How Do I Install sar?
Type the following command:
# yum install sysstat -y
Configuration Files
Edit /etc/sysconfig/sysstat file specify how long to keep log files in days, maximum is a month:
# vi /etc/sysconfig/sysstat
Sample outputs:
# keep log for 28 days
# the default is 7
HISTORY=28
# chkconfig sysstat on
# service sysstat start
$ wget http://ksar.atomique.net/kSar/kSar-5.0.6.zip
or Download
http://ksar.atomique.net/kSar/kSar-5.0.6.zip
$ unzip kSar-5.0.6.zip
$ cd kSar-5.0.6/
$ sh run.sh
How Do I Generate sar Graphs Using kSar?
First, you need to grab sar command statistics. Type the following command to get stats, enter (type it on your server):
[server1 ]# LC_ALL=C sar -A > /tmp/hostname-sar.data.txt
Red Hat, Fedora, Gnome, KDE, MySQL, PostgreSQL, PostGIS, Slony, Zarafa, Scalix, SugarCRM, vtiger, CITADEL,OpenOffice, LibreOffice,Wine, Apache, hadoop, Nginx Drupla, Joomla, Jboss, Wordpress, WebGUI, Tomcat, TiKi WiKi, Wikimedia, SpamAssassin, ClamAV, OpenLDAP, OTRS, RT, Samba, Cyrus, Dovecot, Exim, Postfix, sendmail, Amanda, Bacula, DRBD, Heartbeat, Keepalived, Nagios, Zabbix, Zenoss,
Thursday, December 17, 2009
Thursday, December 10, 2009
Thursday, November 12, 2009
RHEL Installing Apache2 With PHP5 And MySQL Support LAMP Server
LAMP is short for Linux, Apache, MySQL, PHP. This tutorial shows how you can install an Apache2 webserver on a Fedora 11 server with PHP5 support (mod_php) and MySQL support.
Step 1
#yum install mysql mysql-server httpd php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc phpmyadmin
Step 2
In this tutorial I use the hostname rajat.yeswedeal.com with the IP address 192.168.1.110 These settings might differ for you, so you have to replace them where appropriate.
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h rajat.yeswedeal.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
Apache2 is available as a RHEL package, therefore we can install it like this:
Now configure your system to start Apache at boot time...
chkconfig --levels 235 httpd on
... and start Apache:
/etc/init.d/httpd start
Now direct your browser to http://192.168.1.110, and you should see the Apache2 placeholder
Apache's default document root is /var/www/html on Fedora, and the configuration file is /etc/httpd/conf/httpd.conf. Additional configurations are stored in the /etc/httpd/conf.d/ directory.
We must restart Apache afterwards:
/etc/init.d/httpd restart
Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.
vi /var/www/html/info.php
Now we call that file in a browser (e.g. http://192.168.1.110/info.php):
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
Now restart Apache2:
/etc/init.d/httpd restart
Now reload http://192.168.1.110/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the stanza):
vi /etc/httpd/conf.d/phpMyAdmin.conf
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
#
# order deny,allow
# deny from all
# allow from 127.0.0.1
# allow from ::1
#
# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
Order Deny,Allow
Deny from All
Allow from None
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#
#
# SecRuleInheritance Off
#
#
Restart Apache:
/etc/init.d/httpd restart
Afterwards, you can access phpMyAdmin under http://192.168.1.110/phpmyadmin/:
Step 1
#yum install mysql mysql-server httpd php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc phpmyadmin
Step 2
In this tutorial I use the hostname rajat.yeswedeal.com with the IP address 192.168.1.110 These settings might differ for you, so you have to replace them where appropriate.
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h rajat.yeswedeal.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
Apache2 is available as a RHEL package, therefore we can install it like this:
Now configure your system to start Apache at boot time...
chkconfig --levels 235 httpd on
... and start Apache:
/etc/init.d/httpd start
Now direct your browser to http://192.168.1.110, and you should see the Apache2 placeholder
Apache's default document root is /var/www/html on Fedora, and the configuration file is /etc/httpd/conf/httpd.conf. Additional configurations are stored in the /etc/httpd/conf.d/ directory.
We must restart Apache afterwards:
/etc/init.d/httpd restart
Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.
vi /var/www/html/info.php
Now we call that file in a browser (e.g. http://192.168.1.110/info.php):
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
Now restart Apache2:
/etc/init.d/httpd restart
Now reload http://192.168.1.110/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the
vi /etc/httpd/conf.d/phpMyAdmin.conf
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
#
# order deny,allow
# deny from all
# allow from 127.0.0.1
# allow from ::1
#
# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
Order Deny,Allow
Deny from All
Allow from None
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#
#
# SecRuleInheritance Off
#
#
Restart Apache:
/etc/init.d/httpd restart
Afterwards, you can access phpMyAdmin under http://192.168.1.110/phpmyadmin/:
Tuesday, November 3, 2009
RedHat / CentOS Clustering Linux HA
Creating a service in Red Hat Enterprise Linux using Conga
1. Log in to the Conga web interface
*
Go to https://:8084 (replacing with the hostname of the Conga web server) and login.
*
Click the cluster tab.
*
Choose the cluster to configure.
2. Add a service
*
In the navigation bar on the left, choose Services => Add A Service.
*
Enter a descriptive Name for the service.
*
Choose whether to Automatically start this service and/or Run exclusive
*
Choose a Failover Domain.
*
Choose a Recovery Policy.
*
Optionally enter the maximum number of restarts and the restart counter timeout.
3. Add an IP Resource
*
Click Add a resource to this service.
*
Under Add a new local resource, choose IP Address.
*
Enter the IP Address that clients will use to access the MySQL database.
*
Choose whether to monitor the link for failures or not.
4. Add an LVM Resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Under the previously created IP resource, click Add a child.
*
Under Add a new local resource, choose LVM.
*
Enter a descriptive name for the resource.
*
Fill in the Volume Group Name and Logical Volume Name.
5. Add a filesystem resource
*
Under the previously created LVM resource (or the IP resource if step 4 was skipped), click Add a child.
*
Under Add a new local resource, select File System.
*
Enter a a descriptive Name for the resource.
*
Choose the File system type.
*
Enter a Mount point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Enter any mount Options to use.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select MySQL.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf. See the above section on Configuring MySQL to Use Shared Storage for details.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
6b. Add a script resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select Script.
*
Enter a descriptive name for the resource.
*
Enter the Full path to script file, such as /etc/init.d/mysqld.
7. Save the service
*
Click Submit at the bottom of the page
Creating a service in Red Hat Enterprise Linux 4 and 5 using system-config-cluster
1. Open the system-config-cluster tool by running
# system-config-cluster
in a terminal.
2. Create a Service
*
In the Cluster Configuration tab, highlight the Services group.
*
Click the Create a Service button on the right side.
*
Enter a descriptive Name for the service.
*
Choose whether to Autostart This Service and/or Run Exclusive.
*
Select a Failover Domain in the upper right corner.
*
Select a Recovery Policy.
3. Add an IP resource
*
Click the Create a new resource for this service button.
*
Select IP Adress from the drop-down menu.
*
Enter the IP address that clients will connect to the MySQL service on.
*
Choose whether to monitor the link for failures or not.
*
Click OK.
4. Add an LVM resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Highlight the previously created IP resource.
*
Click Attach a new Private Resource to the Selection.
*
Select LVM from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the Volume Group Name and Logical Volume Name.
*
Click OK.
5. Add a filesystem resource
*
Highlight the previously created LVM resource (or the IP resource if step #4 was skipped).
*
Click Attach a new Private Resource to the Selection.
*
Select File System from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Choose the File System Type.
*
Enter the Mount Point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Optionally enter any mount Options that should be used.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
*
Click OK.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select MySQL Server from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
*
Click OK.
6b. Add a script resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select Script from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path for the File that will be used as the script, such as /etc/init.d/mysqld.
*
Click OK.
7. In the Service Management dialog, click Close.
8. To save the changes to the local configuration file, choose File => Save.
9. To propagate the changes to the rest of the cluster and allow for the service to be started, click Send to Cluster.
Service Configuration Examples
Red Hat Enterprise Linux
A service example from /etc/cluster.xml for Red Hat Enterprise Linux 3 is as follows:
Red Hat Enterprise Linux
The following is a service example from /etc/cluster/cluster.conf for Red Hat Enterprise Linux 4 or 5 using the rgmanager MySQL resource agent:
or alternatively using a script resource:
Apache Clustering HA
1.
Select the Services tab and click New. The Service properties dialog box is displayed.
a. Give the service a name (for example, httpd).
b. Choose httpd-domain from the Failover Domain list.
c. Specify a value in the Check Interval field.
d. Specify /etc/rc.d/init.d/httpd in the User Script field.
e. Click OK.
a. Choose Add Device and click OK. The Device properties dialog box is displayed.
b. Enter the device special file name in the Device Special File field (for example,
/dev/hda7).
c. Enter the mount point in the Mount Point field (for example, /var/www/html/).
d. Choose ext3 from the FS Type list.
e. Enter rw in the Options field.
f. Ensure that Force Unmount is checked, and click OK.
2.
Select the httpd service on the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
a. Choose Add Service IP Address and click OK. The Service IP Address properties dialog box is displayed.
b. In the IP Address field, specify an IP address, which the cluster infrastructure binds to the network interface on the cluster system that runs the httpd service (for example, 192.168.26.10).
c. Specify a netmask of None in the Netmask field.
d. In the Broadcast field, specify an IP address of None for broadcasting on the cluster subnet.
e. Click OK.
3.
Ensure that the httpd service is still selected in the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
4.
Choose File => Save to save your changes.
5.
To start the Apache HTTP Server within the Cluster Status Tool, highlight the service and click Enable.
1. Log in to the Conga web interface
*
Go to https://
*
Click the cluster tab.
*
Choose the cluster to configure.
2. Add a service
*
In the navigation bar on the left, choose Services => Add A Service.
*
Enter a descriptive Name for the service.
*
Choose whether to Automatically start this service and/or Run exclusive
*
Choose a Failover Domain.
*
Choose a Recovery Policy.
*
Optionally enter the maximum number of restarts and the restart counter timeout.
3. Add an IP Resource
*
Click Add a resource to this service.
*
Under Add a new local resource, choose IP Address.
*
Enter the IP Address that clients will use to access the MySQL database.
*
Choose whether to monitor the link for failures or not.
4. Add an LVM Resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Under the previously created IP resource, click Add a child.
*
Under Add a new local resource, choose LVM.
*
Enter a descriptive name for the resource.
*
Fill in the Volume Group Name and Logical Volume Name.
5. Add a filesystem resource
*
Under the previously created LVM resource (or the IP resource if step 4 was skipped), click Add a child.
*
Under Add a new local resource, select File System.
*
Enter a a descriptive Name for the resource.
*
Choose the File system type.
*
Enter a Mount point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Enter any mount Options to use.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select MySQL.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf. See the above section on Configuring MySQL to Use Shared Storage for details.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
6b. Add a script resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select Script.
*
Enter a descriptive name for the resource.
*
Enter the Full path to script file, such as /etc/init.d/mysqld.
7. Save the service
*
Click Submit at the bottom of the page
Creating a service in Red Hat Enterprise Linux 4 and 5 using system-config-cluster
1. Open the system-config-cluster tool by running
# system-config-cluster
in a terminal.
2. Create a Service
*
In the Cluster Configuration tab, highlight the Services group.
*
Click the Create a Service button on the right side.
*
Enter a descriptive Name for the service.
*
Choose whether to Autostart This Service and/or Run Exclusive.
