to be extracted by reading the raw sectors and rewritten as a plain MPEG file. So my friend Ritesh came to my help. Below is how I did it.<br /><br />- Installed the "<span style="font-weight: bold;">vcdimager</span>" package. The version that I installed was <span style="font-weight: bold;">vcdimager-0.6.2-1.i386</span>. 
It's available via yum.<br /><br />- Create a folder named ~/vcd and cd into it.<br /><br />- Run vcdrip (vcdxrip in the latest version of the vcdimager package) to copy the video file to mpg format.<br /><br /><span style="font-weight: bold;">$ vcdrip --rip --cdrom-device=/dev/cdrom</span><br /><br />- The above command will copy avseq01.dat from the CD to avseq01.mpg in the current working directory. This process will take some time, and more if there are a lot of scratches on the disc. Once it exits, run "mplayer avseq01.mpg" in the current directory to play it.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com4tag:blogger.com,1999:blog-1479824033506250875.post-49497440232955477652009-09-06T06:14:00.000-07:002009-09-08T22:18:28.560-07:00How to clone a guest over the network?Below are the steps that I followed to clone an RHEL5 guest running under VMware ESX-3.5 to a Xen environment over the network. The method that I followed can be used to clone any virtual machine (except windows?) running under any virtualization product to any other virtualization product (Correct?). I agree that there are specific tools provided by vendors for p2v and v2v conversions, but they are limited to their virtualization product. Eg, VMware tools may not be used to convert a virtual machine running under VMware to run on Xen/KVM and vice-versa.<br /><br /><span style="font-weight: bold;">Pre-requisites.</span><br /><br />- Linux based LiveCD. 
(Which should have the coreutils and nc - netcat - packages installed).<br /><br /><span style="font-weight: bold;">Below are the steps that I followed:</span><br /><br />- Downloaded the LiveCD for Fedora 10 from <a href="http://ftp-stud.hs-esslingen.de/pub/fedora/linux/releases/10/Live/x86_64/F10-x86_64-Live.iso">here</a> (You can use whatever Linux LiveCD you want.)<br /><br />- Booted the rhel5 virtual machine already available in VMware ESX from this ISO by attaching the ISO to the guest and selecting cdrom as the first boot device. (Consult the concerned documentation for more details)<br /><br />- Created a new blank guest in Xen and assigned it a hard disk of the same size as the VMware disk. I just created a fully virtualized guest using virt-manager and, when it started the anaconda installation, aborted the installation and shut down the guest. Now I have a guest with a blank image.<br /><br />- Then started the blank guest under Xen from the Fedora LiveCD. (If not sure how to do it, please consult the Xen documentation).<br /><br />Now we have both the VMware guest (called GuestA from now onwards) and a guest with a blank image in Xen (called GuestB from now onwards) booted off the Fedora 10 Live CD.<br /><br />- On both guests flush the iptables firewall (the LiveCD's default rules would otherwise block the listening port; a single rule allowing TCP port 7000 from GuestA's address would do as well).<br /><br /><span style="font-weight: bold;"># iptables -F</span><br /><br />- Networking should be enabled automatically by the LiveCD. Make sure that networking is working as expected on both guests and that they can ping each other.<br /><br />- Run <span style="font-weight: bold;">fdisk -l</span> on both guests and identify how the hard disk has been detected. 
I had them detected as <span style="font-weight: bold;">"/dev/sda"</span> on both GuestA and GuestB.<br /><br />- On GuestB, run the below command:<br /><br /><span style="font-weight: bold;"># nc -l 7000 | dd of=/dev/sda bs=16M</span><br /><br />- On GuestA, run the below command.<br /><br /><span style="font-weight: bold;"># dd if=/dev/sda bs=16M | nc ip-of-GuestB 7000</span><br /><br />Replace <span style="font-weight: bold;">ip-of-GuestB</span> with the actual IP of GuestB and replace <span style="font-weight: bold;">/dev/sda</span> with the actual block device in both commands. 7000 is the port number; you can use other unused ports as well. Note that netcat carries the disk image in the clear with no authentication or integrity check, so do this only on a network you control, and before trusting the clone compare a checksum of the source disk with one of the destination disk (for example sha256sum over /dev/sda on each side).<br /><br />The process of copying the hard disk image will take some time depending upon the network bandwidth and the IO bandwidth of the storage. Please be patient and, once the process is over, reboot GuestB from its hard disk.<br /><br />- Went to bed and had a good sleep. When I was up in the morning, I had the guest cloned successfully and started off the new guest.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com3tag:blogger.com,1999:blog-1479824033506250875.post-31564287717774744912009-08-14T01:39:00.000-07:002009-08-14T01:54:25.636-07:00How to configure NFS4 with Kerberos using Windows AD + KDC?Below are the steps which explain how to set this up in a simple environment.<br /><br />This setup involves three systems.<br /><br />1. Windows 2003 as KDC<br />2. NFS server<br />3. NFS client<br /><br />Windows server is Windows 2003 R2 SP2. 
NFS server and NFS client are running RHEL-5.3<br /><br /><span style="font-weight: bold;">Pre-requisites</span><br /><br />- Working DNS server<br />- Working NTP server so that time in all the machines are in sync.<br /><br />These are requirements for Kerberos to work.<br /><br />In Windows server create a user "nfsuser" with some password.<br /><br /><span style="font-weight: bold;">How to setup NFS server?</span><br /><br />1.1- Run "authconfig-tui". In the "Authentication" section, select "Use Kerberos" -> Next -> Type in the realm name, IP of Windows AD for KDC and admin server.<br /><br />1.2- Add a user named "nfsuser" with uid 2000 without setting up any password for that user.<br /><br /><span style="font-weight: bold;"># useradd -u 2000 nfsuser</span><br /><br />1.3- Create 2 groups named "group1 and group2" with gid 3001-3002 on the system.<br /><br />1.4- Add "nfsuser" as member of both the groups.<br /><br /><span style="font-weight: bold;"># usermod -G group1,group2 nfsuser</span><br /><br />1.5- Create a directory to share using nfs.<br /><br /><span style="font-weight: bold;"># mkdir /nfs</span><br /><br />Create 2 directories and each writable by one group.<br /><br /><span style="font-weight: bold;"># mkdir /nfs/group1</span><br /><span style="font-weight: bold;"># chgrp group1 /nfs/group1</span><br /><span style="font-weight: bold;"># chmod g+w /nfs/group1</span><br /><br /><span style="font-weight: bold;"># mkdir /nfs/group2</span><br /><span style="font-weight: bold;"># chgrp group2 /nfs/group2</span><br /><span style="font-weight: bold;"># chmod g+w /nfs/group2</span><br /><br />1.6 - Edit /etc/sysconfig/nfs and un-comment the below line.<br /><br /><span style="font-weight: bold;">SECURE_NFS="yes"</span><br /><br />1.7 - Edit /etc/exports and share /nfs as below.<br /><br /><span style="font-weight: bold;">/nfs gss/krb5p(rw,sync,fsid=0)</span><br /><br />1.8- Now create the keytab on windows server in command prompt using the below 
command.<br /><br /><span style="font-weight: bold;">ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsuser -pass **** -out nfsrv.keytab /crypto rc4-hmac-nt /ptype KRB5_NT_PRINCIPAL</span><br /><br />* Please note that I have used "rc4-hmac-nt" crypto.<br /><br />RC4-HMAC-NT is the default and employs 128-bit encryption. It is nevertheless a deprecated Kerberos enctype (R FC 8429); on clients that support it, prefer AES256-SHA1. Note also that each ktpass -pass run resets the mapped account's password and bumps its key version, so running it a second time against the same account (step 2.6 below) can invalidate the keytab made here, and if both keytabs end up with the same password-derived RC4 key the client can impersonate the NFS server. Use one AD account per host in anything beyond a lab.<br /><br />You can find more details about ktpass and types of crypto <a href="http://technet.microsoft.com/en-us/library/cc753771%28WS.10%29.aspx">here</a><br /><br />1.9- Copy nfsrv.keytab to the NFS server as /etc/krb5.keytab<br />1.10- Verify with klist -ke<br /><br /><span style="font-weight: bold;"># klist -ke /etc/krb5.keytab</span><br /><span style="font-weight: bold;">Keytab name: FILE:/etc/krb5.keytab</span><br /><span style="font-weight: bold;">KVNO Principal</span><br /><span style="font-weight: bold;">---- --------------------------------------------------------------------------</span><br /><span style="font-weight: bold;"> 2 nfs/nfsserver.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)</span><br /><br />1.11- Start the nfs server service and rpcidmapd.<br /><br /><span style="font-weight: bold;"># service nfs start</span><br /><span style="font-weight: bold;"># service rpcidmapd restart</span><br /><br /><span style="font-weight: bold;">How to configure NFS client?</span><br /><br />2.1 - Repeat step 1.1<br />2.2 - Repeat step 1.2<br />2.3 - Repeat step 1.3<br />2.4 - Repeat step 1.4<br /><br />2.5- Edit /etc/sysconfig/nfs and un-comment the below line.<br /><br /><span style="font-weight: bold;">SECURE_NFS="yes"</span><br /><br />2.6- Create the keytab on the Windows server<br /><br /><span style="font-weight: bold;">ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser -pass **** -out nfscli.keytab /crypto rc4-hmac-nt /ptype KRB5_NT_PRINCIPAL</span><br /><br />2.7- Copy nfscli.keytab to the NFS client as /etc/krb5.keytab<br /><br />2.8- Verify with klist -ke<br /><br /><span style="font-weight: bold;"># klist -ke 
/etc/krb5.keytab</span><br /><span style="font-weight: bold;">Keytab name: FILE:/etc/krb5.keytab</span><br /><span style="font-weight: bold;">KVNO Principal</span><br /><span style="font-weight: bold;">---- --------------------------------------------------------------------------</span><br /><span style="font-weight: bold;"> 2 nfs/nfsclient.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)</span><br /><br /><br />2.9- Start "rpcgssd" and "rpcidmapd".<br /><br /><span style="font-weight: bold;"># service rpcgssd start</span><br /><span style="font-weight: bold;"># service rpcidmapd restart</span><br /><br />2.10 - Mount the share on /mnt as below.<br /><br /><span style="font-weight: bold;"># mount -t nfs4 -o sec=krb5p nfsserver.example.com:/ /mnt</span><br /><br /><span style="font-weight: bold;"># mount | grep nfs4</span><br /><span style="font-weight: bold;">nfsserver.example.com:/ on /mnt type nfs4 (rw,sec=krb5p,addr=10.65.209.189)</span><br /><br /><span style="font-weight: bold;"># ls /mnt</span><br /><span style="font-weight: bold;">group1 group2</span>Karanhttp://www.blogger.com/profile/13741486009633528963noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-59548728780415552412009-06-06T02:14:00.000-07:002009-06-06T02:19:34.665-07:00How to add a sound card to a KVM guest?I have a Windows XP virtual machine running on my laptop on top of Fedora 10 KVM. One day I accidentally deleted the sound card from the virt-manager -> Hardware tab for that guest. I then understood my mistake and tried to add it back via the "Add Hardware" wizard. 
To my dismay, there was no option to add a sound card.<br /><br />Then how did I add the sound card back to the guest?<br /><br />- I did <span style="font-weight: bold;">"virsh dumpxml anotherguest"</span> on a guest which has a sound card attached to it and was able to see the below line in the output.<br /><br /><span style="font-weight: bold;"> ....................</span><br /><span style="font-weight: bold;"> &lt;sound model='es1370'/&gt;</span><br /><span style="font-weight: bold;"> ....................</span><br /><br />- I then did <span style="font-weight: bold;">"virsh dumpxml xp"</span> and was not able to see the above line in it. So fixing this is as simple as adding the above line to the winxp configuration file.<br /><br /><span style="font-weight: bold;">How to do that?</span><br /><br />- Dump the XML to a file on disk.<br /><br /><span style="font-weight: bold;"># virsh dumpxml xp > xp.xml</span><br /><br />- Edit <span style="font-weight: bold;">xp.xml</span> and add the below line to it.<br /><br /><span style="font-weight: bold;"> &lt;sound model='es1370'/&gt;</span><br /><br />I added this immediately before the closing <span style="font-weight: bold;">&lt;/devices&gt;</span> line (the element must sit inside &lt;devices&gt;, or virsh define rejects the file).<br /><br />- Then redefine the guest using the new configuration file.<br /><br /><span style="font-weight: bold;"># virsh define xp.xml</span><br /><br />Restart the guest and the sound card will be present in the guest. 
Hope we can add the sound card in F11 through the virt-manager GUI.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-79273533685371704772009-03-28T02:22:00.000-07:002009-03-28T02:25:44.394-07:00How to prepare a system for kernel crash dump analysis?<span style="font-weight: bold;">In simple steps:</span><br /><br />1 - Collect the below details about the system from where the crash dump was generated.<br /><br />- Architecture of the system: i686, x86_64 etc.<br />- Version of the kernel running when the system crashed.<br /><br />2 - Prepare a system which runs the same OS as the crashed system and the same arch. (Not mandatory, but the steps below depend on this.) Using the same system which crashed is also fine.<br /><br />3 - Download the kernel-debuginfo package (kernel-xen-debuginfo for the xen kernel flavour, together with kernel-debuginfo-common) matching the exact version of the kernel which was running when the system crashed and install it using the "rpm -ivh packagename" command. The kernel-debug package is something else (a kernel built with debugging options) and is of no use here.<br /><br />Debug info packages for RHEL can be downloaded from <a href="ftp://ftp.redhat.com/pub/redhat/linux/enterprise/">here</a><br /><br />4 - Run crash as below.<br /><br /><span style="font-weight: bold;"># crash /usr/lib/debug/lib/modules/kernel-version/vmlinux path-to-the-vmcore</span><br /><br />For example, a customer recently reported a kernel crash with the rhel5 kernel "2.6.18-128.1.1.el5xen". 
Below are the steps that I did.<br /><br />- Downloaded the debug kernel from <a href="ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/x86_64/Debuginfo/kernel-xen-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm">here</a><br /><br />- Installed it using <span style="font-weight: bold;">"rpm -ivh kernel-xen-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm"</span><br /><br />- Executed crash as below.<br /><br /><span style="font-weight: bold;"># crash /usr/lib/debug/lib/modules/2.6.18-128.1.1.el5xen/vmlinux /root/vmcore</span>Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-43055043516116237542009-03-09T23:24:00.001-07:002009-03-09T23:29:02.860-07:00Network failure with xen/kvm while using round-robin bonding + bridging?If any of you are facing complete network failure or unacceptable packet loss in guest communication while using RHEL5 for virtualization with xen + bonding (only mode0/round robin) + bridging, please refer to the <a href="http://kbase.redhat.com/faq/docs/DOC-16051">redhat kbase</a> to learn how to solve or work around it. This can also apply to KVM virtualization in Fedora if a public bridge is used for networking with bonding in mode0Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com0tag:blogger.com,1999:blog-1479824033506250875.post-88024508889233653272009-02-28T05:39:00.000-08:002009-02-28T05:48:32.696-08:00Support for autofs5 in RHEL4Red Hat has introduced support for autofs5 in RHEL4. The default version of autofs in RHEL4 is autofs4, which has a lot of limitations. The biggest limitation of autofs4 is that it doesn't have support for direct mounts. 
With the introduction of autofs5 in RHEL4, all the features of autofs5 become available on RHEL4.<br /><br />I wanted to run the LDAP-backed autofs configuration that I explained <a href="http://sadiquepp.blogspot.com/2009/02/how-to-configure-autofs-maps-in-ldap.html">here</a>, which includes examples of both direct and indirect mounts, on RHEL4, and below are the steps that I followed.<br /><br />- The minimum update level that supports autofs5 in RHEL4 is U7, and the kernel must be 2.6.9-78 or later. So I updated my system to RHEL4 U7; the running kernel is 2.6.9-78.0.13.EL.<br /><br />- Install the "autofs5" rpm.<br /><br /><span style="font-weight: bold;">up2date autofs5 </span>or<span style="font-weight: bold;"> rpm -ivh autofs5-blah-blah.rpm</span><br /><br />- It's best to turn off autofs v4 while using v5 to avoid conflicts. Autofs5 supports everything in autofs4, so there is no need to run both at the same time.<br /><br /><span style="font-weight: bold;">chkconfig autofs off</span><br /><span style="font-weight: bold;">service autofs stop</span><br /><br />- Edit /etc/sysconfig/autofs5 and uncomment the definitions for the schema that you follow in your network. I uncommented the lines for schema III, which I explained <a href="http://sadiquepp.blogspot.com/2009/02/how-to-configure-autofs-maps-in-ldap.html">here</a>.<br /><br />- Edit /etc/auto.master and add the line below to it.<br /><br /><span style="font-weight: bold;">+auto.master</span><br /><br />This step is very important: unlike RHEL5, the default RHEL4 /etc/auto.master does not include this line. 
So if you forget this step, the maps will not be read from LDAP.<br /><br />- Start the "autofs5" service.<br /><br /><span style="font-weight: bold;">chkconfig autofs5 on</span><br /><span style="font-weight: bold;">service autofs5 start</span><br /><br />It should work just like in RHEL5.
Sadique Puthen http://www.blogger.com/profile/15174000939443129488 noreply@blogger.com 6
tag:blogger.com,1999:blog-1479824033506250875.post-2546520294611036939 2009-02-28T01:09:00.000-08:00 2009-02-28T01:51:49.156-08:00
How to install a fully virtualized RHEL5 guest (ia64) in xen using virt-manager?
This doc can be followed to install any fully virtualized guest, but I am concentrating specifically on how to install an RHEL5 ia64 fully virtualized guest on top of an RHEL5 dom0 using virt-manager.<br /><br />Before starting the installation, please make sure that you are using a working combination of Dom0 + guest. See the details <a href="http://www.redhat.com/rhel/server/advanced/virt.html">here</a>.<br /><br />1 - Launch virt-manager and click <span style="font-weight: bold;">"New"</span>.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifh-rjKXHFFiynWZS4UBlU4rQmCEks-hW5OWUoIpmNJ3NtTLz2-P21KtYXD_c0LAerRm_VKNr8CpxYCccIhpwsrlKnW6HX9-h7cm0u2v8CLtp8PGnhZUNpmSQUQDk0FesXiS5-mCVccw4/s1600-h/image1.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifh-rjKXHFFiynWZS4UBlU4rQmCEks-hW5OWUoIpmNJ3NtTLz2-P21KtYXD_c0LAerRm_VKNr8CpxYCccIhpwsrlKnW6HX9-h7cm0u2v8CLtp8PGnhZUNpmSQUQDk0FesXiS5-mCVccw4/s320/image1.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777978361858354" border="0" /></a>2 - Click <span style="font-weight: bold;">"Forward"</span> in the next window.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ8QYXYvHnNz2NMwEmSFgwfqGEReLrYLpGuoP3YgPqVenTxS2lR-n2Ka8IV_RYPrhTNLYnJ3VVrKhi1Ugc8p2-XkuUJwQA1a3fjV83peRxcUInzKaJYSYYwoSR6B4nV3oRPTpm_zqXbGI/s1600-h/image2.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ8QYXYvHnNz2NMwEmSFgwfqGEReLrYLpGuoP3YgPqVenTxS2lR-n2Ka8IV_RYPrhTNLYnJ3VVrKhi1Ugc8p2-XkuUJwQA1a3fjV83peRxcUInzKaJYSYYwoSR6B4nV3oRPTpm_zqXbGI/s320/image2.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777979647170562" border="0" /></a><br />3 - In the <span style="font-weight: bold;">"Naming your virtual system"</span> window, enter a name in the <span style="font-weight: bold;">"System Name"</span> column. Click <span style="font-weight: bold;">"Forward"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg8_UjkzCSkUAIMSgB5j2AybFKxwuJaO-ONeiOnWI9dVWjqpzOXL7gHYq2zMtdI5-xlMfDunWCb1kbepU4h7s8UF9C0VLz3ODoZ1S1tImtMcBH3RNZ74GybXEsWWp_8qojIWIX4xMnaT8/s1600-h/image3.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg8_UjkzCSkUAIMSgB5j2AybFKxwuJaO-ONeiOnWI9dVWjqpzOXL7gHYq2zMtdI5-xlMfDunWCb1kbepU4h7s8UF9C0VLz3ODoZ1S1tImtMcBH3RNZ74GybXEsWWp_8qojIWIX4xMnaT8/s320/image3.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777980761945234" border="0" /></a><br />4 - In the <span style="font-weight: bold;">"Choosing a Virtualization Method"</span> window, select <span style="font-weight: bold;">"Fully Virtualized"</span>. 
Click <span style="font-weight: bold;">"Forward"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9fRUe5Jm-yn_2G04CeUVwPUmZJ_vMHMyZwL8txq7TSE-M7D3xdfBZRZrFXqQyVoqe5dFEaewx3ygTgQPjqNOP2iy6ZgR8DM2ZCA9w6UvaUHMWs1j0svi9sNFhulv5b_Z6oRI6s4a7xI/s1600-h/image4.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL9fRUe5Jm-yn_2G04CeUVwPUmZJ_vMHMyZwL8txq7TSE-M7D3xdfBZRZrFXqQyVoqe5dFEaewx3ygTgQPjqNOP2iy6ZgR8DM2ZCA9w6UvaUHMWs1j0svi9sNFhulv5b_Z6oRI6s4a7xI/s320/image4.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777976453624226" border="0" /></a><br />5 - In the <span style="font-weight: bold;">"Locating Installation Media"</span> window, select the option that applies to you. If you have a DVD ISO downloaded in dom0, select <span style="font-weight: bold;">"ISO Image Location"</span> and browse to the ISO. If you have a CD or DVD, insert it in the drive, select <span style="font-weight: bold;">"CD-ROM or DVD"</span> and set the path to the <span style="font-weight: bold;">"Install Media"</span> appropriately. 
Click <span style="font-weight: bold;">"Forward"</span>.<br /><br />Select the <span style="font-weight: bold;">"OS Type and OS Variant"</span> appropriately.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXzVarc277xzNBMu3Oi1s8rieP1i205CRAF6BWGzMrVnw1thka0_3XO0MPv0sUNhkF2hwtEhxbQiP1F1a-XQOpHp8-J-RHHxzkZB-NjIDi9zbW-70PJYuGc5kcwVdBZizH7GJojXefo5I/s1600-h/image5.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXzVarc277xzNBMu3Oi1s8rieP1i205CRAF6BWGzMrVnw1thka0_3XO0MPv0sUNhkF2hwtEhxbQiP1F1a-XQOpHp8-J-RHHxzkZB-NjIDi9zbW-70PJYuGc5kcwVdBZizH7GJojXefo5I/s320/image5.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777974471375586" border="0" /></a><br /><span style="font-weight: bold;">Note:</span> If you have SELinux enabled in dom0, please make sure that the ISO is kept under /var/lib/xen/images. SELinux may prevent xend from loading an ISO from other locations, which ends in guest creation failure.<br /><br />6 - In the <span style="font-weight: bold;">"Assigning Storage space"</span> window, either point to an empty partition or LVM block device in the <span style="font-weight: bold;">"Normal Disk Partition"</span> section, or select <span style="font-weight: bold;">"Simple File"</span> and point to the file location. The file is created automatically. 
Click <span style="font-weight: bold;">"Forward"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Lv0qeZFYU4cwSXUU6_Wyvb0E8L5l5vnANeEe1RdcUWpZK4-7UFiLdfNcaIf8XjeqdvLGdCF9qVBYkqkTCK14DPEv3H3QkYA7m9-h77UE5KuZb7rfB9LqqI69RZrAHGO2yopwxNgnqZA/s1600-h/image6.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Lv0qeZFYU4cwSXUU6_Wyvb0E8L5l5vnANeEe1RdcUWpZK4-7UFiLdfNcaIf8XjeqdvLGdCF9qVBYkqkTCK14DPEv3H3QkYA7m9-h77UE5KuZb7rfB9LqqI69RZrAHGO2yopwxNgnqZA/s320/image6.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777763337816162" border="0" /></a><br /><br /><span style="font-weight: bold;">Note:</span> If you have SELinux enabled in dom0, please make sure that the image is kept under /var/lib/xen/images. SELinux may prevent xend from writing to images in other locations, which ends in guest creation failure.<br /><br />7 - In the <span style="font-weight: bold;">"Connect to Host network"</span> section, select either <span style="font-weight: bold;">"Virtual Network"</span> or "Share physical device". Set a fixed MAC address if desired. 
Click <span style="font-weight: bold;">"Forward"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoy0h5BnGi70tpAXZJ3D0-Fu4qMDyFYwXHprRhN_u3V9nYlqYOAomscMrwDRWvatj5SIJ7jsHPYNP5JtX-mLs9NJuQea5DRv1_NYNQ8KXOqd2I78UBd2-7mpZYbGfOOSSUWxvNLLqL-r8/s1600-h/image7.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoy0h5BnGi70tpAXZJ3D0-Fu4qMDyFYwXHprRhN_u3V9nYlqYOAomscMrwDRWvatj5SIJ7jsHPYNP5JtX-mLs9NJuQea5DRv1_NYNQ8KXOqd2I78UBd2-7mpZYbGfOOSSUWxvNLLqL-r8/s320/image7.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777766705200498" border="0" /></a><br />8 - In the <span style="font-weight: bold;">"Allocate memory and cpu"</span> page, select a minimum of 512MB of memory and set the number of vcpus equal to the number of physical CPUs on the host for optimum performance. Click <span style="font-weight: bold;">"Forward"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJj_1kbR7t2idX2Ye8_gIFjDshabtZLHWNIFPTspHa9a5HsR39COU2ChKvl9zykvfGYPlCU6DECge4yzhEpEf7NjL3kpUl0q1OIf2m4bU2xZ8ducOm5i7Ig4MqOaML2DBceOBfO1gR4vU/s1600-h/image8.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 285px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJj_1kbR7t2idX2Ye8_gIFjDshabtZLHWNIFPTspHa9a5HsR39COU2ChKvl9zykvfGYPlCU6DECge4yzhEpEf7NjL3kpUl0q1OIf2m4bU2xZ8ducOm5i7Ig4MqOaML2DBceOBfO1gR4vU/s320/image8.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777764568764610" border="0" /></a><br />9 - Review the summary screen and click <span style="font-weight: bold;">"Finish"</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipb9aybT18UvcQS0IzafzSKslu_qQ1_iZ9T4QkeDCI96CiYknBI2nwR3FxSYKtHAbtqGzRTSfM_pAE0o8xYkwMCnNTBn73JVwgNbG1DaqMLVSOlVCVwsmSLUbUrF-62KDhAP1ToUPN7PI/s1600-h/image9.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipb9aybT18UvcQS0IzafzSKslu_qQ1_iZ9T4QkeDCI96CiYknBI2nwR3FxSYKtHAbtqGzRTSfM_pAE0o8xYkwMCnNTBn73JVwgNbG1DaqMLVSOlVCVwsmSLUbUrF-62KDhAP1ToUPN7PI/s320/image9.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777766283798882" border="0" /></a><br />If you are installing an x86 or x86_64 guest, a graphical VNC window pops up with the guest installation started, and the installation continues normally as per the installation documentation of the OS you are installing.<br /><br />If you are installing an ia64 guest, the installer drops you into an EFI shell. The steps below show how to proceed with the installation from the EFI shell.<br /><br />10 - The EFI shell looks similar to the image below.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE1wJ7FQwbdzFclRJRs3YuAfiTCeLieioGlLbNn9mLtHwUGDR9GgppirZkALyh80AWybZ4Dnv62TyXb8KpUtVymZvqGBdCUCeWjVO2Mo0_I7lC7Sj5h6rE4Km_GBA9qyGBwPQItg_d10Q/s1600-h/image10.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 188px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE1wJ7FQwbdzFclRJRs3YuAfiTCeLieioGlLbNn9mLtHwUGDR9GgppirZkALyh80AWybZ4Dnv62TyXb8KpUtVymZvqGBdCUCeWjVO2Mo0_I7lC7Sj5h6rE4Km_GBA9qyGBwPQItg_d10Q/s320/image10.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777762846701170" border="0" /></a><br />11 - In the shell, type <span style="font-weight: bold;">"mount fs0"</span> to mount the DVD ISO that we specified in the 
virt-manager wizard.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzQ4QzJ0fhXK9HDH7UeUfLPyXhLVYlsoYTpj3PGorbEdVKNWwyq2wq6DC55ROPJUJpIGLgxfxJHZRarHq_kHPmZYMywuDe7-3QSA1VOE7rNvBS2_2Es0XTvCvVpGa7uwkrkDWSIti9-kI/s1600-h/image11.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 189px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzQ4QzJ0fhXK9HDH7UeUfLPyXhLVYlsoYTpj3PGorbEdVKNWwyq2wq6DC55ROPJUJpIGLgxfxJHZRarHq_kHPmZYMywuDe7-3QSA1VOE7rNvBS2_2Es0XTvCvVpGa7uwkrkDWSIti9-kI/s320/image11.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777582699151138" border="0" /></a><br />12 - Change to fs0 by typing <span style="font-weight: bold;">"fs0:"</span> and list its contents with the <span style="font-weight: bold;">"dir"</span> command.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTwV5edPMoWoAHyFFzCAVlxiWkddrod5nfOo8pMbsjW0Gqs_wCaCLCprX7JgeHY3Tg9u2OHWZ5Wa0KNstGdgYtivcqTTwq1LeZJQR7EY8X6avZCkttdtQMipFbsDlLA3i55hot-QngLk/s1600-h/image12.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 189px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTwV5edPMoWoAHyFFzCAVlxiWkddrod5nfOo8pMbsjW0Gqs_wCaCLCprX7JgeHY3Tg9u2OHWZ5Wa0KNstGdgYtivcqTTwq1LeZJQR7EY8X6avZCkttdtQMipFbsDlLA3i55hot-QngLk/s320/image12.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777576617221954" border="0" /></a><br />13 - Boot the installer by running <span style="font-weight: bold;">bootia64.efi</span>.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgohGFo_3zrHk_a3KoZtc_udtE6HIDeF0cHdDD_zHCIV7WA2kDyIRAJGpwxpOy6nIwZjRQf0v_rBsL1ZRP1pCPMUzlxCPCMJsibzzLflg9pPXK5eu8Zb4gjiUAK1960qd0v-K-_akl2gCc/s1600-h/image13.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 189px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgohGFo_3zrHk_a3KoZtc_udtE6HIDeF0cHdDD_zHCIV7WA2kDyIRAJGpwxpOy6nIwZjRQf0v_rBsL1ZRP1pCPMUzlxCPCMJsibzzLflg9pPXK5eu8Zb4gjiUAK1960qd0v-K-_akl2gCc/s320/image13.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777577767987426" border="0" /></a><br />14 - Press <span style="font-weight: bold;">"Enter"</span> at the <span style="font-weight: bold;">"Elilo boot:"</span> prompt. From this point onwards, the installation of the guest proceeds normally.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0MA6xeD3GIQBhhc50brCvD1jNNAXMoFb7ZGsCNJtJf1DZMyr-VC-qauxYBADzpbvzDBJ1I05ekceCTsq06OHaCGymQeWoWLKgIWmiwWnDVolStvbl_tCMHCQRs1Pef0Vbrs1u3korD64/s1600-h/image14.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 188px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0MA6xeD3GIQBhhc50brCvD1jNNAXMoFb7ZGsCNJtJf1DZMyr-VC-qauxYBADzpbvzDBJ1I05ekceCTsq06OHaCGymQeWoWLKgIWmiwWnDVolStvbl_tCMHCQRs1Pef0Vbrs1u3korD64/s320/image14.jpg" alt="" id="BLOGGER_PHOTO_ID_5307777570948220690" border="0" /></a>
Sadique Puthen http://www.blogger.com/profile/15174000939443129488 noreply@blogger.com 1
tag:blogger.com,1999:blog-1479824033506250875.post-6102852293835756591 2009-02-22T02:48:00.000-08:00 2009-02-23T00:33:07.476-08:00
How to configure autofs maps in LDAP using different schemas?
<div style="text-align: justify;">In this post I explain how to configure autofs maps in LDAP using the different schemas supported by autofs in Red Hat 
Enterprise Linux 5. I am not explaining how to configure the LDAP server itself. It's assumed that you have an LDAP server in your environment that already works, that anonymous read access is allowed for the autofs maps, and that the autofs clients are allowed to reach port 389 of the LDAP server. Different LDAP servers provide different interfaces for managing their databases, so how to add the data to the LDAP database and how to manage it is outside the scope of this doc.<br /><br />It's also assumed that every client in the network is already configured, via authconfig-tui, as a client of the LDAP server for user information. If not, configure each client as below.<br /><br />Run "<span style="font-weight: bold; font-style: italic;">authconfig-tui</span>". In the "<span style="font-weight: bold; font-style: italic;">User Information</span>" section, select "<span style="font-weight: bold; font-style: italic;">Use LDAP</span>" -> Next -> type the server name as <span style="font-weight: bold; font-style: italic;">ldap://ip-of-ldap-server</span> -> enter <span style="font-weight: bold; font-style: italic;">"dc=example,dc=com"</span> as the <span style="font-weight: bold;">"Base DN"</span>. Click "<span style="font-weight: bold;">ok</span>".<br /></div><br />Currently autofs supports three different schemas. I will use the scenario below as an example to explain all three. It includes examples of both direct and indirect mounts. 
If you don't know the difference between direct and indirect mounts, please stop here, search the web for a thorough understanding, and come back.<br /><br /><ol><li>/direct (an NFS share) from a remote server needs to be auto-mounted on /direct-mnt on the client whenever a user tries to access /direct-mnt.</li><li>/iso/debian-40r7-i386-netinst.iso (kept locally on every client) should be auto-mounted on /debian whenever a user tries to access /debian.</li><li>/homedirs/$username from a remote server needs to be auto-mounted on /home/$username whenever a user logs in to the client.</li><li>If user x tries to access /projects/x, /projects/x from the remote server should be auto-mounted.</li></ol><br />We configure #1 and #2 as direct mounts and #3 and #4 as indirect mounts. If LDAP is not used, the equivalent local configuration files (/etc/auto.master and the map files it references) would look like this.<br /><br /><span style="font-weight: bold;">/etc/auto.master</span><br /><br /><span style="font-style: italic;">+auto.master</span><br /><span style="font-style: italic;">/- /etc/auto.direct</span><br /><span style="font-style: italic;">/home /etc/auto.home</span><br /><span style="font-style: italic;">/projects /etc/auto.project</span><br /><br /><span style="font-weight: bold;">/etc/auto.direct</span><br /><br /><span style="font-style: italic;">/direct-mnt -fstype=nfs,rw ip-of-nfs-server:/direct</span><br /><span style="font-style: italic;">/debian -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso</span><br /><br /><span style="font-weight: bold;">/etc/auto.home</span><br /><br /><span style="font-style: italic;">* -fstype=nfs,rw ip-of-nfs-server:/homedirs/&</span><br /><br /><span style="font-weight: bold;">/etc/auto.project</span><br /><br /><span style="font-style: italic;">x -fstype=nfs,rw ip-of-nfs-server:/projects/x</span><br /><br />Now let us look at how to define all these maps in the LDAP server and configure the 
autofs on the client to read the maps from the LDAP server instead of local files. The only thing needed locally is the entry below in /etc/auto.master, which is present on all RHEL5 systems by default.<br /><br /><span style="font-style: italic;">+auto.master</span><br /><br /><span style="font-weight: bold;font-size:180%;" >Schema I</span><br /><br />The LDIF file that populates the above maps into the LDAP server would look like the one below. The LDAP suffix used in my example is dc=example,dc=com, which is already defined in the LDAP server.<br /><br />Below is the definition of the schema for LDAPv3 servers.<br /><span style="font-weight: bold;font-size:85%;" ><br />attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'<br />SUP name )<br /><br />attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'<br />EQUALITY caseExactIA5Match<br />SUBSTR caseExactIA5SubstringsMatch<br />SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )<br /><br />objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'<br />DESC 'A generic abstraction of a NIS map'<br />SUP top STRUCTURAL<br />MUST nisMapName<br />MAY description )<br /><br />objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'<br />DESC 'An entry in a NIS map'<br />SUP top STRUCTURAL<br />MUST ( cn $ nisMapEntry $ nisMapName )<br />MAY description )</span><br /><br />Below is the LDIF file that defines the LDAP maps for autofs for the above-mentioned example.<br /><br /><span style="font-weight: bold;font-size:85%;" >#defining auto.master<br /><br />dn: nisMapName=auto.master,dc=example,dc=com<br />objectClass: top<br />objectClass: nisMap<br />nisMapName: auto.master<br /><br />#Defining all those required for auto.direct (1 & 2)<br /><br />dn: cn=/-,nisMapName=auto.master,dc=example,dc=com<br />objectClass: nisObject<br />cn: /-<br />nisMapName: auto.master<br />nisMapEntry: auto.direct<br /><br />dn: nisMapName=auto.direct,dc=example,dc=com<br />objectClass: top<br />objectClass: nisMap<br />nisMapName: auto.direct<br /><br />dn: 
cn=/direct-mnt,nisMapName=auto.direct,dc=example,dc=com<br />objectClass: nisObject<br />cn: /direct-mnt<br />nisMapName: auto.direct<br />nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/direct<br /><br />dn: cn=/debian,nisMapName=auto.direct,dc=example,dc=com<br />objectClass: nisObject<br />cn: /debian<br />nisMapName: auto.direct<br />nisMapEntry: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso<br /><br />#Defining all those required for auto.home (3)<br /><br />dn: cn=/home,nisMapName=auto.master,dc=example,dc=com<br />objectClass: nisObject<br />cn: /home<br />nisMapName: auto.master<br />nisMapEntry: auto.home<br /><br />dn: nisMapName=auto.home,dc=example,dc=com<br />objectClass: top<br />objectClass: nisMap<br />nisMapName: auto.home<br /><br />dn: cn=/,nisMapName=auto.home,dc=example,dc=com<br />objectClass: nisObject<br />cn: /<br />nisMapName: auto.home<br />nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&<br /><br />#Defining all those required for auto.project (4)<br /><br />dn: cn=/projects,nisMapName=auto.master,dc=example,dc=com<br />objectClass: nisObject<br />cn: /projects<br />nisMapName: auto.master<br />nisMapEntry: auto.project<br /><br />dn: nisMapName=auto.project,dc=example,dc=com<br />objectClass: top<br />objectClass: nisMap<br />nisMapName: auto.project<br /><br />dn: cn=x,nisMapName=auto.project,dc=example,dc=com<br />objectClass: nisObject<br />cn: x<br />nisMapName: auto.project<br />nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/projects/x</span><br /><br />- Populate the LDAP database with the above LDIF file. 
Please refer to the respective LDAP server docs for how to do that.<br /><br />- On the client, edit /etc/sysconfig/autofs and uncomment the lines below.<br /><br /><span style="font-weight: bold;">MAP_OBJECT_CLASS="nisMap"</span><br /><span style="font-weight: bold;">ENTRY_OBJECT_CLASS="nisObject"</span><br /><span style="font-weight: bold;">MAP_ATTRIBUTE="nisMapName"</span><br /><span style="font-weight: bold;">ENTRY_ATTRIBUTE="cn"</span><br /><span style="font-weight: bold;">VALUE_ATTRIBUTE="nisMapEntry"</span><br /><br />- Restart autofs and verify that everything works as expected.<br /><br /><span style="font-weight: bold;font-size:180%;" >Schema II</span><br /><br />Below is the definition of the schema for LDAPv3 servers.<br /><br /><span style="font-weight: bold;font-size:85%;" >attributetype ( 1.3.6.1.1.1.1.25 NAME 'automountInformation'<br />DESC 'Information used by the autofs automounter'<br />EQUALITY caseExactIA5Match<br />SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<br /><br />objectclass ( 1.3.6.1.1.1.1.13 NAME 'automount' SUP top STRUCTURAL<br />DESC 'An entry in an automounter map'<br />MUST ( cn $ automountInformation )<br />MAY ( description ) )<br /><br />objectclass ( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' SUP top STRUCTURAL<br />DESC 'An group of related automount objects'<br />MUST ( ou ) )</span><br /><br />Below is the LDIF file that defines the LDAP maps for autofs for the above-mentioned example.<br /><br /><span style="font-size:85%;"><span style="font-weight: bold;">#Defines auto.master</span><br /><br /><span style="font-weight: bold;">dn: ou=auto.master,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automountMap</span><br /><span style="font-weight: bold;">ou: auto.master</span><br /><br /><span style="font-weight: bold;">#Defining all those required for auto.direct (1 & 2)</span><br /><br /><span style="font-weight: 
bold;">dn: cn=/-,ou=auto.master,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /-</span><br /><span style="font-weight: bold;">automountInformation: auto.direct</span><br /><br /><span style="font-weight: bold;">dn: ou=auto.direct,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automountMap</span><br /><span style="font-weight: bold;">ou: auto.direct</span><br /><br /><span style="font-weight: bold;">dn: cn=/direct-mnt,ou=auto.direct,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /direct-mnt</span><br /><span style="font-weight: bold;">automountInformation: -fstype=nfs,rw ip-of-nfs-server:/direct</span><br /><br /><span style="font-weight: bold;">dn: cn=/debian,ou=auto.direct,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /debian</span><br /><span style="font-weight: bold;">automountInformation: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso</span><br /><br /><span style="font-weight: bold;">#Defining all those required for auto.home (3)</span><br /><br /><span style="font-weight: bold;">dn: cn=/home,ou=auto.master,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /home</span><br /><span style="font-weight: bold;">automountInformation: auto.home</span><br /><br /><span style="font-weight: bold;">dn: ou=auto.home,dc=example,dc=com</span><br /><span style="font-weight: 
bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automountMap</span><br /><span style="font-weight: bold;">ou: auto.home</span><br /><br /><span style="font-weight: bold;">dn: cn=/,ou=auto.home,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /</span><br /><span style="font-weight: bold;">automountInformation: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&</span><br /><br /><span style="font-weight: bold;">#Defining all those required for auto.project (4)</span><br /><br /><span style="font-weight: bold;">dn: cn=/projects,ou=auto.master,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: /projects</span><br /><span style="font-weight: bold;">automountInformation: auto.project</span><br /><br /><span style="font-weight: bold;">dn: ou=auto.project,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automountMap</span><br /><span style="font-weight: bold;">ou: auto.project</span><br /><br /><span style="font-weight: bold;">dn: cn=x,ou=auto.project,dc=example,dc=com</span><br /><span style="font-weight: bold;">objectClass: top</span><br /><span style="font-weight: bold;">objectClass: automount</span><br /><span style="font-weight: bold;">cn: x</span><br /><span style="font-weight: bold;">automountInformation: -fstype=nfs,rw ip-of-nfs-server:/projects/x<br /><br /></span></span>- Populate the LDAP database with the above LDIF file. 
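Writing the LDIF by hand for every map and every schema is where the inconsistencies creep in (a nisMapName missing from a nisObject entry, a map referenced by file path instead of by name). The Python script below is an added example, not code from the original post or from the autofs project: it reads the local map files shown at the top of the post and emits the LDIF for schema I, schema II, or schema III (the automountMapName/automountKey schema described next), together with the five /etc/sysconfig/autofs settings that select that schema on the clients. It assumes the local files use the key-options-location format shown above and, unlike the hand-written LDIF, puts objectClass: top on every entry, which all three schemas accept.

```python
"""Constructed example, not code from the original post or the autofs project:
turn the local autofs map files into the LDIF for schema I, II or III and print
the /etc/sysconfig/autofs settings that select that schema on the clients."""
import os
from collections import namedtuple

# Class/attribute names per schema: exactly the values the post uncomments in
# /etc/sysconfig/autofs. entry_needs_map_attr marks schema I, whose entry class
# nisObject also requires the map-name attribute (nisMapName) on every entry.
Schema = namedtuple("Schema", "map_class entry_class map_attr entry_attr "
                              "value_attr entry_needs_map_attr")
SCHEMAS = {
    "I": Schema("nisMap", "nisObject", "nisMapName", "cn", "nisMapEntry", True),
    "II": Schema("automountMap", "automount", "ou", "cn", "automountInformation", False),
    "III": Schema("automountMap", "automount", "automountMapName", "automountKey",
                  "automountInformation", False),
}


def parse_map(text):
    """Parse a local autofs map into [(key, rest_of_line)].

    Blank lines, comments and '+map' include lines (like the +auto.master line
    kept in the local auto.master) are skipped; a key with no value is rejected
    rather than silently turned into a broken LDAP entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+":
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed map line: %r" % raw)
        entries.append((parts[0], parts[1].strip()))
    return entries


def ldap_key(key):
    """The post stores the wildcard key '*' as '/' in LDAP; other keys are unchanged."""
    return "/" if key == "*" else key


def map_to_ldif(schema_name, map_name, entries, base_dn):
    """LDIF lines for one map object followed by one entry object per (key, value).
    Unlike the post's hand-written LDIF, objectClass: top is emitted everywhere."""
    s = SCHEMAS[schema_name]
    map_dn = "%s=%s,%s" % (s.map_attr, map_name, base_dn)
    lines = ["dn: " + map_dn, "objectClass: top", "objectClass: " + s.map_class,
             "%s: %s" % (s.map_attr, map_name), ""]
    for key, value in entries:
        k = ldap_key(key)
        lines += ["dn: %s=%s,%s" % (s.entry_attr, k, map_dn), "objectClass: top",
                  "objectClass: " + s.entry_class, "%s: %s" % (s.entry_attr, k)]
        if s.entry_needs_map_attr:
            lines.append("%s: %s" % (s.map_attr, map_name))
        lines += ["%s: %s" % (s.value_attr, value), ""]
    return lines


def generate(schema_name, master_text, maps, base_dn="dc=example,dc=com"):
    """Full LDIF: auto.master first, then every map it references.

    maps is {"/etc/auto.direct": "<file contents>", ...}, keyed by the path used
    in auto.master. In LDAP the master entry names the map (auto.direct) rather
    than a file, so the directory part is dropped; mount options that followed
    the path in auto.master are kept after the map name."""
    master, referenced = [], []
    for mount, rest in parse_map(master_text):
        parts = rest.split(None, 1)
        path, opts = parts[0], (parts[1] if len(parts) > 1 else "")
        master.append((mount, (os.path.basename(path) + " " + opts).strip()))
        referenced.append(path)
    lines = map_to_ldif(schema_name, "auto.master", master, base_dn)
    for path in referenced:
        lines += map_to_ldif(schema_name, os.path.basename(path),
                             parse_map(maps[path]), base_dn)
    return "\n".join(lines).rstrip() + "\n"


def sysconfig_lines(schema_name):
    """The five /etc/sysconfig/autofs settings the post uncomments for this schema."""
    s = SCHEMAS[schema_name]
    return ['MAP_OBJECT_CLASS="%s"' % s.map_class, 'ENTRY_OBJECT_CLASS="%s"' % s.entry_class,
            'MAP_ATTRIBUTE="%s"' % s.map_attr, 'ENTRY_ATTRIBUTE="%s"' % s.entry_attr,
            'VALUE_ATTRIBUTE="%s"' % s.value_attr]


# Constructed sample input: the post's local map files, as strings.
AUTO_MASTER = "+auto.master\n/- /etc/auto.direct\n/home /etc/auto.home\n/projects /etc/auto.project\n"
MAPS = {
    "/etc/auto.direct": ("/direct-mnt -fstype=nfs,rw ip-of-nfs-server:/direct\n"
                         "/debian -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso\n"),
    "/etc/auto.home": "* -fstype=nfs,rw ip-of-nfs-server:/homedirs/&\n",
    "/etc/auto.project": "x -fstype=nfs,rw ip-of-nfs-server:/projects/x\n",
}

if __name__ == "__main__":
    print(generate("III", AUTO_MASTER, MAPS))
    print("\n".join(sysconfig_lines("III")))
```

Load the generated LDIF with whatever import tool your LDAP server ships, then apply the printed sysconfig lines on each client.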
Please refer to the respective LDAP server docs for how to do that.<br /><br />- On the client, edit /etc/sysconfig/autofs and uncomment the lines below.<br /><br /><span style="font-weight: bold;">MAP_OBJECT_CLASS="automountMap"</span><br /><span style="font-weight: bold;">ENTRY_OBJECT_CLASS="automount"</span><br /><span style="font-weight: bold;">MAP_ATTRIBUTE="ou"</span><br /><span style="font-weight: bold;">ENTRY_ATTRIBUTE="cn"</span><br /><span style="font-weight: bold;">VALUE_ATTRIBUTE="automountInformation"</span><br /><br />- Restart autofs and verify that everything works as expected.<br /><br /><span style="font-weight: bold;font-size:180%;" >Schema III</span><br /><br />Below is the definition of the schema for LDAPv3 servers.<br /><br /><span style="font-weight: bold;font-size:85%;" >attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'<br />DESC 'automount Map Name'<br />EQUALITY caseExactIA5Match<br />SUBSTR caseExactIA5SubstringsMatch<br />SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<br /><br />attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'<br />DESC 'Automount Key value'<br />EQUALITY caseExactIA5Match<br />SUBSTR caseExactIA5SubstringsMatch<br />SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<br /><br />attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'<br />DESC 'Automount information'<br />EQUALITY caseExactIA5Match<br />SUBSTR caseExactIA5SubstringsMatch<br />SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<br /><br />objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL<br />MUST ( automountMapName )<br />MAY description )<br /><br />objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL<br />DESC 'Automount information'<br />MUST ( automountKey $ automountInformation )<br />MAY description )<br /></span><br />Below is the LDIF file that defines the LDAP maps 
for autofs for the above mentioned example.<br /><br /><span style="font-weight: bold;font-size:85%;" >#Defines auto.master<br /><br />dn: automountMapName=auto.master,dc=example,dc=com<br />automountMapName: auto.master<br />objectClass: top<br />objectClass: automountMap<br /><br />#Defining all those required for auto.direct (1 & 2)<br /><br />dn: automountKey=/-,automountMapName=auto.master,dc=example,dc=com<br />objectClass: automount<br />automountKey: /-<br />automountInformation: auto.direct<br /><br />dn: automountMapName=auto.direct,dc=example,dc=com<br />automountMapName: auto.direct<br />objectClass: top<br />objectClass: automountMap<br /><br />dn: automountKey=/direct-mnt,automountMapName=auto.direct,dc=example,dc=com<br />automountKey: /direct-mnt<br />objectClass: automount<br />automountInformation: -fstype=nfs,rw ip-of-nfs-server:/direct<br /><br />dn: automountKey=/debian,automountMapName=auto.direct,dc=example,dc=com<br />automountKey: /debian<br />objectClass: automount<br />automountInformation: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso<br /><br />#Defining all those required for auto.home (3)<br /><br />dn: automountKey=/home,automountMapName=auto.master,dc=example,dc=com<br />objectClass: automount<br />automountKey: /home<br />automountInformation: auto.home<br /><br />dn: automountMapName=auto.home,dc=example,dc=com<br />automountMapName: auto.home<br />objectClass: top<br />objectClass: automountMap<br /><br />dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com<br />automountKey: /<br />objectClass: automount<br />automountInformation: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&<br /><br />#Defining all those required for auto.project (4)<br /><br />dn: automountKey=/projects,automountMapName=auto.master,dc=example,dc=com<br />objectClass: automount<br />automountKey: /projects<br />automountInformation: auto.project<br /><br />dn: automountMapName=auto.project,dc=example,dc=com<br />automountMapName: 
auto.project<br />objectClass: top<br />objectClass: automountMap<br /><br />dn: automountKey=x,automountMapName=auto.project,dc=example,dc=com<br />automountKey: x<br />objectClass: automount<br />automountInformation: -fstype=nfs,rw ip-of-nfs-server:/projects/x</span><br /><br />- Populate the ldap database with the above ldif file. Please refer to the respective ldap server docs to know more on how to do that.<br /><br />- On the client, edit /etc/sysconfig/autofs and uncomment the below lines.<br /><br /><span style="font-weight: bold;">MAP_OBJECT_CLASS="automountMap"</span><br /><span style="font-weight: bold;">ENTRY_OBJECT_CLASS="automount"</span><br /><span style="font-weight: bold;">MAP_ATTRIBUTE="automountMapName"</span><br /><span style="font-weight: bold;">ENTRY_ATTRIBUTE="automountKey"</span><br /><span style="font-weight: bold;">VALUE_ATTRIBUTE="automountInformation"</span><br /><br />- Restart autofs and verify everything is working as expected.<br /><br />Note: In all maps, please replace ip-of-nfs-server with the actual IP address of the nfs server.Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com14tag:blogger.com,1999:blog-1479824033506250875.post-40242174464998505912009-02-17T10:14:00.000-08:002009-02-17T21:21:58.575-08:00How to Configure NFSv4 with kerberos in RHEL? (Part II)Most users of Solaris and NetApp file servers might have wondered why linux alone sticks very hard to the pseudo file system in nfsv4 and why it's not possible to mount separate nfsv4 shares as separate mounts on the client. Technically this is possible. The steps below achieve this. 
Before you read this post, it is highly recommended to read <a href="http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html">this</a> to get a basic idea on how to configure nfsv4 with kerberos in linux.<br /><br /><span style="font-weight: bold;">Our requirements.</span><br /><br />On the server we want to share /home/share, /exports/public and /projects as nfsv4 shares, and they need to be mounted on the client on /share, /public and /projects respectively.<br /><br /><span style="font-style: italic;">Follow the below steps on the server.</span><br /><br />- Create the /home/share, /exports/public and /projects directories. Use "mkdir" to do this.<br /><br />- Create an nfsv4 root directory. Let's define it as "/nfs"; it can be created using "mkdir /nfs".<br /><br />- Create /nfs/home/share, /nfs/exports/public and /nfs/projects on the server. 
Use "mkdir".<br /><br />- Bind mount /home/share on /nfs/home/share, /exports/public on /nfs/exports/public and /projects on /nfs/projects.<br /><br /><span style="font-weight: bold; font-style: italic;"># mount --bind /home/share /nfs/home/share</span><br /><br /><span style="font-weight: bold; font-style: italic;"># mount --bind /exports/public /nfs/exports/public</span><br /><br /><span style="font-weight: bold; font-style: italic;"># mount --bind /projects /nfs/projects</span><br /><br />- Define /etc/exports as below.<br /><br /><span style="font-weight: bold; font-style: italic;">/nfs gss/krb5p(rw,sync,fsid=0,crossmnt)</span><br /><span style="font-weight: bold; font-style: italic;">/nfs/home/share gss/krb5p(rw,sync)</span><br /><span style="font-weight: bold; font-style: italic;">/nfs/exports/public gss/krb5p(rw,sync)</span><br /><span style="font-weight: bold; font-style: italic;">/nfs/projects gss/krb5p(rw,sync)</span><br /><br />- Restart the nfs server service and rpcidmapd.<br /><br />- Configure the client as I explained in my previous post referenced earlier.<br /><br />- Now these shares can be mounted on the client using the below commands.<br /><br /><span style="font-weight: bold; font-style: italic;">mount -t nfs4 server-ip:/home/share /share -o sec=krb5p</span><br /><span style="font-weight: bold; font-style: italic;">mount -t nfs4 server-ip:/exports/public /public -o sec=krb5p</span><br /><span style="font-weight: bold; font-style: italic;">mount -t nfs4 server-ip:/projects /projects -o sec=krb5p</span><br /><br />Looks a bit convoluted? 
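To keep the pseudo-root layout straight, here is an added Python check (written for this page, not code from the post) that parses an /etc/exports like the one above, finds the fsid=0 root, derives the path each export gets on the client, and flags exports that sit outside the pseudo root or accept a weaker flavour than krb5p. The sample exports are constructed; handling of the "host(sec=...)" syntax is an assumption about newer exportfs versions not used in the post.

```python
"""Audit an NFSv4 /etc/exports for the pseudo-root layout used above.

Added example, not taken from the post.  It parses exports written in the
old "gss/krb5p(opts)" form as well as the "host(opts,sec=...)" form, finds the
fsid=0 pseudo root and reports, for each export, the path a client will see
(the post mounts server:/home/share for the export /nfs/home/share) and
whether anything other than Kerberos privacy (krb5p) can reach it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: the /etc/exports from the post (comments are allowed).
SAMPLE_EXPORTS = """\
# NFSv4 pseudo root; sub-exports are reached through it
/nfs                gss/krb5p(rw,sync,fsid=0,crossmnt)
/nfs/home/share     gss/krb5p(rw,sync)
/nfs/exports/public gss/krb5p(rw,sync)
/nfs/projects       gss/krb5p(rw,sync)
"""

# Constructed: two mistakes a reviewer would want flagged.
WEAK_EXPORTS = """\
/nfs                gss/krb5p(rw,sync,fsid=0,crossmnt)
/nfs/home/share     gss/krb5p(rw,sync)
/nfs/projects       *(rw,sync)
/exports/public     gss/krb5p(rw,sync)
"""

# "client(opt,opt)" with the parenthesised part optional
CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


@dataclass
class Export:
    path: str
    clients: List[Tuple[str, List[str]]]  # (client spec, options)

    def has_option(self, opt: str) -> bool:
        return any(opt in opts for _, opts in self.clients)

    def flavors(self) -> List[str]:
        """Security flavours accepted, across all client specs."""
        out = []
        for client, opts in self.clients:
            if client.startswith("gss/"):            # gss/krb5, gss/krb5i, gss/krb5p
                out.append(client[len("gss/"):])
            else:
                sec = [o[len("sec="):] for o in opts if o.startswith("sec=")]
                # exportfs defaults to sec=sys (AUTH_SYS) when sec= is absent
                out.extend(sec[0].split(":") if sec else ["sys"])
        return out


def parse_exports(text: str) -> List[Export]:
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for tok in specs:
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                raise ValueError("malformed client spec: %r" % tok)
            client, opts = m.group(1) or "*", m.group(2)
            clients.append((client, opts.split(",") if opts else []))
        exports.append(Export(path.rstrip("/") or "/", clients))
    return exports


def audit(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map export path -> (client-visible path or None, problem or None)."""
    exports = parse_exports(text)
    roots = [e for e in exports if e.has_option("fsid=0") or e.has_option("fsid=root")]
    if len(roots) != 1:
        raise ValueError("expected exactly one fsid=0 export, found %d" % len(roots))
    root = roots[0].path
    report = {}
    for e in exports:
        if e.path == root:
            client_path = "/"
        elif e.path.startswith(root + "/"):
            client_path = e.path[len(root):]
        else:
            # Not inside the pseudo root: an NFSv4 client cannot reach it at all.
            report[e.path] = (None, "outside pseudo root %s" % root)
            continue
        weak = sorted(set(e.flavors()) - {"krb5p"})
        problem = "accepts non-krb5p flavours: %s" % ",".join(weak) if weak else None
        report[e.path] = (client_path, problem)
    return report


def problems(text: str) -> List[str]:
    """Just the export paths that need fixing, for a quick pass/fail."""
    return sorted(p for p, (_, prob) in audit(text).items() if prob)


if __name__ == "__main__":
    for name, text in (("post", SAMPLE_EXPORTS), ("weak", WEAK_EXPORTS)):
        print("==", name)
        for path, (client_path, prob) in audit(text).items():
            print("%-20s client sees %-14s %s" % (path, client_path, prob or "ok"))
```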
If not, you are a diligent system administrator -:)Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com3tag:blogger.com,1999:blog-1479824033506250875.post-91503363369948951532009-02-12T23:36:00.001-08:002009-08-18T03:01:55.007-07:00How to configure nfsv4 with kerberos in RHEL?Below is a small howto which explains how to set this up in a simple environment. The setup below involves three systems.<br /><br /><span style="font-weight: bold;">1 - A kerberos server.</span><br /><span style="font-weight: bold;">2 - An NFS server.</span><br /><span style="font-weight: bold;">3 - An NFS client.</span><br /><br />All the above three systems are running RHEL-5.3. I am explaining what needs to be done on each server and showing an example to prove that the 16-group limitation does not affect nfsv4 while using kerberos authentication. I am not including LDAP/NIS in this setup since that is optional.<br /><br /><span style="font-weight: bold;">Pre-requisites</span><br /><br />- There should be a dns server in your network and an FQDN for each of the above three systems. All FQDNs should resolve forward and reverse from all systems appropriately. This is a requirement for kerberos to work.<br /><br />- Time on all the above three machines should be synced to the same NTP server so that all three machines have the same time. This is a requirement for kerberos to work properly.<br /><br /><span style="font-weight: bold;">How to setup a Kerberos server?</span><br /><br />Below is what I did to set up the kerberos server. If you already have a kerberos server in your environment, like Windows AD or Solaris, you can use that system and there is no need to set up a new one. Please refer to the respective docs for more details on how to configure those kerberos servers. 
I am setting up RHEL5 as the kerberos server using MIT kerberos.<br /><br />1.1 - Install krb5-server.<br /><br /><span style="font-weight: bold; font-style: italic;"># yum install krb5-server</span><br /><br />1.2 - Choose a realm. It's generally recommended to use the dns domain name in UPPER case as the kerberos realm. My DNS domain name is pnq.redhat.com and I have selected PNQ.REDHAT.COM as the kerberos realm.<br /><br />1.3 - Run "<span style="font-weight: bold; font-style: italic;">authconfig-tui</span>". In the "<span style="font-weight: bold; font-style: italic;">Authentication</span>" section, select "<span style="font-weight: bold; font-style: italic;">Use Kerberos" -> Next -> Type in the realm name</span>, IP of the KDC and admin server. The IP of the KDC and admin server is the ip of this same machine. Click "ok".<br /><br />1.4 - Edit <span style="font-weight: bold; font-style: italic;">/var/kerberos/krb5kdc/kdc.conf</span> and change the realm name in the <span style="font-weight: bold; font-style: italic;">[realms]</span> section to match your realm name. Eg,<br /><br /><span style="font-weight: bold; font-style: italic;">[realms]</span><br /><span style="font-weight: bold; font-style: italic;">PNQ.REDHAT.COM = {</span><br /><span style="font-weight: bold; font-style: italic;">...............</span><br /><span style="font-weight: bold; font-style: italic;">...............</span><br /><br />1.5 - Create the database using the kdb5_util utility from a shell prompt:<br /><br /><span style="font-weight: bold; font-style: italic;"># /usr/kerberos/sbin/kdb5_util create -s</span><br /><br />Type a password at the prompt and re-enter it at the verification prompt.<br /><br />1.6 - Edit the <span style="font-weight: bold; font-style: italic;">/var/kerberos/krb5kdc/kadm5.acl</span> file and give */admin all privileges on the database. 
Eg,<br /><br /><span style="font-weight: bold; font-style: italic;">*/admin@PNQ.REDHAT.COM *</span><br /><br />1.7 - Run "<span style="font-weight: bold; font-style: italic;">kadmin.local</span>" and add a principal named "<span style="font-weight: bold; font-style: italic;">root/admin</span>" using the "<span style="font-weight: bold; font-style: italic;">addprinc</span>" command. Set a password of your choice.<br /><br /><span style="font-weight: bold; font-style: italic;"># kadmin.local</span><br /><span style="font-weight: bold; font-style: italic;">Authenticating as principal root/admin@PNQ.REDHAT.COM with password.</span><br /><span style="font-weight: bold; font-style: italic;">kadmin.local: addprinc root/admin</span><br /><span style="font-weight: bold; font-style: italic;">WARNING: no policy specified for root/admin@PNQ.REDHAT.COM; defaulting to no policy</span><br /><span style="font-weight: bold; font-style: italic;">Enter password for principal "root/admin@PNQ.REDHAT.COM":</span><br /><span style="font-weight: bold; font-style: italic;">Re-enter password for principal "root/admin@PNQ.REDHAT.COM":</span><br /><span style="font-weight: bold; font-style: italic;">Principal "root/admin@PNQ.REDHAT.COM" created.</span><br /><br />1.8 - Start Kerberos using the following commands:<br /><br /><span style="font-weight: bold; font-style: italic;">/sbin/service krb5kdc start</span><br /><span style="font-weight: bold; font-style: italic;">/sbin/service kadmin start</span><br /><span style="font-weight: bold; font-style: italic;">/sbin/service krb524 start</span><br /><br />1.9 - Run the "<span style="font-weight: bold; font-style: italic;">kadmin</span>" command, enter the <span style="font-weight: bold; font-style: italic;">root/admin</span> password that you set in 1.7 at the prompt, and add a new user named "<span style="font-weight: bold; font-style: italic;">nfsuser</span>" with a password.<br /><br /><span style="font-weight: bold; font-style: italic;"># kadmin</span><br /><span style="font-weight: bold; font-style: italic;">Authenticating as principal root/admin@PNQ.REDHAT.COM with password.</span><br /><span style="font-weight: bold; font-style: italic;">Password for root/admin@PNQ.REDHAT.COM:</span><br /><span style="font-weight: bold; font-style: italic;">kadmin: addprinc nfsuser</span><br /><span style="font-weight: bold; font-style: italic;">WARNING: no policy specified for nfsuser@PNQ.REDHAT.COM; defaulting to no policy</span><br /><span style="font-weight: bold; font-style: italic;">Enter password for principal "nfsuser@PNQ.REDHAT.COM":</span><br /><span style="font-weight: bold; font-style: italic;">Re-enter password for principal "nfsuser@PNQ.REDHAT.COM":</span><br /><span style="font-weight: bold; font-style: italic;">Principal "nfsuser@PNQ.REDHAT.COM" created.</span><br /><br />Nothing more to do on the kerberos server at this time. We will do the rest from the nfs server and the client, logging into the kerberos server via "kadmin" from there whenever appropriate.<br /><br /><span style="font-weight: bold;">How to configure the NFS server?</span><br /><br />2.1 - Run "<span style="font-weight: bold; font-style: italic;">authconfig-tui</span>". In the "<span style="font-weight: bold; font-style: italic;">Authentication</span>" section, select "<span style="font-weight: bold; font-style: italic;">Use Kerberos" -> Next -> Type in the realm name,</span> IP of the KDC and admin server that we set up earlier. 
Click "ok".<br /><br />2.2 - Add a user named "<span style="font-weight: bold; font-style: italic;">nfsuser</span>" with uid 2000 without setting any password for that user.<br /><br /><span style="font-weight: bold; font-style: italic;"># useradd -u 2000 nfsuser</span><br /><br />2.3 - Create 20 groups named "group1 - group20" with gids 3001-3020 on the system.<br /><br /><span style="font-weight: bold; font-style: italic;"># for i in `seq 1 9`; do groupadd -g 300$i group$i;done</span><br /><br /><span style="font-weight: bold; font-style: italic;"># for i in `seq 10 20`; do groupadd -g 30$i group$i;done</span><br /><br />2.4 - Add "<span style="font-weight: bold; font-style: italic;">nfsuser</span>" as a member of all these 20 groups.<br /><br /><span style="font-weight: bold; font-style: italic;"># usermod -G group1,group2,group3,group4,group5,group6,group7,group8,group9,group10,group11,group12,group13,group14,group15,group16,group17,group18,group19,group20 nfsuser</span><br /><br />2.5 - Create a directory to share using nfs.<br /><br /><span style="font-weight: bold; font-style: italic;"># mkdir /nfs</span><br /><br />Create 20 directories, each writable by one group.<br /><br /><span style="font-weight: bold; font-style: italic;"># for i in `seq 1 20`; do mkdir /nfs/group$i ;chgrp group$i /nfs/group$i; chmod g+w /nfs/group$i; done</span><br /><br />2.6 - Edit <span style="font-weight: bold; font-style: italic;">/etc/sysconfig/nfs</span> and uncomment the below line.<br /><br /><span style="font-weight: bold; font-style: italic;">SECURE_NFS="yes"</span><br /><br />2.7 - Edit <span style="font-weight: bold; font-style: italic;">/etc/exports</span> and share <span style="font-weight: bold; font-style: italic;">/nfs </span>as below.<br /><br /><span style="font-weight: bold; font-style: italic;">/nfs gss/krb5p(rw,sync,fsid=0)</span><br /><br />2.8 - Run "<span style="font-weight: bold; font-style: italic;">kadmin</span>" and create a service principal for the nfs 
server and extract it to a keytab file on the nfs server. The format of the service principal is "<span style="font-weight: bold; font-style: italic;">nfs/FQDN of nfs server</span>". Use ktadd to extract it to a keytab file.<br /><br /><span style="font-weight: bold;"># kadmin </span><br /><span style="font-weight: bold;">Authenticating as principal root/admin@PNQ.REDHAT.COM with password.</span><br /><span style="font-weight: bold;">Password for root/admin@PNQ.REDHAT.COM: </span><br /><span style="font-weight: bold;">kadmin: addprinc -randkey nfs/dhcp7-135.pnq.redhat.com</span><br /><span style="font-weight: bold;">WARNING: no policy specified for nfs/dhcp7-135.pnq.redhat.com@PNQ.REDHAT.COM; defaulting to no policy</span><br /><span style="font-weight: bold;">Principal "nfs/dhcp7-135.pnq.redhat.com@PNQ.REDHAT.COM" created.</span><br /><span style="font-weight: bold;">kadmin: ktadd -e des-cbc-crc:normal nfs/dhcp7-135.pnq.redhat.com</span><br /><span style="font-weight: bold;">Entry for principal nfs/dhcp7-135.pnq.redhat.com with kvno 7, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.</span><br /><span style="font-weight: bold;">kadmin: quit</span><br /><br /><span style="font-weight: bold;">Note:</span> Adding "-e des-cbc-crc:normal or -e des-cbc-crc:md5" to the above <span style="font-weight: bold;">ktadd </span>command is required only if you want to use RHEL4 or RHEL5.2 and below as clients. 
If the clients are only RHEL5.3 and other Unix systems (like Solaris), that option can be skipped.<br /><br />2.9 - Start the nfs server service and rpcidmapd.<br /><br /><span style="font-weight: bold; font-style: italic;"># service nfs start</span><br /><span style="font-weight: bold; font-style: italic;"># service rpcidmapd restart</span><br /><br /><span style="font-weight: bold;">How to configure the NFS client?</span><br /><br />3.1 - Repeat step 2.1<br /><br />3.2 - Repeat step 2.2<br /><br />3.3 - Repeat step 2.3<br /><br />3.4 - Repeat step 2.4<br /><br />3.5 - Edit <span style="font-weight: bold; font-style: italic;">/etc/sysconfig/nfs</span> and uncomment the below line.<br /><br /><span style="font-weight: bold; font-style: italic;">SECURE_NFS="yes"</span><br /><br />3.6 - Run "kadmin" and create a service principal for the nfs client and extract it to a keytab file on the nfs client. The format of the service principal is "<span style="font-weight: bold; font-style: italic;">nfs/FQDN of nfs client</span>". 
Use ktadd to extract it to a keytab file.<br /><br /><span style="font-weight: bold; font-style: italic;"># kadmin</span><br /><span style="font-weight: bold; font-style: italic;">Authenticating as principal root/admin@PNQ.REDHAT.COM with password.</span><br /><span style="font-weight: bold; font-style: italic;">Password for root/admin@PNQ.REDHAT.COM:</span><br /><span style="font-weight: bold; font-style: italic;">kadmin: addprinc -randkey nfs/dhcp7-143.pnq.redhat.com</span><br /><span style="font-weight: bold; font-style: italic;">WARNING: no policy specified for nfs/dhcp7-143.pnq.redhat.com@PNQ.REDHAT.COM; defaulting to no policy</span><br /><span style="font-weight: bold; font-style: italic;">Principal "nfs/dhcp7-143.pnq.redhat.com@PNQ.REDHAT.COM" created.</span><br /><span style="font-weight: bold; font-style: italic;">kadmin: ktadd nfs/dhcp7-143.pnq.redhat.com</span><br /><span style="font-weight: bold; font-style: italic;">Entry for principal nfs/dhcp7-143.pnq.redhat.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.</span><br /><span style="font-weight: bold; font-style: italic;">Entry for principal nfs/dhcp7-143.pnq.redhat.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.</span><br /><span style="font-weight: bold; font-style: italic;">kadmin: quit</span><br /><br />3.7 - Start "<span style="font-weight: bold; font-style: italic;">rpcgssd</span>" and "<span style="font-weight: bold; font-style: italic;">rpcidmapd</span>".<br /><br /><span style="font-weight: bold; font-style: italic;"># service rpcgssd start</span><br /><span style="font-weight: bold; font-style: italic;"># service rpcidmapd restart</span><br /><br />3.8 - Mount the share as below.<br /><br /><span style="font-weight: bold; font-style: italic;"># mount -t nfs4 &lt;fqdn or ip of the server&gt;:/ &lt;mount point&gt; -o sec=krb5p</span><ip><mount><br /><br />Eg,<br /><br /><span style="font-weight: bold; font-style: italic;"># mount -t nfs4 dhcp7-135.pnq.redhat.com:/ /mnt -o sec=krb5p</span><br /><br />This would successfully mount the share on the client.<br /><br />3.9 - Switch to user "<span style="font-weight: bold; font-style: italic;">nfsuser</span>".<br /><br /><span style="font-weight: bold; font-style: italic;"># su - nfsuser</span><br /><br />- Run "<span style="font-weight: bold; font-style: italic;">df -h /mnt</span>" and try to cd /mnt. This would fail because "nfsuser" requires a ticket to access the mount point. The "df" command wouldn't show the size of the filesystem; it would show "-" at this point.<br /><br /><span style="font-weight: bold; font-style: italic;"># df -h /mnt</span><br /><br /><span style="font-weight: bold; font-style: italic;">dhcp7-135.pnq.redhat.com:/</span><br /><span style="font-weight: bold; font-style: italic;"> - - - - /mnt</span><br /><br />- Get a ticket for "nfsuser".<br /><br /><span style="font-weight: bold; font-style: italic;"># kinit</span><br /><br />Enter the kerberos password for "nfsuser".<br /><br /><span style="font-weight: bold; font-style: italic;"># df -h /mnt</span><br /><br /><span style="font-weight: bold; font-style: italic;">dhcp7-135.pnq.redhat.com:/</span><br /><span style="font-weight: bold; font-style: italic;"> 7.2G 2.0G 4.9G 29% /mnt</span><br /><br />- "nfsuser" is a member of "group1 - group20". Directory /mnt/group1 is writable by "group1" (first group) whereas /mnt/group20 is writable by "group20" (20th group). "nfsuser" would be able to write to both these directories on the client. 
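Why group20 works here and would not with sec=sys is easier to see in a small model. The Python below is an added example (not code from the post): it reads constructed passwd/group text mirroring steps 2.2 to 2.5, applies the AUTH_SYS limit of 16 supplementary gids per RPC credential for sec=sys, uses the full server-side group list for the krb5 flavours, and lists which /nfs/groupN directories become unwritable under each.

```python
"""Model the 16-group limit that the 20-group test above exercises.

Added example, not from the post.  With sec=sys the AUTH_SYS credential in
each RPC carries at most 16 supplementary gids (the Linux client sends the
first 16 of the process's group list), so the server never learns about
nfsuser's 17th to 20th groups.  With sec=krb5/krb5i/krb5p the server maps the
Kerberos principal to a local user and resolves group membership itself, so
all 20 groups apply.  The passwd/group text and directory ownerships below
are constructed to mirror steps 2.2 to 2.5.
"""
from typing import Dict, List, Tuple

NFS_NGROUPS = 16  # gids<16> in the AUTH_SYS credential (RFC 5531)

# Constructed: what useradd -u 2000 nfsuser produces (primary group gid 2000)
SAMPLE_PASSWD = "nfsuser:x:2000:2000::/home/nfsuser:/bin/bash\n"
# group1..group20 with gids 3001..3020, nfsuser a member of each (steps 2.3/2.4)
SAMPLE_GROUP = "".join("group%d:x:%d:nfsuser\n" % (i, 3000 + i) for i in range(1, 21))
# /nfs/groupN is group-owned by groupN and g+w (step 2.5): path -> owning gid
SAMPLE_DIRS = {"/nfs/group%d" % i: 3000 + i for i in range(1, 21)}


def primary_gid(passwd_text: str, user: str) -> int:
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return int(fields[3])
    raise KeyError(user)


def supplementary_gids(group_text: str, user: str) -> List[int]:
    """gids of groups listing `user` as a member, in file order."""
    gids = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if user in members.split(","):
            gids.append(int(gid))
    return gids


def server_side_gids(passwd_text: str, group_text: str, user: str,
                     flavor: str) -> Tuple[int, List[int]]:
    """(primary gid, supplementary gids) the server will authorise with."""
    prim = primary_gid(passwd_text, user)
    supp = supplementary_gids(group_text, user)
    if flavor == "sys":
        # Only what fits in the credential reaches the server (unless
        # rpc.mountd runs with --manage-gids and looks groups up itself).
        return prim, supp[:NFS_NGROUPS]
    if flavor in ("krb5", "krb5i", "krb5p"):
        # GSS identifies the principal; groups come from the server's own
        # passwd/group (or LDAP/NIS), so nothing is truncated on the wire.
        return prim, supp
    raise ValueError("unknown security flavour: %s" % flavor)


def unwritable_dirs(dirs: Dict[str, int], prim: int, supp: List[int]) -> List[str]:
    """Directories whose owning group is not in the effective group set."""
    allowed = {prim, *supp}
    return [d for d, gid in dirs.items() if gid not in allowed]


def dirs_lost_to_limit(flavor: str) -> List[str]:
    """Which of the post's 20 test directories nfsuser cannot write with `flavor`."""
    prim, supp = server_side_gids(SAMPLE_PASSWD, SAMPLE_GROUP, "nfsuser", flavor)
    return unwritable_dirs(SAMPLE_DIRS, prim, supp)


if __name__ == "__main__":
    for flavor in ("sys", "krb5p"):
        lost = dirs_lost_to_limit(flavor)
        print("sec=%-5s nfsuser cannot write to: %s" % (flavor, lost or "nothing"))
```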
Verify this by writing a file to each of those directories as "nfsuser".<br /><br />Note: If you are seeing any problems, please re-confirm that you have met the pre-requisites without any problems.<br /><br />It's highly recommended to use LDAP/NIS to store the user and group information and to configure both the nfs server and the client to do name lookups on the LDAP/NIS server rather than configuring them in each client's local files. How to configure LDAP/NIS is outside the scope of this write-up.<br /><br /><span style="font-weight: bold;">What are the advantages of NFSv4 over NFSv3?</span><br /><br />1 – NFSv4 with kerberos supports authentication. A big disadvantage of nfsv3 was that the root user can "su - &lt;normal&gt;", get the remote user's home directory automounted and delete/modify his files. This is a big security risk in bigger enterprises if they have 1000s of systems. In the above example, this problem is solved. If root on a system does "su - &lt;normal&gt;" and gets his home directory automounted, he can't delete or modify the files without getting a ticket from the kerberos server. To get a ticket, he must supply &lt;normal&gt;'s password.<br /><br />2 – NFSv4 with kerberos supports encryption. While using krb5p, every communication between client and server is encrypted before it is sent over the wire, which was not supported by NFSv3.<br /><br />3 – The 16-group limitation is lifted. If you don't know about this, please refer to Eisler's nfs blog <a href="http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html">here</a>.<br /><br />In the above example, I have proved that there is no such limitation in nfsv4.<br /><br />There are more......................</mount></ip>Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com8tag:blogger.com,1999:blog-1479824033506250875.post-54220486597667569822009-02-11T22:19:00.000-08:002009-02-15T23:03:12.746-08:00How to add static route through a virtual (alias) interface in RHEL5?I have two ips assigned to my eth0: one for eth0 and the other for eth0:1, and both ips are from the same network.<br /><br /><span style="font-weight: bold;">eth0 Link encap:Ethernet HWaddr 00:16:3E:74:30:8B </span><br /><span style="font-weight: bold;"> inet addr:10.65.7.160 Bcast:10.65.7.255 Mask:255.255.254.0</span><br /><span style="font-weight: bold;"> </span><br /><span style="font-weight: bold;">eth0:1 Link encap:Ethernet HWaddr 00:16:3E:74:30:8B </span><br /><span style="font-weight: bold;"> inet addr:10.65.6.10 Bcast:10.65.7.255 Mask:255.255.254.0</span><br /><br />The entries added by default in the routing table would be as below.<br /><br /><span style="font-weight: bold;">10.65.6.0/23 dev eth0 proto kernel scope link src 10.65.7.160 </span><br /><span style="font-weight: bold;">169.254.0.0/16 dev eth0 scope link </span><br /><span style="font-weight: bold;">default via 10.65.7.254 dev eth0 </span><br /><br />The default route means that the ip address of eth0:1 is not used as the source address while contacting any machine in the network from this machine. Now I want all outgoing connections to a specific machine in the network to be initiated with the source address of eth0:1. How can this be achieved?<br /><br />1 - Using the "route" command. 
(This configuration is not persistent across reboots.)<br /><br /># <span style="font-weight: bold; font-style: italic;">route add -host &lt;destination-ip&gt; dev eth0:1</span><br /><br />Eg,<br /><br /># <span style="font-weight: bold; font-style: italic;">route add -host 10.65.6.1 dev eth0:1</span><br /><br />After running the above command, all connections to 10.65.6.1 should have the source address of eth0:1.<br /><br />2 - Through /etc/sysconfig/network-scripts/route-eth0:1 (this is persistent across reboots). The tricky part comes in this configuration. Most people would add a line like the below to this file, which wouldn't give the expected result.<br /><br /><span style="font-weight: bold;">&lt;destination-ip&gt;/32 dev eth0:1</span><br /><br />Eg,<br /><br /><span style="font-weight: bold;">10.65.6.1/32 dev eth0:1</span><br /><br />The above line would add a route to 10.65.6.1 via eth0:1, but the source ip address used would be the ip of eth0, not eth0:1. This can be verified by running "ip route show" and netstat.<br /><br />/etc/sysconfig/network-scripts/route-eth0:1 should have the below entry in it to use eth0:1's ip as the source ip while contacting 10.65.6.1.<br /><br /><span style="font-weight: bold;">&lt;destination-ip&gt;/32 dev eth0:1 src &lt;source-ip&gt;</span><br /><br />Eg,<br /><br /><span style="font-weight: bold;">10.65.6.1/32 dev eth0:1 src 10.65.6.10</span><br /><br /><span style="font-weight: bold; font-style: italic;">How to verify this is working as expected?</span><br /><br />From the system do "telnet 10.65.6.1 80" and check the output of "netstat -nalp | grep 80" on both the source and the destination machine. <ip>
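Before reaching for telnet, the same check can be done on paper. The Python below is an added example (not from the post): it parses route lines in the "ip route" / route-eth0:1 syntax, picks the most specific route for a destination and reports which source address the kernel will use, and it flags route-file lines that go via an alias without a "src". The interface addresses and route lines are constructed from the ones shown above.

```python
"""Check route-eth0:1 style entries for the missing "src" described above.

Added example, not from the post.  It parses route lines in the
"ip route" / route-ethX syntax, picks the most specific route for a
destination, and reports which source address the kernel will use: the
route's "src" if present, otherwise the primary address of the underlying
device (eth0 for eth0:1), which is exactly the surprise the post describes.
The interface addresses and route lines are constructed from the post.
"""
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed to match the post's ifconfig output: device -> address.
INTERFACES = {"eth0": "10.65.7.160", "eth0:1": "10.65.6.10"}

# Constructed: the routes the kernel adds by default (from "ip route show").
KERNEL_ROUTES = """\
10.65.6.0/23 dev eth0 proto kernel scope link src 10.65.7.160
169.254.0.0/16 dev eth0 scope link
default via 10.65.7.254 dev eth0
"""
# The two route-eth0:1 variants discussed above.
ROUTE_FILE_WRONG = "10.65.6.1/32 dev eth0:1\n"
ROUTE_FILE_RIGHT = "10.65.6.1/32 dev eth0:1 src 10.65.6.10\n"

KEYWORDS = {"dev", "via", "src", "proto", "scope", "metric"}


def parse_route(line: str) -> Dict[str, Any]:
    """Turn "dst keyword value ..." into a dict with an ip_network under "dst".

    Only keyword/value pairs are handled; a bare "/32" host is assumed when
    the destination has no prefix length, as in route-ethX files.
    """
    toks = line.split()
    dst = toks[0]
    if dst == "default":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(dst if "/" in dst else dst + "/32", strict=False)
    route: Dict[str, Any] = {"dst": net}
    for key, val in zip(toks[1::2], toks[2::2]):
        if key in KEYWORDS:
            route[key] = val
    return route


def parse_routes(text: str) -> List[Dict[str, Any]]:
    return [parse_route(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def base_device(dev: str) -> str:
    return dev.split(":", 1)[0]   # eth0:1 is just an extra address on eth0


def source_address(routes: List[Dict[str, Any]], interfaces: Dict[str, str],
                   dest: str) -> Optional[str]:
    """Source address the kernel picks for `dest` (longest-prefix match)."""
    ip = ipaddress.ip_address(dest)
    matching = [r for r in routes if ip in r["dst"]]
    if not matching:
        return None
    best = max(matching, key=lambda r: r["dst"].prefixlen)
    if "src" in best:
        return best["src"]
    # No src: the kernel uses the primary address of the output device;
    # the alias address on eth0:1 is never chosen automatically.
    return interfaces[base_device(best["dev"])]


def audit_route_file(text: str, interfaces: Dict[str, str]) -> List[str]:
    """Route-file lines that go out via an alias but do not pin the source."""
    issues = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        r = parse_route(line)
        dev = r.get("dev", "")
        if ":" in dev and "src" not in r:
            issues.append("%s: no src, kernel will use %s"
                          % (line.strip(), interfaces[base_device(dev)]))
        elif "src" in r and r["src"] != interfaces.get(dev):
            issues.append("%s: src is not the address of %s" % (line.strip(), dev))
    return issues


if __name__ == "__main__":
    for label, route_file in (("wrong", ROUTE_FILE_WRONG), ("right", ROUTE_FILE_RIGHT)):
        routes = parse_routes(KERNEL_ROUTES + route_file)
        print(label, "-> source for 10.65.6.1:", source_address(routes, INTERFACES, "10.65.6.1"))
        for issue in audit_route_file(route_file, INTERFACES):
            print("  ", issue)
```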
The netstat output should show the ip of eth0:1 as the source address.</ip>Sadique Puthenhttp://www.blogger.com/profile/15174000939443129488noreply@blogger.com4tag:blogger.com,1999:blog-1479824033506250875.post-11341264729995176452009-02-10T22:02:00.000-08:002009-02-10T22:17:04.190-08:00How to patch and recompile a source rpm ?Let me explain this through an example. The source rpm that I have on my laptop while writing this is for pam_krb5, so I am taking this as an example. The base system used to do this is an RHEL5 system.<br /><br />- Make sure that the rpm-build package is installed on the system.<br /><br /># <span style="font-weight: bold; font-style: italic;">yum install rpm-build</span><br /><br />- Install the source rpm.<br /><br /># <span style="font-style: italic; font-weight: bold;">rpm -ivh pam_krb5-2.2.14-1.el5_2.1.src.rpm</span><br /><br />- Change to the /usr/src/redhat/SPECS directory.<br /><br /># <span style="font-weight: bold; font-style: italic;">cd /usr/src/redhat/SPECS/</span><br /><br />- Just prepare the source for compilation by unpacking the source and applying the patches already defined.<br /><br /># <span style="font-weight: bold; font-style: italic;">rpmbuild -bp pam_krb5.spec</span><br /><br />Note: It's highly likely that the above command will fail with errors about missing dependencies required to compile the package. Install the packages named in the output and re-run the above command; it should then complete without errors.<br /><br />- Move to the /usr/src/redhat/BUILD directory. 
We can see the source unpacked in that directory.<br /><br /># <span style="font-weight: bold; font-style: italic;">ls</span><br />pam_krb5-2.2.14-1<br /><br />- Take a backup of the entire unpacked source; it is required to generate the patch.<br /><br /># <span style="font-weight: bold; font-style: italic;">cp -r pam_krb5-2.2.14-1/ pam_krb5-2.2.14-1.orig</span><br /><br />Now the modification that I need to make to the source is to change the warning message given in pam_krb5-2.2.14-1/src/sly.c line no 168 from<br /><br /><span style="font-weight: bold;">warn("won't refresh credentials while running under sudo");</span><br /><br />To<br /><br /><span style="font-weight: bold;">warn("Sir, couldn't refresh credentials while running under sudo");</span><br /><br />- Simply edit the file using your favorite editor, make the above change in pam_krb5-2.2.14-1/src/sly.c and save the file.<br /><br />- Now change to the /usr/src/redhat/BUILD directory using the "cd" command, generate a patch using the diff command and save the patch in /usr/src/redhat/SOURCES. 
Name the file just like other patches for pam_krb5 are named in the SOURCES directory.<br /><br />[root@localhost BUILD]# <span style="font-weight: bold; font-style: italic;">diff -Naur pam_krb5-2.2.14-1.orig/ pam_krb5-2.2.14-1 > ../SOURCES/pam_krb5-2.2.14-warning.patch</span><br /><br />- The content of the pam_krb5-2.2.14-warning.patch would be as below.<br /><br /><span style="font-weight: bold;">diff -Naur pam_krb5-2.2.14-1.orig/src/sly.c pam_krb5-2.2.14-1/src/sly.c</span><br /><span style="font-weight: bold;">--- pam_krb5-2.2.14-1.orig/src/sly.c 2009-02-11 11:07:36.000000000 +0530</span><br /><span style="font-weight: bold;">+++ pam_krb5-2.2.14-1/src/sly.c 2009-02-11 11:11:16.000000000 +0530</span><br /><span style="font-weight: bold;">@@ -165,7 +165,7 @@</span><br /><span style="font-weight: bold;"> /* nothing: everything's okay */</span><br /><span style="font-weight: bold;"> break;</span><br /><span style="font-weight: bold;"> case 1:</span><br /><span style="font-weight: bold;">- warn("won't refresh credentials while running under sudo");</span><br /><span style="font-weight: bold;">+ warn("Sir, Couldn't refresh credentials while running under sudo");</span><br /><span style="font-weight: bold;"> return PAM_SERVICE_ERR;</span><br /><span style="font-weight: bold;"> break;</span><br /><span style="font-weight: bold;"> case 2:</span><br /><br />- Now come back to /usr/src/redhat/SPECS directory and start editing the spec file. My spec file is named pam_krb5.spec. Make the below changes to apply the patch while compiling the rpm.<br /><br />* Increment the Release number. It was as below in my spec file.<br /><br /><span style="font-weight: bold;"> Release: 1%{?dist}.1</span><br /><br />I changed it to<br /><br /><span style="font-weight: bold;"> Release: 1%{?dist}.2</span><br /><br />* Define your patch as the last patch in the "Patchx" section. 
I defined it as below.<br /><br /><span style="font-weight: bold;"> Patch1: pam_krb5-2.2.14-warning.patch</span><br /><br />* In the %prep section, go to the last %patchx line and add your patch after it as the last patch. I added the below line.<br /><br /><span style="font-weight: bold;"> %patch1 -p1 -b .warning</span><br /><br />* In the %changelog section, document this change as the first entry. I made the below change.<br /><br /><span style="font-weight: bold;">* Wed Feb 11 2009 Blah Blah &lt;blah@blah.com&gt; - 2.2.14-1%{?dist}.2</span><br /><span style="font-weight: bold;">- Change the warning message when trying to refresh while running under sudo (bz #xxxx)</span><br /><br />- Now we are all set to rebuild the rpm. The below command can be used to rebuild an rpm from its spec file.<br /><br /># <span style="font-weight: bold; font-style: italic;">rpmbuild -ba pam_krb5.spec</span><br /><br />Watch the build output to confirm that the patch is applied cleanly. I can see the below message, which clearly says that the patch has been applied cleanly.<br /><br /><span style="font-weight: bold;">+ echo 'Patch #1 (pam_krb5-2.2.14-warning.patch):'</span><br /><span style="font-weight: bold;">Patch #1 (pam_krb5-2.2.14-warning.patch):</span><br /><span style="font-weight: bold;">+ patch -p1 -b --suffix .warning -s</span><br /><br />- Once the build is complete, we can see the new rpm in /usr/src/redhat/RPMS/$arch/.<br /><br />Sadique Puthen<br /><br />How to configure kdump with xen in RHEL5? (2009-02-10)<br /><br />Most people get confused when it comes to configuring kdump for dom0.
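As an added check for the spec edits in the pam_krb5 rebuild above (example code, not from the original post): a POSIX shell script that verifies every PatchN: tag has a matching %patchN line in %prep, that no %patchN is applied without a tag, and that the newest %changelog entry carries the bumped Version-Release. The sample spec it runs against is constructed and only models the edits shown above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on a spec file before
# "rpmbuild -ba", covering the three edits above (PatchN: tag, %patchN line, %changelog).
# A declared-but-unapplied patch builds without any error, so the fix silently goes missing.

# check_spec SPECFILE -> 0 if consistent, 1 otherwise (problems are printed to stderr)
check_spec() {
    spec=$1
    rc=0
    # Every PatchN: tag must be applied by a %patchN line in %prep
    for n in $(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$spec"); do
        grep -Eq "^%patch$n([[:space:]]|$)" "$spec" ||
            { echo "Patch$n is declared but never applied in %prep" >&2; rc=1; }
    done
    # Every %patchN must have a PatchN: tag (rpmbuild itself rejects this one)
    for n in $(sed -n 's/^%patch\([0-9][0-9]*\).*/\1/p' "$spec"); do
        grep -q "^Patch$n:" "$spec" ||
            { echo "%patch$n is applied but Patch$n: is not declared" >&2; rc=1; }
    done
    # The newest %changelog entry must carry the bumped Version-Release
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$spec")
    release=$(sed -n 's/^Release:[[:space:]]*//p' "$spec")
    latest=$(awk '/^%changelog/ { f = 1; next } f && /^\*/ { print; exit }' "$spec")
    case "$latest" in
        *" - $version-$release") ;;
        *) echo "first %changelog entry does not end with $version-$release" >&2; rc=1 ;;
    esac
    return $rc
}

# write_sample_spec FILE MODE: constructed minimal spec modelled on the pam_krb5 edits
# above (not the real pam_krb5 spec); MODE "bad" drops the %patch1 line so the check fails.
write_sample_spec() {
    cat > "$1" <<'EOF'
Name: pam_krb5
Version: 2.2.14
Release: 1%{?dist}.2
Source0: pam_krb5-2.2.14-1.tar.bz2
Patch0: pam_krb5-2.2.14-existing.patch
Patch1: pam_krb5-2.2.14-warning.patch

%prep
%setup -q -n pam_krb5-2.2.14-1
%patch0 -p1 -b .existing
%patch1 -p1 -b .warning

%changelog
* Wed Feb 11 2009 Blah Blah <blah@blah.com> - 2.2.14-1%{?dist}.2
- Change the warning message when trying to refresh while running under sudo (bz #xxxx)
EOF
    if [ "$2" = bad ]; then
        grep -v '^%patch1 ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}
```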
Since there are two entries in grub.conf, one representing the hypervisor and the other representing the dom0 kernel, the confusion is about where one should pass the "<span style="font-weight: bold;">crashkernel</span>" parameter. I have seen people who, rather than doing a bit of trial and error, pass the "<span style="font-weight: bold;">crashkernel</span>" parameter to both the hypervisor and the kernel. If you are too lazy to do the trial and error, this blog may help you.<br /><br />The crashkernel parameter needs to be passed to the hypervisor.<br /><br />E.g. (taken from my test system):<br /><br /><span style="font-weight: bold;">title Red Hat Enterprise Linux Server (2.6.18-92.1.18.el5xen)</span><br /><span style="font-weight: bold;"> root (hd0,0)</span><br /><span style="font-weight: bold;"> kernel /xen.gz-2.6.18-92.1.18.el5 crashkernel=128M@16M</span><br /><span style="font-weight: bold;"> module /vmlinuz-2.6.18-92.1.18.el5xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet</span><br /><span style="font-weight: bold;"> module /initrd-2.6.18-92.1.18.el5xen.img</span><br /><br />- Configure /etc/kdump.conf appropriately. The file is self-descriptive.<br /><br />- Run "<span style="font-weight: bold;">service kdump propagate</span>"<br /><br />- Run "<span style="font-weight: bold;">service kdump start</span>"<br /><br />Sadique Puthen<br /><br />Is it possible to resize the storage for a xen guest in RHEL5, and if yes, how? (2008-11-20)<br /><br />This is a million dollar question. The answer can be "yes" or "no" and depends heavily on the configuration of the guest backend and how it has been partitioned inside the guest.
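For the kdump post above, an added check (example code, not from the original post) that reads a RHEL5 xen grub.conf and reports stanzas where crashkernel= is missing from the hypervisor line or has been put on the dom0 kernel line instead; the sample grub.conf is constructed from the stanza shown above.

```shell
#!/bin/sh
# Added example (not from the original post): check a RHEL5 xen grub.conf for the
# mistake discussed above. For kdump on a xen dom0 the crashkernel= parameter belongs
# on the hypervisor line ("kernel /xen.gz-..."), not on the dom0 kernel line
# ("module /vmlinuz-...xen").

# xen_crashkernel_ok GRUBCONF -> 0 if every xen stanza carries crashkernel= on its
# hypervisor line and not on its dom0 kernel line; 1 with a message on stderr otherwise
xen_crashkernel_ok() {
    awk '
        /^title/ { title = $0; sub(/^title[ \t]*/, "", title) }
        /^[ \t]*kernel[ \t]+\/xen/ && $0 !~ /crashkernel=/ {
            print title ": hypervisor line has no crashkernel= parameter" > "/dev/stderr"; bad = 1
        }
        /^[ \t]*module[ \t]+\/vmlinuz/ && /crashkernel=/ {
            print title ": crashkernel= is on the dom0 kernel line, move it to the hypervisor line" > "/dev/stderr"; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# write_sample_grub FILE MODE: constructed grub.conf with the stanza shown above;
# MODE "wrong" moves crashkernel= from the hypervisor line to the dom0 kernel line.
write_sample_grub() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux Server (2.6.18-92.1.18.el5xen)
    root (hd0,0)
    kernel /xen.gz-2.6.18-92.1.18.el5 crashkernel=128M@16M
    module /vmlinuz-2.6.18-92.1.18.el5xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet
    module /initrd-2.6.18-92.1.18.el5xen.img
EOF
    if [ "$2" = wrong ]; then
        sed -e 's/ crashkernel=128M@16M//' \
            -e 's/\(vmlinuz[^ ]*\)/\1 crashkernel=128M@16M/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}
```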
Most people want to resize without rebooting the guest, but most of them make the wrong choice when configuring the guest backend initially and end up having to reboot the guest or being unable to resize partitions inside the guest.<br /><br />A lot of things need to be taken into consideration to decide how to resize the guest storage. Before proceeding to how to resize, it's good to explain the different types of backends that can be used for a guest.<br /><br />1 - Block device. A block device in Dom0 can be used as a backend for the guest. It can be a raw partition, an LVM device, a raid device, etc. It can even be an unpartitioned disk as a whole (like "sda", which is not recommended).<br /><br />2 - File based storage. A file built with a specific size using zeros in Dom0 can be used as the backend of the guest. File based storage can be either of the below two types.<br /><br />2.1 - Sparse file. When using a sparse file, disk blocks are not pre-allocated while creating the file, but are allocated only when data is written to the disk from the guest. This is not recommended for production use due to performance issues.<br /><br />2.2 - Fully allocated file. All blocks are allocated while creating the file based image. This gives better performance and is recommended for production use if using block devices is not an option.<br /><br />I will explore the different types of storage configurations and how resizing can be done in those scenarios. I prefer to abstain from explaining the nasty methods of resizing partitions using "parted" or "fdisk" inside the guest. So I prefer to say that if LVM is not used inside the guest, resizing a partition is not possible; only new partitions can be created after extending the backend.
If anyone prefers resizing using parted or fdisk, it's up to them.<br /><br />Different Scenarios and How to resize.<br />----------------------------------------------<br /><br />1 - LVM is used in both Host and Guest. The backend for the guest is an LVM device in Dom0 and this has been repartitioned in the guest using LVM. There are two ways to resize it.<br /><br />1.1 - Create a new LV in Dom0 and attach it to the guest as a second disk. Repartition the second disk in the guest, extend the Volume Group using the new disk, then extend the LV using the additional free space in the VG. This method does not require a reboot of the guest and is preferred for most xen users.<br /><br />1.2 - Extend the LV device which is already attached to the guest in Dom0. After the LV is extended in Dom0, the guest should be rebooted to see the new size. There is currently no way to let the guest know that the size of the backend has changed without a reboot. Once the guest is rebooted, it would show the new size as free. Create a new partition using the free space, make it a PV, extend the Volume Group using that PV, then extend the LV using the free space in the VG. Most people don't like this method since it requires a guest reboot, but most people resize the LVM in Dom0 expecting that the guest would recognize the new space without a reboot, end up rebooting the guest and keep blasting the company that delivers the product.<br /><br />2 - Raw partition - e.g., sda1 - is used in the Host as the backend of the guest and LVM is used inside the guest.<br /><br />2.1 - Attach a new partition to the guest - e.g., sdb1 - as a second disk. Repartition the second disk in the guest, extend the Volume Group using the new disk, then extend the LV using the additional free space in the VG. This method does not require a reboot of the guest and is preferred.<br /><br />2.2 - The other method may be to extend the raw partition in the host using parted or fdisk.
Reboot the guest to see the new size and extend LVM inside the guest. This is not preferred and may be dangerous.<br /><br />3 - Fully allocated file based images are used as the guest backend.<br /><br />3.1 - Create a new fully allocated file based image in Dom0 and attach it to the guest as a second disk (see 3.2 for details on how to create it). Repartition the second disk in the guest, extend the Volume Group using the new disk, then extend the LV using the additional free space in the VG. This method does not require a reboot of the guest and is preferred.<br /><br />3.2 - Extend the fully allocated file image in Dom0 which is already attached to the guest. It's recommended to shut down the guest while doing this.<br /><br />A fully allocated 5 GB /vm/images/guest.img disk is created using the below command initially while creating the guest.<br /><br /><span style="font-weight: bold;"># dd if=/dev/zero of=/vm/images/guest.img bs=1M count=5120</span><br /><br />To extend it to 10G without losing data, the below command can be executed, which I think is the safest method.<br /><br /><span style="font-weight: bold;"># dd if=/dev/zero bs=1M count=5120 >> /vm/images/guest.img</span><br /><br />OR<br /><br /><span style="font-weight: bold;"># dd if=/dev/zero of=/vm/images/guest.img bs=1M count=5120 oflag=append conv=notrunc</span><br /><br />Note that conv=notrunc is required together with oflag=append: without it, dd truncates the image to zero length before appending, and the guest's data is gone.<br /><br />Then create new partitions inside the guest and extend the LVs which already exist or use the new partitions individually.<br /><br />4 - Sparse file based images are used as the guest backend.<br /><br />4.1 - Create a new sparse file image in Dom0 and attach it to the guest as a second disk (see 4.2 for more details on how to create it). Repartition the second disk in the guest, extend the Volume Group using the new disk, then extend the LV using the additional free space in the VG.
This method does not require a reboot of the guest and is preferred.<br /><br />4.2 - Extend the sparse file image in Dom0 which is already attached to the guest. It's recommended to shut down the guest while doing this.<br /><br />A sparse file image with 5 GB of size - e.g., /vm/images/guest.img - is created using the below command initially while creating the guest.<br /><br /><span style="font-weight: bold;"># dd if=/dev/zero of=/vm/images/guest.img bs=1M count=0 seek=5120 conv=notrunc</span><br /><br />To extend it to 10G without losing data, the below command can be executed, which I think is the safest method.<br /><br /><span style="font-weight: bold;"># dd if=/dev/zero of=/vm/images/guest.img bs=1M count=0 seek=10240 conv=notrunc</span><br /><br />Then create new partitions inside the guest and either extend the LVs which already exist, use the new partitions individually, or create new VGs and LVs.<br /><br />Note: Sparse files are not recommended for production systems due to performance reasons. Always use fully allocated file based images.<br /><br />- In all x.1 above, it's ok to use any of the possible options. E.g., in 4.1, a new LV in Dom0 can be created and attached to the guest, a new raw partition can be created and attached to the guest, or a new fully allocated file based image can be attached to the guest to extend the volumes inside it. This is applicable for all x.1 explained above. I used only one option for my convenience.<br /><br />- The task "attach it to the guest as a second disk" can be achieved by following either of the below two methods. This is applicable only for x.1 above, not x.2.<br /><br />1 -<span style="font-weight: bold;"> virt-manager -> Open -> View -> Details -> Hardware -> Add -> Storage Device -> Simple File/Normal Partition -> Device Type - Virtual Disk.</span> This is the hassle-free method.<br /><br />2 - Edit the guest configuration file and add the second disk details to it.
See examples in the sample configuration file. A disk can also be attached live with the xm command as below.<br /><br /><span style="font-weight: bold;"># xm block-attach </span>&lt;domain&gt; &lt;backdev&gt; &lt;frontdev&gt; &lt;mode&gt;<br /><br />E.g., to attach a new LVM block device as xvdb to the guest named "guest1" read-write, the below command needs to be used.<br /><br /><span style="font-weight: bold;"># xm block-attach guest1 phy:/dev/VolGroup00/LV1 /dev/xvdb w</span><br /><br />or<br /><br /><span style="font-weight: bold;"># virsh attach-disk guest1 --driver phy /dev/VolGroup00/LV1 xvdb</span><br /><br />To attach a new file based image as xvdb to the guest named guest1 read-write, the below command can be used.<br /><br /><span style="font-weight: bold;"># xm block-attach guest1 tap:aio:/vm/images/image1.img /dev/xvdb w</span><br /><br />Or<br /><br /><span style="font-weight: bold;"># virsh attach-disk guest1 --driver tap --subdriver aio /vm/images/image1.img xvdb</span><br /><br />- Resizing of guest LVs can be achieved without a reboot if x.1 is followed, but a reboot of the guest is necessary if x.2 is followed for the guest to see the new disk size.<br /><br />- Attaching disks online may not work as expected for fully virtualized guests which don't have PV drivers installed.<br /><br />Sadique Puthen<br /><br />How to migrate guests using virsh commands? (2008-11-17)<br /><br />Usually "xm migrate <domain name=""> <destination host=""> -l" is used to migrate a guest from one system to another. There is no option in virt-manager to migrate a guest from one host to another. The libvirt-based virsh command can be used to do this. The syntax of "virsh migrate" is a bit confusing to a lot of beginners.
Details given below would help in clearing up those confusions.<br /><br />- There are two systems - HostA and HostB. HostA is the source machine and HostB is the destination machine.<br /><br />1 - If you are currently logged into HostA as root, the below command can be used to migrate a guest to HostB.<br /><br /><span style="font-weight: bold;"># virsh migrate --live &lt;guest name&gt; xen+ssh://HostB</span><br /><br />Replace HostB with its IP or FQDN. You would be asked for the root password of HostB. Upon entering the right password for HostB, the migration would happen successfully.<br /><br />2 - If you are currently logged into a third system in the network which has the "virsh" command available, the below command can be used to migrate a guest from HostA to HostB.<br /><br /><span style="font-weight: bold;"># virsh --connect xen+ssh://HostA migrate --live &lt;guest name&gt; xen+ssh://HostB</span><br /><br />Replace HostA and HostB with their IP addresses or FQDNs. You would be asked for the root password of HostA first, then of HostB. Upon entering the right passwords for both hosts, the migration would happen successfully.<br /><br />3 - If you are currently logged into HostB and want to migrate a guest from HostA to HostB, can this be done using virsh? Try it out yourself.<br /><br />A libvirt connection over ssh (xen+ssh) is the method used in the above example. A libvirt remote TLS connection can also be established using certificates. Since that needs a bit more detail to set up, it is apt for another doc.</destination></domain>