Yearly Archives: 2019

How to remove product channels in Suse Manager

Quick post about how to remove the products channels in Suse Manager

There is a way you can add products and their channels in the Suse Manager server using the command line and webpage GUI. But once added it’s not easy to get them removed from the web console. Web console does not provide a direct option to remove product channels from Suse Manager. Also, the command used for adding channel i.e.. mgr-sync also does not support any option to remove channels.

So many of first time Suse Manager administrators stumble upon roadblock on how to remove product channels which are no more needed.

So let’s get started on the process to remove product channels (using command spacewalk-remove-channel) you might have added by mistake on Suse Manager or which are no longer needed and eating up your disk space.

First, you need to list out all the channels on your Suse Manager using mgr-sync list command –

root@kerneltalks # mgr-sync list channels
Available Channels:


Status:
  - [I] - channel is installed
  - [ ] - channel is not installed, but is available
  - [U] - channel is unavailable

[ ] RHEL6-Pool for x86_64 RHEL6 Base x86_64 [rhel6-pool-x86_64]
[I] SLE-Product-HPC-15-Pool for x86_64 SUSE Linux Enterprise High Performance Computing 15 x86_64 [sle-product-hpc-15-pool-x86_64]
    [ ] SLE-Module-Basesystem15-Debuginfo-Pool for x86_64 Basesystem Module 15 x86_64 [sle-module-basesystem15-debuginfo-pool-x86_64-hpc]
    [ ] SLE-Module-Basesystem15-Debuginfo-Updates for x86_64 Basesystem Module 15 x86_64 [sle-module-basesystem15-debuginfo-updates-x86_64-hpc]
    [I] SLE-Module-Basesystem15-Pool for x86_64 Basesystem Module 15 x86_64 [sle-module-basesystem15-pool-x86_64-hpc]
    [I] SLE-Module-Basesystem15-Updates for x86_64 Basesystem Module 15 x86_64 [sle-module-basesystem15-updates-x86_64-hpc]
...

Here let’s consider we need to remove channel sle-product-hpc-15-pool-x86_64. So first you need to remove all the child channels from this base product channel & then you will be able to remove the base channel. If you try to remove parent channel directly without removing child channels you will hit below error –

root@kerneltalks # spacewalk-remove-channel -c  sle-product-hpc-15-pool-x86_64
Error: cannot remove channel sle-product-hpc-15-pool-x86_64: subchannel(s) exist:
                        sle-module-basesystem15-pool-x86_64-hpc
                        sle-module-basesystem15-updates-x86_64-hpc
                        sle-module-devtools15-pool-x86_64-hpc
....

You can clearly see child channels to be removed before you try for parent channel. This is also a good way to get a child channel list quickly!

Then go ahead, remove the child channel followed by base one. For example, see below child channel removal output –

root@kerneltalks #  spacewalk-remove-channel -c sle-module-devtools15-pool-x86_64-hpc
Deleting package metadata (204):
                  ________________________________________
Removing:         ######################################## - complete

Repeat the process and remove all child channels one by one. You can use shell loops to get it done quicker. Finally, remove your parent channel, and you are done.

root@kerneltalks #  spacewalk-remove-channel -c sle-product-hpc-15-pool-x86_64
Deleting package metadata (3):
                  ________________________________________
Removing:         ######################################## - complete

Once done you can confirm that channel is no more enabled in webpage console or using mgr-sync list command.

How to remove lost physical volume from volume group

Leave a reply

The process to remove the missing disk from LVM configuration.

In this article, we will see how to remove a physical volume from the volume group when the disk is removed from the server. Normally, you need to remove the disk from the volume group first using vgreduce and then remove disk physically. But in some cases where disk went bad or you accidentally remove the disk from the server before you remove from VG, PV status will be shown as unknown in vgdisplay like below.

  --- Physical volumes ---
  PV Name               [unknown]
  PV UUID               fPFkBx-lbnG-R6Zo-3kq5-KOLA-U1ou-LdNIMD
  PV Status             allocatable
  Total PE / Free PE    1535 / 1535

And you will start seeing warnings with disk UUID in LVM commands as below –

WARNING: Device for PV fPFkBx-lbnG-R6Zo-3kq5-KOLA-U1ou-LdNIMD not found or rejected by a filter.
Couldn't find device with uuid fPFkBx-lbnG-R6Zo-3kq5-KOLA-U1ou-LdNIMD.

