Friday 31 January 2014

Settings for EMC Networker agent on Linux

After you have installed EMC Networker agent on your Linux OS, it is time to adjust system settings.

FIREWALL:

To enable communication between the Networker agent and the Networker server you have to open this range of ports:
TCP from 7937 to 9936.

If your iptables are down, you won't need to do anything. Your iptables then look like this:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 

In case your iptables are up, you have to insert a new rule. You can open these ports for any IP address, but it is wise to allow them only for your Networker server.

# iptables -I INPUT 10 -p tcp --dport 7937:9936 -s 192.168.0.2 -j ACCEPT

The above iptables rule is inserted at line 10 of chain INPUT, for protocol tcp and ports from 7937 to 9936, from source address 192.168.0.2, with the ACCEPT target.

In your iptables you will have this entry:
 
# iptables -nL |grep 79
ACCEPT     tcp  --  192.168.0.2           0.0.0.0/0           tcp dpts:7937:9936
 

Don't forget to save your new iptables rules!

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
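
To check that the port range really is open only for the Networker server, here is an added example (not part of the original post) that reads iptables-save output and marks each matching INPUT rule as OK or WIDE. The function names, the NW_SERVER variable and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. NW_SERVER is the Networker
# server address used in the post; function names are hypothetical.
NW_SERVER="192.168.0.2"

# Reads iptables-save text on stdin. For each INPUT rule that ACCEPTs TCP
# with a --dport overlapping 7937-9936 it prints OK (source is exactly the
# Networker server) or WIDE (any other source, or no source at all).
# Multiport rules (--dports a,b,c) are not parsed here.
audit_networker_rules() {
    awk -v srv="$NW_SERVER" '
    $1 == "-A" && $2 == "INPUT" {
        src = "any"; proto = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s")      src    = ($(i - 1) == "!" ? "!" : "") $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT" || proto != "tcp" || dport == "") next
        n  = split(dport, r, ":")
        lo = r[1] + 0
        hi = (n > 1 ? r[2] : r[1]) + 0
        if (hi < 7937 || lo > 9936) next          # rule does not touch the range
        if (src == srv || src == (srv "/32")) print "OK    " $0
        else                                  print "WIDE  " $0
    }'
}

# Constructed sample ruleset in iptables-save format (not from a real host).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.2/32 -p tcp -m tcp --dport 7937:9936 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7937:9936 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on the sample; on a real host run: iptables-save | audit_networker_rules
sample_rules | audit_networker_rules
```

A WIDE line means the backup ports are reachable from more than the backup server and the rule should get a -s restriction.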


OS files

It is very wise to insert a line for your Networker server in the /etc/hosts file:

192.168.0.2 networker_server.your_domain networker_server

This is important because the Networker server and client do not work with IP addresses but with DNS names. In case you cannot reach your DNS server, this line is crucial.

TIP:
Feedback on whether your communication is working will be given to you by your backup admin and your network admin, so good communication with them is crucial!


Installation of EMC Networker agent on Linux

A couple of years ago we started to use the EMC Networker solution for backup and restore of our servers. It works perfectly!!!
To back up and restore your OS or DB you have to install Networker clients (so-called agents) on your OS.

In this post, I will only write about installation of the Networker agent for backup and restore of the file system on Linux.
When you download the agent it comes in tar.gz format. You can download it for 32-bit or 64-bit Linux OS.
The package looks like this:

# ls
nw81_linux_x86_64.tar.gz

Untar it!

# tar xzvf nw81_linux_x86_64.tar.gz
linux_x86_64/
linux_x86_64/lgtoclnt-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtofr-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtoja-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtoko-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtolicm-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtoman-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtonode-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtoserv-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtozh-8.1.0.4-1.x86_64.rpm
linux_x86_64/lgtoclnt_8.1.0.4_amd64.deb
linux_x86_64/lgtonmc-8.1-1.x86_64.rpm
linux_x86_64/LGTO_METAFILE.linuxx86_64
linux_x86_64/sd_products.res
linux_x86_64/NetWorkerAdaptor-1.1.0-28-linux-x64.run







# ls
linux_x86_64  nw81_linux_x86_64.tar.gz


Go into the linux_x86_64 folder.

# cd linux_x86_64/
# ls
lgtoclnt-8.1.0.4-1.x86_64.rpm  LGTO_METAFILE.linuxx86_64
lgtoclnt_8.1.0.4_amd64.deb     lgtonmc-8.1-1.x86_64.rpm
lgtofr-8.1.0.4-1.x86_64.rpm    lgtonode-8.1.0.4-1.x86_64.rpm
lgtoja-8.1.0.4-1.x86_64.rpm    lgtoserv-8.1.0.4-1.x86_64.rpm
lgtoko-8.1.0.4-1.x86_64.rpm    lgtozh-8.1.0.4-1.x86_64.rpm
lgtolicm-8.1.0.4-1.x86_64.rpm  NetWorkerAdaptor-1.1.0-28-linux-x64.run
lgtoman-8.1.0.4-1.x86_64.rpm   sd_products.res

To install the client you have to install the lgtoclnt-8.1.0.4-1.x86_64.rpm package.

To install this package you must have the following packages installed. The versions of these packages have to be these or above.

expat-1.95.7-4.s390.rpm
libstdc++-3.4.6-11.s390.rpm
freetype-2.1.9-8.el4.6.s390.rpm
fontconfig-2.2.3-13.el4.s390.rpm
xorg-x11-Mesa-libGL-6.8.2*.rpm
xorg-x11-libs-6.8.2*.rpm
openmotif

The above list is from the official documentation, and in practice it is an OLD list.

For example, on SLES 11 you have to check for these packages:
expat
libstdc++46
freetype
fontconfig
Mesa
xorg-x11-libs
libcap1
openmotif

After you have installed these, you can install the Networker agent!
# rpm -ivh --test lgtoclnt-8.1.0.4-1.x86_64.rpm
Preparing...                ########################################### [100%]

If some dependencies are missing, install them and retry the above step.


# rpm -ivh lgtoclnt-8.1.0.4-1.x86_64.rpm
Preparing...                ########################################### [100%]


It is a good idea to install the man pages for the client, so install lgtoman-8.1.0.4-1.x86_64.rpm, too.

After installation is complete, the folder /nsr and the service networker will be created.
To start the Networker agent use this:

# /etc/init.d/networker start

This will start the necessary processes. To see if the agents are running, type this:

# ps aux |grep nsr
root     12545  0.0  0.0 196440  9524 ?        Ssl  09:22   0:00 /usr/sbin/nsrexecd
root     20151  0.0  0.0  61180   740 pts/0    S+   13:31   0:00 grep nsr


or

# /etc/init.d/networker status
+--o nsrexecd (12545)


Mission complete, Networker agent installed!!!

Saturday 25 January 2014

SFTP why and how?

SFTP is short for SSH FTP. To enable sftp communication you have to enable sftp-server on the server side.

WHY to use sftp:
Plus side:
- you have ssh encryption and security
- it uses the ssh port
- you can exchange ssh keys for authentication
- it has a limited set of commands, like the ones FTP uses
- a user that connects through sftp is locked to the folder defined for SFTP

Minus side:
- none (so far)

We started to use sftp when we had a demand for secure file transfer over the Internet. In our case security was the most important thing, along with limited access for the user that will transfer files to our server.

SERVER SETTINGS:

On RH, Suse, CentOS and Ubuntu sftp is disabled by default. To enable sftp you have to change the /etc/ssh/sshd_config file.
Replace the following line

Subsystem       sftp    /usr/libexec/openssh/sftp-server

with

Subsystem       sftp    internal-sftp -f AUTH -l INFO

This will enable the internal sftp-server.
Now you have to configure the sftp-server settings. These settings are also configured in the /etc/ssh/sshd_config file.

There are numerous settings for sftp-server; we use these:

Match Group usergroupsftp
        ChrootDirectory /usergroupsftp/%u
        ForceCommand internal-sftp
        X11Forwarding   no
        AllowTcpForwarding      no
        PasswordAuthentication  no

These settings provide the following:
Match Group usergroupsftp = applies to users that are in the group usergroupsftp
ChrootDirectory /usergroupsftp/%u = chroot users that connect through sftp to the /usergroupsftp/%u directory. Option %u means that they connect to the user's folder
ForceCommand internal-sftp = only commands from the internal-sftp server command set can be used
X11Forwarding   no = X11 forwarding is disabled
AllowTcpForwarding      no = TCP forwarding is disabled, so you cannot use the sftp connection for tcp forwarding
PasswordAuthentication  no = you cannot authenticate with a password, so you can connect to the sftp-server only with keys

After you are done with configuring, you have to restart the ssh service.
server1# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                              [  OK  ]



USER SETTINGS:

Now create the user that will log in to your server with sftp.

server1#useradd sftp1
server1#passwd sftp1
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

User sftp1 has to be in the group that you defined in sshd_config; in our case that is usergroupsftp.


server1#usermod -g usergroupsftp sftp1
server1#id sftp1

uid=505(sftp1) gid=503(usergroupsftp) groups=503(usergroupsftp) context=system_u:system_r:initrc_t

Now go to the home folder of user sftp1

server1#cd /home/sftp1

If there is no .ssh folder in here, create one

server1#mkdir .ssh
server1#cd .ssh

Now check in /etc/ssh/sshd_config the name of the file in which the authorized keys will be stored.

server1# cat /etc/ssh/sshd_config |grep Auth
AuthorizedKeysFile      .ssh/authorized_keys



FOLDER SETTINGS:

OK, so now you have to configure the chroot folder.

server1#cd /desired_space
server1#mkdir usergroupsftp
server1# ls -la
total 12
drwxr-xr-x   2 root root 4096 Jan 24 17:45 usergroupsftp


A very important thing is that this folder is owned by user root and group root. Why? This check is built into sshd, and if this folder is owned by some other user, sftp will not work.


Create a folder with the same name as the user that will be used to connect through sftp
server1#mkdir sftp1
server1#ls -la
total 1
drwxr-xr-x   2 root root 4096 Jan 24 17:46 sftp1

This folder also has to be owned by root.

server1#cd sftp1
server1#pwd
/usergroupsftp/sftp1/

In this space you have to create a folder which is owned by user sftp1 and group usergroupsftp
 
server1# mkdir new_folder
server1#chown sftp1:usergroupsftp new_folder


So files that will be transferred through sftp will be stored in
server1#pwd 
/usergroupsftp/sftp1/new_folder
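
The ownership requirement above can be checked before users start to complain. This is an added example (not part of the original post) that walks the chroot path up to / and reports every component that is not owned by root or is writable by group or others, which is the condition sshd refuses. It assumes GNU stat; the function names are hypothetical and the default path is the one used in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (stat -c).
CHROOT_DIR=${1:-/usergroupsftp/sftp1}   # chroot path used in this post

# component_ok UID MODE: rule for one path component of ChrootDirectory:
# owner must be root (uid 0) and the group/other write bits must be clear.
component_ok() {
    [ "$1" = "0" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]          # mode is octal, e.g. 755 -> 0755
}

# check_chroot DIR: check DIR and every parent directory up to /.
# Returns 0 if all components pass, 1 if any is bad, 2 on usage/stat error.
check_chroot() {
    case $1 in
        /*) ;;
        *)  echo "check_chroot: need an absolute path" >&2; return 2 ;;
    esac
    p=$1; rc=0
    while :; do
        info=$(stat -c '%u %a' "$p") || return 2
        set -- $info                    # $1 = owner uid, $2 = octal mode
        if component_ok "$1" "$2"; then
            echo "ok   $p (uid=$1 mode=$2)"
        else
            echo "BAD  $p (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Run only when the directory exists on this machine.
if [ -d "$CHROOT_DIR" ]; then
    check_chroot "$CHROOT_DIR"
fi
```

The writable folder (new_folder in this post) is not part of this check on purpose: it sits below the chroot and is the only place that should belong to sftp1.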
 
 

CLIENT SIDE:

On the server from which you want to connect to the sftp server, you have to create ssh keys for the user; these will be exchanged so that he can connect to the sftp server. In our example the user is user1.

server2#cd /home/user1
server2#ssh-keygen -t rsa
server2#ls
id_rsa    id_rsa.pub

You have created the public part (id_rsa.pub) and the private part (id_rsa) of the rsa key. The public part of this key has to be inserted in the /home/sftp1/.ssh/authorized_keys file on server1.

After you have inserted the public part (id_rsa.pub) of the key for user user1 from server2 in the /home/sftp1/.ssh/authorized_keys file on server1, you can connect from server2 to server1 as user sftp1 through sftp!

server2#sftp sftp1@server1


Connected to server1.

sftp> 


And now you are connected to server1 using sftp!!!
To transfer files you have to go into a folder that user sftp1 has permission for. In case you don't do this you will get something like this.



sftp> put 1.txt
Uploading 1.txt to /1.txt
remote open("/1.txt"): Permission denied
sftp> cd new_folder
sftp> put 1.txt
Uploading 1.txt to /new_folder/1.txt
1.txt                                         100%    0     0.0KB/s   00:00
sftp> ls
1.txt
 

It might seem confusing, but all this work can be done in less than 5 minutes. Just remember these steps:
- enable sftp-server on server1
- create user that will be used for sftp
- create keys
- insert public keys
- folder settings


During setup I faced a few problems myself:
1. # sftp sftp1@server1
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

The public key is not good. You did not insert it the right way, or if you typed it letter by letter you missed some letter.
In case you opened id_rsa.pub on Windows before you transferred it to server1, it can happen that Windows changed the line ending (an rsa key is one text line) and Linux will not see that line as finished.

2.sftp> put 1.txt
Uploading 1.txt to /1.txt
remote open("/1.txt"): Permission denied

You don't have the right to write. Either you did not change the ownership of the folder /usergroupsftp/sftp1/new_folder or you did not create it.
Check your sshd configuration and folder ownership.

3. If you see in your logs something like this
sshd[22047]: User sftp1 not allowed because account is locked

and your user is complaining that he cannot connect, you did not create a password for user sftp1.




server1#passwd sftp1
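
For problem 1 above, here is an added example (not part of the original post) that checks an authorized_keys file for the three causes named there: Windows line endings, a key that lost characters, and a key line that was cut or wrapped. The function names are hypothetical and the key data in the sample is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post.

# check_authorized_keys FILE: print one message per unusable line,
# return 0 if every key line looks complete, 1 otherwise.
check_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /\r$/ { printf "line %d: Windows (CRLF) line ending\n", NR; bad = 1; next }
    {
        blob = ""
        for (i = 1; i < NF; i++)                   # options may precede the type
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                blob = $(i + 1); break
            }
        if (blob == "") {
            printf "line %d: no key type followed by key data (cut or wrapped line?)\n", NR
            bad = 1
        } else if (blob !~ "^[A-Za-z0-9+/]+=*$" || length(blob) % 4 != 0) {
            # key data is padded base64, so its length is a multiple of 4
            printf "line %d: key data is not complete base64 (missing characters?)\n", NR
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# make_sample FILE: write a constructed authorized_keys file with one good
# line and one line for each failure described in problem 1.
make_sample() {
    good='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDe user1@server2'
    {
        printf '%s\n'   "$good"                                   # 1: fine
        printf '%s\r\n' "$good"                                   # 2: saved on Windows
        printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQD user1@server2'  # 3: letter lost
        printf '%s\n' 'AAAAB3NzaC1yc2EAAAADAQABAAAAQQDe user1@server2'         # 4: start cut off
    } > "$1"
}

# Demo on the constructed file; on server1 you would run
# check_authorized_keys /home/sftp1/.ssh/authorized_keys
tmp=$(mktemp) && make_sample "$tmp" && check_authorized_keys "$tmp"
rm -f "$tmp"
```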



 


Wednesday 22 January 2014

oracleasm-kmp-default issue installing

Recently I had to prepare a server for Oracle ASM and I came across a silly stupid problem.

OS is SLES11.3 x64.

The first package you need to install is oracleasm-kmp-default. So I copied the rpm from one of my recently installed SLES servers that is already running ORACLE 11g with ASM.

So I started the installation ....

# rpm -ivh --test oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64.rpm
error: Failed dependencies:
        kernel(default:fs_inode) = adf94420712fa702 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_seq_file) = ef2713f4cd2441f5 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:kernel_mutex) = a661ac933270637f is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_dcache) = 5bbc6cd5324a8152 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_dcache) = 939ee359cbd31c00 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_file_table) = 8d604723f20adb43 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_super) = b49484b3e1d7542e is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:vmlinux) = 78ddd7e8714ce712 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:vmlinux) = d85b26d970125f4f is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_libfs) = f0b1c210f265c4b8 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:kernel_printk) = 9cc1b39ddf89e9f5 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_bio) = 32807287bde6ab16 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_proc_proc) = f609e7bc25995ef9 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_block_dev) = 209e524c89967167 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:arch_x86_kernel_cpu_common) = f95ddd6e1fd9a3a9 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_namespace) = 50b9876663f73f84 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_namespace) = d29aeb749fa615ba is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:kernel_module) = 1a1be7ca7e424d61 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:kernel_time_timekeeping) = 80d2df62da4c5dfe is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:arch_x86_kernel_paravirt) = e18b6d3e391bb3a7 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_filesystems) = bf13cfd30476c852 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:kernel_sched) = 99b9b2cee8d5c184 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:mm_page_alloc) = c5519693898c1b7d is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:fs_partitions_check) = 20c04aea4dc7bb4b is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64
        kernel(default:block_blk-core) = e9a9063f3758a611 is needed by oracleasm-kmp-default-2.0.5_3.0.38_0.5-7.26.3.x86_64

The first thing I thought of was that I was missing some dependencies, so I started to search on Google for a similar problem and a solution for it. It seems that no one is having this issue.

After a couple of hours of browsing, dependency searching and comparing server configurations, the DB admin told me that the oracleasm-kmp-default rpm is not on the Oracle web site when you want to download oracleasmlib. I searched the SLES11.3 installation DVD and found the oracleasm-kmp-default rpm package. So I tried to install it with zypper

# zypper install oracleasm-kmp-default
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  oracleasm-kmp-default

1 new package to install.
Overall download size: 31.0 KiB. After the operation, additional 108.0 KiB will be used.
Continue? [y/n/?] (y): y
Retrieving package oracleasm-kmp-default-2.0.5_3.0.76_0.11-7.37.3.x86_64 (1/1), 31.0 KiB (108.0 KiB unpacked)
Installing: oracleasm-kmp-default-2.0.5_3.0.76_0.11-7.37.3 [done]


So the issue was this:
oracleasm-kmp-default from SLES11.2 CANNOT be installed on SLES11.3. Always use packages from the installation DVD.

I hope that this helps someone!






Monday 20 January 2014

setup for ASM Oracle disks on Linux

Depending on your OS you will need to install different versions of these packages.
The packages that you need to install to enable Oracle ASM disks are

oracleasm
oracleasm-kmp-default
oracleasm-support
oracleasmlib

For example for SLES11.3 I installed these versions

oracleasm-2.0.5-7.37.3
oracleasm-kmp-default-2.0.5_3.0.76_0.11-7.37.3
oracleasm-support-2.1.8-1.SLE11
oracleasmlib-2.0.4-1.SLE11

Oracleasm-kmp-default and oracleasm are on the installation DVD.

# zypper info oracleasm-kmp-default
# zypper install oracleasm-kmp-default


# zypper info oracleasm
# zypper install oracleasm

Oracleasm-support and oracleasmlib have to be downloaded from the Oracle web site.


# cd location_of_packages
# ls
oracleasm-support-2.1.8-1.SLE11.x86_64.rpm
oracleasmlib-2.0.4-1.sle11.x86_64.rpm

Test if you have everything for the installation of asmlib

# rpm -ivh --test oracleasm*  

And install it

# rpm -ivh oracleasm*

After you have installed oracleasm and oracleasmlib on your server it is time to do the setup for ASM disks.

After installation of asmlib a new service, oracleasm, will show up in /etc/init.d. With this service you create and delete ASM disks, see their status and do everything else you need to do with ASM disks.


The first thing that you need to do is to configure oracleasm.

Check the status of oracleasm
# /etc/init.d/oracleasm status
Checking if ASM is loaded: no
Checking if /dev/oracleasm is mounted: no








Start to configure
# /etc/init.d/oracleasm configure
 

Configuring the Oracle ASM library driver.

This will configure the on-boot properties of the Oracle ASM library
driver. The following questions will determine whether the driver is
loaded on boot and what permissions it will have. The current values
will be shown in brackets ('[]'). Hitting <ENTER> without typing an
answer will keep that current value. Ctrl-C will abort.

Default user to own the driver interface [oracle]:
Default group to own the driver interface [dba]:
Start Oracle ASM library driver on boot (y/n) [y]:
Scan for Oracle ASM disks on boot (y/n) [y]:
Writing Oracle ASM library driver configuration: done
Initializing the Oracle ASMLib driver: [ OK ]
Scanning the system for Oracle ASMLib disks: [ OK ]


# /etc/init.d/oracleasm status
Checking if ASM is loaded: yes
Checking if /dev/oracleasm is mounted: yes



Before you start to create ASM disks you need to create a partition on the disk that you want to use for ASM.
(This will be explained in another post)

Suppose you created a partition named sdb1.
To create an ASM disk do this

# /etc/init.d/oracleasm createdisk ASMDISK1 /dev/mapper/sdb1
The ASM disk is created!

To list ASM disks

# /etc/init.d/oracleasm listdisks
ASMDISK1