
Friday, October 19, 2018

yum repolist without connecting to repos


Here's how you get yum to list all the configured repos, without actually connecting to any of them (e.g. if your system is offline):

yum -C repolist all

The "-C" option tells yum to use the local cache, no matter how old the cache is.


Thursday, April 2, 2015

Symantec 12.1.5 on Linux LiveUpdate failures -- BouncyCastleProvider

TL;DR version: To fix this, temporarily remove the "noexec" mount option from /tmp and run the install.sh program again.

We recently started using Symantec 12.1.5 on our Linux systems at work. I installed the client on a test system and immediately had issues with LiveUpdate:

/opt/Symantec/symantec_antivirus/sav liveupdate -u
Picked up JAVA_TOOL_OPTIONS:
Command failed: Problem with LiveUpdate.
Check that java directory is in PATH
Unable to perform update

In liveupdt.log:

Apr 1, 2015 11:32:26 AM There was a failure in reading the settings from the .conf file.
Apr 1, 2015 11:32:26 AM org.bouncycastle.jce.provider.BouncyCastleProvider
Apr 1, 2015 11:32:26 AM JLU received a DeleteSetting command.

Running Liveupdate in debug mode:

java -cp /opt/Symantec/LiveUpdate/jlu.jar com.symantec.liveupdate.LiveUpdate -d
Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Adding JLU to the current command line
JLU Linux, 3.10, English, LiveUpdateSeq, 26
Trying to load jar file from /opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
[ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
at java.net.URLClassLoader.findClass(Unknown Source)
[...]

I will leave out the frustrating troubleshooting my coworker and I did and give you the reason: Our security configuration specifies that we set the "noexec" mount option on /tmp.

Unfortunately, the Symantec install script requires exec on /tmp to install correctly. Specifically, it creates some temporary scripts in /tmp and runs them to install the BC (bouncycastle) provider. Here's an excerpt from the sepjlu-install.log:


Java LiveUpdate version 3.10 Build 26.
Extracted out unixinstall.sh to /tmp/1427202521861/unixinstall.sh.
Extracted out unixuninstall.sh to /tmp/1427202521861/unixuninstall.sh.
Extracted out liveupdate.conf to /tmp/1427202521861/liveupdate.conf.
Extracted out bcprov-jdk15on-148.jar to /tmp/1427202521861/bcprov-jdk15on-148.jar.
Copied /opt/Symantec/LiveUpdate/jlu.jar to /tmp/1427202521861/jlu-3.10.0.26.jar.
Error running /tmp/1427202521861/unixinstall.sh with reason: java.io.IOException: Cannot run program "/tmp/1427202521861/unixinstall.sh": error=13, Permission denied.

The script is supposed to copy bcprov-jdk15on-148.jar into $SYMROOT/LiveUpdate/, but obviously because "noexec" was set on /tmp, it couldn't run.

So in full, the solution is:


mount -o remount,exec /tmp
$INSTALLER_DIR/install.sh -i
mount -o remount,noexec /tmp
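
The three commands above leave /tmp executable if the installer fails or is interrupted before the last one runs. The wrapper below is an added example, not part of the original post or of Symantec's tooling: it checks /proc/mounts for noexec and puts the option back on every exit path. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: sh run-with-exec-tmp.sh "$INSTALLER_DIR/install.sh" -i

# mount_has_option MOUNTPOINT OPTION [MOUNTS_FILE]
# Exit 0 if the last entry for MOUNTPOINT carries OPTION, 1 if it does not,
# 2 if MOUNTPOINT is not a mount point at all.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) exit 0
            exit 1
        }' "${3:-/proc/mounts}"
}

restore_noexec() {
    trap - EXIT
    mount -o remount,noexec /tmp
}

# run_with_exec_tmp COMMAND [ARGS...]
run_with_exec_tmp() {
    if ! mount_has_option /tmp noexec; then
        "$@"    # /tmp is not noexec (or not a separate mount): nothing to toggle
        return
    fi
    # Restore the hardening even if the command fails or the script is killed.
    trap restore_noexec EXIT
    trap 'exit 130' INT TERM
    mount -o remount,exec /tmp || return 1
    "$@"
    rc=$?
    restore_noexec
    mount_has_option /tmp noexec || echo "WARNING: /tmp is not noexec after restore" >&2
    return "$rc"
}

[ "$#" -eq 0 ] || run_with_exec_tmp "$@"
```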

Friday, February 13, 2015

rancid 3.x - juniper display set

I found a lot of directions on the net for how to change rancid 2.x to do "display set" for juniper switches, but none for rancid 3.x (this was tested on rancid 3.1.2 on CentOS 6.6).

It's actually pretty easy:
  1. Find your switch type (in this case "juniper") in /etc/rancid/rancid.types.base and copy those lines into /etc/rancid/rancid.types.conf:

    juniper;script;rancid -t juniper
    juniper;login;jlogin
    [...]
    juniper;command;junos::ShowConfiguration;show configuration


  2. Now change "juniper" to some unique string that doesn't exist in rancid.types.base, e.g. "juniper-dset"
  3. Modify all the "juniper" strings in rancid.types.conf to be "juniper-dset"

    juniper-dset;script;rancid -t juniper-dset
    juniper-dset;login;jlogin
    [...]
    juniper-dset;command;junos::ShowConfiguration;show configuration


  4. Add a new line to do the display set:

    juniper-dset;command;junos::ShowConfiguration;show configuration | display set | no-more

    It's up to you whether you want that before or after the normal multi-line "show configuration".

  5. Also, change /var/rancid/router.db to change the "juniper" switch type to "juniper-dset"

Tuesday, January 27, 2015

linux: how to determine if a binary is prelinked

On my systems I use aide to find changes to the system. On one of them, aide was complaining:

WARNING: AIDE detected prelinked binary objects on your system but the prelink tool (/usr/sbin/prelink) is missing!
WARNING: prelinked files will be processed without a prelink undo operation! Please install prelink to fix this.

This is because at one point, I did in fact use prelink. However, I had many issues with aide and prelink and finally just got fed up and removed it. Before doing that you're supposed to undo the prelink, but apparently I missed a file. But aide didn't tell me which one! I couldn't find any information on the net about how to determine whether a binary is prelinked, so here's the answer:

readelf -S /path/to/binary | grep prelink

If the binary is prelinked, you'll get something like:

[30] .gnu.prelink_undo PROGBITS 0000000000000000 000e4790

But what if you don't know which file is prelinked? And /etc/prelink.cache is non-existent (because someone removed it) or empty? In that case, you have to examine every ELF binary on the system. I elected to break this into two steps. First, find all the ELF binaries:

find / -type f ! -path "/sys/*" ! -path "/dev/*" ! -path "/proc/*" \
! -path "/opt/splunk/var/*" ! -path "/mnt/*" ! -path "/media/*" ! -path "/srv/*" \
! -path "/net/*" ! -path "/selinux/*" | xargs file | grep ELF | cut -f1 -d':' \
> /tmp/elffiles

Now that you have a list of all the ELF binaries, test each of them to find out if they are prelinked. I did not use xargs in this case because although readelf works on multiple files, when combined with grep it would be hard to tell which of the arguments in the long argument list is the culprit:
for file in $(cat /tmp/elffiles) ; do
   readelf -S $file | grep -q prelink
   if [ $? -eq 0 ]; then echo $file is prelinked ; fi
done

I realize the above doesn't handle paths with spaces or other weird characters. I guess I'm lucky my system didn't have any of those.
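
A variant of the two-step scan that copes with spaces and other odd characters in paths, as an added example rather than the original post's code: find hands the file names straight to a child shell, the ELF magic bytes are checked directly instead of calling file, and readelf is asked for the .gnu.prelink_undo section shown above. The function name scan_prelinked and the list of pruned directories are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): list prelinked ELF files under
# the given roots, safe for paths with spaces, quotes or newlines.
# Usage: sh scan-prelinked.sh /

# scan_prelinked ROOT...
scan_prelinked() {
    # Pseudo-filesystems are pruned instead of filtered afterwards; add the
    # post's other exclusions (/mnt, /media, ...) the same way if needed.
    find "$@" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type f -exec sh -c '
        for f in "$@"; do
            # ELF files start with the bytes 7f 45 4c 46.
            magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d " \n")
            [ "$magic" = "7f454c46" ] || continue
            # prelink records its undo data in a .gnu.prelink_undo section.
            if readelf -W -S "$f" 2>/dev/null | grep -q "\.gnu\.prelink_undo"; then
                printf "%s is prelinked\n" "$f"
            fi
        done' sh {} +
}

[ "$#" -eq 0 ] || scan_prelinked "$@"
```

Because each file name is passed as its own argument, the output names the exact file without the ambiguity of a long xargs argument list.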

Wednesday, January 14, 2015

Dell PERC command-line utility program perccli

This tool apparently works for all PERC9 controllers and the following operating systems are supported:
Novell SuSE Linux ES 11 
MS Windows Server 2012 
Red Hat Ent Linux 6 
Red Hat Ent Linux 7 
SUSE Linux ES 12 
MS Windows Server 2012 R2/SP 
MS Windows 2008 R2

Binaries are at: http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=3XDPP

HTML version of manual: http://www.dell.com/support/Manuals/us/en/19/Topic/poweredge-rc-h730/PERC_CLI_RG_Pub-v1/en-us

PDF of manual: http://topics-cdn.dell.com/pdf/poweredge-rc-h730_Reference%20Guide_en-us.pdf

Thursday, April 3, 2014

Automating the VMware vSphere Perl SDK install with expect:


I couldn't find any other postings on the net about this, so here's my solution for automating the installation of the VMware vSphere Perl SDK on RHEL6 (this assumes you already have all the prerequisites installed). It probably works on any Linux OS, but I only tested it on RHEL6.4.

Save this expect script (requires expect to be installed, duh!) in the same directory as the extracted tarball for the SDK (probably vmware-vsphere-cli-distrib/):
#!/usr/bin/expect

set timeout 120

spawn "./vmware-install.pl"

expect "Press enter to display " { send "\r" }
expect "vSphere Software Development Kit License Agreement" { send "q" }
expect "Do you accept" { send "yes\r" }
expect "Do you want to install precompiled Perl modules for RHEL" { send "\r" }
expect "In which directory do you want to install the executable files" { send "\r" }
# Wait for installation to finish
expect EOF
This accepts the defaults ("yes" to installing precompiled Perl modules, "/usr/bin" for the installation directory). If you don't like that, edit the script!

Tuesday, September 21, 2010

using pam_tally2 with dovecot

I recently configured some RHEL4 systems to use pam_tally2 to lock an account temporarily after several unsuccessful logins. This seems to work fine just by adding it to the "auth" section:
auth        required      /lib/security/$ISA/pam_tally2.so deny=5 unlock_time=900
However, I later found that if you're running dovecot (version 0.99.11-9 -- maybe it's been fixed since then), it doesn't reset the tally on a successful login; i.e. it does not call pam_setcred. So, if the user is only logging in via dovecot, and they are checking mail at an interval less than your reset time, eventually the account will get locked out!

To fix this, you have to call pam_tally2 in the "account" section to reset the tally. You can do this in either the "system-auth" file, or in the "dovecot" file:
account    required     /lib/security/$ISA/pam_tally2.so

Tuesday, September 22, 2009

Resizing an NTFS partition with free tools

The guy that set up some of the Windows XP systems at work partitioned the drives to theoretically separate the OS (C:) from the data (D:). However, he didn't complete the process; i.e. he didn't move the default "Documents and Settings" folder, nor the "Program Files" folder to the "data" disk.

So, of course the "OS" partition eventually filled up with user data. A few months ago I moved the main user's Documents and Settings folder to the data drive, and used a junction point in the original location to point to it. That only staved off the disk filling up for a while -- this week I finally got around to deploying Office 2007, and the system didn't have enough space to install it.

I wanted to delete the "data" partition and consolidate everything into one partition. The old version of Partition Magic we had wouldn't boot the system for some reason, so I needed to find another tool to do it.

The answer: an Ubuntu 9.04 Desktop CD. The process is pretty simple. In summary, back up the data, delete all the NTFS partitions, recreate a single NTFS partition in the same cylinder space, then use ntfsresize to fix the NTFS partition.

  1. Boot the system from the Ubuntu CD. At the boot menu, select "Try Ubuntu".
  2. Open a terminal (Applications, Accessories, Terminal) and sudo to root with
    sudo -s
  3. Figure out which disk is the one you want. Likely candidates are /dev/hda (IDE) or /dev/sda (SATA). If you're not sure, use
    dmesg | less
    to find the disk device.
  4. Start fdisk on the device (e.g. fdisk /dev/sda), and print the existing partition table. Note the cylinder numbers for where the current NTFS partitions start and end (especially the start of the first NTFS partition, and the end of the last NTFS partition).
  5. Delete all of the existing NTFS partitions. Then create a single new partition, starting at the same cylinder as the first partition, but ending at the cylinder number for the last NTFS partition.
  6. Mark the NTFS partition as bootable! Exit fdisk.
  7. Resize the partition to its maximum size using ntfsresize. Read the ntfsresize man page to learn how. You may also refer to this page on shrinking an NTFS volume (starting at step 8). For example, if the device size is 32079 MB, you may try
    ntfsresize -n -s 32079M /dev/sda 
    If you don't get any errors, proceed by removing the -n option. If you get an error that the partition size cannot exceed the device size, reduce the size by 1MB (e.g. 32078M).
  8. Reboot the system with reboot. Windows will run chkdsk, reboot, and then everything should work as before.
  9. Restore the data from the lost partition (D:).

Thursday, July 16, 2009

Setting up a Linux system with a 3.5TB disk

As mentioned in my last post, I have this remote linux system with 3.5TB of disk, but broken into two LVMs. I want most of the storage to be in one big disk.


Today I had my remote monkey put the RHEL4 WS DVD in the machine and rebooted it. I entered the RAID BIOS (Dell PERC 5/i) to delete the existing virtual disks. I then created two new virtual disks -- one of 250GB for the OS, and one of the remaining 3.4TB for the data.

I booted from the RHEL DVD and entered "rescue" mode, because anaconda does not support making GPT disks. Then I entered
parted /dev/sdb
mklabel gpt
mkpart primary 0 3571900M
quit
Then:
mkfs.ext3 /dev/sdb1
Making the EXT3 FS took about 22 minutes.

That's mostly it! I rebooted and ran anaconda this time, setting up LVM on /dev/sda (except /boot, of course). I left /dev/sdb alone.

Wednesday, July 15, 2009

Want to convert partition table from MBR to GPT

One of the Linux (RHEL4) systems at work has about 3.5 TB of disk in a RAID configuration. Unfortunately, the guy who set up the system (not me) had apparently never heard of GPT before. So, he partitioned the RAID into two portions -- one of 2 TB, and the other 1.5 TB. Each of those partitions is managed by LVM.

Despite hours of searching, I am unable to figure out a way to convert these to one big 3.5 TB partition. The operating system is mostly installed on LVM-managed parts of the disk, so I can't destroy the partitions and redo them without reinstalling the OS.

The best part is that the system is 2,000 miles away. Fortunately, we recently installed a digital KVM switch to the system. We also have someone there that can manage to insert the installation CD. With the KVM I can reconfigure the RAID and reinstall the OS remotely.

By the way, if you are thinking of getting an Avocent KVM switch, and you want to use LDAP authentication -- well, you better have Active Directory, because Avocent's crappy software does not allow you to configure the LDAP authentication query. In addition, their tech support seems to be both clueless and illiterate.