Archive for the 'unix' category

ImageMagick: centering an image on a background

September 29, 2010
The ImageMagick digital image processing package, used together with the terminal on Linux, can speed up and simplify some trivial but tedious tasks, and on top of that spares the user from endless clicking around in photo editing programs, even for a simple intervention.

“Planet of the Users”

September 10, 2009

I just read that Theo de Raadt released a new song for the upcoming OpenBSD 4.6 called "Planet of the Users". And I must say I like it. These release songs have been so much fun in the past and, together with the artwork for each release, make OpenBSD even more fun. You may download the new song here. And check out the lyrics here.

How many FreeBSD hackers does it take to change a lightbulb?

July 22, 2009

One thousand, one hundred and seventy-two: Twenty-three to complain to -current about the lights being out; Four to claim that it is a configuration problem, and that such matters really belong on -questions; Three to submit PRs about it, one of which is misfiled under doc and consists only of “it’s dark”; One to commit an untested lightbulb which breaks buildworld, then back it out five minutes later; Eight to flame the PR originators for not including patches in their PRs; Five to complain about buildworld being broken; Thirty-one to answer that it works for them, and they must have cvsupped at a bad time; One to post a patch for a new lightbulb to -hackers; One to complain that he had patches for this three years ago, but when he sent them to -current they were just ignored, and he has had bad experiences with the PR system; besides, the proposed new lightbulb is non-reflexive; Thirty-seven to scream that lightbulbs do not belong in the base system, that committers have no right to do things like this without consulting the Community, and WHAT IS -CORE DOING ABOUT IT!? 
Two hundred to complain about the color of the bicycle shed; Three to point out that the patch breaks style(9); Seventeen to complain that the proposed new lightbulb is under GPL; Five hundred and eighty-six to engage in a flame war about the comparative advantages of the GPL, the BSD license, the MIT license, the NPL, and the personal hygiene of unnamed FSF founders; Seven to move various portions of the thread to -chat and -advocacy; One to commit the suggested lightbulb, even though it shines dimmer than the old one; Two to back it out with a furious flame of a commit message, arguing that FreeBSD is better off in the dark than with a dim lightbulb; Forty-six to argue vociferously about the backing out of the dim lightbulb and demanding a statement from -core; Eleven to request a smaller lightbulb so it will fit their Tamagotchi if we ever decide to port FreeBSD to that platform; Seventy-three to complain about the SNR on -hackers and -chat and unsubscribe in protest; Thirteen to post “unsubscribe”, “How do I unsubscribe?”, or “Please remove me from the list”, followed by the usual footer; One to commit a working lightbulb while everybody is too busy flaming everybody else to notice; Thirty-one to point out that the new lightbulb would shine 0.364% brighter if compiled with TenDRA (although it will have to be reshaped into a cube), and that FreeBSD should therefore switch to TenDRA instead of EGCS; One to complain that the new lightbulb lacks fairings; Nine (including the PR originators) to ask “what is MFC?”; Fifty-seven to complain about the lights being out two weeks after the bulb has been changed.

From The FreeBSD Funnies

Weekend workings…

July 11, 2009

Weekend… finally! I haven’t been able to post anything interesting since the week behind us was so… well, a lot of things happened at work. I became a project manager (PM) at MySkin. I’m still working as a security consultant; it’s just that now I have to work with the whole team to push our project forward. Fun never stops! In the meantime a new FreeBSD beta was released. I haven’t been reading the mailing lists too carefully, thus I missed that 8.0 had become BETA. I’m downloading the USB stick image - thank you for this, FreeBSD team! I just have to put this new baby on my other laptop and test it. Oh, and Facebook related comments are going straight to /dev/null from now on. Sorry people, but you say/ask such dumb stuff I just can’t afford to fill my blog’s DB with that crap. Chill out a bit. Go out. Have a drink.

Some good reasons why you should use Linux

March 1, 2009

If you are hesitating about whether to install Linux on your computer, here are some good reasons to install it:

- On Linux you can watch improvements appear every day, since there is as much room for improvement as you like; they can't manage to improve everything that needs it.

- You can customize Linux to yourself so much that when someone else, who otherwise uses the same Linux distribution at home, sits down at your computer, they won't be able to find their way around because everything is different.

- Even if you don't customize it, every Linux installation is a little different, which is good because the kid next door can't memorize how things are done, where things are and what they are called, so he can't pose as an expert.

- When on…

Unixtime = 1234567890

February 13, 2009
Unixtime is an interesting and efficient way of keeping time on Unix-based operating systems. The philosophy behind it is simple: the number denotes how many seconds have elapsed since midnight on January 1, 1970 (UTC). This way of keeping time cannot boast great accuracy (it does not include leap seconds), but for the job [...]

Today is Friday the 13th.

February 13, 2009
Friday is the day that occurs most often in the 400-year Gregorian cycle, so Friday the 13th has symbolically become the day when good or bad things happen (the mystery of the number 13 some other time). On this day, UNIX time will reach an impressive value.

FreeBSD 7.x, DRM, Intel 945GM…

January 9, 2009

I’ve been having issues with FreeBSD 7.x and the Intel graphics card on my laptop. Well, at first I didn’t blame XOrg or the graphics card. The issue was the following: for no apparent reason my system would freeze now and then. I could not repeat the crash and the logs didn’t say much. The only thing dmesg gave me were some gnome-keyring-daemon errors. So I blamed GNOME. I deinstalled everything that needed gnome-keyring and moved to XFCE4 or E17. It worked OK for some time and then it started again. And then I found this: http://forums.freebsd.org/showthread.php?t=1345&highlight=Xorg In the meantime I had a chat on an IRC channel with a fellow who’s having similar issues with his laptop. We figured out that Intel and FreeBSD’s DRM aren’t really working well together. Too bad. So, the only solution would be to disable DRI, DRM and so on… I’ve disabled GLX, DRI and GL. It seems to be working OK for now. Though, I think I’ll be going back to my dear OpenBSD this weekend.

A Unix / Linux command

November 18, 2008
Those who use Linux know that commands can be quite interesting. Here is "one", from a friend's Facebook status: who | grep -i blonde | date; cd~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep What these commands are for… check for yourselves :))

.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

September 26, 2008

One of those days when extremely strange problems happen on the system. The phone rings, a colleague from support calls and reports that a client's site isn't working and constantly returns a 403 error. I look at the site; it really does. Fine, shovel in hand, let's dig through the Apache logs a bit. And there it is, what you see in the title. I look at the .htaccess file and realize there is absolutely nothing in it. Fine, I put error_log under the tail - tail -f error_log - and watch what happens. A bunch of people are trying to access the site without much success, since they get the same error as I do. I change the CHMOD of .htaccess to 777. Nothing. And then I realize this message is a decoy. It led me to look in the wrong place. Soon I figure out that the problem is that the whole public_html directory is set up wrong and its permissions are 644. One small change to 755 and everything works as it should. This is one of those senseless problems a person wastes a whole day on… I wasted only 10 minutes, but even that is a lot.

25.07. - System Administrators Day

July 25, 2008

For the ninth time in a row, the world day of system administrators is being celebrated. A day when we remember how important our system administrators are to us. Fellow admins, happy holiday! System down!

Mounting an LVM file system

July 23, 2008
You have probably had problems mounting an LVM file system by now, or you will. So here is how to do it, so that you are prepared.

1. Install LVM:

sudo apt-get install lvm2
sudo cp -r /lib/lvm-200/ /lib/lvm-0

2. Check which device holds the partition you want to mount:

lvdisplay

3. Run the following commands:

sudo modprobe dm-mod
sudo vgchange -ay
sudo mkdir /mnt/old
sudo mount /dev/VolGroup00/LogVol00 /mnt/old

4. The /mnt/old folder must be valid, since that is where the partition in question will be mounted. Good luck!

IE and e-banking under Linux

July 20, 2008
You may have already seen the possibility of installing IE under the Linux operating system, but I would like to remind you! I just discovered this possibility and I'm completely thrilled, since I have long been looking for a way to use e-banking under the penguin (e-banking requires ActiveX controls). The trick is in Wine, of course, and good people have put up a script on [this page | http://www.tatanka.com.br/ies4linux/page/Main_Page] that installs IE and configures Wine completely automatically. Instructions exist for several mainstream distributions. I successfully set up e-banking with Intesa bank, while with Meridian it doesn't go so well, since the bank's server requires the prior installation of Pexim's security component, which is used for signing orders. Wine installs that component, but since I don't know much about Wine, I can't figure out how to convince the bank's server that the component is installed.

Securing the SSH daemon (accessing the server with a key using PuTTY)

July 20, 2008
Since we all have some server where security is never enough, here is a short how-to for creating SSH keys and securing the daemon. So, let's start:

1. Using your favorite editor, edit the file located at /etc/ssh/sshd_config

2. The following entries in that file should look like this:

Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10

So the entries changed here should look the same in your sshd config file.

3. Log in as the user you want to access the server with and type:

ssh-keygen -t rsa

In the prompts that follow, enter only the passphrase you will use for your key (this passphrase unlocks the key; it is not the user's password!)

4. After that, type:

cd ~/.ssh/ && cp id_rsa.pub authorized_keys

5. The id_rsa file located in ~/.ssh/ needs to be copied to your Windows machine if you want to access your server from it (you can copy it with the WinSCP program).

6. Once we have copied that file, we download PuTTYgen and follow these instructions: load the id_rsa file and enter the passphrase we specified when creating it.

7. After entering the passphrase, click "Save private key" and save the *.ppk file in the desired folder.

8. Now open PuTTY and enter the IP and port of the server.

9. On the left side of PuTTY, click the SSH field, where we specify that it should use version 2 only ("2 only").

10. In the "Auth" field, open the *.ppk file we just created.

11. After entering the key, go back to the Session field (on the left) and in the "Saved sessions" field enter a name for our server and click "Save".

12. On the server, restart the sshd daemon with the command (if it is Linux) "service sshd restart"

13. You have successfully secured SSH access to your server with a key only.

NOTE: Do not log out of the server until you have verified that the KEY works!!, otherwise you may lose access to your server "forever".

FreeBSD 7 and the Firefox 3 Guinness record

June 24, 2008

Behind us is Firefox's record for the number of copies downloaded in one day. In the first four hours, over 3 million copies were downloaded. In figures: 3 000 000. Outstanding! But what interests me, and what I bet you didn't know, is the role of FreeBSD 7 in this new Mozilla and in breaking the record. The new Firefox took a couple of very important functions from our beloved daemon from Berkeley that gave it stability and security. Firefox 3 has a new memory allocator, jemalloc, written by Jason Evans, a member of the FreeBSD development team. Although jemalloc is already part of the FreeBSD 7 operating system, the Mozilla development team decided to put this function into Firefox 3 itself. Stuart Parmenter, one of Mozilla's programmers, says on his blog: "We noticed memory usage reductions of up to 22% when jemalloc was enabled." The second important function is bsdiff. It is the system for binary updating of FreeBSD systems. This significantly sped up Firefox updates and reduced the resources they use. Apple has also started using this system for updating its OS X (I just wonder how exactly they thanked the community and what they gave back… bandits!) And now the most important moment of our story and the reason every FreeBSD user feels proud of their system. Mozilla's main download server, the only one that did not go down once during this download frenzy, is located at the Internet Systems Consortium (ISC) - mozilla.isc.org. ISC is an organization that has long supported the FreeBSD system, so this server of theirs was also running FreeBSD 7. The server handled a load of a gigabit per second at the moments with the highest number of connections to it. "ISC experienced four times the usual load on the mozilla.isc.org site during Download Day," said Peter Losher, a manager at ISC. "As usual, FreeBSD proved to be a rock-solid platform and allowed us to deliver the content without problems." FreeBSD 7. Remember that name. Worthy of the slogan "The Power to Serve".
What, you still haven't switched to FreeBSD? :)

Advanced paranoia for the OpenSSH server

May 8, 2008

After one of the discussions on the linuxo.net forums, it occurred to me to put together a small guide for increasing the security of an OpenSSH server. OpenSSH is an excellent application for remote access to computers because it provides an encrypted connection and the full feeling of working on the command line as on a local machine. OpenSSH is, mind you, a project of the OpenBSD crew. So, there are several ways to protect your SSH access from the curious and from bad people. Here I will concentrate on one specific one: certificates. Using certificates for access to a remote machine is one of the better ways to increase the overall security of a server. Certificates are usually used for so-called passwordless access. Namely, so that you don't have to remember your password all the time, you create a certificate without a passphrase and use it to access the system. This is bad, because if someone gets hold of your certificate, problems arise. For this occasion I will nevertheless use a certificate with a passphrase. So, let's get to work (udaljena_masina stands for the remote host):

local$ ssh-keygen -t rsa        (be sure to enter a passphrase when it asks for one)
local$ scp ~/.ssh/id_rsa.pub udaljena_masina:
local$ ssh username@udaljena_masina
remote$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
remote$ chmod 644 ~/.ssh/authorized_keys        (be sure to do this, otherwise the system will not read the certificate and will ask for a password instead)

That's it. Disconnect from the remote machine, and when you try to connect again you will get something like this:

Enter passphrase for key ‘/home/nightweaver/.ssh/id_rsa’:

Enter the RSA key passphrase and you will be on the system. OK, let's go a step further. If someone has no certificate they will be dropped to the ordinary login. We don't want that. We want only people with a certificate to be able to access the system. Here come the moments of advanced paranoia. First of all, let's create a user with an unusual name. Something that will be hard to link to you. Say, gatto. So, we have the user gatto. Let's move that certificate from earlier into gatto's home directory.
Let's check whether it works by doing: ssh gatto@udaljena_masina. If it asks for the certificate passphrase, everything is OK. Let's move on. The OpenSSH server does not have to listen on the default port 22. That's the port that various scanners will attack first. Let's move that port to something high and non-standard. Say: 7000. I'm doing all this on an OpenBSD machine, but the procedure is identical for FreeBSD and GNU/Linux. So:

vim /etc/ssh/sshd_config

Near the top of the file you will see the line: Port 22. Change it to 7000. Save the changes and restart the SSH server. Now you will connect to the system like this:

ssh -p 7000 gatto@udaljena_masina

and sftp will work like this:

sftp -oPort=7000 gatto@udaljena_masina

Check that everything works as it should. Works? Great, let's move on. As I already mentioned, if someone has no certificate they will be asked for an ordinary password. But we want those "brute force" password attempts to be completely disabled. Let's change the sshd_config settings to look like this:

LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
AllowUsers gatto

This achieves the following: the user has 1m to enter their password, direct root login is not allowed, and they will have only three chances to enter the password. The last line is very useful. Only the usernames listed there will be able to approach the SSH server at all. So even if you don't use certificates, only the user gatto will be able to log in. Cunning, isn't it? Let's move on. Let's tell the system where its RSA keys are:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Let's turn off everything else:

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes

The next lines are very important. Set these to NO only if you have previously tested access with RSA keys, because once you switch these to NO it will no longer be possible to enter the system with an ordinary password.

PasswordAuthentication no
PermitEmptyPasswords no

So, now only the user gatto can attempt to log in, and only if he has an RSA certificate.
But this wasn't enough for me. I wanted that even if someone manages to get into the system, they cannot just get to the root account. So I didn't put the user gatto in the wheel group, and therefore the su command did not work for him. But gatto can switch to another user. I made myself a working account, nightweaver, which is a member of the wheel group and can become root. Let's now sketch out what entering the system looks like:

A has no certificate and does not know the allowed user –> server: rejected at the first attempt to approach
A has a certificate but does not know the allowed user –> server: rejected at the first attempt to approach
A has a certificate and knows the allowed user, but not which user can do su –> cannot do much damage

The path to the system would then look like this:

A must have the certificate
A must know which user uses that certificate and what the certificate's passphrase is
A must know which user on the server can do su and what his password is
A must switch to the user who can do su and only then become root

All this may look quite complicated… believe me, it's not. Try it yourself and you'll see. As someone who has been dealing with computer network security for quite a long time, I can tell you that no system will ever be the most secure. With enough effort and knowledge, every protection can sooner or later be broken. But why not complicate the path to the system for those who don't belong there?
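Both SSH posts on this page (this one and "Securing the SSH daemon") end with a hand-edited sshd_config. The following is an added example, not code from the posts: it reads an sshd_config the way sshd itself does (keyword case-insensitive, whole-line '#' comments, optional '=' separator, first occurrence of a keyword wins, settings under a Match line only apply conditionally) and reports every directive that is missing or differs from the values the posts ask for. EXPECTED, SAMPLE_CONFIG and the function names are my own; the directive names are those from the posts.

```python
import re

# The hardened values the posts settle on (Port is left out: 22 vs 7000 is a site choice).
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "strictmodes": "yes",
    "maxauthtries": "3",
    "logingracetime": "1m",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "hostbasedauthentication": "no",
    "rhostsrsaauthentication": "no",
    "ignorerhosts": "yes",
}

# Constructed sample config: two weak settings and one missing directive are left in on purpose.
SAMPLE_CONFIG = """\
# sshd_config (constructed for this example)
Port 7000
Protocol 2
# weak: root may still log in directly
PermitRootLogin yes
StrictModes yes
LoginGraceTime 1m
# sshd also accepts the 'keyword = value' form
MaxAuthTries = 3
AllowUsers gatto
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
IgnoreRhosts yes
# weak: passwords still accepted; the later 'no' is ignored because the first value wins
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Parse sshd_config text into (global_settings, match_blocks).

    Keywords are stored lowercased; only whole-line '#' comments are skipped; the first
    occurrence of a keyword wins; everything after a 'Match' line is collected in its own
    block because it applies only when the Match criteria are met.
    """
    settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = settings if current is None else current["settings"]
        target.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, match_blocks


def audit(settings, expected=EXPECTED):
    """Return (keyword, found, expected) for each deviation; found is None when the
    directive is absent, meaning sshd's compiled-in default applies instead."""
    findings = []
    for key, want in expected.items():
        have = settings.get(key)
        if have is None or have.lower() != want.lower():
            findings.append((key, have, want))
    return findings


def allowed_users(settings):
    """The AllowUsers list; empty when the directive is missing (every user may try)."""
    return settings.get("allowusers", "").split()


if __name__ == "__main__":
    cfg, blocks = parse_sshd_config(SAMPLE_CONFIG)
    for key, have, want in audit(cfg):
        print(f"{key}: found {have!r}, expected {want!r}")
    print("AllowUsers:", allowed_users(cfg) or "<none: all users may try>")
    print("Match blocks (check separately):", [b["criteria"] for b in blocks])
```

On the server itself, `sshd -T` prints the effective value of every directive (defaults included), and feeding that output to parse_sshd_config() audits what sshd actually runs with rather than what the file says.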

Why I love strace

March 25, 2008

Strace is a tool that should be in the toolbox of every system administrator. Not only can it help in troubleshooting simple problems (e.g. missing libraries in a newly created chroot, which ldd mysteriously fails to report), but it also helps in debugging very complex system problems and performance issues.

Recently I experienced a very strange problem with one of the RHEL 3 servers we’ve got. The problem manifested in a very strange way: SSH and su logins hung, other daemons were also hanging during startup, the only way to reboot or shut down the server was to physically press the reset/power-off button, etc. All this could have been caused by problems at both the software and the hardware level. The first suspect was a bad RAID controller, but after tests this proved to be a red herring. After more tests and brainstorming, hardware problems were definitely excluded, so the problem had to be on the software side. But what could the problem be?

After a few more misleading steps I tried to trace the system calls made by the su command and found very interesting results.

$ strace -f -s 1024 -o /tmp/su.strace.out su -
[– cut –]
3138 open("/dev/audit", O_RDWR) = 3
3138 fcntl64(3, F_GETFD) = 0
3138 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
3138 ioctl(3, 0x801c406f

And this is where the strace output ends and the su command hangs. The audit device file is opened (file descriptor 3) and as soon as the first request is dispatched to this device (an ioctl system call on file descriptor 3) the command freezes. According to this I should just disable audit on the server and the problem will be gone. As a test, the audit daemon was temporarily stopped, I tried to switch to another user, and the problem was indeed gone.
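The tell-tale sign above is a syscall line with no "= return value": the call never came back. The following is an added example, not code from the post, that applies that rule to an strace -f file: for every traced pid it reports the last call if it never returned and resolves the descriptor it was operating on to the path that open() gave it (honouring close() and fd reuse). SAMPLE_TRACE is a constructed trace modelled on the one in the post, and the function names are my own.

```python
import re

# Constructed sample modelled on the post's trace (not the real /tmp/su.strace.out);
# fd 3 is opened, closed and reopened so the descriptor lookup has to track reuse.
SAMPLE_TRACE = """\
3138 execve("/bin/su", ["su", "-"], [/* 20 vars */]) = 0
3138 open("/etc/passwd", O_RDONLY) = 3
3138 close(3) = 0
3138 open("/dev/audit", O_RDWR) = 3
3138 fcntl64(3, F_GETFD) = 0
3138 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
3138 ioctl(3, 0x801c406f
"""

# "<pid> <call>(<args>) = <ret>"; the ") = ret" tail is optional so that the last,
# unfinished line of a hung process (no return value was ever written) still matches.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<call>[a-z_0-9]+)\((?P<args>.*?)(?:\)\s*=\s*(?P<ret>\S.*))?$"
)


def parse_trace(text):
    """Return (pid, syscall, args, ret) per syscall line; ret is None if the call never
    returned. Non-syscall lines strace emits (signals, '+++ exited', resumptions) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m["pid"]), m["call"], m["args"], m["ret"]))
    return rows


def hung_calls(text):
    """pid -> (syscall, args) for every pid whose last traced call never returned."""
    last = {}
    for pid, call, args, ret in parse_trace(text):
        last[pid] = (call, args, ret)
    return {pid: (call, args) for pid, (call, args, ret) in last.items() if ret is None}


def fd_origin(text, pid, fd):
    """Path the descriptor fd referred to at the end of pid's trace: the most recent
    successful open()/openat() returning fd, unless a later close(fd) released it."""
    path = None
    for p, call, args, ret in parse_trace(text):
        if p != pid or ret is None:
            continue
        if call in ("open", "openat") and ret.split()[0] == str(fd):
            m = re.search(r'"([^"]*)"', args)
            path = m.group(1) if m else None
        elif call == "close" and args.strip() == str(fd) and ret.split()[0] == "0":
            path = None
    return path


def explain(text):
    """One line per hung pid naming the call and, when its first argument is an fd, the path."""
    lines = []
    for pid, (call, args) in sorted(hung_calls(text).items()):
        first = args.split(",")[0].strip()
        origin = fd_origin(text, pid, int(first)) if first.isdigit() else None
        where = f" on fd {first} ({origin})" if origin else ""
        lines.append(f"pid {pid} hung in {call}({args}){where}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_TRACE)))
```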

After searching for similar problems with the audit daemon I found an article in the Red Hat knowledge base regarding exactly the same issue (http://kbase.redhat.com/faq/FAQ_79_6169.shtm). From the article:

When the free space in the filesystem holding the audit logs is less than 20%, the above notify command will error out and auditd will enter suspend mode. This causes all system calls to block.

So this behaviour is not a bug but an actual feature of the software. :o) From a security point of view this is expected behaviour - an attacker could fill up the filesystem where the audit logs are stored before the attack and audit would be disabled, meaning no logs of his activity, so better not to allow ANY activity on the system if audit is not able to write its logs. But still, this kind of behaviour renders the system completely useless to legitimate users.

The topic of this post is not audit, so I will stop here. The important thing is that strace led us directly to the main source of the problem. Resolving issues like this would be much more complex and time consuming without this great little tool. :)

OpenSolaris lecture - impressions

December 14, 2007

What I announced in the previous post took place today. For those who haven't read the previous post, it was a lecture about OpenSolaris.

The lecture was given by two developers from the Czech Republic employed at Sun (Tomas Dzik and Milan Jurik). It lasted a bit longer than announced, but the topics were extremely interesting (to me at least), so I'm glad about that. Since I have had very little contact with Solaris so far (I know only the basics), I learned a lot of new things. The topics covered are listed in the previous post, and they were accompanied by live examples.

At the end (when only a few of us remained) they handed out windshield wipers with the OpenSolaris logo along with the line: “Wipe your windows!”

The second part was perhaps even more interesting because it was unofficial, and there was beer. The two lecturers came to the LUGoNS premises and in a relaxed atmosphere talked about various IT topics. At the beginning they mostly answered questions about OpenSolaris, but later they touched on all sorts of topics. One of the more interesting things I learned is how Eclipse got its name. Namely, IBM was the godfather, and the name was given as a response to the name of the company that developed Java - Sun. I already thought Eclipse was a good name, but I never bothered to find out why it's called that.

I didn't take any pictures (my camera is extremely old, and I'm not in the habit), but dreamerns did, so I might post a picture or two if I remember to ask him to send them to me.

All in all, an excellently spent day.

OpenSolaris - first-hand information

December 10, 2007

On Thursday, December 13, 2007, a lecture on OpenSolaris will be held at the Faculty of Technical Sciences in Novi Sad. The lecture will be in English, and the lecturers are Tomas Dzik and Milan Jurik from the Sun Microsystems office in the Czech Republic.

The topics that will be covered are:

- OpenSolaris and OpenSolaris distributions, how to participate in development.
- DTrace - the new tracing tool + live demo.
- ZFS - the new 128-bit file system + live demo.
- Solaris Zones and BrandZ - Linux virtualization under Solaris + live demo.

The planned duration of the event is one hour and thirty minutes.

Admission is free and the lecture is not limited only to students and staff of FTN.

Zombie children on the system…

September 26, 2007

When you observe activity on a UNIX or UNIX-like system, you will see a certain number of processes, some of which are active and some sleeping. Sometimes you will find a certain number of zombie processes on the list as well. It doesn't take much imagination to understand what a zombie process might be. For those who don't want to imagine much on the subject, here is a short explanation: when a process finishes what it was doing but remains in the process table, it becomes undead, or a zombie. The child process has died, but Death has not yet reaped it. Under normal circumstances the parent process should read its child's exit information by executing the wait system call, whereupon the zombie is removed. If everything does not go according to plan, the little zombie remains in the process list. This can sometimes be desirable, if the parent process creates new processes that should not get the same IDs as the previous children. Then again, this can sometimes be bad... especially when the zombie children multiply.

Here is a short but sweet guide on how to kill all the stray children… (wonderful terminology, isn't it?)

First run the command ps aux to see all those stray children. Pick any one of them (PID), since there will be quite a few.

ps axo ppid -p <child pid> | grep -v PPID | sed 's/ //g'

This will give us the parent's PID. If you have no idea which program that is, here is how to find out:

which `ps axo command -p <parent pid> | grep -v COMMAND | cut -d' ' -f1`

OK, now we know who the voodoo priest raising all those zombies is. What you do with him is up to you. Simply restarting the program will kill all the zombies. If you want to see what happened, you can do the following:

gdb /path/to/program <parent pid>

Happy killing of children… zombies… zombie children :-)
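To see the mechanism from the post end to end, here is an added example (not code from the post): the parent forks a child that exits at once and deliberately does not wait() for it, shows the child sitting in the process table in state 'Z' with the parent's PID (the same thing the ps axo ppid step above reads), then reaps it with waitpid() and shows the entry is gone. It assumes Linux, because the state and ppid are read from /proc/<pid>/stat; the function names are my own.

```python
import os
import time


def proc_state(pid):
    """One-letter state from /proc/<pid>/stat ('Z' = zombie), or None once the entry is gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except OSError:
        return None
    # The state is the first field after the ')' that closes the comm name; comm may
    # itself contain spaces and parentheses, which is why we search from the right.
    return stat[stat.rindex(")") + 2]


def find_zombies():
    """Scan /proc the way 'ps axo ppid' would: {zombie_pid: parent_pid}."""
    zombies = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                fields = f.read().rsplit(")", 1)[1].split()
        except (OSError, IndexError):
            continue  # the process vanished between listdir and open
        if fields[0] == "Z":
            zombies[int(name)] = int(fields[1])  # the field after the state is the ppid
    return zombies


def spawn_unreaped_child(exit_code=7, timeout=2.0):
    """Fork a child that exits immediately and deliberately do NOT wait() for it.
    Returns (pid, state) once the kernel shows the child as a zombie (or on timeout)."""
    pid = os.fork()
    if pid == 0:
        os._exit(exit_code)  # child: die at once; the parent never collects us
    deadline = time.monotonic() + timeout
    state = proc_state(pid)
    while state != "Z" and time.monotonic() < deadline:
        time.sleep(0.01)
        state = proc_state(pid)
    return pid, state


def reap(pid):
    """What the parent should have done: wait for the child, which removes the zombie.
    Returns the child's exit code (-1 if it did not exit normally)."""
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


def demo():
    """(state while unreaped, listed as a zombie with us as parent, exit code, state after)."""
    pid, state = spawn_unreaped_child()
    listed = find_zombies().get(pid) == os.getpid()
    code = reap(pid)
    return state, listed, code, proc_state(pid)


if __name__ == "__main__":
    print(demo())  # on Linux: ('Z', True, 7, None)
```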

Easy way to read MBR?

September 5, 2007

$10 question. Some time ago you created a backup of your system's Master Boot Record (MBR). Now, after some change, you notice you made a fatal mistake: your partition table is corrupted and you need to recover it from the backup you created, but you are not sure whether it is the correct version. The question is, what is the easiest way to read the partition table from the backup of your MBR? No, a hex editor is not the easiest way to do it (and it is bad for your eyes :)). I wonder how many of you said the ‘file’ command? Yes, the magical file command is able to read the data from the MBR dump and print you the actual partition table. Here is an example from my laptop.

# file mbr.bin
mbr.bin: x86 boot sector; partition 1: ID=0x83, active, starthead 1, startsector 63, 40949622 sectors; partition 2: ID=0x82, starthead 254, startsector 40949685, 2088450 sectors; partition 3: ID=0x8e, starthead 254, startsector 43038135, 74172105 sectors, code offset 0x48

As you can see, I have only 3 partitions on the disk. The first one has type 0x83, which is the hex ID for an ext3 type of partition, and it is my / partition (you don’t see it here, but I know it :)). It is also the active partition, which means it is used for booting the system. You can also see the size of the partition in sectors. Knowing that one sector is 512 bytes long, you can easily find out the size of the partition.

# echo $(((40949622/2)/1024))
19994
# df -k /
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             19833488   6504676  12305072  35% /

That’s it, correct. :)

The next partition is 0x82, which is a swap partition. And the last partition is 0x8e, which is the ID for a Linux LVM partition.

While I am here, I could also explain what the MBR is and how it is used.

The Master Boot Record resides in the first 512 bytes of your bootable disk. Besides the partition table it also holds the bootloader and something called a magic number. As you can see in the picture, the bootloader takes the biggest part of the MBR, a whole 446 bytes. During the boot process the BIOS searches for bootable devices attached to your system and once it finds one it looks at the MBR and loads the bootloader, also called the primary bootloader. The primary bootloader looks at the partition table inside the MBR (the next 64 bytes after the bootloader) and searches for an active partition. When it finds the active partition it loads the secondary boot loader from that partition’s boot record which, in turn, loads the kernel, and so on.

The magic number is used for a sanity check of your MBR. It holds only 2 bytes and should be 0xAA55.

So, in short, the MBR is used to easily locate and load the kernel from the correct device. (It is also used by your operating system to find the layout of the disk, but that is another story.)

PS: You can create a dump of your MBR by issuing the following command:

# dd if=/dev/sda of=mbr.bin bs=512 count=1

Replace /dev/sda with the correct device path for your disk.

PS 2: Sorry for the bad quality of the MBR scheme, but I didn’t have much time to work on it and I am not a graphic designer. :D
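The layout described above (446 bytes of boot code, four 16-byte partition entries, 0xAA55 at the end) is easy to decode by hand, which is useful for the exact situation in the post: checking that an mbr.bin backup is the version you think it is before writing it back. The following is an added example, not code from the post: it validates the signature, decodes the entries with the size arithmetic from the post, and flags overlapping partitions, which a corrupted table often shows. SAMPLE data is constructed from the three partitions in the post's file output; the function names are my own.

```python
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bootloader occupies bytes 0..445
ENTRY_LEN = 16              # four entries follow, bytes 446..509
MAGIC = 0xAA55              # stored little-endian as 55 AA at bytes 510..511
ENTRY_FMT = "<B3BB3BII"     # status, CHS start, type, CHS end, LBA start, sector count

TYPE_NAMES = {0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM"}


def is_valid_mbr(data):
    """True when the image is at least one sector and carries the 0xAA55 signature."""
    return len(data) >= SECTOR and struct.unpack_from("<H", data, SECTOR - 2)[0] == MAGIC


def parse_mbr(data):
    """Return the non-empty partition entries as dicts, in table order."""
    if not is_valid_mbr(data):
        raise ValueError("not an MBR: short image or missing 0xAA55 signature")
    parts = []
    for i in range(4):
        status, sh, ss, sc, ptype, eh, es, ec, lba, count = struct.unpack_from(
            ENTRY_FMT, data, BOOTCODE_LEN + i * ENTRY_LEN)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,      # the entry the primary bootloader boots from
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown"),
            "start_head": sh,
            "start_sector": lba,
            "sectors": count,
            "mib": count * SECTOR // (1024 * 1024),   # the post's (sectors/2)/1024
        })
    return parts


def overlapping(parts):
    """Pairs of partition indexes whose sector ranges overlap."""
    ordered = sorted(parts, key=lambda p: p["start_sector"])
    bad = []
    for a, b in zip(ordered, ordered[1:]):
        if b["start_sector"] < a["start_sector"] + a["sectors"]:
            bad.append((a["index"], b["index"]))
    return bad


def build_entry(active, ptype, start_head, lba, count):
    """Pack one entry; CHS fields are filled with 0xFE/0xFF as modern tools do."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, start_head, 0xFF, 0xFF,
                       ptype, 0xFE, 0xFF, 0xFF, lba, count)


def build_sample_mbr():
    """Constructed 512-byte image reproducing the three partitions from the post."""
    boot = b"\x90" * BOOTCODE_LEN   # NOP filler standing in for real boot code
    table = (build_entry(True, 0x83, 1, 63, 40949622)
             + build_entry(False, 0x82, 254, 40949685, 2088450)
             + build_entry(False, 0x8E, 254, 43038135, 74172105)
             + bytes(ENTRY_LEN))
    return boot + table + struct.pack("<H", MAGIC)


def describe(data):
    """One line per partition, in the spirit of file(1)'s output."""
    return [f"partition {p['index']}: ID=0x{p['type']:02x}{', active' if p['active'] else ''}, "
            f"starthead {p['start_head']}, startsector {p['start_sector']}, "
            f"{p['sectors']} sectors ({p['mib']} MiB, {p['name']})" for p in parse_mbr(data)]


if __name__ == "__main__":
    print("\n".join(describe(build_sample_mbr())))
```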

HP-UX UNIX95 Compatibility

July 26, 2007

HP-UX is well known for the ease of patch and product manipulation. These operations are done via software called Software Distributor (SD). Situations where SD fails are very rare, but they can be very strange.

One of those weird situations happened to me last week. I downloaded a patch bundle from the HP site and tried to create a depot. A very simple action - untar the bundle, run the create_depot_hp-ux_11 script, and the script and SD will do all the necessary things. But here comes the weird part - a checksum error for all patches in the bundle.

# create_depot_hp-ux_11
DEPOT: /var/depot
BUNDLE: BUNDLE
TITLE: Patch Bundle
UNSHAR: y
PSF: depot.psf
Expanding patch shar files…
x - PHCO_23651.text
x - PHCO_23651.depot [compressed]
ERROR: wc results of PHCO_23651.depot are 7082 23582 522240 should be 7082 18520 522240
x - PHKL_18543.text
x - PHKL_18543.depot [compressed]
ERROR: wc results of PHKL_18543.depot are 146386 592281 20377600 should be 146386 524212 20377600

I checked the checksum of the bundle itself and it seemed perfectly fine. What a puzzle, eh?

Here is the story. HP-UX is supposed to be compatible with the UNIX95 specification, but the problem is that, for some reason, this compatibility breaks SD. The compatibility mode is enabled by an environment variable called UNIX95. (Notice that in the errors above only the middle number, the word count, differs; the line and byte counts match, so the archives themselves are intact and it is the wc output that changes.) So if you ever notice a problem like this, first check whether this variable is set on your server, and if it is, simply unset it and SD will be fully functional again.

# set | grep UNIX95
UNIX95=yes
# unset UNIX95
# create_depot_hp-ux_11
DEPOT: /var/depot
BUNDLE: BUNDLE
TITLE: Patch Bundle
UNSHAR: y
PSF: depot.psf
Expanding patch shar files...
x - PHCO_23651.text
x - PHCO_23651.depot [compressed]
x - PHKL_18543.text
x - PHKL_18543.depot [compressed]

Happy patching! :)

AIX 6 ready for download!

July 12, 2007

As I previously announced, the IBM AIX 6 Beta was to be openly available for free download and testing. That time has come and you can start downloading it right now from this page. More info here.

AIX 6 should bring a lot of new features, especially when it comes to virtualization and high availability. Some new features are ported directly from fault-tolerant systems, which should provide even more stable and reliable systems. There is no official support for the Beta, but you can ask for help on one of the IBM forums.

Openness is a pretty new thing for IBM. This change in IBM policy is probably influenced by SUN's opening of Solaris to the community. But even though some changes have started, IBM is still far away from open source and from opening the code of its products to the open-source community. And that is a pity, because I would really like to see the same usability features on some other UNIX operating systems. Sadly, even Linux is far behind AIX when it comes to usability.

32 * 2 = 16h

July 8, 2007

Last week I had an interesting assignment: upgrading an AIX 5.2 server from a 32-bit to a 64-bit kernel. The process should be pretty straightforward and is very nicely explained in the AIX documentation, but as usual, all actions that require stopping the application have to be done after working hours, in this case after 9pm. Considering that all the changes, the system reboot and the application stop/start sequence should not take more than 45 minutes, this is not a big problem. As many times before, I didn't count on the good ol' friend of all system administrators: Murphy.

But let's start from the beginning. The first thing I did was to check whether the server supports a 64-bit environment and which version of the kernel is currently running.

# bootinfo -y
64
# bootinfo -K
32

So, the hardware on this server is 64-bit (as expected) and the active kernel is 32-bit. Now let's stop the applications. The only important application on this server is a production Oracle database, and we have to stop it before the reboot. (An important thing to note at this moment is the version of the database: it is the old 8.1.7.4 release of Oracle.)

# su - oracle
% sqlplus /nolog

SQL*Plus: Release 8.1.7.0.0 - Production on Wed Jul 4 21:01:20 2007

(c) Copyright 2000 Oracle Corporation. All rights reserved.

SQL> conn / as sysdba
Connected.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> exit
Disconnected from Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production
JServer Release 8.1.7.4.0 - Production

In order to be able to execute 64-bit binaries we must edit /etc/inittab so that the syscall64 kernel extension is loaded during boot.

# mkitab "load64bit:2:wait:/etc/methods/cfg64 >/dev/console 2>&1"

The switch to the 64-bit kernel is done by simply relinking the paths to the kernel and modules and updating the boot image on the boot device, followed by a reboot. Simple as that.

# ln -sf /usr/lib/boot/unix_64 /unix
# ln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unix
# bosboot -a
# shutdown -Fr

After the reboot, I checked the version of the running kernel to see whether the change had actually taken place.

# bootinfo -K
64

Perfect! So simple, isn't it? I just love it when things go so smoothly. Now let's start Oracle.

# su - oracle
% sqlplus /nolog
Could not load program sqlplus:
Symbol resolution failed for sqlplus because:
        Symbol pw_post (number 272) is not exported from dependent module /unix.
        Symbol pw_wait (number 273) is not exported from dependent module /unix.
        Symbol pw_config (number 274) is not exported from dependent module /unix.
        Symbol aix_ora_pw_version3_required (number 275) is not exported from dependent module /unix.
Examine .loader section symbols with the 'dump -Tv' command.

"Argh, this can't be happening!" I thought, so I tried again. Surprisingly, that didn't help. After the initial shock, I looked at the message more carefully and tried to figure out what the hell it meant. The kernel doesn't export the symbols Oracle needs, so maybe the Oracle kernel extension is not loaded. Let's check.

# loadext -r

Oracle Kernel Extension Loader for AIX
Copyright (c) 1998,1999 Oracle Corporation

sh: /usr/sbin/crash: not found
No Kernel Extension is currently running.

I was on the right trail. But this is strange: the Oracle kernel extension is loaded from /etc/inittab during boot, so it SHOULD be loaded. Maybe the inittab got corrupted.

# lsitab -a | grep ora
orapw:2:wait:/etc/loadext -l /etc/pw-syscall

It is there. In my agony I thought that maybe the syscall64 extension was not loaded, so the Oracle extension failed (although that should not matter).

# genkex | grep syscall
4635e70     390 /usr/lib/drivers/syscalls64.ext

It is there, too. Let's try to load it manually; maybe it will work now.

# loadext -l /etc/pw-syscall

Oracle Kernel Extension Loader for AIX
Copyright (c) 1998,1999 Oracle Corporation

Kernel Extension Version: 3
SYS_SINGLELOAD: Exec format error
kmid: 0 (0x0)
path: '/etc/pw-syscall'
libpath: ''

Maybe this extension does not support a 64-bit environment?

# strings /etc/pw-syscall | head -3
Kernel Extension Version: 3
$Revision: 1.9 $
Supported Oracle Instances: 32-bit & 64-bit

Now I am puzzled even more.

At this point I felt stuck. Reverting to the 32-bit kernel was not even an option, as this was only one part of a big migration process on this server. But on the other hand, Oracle had to be up and running by morning; this is a very important production server. As I am not an Oracle guru and there was no one from the DB team around to ask for advice, I asked Google for help. As many times before, it proved to be a wise choice. People had already had this problem and solved it by applying a small patch for Oracle.

The important thing here is that Oracle version 8 does not support the 64-bit kernel on AIX as shipped. It requires patch number 2896876 in order to do so.

After applying this patch you get a new kernel extension, which loads without complaint.

# genkex | grep syscall
466c850    1218 /etc/pw-syscall64
4641ec0     390 /usr/lib/drivers/syscalls64.ext

Now, let’s try to start Oracle.

# su - oracle
% sqlplus /nolog

SQL*Plus: Release 8.1.7.0.0 - Production on Thu Jul 5 00:47:45 2007

(c) Copyright 2000 Oracle Corporation. All rights reserved.

SQL> conn / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.

Total System Global Area  178704276 bytes
Fixed Size                    73620 bytes
Variable Size             135630848 bytes
Database Buffers           41943040 bytes
Redo Buffers                1056768 bytes
Database mounted.
Database opened.
SQL> exit
Disconnected
% ^D

Nice. :) The next thing is to change inittab to load the new Oracle kernel extension,

# chitab "orapw:2:wait:/etc/loadext -l /etc/pw-syscall64"

then stop Oracle and reboot the server again to see how it behaves after the reboot. Luckily everything works fine, so at 1am I can finally go home. It was about time, since I had been there for almost 16 hours (hence the subject of the post). Ah, the pleasures of being a system administrator: flexible working hours, isn't it? :)