*
Select a Failover Domain in the upper right corner.
*
Select a Recovery Policy.
3. Add an IP resource
*
Click the Create a new resource for this service button.
*
Select IP Adress from the drop-down menu.
*
Enter the IP address that clients will connect to the MySQL service on.
*
Choose whether to monitor the link for failures or not.
*
Click OK.
4. Add an LVM resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Highlight the previously created IP resource.
*
Click Attach a new Private Resource to the Selection.
*
Select LVM from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the Volume Group Name and Logical Volume Name.
*
Click OK.
5. Add a filesystem resource
*
Highlight the previously created LVM resource (or the IP resource if step #4 was skipped).
*
Click Attach a new Private Resource to the Selection.
*
Select File System from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Choose the File System Type.
*
Enter the Mount Point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Optionally enter any mount Options that should be used.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
*
Click OK.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select MySQL Server from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
*
Click OK.
6b. Add a script resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select Script from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path for the File that will be used as the script, such as /etc/init.d/mysqld.
*
Click OK.
7. In the Service Management dialog, click Close.
8. To save the changes to the local configuration file, choose File => Save.
9. To propagate the changes to the rest of the cluster and allow for the service to be started, click Send to Cluster.
Service Configuration Examples
Red Hat Enterprise Linux
A service example from /etc/cluster.xml for Red Hat Enterprise Linux 3 is as follows:
Red Hat Enterprise Linux
The following is a service example from /etc/cluster/cluster.conf for Red Hat Enterprise Linux 4 or 5 using the rgmanager MySQL resource agent:
or alternatively using a script resource:
Apache Clustering HA
1.
Select the Services tab and click New. The Service properties dialog box is displayed.
a. Give the service a name (for example, httpd).
b. Choose httpd-domain from the Failover Domain list.
c. Specify a value in the Check Interval field.
d. Specify /etc/rc.d/init.d/httpd in the User Script field.
e. Click OK.
a. Choose Add Device and click OK. The Device properties dialog box is displayed.
b. Enter the device special file name in the Device Special File field (for example,
/dev/hda7).
c. Enter the mount point in the Mount Point field (for example, /var/www/html/).
d. Choose ext3 from the FS Type list.
e. Enter rw in the Options field.
f. Ensure that Force Unmount is checked, and click OK.
2.
Select the httpd service on the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
a. Choose Add Service IP Address and click OK. The Service IP Address properties dialog box is displayed.
b. In the IP Address field, specify an IP address, which the cluster infrastructure binds to the network interface on the cluster system that runs the httpd service (for example, 192.168.26.10).
c. Specify a netmask of None in the Netmask field.
d. In the Broadcast field, specify an IP address of None for broadcasting on the cluster subnet.
e. Click OK.
3.
Ensure that the httpd service is still selected in the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
4.
Choose File => Save to save your changes.
5.
To start the Apache HTTP Server within the Cluster Status Tool, highlight the service and click Enable.
Sunday, October 25, 2009
Squid Setup a transparent
My Server Setup:
i) Server: Xeon CPU system with 8 GB RAM .
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network)
iv) Red Hat Enterprise Linux 5.0
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration
* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service
First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,
* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: -- same as above --
Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
OR, try out sed
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration
Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration
Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Problems and solutions
(a) Windows XP FTP Client
All Desktop client FTP session request ended with an error:
Illegal PORT command.
I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp
Please note that modprobe command is already added to a shell script (above).
(b) Port 443 redirection
I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL".
Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.
(c) Squid Proxy authentication in a transparent mode
You cannot use Squid authentication with a transparently intercepting proxy.
i) Server: Xeon CPU system with 8 GB RAM .
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network)
iv) Red Hat Enterprise Linux 5.0
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration
* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service
First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,
* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: -- same as above --
Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
OR, try out sed
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration
Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration
Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Problems and solutions
(a) Windows XP FTP Client
All Desktop client FTP session request ended with an error:
Illegal PORT command.
I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp
Please note that modprobe command is already added to a shell script (above).
(b) Port 443 redirection
I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL".
Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.
(c) Squid Proxy authentication in a transparent mode
You cannot use Squid authentication with a transparently intercepting proxy.
Thursday, October 15, 2009
Linux NIC Bonding
vim /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=10.5.1.76
NETMASK=
GATEWAY=10.5.1.93
ONBOOT=yes
BOOTPROTO=static
USERCLT=no
BONDING_OPTS="miimon=100 mode=1"
edit vim /etc/sysconfig/network-scripts/ifcfg-eth0
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth0
HWADDR=00:26:55:7D:38:00
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
edit vim /etc/sysconfig/network-scripts/ifcfg-eth1
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth1
USERCTL=no
ONBOOT=yes
HWADDR=00:26:55:7D:38:01
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
edit vim /etc/modprobe.conf
alias eth0 bnx2
alias eth1 bnx2
alias bond0 bonding
alias scsi_hostadapter megaraid_sas
alias scsi_hostadapter1 ata_piix
alias scsi_hostadapter2 qla2xxx
#modprobe bonding
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094470.shtml Since I don't know the model of your switch
#service network restart
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:26:55:19:4a:18
Slave Interface: eth3
MII Status: up
Link Failure Count: 2
Permanent HW addr: 00:26:55:19:4a:1c
add following lines to file
#vim /etc/sysctl.conf
# Gigabit tuning
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# net.core.wmem_max = 8388608
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 2096 65535 16777216
net.ipv4.tcp_mem = 98304 131072 196608
net.core.netdev_max_backlog = 250000
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_local_port_range = 1025 61000
# VM pressure fixes
vm.swappiness = 100
vm.inactive_clean_percent = 100
vm.pagecache = 200 10 20
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# Security tweaks
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
What is bonding?
Bonding is the same as port trunking. In the following I will use the word bonding because practically we will bond interfaces as one.
But still...what is bonding?
Bonding allows you to aggregate multiple ports into a single group, effectively combining the bandwidth into a single connection. Bonding also allows you to create multi-gigabit pipes to transport traffic through the highest traffic areas of your network. For example, you can aggregate three megabits ports (1 mb each) into a three-megabits trunk port. That is equivalent with having one interface with three megabits speed.
Where should I use bonding?
You can use it wherever you need redundant links, fault tolerance or load balancing networks. It is the best way to have a high availability network segment. A very useful way to use bonding is to use it in connection with 802.1q VLAN support (your network equipment must have 802.1q protocol implemented).
The best documentation is on the Linux Channel Bonding Project page
I strongly recommend to read it for more details.
Credits: Linux Channel Bonding Project page , Thea
This small howto will try to cover the most used bonding types. The following script (the gray area) will configure a bond interface (bond0) using two ethernet interface (eth0 and eth1). You can place it onto your on file and run it at boot time..
#!/bin/bash
modprobe bonding mode=0 miimon=100 # load bonding module
ifconfig eth0 down # putting down the eth0 interface
ifconfig eth1 down # putting down the eth1 interface
ifconfig bond0 hw ether 00:11:22:33:44:55 # changing the MAC address of the bond0 interface
ifconfig bond0 192.168.55.55 up # to set ethX interfaces as slave the bond0 must have an ip.
ifenslave bond0 eth0 # putting the eth0 interface in the slave mod for bond0
ifenslave bond0 eth1 # putting the eth1 interface in the slave mod for bond0
You can set up your bond interface according to your needs. Changing one parameters (mode=X) you can have the following bonding types:
mode=0 (balance-rr)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
mode=2 (balance-xor)
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
mode=3 (broadcast)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
Pre-requisites:
1. Ethtool support in the base drivers for retrieving
the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link
aggregation.
Most switches will require some type of configuration
to enable 802.3ad mode.
mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
Prerequisite:
Ethtool support in the base drivers for retrieving the
speed of each slave.
mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.
The most used are the first four mode types...
Also you can use multiple bond interface but for that you must load the bonding module as many as you need.
Presuming that you want two bond interface you must configure the /etc/modules.conf as follow:
alias bond0 bonding
options bond0 -o bond0 mode=0 miimon=100
alias bond1 bonding
options bond1 -o bond1 mode=1 miimon=100
Notes:
* To restore your slaves MAC addresses, you need to detach them from the bond (`ifenslave -d bond0 eth0'). The bonding driver will then restore the MAC addresses that the slaves had before they were enslaved.
* The bond MAC address will be the taken from its first slave device.
* Promiscous mode: According to your bond type, when you put the bond interface in the promiscous mode it will propogates the setting to the slave devices as follow:
o for mode=0,2,3 and 4 the promiscuous mode setting is propogated to all slaves.
o for mode=1,5 and 6 the promiscuous mode setting is propogated only to the active slave.
For balance-tlb mode the active slave is the slave currently receiving inbound traffic, for balance-alb mode the active slave is the slave used as a "primary." and for the active-backup, balance-tlb and balance-alb modes, when the active slave changes (e.g., due to a link failure), the promiscuous setting will be propogated to the new active slave.
DEVICE=bond0
IPADDR=10.5.1.76
NETMASK=
GATEWAY=10.5.1.93
ONBOOT=yes
BOOTPROTO=static
USERCLT=no
BONDING_OPTS="miimon=100 mode=1"
edit vim /etc/sysconfig/network-scripts/ifcfg-eth0
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth0
HWADDR=00:26:55:7D:38:00
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
edit vim /etc/sysconfig/network-scripts/ifcfg-eth1
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth1
USERCTL=no
ONBOOT=yes
HWADDR=00:26:55:7D:38:01
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
edit vim /etc/modprobe.conf
alias eth0 bnx2
alias eth1 bnx2
alias bond0 bonding
alias scsi_hostadapter megaraid_sas
alias scsi_hostadapter1 ata_piix
alias scsi_hostadapter2 qla2xxx
#modprobe bonding
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094470.shtml Since I don't know the model of your switch
#service network restart
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:26:55:19:4a:18
Slave Interface: eth3
MII Status: up
Link Failure Count: 2
Permanent HW addr: 00:26:55:19:4a:1c
add following lines to file
#vim /etc/sysctl.conf
# Gigabit tuning
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# net.core.wmem_max = 8388608
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 2096 65535 16777216
net.ipv4.tcp_mem = 98304 131072 196608
net.core.netdev_max_backlog = 250000
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_local_port_range = 1025 61000
# VM pressure fixes
vm.swappiness = 100
vm.inactive_clean_percent = 100
vm.pagecache = 200 10 20
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# Security tweaks
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
What is bonding?
Bonding is the same as port trunking. In the following I will use the word bonding because practically we will bond interfaces as one.
But still...what is bonding?
Bonding allows you to aggregate multiple ports into a single group, effectively combining the bandwidth into a single connection. Bonding also allows you to create multi-gigabit pipes to transport traffic through the highest traffic areas of your network. For example, you can aggregate three megabits ports (1 mb each) into a three-megabits trunk port. That is equivalent with having one interface with three megabits speed.
Where should I use bonding?
You can use it wherever you need redundant links, fault tolerance or load balancing networks. It is the best way to have a high availability network segment. A very useful way to use bonding is to use it in connection with 802.1q VLAN support (your network equipment must have 802.1q protocol implemented).
The best documentation is on the Linux Channel Bonding Project page
I strongly recommend to read it for more details.
Credits: Linux Channel Bonding Project page , Thea
This small howto will try to cover the most used bonding types. The following script (the gray area) will configure a bond interface (bond0) using two ethernet interface (eth0 and eth1). You can place it onto your on file and run it at boot time..
