2014年12月3日 星期三

how to add a local system account when Kerberos is in use

1. use the -r parameter (creates a system account)
# useradd -r -d /home/tommy -m tommy

2. change the password for the new user
# passwd tommy

3. confirm the user exists
# grep tommy /etc/passwd

2014年11月20日 星期四

install yii mvc framework

1. use curl to install composer (the installer is piped straight into php; compare the downloaded installer's checksum with the one published on getcomposer.org before running it)
#  export http_proxy=http://X.X.X.X:3128
#  export https_proxy=http://X.X.X.X:3128
#  curl -sS https://getcomposer.org/installer | php
#  mv composer.phar /usr/bin/composer

2. install the php5-mcrypt module
#  apt-get update
#  apt-get install php5-mcrypt

3. enable the php5-mcrypt module
#  php5enmod mcrypt
#  /etc/init.d/apache2  restart

4. create the first project with composer
#  composer create-project --prefer-dist yiisoft/yii2-app-basic yii

5. check project running status
open http://localhost/yii/web/index.php in a browser



2014年11月5日 星期三

start ubuntu in text mode

1. modify the grub settings
# vim /etc/default/grub

comment the line
GRUB_CMDLINE_LINUX_DEFAULT=""

change the line to
GRUB_CMDLINE_LINUX="text"

uncomment the line
GRUB_TERMINAL=console

2. update the grub configuration
# update-grub

3. reboot the machine
# reboot

2014年10月29日 星期三

create local ubuntu update repository with apt-mirror package

1. install apt-mirror package
# apt-get update
# apt-get install apt-mirror

2. modify apt-mirror configuration file (example for 12.04)
# vim /etc/apt/mirror.list

############# config ##################
#
set base_path    /var/spool/apt-mirror
#
set mirror_path  $base_path/mirror
set skel_path    $base_path/skel
set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############

deb http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu precise-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse

deb-amd64 http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu precise-security main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse

deb-i386 http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu precise-security main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu precise-proposed main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu precise-proposed main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise-proposed main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse

clean http://archive.ubuntu.com/


3. run the initial apt-mirror sync
# /etc/init.d/apt-mirror

4. create a symlink in the apache document root
# ln -s /var/spool/apt-mirror/mirror/archive.ubuntu.com/ubuntu/ /var/www/ubuntu

5. modify the client's (or this server's) sources.list to point at this server
# vim /etc/apt/sources.list
replace the upstream hostname with this server's URL, for example

deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted

deb http://update.csp.com/ubuntu/ precise main restricted
deb-src http://update.csp.com/ubuntu/ precise main restricted



2014年10月20日 星期一

squid server using NTLM authentication with multiple groups

1. modify squid.conf as below (squid evaluates http_access lines in order and stops at the first match, so the allow lines under #allow_specific are tested before the Safe_ports and CONNECT deny rules)
# vim /etc/squid3/squid.conf

http_port  3128
icp_port 0
htcp_port 0
cache_mgr admin@cps.com
visible_hostname squid.csp.com
cache_dir diskd /var/spool/squid3 81920 16 256
cache_mem 1024 MB
cache_swap_low  80
cache_swap_high 95
maximum_object_size  1024 KB
maximum_object_size_in_memory 800 KB
ipcache_size 65536
ipcache_low 80
ipcache_high 95

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

digest_generation off
pipeline_prefetch on
shutdown_lifetime 1 second

cache_access_log /var/log/squid3/access.log
#cache_access_log syslog:local5.info squid
cache_log /var/log/squid3/cache.log
cache_store_log none
pid_filename /var/run/squid3.pid
cache_swap_log /var/log/squid3/cache_swap.log
read_timeout 10 minutes
request_timeout 8 minutes
pconn_timeout 120 seconds
ftp_user anonymous
ftp_list_width 64
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
negative_ttl 2 minutes

cache_peer 10.10.2.2 parent 9119 0 no-query name=fproxy
cache_peer_domain fproxy .yahoo.co.jp .gov.tw

# authentication
authenticate_ttl 8 hours
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm squidt1-6 Proxy
auth_param basic credentialsttl 8 hours

external_acl_type wbinfo_check %LOGIN /usr/lib/squid3/wbinfo_group.pl
acl tw_www_disabled external wbinfo_check tw_www_disabled
acl tw_www_enabled external wbinfo_check tw_www_enabled
acl tw_www_cloud external wbinfo_check tw_www_cloud

