Category Archives: Other

FreeRadius install howto (1)

FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. In this post I will try to describe basic installation and config options (at least some of them). The biggest problem for me was the lack of documentation and it was very hard to learn something about it when the latest book about Radius was published 8 years ago.

Where possible, I recommend using the packaging system that is used for your distro. The version that is supplied might be out of date, but it is likely to work “out of the box”.

RPM packages

FreeRADIUS is distributed on Fedora/RHEL/CentOS systems as a set of RPM packages. There is a main package called “freeradius” and several subpackages whose name is “freeradius-XXX” where XXX is optional functionality. For example the support needed for MySQL database backend will be found in the package “freeradius-mysql”.

On CentOS and Red Hat, “yum install freeradius” will install FreeRadius 1.1.3, which is several years old. A better option is to install FreeRadius 2.x with yum install freeradius2. Please see the notes above about optional packages. Also, keep in mind that all config files will be installed in /etc/raddb. More info can be found HERE.

More info about RPM versions can be found Here (Thanks J. Dennis).

[root@ms ~]# yum search freeradius
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: mirror.centos.com.ba
 * base: mirror.centos.com.ba
 * extras: mirror.centos.com.ba
 * rpmforge: ftp-stud.fht-esslingen.de
 * updates: mirror.centos.com.ba
Excluding Packages in global exclude list
Finished
====================== Matched: freeradius ===================================
freeradius.x86_64 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.x86_64 : MySQL bindings for freeradius
freeradius-postgresql.x86_64 : postgresql bindings for freeradius
freeradius-unixODBC.x86_64 : unixODBC bindings for freeradius
freeradius2.x86_64 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.x86_64 : Kerberos 5 support for freeradius
freeradius2-ldap.x86_64 : LDAP support for freeradius
freeradius2-mysql.x86_64 : MySQL support for freeradius
freeradius2-perl.x86_64 : Perl support for freeradius
freeradius2-postgresql.x86_64 : Postgresql support for freeradius
freeradius2-python.x86_64 : Python support for freeradius
freeradius2-unixODBC.x86_64 : Unix ODBC support for freeradius
freeradius2-utils.x86_64 : FreeRADIUS utilities

More info about basic settings will be shown later.

Install from source

Download the latest FreeRadius from this link. (Current version is 2.1.10)

# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
# tar xvzf freeradius-server-2.1.10.tar.gz
# cd freeradius-server-2.1.10
# ./configure

It is very likely that the configure step will fail for some reason. To fix this, look for the WARNING lines in its output and install the missing RPMs (yum install libtool-ltdl libtool-ltdl-devel is required).

# make
# make install

This is a default installation, so all config files will be located in /usr/local/etc/raddb, where you should find the following files:

[root@ms raddb]# ls -la
total 220
drwxr-xr-x 7 root root  4096 Jan 27 15:54 .
drwxr-xr-x 4 root root  4096 Jan 27 15:53 ..
-rw-r----- 1 root root   671 Jan 27 15:54 acct_users
-rw-r----- 1 root root  4174 Jan 27 15:54 attrs
-rw-r----- 1 root root   513 Jan 27 15:54 attrs.access_challenge
-rw-r----- 1 root root   458 Jan 27 15:54 attrs.access_reject
-rw-r----- 1 root root   437 Jan 27 15:54 attrs.accounting_response
-rw-r----- 1 root root  2022 Jan 27 15:54 attrs.pre-proxy
drwxr-x--- 2 root root  4096 Jan 27 15:54 certs
-rw-r----- 1 root root  6703 Jan 27 15:54 clients.conf
-rw-r----- 1 root root   883 Jan 27 15:54 dictionary
-rw-r----- 1 root root 18063 Jan 27 15:54 eap.conf
-rwxr-xr-x 1 root root  4744 Jan 27 15:54 example.pl
-rw-r----- 1 root root 12722 Jan 27 15:54 experimental.conf
-rw-r----- 1 root root  2352 Jan 27 15:54 hints
-rw-r----- 1 root root  1604 Jan 27 15:54 huntgroups
-rw-r----- 1 root root  3218 Jan 27 15:54 ldap.attrmap
drwxr-x--- 2 root root  4096 Jan 27 15:54 modules
-rw-r----- 1 root root  2840 Jan 27 15:54 policy.conf
-rw-r----- 1 root root  4873 Jan 27 15:54 policy.txt
-rw-r----- 1 root root   984 Jan 27 15:54 preproxy_users
-rw-r----- 1 root root 26529 Jan 27 15:54 proxy.conf
-rw-r----- 1 root root 27238 Jan 27 15:54 radiusd.conf
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-available
drwxr-x--- 2 root root  4096 Jan 27 15:54 sites-enabled
drwxr-x--- 7 root root  4096 Jan 27 15:54 sql
-rw-r----- 1 root root  3042 Jan 27 15:54 sql.conf
-rw-r----- 1 root root  2475 Jan 27 15:54 sqlippool.conf
-rw-r----- 1 root root  3597 Jan 27 15:54 templates.conf
-rw-r----- 1 root root  6524 Jan 27 15:54 users

The default configuration is designed to work everywhere, and to provide nearly every authentication method. Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.

When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root:

# radiusd -X

This step demonstrates that the server is installed and configured properly. If you have installed Version 2 from source, this step will also create the default certificates used for EAP authentication. If everything went OK, you should see the lines

......
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

To stop freeradius press Ctrl+C.

That’s all for now… In the next few days I will add more articles about FreeRadius.

Simple FTP backup script

The first post for this year…

# nano backup_script

Add the following lines and save.

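#!/bin/sh
# Date stamp for the archive name, e.g. Jan-27-2011
DM=$(date +"%b-%d-%Y")
# Create the archive; -P keeps absolute paths. Stop if tar fails.
tar -Pzcf "/backup/backup_$DM.tar.gz" /backup/some_dir/ || exit 1
cd /backup || exit 1
# -n: no auto-login, -v: print the server replies
ftp -nv <<EOF
open 192.168.1.2
user ftp_username ftp_password
bin
put backup_$DM.tar.gz
quit
EOF
# Plain echo: "echo -e" is not portable under /bin/sh
echo "FTP backup done!"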

Make it executable with

# chmod +x backup_script

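Of course, you need to replace ftp_username and ftp_password with a valid username and password. Also, the IP address should be replaced with your FTP server's IP address. Because the script contains the password in plain text, make sure only its owner can read it.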

Add this script to cron (for example once per day at 4:00AM)
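The script above prints "FTP backup done!" whatever the server answered. One way to confirm the upload, as an added example that is not part of the original script: redirect the output of ftp -nv to a log file and check the server reply codes in it. The function name and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original backup script.
# In the script: send the output of "ftp -nv" to a log file, then run
#   ftp_transcript_ok "$LOG" || exit 1

# Succeeds only if the transcript shows a login (230), a completed
# transfer (226) and no 4xx/5xx error reply from the server.
ftp_transcript_ok() {
    awk '
        / bytes (sent|received) in / { next }  # client statistics, not a reply
        /^230[ -]/            { login = 1 }
        /^226[ -]/            { xfer  = 1 }
        /^[45][0-9][0-9][ -]/ { err   = 1 }
        END { exit !(login && xfer && !err) }
    ' "$1"
}

# Constructed transcripts: reply codes follow RFC 959, the wording is made up.
GOOD_LOG=$(mktemp)
BAD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<'EOF'
Connected to 192.168.1.2.
220 FTP server ready.
331 Please specify the password.
230 Login successful.
200 Switching to Binary mode.
150 Ok to send data.
226 Transfer complete.
452 bytes sent in 0.01 secs
221 Goodbye.
EOF
cat > "$BAD_LOG" <<'EOF'
Connected to 192.168.1.2.
220 FTP server ready.
331 Please specify the password.
530 Login incorrect.
221 Goodbye.
EOF

for log in "$GOOD_LOG" "$BAD_LOG"; do
    if ftp_transcript_ok "$log"; then
        echo "upload confirmed"
    else
        echo "upload FAILED, keep the local archive and alert"
    fi
done
```

The "452 bytes sent" line in the first transcript is there on purpose: it is client statistics that happen to look like an error code, and the function skips it.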

Reducing ibdata1 – howto

One of the biggest mistakes you can make with MySQL is to leave its default configuration. It will work, but not as it should.

For example, a default MySQL installation (5.0x) will keep all InnoDB data in one file – ibdata1. This file is usually located in /var/lib/mysql (at least on RH and Debian based distros) and after a few months it can become very big (in my case it was 20GB). The file has an initial size of 10MB and extends automatically, but it can’t be reduced with DELETE, TRUNCATE or DROP. It could reach the maximum size allowed by the filesystem if no limit is set in the my.cnf file (Debian/Ubuntu: /etc/mysql/my.cnf; RH based distros: /etc/my.cnf). The best idea is to force MySQL to create an .ibd file for each InnoDB table (add innodb_file_per_table in my.cnf and restart mysql). Unfortunately, this won’t affect old tables that already exist and are in use.

You can “FIX” this in several ways, but no matter which option you choose, BACKUP YOUR WHOLE MYSQL DATA DIRECTORY and stop the services connected to your MySQL server (httpd, radius, postfix, dovecot, etc).

Keep in mind that converting InnoDB table to MyISAM will kill foreign keys so do not do it unless you know how to recreate your foreign keys.

The best option is to dump all your databases in one sql file.

Step 1

# /usr/bin/mysqldump --extended-insert --all-databases --add-drop-database --disable-keys --flush-privileges --quick --routines --triggers > backup.sql

Step 2

Stop mysql server with

# service mysqld stop

or

# /etc/init.d/mysqld stop

Step 3

Backup complete mysql data dir (/var/lib/mysql).

# cd /var/lib/
# mv mysql mysql_backup
# mkdir mysql
# chown mysql:mysql mysql

Then you should have something like

drwxr-xr-x  5 mysql     mysql     4096 2010-12-30 13:38 mysql

Step 4

Add innodb_file_per_table option in /etc/my.cnf file and save file

Step 5

Re-initialize the database with the following commands

# su mysql
$ mysql_install_db
$ exit

Step 6

Start mysql server with service mysqld start and get into mysql console with

# mysql -u root

Then execute the following commands

SET FOREIGN_KEY_CHECKS=0;
SOURCE backup.sql;
SET FOREIGN_KEY_CHECKS=1;

Step 7

Restart mysql server with service mysqld restart

That should be all.

In case something goes wrong, you still have the mysql_backup dir, which contains all your databases and files. Simply rename the new mysql dir to mysql_new and mysql_backup to mysql. Then restart mysql.

Keep in mind that this operation will kill all services that depend on mysql. So, be quick 🙂

Also, a good idea is to execute the command mysql_secure_installation, which will “tighten” your MySQL server.
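Step 3 moves the live data directory away, so the dump from step 1 and the my.cnf change from step 4 are worth checking before that point. The following is an added example, not part of the original procedure; the function names and sample files are constructed, and it assumes the option belongs in the [mysqld] section, which is the section the server reads.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run before step 3.

# dump_is_complete FILE: mysqldump ends its output with a "-- Dump completed"
# comment; a dump cut short (full disk, killed job) lacks it.
dump_is_complete() {
    tail -n 5 "$1" | grep -q '^-- Dump completed'
}

# file_per_table_enabled CNF: true only if the option is set, uncommented,
# inside the [mysqld] section.
file_per_table_enabled() {
    awk '
        /^[ \t]*\[/ { srv = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        srv && /^[ \t]*innodb[_-]file[_-]per[_-]table[ \t]*(=[ \t]*(1|ON|on)[ \t]*)?$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample files standing in for backup.sql and /etc/my.cnf.
WORK=$(mktemp -d)
printf '%s\n' 'CREATE DATABASE `radius`;' 'INSERT INTO t VALUES (1);' \
    '-- Dump completed on 2010-12-30 13:30:00' > "$WORK/full.sql"
printf '%s\n' 'CREATE DATABASE `radius`;' 'INSERT INTO t VAL' > "$WORK/cut.sql"
printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' 'innodb_file_per_table' \
    '[mysqld_safe]' 'log-error=/var/log/mysqld.log' > "$WORK/good.cnf"
printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' '#innodb_file_per_table' \
    '[mysqld_safe]' 'innodb_file_per_table' > "$WORK/bad.cnf"

# preflight DUMP CNF: returns 0 when it is safe to move the data directory.
preflight() {
    dump_is_complete "$1" || { echo "dump $1 is truncated"; return 1; }
    file_per_table_enabled "$2" || { echo "$2: option not under [mysqld]"; return 1; }
    echo "ok: $1 and $2 pass"
}

preflight "$WORK/full.sql" "$WORK/good.cnf"
preflight "$WORK/cut.sql"  "$WORK/good.cnf" || true
preflight "$WORK/full.sql" "$WORK/bad.cnf"  || true
```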

mcelog problem

A few servers I maintain totally confused me. The loadavg is steadily increasing every round hour. With the top command I can’t see any relevant process which could produce high load.

top - 15:07:17 up 41 days,  3:52,  1 user,  load average: 4.22, 1.61, 0.76
Tasks: 147 total,   1 running, 146 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us,  0.7%sy,  0.0%ni, 85.5%id, 13.5%wa,  0.1%hi,  0.2%si,  0.0%st
Mem:   1025084k total,  1016732k used,     8352k free,    24472k buffers
Swap:  2064376k total,      116k used,  2064260k free,   133380k cached
 
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 6082 root      15   0  126m 9632 5008 S  0.3  0.9   0:00.50 php
 7363 root      15   0 12736 1112  808 R  0.3  0.1   0:00.03 top
27418 root      15   0  347m 3860 1096 S  0.3  0.4   0:22.80 radiusd
    1 root      15   0 10344  680  568 S  0.0  0.1   0:01.88 init
    2 root      RT  -5     0    0    0 S  0.0  0.0   0:00.54 migration/0
    3 root      34  19     0    0    0 S  0.0  0.0   0:15.33 ksoftirqd/0
    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:01.81 migration/1
    6 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/1
    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
    8 root      RT  -5     0    0    0 S  0.0  0.0   0:39.01 migration/2
...

The server is CentOS 5.5 64b, quad core Intel processor. After some digging I found out that 4 servers are affected and they are CentOS 5.x 64b. 32bit systems are not affected…

So, the first step is to check the cron settings, because it is obvious that something is triggered by cron (hourly). Here it is: mcelog.cron. After Googling about this problem I found this LINK. Or here LINK.

The bug is “closed” but I wouldn’t say so… I had latest mcelog installed and it causes the same problem which is described above.

Exclude some packages from update

During the update process, RH-based distros will always try to update all installed packages. Sometimes that is not recommended. For example, the default Postfix comes without the quota patch and without MySQL support. The update process will also install 32-bit files even when your system is 64-bit, etc.

To solve this problem you can add --exclude=package* to the yum update command

# yum --exclude=package* update

For example

# yum --exclude=postfix* update

or

# yum --exclude=kernel* update

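Also, if you don’t want to think about this every time, you can add an exclude line to the yum.conf file under the [main] section. Keep in mind that a permanent exclude also holds back security updates for the matching packages.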

# nano /etc/yum.conf
[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
exclude=postfix* kernel* php*
 
# Note: yum-RHN-plugin doesn't honor this.
metadata_expire=1h
 
# Default.
# installonly_limit = 3
 
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d

If you don’t want to mess with i386, i586 or i686 files, add exclude=*.i386 *.i586 *.i686 to yum.conf

I hope this post was helpful to you…

PostgreSQL 9.0 Final Release

Unfortunately I don’t have any experience with PostgreSQL but for all DBAs who are familiar… PostgreSQL 9.0 is here!  The PostgreSQL Global Development Group announces the availability of our most eagerly awaited release. PostgreSQL 9.0 includes built-in, binary replication, and over a dozen other major features which will appeal to everyone from web developers to database hackers.

9.0 includes more major features than any release before it, including:

  • Hot standby
  • Streaming replication
  • In-place upgrades
  • 64-bit Windows builds
  • Easy mass permissions management
  • Anonymous blocks and named parameter calls for stored procedures
  • New windowing functions and ordered aggregates

For details on the over 200 additions and improvements in this version, developed by over a hundred contributors, please see the release notes HERE.

I decided to visit Amazon and to find out something usable for reading… This smells good…

Winamp 2.95

Winamp doesn’t have anything to do with servers and administration, so this post will be categorized in the “Other” category. You can skip it if you want…

I downloaded Winamp 2.95 right after it was released (I think it was released during 2001-2002) and it works fine. Every computer I’m working on has this version installed. A few days ago I had a chance to see the latest version… It is big, aggressive, complicated,… All I want is to listen to music. I don’t want to rip music, burn CD/DVD, create media catalogs, etc… To see what I’m talking about check this image.

It looks like Enterprise command board with proton rockets, warp shit, enabled teleport modules… And all I want is to listen music in the background…

To download good old Winamp 2.95 click HERE.

Because a new version is not always better…