This is because the disk was removed from the server or disk is disappeared from the server without being gracefully removed from LVM.

How to remove missing PV from VG

Now to clean VG after PV is deleted or removed you need to use vgreduce command with --removemissing switch-

# vgreduce  --removemissing datavg
  WARNING: Device for PV fPFkBx-lbnG-R6Zo-3kq5-KOLA-U1ou-LdNIMD not found or rejected by a filter.
  Couldn't find device with uuid fPFkBx-lbnG-R6Zo-3kq5-KOLA-U1ou-LdNIMD.
  Wrote out consistent volume group datavg.

It will clean up all missing physical volumes from the volume group and thus making VG consistent. You will see no more missing PV warnings now!

How to convert JKS file to KEY file for Apache

Leave a reply

Article explaining how to convert java keystore jks into PEM formatted certificate or key file for Apache configuration

Scenario: I have a key file (*.jks) and CSR file generated in using keytool command i.e. in java. I wanted to convert this jks file to *.key file so that it can be used in Apache webserver configuration.

Read how to create java Keystore file *.jks if you want to know how to create CSR using java keytool.

Solution :

JKS file is Keystore used in java. You need to follow the below steps to get your unencrypted key file. Its a two-step process :

Import key data from keystore to PKC12 format
Convert PKCS12 key to un-encrypted PEM

Import key data from keystore to PKC12 format

We will import key data from jks Keystore to new Keystore in PKC12 format using keytool command where –

-srckeystore : Your jks file
-destkeystore : Name of new keystore to create
-deststoretype : Obv has to be PKCS12

You need to provide a password of the source Keystore and also set a new password to the new Keystore.

[root@kerneltalks ~]# keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore keystore.pkcs12 -deststoretype PKCS12
Importing keystore kerneltalks.com.jks to keystore.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias server successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Convert PKCS12 key to un-encrypted PEM

We now need to convert this PKCS12 key in PEM format so that it can be used in the Apache configuration.

[root@kerneltalks ~]# openssl pkcs12 -in keystore.pkcs12  -nodes -nocerts -out kerneltalks.com.key
Enter Import Password:
MAC verified OK

Now verify your private key file.

