Best of the Santa Cruz City Council

She may not be the world’s angriest woman, but the lady in this video may very well be the biggest airhead! The rest of the characters in the last one are pretty good too. It turns out that you don’t have to live in Santa Cruz very long before you start running into these folks. What can I say… It’s a crazy place.

Santa Cruz lady at city council meeting:

Santa Cruz Lady Vs. Sarah Palin:

The whole Santa Cruz City Council Mashup:

Script to Determine Solaris 10 Zone Type

We use a lot of local zones in our Solaris 10 environment. We also use cfengine pretty heavily and there are some instances when we need to include or exclude certain automated tasks based on what type of zone we are working with. I wrote this little script that checks to see what type of zone we are dealing with. Based on the return value, I can set a cfengine class and control what gets run and where.

  • With -g or --global: return 0 if the machine is a global zone with 1 or more local zones, otherwise return 1 (a local zone, or a global zone with 0 local zones)
  • With -l or --local: return 0 if the machine is a local zone, otherwise return 1
#! /bin/bash
#
# When issued with the -g or --global flag, this script will return:
# 0 if the machine is a global zone and has one or more local zones.
# Otherwise, it will return 1
#
# When issued with the -l or --local flag, this script will return:
# 0 if it is a local zone and 1 if it is not
#
# `zoneadm list -v` prints a header line first, so the ID column lands in
# the array as: list[0]="ID", list[1]=ID of the first zone listed (0 in the
# global zone, 1 or higher when run inside a local zone), list[2]=ID of the
# first local zone when run from a global zone that has a running one.
# Without -c/-i only running zones are listed, so every ID is numeric; a
# configured-but-not-running zone would otherwise show up as "-" and break
# the numeric tests below.

list=( $(/usr/sbin/zoneadm list -v | awk '{ print $1 }') )

case "$1" in
    -g|--global)
        # If there is no third element, there are no local zones; set it to 0
        if [ -z "${list[2]}" ]; then
            list[2]=0
        fi
        # Exit 0 only if this is the global zone (ID 0) and at least one
        # local zone is listed; otherwise exit 1
        if [ "${list[1]}" -eq 0 ] && [ "${list[2]}" -ge 1 ]; then
            exit 0
        else
            exit 1
        fi
        ;;
    -l|--local)
        # Inside a local zone the first (and only) zone listed has an ID of
        # 1 or higher; exit 0 for a local zone, 1 otherwise
        if [ "${list[1]}" -ge 1 ]; then
            exit 0
        else
            exit 1
        fi
        ;;
    *)
        echo "Usage: /local/adm/zonetype.sh {-l | --local | -g | --global}"
        exit 1
        ;;
esac
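The same classification can be done without depending on the column positions of the verbose listing. The script below is an added example, not the original zonetype script: it parses the parsable output of `zoneadm list -cp`, whose field order is assumed here to be zoneid:zonename:state:zonepath:uuid:brand:ip-type (the zoneid is "-" for a zone that is not running), and prints one word that a cfengine class can key off. The sample outputs embedded in it are constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example (not the original script): classify a Solaris 10 host from the
# parsable output of `zoneadm list -cp`. Assumed field order:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type
# zone_type prints one of: global-with-zones, global-no-zones, local
# Only running local zones count, matching the ID-based test in the script
# above; configured or installed zones that are not running are ignored.

zone_type() {
    # $1 = text of `zoneadm list -cp`
    printf '%s\n' "$1" | awk -F: '
        $2 == "global" { global = 1; next }             # only a global zone lists "global"
        $1 != "-" && $3 == "running" { running++ }       # numeric ID + running state
        END {
            if (!global)            print "local"
            else if (running > 0)   print "global-with-zones"
            else                    print "global-no-zones"
        }'
}

zone_type_live() {
    # Run on a real host: feed zoneadm output straight into the classifier
    zone_type "$(/usr/sbin/zoneadm list -cp)"
}

# Constructed samples of `zoneadm list -cp` output (uuid field left empty).
SAMPLE_GLOBAL_WITH_ZONES='0:global:running:/::native:shared
1:web1:running:/zones/web1::native:shared
-:db1:installed:/zones/db1::native:shared'

SAMPLE_GLOBAL_NO_ZONES='0:global:running:/::native:shared
-:db1:configured:/zones/db1::native:shared'

SAMPLE_LOCAL='1:web1:running:/::native:shared'

# Usage: each call prints the classification for one sample.
zone_type "$SAMPLE_GLOBAL_WITH_ZONES"
zone_type "$SAMPLE_GLOBAL_NO_ZONES"
zone_type "$SAMPLE_LOCAL"
```

On a host, `zone_type_live` is the only call needed; the printed word can be turned into a cfengine class with the same `case` pattern the original script uses for its exit codes.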

Check Speed / Duplex on Solaris 10

In the past, I always had to use ndd -get to figure out what my link speed and duplex settings were. In Solaris 10, Sun now gives us the handy dladm command, which makes it a whole lot easier. (show-dev is the Solaris 10 subcommand; in Solaris 11 it is gone and dladm show-phys reports the same information.)


# dladm show-dev
e1000g2 link: up speed: 1000 Mbps duplex: full
e1000g3 link: up speed: 1000 Mbps duplex: full
e1000g0 link: up speed: 1000 Mbps duplex: full
e1000g1 link: up speed: 1000 Mbps duplex: full

Replace Failed SVM Mirror Drive

So you have used SVM to mirror your disk, and one of the two drives fails. Aren’t you glad you mirrored them! You don’t have to do a restore from tape, but you are going to have to replace the failed drive.

Many modern RAID arrays just require you to take out the bad drive and plug in the new one, while everything else is taken care of automatically. It’s not quite that easy on a Sun server, but it’s really just a few simple steps. I just had to do this, so I thought I would write down the procedure here.

Basically, the process boils down to the following steps:

  • Detach the failed meta devices from the failed drive
  • Delete the meta devices from the failed drive
  • Delete the meta databases from the failed drive
  • Unconfigure the failed drive
  • Remove and replace the failed drive
  • Configure the new drive
  • Copy the remaining drive’s partition table to the new drive
  • Re-create the meta databases on the new drive
  • Install the bootblocks on the new drive
  • Recreate the meta devices
  • Attach the meta devices

Let’s look at each step individually. In my case, c0t1d0 has failed, so I detach all meta devices on that disk and then delete them. metastat shows which submirrors are in the maintenance state, and the -f flag forces the detach even though the submirror is in that state:


# metadetach -f d0 d2
# metadetach -f d10 d12
# metadetach -f d40 d42
# metaclear d2
# metaclear d12
# metaclear d42

Next I take a look at the status of my meta databases. Below we can see that the replicas on that disk have write errors:

# metadb -i
        flags           first blk       block count
     a m  p  luo        16               8192            /dev/dsk/c0t0d0s3
     a    p  luo        8208             8192            /dev/dsk/c0t0d0s3
     W    p  luo        16                8192            /dev/dsk/c0t1d0s3
     W    p  luo        8208            8192            /dev/dsk/c0t1d0s3
 r - replica does not have device relocation information
 o - replica active prior to last mddb configuration change
 u - replica is up to date
 l - locator for this replica was read successfully
 c - replica's location was in /etc/lvm/mddb.cf
 p - replica's location was patched in kernel
 m - replica is master, this is replica selected as input
 W - replica has device write errors
 a - replica is active, commits are occurring to this replica
 M - replica had problem with master blocks
 D - replica had problem with data blocks
 F - replica had format problems
 S - replica is too small to hold current data base
 R - replica had device read errors

The replicas on c0t1d0s3 are dead to us, so let’s wipe them out!


# metadb -d c0t1d0s3
# metadb -i

        flags           first blk       block count
     a m  p  luo        16               8192            /dev/dsk/c0t0d0s3
     a    p  luo        8208             8192            /dev/dsk/c0t0d0s3

The only replicas we have left are on c0t0d0s3, so I’m all clear to unconfigure the device. I run cfgadm to get the c0 path:


# cfgadm -al

Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c0::dsk/c0t0d0                 disk         connected    configured   unknown
c0::dsk/c0t1d0                 disk         connected    configured   unknown
c0::dsk/c0t2d0                 disk         connected    configured   unknown
c0::dsk/c0t3d0                 disk         connected    configured   unknown
c1                             scsi-bus     connected    configured   unknown
c1::dsk/c1t0d0                 CD-ROM       connected    configured   unknown
usb0/1                         unknown      empty        unconfigured ok
usb0/2                         unknown      empty        unconfigured ok
usb1/1.1                       unknown      empty        unconfigured ok
usb1/1.2                       unknown      empty        unconfigured ok
usb1/1.3                       unknown      empty        unconfigured ok
usb1/1.4                       unknown      empty        unconfigured ok
usb1/2                         unknown      empty        unconfigured ok

I run the following command to unconfigure the failed drive:


# cfgadm -c unconfigure c0::dsk/c0t1d0

  • The drive light turns blue
  • Pull the failed drive out
  • Insert the new drive

Configure the new drive:


# cfgadm -c configure c0::dsk/c0t1d0

Now that the drive is configured and visible from within the format command, we can copy the partition table from the remaining mirror member:


# prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t1d0s2

Next, I install the bootblocks onto the new drive (this is the SPARC form; on x86 the equivalent is installgrub with the GRUB stage1 and stage2 files):


# installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t1d0s2

Create the state replicas:

# metadb -a -c 2 c0t1d0s3

Recreate the meta devices:

# metainit -f d2 1 1 c0t1d0s0
# metainit -f d12 1 1 c0t1d0s1
# metainit -f d42 1 1 c0t1d0s4

And finally, reattach the metadevices, which syncs them up with the mirror. You can watch the resync progress with metastat; wait for it to finish before considering the mirror healthy again.

# metattach d0 d2
# metattach d10 d12
# metattach d40 d42
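The two checks a practitioner wants around this procedure are "which replicas are actually bad?" and "did I get the command sequence right before I type it?". The script below is an added example, not part of the original post: `bad_replicas` parses the text of `metadb -i` and lists the slices whose replicas carry an error flag, and `replacement_plan` prints (without running anything) the full command sequence above for a given failed disk, surviving disk and set of mirror:submirror:slice triplets. It assumes the cfgadm attachment point has the form controller::dsk/disk as in the `cfgadm -al` output above, and uses the SPARC installboot form. The metadb sample is constructed to match the listing above.

```bash
#!/bin/bash
# Added example, not from the original post. Two helpers for the SVM mirror
# replacement described above:
#   bad_replicas      - parse the text of `metadb -i` and list the slices whose
#                       replicas carry an error flag (W, R, M, D or F)
#   replacement_plan  - print, without running anything, the command sequence
#                       for replacing a failed mirror member
# Assumptions: cfgadm attachment point is <controller>::dsk/<disk>, and the
# host is SPARC (installboot rather than installgrub).

bad_replicas() {
    # $1 = text of `metadb -i`; prints one slice name (cXtYdZsN) per line
    printf '%s\n' "$1" | awk '
        $NF ~ /^\/dev\/dsk\// {
            flags = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /^[0-9]+$/) break      # the "first blk" column ends the flags
                flags = flags $i
            }
            if (flags ~ /[WRMDF]/) {            # upper-case flags are error conditions
                sub("^/dev/dsk/", "", $NF)
                print $NF
            }
        }' | sort -u
}

replacement_plan() {
    # $1 = failed disk, $2 = surviving disk, $3 = replica slice number,
    # remaining arguments = mirror:submirror:slice triplets, e.g. d0:d2:s0
    failed=$1; good=$2; rslice=$3; shift 3
    ctrl=${failed%%t*}                          # c0t1d0 -> c0
    for t in "$@"; do
        mirror=${t%%:*}; rest=${t#*:}; sub=${rest%%:*}
        echo "metadetach -f $mirror $sub"
    done
    for t in "$@"; do
        rest=${t#*:}; sub=${rest%%:*}
        echo "metaclear $sub"
    done
    echo "metadb -d ${failed}s${rslice}"
    echo "cfgadm -c unconfigure ${ctrl}::dsk/${failed}"
    echo "# pull the failed drive and insert the replacement, then:"
    echo "cfgadm -c configure ${ctrl}::dsk/${failed}"
    echo "prtvtoc /dev/rdsk/${good}s2 | fmthard -s - /dev/rdsk/${failed}s2"
    echo "installboot /usr/platform/\$(uname -i)/lib/fs/ufs/bootblk /dev/rdsk/${failed}s2"
    echo "metadb -a -c 2 ${failed}s${rslice}"
    for t in "$@"; do
        rest=${t#*:}; sub=${rest%%:*}; slice=${rest#*:}
        echo "metainit -f $sub 1 1 ${failed}${slice}"
    done
    for t in "$@"; do
        mirror=${t%%:*}; rest=${t#*:}; sub=${rest%%:*}
        echo "metattach $mirror $sub"
    done
}

# Constructed sample of `metadb -i` output, shaped like the listing above.
SAMPLE_METADB='        flags           first blk       block count
     a m  p  luo        16               8192            /dev/dsk/c0t0d0s3
     a    p  luo        8208             8192            /dev/dsk/c0t0d0s3
     W    p  luo        16               8192            /dev/dsk/c0t1d0s3
     W    p  luo        8208             8192            /dev/dsk/c0t1d0s3'

# Usage: find the bad slice, then print the plan for that disk.
bad_replicas "$SAMPLE_METADB"
replacement_plan c0t1d0 c0t0d0 3 d0:d2:s0 d10:d12:s1 d40:d42:s4
```

On a live host, pass `"$(metadb -i)"` to `bad_replicas`; the printed plan is meant to be read against `metastat` output before any line of it is run.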

Happy 1234567890’th Second UNIX!

Today, Friday February 13, at 3:31:30 PM (PST), the UNIX time will read exactly 1234567890 (that is 23:31:30 UTC). So exactly what is all this excitement about UNIX being able to count to 10? Surely, the operating system that is slowly but steadily putting Microsoft out of business must be able to do that. Well, it’s actually the UNIX timestamp, and what has all of us nerds talking is really just the fact that the digits have never lined up in sequence like this before.

So what the heck is this UNIX time anyhow? Simply put, it’s the number of seconds elapsed since the Unix epoch, 00:00:00 UTC on January 1, 1970 (not counting leap seconds, as the quote below explains).

From Wikipedia:

It is not a linear representation of time nor a true representation of UTC (though it is frequently mistaken for both) as the times it represents are UTC but it has no way of representing UTC leap seconds (e.g. 1998-12-31 23:59:60).

Basic iptables Configuration

It’s always a good idea to setup a local firewall on hosts that are on unprotected networks. The internet “winds” blow harder and harder each day, and it’s only a matter of time before some daemon has an exploit that gets taken advantage of. I use CentOS 5 for all my web servers, and here is an example of the script I use to create a DEFAULT TO DENY set of firewall rules. This script generates a file called iptables in /etc/sysconfig.

I used to create a special rule for MySQL that only allowed connections from my own network, but lately I have been omitting this rule and tunneling the connection through ssh instead. That is why it is commented out in the script below.


### SCRIPT ###
#!/bin/sh
# Temporarily accept everything and start from an empty rule set, so that
# re-running the script does not append a second copy of every rule and an
# interrupted run cannot leave the box unreachable
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
# Allow local traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow returning packets
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on port 80 for web server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow MySQL only from a certain network (disabled; tunneled over ssh instead)
#/sbin/iptables -A INPUT -p tcp -m tcp -s XXX.XXX.XXX.0/24 --dport 3306 -j ACCEPT
# Allow incoming SSH on port 22
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# With the allow rules in place, drop everything else that comes in
/sbin/iptables -P INPUT DROP
# Drop all forwarded traffic
/sbin/iptables -P FORWARD DROP
# Allow all outgoing traffic
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables-save > /etc/sysconfig/iptables
chmod go-r /etc/sysconfig/iptables
/sbin/service iptables restart
### /SCRIPT ###

Here is what /etc/sysconfig/iptables looks like after running this script (each rule appears once, in the order it was added):

# Generated by iptables-save v1.3.5 on Wed Dec 31 13:47:40 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Wed Dec 31 13:47:40 2008
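Appending rules one `iptables -A` at a time is easy to get wrong: run the script twice without flushing and every rule is loaded twice; forget the `-s` on the MySQL rule and 3306 is open to the world. The script below is an added example, not the author's firewall script. `build_rules` emits the same default-deny policy in iptables-restore format, so the whole set is loaded atomically and re-running it is idempotent, and `audit_rules` reads any iptables-save dump and reports the INPUT policy, duplicated rules and TCP ports accepted without a source restriction. The management network 10.0.0.0/24 and the sample dump (constructed to look like a ruleset that was appended twice) are made up for the example.

```bash
#!/bin/bash
# Added example, not the original script.
#   build_rules  - emit a default-deny ruleset in iptables-restore format
#   audit_rules  - read an iptables-save dump on stdin and report the INPUT
#                  policy, duplicated rules and TCP ports accepted from anywhere
# Assumptions: 10.0.0.0/24 stands in for the management network; port lists
# are comma-separated.

build_rules() {
    # $1 = comma-separated TCP ports open to the world
    # $2 = CIDR allowed to reach SSH (empty string = SSH open to the world)
    ports=$1; mgmt=$2
    echo '*filter'
    echo ':INPUT DROP [0:0]'                  # policy is part of the atomic load
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    if [ -n "$mgmt" ]; then
        echo "-A INPUT -p tcp -m tcp -s $mgmt --dport 22 -j ACCEPT"
    else
        echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    fi
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r p; do
        if [ -n "$p" ]; then
            echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
        fi
    done
    echo 'COMMIT'
}

audit_rules() {
    # stdin = iptables-save/-restore text
    # prints: policy=<INPUT policy> duplicates=<n> open_tcp=<ports without -s>
    awk '
        /^:INPUT / { policy = $2 }
        /^-A / {
            if (seen[$0]++ > 0) { dups++; next }        # identical rule loaded again
            if ($0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/ && $0 !~ / -s /) {
                if (match($0, /--dport [0-9]+/)) {
                    port = substr($0, RSTART + 8, RLENGTH - 8)
                    if (open == "") open = port; else open = open "," port
                }
            }
        }
        END { printf "policy=%s duplicates=%d open_tcp=%s\n", policy, dups + 0, open }'
}

# Constructed dump: what iptables-save produces after an append-only script
# was run twice (note the repeated rules and the unrestricted 3306).
SAMPLE_APPENDED_TWICE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:8972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT'

# Usage: audit the bad dump, then audit a freshly built ruleset.
printf '%s\n' "$SAMPLE_APPENDED_TWICE" | audit_rules
build_rules 80,443 10.0.0.0/24 | audit_rules
```

To deploy, write `build_rules` output to /etc/sysconfig/iptables (this is the file `service iptables start` reads on CentOS 5) or feed it straight to `/sbin/iptables-restore`; run `iptables-save | audit_rules` afterwards and expect `duplicates=0` and only the ports you meant in `open_tcp`.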

After you are done, make sure you have iptables setup to start when the system boots.


# /sbin/chkconfig --list | grep iptables

iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

If it’s not on, just run:

/sbin/chkconfig iptables on

Install Solaris Package in Alternate Base Directory

Unless you specify a different administrative file, the pkgadd command reads “/var/sadm/install/admin/default”, whose basedir entry is “default”, meaning the package is installed under the base directory named in its own pkginfo file (commonly “/opt”). Do not change the settings in this file, but rather create a custom admin file and enter an alternate “basedir” directive if you want to install your package into a different directory. Note that basedir only redirects relocatable packages (those whose pkgmap paths are relative); objects delivered with absolute paths land where the package says regardless. We are going to install our package into “/var/applications”, and call our custom admin file “custom”.

First, create and edit “/var/sadm/install/admin/custom”, adding a line similar to this:
basedir=/var/applications/$PKGINST

Next, issue the pkgadd command with the “-a” flag to call your alternate admin file (a bare name is looked up in /var/sadm/install/admin; a full path works too):

pkgadd -d device -a custom PackageName

This really comes in handy when your customers want to retain control over their packages, but you don’t want to give them access to write packages into the system area. More detailed instructions can be found here.
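Two things are worth checking when a customer hands you a package to install this way: whether its contents are actually relocatable (otherwise basedir changes nothing), and what else the admin file allows. The script below is an added example, not part of the original post: `relocatable_summary` reads a pkgmap and counts relative, absolute and parametric paths, and `write_admin_file` writes an admin file that sets basedir and answers quit to the setuid and conflict checks, so a package that ships a setuid binary or overwrites an existing system file is refused instead of prompting. The package name, the paths and the sample pkgmap are constructed for the example; the admin file is written to a path you choose rather than straight into /var/sadm/install/admin.

```bash
#!/bin/bash
# Added example, not from the original post.
#   relocatable_summary - read a pkgmap on stdin and count relocatable entries
#                         (relative paths, which basedir redirects) against
#                         absolute and parametric ones (which it does not)
#   write_admin_file    - write an admin file that sets basedir and refuses
#                         setuid/setgid objects and file conflicts
# The package, its paths and the pkgmap text below are constructed.

relocatable_summary() {
    # pkgmap records: part ftype class path mode owner group ...
    # ":" starts the header record; ftype "i" is package metadata, not a path
    awk '
        $1 == ":" || $2 == "i" { next }
        {
            path = $4
            sub(/=.*/, "", path)                 # links are written path=target
            if (path ~ /^\//)       absolute++   # fixed location, basedir ignored
            else if (path ~ /^\$/)  parametric++ # resolved from pkginfo variables
            else                    relocatable++
        }
        END {
            printf "relocatable=%d absolute=%d parametric=%d\n",
                   relocatable + 0, absolute + 0, parametric + 0
        }'
}

write_admin_file() {
    # $1 = file to write, $2 = basedir value (may contain $PKGINST literally)
    # Every check is set to quit rather than ask, so an unattended pkgadd
    # fails closed instead of waiting on a prompt or silently proceeding.
    cat > "$1" <<EOF
mail=
instance=unique
partial=quit
runlevel=quit
idepend=quit
rdepend=quit
space=quit
setuid=quit
conflict=quit
action=quit
basedir=$2
EOF
}

# Constructed pkgmap for a hypothetical package "ACMEapp".
SAMPLE_PKGMAP=': 1 512
1 d none bin 0755 root bin
1 f none bin/acme 0755 root bin 10240 12345 1234567890
1 f none lib/libacme.so 0644 root bin 20480 23456 1234567890
1 s none bin/acme-link=acme
1 f none /etc/init.d/acme 0744 root sys 1024 3456 1234567890
1 d none $CLASSDIR 0755 root bin
1 i pkginfo 512 4321 1234567890'

# Usage: summarise the pkgmap, then write the admin file to a scratch path.
printf '%s\n' "$SAMPLE_PKGMAP" | relocatable_summary
write_admin_file ./custom '/var/applications/$PKGINST'
```

With the file in place, `pkgadd -d device -a /full/path/to/custom ACMEapp` installs the relocatable objects under /var/applications/ACMEapp; the one absolute entry in the sample (/etc/init.d/acme) would still be written to /etc, which is exactly the kind of thing the summary is meant to surface before you run pkgadd.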