RHEL3 Upgrade to RHEL4 Breaks up2date

Last week I had to upgrade one of our old RHEL3 servers in order to get it to address disks larger than 2TB. I did the upgrade from CD, and it went fairly smoothly, except up2date would not run after the box came back up.

It gave me the following error:

[root@x up2date]# Traceback (most recent call last):
  File "/usr/sbin/up2date", line 27, in ?
    from up2date_client import repoDirector
  File "/usr/share/rhn/up2date_client/repoDirector.py", line 5, in ?
    import rhnChannel
  File "/usr/share/rhn/up2date_client/rhnChannel.py", line 10, in ?
    import up2dateAuth
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 5, in ?
    import rpcServer
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 23, in ?
    from rhn import rpclib
ImportError: No module named rhn

It turns out that there is no “really easy” way to fix it, but these directions on spaceblog do work. Basically it involves removing a lot of packages and re-adding them. The problem is related to python, so rather than remove the entire list of packages, I focused only on those relating to python and up2date:


libxml2-python
popt
pyOpenSSL
python
rhnlib
rhpl
up2date

Make sure not to remove these packages:


rpm
rpm-libs
rpm-python

Otherwise you will break rpm and not be able to add the packages back after you remove them. All told, this is a grisly process, and you will have to use rpm -e --nodeps in order to get it done. This sucks, but up2date will work everything out once you can get it running again.

How to Make Gnarly Big Linux Filesystems

At least in RHEL 4, the fdisk command does not support the creation of filesystems larger than 2TB. In order to get around it, you have to use the parted command. I found the basic info here, but this is the long and short of how to cut off a big ol’ slice of disk using parted:

Run parted on the disk you want to partition (/dev/sdb in this example)

# /sbin/parted /dev/sdb

It’s interactive, so the following commands are issued within the utility.

1) Make the disk label

(parted) mklabel gpt

2) Create the partition

(parted) mkpart primary 0 -1

3) Verify

(parted) print


Disk geometry for /dev/sda: 0.000-38146.972 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975  38146.530  primary               lvm

4) Exit the GNU Parted command shell

(parted) quit

5) Finally, make the filesystem:

# mkfs.ext3 -m0 -F /dev/sdb1

6) You don’t want to wait for that big filesystem to fsck from time to time, so make sure it does not get checked unless you run the command yourself:

# tune2fs -c0 -i0 /dev/sdb1

That should just about do it. Remember that only RHEL 4 and higher can support filesystems larger than 2TB. If I remember correctly RHEL 3 can go up to 2TB, RHEL4 can handle 8TB, and RHEL 5 can make a whopping 16TB chunk of disk. Have fun!

Disable SSH Root Logins on RHEL

For one reason or another RHEL does not disallow incoming ssh connections as root. This is, of course, a glaring security problem which should be addressed for all systems that allow ssh connections to be made from any but the most restricted networks.

The best practice, of course, would be to make the initial ssh connection as an unprivileged user and then use the “su” command to promote yourself to root. This way, even if an attacker managed to get into the system, it would be as an unprivileged user and they would not be able to do much harm. Allowing incoming ssh connections as root leaves you much more exposed to attack. Granted, your root password is still protecting you, but it becomes your only layer of defense.

Ok, so how do we disallow incoming ssh connections as root on our RHEL box?

First, edit “/etc/ssh/sshd_config”

Find the section of the file that looks like this:

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

Change this line:
#PermitRootLogin yes

To this:
PermitRootLogin no

Restart sshd:
/sbin/service sshd restart
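
A quick way to confirm the edit took effect, added here as an example and not part of the original post: sshd uses the first uncommented occurrence of a keyword, so a line left as “#PermitRootLogin no” changes nothing. The function names and the sample files below are made up for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually use.
# sshd takes the first uncommented occurrence of a keyword, so a line that
# is still commented out ("#PermitRootLogin no") has no effect.

effective_root_login() {
    # $1 = path to an sshd_config file; prints the value or "unset"
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }    # global section ends at the first Match
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_disabled() {
    # Succeeds only when the effective setting is an explicit "no"
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# Authentication:' '#PermitRootLogin yes' > "$demo_dir/stock"
printf '%s\n' '# Authentication:' '#PermitRootLogin no' > "$demo_dir/still_commented"
printf '%s\n' '# Authentication:' 'PermitRootLogin no' 'PermitRootLogin yes' > "$demo_dir/fixed"

for f in stock still_commented fixed; do
    if root_login_disabled "$demo_dir/$f"; then
        echo "$f: root login disabled"
    else
        echo "$f: root login NOT disabled ($(effective_root_login "$demo_dir/$f"))"
    fi
done
rm -rf "$demo_dir"
```

On a real system, point the function at /etc/ssh/sshd_config after editing and before restarting sshd.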

Getting ntpd to work correctly on RHEL

When many new servers are delivered from the factory, the system clock is way off. Most UNIX systems run “ntpd” to keep the time in sync with internet time servers, which are, in turn, synchronized against an atomic clock. This results in a system time that is very, very close to the “actual” time of day. The downside, however, is that even a properly configured “ntpd” will not synchronize the system clock if it is too far out of sync with the time server. To remedy this, we first have to run “ntpdate” to get the system clock close to the correct time, and then enable “ntpd” to keep it there.

The first thing we have to do is stop “ntpd” to free up the port for “ntpdate”:

[root@server /]# /sbin/service ntpd stop
Shutting down ntpd:                                        [  OK  ]

This frees up the port for ntpdate. Next we run:

[root@server /]# /usr/sbin/ntpdate time.apple.com

Now the time should be set correctly. We then change the default time servers to something like the following in /etc/ntp.conf:

# --- OUR TIMESERVERS -----
server time-a.timefreq.bldrdoc.gov
server time-b.timefreq.bldrdoc.gov
server time-c.timefreq.bldrdoc.gov

We can use any time server we want, but I like these and find them to be reliable.

Finally, start your “ntpd” service back up, and you’re all set to go.

[root@server /]# /sbin/service ntpd start
Starting ntpd:                                        [  OK  ]

Remember to use “chkconfig” to make sure “ntpd” is enabled to come up when the system starts.

How To Install Oracle 10g on RedHat Enterprise 3

So you’ve got Oracle 10G and you want to install it on your RedHat Enterprise 3 server. Well, since Oracle can’t manage to create tar files like everyone else in the world, you have to find a way of dealing with the .cpio they send you. Here’s how to get it extracted:

cpio -idmv < /path/to/ship-version.cpio

This extracts everything nicely into a Disk1 directory.

Now, before flying off and running the installer, you have a couple of things to do first. To start, you have to tweak your kernel a bit. There are a number of ways to do this, but I like to use the /etc/sysctl.conf file.

Edit /etc/sysctl.conf and add the following lines:

kernel.shmall = 134217728
kernel.shmmax = 2147483648
# semaphores: semmsl, semmns, semopm, semmni (semopm is the third value, 100)
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000

Next you have to add an oracle user and a dba group. Run the following commands as root:

groupadd dba
useradd -d /path/to/oracle/user/directory -g dba -c 'Oracle User' -s /path/to/favorite/shell oracle
chown oracle:dba /path/to/oracle/user/directory
passwd oracle   # set new password

Add the following environmental settings to your oracle user’s .bashrc file. Feel free to change them if you are using a C-Type shell.

# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/Db_1; export ORACLE_HOME
ORACLE_SID=YOUR_SID; export ORACLE_SID
ORACLE_TERM=xterm; export ORACLE_TERM
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

That should just about do it. Restart the system, log in as the oracle user and run the oracle installer (/path/to/Disk1/runInstaller). Check to make sure that all the settings from your .bashrc file are picked up by the oracle installer and have fun.

In some cases, the installer may complain about not having the required packages. If it does this, make sure that the following packages are installed:

setarch-1.3-1.i386.rpm
openmotif-2.2.2-16.i386.rpm
compat-libstdc++-7.3-2.96.122.i386.rpm
compat-libstdc++-devel-7.3-2.96.122.i386.rpm
compat-db-4.0.14-5.i386.rpm
compat-gcc-7.3-2.96.122.i386.rpm
compat-gcc-c++-7.3-2.96.122.i386.rpm