F5: Remove Appliance mode if not able to login as root user

With F5 BigIP you can activate an "Appliance Mode" as described in SOL12815. Unfortunately, you cannot disable this mode again without installing the whole VM/system from scratch and installing a license without the "Appliance Mode".

BUT... there is a possibility, which I tested and which works.
First you need to install a new license WITHOUT the "Appliance Mode".
Then you need to run the following in tmsh:

# modify sys db systemauth.disablerootlogin value false

If you still have the "Appliance Mode" active in the license you will get an error like the following. Then you need to install a license WITHOUT App Mode:

<number>: Root Account feature not licensed

If you need to disable the root login again, use the following:

# modify sys db systemauth.disablerootlogin value true

I did a "save sys config" and I could directly log in as root again to the F5!

Logserver with Elasticsearch / Logstash / Rsyslog / Kibana on Ubuntu 14.04

In this Documentation I will show how to install and configure Elasticsearch (Log Store and search) / Logstash (Log forwarder) / Rsyslog (Syslog) / Kibana (Web GUI).

Logstash will get the logs from Rsyslog. With this setup it is possible to send standard syslog to the Logserver.

The goal is to use repositories whenever possible, so that we can easily upgrade the packages via apt-get update && apt-get upgrade.


iTerm2 OSX: Jump Word-wise left and right in Navigation

I’m using iTerm 2 daily and I like it very much.
What I was missing is the possibility to jump word-wise in the cli. This can be solved in the following way:

  1. Open the Preferences Pane
  2. Go to the Keys tab
  3. Create a new Key Binding with the Shortcut “⌥ + ←” and use “Send Escape Sequence” as the Action and Set “Esc + b”
  4. Create a new Key Binding with the Shortcut “⌥ + →” and use “Send Escape Sequence” as the Action and Set “Esc + f”

Now you can use the Keys above to jump left and right word-wise.

If you want to delete word-wise, use the Shortcut “⌥ + DELETE” and as Action use “Send Hex Code” with the value of 17.
 

CentOS: Reconfigure Network Interfaces after cloning VM with vCenter

If you clone a VM in VMware to get a new guest system, you will normally get a new MAC address on the new Ethernet interface.
Please make sure that the MAC address setting in vSphere is set to Auto.

So we clone now this VM and we get a new random MAC Address created for our new VM.

When we then boot the new VM, CentOS will tell you that it couldn't activate the network interfaces. When you check the interfaces, you will have an eth1 instead of an eth0.
This is because udev detects the new interface and maps it to a new device name.

To get the same interface and ip-address of your "old" vm you have to do the following:

vim /etc/udev/rules.d/70-persistent-net.rules

Now you can remove all the lines beginning with "SUBSYSTEM…".
Then reboot the machine. The new interface and MAC address will be newly detected by udev, and we have a clean new eth0 device.
The file looks, for example, like this:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:ab:9d:11:13", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Howto Install MIBs in Ubuntu

Install MIBS downloader

sudo apt-get install snmp-mibs-downloader
sudo cp /usr/share/doc/snmp-mibs-downloader/examples/cisco* /etc/snmp-mibs-downloader/
cd /etc/snmp-mibs-downloader && sudo gzip -d ciscolist.gz

Change /etc/snmp-mibs-downloader/snmp-mibs-downloader.conf to:

BASEDIR=/var/lib/mibs
AUTOLOAD="rfc ianarfc iana cisco"

Change /etc/snmp-mibs-downloader/cisco.conf to:

HOST=ftp://ftp.cisco.com
ARCHIVE=v2.tar.gz
ARCHTYPE=tgz
DIR=pub/mibs/v2/
ARCHDIR=auto/mibs/v2
CONF=ciscolist
DEST=cisco

Edit /etc/snmp-mibs-downloader/ciscolist and remove the lines containing:

CISCO-802-TAP-MIB
CISCO-IP-TAP-CAPABILITY
CISCO-IP-TAP-MIB
CISCO-SYS-INFO-LOG-MIB
CISCO-TAP2-CAPABILITY
CISCO-TAP2-MIB
CISCO-TAP-MIB
CISCO-USER-CONNECTION-TAP-MIB

Start downloading all the configured MIBs

sudo download-mibs

Install SNMP Tools

sudo apt-get install snmp

To use the MIB files, comment out the following line in /etc/snmp/snmp.conf:

mibs :

Link: http://x123.net/howto-cisco-mibs-ubuntu.html

Setup SNMP Tools / OID Conversion check

If you have ever set up an SNMP client on a Linux system, you know how difficult it is to get the SNMP MIBs, do the OID translation, etc.

The following shows how to set up SNMP on an Ubuntu Linux host.

Setup SNMP

apt-get install snmp

Comment out the line mibs : in the file /etc/snmp/snmp.conf

OID Conversion check

In its simplest form, snmptranslate takes a numeric OID and displays the corresponding textual MIB name

# snmptranslate .1.3.6.1.2.1.1.3.0
SNMPv2-MIB::sysUpTime.0

It can also perform the reverse translation, taking the textual MIB name and displaying the numeric OID. This uses the -On flag

# snmptranslate -On SNMPv2-MIB::sysUpTime.0
.1.3.6.1.2.1.1.3.0

There are several other ways of displaying an OID. One of these is to show the full list of MIB subidentifier names, using the -Of flag

# snmptranslate -Of SNMPv2-MIB::sysUpTime.0
.iso.org.dod.internet.mib-2.system.sysUpTime.0

Note that these flags determine how the OID should be displayed, regardless of how it was originally specified

# snmptranslate .iso.3.6.1.private.enterprises.2021.2.1.prNames.0
NET-SNMP-MIB::prNames.0
# snmptranslate -On .iso.3.6.1.private.enterprises.2021.2.1.prNames.0
.1.3.6.1.4.1.2021.2.1.2.0
# snmptranslate -Of .iso.3.6.1.private.enterprises.2021.2.1.prNames.0
.iso.org.dod.internet.private.enterprises.ucdavis.procTable.prEntry.prNames.0

Specifying a MIB object

The examples above identified a particular object, either by providing the full list of MIB subidentifiers (numeric, textual or a mixture), or by specifying the relevant MIB module containing the desired MIB object. However MIB objects are guaranteed to be unique within IETF standard MIBs (and are rarely duplicated across vendor-supplied MIBs either). So it would usually be sufficient to simply give the bare MIB object name, with no further qualifications. snmptranslate uses the -IR flag to do this "random-access" lookup

# snmptranslate sysUpTime.0
Invalid object identifier: sysUpTime.0
# snmptranslate -IR sysUpTime.0
SNMPv2-MIB::sysUpTime.0

(The other commands do this by default – only snmptranslate needs it to be explicitly turned on).

It's even possible to provide a regex pattern, and have snmptranslate (or the other command-line tools) do a "best-match" search to find the appropriate MIB object. This uses the -Ib flag; the related -TB flag, used in the example here, lists every MIB node that matches the pattern

# snmptranslate -TB 'sys.*ime'
SNMPv2-MIB::sysORUpTime
SNMPv2-MIB::sysUpTime
HOST-RESOURCES-MIB::hrSystemUptime

Further Information

To get extended information about a particular MIB node, use the -Td flag to display the full description from the MIB file

# snmptranslate -On -Td SNMPv2-MIB::sysUpTime
.1.3.6.1.2.1.1.3
sysUpTime OBJECT-TYPE
  -- FROM    SNMPv2-MIB, RFC1213-MIB
  SYNTAX    TimeTicks
  MAX-ACCESS    read-only
  STATUS    current
  DESCRIPTION    "The time (in hundredths of a second) since the
            network management portion of the system was last
            re-initialized."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) 3 }

This can be combined with the other flags described earlier

# snmptranslate -On -Td -IR sysUpTime
# snmptranslate -On -Td -Ib 'sys.*ime'

to give the same results.

Finally, it's possible to display a formatted diagram of a selected subset of the MIB tree, using the -Tp flag

   # snmptranslate -Tp -IR system
   +--system(1)
      |
      +-- -R-- String    sysDescr(1)
      |        Textual Convention: DisplayString
      +-- -R-- ObjID     sysObjectID(2)
      +-- -R-- TimeTicks sysUpTime(3)
      +-- -RW- String    sysContact(4)
      |        Textual Convention: DisplayString
      +-- -RW- String    sysName(5)
      |        Textual Convention: DisplayString
      +-- -RW- String    sysLocation(6)
      |        Textual Convention: DisplayString
      +-- -R-- Integer   sysServices(7)
      +-- -R-- TimeTicks sysORLastChange(8)
      |        Textual Convention: TimeStamp
      |
      +--sysORTable(9)
         |
         +--sysOREntry(1)
            |
            +-- ---- Integer   sysORIndex(1)
            +-- -R-- ObjID     sysORID(2)
            +-- -R-- String    sysORDescr(3)
            |        Textual Convention: DisplayString
            +-- -R-- TimeTicks sysORUpTime(4)
                     Textual Convention: TimeStamp

This shows the accessibility (read-only, or read-write), syntax, name and subidentifier of each MIB object within the specified subtree, together with the internal structure of those MIB objects.

Running snmptranslate -Tp without an OID argument will display this information for the known MIB tree in its entirety.
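An added example (not part of the net-snmp tutorial): a small parser for the -Tp tree that rebuilds each object's numeric OID from the indentation and lists the read-write objects, which are the ones worth reviewing when SNMP write access is enabled. The function names are hypothetical, and the input is an abridged copy of the listing above.

```python
import re

# Abridged copy of the `snmptranslate -Tp -IR system` listing above (sample input).
TREE = """\
+--system(1)
   |
   +-- -R-- String    sysDescr(1)
   |        Textual Convention: DisplayString
   +-- -R-- TimeTicks sysUpTime(3)
   +-- -RW- String    sysContact(4)
   +-- -RW- String    sysName(5)
   +-- -RW- String    sysLocation(6)
   |
   +--sysORTable(9)
      |
      +--sysOREntry(1)
         |
         +-- ---- Integer   sysORIndex(1)
         +-- -R-- ObjID     sysORID(2)
"""

# "+--name(n)" is a branch; "+-- ACCESS SYNTAX name(n)" is a leaf object.
NODE = re.compile(r"^([ |]*)\+--(?:\s+(\S{4})\s+(\S+)\s+)?([\w-]+)\((\d+)\)")

def parse_tp(text, parent_oid):
    """Return leaf objects with the numeric OID rebuilt from the indentation."""
    stack, objects = [], []          # stack holds (indent, subidentifier)
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue                 # connector or "Textual Convention" line
        indent, access, syntax, name, sub = m.groups()
        while stack and stack[-1][0] >= len(indent):
            stack.pop()              # drop deeper levels and the previous sibling
        stack.append((len(indent), sub))
        if access:                   # only leaf lines carry an access column
            oid = parent_oid + "." + ".".join(s for _, s in stack)
            objects.append(dict(name=name, oid=oid, access=access, syntax=syntax))
    return objects

def writable(objects):
    """Objects whose access column contains W (read-write)."""
    return [o for o in objects if "W" in o["access"]]

if __name__ == "__main__":
    # .1.3.6.1.2.1 is mib-2, the parent of system(1) per the -Td output above.
    for obj in writable(parse_tp(TREE, ".1.3.6.1.2.1")):
        print(obj["oid"], obj["name"], obj["syntax"])
```

On a live system the same function can be fed the real output of snmptranslate -Tp for any subtree, with parent_oid set to the numeric OID of that subtree's parent.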

Link: http://www.net-snmp.org/wiki/index.php/TUT:snmptranslate

JasperServer: Cannot add user or change Privileges for Roles

Today I had to change Access Rights for the JasperServer Users and set the privileges to folders in the Tree.

When I try to change the Access rights, JasperServer just shows me again the Folder View. So no action was taken (??).

The Solution

In the new JasperServer 5.x (maybe since 4.5) there is a new security feature which is enabled by default. In the manual I found the following:

Security - The JasperReports Server now has enterprise-grade
    security through the integration of a comprehensive security
    framework. This new security framework protects the server
    against common security threats. Customers can configure the
    security settings (switch on/off or change the security
    rules) based on their perceived threat level.

How to switch off the Security Framework?

You can find the rules in a config file here:

jasperserver/WEB-INF/classes/esapi/validation.properties

To disable, change the Security Properties File here:

jasperserver/WEB-INF/classes/esapi/security-config.properties

#########################################################
# Jaspersoft Security Configuration
#########################################################
security.validation.input.on=true
security.validation.csrf.on=true
security.validation.sql.on=true
encryption.on=false

Since I run the JasperServer only in an intranet, I switched off the security by changing the three true settings above to false.

Keep in mind that the security feature is useful when you're using a JasperServer connected to the Internet, so switching it off is maybe not a good idea…!
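An added example (not JasperServer code): a check that reads security-config.properties and reports which of the three validation switches named above are off or missing, so a server that later becomes reachable from outside the intranet does not keep running with them disabled. The function names are hypothetical; the first sample is the file content shown above and the other two are constructed.

```python
# The three protections the post switches off; encryption.on is not judged here
# because the page does not say which value is intended.
REQUIRED_ON = (
    "security.validation.input.on",
    "security.validation.csrf.on",
    "security.validation.sql.on",
)

# File content as listed above.
SHIPPED = """\
#########################################################
# Jaspersoft Security Configuration
#########################################################
security.validation.input.on=true
security.validation.csrf.on=true
security.validation.sql.on=true
encryption.on=false
"""
# Constructed samples: the intranet change described above, and a partial edit.
INTRANET = SHIPPED.replace("=true", "=false")
PARTIAL = "security.validation.input.on = true\nsecurity.validation.csrf.on=False\n"

def load_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, state) for every required switch that is not 'true'."""
    props = load_properties(text)
    findings = []
    for key in REQUIRED_ON:
        value = props.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif value.lower() != "true":
            findings.append((key, "disabled"))
    return findings

if __name__ == "__main__":
    for name, sample in (("shipped", SHIPPED), ("intranet", INTRANET), ("partial", PARTIAL)):
        print(name, audit(sample) or "all validation switches on")
```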

Jasper Reports: Inline Images as SVG for better scaling

If you're using Jasper Reports or Jasper Server you sometimes need to place a logo image or a background image to the report.

Jasper Reports can use *.gif or *.png images in reports, but these raster images look very bad when you resize your reports or convert them to *.pdf etc.

Possible Solution

You have some options to make the image look better in your reports:

Create a version of the logo about 400% larger.
Create a *.svg version of the logo.
Convert the image to a vector format.

SVG Version

I created a *.svg version of the logo I used. To do that, I recommend the absolutely perfect iDraw for MacOSX ! With iDraw it is possible to import *.eps and export it again to *.svg. It is very usable to create your own logos etc. but that's another story.

To use the *.svg in Jasper Reports you need the normal <image…> xml tag with the following code:

<image hAlign="Center" vAlign="Middle">
<reportElement x="0" y="0" width="179" height="66"/>
<imageExpression class="net.sf.jasperreports.engine.JRRenderable">
<![CDATA[net.sf.jasperreports.renderers.BatikRenderer.getInstance(new java.io.File("/path/to/logo.svg"))]]>
</imageExpression>
</image>

To use the *.svg from an URL you need the following:

<image hAlign="Center" vAlign="Middle">
<reportElement x="0" y="0" width="179" height="66"/>
<imageExpression class="net.sf.jasperreports.engine.JRRenderable">
<![CDATA[net.sf.jasperreports.renderers.BatikRenderer.getInstance(new java.net.URL("http://server/path/to/logo.svg"))]]>
</imageExpression>
</image>

A hint from a reader (Lutz):

If you use

 net.sf.jasperreports.renderers.BatikRenderer.getInstanceFromLocation("./image/logo.svg")

instead, you can use a relative path too.
With java.io.File you have to define an absolute path, which will cause errors if you share your reports…

Greetings

Lutz

sudo: sorry, you must have a tty to run sudo

I recently had to run a command on a remote machine with the following:

ssh root@host.domain.com sudo -n mount -t cifs //srv/volume -o user=password -o pass=password /tmp/mnt-srv

But I got an error:

sudo: sorry, you must have a tty to run sudo

So how to fix this problem?

Solution 1:

ssh -t root@host.domain.com sudo -n mount -t cifs //srv/volume -o user=password -o pass=password /tmp/mnt-srv

The -t option forces pseudo-tty activation in ssh. This can be used to execute screen based programs on a remote machine.

From the ssh man page:

Force pseudo-tty allocation.  This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services.  Multiple -t options force tty allocation, even if ssh has no local tty.

Solution 2:

Use the su command instead of sudo:

su --session-command="mount -t cifs //srv/volume -o user=password -o pass=password /tmp/mnt-srv"

On the remote machine as root:

ssh root@host.domain.com su --session-command "mount -t cifs //srv/volume -o user=password -o pass=password /tmp/mnt-srv"

And as another user:

ssh root@host.domain.com su --session-command "mount -t cifs //srv/volume -o user=password -o pass=password /tmp/mnt-srv" username