how to flush dns cache

November 21st, 2009 by amatesi

Recently I was making some modifications to my website, in fact, I moved the whole site from a windows server to a linux one.

After almost 24h (and once OpenDNS online servers got updated), I was still browsing the old one, so I discovered the problem was lying inside my client's DNS cache. I found many suggestions, but the bullet proof™ ones (at least for me!) are the following:

how to clean windows dns cache:

ipconfig /flushdns

how to clean ubuntu dns server, dns cache:

rndc flush

how to clean MAC OS X dns cache:

sudo dscacheutil -flushcache


Posted in System Administrator | No Comments »

Upgrade Centos 4.7 to 5.3.

August 9th, 2009 by amatesi

I'm used to Ubuntu and I appreciate its funny sudo apt-get goodness, but for some reasons (spoiler: new job), I got involved with Centos administration.

After learning some yum quirks (if you're used to apt-get and dpkg, believe me, it's easy!), I was given the task to migrate a 32 bit Centos 4.7 Final install to Centos 5.3.

Some useful yum commands I learned:

  • yum install package
  • yum remove package
  • yum clean all

For the migration task, I followed these guidelines: http://wiki.centos.org/HowTos/MigrationGuide/ServerCD_4.4_to_5

I can confirm it worked, except some expected, minor issues, solved by using some sanity. To manually download my packages, I chose a local Italian mirror (the garr mirror – ftp://mi.mirror.garr.it/pub/1/centos/5.3/os/i386/CentOS/).

I'm not in the mood for a step-by-step howto (too busy ATM, just follow the wiki over there…), but here are some tips, notes and issues I encountered during the process and how I overcame them.

Follow the wiki guidelines, at the section:

- remove 2.6.9 bits

rpm -e kernel-2.6.9-42.EL kernel-devel-2.6.9-42.EL kernel-doc-2.6.9-42.EL

make sure you remove ALL 2.6.9x kernel iterations. To know how many kernel iterations you have, just type:

rpm -qa | grep kernel

then, when launching your rpm -e command, make sure you choose ALL kernel-2.6.9X, kernel-devel-2.6.9x and kernel-doc-2.6.9x instances.

Over time, and depending on the server role, kernel revisions may add up (on mine, there were almost 17 instances), so, when I launched the remove command, I (wrongly) thought it was kinda crashy since it took my prompt. I was pretty tempted to stop the process with CTRL+C, but before doing so, I opened another ssh session (BEWARE: make sure you have physical server access), and launched "top". I saw some activity [by the rpm command itself], so I decided to leave it running and I switched to doing something else; ~20 min. later I was given my bash prompt back.

 

Another source of concern was dealing with yum, repos and rpm. I experienced some broken dependencies, some missing libs and some unsatisfied python deps, so I happened to remove the old versions (el4) and installed the new ones. Too bad that, when removing old packages, I ended up in a strange situation: I found myself removing sqlite. Since (probably, not so sure about that) the rpm DB is based on sqlite, I ended up in an inconsistent state, where I couldn't install or remove anything(!), neither with rpm commands nor with yum, so take care when/if playing with a critical system component like sqlite.

 

 

FYI, I'll post a very useful link that can help you deal with sqlite and a borked rpm db: http://www.raditha.com/blog/archives/001579.html

As always (at least, when dealing with linux…), YMMV: I wish you a happy Centos migration!

Please refer to:

  • http://wiki.centos.org/HowTos/MigrationGuide/ServerCD_4.4_to_5
  • http://www.tocpcs.com/yum-install-centos-5-upgrade-from-centos-44-to-centos-5
  • http://www.raditha.com/blog/archives/001579.html

Posted in GNU Linux, System Administrator | No Comments »

change default 8080 port for alfresco or zenoss?

March 24th, 2009 by amatesi

Recently I was evaluating the final Alfresco Labs 3 document management nifty program, inside my little, trusty (and quite overloaded…), Ubuntu home server. I experienced a lot of problems related to the 8080 port, because Zenoss defaults to that and Alfresco wants that too.

I searched for some info on how to change alfresco default 8080 apache tomcat port and here’s what I found (from alfresco wiki page):

Edit those files and change 8080 to something else (like for example 8099):

 

  • $ALF_HOME/tomcat/conf/server.xml
  • $ALF_HOME/tomcat/webapps/share/WEB-INF/urlrewrite.xml
  • $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/pagerenderer-config.xml
  • $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscript-framework-config-test.xml
  • $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscript-framework-config.xml
  • $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscripts/org/alfresco/indexall.get.mediawiki.ftl
  • $ALF_HOME/tomcat/shared/classes/alfresco/extension/custom-repository.properties and add an entry to override the default: repo.remote.endpoint.url=http://localhost:8080/alfresco/service

 

They say the following about this mess: "It is planned for future versions to allow for central configuration of the port. It is not fixed yet, when this will be included."

I tried the modifications, but essentially I screwed my alfresco setup (more on this later maybe), so I removed and purged my alfresco.

I then decided to search for some info on how to change the default Zenoss 8080 port, and so I found that editing /usr/local/zenoss/zenoss/etc/zope.conf

and uncommenting line 840 with:

port-base 1000

 

will move Zenoss Web UI to port 8080 + 1000, or 9080.
 
I then rebooted my server and checked if zenoss was responding (you may simply restart its service by using /etc/init.d/zenoss-stack restart).
 
Fine, this way you can:
  1. Avoid changing Alfresco’s port mess.
  2. Proceed with the Alfresco installation process.

Hope that helps!

 


Posted in GNU Linux, System Administrator, Uncategorized | 1 Comment »

use isorecorder to burn ISO from contextual menu with a right click

January 22nd, 2009 by amatesi

Today I was searching for a fast and easy way to burn an .ISO image from windows, nothing more natural, you’d say: grab NERO Bloating Rom and burn ‘ur iso, except that:

  1. NERO is a complete commercial burning software suite, and (rightfully), you have to pay a license for it.
  2. I just needed to burn a pretty standard ubuntu ISO image!

Well, the easiest method I found was to download and install Mr. Alex Feinman’s ISO Recorder, insert a blank CD and then right-click on my ISO; from the contextual menu I chose "Burn something" and some minutes later I was done!

Sorry I couldn’t donate, right now I couldn’t spare any bucks, but take this post as good reference and, hopefully, someone is gonna send some coins in my place!


Posted in MS Windows, System Administrator | No Comments »

simply paranoid ssh access.

December 4th, 2008 by amatesi

There exist really paranoid SSH access methods! For my everyday use I’m going to accept and implement a less paranoid one: 4096 bit RSA keys + complex passphrase (but none-the-less, almost secure).

Let’s assume you have two Ubuntu boxes with SSH installed and enabled: the client and the server ("sudo apt-get install ssh" on both, just in case…). Your objective is to gain access to the server from a terminal launched on the client.

From the client open a terminal and type:

ssh-keygen -t rsa -b 4096

Now, when asked, insert your desired passphrase (use letters, numbers, and commas – just don’t forget it!), then:

vi .ssh/id_rsa.pub

…select and copy the file’s content.

Now open _another_ terminal window, and gain access to your server (if it’s ubuntu, you should use your ordinary user, the one that will be enabled and authorized for the server access), let’s type:

ssh user@server_IP
vi ~/.ssh/authorized_keys

…let’s paste the content of the client’s id_rsa.pub inside the server’s authorized_keys file (TIP: if it doesn’t work, make sure what you’re pasting lies on a single line).

As of now you should be able to gain access to your server from your client, on a more secure way (test it to be sure – you’ll be asked for your passphrase).

To test it, from the client launch a ssh session to your server and check if you’re asked for the passphrase and that’s it!

THEORY: SSH essentially may authenticate users with different methods; the ones I know are:

  1. user + password.
  2. user + rsa private/public key exchange (no pwd asked).
  3. user + rsa public key exchange + passphrase (passphrase is different from password).

The user’s password is the standard, default and unconfigured method that just works. The second is a more sophisticated one; it is useful when you are almost sure your client is "enough" secure (when you 100% trust your client).

The third method is the second method plus a passphrase appended to the key (or if you wish, an authorization to use such key); this is useful when you 99% trust your client and still wish to keep control on the remaining 1% (and so the subject of my post).

OPTIONAL – how to secure the ssh server.

I wanted to update my post with some tips I found interesting and useful to tweak my SSH server settings: just open /etc/ssh/sshd_config and apply something like these settings:

# Change to no to disable tunnelled clear text passwords -
# PAY ATTENTION TO THE FOLLOWING OPTION!!! IT MAY PREVENT ACCESS TO YOUR SERVER;
# BEFORE APPLYING, MAKE SURE YOU HAVE DIRECT ACCESS TO YOUR SERVER (aka "your server sits next to you")
PasswordAuthentication no

# Maximum Login Attempts
MaxAuthTries 3

# root can't login via SSH
PermitRootLogin no

# if you are logging, a warning is useful.
Banner /etc/issue.net

# keeps some brute force attacks off
MaxStartups 10:50:20
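
A way to check an existing sshd_config against the settings above before restarting the daemon (added example, not part of the original post; the function names and the sample file are constructed for illustration). It relies on two documented sshd_config rules: keywords are case-insensitive, and the first value obtained for a keyword is the one sshd uses.

```sh
#!/bin/sh
# Added example: audit an sshd_config file against the post's settings.

# effective_value FILE KEYWORD
# Prints the value sshd would take for KEYWORD from the global part of FILE.
# sshd_config keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, and the FIRST value found wins.
# Settings inside a "Match" block are conditional, so parsing stops there.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per checked keyword and returns the number of settings
# that differ from the post's values. A keyword missing from FILE counts as
# a finding, because sshd then falls back to its built-in default.
audit_sshd_config() {
    file=$1
    findings=0
    for rule in "PasswordAuthentication=no" "PermitRootLogin=no" "MaxAuthTries=3"; do
        key=${rule%%=*}
        expected=${rule#*=}
        actual=$(effective_value "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is '${actual:-<unset>}', expected '$expected'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# --- demo on a constructed sample file (not taken from a real server) ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
passwordauthentication no
# the next line is ignored by sshd: the first value already won
PasswordAuthentication yes
PermitRootLogin=no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "settings to fix: $?"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors; given the lockout warning above, run it before restarting the SSH service.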

Take care and have fun!


Posted in GNU Linux, System Administrator | No Comments »

nice grub boot splash

November 22nd, 2008 by amatesi

I’m going to post some really easy steps to slightly nicefy the standard ubuntu boot manager (grub for friends); please note the following steps are very easy and, most importantly, they are not disruptive of your currently working setup: you just have to add stuff to your already working system. The advantage of doing so lies on the fact that you’ll not break your standard repository tree, resulting on an apt-updatable-friendly system.

Said that, let’s move:

sudo apt-get install grub-splashimages startupmanager

Ok, now let’s open SUM:

sudo startupmanager

…now, from the "Aspect" tab, let’s choose a splashimage that fits and let’s close the program. After that, reboot the system and see if it worked.

If everything is OK, the next boot will sport a nice 14 colors (!) grub splashimage. Frankly, it’s not that great, but it’s better than the ugly default black/white (or the other usable two-color combinations) curses mode.

If you wish more, you should try the better multicolor grub-gfxboot, but this will have to wait for another post ;)


Posted in GNU Linux, System Administrator | No Comments »

Upgrade Ubuntu Hardy Heron to Intrepid Ibex – the CLI way.

November 2nd, 2008 by amatesi

I’m going to upgrade my _old_ Ubuntu Hardy Heron X86_64 laptop to the fresh _new_ (autumnal) Ubuntu Intrepid Ibex X86_64, the CLI way (it should apply perfectly for the 32 bit version too). Open a new virtual terminal and type:

cd
dpkg --get-selections > ~/my-installed-programs

…this way you’ll make a backup copy of the synaptic choices you already made [about your already installed programs].

It would also be a good idea to keep a backup copy of your third party repository sources (don’t forget to keep their respective keys! – I keep them as inline comments inside my files), so:

mkdir 3rdparties
cp /etc/apt/sources.list.d/* 3rdparties/

Save your /etc (just in case):

tar cvf etc.tar /etc

Now it would be safe to make a backup copy of your important stuff; here I suggest you a simple tbz2 backup archive of your important stuff:

cd 
tar cvjf $(whoami)-backup.tbz2 ~

After some time (depending by the amount of your data and your CPU’s juice), move the resulting backup file somewhere (use your imagination and DIY…flash keys, ext HDDs, other PCs….). OK, now we may proceed for the distribution upgrade, so:

sudo apt-get install update-manager-core

then type:

sudo do-release-upgrade

Respond to the first one or two basic questions, wait for the process to be finished, reboot when asked, and (hopefully) you should end up with a new (hopefully…) working version of your open source os of choice to play with!

IMPORTANT NOTE: If you have an almost standard system, the process should be easy and mandatory. BUT if you have applied strong modifications to your /etc, probably you’ll be asked many questions regarding your config files. In this case take your time and review your settings before just pressing "ENTER".

If bad stuff happens (well, sometimes it just happens!), install a clean (upgraded) system with the ubuntu official CD image and uncompress your home backup on your new system’s home, restore your third parties sources.list and use the following commands to restore your synaptic selections:

cd 
sudo dpkg --set-selections < my-installed-programs
sudo apt-get update

then apply your changes with the following commands:

sudo apt-get upgrade
sudo apt-get dselect-upgrade

ADDENDUM: In case you wish to live on the edge and track developer's releases, when switching the distribution, alternatively type:

sudo do-release-upgrade --devel-release

Once you're at it, create a launchpad account and submit bug reports to Canonical developers by clicking the "Send"-button when an app crashes.


Posted in GNU Linux, System Administrator | No Comments »

Fast install freenx server on Ubuntu Hardy X86_64.

October 24th, 2008 by amatesi

I needed to install FreeNX Server on my wife’s Ubuntu Hardy Heron 8.04.1 LTS X86_64 PC fast.

I opened a Terminal and typed the following:

sudoedit /etc/apt/sources.list

I pasted the following at EOF:

# Launchpad freenx-server
deb http://ppa.launchpad.net/freenx-team/ubuntu hardy main
deb-src http://ppa.launchpad.net/freenx-team/ubuntu hardy main

:wq, then:

sudo apt-get update; sudo apt-get install freenx-server

After that I got a working free-nx server accessible from my windows gaming rig (using nomachine NX client).

References: https://help.ubuntu.com/community/FreeNX


Posted in GNU Linux, System Administrator | No Comments »

my local DEBIAN mirror.

October 20th, 2008 by amatesi

At work, for business needs, we decided it would have been better to adopt a local debian mirror.

After some search, I chose total flexibility, by adopting the anonftpsync shell script. It is a self-descriptive-log-and-mail kind of script. Just customize and use it. Here for convenience I’m gonna post the one I used (it’s just commented, there are some parts that need to be uncommented out):

#! /bin/sh
set -e

# This script originates from http://www.debian.org/mirror/anonftpsync
# modified by Andrea Matesi
# CVS: cvs.debian.org:/cvs/webwml - webwml/english/mirror/anonftpsync
# Version: $Id: anonftpsync,v 1.30 2007/09/06 18:05:44 joy Exp $

# Note: You MUST have rsync 2.6.4 or newer, which is available in sarge
# and all newer Debian releases, or at http://rsync.samba.org/

# Don't forget:
# chmod u+x anonftpsync

# Set the variables below to fit your site. You can then use cron to have
# this script run daily to automatically update your copy of the archive.

# TO is the destination for the base of the Debian mirror directory
# (the dir that holds dists/ and ls-lR).
# (mandatory)
TO=/mnt/backup/mirror

# RSYNC_HOST is the site you have chosen from the mirrors file.
# (http://www.debian.org/mirror/list-full)
# (mandatory)
RSYNC_HOST=debian.fastweb.it

# RSYNC_DIR is the directory given in the "Packages over rsync:" line of
# the mirrors file for the site you have chosen to mirror.
# (mandatory)
RSYNC_DIR=debian/

# LOGDIR is the directory where the logs will be written to
# (mandatory)
LOGDIR=/var/log

# ARCH_EXCLUDE can be used to exclude a complete architecture from
# mirrorring. Please use as space seperated list.
# Possible values are:
# alpha, amd64, arm, hppa, hurd-i386, i386, ia64, m68k, mipsel, mips, powerpc, s390, sh and sparc
#
# There is one special value: source
# This is not an architecture but will exclude all source code in /pool
#
# eg. ARCH_EXCLUDE="alpha amd64 arm hppa hurd-i386 ia64 m68k mipsel mips powerpc s390 sh sparc"
#
# With a blank ARCH_EXCLUDE you will mirror all available architectures
# (optional)
#ARCH_EXCLUDE=

# EXCLUDE is a list of parameters listing patterns that rsync will exclude, in
# addition to the architectures excluded by ARCH_EXCLUDE.
#
# Use ARCH_EXCLUDE to exclude specific architectures or all sources
#
# --exclude stable, testing, unstable options DON'T remove the packages of
# the given distribution. If you want do so, use debmirror instead.
#
# The following example would exclude mostly everything:
#EXCLUDE="\
#  --exclude stable/ --exclude testing/ --exclude unstable/ \
#  --exclude source/ \
#  --exclude *.orig.tar.gz --exclude *.diff.gz --exclude *.dsc \
#  --exclude /contrib/ --exclude /non-free/ \
# "
# With a blank EXCLUDE you will mirror the entire archive, except the
# architectures excluded by ARCH_EXCLUDE.
# (optional)
#EXCLUDE=

# MAILTO is the address to send logfiles to;
# if it is not defined, no mail will be sent
# (optional)
MAILTO=myself@mywork-co.it

# There should be no need to edit anything below this point, unless there
# are problems.
#-----------------------------------------------------------------------------
#
# If you are accessing a rsync server/module which is password-protected,
# uncomment the following lines (and edit the other file).
# . ftpsync.conf
# export RSYNC_PASSWORD
# RSYNC_HOST=$RSYNC_USER@$RSYNC_HOST
#-----------------------------------------------------------------------------
#

# Check for some environment variables
if [ -z "$TO" ] || [ -z "$RSYNC_HOST" ] || [ -z "$RSYNC_DIR" ] || [ -z "$LOGDIR" ]; then
    echo "One of the following variables seems to be empty:"
    echo "TO, RSYNC_HOST, RSYNC_DIR or LOGDIR"
    exit 2
fi

if ! [ -d ${TO}/project/trace/ ]; then
    # we are running mirror script for the first time
    umask 002
    mkdir -p ${TO}/project/trace
fi

# Note: on some non-Debian systems, hostname doesn't accept -f option.
# If that's the case on your system, make sure hostname prints the full
# hostname, and remove the -f option. If there's no hostname command,
# explicitly replace `hostname -f` with the hostname.
HOSTNAME=`hostname`

# The hostname must match the "Site" field written in the list of mirrors.
# If hostname doesn't returns the correct value, fill and uncomment below
# HOSTNAME=mirror.domain.tld

LOCK="${TO}/Archive-Update-in-Progress-${HOSTNAME}"

# The temp directory used by rsync --delay-updates is not
# world-readable remotely. It must be excluded to avoid errors.
TMP_EXCLUDE="--exclude .~tmp~/"

# Exclude architectures defined in $ARCH_EXCLUDE
for ARCH in $ARCH_EXCLUDE; do
    EXCLUDE=$EXCLUDE"\
        --exclude binary-$ARCH/ \
        --exclude disks-$ARCH/ \
        --exclude installer-$ARCH/ \
        --exclude Contents-$ARCH.gz \
        --exclude Contents-$ARCH.diff/ \
        --exclude *_$ARCH.deb \
        --exclude *_$ARCH.udeb "
    # "=" rather than "==": the script runs under /bin/sh
    if [ "$ARCH" = "source" ]; then
        SOURCE_EXCLUDE="\
        --exclude *.tar.gz \
        --exclude *.diff.gz \
        --exclude *.dsc "
    fi
done

# Logfile
LOGFILE=$LOGDIR/debian-mirror.log

# Get in the right directory and set the umask to be group writable
#
cd $HOME
umask 002

# Check to see if another sync is in progress
if [ -f "$LOCK" ]; then
    if [ "`find $LOCK -maxdepth 1 -amin -360`" = "" ]; then
        # Note: this requires the procps ps; for other ps', adjust as necessary
        if ps ax | grep '[r]'sync | grep -q $RSYNC_HOST; then
            echo "stale lock found, but a rsync is still running, aiee!"
            exit 1
        else
            echo "stale lock found (not accessed in the last 6 hours), forcing update!"
            rm -f $LOCK
        fi
    else
        echo "current lock file exists, unable to start rsync!"
        exit 1
    fi
fi

touch $LOCK
# Note: on some non-Debian systems, trap doesn't accept "exit" as signal
# specification. If that's the case on your system, try using "0".
trap "rm -f $LOCK" exit

set +e

# First sync /pool
rsync --recursive --links --hard-links --times --verbose \
    $TMP_EXCLUDE $EXCLUDE $SOURCE_EXCLUDE \
    $RSYNC_HOST::$RSYNC_DIR/pool/ $TO/pool/ >> $LOGFILE 2>&1
result=$?

if [ 0 = $result ]; then
    # Now sync the remaining stuff
    rsync --recursive --links --hard-links --times --verbose --delay-updates --delete-after \
        --exclude "Archive-Update-in-Progress-${HOSTNAME}" \
        --exclude "project/trace/${HOSTNAME}" \
        $TMP_EXCLUDE $EXCLUDE $SOURCE_EXCLUDE \
        $RSYNC_HOST::$RSYNC_DIR $TO >> $LOGFILE 2>&1

    LANG=C date -u > "${TO}/project/trace/${HOSTNAME}"
else
    echo "ERROR: Help, something weird happened" | tee -a $LOGFILE
    echo "mirroring /pool exited with exitcode" $result | tee -a $LOGFILE
fi

if ! [ -z "$MAILTO" ]; then
    mail -s "debian archive synced" $MAILTO < $LOGFILE
fi

savelog $LOGFILE >/dev/null

rm $LOCK

I’ve put this script auto-executing inside crontab, then I configured apache http for the file-serving purpose at a different standard name. When I had to manually install a debian distribution, I pointed the installer to grab deb packages from this http server and everything worked as expected, but especially, it was fast, since it was inside our lan.


Posted in GNU Linux, System Administrator | No Comments »

Basic Networking Howto.

July 16th, 2008 by amatesi

 

Since my job deals mainly with Networking stuff, I’m gonna post a summary for me, to always remember how it works. The following takes into account the structure of LAN Networks with TCP/IP Suite of Protocols.

In the past, I (as many others), have fallen into confusion when talking about IP Addresses/Subnets-Subnet Mask, Broadcasts and Binary Conversion.

The following is my 2cents to help draw this confusion away.

Whoever invented the IPv4 protocols introduced the Classes concept to better separate and distinguish one Network from another (even if today we have CIDR – but ignore it for now). The Classes concept is just a theory and is not constraining at all; you can have a Class C address layout and yet have a different network. Let’s say you have a 192.168.1.0 Network; it is obviously a class C Network, because the address is in the range 192..203, but if you specify a Subnet Mask that is not the usual one (say 255.0.0.0), you can!

The fact I wish to underline is that, saying it is a class C address, and the Subnet Mask is 255.0.0.0 is not related: the Subnet and the Class simply are unrelated concepts (for the foretold network you’d usually apply the 255.255.255.0 Subnet Mask, but this is just to simplify things). This way we’ll have the Network (aka Subnet) address masked with its own mask, and for the example we would have a 192.0.0.0 network.

Usually the difference between a class A, B or C address lies in the first 4 bits of the first octet.

Octet: a series of 8 bits composing an IP Address; this is an octet -> | 1 1 1 1 1 1 1 1 | which translates to 255 in decimal, for us humans (try it with the calculator!)

A class A address does have the FIRST bit of the octet as a ZERO, so -> | 0 1 1 1 1 1 1 1 | translates to 127, but 127 class A address is reserved for loopback, so the range for Class A Network is 1..126 (126 is | 0 1 1 1 1 1 1 0 | ) (loopback is a special address that refer always to "YOUR_PC").

Class B address does have the SECOND bit of the octet as a ZERO, so -> | 1 0 0 0 0 0 0 0 | translates to 128, then the range assigned to class B is 128..191 (191 is | 1 0 1 1 1 1 1 1 | ).

Class C address does have the THIRD bit of the octet as a ZERO, so -> | 1 1 0 0 0 0 0 0 | translates to 192, then the range assigned to class B is 192..203 (203 is | 1 1 0 1 1 1 1 1 | ).

Class D is another form of Classes, intuitively Class D ranges from 224..239 (which is | 1 1 1 0 0 0 0 0 | to | 1 1 1 0 1 1 1 1 |), where the ZERO lies on the fourth bit position.

After the preview, now let’s analyze how subnetting works.

To understand subnetting, it is important to remember that, inside a Network, there are some constraints:

  1. A network has a well-defined IP address that usually has a zero (ex. 192.168.1.0) [but it can be different from zero just in case].
  2. A Network does have always a Broadcast address (usually in the form of network-address plus last bits set at 1, i.e.: 192.168.1.255).
  3. The Network is an address masked with a Subnet Mask (in fact a Network can also be called just a Subnet).
  4. There is a limited number of possible addresses (based on the Subnet mask).

It is almost impossible to make a huge single network (like a pure class B – 65536 hosts), without considering subnetting, because the network will become clogged, slow and unmaintainable (technically there happens "collisions"). The problem lies on broadcasting: when you have a huge segment, and a client broadcasts, this broadcast spread to the entire, 65536 hosts’ network! So when you logically separate a network from the other, the broadcasts are limited to a subnet.

For this reason we use subnetting, by separating a Network Segment from another and by joining them accordingly by using a router, usually a device with two I/Fs, one on either end, connecting two different networks (maybe next article..).

Enter Subnet Mask.

The Subnet Mask is an IP-like address composed of binary ONES and ZEROS. The SM is a layer applied to an IP Address to "identify" and distinguish a network from the hosts.

An IP address is composed of bits, these bits can be one or zeros; when you specify a mask, you have to apply this mask to the IP address to identify precisely what the network is.

Example:
IP: 192.168.1.0 – netmask: 255.0.0.0

Open questions:

  1. What is the class?
  2. What is the network?
  3. What is the Broadcast?
  4. What IP address the Network’s hosts should have?

 Answers:

  1. The Class of the Network is Class C, because 192 translates to | 1 1 0 0 0 0 0 0 | and the ZERO lies on the third bit.
  2. The Network is 192.0.0.0, because the subnet mask is composed of all | 1 1 1 1 1 1 1 1 | on the first octet, and when we have all 1s on the octet, we want to distinguish the network part from the host part [by assigning a 1 to the net and a 0 to the host]. This is how it works intuitively, in reality it is the result of a logical AND operation.
  3. The Broadcast address is 192.255.255.255, that is because all the host bits part should be set at all 1s, since the hosts part of the network is the 0.0.0 of the 192.0.0.0 network, and we set them to all 1s ( | 1 1 1 1 1 1 1 1 | -> 255 decimal).
  4. A host inside this network could have an address like 192.1.10.14 or 192.100.25.1 or whatever.

Extension of answer 3:
The logical AND operation gives 1 only when applied to two 1s, so:

0 AND 0 -> 0;

0 AND 1 -> 0;

1 AND 0 -> 0;

1 AND 1 -> 1;

If we put into column IP plus Subnet Mask, and we apply the AND operation on ‘em, we’d obtain the right Network address:

IP: | 1 1 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 |

AND

M: | 1 1 1 1 1 1 1 1 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 |

we gain the right Network Address:

N: | 1 1 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 | . | 0 0 0 0 0 0 0 0 |

 

Addendum:

Today we can find some address expressed in the form IP.Address/number (like 192.168.1.0/24).

What this means is simple: it is a network that dedicates the first 24 bits of the Subnet Mask (as 1s for the network part), and the remaining 8 bits as 0s (for the hosts part). So we intuitively identify this network as 192.168.1.0 (given by the AND operation between the IP and the Subnet Mask,  192.168.1.0 AND 255.255.255.0 -> CONVERTED TO BINARY -> AND OPERATION -> CONVERT THE RESULT TO DECIMAL -> 192.168.1.0 as Network Address).
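
The AND operation and the /number notation described above, worked through with shell arithmetic (added example, not part of the original post; the function names are made up for illustration). It reproduces the post's 192.168.1.0 with mask 255.0.0.0 case and also derives the mask from a prefix length such as /24.

```sh
#!/bin/sh
# Added example: network and broadcast address via the AND operation.

# ip_to_int A.B.C.D -> the four octets packed into one 32-bit number
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split the dotted address into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted decimal form of the 32-bit number N
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask N -> Subnet Mask with N leading 1 bits (the "/24" notation)
prefix_to_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of IP MASK -> IP AND MASK (host bits forced to 0)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of IP MASK -> network address with all host bits forced to 1
broadcast_of() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    int_to_ip $(( ($ip & $mask) | (~$mask & 4294967295) ))
}

# in_network HOST NET_IP MASK -> true when HOST masks to the same network
in_network() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# --- the post's example: IP 192.168.1.0, netmask 255.0.0.0 ---
echo "network:   $(network_of 192.168.1.0 255.0.0.0)"
echo "broadcast: $(broadcast_of 192.168.1.0 255.0.0.0)"
if in_network 192.1.10.14 192.168.1.0 255.0.0.0; then
    echo "192.1.10.14 is a host of that network"
fi

# --- the addendum's example: 192.168.1.0/24 ---
mask24=$(prefix_to_mask 24)
echo "/24 mask:  $mask24"
echo "network:   $(network_of 192.168.1.0 "$mask24")"
echo "broadcast: $(broadcast_of 192.168.1.0 "$mask24")"
```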

That seems all.


Posted in System Administrator | No Comments »