#!/bin/bash
modprobe bonding mode=0 miimon=100 # load bonding module
ifconfig eth0 down # putting down the eth0 interface
ifconfig eth1 down # putting down the eth1 interface
ifconfig bond0 hw ether 00:11:22:33:44:55 # changing the MAC address of the bond0 interface
ifconfig bond0 192.168.55.55 up # to set ethX interfaces as slave the bond0 must have an ip.
ifenslave bond0 eth0 # putting the eth0 interface in the slave mod for bond0
ifenslave bond0 eth1 # putting the eth1 interface in the slave mod for bond0
You can set up your bond interface according to your needs. Changing one parameters (mode=X) you can have the following bonding types:
mode=0 (balance-rr)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
mode=2 (balance-xor)
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
mode=3 (broadcast)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
Pre-requisites:
1. Ethtool support in the base drivers for retrieving
the speed and duplex of each slave.
2. A switch that supports IEEE 802.3ad Dynamic link
aggregation.
Most switches will require some type of configuration
to enable 802.3ad mode.
mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
Prerequisite:
Ethtool support in the base drivers for retrieving the
speed of each slave.
mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.
The most used are the first four mode types...
Also you can use multiple bond interface but for that you must load the bonding module as many as you need.
Presuming that you want two bond interface you must configure the /etc/modules.conf as follow:
alias bond0 bonding
options bond0 -o bond0 mode=0 miimon=100
alias bond1 bonding
options bond1 -o bond1 mode=1 miimon=100
Notes:
* To restore your slaves MAC addresses, you need to detach them from the bond (`ifenslave -d bond0 eth0'). The bonding driver will then restore the MAC addresses that the slaves had before they were enslaved.
* The bond MAC address will be the taken from its first slave device.
* Promiscous mode: According to your bond type, when you put the bond interface in the promiscous mode it will propogates the setting to the slave devices as follow:
o for mode=0,2,3 and 4 the promiscuous mode setting is propogated to all slaves.
o for mode=1,5 and 6 the promiscuous mode setting is propogated only to the active slave.
For balance-tlb mode the active slave is the slave currently receiving inbound traffic, for balance-alb mode the active slave is the slave used as a "primary." and for the active-backup, balance-tlb and balance-alb modes, when the active slave changes (e.g., due to a link failure), the promiscuous setting will be propogated to the new active slave.
How to Setup Fedora Directory Server with Postfix Mail Server
Set hostname of the computer
#hostname mail.taashee.com
Install Fedora Directory Server
#yum install fedora-ds
Create a new user and group named fds. This account will be used to run the fds
service.
#useradd fds
Type in setup-ds-admin.pl in a terminal window to setup Fedora Directory Server.
#setup-ds-admin.pl
=====================================================
This program will set up the Fedora Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]: ↵
=====================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
Do you agree to the license terms? [no]: yes
====================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
Fedora Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.18-92.el5 (1 processor).
WARNING: 494MB of physical memory is available on the system. 1024MB is recommended for
best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
Would you like to continue? [no]: yes
===================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]: ↵
=====================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Computer name [mail.taashee.com]: ↵
=====================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: fds
System Group [nobody]: fds
=====================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]: ↵
=====================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]: ↵
Password:
Password (confirm):
====================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [taashee.com]: ↵
=====================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]: ↵
=====================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [mail]: ↵
=====================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=taashee, dc=com]: ↵
=====================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Directory Manager DN [cn=Directory Manager]: ↵
Password:
Password (confirm):
=====================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]: ↵
=====================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: ↵
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupcT78dr.log'
Restart the dirsrv, dirsrv-admin and httpd service.
#service httpd restart
#service dirsrv restart
#service dirsrv-admin restart
Now launch the Fedora Console Login window.
#fedora-idm-console
Provide following details if you have default setup
User ID: cn=directory manager
Password: ******
Administration URL: localhost:9830
Create user on Fedora Directory server using following screen shots.
You have to enable POSIX User and fill the details if you want to authenticate a user from linux
box. You will have to create Home directory of users manually.
Setup LDAP Client (RHEL/Fedora Box).
#system-config-authentication
Add required LDAP details.
Now, check on client whether you are able to sync the ldap database using following
command.
# getent passwd
This document is only meant to make use of Fedora Directory Server as LDAP Server for Central
Authentication of users.
http://i36.tinypic.com/i1jjuo.jpg
http://i34.tinypic.com/33o1xj7.jpg
http://i38.tinypic.com/13zqwdu.jpg
http://i34.tinypic.com/wb9wfq.jpg
http://i33.tinypic.com/2rr55yv.jpg
http://i38.tinypic.com/2rgp1yg.jpg
#hostname mail.taashee.com
Install Fedora Directory Server
#yum install fedora-ds
Create a new user and group named fds. This account will be used to run the fds
service.
#useradd fds
Type in setup-ds-admin.pl in a terminal window to setup Fedora Directory Server.
#setup-ds-admin.pl
=====================================================
This program will set up the Fedora Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]: ↵
=====================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
Do you agree to the license terms? [no]: yes
====================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
Fedora Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.18-92.el5 (1 processor).
WARNING: 494MB of physical memory is available on the system. 1024MB is recommended for
best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
Would you like to continue? [no]: yes
===================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]: ↵
=====================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Computer name [mail.taashee.com]: ↵
=====================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: fds
System Group [nobody]: fds
=====================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]: ↵
=====================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]: ↵
Password:
Password (confirm):
====================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [taashee.com]: ↵
=====================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]: ↵
=====================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [mail]: ↵
=====================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=taashee, dc=com]: ↵
=====================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Directory Manager DN [cn=Directory Manager]: ↵
Password:
Password (confirm):
=====================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]: ↵
=====================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: ↵
Creating directory server . . .
Your new DS instance 'mail' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupcT78dr.log'
Restart the dirsrv, dirsrv-admin and httpd service.
#service httpd restart
#service dirsrv restart
#service dirsrv-admin restart
Now launch the Fedora Console Login window.
#fedora-idm-console
Provide following details if you have default setup
User ID: cn=directory manager
Password: ******
Administration URL: localhost:9830
Create user on Fedora Directory server using following screen shots.
You have to enable POSIX User and fill the details if you want to authenticate a user from linux
box. You will have to create Home directory of users manually.
Setup LDAP Client (RHEL/Fedora Box).
#system-config-authentication
Add required LDAP details.
Now, check on client whether you are able to sync the ldap database using following
command.
# getent passwd
This document is only meant to make use of Fedora Directory Server as LDAP Server for Central
Authentication of users.
http://i36.tinypic.com/i1jjuo.jpg
http://i34.tinypic.com/33o1xj7.jpg
http://i38.tinypic.com/13zqwdu.jpg
http://i34.tinypic.com/wb9wfq.jpg
http://i33.tinypic.com/2rr55yv.jpg
http://i38.tinypic.com/2rgp1yg.jpg
Postfix Server
POSTFIX HOWTO
First check postfix is install or not. ( You need to require basic repository to be setup )
[root@mail ~]# yum list postfix
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up repositories
Reading repository metadata in from local files
Available Packages
postfix.i386 2:2.3.3-2 rhel
[root@mail ~]#
Now install postfix
[root@mail ~]# yum install postfix
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for postfix to pack into transaction set.
postfix-2.3.3-2.i386.rpm 100% |=========================| 41 kB 00:00
---> Package postfix.i386 2:2.3.3-2 set to be updated
--> Running transaction check
Dependencies Resolved
================================================================
Package Arch Version Repository Size
================================================================
Installing:
postfix i386 2:2.3.3-2 rhel 3.6 M
Transaction Summary
================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 3.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/1): postfix-2.3.3-2.i3 100% |=========================| 3.6 MB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: postfix ######################### [1/1]
Installed: postfix.i386 2:2.3.3-2
Complete!
[root@mail ~]#
Let us make postfix default mta
[root@mail ~]# alternatives --display mta
mta - status is auto.
link currently points to /usr/sbin/sendmail.sendmail
/usr/sbin/sendmail.sendmail - priority 90
slave mta-pam: /etc/pam.d/smtp.sendmail
slave mta-mailq: /usr/bin/mailq.sendmail
slave mta-newaliases: /usr/bin/newaliases.sendmail
slave mta-rmail: /usr/bin/rmail.sendmail
slave mta-sendmail: /usr/lib/sendmail.sendmail
slave mta-mailqman: /usr/share/man/man1/mailq.sendmail.1.gz
slave mta-newaliasesman: /usr/share/man/man1/newaliases.sendmail.1.gz
slave mta-aliasesman: /usr/share/man/man5/aliases.sendmail.5.gz
slave mta-sendmailman: /usr/share/man/man8/sendmail.sendmail.8.gz
/usr/sbin/sendmail.postfix - priority 30
slave mta-pam: /etc/pam.d/smtp.postfix
slave mta-mailq: /usr/bin/mailq.postfix
slave mta-newaliases: /usr/bin/newaliases.postfix
slave mta-rmail: /usr/bin/rmail.postfix
slave mta-sendmail: /usr/lib/sendmail.postfix
slave mta-mailqman: /usr/share/man/man1/mailq.postfix.1.gz
slave mta-newaliasesman: /usr/share/man/man1/newaliases.postfix.1.gz
slave mta-aliasesman: /usr/share/man/man5/aliases.postfix.5.gz
slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
Current `best' version is /usr/sbin/sendmail.sendmail.
[root@mail ~]#
[root@mail ~]# alternatives --config mta
There are 2 programs which provide 'mta'.
Selection Command
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter to keep the current selection[+], or type selection number: 2
[root@mail ~]#
Stop sendmail
[root@mail ~]# service sendmail stop
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
[root@mail ~]# chkconfig sendmail off
Start Postfix
[root@mail ~]# chkconfig postfix on
[root@mail ~]# service postfix start
Starting postfix: [ OK ]
[root@mail ~]#
CHECK POSTFIX LISTING ON .
[root@mail ~]# netstat -tlpn | grep ':25'
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5108/master
[root@mail ~]#
As it is listing on localhost onle need to enabled it listen to all address.
[root@mail postfix]# postconf -n | grep interfaces
inet_interfaces = localhost
[root@mail postfix]#
FROM OTHER HOST 192.168.0.101
[root@mail postfix]# postconf -n | grep interfaces
inet_interfaces = localhost
[root@mail postfix]#
FROM LOCALHOST
[root@mail postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
SO LET IT LISTION TO ALL PORTS
[root@mail postfix]# grep inet_interfaces main.cf
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# the address list specified with the inet_interfaces parameter.
# receives mail on (see the inet_interfaces parameter).
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# - destinations that match $inet_interfaces or $proxy_interfaces,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
[root@mail postfix]#
[root@mail postfix]# postconf inet_interfaces
inet_interfaces = localhost
[root@mail postfix]# postconf -e "inet_interfaces = all"
[root@mail postfix]# postconf inet_interfaces
inet_interfaces = all
[root@mail postfix]#
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail postfix]#
NOW CHECKING FROM OTHER HOST
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
telnet: connect to address 192.168.0.253: No route to host
telnet: Unable to connect to remote host: No route to host
STILL REFUSING CONNECTION, CHECK FIREWALL AND ADD FOLLOWING RULES.
[root@mail postfix]# iptables -I INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
check the trusted network.
[root@mail postfix]# postconf mynetworks
mynetworks = 127.0.0.0/8 192.168.122.0/24 192.168.0.0/24
FROM POSTFIX main.cf
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
Check defaults and current parameters.
