Services tab

Enable LDAP
Enable SMB/CIFS if you want sharing with Windows machines.

If you are looking for other services you should already be familiar with them (NFS or iSCSI).
One the right, Services section, click “SMB/CIFS Setup”
All of the default settings should be sufficient. Click Apply.

Accounts tab

(default) On the right, Accounts section, click “Authentication”

check “Use LDAP”
Local LDAP server: check “Use Local LDAP Server”
LDAP Security: (default) uncheck “Use TLS” (I would rather use TLS, but it is local and I got an error with it enabled)
Server: 127.0.0.1 (default)
Base DN: dc=san,dc=revantine,dc=net
Root bind DN: cn=Manager,dc=san,dc=revantine,dc=net
Root Password: (write it down somewhere)
SMB LDAP Configuration: check “Login SMB server to root DN”
User password policy: check “Allow users to set password:
Click submit.

IMPORTANT: When you submit here, it initializes the local LDAP. If you do it again later it could potentially erase changes you have made.

Click the sub-tab “Expert View”, scroll to “UID/GID Synchronization” and check “Synchronize UID/GID information to LDAP”.

You need to restart ldap. Go to the Services tab and out beside LDAP server click “Disable” wait for the refresh and click “Enable”.

On the right, Accounts section, click “Admin Password”

The default password is “password”
Type a new one (and again to confirm it) and click Submit.

On the right, Accounts section, click “Administration”

Since the cached password just changed, you need to login again.

Group Administration sub-tab, Add new group,
Group Name: Users
Override automatic GID, uncheck (default)
Click “Add Group”

User Administration sub-tab, Add new user,
Username: charles
Password: asdfgh
Retype the password
Primary Group: “500: Users”
Override automatic UID, uncheck (default)
Click “Add User”

System tab

On the right, System section, click “Network Setup”

Scroll down to “Network Access Configuration”
We are going to add networks to permit access to

Click “Update”
Scroll down to “Network Access Configuration”

Click “Update”

Volumes tab

This walk through is tailored to systems using software raid. The software raid is preferable to fakeraid (if it is on a motherboard or you paid less than $150 it is probably fakeraid) and hardware raid is expensive.

On the right, Volumes section, click “Block Devices”

/dev/sda may be your system drive, if so choose /dev/sdb and continue. You can tell this by looking at the “Partitions” column and your data drives should have 0 partitions.
Edit Disk column, Click /dev/sda,
scroll to the bottom,
Mode: Primary (default)
Partition Type: RAID array member
Leave these default, Starting cylinder, Ending cylinder, Size
Click Create

You are taken to an “Edit partitions” page, click the link “Back to the list of physical storage devices”.
Edit Disk column, Click /dev/sdb
…And repeat for each storage drive…

On the right, Volumes section, click “Software RAID”

Select RAID array type, “RAID-5 (parity)”
Check mark all the devices that you just made “RAID array member” partitions on, /dev/sda1, sdb1, sdc1…
Click “Add array”

It will report back that the State is “Clean & degraded” and Synchronization is “Not started”.

There is a bug in 2.3 that prevents the Physical Volume creation from detecting software raid volumes (/dev/md0).
You can work around the issue by using ssh, login as root and run the commands below.

[root@lumpy ~]# pvcreate /dev/md0
  Physical volume "/dev/md0" successfully created
[root@lumpy ~]# pvscan
  PV /dev/md0                      lvm2 [2.73 TB]
  Total: 1 [2.73 TB] / in use: 0 [0   ] / in no VG: 1 [2.73 TB]
[root@lumpy ~]# vgcreate store /dev/md0

Volumes tab

On the right, Volumes section, click “Add Volume”

Scroll down,
Volume Name: a
Volume Description:
Required Space (MB): 514702
Filesystem / Volume type: Ext3

Shares tab

Network Shares, click the “a” (/mnt/store/a)
Folder Name: photographs
Click “Create Sub-folder”

Click the “photographs” (/mnt/store/a/photographs/)
Click “Make Share”

Edit share /mnt/store/a/photographs/
Share Access Control Mode:
select “Controlled access”
Scroll to “Group access configuration”

Click “Update”
Scroll to “Host access configuration (/mnt/store/a/photographs/)”
I have two networks that I configured earlier, LAN and VPN. I want both to be able to read and write.
In the SMB/CIFS column, check “Restart services”
LAN 192.168.0.0 put the dot under RW
VPN 192.168.1.0 put the dot under RW
Click “Update”

They used to be sda, sdb and sdc but one of those moved to sdd. Fortunately Linux software raid is smart and used the metadata so everything “just worked.” Next I removed the old partitions and made a new partition that took up the whole drive of type “fd”. Then I added the partition to the existing raid array.
[root@lumpy ~]# fdisk /dev/sdc
[root@lumpy ~]# mdadm --add /dev/md0 /dev/sdc1

I cat’d the /proc/mdstat and the new drive is a “S” spare. Now we tell it the md0 (zero) has four devices (3 previous plus the new one).
[root@lumpy ~]# cat /proc/mdstat
[root@lumpy ~]# mdadm --grow /dev/md0 --raid-devices=4

14 hours later…

Now that the drive is bigger, we need to resize the physical volume (pv) to include the new space.
[root@lumpy ~]# pvresize /dev/md0
Physical volume "/dev/md0" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

I then used the OpenFiler web interface to expand the volume group/logical volume. If you had to do it be hand, you could look here http://tldp.org/HOWTO/LVM-HOWTO/commontask.html

The hardware I have used was my desktop until I upgraded in 2003, with a few minor changes over time that were mostly due to failures. Power supply, video card, added a hard drive, etc. When we moved at the end of April 2009 I decided it was time to re-engineer my solution. I love Debian, it is lean and you can make it do exactly what you want and only that. The ability to limit ancillarary functions was great since it is only a single core 1.3GHz CPU and at one time it was encoding XVID on a single tuner Hauppauge card (about $40). Slow enough that you could not watch live tv.

