In this article I'll explain how to install IBM Spectrum Protect client well known over the years with TSM (Tivoli Service Manager) which as of time of writting perhaps the best backup solution for Linux / Unix server. The install process is rather trivial, but there are few configuration things worthy to mention and explain. IBM Tivoli is a 2 component system consisting of Client and Server just like most solutions, we know thus before proceeding you should already have setup a functional backup server with attached and configured storages but this is a topic for another future article.
1. Login and configure TSM server to add the backup host machine you'll be connecting
If you don't have the access to remote server if you're in a Corporation network and you don't have the Admin credentials to Tivoli Server, ask a colleague who has access to add you the hostname you would like to backup.
He should generate you as a minimum a connect password and hand it back to you in encrypted form (GPG / PGP etc.). Besides setting the new client to connect password, it is necessery to communicate when and how frequently the backup is to be prepared and respectively he should set the required backup schedule configuration etc.
2. Check OS version
As minimum this article assumes you'll be using some kind of RPM based distribution.
[root@centos ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
In my case this was CentOS, any other RPM based distribution should work. For specifics check out
README_*.htm
3. Remove version lock If version lock is there
On our servers we do use one feature of yum called versionlock to prepare some colleague to install or update some package with yum by mistake.
If you don't know versionlock and you want to install and use it you will have to install RPM package yum-plugin-versionlock
[root@centos ~]# yum install -y yum-plugin-versionlock
…
Versionlock is used for Restricting a Package to a Fixed Version Number with yum.
In case if you have versionlock installed to list the versionlock restricted versions to not be ovewritten do:
[root@centos ~]# yum versionlock list
…
….
……
0:gskcrypt64-8.0-55.14.*
0:lm_sensors-libs-3.4.0-8.20160601gitf9185e5.el7.*
0:sysstat-10.1.5-19.el7.*
0:TIVsm-API64-8.1.10-0.*
versionlock list done
- To clean up already set lock for current installed packages
[root@centos ~]# yum versionlock clear
4. Install TSM Backup API and Backup Archiver Client RPMs
If you have already created a /etc/yum.repos.d/3party.repo with a mirror of IBM binaries and repository is enabled you can perhaps do something like:
[root@centos ~]# yum install -y Tivsm-BA
Otherwise go and follow official IBM Tivoli installation instructions
In short once .rpms are downloaded from IBM’s site, this comes to:
4.1. Install the required dependent library gskcrypt64
[root@centos ~]# rpm -U gskcrypt64-8.x.x.x.linux.x86_64.rpm gskssl64-8.x.x.x.linux.x86_64.rpm
4.2. Install Tivoli Storage Manager API
Application programming interface (API) is API which contains the Tivoli Storage Manager API shared libraries and samples, default directory install location is /opt/tivoli/tsm/client/api/bin64
[root@centos ~]# rpm -i TIVsm-API64.x86_64.rpm
4.3. Install the backup-archive client
[root@centos ~]# rpm -i TIVsm-BA.x86_64.rpm
Its most files will be stored under dir /opt/tivoli/tsm/client/ba/bin.
This directory is considered to be the default installation directory for many backup-archive client files. The sample system-options file (dsm.sys.smp) is written to this directory. If the DSM_DIR environment variable is not set, the dsmc executable file, the resource files, and the dsm.sys file are stored in this directory.
If DSM_CONFIG is not set, the client user-options file must be in this directory.
If you do not define DSM_LOG, writes messages to the dsmerror.log and dsmsched.log files in the current working directory.
Optionally: Install the Common Inventory Technology package that is used by the API. This package depends on the API so it must be installed after the API package is installed.
[root@centos ~]# rpm -i TIVsm-APIcit.x86_64.rpm
Optionally: Install the Common Inventory Technology package the client uses to send PVU metrics to the server. This package depends on the client package so it must be installed after the client package is installed.
