Monday, 28 December 2020

Virtual HBA in Oracle VM Server for SPARC

_--------------- ldm list-hba -l primary 505 fcinfo hba-port | grep online 506 fcinfo hba-port 507 cfgadm -alv 508 format 509 ldm list 510 ldm list -l ldm-test-db 511 ldm list-hba 512 ldm list-io 513 ldm list 514 ldm list -l | more 515 ldm list-hba -l primary 516 fcinfo hba-port 517 ldm add-vsan /SYS/MB/PCIE1/HBA0/PORT0,0 pci1_port0 primary 518 ldm list-hba -l primary 519 ldm add-vhba p0_pci1_port0 pci1_port0 stdisk 520 ldm list 521 ldm add-vhba id=0 timeout=120 p0_pci1_port0 pci1_port0 ldm-test-db 522 ldm list-hba -d primary 523 ldm list 524 telnet loghost 5000 525 ldm add-vhba id=1 timeout=120 p1_pci1_port0 pci1_port0 ldm-test-db-2 526 ldm list-domain -l 527 ldm list 528 ldm list -l ldm-test-db 529 ldm add-vhba id=1 timeout=120 p1_pci1_port0 pci1_port0 ldm-test-db-2 530 ldm add-vsan /SYS/MB/PCIE1/HBA0/PORT0,0 pci1_port1 primary 531 ldm add-vhba p0_pci1_port1 pci1_port1 stdisk1 532 ldm add-vhba id=1 timeout=120 p1_pci1_port1 pci1_port1 ldm-test-db-2 533 ldm list 534 telnet loghost 5001 535 ldm list 536 ldm list 537 ldm list -l ldm-test-db -------------------------- Oracle VM Server for SPARC 3.3 was released on October 26 during Oracle OpenWorld. This release added an important new feature, virtual HBA (vHBA), which adds flexibility and relieves prior limitations of virtual I/O without sacrificing performance. Important note: A lot of functionality has been added to vHBA support in Solaris 11.3 updates. It's very important to be on a recent Solaris 11.3 SRU to get the best results. Background Oracle VM Server for SPARC supports both virtual I/O and physical I/O Physical I/O, described in the Administration Guide chapter I/O domains, gives domains direct ownership and access to I/O devices via PCIe busses, a PCIe endpoint device, or a PCIe SR-IOV virtual function. This is ideal when native performance or full access to device features is needed, but comes with restrictions. In particular, it is limited to the number of physical devices that can be assigned to domains, and is incompatible with live migration. Virtual I/O is more commonly used, as it provides more operational flexibility for virtual networks and virtual disks. Virtual I/O supports live migration, and can provide near native performance when correctly configured. However, virtual I/O also has restrictions. It supports network and disk devices, but not tape or other device types. Virtual disks have good performance, but are limited to active-passive virtual disk multipathing using mpgroups, which cannot be used in conjunction with SCSI reservation. Ideally, a guest domain would be a "full participant" in the SAN infrastructure used by enterprise customers. Introducing vHBA Virtual HBA (vHBA) is a new capability of Oracle VM Server for SPARC that lets guest domains have virtual SCSI HBAs. In the vHBA model, a physical host bus adapter is mapped onto a virtual SAN (vsan) in the service domain, and a virtual HBA in the guest domain is associated with the vsan. SCSA protocol is used to communicate between the physical HBA, the virtual SAN, and the virtual HBA. The physical LUNs addressed by the physical HBA are visible within the guest as virtual LUNs, and are managed within the guest domain using the regular Solaris device drivers, just as in a non-virtual environment. vHBA provides multiple benefits: Device functionality: - Solaris in the domain uses native device drivers, and can use full functionality for SCSI reserveration and MPxIO for path management Device generality: - Any device Solaris supports on a physical HBA is supported in the virtual HBA. For example, the guest domain will be able to use tape devices for backup. Command scalability - instead of requiring two commands per virtual disk (an ldm add-vdsdev and an ldm add-vdisk, all of the devices on the physical HBA are presented to the guest in the same commands. This reduces the effort needed by the domain administrator. Logical Domain Channel scalability - Normally, a virtual device consumes an LDC in the guest and in the service domain, and since there are limits on the number of LDCs per system and per domain, this can be a constraint on the number of devices that domains can have. With vHBA, the entire HBA is represented by a single LDC in the guest and service domain, regardless of the number of LUNs. Implementing vHBA Let's show an example of vHBA. It requires Oracle VM Server for SPARC 3.3, which is delivered with Oracle Solaris 11.3 in the control domain. The guest domains using vHBA must run Solaris 11, as Solaris 10 does not have the SCSA interface described above. There are no special hardware requirements other than having a physical HBA with LUNs. It runs on any supported SPARC server - in this example on a SPARC T2. First, let's display the physical HBA that's available on the server: primary# ldm ls-hba primary # alias is ldm list-hba NAME VSAN ---- ---- MB/SASHBA/HBA0 MB/RISER2/PCIE2/HBA0/PORT0,0 MB/RISER2/PCIE2/HBA0,1/PORT0,0 primary# ldm ls-hba -p primary HBA |alias=MB/SASHBA/HBA0|dev=/pci@0/pci@0/pci@2/scsi@0|disks=2 |alias=MB/RISER2/PCIE2/HBA0/PORT0,0|dev=/pci@0/pci@0/pci@9/SUNW,emlxs@0/fp@0,0|disks=4 |alias=MB/RISER2/PCIE2/HBA0,1/PORT0,0|dev=/pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0|disks=4 primary# ldm ls-hba -t primary NAME VSAN ---- ---- MB/SASHBA/HBA0 init-port 50800200005ab000 Transport Protocol SAS MB/RISER2/PCIE2/HBA0/PORT0,0 init-port 10000000c9b09b3c Transport Protocol FABRIC MB/RISER2/PCIE2/HBA0,1/PORT0,0 init-port 10000000c9b09b3d Transport Protocol FABRIC We have a physical adapter, and can even see the LUNs under it. Let's show some output formats for details. # ldm ls-hba -d primary NAME VSAN ---- ---- MB/SASHBA/HBA0 c3t0d0s0 c3t1d0s0 MB/RISER2/PCIE2/HBA0/PORT0,0 c4t21000024FF2D4C83d2s0 c4t21000024FF2D4C83d0s0 c4t21000024FF2D4C82d2s0 c4t21000024FF2D4C82d0s0 MB/RISER2/PCIE2/HBA0,1/PORT0,0 c5t21000024FF2D4C83d2s0 c5t21000024FF2D4C83d0s0 c5t21000024FF2D4C82d2s0 c5t21000024FF2D4C82d0s0 # ldm ls-hba -l primary NAME VSAN ---- ---- MB/SASHBA/HBA0 [/pci@0/pci@0/pci@2/scsi@0] MB/RISER2/PCIE2/HBA0/PORT0,0 [/pci@0/pci@0/pci@9/SUNW,emlxs@0/fp@0,0] MB/RISER2/PCIE2/HBA0,1/PORT0,0 [/pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0] Now that I've identified the physical resource, I'll create the vsan against it, and the vHBA for my guest domain: primary# ldm add-vsan MB/RISER2/PCIE2/HBA0,1/PORT0,0 jeff-vsan primary MB/RISER2/PCIE2/HBA0,1/PORT0,0 resolved to device: /pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0 primary# ldm add-vhba jeff-vhba jeff-vsan ldom3 That was really all there was to it. The guest now has the vHBA and sees its LUNs. I'll show that in a bit.First, I'll show the virtual services created in the control domain: primary# ldm list-services ... snip ... VSAN NAME LDOM TYPE DEVICE IPORT jeff-vsan primary VSAN vsan@0 [/pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0] VHBA NAME VSAN DEVICE TOUT SERVER jeff-vhba jeff-vsan vhba@0 0 primary We now have a vsan and a vHBA I've creatively named for myself. I can inspect the configuration using the commands I used in the beginning: primary# ldm ls-hba -d primary NAME VSAN ---- ---- MB/SASHBA/HBA0 c3t0d0s0 c3t1d0s0 MB/RISER2/PCIE2/HBA0/PORT0,0 c4t21000024FF2D4C83d2s0 c4t21000024FF2D4C83d0s0 c4t21000024FF2D4C82d2s0 c4t21000024FF2D4C82d0s0 MB/RISER2/PCIE2/HBA0,1/PORT0,0 jeff-vsan c5t21000024FF2D4C83d2s0 jeff-vsan c5t21000024FF2D4C83d0s0 jeff-vsan c5t21000024FF2D4C82d2s0 jeff-vsan c5t21000024FF2D4C82d0s0 jeff-vsan primary# ldm ls-hba -l primary NAME VSAN ---- ---- MB/SASHBA/HBA0 [/pci@0/pci@0/pci@2/scsi@0] MB/RISER2/PCIE2/HBA0/PORT0,0 [/pci@0/pci@0/pci@9/SUNW,emlxs@0/fp@0,0] MB/RISER2/PCIE2/HBA0,1/PORT0,0 jeff-vsan [/pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0] primary# ldm ls-hba -t primary NAME VSAN ---- ---- MB/SASHBA/HBA0 init-port 50800200005ab000 Transport Protocol SAS MB/RISER2/PCIE2/HBA0/PORT0,0 init-port 10000000c9b09b3c Transport Protocol FABRIC MB/RISER2/PCIE2/HBA0,1/PORT0,0 jeff-vsan init-port 10000000c9b09b3d Transport Protocol FABRIC primary# ldm ls -o san,hba NAME primary VSAN NAME TYPE DEVICE IPORT jeff-vsan VSAN vsan@0 [/pci@0/pci@0/pci@9/SUNW,emlxs@0,1/fp@0,0] ... snip ... NAME ldom3 VHBA NAME VSAN DEVICE TOUT SERVER jeff-vhba jeff-vsan vhba@0 0 primary Not counting the commands to list the environment, it only took two commands in the control domain (ldm add-vsan, ldm add-vhba) to do the actual work. vHBA devices viewed from the guest domain The guest domain was running while the above commands were issues (showing that this works with guest domain dynamic reconfiguration). I thought it would be interesting to see what dmesg reported for the dynamic reconfiguration events, so I tailed it and saw the following interesting events: root@ldom3:/# dmesg|tail Jul 20 16:40:54 ldom3 scsi: [ID 583861 kern.info] sd10 at scsi_vhci0: unit-address g600144f0ede50676000055a815160019: f_tpgs Jul 20 16:40:54 ldom3 genunix: [ID 936769 kern.info] sd10 is /scsi_vhci/disk@g600144f0ede50676000055a815160019 Jul 20 16:40:54 ldom3 cmlb: [ID 107833 kern.warning] WARNING: /scsi_vhci/disk@g600144f0ede50676000055a815160019 (sd10): Jul 20 16:40:54 ldom3 Corrupt label; wrong magic number Jul 20 16:40:54 ldom3 genunix: [ID 408114 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a815160019 (sd10) online Jul 20 16:40:54 ldom3 genunix: [ID 483743 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a815160019 (sd10) multipath status: degraded: path 1 vhba1/disk@w21000024ff2d4c83,0 is online Jul 20 16:40:54 ldom3 genunix: [ID 530209 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a815160019 (sd10) multipath status: optimal: path 2 vhba1/disk@w21000024ff2d4c82,0 is online: Load balancing: round-robin Jul 20 16:40:54 ldom3 genunix: [ID 408114 kern.info] /virtual-devices@100/channel-devices@200/scsi@0/iport@0/probe@w21000024ff2d4c83,2 (nulldriver1) online Jul 20 16:40:55 ldom3 scsi: [ID 583861 kern.info] sd11 at scsi_vhci0: unit-address g600144f0ede50676000055a81bb2001a: f_tpgs Jul 20 16:40:55 ldom3 genunix: [ID 936769 kern.info] sd11 is /scsi_vhci/disk@g600144f0ede50676000055a81bb2001a Jul 20 16:40:55 ldom3 genunix: [ID 408114 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a81bb2001a (sd11) online Jul 20 16:40:55 ldom3 genunix: [ID 483743 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a81bb2001a (sd11) multipath status: degraded: path 3 vhba1/disk@w21000024ff2d4c83,2 is online Jul 20 16:40:55 ldom3 genunix: [ID 530209 kern.info] /scsi_vhci/disk@g600144f0ede50676000055a81bb2001a (sd11) multipath status: optimal: path 4 vhba1/disk@w21000024ff2d4c82,2 is online: Load balancing: round-robin Next, I used format to show the disk devices: root@ldom3:/# format Searching for disks...done c0t600144F0EDE50676000055A815160019d0: configured with capacity of 23.93GB AVAILABLE DISK SELECTIONS: 0. c0t600144F0EDE50676000055A81BB2001Ad0 /scsi_vhci/disk@g600144f0ede50676000055a81bb2001a 1. c0t600144F0EDE50676000055A815160019d0 /scsi_vhci/disk@g600144f0ede50676000055a815160019 2. c1d0 /virtual-devices@100/channel-devices@200/disk@0 Specify disk (enter its number): ^C Note the long device names for the LUNs coming from a ZFS storage appliance - those are the ones I've just picked up. You can see that it's using the native device driver, instead of the 'virtual-devices' driver used with a standard vdisk. I even created a ZFS pool on one of the LUNs on another host accessing the physical SAN, so I can now import it: root@ldom3:/# zpool import pool: aux36 id: 10749927192920141180 state: ONLINE action: The pool can be imported using its name or numeric identifier. config: aux36 ONLINE c0t600144F0EDE50676000055A81BB2001Ad0 ONLINE root@ldom3:/# zpool import aux36 root@ldom3:/# zpool status -v pool: aux36 state: ONLINE scan: none requested config: NAME STATE READ WRITE CKSUM aux36 ONLINE 0 0 0 c0t600144F0EDE50676000055A81BB2001Ad0 ONLINE 0 0 0 errors: No known data errors At this point, if I had more devices I could use them too, and I could use all the device features Solaris supports on bare-metal, like SCSI reservation or MPxIO. Now, before you ask: I did some trivial performance tests with I/O workload tools, and it seemed to perform as well as regular vdisks on LUNs.
Posted by at No comments:

