June 2018
M T W T F S S
« May    
 123
45678910
11121314151617
18192021222324
252627282930  

Categories

WordPress Quotes

Are you bored with life? Then throw yourself into some work you believe in with all your heart, live for it, die for it, and you will find happiness that you had thought could never be yours.
Dale Carnegie

Recent Comments

June 2018
M T W T F S S
« May    
 123
45678910
11121314151617
18192021222324
252627282930  

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (26)
Ansibile (17)
Apache (124)
Asterisk (2)
cassandra (2)
Centos (207)
Centos RHEL 7 (250)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (24)
Eassy (11)
EXCHANGE (3)
Fedora (6)
ftp (5)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
horoscope (23)
Hyper-V (10)
IIS (15)
IPTABLES (15)
JAVA (6)
JBOSS (32)
jenkins (1)
Kubernetes (1)
Ldap (4)
Linux (188)
Linux Commands (167)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (21)
MYSQL (80)
Nagios (5)
NaturalOil (13)
Nginx (27)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (33)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (11)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (59)
Uncategorized (29)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

20 visitors online now
4 guests, 16 bots, 0 members

Hit Counter provided by dental implants orange county

JBoss Too Many Files Open Error

 

First of all you want to determine what file(s) remain open. I’m assuming your server runs linux, so once you know JBoss’es PID

ps ax | grep something-that-makes-your-jboss-process-unique

you can do

ls -l /proc/jbosspid/fd

to get a nice list of files that are open at that instant.

What you’re going to do next depends a bit on what you see here:

  1. you may just need to up the number of files the server can open a bit with ulimit (also look at systemwide limits on your server)
  2. maybe you spot a number of files your application forgot to close
  3. ….

 

Also the max limit is high

linux-server:~# cat /proc/sys/fs/file-max
202989

and the max ever occupied is well below the limit:
cat /proc/sys/fs/file-nr
6304 0 202989

all users return the same limit (including the jboss user who initiates the app server):
jboss@linux-server:/home$ ulimit -n

A wat to have a look at this is to run the lsof command (only as root) – it will show you all the open file descriptors.

In order to fix that, edit the file in /etc/security/limits.conf and add the following lines and restart your jboss.

jboss          soft    nofile          16384
jboss          hard    nofile          16384

(assuming your jboss is run by the “jboss” user)

 

 

  • Settings in /etc/security/limits.conf take the following form:
    # vi /etc/security/limits.conf
    #<domain>        <type>  <item>  <value>
    
    *               -       core             <value>
    *               -       data             <value>
    *               -       priority         <value>
    *               -       fsize            <value>
    *               soft    sigpending       <value> eg:57344
    *               hard    sigpending       <value> eg:57444
    *               -       memlock          <value>
    *               -       nofile           <value> eg:1024
    *               -       msgqueue         <value> eg:819200
    *               -       locks            <value>
    *               soft    core             <value>
    *               hard    nofile           <value>
    @<group>        hard    nproc            <value>
    <user>          soft    nproc            <value>
    %<group>        hard    nproc            <value>
    <user>          hard    nproc            <value>
    @<group>        -       maxlogins        <value>
    <user>          hard    cpu              <value>
    <user>          soft    cpu              <value>
    <user>          hard    locks            <value>
    
    • <domain> can be:
      • an user name
      • a group name, with @group syntax
      • the wildcard *, for default entry
      • the wildcard %, can be also used with %group syntax, for maxlogin limit
    • <type> can have the two values:
      • “soft” for enforcing the soft limits
      • “hard” for enforcing hard limits
    • <item> can be one of the following:
      • core – limits the core file size (KB)
      • data – max data size (KB)
      • fsize – maximum filesize (KB)
      • memlock – max locked-in-memory address space (KB)
      • nofile – max number of open files
      • rss – max resident set size (KB)
      • stack – max stack size (KB)
      • cpu – max CPU time (MIN)
      • nproc – max number of processes
      • as – address space limit (KB)
      • maxlogins – max number of logins for this user
      • maxsyslogins – max number of logins on the system
      • priority – the priority to run user process with
      • locks – max number of file locks the user can hold
      • sigpending – max number of pending signals
      • msgqueue – max memory used by POSIX message queues (bytes)
      • nice – max nice priority allowed to raise to values: [-20, 19]
      • rtprio – max realtime priority
  • Exit and re-login from the terminal for the change to take effect.
  • More details can be found from below command:
# man limits.conf

Diagnostic Steps

  • To improve performance, we can safely set the limit of processes for the super-user root to be unlimited. Edit the .bashrc file vi /root/.bashrcand add the following line:
# vi /root/.bashrc
ulimit -u unlimited

HTTPS TLS performance optimization details

HTTPS TLS performance optimization details

HTTPS (HTTP over SSL) is a security-oriented HTTP channel and can be understood as HTTP + SSL/TLS, that is, adding an SSL/TLS layer under HTTP as a security foundation. The predecessor of TLS is SSL. Currently, TLS 1.2 is widely used.

 

 

TLS performance tuning
TLS is widely considered to slow down services, mainly because early CPUs are still slow, and only a few sites can afford cryptographic services. But today’s computing power is no longer the bottleneck of TLS. In 2010, Google enabled encryption on its e-mail service by default, after which they stated that SSL/TLS no longer costly calculations:

In our front-end services, SSL/TLS calculations account for less than 1% of CPU load, less than 10KB of memory per connection, and less than 2% of network overhead.

1. 
The speed of delay and connection management network communication is determined by two major factors: bandwidth and delay.

Bandwidth: Used to measure how much data can be sent in a unit of time. 
Delay: Describe the time required for a message to be sent from one end to the other. 
Among them, bandwidth is a secondary factor because usually you can buy more bandwidth at any time; This is unavoidable because it is a limitation that is imposed when data is transmitted over a network connection.

Latency has a particularly large impact on TLS because it has its own well-designed handshaking, adding an additional two round trips during connection initialization.

1.1 TCP Optimization 
Each TCP connection has a speed limit called a congestion window that is initially small and grows over time with guaranteed reliability. This mechanism is called slow start.

Therefore, for all TCP connections, the startup is slow and worse for the TLS connection because the TLS handshake protocol consumes precious initial connection bytes (when the congestion window is small). If the congestion window is large enough, there is no additional delay for slow start. However, if the long handshake protocol exceeds the size of the congestion window, the sender must split it into two blocks, send a block first, wait for confirmation (a round trip), increase the congestion window, and then send the rest.

1.1.1 Congestion Window Tuning The 
startup speed limit is called the initial congestion window. RFC6928 recommends that the initial congestion window be set to 10 network segments (approximately 15 KB). The early advice was to start with 2-4 network segments.

 

 

 

 

On older Linux platforms, you can change the initial congestion window of the route:

# ip route | while read p; do ip route change $p initcwnd 10; done

1.1.2 Preventing Slow Start Slow Start 
Slow start can affect the connection over a period of time without any traffic, reducing its speed, and the speed drops very quickly. On Linux, you can disable slow start when the connection is idle:

# sysctl -w net.ipv4.tcp_slow_start_after_idle=0 can be made permanent by adding this setting to the /etc/sysctl.conf configuration.

