pwrusr.com

I'm used to Ubuntu and I appreciate its funny sudo apt-get goodness, but for some reasons (spoiler: new job), I got involved with Centos administration.

After learning some yum quirks (if you're used to apt-get and dpkg, believe me, it's easy!), I was given the task to migrate a 32 bit Centos 4.7 Final install to Centos 5.3.

Some useful yum commands I learned:

• yum install package
• yum remove package
• yum clean all

For the migration task, I followed these guidelines: http://wiki.centos.org/HowTos/MigrationGuide/ServerCD_4.4_to_5

I can confirm it worked, except some expected, minor issues, solved by using some sanity. To manually download my packages, I choose a local italian mirror (the garr mirror – ftp://mi.mirror.garr.it/pub/1/centos/5.3/os/i386/CentOS/).

I'm not in the mood for a step-by-step howto (too busy ATM, just follow the wiki over there…), but here are some tips, notes and issues I encountered during the process and how I overcame them.

Follow the wiki guidelines, at the section:

- remove 2.6.9 bits

rpm -e kernel-2.6.9-42.EL kernel-devel-2.6.9-42.EL kernel-doc-2.6.9-42.EL

make sure you remove ALL 2.6.9x kernel iterations. To know how many kernel iterations you have, just type:

rpm -qa | grep kernel

then, when launching your rpm -e command, make sure you choose ALL kernel-2.6.9X, kernel-devel-2.6.9x and kernel-doc-2.6.9x instances.

Recently I was evaluating the final Alfresco Labs 3 document management nifty program, inside my little, trusty (and quite overloaded…), Ubuntu home server. I experienced a lot of problems related to the 8080 port, because Zenoss defaults to that and Alfresco wants that too.

I searched for some info on how to change alfresco default 8080 apache tomcat port and here’s what I found (from alfresco wiki page):

Edit those files and change 8080 to something else (like for example 8099):

• $ALF_HOME/tomcat/conf/server.xml
• $ALF_HOME/tomcat/webapps/share/WEB-INF/urlrewrite.xml
• $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/pagerenderer-config.xml
• $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscript-framework-config-test.xml
• $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscript-framework-config.xml
• $ALF_HOME/tomcat/webapps/share/WEB-INF/classes/alfresco/webscripts/org/alfresco/indexall.get.mediawiki.ftl
• $ALF_HOME/tomcat/shared/classes/alfresco/extension/custom-repository.properties and add an entry to overide the default: repo.remote.endpoint.url=http://localhost:8080/alfresco/service

They say the following about this mess:"It is planned for future versions to allow for central configuration of the port. It is not fixed yet, when this will be included."

I tried the modifications, but essentially I screwed my alfresco setup (more on this later maybe), so I removed and purged my alfresco.

I then decided to search for some info on how to change the default Zenoss 8080 port, and so I found that editing /usr/local/zenoss/zenoss/etc/zope.conf

and uncommenting line 840 with:

port-base 1000

1. Avoid changing Alfresco’s port mess.
2. Proceed with the Alfresco installation process.

Hope that helps!

There exists really paranoid SSH access methods! For my everyday use I’m going to accept and implement a less paranoid one: 4096 bit RSA keys + complex passhphrase (but none-the-less, almost secure).

Let’s assume you have two Ubuntu boxes with SSH installed and enabled: the client and the server ("sudo apt-get install ssh" on both, just in case…). Your objective is to gain access to the server from a terminal launched on the client.

From the client open a terminal and type:

ssh-keygen -b 4096

Now, when asked, insert your desired passhphrase (use letters, numbers, and commas – just don’t forget it!), then:

vi .ssh/id_rsa.pub

…select and copy the file’s content.

Now open _another_ terminal window, and gain access to your server (if it’s ubuntu, you should use your ordinary user, the one that will be enabled and authorized for the server access), let’s type:

ssh user@server_IP
vi ~/.ssh/authorized_keys

…let’s paste the content of the client’s id_rsa.pub inside the server’s authorized_keys file (TIP: if it doesn’t work, make sure what you’re pasting lies on a single line).

