debian

Drush segmentation fault

I have been seeing segmentation faults from "drush cron" runs recently.

The issue seems to be a conflict between the curl and pgsql PHP extensions.

On debian the PHP CLI loads its extension config files from /etc/php5/cli/conf.d.

If curl.so is loaded before pgsql.so, then releasing a postgres connection segfaults.

The workaround is simply to load pgsql first. Files in the conf.d directory are loaded in alphabetical order, so the filenames decide the load order.

Scroll wheel in debian guest after updating virtualbox from 3.x to 4.x

After updating from virtualbox 3.x to 4.x the scroll wheel of my mouse stopped working - it just behaved as a three button mouse.

Newer versions of debian no longer ship an xorg.conf file, since it is not normally needed.

After some searching I found that X has a config loading directory, /usr/share/X11/xorg.conf.d/, and that virtualbox had added a 50-vboxmouse.conf there.

I changed this file from

Tunnelling IPv6 from a mac over IPv4 tunnel through a debian firewall using tunnelbroker.net

There are three steps to this:

  1. Tunnel configuration
  2. Firewall configuration
  3. Client configuration

Tunnel configuration

Sign up for an account at http://tunnelbroker.net

Once signed up - choose "Create Regular Tunnel"

Enter the IPv4 address of the external interface of your firewall. Note - this address must be able to receive and respond to ping from arc.he.net; if the web page can't ping your firewall it tells you the IP address you need to allow ping from.

PHP segmentation fault if both curl and postgres modules loaded (debian)

Yesterday I was running some porting scripts (command line PHP) for drupal, trying out postgres for the first time.

I kept getting a segmentation fault at the end of each script.

It turns out that there is an issue between the curl and postgres PHP modules.

For a workaround on debian see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=411982#120 - it changes the order in which the modules are loaded.


Increasing max number of open files for glassfish user on debian

My glassfish process kept dying with "Too many open files" in the log.

I'm not surprised that it has too many - it has quite a few large applications running - but how do I increase the limit?

ulimit -n shows that the user has the default of 1024.

But ulimit -n 2048 gives: -su: ulimit: open files: cannot modify limit: Operation not permitted

Some digging leads to /etc/security/limits.conf, where per-user hard and soft limits are set.

Here we added:

Linux disk activity checking

As part of Building a debian firewall on a CF card I was trying to make sure that disk writes to the firewall's CF card were kept to a minimum.

However - I've never really been able to test this. So I was pleased to find http://samwel.tk/laptop_mode/faq - under section 5 there is a question titled "My disk spins up all the time and I have no clue what causes this. Can I debug this?".

Git commit mail (debian)

With the backported git 1.6 packages installed (see Backport git 1.6 for debian), here is how to add mailing lists that receive mail for commits and tags:

Backport git 1.6 for debian

git 1.6 is available in debian experimental. I want to use it under debian stable (etch).

Let's backport it.

Kudos to Steve Kemp for walking me through this.

First you need dget installed:

aptitude install devscripts

Now - let's grab the experimental source and unpack it:

dget http://ftp.de.debian.org/debian/pool/main/g/git-core/git-core_1.6.0.6-1.dsc
dpkg-source -x *.dsc

Let's take a look - change into the directory:

Increase entropy on a 2.6 kernel linux box

A good source of entropy is needed for random number generation. This affects services that use SSL, amongst other things.

However - in 2.6.x kernels the entropy sources of a system were reduced - as far as I can see the pool is now only fed by keyboard, mouse and some IRQ interrupts.

Daily cron scripts don't always run - check filenames

I noticed that some of my scripts in /etc/cron.daily were not running.

It turns out that files with a dot in their name (foo.sh, bar.pl etc.) simply don't run: run-parts, which executes the scripts in that directory, skips names containing a dot.

Remove the dots (drop the extension - linux doesn't need it of course - it was only for my convenience) and it all works.

Booting from grub shell

When you install grub on debian and forget to run update-grub before the first reboot, there is no menu.lst file in /boot/grub, so you boot to the grub shell.