1.2 Long Connections In 
most cases, the TLS performance impact is concentrated on the start handshake phase of each connection. An important optimization technique is to keep every connection as close as possible with the number of connections allowed.

The current trend is to use an event-driven WEB server to handle all communications by using a fixed thread pool (even a single thread), thereby reducing the cost of each connection and the possibility of being attacked.

The disadvantage of long connections is that after the last HTTP connection is completed, the server waits for a certain amount of time before closing the connection, although a connection does not consume too many resources, but it reduces the overall scalability of the server. Long connections are suitable for scenarios where the client bursts a large number of requests.

When configuring large long connection timeouts, it is important to limit the number of concurrent connections to avoid server overload. Adjust the server by testing to run within capacity limits. If TLS is handled by OpenSSL, make sure that the server correctly sets the SSL_MODE_RELEASE_BUFFERS flag.

1.3 HTTP/2.0 
HTTP/2.0 is a binary protocol that provides features such as multiplexing and header compression to improve performance.

1.4 CDNs 
use CDNs to achieve world-class performance, using geographically dispersed servers to provide edge caching and traffic optimization.

The further away the user is from your server, the slower the access to the network, in which case connection establishment is a big limiting factor. For the server to be as close to the end user as possible, the CDN operates a large number of geographically distributed servers, which can provide two ways to reduce latency, namely edge caching and connection management.

1.4.1 Edge Cache 
Since the CDN server is close to the user, you can provide your file to the user just as if your server is really there.

1.4.2 Connection Management 
If your content is dynamic, user-specific, you cannot cache data through the CDN for a long time. However, a good CDN can help with connection management even without any cache, which is that it can eliminate most of the cost of establishing a connection through a long connection that is maintained for a long time.

Most of the time spent establishing a connection is spent waiting. To minimize waiting, the CDN routes traffic to its closest point to the destination through its own basic settings. Because it is the CDN’s own fully controllable server, it can maintain long internal connections for a long time.

When using a CDN, the user connects to the nearest CDN node. This is only a short distance. The network delay of the TLS handshake is also very short. The existing long-distance connection can be directly reused between the CDN and the server. This means that the user and server have established a valid connection with the CDN Fast Initial TLS handshake.

2. TLS protocol optimization 
After connection management, we can focus on the performance characteristics of TLS and have the knowledge of security and speed tuning of the TLS protocol.

2.1 Key Exchange The 
maximum cost of using TLS is the CPU-intensive cryptographic operations used for security parameter negotiation except for delays. This part of the communication is called key exchange. The CPU consumption of key exchange largely depends on the server’s chosen private key algorithm, private key length, and key exchange algorithm.

Key length 
The difficulty of cracking a key depends on the length of the key. The longer the key, the more secure it is. However, a longer key also means that it takes more time for encryption and decryption.

Key Algorithms 
There are currently two key algorithms available: RSA and ECDSA. The current RSA key algorithm recommends a minimum length of 2048 bits (112-bit encryption strength), and 3072 bits (128-bit encryption strength) will be deployed in the future. ECDSA is superior to RSA in terms of performance and security. 256-bit ECDSA (128-bit encryption strength) provides the same security as 3072-bit RSA, but with better performance.

Key Exchange 
There are currently two key exchange algorithms available: DHE and ECDHE. Which DHE is too slow is not recommended. The performance of the key exchange algorithm depends on the length of the configured negotiation parameters. For DHE, the commonly used 1024 and 2048 bits provide 80 and 112 bit security levels, respectively. For ECDHE, security and performance depend on something called a **curve**. Secp256r1 provides a 128-bit security level.

In practice, you cannot combine key and key exchange algorithms at will, but you can use combinations specified by the protocol.

2.2 Certificate During 
a complete TLS handshake, the server sends its certificate chain to the client for authentication. The length and correctness of the certificate chain have a great influence on the performance of the handshake.

Using as few certificates as possible 
for each certificate in the certificate chain increases the handshaking packet. Too many certificates in the certificate chain may cause the TCP initial congestion window to overflow.

Including Only 
Required Certificates It is a common mistake to include non-required certificates in the certificate chain. Each such certificate will add an additional 1-2 KB to the handshake protocol.

Providing a complete certificate chain 
server must provide a complete certificate chain that is trusted by the root certificate.

Using elliptic curve certificate chains 
Because ECDSA private key length uses fewer bits, ECDSA certificates can be smaller.

Avoiding the binding of too many domain names with the same certificate 
Each additional domain name increases the size of the certificate, which has a significant impact on a large number of domain names.

2.3 Revocation Checks 
Although the status of certificate revocation is constantly changing and the behavior of user agents in revocation of certificates is very different, as a server, the only thing to do is to deliver the revocation information as quickly as possible.

Certificate OCSP using OCSP information is designed to provide real-time queries, allowing the user agent to request only access to the website’s revocation information, and the query is brief and fast (an HTTP request). In contrast, the CRL is a list containing a large number of revoked certificates.

Using OCSP Responders with Fast and Reliable OCSP Responders The performance of OCSP Responders 
differs between different CAs and you check their historical OCSP Responders before submitting them to the CA. Another criterion for choosing a CA is how quickly it updates OCSP responders.

Deploying OCSP stapling 
OCSP stapling is a protocol feature that allows revocation information (entire OCSP response) to be included in the TLS handshake. After it is enabled, by giving the user agent all the information to revoke the check for better performance, the user agent can be omitted to obtain the CA’s OCSP response program through a separate connection to query the revocation information.

2.4 Protocol Compatibility 
If your server is incompatible with the features of some new version protocols (eg TLS 1.2), the browser may need to make multiple attempts with the server to negotiate an encrypted connection. The best way to ensure good TLS performance is to upgrade the latest TLS protocol stack to support newer protocol versions and extensions.

2.5 Hardware Acceleration 
As the CPU speed continues to increase, software-based TLS implementations have run fast enough on normal CPUs to process large numbers of HTTPS requests without specialized encryption hardware. However, installing an accelerator card may increase speed.

oracle xe backup

ORACLE_BASE=/u01/app/oracle
export ORACLE_BASE
ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
export ORACLE_HOME
ORACLE_SID=XE
export ORACLE_SID
PATH=$ORACLE_HOME/bin:$PATH
export PATH

BKUP_DEST=/home/mohan/backups
find $BKUP_DEST -name 'backup*.dmp' -mtime +10 -exec rm {} \;



cd /home/mohan/backups && /u01/app/oracle/product/11.2.0/xe/bin/exp schema/password FILE=backup_`date +'%Y%m%d-%H%M'`.dmp STATISTICS=NONE


startup nomount pfile=/u01/app/oracle/product/11.2.0/xe/dbs/initXE.ora
/

create database
        maxinstances 1
        maxloghistory 2
        maxlogfiles 16
        maxlogmembers 2
        maxdatafiles 30
      datafile '/u01/app/oracle/oradata/XE/system.dbf'
        size 200M reuse autoextend on next 10M maxsize 600M
        extent management local
      sysaux datafile '/u01/app/oracle/oradata/XE/sysaux.dbf'
        size 10M reuse autoextend on next  10M
      default temporary tablespace temp tempfile 
 '/u01/app/oracle/oradata/XE/temp.dbf'
        size 20M reuse autoextend on next  10M maxsize 500M
      undo tablespace undotbs1 datafile '/u01/app/oracle/oradata/XE/undotbs1.dbf'
        size 50M reuse autoextend on next  5M maxsize 500M
       character set cl8mswin1251
       national character set al16utf16
       set time_zone='00:00'
       controlfile reuse
       logfile '/u01/app/oracle/oradata/XE/log1.dbf' size 50m reuse
             , '/u01/app/oracle/oradata/XE/log2.dbf' size 50m reuse
             , '/u01/app/oracle/oradata/XE/log3.dbf' size 50m reuse
      user system identified by oracle
      user sys identified by oracle
/

create tablespace users
       datafile '/u01/app/oracle/oradata/XE/users.dbf'
       size 100M reuse autoextend on next 10M maxsize 11G
       extent management local
/

exit;