Wednesday, 9 December 2020

EMC Recover Point – how to recreate repository volume

EMC Recover Point – how to recreate repository volume We have to recreate repository volume of our RP but I could not find any guidance from EMC site. So I’m documenting my steps here for further usage: Procedure overview: On EMC storage: Create about 6-8 GB LUN. Present that LUN to storage group of RP nodes. On RP appliances: On last cluster member: Detach RPA from cluster Format repository volume Reboot Attach RPA to cluster On each subsequent appliance: Detach RPA from cluster Select repository volume Reboot Attach RPA to cluster This is a transcript of console sessions: login as: ****** Using keyboard-interactive authentication. Password: Last login: Fri May 23 07:56:54 2014 from 10.*.*.* Initializing Installation Manager... done Installation Manager - RecoverPoint Version 4.0.SP2(m.24) Cluster RP-CLUSTER RPA 1 ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Detach RPA from cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to detach the RPA from the cluster (Note: RPA will be rebooted when re-attached) (y/n)? y Detach from cluster succeeded. ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 2 ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 2 1. Format a volume as a repository volume 2. Select an existing repository volume Select the operation for the volume (1 to 2): 2 |---------------------------------------------------------------------------| | | Size | Vndr | Product | Name | UID | Cluster | |----|-------|------|---------|--------------|--------------|---------------| | 1. | 8.0GB | DGC | RAID 5 | rp_repositor | 60,06,01,60, | 0x4 d | | | | | | y (3) | 3d,40,36,00, | 603d9 | |----|-------|------|---------|--------------|--------------|---------------| 1 volume was found. Do you want to continue? (y/n)? y Configure repository volume completed successfully. ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to attach the RPA to the cluster (Note: RPA will be rebooted) (y/n)? y RPA is going to be attached and reboot. Attach to cluster succeeded login as: ****** Using keyboard-interactive authentication. Password: Last login: Fri May 23 07:56:54 2014 from 10.*.*.* Initializing Installation Manager... done Installation Manager - RecoverPoint Version 4.0.SP2(m.24) Cluster RP-CLUSTER RPA 1 ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Detach RPA from cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to detach the RPA from the cluster (Note: RPA will be rebooted when re-attached) (y/n)? y Detach from cluster succeeded. ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 2 ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 2 1. Format a volume as a repository volume 2. Select an existing repository volume Select the operation for the volume (1 to 2): 2 |---------------------------------------------------------------------------| | | Size | Vndr | Product | Name | UID | Cluster | |----|-------|------|---------|--------------|--------------|---------------| | 1. | 8.0GB | DGC | RAID 5 | rp_repositor | 60,06,01,60, | 0x4 d | | | | | | y (3) | 3d,40,36,00, | 603d9 | |----|-------|------|---------|--------------|--------------|---------------| 1 volume was found. Do you want to continue? (y/n)? y Configure repository volume completed successfully. ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to attach the RPA to the cluster (Note: RPA will be rebooted) (y/n)? y RPA is going to be attached and reboot. Attach to cluster succeeded login as: ****** Using keyboard-interactive authentication. Password: Last login: Fri May 23 07:56:54 2014 from 10.*.*.* Initializing Installation Manager... done Installation Manager - RecoverPoint Version 4.0.SP2(m.24) Cluster RP-CLUSTER RPA 1 ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Detach RPA from cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to detach the RPA from the cluster (Note: RPA will be rebooted when re-attached) (y/n)? y Detach from cluster succeeded. ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 2 ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 2 1. Format a volume as a repository volume 2. Select an existing repository volume Select the operation for the volume (1 to 2): 2 |---------------------------------------------------------------------------| | | Size | Vndr | Product | Name | UID | Cluster | |----|-------|------|---------|--------------|--------------|---------------| | 1. | 8.0GB | DGC | RAID 5 | rp_repositor | 60,06,01,60, | 0x4 d | | | | | | y (3) | 3d,40,36,00, | 603d9 | |----|-------|------|---------|--------------|--------------|---------------| 1 volume was found. Do you want to continue? (y/n)? y Configure repository volume completed successfully. ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to attach the RPA to the cluster (Note: RPA will be rebooted) (y/n)? y RPA is going to be attached and reboot. Attach to cluster succeeded login as: ****** Using keyboard-interactive authentication. Password: Last login: Fri May 23 07:56:54 2014 from 10.*.*.* Initializing Installation Manager... done Installation Manager - RecoverPoint Version 4.0.SP2(m.24) Cluster RP-CLUSTER RPA 1 ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Detach RPA from cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to detach the RPA from the cluster (Note: RPA will be rebooted when re-attached) (y/n)? y Detach from cluster succeeded. ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 2 ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 2 1. Format a volume as a repository volume 2. Select an existing repository volume Select the operation for the volume (1 to 2): 2 |---------------------------------------------------------------------------| | | Size | Vndr | Product | Name | UID | Cluster | |----|-------|------|---------|--------------|--------------|---------------| | 1. | 8.0GB | DGC | RAID 5 | rp_repositor | 60,06,01,60, | 0x4 d | | | | | | y (3) | 3d,40,36,00, | 603d9 | |----|-------|------|---------|--------------|--------------|---------------| 1 volume was found. Do you want to continue? (y/n)? y Configure repository volume completed successfully. ** Setup ** [1] Modify settings [2] Configure repository volume [3] Get remote settings [4] Retrieve previous settings [5] Apply settings [6] View settings [7] Reset settings changes [8] Advanced options [9] Console configuration [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: b ** Main Menu ** [1] Installation [2] Setup [3] Diagnostics [4] Cluster operations [5] Shutdown / Reboot operations [Q] Quit RP-CLUSTER RPA 1: 4 ** Cluster operations ** [1] Attach RPA to cluster [2] Remove a cluster from this system [3] Configure connection types to other clusters in the system [M] Main Menu [B] Back [Q] Quit RP-CLUSTER RPA 1: 1 Do you want to attach the RPA to the cluster (Note: RPA will be rebooted) (y/n)? y RPA is going to be attached and reboot. Attach to cluster succeeded
Posted by at No comments:

Thursday, 10 September 2020

Swap Space Made Easy

Swap Space Made Easy Cutting through the exposition and explanation, we can create a new swap file as easily and quickly as this: sudo dd if=/dev/zero /of=/swapfile2 bs=1024 count=104857 sudo mkswap /swapfile2 sudo chmod 600 /swapfile2 sudo swapon /swapfile2 And let’s check that it worked: swapon --show sudo dd if=/dev/zero /of=/swapfile2 bs=1024 count=104857 in a terminal window If you want to make that permanent drop, it into your /etc/fstab file. The line we need to add to the bottom of the file is: /swapfile none swap sw 0 0 The operating system makes use of swap space when its available physical memory (RAM) is running out due to ever-demanding applications. In this situation, the operating system moves the inactive pages in physical memory to swap space. This freeing up of physical memory will be used for other applications. When the physical memory is available enough, the swap memory area will be brought back to the physical memory. The administrators ensure that sufficient swap space present in the system so that some free physical memory always available to the operating system. This article provides steps to create or increase swap space and also delete if you need it. Table of Contents ​Do I really need swap space? Partition or file? What is the recommended swap size? Creating swap space Disable and remove a swap file Limitation ​Conclusion ​Do I really need swap space? Not always, the provided system has a large amount of physical memory (RAM). But it is recommended to have swap space handy. The system may crash when the system is run out of physical memory when many applications are running with large memory footprint. When compared to RAM, disk space is relatively cheap! Partition or file? Swap space can be a dedicated swap partition (recommended), a swap file, or a combination of both. By default, most of the Linux distributions create a dedicated swap partition or a file on the system partition during installation. Windows operating system generally has the swap space as a file. What is the recommended swap size? Though there is no hard and fast rule to have swap space, it is recommended to have at least 1.5 times the physical memory. In the case of hibernation, the swap partition should be at least as big as the RAM size. Creating swap space Following are the instructions to create swap space using a file: Login as root. sudo su get superuser ubuntu linux Create swap file in directory “/var” with name “swapfile”. At the shell, create the file and set root permissions as follows: cd /var touch swapfile chmod 600 swapfile ls -la swapfile create swap file Use “dd” command to fill the swap file with 1 GB size (as an example) as follows : dd if=/dev/zero of=/var/swapfile bs=1024k count=1000 create swap file with data Now setup the swap file: mkswap /var/swapfile Picture Enable the swap file: swapon /var/swapfile enable swap file To check whether the new swap file was successfully created, either of the below commands can be used.​ # cat /proc/swaps # swapon –show get all swap files Add below line to the “/etc/fstab” file so that next time when the system boots, it enables the newly created swap file: /var/swapfile none swap sw 0 0 Disable and remove a swap file Disable the swap file. # swapoff /var/swapfile Delete the swap file. # rm /var/swapfile Remove the entry from “/etc/fstab” file. /var/swapfile none swap sw 0 0 Limitation
Posted by at No comments:

