Me in IT UNIX/Linux Consultancy is based in Utrecht, The Netherlands and specialized in UNIX and Linux consultancy. Experience with Red Hat Enterprise Linux (Red Hat Certified Architect), Fedora Project, CentOS, OpenBSD and related released Open Source products makes Me in IT UNIX/Linux Consultancy a great partner in implementing, maintaining and upgrading your environment.

Open Source software is an important aspect of any Linux distribution. Me in IT UNIX/Linux Consultancy tries to use Open Source software where possible and tries to share experiences actively. In the articles section you will find many UNIX/Linux adventures shared for others to benefit.

Price of an average webserver on Amazon Elastic Compute Cloud (EC2)

It's very difficult to get grip on the estimates price of a "simple" LAMP server. Here are some numbers to help you get an accurate estimate of a LAMP server.

The setup

  • One small Linux (Fedora) instance in Europe.
  • One 30 Gb volume in Europe.
  • Two 1 Gb volumes in Europe.
  • Apache, Mysql on the same machine and PHP.
  • Average daily visitors: 8000.

The price and numbers

  • 730 small instance hours = $ 80.30
  • 32 Gb of provisioned storage = $ 3.84
  • 95 Gb traffic in = $ 9.50
  • 27 Gb traffic out = $ 4.59
  • 5 million IO requests = $ 0.55
  • TOTAL $ 98.78 (Without tax)

So as a conclusion: One average webserver costs around $ 120,- (with tax) per month to run on the EC2. There are cheaper solutions to host your website(s), but Amazon EC2 provides the option to add a machine in a couple of minutes or even automated. This flexibility is not found in many other products.

Howto use Amazon Elastic Compute Cloud. (EC2)

While experimenting with Amazons interpretation of cloud computing, here is what I did to create persistent storage, create an instance and attach the storage to the instance.

Install and configure the local tools.

Go to Amazons developer section and download, unpack and install the files. Now edit ~/.bashrc (or any other file that is executed at login) and add this:

export EC2_HOME=~/.ec2
export PATH=$PATH:$EC2_HOME/bin
export EC2_PRIVATE_KEY=$(ls $EC2_HOME/pk-*.pem)
export EC2_CERT=$(ls $EC2_HOME/cert-*.pem)
export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/
export EC2_URL=https://eu-west-1.ec2.amazonaws.com

As you can see, I have the tools installed in ~/.ec2, the JAVA_HOME is set for a Mac OS X machine and I use the European Amazon infrastructure. Get a list of these regions with ec2-describe-regions.

Create a keypair.

Check out the wonderful section on Paul Stamatiou's website at "Getting Started". It describes how to create and use the keys.

Open ports 22 and 80.

You will have to authorize access from the internet to port 22 and 80, or any other. Here is how it's done:

ec2-authorize default -p 22
ec2-authorize default -p 80

default refers to all machines unless specified differently.
The option -p refers to a port number.

Create an instance.

An instance can be seen as an individual machine. It's virtual, but who cares about that? I use the image "ami-2a0f275e", but see other images can be used as well. Use ec2-describe-images -o amazon to get a list of available images owned (-o) by amazon.

ec2-run-instances -z eu-west-1a -k ec2-keypair ami-2a0f275e

The option -z specifies an "availability zone". Get a list of these zones with ec2-describe-availability-zones.
The option -k specifies what key to use. If you don't use this option, you will not be able to login using SSH.

Create a volume.

To allocate some space on the S3 infrastructure of Amazon, use this command:

ec2-create-volume -s 1 -z eu-west-1a

The option -s 1 specifies that the size is 1 Gib.
The option -z is used to determine the availability zone, it needs to match the instance's zone.

Attach the volume to the instance.

When the volume is created; assign it to an instance with this command:

ec2-attach-volume vol-38a24751 -i i-c2f2c5b6 -d sdb

This only makes the device available, you will have to partition, format and mount it to use it.
The argument vol-38a24751 describes the volume to attach. Use ec2-describe-volumes to get a list of available volumes.
The option -i specifies the instance. Use ec2-describe-instances to get a list of available instances.
The option -d specifies the name under which Linux will recognize the volume. Login to you machine, type dmesg to see if attaching has worked. This is the ouput I got:
dmesg | tail -n 1
sdb: unknown partition table

Logging into your instance

Login to your machine using SSH:

ssh -i .ec2-keypair root@MACHINE

The option -i specifies the identity to use.
The argument MACHINE needs to be replaces with the public DNS name of you instance. Get a list of the named using describe-instances.
If you like to type less; add this to your ~/.ssh/config file:
Host *.compute.amazonaws.com
IdentityFile ~/.ec2/ec2-keypair
User root

From the moment on that you have added this configuration, you can simply login to your instance without any options, just the DNS name of the instance.

Formatting and mounting the volume.

