Thursday, September 19, 2013

grep regular expressions -OR-

To match word1 or word2 use this regexp:


word1|word2

for single characters you have 2 options:
a|b
[ab]


In grep you either use:
grep "word1\|word2"
or
grep -E "word1|word2"


If you want to match 2 different words in grep:
grep -e "word1" -e "word2"


To match either word1 or word2 at the beginning of the line and exclude lines containing word3, chain two greps (a character class like [^word3] excludes single characters, not the word):
grep "^word1\|^word2" | grep -v "word3"

which is the same as:
grep -e "^word1" -e "^word2" | grep -v word3

Thursday, August 8, 2013

Special characters in Vi editor

# to display special characters in Vi:
:set list

# to insert special ^C character type:
<ctrl>+v and then <ctrl>+c

# to hide special characters:
:set nolist

Wednesday, July 24, 2013

sudo basics

1) config is in /etc/sudoers

2) edit it with visudo command, which can check syntax

3) basic configuration line:

user ALL=(ALL) ALL

1st ALL: host list - on which hosts the rule applies (any hostname)
2nd (ALL): run-as list - as which users the command may be run (any user, chosen with sudo -u user)
3rd ALL: command list - which commands may be run (any command)

This should always be there, to allow root to run everything:
root ALL=(ALL) ALL

Example:

adam earth=(xena) /bin/kill

adam can run the /bin/kill command only on the host "earth" and only as user xena:
adam runs: sudo -u xena /bin/kill


4) user groups
so far the entries named single users; a group entry is prefixed with %:
%group_name ALL=(ALL) ALL


5) Aliases:
User_Alias ADMINS=adam, xena
Cmnd_Alias COMMAND1=/bin/kill

now let's use it

ADMINS ALL=(ALL) COMMAND1


6) no password:
%admins_group ALL=(ALL) NOPASSWD: ALL


7) negation - allow all commands apart from some:

Cmnd_Alias PASSWD_ROOT=/sbin/passwd root

user1 ALL=(ALL) ALL, !PASSWD_ROOT

(the "ALL," before the negation is needed: a line containing only !PASSWD_ROOT grants nothing)


8) (default) logfile:
/var/log/sudo.log
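As an added example (not from the post), here is one sudoers fragment that combines the pieces above; the host names, users, group and command paths are made up:

```sudoers
# Added example (not the post's config). Hosts, users and paths are made up.
Host_Alias  PROD        = earth, mars
User_Alias  ADMINS      = adam, xena
Cmnd_Alias  HTTPD       = /sbin/service httpd restart, /sbin/service httpd status
Cmnd_Alias  PASSWD_ROOT = /sbin/passwd root

# sudo logs through syslog unless a logfile is set; this gives a dedicated audit trail
Defaults    logfile=/var/log/sudo.log

root        ALL=(ALL) ALL

# ADMINS may restart/status httpd as root on the PROD hosts (password is asked)
ADMINS      PROD=(root) HTTPD

# adam may run kill as xena, and only on earth: "sudo -u xena /bin/kill"
adam        earth=(xena) /bin/kill

# one script without a password: keep NOPASSWD lists short and specific,
# because a compromise of any member account then becomes root for free
%backup     ALL=(root) NOPASSWD: /usr/local/bin/backup.sh

# "everything except": note the "ALL," in front, "!PASSWD_ROOT" alone grants nothing.
# sudoers(5) warns this is not a real restriction (the user can copy passwd under
# another name and run that), so prefer explicit command lists like HTTPD above.
user1       ALL=(ALL) ALL, !PASSWD_ROOT
```

Check it with "visudo -c" before installing it; a syntax error in sudoers locks everybody out of sudo.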

Thursday, July 4, 2013

Linux iptables - open some ports to allow some traffic

1) on RH/CentOS it is good to run this command:
$  system-config-securitylevel

2) it creates a basic iptables structure in /etc/sysconfig/iptables:
[root@CentOS log]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@CentOS log]#


3) it also creates a new chain called RH-Firewall-1-INPUT, which is jumped to from the existing INPUT and FORWARD chains:

[root@CentOS log]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@CentOS log]#



4) Imagine that some connection is blocked by the firewall, for example remote syslog messages (syslog events sent from another host (/etc/syslog.conf: user.* @IP) to this host, which acts as a syslog server (/etc/sysconfig/syslog: -r)).
To catch this traffic in the log for analysis it is good to insert the following rule
after all ACCEPT rules
and
in front of the first REJECT or DROP rule, so it logs every packet that was neither ACCEPTED nor DROPPED/REJECTED to /var/log/messages, from where we can easily set up a new rule to allow this traffic:

[root@CentOS log]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -i eth0 --sport 67:68 --dport 67:68 -j DROP
-A RH-Firewall-1-INPUT -p udp -i eth0 --sport 67:68 --dport 67:68 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@CentOS log]#

(of course, run "service iptables restart" after each edit of the config file)

5) let's send a test syslog message from the remote host:
[root@XENtest2 ~]# logger -i -t user "test" 

6) And here is the captured traffic:
[root@CentOS log]# tail -f /var/log/messages
Jul 4 15:54:39 CentOS kernel: IN=eth0 OUT= MAC=00:0c:29:52:d2:58:00:16:3e:6f:99:86:08:00 SRC=192.168.0.128 DST=192.168.0.1 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=30

7) Let's set up the iptables rule (more general - based only on protocol UDP and source and destination port 514)

[root@CentOS log]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -i eth0 --sport 67:68 --dport 67:68 -j DROP
-A RH-Firewall-1-INPUT -p udp -i eth0 --sport 67:68 --dport 67:68 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 514 --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@CentOS log]#


8) and here it is, the syslog message appears on the syslog server:
[root@CentOS ~]# tail -f /var/log/messages
Jul 4 16:02:07 192.168.0.128 user[5369]: test
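The steps above can be automated: as an added example that is not from the post, this script parses a "-j LOG" line in the /var/log/messages format shown in step 6 and prints the ACCEPT rule to insert in front of the LOG rule. The log lines are constructed, and the generated rule is deliberately tighter than the one in step 7 (pinned to the logged sender and the destination port only):

```sh
#!/bin/sh
# Added example, not from the post. SAMPLE_LOG is a constructed line in the
# same format as the kernel LOG output captured above.
SAMPLE_LOG='Jul  4 15:54:39 CentOS kernel: IN=eth0 OUT= MAC=00:0c:29:52:d2:58:00:16:3e:6f:99:86:08:00 SRC=192.168.0.128 DST=192.168.0.1 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=30'

# Print "<proto> <src> <dst> <sport> <dport>" for one LOG line; "-" marks a
# field that is absent (ICMP has no ports).
log_fields() {
    printf '%s\n' "$1" | awk '{
        proto = src = dst = sport = dport = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # tokens like "DF" carry no value
            if (kv[1] == "PROTO")      proto = tolower(kv[2])
            else if (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "SPT")   sport = kv[2]
            else if (kv[1] == "DPT")   dport = kv[2]
        }
        print proto, src, dst, sport, dport
    }'
}

# Build the ACCEPT rule. The post's rule matches "--sport 514 --dport 514"
# from any host; a syslog server only needs the sender's address and the
# destination port, so that is all this rule matches on.
suggest_rule() {
    set -- $(log_fields "$1")
    if [ "$5" = "-" ]; then
        printf -- '-A RH-Firewall-1-INPUT -s %s -p %s -j ACCEPT\n' "$2" "$1"
    else
        printf -- '-A RH-Firewall-1-INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$2" "$1" "$5"
    fi
}

suggest_rule "$SAMPLE_LOG"
```

Insert the printed rule above the "-j LOG" line in /etc/sysconfig/iptables; once the LOG line stops reporting the traffic, the rule is doing its job.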

DHCP packets in Wireshark


Capture filter in Wireshark to grab DHCP packet:



and the result:


For tcpdump (quote the filter, otherwise the shell treats || as its own "or" and tries to run "udp" as a command):
$ tcpdump -vv -s 0 -i eth0 'udp port 67 or udp port 68'

IPtables filter:
vi /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -i eth0 --sport 67:68 --dport 67:68 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Wednesday, July 3, 2013

Bash "while" loop

1) Either:

while read line
do
...
done < my_file.txt


2) Or:

cat my_file.txt | while read LINE
do
...
done



http://www.tldp.org/LDP/abs/html/internal.html#READPIPEREF
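The two forms are not interchangeable when the loop body changes a variable, which is what the link above is about. As an added example that is not from the post, both forms count "Failed password" lines in a constructed auth-log snippet:

```sh
#!/bin/sh
# Added example, not from the post. The log lines are constructed.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Jul  3 10:00:01 host sshd[100]: Failed password for invalid user admin from 192.0.2.10
Jul  3 10:00:05 host sshd[101]: Accepted password for tomas from 192.0.2.20
Jul  3 10:00:09 host sshd[102]: Failed password for root from 192.0.2.10
EOF

# Form 1: "done < file". The loop runs in the current shell, so the counter
# is still there after the loop. IFS= and -r keep each line byte-for-byte
# (no whitespace trimming, no backslash processing), which matters for logs.
count_failed_redirect() {
    n=0
    while IFS= read -r line; do
        case $line in *"Failed password"*) n=$((n + 1)) ;; esac
    done < "$1"
    echo "$n"
}

# Form 2: "cat file | while ...". In sh and bash every stage of a pipeline
# runs in a subshell, so n is incremented in a copy and the outer n stays 0.
# If you need the result afterwards, use form 1 or print it inside the loop.
count_failed_pipe() {
    n=0
    cat "$1" | while IFS= read -r line; do
        case $line in *"Failed password"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

echo "redirect: $(count_failed_redirect "$SAMPLE_FILE"), pipe: $(count_failed_pipe "$SAMPLE_FILE")"
```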

Find domain controllers for a domain

1) For DNS based on MSWin:

$ nslookup -type=srv _ldap._tcp.dc._msdcs.your_domain
#this should work in Win and Lin

#the same with dig:
$ dig -t any _ldap._tcp.dc._msdcs.your_domain
#doesn't work in all cases ;-(

2) For general DNS:

$ dig -t any domain
#or:
$ dig ALL domain
#or:
$ dig +short ALL domain
#these give the IPs of all domain controllers in the domain; now get the hostnames from the IPs:
$ dig -x IP | awk ' /PTR/ {print $NF}'
# -x is a reverse lookup, then match lines containing PTR and print the last field, which is the hostname
#since not every IP has a PTR record (then the only matching line is the question, whose last field is just "PTR"), drop those with awk \!/PTR/:
for NS in `dig +short ALL your_domain`
do
dig -x $NS | awk ' /PTR/ { print $NF } ' | awk \!/PTR/
done

#or:
$ nslookup IP

3) list of DNS record types:
http://en.wikipedia.org/wiki/List_of_DNS_record_types
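The SRV query in 1) returns one line per domain controller; as an added example that is not from the post, this script turns that answer into a "host port" list ordered by priority. The answer is constructed with made-up DC names; on a real domain it would come from "dig +short SRV _ldap._tcp.dc._msdcs.your_domain":

```sh
#!/bin/sh
# Added example, not from the post. SRV_ANSWER is a constructed "dig +short"
# answer; each line is "priority weight port target.".
SRV_ANSWER='0 100 389 dc2.example.local.
0 100 389 dc1.example.local.
10 50 389 dc-backup.example.local.'

# Print "host port" per DC, lowest priority (= preferred) first, then by name.
dc_list() {
    printf '%s\n' "$1" | awk 'NF == 4 {
        host = $4; sub(/\.$/, "", host)    # drop the trailing root dot
        print $1, host, $3
    }' | sort -k1,1n -k2,2 | awk '{ print $2, $3 }'
}

# Number of DCs advertised. Zero usually means the resolver you asked is not
# the AD-integrated DNS (see the note above about dig not always working).
dc_count() {
    dc_list "$1" | wc -l | tr -d ' '
}

dc_list "$SRV_ANSWER"
```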

awk tips


1) Search for regular expression "test" in file "my_file" and print first and last field of matched line:
$ awk '/test/ { print $1, $NF }' my_file

2) Regular expression comparison is done with ~ or !~, whose result is true or false:

3) Search for lines where first field contains "A" and print that line:
$ awk '$1 ~ /A/' my_file
#or 
awk '{ if ($1 ~ /A/) print }' my_file
#where $1 ~ /A/ means "does the first field contain A?"
#print is the same as print $0, thus print the whole line = all fields

4) grep -v with awk:
awk \!/text/ my_file

5) field delimiter different from the default space:
gawk -F: '{ print $1 }' /etc/passwd



GNU AWK manual:
http://www.gnu.org/software/gawk/manual/gawk.html
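As an added example that is not from the post, the -F:, ~, !~ and $NF tips above applied to a constructed /etc/passwd sample to answer two questions an administrator should ask of every host: are there extra UID-0 accounts, and do system accounts still have a login shell? The UID boundary of 500 is the RHEL 5/6 convention and is an assumption here:

```sh
#!/bin/sh
# Added example, not from the post. SAMPLE_PASSWD is a constructed passwd
# file; "toor" and the "backup" shell are the planted findings.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
tomas:x:500:500:Tomas:/home/tomas:/bin/bash'

# Accounts with UID 0 (field 3) whose name (field 1) is not exactly "root".
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 !~ /^root$/ { print $1 }'
}

# System accounts (UID 1..499, the RHEL 5/6 range, an assumption) whose last
# field, the shell, is not a nologin/false shell.
system_with_shell() {
    printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 500 && $NF !~ /(nologin|false)$/ { print $1, $NF }'
}

echo "extra UID 0 accounts:"; extra_uid0 "$SAMPLE_PASSWD"
echo "system accounts with a shell:"; system_with_shell "$SAMPLE_PASSWD"
```

On a real host replace the sample with "$(cat /etc/passwd)" or pass the file to awk directly as in tip 5.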



Don't redirect Picasa to Google +

A no-redirect link, which also sets a cookie for future visits:

https://picasaweb.google.com/lh/myphotos?noredirect=1

Destroy Xen Domain (virtual host)

#list active domains:
xm list

#a domain can end up in a bad state: unable to start, and unable to create another one with the same name, because a configuration file with this name already exists
#to remove the domain, do these steps:

#terminate domain (remove it from xm list):
xm destroy domainID

#remove autostart link:
rm /etc/xen/auto/domainID*

#remove the disk image file
rm /path/to/disk/file
#or remove physical disk or LogicalVolume


#list of all "xm" commands:
console Attach to <Domain>'s console.
create Create a domain based on <ConfigFile>.
destroy Terminate a domain immediately.
dump-core Dump core for a specific domain.
help Display this message.
list List information about all/some domains.
mem-set Set the current memory usage for a domain.
migrate Migrate a domain to another machine.
pause Pause execution of a domain.
reboot Reboot a domain.
restore Restore a domain from a saved state.
save Save a domain state to restore later.
shutdown Shutdown a domain.
trigger Send a trigger to a domain.
top Monitor a host and the domains in real time.
unpause Unpause a paused domain.
uptime Print uptime for a domain.
vcpu-set Set the number of active VCPUs allowed for the domain.


Tuesday, July 2, 2013

Add watermark in batch with ImageMagick

This adds two colored texts slightly offset from each other. Size 70 is appropriate for a resolution of ~2000 pixels:


for i in IMG*.jpg; do echo "$i"; convert "$i" -pointsize 70 -draw "gravity southeast fill black text 0,12 'Copyright' fill white text 1,11 'Copyright' " "../new/edit-$i"; done


Thanks to:
http://www.imagemagick.org/Usage/annotating/#wmark_image

Monday, July 1, 2013

Change the hostname permanently on a RedHat-like Linux server


edit HOSTNAME in /etc/sysconfig/network:
[root@localhost ~]# grep HOSTNAME /etc/sysconfig/network
HOSTNAME=localhost.localdomain
[root@localhost ~]#
and then set the running hostname without a reboot:
[root@localhost ~]# hostname your_hostname

Create (install) new Xen Virtual Machine in text mode


Either you can use the graphical tool virt-manager,
or this text tool:

[root@localhost ~]# virt-install --prompt
What is the name of your virtual machine? test2
How much RAM should be allocated (in megabytes)? 500
What would you like to use as the disk (file path)? /home/tomas/test2
How large would you like the disk (/home/tomas/test2) to be (in gigabytes)? 4
What is the install URL? http://merlin.fit.vutbr.cz/mirrors/centos/5.9/os/i386


Starting install...
Retrieving file .treeinfo... | 413 B 00:00
Retrieving file vmlinuz... | 2.2 MB 00:01
Retrieving file initrd.img... | 11 MB 00:08
Creating storage file... | 4.0 GB 00:00
Creating domain... | 0 B 00:02
Connected to domain test2
...



you can also continue with the text installation, or you can start a VNC server:

Welcome to CentOS

+-----------+ VNC Configuration +------------+
| |
| A password will prevent unauthorized |
| listeners connecting and monitoring your |
| installation progress. Please enter a |
| password to be used for the installation |
| |
| Password: ********________ |
| Password (confirm): ********________ |
| |
| |
| +----+ +-------------+ +------+ |
| | OK | | No password | | Back | |
| +----+ +-------------+ +------+ |
| |
| |
+--------------------------------------------+



Probing for video card: Unable to probe
No video hardware found, assuming headless
Starting VNC...
The VNC server is now running.
Please connect to 172.16.79.130:1 to begin the install...
Press <enter> for a shell
Starting graphical installation...
XKB extension not present on :1



and continue in graphical mode with "vncviewer" command.


Sunday, June 30, 2013

Xen server inside a VMware host and a problem with promiscuous mode of the network card

Running a Xen server inside a VMware host (with the xen kernel) can cause a problem with switching the network card into promiscuous mode, which can leave the network card in a non-operational state.
Here is a simple solution to this security problem:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=287

Thursday, May 23, 2013

Suse 12.3 GRUB2 single user mode

Suse Linux 12.3 comes with GRUB2, which has different configuration files and other differences.
To go into single user mode from the graphical menu:

1) press "e" to edit startup entry

2) this screen will appear:



3) scroll down and add "single" on this line:


4) finally press F10 key to confirm and boot

Thursday, May 16, 2013

Edit a script inside a RPM package


I'm unable to install this RPM package, because it did not pass the package preinstallation script(let), which checks the size of swap space:
NOTE: rpmrebuild is in EPEL repo for Fedora/RedHat

tomas@suse123:~/TEMP/Disk1> sudo rpm -ivh ./oracle-xe-11.2.0-1.0.x86_64.rpm
Preparing...                          ################################# [100%]
This system does not meet the minimum requirements for swap space.  Based on
the amount of physical memory available on the system, Oracle Database 11g
Express Edition requires 2048 MB of swap space. This system has 818 MB
of swap space.
 Configure more swap space on the system and retry the
installation.
error: %pre(oracle-xe-11.2.0-1.0.x86_64) scriptlet failed, exit status 1
error: oracle-xe-11.2.0-1.0.x86_64: install failed
tomas@suse123:~/TEMP/Disk1> 

Here is the line of the script that causes the failure:
tomas@suse123:~/TEMP/Disk1> rpm -qp --scripts ./oracle-xe-11.2.0-1.0.x86_64.rpm|grep "^requiredswapspace="
requiredswapspace=`min 2047 $reqswapspace`
tomas@suse123:~/TEMP/Disk1>

Let's modify it with rpmrebuild (not rpmbuild) tool.
(To install it use: zypper or yum install rpmrebuild)
tomas@suse123:~/TEMP/Disk1> rpmrebuild --edit-pre -p ./oracle-xe-11.2.0-1.0.x86_64.rpm

--edit-pre
    edit the rpm preinstallation scriptlets
-p, --package
    work on an rpm package file, not on an installed rpm (this option is like rpm's -p option)


vi editor will appear. Edit the script:
#requiredswapspace=`min 2047 $reqswapspace`
requiredswapspace=`min 247 $reqswapspace`

and save it. New RPM is created in:
$HOME/rpmbuild/RPMS/x86_64