[root@kerneltalks ~]# file kerneltalks.com.key
kerneltalks.com.key: ASCII text
[root@kerneltalks ~]# file kerneltalks.com.jks
kerneltalks.com.jks: Java KeyStore
[root@kerneltalks ~]# cat kerneltalks.com.key
Bag Attributes
    friendlyName: server
    localKeyID: 54 69 6D 65 20 31 35 35 36 32 30 38 36 31 33 32 36 34
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCLc1bmTilYhwRZ
14CBZEN+TGrzsPAbdg3zBW9nSmnRQRS9qWYLkqSBF1zcTj6T8P5BtDr6MOr7pivZ
DXbS9RPUcJk9JwRskj+FGrOP8qquzCOHXvzgxZNKNYDNdz+YzT3Hz0n4bbhYwYCW
qo+768GSnCJS+i3m+xztTB1hIq881UK4cbujTkm42L3i8YCzycy+Y6my+z4to4yf
kn8t9v2b/18m432+hz/dA+h7aVF8sdterc6c+XC35zdk8kkly+TZPn9DY9piBuPb
DPe/CPa+BTUwHQW/22HcAUwd/T0PWi2MeDWja2KtGrCPB/Tg07ZC8oGnXPF9pADg
ydHR+MHrAgMBAAECggEAD/RQOuUyYciAvO6k6yjXd/myOtNBhULKccVra3veA2zY
vKJG5IgQfhx4KVRiYHawAEBohvtVxxjJ53lc4OHdNO70+UQfg3RwBAB8DroKwRjl
77T0ZZr1MQZSCC/efNLugI+8vMmAz9bDqXk2HJ/qc6WdX7Tzz3tnYdbVfamENwdb
7+w3isHa+XhsJdR9IrpPL35mf2HSeW2WgOMku/GWIdEcCGdxm0cZTx7X1JNBrimm
zAp1+5xVx3ptgrtRYYAihFjQLNvhp5twyAdK2mB4iOpU35c3KPWD2HqNfp0MYPNq
eRlqEdIxFimXMnRw4zSA7GuaSADv5ddS60529KK2IQKBgQC/fK99E/8iSk3UtZvz
/5PUSabnAUK73Z0N5QLZfGwSWF51q0zmxfVQInHXIGIFeqkjt8EOEiOIXi7XyA+c
FG8KBKIkXoeJ/Rzxskzp1yG0L2EePJbUSnxtL4PTqlVCW6H5/C6V4icaMx4nC1Od
4vWmAqtRKBCdF5fMEOKWcn6t8wKBgQC6bqAwQUe4WvcnySN2vjMJiLDPm4RpnnuJ
o1s3pkPDeXaDI+2nD8NJT6GaskJsQhuq9ikdecDljqJIoSi7hCqHO75pUDPWdHIG
QMiyR2OB4NOOCvFf9FuVEz7JMWa7vk+KVgtgaaX3wG7vqsaYJcQ/VgsBqtKDSKS6
j4gaJiECKQKBgEjxcVQfOvBQB8gAinDvKdwTVm3nEAnKiNpTI7u/ZteyLAF9CKVc
QW+OP3loj45wxF+jzvnSNRDsd8GhJzkYm5fgXfemvtD0x4LWne/yEJe3+LHw+K/T
1AQvtnL6DtJhX5l/1CsqZCTZ1iGfcfHSFCtyFtqqfXGqHBwTTo1q/hC7AoGBALbW
2/+3ZjFl9VNtrnw8WS2Wg2F4skorhhkcvs87HuZM72/6Ao9/pBT4JhPjk8U8qIno
1bX0vLvmQT5d3+bX3iW28C203MIMfe+oBazi2rJ73r9F+CgVLORtdXw4GPsz0Cpp
7MpnksACWEpxAEgjce5z4mOGNuNOkU/uiJqsnl7RAoGAb5JbI7nBMJbUQp6QaZjN
tn1ZIaYEF+wyx2XR12iaqWG8RGwLcayZ55wjlAgO+qx3aYoheU4BTlqQiZMP+ytp
vUfV2rbexdqkvQAefg4kFkrFtOMQ7gzVWoIbWIhd5xyEtonvX3lqkm+c/kpxcruP
xe2Elr6dfovdXXadgIBDiSA=
-----END PRIVATE KEY-----

To use this key file in Apache configuration you need to strip off a header. Delete all parts till -----BEGIN PRIVATE KEY----- and save the file. Now you are good to use this *.key file in Apache SSL configuration.

How to export certificate from JKS file

As an addon to this post, I will walk you through how to export a certificate from java Keystore to PEM format. This is again two-step exercise as below –

Export certificate in binary

You read from the Keystore file certificate associated with alias and export it to a binary file. I used alias as server while creating this jks file hence options are –

-export : To export data. This is same as exportcert in newer versions
-alias : Enter same alias you used while creating this java key file
-file : Destination binary file in which you will export
-keystore : Your jks key file

[root@kerneltalks ~]# keytool -export -alias server -file kerneltalks.com.der -keystore kerneltalks.com.jks
Enter keystore password:
Certificate stored in file <kerneltalks.com.der>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore kerneltalks.com.jks -deststoretype pkcs12".

Convert exported certificate data to PEM format

Now we will convert certificate binary to PEM format using below command where –

-in : Input binary means exported file in last command
-out : Output file in PEM format

Now verify your certificate file.

