lost and found ( for me ? )

How to set up MRTG on Fedora 11

[root@arizona ~]# cat /etc/fedora-release 
Fedora release 11 (Leonidas)

[root@arizona ~]# uname -r
2.6.30.10-105.2.23.fc11.x86_64

- Install net-snmp

[root@arizona ~]# yum install -y net-snmp.x86_64 net-snmp-utils.x86_64

[root@arizona ~]# snmpd -v
NET-SNMP version:  5.4.2.1

net-snmp-utils contains the tools such as snmpwalk; the snmpd daemon itself is in net-snmp.

- Configure net-snmp

[root@arizona ~]# egrep -v "^#" /etc/snmp/snmpd.conf | grep -v "^$"
com2sec local     localhost       public
com2sec mynetwork 0.0.0.0/0       public
group MyRWGroup  any        local
group MyROGroup  any        mynetwork
view all    included  .1                               80
access MyRWGroup ""      any       noauth    0      all    all    all
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat

A note on what this configuration grants: the single access line gives MyRWGroup, i.e. community "public" from localhost, the complete .1 view for read, write and notify, so any local process that can send UDP to 127.0.0.1:161 can issue SNMP SETs with the default community string. The mynetwork com2sec accepts "public" from 0.0.0.0/0; it is not granted anything yet because there is no "access MyROGroup ..." line, but it is one line away from a world-readable agent. MRTG never needs write access. A read-only community with a non-default name, limited to the collector's address (127.0.0.1 here) and to the subtrees MRTG polls (interfaces, UCD-SNMP cpu/memory), is all that is required, and UDP/161 should be firewalled if the agent only serves localhost.

- Start snmpd

[root@arizona ~]# /etc/init.d/snmpd start
Starting snmpd:                                            [  OK  ]

- Check that SNMP queries work

[root@arizona ~]# snmpbulkwalk -c public -v 2c 127.1 . | head -5
SNMPv2-MIB::sysDescr.0 = STRING: Linux arizona.localdomain 2.6.30.10-105.2.23.fc11.x86_64 #1 SMP Thu Feb 11 07:06:34 UTC 2010 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12173) 0:02:01.73
SNMPv2-MIB::sysContact.0 = STRING: Root (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: arizona.localdomain
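The snmpd.conf above is the kind of file that quietly drifts into a read-write, default-community agent. As an added example (not part of the original page), here is a small audit that reads an snmpd.conf and flags wildcard sources, the default community strings "public"/"private", write views on access lines and unrestricted rwcommunity/rocommunity lines, run against the page's configuration and against a hardened, read-only version limited to what MRTG needs. The community string "mrtg-ro-CHANGEME", the view name and the file names are assumptions.

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for the weak settings discussed above.
# Not part of the original page. Understands net-snmp's com2sec/group/view/access
# and rocommunity/rwcommunity syntax; the sample files below are constructed.

# snmpd_conf_audit FILE: print one finding per line; return 1 if any, 0 if clean.
snmpd_conf_audit() {
    local findings
    findings=$(awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "com2sec" {
            # com2sec NAME SOURCE COMMUNITY
            if ($3 == "default" || $3 == "0.0.0.0/0" || $3 == "::/0")
                print "com2sec " $2 ": source " $3 " accepts any address"
            if ($4 == "public" || $4 == "private")
                print "com2sec " $2 ": default community string " $4
        }
        $1 == "access" && $8 != "" && $8 != "none" {
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            print "access " $2 ": write view " $8 " allows SNMP SET"
        }
        $1 == "rwcommunity" {
            print "rwcommunity " $2 ": write access through a community string"
        }
        $1 == "rocommunity" && NF < 3 {
            print "rocommunity " $2 ": no source restriction"
        }
        $1 ~ /^r[ow]community$/ && ($2 == "public" || $2 == "private") {
            print $1 " " $2 ": default community string"
        }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the snmpd.conf shown on this page.
write_weak_conf() {
    cat > "$1" <<'EOF'
com2sec local     localhost       public
com2sec mynetwork 0.0.0.0/0       public
group MyRWGroup  any        local
group MyROGroup  any        mynetwork
view all    included  .1                               80
access MyRWGroup ""      any       noauth    0      all    all    all
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
EOF
}

# Constructed hardened version: read-only, SNMPv2c only, non-default community,
# source limited to the MRTG host, view limited to system/interfaces/UCD-SNMP.
write_hardened_conf() {
    cat > "$1" <<'EOF'
com2sec mrtg      127.0.0.1   mrtg-ro-CHANGEME
group   MRTGGroup v2c         mrtg
view    mrtgview  included    .1.3.6.1.2.1.1
view    mrtgview  included    .1.3.6.1.2.1.2
view    mrtgview  included    .1.3.6.1.4.1.2021
access  MRTGGroup ""  v2c noauth exact mrtgview none none
syslocation server room
syscontact root@localhost
EOF
}

# Demo: audit both files (on a real host: snmpd_conf_audit /etc/snmp/snmpd.conf).
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf =="
    snmpd_conf_audit "$tmp/$f.conf" || echo "-> $f.conf needs attention"
done
rm -rf "$tmp"
```

After switching to the hardened file, restart snmpd and re-run the snmpbulkwalk above with the new community; cfgmaker then has to be given mrtg-ro-CHANGEME@localhost instead of public@localhost.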

- Install MRTG

[root@arizona ~]# yum install -y mrtg.x86_64

- Configure MRTG

cfgmaker writes the interface information and the community name into mrtg.cfg.

[root@arizona ~]# cfgmaker public@localhost > /etc/mrtg/mrtg.cfg

Try running mrtg

[root@arizona ~]# mrtg /etc/mrtg/mrtg.cfg
-----------------------------------------------------------------------
ERROR: Mrtg will most likely not work properly when the environment
       variable LANG is set to UTF-8. Please run mrtg in an environment
       where this is not the case. Try the following command to start:

       env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg 
-----------------------------------------------------------------------

[root@arizona ~]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Use of uninitialized value $dir in concatenation (.) or string at /usr/bin/mrtg line 2530.
Use of uninitialized value $dir in concatenation (.) or string at /usr/bin/mrtg line 2548.
Use of uninitialized value $dir in concatenation (.) or string at /usr/bin/mrtg line 2564.
ERROR: "WorkDir" not specified in mrtg config file

Another error.

Edit mrtg.cfg

Add the following three lines; leave the rest as is. (cfgmaker can emit them for you: cfgmaker --global 'WorkDir: /root/mrtg' --global 'Options[_]: growright, bits' public@localhost.)

WorkDir: /root/mrtg
Options[_]: growright, bits
Language: eucjp

Create the directory; the generated files go under it.

[root@arizona ~]# mkdir /root/mrtg

Run mrtg again

The Rateup messages are only warnings: the log files do not exist yet on the first run, and they stop once MRTG has run a couple of times.

[root@arizona ~]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
2010-02-26 02:38:01, Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_2
2010-02-26 02:38:01, Rateup WARNING: /usr/bin/rateup The backup log file for localhost_2 was invalid as well
2010-02-26 02:38:01, Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file
2010-02-26 02:38:01, Rateup WARNING: /usr/bin/rateup Can't rename localhost_2.log to localhost_2.old updating log file
2010-02-26 02:38:02, Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_3
2010-02-26 02:38:02, Rateup WARNING: /usr/bin/rateup The backup log file for localhost_3 was invalid as well
2010-02-26 02:38:02, Rateup WARNING: /usr/bin/rateup Can't remove localhost_3.old updating log file
2010-02-26 02:38:02, Rateup WARNING: /usr/bin/rateup Can't rename localhost_3.log to localhost_3.old updating log file


[root@arizona ~]# ls /root/mrtg/
localhost_2-day.png    localhost_2.log        localhost_3-year.png  mrtg-m.png
localhost_2-month.png  localhost_2.old        localhost_3.html      mrtg-r.png
localhost_2-week.png   localhost_3-day.png    localhost_3.log
localhost_2-year.png   localhost_3-month.png  localhost_3.old
localhost_2.html       localhost_3-week.png   mrtg-l.png

[root@arizona ~]# google-chrome /root/mrtg/localhost_2.html  ( <- eth0's graphs )



- Add a CPU usage graph
CPU usage can be read from these OIDs.

ssCpuRawUser.0 (.1.3.6.1.4.1.2021.11.50.0) <- user CPU time
ssCpuRawSystem.0 (.1.3.6.1.4.1.2021.11.52.0) <- system CPU time

Caveat: both are Counter32 values in USER_HZ ticks (100 per second) summed over all CPUs. MRTG plots the per-second rate, so on a single CPU the rate equals the percentage, which is why the legends below say %. On an N-CPU host the rate can reach 100*N, and MRTG discards any sample above MaxBytes, so set MaxBytes[cpu] to 100 times the CPU count (and read the graph as CPUs' worth of load), or poll the percentage gauges ssCpuUser.0 (.1.3.6.1.4.1.2021.11.9.0) and ssCpuSystem.0 (.1.3.6.1.4.1.2021.11.10.0) with Options gauge instead.

[root@arizona ~]# snmpget -v 2c -c public 127.1 .1.3.6.1.4.1.2021.11.50.0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 33717

[root@arizona ~]# snmpget -v 2c -c public 127.1 .1.3.6.1.4.1.2021.11.52.0
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 18507

Added to /etc/mrtg/mrtg.cfg:

# CPU Usage
Target[cpu]: .1.3.6.1.4.1.2021.11.50.0&.1.3.6.1.4.1.2021.11.52.0:public@localhost
MaxBytes[cpu]: 100
Options[cpu]: growright, noinfo, nopercent
YLegend[cpu]: CPU usage (%)
ShortLegend[cpu]: (%)
LegendI[cpu]: user
LegendO[cpu]: system
Legend1[cpu]: CPU Usage (user) (%)
Legend2[cpu]: CPU Usage (system) (%)
Title[cpu]: CPU Usage
PageTop[cpu]: CPU Usage

Check that it is collected

[root@arizona ~]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
2010-02-26 02:56:40, Rateup WARNING: /usr/bin/rateup could not read the primary log file for cpu
2010-02-26 02:56:40, Rateup WARNING: /usr/bin/rateup The backup log file for cpu was invalid as well
2010-02-26 02:56:40, Rateup WARNING: /usr/bin/rateup Can't remove cpu.old updating log file
2010-02-26 02:56:40, Rateup WARNING: /usr/bin/rateup Can't rename cpu.log to cpu.old updating log file

[root@arizona ~]# ls /root/mrtg/
cpu-day.png    localhost_2-day.png    localhost_2.old        localhost_3.log
cpu-month.png  localhost_2-month.png  localhost_3-day.png    localhost_3.old
cpu-week.png   localhost_2-week.png   localhost_3-month.png  mrtg-l.png
cpu-year.png   localhost_2-year.png   localhost_3-week.png   mrtg-m.png
cpu.html       localhost_2.html       localhost_3-year.png   mrtg-r.png
cpu.log        localhost_2.log        localhost_3.html

[root@arizona ~]# google-chrome /root/mrtg/cpu.html


- Free memory

[root@arizona ~]# snmpget -v 2c -c public 127.1 .1.3.6.1.4.1.2021.4.6.0
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 2891720 kB

[root@arizona ~]# snmpget -v 2c -c public 127.1 .1.3.6.1.4.1.2021.4.4.0
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 8387220 kB

[root@arizona ~]# free
             total       used       free     shared    buffers     cached
Mem:       4018048    1130472    2887576          0      38468     440504
-/+ buffers/cache:     651500    3366548
Swap:      8387220          0    8387220

Added to /etc/mrtg/mrtg.cfg:

# Memory Free
# memAvailReal/memAvailSwap are reported in kB, so MaxBytes is in kB (the values
# from free above) and the unit prefixes start at "k". These are gauges, so
# "absolute" (a counter option) does not belong in Options.
Target[mem]: .1.3.6.1.4.1.2021.4.6.0&.1.3.6.1.4.1.2021.4.4.0:public@localhost
MaxBytes1[mem]: 4018048
MaxBytes2[mem]: 8387220
Unscaled[mem]: dwmy
Options[mem]: gauge, growright, noinfo
YLegend[mem]: Mem Free (Bytes)
ShortLegend[mem]: Bytes
kilo[mem]: 1024
kMG[mem]: k,M,G,T,P
LegendI[mem]: Real
LegendO[mem]: Swap
Legend1[mem]: Free Memory [MBytes]
Legend2[mem]: Free Swap Memory [MBytes]
Title[mem]: Free Memory
PageTop[mem]: Free Memory


[root@arizona ~]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
2010-02-26 03:17:21, Rateup WARNING: /usr/bin/rateup Can't remove mem.old updating log file

[root@arizona ~]# ls /root/mrtg/
cpu-day.png          localhost_2-month.png  localhost_3-week.png  mem-year.png
cpu-month.png        localhost_2-week.png   localhost_3-year.png  mem.html
cpu-week.png         localhost_2-year.png   localhost_3.html      mem.log
cpu-year.png         localhost_2.html       localhost_3.log       mem.old
cpu.html             localhost_2.log        localhost_3.old       mrtg-l.png
cpu.log              localhost_2.old        mem-day.png           mrtg-m.png
cpu.old              localhost_3-day.png    mem-month.png         mrtg-r.png
localhost_2-day.png  localhost_3-month.png  mem-week.png


- Startup script

Change WorkDir in mrtg.cfg:

WorkDir: /var/www/mrtg

[root@arizona ~]# cat mrtg.sh 
#!/bin/bash
LOCK=/var/www/mrtg/mrtg_l
CONFCACHE=/var/www/mrtg/mrtg.ok
export LANG=ja_JP.UTF-8
mrtg /etc/mrtg/mrtg.cfg --lock-file $LOCK --confcache-file $CONFCACHE

[root@arizona ~]# chmod u+x mrtg.sh

Two notes on the script: mrtg refused to start under a UTF-8 LANG earlier, so if that error shows up when cron runs this, export LANG=C here instead; it is the Language: eucjp line in mrtg.cfg, not LANG, that decides the language and encoding of the generated pages. And the lock file and confcache are placed in the WorkDir that httpd serves below, which makes them downloadable; pointing them at /var/lib/mrtg or /var/run/mrtg keeps them out of the web root.

Run it three times (from the third run on there are no more errors)

[root@arizona ~]# ./mrtg.sh 
2010-02-26 03:32:35, Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_2
2010-02-26 03:32:35, Rateup WARNING: /usr/bin/rateup The backup log file for localhost_2 was invalid as well
2010-02-26 03:32:35, Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file
2010-02-26 03:32:35, Rateup WARNING: /usr/bin/rateup Can't rename localhost_2.log to localhost_2.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_3
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup The backup log file for localhost_3 was invalid as well
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't remove localhost_3.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't rename localhost_3.log to localhost_3.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup could not read the primary log file for cpu
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup The backup log file for cpu was invalid as well
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't remove cpu.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't rename cpu.log to cpu.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup could not read the primary log file for mem
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup The backup log file for mem was invalid as well
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't remove mem.old updating log file
2010-02-26 03:32:36, Rateup WARNING: /usr/bin/rateup Can't rename mem.log to mem.old updating log file
[root@arizona ~]# ./mrtg.sh 
2010-02-26 03:32:38, Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file
2010-02-26 03:32:38, Rateup WARNING: /usr/bin/rateup Can't remove localhost_3.old updating log file
2010-02-26 03:32:38, Rateup WARNING: /usr/bin/rateup Can't remove cpu.old updating log file
2010-02-26 03:32:38, Rateup WARNING: /usr/bin/rateup Can't remove mem.old updating log file
[root@arizona ~]# ./mrtg.sh 
[root@arizona ~]# 

[root@arizona ~]# ls /var/www/mrtg/
cpu-day.png            localhost_2-week.png   localhost_3.log  mrtg-l.png
cpu-month.png          localhost_2-year.png   localhost_3.old  mrtg-m.gif
cpu-week.png           localhost_2.html       mem-day.png      mrtg-m.png
cpu-year.png           localhost_2.log        mem-month.png    mrtg-r.gif
cpu.html               localhost_2.old        mem-week.png     mrtg-r.png
cpu.log                localhost_3-day.png    mem-year.png     mrtg-ti.gif
cpu.old                localhost_3-month.png  mem.html         mrtg-ti.png
favicon.ico            localhost_3-week.png   mem.log          mrtg.ok
localhost_2-day.png    localhost_3-year.png   mem.old
localhost_2-month.png  localhost_3.html       mrtg-l.gif

Run it periodically from cron

edit

[root@arizona ~]# crontab -e
*/5 * * * * /root/mrtg.sh

list

[root@arizona ~]# crontab -l
*/5 * * * * /root/mrtg.sh

- Make it viewable on the web

httpd reads conf.d/*.conf through the Include directive in httpd.conf at startup.

[root@arizona ~]# egrep -v "^#" /etc/httpd/conf.d/mrtg.conf
Alias /mrtg /var/www/mrtg

<Directory /var/www/mrtg/>
    Order deny,allow
    Deny from all
    Allow from all
    Allow from 127.0.0.1
    Allow from ::1
</Directory>

Note: the "Allow from all" line is an addition to the Fedora default, and with Order deny,allow it overrides "Deny from all", so the graphs are readable by anyone who can reach port 80. They expose host names, interface names and load and memory figures, so either remove that line (keeping only the loopback entries) or replace it with the admin subnet, e.g. "Allow from 192.168.1.0/24", and consider Basic authentication on top.

[root@arizona ~]# apachectl start

- Create the index page

[root@arizona ~]# indexmaker --columns=1 --addhead='' /etc/mrtg/mrtg.cfg > /var/www/mrtg/index.html

Top page

http://127.0.0.1/mrtg/index.html



The characters are garbled... oh well.

(The most likely cause on Fedora: httpd.conf sets AddDefaultCharset UTF-8, which goes out in the Content-Type header and overrides the EUC-JP meta tag that Language: eucjp writes into the pages. Either add AddDefaultCharset EUC-JP inside the <Directory /var/www/mrtg/> block in mrtg.conf, or drop the Language line so the pages are plain ASCII English.)




Fedora 11: fixing the yum error "Cannot retrieve repository metadata (repomd.xml)"

Not sure why, but when I tried to update, this error appeared and yum update stopped working.

[root@arizona ~]# yum update -y
Loaded plugins: refresh-packagekit
Error: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

Fix

Edit fedora.repo and fedora-updates.repo in /etc/yum.repos.d:
uncomment every baseurl line in both files, and
comment out every mirrorlist line.

Like this:

baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch

Install yum-fastestmirror

# yum install -y yum-fastestmirror

yum works again (the error is gone).

Caveat: the mirrorlist entry is a metalink fetched over https, and it carries checksums of repomd.xml that yum verifies. With a plain http baseurl that check is gone and the only remaining integrity check is the GPG signature on each package, so keep gpgcheck=1 in every section, and switch back to the metalink once it works again.
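The edit above is mechanical and easy to get half-done across several .repo files, so here is an added example (not part of the original page) that makes the baseurl/mirrorlist switch with sed and then checks that every section of the file still has gpgcheck=1. The sample repo file is constructed after the Fedora 11 layout; the file name and the local-test section used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: switch a yum .repo file from
# mirrorlist to baseurl as described above, then confirm that package
# signature checking is still enabled in every section. The sample file
# is constructed (Fedora 11 style; $releasever/$basearch stay literal).

# repo_use_baseurl FILE: uncomment baseurl= lines, comment out mirrorlist= lines, in place.
repo_use_baseurl() {
    sed -e 's/^[[:space:]]*#[[:space:]]*\(baseurl=\)/\1/' \
        -e 's/^[[:space:]]*\(mirrorlist=\)/#\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# repo_gpgcheck_ok FILE: print every [section] lacking gpgcheck=1; return 1 if any.
repo_gpgcheck_ok() {
    awk '
        /^\[.*\]$/ {
            if (sec != "" && !ok) { print sec; bad = 1 }
            sec = $0; ok = 0; next
        }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END {
            if (sec != "" && !ok) { print sec; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample repo file (two sections, mirrorlist active, baseurl commented).
write_sample_repo() {
    cat > "$1" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
failovermethod=priority
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch

[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
EOF
}

# Demo (on a real host: for f in /etc/yum.repos.d/fedora*.repo; do repo_use_baseurl "$f"; done).
tmp=$(mktemp -d)
write_sample_repo "$tmp/fedora.repo"
repo_use_baseurl "$tmp/fedora.repo"
grep -nE 'baseurl=|mirrorlist=' "$tmp/fedora.repo"
repo_gpgcheck_ok "$tmp/fedora.repo" && echo "gpgcheck=1 present in every section"
rm -rf "$tmp"
```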

Check

# yum update -y
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update
[root@arizona yum.repos.d]#

[root@arizona yum.repos.d]# yum list | head -10
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
Installed Packages
Canna-libs.x86_64 3.7p3-27.fc11 installed
ConsoleKit.x86_64 0.3.0-8.fc11 installed
ConsoleKit-libs.x86_64 0.3.0-8.fc11 installed
ConsoleKit-x11.x86_64 0.3.0-8.fc11 installed
DeviceKit.x86_64 003-1 installed
DeviceKit-disks.x86_64 004-5.fc11 installed
DeviceKit-power.x86_64 010-0.3.20090810git.fc11 installed
[root@arizona yum.repos.d]#

expect: process monitoring

expect lets you script a telnet session (send xx, wait for the response xx, and so on). That can be used for process monitoring, for example.

[root@arizona ~]# cat /etc/fedora-release
Fedora release 11 (Leonidas)

[root@arizona ~]# uname -r
2.6.30.10-105.2.23.fc11.x86_64

[ Install the expect package ]

[root@arizona ~]# yum install -y expect.x86_64

[ Generate a starting point for the expect script with autoexpect ]

autoexpect records the session into a file called script.exp. Editing that file is the easy way to get a working script.

[root@arizona ~]# autoexpect telnet 127.1 80
autoexpect started, file is script.exp
Trying 127.0.0.1...
Connected to 127.1.
Escape character is '^]'.
GET / HTTP1.0

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 01:12:20 GMT
Server: Apache/2.2.13 (Fedora)
Last-Modified: Tue, 23 Feb 2010 01:12:13 GMT
ETag: "4b027d-0-4803a3d5ff540"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
autoexpect done, file is script.exp


- The result is written to script.exp

[root@arizona ~]# egrep -v "^#" script.exp

set force_conservative 0 ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

set timeout -1                    <- timeout; -1 waits forever
spawn telnet 127.1 80             <- run telnet
match_max 100000
expect -exact "Trying 127.0.0.1...\r\r
Connected to 127.1.\r\r
Escape character is '^\]'.\r\r
"                                 <- -exact: the quoted string has to match exactly as written
send -- "GET / HTTP1.0\r"         <- after connecting, send the GET
expect -exact "GET / HTTP1.0\r
"
send -- "\r"
expect eof                        <- wait for end of file (the server closes the connection)


[ Run the script ]

[root@arizona ~]# ./script.exp
spawn telnet 127.1 80
Trying 127.0.0.1...
Connected to 127.1.
Escape character is '^]'.
GET / HTTP1.0

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 01:17:25 GMT
Server: Apache/2.2.13 (Fedora)
Last-Modified: Tue, 23 Feb 2010 01:12:13 GMT
ETag: "4b027d-0-4803a3d5ff540"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

[ Adjustments ]

set force_conservative 1

This puts a short pause before each character sent, so that input is not sent too fast.

Relax the -exact patterns: drop -exact, and a match on part of the buffer is enough.

- Timeout handling

With set timeout -1 the script waits forever when there is no response.
Change it to set timeout 3.

- Error handling

What to do on a timeout: print Failed and exit.

proc abort {} {
    send_error "Failed\n"
    exit 1
}

#set timeout -1
set timeout 3
spawn telnet 127.1 80
match_max 100000

default abort = what to do on timeout (default also covers eof, i.e. the connection closing before the pattern arrives),
or
wait for Escape character is '^\]'.\r\r

expect {
    default abort
    "Escape character is '^\]'.\r\r"
}

send -- "GET / HTTP1.0\r"
expect {
    default abort
    "GET / HTTP1.0\r"
}

send -- "\r"

timeout abort aborts on a timeout,
or
wait for end of file.

expect {
    timeout abort
    eof
}

- Arguments

set host [lindex $argv 0]
set port [lindex $argv 1]

#set timeout -1
set timeout 3
#spawn telnet 127.1 80
spawn telnet $host $port

Run with arguments

[root@arizona ~]# ./script.exp 192.168.1.150 80
spawn telnet 192.168.1.150 80
Trying 192.168.1.150...
Connected to 192.168.1.150.
Escape character is '^]'.
GET / HTTP1.0

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 01:45:12 GMT
Server: Apache/2.2.13 (Fedora)
Last-Modified: Tue, 23 Feb 2010 01:12:13 GMT
ETag: "4b027d-0-4803a3d5ff540"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
[root@arizona ~]#
[root@arizona ~]# ./script.exp 127.1 80
spawn telnet 127.1 80
Trying 127.0.0.1...
Connected to 127.1.
Escape character is '^]'.
GET / HTTP1.0

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 01:45:24 GMT
Server: Apache/2.2.13 (Fedora)
Last-Modified: Tue, 23 Feb 2010 01:12:13 GMT
ETag: "4b027d-0-4803a3d5ff540"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
[root@arizona ~]#

Run it from cron at some interval. Adding a mail alert makes it more generally useful; that is for another time.

Two corrections to the recorded session before relying on it: the request line typed above, GET / HTTP1.0, is missing the slash (it should be GET / HTTP/1.0); Apache 2.2 answered anyway because it treats an unrecognised protocol token as HTTP/1.0, but newer releases reject such a request line. And waiting only for eof means a 500 or a 403 still counts as success, so the script below waits for a 200 status line before the eof.

#!/usr/bin/expect -f
set force_conservative 1 ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

# print Failed and exit non-zero on timeout or an unexpected disconnect
proc abort {} {
    send_error "Failed\n"
    exit 1
}

set host [lindex $argv 0]
set port [lindex $argv 1]

set timeout 3
spawn telnet $host $port
match_max 100000
expect {
    default abort
    "Escape character is '^\]'.\r\r"
}

# request line with the protocol slash; the echo comes back from the pty
send -- "GET / HTTP/1.0\r"
expect {
    default abort
    "GET / HTTP/1.0\r"
}

# blank line ends the request; then require a 200 status, not just any reply
send -- "\r"
expect {
    default abort
    -re "HTTP/1\\.\[01\] 200"
}
expect {
    timeout abort
    eof
}
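The deferred part, running the check from cron with an alert, is mostly about not alerting every five minutes once something is down. As an added example (not part of the original page), here is a shell wrapper that runs any checker command such as ./script.exp above, keeps the last result in a state file, and raises an alert only on a state change (OK to FAIL, or FAIL back to OK). Mail goes through mail(1) only when ALERT_TO is set; every alert is also appended to a log under STATE_DIR. The paths, the variable names and the demo that uses true/false in place of the real check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: cron wrapper with state-change
# alerting for a checker such as /root/script.exp HOST PORT. Assumes mail(1)
# for delivery (used only if ALERT_TO is set); alerts are always logged to
# $STATE_DIR/alerts.log. Paths are assumptions.

STATE_DIR=${STATE_DIR:-/var/lib/checks}

# notify SUBJECT BODY: append to the alert log, and mail if configured.
notify() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$STATE_DIR/alerts.log"
    if [ -n "${ALERT_TO:-}" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$2" | mail -s "$1" "$ALERT_TO"
    fi
}

# run_check NAME COMMAND [ARGS...]: run the check, remember its state, alert on
# transitions only. Returns 0 if the command succeeded, 1 otherwise.
run_check() {
    local name state_file prev out new
    name=$1; shift
    mkdir -p "$STATE_DIR"
    state_file=$STATE_DIR/$name.state
    prev=$(cat "$state_file" 2>/dev/null || echo UNKNOWN)
    if out=$("$@" 2>&1); then new=OK; else new=FAIL; fi
    printf '%s\n' "$new" > "$state_file"
    if [ "$new" != "$prev" ]; then
        # on the very first run only a failure is worth an alert
        if [ "$new" = FAIL ] || [ "$prev" != UNKNOWN ]; then
            notify "[$name] $prev -> $new" "$out"
        fi
    fi
    [ "$new" = OK ]
}

# Cron usage (every 5 minutes), with the expect script from above as the check:
#   */5 * * * * STATE_DIR=/var/lib/checks ALERT_TO=root /root/check.sh
# where check.sh sources this file and calls: run_check www /root/script.exp 127.1 80
#
# Demo with true/false standing in for the real check, safe to run anywhere:
STATE_DIR=$(mktemp -d)
run_check www-demo false || echo "www-demo: FAIL (alert raised)"
run_check www-demo false || echo "www-demo: still FAIL (no new alert)"
run_check www-demo true  && echo "www-demo: recovered (alert raised)"
cat "$STATE_DIR/alerts.log"
rm -rf "$STATE_DIR"
```

The "Failed" message and the non-zero exit of script.exp are what run_check keys on, so the expect script needs no changes; its output is captured and becomes the mail body.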


KVM PCI pass-through

host: Fedora11 64bit
guest: WinXP Pro

qemu-kvm-0.10.6-9.fc11.x86_64

Virtual Machine -> Details -> Add Hardware -> Physical Host Device

Pick the device to pass through.

Assign the NIC (eth0).

02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)



Once assigned, eth0 disappears from the host.

- Before assigning

[root@arizona ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:1D:60:77:A1:38
inet addr:192.168.1.150 Bcast:192.168.255.255 Mask:255.255.0.0

- After assigning

[root@arizona ~]# ifconfig eth0
eth0: error fetching interface information: Device not found

The syslog shows eth0 being detached from the host.

arizona avahi-daemon[1535]: Interface eth0.IPv4 no longer relevant for mDNS.
arizona avahi-daemon[1535]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.1.150.
arizona avahi-daemon[1535]: Withdrawing address record for fe80::21d:60ff:fe77:a138 on eth0.
arizona avahi-daemon[1535]: Withdrawing address record for 192.168.1.150 on eth0.
arizona kernel: r8169 0000:02:00.0: PCI INT A disabled

Start the VM and that's it.

Security note: a passed-through PCI device is driven by the guest, including its DMA engine. Unless the host has an IOMMU (Intel VT-d / AMD-Vi) enabled, the guest can use the device to read and write arbitrary host memory, which makes it effectively host-privileged. Only pass devices through on IOMMU hardware, or only to guests trusted as much as the host.

From the CLI, pass-through is -pcidevice host=bus:dev.func[,dma=none][,name=string]; bus:dev.func comes from lspci.

[root@arizona ~]# ps aux | grep kvm | grep -v grep
root 2831 25.1 13.4 967728 541180 ? Sl 09:33 1:06 /usr/bin/qemu-kvm -S -M pc -m 512 -smp 1 -name winxp-vm -uuid 3870f9f5-0025-4a83-37de-45f8a6b6f4b5 -monitor pty -pidfile /var/run/libvirt/qemu//winxp-vm.pid -localtime -boot c -drive file=/var/lib/libvirt/images/winxp-vm.img,if=ide,index=0,boot=on -drive file=,if=ide,media=cdrom,index=2 -net none -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -soundhw es1370 -pcidevice host=02:00.0

[root@arizona ~]# lspci
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:00.0 VGA compatible controller: nVidia Corporation GeForce 8500 GT (rev a1)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)

BIND vs unbound: differences in ANY query handling

The answers to an ANY query differed, so I captured the traffic: BIND and unbound appear to process ANY queries differently.

BIND 9.6.2rc1
unbound 1.4.1

BIND sends the ANY query to x.gtld-servers.net and stops there.

unbound, after the ANY query to x.gtld-servers.net, also sends an ANY query to google.com's own name servers (ns1-4.google.com).

Why: the gTLD server is not authoritative for google.com, so its reply is a referral, i.e. only the delegation NS set. BIND 9 answers an ANY query from whatever it already holds in cache for the name, and here that is just the NS RRset learned from the referral, so the client sees NS records and nothing else. unbound follows the referral to an authoritative server and returns the complete set (A, NS, SOA, MX, TXT). For anyone running a resolver: unbound's complete answer is large, which is exactly why ANY queries over UDP are popular for reflection amplification, so do not leave the resolver open to the world.

- BIND

# dig @127.1 google.com any

; <<>> DiG 9.6.2rc1 <<>> @127.1 google.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8129
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN ANY

;; ANSWER SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
google.com. 172800 IN NS ns1.google.com.

;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns4.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 172800 IN A 216.239.32.10
ns2.google.com. 172800 IN A 216.239.34.10
ns3.google.com. 172800 IN A 216.239.36.10
ns4.google.com. 172800 IN A 216.239.38.10

BIND's IP is 192.168.73.128
C.GTLD-SERVERS.NET. A 192.26.92.30

# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 192.168.73.128 -> 192.26.92.30 DNS Standard query ANY google.com
0.194115 192.26.92.30 -> 192.168.73.128 DNS Standard query response NS ns1.google.com NS ns2.google.com NS ns3.google.com NS ns4.google.com

- unbound

# dig @127.1 google.com any

; <<>> DiG 9.6.2rc1 <<>> @127.1 google.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18219
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN ANY

;; ANSWER SECTION:
google.com. 300 IN A 66.249.89.103
google.com. 300 IN A 66.249.89.104
google.com. 300 IN A 66.249.89.147
google.com. 300 IN A 66.249.89.99
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns3.google.com.
google.com. 345600 IN NS ns4.google.com.
google.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1406920 7200 1800 1209600 300
google.com. 900 IN MX 100 google.com.s9a1.psmtp.com.
google.com. 900 IN MX 400 google.com.s9b2.psmtp.com.
google.com. 900 IN MX 200 google.com.s9a2.psmtp.com.
google.com. 900 IN MX 300 google.com.s9b1.psmtp.com.
google.com. 3600 IN TXT "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"


unbound's IP is 192.168.73.127 (the capture below shows 192.168.73.128 as the source)
M.GTLD-SERVERS.NET. A 192.55.83.30
216.239.36.10 is ns3.google.com

# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 192.168.73.128 -> 192.55.83.30 DNS Standard query ANY google.com
0.092377 192.55.83.30 -> 192.168.73.128 DNS Standard query response NS ns1.google.com NS ns2.google.com NS ns3.google.com NS ns4.google.com
0.092825 192.168.73.128 -> 216.239.36.10 DNS Standard query ANY google.com
0.135005 216.239.36.10 -> 192.168.73.128 DNS Standard query response A 66.249.89.103 A 66.249.89.104 A 66.249.89.147 A 66.249.89.99 NS ns1.google.com NS ns2.google.com SOA ns1.google.com MX 100 google.com.s9a1.psmtp.com NS ns3.google.com TXT NS ns4.google.com MX 400 google.com.s9b2.psmtp.com MX 200 google.com.s9a2.psmtp.com MX 300 google.com.s9b1.psmtp.com

Unbound DNSSEC ITAR

[root@arizona unbound]# cat /etc/fedora-release
Fedora release 12 (Constantine)

unbound 1.3.4

Download the ITAR

Download http://unbound.nlnetlabs.nl/svn/trunk/contrib/update-itar.sh

The shell script update-itar.sh writes the IANA ITAR PGP public key file and downloads anchors.mf (the ITAR), checking its PGP signature against that key.

Try running it.

[root@arizona ~]# ./update-itar.sh
creating default IANA ITAR pgp key file
Updating ./anchors.mf

[root@arizona ~]# cat update-itar.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5

mQGiBElr2DcRBAC+6YK6eSP7rzstvnMPQXMrpvVfuIR5FeTpGuwae9JP78V/iOXr
N0yW8Dn6kdAztCMuRizL1Ij9IgaD7pjn8h09VgR4cN4LDv75rcQeWLzNxKy4UNRF

[root@arizona ~]# cat anchors.mf
;
; Interim Trust Anchor Repository
; (Master file format)
;
; See https://itar.iana.org/ for details. This is currently an
; experimental service.
;
; Generated: 2010-01-14 05:45:03.891648
; Serial: 35
;

BG. DS 46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
CH. DS 54624 7 1 66B273B62A7282590410B4E6831A665A930CC2E9
CZ. DS 7978 5 1 9B6C3898470914CDDA98D0CC001688CB32C17A09

- Edit unbound.conf

trust-anchor-file: "/etc/unbound/anchors.mf"

- Copy update-itar.sh to /etc/unbound

[root@arizona ~]# cp update-itar.sh /etc/unbound/

- Write the PGP key file, download anchors.mf, reload unbound

Before running

[root@arizona ~]# cd /etc/unbound/
[root@arizona unbound]# pwd
/etc/unbound
[root@arizona unbound]# ls
unbound.conf unbound_control.key unbound_server.key update-itar.sh
unbound.conf.bak unbound_control.pem unbound_server.pem

Run

[root@arizona unbound]# ./update-itar.sh && unbound-control reload
creating default IANA ITAR pgp key file
Updating ./anchors.mf
ok

After running

[root@arizona unbound]# ls
anchors.mf unbound_control.key unbound_server.pem
unbound.conf unbound_control.pem update-itar.key
unbound.conf.bak unbound_server.key update-itar.sh

Check: the ad bit is set, so the answer passed DNSSEC validation against the trust anchor.

[root@arizona unbound]# dig @127.1 org SOA +dnssec +multiline

; <<>> DiG 9.6.1-P3-RedHat-9.6.1-16.P3.fc12 <<>> @127.1 org SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1077
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA

;; ANSWER SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. (
2009012953 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
org. 900 IN RRSIG SOA 7 1 900 20100227030417 (
20100213020417 32114 org.
QeOfzn4qX2d2dJZCtTkfo5ulOO2LQ/F4EfTe7bddfJNr
cUUz+gJbUTCsccbl02nuXUq8UxyWwb/gcj5/ktNIXgtM
bABwFqBCkI2cgNZYdrD4rGGEwwu/TMUdnZG5qHJElq4r
0hbkKHQnZPAMuZS65BiSPtoAejO9y5CT3ZLPZHs= )

;; AUTHORITY SECTION:
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20100223154523 (
20100209144523 32114 org.
OU7YwbDZm+30Ycqk8vCxCx0hqLPOPhFGfggoNMxtGJMG
SjHYW//Jj557AsS7+LN1T9huJczJsdRA98w36qlKTWZ3
TZeW6YahsJeXScbPd7oBLcKyXOPCkQUxz3g1pVcHjlUU
UCC98BkgUaEHK5VJa1WrrrCvRkVqh47xlDIfhlI= )

This script is handy.

Two caveats. The trust in the downloaded anchors rests entirely on the IANA PGP key that the script writes out, and the script itself was fetched over plain http, so compare that key's fingerprint with the one IANA publishes before relying on it. And the ITAR was an interim measure only: once the root zone was signed (July 2010) the repository was retired, and the right setup since then is the root trust anchor via auto-trust-anchor-file (maintained with unbound-anchor in newer releases) rather than per-TLD anchors.

Fedora 12 X11 resolution

The Fedora 12 X11 resolution problem seems to be solved.

Graphics card: ATI Radeon X1250

[root@arizona ~]# cat /etc/fedora-release
Fedora release 12 (Constantine)

[root@arizona ~]# uname -r
2.6.31.12-174.2.3.fc12.x86_64

After installation the first boot came up at 1024x768, but after a reboot the resolution dropped to 800x600. That now seems to be fixed.

Adding nomodeset to the kernel parameters brought it back to 1024x768. (nomodeset turns off kernel mode setting, so the X server's driver sets the video mode itself instead of inheriting the one chosen by the kernel's radeon KMS driver.)

[root@arizona ~]# egrep -ni nomod /etc/grub.conf
16: kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.x86_64 ro root=UUID=4f227b43-321b-4ed4-9bf0-6124eb0fbb04 nomodeset LANG=ja_JP.UTF-8 KEYBOARDTYPE=pc KEYTABLE=jp106 rhgb quiet


This did not happen on Fedora 11 (with no xorg.conf at all).

On Fedora 12, even creating an xorg.conf with system-config-display and specifying 1024x768 did not help; I had been stuck at 800x600, but it is finally solved.
Rebooted about ten times and it comes up at 1024x768 every time.

I'll see how it goes for a while.

The "Miscellaneous problems with ATI / AMD graphics adapters" entry at http://fedoraproject.org/wiki/Common_F12_bugs says nomodeset may help when the GUI is unstable or hangs; tried it and it seems to work.

SSL client authentication: does the browser reuse the session ID?

Closing the browser and opening it again triggers client authentication again; the session ID from the previous run is not reused.

In an environment with client authentication, if a new browser session could skip the client certificate exchange and be accepted just by reusing a session ID, that would lower the security level, so this seems like reasonable behaviour.

What is actually going on: Firefox keeps its TLS session cache in memory only, so nothing survives a restart. Within one browser run, sessions are resumed (the same Session ID appears in Client Hello and Server Hello), and a resumed handshake carries no Certificate or CertificateVerify messages at all; the server accepts it because its own session cache entry is bound to the client identity it already verified. So resumption is by design, and what it relies on is the secrecy of the session cache on both ends rather than a second certificate check. To test resumption without a browser, openssl s_client -connect host:443 -cert client.pem -key client.key -reconnect performs one full handshake followed by five resumed ones.

Capture after opening and closing the browser three times against the client-auth site.

The Session ID is different each time, and client authentication is requested each time.

ブラウザ: Firefox 3.6
Apache/2.2.14 ( Fedora 12 )

# tshark -r https_client_auth_firefox.pcap -V | grep -i "session id:" | uniq
Session ID: 02EE3BAE95127C2F638B8BD549447377F1FDBB9EC1488FE3...
Session ID: 3BDA2066314EE28B5478EE88C7C18F3917AF4B567073DD8B...
Session ID: 38976C180DA4FAF4F41E814A14CA8C1F6D2747AD7A33D3F2...

Linux bonding setup

# cat /etc/fedora-release
Fedora release 12 (Constantine)

# uname -r
2.6.31.5-127.fc12.i686.PAE

- bonding module configuration

# pwd
/etc/modprobe.d

# cat bonding
alias bond0 bonding
options bond0 mode=1 miimon=100

mode=0: round robin (balance-rr)
mode=1: active-backup
miimon=0: no MII link monitoring
miimon=100: poll the link state via MII every 100 ms

(Later module-init-tools releases warn about files in /etc/modprobe.d without a .conf suffix and will ignore them, so name it bonding.conf there.)

- Network interface configuration

Bond eth1 and eth2.

# pwd
/etc/sysconfig/network-scripts

# cp ifcfg-eth1 ifcfg-bond0

# cat ifcfg-bond0
DEVICE=bond0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.100.200
NETMASK=255.255.255.0

# cat ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes

# cat ifcfg-eth2
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes

# reboot

# lsmod | grep bonding
bonding 94356 0
ipv6 239428 22 bonding,sit,ip6t_REJECT,nf_conntrack_ipv6

# ifconfig bond0 | grep "inet addr"
inet addr:192.168.100.200 Bcast:192.168.100.255 Mask:255.255.255.0

Which slave is active is shown in /proc/net/bonding/bond0.

Currently Active Slave: eth1 <- eth1 is active

# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1 <- eth1 is active
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4b:cf:e5

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4b:cf:ef

To check that eth2 takes over, take eth1 down and up again.

# ifdown eth1;ifup eth1

eth2 became active.

# egrep -i active /proc/net/bonding/bond0
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth2 <- eth2 is active

It does not fail back to eth1. That is because no primary slave is set (Primary Slave: None above); with primary=eth1 in the module options the bond switches back to eth1 as soon as its link returns.

All three interfaces carry the same MAC address (the active-backup default, fail_over_mac=0, gives every slave the bond's MAC).

# ifconfig | grep -i HWaddr
bond0 Link encap:Ethernet HWaddr 00:0C:29:4B:CF:E5
eth1 Link encap:Ethernet HWaddr 00:0C:29:4B:CF:E5
eth2 Link encap:Ethernet HWaddr 00:0C:29:4B:CF:E5
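Reading /proc/net/bonding/bond0 by eye is fine once; for cron or a monitoring agent it helps to have a check that reports the active slave and fails when a slave is down. The following is an added example (not part of the original page) that parses the file format shown above with awk; the two sample files are constructed from the page's output, the second one representing the state after eth1 lost its link and eth2 took over. The function name and the logger tag in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: a bonding health check that
# reads /proc/net/bonding/<bond> (format as shown above). Prints the active
# slave, slave count, how many are down and the summed link failure counts;
# exits 1 when any slave is down or no slave is active. Samples are constructed.

# bond_status FILE: FILE is /proc/net/bonding/bondX or a saved copy of it.
bond_status() {
    awk '
        /^Currently Active Slave:/ { active = $4 }
        /^Slave Interface:/        { slave = $3; n++ }
        /^MII Status:/ && slave != "" && $3 != "up" { down++; list = list " " slave }
        /^Link Failure Count:/     { failures += $4 }
        END {
            extra = down ? " down_slaves:" list : ""
            printf "active=%s slaves=%d down=%d failures=%d%s\n", active, n, down, failures, extra
            exit (down > 0 || active == "" || active == "None")
        }
    ' "$1"
}

# Constructed sample: both slaves up, eth1 active (as on the page).
write_bond_healthy() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4b:cf:e5

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4b:cf:ef
EOF
}

# Constructed sample: eth1 lost its link once, eth2 took over, eth1 still down.
write_bond_degraded() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:0c:29:4b:cf:e5

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4b:cf:ef
EOF
}

# Demo on the samples; on a live host:
#   bond_status /proc/net/bonding/bond0 || logger -t bondcheck "bond0 degraded"
f=$(mktemp)
write_bond_healthy "$f";  bond_status "$f" || echo "bond degraded"
write_bond_degraded "$f"; bond_status "$f" || echo "bond degraded"
rm -f "$f"
```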

Apache SSL client authentication

# cat /etc/redhat-release
Fedora release 12 (Constantine)

1. Build a private CA

CA script

/etc/pki/tls/misc/CA

Variables in the CA script:

CATOP=/etc/pki/CA <- the CA directory
CAKEY=./cakey.pem <- the CA private key
CAREQ=./careq.pem
CACERT=./cacert.pem <- the CA certificate

Build the CA

# pwd
/etc/pki/tls/misc

[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
........................................+++
.............................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:secret
Verifying - Enter PEM pass phrase:secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 27 17:30:25 2010 GMT
Not After : Jan 26 17:30:25 2013 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 26 17:30:25 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#

CA private key: /etc/pki/CA/private/cakey.pem
CA certificate: /etc/pki/CA/cacert.pem

Check the Basic Constraints before using this CA: the certificate details printed above show "CA:FALSE" together with the "OpenSSL Generated Certificate" comment, which is what the usr_cert extension section produces, not v3_ca. OpenSSL's path validation, and therefore mod_ssl when it verifies a client certificate, rejects a v3 issuer certificate that is not marked CA:TRUE ("invalid CA certificate"). If openssl x509 -in cacert.pem -text shows CA:FALSE, regenerate the CA with the v3_ca extension section (the stock CA script passes -extensions v3_ca to openssl ca -selfsign).

# openssl x509 -in cacert.pem -text | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption

# openssl rsa -in cakey.pem -text | head -5
Enter pass phrase for cakey.pem:secret
writing RSA key
Private-Key: (2048 bit)
modulus:
00:bf:3c:59:56:49:8d:69:0e:50:2a:d6:f0:cd:0a:
67:82:ff:ed:18:a2:07:1d:26:c8:94:4c:63:f8:07:
de:32:aa:9d:05:5c:d7:16:9f:08:dc:f1:50:cb:50:


2. Creating the server's private key and certificate signing request

# mkdir /usr/local/ssl-server
# cd /usr/local/ssl-server/

Creating the server's private key

[root@localhost ssl-server]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:server
Verifying - Enter pass phrase for server.key:server

Remove the passphrase from the private key.

# openssl rsa -in server.key -out server_no_pass.key
Enter pass phrase for server.key:server
writing RSA key

Creating the certificate signing request (CSR)

When using a self-signed CA on the same server, enter the same information as for the CA.
If it differs, you get an error telling you to make it match.

If you enter information different from the CA's, you get an error like the one below.
I got stuck on this error.

The stateOrProvinceName field needed to be the same in the
CA certificate (test) and the request (aaa)

[root@localhost ~]# cd /usr/local/ssl-server/
[root@localhost ssl-server]# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Have the CA sign the CSR you created (csr.pem).

3. Creating the server certificate with the CA

# pwd
/etc/pki/tls

# cp openssl.cnf openssl_server.cnf

Enable (uncomment) the following line in openssl_server.cnf

nsCertType = server

Signing

When using a self-signed CA on the same server, enter the same information as for the CA.
If it differs, you get an error telling you to make it match.

[root@localhost tls]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:49:01 2010 GMT
Not After : Jan 27 17:49:01 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 27 17:49:01 2011 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Hmm, an error..

failed to update database
TXT_DB error number 2

Googling around: deleting the index.txt in the directory given by dir in the openssl config ( openssl_server.cnf )
and creating an empty one apparently makes it work.

# less /etc/pki/tls/openssl_server.cnf
dir = /etc/pki/CA

[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# ls *.txt
index.txt
[root@localhost CA]# cat index.txt
V 130126173025Z 00 unknown /C=JP/ST=test/O=test/OU=test/CN=test

Delete

[root@localhost CA]# rm index.txt
rm: remove 通常ファイル `index.txt'? y

Create

[root@localhost CA]# touch index.txt

Run it again. It worked.

[root@localhost CA]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:57:48 2010 GMT
Not After : Jan 27 17:57:48 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 27 17:57:48 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Server certificate: /usr/local/ssl-server/cert.pem

[root@localhost ssl-server]# cat /usr/local/ssl-server/cert.pem | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption


4. Configuring Apache SSL

Server certificate: /usr/local/ssl-server/cert.pem <- signed by the CA
Server private key: /usr/local/ssl-server/server_no_pass.key

Edit /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /usr/local/ssl-server/cert.pem
SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key

Start

[root@localhost ~]# apachectl start

[root@localhost ~]# lsof -i:443 | head -2
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1599 root 6u IPv6 9209 0t0 TCP *:https (LISTEN)



[ Client authentication ]

Create a client certificate signing request for the CA to sign.
First, create the client's private key.

[root@localhost ~]# mkdir /usr/local/ssl-client

[root@localhost ~]# cd /usr/local/ssl-client/

[root@localhost ssl-client]# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:client
Verifying - Enter pass phrase for client.key:client


Creating the CSR

[root@localhost ssl-client]# openssl req -new -days 365 -key client.key -out client_csr.pem
Enter pass phrase for client.key:client
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Creating the client certificate with the CA

Editing openssl.cnf

[root@localhost tls]# pwd
/etc/pki/tls

[root@localhost tls]# cp openssl.cnf openssl_client.cnf

Enable (uncomment) the following line

nsCertType = client, email

Signing

[root@localhost ssl-client]# pwd
/usr/local/ssl-client

[root@localhost ssl-client]# rm /etc/pki/CA/index.txt
rm: remove 通常ファイル `/etc/pki/CA/index.txt'? y
[root@localhost ssl-client]# touch /etc/pki/CA/index.txt

[root@localhost ssl-client]# openssl ca -config /etc/pki/tls/openssl_client.cnf -in client_csr.pem -out client_cert.pem
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 28 14:57:07 2010 GMT
Not After : Jan 28 14:57:07 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
25:EE:8E:80:2D:6D:E7:0A:C0:F2:F9:C8:2A:40:89:00:EA:C2:6B:BE
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 28 14:57:07 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl-client]#

Client certificate: /usr/local/ssl-client/client_cert.pem

Convert to PKCS12 format

Include the CA certificate as well.

[root@localhost ssl-client]# openssl pkcs12 -export -in client_cert.pem -inkey client.key -certfile /etc/pki/CA/cacert.pem -out client_cert.p12
Enter pass phrase for client.key:client
Enter Export Password:client
Verifying - Enter Export Password:client

It is a binary file.

[root@localhost ssl-client]# file client_cert.p12
client_cert.p12: data


Create a symbolic link to the CA certificate named <hash of the CA certificate>.0 ( this is also needed )

# pwd
/etc/pki/CA

# ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0

# ls -l
lrwxrwxrwx 1 root root 4665d33.0 -> cacert.pem

- httpd configuration

CA certificate: /etc/pki/CA/cacert.pem
Client private key: /usr/local/ssl-client/client.key
Client certificate: /usr/local/ssl-client/client_cert.pe

- /etc/httpd/conf.d/ssl.conf

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /usr/local/ssl-server/cert.pem <- server certificate

SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key <- server private key

SSLCertificateChainFile /etc/pki/CA/cacert.pem <- CA certificate

SSLCACertificatePath /etc/pki/CA <- CA path
SSLCACertificateFile /etc/pki/CA/cacert.pem <- CA certificate

SSLVerifyClient require
SSLVerifyDepth 10

# apachectl start
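The CA, server-certificate and client-certificate steps above as one script (an added example, not this page's own commands): a disposable CA that signs a server CSR and a client CSR carrying the same subject without deleting index.txt, because unique_subject = no replaces the default setting that produces "TXT_DB error number 2"; it then exports the PKCS#12 bundle, creates the <hash>.0 symlink and verifies both certificates. The working directory, subjects and export password are constructed, and the CA key is left unencrypted only because this CA is throwaway.

```shell
# Added example, not the page's own commands: a disposable CA run with
# `openssl ca` that issues a server and a client certificate with the SAME
# subject without deleting index.txt ("TXT_DB error number 2" is the default
# unique_subject = yes rejecting a duplicate subject; "no" keeps the DB intact).
build_pki() {                     # $1 = absolute work dir (constructed, created here)
  D="$1"; mkdir -p "$D/newcerts" && cd "$D" || return 1
  : > index.txt; echo 01 > serial # empty DB and first serial, as openssl ca expects
  cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $D
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions ca_ext \
    -subj /CN=TestCA -keyout cakey.pem -out cacert.pem 2>/dev/null || return 1
  for n in server client; do      # identical subjects, different extendedKeyUsage
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=test \
      -keyout $n.key -out $n.csr 2>/dev/null || return 1
    openssl ca -batch -config ca.cnf -extensions ${n}_ext -in $n.csr -out $n.pem \
      2>/dev/null || return 1
  done
  # PKCS#12 bundle including the CA cert for the browser, as on the page.
  openssl pkcs12 -export -in client.pem -inkey client.key -certfile cacert.pem \
    -out client.p12 -passout pass:client || return 1
  # <hash>.0 symlink so a CApath lookup (SSLCACertificatePath) finds the CA.
  ln -s cacert.pem "$(openssl x509 -noout -hash -in cacert.pem).0" || return 1
  openssl verify -CApath . server.pem client.pem
}
```

To exercise the client-auth virtual host from the command line instead of a browser, `openssl s_client -connect localhost:443 -cert client_cert.pem -key client.key -CAfile /etc/pki/CA/cacert.pem` presents the client certificate the way Firefox does.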

- Import the certificate into the browser (Firefox)

Import from Tools -> Options -> Advanced




- Access the site.

A client authentication popup appears.



Quite a hassle..

Windows 2000 Server file access logging

Windows 2000 Server file access logging ( Win 2000 Server, at this point in time ... )

Run -> mmc
Console -> Add/Remove Snap-in -> Add -> Group Policy
Group Policy Object: Local Computer -> Finish
Console Root -> Local Computer Policy -> Security Settings -> Local Policies -> Audit Policy


Double-click "Audit object access"

Turn on the Success and Failure checkboxes.



Configuring the folder where auditing starts

Properties of the folder to audit -> Security -> Advanced -> Auditing
Enter the users and groups to audit
Check the items to audit -> OK



Press OK to finish.

Logs are recorded in Event Viewer -> Security log.

Book review: 相手を洗脳する文章テクニック


相手を洗脳する文章テクニック
宮川明
日本実業出版社

The word "brainwash" in the title made me go "huh?", so I read it.
Honestly, for me there wasn't much in this book that seemed particularly useful.

The book explains techniques, based on Neuro-Linguistic Programming ( NLP ),
for getting your intentions across to the other person effectively.

Honestly, after reading it, can you write text that brainwashes people??
If anything, it was maybe good for getting a rough idea of what NLP is like..