Now that you are ready, login and type:

mkfs.ext3 /dev/sdb

Mount the volume (once) by issuing:

mount /dev/sdb /mnt

There is 924 Megabytes (Mb) available. so you'll lose some 80 Mb's for the filesystem.

Setting a static IP.

You can continue to use the instance with this "static" IP, but to associate one IP with this instance, follow these steps. First register an IP:

ec2-allocate-address

You will see the IP printed on your screen.

Now link the IP with an instance.

ec2-associate-address 79.125.5.49 -i i-0ca09678

Conclusion.

The Amazon elastic compute cloud and S3 facilities work great, I'm not sure about the availability of EC2, not about S3, but Amazon states that S3 should be more "secure" then storing stuff in the local storage of the instance.

Linux permission numberic table

Permissions in Linux (or UNIX) can be difficult to understand. Here is a step-plan to determine the right combination of permissions.

Either read in the "Explanation" field in the table below what you want to do, or do ls -l and see what it means. Each object (file, directory, sockets, device, etc) has 10 positions to indicate what's possible with the object. For example you could see -rwxr-x---. You can split the 10 positions up into these parts:

  • The 1st character: what kind of object is it; - for file, d for directory, s for socket.
  • The 2nd until and including the 4th character: the permissions for the owner of the object.
  • The 5th until and including the 7th character: the permissions for the group that owns the object.
  • The 8th until and including the 10th character: the permissions for others.
Numeric Readable Explanation
0 --- No access.
1 --x Execute access.*
2 -w- Write access.**
3 -wx Write and execute access.***
4 r-- Read access.
5 r-x Read and execute access.
6 rw- Read and write access.
7 rwx Read, write and execute access.

*= This is an odd combination, executing something that's not readable is not possible.
**= A strange combination; writing when you are not able to read.
***= This is an weird combination, you can't execute when you can't read the file, though you may write the file.

There are some special permission sets. When you see an "s" or an "S" on the location where you'd expect an "x", this means:

  • "s" for the owner - If somebody is allowed to execute the script (group or other) then it's executed as if it was executed by the user. This is called a "set user id bit" or "suid" and can be set by appending a 4 to a permission set. For example: chmod 4755 object.
  • S for the owner - The set user id bit was set, but no execute permissions were set in the first place. This is a broken set of permissions, but may be achieved by chmod 4650 object.
  • s for the group - When somebody is allowed to execute a script (user or other) then it's executed as if it was executed by the group. This is called a "set group id bit" or "sgid" and can be set by appending a 2 to a permission set. For example: chmod 2775 object. This bit on a directory means all files in that directory that will be created, will be owned by the group that owns the directory.
  • S for the group - The set group id bit was set, but no execute permissions were set in the first place. This is a broken set of permissions, but can be achieved by executing chmod 2745 object.

ksh(3) survival guide for bash(1) users

So you like bash, just like me. There are times though where you'd need to work on a machine where there is no bash, but ksh(3). Here is a list of commands and keys to help you:

Go back in history

Hit escape a few times, now hit "k" and "j" to move back and forward into the history.
Edit the command with the letters "h" and "l".

Complete commands

Type a part of your command, hit escape a few times, now hit "\" to complete the command.
You can't display what your options are, (in bash just tab a few times)

Get a decent prompt

Either run this command once, or add it to your ~/.profile:

export PS1="${USER}@$(hostname) ${PWD##*/} $ "

One major problem; the PWD variable does not change when changing directories!

A group password in Linux

Have you ever heard of (or used) a group password in Linux? For me this strange concept was new, but here's what you can use it for.

A group password in Linux allows a user to temporarily (in a subshell) gain extra permissions of a group, after successfully entering the group password.

To set a group password use gpasswd:

# gpasswd finance
New Password:
Re-enter new password:

To gain those extra permissions you can use newgrp:

$ newgrp finance

Some of the disadvantages are:

  1. Sharing a password is not good; a password should be personal.
  2. You can also solve this by adding the user to a secondary group.
  3. Another way to solve it is to use sudo.
  4. Usage of the group password is not accountable.

Why a umask of 0027 creates files like 0640

The User Mask (umask) can be managed with the command umask. A umask is the reverse value of the octal permission set that files and directories are created with.

So, a umask of 0777 creates files with an octal permission value of 0000; no permissions to read, write or execute.

But; there is a strange thing about the umask; it never allows to make files executable. Here is a demonstration of this "flaw"/"security feature".

$ umask 0027
$ touch me
$ ls -l me | awk '{print $1}'
-rw-r-----

I would have expected 750, instead 640 is produced. This is default security behaviour of UNIX/Linux.

The longest left hand typed word

On slashdot somebody desribes that you can find the longest left hand typed password with UNIX tools like grep. That's a simple solution for a difficult problem!

Here is a script that would print the longest words typable with the left hand side of a keyboard. The list shows the longest word on top.