The new deployment runs MythDora, a distribution tuned for MythTV and has several wizards to assist in easy setup. I am using a split backend/frontend design now with only a UPnP setup on the frontend in my livingroom. The backend was a budget off-lease system that has a dual core 3GHz CPU, a 750GB hard drive and a 1.5TB hard drive. With LVM that gives me a 10GB OS partition and almost 2.2TB of video storage. I have a Hauppauge PVR-500 dual analog tuner with MPEG2 hardware encoder and HDHomerun dual digital HD tuner with MPEG2 hardware encoder. The installs were very easy, and by selecting backend AND frontend on the server, and frontend on the client stations it went very smoothly through setup.

I have run in to a couple of minor problems. The most recent first then working backwards. I use schedulesdirect for the TV listings, and after two weeks I did not have my guide anymore. I checked, and there was not a cronjob to run mythfilldatabase. Since MythTV is running as the mythtv user, I edited /etc/crontab and added a line to run it once a day:
32 2 * * * mythtv /usr/bin/mythfilldatabase &
That means to run it every day at 2:32am (arbitrary time when I wasn’t likely to be using the system) as the mythtv user (so permissions definately will not be messed up and to maintain security). I provided the full path, and used the ampersand to tell it to run in the background.

The second problem was more insideous. MythDora uses Network Manager for the network configuration. Since this is supposed to be an appliance, and I want the backend (required) and frontend (optional) to have static IPs. To facilitate this, I modified /etc/sysconfig/network-scripts/ifcfg-eth0 and setup the IP, subnet, etc
DEVICE=eth0
HWADDR=00:17:a4:42:82:93
ONBOOT=yes
IPADDR=192.168.0.80
GATEWAY=192.168.0.1
Normally I would put GATEWAY in /etc/sysconfig/network but I opted to place it in the interface configuration since it only has one interface and I was feeling lazy. After I did this, and possibly restarted, NetworkManager emptied the /etc/resolv.conf and so dns lookups failed. Stupid NetworkManager, we will fix its wagon:
chkconfig NetworkManager off
service NetworkManager stop
And then put something useful in /etc/resolv.conf:
nameserver 192.168.0.1

Since the new house is not cabled for ethernet and MPEG2 is bandwidth intensive I bought a pair of NETGEAR Powerline A/V Ethernet Adapters, model XAVB101-100NAS. I had a pair of the 85Mb adapters and the video would stutter occasionally. The higher speed 200Mb adapters do not suffer from this problem at all. They are still limited to 100Mb on the interface, but have 200Mb on the shared network domain.

Now everything works.

apt-get install busybox
cd ~/
vi setuplinks.sh

#!/bin/bash
which busybox &>/dev/null
if [ $? != 0 ]
then

echo "Busybox is not present in the working path."
exit 1
fi
oIFS=$IFS
IFS=" ,
"
export BB=`which busybox`
for i in `cat busycmds`
do
if [ $i == "busybox" ]
then
continue
fi
which $i &>/dev/null
if [ $? == 0 ]
then
ln -f $BB `which $i`
ls -i `which $i`
else
ln $BB /usr/bin/$i
echo make $i
fi
done
IFS=$oIFS

vi busycmds

[, [[, adjtimex, ar, arping, ash, awk, basename, bunzip2,
bzcat, cal, cat, chgrp, chmod, chown, chroot, chvt, clear, cmp,
cp, cpio, cut, date, dc, dd, deallocvt, df, dirname, dmesg, dos2unix,
du, dumpkmap, dumpleases, echo, egrep, env, expr, false, fgrep,
find, fold, free, ftpget, ftpput, getopt, grep, gunzip, gzip,
head, hexdump, hostid, hostname, httpd, id, ifconfig, ip, ipaddr,
ipcalc, iplink, iproute, iptunnel, kill, killall, klogd, last,
length, ln, loadfont, loadkmap, logger, login, logname, logread,
losetup, ls, md5sum, mkdir, mkfifo, mknod, mktemp, more, mount,
mt, mv, nameif, nc, netstat, nslookup, od, openvt, patch, pidof,
ping, ping6, printf, ps, pwd, rdate, readlink, realpath, renice,
reset, rm, rmdir, route, rpm, rpm2cpio, run-parts, sed, setkeycodes,
sh, sha1sum, sleep, sort, start-stop-daemon, strings, stty, swapoff,
swapon, sync, syslogd, tail, tar, tee, telnet, telnetd, test,
tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, udhcpd,
umount, uname, uncompress, uniq, unix2dos, unzip, uptime, usleep,
uudecode, uuencode, vi, watch, watchdog, wc, wget, which, who,
whoami, xargs, yes, zcat

Then:
sh ~/setuplinks.sh

If you missed this free opportunity to play with studio lighting and portrait, I encourage you to sign up for the mailing list so you can find out when we have another photo opportunity! http://www.zoegames.com/lists/?p=subscribe&id=2

The biggest problem on owl was a combination of selinux and a xen bug, so I upgraded the kernel and moved the virtual machines to /var/lib/xen/images where selinux thinks they should exist. I did create a soft link to /xen so the configs would work. On an up note, the VMs now start on boot correctly which had been a problem.

My brother was caring for our dog while we traveled last week. Oreo was on a chain with a clasp and someone stole her while my parents were out and my brother was sleeping. Now I have two crying girls – my wife and daughter – and my 2 year old son doesn’t understand that she is gone and not coming back.

If you care to read the extended version of my upgrade and relinking it is in the “More…”

Detailed Description

    SELinux denied xen access to /. If this is a XEN image it has to have a file
    context label of xen_image_t. The system is setup to label image files in
    /var/lib/xen/images correctly.  We recommend that you copy your image file
    to this directory. If you really want to have your xen image files in this
    directory, you can relabel the / to be a xen_image_t file/directory using
    chcon.  If you do this you should also execute semanage fcontext -a -t
    xen_image_t $TATGET_PATH to add this new path to the system defaults.If you
    did not intend to use / as a xen image it could indicate either a bug or an
    intrusion attempt.

