Set IP to the IPMI/KVM server module with ipmitool

IPMI/KVM modules are a pretty useful add-on for every server. In fact, every server should have an IPMI module installed for fast management of the server in critical cases!
Here are the commands to set a static IP on the IPMI/KVM module with ipmitool from a console on the server:

ipmitool -I open lan set 1 ipsrc static
ipmitool -I open lan set 1 ipaddr [IPADDR]
ipmitool -I open lan set 1 netmask [NETMASK]
ipmitool -I open lan set 1 defgw ipaddr [GW IPADDR]
ipmitool -I open lan set 1 access on
  • [IPADDR] – the IP address of the IPMI/KVM
  • [NETMASK] – the netmask of the network
  • [GW IPADDR] – the gateway of the network

Here is a real-world example of properly setting the LAN settings of the IPMI module.

[root@srv0 ~]# ipmitool -I open lan set 1 ipsrc static
[root@srv0 ~]# ipmitool -I open lan set 1 ipaddr 192.168.6.45
Setting LAN IP Address to 192.168.6.45
[root@srv0 ~]# ipmitool -I open lan set 1 netmask 255.255.255.0
Setting LAN Subnet Mask to 255.255.255.0
[root@srv0 ~]# ipmitool -I open lan set 1 defgw ipaddr 192.168.6.1
Setting LAN Default Gateway IP to 192.168.6.1
[root@srv0 ~]# ipmitool -I open lan set 1 access on
Set Channel Access for channel 1 was successful.
[root@srv0 ~]#

To see the current settings use:

[root@srv0 ~]# ipmitool -I open lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD 
Auth Type Enable        : Callback : MD2 MD5 PASSWORD 
                        : User     : MD2 MD5 PASSWORD 
                        : Operator : MD2 MD5 PASSWORD 
                        : Admin    : MD2 MD5 PASSWORD 
                        : OEM      : MD2 MD5 PASSWORD 
IP Address Source       : Static Address
IP Address              : 192.168.6.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:18:8b:c9
SNMP Community String   : public
IP Header               : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Default Gateway IP      : 192.168.6.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
Bad Password Threshold  : Not Available
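
A check for the settings printed above, as an added example that is not part of the original article: it reads "ipmitool lan print" output and flags auth type NONE enabled for any privilege level, a default SNMP community string, and cipher suite 0 (the first character of "Cipher Suite Priv Max") left usable. The function names and warning texts are made up for this example; the sample input is abridged from the output above.

```sh
#!/bin/sh
# Added example: audit the text printed by "ipmitool lan print" for weak BMC settings.
# Live use (as root on the server): ipmitool -I open lan print 1 | audit_ipmi_lan

audit_ipmi_lan() {
    awk -F' *: *' '
        # A non-empty first field names a setting; continuation lines leave it empty.
        $1 != "" { setting = $1 }

        # "Auth Type Enable" has one line per privilege level: <level> : <auth types>
        setting == "Auth Type Enable" && $3 ~ /(^| )NONE( |$)/ {
            print "WARN auth type NONE enabled for " $2
        }

        # Well-known default community strings
        $1 == "SNMP Community String" && $2 ~ /^(public|private) *$/ {
            print "WARN default SNMP community: " $2
        }

        # One character per cipher suite, starting with suite 0, which has no
        # authentication, integrity or encryption. "X" means the suite is unused.
        $1 == "Cipher Suite Priv Max" {
            level = substr($2, 1, 1)
            if (level != "" && level != "X")
                print "WARN cipher suite 0 allowed, max privilege: " level
        }
    '
}

# Sample input: abridged copy of the "lan print" output shown above.
sample_lan_print() {
    cat <<'EOF'
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address              : 192.168.6.45
SNMP Community String   : public
RMCP+ Cipher Suites     : 1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
EOF
}

sample_lan_print | audit_ipmi_lan
```

On the output shown above it reports the public SNMP community and cipher suite 0 at ADMIN level; both can be changed with "ipmitool -I open lan set 1 snmp [COMMUNITY]" and "ipmitool -I open lan set 1 cipher_privs XaaaXXaaaXXaaXX".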

*Dependencies

Installation of ipmitool:

  • CentOS 7
    yum -y install ipmitool
    
  • Ubuntu 16+
    apt-get install ipmitool
    
  • Gentoo
    emerge -vu sys-apps/ipmitool
    

*Troubleshooting

If you receive errors when you execute ipmitool:

[root@srv0 ~]# ipmitool -I open lan set 1 ipaddr 192.168.6.45
Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory
[root@srv0 ~]# ipmitool -I open lan set 1 netmask 255.255.255.0
Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory
[root@srv0 ~]# ipmitool -I open lan set 1 defgw ipaddr 192.168.6.1
Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory

The kernel modules for the IPMI/KVM are not loaded by the system, so just execute:

[root@srv0 ~]# modprobe ipmi_si
[root@srv0 ~]# modprobe ipmi_devintf

Then you can use the ipmitool commands above to set the network configuration of the IPMI/KVM add-on module.

megacli – restart a rebuild with a disk in failed state

Sometimes we need to start a rebuild with a disk in failed state when using an LSI hardware controller, but if we just set the failed disk back to a good state, it will return to the array immediately and our filesystem will be broken for sure! In addition, it sometimes happens that when we replace a disk, the new disk is in failed state, too.

So here are simple and tested steps for properly resetting a failed disk to a good state and starting a rebuild. In the example below the disk in failed state is [32:1]; replace it with the proper [enclosure_id:slot_id] in your case.

  1. Change the “Failed State” to “Unconfigured(BAD)”
    megacli -pdmarkmissing -physdrv[32:1] -aAll
    
  2. Prepare for removal (this command could fail, not a critical one)
    megacli -pdprprmv -physdrv[32:1] -a0
    
  3. Make the state of the disk “Unconfigured(Good), Spun Up”
    megacli -PDMakeGood -PhysDrv[32:1] -a0
    
  4. Start rebuild (this command could fail) – if the command fails continue with the next step, if not, the rebuild is restarted successfully.
    megacli -PDRbld -Start -PhysDrv[32:1] -a0
    

    Or

    megacli -pdlocate -start -physdrv[32:1] -a0
    

    One of the two commands will probably start the rebuild, but if both fail, continue with the next step.

  5. Start rebuild: first clean the foreign configuration and then make the device a hot spare (only if the commands in step 4 failed)
    megacli -CfgForeign -Clear -aALL
    # set global hotspare
    megacli -PDHSP -Set -PhysDrv [32:1] -a0
    

* If you need to unset/remove a global hotspare:

megacli -PDHSP -Rmv -PhysDrv [32:1] -aN

How to enable linux bonding without ifenslave

ifenslave is no longer needed when configuring bonding under Linux. There are situations when we have no network link without bonding, because of a specific switch configuration, and we do not have the ifenslave package installed. We can configure bonding manually via sysfs.
Here are the steps to configure bond0 in adaptive load balancing mode with two network cards as slaves:

modprobe bonding
echo balance-alb > /sys/class/net/bond0/bonding/mode
echo +eth0 > /sys/class/net/bond0/bonding/slaves
echo +eth1 > /sys/class/net/bond0/bonding/slaves
ifconfig bond0 192.168.1.1 netmask 255.255.255.0 up

Adaptive load balancing does not require any special network setup. In contrast, the “802.3ad” mode can be used only if bonding is enabled for the interfaces of your server; otherwise there is no network link.

echo 802.3ad > /sys/class/net/bond0/bonding/mode

For more detailed explanation:

https://www.kernel.org/doc/Documentation/networking/bonding.txt

bash: find all files between a given time period

Here is the command to find all files between two given dates with the Linux find command:

find /home/ -newermt 20140901T0000 -not -newermt 20141001T0000 -type f

To use “find” with -newermt you must have find version above 4.3.3.
With an older version of the find utility, the same can be done using the modification times of two files.

  1. create two temporary files
  2. “touch” them with the right time
  3. execute find command with “-newer”
  4. delete the two temporary files

Here is the bash code:

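dt1=$(date -d '2014-09-01' +'%Y%m%d%H%M.%S')
dt2=$(date -d '2014-10-01' +'%Y%m%d%H%M.%S')
# the two reference files are created with mktemp, so they do not land in the searched directory
f1=$(mktemp); f2=$(mktemp)
touch -t "$dt1" "$f1"; touch -t "$dt2" "$f2"
# newer than the start date and not newer than the end date
find . -type f -newer "$f1" -not -newer "$f2"
rm -f "$f1" "$f2"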

Bring up network interface with an IP address using “ip” command

Lately many Linux distributions do not ship ifconfig by default; it is considered the old style of setting up the network when we need to do it manually.
The ip command is simple and self-explanatory, but there is a catch! Just adding the IP won’t bring up the network interface of your server. In fact, we need two commands to bring the network interface up with an IP and then a third command to add a default gateway.
So here are the steps and commands to bring up an interface and set an IP and a gateway:

STEP 1) Add the IP to the network interface with

ip addr add 192.168.0.100/24 dev eth0

Change the IP with your IP address.

STEP 2) Bring up the interface link

ip link set eth0 up

If you omit this step, a network interface that is down won’t come up and the next command (in step 3) will output an error! If your interface is already up and you are just adding an additional IP to it, you can skip this step (and probably the one below with the default gateway, but we do not describe this case here).

STEP 3) Add the default gateway

ip route add default via 192.168.0.1

* All three in one place, the right way of bringing up a network interface under Linux with the “ip” command:

ip addr add 192.168.0.100/24 dev eth0
ip link set eth0 up
ip route add default via 192.168.0.1

* Troubleshooting

As was said, just adding an IP to a network interface that is in down state is not enough to set the IP. You would not notice it, though, and when you try to add the default route you will see a not so informative error:

srv@local ~# ip addr add 192.168.0.100/24 dev eth0
srv@local ~# ip route add default via 192.168.0.1
ip: RTNETLINK answers: Network is unreachable

Network unreachable, but why? I just added an IP! It is not enough just to add the IP; the link must also be set up, like with ifconfig eth0 up.

Check a certificate and a private key for a match

Ever wondered how to verify that your private key matches a certificate or a CSR?


All three (server certificate, private key and CSR) contain a specific value, which must be the same in all three to be sure that the private key was used for the CSR and this CSR was used to issue the server certificate. The public exponent of the private key and the modulus must have the same value in all three.
If they differ, you can be sure this private key cannot be used in a pair with the server certificate you had in mind! Because the modulus value is a really big number like:

Modulus=C8A1E76902325B4449BE964A7F1E4D16F263245A4487E24CF373631211AA719FB17A65091A8ADF4AFD174CE95A069EDAF0F2E0DA8DA7A8F2D525695BB1F1AE6C825085C60053726BD9966277FAF73179D5F0285F45271D6C728D1A8A36EA846CE20EF7188397A859FE3F2A4933EA13E3643BACA8FA9569FFAAE907CC3E416B08368E2D9297E16CC14E7B6B98A0AA0703D865152C37F089ABD2CB7FCC2C0319F8098CBBE02DAF09B4B262B5A6A7D9002A0D6275BF56B7F406FB03E169D00EADC6A20F0709B1240067AB82D5411A4535C21B0A6EB96B6D23ACC0103703F9816DF04370F4734CF75FBB206618A91245A1F975C411D3CFAE83B8AF1318E773BF9A15

We can pipe it to an md5 function to make it easier for a human to compare.

Here are the three simple commands to check if your private key matches the certificate or the CSR:

STEP 1) check the private key

[root@srv@local ]# openssl rsa -noout -modulus -in server.key | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 2) check modulus value of the certificate

[root@srv@local ]# openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 3) check modulus value of the CSR

[root@srv@local ]# openssl req -noout -modulus -in server.csr | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

If the three values are the same, you can use this pair of private key and certificate in your web (or whatever) server. It also means you can use this CSR to issue a server certificate and then use this private key together with the new server certificate!

* The nginx web server reports an error when using a non-matching pair of private key and certificate:

[root@srv@local ]# nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/nginx/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

And if you issue a restart command you’ll end up without a working web server.

* Apache also reports an error in the error log (probably your SSL error log) and does not start:

[Tue Mar 06 03:37:39.378436 2014] [ssl:emerg] [pid 8182] AH02565: Certificate and private key localhost:443:0 from /etc/ssl/apache2/server.crt and /etc/ssl/apache2/server.key do not match

The default error log reports only a configuration error:

AH00016: Configuration Failed

And, strangely, apache2ctl reports no error!

 apache2ctl configtest
 * Checking apache2 configuration ...                                                                                          [ ok ]

So always verify the private key and the server certificate before restarting a service that depends on them!
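
The three openssl checks above combined into one script that can gate a restart, as an added example that is not part of the original article. It goes beyond the text by comparing the SHA-256 of the whole public key instead of the MD5 of the RSA modulus, so it also works for non-RSA keys. The function names pubkey_digest, check_keypair and make_samples are made up for this example, and the sample files are throwaway data generated on the spot.

```sh
#!/bin/sh
# Added example: verify that a private key, a certificate and (optionally) a CSR
# carry the same public key.

# Print the SHA-256 of the public key contained in a key, certificate or CSR.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1          # never hash an empty result
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_keypair KEY CERT [CSR]: 0 = all match, 1 = mismatch, 2 = unreadable file.
check_keypair() {
    k=$(pubkey_digest key "$1") || { echo "unreadable key: $1"; return 2; }
    c=$(pubkey_digest crt "$2") || { echo "unreadable certificate: $2"; return 2; }
    [ "$k" = "$c" ] || { echo "MISMATCH: $2 does not belong to $1"; return 1; }
    if [ -n "$3" ]; then
        r=$(pubkey_digest csr "$3") || { echo "unreadable CSR: $3"; return 2; }
        [ "$k" = "$r" ] || { echo "MISMATCH: $3 was not created with $1"; return 1; }
    fi
    echo "OK: public key sha256 $k"
}

# Constructed sample data: throwaway key a with its self-signed certificate and
# CSR, plus an unrelated key b. Files are written to the directory given as $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo -days 1 \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj /CN=demo -out "$1/a.csr" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp" && {
    check_keypair "$tmp/a.key" "$tmp/a.crt" "$tmp/a.csr"   # matching set
    check_keypair "$tmp/b.key" "$tmp/a.crt"                # wrong key for this certificate
    rm -rf "$tmp"
}
```

In a deployment it would run before the configuration test, for example: check_keypair /etc/ssl/nginx/server.key /etc/ssl/nginx/server.crt && nginx -t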

Replace default program to open text files in Linux console

Ever wondered how to change your text editor when editing text files in Linux? Here is a newbie tip!
For example, when you want to edit cron jobs you execute

[srv@local ~]# crontab -e

And you land in some text editor? You probably like vim or nano or pico or some other text editor, and you want to use it whenever the system needs a text editor?
There is an environment variable EDITOR, which can be set to one of the text editors mentioned above.
Temporarily, you can set it from the command line for the current session to open text files with “nano”

[srv@local ~]# export EDITOR="nano"

And when you edit cron jobs, or edit a text file in “mc”, or whenever the system needs a text editor, it will use “nano”. If you replace “nano” with another editor, that one will be used.
To make it permanent you must put it in your .bashrc file – “/home//.bashrc” (or more accurately “~/.bashrc”). Just add the same line as above at the end of your .bashrc file:

export EDITOR="nano"

And if you check your current environment you’ll see there is a variable named EDITOR:

[srv@local ~]# env|grep EDITOR
EDITOR=nano