How to install PostgreSQL on CentOS / Redhat

Hi All, in this article I want to quickly show you the specific steps to install the PostgreSQL 8 database on CentOS Linux 5. As we all know, yum can be used to install packages and software, so I am using yum for this installation. To make sure that you have everything needed, run:

#yum list | grep postgresql

Then verify that you see:

postgresql.i386, postgresql-server.i386 and postgresql-libs.i386. If you have the 64-bit version, you will see x86_64 instead.

The CentOS installation comes with postgresql-libs installed. If it is not installed, install it with:

#yum install postgresql-libs

Now the general installation. As root, install the PostgreSQL core and server packages:

#yum install postgresql postgresql-server

We need a separate user as the owner of the PostgreSQL database, so create the postgres user:

#adduser postgres

Create a directory to store the data files (the ‘datafile’ directory) for the database:

#mkdir -p /usr/local/pgsql/data

It is necessary to change the ownership of the data directory to the postgres user:

#chown postgres /usr/local/pgsql/data

Now switch from the root user to the postgres user:

#su - postgres

Initialize the datafiles for the database:

#/usr/bin/initdb -D /usr/local/pgsql/data

Start the database with the initialized data files as a background process (&) and redirect all messages and errors (2>&1) into the logfile:

#/usr/bin/postgres -D /usr/local/pgsql/data > logfile 2>&1 &

Create the test database:

#/usr/bin/createdb firstdb

Log in to the test database:

$/usr/bin/psql firstdb
Welcome to psql 8.3.7, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

firstdb=>

http://www.mydailylinux.com/my-daily-linux/node/install-postgresql-centos

PostgreSQL

Hi all, in this article you will find some useful and important details about PostgreSQL.

PostgreSQL is a powerful, truly open source, feature-rich relational database system. It has over 15 years of active development and a proven architecture that has earned it a strong reputation for reliability, data integrity, and correctness. It runs on all major operating systems, including Linux, UNIX (AIX, BSD, HP-UX, SGI IRIX, Mac OS X, Solaris, Tru64), and Windows, without any pain. It is fully ACID compliant, has full support for foreign keys, joins, views, triggers, and stored procedures (in multiple languages). It includes most SQL92 and SQL99 data types, including INTEGER, NUMERIC, BOOLEAN, CHAR, VARCHAR, DATE, INTERVAL, and TIMESTAMP. It also supports storage of binary large objects, including pictures, sounds, or video. It has native programming interfaces for C/C++, Java, .Net, Perl, Python, Ruby, Tcl, ODBC, among others, and exceptional documentation.

An enterprise class database, PostgreSQL boasts sophisticated features such as Multi-Version Concurrency Control (MVCC), point in time recovery, tablespaces, asynchronous replication, nested transactions (savepoints), online/hot backups, a sophisticated query planner/optimizer, and write ahead logging for fault tolerance. It supports international character sets, multibyte character encodings, Unicode, and it is locale-aware for sorting, case-sensitivity, and formatting. It is highly scalable both in the sheer quantity of data it can manage and in the number of concurrent users it can accommodate. There are active PostgreSQL systems in production environments that manage in excess of 4 terabytes of data. Some general PostgreSQL limits are included in the table below.


Limit                         Value
Maximum Database Size         Unlimited
Maximum Table Size            32 TB
Maximum Row Size              1.6 TB
Maximum Field Size            1 GB
Maximum Rows per Table        Unlimited
Maximum Columns per Table     250 – 1600 depending on column types
Maximum Indexes per Table     Unlimited

PostgreSQL has won praise from its users and industry recognition, including the Linux New Media Award for Best Database System, and it is a five-time winner of the Linux Journal Editors’ Choice Award for best DBMS.

Featureful and Standards Compliant

PostgreSQL prides itself on standards compliance. Its SQL implementation strongly conforms to the ANSI-SQL 92/99 standards. It has full support for subqueries (including subselects in the FROM clause) and for the read-committed and serializable transaction isolation levels. And while PostgreSQL has a fully relational system catalog which itself supports multiple schemas per database, its catalog is also accessible through the Information Schema as defined in the SQL standard.

Data integrity features include (compound) primary keys, foreign keys with restricting and cascading updates/deletes, check constraints, unique constraints, and not null constraints.

It also has a host of extensions and advanced features. Among the conveniences are auto-increment columns through sequences, and LIMIT/OFFSET allowing the return of partial result sets. PostgreSQL supports compound, unique, partial, and functional indexes which can use any of its B-tree, R-tree, hash, or GiST storage methods.

GiST (Generalized Search Tree) indexing is an advanced system which brings together a wide array of different sorting and searching algorithms including B-tree, B+-tree, R-tree, partial sum trees, ranked B+-trees and many others. It also provides an interface which allows both the creation of custom data types as well as extensible query methods with which to search them. Thus, GiST offers the flexibility to specify what you store, how you store it, and the ability to define new ways to search through it — ways that far exceed those offered by standard B-tree, R-tree and other generalized search algorithms.

GiST serves as a foundation for many public projects that use PostgreSQL such as OpenFTS and PostGIS. OpenFTS (Open Source Full Text Search engine) provides online indexing of data and relevance ranking for database searching. PostGIS is a project which adds support for geographic objects in PostgreSQL, allowing it to be used as a spatial database for geographic information systems (GIS), much like ESRI’s SDE or Oracle’s Spatial extension.

Other advanced features include table inheritance, a rules system, and database events. Table inheritance puts an object-oriented slant on table creation, allowing database designers to derive new tables from other tables, treating them as base classes. Even better, PostgreSQL supports both single and multiple inheritance in this manner.

The rules system, also called the query rewrite system, allows the database designer to create rules which identify specific operations for a given table or view, and dynamically transform them into alternate operations when they are processed.

The events system is an interprocess communication system in which messages and events can be transmitted between clients using the LISTEN and NOTIFY commands, allowing both simple peer to peer communication and advanced coordination on database events. Since notifications can be issued from triggers and stored procedures, PostgreSQL clients can monitor database events such as table updates, inserts, or deletes as they happen.

Highly Customizable

PostgreSQL runs stored procedures in more than a dozen programming languages, including Java, Perl, Python, Ruby, Tcl, C/C++, and its own PL/pgSQL, which is similar to Oracle’s PL/SQL. Included with its standard function library are hundreds of built-in functions that range from basic math and string operations to cryptography and Oracle compatibility. Triggers and stored procedures can be written in C and loaded into the database as a library, allowing great flexibility in extending its capabilities. Similarly, PostgreSQL includes a framework that allows developers to define and create their own custom data types along with supporting functions and operators that define their behavior. As a result, a host of advanced data types have been created that range from geometric and spatial primitives to network addresses to even ISBN/ISSN (International Standard Book Number/International Standard Serial Number) data types, all of which can be optionally added to the system.

Just as there are many procedural languages supported by PostgreSQL, there are also many library interfaces, allowing various languages, both compiled and interpreted, to interface with PostgreSQL. There are interfaces for Java (JDBC), ODBC, Perl, Python, Ruby, C, C++, PHP, Lisp, Scheme, and Qt, just to name a few.

Best of all, PostgreSQL’s source code is available under the most liberal open source license: the BSD license. This license gives you the freedom to use, modify and distribute PostgreSQL in any form you like, open or closed source. Any modifications, enhancements, or changes you make are yours to do with as you please. As such, PostgreSQL is not only a powerful database system capable of running the enterprise, it is a development platform upon which to develop in-house, web, or commercial software products that require a capable RDBMS.

For more details: http://www.postgresql.org

Postgresql: show tables, show databases, show columns

Hi all, in this article you will learn some very basic commands for PostgreSQL. When I started learning PostgreSQL, I found it a bit strange that the “show databases”, “show tables” and “show columns” commands did not work. I was using MySQL, and I still am, but it is just a matter of learning one more database, as PostgreSQL is becoming popular now. So if you are wondering how to list databases, tables and columns in a PostgreSQL database, I have the answer for you.

First of all, to connect to PostgreSQL you need to use the command:
psql -d “database name” -h “hostname OR IP” -U “user name”
This will prompt you to enter the password.
Note: By default you cannot connect to PostgreSQL with the user name root.

  1. To list the databases accessible to the user you connected with:
    mysql: SHOW DATABASES
    postgresql: \l
    postgresql: SELECT datname FROM pg_database;
  2. To list the tables in your database:
    mysql: SHOW TABLES
    postgresql: \d
    postgresql: SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';
  3. To list the columns in a particular table / schema use:
    mysql: SHOW COLUMNS
    postgresql: \d table
    postgresql: SELECT column_name FROM information_schema.columns WHERE table_name = 'table';

Apache + Mod_SSL + OpenSSL

SSL Certificate CSR Generation Instructions

Follow these instructions to generate a CSR for your web site. When you have completed this process, you will have a CSR ready to submit to your provider, who will turn it into an SSL certificate.

1. Create an RSA key for your Apache server:

cd /apacheserverroot/conf/ssl.key (ssl.key is the default key directory.)

If you have a different path, cd to your server’s private key directory. Alternatively, you can generate the key and CSR anywhere on your system; to make them work you then need to copy them to the correct path according to your web server configuration.

2. Enter the following command to generate a private key that is file-encrypted. You will be prompted for the passphrase to access the file, and also when starting your web server:

openssl genrsa -des3 -out domainname.key 1024

Warning: If you lose or forget the passphrase, you will not be able to use the certificate, so we suggest that you create the key without a passphrase.

Create a private key without file encryption if you do not want to enter the passphrase when starting your webserver:

openssl genrsa -out domainname.key 1024

Note: We recommend that you name the private key after the domain name that you are purchasing the certificate for, i.e. domainname.key

3. Type the following command to create a CSR with the RSA private key (output will be PEM format):

openssl req -new -key domainname.key -out domainname.csr

Note: You will be prompted for your PEM passphrase if you included the “-des3” switch in step 2. When creating a CSR you must follow these conventions:

• Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ?.,&
• If you are applying for a wildcard certificate you must state * in place of the sub domain, for example *.yourdomain.com instead of www.yourdomain.com

You will now be prompted for information to include within the CSR:

Country Name (2 letter code) [AU]:

US (this must be the two-letter country code; note that for the United Kingdom the country code must be GB and NOT UK)

State or Province Name (full name) [Some-State]:

The state or province where your organization is legally located. This cannot be abbreviated and must be entered in full.

Locality Name (eg, city) []:

The city where your organization is legally located.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

The exact legal name of your organization. Do not abbreviate your organization name.

Organizational Unit Name (eg, section) []:

Section of the organization, such as Marketing or Web Development.

Common Name (eg, YOUR name) []:

The fully qualified domain name of your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR’s common name must be www.yourdomain.com. If you are applying for a wildcard certificate to secure all subdomains of your domain, the common name must be *.yourdomain.com.

Email Address []:

Leave this field blank by just pressing return.

A challenge password []:

Leave this field blank by just pressing return.

An optional company name []:

Leave this field blank by just pressing return.

4. If you would like to verify the contents of the CSR, use the following command:

openssl req -noout -text -in domainname.csr

5. Create a backup of your private key. If the private key is lost your CSR and Certificate will be invalid. Make a copy of the private key file (domainname.key) generated earlier and store it in a safe place! The private key file should begin with (when using a text editor):

-----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

6. Your CSR will now have been created. Open the domainname.csr in a text editor and copy and paste the contents into the online enrollment form when requested.

7. Verifying a Digital Certificate

To verify an X.509 certificate use the following command:

# openssl verify server.crt
server.crt: OK

Where server.crt is the name of the file that contains the digital certificate.

7.1. Viewing the contents of a Digital Certificate

The contents of a digital certificate can be viewed using the openssl x509 command as follows:

# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 312312312 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=UK, O=Some Corporation, CN=Some CompanyTrust Root
Validity
Not Before: May 8 03:25:50 2005 BST
Not After : May 8 03:25:50 2010 BST
Subject: C=GB, ST=London, L=London, O=Open-source, OU=webtechnologies, CN=www.xml-dev.com/Email=admin@linux4beginners.info
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
…………
…………
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
…………
…………
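
The following shell functions are an added example, not part of the original instructions: they perform the key and CSR steps above non-interactively (using -subj instead of the prompts) and then run the checks worth doing before the CSR is submitted or the issued certificate is installed: that the Common Name is exactly the host name, that the key is at least 2048 bits (the example uses 2048 rather than the 1024 in the commands above, since public CAs stopped accepting 1024-bit keys), that the key file is mode 0600, and, for a certificate, its signature algorithm and remaining validity. The host name, subject fields and directories are assumptions, and the self-signed certificate exists only so the certificate checks can be exercised without a CA.

```shell
#!/bin/sh
# Added example (not from the original instructions): the CSR and certificate
# steps above, done non-interactively, plus the checks worth running on the result.
# Host name, subject fields and directory are assumptions for the demo.

set -eu

# Generate a BITS-bit RSA key and a CSR for HOST inside DIR.
# umask 077 makes the key file owner-readable only (mode 0600) from the moment it exists.
make_csr() {
    host=$1; dir=$2; bits=${3:-2048}
    ( umask 077; openssl genrsa -out "$dir/$host.key" "$bits" >/dev/null 2>&1 )
    # -subj replaces the interactive prompts; CN is placed last so it is easy to extract.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=GB/ST=London/L=London/O=Example Org/OU=Web/CN=$host" 2>/dev/null
}

# Common Name of a CSR (handles both the "/CN=x" and the "CN = x" subject styles).
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *//p'
}

# Size in bits of the RSA public key carried in a CSR.
csr_bits() {
    openssl req -noout -text -in "$1" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds when the CSR's own signature verifies, i.e. it really was made with its key.
csr_selfcheck() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Octal permission bits of a file (GNU stat, Linux).
file_mode() {
    stat -c %a "$1"
}

# Signature algorithm on a certificate, e.g. sha256WithRSAEncryption.
# md5WithRSAEncryption, as in the sample dump above, is rejected by modern clients.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# Succeeds when the certificate remains valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Demo only: self-sign the CSR so the certificate checks can run without a CA.
selfsign_for_demo() {
    host=$1; dir=$2
    openssl x509 -req -days 30 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" 2>/dev/null
}

# The pre-submission check list for HOST in DIR; fails with a reason on the first problem.
check_csr() {
    host=$1; dir=$2; csr=$dir/$host.csr; key=$dir/$host.key
    cn=$(csr_cn "$csr")
    [ "$cn" = "$host" ]               || { echo "CN mismatch: got '$cn', want '$host'"; return 1; }
    [ "$(csr_bits "$csr")" -ge 2048 ] || { echo "key shorter than 2048 bits"; return 1; }
    csr_selfcheck "$csr"              || { echo "CSR signature does not verify"; return 1; }
    [ "$(file_mode "$key")" = 600 ]   || { echo "key file is not mode 0600"; return 1; }
    echo "CSR for $host ok: $(csr_bits "$csr")-bit key, key file mode 0600"
}

# Stand-alone run: sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_csr www.example.com "$d"
    check_csr www.example.com "$d"
    selfsign_for_demo www.example.com "$d"
    echo "certificate signed with $(cert_sig_alg "$d/www.example.com.crt")"
    cert_valid_for_days "$d/www.example.com.crt" 7 && echo "valid for at least 7 more days"
    rm -rf "$d"
fi
```

On a real server, run check_csr against the key and CSR you are about to submit, and cert_sig_alg and cert_valid_for_days against the server.crt you receive back.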

7.2. Modifying the httpd.conf to Install the Certificates.

You will need to place this certificate on the server, and tell Apache where to find it.

For this example, the private key is placed in the /usr/local/apache2/conf/ssl.key/ directory, and the server certificate is placed in /usr/local/apache2/conf/ssl.crt/.

Copy the file received from the Certification Authority to a file called server.crt in /usr/local/apache2/conf/ssl.crt/.

And place the private.key generated in the previous step in /usr/local/apache2/conf/ssl.key/.

Then modify the /usr/local/apache2/conf/ssl.conf to point to the correct Private Key and Server Certificate files:

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/private.key
#SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key

7.3. Removing the passphrase from the RSA Private Key.

The RSA private key stored on the web server is usually encrypted, and you need a passphrase to read the file. That is why you are prompted for a passphrase when starting Apache with mod_ssl:

# apachectl startssl
Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server your.server.dom:443 (RSA)
Enter pass phrase:

Encrypting the RSA private key is very important. If a cracker gets hold of your unencrypted RSA private key, he/she can easily impersonate your web server. If the key is encrypted, the cracker cannot do anything without brute-forcing the passphrase. Use of a strong (i.e. long) passphrase is encouraged.

However, encrypting the key can sometimes be a nuisance, since you will be prompted for a passphrase every time you start the web server, especially if you are using rc scripts to start the web server at boot time. The prompt for a passphrase will stop the boot process, waiting for your input.

You can get rid of the passphrase prompt easily by decrypting the key. However, make sure that no one can get hold of this key. I would recommend that hardening and securing guidelines be followed before decrypting the key on the web server.

To decrypt the Key:

First make a copy of the encrypted key

# cp server.key server.key.cryp

Then re-write the key without encryption. You will be prompted for the passphrase of the original encrypted key:

# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

One way to secure the decrypted private key is to make it readable only by root:

# chmod 400 server.key

7.4. SSL Performance Tuning

7.4.1. Inter Process SSL Session Cache

Apache uses a multi-process model, in which all the requests are NOT handled by the same process. This causes the SSL session information to be lost when a client makes multiple requests. Multiple SSL handshakes cause a lot of overhead on the web server and the client. To avoid this, SSL session information must be stored in an inter-process session cache, allowing all the processes to have access to the handshake information. The SSLSessionCache directive in the /usr/local/apache2/conf/ssl.conf file can be used to specify the location of the SSL session cache:

SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

Using dbm:logs/ssl_scache creates the cache as a DBM hash file on the local disk.
Using shmht:logs/ssl_scache(512000) creates the cache in a shared memory segment.
Note shmht vs shmcb:
shmht: uses a hash table to cache the SSL handshake information in shared memory
shmcb: uses a cyclic buffer to cache the SSL handshake information in shared memory

Note:

Not all platforms/OSes support creation of a hash table in shared memory, so dbm:logs/ssl_scache must be used instead.

7.4.2. Verifying the SSL Session Cache.

To verify that the SSLSessionCache is working properly, you can use the openssl utility with the -reconnect option as follows:

# openssl s_client -connect your.server.dom:443 -state -reconnect

CONNECTED(00000003)
…….
…….
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
…..
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
…..
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
…..
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
…..
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
…..

-reconnect forces s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts at reusing the same session ID, as shown above.

How to configure network bonding in CentOS Redhat Fedora

Steps to configure network bonding in CentOS / Redhat / fedora

  1. It is not necessary, but it is good to run the lspci | grep Eth command to list your ethernet port details.
  2. Set up ethernet channel bonding for redundant network connectivity. Add the following lines to /etc/modprobe.conf

    alias bond0 bonding
    options bond0 mode=1 use_carrier=1 primary=eth0 miimon=100 downdelay=300 updelay=300

  3. Create ifcfg-bond0, ifcfg-eth0 and ifcfg-eth1 config files as shown below to hold your bonding configuration

    DEVICE=bond0
    ONBOOT=yes
    USERCTL=no
    BOOTPROTO=none
    NETMASK=255.255.255.0
    IPADDR=192.168.x.y
    BROADCAST=192.168.x.255
    NETWORK=192.168.x.0

    DEVICE=eth0
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes

    DEVICE=eth1
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes

  4. After you finish the configuration you need to restart the network daemon (service):
    /etc/rc.d/init.d/network restart

You can configure more than one bonded interface on the same Linux system.

Use MASTER=bond1 for bond1 if you have configured a second bonding interface, then add the following after the first bond (bond0) in /etc/modprobe.conf:
options bond1 -o bonding1 miimon=100 mode=1

How to find out MAC addresses for bonded interfaces

Sometimes people ask this question and the answer is very simple:
you can find the MAC address details in /proc/net/bonding/bondx OR in the /proc/net/[file/dir] for bonding
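
As an added example (not from the original article), here is a small shell and awk parser for the /proc/net/bonding/bondX file mentioned above. It runs against a constructed copy of that file, so it works on a machine without bonding, and lists each slave with its MII status and permanent hardware address, names the active slave, and warns when only one slave is up, which is the state in which the mode=1 configuration above has already lost its redundancy. The MAC addresses in the sample are made up.

```shell
#!/bin/sh
# Added example: read slave state out of /proc/net/bonding/bondX.
# The sample content below is constructed (MAC addresses made up) so the script runs anywhere.

set -eu

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 300
Down Delay (ms): 300

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:56
Slave queue ID: 0
EOF

# Print "IFACE STATUS MAC" for every slave in the bonding status file given as $1.
# The bond-level "MII Status" line comes before any "Slave Interface" line, so it is
# skipped by the iface guard.
bond_slaves() {
    awk -F': ' '
        /^Slave Interface:/          { iface = $2 }
        /^MII Status:/ && iface      { status = $2 }
        /^Permanent HW addr:/        { print iface, status, $2 }
    ' "$1"
}

# Print the name of the currently active slave.
bond_active() {
    sed -n 's/^Currently Active Slave: //p' "$1"
}

# Print the names of slaves whose link is down (empty output means all links are up).
bond_down_slaves() {
    bond_slaves "$1" | awk '$2 != "up" { print $1 }'
}

# Succeeds when at least two slaves are up, i.e. the bond still has a working backup.
bond_redundant() {
    up=$(bond_slaves "$1" | awk '$2 == "up" { n++ } END { print n + 0 }')
    [ "$up" -ge 2 ]
}

# Human-readable report (on a real host: bond_report /proc/net/bonding/bond0).
bond_report() {
    echo "active slave: $(bond_active "$1")"
    bond_slaves "$1" | while read -r iface status mac; do
        echo "  $iface  $status  $mac"
    done
    down=$(bond_down_slaves "$1")
    [ -z "$down" ] || echo "WARNING: link down on: $(printf '%s ' $down)"
    bond_redundant "$1" || echo "WARNING: only one slave is up; the next link failure takes the bond offline"
}

bond_report "$SAMPLE"
```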

Nagios Quickstart installation guide (Fedora/CentOS)

This guide is intended to provide you with simple instructions on how to install Nagios from source (code) on Fedora and have it monitoring your local machine inside of 20 minutes. No advanced installation options are discussed here – just the basics that will work for 95% of users who want to get started.

These instructions were written based on a standard Fedora Core 6 Linux distribution.

What You’ll End Up With

If you follow these instructions, here’s what you’ll end up with:

* Nagios and the plugins will be installed underneath /usr/local/nagios
* Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
* The Nagios web interface will be accessible at http://localhost/nagios/

Prerequisites

During portions of the installation you’ll need to have root access to your machine.

Make sure you’ve installed the following packages on your Fedora installation before continuing.

* Apache
* GCC compiler
* GD development libraries

You can use yum to install these packages by running the following commands (as root):

yum install httpd
yum install gcc
yum install glibc glibc-common
yum install gd gd-devel

1) Create Account Information

Become the root user.

su -l

Create a new nagios user account and give it a password.

/usr/sbin/useradd nagios
passwd nagios

Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -G nagcmd nagios
/usr/sbin/usermod -G nagcmd apache

2) Download Nagios and the Plugins

Create a directory for storing the downloads.

mkdir ~/downloads
cd ~/downloads

Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). At the time of writing, the latest versions of Nagios and the Nagios plugins were 3.0 and 1.4.11, respectively.

wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nagios-3.0.tar.gz
wget http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4…

3) Compile and Install Nagios

Extract the Nagios source code tarball.

cd ~/downloads
tar xzf nagios-3.0.tar.gz
cd nagios-3.0

Run the Nagios configure script, passing the name of the group you created earlier like so:

./configure --with-command-group=nagcmd

Compile the Nagios source code.

make all

Install binaries, init script, sample config files and set permissions on the external command directory.

make install
make install-init
make install-config
make install-commandmode

Don’t start Nagios yet – there’s still more that needs to be done…

4) Customize Configuration

Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You’ll need to make just one change before you proceed…

Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you’d like to use for receiving alerts.

vi /usr/local/nagios/etc/objects/contacts.cfg

5) Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account – you’ll need it later.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Restart Apache to make the new settings take effect.

service httpd restart

6) Compile and Install the Nagios Plugins

Extract the Nagios plugins source code tarball.

cd ~/downloads
tar xzf nagios-plugins-1.4.11.tar.gz
cd nagios-plugins-1.4.11

Compile and install the plugins.

./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

7) Start Nagios

Add Nagios to the list of system services and have it automatically start when the system boots.

chkconfig --add nagios
chkconfig nagios on

Verify the sample Nagios configuration files.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

service nagios start

8) Modify SELinux Settings

Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in “Internal Server Error” messages when you attempt to access the Nagios CGIs.

See if SELinux is in Enforcing mode.

getenforce

Put SELinux into Permissive mode.

setenforce 0

To make this change permanent, you’ll have to modify the settings in /etc/selinux/config and reboot.

Instead of disabling SELinux or setting it to permissive mode, you can use the following command to run the CGIs under SELinux enforcing/targeted mode:

chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

For information on running the Nagios CGIs under Enforcing mode with a targeted policy, visit the NagiosCommunity.org wiki at http://www.nagioscommunity.org/wiki.

9) Login to the Web Interface

You should now be able to access the Nagios web interface at the URL below. You’ll be prompted for the username (nagiosadmin) and password you specified earlier.

http://localhost/nagios/

Click on the “Service Detail” navbar link to see details of what’s being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time.

10) Other Modifications

Make sure your machine’s firewall rules are configured to allow access to the web server if you want to access the Nagios interface remotely.

Configuring email notifications is out of the scope of this documentation. While Nagios is currently configured to send you email notifications, your system may not yet have a mail program properly installed or configured. Refer to your system documentation, search the web, or look to the NagiosCommunity.org wiki for specific instructions on configuring your system to send email messages to external addresses. More information on notifications can be found here.

11) You’re Done

Congratulations! You successfully installed Nagios. Your journey into monitoring is just beginning. You’ll no doubt want to monitor more than just your local machine, so check out the following docs…

Recover MySQL root password

You can recover the MySQL database server root password with the following five easy steps.

Step # 1: Stop the MySQL server process.

Step # 2: Start the MySQL (mysqld) server/daemon process with the --skip-grant-tables option so that it will not prompt for a password

Step # 3: Connect to mysql server as the root user

Step # 4: Setup new root password

Step # 5: Exit and restart MySQL server

Here are commands you need to type for each step (login as the root user):

Step # 1 : Stop mysql service

# /etc/init.d/mysql stop

Output:

Stopping MySQL database server: mysqld.

Step # 2: Start the MySQL server without a password:

# mysqld_safe --skip-grant-tables &
Output:

[1] 5988
Starting mysqld daemon with databases from /var/lib/mysql
mysqld_safe[6025]: started

Step # 3: Connect to mysql server using mysql client:

# mysql -u root
Output:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Step # 4: Setup new MySQL root user password

mysql> use mysql;
mysql> update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;

mysql> quit

Step # 5: Stop MySQL Server:

# /etc/init.d/mysql stop
Output:

Stopping MySQL database server: mysqld
STOPPING server from pid file /var/run/mysqld/mysqld.pid
mysqld_safe[6186]: ended

[1]+  Done                    mysqld_safe --skip-grant-tables

Step # 6: Start MySQL server and test it

# /etc/init.d/mysql start

# mysql -u root -p

How to mount a Windows share on a Linux system as a non-root user

Mount a Windows share on a Linux system easily.

Due to the increased use of Linux servers in production environments, there is sometimes a need to mount Windows shares on Linux systems. You can definitely mount Windows shares on Linux machines using smbmount; follow the steps listed below to achieve it.

  • smbmount //{Name or IP of windows system}/{Share Name} {local path on linux to be mounted} -o username={username},password={password} rw

When you use this command, by default it does not allow non-root users to write to this directory, and only the root user can mount shares with it. If you try to change the owner of the directory using the chown command, it will throw an error.

  • chown -R username {path of the mounted share}

It will report an error such as “operation not permitted”.
Changing the permissions of the directory will not work either.

For this situation the tricky solution is to set the setuid (+s) bit on smbmnt. After that you will be able to mount it as a non-root user.

chmod +s /usr/bin/smbmnt
and now try the above command as a non-root user.

  • smbmount //{Name or IP of windows system}/{Share Name} {local path on linux to be mounted} -o username={username},password={password} rw

If you set the setuid bit on smbmount instead of smbmnt, on some Linux OSes you will see the following error:
“libsmb based programs must *NOT* be setuid root.”

If you have already set the suid bit for /usr/bin/smbmount, then unset it with
chmod -s /usr/bin/smbmount
Then try again to mount the shared folder and it should work this time.

Hope this helps.

Managing Linux Users

Howto add a user

While logged in as root, type:
adduser username
Where “username” is the name of the user you want to add.
Then, to assign a password to your new user, type:
passwd username
Where “username” is the name of the user whose password you want to set or change. If you type “passwd” alone, i.e. without specifying “username”, the password is changed for the user you are logged in as.

How to remove a user
While logged in as root, type:
userdel -r username

Where “username” is the name of the user you want to remove. This also removes the user’s home directory; you can delete the user without the “-r” option and delete the home directory manually. If the group the user was in is no longer needed, you may delete it by editing the “/etc/group” file.

Linux Passwords, Users, Groups, and Quotas

Passwords, and the way they are (or should be) stored on your system, have several characteristics. They should be:

1. In a file that is readable only by root.
2. In a one way hash format.

The actual password is not stored on your system, but its one way hash value is.

One way hash

A one-way hash is a function: the password is given to the function, and the function produces an output. The function is special because it has the following characteristics:

1. It is easy to compute the output, and the same password always produces the same output.
2. It is very difficult to recover the original input from the produced output. An analogy would be a sine function and its inverse, or squaring and taking a square root.

Several one-way hash algorithms are used for this purpose; one popular algorithm on Linux is MD5. Password-cracking programs such as “crack” therefore work by getting a copy of the system password file and guessing at the password, running each guess through the one-way hash function until the output matches. This is why short passwords are weak. A further measure to help with this situation, called salting, is nowadays implemented in Linux by default. The salt is only a two-character string: when a password is set, it is “salted” with extra characters chosen at random. The salt characters must be stored somewhere on the system, in a secure location, and used to regenerate the hashed password value for comparison with the stored value whenever the user logs in. The “longer” salted password and its associated output make it more difficult for cracking programs to guess the original password.
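To make the two properties and the role of the salt concrete, here is a small Python example. It is an added illustration, not code from the article or from any Linux password library: the stored form “salt$digest” and the use of PBKDF2 with SHA-256 are this example’s own choices (a real /etc/shadow entry uses the crypt(3) format, and the article names MD5 as the traditional algorithm). The salt alphabet is the 64-character set that classic crypt salts are drawn from.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original article: a minimal salted one-way hash
# scheme following the description in the text. The "salt$digest" storage form
# and PBKDF2-SHA256 are this example's own choices, not the crypt(3) format.
ITERATIONS = 100_000
# The 64 characters that classic crypt(3) salts are drawn from.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def one_way_hash(password: str, salt: str) -> str:
    """Property 1 from the text: same password and salt always give the same digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return digest.hex()


def make_salt(length: int = 2) -> str:
    """Random salt; two characters, as the text describes the traditional Linux salt."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def store_password(password: str, salt: str = "") -> str:
    """What the system keeps on disk: the salt and the digest, never the password."""
    if not salt:
        salt = make_salt()
    return f"{salt}${one_way_hash(password, salt)}"


def check_password(stored: str, attempt: str) -> bool:
    """Login-time check: re-hash the attempt with the stored salt and compare in constant time."""
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(one_way_hash(attempt, salt), digest)


def salt_space(length: int) -> int:
    """Number of distinct salts of a given length: the factor by which salting multiplies
    the work of precomputing digests for a wordlist."""
    return len(SALT_ALPHABET) ** length


if __name__ == "__main__":
    entry_a = store_password("letmein", "ab")   # fixed salt, to show determinism
    entry_b = store_password("letmein")         # random salt: same password, different digest
    print(entry_a)
    print(entry_b)
    print("same password, same salt, same digest:", entry_a == store_password("letmein", "ab"))
    print("login check:", check_password(entry_a, "letmein"), check_password(entry_a, "letmeout"))
    print("2-char salts:", salt_space(2), " 16-char salts:", salt_space(16))
```

The two-character salt from the text gives only 4096 possible salts, which is why modern schemes use much longer random salts and a deliberately slow hash such as PBKDF2 or bcrypt.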

Storing these hashes in a file that every user can read can compromise system security. This is why shadow passwords were implemented. See the section on the login process for a description of the /etc/passwd file and how it is used.

Linux Shadow Passwords

The shadow password suite allows the following features to be added to your system:

* A configuration file to set login defaults (/etc/login.defs)
* Utilities for adding, modifying, and deleting user accounts and groups
* Password aging and expiration
* Account expiration and locking
* Shadowed group passwords (optional)
* Better control over users’ password selection
* Dial-up passwords

Replacement programs included are chfn, chsh, id, login, newgrp, passwd, and su. Additional programs included are chage, dpasswd, gpasswd, groupadd, groupdel, groupmod, groups, grpck, lastlog, newusers, pwck, pwconv, pwunconv, useradd, userdel, and usermod. The library libshadow.a is also included, for compiling programs that need to use the user password files or user passwords.

If your system did not come with shadow passwords and you are going to install them, you will want to read the Shadow-Password-HOWTO and roughly do the following.

1. Find the latest shadow password suite that will work on your system.
2. Back up a copy of the files listed above that the shadow password suite will replace.
3. Install the shadow password suite.
4. Remove old man pages that may stop you from seeing the correct replacement man pages that came with the shadow password suite.
5. Run pwconv, which creates /etc/npasswd and /etc/nshadow.
6. Back up /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to /etc/passwd and /etc/shadow respectively.
7. Be sure the owners and permissions of /etc/shadow and /etc/passwd are the same as shown in the listings in this manual.
8. Verify that you can log in.
9. When you are sure the system runs OK, remove backup files such as the backed-up copy of /etc/passwd.
10. You may need to upgrade your xlock program to get X working. xlock is the screen saver used to lock the screen.
11. xdm presents the login screen for X. You may need to upgrade xdm.

The shadow password suite stores users’ passwords in the file /etc/shadow, with the following permissions:

-r-------- 1 root root 729 May 5 12:43 /etc/shadow

This file can only be read by root and looks like:

root:!!:11077:0:99999:7:-1:-1:134550548
bin:*:10942:0:99999:7:::
daemon:*:10942:0:99999:7:::
adm:*:10942:0:99999:7:::
lp:*:10942:0:99999:7:::
sync:*:10942:0:99999:7:::
shutdown:*:10942:0:99999:7:::
halt:*:10942:0:99999:7:::
mail:*:10942:0:99999:7:::
news:*:10942:0:99999:7:::
uucp:*:10942:0:99999:7:::
operator:*:10942:0:99999:7:::
games:*:10942:0:99999:7:::
gopher:*:10942:0:99999:7:::
ftp:*:10942:0:99999:7:::
nobody:*:10942:0:99999:7:::
xfs:!!:10942:0:99999:7:::
gdm:!!:10942:0:99999:7:::
postgres:!!:10942:0:99999:7:::
squid:!!:10942:0:99999:7:::
mark:!!:10942:0:99999:7:-1:-1:134550548
george:!!:11082:0:99999:7:-1:-1:134549460

I have modified the password entries. The format of each line is:

login:password:Daysince:Daysafter:Daysmust:dayswarn:daysexpire:daysince:reserved

Where:

* login – login name
* password – password in encrypted form, which is 13 to 24 characters long
* Daysince – Days since Jan 1, 1970 that the password was changed
* Daysafter – Days before the password may be changed
* Daysmust – Days after which the password must be changed
* dayswarn – Days before the password will expire (a warning to the user)
* daysexpire – Days after the password expires that the account is disabled
* daysince – Days since Jan 1, 1970 that the account is disabled
* reserved – Reserved field
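The day counts in these fields are easier to audit once they are turned back into dates and compared with the aging rules. The following Python parser is an added example, not code from the article or from the shadow suite: it splits a line into the nine fields named above, converts the “days since Jan 1, 1970” values to dates, and classifies an entry on a given day the way login would (locked, expired, in the warning window, inactive). The first three sample lines are taken from the listing above; the fourth is a constructed entry with a placeholder digest and a 90-day maximum age so that the aging logic has something to act on. Treating a password field of “*” or one beginning with “!” as locked follows the convention the usermod -L description below relies on.

```python
from datetime import date, timedelta

# Added example, not from the original article: parser for the nine-field
# /etc/shadow line format described in the text, with day counts turned into
# dates and the aging fields evaluated. Field names follow the text's format line.
EPOCH = date(1970, 1, 1)
FIELDS = ["login", "password", "daysince", "daysafter", "daysmust",
          "dayswarn", "daysexpire", "daysince_disabled", "reserved"]

# Sample lines: the first three are from the article's listing; the last is a
# constructed entry (placeholder digest, 90-day maximum age, 14 days of grace).
SAMPLE_SHADOW = """\
root:!!:11077:0:99999:7:-1:-1:134550548
bin:*:10942:0:99999:7:::
mark:!!:10942:0:99999:7:-1:-1:134550548
alice:$1$ab$exampledigest:10950:0:90:7:14::
"""


def _days(value: str):
    """Empty or -1 means the field is not set."""
    value = value.strip()
    return None if value in ("", "-1") else int(value)


def parse_shadow_line(line: str) -> dict:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        rec[key] = _days(rec[key])
    pw = rec["password"]
    rec["no_password"] = pw == ""                      # empty field: no password required
    rec["locked"] = pw.startswith("!") or pw == "*"    # "!" prefix (usermod -L) or "*": no valid hash
    rec["last_change"] = (EPOCH + timedelta(days=rec["daysince"])
                          if rec["daysince"] is not None else None)
    rec["disabled_on"] = (EPOCH + timedelta(days=rec["daysince_disabled"])
                          if rec["daysince_disabled"] is not None else None)
    return rec


def parse_shadow(text: str) -> list:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def password_status(rec: dict, today) -> str:
    """Classify an entry on a given day (date or ISO string) using the aging fields."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if rec["no_password"]:
        return "empty"
    if rec["locked"]:
        return "locked"
    if rec["disabled_on"] is not None and today >= rec["disabled_on"]:
        return "account disabled"
    if rec["last_change"] is None or rec["daysmust"] is None:
        return "ok"
    expires = rec["last_change"] + timedelta(days=rec["daysmust"])
    if today >= expires:
        inactive = rec["daysexpire"]
        if inactive is not None and today >= expires + timedelta(days=inactive):
            return "inactive"
        return "expired"
    warn = rec["dayswarn"] or 0
    if today >= expires - timedelta(days=warn):
        return "expiring soon"
    return "ok"


if __name__ == "__main__":
    for rec in parse_shadow(SAMPLE_SHADOW):
        print(f"{rec['login']:8} changed {rec['last_change']} -> {password_status(rec, '2000-03-20')}")
```

Run against a real file (as root) with `parse_shadow(open("/etc/shadow").read())` to list every account whose password is empty, locked or past its maximum age.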

Shadow password utility programs

The following programs are available as tools to manipulate shadow passwords and user password entry information/requirements.

* chage – Used to change the required number of days between user password changes and the date of the last change. Non-root users can only use chage with the -l option, to see when their password will expire. Options are:
1. l – List the account’s password aging information (the only option available to non-root users).
2. m – Set the minimum days between password changes.
3. M – Set the maximum days a password will be valid for.
4. W – Set the number of days the user is warned before their password expires.
5. d – Change the date of the last password change.
6. E – Set a date after which the user’s account will not be accessible.
7. I – The days of inactivity after a password has expired until the account is locked.
* pwconv – Used to create the file /etc/shadow from the file /etc/passwd. In short, it converts to a shadow password system. It uses the file /etc/login.defs to get PASS_MIN_DAYS, PASS_MAX_DAYS, and PASS_WARN_AGE values to help generate the /etc/shadow file.
* pwunconv – Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow. In short, it removes the shadow password system.
* grpconv – Creates /etc/gshadow from the file /etc/group.
* grpunconv – Uses the files /etc/group and /etc/gshadow to create /etc/group, then deletes /etc/gshadow.
* pwck – Checks the /etc/passwd and /etc/shadow files for errors.
* grpck – Checks the /etc/group and /etc/sgroup files for errors.
* usermod – Modify a user’s account. Options are:
1. d – Change the user’s home directory
2. e – Change the user’s account expiration date in the format YYYY-MM-DD.
3. f – Change the number of days after the password expires to when the account is disabled.
4. g – Change the user’s initial login group name.
5. G – Supplemental groups that the user is also a member of.
6. l – Change the user’s login name
7. p – The encrypted password
8. s – Change the name of the user’s login shell
9. u – The numerical value of the user’s ID
10. L – Lock a user’s password, disabling it by putting a ! in front of the value in the /etc/shadow file.
11. U – Unlock a user’s password
See the manpage on usermod for more information.
* crypt – The password encryption function.

Other user management programs:

* chfn – Change a user’s finger information
* chsh – Change a user’s shell
* gpasswd – Used to administer the /etc/group file and /etc/gshadow file.
o -A – Define group administrator.
o gpasswd -a user group – Adds a user to a group.
o gpasswd -d user group – Deletes a user from a group.
o -M – Define group members.
o gpasswd -R group – Disables access to the group via the newgrp command.
o gpasswd -r group – Remove a group password.
* groupadd – Create a new group.
* groupdel – Delete a group
* groupmod – Modify a group ID or name.
* id – Print group or user ID numbers for the specified user
* newgrp – Allows a user to log in to a new group.
* newusers – Used to update many user accounts at a single time by reading a file with user names and clear text passwords.
* passwd – Allows a user to change their own password, or root to change any user’s password.
* su – Allows a user to run in a shell with a different user and group ID. A user may become root with this command if they know the root password.
* useradd – Used to create a new user or update information.
* userdel – Used to delete a user. The user’s home directory can be deleted using the -r option.

Shadow password files

* /etc/passwd – Where the user information is stored.
* /etc/shadow – Further user information and user password and password management information is stored here.
* /etc/group – The group file of the format:

groupname:password:GID:user_list

An example file:

root:x:0:root,mark
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
nobody:x:99:
users:x:100:
floppy:x:19:
utmp:x:22:
xfs:x:101:
console:x:102:
gdm:x:42:
pppusers:x:230:
popusers:x:231:
slipusers:x:232:
postgres:x:233:
slocate:x:21:
squid:x:23:
mark:x:500:
george:x:501:

* /etc/groups – May contain passwords that let a user join a group.
* /etc/gshadow – Used to hold the group password and group administrator password information for shadow passwords. See the Shadow-Password-HOWTO. An example file:

root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm
adm:::root,adm,daemon
tty:::
disk:::root
lp:::daemon,lp
mem:::
kmem:::
wheel:::root
mail:::mail
news:::news
uucp:::uucp
man:::
games:::
gopher:::
dip:::
ftp:::
nobody:::
users:::
floppy:x::
utmp:x::
xfs:x::
console:x::
gdm:x::
pppusers:x::
popusers:x::
slipusers:x::
postgres:x::
slocate:x::
squid:x::
mark:!::
george:!::

* /etc/login.defs – Used with shadow passwords to set initial PATH and other parameters including how often a user must change passwords and what is acceptable as a password. An example file:

# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME yes

* /etc/limits – Limits users’ resources when a system has shadow passwords installed.
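Since pwconv reads PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE from /etc/login.defs when it builds /etc/shadow, the values in that file decide the aging every converted account starts with. The Python script below is an added example, not code from the article or from the shadow suite: it parses the “KEY value” format shown above (blank lines and “#” comments ignored), returns the three aging defaults pwconv would apply, and reports settings that fall outside a policy. The sample text is copied from the article’s example file; the policy bounds (maximum age 90 days, minimum length 8, and so on) are this example’s own assumptions, not values from the article or from any distribution.

```python
# Added example, not from the original article: parse login.defs and check the
# password-aging settings against a policy. The thresholds in POLICY are assumed.

# Copied from the article's example file (comment lines shortened).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid/gid selection
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
#USERDEL_CMD /usr/sbin/userdel_local
CREATE_HOME yes
"""

# Assumed policy: (setting, lower bound, upper bound); None means unbounded.
POLICY = [
    ("PASS_MAX_DAYS", 1, 90),
    ("PASS_MIN_DAYS", 1, None),
    ("PASS_MIN_LEN", 8, None),
    ("PASS_WARN_AGE", 7, None),
]


def parse_login_defs(text: str) -> dict:
    """Return KEY -> value string; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a leading '#' disables the setting
        if not line:
            continue
        parts = line.split(None, 1)            # key and value separated by whitespace
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def aging_defaults(settings: dict) -> dict:
    """The three values pwconv reads from login.defs when creating /etc/shadow entries."""
    keys = ("PASS_MIN_DAYS", "PASS_MAX_DAYS", "PASS_WARN_AGE")
    return {k: int(settings[k]) for k in keys if k in settings}


def check_policy(settings: dict, policy=POLICY) -> list:
    """Return (key, value, reason) for each policy setting missing or out of bounds."""
    findings = []
    for key, low, high in policy:
        if key not in settings:
            findings.append((key, None, "not set"))
            continue
        try:
            value = int(settings[key])
        except ValueError:
            findings.append((key, settings[key], "not an integer"))
            continue
        if low is not None and value < low:
            findings.append((key, value, f"below minimum {low}"))
        elif high is not None and value > high:
            findings.append((key, value, f"above maximum {high}"))
    return findings


if __name__ == "__main__":
    cfg = parse_login_defs(SAMPLE_LOGIN_DEFS)
    print("pwconv aging defaults:", aging_defaults(cfg))
    for key, value, reason in check_policy(cfg):
        print(f"{key} = {value}: {reason}")
```

On the article’s file the check reports PASS_MAX_DAYS 99999 (passwords never expire), PASS_MIN_DAYS 0 and PASS_MIN_LEN 5; the same function run on `open("/etc/login.defs").read()` audits a live system.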

The ability to set quotas limits a user’s disk storage by setting:

1. The number of inodes the user or group may use.
2. The number of disk blocks a user or group may use.

This limits the user’s ability to use up all system resources. It only works on ext2 filesystems. Quotas must be set for each filesystem that the user may use. The kernel must have quota support compiled in.

Commands used to set quotas and limits are:

* edquota(8) – Used to edit user or group quotas. This program uses the vi editor to edit the quota.user and quota.group files. If the environment variable EDITOR is set to emacs, the emacs editor will be used. Type “export EDITOR=emacs” to set that variable.
* quota(1) – Display users’ limits and current disk usage.
* quotaoff(8) – Turns system quotas off.
* quotaon(8) – Turn system quotas on.
* quotacheck(8) – Used to check a filesystem for usage, and update the quota.user file.
* repquota(8) – Lists a summary of quota information on filesystems.
* ulimit – A bash builtin command for setting limits on the processes a user can run.

Files:

* /etc/mtab
* quota.user – Resides on the filesystem quotas are being set on. Stores user quota information.
* quota.group – Resides on the filesystem quotas are being set on. Stores group quota information.

This section only describes the tools and files involved in setting up user quotas. For complete instructions refer to the “Linux User’s Guide” in the “Managing Users” section.