Category Archives: Linux

Real-time CPU statistics utility (Linux)

If you have multiprocessor Linux systems, top does not show individual CPU load by default. Press ‘1’ while top is running to change the default behavior and show each processor’s current load. Another utility is mpstat from the sysstat package; it is also capable of showing each processor’s current load.

Now you get to see which processor gets more load. 🙂

ipt_account HOWTO for Fedora Core 6

For the last few days I have been looking for a bandwidth monitoring tool that is more efficient, accurate, and complete than IPFM. I found so many bandwidth monitoring tools (bandwidthd, ipband, darkstat, and a few others) on Google but couldn’t find one that fits what I want. In fact, IPFM suits me better than the others.

While I was reading iptables’ man page, I accidentally came across ‘account’ under ‘MATCH EXTENSIONS’. After reading the brief description and example, I got excited! This iptables match extension provides exactly what I need! With the flexibility of iptables’ rules plus the account match extension, this has to be the best solution for my new bandwidth monitoring system. There is one problem though. Fedora Core doesn’t have it. 🙁

With some experience I got from installing ipp2p by hand, I started trying to make this iptables match extension work on my Fedora Core 6 server. First, I used Google to locate ipt_account’s website. Then I used Google to search for some install guides on ipt_account but couldn’t find any, so I went through its website and found something.

Since I have prepared my system with kernel & iptables source tree, rpmbuild, etc. (basically everything required to build ipp2p modules), I will not go over the “ingredients” again. Sorry!

Download the kernel and iptables patches from this page. Patch the kernel tree:

  • cd /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/
  • patch -p1 < path_to_kernel_patch

You should see the following:

patching file include/linux/netfilter_ipv4/ipt_account.h
patching file net/ipv4/netfilter/ipt_account.c
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile

OK, now the kernel tree is patched. Now do make oldconfig. You will be asked:

account match support (IP_NF_MATCH_ACCOUNT) [N/m/?] (NEW)

Since this will be a kernel module, hit m. Once the process has finished, do make scripts/kconfig/ (if you haven’t previously during ipp2p module build process). Create a temporary directory somewhere (e.g. /tmp/ipt). Copy /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/net/ipv4/netfilter/ipt_account.c into that directory and create a file named Makefile. Paste the following into Makefile:

obj-m := ipt_account.o
KDIR := /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

Make sure that there is a tab before $(MAKE). Save the file and execute make. If the compile process goes well, there will be a file named ipt_account.ko in the directory. Load the module by using insmod. Check lsmod to see the newly loaded module.

If you have got this far, that means your kernel now supports ipt_account. Now we will add ipt_account extension for iptables. To see if your iptables has ipt_account support, do iptables -m account. If it prints out something like “Couldn’t load match `account’: …”, that means there is no iptables account extension yet.

Let’s patch iptables source tree:

  • cd /usr/src/redhat/BUILD/iptables-1.3.5
  • patch -p1 < path_to_iptables_patch

Expect the following:

patching file extensions/libipt_account.c

Open extensions/Makefile, on line 8, add account before ah. Then compile the ipt_account’s extension:

cc -O2 -Wall -Wunused -I/usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/include -Iinclude/ -DIPTABLES_VERSION=\"1.3.5\" -fPIC -o extensions/libipt_account_sh.o -c extensions/libipt_account.c
cc -shared -o extensions/libipt_account.so extensions/libipt_account_sh.o

Copy extensions/libipt_account.so to /lib/iptables and verify the extension: iptables -m account. That’s it! Pretty easy, eh? 🙂

Read this page to test the new iptables account match extension. Enjoy!

ipp2p HOWTO for Fedora Core 6

While this post is titled “for Fedora Core 6”, it may be applicable to previous versions of Fedora Core. I tested this on Fedora Core 4 too, but some steps are different.
Note: This guide uses iptables-1.3.5-1.2.1 and kernel-2.6.19-1.2895.fc6.

First, grab ipp2p-0.8.2.tar.gz or the latest version if there’s any. Extract the tarball and make sure you have iptables and the currently installed kernel’s SRPMs installed. To proceed, I recommend rpm-build to be installed (simply use yum to install, i.e. yum install rpm-build). Next, install both SRPMs using the following command: rpm -ivh file.rpm. If you get “error: cannot create %sourcedir /usr/src/redhat/SOURCES” message, you can create the required directory: mkdir -p /usr/src/redhat. Also, rpm-building the kernel source requires redhat-rpm-config and unifdef to be installed.
Now that the “ingredients” are ready, let’s start doing the fun part.

Go to /usr/src/redhat/SPECS and do rpmbuild -bp iptables.spec; this prepares the iptables source tree to match the source of the currently installed iptables binaries. Do the same for the kernel: rpmbuild -bp kernel-2.6.spec. The newly patched source trees can be found inside the /usr/src/redhat/BUILD directory.

Grab symvers-2.6.19-1.2895.fc6.gz from /boot, gunzip it and rename it to Module.symvers, then move it to the kernel’s source directory (/usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386). Go into that directory, make sure that the existing kernel config (.config) is there, then do: make scripts/kconfig/.
Note: If you can’t find symvers file in /boot, install kernel-devel package and you will find Module.symvers in /usr/src/kernels//.

Next, return to the ipp2p source directory and do two modifications.

Add:

KERNEL_SRC=/usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386

before

KERNEL_SRC ?= $(firstword $(wildcard …

Add:

IPTABLES_SRC = /usr/src/redhat/BUILD/iptables-1.3.5

before

ifeq ($(IPTABLES_SRC),)

Save the changes and do make.

If it compiles successfully, then ipt_ipp2p.ko and libipt_ipp2p.so should be in the directory now.
Copy libipt_ipp2p.so to /lib/iptables. To verify whether this iptables module works, do iptables -m ipp2p -h.
In case you get the following: iptables v1.3.8: Couldn’t load match `ipp2p’, don’t worry. Have a look at this solution and simply recompile the modules.

There are two ways to load the ipp2p kernel module: insmod ipt_ipp2p.ko, or copy ipt_ipp2p.ko to /lib/modules/2.6.19-1.2895.fc6/kernel/net/ipv4/netfilter and do depmod -a.
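
Both the ipt_account and the ipp2p HOWTO end with loading a freshly built .ko, so it is worth confirming that the module's vermagic release matches the running kernel before insmod or depmod. The script below is an added example, not code from the original posts or from either project; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-load check for an out-of-tree module
# (ipt_account.ko or ipt_ipp2p.ko from the HOWTOs above).

# Print the kernel release a module was built for: the first field of vermagic.
vermagic_release() {
    printf '%s\n' "${1%% *}"
}

# Succeed only if the vermagic release equals the given kernel release.
vermagic_matches() {   # $1 = vermagic string, $2 = kernel release (uname -r)
    [ -n "$1" ] && [ "$(vermagic_release "$1")" = "$2" ]
}

# Directory the HOWTO copies the module into before running depmod -a.
module_dest() {        # $1 = kernel release
    printf '/lib/modules/%s/kernel/net/ipv4/netfilter\n' "$1"
}

# Check one .ko file against the running kernel.
check_ko() {           # $1 = path to the .ko file
    ko=$1
    running=$(uname -r)
    vm=$(modinfo -F vermagic "$ko") || { echo "cannot read $ko" >&2; return 2; }
    if vermagic_matches "$vm" "$running"; then
        echo "OK: $ko built for $running; install into $(module_dest "$running")"
    else
        echo "MISMATCH: $ko built for '$(vermagic_release "$vm")', running '$running'" >&2
        echo "do not load it; rebuild against the source tree of the running kernel" >&2
        return 1
    fi
}

# Run only when a module path is given on the command line.
if [ $# -gt 0 ]; then
    check_ko "$1"
fi
```

Run it as `sh check_ko.sh ipt_account.ko` (the script file name is an assumption) in the build directory.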

qmail-chkuser Patch

qmail-chkuser is one of the most useful qmail patches available out there. It helps reduce bandwidth usage for spam emails directed to non-existent users by rejecting them at the SMTP level. Previous versions of chkuser were named chkusr; I used to use chkuser-0.6 from Bill Shupp’s website due to its simplicity. The newer version (chkuser — notice the ‘e’) combines several other patches and provides configurable settings. Some people may like this but some (including me) may not. I use many qmail patches and prefer to keep only the patches that I use. I used chkuser for the latest qmail installation I set up and disabled the other patches chkuser comes with, including logging. Its logging function caused a problem with stunnel: somehow the log output goes to stunnel instead of the log files. I looked for a fix on Google and found a similar problem including a fix. My stunnel installation doesn’t have the ‘-f’ parameter suggested by the patch author, Antonio Nati, so I decided to disable logging, which solved the problem.

PowerAdmin

I have been using PowerDNS plus PowerAdmin every time I’m asked to build a web-frontend-enabled DNS system. Unfortunately the developers of PowerAdmin abandoned the project a while ago (last update was in 2004).
Wim Mostrey made an update to the 2-years-out-of-date PowerAdmin in March 2006. His patch introduces two new features for PowerAdmin.
When installing PowerAdmin, make sure that PEAR-DB and the MySQL extension for PHP are installed. Otherwise it produces an unhelpful error message (Oops! An error occured!). If those two are installed, then PowerAdmin should work properly.

RHEL Apache (Plesk) rebuild

By default, the Apache distribution shipped with RHEL is compiled with a hard limit of 300 FDs. A busy server requires a lot more. This is how I increased the FD hard limit, based on SW-Soft’s FAQ: http://faq.sw-soft.com/index.php?ToDo=view&questId=172&catId=42
A bit outdated, but that’ll do! 🙂

Add the following line to /etc/sysctl.conf:
fs.file-max = 131072

Run the following shell command:
# sysctl -w fs.file-max=131072

Edit __FD_SETSIZE value in /usr/include/bits/typesizes.h to:
#define __FD_SETSIZE 32768
(it was 1024 before)

Find httpd’s source rpm (try rpmfind or Google) and rebuild the package.
xmlto and pcre-devel are required, install both with up2date.
Other crap will be installed too:
pcre-devel xmlto docbook-dtds docbook-style-xsl passivetex sgml-common tetex xml-common xmltex tetex-fonts tetex-latex
Feel free to remove them once package has been rebuilt.

To rebuild the httpd rpm from the source rpm:
rpmbuild --rebuild sourcerpmfilehere.src.rpm

Once the custom binary rpm is ready, install it with -Uvh --force
Although the rebuild process produces 4 rpm files, I think only the httpd rpm is required.

Restart apache with the following commands:
/usr/local/psa/admin/sbin/websrvmng -a -v (not sure why this is needed)
service httpd restart

Valid for Plesk 7.5.
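
A check for the three settings changed above, as an added example that is not part of the original post: it reads fs.file-max from sysctl.conf, compares it with the runtime value, and reads __FD_SETSIZE from the header before the rebuild. The function names and the --live switch are hypothetical; the target values are the ones from the post.

```shell
#!/bin/sh
# Added example: verify the FD-limit settings before rebuilding httpd.

# Print fs.file-max from a sysctl.conf-style file (the last assignment wins).
conf_file_max() {      # $1 = path to sysctl.conf
    sed -n 's/^[[:space:]]*fs\.file-max[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the __FD_SETSIZE value defined in a header file.
header_fd_setsize() {  # $1 = path to typesizes.h
    awk '$1 == "#define" && $2 == "__FD_SETSIZE" { print $3; exit }' "$1"
}

# Compare the persistent, runtime and compile-time values with the targets.
# $1 sysctl.conf  $2 runtime fs.file-max  $3 header  $4 wanted file-max  $5 wanted setsize
audit_fd_limits() {
    rc=0
    conf=$(conf_file_max "$1")
    hdr=$(header_fd_setsize "$3")
    [ "$conf" = "$4" ] || { echo "sysctl.conf: fs.file-max='$conf', want $4 (not persistent)"; rc=1; }
    [ "$2" = "$4" ]    || { echo "runtime: fs.file-max='$2', want $4"; rc=1; }
    [ "$hdr" = "$5" ]  || { echo "header: __FD_SETSIZE='$hdr', want $5 (rebuild keeps old limit)"; rc=1; }
    return $rc
}

# With --live, audit the real system files using the values from the post.
if [ "${1:-}" = "--live" ]; then
    audit_fd_limits /etc/sysctl.conf "$(cat /proc/sys/fs/file-max)" \
        /usr/include/bits/typesizes.h 131072 32768 && echo "all three settings in place"
fi
```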

PowerDNS with Plesk servers

Having a separate secondary NS for Plesk servers will be difficult to manage. To ease the process, I came up with the idea of using PowerDNS’ supermasters feature.
Just shove the IP of the Plesk server, the name of the secondary NS and the server name into the supermasters table.
During the initial touch-up of the Plesk server, make sure, while modifying the DNS zone template, to use THAT Plesk server as the first NS record. Otherwise the wrong SOA name will cause PowerDNS not to recognize the AXFR sent by the Plesk server.
Also make sure the PowerDNS IP is included in the list of hosts allowed to AXFR on Plesk!

Some useful queries for PowerDNS’ SQL:
delete records.* from records, domains where records.domain_id = domains.id and domains.account = 'SERVERNAME';
delete from domains where account = 'SERVERNAME';

Valid for Plesk 7.5.