[root@kerneltalks ~]# openssl x509 -inform der -in kerneltalks.com.der -out certificate.pem
[root@kerneltalks ~]# file certificate.pem
certificate.pem: PEM certificate
[root@kerneltalks ~]# cat  certificate.pem
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIEXVVftjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJJ
TjEUMBIGA1UECBMLTWFoYXJhc2h0cmExDzANBgNVBAcTBk11bWJhaTERMA8GA1UE
ChMIUGVyc29uYWwxETAPBgNVBAsTCFBlcnNvbmFsMRgwFgYDVQQDEw9rZXJuZWx0
YWxrcy5jb20wHhcNMTkwNDI1MTYwNzQ3WhcNMTkwNzI0MTYwNzQ3WjB0MQswCQYD
VQQGEwJJTjEUMBIGA1UECBMLTWFoYXJhc2h0cmExDzANBgNVBAcTBk11bWJhaTER
MA8GA1UEChMIUGVyc29uYWwxETAPBgNVBAsTCFBlcnNvbmFsMRgwFgYDVQQDEw9r
ZXJuZWx0YWxrcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCL
c1bmTilYhwRZ14CBZEN+TGrzsPAbdg3zBW9nSmnRQRS9qWYLkqSBF1zcTj6T8P5B
tDr6MOr7pivZDXbS9RPUcJk9JwRskj+FGrOP8qquzCOHXvzgxZNKNYDNdz+YzT3H
z0n4bbhYwYCWqo+768GSnCJS+i3m+xztTB1hIq881UK4cbujTkm42L3i8YCzycy+
Y6my+z4to4yfkn8t9v2b/18m432+hz/dA+h7aVF8sdterc6c+XC35zdk8kkly+TZ
Pn9DY9piBuPbDPe/CPa+BTUwHQW/22HcAUwd/T0PWi2MeDWja2KtGrCPB/Tg07ZC
8oGnXPF9pADgydHR+MHrAgMBAAGjITAfMB0GA1UdDgQWBBTpp/RefN3Sym3rmhFo
oztuqM3H8DANBgkqhkiG9w0BAQsFAAOCAQEAYJ5r7dR/HMpiZis/JQK91njTayYY
v/ucXcc5uFQN6UyteGNmQuC8/7XtURks3gtwJXcrrtOgW9Vc4OSaR05Fwa+IHX53
123SygEfV/3hkTAznHp1xYXtRInOVU8O3U77s9MPbdGEK1mJRn8o0e82OORVd1Zx
u6BJW6K3sNt4odIeWcFJRzh8RA8pN+/zniiVxiM9wzI3pz2u5t8Rb9X/6oWBG75e
BFGzF56rQj2jx0o9aZP55uKHjY0YsTrck52nJi8bRKNfBhM6ojMhWOPu58/Wl0sM
rr6G9sBbkk/jBDf4qXxhDqnuPMXjCyLp7dhScrp5F3Qt61xWWDVnkgmbng==
-----END CERTIFICATE-----

How to add UUID entry in /etc/fstab in Linux

2 Replies

In this short tutorial, we will walk you through how to get UUID of the filesystem so that it can be used in /etc/fstab.

First of all, keep in mind you need to format your logical volume to get UUID registered in the kernel for it. Logical volume without filesystem on it won’t be having UUID attached to it. If you are using partitioning volume manager then disk partitions will have PARTUUID (partition UUID) even if you don’t format them. But it’s not useful in /etc/fstab since fstab deals with formatted partitions.

How to find UUID for logical volume

For this tutorial consider below setup –

[root@kerneltalks ~]# lsblk
NAME           MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda           202:0    0    8G  0 disk
└─xvda1        202:1    0    8G  0 part /
xvdf           202:80   0    1G  0 disk
└─datavg-lvol0 253:0    0 1020M  0 lvm

We have one logical volume named lvol0 in the volume group datavg and now we need to find UUID for it. Use command blkid and grep for your logical volume name to get your desired output –

[root@kerneltalks ~]# blkid |grep lvol0
/dev/mapper/datavg-lvol0: UUID="5caaee32-c3d3-429e-bad7-2898cf923805" TYPE="ext4"

You can see you have UUID for the lvol you mentioned and along with it also sourced its filesystem type which is ext4.

How to add UUID entry in /etc/fstab

Lets add this UUID entry in /etc/fstab using format –

<UUID> <mount directory> <FS type> <mount options> <dump> <pass>

So our entry will look like –

UUID=5caaee32-c3d3-429e-bad7-2898cf923805  /data  ext4  defaults 0 0

We are mounting it on /data directory with default mount options and no fschecks. Add this entry to fstab and run mount -a and mount point established!