#!/bin/sh

status="notfound"
cat /usr/share/dict/words | while read word ; do
  for letter in y u i o p h j k l n m ; do
   echo "$word" | grep "$letter" > /dev/null
   if [ "$?" = 0 ] ; then
    status="found"
   fi
  done

  if [ "$status" = "notfound" ] ; then
   echo "$word"
  fi
done | while read match ; do
  length=$(echo "$match" | wc -c)
  echo "$length $match"
done | sort -nr | awk '{print $2}'

Howto use NAT on Fedora Core 9 machine with iptables

Network Address Translation is a technique to masquerade IP addresses on your internal LAN to the outside world. In other words; the outside world will not be able to look into your network.

This technique is easy to setup and maintain, saves IP addresses and is likely more secure that pure routing. To set it up, you require:

  1. A Linux machine, for this example Fedora Core 9
  2. Two network cards, eth0 attached to you LAN, eth1 connected to the internet.
  3. A little bit of Linux/UNIX knowledge
  4. 30 minutes or so

Enable IP forwarding

To be able to use IP forwarding, you must tell the kernel that it's okay to forward traffic from one network card to another. This setting is found in /etc/sysctl.conf. Set net.ipv4.ip_forward to 1.
To do this, execute:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

The first command enables IP forwarding now, a reboot would undo this setting. To enable this setting for every reboot, also execute that second line.

Enable the firewall (IPtables)

Make sure the service IPtables is running now and is started at bootup:

# service iptables status
<output omitted>
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Configure the firewall (IPtables)

Now that the kernel knows it's allowed to forward traffic from one NIC to another, configure the firewall. The firewall is the intelligent part of setting up NAT, IPtables actually 'does the work'. Here are the commands to set it up:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Safe the firewall rules

You have only configured the firewall for now, a reboot would undo all settings. Run this command once you are happy with the setup:

# /sbin/service iptables save

Reboot to test the setup. Your LAN client will have to set the default route to the IP address of the NAT machine's LAN NIC.

5 ways to configure at what runlevel daemons are started

There are a few ways to start (and stop) daemons at specific runlevels. For Fedora you could use modify how Apache (httpd) is started:

chkconfig --level 4 httpd on

This is a simple command line tool to tell the the startup facility to enable (on) the Apache (httpd) daemon at runlevel 4 (--level 4). Works great and fast, but the script httpd must have some parameters in the file to let chkconfig know what to do with it:

# chkconfig: 4 85 15
# description: Apache is a World Wide Web server. It is used to serve HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid

The lines chkconfig and description are mandatory. In this example, the chkconfig line tells the startup facility to start in runlevel 4, with a "priority" of 85. This priority can be seen with ls /etc/rc4.d. The numbers of the startup script represent the order of how they are started.

ln -s /etc/init.d/httpd /etc/rc4.d/S85httpd

A much simpler, more simplistic method to start Apache. This command symbolically links /etc/rc4.d/S85httpd to the startup script of Apache. Don't forget to also stop the daemons with this set of links:

ln -s /etc/init.d/httpd /etc/rc0.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc1.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc2.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc3.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc5.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc6.d/K15httpd

ntsysv

A text-based graphical menu to enable or disable services.

serviceconf and system-config-services

A graphical interface to enable or disable services.

Where the Linux boot process can fail and how to solve it

Booting a computer to run Linux is quite a complex procedure. Happily it's understandable, so correctable when things break.

  1. P.O.S.T. The computer is powered on, the computer shows you a screen to configure some basic settings, the BIOS and tests itself. Not much Linux here!
  2. Boatloader Grub, Lilo or some other boot loader is started. The bootloader is a small piece of code that is able to start loading the kernel. Mostly you will have some options to edit boot parameters, like "single" to start in single user mode.
  3. The kernel This is where Linux starts, you'll see all kinds of (cryptic) messages scrolling over your screen. Use dmesg to see them again after booting.
  4. INIT The process "init" is started, the first process on a Linux machine. Init read /etc/inittab and launches RC.
  5. RC This facility is responsible for starting all the daemons and programs that make Linux a server.

Bootloader errors and fixes

The bootloader could point to a kernel that's not there, or adds a boot parameter that incorrect. A.k.a. a typo. Review your Grub or Lilo configuration and try again. Grub is a lot easier to debug, is has a minimalistic shell included.

Kernel errors and fixes

You could have built a kernel that's not suitable for your computer. I hope you have left and old kernel on your system, use Grub to select that kernel and boot it.

Init errors and fixes

Init is quite simple, it reads /etc/inittab and starts RC. When you have "played around with" /etc/inittab and made a typo somewhere, you might need to boot of a CD to fix the typo.

RC errors and fixes

This is the part where many "errors" can occur, like: "Apache is not starting". Review the startup script in /etc/init.d, review that there a script and it has no errors in it. Also read the article about controlling daemons.

About Consultancy Articles Contact




References Red Hat Certified Architect By Robert de Bock Robert de Bock
Curriculum Vitae By Fred Clausen +31 6 14 39 58 72
By Nelson Manning [email protected]
Syndicate content