Abbas | Bassu

Sometimes when some applications start logging to console, it can really bleed your eyes when something wrong happens. Not mentioning about standard output or standard errors which are rather easily controllable but it could be anything else invoked by kernel such as iptables logging when you  would like to log any rules to a log file or default syslog. But “hideously” such applications log to system console too and can surprise you when you plug monitor and see a messy mesh of error loggings all the way back and forth, specifically when a machine is virtual – of course in that case VM would be unresponsive

I was trying to look into syslog.conf to control but found out that this is not what a syslog daemon has dominance over; in fact, needs kernel-level  logging modified. And this can be done through either of these ways.

Instruct kernel to log only “errors” instead of informational notifications.

Controlled by ‘printk’ kernel parameter. Defaults are:

# sysctl -a | grep printk
kernel.printk_ratelimit_burst = 10
kernel.printk_ratelimit = 5
kernel.printk = 6    4    1    7
# find /proc -name '*printk*' -exec cat {} ;
6    4    1    7

Just change ‘6 4 1 7′ to ‘3 4 1 7′.

# echo "kernel.printk = 3 4 1 7" >> /etc/sysctl.conf
# sysctl -p

Documentation goes over here, if you’re intrested /usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/kernel.txt

printk:

The four values in printk denote:
 console_loglevel,
 default_message_loglevel,
 minimum_console_loglevel and
 default_console_loglevel respectively.

These values influence printk() behavior when printing or
 logging error messages. See 'man 2 syslog' for more info on
 the different loglevels.

- console_loglevel: messages with a higher priority than this will be printed to the console
 - default_message_level: messages without an explicit priority will be printed with this priority
 - minimum_console_loglevel: minimum (highest) value to which console_loglevel can be set
 - default_console_loglevel: default value for console_loglevel

Definitions of kernel logging numbers, from Syslog’s manual:

#define KERN_EMERG    "<0>"  /* system is unusable               */
 #define KERN_ALERT    "<1>"  /* action must be taken immediately */
 #define KERN_CRIT     "<2>"  /* critical conditions              */
 #define KERN_ERR      "<3>"  /* error conditions                 */
 #define KERN_WARNING  "<4>"  /* warning conditions               */
 #define KERN_NOTICE   "<5>"  /* normal but significant condition */
 #define KERN_INFO     "<6>"  /* informational                    */
 #define KERN_DEBUG    "<7>"  /* debug-level messages             */

Change kernel ring buffer logging level

Just keep in mind, using this approach only limits console logging and issuing dmesg would still print the over all logs.

# dmesg -n 3
or
# dmesg -n 4

Last month I wrote a howto for highly available load balanced Piranha cluster using Red Hat’s cluster suite. Until then it was quite not obvious why one should use the Debian styled network load balanced cluster in the production environment when actual “heartbeat” package and service creates a lot of havoc on Red Hat machines. But my reckoning of doing classic things more manually kept me interrogative and I found the flexible way of doing load balanced clustering without needing the actual heartbeat service. Reasons why I’m so much against of having it are numerous:
- Running heartbeat snatches the independence of managing virtual IP addresses on load balancer by hand.
- Thus restricting expansion of the pools!
- Ldirector’s daemon must be managed by heartbeat when its running.
- Waste of resources in utilization; such with a sheer restart of heartbeat service and it just sits on waiting and waiting,…
- And above all, I don’t need a “second” load balancer for a failover. All that glitters is one load balancer running ldirectord in a simple environment and as for the job, it does most of heartbeat’s when acting as a divider and a monitor for distributing requests between web servers.

Environment

Requirements: At least three systems, each with a minimum of one IP (CentOS in my case). Packages ‘heartbeat’, ‘heartbeat-ldirector’ for load balancing and ‘ipvsadm’ for Linux IP Virtual Server. I know you’re thinking that why the ‘heartbeat’ when actually we’re not going to run it. In fact, we’re not going to run it; its just for a dependency resolution, rather a service startup requirement – I should say (/etc/ha.d/shellfuncs is the file needed)! And I swear we won’t run it ! So these are the packages which shape into a project Ultramonkey when combined and it describes the different topologies of a functional HA LB cluster but that’s not our concern, anyway (perhaps yours if you think you’ve a bit of free time)

Virtual IP: 12.12.12.60
Load Balancer: 12.12.12.61 aka VM1.
Cluster Nodes/Real Servers:
Web Server1: 12.12.12.62 aka VM2
Web Server2: 12.12.12.63 aka VM3.