As of now you should be able to gain access to your server from your client, on a more secure way (test it to be sure – you’ll be asked for your passphrase).

To test it, from the client launch a ssh session to your server and check if you’re asked for the passphrase and that’s it!

THEORY: SSH essentially may authenticate users with differents methodology, the ones I know are:

1. user + password.
2. user + rsa private/public key exchange (no pwd asked).
3. user + rsa public key exchange + passphrase (passphrase is different from password).

The user’s password is the standard, default and unconfigured method that just works, the second, is a more sophisticated one, it is useful when you are almost sure your client is "enough" secure (when you 100% trust your client).

The third method is the the second method plus a passphrase appended to the key (or if you wish, an authorization to use such key); this is useful when you 99% trust your client and still wish to keep control on the remaining 1% (and so the subject of my post).

OPTIONAL – how to secure the ssh server.

I wanted to update my post with some tips I found interesting and useful to tweak my SSH server settings, just open the  /etc/ssh/sshd_config and apply something like this settings:

# Change to no to disable tunnelled clear text passwords -
# PAY ATTENTION TO THE FOLLOWING OPTION!!! IT MAY PREVENT ACCESS TO YOUR SERVER;
# BEFORE APPLYING, MAKE SURE YOU HAVE DIRECT ACCESS TO YOUR SERVER (aka "your server sits next to you")
PasswordAuthentication no

# Maximum Login Attempts
MaxAuthTries 3

# root can't login via SSH
PermitRootLogin no

# if you are logging, a warning is useful.
Banner /etc/issue.net

# keeps some brute force attacks off
MaxStartups 10:50:20

Take care and have fun!

I’m going to post some really easy steps to slightly nicefy the standard ubuntu boot manager (grub for friends); please note the following steps are very easy and, most importantly, they are not disruptive of your currently working setup: you just have to add stuff to your already working system. The advantage of doing so lies on the fact that you’ll not break your standard repository tree, resulting on an apt-updatable-friendly system.

Said that, let’s move:

sudo apt-get install grub-splashimages startupmanager

Ok, now let’s open SUM:

sudo startupmanager

…now, from the "Aspect" tab, let’s choose a splashimage that fits and let’s close the program. After that, reboot the system and see if it worked.

If everything is OK, the next boot will sport a nice 14 colors (!) grub spashimage. Frankly, is not that great, but it’s better than the ugly default black/white (or the other usable two-color combinations) curses mode.

If you wish more, you should try the better multicolor grub-gfxboot, but this will have to wait for another post ;)

I’m going to upgrade my _old_ Ubuntu Hardy Heron X86_64 laptop to the fresh _new_ (autumnal) Ubuntu Intrepid Ibex X86_64, the CLI way (it should apply perfectly for the 32 bit version too). Open a new virtual terminal and type:

cd
dpkg −−get−selections > ~/my-installed-programs

…this way you’ll make a backup copy of the synaptic choices you already made [about your already installed programs].

It would also be a good idea to keep a backup copy of your third party repository sources (don’t forget to keep their respective keys! – I keep them as inline comments inside my files), so:

mkdir 3rdparties

cp /etc/apt/sources.list.d/* 3rdparties/

Save your /etc (just in case):

tar cvf etc.tar /etc

Now it would be safe to make a backup copy of your important stuff; here I suggest you a simple tbz2 backup archive of your important stuff:

cd 

tar cvjf $(whoami)-backup.tbz2 ~

After some time (depending by the amount of your data and your CPU’s juice), move the resulting backup file somewhere (use your imagination and DIY…flash keys, ext HDDs, other PCs….). OK, now we may proceed for the distribution upgrade, so:

sudo apt-get install update-manager-core

then type:

sudo do-release-upgrade

Respond to the first one or two basic questions, wait for the process to be finished, reboot when asked, and (hopefully) you should end up with a new (hopefully…) working version of your open source os of choice to play with!

