use iptables to manage firewalling of ubuntu 16.04 bridge on VMware

Background: the IDC allocated us a large block of public IP addresses, but we cannot act as the gateway ourselves, and I did not want to put every machine directly on the internet, which would raise the management cost.
Plan:
Use Ubuntu 16.04 as the firewall (FW).
The external network (internet) connects only to the FW's ens160.
Add a DMZ network (DMZ); every machine that needs a public IP, and the FW's ens192, are connected to the DMZ.

Install bridge-utils on the FW and bridge ens160 with ens192; if you do not know how to set up the bridge, see here.

Next, enable promiscuous mode on the DMZ and internet networks in VMware. Remember that promiscuous mode must be enabled on both networks. If you do not know how to enable it, see here. There is no need to enable promiscuous mode on the whole vSwitch; enabling it on the DMZ and internet port groups is enough.

At this point the bridge is done. Right now every machine in the DMZ has full internet access, and nothing you put in iptables restricts the DMZ network at all, because bridged frames bypass the IP filter. The next step is to make iptables apply to the bridge.

Run the following command to load the bridge netfilter module

modprobe br_netfilter

Edit /etc/modules-load.d/modules.conf and append the following line so that the bridge netfilter module is loaded automatically after a reboot

br_netfilter

Then edit /etc/sysctl.conf and append the following lines:

###################################################################
# For iptables to manage bridge firewalling
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Finally, run the following command to apply the settings

sysctl -p

Now the DMZ can be managed with iptables.
That said, I have not yet worked out how the in/out interfaces (-i and -o in iptables) behave for bridged traffic, so I just match on IP addresses directly.
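As an added example (not part of the original post), the script below checks that the sysctl settings from this post are present and generates a default-deny FORWARD ruleset for one DMZ host, matching on IP addresses as the post does rather than on -i/-o. The DMZ address 203.0.113.10 and the port list are constructed values; the apply function refuses to load rules while br_netfilter is not wired in, since in that state the FORWARD chain never sees bridged frames and the policy silently does nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed values: DMZ host 203.0.113.10,
# allowed TCP ports 80 and 443.

BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-arptables"

# Print each bridge-nf key that is not set to 1 in the sysctl file (default /etc/sysctl.conf).
# Exit status is 0 when nothing is missing.
bridge_nf_missing() {
  file=${1:-/etc/sysctl.conf}
  missing=0
  for key in $BRIDGE_NF_KEYS; do
    if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$file"; then
      echo "$key"
      missing=1
    fi
  done
  return $missing
}

# Print the iptables commands for one DMZ host: drop everything forwarded across the bridge
# by default, accept replies to established flows, accept the listed TCP ports inbound to the
# host, and let the host itself open outbound connections. Rules match on IP, not -i/-o.
dmz_forward_rules() {
  host=$1; shift
  echo "iptables -P FORWARD DROP"
  echo "iptables -F FORWARD"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for port in "$@"; do
    echo "iptables -A FORWARD -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A FORWARD -s $host -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply the ruleset, but only once bridged traffic actually reaches iptables.
dmz_firewall_apply() {
  if ! lsmod | grep -q '^br_netfilter'; then
    echo "br_netfilter not loaded; run: modprobe br_netfilter" >&2; return 1
  fi
  if [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" != 1 ]; then
    echo "net.bridge.bridge-nf-call-iptables is not 1; run: sysctl -p" >&2; return 1
  fi
  dmz_forward_rules "$@" | sh -e
}

# On the firewall host (root):
# dmz_firewall_apply 203.0.113.10 80 443
```

If you do want interface-based rules on a bridge, the match to look at is `-m physdev --physdev-in`/`--physdev-out`, which refers to the bridge ports rather than the bridge device itself; the example above sticks to IP matches so it behaves the same way as the post.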

How to remove the read failed after 0 of 4096 I/O error

from: https://freeshell.de/~jose/317/kludges/how-to-temove-the-read-failed-after-0-of-4096-io-error/

Recently, on a very old server, I had to remove a disk. My server was composed of two physical volumes: a RAID5 volume, shown as /dev/sda to the operating system by the SCSI controller, and a single hard disk as /dev/sdb.

As for my /dev/sdb, since there is no way to get a new disk with the same geometry, I decided to remove it.
The BIOS utility of my SCSI controller is quite strange and I cannot remove my one-disk logical volume without removing all the configuration.

root@arch:~# pvdisplay
  /dev/sdb: read failed after 0 of 4096 at 0: input/output Error
  /dev/sdb: read failed after 0 of 4096 at 146695716864: input/output Error
  /dev/sdb: read failed after 0 of 4096 at 146695774208: input/output Error
  /dev/sdb: read failed after 0 of 4096 at 4096: input/output Error
  --- Physical volume ---
  PV Name               /dev/sda1
  VG Name               vg_system
  PV Size               838,12 GiB / not usable 2,00 MiB
  Allocatable           yes
  PE Size               4,00 MiB
  Total PE              214559
  Free PE               21184
  Allocated PE          193375
  PV UUID               ZQQwAs-yGgP-LZXk-3cTy-yaOb-gijr-bnUCz4

So I'd better leave my controller untouched and tell my Linux CentOS to forget the /dev/sdb disk.

root@arch:~# echo 1 > /sys/block/sdb/device/delete
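Writing 1 to the sysfs delete node tells the kernel to drop the device immediately, so it is worth checking first that nothing still uses it. The script below is an added example, not from the post it is quoted from: it validates the device name, refuses if the disk or one of its partitions is mounted or still listed as an LVM physical volume, and only then performs the write. The mounts file and a dry-run switch are parameters so the checks can be exercised on a constructed /proc/mounts copy.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the plain block device name
# (e.g. "sdb") as argument; MOUNTS_FILE and DRY_RUN exist so the logic can be tested
# without touching sysfs.

# Return 0 if the name is a bare device name (no path components, no blanks)
valid_disk_name() {
  case "$1" in
    ''|*/*|*' '*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 if the disk or any of its partitions appears in the mounts file
disk_is_mounted() {
  disk=$1; mounts=${2:-/proc/mounts}
  grep -q "^/dev/${disk}[0-9p]* " "$mounts"
}

# Return 0 if LVM still lists the disk (or a partition of it) as a physical volume.
# When the pvs tool is absent, report "not in use".
disk_is_lvm_pv() {
  disk=$1
  command -v pvs >/dev/null 2>&1 || return 1
  pvs --noheadings -o pv_name 2>/dev/null | grep -q "/dev/${disk}"
}

# Detach the disk from the kernel via sysfs after the safety checks.
delete_scsi_disk() {
  disk=$1
  valid_disk_name "$disk" || { echo "bad device name: $disk" >&2; return 2; }
  if disk_is_mounted "$disk" "${MOUNTS_FILE:-/proc/mounts}"; then
    echo "$disk is still mounted, refusing" >&2; return 3
  fi
  if disk_is_lvm_pv "$disk"; then
    echo "$disk is still an LVM PV; vgreduce --removemissing first" >&2; return 3
  fi
  target="/sys/block/$disk/device/delete"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "echo 1 > $target"; return 0
  fi
  [ -w "$target" ] || { echo "$target is not writable (not root, or no such disk)" >&2; return 4; }
  echo 1 > "$target"
}

# Live usage as root: delete_scsi_disk sdb
```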

php script to monitor OTRS queue size from SNMP

We recently rolled out OTRS at work and it seems quite good; the consultant even handed over the database schema diagram. In my spare time I wrote this PHP script for Opsview to monitor the size of the OTRS support queues. Don't ask why PHP... it's because I really can't write Perl.

Test environment:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"

Without further ado, the script:

#!/usr/bin/php
<?php

# Tomas Tang on 18/02/2014
# Check the OTRS support queue size
# Exit codes follow the Nagios/Opsview plugin convention:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN

# Disable error report
error_reporting(0);

# get arguments: a CLI script only receives its parameters through $argv
$procname = $argv[0];
$queuename = isset($argv[1]) ? $argv[1] : '';
$warnlevel = isset($argv[2]) ? $argv[2] : '';
$critilevel = isset($argv[3]) ? $argv[3] : '';

# keep it for future develop
#$QUEUE = array(
#               "allnew",
#               "escalated",
#               "second_level_support",
#               "first_level_support",
#);


# set query SQL and help
# ($queuename is only compared against fixed names and is never put into the SQL)
if($queuename=='allnew'){
        # all the tickets with state new but not in delete queue
        $sql = "select count(1) from ticket where ticket_state_id=1 and queue_id!=3;";
}elseif($queuename=='escalated'){
        # not in use yet, to be finished
        $sql = "select count(1) from ticket where ticket_state_id=1 and queue_id!=3;";
}elseif($queuename=='first_level_support'){
        # all tickets which are not (pending to) closed
        $sql = "select count(1) from ticket where ticket_state_id in (1,4,6,11) and queue_id=5;";
}elseif($queuename=='second_level_support'){
        # all tickets which are not (pending to) closed
        $sql = "select count(1) from ticket where ticket_state_id in (1,4,6,11) and queue_id=6;";
}else{
        echo "Usage: $procname  <QueueName>  <WarnNumber>  <CriticalNumber>\n";
        echo "      QueueName:      Queue name to query, right now only \"allnew\", \"escalated\", \"first_level_support\" and \"second_level_support\"\n";
        echo "      WarnNumber:     Ticket count at which to warn, required\n";
        echo "      CriticalNumber: Ticket count at which to go critical, must be greater than WarnNumber, required\n";
        exit(3);
}

# Double check query SQL
if(empty($sql)){
        echo "UNKNOWN - Unknown error\n";
        exit(3);
}

# Check arguments again.
if(!is_numeric($warnlevel)||!is_numeric($critilevel)){
        echo "UNKNOWN - Incorrect arguments.\n";
        exit(3);
}elseif($warnlevel>=$critilevel){
        echo "UNKNOWN - Incorrect warn/critical level.\n";
        exit(3);
}

# connect to database with the read-only account (the mysql_* extension is what
# PHP on Ubuntu 12.04 ships). Failures are reported as UNKNOWN (exit 3):
# die("message") would exit with status 0, which the monitoring system reads as OK.
$conn = @mysql_connect("localhost","readonly","readonly");
if(!$conn){
        echo "UNKNOWN - Cannot connect to DB\n";
        exit(3);
}
if(!mysql_select_db("otrs",$conn)){
        echo "UNKNOWN - Cannot select the otrs database\n";
        exit(3);
}

# fetch data
$res = mysql_query($sql,$conn);
if(!$res){
        echo "UNKNOWN - Query failed\n";
        mysql_close($conn);
        exit(3);
}
$result = mysql_result($res,0);

# close db
mysql_close($conn);

if ($result>=$critilevel){
        echo "CRITICAL - Queue size is $result, queue is huge!!!\n";
        exit(2);
}elseif($result>=$warnlevel){
        echo "WARN - Queue size is $result, queue is big!\n";
        exit(1);
}else{
        echo "OK - Queue size is $result, queue is OK.\n";
        exit(0);
}

?>

There is nothing special about the script itself, but the way arguments are passed in was interesting at first: a script like this cannot receive parameters the way a web page does; they only arrive through the array called $argv.

Save the script as

/usr/local/bin/check_otrs_queue

Edit /etc/snmp/snmpd.conf and add the following lines

exec otrs_new_tickets /usr/local/bin/check_otrs_queue allnew 15 20
exec first_level_support /usr/local/bin/check_otrs_queue first_level_support 30 50
exec second_level_support /usr/local/bin/check_otrs_queue second_level_support 10 15

Finally, use check_snmp_exec.sh to run the checks.

How to use gmail as relay host for postfix in Ubuntu 12.04

Reference: https://rtcamp.com/tutorials/linux/ubuntu-postfix-gmail-smtp/

First of all, note that when the recipient receives your email, the sender address will be replaced with the Gmail account you are going to use.

Add the following to /etc/postfix/main.cf

# Define relay host to gmail
relayhost = smtp.gmail.com:587

# Gmail requires tls connections
smtp_use_tls = yes
# Your trusted CA list (Postfix does not allow a comment after a value on the same line;
# the text after # would become part of the value)
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Gmail requires authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# define authentication mechanism
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_sasl_tls_security_options = noanonymous

Then, create the authentication file /etc/postfix/sasl_passwd in the following format:

smtp.gmail.com    USERNAME:PASSWORD

Please note that the username must be your full mail address, including "@gmail.com" or your own domain name.
Then convert the file into the hash format Postfix uses:

#postmap /etc/postfix/sasl_passwd

Remember to restart Postfix at the end

#service postfix restart
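The credentials file holds a clear-text password and the settings above make TLS opportunistic, so two things are worth checking. The script below is an added example, not from the post or the referenced tutorial: it validates a sasl_passwd file (one host and a user:password pair per line, a full address as the user, exact 0600 permissions, and a hash map that is not older than the text file, since a stale .db silently keeps the old password), and a second function goes beyond the post's config by setting smtp_tls_security_level = encrypt so Postfix refuses to send the password without TLS. The file path is a parameter so the checks can run against a constructed copy.

```shell
#!/bin/sh
# Added example, not from the original post. The credentials file path is a parameter;
# the hardening function assumes a Postfix new enough for smtp_tls_security_level (2.3+).

# Exit 0 when the credentials file passes every check, printing each problem otherwise.
check_sasl_passwd() {
  f=${1:-/etc/postfix/sasl_passwd}
  rc=0
  [ -f "$f" ] || { echo "$f: missing"; return 1; }
  # Exact mode 600: the file holds a clear-text password and only root needs it.
  [ -n "$(find "$f" -perm 600 -print)" ] || { echo "$f: mode is not 0600"; rc=1; }
  # Each line: relay host (optionally with :port) followed by user:password
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    host=${line%%[[:space:]]*}
    cred=${line#*[[:space:]]}
    cred=${cred#"${cred%%[![:space:]]*}"}   # trim leading blanks
    case "$cred" in
      *:*) ;;
      *) echo "$host: credentials are not in user:password form"; rc=1; continue ;;
    esac
    user=${cred%%:*}
    case "$user" in
      *@*) ;;
      *) echo "$host: username '$user' lacks a domain (Gmail needs the full address)"; rc=1 ;;
    esac
  done < "$f"
  # postmap must be re-run after every edit
  if [ -f "$f.db" ] && [ "$f" -nt "$f.db" ]; then
    echo "$f.db is older than $f: run postmap $f"; rc=1
  fi
  return $rc
}

# Beyond the post: make STARTTLS mandatory instead of opportunistic, then restart Postfix.
# Run as root on the mail host.
harden_gmail_relay() {
  postconf -e 'smtp_tls_security_level = encrypt'
  postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
  postconf -e 'smtp_sasl_tls_security_options = noanonymous'
}

# Live usage: check_sasl_passwd /etc/postfix/sasl_passwd && harden_gmail_relay && service postfix restart
```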

lsiutil to add hot spare drive on line for mpt raid controllers

environment: HP ProLiant ML150 G5 with Ubuntu 8.04 installed

  • Run “mpt-status -i 1” to get the current array information.

    ioc0 vol_id 1 type IM, 2 phy, 231 GB, state DEGRADED, flags ENABLED
    ioc0 phy 0 scsi_id 2 ATA      GB0250C8045      HPG2, 232 GB, state ONLINE, flags NONE
    ioc0 phy 1 scsi_id 9 ATA      GB0250EAFJF      HPG1, 232 GB, state FAILED, flags OUT_OF_SYNC
  • Run “cat /proc/scsi/scsi” to get information on the available drives
  • Run “lsiutil”
    • Select the correct port; you can find the information in the output from the 1st step
    • Select 8, then 16, to confirm the physical drive information (recommended)
    • Then select 21 to enter “RAID actions”
    • Select 50 “Create hot spare”
    • You need to figure out the 2 parameters yourself; I forgot to write them down
    • The 1st is something like the drive number; you have to compare it against the information I asked you to collect
    • The 2nd is something like the spare group; I suggest you use the same number you used for “mpt-status -i”
    • Then, if you select 2 “show physical disks”, you will see your hot spare drive
    • Last, run 99 “reset port” to activate the hot spare.
    • Select 0 until you are back at the shell
  • Run “mpt-status -i 1” again to confirm it is now recovering
    ioc0 vol_id 1 type IM, 2 phy, 231 GB, state DEGRADED, flags ENABLED RESYNC_IN_PROGRESS
    ioc0 phy 2 scsi_id 2 ATA      GB0250C8045      HPG2, 232 GB, state ONLINE, flags NONE
    ioc0 phy 0 scsi_id 3 ATA      GB0250EAFYK      HPG1, 232 GB, state ONLINE, flags OUT_OF_SYNC
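The array above had sat in DEGRADED state with a FAILED member; a check that reads mpt-status output makes that visible before a second disk goes. The script below is an added example, not from the original post: it reports a volume whose state is not OPTIMAL and any member marked FAILED or OUT_OF_SYNC, and exits non-zero when it finds either, so it can sit in cron or a monitoring check. The sample output is constructed from the lines shown in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Reads mpt-status output on stdin.

# Print one line per problem found; exit 0 if the array is healthy, 1 otherwise.
mpt_status_check() {
  problems=0
  while IFS= read -r line; do
    case "$line" in
      *" vol_id "*)
        # volume line: anything other than OPTIMAL is worth a look
        case "$line" in
          *"state OPTIMAL"*) ;;
          *) echo "volume: $line"; problems=1 ;;
        esac ;;
      *" phy "*)
        # member line: failed or out-of-sync drive
        case "$line" in
          *"state FAILED"*|*"OUT_OF_SYNC"*) echo "member: $line"; problems=1 ;;
        esac ;;
    esac
  done
  return $problems
}

# Live usage (root, same flags as the post): mpt-status -i 1 | mpt_status_check

# Constructed samples: the degraded array from the post, and a healthy one
SAMPLE_DEGRADED='ioc0 vol_id 1 type IM, 2 phy, 231 GB, state DEGRADED, flags ENABLED
ioc0 phy 0 scsi_id 2 ATA      GB0250C8045      HPG2, 232 GB, state ONLINE, flags NONE
ioc0 phy 1 scsi_id 9 ATA      GB0250EAFJF      HPG1, 232 GB, state FAILED, flags OUT_OF_SYNC'

SAMPLE_OK='ioc0 vol_id 1 type IM, 2 phy, 231 GB, state OPTIMAL, flags ENABLED
ioc0 phy 0 scsi_id 2 ATA      GB0250C8045      HPG2, 232 GB, state ONLINE, flags NONE
ioc0 phy 1 scsi_id 3 ATA      GB0250EAFYK      HPG1, 232 GB, state ONLINE, flags NONE'
```

While the resync from the last step is running the volume still reports DEGRADED, so the check keeps firing until the rebuild completes; that is the intended behaviour.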

Installing NUT on Ubuntu 12.04 to monitor an APC UPS

Install the packages

apt-get update
apt-get install nut nut-client nut-server

Use udev to give the device a fixed file name

Create the file 52-nut-usb.rules under /etc/udev/rules.d/ with the following content

# APC - usbhid-ups
# ATTRS{} is the current spelling of the long-deprecated SYSFS{} key; the match is the same
ATTRS{idVendor}=="051d", ATTRS{idProduct}=="0002", MODE="664", GROUP="nut", ATTRS{serial}=="ASNNNNNNNNNN", SYMLINK+="ups-test01"

ASNNNNNNNNNN is the serial number of your APC UPS; you can find it on the unit itself or with the lsusb -v command (the iSerial field).

Reload udev and restart the UPS driver

udevadm control --reload-rules
udevadm trigger
upsdrvctl start

Configure NUT
Change into the /etc/nut directory.

Edit nut.conf and set MODE to netserver

MODE=netserver

Edit ups.conf and append the following:

[ups-test01]
        driver = usbhid-ups
        port = /dev/ups-test01
        desc = "UPS-TEST01"
        serial = "ASNNNNNNNNNN"

Edit upsd.conf and change the LISTEN line: replace 127.0.0.1 with the address you want to listen on, or 0.0.0.0 to listen on all addresses

LISTEN 0.0.0.0 3493

Edit upsd.users and add users in the following format (user permissions are not covered here).

[upsclient]
        password = upsclient
        upsmon slave

[upsmaster]
        password = upsmaster
        upsmon master

Edit upsmon.conf and add a MONITOR line

MONITOR ups-test01@localhost 1 upsmaster upsmaster master

After restarting the nut service the UPS is under monitoring; you can view its basic information with

upsc ups-test01@localhost
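Once upsc works, the same output can drive a simple alert. The script below is an added example, not from the original post: it reads the "name: value" lines upsc prints and returns 0 on line power, 1 on battery, 2 on battery with the low-battery flag set or the charge below a threshold (default 30 percent), and 3 when no ups.status is present at all, which usually means the driver is down or the UPS is unreachable. ups.status and battery.charge are standard NUT variable names; the sample output is constructed, not captured from a real unit.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `upsc` output on stdin.

# Exit 0 when on line power (OL), 1 when on battery (OB), 2 when on battery with
# low battery (LB) or charge at/below the threshold, 3 when ups.status is absent.
ups_state() {
  threshold=${1:-30}
  status=""; charge=100
  while IFS= read -r line; do
    case "$line" in
      "ups.status: "*)     status=${line#ups.status: } ;;
      "battery.charge: "*) charge=${line#battery.charge: }; charge=${charge%%.*} ;;
    esac
  done
  case " $status " in
    *" OB "*)
      case " $status " in *" LB "*) return 2 ;; esac
      [ "$charge" -le "$threshold" ] && return 2
      return 1 ;;
    *" OL "*) return 0 ;;
    *) echo "no usable ups.status (driver down or UPS unreachable?)" >&2; return 3 ;;
  esac
}

# Live usage: upsc ups-test01@localhost | ups_state

# Constructed samples
SAMPLE_ONLINE='battery.charge: 100
ups.status: OL
ups.load: 12'

SAMPLE_ONBATT='battery.charge: 55
ups.status: OB DISCHRG
ups.load: 12'

SAMPLE_LOWBATT='battery.charge: 8
ups.status: OB LB DISCHRG
ups.load: 12'
```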

Adding the web interface
Checking from the command line gives the full picture, but it is often not convenient. NUT also provides a web view, and it is easy to set up.

Install the software

apt-get install nut-cgi apache2

Edit /etc/nut/hosts.conf and add the following:

MONITOR ups-test01@localhost "UPS-TEST01"

Edit the Apache configuration to add an alias pointing at /usr/share/nut, and the monitoring page can then be viewed in a browser.

PIN the kernel to the current version in apt

create a new file under /etc/apt/preferences.d with the following content

Package: linux-server
Pin: version 3.2.0.23.25
Pin-Priority: 1001

Package: linux-image-server
Pin: version 3.2.0.23.25
Pin-Priority: 1001

Package: linux-headers-server
Pin: version 3.2.0.23.25
Pin-Priority: 1001

then run

apt-get update
apt-get dist-upgrade

You will find that you no longer get the kernel upgrade notice.

You can find your current kernel version with

dpkg -l|grep linux

reference: http://linux.die.net/man/5/apt_preferences

Migrating MySQL on Ubuntu

I have been very busy lately, working overtime on server upgrades.

All the servers were upgraded to Ubuntu 10.04 LTS, but migrating MySQL ran into a big problem: after syncing the original data files over, mysql refused to start no matter what.

In the end the boss over there told me it was an AppArmor problem and to turn that AppArmor thing off; sure enough, the database came up.
A quick search suggests AppArmor is something like SELinux, though apparently not at the same level; simply stopping the service is enough to disable it. Reference: https://wiki.ubuntu.com/AppArmor

Two other issues:

1. If the socket file cannot be written, the database will not start either, so also check the permissions on the location you specified for the socket file.
2. Upgrading from 5.0 to 5.1 has a lot of pitfalls; a logical backup is recommended rather than an in-place physical upgrade.

A direct upgrade seems to have problems as well; awaiting further updates.
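The symptom in this post (mysqld refuses to start after the data files are moved) is what AppArmor produces when the data directory is outside the paths its mysqld profile allows. As an added example, not from the original post, the script below shows the alternative to switching AppArmor off: confirm from the kernel log that the denial really comes from the mysqld profile, then grant the new data directory to the profile and reload it. Assumptions: Ubuntu's profile lives at /etc/apparmor.d/usr.sbin.mysqld with a local override file at /etc/apparmor.d/local/usr.sbin.mysqld (present on current Ubuntu releases), the kernel log is /var/log/kern.log, and the data directory /srv/mysql and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are assumptions (see lead-in);
# SAMPLE_KERN_LOG is constructed.

# Print the AppArmor denials for one profile from a log file (default kern.log); exit 1 if none.
apparmor_denials() {
  profile=$1; log=${2:-/var/log/kern.log}
  grep -F 'apparmor="DENIED"' "$log" | grep -F "profile=\"$profile\""
}

# The rules a data directory needs: the directory itself plus everything below it,
# readable and writable with file locking (mysqld locks its files).
apparmor_datadir_rules() {
  dir=${1%/}
  printf '  %s/ r,\n  %s/** rwk,\n' "$dir" "$dir"
}

# Append the rules to the local override and reload the profile (root required).
apparmor_allow_datadir() {
  dir=$1
  local_profile=/etc/apparmor.d/local/usr.sbin.mysqld
  apparmor_datadir_rules "$dir" >> "$local_profile"
  apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
}

# On the server, after moving the data to /srv/mysql:
#   apparmor_denials /usr/sbin/mysqld && apparmor_allow_datadir /srv/mysql && service mysql start

# Constructed log lines: one denial from the mysqld profile and one unrelated status line
SAMPLE_KERN_LOG='Jan  1 00:00:01 db1 kernel: [  123.456] type=1400 audit(1.0:42): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/srv/mysql/ibdata1" pid=1234 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
Jan  1 00:00:02 db1 kernel: [  124.000] type=1400 audit(1.0:43): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=1300 comm="apparmor_parser"'
```

Keeping the profile active and widening it to the one directory that moved preserves the confinement for everything else mysqld could touch, which is the point of having AppArmor on the database host at all.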