[root@mail postfix]# postconf mynetworks_style
mynetworks_style = subnet
[root@mail postfix]# postconf -d mynetworks_style
mynetworks_style = subnet
checking myhostname parameters
[root@mail postfix]# postconf myhostname
myhostname = mail.taashee.com
[root@mail postfix]# postconf -d myhostname
myhostname = mail.taashee.com
[root@mail postfix]# postconf -d myorigin
myorigin = $myhostname
[root@mail postfix]# postconf -d mydomain
mydomain = example.com
[root@mail postfix]# postconf myorigin
myorigin = $myhostname
[root@mail postfix]#
CHECKING WITH MAIL COMMAND
[root@mail postfix]# su - raj
[raj@mail ~]$ echo testmail | mail -s thefirstmail rajat
THE OUTPUT OF tail -f /var/log/maillog.
July 711:07:27 mail postfix/pickup[6523]: 9FF6B135FCA: uid=511 from=
July 711:07:27 mail postfix/cleanup[8412]: 9FF6B135FCA: message-
id=<20090125053727.9FF6B135FCA@mail.taashee.com>
July 711:07:27 mail postfix/qmgr[6524]: 9FF6B135FCA: from=, size=336,
nrcpt=1 (queue active)
July 711:07:27 mail postfix/local[8414]: 9FF6B135FCA: to=, orig_to=,
relay=local, delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:07:27 mail postfix/qmgr[6524]: 9FF6B135FCA: removed
CHECKING MAIL ON RAJAT USER
[root@mail postfix]# mail -u rajat
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/rajat": 1 message 1 new
>N 1 rajat@mail. Sun July 711:07 14/498 "thefirstmail"
&
NOW CHANGE myorigin parameter
[root@mail postfix]# grep mydomain /etc/postfix/main.cf
# The mydomain parameter specifies the local internet domain name.
# $mydomain is used as a default value for many other configuration
#mydomain = domain.tld
# machines, you should (1) change this to $mydomain and (2) set up
myorigin = $mydomain
AND CHECK
[root@mail postfix]# postconf myorigin
myorigin = $mydomain
SET ALSO mydestination parameters.
[root@mail postfix]# postconf mydestination
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
SO WHENEVER YOU SEND A MAIL IT WILL SEND AS USER@mydomain instead of user@hostname and
$mydomain is also considered as local domain now.
LIKE FROM LOG
FIRST CASE WHEN myorigin = $myhostname
July 711:23:33 mail postfix/pickup[10798]: 91217135FD7: uid=511 from=
July 711:23:33 mail postfix/cleanup[10937]: 91217135FD7: message-
id=<20090125055333.91217135FD7@mail.taashee.com>
July 711:23:33 mail postfix/qmgr[10799]: 91217135FD7: from=, size=326,
nrcpt=1 (queue active)
July 711:23:33 mail postfix/local[10939]: 91217135FD7: to=, relay=local,
delay=0.04, delays=0.03/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:23:33 mail postfix/qmgr[10799]: 91217135FD7: removed
SECOND CASE WHEN myorigin = $mydomain
July 711:25:16 mail postfix/pickup[11177]: AE0F8135FD7: uid=511 from=
July 711:25:16 mail postfix/cleanup[11247]: AE0F8135FD7: message-
id=<20090125055516.AE0F8135FD7@mail.taashee.com>
July 711:25:16 mail postfix/qmgr[11178]: AE0F8135FD7: from=, size=315,
nrcpt=1 (queue active)
July 711:25:16 mail postfix/local[11249]: AE0F8135FD7: to=, relay=local,
delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:25:16 mail postfix/qmgr[11178]: AE0F8135FD7: removed
REDUCE INFORMATION LEAKAGE BY DISABLING THE vrfy command
[root@mail postfix]# postconf disable_vrfy_command
disable_vrfy_command = no
[root@mail postfix]# postconf -e 'disable_vrfy_command = yes'
[root@mail postfix]# postconf disable_vrfy_command
disable_vrfy_command = yes
[root@mail postfix]#
LET US CHECK
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
vrfy rajat
502 5.5.1 VRFY command is disabled
[root@mail postfix]# postconf smtpd_banner
smtpd_banner = $myhostname ESMTP $mail_name
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
vrfy rajat
502 5.5.1 VRFY command is disabled
^]
telnet> quit
Connection closed.
[root@mail postfix]# postconf -e 'smtpd_banner = $myhostname ESMTP'
[root@mail postfix]# postconf smtpd_banner
smtpd_banner = $myhostname ESMTP
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix:
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP
FORCE CONNECTING HOST TO ISSUE A CORRECT HELO OR EHLO BEFORE SENDING ANY COMMAND
[root@mail postfix]# postconf smtpd_helo_required
smtpd_helo_required = no
[root@mail postfix]# postconf -e 'smtpd_helo_required = yes'
[root@mail postfix]# postconf smtpd_helo_required
smtpd_helo_required = yes
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail postfix]#
SIMILARLY ALSO SEND HELO OR EHLO WHEN WE ESTABLIESHED THE CONNECTION
[root@mail postfix]# postconf smtp_always_send_ehlo
smtp_always_send_ehlo = yes
LET US SETUP MAIL BOX DELEVERY AS MAIL DIR.
[root@mail postfix]# postconf home_mailbox
home_mailbox = Maildir/
[root@mail postfix]# postconf -e 'home_mailbox = Maildir/'
[root@mail postfix]# yum install dovecot
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for dovecot to pack into transaction set.
dovecot-1.0-1.2.rc15.el5. 100% |=========================| 27 kB 00:00
---> Package dovecot.i386 0:1.0-1.2.rc15.el5 set to be updated
--> Running transaction check
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15) for package: dovecot
--> Processing Dependency: libmysqlclient.so.15 for package: dovecot
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mysql to pack into transaction set.
mysql-5.0.22-2.1.0.1.i386 100% |=========================| 36 kB 00:00
---> Package mysql.i386 0:5.0.22-2.1.0.1 set to be updated
--> Running transaction check
--> Processing Dependency: perl(DBI) for package: mysql
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for perl-DBI to pack into transaction set.
perl-DBI-1.52-1.fc6.i386. 100% |=========================| 16 kB 00:00
---> Package perl-DBI.i386 0:1.52-1.fc6 set to be updated
--> Running transaction check
Dependencies Resolved
================================================================
Package Arch Version Repository Size
================================================================
Installing:
dovecot i386 1.0-1.2.rc15.el5 rhel 1.5 M
Installing for dependencies:
mysql i386 5.0.22-2.1.0.1 rhel 3.0 M
perl-DBI i386 1.52-1.fc6 rhel 605 k
Transaction Summary
================================================================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 5.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): dovecot-1.0-1.2.rc 100% |=========================| 1.5 MB 00:00
(2/3): perl-DBI-1.52-1.fc 100% |=========================| 605 kB 00:00
(3/3): mysql-5.0.22-2.1.0 100% |=========================| 3.0 MB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: perl-DBI ######################### [1/3]
Installing: mysql ######################### [2/3]
Installing: dovecot ######################### [3/3]
Installed: dovecot.i386 0:1.0-1.2.rc15.el5
Dependency Installed: mysql.i386 0:5.0.22-2.1.0.1 perl-DBI.i386 0:1.52-1.fc6
Complete!
[root@mail postfix]#
UNCOMMENT THE FOLLOWING LINE FROM /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
AS WE NEED TO SETUP DOVECOT TO ACCEPT MAIL AS MAILDIR FORMAT WE NEED TO CHANGE
FOLLOWING LINE ALSO.
mail_location = maildir:~/Maildir
[root@mail postfix]# service dovecot restart
Stopping Dovecot Imap: [FAILED]
Starting Dovecot Imap: [ OK ]
[root@mail postfix]# chkconfig dovecot on
[root@mail postfix]#
LET US NOW CONFIGURE SASL ON CLIENT SIDE AUTHENTICATION
[root@mail postfix]# chkconfig --list | grep saslauthd
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@mail postfix]#
[root@mail postfix]# chkconfig saslauthd on
ONE CAN REFFER [root@mail postfix]# vim /usr/share/doc/postfix-2.3.3/README_FILES/SASL_README
[root@mail postfix]# postconf smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = no
[root@mail postfix]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail postfix]# postconf smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = yes
FROM main.cf
#sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_mynetworks permit_sasl_authenticated
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
---------------
Added dovecot configuration on date
-----------
Add following entry in "auth default " section at the end. ( /etc/dovecot.conf )
---------entry start-----------
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
} <-----------do not add this, it is already there to complete the auth default section.
-----------end----------
Thanks.
Rajat
First check postfix is install or not. ( You need to require basic repository to be setup )
[root@mail ~]# yum list postfix
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up repositories
Reading repository metadata in from local files
Available Packages
postfix.i386 2:2.3.3-2 rhel
[root@mail ~]#
Now install postfix
[root@mail ~]# yum install postfix
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for postfix to pack into transaction set.
postfix-2.3.3-2.i386.rpm 100% |=========================| 41 kB 00:00
---> Package postfix.i386 2:2.3.3-2 set to be updated
--> Running transaction check
Dependencies Resolved
================================================================
Package Arch Version Repository Size
================================================================
Installing:
postfix i386 2:2.3.3-2 rhel 3.6 M
Transaction Summary
================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 3.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/1): postfix-2.3.3-2.i3 100% |=========================| 3.6 MB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: postfix ######################### [1/1]
Installed: postfix.i386 2:2.3.3-2
Complete!
[root@mail ~]#
Let us make postfix default mta
[root@mail ~]# alternatives --display mta
mta - status is auto.
link currently points to /usr/sbin/sendmail.sendmail
/usr/sbin/sendmail.sendmail - priority 90
slave mta-pam: /etc/pam.d/smtp.sendmail
slave mta-mailq: /usr/bin/mailq.sendmail
slave mta-newaliases: /usr/bin/newaliases.sendmail
slave mta-rmail: /usr/bin/rmail.sendmail
slave mta-sendmail: /usr/lib/sendmail.sendmail
slave mta-mailqman: /usr/share/man/man1/mailq.sendmail.1.gz
slave mta-newaliasesman: /usr/share/man/man1/newaliases.sendmail.1.gz
slave mta-aliasesman: /usr/share/man/man5/aliases.sendmail.5.gz
slave mta-sendmailman: /usr/share/man/man8/sendmail.sendmail.8.gz
/usr/sbin/sendmail.postfix - priority 30
slave mta-pam: /etc/pam.d/smtp.postfix
slave mta-mailq: /usr/bin/mailq.postfix
slave mta-newaliases: /usr/bin/newaliases.postfix
slave mta-rmail: /usr/bin/rmail.postfix
slave mta-sendmail: /usr/lib/sendmail.postfix
slave mta-mailqman: /usr/share/man/man1/mailq.postfix.1.gz
slave mta-newaliasesman: /usr/share/man/man1/newaliases.postfix.1.gz
slave mta-aliasesman: /usr/share/man/man5/aliases.postfix.5.gz
slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
Current `best' version is /usr/sbin/sendmail.sendmail.
[root@mail ~]#
[root@mail ~]# alternatives --config mta
There are 2 programs which provide 'mta'.
Selection Command
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter to keep the current selection[+], or type selection number: 2
[root@mail ~]#
Stop sendmail
[root@mail ~]# service sendmail stop
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
[root@mail ~]# chkconfig sendmail off
Start Postfix
[root@mail ~]# chkconfig postfix on
[root@mail ~]# service postfix start
Starting postfix: [ OK ]
[root@mail ~]#
CHECK POSTFIX LISTING ON .
[root@mail ~]# netstat -tlpn | grep ':25'
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5108/master
[root@mail ~]#
As it is listing on localhost onle need to enabled it listen to all address.
