
PHP4 for feisty - pbuilder for beginners

I helped Robbster out on #clug today, building php4 for feisty (it was dropped after edgy in favour of php5). If you want to install it, don’t care about security holes, and want to use the debs I created, add this line to your apt sources list and go wild:

deb http://ftp.leg.uct.ac.za/pub/stuff/tmp/php4-feisty ./

If on the other hand you want to know how to do it yourself (so that when the next PHP security hole appears tomorrow, you can build the latest version on your own), read on:

I’ve never used pbuilder before, so it was fun:

# aptitude install pbuilder

Edit /etc/pbuilderrc to point to your closest mirror, and uncomment the COMPONENTS line (so that universe is included in the chroot).

# pbuilder create

Now pbuilder is ready for work. Get the latest sources from Debian (download the three files listed at the end of the package page: the .dsc, the .orig.tar.gz and the .diff.gz).

# pbuilder build *.dsc

Sit back and watch…

When it’s done, you probably want to create a trivial repository of your debs:

# cd /var/cache/pbuilder/result/; dpkg-scanpackages . /dev/null | gzip -c -9 > Packages.gz

Then add this to your sources.list (apt will warn that packages from it can’t be authenticated, since a trivial repository has no signed Release file):

deb file:///var/cache/pbuilder/result/ ./

Wohoo. Remember to watch out for those security holes…
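The procedure above as one script, with the step the post skips: checking the source package before it goes into the chroot. This is an added example, not code from the original post. It assumes devscripts (for dget and dscverify), dpkg-dev and pbuilder are installed, that pbuilder create has already run, and that the .dsc URL is whatever packages.debian.org lists for the version you want. check_dsc_sums is a hypothetical fallback helper for hosts without devscripts; dscverify does the same checksum work and additionally verifies the maintainer’s OpenPGP signature against the Debian keyring.

```shell
#!/bin/sh
# Fetch a Debian source package, check its integrity, build it in pbuilder
# and publish the result as a trivial local repository. Added example, not
# from the original post. Assumes devscripts (dget, dscverify), dpkg-dev and
# pbuilder are installed and the pbuilder chroot has been created.
set -eu

# check_dsc_sums DSC: confirm each file named in the Files: stanza of DSC sits
# beside it with the recorded MD5 and size. Returns 0 if all match, 1 if any
# is missing or altered. (Hypothetical helper: dscverify does this too, plus
# the OpenPGP signature check; this is for hosts without devscripts.)
check_dsc_sums() {
    dsc=$1
    dir=$(dirname "$dsc")
    # The stanza is the indented lines after "Files:" up to the next header.
    awk '/^Files:/ {f=1; next} /^[^ ]/ {f=0} f && NF==3 {print $1, $2, $3}' "$dsc" |
    while read -r want_md5 want_size name; do
        path="$dir/$name"
        [ -f "$path" ] || { echo "missing: $name" >&2; exit 1; }
        have_md5=$(md5sum "$path" | cut -d' ' -f1)
        have_size=$(wc -c < "$path" | tr -d ' ')
        [ "$have_md5" = "$want_md5" ] && [ "$have_size" = "$want_size" ] ||
            { echo "mismatch: $name" >&2; exit 1; }
    done
}

# build_and_publish DSC_URL [RESULT_DIR]: the whole procedure from the post
# with the verification step added in front of the build.
build_and_publish() {
    url=$1
    result=${2:-/var/cache/pbuilder/result}
    dsc=$(basename "$url")
    dget -d "$url"                       # .dsc plus the orig.tar.gz and diff.gz it lists
    if command -v dscverify >/dev/null 2>&1; then
        dscverify "$dsc"                 # signature against the Debian keyring + checksums
    else
        check_dsc_sums "$dsc"
    fi
    sudo pbuilder build "$dsc"
    # Trivial repository: "deb file://$result ./" in sources.list picks it up.
    (cd "$result" && dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz)
}

case "${1:-}" in
    '') ;;                                # no arguments: only define the functions
    *) build_and_publish "$@" ;;
esac
```

Run it as sh build.sh http://…/php4_VERSION.dsc; without arguments it only defines the functions. A source package whose signature or checksums fail never reaches pbuilder, which matters because the build runs the package’s own debian/rules inside the chroot.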

OpenVPN / WPAD Mania

I’ve just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world’s most interesting post, but it’s my method, and I want to document it.

OpenVPN:

The best solution I found was to have the server on its own subnet:

dev tun0
comp-lzo
keepalive 10 120
# server mode hands each client a /30 out of 10.20.2.0/24 (the default net30 topology)
server 10.20.2.0 255.255.255.0
# pushed to clients so they can resolve and reach the private LAN
push "dhcp-option DNS 10.20.1.1"
push "dhcp-option DOMAIN rivera.co.za"
push "route 10.20.1.0 255.255.255.0"
ca /etc/ssl/vpn-cacert.pem
# 1024-bit DH parameters were usual at the time; generate 2048-bit or larger today
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/vpn.rivera.co.za.pem
key /etc/ssl/certs/vpn.rivera.co.za.key.pem

This sets up a Windows-friendly, routed OpenVPN. (TAP-Win32, the Windows tap driver, can’t handle arbitrary point-to-point addressing in tun mode: each client link has to be its own private /30, which is exactly what the server directive’s default net30 topology hands out.)

Then, the Windows client side:

client
dev tun
dev-node VPN-Connection
proto udp
remote vpn.rivera.co.za 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
# only accept a server cert carrying nsCertType=server, so a stolen client cert can't impersonate the server
# (newer OpenVPN releases deprecate this in favour of "remote-cert-tls server")
ns-cert-type server
comp-lzo
verb 3
pull
keepalive 10 60
explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.

WPAD:

My network has proxy autodetection (WPAD). While I wanted DNS queries to go through the VPN, I didn’t want web traffic to. (DNS through the VPN is ugly, but necessary for finding private servers.)

My solution: in dnsmasq.conf, hand out the WPAD URL as DHCP option 252:

dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat"

Apache, default site config snippet (only localhost and the LAN may fetch the PAC; a client coming in over the VPN from 10.20.2.0/24 gets a 403 and so uses no proxy):

<Location /wpad.dat>
        ForceType "application/x-ns-proxy-autoconfig"
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Allow from 10.20.1.0/24
</Location>

And a fallback, in case the wpad is already cached, at the top of the wpad.dat. (The Apache allow-list stops a VPN client refetching the file over the tunnel; this rule covers a copy cached while the laptop was on the LAN. Note that myIpAddress() returns a single address, so on a multi-homed client it may report the LAN address rather than the tunnel one.)

// VPN:
if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";

Conversion with Openoffice

Finally, there is a decent way to use openoffice as a file-converter!

I keep an eye on a (currently dysfunctional) e-mail->fax system. The hard part is converting random incoming files to PDF. Especially nasty proprietary-format ones…

I first used WV, a venerable library, which was capable of getting text out of MS word files and into LaTeX. Great for linux sysadmins, but not so good for people who expect their formatting to survive the transition.

Then I moved on to AbiWord. AbiWord has supposedly taken on the WV torch, but it’s given its fair share of problems too:

  • Its command-line PDF conversion has been broken for a while
  • Its command-line PS conversion was broken for a while, but has since been fixed.
  • Excepting the latest development versions, it requires an X server. I got away with using Xvfb.

Now, I read about unoconv. This looks like exactly what I’ve been looking for! It’ll support all the document types supported by openoffice. Sure the fax server is going to be using a lot more RAM, but this could make it a hell of a lot nicer to work with!

Lighttpd mod_rewrite

I’ve migrated my teeny-weenie Xen web/mail server to Debian/etch. It hasn’t even been rebooted (it would be a shame to spoil the uptime :-) ):

$ uprecords
     #               Uptime | System                                     Boot up
----------------------------+---------------------------------------------------
->   1   198 days, 06:16:44 | Linux 2.6.16.13-xenU      Thu Oct 12 10:12:51 2006
     2    99 days, 19:25:00 | Linux 2.6.12-xenU         Sun Oct  9 03:58:58 2005

It runs Lighttpd, a small and fast little webserver, popular in the Rails world. Lighttpd with PHP-fastcgi is probably faster than apache, and uses much less RAM.

With etch, I’ve finally been able to get mod_rewrite to work. So my Zapiro archive has nice URLs now :-)

Lighttpd has a very nice configuration style:

# No WWW
$HTTP["host"] =~ "^www\.((.+\.)?rivera\.za\.net)$" {
  # %1 is the host captured above; $0 is the whole matched request URI
  # (".*" has no capture group, so $1 would be empty and drop the path)
  url.redirect = ( ".*" => "http://%1$0" )
}
# Add WWW:
$HTTP["host"] =~ "^((foobar|someclient)\.co\.za)$" {
  url.redirect = ( ".*" => "http://www.%1$0" )
}

############################################
# PHP Apps:
$HTTP["host"] =~ "^(zapiro\.rivera\.za\.net)$" {
  url.redirect = ( "^/\?/(.*)" => "http://%1/$1" )
  url.rewrite-once = ( "^/(feed)$" => "/index.php?/$1",
                       "^/([0-9]+/[0-9]+/[0-9]+)$" => "/index.php?/$1" )
}

It’s more logical than apache, but you have to watch out for rewrite->redirect->rewrite loops. So if you change to a clean URL syntax, you can’t put in a redirect from index.php?/uglyurl to /uglyurl, because /uglyurl rewrites back to /index.php?/uglyurl, and you get a loop :-)

etch upgrades

I’ve done etch upgrades in the past (i.e. before etch came out), and they were sometimes quite hairy. Especially the transition from ssh to openssh-server and openssh-client. I had a few broken upgrades…

Since etch has come out, I’ve upgraded a few machines, and it’s a piece of cake. In fact the CLUG webserver and backup-server have been upgraded.

My servers tend to use custom kernels without initrds, so upgrading is quite simple. The release notes seem to cover it pretty well. There are only a couple of gotchas I’ve had:

Upgrade vim with an aptitude install vim before you do any dist-upgrading. Personally, I like to use vimdiff for configuration file changes. This means I can keep the configuration file format and comments of the latest package, and my configuration changes from when the machine was originally set up. If vim is half installed, you can’t run vimdiff.

When you are done, you might need to purge hotplug:

aptitude purge hotplug

You can also remove non-US from your sources.list.

Planet GeekDinner filters

Planet GeekDinner has been filling up with lots of non-geek-dinner related cruft. So I’ve taken advantage of Planet Venus’s cool filtering system.

Any feed that doesn’t have a “GeekDinner” category feed is being filtered, and only posts matching the regex [gG]eek[ -]?[dD]inner are being displayed. I.e. if you mention GeekDinner in your post, it will appear on the planet.

I’m also filtering Rafiq’s geekdinner category, as he seems to post everything under “geekdinner” :-)

Oh, BTW, Nice job with the skin, Joe.

UPDATE: Rafiq is unfiltered again - I didn’t read thoroughly enough to see the geekdinner reference as a footnote in your Dell IdeaStorm post. You have quite a busy site; I thought I’d reached the end of the article when it said “Read more… | Digg Story”.

BTW, Rafiq, seeing as you will probably see this, can you sort out your avatar on the CLUG Park planet? I had to resize it to be the standard size, and it now looks very pixellated.

GeekDinner

OK, so joe got me into sorting out a planet venus for geekdinner. And I’ve also tweaked their mediawiki a little.

Planet Venus is the first time I’ve used bzr, it’s really quite a cool RCS, I think I’ll use it more often… While I’m quite a subversion user, working away from home is a pain. SVK helps but it doesn’t go as far as a real distributed RCS like bzr. Nice job ubunteros :-)

CLUG Park

I’ve spent some time beefing up CLUG Park.

All the people who seem clueless about making avatars of the correct dimensions (ahem Rafiq), or about cropping the unnecessary transparency around their avatar: I’ve sorted them out.

I’ve also switched us from Planet 2.0, to Planet Venus. This allows us to do funky things like filters (for you geeks with nasty RSS feeds). It also partitions out the theme far better, and above all does multi-threaded RSS harvesting.

If anyone is keen on a tech-only (or CLUG-only) CLUG Park, where we limit the subscriptions down to posts about CLUG or technology (using category RSS feeds), let me know; we can easily do this. While some of us like to read all about what CLUG Park members are up to, others probably only want to read tech-related articles?

Getting servers in line

I spent a lovely weekend morning setting up monitoring on servers - yes, what fun :-)

I like all my servers to run logcheck, smartmontools, sysstat, and lm-sensors.

logcheck means watching your email every hour, and adding yet more ignore rules for things your server thinks it’s perfectly OK to spit out.

smartmontools means waiting to see which attributes it’s going to complain about, making sure it’s set up to mail you about bad sectors, and getting this all in inside the 128-character line-length limit.

And lm-sensors, well that takes a lot of tweaking, to get all the alarms to stop ringing, labelling the right temperatures, and ignoring the disconnected pins.

Ugh, it’s painful work, but it helps in the long-run…

Postfix + SMTP-AUTH

I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.

I went one step further, and instead of moving /var/run/saslauthd/ to the Postfix chroot, I did a bind mount:

/etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0     0

Postfix was announcing methods like CRAM-MD5, which the PAM backend can’t support (saslauthd only ever gets a password to check, never the stored secret that a challenge-response mechanism needs), so I restricted them down to PLAIN and LOGIN (over TLS only, obviously, which is what smtpd_tls_auth_only = yes in main.cf enforces):

/etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

Now, it’s working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.
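A way to check the result from the outside, added here and not part of the original post: talk to the server before and after STARTTLS and compare what each EHLO advertises. Postfix only withholds AUTH from the cleartext EHLO when smtpd_tls_auth_only = yes is set in main.cf; the mech_list above decides which mechanisms appear once TLS is up. The host name is a placeholder, the EHLO replies used to exercise the checks are constructed samples, and the live probe function needs nc and openssl on the path.

```shell
#!/bin/sh
# Check that a Postfix server only offers SMTP AUTH after STARTTLS and that
# only the mechanisms saslauthd's PAM backend can verify (PLAIN, LOGIN) are
# advertised. Added example, not from the original post; the host name given
# on the command line is a placeholder.
set -eu

# auth_mechs: read an EHLO reply on stdin, print the advertised AUTH
# mechanisms, upper-cased, one per line, sorted. Handles both the
# "250-AUTH PLAIN LOGIN" form and the non-standard "250-AUTH=PLAIN LOGIN"
# form Postfix emits when broken_sasl_auth_clients is on.
auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[= ]\(.*\)$/\1/p' | tr ' ' '\n' |
        sed '/^$/d' | tr 'a-z' 'A-Z' | sort -u
}

# auth_is_tls_only PLAIN_REPLY TLS_REPLY: return 0 when the cleartext EHLO
# reply (file $1) advertises no AUTH and the post-STARTTLS reply (file $2) does.
auth_is_tls_only() {
    plain=$(auth_mechs < "$1")
    tls=$(auth_mechs < "$2")
    [ -z "$plain" ] && [ -n "$tls" ]
}

# only_plaintext_mechs: return 0 when every mechanism on stdin is PLAIN or
# LOGIN. Anything else (CRAM-MD5, DIGEST-MD5, ...) cannot be served by
# saslauthd+PAM, so advertising it only produces failed logins.
only_plaintext_mechs() {
    while read -r m; do
        case $m in PLAIN|LOGIN) ;; *) return 1 ;; esac
    done
    return 0
}

# probe HOST PLAIN_OUT TLS_OUT: live version (needs network, nc and openssl).
# openssl s_client negotiates STARTTLS itself; the EHLO we send afterwards
# is the one whose reply matters.
probe() {
    host=$1
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$host" 25 > "$2"
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$host:25" > "$3" 2>/dev/null
}

if [ $# -eq 1 ]; then
    t=$(mktemp -d)
    probe "$1" "$t/plain" "$t/tls"
    if auth_is_tls_only "$t/plain" "$t/tls" && auth_mechs < "$t/tls" | only_plaintext_mechs; then
        echo "OK: AUTH offered only after STARTTLS; mechanisms: $(auth_mechs < "$t/tls" | tr '\n' ' ')"
    else
        echo "WARNING: AUTH advertised in cleartext, or mechanisms PAM cannot serve are offered" >&2
        rm -rf "$t"; exit 1
    fi
    rm -rf "$t"
fi
```

Run it as sh smtp-auth-check.sh mail.example.org; without arguments it only defines the functions. A server that passes this still needs the usual checks on the certificate it presents, which this script does not look at.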