Wednesday, 9 September 2020

Disable SELinux Permanently

Disable SELinux Permanently To permanently disable SELinux, use your favorite text editor to open the file /etc/sysconfig/selinux as follows: # vi /etc/sysconfig/selinux SELinux Enforcing Mode SELinux Enforcing Mode Then change the directive SELinux=enforcing to SELinux=disabled as shown in the below image. SELINUX=disabled Disable SELinux Permanently Disable SELinux Permanently Then, save and exit the file, for the changes to take effect, you need to reboot your system and then check the status of SELinux using sestatus command as shown: $ sestatus Check SELinux Status Check SELinux Status
Posted by at No comments:

Tuesday, 8 September 2020

Linux HTTP Server Configuration

Installation For a minimum HTTP server installation, issue the following command. # yum install httpd If you want a more complete installation, you can install the "Web Server" package group. # yum groupinstall "Web Server" Make sure the "/etc/hosts" file contains references for the loopback address and the hostname. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 192.168.122.89 rhce1.localdomain rhce1 Turn on the HTTP server and make sure it starts automatically on reboot. # service httpd start # chkconfig httpd on The HTTP server is now installed and running. The HTTP configuration files are located under the "/etc/httpd" directory, with the main configuration file being the "/etc/httpd/conf/httpd.conf" file. The default document root is "/var/www/html". Any files or directories below this point will be visible using a browser once you configure the firewall. Changes to the "/etc/httpd/conf/httpd.conf" file have to be followed by a reload or a restart of the httpd service. # service httpd reload # # OR # service httpd restart Firewall If you are using the Linux firewall, you need to punch a hole in the firewall for port 80 (and 443 for HTTPS) to make sure the HTTP server can be accessed from the network. There are several ways to do this: The "Firewall Configuration" dialog from the menu (System > Administration > Firewall) or initiated from the command line by running the system-config-firewall command. On the "Trusted Services" section, scroll down the list and check the "WWW (HTTP)" option, then click the "Apply" button. The text-based "Firewall Configuration" utility (system-config-firewall-tui). This is the text-based version of the above dialog. Using the iptables service directly, as described here. In this case we could need the following entry. iptables -A INPUT -p tcp --dport 80 -j ACCEPT You can read more about the Linux firewall here. SELinux If you are using SELinux, you will need to consider the following points. The SELinux booleans associated with the httpd service are displayed using the getsebool command. # getsebool -a | grep httpd allow_httpd_anon_write --> off allow_httpd_mod_auth_ntlm_winbind --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> on httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_manage_ipa --> off httpd_read_user_content --> off httpd_run_stickshift --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_tmp_exec --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_gpg --> off httpd_use_nfs --> off httpd_use_openstack --> off httpd_verify_dns --> off # The setsebool command is used to set a specific boolean value. # setsebool httpd_use_nfs on # setsebool httpd_use_nfs off The httpd_sys_content_t context should be assigned to all content. # semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" # restorecon -F -R -v /var/www/html You can check the current context setting on files and directories using the "ls -alZ" command. More information on SELinux can be found here. Virtual Hosts Virtual Hosts allow multiple websites to be hosts by a single physical machine, with each website being apparently independent of each other. The virtual hosts can be IP-based, but are typically name-based, meaning the domain name in the URL used to access the web server determines which virtual host the request is for. Create the following directories as locations for two virtual hosts. I've also created a test file in both document roots. # mkdir -p /www/mysite1.com/logs # mkdir -p /www/mysite1.com/html # echo "MySite1.com Test file" > /www/mysite1.com/html/test.txt # mkdir -p /www/mysite2.com/logs # mkdir -p /www/mysite2.com/html # echo "MySite2.com Test file" > /www/mysite2.com/html/test.txt If you are using SELinux, make sure the directories and their contents are assigned the correct context. # semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?" # restorecon -F -R -v /www Virtual hosts are defined in the "/etc/httpd/conf/httpd.conf" file. The definition of the two virtual hosts are shown below. NameVirtualHost *:80 ServerName www.mysite1.com Serveralias mysite1.com DocumentRoot /www/mysite1.com/html ErrorLog /www/mysite1.com/logs/mysite1.com-error_log ServerName www.mysite2.com Serveralias mysite2.com DocumentRoot /www/mysite2.com/html ErrorLog /www/mysite2.com/logs/mysite2.com-error_log Reload or restart the httpd service for the changes to take effect. # service httpd reload # # OR # service httpd restart Provided the DNS, or hosts file, resolves the names "mysite1.com" and "mysite2.com" to the IP address of the web server, pages under the document roots will now display for each virtual host. To test this you can alter your hosts file with the following entries. 127.0.0.1 mysite1.com mysite1 127.0.0.1 mysite2.com mysite2 You should now see the correct test page under each of the following URLs on the web server. http://mysite1.com/test.txt http://mysite2.com/test.txt Private Directories Using the virtual hosts we created previous, create a new directory called "private" and place a file in it. # mkdir /www/mysite1.com/html/private # echo "MySite1.com Private Test file" > /www/mysite1.com/html/private/test.txt Create a ".htpasswd" file containing a username/password, then add a second entry. # cd /www/mysite1.com/html/private # htpasswd -cmb .htpasswd user1 password1 # htpasswd -mb .htpasswd user2 password2 Edit the "/etc/httpd/conf/httpd.conf" file with an entry such as the following. AuthType basic AuthName "Private Access" AuthUserFile "/www/mysite1.com/html/private/.htpasswd" Require valid-user Order allow,deny Allow from all Reload or restart the httpd service for the changes to take effect. # service httpd reload # # OR # service httpd restart You should now be prompted for a username/password when trying to access the following file. http://mysite1.com/private/test.txt Group Managed Content Using the virtual hosts defined previously, we will enable group managed content for "mysite1.com". Create a group that the users will be part of. # groupadd webdevs Add the necessary users to the group. # # Create new users. # useradd -g webdevs user1 # useradd -g webdevs user2 # # # Modify existing users. # usermod -g webdevs user1 # usermod -g webdevs user2 Change the ownership and permissions of the directories holding the group managed content. # chown -R apache.webdevs /www/mysite1.com/html # chmod -R 775 /www/mysite1.com/html # chmod -R g+s /www/mysite1.com/html Log in a the two users and check they can add and amend content. # su - user1 $ umask 002 $ echo "Test by user1" > /www/mysite1.com/html/group-test.txt $ exit logout # su - user2 $ umask 002 $ echo "Test by user2" >> /www/mysite1.com/html/group-test.txt $ exit logout # The file with both users content is visible using the following URL. http://mysite1.com/group-test.txt Notice the umask setting, which allows read/write permission for the group. This setting can be placed in the "~/.bashrc" or the "~/.bash_profile" file for each user. Deploy a Basic CGI Application Create a directory called "cgi-bin" under an existing virtual host. # mkdir /www/mysite2.com/html/gci-bin Create a simple CGI application in the directory, for example a file called "helloworld.pl" with the following contents. #!/usr/bin/perl print "Content-type: text/html\n\n"; print "helloWorld!"; Change the ownership and make sure the file is executable. # chown apache.apache helloworld.pl # chmod u+x helloworld.pl Edit the "/etc/httpd/conf/httpd.conf" file, adding the following entries to the virtual host definition. ScriptAlias /cgi-bin/ /www/mysite2.com/html/gci-bin/ Options +ExecCGI AddHandler cgi-script .pl .cgi So the complete definition looks like this. ServerName www.mysite2.com Serveralias mysite2.com DocumentRoot /www/mysite2.com/html ErrorLog /www/mysite2.com/logs/mysite2.com-error_log # Below added to support CGI applications ScriptAlias /cgi-bin/ /www/mysite2.com/html/gci-bin/ Options +ExecCGI AddHandler cgi-script .pl .cgi Reload or restart the httpd service for the changes to take effect. # service httpd reload # # OR # service httpd restart The CGI application can now be run will the following URL. http://mysite2.com/cgi-bin/helloworld.pl If you prefer the "cgi-bin" directory to be placed in a different location, simply alter the "ScriptAlias" entry to reflect the changed location. SSL Configuration (HTTPS) HTTPS configuration is not a requirement of the RHCE exam, but it is useful to know, so I included it. If they are not already installed, install the mod_ssl, openssl and crypto-utils packages. # yum install mod_ssl openssl crypto-utils The installation of the mod_ssl package creates the "/etc/httpd/conf.d/ssl.conf" configuration file, which includes references to the default self-signed localhost certificate and key. This is sufficient for testing SSL configuration. The httpd service must be restarted for the module to be loaded, but we will do that later. The genkey command can generate a certificate request or a new self-signed certificate. For this test I created a new self-signed certificate. Remember, if you encrypt the certificate with a passphrase, you will need to enter it every time you start the HTTP server. # genkey --makeca rhce1.localdomain Move the key and certificate to the relevant directories. # mv /etc/pki/CA/private/rhce1.localdomain /etc/pki/tls/private/rhce1.localdomain # mv /etc/pki/CA/rhce1.localdomain /etc/pki/tls/certs/rhce1.localdomain Add/modify the following lines in the "/etc/httpd/conf.d/ssl.conf" file. SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!DHE:!RSA SSLCertificateFile /etc/pki/tls/certs/rhce1.localdomain SSLCertificateKeyFile /etc/pki/tls/private/rhce1.localdomain #SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt Notice the "SSLCACertificateFile" entry is commented out. If you are using a real certificate, you will probably need to download the intermediate bundle from the CA and reference it using this tag. Restart the HTTP server. # service httpd restart Provided you have the correct firewall settings, you should now be able to access your applications using HTTPS. https://rhce1.localdomain
Posted by at No comments:

