Solaris – List zones / status in a container

Include only running zones:

<cmsys1:114># zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 sirls            running    /data/zones/sirls              native   shared

Include halted zones:

<cmsys1:2392># zoneadm list -vi
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   7 sasvn            running    /data/zones/sasvn              native   shared
   8 saldp            running    /data/zones/saldp              native   shared
   9 nagios           running    /data/zones/nagios             native   shared
  10 garls            running    /data/zones/garls              native   shared
  11 dvrls            running    /data/zones/dvrls              native   shared
  12 sirls            running    /data/zones/sirls              native   shared
  13 qarls            running    /data/zones/qarls              native   shared
   - saweb            installed  /data/zones/saweb              native   shared
   - sacvs            installed  /data/zones/sacvs              native   shared

Is Solaris 32 or 64 bit?

<cmsys8:457># isainfo -v
64-bit amd64 applications
        amd_lzcnt popcnt amd_sse4a tscp cx16 mon sse3 sse2 sse fxsr amd_3dnowx
        amd_3dnow amd_mmx mmx cmov amd_sysc cx8 tsc fpu
32-bit i386 applications
        amd_lzcnt popcnt amd_sse4a tscp cx16 mon sse3 sse2 sse fxsr amd_3dnowx
        amd_3dnow amd_mmx mmx cmov amd_sysc cx8 tsc fpu

<cmsys8:858># isainfo -kv
64-bit amd64 kernel modules

Python script – Jenkins job copy

This is a script which uses the XML parsing library ElementTree to copy one Jenkins job to another and replace the SVN location with the most recently created tag. Note that the script as listed carries its SVN and Jenkins credentials as literals in the source; keep such values out of version control and rotate any that have already been committed.

import urllib
import urllib2
from urllib2 import URLError
import logging
import re
import os
import base64
import sys
import time
import pysvn
import xml.etree.ElementTree
from xml.etree.ElementTree import ElementTree, Element, SubElement

# ElementTree XML tutorial -> http://www.bigfatalien.com/?p=223

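def get_svn_login(realm, username, may_save):
   """pysvn login callback: supplies the credentials used for SVN access.

   Arguments:
      realm    - authentication realm reported by the server (unused)
      username - username suggested by pysvn (unused)
      may_save - whether pysvn may cache the credentials (unused)
   Returns (retcode, username, password, save) in the shape pysvn expects;
   save is always False so the pair is never written to the SVN auth cache.

   The pair is read from the SVN_USERNAME / SVN_PASSWORD environment
   variables (names chosen here, not project-defined) and falls back to the
   literal pair that was hard-coded in this script.  That fallback is a
   credential committed to source control: drop it once the environment is
   set and rotate the password.
   """
   svn_user = os.environ.get("SVN_USERNAME", "svninfoforbuild")
   svn_pass = os.environ.get("SVN_PASSWORD", "svninfoforbuild")
   return True, svn_user, svn_pass, False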
   
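def svn_get_latest_tag(device, client):
   """Return the most recently created release tag for a device.

   Lists <svn_url>/<repo>/tags (repo taken from the module-level
   svn_repo_list) and keeps the entry whose path ends in
   "<device>-N.N.N.N" (four dot-separated numeric fields) and has the
   newest commit time.

   Arguments:
      device - key into svn_repo_list (e.g. "android")
      client - a pysvn.Client whose login callback is already set
   Returns (maxtime, maxtag, tagname): the newest tag's commit time, its
   full repository path and its bare name.  If no entry matches, returns
   (0, None, None).
   Raises KeyError for an unknown device; errors from client.list()
   propagate unchanged.
   """
   logging.debug("svn_get_latest_tag(" + device + ", Client)")
   reponame = svn_url + "/" + svn_repo_list[device] + "/tags"
   logging.debug("reponame = " + reponame)
   taglist = client.list(reponame)
   logging.debug("taglist = " + str(taglist))
   # Version tags look like "<device>-1.2.3.4".  The original pattern had
   # lost its backslashes ("d+.d+") and so only matched literal "d"
   # characters; re.escape keeps a device name with regex metacharacters
   # from changing the pattern.
   tag_re = re.compile(r"/(" + re.escape(device) + r"-\d+\.\d+\.\d+\.\d+)$")
   maxtime = 0
   maxtag = None
   tagname = None
   for tag in taglist:
      entry = tag[0]   # dict-like with at least "path" and "time"
      m = tag_re.search(entry["path"])
      if m is None:
         continue
      if entry["time"] > maxtime:
         tagname = m.group(1)
         maxtime = entry["time"]
         maxtag = entry["path"]
   logging.debug("maxtime = " + str(maxtime))
   logging.debug("maxtag = " + str(maxtag))
   logging.debug("tagname = " + str(tagname))
   return maxtime, maxtag, tagname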

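def svn_get_latest_branch(device, client):
   """Return the most recently created release branch for a device.

   Lists <svn_url>/<repo>/branches (repo taken from the module-level
   svn_repo_list) and keeps the entry whose path ends in
   "<device>-N.N.N.X" (three numeric fields plus a final alphanumeric
   field) and has the newest commit time.

   Arguments:
      device - key into svn_repo_list (e.g. "android")
      client - a pysvn.Client whose login callback is already set
   Returns (maxtime, maxbranch, branchname): the newest branch's commit
   time, its full repository path and its bare name.  If no entry matches,
   returns (0, None, None); the original left maxbranch unassigned on that
   path and failed with UnboundLocalError in the debug logging below.
   Raises KeyError for an unknown device; errors from client.list()
   propagate unchanged.
   """
   # Log under this function's own name (the original said svn_get_latest_tag).
   logging.debug("svn_get_latest_branch(" + device + ", Client)")
   reponame = svn_url + "/" + svn_repo_list[device] + "/branches"
   logging.debug("reponame = " + reponame)
   branchlist = client.list(reponame)
   # Reconstructed from the backslash-stripped "d+.d+.d+.[dw]+": three
   # numeric fields, then an alphanumeric one.  TODO confirm against real
   # branch names if the last field is meant to be narrower than \w.
   branch_re = re.compile(r"/(" + re.escape(device) + r"-\d+\.\d+\.\d+\.[\d\w]+)$")
   maxtime = 0
   maxbranch = None
   branchname = None
   for branch in branchlist:
      entry = branch[0]   # dict-like with at least "path" and "time"
      logging.debug("------------------------")
      for x in entry:
         logging.debug(str(x) + " = " + str(entry[x]))
      logging.debug(str(entry["time"]) + " > " + str(maxtime))
      m = branch_re.search(entry["path"])
      if m is not None:
         logging.debug("m is not None")
         if entry["time"] > maxtime:
            branchname = m.group(1)
            maxtime = entry["time"]
            maxbranch = entry["path"]
            logging.debug("********* branchname == " + branchname)
            logging.debug("------ maxtime == " + str(maxtime))
      logging.debug("------------------------")

   logging.debug("maxtime = " + str(maxtime))
   logging.debug("maxbranch = " + str(maxbranch))
   logging.debug("branchname = " + str(branchname))
   return maxtime, maxbranch, branchname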

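def jenkins_get_project_xml(device, timestr):
   """Download the config.xml of the device's trunk Jenkins job.

   Fetches <jenkins_url>/job/<jenkins_project_list[device]>/config.xml with
   HTTP basic auth (module-level jenkins_id / jenkins_pwd) and writes it to
   ./<device>_config_<timestr>.xml in the current directory.

   Arguments:
      device  - key into jenkins_project_list (e.g. "android")
      timestr - timestamp used to make the local file name unique
   Returns the path of the file written.
   Raises KeyError for an unknown device, urllib2.URLError (or its
   subclass HTTPError) when the request fails, IOError if the file cannot
   be written.
   """
   jobxmlurl = jenkins_url + "/job/" + jenkins_project_list[device] + "/config.xml"
   logging.debug("jobxmlurl = " + jobxmlurl)
   req = urllib2.Request(jobxmlurl)
   # b64encode, unlike encodestring, never inserts line breaks, so the header
   # value stays valid however long the id:password pair is.
   base64string = base64.b64encode("%s:%s" % (jenkins_id, jenkins_pwd))
   req.add_header("Authorization", "Basic %s" % base64string)
   response = urllib2.urlopen(req)
   try:
      jobxml = response.read()
   finally:
      response.close()
   # Build the name once; the original repeated the expression in the return.
   outname = "./" + device + "_config_" + timestr + ".xml"
   f = open(outname, "w")
   try:
      f.write(jobxml)
   finally:
      f.close()
   return outname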

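def jenkins_push_project_xml(new_proj_name, source_proj, new_proj_xml):
   """Create a new Jenkins job from a config.xml file.

   POSTs the contents of new_proj_xml to <jenkins_url>/createItem?name=...
   with HTTP basic auth (module-level jenkins_id / jenkins_pwd).

   Arguments:
      new_proj_name - name of the job to create.  It is URL-encoded here so
                      a name containing '&', '?' or spaces cannot alter the
                      query string (the original concatenated it raw).
      source_proj   - unused; kept so existing callers keep working
      new_proj_xml  - path of the config.xml to upload
   Returns None.
   Raises IOError if the file cannot be read and urllib2.URLError (or its
   subclass HTTPError) if Jenkins rejects the request.
   """
   f = open(new_proj_xml, "r")
   try:
      xml_contents = f.read()
   finally:
      f.close()

   # 1) CREATE A NEW JOB IN JENKINS
   job_create_url = jenkins_url + "/createItem?name=" + urllib.quote(new_proj_name, safe="")
   logging.debug(job_create_url)
   req = urllib2.Request(job_create_url, data=xml_contents,
                         headers={"Content-Type": "text/xml"})
   # b64encode never inserts line breaks, unlike encodestring.
   base64string = base64.b64encode("%s:%s" % (jenkins_id, jenkins_pwd))
   req.add_header("Authorization", "Basic %s" % base64string)
   response = urllib2.urlopen(req)
   try:
      create_results = response.read()
   finally:
      response.close()
   logging.debug("createItem returned %d bytes" % len(create_results))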
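def jenkins_project_exists(pname):
   """Return True if a Jenkins job named pname exists.

   Issues an authenticated GET on <jenkins_url>/job/<pname>.  Only an HTTP
   404 is taken to mean "no such job".  Any other failure (401/403, DNS or
   connection errors) is re-raised rather than reported as "absent": the
   caller creates the job when this returns False, so a mistaken False
   would hide an authentication or connectivity problem behind a confusing
   createItem failure.  The original returned False for every URLError.

   Arguments:
      pname - job name; URL-encoded here before being placed in the path
   Returns True or False.
   Raises urllib2.HTTPError for non-404 HTTP failures and urllib2.URLError
   for transport failures.
   """
   logging.debug("jenkins_project_exists(" + pname + ")")
   jobxmlurl = jenkins_url + "/job/" + urllib.quote(pname, safe="")
   logging.debug("jobxmlurl = " + jobxmlurl)
   req = urllib2.Request(jobxmlurl)
   # b64encode never inserts line breaks, unlike encodestring.
   base64string = base64.b64encode("%s:%s" % (jenkins_id, jenkins_pwd))
   req.add_header("Authorization", "Basic %s" % base64string)
   try:
      response = urllib2.urlopen(req)
   except urllib2.HTTPError, e:
      if e.code == 404:
         return False
      raise
   response.close()
   return True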
def svn_get_trunk_url(device):
   """Build the trunk URL for a device: <svn_url>/<repo>/trunk.

   device must be a key of the module-level svn_repo_list; an unknown
   device raises KeyError.
   """
   repo = svn_repo_list[device]
   return "%s/%s/trunk" % (svn_url, repo)

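def process_xml(device, tagname, jobxml, svn_trunk_url, svn_maxtag_url, timestr):
   """Rewrite a Jenkins config.xml so its SVN locations point at a tag.

   Reads the job XML at jobxml, sets <description> to "<device> TAG
   <tagname>", and for every <scm>/<locations>/*/<remote> whose text is
   exactly svn_trunk_url or svn_trunk_url + "/src" replaces the trunk part
   with svn_maxtag_url (keeping the "/src" suffix).  The result is written
   to ./<device>_config_new_<timestr>.xml in the current directory.

   Arguments:
      device         - device key, used in the description and file name
      tagname        - tag or branch name placed in the description
      jobxml         - path of the source config.xml
      svn_trunk_url  - trunk URL to look for (compared literally)
      svn_maxtag_url - URL that replaces the trunk URL
      timestr        - timestamp used to make the output file name unique
   Returns the path of the file written.
   Raises ValueError if the XML has no <scm>/<locations>; parse and I/O
   errors propagate unchanged.
   """
   # Element: one XML node (tag, attributes, children).  ElementTree: the
   # document wrapper used here to parse from and write to a file.
   et = ElementTree()
   project_elem = et.parse(jobxml)   # parse() returns the root element

   logging.debug("--------------------------------------------")
   # Layout this relies on:
   #   <project>
   #     <description/>
   #     <scm>
   #       <locations>
   #         <...><remote/><local/></...>   (one child per module location)
   #       </locations>
   #     </scm>
   #   </project>
   de = project_elem.find("description")
   if de is None:
      # Add the element rather than failing on de.text when it is missing.
      de = SubElement(project_elem, "description")
   de.text = device + " TAG " + tagname

   scme = project_elem.find("scm")
   if scme is None:
      loce = None
   else:
      loce = scme.find("locations")
   if loce is None:
      raise ValueError("no <scm>/<locations> element in " + jobxml)

   # svn_trunk_url is a literal URL, not a pattern: escape it so "." and any
   # other metacharacters in it cannot widen the match (the original spliced
   # it into the regex unescaped).
   trunk_re = re.compile(r"^" + re.escape(svn_trunk_url) + r"(/src)?$")
   logging.debug("svn_trunk_url = " + svn_trunk_url)
   for loc in list(loce):
      remote = loc.find("remote")
      if remote is None or remote.text is None:
         continue
      m = trunk_re.search(remote.text)
      if m is not None:
         newstr = svn_maxtag_url
         if m.group(1) is not None:
            newstr += m.group(1)
         logging.debug(newstr)
         remote.text = newstr

   newxmlname = "./" + device + "_config_new_" + timestr + ".xml"
   et.write(newxmlname)
   return newxmlname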
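svn_url = "https://svn.company.com"
#device_type="ios"
# NOTE(review): plain http -- the basic-auth header sent by the jenkins_*
# functions travels in clear text on this URL; an https endpoint avoids that.
jenkins_url = "http://jenkins.corp.company.com:8080"
job_sub_http = "job"

# device -> SVN repository name under svn_url
svn_repo_list = {}
svn_repo_list["android"] = "android"
svn_repo_list["ios"] = "ios"
svn_repo_list["blackberry"] = "blackberry"

# device -> Jenkins trunk job whose config.xml is copied
jenkins_project_list = {}
jenkins_project_list["android"] = "android_trunk"
jenkins_project_list["ios"] = "ios_trunk"
jenkins_project_list["blackberry"] = "blackberry_trunk"

# Jenkins credentials.  The JENKINS_ID / JENKINS_PWD environment variables
# (names chosen here, not project-defined) take precedence; the literal
# fallbacks are the values that were hard-coded in this script and are
# therefore already in source control -- rotate them and drop the fallbacks
# once the environment is set.
jenkins_id = os.environ.get("JENKINS_ID", "tag_creator")
jenkins_pwd = os.environ.get("JENKINS_PWD", "1qazxsw2")

job_file = "config.xml"

logging.basicConfig(level=logging.DEBUG)

timestr = time.strftime("%Y-%m-%d_%H%M%S", time.localtime())

# Command line: --device_type=<android|ios|blackberry> [--svn_loc=tags|branches]
# \S restored: the original pattern had lost its backslashes ("(S+)=(S+)")
# and could only match runs of the literal letter "S".
arg_re = re.compile(r"^--(\S+)=(\S+)$")
device_type = None
svn_loc = "tags"
for arg in sys.argv[1:]:
   args = arg_re.search(arg)
   if args is None:
      continue
   if args.group(1) == "device_type":
      device_type = args.group(2).lower()
      logging.debug("device_type = " + device_type)
   elif args.group(1) == "svn_loc":
      svn_loc = args.group(2)
      logging.debug("svn_loc = " + svn_loc)

try:
   repo = svn_repo_list[device_type]
   logging.debug("repo = " + repo)
except KeyError, e:
   sys.exit("ERROR: device_type does not match the required list of options (android, ios, blackberry)")

# Use the shared helper: the previous inline expression omitted the "/"
# between svn_url and repo, so the trunk URL never matched the job's SCM
# <remote> entries and process_xml silently left them unchanged.
svn_trunk_url = svn_get_trunk_url(device_type)
logging.debug("svn_trunk_url = " + svn_trunk_url)

client = pysvn.Client()
client.callback_get_login = get_svn_login

if svn_loc == "tags":
   maxtime, svn_maxtag_url, reponame = svn_get_latest_tag(device_type, client)
elif svn_loc == "branches":
   maxtime, svn_maxtag_url, reponame = svn_get_latest_branch(device_type, client)
else:
   sys.exit("ERROR: You cannot use svn_loc = " + svn_loc)

logging.debug("maxtime = " + str(maxtime))
logging.debug("svn_maxtag_url = " + str(svn_maxtag_url))
logging.debug("reponame = " + str(reponame))

# Both lookups return None for the name when nothing matched; stop here
# instead of failing later with a TypeError on "..." + None.
if reponame is None:
   sys.exit("ERROR: no " + svn_loc + " entry for " + device_type + " was found in SVN")

project_exists = jenkins_project_exists(reponame)
logging.debug("project_exists = " + str(project_exists))
if project_exists:
   sys.exit("ERROR: The Jenkins job " + reponame + " already exists.")

origxml = jenkins_get_project_xml(device_type, timestr)
newxml = process_xml(device_type, reponame, origxml, svn_trunk_url, svn_maxtag_url, timestr)
jenkins_push_project_xml(reponame, jenkins_project_list[device_type], newxml)

os.remove(origxml)
os.remove(newxml)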

Configure iptables (firewall) in Fedora

Basic Setup:

Here are the basic configuration steps for enabling iptables on Fedora Linux.

List your current iptables configuration:

[root@cmlin02:~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:bb 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldaps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ndmp 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:49222 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:mdns 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

1) To allow established sessions to receive traffic

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 

2) You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default ssh port (22)

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow incoming traffic on the default Squid port (3128)

# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

To allow incoming traffic on the default Apache port

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To allow incoming traffic on the default samba port

# iptables -A INPUT -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -p udp --dport 139 -j ACCEPT 
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT   

To allow incoming traffic on the default SNMP port (161)

# iptables -A INPUT -p tcp --dport 161 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j ACCEPT 

Now check the current configuration

[root@cmlin02:~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid

3) Once the ports above are allowed, we can drop all other incoming traffic.

# iptables -A INPUT -j DROP

Now check the rule

# iptables -L

For interface-based rules on eth0, add -i eth0 to the rule.

4) In the final step we have to allow the loopback interface. Since the rule above drops all remaining traffic, this rule must be inserted before it; because loopback carries a lot of traffic, we insert it as the first rule so it is processed first.

#iptables -I INPUT 1 -i lo -j ACCEPT

5) To enable logging (the rule number must be the position of the final DROP rule, so that only traffic about to be dropped is logged; check it first with iptables -L INPUT --line-numbers)

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 

6) To save this configuration

# iptables-save >  /etc/sysconfig/iptables

or

#service iptables save  
#service iptables start

This configuration will allow the SSH port and block all other incoming ports.
To manually edit the iptables config
You can also edit /etc/sysconfig/iptables by hand.

IP Tables configuration for other Services

1) Iptables for default ldap port

# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 636 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  389 -j ACCEPT 

2) Iptables for Backup Exec

3) IP tables for smtp

 #iptables -A INPUT -p tcp --dport 25 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  25 -j ACCEPT 

4) iptables for smtps

 #iptables -A INPUT -p tcp --dport 465 -j ACCEPT
 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  465 -j ACCEPT 

5) iptables for pop3 , pop3s

 #iptables -A INPUT -p tcp --dport 110 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 995 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  110 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport  995 -j ACCEPT 

6) iptables for imap , imaps

 #iptables -A INPUT -p tcp --dport 143 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 993 -j ACCEPT  

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  143 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport  993 -j ACCEPT 

7) iptables for webmin default port

 #iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  10000 -j ACCEPT 

8) IPtables for named, domain

 #iptables -A INPUT -p tcp --dport 53 -j ACCEPT
 #iptables -A INPUT -p udp --dport 53 -j ACCEPT 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  53 -j ACCEPT 
-A INPUT -p udp -m udp --dport  53 -j ACCEPT 

9) iptables for TFTP server

 #iptables -A INPUT -p udp --dport 69 -j ACCEPT 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  69 -j ACCEPT 

10) iptables configuration for DHCP server

 #iptables -A INPUT -p udp --dport 67 -j ACCEPT 
 #iptables -A INPUT -p udp --dport 68 -j ACCEPT  

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  67 -j ACCEPT 
-A INPUT -p udp -m udp --dport  68 -j ACCEPT 

11) iptables for NFS server- click here

12) iptables for FTP server – click here

13) iptables for NTP server

 #iptables -A INPUT -p udp --dport 123 -j ACCEPT 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  123 -j ACCEPT 

One of my iptables files (note that the avahi rules at the end come after the final REJECT rule on INPUT, so they are never reached; move them above it if they are meant to take effect):

[root@cmlin02:~]# more /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [85:9266]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
# HTTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# XYMON
#-A INPUT -p tcp --destination-port 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1984 -j ACCEPT
# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# SNMP
-A INPUT -p tcp --dport 161 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
# SAMBA
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# HTTPS
-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
# BIND
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# LDAP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
# WEBMIN
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT

#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 

# avahi
-A INPUT -m state --state NEW -p udp --dport 49222 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 5353 -j ACCEPT
COMMIT

Get port usage report on Solaris

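#!/usr/bin/ksh
# Port usage report: for every process that has an AF_INET socket bound to a
# non-zero port, print the pfiles(1) header line ("<pid>: <command>") followed
# by one port number per line.
#
# Run as root: pfiles typically cannot inspect other users' processes, and the
# error text it prints for them is dropped by the grep filters below.

# "-o pid=" selects the pid column with an empty header, so "tail +2" is not
# needed; "-f" was dropped because -o already defines the output format.
for pid in $(ps -e -o pid=); do
  # Inspect each process once (the original ran pfiles twice per pid).
  pinfo=$(pfiles "$pid" 2>&1)
  foundport=$(printf '%s\n' "$pinfo" | grep "sockname: AF_INET" \
    | grep -v "port: 0" | awk '{print $NF}')
  if [ -n "$foundport" ]; then
    foundproc=$(printf '%s\n' "$pinfo" | grep "^$pid:")
    # printf instead of echo: the original "$foundprocn" had lost the
    # backslash of "\n", and echo's escape handling differs between shells.
    printf '%s\n%s\n' "$foundproc" "$foundport"
  fi
done

exit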