Excalibur Partners, LLC

Hot Adding a SCSI Device

Admin — Fri, 11 Jul 2008 16:17:29 +0000

When hot adding a SCSI device, such as a hard drive, you might have noticed that it doesn’t show in /dev. You can either reboot, which defeats the purpose of hot adding the device, or notify Linux to rescan the SCSI bus.

If you know the host adapter number use this command replacing 0 with the host adapter.
echo "- - -" > /sys/class/scsi_host/host0/scan

Otherwise rescan all the host adapters with this command.
for f in /sys/class/scsi_host/host*; do echo "- - -" > $f/scan; done

Now your SCSI device should show up in the /dev list.

Patching Postfix for mySQL and Quotas

Admin — Sun, 20 Apr 2008 16:33:40 +0000

If you are hosting email for more than one domain you might want to look into virtual hosting. With virtual hosting most choose to use database vs files to store the mailbox information. Not only does this allow a more flexible configuration, but the ability to use a web interface such as Postfix Admin. Out of the box Fedora Core 8 Postfix RPM does not support mySQL or quota support. However a simple recompile and install of the resulting package will get you up and running.

First we need to download the postfix SRPM
cd ~ wget http://download.fedoraproject.org/pub/fedora/linux/releases/8/Fedora/source/SRPMS/postfix-2.4.5-2.fc8.src.rpm

Next setup the RPM build area
fedora-buildrpmtree

Install the SRPM into the rpmbuild directory
rpm -ivh postfix-2.4.5-2.fc8.src.rpm

Now download the quota patch
cd ~/rpmbuild/SOURCES wget http://vda.sourceforge.net/VDA/postfix-2.4.5-vda-ng.patch.gz gunzip postfix-2.4.5-vda-ng.patch.gz

Let’s enable mysql and quota support
cd ~/rpmbuild/SPECS vim postfix.spec Line 2: -%define MYSQL 0 +%define MYSQL 1 Line 82: Patch10: postfix-2.4.5-open_define.patch +Patch11: postfix-2.4.5-vda-ng.patch Line 140: %patch10 -p1 -b .open_define +%patch11 -p1 -b .vda-ng

Now we can build the modified RPM and install it
rpmbuild -ba postfix.spec sudo rpm -ivh ~/rpmbuild/RPMS/`uname -p`/postfix-2.4.5-2.`uname -p`.rpm

SMF and MediaWiki Bridge

Admin — Tue, 12 Feb 2008 20:13:30 +0000

After testing out both bridges currently available for SMF and MediaWiki I decided to write my own. Let me first go through what I liked and didn’t like about the existing bridges.

First Bridge:
http://www.mediawiki.org/wiki/Extension:SMF_Authentication

This bridge allows for auto authentication by using the smf_api.php. Due to the number of files required I did not test this bridge. I didn’t want to deal with the hassle when upgrading software down the road. Especially because SMF 2.0 database tables are different and I wasn’t sure if the smf_api.php would be updated.

From looking at the code if a user is demoted from the administrator position it does not remove him from the wiki sysop group. It is also lacking the ability to declare an SMF group that is only allowed to edit the wiki.

Second Bridge:
http://www.mediawiki.org/wiki/Extension:SMF/Users_Integration

This bridge does not do anything with auto authentication. It does allow you to specify a SMF group that is allowed to edit the wiki. Another plus is that it is a single file. The downside is the configuration does not use the values from SMF’s Settings.php. You have to specify the database tables and permissions. It also doesn’t set wiki sysop privileges for SMF administrators.

I did test this one out and found a small issue where they did not disable the change password option in the wiki. This only requires a change of true to false, which must have been an oversight. Neither of these two bridges check to make sure the users are activated and not banned before logging them in.

My Bridge:
http://www.mediawiki.org/wiki/Extension:SMF_Auth_Integration

The SMF and MediaWiki integration I built only requires one file placed in the wiki extensions directory. To get started you only need to configure the relative path to your SMF forum and the forum’s version. The version will either be 1.1 or 2.0 (which only applies to charter members as 2.0 has not been released). In the default configuration the wiki login is separate from the forum. It will assign and remove sysop privileges to SMF administrators and allow you to lock down editing to an SMF group. You can even supply additional groups to be granted wiki sysop privileges.

For the auto authentication I have decided not to use the smf_api.php file for the above reasons. When you click login / logout the wiki redirects you to the SMF page and then back to the wiki. A couple of gotchas are that you must be using SMF database sessions (default setting). You also need to configure SMF to make sure local storage of cookies are disabled. You might not need to do this if your wiki is inside your forum folder.