[root@centos ~]# rpm -i TIVsm-BAcit.x86_64.rpm
If finally no optional stuff is installed the minumum for operational (Tivoli) Spectrum Protect is to at least below 2 RPMs being installed:
[root@centos ~]# rpm -qa |grep -i TivSM
TIVsm-BA-8.1.10-0.x86_64
TIVsm-API64-8.1.10-0.x86_64
5. Create /var/tsm log directory
[root@centos ~]# mkdir /var/tsm
[root@centos ~]# chown root:root /var/tsm
6. Hardcode to /etc/hosts TSM server hosts / addresses somewhere at File EOF
[root@centos ~]# vim /etc/hosts
Includfe at End of File
### TSM Server Records ###
10.50.8.1 tsmserver1.backup-server-fqdn.com tsmserver1
10.50.8.2 tsmserver2.backup-server-fqdn.com tsmserver2
Hardcoding records is a good idea if you don't use DNS at all, e.g. for security /etc/resolv.conf is empty or if you have configured the machine Name Record resolve order to be first read from /etc/hosts. For those who don't know in Linux this is done via /etc/nsswitch.conf (for more how it is configured – man nsswitch.conf command)
7. Create /opt/tivoli/tsm/client/ba/bin/{dsm.sys,dsm.opt,inclexcl.tsm}
configs
- dsm.sys main config mandatory file
[root@centos ~]# vi /opt/tivoli/tsm/client/ba/bin/dsm.sys
Paste inside and save :wq!:
*=================================================================
*
* File: /usr/tivoli/tsm/client/ba/bin/dsm.sys
*
* Who:
*
* Project: TSM
*
* Purpose: Tivoli Storage Manager client user options
*
* Release: Tivoli BA client 5.3.4
*
* Author:
*
*=================================================================
*
* Modification history:
*
* [Chg.] [When] [Who] [What]
* 1. 19.11.2021 Georgi Georgiev Creation.
*
*=================================================================
* TSM Server Location
* Servername tsmserver1
* COMMmethod TCPip
* TCPPort 1500
* TCPServeraddress tsmserver1.backup-server-fqdn.com
* Passwordaccess generate
* SCHEDLOGNAME /logs/tivoli/sched.log
* SCHEDLOGRETENTION 21 D
* SCHEDMODE PROMPT
* ERRORLOGNAME /logs/tivoli/dsmerror.log
* ERRORLOGRETENTION 30 D
* INCLEXCL /opt/tivoli/tsm/client/ba/bin/inclexcl.tsm
*=========================================================================
*TSM SERVER
Servername tsmserver2
COMMmethod TCPip
TCPPort 1400
TCPServeraddress tsmserver2.backup-server-fqdn.com
NodeName server-hostname1
Passwordaccess generate
SCHEDLOGNAME /var/tsm/sched.log
SCHEDLOGRETENTION 21 D
SCHEDMODE prompted
MANAGEDServices schedule
ERRORLOGNAME /var/tsm/dsmerror.log
ERRORLOGRETENTION 30 D
* INCLEXCL /opt/tivoli/tsm/client/ba/bin/inclexcl.tsm
##########
TCPServeraddress – should equal to the complete hostname where the TSM backup server is configured
Nodename – should be your server hostname from where you create backup usually returned by hostname command
- dsm.opt Additional options file
[root@centos ~]# vi /opt/tivoli/tsm/client/ba/bin/dsm.opt
*=================================================================
*
* File: /opt/tivoli/tsm/client/ba/bin/dsm.opt
*
*
* Project: TSM
*
* Purpose: Tivoli Storage Manager client user options
*
* Release: Tivoli BA client 5.3.4
*
* Author:
*
*=================================================================
*
* Modification history:
*
* [Chg.] [When] [Who] [What]
*
*
*=================================================================
* Quiet
SERVERNAME TSMSERVER2
* Sample config you might want to modify it according to your preferences
Archsymlinkasfile no
Subdir yes
dateformat 2
followsymbolic yes
guitreeviewafterbackup yes
quiet
DOMAIN "/"
DOMAIN "/boot"
DOMAIN "/home"
* below line is commented
* DOMAIN "/var"
########
- Define what directories files / shuld be excluded from backup
# vi /opt/tivoli/tsm/client/ba/bin/inclexcl.tsm
exclude.dir /tmp
exclude.dir /var/cache
exclude /var/lock/*
exclude.dir /var/log
exclude /var/spool/*
exclude.dir /var/tmp
exclude.dir /var/tsm
exclude.dir /var/run
- Note ! Within dsm.sys you have also to have define SCHEDMODE prompted instead of SCHEDMODE polling:
Config should be as:
SCHEDMODE prompted
managedservices schedule
8. Authenticate to tsmserver2 host for a first time to remote Tivoli Backup Serv
Run the Tivoli connect client dsmc
# dsmc
→ empty username (if TSMServer configured so or otherwise provide the user provided by an Admin)
→ enter password given by TSM Admin
q sched → should answer with a schedule
tsm> q sched
Schedule Name: INC_DAILY_PROD
Description: 03:30 Days Schedule Prod
Schedule Style: Classic
Action: Incremental
Options:
Objects:
Priority: 5
Next Execution: 13 Hours and 38 Minutes
Duration: 2 Hours
Period: 1 Day
Day of Week: Any
Month:
Day of Month:
Week of Month:
Expire: Never
Schedule Name: Archives_365_DAYS_prod
Description: 365 Days Archive monthly Prod
Schedule Style: Classic
Action: Archive
Options: -archmc=ARCHIVE_365_DAYS-description="Archive of Logfiles" -deletefiles
Objects: /var/log/*.gz
Priority: 5
Next Execution: 492 Hours and 38 Minutes
Duration: 2 Hours
Period: 1 Month
Day of Week: Any
Month:
Day of Month:
Week of Month:
Expire: Never
tsm>
As you see above you get some details on when backup is to be executed, e.g. what time it is scheduled (in this case it is 03:30 Days Schedule Prod early morning), how often it is supposed to re-run, what is it priority, what is the type of backup (i.e. incremental) and how long is left until next execution.