Allowing Access

    You can alter the file context by executing chcon -t xen_image_t /

    The following command will allow this access:

    chcon -t xen_image_t /

Shutdown all xen VMs

[root@owl /]# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/VolGroup00-LogVol03 on /home type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
/dev/mapper/VolGroup00-LogVol01 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVolStore01 on /xen type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
[root@owl /]# vi /etc/fstab
#/dev/VolGroup00/LogVolStore01 /xen                    ext3    defaults        1 2
/dev/VolGroup00/LogVolStore01 /var/lib/xen/images       ext3    defaults        1 2

[root@owl /]# umount /xen
[root@owl /]# rmdir /xen
[root@owl /]# mount -a
[root@owl /]# ln -s /var/lib/xen/images /xen

—

I am getting a number of selinux denials and the networking is not working. On the console I am getting the error “xen_net: memory squeeze in netback driver”. Searching indicated this was a bug that was fixed. I need to update the kernel and xen tools.

I made the mistake earlier of running the chcon in the selinux dialog and it changed all the selinux contexts on the root / and upon rebooting the system no longer functioned. I added “selinux=0″ to the kernel line and found that the kernel options were actually being passed on the module line immediately following the kernel line. This is out of the ordinary, but at least the system booted successfully. After getting the system up I used system-config-security to disable selinux.

[root@owl boot]# ls -l
total 14798
-rw-r--r-- 1 root root   61057 Jul 10  2007 config-2.6.18-8.1.8.el5xen
-rw-r--r-- 1 root root   61053 Mar 15  2007 config-2.6.18-8.el5xen
drwxr-xr-x 2 root root    1024 Aug  6  2007 grub
-rw------- 1 root root 2330839 Aug  6  2007 initrd-2.6.18-8.1.8.el5xen.img
-rw------- 1 root root 2348337 Aug  6  2007 initrd-2.6.18-8.1.8.el5xenU.img
-rw------- 1 root root 2330731 Aug  7  2007 initrd-2.6.18-8.el5xen.img
lrwxrwxrwx 1 root root      37 Aug  6  2007 initrd-2.6-xenU.img -> /boot/initrd-2.6.18-8.1.8.el5xenU.img
drwx------ 2 root root   12288 Aug  7  2007 lost+found
-rw-r--r-- 1 root root   80032 Apr  1  2007 message
-rw-r--r-- 1 root root   84906 Jul 10  2007 symvers-2.6.18-8.1.8.el5xen.gz
-rw-r--r-- 1 root root   84906 Mar 15  2007 symvers-2.6.18-8.el5xen.gz
-rw-r--r-- 1 root root  868084 Jul 10  2007 System.map-2.6.18-8.1.8.el5xen
-rw-r--r-- 1 root root  868062 Mar 15  2007 System.map-2.6.18-8.el5xen
-rw-r--r-- 1 root root 2076151 Jul 10  2007 vmlinuz-2.6.18-8.1.8.el5xen
-rw-r--r-- 1 root root 2074835 Mar 15  2007 vmlinuz-2.6.18-8.el5xen
lrwxrwxrwx 1 root root      33 Aug  6  2007 vmlinuz-2.6-xenU -> /boot/vmlinuz-2.6.18-8.1.8.el5xen
-rw-r--r-- 1 root root  274228 Jul 10  2007 xen.gz-2.6.18-8.1.8.el5
-rw-r--r-- 1 root root  274722 Mar 15  2007 xen.gz-2.6.18-8.el5
-rwxr-xr-x 1 root root  608568 Jul 10  2007 xen-syms-2.6.18-8.1.8.el5
-rwxr-xr-x 1 root root  608564 Mar 15  2007 xen-syms-2.6.18-8.el5

[root@owl boot]# yum update kernel*
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 kernel-xen              i686       2.6.18-53.1.21.el5  updates            14 M
Updating:
 kernel-headers          i386       2.6.18-53.1.21.el5  updates           789 k
Removing:
 kernel-xen              i686       2.6.18-8.el5     installed          35 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       1 Package(s)
Remove       1 Package(s)

Removed: kernel-xen.i686 0:2.6.18-8.el5
Installed: kernel-xen.i686 0:2.6.18-53.1.21.el5
Updated: kernel-headers.i386 0:2.6.18-53.1.21.el5
Complete!

initrd-2.6-xenU.img -> /boot/initrd-2.6.18-8.1.8.el5xenU.img
vmlinuz-2.6-xenU -> /boot/vmlinuz-2.6.18-8.1.8.el5xen

[root@owl ~]# cd /boot
[root@owl boot]# mkinitrd --with=xennet --with=xenblk /boot/initrd-2.6.18-53.1.21.el5xenU.img `uname -r`
[root@owl boot]# ln -sf initrd-2.6.18-53.1.21.el5xenU.img initrd-2.6-xenU.img
[root@owl boot]# ln -sf vmlinuz-2.6.18-53.1.21.el5xen vmlinuz-2.6-xenU
[root@owl boot]# shutdown -r now

[root@owl boot]# yum update
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 sos                     noarch     1.7-9.2.el5      updates           108 k
     replacing  sysreport.noarch 1.4.3-10.el5

Updating:
...

Installing for dependencies:
 device-mapper-multipath  i386       0.4.7-12.el5_1.4  updates           2.0 M
 dnsmasq                 i386       2.39-2.el5       base              150 k
 keyutils-libs           i386       1.2-1.el5        base               18 k
 yum-metadata-parser     i386       1.0-8.fc6        base               22 k

Transaction Summary
=============================================================================
Install      5 Package(s)
Update     169 Package(s)
Remove       0 Package(s)

Total download size: 234 M

[root@owl boot]# shutdown -r now

All of the VMs started and email is working again.

