Linux – Page 5 – A changelog by Daniel Mettler

April 28, 2009April 28, 2009

Linux: Saving energy using auto-poweroff

I used to have a headless Linux LAN server that ran 24/7, i.e. even when I actually didn’t use it. Now, it powers itself off automatically as soon as it doesn’t detect any running workstations/notebooks (with dynamically assigned IP addresses) in the LAN.

Here’s how to do it:

In /usr/local/bin, create a new bash script named “shutdown_if_no_dhcp_client_in_lan” with the following content:

#!/bin/sh
# Shutdown the box if there aren't any (not ignored)
# DHCP clients in the LAN

# ignore the skype base station
ignored_macaddr="aa:bb:cc:dd:ee:ff"

# dhcp range starts at 192.168.1.$dhcpstart
dhcpstart=32

# dhcp range ends at 192.168.1.$dhcpend
dhcpend=46

for i in $(seq $dhcpstart 1 $dhcpend)
do
  # returns 0, if ip reachable. returns 1, if not reachable
  ping -w 1 -q 192.168.1.$i >/dev/null
  if [ "$?" = "0" ]; then
    # check whether this ip should be ignored
    if [ "`ip neighbor|grep 192.168.1.$i|grep $ignored_macaddr|wc -l`" = "1" ]; then
      echo "192.168.1.$i is reachable but ignored"
    else
      echo "192.168.1.$i is reachable and NOT ignored"
      # exit the program without shutting down the box
      exit;
    fi
  else
    echo "192.168.1.$i is NOT reachable"
  fi
done
# we didn't find any (not ignored) DHCP client in the LAN
# we can thus shutdown this box
echo "warning the users and shutting down the box in 5 minutes"
shutdown -h -P +5 Please save your work now!

(Adjust the script to your LAN environment)

In /etc/crontabs, add:

*/20  * * * * root /usr/local/bin/shutdown_if_no_dhcp_client_in_lan >/dev/null 2>&1

Now the LAN server will shutdown automatically after a while when no workstations/notebooks are running anymore. Note that this can happen 5 to 25 minutes after the last activity and isn’t fault-tolerant at all. The script can easily be improved however.

April 26, 2009April 26, 2009

Gentoo Anti-Spam: iXhash Ebuild

As spam levels increased quite a bit lately, I made a Gentoo Ebuild for the iXhash SpamAssassin plugin by Bert Ungerer / Heise iX, Germany.

So far, it’s available on bugs.gentoo.org only. In order to install it, download

iXhash-1.5.5.ebuild

and put it in your local Portage Overlay.

YMMV, but it performs really well on my server (particularly for German spam which is difficult to catch without). Don’t forget to adjust the according penalty scores to your liking, though!

April 21, 2009

Gentoo: Greylisting for Postfix using Postgrey

Finally, I’ve had to enable greylisting for this domain due to ever increasing levels of spam. Fortunately, setting it up is very easy. For Gentoo and Postfix, here’s a nice walkthrough:

postfix greylisting on gentoo (postgrey) | andreas d.’s.

Let’s hope that this, in conjunction with other anti-spam measures, will do it for a while.

Non-spammers shouldn’t experience any problems due to this change, but if you do, please contact me using Skype (mettlerd), phone or SMS.

March 9, 2009March 8, 2009

Gentoo ebuild for Lx-Office ERP 2.6.0 beta 1

Finally, I’ve created Gentoo ebuilds for Lx-Office ERP 2.6.0 beta 1 and its dependencies. Lx-Office is a fork of the server-based open source accounting solution SQL-Ledger and customized for the German market (and to some extent, the Swiss and Austrian markets).

A screenshot of Lx-Office ERP 2.6.0 beta 1 showing the XUL menu:

And here’s a flash video of Lx-Office ERP 2.6.0 beta 1 showing the XUL menu in action.

Lx-System (the company backing Lx-Office ERP) and LINET Services host a public demo of Lx-Office ERP 2.4.3 (user: demo, password: demo).

