blog

Linux shell script sleep infinity

sleep infinity
2025/03/24 15:06

Executable space protection

Linux Address Space Layout Randomization (ASLR) et exec-shield

Links:

Kernel arguments to disable it

exec-shield=0 norandmaps

To disable it for a single process only

setarch $(uname -i) -R /opt/plop

For Oracle
CAUSE

Recent linux kernels have a feature called Address Space Layout Randomization (ASLR). ASLR is a feature that is activated by default on some of the newer linux distributions. It is designed to load shared memory objects in random addresses. In Oracle, multiple processes map a shared memory object at the same address across the processes.

With ASLR turned on Oracle cannot guarantee the availability of this shared memory address. This conflict in the address space means that a process trying to attach a shared memory object to a specific address may not be able to do so, resulting in a failure in shmat subroutine.

However, on subsequent retry (using a new process) the shared memory attachment may work. The result is a “random” set of failures in the alert log.

SOLUTION

It should be noted that this problem has only been positively diagnosed in Redhat 5 and Oracle 11.2.0.2. It is also likely, as per unpublished BUG:8527473, that this issue will reproduce running on Generic Linux platforms running any Oracle 11.2.0.x. or 12.1.0.x on Redhat/OEL kernels which have ASLR.

This issue has been seen in both Single Instance and RAC environments.

ASLR also exists in SLES10 and SLES 11 kernels and by default ASLR is turned on. To date no problem has been seen on SuSE servers running Oracle but Novell confirm ASLR may cause problems. Please refer to

http://www.novell.com/support/kb/doc.php?id=7004855 mmap occasionally infringes on stack

You can verify whether ASLR is being used as follows:

# /sbin/sysctl -a | grep randomize
kernel.randomize_va_space = 1

If the parameter is set to any value other than 0 then ASLR is in use.

On Redhat 5, to permanently disable ASLR:

add/modify these parameters in /etc/sysctl.conf

/etc/sysctl.conf

kernel.randomize_va_space=0
kernel.exec-shield=0

You need to reboot for kernel.exec-shield parameter to take effect.

Note that both kernel parameters are required for ASLR to be switched off.

There may be other reasons for a process failing to start, however, by switching ASLR off, you can quickly discount ASLR being the problem. More and more issues are being identified when ASLR is in operation.

Note: “In RHEL/OEL 7 exec-shield is not modifiable anymore, so changing the exec-shield parameter produces an error.”
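The checks from the section above, as an added example (not code from the page or from Oracle's note): parse `sysctl -a` style text and apply the page's rule (any `kernel.randomize_va_space` other than 0 means ASLR is on), and detect individual processes that run with ASLR off through the personality flag that `setarch -R` sets. Assumptions: the input looks like `sysctl -a` or `/etc/sysctl.conf` lines, and `/proc/<pid>/personality` is readable for the processes of interest. Reading the personality flag is the way to confirm that only the intended process (the `setarch -R /opt/plop` case) lost randomisation, rather than the whole host.

```python
"""Report the system-wide ASLR setting and find processes running with
ASLR disabled via the ADDR_NO_RANDOMIZE personality flag (setarch -R).

Added example, not from the page or from Oracle's support note.
"""
import os
import re

ADDR_NO_RANDOMIZE = 0x0040000  # personality(2) flag set by `setarch -R`

RANDOMIZE_MEANING = {
    0: "disabled: no randomisation",
    1: "conservative: stack, mmap base, VDSO and shared libraries randomised",
    2: "full: as 1 plus randomised heap (brk) base",
}


def parse_sysctl(text):
    """Parse `key = value` / `key=value` lines into a dict of strings.
    Comment lines (starting with #) do not match and are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def aslr_status(sysctl_text):
    """Return (enabled, description).  enabled is None when the key is absent,
    otherwise follows the page's rule: any value other than 0 means in use."""
    values = parse_sysctl(sysctl_text)
    raw = values.get("kernel.randomize_va_space")
    if raw is None:
        return None, "kernel.randomize_va_space not present"
    level = int(raw)
    desc = RANDOMIZE_MEANING.get(level, f"unknown level {level}")
    # kernel.exec-shield exists on RHEL 5/6 kernels only; absent on RHEL 7+
    if "kernel.exec-shield" in values:
        desc += f"; exec-shield={values['kernel.exec-shield']}"
    return level != 0, desc


def personality_disables_aslr(personality_hex):
    """True if a /proc/<pid>/personality value carries ADDR_NO_RANDOMIZE."""
    return bool(int(personality_hex, 16) & ADDR_NO_RANDOMIZE)


def processes_without_aslr(proc_root="/proc"):
    """List (pid, comm) of live processes whose personality disables ASLR."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/personality") as f:
                pers = f.read().strip()
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or not readable for this user
        if personality_disables_aslr(pers):
            hits.append((int(entry), comm))
    return hits


if __name__ == "__main__":
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print(aslr_status("kernel.randomize_va_space = " + f.read()))
    print("processes running with ASLR off:", processes_without_aslr())
```

Run it as root to see every process; as an unprivileged user only your own processes' personality files are readable.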


2025/03/24 15:06

Ansible uri - Tower API

With curl

curl -k -u username:'P@ssw0rd' -H 'Content-Type: application/json' -X POST https://tower.acme.fr/api/v2/job_templates/93/launch/ -d '
{
    "extra_vars": {
        "git_path": "/project/plop",
        "git_user": "gittoken"
    }
}'

Via Ansible

#!/usr/bin/env ansible-playbook
---

- hosts: localhost

  tasks:
    - name: call api
      register: plop
      uri:
        url: https://tower.acme.fr/api/v2/job_templates/93/launch/
        method: POST
        force: true
        force_basic_auth: true
        user: username
        password: 'P@ssw0rd'
        validate_certs: false
        # body_format: form-urlencoded
        body_format: json
        headers:
          Content-Type: "application/json"
        body: |
          {
              "extra_vars": {
                  "git_path": "/project/plop",
                  "git_user": "gittoken"
              }
          }
        status_code: 201

    - name: DEBUG 10
      debug: var=plop

Or alternatively

#!/usr/bin/env ansible-playbook
---

- hosts: localhost

  tasks:
    - name: call api
      register: plop
      uri:
        url: https://tower.acme.fr/api/v2/job_templates/93/launch/
        method: POST
        force: true
        force_basic_auth: true
        user: username
        password: 'P@ssw0rd'
        validate_certs: false
        body_format: json
        headers:
          Content-Type: "application/json"
        src: plop.json
        status_code: 201

plop.json

          {
              "extra_vars": {
                  "git_path": "/project/plop",
                  "git_user": "gittoken"
              }
          }

Problems

Truncated logs

View the output at: https://<tower-FQDN>/api/v2/job_templates/<job-template-id>/
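The same launch as the curl and `uri` examples above, done from Python, as an added example that is not code from the page or from the Ansible/AWX project. It launches the template, polls the job until it finishes, and then pulls the full plain-text job output from the API, which is the workaround for the truncated log captured by `register:`. Assumptions: the endpoints `/api/v2/job_templates/<id>/launch/` (POST, answers 201 with a `job` id), `/api/v2/jobs/<id>/` (GET, `status` field) and `/api/v2/jobs/<id>/stdout/?format=txt` behave as in the Tower/AWX v2 API, and `TOWER_TOKEN` holds a Tower OAuth2 or personal access token, used instead of the page's `user:password` basic auth so that no password sits on the command line or in shell history.

```python
"""Launch a Tower/AWX job template over the v2 API, wait for it, and fetch
the complete job output.  Added example, not from the page or from AWX.
"""
import json
import os
import ssl
import time
import urllib.error
import urllib.request

TERMINAL = {"successful", "failed", "error", "canceled"}  # assumed job statuses


def build_launch_body(extra_vars):
    """Same JSON document as the curl/uri examples above."""
    return json.dumps({"extra_vars": extra_vars}).encode()


def make_client(base_url, token, verify_tls=True):
    """Return client(method, path, body=None) -> (http_status, response_text)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # curl -k / validate_certs: false; only for a lab
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def client(method, path, body=None):
        req = urllib.request.Request(base_url + path, data=body, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()

    return client


def launch_job(client, template_id, extra_vars):
    """POST the launch; Tower answers 201 with the new job's id in "job"."""
    status, text = client("POST", f"/api/v2/job_templates/{template_id}/launch/",
                          build_launch_body(extra_vars))
    if status != 201:
        raise RuntimeError(f"launch failed: HTTP {status}: {text[:200]}")
    return json.loads(text)["job"]


def wait_for_job(client, job_id, poll_interval=5.0, max_polls=720):
    """Poll until the job reaches a terminal status; return that status."""
    for _ in range(max_polls):
        status, text = client("GET", f"/api/v2/jobs/{job_id}/")
        if status != 200:
            raise RuntimeError(f"job query failed: HTTP {status}")
        job_status = json.loads(text)["status"]
        if job_status in TERMINAL:
            return job_status
        time.sleep(poll_interval)
    raise TimeoutError(f"job {job_id} still running after {max_polls} polls")


def fetch_stdout(client, job_id):
    """Full plain-text job output (the part `register:` shows truncated)."""
    status, text = client("GET", f"/api/v2/jobs/{job_id}/stdout/?format=txt")
    if status != 200:
        raise RuntimeError(f"stdout fetch failed: HTTP {status}")
    return text


if __name__ == "__main__":
    client = make_client("https://tower.acme.fr", os.environ["TOWER_TOKEN"])
    job = launch_job(client, 93, {"git_path": "/project/plop", "git_user": "gittoken"})
    print("job", job, "finished:", wait_for_job(client, job))
    print(fetch_stdout(client, job))
```

The `client` callable is the only thing that touches the network, so the launch/poll/fetch logic can be exercised against a stub in tests and swapped for a different HTTP library without changes.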

2025/03/24 15:06

Linux pile TCP/IP TIME_WAIT Apache

See

  • man netstat
  • Prefork vs Worker mode

ps -efL |grep http | wc -l
netstat -nat |sed '2d' | awk '{print $6}' | sort | uniq -c | sort -n
      1 Foreign
      4 SYN_RECV
     12 LISTEN
    131 ESTABLISHED
    191 CLOSE_WAIT
    270 TIME_WAIT

Source: https://www.skyminds.net/serveur-dedie-reduire-les-connexions-time_wait-des-sockets-et-optimiser-tcp/

Or better

# ss -s
Total: 281 (kernel 3060)
TCP:   10 (estab 4, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*         3060      -         -
RAW       0         0         0
UDP       2         2         0
TCP       10        7         3
INET      12        9         3
FRAG      0         0         0

See the ss command

ss -t4 state time-wait
ss -t4 state established

TCP/IP stack

cat /proc/sys/net/ipv4/tcp_fin_timeout
0
cat /proc/sys/net/ipv4/tcp_tw_recycle
0
cat /proc/sys/net/ipv4/tcp_tw_reuse
60

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse

Connection states after the change (same netstat pipeline as above):

      1 Foreign
      1 SYN_RECV
     12 LISTEN
     29 CLOSE_WAIT
     58 ESTABLISHED
    217 TIME_WAIT
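An added example (not from the page or the linked article) that does the same state count as the netstat pipeline above from `ss -tan` output, breaks TIME_WAIT down by local port so you can see which service is closing connections first, and reviews the three sysctls set above. The `ss` sample is constructed. The findings encode facts about the knobs that the tuning above glosses over: `tcp_tw_recycle` rejects connections from peers behind NAT or load balancers and was removed in Linux 4.12, `tcp_tw_reuse` only affects outgoing `connect()` calls, and `tcp_fin_timeout` governs orphaned FIN-WAIT-2 sockets rather than the TIME_WAIT duration, which the kernel fixes at 60 s.

```python
"""Summarise TCP socket states from `ss -tan`, break TIME_WAIT down by local
port, and sanity-check the TIME_WAIT-related sysctls.

Added example, not from the page.  SAMPLE_SS is constructed data.
"""
from collections import Counter

SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:80                 *:*
ESTAB      0      0      10.0.0.5:80          203.0.113.7:51234
TIME-WAIT  0      0      10.0.0.5:80          203.0.113.7:51235
TIME-WAIT  0      0      10.0.0.5:80          203.0.113.9:40001
TIME-WAIT  0      0      [::1]:443            [::1]:40002
CLOSE-WAIT 1      0      10.0.0.5:8080        10.0.0.9:33000
"""


def parse_ss(text):
    """Return (state, local_port, peer) tuples; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        rows.append((state, local.rsplit(":", 1)[1], peer))  # works for [::1]:443 too
    return rows


def count_states(text):
    """Equivalent of the netstat | awk | sort | uniq -c pipeline above."""
    return Counter(state for state, _, _ in parse_ss(text))


def time_wait_by_port(text):
    """Local port of each TIME_WAIT socket: tells you whether the HTTP front
    end or something else (proxy, DB client) is the side closing first."""
    return Counter(port for state, port, _ in parse_ss(text) if state == "TIME-WAIT")


def assess_tcp_sysctls(values):
    """values: {"net.ipv4.tcp_tw_recycle": "1", ...} as read from sysctl.
    Returns a list of findings about the knobs the page sets."""
    findings = []
    if values.get("net.ipv4.tcp_tw_recycle") == "1":
        findings.append(
            "tcp_tw_recycle=1: rejects SYNs from peers behind NAT/load balancers "
            "(per-IP timestamp check); the knob was removed in Linux 4.12")
    if values.get("net.ipv4.tcp_tw_reuse") == "1":
        findings.append(
            "tcp_tw_reuse=1: only applies to outgoing connect(); it does not "
            "shrink server-side TIME_WAIT counts")
    fin = values.get("net.ipv4.tcp_fin_timeout")
    if fin is not None and int(fin) < 60:
        findings.append(
            f"tcp_fin_timeout={fin}: limits orphaned FIN-WAIT-2 sockets only; "
            "TIME_WAIT stays at the kernel's fixed 60 s")
    return findings


if __name__ == "__main__":
    print(count_states(SAMPLE_SS).most_common())
    print(time_wait_by_port(SAMPLE_SS).most_common())
    print(assess_tcp_sysctls({"net.ipv4.tcp_tw_recycle": "1",
                              "net.ipv4.tcp_tw_reuse": "1",
                              "net.ipv4.tcp_fin_timeout": "30"}))
```

Feed it live data with `ss -tan` piped into `parse_ss`, and `sysctl net.ipv4` parsed into a dict for `assess_tcp_sysctls`.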
2025/03/24 15:06

Linux Network Bridge

iproute2

See:

Creation

ip link add br0 type bridge
ip link set br0 up
 
ip link set enp0s8 up
#ip addr flush enp0s8
ip link set enp0s8 master br0

Display and configuration

bridge link
bridge fdb show dev br0
bridge vlan show
 
ip addr add dev br0 192.168.56.11/24

Deletion

ip addr flush br0
ip link set enp0s8 nomaster
#ip link set enp0s8 down
ip link del br0 type bridge
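The creation and deletion sequences above, as an added example (not from the page) that builds them as argv lists so they can be reviewed, then applied without a shell, and checks the result from `bridge link` output. It assumes the iproute2 `ip` and `bridge` commands; `br0`, `enp0s8` and the `bridge link` sample are constructed values. Interface names are validated before use, and the `ip addr flush` step that the page keeps commented out is off by default, since flushing the port's address cuts a session that arrived on that port.

```python
"""Plan, review and apply the iproute2 bridge create/teardown steps, and
verify port enslavement from `bridge link`.  Added example, not from the page.
"""
import re
import subprocess

IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # IFNAMSIZ-1, no '/', no spaces

# Constructed sample of `bridge link` output after enslaving two ports.
SAMPLE_BRIDGE_LINK = """\
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
3: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
"""


def check_ifname(name):
    """Reject anything that is not a plausible interface name before it
    reaches subprocess (argv lists already rule out shell expansion)."""
    if not IFNAME_RE.match(name):
        raise ValueError(f"invalid interface name: {name!r}")
    return name


def plan_create(bridge, port, cidr=None, flush_port=False, stp=False):
    """Commands that create `bridge`, enslave `port` and address the bridge.
    `flush_port` is the `ip addr flush` step the page leaves commented out."""
    b, p = check_ifname(bridge), check_ifname(port)
    cmds = [
        ["ip", "link", "add", b, "type", "bridge", "stp_state", "1" if stp else "0"],
        ["ip", "link", "set", b, "up"],
        ["ip", "link", "set", p, "up"],
    ]
    if flush_port:
        cmds.append(["ip", "addr", "flush", "dev", p])
    cmds.append(["ip", "link", "set", p, "master", b])
    if cidr:
        cmds.append(["ip", "addr", "add", cidr, "dev", b])
    return cmds


def plan_delete(bridge, port):
    """Teardown in reverse: address off, port detached, then bridge removed."""
    b, p = check_ifname(bridge), check_ifname(port)
    return [
        ["ip", "addr", "flush", "dev", b],
        ["ip", "link", "set", p, "nomaster"],
        ["ip", "link", "del", b, "type", "bridge"],
    ]


def parse_bridge_link(text):
    """Map port name -> master bridge from `bridge link` output."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)\S*\s.*\bmaster\s+(\S+)", line)
        if m:
            ports[m.group(1)] = m.group(2)
    return ports


def run_plan(cmds, dry_run=True):
    """Echo each command; execute it without a shell unless dry_run is False."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return len(cmds)


if __name__ == "__main__":
    run_plan(plan_create("br0", "enp0s8", "192.168.56.11/24"))
    run_plan(plan_delete("br0", "enp0s8"))
```

Run with `dry_run=False` as root to apply; afterwards `parse_bridge_link(subprocess.check_output(["bridge", "link"], text=True))` should map `enp0s8` to `br0`.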

brctl (deprecated)

brctl (deprecated). Use ip link instead

brctl show

tunctl (deprecated).

tunctl (deprecated). Use ip tuntap and ip link instead

SystemD

nmcli

nmcli connection add type bridge autoconnect yes con-name br0 ifname br0
nmcli con show
nmcli -f bridge con show br0

Disable STP

sudo nmcli con modify br0 bridge.stp no

Show the configuration

nmcli con show
nmcli -f bridge con show br0

To add an interface, i.e. enslave it to the bridge

nmcli con add type bridge-slave ifname team0 master br0

This creates the file

/etc/sysconfig/network-scripts/ifcfg-br0

STP=no
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=br0
UUID=8ddf2382-7458-4f94-8986-40e95415ea20
DEVICE=br0
ONBOOT=yes

A new file appears

/etc/sysconfig/network-scripts/ifcfg-bridge-slave-team0

TYPE=Ethernet
NAME=bridge-slave-team0
UUID=93645ead-7177-4794-88f3-0a43c95bf179
DEVICE=team0
ONBOOT=yes
BRIDGE=br0

RedHat

  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
      • comment out BOOTPROTO
      • add BRIDGE=br0
  • Create /etc/sysconfig/network-scripts/ifcfg-br0 with the content:

DEVICE=br0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Bridge

Source : https://www.linux-kvm.org/page/Networking

Debian

/etc/network/interfaces

# Replace old eth0 config with br0
auto eth0 br0

# Use old eth0 config for br0, plus bridge stuff
iface br0 inet dhcp
    bridge_ports    eth0
    bridge_stp      off
    bridge_maxwait  0
    bridge_fd       0

Source : https://www.linux-kvm.org/page/Networking

Macvlan

MacVTap

2025/03/24 15:06