Build the distribution

I will walk through the steps I used, and they do deviate from the original author on some points. Because of the limited write cycles on flash memory, it is important to limit paging, journaling and files that are constantly updated. I used a Debian virtual machine that I had handy to build up the filesystem.

mkdir /cf
apt-get install debootstrap
debootstrap –arch i386 etch /cf http://ftp.debian.org

Now that the base OS is present we can chroot.

mount -t proc none /cf/proc
mount –bind /dev /cf/dev
LC_ALL=C chroot /cf /bin/bash

I’m not sure what the LC_ALL=… is for because you can “chroot /cf” and it will work too. I needed a kernel, bootloader, udev and ssh. I chose dropbear for ssh because it is a little more compact.

apt-get install dropbear linux-kernel grub udev

Since this will be my gateway router I chose to put a few network utilities on it so they would be available to track, and provide additional functionality.

apt-get install dhcpd ntop iptraf ngrep tshark dnsmasq screen less dnsutils ethtool

Now it is clean-up time. mtab gets written to frequently, and the proc filesystem reports the same information. resolve.conf needs to be writeable and our filesystem will be read-only most of the time so we will move it and create a link.

rm /etc/mtab
ln -s /proc/mounts /etc/mtab
mv /etc/resolv.conf /var/log/
ln -s /var/log/resolv.conf /etc/

We need to create some config files. From the link at the top, with a modification to fstab to use labels instead.

• /etc/fstab
  

  LABEL=/root / ext2 defaults,noatime 0 0 proc /proc proc defaults 0 0 tmpfs /var/run tmpfs defaults 0 0 tmpfs /var/lock tmpfs defaults 0 0 tmpfs /var/log tmpfs defaults 0 0 tmpfs /tmp tmpfs defaults 0 0 tmpfs /var/lib/dhcp3/ tmpfs defaults 0 0

• /sbin/dhclient-script
  Set new_resolv_conf to “/tmp/resolv.conf.dhclient-new”.
  Change “mv -f $new_resolv_conf /etc/resolv.conf” to “cat $new_resolv_conf > /etc/resolv.conf”
• /etc/network/interfaces
  

  auto lo eth0 allow-hotplug eth0 iface eth0 inet dhcp iface lo inet loopback

• /etc/hosts
  

  127.0.0.1 localhost.localdomain localhost your_hostname

• /etc/syslog.conf
  Comment the lines where /dev/xconsole is mentioned
• /etc/init.d/checkroot.sh
  Change ROOTMODE to ro
• /etc/init.d/bootlcean.sh
  Add the following lines before the line stateing [ -f /tmp/.clean ] && … (located at the end of the file)

  touch /var/log/resolv.conf touch /var/log/dmesg

A lot of the more active directories for writes are created in a ram disk. This will prevent errors.

Kristof suggests a couple of aliases to make changing read-only to read-write and back easier. Edit /root/.bashrc and at the end add:

alias ro=”/sbin/cleanup all;mount -o remount,ro /”
alias rw=”mount -o remountrw /”

The cleanup file is available on the link at the top of this post. It removes man pages, doc files and cleans up Debian cached packages so your filesystem will stay compact. I’ve quoted it below.

#!/bin/bash

function doc() {
	echo "Removing documentation ..."
	find / -type d -regex '.*\(/doc/\|/info/\).*' -exec rm -r {} \; 2>/dev/null
}

function man() {
	echo "Removing man pages ..."
	find / -type d -regex '.*\(/man/\).*' -exec rm -r {} \; 2>/dev/null
}

function deb() {
	echo "Removing Debian packages and cleaning apt-cache ..."
	find / -type f -regex '.*\(\.deb$\).*' -exec rm -r {} \; 2>/dev/null
	rm /var/cache/apt/*.bin
	rm /var/lib/apt/lists/*dists*
}

if [ $# -ne 1 ]; then
	echo "Usage: $0 doc|man|deb|all"
	exit 1
fi

if [ $1  == "all" ]; then
	echo "remove all"
	doc
	man
	deb
else

	eval \$1
fi

When you have finished building the installation, exit the chroot (type “exit” and hit enter). Unmount the dev and proc in /cf and this is a good time to tar a backup copy. Then use fdisk to remove existing partitions and make a single partition (default is type “Linux” which is correct).

umount /cf/dev
umount /cf/proc
tar czvf ~/cf.tar.gz /cf
fdisk /dev/sda
(d for delete, n for new, primary partition 1)
mkdir /mnt/cf
mount /dev/sda1 /mnt/cf
cp -aR /cf/* /mnt/cf
mount -t proc none /cf/proc
mount –bind /dev /cf/dev

After you have finished copying, cd /mnt/cf and create a chroot. Then we will install grub on the MBR and configure the bootloader.

cd /mnt/cf
chroot ./
grub-install /dev/sda
update-grub

When it offers, create a new config file. Because we are using labels instead of dev nodes, we will edit /boot/grub/menu.lst

Make sure that hdd(0,0) and not 1,0. Find the kernel lines and locate the section (your device name may vary):
root=/dev/sda1
Change it to:
root=LABEL=/root

You should now be able to boot to the new flash memory OS.

A little more configuration

# vi /etc/hostname
router

# vi /etc/resolv.conf
nameserver 192.168.0.36

# vi /etc/network/interfaces

auto lo eth0 eth1 eth2 eth3
#allow-hotplug eth0
#iface eth0 inet dhcp
iface lo inet loopback
# outside
iface eth0 inet static
        address 151.x.y.z
        netmask 255.255.255.252
        gateway 151.x.y.z
#       dns-search somedomain.org
        dns-nameservers 192.168.0.36
# dmz
iface eth1 inet static
        address 64.x.y.z
        netmask 255.255.255.0
# inside (lan)
iface eth2 inet static
        address 192.168.0.1
        netmask 255.255.255.0

I used firewall builder from fwbuilder.org to build an iptables script. With my complex internal network it was fairly easy to create objects for each network segment and host, then build rules to allow limited network access in and out. I put the script in /etc/firewall/router.fw, used chmod to make it 500 (executable, read-only for root) and then added it to rc.local. I have the default behavior setup to not forward packets so until the firewall is active there is limited exposure – incoming ssh from the outside for a period of 30 seconds on a reboot.

resolv.conf is not persistent. I will revisit this later if it starts to matter. There would be negative effects on dnsmasq I believe, but I’m not using it at this time. It is also required for apt-get to work. As a side note, once cleanup runs you will need to run “apt-get update” again to download the package database.

