Category Archives: Linux

Build a Kali Linux ISO with the latest OS patches and packages

31 Saturday Aug 2019

Posted by in Linux, Security

Leave a comment

This post demonstrates how to build an updated Kali Linux ISO with the latest patches and package updates for the current 2019.2 release. This is helpful for offline environments, when you want a different desktop experience or you want every package available for Kali in one ISO. This is done as the root user.

1) Build a Kali Linux physical or virtual system. Downloads are available here:
https://www.kali.org/downloads/

2) Once built, update your system.
> apt update
> apt upgrade

3) Setup the build environment.
> mkdir -p /root/ISO
> cd /root/ISO/
> apt install -y curl git live-build cdebootstrap
> git clone https://gitlab.com/kalilinux/build-scripts/live-build-config.git

4) Modify the package list to get everything bundled into your ISO.
> cd /root/ISO/live-build-config/kali-config/variant-default/package-lists
> vi kali.list.chroot

Under the Kali applications header, set the file to look like the lines below. Basically, comment kali-linux-default (in red) and remove the comment on kali-linux-everything (in green). Leave the defaults for everything else in the file. When done, wq! to save your changes.

# Kali applications
#<package>
# You can customize the set of Kali metapackages (groups of tools) to install
# For the complete list see: https://tools.kali.org/kali-metapackages
# kali-linux-default
# kali-linux-large
kali-linux-everything
# kali-tools-top10

5) Build your ISO. Depending on your host’s CPU and internet speed, this could take an hour or more to complete.
> cd /root/ISO/live-build-config
> ./build.sh –verbose

Note: if you want a different desktop, run the associated build.sh variant below. Options are MATE, Gnome, XFCE, KDE, E17, I3WM, LXDE. For example:
For XFCE
./build.sh –variant xfce –verbose
For KDE
./build.sh –variant kde –verbose
For MATE
./build.sh –variant mate –verbose

6) When done, cd to the images folder and list the contents.
> cd /root/ISO/live-build-config/images
> ls -l
-rw-r–r– 1 root root 8184537088 Aug 31 14:23 kali-linux-rolling-amd64.iso
-rw-r–r– 1 root root 1619921 Aug 31 14:24 kali-linux-rolling-amd64.log

To check the size of the ISO:
> du -h kali-linux-rolling-amd64.iso
7.7G kali-linux-rolling-amd64.iso

HOWTO mount a Synology NAS SMB share on Linux with SMBv1 disabled

11 Sunday Mar 2018

Posted by in Linux, Security

1 Comment

If you haven’t disabled SMBv1 everywhere, on every PC, NAS, server, you should.

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

https://www.synology.com/en-uk/knowledgebase/DSM/help/DSM/AdminCenter/file_winmacnfs_win

After disabling SMBv1 on a Synology NAS with DSM 6.1.5-15254 Update 1, I could no longer mount the shares from Linux. On Linux Mint 18.3 with KDE, you can’t select SMBv2 or 3 in the Dolphin or Smb4K GUI (yet) so you have to mount it from the cli.

Both smbclient and mount worked when I specified the SMB version. Note that both commands will prompt you for your password.

user1@lmint ~ $ sudo mount -t cifs //192.168.1.10/data /home/user1/Synology -o username=user1,vers=2.0,sec=ntlmv2

user1@lmint ~ $ smbclient ‘//192.168.1.10/data’ -m SMB2

Completing the vSphere vCenter Appliance Hardening Process

19 Saturday Mar 2016

Posted by in Linux, Security, VMware

Leave a comment

Tags

, , ,

The vCenter Appliance is a SuSE Linux VM that ships fully hardened by VMware to the DoD STIG specifications. There are a few site specific settings you must perform to complete the hardening. This post provides the steps to complete the process.

1) Change the root password. Login to the appliance and as root, run:
> passwd
New password:
Retype new password:
Password changed.

> cat /etc/shadow | grep root
root:$6$(truncated)

If the root password starts with a $6$ hash, this confirms it is using a sha512 hash.

2) Set password expiry. Change the root expiry from 3 years to 1 year.
> passwd -x 365 root
Password expiry information changed.