[root@mail postfix]# postconf -n | grep interfaces
inet_interfaces = localhost
[root@mail postfix]#
FROM OTHER HOST 192.168.0.101
[root@mail postfix]# postconf -n | grep interfaces
inet_interfaces = localhost
[root@mail postfix]#
FROM LOCALHOST
[root@mail postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
SO LET IT LISTION TO ALL PORTS
[root@mail postfix]# grep inet_interfaces main.cf
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# the address list specified with the inet_interfaces parameter.
# receives mail on (see the inet_interfaces parameter).
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# - destinations that match $inet_interfaces or $proxy_interfaces,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
[root@mail postfix]#
[root@mail postfix]# postconf inet_interfaces
inet_interfaces = localhost
[root@mail postfix]# postconf -e "inet_interfaces = all"
[root@mail postfix]# postconf inet_interfaces
inet_interfaces = all
[root@mail postfix]#
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail postfix]#
NOW CHECKING FROM OTHER HOST
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
telnet: connect to address 192.168.0.253: No route to host
telnet: Unable to connect to remote host: No route to host
STILL REFUSING CONNECTION, CHECK FIREWALL AND ADD FOLLOWING RULES.
[root@mail postfix]# iptables -I INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
check the trusted network.
[root@mail postfix]# postconf mynetworks
mynetworks = 127.0.0.0/8 192.168.122.0/24 192.168.0.0/24
FROM POSTFIX main.cf
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
Check defaults and current parameters.
[root@mail postfix]# postconf mynetworks_style
mynetworks_style = subnet
[root@mail postfix]# postconf -d mynetworks_style
mynetworks_style = subnet
checking myhostname parameters
[root@mail postfix]# postconf myhostname
myhostname = mail.taashee.com
[root@mail postfix]# postconf -d myhostname
myhostname = mail.taashee.com
[root@mail postfix]# postconf -d myorigin
myorigin = $myhostname
[root@mail postfix]# postconf -d mydomain
mydomain = example.com
[root@mail postfix]# postconf myorigin
myorigin = $myhostname
[root@mail postfix]#
CHECKING WITH MAIL COMMAND
[root@mail postfix]# su - raj
[raj@mail ~]$ echo testmail | mail -s thefirstmail rajat
THE OUTPUT OF tail -f /var/log/maillog.
July 711:07:27 mail postfix/pickup[6523]: 9FF6B135FCA: uid=511 from=
July 711:07:27 mail postfix/cleanup[8412]: 9FF6B135FCA: message-
id=<20090125053727.9FF6B135FCA@mail.taashee.com>
July 711:07:27 mail postfix/qmgr[6524]: 9FF6B135FCA: from=
nrcpt=1 (queue active)
July 711:07:27 mail postfix/local[8414]: 9FF6B135FCA: to=
relay=local, delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:07:27 mail postfix/qmgr[6524]: 9FF6B135FCA: removed
CHECKING MAIL ON RAJAT USER
[root@mail postfix]# mail -u rajat
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/rajat": 1 message 1 new
>N 1 rajat@mail. Sun July 711:07 14/498 "thefirstmail"
&
NOW CHANGE myorigin parameter
[root@mail postfix]# grep mydomain /etc/postfix/main.cf
# The mydomain parameter specifies the local internet domain name.
# $mydomain is used as a default value for many other configuration
#mydomain = domain.tld
# machines, you should (1) change this to $mydomain and (2) set up
myorigin = $mydomain
AND CHECK
[root@mail postfix]# postconf myorigin
myorigin = $mydomain
SET ALSO mydestination parameters.
[root@mail postfix]# postconf mydestination
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
SO WHENEVER YOU SEND A MAIL IT WILL SEND AS USER@mydomain instead of user@hostname and
$mydomain is also considered as local domain now.
LIKE FROM LOG
FIRST CASE WHEN myorigin = $myhostname
July 711:23:33 mail postfix/pickup[10798]: 91217135FD7: uid=511 from=
July 711:23:33 mail postfix/cleanup[10937]: 91217135FD7: message-
id=<20090125055333.91217135FD7@mail.taashee.com>
July 711:23:33 mail postfix/qmgr[10799]: 91217135FD7: from=
nrcpt=1 (queue active)
July 711:23:33 mail postfix/local[10939]: 91217135FD7: to=
delay=0.04, delays=0.03/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:23:33 mail postfix/qmgr[10799]: 91217135FD7: removed
SECOND CASE WHEN myorigin = $mydomain
July 711:25:16 mail postfix/pickup[11177]: AE0F8135FD7: uid=511 from=
July 711:25:16 mail postfix/cleanup[11247]: AE0F8135FD7: message-
id=<20090125055516.AE0F8135FD7@mail.taashee.com>
July 711:25:16 mail postfix/qmgr[11178]: AE0F8135FD7: from=
nrcpt=1 (queue active)
July 711:25:16 mail postfix/local[11249]: AE0F8135FD7: to=
delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
July 711:25:16 mail postfix/qmgr[11178]: AE0F8135FD7: removed
REDUCE INFORMATION LEAKAGE BY DISABLING THE vrfy command
[root@mail postfix]# postconf disable_vrfy_command
disable_vrfy_command = no
[root@mail postfix]# postconf -e 'disable_vrfy_command = yes'
[root@mail postfix]# postconf disable_vrfy_command
disable_vrfy_command = yes
[root@mail postfix]#
LET US CHECK
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
vrfy rajat
502 5.5.1 VRFY command is disabled
[root@mail postfix]# postconf smtpd_banner
smtpd_banner = $myhostname ESMTP $mail_name
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP Postfix
vrfy rajat
502 5.5.1 VRFY command is disabled
^]
telnet> quit
Connection closed.
[root@mail postfix]# postconf -e 'smtpd_banner = $myhostname ESMTP'
[root@mail postfix]# postconf smtpd_banner
smtpd_banner = $myhostname ESMTP
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix:
[root@vhost ~]# telnet 192.168.0.253 25
Trying 192.168.0.253...
Connected to mail.taashee.com (192.168.0.253).
Escape character is '^]'.
220 mail.taashee.com ESMTP
FORCE CONNECTING HOST TO ISSUE A CORRECT HELO OR EHLO BEFORE SENDING ANY COMMAND
[root@mail postfix]# postconf smtpd_helo_required
smtpd_helo_required = no
[root@mail postfix]# postconf -e 'smtpd_helo_required = yes'
[root@mail postfix]# postconf smtpd_helo_required
smtpd_helo_required = yes
[root@mail postfix]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail postfix]#
SIMILARLY ALSO SEND HELO OR EHLO WHEN WE ESTABLIESHED THE CONNECTION
[root@mail postfix]# postconf smtp_always_send_ehlo
smtp_always_send_ehlo = yes
LET US SETUP MAIL BOX DELEVERY AS MAIL DIR.
[root@mail postfix]# postconf home_mailbox
home_mailbox = Maildir/
[root@mail postfix]# postconf -e 'home_mailbox = Maildir/'
[root@mail postfix]# yum install dovecot
Loading "security" plugin
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for dovecot to pack into transaction set.
dovecot-1.0-1.2.rc15.el5. 100% |=========================| 27 kB 00:00
---> Package dovecot.i386 0:1.0-1.2.rc15.el5 set to be updated
--> Running transaction check
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15) for package: dovecot
--> Processing Dependency: libmysqlclient.so.15 for package: dovecot
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mysql to pack into transaction set.
mysql-5.0.22-2.1.0.1.i386 100% |=========================| 36 kB 00:00
---> Package mysql.i386 0:5.0.22-2.1.0.1 set to be updated
--> Running transaction check
--> Processing Dependency: perl(DBI) for package: mysql
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for perl-DBI to pack into transaction set.
perl-DBI-1.52-1.fc6.i386. 100% |=========================| 16 kB 00:00
---> Package perl-DBI.i386 0:1.52-1.fc6 set to be updated
--> Running transaction check
Dependencies Resolved
================================================================
Package Arch Version Repository Size
================================================================
Installing:
dovecot i386 1.0-1.2.rc15.el5 rhel 1.5 M
Installing for dependencies:
mysql i386 5.0.22-2.1.0.1 rhel 3.0 M
perl-DBI i386 1.52-1.fc6 rhel 605 k
Transaction Summary
================================================================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 5.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): dovecot-1.0-1.2.rc 100% |=========================| 1.5 MB 00:00
(2/3): perl-DBI-1.52-1.fc 100% |=========================| 605 kB 00:00
(3/3): mysql-5.0.22-2.1.0 100% |=========================| 3.0 MB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: perl-DBI ######################### [1/3]
Installing: mysql ######################### [2/3]
Installing: dovecot ######################### [3/3]
Installed: dovecot.i386 0:1.0-1.2.rc15.el5
Dependency Installed: mysql.i386 0:5.0.22-2.1.0.1 perl-DBI.i386 0:1.52-1.fc6
Complete!
[root@mail postfix]#
UNCOMMENT THE FOLLOWING LINE FROM /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
AS WE NEED TO SETUP DOVECOT TO ACCEPT MAIL AS MAILDIR FORMAT WE NEED TO CHANGE
FOLLOWING LINE ALSO.
mail_location = maildir:~/Maildir
[root@mail postfix]# service dovecot restart
Stopping Dovecot Imap: [FAILED]
Starting Dovecot Imap: [ OK ]
[root@mail postfix]# chkconfig dovecot on
[root@mail postfix]#
LET US NOW CONFIGURE SASL ON CLIENT SIDE AUTHENTICATION
[root@mail postfix]# chkconfig --list | grep saslauthd
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@mail postfix]#
[root@mail postfix]# chkconfig saslauthd on
ONE CAN REFFER [root@mail postfix]# vim /usr/share/doc/postfix-2.3.3/README_FILES/SASL_README
[root@mail postfix]# postconf smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = no
[root@mail postfix]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail postfix]# postconf smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = yes
FROM main.cf
#sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_mynetworks permit_sasl_authenticated
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
---------------
Added dovecot configuration on date
-----------
Add following entry in "auth default " section at the end. ( /etc/dovecot.conf )
---------entry start-----------
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
} <-----------do not add this, it is already there to complete the auth default section.
-----------end----------
Thanks.
Rajat
Linux Memory use
#!/usr/bin/python
import os, sys, time
a="\x00"*(32*1024*1024) #alloc 32MiB
pid=os.fork()
if(not pid):
time.sleep(1)
sys.exit()
sizel=map(float,open("/proc/"+str(pid)+"/statm").readlines()[0].split()[1:3])
print "only %.1f%% reported as shared" % ((sizel[1]/sizel[0])*100)
os.wait()
--
import sys, os, string
if os.geteuid() != 0:
sys.stderr.write("Sorry, root permission required.\n");
sys.exit(1)
PAGESIZE=os.sysconf("SC_PAGE_SIZE")/1024 #KiB
our_pid=os.getpid()
#(major,minor,release)
def kernel_ver():
kv=open("/proc/sys/kernel/osrelease").readline().split(".")[:3]
for char in "-_":
kv[2]=kv[2].split(char)[0]
return (int(kv[0]), int(kv[1]), int(kv[2]))
kv=kernel_ver()
have_pss=0
#return Private,Shared
#Note shared is always a subset of rss (trs is not always)
def getMemStats(pid):
global have_pss
Private_lines=[]
Shared_lines=[]
Pss_lines=[]
Rss=int(open("/proc/"+str(pid)+"/statm").readline().split()[1])*PAGESIZE
if os.path.exists("/proc/"+str(pid)+"/smaps"): #stat
for line in open("/proc/"+str(pid)+"/smaps").readlines(): #open
if line.startswith("Shared"):
Shared_lines.append(line)
elif line.startswith("Private"):
Private_lines.append(line)
elif line.startswith("Pss"):
have_pss=1
Pss_lines.append(line)
Shared=sum([int(line.split()[1]) for line in Shared_lines])
Private=sum([int(line.split()[1]) for line in Private_lines])
#Note Shared + Private = Rss above
#The Rss in smaps includes video card mem etc.
if have_pss:
pss_adjust=0.5 #add 0.5KiB as this average error due to trunctation
Pss=sum([float(line.split()[1])+pss_adjust for line in Pss_lines])
Shared = Pss - Private
elif (2,6,1) <= kv <= (2,6,9):
Shared=0 #lots of overestimation, but what can we do?
