Tuesday, 29 June 2021

Opening port in firewall - SuSE Linux

Recently I ran into the problem of opening a port in the firewall on SuSE Linux. I followed the steps in https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands. The problem is that once you start the firewall service, the rules set using iptables are gone, and no new SSH connections are allowed. Thankfully the existing SSH connection stayed active. I searched for the iptables-save command on SuSE Linux to persist this iptables configuration, but there is no such command.

To open a port in the firewall on SuSE Linux, there are two options. One is to use YaST. The other is to modify the /etc/sysconfig/SuSEfirewall2 file.

As I was connected to the Linux box over ssh, I used the second option of modifying the /etc/sysconfig/SuSEfirewall2 file.

First we need to know whether the service listening on the port uses TCP or UDP. If it is TCP, find the FW_SERVICES_EXT_TCP property in the file; if it is UDP, find the FW_SERVICES_EXT_UDP property. The EXT in the property name is SuSEfirewall2's external zone, so a port listed there is reachable from any host on the external interface.

Then insert the port number that needs to be opened into that property.

Assume the existing property looks like this:

FW_SERVICES_EXT_TCP = "61491 61492"

If we need to open port 50000, the property needs to be changed to:

FW_SERVICES_EXT_TCP = "61491 61492 50000"

It is better to keep the port numbers sorted in ascending or descending order so that it is easier to find any port later.

FW_SERVICES_EXT_TCP = "50000 61491 61492" - This would be the final configuration.



Wednesday, 26 May 2021

How to find primary key of a table in different databases?

Here are the queries to find the primary key of a table in PostgreSQL, SQL Server and Oracle. Replace <TABLE_NAME> with the name of the table you are interested in.


PostgreSQL

SELECT a.attname, format_type(a.atttypid, a.atttypmod) AS data_type
FROM   pg_index i
JOIN   pg_attribute a ON a.attrelid = i.indrelid
                     AND a.attnum = ANY(i.indkey)
WHERE  i.indrelid = '<TABLE_NAME>'::regclass
AND    i.indisprimary;

SQL Server

SELECT C.COLUMN_NAME
FROM INFORMATION_SCHEMA.TABLE_CONSTRAINTS T
JOIN INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE C
  ON C.CONSTRAINT_NAME = T.CONSTRAINT_NAME
WHERE C.TABLE_NAME = '<TABLE_NAME>'
  AND T.CONSTRAINT_TYPE = 'PRIMARY KEY';

Oracle

SELECT COLUMN_NAME FROM all_cons_columns WHERE constraint_name = (
  SELECT constraint_name FROM user_constraints
  WHERE UPPER(table_name) = UPPER('<TABLE_NAME>') AND CONSTRAINT_TYPE = 'P')

Saturday, 6 March 2021

Converting PEM cert to X509Certificate object in Java

In Firefox, when we select the certificate of the website and click on View Certificate, it gives us the option to download the PEM cert or the PEM cert chain. For my use case, I need to work with java.security.cert.X509Certificate. The code to do this is:

// read the PEM cert file; the path is a placeholder for wherever the file was saved
try (java.io.InputStream is = new java.io.FileInputStream("<PATH_TO_PEM_FILE>")) {
    java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
    java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) cf.generateCertificate(is);
}
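The same CertificateFactory also handles the PEM chain file that Firefox offers. The following is an added example, not code from the original post: it loads every certificate in the chain with generateCertificates, then checks each one's validity period and that it is signed by the next certificate up (assuming leaf-first order as Firefox writes it). The class name and the file path are assumptions; this is a signature and date check only, not full PKIX validation (no trust store, no revocation), for which java.security.cert.CertPathValidator is the right tool.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class PemChainCheck {
    // Parses every certificate in a PEM chain file (leaf first, as Firefox exports it).
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream is = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(is);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : certs) chain.add((X509Certificate) c);
            return chain;
        }
    }

    // Each certificate must be inside its validity period and signed by the public key
    // of the next one in the list; a self-signed root at the end verifies against itself.
    static void verifyChain(List<X509Certificate> chain) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            cert.checkValidity(); // throws if expired or not yet valid
            if (i + 1 < chain.size()) {
                X509Certificate issuer = chain.get(i + 1);
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                    throw new Exception("issuer mismatch at position " + i);
                cert.verify(issuer.getPublicKey()); // throws on a bad signature
            } else if (cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
                cert.verify(cert.getPublicKey()); // self-signed root
            } else {
                System.out.println("chain ends at an intermediate; anchor it with CertPathValidator");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // "chain.pem" is an assumed file name for the chain downloaded from Firefox
        List<X509Certificate> chain = loadChain(args.length > 0 ? args[0] : "chain.pem");
        for (X509Certificate c : chain)
            System.out.println(c.getSubjectX500Principal() + " (expires " + c.getNotAfter() + ")");
        verifyChain(chain);
        System.out.println("signatures and validity periods OK");
    }
}
```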

Reference:

https://stackoverflow.com/questions/9739121/convert-a-pem-formatted-string-to-a-java-security-cert-x509certificate

Tuesday, 21 July 2020

Linux file system goes to read only mode

When I was working on a SLES 12 SP4 machine (the /etc/SuSE-release file has the OS information), I wanted to edit a service file to make it run in debug mode. But I couldn't edit that file, as editors like vi/gedit complained that the file system is read only. I had edited these files successfully in the past, so I was wondering why I couldn't do it now.

I was able to find the fix from one stackoverflow post.

https://askubuntu.com/questions/197459/how-to-fix-sudo-unable-to-open-read-only-file-system

I ran "sudo fsck.ext4 -f ..." and answered yes to all the questions. Then it asked for a reboot. Once the machine had rebooted, I was able to edit the file successfully.

To find out the file system type (ext3/ext4/...), you can use the "df -T" command. As the file I was editing was under /usr/lib/systemd, I had to look at the file system type of / in my case.

Wednesday, 19 February 2020

RateLimiter from Guava library - My understanding


To understand the Guava library's RateLimiter, I went through this page: https://guava.dev/releases/22.0/api/docs/index.html?com/google/common/util/concurrent/RateLimiter.html




After looking at the example code on that page, I had a doubt about how the acquire method works, as I was wondering what happens if the packet length is more than 5k. I wrote this program.

The output is this:

2020-02-19T10:43:40.249Z - Time before our actual logic gets executed
2020-02-19T10:43:40.446Z - Time after first acquire(5)
2020-02-19T10:43:45.448Z - Time after acquire(3)
2020-02-19T10:43:46.946Z - Time after acquire(1)
2020-02-19T10:43:47.447Z - Time after 2nd acquire(1)
2020-02-19T10:43:47.946Z - Time after 3rd acquire(1)


As mentioned in the https://guava.dev/releases/22.0/api/docs/index.html?com/google/common/util/concurrent/RateLimiter.html, if an expensive task arrives at an idle RateLimiter, it will be granted immediately, but it is the next request that will experience extra throttling thus paying for the cost of the expensive task.

There is no waiting at the acquire(10), but the next acquire had to wait for 5 seconds. The reason is that we created the RateLimiter with "2 permits per second", so 5 seconds are needed to generate 10 permits. After those 5 seconds, the next acquire(3) is served immediately, but the acquire after it had to wait for 1.5 seconds.

After that 1.5-second wait, the next acquire(1) is executed immediately, but each subsequent acquire(1) has to wait for 0.5 seconds because the RateLimiter enforces 2 permits per second, which means 1 permit per 0.5 seconds.

Coming back to the initial example in the Guava documentation, if the packet length is 10k, the first call returns immediately, but the library keeps track of the time so that the next acquire waits for 2 seconds (10k / 5k permits per second = 2 seconds).
(Copied from official doc: It is important to note that the number of permits requested never affects the throttling of the request itself (an invocation to acquire(1) and an invocation to acquire(1000) will result in exactly the same throttling, if any), but it affects the throttling of the next request. I.e., if an expensive task arrives at an idle RateLimiter, it will be granted immediately, but it is the next request that will experience extra throttling, thus paying for the cost of the expensive task.)

RateLimiter uses Token Bucket algorithm which is explained in https://dzone.com/articles/detailed-explanation-of-guava-ratelimiters-throttl
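The behaviour above can be measured directly, because acquire() returns the number of seconds the call slept. The following is an added example, not the post's original program: it reproduces the 2-permits-per-second sequence from the post and then shows the consequence for a bytes-per-second limiter like the one in the Guava docs, namely that an oversized packet is never refused by acquire(), only charged to later callers, so a size limit and tryAcquire() are needed where callers should be rejected rather than delayed. The class name, the 5000-byte limit and the 10000-byte packet are assumptions.

```java
import com.google.common.util.concurrent.RateLimiter;
import java.util.concurrent.TimeUnit;

public class RateLimiterCost {
    public static void main(String[] args) {
        RateLimiter limiter = RateLimiter.create(2.0); // 2 permits per second, as in the post

        // acquire() returns the seconds this call slept, so each request's cost is measurable
        double first = limiter.acquire(10);  // idle limiter: granted at once, ~0.0
        double second = limiter.acquire(3);  // pays for the 10 permits: ~5.0 seconds
        double third = limiter.acquire(1);   // pays for the 3 permits: ~1.5 seconds
        double fourth = limiter.acquire(1);  // steady state: ~0.5 seconds
        System.out.printf("waits: %.2f %.2f %.2f %.2f%n", first, second, third, fourth);

        // Bytes-per-second limiter as in the Guava docs (5000 permits per second).
        // A 10000-byte packet would be admitted immediately and cost the next caller
        // 2 seconds, so the size bound has to be enforced separately.
        RateLimiter bytesPerSecond = RateLimiter.create(5000.0);
        int maxPacket = 5000;      // assumed application limit, not a Guava setting
        int packetLength = 10000;  // constructed sample packet size
        if (packetLength > maxPacket) {
            System.out.println("dropped: packet exceeds " + maxPacket + " bytes");
        } else if (!bytesPerSecond.tryAcquire(packetLength, 100, TimeUnit.MILLISECONDS)) {
            // tryAcquire rejects instead of blocking when the permits cannot be had in time
            System.out.println("rejected: limiter could not admit packet within 100 ms");
        } else {
            System.out.println("sent " + packetLength + " bytes");
        }
    }
}
```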

Wednesday, 12 February 2020

Git - Fixing accidental commit to master

I frequently run into a problem where I commit something to master by mistake that should have gone into a brand new branch. How to fix this?

I found the commands below at https://ohshitgit.com/#accidental-commit-master, which helped me.

# create a new branch from the current state of master
git branch some-new-branch-name
# remove the last commit from the master branch
# (--hard also discards any uncommitted changes in the working tree, so stash those first)
git reset HEAD~ --hard
git checkout some-new-branch-name
# your commit lives in this branch now :)