I had the following config

/dev/hda2 - /
/dev/hda3 - /boot

To boot this from the grub shell, first point grub at the partition holding /boot (the original had a typo, hda0, where grub names the first disk hd0):

root (hd0,2)

This points to /boot (hd0 is /dev/hda - the number after the comma is the zero-indexed partition number - so ,2 is /dev/hda3)

kernel /vmlinuz-... root=/dev/hda2 ro


Using a self-generated Certificate Authority for OpenSSL on debian etch

I've been using self-signed certificates for a while - but that means getting the users to approve them each time they change. Instead - let's generate a Certificate Authority (CA) certificate with a reasonably long life, get the users to install that once, and then any new certificates signed by it will be valid for them.

We will set up a CA area in /etc/ssl/ca and then create a certificate signed with this CA.

Setup
We're going to use the script CA.pl, which on debian is installed in /usr/lib/ssl/misc. But - we need to make some changes

Patching denyhosts to allow correct plugin reporting

This is a copy of an article I have recently had published on www.debian-administration.org

Imagine you have denyhosts installed and it is adding new attackers to /etc/hosts.deny. Wouldn't it be great to inform the relevant people so that some action could be taken? With the right plugin that is possible, but there is a problem with the default reporting that we'll explain here.

DSA 1571-1 - New openssl packages fix predictable random number generator

For more info on the debian security announcement see:

http://lists.debian.org/debian-security-announce/2008/msg00152.html

The SSH server keys for this host have been updated - any ssh users may well need to remove the old ones from their ~/.ssh/known_hosts file (or equivalent). This is just to let them know that the keys have changed, and intentionally so.


Exim4 shouldn't give up just because clamav died

I was having the issue that if clamav died (usually because a freshclam update took too long) exim4 would start temporarily rejecting ALL mail.

Here's a suggestion from Mike Cardwell on the exim users mailing list. It checks whether the clamd socket file exists and, if it does not, adds a header instead of rejecting; the malware check only runs when the socket is there.

warn !condition = ${if exists{/var/run/clamav/clamd.ctl}}
     add_header = X-Virus-Checked: False
deny condition  = ${if exists{/var/run/clamav/clamd.ctl}}
     malware    = *

Building a debian firewall on a CF card

I currently have an OpenBSD firewall running on an ancient 586. I have a mini-itx board, a CF/IDE converter and a CF card, and have been intending to upgrade.

However - rather than OpenBSD I'm going to try debian (since I know it much better).

This post will end up being a "how I did it" - but at the minute it is just a collection of the notes I'm grabbing as I go.

For the initial install I hung a CD-ROM as the slave IDE unit on the primary IDE channel.

I used the 4.0r3 etch netinst CD downloaded from debian.org.

Clamav not starting (exim can't find clamav.ctl)

My exim4 process is configured based on this post and other points noted here.

Today it started failing - clamav failed to read its database (locked), possibly due to freshclam runs.

Debian bug #454587 gave the hint - the packages in volatile have this fixed (a non-security update that fixes this issue in stable).

So - I added to my apt config:

Create a Maildir directory

When you create a new user it helps to remember to create their Maildir (if you are using Maildir delivery).

maildirmake ~/Maildir/


Upgrading debian from sarge to etch : sa-exim

After upgrading sarge to etch, spamassassin was installed but sa-exim wasn't running (the headers in mail showed that this was down to the SAEximRunCond setting, which stated that it should not run).

After a lot of looking at the default line in /etc/exim4/sa-exim.conf I found, lower down, the line:

SAEximRunCond: 0

Comment this out if you want sa-exim to run spamassassin on the mail!

Upgrading apache 2.0 to 2.2 with ldap controlled basic auth

LDAP authentication started giving:

(9)Bad file descriptor: Could not open password file: (null)

This is because apache 2.2 needs to be told which authentication provider to use.

Add:

AuthBasicProvider ldap

In addition - to be allowed to use "require valid-user" without LDAP authorization failing, add:

AuthzLDAPAuthoritative off

So - in full - the old config:

<Location /location>
  AuthName "Auth NAme"
  AuthType Basic
  AuthLDAPURL ldap://host:port/basedn?attribute
  require valid-user
</Location>

changes to

Switching between java JDK's on debian

I use make-jpkg from java-package to install Java JVMs. I have mostly used Sun's JVMs up to now.

I wanted to easily switch between them (which the alternatives mechanism handles well) but also to keep JAVA_HOME in sync (for things that still need this in the environment).