Synchronize Time on Installed Linux Operating Systems NTP

Synchronize Time on Installed Linux Operating Systems When Linux machines are provisioned with an operating system, the Network Time Protocol (NTP) service is not running. After moving the newly provisioned Linux machines to a network with access to the NTP server, you must synchronize the time on the machines to network time. Prerequisites Configure the Linux machines on a network with access to the NTP server. Identify the NTP servers used in your environment. Procedure On the Linux machine, log in as root. Run the ntpdate -u command to update the machine clock. For example, ntpdate -u ntp-time.for.mydomain. Open the /etc/ntp.conf file and add the NTP servers used in your environment. You can add multiple NTP servers similar to these examples. server ntp-time.for.mydomain server otherntp.server.org server ntp.research.gov Run the service ntpd start command to start the NTP service and implement you configuration changes.
Posted by at No comments:

Monday, 24 August 2020

Important command

 for Windows

Command

wmic bios get serialnumber


Posted by at No comments:

Node Manager Username and Password for Oracle HTTP Server 12c

 

How to Change the Node Manager Username and Password for Oracle HTTP Server 12c in a Standalone Domain (Doc ID 1945039.1)

Applies to:

Oracle HTTP Server - Version 12.1.2.0.0 and later
Information in this document applies to any platform.

Goal

What tools can be used to modify the node manager user name and password for a standalone OHS 12c domain?  

Note:  A standalone domain is a container for system components, such as Oracle HTTP Server. It has a directory structure similar to an Oracle WebLogic Server Domain, but it does not contain an Administration Server or Managed Servers. It can contain one or more instances of system components of the same type, such as Oracle HTTP Server, or a mix of system component types.  Reference 1.4.2 Standalone Domain

 

Solution

The steps are as follows:

1. Stop the Oracle HTTP Server component and the Node Manager (NM) :

$ cd DOMAIN_HOME/bin
$ ./stopComponent.sh <ohs_component>

$ ./stopComponent.sh <ohs_component>
Stopping System Component <ohs_component> ...

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Reading domain from DOMAIN_HOME
 
Please enter your password : <Enter old password>
Connecting to Node Manager ...
Successfully Connected to Node Manager.
Killing server <ohs_component> ...
Successfully killed server <ohs_component>
Successfully disconnected from Node Manager.

Exiting WebLogic Scripting Tool.

Done
$

CTRL C in the window where NM is running (Or kill the PID of NM)


2. Invoke WLST offline:

$ cd ORACLE_HOME/oracle_common/common/bin
$ ./wlst.sh

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline>

3. Read in the domain:

wls:/offline>readDomain('DOMAIN_HOME')

4. Get the security MBean:

wls:/offline/ohs_domain>cd('/SecurityConfiguration/ohs_domain')

5. Change the NM user name:
Need to provide a node manager user name on this step, this can be an old user name. Otherwise, the NM password may not modify correctly.

wls:/offline/new_ohs_domain/SecurityConfiguration/new_ohs_domain>set('NodeManagerUsername','<new_NM_Username>')

6. Change the NM password then commit the changes. You can give a clear text password such as 'welcome1'.
The encrypted password will be stored in /u01/oracle/config/ohs_domain/nodemanager/nm_password.properties.

wls:/offline/new_ohs_domain/SecurityConfiguration/new_ohs_domain>set('NodeManagerPasswordEncrypted','password')
wls:/offline/new_ohs_domain/SecurityConfiguration/new_ohs_domain>updateDomain()
wls:/offline/new_ohs_domain/SecurityConfiguration/new_ohs_domain>closeDomain()
wls:/offline>exit()

Exiting WebLogic Scripting Tool.


Checking timestamps you can see that  the following files have been updated:

/u01/oracle/config/ohs_domain/config/config.xml
/u01/oracle/config/ohs_domain/config/nodemanager/nm_password.properties

7. Restart NM:

$ cd DOMAIN_HOME/bin
$ ./startNodeManager.sh

8. Finally, restart OHS

$ ./startComponent.sh <ohs_component>
Starting System Component <ohs_component> ...

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Reading domain from DOMAIN_HOME
 
Please enter your password : <Enter new password>
Connecting to Node Manager ...
Successfully Connected to Node Manager.
Starting server <ohs_component> ...
Successfully started server <ohs_component> ...
Successfully disconnected from Node Manager.

Exiting WebLogic Scripting Tool.

Done


9. It is possible to prevent the prompt for the NM password on each OHS startup by storing the password in an encrypted form using a key store with the command:

$ ./startComponent.sh <ohs_component> storeUserConfig

10. If the old password was previously stored in a key store before the password was changed, the cached key store files need to be removed before restarting the OHS component:

$ cd
$ cd .wlst
$ ls -l
total 8
-rw-r----- 1 user group 227 Nov 14 16:09 nm-cfg-ohs_domain.props
-rw-r----- 1 user group 64 Nov 14 16:09 nm-key-ohs_domain.props
$ rm nm-cfg-ohs_domain.props
$ rm nm-key-ohs_domain.props


11. If required, the new password can then be re-stored using the same command:

$ ./startComponent.sh <ohs_component> storeUserConfig
To BottomTo Bottom
Posted by at No comments:

Wednesday, 12 August 2020

Adding to Root Group using usermod

 

Method  1: Adding to Root Group using usermod

Let see how we can grant normal user root access by adding to root group.