To install Lx-Office ERP 2.6.0 beta 1 on Gentoo, follow these steps:

1) Set up a local portage overlay (e.g. at /usr/local/portage), if you haven’t done so already.

# mkdir -p /usr/local/portage

In /etc/make.conf, set

PORTDIR_OVERLAY=/usr/local/portage

2) Download lx-office-erp-2.6.0_beta_p1-r1_plus_dependencies.tgz and extract it to your local portage overlay

# cd /usr/local/portage

# tar xzvf lx-office-erp-2.6.0_beta_p1-r1_plus_dependencies.tgz

3) In /etc/portage/package.keywords, add the line

www-apps/lx-office-erp ~amd64

(or ‘www-apps/lx-office-erp ~x86‘, depending on the architecture of your machine)

4) In /etc/portage/package.use, add the line

www-apps/lx-office-erp vhosts

5) Install Lx-Office ERP on your system by executing

# emerge -av lx-office-erp

Depending on your current portage settings and installed ebuilds, you may need to unmask additional ebuilds.

6) Use webapp-config to link your Lx-Office ERP installation to a specific host, e.g. by executing

# webapp-config -I -h localhost -d lx-erp lx-office-erp 2.6.0_beta_p1-r1

7) Follow the steps displayed on the screen to setup and configure Lx-Office ERP. Some of these steps might be automated in a later release of the ebuild.

8) Have fun using Lx-Office ERP on Gentoo! :)

(These ebuilds are sponsored by my company Printscreen GmbH, dedicated to the developers of Lx-Office ERP and Gentoo and released for free use under the terms and conditions of the GNU GPLv2 license.)

January 31, 2009

Gentoo: TLS/SSL and name-based Apache virtual hosts using mod_ssl

With the introduction of the TLS SNI extension (transport layer security server name indication), name-based virtual hosts (i.e. virtual hosts sharing the same IP address) can now use distinct SSL certificates.

Here’s how to configure TLS SNI on Gentoo, using Apache:

1) DON’T try to set up TLS SNI using mod_gnutls. When I tried it on January 30, 2009, mod_gnutls still seemed to be too experimental and unstable for reliable TLS SNI (I observed some non-deterministic behaviour).

2) It does work fine though with a reasonably current version of OpenSSL and a patched Apache mod_ssl. And here, Gentoo shines once again: With Gentoo, you don’t need to manually patch Apache or OpenSSL! All you have to do is add the “sni” use flag to Apache in /etc/portage/package.use:

www-servers/apache sni

and remerge Apache (’emerge -auDNv apache’).

Note that Gentoo’s OpenSSL is already SNI-enabled by default (since openssl-0.9.8g-r2.ebuild) – remerge/update OpenSSL if required.

The configuration of SNI-enabled name-based virtual hosts in Apache is transparent, i.e. works the same way as for SSL-enabled, non-SNI name-based virtual hosts (of course you’ll want to use different certificates for every virtual host and specify them, as explained on Kaspar Brand’s TLS SNI test site).

Have fun!

January 29, 2009

Thunderbird Add-on: S/MIME Security for Multiple Identities

I’ve just found and installed the following add-on for Mozilla Thunderbird:

S/MIME Security for Multiple Identities

It allows you to use a different S/MIME certificate for each of the different identities (i.e. “e-mail address aliases” or “profile aliases”) you defined in your Thunderbird profile.

It’s currently still marked as an experimental add-on and I’ve noticed a minor glitch in v0.3.0 when using it (see my add-on review), but this might also be related to the fact that I also use the Virtual Identity add-on (another nice add-on which allows you to use an arbitrary sender address for sending messages).

The “S/MIME Security for Multiple Identities” add-on is very convenient if you have multiple e-mail accounts and want to use S/MIME message signing and/or encryption with all of them.

Bonus hint: You can get your own, personal S/MIME certificates for free at Thawte (for e-Mail only) or StartCom/StartSSL (also offers free class 1 SSL/TLS certificates for FTP servers, web servers etc. -> the latter don’t “work” with Internet Explorer, however).

