Tuesday, December 30, 2008

Script to set up syslog-ng on Solaris 10 hosts



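#!/bin/sh
# This script is for Solaris 10
#
# Installs a syslog-ng configuration and retires the stock Solaris
# system-log service.  Must be run as root.  Written for the legacy
# Bourne /bin/sh shipped with Solaris 10 (backticks, no $(...), no [[ ]]).

SYSLOG_NG=/usr/local/sbin/syslog-ng

# Refuse to touch the stock syslog unless the replacement binary is
# actually present; otherwise the host is left with no logging at all
# (the SMF method script below only discovers this at start time, which
# is after system-log has already been disabled).
if [ ! -x "$SYSLOG_NG" ]; then
echo "$SYSLOG_NG is missing or not executable; aborting." 1>&2
exit 1
fi

echo Creating syslog-ng.conf
mkdir -p /etc/syslog-ng
# The delimiter is quoted so that syslog-ng macros such as $HOST and
# $YEAR$MONTH$DAY are written literally instead of being expanded by the
# installing shell (with an unquoted delimiter and HOST unset, the per-host
# destination becomes "/var/log/perhost/.log." and every host's records
# land in one file).
cat << 'END' > /etc/syslog-ng/syslog-ng.conf
options {
stats(0);
sync(0);
time_reopen(1);
log_fifo_size(4096);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(yes);
# keep_hostname(yes): the $HOST used in the perhost destination is the
# hostname carried inside the message, i.e. whatever the remote sender
# put there, not the sender's source address.  A sender therefore picks
# which per-host file its records are written to.  On a central
# collector where attribution matters, set this to no.
keep_hostname(yes);
};

source sys {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
# Unauthenticated network listeners on all interfaces (udp() defaults to
# port 514; tcp on 5150).  Restrict reachability to the known senders at
# the host firewall (IPFilter) -- syslog-ng itself accepts from anyone.
udp();
tcp(ip("0.0.0.0") port(5150) max-connections(300));
};

filter notdebug {
level(info...emerg);
};
destination perhost {
file("/var/log/perhost/$HOST.log.$YEAR$MONTH$DAY");
};
log {
source(sys);
filter(notdebug);
destination(perhost);
};

# Forwarded in cleartext TCP; every log line (including whatever the
# applications log) crosses the network unencrypted and unauthenticated.
destination syslog-ng-server {
tcp("10.10.10.10" port(5150));
};
log {
source(sys);
filter(notdebug);
destination(syslog-ng-server);
};
END
chown root:sys /etc/syslog-ng/syslog-ng.conf
chmod 644 /etc/syslog-ng/syslog-ng.conf

echo Removing old init script links if they exist
# Legacy rc links of the stock syslog (the original list named
# /etc/init.d/syslog four times; listed once here).
rm -f /etc/init.d/syslog /etc/rc2.d/S74syslog /etc/rc0.d/K40syslog /etc/rc1.d/K40syslog /etc/rcS.d/K40syslog

echo Disabling stock syslog
svcadm disable system-log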

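echo Setting up syslog-ng method script
# Heredoc into the SMF method script.  The delimiter is quoted so that
# $LD_LIBRARY_PATH and the $SMF_EXIT_* codes are evaluated when SMF runs
# the method, not while this installer runs: SMF_EXIT_* are only defined
# by smf_include.sh, so expanding them here would leave a bare "exit".
cat << 'E0F' > /lib/svc/method/svc-syslog-ng
#!/bin/sh
. /lib/svc/share/smf_include.sh

# Start processes required for syslog-ng

# Required for certain libgcc and eventlog libraries.
# Our directories go first; any pre-existing value is appended only if it
# is non-empty.  The original "$LD_LIBRARY_PATH:/usr/local/lib:..." starts
# with an empty component when the variable is unset (the normal case
# under SMF), and ld.so.1 treats an empty component as the current
# directory -- for a root daemon that is a library-planting hole.
# NOTE(review): /usr/local/lib and /usr/sfw/lib must be root-owned and
# not group/world-writable for the same reason.
LD_LIBRARY_PATH=/usr/local/lib:/usr/sfw/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export LD_LIBRARY_PATH

if [ -x /usr/local/sbin/syslog-ng ]; then
/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf
else
echo "syslog-ng is missing or not executable."
exit $SMF_EXIT_ERR_CONFIG
fi

exit $SMF_EXIT_OK
E0F
chown root:bin /lib/svc/method/svc-syslog-ng
chmod 755 /lib/svc/method/svc-syslog-ng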

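echo Setting up SMF manifest
# Heredoc into the SMF manifest (the redirect was "cat </var/svc/..."
# in the captured copy, which would read the file instead of writing it).
# NOTE(review): the XML body below lost its element tags when the page was
# captured -- only attribute lines such as name='system/syslog-ng' and the
# exec= method lines survive, and the dependency FMRIs are gone entirely.
# Restore the complete manifest from the original source before running
# this installer; as written, the file will not pass 'svccfg validate'.
cat << 'E0F' > /var/svc/manifest/system/syslog-ng.xml




name='system/syslog-ng'
type='service'
version='1'>





name='milestone'
grouping='require_all'
restart_on='none'
type='service'>




name='filesystem'
grouping='require_all'
restart_on='none'
type='service'>




name='autofs'
grouping='optional_all'
restart_on='none'
type='service'>




name='name-services'
grouping='require_all'
restart_on='none'
type='service'>



name='syslog-ng_single-user'
grouping='optional_all'
restart_on='none'>




type='method'
name='start'
exec='/lib/svc/method/svc-syslog-ng'
timeout_seconds='60' />

type='method'
name='stop'
exec=':kill'
timeout_seconds='60' />

type='method'
name='refresh'
exec=':kill -HUP'
timeout_seconds='60' />



value='solaris.smf.manage.syslog-ng' />








E0F
chown root:sys /var/svc/manifest/system/syslog-ng.xml
chmod 444 /var/svc/manifest/system/syslog-ng.xml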

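echo Validating manifest
# Import and enable only if the manifest validates.  The original ran
# svccfg import and svcadm enable regardless of the validation result,
# after system-log had already been disabled.  On failure, put the stock
# syslog back so the host is not left without logging.
if svccfg validate /var/svc/manifest/system/syslog-ng.xml; then
echo Importing manifest
svccfg import /var/svc/manifest/system/syslog-ng.xml || exit 1
echo Starting syslog-ng
svcadm enable syslog-ng
else
echo "Manifest failed validation; re-enabling stock syslog." 1>&2
svcadm enable system-log
exit 1
fi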
root@maass> more /etc/syslog-ng/syslog-ng.conf
options {
stats(0);
sync(0);
time_reopen(1);
log_fifo_size(4096);
long_hostnames(off);
use_dns(no);
use_fqdn(no);
create_dirs(yes);
keep_hostname(yes);
};

source sys {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
udp();
tcp(ip("0.0.0.0") port(5150) max-connections(300));
};

filter notdebug {
level(info...emerg);
};
destination perhost {
file("/var/log/perhost/$HOST.log.$YEAR$MONTH$DAY");
};
log {
source(sys);
filter(notdebug);
destination(perhost);
};

destination florey {
tcp("144.83.19.28" port(5150));
};
log {
source(sys);
filter(notdebug);
destination(florey);
};


Syslog-ng log evacuation

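#!/bin/sh
#
# Nightly log evacuation: compress yesterday's syslog-ng per-host and proxy
# logs, copy them to the sawmill NFS share, and age out old files.  Runs as
# root from cron.  Written for the legacy Solaris /bin/sh (backticks, no $()).

PERHOST=/var/log/perhost
PROXY=/var/log/proxy
EVAC=/nfsserver/servers/sawmill/evacuated-logs
PROXYEVAC=/nfsserver/servers/sawmill/proxy-logs-to-be-processed

# Yesterday's date stamp.  TZ=EST29EDT names a zone 29 hours behind UTC,
# so the clock reads 24 hours earlier than EST5EDT; this only yields
# "yesterday" on hosts whose local zone is US Eastern.
YESTERDAY=`env TZ=EST29EDT date +%Y%m%d`

# Compress yesterday's files.  -exec runs gzip per file, so a day with no
# matching logs is a no-op; the original passed a possibly empty list,
# and gzip with no arguments compresses stdin instead.
/usr/bin/find "$PERHOST" -type f -name "*.$YESTERDAY" -exec /usr/bin/gzip {} \;
/usr/bin/find "$PROXY" -type f -name "*.$YESTERDAY" -exec /usr/bin/gzip {} \;

# Change ownership of the files so the remote sawmill process can read them.
# NOTE(review): this makes the live local logs world-readable too, not just
# the copies; consider applying the chmod only to the copies on the share.
/usr/bin/chmod 644 "$PERHOST"/*

# Copy the compressed files to the share (cp runs once per file).
/usr/bin/find "$PERHOST" -type f -name "*.$YESTERDAY.gz" -exec /usr/bin/cp {} "$EVAC" \;
/usr/bin/find "$PROXY" -type f -name "*.$YESTERDAY.gz" -exec /usr/bin/cp {} "$PROXYEVAC" \;
#
/usr/bin/chmod 644 "$EVAC"/*
/usr/bin/chown 55555:55555 "$EVAC"/*

# Remove the local syslog-ng server files after 7 days.  Scoped to the two
# log directories and to regular files: the original ran
# 'rm `find /var/log -mtime +7`', which deletes every aged file anywhere
# under /var/log and fails outright when the list is empty.
/usr/bin/find "$PERHOST" "$PROXY" -type f -mtime +7 -exec /usr/bin/rm -f {} \;

# Clear out the evacuated copies older than 21 days.
# NOTE(review): this path (/hjfnfs/...) differs from the /nfsserver/...
# path the copies are written to above; confirm which mount point is right
# before relying on the 21-day cleanup.
/usr/bin/find /hjfnfs/servers/sawmill/evacuated-logs -name "*log*.gz" -mtime +21 -exec /usr/bin/rm -f {} \;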

Script to clear out Solaris corefiles

Run this from the global zone...




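#!/bin/sh
#
# clear out corefiles
# miw 9/1/06
#
# Removes core files from the global zone's /var/core and from every local
# zone's /var/core.  Run from the global zone.
#
# A loop instead of a bare 'rm glob': an unmatched pattern is skipped
# instead of making rm fail on the literal "core*", and symlinks are
# skipped so a link planted inside a zone cannot point the rm at a
# global-zone file.
# NOTE(review): a zone's administrator controls everything under
# /zones/<zone>/root, and a symlinked *directory* component (var, or
# var/core) is still followed from the global zone.  If that matters,
# remove the files from inside each zone (zlogin) instead.
for f in /var/core/core* /zones/*/root/var/core/core*
do
if [ -f "$f" ] && [ ! -h "$f" ]; then
/usr/bin/rm -f "$f"
fi
done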


Script to email basic system info



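#!/bin/sh

#
# This script emails basic system info to sysadmin
#
# Collects uname -a, ufs inode usage and the contents of /etc/passwd,
# /etc/group and /etc/vfstab into $file, then mails the file as recovery
# information.  The local copy is kept after mailing.  Written for the
# legacy Solaris /bin/sh (backticks, no $()).
#
# NOTE(review): the snapshot lists every account and the filesystem layout
# and goes out as cleartext e-mail; the local copy is made mode 0600 below
# (umask for a fresh file, chmod for an existing one) so that only root
# can read it.
#
SERVERNAME=`uname -n`
file=/usr/local/scripts/safe
umask 077
#
uname -a > "$file"
chmod 600 "$file"
#
/usr/bin/df -F ufs -o i >> "$file"
#
for i in /etc/passwd /etc/group /etc/vfstab
do
echo "" >> "$file"
# (the captured copy had this redirect split across two lines)
echo "***********************************************************************" >> "$file"
ls -l "$i" >> "$file"
cat "$i" >> "$file"
done
#
# Optional extra sections, currently disabled:
#for a in "swap -l" "df -k" "prtvtoc /dev/dsk/c1t0d0s0" /usr/sbin/metastat "/usr/sbin/metadb -i"
#do
#echo "***********************************************************************" >> "$file"
#echo "$a" >> "$file"
#$a >> "$file"
#done
#
mailx -s "recovery_info_$SERVERNAME" me@myhost.com < "$file"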


Script to manage syslog-ng files

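#!/bin/sh
#
# miw 9/20/07
#
# Rotation for the syslog-ng per-host logs under /var/log/perhost.
# Written for the legacy Solaris /bin/sh.

# gzip any syslog-ng logfiles older than 7 days.  Regular files only, and
# skip files that are already compressed: the original "*.log*" pattern
# also matched the .gz files, so gzip was invoked on them again every run.
find /var/log/perhost -type f -name "*.log*" ! -name "*.gz" -mtime +7 -exec /bin/gzip {} \;

# clear out the syslog-ng logfiles older than 21 days
find /var/log/perhost -type f -name "*log*.gz" -mtime +21 -exec /bin/rm -f {} \;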

Script to check for expiring passwords

/usr/local/scripts/account-exp


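#!/bin/sh
#
# This script checks to see if an account's password is expired and
# then sends me an email
#
# It greps the cron log for the word "expire" and, when anything matches,
# mails uname -a plus the matching lines.  The match is repeated on every
# run for as long as the line stays in the log.  Written for the legacy
# Solaris /bin/sh (backticks, no $()).
#

##############
# Variables
##############
SERVERNAME=`uname -n`
LOGFILE=/var/cron/log
WORD=expire


#########################################
# Check to see if there are
# any expired accounts
#########################################

# grep -c counts matching lines directly (was grep | wc -l); default to 0
# if the log is unreadable so the numeric test below still works.
EXPIRED=`grep -c "${WORD}" "${LOGFILE}" 2>/dev/null`
EXPIRED=${EXPIRED:-0}

#########################################
# If an expired account has
# been detected, email the administrator
#########################################

if [ "${EXPIRED}" -ne 0 ]; then

# Scratch file.  The original used the fixed name /var/tmp/accounts in a
# world-writable directory; run as root from cron, "uname -a >$file" would
# follow a symlink planted there by any local user and overwrite whatever
# it points at.  mktemp creates an unpredictable, mode 0600 file, and the
# trap removes it on every exit path.
file=`/usr/bin/mktemp /var/tmp/accounts.XXXXXX` || exit 1
trap 'rm -f "$file"' 0 1 2 15

# Attach a header
uname -a > "$file"
echo "" >> "$file"
echo "**************************************************************" >> "$file"
#

# Also attach expired info
grep "${WORD}" "${LOGFILE}" >> "$file"
#

# Now email the administrator
mailx -s "expired_accounts_$SERVERNAME" me@myhost.com < "$file"
#

# Clean up is done by the trap above.

fi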

Script to remove Staroffice from Solaris

Not fancy, but it works...

#!/bin/sh
#
# Remove the bundled StarOffice packages, one pkgrm per package, in the
# same order as before.  pkgrm asks for confirmation on each package
# unless it is run non-interactively.
for pkg in \
SUNWstaroffice-xsltfilter \
SUNWstaroffice-writer \
SUNWstaroffice-w4wfilter \
SUNWstaroffice-sunsearchtoolbar \
SUNWstaroffice-ooofonts \
SUNWstaroffice-menuintegration \
SUNWstaroffice-math \
SUNWstaroffice-lngutils \
SUNWstaroffice-javafilter \
SUNWstaroffice-impress \
SUNWstaroffice-graphicfilter \
SUNWstaroffice-gnome-integration \
SUNWstaroffice-gallery \
SUNWstaroffice-base \
SUNWstaroffice-calc \
SUNWstaroffice-core01 \
SUNWstaroffice-core02 \
SUNWstaroffice-core03 \
SUNWstaroffice-core04 \
SUNWstaroffice-core05 \
SUNWstaroffice-core06 \
SUNWstaroffice-core07 \
SUNWstaroffice-core08 \
SUNWstaroffice-core09 \
SUNWstaroffice-draw
do
pkgrm "$pkg"
done



Someone pointed out that this one-liner would work as well -- I like it for its simplicity (note that `yes |` auto-answers every pkgrm prompt, and `grep staroffice` matches the substring anywhere in the pkginfo line, so check the pkginfo output first):


# yes | pkgrm `pkginfo | grep staroffice | awk '{print $2}'`

Solaris ssh


Best way to start/initialize ssh:

/lib/svc/method/sshd -c
svcadm enable network/ssh

Other stuff:

svcs -l sshd
svcadm enable ssh
svcadm restart ssh
svcadm enable svc:/network/ssh:default
/usr/sbin/ssh-keygen -t rsa1 -b 1024 -f
/usr/sbin/ssh-keygen -t rsa -b 1024 -f
/usr/sbin/ssh-keygen -t dsa -b 1024 -f

(The -f argument, the output key path, is missing from these lines. `-t rsa1` produces an SSH protocol 1 host key; protocol 1 is obsolete and should be disabled in sshd_config rather than given a key. 1024-bit RSA/DSA keys are below current minimums -- use `-t rsa -b 2048` or larger for the protocol 2 host key.)

Solaris 10 /devices

/devices is now dynamic and managed by the devfs filesystem. If necessary, new devices can be configured using /usr/sbin/cfgadm. Generate the /dev/dsk and /dev/rdsk links with
/usr/sbin/devfsadm

Solaris JASS / VNC problem

If you ever need to run VNC with inetd on a server after applying SUNWjass's secure.driver, make sure to change the following file that JASS creates - /etc/dt/config/Xaccess (do not confuse this with /usr/dt/config/Xaccess or /usr/openwin/lib/X11/xdm/Xaccess):

(before)

##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS

## Deny all remote access (direct/broadcast) to this X server.

!*


(after)

##
## ex.
## !xtra.lcs.mit.edu # disallow direct/broadcast service for xtra
## bambi.ogi.edu # allow access from this particular display
## *.lcs.mit.edu # allow access from any display in LCS

## All remote access (direct/broadcast) to this X server.

*


Be clear about what this opens: Xaccess governs which hosts dtlogin will answer over XDMCP (UDP 177), and dtlogin is a standalone daemon, so /etc/hosts.allow and /etc/hosts.deny -- which only apply to services that go through tcp_wrappers, such as those started by inetd -- do not restrict it; with `*` any host that can reach UDP 177 gets a login greeter. If the inetd-started Xvnc only does `-query localhost`, list just the local host in Xaccess instead of `*`; hosts.allow/hosts.deny then still control who can reach the VNC port itself.

Auto-ftp script

One of our Peoplesoft developers needed a script to ftp encrypted files to a vendor. Here's what I came up with:


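#!/usr/bin/ksh
#
# Upload one PGP-encrypted file to a vendor's FTP server, driving ftp(1)
# as a ksh co-process (|&, print -p).  ftp's own output goes to fd 4 (a
# copy of stdout) so the transcript is visible in the cron mail / terminal.
#
# NOTE(review): FTP sends the user name and password in cleartext, and
# they are also stored in this script -- keep it mode 0700, or move the
# credentials into a root-only file that is sourced here.  The PGP layer
# protects the file's contents, not the login.  /tmp/ww lives under a
# world-writable directory: make sure only the uploading user can write
# to it, or another local user can swap the file before it is sent.
HOST='ftp.somehost.com'
USER='myusername'
PASSWD='mypassword'
FILE='somefilename.PGP'
LOCATION='remotefolder'
SRCDIR=/tmp/ww

# Stop early if the working directory or the file is missing.  The
# original carried on: 'put' failed inside ftp while the script still
# exited 0, so the caller never learned nothing was uploaded.
cd "$SRCDIR" || exit 1
if [ ! -f "$FILE" ]; then
print -u2 "$FILE not found in $SRCDIR"
exit 1
fi

exec 4>&1
ftp -nv >&4 2>&4 |&
print -p open "$HOST"
print -p user "$USER" "$PASSWD"
print -p cd "$LOCATION"
print -p binary
print -p put "$FILE"
# End the session cleanly and wait for ftp to finish instead of leaving
# the co-process to die on EOF.  ftp does not report transfer failures in
# its exit status, so a failed put is only visible in the transcript.
print -p quit
wait
exit 0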

Monday, December 29, 2008

VMware RCLI commands for ESXi

[I didn't write this, but it's a nice summary]

Using the RCLI to configure a VMware ESXi server.... These tasks can be
accomplished via the Virtual Infrastructure client but with a little
scripting you can easily configure, audit and manage multiple ESX i hosts.

To see what a command does, use the --help switch with any of the Perl scripts. Unless --username/--password (or a session file) are supplied, the scripts prompt for the host credentials; avoid putting the password on the command line, where it is visible in the process list and shell history.


* vicfg-advcfg.pl - allows for the modification of any of the
advanced configuration options.

# vicfg-advcfg.pl --server 10.10.1.104 --get Cpu.MigratePeriod
- returns the value of Cpu.MigratePeriod

* vicfg-cfgbackup.pl - can backup and restore ESX settings

# vicfg-cfgbackup.pl --server 10.10.1.104 --save rwgood

* vicfg-cfgbackup.pl can also restore the file

# vicfg-cfgbackup.pl --server 10.10.1.104 --load rwgood --force

* vicfg-dns.pl allows you to change the DNS settings of a host

* vicfg-dumppart.pl > helps with the support files

* vicfg-module.pl > allows you to manage the loaded modules

* vicfg-mpath.pl - all sorts of info on the VMFS paths

# vicfg-mpath.pl --server 10.10.1.104 --list

* vicfg-nas.pl
* vicfg-nics.pl > configure the physical NICs in the host
* vicfg-ntp.pl > manage the NTP settings

# vicfg-ntp.pl --server 10.10.1.104 --list
- Lists the configured NTP servers on the host

# vicfg-ntp.pl --server 10.10.1.104 --add time.gov
- Adds time.gov to the ntp configuration

# vicfg-ntp.pl --server 10.10.1.104 --delete time.gov
- Removes the time.gov from the ntp configuration

# vicfg-ntp.pl --server 10.10.1.104 --start
- Starts the NTP service on the host

# vicfg-ntp.pl --server 10.10.1.104 --stop
- Stops the NTP service on the host

* vicfg-rescan.pl > rescanning for VMFS and storage

* vicfg-route.pl

* vicfg-snmp.pl > configure your SNMP settings

* vicfg-syslog.pl > configure the ESX host syslog target

* vicfg-user.pl > local ESXi user management

* vicfg-vmhbadevs.pl > all about the HBAs

* vicfg-vmknic.pl > manage the VMkernel NICs (more of the same kind of NIC information)

* vicfg-vswitch.pl > configuring the vSwitches

# vicfg-vswitch.pl --server 10.10.1.104 --add mine
- adds new vSwitch called mine

# vicfg-vswitch.pl --server 10.10.1.104 --add-pg public mine
- adds a port group called public to the vSwitch mine

# vicfg-vswitch.pl --server nhqesx036 vSwitch1 --pg mine --vlan 100
- adds a vlan tag of 100 to the port group mine.

# vicfg-vswitch.pl --server 10.10.1.104 --link vmnic1 mine
- adds the vmnic1 to the vSwitch called mine

* vifs.pl > used to move files to and from the ESX host

* vihostupdate.pl > updating and patching the ESX i

# vihostupdate.pl --server 10.10.1.104 \
--bundle --install ESXe350-200807812-O-BG.zip
- installs the ESXi patch on server 10.10.1.104

# vihostupdate.pl --server 10.10.1.104 -q
- shows the version of the ESXi host

* vmkfstools.pl > same as always, managing disks
* vmkuptime.pl - does nothing yet
* vms.pl
* vmware-cmd.pl > same as always managing the VMs on the host

ISO Mounting on Solaris

# lofiadm -a /export/temp/software.iso /dev/lofi/1
# mount -F hsfs -o ro /dev/lofi/1 /mnt


or


# mkdir /iso ; mount -F hsfs -o ro `lofiadm -a /tmp/software.iso` /iso