 Create additional database in Oracle Express edition 

 Create additional database in Oracle Express edition 

*In my windows i have installed oracle11g express edition i want to create new database for my testing purpose but the express edition doesnot support DBCA utiltiy let us we can discuss How to Create additional database in Oracle Express edition or How to create manual database in oracle11g windows enivornment.

S-1:

create directory

 

C:\Windows\system32>mkdir C:\oraclexe\app\oracle\admin\TEST

C:\Windows\system32>cd C:\oraclexe\app\oracle\admin\TEST



C:\oraclexe\app\oracle\admin\TEST>mkdir adump

C:\oraclexe\app\oracle\admin\TEST>mkdir bdump

C:\oraclexe\app\oracle\admin\TEST>mkdir dpdump

C:\oraclexe\app\oracle\admin\TEST>mkdir pfile

 

S-2:

Create new instance


  
C:\Windows\System32>oradim -new -sid test

Instance created.

 

S-3:

create pfile and Password file like below

 

C:\Windows\System32>orapwd file=C:\oraclexe\app\oracle\product\11.2.0\server\dat
abase\PWDTEST.ora password=oracle

 

Note: I just copied the pfile (InitXE.ora )from Xe database into new database pfile(my manual database) location then I changed the file name “initXE.ora” into “initTEST.ora” and opened that file

 

S-4:

Open the pfile “InitTEST.ora”



xe.__db_cache_size=411041792
xe.__java_pool_size=4194304
xe.__large_pool_size=4194304
xe.__oracle_base='C:\oraclexe\app\oracle'#ORACLE_BASE set from environment
xe.__pga_aggregate_target=432013312
xe.__sga_target=641728512
xe.__shared_io_pool_size=0
xe.__shared_pool_size=205520896
xe.__streams_pool_size=8388608
*.audit_file_dest='C:\oraclexe\app\oracle\admin\XE\adump'
*.compatible='11.2.0.0.0'
*.control_files='C:\oraclexe\app\oracle\oradata\XE\control.dbf'
*.db_name='XE'
*.DB_RECOVERY_FILE_DEST_SIZE=10G
*.DB_RECOVERY_FILE_DEST='C:\oraclexe\app\oracle\fast_recovery_area'
*.diagnostic_dest='C:\oraclexe\app\oracle\.'
*.dispatchers='(PROTOCOL=TCP) (SERVICE=XEXDB)'
*.job_queue_processes=4
*.memory_target=1024M
*.open_cursors=300
*.remote_login_passwordfile='EXCLUSIVE'
*.sessions=20
*.shared_servers=4
*.undo_management='AUTO'
*.undo_tablespace='UNDOTBS1'

 

S-5:

Change The parameter like below



*.audit_file_dest='C:\oraclexe\app\oracle\admin\TEST\adump'
*.compatible='11.2.0.0.0'
*.control_files='C:\oraclexe\app\oracle\oradata\TEST\control.dbf'
*.db_name='TEST'
*.DB_RECOVERY_FILE_DEST_SIZE=10G
*.DB_RECOVERY_FILE_DEST='C:\oraclexe\app\oracle\fast_recovery_area'
*.diagnostic_dest='C:\oraclexe\app\oracle\.'
*.dispatchers='(PROTOCOL=TCP) (SERVICE=TESTXDB)'
*.job_queue_processes=4
*.memory_target=1024M
*.open_cursors=300
*.remote_login_passwordfile='EXCLUSIVE'
*.sessions=20
*.shared_servers=4
*.undo_management='AUTO'
*.undo_tablespace='UNDOTBS1'

 

S-6:

After modifying the pfile and i started the new instance like below



  C:\Windows\System32>set ORACLE_SID=TEST

C:\Windows\System32>sqlplus

SQL*Plus: Release 11.2.0.2.0 Production on Wed Sep 20 12:41:38 2017

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Enter user-name: / as sysdba
Connected to an idle instance.

 

S-7:

Start the database in nomount stage using pfile



SQL> startup nomount pfile='C:\oraclexe\app\oracle\admin\TEST\pfile\initTEST.ora
'
ORACLE instance started.

Total System Global Area  644468736 bytes
Fixed Size                  1385488 bytes
Variable Size             192941040 bytes
Database Buffers          444596224 bytes
Redo Buffers                5545984 bytes

 

S-8:

Create the database script


create database TEST
MAXLOGFILES 16
MAXLOGMEMBERS 3
MAXDATAFILES 100
MAXINSTANCES 8
MAXLOGHISTORY 292
LOGFILE
  GROUP 1 'C:\oraclexe\app\oracle\oradata\TEST\REDO01.LOG'  SIZE 50M BLOCKSIZE 512,
  GROUP 2 'C:\oraclexe\app\oracle\oradata\TEST\REDO02.LOG'  SIZE 50M BLOCKSIZE 512
DATAFILE'C:\oraclexe\app\oracle\oradata\TEST\SYSTEM.DBF' size 100m autoextend on
sysaux datafile 'C:\oraclexe\app\oracle\oradata\TEST\SYSAUX.DBF' size 100m autoextend on
undo tablespace undotbs1 datafile  'C:\oraclexe\app\oracle\oradata\TEST\UNDOTBS1.DBF' size 100m autoextend on
CHARACTER SET AL32UTF8
;

 

S-9:

Execute the @createdatabase.sql file


SQL> @C:\oraclexe\app\oracle\CREATEDATABASE.SQL

Database created.