#ACLS
#general
acl java browser -i ^JAVA/
acl svn browser -i ^SVN/
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl Safe_ports port 20 21 80 81 82 443 888 1025-65535
acl SSL_ports port 22 94 443 2083-2093 8443 10443
acl ftp proto FTP
acl http proto http

acl localhost src 127.0.0.1/32
acl gissrc src 10.77.0.0/16
acl cspdst dst 10.0.0.0/8  192.168.0.0/16
acl cspsrc src 10.0.0.0/8

acl site_block dstdomain "/etc/squid3/site_block"
acl site_allow dstdomain "/etc/squid3/site_allow"
acl ip_block dst "/etc/squid3/ip_block"
acl ip_china_proxy src "/etc/squid3/ip_china_proxy"
acl ip_gmail_allow src "/etc/squid3/ip_gmail_allow"
acl ip_cloud_allow src "/etc/squid3/ip_cloud_allow"
acl site_webmail_allow dstdomain "/etc/squid3/site_webmail_allow"
acl site_cloud_allow dstdomain "/etc/squid3/site_cloud_allow"

#allow_specific
http_access allow tw_www_disabled site_allow
http_access deny tw_www_disabled !site_allow

http_access allow ip_gmail_allow site_webmail_allow
http_access allow tw_www_cloud site_cloud_allow

#deny rule
http_access deny site_block
http_access deny ip_block
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !cspsrc
snmp_access deny !cspsrc
icp_access deny !cspsrc

#allow rule
http_access allow java
http_access allow svn
http_access allow ip_china_proxy
http_access allow gissrc
http_access allow manager localhost
http_access deny manager
http_access allow ftp
http_access allow Safe_ports tw_www_enabled

2014年10月6日 星期一

install squidGuard to implement ACLs

1. install squidguard
# apt-get update && apt-get install squidguard

2. modify squidguard configuration
# vim /etc/squid/squidguard.conf

dbhome /var/lib/squidguard/blacklists
logdir /var/log/squid

#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time workhours {
        weekly mtwhf 00:00 - 24:00
        date *-*-01  00:00 - 24:00
}
src admin {
        ip              10.124.20.159
        user            root tommy
        within          workhours
}

src client-src {
        ip              10.0.0.0/8
}

#
# DESTINATION CLASSES:
#

dest good {
        domainlist      good/domains
        urllist         good/urls
        log             block.log
}


dest ads {
        domainlist      ads/domains
        urllist         ads/urls
        log             block.log
}

dest adult {
        domainlist      adult/domains
        urllist         adult/urls
        log             block.log
}

dest chat {
        domainlist      chat/domains
        urllist         chat/urls
        log             block.log
}

acl {
        admin {
                pass     any
        }

        client-src within workhours {
                pass     good !ads !adult !chat all
        } else {
                pass any
        }

        default {
                pass     none
                redirect http://xxx.xxxx.xxxx/cgi-bin/blocked.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }
}

3. download a blacklist archive from the internet and extract it
# cd /var/lib/squidguard/
# tar zxvf bigblacklist.tar.gz


4. create good folder in the db location
# cd /var/lib/squidguard/blacklists
# mkdir good
# touch good/domains
# touch good/urls

5. initialize the database and change the ownership to the squid service account
# squidGuard -C all
# chown -Rf proxy:proxy  /var/lib/squidguard/blacklists

6. touch the block.log 
# touch /var/log/squid/block.log
# chown -Rf proxy:proxy /var/log/squid

7. add this line to squid.conf (use the same squidguard config path as in step 2)
# vim /etc/squid3/squid.conf
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

8. restart the squid service 
# /etc/init.d/squid restart

2014年10月1日 星期三

How to direct the squid log to splunk

1. modify the squid config and change cache_access_log to log via syslog
# vim /etc/squid3/squid.conf

#cache_access_log /var/log/squid3/access.log
cache_access_log syslog:local5.info squid

2. modify the rsyslog configuration to forward the squid log to splunk
# vim /etc/rsyslog.d/50-default.conf

add this line to the file (a single @ forwards over UDP in cleartext; use @@ for TCP, and consider rsyslog's TLS transport if the log leaves a trusted network)
local5.*                                  @splunk.xxx.xxx.xxx:514

3. restart squid and rsyslog
# /etc/init.d/squid3 restart
# /etc/init.d/rsyslog restart

4. confirm squid server status
# /etc/init.d/squid3 status

5. confirm the log data in splunk server

2014年5月28日 星期三

how to partition and mount a disk larger than 2TB

1. install the partitioning tool (parted)
# apt-get install parted

2. confirm the disk label of the device you want to format
# fdisk -l /dev/sdx

3. use parted to make a partition
# parted /dev/sdx

create a partition label; GPT is used because it supports disks larger than 2TB
(parted) mklabel gpt

