Monday 22 August 2011

Restarting the pool at the start of the season: restart procedure

 

I - Restarting the pool at the start of the season: restart procedure

1 - Cleaning the pool

- Remove the winter cover, taking care to clean it well before storing it; let it dry before folding it.
- Remove the winterizing accessories left in the pool: gizmo bottles, plugs, etc.
- Put the return nozzles back in place, along with the baskets in the skimmers and the pre-filter of the filtration pump.
- Clean the bottom of the pool by passing the vacuum head slowly; set the 6-way valve to waste (direct to drain) so as not to clog the filter. If possible, use only the vacuum inlet, closing the skimmers and the main drain. If the bottom of the pool cannot be seen and the water is too green, drain most of the water.
- Clean the waterline with a cleaning gel.
- Check that your installation works properly (filter, pump, electrical cabinet, etc.).

2 - Cleaning the filter

Put the drain plugs back on the pre-filter, the filter and the pump.
Clean and descale the pool filter with a filter cleaner, with filtration stopped.
If the filter cannot be opened, introduce the product upstream through the pre-filter. Perform a quick rinse to waste; a few seconds are enough to disperse the product in the filter.
Leave to act for 12 hours, then backwash (to waste) and rinse (to waste) until the colouring disappears from the sight glass.
Adjust the pool water level to 3/4 of the skimmers.

3 - pH analysis and stabilizer level check

Check the water pH with a pH tester or a test kit, and correct it to a balance between 7.0 and 7.4.
Check the stabilizer level with a test strip: the stabilizer level must not exceed 75 mg/l. Otherwise, plan a partial or total drain of the pool (if possible).
Over-stabilization of pool water
Using chlorine tablets loads your water with stabilizer over the years of treatment.
An excess of stabilizer cancels any effect of the water treatment. This stabilizer can only be removed by draining the pool water.
Check your stabilizer level with a water analysis photometer (150 ppm: drain half the pool; 100 ppm: drain a third) and use non-stabilized chlorine.

4 - Shock treatment

Carry out a shock treatment with shock chlorine, and leave your filtration running continuously for 48 hours.
Finally, wash the filter again and analyse the water to balance the pH between 7.0 and 7.4 and the chlorine level at 1.5 mg/l.

A flocculation every 15 days will make your water more crystal clear.

II - Routine maintenance of your pool

1 - 1 to 2 times a week:
Empty the skimmer basket(s); remove insects, dead leaves and other debris.
Clean the waterline with a sponge and a cleaning gel.
Pass the vacuum head connected to the suction inlet,
or use a pool robot.
Adjust the pool water level, keeping it at 3/4 of the skimmers. A water level that is too low will make the skimmer draw in air and deprime the filtration pump.

2 - Filtration
Empty the pump's pre-filter basket (motor stopped).
Check the pressure on the filter gauge and backwash the filter if necessary.
Abnormally high pressure on the filter gauge:
The filter is clogged - backwash the filter. If the problem persists, use a filter descaler.

3 - Water balance
Check the water pH regularly.

*The pH is too high:

Water alkalinity too high - add pH minus
Basicity too high - add pH minus

*The pH is too low:

Water alkalinity too low - use an alkalinity corrector
Acidity too high - check the pH frequently, add pH plus

III - Water problems: some solutions to help you solve them

1 - Milky or cloudy water:
The pH is incorrect - readjust it between 7 and 7.4 with a pH corrector (pH+ or pH-), check again with a pH tester, then carry out a shock treatment.

The chlorine level is insufficient - carry out a shock treatment and a flocculation with a flocculant that agglomerates particles that are too fine, perform 3 repeated backwashes, and run the filtration continuously for 24 hours.

Insufficient filtration - increase the filtration time (15 h/day for water at 28°C, 24 h/24 above 32°C).

2 - Green water:
Algae forming on the bottom and walls of the pool - carry out a shock chlorination, wash then rinse the filter, put a flocculant cartridge in the skimmer and use a concentrated anti-algae product.
Do not use flocculant if your filter has a cartridge.

3 - Limescale deposits:
Incorrect pH, too high - readjust the pH between 7.0 and 7.4.
High hardness (too much limescale) - add an anti-scale product.

4 - Brown, reddish or black water:
Presence of iron or manganese - readjust the pH between 7.0 and 7.4, carry out a shock chlorination and a liquid flocculation with filtration stopped for 12 hours, then vacuum the deposits and send them directly to waste ("waste" position on the valve).

5 - Translucent green water:
Presence of copper - use a metal sequestrant.

6 - Green but clear water:
pH too low under bromine treatment -
Correct the pH between 7 and 7.4.

7 - Chlorine smell, eye and skin irritation:
The chlorine level is insufficient and chloramines are forming - carry out a shock chlorination to raise the chlorine level, readjust the pH between 7.0 and 7.4.

8 - Difficulty maintaining the chlorine level, or incorrect pH:
Insufficient chlorination under heavy bather load - readjust between 7 and 7.4, carry out a shock treatment.

9 - In case of excessive pH variations:
The water does not have enough "buffer" effect. Add a product that increases the water's alkalinity.

IV - Washing


1 - Backwash procedure for a sand filter:

  1. Stop the pool pump
  2. Open the waste valve
  3. Set the 6-way valve to the "Backwash" position
  4. Run the pump for one minute
  5. Stop the pool pump
  6. Set the 6-way valve to the "Rinse" position
  7. Run the pump for one minute
  8. Stop the pool pump
  9. Close the waste valve
  10. Set the 6-way valve to the "Filter" position
  11. Start the pool pump

2 - Vacuuming the pool:

  1. With the vacuum head attached, hold the end of the floating hose against a return nozzle.
  2. Once the air has been expelled from the hose, keep the hose under water and connect it to the vacuum inlet, or to the skimmer using a skim-vac.
  3. Close the main drain and vacuum slowly.

 

IP Addressing

CIDR

Netmask              Netmask (binary)                 CIDR     Notes
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32  Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31  Unuseable
255.255.255.252  11111111.11111111.11111111.11111100  /30    2  useable
255.255.255.248  11111111.11111111.11111111.11111000  /29    6  useable
255.255.255.240  11111111.11111111.11111111.11110000  /28   14  useable
255.255.255.224  11111111.11111111.11111111.11100000  /27   30  useable
255.255.255.192  11111111.11111111.11111111.11000000  /26   62  useable
255.255.255.128  11111111.11111111.11111111.10000000  /25  126  useable
255.255.255.0    11111111.11111111.11111111.00000000  /24 "Class C" 254 useable
255.255.254.0    11111111.11111111.11111110.00000000  /23    2  Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22    4  Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21    8  Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20   16  Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19   32  Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18   64  Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17  128  Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16  "Class B"
255.254.0.0      11111111.11111110.00000000.00000000  /15    2  Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14    4  Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13    8  Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12   16  Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11   32  Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10   64  Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9   128  Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8   "Class A"
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0   IP space




                                   Net     Host    Total
Net      Addr                      Addr    Addr    Number
Class   Range      NetMask         Bits    Bits   of hosts
----------------------------------------------------------
A        0-127    255.0.0.0         8      24     16777216   (i.e. 114.0.0.0)
B      128-191    255.255.0.0      16      16        65536   (i.e. 150.0.0.0)
C      192-254    255.255.255.0    24       8          256   (i.e. 199.0.0.0)
D      224-239    (multicast)
E      240-255    (reserved)
F      208-215    255.255.255.240  28       4           16
G      216/8      ARIN - North America
G      217/8      RIPE NCC - Europe
G      218-219/8  APNIC
H      220-221    255.255.255.248  29       3            8   (reserved)
K      222-223    255.255.255.254  31       1            2   (reserved)
----------------------------------------------------------

The current list of special use prefixes:
        0.0.0.0/8
        127.0.0.0/8
        192.0.2.0/24
        10.0.0.0/8
        172.16.0.0/12
        192.168.0.0/16
        169.254.0.0/16
        all D/E space
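The arithmetic behind the CIDR table and a lookup against the special-use list above, as an added example that is not part of the original page. It is POSIX sh (runs in dash and bash); "all D/E space" is written as 224.0.0.0/3, and /31 follows the table's "unusable" convention.

```shell
# Added example, not part of the original page: netmask <-> prefix length,
# usable-host count, and a check against the page's special-use prefixes.

# ip_to_int 192.168.1.10 -> 3232235786
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235786 -> 192.168.1.10
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_prefix 255.255.255.240 -> 28
# Counts the leading one bits and rejects masks whose ones are not contiguous
# (255.0.255.0 is not a netmask even though each octet looks plausible).
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    if [ "$n" -lt 32 ] && [ $(( m & ((1 << (32 - n)) - 1) )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    echo "$n"
}

# prefix_to_mask 23 -> 255.255.254.0 (inverse of the table's first columns)
prefix_to_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# usable_hosts 28 -> 14, the table's "useable" column: network and broadcast
# addresses are excluded, /32 is one host, /31 is listed as unusable
# (RFC 3021 does allow /31 on point-to-point links; the table ignores that).
usable_hosts() {
    case $1 in
        32) echo 1 ;;
        31) echo 0 ;;
        *)  echo $(( (1 << (32 - $1)) - 2 )) ;;
    esac
}

# in_prefix ADDR NET/LEN -> exit 0 when ADDR lies inside NET/LEN
in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The page's special-use list; "all D/E space" is 224.0.0.0/3 (224-255).
SPECIAL_USE="0.0.0.0/8 127.0.0.0/8 192.0.2.0/24 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3"

# special_use ADDR -> the matching special-use prefix, or "public"
special_use() {
    for p in $SPECIAL_USE; do
        if in_prefix "$1" "$p"; then echo "$p"; return 0; fi
    done
    echo public
}
```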



UNIX SHELL: send a mail with an attachment


So, I found an old tip, and I wanted to write it down here.

To send a mail with an attachment, with the plain old mail command:

you need:

uuencode
gzip
mail


General Form:

uuencode <binary_file> <name_in_mail> | mail -s "Subject" <recipient>

Example:

gzip -c9 2308cc1fi02.dat            |\
    uuencode cc1fi02.dat.gz         |\
    mail -s "My Import File" samplemail@domain.com



bash bug with read

The "echo | read" bug

So, a frequently reported bug is this one:

$ echo hi | read a; echo $a

and the result is not "hi"; it is nothing!

So why ?

Whenever you see a pipe in a command line you should understand that a subprocess has implicitly been created. That subprocess must exist in order for there to be an unnamed pipe. Remember that the pipe is an "interprocess communication mechanism" (IPC). Therefore we have to have multiple processes between/among which to communicate.

In most shells (including Bourne, older Korn, bash, and pdksh) the subprocess is created to handle the commands on the right of the pipe operator. Thus our 'read' command (in the examples below) is happening in a subshell. Naturally that shell exits after completing its commands, and the variables it has set are lost. Naturally the subshell can only affect its own copies of any shell and environment variables.

With newer versions of ksh and zsh we find that the subshell is usually created on the left of the pipe.

This allows us to use commands like "echo foo bar  bang | read a b c ; echo $a $b $c" with the effect that most people would expect.

Note that the following will work under bash, pdksh, etc.: "echo foo bar  bang | ( read a b c ; echo $a $b $c )"

(We have to do everything with our variables within the subshell).

So, the solution is:

$ echo hi | ( read a; echo $a )
hi
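The lost-variable bug beside the post's subshell fix and the pipe-free forms that keep variables, as an added example that is not from the original post. It is POSIX sh; bash and dash run `read` on the right of a pipe in a subshell, as described above.

```shell
# Added example, not from the original post: why $a is empty after
# `echo hi | read a`, and the forms that do keep the variable.

# The bug: read runs in a subshell, so the caller's $a stays empty.
pipe_read_lost() {
    a=""
    echo hi | read a
    printf '%s' "$a"      # empty in bash/dash; only ksh/zsh print "hi"
}

# Fix 1 (the post's solution): do all the work inside the subshell.
pipe_read_grouped() {
    echo foo bar bang | { read a b c; printf '%s-%s-%s' "$a" "$b" "$c"; }
}

# Fix 2: no pipe at all. A here-document feeds read in the current shell,
# so the variables are still set after the read.
heredoc_read() {
    read a b c <<EOF
foo bar bang
EOF
    printf '%s-%s-%s' "$a" "$b" "$c"
}

# Fix 3: for a single value, command substitution is simpler than read.
capture_read() {
    a=$(echo hi)
    printf '%s' "$a"
}

# The same trap in loop form: every increment happens in the subshell.
count_lines_piped() {
    count=0
    printf 'first\nsecond\nthird\n' | while read -r line; do
        count=$((count + 1))
    done
    echo "$count"         # 0
}

# Loop without a pipe: the counter survives. (bash 4.2+ can instead use
# `shopt -s lastpipe` to run the last pipeline stage in the current shell.)
count_lines_heredoc() {
    count=0
    while read -r line; do
        [ -n "$line" ] && count=$((count + 1))
    done <<EOF
first
second
third
EOF
    echo "$count"         # 3
}
```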




Wednesday 10 August 2011

HPUX: Extending File Systems with the LVM

If you have installed the LVM Logical Volume Manager on the root disk drive of your HP-UX 10.X system, you can use it to dynamically extend the size of a given file system. Here are some step by step instructions. Please see the individual man pages on each command for more information.

Procedure for using LVM to extend an existing file system. You must be user root to perform these steps.

 

Part I - Checking for Free Space

1. Check the current volume group for the amount of free space in the volume group. Check the number of free physical extents (Free PE):

# /usr/sbin/vgdisplay /dev/vgxx

where xx is the appropriate number for your volume group. Use bdf to see a list of all your volume groups and logical volumes.

2. You may use any free PE's to extend a file system. If you have enough free PE's already available, skip down to Part IV.

If you do not have any free PE's, you will need to create some. You can create free PE's by reducing the number of PE's in an existing logical volume, or by removing a logical volume entirely.

Part II - Removing an Existing Logical Volume

1. First, you must first unmount the logical volume:

# /etc/umount /dev/vgxx/lvolx

where xx and x are the appropriate number for your volume group and logical volume.

2. If the logical volume won't unmount because the "device is busy", the first thing to do is make sure that no users are accessing that logical volume. For example, if you are currently in the /tmp directory, you can't unmount the /tmp logical volume. Change directories to another directory outside the logical volume.

Additionally, you can use the fuser command to get a list of process IDs currently using a specified logical volume:

# fuser /dev/vgxx/lvolx

This will return either a blank line, or a list of numbers followed by lower case letters. These numbers are process IDs.

Use /bin/ps -elf | grep pid to find what these processes are and kill them. Once you've killed the processes accessing the logical volume, run the /etc/umount command again.

3. There are some logical volumes for which the /etc/umount command will always fail. For example, the /usr volume can't be unmounted. In these cases, you will have to boot your system into single user mode. In single user mode, these volumes will automatically be unmounted for you. To get to single user mode, run the command

# shutdown

4. Now that you've unmounted the logical volume, you can remove it. Obviously, when you remove the logical volume, you lose the contents of that file system. To remove the volume use the command:

# /usr/sbin/lvremove /dev/vgxx/lvolx

You will be prompted to approve this action.

Note: If you are removing the /usr logical volume, you must use /sbin/lvremove rather than /usr/sbin/lvremove, because you just unmounted the /usr directory.

5. Now that you have created some free physical extents, use /usr/sbin/vgdisplay /dev/vgxx to verify that new free PE's exist. Once you've verified that enough free PE's exist, skip down to Part IV.

Part III - Reducing the Size of an Existing Logical Volume

1. If you want to reduce the size of a logical volume, the process is a bit more complicated. Reducing the size of the logical volume destroys the file system. So, you need to first make a back up of the contents of the file system on the logical volume. For example, if you are reducing the /tmp logical volume, you must back up the /tmp directory tree. You can make a tape back up of the files, or you can create a tar file on another disk drive. Either way, make sure your back up is successful because the process below will destroy all the files on the logical volume.

2. Once the file system has been backed up, unmount the logical volume. Please see Part II steps 1-3 for instructions on how to unmount the logical volume.

3. Now you can reduce the size of the logical volume. For example, to reduce the size of logical volume 3 to 50 PE's, use the following command:

# /usr/sbin/lvreduce -l 50 /dev/vg00/lvol3

Note: If you are reducing the /usr logical volume, you must use /sbin/lvreduce rather than /usr/sbin/lvreduce, because you just unmounted the /usr directory. Also note that the number specified on the command line is the final size of the logical volume, not the amount you want to reduce it by.

4. Now that you have reduced the size of the logical volume, you must create a new file system in the smaller volume. Use the command:

# /usr/sbin/newfs -F hfs /dev/vgxx/rlvolx

Note: If you are reducing the /usr file system, you must use /sbin/newfs rather than /usr/sbin/newfs, because you just unmounted the /usr directory.

5. Now, re-mount the logical volume:

# /etc/mount /dev/vgxx/lvolx

and restore the files from your back up tape or tar file. This will complete the reduction process and free up some physical extents in the volume group.

6. Now that you have created some free physical extents, use /usr/sbin/vgdisplay /dev/vgxx to verify that new free PE's exist. Once you've verified that enough free PE's exist, continue with Part IV.

 

Part IV - Extending the Logical Volume and File System

1. Now you will work with the logical volume that you want to extend. First, display the characteristics of the logical volume you are intending to extend. Use the command:

# /usr/sbin/lvdisplay /dev/vgxx/lvolx

2. Look for the keywords strict or contiguous. If you see strict, any space you add to the logical volume has to be on the same physical disk with the original space. Usually, this is not a problem. If you see contiguous, all space allocated for the logical volume (even what you want to add) has to be "together" on the physical disk. This restriction usually precludes extending the logical volume, because it is extremely unlikely that the free PE's are contiguous with this logical volume on the physical disk.

3. If the logical volume you want to extend is restricted to contiguous, you must change the configuration to non-contiguous using the command:

# /usr/sbin/lvchange -C n /dev/vgxx/lvolx


If the logical volume is labeled strict, skip this step.

4. Now unmount the logical volume. Please see Part II steps 1-3 for instructions on how to unmount the logical volume.

5. Once the logical volume is unmounted, you can assign the available PE's to the logical volume. For example, if currently the logical volume has 25 PE's allocated, and you have freed up 10 more PE's, you can extend the logical volume to a total of 35 PE's using the command:

# /usr/sbin/lvextend -l 35 /dev/vgxx/lvolx

Note: If you are extending the /usr logical volume, you must use /sbin/lvextend rather than /usr/sbin/lvextend, because you just unmounted the /usr directory. Also note that the number specified on the command line is the final size of the logical volume, not the amount you want to increase it by.

6. Now that you have allocated additional PE's for this logical volume, you must extend the file system on the logical volume so that you can take advantage of the extra space. Use the command:

# /usr/sbin/extendfs -F hfs /dev/vgxx/rlvolx

Note: If you are extending the /usr file system, you must use /sbin/extendfs rather than /usr/sbin/extendfs, because you just unmounted the /usr directory.

7. Finally, you can mount the extended file system using the command

# /etc/mount /dev/vgxx/lvolx /mount_point

where mount_point is the directory on which the logical volume is mounted. Or, you can simply reboot the system. Use the bdf command to verify that your changes have taken effect.

(c) Originally prepared by Peggy Bruehl
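A dry-run planner for Part IV, added here as an example that is not part of the original text: it reads "Free PE" and "PE Size" from vgdisplay output and "Allocated PE" and "Allocation" from lvdisplay output, then prints the lvextend command with the final extent count (the -l value is a total, not an increment) or explains why the extension cannot proceed. The two outputs below are constructed samples in HP-UX format and /dev/vg00/lvol5 is a hypothetical volume; nothing here touches a disk.

```shell
# Added example, not part of the original text: plan an lvextend from
# vgdisplay/lvdisplay output. Constructed samples follow; the real commands
# are `vgdisplay /dev/vgxx` and `lvdisplay /dev/vgxx/lvolx` as shown above.

SAMPLE_VGDISPLAY='--- Volume groups ---
VG Name                     /dev/vg00
VG Write Access             read/write
VG Status                   available
PE Size (Mbytes)            4
Total PE                    4340
Alloc PE                    3562
Free PE                     778'

SAMPLE_LVDISPLAY='--- Logical volumes ---
LV Name                     /dev/vg00/lvol5
VG Name                     /dev/vg00
LV Size (Mbytes)            100
Allocated PE                25
Allocation                  strict'

# field LABEL TEXT -> last column of the first line that starts with LABEL
field() {
    printf '%s\n' "$2" | awk -v key="$1" 'index($0, key) == 1 { print $NF; exit }'
}

# plan_extend ADD_PE VG_TEXT LV_TEXT -> "lvextend -l <final> <lv>"
# Fails when the VG lacks free PEs (Parts II/III) or the LV is contiguous
# (Part IV step 3), which are the two blockers the procedure describes.
plan_extend() {
    add=$1
    free=$(field "Free PE" "$2")
    lv=$(field "LV Name" "$3")
    cur=$(field "Allocated PE" "$3")
    alloc=$(field "Allocation" "$3")
    if [ "$add" -gt "$free" ]; then
        echo "error: $add PE requested but only $free free in the VG; free some first" >&2
        return 1
    fi
    case $alloc in
        *contiguous*)
            echo "error: $lv is contiguous; first run: lvchange -C n $lv" >&2
            return 1 ;;
    esac
    final=$((cur + add))     # -l takes the new total, e.g. 25 + 10 = 35
    echo "lvextend -l $final $lv"
}

# extended_size_mb ADD_PE VG_TEXT LV_TEXT -> file system size after extendfs
extended_size_mb() {
    echo $(( ( $(field "Allocated PE" "$3") + $1 ) * $(field "PE Size" "$2") ))
}

# Sequence for the real volume, once plan_extend succeeds: umount the LV,
# run the printed lvextend, then `extendfs -F hfs` on the raw device and mount.
```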

Getting X11 forwarding through ssh working after running su


The problem is as follows:
We want to export a display from a remote Unix box, but as a different user than the one we connected with.
Example:
I connect to a remote host as the user root, or as the user user1,
but I want to export the display of a program started as the user oracle.
If I just do:
ssh user1@remotehost
su - oracle
xlogo

I receive an error: display broken.
Let's look at the tip:
TIP:
X authentication is based on cookies: small secret pieces of random data that only you and the X server know.
So you need to let the other user in on what your cookie is. One way to do this is as follows:
Before you issue the su or sudo (but after having ssh'ed into the remote system), request the cookie for the current DISPLAY that is connecting to your X server:
Remote host:
I assume we connected with ssh and X11 forwarding, and that mmsdyy00 is my host with a screen/display:
$ xauth list
mmsdyy00/unix:13  MIT-MAGIC-COOKIE-1  c1825a6cb90d3c4f23368c6764c18989
mmsdyy00/unix:14  MIT-MAGIC-COOKIE-1  5f79f56e5fb5b801572fe0c07598a72b
mmsdyy00/unix:10  MIT-MAGIC-COOKIE-1  5a0510f245c81f1bb2741c6af0a13c8c
mmsdyy00/unix:11  MIT-MAGIC-COOKIE-1  146e0c800789cc7f0aceb75a5d6d9857
mmsdyy00/unix:12  MIT-MAGIC-COOKIE-1  59b4090b6ded3a79ad59523238925873


$ echo $DISPLAY # which display are we on?
localhost:12.0


$ su - oracle

$ export DISPLAY=localhost:12.0 # ==> set the variable

$ xlogo # ==> error
X connection to localhost:12.0 broken (explicit kill or server shutdown).

$ xauth add mmsdyy00/unix:12  MIT-MAGIC-COOKIE-1  59b4090b6ded3a79ad59523238925873

$ xlogo # ==> OK

Note: I picked from the list the dpyname that contains 12:
    ( DISPLAY=localhost:12.0 )
    (dpyname=mmsdyy00/unix:12)
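The selection step above done by script, as an added example that is not from the original post: it picks from `xauth list` the one entry whose display number matches $DISPLAY and prints the `xauth add` command for it. Since the cookie gives its holder full access to that display, only the matching entry is handed to the other user, not the whole list; the list below is constructed from the post's sample output.

```shell
# Added example, not from the original post: match the DISPLAY number to the
# right `xauth list` entry. SAMPLE_XAUTH_LIST is constructed from the post.

SAMPLE_XAUTH_LIST='mmsdyy00/unix:13  MIT-MAGIC-COOKIE-1  c1825a6cb90d3c4f23368c6764c18989
mmsdyy00/unix:14  MIT-MAGIC-COOKIE-1  5f79f56e5fb5b801572fe0c07598a72b
mmsdyy00/unix:10  MIT-MAGIC-COOKIE-1  5a0510f245c81f1bb2741c6af0a13c8c
mmsdyy00/unix:11  MIT-MAGIC-COOKIE-1  146e0c800789cc7f0aceb75a5d6d9857
mmsdyy00/unix:12  MIT-MAGIC-COOKIE-1  59b4090b6ded3a79ad59523238925873'

# display_number localhost:12.0 -> 12 (drops the host part and the screen part)
display_number() {
    d=${1#*:}
    echo "${d%%.*}"
}

# xauth_add_line DISPLAY LIST_TEXT -> "xauth add <dpyname> <protocol> <cookie>"
# Exit status 1 when no entry carries that display number.
xauth_add_line() {
    n=$(display_number "$1")
    printf '%s\n' "$2" | awk -v n="$n" '
        { split($1, p, ":")
          if (p[2] == n) { print "xauth add " $1 " " $2 " " $3; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# In a real session, before `su - oracle`:
#   xauth_add_line "$DISPLAY" "$(xauth list)"
# then run the printed line (and export DISPLAY) as the target user.
```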

JUNOS: HOWTO create an olive

What's an olive ?

"olive" is the codename given to a virtualized JUNOS router/switch/firewall operating system.

But right now, only the router version can be virtualized, in a VMware image, a QEMU image or a VirtualBox image.

Then you have the choice between the M/T-series JUNOS version (i.e. without the flow module) or a J-series JUNOS version, with the flow module. The flow module can track sessions, so you can have a stateful firewall.


The easiest way to create an olive.


I tried different methods; the last one described is my preferred.

Some people first install a FreeBSD 4.4 base system, then install JUNOS version 7, then version 8, and then version 9. For me this is neither the cleanest nor the easiest way to do it.

I prefer to download the install media image package, which is a raw image of the CompactFlash card, and copy it onto a virtual disk with the dd tool.

The goal is to extract/copy the content of the disk image to a virtual disk; I'll use a FreeBSD LiveCD named Frenzy.
So you have to access some files from your virtual image: first the disk image, second a copy of the new fstab.mr. Here you have many choices:

  • using a USB stick,
  • using a pre-formatted virtual disk with FAT,
  • using network transfer with ssh/scp,
  • using network transfer with ftp,
  • .....

Personally I prefer using a pre-formatted vdisk with FAT, so I can map the disk on the Windows host and copy whatever file I need, and do so remotely.

HINT: with VMware Workstation, you can't attach a USB stick to the guest when accessing the host remotely (i.e. with RDP).

Preparing the Virtual Images

For the JUNOS:

  • Memory: 512 MB
  • Processors: 1
  • HardDisk 1: Type=IDE, Size=1 GB, Option=Independent,Persistent
  • HardDisk 2: Type=IDE, Size=1 GB, Option=Independent,Persistent
  • Network Adapter 1: Bridged (as you want)
  • Network Adapter 2: Bridged (as you want)
  • Network Adapter 3: Bridged (as you want)
  • Network Adapter 4: Bridged (as you want)
  • USB Controller: Present
  • Display: Auto Detect


For the Frenzy:

  • Memory: 256 MB
  • Processors: 1
  • HardDisk 1: Type=IDE, Size=20 GB, Option=Independent,Persistent, formatted FAT with a WinXP VM
  • HardDisk 2: Type=IDE, existing, HDD 1 from JUNOS VM
  • HardDisk 3: Type=IDE, existing, HDD 1 from JUNOS VM
  • CD/DVD: Type=IDE, using file: link to the frenzy.iso
  • Network Adapter 1: Bridged (as you want)
  • USB Controller: Present (or not)
  • Display: Auto Detect


For the VDISK:
Using a Windows VM: don't forget to first create the disk (IDE, 20 GB), boot Windows, create a primary partition with the disk manager and format it with FAT. Then stop the Windows VM.

Preparing the Files:

Map the VDISK:

Using VMware Workstation, map the vdisk with:

File>Map or Disconnect Virtual Disk

Don't forget to map it with read/write rights!


Install Media:

You need to download the disk image from the Juniper.net website.
As a reminder, those files are named like this:

junos-jsr-9.3R4.4-export-cf1024  # JUNOS for JSERIES with flow support, 1Go CardFlash image

junos-jseries-9.3R4.4-export-cf1024 # JUNOS for JSERIES without flow support, 256Mo CardFlash image


Select the one you need, and copy it to the vdisk.


fstab.mr file:

You need to modify the fstab file; it should be something like:

# Device Mountpoint FStype Options Dump Pass#
/dev/md0 / cd9660 ro 0 0
proc /proc procfs rw 0 0
/dev/ad1s1d /config ufs rw 2 2
/dev/ad1s1b none swap sw 0 0


Copy the files, junos and fstab, to the FAT partition. Then unmount the partition from Windows.

Preparing the Disks:

For the rest of the preparation steps, we work in the Frenzy VM, with Frenzy booted.

First DISK

This one is easy; you just have to dd the junos file:

First, mount / as read/write:

mount -o rw /

Normally the FAT partition should be mounted automatically; if not:
mkdir /mnt/ad0s1.fat
mount -t msdosfs /dev/ad0s1 /mnt/ad0s1.fat

Copy the content of the disk image to the virtual disk:
dd if=/mnt/ad0s1.fat/junos-jseries-9.3R4.4-export-cf1024 of=/dev/ad1

When it is done, you can copy the fstab:
mount -t ufs /dev/ad0s1a /mnt/tmp
cp /mnt/ad0s1.fat/fstab.mr /mnt/tmp/cf/etc/

Then create a /config dir:

mkdir /config

Now launch sysinstall,

go to Configure > Disk, then choose the ad2 disk,

then create a partition of 1000M:

press C then enter 1000M,
the partition type will be 165,
type W,
you can install a standard MBR, click OK,
type Q to quit.

Then in sysinstall go to Label, and add 2 labels:

one of 500M for the filesystem,
another one for swap.

Quit; that should be sufficient.

NETWORK interface: E1000

Be sure to use a network interface of type E1000. For this, edit the .vmx file of your virtual machine.

Below the line
ethernet0.present = "True"

add
ethernet0.virtualDev = "e1000"


Do the same for the other interfaces.
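The .vmx edit above applied to every adapter at once, as an added example that is not from the original post: it inserts the virtualDev line after each "ethernetN.present" line and replaces any other virtualDev value. The .vmx text below is constructed (the "vlance" entry stands in for a non-E1000 adapter); run it only with the VM powered off.

```shell
# Added example, not from the original post: force every ethernetN adapter
# in a .vmx file to virtualDev "e1000". SAMPLE_VMX is constructed input.

SAMPLE_VMX='config.version = "8"
ethernet0.present = "True"
ethernet0.connectionType = "bridged"
ethernet1.present = "True"
ethernet1.virtualDev = "e1000"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "vlance"'

# add_e1000 VMX_TEXT -> patched .vmx text on stdout
add_e1000() {
    printf '%s\n' "$1" | awk '
        # pass 1: buffer the file and note adapters that already have a virtualDev line
        { line[NR] = $0
          if ($0 ~ /^ethernet[0-9]+\.virtualDev[ \t]*=/) { split($0, a, "."); has[a[1]] = 1 } }
        # pass 2: rewrite existing virtualDev lines, insert missing ones after .present
        END {
            for (i = 1; i <= NR; i++) {
                cur = line[i]
                if (cur ~ /^ethernet[0-9]+\.virtualDev[ \t]*=/) {
                    split(cur, a, "."); cur = a[1] ".virtualDev = \"e1000\""
                }
                print cur
                if (cur ~ /^ethernet[0-9]+\.present[ \t]*=[ \t]*"[Tt][Rr][Uu][Ee]"/) {
                    split(cur, a, "."); nic = a[1]
                    if (!(nic in has)) print nic ".virtualDev = \"e1000\""
                }
            }
        }'
}

# patch_vmx_file FILE -> rewrite FILE in place, keeping a copy in FILE.bak
patch_vmx_file() {
    cp "$1" "$1.bak" && add_e1000 "$(cat "$1.bak")" > "$1"
}
```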



Reminder: All the Steps

  1. Have the frenzy livecd
  2. Have a junos system media file
  3. Create the virtual machine
  4. Add a hard-drive of 1 GB
  5. Add another hard-drive of 1 GB
  6. boot on the frenzy livecd
  7. copy the content of system media file to the hard-drive, via dd
  8. mount the first slice of this HDD and copy the fstab.mr file to /mnt/tmp/cf/etc
  9. mount / with read-write option
  10. create the /config dir
  11. launch sysinstall
  12. create a partition with type 165, with Fdisk
  13. create a standard boot manager
  14. create a slice of 100M with label, type is FS, mountpoint is /config
  15. create a slice for the swap
  16. halt the virtual machine
  17. add network interface to the virtual machine
  18. verify that the type is e1000
  19. Boot the vm.


Tune frenzy

At the boot loader you can set your language:

lang=fr

Once booted, you sometimes need to modify the disks after mounting/unmounting them, so you need to tune the system:

sysctl kern.geom.debugflags=16


TODO

This post is a draft; I need to reread it to find mistakes, but if you understand what you are doing, you should have a working olive:

philippe@jseries1> show version
Hostname: jseries1
Model: olive
JUNOS Software Release [9.3R4.4] (Export edition)





Authentication with PublicKeys

This document explains the steps needed to set up public key authentication.

The benefits are several:

- Avoids spreading root passwords,
- Avoids using a password that is too simple, often chosen so as not to
  forget it, and because there are many connections in a day,
- Adds granularity to the security setup,
- Makes daily work easier, with faster connections.


I - Client side

1.1 Creating the client private/public key pairs.

The keys are created with the `ssh-keygen' command; you will be asked for a file
name, accept the default, then for a passphrase (the password). Make sure to
choose a fairly long one; a sentence would be ideal.

    $ ssh-keygen -t rsa1 # SSH1
    $ ssh-keygen -t rsa  # SSH2
    $ ssh-keygen -t dsa  # SSH2

1.2. The ssh agent

Now, to avoid typing our passphrase at every connection, we use the
`ssh-agent' command. Thanks to it, we only have to type our passphrase
once at the start of the day:

    $ eval $(ssh-agent)
    Agent pid 2592


Then we need to add our keys.
Note: if you chose the same passphrase for all three keys, it will only be
asked once:

    $ ssh-add
    Enter passphrase for /home/YE01389/.ssh/id_rsa:
    Identity added: /home/YE01389/.ssh/id_rsa (/home/YE01389/.ssh/id_rsa)
    Identity added: /home/YE01389/.ssh/id_dsa (/home/YE01389/.ssh/id_dsa)
    Identity added: /home/YE01389/.ssh/identity (YE01389@CTIRE333)


We can check that they have been taken into account:

    $ ssh-add -l
    2048 9a:08:b9:b8:e6:25:bd:6c:4e:8c:25:13:2e:36:62:97 YE01389@CTIRE333 (RSA1)
    2048 5b:7f:cd:96:2c:f4:41:66:1a:83:4b:ff:ad:89:85:42 /home/YE01389/.ssh/id_rsa (RSA)
    2048 9a:e0:e3:af:b8:65:a1:c6:06:2c:80:8e:8a:1a:c9:30 /home/YE01389/.ssh/id_dsa (DSA)


The client side is OK.

II - Server side

Let's skip the installation of the ssh server and focus on what is specific
to accepting public key authentication.


2.1 Server configuration:

The following options must be present in the config file:

/opt/ssh/etc/sshd_config:

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile    .ssh/authorized_keys

    StrictModes no # If the permissions on $HOME are not 0700


Then, to reload the config:

$ kill -1 $(cat /var/run/sshd.pid)

2.2 Adding the keys.

For the connection to be possible, we need to add the public key(s) to the
authorization file:

After copying the public key (DSA) to the server:
   
    $ cat id_dsa.pub >>$HOME/.ssh/authorized_keys
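A permission check added here as an example that is not part of the original text: sshd's StrictModes rejects a home directory, .ssh directory or authorized_keys that is group- or world-writable or not owned by the user or root, so verifying and tightening those permissions lets the server keep `StrictModes yes` instead of the `StrictModes no` workaround above. The demo builds a constructed temporary home tree and never touches the real $HOME.

```shell
# Added example, not part of the original text: check and fix the
# permissions StrictModes looks at. POSIX sh; parses `ls -ld` for portability.

# check_ssh_perms HOME -> prints one line per problem, exit 0 when clean
check_ssh_perms() {
    home=$1; problems=0; me=$(id -un)
    for spec in "$home|go-w" "$home/.ssh|go-rwx" "$home/.ssh/authorized_keys|go-rwx"; do
        path=${spec%|*}; want=${spec#*|}
        if [ ! -e "$path" ]; then
            echo "missing: $path"; problems=$((problems + 1)); continue
        fi
        set -- $(ls -ld "$path")          # $1 = mode string, $3 = owner
        mode=$(printf '%s' "$1" | cut -c1-10); owner=$3
        if [ "$owner" != "$me" ] && [ "$owner" != root ]; then
            echo "owner is $owner, not $me or root: $path"; problems=$((problems + 1))
        fi
        grp_oth=$(printf '%s' "$mode" | cut -c5-10)   # group and other bits
        case $want in
            go-w)   # what sshd requires of every directory on the path
                case $grp_oth in
                    *w*) echo "group/world writable: $path"; problems=$((problems + 1)) ;;
                esac ;;
            go-rwx) # stricter: .ssh and authorized_keys private to the user
                if [ "$grp_oth" != "------" ]; then
                    echo "readable or writable by others: $path"; problems=$((problems + 1))
                fi ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# fix_ssh_perms HOME -> the usual 700 / 600 settings, home closed to writers
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# demo -> "<problems before fix> <exit status after fix>", i.e. "3 0"
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/.ssh"; : > "$tmp/.ssh/authorized_keys"
    chmod 757 "$tmp"; chmod 755 "$tmp/.ssh"; chmod 644 "$tmp/.ssh/authorized_keys"
    before=$(check_ssh_perms "$tmp" | wc -l | tr -d ' ')
    fix_ssh_perms "$tmp"
    if check_ssh_perms "$tmp" >/dev/null; then after=0; else after=1; fi
    rm -rf "$tmp"
    echo "$before $after"
}
```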

III - Connection test

    $ ssh unix@support
    MMSQYY00 [HP Release B.11.00]
    Last   successful login for unix: Tue Sep 20 15:12:54 MET-1METDST 2005 on pts/43
    Last unsuccessful login for unix: Tue Sep 20 09:58:07 MET-1METDST 2005 on pts/tp
    Last login: Mon Aug 29 20:19:36 2005 from VPNRE1NT.arpege
    You have mail.
   
In the logs:

    Sep 20 15:17:32 mmsqyy00 sshd[24103]: Accepted publickey for unix from 126.52.3.102 port 3546 ssh2



Thursday 14 April 2011

SSH: creating a tunnel via the config file

Little trick:

Setting up a tunnel via ssh:

In $HOME/.ssh/config:

--cut--------8<------------------------
Host smtp-forwarding
    Hostname mmseyy00
    User unix
    LocalForward 25 localhost:25
    SendEnv *
--cut--------8<------------------------

Opening the tunnel for 60 seconds:

$ ssh -fn smtp-forwarding sleep 60

Explanation:
    -f : fork to background
    -n : redirect stdin to /dev/null
    smtp-forwarding : the Host alias to use
    sleep 60  : command that keeps the tunnel open

 

Tuesday 29 March 2011

Juniper: How to reset to factory default a SRX

SRX: different way to reset to factory-default

so, you may know the standard way, the teached way, i mean pushing during 15 secondes the reset micro-button. This method work fine on J-series, but not on somes SRX, not on MX series...

So, I will write down some of the methods I used to reset Juniper devices to factory default.

Factory Default, really ?

First, we need to define what exactly a factory-default reset is. Is it just putting the configuration back to its initial state? Just that? And what do you do with all the log files? The debug files? The saved configurations?

Leaving everything inside the box is a security breach, so putting a device back to the factory-default state is not just about the configuration, it is about everything, even the SSH host key: we want to generate a new one, because the old one is no longer trusted.

Let's start.

Lost the root password.
The common process is to boot in single-user mode:

At boot, after U-Boot, when the bootstrap is loaded, you can hit the spacebar:
 

Hit [Enter] to boot immediately, or space bar for command prompt.
 
So you should see:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.5
(builder@ormonth.juniper.net, Fri Oct  9 10:55:15 UTC 2009)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0x97d8ac+0xd70d0 syms=[0x4+0x79c50+0x4+0xadd2e]
 

Hit [Enter] to boot immediately, or space bar for command prompt.


Loader>
Loader> watchdog disable
Loader> boot -s
root@host% cli
root@host> edit
root@host# set system root-authentication plain-text-password
New password: juniper1
Retype new password: juniper1
root@host# commit
commit complete
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

Root password on SRX platforms
On SRX Branch platforms running JUNOS 10.0R1 or later, there is a condition in which the password recovery process does not work. After issuing the recovery command, the system never reaches the point where the root password can be changed; it reboots instead. So a specific procedure is needed to recover the root password on SRX Branch devices running Junos 10.0R1 or later. This involves disabling the watchdog so that the system can properly boot into single-user mode.

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog disable
Loader> boot -s

Change the root password, reboot, and don't forget to re-enable the watchdog and boot in normal mode:

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog enable
Loader> boot

Damn, HA is enabled

If you're lucky, your device is in master mode, so you can just disable HA:

{primary:node1}
root@titi> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now

But if you're not lucky, your device is in hold state, and when you try to reset the root password in single-user mode, you can't:

Starting CLI ...
{hold:node1}
root> edit
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

{hold:node1}
root>

OK, so deleting all the interfaces in the configuration seems to allow me to finally commit.

Then reboot and disable the cluster:

root@>set chassis cluster disable

TRUE factory default

So, to delete all the logs, the dumps, the rollbacks and the root password in the factory-default config, and even to reset the host SSH key, you need to zeroize the device:

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

....
....

Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

secdb initialized

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

dfacache initialized

Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 58564 free (44 frags, 7315 blocks, 0.0% fragmentation)
Tue Mar 29 14:41:31 UTC 2011

Amnesiac (ttyu0)

login: root

--- JUNOS 10.2R3.10 built 2010-10-16 20:36:59 UTC

root@%



EX series TIPS
LINECARD
Sometimes your switch can be in the linecard state, which means that no routing engine is running on it. So you first need to enable one.
Example of the linecard prompt:
root@:LC:0% cli
{linecard:0}
root>
To enable RE mode:

root> request virtual-chassis reactivate

This member split from a virtual chassis. Please make sure that no active
switch belonging to this virtual chassis has conflicting configuration.

Do you want to continue ? [yes,no] (no) yes

{linecard:0}
root>
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

root@:RE:0%      

So now you can configure the switch.

 

MEMBER-ID is not 0
So, if your switch was a member of a virtual chassis and its member-id was from 1 to 9, you can't leave it as is, because all your interface configuration that belongs to ge-0/0/0-47 won't be enabled...
So you need to renumber your device:

{master:1}
root> request virtual-chassis renumber new-member-id 0 member-id 1

Note: replace 1 with your actual member-id.

The prompt changed:

{master:0}
root>

That's all for the moment.

Tuesday 8 March 2011

lvextend

How to quickly extend an LVM logical volume

First, verify you have enough space available.

# pvs
  PV                VG       Fmt  Attr PSize   PFree
  /dev/block/104:17 lebowski lvm2 a-   273,45g 142,77g
  /dev/block/104:5  lebowski lvm2 a-   135,42g      0

So, here we have about 142 GB free.

Next, extend the logical volume; here I added 20 GB:

# lvextend -L+20G /dev/lebowski/home
  Extending logical volume home to 251,54 GiB
  Logical volume home successfully resized

Finally, resize the filesystem to fill the space now available in the logical volume:

# resize2fs /dev/lebowski/home
resize2fs 1.41.12 (17-May-2010)
Le système de fichiers de /dev/lebowski/home est monté sur /home ; le changement de taille doit être effectué en ligne
old desc_blocks = 15, new_desc_blocks = 16
En train d'effectuer un changement de taille en ligne de /dev/lebowski/home vers 65939456 (4k) blocs.
Le système de fichiers /dev/lebowski/home a maintenant une taille de 65939456 blocs.


Checking:

# df -h /home/
Sys. de fichiers    Taille  Uti. Disp. Uti% Monté sur
/dev/mapper/lebowski-home
                      248G  217G   19G  93% /home
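The "verify you have enough space" step above can be scripted: parse the pvs listing for the volume group and refuse an extension that does not fit. This is an added example, not part of the original post; the sample pvs output is constructed from the listing above, and in real use you would pipe `pvs` in instead.

```shell
# Added example (not from the original post): check that the requested
# lvextend size fits in the free physical extents of a volume group.
# The sample below is constructed from the post's own "pvs" output.
PVS_SAMPLE='  PV                VG       Fmt  Attr PSize   PFree
  /dev/block/104:17 lebowski lvm2 a-   273,45g 142,77g
  /dev/block/104:5  lebowski lvm2 a-   135,42g      0'

# Sum the PFree column (GiB) of every PV in the given VG, read from stdin.
# Accepts "," as decimal separator (the post's French locale) and strips the
# unit suffix; LC_ALL=C keeps awk's own output in dotted form.
# Usage: pvs | vg_free_gib lebowski
vg_free_gib() {
    LC_ALL=C awk -v vg="$1" '
        $2 == vg {
            f = $6
            gsub(/,/, ".", f)        # 142,77g -> 142.77g
            sub(/[gG]$/, "", f)      # 142.77g -> 142.77
            total += f
        }
        END { printf "%.2f\n", total }'
}

# Return 0 when <need> GiB can be added with <free> GiB available, else 1.
# Usage: lv_extend_fits "$free" 20
lv_extend_fits() {
    LC_ALL=C awk -v free="$1" -v need="$2" 'BEGIN { exit !(need <= free) }'
}

# Run against the constructed sample: the 20 GiB of the post fits.
free=$(printf '%s\n' "$PVS_SAMPLE" | vg_free_gib lebowski)
if lv_extend_fits "$free" 20; then
    echo "ok: $free GiB free in lebowski, lvextend -L+20G can proceed"
else
    echo "refused: only $free GiB free in lebowski"
fi
```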