Private = Rss
else:
Shared=int(open("/proc/"+str(pid)+"/statm").readline().split()[2])
Shared*=PAGESIZE
Private = Rss - Shared
return (Private, Shared)
def getCmdName(pid):
cmd = file("/proc/%d/status" % pid).readline()[6:-1]
exe = os.path.basename(os.path.realpath("/proc/%d/exe" % pid))
if exe.startswith(cmd):
cmd=exe #show non truncated version
#Note because we show the non truncated name
#one can have separated programs as follows:
#584.0 KiB + 1.0 MiB = 1.6 MiB mozilla-thunder (exe -> bash)
# 56.0 MiB + 22.2 MiB = 78.2 MiB mozilla-thunderbird-bin
return cmd
cmds={}
shareds={}
count={}
for pid in os.listdir("/proc/"):
try:
pid = int(pid) #note Thread IDs not listed in /proc/ which is good
if pid == our_pid: continue
except:
continue
try:
cmd = getCmdName(pid)
except:
#permission denied or
#kernel threads don't have exe links or
#process gone
continue
try:
private, shared = getMemStats(pid)
except:
continue #process gone
if shareds.get(cmd):
if have_pss: #add shared portion of PSS together
shareds[cmd]+=shared
elif shareds[cmd] < shared: #just take largest shared val
shareds[cmd]=shared
else:
shareds[cmd]=shared
cmds[cmd]=cmds.setdefault(cmd,0)+private
if count.has_key(cmd):
count[cmd] += 1
else:
count[cmd] = 1
#Add shared mem for each program
total=0
for cmd in cmds.keys():
cmds[cmd]=cmds[cmd]+shareds[cmd]
total+=cmds[cmd] #valid if PSS available
sort_list = cmds.items()
sort_list.sort(lambda x,y:cmp(x[1],y[1]))
sort_list=filter(lambda x:x[1],sort_list) #get rid of zero sized processes
#The following matches "du -h" output
#see also human.py
def human(num, power="Ki"):
powers=["Ki","Mi","Gi","Ti"]
while num >= 1000: #4 digits
num /= 1024.0
power=powers[powers.index(power)+1]
return "%.1f %s" % (num,power)
def cmd_with_count(cmd, count):
if count>1:
return "%s (%u)" % (cmd, count)
else:
return cmd
print " Private + Shared = RAM used\tProgram \n"
for cmd in sort_list:
print "%8sB + %8sB = %8sB\t%s" % (human(cmd[1]-shareds[cmd[0]]),
human(shareds[cmd[0]]), human(cmd[1]),
cmd_with_count(cmd[0], count[cmd[0]]))
if have_pss:
print "-" * 33
print " " * 24 + "%8sB" % human(total)
print "=" * 33
print "\n Private + Shared = RAM used\tProgram \n"
#Warn of possible inaccuracies
#2 = accurate & can total
#1 = accurate only considering each process in isolation
#0 = some shared mem not reported
#-1= all shared mem not reported
def shared_val_accuracy():
"""http://wiki.apache.org/spamassassin/TopSharedMemoryBug"""
if kv[:2] == (2,4):
if open("/proc/meminfo").read().find("Inact_") == -1:
return 1
return 0
elif kv[:2] == (2,6):
if os.path.exists("/proc/"+str(os.getpid())+"/smaps"):
if open("/proc/"+str(os.getpid())+"/smaps").read().find("Pss:")!=-1:
return 2
else:
return 1
if (2,6,1) <= kv <= (2,6,9):
return -1
return 0
else:
return 1
vm_accuracy = shared_val_accuracy()
if vm_accuracy == -1:
sys.stderr.write(
"Warning: Shared memory is not reported by this system.\n"
)
sys.stderr.write(
"Values reported will be too large, and totals are not reported\n"
)
elif vm_accuracy == 0:
sys.stderr.write(
"Warning: Shared memory is not reported accurately by this system.\n"
)
sys.stderr.write(
"Values reported could be too large, and totals are not reported\n"
)
elif vm_accuracy == 1:
sys.stderr.write(
"Warning: Shared memory is slightly over-estimated by this system\n"
"for each program, so totals are not reported.\n"
)
import os, sys, time
a="\x00"*(32*1024*1024) #alloc 32MiB
pid=os.fork()
if(not pid):
time.sleep(1)
sys.exit()
sizel=map(float,open("/proc/"+str(pid)+"/statm").readlines()[0].split()[1:3])
print "only %.1f%% reported as shared" % ((sizel[1]/sizel[0])*100)
os.wait()
--
import sys, os, string
if os.geteuid() != 0:
sys.stderr.write("Sorry, root permission required.\n");
sys.exit(1)
PAGESIZE=os.sysconf("SC_PAGE_SIZE")/1024 #KiB
our_pid=os.getpid()
#(major,minor,release)
def kernel_ver():
kv=open("/proc/sys/kernel/osrelease").readline().split(".")[:3]
for char in "-_":
kv[2]=kv[2].split(char)[0]
return (int(kv[0]), int(kv[1]), int(kv[2]))
kv=kernel_ver()
have_pss=0
#return Private,Shared
#Note shared is always a subset of rss (trs is not always)
def getMemStats(pid):
global have_pss
Private_lines=[]
Shared_lines=[]
Pss_lines=[]
Rss=int(open("/proc/"+str(pid)+"/statm").readline().split()[1])*PAGESIZE
if os.path.exists("/proc/"+str(pid)+"/smaps"): #stat
for line in open("/proc/"+str(pid)+"/smaps").readlines(): #open
if line.startswith("Shared"):
Shared_lines.append(line)
elif line.startswith("Private"):
Private_lines.append(line)
elif line.startswith("Pss"):
have_pss=1
Pss_lines.append(line)
Shared=sum([int(line.split()[1]) for line in Shared_lines])
Private=sum([int(line.split()[1]) for line in Private_lines])
#Note Shared + Private = Rss above
#The Rss in smaps includes video card mem etc.
if have_pss:
pss_adjust=0.5 #add 0.5KiB as this average error due to trunctation
Pss=sum([float(line.split()[1])+pss_adjust for line in Pss_lines])
Shared = Pss - Private
elif (2,6,1) <= kv <= (2,6,9):
Shared=0 #lots of overestimation, but what can we do?
Private = Rss
else:
Shared=int(open("/proc/"+str(pid)+"/statm").readline().split()[2])
Shared*=PAGESIZE
Private = Rss - Shared
return (Private, Shared)
def getCmdName(pid):
cmd = file("/proc/%d/status" % pid).readline()[6:-1]
exe = os.path.basename(os.path.realpath("/proc/%d/exe" % pid))
if exe.startswith(cmd):
cmd=exe #show non truncated version
#Note because we show the non truncated name
#one can have separated programs as follows:
#584.0 KiB + 1.0 MiB = 1.6 MiB mozilla-thunder (exe -> bash)
# 56.0 MiB + 22.2 MiB = 78.2 MiB mozilla-thunderbird-bin
return cmd
cmds={}
shareds={}
count={}
for pid in os.listdir("/proc/"):
try:
pid = int(pid) #note Thread IDs not listed in /proc/ which is good
if pid == our_pid: continue
except:
continue
try:
cmd = getCmdName(pid)
except:
#permission denied or
#kernel threads don't have exe links or
#process gone
continue
try:
private, shared = getMemStats(pid)
except:
continue #process gone
if shareds.get(cmd):
if have_pss: #add shared portion of PSS together
shareds[cmd]+=shared
elif shareds[cmd] < shared: #just take largest shared val
shareds[cmd]=shared
else:
shareds[cmd]=shared
cmds[cmd]=cmds.setdefault(cmd,0)+private
if count.has_key(cmd):
count[cmd] += 1
else:
count[cmd] = 1
#Add shared mem for each program
total=0
for cmd in cmds.keys():
cmds[cmd]=cmds[cmd]+shareds[cmd]
total+=cmds[cmd] #valid if PSS available
sort_list = cmds.items()
sort_list.sort(lambda x,y:cmp(x[1],y[1]))
sort_list=filter(lambda x:x[1],sort_list) #get rid of zero sized processes
#The following matches "du -h" output
#see also human.py
def human(num, power="Ki"):
powers=["Ki","Mi","Gi","Ti"]
while num >= 1000: #4 digits
num /= 1024.0
power=powers[powers.index(power)+1]
return "%.1f %s" % (num,power)
def cmd_with_count(cmd, count):
if count>1:
return "%s (%u)" % (cmd, count)
else:
return cmd
print " Private + Shared = RAM used\tProgram \n"
for cmd in sort_list:
print "%8sB + %8sB = %8sB\t%s" % (human(cmd[1]-shareds[cmd[0]]),
human(shareds[cmd[0]]), human(cmd[1]),
cmd_with_count(cmd[0], count[cmd[0]]))
if have_pss:
print "-" * 33
print " " * 24 + "%8sB" % human(total)
print "=" * 33
print "\n Private + Shared = RAM used\tProgram \n"
#Warn of possible inaccuracies
#2 = accurate & can total
#1 = accurate only considering each process in isolation
#0 = some shared mem not reported
#-1= all shared mem not reported
def shared_val_accuracy():
"""http://wiki.apache.org/spamassassin/TopSharedMemoryBug"""
if kv[:2] == (2,4):
if open("/proc/meminfo").read().find("Inact_") == -1:
return 1
return 0
elif kv[:2] == (2,6):
if os.path.exists("/proc/"+str(os.getpid())+"/smaps"):
if open("/proc/"+str(os.getpid())+"/smaps").read().find("Pss:")!=-1:
return 2
else:
return 1
if (2,6,1) <= kv <= (2,6,9):
return -1
return 0
else:
return 1
vm_accuracy = shared_val_accuracy()
if vm_accuracy == -1:
sys.stderr.write(
"Warning: Shared memory is not reported by this system.\n"
)
sys.stderr.write(
"Values reported will be too large, and totals are not reported\n"
)
elif vm_accuracy == 0:
sys.stderr.write(
"Warning: Shared memory is not reported accurately by this system.\n"
)
sys.stderr.write(
"Values reported could be too large, and totals are not reported\n"
)
elif vm_accuracy == 1:
sys.stderr.write(
"Warning: Shared memory is slightly over-estimated by this system\n"
"for each program, so totals are not reported.\n"
)
Performance and Tuning
Kernel
To successfully run enterprise applications, such as a database server, on your Linux distribution, you may be required to update some of the default kernel parameter settings. For example, the 2.4.x series kernel message queue parameter msgmni has a default value (for example, shared memory, or shmmax is only 33,554,432 bytes on Red Hat Linux by default) that allows only a limited number of simultaneous connections to a database. Here are some recommended values (by the IBM DB2 Support Web site) for database servers to run optimally:
- kernel.shmmax=268435456 for 32-bit
- kernel.shmmax=1073741824 for 64-bit
- kernel.msgmni=1024
- fs.file-max=8192
- kernel.sem="250 32000 32 1024"
Shared Memory
To view current settings, run command:
# more /proc/sys/kernel/shmmax
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 268435456 > /proc/sys/kernel/shmmax
To set it to a new value permanently (so it survives reboots), modify the sysctl.conf file:
...
kernel.shmmax = 268435456
...