 

S-10:

Test our database name and instance status



SQL> select status from v$instance;

STATUS
------------
OPEN

SQL> select * from V$version;

BANNER
--------------------------------------------------------------------------------

Oracle Database 11g Express Edition Release 11.2.0.2.0 - Production
PL/SQL Release 11.2.0.2.0 - Production
CORE    11.2.0.2.0      Production
TNS for 32-bit Windows: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

SQL> select name from V$database;

NAME
---------
TEST

 

S-11:

Execute this below two scripts


  SQL> @C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin\catalog.sql

  SQL> @C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin\catproc.sql

How to list all database names in Oracle

1) To view database

select * from v$database;

2) To view instance

select * from v$instance;

3) To view all users

select * from all_users;


4) To view table and columns for a particular user

select tc.table_name Table_name
,tc.column_id Column_id
,lower(tc.column_name) Column_name
,lower(tc.data_type) Data_type
,nvl(tc.data_precision,tc.data_length) Length
,lower(tc.data_scale) Data_scale
,tc.nullable nullable
FROM all_tab_columns tc
,all_tables t
WHERE tc.table_name = t.table_name;



select owner from dba_tables
union
select owner from dba_views;


select username from dba_users;


QL> SELECT TABLESPACE_NAME FROM USER_TABLESPACES;

Resulting in:

SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
EXAMPLE
DEV_DB

It is also possible to query the users in all tablespaces:

SQL> select USERNAME, DEFAULT_TABLESPACE from DBA_USERS;

Or within a specific tablespace (using my DEV_DB tablespace as an example):

SQL> select USERNAME, DEFAULT_TABLESPACE from DBA_USERS where DEFAULT_TABLESPACE = 'DEV_DB';

ROLES DEV_DB
DATAWARE DEV_DB
DATAMART DEV_DB
STAGING DEV_DB

EXP-00002: error in writing to export file

EXP-00002: error in writing to export file

While exporting table or schema using exp/imp utility you may come across below error.
Most of the time this error occurs due to insufficient space available on disk.so confirm space is available where you are taking taking export dump and re-run export.
[oracle@DEV admin]$ exp test/test@DEV tables=t1,t2,t3,t4 file=exp_tables.dmp log=exp_tables.log
Export: Release 9.2.0.8.0 – Production on Thu Sep 10 12:25:52 2015
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to: Oracle9i Enterprise Edition Release 9.2.0.8.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.8.0 – Production
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
About to export specified tables via Conventional Path …
. . exporting table t1 1270880 rows exported
. . exporting table t2 2248883 rows exported
. . exporting table t3 2864492 rows exported
. . exporting table t4
EXP-00002: error in writing to export file
EXP-00002: error in writing to export file
EXP-00000: Export terminated unsuccessfully

CentOS 7 Installs Docker Application Container Engine

Docker is an open source application container engine based on the  Go language  and open sourced under the Apache 2.0 protocol.

Docker allows developers to package their applications and dependencies into a lightweight, portable container that can then be published to any popular Linux machine or virtualized.

Containers are completely sandboxed and do not have any interfaces with each other (similar to the iPhone’s app). More importantly, the container’s performance overhead is extremely low.

Docker application scenarios

  • Web application automation packaged and released.
  • Automated testing and continuous integration, release.
  • Deploy and tune databases or other back-end applications in a service-oriented environment.
  • Build or extend your existing OpenShift or Cloud Foundry platform from scratch to build your own PaaS environment.

Docker advantages

  • 1, simplify the program:

Docker allows developers to package their applications and dependencies into a portable container and then publish it to any popular Linux machine for virtualization. Docker has changed the way of virtualization so that developers can directly put their own results into Docker for management. Convenience is already Docker’s biggest advantage. In the past, it took days or even weeks to complete the task, and it took only a few seconds to finish in the Docker container.

  • 2. Avoid phobias:

If you have phobia, you are still a senior patient. Docker helps you pack your tangle! Such as the Docker image; Docker image contains the operating environment and configuration, so Docker can simplify the deployment of a variety of application examples work. For example, Web applications, background applications, database applications, big data applications such as Hadoop clusters, message queues, and so on can all be packaged into a single mirrored deployment.

  • 3, save expenses:

On the one hand, the arrival of cloud computing era, so that developers do not have to configure high hardware for the pursuit of effect, Docker changed the mindset of high performance inevitable high prices. The combination of Docker and cloud makes the cloud space more fully utilized. Not only solved the problem of hardware management, but also changed the way of virtualization.

1.Docker’s installation:

Docker supports the following CentOS versions:

  • CentOS 7 (64-bit)
  • CentOS 6.5 (64-bit) or later

1.2 Prerequisites

Currently, Docker is supported by kernels in the CentOS distribution only.

Docker runs on CentOS 7 and requires a 64-bit system with a 3.10 or higher kernel version.

Docker runs on CentOS-6.5 or higher versions of CentOS. It requires a 64-bit system with a kernel version of 2.6.32-431 or higher.

 

My operating system version:

Centos7 officially installs docker CE instructions: https://docs.docker.com/install/linux/docker-ce/centos/

Docker packages and dependencies are included in the default CentOS-Extras source. You can update the yum source to install yum install, or you can choose to download the rpm package.

The official download address: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/

 

1.3 Use wget command to download rpm package

Create a downloads folder and use the wget command to download

[root@sungeek downloads]# wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-18.03.1.ce-1.el7.centos.x86_64.rpm 
[ Root@sungeek downloads]# yum install docker-ce-18.03.0.ce-1.el7.centos.x86_64.rpm

 

 

1.4 Use yun install to install directly

I use yum update to update the yum source and install yum install

 

[root@rmohan downloads]# yum update
[root@rmohan downloads]# yum -y install docker-io
[root@localhost downloads]# docker –version –View the version, preferably using wget, so you can find the corresponding The latest installation package
Docker version 1.13.1, build 94f4240/1.13.1

1.5 Start the Docker Process
[root@localhost downloads]# systemctl start docker
[root@localhost downloads]# systemctl status docker
[root@localhost downloads]# systemctl enable docker –Set boot self-booting docker service

1.6 Verifying Successful Installation

Enter docker directly to list the usage of this command

 

Test Run First Container: hello-world

Since there is no hello-world image locally, a hello-world image will be downloaded and run inside the container.

 

 

2. The most commonly used commands

2.1 Use docker images to view images

[root@localhost downloads]# docker images 
REPOSITORY TAG IMAGE ID CREATED SIZE 
docker.io/hello-world latest e38bc07ac18e 2 months ago 1.85 kB

Docker ps is also the most commonly used command, -a : displays all containers, including those that are not running.

2.3 Use docker logs to view the container console output

Get the container’s log

Docker logs [container]

 

 

 

 

Bond Technology Load Balancing in Linux

Problem introduction

When the general enterprise is used to provide NFS service, samba service or vsftpd service, the system must provide 7*24 hours of network transmission service. The maximum network transmission speed it can provide is 100MB/s, but when there are a large number of users accessing, the server’s access pressure is very high, and the network transmission rate is particularly slow.

Solution

Therefore, we can use bond technology to achieve load balancing of multiple network cards to ensure automatic backup and load balancing of the network. In this way, the reliability of the network and the high-speed transmission of files in the actual operation and maintenance work are guaranteed.

There are seven (0~6) network card binding modes: bond0, bond1, bond2, bond3, bond4, bond5, bond6. 
The common network card binding driver has the following three modes:

  • Mode0 Balanced load mode: Usually two network cards work and are automatically backed up, but port aggregation is required on the switch devices connected to the server’s local network card to support bonding technology.
  • Mode1 automatic backup technology: usually only one network card works, after it fails, it is automatically replaced with another network card;
  • Mode6 Balanced load mode: Normally, both network cards work, and they are automatically backed up. There is no need for the switch device to provide auxiliary support.

Here mainly describes the mode6 network card binding drive mode, because this mode allows two network cards to work together at the same time, when one of the network card failure can automatically backup, and without the need for switch device support, thus ensuring reliable network transmission protection .