Ringing in my ears?! Turn off the bell!

I had to turn off the bell before it drove me nuts. I used the blacklist method, but here are several that all work.

xset -b
in ~/.bashrc

Most easier is to set in ~/.inputrc
set bell-style none

sudo modprobe -r pcspkr
vi /etc/modprobe.d/blacklist
blacklist pcspkr

OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M

Most servers have static IPs. You network is probably using 192.168.x.x. I would recommend that you pick a range of addresses to assign statically. I keep my records in spreadsheet. Something like:

192.168.1.x subnet 255.255.255.0
Gateway 192.168.1.1
P.DNS 192.168.1.1
.1 router
.3 openFilerGenerally if you are using a SOHO Router (you know, the kind Best Buy, Fry’s, etc sells) your Gateway and DNS will be your router.

—

dn means Distinguished Name and is similar to referring to you by your full name to identification in a group.
dc means Domain Component, and is it one part of the name.
objectClass defines what purpose the entry serve; as a person (not LDAP) I might have father, husband, technician, bugSquisher.

openfiler

I would recommend that you have a small “system” drive and then a group of “data” drives.

Installing openFiler 2.2, boot from the CD
openfiler screen, Next
U.S. English, Next
Automatically partition, Next, Yes I am sure
Select (check mark) only the system drive
Select Remove all Linux partitions on this system, Next
Take a look at the partition layout, smile, nod and click, Next
Network, Click Edit
Uncheck Configure using DHCP
Assign the IP Address and Subnet Mask from your IP Log (remember, the one you wrote earlier), Click OK
Assign a hostname: san.example.com
Assign Gateway and Primary DNS, Click Next
Timezone: Hopefully you know where you live. System clock uses UTC is already unchecked. Click Next
Root password, I would make it the same. You could be paranoid and make it different, but if you choose that I would recommend that you get a good password wallet. And Click Next.
Click Next to begin installing.
Reboot when it completes.

Open a browser and go to https://192.168.1.3:446
Scroll down the license, read it, and if you agree continue. If you do not, quit reading.
The default login is username: openfiler, password: password

Services tab

• Enable/Disable sub-tab

Enable LDAP

Enable SMB/CIFS if you want sharing with Windows machines.

If you are looking for other services you should already be familiar with them (NFS or iSCSI).

• SMB Settings

All of the default settings should be sufficient.

• LDAP Settings

Base DN: dc=example,dc=com
Root bind DN: cn=Manager,dc=example,dc=com
Root Password: (write it down somewhere)
Allow users to set password: checkmark
Click submit.

IMPORTANT: When you submit information from the LDAP Settings it initializes LDAP. If you do it again later it could potentially erase changes you have made.

Accounts tab

Click the Accounts tab, and Admin Password sub-tab. Change the password, and write it down.

Back to the Authentication sub-tab
Check mark “Use LDAP”
Un-Check mark “Use TLS”; This is encryption so you are not sending you password over the network in plain text – You are sending it local so it is not quite as big a deal.
Server: localhost
Base DN: dc=example,dc=com
Root bind DN: cn=Manager,dc=example,dc=com
Root bind password: (the one you wrote down a minute ago)
click Submit

• Account Administration sub-tab

Group Administration, Add new group,
Group Name: Users
Uncheck “Override automatic GID” (unchecked is default)
Click “Add Group”
Success

User Administration, Add new user,
Username: charles
password: asdfgh
type the password again
Primary Group: 500: Users
Uncheck “Override automatic GID” (unchecked is default)
Success

— Side Note

I fought with this error for a while. It was because I did not have the samba.schema on the LDAP server. I am leaving it so if someone else is having this error they will know what I had to fix.

An error has occured:
Error changing password.
Failed to add entry for user Charles.
Failed to modify password entry for user Charles

The List of users and List of Groups is empty. I am going to continue since it shows users and I will come back to it if they don’t populate after I create volumes and shares. (FIXED)

— END Side Note

Go check the sub-tab List of users, List of groups and Account Administration to see if you can view your users.

General Tab

There are two sets of security, user based and IP based. Next we navigate to the General tab.

I’m going to create two networks.

Name       Network/Host Netmask          Type
localhost  127.0.0.1    255.255.255.255  Share
nat        192.168.1.0  255.255.255.0    Share

Navigate to the Clock sub-tab and set the time and date.

Navigate to the Notification sub-tab. I strongly recommend that you set an email so you will be notified if a drive fails.

Volumes tab

The tabs will seem “backwards” since you will use them right to left. This walk through is tailored to systems using software raid. The software raid is preferable to fakeraid (if it is on a motherboard or you paid less than $150 it is probably fakeraid) and hardware raid is expensive.

• Physical Storage Mgmt. sub-tab

The first drive should be your system drive. Each of the others is a data drive.

Click /dev/sdb,
Scroll down to the section to “Create a partition” ,
Change the Partition Type to “RAID array member”,
The other options are fine with defaults,
Click Create.

You are taken to an “Edit partitions” page, click the link “Back to the list of physical storage devices”.

I repeated that process on /dev/sdc and /dev/sdd, and you should continue on the remaining members of this RAID array. Then continue…

• Software RAID Mgmt. sub-tab

Select RAID array type: RAID-5 (parity),
Checkmark all of the RAID members,
If you have a “Spare” you can also select it here, if you do not or you are not sure what it means don’t worry about it now and read about it later,
Click “Add array”,
Move on…

• Volume Group Mgmt. sub-tab

“Create a new volume group”,
Fill in the “Volume group name” – realize that this will appear as part of the path. I will call mine VolGroup01.
Select the /dev/md0 – this is the RAID you just created,
Click “Add volume group”,
Move on…

• Create New Volume sub-tab

Now we are down to the meat. This is where you start carving out chunks to share. You will probably use this tab fairly frequently until you have your shares completed.