There are two known issues. The first involves the wiki’s limitation with user names containing an underscore. The wiki converts underscores to spaces. For example john_doe would become John doe. The workaround I implemented was to look for both the user name with spaces and underscores. The first registered SMF user name is used. If you happen to have a conflict you’ll need to change the later registered user name.

The second is when wgSMFLogin is disabled. If you register a new account from the wiki you will not be redirected back to the wiki as SMF does not have support for this in their code.

You can download the bridge from http://wgnrs.dynalias.com/smf/Auth_SMF.php

Patching Apache’s Suexec Module Improved

Admin — Sat, 05 Jan 2008 22:18:52 +0000

This tutorial improves on my last tutorial Patching Apache’s Suexec Module by adding in alternate docroots and a trusted uid/gid to check when the uid/gid mismatch. This is an added security measure over just ignoring the uid/gid check or using / as the docroot. If you haven’t read my previous tutorial the following quote should bring you up to speed.

Apache’s suexec module is useful for running CGI and SSI scripts as a defined user. However all scripts must be located under the compiled in docroot and the uid/gid of the user running the script must match the script’s uid/gid.

This can be a problem if you have a shared CGI app like awstats as unless you make each user a copy the uid/gid will not match. Not to mention that the docroot on Fedora is /var/www so if you want to store your virtual hosts elsewhere your out of luck. Not to worry recompiling apache isn’t as hard as you might think.

Since we are modifying suexec there is always the potential that the modifications may cause a security hole. Proceed at your own risk!!

The patch allow you to specify three docroots. The default /var/www, one for virtual hosts (in my case /home), and one for shared scripts (most are stored in /usr/share). It also allows for the specification of a trusted uid/gid. Basically if the uid/gid of the suexec user doesn’t match the uid/gid of the file it will check to see if it matches the trusted uid/gid. If it does the execution will continue, otherwise it will log an error. This is great for shared scripts like awstats.

First we need to grab the httpd SRPM from FC5 updates
cd ~ wget http://mirrors.kernel.org/fedora/core/updates/5/SRPMS/httpd-2.2.2-1.3.src.rpm

Next we setup the RPM build area
fedora-buildrpmtree

Install the SRPM into the rpmbuild directory
rpm -ivh httpd-2.2.2-1.3.src.rpm

Grab the suexec patch
cd rpmbuild/SOURCES wget http://www.excalibur-partners.com/wp-content/uploads/2008/01/httpd-222-suexec.patch

Configure the docroots and trusted UID/GID
cd ~/rpmbuild/SPECS vim httpd.spec Line 192: --with-suexec-docroot=%{contentdir} \ + --with-suexec-docroot-virtual=/home \ + --with-suexec-docroot-shared=/usr/share \ + --with-suexec-trust-uid=500 --with-suexec-trust-gid=500 \


Modify the httpd.spec to include the patch

vim httpd.spec

Line 48:

 Patch73: httpd-2.2.3-CVE-2007-3304.patch

+ Patch80: httpd-2.2.2-suexec.patch

Line 131:

 %patch73 -p1 -b .cve3304

+ %patch80 -p1 -b .suexec
Now we can build the modified RPM

rpmbuild -ba httpd.spec
Instead of reinstalling apache I recommend just extracting and replacing the suexec file

cd ~/rpmbuild

rpm2cpio RPMS/`uname -p`/httpd-2.2.2-1.3.src.rpm | cpio -imVd ./usr/sbin/suexec

sudo cp -p /usr/sbin/suexec /usr/sbin/suexec.orig

sudo cp ./usr/sbin/suexec /usr/sbin/suexec

sudo chown root:apache /usr/sbin/suexec

sudo chmod 4510 /usr/sbin/suexec



Slow Browsing of Network Drives
Admin — Sun, 16 Dec 2007 21:53:55 +0000
One frustrating thing I noticed after using Vista was what seemed to be a compatibility issue with Windows 2003 Server 64bit Edition. Browsing network shares and folders on the server from the Vista machine was painfully slow. It would take five plus seconds to just display a directory listing or open a text file. After an hour or so of searching Google I found the answer.
The fix involves changing two settings from the command prompt. You need to run the command prompt as an administrator. You can do this by right-clicking and selecting run as administrator. Type in the following commands

