Corosync/Pacemaker in Centos 7 con LCMC

Pacchetti da installare

yum install perl
yum install perl-Digest-MD5
yum install epel-release
rpm -ivh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org
yum update
yum install kmod-drbd90 drbd90-utils
yum install acpid
yum install open-vm-tools

/etc/corosync/corosync.conf

logging {
        fileline: off
        to_logfile: yes
        logfile: /var/log/cluster/corosync.log
        to_stderr: no
        debug: off
        timestamp: on
        to_syslog: yes
        logger_subsys {
                subsys: QUORUM
                debug: off
        }
}
totem {
        version: 2
        token: 3000
        secauth: on
        rrp_mode: active
        transport: udpu
}
nodelist {
  node {
        ring0_addr: 172.21.8.131
        nodeid: 1
       }
  node {
        ring0_addr: 172.21.8.132
        nodeid: 2
       }
}
quorum {
        provider: corosync_votequorum
        two_node: 1
        expected_votes: 2
}

systemctl enable corosync
systemctl enable pacemaker
reboot

andrea

tema vim

.vimrc

#execute pathogen#infect()
syntax on
filetype plugin indent on
set nowrap
set t_Co=256
set background=dark
colorscheme PaperColor

Tema PaperColor
PaperColor-Dark

Wget in /.vim/colors/

wget https://raw.githubusercontent.com/NLKNguyen/papercolor-theme/master/colors/PaperColor.vim

andrea

http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
http://www.sysadminshare.com/2013/06/multipath-config-status-check-in-linux.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html-single/DM_Multipath/index.html#config_file_multipath

Multipath: Active/Passive, Dual Active, and Active/Active


https://serverfault.com/questions/288087/linux-multipath-not-using-all-paths-and-wont-use-queue-length-path-selector/355151
https://h50146.www5.hpe.com/products/software/oe/linux/mainstream/support/doc/option/fibre/pdfs/c02020121.pdf

grep mpt /sys/class/scsi_host/host?/proc_name

rescan-scsi-bus.sh

echo “- – -” > /sys/class/scsi_host/host1/scan
multipath -l

multipathd -k”fail path sdb”
multipathd -k”del path sdb”
multipathd -k”reinstate path sdb”
multipathd -k”show paths”

dmsetup remove /dev/mapper/MSA_BELLNET
dmsetup ls

echo 1 > /sys/block/sde/device/delete
echo 1 > /sys/block/sda/device/rescan

service multipath-tools restart

partprobe /dev/sdb
sfdisk -R /dev/sdb
partx -u /dev/sdb
blockdev –rereadpt /dev/mapper/MSA_BELLNET
partprobe -s

pvcreate –uuid “DMD39I-rIMF-vVUc-6KaY-li2N-SF4n-v38O5m” –restorefile /root/VG-BELL.vg /dev/disk/by-id/scsi-MSA_BELLNET
vgcfgbackup -f VG-BELL.vg VG-BELL
vgcfgrestore -f VG-BELL.vg VG-BELL

multipath.conf

defaults {
        polling_interval        15
        path_selector           "round-robin 0"
        path_grouping_policy    multibus
        prio                    const
        path_checker            directio
        rr_min_io               100
        flush_on_last_del       no
        max_fds                 8192
        rr_weight               priorities
        failback                immediate
        no_path_retry           fail
        queue_without_daemon    no
        user_friendly_names     yes
        mode                    644
        uid                     0
        gid                     disk
}
blacklist {
        devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
        devnode "^hd[a-z]"
        devnode "^sda"
        devnode "^sda[0-9]"
        wwid    "3600508b1001c1f5b93df16da7e7ab72e"
        wwid    "3600508b1001c81da7e4515d6a1c3a693"
        wwid    "OCZ-VELO_DRIVE_OCZ-938561J47139J405"
        wwid    "OCZ-VELO_DRIVE_OCZ-ADU3LJ4GZL225676"
        wwid    "OCZ-VELO_DRIVE_OCZ-V98FXMA0Q041W67U"
#       wwid 3600c0ff0001432f020c55c5901000000
        device {
                vendor HP
                product "P410i|LOGICAL"
        }
}
devices {
        device {
                vendor                  "HP"
                product                 "P2000 G3*"
                path_grouping_policy    "group_by_prio"
#               uid_attribute           "ID_SERIAL"
                path_checker            "tur"
                path_selector           "round-robin 0"
                features                "0"
                hardware_handler        "0"
                prio                    "alua"
                rr_weight               "uniform"
                failback                "immediate"
                no_path_retry           18
                rr_min_io               100
        }
}
multipaths {
        multipath {
                wwid 3600c0ff00014e4ed9724235801000000
                alias MSA_NETLITE
        }
        multipath {
                wwid 3600c0ff00014e4edfa37695801000000
                alias MSA_NETLITE_BACKUP
        }
        multipath {
#               path_grouping_policy    multibus
                wwid 3600c0ff0001432f020c55c5901000000
                alias MSA_BELLNET
        }
        multipath {
                wwid 3600c0ff0001432f0a80e5a5901000000
                alias MSA_BELLNET_BACKUP
        }
}