“Create a volume in “volgroup01″”,
Volume Name – Avoid spaces, use letters, numbers, dashes or underscores – I used “store”,
Describe the store – you may use any character you would like – I used “A new store for example”,
Required Space (MB): 100 – 100MB for this example,
Filesystem type – I would recommend Ext3 with a few exceptions:
If you want an iSCSI share choose iSCSI,
If the Filesystem is 8TB for 32 bit or 16TB for 64 bit you will need a different filesystem,
Click Create – This can take quite a long time for large filesystems, go get a coke.

• List of Existing Volumes sub-tab

So, you are sitting here now. If you have an Ext3 partition and need more space you can make it bigger with the Properties: Edit.

Shares tab

List of Current Shares

You should see a tree with:

volgroup01

A new store for example

Click the Volume (“A new store for example”),
Name the folder (I will name it “folder”) and click Create a Sub-folder,
Click the folder,
There are several options to create a sub-folder, rename the folder, create a description, delete the folder, but most importantly,
Click Make Share.

First, the settings I used and then an explanation.

Controlled access
Users: PG and RW
Click Update

Host access configuration
Under SMB/CIFS
localhost RW
nat RW
The Restart services automatically checks
Click Update

— Explanation

You will remember earlier I said there is user and IP security…

Group access configuration

You have 2 options, Public guest and Controlled access. Public guest permits access without authentication and Controlled provides authentication.

Each share must have a “Parent Group” or PG. Think of this as the owner group.
You can also assign each group permission with NO Access, Read Only (RO) or Read and Write (RW).

—

Host access configuration

SMB/CIFS
Enable oplocks – leave this at default
Restart services – this will automatically become marked if you change something
that requires a service restart

Each of the services provides the option to advertise the share on the respective protocol. Make something available here does NOT enable the service, but it is possible to have one share available to Windows clients and another as an NFS share, or even both options on the same share.

Each network you created earlier can have NO Access, Read Only or Read Write.

NFS provides options for Root Access and Run Insecure; Explaining these is beyond the scope of this article and you really should do some more reading before you enable either one.

— END Explanation

You have enough configuration now that you should be able to browse it on your Windows workstation. Just type \\192.168.1.3 and you should be able to see the share. At some point it will ask you for your username and password.

LDAP Server
CentOS 5.1
2G hdd
256M RAM

OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M

LDAP Server
256M is required for a graphical install.
Some options have not been developed for the text install, so this is the way to go.

Boot from the CD and press <ENTER> for a graphical install
If you burned media and have not used it before, test the CDs or DVD before you begin installing.

• CentOS 5 screen, Next
• Language, English, Next
• Keyboard, English, Next
• Partitioning, (defaults) Remove linux partitions on selected drives and create default layout, Next
• Networking…
  Most servers have static IPs. You network is probably using 192.168.x.x. I would recommend that you pick a range of addresses to assign statically. I keep my records in spreadsheet. Something like:
  192.168.1.x subnet 255.255.255.0
  Gateway 192.168.1.1
  P.DNS 192.168.1.1
  .1 router
  .2 LDAP
  .3 openFiler

Generally if you are using a SOHO Router (you know, the kind Best Buy, Fry’s, etc sells) your Gateway and DNS will be your router.

• …Networking
  Click Edit
  check Enable IPv4 support
  Manual configuration
  (you should use your IP scheme, but I will stay consistent with my notes above)
  IP Address 192.168.1.2
  Prefix (Netmask) 255.255.255.0
  un-check Enable IPv6 support
  Click OK
  hostname ldap.example.com
  You will use the domain during LDAP configuration as well, and we will use example.com.
  gateway 192.168.1.1
  Primary DNS 192.168.1.1
  Secondary DNS (leave it blank)
• Timezone
  America/Chicago (because that is my timezone, duh)
  un-check System clock uses UTC
• root account password
  Choose something complex but easy to remember. I am fond of using a phrase or long word with letters, numbers and symbols mixed in. For example, I would think linux is good and my password would be 1!Nuxisgood. The first “letter” is a one, and the exclamation reminds me of an i upside down.
  Click Next
• Package Selection
  I uncheck Desktop – Gnome. There are a couple of reasons; Gnome takes about 800MHZ to maintain, where a simple text linux install could run samba or ldap with 200MHz. There is also memory overhead. You could very easily get a $30 PC from oklahomabargains.com (sign up for the email newsletter and he will eventually have a good buy on low end desktops).
  Customize later
  Click Next
  Click Next to begin the installation
  A kickstart will be created in /root/anaconda-ks.cfg

And now a Reboot

—

Now to install the packages I am sure I will need (maybe more later)…
yum install openldap-servers openldap-clients apache php php-ldap samba
cp /usr/share/doc/samba-3.0.25b/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIGYou will need an LDAP Manager password. Think of a password, write it down and then run:
(It does not really display the password you type)
# slappasswd -h {crypt}
New password: 1!Nuxisgood
Re-enter new password: 1!Nuxisgood
{CRYPT}MW4NYF1pNdc/Anano /etc/openldap/slapd.conf

In the schema part at the top, add:
include /etc/openldap/schema/samba.schema

We will enable TLS so you can securely query LDAP. It automatically generates a self signed Certificate Authority (CA) and a certificate for the LDAP daemon.

Find these lines, and remove the “# ” at the beginning of the line. (The # makes the line a note or remark so the rest of the line is ignored):
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

Find these lines:
database bdb
suffix “dc=my-domain,dc=com”
rootdn “cn=Manager,dc=my-domain,dc=com”

Change them, and add the additional line:
database bdb
suffix “dc=example,dc=com”
rootdn “cn=Manager,dc=example,dc=com”
rootpw {CRYPT}MW4NYF1pNdc/A

At the bottom of the file add these access lines:
access to attrs=userPassword,shadowLastChange
by dn=”cn=Manager,dc=example,dc=com” write
by anonymous auth
by self write
by * none
access to dn.base=”" by * read
access to *
by dn=”cn=Manager,dc=example,dc=com” write
by * read

nano /var/run/openldap/slapd.args
/usr/sbin/slapd -h ‘ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock’ -u ldap

[root@ldap openldap]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

[root@ldap openldap]# chkconfig ldap on
[root@ldap openldap]# ldapsearch -D “cn=Manager,dc=example,dc=com” -x -W

Now that LDAP is working, we will migrate a little structure from the newly installed system so we have a base to build on.

