Sunday, December 27, 2009

Actions to perform after replacing a faulty HBA card

After replacing the faulty HBA card on Sun servers, perform the actions below.

1) The SAN team updates the zoning and masking for the new HBA WWN, for example <10000000C9388B24>.

2) The SA team runs the commands below; these steps bring the path active.

#update_drv -f sd ; devfsadm -C -c disks
#update_drv -f sd ; devfsadm -C -c disks
#vxdctl enable

Wednesday, December 16, 2009

Symbolic Values for File and Directory Permissions



Symbol  Function*   Description

u       Who         User (owner)
g       Who         Group
o       Who         Others
a       Who         All
=       Operation   Assign
+       Operation   Add
-       Operation   Remove
r       Permission  Read
w       Permission  Write
x       Permission  Execute
l       Permission  Mandatory locking, setgid bit is on, group execution bit is off
s       Permission  setuid or setgid bit is on
S       Permission  suid bit is on, user execution bit is off
t       Permission  Sticky bit is on, execution bit for others is on
T       Permission  Sticky bit is on, execution bit for others is off
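
As an added example (not part of the original post), the shell function below converts a mode string as printed by ls -l into its octal value, which makes the difference between s/S, t/T and l in the table concrete. The function name mode_to_octal and the sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: convert an "ls -l" mode string (e.g. -rwsr-xr-x) to octal,
# honouring the special-bit letters s, S, l, t and T from the table above.

mode_to_octal() {
    mode=$1
    # Accept only well-formed strings: s/S in the user and group triplets,
    # l in the group triplet, t/T in the others triplet. Trailing characters
    # (such as an ACL marker) are ignored.
    case $mode in
        ?[r-][w-][xsS-][r-][w-][xsSl-][r-][w-][xtT-]*) ;;
        *) return 1 ;;
    esac

    rest=${mode#?}          # drop the file-type character
    special=0               # setuid=4, setgid=2, sticky=1
    digits=
    for bit in 4 2 1; do    # special bit carried by user, group, others
        trip=${rest%"${rest#???}"}   # first three characters
        rest=${rest#???}
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in
            ??x)     d=$((d + 1)) ;;                             # execute only
            ??[st])  d=$((d + 1)); special=$((special + bit)) ;; # special + execute
            ??[STl]) special=$((special + bit)) ;;               # special, no execute
        esac
        digits=$digits$d
    done
    printf '%s%s\n' "$special" "$digits"
}

# Constructed sample mode strings.
for sample in -rwsr-xr-x -rwSr--r-- -rw-r-lr-- drwxrwxrwt drwxrwx--T; do
    printf '%s  %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```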

Tuesday, December 15, 2009

How to bring Processors offline temporarily / permanently

How to bring Processors offline Temporarily

#psradm -f 1 2 3 4
1,2,3,4 ---> processor numbers; we get this info from prtdiag -v.

How to bring Processors offline permanently

This document describes how to use the commands 'asr-enable' and
'asr-disable' to manually disable CPUs on a Sun Fire V480/V880
V490/V890.
This document also provides examples of the steps necessary to implement
these ASR commands for single and multiple CPUs.

Steps to Follow

Using the ASR commands to manually enable or disable CPUs on V480/V880 V490/V890
================================================================================

The user level commands 'asr-enable' and 'asr-disable' can be used to
manually enable or disable system devices. To view the full list of
devices that can be enabled or disabled, type the command at the ok
prompt.
Below is an example of the asr-enable command for the V480 -

{2} ok asr-enable

Usage: asr-enable
Where is an absolute device path, a device alias, or a device
label.
Valid device labels include:
cpu3-bank3 cpu3-bank2 cpu3-bank1 cpu3-bank0
cpu2-bank3 cpu2-bank2 cpu2-bank1 cpu2-bank0
cpu1-bank3 cpu1-bank2 cpu1-bank1 cpu1-bank0
cpu0-bank3 cpu0-bank2 cpu0-bank1 cpu0-bank0
pci-slot5 pci-slot4 pci-slot3 pci-slot2
pci-slot1 pci-slot0 gptwo-slotc gptwo-slotb gptwo-slota ob-ide ob-net0
ob-net1 ob-fcal io-bridge9 io-bridge8 io-bridge5
cpu3 cpu2 cpu1 cpu0
* cpu3-bank* cpu2-bank* cpu1-bank*
cpu0-bank* pci* pci-slot* gptwo-slot*
io-bridge* cpu*

Output from V490
=================

Be aware that the devices are changed and replaced by "cmp" instead of
"cpu"
cpu3-bank3 = cmp3-bank3

{1} ok asr-enable

Usage: asr-enable

Where is an absolute device path, a device alias, or a device label.
Valid device labels include:
cmp3-bank3 cmp3-bank2 cmp3-bank1 cmp3-bank0
cmp2-bank3 cmp2-bank2 cmp2-bank1 cmp2-bank0
cmp1-bank3 cmp1-bank2 cmp1-bank1 cmp1-bank0
cmp0-bank3 cmp0-bank2 cmp0-bank1 cmp0-bank0
pci-slot5 pci-slot4 pci-slot3 pci-slot2
pci-slot1 pci-slot0 gptwo-slotc gptwo-slotb gptwo-slota ob-ide ob-net0
ob-net1 ob-fcal io-bridge9 io-bridge8 io-bridge5
cmp3 cmp2 cmp1 cmp0
* cmp3-bank* cmp2-bank* cmp1-bank*
cmp0-bank* pci* pci-slot* gptwo-slot*
io-bridge* cmp*

The .asr is another user-level command, that will display the current
status (enabled or disabled) of devices that are supported by ASR (the
example output is for V480):

{0} ok .asr
ASR Disablement Status
Component: Status

CPU/Memory: Enabled
IO-Bridge5: Enabled
IO-Bridge8: Enabled
IO-Bridge9: Enabled
GPTwo Slots: Enabled
Onboard FCAL: Enabled
Onboard Net1: Enabled
Onboard Net0: Enabled
Onboard IDE: Enabled
PCI Slots: Enabled

The normal ASR function is that disabling a CPU with 'asr-disable' will
effectively disable the entire CPU module, so disabling CPU1 will also
take CPU3 out of the system. To bring a CPU back alive after it has been
disabled, you must 'asr-enable' the CPU and then power-cycle the system.

Similarly, if you have CPU1 & CPU3 disabled, then enabling (asr-enable)
only CPU1 will still leave CPU3 disabled, so CPU1 will still be
[effectively] disabled as well; you must enable both CPUs (and
power-cycle) before either CPU is available. Simply asr-enable'ing a CPU
and resetting the system isn't good enough; you must power-cycle.

You need to use the .asr command at the ok prompt to check the status of
each CPU. The OBP command 'reset-all' should be used immediately after
'asr-enable' or 'asr-disable', so that these commands can take effect.

Here are some examples (based on a 4-way V480 server) of the steps you
need to follow in order to get a CPU(s) back alive after it has been
disabled:

1. Example procedure to asr-disable and asr-enable single CPU (4-way
system) :
The steps to "asr-enable" a previously "asr-disable'd" CPU (this is not
needed if the CPU was failed by POST, this is only needed when the CPU
has been manually "asr-disable"d):

a) ok asr-disable cpu1 (v480)
a1)ok asr-disable cmp1 (v490)
b) ok reset-all --> CPU1 and CPU3 (the other cpu on the same module) are
now disabled and unavailable and the system will respond with:
Resetting ...
WARNING: Offlining/Disabling CPU1...and CPU3...Done.

c) At this point if 'reset-all' is performed (or 'reset-all' followed by
power cycle) CPU1 will still be unavailable. This can be verified via
.env command (at the ok prompt), which will show the status only for
CPU0&2, or at the OS level by using the commands 'psrinfo -v' and
'prtdiag -v'.

d) To enable CPU1/CMP1:
ok asr-enable cpu1 (V480)
d1) ok asr-enable cmp1 (V490)
ok .asr (to check status)
ok reset-all --> cpu1 is still unavailable (can be verified by using
.env, which will only show the status for CPU0 & CPU2)
Power-cycle (power-off/power-on) --> cpu1 & cpu3 are now available.
This can be verified via the .env command (OBP level), which will now
show the status for all 4 CPUs, or at the OS level by using the
commands 'psrinfo -v' and 'prtdiag -v'.

2. Example procedure to asr-disable and asr-enable CPU1 & CPU3 (4-way
system):

{3} ok asr-disable cpu1 (V480)
{3} ok asr-disable cpu3 (V480)
{3} ok asr-disable cmp1 (V490)
{3} ok asr-disable cmp3 (V490)

{3} ok .asr (to check ASR Disablement Status)
Component: Status

CPU0/Memory: Enabled
CPU1: Disabled
Memory Bank0: Enabled
Memory Bank1: Enabled
Memory Bank2: Enabled
Memory Bank3: Enabled
CPU2/Memory: Enabled
CPU3: Disabled
Memory Bank0: Enabled
Memory Bank1: Enabled
Memory Bank2: Enabled
Memory Bank3: Enabled
IO-Bridge5: Enabled
IO-Bridge8: Enabled
IO-Bridge9: Enabled
GPTwo Slots: Enabled
Onboard FCAL: Enabled
Onboard Net1: Enabled
Onboard Net0: Enabled
Onboard IDE: Enabled
PCI Slots: Enabled

{3} ok reset-all
Resetting ... WARNING: Offlining/Disabling CPU1...and CPU3...Done.

To bring back CPU1 and CPU3 both CPU's need to be asr-enabled (if only
CPU1 is enabled, after 'reset-all' the system will again offline
(effectively disable) both CPU1 and CPU3):

ok asr-enable cpu1 (V480)
ok asr-enable cpu3 (V480)
ok asr-enable cmp1 (V490)
ok asr-enable cmp3 (v490)
ok reset-all
ok .asr (to check ASR Disablement Status)

Component: Status
CPU/Memory: Enabled
IO-Bridge5: Enabled
IO-Bridge8: Enabled
IO-Bridge9: Enabled
GPTwo Slots: Enabled
Onboard FCAL: Enabled
Onboard Net1: Enabled
Onboard Net0: Enabled
Onboard IDE: Enabled
PCI Slots: Enabled

ok .env (will still not display the status for CPU1 & CPU3)

After power-cycle both CPU's will be back on-line.

3. To disable and then enable the entire CPU module in Slot B (both CPU1
& CPU3) the following commands can be used as well:

{3} ok asr-disable gptwo-slotb
{3} ok .asr

ASR Disablement Status
Component: Status

CPU/Memory: Enabled
IO-Bridge5: Enabled
IO-Bridge8: Enabled
IO-Bridge9: Enabled
GPTwo Slot A: Enabled
GPTwo Slot B: Disabled
GPTwo Slot C: Enabled
Onboard FCAL: Enabled
Onboard Net1: Enabled
Onboard Net0: Enabled
Onboard IDE: Enabled
PCI Slots: Enabled

{3} ok reset-all
Resetting ...

WARNING: Offlining/Disabling CPU1...and CPU3...Done.

To bring back the cpu's in slot B use the command:

{0} ok asr-enable gptwo-slotb
{0} ok .asr
ASR Disablement Status
Component: Status

CPU/Memory: Enabled
IO-Bridge5: Enabled
IO-Bridge8: Enabled
IO-Bridge9: Enabled
GPTwo Slots: Enabled
Onboard FCAL: Enabled
Onboard Net1: Enabled
Onboard Net0: Enabled
Onboard IDE: Enabled
PCI Slots: Enabled

After a 'reset-all' and power-cycle of the system the cpu's in slot B
(cpu1 and cpu3) will be back online.

Documentation about ASR:
V880 Sun Fire 880 Server Owner's Guide /Chapter 6
http://docs.sun.com/app/docs/doc/806-6592-11?q=806-6592-11

How to restrict application user-IDs for direct login to the servers

How to restrict users from logging into server directly from SSH

General way
====================
Add the below line to the /etc/ssh/sshd_config file

DenyUsers



Hartford Way
=====================

Here the list of restricted users is kept in /etc/profile.no.direct.login.IDs.
The script below needs to be added to /etc/profile.

# DENY DIRECT LOGIN #
# The following section denies direct login of certain IDs.
# To utilize this code: create a file /etc/profile.no.direct.login.IDs.
# Set ownership of above file to root, protection to 444.
# Each line in the file contains one ID for which direct login is prohibited.
# Each entry in the file must begin in column 1.
#
if [ -f /etc/profile.no.direct.login.IDs ]
then
    LOGIN_ID=`logname`
    # Do the comparison inside a command substitution and act on its output.
    # A loop fed by "cat file |" runs in a subshell in sh and bash, so an
    # "exit" inside it would not end the login shell.
    DENIED=`while read ID_ENTRY
    do
        if [ "$ID_ENTRY" = "$LOGIN_ID" ]; then echo yes; fi
    done < /etc/profile.no.direct.login.IDs`
    if [ -n "$DENIED" ]
    then
        echo ""
        echo "###########################################"
        echo "# Direct login not allowed for this ID !! #"
        echo "###########################################"
        echo ""
        echo "Exiting..."
        sleep 2
        exit
    fi
fi
# END DENY DIRECT LOGIN #

--------------------------------------------------------------------------

Last however is a simple add in to /etc/profile

# "who am i" prints the original login name first, followed by tty and time
REALNAME=$(who am i | awk '{print $1}')
if [ "$LOGNAME" = "$REALNAME" ]
then
    echo "Naughty child, direct login disabled $LOGNAME"
    exit 1
fi

Note that who am i is different than LOGNAME when su - is used.

You will have to add a loop to only check these users, let's say they are in a list

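# /etc/specialusers holds one restricted user name per line
while read -r uname
do
    if [ "$LOGNAME" = "$uname" ]
    then
        # first field of "who am i" is the name used at the original login
        REALNAME=$(who am i | awk '{print $1}')
        if [ "$LOGNAME" = "$REALNAME" ]
        then
            echo "Naughty child, direct login disabled $LOGNAME"
            exit 1
        fi
    fi
done < /etc/specialusers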
-----------------------------------------------------------------------------
For Bourne and POSIX shells, add the following to /etc/profile:

#unsupported statements to prevent users from login but allow su.
name=`logname`
if [ "$name" = username ]
then
    echo "$name not allowed to login...only su"
    # "logout" is not a Bourne/POSIX shell builtin; "exit" ends the login shell
    exit
fi
#end

Note: username should be replaced with the name of the user to
whom direct login access is denied.


For C shell, add the following to /etc/csh.login:

#unsupported statements to prevent users from login but allow su.
set name=`logname`
if ( $name == username ) then
echo $name not allowed to login...only su
exit
endif
#end

----------------------------------------------------------------------

Hello,

This is the final solution. I will write a
Knowledge Brief about it:

a) As in any good company, inetd-based
protocols were disabled (telnet, rsh, rlogin).

b) Ordinary users have access to the server
via SSH only.

c) Added into sshd_config:

DenyUsers oracle prdadm

d) Installed SUDO and SUDOSH.
Everyone is familiar with sudo, and
sudosh is available at:

http://sourceforge.net/projects/sudosh

For example, to log in as oracle:

/bin/sudo -u oracle /usr/local/bin/sudosh

SUDOSH captures all keystrokes on the tty and
the user cannot forge them! There is also a
replay command to check what the user did:

sudosh-replay

Note that sudosh can be a login Shell too!

Bingo: SUDOSH was a perfect and relatively easy method that made the customer happy.
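
The sshd_config DenyUsers line and the /etc/profile deny file described above are two separate lists that can drift apart. The script below is an added example, not part of the original posts: it reports IDs in the deny file that no DenyUsers line names exactly. The function names and sample files are constructed; only plain user names are compared, so USER@HOST entries and wildcard patterns are not counted as covering an ID.

```sh
#!/bin/sh
# Added example: cross-check the /etc/profile deny list against DenyUsers
# entries in sshd_config. Needs a grep with the POSIX -F -x -q options.

# Print every entry found on DenyUsers lines of the config file $1, one per
# line. The keyword is matched case-insensitively; comment lines are skipped.
denyusers_in_config() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Print each ID from the deny list $1 that the config file $2 does not
# deny by exact name.
uncovered_ids() {
    list=$1
    config=$2
    denied=$(denyusers_in_config "$config")
    while read -r id
    do
        case $id in '') continue ;; esac     # skip blank lines
        printf '%s\n' "$denied" | grep -Fxq -- "$id" || printf '%s\n' "$id"
    done < "$list"
}

# Constructed sample data so the example runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' oracle prdadm appsvc > "$dir/ids"
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample, not a real configuration
Port 22
#DenyUsers appsvc
denyusers oracle
DenyUsers prdadm backup@192.0.2.10
EOF
    uncovered_ids "$dir/ids" "$dir/sshd_config"
    rm -rf "$dir"
}

demo
```

On a real host the call would be uncovered_ids /etc/profile.no.direct.login.IDs /etc/ssh/sshd_config; any name it prints is blocked only by the /etc/profile check.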

Friday, December 11, 2009

To reset ssmon on unix servers

#pam_tally --user ssmon --reset

Console RSC

================================================================================
Access the System Controller command line interface (CLI). This is
accomplished using the console escape characters. (normally "#.")

{0} ok #.
sc>

================================================================================
Please login: admin
Password: sun123 (default password)
rsc>console

================================================================================
SC Alert: SC Request to send Break to host.

vi /etc/default/kbd

#this will keep a spurious break from being sent
KEYBOARD_ABORT=alternate

From OS, while on console, do the following:


~
^b
xir #send break

================================================================================
Navigating between the OS level and the RSC card level using tip (serial)
or telnet (Ethernet) sessions on the Sun Fire(TM) 280R, V480, and V880
Server products.

There are two methods to switch from the OS level to the RSC card. Choose
the appropriate method depending on how you are connected to the RSC card.



Navigating between RSC and the OS using telnet
-----------------------------------------------

Execute the following command from the OS level: ~.
This will return the console to the rsc> prompt

To resume your connection with the OS type "console" at the rsc> prompt.



Navigating between RSC and the OS using tip
--------------------------------------------

Execute the following command: ~~.
You may have to run the command 1-2 times before the console will return to
the rsc> prompt.

To resume your connection with the OS type "console" at the rsc> prompt.

Executing the command ~. will disconnect the tip session with the RSC card.



If the escape character ~ does not work
----------------------------------------

If the escape character ~ fails to return the console session to the rsc>
prompt, run the following command:

# ./rscadm show escape_char
escape_char="*"

The escape character is ~ by default, but can be user defined. To return to
the rsc> prompt, type the escape_char followed by a period (.). In this
example, you would type *. or ~*. to return to the rsc> prompt.



How to clear open console sessions
-----------------------------------

rsc> console
Console session already in use.

If the console is busy, run either of the following commands to reset the
console and clear any open sessions:

From the rsc prompt:

rsc> resetrsc

From the OS:

./rscadm resetrsc

================================================================================
RSC Commands at the rsc> prompt.

environment Displays current environmental information

showenvironment (The showenvironment command is not available on Sun
Enterprise[TM] 250 servers.)

shownetwork Displays the current network configuration

console Connects you to the server console

break Puts the server in debug mode

xir Generates an externally initiated reset to the server

bootmode Controls server firmware behavior, if followed by a server reset
within 10 minutes (similar to L1-key combinations on Sun keyboards)

-u

Force the server to direct the console to RSC; the -u option must precede any
boot_mode you specify; requires server reset

normal

Normal boot; server runs low-level diagnostics; requires server reset

forth

Enter Forth interpreter as soon as possible (equivalent to L1-F on keyboard);
requires server reset

reset_nvram

Reset all NVRAM variables to default values (equivalent to L1-N on keyboard);
requires server reset

diag

Force the server to run full diagnostics (equivalent to L1-D on keyboard);
requires server power-off and power-on

skip_diag

Force the server to skip diagnostics (equivalent to L1-S on the keyboard);
requires server power-off and power-on

reset Resets the server immediately

poweroff Powers off the server

poweron Powers on the server

loghistory Displays the history of all events logged in the RSC event buffer

consolehistory Displays the history of all console messages logged in the
buffer

consolerestart Makes the current boot and run console logs "original"

set Sets a configuration variable

Table 1.

serial_baud        serial_stop         serial_data     serial_hw_handshake
ppp_local_ip_addr  ppp_remote_ip_addr  ppp_enabled     page_enabled
mail_enabled       page_info1          page_init1      page_password1
page_baud1         page_data1          page_parity1    page_stop1
page_info2         page_init2          page_password2  page_baud2
page_data2         page_parity2        page_stop2      customerinfo
hostname           mailuser            mailhost        ip_mode
ip_addr            ip_netmask          ip_gateway      escape_char
country_code +     page_verbose *      tpe_link_test

+ RSC 2.0 and above
* not available for the 250

show Displays one or more configuration variables

date Displays or sets the current time and date

password Changes your RSC password

useradd Adds an RSC user account

userdel Deletes an RSC user account

usershow Shows characteristics of an RSC user account

userpassword Sets or changes a user's password

userperm Sets the authorization for a user

resetrsc Resets RSC immediately

help Displays a list of RSC shell commands and a brief description of each

version Displays the RSC firmware version

showsc (The showsc command is not available on Sun Enterprise 250 servers.)

logout Ends your current RSC shell session

setlocator Turn the system locator LED on or off (Sun Fire[TM] V480 servers
only).

showlocator Show the state of the system locator LED (Sun Fire V480 servers
only).

showdate Same as the date command without arguments. (Not available for Sun
Enterprise 250 servers.)

setdate Same as the date command with arguments. (Not available for Sun
Enterprise 250 servers.)


rscadm subcommands

help Displays a list of rscadm commands and brief descriptions for each

date Displays or sets the current time and date

set Sets a configuration variable

show Displays one or more configuration variables

shownetwork Shows current RSC card network configuration (RSC 2.0 and above)

loghistory Returns the most recent log entries (RSC 2.0 and above)

resetrsc Resets RSC immediately

download Downloads firmware to the RSC flash PROM

send_event Logs an event; can also send an alert message

modem_setup Changes configuration of the modem connected to the RSC serial
port

useradd Adds an RSC user account

userdel Deletes an RSC user account

usershow Shows characteristics of an RSC user account

userpassword Sets or changes a user's password

userperm Sets the authorization for a user

version Reports the RSC version on the host (RSC 2.0 and above)

status Same as the version -v command. (RSC 2.0 and above)


OBP Commands

rsc-hard-reset Performs a hard reset of RSC; this is the same as using the
command rscadm resetrsc.

rsc-soft-reset Performs a soft reset of RSC; this is the same as using the
command rscadm resetrsc -s.

diag-output-to rsc*|rsc-console**|ttya Directs POST output to either RSC (1)
or ttya (0). This command takes effect after the next server reset. (E250
only)

diag-console rsc*|rsc-console**|ttya This command directs power-on self-test
(POST) output to either RSC (1) or ttya (0). This command takes effect after
the next server reset. (Not available for the 250)

rsc-mac-update Updates the RSC Ethernet address from the contents of the
server ID PROM. Use this command after replacing the server NVRAM module.

.rsc Displays RSC information, including the diag-output-to setting and the
RSC POST status word.

*Available for Sun Enterprise 250 servers only. For other supported workgroup
servers, you must set input-device and output-device to rsc-console rather
than to rsc. The test we made on SF280R showed that we had to use rsc rather
than rsc-console argument. So, it's apparently not applicable to E250 ONLY.
To be checked.

**For Sun Enterprise 250 servers, you must set input-device and output-device
to rsc rather than to rsc-console.


OBP Environment Variable Properties

input-device rsc|rsc!|ttya

output-device rsc|rsc!|ttya

diag-out-console true|false ( SF280R and V480 only ???? should be checked
also on V880 and E250 servers. )

================================================================================
What to do if RSC is configured and the password is forgotten.

STEP BY STEP SOLUTION TO THIS PROBLEM:

1. STEP 1:
Access the system as root to create a new RSC user. If root can log in
to the system remotely, proceed to Step 2. If root cannot access the
system remotely and RSC is currently the active console, the only other
way to gain access to the system console is through ttya; because RSC
is configured, the system's output and input devices must first be
changed back to their default settings. This can be done using one of
the following two methods:

* Method 1:
After turning on the power to your system, watch the front panel wrench
LED for rapid flashing during the boot process. Press the front panel
Power button twice (with a short, one-second delay in between presses).

Notes:
The above procedure sets all NVRAM parameters to their default settings.
These changes are temporary and the original values will be restored
after the next hardware or software reset.

* Method 2:
Remove the RSC card. With the RSC card removed, the output and input
devices will be forced to ttya. For information on how to remove the RSC
card, please refer to your Server Owner's Guide.

2. STEP 2:
a. Execute the following 3 commands in order to create a new RSC user
with full permissions:

/usr/platform/`uname -i`/rsc/rscadm useradd
/usr/platform/`uname -i`/rsc/rscadm userperm cuar
/usr/platform/`uname -i`/rsc/rscadm userpassword

Notes: You may need to delete an RSC user if there are 4 existing users
defined. If you did not remove the RSC card, please proceed to step c.

b. Reinstall the RSC card. For information on how to install the RSC card,
please refer to your Server's Owner's Guide.
c. Reboot the RSC card.
d. Log into RSC using the login and password created in Step a.

================================================================================

Mount an ISO image on a Solaris filesystem with lofiadm


Many software packages can be downloaded in the form of an ISO image. Rather than burning the image to a CD-ROM to access its contents, it is easy to mount the image directly into the filesystem using the lofiadm and mount commands.

Given an ISO image in /export/temp/software.iso, a loopback file device (/dev/lofi/1) is created with the following command:

lofiadm -a /export/temp/software.iso /dev/lofi/1

The lofi device creates a block device version of a file. This block device can be mounted to /mnt with the following command:

mount -F hsfs -o ro /dev/lofi/1 /mnt

These commands can be combined into a single command:

mount -F hsfs -o ro `lofiadm -a /export/temp/software.iso` /mnt


Unmount and detach the images :-

Use umount command to unmount image:
# umount /mnt

Now remove/free block device:
# lofiadm -d /dev/lofi/1

For more information read lofiadm and lofi man pages by typing the following command:
man lofiadm