December 30, 2008

Gentoo: MOTD printed twice

With some recent changes, Gentoo now seems to print the message of the day (MOTD) twice, when logging in using SSH:

Last login: Mon Dec 29 04:45:22 UTC 2008 from box on ssh

(message of the day)

Last login: Mon Dec 29 22:55:09 2008 from box

(message of the day)

I tried the following solution

Looks like the answer was in the /etc/pam.d/login and /etc/pam.d/system-login files. I had to comment out the pam_motd.so lines.

as described on http://stackoverflow.com/questions/190912/etcmotd-printing-twice-on-gentoo-linux. With these quick fixes, the MOTD doesn’t get printed twice anymore.

In addition, I also had to comment out the

session optional pam_lastlog.so

lines in /etc/pam.d/login and /etc/pam.d/system-login in order to prevent the “last login” line from being printed twice.

November 1, 2008

Best practice tips for Gentoo sysadmins

Currently, there are some critical ebuild dependency issues in Gentoo’s portage tree that might seriously hurt your box. Symptoms: When updating your system, portage might display an error message similar to this one:

[ebuild     U ] sys-fs/e2fsprogs-1.41.2 [1.40.9] USE=”nls (-static%)” 4,263 kB
[ebuild N    ] sys-libs/e2fsprogs-libs-1.41.2 USE=”nls” 479 kB
[blocks B     ] sys-libs/ss (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] <sys-fs/e2fsprogs-1.41 (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] sys-libs/com_err (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] sys-libs/e2fsprogs-libs (is blocking sys-libs/ss-1.40.9, sys-libs/com_err-1.40.9)

The important thing: DON’T unmerge ss or com_err, as it will break wget and other essential parts of your system! Portage thus won’t be able to download e2fsprogs-libs-1.41.2 which is required to replace the removed ss and com_err libraries (which are part of e2fsprogs-libs starting with v1.41.2).

Solution: Either wait until this issue gets resolved by the Gentoo core dev team or read through the following posts and Gentoo bug reports:

If you really know what you do, you might want to try this suggested quickfix (Important disclaimer: Looks reasonable and fine as a quick workaround to me, but I haven’t tried it yet. You apply it at your own risk, as usual! Note that this workaround doesn’t solve the real problem.)

As serious issues like these are quite common in Gentoo, here are some best practice tips for Gentoo sysadmins that help prevent some of the potential problems:

