admin's blog

Log your boot messages

You ever want to see what your server is doing on boot up, but it's a remote server? You can log the boot messages to a file. I'm a little late to come across this, but it's still a mighty cool tip. First you need to emerge showconsole.

emerge -v showconsole

Next, we need to edit /etc/conf.d/rc and change this value to 'yes'.

RC_BOOTLOG="yes"

On your next boot up, it will write to /var/log/boot.msg. Basically everything seen on console (except boot splash) will be written to this file. Very handy if you're having some boot issues.

MySQL Problems! - RED ALERT

The last two days have been maddening for me. On two servers, out of the blue, MySQL is freakin' and freakin' hard. It all started with corrupted tables, to memory performance issues. I then jacked up some mem values, and now both servers are crashing. I think I might be dealing with two problems (second problem related to the first problem). I posted on the Gentoo forum, but another classic 'talking-to-myself' thread. Man, I miss the days when you'd get several responses within minutes. My problems/questions seem pretty difficult lately, and that's probably a big reason for the lack of replies.

Below is my basic thread of the problem.. if anyone has any suggestions, please comment!

I'm getting desperate for some MySQL help on one of my servers. It started mysteriously last night. One of my applications (code has not changed in several months to a year), complained about corrupted tables. Viewing the logs, I was definitely seeing MyISAM corruption, which I could replicate by issuing an OPTIMIZE after the sql performed an UPDATE. Again, this code has been like this for many months. I commented out the OPTIMIZE and repaired the tables, and that seemed to have fixed the problem.

Uno-Code RSS Subscriptions Now Available!

Hello All

I now have RSS feed subscriptions available. Get site updates via your RSS reader of choice to see what pain in the ass problem I'm currently dealing with.

Just click the 'readers' widget to the right, or click this link:
http://feeds.feedburner.com/uno-code

OpenVPN - Masquerade Iptable Issues

So if you haven't been following what I've been working on.. I've been working on an OpenVPN system on a Gentoo Linux firewall where remote users can connect and access files, but have the ability to authenticate against PAM as well as shared keys (dual layer authentication).

Most of the how-to documentation out there talks about a few iptables rules to put in place on your tap interface:

IPT=/sbin/iptables
LANIFACE=eth0
VPNIFACE=tap0
VPN=10.1.0.0/24
$IPT -A INPUT -i $VPNIFACE -j ACCEPT
$IPT -A FORWARD -i $VPNIFACE -j ACCEPT
$IPT -t nat -A POSTROUTING -s $VPN -o $LANIFACE -j MASQUERADE

OpenVPN with dual layer authentication (keys and pam)

Currently, my original 'how-to' on getting OpenVPN running with OpenVPN-GUI used the standard key based authentication. You can configure your client to password protect your connection, but I wasn't comfortable with that scheme. If a laptop is stolen, it would be possible (and not hard) to bypass this password. Now, we can add an additional layer with pam and server side interaction.

We still need keys to create the tunnel and send our authentication, so the 'base' security layer is untouched, but now we're going to add pam to authenticate our user. This can be handy if you're creating multiple VPN users: simply removing their system account will remove their ability to VPN, etc.

Unusably short session_id provided - bug in openssl-0.9.8f

According to this thread I started, the 'unusably short session_id provided' issue I discussed earlier is related to a bug in openssl-0.9.8f. I've added 0.9.8g to package.keywords and I'm currently doing some testing.

For those that don't know how to do this, simply add this to your /etc/portage/package.keywords:

=dev-libs/openssl-0.9.8g ~x86

and re-emerge openssl. You might want to do a revdep-rebuild as well. I'll let you know if I notice any weirdness. I'll be testing on one box for now.

Pam upgrade procedure (1 box down.. more to go)

So the Pam upgrade wasn't too bad. I updated one box, restarted services, and rebooted to ensure that everything is working correctly. All you really need to do is update some of the files in pam.d.

cd /etc/pam.d
grep pam_stack.so *

When I did this, I also saw rexec, rlogin and rsh. I basically looked for service=system-auth and replaced it with the new format:

OLD:

auth       required    /lib/security/pam_stack.so service=system-auth
account    required    /lib/security/pam_stack.so service=system-auth
password   required    /lib/security/pam_stack.so service=system-auth
session    required    /lib/security/pam_stack.so service=system-auth

NEW:

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
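
The pam_stack.so to include rewrite described above, as an added shell example (not code from the original post). The function names pam_stack_refs and migrate_pam_dir are hypothetical, and it only converts lines with a one-word control and no extra module options; anything else is reported for manual editing.

```shell
#!/bin/sh
# Added example: convert pam_stack.so lines to the "include" form.
# Both directories are arguments, so it can be run on a copy of /etc/pam.d.

# Print file:line:text for every active (uncommented) pam_stack.so reference.
# Returns 0 if at least one was found, 1 otherwise.
pam_stack_refs() {
    found=1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -HnE '^[[:space:]]*[^#[:space:]].*pam_stack\.so' "$f" && found=0
    done
    return $found
}

# Rewrite "<type> <control> [path/]pam_stack.so service=<name>" lines in every
# file of $1. Originals are saved once under $2 (outside pam.d, so no stray
# service files appear). Returns 0 only if no active reference remains.
migrate_pam_dir() {
    dir=$1
    backup=$2
    tmp="$backup/.migrate.$$"
    mkdir -p "$backup" || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q 'pam_stack\.so' "$f" || continue
        b="$backup/$(basename "$f")"
        [ -e "$b" ] || cp -p "$f" "$b" || return 2   # keep the first backup
        sed -E 's#^([[:space:]]*)(auth|account|password|session)[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*pam_stack\.so[[:space:]]+service=([^[:space:]]+)[[:space:]]*$#\1\2       include      \3#' \
            "$f" > "$tmp" || return 2
        cat "$tmp" > "$f" || return 2                # keeps owner and mode of $f
        rm -f "$tmp"
    done
    # Lines still listed here (extra options, [..] controls) need a manual edit.
    if pam_stack_refs "$dir"; then
        return 1
    fi
    return 0
}
```

Try it on a copy of /etc/pam.d first. With include, the rules of system-auth are evaluated inline, so a sufficient module succeeding there ends the including stack as well; check the order of any modules listed after the include line.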

Linux-PAM 0.99 upgrade

Hmmm, greeted this morning with a pam upgrade. The einfo message looked somewhat hairy:

>> Merging sys-libs/pam-0.99.8.1-r1 to /
*
* Your current setup is using the pam_stack module.
* This module is deprecated and no more supported, and since version
* 0.99 is no more installed, nor provided by any other package.
* The package will be built (to allow binary package builds), but will
* not be installed.
* Please replace pam_stack usage with proper include directive usage,
* following the PAM Upgrade guide at the following URL
*   http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml
*
*
* ERROR: sys-libs/pam-0.99.8.1-r1 failed.
* Call stack:
*   ebuild.sh, line 1670:   Called dyn_preinst
*   ebuild.sh, line 1107:   Called pkg_preinst
*   pam-0.99.8.1-r1.ebuild, line 162:   Called die
*
* deprecated PAM modules still used
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/tmp/portage/sys-libs/pam-0.99.8.1-r1/temp/build.log'.
*
!!! FAILED preinst: 1

Unusable short session_id provided - Apache and openssl

So with the latest update for openssl (dev-libs/openssl-0.9.8f), I've been seeing the following in my error_log with SSL sites:

[Tue Oct 23 10:45:46 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 10:45:52 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:13 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:14 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:58:26 2007] [error] unusably short session_id provided (0 bytes)

PHP4 is now masked - PHP migration how to

So as most of you already know, PHP4 is now masked in portage. It will reach end of life upstream at the end of the year. You can read more about the "PHP 4 end of life announcement".

Most of you know me as a server administrator, but I'm also heavily involved with developing PHP applications for myself or clients. So this move is a big one in my eyes. Now, for the most part, the transition from PHP4 to PHP5 is fairly simple, but I do a lot of XML web service calls, custom error handling, and use specialized extensions in some of my apps. First, I'll discuss my procedure for upgrading 4 to 5, and then show a few issues with code changes.

To keep portage from wanting to upgrade to 5 in the past, I masked it. So the first step was to remove that mask so I can get 5. After doing so, portage will bring down the latest PHP for me.

emerge -pv php