The following is the bond binding operation of the network card in RHEL 7 in the VMware virtual machine

  1. Add another network card device to the virtual machine system and set two network cards in the same network connection mode. As shown in the following figure, the network card device in this mode can bind the network card. Otherwise, the two network cards cannot be added. Send data to each other.
  2. Configure the binding parameters of the network card device. It should be noted here that the independent network card needs to be configured as a “slave” network card. Serving the “main” network card, it should not have its own IP address. After the following initialization of the device, they can support network card binding.
    cd /etc/sysconfig/network-scripts/

    Vim ifcfg-eno16777728 # Edit NIC 1 configuration file

    TYPE=Ethernet
    BOOTPROTO=none
    DEVICE=eno16777728
    ONBOOT=yes
    HWADDR=00:0C:29:E2:25:2D
    USERCTL=no
    MASTER=bond0
    SLAVE=yes

    Vim ifcfg-eno33554968 # Edit NIC 2 configuration file

    TYPE=Ethernet
    BOOTPROTO=none
    DEVICE=eno33554968
    ONBOOT=yes
    HWADDR=00:0C:29:E2:25:2D
    MASTER=bond0
    SLAVE=yes

    1. Create a new network card device file ifcfg-bond0, and configure the IP address and other information. In this way, when the user accesses the corresponding service, the two network card devices provide services together.

    Vim ifcfg-bond0 # Create a new ifcfg-bond0 configuration file in the current directory.

    TYPE=Ethernet
    BOOTPROTO=none
    ONBOOT=yes
    USERCTL=no
    DEVICE=bond0
    IPADDR=192.168.100.5
    PREFIX=24
    DNS=192.168.100.1
    NM_CONTROLLED=no

    1. Modify the network card binding drive mode, here we use mode6 (balanced load mode)

    Vim /etc/modprobe.d/bond.conf # Configure the mode of the NIC driver

    Alias ??bond0 bonding
    options bond0 miimon=100 mode=6

    1. Restart the network service so that the configuration takes effect

    Systemctl restart network

    1. test

First, bonding technology

Bonding is a network card binding technology in a Linux system. It can abstract (bind) n physical NICs on the server into a logical network card, which can improve network throughput and achieve network redundancy. , load and other functions have many advantages.

Bonding technology is implemented at the kernel level of the Linux system. It is a kernel module (driver). To use it, the system needs to have this module. We can use modinfo command to view the information of this module. Generally, it is supported.

# modinfo bonding
filename:       /lib/modules/2.6.32-642.1.1.el6.x86_64/kernel/drivers/net/bonding/bonding.ko
author:         Thomas Davis, tadavis@lbl.gov and many others
description:    Ethernet Channel Bonding Driver, v3.7.1
version:        3.7.1
license:        GPL
alias:          rtnl-link-bond
srcversion:     F6C1815876DCB3094C27C71
depends:        
vermagic:       2.6.32-642.1.1.el6.x86_64 SMP mod_unload modversions 
parm:           max_bonds:Max number of bonded devices (int)
parm:           tx_queues:Max number of transmit queues (default = 16) (int)
parm:           num_grat_arp:Number of peer notifications to send on failover event (alias of num_unsol_na) (int)
parm:           num_unsol_na:Number of peer notifications to send on failover event (alias of num_grat_arp) (int)
parm:           miimon:Link check interval in milliseconds (int)
parm:           updelay:Delay before considering link up, in milliseconds (int)
parm:           downdelay:Delay before considering link down, in milliseconds (int)
parm:           use_carrier:Use netif_carrier_ok (vs MII ioctls) in miimon; 0 for off, 1 for on (default) (int)
parm:           mode:Mode of operation; 0 for balance-rr, 1 for active-backup, 2 for balance-xor, 3 for broadcast, 4 for 802.3ad, 5 for balance-tlb, 6 for balance-alb (charp)
parm:           primary:Primary network device to use (charp)
parm:           primary_reselect:Reselect primary slave once it comes up; 0 for always (default), 1 for only if speed of primary is better, 2 for only on active slave failure (charp)
parm:           lacp_rate:LACPDU tx rate to request from 802.3ad partner; 0 for slow, 1 for fast (charp)
parm:           ad_select:803.ad aggregation selection logic; 0 for stable (default), 1 for bandwidth, 2 for count (charp)
parm:           min_links:Minimum number of available links before turning on carrier (int)
parm:           xmit_hash_policy:balance-xor and 802.3ad hashing method; 0 for layer 2 (default), 1 for layer 3+4, 2 for layer 2+3 (charp)
parm:           arp_interval:arp interval in milliseconds (int)
parm:           arp_ip_target:arp targets in n.n.n.n form (array of charp)
parm:           arp_validate:validate src/dst of ARP probes; 0 for none (default), 1 for active, 2 for backup, 3 for all (charp)
parm:           arp_all_targets:fail on any/all arp targets timeout; 0 for any (default), 1 for all (charp)
parm:           fail_over_mac:For active-backup, do not set all slaves to the same MAC; 0 for none (default), 1 for active, 2 for follow (charp)
parm:           all_slaves_active:Keep all frames received on an interface by setting active flag for all slaves; 0 for never (default), 1 for always. (int)
parm:           resend_igmp:Number of IGMP membership reports to send on link failure (int)
parm:           packets_per_slave:Packets to send per slave in balance-rr mode; 0 for a random slave, 1 packet per slave (default), >1 packets per slave. (int)
parm:           lp_interval:The number of seconds between instances where the bonding driver sends learning packets to each slaves peer switch. The default is 1. (uint)

The seven working modes of bonding: 

Bonding technology provides seven operating modes that need to be specified when used. Each has its own advantages and disadvantages.

  1. Balance-rr (mode=0) By default, there is a high availability (fault tolerance) and load balancing feature that requires configuration of the switch, each packet is polled for packet delivery (balanced traffic distribution).
  2. Active-backup (mode=1) Only the high availability (fault-tolerance) function does not require switch configuration. In this mode, only one network card is working and only one mac address is available to the outside world. The disadvantage is that the port utilization rate is relatively low.
  3. Balance-xor (mode=2) is not commonly used
  4. Broadcast (mode=3) is not commonly used
  5. 802.3ad (mode=4) IEEE 802.3ad dynamic link aggregation, requires switch configuration, never used
  6. Balance-tlb (mode=5) is not commonly used
  7. Balance-alb (mode=6) has high availability (fault tolerance) and load balancing features and does not require switch configuration (traffic distribution to each interface is not particularly balanced)

There is a lot of information on the specific Internet, understand the characteristics of each mode according to their own choices on the line, generally used 0,1,4,6 these several modes.

Second, CentOS 7 configuration bonding

surroundings:

System: Centos7
Network card: em1, em2
Bond0: 172.16.0.183 
Load Mode: mode6( adaptive load balancing )

The two physical network cards em1 and em2 on the server are bound to a logical network card bond0, and the bonding mode selects mode6.

Note: The ip address is configured on bond0. The physical network card does not need to configure an ip address.

