
Monday, October 6, 2014

Controlling Shell Fork-Bombing by Linux Users

ulimit: Provides control over the resources available to the shell and to processes started by it, on systems that allow such control. The -H and -S options specify that the hard or soft limit is set for the given resource. A hard limit cannot be increased by a non-root user once it is set; a soft limit may be increased up to the value of the hard limit. If neither -H nor -S is specified, both the soft and hard limits are set. The value of limit can be a number in the unit specified for the resource or one of the special values hard, soft, or unlimited, which stand for the current hard limit, the current soft limit, and no limit, respectively. If limit is omitted, the current value of the soft limit of the resource is printed, unless the -H option is given. When more than one resource is specified, the limit name and unit are printed before the value.

Other options are interpreted as follows:
-a     All current limits are reported
-b     The maximum socket buffer size
-c     The maximum size of core files created
-d     The maximum size of a process’s data segment
-e     The maximum scheduling priority ("nice")
-f     The maximum size of files written by the  shell  and  its children
-i     The maximum number of pending signals
-l     The maximum size that may be locked into memory
-m     The  maximum resident set size (many systems do not honor this limit)
-n     The maximum number of open file descriptors (most systems do not allow this value to be set)
-p     The pipe size in 512-byte blocks (this may not be set)
-q     The maximum number of bytes in POSIX message queues
-r     The maximum real-time scheduling priority
-s     The maximum stack size
-t     The maximum amount of cpu time in seconds
-u     The maximum number of processes available to a single user
-v     The maximum amount of virtual memory available to the shell
-x     The maximum number of file locks
-T     The maximum number of threads

You can add the following to the bashrc file to protect the system from fork bombs started by local shell users.

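# Raise the limits first so that whoami can run. Errors are discarded
# because a non-root user cannot raise a hard limit.
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

# Work out the current user, preferring whoami over $USER when it exists.
LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=$(/usr/bin/whoami)
fi
if [ "$LIMITUSER" != "root" ]; then
        # Non-root users: at most 35 processes (-u) and 100 open files (-n).
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
        # root keeps the generous limits.
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi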
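
An added check, not part of the original post: limits set from bashrc exist only in shells that read that file, and a soft limit can be raised again up to the hard limit, so the value to verify is the hard "Max processes" figure the kernel reports in /proc/<pid>/limits. The function names and the sample table are constructed for illustration; 35 is the non-root value used above.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_nproc MAX [FILE]: FILE (or stdin) is in /proc/<pid>/limits format.
# Succeeds only if the HARD "Max processes" value is a number <= MAX.
# Exit status: 0 = OK, 1 = limit too high or unlimited, 2 = line not found.
check_nproc() {
    max=$1; shift
    awk -v max="$max" '
        $1 == "Max" && $2 == "processes" { soft = $3; hard = $4; found = 1 }
        END {
            if (!found) { print "UNKNOWN: no Max processes line"; exit 2 }
            if (hard == "unlimited" || hard + 0 > max + 0) {
                printf "WEAK: soft=%s hard=%s (want hard <= %s)\n", soft, hard, max
                exit 1
            }
            printf "OK: soft=%s hard=%s\n", soft, hard
        }' "$@"
}

# Constructed sample in the kernel's column layout, for offline runs.
sample_limits() {  # sample_limits SOFT HARD
    printf '%-25s %-20s %-20s %-10s\n' \
        'Limit' 'Soft Limit' 'Hard Limit' 'Units' \
        'Max open files' '100' '100' 'files' \
        'Max processes' "$1" "$2" 'processes'
}

# Both limits set, as "ulimit -u 35" without -H or -S does.
sample_limits 35 35 | check_nproc 35 || true
# Only the soft limit lowered: the user can raise it back to 14335.
sample_limits 35 14335 | check_nproc 35 || true

# On Linux, audit the shell that is running this script.
if [ -r "/proc/$$/limits" ]; then
    check_nproc 35 "/proc/$$/limits" || true
fi
```

Pointing the function at /proc/<pid>/limits of a user's running process shows whether the limit reached that process, whichever startup file was meant to set it.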

Nova issue with deleting Vm

We can delete nova instances that are stuck in the error/deleting state by following the steps below.

Get the instance ID from the "nova list" command and reset the state using the "nova reset-state <ID>" command.

nova list

[root@controller1 ~]# nova list
+--------------------------------------+-----------------+--------+------------+-------------+----------------------------------------------+
| ID                                   | Name            | Status | Task State | Power State | Networks                                     |
+--------------------------------------+-----------------+--------+------------+-------------+----------------------------------------------+
| 0ccfa148-97de-4be9-b85d-4283037746b1 | Ha-Porxy-F5     | ACTIVE | -          | Running     | Trusted-Internal-NIC=10.0.0.157, 10.1.15.140 |
| e61a759d-528c-423b-bb24-dcf7e3a5618e | Ha-Porxy-Mysql  | ACTIVE | -          | Running     | Trusted-Internal-NIC=10.0.0.158, 10.1.15.139 |

nova reset-state 0ccfa148-97de-4be9-b85d-4283037746b1


You can also use the --active parameter to force the instance back to an active state instead of an error state. For example:

$ nova reset-state --active c6bbbf26-b40a-47e7-8d5c-eb17bf65c485

Sunday, October 5, 2014

Neutron check Commands

To list all the virtual routers and DHCP servers:
>> ip netns ls

[root@neutronww1 ~]# ip netns
qrouter-641ca25a-7832-4818-b7ww5b-559c8f75ba5c
qdhcp-71ed8a34-a2d5-4d84-9dww47-e5e107dd8d7e
qdhcp-35a33370-d641-4dca-9wwdab-4ac2d9ffc7c6
qdhcp-e0b51c09-57dd-4b3a-a1ww1f-c83903d52e4d
qrouter-3b7f1bcc-0c95-47d7-a2ww17-9fe2aef7f0c0
qrouter-ac17d3c5-9bf4-4788-b2www6c-ca8aa249613b
[root@neutron1 ~]#

Here the virtual routers are the ones whose names start with the prefix qrouter, and the DHCP servers are those whose names start with the prefix qdhcp.


To get more details about the virtual routers and DHCP servers, we can use the following command:

>>[root@n1 ~]# ip netns exec <virtual router/dhcp server name from ip netns command> <network command>

Examples

ip netns exec qrouter-641ca25a-7832-4818-b7ww5b-559c8f75ba5c ip a
ip netns exec qrouter-641ca25a-7832-4818-b7www5b-559c8f75ba5c ifconfig
ip netns exec qrouter-641ca25a-7832-4818-b7www5b-559c8f75ba5c route -n
ip netns exec qrouter-641ca25a-7832-4818-bwww75b-559c8f75ba5c ping

In the above examples we use commands like "ip a", "ifconfig" and "route" to list different parameters of the virtual router and DHCP server. We can use the route command to add more routing rules if needed. Inside a namespace we can use commands such as ip, ifconfig, route and ping just as we use them on a physical system, to tweak or troubleshoot the entire system.

Saturday, October 4, 2014

Bridge Interface shown down in Horizon Dashboard @ Openstack


The command "sudo ovs-vsctl br-get-external-id br-ex" returns nothing, so br-ex is excluded from the list of ancillary bridges and the gateway port always shows as DOWN.
A workaround is to set the bridge-id to br-ex and restart the L2 agent:

ovs-vsctl br-set-external-id br-ex bridge-id br-ex
ovs-vsctl br-set-external-id br-ex-2 bridge-id br-ex-2

Friday, October 3, 2014

Changing qpidd to rabbitmq for Openstack


Stopping qpidd on all servers

service qpidd stop
chkconfig qpidd off

Installing packages
yum install ntp rabbitmq-server

Configuring Cluster
On Controller1
yum install ntp rabbitmq-server
chown rabbitmq:rabbitmq /var/lib/rabbitmq/*
chown rabbitmq:rabbitmq /var/lib/rabbitmq/.erlang.cookie
/etc/init.d/rabbitmq-server restart
scp /var/lib/rabbitmq/.erlang.cookie root@controller2:/var/lib/rabbitmq/


On Controller2
yum install ntp rabbitmq-server
rabbitmqctl stop_app
rabbitmqctl join_cluster rabbit@controller1
rabbitmqctl start_app
rabbitmqctl cluster_status


Edit the configuration Files
Comment out the qpidd entries in all the configuration files and enter the details below. As RabbitMQ is the default message broker, no other entries are needed.

rabbit_host = controller

On both controllers, set the RabbitMQ policy as below


rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": "all"}'

Monday, September 29, 2014

Configure HA using Corosync and pacemaker

Opening the needed ports, if iptables is in use
Edit /etc/sysconfig/iptables. Towards the end of the file, but before any REJECT statements, add the following lines:
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 7788 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3306 -j ACCEPT

Installing modules
yum -y install wget
rpm -Uvh http://elrepo.org/elrepo-release-6-5.el6.elrepo.noarch.rpm
yum -y install drbd84-utils kmod-drbd84 --enablerepo=elrepo
yum -y install pacemaker corosync cluster-glue

wget -P /etc/yum.repos.d/ http://download.opensuse.org/repositories/network:/ha-clustering:/Stable/CentOS_CentOS-6/network:ha-clustering:Stable.repo
yum install crmsh

Configure Corosync 

vi /etc/corosync/corosync.conf
totem {
version: 2
secauth: off
threads: 0
interface {
ringnumber: 0
bindnetaddr: 10.0.0.0
mcastaddr: 226.94.1.1
mcastport: 5405
ttl: 1
}
}

logging {
fileline: off
to_stderr: no
to_logfile: yes
to_syslog: yes
logfile: /var/log/cluster/corosync.log
debug: off
timestamp: on
logger_subsys {
subsys: AMF
debug: off
}
}

amf {
mode: disabled
}

service {
        # Load the Pacemaker Cluster Resource Manager
        ver:       1
        name:      pacemaker
}

aisexec {
        user:   root
        group:  root
}
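
An added audit, not part of the original post, for the two settings above that decide who can talk to the cluster: the iptables rules accept ports 5404/5405, 7788 and 3306 from any source, and "secauth: off" leaves totem messages unauthenticated. The function names are hypothetical and the 10.0.0.0/24 source in the sample is an assumption based on the bindnetaddr shown.

```shell
#!/bin/sh
# Added example, not from the original post.
# open_cluster_ports [FILE]: read rules in /etc/sysconfig/iptables format and
# print every INPUT ACCEPT rule that opens 5404, 5405, 7788 or 3306 without a
# -s/--source match, i.e. to any host that can reach the node.
open_cluster_ports() {
    awk '
        BEGIN { split("5404 5405 7788 3306", want, " ") }
        $1 == "-A" && $2 == "INPUT" {
            ports = ""; src = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
                if ($i == "-s" || $i == "--source") src = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (!accept || src || ports == "") next
            n = split(ports, p, ",")
            for (k = 1; k <= n; k++) {
                # one entry is a single port or a lo:hi range
                m = split(p[k], r, ":")
                lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
                for (c = 1; c <= 4; c++)
                    if (want[c] + 0 >= lo && want[c] + 0 <= hi) { print; next }
            }
        }' "$@"
}

# secauth_enabled [FILE]: succeed only if a corosync.conf sets "secauth: on".
secauth_enabled() {
    awk '/^[ \t]*#/ { next }
         $1 == "secauth:" { state = $2 }
         END { exit (state == "on" ? 0 : 1) }' "$@"
}

# Sample input: the first two rules are the ones from this post; the third is
# a constructed variant limited to the cluster subnet (assumed 10.0.0.0/24).
sample_rules() {
    cat <<'EOF'
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 7788 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m tcp -p tcp --dport 3306 -j ACCEPT
EOF
}

sample_rules | open_cluster_ports           # prints the two unrestricted rules
printf 'totem {\n  secauth: off\n}\n' | secauth_enabled || echo "secauth is off"
```

Switching to "secauth: on" requires the same /etc/corosync/authkey, generated with corosync-keygen, on every node.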


chkconfig --level 3 corosync on
service corosync start
chkconfig --level 3 pacemaker on
service pacemaker start

Checking the Cluster Connectivity
corosync-objctl runtime.totem.pg.mrp.srp.members

Check the service and cluster status
crm_mon -1


Configuring the cluster
>>crm configure
property no-quorum-policy="ignore" pe-warn-series-max="1000" pe-input-series-max="1000" pe-error-series-max="1000" cluster-recheck-interval="5min"
property stonith-enabled=false
commit

Adding a Cluster server for common IP (VIP)
>>crm configure
primitive p_api-ip ocf:heartbeat:IPaddr2 params ip="10.0.0.199" cidr_netmask="24" op monitor interval="30s"
commit

Now we need to configure the needed services in the CRM.

  

Thursday, September 25, 2014

Checking loadspeed of a Site Using phantomjs

Using phantomjs to check different parameters of a site.

Installing the module
sudo yum install fontconfig freetype libfreetype.so.6 libfontconfig.so.1 libstdc++.so.6

wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.7-linux-i686.tar.bz2
tar jxvf phantomjs-1.9.7-linux-i686.tar.bz2
mv phantomjs-1.9.7-linux-i686 phantomjs
export PATH=$PATH:/root/phantomjs/bin/

The phantomjs directory contains example js scripts. We use one of the provided test scripts to check the load speed of a site.

phantomjs loadspeed.js http://www.adminz.in
Page title is Linux Conquering Cloud
Loading time 4559 msec


Basic examples

  • arguments.js shows the arguments passed to the script
  • countdown.js prints a 10 second countdown
  • echoToFile.js writes the command line arguments to a file
  • fibo.js lists the first few numbers in the Fibonacci sequence
  • hello.js displays the famous message
  • module.js and universe.js demonstrate the use of module system
  • outputEncoding.js displays a string in various encodings
  • printenv.js displays the system's environment variables
  • scandir.js lists all files in a directory and its subdirectories
  • sleepsort.js sorts integers and delays display depending on their values
  • version.js prints out PhantomJS version number
  • page_events.js prints out page events firing: useful to better grasp page.on* callbacks

Rendering/rasterization

  • colorwheel.js creates a color wheel using HTML5 canvas
  • rasterize.js rasterizes a web page to image or PDF
  • rendermultiurl.js renders multiple web pages to images
  • technews.js captures Google News as a PNG image

Page automation

  • direction.js uses Google Maps to print driving direction
  • follow.js shows the number of followers of some Twitter accounts
  • imagebin.js uploads an image to imagebin.org
  • injectme.js injects itself into a web page context
  • ipgeocode.js deduces the location via IP geocoding
  • movies.js lists movies from kids-in-mind.com
  • phantomwebintro.js uses jQuery to read #intro element text from phantomjs.org
  • pizza.js uses yelp.com to find pizza places in Mountain View
  • seasonfood.js displays the BBC seasonal food list
  • tweets.js displays the most recent tweets
  • unrandomize.js modifies a global object at page initialization
  • waitfor.js waits until a test condition is true or a timeout occurs

Network

  • detectsniff.js detects if a web page sniffs the user agent
  • loadspeed.js computes the loading speed of a web site
  • netlog.js dumps all network requests and responses
  • netsniff.js captures network traffic in HAR format
  • post.js sends an HTTP POST request to a test server
  • postserver.js starts a web server and sends an HTTP POST request to it
  • server.js starts a web server and sends an HTTP GET request to it
  • serverkeepalive.js starts a web server which answers in plain text
  • simpleserver.js starts a web server which answers in HTML