Linux SysAdmin

MediaWiki remote user authentication

Posted in Linux SysAdmin on November 17th, 2006 by Johan Huysmans – 28 Comments

A MediaWiki has its own authentication: the users and all user information are stored in its database. Our current infrastructure keeps our users in a central LDAP database, and authentication is handled by Apache's Basic Auth.

This means that when a user accesses the wiki for the first time he has to authenticate to Apache, then create an account on the MediaWiki, and then log in to the MediaWiki. On every later visit he still has to log in twice.

Both of these steps (MediaWiki registration and authentication) can happen automatically; you only need to edit one file and add one file.

Dump script

Posted in Backup on November 2nd, 2006 by Johan Huysmans – Be the first to comment

I updated my dump script.

Two features have been added:
* dump a package list of the rpm database (command: rpm -qa)
* dump the partition table (command: sfdisk -d)

The different dump commands are now placed in an "if" structure, which means you can define at the top whether you want to run a specific dump or not. The next thing I will change is to let the script decide whether something can be dumped: if the specific dump command exists it will run it, otherwise it will just skip that dump section.

You can find the dump script here. More information about dumping the partition table can be found on MDLog:/sysadmin.
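An added example of the "run it if the command exists, otherwise skip the section" rule described above; this is not the author's dump script, and the output directory and the /dev/sda device are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's dump script. Each dump section runs only
# when its command is installed; a missing command skips the section.
set -u

# run_dump NAME OUTFILE COMMAND [ARGS...]
# Returns 0 on success, 2 when COMMAND is not installed (section skipped),
# 1 when COMMAND ran but failed (no half-written OUTFILE is left behind).
run_dump() {
    name=$1
    outfile=$2
    shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "skipping $name: $1 not installed" >&2
        return 2
    fi
    if "$@" > "$outfile"; then
        echo "dumped $name to $outfile" >&2
        return 0
    fi
    rm -f "$outfile"
    echo "dump of $name failed" >&2
    return 1
}

# The package list and partition table describe the box in detail, so the
# dump directory is created readable by root only (umask 077).
dump_system_info() {
    dir=$1
    umask 077
    mkdir -p "$dir" || return 1
    run_dump "rpm package list" "$dir/rpm-qa.txt" rpm -qa
    run_dump "partition table"  "$dir/sfdisk-sda.txt" sfdisk -d /dev/sda  # device assumed
    return 0
}

# usage: sh dump-example.sh /var/backups/sysinfo   (path is an assumption)
if [ $# -gt 0 ]; then
    dump_system_info "$1"
fi
```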

perl script inside apache configuration, svn example

Posted in Linux SysAdmin on August 28th, 2006 by Johan Huysmans – Be the first to comment

For every svn project you have a <Location> section in your Apache configuration. Whenever you add an svn project you have to add a section to that configuration file by hand.
The configuration file gets very long, and whenever you have to change something you have to change it for every project.

You can write a script that generates the big file, but then every time you add a repository you have to run the script and restart Apache.

This can be solved by putting a "perl script" inside the Apache configuration. First you have to install mod_perl, which provides the module "mod_perl.c".
Then you can write Perl code inside your Apache configuration; it is executed whenever the configuration file is parsed (on a restart or reload).

This is what the mod_perl section in my configuration looks like:

<IfModule mod_perl.c>
<Perl>
#!/usr/bin/perl

# Walk the repository base and declare one <Location> for every Subversion
# repository (a directory that contains a "format" file). %Location must
# stay a global: it is the hash mod_perl turns into configuration sections.
sub loop_dir {

  my $base = shift;
  my $sub  = shift || '';
  $sub .= "/" if $sub;

  # A lexical handle: a global DIR would be closed by the recursive call below.
  opendir(my $dh, "$base$sub")
    or die "Unable to open SVN repository base '$base$sub'\n";

  foreach my $project (readdir($dh)) {
    # Only plain names: the name ends up in a URL path and in an LDAP DN.
    next unless $project =~ /^[[:alnum:]_\-]+$/;
    next unless -d "$base$sub$project";

    if( -e "$base$sub$project/format"){

      print "\nHandling project: $sub$project";

      $Location{"/$sub$project"} = {
        DAV => 'svn',
        SVNPath => "$base$sub$project",

        AuthType => 'Basic',
        AuthName => "'Cronos CVSVN server'",

        AuthLDAPAuthoritative => 'on',
        AuthLDAPURL => 'ldap://localhost/ou=users,dc=cronos,dc=be?uid',
        AuthLDAPGroupAttribute => 'memberUid',
        AuthLDAPGroupAttributeIsDN => 'off',

        # Access is limited to the LDAP group named after the repository.
        Require => "group cn=$project,ou=groups,dc=cronos,dc=be",
      };
    } else {
      loop_dir("$base", "$sub$project");
    }
  }
  closedir($dh);
}

loop_dir('/var/lib/svn/');

</Perl>
</IfModule>

This part of the configuration file creates a <Location> section for every svn project inside /var/lib/svn; it also looks inside subdirectories (when a directory is not itself a project).

perdition-ssl

Posted in Linux SysAdmin on August 4th, 2006 by Johan Huysmans – 1 Comment

I really don’t like the configuration of perdition…

The configuration file (/etc/perdition/perdition.conf) is a collection of arguments the daemon uses when it is started. That seems easy enough, until you start 4 daemons from that one configuration file and every daemon has a different protocol to handle (imap, imaps, pop3, pop3s).

This is what I want to accomplish:
From the outside you can connect through imap, imaps, pop3 or pop3s, and perdition connects to the real server through imap or pop3. This way you only have to configure 1 certificate, and the traffic on the internal network is considered secure so it doesn't have to be encrypted.

How I accomplished it:
I created a very general configuration file; the daemon-specific settings are placed in /etc/sysconfig/perdition. By specific settings I mean the ssl_mode and the outgoing_port, and maybe some others will follow. This makes it possible to say that imap doesn't need ssl (--ssl_mode none) and that the outgoing connection is allowed to be unencrypted (--outgoing_port 143).

This is not really documented; I found it on the mailing list. So if you're stuck with something, check the mailing list, maybe your answer is already there.

Note to the developers: isn't it possible to split the configuration? One section for the general settings and 4 sections for the daemon-specific settings, or just 4 separate configuration files, one per daemon, e.g. perdition.imap.conf, ...
It would make it much easier to configure.

Perdition-ldap

Posted in Linux SysAdmin on August 4th, 2006 by Johan Huysmans – 1 Comment

Yesterday I worked with perdition. My mission was to let it get its information from an existing ldap tree.

There is not much documentation about the ldap configuration of perdition. OK, there is not much to configure, but if it doesn't work it's hard to find the problem.
There is this pdf document and this man page (scroll down to the LDAP part).

I included the perdition schema in my openldap configuration, but I wasn't able to add the perdition objectClass to my already configured objectClasses. It seems that the perditionPopmap objectClass is STRUCTURAL, just like the inetOrgPerson objectClass, and an entry cannot have 2 STRUCTURAL objectClasses. The solution is to change perdition.schema and put AUXILIARY instead of STRUCTURAL.

I got it all configured, but I didn't see any connection to my ldap. I turned on debugging and saw this message appearing in my log file:

dbserver_get: ldap_initialize: No such file or directory

I found in this mailing list post that it is a bug and that it will be fixed in the next release, but it isn't!
So let's fix it ourselves.

I downloaded the .src.rpm and installed it, unpacked the perdition archive in the SOURCES directory, edited perdition/db/ldap/perditiondb_ldap.c and repacked the archive. Finally I built the rpms from the .spec file.
This is the important part of the changed file; only the #if line has changed (the ldap_initialize branch is disabled so that the ldap_init branch is always compiled):

        /* Open LDAP connection */
#if 0
// #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
        if (ldap_initialize(&connection, pldap_filter) != LDAP_SUCCESS) {
                VANESSA_LOGGER_DEBUG_ERRNO("ldap_initialize");
                goto leave;
        }
#else
        connection = ldap_init(lud->lud_host, lud->lud_port);
        if (!connection) {
                VANESSA_LOGGER_DEBUG_ERRNO("ldap_init");
                goto leave;
        }
#endif

When the new rpms were installed it just worked!

This is what my ldap-specific configuration looks like in perdition.conf (the bind password is stored in cleartext here, so the file should not be world-readable):

M /usr/lib/libperditiondb_ldap.so
m "ldap://localhost/dc=x-tend,dc=be?uid,mailhost?sub?(uid=%s)?!BINDNAME=cn=Manager%2cdc=x-tend%2cdc=be,X-BINDPW=xxXXxx"

APC-UPS testing

Posted in Fedora, Linux SysAdmin on July 14th, 2006 by Johan Huysmans – Be the first to comment

Today I tested an APC Smart-UPS 750.

Both the serial and the USB cable are connected to my laptop; no devices are drawing power from the UPS.
I first tried PowerChute from APC. It installed correctly but it doesn't want to connect to the UPS. It seems it can only connect over ttySx, but even with that cable in place I still got some strange errors in my log files.
I unplugged the power cable of the UPS to let it run on battery; nothing changed in those log files.

At that moment I noticed this:

FC5 recognised the UPS through USB.

Google took me to the site of apcupsd. The project looks nice, let’s test it.

[root@raskas ~]# yum install apcupsd
[root@raskas ~]# /etc/init.d/apcupsd start
[root@raskas ~]# /etc/init.d/apcupsd status
CABLE    : USB Cable
MODEL    : Smart-UPS 750
UPSMODE  : Stand Alone
STATUS   : ONLINE
LOADPCT  :   0.0 Percent Load Capacity
BCHARGE  : 100.0 Percent
...

… nice :)

Again I unplugged the power cable of the UPS.
I got this on my console:

Broadcast message from root (Fri Jul 14 14:30:16 2006):
Warning power loss detected on UPS raskas.ocean.be

Broadcast message from root (Fri Jul 14 14:30:22 2006):
Power failure on UPS raskas.ocean.be. Running on batteries.

and this in my /var/log/messages

Jul 14 14:30:16 raskas apcupsd[15487]: Power failure.
Jul 14 14:30:21 raskas apcupsd[15487]: Running on UPS batteries.

After reconnecting the UPS to mains power I got this message:

Broadcast message from root (Fri Jul 14 14:32:23 2006):
Power has returned on UPS raskas.ocean.be...

and this in my /var/log/messages

Jul 14 14:32:22 raskas apcupsd[15487]: Mains returned. No longer on UPS batteries.
Jul 14 14:32:22 raskas apcupsd[15487]: Power is back. UPS running on mains.

You can define and fine-tune the actions of apcupsd in /etc/apcupsd/. The file /etc/apcupsd/apccontrol lists all states and all actions; the main configuration is in /etc/apcupsd/apcupsd.conf.

Mysql dump script

Posted in Backup on June 13th, 2006 by Johan Huysmans – Be the first to comment

Due to some problems we needed to restore the backup of 1 mysql database. I have my mysql dump script installed on that system, so that won't be a problem.
Think again... There are 37 mysql databases, with a total of almost 300 MB of data, all stored in one single gzipped file of 30 MB. It isn't easy to find the correct database in there.

Let's fix this... We want 1 .tar.gz file containing the dumps of all databases, with every database stored in a separate file.
The command mysqlshow gives you a list of all databases in mysql. The command mysqldump with a database name as argument dumps only that database.

Put this all together and you have version 0.4 of my mysqldump script.
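An added example of the approach described above (mysqlshow for the list, mysqldump per database, one .tar.gz for all of them); it is not the author's version 0.4 script. It assumes the MySQL credentials live in ~/.my.cnf so that no password appears on the command line or in the process list, and the sample mysqlshow output is constructed.

```shell
#!/bin/sh
# Added example, not the blog's mysqldump script. Credentials are assumed
# to come from ~/.my.cnf (mode 0600) rather than from the command line.
set -u

# Turn the ASCII table printed by "mysqlshow" into one database name per
# line, dropping the "Databases" header row and the +----+ border lines.
parse_mysqlshow() {
    awk -F'|' 'NF >= 3 {
        name = $2
        sub(/^ +/, "", name)
        sub(/ +$/, "", name)
        if (name != "" && name != "Databases") print name
    }'
}

# Constructed sample of mysqlshow output, so the parser can be tried offline.
sample_mysqlshow() {
    cat <<'EOF'
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
| wiki               |
+--------------------+
EOF
}

# dump_all_databases OUTDIR: writes OUTDIR/<db>.sql per database, then
# packs OUTDIR into OUTDIR.tar.gz. Dumps hold every table and user hash,
# so the files are created readable by the owner only (umask 077).
dump_all_databases() {
    outdir=$1
    umask 077
    mkdir -p "$outdir" || return 1
    mysqlshow | parse_mysqlshow | while read -r db; do
        # information_schema is virtual; old mysqldump versions cannot dump it
        [ "$db" = "information_schema" ] && continue
        mysqldump --single-transaction "$db" > "$outdir/$db.sql" \
            || { echo "dump of $db failed" >&2; rm -f "$outdir/$db.sql"; }
    done
    tar czf "$outdir.tar.gz" -C "$(dirname "$outdir")" "$(basename "$outdir")"
}

# usage: sh mysqldump-example.sh /var/backups/mysql-$(date +%F)   (path assumed)
if [ $# -gt 0 ]; then
    dump_all_databases "$1"
fi
```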

Problems with an old rsync

Posted in Backup on May 4th, 2006 by Johan Huysmans – Be the first to comment

When installing my backup script on a Red Hat 9 machine I got this fatal error:

remote ip : Connection refused
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(165)

It seems I was working with an old version of rsync (rsync version 2.5.7, protocol version 26). That old version uses rsh by default; recent versions use ssh, and ssh is what I need.
There is an option, called rsh, that lets you set the remote shell to ssh:

# rsync --rsh=ssh ....

Reverse proxy of virtual hosts with apache 2

Posted in Linux SysAdmin on April 21st, 2006 by Johan Huysmans – 6 Comments

Ok, here is the situation:
We have a gateway connected to the internal network and the internet. We have one public ip and several dns names. The dns names *.x-tend.be are linked to the public ip address of the gateway, *.internal.x-tend.be are linked to the servers on the internal network.

This is what we want to accomplish:
You browse to a url from the internet and you get the website from the server located on the internal network. When you browse to another url, you get a different website from the same server on the internal network.

The first step is to configure the internal server. It is a normal virtual host configuration.
red.internal.x-tend.be and blue.internal.x-tend.be point to the same server, but each gives you a different webpage.

The second step is the configuration of the gateway. It is also based on a virtual host configuration.
red.x-tend.be and blue.x-tend.be point to the gateway, and each has its own virtual host. In that virtual host declaration you say that it has to reverse-proxy to red.internal.x-tend.be or blue.internal.x-tend.be respectively.

A basic configuration on the gateway can look like this (ProxyRequests off is what keeps the gateway from being usable as an open forward proxy; only the explicit ProxyPass mappings are served):

NameVirtualHost *:80

<VirtualHost *:80>
     ServerName blue.x-tend.be

     ProxyRequests off
     ProxyPass / http://blue.internal.x-tend.be/
     ProxyPassReverse / http://blue.internal.x-tend.be/
</VirtualHost>

<VirtualHost *:80>
     ServerName red.x-tend.be

     ProxyRequests off
     ProxyPass / http://red.internal.x-tend.be/
     ProxyPassReverse / http://red.internal.x-tend.be/
</VirtualHost>

169.254.0.0 route

Posted in Linux SysAdmin on March 17th, 2006 by Johan Huysmans – Be the first to comment

Ever noticed that there is a route for the 169.254.0.0 network in your routing table?

[root@raskas ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.0.0     U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         gw              0.0.0.0         UG    0      0        0 eth0

This is the network used by Windows when no DHCP server is available. The technologies behind this are Zeroconf (Zero Configuration Networking) and APIPA (Automatic Private IP Addressing).

But on a Linux server, or even a desktop, we don't want to see that route.

We can remove this route manually with

[root@raskas ~]# route del -net 169.254.0.0/16

but after a network restart the route will be back.

The route can be permanently removed by adding the following line to /etc/sysconfig/network:

NOZEROCONF=yes

note: tested on Red Hat based distros