1, close and stop the NetworkManager service

STOP NetworkManager.service systemctl      # Stop NetworkManager service 
systemctl disable NetworkManager.service   # prohibit start-up service NetworkManager

Ps: Must be closed, will not interfere with doing the bonding

2, loading the bonding module

modprobe --first-time bonding

There is no prompt to indicate successful loading. If modprobe: ERROR: could not insert ‘bonding’: Module already in kernel indicates that you have already loaded this module.

You can also use lsmod | grep bonding to see if the module is loaded

lsmod | grep bonding
bonding               136705  0

3, create a configuration file based on the bond0 interface

1
vim /etc/sysconfig/network-scripts/ifcfg-bond0

Modify it as follows, depending on your situation:

DEVICE=bond0
TYPE=Bond
IPADDR=172.16.0.183
NETMASK=255.255.255.0
GATEWAY=172.16.0.1
DNS1=114.114.114.114
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
BONDING_MASTER=yes
BONDING_OPTS="mode=6 miimon=100"

The above BONDING_OPTS=” mode=6 miimon=100 ” indicates that the configured working mode is mode6 (adaptive load balancing), and miimon indicates the frequency of monitoring network links (milliseconds). We set the frequency to 100 milliseconds, depending on your needs. Mode can be specified for other load modes.

4, modify the em1 interface configuration file

vim /etc/sysconfig/network-scripts/ifcfg-em1

Modify it as follows:

DEVICE=em1
USERCTL=no
ONBOOT = yes
 MASTER =bond0                   # needs to correspond to the value of DEVICE in the ifcfg-bond0 configuration file above 
SLAVE= yes
BOOTPROTO=none

5, modify the em2 interface configuration file

vim /etc/sysconfig/network-scripts/ifcfg-em2

Modify it as follows:

DEVICE=em2
USERCTL=no
ONBOOT = yes
 MASTER =bond0                  # Needs and corresponds to the value of DEVICE in the ifcfg-bond0 configuration file 
SLAVE= yes
BOOTPROTO=none

6, test

Restart network service

systemctl restart network

View the interface status information of bond0 (If the error message shows that it is not successful, it is most likely that the bond0 interface is not up)

# cat /proc/net/bonding/bond0 

Bonding Mode: adaptive load balancing    // Binding mode: Currently it is ald mode (mode 6), ie high availability and load balancing mode
Primary Slave: None
Currently Active Slave: em1 
MII Status: up                            // Interface status: up (MII is the Media Independent Interface abbreviation, interface meaning)
MII Polling Interval (ms): 100 // Time interval for interface polling (here 100 ms)
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: em1                      / / prepared interface: em0
 MII Status: up                            / / interface status: up (MII is the Media Independent Interface referred to, the interface means)
Speed: 1000 Mbps // The speed of the port is 1000 Mpbs
Duplex: full                              // full duplex
Link Failure Count: 0                     // Number of link failures: 0
Permanent HW addr: 84:2b:2b:6a:76:d4 // Permanent MAC address
Slave queue ID: 0

Slave Interface: em1                      / / prepared interface: em1
 MII Status: up                            / / interface status: up (MII is the Media Independent Interface referred to, the interface means)
Speed: 1000 Mbps
Duplex: full                              // full duplex
Link Failure Count: 0                     // Number of link failures: 0
Permanent HW addr: 84:2b:2b:6a:76:d5 // Permanent MAC address
Slave queue ID: 0

Check the interface information of the network through the ifconfig command

# ifconfig

bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
        inet 172.16.0.183  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::862b:2bff:fe6a:76d4  prefixlen 64  scopeid 0x20<link>
        ether 84:2b:2b:6a:76:d4  txqueuelen 0  (Ethernet)
        RX packets 11183  bytes 1050708 (1.0 MiB)
        RX errors 0  dropped 5152  overruns 0  frame 0
        TX packets 5329  bytes 452979 (442.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em1: flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST>  mtu 1500
        ether 84:2b:2b:6a:76:d4  txqueuelen 1000  (Ethernet)
        RX packets 3505  bytes 335210 (327.3 KiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 2852  bytes 259910 (253.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em2: flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST>  mtu 1500
        ether 84:2b:2b:6a:76:d5  txqueuelen 1000  (Ethernet)
        RX packets 5356  bytes 495583 (483.9 KiB)
        RX errors 0  dropped 4390  overruns 0  frame 0
        TX packets 1546  bytes 110385 (107.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 17  bytes 2196 (2.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 2196 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The test network is highly available. We unplugged one of the network cables for testing. The conclusions are:
  • In the current mode=6 mode, one packet is lost. When the network is restored (the network is inserted back), the packet loss is about 5-6. This indicates that the high-availability function is normal but the packet loss will be more when the network recovers.
  • One packet was lost in the test mode=1 mode. When the network was restored (the cable was plugged back in), there was basically no packet loss, indicating that the high-availability function and recovery were normal.
  • Mode6 This kind of load mode is very good except that there is packet loss when the fault is recovered. If this can be ignored, this mode can be used; mode1 fault switching and recovery are fast, and there is basically no packet loss and delay. . But the port utilization is relatively low, because this kind of master-backup mode only has one network card at work.

Third, CentOS 6 configuration bonding

Centos6 configuration bonding is basically the same as the above Cetons7, but the configuration is somewhat different. 

System: Centos6
Network card: em1, em2
Bond0: 172.16.0.183 
Load Mode: mode1(adaptive load balancing) # Here, the load mode is 1, that is, active/standby mode.

1, close and stop the NetworkManager service

service  NetworkManager stop
chkconfig NetworkManager off

Ps: If it is installed, close it. If the error message indicates that this is not installed, then do not use it.

2, loading the bonding module

modprobe --first-time bonding

, a record built on bond0 interface configuration files

vim /etc/sysconfig/network-scripts/ifcfg-bond0

Modify the following (according to your needs):

DEVICE=bond0
TYPE=Bond
BOOTPROTO=none
ONBOOT=yes
IPADDR=172.16.0.183
NETMASK=255.255.255.0
GATEWAY=172.16.0.1
DNS1=114.114.114.114
USERCTL=no
BONDING_OPTS="mode=6 miimon=100"

4, load the bond0 interface to the kernel

vi /etc/modprobe.d/bonding.conf

Modify it as follows:

alias bond0 bonding

5, edit the em1, em2 interface file

vim /etc/sysconfig/network-scripts/ifcfg-em1

Modify it as follows:

DEVICE=em1
MASTER=bond0
SLAVE=yes
USERCTL = no
ONBOOT=yes
BOOTPROTO=none
vim /etc/sysconfig/network-scripts/ifcfg-em2

Modify it as follows:

DEVICE=em2
MASTER=bond0
SLAVE=yes
USERCTL = no
ONBOOT=yes
BOOTPROTO=none

6, load the module, restart the network and test

modprobe bonding
service network restart

Check the status of the bondo interface

cat /proc/net/bonding/bond0
Bonding Mode: fault-tolerance ( active- backup ) # The current load mode of bond0 interface is 
active/ backup mode
 Primary Slave: None Currently Active Slave: em2 
MII Status: up 
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: em1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 2
Permanent HW addr: 84:2b:2b:6a:76:d4
Slave queue ID: 0

Slave Interface: em2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 84: 2b: 2b: 6a: 76 : d5
Slave queue ID: 0