—

There is a lot of good LDAP material out there. When I initially wrote this, I included detail on how to export information from the new install to use in LDAP. We really only need a base directory and we will use OpenFiler to populate LDAP. There are two articles at the bottom of this post that would be useful if you are migrating an existing environment.

dn means Distinguished Name and is similar to referring to you by your full name to identification in a group.
dc means Domain Component, and is it one part of the name.
objectClass defines what purpose the entry serve; as a person (not LDAP) I might have father, husband, technician, bugSquisher.

Create a file named base.ldif and paste these lines. Change example, com and example.com to match your setup.

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: example.com

dn: ou=People,dc=example,dc=com ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com 

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com

ldapadd -D “cn=Manager,dc=example,dc=com” -x -W -f /tmp/base.ldif

nano /etc/openldap/ldap.conf

 BASE    dc=example,dc=com
 URI     ldap://localhost

ldapsearch -D “cn=Manager,dc=example,dc=com” -x -W

Firewall

Run: system-config-securitylevel,
tab to Customize and select it,
tab to WWW (HTTP) and use SPACE to select it,
tab to Other ports and add “389:tcp,636:tcp” (LDAP and LDAP with SSL),
Select OK until you are back at a prompt.
/etc/init.d/iptables restart

phpldapadmin

You can do user administration with OpenFiler, so if that is your only ldap application you don’t need phpldapadmin. I include it because it is not much trouble and gives you the ability to investigate the ldap layout.

nano /etc/php.ini
find: memory_limit = 16M
change if to: memory_limit = 32M
[root@ldap openldap]# /etc/init.d/httpd start
[root@ldap openldap]# chkconfig httpd on

http://phpldapadmin.sourceforge.net/

I’m going to install 1.1.0.5, and I used wget to pull the file directly in to /var/www/html, but you can use another method if you prefer.
[root@ldap html]# tar xzvf phpldapadmin-1.1.0.5.tar.gz
[root@ldap html]# ln -s phpldapadmin-1.1.0.5 phpldapadminThe link makes it easier later to upgrade.
cd phpldapadmin/config
cp config.php.example config.php
nano config.php
Find the section:
/*********************************************/
/* Define your LDAP servers in this section */
/*********************************************/
Unremark the line:
$config->custom->session['blowfish'] = ‘randomstring125678!@#$%^’;
$ldapservers->SetValue($i,’server’,'host’,'127.0.0.1′);
# This should work, but didn’t:
# $ldapservers->SetValue($i,’server’,'host’,'ldaps://127.0.0.1′);
$ldapservers->SetValue($i,’login’,'dn’,'cn=Manager,dc=example,dc=com’);

Bring up the web interface somewhere and login.
Login DN: cn=Manager,dc=example,dc=com
Password:

You can expand Groups and click “Create new entry here”, and on the next screen select Posix Group. Give it a name and name users.You can expand People and click “Create new entry here”, and on the next screen select User Account. Fill in the fields and select a default group.

—

openfiler

I would recommend that you have a small “system” drive and then a group of “data” drives.

Installing openFiler 2.2, boot from the CD
openfiler screen, Next
U.S. English, Next
Automatically partition, Next, Yes I am sure
Select (check mark) only the system drive
Select Remove all Linux partitions on this system, Next
Take a look at the partition layout, smile, nod and click, Next
Network, Click Edit
Uncheck Configure using DHCP
Assign the IP Address and Subnet Mask from your IP Log (remember, the one you wrote earlier), Click OK
Assign a hostname: san.example.com
Assign Gateway and Primary DNS, Click Next
Timezone: Hopefully you know where you live. System clock uses UTC is already unchecked. Click Next
Root password, I would make it the same. You could be paranoid and make it different, but if you choose that I would recommend that you get a good password wallet. And Click Next.
Click Next to begin installing.
Reboot when it completes.Open a browser and go to https://192.168.1.3:446
Scroll down the license, read it, and if you agree continue. If you do not quit reading.
The default login is username: openfiler, password: password

Accounts tab

Click the Accounts tab, and Admin Password sub-tab. Change the password, and write it down.

Back to the Authentication sub-tab
Check mark “Use LDAP”
Check mark “Use TLS” (This is encryption so you are not sending you password over the network in plain text)
Server: 192.168.1.2
Base DN: dc=example,dc=com
Root bind DN: cn=Manager,dc=example,dc=com
Root bind password: 1!Nuxisgood
click Submit

• Account Administration sub-tab

Group Administration, Add new group,
Group Name: Users
Uncheck “Override automatic GID” (unchecked is default)
Click “Add Group”
Success

User Administration, Add new user,
Username: charles
password: asdfgh
type the password again
Primary Group: 500: Users
Uncheck “Override automatic GID” (unchecked is default)
Success

— Side Note

I fought with this error for a while. It was because I did not have the samba.schema on the LDAP server. I am leaving it so if someone else is having this error they will know what I had to fix.

An error has occured:
Error changing password.
Failed to add entry for user Charles.
Failed to modify password entry for user Charles

The List of users and List of Groups is empty. I am going to continue since it shows users and I will come back to it if they don’t populate after I create volumes and shares. (FIXED)

— END Side Note

Go check the sub-tab List of users, List of groups and Account Administration to see if you can view your users.

General Tab

There are two sets of security, user based and IP based. Next we navigate to the General tab.

I’m going to create two networks.

Name       Network/Host Netmask          Type
localhost  127.0.0.1    255.255.255.255  Share
nat        192.168.1.0  255.255.255.0    Share

Navigate to the Clock sub-tab and set the time and date.

Navigate to the Notification sub-tab. I strongly recommend that you set an email so you will be notified if a drive fails.

Services tab

Enable/Disable sub-tab
If you want sharing with Windows machines, enable SMB/CIFS. If you are looking for other services you should already be familiar with them (NFS or iSCSI).