First of all, try to use stable ebuilds only. If this is not possible for some reason, try to minimize the number of unstable ebuilds (~amd64 etc.) on your system.
It’s rather tempting, but DON’T setup a cronjob to do automatic emerges! Portage only catches the most evident issues, but emerging new ebuilds is never without risks (not updating your system is risky too, however). The best approach would be testing any updates on a test box first before installing them on a production system. The second best approach is probably doing a monitored, manual update in small, incremental steps with immediate testing afterwards. This helps isolating problems, should they occur (it’s difficult to isolate a problem that was detected after an automatic update of hundreds of ebuilds).
Automate ’emerge –sync’ by putting it in your daily crontab in order to refresh your portage tree regularly. That’s neither particularly safe nor unsafe, but it guarantees that you don’t emerge that weeks-or-months-old broken ebuild that has been fixed in the meantime.
Regularly fetch new source packages by setting up a cronjob for ’emerge -uDN –fetchonly world’ (or -f). Like this, portage uses some additional hard disk space for the package sources (always make sure you have enough free space and properly setup partitions/volumes!). It makes sense though as one day, you’ll use most of these source packages anyway and having a source package locally can be very helpful in a situation like the one described in this post. IOW: If you aren’t able to download anything anymore due to a severely broken system, chances are, that you can still solve the problem on localhost, if you have source packages at hand.
Append “buildpkg” to the FEATURES variable in /etc/make.conf. Like this, portage will additionally create binary packages in /usr/portage/packages/All when emerging new ebuilds. This will require some spare free space on your hard disk again, but having a prebuilt, binary package at hand can be very helpful if there are any problems with the gcc toolchain or any other compiler chain needed. If you don’t like to enable this feature permanently, you can use the -b or –buildpkg option when executing emerge.
If you haven’t used the “buildpkg” feature so far, you can create binary packages of all the installed ebuilds on your system using the “quickpkg” utility and my quickpkg_all bash script.
Keep old, compiled kernel images in /boot and listed in your /boot/grub/menu.lst. Booting a new manually configured and compiled kernel is always a bit of an adventure (unless it was tested on an identical box before), and it’s good to keep previous kernels that are known to work. Even if it doesn’t work perfectly, it can take you to a console login prompt at least.
Instead of doing things the regular “remove old packages first, then install new packages” way, get used to the Gentoo way of doing things: “install new packages first, then remove old packages (if at all)”. Avoids serious problems that can occur when accidentally deinstalling an old, seemingly no longer used package that other important packages depend on and don’t work without.
When merging new configuration files, use dispatch-conf instead of etc-update. dispatch-conf uses CVS to create backups of old config files (which can be a helpful source of information in some situations). See the value of the “archive-dir” setting in /etc/dispatch-conf.conf.
Add files and directories to CONFIG_PROTECT, if in doubt. It’s better to have one ._cfg0000_XXX file too much than an important configuration file accidentally overwritten by portage.
Use emerge’s -D option for improved (deep) dependency checking.
Do regularly use revdep-rebuild to check for broken dependencies and to remerge the according ebuilds.
And of course, create automated, incremental backups of your systems regularly. You’ll sleep better, believe me ;)
Monitor your systems for errors. I do it with some custom bash scripts I wrote, but there are many full-fledged monitoring solutions for general purpose health monitoring.
As a fallback for (some) DNS problems with DHCP-based systems, I regularly send a heartbeat of a DHCP system to a box in another network, revealing the DHCP system’s last known/assigned IP address.
Not limited to Gentoo sysadmins: Having a (hardware) remote console accessible via a different IP address is worth a lot in case there are serious troubles with the operating system or the hardware.

Feel free to add other helpful best practice tips for Gentoo sysadmins!

September 2, 2008September 2, 2008

Google Chrome from a business and “techie” view

If Google will really deliver what it promises with its new Chrome browser plans (Google blog) (personally, I have no doubts about this), the line between web applications and standalone applications will further blur and hereby enable a better, seamless user experience and probably a whole new class of powerful applications.

Some thoughts:

From a technical point of view, Google’s Chrome will be the WebOS others have been dreaming about for a long time already. It basically offers memory management, process management, markup renderers, a GUI and a VM with a JIT compiler (V8).
It will finally unify the ideas behind the WebOS, “The network is the computer”, cloud computing, SaaS, RIA and virtualization.
Actually, it’s astonishing it took so long for someone to come up with something like this. The concepts as such are not new at all, but the combination of all these different concepts is what makes the thing cool. It’s typical for a good idea that, once you’ve heard of it, you almost can’t imagine living without it anymore, as it seems all so natural.
Detachable tabs on top: Not a new idea either. For example, I remember that the Fluxbox window manager actually offered the same feature back in 2001/2002 (or even earlier) already. I remember it as I used it myself too (and I liked it a lot, despite of its “suboptimal” scalability), as illustrated in these animations:
Fluxbox Window Grouping Feature (2002) 1/2 (small animated GIF screenshot)
Fluxbox Window Grouping Feature (2002) 2/2 (large animated GIF screenshot)