# adduser user1
# adduser user2
# groupadd test

These are the groups I have in my Linux box.

# groups
root bin daemon sys adm disk wheel

I am going to add user1 to root group as follows:

# usermod -G root user1

The command given below provides the existing user with the root privilege

# usermod -g 0 -o root_user

Method 2: Adding to Root Group using Useradd Command

I have added a new user, 'user3' to the root group using one single command:

# useradd -m -G root user3
# groups user3
user3 : user3 root

Another option using useradd command

useradd -c “Imitation Root” -d /home/root_user -m -k /etc/skel -s /bin/bash -u 0 -o -g root root_user

Method 3: Editing /etc/passwd file

Edit /etc/passwd for the particular user. Change the user's UID and GID to '0'. This will give root permissions to user.

root:x:0:0:root:/root:/bin/bash
temproot:x:128:128:temproot

Now, temproot user should have root privilege:

root:x:0:0:root:/root:/bin/bash
temproot:x:0:0:temproot

Note: This is not the recommended method for granting root access

Method 4: Setting as Sudo User

The sudo configuration file is /etc/sudoers and you can edit this file using visudo command: # visudo.

Using visudo protects from conflicts and guarantees that the right syntax is used.

To give full access to specific users

Add the entry given below in the file:

bob, tom ALL=(ALL) ALL

Following this method is not a good idea because this allows both bob and tom to use the su command to grant themselves permanent root privileges. Thereby skipping the command logging features of sudo.

Granting access to specific files to one particular user

This entry allows bob and all the other members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, as well as the privilege of running the command /usr/oracle/backup.pl.

bob, %operator ALL= /sbin/, /usr/sbin, /usr/oracle/backup.pl

If you have any questions or thoughts to share on this topic, use the feedback form.

Posted by at No comments:

Monday, 27 July 2020

Displaying Password Information in solaris 11


You can use the passwd command to display password information about all users in a domain or about one particular user:
For your password information

passwd -s
For all users in current domain

passwd -s -a
For a particular user

passwd -s username
Only the entries and columns for which you have read permission will be displayed. Entries are displayed with the following format:
  • Without password aging: username status
  • With password aging: username status mm/dd/yy min max warn expire inactive
Table 11-4 NIS+ Password Display Format
Field
 Description
 For Further Information
username
The user's login name.
status
The user's password status. PS indicates the account has a password. LK indicates the password is locked. NP indicates the account has no password.
 See "Locking a Password".
mm/dd/yy
The date, based on Greenwich mean time, that the user's password was last changed.
min
The minimum number of days since the last change that must pass before the password can be changed again.
 See "Setting Minimum Password Life".
max
The maximum number of days the password can be used without having to change it.
 See "Setting a Password Age Limit".
warn
The number of days' notice that users are given before their passwords have to be changed.
 See "Establishing a Warning Period".
expire
A date on which users loose the ability to log in to their accounts.
 See "Password Privilege Expiration".
inactive
A limit on the number of days that an account can go without being logged in to. Once that limit is passed without a log in users can no longer access their accounts.
 See "Specifying Maximum Number of Inactive Days".

To display entries from a passwd table in another domain, use the -D option:
For all users in another domain

passwd -s -a -D domainname
For a particular user

passwd -s -D domainname username 
 
 

Changing Passwords

New passwords must meet the criteria described in "Password Requirements".

Changing Your Own Password

To change your password, type

station1% passwd
You will be prompted for your old password and then the new password and then the new password a second time to confirm it.

Changing Someone Else's Password

To change someone else' password, use:
To change another user's password in the same domain

passwd username
To change another user's password in a different domain

passwd -D domainname username
When using the passwd command in an NIS+ environment (see "The passwd Command and "NIS+ Environment"") to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.

Changing Root's Password

When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.
To change a root password, follow these steps:
  1. Log in as root.
  2. Change root's password using passwd.
    Do not use nispasswd.
  3. Run chkey -p.
    You must use the -p option.

Locking a Password

When operating in an NIS+ environment (see "The passwd Command and "NIS+ Environment""), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.
Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password such as login, rlogin, ftp, or telnet.
Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.
You can use this feature to:
  • Temporarily lock a user's password while that user is on vacation or leave. This prevents anyone from logging in as the absent user.
  • Immediately lock one or more user passwords in the case of suspected security problem.
  • Quickly lock a dismissed employee out of the system. This is quicker and easier than eliminating that user's account and is an easy way of preserving any data stored in that account.
  • If you have assigned passwords to UNIX processes, you can lock those passwords. This allows the process to run, but prevents anyone from logging in as those processes even if they know the process password. (In most cases, processes would not be set up as NIS+ principals, but would maintain their password information in /etc files. In such a case you would have to run the passwd command in files mode to lock /etc stored passwords.)
To lock a password, use:

passwd -l username

Unlocking a Password

To unlock a user's password, you simply change it. You can "change" it back to the exact same password that it was when it was locked. Or you can change it to something new.
For example, to unlock jody's password, you would enter:

station1% passwd jody

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.
Password aging allows you to:
  • Force a user to choose a new password the next time the user logs in. (See "Forcing Users to Change Passwords" for details.)
  • Specify a maximum number of days that a password can be used before it has to be changed. (See "Setting a Password Age Limit" for details.)
  • Specify a minimum number of days that a password has to be in existence before it can be changed. (See "Setting Minimum Password Life" for details.)
  • Specify that a warning message be displayed whenever a user logs in a specified number of days before the user's password time limit is reached. (See "Establishing a Warning Period" for details.)
  • Specify a maximum number of days that an account can be inactive. If that number of days pass without the user logging in to the account, the user's password will be locked. (See "Specifying Maximum Number of Inactive Days" for details.)
  • Specify an absolute date after which a user's password cannot be used, thus denying the user the ability to log on to the system. (See "Password Privilege Expiration" for details.)
Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above features. They can continue to work as normal.
Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:
  • login
  • rlogin
  • telnet
  • ftp
These password aging parameters are applied on user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in "Managing Password Aging".)

Forcing Users to Change Passwords

There are two ways to force a user to change passwords the next time the user logs in:
Force change keeping password aging rules in effect

passwd -f username
Force change and turn off password aging rules

passwd -x 0 username

Setting a Password Age Limit

The -max argument to the passwd command sets an age limit for the current password. In other words, it specifies the number of days that a password remains valid. After that number of days, a new password must be chosen by the user. Once the maximum number of days have passed, the next time the user tries to login with the old password a Your password has been expired for too long message is displayed and the user is forced to choose a new password in order to finish logging in to the system.
The max argument uses the following format:

passwd -x max username
Where:
  • username is the login ID of the user
  • max is one of the following values:
    • Greater than zero. Any number greater than zero sets that number of days before the password must be changed.
    • Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.
    • Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user.
For example, to force the user schweik to change passwords every 45 days, you would type the command:

station1% passwd -x 45 schweik

Setting Minimum Password Life

The min argument to the passwd command specifies the number of days that must pass before a user can change passwords. If a user tries to change passwords before the minimum number of days has passed, a Sorry less than N days since the last change message is displayed.
The min argument uses the following format:

passwd -x max -n min username
Where:
  • username is the login ID of the user
  • max is the maximum number of days a password is valid as described in the section above
  • min is the minimum number of days that must pass before the password can be changed.
For example, to force the user eponine to change passwords every 45 days, and prevent him from changing it for the first 7 days you would type the command:

station1% passwd -x 45 -n 7 eponine
The following rules apply to the min argument:
  • You do not have to use a min argument or specify a minimum number of days before a password can be changed.
  • If you do use the min argument, it must always be used in conjunction with the -max argument. In other words, in order to set a minimum value you must also set a maximum value.
  • If you set min to be greater than max, the user is unable to change passwords at all. For example, the command passwd -x 7 -n 8 prevents the user from changing passwords. If the user tries to change passwords, the You may not change this password message is displayed. Setting the min value greater than the max value has two effects:
    • The user is unable to change password. In this case, only someone with administer privileges could change the password. For example, in situations where multiple users share a common group password, setting the min value for that password greater than the max value would prevent any individual user from changing the group password.
    • The password is only valid for the length of time set by the max value, but the user cannot change it because the min value is greater than the max value. Thus, there is no way for the user to prevent the password from becoming invalid at the expiration of the max time period. In effect, this prevents the user from logging in after the max time period unless an administrator intervenes.