Semaphores
To view current settings, run command:
# more /proc/sys/kernel/sem
250 32000 32 1024
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 500 512000 64 2048 > /proc/sys/kernel/sem
Parameters meaning:
SEMMSL - semaphores per ID
SEMMNS - (SEMMNI*SEMMSL) max semaphores in system
SEMOPM - max operations per semop call
SEMMNI - max semaphore identifiers
ulimits
To view current settings, run command:
# ulimit -a
To set it to a new value for this running session, which takes effect immediately, run command:
# ulimit -n 8800
# ulimit -n -1 // for unlimited; recommended if server isn't shared
Alternatively, if you want the changes to survive reboot, do the following:
- Exit all shell sessions for the user you want to change limits on.
- As root, edit the file /etc/security/limits.conf and add these two lines toward the end:
user1 soft nofile 16000
user1 hard nofile 20000
** the two lines above changes the max number of file handles - nofile - to new settings.
- Save the file.
- Login as the user1 again. The new changes will be in effect.
Message queues
To view current settings, run command:
# more /proc/sys/kernel/msgmni
# more /proc/sys/kernel/msgmax
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 2048 > /proc/sys/kernel/msgmni
# echo 64000 > /proc/sys/kernel/msgmax
Network
Gigabit-based network interfaces have many performance-related parameters inside of their device driver such as CPU affinity. Also, the TCP protocol can be tuned to increase network throughput for connection-hungry applications.
Tune TCP
To view current TCP settings, run command:
# sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 7200 // 2 hours
where net.ipv4.tcp_keepalive_time is a TCP tuning parameter.
To set a TCP parameter to a value, run command:
# sysctl -w net.ipv4.tcp_keepalive_time=1800
A list of recommended TCP parameters, values, and their meanings:
Tuning Parameter Tuning Value Description of impact
------------------------------------------------------------------------------
net.ipv4.tcp_tw_reuse
net.ipv4.tcp_tw_recycle 1 Reuse sockets in the time-wait state
---
net.core.wmem_max 8388608 Increase the maximum write buffer queue size
---
net.core.rmem_max 8388608 Increase the maximum read buffer queue size
---
net.ipv4.tcp_rmem 4096 87380 8388608 Set the minimum, initial, and maximum sizes for the
read buffer. Note that this maximum should be less
than or equal to the value set in net.core.rmem_max.
---
net.ipv4.tcp_wmem 4096 87380 8388608 Set the minimum, initial, and maximum sizes for the
write buffer. Note that this maximum should be less
than or equal to the value set in net.core.wmem_max.
---
timeout_timewait echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout Determines the time that must elapse before
TCP/IP can release a closed connection and reuse its resources.
This interval between closure and release is known as the TIME_WAIT
state or twice the maximum segment lifetime (2MSL) state.
During this time, reopening the connection to the client and
server cost less than establishing a new connection. By reducing the
value of this entry, TCP/IP can release closed connections faster, providing
more resources for new connections. Adjust this parameter if the running application
requires rapid release, the creation of new connections, and a low throughput
due to many connections sitting in the TIME_WAIT state.
Disk I/O
Choose the Right File System
Use 'ext3' file system in Linux.
- It is enhanced version of ext2
- With journaling capability - high level of data integrity (in event of unclean shutdown)
- It does not need to check disks on unclean shutdown and reboot (time consuming)
- Faster write - ext3 journaling optimizes hard drive head motion
# mke2fs -j -b 2048 -i 4096 /dev/sda
mke2fs 1.32 (09-Nov-2002)
/dev/sda is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=2048 (log=1)
Fragment size=2048 (log=1)
13107200 inodes, 26214400 blocks
1310720 blocks (5.00%) reserved for the super user
First data block=0
1600 block groups
16384 blocks per group, 16384 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
16384, 49152, 81920, 114688, 147456, 409600, 442368, 802816, 1327104,
2048000, 3981312, 5619712, 10240000, 11943936
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Use 'noatime' File System Mount Option
Use 'noatime' option in the file system boot-up configuration file 'fstab'. Edit the fstab file under /etc. This option works the best if external storage is used, for example, SAN:
# more /etc/fstab
LABEL=/ / ext3 defaults 1 1
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sdc2 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
/dev/sda /database ext3 defaults,noatime 1 2
/dev/sdb /logs ext3 defaults,noatime 1 2
/dev/sdc /multimediafiles ext3 defaults,noatime 1 2
Tune the Elevator Algorithm in Linux Kernel for Disk I/O
After choosing the file system, there are several kernel and mounting options that can affect it. One such kernel setting is the elevator algorithm. Tuning the elevator algorithm helps the system balance the need for low latency with the need to collect enough data to efficiently organize batches of read and write requests to the disk. The elevator algorithm can be adjusted with the following command:
# elvtune -r 1024 -w 2048 /dev/sda
/dev/sda elevator ID 2
read_latency: 1024
write_latency: 2048
max_bomb_segments: 6
The parameters are: read latency (-r), write latency (-w) and the device affected.
Red Hat recommends using a read latency half the size of the write latency (as shown).
As usual, to make this setting permanent, add the 'elvtune' command to the
/etc/rc.d/rc.local script.
Others
Disable Unnecessary Daemons (They Take up Memory and CPU)
There are daemons (background services) running on every server that are probably not needed. Disabling these daemons frees memory, decreases startup time, and decreases the number of processes that the CPU has to handle. A side benefit to this is increased security of the server because fewer daemons mean fewer exploitable processes.
Some example Linux daemons running by default (and should be disabled). Use command:
#/sbin/chkconfig --levels 2345 sendmail off
#/sbin/chkconfig sendmail off
Daemon
Description
apmd
Advanced power management daemon
autofs
Automatically mounts file systems on demand (i.e.: mounts a CD-ROM automatically)
cups
Common UNIX� Printing System
hpoj
HP OfficeJet support
isdn
ISDN modem support
netfs
Used in support of exporting NFS shares
nfslock
Used for file locking with NFS
pcmcia
PCMCIA support on a server
rhnsd
Red Hat Network update service for checking for updates and security errata
sendmail
Mail Transport Agent
xfs
Font server for X Windows
Shutdown GUI
Normally, there is no need for a GUI on a Linux server. All administration tasks can be achieved by the command line, redirecting the X display or through a Web browser interface. Modify the 'inittab' file to set boot level as 3:
To set the initial runlevel (3 instead of 5) of a machine at boot,
modify the /etc/inittab file as shown:
http://i35.tinypic.com/2d2jdbr.jpg
To successfully run enterprise applications, such as a database server, on your Linux distribution, you may be required to update some of the default kernel parameter settings. For example, the 2.4.x series kernel message queue parameter msgmni has a default value (for example, shared memory, or shmmax is only 33,554,432 bytes on Red Hat Linux by default) that allows only a limited number of simultaneous connections to a database. Here are some recommended values (by the IBM DB2 Support Web site) for database servers to run optimally:
- kernel.shmmax=268435456 for 32-bit
- kernel.shmmax=1073741824 for 64-bit
- kernel.msgmni=1024
- fs.file-max=8192
- kernel.sem="250 32000 32 1024"
Shared Memory
To view current settings, run command:
# more /proc/sys/kernel/shmmax
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 268435456 > /proc/sys/kernel/shmmax
To set it to a new value permanently (so it survives reboots), modify the sysctl.conf file:
...
kernel.shmmax = 268435456
...
Semaphores
To view current settings, run command:
# more /proc/sys/kernel/sem
250 32000 32 1024
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 500 512000 64 2048 > /proc/sys/kernel/sem
Parameters meaning:
SEMMSL - semaphores per ID
SEMMNS - (SEMMNI*SEMMSL) max semaphores in system
SEMOPM - max operations per semop call
SEMMNI - max semaphore identifiers
ulimits
To view current settings, run command:
# ulimit -a
To set it to a new value for this running session, which takes effect immediately, run command:
# ulimit -n 8800
# ulimit -n -1 // for unlimited; recommended if server isn't shared
Alternatively, if you want the changes to survive reboot, do the following:
- Exit all shell sessions for the user you want to change limits on.
- As root, edit the file /etc/security/limits.conf and add these two lines toward the end:
user1 soft nofile 16000
user1 hard nofile 20000
** the two lines above changes the max number of file handles - nofile - to new settings.
- Save the file.
- Login as the user1 again. The new changes will be in effect.
Message queues
To view current settings, run command:
# more /proc/sys/kernel/msgmni
# more /proc/sys/kernel/msgmax
To set it to a new value for this running session, which takes effect immediately, run command:
# echo 2048 > /proc/sys/kernel/msgmni
# echo 64000 > /proc/sys/kernel/msgmax
Network
Gigabit-based network interfaces have many performance-related parameters inside of their device driver such as CPU affinity. Also, the TCP protocol can be tuned to increase network throughput for connection-hungry applications.
Tune TCP
To view current TCP settings, run command:
# sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 7200 // 2 hours
where net.ipv4.tcp_keepalive_time is a TCP tuning parameter.
To set a TCP parameter to a value, run command:
# sysctl -w net.ipv4.tcp_keepalive_time=1800
A list of recommended TCP parameters, values, and their meanings:
Tuning Parameter Tuning Value Description of impact
------------------------------------------------------------------------------
net.ipv4.tcp_tw_reuse
net.ipv4.tcp_tw_recycle 1 Reuse sockets in the time-wait state
---
net.core.wmem_max 8388608 Increase the maximum write buffer queue size
---
net.core.rmem_max 8388608 Increase the maximum read buffer queue size
---
net.ipv4.tcp_rmem 4096 87380 8388608 Set the minimum, initial, and maximum sizes for the
read buffer. Note that this maximum should be less
than or equal to the value set in net.core.rmem_max.
---
net.ipv4.tcp_wmem 4096 87380 8388608 Set the minimum, initial, and maximum sizes for the
write buffer. Note that this maximum should be less
than or equal to the value set in net.core.wmem_max.
---
timeout_timewait echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout Determines the time that must elapse before
TCP/IP can release a closed connection and reuse its resources.
This interval between closure and release is known as the TIME_WAIT
state or twice the maximum segment lifetime (2MSL) state.
During this time, reopening the connection to the client and
server cost less than establishing a new connection. By reducing the
value of this entry, TCP/IP can release closed connections faster, providing
more resources for new connections. Adjust this parameter if the running application
requires rapid release, the creation of new connections, and a low throughput
due to many connections sitting in the TIME_WAIT state.
Disk I/O
Choose the Right File System
Use 'ext3' file system in Linux.
