SysAdmin Irix Guide
Some notes about IRIX Sysadmin stuff
Based on many books and Usenet groups comp.unix.admin and comp.sys.sgi.admin contributions.
“There are two major products that come out of Berkeley: LSD and UNIX. We don’t believe this to be a coincidence.” — Jeremy S. Anderson
Note: I stopped using SGI machines in 2003, so this page is getting outdated.
Configuring a new machine
For network configuration using static IPs, change the following files:
- /etc/sys_id
- <machinename>
- /etc/hosts
- 127.0.0.1 localhost
- <machineIP> <machinename> <machinename.domain>
- /etc/resolv.conf
- domain <domain>
- nameserver <DNSIP1>
- nameserver <DNSIP2>
- /etc/config/static-route.options
- $ROUTE $QUIET add net default <gatewayIP>
- /etc/config/ifconfig-1.options
- netmask 0xfffffc00
Once you get the machine to see the world, login with
Add swap space: “/usr/sbin/mkfile 4g /dev/swap2; /sbin/swap -a /dev/swap2; nedit /etc/fstab” and add the line “/dev/swap2 swap swap pri=3 0 0” in your /etc/fstab.
Exports/mounts: “nedit /etc/exports“
PRNGB, SSL and SSH
SSH replaces all of the following: telnet, rlogin, ftp which should be disabled manually… For copying files securely you are better off using scp which relies on ssh, but otherwise, some useful SSH tricks include:
- Login
- ssh -X user@remotemachine.com with X-Windows
- ssh -Cx user@remotemachine.com on a slow line using compression and no X-Windows
- Execute prog on remote machine
- ssh user@remotemachine.com "prog"
- Copy a file securely to a remote machine
- cat file | ssh user@remotemachine.com "cat >file" but you lose the chmod
- Or better scp dir/file user@remotemachine.com:dir/file
- Copy a file securely from a remote machine
- ssh user@remotemachine.com "cat file" >file but you lose the chmod
- Or better scp user@remotemachine.com:dir/file dir/file
- For copying entire directories between machines with scp
- scp -r username@machine:path/dir username@othermachine:path/dir for instance scp -vr billybob@inbred.net:family . to make a local copy of the family directory (notice the dot at the end).
- And the best of all, use rsync to synchronise entire directory trees. It builds a database of CRCs computed on each side and then moves only the differences themselves (incredibly efficient after the 1st run and secure over ssh).
- rsync -Cvaze ssh --delete source_dir/ username@remote_host.com:destination_dir/ to copy from source to destination. It can go thousands of times faster than scp !!! rsync can also be used to synchronize two directories by doing a second call in reverse. There are tons of options.
Increasing system security
- /etc/services
- You can remove some of the ports, but it doesn’t actually close them; it just makes them impossible to open via an alias. Opening them via their port number will still work….
- /etc/inetd.conf
- Remove most services from /etc/inetd.conf, in particular the ‘r’ services, telnet, ftp, finger… They are either useless or can be better replaced by ssh. Here’s a restrictive list:
ftp stream tcp nowait root /usr/etc/ftpd ftpd -S -l -l -l -p
pop-3 stream tcp nowait root ?/usr/freeware/bin/ipop3d ipop3d
mountd/1,3 stream rpc/tcp wait/lc root /usr/etc/rpc.mountd mountd
mountd/1,3 dgram rpc/udp wait/lc root /usr/etc/rpc.mountd mountd
sgi_mountd/1 stream rpc/tcp wait/lc root /usr/etc/rpc.mountd mountd
sgi_mountd/1 dgram rpc/udp wait/lc root /usr/etc/rpc.mountd mountd
rquotad/1 dgram rpc/udp wait root /usr/etc/rpc.rquotad rquotad
imaps stream tcp nowait root ?/usr/freeware/bin/imapd.ssl imapd
imap stream tcp nowait root ?/usr/freeware/bin/imapd imapd
pop3s stream tcp nowait root ?/usr/freeware/bin/ipop3d.ssl ipop3d
- chkconfig
- Run that command and disable all useless services with “chkconfig service off”
- showprods -D1
- Run the above command and possibly disable unwanted software.
- versions
- Run the following command: “showprods -D1” and possibly disable unwanted software with versions.
- /var/adm/SYSLOG
- Look at it regularly and grep it for anything strange.
- /var/adm/sulog
- Look at it regularly for who impersonates whom, particularly root.
- shadow
- Enable shadow passwords with pwconv.
- ftp
- Are you sure ssh/scp is not enough ? If you really must have ftp running:
- Log what users are doing and hackers are trying to do with the following line in /etc/inetd.conf:
ftp stream tcp nowait root /usr/etc/ftpd ftpd -S -l -l -l -p
Yes, you’ll be able to see every single ftp command in the /var/adm/SYSLOG file; but heh, who’s talking about privacy here ?
- Make sure it’s chrooted (man ftp will explain it).
- If you have both user ftp and anonymous ftp, make sure there aren’t any world writable directories in the ~ftp directory (if you chrooted it properly they can’t get out of ~ftp). And the only way to be sure of that, since your users can create them, is to have a cron job call a script such as:
#! /bin/sh
# remove world write permission (directories included)
find ~ftp -perm -002 -exec chmod o-w {} \;
# remove group write for ftp or guest
find ~ftp -perm -020 \( -user ftp -o -group guest \) -exec chmod g-w {} \;
- If your ftp has important read only directories, an excellent trick is to mount them as read-only NFS. In /etc/exports, put a line with “/dirname machinename.domain localhost”; make an empty dir “mkdir ~ftp/pub/ReadOnly” and finally make the mount with the following /etc/fstab line: “localhost:/dirname ~ftp/pub/ReadOnly nfs ro,intr,bg 0 0”. The directory will be visible in ftp://machinename/pub/ReadOnly/ and will be truly read-only, even if the permissions in it say something different.
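An added example (not part of the original page) for the /etc/inetd.conf advice in the list above: it lists entries still enabled for telnet, the 'r' services (shell, login, exec), finger and ftp, and reports whether ftpd runs with the -l logging flag. The sample file contents are constructed, and the finding labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: list enabled inetd.conf entries
# for the services the page says to remove ('r' services, telnet, ftp, finger).

# Constructed sample in inetd.conf layout; not taken from a real host.
sample_inetd_conf() {
cat <<'EOF'
ftp     stream tcp nowait root  /usr/etc/ftpd     ftpd -S -l -l -l -p
telnet  stream tcp nowait root  /usr/etc/telnetd  telnetd
shell   stream tcp nowait root  /usr/etc/rshd     rshd
#login  stream tcp nowait root  /usr/etc/rlogind  rlogind
finger  stream tcp nowait guest ?/usr/etc/fingerd fingerd
mountd/1,3 stream rpc/tcp wait/lc root /usr/etc/rpc.mountd mountd
imaps   stream tcp nowait root  ?/usr/freeware/bin/imapd.ssl imapd
EOF
}

# Reads inetd.conf text on stdin, prints "<service> <finding>" per risky entry.
# Fields: 1 service, 2 socket, 3 proto, 4 wait, 5 user, 6 program, 7+ argv.
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 7 { next }      # commented-out (disabled) or malformed
        {
            svc = $1
            sub(/\/.*$/, "", svc)          # drop RPC version suffix (mountd/1,3)
            if (svc == "telnet") { print svc, "cleartext-login"; next }
            if (svc == "shell" || svc == "login" || svc == "exec") {
                print svc, "r-service"; next
            }
            if (svc == "finger") { print svc, "info-disclosure"; next }
            if (svc == "ftp") {
                logged = 0                 # page: run ftpd with -l to log to SYSLOG
                for (i = 8; i <= NF; i++) if ($i == "-l") logged = 1
                print svc, (logged ? "enabled-logged" : "enabled-unlogged")
            }
        }
    '
}

sample_inetd_conf | audit_inetd
```

On a real host, feed it the live file with audit_inetd < /etc/inetd.conf.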
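An added example (not part of the original page) for the /var/adm/sulog review in the list above: it counts failed and successful su attempts to root per originating user and marks users at or above a failure threshold. It assumes the System V sulog line layout (SU date time +/- tty from-to); the sample lines and the threshold of 3 are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: summarise su attempts to root
# recorded in sulog. Assumed line layout: SU MM/DD HH:MM +|- tty from-to

# Constructed sample lines; user and tty names are made up.
sample_sulog() {
cat <<'EOF'
SU 03/11 08:02 + ttyq1 alice-root
SU 03/11 08:40 - ttyq4 bob-root
SU 03/11 08:41 - ttyq4 bob-root
SU 03/11 08:41 - ttyq4 bob-root
SU 03/11 09:15 + ttyq2 carol-oracle
SU 03/11 23:50 - ttyq7 guest-root
SU 03/12 00:01 + ttyq7 guest-root
EOF
}

# Reads sulog text on stdin; $1 is the failed-attempt threshold (default 3).
# Prints "<user> <failed> <ok>" per user who tried to become root, with a
# trailing ALERT when <failed> reaches the threshold.
su_to_root_summary() {
    awk -v max="${1:-3}" '
        $1 == "SU" && NF == 6 {
            to = $6;   sub(/^.*-/, "", to)       # target: text after last "-"
            from = $6; sub(/-[^-]*$/, "", from)  # origin: text before it
            if (to != "root") next
            seen[from] = 1
            if ($4 == "-") fail[from]++
            else if ($4 == "+") ok[from]++
        }
        END {
            for (u in seen) {
                flag = (fail[u] >= max + 0) ? " ALERT" : ""
                printf "%s %d %d%s\n", u, fail[u], ok[u], flag
            }
        }
    ' | LC_ALL=C sort
}

sample_sulog | su_to_root_summary 3
```

On a real host, run it as su_to_root_summary 3 < /var/adm/sulog.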
Hard Drives
Adding a new HD:
- Insert the drives and do “scsiha -p <controller number>; ioconfig -f /hw“. Yes, the machine can be on.
- Create an empty dir for the mount point
- For a raid, run ssmgui and mess around with it for hours.
- Run toolchest, [System][System Manager] then [Hardware and devices][Disk Manager]
- [Initialize] the disk
- [Mount] the disk
Samba
Samba is a utility that runs on IRIX and allows it to trade files with PCs on a local network. It is not too easy to install, every PC needs a registry hack and it is sometimes flaky (particularly in its handling of file permissions), but quite useful.
Remember to registry hack Windows machines to allow for clear text passwords to be sent over the local network. I don’t like this but there doesn’t seem to be an easy way around it.
Adding a new user to the list of Samba users: “cd /usr/samba; bin/addtosmbpass username <private/smbpasswd >>private/smbpasswd“. Then edit private/smbpasswd to make sure there aren’t any duplicates. Changing a user’s Samba password is achieved with “bin/smbpasswd -U user password“
Tapes
Problems going from IRIX 6.5.8 to IRIX 6.5.11 with our DLT8000. Have to use TS drivers instead of TPS (TS must be turned on manually with chkconfig ts on).
Backups script, with BackupList.txt containing the list of folders to save:
/usr/sysadm/privbin/backup -f /dev/tape1c -v -n -s BackupList.txt
mt -f /dev/tape1c rewind
mt -f /dev/tape1c offline
Installing Quantum SuperDLT 220 on IRIX 6.5.11. Add the following inside the /var/sysgen/master.d/scsi:
{ DECDLT, TPDLT, 7, 9, "QUANTUM", "SuperDLT1",
0, 0, {0},
MTCAN_BSF | MTCAN_BSR | MTCAN_APPEND | MTCAN_SPEOD |
MTCAN_CHKRDY | MTCAN_VAR | MTCAN_SETSZ | MTCAN_SILI |
MTCAN_SEEK | MTCAN_SYNC | MTCAN_CHTYPEANY | MTCAN_COMPRESS,
20, 8*60, 20*60, 5*60, 3*3600, 4096, 64*1024,
tpsc_default_dens_count, tpsc_default_hwg_dens_names, tpsc_default_alias_dens_names,
{0}, 0, 0, 0, 0, (u_char *)0 },
Then do the usual /etc/autoconfig; /etc/reboot; ...; cd /dev; ./MAKEDEV
If the SuperDLT tape drive gives you random errors like I/O error, Device busy or Error 16, just shut down the drive, it should clear the error. Apparently, putting a normal DLT tape into the SuperDLT can sometimes mess up its default density configuration.
- Also, those commands might come in handy:
- scsicontrol
- send scsi commands
- scsiha
- used to reset and probe scsi bus
- stacker
- jukebox control
Stack
Fortran program hosing the stack ? 3 complementary solutions:
- ‘unlimit stacksize’
- To use all available stack. Put this line in your ~/.cshrc file.
- Increase the kernel max stacksize
- Add the line ‘rlimit_stack_max = 0x40000000 ll’ to the file /var/sysgen/stune/ (here increase to 1Gb) or, better, use systune. Run /etc/autoconfig and /etc/reboot.
- -static
- Make the compiler use the heap instead of the stack with the ‘-static’ option.
Resource files
Some stuff you might want to add to your ~/.cshrc file:
alias ll 'ls -alF'
alias lc 'ls *.{c,h,cc,hh,inc,f,f90}'
alias ln 'ln -i'
alias psg 'ps -ef | grep'
alias cd.. cd ..
set history = 400
# For interactive shells, set the prompt to show the host name and event number.
if ( (! $?ENVONLY) && $?prompt ) then
if ( -o /bin/su ) then
set prompt="`hostname -s`(`whoami`) \!# "
else
set prompt="`hostname -s`(`whoami`) \!% "
endif
endif
# rwxr-xr-x
umask 022
unlimit stacksize
Job priority
How to control big running jobs so they don’t hose all the CPU available ? We typically run jobs that take several days to complete on 4 processor machines, so we want the ability to lower their priority, run them on specific processors, suspend them during the day… Here are a few options:
- “nice Job“
- Has virtually no effect, even if the job is 100% CPU, no I/O.
- “npri -w Job“
- Make Job a weightless process that will run only if no other process uses the CPU.
- “runon CpuNum Job“
- Run a job on a specific processor (0 to 3). Can be combined with npri. Warning, incompatible with cpuset.
- “kill -STOP” and “kill -CONT“
- Will suspend/resume a running process (which still retains virtual memory, so you may need a very large swap file if you use this a lot).
- cpuset
- Ability to specify groups of processors and run jobs on them. For instance, do as root:
% cat >TwoCPU.cfg
MEMORY_LOCAL
CPU 2
CPU 3
^D
% cpuset -q TwoCPU -c -f TwoCPU.cfg
Now a user can run a job that will be restricted to processor 2 and 3 (while other processes can still use all 4): “cpuset -q TwoCPU -A Job“. In the evening, if you want the job to use all available processors you can release it to all CPUs with: “cpuset -q TwoCPU -d” (as root). But in the morning you cannot put the job back into the bottle of TwoCPU. Warning, if you have some processors configured with cpuset, even non exclusively, you cannot use runon on them.
- miser
- I haven’t looked at it in detail, but that’s the most complete and complex solution, you can even mothball a process across reboots !
Working installation of Qpopper, allowing for Authenticated POP (APOP) retrieval. Compiled with the following:
./configure --enable-apop=/etc/pop.auth --enable-popuid=pop --with-openssl --disable-specialauth --enable-timing
Check the /etc/services for pop services and also add the following line to /etc/inetd.conf:
pop3 stream tcp nowait root /usr/local/bin/popper popper -s -t /var/spool/popper/popper.log
To add yourself (as a user) to the APOP list, do “popauth” and then type a password (same as your login or a specific one for your email). Then change the option in Eudora to APOP (yeah, it won’t work in Netscape or Outlook express).
Scripts
- Choice of shell
- Use tcsh as an interactive shell and ksh for writing scripts.
- Debugging
- You can debug (trace) a ksh script by doing “ksh -x script” or writing #! /bin/ksh -x on the first line of the script.
- cut vs awk
- It is much easier to use “cut -d: -f2-5” than awk/sed for filtering columns.
- Time handling scripts
- I have some source code on a separate page to manipulate dates in (YY)YYMMDDHHMMSS format.
- Where is the script located ?
- This will work in the following calling cases:
- script.sh # same directory
- /path/script.sh # absolute path specified
- ../subpath/script.sh # relative path specified
- script.sh # location found in the PATH variable — DOES NOT WORK !
#! /bin/sh
# Script that determines its own location
current_directory=`pwd`
# quotes keep paths containing spaces intact
cd "`dirname "$0"`"
script_directory=`pwd`
cd "$current_directory"
Misc
- System updates
- Download the various tardist images in /dist/disk[1234] then inst -f /dist/disk1 -f /dist/disk2 -f /dist/disk3 -f /dist/disk4 followed by inst upgrade, conf and go. You can also do this in swmgr.
- For the freeware stuff, you can install over http with inst -f http://freeware.sgi.com/Inst/. Then do keep *, install updated and go.
- More tricks here.
- Recommended options for compiling Fortran programs on the SGI 2100:
FFLAGS= -col120 -n32 -mips4 -r12000 -O3 -static
- Recommended options for compiling C programs on the SGI 2100:
CFLAGS= -n32 -mips4 -r12000 -O3
- Debugging code:
- Use option -g instead of -O3 in the Makefile, then run cvd ExeFileName and then type the command line parameters inside the debugger. Basic use is fairly easy; advanced use is… well, advanced.
- Immediate power shutdown:
- shutdown -y -g0 -p or /etc/reboot. Use -g120 or wall to warn users.
- Lost the root password on IRIX ?
- Simplest is if you have another SGI handy. Mount the system disk with the missing password as a slave into the other SGI and simply edit the /etc/passwd file. And write the stupid password down !
- Adding a user:
- /usr/sysadm/privbin/addUserAccount -l username -u UID -g 20 -P -G "Full User Name" -C -H /Users/username -S /bin/tcsh -R and type user password.
- Add to Samba with addtosmbpass if PC user.
- Add to popauth if Eudora user (must then use APOP and not POP3).
- Add to group mailing (see below) list if daily user.
- Add client machine to /etc/exports for NFS access if Mac. Update NFS with “exportfs -a; killall -HUP inetd“.
- Add client machine to /etc/hosts.
- Setting up a quick mailing list (for small groups only):
- Add the following line in /etc/aliases: “group::include:/etc/group.list” and create a file /etc/group.list with the list of email addresses (complete emails, no aliases). Then run newaliases.
- Stuck printer:
- If a print job seems to be stuck, do a “lpstat -t” to determine the job (for instance ariane-31415) and then cancel it with “cancel ariane-31415“.
- Quick cron job modification:
- type the following: crontab -l > cron; nedit cron; crontab <cron; rm cron
- Mount an ISO image
- mount -o loop rh7.2-i386-disc1.iso /mnt
- Find what uses a file/devices, use either:
- fuser -muv /mnt/cdrom
- lsof -t /dev/cdrom
- Delete files with odd characters in filename
- rm -i * or ls -id *; find . -inum [inode number from ls] -ok rm {} \; will delete everything in the current directory but ask you for confirmation (yes/no) before each file (allows the shell to do automatic escaping).
- Sort IP addresses
- sort -n -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
- Replacing underlines with spaces on all files within a directory
- for f in *_*; do mv "$f" "$(echo "$f" | sed "s/_/ /g")"; done
- Replacing underlines with spaces on all files (but not directories) under a directory tree
- Repeat the following commands until it tells you '0': find . -type f -name "*_*" | sed -e "s%\(.*/[^/]*\)_\([^/]*\)%mv \"&\" \"\1 \2\"%" >/tmp/$$; wc -l /tmp/$$; . /tmp/$$
- Lost root password
- Tsssk! Tssk! Tssk!… Find another SGI, mount the main drive as a slave, edit the /etc/passwd file. Put the HD back.
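The tree-wide underscore rename in the list above writes generated mv commands to /tmp/$$ and sources them, so file names end up parsed as shell input. As an added example (not part of the original page), this variant does the same rename in one pass and hands each name to mv as an argument; it assumes a POSIX sh, find with -exec ... {} +, and mktemp for the constructed demo tree.

```shell
#!/bin/sh
# Added example, not from the original page. Replaces "_" with " " in the names
# of regular files under a directory in a single pass; file names are passed
# to mv as arguments and are never written out as shell text to be sourced.
rename_underscores() {
    find "$1" -type f -name '*_*' -exec sh -c '
        for path do
            dir=${path%/*}                 # directory part is left untouched
            base=${path##*/}
            # trailing "x" protects a name ending in newline from $(...) trimming
            new=$(printf "%sx" "$base" | tr "_" " ")
            new=${new%x}
            if [ -e "$dir/$new" ]; then
                echo "skip (target exists): $path" >&2
            else
                mv -- "$path" "$dir/$new"
            fi
        done
    ' sh {} +
}

# Constructed demo tree in a private temporary directory (hypothetical names).
# One name carries shell metacharacters to show it is preserved literally.
demo_rename() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sub_dir"
    : > "$tmp/my_notes_2003.txt"
    : > "$tmp/sub_dir/a_b c.txt"
    : > "$tmp/sub_dir/odd_\$HOME_\"q\".txt"
    rename_underscores "$tmp"
    (cd "$tmp" && find . -type f | LC_ALL=C sort)
    rm -rf "$tmp"
}

demo_rename
```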
Unix Books
| The Good | The Bad and the Ugly |
|---|---|
| The The If you program in C, Harbison and Steele’s |
On the other hand, I do not recommend getting Another book to steer clear of: |