Warning: The existing disk label on /dev/sdx will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
set the unit
(parted) unit TB

create 3TB size
(parted) mkpart primary 0.00TB 3.00TB

(parted) quit

4. format the new partition
# mkfs.ext4 /dev/sdx1

5. mount it
#mkdir /mnt/backup
#mount /dev/sdx1 /mnt/backup

6. use df to confirm the mounted size
#df -h

2014年5月27日 星期二

use ldapsearch to query windows active directory

1. install the LDAP client utilities
#apt-get install ldap-utils

2. options used below:
    -H  LDAP server URI
    -b  search base DN
    -D  bind account (domain\user)
    -w  bind password; given on the command line it is visible in `ps` and shell history, so prefer -W to be prompted, and use ldaps:// or -ZZ (StartTLS) so the simple bind is not sent in cleartext
 
#ldapsearch -LLL -H ldap://dc01.csp.com:389 -b "dc=csp,dc=com" -D "cps\tommy" -w "abc123" "(sAMAccountName=tommy.lbs)"

2014年5月5日 星期一

install postfix and dovecot and redirect all mail to one account

1. install postfix, pcre and dovecot
# apt-get install postfix postfix-pcre
# apt-get install dovecot-core dovecot-imapd

2. confirm your DNS zone has an MX record for your mail server

3. modify your postfix configuration for your environment
# vim /etc/postfix/main.cf

myhostname = mail.csp.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/16
always_bcc = tommy@csp.com.tw
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/

#head_checks
header_checks = pcre:/etc/postfix/header_checks

4. add the new file /etc/postfix/header_checks
# vim /etc/postfix/header_checks
/TO:*@*/ REDIRECT check01@csp.com

5. check postfix setting and restart postfix
# postfix check
# /etc/init.d/postfix restart

6. modify /etc/dovecot/dovecot.conf
#vim /etc/dovecot/dovecot.conf
uncomment the lines

listen = *, ::
base_dir = /var/run/dovecot/
instance_name = dovecot
login_greeting = Dovecot ready.

7. change 10-auth.conf
#vim /etc/dovecot/conf.d/10-auth.conf
uncomment the line and change the value (this allows plaintext logins on the unencrypted port 143 as well; keep it only if clients are restricted to imaps on 993 or a trusted network)
disable_plaintext_auth = no

8. change 10-master.conf
#vim /etc/dovecot/conf.d/10-master.conf
change the contents of these sections as below (mode = 0666 makes the unix sockets world-writable; since user and group are set to postfix on the auth socket, 0660 is sufficient)

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }

service auth {
   # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
auth_mechanisms = plain login

9. change 10-mail.conf
#vim /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir

10. change 20-imap.conf
#vim /etc/dovecot/conf.d/20-imap.conf
  imap_max_line_length = 64k
  mail_max_userip_connections = 10
  mail_plugins = $mail_plugins
  imap_logout_format = bytes=%i/%o
  imap_client_workarounds = tb-extra-mailbox-sep

11. restart the dovecot services.
# /etc/init.d/dovecot restart

2014年4月10日 星期四

ubuntu 12.04: install an ntp server and sync its clock over http (htpdate)

1. install the ntp server package
#apt-get update
#apt-get upgrade
#apt-get install ntp

2. modify ntp configuration
#vim /etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 127.127.1.0
restrict csp.garmin.com notrap nomodify nopeer noquery
restrict 192.168.200.0 mask 255.255.255.0
restrict 127.0.0.1
broadcast 192.168.200.255
disable auth
broadcastclient

3. restart the ntp service
#/etc/init.d/ntp restart

4. add the third-party PPA to sources.list
#vim /etc/apt/sources.list
deb http://ppa.launchpad.net/landronimirc/htpdate/ubuntu precise main
deb-src http://ppa.launchpad.net/landronimirc/htpdate/ubuntu precise main

5. add the PPA key
#add-apt-repository ppa:landronimirc/htpdate

6. update the repository index
#apt-get update

7. install htpdate package
#apt-get install htpdate

8. add a crontab entry (/etc/crontab requires a user field before the command; a `*` in the minute field would run the command every minute of every sixth hour, so use `0 */6`)
#vim /etc/crontab
0 */6 * * * root /usr/bin/htpdate -d http://www.perl.org

9. restart the cron service
#/etc/init.d/cron restart

2014年3月11日 星期二

Multipath with storage

1. install the multipath tools
#apt-get install multipath-tools  multipath-tools-boot

2. create multipath.conf
#cp /usr/share/doc/multipath-tools/examples/multipath.conf.synthetic /etc/multipath.conf

3. modify multipath.conf
#vim /etc/multipath.conf

defaults {
        path_grouping_policy    multibus
        failback                immediate
        no_path_retry           fail
        user_friendly_names     yes
}
blacklist {
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
        devnode "^hd[a-z][[0-9]*]"
        devnode "^cciss!c[0-9]d[0-9]*[p[0-9]*]"