netsh int tcp set global autotuninglevel=disabled

netsh int tcp set global rss=disabled
You will need to restart your machine afterwards. The difference is night and day. I wonder what the reasoning was for not having Vista set like this out of the box?
If you are unhappy with the changes you can restore the default settings with

netsh int tcp set global autotuninglevel=normal

netsh int tcp set global rss=enabled



Useful Mdadm Commands
Admin — Sun, 16 Dec 2007 21:43:41 +0000
Below is a collection of commands for mdadm that I have found useful. Use these at your own risk.
Create RAID

mdadm --create /dev/md0 --level=5 --raid-devices=4 /dev/sd[bcde]1

mkfs.ext3 /dev/md0
Remove disk from RAID

mdadm --fail /dev/md0 /dev/sda1

mdadm --remove /dev/md0 /dev/sda1
Copy the partition structure (when replacing a failed drive)

sfdisk -d /dev/sda | sfdisk /dev/sdb

mdadm --zero-superblock /dev/sdb
Add a disk to a RAID array (to replace a removed failed drive)

mdadm --add /dev/md0 /dev/sdf1
Check RAID status

cat /proc/mdstat

mdadm --detail /dev/md0
Reassemble a group of RAID disks

mdadm --assemble /dev/md0 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
Steps to emulate mdrun (which has been depreciated)

mdadm --examine --scan --config=partitions > /tmp/mdadm.conf

mdadm --assemble --scan --config=/tmp/mdadm.conf
Convert a RAID 1 array to RAID 5 (follow the steps to add a disk after running this command)

mdadm --create /dev/md0 --level=5 -n 2 /dev/sda1 /dev/sdb1
Add a disk to an existing RAID and resize the filesystem

mdadm --add /dev/md0 /dev/sdg1

mdadm --grow /dev/md0 -n 5

fsck.ext3 -f /dev/md0

resize2fs /dev/md0
Stop and remove the RAID device

mdadm --stop /dev/md0

mdadm --remove /dev/md0



RAID Explained
Admin — Sun, 16 Dec 2007 21:39:55 +0000
RAID, which stands for “redundant array of independent” disks provides a way to group disks into one volume and/or provide fault tolerance. There are three way to implement RAID: hardware, a combination of hardware/software, and software only.
Hardware RAID uses an add in card (PCI, PCI Express, PCI-X). The card has on-board memory and a processor to compute the RAID calculations. The RAID is stored in the controllers proprietary format and most likely you will need to use their drivers. The price is around $300-400 for a 4 port SATA card. The CPU load is basically non-existent with this setup.
Hardware/software RAID uses an add in card as well. However the card doesn’t contain memory or a RAID processor. It instead off-loads the RAID calculations to the CPU. The data is still in a proprietary RAID format and most likely you’ll need to use the card’s RAID drivers. These run around $100-150 for a 4 port card. Personally I think this form of RAID is pointless unless it is used for RAID 1 or 0 for reasons explained below.
Software RAID is proprietary to the software format. In linux you can move the drives easily between systems and linux distros provided the kernel support is the same. I’ve moved between Debian and Ubuntu without an issue. All the RAID calculations are performed by the CPU. However with today’s processors this will most likely not be an issue. The advantage to software RAID is the support as it is widely used.
No matter which implementation you choose make sure to test all possible scenarios before putting the RAID into production. Practice failing a drive, replacing it, and rebuilding the array. If you are going the software RAID route VMWare allows easy and fast testing. You can create multiple 1 GB drives which will rebuild much faster than 500GB real drives.



Installing Debian/Ubuntu on an Existing RAID/LVM
Admin — Thu, 13 Dec 2007 04:26:24 +0000
I like to test all the possible scenarios before putting a server into production. One of these tests was whether I could reinstall linux without disturbing the RAID arrays. Unfortunately the Debian and Ubuntu installers do not make this easy. When you reach the partitioning stage it will just show you the physical drives with the linux raid partitions and not the md devices. Here are the steps that worked for me.
When starting the installer proceed until you reach the network configuration screen where it asks for the hostname. At this point you’ll want to switch to another virtual terminal (alt+f2). Run the following commands

modprobe raid1

modprobe dm_mod

mdrun
Mdrun might return command not found as it has been depreciated in later linux releases. Don’t worry we can use mdadm instead.

mdadm --examine --scan --config=partitions > /tmp/mdadm.conf

mdadm --assemble --scan --config=/tmp/mdadm.conf
Let’s verify that the RAID arrays were found and started.

cat /proc/mdstat
If you are using LVM we can now scan and activate the volumes.

lvscan

vgchange -a y
Now you can return to the installer with alt+f1. When you reach the partitioning stage select manual and assign the RAID / LVM volumes mount points.