Establishing a Warning Period

The warn argument to the passwd command specifies the number of days before a password reaches its age limit that users will start to seeing a Your password will expire in N days message (where N is the number of days) when they log in.
For example, if a user's password has a maximum life of 30 days (set with the -max argument) and the warn value is set to 7 days, when the user logs in on the 24th day (one day past the warn value) the warning message Your password will expire in 7 days is displayed. When the user logs in on the 25th day the warning message Your password will expire in 6 days is displayed.
Keep in mind that the warning message is not sent by Email or displayed in a user's console window. It is displayed only when the user logs in. If the user does not log in during this period, no warning message is given.
Keep in mind that the warn value is relative to the max value. In other words, it is figured backwards from the deadline set by the max value. Thus, if the warn value is set to 14 days, the Your password will expire in N days message will begin to be displayed two weeks before the password reaches its age limit and must be changed.
Because the warn value is figured relative to the max value, it only works if a max value is in place. If there is no max value, warn values are meaningless and are ignored by the system.
The warn argument uses the following format:

passwd -x max -w warn username
Where:
  • username is the login ID of the user.
  • max is the maximum number of days a password is valid as described on "Setting a Password Age Limit".
  • warn is the number of days before the password reaches its age limit that the warning message will begin to be displayed.
For example, to force the user nilovna to change passwords every 45 days, and display a warning message 5 days before the password reaches its age limit you would type the command:

station1% passwd -x 45 -w 5 nilovna
The following rules apply to the warn argument:
  • You do not have to use the warn argument or specify a warning message. If no warn value is set, no warning message is displayed prior to a password reaching its age limit.
  • If you do use the warn argument, it must always be used in conjunction with the max argument. In other words, in order to set a warning value you must also set a maximum value.
Note - You can also use Solstice AdminSuiteTM to set a warn value for a user's password.

Turning Off Password Aging

There are two ways to turn off password aging for a given user:
Turn off aging while allowing user to retain current password

passwd -x -1 username
Force user to change password at next login, and then turn off aging 

passwd -x 0 username
This sets the max value to either zero or -1 (see "Setting a Password Age Limit" for more information on this value).
For example, to force the user mendez to change passwords the next time he logs in and then turn off password aging you would type the command:

station% passwd -x 0 mendez
Note - You can also use Solstice AdminSuiteTM to set this parameter for a user's password.
You can also use the nistbladm command to set this value. For example, to turn off password aging for the user otsu and allow her to continue using her current password, you would type: 

station1% nistbladm -m `shadow=0:0:-1:0:0:0:0' [name=otsu],passwd.org_dir
For additional information on using the nistbladm command, see "The nistbladm Command".

Password Privilege Expiration

You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.
For example, if you specify an expire date of December 31, 1997, for a user named pete, on January 1, 1998 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.

Password Aging Versus Expiration

Expiration of a user's password privilege is not the same as password aging.
  • Password aging. A password that has not been changed for longer than the aging time limit is sometimes referred to as an expired password. But that password can still be used to log in one more time. As part of that last login process the user is forced to choose a new password.
  • Expiration of password privilege. When a user's password privilege expires, the user cannot log in at all with any password.) In other words, it is the user's permission to log in to the network that has expired.

Setting an Expiration Date

Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.
Note - If you have Solstice AdminSuiteTM tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuiteTM tools because they are easier to use and provide less chance for error.
To set an expiration date with the nistbladm command: 

nistbladm -m `shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir
Where:
  • login is the user's login ID
  • n indicates the values in the other fields of the shadow column.
  • n6 is the date on which the user's password privilege expires. This date is entered as a number of days since January 1, 1970 (see Table 11-2). n6 can be one of the following values:
    • Minus one (-1). A value of minus one (-1) turns off the expiration feature. If a user's password has already expired, changing this value to -1 restores (un-expires) it. If you do not want to set any expiration date, type -1 in this field.
    • Greater than zero. A value greater than zero sets the expiration date to that number of days since 1/1/70. If you enter today's date or earlier, you immediately expire the user's password.
For example, to specify an expiration date for the user pete of December 31, 1995 you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:9493:n' [name=pete],passwd.org_dir
Caution - Caution - All of the fields must be filled in with valid values.

Turning Off Password Privilege Expiration

To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir
Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.

Specifying Maximum Number of Inactive Days

You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.
This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network.
For example, suppose you specify a maximum inactivity period of 10 days for the user sam. On January 1, sam logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, sam logs in on machine-B and then logs out. Nine days after that on January 13, sam can still log in to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.
Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.
Caution - Caution - Do not set inactivity maximums unless your users are instructed to log out at the end of each workday. The inactivity feature only relates to logins; it does not check for any other type of system use. If a user logs in and then leaves the system up and running at the end of each day, that user will soon pass the inactivity maximum because there has been no login for many days. When that user finally does reboot or log out, he or she won't be able to log in.
Note - If you have Solstice AdminSuiteTM tools available, do not use nistbladm to set an inactivity maximum. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.
To set a login inactivity maximum, you must use the nistbladm command in the format: 

nistbladm -m `shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir
Where:
  • login is the user's login ID
  • n indicates the values in the other fields of the shadow column.
  • n5 is the number of days the user is allowed to go between logins. Inactive can be one of the following values:
    • Minus one (-1). A value of minus one (-1) turns off the inactivity feature. The user can be inactive for any number of days without losing login privileges. This is the default.
    • Greater than zero. A value greater than zero sets the maximum inactive period to that number of days.
For example, to specify that the user sam must log in at least once every seven days, you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:7:n:n' [name=sam],passwd.org_dir
To clear an inactivity maximum and allow a user who has been prevented from logging in to log in again, use nistbladm to set the inactivity value to -1.

Specifying Password Criteria and Defaults

The following subsections describe various password-related defaults and general criteria that you can specify.

The /etc/defaults/passwd File

The /etc/defaults/passwd file is used to set four general password defaults for users whose nsswitch.conf file points to files. The defaults set by the /etc/defaults/passwd file apply only to those users whose operative password information is taken from /etc files; they do not apply to anyone using either NIS maps or NIS+ tables. An /etc/defaults/passwd file on an NIS+ server only affects local users who happen to be obtaining their password information from those local files. An /etc/defaults/passwd file on an NIS+ server has no effect on the NIS+ environment or users whose nsswitch.conf file points to either nis or nisplus.
The four general password defaults governed by the /etc/defaults/passwd file are:
  • Maximum number of weeks the password is valid
  • Minimum number of weeks the password is valid
  • The number of weeks before the password becomes invalid that the user is warned
  • The minimum number of characters that a password must contain
The following principles apply to defaults set with an /etc/defaults/passwd file:
  • For users who obtain password information from local /etc files, individual password aging maximums, minimums and warnings set by the password command or Solstice AdminSuite or AdminTool override any /etc/defaults/passwd defaults. In other words, defaults set in the /etc/defaults/passwd file are not only applied to those users who do not have corresponding individual settings in their entries in their passwd table.
  • Except for password length, all the /etc/defaults/passwd file defaults are expressed as a number of weeks. (Remember that individual password aging times are expressed as a number of days.)
  • The MAXWEEKS, MINWEEKS, and WARNWEEKS defaults are all counted forward from the date of the user's last password change. (Remember that individual warn values are counted backwards from the maximum date.)
By default, /etc/defaults/passwd files already contain the entries:

MAXWEEKS=
MINWEEKS=
PASSLENGTH=
To implement an entry, simply type the appropriate number after the equal sign. Entries that do not have a number after the equal sign are inactive and have no affect on any user. Thus, to set a MAXWEEKS default of 4, you would change the /etc/defaults/passwd file to read:

MAXWEEKS=4
MINWEEKS=
PASSLENGTH=

Maximum weeks

You can use the MAXWEEKS default in the /etc/defaults/passwd file to set the maximum number of weeks that a user's password is valid. To set a default maximum time period, type the appropriate number of weeks after the equal sign in the MAXWEEKS= line:

MAXWEEKS=N
Where N is a number of weeks. For example, MAXWEEKS=9.

