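#!/bin/sh
# This script is for Solaris 10
#
# Step 1: write /etc/syslog-ng/syslog-ng.conf.
#
# The generated configuration
#   - reads local messages (sun-streams door, internal) and accepts network
#     input through udp() and through tcp bound to 0.0.0.0 port 5150,
#   - filters to levels info through emerg,
#   - writes one file per sending host and day under /var/log/perhost, and
#   - forwards the same messages to 10.10.10.10 port 5150 over tcp.
#
# Security notes for whoever adapts this:
#   - The tcp source is bound to every interface and udp() is given no bind
#     address; neither transport is authenticated or encrypted here, and the
#     tcp destination forwards in clear text. Limit who can reach the
#     listeners (bind address, host firewall) to the intended log senders.
#   - keep_hostname(yes) keeps the host name carried in each message, and
#     that name becomes part of the output path through $HOST, so a sender
#     that can reach the listener influences which per-host file is written.
#     NOTE(review): consider check_hostname(yes) and/or keep_hostname(no) on
#     hosts that accept logs from untrusted networks -- confirm against the
#     installed syslog-ng version.
echo Creating syslog-ng.conf
# -p treats an already existing directory as success without hiding real
# failures the way "2>/dev/null" did.
mkdir -p /etc/syslog-ng || {
    echo "cannot create /etc/syslog-ng" >&2
    exit 1
}
# The delimiter is quoted so the shell copies the text literally. With an
# unquoted delimiter $HOST, $YEAR, $MONTH and $DAY would be expanded by this
# shell while the file is written, instead of reaching syslog-ng as macros.
cat << 'END' > /etc/syslog-ng/syslog-ng.conf
options {
stats(0);
sync(0);
time_reopen(1);
log_fifo_size(4096);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(yes);
keep_hostname(yes);
};
source sys {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
udp();
tcp(ip("0.0.0.0") port(5150) max-connections(300));
};
filter notdebug {
level(info...emerg);
};
destination perhost {
file("/var/log/perhost/$HOST.log.$YEAR$MONTH$DAY");
};
log {
source(sys);
filter(notdebug);
destination(perhost);
};
destination syslog-ng-server {
tcp("10.10.10.10" port(5150));
};
log {
source(sys);
filter(notdebug);
destination(syslog-ng-server);
};
END
if [ $? -ne 0 ]; then
    echo "cannot write /etc/syslog-ng/syslog-ng.conf" >&2
    exit 1
fi
chown root:sys /etc/syslog-ng/syslog-ng.conf
chmod 644 /etc/syslog-ng/syslog-ng.conf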
echo Removing old init script links if they exist
# Legacy rc entries of the stock syslog daemon. -f keeps rm quiet when an
# entry is already gone; each path is listed once.
for rc_entry in \
    /etc/init.d/syslog \
    /etc/rc2.d/S74syslog \
    /etc/rc0.d/K40syslog \
    /etc/rc1.d/K40syslog \
    /etc/rcS.d/K40syslog
do
    rm -f "$rc_entry"
done
echo Disabling stock syslog
# From here on the host has no running syslog daemon until syslog-ng is
# enabled at the end of the script.
svcadm disable system-log
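echo Setting up syslog-ng method script
# Write the SMF start method for syslog-ng.
#
# The "<< E0F >" part of the cat line had been lost, which left a plain
# "cat <file" followed by the method body running inline in this installer
# (ending in an exit before the manifest step). The closing E0F line and the
# chown/chmod of the method file show that a here-document was intended.
# The delimiter is quoted so that $LD_LIBRARY_PATH and the $SMF_EXIT_*
# values are evaluated when the method runs, not while this file is written.
cat << 'E0F' > /lib/svc/method/svc-syslog-ng
#!/bin/sh
. /lib/svc/share/smf_include.sh
# Start processes required for syslog-ng
# Required for certain libgcc and eventlog libraries
# Prepend the existing value only when there is one. An unset variable would
# otherwise leave an empty leading entry, which runtime linkers commonly treat
# as the current directory -- not something a root daemon should search.
# NOTE(review): /usr/local/lib must be writable by root only, since libraries
# found there are loaded into the daemon.
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/local/lib:/usr/sfw/lib
export LD_LIBRARY_PATH
if [ -x /usr/local/sbin/syslog-ng ]; then
/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf
else
echo "syslog-ng is missing or not executable."
exit $SMF_EXIT_ERR_CONFIG
fi
exit $SMF_EXIT_OK
E0F
if [ $? -ne 0 ]; then
    echo "cannot write /lib/svc/method/svc-syslog-ng" >&2
    exit 1
fi
chown root:bin /lib/svc/method/svc-syslog-ng
chmod 755 /lib/svc/method/svc-syslog-ng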
# Step: install the SMF manifest for syslog-ng.
#
# NOTE(review): this section cannot be run as shown. The here-document
# redirection on the cat line and the XML element tags of the manifest appear
# to have been stripped when the page was rendered; only attribute fragments
# remain between the cat line and the E0F terminator. The terminator and the
# chown/chmod below suggest the original wrote a here-document to
# /var/svc/manifest/system/syslog-ng.xml. Restore the manifest from a trusted
# copy rather than guessing the missing elements (the dependency service
# names in particular are not recoverable from what is left).
echo Setting up SMF manifest
cat </var/svc/manifest/system/syslog-ng.xml name='system/syslog-ng'
type='service'
version='1'>
name='milestone'
grouping='require_all'
restart_on='none'
type='service'>
name='filesystem'
grouping='require_all'
restart_on='none'
type='service'>
name='autofs'
grouping='optional_all'
restart_on='none'
type='service'>
name='name-services'
grouping='require_all'
restart_on='none'
type='service'>
name='syslog-ng_single-user'
grouping='optional_all'
restart_on='none'>
type='method'
name='start'
exec='/lib/svc/method/svc-syslog-ng'
timeout_seconds='60' />
type='method'
name='stop'
exec=':kill'
timeout_seconds='60' />
type='method'
name='refresh'
exec=':kill -HUP'
timeout_seconds='60' />
value='solaris.smf.manage.syslog-ng' />
syslog-ng
manpath='/usr/share/man' />
E0F
# The manifest is made read-only and owned by root:sys.
chown root:sys /var/svc/manifest/system/syslog-ng.xml
chmod 444 /var/svc/manifest/system/syslog-ng.xml
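echo Validating manifest
# Stop when validation fails so a malformed manifest is never imported.
# The stock system-log service was disabled earlier in this script, so a
# failure here leaves the host without a syslog daemon until it is fixed.
svccfg validate /var/svc/manifest/system/syslog-ng.xml || {
    echo "manifest validation failed; not importing (system-log is still disabled)" >&2
    exit 1
}
echo Importing manifest
svccfg import /var/svc/manifest/system/syslog-ng.xml || {
    echo "manifest import failed (system-log is still disabled)" >&2
    exit 1
}
echo Starting syslog-ng
svcadm enable syslog-ng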
root@maass> more /etc/syslog-ng/syslog-ng.conf
options {
stats(0);
sync(0);
time_reopen(1);
log_fifo_size(4096);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(yes);
keep_hostname(yes);
};
source sys {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
udp();
tcp(ip("0.0.0.0") port(5150) max-connections(300));
};
filter notdebug {
level(info...emerg);
};
destination perhost {
file("/var/log/perhost/$HOST.log.$YEAR$MONTH$DAY");
};
log {
source(sys);
filter(notdebug);
destination(perhost);
};
destination florey {
tcp("144.83.19.28" port(5150));
};
log {
source(sys);
filter(notdebug);
destination(florey);
};
Tuesday, December 30, 2008
Script to set up syslog-ng on Solaris 10 hosts
Syslog-ng log evacuation
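#!/bin/sh
# Nightly evacuation of yesterday's syslog-ng logs to the sawmill NFS share:
# compress yesterday's per-host and proxy logs, copy the .gz files to the
# share, set mode/ownership there, then prune old local and remote files.

EVAC_DIR=/nfsserver/servers/sawmill/evacuated-logs
PROXY_DIR=/nfsserver/servers/sawmill/proxy-logs-to-be-processed

#calculate yesterday's date
# The TZ value makes date(1) report a clock 24 hours behind EST5EDT, which
# yields yesterday's date without needing date arithmetic.
YESTERDAY=`env TZ=EST29EDT date +%Y%m%d`
# An empty date would turn the patterns below into "*." and "*..gz".
if [ -z "$YESTERDAY" ]; then
    echo "could not compute yesterday's date" >&2
    exit 1
fi

#find the logs associated with yesterday and compress them
# find -exec handles "no matches" and odd file names; the original passed an
# unquoted list to gzip, which runs gzip with no file argument on a quiet day.
/usr/bin/find /var/log/perhost -type f -name "*.$YESTERDAY" -exec /usr/bin/gzip {} \;
/usr/bin/find /var/log/proxy -type f -name "*.$YESTERDAY" -exec /usr/bin/gzip {} \;

#change ownership of the files so the remote sawmill process can read them
# NOTE(review): this makes every local per-host log world-readable, although
# the remote process reads the copies on the share (which get their own chmod
# below). Confirm the local chmod is needed; logs often hold sensitive data.
/usr/bin/chmod 644 /var/log/perhost/*

# Refuse to continue when the share is not there (for example NFS not
# mounted): copying would fail and the pruning below would still delete data.
for share_dir in "$EVAC_DIR" "$PROXY_DIR"
do
    if [ ! -d "$share_dir" ]; then
        echo "destination $share_dir is missing; nothing copied or pruned" >&2
        exit 1
    fi
done

#cp the files to sawmill ~logevac
/usr/bin/find /var/log/perhost -type f -name "*.$YESTERDAY.gz" -exec /usr/bin/cp {} "$EVAC_DIR" \;
/usr/bin/find /var/log/proxy -type f -name "*.$YESTERDAY.gz" -exec /usr/bin/cp {} "$PROXY_DIR" \;
#
/usr/bin/chmod 644 "$EVAC_DIR"/*
/usr/bin/chown 55555:55555 "$EVAC_DIR"/*

# remove the local syslog-ng server files after 7 days
# NOTE(review): the search starts at /var/log, so it removes every regular
# file there older than 7 days, not only syslog-ng output, and it does not
# check that a file was ever copied to the share. Narrow the start directory
# if other logs under /var/log must be retained.
/usr/bin/find /var/log -type f -mtime +7 -exec /usr/bin/rm -f {} \;

# clear out the logfiles older than 21 days
# NOTE(review): this path is under /hjfnfs while every other step uses
# /nfsserver -- confirm which mount point is the real one.
/usr/bin/find /hjfnfs/servers/sawmill/evacuated-logs -name "*log*.gz" -mtime +21 -exec /usr/bin/rm -f {} \;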
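# Log evacuation: compress yesterday's logs, copy them to the sawmill share,
# then prune old files locally and on the share.

#calculate yesterday's date
# TZ=EST29EDT shifts the reported clock back 24 hours relative to EST5EDT.
YESTERDAY=`env TZ=EST29EDT date +%Y%m%d`
if [ -z "$YESTERDAY" ]; then
    # Without a date the name patterns below would match the wrong files.
    echo "could not compute yesterday's date" >&2
    exit 1
fi

#compress the logs associated with yesterday
# Each find acts on its own matches, so an empty result is simply a no-op
# (the original ran gzip/cp on an unquoted, possibly empty, word list).
for log_dir in /var/log/perhost /var/log/proxy
do
    /usr/bin/find "$log_dir" -type f -name "*.$YESTERDAY" -exec /usr/bin/gzip {} \;
done

#change ownership of the files so the remote sawmill process can read them
# NOTE(review): world-readable local logs; verify this is required, since the
# copies on the share are given mode 644 separately below.
/usr/bin/chmod 644 /var/log/perhost/*

# Do not copy or prune anything when a destination directory is absent.
if [ ! -d /nfsserver/servers/sawmill/evacuated-logs ] ||
   [ ! -d /nfsserver/servers/sawmill/proxy-logs-to-be-processed ]; then
    echo "sawmill share is not available; nothing copied or pruned" >&2
    exit 1
fi

#cp the files to sawmill ~logevac
/usr/bin/find /var/log/perhost -type f -name "*.$YESTERDAY.gz" \
    -exec /usr/bin/cp {} /nfsserver/servers/sawmill/evacuated-logs \;
/usr/bin/find /var/log/proxy -type f -name "*.$YESTERDAY.gz" \
    -exec /usr/bin/cp {} /nfsserver/servers/sawmill/proxy-logs-to-be-processed \;
#
/usr/bin/chmod 644 /nfsserver/servers/sawmill/evacuated-logs/*
/usr/bin/chown 55555:55555 /nfsserver/servers/sawmill/evacuated-logs/*

# remove the local syslog-ng server files after 7 days
# NOTE(review): starts at /var/log, so all regular files older than 7 days are
# removed, whether or not they are syslog-ng output or were ever evacuated.
/usr/bin/find /var/log -type f -mtime +7 -exec /usr/bin/rm -f {} \;

# clear out the logfiles older than 21 days
# NOTE(review): /hjfnfs here versus /nfsserver above -- confirm the path.
/usr/bin/find /hjfnfs/servers/sawmill/evacuated-logs -name "*log*.gz" -mtime +21 -exec /usr/bin/rm -f {} \;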
Script to clear out Solaris corefiles
Run this from the global zone...
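#!/bin/sh
#
# clear out corefiles
# miw 9/1/06
#
# Removes core* files from the global zone's /var/core and from the same
# directory inside each zone root under /zones.
#
# NOTE(review): the /zones/*/root paths are resolved from the global zone, and
# the directories below each zone root are controlled by that zone's
# administrator. Treat those paths as untrusted input for a root job: confirm
# that var/core inside each zone root is a real directory owned by root before
# relying on this in a multi-tenant setup.
for core_file in /var/core/core* /zones/*/root/var/core/core*
do
    # An unmatched pattern stays literal; skip it (and anything that is not a
    # plain file or a symlink) instead of letting rm report an error.
    if [ -f "$core_file" ] || [ -h "$core_file" ]; then
        /usr/bin/rm -f "$core_file"
    fi
done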
Script to email basic system info
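#!/bin/sh
#
# This script emails basic system info to sysadmin
#
# The report holds uname output, UFS inode usage, and a listing plus the
# contents of /etc/passwd, /etc/group and /etc/vfstab. It is written to $file
# and mailed from there; the file is left in place afterwards.
# NOTE(review): the mail is sent unencrypted and the report stays on disk;
# confirm both are acceptable for account and filesystem layout data.
#
SERVERNAME=`uname -n`
file=/usr/local/scripts/safe
#
# Start a fresh report; give up if the file cannot be written.
uname -a > "$file" || exit 1
#
/usr/bin/df -F ufs -o i >> "$file"
#
for i in /etc/passwd /etc/group /etc/vfstab
do
    echo "" >> "$file"
    # The redirection on this line had been split across two lines as
    # ">" and "> $file"; it is an append, like the lines around it.
    echo "***********************************************************************" >> "$file"
    ls -l "$i" >> "$file"
    cat "$i" >> "$file"
done
#
# Disabled section, kept for reference. Two of its lines had wrapped, which
# left live fragments outside the comments; they are rejoined here.
#for a in "swap -l" "df -k" "prtvtoc /dev/dsk/c1t0d0s0" /usr/sbin/metastat "/usr/sbin/metadb -i"
#do
#echo "***********************************************************************" >>$file
#echo "$a" >> $file
#$a >> $file
#done
#
mailx -s "recovery_info_$SERVERNAME" me@myhost.com < "$file"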
Script to manage syslog-ng files
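#!/bin/sh
#
# miw 9/20/07
#
# Housekeeping for the per-host syslog-ng files under /var/log/perhost.
# NOTE(review): files are deleted by age alone; make sure the retention
# period matches what incident response and audit need, or that the logs are
# archived elsewhere first.
#
# gzip any syslog-ng logfiles older than 7 days
# "*.log*" also matches files that are already compressed, so those are
# excluded to keep gzip from being run on them again.
find /var/log/perhost -type f -name "*.log*" ! -name "*.gz" -mtime +7 -exec /bin/gzip {} \;
# clear out the syslog-ng logfiles older than 21 days
find /var/log/perhost -type f -name "*log*.gz" -mtime +21 -exec /bin/rm -f {} \;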
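#
# miw 9/20/07
#
# Compress, then expire, the per-host syslog-ng files in /var/log/perhost.
# NOTE(review): expiry is by file age only; check it against the retention
# the site needs for investigations before shortening or reusing it.
#
# gzip any syslog-ng logfiles older than 7 days
# Skip names ending in .gz: the "*.log*" pattern matches them too.
find /var/log/perhost -type f -name "*.log*" ! -name "*.gz" -mtime +7 \
    -exec /bin/gzip {} \;
# clear out the syslog-ng logfiles older than 21 days
find /var/log/perhost -type f -name "*log*.gz" -mtime +21 \
    -exec /bin/rm -f {} \;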
Script to check for expiring passwords
/usr/local/scripts/account-exp
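#!/bin/sh
#
# This script checks to see if an account's password is expired and
# then sends me an email
#
# It searches the cron log for the text in $WORD and, when there is at least
# one match, mails a short header plus the matching lines.
#
##############
# Variables
##############
SERVERNAME=`uname -n`
LOGFILE=/var/cron/log
WORD=expire
#########################################
# Check to see if there are
# any expired accounts
#########################################
# grep -c prints the match count directly; stderr is dropped so an unreadable
# log yields an empty value, which is treated as zero below.
EXPIRED=`grep -c "$WORD" "$LOGFILE" 2>/dev/null`
#########################################
# If an expired account has
# been detected, email the administrator
#########################################
if [ "${EXPIRED:-0}" -ne 0 ]; then
    # The report is piped straight into mailx. The original staged it in
    # /var/tmp/accounts, a fixed name in a world-writable directory, which a
    # job running as root should not write to; no temporary file is needed.
    {
        # Attach a header
        uname -a
        echo ""
        echo "**************************************************************"
        #
        # Also attach expired info
        grep "$WORD" "$LOGFILE"
    } | mailx -s "expired_accounts_$SERVERNAME" me@myhost.com
fi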
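#!/bin/sh
#
# This script checks to see if an account's password is expired and
# then sends me an email
#
# Matching is a plain text search for $WORD in the cron log.
#
##############
# Variables
##############
SERVERNAME=`uname -n`
LOGFILE=/var/cron/log
WORD=expire
#########################################
# Check to see if there are
# any expired accounts
#########################################
EXPIRED=`grep -c "$WORD" "$LOGFILE" 2>/dev/null`
# An unreadable or missing log gives no count at all; treat that as zero.
case "$EXPIRED" in
    '') EXPIRED=0 ;;
esac
#########################################
# If an expired account has
# been detected, email the administrator
#########################################
if [ "$EXPIRED" -ne 0 ]; then
    # Build the message on a pipe instead of in /var/tmp/accounts: a fixed
    # file name in a world-writable directory is unsafe for a privileged job,
    # and the intermediate file served no other purpose.
    (
        # Attach a header
        uname -a
        echo ""
        echo "**************************************************************"
        # Also attach expired info
        grep "$WORD" "$LOGFILE"
    ) | mailx -s "expired_accounts_$SERVERNAME" me@myhost.com
fi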
Script to remove Staroffice from Solaris
Not fancy, but it works...
#!/bin/sh
#
# Remove the StarOffice packages one at a time, in the order listed.
# pkgrm is run once per package, so each removal is handled separately.
for staroffice_pkg in \
    SUNWstaroffice-xsltfilter \
    SUNWstaroffice-writer \
    SUNWstaroffice-w4wfilter \
    SUNWstaroffice-sunsearchtoolbar \
    SUNWstaroffice-ooofonts \
    SUNWstaroffice-menuintegration \
    SUNWstaroffice-math \
    SUNWstaroffice-lngutils \
    SUNWstaroffice-javafilter \
    SUNWstaroffice-impress \
    SUNWstaroffice-graphicfilter \
    SUNWstaroffice-gnome-integration \
    SUNWstaroffice-gallery \
    SUNWstaroffice-base \
    SUNWstaroffice-calc \
    SUNWstaroffice-core01 \
    SUNWstaroffice-core02 \
    SUNWstaroffice-core03 \
    SUNWstaroffice-core04 \
    SUNWstaroffice-core05 \
    SUNWstaroffice-core06 \
    SUNWstaroffice-core07 \
    SUNWstaroffice-core08 \
    SUNWstaroffice-core09 \
    SUNWstaroffice-draw
do
    pkgrm $staroffice_pkg
done
Someone pointed out that this one-liner would work as well -- I like it for its simplicity:
#!/bin/sh
#
# StarOffice removal: the package names are loaded into the positional
# parameters and pkgrm is invoked for each one in turn, in this order.
set -- \
    SUNWstaroffice-xsltfilter SUNWstaroffice-writer \
    SUNWstaroffice-w4wfilter SUNWstaroffice-sunsearchtoolbar \
    SUNWstaroffice-ooofonts SUNWstaroffice-menuintegration \
    SUNWstaroffice-math SUNWstaroffice-lngutils \
    SUNWstaroffice-javafilter SUNWstaroffice-impress \
    SUNWstaroffice-graphicfilter SUNWstaroffice-gnome-integration \
    SUNWstaroffice-gallery SUNWstaroffice-base \
    SUNWstaroffice-calc \
    SUNWstaroffice-core01 SUNWstaroffice-core02 SUNWstaroffice-core03 \
    SUNWstaroffice-core04 SUNWstaroffice-core05 SUNWstaroffice-core06 \
    SUNWstaroffice-core07 SUNWstaroffice-core08 SUNWstaroffice-core09 \
    SUNWstaroffice-draw
for pkg_name
do
    pkgrm $pkg_name
done
Someone pointed out that this one-liner would work as well -- I like it for its simplicity:
# yes | pkgrm `pkginfo | grep staroffice | awk '{print $2}'`
Solaris ssh
Best way to start/initialize ssh:
/lib/svc/method/sshd -c
svcadm enable network/ssh
Other stuff:
# Show the long-form SMF status of sshd, then enable/restart the ssh service
# (the last form names the service by its full FMRI).
svcs -l sshd
svcadm enable ssh
svcadm restart ssh
svcadm enable svc:/network/ssh:default
# Host key generation, one key per type.
# NOTE(review): the argument to -f (the key file to write) is missing on all
# three lines, apparently lost when the page was rendered.
# NOTE(review): rsa1 keys belong to SSH protocol 1, which is obsolete, and
# 1024-bit RSA/DSA keys are below current minimum recommendations. Where the
# installed ssh-keygen allows it, generate protocol-2 RSA host keys of at
# least 2048 bits and leave protocol 1 disabled in sshd_config.
/usr/sbin/ssh-keygen -t rsa1 -b 1024 -f
/usr/sbin/ssh-keygen -t rsa -b 1024 -f
/usr/sbin/ssh-keygen -t dsa -b 1024 -f
Solaris 10 /devices
/devices is now dynamic and managed by the devfs filesystem. If necessary, new devices can be configured using /usr/sbin/cfgadm. Generate the /dev/dsk and /dev/rdsk links using
/usr/sbin/devfsadm
/usr/sbin/devfsadm
Solaris JASS / VNC problem
If you ever need to run VNC with inetd on a server after applying SUNWjass's secure.driver, make sure to change the following file that JASS creates - /etc/dt/config/Xaccess (do not confuse this with /usr/dt/config/Xaccess or /usr/openwin/lib/X11/xdm/Xaccess):
(before)
##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS
## Deny all remote access (direct/broadcast) to this X server.
!*
(after)
##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS
## All remote access (direct/broadcast) to this X server.
*
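This combined with /etc/hosts.allow and /etc/hosts.deny will provide the necessary security. Keep in mind that a bare * lets any host that can reach this machine request a login session from this X server's display manager, and that hosts.allow and hosts.deny only restrict services that actually consult TCP wrappers; if only a local VNC server needs access, listing just that host in Xaccess in place of * is the narrower setting.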
(before)
##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS
## Deny all remote access (direct/broadcast) to this X server.
!*
(after)
##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS
## All remote access (direct/broadcast) to this X server.
*
This combined with /etc/hosts.allow and /etc/hosts.deny will provide the necessary security.
Auto-ftp script
One of our Peoplesoft developers needed a script to ftp encrypted files to a vendor. Here's what I came up with:
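#!/usr/bin/ksh
# Upload one PGP-encrypted file to a vendor FTP server by driving ftp(1) as a
# ksh co-process.
#
# Security notes:
#   - The account name and password are stored in this script and sent over
#     plain FTP, so they cross the network unencrypted even though the payload
#     itself is PGP-encrypted. Keep the script readable by its owner only.
#     NOTE(review): prefer an encrypted transfer with key-based login if the
#     vendor offers one, and keep the secret outside the script.
#   - /tmp/ww sits under world-writable /tmp; the staging directory should be
#     owned by the account running this job and not writable by others.

# Stop if the staging directory is missing rather than uploading from
# whatever the current directory happens to be.
cd /tmp/ww || exit 1
HOST='ftp.somehost.com'
USER='myusername'
PASSWD='mypassword'
FILE='somefilename.PGP'
LOCATION='remotefolder'
# Keep a copy of stdout on fd 4 so the co-process can write its (verbose)
# output and errors there.
exec 4>&1
# -n disables auto-login so the user command below supplies the credentials.
ftp -nv >&4 2>&4 |&
print -p open "$HOST"
print -p user "$USER" "$PASSWD"
print -p cd "$LOCATION"
print -p binary
print -p put "$FILE"
# End the session explicitly and wait for ftp to finish before exiting, so
# the transfer is not cut short when this script ends.
print -p bye
wait
# NOTE(review): the exit status is always 0; check the ftp output (or the
# remote listing) to confirm the upload actually succeeded.
exit 0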
Monday, December 29, 2008
VMware RCLI commands for ESXi
[I didn't write this, but it's a nice summary]
Using the RCLI to configure a VMware ESXi server.... These tasks can be
accomplished via the Virtual Infrastructure client but with a little
scripting you can easily configure, audit and manage multiple ESXi hosts.
To help identify what a command does you can use the --help switch with any
of the perl scripts.
* vicfg-advcfg.pl - allows for the modification of any of the
advanced configuration options.
# vicfg-advcfg.pl --server 10.10.1.104 --get Cpu.MigratePeriod
- returns the value of Cpu.MigratePeriod
* vicfg-cfgbackup.pl - can backup and restore ESX settings
# vicfg-cfgbackup.pl --server 10.10.1.104 --save rwgood
* vicfg-cfgbackup.pl can also restore the file
# vicfg-cfgbackup.pl --server 10.10.1.104 --load rwgood --force
* vicfg-dns.pl allows you to change the DNS settings of a host
* vicfg-dumppart.pl > helps with the support files
* vicfg-module.pl > allows you to manage the loaded modules
* vicfg-mpath.pl - all sorts of info on the VMFS paths
# vicfg-mpath.pl --server 10.10.1.104 --list
* vicfg-nas.pl
* vicfg-nics.pl > configure the physical NICs in the host
* vicfg-ntp.pl > manage the NTP settings
# vicfg-ntp.pl --server 10.10.1.104 --list
- Lists the configured NTP servers on the host
# vicfg-ntp.pl --server 10.10.1.104 --add time.gov
- Adds time.gov to the ntp configuration
# vicfg-ntp.pl --server 10.10.1.104 --delete time.gov
- Removes the time.gov from the ntp configuration
# vicfg-ntp.pl --server 10.10.1.104 --start
- Starts the NTP service on the host
# vicfg-ntp.pl --server 10.10.1.104 --stop
- Stops the NTP service on the host
* vicfg-rescan.pl > rescanning for VMFS and storage
* vicfg-route.pl
* vicfg-snmp.pl > configure your SNMP settings
* vicfg-syslog.pl > configure the ESX host syslog target
* vicfg-user.pl > local ESXi user management
* vicfg-vmhbadevs.pl > all about the HBAs
* vicfg-vmknic.pl > more of the same info for your NICs
* vicfg-vswitch.pl > configuring the vSwitches
# vicfg-vswitch.pl --server 10.10.1.104 --add mine
- adds new vSwitch called mine
# vicfg-vswitch.pl --server 10.10.1.104 --add-pg public mine
- adds a port group called public to the vSwitch mine
# vicfg-vswitch.pl --server nhqesx036 vSwitch1 --pg mine --vlan 100
- adds a vlan tag of 100 to the port group mine.
# vicfg-vswitch.pl --server 10.10.1.104 --link vmnic1 mine
- adds the vmnic1 to the vSwitch called mine
* vifs.pl > used to move files to and from the ESX host
* vihostupdate.pl > updating and patching the ESX i
# vihostupdate.pl --server 10.10.1.104 /
--bundle --install ESXe350-200807812-O-BG.zip
- installs the ESXi patch on server 10.10.1.104
# vihostupdate.pl --server 10.10.1.104 -q
- shows the version of the ESXi host
* vmkfstools.pl > same as always, managing disks
* vmkuptime.pl - does nothing yet
* vms.pl
* vmware-cmd.pl > same as always managing the VMs on the host
Using the RCLI to configure a VMware ESXi server.... These tasks can be
accomplished via the Virtual Infrastructure client but with a little
scripting you can easily configure, audit and manage multiple ESXi hosts.
To help identify what a command does you can use the --help switch with any
of the perl scripts.
* vicfg-advcfg.pl - allows for the modification of any of the
advanced configuration options.
# vicfg-advcfg.pl --server 10.10.1.104 --get Cpu.MigratePeriod
- returns the value of Cpu.MigratePeriod
* vicfg-cfgbackup.pl - can backup and restore ESX settings
# vicfg-cfgbackup.pl --server 10.10.1.104 --save rwgood
* vicfg-cfgbackup.pl can also restore the file
# vicfg-cfgbackup.pl --server 10.10.1.104 --load rwgood --force
* vicfg-dns.pl allows you to change the DNS settings of a host
* vicfg-dumppart.pl > helps with the support files
* vicfg-module.pl > allows you to manage the loaded modules
* vicfg-mpath.pl - all sorts of info on the VMFS paths
# vicfg-mpath.pl --server 10.10.1.104 --list
* vicfg-nas.pl
* vicfg-nics.pl > configure the physical NICs in the host
* vicfg-ntp.pl > manage the NTP settings
# vicfg-ntp.pl --server 10.10.1.104 --list
- Lists the configured NTP servers on the host
# vicfg-ntp.pl --server 10.10.1.104 --add time.gov
- Adds time.gov to the ntp configuration
# vicfg-ntp.pl --server 10.10.1.104 --delete time.gov
- Removes the time.gov from the ntp configuration
# vicfg-ntp.pl --server 10.10.1.104 --start
- Starts the NTP service on the host
# vicfg-ntp.pl --server 10.10.1.104 --stop
- Stops the NTP service on the host
* vicfg-rescan.pl > rescanning for VMFS and storage
* vicfg-route.pl
* vicfg-snmp.pl > configure your SNMP settings
* vicfg-syslog.pl > configure the ESX host syslog target
* vicfg-user.pl > local ESXi user management
* vicfg-vmhbadevs.pl > all about the HBAs
* vicfg-vmknic.pl > more of the same info for your NICs
* vicfg-vswitch.pl > configuring the vSwitches
# vicfg-vswitch.pl --server 10.10.1.104 --add mine
- adds new vSwitch called mine
# vicfg-vswitch.pl --server 10.10.1.104 --add-pg public mine
- adds a port group called public to the vSwitch mine
# vicfg-vswitch.pl --server nhqesx036 vSwitch1 --pg mine --vlan 100
- adds a vlan tag of 100 to the port group mine.
# vicfg-vswitch.pl --server 10.10.1.104 --link vmnic1 mine
- adds the vmnic1 to the vSwitch called mine
* vifs.pl > used to move files to and from the ESX host
* vihostupdate.pl > updating and patching the ESX i
# vihostupdate.pl --server 10.10.1.104 /
--bundle --install ESXe350-200807812-O-BG.zip
- installs the ESXi patch on server 10.10.1.104
# vihostupdate.pl --server 10.10.1.104 -q
- shows the version of the ESXi host
* vmkfstools.pl > same as always, managing disks
* vmkuptime.pl - does nothing yet
* vms.pl
* vmware-cmd.pl > same as always managing the VMs on the host
ISO Mounting on Solaris
# lofiadm -a /export/temp/software.iso /dev/lofi/1
# mount -F hsfs -o ro /dev/lofi/1 /mnt
or
# mkdir /iso ; mount -F hsfs -o ro `lofiadm -a /tmp/software.iso` /iso
# mount -F hsfs -o ro /dev/lofi/1 /mnt
or
# mkdir /iso ; mount -F hsfs -o ro `lofiadm -a /tmp/software.iso` /iso