Saturday, May 24, 2008

Find and Replace Script

#!/bin/ksh
#
# Modify to your needs if different from *.txt
#

for THISFILE in *.txt; do
    # skip the literal "*.txt" that the glob leaves behind when nothing matches
    [ -f "$THISFILE" ] || continue
    # keep a backup of the original before rewriting it
    mv "$THISFILE" "$THISFILE.backup"
    # replace every occurrence of findstr with replacestr
    sed 's/findstr/replacestr/g' "$THISFILE.backup" > "$THISFILE"
done

Recover or Reset root password in Sun solaris (SPARC)

How many times have you encountered an expired root password and found yourself logged out?

There is always a small chance that one loses or forgets the root password of a Sun Solaris server. But in the enterprise world we normally set password aging, so the password expires before you know it. My team put up a cron job to monitor this, as Solaris tends to warn you by putting a message in /var/adm/messages.

If the root password still expires, too bad. You need to shut down your applications before performing the procedure below. This is the only way.

1) Go to the OBP and boot the server into single-user mode

OK boot cdrom -s
or
OK boot net -s


2) Mount the root file system (e.g. /dev/dsk/c0t0d0s0) to, say, /a

For step 1, use a Sun Solaris OS CD 1 or a JumpStart server in your environment. No password is needed here.

Note that /a is a temporary mount point that is available when you boot from CD or a JumpStart server.

3) Edit /a/etc/shadow. If you remember your password, edit the expiry age. Otherwise just blank out the encrypted password field.

Once done, umount and reboot.

# cd /
# umount /a
# sync
# sync
# init s

If you blanked out the password, press Enter at the prompt to enter a new password for root; otherwise let the server proceed to run level 3. Reboot again to verify. Once in multi-user mode, log in and test the root password.

We change the root password at run level S only to ensure that the root account, while it has no password, is not exposed to others. If the server is started in multi-user mode, there is a degree of security risk until the root password is set.

It should be said that servers should be kept out of reach of casual users so that your server is not so easily 'defeated', or worse, lost, as in the recent case in HK (May 2008).

----------------

One trick I tried: if somehow someone still has a root session on the server, use the login command. This should prompt you that the password has expired and force you to change it. Follow accordingly and you should be able to use the new root password now... :) Good luck!
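The cron monitoring mentioned above can be done from the shadow(4) record itself rather than waiting for the /var/adm/messages warning. This is an added example, not a script from the original post; the shadow file path, the warning threshold and the sample records are assumptions and the hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: a check a cron job can run
# to warn before password aging locks root out.
# A shadow(4) record looks like
#   name:password:lastchg:min:max:warn:inactive:expire:flag
# where lastchg is the day of the last change (days since 1970-01-01)
# and max is the maximum password age in days.

# days_until_expiry RECORD TODAY
#   prints days left before the password expires (negative means it
#   already has), or "never" when no maximum age is set.
days_until_expiry() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        lastchg = $3; max = $5
        if (lastchg == "" || max == "") { print "never"; exit }
        print (lastchg + max) - today
    }'
}

# root_aging_status SHADOW_FILE TODAY WARN_DAYS
#   prints "ok", "warning", "expired" or "never" for the root record and
#   returns 1 when the status is warning or expired (2 if root is absent).
root_aging_status() {
    rec=$(grep '^root:' "$1") || { echo "no root record"; return 2; }
    left=$(days_until_expiry "$rec" "$2")
    [ "$left" = never ] && { echo never; return 0; }
    if [ "$left" -lt 0 ]; then echo expired; return 1; fi
    if [ "$left" -le "$3" ]; then echo warning; return 1; fi
    echo ok
}

# Constructed sample shadow file (PLACEHOLDERHASH is not a real hash).
# root changed its password on day 14000 with a 90-day maximum age.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:PLACEHOLDERHASH:14000:7:90:14:::
daemon:NP:6445::::::
EOF

# With "today" = day 14080 root has 10 days left, inside the 14-day warning
# window, so this prints "warning" and the message below.
root_aging_status "$SAMPLE_SHADOW" 14080 14 || echo "root password needs attention"
```

In a real cron job replace the sample file with /etc/shadow and compute today as $(( $(date +%s) / 86400 )).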

Change IP Address without rebooting in Solaris 10

Wonderful Solaris 10, huh? Normally I would have to reboot the server whenever the host IP changed; now adding or editing the IP address on a Solaris 10 server no longer needs a reboot.

Before Solaris 10, you needed to edit the following files

/etc/hosts
/etc/nodename
/etc/hostname.[device]
/etc/defaultrouter
/etc/defaultdomain

and add or modify the entries for the IP address and the hostname.

Be sure to check your /etc/netmasks too if you have network changes.

Example:
192.168.1.1 myserver

In Solaris 10, we need to edit BOTH

/etc/hosts (a symlink to /etc/inet/hosts) AND
/etc/inet/ipnodes

adding an entry for the IP address and hostname, plus the files mentioned above.

Once done, do either of the following

1) svcadm restart network/physical <--- restart network service
2) reboot the server

From the man page, the ipnodes file is read before the system checks the hosts file. I hit this problem when I changed the hostname/IP of a Solaris 10 server and got network errors on my ALOM console.

Although /etc/inet/ipnodes is primarily for IPv6, without an entry in that file the IPv4 address does not become active in Solaris 10, at least on the release I'm using. This seems to be solved in Solaris 10 U4 (08/07 build).

If you need to add addresses, you must add IPv4 addresses to both the hosts and ipnodes files. You add only IPv6 addresses to the ipnodes file.
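A quick way to catch the mismatch described above before restarting the network service is to compare the IPv4 entries of the two files. This is an added example, not from the original post; the file paths are parameters and the sample host tables are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report IPv4 entries that are
# in /etc/hosts but missing from /etc/inet/ipnodes, the mismatch that left
# the new address inactive. Paths are parameters so the check can run
# against copies; on the box itself pass /etc/inet/hosts and /etc/inet/ipnodes.

# ipv4_entries FILE
#   prints "address hostname" for every IPv4 line, skipping comments and
#   blank lines and keeping only the first (canonical) hostname.
ipv4_entries() {
    awk '!/^[ \t]*#/ && NF >= 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2 }' "$1"
}

# missing_from_ipnodes HOSTS IPNODES
#   prints the "address hostname" pairs present in HOSTS but not in IPNODES,
#   one per line; returns 1 when anything is missing, 0 when in sync.
missing_from_ipnodes() {
    missing=$(ipv4_entries "$1" | while read -r addr name; do
        ipv4_entries "$2" | grep -qxF "$addr $name" || echo "$addr $name"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample files: myserver was added to hosts but not to ipnodes.
SAMPLE_HOSTS=$(mktemp); SAMPLE_IPNODES=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# Internet host table
::1           localhost
127.0.0.1     localhost
192.168.1.1   myserver    myserver.example.com loghost
192.168.1.20  fileserver
EOF
cat > "$SAMPLE_IPNODES" <<'EOF'
::1           localhost
127.0.0.1     localhost
192.168.1.20  fileserver
EOF

# Prints "192.168.1.1 myserver" followed by the reminder.
missing_from_ipnodes "$SAMPLE_HOSTS" "$SAMPLE_IPNODES" \
    || echo "add the lines above to /etc/inet/ipnodes, then: svcadm restart network/physical"
```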

IPMP Configuration (Probe based)

Let's set it up using 2 physical interfaces with 2 virtual IPs.

Physical interfaces: ce0, ce3
Logical interfaces: ce0:1, ce0:2

Let's put the IPs into /etc/hosts.

172.20.1.10 mynic-ce0
172.20.1.11 mynic-ce3

172.20.1.12 application1-service
172.20.1.13 application2-service

Verify that local-mac-address? is set to true.
# eeprom local-mac-address?
local-mac-address?=true

Impt! Setting local-mac-address? to true will not take effect until the next reboot.

If this host will not be forwarding packets, set the following.
# touch /etc/notrouter

Manually plumb the interfaces (skip this if you have plumbed them already)

# ifconfig ce0 plumb mynic-ce0 netmask + broadcast + -failover deprecated up
# ifconfig ce3 plumb mynic-ce3 netmask + broadcast + -failover deprecated up
# ifconfig ce0 addif application1-service netmask + broadcast + failover up
# ifconfig ce3 addif application2-service netmask + broadcast + failover up

Check using /usr/sbin/ifconfig -a.

Let's make the configuration persistent across reboots.

--- /etc/hostname.ce0 ---
mynic-ce0 netmask + broadcast + group production deprecated -failover up \
addif application1-service netmask + broadcast + failover up \
addif application2-service netmask + broadcast + failover up
--- EOF ---

--- /etc/hostname.ce3 ---
mynic-ce3 netmask + broadcast + group production deprecated -failover up
--- EOF ---

Now let's test the failover by pulling the ce0 cable. Watch /var/adm/messages for the errors.

You can now get the applications and users to use the IPs application1-service and application2-service.

Impt!! Network traffic on application1-service can be incoming and outgoing, BUT network traffic on application2-service can only be incoming. I have tried to play around with the deprecated flag but only managed to get network traffic going out from application1-service. Well, if you have any advice on this, do let me know!! :)
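Before rebooting on a persistent /etc/hostname.<if> file like the ones above, it helps to confirm which address the flags make the probe (test) address and which are the data addresses that move on failover. This is an added example, not from the original post; the interface name and file path are parameters, the sample file is a constructed copy of /etc/hostname.ce0 above, and the warning for an address with only one of deprecated/-failover is an added sanity rule.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an IPMP
# /etc/hostname.<if> file. "deprecated -failover" marks the probe (test)
# address; an address without either flag is a data address that fails over.

# ipmp_summary IFNAME FILE
#   prints: IFNAME group=<name> test=<addr> data=<addr,...>
#   preceded by a WARNING line for any inconsistent address.
ipmp_summary() {
    # join backslash-continued lines, then walk the ifconfig-style tokens
    sed 's/\\$//' "$2" | tr '\n' ' ' | awk -v ifname="$1" '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if (i == 1 || $i == "addif") {
                if ($i == "addif") i++          # next token is the address
                n++; addr[n] = $i; dep[n] = 0; nofail[n] = 0
            } else if ($i == "group")      { grp = $(++i) }
            else if ($i == "deprecated")   { dep[n] = 1 }
            else if ($i == "-failover")    { nofail[n] = 1 }
        }
        test = ""; data = ""
        for (k = 1; k <= n; k++) {
            if (dep[k] && nofail[k]) {
                test = (test == "" ? addr[k] : test "," addr[k])
            } else if (!dep[k] && !nofail[k]) {
                data = (data == "" ? addr[k] : data "," addr[k])
            } else {
                print "WARNING: " addr[k] " has only one of deprecated/-failover"
            }
        }
        if (test == "") print "WARNING: no test address; probe-based detection needs one"
        print ifname " group=" grp " test=" test " data=" data
    }'
}

# Constructed copy of the /etc/hostname.ce0 shown in the post.
SAMPLE_CE0=$(mktemp)
cat > "$SAMPLE_CE0" <<'EOF'
mynic-ce0 netmask + broadcast + group production deprecated -failover up \
addif application1-service netmask + broadcast + failover up \
addif application2-service netmask + broadcast + failover up
EOF

# Prints: ce0 group=production test=mynic-ce0 data=application1-service,application2-service
ipmp_summary ce0 "$SAMPLE_CE0"
```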

Enable/Disable IP Forwarding in Solaris 10 without reboot

In Solaris 10, there is an IP forwarding feature.

This is the process of forwarding/routing packets between network interfaces on one system: a packet for a host on a different network arrives on one network interface and is forwarded out through the appropriate network interface.

We can enable or disable it using the following commands:

1) routeadm
2) ifconfig

I read on other websites that in Solaris 9 the ndd command is used.

The advantage in Solaris 10 is that the change is dynamic (real-time) and persistent across reboots, unlike with the ndd command.

Example: Enable/Disable IP Forwarding Globally

# routeadm -e ipv[4|6]-forwarding
# routeadm -d ipv[4|6]-forwarding

Use either 4 or 6 for the [4|6] option.
The -e switch enables IP forwarding.
The -d switch disables IP forwarding.

Once done, use one of the steps below to let the new setting take effect.

1) reboot
2) routeadm -u
3) svcadm enable svc:/network/ipv[4|6]-forwarding

The -u option, as dug out of the man page:
Apply the currently configured options to the running system. These options might include enabling or disabling IP forwarding and launching or killing routing daemons, if any are specified. It does not alter the state of the system for those settings that have been set to default. This option is meant to be used by administrators who do not want to reboot to apply their changes. In addition, this option upgrades non-SMF configurations from the invocations of daemon stop commands, which might include a set of arguments, to a simple enabling of the appropriate service.

To revert to the default, do the following:

# routeadm -r ipv[4|6]-forwarding
# routeadm -u

Example: Enable/Disable IP Forwarding on a particular interface

If we want to work on the ce0 interface using the ifconfig command:

In IPv4
# ifconfig ce0 router <--- enable
# ifconfig ce0 -router <--- disable

In IPv6
# ifconfig ce0 inet6 router <--- enable
# ifconfig ce0 inet6 -router <--- disable

More References:
http://gibbs.acu.edu/2007/02/24/using-solaris-10-as-a-firewallrouter/