IMPORTANT NOTE: If you have an almost standard system, the process should be easy and mandatory. BUT if you have applied strong modifications to your /etc, probably you’ll be asked many questions regarding your config files. In this case take your time and review your settings before just pressing "ENTER".

If bad stuff happens (well, sometimes it just happens!), install a clean (upgraded) system with the ubuntu official CD image and uncompress your home backup on your new system’s home, restore your third parties sources.list and use the following commands to restore your synaptic selections:

cd 

sudo dpkg --set-selections < my-installed-programs
sudo apt-get update

then apply your changes with the follwing command:

sudo apt-get upgrade
sudo apt-get dselect-upgrade

ADDENDUM: In case you wish to live on the edge and track developer's releases, when switching the distribution, alternatively type:

sudo do-release-upgrade --devel-release

Once you're at it, create a launchpad account and submit bug reports to Canonical developers by clicking the "Send"-button when an app crashes.

I needed to install FreeNX Server on my wive’s Ubuntu Hardy Heron 8.04.1 LTS X86_64 PC fast.

I opened a Terminal and typed the following:

sudoedit /etc/apt/sources.list

I pasted the following at EOF:

# Launchpad freenx-server
deb http://ppa.launchpad.net/freenx-team/ubuntu hardy main
deb-src http://ppa.launchpad.net/freenx-team/ubuntu hardy main

:wq, then:

sudo apt-get update; sudo apt-get install freenx-server

After that I got a working free-nx server accessible from my windows gaming rig (using nomachine NX client).

References: https://help.ubuntu.com/community/FreeNX

At work, for business needs, we decided it would have been better to adopt a local debian mirror.

After some search, I choosen total flexibility, by adopting the anonftpsync shell script. It is a self-descriptive-log-and-mail kind of script. Just customize and use it. Here for convenience I’m gonna post the one I used (it’s just commented, there are some parts that need to be uncommented out):

#! /bin/sh set -e
# This script originates from http://www.debian.org/mirror/anonftpsync
# modified by Andrea Matesi
# CVS: cvs.debian.org:/cvs/webwml - webwml/english/mirror/anonftpsync
# Version: $Id: anonftpsync,v 1.30 2007/09/06 18:05:44 joy Exp $
# Note: You MUST have rsync 2.6.4 or newer, which is available in sarge
# and all newer Debian releases, or at http://rsync.samba.org/
# Don't forget:
# chmod u+x anonftpsync
# Set the variables below to fit your site. You can then use cron to have
# this script run daily to automatically update your copy of the archive.
# TO is the destination for the base of the Debian mirror directory
# (the dir that holds dists/ and ls-lR).
# (mandatory)  TO=/mnt/backup/mirror
# RSYNC_HOST is the site you have chosen from the mirrors file.
# (http://www.debian.org/mirror/list-full)
# (mandatory)  RSYNC_HOST=debian.fastweb.it
# RSYNC_DIR is the directory given in the "Packages over rsync:" line of
# the mirrors file for the site you have chosen to mirror.
# (mandatory)  RSYNC_DIR=debian/
# LOGDIR is the directory where the logs will be written to
# (mandatory)  LOGDIR=/var/log
# ARCH_EXCLUDE can be used to exclude a complete architecture from
# mirrorring. Please use as space seperated list.
# Possible values are:
# alpha, amd64, arm, hppa, hurd-i386, i386, ia64, m68k, mipsel, mips, powerpc, s390, sh and sparc
#
# There is one special value: source
# This is not an architecture but will exclude all source code in /pool
#
# eg. ARCH_EXCLUDE="alpha amd64 arm hppa hurd-i386 ia64 m68k mipsel mips powerpc s390 sh sparc"
#
# With a blank ARCH_EXCLUDE you will mirror all available architectures
# (optional)  #ARCH_EXCLUDE=
# EXCLUDE is a list of parameters listing patterns that rsync will exclude, in
# addition to the architectures excluded by ARCH_EXCLUDE.
#
# Use ARCH_EXCLUDE to exclude specific architectures or all sources
#
# --exclude stable, testing, unstable options DON'T remove the packages of
# the given distribution. If you want do so, use debmirror instead.
#
# The following example would exclude mostly everything: EXCLUDE="\ --exclude stable/ --exclude testing/
 --exclude unstable/ \ --exclude source/ \ --exclude *.orig.tar.gz --exclude *.diff.gz --exclude *.dsc
\ --exclude /contrib/ --exclude /non-free/ \ "
# With a blank EXCLUDE you will mirror the entire archive, except the
# architectures excluded by ARCH_EXCLUDE.
# (optional)  #EXCLUDE=
# MAILTO is the address to send logfiles to;
# if it is not defined, no mail will be sent
# (optional)  MAILTO=myself@mywork-co.it
# There should be no need to edit anything below this point, unless there
# are problems.
#-----------------------------------------------------------------------------
#
# If you are accessing a rsync server/module which is password-protected,
# uncomment the following lines (and edit the other file).
# . ftpsync.conf
# export RSYNC_PASSWORD
# RSYNC_HOST=$RSYNC_USER@$RSYNC_HOST
#-----------------------------------------------------------------------------
#
# Check for some environment variables if [ -z $TO ] || [ -z $RSYNC_HOST ] || [ -z $RSYNC_DIR ] || [ -z $LOGDIR ];
then echo "One of the following variables seems to be empty:" echo "TO, RSYNC_HOST, RSYNC_DIR or LOGDIR" exit 2 fi