incr command→ Start the backup (will create first incremental full backup)
q fi command→ To show (list) backuped FileSystems
tsm> q fi
# Last Incr Date Type File Space Name
——————————————————————————–
1 10-11-2021 12:08:43 EXT2 /
2 10-11-2021 12:09:01 EXT4 /boot
3 10-11-2021 12:09:03 EXT4 /home
4 10-11-2021 12:09:24 EXT4 /var
5 10-11-2021 12:03:17 EXT4 /vz
As you can see we have a recent backup of our OpenVZ machine Hypervisor host 🙂
quit → logout from dsmc
9. Check entires within defined /var/tsm/{dsmsched.log, sched.log, dsmerror.log}
If problems connecting check /var/tsm/dsmerror.log
Once incr backup command is finished check that all is backupped normal within /var/tsm/sched.log
10. Start dsmcad process
[root@centos ~]# /etc/init.d/dsmcad start
Or
[root@centos ~]# systemctl start dsmcad
11. Add service to auto start on server boot time
Depending on where, the machine is old legacy System V system or a systemd RedHat / CentOS you should either add it in chkconfig tool to auto start or enable the systemctl service.
11.1. Enable dsmcad autoboot on SystemV legacy machine
[root@centos ~]# chkconfig –add dsmcad
11.2 Enable dmscad boot on recent systemd machine as of year 2021
[root@centos ~]# systemctl enable dsmcad.service
or
[root@centos ~]# systemctl start dsmcad.service
12. Enable back yum versionlock for all installed RPM packages (Optional)
[root@centos ~]# yum versionlock \*
How to install and configure Jabber Server (Ejabberd) on Debian Lenny GNU / Linux
Wednesday, December 28th, 2011I've recently installed a jabber server on one Debian Lenny server and hence decided to describe my installations steps hoping this would help ppl who would like to run their own jabber server on Debian . After some research of the jabber server softwares available, I decided to install Ejabberd
The reasons I choose Ejabberd is has rich documentation, good community around the project and the project in general looks like one of the best free software jabber servers available presently. Besides that ejabberd doesn't need Apache or MySQL and only depends on erlang programming language.
Here is the exact steps I followed to have installed and configured a running XMPP jabber server.
1. Install Ejabberd with apt
The installation of Ejabberd is standard, e.g.:
debian:~# apt-get --yes install ejabberd
Now as ejabberd is installed, some minor configuration is necessery before the server can be launched:
2. Edit /etc/ejabberd/ejabberd.cfg
Inside I changed the default settings for:
a) Uncomment%%override_acls.. Changed:
%%%% Remove the Access Control Lists before new ones are added.%%%%override_acls.
to
%%
%% Remove the Access Control Lists before new ones are added.
%%
override_acls.
b) Admin User from:
%% Admin user
{acl, admin, {user, "", "example.com"}}.
to
%% Admin user
{acl, admin, {user, "admin", "jabber.myserver-host.com"}}.
c) default %% Hostname of example.com to my real hostname:
%% Hostname
{hosts, ["jabber.myserver-host.com"]}.
The rest of the configurations in /etc/ejabberd/ejabberd.cfg can stay like it is, though it is interesting to read it carefully before continuing as, there are some config timings which might prevent the XMPP server from user brute force attacks as well as few other goodies like for example (ICQ, MSN , Yahoo etc.) protocol transports.
3. Add iptables ACCEPT traffic (allow) rules for ports which are used by Ejabberd
The minimum ACCEPT rules to add are:
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 5222 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 5223 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 5223 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 5269 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 5280 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 5280 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 4369 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 4369 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 53873 -j ACCEPT
Of course if there is some specific file which stores iptables rules or some custom firewall these rules has to be added / modified to fit appropriate place or chain.
