We have been playing with a private cloud internally for a while now.
Recently a coworker who works on this cloud had to move to another city, so we needed to give him network access to the project.
This is, more or less, the project network diagram:

He sits on the 10.239.x.x network, so what's the idea? Use the Cisco!
Hands on:
Step 1: Configure the Cisco VPN server.
Authentication and authorization model:
aaa new-model
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_group local
aaa session-id common
User for the VPN client (note that "password 0" stores the password in cleartext in the configuration; "username iavantevpn secret mypassword" would store a hash instead):
username iavantevpn password 0 mypassword
IP Pool to assign to the different vpn clients:
ip local pool VPN 192.168.29.240 192.168.29.250
Policy for key management (3DES and DH group 2, which is 1024-bit, are weak by current standards; prefer AES and a larger group wherever the client supports them):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
Group for the VPN client:
crypto isakmp client configuration group vpn
 key grouppassword
 domain lds.iavante.es
 pool VPN
 netmask 255.255.255.0
Security protocol and algorithms to use for the tunnel:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Only accept clients that negotiate this transform set (no further restrictions):
crypto dynamic-map DYN 1
 set transform-set ESP-3DES-SHA
Tie the transform set to the rest of the IPsec policy:
crypto map CMAP client authentication list vpn_auth
crypto map CMAP isakmp authorization list vpn_group
crypto map CMAP client configuration address respond
crypto map CMAP 65535 ipsec-isakmp dynamic DYN
Apply the crypto map to the interface:
interface FastEthernet0/0
crypto map CMAP
Step 2: Configure the clients.
We're using Ubuntu 11.10. If you want to integrate the VPN with NetworkManager, this is the package you need:
sudo apt-get install network-manager-vpnc
After that we need to overwrite the default vpnc-script; this post set me straight: http://blog.nowherelan.com/2011/10/10/vpnc-on-ubuntu-oneiric-error-either-to-is-duplicate-or-ipid-is-a-garbage/
This is the vpnc profile (/etc/vpnc/iavante.conf, matching the profile name used below) for the Cisco server we configured above. It holds both the group secret and the Xauth password in cleartext, so keep it readable by root only:
IPSec gateway 10.111.250.197
IPSec ID vpn
IPSec secret grouppassword
Xauth username iavantevpn
Xauth password mypassword
Step 3: Fun!
Launch the VPN connection:
(! 547)-> vpnc-connect iavante
VPNC started in background (pid: 11098)...
This is what the tunnel looks like:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.29.242 P-t-P:192.168.29.242 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1906 (1.9 KB) TX bytes:9527 (9.5 KB)
... and this is how to disconnect from the VPN:
(! 549)-> vpnc-disconnect
Terminating vpnc daemon (pid: 11098)
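Before handing a profile like the one above to vpnc-connect it is worth checking it mechanically. The following is an added example, not code from the original post or from the vpnc project: a small parser for the "Keyword value" format of /etc/vpnc/<profile>.conf and two checks a practitioner wants, that the keywords vpnc would otherwise prompt for are present and that the file, which carries the group secret and Xauth password in clear, is not readable by other users. The keyword list is a subset of vpnc.conf(5); the addresses and credentials are the hypothetical ones from the post.

```python
"""Check a vpnc profile before handing it to vpnc-connect (added example)."""
import os
import stat
import tempfile

# Subset of the keywords documented in vpnc.conf(5). Keywords contain
# spaces, so each line is matched against this list, longest first.
KEYWORDS = (
    "IPSec gateway", "IPSec ID", "IPSec secret", "IPSec obfuscated secret",
    "IKE Authmode", "Xauth username", "Xauth password",
    "Xauth obfuscated password", "Vpnc script", "Local Port",
)
# Keywords vpnc would prompt for interactively if they were missing.
REQUIRED = ("IPSec gateway", "IPSec ID", "Xauth username")

# The profile from the post (hypothetical gateway and credentials, as written there).
POST_PROFILE = """\
IPSec gateway 10.111.250.197
IPSec ID vpn
IPSec secret grouppassword
Xauth username iavantevpn
Xauth password mypassword
"""


def parse_vpnc_conf(text):
    """Return {keyword: value}; raise ValueError on an unknown keyword."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kw in sorted(KEYWORDS, key=len, reverse=True):
            if line == kw or line.startswith(kw + " "):
                conf[kw] = line[len(kw):].strip()
                break
        else:
            raise ValueError(f"line {lineno}: unknown keyword in {line!r}")
    return conf


def profile_problems(conf, mode):
    """List what is wrong with a parsed profile stored with permission bits `mode`."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:04o} lets other users read the secrets; use 0600")
    for kw in REQUIRED:
        if kw not in conf:
            problems.append(f"missing '{kw}'")
    # The "obfuscated" forms use the reversible Cisco PCF encoding; they hide
    # nothing from anyone who can read the file, so they are accepted here
    # but do not replace the permission check above.
    if "IPSec secret" not in conf and "IPSec obfuscated secret" not in conf:
        problems.append("missing 'IPSec secret' (group password)")
    return problems


def check_vpnc_file(path):
    """Read and check an on-disk profile; returns the list of problems."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        conf = parse_vpnc_conf(f.read())
    return profile_problems(conf, mode)


def demo():
    """Write the post's profile to a temp file with loose, then tight, permissions."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(POST_PROFILE)
        os.chmod(path, 0o644)   # world readable, as a careless copy would leave it
        loose = check_vpnc_file(path)
        os.chmod(path, 0o600)   # owner only, which is what the profile needs
        tight = check_vpnc_file(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for label, problems in zip(("0644", "0600"), demo()):
        print(label, problems or "ok")
```

Run it as root against /etc/vpnc/*.conf after copying a profile into place; a non-empty list means fix the file before connecting.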
This is a quick recipe related to the DHCP static mappings post. I take advantage of that configuration to hand out a different MTU automatically, depending on the network and the MAC of the interface, using DHCP option 26 (Interface MTU).
Jumbo frames on my switches have an MTU of 9216 bytes. Option 26 carries the MTU as a 2-byte (4 hex digit) unsigned integer, so convert it to base 16:
echo "obase=16; 9216" | bc
2400
So in the Cisco DHCP pool configuration it's as easy as pie:
option 26 hex 2400
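As an added example (not from the original post), the bc one-liner generalised: the value is checked against the option's width and, for option 26, the minimum MTU RFC 2132 allows, then rendered in the dotted hex groups IOS accepts after "option <n> hex", and decoded back so a value lifted from a running config can be read. Option 208 with the four-byte PXELINUX magic value is an assumed second case to show a wider option; it is not something the post configures this way.

```python
"""Encode fixed-width numeric DHCP option values for IOS "option <n> hex" (added example)."""

# Option number -> length in octets for the fixed-size options used here.
# RFC 2132: option 26 (Interface MTU) is 2 octets. Option 208 carrying the
# 4-octet PXELINUX magic value is an assumed extra case.
OPTION_WIDTH = {26: 2, 208: 4}
MIN_MTU = 68  # RFC 2132 section 5.1: minimum legal value for option 26


def encode_option(option, value):
    """Return the hex string that follows 'option <option> hex'."""
    width = OPTION_WIDTH[option]
    if not 0 <= value < 1 << (8 * width):
        raise ValueError(f"{value} does not fit in {width} octet(s)")
    if option == 26 and value < MIN_MTU:
        raise ValueError(f"MTU {value} is below the RFC 2132 minimum of {MIN_MTU}")
    digits = value.to_bytes(width, "big").hex()
    # IOS groups hex option strings in 16-bit words separated by dots.
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option(option, dotted):
    """Inverse of encode_option, for values copied from 'show running-config'."""
    width = OPTION_WIDTH[option]
    raw = bytes.fromhex(dotted.replace(".", ""))
    if len(raw) != width:
        raise ValueError(f"expected {width} octet(s), got {len(raw)}")
    return int.from_bytes(raw, "big")


def ios_option_line(option, value):
    """The complete pool sub-command, e.g. 'option 26 hex 2400'."""
    return f"option {option} hex {encode_option(option, value)}"


if __name__ == "__main__":
    print(ios_option_line(26, 9216))         # jumbo frames, as in the post
    print(ios_option_line(26, 1500))         # standard Ethernet MTU
    print(ios_option_line(208, 0xF100747E))  # PXELINUX magic (assumed case)
```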
We want to configure a static NAT in order to expose an internal service to an outside network. More or less, this is the network diagram:

The first thing you need to do is mark which interface faces the outside and which one is on the inside network (for example):
rcisco>enable
rcisco#configure terminal
rcisco(config)#interface FastEthernet0/1.26
rcisco(config-subif)#ip nat inside
rcisco(config-subif)#exit
rcisco(config)#interface FastEthernet0/0
rcisco(config-if)#ip nat outside
rcisco(config-if)#end
Then declare the address and port translation:
ip nat inside source static tcp 192.168.26.10 8443 10.111.250.197 8443
... easy as apple pie.
Now you can reach the service at 10.111.250.197:8443. Keep in mind that the translation itself is unconditional: anything that can reach the outside interface can reach 192.168.26.10:8443, so restrict the sources with an inbound access list on FastEthernet0/0 if the service is not meant to be public.
Gerardo.
Hi, I want to share with you how to map a MAC address to an IP address with a Cisco 28xx router. For this task we take the assignment file from a TFTP server.
Example file:
*time* Feb 17 2011 12:19 PM
*version* 4
!IP address Type Hardware address Lease expiration VRF
!Cloud Controller && Node 1
192.168.29.10 /24 1 0021.2875.93XX Infinite
!Cloud Node 2
192.168.29.11 /24 1 0021.2877.60XX Infinite
!Cloud Node 3
192.168.19.12 /24 1 0021.2877.61XX Infinite
!Cloud Node 4
192.168.29.13 /24 1 0021.2877.61XX Infinite
*end*
The first field is the IP to assign, then a space and the prefix length. The second field is "id" to match on the client identifier, or 1 to match on the hardware (Ethernet) address, written in Cisco dotted hex (three groups of four hex digits). Optionally we can add an expiration time ("Infinite" for no expiration) and a VRF name. Lines starting with "!" are comments. Note that the router does not sanity-check the addresses against the pool: the Node 3 line above (192.168.19.12) is on a different /24 from the rest, and as the debug output below shows, the router binds it anyway.
Now we can configure our DHCP pool for these static IPs:
ip dhcp pool Storage
 origin file tftp://192.168.29.4/boot/gPXE/static-mapping
 bootfile boot/gPXE/gpxelinux.0
 next-server 192.168.29.4
 default-router 192.168.29.1
 dns-server 192.168.29.1
 option 208 ascii "f1:00:74:7e"
The important part here is the "origin file" command, which points at the URL of the file above. Since TFTP has no authentication, whoever can write to that server decides which MAC gets which address, so protect it accordingly. If we turn on DHCP server debugging we can see how the router reads the file and creates the bindings:
000412: Feb 17 15:57:32.029 Paris: DHCPD: reading bindings from tftp://192.168.29.4/boot/gPXE/static-mapping.
000413: Feb 17 15:57:32.317 Paris: DHCPD: read 360 / 1024 bytes.
000414: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "*time* Feb 17 2011 12:19 PM"
000415: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "*version* 4 "
000416: Feb 17 15:57:32.321 Paris: DHCPD: route: Parsed version = 4
000417: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "!IP address Type Hardware address Lease expirationVRF"
000418: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "!Cloud Controller && Node 1"
000419: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "192.168.29.10 /24 1 0021.2875.93XX Infinite"
000420: Feb 17 15:57:32.321 Paris: DHCPD: creating binding for 192.168.29.10
000421: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to radix tree (192.168.29.10)
000422: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to hash tree
000423: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "!Cloud Node 2"
000424: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "192.168.29.11 /24 1 0021.2877.60XX Infinite"
000425: Feb 17 15:57:32.321 Paris: DHCPD: creating binding for 192.168.29.11
000426: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to radix tree (192.168.29.11)
000427: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to hash tree
000428: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "!Cloud Node 3"
000429: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "192.168.19.12 /24 1 0021.2877.61XX Infinite"
000430: Feb 17 15:57:32.321 Paris: DHCPD: creating binding for 192.168.19.12
000431: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to radix tree (192.168.19.12)
000432: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to hash tree
000433: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "!Cloud Node 4"
000434: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "192.168.29.13 /24 1 0021.2877.61XX Infinite "
000435: Feb 17 15:57:32.321 Paris: DHCPD: creating binding for 192.168.29.13
000436: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to radix tree (192.168.29.13)
000437: Feb 17 15:57:32.321 Paris: DHCPD: Adding binding to hash tree
000438: Feb 17 15:57:32.321 Paris: DHCPD: parsing text line "*end*"
000439: Feb 17 15:57:32.325 Paris: DHCPD: read static bindings from tftp://192.168.29.4/boot/gPXE/static-mapping.
Everything else in the DHCP pool configuration is there for the gPXE boot of these servers and is not needed for the mapping.
Reference: Cisco IOS guide
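Because the router binds whatever it reads, the file deserves a check before it is published on the TFTP server. The following validator is an added example, not from the original post or from Cisco: it parses the static-mapping format (*time*/*version*/*end* markers, "!" comments, "ip /prefix type hw [expiry] [vrf]" lines) and flags what the router will not, addresses outside the pool network, malformed hardware addresses and duplicate IPs or MACs. The sample is constructed: it mirrors the post's file with made-up MAC suffixes and keeps the out-of-network Node 3 line.

```python
"""Validate an IOS DHCP static-mapping file before publishing it on TFTP (added example)."""
import ipaddress

# Constructed sample: the post's file with invented MAC suffixes and its
# Node 3 typo (192.168.19.12 instead of 192.168.29.12) kept on purpose.
SAMPLE = """\
*time* Feb 17 2011 12:19 PM
*version* 4
!IP address  Type  Hardware address  Lease expiration  VRF
!Cloud Controller && Node 1
192.168.29.10 /24 1 0021.2875.9301 Infinite
!Cloud Node 2
192.168.29.11 /24 1 0021.2877.6002 Infinite
!Cloud Node 3 (third octet typo kept from the post)
192.168.19.12 /24 1 0021.2877.6103 Infinite
!Cloud Node 4
192.168.29.13 /24 1 0021.2877.6104 Infinite
*end*
"""


def parse_static_mapping(text):
    """Return (header, bindings). header holds the *time*/*version* values;
    each binding is a dict with line, ip, prefix, type, hw, expiry, vrf."""
    header, bindings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):      # "!" introduces a comment
            continue
        if line.startswith("*"):                  # *time*, *version*, *end*
            key, _, value = line[1:].partition("*")
            if key == "end":
                break
            header[key] = value.strip()
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'ip /prefix type hw', got {line!r}")
        ip, prefix, kind, hw = fields[:4]
        bindings.append({
            "line": lineno, "ip": ip, "prefix": prefix, "type": kind,
            "hw": hw.lower(),
            "expiry": fields[4] if len(fields) > 4 else None,
            "vrf": fields[5] if len(fields) > 5 else None,
        })
    return header, bindings


def check_bindings(bindings, pool):
    """List problems for bindings meant to live in the pool network `pool`."""
    net = ipaddress.ip_network(pool)
    problems, seen_ip, seen_hw = [], {}, {}
    for b in bindings:
        where = f"line {b['line']}"
        try:
            addr = ipaddress.ip_address(b["ip"])
        except ValueError:
            problems.append(f"{where}: {b['ip']!r} is not an IP address")
            continue
        if addr not in net:
            problems.append(f"{where}: {addr} is outside {net}")
        if b["prefix"] != f"/{net.prefixlen}":
            problems.append(f"{where}: prefix {b['prefix']} does not match {net}")
        digits = b["hw"].replace(".", "")
        hexok = all(c in "0123456789abcdef" for c in digits)
        if b["type"] == "1":                      # hardware type 1 = Ethernet
            if not hexok or len(digits) != 12:
                problems.append(f"{where}: {b['hw']} is not a 48-bit MAC in dotted hex")
        elif b["type"] == "id":                   # client identifier, arbitrary hex
            if not hexok or len(digits) % 2:
                problems.append(f"{where}: {b['hw']} is not a hex client identifier")
        else:
            problems.append(f"{where}: unknown type {b['type']!r} (use 1 or id)")
        if addr in seen_ip:
            problems.append(f"{where}: {addr} already mapped on line {seen_ip[addr]}")
        seen_ip.setdefault(addr, b["line"])
        key = (b["type"], digits)
        if key in seen_hw:
            problems.append(f"{where}: {b['hw']} already mapped on line {seen_hw[key]}")
        seen_hw.setdefault(key, b["line"])
    return problems


if __name__ == "__main__":
    header, bindings = parse_static_mapping(SAMPLE)
    print(f"version {header.get('version')}, {len(bindings)} bindings")
    for problem in check_bindings(bindings, "192.168.29.0/24"):
        print("WARNING:", problem)
```

Run it against the real file with the pool's network as argument; on the sample it reports exactly the Node 3 address as outside 192.168.29.0/24, which is the line the router silently accepted in the debug output above.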
I tested these instructions on Guadalinex v7, so sorry if they don't work with your distro.
- Install the pam_mount packages:
apt-get install libpam-mount
- Put the following snippet just before "</pam_mount>" in "/etc/security/pam_mount.conf.xml":
<volume user="*" fstype="cifs" server="servername" path="%(USER)"
        mountpoint="/home/%(USER)"
        options="uid=%(USER),gid=%(GROUP),file_mode=0700,dir_mode=0700" />
- ... create a file in /etc/pam.d named "common-pammount" with this content:
#
# /etc/pam.d/common-pammount
#
session optional pam_mount.so
- Voilà! Easy as pie.
There is a command that takes care of the whole installation / check / removal of support for a given locale or region: localeadm.
The first time it runs, it creates a configuration with the media and the locales found on it:
localeadm -l -v
To install all the support for a given region, for example Southern Europe (seu), we only have to run:
localeadm -a seu -m -d /"path to the installation media"
Next, choose the language on the login screen and you're done.
Thanks to NetLinx
These are the required steps:
Prerequisites
- Packages to install:
apt-get install gcc make binutils lesstif2 rpm libmotif3 libaio1 gawk alien ksh unzip sun-java6-jre x11-utils x11-xserver-utils elfutils unixodbc-dev pdksh sysstat
- Create the directory where the database will live:
mkdir -p /u01/app/oracle
- Create the users and groups the installer expects (it is built for RHEL). Set the password with passwd rather than useradd -p: -p expects an already hashed password and would leave it in the shell history anyway:
# addgroup oinstall
# addgroup dba
# addgroup nobody
# useradd -g oinstall -G dba -d /home/oracle -s /bin/bash oracle
# passwd oracle
# usermod -g nobody nobody
- ... likewise we have to create some symlinks to make the environment friendlier to the installer:
# ln -s /usr/bin/awk /bin/awk
# ln -s /usr/bin/rpm /bin/rpm
# ln -s /usr/bin/basename /bin/basename
- We also have to tune the kernel limits (/etc/sysctl.conf):
fs.file-max = 65535
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144
... and apply them with "sysctl -p".
- We also change some per-user limits (/etc/security/limits.conf, which pam_limits reads):
oracle soft nproc 2047
oracle hard nproc 16383
oracle soft nofile 1023
oracle hard nofile 65535
- Make sure the limits are loaded when the user logs in (/etc/pam.d/login):
session required pam_limits.so
Installation
- Unpack the files containing the database:
unzip linux_11gR2_database_1of2.zip
unzip linux_11gR2_database_2of2.zip
- Set the required permissions:
chown -R oracle:oinstall database
chown -R oracle:oinstall /u01/app/oracle
- Log in over ssh with X11 forwarding:
ssh -X oracle@ddbbserver
- Run the installer:
$ database/runInstaller
- Options chosen (defaults):
- "Create and configure a database".
- Desktop class installation.
- Oracle base: "/u01/app/oracle".
- Software location: "/u01/app/oracle/product/11.2.0/dbhome_1"
- Database file location: "/u01/app/oracle/oradata"
- OSDBA Group: dba
- Global database name: orcl
- Administrative password: XXXX
- Inventory Directory: "/u01/app/oraInventory"
- oraInventory Group Name: "oinstall"
- Default access URL: https://localhost:1158/em.
- Environment variables for this installation:
ORACLE_OWNER=oracle
ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
Start / stop script
#! /bin/sh
### BEGIN INIT INFO
# Provides:          oracle11g
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      1
# Short-Description: Oracle 11g server
### END INIT INFO
set -e
. /lib/lsb/init-functions
ORA_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
ORA_OWNER=oracle
if [ ! -f $ORA_HOME/bin/dbstart ]
then
    echo "Oracle startup: cannot start"
    exit 1
fi
case "$1" in
  start)
    log_daemon_msg "Starting Oracle 11g server" "oracle11g"
    if su - $ORA_OWNER -c "$ORA_HOME/bin/dbstart $ORA_HOME"; then
        touch /var/lock/oracle11g
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;
  stop)
    log_daemon_msg "Stopping Oracle 11g server" "oracle11g"
    if su - $ORA_OWNER -c "$ORA_HOME/bin/dbshut $ORA_HOME"; then
        rm -f /var/lock/oracle11g
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;
  *)
    log_action_msg "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0
- Save it as /etc/init.d/oracle11g and add it to the default runlevels with "update-rc.d oracle11g defaults"
Database access
export ORACLE_SID=test
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1/
When there are machines without a fixed IP and, for whatever reason, you cannot manage the DNS service they have to register with, you have a problem.
The easiest way I have found to handle it is to create a delegated subzone in BIND. That way the machine keeps updating its own DNS service and you "relay" that subzone from your own DNS servers.
It is quite simple to configure. In the zone file add the following (note the trailing dot on every fully qualified name: without it BIND appends the zone origin, so "subzone.zone.com" would silently become "subzone.zone.com.zone.com."):
; Subzone
subzone.zone.com. IN NS generic-ns1.zone.com.
subzone.zone.com. IN NS generic-ns2.zone.com.
; Google Public DNS
generic-ns1.zone.com. IN A 8.8.8.8
generic-ns2.zone.com. IN A 8.8.4.4
et voilà! One caveat: the NS targets have to be the servers that are actually authoritative for the subzone (the ones the dynamic hosts update); a public recursive resolver such as 8.8.8.8 is not authoritative for it and will not answer the referral reliably.
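The trailing-dot mistake is easy to make and hard to spot in a large zone file, so here is an added example (not from the original post, and not BIND's own tooling) that catches it: a tiny zone-file reader applying $ORIGIN semantics, followed by a delegation check that every NS record for the subzone really carries the subzone as owner and that every in-zone nameserver has a glue A/AAAA record. The sample is constructed: it copies the post's two NS lines, the second one without its trailing dot, with documentation addresses (192.0.2.0/24) as glue.

```python
"""Lint a BIND delegation for the missing-trailing-dot bug (added example)."""

ORIGIN = "zone.com."
SUBZONE = "subzone.zone.com."

# Constructed sample mirroring the post's snippet; the second NS owner
# lacks its trailing dot, so $ORIGIN gets appended to it.
SAMPLE = """\
; Subzone
subzone.zone.com.     IN NS generic-ns1.zone.com.
subzone.zone.com      IN NS generic-ns2.zone.com.
; glue for the two nameservers (documentation addresses)
generic-ns1.zone.com. IN A 192.0.2.53
generic-ns2.zone.com. IN A 192.0.2.54
"""

NAME_RDATA = {"NS", "CNAME", "PTR"}  # record types whose rdata is a domain name


def qualify(name, origin):
    """Apply $ORIGIN semantics: '@' is the origin, relative names get it appended."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata) with all names fully qualified.
    Handles the 'owner [ttl] [class] type rdata' line form only: no $TTL,
    no multi-line parentheses, no blank-owner continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        owner = qualify(fields[0], origin)
        i = 1
        if fields[i].isdigit():                  # optional TTL
            i += 1
        if fields[i].upper() == "IN":            # optional class
            i += 1
        rtype = fields[i].upper()
        rdata = " ".join(fields[i + 1:])
        if rtype in NAME_RDATA:
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_delegation(records, origin, subzone):
    """List problems with the NS and glue records delegating `subzone`."""
    problems = []
    targets = [rdata for owner, rtype, rdata in records
               if rtype == "NS" and owner == subzone]
    if not targets:
        problems.append(f"no NS records with owner {subzone}")
    for owner, rtype, _ in records:
        # 'subzone.zone.com' without the dot became 'subzone.zone.com.zone.com.'
        if rtype == "NS" and owner != subzone and owner.startswith(subzone):
            problems.append(f"NS owner {owner}: relative name picked up the origin; "
                            f"add the trailing dot to get {subzone}")
    for target in targets:
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and not any(o == target and t in ("A", "AAAA")
                               for o, t, _ in records):
            problems.append(f"nameserver {target} is inside {origin} but has no glue A/AAAA record")
    return problems


if __name__ == "__main__":
    for problem in check_delegation(parse_zone(SAMPLE, ORIGIN), ORIGIN, SUBZONE):
        print("WARNING:", problem)
```

On the sample it reports the second NS line as owned by subzone.zone.com.zone.com.; after adding the dot the check comes back empty. named-checkzone would load the broken file without complaint, because the extra record is syntactically valid.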
It's simple, although it isn't explained anywhere (that I know of).
Boot from the installation DVD and select the "Console session only" option.
This option will try to mount all the ZFS pools and file systems that already exist on the machine.
"The hard way"
If you didn't notice that option exists and your / is on ZFS, choose the Desktop or Console option with ZFS support and follow these steps:
Remount the root partition read-write:
mount -o remount,rw /
Create the mount points that exist on your machine:
mkdir /rpool /export
Identify the pools:
zpool import
... and import the ones you need:
zpool import rpool
At this point the most important file systems of our installation should be mounted read/write; all that's left is finding where the problem is and freeing up space:
du -hs /rpool/*
Reboot and done!
reboot
Steps
On the EC2 instance, with the EC2 AMI tools, rebundle the AMI and upload it to S3 (keep in mind that the access key and secret passed with -a and -s end up in the shell history):
ec2-bundle-vol -k /mnt/pk-iavante.pem -c /mnt/cert-iavante.pem -u XXXXXXX -d /mnt/ -s 3096 -e /pdata
ec2-upload-bundle -b informarseessalud_ec2_ami_003 -m /mnt/image.manifest.xml -a XXXXXX -s XXXXXXXXX
With the EC2 API tools, register the new AMI:
ec2-register informarseessalud_ec2_ami_003/image.manifest.xml
IMAGE ami-825ab9eb informarseessalud_ec2_ami_003/image.manifest.xml 104497119191 available private x86_64 machine aki-b51cf9dc ari-b31cf9da
With the EC2 API tools, create a new snapshot of the existing EBS volume:
ec2-create-snapshot vol-78866211
SNAPSHOT snap-772da51e vol-78866211 completed 2009-11-09T15:40:03+0000 100%
Create a new volume from that snapshot:
ec2-create-volume --snapshot snap-772da51e -z us-east-1a
VOLUME vol-5d50ae34 50 snap-772da51e us-east-1a available 2009-11-09T15:45:02+0000
VOLUME vol-78866211 50 us-east-1a in-use 2008-12-03T09:58:59+0000
Launch a new instance from this AMI:
ec2-run-instances -t m1.large ami-825ab9eb -k informarseessalud
Attach the new volume to the instance:
ec2-attach-volume vol-5d50ae34 -i i-0fc85767 -d sdz
Boot it, check the services... voilà!
We are going to install FFmpeg on SPARC from the Blastwave repository, while ImageMagick will be installed from the Sunfreeware packages.
Prerequisites:
Starting from a basic cluster install, at least the following packages are required:
- SUNWxwice
- SUNWmlib
- SUNWxwplt
Installing ffmpeg:
Update the catalog and install the package:
/opt/csw/bin/pkgutil -a
/opt/csw/bin/pkgutil -i ffmpeg
We also have to work around a libX11 update that Blastwave doesn't account for:
cd /opt/csw/lib/
ln -s libX11.so.6 libX11.so.4
The runtime linker's default library search path also needs configuring with crle. Every dynamically linked binary, setuid ones included, will now search these directories, so make sure they are owned by root and not writable by anyone else:
crle -u -v -l /lib
crle -u -v -l /usr/lib
crle -u -v -l /lib/secure
crle -u -v -l /usr/lib/secure
crle -u -v -l /usr/local/lib
crle -u -v -l /opt/csw/lib
crle -u -v -l /usr/openwin/lib
Installing ImageMagick:
Download and install the following Sunfreeware packages:
- bzip2-1.0.5-sol10-sparc-local
- libgcc-3.4.6-sol10-sparc-local
- cairo-1.4.10-sol10-sparc-local
- libgsf-1.14.7-sol10-sparc-local
- expat-2.0.1-sol10-sparc-local
- libiconv-1.11-sol10-sparc-local
- file-5.03-sol10-sparc-local
- libintl-3.4.0-sol10-sparc-local
- fontconfig-2.4.2-sol10-sparc-local
- libpng-1.2.40-sol10-sparc-local
- freetype-2.3.9-sol10-sparc-local
- librsvg-2.22.3-sol10-sparc-local
- glib-2.14.1-sol10-sparc-local
- libxml2-2.6.31-sol10-sparc-local
- imagemagick-6.5.1-sol10-sparc-local
- pango-1.18.2-sol10-sparc-local
- jpeg-7-sol10-sparc-local
- render-0.8-sol10-sparc-local
- lcms-1.18a-sol10-sparc-local
- tiff-3.9.1-sol10-sparc-local
- libcroco-0.6.1-sol10-sparc-local
- zlib-1.2.3-sol10-sparc-local
Finishing up.
If we want the executables (convert, ffmpeg, etc.) on the PATH we have to modify it or symlink them into /usr/bin.
First, make sure which version we are running:
bash-3.00# cat /etc/release
Solaris 10 5/09 s10x_u7wos_08 X86
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
Mount the ISO we just downloaded:
lofiadm -a /share/iso/solaris_dvd.iso
mount -F hsfs /dev/lofi/1 /mnt
Remove the packages responsible for "Live Upgrade":
pkgrm SUNWlur SUNWluu SUNWluzone SUNWlucfg
Install those same packages from the new Solaris version:
cd /mnt/Solaris_10/Product
pkgadd -d . SUNWlucfg SUNWlur SUNWluu SUNWluzone
Prepare the new boot environment, where X is the current update and Y the update we want to move to:
lucreate -c 10uX -n 10uY
luupgrade -u -n 10uY -s /mnt
luactivate 10uY
Reboot and we're upgraded:
init 6
With the prtdiag command we can get the machine's hardware configuration:
bash-3.00# prtdiag
System Configuration: SUN MICROSYSTEMS SUN FIRE X2250
BIOS Configuration: American Megatrends Inc. S86_3A11 07/11/2008
BMC Configuration: IPMI 2.0 (KCS: Keyboard Controller Style)
==== Processor Sockets ====================================
Version Location Tag
-------------------------------- --------------------------
Intel(R) Xeon(R) CPU X5472 @ 3.00GHz CPU 1
Intel(R) Xeon(R) CPU X5472 @ 3.00GHz CPU 2
==== Memory Device Sockets ================================
Type Status Set Device Locator Bank Locator
------- ------ --- ------------------- --------------------
DDR in use 0 DIMM 1A BANK
DDR empty 0 DIMM 2A BANK
DDR in use 0 DIMM 1B BANK
DDR empty 0 DIMM 2B BANK
DDR empty 0 DIMM 1C BANK
DDR empty 0 DIMM 2C BANK
DDR empty 0 DIMM 1D BANK
DDR empty 0 DIMM 2D BANK
==== On-Board Devices =====================================
AST2000
Gilgal PHY
Gilgal PHY
==== Upgradeable Slots ====================================
ID Status Type Description
--- --------- ---------------- ----------------------------
1 available PCI Express PCIE1
On JumpStart installations on x86 machines, the host keys for the ssh server are not created.
When this happens we usually see the following error when trying to ssh into the machine:
# ssh root@gadco01
Unable to negotiate a key exchange method
One solution is to create the keys manually from the console and "refresh" the service:
# /lib/svc/method/sshd -c
# svcadm refresh ssh
flarcreate -S -n "$HOSTNAME" -x /rpool/flardir/ -R / /rpool/flardir/$HOSTNAME.flar