
Require Authentication For Multiple Directories in Lighttpd

I have a domain that I use to hold my notes, personal wiki, HTML versions of books and magazines, and other assorted resources. Much of this I want to remain private so I’ve implemented Lighttpd access restrictions at the root of those directories. I had a little bit of trouble this evening adding additional directories to my restriction list, so I thought I would make a note of it here. Hopefully it’ll help anyone else running into similar trouble.

    $HTTP["host"] =~ "domain.tld" {
        auth.require = (
            "/secret/" => (
                "method" => "basic",
                "realm" => "Password Protected Area",
                "require" => "valid-user",
            ),
            "/private/" => (
                "method" => "basic",
                "realm" => "Password Protected Area",
                "require" => "valid-user",
            )
        )
    }

The cause of my problem was the missing comma between the directory names. If you’re going to limit access to multiple directories in a list like this it needs to be a comma-separated list.

Read more

DBAN via PXE: Automagically Wipe a Drive via Network Boot

One of my first assignments when I signed on with my new job was to rebuild and improve the internal repository server. When I started it was quite a mess! It only mirrored the last two revisions of Red Hat Enterprise, and didn’t have a whole lot of functionality. Now that I’m done it supports Red Hat 3-5, both i386 and x86_64 as well as the respective CentOS releases. It mirrors Ubuntu, Fedora, openSUSE and I added a few little tricks to the PXE server which allows us to build or destroy machines without needing to burn a CD. One of the features that I really like is the addition of DBAN to the PXE setup, allowing us to securely wipe drives on multiple machines without the need for any CDs or other boot media. Here is how I went about it:

Create Required Directories

    mkdir /tftpboot/dban/

Download Latest Dban

Read more

Option Code 150: DHCP Configuration for Cisco VOIP Phones

I spent Saturday at the office finalizing some of the network functionality in our two offices. One of the main things we needed to implement was a DHCP server at the satellite office, because our DHCP needs go beyond what the Cisco router we use can offer. Primarily the limitation is in regards to requiring multiple domains in our search path for the DHCP clients. In any case, we decided to simply install a Linux server (Debian 5.0 in this case) and run DHCP from there. Installing and configuring DHCP is nothing new for me, and it was configured fairly quickly for the three subnets we use in that office. The difficult part, and the part I had to spend some time on Google looking up, was in regards to our Cisco Phones. Because we would be disabling the Cisco router DHCP functionality it all had to be replaced on the Linux server. Read more

Update: Weekly Update Reporting Via Portmaster

Not so long ago I wrote about how you can configure FreeBSD to email you regarding available updates on a weekly basis. This is something that I have had in place for a while now, and I really enjoy the ability to keep things on the patched (read: bleeding) edge. Recently I found a small issue with the setup I had been using. I wanted to share the fix with anyone that may have been doing the same thing. First of all, let me tell you about the issue I came across. When I would receive an email regarding available updates I would connect to the FreeBSD Jail and use portmaster -a -d to apply all available updates. I noticed that the number of updates applied did not match the number of updates listed in the email. Odd. Well, after thinking about it for a bit I realized what the problem was. Read more

Find Out When an RPM Was Installed

Just the other day we were auditing some of the packages on our production application servers and found a few that we were surprised about. None of us remember installing them, so we set out to try and find out who might have done it, and when it might have happened. The other two admins started grepping through the history files and looking at old, archived log data. I used the information within the RPM database and simply asked the machine when it was installed:

    [root@repo ~]# rpm -qi htop
    Name : htop Relocations: (not relocatable)
    Version : 0.7 Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
    Release : 1.el5.rf Build Date: Sat 24 Nov 2007 07:24:19 AM MST
    Install Date: Tue 04 Nov 2008 04:02:40 PM MST Build Host: lisse.leuven.wieers.com
    Group : Applications/System Source RPM: htop-0.7-1.el5.rf.src.rpm
    Size : 148330 License: GPL
    Signature : DSA/SHA1, Sat 24 Nov 2007 07:29:40 AM MST, Key ID a20e52146b8d79e6
    Packager : Dag Wieers <dag@wieers.

