Blog Archives

Oracle Enterprise Linux 6.x networking

Lately I got many questions regarding the network configuration of Oracle Enterprise Linux 6 (Red Hat Enterprise Linux 6).
Enough to write a little article about it.

It seems that some of the network configuration was altered in OEL6. The reason, as far as I know, is the implementation of the NetworkManager daemon. I don’t know why they are using CamelCase for the daemon name, but mind that. Even though the NetworkManager should make the configuration as painless as possible (at least that’s what the manual page said), it seems to actually make the configuration more of a pain for some.

Below I will cover some topics in an effort to get you going and remove the pain 🙂

Configuring eth0 for manual operation

  • Step 1: disable the NetworkManager daemon
    service NetworkManager stop
  • Step 2: remove the NetworkManager from Init (start-up)
    chkconfig --level 2345 NetworkManager off
  • Step 3: open the ifcfg-eth0 config file (alter the suffix ‘eth0’ to match the adapter of your choice)
    vi /etc/sysconfig/network-scripts/ifcfg-eth0
  • Step 4: Alter the following to match your environment…
    DEVICE=eth0
    TYPE=Ethernet
    HWADDR={Your MAC address here}
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR=192.168.1.10
    #PREFIX=24    [can be used alternatively to NETMASK=]
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    BROADCAST=192.168.1.255
    GATEWAY=192.168.1.1
    
  • Step 5: Write/close the configuration file (:wq in vi)
  • Step 6: Restart the network service
    service network restart
  • TIP 0: Obviously, adjust the configuration above to match your home network.
  • TIP 1: NetworkManager is not always present, in which case you can obviously skip steps 1 – 2.
  • TIP 2: There are reports that the NETMASK=xxx.xxx.xxx.xxx notation is actually more stable than the PREFIX=xx notation.
    My advice, use NETMASK= which is also better understood by non networking guys.
  • TIP 3: Not sure about the correct NETWORK, NETMASK, BROADCAST or PREFIX settings? Give ipcalc a try:
    ipcalc --netmask {IPADDR}
    ipcalc --prefix {IPADDR} {NETMASK}
    ipcalc --broadcast {IPADDR} {NETMASK}
    ipcalc --network {IPADDR} {NETMASK}
    

Configuring DNS

DNS always seems to be a bugger and a hard one to understand. Do note that DNS is JUST AN IP PHONEBOOK. Nothing fancy there. Also, there are various ways of configuring DNS. One way is by adding the DNS configuration to the ifcfg-suffix configuration file with the DNS1=ip.ip.ip.ip and DNS2=ip.ip.ip.ip keywords. As an effect, the networking service will update the appropriate configuration files. To be frank, I find this confusing and do not like duplicate configurations everywhere in my -has to be clean- environment. My advice is to configure DNS in the appropriate files directly, like this…

  • Step 1: Edit the resolv.conf file where DNS is configured.
    vi /etc/resolv.conf
  • Step 2: Add or Alter the following to match your environment
    search mydomain.home
    nameserver 192.168.1.1
    nameserver 8.8.8.8
    
  • Step 3: Test to see if name resolution works
    nslookup
    set debug
    www.google.com
    
  • TIP 1: Linux actually tries to find the IP in the /etc/hosts file first. If you know the hostname and FQDN for a certain IP and it can be classified as static, consider using the hosts file instead of a centralized DNS. This will boost performance if the name is resolved often. If multiple systems use and depend on a machine reference, use centralized DNS in order to lighten the administrative tasks.
    vi /etc/hosts
  • TIP 2: Experiencing slow log on times or slow application performance? A faulty DNS configuration might just be the cause. A quick way to test this is by temporarily disabling DNS altogether. This can be done by editing the /etc/nsswitch.conf file.
    vi /etc/nsswitch.conf
    • alter the line
      hosts:     files dns
    • to the line
      hosts: files
    • write the file and test if the performance has improved.
  • The reason for this is that DNS is often used to register user logon or session information based on the visitor’s IP address. Examples are the ssh daemon, ftp servers, webservers, linux logon, etc.

STATIC ROUTES

In some cases you want Linux to use alternative routes to access certain Linux resources. The way to go in these cases is creating routes. In most cases you want these to be persistent, in which case ‘route add –‘ won’t suffice. In our example we will create two new routes: one describing a route to a specific host, the other describing the route to a specific network. Alter the example to match your needs.

  • STEP 1: Create a new file called static-routes in the /etc/sysconfig/ directory
    vi /etc/sysconfig/static-routes
  • STEP 2: Add the following, obviously matching your specific needs
    any net 192.168.2.0/24 gw 192.168.1.254 metric 1
    any host 192.168.2.254 gw 192.168.1.254 metric 1
  • STEP 3: Restart the network service
    service network restart
  • TIP 1: SIOCADDRT: No such process means the designated gateway doesn’t exist on any known interface. (typo?)
  • TIP 2: view the route information using the route command
  • TIP 3: use the ipcalc --prefix {IPADDR} {NETMASK} command to determine the right /prefix for your environment.
  • TIP 4: In older environments the ifup-routes is used; this shell script still exists at /etc/sysconfig/network-scripts/ifup-routes
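
The check behind TIP 1 can be run before restarting the network service: a gateway is only usable when it sits in the subnet of a configured interface. The script below is an added example, not part of the original post; the function names are hypothetical and the third sample route is constructed to show a failing entry.

```shell
#!/bin/sh
# Added example: flag static-routes entries whose gateway is not on the
# local subnet (the situation behind "SIOCADDRT: No such process").

# Dotted-quad IPv4 address -> integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
    }
}

# on_link GATEWAY IPADDR NETMASK: true if GATEWAY shares IPADDR's subnet.
on_link() {
    mask=$(ip2int "$3")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# check_routes IPADDR NETMASK: read static-routes lines on stdin, print every
# entry with an off-link gateway, return 1 if any was found.
check_routes() {
    ipaddr=$1 netmask=$2 status=0
    while read -r ifname args; do
        case $ifname in ''|\#*) continue ;; esac
        gw=
        set -- $args
        while [ $# -gt 1 ]; do          # find the token following "gw"
            if [ "$1" = gw ]; then gw=$2; fi
            shift
        done
        if [ -n "$gw" ] && ! on_link "$gw" "$ipaddr" "$netmask"; then
            echo "off-link gateway: $ifname $args"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the two routes from the article plus one whose gateway
# lies outside 192.168.1.0/24.
SAMPLE_ROUTES='any net 192.168.2.0/24 gw 192.168.1.254 metric 1
any host 192.168.2.254 gw 192.168.1.254 metric 1
any net 10.0.0.0/8 gw 192.168.3.1 metric 1'

printf '%s\n' "$SAMPLE_ROUTES" | check_routes 192.168.1.10 255.255.255.0 || true
```

On a real system, feed it the file itself: check_routes {IPADDR} {NETMASK} < /etc/sysconfig/static-routes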

Locate my mac address

The ifcfg-eth# config allows you to configure the specific MAC address to guarantee the IP is bound to the right adapter. In virtualized environments this might save you a lot of trouble in the situation where the virtualized domain is altered. On the other hand, it might cause trouble when the statically configured MAC is migrated in virtual environments. In either case, you might want to know the MAC Linux sees as belonging to a certain adapter. You can find the MAC address in the following location:

 cat /sys/class/net/eth0/address

Obviously you need to alter eth0 in the path to match the adapter you are looking for. Not sure? Then change directory to /sys/class/net and perform a list to see all discovered and registered adapters.

IPTables (Linux firewall)

By default IPtables (which is the linux firewall) is enabled. You can view the running configuration by checking the service status like this.

 service iptables status

You can simply turn the firewall off by applying steps 1-2 of the first instruction (configuring eth0) to the iptables service instead of NetworkManager. This will reduce the security of your Linux platform significantly. My advice, add the ports you need for your services and let IPtables protect you. The easiest way is by simply editing the iptables configuration file.

 vi /etc/sysconfig/iptables 

Adding a port is as easy as copy/pasting the always present firewall rule that allows port 22 (ssh). Copy/paste it and alter the -p (protocol) and --dport (destination port) to match your needs. For example, allowing HTTP/HTTPS:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Afterward, restart iptables:

service iptables restart
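
Where the copied rule lands in the file matters: iptables walks the INPUT chain from top to bottom and stops at the first match, so an ACCEPT rule placed below a catch-all REJECT never fires. The script below is an added example, not part of the original post; the sample ruleset is constructed (modelled on a stock /etc/sysconfig/iptables) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep new ACCEPT rules ahead of the catch-all REJECT.

# Constructed sample modelled on a stock /etc/sysconfig/iptables.
STOCK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# dead_input_rules: print INPUT rules that sit below an unconditional
# REJECT/DROP and therefore never match. Reads a ruleset on stdin.
dead_input_rules() {
    awk '/^-A INPUT -j (REJECT|DROP)/ { blocked = 1; next }
         blocked && /^-A INPUT / { print }'
}

# allow_tcp_port PORT: copy stdin to stdout, inserting an ACCEPT rule for
# PORT just above the catch-all unless the rule is already there.
allow_tcp_port() {
    case $1 in ''|*[!0-9]*) echo "bad port: $1" >&2; return 2 ;; esac
    awk -v rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT" '
        $0 == rule { have = 1 }
        /^-A INPUT -j (REJECT|DROP)/ && !have && !placed { print rule; placed = 1 }
        { print }'
}

# Demo 1: a rule pasted below the catch-all is reported as dead.
printf '%s\n' "$STOCK_RULES" |
    sed '/^-A INPUT -j REJECT/a\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' |
    dead_input_rules
# Demo 2: allow_tcp_port places the rule where it can match (prints nothing).
printf '%s\n' "$STOCK_RULES" | allow_tcp_port 443 | dead_input_rules
```

Run dead_input_rules < /etc/sysconfig/iptables after editing and before restarting the service; any line it prints is a rule that will never be reached.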

TIP: If you are experimenting with IPv6 (then you’re Instant COOL!), mind that the IPv6 firewall is called ip6tables and the configuration is called the same. The basic iptables doesn’t handle IPv6 at all.

TIP: If you are using IPv6, encode your IPv4 IP in the IPv6 address to ease administration. Example:

ipv4: 192.168.10.1/32
ipv6: 2001::0192:0168:0010:0001/64
Then route on the nibble of choice.

Additional questions?

Just post it below and maybe I’ll respond in due time 🙂

Exact Globe, folder already exists during CLIOP export to network.

On Windows 7.

If you get an error message suggesting that the user doesn’t have the correct rights to create a new directory inside the designated CLIOP export network path, this might be because you are running Exact in an elevated state (as administrator). This is needed by some users to netupdate the client, but will cause all sorts of problems when the client is used in this state.

To resolve this problem, verify that the user has the proper rights on the designated network location. This can simply be done by opening the path in Windows Explorer and then creating a folder and a file. If this is successful, the network rights are correct (so you don’t need to create a new support call 😉 ).

Next, verify that the Exact client isn’t running as administrator. You can verify this by right-clicking the shortcut and then selecting Properties. Locate the ‘Compatibility’ tab, and verify that the checkbox ‘run as administrator’ isn’t checked. If it is, uncheck it and apply the new settings.

If network policies allow, also verify that the checkbox isn’t checked on the Exact binary inside the Exact installation dir.

I hope this helps 🙂

Rgrds, Chris

Optimize Windows Server TCP/IP settings

When you are installing Windows Server 2003 from the box, you should always realize that the TCP settings used might not be optimal for the network environment in which the server was installed. The default settings used by Windows are optimized by the Windows OS and will ensure a stable and sure data flow, but in some cases these settings can be optimized using a series of registry settings.

network issues with Dell Broadcom interfaces?

Experiencing “Copper Link Down” messages with increased network load on Dell R and M Series servers?

Then you might want to look into this thread.
https://bugzilla.redhat.com/show_bug.cgi?id=520888

There is a known issue with the bnx2 driver used on the Linux platform that might cause the network card to become inactive. The problem is caused by the driver’s MSI (Message Signaled Interrupts) option.
http://en.wikipedia.org/wiki/Message_Signaled_Interrupts

The two suggested solutions to this problem are;

1. Disable the msi option in the modprobe.conf file by adding the following rule;
options bnx2 disable_msi=1 (Recommended)

2. Load the latest dell driver that disables the msi-x option in the driver itself.

Please read these threads carefully before you decide this problem is the one you might be experiencing.

How to detect the problem on OracleVM / OEL.

1. Make sure the Link LED is lit on the back of the physical machine.
2. Run ethtool -t eth# to view its current state
3. Make sure ethtool reports a Link-Down

To apply the fix, use the following steps:

1. Logon to the OracleVM Dom0 / OEL / Other Linux box.
2. vi /etc/modprobe.conf
3. Add the following line below alias eth0 bnx2
options bnx2 disable_msi=1
4. Save and quit vi :wq
5. Reinit the module using the following command.
modprobe bnx2
6. Verify the setting using the following command.
modinfo bnx2
The following rule should be listed.
parm: disable_msi:Disable Message Signaled Interrupt (MSI) (int)

Hope this fix resolves the problem for you!

Rgrds,

Timekeeping in VMware… o my…

If there is a subject that has many, and I really mean many, posts, and with these posts many, many readers, it’s timekeeping in VMware. Especially when your guest OS is of the Linux platform. Also, there are many suggestions on how to solve this problem. To give you guys a quick glance of what’s happening out there… Some of the suggestions you might encounter:

1. Cron the ntpd refresh command. (put the ntp renew in a task and execute it every second)
    (Not really an option with 100Servers+ and loads, loads of network traffic)
2. Recompile the kernel using the 100Hz frequency setting instead of the 1000 or 250Hz setting.
    (One I want to test before discarding it, he might have a point there)
3. Patch the kernel / NTPD using the latest versions.
     (Should be a standard job and best practice, not a suggestion!)
4. Use a VMware compatible compiled rpm to reinstall the kernel.
     (Sounds much like option 2 I want to test first, I’ll go for the manual compile 🙂 )
5. I don’t even want to mention all these other options
     (too silly but fun reading 🙂 )

With all respect to the guys searching and finding the solutions stated above. There was indeed a time these solutions were the best to apply. But time has gone past; VMware introduced solutions using the VMware Tools (almost the same as the cron solution). And communities responded, committed to solving these problems for their most valued distro. The result is a setting in the kernel that is available for various kernels, and these settings can be found on the VMware site. Even though I committed myself to test these various options before implementing one or the other, the bootloader option looks the safest to suggest to the big audience. So here it is.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427

Oh, always there are people to thank 🙂
• My uncle for paying way more attention than me 🙂 Marco Gralike
• Prutser for breaking open the kernel discussion, good article there.
http://prutser.wordpress.com/2009/02/08/why-does-my-linux-virtual-machine-lose-time/
• VMware for maintaining their KB so well 🙂
• You for taking the time to read this nonsense 🙂

Ndo Utils startup script for usage with chkconfig.

Is functional, there is a bug in the start portion that I still need to fix. But it will start the daemon correctly and if you use the “service ndodaemon rewrite-lock” the status and stop functions will also work correctly.


#!/bin/sh
#
# chkconfig: 345 90 01
# description: Nagios NDO Utils Daemon
# /etc/init.d/ndodaemon

prefix=/usr/sbin
Bin=ndo2db
NdoBin=$prefix/$Bin
NdoUsr=root
NdoConf=/usr/local/nagios/etc/ndo2db.cfg
RunFile=/usr/local/nagios/var/ndo2db.lock

# Check if the NDO binary exists
if [ ! -f "$NdoBin" ]; then
    echo "NDO binary doesn't exist!"
    exit 1
fi

# Check if the NDO config exists
if [ ! -f "$NdoConf" ]; then
    echo "NDO config file not found!"
    exit 1
fi

case $1 in

start)
    if test -f "$RunFile"; then
        echo "NDO daemon already started"
        exit 1
    else
        echo -n "Starting the NDO daemon:"
        # The redirect has to come before the '&', otherwise it is parsed
        # as a separate, empty command.
        "$NdoBin" -c "$NdoConf" > /dev/null 2>&1 &

        # Note: $? after '&' only tells us the launch was issued,
        # not that the daemon actually came up.
        if [ $? -eq 0 ]; then
            for i in 1 2 3 4 5 6 7 8 9 10 ; do
                echo -n "."
                sleep 1
            done
            # The PIDs are collected here but not written to the lock file;
            # run "rewrite-lock" after start so status/stop can find them.
            P=`ps -C "$Bin" -o pid | grep '[0-9]'`

            echo "Done."
            exit 0
        else
            echo "Failed to start the daemon, check the config file!"
            exit 1
        fi
    fi
    ;;

stop)
    if test -f "$RunFile"; then
        # Make sure we have both processes!
        ps -C "$Bin" -o pid | grep '[0-9]' > "$RunFile"
        # Get first PID (strip the padding ps puts in front of it)
        ndo1PID=`head -n 1 "$RunFile" | tr -d ' '`
        # Get 2nd PID
        ndo2PID=`tail -n 1 "$RunFile" | tr -d ' '`
        echo "$ndo1PID"
        echo "$ndo2PID"
        # Need to make this a bit more logical, but it works for the moment....
        kill "$ndo1PID" > /dev/null 2>&1
        kill "$ndo2PID" > /dev/null 2>&1
        rm "$RunFile" > /dev/null
        if [ $? -eq 0 ]; then
            echo "Done."
            exit 0
        else
            echo "Failed."
            exit 1
        fi
    else
        echo "No NDO daemon to stop!"
        exit 1
    fi
    ;;

rewrite-lock)
    ps -C "$Bin" -o pid | grep '[0-9]' > "$RunFile"
    ;;

status)
    if test -f "$RunFile"; then
        # We have a run file, so we check based on PID
        ndo1PID=`head -n 1 "$RunFile" | tr -d ' '`
        ndo2PID=`tail -n 1 "$RunFile" | tr -d ' '`
        # Process parent NDO daemon
        # (-gt is the numeric test; '>' inside [ ] would create a file named 0)
        if [ "${ndo1PID:-0}" -gt 0 ] 2> /dev/null; then
            ps -p "$ndo1PID" > /dev/null 2>&1
            if [ $? -eq 0 ]; then
                Status1="NDO Parent (PID $ndo1PID) is alive!"
            else
                Status1="NDO Parent (PID $ndo1PID) not alive, remove lock file then check for orphan processes then restart daemon."
            fi
        else
            Status1="NDO Parent (PID $ndo1PID) not alive!"
        fi

        # Process child NDO daemon
        if [ "${ndo2PID:-0}" -gt 0 ] 2> /dev/null; then
            ps -p "$ndo2PID" > /dev/null 2>&1
            if [ $? -eq 0 ]; then
                Status2="NDO Child (PID $ndo2PID) is alive!"
            else
                Status2="NDO Child (PID $ndo2PID) not alive!"
            fi
        else
            Status2="NDO Child (PID $ndo2PID) not alive!"
        fi
        echo "$Status1"
        echo "$Status2"
        exit 0
    else
        # We don't have a run file, so let's see if someone started it manually.
        ps -C "$Bin" > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "NDO process seems to be manually started!"
            exit 1
        else
            echo "NDO daemon is not running."
            exit 1
        fi
    fi
    ;;

*)
    echo "Usage: $0 {start|stop|status|rewrite-lock}"
    exit 1
    ;;
esac