I guess there were other window managers and GUIs that had the same features even before fluxbox had them.
With this move, Google will be gradually taking control and power away from traditional Desktop OS manufacturers such as Microsoft and Apple. Being open source, Chrome and its components like V8 will be the “Linux of the web” and thus a big threat particularly to Microsoft that still generates most of its revenue with Windows and standalone applications like Office.
The ongoing process, that (desktop) operating systems are becoming commodities more and more, will further be accelerated. Will there be an “unsacred” alliance between Apple and Microsoft to fight these tendencies or will they shift their businesses further into the “web” application (SaaS), content (music, videos, TV, e-books, multimedia etc.) and lifestyle (design, hardware, ethics) spaces?
Of course that’s in the best interest of Google (as their business is data/content and webapps/SaaS). I wouldn’t call this move an evil move, but it’s definitely not a friendly move in the eyes of the competition.
From a “techie” point of view, this move will enable many interesting applications in the future. As the framework will be open source, the dev community will potentially be as vital and dynamic as in other high-profile OSS projects (like Mozilla, Linux)
What about the Mozilla, Safari, IE, Opera camps? They will have to adapt themselves to the concept and try to top it. IE (and perhaps also Safari) might try to take the “embrace and extend” route.
With the birth of the WebOS, there will probably be a need of an open, standardized webapp GUI toolkit and webapp GUI guidelines soon (and there’s a big potential for conflicts here). Who will provide these? What will be the roles of the current big players? Also, standardized, open specs for user authentication and user data exchange will be required – here, there’s already some progress with OpenID, OAuth etc.
I like that Google communicates its plans using an easy-to-follow cartoon and that they give credit to individual internal and external contributors and players (though I assume there were much more people involved in the process than those mentioned)
The thing that disappoints me a bit is that when talking about V8, they only talk about targeting JavaScript. I’d prefer a more generic approach providing a VM and JIT for various languages (similarly to a CLI VM – why not re-use/extend Mono, for example?). Maybe that’s what V8 actually provides and they just don’t emphasize it at this point in order to not confuse or upset end-users, devs, big players etc..
Taking a look at the big picture, it seems that there’s a very pragmatic driver behind this whole development: It’s the laziness of us end-users (just as a fact, not meant in a negative sense – being “lazy” is usually quite rational). Or in other words: The information takes the line of the least resistance. And so far, that line for the “Network OS” happens to be the web, i.e. basically HTTP, despite of its known shortcomings.

[UPDATE 20080902: Corrected a typo. And here’s a statement regarding the Google Chrome news by John Lilly, CEO of Mozilla Corp.]

August 26, 2008August 26, 2008

Setting up Procmail and Postfix with maildir for mobile usage

When I’m on the road, I can check my private and business e-mail using my very handy Nokia e61i smartphone (which I like a lot, apart from its rather unstable web browser). However, as I’ve never been far away from a computer for a long time so far, I’ve only used to check mail that was delivered to my inbox, and not to any of its about 200 subfolders (I once tried to subscribe to all folders – the mail client of the e61i simply crashed ;). Now, I figured I’d need to do something about this in order to not miss any of the mails that are automatically moved to a subfolder by the server-side procmail mail filter.

The solution: Simply create a new procmail rule that copies (that’s what the c stands for) any incoming message to a special folder (I named it “mobile”; note that my postfix uses the maildir format to store messages):

:0 c
.mobile/

Preferably, this rule should be placed after the spam filtering rules (you don’t want to pay for spam on your mobile, do you? ;) and before the normal procmail mail filter rules (which move every incoming mail to the appropriate subfolder). You can also use a dedicated rules file for every group of similar rules. For example, I include the files spam.rc, mobile.rc, lists.rc (with their according rules) in the main .procmailrc config file.

Now every mail that wasn’t filtered by the spam filter gets copied to the “mobile” subfolder of your inbox prior to getting moved to the appropriate subfolder (by the rules in lists.rc).

On my e61i, I hence only need to subscribe to the “mobile” subfolder in order to catch all incoming messages. As you can’t unsubscribe from the inbox subfolder itself, you should set the maximum number of caught new inbox mails to 1 (which is the minimum) in order to avoid fetching things twice. You can further configure that only headers are fetched to minimize the amount of data[1] that is automatically downloaded with every mail check (also: switch off polling if you don’t need it).

Note that another advantage of this solution is that you won’t tamper with any of the original messages (that are either in your inbox or in any of its subfolders). Some might call this a disadvantage though.

That’s it, have fun! :)

[1] I pay 0.10 CHF per 20 KB, i.e. 5 CHF (5 USD) per MB (which is incredibly expensive as I currently don’t have any flat rate data plan -> please don’t send me a mail bomb just for fun, else I’ll have to write a more sophisticated procmail rule that only copies messages < 100 KB to the mobile folder)