3) Execute the Dodscript.sh script.
> cd /etc/
> ./dodscript.sh
Shutting down auditd                done
Starting auditd

4) You may be a company or site that has a custom banner. If so, edit (and verify) the banners to replace the DoD language with your own.
> vi /opt/vmware/etc/isv/welcometextDoD and paste in your banner.
> cat /opt/vmware/etc/isv/welcometextDoD > /etc/issue  (linked to issue.DoD)
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext.template

5) Configure secure shell, admin accounts, and console access on the appliance. Add a user account that can su to root:
> useradd -s /bin/bash -m -d /home/(your username) -g users -G wheel (your username)

> passwd <your username>
Changing password for (your username)
New password:
Retype new password:
Password changed.

> su – (your username) to verify.

a) Test ability to su to root and verify identity:
> su – root
Password:
Last login: Sat 19 12 12:51:26 UTC 2016 from PC on pts/1
Directory: /root
Tue Mar 19 13:18:33 UTC 2016

> whoami
root

b) Note: The step below isn’t included in the documentation but if you don’t do it you will be locked out.
> vi /etc/security/access.conf

At the end of the file change -:ALL:ALL to +:ALL:ALL

c) Test that the user you just created can login via SSH and su – root before you proceed. Use ssh cli, PuTTY, etc.
> ssh -v (your username)@(your vCenter appliance hostname or IP)
Once logged in:
> su – root

d) Disable direct root SSH access to the appliance.
> vi /etc/ssh/sshd_config

change PermitRootLogin yes to PermitRootLogin no

e) Restrict SSH to the local network of the appliance.
> vi /etc/hosts.allow and add the following:

sshd:127.0.0.1:ALLOW
sshd:[::1]:ALLOW
sshd:(the same network your appliance is on):ALLOW

f) Restart sshd to read the changes:

> service sshd restart
Shutting down SSH daemon                  done
Starting SSH daemon

g) Disable direct root console login on the appliance. This means you must first login as a user and su to root. After setting this, when you try to login on the appliance console as root, it should say login incorrect.
> vi /etc/securetty

Set the first two lines as follows:
#tty1
console

6) Verify time synchronization. Recall that NTP is configured when you first import and setup the appliance. As root, verify:

> service ntp status
remote           refid      st t when poll reach   delay   offset  jitter
=============================================
192.168.1.252    .LOCL.       1 u   37   64    1    1.145  459.906   0.001
192.168.1.252     192.168.1.253  2 u   36   64    1    1.273  464.924   0.001

Checking for network time protocol daemon (NTPD):    Running

7) Setup log forwarding with syslog-ng and auditd. Uncomment and edit the following lines to fit your remote syslog server IP address:
> vi /etc/syslog-ng/syslog-ng.conf

destination logserver { udp(“Syslog_svr_IP_Address” port(514));};
log {source(src); destination(logserver);};

a) Restart the service.
> service syslog restart
Shutting down syslog services               done
Starting syslog services

b) Send your audit data to syslog.
> vi /etc/audisp/plugins.d/syslog.conf

change active=no to active=yes

c) Restart auditd.
> service auditd restart
Shutting down auditd                         done
Starting auditd

d) Tune audit performance.
> vi /etc/audisp/audispd.conf

change the following to 1280 and 8
q_depth = 1280
priority_boost = 8

e) Control the number and rotation of log files.
> vi /etc/logrotate.d/syslog

change all entries for rotate 15 to rotate 7

> vi /etc/logrotate.d/audit

change all entries for rotate 15 to rotate 7

8) Set a boot loader or grub password.
> cat /boot/grub/menu.lst | grep password

password –md5 (a_long_hash_will_be_here)

a) Create a password for grub. This is how the sequence goes: you enter grub and run the md5crypt command to create a hashed password. Once you type in the password, the hash is presented. Copy the password hash. Run the quit command to return to the root shell.

> grub

grub> md5crypt

Password: (Enter your password here)
Encrypted: (a_long_hash_will_be_here)
grub> quit

b) Add the following to the third line of the file:
> vi /boot/grub/menu.lst

password –md5 (the password hash from above)

9) Configure NFS and NIS. If you are not using NFS or NIS, disabled the services. You probably aren’t using them.
> chkconfig ypbind off
> chkconfig nfs off
> chkconfig rpcbind off
> service ypbind stop
> service nfs stop
> service rpcbind stop

10) Reboot to refresh your system and seat all of the changes.
> reboot

HOWTO Secure iSCSI Luns Between Ubuntu Server 14.10 and NetApp Storage with Mutual CHAP

29 Monday Dec 2014

Posted by in iSCSI, Linux, Security

Leave a comment

Tags

, ,

This post demonstrates how to enable two-way or mutual CHAP on iSCSI luns between Ubuntu Server 14.10 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple. Note that Ubuntu follows the no root model so you must use sudo on privileged command. I will not show every “enter password” prompt in the doc. When you see it, just enter your password.

