Life of a Geek Admin

The Daily adventures of a true geek administrator

Install Tomcat 7 and Java 1.7 on CentOS 6 RHEL 6

In this post we will cover how to install Apache Tomcat 7 and the Java 1.7 JDK on CentOS 6 and RHEL 6. This process doesn't use the RPMs from the Red Hat repositories; it uses the latest tarballs from Apache and Oracle. We will also run Tomcat under a dedicated service account rather than as root.

Download the latest Tomcat from http://tomcat.apache.org/download-70.cgi. Version 7.0.40 is the current version at the time of this post.
Download the latest Java 1.7 JDK from http://www.oracle.com/technetwork/java/javase/downloads/index.html; click on the JDK download button. You will want the jdk-7u21-linux-x64.tar.gz tarball.
Copy the downloaded tarballs to the /tmp directory on your server.

Change directory to /opt, or to the directory of your choice on the server. I am using /opt for this post to contain both Java and Tomcat.

$ cd /opt

Make the tomcat directory and change to it.

$ mkdir tomcat
$ cd tomcat

This step is optional: create an individual, named instance directory for Tomcat. Doing this allows you to run multiple instances of Tomcat on one server. For this example we will be using tomcat-inst1.

$ mkdir tomcat-inst1
$ cd tomcat-inst1

Untar Tomcat inside the instance directory you will be running.

$ tar -xvzf /tmp/apache-tomcat-7.0.40.tar.gz

Create a symlink called tomcat-current. This will allow you to untar newer versions of Tomcat and just update the symlink.

$ ln -sf apache-tomcat-7.0.40 tomcat-current

Create the tomcat service account and set its UID to 520.

$ useradd -u 520 -c "Tomcat Service Account" -d /opt/tomcat -m -s /bin/bash tomcat

Change ownership of the tomcat directory to the tomcat user.

$ cd /opt
$ chown -R tomcat:tomcat tomcat

Create an init.d script to start the Tomcat instance at reboot. There is no init script in the Apache-supplied tarball. Copy the code below, save it as tomcat-inst1 in the /etc/init.d directory, and modify the instance name variable (and the install path, if you did not use /opt).

#!/bin/bash
#
# Startup script for the Tomcat 7.0 Servlet/JSP Container
#
# chkconfig: 345 98 02
# description: Tomcat is the servlet container that is used in the
#              official Reference Implementation for the Java Servlet
#              and JavaServer Pages technologies.

# Source function library.
. /etc/rc.d/init.d/functions

# Instance name; change this for every instance you create.
INSTANCE=tomcat-inst1
export INSTANCE
# Install location used in this post (/opt); adjust if you chose another directory.
CATALINA_HOME=/opt/tomcat/${INSTANCE}/tomcat-current
# Name shown in the status messages below.
prog=${INSTANCE}

# Source configuration.
[ -f /etc/sysconfig/${INSTANCE} ] && . /etc/sysconfig/${INSTANCE}

RETVAL=0

start() {
    if [ -f /var/run/${INSTANCE}_restart ]; then
        /bin/rm /var/run/${INSTANCE}_restart
    fi
    echo -n $"Starting $prog: "

    if [ ! -f /var/lock/subsys/${INSTANCE} ]; then
        # Always start as the tomcat service account, never as root.
        su - tomcat -c "INST_NAME=${INSTANCE} $CATALINA_HOME/bin/startup.sh"
        RETVAL=$?

        if [ $RETVAL = 0 ]; then
            success $"$prog startup"
            touch /var/lock/subsys/${INSTANCE}
        else
            failure $"$prog startup"
        fi
    fi

    echo
    return $RETVAL
}

stop() {
    /bin/touch /var/run/${INSTANCE}_restart
    echo -n $"Stopping $prog: "

    if [ -f /var/lock/subsys/${INSTANCE} ]; then
        # Graceful shutdown; use stopforce if Tomcat does not exit.
        su - tomcat -c "$CATALINA_HOME/bin/shutdown.sh"
        RETVAL=$?

        if [ $RETVAL = 0 ]; then
            success $"$prog shutdown"
            rm -f /var/lock/subsys/${INSTANCE}
        else
            failure $"$prog shutdown"
        fi
    fi

    echo
    return $RETVAL
}

stopforce() {
    /bin/touch /var/run/${INSTANCE}_restart
    echo -n $"Forcefully Stopping $prog: "

    if [ -f /var/lock/subsys/${INSTANCE} ]; then
        # -force kills the JVM via the PID file (CATALINA_PID set in setenv.sh).
        su - tomcat -c "$CATALINA_HOME/bin/shutdown.sh -force"
        RETVAL=$?

        if [ $RETVAL = 0 ]; then
            success $"$prog shutdown"
            rm -f /var/lock/subsys/${INSTANCE}
        else
            failure $"$prog shutdown"
        fi
    fi

    echo
    return $RETVAL
}

status() {
    local base=${1##*/}
    if [ -f /var/lock/subsys/${base} ]; then
        echo $"${base} is running..."
        return 0
    else
        echo $"${base} is stopped."
        return 3
    fi
}

getpid() {
    # Prefer the PID file written by catalina.sh; fall back to the process list.
    if [ -f "$CATALINA_HOME/bin/catalina.pid" ]; then
        tomcatpid=`cat "$CATALINA_HOME/bin/catalina.pid"`
    else
        tomcatpid=`ps auwwx | grep -v grep | grep -i /${INSTANCE}/ | awk '{print $2}'`
    fi
    echo "The PID for ${INSTANCE} is ${tomcatpid}."
    echo
}

threaddump() {
    getpid
    if [ -n "${tomcatpid}" ]; then
        # SIGQUIT makes the JVM write a thread dump to its stdout (catalina.out).
        kill -3 ${tomcatpid}
        echo "Thread dump has been sent to where stdout is logged."
    else
        echo "No running process found for ${INSTANCE}."
    fi
    echo
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  stopforce)
        stopforce
        ;;
  status)
        status ${INSTANCE}
        ;;
  restart|reload)
        stopforce
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/${INSTANCE} ] ; then
                stop
                start
        fi
        ;;
  getpid)
        getpid
        ;;
  threaddump)
        threaddump
        ;;
  *)
        echo $"Usage: $prog {start|stop|stopforce|restart|condrestart|reload|status|getpid|threaddump}"
        exit 1
esac

exit $RETVAL

Edit these lines near the top of the script to match your instance name and install directory (this post uses /opt):

# Source function library.
. /etc/rc.d/init.d/functions

INSTANCE=tomcat-inst1
export INSTANCE
CATALINA_HOME=/opt/tomcat/${INSTANCE}/tomcat-current

Set init script to run at startup.

$ chkconfig --levels 345 tomcat-inst1 on

Set up the Java JDK 1.7.

$ cd /opt
$ mkdir java
$ cd java

Untar the tarball.

$ tar -xzvf /tmp/jdk-7u21-linux-x64.tar.gz

Create the symlink.

$ ln -sf jdk1.7.0_21 current

Create setenv.sh in /opt/tomcat/tomcat-inst1/tomcat-current/bin/. In this example there is an ENV_LEVEL variable; you can omit those two lines or use them. It is for keeping the different development levels (DEV, INT, CERT, PROD) set to the correct environment, if you want to use them.

# Java home for this Tomcat instance (the symlink created above)
JAVA_HOME=/opt/java/current

# Java options (minimum/maximum heap)
JAVA_OPTS="-server -Xms1024m -Xmx1024m"

# Modify umask so that group has r+w
umask 02
# PID file; the init script's shutdown.sh -force relies on it
CATALINA_PID=${CATALINA_HOME}/bin/catalina.pid

# Optional environment level (DEV, INT, CERT, PROD); drop these two lines if unused
ENV_LEVEL=DEV
export ENV_LEVEL

$ chmod 755 setenv.sh
$ chown tomcat:tomcat setenv.sh

Modify tomcat-users.xml to set password and roles access.

$ cd /opt/tomcat/tomcat-inst1/tomcat-current/conf

Make a backup of the current file.

$ mv tomcat-users.xml tomcat-users.xml.orig

Create a new file with the following contents and set the passwords to your liking.

$ vi tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <user username="manager" password="tommgr" roles="manager-gui,admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>

$ chmod 600 tomcat-users.xml
$ chown tomcat:tomcat tomcat-users.xml

Now we can start Tomcat and it should be working.
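As a post-install check for the steps above (an added example, not code from the original post), the following script verifies the points this setup depends on: tomcat-users.xml is mode 600 and owned by the service account, setenv.sh is not group- or world-writable, and the sample passwords shown above have been replaced. The instance directory and the service account name are passed in as arguments; the values used in the demo at the bottom are constructed in a temporary directory.

```shell
#!/bin/sh
# Added post-install audit for a Tomcat instance laid out as in this post.
# Example code, not part of the original post: the instance directory and the
# service account are assumptions passed in as arguments, e.g.
#
#   check_tomcat_instance /opt/tomcat/tomcat-inst1/tomcat-current tomcat

# Permission string (first column of ls -ld, e.g. -rw-------.) and owning user.
perm_string() { ls -ld "$1" | awk '{print $1}'; }
owner_of()    { ls -ld "$1" | awk '{print $3}'; }

# 0 when group and other have no bits at all (chmod 600 / 700 style), which is
# what the post sets on tomcat-users.xml because it holds clear-text passwords.
private_to_owner() {
    [ "$(perm_string "$1" | cut -c5-10)" = "------" ]
}

# 0 when neither group (column 6) nor other (column 9) can write the path.
not_group_world_writable() {
    case "$(perm_string "$1")" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 when the sample credentials shown in the post are still present.
has_sample_credentials() {
    grep -Eq 'password="(tommgr|tomcat)"' "$1"
}

# Audit one instance directory; prints one FINDING line per problem and
# returns the number of findings (0 means clean).
check_tomcat_instance() {
    inst=$1 svc=$2 n=0
    users="$inst/conf/tomcat-users.xml"
    env_file="$inst/bin/setenv.sh"
    if [ ! -f "$users" ]; then
        echo "FINDING: $users is missing"; n=$((n + 1))
    else
        private_to_owner "$users" ||
            { echo "FINDING: $users is readable by group/other ($(perm_string "$users"))"; n=$((n + 1)); }
        [ "$(owner_of "$users")" = "$svc" ] ||
            { echo "FINDING: $users is not owned by $svc"; n=$((n + 1)); }
        if has_sample_credentials "$users"; then
            echo "FINDING: $users still contains the sample passwords from the post"; n=$((n + 1))
        fi
    fi
    if [ -f "$env_file" ]; then
        not_group_world_writable "$env_file" ||
            { echo "FINDING: $env_file is group/world writable ($(perm_string "$env_file"))"; n=$((n + 1)); }
        [ "$(owner_of "$env_file")" = "$svc" ] ||
            { echo "FINDING: $env_file is not owned by $svc"; n=$((n + 1)); }
    fi
    return "$n"
}

# Build a constructed instance in a temp dir to show the output; on a real
# server the path would be /opt/tomcat/<instance>/tomcat-current.
make_demo_instance() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/bin"
    cat >"$d/conf/tomcat-users.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="manager" password="tommgr" roles="manager-gui"/>
</tomcat-users>
EOF
    chmod 644 "$d/conf/tomcat-users.xml"      # deliberately too open
    printf 'JAVA_HOME=/opt/java/current\n' >"$d/bin/setenv.sh"
    chmod 775 "$d/bin/setenv.sh"              # deliberately group writable
    echo "$d"
}

# Bring the constructed instance in line with the post's own steps.
harden_demo_instance() {
    u="$1/conf/tomcat-users.xml"
    sed 's/password="tommgr"/password="CHANGE-ME-placeholder"/' "$u" >"$u.new" && mv "$u.new" "$u"
    chmod 600 "$u"
    chmod 755 "$1/bin/setenv.sh"
}

demo=$(make_demo_instance)
rc=0; check_tomcat_instance "$demo" "$(id -un)" || rc=$?
echo "findings before hardening: $rc"
harden_demo_instance "$demo"
rc=0; check_tomcat_instance "$demo" "$(id -un)" || rc=$?
echo "findings after hardening: $rc"
rm -rf "$demo"
```

Run it against the real instance with the service account as the second argument after finishing the steps above; a non-zero return value means at least one of the settings the post relies on has drifted.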

How To Fix RHEL / CentOS 6.4 LDAP MD5 Cert Error

Recently we updated to the latest RHEL 6.4, which caused LDAP to stop using our MD5-signed certificate. This was due to the nss-3.14.0 update, which now deems MD5 insecure. The change caused authentication of users via LDAP to fail. Accounts with a local password (such as root) were still able to log in.

Since creating or updating the MD5 certificate was not an immediate solution for us, we had to find a way to use what we have while we work on a permanent solution. Here are a few of the workarounds.

Option 1

The first option involves modifying each kernel line in /etc/grub.conf to add support for MD5, as well as creating a file in /etc/profile.d that exports the same variable. In our situation this option did not work, but for others on the Internet it did.

Add in /etc/grub.conf to the end of kernel lines
systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5

Create /etc/profile.d/nss.sh
export NSS_HASH_ALG_SUPPORT=+MD5

Reboot the server

Option 2

The second option adds the export to /etc/sysconfig/init. This option worked for allowing users to connect via ssh, but it did not allow authentication when logging in on a console, such as the Open Console option in vSphere.

Add to /etc/sysconfig/init
export NSS_HASH_ALG_SUPPORT=+MD5

Reboot the server

Option 3

The third option involves downgrading the nss packages to 3.13 and adding an exclusion in /etc/yum.conf so that nss cannot be updated to 3.14 or higher. This was the option that worked for our situation.

You will need to downgrade nss, nss-tools, nss-sysinit and nss-util.

yum downgrade nss nss-tools nss-sysinit nss-util

Next open /etc/yum.conf and add / change:

exclude=nss*

Reboot the server

I hope one of these options helps you in your situation.

How To Install MySQL Community Edition on RHEL 6 x86_64

Recently I had the need to install the latest Community Edition of MySQL on a RHEL 6.3 x86_64 server. For most purposes the included version of MySQL works, but if you want the latest version you will need to install the Community Edition.

First download the latest Community Edition MySQL from the MySQL downloads page. At the time of this post 5.6.10 is the current version. From the drop-down select Oracle & RedHat Linux 6 and download the following four packages.

  • MySQL-server
  • MySQL-client
  • MySQL-shared
  • MySQL-shared-compat

Now that we have the downloads, we will need to update the current mysql-libs and then install the packages.

$ sudo yum update mysql-libs
$ sudo yum install MySQL-server MySQL-client MySQL-shared MySQL-shared-compat

Now that we have MySQL installed we will need to create the base tables and start the service.

$ sudo /usr/bin/mysql_install_db --user=mysql
$ cd /usr
$ sudo /usr/bin/mysqld_safe &

The next step is to log in and set the MySQL root password, and we are done (replace newpassword with your own).

# mysqladmin -u root -p password newpassword

That’s all we need to do.

How to Create RPM’s from CPAN modules using Cpan2rpm

You know how it is sometimes, working on corporate servers that sit in DMZs behind firewalls that block them from reaching the Internet to get modules, programs and such. You can't go direct, so you find ways to get the files onto the systems; that's a good thing and just part of being an admin.

Such was the case in this instance with installing a CPAN module on an RHEL server. I recently ran into a situation where I needed an RPM of a specific CPAN module that none of the usual repositories had, and with a bit of searching found a handy little application called cpan2rpm.

The trick with cpan2rpm is that it needs to be installed on the same OS version you are building the package for, for example RHEL 6 x64 for a package destined for RHEL 6 x64. Easy enough if you have a full stack of environments for a server, assuming one of the lower environments has Internet access to fetch the packages needed for the build.

Download from http://perl.arix.com/cpan2rpm/

Install cpan2rpm on the build system. You may need rpm-build installed as well; here is the relevant part of the yum output from installing it.

Installed:
rpm-build.x86_64 0:4.9.1.3-1.fc16

Dependency Installed:
patch.x86_64 0:2.6.1-9.fc16

Complete!

 $ sudo rpm -ivh cpan2rpm-2.028-1.noarch.rpm
 warning: cpan2rpm-2.028-1.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID de770456: NOKEY
 Preparing...                ########################################### [100%]
 1:cpan2rpm               ########################################### [100%]

Now install the CPAN module locally on the build system using CPAN and make sure any dependent RPMs are installed. Once done you can create the RPM.

cpan> install GD::Thumbnail

Now we can create the RPM we need.

$ cpan2rpm --no-sign GD::Thumbnail

If cpan2rpm cannot determine the version, you can assist it by passing --version.

 $ cpan2rpm --no-sign --version 1.41 GD::Thumbnail

Now we have an RPM that can be installed on the target system.

Epson Perfection 4490 Photo scanner on Fedora 17

The Epson Perfection 4490 Photo scanner is not supported by sane in Fedora 17. In a previous post I describe how to install this scanner on Ubuntu. The process is similar except for the package names and commands. To get the scanner to work in Fedora you must download and install third-party software. This how-to describes how I was able to install it on Fedora 17 64-bit.

  1. Make sure sane and xsane are installed.
  2. Edit /etc/sane.d/dll.conf and uncomment epson2 if it is not done already.
  3. Go to http://www.sane-project.org/lists/sa…-external.html
  4. Scroll down, find “Perfection 4490 PHOTO” and fill out the distribution and location information. Click on the link and you'll be redirected to Avasys at http://www.avasys.jp/lx-bin2/linux_e/scan/DL1.do
  5. There is no Fedora 17 entry in the listing, so choose 16. Fill in the form and download the 64-bit RPM packages [libltdl7] (for Fedora 11 or later): iscan-data-1.13.0-1.noarch.rpm, iscan-2.28.1-3-ltdl7.x86_64.rpm and iscan-plugin-gt-x750_2.1.2-1.x86_64.rpm.
  6. Install the downloaded RPMs from a terminal (sudo rpm -ivh iscan*) or by double-clicking them.
  7. Power cycle the scanner, or unplug it and plug it back in.
  8. From the terminal, test that sane finds the scanner (run sane-find-scanner and also scanimage -L).
  9. Open XSane and start scanning.

Update: The Avasys site is transitioning the drivers to Epson which can be found here http://download.ebz.epson.net/dsc/search/01/search/

How to install NVIDIA drivers on Fedora 17

Recently I felt the need to upgrade the video card in my Fedora 17 system to an NVIDIA GT610, and with that I thought installing the proprietary drivers might be a good idea. Lucky for me, RPM Fusion provides the drivers I am looking for.

The first step is to make sure you are on the latest kernel, so run

$ sudo yum update kernel\* selinux-policy\*

and reboot after completed.

The second step is to make sure the RPM Fusion repository is on your system, which it should be if you followed any of the other posts; if not, run:

$ sudo yum --nogpgcheck install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm

The third step is to make sure your card is on RPM Fusion's supported list.

The fourth step is to install the drivers. I am currently running the x64 version of Fedora, so the syntax is:

sudo yum install akmod-nvidia xorg-x11-drv-nvidia-libs.x86_64

For 32 bit:

sudo yum install akmod-nvidia xorg-x11-drv-nvidia-libs.i686

For PAE enabled kernel

$ sudo yum install kmod-nvidia-PAE

The fifth step is to rebuild the initramfs without the open-source driver (nouveau):

$ su
$ mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r)-nouveau.img
$ dracut /boot/initramfs-$(uname -r).img $(uname -r)

The final step is to reboot and enjoy the NVIDIA driver!

How To Setup and Use NFS on RHEL 5/6

I know this is probably old hat for many out there, but there are many newbies and even a few crusty admins that need to know, or be reminded, how to set up NFS (Network File System) to export and share files and directories between Linux systems.

There are several services that need to be running for NFS to work properly: portmap, nfs and nfslock. Enable them at boot using chkconfig.

$ sudo chkconfig portmap on
$ sudo chkconfig nfs on
$ sudo chkconfig nfslock on

Now let’s fire them up!

$ sudo service portmap start
$ sudo service nfs start
$ sudo service nfslock start

So let's see if they are running, and running correctly. We can check this with the rpcinfo -p command.

$ sudo rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    624  rquotad
    100011    2   udp    624  rquotad
    100011    1   tcp    627  rquotad
    100011    2   tcp    627  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  10180  nlockmgr
    100021    3   udp  10180  nlockmgr
    100021    4   udp  10180  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  26899  nlockmgr
    100021    3   tcp  26899  nlockmgr
    100021    4   tcp  26899  nlockmgr
    100005    1   udp    639  mountd
    100005    1   tcp    642  mountd
    100005    2   udp    639  mountd
    100005    2   tcp    642  mountd
    100005    3   udp    639  mountd
    100005    3   tcp    642  mountd
    100024    1   udp    796  status
    100024    1   tcp    799  status

Now that things are running, it's time to add the export. Open the /etc/exports file and add the directory and access parameters. In this case I am adding rw and sync and only allowing a specific IP to access the share. This is OK for your home systems, but for an environment that must be secure you will need to restrict access further. We achieve this with /etc/hosts.allow and /etc/hosts.deny: first we deny everyone, then allow only who we want.

Open /etc/hosts.deny and add:

portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

As of now no one can get to your NFS server, so let's grant some access. Open /etc/hosts.allow and use the following format for the entries.

daemon list : user pattern@host pattern

Since I want to give access to a single system, I could just add its IP, so the entries would be:

portmap : 192.168.1.30
lockd   : 192.168.1.30
mountd  : 192.168.1.30
rquotad : 192.168.1.30
statd   : 192.168.1.30

But I would like to allow the whole 192.168.1.0 subnet to reach the server and limit access at the share instead. This is accomplished by giving a network and its netmask rather than a single address.

portmap : 192.168.1.0/255.255.255.0
lockd   : 192.168.1.0/255.255.255.0
mountd  : 192.168.1.0/255.255.255.0
rquotad : 192.168.1.0/255.255.255.0
statd   : 192.168.1.0/255.255.255.0

Now let's create the export.

$ sudo vi /etc/exports
/myfiles        192.168.1.30(rw,sync,root_squash)

This is a good setting for the export. We have set it to be accessed by a specific system, with read-write access, and protected files from client root access. What this means is that someone who has successfully cracked the client's root password may be root on the client, but still cannot access or change files on the server that only root can. With root_squash the client's root user is mapped to the anonymous user, so it has the same access as user nobody. Restart the nfs service.

$ sudo service nfs restart
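To check the two files set up above, here is an added example (not part of the original post) that lints an exports file for the risky settings discussed, namely exports open to every host, no_root_squash, and the insecure option, and that generates the hosts.allow lines for the five NFS daemons from a client address or network/netmask, rejecting a netmask that does not have four octets. The file path and client spec are arguments; the exports file used in the demo is constructed in a temporary file.

```shell
#!/bin/sh
# Added audit helpers for the /etc/exports and hosts.allow steps above. This
# is example code, not part of the original post; paths are passed in so it
# can be run against a constructed file as well as the real /etc/exports.

# Lint an exports file. Prints one FINDING per problem and returns the count.
audit_exports() {
    awk '
    function flag(msg) { print "FINDING (line " NR "): " msg; n++ }
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        path = $1
        if (NF < 2) { flag(path " has no client list, so it is exported to everyone"); next }
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (spec ~ /\(/ && spec !~ /\)/) {     # "(rw,root squash)" splits on the space
                flag(path ": malformed option list near " spec " (stray space?)"); continue
            }
            if (match(spec, /\(.*\)/)) {
                client = substr(spec, 1, RSTART - 1)
                opts   = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (client == "" || client == "*")
                flag(path " is exported to every host")
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                flag(path ": client root keeps root on the server (no_root_squash) for " client)
            if (opts ~ /(^|,)insecure(,|$)/)
                flag(path ": accepts requests from unprivileged source ports for " client)
        }
    }
    END { exit n + 0 }' "$1"
}

# Emit hosts.allow rules for the NFS daemons used in the post. The client spec
# must be a single IPv4 address or network/netmask, each with four octets.
nfs_wrapper_rules() {
    spec=$1
    octet='([0-9]{1,3})'
    ip="$octet\\.$octet\\.$octet\\.$octet"
    echo "$spec" | grep -Eq "^$ip(/$ip)?$" ||
        { echo "bad client spec: $spec" >&2; return 1; }
    for d in portmap lockd mountd rquotad statd; do
        printf '%-8s: %s\n' "$d" "$spec"
    done
}

# Constructed sample exports file mixing the post's export with weak lines.
write_demo_exports() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real server's /etc/exports
/myfiles        192.168.1.30(rw,sync,root_squash)
/scratch        *(rw,no_root_squash)
/legacy         192.168.1.0/24(ro,insecure)
/typo           192.168.1.30(rw,root squash)
EOF
    echo "$f"
}

f=$(write_demo_exports)
rc=0; audit_exports "$f" || rc=$?
echo "exports findings: $rc"                 # 4 for the sample above
rm -f "$f"
nfs_wrapper_rules 192.168.1.0/255.255.255.0
nfs_wrapper_rules 192.168.1.0/255.255.255 || echo "rejected the truncated netmask"
```

Only the first line of the sample passes clean; a stray space inside the option list, as in the last line, is reported rather than silently turning "squash)" into a second client entry.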

OK, now we go to the client server and create the mount point. For the mount I want to stay with /myfiles, so create that directory on the system and set its permissions so the person accessing the files can get to them. As on the source server, you need to make sure portmap and nfslock are running and set to start at boot; follow the same process to enable and start the services.

Now let's test the mount.

$ sudo mount -t nfs -o rw srcsvr:/myfiles /myfiles

You should now be able to access any files in the directory. That works for the short term and tests the connection. Unmount the NFS mount and let's make an entry in /etc/fstab to make this permanent.

$ sudo vi /etc/fstab
srcsvr:/myfiles /myfiles nfs _netdev,rw,tcp,intr,hard,rsize=65536,wsize=65536

So what does this all mean? There are up to six fields in an fstab entry, of which a minimum of four are required. They are:

  • device
  • mount point
  • fs type
  • options
  • dump
  • check order

The minimum four are device, mount point, fs type and check order. Here are the mount options used in the example above.

  • _netdev — The device holding the filesystem requires network access. Do not mount until the network has been enabled.
  • tcp — Specifies for the NFS mount to use the TCP protocol
  • rsize=num and wsize=num — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters is set to 8192. For NFSv4, the default values for both parameters is set to 32768.
  • hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error (soft). If hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified. If soft is specified, the user can set an additional timeo=<value> option, where <value> specifies the number of seconds to pass before the error is reported.
  • intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.

Save the changes and see if the mount works.

$ sudo mount /myfiles

OK, that wasn't so painful; us crusty admins now remember, and the up-and-coming admins now have another tool in their arsenal.

How to set a Directory Sticky Bit in Linux

There are times on Linux / Unix when you need to set the permissions on a directory so that only a file's owner (and root) can delete or rename files or sub-directories in it, even though everyone can write to the directory. This is the default on the /tmp directory.

This is commonly referred to as the sticky bit.

If you want to keep the permissions on the directory the same and just add the sticky bit, use the chmod command with the +t option.

chmod +t /tmp

We can see the result with ls -al: there is a t at the end of the permission string.

drwxrwxrwt.  25 root root  4096 Oct  3 07:33 tmp

We can also set the permissions and the sticky bit together using octal numbers with chmod. Prefixing the octal permissions with a 1 is the way to achieve this.

chmod 1777 /tmp

With the same results.

drwxrwxrwt.  25 root root  4096 Oct  3 07:33 tmp

You can remove the sticky bit by passing -t.

chmod -t /tmp

With the results.

drwxrwxrwx.  25 root root  4096 Oct  3 07:33 tmp
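The rule the post states, that a world-writable directory needs the sticky bit or any user can delete and rename other users' files in it, is easy to audit. Here is an added example (not from the original post) that finds world-writable directories under a given root lacking the bit, reads the bit from the ls -ld permission string the same way the post does, and fixes them with chmod +t. The directory tree used in the demo is constructed in a temporary location; on a real system you would run the scan as root against /.

```shell
#!/bin/sh
# Added check for the sticky-bit rule above. Example code, not from the post;
# the directory to scan is passed as an argument.

# 0 if the directory has the sticky bit: a "t" or "T" as the tenth character
# of the ls -ld mode string (drwxrwxrwt).
has_sticky_bit() {
    case "$(ls -ld "$1" | awk '{print $1}')" in
        d????????[tT]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every world-writable directory under $1 that lacks the sticky bit.
world_writable_without_sticky() {
    find "$1" -type d -perm -002 2>/dev/null | while IFS= read -r d; do
        has_sticky_bit "$d" || printf '%s\n' "$d"
    done
}

# Apply chmod +t (the post's own fix) to each directory reported above.
fix_sticky_bits() {
    world_writable_without_sticky "$1" | while IFS= read -r d; do
        chmod +t "$d"
    done
}

# Constructed demo tree: one directory like /tmp, one that is the case to
# catch, and one that is not world-writable at all.
make_demo_tree() {
    r=$(mktemp -d)
    mkdir "$r/shared" "$r/dropbox" "$r/private"
    chmod 1777 "$r/shared"     # world-writable with the sticky bit
    chmod 777  "$r/dropbox"    # world-writable without it
    chmod 755  "$r/private"
    echo "$r"
}

r=$(make_demo_tree)
echo "needs the sticky bit:"
world_writable_without_sticky "$r"          # lists only .../dropbox
fix_sticky_bits "$r"
echo "after chmod +t:"
ls -ld "$r/dropbox"                         # now ends in t
rm -rf "$r"
```

The scan uses the octal -perm -002 test for the other-write bit so it works with any find implementation; the sticky bit itself is read from the mode string because that is the column the post teaches you to look at.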

Hope you find this helpful!

How to lock down files in Linux using chattr

As system admins we always have a few troublesome users who keep changing files we don't want them to, such as /etc/resolv.conf. We can prevent that using the chattr command.

Here is the file with no flags using the lsattr command.

lsattr – list file attributes on a Linux second extended file system

$ lsattr resolv.conf
-------------e- resolv.conf

So let's lock down the file using +i (immutable) with the chattr command, so that even root cannot make a change until the flag is removed.

chattr – change file attributes on a Linux second extended file system

sudo chattr +i resolv.conf

Check our changes.

$ lsattr resolv.conf
----i--------e- resolv.conf

We now see the i flag in the output. If we open the file in vi we see readonly at the bottom.

"resolv.conf" [readonly] 5L, 180C

So say we have to make a change to the file. Easy enough, using the chattr command again, but instead of +i we use -i.

sudo chattr -i resolv.conf

Check it with the lsattr command and we are back to what we started with. So we can make our changes and then lock the file down again.

$ lsattr resolv.conf
-------------e- resolv.conf

So with just a few commands we can lock and unlock files on Linux.

How To Disable fsck at boot on RHEL

Recently I ran into the need to disable fsck on a large filesystem at boot. Red Hat does not recommend this, but in this case it was an evil that had to be put in place, with the caveat of making sure to run fsck manually at a later time.

According to RedHat:

Red Hat does not typically suggest disabling the on-boot fsck except in situations where the machine does not boot, the file system is extremely large, or the file system is on remote storage.

With that in mind here is how to make it so the filesystem does not run fsck on reboot.

Open /etc/fstab with your favorite editor.

sudo vi /etc/fstab

Find the filesystem you want to stop from being checked and change the last field (the fsck pass number) to 0.

/dev/mapper/vg_mhlinux3-lv_root /       ext4    defaults        1 0
                                                                  ^ change

Save the file and you are done. Pretty simple and straightforward. Let's explore a bit more of fsck and its settings. The default is a check every 180 days or every 23 mounts; say we want to tweak a few of these settings.
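Since the fsck decision lives in the sixth fstab field, and that field (like the fifth) may simply be absent, as in the NFS entry shown earlier in this page, here is an added example (not from the original post) that reads an fstab, defaults missing pass fields to 0 the way fsck does, and reports the local filesystems whose on-boot check has been disabled. The fstab path is an argument; the fstab used in the demo is constructed and includes a placeholder UUID.

```shell
#!/bin/sh
# Added helper for reading the fsck "pass" column of an fstab. Example code,
# not from the post; it takes the fstab path as an argument so it can be run
# on a constructed file (below) or on /etc/fstab.

# Print "<mountpoint> <fstype> <pass>" for every entry, defaulting a missing
# sixth field to 0 the way fsck(8) treats it.
fstab_pass_table() {
    awk '
    /^[ \t]*(#|$)/ { next }
    { pass = (NF >= 6) ? $6 : 0; print $2, $3, pass }' "$1"
}

# List local filesystems whose on-boot fsck is disabled (pass 0). Network and
# pseudo filesystems are never checked at boot, so they are left out.
# Returns the number of entries reported.
fsck_disabled() {
    fstab_pass_table "$1" | awk '
    $3 == 0 && $2 !~ /^(nfs|nfs4|cifs|tmpfs|devpts|sysfs|proc|swap)$/ { print $1 " (" $2 ")"; n++ }
    END { exit n + 0 }'
}

# 0 if the root filesystem still has pass 1, i.e. it is checked first at boot.
root_fsck_enabled() {
    [ "$(fstab_pass_table "$1" | awk '$1 == "/" { print $3 }')" = "1" ]
}

# Constructed fstab mirroring the lines used on this page; the UUID is a
# placeholder, not a real device.
write_demo_fstab() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real /etc/fstab
/dev/mapper/vg_mhlinux3-lv_root /        ext4   defaults  1 0
UUID=placeholder-boot           /boot    ext4   defaults  1 2
/dev/sda3                       /data    ext4   defaults  1 2
tmpfs                           /dev/shm tmpfs  defaults  0 0
srcsvr:/myfiles                 /myfiles nfs    _netdev,rw,tcp,intr,hard,rsize=65536,wsize=65536
EOF
    echo "$f"
}

f=$(write_demo_fstab)
echo "mountpoint fstype pass"
fstab_pass_table "$f"
echo "local filesystems with on-boot fsck disabled:"
rc=0; fsck_disabled "$f" || rc=$?
echo "count: $rc"                                    # 1: the root entry edited above
root_fsck_enabled "$f" || echo "root filesystem will not be checked at boot"
rm -f "$f"
```

Running fsck_disabled against the real /etc/fstab gives you the list of filesystems to remember to check manually later, which is the caveat this post attaches to disabling the boot-time check.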

Let's put the shoe on the other foot and say we want to force an fsck on a filesystem at the next boot. As root, change directory into the filesystem you want to check and create a file called forcefsck.

# cd /mnt
# touch forcefsck

On the next reboot fsck will run and the forcefsck file will be deleted. Say you want to take that to the next level and have it checked on every reboot. We do this with the tune2fs command and its -c max-mount-counts option.

tune2fs allows the system administrator to adjust various tunable filesystem parameters on Linux ext2, ext3, or ext4  filesystems.

In this example /dev/sda3 is being told to check every time it is mounted.

sudo tune2fs -c 1 /dev/sda3

Now say we want to change the number of days from 180 to 200; we do this with the -i interval-between-checks[d|m|w] option. Setting the value to 0 disables the time-based check, which is not recommended.

sudo tune2fs -i 200 /dev/sda3

So we have covered how to disable fsck and a few tweaks for it. Be sure to read man tune2fs to see what else is possible!