Archive for 2010

Embedding was disabled so go here and watch these parents pwn !

Pwning Parents

After I spent hours thinking I had lost the plot, I finally read about how IPF is configured by default now. I am not sure in which build this changed, but by default IPF on OpenIndiana no longer looks at /etc/ipf/ipf.conf for the IPv4 rules to load at start. To make it read that file again, apply the following.

[bash]
#!/bin/bash

IPFW_CFG="/etc/ipf/ipf.conf"
PRIV_EXEC="pfexec"

# Turn IPF back to legacy text-file configuration:
# policy "custom" makes the ipfilter SMF method load its rules from
# custom_policy_file instead of the SMF-managed firewall policy.
$PRIV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"

$PRIV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPFW_CFG"

# Refresh so the service picks up the new properties
$PRIV_EXEC svcadm refresh ipfilter:default

echo "Done - Edit $IPFW_CFG and enable IPF now ..."
[/bash]

Sample Conf:

[bash]
# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all

# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state

# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags

# Allow HTTP
pass in quick proto tcp from any to any port = 80 keep state
[/bash]

Now just enable the service:
pfexec svcadm enable svc:/network/ipfilter:default
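As an added example (not part of the original post), a small POSIX sh audit that checks an ipf.conf in the style of the sample above before it is loaded: it confirms the inbound default-deny rule is present and flags any inbound pass rule that opens a port outside an allow-list, is not quick, or is stateless. The ALLOWED_PORTS list and the embedded sample rules file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample rules, modelled on the post's ipf.conf plus one sloppy
# rule (port 3306, no quick, no keep state) so the audit has something to find.
IPF_SAMPLE='# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all
pass in quick on lo0 all
pass in quick proto icmp all keep state
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from any to any port = 80 keep state
pass in proto tcp from any to any port = 3306'

# Inbound ports this host is expected to expose (assumed allow-list)
ALLOWED_PORTS="22 80"

# ipf_findings FILE: print one finding per line; prints nothing when clean.
ipf_findings() {
    file=$1
    # Default-deny inbound policy must be present
    grep -Eq '^[[:space:]]*block[[:space:]]+in[[:space:]]+all' "$file" ||
        echo "no default-deny 'block in all' rule"
    # Only inbound pass rules that name a port are inspected; lo0/ICMP rules are skipped.
    grep -E '^[[:space:]]*pass[[:space:]]+in[[:space:]]' "$file" | grep -E 'port[[:space:]]*=' |
    while IFS= read -r rule; do
        port=$(printf '%s\n' "$rule" | sed -n 's/.*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "port $port not in allow-list: $rule" ;;
        esac
        case "$rule" in *quick*) ;; *) echo "missing quick: $rule" ;; esac
        case "$rule" in *"keep state"*) ;; *) echo "missing keep state: $rule" ;; esac
    done
}

# Stand-alone run: write the constructed sample to a temp file and audit it
if [ -z "$IPF_AUDIT_NO_MAIN" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$IPF_SAMPLE" > "$tmp"
    ipf_findings "$tmp"
    rm -f "$tmp"
fi
```

Run it against the real file with `ipf_findings /etc/ipf/ipf.conf` before `ipf -Fa -f`, and treat any output as a reason not to load the rules.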

Handy IPF Commands

ipf -E                          : Enable ipfilter when running
                                : for the first time.
                                : (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5                 : Monitor the state table and refresh every
                                : 5 seconds. Output is similar to
                                : 'top' monitoring the process table.

ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and service names.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds                       : Run ipmon as a daemon, and log to
                                : default location.
                                : (/var/adm/messages for Solaris)

Jr Coops killing it ...

[youtube=http://www.youtube.com/watch?v=T4ChcMtiiic&w=480&h=385]

IPMP in Solaris gives you network redundancy on mission-critical servers. It is really excellent because it lets you mix NICs of different speeds (e.g. a Ten Gigabit Ethernet with a Gigabit Ethernet). The steps below demonstrate the 'passive' IPMP configuration. Active mode additionally probes a defined host with ping on top of the same checks passive does, but requires more extensive configuration.
NIC Setup
Stop the scary nwam service
  • svcadm disable svc:/network/physical:nwam
Plumb each nic
  • ifconfig NIC0 plumb
  • ifconfig NIC1 plumb
Add to group
  • ifconfig NIC0 group GROUPNAME
  • ifconfig NIC1 group GROUPNAME
Edit /etc/hostname.interface
  • Primary NIC: IP/NETMASK group GROUPNAME up
  • Secondary NIC: group GROUPNAME standby
Enable traditional Solaris Networking
  • svcadm enable svc:/network/physical:default

You should now be done. Have fun yanking network cables and watching your server stay online.

Zone Setup

Once your networking is set up just set the zone up as you normally would, but use the ipmpX as your physical zone NIC in zonecfg.

  • add net
  • set physical=ipmpX
  • end
  • verify
  • commit

For more zone configuration command information visit the GenUnix Wiki.

A great quote, that is so true ...

“A programmer is much like a virtuoso musician. They know their instrument extremely well. They may know, and occasionally play other instruments, but tend to focus almost exclusively on one. A sysadmin is more like the conductor. They have to know about all the instruments, the characteristics of each, how they play and sound together and in contrast with others. Then [they] need to understand the timing, the sound characteristics of the hall, etc. and make everything work together.”

- System administrator

8:00am Monday morning driving to work - Time for a weekly dose of Twit !

Twit Live on iPhone 4

GG Telstra 3G - Coverage 95% + of the way ..

Hi Leo and Mr Dvorak - You're live in Wollongong, NSW AU there 🙂

Don't have a webcam but have a wireless network and an iPhone? I found an awesome app that lets you install drivers that talk to your iPhone using Bonjour and share its camera with applications like Skype.

There are drivers for Windows + Mac OS X

iPhone Webcamera

Get the Drivers here - App on the iTunes App Store

Good times in NT with good mates - Uluru to Alice Springs June 2010

[youtube=http://www.youtube.com/watch?v=2O4aJukwK0U&w=480&h=385]

Great stuff Mr Tome - Top editing.

Browsing 'Cupidtino' (http://cupidtino.com/), a quote from a female stating that you're her type if

"You're more Woz than Jobs"

Great stuff - haha. Woz is a legend.

Well, after I tried myself months ago to get istatd to compile on my OpenSolaris box (token), someone smarter and not as lazy has worked it all out and got it to compile. One thing he did not do, though, was write an init script so that it would start at boot time. Here you can find it.

Please follow the install instructions on the following blog. I have written scripts, included a sample configuration and written an init script.

Karim Berrah's Weblog

Compile Script (Place in parent dir to source code):

[bash]
#!/bin/bash

DIR=istatd-
VER=0.5.7

# Pin the autotools versions the istatd build expects
ACLOCAL110=aclocal-1.10
export ACLOCAL110
AUTOMAKE110=automake-1.10
export AUTOMAKE110
AUTOCONF26=autoconf
export AUTOCONF26
AUTOHEADER26=autoheader
export AUTOHEADER26
LIBTOOLIZE15=libtoolize
export LIBTOOLIZE15

cd "${DIR}${VER}" || exit 1
pwd
./configure
if [ $? -ne 0 ]; then
    echo "ERROR with configure"
    exit 1
fi

make || { echo "ERROR with make"; exit 1; }

echo "--> Finished compiling ..."

# Create the unprivileged account istatd runs as (group first so useradd can reference it)
pfexec groupadd istat
pfexec useradd -g istat istat

if [ ! -d /var/cache/istat ]; then
    pfexec mkdir /var/cache/istat
fi
pfexec chown istat:istat /var/cache/istat

echo "--> Finished ..."
[/bash]

Sample Config:

[plain]
#
# /etc/istat.conf: Configuration for iStat server
#

# network_addr 127.0.0.1
network_port 5901
server_code 55551
server_user istat
server_group istat
# server_socket /tmp/istatd.sock
server_pid /var/run/istat/istatd.pid
cache_dir /var/cache/istat

# Note: Only support for one network interface, limited by client.
monitor_net ( bge0 )

# Array of disks to monitor. Specify mount path or device name.
monitor_disk ( / /home )

# Set to 1 if you want to use mount path as label instead of the device name.
disk_mount_path_label 0

# Try to probe the filesystem for disk label, will override the mount path label.
disk_filesystem_label 1

# Set custom disk label. Will override all other labels.
# disk_rename_label /dev/sda1 "root"
# disk_rename_label /home "home"

# End of file
[/plain]

Init Script:
[bash]
#!/bin/bash

# Basic support for chkconfig
###
# chkconfig: 35 99 55
# description: start and stop istatd - iphone monitoring tool daemon
###

DIR=/usr/local/bin
BINARY=istatd
OPTS="-d"

# Must match server_pid in /etc/istat.conf
PIDFILE=/var/run/istat/istatd.pid

case "$1" in
start)
    echo -n "Starting $BINARY ... "
    # /var/run is cleared at boot, so recreate the pid directory if needed
    [ -d "$(dirname "$PIDFILE")" ] || mkdir -p "$(dirname "$PIDFILE")"
    if "$DIR/$BINARY" $OPTS; then
        echo "done"
    else
        echo "! Failed !"
    fi
    ;;
stop)
    echo -n "Stopping $BINARY ... "
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
        echo "done"
    else
        echo "not running (no $PIDFILE)"
    fi
    ;;
status)
    # Check the recorded pid instead of grepping ps, which also matches the grep itself
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "$BINARY is running (pid $(cat "$PIDFILE"))"
    else
        echo "$BINARY is not running"
        exit 3
    fi
    ;;
*)
    echo "Usage: $0 {start|status|stop}"
    exit 1
    ;;
esac

exit 0
[/bash]

Then link the script into the run-level directory so it starts and stops with the system:

ln -s /etc/init.d/istatd /etc/rc3.d/S99istatd
ln -s /etc/init.d/istatd /etc/rc3.d/K10istatd

If someone has written an SMF service I would love to take it from you 🙂

If you have any questions - feel free to ask ...