4. Restart ejabberd via init.d script
debian:~# /etc/init.d/ejabberd restart
Restarting jabber server: ejabberd is not running. Starting ejabberd.
5. Create ejabberd necessery new user accounts
debian:~# /usr/sbin/ejabberdctl register admin jabber.myserver-host.com mypasswd1
etc.debian:~# /usr/sbin/ejabberdctl register hipo jabber.myserver-host.com mypasswd2
debian:~# /usr/sbin/ejabberdctl register newuser jabber.myserver-host.com mypasswd3
debian:~# /usr/sbin/ejabberdctl register newuser1 jabber.myserver-host.com mypasswd4
...
ejabberdctl ejabberd server client (frontend) has multiple other options and the manual is a good reading.
One helpful use of ejabberdctl is:
debian:~# /usr/sbin/ejabberdctl status
Node ejabberd@debian is started. Status: started
ejabberd is running
ejabberctl can be used also to delete some existent users, for example to delete the newuser1 just added above:
debian:~# /usr/sbin/ejabberdctl unregister newuser jabber.myserver-host.com
6. Post install web configurations
ejabberd server offers a web interface listening on port 5280, to access the web interface right after it is installed I used URL: http://jabber.myserver-host.com:5280/admin/
To login to http://jabber.myserver-host.com:5280/admin/ you will need to use the admin username previously added in this case:
admin@jabber.myserver-host.com mypasswd1
Anyways in the web interface there is not much of configuration options available for change.
7. Set dns SRV records
I'm using Godaddy 's DNS for my domain so here is a screenshot on the SRV records that needs to be configured on Godaddy:
In the screenshto Target is the Fually qualified domain hostname for the jabber server.
Setting the SRV records for the domain using Godaddy's DNS could take from 24 to 48 hours to propagate the changes among all the global DNS records so be patient.
If instead you use own custom BIND DNS server the records that needs to be added to the respective domain zone file are:
_xmpp-client._tcp 900 IN SRV 5 0 5222 jabber.myserver-host.com.
_xmpp-server._tcp 900 IN SRV 5 0 5269 jabber.myserver-host.com.
_jabber._tcp 900 IN SRV 5 0 5269 jabber.myserver-host.com.
8. Testing if the SRV dns records for domain are correct
debian:~$ nslookup
> set type=SRV
> jabber.myserver-host.com
...
> myserver-host.com
If all is fine above nslookup request should return the requested domain SRV records.
You might be wondering what is the purpose of setting DNS SRV records at all, well if your jabber server has to communicate with the other jabber servers on the internet using the DNS SRV record is the way your server will found the other ones and vice versa.
DNS records can also be checked with dig for example
$ dig SRV _xmpp-server._tcp.mydomain.net
[…]
;; QUESTION SECTION:
;_xmpp-server._tcp.mydomain.net. IN SRV
;; ANSWER SECTION:
_xmpp-server._tcp.mydomain.net. 259200 IN SRV 5 0 5269 jabber.mydomain.net.
;; ADDITIONAL SECTION:
jabber.mydomain.net. 259200 IN A 11.22.33.44
;; Query time: 109 msec
;; SERVER: 212.27.40.241#53(212.27.40.241)
;; WHEN: Sat Aug 14 14:14:22 2010
;; MSG SIZE rcvd: 111
9. Debugging issues with ejabberd
Ejabberd log files are located in /var/log/ejabberd , you will have to check the logs in case of any issues with the jabber XMPP server. Here is the three files which log messages from ejabberd:
debian:~$ ls -1 /var/log/ejabberd/
ejabberd.log
erl_crash.dump
sasl.log
I will not get into details on the logs as the best way to find out about them is to read them 😉
10. Testing ejabberd server with Pidgin
To test if my Jabber server works properly I used Pidgin universal chat client . However there are plenty of other multiplatform jabber clients out there e.g.: Psi , Spark , Gajim etc.
Here is a screenshot of my (Accounts -> Manage Accounts -> Add) XMPP protocol configuration
Tags: admin, apache, best free software, brute force, cfg, com, configure, custom, default hostname, default settings, DNS, doesn, dport, ejabberd, ejabberdctl, exact steps, file, GNU, goodies, hostname, hosts, init, INPUT, Install, installation, Jabber, Linux, Lists, mypasswd, necessery, override, ports, ppl, programming language, Protocol, quot, quot quot, rich documentation, server, servers, software, tcp, transports, uncomment, User, xmpp
Posted in Linux, System Administration, Various | 9 Comments »