1) Install open-iscsi on your server.
> sudo apt-get install open-iscsi
> sudo reboot (don’t argue with me, just do it!)

2) Display your server’s new iscsi initiator or iqn nodename.
> sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1993-08.org.debian:01:ce45f9ecc9b

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregrate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) On the NetApp filer, create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01

5) On the NetApp filer, create an igroup and add the Linux iscsi nodename or iqn from step 2 above to it.
netapp> igroup create -i -t linux ISCSI_MCHAP_UB1410
netapp> igroup add ISCSI_MCHAP_UB1410 iqn.1993-08.org.debian:01:ce45f9ecc9b
netapp> igroup show

ISCSI_MCHAP_UB1410 (iSCSI) (ostype: linux):
iqn.1993-08.org.debian:01:ce45f9ecc9b (not logged in)

6) Map the lun to the iscsi-group and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01 ISCSI_MCHAP_UB1410 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.4055372815

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1993-08.org.debian:01:ce45f9ecc9b -s chap -p MCHAPUB1410 -n iqn.1993-08.org.debian:01:ce45f9ecc9b -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.4055372815

netapp> iscsi security show
init: iqn.1993-08.org.debian:01:ce45f9ecc9b auth: CHAP Local Inbound password: **** Inbound username: iqn.1993-08.org.debian:01:ce45f9ecc9b Outbound
password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below. You can just copy this into the file under iscsid.startup = /usr/sbin/iscsid but make sure you comment out node.startup = manual just below it. Since you want it to start automatically comment out node.leading_login = No.

> sudo vi /etc/iscsi/iscsid.conf:
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1993-08.org.debian:01:ce45f9ecc9b
node.session.auth.password = MCHAPUB1410
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1993-08.org.debian:01:ce45f9ecc9b
discovery.sendtargets.auth.password = MCHAPUB1410
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, discover your iSCSI target (your NetApp storage system).
> sudo iscsiadm -m discovery -t st -p 10.10.10.141
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

> sudo iscsiadm -m node  (this should display the same as above)
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

11) On the server, manually login to the iSCSI target (your storage array). Note there are two “- -” dashed in front of targetname and login.
> sudo iscsiadm -m node –-targetname “iqn.1992-08.com.netapp:sn.4055372815” -–login

Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] successful.

On the NetApp storage console you should see the iSCSI sessions:
[iscsi.notice:notice]: ISCSI:
New session from initiator iqn.1993-08.org.debian:01:ce45f9ecc9b at IP addr 10.10.10.128

Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 1
Initiator Information
Initiator Name: iqn.1993-08.org.debian:01:ce45f9ecc9b
ISID: 00:02:3d:01:00:00
Initiator Alias: ub1410

12) Stop and start the iscsi service on the server.
> sudo service open-iscsi stop
Pause for 10 seconds and then run the next command.
> sudo service open-iscsi start

13) From the server, check your session.
> sudo iscsiadm -m session -P 1

14) From the server, check the NetApp iSCSI details. Note that mode, targetname and portal have two “- -” dashes in front of them.
> sudo iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.4055372815” –portal 10.10.10.141:3260

15) From the server, find and format the new lun (new disk). The command below will find the device. In this case its sdb.
> dmesg | grep “unknown partition table”
[ 1930.949065]  sdb: unknown partition table
[ 2167.186068]  sdb: unknown partition table

> sudo fdisk /dev/sdb  (note: commands are in bold red below)

Welcome to fdisk (util-linux 2.25.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xe4775fd7.

Command (m for help): w

The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

> sudo fdisk /dev/sdb

Command (m for help): n
Partition type
p   primary (0 primary, 0 extended, 4 free)
e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): press enter
Last sector, +sectors or +size{K,M,G,T,P} (2048-10485759, default 10485759): press enter

Created a new partition 1 of type ‘Linux’ and of size 5 GiB.

