Cover V07, I05
Article

may98.tar


Questions and Answers

Bjorn Satdeva

 Q Is there a way to do a complete copy of a sun4m system to a sun4u system?

 A As far as I know, those two systems are using different hardware architectures of some kind. However, I do not understand why you would want to make a complete copy crossing hardware architecture boundaries. Whatever the problem, it might be that the medicine you are trying to prescribe is much worse than the symptom you want to cure.

 Q Is there any more to fsck when trying to recover from panic or other file size and block errors?

 A I am not sure I understand your question. However, fsck is a program that checks internal file system integrity and corrects any corruption in that structure. It will not fix damaged files, and although it often can recover lost files, it might not be able to place them in the directory the original was in. In those cases, it will place the recovered file in the lost+found directory in the root of the file system. It is always a good idea to allocate this directory ahead of time. Some versions of fsck will allocate this directory if it missing, but you are then writing to an already damaged disk, possible making the problem worse.

If the files themselves have been damaged, for example due to a damaged disk controller, you will need to go to your last backup (you do daily backups, right?).

If you are seeing bad blocks, it could be that the disk is developing bad spots. Depending on the type of disk and the version of the OS, there may be ways to fix the problem, such as using the alternative block section on the disk. If there is a limited number of bad blocks, it will fix the disk for the future but will not undo potentially damaged files, which now may have missing pieces. As above, restore damaged files as necessary.

If you are seeing a lot of file size and bad block problems, either the disk or the disk controller is going bad. Save yourself a lot of frustration and replace one or both as soon as possible. The cost of hardware is small compared to the cost of people time.

 Q I need to repartition a drive on a Sun Solaris 2.6 system. Is there any utility that I can use to make this happen without rebuilding the system?

 A I do not think that you can repartition file systems on the fly on Solaris. The only UNIX-based OS on which you can do this is, to my knowledge, AIX. However, unless it is the root partition that needs repartitioning, you can simply add a disk, partitioning it appropriately, and then move the file systems which need to be changed to that disk. Doing this is much faster and simpler than a reinstallation and restore of the system.

If you need a fast fix without shutting down the system, you can move a directory to another file system and use a symbolic link from its original position. This will work in most cases. It will not work well, however, for /etc and the spool directory for the news server (if you have any). Also, be careful that you do not develop the symbolic links from hell. It is best only to use this solution for a temporary workaround if possible.

 Q Under a BSD style (FreeBSD) syslog.conf, when the selector field selects a message and the action to be taken starts with a vertical bar | followed by a command, this command is passed to a /bin/sh for evaluation, so usual shell metacharacters or input/output redirection can occur. So, it is possible to mail the message to a user with | mail root@localhost. Linux works differently. After the vertical bar, Linux expects a named pipe (fifo), which should be created with mkfifo.

What's the use of a named pipe (I found none in an entire FreeBSD root file system and only one, /dev/initctl, in a Linux root fs.), and how can I use a named pipe to mail a syslog message to a user?

 A Named pipes are used by some programmers, and are mostly an application-based thing. I do not currently have easy access to a Linux system, so I cannot verify your description of syslogd there. However, I would think that you could probably replace syslogd on the Linux system with a BSD 4.4 one if you desire. Alternatively, you will need to write a small wrapper program, which takes the named pipe as input and mails that to the desired user.

Be careful, however, not to generate too many email messages. They can easily become noise that the system administrator or users tend to overlook. You might be better off by logging the information to a file and processing that file (perhaps with a small Perl program) once every night, unless there is a real time constraint in the message.

 Q How can I get single sign-on between my heterogeneous UNIX environment (SunOS, AIX, IRIX, and Linux) and my Windows NT environment?

 A I assume that you are asking whether you can create user IDs that are shared between UNIX and NT, using only a single user database. I don't think you can do this. NT is simply too different form UNIX to be able to share a single user database. You might be able to hack all your system to use a third-party authentication scheme, using something like the Livingston Radius authentication service. This can certainly be done in UNIX, but I am not sure about NT. I wonder if any of our readers has created a solution.

 Q When downloading large files via ftp to my home machine (PPP connection, 28.8, Linux V2.x), I see the following behavior. Watching the modem lights, I see packets streaming in, with acks going back out. Then after about 10-20 seconds, my machine fails to ack. The sender continues sending unabated for about 2-3 seconds longer, then stops. Then, there is an annoying 5-10 second period where the two sides slowly exchange packets to get back into sync, and the cycle repeats itself. Thus, overall download performance is less than optimal. (The Linux command pppstats quantifies this pattern.)

The behavior suggests an overrun problem on my machine; eventually it can't keep up the pace set by the sender and drops the ball, forcing the pause and re-sync. If so, I suspect that with judicious tuning, I could attain optimal download speeds. What is a general approach to diagnosing these sorts of problems?

 A From your description of the problem, I don't think it has anything to do with your PPP implementation. It sounds very much like a hardware problem instead. There are several problems that can create this situation.

First of all, make sure that you are using hardwired handshaking between the serial port and the modem. A software handshake is simply not fast enough for this type of application. Typically, the transfer speed between modem and computer is one of 38.4, 57.6, or 115.2 Kbaud. The faster the speed the better, but only if your hardware can keep up.

Many serial ports that are part of the system motherboard will not be able to function reliably at these speeds, and you will be much better off purchasing a serial board that can. A four-port serial card that can operate at these speeds can be purchased for about $100. If you are using a lap-top, get a PC-CARD modem. Again, it is possible that the built-in serial ports cannot keep up.

 Q What is the best tool for verifying your DNS configuration, and how is it used?

 A My favorite tool is one called nslint. It checks the server, and reports all problems it finds, such as multiple A records, missing reverse records, and missing periods after fully qualified hostnames. You can configure it to ignore certain issues, such as an IP address that occurs in multiple A records. Although this generally is a mistake, there are times when the sys admin does this to achieve a special effect (for example if a host has several names, but it is not possible to use CNAME records). You can find nslint at:

ftp://ftp.sysadmin.com/pub/admin/tools/networking/nslint

 Q What is the best way of synchronizing NIS+ configuration with DNS?

 A You can use the tools described in the bind book (DNS and Bind, Second Edition by Albitz and Liu, O'Reilly and Associates). They will allow you to build DNS zone files from your host table, or you can use my dns2hosts script to build a host file by querying your name server. Also, you can configure your systems to only use the DNS, if your environment allows this. If you are using both NIS and DNS, it is a good idea to implement a strategy that ensures that the two hostname resolution methods will yield the same answers.

The dns2hosts can be found at:

ftp://ftp.sysadmin.com/pub/admin/tools/networking/dns2hosts

 Q Is there a simple way of safely connecting a LAN to the Internet through a firewall or other security barrier without becoming a security expert?

 A If you do not understand what you are doing, you are better off hiring a consultant to configure your firewall. Simple firewalls, which only allow minimal services through (e.g., email and outgoing WWW and ftp) are not rocket science, but unless you know what you are doing, the result can be disastrous. If you do not have a background in Internet security, do not try to do this overnight. If, however, you have time to spare, looking at the firewall toolkit from TIS (ftp://ftp.tis.com) will allow you to get up to speed on the subject.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.