[root@kerneltalks ~]# df -Ph /data1
Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/datavg-lvol0  988M  2.6M  919M   1% /data

How to find UUID for disk partition

Consider below setup for finding UUID for disk partition.

[root@kerneltalks ~]# lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0    8G  0 disk
└─xvda1 202:1    0    8G  0 part /
xvdf    202:80   0    1G  0 disk
└─xvdf1 202:81   0 1023M  0 part

Here we have one non-root disk /dev/xvdf with one full partition /dev/xvdf1 on it. And it’s not yet formatted with any filesystem. Now if you run blkid command you will find PARTUUID for this partition.

[root@kerneltalks ~]# blkid |grep xvdf1
/dev/xvdf1: PARTUUID="6d123669-01"

I format it so that I can mount it on the directory. And after formatting it with the ext4 filesystem here is UUID making an entry!

[root@kerneltalks ~]# blkid | grep xvdf1
/dev/xvdf1: UUID="05ba450d-9c60-43f1-9dd1-8b6f89857961" TYPE="ext4" PARTUUID="6d123669-01"

You can compare this output with earlier one and you can see after formatting with ext4 you get UUID which can be used in /etc/fstab as explained earlier in this post.

Troubleshooting check_mk agent in Linux

Leave a reply

Different steps to troubleshoot check_mk agent in Linux

Before we start you may want to check our tutorial about setting up check_mk monitoring in Linux. You might experience issues when adding a server into check_mk monitoring. Below are a few steps, you can check to validate your configuration and communication between check_mk server and client works well.

Port 6556 communication

check_mk communicate over port 6556 by default. You need to check if port 6556 is open between client and server.

Also, you need to check if port 6556 is listening on your check_mk client so that server can fetch details by querying the client on port 6556.

root@kerneltalks#  netstat -lpn | grep 6556
tcp6       0      0 :::6556                 :::*                    LISTEN      24303/xinetd

You can even check using telnet on client and from server to client.

root@kerneltalks # telnet localhost 6556
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

How to restart check_mk agent

check_mk agent runs on top of xinetd service in Linux. So if you make any changes to the config file then you need to reload configuration or restart the agent.

Reload check_mk configuration using below command –

root@kerneltalks # service xinetd reload
Redirecting to /bin/systemctl reload xinetd.service

Restart check_mk agent using below command –

root@kerneltalks # service xinetd stop
root@kerneltalks # service xinetd start

check_mk configuration file

Make sure you have a proper configuration file in place. check_mk configuration file is located at /etc/xinetd.d/check_mk_agent. The sample configuration file is as below –

# Created by Check_MK Agent Bakery.
# This file is managed via WATO, do not edit manually or you
# lose your changes next time when you update the agent.


service check_mk_agent
{
        type           = UNLISTED
        port           = 6556
        socket_type    = stream
        protocol       = tcp
        wait           = no
        user           = root
        server         = /usr/bin/check_mk_agent
        log_on_success =
        disable        = no
        only_from      = 10.10.1.2 10.10.1.3
}

only_from field denotes check_mk server IPs to which your agent will communicate. It will be populated by RPM you used to install. If it doesn’t reflect proper values you can edit it and reload check_mk configuration by using commands mentioned above.

check_mk agent updater

Check update for check_mk agent and download from the server using check_mk updater.

root@kerneltalks #  cmk-update-agent -v -v
+-------------------------------------------------------------------+
|                                                                   |
|  Check_MK Agent Updater - Update                                  |
|                                                                   |
+-------------------------------------------------------------------+
Read /etc/cmk-update-agent.state.
Getting target agent configuration from deployment server
Fetching URL: http://kerneltalks1/master/check_mk/deploy_agent.py?...
Response from deployment server:
AgentAvailable: False

Read /etc/cmk-update-agent.state.
Saved deployment status to /etc/cmk-update-agent.state.
No agent available for us.