andrea

Proxy Squid

squid.conf

http_port 8081
#http_port 10.1.1.5:8082
pid_filename /var/run/squid3-2.pid
cache_mgr [email protected]
visible_hostname NETLITEPROXY
#dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.123 208.67.220.123
dns_nameservers 10.5.1.5
dns_timeout 1 minutes
positive_dns_ttl 1 hours
negative_dns_ttl 10 minutes
fqdncache_size 51200
ipcache_size 51200
#pipeline_prefetch on
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-small 1024 16 256 max-size=32768
cache_dir aufs /var/lib/vz/squid/cache/squid3-2/aufs-large 4096 16 256
cache_mem 2048 MB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
memory_pools on
maximum_object_size 128 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
ie_refresh on
cache_access_log /var/log/squid3/access-2.log
#cache_access_log /dev/null
#cache_log /var/log/squid3/cache-2.log
cache_log /dev/null
#cache_store_log /var/log/squid3/store-2.log
cache_store_log /dev/null
logfile_rotate 0
log_mime_hdrs off
log_icp_queries off
buffered_logs on
redirect_rewrites_host_header off
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl SSL_ports port 8080          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
debug_options ALL,1
client_lifetime 12 hour
half_closed_clients off
pconn_timeout 5 minutes
request_timeout 5 minutes
connect_timeout 30 seconds
authenticate_ttl 15 minutes
authenticate_ip_ttl 15 minutes
max_open_disk_fds 32768
acl java_jvm browser Java/1. J/SSL
#acl localhost src 127.0.0.1/32
#acl reti_abilitate src 127.0.0.1/32
acl reti_abilitate src 10.5.1.0/24
acl netlite src 212.29.137.82/32 #netlite office
acl netlite src 87.248.52.82/32 #netlite office
acl no_cache_siti dstdomain "/etc/squid3/no-cache-siti.txt"
acl siti_pubblici dstdomain "/etc/squid3/siti-pubblici.txt"
acl lan-allowed-ip src "/etc/squid3/good-lan-ip.txt"
http_access allow lan-allowed-ip
# MAC Utenti Bovolone
acl MAC arp "/etc/squid3/mac.txt"
acl emerge browser Wget
http_access allow emerge
always_direct allow emerge
acl aptupdate browser APT-HTTP
http_access allow aptupdate
always_direct allow aptupdate
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny connect !SSL_ports
http_access allow netlite
http_access deny !reti_abilitate
http_access allow siti_pubblici
http_access allow java_jvm
no_cache deny no_cache_siti
always_direct allow no_cache_siti
#request_header_access Allow allow all
#request_header_access Authorization allow all
#request_header_access WWW-Authenticate allow all
#request_header_access Proxy-Authorization allow all
#request_header_access Proxy-Authenticate allow all
#request_header_access Cache-Control allow all
#request_header_access Content-Encoding allow all
#request_header_access Content-Length allow all
#request_header_access Content-Type allow all
#request_header_access Date allow all
#request_header_access Expires allow all
#request_header_access Host allow all
#request_header_access If-Modified-Since allow all
#request_header_access Last-Modified allow all
#request_header_access Location allow all
#request_header_access Pragma allow all
#request_header_access Accept allow all
#request_header_access Accept-Charset allow all
#request_header_access Accept-Encoding allow all
#request_header_access Accept-Language allow all
#request_header_access Content-Language allow all
#request_header_access Mime-Version allow all
#request_header_access Retry-After allow all
#request_header_access Title allow all
#request_header_access Connection allow all
#request_header_access Proxy-Connection allow all
#request_header_access User-Agent allow all
#request_header_access From allow all
#request_header_access Referer allow all
#request_header_access Cookie allow all
#request_header_access All deny all
request_header_access All allow all
follow_x_forwarded_for deny all
forwarded_for delete
via off
forwarded_for off
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache
balance_on_multiple_ip off
#http_access deny !MAC
# utilizzati per ftp anonimo
ftp_user [email protected]
ftp_passive on
acl ftp proto FTP
acl ftp_port port 21
http_access allow ftp_port CONNECT
ftp_epsv off
#dns_v4_first on
http_access allow all

andrea

La documentazione di OpenVPN non è chiarissima a riguardo ma spesso ci può capitare di dover lavorare con più collegamenti VPN attivi contemporaneamente.

Openvpn permette questo a patto che siano presenti più device TAP altrimenti alla partenza della seconda VPN ci viene segnalato che non vi sono dispositivi liberi disponibili.

Per creare ulteriori device TAP basta eseguire:

cd c:\Program Files\TAP-Windows\bin
addtap.bat

tap1

tap2

andrea

Avendo la necessità di configurare una VPN verso apparecchiature FORTINET abbiamo rilevato alcune criticità e le abbiamo risolte con questo semplice script.

#!/usr/bin/expect -f
set timeout -1
spawn ./forticlientsslvpn_cli --server vpn.xxxx.xx:10443 --vpnuser user
expect "Password for VPN:" {send -- "password\r"}
expect "to this server? (Y/N)\r" {send -- "y\r"}
expect eof

Oppure questo:

#!/usr/bin/expect -f
spawn ./forticlientsslvpn_cli --server : --vpnuser  2>&1
log_user 0
send_user "Logging in\n"
expect "Password for VPN:"
send "\n"
# i needed ths for 'certificate error'
expect "Would you like to connect to this server"
send "Y\n"
send_user "Beginning to connect\n"
expect "STATUS::Tunnel running"
send_user "Tunnel running!\n"
# this is how long the next expect waits for pattern match, in seconds
set timeout 90001
expect "STATUS::Tunnel closed"
send_user "Tunnel closed!\n"
send_user "Dying\n"
close
exit

Potrebbe essere necessario installare il ppp, expect e le librerie di compatibilità per eseguibili a 32 bit.

apt-get install ppp
apt-get install expect
apt-get install lib32stdc++6

Qui il LINK per scaricare il client.

Andrea