Geek Projects – Linux, Apache, MySQL, PHP, DNS A Linux Sysadmin

July 29, 2015

Increase CentOS 7’s MTU

Filed under: Linux — Matt @ 10:09 pm

Ethernet interfaces normally use an MTU of 1500 bytes.

I recently needed to increase the MTU used by the NICs on a point-to-point link to 9000 bytes in order to improve DRBD performance. This is sometimes referred to as enabling jumbo frames.

In the past I’ve used ifconfig to test this change out. For example, to increase the MTU of the eth0 interface from the default of 1500 bytes to 9000 bytes, I would run

ifconfig eth0 mtu 9000

I could then verify that the new MTU had been applied by running:

ifconfig eth0

Unfortunately for me, the two servers that I was working on, like many CentOS 7 systems, did not have the ifconfig command installed.

If you want the ifconfig command, then you can install it by installing the net-tools package:

yum install net-tools

However, I wanted to avoid making any changes other than increasing the MTU, so I used the ip command instead.

The ip command can be used in place of ifconfig for many purposes, including increasing the MTU. For example, to increase the MTU of the eth0 interface from the default of 1500 bytes to 9000 bytes, run:

ip link set mtu 9000 dev eth0

You can then verify that the new MTU has taken effect by running:

ip link show dev eth0

After you’ve applied the new MTU, and verified that all is working as expected, be sure to update the interface’s configuration file, so that this change persists the next time the server is rebooted.

To make the new MTU for the eth0 interface persistent, add an “MTU=” line to the /etc/sysconfig/network-scripts/ifcfg-eth0 file. For example:

MTU=9000
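As an added example (not code from the original post), the following Python helpers make the persistence step idempotent, so that re-running it never leaves two conflicting MTU= lines, and let you compare the live MTU reported by ip link with the MTU= value in the ifcfg file. The ifcfg and ip link contents are constructed samples.

```python
# Added example, not code from the original post: persist an MTU in a
# RHEL/CentOS ifcfg file idempotently and read the live MTU back out of
# `ip link show` output, so the two can be compared before and after a reboot.
import re
from typing import Optional

IP_LINK_MTU = re.compile(r"\bmtu (\d+)\b")

def set_ifcfg_mtu(ifcfg_text: str, mtu: int) -> str:
    """Return ifcfg_text with exactly one MTU= line, set to mtu.

    An existing MTU= line is replaced in place and duplicates are dropped;
    if none exists one is appended, so re-running never leaves conflicting lines.
    """
    if not 68 <= mtu <= 65535:  # IPv4 minimum link MTU / Linux maximum
        raise ValueError(f"MTU {mtu} outside 68..65535")
    out, replaced = [], False
    for line in ifcfg_text.splitlines():
        if line.startswith("MTU="):
            if not replaced:
                out.append(f"MTU={mtu}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"MTU={mtu}")
    return "\n".join(out) + "\n"

def mtu_persisted(ifcfg_text: str) -> Optional[int]:
    """MTU= value configured in the ifcfg text, or None if the default applies."""
    for line in ifcfg_text.splitlines():
        if line.startswith("MTU="):
            return int(line.split("=", 1)[1].strip())
    return None

def mtu_from_ip_link(output: str) -> Optional[int]:
    """Live MTU parsed from `ip link show dev X` output, or None if absent."""
    m = IP_LINK_MTU.search(output)
    return int(m.group(1)) if m else None

# Constructed sample inputs (not captured from a real host).
SAMPLE_IFCFG = "DEVICE=eth0\nBOOTPROTO=none\nONBOOT=yes\n"
SAMPLE_IP_LINK = (
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast "
    "state UP mode DEFAULT qlen 1000\n"
    "    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff\n"
)

if __name__ == "__main__":
    cfg = set_ifcfg_mtu(SAMPLE_IFCFG, 9000)
    print(cfg)
    print("live:", mtu_from_ip_link(SAMPLE_IP_LINK), "persisted:", mtu_persisted(cfg))
```

On a real host, feed the output of `ip link show dev eth0` to mtu_from_ip_link and the contents of ifcfg-eth0 to mtu_persisted; a mismatch means the running value will not survive a reboot.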

July 22, 2015

How to configure a BIND DNS Cache in CentOS 7

Filed under: DNS,Linux — Matt @ 9:33 pm

Introduction

I recently configured a CentOS 7 server to run BIND as a DNS caching server. This post documents the process.

Although I used CentOS 7, these instructions should be equally applicable to CentOS 5 through 7, and Red Hat Enterprise Linux 5 through 7.

If you already know why and where you want to configure a DNS caching server, feel free to skip ahead to this page’s “DNS Cache Setup” section. Otherwise, read on.

A DNS cache is normally set up to accomplish one or more of the following:

  • Improve performance. This can be especially true for mail servers, which make a large number of DNS queries.
  • Bypass a flaky DNS resolver.

The DNS caching server configuration that’s described on this page is applicable to both situations.

It’s important to restrict which clients can query your DNS caching server, so that you don’t create an open resolver. This document includes instructions for doing so using BIND’s “allow-recursion” directive.

Performance Considerations

All other things being equal, I recommend placing your DNS caching server as close as possible to the clients which will query it.

If the DNS cache will be used by a single client, it could make sense to run the DNS cache on that client. For example, you could install a DNS cache on your mail server. By running the cache on the same system as the querying application, you bypass the network latency that there would normally be between the DNS cache and the client.

If the clients are primarily in a single data center or geographic area, try to place the DNS cache within that same datacenter or area. Network latency is the main factor here.

DNS caching servers do not have much overhead, so if you do set up a dedicated cache, you probably won’t need much in the way of hardware. For example, I opted to use a dedicated VM, so I selected a VM with 512MB of RAM and a single CPU core at Digital Ocean. That doesn’t sound like much, but it’s usually plenty for a dedicated DNS cache.

If you want this caching server to be able to query IPv6 name servers, or be queried by IPv6 clients, then it pays to have it located on a network with native IPv6 support. A tunnel broker will work in a pinch, but the extra network latency that it introduces comes with a performance cost.

DNS Cache Setup

Now we’re ready to set up our DNS cache. The BIND configuration file that we end up with is included in the “BIND Configuration File” section:

  1. Install BIND:

    yum -y install bind

  2. Update BIND’s configuration file (/etc/named.conf) using your text editor of choice:
    • Allow the desired clients using the “allow-recursion” directive within the global options clause. For example, I’m allowing the localhost (127.0.0.1) and one of DNS Check’s servers (represented as 1.2.3.4) to query this name server:

      allow-recursion { 127.0.0.1; 1.2.3.4; };

    • BIND’s default CentOS 7 configuration listens for queries on the localhost interface only, for both IPv4 and IPv6. If you allowed any other IP addresses to query your DNS cache in the previous step, then you’ll probably also want to listen for queries on at least one additional interface by updating the “listen-on” directive for IPv4 and/or the “listen-on-v6” directive for IPv6. For example, to listen on all IPv4 and IPv6 interfaces, add the following within the global options clause:

      listen-on {any;};
      listen-on-v6 {any;};

    • Optionally, adjust how long entries are cached. For example, if you wish to cache positive answers (successful lookups) for 15 minutes (900 seconds), and negative answers (failed lookups) for 1 minute (60 seconds), then you would add the following within the global options clause:

      max-cache-ttl 900;
      max-ncache-ttl 60;
  3. Start BIND’s “named” service, and configure it to automatically start at boot time:

    chkconfig named on
    service named restart

  4. Make the operating system that you just configured the DNS cache on query its own cache:

    echo "nameserver 127.0.0.1" > /etc/resolv.conf

  5. Add the new DNS cache’s IP address to /etc/resolv.conf on any other servers that you would like to query it. For example if the DNS cache’s IP address is 1.2.3.4, run:

    echo "nameserver 1.2.3.4" >> /etc/resolv.conf

  6. Run a test query from a client to verify that the DNS cache is working end-to-end:

    dig mx gmail.com

BIND Configuration File

Here are the final contents of BIND’s configuration file (/etc/named.conf). If you copy this configuration, then at a minimum, you’ll want to either remove 1.2.3.4, or replace it with the IP address(es) that you want to be able to query the DNS caching server:


// named.conf

options {
    listen-on {any;};
    listen-on-v6 {any;};
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // allow-query is checked before allow-recursion, so every client that is
    // permitted to recurse must be listed here as well or it will be REFUSED.
    allow-query { localhost; 1.2.3.4; };
    allow-recursion { 127.0.0.1; 1.2.3.4; };
    max-cache-ttl 900;
    max-ncache-ttl 60;

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
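As an added example that is not part of the original post or of BIND itself, here is a small Python checker for the two access-control mistakes that matter for this configuration: recursion open to any client (an open resolver), and a client that is listed in allow-recursion but not in allow-query (BIND checks allow-query first, so such a client is refused). It understands only the simple ACL forms used on this page, and the named.conf it parses is a constructed sample.

```python
# Added example, not part of the original post or of BIND: a small linter for a
# named.conf options block that flags the open-resolver mistakes this post warns
# about. Only the simple ACL forms used on this page are understood (any, none,
# localhost, literal addresses); CIDR containment is not evaluated.
import re

def strip_comments(text: str) -> str:
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def options_body(text: str) -> str:
    """Return the brace-matched body of the first `options { ... };` clause."""
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]

def parse_options(text: str) -> dict[str, set[str]]:
    body = options_body(strip_comments(text))
    found: dict[str, set[str]] = {}
    for name in ("allow-query", "allow-recursion"):
        m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", body)
        if m:
            found[name] = {t.strip() for t in m.group(1).split(";") if t.strip()}
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    found["recursion"] = {m.group(1) if m else "yes"}  # BIND defaults to yes
    return found

def covers(acl: set[str], client: str) -> bool:
    """Does this ACL admit the client? Simple forms only, no CIDR math."""
    if "none" in acl:
        return False
    return "any" in acl or client in acl or (
        client in ("127.0.0.1", "::1") and "localhost" in acl)

def lint(text: str) -> list[str]:
    o = parse_options(text)
    issues: list[str] = []
    # Unset allow-recursion: BIND falls back to allow-query, else localhost/localnets.
    rec_acl = o.get("allow-recursion") or o.get("allow-query") or {"localhost"}
    if "yes" in o["recursion"] and "any" in rec_acl:
        issues.append("open resolver: recursion is permitted for any client")
    # allow-query is checked first, so a client listed only in allow-recursion is REFUSED.
    for client in sorted(o.get("allow-recursion", set()) - {"any", "none"}):
        if not covers(o.get("allow-query", {"any"}), client):
            issues.append(f"{client} is in allow-recursion but not allow-query")
    return issues

# Constructed sample (not a real host's config) showing exactly that mismatch.
SAMPLE_CONF = """options {
    allow-query { localhost; };
    allow-recursion { 127.0.0.1; 1.2.3.4; };
    recursion yes;  // caching server
};"""
```

Run lint() over the text of /etc/named.conf; an empty list means neither mistake was found, and the positive test from a remote client remains `dig` returning an answer rather than REFUSED.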

April 9, 2010

Reset the GroundWork Monitor 6.0 Password

Filed under: Linux,Systems Administration — Matt @ 8:38 pm

The GroundWork Monitor is a simple way to deploy Nagios monitoring to networks. It does a great job of monitoring Linux servers, and anything that speaks SNMP.

I recently needed to make some updates to a GroundWork Community Edition VM, and found myself in a situation where the admin user’s dashboard (web browser interface) password had been changed to an unknown value. I was able to SSH into the GroundWork VM though (it’s CentOS Linux based). There’s info floating around the net on how to reset the admin password, but it was written for older versions of GroundWork, so some of the default password and MySQL schema details have changed.

Here’s what I did to reset the admin user’s password on GroundWork Monitor 6.0 Community Edition:

  • SSH into the GroundWork VM. If you haven’t changed the root user’s default password, then it’s going to be “opensource”.
  • Log in to MySQL, and run a query to reset the “admin” user’s password to “admin”. The password value entered below is stored as a hash:
    /usr/local/groundwork/mysql/bin/mysql -u root monarch
    update users set password='21232f297a57a5a743894a0e4a801fc3' where user_name='admin';

January 23, 2010

Updating a Soekris net4511’s BIOS

Filed under: Linux — Matt @ 12:55 pm

I performed BIOS updates on a stack of Soekris net4511s and net4521s today. Here’s a quick-and-dirty howto for anyone who wants to do the same thing from a Linux host running minicom. Note that these instructions should work on any net45xx series Soekris board, including the net4501.

  1. Download the BIOS update from Soekris’ Downloads Page. As of the time of this writing, if you’re using anything prior to version 1.20 (my Soekris boards were all running 1.15), you’ll want to start with the update to 1.26a, then consider whether you want to upgrade to the latest BIOS from there. Soekris publishes a changelog of their BIOS updates to their website.
  2. Connect your serial port to the Soekris net45xx using a null-modem cable, and use minicom, or your terminal emulator of choice, to establish a connection. Connection settings should be 9600,8,N,1 with hardware and software flow control both turned off.
  3. If your Soekris net45xx’s serial console isn’t already configured to run at 9600bps, press Ctrl-P to enter the Monitor, set the console speed to 9600bps, and reboot:
    > set ConSpeed=9600
    > reboot
  4. Start up your Soekris box, and press Ctrl-P when prompted to enter the Monitor. This should bring you to a “>” prompt.
  5. Enter the “download” command, and press Enter:
    > download
  6. In another terminal, run the following command to initiate an xmodem transfer of the updated Soekris BIOS. Substitute in the name of your BIOS file:
    # sx -X b4501x_126a.bin > /dev/ttyS0 < /dev/ttyS0
  7. Switch back to your minicom terminal. You should see a “File downloaded succesfully” message. If so, run the following commands to apply the update, and reboot:
    > flashupdate
    > reboot

That’s it! Your Soekris net4501, net4511 or net4521 should now have an updated BIOS.

October 26, 2009

Directadmin and “Error Parsing Cron File”

Filed under: Linux — Matt @ 2:22 pm

I migrated my web hosting servers from cPanel to Directadmin earlier this year. The transition was smooth for the most part, but one problem was that users who had blank crontabs under cPanel had corrupted crontabs post-migration. They could ssh in and issue crontab -e, but any attempt to manipulate the crontab via Directadmin’s web interface resulted in the following error:

Error Parsing Cron File

The fix for this problem is to clear out all the lines in /usr/local/directadmin/data/users/username/crontab.conf.

August 12, 2009

Logging into a VMware Server stuck on the “Loading…” Page

Filed under: Linux,Virtualization — Matt @ 8:45 pm

VMware Server is a handy app to run in places where server virtualization is needed, but you can’t justify the expense or effort required to set up a VMware ESXi or Xen host. One of the recurring problems that I run into, even on lightly loaded servers, is that when trying to log into the VMware Infrastructure Web Access interface, the browser gets stuck at “Loading…” and never brings up the login form. I’ve observed this on Firefox in Linux, Mac OS X and Windows, as well as within Internet Explorer.

It turns out that the fix for this doesn’t involve the browser at all, but rather a VMware Server setting. Some Googling turned up this thread in VMware Communities, which spells out the following fix:

  1. Edit /etc/vmware/webAccess/proxy.properties
  2. Change the following line:

    proxy.noCache = false

    to:

    proxy.noCache = true

  3. Restart the vmware-mgmt service:

    /etc/init.d/vmware-mgmt restart

That’s it! You may need to refresh your browser one more time after this, but after completing these steps, you should now be prompted to log in to VMware Infrastructure Web Access.

July 31, 2009

Joining the ACM – A Linux Sysadmin’s Perspective

Filed under: Linux,Systems Administration — Matt @ 9:07 pm

The ACM, or the Association for Computing Machinery, describes itself as “the world’s largest educational and scientific computing society”. Until recently, I assumed that since I was out of academia, and focused more on things that sysadmins do, like developing and implementing real-world solutions, than on the stuff of research papers, the ACM didn’t have much to offer me.

A contributor to this bias was the fact that I joined the ACM a few years ago while I was in college. I was working with a couple of professors on a project that involved using Linux virtualization to teach networking concepts. Anyway, the reason I joined the ACM was that I was asked to give a presentation at an academic computing conference. As I recall, the two requirements for being a presenter were having a .edu email address (check), and ACM membership. I quickly signed up, and failed to investigate what benefits ACM membership would bring.

Fast forward to today. I spend a lot of time reading to keep up on current technologies, and while I am able to do most of this online, I still spend a lot of money each year buying books. A significant portion of these are published by O’Reilly, which writes a lot of excellent Linux, Unix, and development books. Cisco Press’ books make up another significant portion of my collection. Most of the networking products that I work with run either Linux or one of the BSDs, but I have yet to find a publisher that consistently covers such a wide range of networking topics as well as Cisco Press does.

Many of these O’Reilly and Cisco Press books are available online through Safari. I was once a subscriber, and was happy with their service overall, but at $23/month, membership dues added up. This is where ACM membership comes in. For $99/year, they offer a number of benefits, including the one that I was most interested in – access to a large portion (600) of Safari’s collection of books. Restarting my ACM membership seemed like a no-brainer, given that I was about to spend $60 on one of the Cisco Press titles included in the collection.

I just joined, and taking a look at what else the ACM offers members, I like what I see:

  • Access to 500 of Books24x7’s books. Looking over the list, I can see that this would be especially useful to those who are more involved in the Microsoft and/or management side of things than I am. 🙂 Actually, there are a few Sybex books on that list that look interesting. I’ve been meaning to brush up on my Java and Oracle, and also see a number of books covering those topics. The Linux books on the list include:
    • Ubuntu Linux Bible
    • Professional Linux 10 Programming
    • Setting up LAMP; Getting Linux, Apache, MySQL, and PHP Working Together
    • Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
  • All 184 issues of the Linux Journal. If you’re not familiar with this magazine, it’s an excellent resource covering all things Linux.
  • Element K courses and simulators. I haven’t used these before, but see a course listed for Cisco’s BCMSN exam, which I’m scheduled to take in a few weeks. I’ll check it out.

I feel like I’ve just scratched the surface. Even if I don’t find anything else in the membership benefits worth using, $99/year for access to this collection of information is a bargain for a sysadmin who’s serious about learning.

April 3, 2009

Installing Linux using a serial console

Filed under: Linux — Matt @ 3:22 am

Just a quick note on the command to use to start a RHEL / CentOS 5.x install from the serial console. This can come in handy if you’re using a modem and serial port for out-of-band management, and the need to conduct a remote reinstall arises. These settings start a console on ttyS0 (serial port 1) with the standard 9600/8-N-1 settings.

linux console=ttyS0,9600n8

March 24, 2009

vsftpd's “500 OOPS: cannot change directory” error

Filed under: Linux — Matt @ 2:00 pm

I recently installed a vsftpd FTP server on a CentOS Linux 5.2 box. After changing the FTP user’s home directory, I received the following error message every time I attempted to login as ftp:

500 OOPS: cannot change directory
500 OOPS: child died

Permissions were set up correctly on the ftp user’s home directory, so I did some digging around, and discovered that there’s an SELinux boolean that causes this problem. I didn’t want to turn SELinux off, so the solution was to run the following command, which enables access to the ftp user’s home directory and persists it across reboots (-P):

setsebool -P ftp_home_dir 1

March 19, 2009

Resuming failed Firefox downloads

Filed under: Linux — Matt @ 9:45 am

Firefox’s download manager doesn’t have a built-in mechanism for resuming failed downloads. My Internet connection was cut off just long enough this morning for a Firefox download of an ISO image to fail. To resume the download, I used the wget command, which is built into most Linux distributions, and installable if you’re running OS X or Windows. If you’re running Windows you can download wget from GnuWin32. If you’re running OS X, you can install wget with DarwinPorts.

To resume the failed Firefox download, open up a terminal, change to the directory that the partial download is located in, and issue the wget command with the -c option. The -c option tells wget to continue the failed download from where it left off. For example:

cd Downloads
wget -c http://download.mozilla.org/failed-download
