Linux.com

Community Blogs



How to Configure (And Troubleshoot) Pulp: The Ultimate Repository Management Tool

Pulp is a nifty piece of Python code which I recently deployed to manage some (a lot, actually) external Linux repositories. Pulp is a great tool if you want to manage a lot of repositories and related content such as packages, arches, distros and errata. It will not only help you mirror the repositories but also do remote installs to clients (Pulp calls them consumers) and groups. So, let us get started.
Make sure that you have a good amount of disk space on your server.
There is really good documentation here on how the installation works. I'll write about some tips and tricks which are not in the documentation.
1. How do I install it on Scientific Linux and other Enterprise Linux servers when the nss package is not the latest version?
You need to enable the rolling repo in Scientific Linux for this. It is not included in the yum.conf.d by default, so chances are that you'll get an older version of nss if the rolling repo is not added.
2. I am getting a "SSL WrongHost" error. How do I fix that?
First, you need to pick a hostname for the server (localhost.localdomain is a bad choice). Set the hostname using command "hostname ". Now we are going to generate a certificate for this domain to get rid of the SSL error.
Do a "cd /etc/pki/tls/certs/" and there will be a localhost.crt. Rename it to something else and run "make testcrt" to get a new certificate. Follow these steps closely and in order.
3. I installed both pulp and pulp-cds on the same server and now I am getting an httpd alias problem. How do I resolve it?
Well, I understand the enthusiasm for trying out stuff, but pulp and pulp-cds are not supposed to be installed on the same server, not unless you know the ins and outs of pulp and what you are doing. The problem occurs because both pulp.conf and pulp-cds.conf in conf.d have the same alias defined but for different targets. So comment out the Alias in pulp-cds.conf or get rid of the pulp-cds package altogether; I would do the latter.
4. I want to use the repo using http. How do I do that?
Find the lines below in the httpd conf directory and comment them out using "#". With them commented out, Apache no longer insists on SSL or asks for a client certificate when the repositories are accessed.
SSLRequireSSL
SSLVerifyClient optional_no_ca
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData

 

Migrate Bugzilla 3.0 Server to a Bugzilla 4.0 Server

Summary

I recently did a migration from Bugzilla 3.0 running on one server to Bugzilla 4.0 running on a new server.  Since I was already writing these down as I went, I thought that I would share these instructions with the greater Linux community.  You may find that some of these instructions need to be run in a slightly different order, but this is a pretty complete account of what it took to get this going on the new server.  I know that I had to periodically go back to the ./checksetup.pl script over and over throughout the process to check myself and figure out what needed to occur next.  I tried to arrange all of these in an order that will work, but if you have to install the bugzilla folder first and continually re-run ./checksetup.pl, it's pretty much what I had to do.

These instructions are for RedHat 5.5.

Backup Your Current Bugzilla 3.0 Database

These directions all assume that you have a Bugzilla 3.0 database that you've backed up with the following commands:

sudo mkdir /data/backups/mysql-bugzilla-3.0
sudo chown www-data.www-data /data/backups/mysql-bugzilla-3.0
mysqldump -u bugs --password=XXXXXXXXX bugs | gzip -9v > `date '+/data/backups/mysql-bugzilla-3.0/bugs_%Y%m%d.sql.gz'`

 

Setup Apache

Install the Web Server, set the run levels, and start the service:

[root@mybugzilla]# yum groupinstall "Web Server"
[root@mybugzilla]# chkconfig --levels 2345 httpd on
[root@mybugzilla]# service httpd restart


Try the main site to ensure that Apache is set up correctly by browsing to your site name or to http://localhost

You should see the default apache site showing that the webserver is installed properly.


Modify the httpd.conf file

Open the /etc/httpd/conf/httpd.conf file in your favorite editor.  Add these lines to the end of your httpd.conf file:

PerlSwitches -w -T
PerlConfigRequire /var/www/html/bugz/mod_perl.pl

Also make sure that you have the line "KeepAlive Off" per the bugzilla install instructions.

Restart Apache

[root@mybugzilla]# service httpd restart

Setup MySQL

Install MySQL, set the service to start on boot, and set the mysql root password:

[root@mybugzilla]# yum groupinstall "MySQL Database"
[root@mybugzilla]# chkconfig --levels 2345 mysqld on
[root@mybugzilla]# service mysqld restart
[root@mybugzilla]# /usr/bin/mysqladmin -u root password 'XXXX'


Now log in to mysql:

[root@mybugzilla]# mysql -pXXXX


Once logged into mysql as root, create the bugs user and the database:

mysql> create user 'bugs'@'localhost' IDENTIFIED BY 'XXXpasswordXXX';
mysql> create database bugs;
mysql> show databases;

Restore data

These instructions assume that you followed the above instructions for exporting your bugzilla database from Bugzilla 3.0.

[root@mybugzilla]# cd /path/to/restore/file
[root@mybugzilla]# gunzip bugs_20110414.sql.gz
[root@mybugzilla]# mysql -u root -pXXXX bugs < bugs_20110414.sql

Grant Permissions

Login to mysql as above and run

mysql> grant all on bugs.* to 'bugs'@'localhost';

 

Fix MySQL Defaults in /etc/my.cnf

Edit the /etc/my.cnf file and add these lines under the [mysqld] section:

[mysqld]
# Allow packets up to 4MB
max_allowed_packet=4M

# Allow small words in full-text indexes
ft_min_word_len=2


This ensures that attachments uploaded to bugs can now be up to 4MB instead of the default 1MB.

Restart MySQL

Restart the service to ensure any changes above are loaded:

service mysqld restart

 

Setup Bugzilla

Prep Bugzilla

Create the directories and download Bugzilla:

[root@mybugzilla]# cd /var/www
[root@mybugzilla]# mkdir bugz
[root@mybugzilla]# cd bugz
[root@mybugzilla]# wget http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-4.0.tar.gz
[root@mybugzilla]# tar xzvf bugzilla-4.0.tar.gz
[root@mybugzilla]# cd /var/www/html
[root@mybugzilla]# ln -s ../bugz/bugzilla-4.0 bugz
[root@mybugzilla]# cd /var/www/bugz/bugzilla-4.0

 

Install Bugzilla Dependencies

./checksetup.pl --check-modules


You will be told you should run several commands to install all the perl modules.  For example, I was told to run these:

[root@mybugzilla]# /usr/bin/perl install-module.pl Digest::SHA
[root@mybugzilla]# /usr/bin/perl install-module.pl Date::Format
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime::TimeZone
[root@mybugzilla]# /usr/bin/perl install-module.pl Template
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::Send
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::MIME
[root@mybugzilla]# /usr/bin/perl install-module.pl List::MoreUtils


or just simply:

[root@mybugzilla]# /usr/bin/perl install-module.pl --all

DateTime won't build so I'm trying this:

[root@mybugzilla]# yum install mysql-devel gd gd-devel perl-DBD-MySQL mod_perl-devel

(per instructions at http://www.bugzilla.org/docs/4.0/en/html/installation.html)

The perl-DBD-MySQL package is 3.07 which is too old (4.0 is needed) so I had to be sure to run the cpan install:

[root@mybugzilla]# /usr/bin/perl install-module.pl DBD::mysql

I noticed that DateTime complains that I only have Archive::Tar 1.3901 which it found in the perl-Archive-Tar package.  I upgraded with the following:

[root@mybugzilla]# /usr/bin/perl install-module.pl Archive::Tar

Which got me Archive::Tar 1.76, which stopped the complaints in DateTime.  I installed DateTime by running these:

[root@mybugzilla]# /usr/bin/perl install-module.pl Module::Build
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime

 

Install Additional Modules

I installed these extra modules:

[root@mybugzilla]# /usr/bin/perl install-module.pl Net::LDAP
[root@mybugzilla]# /usr/bin/perl install-module.pl GD
[root@mybugzilla]# /usr/bin/perl install-module.pl Chart::Lines
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::Reply
[root@mybugzilla]# /usr/bin/perl install-module.pl Apache2::SizeLimit
[root@mybugzilla]# /usr/bin/perl install-module.pl GD::Graph
[root@mybugzilla]# /usr/bin/perl install-module.pl PatchReader
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::MIME::Attachment::Stripper

I know that out of the above, if you don't have Apache2::SizeLimit then there will be a problem when restarting the httpd server, which (per the above instructions) includes a reference to the mod_perl.pl script in the bugzilla folder, which in turn uses Apache2::SizeLimit.  If you have trouble (as I did), make sure you have the mod_perl-devel package installed in order to install Apache2::SizeLimit.

Edit Configuration

Now you'll need to edit the localconfig file to set up the variables.  Make sure you have these variables set.  You'll probably have to set $db_pass manually:

$create_htaccess = 1;
$webservergroup = 'apache';
$use_suexec = 0;
$db_driver = 'mysql';
$db_host = 'localhost';
$db_name = 'bugs';
$db_user = 'bugs';
$db_pass = 'XXXpasswordXXX';
$db_port = 0;
$db_sock = '';
$db_check = 1;
$index_html = 0;
$cvsbin = '/usr/bin/cvs';
$interdiffbin = '/usr/bin/interdiff';
$diffpath = '/usr/bin';
$site_wide_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

 

Re-Run CheckSetup

Re-run checksetup now that you've fixed the localconfig file.  This should test the settings in localconfig to ensure the correct db name, user name and password:

./checksetup.pl --check-modules


The script may remind you to perform some actions documented above.  If you've missed anything, go ahead and fix it now before continuing.

Bugzilla Upgrade

Upgrading can cause serious harm to the database.  Make sure you've backed up or you have a file migrated from another server that you can use to restore the database 'bugs' table in case the following fails.  There are probably more ways to migrate, but these are the actions that I took.

Ensure the character encoding is correct

Your database must be in UTF-8.  If the previous database used another encoding, you should fix it with the recode.pl script.

[root@mybugzilla]# /usr/bin/perl install-module.pl Encode::Detect
[root@mybugzilla]# cd /var/www/bugz/bugzilla-4.0/
[root@mybugzilla]# contrib/recode.pl --dry-run --guess


Review what would change, then run the command for real:

[root@mybugzilla]# contrib/recode.pl --guess

 

Continue with the checksetup.pl

Try the checksetup.pl script again.  You can now safely continue when prompted about the UTF-8 stuff.


 

Simple Kexec example

Some time ago I was helping a friend with some kexec problems and wrote some notes on how to use it. A CentOS-based server was used here, but the process should be pretty similar for other distributions too. The main advantage is skipping the BIOS init part, which on servers takes quite some time. I personally use it to reboot the gateway server (it also has other functions, like DNS, DHCP and OpenVPN server) and testing servers with minimal downtime. A nice kexec description is on its man page:

kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. kexec performs the function of the boot loader from within the kernel. The primary difference between a standard system boot and a kexec boot is that the hardware initialization normally performed by the BIOS or firmware (depending on architecture) is not performed during a kexec boot. This has the effect of reducing the time required for a reboot.

CentOS, Fedora users can install it using yum:

[root@cent:~]# yum install kexec-tools

To switch between kernels you have to install a new one; here, for example, running "yum update" also installed a new kernel, version 2.6.18-194.11.4.el5.

[root@cent:~]# yum update
[...]
Installed:
  kernel.x86_64 0:2.6.18-194.11.4.el5  kernel-devel.x86_64 0:2.6.18-194.11.4.el5
[...]

Current kernel is 2.6.18-194.11.3.el5

[root@cent:~]# uname -r
2.6.18-194.11.3.el5

kexec needs the kernel and initrd paths; the paths (not the full ones) can be found, for example, in the grub.conf file, which was already updated.

[root@cent:~]# cat /etc/grub.conf
[...]
title CentOS (2.6.18-194.11.4.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.4.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.4.el5.img
title CentOS (2.6.18-194.11.3.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.3.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.3.el5.img
[...]

Also the arguments passed to the kernel at boot time are needed, you can look at your current arguments in the /proc/cmdline file. Later these same arguments will be given for the new kernel.

[root@cent:~]# cat /proc/cmdline
ro root=LABEL=/

Now to load the new kernel:

[root@cent:~]# kexec -l /boot/vmlinuz-2.6.18-194.11.4.el5 \
--initrd=/boot/initrd-2.6.18-194.11.4.el5.img \
--command-line="$( cat /proc/cmdline )"

Start the magic and boot to the new loaded kernel:

[root@cent:~]# kexec -e
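
The lookup described above can be scripted. The following is an added example, not code from the original post: it parses a legacy grub.conf, picks the stanza for a given kernel version and builds the "kexec -l" argument list. The sample grub.conf is constructed from the excerpt above; the function names, the boot_dir default and the check_files parameter are assumptions of this example.

```python
"""Build the 'kexec -l' command for a kernel listed in a legacy GRUB grub.conf."""
import os
import shlex

# Constructed sample, shaped like the grub.conf excerpt in the post.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
title CentOS (2.6.18-194.11.4.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.4.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.4.el5.img
title CentOS (2.6.18-194.11.3.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.3.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.3.el5.img
"""


def parse_grub_entries(text):
    """Return one dict per 'title' stanza with its kernel, kernel args and initrd."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        if key == "title":
            entries.append({"title": rest, "kernel": None, "args": "", "initrd": None})
        elif not entries:
            continue  # global settings (default=, timeout=) before the first stanza
        elif key == "kernel" and rest:
            parts = rest.split(None, 1)
            entries[-1]["kernel"] = parts[0]
            entries[-1]["args"] = parts[1] if len(parts) > 1 else ""
        elif key == "initrd" and rest:
            entries[-1]["initrd"] = rest.strip()
    return entries


def _on_disk(path, boot_dir):
    """Map a grub.conf path to a filesystem path.

    With a separate /boot partition grub.conf omits the mount point (as in the
    post); without one the path already starts with /boot.
    """
    if path.startswith(boot_dir.rstrip("/") + "/"):
        return path
    return os.path.join(boot_dir, path.lstrip("/"))


def kexec_load_argv(entries, version, cmdline, boot_dir="/boot", check_files=True):
    """Return the argv for 'kexec -l' for the entry whose kernel matches version."""
    for entry in entries:
        if entry["kernel"] and entry["kernel"].endswith("-" + version):
            break
    else:
        raise LookupError("no grub.conf entry for kernel " + version)

    kernel = _on_disk(entry["kernel"], boot_dir)
    argv = ["kexec", "-l", kernel]
    paths = [kernel]
    if entry["initrd"]:
        initrd = _on_disk(entry["initrd"], boot_dir)
        argv.append("--initrd=" + initrd)
        paths.append(initrd)
    if check_files:
        # Refuse to build a command that points at files which are not there.
        for path in paths:
            if not os.path.isfile(path):
                raise FileNotFoundError(path)
    # The post reuses the running kernel's arguments from /proc/cmdline.
    argv.append("--command-line=" + cmdline.strip())
    return argv


if __name__ == "__main__":
    stanzas = parse_grub_entries(SAMPLE_GRUB_CONF)
    command = kexec_load_argv(stanzas, "2.6.18-194.11.4.el5",
                              "ro root=LABEL=/", check_files=False)
    print(shlex.join(command))
```

On a real server, read /etc/grub.conf and /proc/cmdline instead of the constructed sample and leave check_files at its default.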

Hope this post will be helpful and inspire others to some kexec experiments :)

 

Midnight Commander Notes

Midnight Commander is a popular file manager available from the repositories of almost all major Linux distributions. Many new users find it difficult to work on servers from the command line only, so Midnight Commander is a welcome help. Here are some tips and notes on how to use this tool, together with my most used shortcuts, which I used to give to users who had never worked with it before. As always, for a complete list of keyboard shortcuts and much more, man mc or info mc should work.

 

Usage tips

To start midnight commander simply type mc.

[podlevak@55cent:~]$ mc

 

If you want the panels pointing to some specific directories append a path (or two) after the mc:

[podlevak@55cent:~]$ mc /etc/httpd/ /var/log/

 

To go back to command line you don't have to quit midnight commander with F10 - on most shells, here bash is used, ctrl-z will put mc into background and it can be put back to foreground with fg command.

[podlevak@55cent:~]$ mc /etc/httpd/ /var/log/

[1]+  Stopped                 /usr/bin/mc -P "$MC_PWD_FILE" "$@"

[podlevak@55cent:~]$ fg

Another way is using the ctrl-o shortcut for hiding the panels; to show them press ctrl-o again.

 

Midnight commander comes with an integrated editor and viewer - you can use them also directly:

[podlevak@55cent:~]$ mcview /etc/hosts

[podlevak@55cent:~]$ mcedit new_file

 

Shortcuts

I've divided the shortcuts into three groups according to their usage. A little note on how to use them:

  1. when using a shortcut like ctrl-r, hold down the control key and then press the r key
  2. for shortcut like ctrl-x-o hold down the control key and then press the x key, let go and press the o key

File manipulation and shell commands

  • ctrl-x-c change permissions
  • ctrl-x-o change owner
  • ctrl-x-s create symlink
  • ctrl-x-ctrl-s edit symlink
  • esc-tab completion, like tab in shell
  • alt-s search in active panel, after pressing keys just write
  • alt-p previous entered command
  • alt-n next entered command
  • ctrl-space show directory size
  • ctrl-x-i shows file / directory info, press again to return to panel
  • ctrl-x-q quick view - view content of files in a preview window (F7 for search works), press again to return to panel

Displaying content

  • ctrl-o turn off/hide the panels, 2x turns them on
  • ctrl-r rescan (refresh active panel)
  • ctrl-u flip panels
  • alt-o open path in other panel
  • ctrl- frequently used directories, directory hot-list

Selecting

  • Insert select single file
  • * (asterisk) select all files, 2x un-selects if all files were selected, or inverts selection if files were selected (using a mask or insert)
  • + (plus) select mask, regular expression can be used
  • - (minus) un-select mask, regular expression can be used
 

VPN-O-Rama : IPCop to PFSense with IPSec

Introduction

Here's another episode of my VPN saga, this time we'll connect IPCop to PFSense with IPSec.

Just a few words about PFSense (http://www.pfsense.org/) if you don't know it; I've always used BSD and I'm a big fan of it. OK, we're on a Linux site, but many of you may possibly argue about BSD proof of scalability, stability, security, simplicity (IMHO) and networking capabilities (even after recent events, fake or not).

BSD PF (http://www.openbsd.org/faq/pf/) (Packet Filter) is a great technology and I totally love it. I don't want to start a flame war between Packet Filter and IPTables; this article is just focused on building an IPSec connection between Linux and a particular BSD distro (PFSense). I've done some research after dealing with M0n0wall, Smoothwall and so on and I've decided to give PFSense a try. It's one of my favorite firewall distributions, for SOHO installations but even for heavy duty connections and features (NAT traversal or load balancing for example). It's not a project for hobbyists; it may scale to business class installations easily.

Following this “VPN by examples” guide I'll connect PFSense to IPCop with an IPSec connection, both machines have static IP addresses, in later examples I'll use even dynamic IPs; I didn't find anything related to IPCop to PFSense available on the web so I've decided to publish my documentation with a lot of screenshots as usual.

 

This article will follow my previous “VPN-O-Rama: IPCop to IPCop with IPSec” (http://www.linux.com/community/blogs/vpn-o-rama-ipcop-to-ipcop-with-ipsec.html) and I'll add a new machine to the same network, so it will be:

 

Network topology:

Office                     Network     Subnet
Headquarter (Coruscant)    10.0.2.0    255.255.255.0
Subsidiary 1 (Alderaan)    10.0.3.0    255.255.255.0
Subsidiary 1 (Tatooine)    10.0.4.0    255.255.255.0

 

 

Firewalls:

Location/Name    Firewall Distro    Private IP (LAN)    Public IP (WAN)
Coruscant        IPCop v1.4.21      10.0.2.94           10.0.0.94
Alderaan         IPCop v1.4.21      10.0.3.95           10.0.0.95
Tatooine         PFSense v1.2.3     10.0.4.96           10.0.0.96

 

 

I've skipped PFSense installation process to focus on a ready new installed PFSense machine named Tatooine, let me know if you need an article on it.

 

My Goal

 

I'd like to achieve an IPSec connection between two static machines (Tatooine and Coruscant), with no firewalls or other port blocking rules on the public WAN between these two firewalls. Variations on this task may follow in later articles.

 

PFSense Configuration

Here's PFSense main GUI in the private network example:

 

WARNING:

Before any configuration, please consider that we're creating an example and we're using private networks (10.0.0.0 Class A IPs on WAN). On PFSense there's an option for blocking private network traffic on WAN; before starting with our example you need to disable this rule! Under Menu Interfaces / WAN there's an option named “Block private networks”. Just forget it if you're using a real network on public classes (on WAN); see the screenshot and disable this rule if you're in my case.

 

Now go under VPN menu, option IPSec

Enable “Enable IPSec” check box and hit “Save” button, see:

 

then click the “Add tunnel” icon on the right side of the page, now you've a new page where you can specify VPN tunnel options. Here's what I've done:

General parameters (PFSense related)

  • Tunnel enabled, so disable this tunnel check box is unchecked

  • Interface WAN, in my case I need to use WAN to reach remote subnet

  • DPD interval (dead peer detection), in my case 60 seconds (it should be enough for everyone)

  • Remote Subnet, in this example is 10.0.2.0 (Coruscant network) with a 24 bit mask (255.255.255.0)

  • Remote Gateway, in this example is 10.0.0.94 (Coruscant firewall on public network)

 

VPN Phase 1 Authentication (VPN Parameters for phase 1)

  • Negotiation Mode, set to “main”

  • My Identifier, left as it is (my IP address). In my case I've a quite easy network connection with two static IP addresses, no NAT traversal or other stuff around. We'll see advanced configurations with NAT and dynamic IP addresses the next time

  • Encryption algorithm, I'm using Blowfish, much better than 3DES. Please remember all your parameters, they must match settings chosen on the remote side

  • Hash algorithm, MD5 for hashing, I've chosen MD5 here and on IPCop side

Let me show you first page with parameters from above

 

Let's go on with:

  • DH key group, select option “5” (on IPCop I've chosen 1536 bits)

  • Lifetime, set it to 3600 seconds (1 hour)

  • Authentication Method, I'm now using “pre-shared key”; CAs (Certification Authorities) are not available as native services on PFSense. Developers are focusing their software on firewall features and I respect their idea of keeping CAs outside, even if it would be great to have something inside (like IPCop and other Linux distros). Creating a CA from scratch on another PC requires a lot of time and it's outside the scope of this article; I'll write down some notes on it if you need it. To keep things as simple as I can I've chosen to use a Pre Shared Key; this is not a roadwarrior connection but a connection between two offices, so it's something a common user never sees

  • Pre-Shared Key, I'm using “12345” (“I've got the same combination on my luggage” cit.: http://en.wikiquote.org/wiki/Spaceballs )

And here's another shot:

 

VPN Phase 2 proposal (SA/Key Exchange)

Here's the second round of a VPN connection: key proposal and exchange, here are my parameters:

  • Protocol: ESP, encryption

  • Encryption algorithms, I'm using Blowfish, I've disabled everything else to avoid confusion so VPN server avoids even their proposal

  • Hash algorithms, SHA1 and MD5, keep them as they are

  • PFS key group, we're using 1536 bit so option “5” is the way to go

  • Lifetime, is 28800 (8 hours)

No keep alive host, use something if you detect drops on your line

Here's my shot:

I'll repeat it again: please keep in mind that all these parameters are mandatory. You need to fill them in even if PFSense tells you they're optional and, even more important, write them down in a notepad and enter them exactly as they are on the IPCop side.

 

Finally hit SAVE button to create your VPN connection, now on the VPN:IPSec page hit Apply Changes button to confirm your new VPN connection.

 

IPCop Configuration

Now it's time to create the VPN connection on the IPCop side, back again on Coruscant, you'll probably see past article information (http://www.linux.com/community/blogs/vpn-o-rama-ipcop-to-ipcop-with-ipsec.html) but we don't care.

On VPNs menu, VPNs option here's the situation:

now press “Add” button in the middle of the screen to create a new PSK VPN connection with IPSec and select Net-to-Net Virtual Private Network to continue, we want to connect these two nets, then press Add to go on (see screenshot)

Here are the parameters for this VPN connection:

  • Name, Tatooine. The name of your VPN connection, choose the name you want, it really doesn't matter

  • Host IP Address: 10.0.0.94. Where VPN starts: red interface, WAN (see previous information about it)

  • Remote Host/IP: 10.0.0.96. Where your remote firewall (Tatooine) is, static IP address in my case

  • Local Subnet: 10.0.2.0/255.255.255.0 It should be already set to your own subnet LAN on Coruscant network

  • Remote Subnet: 10.0.4.0/255.255.255.0 Tatooine network information for our example

  • Check “Edit advanced settings when done” check box because you need to deal with Phase 1 & 2 advanced parameters for VPN settings, important

  • In authentication window below select “Use a Pre-Shared key” and enter “12345” as the PSK password (please choose a different one on real cases, we already have Spaceballs http://en.wikiquote.org/wiki/Spaceballs)

Here's another shot

 

Then hit Save on the bottom of the page to edit advanced settings.

Now You're in the advanced settings page where you can specify connection parameters for phase 1 & 2 (VPN)

Here you need to set:

Phase 1

  • IKE Encryption to Blowfish (both 256bit and 128bit)

  • IKE Integrity to SHA1 and MD5

  • IKE Grouptype to MODP-1536 (remember 1536 bit above ???)

  • IKE Lifetime to 1 hour

Phase 2

  • ESP Encryption to Blowfish (both 256bit and 128bit)

  • ESP Integrity to SHA1 and MD5

  • ESP Grouptype to MODP-1536

  • ESP Keylife to 8 hours

Keep additional parameters (checkboxes below) as they are, so everything unchecked except "Perfect Forward Secrecy (PFS)"

See screenshot for details

Now under main VPN menu on IPCop wait for a while (how much ? a while...) and you'll probably see something like that (open status is green)


 

On PFSense side you need to go to Status menu, IPSec option and in the Overview tab you'll see this (status with green arrow is for the on line link):

 

As you may see from this example, all the effort goes into matching the VPN parameters: phase 1 and phase 2 settings need to have the same values on both sides. It's also important to mention IKE lifetime and keylife; if they don't match you don't even have the connection.
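
The matching described above can be checked before the settings are saved on either box. The following is an added example, not part of the original article: it takes the values listed for Tatooine (PFSense) and Coruscant (IPCop), brings both GUIs' notation to a common form and reports every mismatch. The dictionary layout, key names and function names are assumptions of this example.

```python
"""Compare the two ends of a net-to-net IPsec tunnel before saving them in each GUI."""
import ipaddress

# PFSense shows DH/PFS groups by number, IPCop by MODP size
# (groups 1 and 2: RFC 2409, group 5: RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Values transcribed from the article. Tatooine's local subnet comes from the
# topology table; the dictionary layout is an assumption of this example.
PFSENSE = {
    "wan_ip": "10.0.0.96",
    "local_subnet": "10.0.4.0/24",
    "remote_gateway": "10.0.0.94",
    "remote_subnet": "10.0.2.0/24",
    "phase1": {"enc": {"blowfish"}, "hash": {"md5"}, "dh_group": 5, "lifetime_s": 3600},
    "phase2": {"enc": {"blowfish"}, "hash": {"sha1", "md5"}, "dh_group": 5,
               "lifetime_s": 28800},
}
IPCOP = {
    "wan_ip": "10.0.0.94",
    "local_subnet": "10.0.2.0/255.255.255.0",
    "remote_gateway": "10.0.0.96",
    "remote_subnet": "10.0.4.0/255.255.255.0",
    "phase1": {"enc": {"blowfish"}, "hash": {"sha1", "md5"}, "modp_bits": 1536,
               "lifetime_h": 1},
    "phase2": {"enc": {"blowfish"}, "hash": {"sha1", "md5"}, "modp_bits": 1536,
               "lifetime_h": 8},
}


def normalize_phase(phase):
    """Bring either GUI's notation to proposal sets, MODP bits and seconds."""
    if "modp_bits" in phase:
        bits = phase["modp_bits"]
    else:
        bits = DH_GROUP_BITS[phase["dh_group"]]
    if "lifetime_s" in phase:
        seconds = phase["lifetime_s"]
    else:
        seconds = phase["lifetime_h"] * 3600
    return {"enc": set(phase["enc"]), "hash": set(phase["hash"]),
            "modp_bits": bits, "lifetime_s": seconds}


def addressing_problems(a, b, a_name, b_name):
    """a's remote gateway and subnet must be b's WAN address and local subnet."""
    problems = []
    if ipaddress.ip_address(a["remote_gateway"]) != ipaddress.ip_address(b["wan_ip"]):
        problems.append(f"{a_name}: remote_gateway {a['remote_gateway']} "
                        f"is not {b_name}'s WAN address {b['wan_ip']}")
    # ip_network accepts both /24 and /255.255.255.0, so the two GUIs compare equal.
    if ipaddress.ip_network(a["remote_subnet"]) != ipaddress.ip_network(b["local_subnet"]):
        problems.append(f"{a_name}: remote_subnet {a['remote_subnet']} "
                        f"is not {b_name}'s local subnet {b['local_subnet']}")
    return problems


def tunnel_problems(a, b, a_name="pfsense", b_name="ipcop"):
    """Return a list of human-readable mismatches; an empty list means both ends agree."""
    problems = (addressing_problems(a, b, a_name, b_name)
                + addressing_problems(b, a, b_name, a_name))
    for name in ("phase1", "phase2"):
        pa, pb = normalize_phase(a[name]), normalize_phase(b[name])
        for key in ("enc", "hash"):
            # Each side may offer several algorithms; they need at least one in common.
            if not pa[key] & pb[key]:
                problems.append(f"{name}: no common {key} algorithm "
                                f"({sorted(pa[key])} vs {sorted(pb[key])})")
        for key in ("modp_bits", "lifetime_s"):
            # The article requires group size and lifetimes to be identical.
            if pa[key] != pb[key]:
                problems.append(f"{name}: {key} differs ({pa[key]} vs {pb[key]})")
    return problems


if __name__ == "__main__":
    for line in tunnel_problems(PFSENSE, IPCOP) or ["both ends match"]:
        print(line)
```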

 

I hope this guide is pretty clear for anyone. I tried to find something like it when I was dealing with my first connection but unfortunately I didn't find anything on the web.

 

Please let me know if you need further details on this connection, in the next episodes I'll show you some variations of this Config and I'll connect new distros as well, share your comments if any

 

Previous:
VPN-O-Rama: VPNs intro, practical HOWTOs
VPN-O-Rama: IPCop to IPCop with IPSec

Next:
IPSec connection between a static and dynamic IP Address



Regards

Andrea (Ben) Benini

 

 

HOWTO MySQL: Reset root password

A few days ago I had in front of me a Gentoo installation with a MySQL daemon, no documentation provided with the machine and absolutely no root password for the DB. I tried to obtain the root password for MySQL, and this is what I did. These instructions are valid for every Linux distro, whatever the release or flavor.

First of all, you need to stop mysql daemon and all running instances of mysql, something like that:

~# /etc/init.d/mysql stop
* Stopping mysql ...
* Stopping mysqld (0)                                                    [ ok ]

Starting/stopping services may vary according to your Linux distribution's documentation. Double-check for zombie processes or open mysql instances (ps aex|grep mysql) and kill them if there are any.

Now you can run this command to start the daemon with full privileges and no authentication:

mysqld_safe --skip-grant-tables &

Even if not reported in the man page or not documented with:

~# mysqld_safe --help
Usage: /usr/bin/mysqld_safe [OPTIONS]
  --no-defaults              Don't read the system defaults file
  --defaults-file=FILE       Use the specified defaults file
  --defaults-extra-file=FILE Also use defaults from the specified file
  --ledir=DIRECTORY          Look for mysqld in the specified directory
  --open-files-limit=LIMIT   Limit the number of open files
  --core-file-size=LIMIT     Limit core files to the specified size
  --timezone=TZ              Set the system timezone
  --mysqld=FILE              Use the specified file as mysqld
  --mysqld-version=VERSION   Use "mysqld-VERSION" as mysqld
  --nice=NICE                Set the scheduling priority of mysqld
  --skip-kill-mysqld         Don't try to kill stray mysqld processes
  --syslog                   Log messages to syslog with 'logger'
  --skip-syslog              Log messages to error log (default)
  --syslog-tag=TAG           Pass -t "mysqld-TAG" to 'logger'

All other options are passed to the mysqld program.

you can find more info on it at http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html (wish to have this link or just read the doc before doing it...)

Now enter in the DB with root privileges:

mysql -u root

and locate mysql default schema

use mysql;

"user" table is where you can find/reset/update information related to mysql users (not that strange...)

mysql> show columns from user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host | char(60) | NO | PRI | | |
| User | char(16) | NO | PRI | | |
| Password | char(41) | NO | | | |
| Select_priv | enum('N','Y') | NO | | N | |
| Insert_priv | enum('N','Y') | NO | | N | |
| Update_priv | enum('N','Y') | NO | | N | |
| Delete_priv | enum('N','Y') | NO | | N | |
| Create_priv | enum('N','Y') | NO | | N | |
| Drop_priv | enum('N','Y') | NO | | N | |
| Reload_priv | enum('N','Y') | NO | | N | |
| Shutdown_priv | enum('N','Y') | NO | | N | |
| Process_priv | enum('N','Y') | NO | | N | |
| File_priv | enum('N','Y') | NO | | N | |
| Grant_priv | enum('N','Y') | NO | | N | |
| References_priv | enum('N','Y') | NO | | N | |
| Index_priv | enum('N','Y') | NO | | N | |
| Alter_priv | enum('N','Y') | NO | | N | |
| Show_db_priv | enum('N','Y') | NO | | N | |
| Super_priv | enum('N','Y') | NO | | N | |
| Create_tmp_table_priv | enum('N','Y') | NO | | N | |
| Lock_tables_priv | enum('N','Y') | NO | | N | |
| Execute_priv | enum('N','Y') | NO | | N | |
| Repl_slave_priv | enum('N','Y') | NO | | N | |
| Repl_client_priv | enum('N','Y') | NO | | N | |
| Create_view_priv | enum('N','Y') | NO | | N | |
| Show_view_priv | enum('N','Y') | NO | | N | |
| Create_routine_priv | enum('N','Y') | NO | | N | |
| Alter_routine_priv | enum('N','Y') | NO | | N | |
| Create_user_priv | enum('N','Y') | NO | | N | |
| ssl_type | enum('','ANY','X509','SPECIFIED') | NO | | | |
| ssl_cipher | blob | NO | | NULL | |
| x509_issuer | blob | NO | | NULL | |
| x509_subject | blob | NO | | NULL | |
| max_questions | int(11) unsigned | NO | | 0 | |
| max_updates | int(11) unsigned | NO | | 0 | |
| max_connections | int(11) unsigned | NO | | 0 | |
| max_user_connections | int(11) unsigned | NO | | 0 | |
+-----------------------+-----------------------------------+------+-----+---------+-------+
37 rows in set (0.00 sec)

Now update your password with something like that:

update user set password=PASSWORD("rememberyournewpassword") where User='root';

And don't forget to flush privileges to have everything updated

flush privileges;

and quit from DB

quit;

then stop/kill the running daemon and restart it in "normal" mode

/etc/init.d/mysql stop
## Even stop running daemons if any
ps aex |grep mysqld # to find sockets
kill -SIGKILL <pid> # to kill running mysqld pid's

Now test your new password with something like that

mysql --host=127.0.0.1 --user=root -p

and insert your new password

 

that's it

Ben

 

 

Error: Could not stat() command file '/var/lib/nagios3/rw/nagios.cmd'!

Here's a viable solution on my debian server:

dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3

And... et voilà!

The proper permissions have been set and everything should work as expected

Regards
 

2 Cent Tip - Extend (resize) a whole device partition.

Occasionally I have to resize partitions on iSCSI or Fiber-Channel attached SAN storage.  Both technologies allow you to easily extend the available storage for a host by extending LUNs, or volumes.  A common problem after extending the size of the LUN, or volume, is resizing partitions to fill out the new size.

 

For the most part, I usually fire up PartedMagic and it's a snap, even with Fiber-Channel attached enterprise storage.  Once the HBAs have been zoned to Fiber-Channel switches, the HBAs do all the heavy lifting.  In other words, on Fiber-Channel it doesn't matter if you're using PartedMagic or Knoppix; the server just knows where the storage is, and that it's certainly attached.  The only dependency for this working on a Live boot disk is drivers for the HBA cards.

 

iSCSI is a bit different.  Because iSCSI relies on commodity Network Interface Cards, this technology is largely implemented in software.  One perceived advantage is that iSCSI may seem less complicated to use than Fiber-Channel storage.  Unfortunately, in this case, PartedMagic did not have open-iscsi software, and I could install open-iscsi in the Knoppix Live ramdisk. However, because Knoppix came with an outdated iSCSI kernel module, it was not new enough to inter-operate with the open-iscsi software.

 

Furthermore, the version of parted that shipped with RHEL 5 threw an incompatible filesystem error, refusing to modify the filesystem. So, in the end, I twiddled some bits on the partition table with fdisk, and used resize2fs to extend the partition.

 

Assuming you have a backup of the filesystem you are working on, you can proceed with the following steps to extend a single partition to the end of the extended volume.  If you have multiple partitions on a volume, you may want to stick to more reliable methods of resizing and extending.  If you screw up the cylinder boundaries on a device with multiple partitions, you'll definitely lose data.  A single partition, in this example, is a much simpler scenario.

 

The device name in this example is /dev/mapper/u02, the first partition is /dev/mapper/u02p1:

  • Run fdisk -l /dev/mapper/u02 to get the starting cylinder.
Disk /dev/mapper/u02: 100.9 GB, 108340550042 bytes

255 heads, 63 sectors/track, 13171 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/mapper/u02p1 1 13171 26450329 83 Linux

  • Reboot the server, after extending the volume or LUN on your SAN, and before proceeding to extend the partition in your Operating System.  The Operating System needs to re-read sector 0 on the extended SAN volume, before continuing. Note, that fdisk will report 26109 cylinders instead of 13171, after I rebooted the server.
  • Next, we will run: fdisk /dev/mapper/u02, and then hit the keys: d, n, p, 1, [enter], [enter], w
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').

Command (m for help): d
Selected partition 1

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-26109, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-26109, default 26109):
Using default value 26109

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
  • Finally, run resize2fs on /dev/mapper/u02p1. If you are using ext3, you can do an on-line resize while the volume is mounted.  It is probably safest to umount the partition to be re-sized, however.
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/u02p1 is mounted on /u02; on-line resizing required
Performing an on-line resize of /dev/mapper/u02p1 to 52430127 (4k) blocks.
The filesystem on /dev/mapper/u02p1 is now 52430127 blocks long.


Refer to the resize2fs documentation for more information on the command and its proper usage.

 

Analyzing Apache Logs interactively from the terminal with GoAccess

I have always been analyzing my Apache logs with the popular tail -f, which to a certain point is quite neat that you can see the whole request in real time. However, there is a point where you may be interested to know more details about your web logs.

This is where I find GoAccess really interesting. Whilst Awstats, Analog and Webalizer all generate HTML statistics, this application lets you analyze your Apache web server logs straight from the terminal. It generates statistics really fast and displays them in a nice ncurses interface.

More information about this project at: http://goaccess.prosoftcorp.com/

 

RAID Disk Configuration (mdadm.conf)

Back again with a very quick tip: RAID disk array configuration.

After a few articles like:
Installing GRUB on the other disks
Replacing faulted raid drive
I'm just adding my configuration related to one of my RAID installations on a linux server.

Machine has Gentoo Linux (current portage, AMD64 arch) and a RAID system with only two SATA drives with a simple RAID1 config. Nothing more, nothing less

Quite easy config to have a virtual disk composed like this:

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/md2 4806824 997012 3809812 21% /
tmpfs 449108 0 449108 0% /lib/init/rw
udev 10240 144 10096 2% /dev
tmpfs 449108 0 449108 0% /dev/shm
/dev/md0 90195 11088 79107 13% /boot
/dev/mapper/storage-storage 306966528 82096984 224869544 27% /home

I've a boot partition (md0), a swap partition (md1), root partition (md2) and a logical volume manager (LVM) on /dev/md3

Nothing strange, nothing spectacular: every configuration is made by hand, no fancy graphical tools involved. Configs for RAID5 installations have the same layout.

Here's the array configuration file (mdadm.conf)

# scan all partitions (/proc/partitions) for MD superblocks.
DEVICE partitions

# auto-create devices
CREATE owner=root group=disk mode=0660 auto=yes

# tag arrays as belonging to the local system
HOMEHOST <system>

# Monitoring daemon instructions
MAILFROM FileServer Administrator
# placeholder address: set this to the mailbox that should receive alerts
MAILADDR root@example.com

# MD array
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=d4eb97cf:da422dd0:36eb05f3:bbd531f4
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=a614ae3f:a9afcbfc:91f980c8:762e06bc
ARRAY /dev/md2 level=raid1 num-devices=2 UUID=19d6f845:358ff0a9:188cf822:397115dc
ARRAY /dev/md3 level=raid1 num-devices=2 UUID=24346f3b:bad36d8b:961a4a14:4eae9079

# Modified by Ben

Again, nothing strange here, hope it helps newbies or contributors interested in a RAID installation, please share your thoughts if this simple config can be better

Next step: LVM configuration sample

 

Hope it helps you
Glad to read your comments

 

Andrea (Ben) Benini

 

Creating XLS file on the fly from a PHP application

Here's a quick and dirty solution for a common problem, if you've a web application used by common Windows users and you publish data on it sometimes you receive this kind of question:

"Are your information exportable into an XLS (Excel) file ?"

For example I've an accounting application exporting some data on a web page, the user just wants to download an Excel file or open it directly from the web page, there's no rocket science here, this is just what I've done, let's roll some php code:

Create an header section (adapted from http://www.php.net/manual/en/function.header.php):

$export_file = "my_name.xls";
// Discard any buffered output, but only if a buffer is actually open
if (ob_get_level() > 0) {
    ob_end_clean();
}
ini_set('zlib.output_compression','Off');
header('Pragma: public');
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate'); // HTTP/1.1
header('Cache-Control: pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
header("Pragma: no-cache");
header("Expires: 0");
header('Content-Transfer-Encoding: none');
header('Content-Type: application/vnd.ms-excel;'); // This should work for IE & Opera
header("Content-type: application/x-msexcel"); // This should work for the rest
// basename() keeps path components out of the download name
header('Content-Disposition: attachment; filename="'.basename($export_file).'"');

Put your data in a string (of course init it first):

$sBuffer = "";

Then start adding your data in a loop

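for (...your loop statement goes here...) {
    // One row per iteration: a tab between columns and a newline at the end
    // (assumed separators)
    $sBuffer .= "column1\tcolumn2\tcolumn3\tcolumn4\n";
}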

Example above creates 4 columns with your raw data, quite easy to adapt to your own needs. Then finally output your data with this:

echo($sBuffer);

Put this final part after the header section shown above and that's it! Nothing spectacular, I mean, but it works fine on every computer with an office automation suite. When the user presses your button he gets an XLS sheet and can open it with Office or OpenOffice as well; the client or server operating system doesn't matter, since this trick just follows the Excel v1 and v2 specs (very ancient but still working).

Please don't deal with ActiveX, proprietary grids or closed source solutions, this is just what you need to keep it simple

 

Hope it helps
Glad to hear your comments

 

Andrea (Ben) Benini
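
Because the export above writes raw application data into cells that a spreadsheet program will interpret, values starting with =, +, - or @ are evaluated as formulas when the file is opened. The following is an added example, not the original author's code, that neutralises such cells before building the buffer; it assumes tab-separated rows, and the function names and sample rows are hypothetical.

```php
<?php
/** Make one value safe to place in a tab-separated row read by a spreadsheet. */
function xls_safe_cell($value): string
{
    // Tabs and line breaks inside a value would shift columns or start a new row.
    $s = str_replace(["\t", "\r", "\n"], ' ', (string) $value);
    // Plain numbers (including negative amounts) are passed through unchanged.
    if (is_numeric($s)) {
        return $s;
    }
    // A leading =, +, - or @ makes the cell a formula; prefixing a single quote
    // (the mitigation OWASP describes for CSV injection) keeps it as text.
    $t = ltrim($s);
    if ($t !== '' && in_array($t[0], ['=', '+', '-', '@'], true)) {
        return "'" . $s;
    }
    return $s;
}

/** Build one tab-separated line from an array of raw cell values. */
function xls_row(array $cells): string
{
    return implode("\t", array_map('xls_safe_cell', $cells)) . "\r\n";
}

/** Reduce a requested download name to characters safe inside the header. */
function xls_filename(string $name): string
{
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    return ($base === '' || $base[0] === '.') ? 'export.xls' : $base;
}

// Constructed sample data: rows 1002 and 1003 carry formula-like values.
$rows = [
    ['Invoice', 'Customer', 'Amount', 'Note'],
    [1001, 'ACME Ltd', -250.75, 'refund'],
    [1002, '=2+5', 99, "line1\nline2"],
    [1003, 'Bob', '12.00', '@SUM(A1:A9)'],
];

$sBuffer = '';
foreach ($rows as $row) {
    $sBuffer .= xls_row($row);
}

if (PHP_SAPI !== 'cli') { // headers only make sense when served over HTTP
    header('Content-Type: application/vnd.ms-excel');
    header('Content-Disposition: attachment; filename="' . xls_filename('my_name.xls') . '"');
    header('X-Content-Type-Options: nosniff');
}
echo $sBuffer;
```

Run from the command line, it prints the four rows with `'=2+5` and `'@SUM(A1:A9)` quoted as text and the negative amount left as a number.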

 