And we’ll be using LVS-DR (direct routing) approach for clustering; its most widely used and has lesser downsides.
Lets start by configuring the web servers first.

Cluster Nodes  Configurations

1. On both web servers VM2 and VM3, apache should be running having a common serving file (for purpose of get checked by ldirectord).

# yum install httpd -y
# echo foo > /var/www/html/test.html
# service httpd start
# chkconfig httpd on

And to distinguish both of the web servers during test loading, create at least a one unique file on each of web servers.

[root@VM2 ~]# echo "This is VM2" > /var/www/html/index.html
[root@VM3 ~]# echo "This is VM3" > /var/www/html/index.html

2. Virtual IP needs to be terminated on both web servers so we’ll create a second network interface on each of it. Because eventually all three NICs on all three servers would have to have the same VIP so this would cause a problem with ARP as it resolves MACs against IPs. There are different solutions to this problem. Some may refer to use iptables or arptables_jf. Many would recommend changing default gateway route or hiding the network interface (by the way don’t use iptables or change default gateway for this; Red Hat discourages both of these methods as they cause a lot of overhead). But the most flexible approach I’ve found is:

a. create a loopback interface so it doesn’t communicate with your network gateway/router directly.
b. instruct Linux kernel to announce ARP requests with preference to be taken from local address when matching for communication instead preference from the destination address.
c. instruct Linux kernel to send ARP responses only to the requests originating from same sender address to same local addresses’ subnet. Details here, if you’re really curious about it.

# vi /etc/sysconfig/network-scripts/ifcfg-lo:0
DEVICE=lo:0
IPADDR=12.12.12.60
NETMASK=255.255.255.255
ONBOOT=yes
NAME=loopback
#
# vi /etc/sysctl.conf
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2
# sysctl -p
# ifup lo:0

Load Balancer Configuration

We’ll be going through:

a. installing required packages
b. enabling IP forwarding,

# yum install heartbeat heartbeat-ldirector ipvsadm -y
# chkconfig --add ldirectord
# chkconfig --del heartbeat
# sed -i 's/net.ipv4.ip_forward = 1/net.ipv4.ip_forward = 0' /etc/sysctl.conf

# sysctl -p

c. configure secondary eth0 for VIP as its going to be exposed to outside world or your local gateway and

# vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=none
ONBOOT=yes
HWADDR=3a:5d:71:ad:67:47
NETMASK=255.255.255.0
IPADDR=12.12.12.60
GATEWAY=12.12.12.1
TYPE=Ethernet

d. then creating ldirector.cf, the configuration file of our load balancer, respectively!!

# vi /etc/ha.d/ldirectord.cf
checktimeout=10
checkinterval=2
autoreload=no
logfile="/var/log/ldirectord.log"
quiescent=no
virtual=12.12.12.60:80
 real=12.12.12.62:80 gate
 real= 12.12.12.63:80 gate
 service=http
 request="test.html"
 receive="foo"
 scheduler=wrr
 protocol=tcp
 checktype=negotiate

# service ldirectord start

Option ‘quiescent’ just removes the real server from ipvs table whom ldirectord doesn’t recieve any response from, when querying for test.html within ten seconds, marking that real server as dead; until its available again. Note that the “gate” switch in ‘real’ server’s parameter value which testifies the usage of LVS Direct Routing method. The rest of the two methods are masq and ipip the details of which along with the other options available, particularly the scheduler parameters, for this configuration file can be found in ‘man ldirectord’.