Command (m for help): p
Disk /dev/sdb: 5 GiB, 5368709120 bytes, 10485760 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 65536 bytes
Disklabel type: dos
Disk identifier: 0xc68508a4

Device     Boot Start      End  Sectors Size Id Type
/dev/sdb1        2048 10485759 10483712   5G 83 Linux

Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

16) On the server, create the Linux file system on the new partition.
> sudo mkfs -t ext4 /dev/sdb1
mke2fs 1.42.10 (18-May-2014)
Discarding device blocks: done
Creating filesystem with 1310464 4k blocks and 327680 inodes
Filesystem UUID: d125b8ff-a690-4cbb-925d-645764d41172
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

17) Verify the partition.
> sudo blkid /dev/sdb1
/dev/sdb1: UUID=”d125b8ff-a690-4cbb-925d-645764d41172″ TYPE=”ext4″ PARTUUID=”c68508a4-01″

18) Create the mount point and manually mount the directory.
> sudo mkdir /newiscsilun
> sudo mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
/dev/sdb1  4.8G   10M  4.6G   1% /newiscsilun

19) Add the new mount point to /etc/fstab.
> sudo vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

20) Test that it survives a reboot by rebooting the server now. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify that it is mounted.

> df -h | grep newiscsilun
/dev/sdb1  4.8G   10M  4.6G   1% /newiscsilun

21) On the server you can check session stats.
> sudo iscsiadm -m session -s

22) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> sudo chmod 600 /etc/iscsi/iscsid.conf

23) On the NetApp storage you can verify the lun and the server’s session.
netapp> lun show -v /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01
/vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: BQVJ3]DxwBcB
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_UB1410=1
Occupied Size:  132.8m (139202560)
Creation Time: Mon Dec 29 13:33:18 EST 2014
Cluster Shared Volume Information: 0x0

You can also get stats with the command below.
netapp>  iscsi session show -v

HOWTO Secure iSCSI Luns Between Oracle Enterprise Linux 7 and NetApp Storage with Mutual CHAP

01 Monday Sep 2014

Posted by in iSCSI, Linux, Oracle, Security

Leave a comment

Tags

, , ,

This post demonstrates how to enable Bidirectional or Mutual CHAP on iSCSI luns between Oracle Enterprise Linux 7 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.

1) If not already installed, install the iSCSI initiator on your server.
> yum install iscsi-initiator*

2) Display your server’s new iSCSI initiator or iqn nodename.
> cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:77ff4f784c55

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created.  If not, use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) Create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01

5) Create an igroup and add the Linux iscsi nodename or iqn from step 2 above to the new igroup.
netapp> igroup create -i -t linux ISCSI_MCHAP_OEL7
netapp> igroup add ISCSI_MCHAP_OEL7 iqn.1988-12.com.oracle:77ff4f784c55
netapp> igroup set ISCSI_MCHAP_OEL7 report_scsi_name yes
netapp> igroup show ISCSI_MCHAP_OEL7

ISCSI_MCHAP_OEL7 (iSCSI) (ostype: linux):
iqn.1988-12.com.oracle:77ff4f784c55 (not logged in)

6) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01 ISCSI_MCHAP_OEL7 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.4055372815

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1988-12.com.oracle:77ff4f784c55 -s chap -p OEL7 -n iqn.1988-12.com.oracle:77ff4f784c55 -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.4055372815

netapp> iscsi security show
Default sec is None
init: iqn.1986-03.com.sun:01:e00000000000.52bcad1c auth: CHAP Local Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:e000000000bound password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815
init: iqn.1988-12.com.oracle:77ff4f784c55 auth: CHAP Local Inbound password: **** Inbound username: iqn.1988-12.com.oracle:77ff4f784c55 Outbou** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below.
> vi /etc/iscsi/iscsid.conf
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
node.session.auth.password = OEL7
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
discovery.sendtargets.auth.password = OEL7
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, restart the service and discover your iSCSI target (your storage system).
> service iscsi restart
Redirecting to /bin/systemctl restart  iscsi.service

a) Verify the target.
> iscsiadm -m discovery -t st -p 10.10.10.141
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

> iscsiadm -m node  (this should display the same as above)
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

11) On the server, manually login to the iSCSI target (your storage array). Note there are two dashes “- -” in front of targetname and login.
> iscsiadm -m node –targetname “iqn.1992-08.com.netapp:sn.4055372815” –login
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] successful.

a) On the NetApp storage console you should see the iSCSI session:
[netapp:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1988-12.com.oracle:77ff4f784c55 at IP addr 10.10.10.201

b) Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 4
Initiator Information
Initiator Name: iqn.1988-12.com.oracle:77ff4f784c55
ISID: 00:02:3d:06:00:00
Initiator Alias: localhost.localdomain

