21 Jan

Sync Linux server time with Network Time Protocol (NTP) servers

To sync Linux server time with Network Time Protocol (NTP) servers, you need to have the NTP client installed on your machine. To install it on an Ubuntu server, execute the below command.

apt-get install ntp

To install it on a Red Hat or CentOS server, execute the below command,

yum install ntp

Once the NTP client is installed, edit the NTP configuration file /etc/ntp.conf

vi /etc/ntp.conf

By default, the configuration file contains a list of NTP servers.

If you wish to change the default values to servers closer to your location, visit the NTP site http://www.pool.ntp.org/. The portal lists the NTP servers for each time zone.

For India, visit the link http://www.pool.ntp.org/zone/in

Once the configuration changes are made, restart the NTP service.

/etc/init.d/ntp restart

To run the time synchronisation with the NTP servers, stop the NTP service and then execute the below command.

/usr/sbin/ntpdate pool.ntp.org

If ntpdate is not installed on your server, run the below command to install it.

apt-get install ntpdate

If you get the error “the NTP socket is in use, exiting” when executing the above command, the NTP service is still running. Stop the service and execute the command again.

If you encounter the error “no server suitable for synchronization found”, check your firewall settings and ensure that UDP port 123 is allowed.

Verify the NTP client status

To verify the NTP client status, three major utilities can be used:

NTPQ

NTPQ is the standard NTP query program, used to monitor the operation of the NTP daemon ntpd and analyse its performance.

Run the below command to obtain the current status of NTP,

ntpq -pn

-n  :  Output all host addresses in dotted-quad numeric format rather than converting to the canonical host names.
-p  :  Print a list of the peers known to the server as well as a summary of their state. This is equivalent to the peers interactive command.

To know more about the utility, please refer to the man page.

man ntpq
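Reading the peer list by eye does not scale to many hosts, so the following added example (not part of the original post) classifies `ntpq -pn` output: whether a system peer is selected, whether its offset is within a limit, and which peers are unreachable. The function names, the threshold argument and the sample output (documentation-range addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret `ntpq -pn` output. Sample data is constructed.
SAMPLE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.5      2 u   33   64  377   12.345    0.512   0.204
+192.0.2.11      203.0.113.6      2 u   40   64  377   15.100   -1.730   0.310
-198.51.100.7    .GPS.            1 u   12   64  377   48.900   25.400   4.120
 198.51.100.8    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_peer_report MAX_OFFSET_MS   (reads `ntpq -pn` output on stdin)
#   OK <peer> <offset>     system peer (*) selected, |offset| within the limit
#   DRIFT <peer> <offset>  system peer selected, |offset| above the limit
#   NOSYNC                 no peer carries the '*' tally code
ntp_peer_report() {
    awk -v max="$1" '
        NR <= 2 { next }                      # header and ruler lines
        substr($0, 1, 1) == "*" {
            peer = substr($1, 2)              # drop the tally character
            off = $9 + 0                      # offset column, milliseconds
            abs = (off < 0) ? -off : off
            state = (abs > max + 0) ? "DRIFT" : "OK"
            printf "%s %s %s\n", state, peer, $9
            found = 1
            exit
        }
        END { if (!found) print "NOSYNC" }
    '
}

# ntp_unreachable: peers whose reach register is 0 (no reply in the last 8 polls)
ntp_unreachable() {
    awk 'NR > 2 {
        split(substr($0, 2), f, " ")          # skip the tally column
        if (f[7] == "0") print f[1]
    }'
}

printf '%s\n' "$SAMPLE_PEERS" | ntp_peer_report 100
printf '%s\n' "$SAMPLE_PEERS" | ntp_unreachable
# On a live host: ntpq -pn | ntp_peer_report 100
```

A host that reports NOSYNC or DRIFT will stamp its logs with skewed times, which is worth alerting on before those logs are needed for correlation.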

NTPSTAT

The ntpstat utility displays the network time synchronisation status. If your server is synchronised to a reference NTP source, the ntpstat command returns the approximate time accuracy.

If ntpstat is not installed on your machine, execute the below command to install it.

apt-get install ntpstat

Execute the below command to get the status of your NTP daemon,

ntpstat

The return value of ntpstat tells you the status. Execute the below command to get the return value,

echo $?

The clock is synchronised if the return value is “0”. If the return value is “1”, the clock is not synchronised. If the return value is “2”, the clock state is indeterminate, e.g. if ntp is not reachable.

To know more about ntpstat usage, please refer to its man page.

man ntpstat

timedatectl

On a systemd-based system, you can use the timedatectl command. The status can be checked by executing the below command,

timedatectl status

If “NTP enabled” is set to “No”, you can edit the systemd-timesyncd configuration file “/etc/systemd/timesyncd.conf” to change it.

 

15 Jan

Install Microsoft Azure Linux Agent – WAAGENT

To install the Microsoft Azure Linux Agent (WAAGENT), two requirements must be met.

  1. SSH access to the Azure virtual machine should be working.
  2. The VM should be running.

To install the package on CentOS, please execute the below command,

sudo yum install waagent

To install the package on Ubuntu, please execute the below command,

sudo apt-get install walinuxagent

If you couldn’t install the Linux agent by following the above steps, proceed with the manual installation given below.

Download Microsoft Azure Linux Agent – WAAGENT

To download Microsoft Azure Linux Agent 2.0.x, please execute,

wget https://github.com/Azure/WALinuxAgent/archive/WALinuxAgent-2.0.<version>.zip

unzip WALinuxAgent-2.0.<version>.zip

# GitHub names the extracted directory <repository>-<tag>
cd WALinuxAgent-WALinuxAgent-2.0.<version>

Example

wget https://github.com/Azure/WALinuxAgent/archive/WALinuxAgent-2.0.16.zip

unzip WALinuxAgent-2.0.16.zip

cd WALinuxAgent-WALinuxAgent-2.0.16

Refer : https://github.com/Azure/WALinuxAgent/releases

To download the latest version,

wget https://github.com/Azure/WALinuxAgent/archive/v2.x.x.zip

unzip v2.x.x.zip

# The extracted directory is <repository>-<version>, without the leading "v"
cd WALinuxAgent-2.x.x

Example

wget https://github.com/Azure/WALinuxAgent/archive/v2.2.2.zip

unzip v2.2.2.zip

cd WALinuxAgent-2.2.2

Refer : https://github.com/Azure/WALinuxAgent/releases

Install Microsoft Azure Linux Agent – WAAGENT

The Python package setuptools is a prerequisite for installing the Azure Linux Agent. To install setuptools in your virtual machine, please execute,

pip install -U pip setuptools

If pip is not installed on your machine, download and install it by following the below steps,

wget https://bootstrap.pypa.io/get-pip.py

python get-pip.py

Once setuptools is installed, proceed with the Azure Linux Agent installation,

sudo python setup.py install

Restart Azure Linux Agent – waagent

For Ubuntu-based servers, please execute the below command to restart the agent,

sudo service walinuxagent restart

For most other Linux distros, the below command will work,

sudo service waagent restart

If that does not work, please try the below command,

sudo systemctl restart waagent

Check Azure Linux Agent Version

To check the Azure Linux Agent (waagent) version, please execute the below command,

waagent -version

To know more about the Azure Linux Agent installation, please refer to the link,

 https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-update-agent#install-the-azure-linux-agent

15 Jan

Steps to modify the time stamp value of files in Linux

Modify time stamp value of files in Linux

We can modify the time stamp of a file using the touch command. The change can apply to the Access Time, the Modify Time, or both. To check the time stamp values of a file, please execute,

stat testfile

Use the below command to create a file with an older time stamp, say May 05 2013,

touch -d 20130505 testfile

To copy the time stamp from an existing file to a new file,

touch -r testfile newtestfile

To copy the time stamp from an existing file to multiple new or existing files,

touch -r testfile newtestfile newtestfile2 newtestfile3

Make changes to Access Time and Modify Time

To modify the Access Time of a file, use the switch “-a”. It changes the access time to the current date and time, as given below.

touch -a testfile

To change the “Modify Time” of a file, use the switch “-m”. It changes the modify time to the current date and time, as given below.
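touch sets the Access and Modify times, but the Change time that stat also prints is set by the kernel at the moment of the touch, so a backdated file shows a Modify time well before its Change time. The following added example (not part of the original post) measures that gap; the function names and the one-day threshold are assumptions, and GNU coreutils (stat -c, touch -d) are assumed.

```shell
#!/bin/sh
# Added example: spot a backdated modify time by comparing it with ctime.

# backdated_by FILE -> seconds by which the modify time precedes the
# change time (0 when the modify time is not older than the change time)
backdated_by() {
    times=$(stat -c '%Y %Z' "$1") || return 1   # "<mtime> <ctime>" in epoch seconds
    mtime=${times% *}
    ctime=${times#* }
    if [ "$ctime" -gt "$mtime" ]; then
        echo $((ctime - mtime))
    else
        echo 0
    fi
}

# Demo on constructed files in a temporary directory.
demo_backdated() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/normal"                    # mtime and ctime both "now"
    touch -d 20130505 "$tmp/testfile"      # same command as in the post
    n=$(backdated_by "$tmp/normal")
    b=$(backdated_by "$tmp/testfile")
    rm -rf "$tmp"
    # 86400 s = one day; the threshold is an arbitrary choice for the demo
    [ "$n" -lt 86400 ] && [ "$b" -gt 86400 ] && echo "testfile backdated"
}

demo_backdated
```

Tools that preserve modify times when copying or extracting files produce the same gap, so treat a hit as a lead for further checks rather than as proof of tampering.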

12 Jan

Configuring and administering UFW using commands

Administering UFW

UFW, or Uncomplicated Firewall, is a tool for managing firewall rules on Ubuntu, Debian and Arch Linux. You can use the below commands for administering UFW.

To install UFW, please execute the below command,

sudo apt-get install ufw

Allow Rules

Always make sure to add the allow rule for SSH first, so that enabling the firewall does not cut off your remote session,

sudo ufw allow ssh

or

sudo ufw allow 22

You can allow or deny a service based on protocol. For example, to allow TCP on port 80, please execute,

sudo ufw allow 80/tcp

or

sudo ufw allow http/tcp

To allow https on port 443, please execute,

sudo ufw allow 443/tcp

or

sudo ufw allow https/tcp

If you wish to allow the UDP protocol on port 1234, please execute,

sudo ufw allow 1234/udp

If you wish to allow traffic from a specific IP address 111.222.333.444, please execute,

sudo ufw allow from 111.222.333.444

If you wish to allow traffic from a specific subnet, then execute,

If you wish to allow a particular IP address to access a specific port, say port 80, then execute,

If you wish to allow a particular subnet address to access a specific port, say port 80, then execute,

 

Block Traffic

To deny traffic from a particular IP address,

sudo ufw deny from 111.222.333.444

If you wish to deny traffic from a particular IP address on a specific network interface, please execute,

sudo ufw deny in on eth1 from 111.222.333.444

If you wish to allow a particular service on a private ethernet interface, say eth1,

sudo ufw allow in on eth1 to any port 3306

To list the rules set in UFW, please execute,

sudo ufw status

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
3306                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

To enable the UFW firewall, please execute,

sudo ufw enable

To disable the UFW firewall, please execute,

sudo ufw disable

To enable UFW logging, please execute,

sudo ufw logging on

Refer : https://en.wikipedia.org/wiki/Uncomplicated_Firewall

11 Jan

Linux network performance tuning

Why do we need fine tuning of network settings?

Usually the default network parameters supplied with the OS are able to handle regular traffic. But if you are managing a high-traffic server and you are experiencing sluggishness in accessing your application, it is recommended to do a network performance tuning of your Linux operating system.

TCP Connection Establishment

As you know, web servers and application servers generally use the Transmission Control Protocol (TCP) for their client-server communication. TCP is a connection-oriented protocol, which means the sender and receiver need to establish a reliable connection between them before transmitting data. As the first step of establishing the connection, the sender sends a connection request to the receiver. If the receiver is ready to accept the data, it sends back an acknowledgement (ACK) with the SYN bit set. The sender then acknowledges the receiver’s initial sequence number and its ACK, and starts its data transfer.

Flow Control & Window Scaling

Since the sender and receiver may not have the same network speed, TCP uses a flow control mechanism named the sliding window protocol, so that the sender and receiver transmit data at the same rate. The receiver and the sender exchange information about the amount of data they can accept using a TCP segment field called the receive window. The receiver updates the field with the amount of data that it can accept.

Upon seeing the value, the sender adjusts its data transmission so that it does not send data beyond this window size until an acknowledgement is received from the receiver. Once an acknowledgement is received and the new receive window size is declared by the receiver, the sender can transmit the next set of data. Earlier, the maximum receive window size that could be specified in a TCP frame was 65,535 bytes. With the Window Scaling feature, the limit is increased to a maximum of 1,073,725,440 bytes (1Gb).

Bandwidth Delay Product (BDP): the bits of data in transit between hosts, equal to Bandwidth * RTT

or in other words,

BDP (bytes) = total bandwidth (KBytes/sec) x round trip time (ms)

The network throughput of that network <= (TCP buffer size / RTT)

The TCP window size needs to be large enough to accommodate network bandwidth x maximum expected delay

or

TCP window size needs to be >= BW * RTT

On a 100 Mbps network with a round trip time (RTT) of 150 ms and a TCP buffer size of 128 KB, the Bandwidth Delay Product is 1.88 MB. The maximum throughput is <= 6.99 Mbps. To use the full 100 Mbps at an RTT of 150 ms, the TCP buffer size should be >= 1831.1 KB.
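The figures above can be reproduced, and repeated for your own link, with the following added example (not part of the original post). The function names are assumptions; it takes 1 Mbps as 10^6 bits per second and 1 KB as 1024 bytes, which is what yields the numbers quoted above.

```shell
#!/bin/sh
# Added example: bandwidth-delay product arithmetic for TCP buffer sizing.
# Function names are illustrative. 1 Mbps = 10^6 bit/s, 1 KB = 1024 bytes.

# bdp_bytes MBPS RTT_MS -> bytes that must be in flight to fill the path
bdp_bytes() {
    awk -v bw="$1" -v rtt="$2" \
        'BEGIN { printf "%.0f\n", bw * 1000000 / 8 * rtt / 1000 }'
}

# min_buffer_kb MBPS RTT_MS -> smallest TCP buffer (KB) that fills the path
min_buffer_kb() {
    awk -v bdp="$(bdp_bytes "$1" "$2")" 'BEGIN { printf "%.1f\n", bdp / 1024 }'
}

# max_throughput_mbps BUFFER_KB RTT_MS -> ceiling imposed by buffer / RTT
max_throughput_mbps() {
    awk -v buf="$1" -v rtt="$2" \
        'BEGIN { printf "%.2f\n", buf * 1024 * 8 / (rtt / 1000) / 1000000 }'
}

# buffer_verdict MAX_BUFFER_BYTES MBPS RTT_MS
# Prints "sufficient" when the buffer covers the BDP, else "window-limited".
buffer_verdict() {
    awk -v max="$1" -v bdp="$(bdp_bytes "$2" "$3")" 'BEGIN {
        v = (max + 0 >= bdp + 0) ? "sufficient" : "window-limited"
        print v
    }'
}

# The case from the text: 100 Mbps, 150 ms RTT, 128 KB buffer.
echo "BDP:             $(bdp_bytes 100 150) bytes"
echo "Buffer needed:   $(min_buffer_kb 100 150) KB"
echo "Throughput cap:  $(max_throughput_mbps 128 150) Mbps with 128 KB"
echo "65535-byte window (no scaling): $(buffer_verdict 65535 100 150)"
echo "16 MB buffer on 10 Gbps/100 ms: $(buffer_verdict 16777216 10000 100)"
```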

Window Scaling

In the network mentioned above, we are wasting 1815 kilobytes of window size (1880-65). So we need to enable the Window Scaling feature. We can modify the window scaling parameter in Linux by editing the sysctl.conf file. You need to set the below parameter to 1.

net.ipv4.tcp_window_scaling = 1

You can do the same by executing the below command,

echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf

Obtain TCP Memory Values

Now obtain the TCP memory values by executing the below command,

cat /proc/sys/net/ipv4/tcp_mem

To view the receive socket memory size, please execute the below two commands,

cat /proc/sys/net/core/rmem_max
cat /proc/sys/net/core/rmem_default

To view the send socket memory size, please execute the below two commands. The first command gives its maximum value and the second its default value.

cat /proc/sys/net/core/wmem_max
cat /proc/sys/net/core/wmem_default

To view the maximum amount of option memory buffers, please execute the below command,

cat /proc/sys/net/core/optmem_max

Performance Tuning

If the receive socket memory size is small, the sender can send only as much data as the receiver socket memory size. So we need to increase this value to a higher value, say 32MB. Likewise, we need the send socket memory size to be large as well, say 32MB. For a 10Gbps network with an RTT of 100ms, the value can be as high as 64MB. If the RTT is 50ms, it can be increased to 128MB.

echo 'net.core.wmem_max=33554432' >> /etc/sysctl.conf
echo 'net.core.rmem_max=33554432' >> /etc/sysctl.conf

The next step is to increase the Linux autotuning TCP buffer limit to 16MB. Here we set the minimum receive window size, which is given to each TCP connection even if the server is under high load. The default value is allocated to each TCP connection. Since we are employing the window scaling feature, the window size grows dynamically up to the maximum receive window size, set in bytes, 16777216. For a 10Gbps network with an RTT of 100ms, the value can be as high as 32MB. If the RTT is 50ms, it can be increased to 128MB.

echo 'net.ipv4.tcp_rmem = 4096 87380 16777216' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_wmem = 4096 65536 16777216' >> /etc/sysctl.conf

It is also recommended to set net.ipv4.tcp_timestamps and net.ipv4.tcp_sack to 1, so that it can reduce the CPU load.

echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf

View congestion control algorithms

To view the list of congestion control algorithms available on your machine, please execute the below command. It is recommended to set htcp as the congestion control mechanism.

sysctl net.ipv4.tcp_available_congestion_control

To set htcp as your congestion control algorithm, please execute the below command,

sysctl -w net.ipv4.tcp_congestion_control=htcp

It is also recommended to increase the incoming backlog queue. The below parameter sets the maximum number of packets queued on the INPUT side when the interface receives packets faster than the kernel can process them.

echo 'net.core.netdev_max_backlog = 65536' >> /etc/sysctl.conf

View the performance tuning done

To save and reload, please execute the below command,

sysctl -p

We can use tcpdump to view the changes on eth1, if eth1 is your NIC.

tcpdump -ni eth1

07 Jan

Commands to delete files older than X days

Delete files older than X days

To delete files older than X days, please execute one of the below commands. They remove files from a specific folder location on your machine or server. To change the number of days, replace 90 with your own value,

find /directory/path/to/your/file -mindepth 1 -mtime +90 -delete

or

find /directory/path/to/your/file -type f -mtime +90 -exec rm {} \;

or

find /directory/path/to/your/file -mindepth 1 -type f -mtime +90 -print0 | xargs -0 -r rm --
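A dry-run wrapper around the find commands above, as an added example that is not part of the original post: it lists what would be removed before anything is deleted, refuses an empty, relative or root path, and passes NUL-delimited names so files with spaces are handled. The function name purge_old, its --delete flag and the demo files are assumptions; GNU find, xargs and touch are assumed.

```shell
#!/bin/sh
# Added example: list first, delete second.

# purge_old DIR DAYS [--delete]
#   without --delete: print regular files older than DAYS days (dry run)
#   with --delete:    remove exactly those files
purge_old() {
    dir=$1 days=$2 mode=${3:-}
    case $dir in
        ''|/) echo "refusing to operate on '$dir'" >&2; return 2 ;;
        /*)   ;;                                   # absolute path: accepted
        *)    echo "refusing relative path '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ "$mode" = "--delete" ]; then
        find "$dir" -mindepth 1 -type f -mtime +"$days" -print0 |
            xargs -0 -r rm -f --
    else
        find "$dir" -mindepth 1 -type f -mtime +"$days" -print
    fi
}

# Demo on constructed files in a temporary directory.
demo_purge() {
    tmp=$(mktemp -d) || return 1
    touch -d 20130505 "$tmp/old report.log"   # backdated; name has a space
    touch "$tmp/recent.log"                   # modified just now
    listed=$(( $(purge_old "$tmp" 90 | wc -l) ))
    purge_old "$tmp" 90 --delete
    left=$(ls "$tmp")
    rm -rf "$tmp"
    echo "$listed $left"                      # files listed, files remaining
}

demo_purge
```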


 

07 Jan

Samba Slow – Oplock break failed for file

Oplock break failed – Slow copying of files in Samba

If you are facing sluggishness when copying files to your Samba drive, there is a good chance that it is caused by the error “Oplock break failed for file”, logged in /var/log/syslog (Ubuntu) or /var/log/messages (other Linux distributions).

To resolve this, you may need to add the below entries to the [global] section of your smb.conf (/etc/samba/smb.conf)

[global]
.......
.......
kernel oplocks = no
nt acl support = no
strict locking = no

Then add the below entries under the [your share name] section of smb.conf. With locking switched off, Samba no longer arbitrates concurrent access to the same file, so apply these entries only to shares where clients do not write to the same files at the same time.

[your share name]
........
........
oplocks = no
share modes = no
locking = no
acl check permissions = false
level2 oplocks = no
strict locking = no
blocking locks = no

07 Jan

Remote join client to WSUS – no psexec

Remote join a client to WSUS without using psexec

To remote join a client to WSUS, execute the below two commands. They need neither psexec nor a login to the client machine.

WMIC /node: process call create "cmd.exe /c GPUpdate.exe /force"
WMIC /node: process call create "cmd.exe /c wuauclt.exe /detectnow"

07 Jan

WSUS not showing cloned machines

If your WSUS is not showing cloned machines, verify the SusClientId and SusClientIdValidation keys on the cloned servers. Most probably all the servers have the same key, so only one of them succeeds in establishing connectivity with your WSUS server. In that case, execute the below script as a bat file on your cloned servers from an elevated command prompt.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/40b694e6-6586-47d3-8a68-dc11ecb7759b/wsus-cloned-server-2008-machines-and-registry-keys?forum=winserverwsus