Monday, April 30, 2012

oracle 11r1 & r2 centos install notes

i don't like reading long docs. just distill it down you say? okay.
echo redhat-4 >> /etc/redhat-release

in /etc/security/limits.conf

 # settings for oracle
 *               soft    nproc   2047
 *               hard    nproc   16384
 *               soft    nofile  1024
 *               hard    nofile  65536

in /etc/sysctl.conf

 kernel.shmmni = 4096

/sbin/sysctl -p

groupadd oinstall ; groupadd dba ; groupadd oper ; groupadd oracle 
useradd -g oinstall -G oracle -d /opt/oracle oracle
passwd oracle

install as user oracle...

11r1 & r2 install add'l packages

setarch
make
glibc
libaio
compat-libstdc++
gcc
libXp
openmotif
compat-db

11r2 yum install add'l packages:

elfutils-libelf-devel
gcc-c++
libaio-devel
libstdc++-devel
sysstat
unixODBC-2.2.11
unixODBC-devel-2.2.11
pdksh

Friday, April 27, 2012

dhcp3 combatting evil

After lunch yesterday I received a request for support from a fellow running several VMs and them not getting IP addresses from the DHCP server. That's weird. I've done nothing to my network and the ESX server looks just fine. There goes an afternoon...

After a look at the logs on the dhcp3 server, I found that an errant bank of devices was going haywire. Sure, pulling the power cord would've been a quicker fix, but I like puzzles.

Here's what I saw: first, a whole bunch of requests were coming in from a bunch of MACs pre-pended with e8:39:35 . All these requests were taking dhcp addresses. So, I plug in the address here:
http://www.wireshark.org/tools/oui-lookup.html

To figure out what hardware is behind that MAC.

I find out that it is not a virtual machine gone bad. HP device. Great. So then I pull out the bigger brain and decide that I want to craft a dhcp pool that'll ban HP devices and allow everything else. To do this I create rules explicitly allowing and denying classes of devices. Easy?

Below you'll find a list of common MAC identifiers for Virtual machines, a dhcp3.conf and some pertinent logs.

MAC identifiers
Company and Products                        MAC unique identifier
VMware ESX 3/4 Server, Workstation, Player  00:50:56 00:0C:29 00:05:69
MS Hyper-V, Virtual Server, Virtual PC      00:03:ff
Parallells Desktop, Workstation, Server, Virtuozzo 00:1c:42
Virtual Iron 4                              00:0f:4b
RedHat Xen                                  00:16:3e
Oracle VM                                   00:16:3e
XenSource                                   00:16:3e
Novell Xen                                  00:16:3e
Sun xVM VirtualBox                          08:00:27

dhcp3.conf
ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

authoritative;
log-facility local7;

option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
option routers 10.10.10.1;
option domain-name-servers 10.10.10.2, 10.10.10.3;
option domain-name "my.company.com";
option netbios-name-servers 10.10.10.2;

class "evil" {
        match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

class "vmware-clients" {
        match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:50:56")
        or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:c:29")
        or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:5:69");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
} 

class "not-evil" {
        match if not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

subnet 10.10.10.0 netmask 255.255.255.0 {
        pool {
                range 10.10.10.100 10.10.10.10.200;
                range 10.10.10.204 10.10.10.220;
                allow members of "vmware-clients";
                allow members of "not-evil";
                deny members of "evil";
                }
}

Log snippet
Apr 26 16:03:50 dhcpd: Wrote 8 leases to leases file.
Apr 26 16:05:00 dhcpd: DHCPREQUEST for 10.10.10.175 from e8:39:35:1f:8a:6e via eth0: lease 10.10.10.75 unavailable.
Apr 26 16:05:00 dhcpd: DHCPNAK on 10.10.10.175 to e8:39:35:1f:8a:6e via eth0
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: DHCPDISCOVER from 00:50:56:80:1a:75 via eth0
Apr 26 16:05:02 dhcpd: DHCPOFFER on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: DHCPREQUEST for 10.10.10.159 (10.10.10.2) from 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: DHCPACK on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:42 dhcpd: DHCPREQUEST for 10.10.10.162 from e8:39:35:1f:0e:97 via eth0: lease 10.10.10.162 unavailable.
Apr 26 16:05:42 dhcpd: DHCPNAK on 10.10.10.162 to e8:39:35:1f:0e:97 via eth0
Apr 26 16:07:03 dhcpd: 1:34:40:b5
Apr 26 16:07:03 dhcpd: DHCPREQUEST for 10.10.10.172 from 34:40:b5:20:a8:01 via eth0
Apr 26 16:07:03 dhcpd: DHCPACK on 10.10.10.172 to 34:40:b5:20:a8:01 via eth0

Wednesday, April 18, 2012

fix arp caches

so yeah. your ipv4 forwarder may be all scrambled and you've flushed the arp cache per a previous post, but the switches still have the incorrect arp information and hilarity ensues. an easy way to fix this is to issue a network command from the machine affected by arp nastiness. here's a quick oneliner to use ssh to connect to somewhere else - in this case via an ip'd secondary nic:

ssh -b secondary.nic.ip.address -p port me@somewhere

and the arp cache up the switch stack's been updated. of course, you're connecting to another system that's hanging off another switch up and around the stack, right?

Monday, April 16, 2012

who's plugging my ldap server

come on now. stop it already.
netstat -an | grep :389 | awk {'print $5'} | awk -F : '{print $1}' | sort | uniq
netstat -an | grep 389  | awk {'print $5'} | cut -f 1 -d \: | sort | uniq -c  
or. who the heck is searching for that freaking uid?
ngrep -q -t "uid" \(port 389 or port 636 \)

Tuesday, April 3, 2012

sunstudio11 curses!

sigh i messed up a studio11 install. i did. delete the directory, sure? and i did.
in the process of reinstalling, the installer said studio was already installed.
oh... yeah... pkgadd... whoopsies!
i need to reinstall. what to do?

Fixing a Failed Installation or Uninstallation on Solaris Platforms

    Become superuser by typing:

    su
    Password: root-password

    Open the Solaris Product Registry tool by typing:

    /usr/bin/prodreg &

    In the left pane of the tool, expand the Unclassified Software node.
    Select all of the package names containing Oracle Solaris Studio 11 and click Uninstall. 
    Follow the instructions to remove the packages.
    Click Exit to exit the tool.
    Remove the /root/.nbi directory by typing:

    rm -r /.nbi

From the commandline:
# /var/sadm/prod/com.sun.studio_11/
# ./batch_uninstall_all