SMB Settings
All of the default settings should be sufficient.

Volumes tab

The tabs will seem “backwards” since you will use them right to left. This walk through is tailored to systems using software raid. The software raid is preferable to fakeraid (if it is on a motherboard or you paid less than $150 it is probably fakeraid) and hardware raid is expensive.

• Physical Storage Mgmt. sub-tab

The first drive should be your system drive. Each of the others is a data drive.

Click /dev/sdb,
Scroll down to the section to “Create a partition” ,
Change the Partition Type to “RAID array member”,
The other options are fine with defaults,
Click Create.

You are taken to an “Edit partitions” page, click the link “Back to the list of physical storage devices”.

I repeated that process on /dev/sdc and /dev/sdd, and you should continue on the remaining members of this RAID array. Then continue…

• Software RAID Mgmt. sub-tab

Select RAID array type: RAID-5 (parity),
Checkmark all of the RAID members,
If you have a “Spare” you can also select it here, if you do not or you are not sure what it means don’t worry about it now and read about it later,
Click “Add array”,
Move on…

• Volume Group Mgmt. sub-tab

“Create a new volume group”,
Fill in the “Volume group name” – realize that this will appear as part of the path. I will call mine VolGroup01.
Select the /dev/md0 – this is the RAID you just created,
Click “Add volume group”,
Move on…

• Create New Volume sub-tab

Now we are down to the meat. This is where you start carving out chunks to share. You will probably use this tab fairly frequently until you have your shares completed.

“Create a volume in “volgroup01″”,
Volume Name – Avoid spaces, use letters, numbers, dashes or underscores – I used “store”,
Describe the store – you may use any character you would like – I used “A new store for example”,
Required Space (MB): 100 – 100MB for this example,
Filesystem type – I would recommend Ext3 with a few exceptions:
If you want an iSCSI share choose iSCSI,
If the Filesystem is 8TB for 32 bit or 16TB for 64 bit you will need a different filesystem,
Click Create – This can take quite a long time for large filesystems, go get a coke.

• List of Existing Volumes sub-tab

So, you are sitting here now. If you have an Ext3 partition and need more space you can make it bigger with the Properties: Edit.

Shares tab

List of Current Shares

You should see a tree with:

volgroup01

A new store for example

Click the Volume (“A new store for example”),
Name the folder (I will name it “folder”) and click Create a Sub-folder,
Click the folder,
There are several options to create a sub-folder, rename the folder, create a description, delete the folder, but most importantly,
Click Make Share.

First, the settings I used and then an explanation.

Controlled access
Users: PG and RW
Click Update

Host access configuration
Under SMB/CIFS
localhost RW
nat RW
The Restart services automatically checks
Click Update

— Explanation

You will remember earlier I said there is user and IP security…

Group access configuration

You have 2 options, Public guest and Controlled access. Public guest permits access without authentication and Controlled provides authentication.

Each share must have a “Parent Group” or PG. Think of this as the owner group.
You can also assign each group permission with NO Access, Read Only (RO) or Read and Write (RW).

—

Host access configuration

SMB/CIFS
Enable oplocks – leave this at default
Restart services – this will automatically become marked if you change something
that requires a service restart

Each of the services provides the option to advertise the share on the respective protocol. Make something available here does NOT enable the service, but it is possible to have one share available to Windows clients and another as an NFS share, or even both options on the same share.

Each network you created earlier can have NO Access, Read Only or Read Write.

NFS provides options for Root Access and Run Insecure; Explaining these is beyond the scope of this article and you really should do some more reading before you enable either one.

— END Explanation

You have enough configuration now that you should be able to browse it on your Windows workstation. Just type \\192.168.1.3 and you should be able to see the share. At some point it will ask you for your username and password.

—

I referenced this article for some information. There are parts of the configuration that cause informational errors and I have omitted those sections. http://howtoforge.com/linux_ldap_authentication.
Another good article is http://www.grennan.com/ldap-HOWTO.html

# cd /xen
# mkdir www1
# cd www1/
# tar xjvf ../debian-4.0-20070801.tar.bz2
debian-4.0.img
debian-4.0.xen3.cfg
debian.swap
# mv debian-4.0.xen3.cfg proxy.cfg
# dd if=/dev/zero of=debian.swap bs=1M count=256
# dd if=/dev/urandom bs=1 count=3 2>/dev/null | od -tx1 | head -1 | cut -d' ' -f2- | tr -d ' ' | tr '[a-f]' '[A-F]'
7E0E41
# vi proxy.cfg
kernel = "/boot/vmlinuz-2.6-xenU"
memory = 128
name = "proxy"
vif = [ 'bridge=xenbr0,mac=00:16:3e:7E:0E:41' ]
dhcp = "dhcp"
disk = ['file:/xen/debian/debian-4.0.img,sda1,w'
, 'file:/xen/debian/debian.swap,sda2,w'
]
root = "/dev/sda1 ro"
ramdisk = "/boot/initrd-2.6-xenU.img"
# xm create -c ./proxy.cfg
...
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
receive_packet failed on eth0: Network is down
DHCPOFFER from 192.168.0.36
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.36
bound to 192.168.0.215 -- renewal in 300 seconds.
done.
...
# ssh 192.168.0.215
Password: password
# vi /etc/hostname
proxy
# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# apt-get update
...
# vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.0.52
netmask 255.255.255.0
gateway 192.168.0.1   

auto lo
iface lo inet loopback
# /etc/init.d/networking restart
...lost network connection...
# ssh 192.168.0.52
# apt-get install squid3
# apt-get dist-upgrade 

I will continue the configuration tomorrow. It will only allow local connections (192.168.0.x).

nano /etc/squid3/squid.conf
I searched for acl all to find the area and added two acls.

acl privnat src 192.168.0.0/255.255.255.0
acl dmz src 10.0.0.192/255.255.255.224

I searched a couple of times for “http_access all” and following the INSERT line, added my new rules:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow privnat
http_access allow dmz

Save and close the file, then restart squid.

/etc/init.d/squid3 restart