if ! [ -d ${TO}/project/trace/ ]; then
# we are running mirror script for the first time umask 002 mkdir -p ${TO}/project/trace fi
# Note: on some non-Debian systems, hostname doesn't accept -f option.
# If that's the case on your system, make sure hostname prints the full
# hostname, and remove the -f option. If there's no hostname command,
# explicitly replace `hostname -f` with the hostname.  HOSTNAME=`hostname`
# The hostname must match the "Site" field written in the list of mirrors.
# If hostname doesn't returns the correct value, fill and uncomment below
# HOSTNAME=mirror.domain.tld  LOCK="${TO}/Archive-Update-in-Progress-${HOSTNAME}"
# The temp directory used by rsync --delay-updates is not
# world-readable remotely. It must be excluded to avoid errors. TMP_EXCLUDE="--exclude .~tmp~/"
# Exclude architectures defined in $ARCH_EXCLUDE for ARCH in $ARCH_EXCLUDE; do EXCLUDE=$EXCLUDE"\ --exclude binary-$ARCH/
\ --exclude disks-$ARCH/ \ --exclude installer-$ARCH/ \ --exclude Contents-$ARCH.gz \ --exclude Contents-$ARCH.diff/
\ --exclude *_$ARCH.deb \ --exclude *_$ARCH.udeb " if [ "$ARCH" == "source" ]; then SOURCE_EXCLUDE="\ --exclude *.tar.gz
\ --exclude *.diff.gz \ --exclude *.dsc " fi done
# Logfile LOGFILE=$LOGDIR/debian-mirror.log
# Get in the right directory and set the umask to be group writable
# cd $HOME umask 002
# Check to see if another sync is in progress if [ -f "$LOCK" ]; then if [ "`find $LOCK -maxdepth 1 -amin -360`" = "" ]; then
# Note: this requires the procps ps; for other ps', adjust as necessary if ps ax | grep '[r]'sync | grep -q $RSYNC_HOST;
then echo "stale lock found, but a rsync is still running, aiee!" exit 1
else echo "stale lock found (not accessed in the last 6 hours), forcing update!" rm -f $LOCK fi
else echo "current lock file exists, unable to start rsync!" exit 1 fi fi  touch $LOCK
# Note: on some non-Debian systems, trap doesn't accept "exit" as signal # specification.
If that's the case on your system, try using "0". trap "rm -f $LOCK" exit  set +e
# First sync /pool rsync --recursive --links --hard-links --times --verbose \ $TMP_EXCLUDE $EXCLUDE $SOURCE_EXCLUDE \
$RSYNC_HOST::$RSYNC_DIR/pool/ $TO/pool/ >> $LOGFILE 2>&1 result=$?  if [ 0 = $result ]; then
# Now sync the remaining stuff rsync --recursive --links --hard-links --times --verbose --delay-updates --delete-after \
 --exclude "Archive-Update-in-Progress-${HOSTNAME}" \ --exclude "project/trace/${HOSTNAME}"
 \ $TMP_EXCLUDE $EXCLUDE $SOURCE_EXCLUDE \ $RSYNC_HOST::$RSYNC_DIR $TO >> $LOGFILE 2>&1  LANG=C
date -u > "${TO}/project/trace/${HOSTNAME}" else echo "ERROR: Help, something weird happened" | tee -a $LOGFILE
echo "mirroring /pool exited with exitcode" $result | tee -a $LOGFILE fi  if ! [ -z $MAILTO ];
then mail -s "debian archive synced" $MAILTO < $LOGFILE fi  savelog $LOGFILE >/dev/null  rm $LOCK

