XenServer: Enable SNMP

KB ID 0001629

Problem

We had to enable SNMP on a XenServer today, I’d never even logged onto one, but it turns out, much like ESX, it’s just a Linux server, at least the good folk at Citrix included nano on there so I didn’t have to struggle with the vi editor!

Solution

First from the web console ensure that SSH access is enabled > Remote Services Configuration > Enable/Disable Remote Shell.

SSH into the host and execute the following commands to enable the SNMP daemon at boot, take a backup of the config file, and finally edit the ‘live’ config file.

[box]

chkconfig snmpd on
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
nano /etc/snmp/snmpd.conf

[/box]

You can delete EVERYTHING (at the beginning of the file press CTRL+6 to mark the file, then press ALT+Shift+T (or ALT+T) to cut the text away). Then type in;

[box]

rocommunity {SNMP-String} {IP address or range with /{bits}}

i.e.
rocommunity public 192.168.1.0/24

[/box] 

Save and Exit (CTRL+X > ‘Y’ > {Enter}). Now you need to edit the firewall on the host (iptables) to allow the IP addresses of your SNMP collector(s).

[box]

nano /etc/sysconfig/iptables

[/box]

At the bottom (usually) you will see the catch-all REJECT rule (the one that replies with ICMP host-prohibited); put an entry for each collector BEFORE that in the following format;

[box]

-A RH-Firewall-1-INPUT -s {Collector-IP-Address} -p udp -m udp --dport 161 -j ACCEPT

[/box]

Save and Exit (CTRL+X > ‘Y’ > {Enter}). then restart iptables and the snmp daemon.

[box]

service iptables restart
service snmpd restart

[/box]
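To put the two edits above together for more than one collector, here is an added example script (not from the original article or from Citrix): it builds the rocommunity line, refuses the well-known default community strings, and inserts one ACCEPT rule per collector ahead of the chain's final REJECT in a copy of /etc/sysconfig/iptables. The chain name RH-Firewall-1-INPUT and the file layout are assumed to match the article; the sample firewall file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the firewall file
# uses the RH-Firewall-1-INPUT chain shown above and ends with a REJECT rule.

# An SNMP v2c community string is the only credential and it crosses the wire
# in clear text, so refuse the well-known defaults and unexpected characters.
check_community() {
    case "$1" in
        ''|public|private) return 1 ;;
        *[!A-Za-z0-9_-]*)  return 1 ;;
    esac
    return 0
}

# Print the snmpd.conf line: rocommunity <string> <allowed source network>.
snmp_ro_line() {   # $1 = community string, $2 = allowed source (CIDR)
    check_community "$1" || { echo "refusing community '$1'" >&2; return 1; }
    printf 'rocommunity %s %s\n' "$1" "$2"
}

# Print one ACCEPT rule per collector, in the article's format.
collector_rules() {   # $@ = collector addresses
    for c in "$@"; do
        printf '%s -s %s -p udp -m udp --dport 161 -j ACCEPT\n' \
            '-A RH-Firewall-1-INPUT' "$c"
    done
}

# Print the firewall file with the collector rules inserted just before the
# first REJECT, so they are evaluated ahead of the catch-all deny.
insert_before_reject() {   # $1 = iptables file, $2.. = collector addresses
    file=$1; shift
    tmp=$(mktemp)
    collector_rules "$@" > "$tmp"
    awk -v rf="$tmp" '
        !ins && /-j REJECT/ { while ((getline l < rf) > 0) print l; ins = 1 }
        { print }
    ' "$file"
    rm -f "$tmp"
}

# Constructed sample of the relevant part of /etc/sysconfig/iptables.
sample_iptables() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo "$f"
}
```

Run it as `f=$(sample_iptables); insert_before_reject "$f" 192.168.1.10 192.168.1.11` to see the rules land above the REJECT line; on a real host, point it at a copy of /etc/sysconfig/iptables and review the output before putting it in place.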

If you are polling it through a firewall you can test it locally using this piece of freeware, (I use this to test, but remember to add the local IP you are testing from to the snmp config and the iptables!)

Related Articles, References, Credits, or External Links

NA

Unified Networking Lab – Connecting ESX VM to the Internet

KB ID 0001276

Problem

UPDATE: This is an old article, UNL is now EVE-NG, please use the following link;

EVE-NG Connecting to the Internet

UNL is by far the coolest bit of kit I’ve got my hands on this year. I can run it in ESX, and connect to it from anywhere, so I don’t have to keep my labs on my laptop. But what if you want to connect your labs to a live network? There’s a great article on the unetlab website for the smaller versions of VMware. If you’re lucky enough to have your own vSphere environment there are a few more hoops to jump through.

Solution

First job is to present the vNics to the UNL virtual machine. Here all those vNics are in the same ‘port group’, but they don’t have to be, there’s no reason why you can’t present different VLANs, test networks, or DMZs for example.

Here I’m directly on the console, but you can also connect via SSH if you prefer. Make sure you can see the presented vNics with the following command;

[box]ifconfig -a | grep ^eth[/box]

Those networks need to be ‘bridged’ to the pnet interfaces that you use within UNL, to do that edit the network settings;

[box]nano /etc/network/interfaces[/box]

Note: I already had nano installed, ‘apt-get install nano’ will install it for you if you don’t. 

Make sure it looks like this, (OK, I’ve got 10 network cards bridged and only presented 5, but I can add more now, without having to go through this process again).

[box]

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_ageing 0

# Cloud devices
iface eth1 inet manual
auto pnet1
iface pnet1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_ageing 0

iface eth2 inet manual
auto pnet2
iface pnet2 inet manual
    bridge_ports eth2
    bridge_stp off
    bridge_ageing 0

iface eth3 inet manual
auto pnet3
iface pnet3 inet manual
    bridge_ports eth3
    bridge_stp off
    bridge_ageing 0

iface eth4 inet manual
auto pnet4
iface pnet4 inet manual
    bridge_ports eth4
    bridge_stp off
    bridge_ageing 0

iface eth5 inet manual
auto pnet5
iface pnet5 inet manual
    bridge_ports eth5
    bridge_stp off
    bridge_ageing 0

iface eth6 inet manual
auto pnet6
iface pnet6 inet manual
    bridge_ports eth6
    bridge_stp off
    bridge_ageing 0

iface eth7 inet manual
auto pnet7
iface pnet7 inet manual
    bridge_ports eth7
    bridge_stp off
    bridge_ageing 0

iface eth8 inet manual
auto pnet8
iface pnet8 inet manual
    bridge_ports eth8
    bridge_stp off
    bridge_ageing 0

iface eth9 inet manual
auto pnet9
iface pnet9 inet manual
    bridge_ports eth9
    bridge_stp off
    bridge_ageing 0

[/box]

You can ensure the interfaces are up by running;

[box]brctl show[/box]

If there’s a problem, you can bring them up manually by running ‘for i in $(seq 1 9); do ifup pnet${i}; done’.
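As an added example (not from the original article or from the UNL project), the following script generates the same stanza layout for any number of cloud bridges, so pnet1..pnetN don’t have to be typed by hand, and flags any pnet bridge that ‘brctl show’ lists without an enslaved port. The bridge naming and the DHCP-on-pnet0 layout are taken from the file above; the sample brctl output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the
# /etc/network/interfaces layout shown above for N cloud bridges and
# checks 'brctl show' output for bridges that ended up with no port.

# Print the interfaces file: pnet0 bridged to eth0 with DHCP, then
# pnet1..pnetN bridged to eth1..ethN with no address (cloud devices).
gen_interfaces() {   # $1 = number of cloud bridges
    cat <<'EOF'
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_ageing 0

# Cloud devices
EOF
    i=1
    while [ "$i" -le "$1" ]; do
        printf 'iface eth%s inet manual\nauto pnet%s\niface pnet%s inet manual\n' "$i" "$i" "$i"
        printf '    bridge_ports eth%s\n    bridge_stp off\n    bridge_ageing 0\n\n' "$i"
        i=$((i + 1))
    done
}

# Read 'brctl show' output on stdin and print each pnet bridge that has no
# interface column (its ethN never came up, or was never presented by ESX).
unbridged() {
    awk 'NR > 1 && $1 ~ /^pnet/ && NF < 4 { print $1 }'
}

# Constructed sample of 'brctl show' in which pnet2 has lost its port.
sample_brctl() {
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
    printf 'pnet0\t\t8000.000c29000001\tno\t\teth0\n'
    printf 'pnet1\t\t8000.000c29000002\tno\t\teth1\n'
    printf 'pnet2\t\t8000.000000000000\tno\n'
}

# Usage: gen_interfaces 9 > /etc/network/interfaces ; brctl show | unbridged
```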

ESX Enabling Promiscuous Mode

To enable your devices to talk through your vSwitches, they need to allow ‘promiscuous mode’, below you can see that being done on the vSwitch (in the VI Client).

Check the ‘port group’ as well and ensure that will also accept promiscuous mode.

If you are using the vSphere Web Client here is where promiscuous mode is set on the vSwitch.

And here is where it’s set on the port group.

Unfortunately you can’t change this setting in the new HTML5 management console but you can view it.

Connect Your UNL Lab To the Public Network

Add a new node, and select the ‘Network’ option > When you place it you can select which live network you want to connect to.

WARNING: Connect to live networks as you would in real life, (with a router, firewall, or correctly configured L3 device).

 

Related Articles, References, Credits, or External Links

NA

The uploaded file exceeds the upload_max_filesize directive in php.ini

KB ID 0001125 

Problem

When attempting to upload a file to your website (in my case from within WordPress), you see this error.

Solution

If you are on ‘shared hosting’ then you may not have access to your php.ini file; if that is the case you should add the following to your .htaccess file, (this will be a hidden file in the root folder of your website).

[box]

#########
php_value upload_max_filesize 50M
php_value post_max_size 50M
php_value max_execution_time 500
php_value max_input_time 500
#########

[/box]

If (like me) you have your own server, then you will need to edit the php.ini file directly, but where is it? Executing a ‘whereis php.ini’ command in my case showed me a few copies in various locations, but which one was live?

I’m assuming your website is installed in /var/www/html, so change the commands if yours is in a different location. I’m going to create a .php file in the root of my website, then browse to this file, it will show me all my .php settings, and tell me where the live copy of php.ini is located.

I use nano, if you don’t have it installed, enter the hell that is the ‘vi editor’ and use that instead 🙂

[box]

nano /var/www/html/info.php

[/box]

Then paste in the following text;

[box]

<?php phpinfo(); ?>

[/box]

Then browse to the info.php file on your website with a web browser, i.e. http://www.your-website.com/info.php. You should see something like this.

You can see that the ‘Loaded Configuration File’ is in /etc/php.ini

WARNING: Now it’s a little bit of a security hole having this sat there, so let’s delete this file on the server with the following command;

[box]

rm /var/www/html/info.php
# then enter 'y' to confirm

[/box]

How To Edit The php.ini File

Execute the following command;

[box]

nano /etc/php.ini

[/box]

Locate upload_max_filesize and change its setting accordingly, by default it’s only 2MB.

Also change your post_max_size setting, as the default is only 8MB.

Save and exit the file, then restart Apache.

[box]

/sbin/service httpd restart

[/box]

Try to upload your file again.
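Added example (not from the original article): a small script that pulls upload_max_filesize, post_max_size and memory_limit out of a php.ini and checks the ordering PHP requires, since an upload larger than post_max_size is dropped no matter how high upload_max_filesize is set. The directive names and their 2M/8M defaults are PHP’s own; the sample ini content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Reads the upload-related
# directives from a php.ini and checks upload_max_filesize <= post_max_size
# <= memory_limit; PHP silently drops uploads that break that ordering.

# Convert a PHP shorthand size (50M, 8192K, 1G, or plain bytes) to bytes.
php_size_bytes() {
    n=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Value of a directive, ignoring ';' comment lines and whitespace around '=';
# the last occurrence wins, and $3 is returned when the directive is absent.
ini_get() {   # $1 = ini file, $2 = directive, $3 = default
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print (val == "" ? d : val) }
    ' "$1"
}

# Report inconsistent limits; returns 0 when the ordering is satisfied.
check_upload_limits() {   # $1 = path to php.ini
    up=$(php_size_bytes "$(ini_get "$1" upload_max_filesize 2M)")
    post=$(php_size_bytes "$(ini_get "$1" post_max_size 8M)")
    mem=$(ini_get "$1" memory_limit 128M)
    rc=0
    if [ "$up" -gt "$post" ]; then
        echo "post_max_size ($post bytes) is below upload_max_filesize ($up bytes)"
        rc=1
    fi
    # memory_limit of -1 means unlimited, so only compare a real value.
    if [ "$mem" != "-1" ] && [ "$(php_size_bytes "$mem")" -lt "$post" ]; then
        echo "memory_limit ($mem) is below post_max_size ($post bytes)"
        rc=1
    fi
    return "$rc"
}

# Usage: check_upload_limits /etc/php.ini
```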

 

Related Articles, References, Credits, or External Links

NA

Ubuntu – Joining / Logging into Windows Domains

KB ID 0000384

Problem

You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.

Solution

Notes

1. The commands needed to install the “likewise-open5” package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

[box]

sudo apt-get install likewise-open5
sudo domainjoin-cli join domaina.com administrator
sudo reboot

[/box]

2. Then to allow users to logon from the Ubuntu welcome screen,

[box]sudo nano /etc/samba/lwiauthd.conf[/box]

3. Add the following line (the file will probably be empty), to Save press CTRL+X, then Y, then {enter}.

[box]winbind use default domain = yes[/box]

4. Then reboot.

[box]sudo reboot[/box]

5. To allow sudo for the domain user(s),

[box]sudo nano /etc/sudoers[/box]

Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group, domain^users also works).

[box]%domaina\domain^admins ALL=(ALL) ALL[/box]

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.

 

This plagued me for a while, I tried everything I read online (like making sure that my time was correct – which it wasn’t (see below), making sure firewalls were off (they were), making sure your DNS has a reverse lookup zone (mine has), and finally making sure there are no existing DNS records for the IP address you are connecting with (mine did so I deleted them). None of these fixed the problem; the fix is annoyingly simple.

FIX

Firstly make sure that the Ubuntu client is looking at your domain DNS server for its DNS, the following command will tell you,

[box]cat /etc/resolv.conf[/box]

Then get the domain syntax right; in my case only the lower-case FQDN form of the domain name worked.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
[WONT WORK] sudo domainjoin-cli join domaina administrator
[WONT WORK] sudo domainjoin-cli join DOMAINA administrator

[/box]

And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED – Access is denied.

This turned out to be a variation on the problem above, if you put in the domain name in UPPER CASE you will see this error.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator

[/box]

If you would like to add your domain user(s) to the welcome screen click here.

Update 04/01/12

Attention:  PeteNetLive – Suggestion 

Message: Hi,

Thanks very much for your YouTube and description of joining Ubuntu to a domain. There was however one step extra that I needed to do to enable the logon screen to show users other than the local user and the guest account. To do this I had to add the following line to /etc/lightdm/lightdm.conf

greeter-show-manual-login=true

I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.

Thanks again.

From: Roland Elferink

Related Articles, References, Credits, or External Links

Thanks to Roland Elferink for the update.

Original Article written 27/01/11

CentOS – Install and Configure a TFTP Server

KB ID 0000998

Problem

I needed to back up a Cisco firewall, and perform an upgrade remotely, despite my best efforts to use the ASDM and update via http, I had to go ‘old school’ and bring up a TFTP server on one of my CentOS Linux servers.

Solution

1. Log onto the server and install the xinetd TFTP Server. Execute the following command and follow the on-screen prompts.

[box]Using username “root”.
Last login: Thu Aug 7 17:58:10 2014 from midd-8.cable.virginm.net
[root@Web-Test ~]# yum install tftp tftp-server xinetd[/box]

2. Now you need to edit the config file, here I’m using nano, but you could use vi as well.

[box][root@Web-Test ~]# nano /etc/xinetd.d/tftp[/box]

3. When you open the file it will look like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}  

[/box]

4. Edit the file and save it, so it looks like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/lib/tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

[/box]

5. Set the permissions on the tftp folder.

[box][root@Web-Test ~]# chmod 777 /var/lib/tftpboot[/box]

Note: if you run SELinux you may also need to execute the following command, ‘setsebool -P tftp_anon_write 1’.

WARNING: This enables anonymous access on the TFTP root folder, if your server is public facing and not firewalled, then I would suggest you do what I do, (stop and start the service manually, and only open the firewall for TFTP when you need to use it – see below).

6. If you use iptables as a firewall, you will need to open the TFTP port (UDP Port 69).

[box][root@Web-Test ~]# iptables -I INPUT -p udp --dport 69 -j ACCEPT[/box]

7. Start the xinetd service.

[box][root@Web-Test ~]# /etc/init.d/xinetd start
Starting xinetd:[ OK ][/box]

8. If you want the service to always be running, (see my warning above) then use the following command.

[box][root@Web-Test ~]# chkconfig xinetd on[/box]

9. Let’s give it a test, from my Cisco device let’s see if I can back up the config to this server.

[box]

Petes-ASA# copy run tftp

Source filename [running-config]?

Address or name of remote host []? 123.123.123.123

Destination filename [running-config]?
Cryptochecksum: 9d4006ed 0bb1d39c fe61da22 91222a76
!!!
9284 bytes copied in 2.130 secs (4642 bytes/sec)
Petes-ASA#

[/box]

10. I could SSH into the server and change to the /var/lib/tftpboot directory and see the file. But I’ve got WinSCP installed so I can view the backup with that.

11. Let’s see if we can copy a file off the TFTP server back to the firewall.

[box]

Petes-ASA# copy tftp flash

Address or name of remote host []? 123.123.123.123

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://123.123.123.123/asa915k8.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 845.110 secs (32086 bytes/sec)
Petes-ASA#

[/box]

12. Now unless you are leaving xinetd running let’s turn it off.

[box][root@Web-Test ~]# /etc/init.d/xinetd stop
Stopping xinetd: [ OK ][/box]

13. If you are running iptables and have opened the TFTP port, I like to close that as well.

Note: It is possible to see that the port is open even if there is no service running on it, that’s why I close it down.

[box][root@Web-Test ~]# iptables -D INPUT -p udp --dport 69 -j ACCEPT[/box]
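Added example (not from the original article): a script that applies the two edits from step 4 to the xinetd tftp file with GNU sed, and wraps steps 6, 7, 12 and 13 into a single ‘window’ so the firewall port is closed and xinetd stopped again afterwards, including when the script is interrupted. TFTP_RUN is an assumed prefix for dry runs (TFTP_RUN=echo prints the commands instead of executing them); the paths and commands are the ones from the article.

```shell
#!/bin/sh
# Added example, not part of the original article. TFTP_RUN is an assumed
# command prefix: leave it empty on the server, or set TFTP_RUN=echo to see
# what would be run without touching iptables or xinetd.

# Step 4 as a repeatable edit: 'disable = yes' -> 'no', and '-c' added to
# server_args so the ASA can create new files. Both edits are idempotent.
enable_tftp_conf() {   # $1 = xinetd tftp config file, e.g. /etc/xinetd.d/tftp
    sed -i \
        -e 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' \
        -e '/^[[:space:]]*server_args/s/= *-s /= -c -s /' "$1"
}

# Steps 12 and 13: stop the listener and remove the firewall rule again.
tftp_teardown() {
    ${TFTP_RUN} /etc/init.d/xinetd stop
    ${TFTP_RUN} iptables -D INPUT -p udp --dport 69 -j ACCEPT
}

# Steps 6 and 7, kept open only for the given number of seconds and then
# torn down. Ctrl-C or a TERM during the wait still runs the teardown.
tftp_window() {   # $1 = seconds to keep TFTP reachable
    trap 'tftp_teardown; exit 130' INT TERM
    ${TFTP_RUN} iptables -I INPUT -p udp --dport 69 -j ACCEPT
    ${TFTP_RUN} /etc/init.d/xinetd start
    sleep "$1"
    tftp_teardown
    trap - INT TERM
}

# Usage: enable_tftp_conf /etc/xinetd.d/tftp && tftp_window 900
```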

Related Articles, References, Credits, or External Links

NA

 

Apache Web Server – Change the Default Page

KB ID 0000882 

Problem

Out of the box, Apache expects your website homepage to be called index; on this site the homepage is called home. Here’s how to change it.

Solution

1. Connect to the server via SSH, (or open a terminal session). The file you need to edit is called httpd.conf. This server is running CentOS, so you should find that file in the /etc/httpd/conf folder.

2. I’m going to edit it with nano.

3. Locate the DirectoryIndex section and remove index and any other unwanted filename (e.g. in this example index.var).

4. Add in the one you require and save and exit, (press CTRL+X and Y to save).

5. You need to restart Apache for the change to take effect.

[box]apachectl -k restart[/box]

 

Related Articles, References, Credits, or External Links

NA