Using this command you can even see to which server client is registered. If the client is not registered with check_mk server then you will see below error –

root@kerneltalks # cmk-update-agent -v -v
+-------------------------------------------------------------------+
|                                                                   |
|  Check_MK Agent Updater - Update                                  |
|                                                                   |
+-------------------------------------------------------------------+
Read /etc/cmk-update-agent.state.
Getting target agent configuration from deployment server
Fetching URL: http://kerneltalks1/master/check_mk/deploy_agent.py?...
ERROR This host is not registered for deployment

cmk-update-agent can not execute binary error

If you come across below error while executing cmk-update-agent command then it’s probably you are running binary of architecture it is not meant to run. e.g. you are running x86 binary on ARM server

/usr/bin/cmk-update-agent: line 8: /usr/lib/check_mk_agent/plugins/21600/cmk-update-agent: cannot execute binary file

Solution: Make sure you install the proper architecture package on your server which matches your server architecture. Generally x86 check_mk package is marked as noarch package but it will land you up in the above issue when you install it on the ARM arch server.

check_mk xinetd error

---------------------------------------------
WARNING
This package needs xinetd to be installed.
Currently you do not have installed xinetd.
Please install and start xinetd or install
and setup another inetd manually.
It's also possible to monitor via SSH without
an inetd.
---------------------------------------------

Solution: Install xinetd package. Start and enable xinetd service. If you are running a newer kernel/OS like Suse 15 SP1, xinetd is not available in it. Its sockets being served by systemd. You need to install a higher version of check_mk agent RPM which identifies systemd sockets and it won’t show you above error. e.g. version 1.4 packages were showing above error to me while when I used version 1.5 package, it got away and installation succeeded.

check_mk python error

---------------------------------------------
ERROR
Failed to install agent: Could not find a
'python' interpreter.
---------------------------------------------

Solution: It means you have a higher version of python like python3 and agent rpm is looking for python. Use the higher version of check_mk agent which understands the latest python binaries (which has nomenclature with like python3 and not python)

How to add new disk in Linux

Leave a reply

Step by step procedure to add disk in Linux machine

In this article, we will walk you through steps to add a new disk in the Linux machine. Adding a raw disk to the Linux machine may vary depending upon the type of server you have but once the disk is presented to the machine, the procedure of getting it to mount points is almost the same.

Objective: Add a new 10GB disk to the server and create a 5GB mount point out of it using LVM and newly created volume group.

Adding raw disk to Linux machine

If you are using the AWS EC2 Linux server, you may follow these steps to add raw disk. If you are on VMware Linux VM you will have a different set of steps to follow to add disk. If you are running a physical rack-mount/blade server then adding disk will be a physical task.

Now once the disk is attached to the Linux machine physically/virtually, it will be identified by the kernel and then our rally starts.

Identifying newly added disk in Linux

After the attachment of the raw disk, you need to ask the kernel to scan a new disk. Mostly it’s done now automatically by the kernel in new versions.

First thing is to identify the newly added disk and its name in the kernel. There are numerous ways to achieve this. I will list a few –

You can observer lsblk output before and after adding/scanning disk to get a new disk name.
Check newly created disk files in /dev filesystem. Match timestamp of file and disk addition time.
Observer fdisk -l output before and after adding/scanning disk to get a new disk name.

For our example, I am using the AWS EC2 server and I added 5GB disk to my server. here is my lsblk output –

[root@kerneltalks ~]# lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0  10G  0 disk
├─xvda1 202:1    0   1M  0 part
└─xvda2 202:2    0  10G  0 part /
xvdf    202:80   0  10G  0 disk

You can see xvdf is our newly added disk. Full path for disk is /dev/xvdf.

Add new disk in LVM

We are using LVM here since its widely used and flexible volume manager on the Linux platform. Make sure you have lvm or lvm2 package installed on your system. If not, install lvm/lvm2 package.

Now, we are going to add this RAW disk in Logical Volume Manager and create 10GB of mount point out of it. List of commands you need to follow are –

If you are willing to add a disk to the existing mount point and use its space to extend mount point then vgcreate should be replaced by vgextend.

Sample outputs from my session –

[root@kerneltalks ~]# pvcreate /dev/xvdf
  Physical volume "/dev/xvdf" successfully created.
[root@kerneltalks ~]# vgcreate vgdata /dev/xvdf
  Volume group "vgdata" successfully created
[root@kerneltalks ~]# lvcreate -L 5G -n lvdata vgdata
  Logical volume "lvdata" created.