12) From the server , check your session.
> iscsiadm -m session -P 1
Target: iqn.1992-08.com.netapp:sn.4055372815 (non-flash)
Current Portal: 10.10.10.141:3260,1000
Persistent Portal: 10.10.10.141:3260,1000
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1988-12.com.oracle:77ff4f784c55
Iface IPaddress: 10.10.10.201
Iface HWaddress: <empty>
Iface Netdev: <empty>
SID: 6
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE

13) From the server, check the NetApp iSCSI details. Note there are two dashes “- -” in front of mode, targetname and portal.
> iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.4055372815″ –portal 10.10.10.141:3260
# BEGIN RECORD 6.2.0.873-21
node.name = iqn.1992-08.com.netapp:sn.4055372815
node.tpgt = 1000
node.startup = automatic
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.dhcp_alt_client_id_state = <empty>
iface.dhcp_alt_client_id = <empty>
iface.dhcp_dns = <empty>
iface.dhcp_learn_iqn = <empty>
iface.dhcp_req_vendor_id_state = <empty>
iface.dhcp_vendor_id_state = <empty>
iface.dhcp_vendor_id = <empty>
iface.dhcp_slp_da = <empty>
iface.fragmentation = <empty>
iface.gratuitous_arp = <empty>
iface.incoming_forwarding = <empty>
iface.tos_state = <empty>
iface.tos = 0
iface.ttl = 0
iface.delayed_ack = <empty>
iface.tcp_nagle = <empty>
iface.tcp_wsf_state = <empty>
iface.tcp_wsf = 0
iface.tcp_timer_scale = 0
iface.tcp_timestamp = <empty>
iface.redirect = <empty>
iface.def_task_mgmt_timeout = 0
iface.header_digest = <empty>
iface.data_digest = <empty>
iface.immediate_data = <empty>
iface.initial_r2t = <empty>
iface.data_seq_inorder = <empty>
iface.data_pdu_inorder = <empty>
iface.erl = 0
iface.max_receive_data_len = 0
iface.first_burst_len = 0
iface.max_outstanding_r2t = 0
iface.max_burst_len = 0
iface.chap_auth = <empty>
iface.bidi_chap = <empty>
iface.strict_login_compliance = <empty>
iface.discovery_auth = <empty>
iface.discovery_logout = <empty>
node.discovery_address = 10.10.10.141
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
node.session.auth.password = ********
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = ********
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 10.10.10.141
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD

14) From the server, find and format the new lun (new disk). Your fdisk commands are in bold red below.
> cat /var/log/messages | grep “unknown partition table”
localhost kernel: sdb: unknown partition table

> fdisk /dev/sdb

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x195fbc72.

The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.

Command (m for help): w

> fdisk /dev/sdb
Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): <press enter>
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759): <press enter>
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 65536 bytes
Disk label type: dos
Disk identifier: 0xa1c2729d

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

15) On the server, create the Linux file system on the new partition.
> mkfs -t ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Discarding device blocks: done
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=16 blocks
327680 inodes, 1310464 blocks
65523 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

16) Verify the partition.
> blkid /dev/sdb1
/dev/sdb1: UUID=”eb7fa074-50d8-47d1-83aa-7b69568020e4″ TYPE=”ext4″

17) Create the mount point and manually mount the directory.
> mkdir /newiscsilun
> mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
/dev/sdb1  4.8G   20M  4.6G   1% /newiscsilun

18) Add the new mount point to /etc/fstab.
> vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

19) Test that it survives a reboot by rebooting the server. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify its mounted.

> df -h | grep newiscsilun
/dev/sdb1  4.8G   20M  4.6G   1% /newiscsilun

20) On the server you can check session stats.
> iscsiadm -m session -s
Stats for session [sid: 6, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260]
iSCSI SNMP:
txdata_octets: 137976652
rxdata_octets: 3841684
noptx_pdus: 0
scsicmd_pdus: 1127
tmfcmd_pdus: 0
login_pdus: 0
text_pdus: 0
dataout_pdus: 1827
logout_pdus: 0
snack_pdus: 0
noprx_pdus: 0
scsirsp_pdus: 1127
tmfrsp_pdus: 0
textrsp_pdus: 0
datain_pdus: 793
logoutrsp_pdus: 0
r2t_pdus: 1827
async_pdus: 0
rjt_pdus: 0
digest_err: 0
timeout_err: 0
iSCSI Extended:
tx_sendpage_failures: 0
rx_discontiguous_hdr: 0
eh_abort_cnt: 0

21) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> chmod 600 /etc/iscsi/iscsid.conf

22) On the NetApp storage you can verify the Lun and the server’s session.
netapp>  lun show -v /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01
/vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: BQVJ3]DxwBc-
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_OEL7=1
Occupied Size:  134.0m (140546048)
Creation Time: Sat Aug 30 12:14:47 EST 2014
Cluster Shared Volume Information: 0x0

netapp> iscsi session show -v
Session 6
Initiator Information
Initiator Name: iqn.1988-12.com.oracle:77ff4f784c55
ISID: 00:02:3d:01:00:00
Initiator Alias: localhost.localdomain

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=No
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=2
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 64

Connection Information
Connection 0
Remote Endpoint: 10.10.10.201:41613
Local Endpoint: 10.10.10.141:3260
Local Interface: e0a
TCP recv window size: 131400

Command Information
No commands active

No commands active

HOWTO check compatability of your website on multiple platforms

02 Saturday Aug 2014

Posted by in Linux, Windows

Leave a comment

Tags

,

The sites listed below allow you to verify how your website renders on multiple platforms and browser combinations. Each has their advantages so check both.

http://www.browserstack.com
1) Launch a browser and enter http://www.browserstack.com/screenshots. Enter your URL, select the OS, browser version and click the orange Generate Screenshots button at the bottom of the page.

bc-1
2) The site will render your front page on each of the platforms you selected and create a thumbnail. Click an image and it opens in a larger window so you can verify that it renders properly. In this test, IE on XP and Chrome 35 on Windows 8.1 didn’t fair so well.

bc-2

http://browsershots.org/
1) What elevates browsershots.org is its support for Linux. Launch a browser and enter http://browsershots.org/. Enter your URL at the top. At the bottom you may select screen size, color depth, Javascript, Java and Flash. Just avove that you can select the OS. Next, select the browsers you want to test, or just select “all” just above the screen size drop-down box on the lower left. When you have selected your options, on the upper right click the green Submit button.

bc-3
2) The site will start rendering your selections and generate a thumbnail. Click the image to verify.

bc-4

HOWTO create a local yum repository for Oracle Linux 5.10

13 Tuesday May 2014

Posted by in Linux, Oracle

Leave a comment

Tags

,

1) Choose a location for the contents of Oracle Linux DVD. It could be local disk, an NFS mount point or an iSCSI, fiber channel or FCOE lun. Whatever it is, make sure its mounted, has a filesystem and is available to receive files.

2) I used an NFS mount from a NetApp filer. Make sure you add the mount point to /etc/fstab if you want it to survive a reboot. The directory I created is called oracle_linux_files. You can name it whatever you want.

3) Insert the Oracle Linux DVD into the server and mount it. Copy the contents and install the createrepo rpm.

> mount /dev/cdrom /media

> cd /media/

> cp -rp “OL5.10 x86_64 dvd 20131002” /oracle_linux_files/

> cd /oracle_linux_files/

> mv “OL5.10 x86_64 dvd 20131002” OL5.10_x86_64_dvd_20131002

> cd OL5.10_x86_64_dvd_20131002/Server/

> ls -l | grep createrepo  (to find the rpm)

> rpm -ivf createrepo-0.4.11-3.el5.noarch.rpm

4) Create the local yum repo.

> cd /oracle_linux_files/OL5.10_x86_64_dvd_20131002/

> createrepo .

5) Create yum repository definition file /etc/yum.repos.d/localnfs.repo:

> cd /etc/yum.repos.d/

> vi localnfs.repo and add the following:

[localnfs.repo]
name=localnfs.repo
baseurl=file:///oracle_linux_files/OL5.10_x86_64_dvd_20131002/
enabled=1
gpgcheck=0

> wq!

6) Move the existing repo file.

> mkdir -p /etc/yum.repos.d/archive

> mv /etc/yum.repos.d/public-yum-el5.repo etc/yum.repos.d/archive/

7) Test the new yum configuration.

> yum clean all

> yum list

8) You can now install rpm’s via Gnome Add/Remove Software GUI or yum from the cli.

HOWTO Secure iSCSI Luns Between Red Hat Enterprise Linux 7 (Beta) and NetApp Storage with Mutual CHAP

01 Saturday Feb 2014

Posted by in iSCSI, Linux, NetApp, Security

Leave a comment

Tags

, , ,

This post demonstrates how to enable Bidirectional or Mutual CHAP on iSCSI luns between Red Hat Enterprise Linux 7 (Beta) and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.