Patching Apache’s Suexec Module
Admin — Fri, 30 Nov 2007 20:38:49 +0000
Apache’s suexec module is useful for running CGI and SSI scripts as a defined user. However all scripts must be located under the compiled in docroot and the uid/gid of the user running the script must match the script’s uid/gid. 
This can be a problem if you have a shared CGI app like awstats as unless you make each user a copy the uid/gid will not match. Not to mention that the docroot on Fedora is /var/www so if you want to store your virtual hosts elsewhere your out of luck. Not to worry recompiling apache isn’t as hard as you might think.
Since we are modifying suexec there is always the potential that the modifications may cause a security hole. Proceed at your own risk!!
First we need to grab the httpd SRPM from FC5 updates

cd ~

wget http://mirrors.kernel.org/fedora/core/updates/5/SRPMS/httpd-2.2.2-1.3.src.rpm
Next we setup the RPM build area

fedora-buildrpmtree
Install the SRPM into the rpmbuild directory

rpm -ivh httpd-2.2.2-1.3.src.rpm
Grab the suexec no UID/GID check patch

cd rpmbuild/SOURCES

wget http://www.excalibur-partners.com/wp-content/uploads/2007/11/suexec_nocheck.patch
Modify the docroot

cd ~/rpmbuild/SPECS

vim httpd.spec

Line 192:

- --with-suexec-docroot=%{contentdir} \

+ --with-suexec-docroot=/ \
Modify the httpd.spec to include the patch

vim httpd.spec

Line 48:

 Patch73: httpd-2.2.3-CVE-2007-3304.patch

+ Patch80: suexec_nocheck.patch

Line 131:

 %patch73 -p1 -b .cve3304

+ %patch80 -p1 -b .nocheck
Now we can build the modified RPM

rpmbuild -ba httpd.spec
Instead of reinstalling apache I recommend just extracting and replacing the suexec file

cd ~/rpmbuild

rpm2cpio RPMS/`uname -p`/httpd-2.2.2-1.3.src.rpm | cpio -imVd ./usr/sbin/suexec

sudo cp -p /usr/sbin/suexec /usr/sbin/suexec.orig

sudo cp ./usr/sbin/suexec /usr/sbin/suexec

sudo chown root:apache /usr/sbin/suexec

sudo chmod 4510 /usr/sbin/suexec



Virtual Web Site Hosting
Admin — Sun, 04 Nov 2007 18:24:08 +0000
A common practice is to use one apache server to host websites for multiple domain names. Apache supports virtual servers out of the box making this easy to setup. This tutorial is based on Fedora Core 5, but should apply to most other linux distros.
To get started you need to have a folder to store the data for each virtual website. On my system I have a created a new user for each website following the pattern.

/home/*/public_html/
For example to add jsmith. Note that the /home/jsmith folder must have execute permissions and the public_html folder must have read permissions for apache.

useradd jsmith

cd /home/jsmith

mkdir public_html

chown jsmith:jsmith public_html

chmod 711 .

chmod 755 public_html
Lets open up the apache config and add the required sections.

vim /etc/httpd/conf/httpd.conf
Scroll down to the end of the file and you will see the virtual hosting section. The first thing we must do is let apahce know what IPs and ports it will be serving for virtual hosts. The * wild card is supported. The line below states that apache will server requests for port 80 on all incoming IPs.

NameVirtualHost *:80
Now we set the individual settings for each virtual host. If you are a hosting provider you probably will want a catchall host to display if the user goes to the server’s IP or hostname. To do this we use the _default_ attribute.



   ServerAdmin email@domain.com

   DocumentRoot /var/www/html

   ServerName www.domain.com


On the rest of your virtual hosts I recommend to fill in a ServerAlias. Lets say your site is http://www.jsmith.com/. Without a ServerAlias if a visitor points his/her browser to http://jsmith.com/ they will get the default host instead of http://www.jsmith.com/.



   ServerAdmin email@jsmith.com

   DocumentRoot /home/jsmith/public_html

   ServerName www.jsmith.com

   ServerAlias jsmith.com *.jsmith.com


Make sure to verify the apache config first

apachectl configtest
If it comes back syntax OK you are ready to reload the config

service httpd reload
or start up the apache server if it is not already running.

service httpd start