Minimum Weeks

You can use the MINWEEKS default in the /etc/defaults/passwd file to set the minimum nuber of weeks that must pass before a user can change passwords. To set a default minimum time period, type the appropriate number of weeks after the equal sign on the MINWEEKS= line:

MINWEEKS=N
Where N is a number of weeks. For example, MINWEEKS=2.

Warning Weeks

You can add a WARNWEEKS default to the /etc/defaults/passwd file set the number of weeks prior to a password becoming invalid due to aging that user is warned. for example, if you have set the MAXWEEKS default to 9, and you want users to be warned two weeks before their passwords become invalid, you would set the MAXWEEKS default to 7.
There is no point in setting the WARNWEEKS default unless you also set a MAXWEEKS default.
Remember that WARNWEEKS are counted forward from the date of the user's last password change, not backwards from the MAXWEEKS expiration date. Thus, WARNWEEKS must always be less than MAXWEEKS and cannot be equal to or greater than MAXWEEKS .
A WARNWEEKS default will not work unless there is also a MAXWEEKS default.
To set the warning time period, type the appropriate number of weeks after the equal sign on the WARNWEEKS= line.

WARNWEEKS=N
Where N is the number of weeks. For example, WARNWEEKS=1.

Minimum Password Length

By default, the passwd command assumes a minimum length of six characters. You can use the PASSLENGTH default in the /etc/defaults/passwd files to change that by setting the minimum number of characters that a user's password must contain to some other number.
To set the minimum number of characters to something other than six, type the appropriate number of characters after the equal sign in the PASSLENGTH= line:

PASSLENGTH=N
Where N is the number of characters. For example, PASSLENGTH=7.

Password Failure Limits

You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.
Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.

Maximum Number of Tries

To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)
For example, to limit users to no more than four attempts (the default is 3), you would type:

station1# rpc.nispasswdd -a 4
In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later is displayed. No further attempts are permitted for that user ID until a specified period of time has passed.

Maximum Login Time Period

To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)
For example, to specify that users must successfully log in within 2 minutes, you would type:

station1# rpc.nispasswdd -c 2
In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.
  • © 2010, Oracle Corporation and/or its affiliates
Posted by at No comments:

How to Display the User's Login Status


Before You Begin
To use the logins command, you must become an administrator who is assigned either the User Management or the User Security rights profile. By default, the root role has this authorization. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
  • Display a user's login status by using the logins command. 
    # logins -x -l username
    –x
    Displays an extended set of login status information.
    –l username
    Displays the login status for the specified user. The variable username is a user's login name. Multiple login names are separated by commas.
    The logins command uses the appropriate password database to obtain a user's login status. The database can be the local /etc/passwd file, or a password database for the naming service. For more information, see the logins (1M) man page.
Example 3-1  Displaying a User's Login Status In the following example, the login status for the user jdoe is displayed.
# logins -x -l jdoe
jdoe       500     staff           10   Jaylee Jaye Doe
/home/jdoe
/bin/bash
PS 010103 10 7 -1
jdoe
Identifies the user's login name.
500
Identifies the user ID (UID).
staff
Identifies the user's primary group.
10
Identifies the group ID (GID).
Jaylee Jaye Doe
Identifies the comment.
/home/jdoe
Identifies the user's home directory.
/bin/bash
Identifies the login shell.
PS 010170 10 7 -1
    Specifies the password aging information:
  • Last date that the password was changed
  • Number of days that are required between changes
  • Number of days before a change is required
  • Warning period

 

++++++++++++++++++++++++++++

 

last

OR

last [UserNameHere]

OR

last [option] [UserNameHere]

Example: Display Linux user last login

To display when a user named ‘vivek’ last logged in to the system, type:
$ last vivek
$ last vivek | less
Sample outputs:

Fig.01: last command in action on my Debian base nas server
Fig.01: last command in action on my Debian base nas server

The output in this example tell us when user vivek last logged in. The output will go back for several months or more as last command searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created.

Display a list of recent system use for all users

Simply type the last command:
$ last
OR
$ last | less
Sample outputs taken from my RHEL based server:

root     pts/0        10.1.6.120       Mon Jan 27 06:26   still logged in   
root     pts/0        10.1.6.120       Mon Jan 27 03:37 - 06:26  (02:48)    
root     pts/0        10.1.6.120       Sun Jan 26 02:47 - 09:28  (06:40)    
root     pts/4        10.1.6.120       Sat Jan 25 11:02 - 11:02  (00:00)    
root     pts/0        10.1.6.120       Sat Jan 25 10:15 - 13:12  (02:56)    
root     pts/4        10.1.6.120       Sat Jan 25 06:01 - 06:32  (00:31)    
root     pts/0        10.1.6.120       Sat Jan 25 03:08 - 09:04  (05:55)    
root     pts/4        10.1.6.120       Sat Jan 25 01:06 - 03:18  (02:11)    
root     pts/0        10.1.6.120       Fri Jan 24 23:59 - 02:11  (02:12)    
root     pts/0        10.1.6.120       Fri Jan 24 05:30 - 08:39  (03:08)    
root     pts/0        10.1.6.120       Thu Jan 23 04:22 - 05:41  (01:19)    
....
...
...
root     pts/1        10.1.6.120       Sun Jan  5 11:09 - 14:29  (03:20)    
root     pts/0        10.1.6.120       Sun Jan  5 10:05 - 12:19  (02:14)    
reboot   system boot  2.6.32-431.3.1.e Sun Jan  5 10:02 - 06:52 (21+20:50)  
root     pts/0        10.1.6.120       Sun Jan  5 09:58 - down   (00:00)    
root     pts/0        10.1.6.120       Sun Jan  5 03:33 - 05:45  (02:12)    
root     pts/1        10.1.6.120       Sat Jan  4 15:06 - 17:28  (02:21)    
root     pts/0        10.1.6.120       Sat Jan  4 13:46 - 15:58  (02:11)    
root     pts/0        10.1.6.120       Sat Jan  4 05:05 - 07:16  (02:11)    
root     pts/1        10.1.6.120       Fri Jan  3 14:29 - 15:44  (01:15)    
root     pts/0        10.1.6.120       Fri Jan  3 13:20 - 15:32  (02:11)    
root     pts/0        10.1.6.120       Thu Jan  2 05:19 - 05:32  (00:13)    
root     pts/0        10.1.6.120       Tue Dec 31 13:57 - 16:06  (02:09)    
 
wtmp begins Tue Dec 31 13:57:23 2013

 

Posted by at No comments:
Subscribe to: Posts (Atom)