Now, you have a logical volume created. You need to format it with the filesystem on your choice and mount it. We are choosing ext4 filesystem here and formatting using mkfs.ext4 .

[root@kerneltalks ~]# mkfs.ext4 /dev/vgdata/lvdata
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310720 blocks
65536 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

Mounting volume from new disk on mount point

Lets mount the logical volume of 5GB which we created and formatted on /data mount point using mount command.

[root@kerneltalks ~]# mount /dev/vgdata/lvdata /data
[root@kerneltalks ~]# df -Ph /data
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/vgdata-lvdata  4.8G   20M  4.6G   1% /data

Verify your mount point with df command as above and you are all done! You can always add an entry in /etc/fstab to make this mount persistent over reboots.

You have attached a 10GB disk to the Linux machine and created a 5GB mount point out of it!

How to use sudo access in winSCP

4 Replies

Learn how to use sudo access in winSCP with screenshots.

Before you move into configurations, make sure that the user is having NOPASSWD access to sudo to target user or root account. This means /etc/sudoers file must have entry something like below –

user1 ALL=(root) NOPASSWD: ALL

Once you have proper sudo configuration you can go ahead with WinSCP config. This is to ensure that once shell tries sudo it should be non-interactive.

First of all, you need to check where is your SFTP server binary located on the server you are trying to connect with WinSCP.

You can check SFTP server binary location with below command –

[root@kerneltalks ~]# cat /etc/ssh/sshd_config |grep -i sftp-server
Subsystem sftp  /usr/libexec/openssh/sftp-server

Here you can see sftp server binary is located at /usr/libexec/openssh/sftp-server

Now open winSCP and click Advanced button to open up advanced settings.

It will open up an advanced setting window like one below. Here select SFTP under Environment on the left-hand side panel. You will be presented with an option on the right hand side.

Now, add SFTP server value here with the command sudo su -c here as displayed in the screenshot below –

So we added sudo su -c /usr/libexec/openssh/sftp-server in settings here. Now click Ok and connect to the server as you normally do.

After connection, you will be able to transfer files from the directory where you normally need sudo permission to access.

That’s it! You logged to server using WinSCP and sudo access.

How to redirect port in Linux using iptables

Leave a reply

Short post to explain how to redirect port in Linux using iptables.

In this short tutorial, we will walk you through the process to redirect port using iptables. How to check port redirection in Linux and how to save iptables rules.

Here are few iptables tutorials for your basics :

Our requirement is to redirect port 80 to port 8080 in the same server. This can be done by adding rules in PREROUTING chain. So run below command –

[root@kerneltalks ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

If you have an interface name other than eth0 then you need to edit your command accordingly. You can even add your source and destinations as well in same command using --src and --dst options. Without them, it’s assumed to any source and any destination.

How to check port redirection in iptable

Verify port redirect rule in iptables using below command –

[root@kerneltalks ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
..............

You can see port 80 is being redirected to port 8080 on the server. Note here target is REDIRECT. Do not get confused with port redirection with port forwarding.

How to save iptables rules

To save iptables rules and make them persistent over reboots use below command –

[root@kerneltalks ~]# iptables-save

How to forward port using iptables in Linux

2 Replies

Quick article to demonstrate how to configure port forwarding in Linux using iptables.

In this article, we will walk you through port forwarding using iptables in Linux. First of all, you need to check if port forwarding is enabled or not on your server. For better understanding, we will be using eth0 as a reference interface and all our command executions will be related to eth0 in this article.

How to check if port forwarding is enabled in Linux

Either you can use sysctl to check if forwarding is enabled or not. Use below command to check –

[root@kerneltalks ~]#  sysctl -a |grep -i eth0.forwarding
net.ipv4.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0

Since both values are zero, port forwarding is disabled for ipv4 and ipv6 on interface eth0.

Or you can use the process filesystem to check if port forwarding is enabled or not.

[root@kerneltalks ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
0
[root@kerneltalks ~]# cat /proc/sys/net/ipv6/conf/eth0/forwarding
0

Again here process FS with zero values confirms port forwarding is disabled on our system. Now we need to first enable port forwarding on our system then we will configure port forwarding rules in iptables.