Testing

Use ‘ipvsadm’ to list down current statistics of ldirectord. Make sure that both real servers IPs are listed there and have non-zero value in weight (since we’ve this default setup, it should be 1). If not, then try checking the log file, tcpdump on ldirector and apache logs on real servers.
If everything works good, you’ll see changing content when browsing to http://12.12.12.60/ multiple times (from another system outside these cluster nodes). Then stop httpd on one web server, browse to the URL again and all requests should now be served from the other web server.

[root@VM1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  12.12.12.60:http wrr
-> 12.12.12.63:http             Route   1      0          0
-> 12.12.12.62:http             Route   1      0          0

For a more meaningful testing

$ for i in $(seq 6); do curl http://12.12.12.60/index.html; done
 This is VM3
 This is VM2
 This is VM3
 This is VM2
 This is VM3
 This is VM2

I’ll be posting a couple of optimizations techniques soon when I’ll be getting some more free time. Stay tuned and take care

If you use rsync frequently, you might be aware of the fact that rsync doesn’t show overall or total transfer statistics when you’re syncing directories recursively. Even options like ‘–progress’, ‘–stats’ and ‘-vv’ won’t do that. I was searching for that, was about to write a script to run in dry-run mode and measure an overall rsync progress but found a patch here written by Graeme Humphries. This patch later was incorporated into latest dev version 3.1dev downloadable here at http://samba.anu.edu.au/ftp/rsync/dev/nightly/ with an option invokable by ‘–info=progress2′.

Excerpts from the man pages:

There is also a --info=progress2 option that outputs statistics based on the whole transfer, rather than individual files.  Use this flag without outputting a filename (e.g. avoid -v or specify --info=name0 if you want to see how the transfer is doing without scrolling the screen with a lot of names.  (You don't need to specify the --progress option in order to use --info=progress2.)
 

So, I downloaded, compiled and installed this dev version and guess what now, there’s no creepy scrolls in shell console filling up the screen with individual file progress.
Yea, I know Red Hat and CentOS are slow in updating their packages repository but lets hope when this build is final, Dag’s repo may have an rpm for it.

For Linux its going to be with tool ‘genkey’ – a part of crypto-utils package available in Red Hat distros.

# genkey servername

And for Windows, easiest way to do is with SelfSSL available in IIS 6.x Resource Tools.

I’m fond of two ascii art tools in Linux.

- linux_logo
- figlet

Both of these are available in RPMForge/Dag’s repository. Second one, figlet draws the ascii art for any text that is input. It has a lot of font options available (see man for figlet and figlist).

CentOS 5’s base repository has an older version of HPLIP, something about ‘1.6.7′ or so which of course is not adequate to get newer HP printers specially the LaserJet series, to get to work. Now the natural way to have this installed, you may think is to compile it from source – if you’re thinking that then no, that won’t help out! Even after fulfilling all of the required dependencies. I got about almost 14 errors when running hp-check utility after compiling, got’em reduced to 10 but no far lesser than that if you know what I mean.

error: NOT FOUND! This is a REQUIRED/RUNTIME ONLY dependency. Please make sure that this dependency is installed before installing or running HPLIP.
error: NOT FOUND! This is a REQUIRED/RUNTIME ONLY dependency. Please make sure that this dependency is installed before installing or running HPLIP.
warning: NOT FOUND! This is an OPTIONAL/RUNTIME ONLY dependency. Some HPLIP functionality may not function properly.
warning: NOT FOUND! This is an OPTIONAL/RUNTIME ONLY dependency. Some HPLIP functionality may not function properly.
error: NOT FOUND! This is a REQUIRED/COMPILE TIME ONLY dependency. Please make sure that this dependency is installed before installing or running HPLIP.
error: Could not access file: No such file or directory
error: 10 errors and/or warnings.
-----------
| SUMMARY |
-----------
Please refer to the installation instructions at:

http://hplip.sourceforge.net/install/index.html

Pretty insane though, many of these dependencies were already installed. I would assume that this would be the reason why hplip is not under active development for CentOS and why its not current under CentOS as I saw quite a few HP’s devs and techs saying a big “no” to this community based distribution when people complained on their Launchpad about these compilation errors. Plus, the relative hplip installation issues I found on CentOS’ forum.