Use the ifconfig command to view the status of the next interface. You will find that all MAC addresses in the mode=1 mode are consistent, indicating that the external logic is a mac address.

ifconfig 
bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
        inet6 fe80::862b:2bff:fe6a:76d4  prefixlen 64  scopeid 0x20<link>
        ether 84:2b:2b:6a:76:d4  txqueuelen 0  (Ethernet)
        RX packets 147436  bytes 14519215 (13.8 MiB)
        RX errors 0  dropped 70285  overruns 0  frame 0
        TX packets 10344  bytes 970333 (947.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em1: flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST>  mtu 1500
        ether 84:2b:2b:6a:76:d4  txqueuelen 1000  (Ethernet)
        RX packets 63702  bytes 6302768 (6.0 MiB)
        RX errors 0  dropped 64285  overruns 0  frame 0
        TX packets 344  bytes 35116 (34.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em2: flags=6211<UP,BROADCAST,RUNNING,SLAVE,MULTICAST>  mtu 1500
        ether 84:2b:2b:6a:76:d4  txqueuelen 1000  (Ethernet)
        RX packets 65658  bytes 6508173 (6.2 MiB)
        RX errors 0  dropped 6001  overruns 0  frame 0
        TX packets 1708  bytes 187627 (183.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 31  bytes 3126 (3.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31  bytes 3126 (3.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Perform a high availability test, unplug one of the cables to see the packet loss and delay, and then plug in the network cable (analog recovery), and then watch the packet loss and delay.

centos7 openldap

systemctl stop firewalld.service
setenforce 0

sed -i s/^SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.70 master.apple.com master
192.168.1.71 slave.apple.com slave
192.168.1.73 client1.apple.com client1
192.168.1.74 client2.apple.com client2

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools vim

cd /etc/openldap/slapd.d

rm -rf

cp /usr/share/openldap-servers/slapd.ldif /root/ldap/

Set OpenLDAP admin password.
# generate encrypted password

slappasswd -s redhat -n > /etc/openldap/passwd

slappasswd -h {SSHA} -s ldppassword

[root@ldap ~]# slappasswd

New password:

Re-enter new password:

[root@master ldap]# cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be com readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: “OpenLDAP Server”
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
# – modulepath is architecture dependent value (32/64-bit system)
# – back_sql.la backend requires openldap-servers-sql package
# – dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnsapple.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base=”” by * read
#olcAccess: to dn.base=”cn=Subschema” by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., “access to * by * read”)
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth” manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth” read by dn.base=”cn=Manager,dc=apple,dc=com” read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=apple,dc=com
olcRootDN: cn=Manager,dc=apple,dc=com
olcRootPW: {SSHA}cc+n64r5WNtLivZppJmYvWWMo3DIhcAy
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

rm -rf /etc/openldap/slapd.d/*

[root@master ldap]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /root/ldap/slapd.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB…
[root@master ldap]#

[root@server home]# slaptest -u -F /etc/openldap/slapd.d/
config file testing succeeded

config file testing succeeded

chown -Rv ldap.ldap /etc/openldap/slapd.d

[root@server slapd.d]# chown -Rv ldap.ldap /etc/openldap/slapd.d/

[root@master ldap]# cd /etc/openldap/slapd.d/
[root@master slapd.d]# ls -la
total 4
drwxr-x— 3 ldap ldap 45 Jun 15 19:18 .
drwxr-xr-x. 5 root root 92 Jun 15 19:07 ..
drwxr-x— 3 ldap ldap 182 Jun 15 19:18 cn=config
-rw——- 1 ldap ldap 589 Jun 15 19:18 cn=config.ldif
[root@master slapd.d]#

[root@master ldap]# systemctl start slapd.service
[root@master ldap]# systemctl status slapd.service
[root@master ldap]# systemctl enable slapd.service

[root@master ldap]# cat create_user.sh
#!/bin/bash
USER_LIST=ldapuser.txt
HOME_ldap=/home/ldapuser
mkdir -pv $HOME_ldap
for USERID in `awk ‘{print $1}’ $USER_LIST`; do
USERNAME=”`grep “$USERID” $USER_LIST | awk ‘{print $2}’`”
HOMEDIR=${HOME_ldap}/${USERNAME}
useradd $USERNAME -u $USERID -d $HOMEDIR
grep “$USERID” $USER_LIST | awk ‘{print $3}’ | passwd –stdin $USERNAME
done

[root@master ldap]# cat ldapuser.txt
5000 lduser1 123456
5001 lduser2 123456
5002 lduser3 123456
5003 lduser4 123456
5004 lduser5 123456
5005 lduser6 123456
[root@master ldap]#

vim /usr/share/migrationtools/migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = “apple.com”;

# Default base
$DEFAULT_BASE = “dc=apple,dc=com”;

vim /usr/share/migrationtools/migrate_common.ph
/usr/share/migrationtools/migrate_base.pl > /root/ldap/base.ldif

/usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/ldap/user.ldif
cat /root/ldap/user.ldif
/usr/share/migrationtools/migrate_group.pl /etc/group /root/ldap/group.ldif

ldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f base.ldif
ldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f user.ldif
ldapadd -D “cn=Manager,dc=apple,dc=com” -W -x -f group.ldif

yum -y install nfs-utils

yum -y install nfs-utils

[root@server ~]# cat /etc/exports
/home/ldapuser 192.168.1.0/24(rw,sync)

[root@server ~]# systemctl start nfs-server.service

[root@client home]# exportfs -rv
exporting *:/home/ldapuser

systemctl enable nfs-server.service

vi /etc/rsyslog.conf

local4.* /var/log/ldap.log
touch /var/log/ldap.log

rsyslog?

systemctl restart rsyslog.service

slapd /var/log/messages

systemctl status slapd.service -l

tail -f /var/log/messages

SSL SETUP IN LDAP

openssl req -nodes -sha256 -newkey rsa:2048 -keyout PrivateKey.key -out CertificateRequest.csr

2. Optional: Check to see if the CSR really has 256bit signatures

openssl req -in CertificateRequest.csr -text -noout

You should see “Signature Algorithm: sha256WithRSAEncryption”

3. Create the certificate

We use the CSR and sign it with the private key and create a public certificate

openssl req -nodes -sha256 -newkey rsa:2048 -keyout PrivateKey.key -out CertificateRequest.csr
openssl req -in CertificateRequest.csr -text -noout
openssl x509 -req -days 365 -sha256 -in CertificateRequest.csr -signkey PrivateKey.key -out my256.crt

cp my256.crt /etc/openldap/certs/server.crt

cp PrivateKey.key /etc/openldap/certs/server.key

cp /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
cat my256.crt PrivateKey.key >> master.pem
cat my256.crt PrivateKey.key >> slave.pem

vi mod_ssl.ldif

# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt

replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt

replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

[root@master ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “cn=config”

[root@master ldap]# vi /etc/sysconfig/slapd
add
SLAPD_URLS=”ldapi:/// ldap:/// ldaps:///”

systemctl restart slapd

client end

[root@master ldap]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.70 master.apple.com master
192.168.1.71 slave.apple.com slave
192.168.1.73 client1.apple.com client1
192.168.1.74 client2.apple.com client2

yum -y install sssd-ldap nss-pam-ldapd nfs-utils

authconfig-tui

authconfig –enableldap –enableldapauth –ldapserver=ldaps://master.apple.com –ldapbasedn=”dc=apple,dc=com” –enablemkhomedir –disableldaptls –update
authconfig –enableldap –enableldapauth –ldapserver=ldaps://slave.apple.com –ldapbasedn=”dc=apple,dc=com” –enablemkhomedir –disableldaptls –update

reate the c hash of the CA certificate.