      }

the blacklist section defines the devices that multipath must not manage

4. restart the multipath service
#service multipath-tools restart

5. show the multipath status
#multipath -ll
mpath0 (360050cc000203d7a0000000000000008) dm-0 OVERLAND,RAID 1200
[size=1.5T][features=0][hwhandler=0]
\_ round-robin 0 [prio=2][active]
 \_ 2:0:0:0 sda 8:0   [active][ready]
 \_ 2:0:1:0 sdb 8:16  [active][ready]

6. if your disk uses GPT, download the gptfdisk package (which provides fixparts) and install the deb
#wget http://download.opensuse.org/repositories/home:/srs5694/xUbuntu_10.04/amd64/gptfdisk_0.8.8-1_amd64.deb
#dpkg -i gptfdisk_0.8.8-1_amd64.deb
#apt-get -f install

7. run fixparts on the GPT disk
# fixparts /dev/mapper/mpath0


2014年2月19日 星期三

ubuntu 12.04 install php + mysql + apache2 + oracle + mssql develop environment

1. update all OS packages
# apt-get update
# apt-get upgrade

2. install the compiler packages
# apt-get install build-essential fakeroot dpkg-dev

3. install apache, mysql server and php
# apt-get install mysql-server mysql-client php5 php5-cli libapache2-mod-auth-mysql apache2

4. check that php works
# vim /var/www/1.php
<?php
echo phpinfo();
?>

5. install mssql odbc module
# apt-get install php5-sybase

6. install oracle module
# apt-get install libaio1 php-pear unzip

7. download instantclient for oracle
# cd /usr/local/lib
# wget http://download.oracle.com/otn/linux/instantclient/121010/instantclient-basic-linux.x64-12.1.0.1.0.zip
# wget http://download.oracle.com/otn/linux/instantclient/instantclient-sdk-linux.x64-12.1.0.1.0.zip
# unzip instantclient-basic-linux.x64-12.1.0.1.0.zip
# unzip instantclient-sdk-linux.x64-12.1.0.1.0.zip
# cd instantclient_12_1
# ln -s libclntsh.so.12.1 libclntsh.so

8. add these lines to /etc/environment
# vim /etc/environment

# Oracle Instant Client
LD_LIBRARY_PATH="/usr/local/lib/instantclient_12_1"
TNS_ADMIN="/usr/local/lib/instantclient_12_1"
ORACLE_BASE="/usr/local/lib/instantclient_12_1"
ORACLE_HOME=$ORACLE_BASE

9. install the oci8 extension with pecl
# pecl install oci8
when you get the prompt for oracle_home, key in the path 
'instantclient,/usr/local/lib/instantclient_12_1'

10. add the extension to php.ini
# vim /etc/php5/apache2/php.ini

extension=oci8.so

11. change the apache default charset to UTF-8
#vim /etc/apache2/conf.d/charset
uncomment AddDefaultCharset UTF-8


12. restart apache
#/etc/init.d/apache2 restart

2014年2月11日 星期二

manually install mysql server

1. update and install the packages needed to install mysql
# apt-get update
# apt-get install fakeroot build-essential dpkg-dev libaio-dev

2. download the mysql tarball from the mysql site and extract it
# tar zxvf mysql-advanced-5.5.28-linux2.6-x86_64.tar.gz

3. move it to /usr/local and create a symbolic link named mysql
# mv mysql-advanced-5.5.28 /usr/local/
# cd /usr/local
# ln -s mysql-advanced-5.5.28 mysql

4. create the mysql user and group
# useradd -d /home/mysql -m mysql

5. change the file owner before installing mysql
# chown -R mysql /usr/local/mysql
# chown -R mysql /usr/local/mysql

6. install the mysql server
#/usr/local/mysql/bin/mysql_install_db --basedir=/usr/local/mysql --datadir=/var/lib/mysql --user=mysql

7. copy the mysql configuration to /etc/
#cp support-files/my-medium.cnf /etc/my.cnf

8. start the mysql server
#/usr/local/mysql/bin/mysqld_safe --user=mysql &

9. add the mysql bin directory to the default PATH
# vim /etc/environment
append /usr/local/mysql/bin to the end of the PATH line

10. copy the mysql init script to /etc/init.d/
# cp support-files/mysql.server /etc/init.d/mysql.server

11. log in to mysql and change the root password
#mysql -u root

grant all on *.* to 'root'@'localhost' identified by 'xxxxx';
flush privileges;

12. restart mysql to confirm the root password
# /etc/init.d/mysql.server restart