After being in disappointed (oops wth) situation, I tried running the RHEL5’s rpm (can be downloaded from hplip’s site) on it after removing the source installed version, but it too gave the dependency errors which I hoped I would resolve and I did later on.

Installing……

# rpm -ivh /Raid/hplip-3.9.10_rhel-5.0.i386.rpm
Preparing...                ########################################### [100%]
 file /usr/bin/hpijs from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
 file /usr/lib/libhpip.so.0.0.1 from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
 file /usr/lib/sane/libsane-hpaio.so.1.0.0 from install of hplipfull-3.9.10-0.i386 conflicts with file from package libsane-hpaio-1.6.7-4.1.el5.4.i386

So, I decided to remove problematic hpijs

 Package                 Arch       Version          Repository        Size

Removing:
 hpijs                   i386       1:1.6.7-4.1.el5.4  installed         588 k
Removing for dependencies:
 libsane-hpaio           i386       1.6.7-4.1.el5.4  installed          94 k
 sane-backends           i386       1.0.18-5.el5     installed         3.1 M
 sane-backends-devel     i386       1.0.18-5.el5     installed          27 k
 sane-backends-libs      i386       1.0.18-5.el5     installed         5.2 M
 xsane                   i386       0.991-5.el5      installed         4.5 M

Transaction Summary
Install      0 Package(s)
Update       0 Package(s)
Remove       6 Package(s)

But realised soon that it also removed libsane sub-dependency as well.

# rpm -ivh /Raid/hplip-3.9.10_rhel-5.0.i386.rpm
error: Failed dependencies:
 libsane.so.1 is needed by hplipfull-3.9.10-0.i386
 

Because installing sane would also install hpijs and other conflicting stuff as well so the solution here was to remove problematic packages without ‘removing’ any dependencies needed.

[root@ToughGuy ~]# rpm -ivh /Raid/hplip-3.9.10_rhel-5.0.i386.rpm
Preparing...                ########################################### [100%]
 file /usr/bin/hpijs from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
 file /usr/lib/libhpip.so.0.0.1 from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
 file /usr/lib/sane/libsane-hpaio.so.1.0.0 from install of hplipfull-3.9.10-0.i386 conflicts with file from package libsane-hpaio-1.6.7-4.1.el5.4.i386
#
# rpm -ev --nodeps libsane-hpaio
# rpm -ivh /Raid/hplip-3.9.10_rhel-5.0.i386.rpm
Preparing...                ########################################### [100%]
 file /usr/bin/hpijs from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
 file /usr/lib/libhpip.so.0.0.1 from install of hplipfull-3.9.10-0.i386 conflicts with file from package hpijs-1.6.7-4.1.el5.4.i386
#
# rpm -ev --nodeps hpijs
#
# rpm -ivh /Raid/hplip-3.9.10_rhel-5.0.i386.rpm
Preparing...                ########################################### [100%]
 1:hplipfull              ########################################### [100%]
#

Concluding the overall steps:

# yum install cups cups-devel ghostscript* PyQt xsane -y
# Download and install hplip-3.9.10_rhel-5.0.i386.rpm from http://hplipopensource.com/hplip-web/install_wizard/index.html choosing RHEL5.
# rpm -ev --nodeps libsane-hpaio
# rpm -ev --nodeps hpijs
# rpm -ivh hplip-3.9.10_rhel-5.0.i386.rpm
# Reboot the system if you're lucky enough, you'll see no errors
# reboot
# system-config-printer

And configure the printer now as usual. Just out of curiosity, this was my XenServer where I installed it (yea I know it would sound funny) and I got scanner (LaserJet M1120 is dual scanner and printer) working fine as well with xsane. Check it out

Scan Test HP LaserJet M1120 MFP

NOTE: If this post helped you out or provided you with ways of troubleshooting, feel free to say a little thanks

Just came across this snap in my cell’s pic gallery which I took at Zia Intl. Airport. Funny!

Increasing the rebuild speed

Sometimes when you’re quite lazy or bored and don’t like the noticeable amount of free resources on your server, you may like to increase the raid building and resyncing process speed.