I’ve put this script auto-executing inside crontab, then I configured apache http for the file-serving purpose at a different standard name. When I had to manually install a debian distribution, I pointed the installer to grab deb packages from this http server and everything worked as expected, but especially, it was fast, since it was inside our lan.

Ubuntu Linux aims at being a good OS solution for the desktop. The fact that it aims doesn’t necessarily means it is already…I heard 2008 will have more to say about this.
Form me, I think it is good enough, and I enjoy using it everyday, yet sometimes I encounter “strange” & “correlated” errors that I haven’t saw into a “more” commercial OS couterpart combo (XP+Office+Live Search in that case).
And that’s the great effort were I think Canonical is fully committed to: integration between “bazaar” software.

My actual OS is an upgraded Feisty 7.04 -> Gutsy 7.10.
I’m not saying everything went perfect the first time, but with some sanity, I tried to keep things working correctly as they were. And at 99% I made it behave just fine (without buying anything).

A (bad) reminiscence of Feisty was a little sniffy guardian Beagle (dog).

Beagle is an indexing tool that scans your HD for metadata and indexes it for faster searches (like Google Desktop Search).
In Gutsy, Beagle was (reasonably) replaced by Tracker, another, perhaps more stable, indexing solution.

The error I expected was related to a remnant of beagle that I forgot to remove; so, I had this process in memory, automatically booted everyday, that insanely tracked and Indexed every file inside my PC (maybe more than once).
I ended up locked and with no space left (I have a WD 250Gb HD).
My routine is made of daily emails, browsing (I never delete its cache), and I/O ( I always keep my recycle bin full), etc… well…ordinary stuff as everyone else, but not so much to fill a 250Gb HD with stuff (ex. my Home folder actually is almost 5 Gb).

The (mad) beagle-related process, day after day, filled my home folder (and consequently my HDD), with tons of indexed CRAP. What it was, exactly, I simply ignore it.
So recently I ended up having with a full (99.9%) /.

I figured it after the other (open) programs started complaining,and popped strange errors, especially my email client, Evolution.

The error message received from Evolution was stating: “Error while storing folder ‘inbox’ Summary and folder mismatch even after a sync”. WTF???
So I started to digg and figure what the problem was.

First thing:

• rm -r /home/andy/.beagle

…to free up some space.

Next, Synaptic and (complete) removal of beagle and beagle-evolution.

Then a fast close/open Send/Receive with Evolution: error message still there :(

Some more research, some more infos: I had to close all Evolution processes, this way:

• evolution –force-shutdown

…from a terminal.

Next thing: I cd to “.evolution” inside my home folder and searched for the main Inbox folder.

