Friday, October 31, 2014

Platform LSF – Working with Hosts (bhosts, lsload)

Taken from the LSF Platform Administrative Guide. The documentation on bhosts and lsload, and more information, can be found at Platform - Working with hosts. Although your version of LSF may be different, the commands can still be used.

Here are some excerpts.....

Host status

Host status describes the ability of a host to accept and run batch jobs in terms of daemon states, load levels, and administrative controls. The bhosts and lsload commands display host status.

1. bhosts Displays the current status of the host
STATUS      DESCRIPTION
ok          Host is available to accept and run new batch jobs.
unavail     Host is down, or LIM and sbatchd are unreachable.
unreach     LIM is running but sbatchd is unreachable.
closed      Host will not accept new jobs. Use bhosts -l to display the reasons.
unlicensed  Host does not have a valid license.


2. bhosts -l Displays the closed reasons. A closed host does not accept new batch jobs:
$ bhosts -l
HOST  node001
STATUS           CPUF  JL/U    MAX  NJOBS    RUN  SSUSP  USUSP    RSV DISPATCH_WINDOW
closed_Adm      60.00     -     16      0      0      0      0      0      -

CURRENT LOAD USED FOR SCHEDULING:
r15s   r1m  r15m    ut    pg    io   ls    it   tmp   swp   mem   root maxroot
Total           0.0   0.0   0.0    0%   0.0     0    0 28656  324G   16G   60G  3e+05   4e+05
Reserved        0.0   0.0   0.0    0%   0.0     0    0     0    0M    0M    0M    0.0     0.0

processes clockskew netcard iptotal  cpuhz cachesize diskvolume
Total             404.0       0.0     2.0     2.0 1200.0     2e+04      5e+05
Reserved            0.0       0.0     0.0     0.0    0.0       0.0        0.0

processesroot   ipmi powerconsumption ambienttemp cputemp
Total                 396.0   -1.0             -1.0        -1.0    -1.0
Reserved                0.0    0.0              0.0         0.0     0.0


aa_r aa_r_dy aa_dy_p aa_r_ad aa_r_hpc fluentall fluent fluent_nox
Total         17.0    25.0   128.0    10.0    272.0      48.0   48.0       50.0
Reserved       0.0     0.0     0.0     0.0      0.0       0.0    0.0        0.0

gambit geom_trans tgrid fluent_par
Total           50.0       50.0  50.0      193.0
Reserved         0.0        0.0   0.0        0.0


3. bhosts -X Displays host groups in a condensed format
$ bhosts -X
HOST_NAME          STATUS       JL/U    MAX  NJOBS    RUN  SSUSP  USUSP    RSV
comp027            ok              -     16      0      0      0      0      0
comp028            ok              -     16      0      0      0      0      0
comp029            ok              -     16      0      0      0      0      0
comp030            ok              -     16      0      0      0      0      0
comp031            ok              -     16      0      0      0      0      0
comp032            ok              -     16      0      0      0      0      0
comp033            ok              -     16      0      0      0      0      0


4. bhosts -l hostID Displays all information about a specific server host, such as the CPU factor and the load thresholds to start, suspend, and resume jobs
# bhosts -l comp067
HOST  comp067
STATUS           CPUF  JL/U    MAX  NJOBS    RUN  SSUSP  USUSP    RSV DISPATCH_WINDOW
ok              60.00     -     16      0      0      0      0      0      -

CURRENT LOAD USED FOR SCHEDULING:
r15s   r1m  r15m    ut    pg    io   ls    it   tmp   swp   mem   root maxroot
Total           0.0   0.0   0.0    0%   0.0     0    0 13032  324G   16G   60G  3e+05   4e+05
Reserved        0.0   0.0   0.0    0%   0.0     0    0     0    0M    0M    0M    0.0     0.0

processes clockskew netcard iptotal  cpuhz cachesize diskvolume
Total             406.0       0.0     2.0     2.0 1200.0     2e+04      5e+05
Reserved            0.0       0.0     0.0     0.0    0.0       0.0        0.0

processesroot   ipmi powerconsumption ambienttemp cputemp
Total                 399.0   -1.0             -1.0        -1.0    -1.0
Reserved                0.0    0.0              0.0         0.0     0.0

aa_r aa_r_dy aa_dy_p aa_r_ad aa_r_hpc fluentall fluent fluent_nox
Total         18.0    25.0   128.0    10.0    272.0      47.0   47.0       50.0
Reserved       0.0     0.0     0.0     0.0      0.0       0.0    0.0        0.0

gambit geom_trans tgrid fluent_par
Total           50.0       50.0  50.0      193.0
Reserved         0.0        0.0   0.0        0.0

LOAD THRESHOLD USED FOR SCHEDULING:
r15s   r1m  r15m   ut      pg    io   ls    it    tmp    swp    mem
loadSched   -     -     -     -       -     -    -     -     -      -      -
loadStop    -     -     -     -       -     -    -     -     -      -      -

root maxroot processes clockskew netcard iptotal   cpuhz cachesize
loadSched     -       -         -         -       -       -       -         -
loadStop      -       -         -         -       -       -       -         -

diskvolume processesroot    ipmi powerconsumption ambienttemp cputemp
loadSched        -             -       -                -           -       -
loadStop         -             -       -                -           -       -


5. lsload Displays the current state of the host:
STATUS      DESCRIPTION
ok          Host is available to accept and run batch jobs and remote tasks.
-ok         LIM is running but RES is unreachable.
busy        Does not affect batch jobs, only used for remote task placement (i.e., lsrun). The value of a load index exceeded a threshold (configured in lsf.cluster.cluster_name, displayed by lshosts -l). Indices that exceed thresholds are identified with an asterisk (*).
lockW       Does not affect batch jobs, only used for remote task placement (i.e., lsrun). Host is locked by a run window (configured in lsf.cluster.cluster_name, displayed by lshosts -l).
lockU       Will not accept new batch jobs or remote tasks. An LSF administrator or root explicitly locked the host using lsadmin limlock, or an exclusive batch job (bsub -x) is running on the host. Running jobs are not affected. Use lsadmin limunlock to unlock LIM on the local host.
unavail     Host is down, or LIM is unavailable.
unlicensed  The host does not have a valid license.


6. References:
  1. Platform - Working with hosts

Thursday, October 30, 2014

killing all the processes belonging to a single user

If you need to kill all the processes belonging to a user, you may want to consider this command:

# pkill -u user

Alternatively, you can log on as the user whose processes you wish to kill and use the command below. Remember to log on as that user and not as root, or you will kill every process on the system that root is allowed to signal.
$ kill -9 -1

Wednesday, October 29, 2014

Unable to boot HP Elitebook 2730p with USB CD-ROM



If you are using an old HP Elitebook 2730p and, after attaching a USB-powered DVD-ROM, the BIOS is not able to recognize the USB DVD-ROM, follow these steps:

Step 1: Go to the HP Elitebook 2730p Drivers & Software

Step 2: Download the ROMPaq for HP Notebook System BIOS (68POU) - FreeDOS Bootable Media (International). Apparently the original BIOS has a bug which causes issues when booting with a USB DVD-ROM.

Step 3: Use a thumb drive of 2GB or below and insert it into your PC's USB port. Format it in FAT and run sp50060.exe. This will flash and update the BIOS.

Step 4: Boot with the USB DVD-ROM, you can install any OS..... :)

Tuesday, October 28, 2014

Common Administrative Commands for RHEL and CentOS 5,6,7

This Common Administrative Commands Poster from Red Hat for RHEL and CentOS 5,6,7 is something I really appreciate as a system administrator. Read it for yourself and you will see what I mean. It is produced by Red Hat.

  1. RHEL 5 6 7 Administrative Commands Cheatsheet

How to set up auto-support for NetApp DataOnTap


This is taken from Data ONTAP 8.1 System Administration Guide for Cluster-Mode Guide Page 142. See attached for the document How to setup AutoSupport (pdf)

Monday, October 27, 2014

Data OnTap 7-Mode to Cluster-Mode Command Map


If you have been using Data OnTap 7-Mode and need the equivalent commands for Cluster-Mode, do look at this pdf for the mapping. You will find it very useful.

For more information, do take a look at Data OnTap 7-Mode to Cluster-Mode Command Map

Sunday, October 26, 2014

The Spice Project


Taken from Spice Project Site

The Spice project aims to provide a complete open source solution for interaction with virtualized desktop devices. The Spice project deals with both the virtualized devices and the front-end. Interaction between front-end and back-end is done using VD-Interfaces. The VD-Interfaces (VDI) enable both ends of the solution to be easily utilized by a third-party component.



The Spice project plans to provide additional solutions, including:
  1. Remote access for a physical machine
  2. VM front-end for local users (i.e., render on and share devices of the same physical machine)
Downloads:
  1.  Client Downloads

Friday, October 17, 2014

Protecting Servers from SSLv3 "POODLE" Vulnerability

The Secure Sockets Layer version 3.0 is an old version of security technology for establishing an encrypted link between a server and a client.

A vulnerability, known as POODLE ("Padding Oracle On Downgraded Legacy Encryption"), was reported in SSLv3. An attacker can exploit this vulnerability to obtain users' cookies and compromise users' accounts.

This vulnerability has been assigned a CVE number: CVE-2014-3566. For more information, do take a look at Security Vulnerability Alert: POODLE SSLv3.0 vulnerability

Web system owners are also advised to disable SSLv3 and enable TLS_FALLBACK_SCSV to maintain interoperability.


Do take a look at How To Protect your Server Against the POODLE SSLv3 Vulnerability on how to protect your servers from SSLv3 "POODLE" Vulnerability


Step 1. I would like to highlight the CentOS / Red Hat variety. Open the SSL configuration file:
# vim /etc/httpd/conf.d/ssl.conf

Step 2. Find the SSLProtocol directive and set it to:
SSLProtocol all -SSLv3 -SSLv2

Step 3. Restart the httpd services
# service httpd restart
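
A way to check the result of the steps above across every virtual host, as an added example that is not part of the original post or of Apache: it reads SSLProtocol lines and reports whether SSLv3 is still enabled. The function names and the sample configuration are constructed, and it assumes `all` still includes SSLv2 and SSLv3, as on httpd 2.2 builds of that period.

```python
import re

# Assumption: "all" expands the way it did on httpd 2.2 builds of the time,
# i.e. it still includes SSLv2 and SSLv3.
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANONICAL = {name.lower(): name for name in ALL}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Model mod_ssl's parsing: +X adds, -X removes, a bare X replaces the set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = (token[1:] if action else token).lower()
        if name == "all":
            chosen = set(ALL)
        elif name in CANONICAL:
            chosen = {CANONICAL[name]}
        else:
            raise ValueError("unknown protocol in SSLProtocol: " + token)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def audit(conf_text):
    """Return (line_number, arguments, sslv3_enabled) per active SSLProtocol line."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # lines starting with '#' never match
        if match:
            args = match.group(1)
            findings.append((number, args, "SSLv3" in effective_protocols(args)))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.10:443>
SSLProtocol all -SSLv3 -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for number, args, weak in audit(SAMPLE_CONF):
        verdict = "SSLv3 still enabled" if weak else "SSLv3 disabled"
        print(f"line {number}: SSLProtocol {args} -> {verdict}")
```

The first virtual host in the sample shows the common miss: an older `-SSLv2` hardening line that leaves SSLv3 on.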

References
  1.  How To Protect your Server Against the POODLE SSLv3 Vulnerability
  2. Apache - SSLProtocol Directive

Tools to speed up kernel crash hang analysis with the kernel log

This is a summary of an article taken from RHEL6: Speeding up kernel crash / hang analysis with the kernel log. When there is a kernel crash or hang, a very large file containing a memory dump of the entire system, called a vmcore, is often produced. Analysis of the kernel crash or hang often requires this large file to be uploaded to Red Hat for analysis (if you have a subscription).

For RHEL 6.4 and above

Starting with Red Hat Enterprise Linux 6.4 and kexec-tools-2.0.0-258.el6, the kdump process will dump the kernel log to a file called vmcore-dmesg.txt before creating the vmcore file.
# ls /var/crash/127.0.0.1-2012-11-21-09\:49\:25/
vmcore  vmcore-dmesg.txt
# cp /var/crash/127.0.0.1-2012-11-21-09\:49\:25/vmcore-dmesg.txt /tmp/00123456-vmcore-dmesg.txt

For RHEL 6.0 to RHEL 6.3, do take a look at Speeding up kernel crash hang analysis with the kernel log

Thursday, October 16, 2014

Leaked Dropbox Password

Taken from SINGCERT

Online reports have revealed that some Dropbox accounts have been compromised. According to Dropbox’s media statement, the usernames and passwords were stolen from other services and they have since reset the "small number" of affected accounts.

  • Change your Dropbox passwords as soon as possible. If other accounts share the same password as your Dropbox account, it's recommended to change the passwords of those accounts as well.
  • Enable 2-factor authentication (2FA) for your Dropbox account. For more information on enabling 2FA in Dropbox, please refer to https://www.dropbox.com/help/363
  • Be selective about using your Dropbox account to sign in to third party services.
References
https://www.singcert.org.sg/alerts/21-latest/630-singcert-leaked-dropbox-passwords
http://www.cnet.com/news/hackers-hold-7-million-dropbox-passwords-ransom/
http://www.zdnet.com/dropbox-blames-other-services-for-claimed-7-million-password-hack-7000034629/
http://thenextweb.com/apps/2014/10/14/dropbox-passwords-leak-online-alleged-hack/


Wednesday, October 15, 2014

Security Vulnerability Alert: POODLE SSLv3.0 vulnerability

Description:
On 14/10, Google researchers disclosed a vulnerability in SSL 3.0 which could allow a malicious user to decrypt content that was supposedly encrypted when visiting SSL-enabled websites. Named the POODLE attack (Padding Oracle on Downgraded Legacy Encryption), it is a padding attack that targets CBC ciphers in SSL v3.0.

A detailed analysis report of the POODLE exploit by the Google researchers can be found here: https://www.openssl.org/~bodo/ssl-poodle.pdf

Impact
Websites that support SSL v3.0 and CBC-mode ciphers are vulnerable to the attack. According to the report, the flaw allows attackers to steal secure HTTP cookies and headers, among other sensitive data.

Mitigation
  • Google researchers recommend that support for SSL v3.0 be disabled on the end-user browser, on the server end, or both, as well as in other software that relies on downgraded connections. (Warning: doing this may "break" connectivity to web applications that are only able to support up to SSL v3.0 and don't support TLS 1.0, TLS 1.1, TLS 1.2.)
  • If the above is not possible, Google recommends implementing support for "TLS FALLBACK SCSV", the Transport Layer Security Signalling Cipher Suite Value that "prevents protocol downgrade attacks." https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

    "This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks," explained Möller.
More Information
  1. http://thenextweb.com/google/2014/10/15/web-encryption-vulnerability-opens-encrypted-data-hackers/
  2. http://googleonlinesecurity.blogspot.sg/2014/10/this-poodle-bites-exploiting-ssl-30.html
  3. http://blog.erratasec.com/2014/10/some-poodle-notes.html
  4. http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/
  5. Mozilla Blog - https://blog.Mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  6. Microsoft - Disabling SSL 3.0 on Servers - http://support.Microsoft.com/kb/187498
  7. Mozilla Add-On - Disabling SSL 3.0 on Mozilla Browser - https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

Friday, October 10, 2014

Deploying HAProxy 1.4.24 to load-balance MS Terminal Services on CentOS 6

HAProxy is an open source, free, very fast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard open source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

The content of this blog entry is taken from Load balancing Windows Terminal Server – HAProxy and RDP Cookies or Microsoft Connection Broker

 In this blog entry, we will put in a sample working haproxy configuration to load balance between terminal services  

 Step 1: Install haproxy
# yum install haproxy

Step 2: Modify /etc/haproxy/haproxy.cfg  
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2

chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4500
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
timeout queue 1m
timeout connect 60m
timeout client 60m
timeout server 60m

# -------------------------------------------------------------------
# [RDP Site Configuration]
# -------------------------------------------------------------------
listen cattail 155.69.57.11:3389
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
persist rdp-cookie
balance leastconn
option tcpka
option tcplog
server win2k8-1 192.168.6.48:3389 weight 1 check inter 2000 rise 2 fall 3
server win2k8-2 192.168.6.47:3389 weight 1 check inter 2000 rise 2 fall 3
option redispatch

listen stats :1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /

Information:
  • timeout client and timeout server are set to 6 hours (360m) to keep idle RDP sessions established
  • persist rdp-cookie and balance rdp-cookie. These instruct HAProxy to inspect the incoming RDP connection for a cookie; if one is found, it is used to persistently direct the connection to the correct real server
  • The 2 tcp-request lines help to ensure that HAProxy sees the cookie on the initial request.
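
What HAProxy looks for when it applies persist rdp-cookie, as an added example that is not from the original post or the HAProxy project: a parser for the cookie line in the RDP connection request, plus a decoder for the `msts` routing token, the cookie name `persist rdp-cookie` checks by default. The packets are constructed, `parse_rdp_cookie`, `decode_msts` and `build_request` are hypothetical names, and the sample token is built for the 192.168.6.48:3389 server in the configuration above.

```python
import socket
import struct

def parse_rdp_cookie(packet):
    """Return (name, value) of the cookie in an X.224 Connection Request, else None."""
    if len(packet) < 11 or packet[0] != 3:            # TPKT version is always 3
        return None
    tpkt_len = struct.unpack(">H", packet[2:4])[0]    # total length, big-endian
    if tpkt_len > len(packet) or packet[5] != 0xE0:   # 0xE0 = Connection Request
        return None
    body = packet[11:tpkt_len]                        # after TPKT (4) + X.224 header (7)
    end = body.find(b"\r\n")
    if not body.startswith(b"Cookie: ") or end < 0:
        return None
    name, sep, value = body[8:end].partition(b"=")
    if not sep:
        return None
    return name.decode("ascii", "replace"), value.decode("ascii", "replace")

def decode_msts(value):
    """Decode an 'ip.port.0000' routing token into ('a.b.c.d', port)."""
    ip_dec, port_dec, _reserved = value.split(".")
    # Both numbers are the network-order bytes read as little-endian integers.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_dec)))
    port = struct.unpack(">H", struct.pack("<H", int(port_dec)))[0]
    return ip, port

def build_request(cookie_line):
    """Build a minimal Connection Request around cookie_line (sample input only)."""
    payload = cookie_line + b"\r\n"
    x224 = bytes([6 + len(payload), 0xE0, 0, 0, 0, 0, 0]) + payload
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

# Constructed samples: a plain client cookie and one carrying a routing token.
FIRST = build_request(b"Cookie: mstshash=alice")
ROUTED = build_request(b"Cookie: msts=805742784.15629.0000")

if __name__ == "__main__":
    for packet in (FIRST, ROUTED, b"\x03\x00\x00\x0b" + bytes(7)):
        cookie = parse_rdp_cookie(packet)
        if cookie is None:
            print("no cookie")
        elif cookie[0] == "msts":
            print("msts ->", decode_msts(cookie[1]))
        else:
            print(cookie[0], "=", cookie[1])
```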

Friday, October 3, 2014

VMware has released product updates to address the BASH security vulnerabilities

VMware released product updates to address the BASH security vulnerabilities on 01/10/14.

It is found at http://www.vmware.com/security/advisories/VMSA-2014-0010.html

Reports based on honeypot systems show that malicious individuals are actively scanning for vulnerable, unpatched systems, and show what commands they are attempting to execute by simply passing URL/command parameters.

https://www.alienvault.com/open-threat-exchange/blog/attackers-exploiting-shell-shock-cve-2014-6721-in-the-wild
http://blog.sucuri.net/2014/09/bash-shellshocker-attacks-increase-in-the-wild-day-1.html

Thursday, October 2, 2014

Unable to open socket connection to xcatd daemon on localhost:3001.

When I did a tabedit site to check my configuration, I encountered this error
Unable to open socket connection to xcatd daemon on localhost:3001.
Verify that the xcatd daemon is running and that your SSL setup is correct.

The solution to this error is quite easy. You just need to check your /etc/hosts. Have you # out your. In other words, make sure you have a line like this in your /etc/hosts
127.0.0.1       localhost.localdomain                   localhost

That's it.....

Wednesday, October 1, 2014