Smokes your problems, coughs fresh air.

Category: Technology (Page 16 of 47)

Fixing a Xen DomU’s grub config

When you use xen-create-image to bootstrap an ubuntu, it sets up a grub config file menu.lst. However, this boot config is not kept up-to-date with newer ubuntu’s because they use grub2 (which uses grub.cfg and not menu.lst). And Xen’s pygrub first looks at menu.lst, so if you have a stale file, it will always boot an old kernel.

I ‘Fixed’ it like this (a real fix I have yet to devise, but this works. Actually, I think it is a bug):

The grub hooks in Debian and Ubuntu don’t take the fact into account that the machine might be running as paravirtualized VM. Therefore, it can’t find /dev/xvda to install grub on, which it shouldn’t try. Bug reports exist about this, but it is not deemed important, it seems. The result is that the menu.lst that was created by xen-create-image is never updated and updates to the kernel are never booted.

Pygrub considers menu.lst over grub.cfg (which would give problems with upgrading to grub2). But you can also use it to your advantage. You can edit /etc/kernel-img.conf to look like this (do_symlinks = yes and no hooks):

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook =
postrm_hook   =

And then make /boot/grub/menu.lst with this:

default         0
timeout         2
 
title           Marauder
root            (hd0,0)
kernel          /vmlinuz root=/dev/xvda2 ro
initrd          /initrd.img

Then uninstall grub. This way, you always boot the new kernel. (actually, I found that you can’t always uninstall grub. I now have machines with grub-pc and grub-common installed, but have an empty /boot/grub with only a menu.lst there. This will keep aptitude from complaining about grub-pc not being able to configure, because it’s unable to detect the bios device for /dev/xvda2 (or whatever)

CUPS printer driver for my HP4050

My HP4050 has a million different drivers to choose from. Some don’t have the maximum DPI, some don’t have other options, like selecting paper output. The one that works the best seems to be “HP LaserJet 4050 Series Postscript (recommended) (grayscale, 2-sided printing)”. However, I have no idea anymore if that came from hplip, foomatic, gutenprint, or whatever.

Converting a MySQL database from latin1 to utf8

mysqldump dbname > dbname_bak_before_messing_with_it.sql
mysqldump --default-character-set=latin1 --skip-set-charset dbname > dump.sql
sed -r 's/latin1/utf8/g' dump.sql > dump_utf.sql
mysql --execute="DROP DATABASE dbname; CREATE DATABASE dbname CHARACTER SET utf8 COLLATE utf8_general_ci;" 
mysql --default-character-set=utf8 dbname < dump_utf.sql

Setting up a postfix fallback MX

These are some short stepts and pointers to setup a postfix fallback MX. It does not describe postfix basics, nor how to install Mailscanner (a necessisity, because spammers like sending spam to fallback MX’s because they’re usually not as well protected).

First, postfix has a special transport, called ‘relay’, which is the same as SMTP, except that it doesn’t send to the backup MX. In this case, that means it doesn’t send to itself, avoiding loops. The relay transport is the default for all the domains you specify in the relay_domains parameter.

Should the machine have a relayhost defined, you need to disable that for each of the domains you’re a backup MX for. You can do that with transport_maps. In my case, the transport_maps is hash:/etc/postfix/transport_maps. That is a key-value file on which you run ‘postmap’ after you’ve edited it. In it, specify this (the comments explain it):

# When you specify a transport without nexthop, it resets the relay to the
# recipient domain (see man 5 transport). And, when the transport is relay,
# postfix will not relay to the backup MX, to prevent loops back to itself. So,
# because this host has a default relayhost, use the folowwing when you want to
# specify a domain for which we are backup MX: 
# example.com            relay 

The next step you want to do is take measures to prevent mails to non-existent users piling up in the queue. Because spam is sent to the backup MX all the time, it will relay it to the primary, which rejects it. Your backup host will then bounce all kinds of spam mails…

To fix that, we instruct postfix to use recipient address verification. This causes it to probe the primary host to check the address exists (and caches that info) before relaying.

To enable it, do this:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient
unverified_recipient_reject_reason = Address lookup failed
# Prevent caching non-existent users, to prevent delivery failures when new users are unknown still.
address_verify_negative_cache = no
# Setting to 550 to make a reject a fatal error, not a defer.
unverified_recipient_reject_code = 550
# The point of a backup MX is to accept mail when the primary is down, so setting this prevents incoming mail being deferred when the address probe cannot be done.
# TODO: find out how to actually implement it, because it doesn't work; permit it not a valid option here.
#unverified_recipient_tempfail_action = permit 

The reject_unknown_recipient_domain prevents probes to domains that don’t exist.

Some extra options, not strictly related to being a backup MX:

smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unknown_helo_hostname
unknown_address_reject_code = 550
# Override the default of 5 days, because the point of a backup MX is to keep it around for a while.
maximal_queue_lifetime = 21d

Adding SPF support to Postfix

(Hmm, this suggests the python version might be better).

Source.

aptitude -P install postfix-policyd-spf-perl

Add this to master.cf (but perhaps change the path to the script):

policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

Add this to main.cf, directly below/after reject_unauth_destination (if you do it before, you are an open relay):

check_policy_service unix:private/policy

So:

smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policy
  reject_unauth_pipelining,
  reject_non_fqdn_recipient

The source article has stuff about testing.

Tracking Xen domU’s with munin

To view statistics of your xen server with Munin (source):

cd /usr/local/share/
mkdir -p munin/plugins
cd munin/plugins
wget http://wiki.kartbuilding.net/xen_traffic_all
wget http://wiki.kartbuilding.net/xen_cpu_percent
chmod 755 xen_traffic_all xen_cpu_percent
ln -s /usr/local/share/munin/plugins/xen_traffic_all /etc/munin/plugins/
ln -s /usr/local/share/munin/plugins/xen_cpu_percent /etc/munin/plugins/
vim /etc/munin/plugin-conf.d/munin-node

#add the following:
[xen_traffic_all]
user root
[xen_cpu_percent]
user root

/etc/init.d/munin-node restart

Original links:

I wanted to attach the scripts, but because of upload problems, I can’t…

Getting a better MySQL prompt

When you want to see which user you are and which database you’re working with, put this in .my.cnf:

prompt=(\\u@\\h) [\\d]>\\_

Too bad mysql doesn’t support color. You can make it work with rlwrap, but that’s kind of clumsy.

edit: hmm, this destroys mysqldump… argh.

Installing a commercial SSL certificate in Zimbra

Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):

  • Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
  • Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
  • Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
  • ‘su – zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
  • A restart may not even be necessary. My monitoring already started alerting me about the recovery before hand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’

Old post:

I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.

  • Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
  • Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
  • Place server certificate in /tmp/ssl.crt.
  • Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
  • Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
  • Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start
« Older posts Newer posts »

© 2024 BigSmoke

Theme by Anders NorenUp ↑