• cd .evolution/mail/local

There I found a file called Inbox.ibex.index;
I renamed this file with something else, then restarted Evolution.

Everything clean and fixed.

Note: if you like me, never delete something, unless 100% sure, you can now safely rm the previously renamed file.

Back to work, now :-P

Today I’ll post my rsync fav options;
rsync is a lil program that automates syncronization between two folders, FS or partitions, even remotely by using ssh credentials (better used with keys…).
Its main use is to move every kind of data inside the network, keeping it synchronized. That mean that he check all the files that are on one side and confront them withe the files that are on the other side, transferring efficiently only the stuff that change!
Every standard Linux System Administrator should know it (man rsync), but I understand there is too much options.

At its basic it is used so:
rsync $SOURCE $DESTINATION

were $SOURCE and $DESTINATION can be a local folder or a remote folder accessed via ssh (ex.: andy@192.168.1.1:/home/andy/backup)

But if you tweak it a bit you can gain some more functions/performance.
I usually play with it through bash scripts but occasionally I use it directly from the console. When I use it from console, I need to remember the various settings I like, that I’m gonna share here for convenience.

Generally, for a basic rsync between two places, and with no deletion, I use this:
rsync -aHvzh –progress SRC DST

-a is synonym to using -rlptgoD, “a” does stand for archive; the included “a” options will be analized next.
-H stand for preservation of Hard Links (a synonymous name for an inode, ex. “DATA” is the real, meaningful, data and A.txt and B.txt is a pointer to that data).
-v is for verbose; I like talkative programs.
-z is for gzip compression during transfer (not where it puts the files, it is real time) — Best with powerful processors.
-h is for human readable sizes (in place of telling me: “transfered 10737418240 bytes”, he would say: “Hey mate, your 10Gb it’s already there!”).
–progress does show progress in real time with ASCII gfx.

Now let’s check what does -rlptgoD mean (they are simpler…):

-r is for recursive, essentially I need this to move entire directories, not only files.
-l keeps the symbolic links so.
-p keeps the same file permissions on the receiving side (r,w & x).
-t keeps the same date and time modification (better keep it for efficiency purposes, rsync this way know if the file changed or else).
-g similar as g, keep the same group on the receiving side.
-o similar as o, keep the same owner (the user) on the receiving side.
-D mean that it preserves character devices and block devices (ls /dev to see what these are) on the receiving side.

A very useful option I used in the past was -n

-n does stand for DRY RUN, it means that you are still not sure about wich option to use, and wanna still just try and experiment with the thousand options how the transfer will be, but without making it happen for real…very useful!

Then there are the various –delete-when? They are useful when you are sure that the transfer is ONE WAY (if not sure, don’t use it!) only.
You can use:
–delete-before
–delete-after &
–delere-during
Wich all do DELETE the transfered files at the specified time.

Then we have the exclude-from=files, a good option that allow rsync NOT to transfer the specified directories & files following the “=”. After the “=” can be used also a file containing all the files/dirs not needed during the transfer (say /sys, /dev, /tmp & all).
Example:
Let’s say I do not want to transfer the following folders: tmp, dev, proc, sys, floppy, cdrom, rsync, mnt, media ;
I create a file wich contain, for every line, the name of a folder I don’t need:
echo -e “/tmp\n/dev\n/proc\n/sys\n/floppy\n/cdrom\n/rsync\n/mnt\n/media\n” > /tmp/excluded.txt

…then I recall my rsync with the option exclude-from=/tmp/excluded.txt and the joke is done!

I stuck into a little problem related to a hostname change; basically I needed to change hostname for a basic debian install.

I then powered up my fav browser with my fav search engine (FF + Google), then searched for that stuff.

Easy as that! You change Hostname by simply doing

vi /etc/hostname (and put your new hostname inside this file, in place of the old one)

and that’s all. NOT!!!

Now launch

vi /etc/hosts

…and change also the other stuff were you see the old name.

Now you can safely reboot (or simply logoff/logon) to see changes take effect immediately.