Wednesday, March 7, 2012

How to set up multiple gateways for multiple Ethernet interfaces?

■ Purpose : Set up multiple gateways in Linux
■ OS Environment : Linux [RHEL 5, 6]
■ Application : iproute package (the ip command)
■ Assumption : eth0 has gateway 10.1XX.69.1 and eth3's gateway is 10.1XX.66.1.
■ Implementation Steps :

Concept : Define a separate routing table per interface, each with its own default gateway, and select the table by the packet's source address.

1. Register the two tables in the routing table name list (run once; every run appends a line):

echo "1 ISP1" >> /etc/iproute2/rt_tables
echo "2 ISP2" >> /etc/iproute2/rt_tables

2. Set up the default route and the selection rule for the ISP1 table:

$ ip route add default via 10.1XX.69.1 dev eth0 table ISP1
$ ip rule add from 10.1XX.69.0/24 table ISP1


For the ISP2 table:

$ ip route add default via 10.1XX.66.1 dev eth3 table ISP2
$ ip rule add from 10.1XX.66.0/24 table ISP2

3. Make the above rules persistent:

Put the entries below in /etc/rc.local so they are re-applied after every boot (the rt_tables entries from step 1 are a file edit and persist on their own):

ip route add default via 10.1XX.69.1 dev eth0 table ISP1
ip rule add from 10.1XX.69.0/24 table ISP1
ip route add default via 10.1XX.66.1 dev eth3 table ISP2
ip rule add from 10.1XX.66.0/24 table ISP2

Note : Replace the IP addresses in the above commands with your own. The rules only match packets whose source address lies in the given subnet, so the main table still needs a default route for everything else; check the result with "ip rule show" and "ip route show table ISP1".
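A scripted version of steps 1 to 3, added here as an example and not part of the original post. It assumes the /24-per-interface address plan above and iproute2's /etc/iproute2/rt_tables (overridable through RT_TABLES); it only prints the ip commands unless DRY_RUN=0, and the interfaces and addresses in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent policy-routing setup
# for several interfaces, each with its own gateway and routing table.
# Assumptions: iproute2 is installed, /etc/iproute2/rt_tables holds the
# table names, and each interface owns one /24 as in the post.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the ip commands, 0 = execute them

# ip_to_int 10.1.69.1 -> 167855361 (dotted quad as a 32-bit integer)
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_24 A B -> true when both addresses share their first 24 bits
same_24() {
    [ $(( ($(ip_to_int "$1") ^ $(ip_to_int "$2")) >> 8 )) -eq 0 ]
}

# add_rt_table ID NAME: append "ID NAME" to rt_tables once. Re-running at
# boot must not duplicate the line, and a clash with an existing id or name
# is an error rather than a silent second entry.
add_rt_table() {
    if grep -Eq "^[[:space:]]*$1[[:space:]]+$2[[:space:]]*$" "$RT_TABLES" 2>/dev/null; then
        echo "table $1 $2 already present"
    elif grep -Eq "^[[:space:]]*($1[[:space:]]|[0-9]+[[:space:]]+$2[[:space:]]*$)" "$RT_TABLES" 2>/dev/null; then
        echo "conflict: id $1 or name $2 already used in $RT_TABLES" >&2
        return 1
    else
        printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
        echo "added table $1 $2"
    fi
}

# run_ip ARGS...: show the ip command, and run it unless in dry-run mode
run_ip() {
    echo "ip $*"
    [ "$DRY_RUN" = 1 ] || ip "$@"
}

# setup_gateway IFACE GATEWAY SUBNET/24 TABLE_ID TABLE_NAME
# Checks that the gateway lies inside the interface's subnet, registers the
# table and installs its default route plus the source-address rule.
setup_gateway() {
    case $3 in */24) ;; *) echo "only /24 subnets are handled here: $3" >&2; return 1 ;; esac
    if ! same_24 "$2" "${3%/24}"; then
        echo "gateway $2 is not inside $3 on $1" >&2
        return 1
    fi
    add_rt_table "$4" "$5" || return 1
    run_ip route add default via "$2" dev "$1" table "$5"
    run_ip rule add from "$3" table "$5"
}

# Demonstration on a scratch copy of rt_tables so the real file is untouched;
# interfaces and addresses are constructed placeholders.
RT_TABLES=$(mktemp)
setup_gateway eth0 10.1.69.1 10.1.69.0/24 1 ISP1
setup_gateway eth3 10.1.66.1 10.1.66.0/24 2 ISP2
rm -f "$RT_TABLES"
```

Run it with DRY_RUN=0 as root to apply; because add_rt_table refuses duplicate ids and names and setup_gateway rejects a gateway outside its subnet, the same script can be called from rc.local at every boot without accumulating stale entries.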

Wednesday, February 29, 2012

How to create a bridge on top of bonding in Linux?

■ Purpose : Create a bridge on top of a bond
■ OS Environment : Linux [RHEL, CentOS]
■ Application : bonding
■ Practical Usage : Used in KVM environments
■ Implementation Steps :

1. Create the network script /etc/sysconfig/network-scripts/ifcfg-eth0 with the following entries:

DEVICE=eth0
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no

2. Create the second slave's script /etc/sysconfig/network-scripts/ifcfg-eth1 with the following entries:

DEVICE=eth1
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no

3. Create the bonding script /etc/sysconfig/network-scripts/ifcfg-bond0 with the following lines (the bond carries no IP address itself; BRIDGE=br0 enslaves it to the bridge):

DEVICE=bond0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
IPV6INIT=no
BONDING_OPTS="mode=1 miimon=100 updelay=200 downdelay=200 primary=eth0"
BRIDGE=br0

4. Create the bridge script /etc/sysconfig/network-scripts/ifcfg-br0 with the entries below, using your real address, netmask and gateway (the bridge is the interface that owns the IP address):

DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=10.XXX.XXX.X7
NETMASK=255.255.255.XXX
GATEWAY=10.XXX.XXX.XXX
ONBOOT=yes
DELAY=0
IPV6INIT=no

5. Add an alias for the bonding module. On RHEL 5 it goes in /etc/modprobe.conf; on RHEL 6 put it in a file under /etc/modprobe.d/ instead (e.g. /etc/modprobe.d/bonding.conf):

# vi /etc/modprobe.conf

alias bond0 bonding

6. Restart the network service, then verify the bond with "cat /proc/net/bonding/bond0" and the bridge with "brctl show":

# service network restart
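Because a mistake in any of the four files above is only noticed after "service network restart" has already dropped the host's address, a pre-flight check is worth having. The script below is an added example, not part of the original post: it lints the ifcfg files of a bond-under-bridge setup (slaves point at the bond, only the bridge carries an address, the bond monitors its links) and summarises a /proc/net/bonding dump. It assumes the RHEL-style ifcfg layout and the bond0/br0/eth0/eth1 names from the post; the configuration files and the bonding dump it builds for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint the ifcfg files of a
# bond-under-bridge setup before "service network restart", and summarise
# the live bond state from /proc/net/bonding/<bond>.
# Assumptions: RHEL-style ifcfg-* files and the bond0/br0/eth0/eth1 names
# used in the post; the demo data below is constructed.

# cfg FILE KEY -> value of KEY=value in an ifcfg file (quotes stripped)
cfg() { sed -n "s/^$2=//p" "$1" 2>/dev/null | tr -d '"' | head -n 1; }

# lint_bond_bridge DIR BOND BRIDGE SLAVE...  (prints ok:/fail: lines and
# returns 1 if anything would leave the host without a usable address)
lint_bond_bridge() {
    dir=$1; bond=$2; bridge=$3; shift 3; rc=0
    for s in "$@"; do
        f="$dir/ifcfg-$s"
        if [ "$(cfg "$f" MASTER)" = "$bond" ] && [ "$(cfg "$f" SLAVE)" = yes ]; then
            echo "ok: $s is a slave of $bond"
        else
            echo "fail: $s needs MASTER=$bond and SLAVE=yes"; rc=1
        fi
        [ -z "$(cfg "$f" IPADDR)" ] || { echo "fail: $s has an IPADDR; only $bridge should"; rc=1; }
    done
    b="$dir/ifcfg-$bond"
    if [ "$(cfg "$b" BRIDGE)" = "$bridge" ]; then
        echo "ok: $bond is enslaved to $bridge"
    else
        echo "fail: $bond needs BRIDGE=$bridge"; rc=1
    fi
    [ -z "$(cfg "$b" IPADDR)" ] || { echo "fail: $bond has an IPADDR; only $bridge should"; rc=1; }
    case "$(cfg "$b" BONDING_OPTS)" in
        *miimon=*|*arp_interval=*) echo "ok: $bond monitors its links" ;;
        *) echo "fail: $bond has neither miimon nor arp_interval, so no link failure is ever detected"; rc=1 ;;
    esac
    br="$dir/ifcfg-$bridge"
    if [ "$(cfg "$br" TYPE)" = Bridge ] && [ -n "$(cfg "$br" IPADDR)" ]; then
        echo "ok: $bridge is TYPE=Bridge and carries the address"
    else
        echo "fail: $bridge needs TYPE=Bridge and an IPADDR"; rc=1
    fi
    return $rc
}

# bond_summary FILE: reduce a /proc/net/bonding/<bond> dump to one line,
# "active=<slave> <slave>=<up|down> ...", returning 1 if any slave is down.
bond_summary() {
    awk '
        /^Currently Active Slave:/ { active = $4 }
        /^Slave Interface:/        { slave = $3; order[++n] = slave }
        /^MII Status:/ && slave    { state[slave] = $3; if ($3 != "up") bad = 1 }
        END {
            printf "active=%s", active
            for (i = 1; i <= n; i++) printf " %s=%s", order[i], state[order[i]]
            printf "\n"
            exit bad + 0
        }' "$1"
}

# write_demo_cfg DIR: the four ifcfg files from the post (address constructed)
write_demo_cfg() {
    for s in eth0 eth1; do
        printf 'DEVICE=%s\nNM_CONTROLLED=no\nBOOTPROTO=none\nONBOOT=yes\nMASTER=bond0\nSLAVE=yes\nTYPE=Ethernet\n' "$s" > "$1/ifcfg-$s"
    done
    printf 'DEVICE=bond0\nONBOOT=yes\nBOOTPROTO=none\nBONDING_OPTS="mode=1 miimon=100 updelay=200 downdelay=200 primary=eth0"\nBRIDGE=br0\n' > "$1/ifcfg-bond0"
    printf 'DEVICE=br0\nTYPE=Bridge\nBOOTPROTO=none\nIPADDR=192.0.2.17\nNETMASK=255.255.255.0\nGATEWAY=192.0.2.1\nONBOOT=yes\nDELAY=0\n' > "$1/ifcfg-br0"
}

# write_demo_bond FILE: a constructed /proc/net/bonding/bond0 with eth1 down
write_demo_bond() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
EOF
}

demo=$(mktemp -d)
write_demo_cfg "$demo"; write_demo_bond "$demo/bond0"
lint_bond_bridge "$demo" bond0 br0 eth0 eth1
bond_summary "$demo/bond0" || echo "warning: a bond member is down"
rm -rf "$demo"
```

On a real host call lint_bond_bridge /etc/sysconfig/network-scripts bond0 br0 eth0 eth1 before the restart and bond_summary /proc/net/bonding/bond0 after it; a non-zero exit from the second means the bond is up but has already lost its redundancy.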

Friday, February 24, 2012

How to start Apache using the worker MPM?

■ Purpose : Start Apache using the worker MPM
■ OS Environment : Linux [RHEL, CentOS]
■ Application : httpd
■ Implementation Steps :

1. Check which MPM Apache is currently running with:

$ /usr/sbin/apachectl -l

If worker.c appears in the list of compiled-in modules, Apache is running with the worker MPM; if prefork.c appears, it is running prefork.

2. Check whether the worker build of httpd is installed and has the worker MPM compiled in:

$ /usr/sbin/httpd.worker -l

If worker.c appears in its list of compiled-in modules, this binary can run the worker MPM.

3. Uncomment the following line in /etc/sysconfig/httpd :

HTTPD=/usr/sbin/httpd.worker

4. Restart httpd :

$ service httpd restart

Note : PHP's mod_php is not thread-safe and does not support the worker MPM, so either recompile PHP with the thread-safe option or run PHP through mod_fcgid; otherwise httpd will throw an error after the switch.
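The four steps and the note amount to a small decision procedure, which the script below automates. It is an added example, not part of the original post: it reads the MPM from "httpd -l"-style output, refuses to switch while a mod_php LoadModule line is present in the conf.d directory, and rewrites the HTTPD= line in the sysconfig file idempotently. It assumes the RHEL layout (/etc/sysconfig/httpd, /etc/httpd/conf.d); the sysconfig file, conf.d directory and module listings in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check and switch to
# the worker MPM. Assumptions: RHEL-style /etc/sysconfig/httpd, the
# "httpd -l" output format shown in the post, and PHP loaded through a
# LoadModule line in /etc/httpd/conf.d; all demo data below is constructed.

# mpm_of < "httpd -l" output -> prefork | worker | event | unknown
mpm_of() {
    awk '/^[[:space:]]*(prefork|worker|event)\.c$/ { sub(/\.c$/, ""); print $1; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# mod_php_loaded CONFDIR: true when a mod_php module is loaded, the case the
# post's note warns about (mod_php is not thread-safe).
mod_php_loaded() {
    grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module' "$1"/*.conf
}

# set_httpd_binary SYSCONFIG PATH: uncomment or rewrite the HTTPD= line
# idempotently (appends one if the file has none); prints how many remain.
set_httpd_binary() {
    if grep -Eq '^[[:space:]]*#?[[:space:]]*HTTPD=' "$1"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*HTTPD=.*|HTTPD=$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'HTTPD=%s\n' "$2" >> "$1"
    fi
    grep -c "^HTTPD=$2\$" "$1"
}

# switch_to_worker SYSCONFIG CONFDIR RUNNING_LIST WORKER_LIST
# RUNNING_LIST is the output of "apachectl -l", WORKER_LIST that of
# "httpd.worker -l". Applies the switch only when it is safe.
switch_to_worker() {
    cur=$(printf '%s\n' "$3" | mpm_of); avail=$(printf '%s\n' "$4" | mpm_of)
    if [ "$cur" = worker ]; then echo "already running worker"; return 0; fi
    if [ "$avail" != worker ]; then echo "httpd.worker binary does not report worker.c"; return 1; fi
    if mod_php_loaded "$2"; then
        echo "refusing: mod_php is loaded; use a thread-safe PHP build or mod_fcgid first"; return 1
    fi
    set_httpd_binary "$1" /usr/sbin/httpd.worker >/dev/null
    echo "switched: HTTPD=/usr/sbin/httpd.worker set in $1; restart httpd to apply"
}

# Demonstration on constructed files (a sysconfig with the line commented
# out, an empty conf.d, and the two module listings)
demo=$(mktemp -d); mkdir "$demo/conf.d"
printf '# HTTPD=/usr/sbin/httpd.worker\nOPTIONS=\n' > "$demo/httpd.sysconfig"
running='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c'
worker='Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c'
switch_to_worker "$demo/httpd.sysconfig" "$demo/conf.d" "$running" "$worker"
cat "$demo/httpd.sysconfig"
rm -rf "$demo"
```

On a live host the call is switch_to_worker /etc/sysconfig/httpd /etc/httpd/conf.d "$(/usr/sbin/apachectl -l)" "$(/usr/sbin/httpd.worker -l)", followed by "service httpd restart" when it reports the switch.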


Wednesday, February 22, 2012

How to create a reverse DNS record in BIND?

■ Purpose : Create a reverse DNS (PTR) record
■ OS Environment : Linux
■ Application : bind
■ Assumption : A class C (/24) network, 192.168.0.0/24, so the reverse zone is 0.168.192.in-addr.arpa
■ Implementation Steps :

1. Add the following zone to /etc/named.conf (the file name is relative to the directory set in the options block, /var/named here):

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "0.168.192.in-addr.arpa";
    allow-update { none; };
};

2. Create the zone file for this reverse zone:

$ vi /var/named/0.168.192.in-addr.arpa and put the entries below:

$TTL 600
@ IN SOA ns1.example.com. host.example.com. (
    2012013001 ; serial (YYYYMMDDnn; increase it on every edit, or secondaries will not pick up the change)
    86400 ; refresh
    7200 ; retry
    3600000 ; expire
    86400 ; minimum
)

0.168.192.in-addr.arpa. IN NS ns1.example.com.
0.168.192.in-addr.arpa. IN NS ns2.example.com.
201 IN PTR example.com.

The last line maps 192.168.0.201 to example.com; the name on the right must end with a dot, otherwise BIND appends the zone origin to it. Check the file with "named-checkzone 0.168.192.in-addr.arpa /var/named/0.168.192.in-addr.arpa" and reload named.
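Writing the zone by hand is fine for one record; for a whole /24 it is easier to generate it from the host list and to let a script bump the serial. The following is an added example, not part of the original post: it computes the reverse zone and owner names, generates a complete zone file in the format above from "IP FQDN" lines (skipping hosts outside the /24 and qualifying every PTR target), and implements the YYYYMMDDnn serial convention. The host list and names in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a /24 reverse zone
# from an "IP FQDN" host list and bump its serial the YYYYMMDDnn way.
# Assumptions: class C (/24) delegation as in the post; the host list and
# addresses in the demo are constructed.

# rev_zone 192.168.0 -> 0.168.192.in-addr.arpa
rev_zone() { _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs; echo "$3.$2.$1.in-addr.arpa"; }

# ptr_name 192.168.0.201 -> 201.0.168.192.in-addr.arpa.  (full owner name)
ptr_name() { _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs; echo "$4.$3.$2.$1.in-addr.arpa."; }

# next_serial CURRENT YYYYMMDD: same day -> nn+1, earlier day -> today's 01,
# later day (clock skew) -> just +1. Secondaries only transfer the zone when
# the serial has increased, so it must never go backwards.
next_serial() {
    cur=$1; today=$2
    if [ "${cur%??}" = "$today" ]; then
        n=${cur#"$today"}; n=${n#0}
        [ "$n" -lt 99 ] || { echo "no revisions left for $today" >&2; return 1; }
        printf '%s%02d\n' "$today" $((n + 1))
    elif [ "$cur" -lt "${today}01" ]; then
        echo "${today}01"
    else
        echo $((cur + 1))
    fi
}

# gen_ptr_zone NETWORK SERIAL NS1 NS2 RNAME < hosts
# Emits a complete reverse zone; hosts outside NETWORK/24 are skipped and
# every PTR target gets a trailing dot so it is never expanded relative to
# the reverse zone's origin.
gen_ptr_zone() {
    zone=$(rev_zone "$1")
    cat <<EOF
\$TTL 600
@ IN SOA $3 $5 (
    $2 ; serial
    86400 ; refresh
    7200 ; retry
    3600000 ; expire
    86400 ; minimum
)
$zone. IN NS $3
$zone. IN NS $4
EOF
    awk -v net="$1." '
        index($1, net) == 1 {
            fqdn = $2; if (fqdn !~ /\.$/) fqdn = fqdn "."
            printf "%s IN PTR %s\n", substr($1, length(net) + 1), fqdn
        }'
}

# Demonstration with a constructed host list (the third host is outside the /24)
hosts='192.168.0.201 example.com
192.168.0.202 mail.example.com.
192.168.1.5 other.example.com'
printf '%s\n' "$hosts" | gen_ptr_zone 192.168.0 "$(next_serial 2012013001 20120222)" \
    ns1.example.com. ns2.example.com. host.example.com.
```

Redirect the output to /var/named/0.168.192.in-addr.arpa and run named-checkzone on it before reloading; keep the host list under version control so the generated zone is reproducible.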


Monday, January 2, 2012

Which command will provide I/O details of all processes in the system?

■ Requirement : Command which provides I/O details of every process
■ OS Environment : Linux
■ Solution :

$ for p in /proc/[0-9]*; do if [ -r "$p/io" ]; then echo "---------------------------------------------------"; echo "Process name :"; tr '\0' ' ' < "$p/cmdline"; echo; echo "PID : ${p#/proc/}"; echo "IO Details:"; cat "$p/io"; fi; done

Iterating over /proc/[0-9]* covers every PID regardless of the pid_max setting, and cmdline's NUL separators are turned into spaces. /proc/<pid>/io is only readable for processes you could ptrace, so run this as root to see every process.

NOTE : To dig further into an I/O issue, use the iostat, sar and "nfsstat -x" commands.
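The loop above dumps every counter; when hunting an I/O problem one usually wants the processes ranked by what they actually wrote to storage. The script below is an added example, not part of the original post: it parses the /proc/<pid>/io format (read_bytes/write_bytes) into a sorted top-N table and shows how to take a delta, since the counters are cumulative. It assumes the Linux procfs layout, with the /proc path passed as a parameter so the demonstration can run on a constructed look-alike tree.

```shell
#!/bin/sh
# Added example, not from the original post: rank processes by I/O using
# /proc/<pid>/io, which the post's loop dumps verbatim. Assumptions: Linux
# procfs layout, with the /proc path passed as PROC so a constructed tree
# can stand in for it; the demo tree below is constructed.

# io_top PROC N: print "PID WRITE_BYTES READ_BYTES COMMAND" for the N
# processes with the most bytes written to storage. /proc/<pid>/io is only
# readable for processes you could ptrace (your own, or all as root), so
# unreadable entries are skipped rather than aborting the loop.
io_top() {
    n=${2:-5}
    for d in "$1"/[0-9]*; do
        [ -r "$d/io" ] || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | sed 's/ *$//')
        awk -v pid="${d##*/}" -v cmd="${cmd:--}" '
            $1 == "read_bytes:"  { r = $2 }
            $1 == "write_bytes:" { w = $2 }
            END { printf "%s %s %s %s\n", pid, w + 0, r + 0, cmd }' "$d/io"
    done | sort -k2,2nr | head -n "$n"
}

# io_delta PROC PID SECONDS: bytes written by one process over an interval.
# The counters are cumulative since process start, so a rate needs two reads.
io_delta() {
    before=$(awk '$1 == "write_bytes:" { print $2 }' "$1/$2/io")
    sleep "$3"
    after=$(awk '$1 == "write_bytes:" { print $2 }' "$1/$2/io")
    echo $((after - before))
}

# write_demo_proc DIR: a constructed /proc look-alike with three processes
write_demo_proc() {
    for p in 101 202 303; do mkdir -p "$1/$p"; done
    printf 'mysqld\000--datadir=/var/lib/mysql\000' > "$1/101/cmdline"
    printf 'rchar: 9000\nwchar: 9000\nread_bytes: 4096\nwrite_bytes: 52428800\ncancelled_write_bytes: 0\n' > "$1/101/io"
    printf 'httpd.worker\000' > "$1/202/cmdline"
    printf 'rchar: 100\nwchar: 100\nread_bytes: 1048576\nwrite_bytes: 8192\ncancelled_write_bytes: 0\n' > "$1/202/io"
    : > "$1/303/cmdline"       # kernel threads have an empty cmdline
    printf 'rchar: 0\nwchar: 0\nread_bytes: 0\nwrite_bytes: 1048576\ncancelled_write_bytes: 0\n' > "$1/303/io"
    mkdir -p "$1/self"          # non-numeric entries are never visited
}

demo=$(mktemp -d)
write_demo_proc "$demo"
io_top "$demo" 2
rm -rf "$demo"
```

On a real system "io_top /proc 10" as root gives the ten heaviest writers since they started; io_delta /proc <pid> 10 tells you whether a given one is still writing now, which is the question iostat and sar cannot answer per process.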

Saturday, December 31, 2011

How to generate a CA certificate for server and client communication?

■ Requirement : Generate a CA certificate, and CA-signed certificates, for server and client communication.
■ OS Environment : Linux
■ Application : openssl
■ Implementation Steps :

1. Create the certification authority :

$ mkdir -p /etc/newcerts && cd /etc/newcerts
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

NOTE: The last command asks for the details of the certificate provider (country, organisation, Common Name, ...); keep the names short, and give the CA a Common Name that you will not reuse for the server or client certificates, since a certificate whose Common Name equals its CA's is a known cause of verification failures. ca-key.pem is the CA's private key; keep it readable by root only.

2. Create the server certificate, signed by the CA above :

$ openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
$ openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

NOTE: After the subject details, the first command asks for an optional challenge password; leave it empty by pressing Enter twice (-nodes already means the key file itself is not encrypted).

3. Create the client certificate, signed by the same CA (same procedure as the server, but with its own serial number) :

$ openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
$ openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

NOTE : Provide the details of the client owner who will contact the server. Two certificates issued by one CA must not share a serial number, so the client gets 02 (or use -CAcreateserial and let OpenSSL number them). The client presents client-cert.pem when connecting, the server presents server-cert.pem, and each side checks the other's certificate against ca-cert.pem before the encrypted session is established.

Friday, December 30, 2011

How to install MySQL server and configure SSL with it on Linux?

■ Requirement : Install mysql-server and configure SSL for secure communication
■ OS Environment : Linux
■ Application :

  • perl-DBD-MySQL-3.0007-2.el5
  • perl-DBI-1.52-2.el5
  • mysql-server-5.0.77-4.el5_6.6
  • mysql-5.0.77-4.el5_6.6
  • openssl

■ Symptoms encountered : 

  •  ERROR 2026 (HY000): SSL connection error

■ Implementation Steps :

1. Install the packages listed above (with yum, or with rpm -ivh for RPM files you downloaded) :

$ yum install mysql mysql-server openssl perl-DBD-MySQL perl-DBI -y
$ rpm -ivh

2. Start the mysql service :

$ service mysqld start

4. Set the MySQL root password (the value 'mysql' is a placeholder; use a strong one, and remember that a password given on the command line ends up in the shell history) :

$ /usr/bin/mysqladmin -u root password 'mysql'

5. Configure SSL for the mysql server and the clients that will access it; first create a directory for the certificates :

$ mkdir -p /etc/mysql/newcerts
$ chown -R mysql:mysql /etc/mysql/newcerts


6. Create the certificate authority (give it a Common Name that differs from the ones you will use for the server and client certificates) :

$ cd /etc/mysql/newcerts
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem


7. Create the server certificate, signed by the CA above :

$ openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
$ openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem


8. Create the client certificate, signed by the same CA (same procedure as the server, with its own serial number) :

$ openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
$ openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
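
The CA, server and client certificates in steps 6 to 8 here and in the "How to generate CA certificate" post are created with fixed serial numbers and no check before they are handed to mysqld. The script below is an added example, written for this page and not taken from either post or from MySQL: it builds the same three pairs with -CAcreateserial so every certificate gets a distinct serial, then verifies each one the way a failing "ERROR 2026" diagnosis would (chain verifies against the CA, key matches certificate, serial not reused, Common Name different from the CA's). It assumes the openssl command line tool is installed; the names it uses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original posts nor MySQL's: build the CA,
# server and client certificates from the posts with unique serials and
# distinct subject names, then verify them before they go into my.cnf.
# Assumptions: the openssl CLI is installed; names below are placeholders.

# make_ca DIR CN: self-signed CA key and certificate (1000 days, as in the post)
make_ca() {
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -nodes -days 1000 -key "$1/ca-key.pem" \
        -subj "/CN=$2" -out "$1/ca-cert.pem" 2>/dev/null
}

# make_signed DIR NAME CN: key + CSR + CA-signed certificate for NAME.
# -CAcreateserial keeps a counter in ca-cert.srl, so every certificate this
# CA issues gets a different serial; a fixed "-set_serial 01" for both the
# server and the client would give two certificates the same serial, which
# breaks revocation and any peer that caches certificates by serial.
make_signed() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2-key.pem" \
        -subj "/CN=$3" -out "$1/$2-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2-req.pem" -days 1000 -CA "$1/ca-cert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -out "$1/$2-cert.pem" 2>/dev/null
}

cert_cn()     { openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'; }
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

# key_matches KEY CERT: the RSA modulus must be identical, otherwise mysqld
# starts with a key/certificate pair that can never complete a handshake.
key_matches() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# check_cert DIR NAME: what should hold before ssl-cert= points at it: the
# chain verifies against the CA, the key matches, the serial is unique, and
# the CN differs from the CA's (MySQL requires distinct Common Names).
check_cert() {
    cert="$1/$2-cert.pem"; ca="$1/ca-cert.pem"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "$2: chain does not verify"; return 1; }
    key_matches "$1/$2-key.pem" "$cert" || { echo "$2: key does not match certificate"; return 1; }
    [ "$(cert_cn "$cert")" != "$(cert_cn "$ca")" ] || { echo "$2: CN identical to the CA's"; return 1; }
    for other in "$1"/*-cert.pem; do
        [ "$other" = "$cert" ] || [ "$other" = "$ca" ] || \
          [ "$(cert_serial "$other")" != "$(cert_serial "$cert")" ] || { echo "$2: serial reused"; return 1; }
    done
    echo "$2: ok (serial $(cert_serial "$cert"), CN $(cert_cn "$cert"))"
}

# Demonstration in a scratch directory with placeholder names
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_ca "$demo" "Demo CA" && make_signed "$demo" server db.example.test \
        && make_signed "$demo" client app.example.test
    check_cert "$demo" server; check_cert "$demo" client
    rm -rf "$demo"
fi
```

Run make_ca and make_signed against /etc/mysql/newcerts (as the posts do, then chown the results to mysql), and run check_cert server and check_cert client before restarting mysqld; every failure it reports is one of the usual roots of "ERROR 2026 (HY000): SSL connection error".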


9. Make sure the following entries are present in /etc/my.cnf (the three ssl-* paths are the values the server reports in step 11) :

[mysqld]

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
old_passwords=1
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem


10. Restart mysqld and create a MySQL user that may only connect over SSL :

$ service mysqld restart
$ mysql
mysql> GRANT ALL ON *.* TO 'mysql'@'%' IDENTIFIED BY 'mysql' REQUIRE SSL;

REQ

... 

REQUIRE SSL makes the server reject plaintext logins for that account. ALL ON *.* from any host ('%') is this example's choice; in production grant only the databases and hosts the client actually needs.

11. Verification / Testing :

$ cd /etc/mysql/newcerts

$ mysql --ssl-ca=/etc/mysql/newcerts/ca-cert.pem --ssl-key=/etc/mysql/newcerts/client-key.pem --ssl-cert=/etc/mysql/newcerts/client-cert.pem -u root -p -v -v -v

Enter password:        (the root password from step 4, 'mysql' in this example)

The CA certificate belongs in --ssl-ca, not --ssl-cert (a second --ssl-cert only overrides the first and leaves no CA configured). The "ERROR 2026 (HY000): SSL connection error" listed under symptoms means the handshake could not be completed: check that the files are readable by the client, that each key matches its certificate, and that the CA's Common Name differs from the server's and client's.

Output will look like below :

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution
Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

 mysql> show variables like '%%ssl%%';

--------------
show variables like '%%ssl%%'
--------------


+---------------+-------------------------------------+
| Variable_name | Value                               |
+---------------+-------------------------------------+
| have_openssl  | YES                                 |
| have_ssl      | YES                                 |
| ssl_ca        | /etc/mysql/newcerts/ca-cert.pem     |
| ssl_capath    |                                     |
| ssl_cert      | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher    |                                     |
| ssl_key       | /etc/mysql/newcerts/server-key.pem  |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)


mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |   << Confirmed
+---------------+--------------------+
1 row in set (0.00 sec)

mysql> quit