Read more

WordPress Permalink Support: FreeBSD + Lighttpd

I love FreeBSD for how efficient and minimalistic it can be. For my web servers I like to add to this efficiency by using Lighttpd instead of the larger, older, Apache. The one little issue with Lighttpd vs Apache is getting all the same module support set up for all the little tweaks that you’ve come to enjoy. I should mention that Lighttpd supports many of the same modules that Apache does, and once you learn how they work I think they are even more intuitive than Apache’s config. One of the most important to me is the mod_rewrite for use with my WordPress blogs. As you can see from the URL I use fancy addresses for my posts. %date%/%name%, etc. I think this is more user friendly (not to mention Google-friendly) than something like php?=53. What kind of URL is that? In any case, a very simple way to achieve this in Lighttpd is to use the following single line in your lighttpd. Read more

Weekly Update Notifications via Portmaster

Update: I have suggested a minor improvement to this setup. Read More…

For some time now I’ve been maintaining about a dozen FreeBSD jails, each running a different set of services. Everything from email to BIND, DHCP to nagios. One of the difficulties of trying to maintain so many servers has been tracking and applying updates, particularly servers that use the ports system which is updated so frequently. The solution that I’ve come up with is to use portmaster inside a weekly cron job to notify me of available updates on each machine. This requires a slightly different cron job on the host system than within the jails. Here is an example of what I’m running within each:

    #!/usr/local/bin/bash
    /usr/sbin/portsnap cron
    /usr/local/bin/ezjail-admin update -P
    /usr/local/sbin/portmaster -L | egrep -B1 '(ew|ort) version|Aborting|installed|dependencies|IGNORE|marked|reason:|MOVED' | grep -v '^--' | mail -s "Portmaster Weekly Check for $(hostname)" [email protected]

    #!

Read more

dhcpd inside ezjail

I have had all kinds of problems getting dhcpd running properly inside a FreeBSD jail. I finally got it running this morning and wanted to document what I’ve done in hopes that I can recreate it. On the host system I had to allow sockets within jails. This is done by adding this line to your /etc/sysctl.conf:

    security.jail.allow_raw_sockets=1

The above will make it a persistent change, but you’ll also need to make it an immediate change using the sysctl tool directly:

    sysctl -w security.jail.allow_raw_sockets=1

Within the jail I then installed the net/isc-dhcp30-server port. I configured this with just two of the available options.

Allow sockets instead of bpf (jails-only)
Use base openSSL

After this was compiled I configured my /usr/local/etc/dhcpd.conf and added the following lines to my /etc/rc.conf:

    ## dhcpd options
    dhcpd_enable="YES"
    dhcpd_flags="-q"
    dhcpd_conf="/usr/local/etc/dhcpd.conf"
    dhcpd_ifaces=""

Read more

update your system (and ports) with csup

I want to thank one of the readers who left a comment recently regarding the use of cvsup. Apparently, some time ago, cvsup was replaced with a smaller, faster utility which comes included in the base OS. This tool is simply: csup. Some of the benefits of using csup instead of cvsup are:

It comes preinstalled in the base OS.
No need to build cvsup and all its dependencies.
No need to install base ports in order to build cvsup in order to update your ports.

I tried csup and noticed that it should be a drop-in replacement for those that still use cvsup. You should be able to use the same options and command arguments that you did previously. Here is an example of something I’ve set up which allows me to update my base OS + ports using csup and one command:

/etc/make.conf

    ## csup config (just use 'make update' in /usr/ports or /usr/src)
    SUP_UPDATE=yes
    SUP= /usr/bin/csup
    SUPFLAGS= -g -L2
    SUPHOST= cvsup.

Read more

New Theme

I spent some time this afternoon on the bus ride home setting a new theme to the blog here. I’ve also cleaned up the categories. Ohh, and the most exciting part (even if it is transparent to the end-user), I upgraded to WordPress trunk. If you have not seen the new dashboard in WP 2.7 you should really check it out. It’s really clean and slick–I really like it. In any event, I hope to continue my FreeBSD and miscellaneous posts here while the ‘buntu specific stuff will be on Ubuntu Tutorials.