admin's blog

Portage-2.1.3.9.. very nice!

I have to say, I like the recent upgrade to portage. I've noticed a few great improvements. With the upgrade of portage-2.1.3.9, they implemented some subtle but great improvements. First off, I set up egress filtering with iptables, and I only allow certain processes limited port access out of my box. This is a security measure that I like to implement on my boxes. Since the portage upgrade, I noticed that emerge was unable to fetch packages. I thought this was odd, and checked the egress rule for root and port 80, and sure enough it was allowed. Looks like they dropped privs, and are running emerge as 'portage' when fetching files. Very nice. So I simply added that owner to have port 80/443/21 out.
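The owner-based egress rule described above, as an added example that is not from the original post: it prints (rather than applies) the iptables command for a given user and port list. The default-DROP OUTPUT policy, the conntrack state match and the logging rule are assumptions about the ruleset, not details taken from the post.

```shell
#!/bin/sh
# Added example: build per-user egress rules for the iptables OUTPUT chain.
# Assumptions (not from the post): the OUTPUT policy is DROP and an
# ESTABLISHED,RELATED accept rule already handles return traffic.

# egress_rules USER PORT [PORT...]
# Prints one iptables command that lets processes owned by USER open new
# outbound TCP connections to the listed destination ports only.
egress_rules() {
    [ "$#" -ge 2 ] || { echo "usage: egress_rules USER PORT..." >&2; return 2; }
    user=$1
    shift
    ports=
    for p in "$@"; do
        # Reject anything that is not a plain decimal port number.
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
        ports=${ports:+$ports,}$p
    done
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$user" "$ports"
}

# Fetches now run as 'portage', so the rule that used to match root has
# to name that user instead (ports as listed in the post).
egress_rules portage 80 443 21

# Log new outbound connections that fall through to the DROP policy,
# including the owning UID, so a future privilege drop shows up in the
# kernel log instead of as a silent fetch failure.
echo 'iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-uid --log-prefix "egress-drop: "'
```

Review the printed commands, then run them as root; the LOG rule belongs last in the chain, after every ACCEPT rule.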

The other feature that I noticed was the color coding. I'm still not fully understanding the bright green vs dark green colors (even with man color.map), but I'm hoping that it applies to system update vs package update; if so, that's handy for a quick glance.

mod_chroot + cURL and SSL leads to extremely slow performance

I've been fighting this problem for months now. When using cURL to connect to an API over SSL in my chroot'd web server, the application appeared to hang perpetually. After additional investigation, I discovered that it eventually gets the content but takes FOREVER to finish (approximately an hour). Restarting Apache without mod_chroot and everything works as expected. So I definitely had a problem with my jail.

A common cause of SSL/cURL/chroot problems is misplaced certificates or missing libraries. As stated in my article about creating a chroot'd environment for apache, strace is your pal. I ran a few straces and noticed the following at the point of connecting to the API:

6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923  select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923  select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923  select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923  select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923  select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923  waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0

Server profile warning message after emerges -- corrected with eselect

Since the last portage upgrade, I've been seeing the following messages after emerging packages.

* Messages for package sys-libs/ss-1.40.2:

* This profile has not been tested thoroughly and is not considered to be
* a supported server profile at this time.  For a supported server
* profile, please check the Hardened project (http://hardened.gentoo.org).
* This profile is merely a convenience for people who require a more
* minimal profile, yet are unable to use hardened due to restrictions in
* the software being used on the server. This profile should also be used
* if you require GCC 4.1 or Glibc 2.4 support. If you don't know if this
* applies to you, then it doesn't and you should probably be using
* Hardened, instead.

I wanted to get to the bottom of this, and see exactly what's going on. It turns out the profile that I have set in /etc/make.profile is a profile that is no longer available. Here is what I currently have:

Web Hosting Unleashed - Hosting Research

Lately my hosting provider for Uno_code has been less than stellar. You definitely get what you pay for, and what I have is no exception. So, I thought it would be nice to look for other alternatives. But wading through all the landing pages and affiliate traps for hosting providers can get annoying.

With this sponsored post, I wanted to talk about Web Hosting Unleashed. Here we have a nice research portal for hosting providers. I'm sure this is all for affiliate benefits, but the tools and resources are very nice to help find a decent host, at least at the feature level. You never know what you're getting yourself into until you spend some time with a company... also the fact that things might be great for years, then turn sour as they oversubscribe, etc.

apache-2.0.59-r5 to apache-2.2.4-r12 ... WTF?

Okay, so after the weirdness with apache-2.0.59-r5, I finally have a working apache install with my apache-tools (apache2ctl, htpasswd2, etc). The problem was the original ebuild did not include these and app-admin/apache-tools was being blocked. To get apache-tools you needed to upgrade to apache-2.2.24-r12, which I was not comfortable with.

After various bug reports (and previously mentioned here), they were able to get a working apache 2.0.59, without the need for apache-tools and everything was looking good. I saw some weird behaviour with apache2ctl (needing -D flags when apache2ctl is trying to test the config), but that is something I can live with while they sort this out.

Syslog-ng : How-to increase max connections

On one of my servers, I get pretty hefty mailserver action. I also do remote syslog using syslog-ng and stunnel. Today I started noticing a few of these messages in the logs.

Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep  5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100

Opening Stupid Windows WinMail.dat attachments with net-mail/tnef

I have a client that sends me files using Microsoft's proprietary binary format (MS-TNEF MIME - Winmail.dat). I would see the text, but my claws-mail (sylpheed) is unable to view them. I'm primarily making this blog post so I don't forget how to do this in the future. Also, if anyone has a built-in way for claws to open it, please let me know.

The only way that I currently know how to retrieve the embedded attachment is using net-mail/tnef. Here is the basic info:

[I] net-mail/tnef
     Available versions:  1.3.3 1.3.4 ~1.4.3
     Installed versions:  1.3.4(09:22:19 09/04/07)
     Homepage:            http://world.std.com/~damned/software.html
     Description:         Decodes MS-TNEF MIME attachments

To open the attachment, save the attachment to a directory and execute the following command:

tnef --file=winmail.dat

Apache-2.0.59-r5 Missing Tools

Today's challenge is related to the upgrade of Apache to www-servers/apache-2.0.59-r5. I upgraded on one of my servers, and immediately noticed something odd. Before I ever restart, I always like to do a config check with apache2ctl -t. For some reason apache2ctl was not compiled and installed. I figured it was a new 'feature' and something that I would just need to learn, so I restarted without checking. I had a small hiccup with the start/stop since the init script was changed, so I had to manually kill processes and zap the service, not a problem though.

A short while later, I started receiving log messages from webalizer.

sh: /usr/sbin/logresolve2: No such file or directory

I have a webalizer wrapper script that basically resolves DNS from the access logs every 15 minutes, so my Apache doesn't get bogged down in real time doing these lookups. I like to see the host names in the stats vs. just the IPs. So now, we don't have apache2ctl or logresolve2. Something is definitely up. I put a post up on the Gentoo forums hoping for a clue or an answer. Lately, the Gentoo Forums are not as quick as they used to be a few years ago... but we'll see.

Windows Live Password Recovery

I'm always on the lookout for helpful 'tools' and services. Usually, I work with Linux tools, but sometimes I need tools that work for Windows. There are a lot of great tools that have been developed for network and system maintenance for Windows, but since Windows is a Micro$oft product, they usually come with a price tag. Granted, there are some pretty sweet Open Source tools for Windows, and thank God for Linux tools that have been ported to Windows (i.e. Nmap, WireShark, etc).

With this sponsored post, I wanted to talk about Windows Live Password Recovery. Just like all 'useful' tools, they can often be used for good and/or evil, and this is no exception. Here we have a very simple tool that recovers Windows Live passwords and versions including (Windows Live Messenger, Messenger Beta, MSN Messenger and Windows Messenger).

Libexpat upgrade causes some problems

This morning I saw that libexpat was upgraded to 2.0.0. I simply emerged that and I thought all was good, but within minutes, I saw issues with my PHP CLI apps having problems. I noticed that expat was a USE flag, and I needed to rebuild PHP against the new libexpat. No problem, so I did that. Shortly after, I noticed that Apache's logresolve2 was complaining as well. At this point, I thought I would do a revdep-rebuild, since there clearly are reverse dependency issues.

revdep-rebuild -p

This generated the oneshot emerges that needed to be rebuilt on the system, and I was on my way. On another box running kdelibs and gnome packages... this was a whole different story.

I was seeing various messages similar to these during rebuilds:

/usr/kde/3.5/bin/kde-config: error while loading shared libraries: libexpat.so.0: cannot open shared object file: No such file or directory