1) If not already installed, install the iSCSI initiator on your system.
> yum install iscsi-initiator*

2) Display your server’s new iscsi initiator or iqn nodename.
> cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:ece5618996a9

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created.  If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) Create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01

5) Create an igroup and add the Linux iscsi nodename or iqn from step 2 above to the new igroup.
netapp> igroup create -i -t linux ISCSI_MCHAP_RHEL7
netapp> igroup add ISCSI_MCHAP_RHEL7 iqn.1994-05.com.redhat:ece5618996a9
netapp> igroup show ISCSI_MCHAP_RHEL7

ISCSI_MCHAP_RHEL7 (iSCSI) (ostype: linux):
iqn.1994-05.com.redhat:ece5618996a9 (not logged in)

6) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01 ISCSI_MCHAP_RHEL7 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.84167939

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1994-05.com.redhat:ece5618996a9 -s chap -p RHEL7 -n iqn.1994-05.com.redhat:ece5618996a9 -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.84167939

netapp> iscsi security show
init: iqn.1994-05.com.redhat:ece5618996a9 auth: CHAP Inbound password: **** Inbound username: iqn.1994-05.com.redhat:ece5618996a9 Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below.
> vi /etc/iscsi/iscsid.conf
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.redhat:ece5618996a9
node.session.auth.password = RHEL7
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.redhat:ece5618996a9
discovery.sendtargets.auth.password = RHEL7
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, restart the service and discover your iSCSI target (your storage system).
> service iscsi restart
Redirecting to /bin/systemctl restart  iscsi.service

a) Verify the target.
> iscsiadm -m discovery -t st -p 10.10.10.11
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

> iscsiadm -m node  (this should display the same as above)
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

11) On the server, manually login to the iSCSI target (your storage array). Note there are two dashes “- -” in front of targetname and login.
> iscsiadm -m node –targetname “iqn.1992-08.com.netapp:sn.84167939” –login
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] successful.

a) On the NetApp storage console you should see the iSCSI session:
[iscsi.notice:notice]: ISCSI: New session from initiator iqn.1994-05.com.redhat:ece5618996a9 at IP addr 10.10.10.186

b) Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 88
Initiator Information
Initiator Name: iqn.1994-05.com.redhat:ece5618996a9
ISID: 00:02:3d:01:00:00
Initiator Alias: rhel7

12) From the server , check your session.
> iscsiadm -m session -P 1
Target: iqn.1992-08.com.netapp:sn.84167939
Current Portal: 10.10.10.11:3260,1000
Persistent Portal: 10.10.10.11:3260,1000
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:ece5618996a9
Iface IPaddress: 10.10.10.186
Iface HWaddress: <empty>
Iface Netdev: <empty>
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE

13) From the server, check the NetApp iSCSI details. Note there are two dashes “- -” in front of mode, targetname and portal.
> iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.84167939” –portal 10.10.10.11:3260

14) From the server, find and format the new lun (new disk). Your fdisk commands are in bold red below.
> cat /var/log/messages | grep “unknown partition table”
rhel7 kernel: [   24.102281]  sdb: unknown partition table

> fdisk /dev/sdb

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x2c025f67.

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

> fdisk /dev/sdb
Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): <press enter>
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759): <press enter>
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xeb560917

Device Boot  Start  End       Blocks   Id  System
/dev/sdb1    2048   10485759  5241856  83  Linux

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

15) On the server, create the Linux file system on the new partition.
> mkfs -t ext4 /dev/sdb1
mke2fs 1.42.8 (20-Jun-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310464 blocks
65523 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

16) Verify the partition.
> blkid /dev/sdb1
/dev/sdb1: UUID=”540997d7-ee07-42b3-a4af-612af6812d18″ TYPE=”ext4″

17) Create the mount point and manually mount the directory.
> mkdir /newiscsilun
> mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1  4.8G  10M  4.6G   1% /newiscsilun

18) Add the new mount point to /etc/fstab.
> vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

19) Test that it survives a reboot by rebooting the server. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify its mounted.

> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1  5.0G  139M  4.6G   3% /newiscsilun

20) On the server you can check session stats.
> iscsiadm -m session -s
Stats for session [sid: 1, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260]
iSCSI SNMP:
txdata_octets: 17096
rxdata_octets: 748232
noptx_pdus: 0
scsicmd_pdus: 213
tmfcmd_pdus: 0
login_pdus: 0
text_pdus: 0
dataout_pdus: 0
logout_pdus: 0
snack_pdus: 0
noprx_pdus: 0
scsirsp_pdus: 213
tmfrsp_pdus: 0
textrsp_pdus: 0
datain_pdus: 204
logoutrsp_pdus: 0
r2t_pdus: 0
async_pdus: 0
rjt_pdus: 0
digest_err: 0
timeout_err: 0
iSCSI Extended:
tx_sendpage_failures: 0
rx_discontiguous_hdr: 0
eh_abort_cnt: 0

21) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> chmod 600 /etc/iscsi/iscsid.conf

22) On the NetApp storage you can verify the Lun and the server’s session.
> lun show -v /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01
/vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: hoagPJvrDTup
Share: none
Space Reservation: enabled (not honored by containing Aggregate)
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_RHEL7=1

> iscsi session show -v
Session 90
Initiator Information
Initiator Name: iqn.1994-05.com.redhat:ece5618996a9
ISID: 00:02:3d:01:00:00
Initiator Alias: rhel7

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=No
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=2
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 32

Connection Information
Connection 0
Remote Endpoint: 10.10.10.186:59575
Local Endpoint: 10.10.10.11:3260
Local Interface: e0a
TCP recv window size: 131400

Command Information
No commands active

Using HFS Standalone Web Server to Upgrade NetApp Data ONTAP and SP Firmware

23 Monday Dec 2013

Posted by in Linux, NetApp, Windows

Leave a comment

Tags

, ,

For a while I have been using XAMPP as my goto quick and easy web server to temporarily serve files like ONTAP or SP firmware upgrades. Its easy to use and always works. Then there was Z-WAMP which was great because it was zero install. Again easy to use and always works. The problem was they also carried the extra baggage of PHP, MySQL, etc. All I needed was a simple http instance. And then I found HFS. It stands for HTTP File Server. Its simple, incredibly small, very portable, very easy to use and is a standalone executable. No installation. Just double-click hfs.exe and you are ready to go.

HFS also works perfectly on Linux using wine 1.4 and later. Just don’t use the Wine Gecko option when prompted. On Linux, when you run >wine hfs.exe you will be prompted to download the Gecko option. Just click cancel to continue.

From a NetApp perspective, its perfect for updating Data ONTAP and SP firmware over the network. Especially for shops that don’t run CIFS or NFS or where your Security overlords won’t allow you to NFS export and mount the root volume. I run HFS from my OnCommand Unified Manager server where I have all of my NetApp tools and utilities installed.

Download HFS here:
http://www.rejetto.com/hfs/?f=dl

1) To start, double-click hfs.exe.
a) Select No to add it to your right-click menu (unless you really want to).
b) If you need to change the default port 80 perform this step. If not, skip it. In the upper left, click the Port: 80 button and change it to something like 8082. Click OK.
Notes:
– Depending on how your NetApp applications are deployed, port 80 will probably be taken. A simple port change avoids conflicts. Don’t forget to create a firewall rule if you use a non-standard port.
– If you are running this from a laptop or server without other apps using port 80, then its probably safe to leave on port 80.
– If you want to click the “You Are in Easy Mode” button to change it to “Expert Mode,” you get additional transfer details. Its up to you.
c) Copy the downloaded version of Data ONTAP you will be upgrading to onto the server where you are running HFS.
d) In the HFS window on the upper left under the house/ icon, right-click and select Add files.

hfs01
e) Browse to the Data ONTAP file and select Open. It will now be listed under the home root /. Note that you can also drag and drop the file into this window.

hfs02

2) On the NetApp controller, if not already done, create the software directory and then verify your version and backup kernel.
netapp> software
netapp> software list
netapp> version
netapp> version -b

3) Download and install the Data ONTAP image from your HFS instance. Note the :8082 port definition in the URL below. If you changed it to something other than the default port 80, you must change it on the command line as well. If not, the default port 80 is correct.
netapp> software update http://10.10.10.81:8082/814_q_image.tgz

software: You can cancel this operation by hitting Ctrl-C in the next 6 seconds.
software: Depending on system load, it may take many minutes
software: to complete this operation. Until it finishes, you will
software: not be able to use the console.
software: copying to 814_q_image.tgz
software: 5% file read from location.

<And that’s it. Output of the update truncated to shorten the post>