How to enable port forwarding in Linux

As we checked above, using the same methods you can enable port forwarding in Linux. But its recommended using sysctl command rather than replacing 0 by 1 in proc files.

Enable port forwarding in Linux using sysctl command –

[root@kerneltalks ~]# sysctl net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth0.forwarding = 1
[root@kerneltalks ~]# sysctl net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.forwarding = 1

To make it persistent over reboots, add parameters in /etc/sysctl.conf

[root@kerneltalks ~]# echo "net.ipv4.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kerneltalks ~]# echo "net.ipv6.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kerneltalks ~]# sysctl -p
net.ipv4.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1

Now, we have port forwarding enabled on our server, we can go ahead with configuring port forwarding rules using iptables.

How to forward port in Linux

Here we will forward port 80 to port 8080 on 172.31.40.29. Do not get confused port forwarding with port redirection.

We need to insert an entry in PREROUTING chain of iptables with DNAT target. Command will be as follows –

# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.40.29:8080
# iptables -A FORWARD -p tcp -d 172.31.40.29 --dport 8080 -j ACCEPT

Change interface, IP and ports as per your requirement. The first command tells us to redirect packets coming to port 80 to IP 172.31.40.29 on port 8080. Now packet also needs to go through FORWARD chain so we are allowing in in the second command.

Now rules have been applied. You need to verify them.

How to check port forwarding iptables rules

Command to verify port forwarding rules is –

[root@kerneltalks ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.31.40.29:8080

Here REDIRECT target means its a redirection rule. Since we have configured forwarding rule we see the target as DNAT

How to save iptables rules

To save iptables rules and make them persistent over reboots use below command –

[root@kerneltalks ~]# iptables-save

Script to create mount points in LVM

2 Replies

Here is a little script to create a mount point using CSV file which has a mount point name, size, and VG name.

Caution : Use script on your own risk!
Do not use it on production servers. Test it and use it on newly built/dev/testing servers.

Below is the script code. Save it under /tmp/lvm_script.sh and also save your CSV file under the same directory with the name list.csv

CSV file format is mount point name,size in GB,VG name. For example : /data,10,data_vg

Script code :

#Script to create mount point using CSV file
#Author : Shrikant Lavhate (kerneltalks.com)
#Save CSV file as list.csv in current working directory with format mount point name,size in GB,VG name

chckfail()
{
        if [ $? -ne 0 ];then
                echo "Check error above. Halting..."
                exit 1
        fi
}

for i in `cat list.csv`
do
        kt_mountname=`echo $i | cut -d, -f1`
        kt_lvname=`echo $i |cut -d, -f1|cut -c 2-|tr / _`
        kt_vgname=`echo $i | cut -d, -f3`
        kt_lvsize=`echo $i | cut -d, -f2`
        kt_lvsize="${kt_lvsize}G"
        lvcreate -n $kt_lvname -L $kt_lvsize $kt_vgname >/dev/null
        chckfail
        mkfs.ext4 /dev/$kt_vgname/$kt_lvname >/dev/null
        chckfail
        mkdir -p $kt_mountname >/dev/null
        chckfail
        mount /dev/$kt_vgname/$kt_lvname $kt_mountname>/dev/null
        chckfail
        echo "/dev/$kt_vgname/$kt_lvname $kt_mountname ext4 defaults 0 0">>/etc/fstab
        chckfail
done

Breaking the code :

Quick walk through above code.

Part one is chckfail function which used to check if the command ran is successful or not. If the command failed, it will stop the execution of the script and exits.
Variable part extracts mount point name, size, VG to be used details from CSV file. It also creates LV names out of mount point name in CSV
Standard LVM commands to create LV, format it with EXT4, create mount point directory, and mount LV on it.
Finally, it adds an entry to /etc/fstab for the persistent mount.

Modifying script for your requirement :

If you are using size in MB then remove line kt_lvsize="${kt_lvsize}G"
If you are using size in TB then replace G with T in above mentioned line.
If you are using filesystem other than ext4 then change mkfs.ext4 & /etc/fstab command accordingly.