N-C


Wednesday 15 June 2016

SSH command and useful options

Many ssh options are not described in man ssh itself, and when you need to automate a script it can be useful to bypass some of the prompts that the default ssh command raises.

Examples (more information in man ssh_config):

  • ConnectTimeout=xx gives up the connection if there is no reply after xx seconds
  • PasswordAuthentication=yes|no   whether to ask for a password (default yes)
  • ChallengeResponseAuthentication=yes|no   (default yes)
  • BatchMode=yes|no  disables the passphrase/password prompts, really useful for scripting (default no)
  • StrictHostKeyChecking=yes|no|ask  (default ask) useful to add the host key of a new server to ~/.ssh/known_hosts automatically without asking

A useful ssh command example:

LISTE_SERV=/Path_list
LOG_OUT=/PATH_log

for i in $(cat "$LISTE_SERV"); do ssh "$i" -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o ChallengeResponseAuthentication=no "command into ssh tunnel" >> "$LOG_OUT"; done
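As an added example (not part of the original post), the loop above turned into a small script with the options described: it never prompts, keeps strict host-key checking instead of disabling it, and tells ssh's own failures (exit status 255) apart from failures of the remote command. The host names and the hosts-file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: run one command on every host of a list without
# any interactive prompt, and record per host whether ssh itself failed or the remote command did.
# Assumptions: OpenSSH client; a hosts file with one "user@host" per line (names are constructed).

# Options that keep ssh from ever prompting. StrictHostKeyChecking=yes, unlike the post's "no",
# refuses hosts that are not already in known_hosts instead of trusting whatever key is offered,
# so known_hosts has to be seeded beforehand from a trusted source.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"
SSH_OPTS="$SSH_OPTS -o ChallengeResponseAuthentication=no -o PasswordAuthentication=no"

# ssh exits with 255 for its own errors (timeout, key refused, unknown host key);
# any other non-zero status is the exit code of the remote command.
classify_status() {
  case "$1" in
    0)   echo ok ;;
    255) echo ssh-error ;;
    *)   echo "remote-exit-$1" ;;
  esac
}

# run_on_hosts HOSTFILE COMMAND: prints one "host<TAB>status<TAB>output" line per host.
run_on_hosts() {
  hostfile="$1"; cmd="$2"
  while IFS= read -r host || [ -n "$host" ]; do        # also handles a missing final newline
    case "$host" in ''|'#'*) continue ;; esac           # skip blank lines and comments
    rc=0
    # -n keeps ssh from swallowing the rest of the host list on stdin; the "|| rc=$?"
    # form records the status without tripping "set -e" in callers.
    out=$(ssh -n $SSH_OPTS "$host" "$cmd" 2>&1) || rc=$?
    printf '%s\t%s\t%s\n' "$host" "$(classify_status "$rc")" "$out"
  done < "$hostfile"
}

# As a script: ./sweep.sh hosts.txt 'uptime' >> /var/log/ssh-sweep.log
if [ "$#" -ge 2 ]; then
  run_on_hosts "$1" "$2"
fi
```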

To copy an SSH public key to a remote server over SSH:

cat ~/.ssh/id_dsa.pub | ssh "${username}@${remote_server}" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"


For more options to scan your whole Unix/Linux information system, you can use the script below.

Tuesday 17 May 2016

Awk tips

I can handle `cut` well enough, but awk is a rather powerful tool that allows far more.
Since every time I end up searching the web for the right syntax, I am going to gather here the awk commands I use regularly, as examples:

chkconfig, filtered by column:

chkconfig --list | egrep "tomcatxxx|tomcatyyy|tomcatzzz|apachexxx" | awk 'BEGIN{FS="\t"} {print $1,$5}'

Output:

apachexxx 3:on
apachexxx3      3:on
tomcatyyy1        3:on
tomcatxxx1      3:on
tomcatxxx2      3:on
tomcatzzz3      3:on
tomcatxxx4      3:on


Display column 1, filtering on column 2 when the value of column 2 equals "0":

 awk '$2 == 0 {print $1}' liste_test

Wednesday 4 May 2016

HowTo: create a mirrored LV with a Pacemaker HA cluster on RHEL 7


Hi,

Here is a tip to add or remove an LV using a RAID mirror across multiple slices, all of this under an HA cluster on RHEL 7.1.

The HA cluster is managed by Pacemaker.

Why this post?

Because there is a bug in Red Hat's implementation and Red Hat support did not find the solution on their own.

So, first, the need is: (we already have 4 PVs using multipath, and 1 VG "vgtest" already handled by a Pacemaker resource)

lvcreate -m1 -i2 -I 128 -L 200m -n test4 vgtest /dev/mapper/pv1-1 /dev/mapper/pv2-1 /dev/mapper/pv1-2 /dev/mapper/pv2-2


First, we have to disable the resource on the active node:
pcs resource disable $resource_name_vgtest

Then we need to reconfigure /etc/lvm/lvm.conf:

locking_type = 1
ignore_lvm_mirrors = 0    # set it to 1 if you need to remove a failed or inactive LV/VG
use_lvmetad = 1
## Add the VG to the local volume list:
volume_list = [ "vgroot", "vgtest" ]

Reload lvm:
systemctl restart lvm2-lvmetad

# create your LV with RAID 1 across 4 slices #
lvcreate -m1 -i2 -I 128 -L 200m -n test4 vgtest /dev/mapper/pv1-1 /dev/mapper/pv2-1 /dev/mapper/pv1-2 /dev/mapper/pv2-2
# format it - xfs is the default on RHEL 7 #
mkfs.xfs /dev/vgtest/test4   (or /dev/mapper/vgtest-test4)


## Hand the local LV back to the cluster ##
Edit /etc/lvm/lvm.conf and set the property back to:
 volume_list = [ "vgroot" ]

# reload the lvm service
systemctl restart lvm2-lvmetad

# enable the pacemaker resource
pcs resource enable $resource_name_vgtest


You can check it with:
pcs resource  || pcs status
## everything has to be "Started" ##

## Then you can mount this LV like any other filesystem ##

## If not everything is started, run a cleanup to purge the failed actions and re-detect the status:
pcs resource cleanup $Resource_name
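As an added example (not part of the original post), the two lvm.conf edits and the final status check of this procedure as shell functions, so that the change to volume_list is scripted and verified rather than hand-edited. The VG names and the sample "pcs resource" output are constructed; GNU sed is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the two lvm.conf edits and the final status
# check of the procedure above as functions, so the volume_list change is scripted and
# verified rather than hand-edited. Assumes one uncommented "volume_list = [...]" line
# and GNU sed; the VG names and the sample "pcs resource" output are constructed.

# get_volume_list CONF: print the content of the active volume_list line, e.g. "vgroot", "vgtest"
get_volume_list() {
  sed -n 's/^[[:space:]]*volume_list[[:space:]]*=[[:space:]]*\[[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\].*/\1/p' "$1"
}

# set_volume_list CONF VG...: make the active line contain exactly the given VGs (the post
# adds "vgtest" for the local lvcreate and removes it again before re-enabling the resource).
# Commented example lines are left alone and a backup of the file is kept.
set_volume_list() {
  conf="$1"; shift
  list=""
  for vg in "$@"; do list="${list:+$list, }\"$vg\""; done
  cp -p -- "$conf" "$conf.bak"
  sed -i "s/^\([[:space:]]*volume_list[[:space:]]*=\).*/\1 [ $list ]/" "$conf"
  [ "$(get_volume_list "$conf")" = "$list" ]   # fails if no active line was found
}

# all_started: reads "pcs resource" output on stdin and succeeds only when at least one
# resource line exists and every one of them is "Started" (the "all have to be started" check).
# A resource line looks like:  name<TAB>(ocf::provider:agent):<TAB>Started node1
all_started() {
  awk '/\(ocf::[^)]*\):/ { n++; if ($0 !~ /\):[ \t]+Started([ \t]|$)/) bad++ }
       END { exit (n == 0 || bad > 0) }'
}
```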

Friday 25 March 2016

Fibre Channel commands - Solaris

To see info on all FC ports: fcinfo hba-port -l


To see port status:

luxadm -e port


Show link errors:

luxadm -e rdls /dev/cfg/c1   (controller name as reported by fcinfo)

Examine an individual path:

luxadm disp /dev/rdsk/c1t0xxxxxxxxxxxxx


Display info on scsi devices:

cfgadm -al


Show the FC ports:

mpathadm list initiator-port


Check for support:

mpathadm list mpath-support


To see how many "logical units" are visible:

mpathadm show lu /dev/rdsk/c0t1xxxxxxxx


Run an inquiry on a disk: (more verbose)

luxadm inq /dev/rdsk/c0t1xxxxxx

Enabling multipath:

grep -i mpxio /kernel/drv/fp.conf   (set it to "no" to enable multipath)

then reboot the server.

Thursday 17 March 2016

Remote check of the OpenSSL ciphers in use

This script produces the list of ciphers used across all the protocols of the openssl package, as accepted by a remote server:

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=xxx.xxx.xxx.xxx:443
DELAY=1
# one cipher per word; 'ALL:eNULL' also includes the null-encryption suites
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo "Obtaining cipher list from $(openssl version)."

for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # </dev/null closes stdin so that s_client exits right after the handshake
  result=$(openssl s_client -cipher "$cipher" -connect "$SERVER" </dev/null 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # field 6 of the OpenSSL error line is the human-readable reason
    error=$(echo -n $result | cut -d':' -f6)
    echo "NO ($error)"
  else
    if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
      echo YES
    else
      echo UNKNOWN RESPONSE
      echo "$result"
    fi
  fi
  sleep "$DELAY"
done


Command to test the anonymous mode while excluding SSLv3, TLS 1.0 and TLS 1.1 (keeping only TLS 1.2), hoping that you have an up-to-date openssl version that has removed SSLv2 :)


openssl s_client -no_tls1_1 -no_ssl3 -no_tls1 -connect xxx.xxx.xxx.xxx:443 -cipher aNULL


Output: (anonymous connection OK :(  == security flaw)

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ADH-AES256-GCM-SHA384
    Session-ID:....
......

Otherwise an error such as: (anonymous connection NOK)

6924:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:../../../../common/openssl/ssl/s23_clnt.c:470:
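As an added example (not from the post), the YES/NO/UNKNOWN verdict of the script and the reading of the "-cipher aNULL" probe as functions over captured s_client output, so the logic can be checked against text like the two results above. The sample outputs are constructed, modelled on those two results.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the YES/NO/UNKNOWN verdict of the script above
# and the reading of the "-cipher aNULL" probe, as functions over captured s_client output.
# The two sample outputs are constructed, modelled on the results shown in the post.

# classify OUTPUT: the same rules as the loop in the script; field 6 of an OpenSSL error
# line is the human-readable reason (newlines are folded first, as "echo -n $result" did).
classify() {
  case "$1" in
    *":error:"*)   echo "NO ($(printf '%s' "$1" | tr '\n' ' ' | cut -d: -f6))" ;;
    *"Cipher is "*|*"Cipher    :"*) echo YES ;;
    *)             echo UNKNOWN ;;
  esac
}

# negotiated_cipher OUTPUT: the suite named in the SSL-Session block, or nothing.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# is_anonymous SUITE: anonymous (EC)DH suites authenticate no one; they are what aNULL selects.
is_anonymous() { case "$1" in ADH-*|AECDH-*) return 0 ;; *) return 1 ;; esac; }

# anon_verdict OUTPUT: meaning of the probe result. A failed handshake still prints an
# SSL-Session block with "Cipher : 0000" (or "(NONE)"), which must not count as a cipher.
anon_verdict() {
  c=$(negotiated_cipher "$1")
  case "$c" in
    ''|0000|'(NONE)') echo REFUSED ;;
    *) if is_anonymous "$c"; then echo "VULNERABLE ($c accepted)"; else echo "AUTHENTICATED ($c)"; fi ;;
  esac
}

# Constructed samples: an accepted anonymous suite, and the handshake failure shown in the post.
SAMPLE_OK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ADH-AES256-GCM-SHA384
    Session-ID: 0123'
SAMPLE_FAIL='CONNECTED(00000003)
6924:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:../../../../common/openssl/ssl/s23_clnt.c:470:
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

echo "probe 1: $(classify "$SAMPLE_OK") -> $(anon_verdict "$SAMPLE_OK")"
echo "probe 2: $(classify "$SAMPLE_FAIL") -> $(anon_verdict "$SAMPLE_FAIL")"
```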