/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/server.pem

Output:

997ee4fb.0 => /etc/openldap/cacerts/server.pem

Now, symlink the rootCA.pem to the shown 8 digit hex number.

ln -s /etc/openldap/cacerts/server.pem 997ee4fb.0

[root@client1 ~]# echo “TLS_REQCERT allow” >> /etc/openldap/ldap.conf

[root@client1 ~]# echo “tls_reqcert allow” >> /etc/nslcd.conf

Restart the LDAP client service.

systemctl restart nslcd

[root@client1 ~]# getent passwd lduser1
lduser1:x:5000:5000:lduser1:/home/ldapuser/lduser1:/bin/bash

[root@client1 /]# mkdir -p /home/ldapuser
[root@client1 /]# mount -t nfs 192.168.1.70:/home/ldapuser/ /home/ldapuser/
[root@client1/]# cd /home/ldapuser/
[root@client ldapuser]# ls
lduser1 lduser2 lduser3 lduser4 lduser5 lduser6
[root@client ldapuser]# su – lduser1
Last login: Sat May 20 23:11:00 EDT 2017 on pts/0

Configure LDAP Client for TLS connection.
[root@client1 ~]# echo “TLS_REQCERT allow” >> /etc/openldap/ldap.conf

[root@client1 ~]# echo “tls_reqcert allow” >> /etc/nslcd.conf

[root@client1 ~]# authconfig –enableldaptls –update

getsebool: SELinux is disabled

scp server.pem root@client1:/tmp/

Enable debug logging on CentOS 7 LDAP Server

vi /root/ldap/logging.ldif
——
cat logging.ldif
dn: cn=config
replace: olcLogLevel
olcLogLevel: -1
——

# apply
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/logging.ldif

# verify
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base|grep -i LOG

systemctl restart slapd

vi /etc/rsyslog.conf
——
local4.* -/var/log/slapd.log
——

systemctl restart rsyslog

vi /etc/logrotate.d/syslog
—–
# add this line
/var/log/slapd.log

Master slave replication
root@master ldap]# cat rpuser.ldif
dn: uid=rpuser,dc=apple,dc=com
objectClass: simpleSecurityObject
objectclass: account
uid: rpuser
description: Replication User
userPassword: root1234

[root@master ldap]# ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f rpuser.ldif
Enter LDAP Password:
adding new entry “uid=rpuser,dc=apple,dc=com”

Configure LDAP Provider. Add syncprov module.
[root@master ~]# vi mod_syncprov.ldif
# create new

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “cn=module,cn=config”

[root@master ~]# vi syncprov.ldif
# create new

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry “olcOverlay=syncprov,olcDatabase={2}hdb,cn=config”

vi syncrepl.ldif

[root@slave ldap]# cat syncrepl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://192.168.1.70:389/
bindmethod=simple
binddn=”uid=rpuser,dc=apple,dc=com”
credentials=root1234
searchbase=”dc=apple,dc=com”
scope=sub
schemachecking=on
type=refreshAndPersist
retry=”30 5 300 3″
interval=00:00:05:00
[root@slave ldap]#

ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

Test the LDAP replication:

Let’s create a user in LDAP called “ldaprptest“, to do that, create a .ldif file on the master LDAP server.

[root@master ~]# vi ldaprptest.ldif

Update the above file with below content.

dn: uid=ldaprptest,ou=People,dc=apple,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaprptest
uid: ldaprptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaprptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword: redhat123
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

ldapsearch -x cn=ldaprptest -b dc=apple,dc=com

[root@master ldap]# slappasswd
New password:
Re-enter new password:
{SSHA}hbfwS2+203V3p+P6CB5n7nHVZpRB6ns+
[root@master ldap]# vi adduser.ldif
[root@master ldap]# cat adduser.ldif
dn: uid=mohan,ou=People,dc=apple,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: mohan
uid: mohan
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/mohan
loginShell: /bin/bash
gecos: Mohan [Admin (at) Apple]
userPassword: {SSHA}uWC6jFxw/4nY3GEQfwf4Eh/cq13lvyKy
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
[root@master ldap]# ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f adduser.ldif
Enter LDAP Password:
adding new entry “uid=mohan,ou=People,dc=apple,dc=com”

Backup LDAP with slapcat on CentOS 7

#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
set -e
KEEP=7
BASE_DN=’dc=apple,dc=com’
LDAPBK=”ldap-$( date +%y%m%d-%H%M ).ldif”
BACKUPDIR=’/root/ldap-backup’
test -d “$BACKUPDIR” || mkdir -p “$BACKUPDIR”
slapcat -b “$BASE_DN” -l “$BACKUPDIR/$LDAPBK”
gzip -9 “$BACKUPDIR/$LDAPBK”
ls -1tr $BACKUPDIR/*.ldif.gz | head -n-$KEEP | xargs rm –

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Add the cosine and nis LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Generate base.ldif file for your domain.

vi base.ldif

Use the below information. You can modify it according to your requirement.

dn: dc=apple,dc=com
dc: apple
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=apple,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: cn=Manager,dc=apple,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=apple,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=apple,dc=com
objectClass: organizationalUnit
ou: Group

Build the directory structure.

ldapadd -x -W -D cn=Manager,dc=apple,dc=com -W -f base.ldif

ldapsearch -x -W -D ‘cn=Manager,dc=apple,dc=com ‘ -b “” -s base

ldapsearch -x -b ” -s base ‘(objectclass=*)’ namingContexts

Backup and Restore Files in Red Hat / CentOS 7

This procedure is to backup XFS-based file systems in Red Hat Enterprise Linux 7.x
             

Backing up a file system (/etc)

1. To backup the /etc/ filessystem to a file called “/tmp/mybackup”, issue the following command:

# cd /tmp

# xfsdump -0f mybackup   /dev/mapper/rhel-root -s etc

where:

-f: do the dump to the file “mybackup”

-0: do full backup (1 means incremental)

-s: backup the etc subtree from the filesystem /dev/mapper/rhel-root

 

Restoring the file system (/etc/)

1. To list all the created dumps with detailed information:

# xfsrestore -I

2. To restore a particular dump:

# xfsrestore –f mybackup /tmp

where:

-f: restore from the file “mybackup”

 

Interactive Restore

1. This exercise enables you to navigate through the backup file “mybackup”, and allows you to restore selected files instead of perfuming a full restore:

# cd /tmp

# xfsrestore –if mybackup /tmp

2. Once you get the restore prompt, you may ls and cd commands to navigate and list the files inside the backup file.

3. Select the files you want to restore by using the add command:

# add yum.conf

4. Once the selection is complete, write extract to restore the selected files.

Page 1 of 17812345...102030...Last »