# echo 250000 > /proc/sys/dev/raid/speed_limit_max
# echo 250000 > /proc/sys/dev/raid/speed_limit_min

And this would spin up the hards faster to their maximum extent saving almost half of the time!
Defaults were:

 # cat /proc/sys/dev/raid/speed_limit_max
200000
# cat /proc/sys/dev/raid/speed_limit_min
1000

And looks like my hards have 100M/s speed.

#hddtemp /dev/sda
/dev/sda: ST3750330AS: 31°C
# hdparm -t /dev/sda
/dev/sda:
 Timing buffered disk reads:  280 MB in  3.01 seconds =  93.09 MB/sec
 

Checking and repairing

The larger the hard drive is the greater the probability of having its blocks corrupted. Its better to check for consistency against any bad blocks or md superblocks.

# cat /sys/block/md0/md/sync_action
idle
# echo check > /sys/block/md0/md/sync_action

And if there are any, repair them.

# echo repair > /sys/block/md0/md/sync_action

Setting up RAID alerts to send emails about any errors

Red Hat family distros come with built in service daemon mdmonitor which runs ‘mdadm –monitor’ in a daemon mode.

# mdadm --detail --scan >> /etc/mdadm.conf
# echo "MAILADDR me@bashukhan.com" >> /etc/mdadm.conf
# chkconfig mdmonitor on
# service mdmonitor restart

Remember to add “DEVICE partitions” or partitions being components of an md array to top of file /etc/mdadm.conf.

I’m sometimes pretty sick of getting emails from ‘root’ reporting crons, updates, errors and rest of things I would usually use daily in any Linux machine. My eyes just get sore when I see email from root in all of my email clients specially Gmail. Perhaps that’s because I’m fed up of seeing root everywhere and that’s why I’ve an alias for root to forward all these rootish emails to one of my email addresses. But that’s just not enough as I actually want to see a humane human name as a sender just instead of root :>

To add to it, this just becomes more anguish when common, rather I would say major, Linux applications suck in changing the default sender address off from ‘root’ (although some apps like ‘exim -f’ and mutt having SET FROM defined in ~/.muttrc allow you to change sending address while emailing from command line but this isn’t what I needed). And so called mighty default MTA, sendmail just brings more panic to it when trying to change it during an in-mail transport (btw, I already dislike sendmail mainly cause of its sluggishness during startup and restart)! As I really had to do something about it and I already knew that Exim’s address rewriting can be helpful here so after installing it and changing default MTA with ‘alternative –config mta’ I added a quick rewrite at transport.

$ grep -A 5 remote_smtp /etc/exim/exim.conf | tail -5

driver = smtp
headers_rewrite = root@*  me@bashukhan.com fsr

This worked but didn’t change the FROM field’s name as expected. I tried combinations of different settings including the rewrite tag ‘F’ but the FROM envelop address kept showing the original sender root. I was searching till I stumbled upon http://www.exim.org/exim-html-2.00/doc/html/spec_32.html#SEC671 where it states the FULL ‘from’ envelop address is changed with ‘w’ tag and allows to have a new sender name (RFC 822) to be configured. So I added.

$ grep -A 5 remote_smtp /etc/exim/exim.conf | tail -5

driver = smtp
# Adding to rewrite the stupid root@ FROM field which I hate
headers_rewrite = root@* "Abbas <me@bashukhan.com>" fsrw
return_path = me@bashukhan.com

And boo you naughty (!) root 

I just finished setting my home XenServer making it fully redundant, mirrored and backup’ed. Thought, I would share what’s on it

- Raid1 setup on boot, grub as well as VM storage repository. If one of the hard goes down, it’ll boot from other one.
- Samba installed to have a share setup in a raid array of 700GB
- Raild alerts are configured to email me whenever there’s any issue
- Smartmontools are running to make sure that hard disks are healthy and have emails alerts configured as well.
- Auto on-the-fly backup of all virtual machines without shutting them off, every night at 1am keeping the two most recent backups of VMs all the time.