I added the following shell function to my .bashrc (the teaser cuts the function short; the closing lines here just export the variable and close the function so it runs as shown):

switch_java () {
  case $1 in
    4 ) JAVA_HOME=/usr/lib/j2sdk1.4-sun ;;
    5 ) JAVA_HOME=/usr/lib/j2sdk1.5-sun ;;
  esac
  # keep the environment in sync with the chosen JDK
  export JAVA_HOME
}

Debian sarge to etch test run

I have two servers running debian sarge (stable). Etch is nearly ready to go stable (it is in hard freeze), so I decided to test the upgrade on the least important box.


LVM2 - Incorrect metadata area header checksum

I have most of my debian boxes using lvm2. On one (sadly my main server) I was getting:

Incorrect metadata area header checksum

but everything seemed to be working.

So - I ran vgscan. This stated that there was a problem on /dev/hdd. Well - /dev/hdd is a cdrom unit, so there is no lvm there.

I edited /etc/lvm/lvm.conf and changed the device filter from

filter = [ "r|/dev/cdrom|" ]

to

filter = [ "r|/dev/cdrom|", "r|/dev/hdd|" ]

which solves the issue for me.


courier imap/pop3 with ssl

I was using courier-imap and courier-pop until today. I've just installed the -ssl versions of both.

At install they both create a certificate for localhost, based in New York. This doesn't work unless the server really is localhost.

In /etc/courier there are imapd.pem, imapd.cnf, pop3d.pem and pop3d.cnf

  1. Delete the .pem files
  2. Edit the .cnf files - make sure that you set CN to the hostname of the mail server
  3. Run mkimapdcert
  4. Run mkpop3dcert
  5. Restart the services

I left the non-ssl IMAP running but only for 127.0.0.1 for squirrel

autofs - nfs mounts suddenly stopped working

I've been using autofs to automount nfs for a long time - but it suddenly stopped working. The only thing in the logs was an "unable to mount" error.

The problem was that /etc/auto.net was no longer executable (maybe an update or something - not sure). Setting it executable - and suddenly - ba-bing - all nfs automounts came back :)

Rescuing a dead lvm install

One of my machines has an lvm2 volume group spread across three disks. One died - here's how I rescued some of the data.

Very luckily the dead disk contained one whole logical volume, used for media storage. This meant that all the other logical volumes were intact - but lvm wouldn't start.

If I'd found out about it in time then this should have been enough:

vgreduce --removemissing vg0

However - by the time I found it the system was in a worse state (it wouldn't boot even to single user mode).

So - here's how I got the data off using knoppix.

Boot to knoppix then switch to a tty.


SSL certificates (apache2)

There are two kinds of certificates available: self-signed (free, but people will have to either accept the certificate or manually install it) or paid for (you buy it from a Certificate Authority, and as long as that CA is a common one it will just work in most browsers).

First you will need a private key:

cd /etc/ssl
openssl genrsa -des3 -out private/your.domain.tld.key 2048

Drop the -des3 if you don't want a passphrase on the key (this allows apache to start automatically, but is much, much less secure since anyone who can read the file has the key). Note - if you are going to purchase a certificate, check how many bits the provider wants you to use.


evms patched kernel

The 2.6 series kernel only allows one owner of a block device (http://evms.sourceforge.net/install/kernel.html). I need to use the BD Claim patch.

This is the only change made to the default debian kernel. First get the config file from the debian binary package (since we want the build to be as identical as possible):

aptitude download linux-image-2.6.15-1-686
mkdir boot
dpkg-deb -x linux-image...deb boot/config-2.6.15-1-686

The config is now in the boot/config-2.6.15-1-686/boot directory.

Now install the source (not sure of the dependencies)


DVD/CD RW under debian (2.6 kernel)

This is a shortened version of udev and DVD/CD RW under debian unstable for non-udev systems.

To get CD and DVD burning running under debian on a 2.6.x kernel:

Under 2.6, ide-scsi (SCSI emulation) is deprecated. It's recommended to use ide-cd instead.

So - you need to make sure you're using ide-cd. Any references to ide-scsi need to be removed from lilo (and from grub, if that carried the references).

Make sure that ide-cd is loaded (modprobe ide-cd) - you may want to add it to /etc/modules.

Now - make sure that your /dev directory is correctly set up.