- It is enhanced version of ext2
- With journaling capability - high level of data integrity (in event of unclean shutdown)
- It does not need to check disks on unclean shutdown and reboot (time consuming)
- Faster write - ext3 journaling optimizes hard drive head motion
# mke2fs -j -b 2048 -i 4096 /dev/sda
mke2fs 1.32 (09-Nov-2002)
/dev/sda is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=2048 (log=1)
Fragment size=2048 (log=1)
13107200 inodes, 26214400 blocks
1310720 blocks (5.00%) reserved for the super user
First data block=0
1600 block groups
16384 blocks per group, 16384 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
16384, 49152, 81920, 114688, 147456, 409600, 442368, 802816, 1327104,
2048000, 3981312, 5619712, 10240000, 11943936
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Use 'noatime' File System Mount Option
Use 'noatime' option in the file system boot-up configuration file 'fstab'. Edit the fstab file under /etc. This option works the best if external storage is used, for example, SAN:
# more /etc/fstab
LABEL=/ / ext3 defaults 1 1
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sdc2 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
/dev/sda /database ext3 defaults,noatime 1 2
/dev/sdb /logs ext3 defaults,noatime 1 2
/dev/sdc /multimediafiles ext3 defaults,noatime 1 2
Tune the Elevator Algorithm in Linux Kernel for Disk I/O
After choosing the file system, there are several kernel and mounting options that can affect it. One such kernel setting is the elevator algorithm. Tuning the elevator algorithm helps the system balance the need for low latency with the need to collect enough data to efficiently organize batches of read and write requests to the disk. The elevator algorithm can be adjusted with the following command:
# elvtune -r 1024 -w 2048 /dev/sda
/dev/sda elevator ID 2
read_latency: 1024
write_latency: 2048
max_bomb_segments: 6
The parameters are: read latency (-r), write latency (-w) and the device affected.
Red Hat recommends using a read latency half the size of the write latency (as shown).
As usual, to make this setting permanent, add the 'elvtune' command to the
/etc/rc.d/rc.local script.
Others
Disable Unnecessary Daemons (They Take up Memory and CPU)
There are daemons (background services) running on every server that are probably not needed. Disabling these daemons frees memory, decreases startup time, and decreases the number of processes that the CPU has to handle. A side benefit to this is increased security of the server because fewer daemons mean fewer exploitable processes.
Some example Linux daemons running by default (and should be disabled). Use command:
#/sbin/chkconfig --levels 2345 sendmail off
#/sbin/chkconfig sendmail off
Daemon
Description
apmd
Advanced power management daemon
autofs
Automatically mounts file systems on demand (i.e.: mounts a CD-ROM automatically)
cups
Common UNIX� Printing System
hpoj
HP OfficeJet support
isdn
ISDN modem support
netfs
Used in support of exporting NFS shares
nfslock
Used for file locking with NFS
pcmcia
PCMCIA support on a server
rhnsd
Red Hat Network update service for checking for updates and security errata
sendmail
Mail Transport Agent
xfs
Font server for X Windows
Shutdown GUI
Normally, there is no need for a GUI on a Linux server. All administration tasks can be achieved by the command line, redirecting the X display or through a Web browser interface. Modify the 'inittab' file to set boot level as 3:
To set the initial runlevel (3 instead of 5) of a machine at boot,
modify the /etc/inittab file as shown:
http://i35.tinypic.com/2d2jdbr.jpg
How do I Find Out Linux CPU Utilization
Whenever a Linux system CPU is occupied by a process, it is unavailable for processing other requests. Rest of pending requests must wait till CPU is free. This becomes a bottleneck in the system. Following command will help you to identify CPU utilization, so that you can troubleshoot CPU related performance problems.
Finding CPU utilization is one of the important tasks. Linux comes with various utilities to report CPU utilization. With these commands, you will be able to find out:
* CPU utilization
* Display the utilization of each CPU individually (SMP cpu)
* Find out your system's average CPU utilization since the last reboot etc
* Determine which process is eating the CPU(s)
Old good top command to find out Linux cpu load
The top program provides a dynamic real-time view of a running system. It can display system summary information as well as a list of tasks currently being managed by the Linux kernel.
The top command monitors CPU utilization, process statistics, and memory utilization. The top section contains information related to overall system status - uptime, load average, process counts, CPU status, and utilization statistics for both memory and swap space.
Top command to find out Linux cpu usage
Type the top command:
$ top
Output:
You can see Linux CPU utilization under CPU stats. The task’s share of the elapsed CPU time since the last screen update, expressed as a percentage of total CPU time. In a true SMP environment (multiple CPUS), top will operate in number of CPUs. Please note that you need to type q key to exit the top command display.
The top command produces a frequently-updated list of processes. By default, the processes are ordered by percentage of CPU usage, with only the "top" CPU consumers shown. The top command shows how much processing power and memory are being used, as well as other information about the running processes.
Find Linux CPU utilization using mpstat and other tools
Please note that you need to install special package called sysstat to take advantage of following commands. This package includes system performance tools for Linux (Red Hat Linux / RHEL includes these tools by default).
# apt-get install sysstat
Use up2date command if you are using RHEL:
# up2date sysstat
Display the utilization of each CPU individually using mpstat
If you are using SMP (Multiple CPU) system, use mpstat command to display the utilization of each CPU individually. It report processors related statistics. For example, type command:
# mpstat Output:
Linux 2.6.15.4 (debian) Thursday 06 April 2006
05:13:05 IST CPU %user %nice %sys %iowait %irq %soft %steal %idle intr/s
05:13:05 IST all 16.52 0.00 2.87 1.09 0.07 0.02 0.00 79.42 830.06
The mpstat command display activities for each available processor, processor 0 being the first one. Global average activities among all processors are also reported. The mpstat command can be used both on SMP and UP machines, but in the latter, only global average activities will be printed.:
# mpstat -P ALL
Output:
Linux 2.6.15.4 (wwwportal1.xxxx.co.in) Thursday 06 April 2006
05:14:58 IST CPU %user %nice %sys %iowait %irq %soft %steal %idle intr/s
05:14:58 IST all 16.46 0.00 2.88 1.08 0.07 0.02 0.00 79.48 835.96
05:14:58 IST 0 16.46 0.00 2.88 1.08 0.07 0.02 0.00 79.48 835.96
05:14:58 IST 1 15.77 2.70 3.17 2.01 0.05 0.03 0.00 81.44 822.54
Another output from my HP Dual Opteron 64 bit server:# mpstat -P ALLOutput:
Linux 2.6.5-7.252-smp (ora9.xxx.in) 04/07/06
07:44:18 CPU %user %nice %system %iowait %irq %soft %idle intr/s
07:44:18 all 3.01 57.31 0.36 0.13 0.01 0.00 39.19 1063.46
07:44:18 0 5.87 69.47 0.44 0.05 0.01 0.01 24.16 262.11
07:44:18 1 1.79 48.59 0.36 0.23 0.00 0.00 49.02 268.92
07:44:18 2 2.19 42.63 0.28 0.16 0.01 0.00 54.73 260.96
07:44:18 3 2.17 68.56 0.34 0.06 0.03 0.00 28.83 271.47
Report CPU utilization using sar command
You can display today’s CPU activity, with sar command:
# sar
Output:
Linux 2.6.9-42.0.3.ELsmp (dellbox.xyz.co.in) 01/13/2007
12:00:02 AM CPU %user %nice %system %iowait %idle
12:10:01 AM all 1.05 0.00 0.28 0.04 98.64
12:20:01 AM all 0.74 0.00 0.34 0.38 98.54
12:30:02 AM all 1.09 0.00 0.28 0.10 98.53
12:40:01 AM all 0.76 0.00 0.21 0.03 99.00
12:50:01 AM all 1.25 0.00 0.32 0.03 98.40
01:00:01 AM all 0.80 0.00 0.24 0.03 98.92
...
.....
..
04:40:01 AM all 8.39 0.00 33.17 0.06 58.38
04:50:01 AM all 8.68 0.00 37.51 0.04 53.78
05:00:01 AM all 7.10 0.00 30.48 0.04 62.39
05:10:01 AM all 8.78 0.00 37.74 0.03 53.44
05:20:02 AM all 8.30 0.00 35.45 0.06 56.18
Average: all 3.09 0.00 9.14 0.09 87.68
Comparison of CPU utilization
The sar command writes to standard output the contents of selected cumulative activity counters in the operating system. The accounting system, based on the values in the count and interval parameters. For example display comparison of CPU utilization; 2 seconds apart; 5 times, use:
# sar -u 2 5
Output (for each 2 seconds. 5 lines are displayed):
Linux 2.6.9-42.0.3.ELsmp (www1lab2.xyz.ac.in) 01/13/2007
05:33:24 AM CPU %user %nice %system %iowait %idle
05:33:26 AM all 9.50 0.00 49.00 0.00 41.50
05:33:28 AM all 16.79 0.00 74.69 0.00 8.52
05:33:30 AM all 17.21 0.00 80.30 0.00 2.49
05:33:32 AM all 16.75 0.00 81.00 0.00 2.25
05:33:34 AM all 14.29 0.00 72.43 0.00 13.28
Average: all 14.91 0.00 71.49 0.00 13.61
Where,
* -u 12 5 : Report CPU utilization. The following values are displayed:
o %user: Percentage of CPU utilization that occurred while executing at the user level (application).
o %nice: Percentage of CPU utilization that occurred while executing at the user level with nice priority.
o %system: Percentage of CPU utilization that occurred while executing at the system level (kernel).
o %iowait: Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
o %idle: Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.
To get multiple samples and multiple reports set an output file for the sar command. Run the sar command as a background process using.
# sar -o output.file 12 8 >/dev/null 2>&1 &
Better use nohup command so that you can logout and check back report later on:
# nohup sar -o output.file 12 8 >/dev/null 2>&1 &
All data is captured in binary form and saved to a file (data.file). The data can then be selectively displayed ith the sar command using the -f option.
# sar -f data.file
Task: Find out who is monopolizing or eating the CPUs
Finally, you need to determine which process is monopolizing or eating the CPUs. Following command will displays the top 10 CPU users on the Linux system.
# ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10
OR
# ps -eo pcpu,pid,user,args | sort -r -k1 | less
Output:
%CPU PID USER COMMAND
96 2148 vivek /usr/lib/vmware/bin/vmware-vmx -C /var/lib/vmware/Virtual Machines/Ubuntu 64-bit/Ubuntu 64-bit.vmx -@ ""
0.7 3358 mysql /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
0.4 29129 lighttpd /usr/bin/php
0.4 29128 lighttpd /usr/bin/php
0.4 29127 lighttpd /usr/bin/php
0.4 29126 lighttpd /usr/bin/php
0.2 2177 vivek [vmware-rtc]
0.0 9 root [kacpid]
0.0 8 root [khelper]
Now you know vmware-vmx process is eating up lots of CPU power. ps command displays every process (-e) with a user-defined format (-o pcpu). First field is pcpu (cpu utilization). It is sorted in reverse order to display top 10 CPU eating process.
iostat command
You can also use iostat command which report Central Processing Unit (CPU) statistics and input/output statistics for devices and partitions. It can be use to find out your system's average CPU utilization since the last reboot.
# iostatOutput:
Linux 2.6.15.4 (debian) Thursday 06 April 2006
avg-cpu: %user %nice %system %iowait %steal %idle
16.36 0.00 2.99 1.06 0.00 79.59
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
hda 0.00 0.00 0.00 16 0
hdb 6.43 85.57 166.74 875340 1705664
hdc 0.03 0.16 0.00 1644 0
sda 0.00 0.00 0.00 24 0
You may want to use following command, which gives you three outputs every 5 seconds (as previous command gives information since the last reboot):$ iostat -xtc 5 3
GUI tools for your laptops/desktops
Above tools/commands are quite useful on remote server. For local system with X GUI installed you can try out gnome-system-monitor. It allows you to view and control the processes running on your system. You can access detailed memory maps, send signals, and terminate the processes.
$ gnome-system-monitor
In addition, the gnome-system-monitor provides an overall view of the resource usage on your system, including memory and CPU allocation.
gnome-system-monitor - view and control the processes
Further readings
* For more information and command option please read man pages of top, iostat, mpstat, sar, ps commands.
Subscribe to:
Posts (Atom)