Tuesday, July 24, 2012

Amazon EC2 dynamic IP updater

How to set up ddclient on a CentOS machine running in Amazon EC2 so that it updates its public IP address at dyndns-like services.

1. Install ddclient from the EPEL repository
$ sudo yum install ddclient
2. Modify/add the following lines in /etc/ddclient.conf:

use=cmd, cmd='curl http://169.254.169.254/2007-08-29/meta-data/public-ipv4'
server=no-ip.org
login=noipuser
password=noippassword
# the host to update is given as a bare name on the last line
yourhostname.no-ip.org

Some explanation of the "use" line: querying the instance metadata service at 169.254.169.254 is the recommended way to get the public IP address of the running instance.

3. Start ddclient service:
$ sudo /etc/init.d/ddclient start

4. Do not forget to enable ddclient in the default runlevels so that it starts after a reboot
$ sudo chkconfig ddclient on

That's all.
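The use=cmd line above pushes whatever curl prints, so a transient metadata failure (empty body, HTML error page) would be sent to the provider as a "new address". Here is an added example wrapper, not part of the original post, that fetches the same metadata path and prints the result only if it is a valid dotted quad; the script name ec2-public-ip and the curl timeouts are my assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): a wrapper for ddclient's
# use=cmd that fetches the instance's public IPv4 from the EC2 metadata
# service (the 2007-08-29 path used in the post) and prints it only when it
# looks like a valid IPv4 address, so garbage is never pushed to no-ip.
# Assumptions: curl is installed, script is saved as ec2-public-ip.

METADATA_URL="http://169.254.169.254/2007-08-29/meta-data/public-ipv4"

# is_ipv4 ADDR: succeed only for exactly four decimal octets in 0..255.
is_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# public_ipv4: query the metadata service with short timeouts and validate
# the reply; prints the address on success, prints nothing and exits 1 otherwise.
public_ipv4() {
    ip=$(curl -sf --connect-timeout 2 --max-time 5 "$METADATA_URL") || return 1
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Only contact the metadata service when run as the installed wrapper script.
[ "${0##*/}" = "ec2-public-ip" ] && { public_ipv4 || exit 1; }
```

With the script installed as /usr/local/bin/ec2-public-ip, the config line becomes use=cmd, cmd='/usr/local/bin/ec2-public-ip'.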

UPDATE:
It seems that dynupdate.no-ip.com does not accept SSL traffic other than TLSv1.
To work around this, put the following line into /usr/sbin/ddclient after line 1864:
            SSL_version => 'TLSv1',

The diff between the original and the new file will look like this:

# diff -u ddclient.orig ddclient
--- ddclient.orig       2012-10-27 10:06:10.000000000 +0200
+++ ddclient    2012-10-27 09:49:56.000000000 +0200
@@ -1861,6 +1861,7 @@
             Proto => 'tcp',
             MultiHomed => 1,
             Timeout => opt('timeout'),
+            SSL_version => 'TLSv1',
         );
            defined $sd or warning("cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr());
     } else {
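Review bot: SSL_version => 'TLSv1' in this IO::Socket::SSL constructor pins every SSL connection ddclient opens to exactly TLSv1, not only the ones to dynupdate.no-ip.com, so any provider that later refuses TLSv1 in favour of newer versions will break in the same way; consider making the version a config option or conditional on the server instead of a literal. Also, because the hunk is applied to the installed /usr/sbin/ddclient, it is lost on the next package update, as the post itself warns; keeping it as a patch file that can be re-applied avoids re-editing by line number.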


Do not forget to re-apply this patch after updating ddclient!

Sunday, July 22, 2012

Edit crontab from shell script

Editing crontabs from a shell script is not as easy as it first sounds.
You can't simply edit the /var/spool/cron/crontabs/user file, because the new crontab has to be installed by running the crontab command.

So the right method is:
1. List the current crontab to a temporary file:
$ crontab -l > crontab.lst

2. Edit/append the created file:
$ echo "*/10 * * * * /path/to/new/job" >>crontab.lst

3. Install edited crontab file:
$ crontab crontab.lst
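The three commands above have two rough edges in a script: crontab -l exits non-zero when the user has no crontab yet, and a blind append schedules the job twice on a second run. This added example (not from the original post) wraps the same list/edit/install sequence so it is safe to re-run; the "no crontab for" message it checks for is the wording of Vixie cron/cronie and is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): the list / edit / install
# sequence, made idempotent and safe when no crontab exists yet.

# add_entry_to_file FILE ENTRY: append ENTRY unless the identical line is
# already in FILE. Returns 0 when added, 1 when it was already present.
add_entry_to_file() {
    file=$1; entry=$2
    if grep -qxF -- "$entry" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$file"
}

# install_cron_entry ENTRY: dump the current crontab, add ENTRY if it is
# missing, and install the result with crontab(1). Returns 2 on error.
install_cron_entry() {
    entry=$1
    tmp=$(mktemp) || return 2
    err=$(mktemp) || { rm -f "$tmp"; return 2; }
    if ! crontab -l > "$tmp" 2> "$err"; then
        # Vixie cron/cronie report "no crontab for <user>" when none exists
        # (assumption). Any other failure must not end in installing a
        # near-empty crontab over whatever the user really has.
        grep -q '^no crontab for' "$err" || { rm -f "$tmp" "$err"; return 2; }
        : > "$tmp"
    fi
    if add_entry_to_file "$tmp" "$entry"; then
        crontab "$tmp"; rc=$?
    else
        rc=0    # already scheduled: leave the installed crontab untouched
    fi
    rm -f "$tmp" "$err"
    return $rc
}
```

Usage: install_cron_entry "*/10 * * * * /path/to/new/job" does nothing when the line is already present.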

Saturday, July 21, 2012

Nagios/Icinga plugin for amanda

I have a simple amanda server which contains a single tape drive only (no changer).
Need I say that I always forget to change the tape and backups are filling the holding disk?
I've written a simple check, which reminds me to change the tape or warns that the holding disk is almost full.
This script is very simple and it assumes that there is only one slot.
Comments/improvements are welcome!
#!/bin/bash
# Nagios plugin to check amanda server by amcheck
# (c) ZsZs 2012

# put following lines to sudoers file:
# Defaults:icinga  !requiretty
# icinga ALL=(amandabackup) NOPASSWD: /usr/sbin/amcheck

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
scr=${0##*/}
# Default alarm levels (free holding disk space, GB)
warn=50
crit=25

usage() {
  cat <<EOF
  Usage: ${scr} [-w xx] [-c yy] -C amConf

  Check if the correct tape is inserted into the tape device and there is enough space on the holding disk
  Options:
    -C  Amanda config name
    -w  Holding disk warning threshold (GB)
    -c  Holding disk critical threshold (GB)
    -?  Show this help
EOF
exit $STATE_UNKNOWN
}

[ -z "$1" ] && usage
until [ -z "$1" ]  # Until all command line parameters are read
do
  case $1 in
    -w) warn=$2
      shift 2;;
    -c) crit=$2
      shift 2;;
    -C) conf=$2
      shift 2;;
     *) usage;;
  esac
done

[ -z "$conf" ] && usage
[ "$crit" -gt "$warn" ] && { echo "Critical threshold can not be greater than warning threshold!"; exit $STATE_UNKNOWN; }
tmpfile=$(mktemp)
# amcheck has to run as the amanda user, hence the sudoers lines above
sudo -u amandabackup /usr/sbin/amcheck "$conf" >"$tmpfile"
slot=$(grep '^slot' "$tmpfile")
holdtmp=$(grep '^Holding' "$tmpfile")
# "Holding disk /path: NN GB disk space available, ..."  ->  NN
holdtmp2=${holdtmp##*: }
holding=${holdtmp2%%GB*}
holding=${holding// /}
rm -f "$tmpfile" >/dev/null 2>&1

# If the amcheck output could not be parsed (e.g. the size is not reported
# in GB), say so instead of reporting OK or failing on the comparison below.
if ! [ "$holding" -ge 0 ] 2>/dev/null; then
  echo "UNKNOWN - cannot parse holding disk space from amcheck output: $holdtmp"
  exit $STATE_UNKNOWN
fi

if [[ "$slot" =~ 'is not' ]]; then
  echo "CRITICAL - $slot"
  exit $STATE_CRITICAL
elif [ "$holding" -lt "$crit" ]; then
  echo "CRITICAL - Holding disk space: $holding GB free"
  exit $STATE_CRITICAL
elif [ "$holding" -lt "$warn" ]; then
  echo "WARNING - Holding disk space: $holding GB free"
  exit $STATE_WARNING
elif [[ "$slot" =~ 'still active' ]]; then
  echo "WARNING - $slot"
  exit $STATE_WARNING
else
  echo "OK - $slot"
  exit $STATE_OK
fi

Saturday, July 7, 2012

Leap seconds on CentOS6/RHEL6 masterclock


Setting up leap second handling on CentOS6/RHEL6


1. Download the current leap-seconds file
# cd /etc/ntp
# wget ftp://tycho.usno.navy.mil/pub/ntp/leap-seconds.*
2. Make a symlink to the downloaded file
# ln -s leap-seconds.3535142400 ntpkey_leap
3. Generate host keys for ntpd
# ntp-keygen -H -p password
Using OpenSSL version 10000003
Generating RSA keys (512 bits)...
RSA 0 0 2       1 11 24 3 1 2
Generating new host file and link
ntpkey_host_ntptest->ntpkey_RSAkey_ntptest.3550552917
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_ntptest->ntpkey_RSA-MD5cert_ntptest.3550552917
4. Add the following lines to ntpd.conf:
# echo >>/etc/ntpd.conf
keysdir /etc/ntp
crypto pw password
5. Restart ntpd
# /etc/init.d/ntpd restart
6. Check results
# ntpq -c "rv 0 leap,tai,leapsec,expire,update"
assID=0 status=4944 leap_add_sec, sync_telephone, 4 events, event_peer/strat_chg, leap=01, update=201206302154, leapsec=201201100000, tai=34, expire=201207061434


# ntpq -c "rv 0" | egrep "(update|leapsec|expire)"
assID=0 status=4944 leap_add_sec, sync_telephone, 4 events, event_peer/strat_chg, leap=01, update=201206302154, leapsec=201201100000, tai=34, expire=201307061434
Note that this may be a bug: the two commands give two different values for expire.


After the leap second event the ntpq output looks like this. The main differences from the previous state: the status word changes from 4944 to 0944, leap_add_sec becomes leap_none, leap=01 becomes leap=00 and tai goes from 34 to 35.
assID=0 status=0944 leap_none, sync_telephone, 4 events, event_peer/strat_chg, leap=00, update=201206302154, leapsec=201201100000, tai=35, expire=201307061434

Kernel log reports leap second insertion as follows:
Jul  1 01:59:59 ntptest kernel: Clock: inserting leap second 23:59:60 UTC
Note that the leap second insertion is at UTC midnight.


Updating the leap-seconds file.

Last but not least: DO NOT FORGET to check regularly for a newly published leap seconds file!
Here is the latest announcement about leap second insertion.
If it refers to a newer leap second than your configured leap-seconds file, repeat steps 1-2 above.
ntpd does not need to be restarted, because it re-reads the ntpkey_leap file on a daily basis.
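To automate the "check regularly" advice, here is an added example (not part of the original post) that reads a leap-seconds file of the kind downloaded in step 1, converts its "#@" expiry from NTP time (seconds since 1900, the same scale as the 3535142400 in the file name) to Unix time, and reports whether the file has expired and which TAI-UTC offset it ends with; the sample file embedded below is constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post): check a leap-seconds file
# (leap-seconds.list format: "#$" last update, "#@" expiry, then
# "<NTP seconds> <TAI-UTC>" data lines) for expiry and current TAI offset.
# NTP timestamps count seconds from 1900-01-01, so they are shifted to the
# Unix epoch before comparing with $(date +%s).

NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 to 1970-01-01 UTC

ntp_to_unix() { echo $(( $1 - NTP_UNIX_OFFSET )); }

# leap_file_expiry FILE: Unix time of the "#@" expiry line, or fail.
leap_file_expiry() {
    ntp=$(awk '$1 == "#@" { print $2; exit }' "$1")
    [ -n "$ntp" ] || return 1
    ntp_to_unix "$ntp"
}

# leap_file_tai FILE: TAI-UTC offset on the last data line (the value
# in effect once that leap second has been inserted).
leap_file_tai() {
    awk '$1 !~ /^#/ && NF >= 2 { tai = $2 } END { if (tai == "") exit 1; print tai }' "$1"
}

# leap_file_status FILE NOW: prints "ok" (exit 0) or "expired" (exit 2);
# exit 1 if the file carries no expiry line.
leap_file_status() {
    exp=$(leap_file_expiry "$1") || return 1
    if [ "$2" -ge "$exp" ]; then echo expired; return 2; fi
    echo ok
}

# Constructed sample file: updated 2012-01-10, expires 2012-12-28,
# leap seconds at 2009-01-01 (TAI-UTC 34) and 2012-07-01 (35).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#$ 3535142400
#@ 3565641600
3439756800 34 # 1 Jan 2009
3550089600 35 # 1 Jul 2012
EOF

# Run by hand: check the sample, or a real file passed as $1
# (e.g. /etc/ntp/ntpkey_leap); "expired" means repeat steps 1-2 above.
verdict=$(leap_file_status "${1:-$SAMPLE}" "$(date +%s)") || true
echo "leap-seconds file ${1:-(sample)}: ${verdict:-unparseable}, TAI-UTC $(leap_file_tai "${1:-$SAMPLE}")"
```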