Thursday, January 22, 2009

A quick example of how to configure on Debian both a static and a dynamic (DHCP) IP address on a single interface, using an alias interface (eth0:1) for the static address.

Your /etc/network/interfaces file should look like this. Two caveats: the DHCP lease on eth0 normally installs a default route already, so the "gateway" line in the eth0:1 stanza only works if the DHCP server hands out no router option (otherwise ifup fails with "RTNETLINK answers: File exists" and you should drop that line); and use either "allow-hotplug eth0" or "auto eth0", not both, or ifup may try to configure the interface twice. The "network" line is optional on modern ifupdown and can be left out.


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
auto eth0
iface eth0 inet dhcp

auto eth0:1
iface eth0:1 inet static
address 192.168.31.81
netmask 255.255.255.0
network 192.168.31.0
gateway 192.168.31.254

Sunday, November 09, 2008

People who need to adapt SQL files to isql format, which means one SQL statement per line (no newline characters inside a statement), can use this great tip from waldner & prince_jammys on the Freenode #awk channel:

awk '/^--|^$/ {print; next} !/;$/ {printf("%s ", $0); next} { print }'
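The one-liner above applied to a constructed SQL file, as an added example (not from the original post or from the #awk folks). It keeps the same three rules but first strips trailing whitespace, so a ";" followed by a stray space or a Windows CR still counts as a statement end, and adds a check that nothing unterminated is left behind:

```sh
#!/bin/sh
# Added example: the isql one-liner on a constructed SQL file, with trailing
# whitespace normalised before the ";" test and a post-conversion sanity check.

# Constructed sample input: a comment, a multi-line CREATE and a split INSERT.
sample_sql() {
  cat <<'EOF'
-- schema for the demo
CREATE TABLE users (
  id   INT PRIMARY KEY,
  name VARCHAR(64)
);

INSERT INTO users VALUES (1, 'alice');
INSERT INTO users
  VALUES (2, 'bob');
EOF
}

# Join continuation lines so each statement lands on one line; comment and blank
# lines pass through unchanged.  Trailing whitespace (including a CR left by a
# Windows editor) is stripped first so the ";" test cannot be fooled by it.
to_isql() {
  awk '{ sub(/[[:space:]]+$/, "") }
       /^--|^$/ { print; next }
       !/;$/    { printf("%s ", $0); next }
       { print }'
}

# Sanity check on stdin: print how many non-comment, non-blank lines do NOT end
# in ";" (0 means the file is ready for isql).
count_unterminated() {
  grep -v '^--' | grep -v '^$' | grep -vc ';$' || true
}

sample_sql | to_isql
```

The join is purely textual: a string literal that happens to end a line with ";" or a "--" inside a statement will still confuse it, so run count_unterminated on the output and eyeball the result before feeding it to isql.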



This comes in handy when you are happy with MySQL integrated into your software and suddenly the big bad Oracle comes along, so you need bells and whistles to make it tick. Note that the one-liner keys only on the last character of each line: a statement whose terminating ";" is followed by trailing whitespace, or a string literal that happens to end a line with ";", will be joined wrongly.

isql is a great utility that lets you work from the command line with every datasource unixODBC supports.

Have fun...

Thursday, January 24, 2008

A quick note about python.

People anxious to understand lambda functions, take a look at this code:

#!/usr/bin/env python

# Define a nameless (lambda) function.
# This means that we:
# a) create a function object, and
# b) assign "f" a reference to this object (function).
f = lambda x: x + 42

# Call this function, passing it one argument.
print(f(0))


# Do the same thing, simply replacing the nameless function with a "full" def.
def func(x):
    return x + 42

# Assign variable "g" a reference to function "func".
g = func

# Call this function, passing it one argument.
print(g(0))

Monday, January 01, 2007

Mail Server - The perfect setup using postfix MTA from A to Z.

Debian 4 (etch) based email server, including configuration, security and performance considerations. Using Linux, BIND, Postfix, SpamAssassin, Mutt, Apache, SquirrelMail (incomplete list; more will be added with time).

  • Please note: WORK IN PROGRESS, IT MAY VERY WELL BREAK YOUR SYSTEM



I've got me a bare minimum Debian VPS from gplhost.com.
First thing to do is obviously getting that postfix running.

Here is how I did it, to get the ultimate pleasure of having my own mail server.

Install the relevant packages:

aptitude install mutt # Mail reader (important, at least for the first-time install).
aptitude install postfix
aptitude install chrony # So that the machine always has the correct time.
* Remove the "offline" keyword from the server lines in /etc/chrony/chrony.conf: chrony by itself is great, but it ships tuned for machines without a permanent Internet connection. I really prefer it over all the other obscure packages (ntpdate and co.).

Update your DNS records; mine look like this:
@ 500 IN MX 1 mx1.rfsee.net.
mx1.rfsee.net. 500 IN A 205.134.246.209
Which basically says that my main (and only) MX server for the domain rfsee.net is "mx1.rfsee.net"; the second line is a simple A record resolving that name to my server's IP address. (The MX target must be a hostname with an A record, never a CNAME or a bare IP address.)

Time for some postfix conf

Edit /etc/mailname to contain "rfsee.net".
Edit /etc/postfix/main.cf; mydestination should be equal to something like "node0180.gplhost.com, xen018013, localhost.localdomain, localhost, $myorigin", with myorigin = /etc/mailname.

Now, mail for one specific account I would like forwarded to my main email account, so I'll tell postfix never to store it locally. I'm using hq4ever as the general account for system messages and co. (the .forward file is a plain list of destinations, one per line):
echo 'hq4ever@gmail.com' >> /home/hq4ever/.forward

My aliases file looks like this:
$ cat /etc/aliases
# /etc/aliases
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: hq4ever
postmaster: hq4ever
foo: hq4ever@gmail.com
Remember to run newaliases after each edit made to this file, otherwise postfix won't pick up the changes. The reason: postfix uses a hash-based lookup table for aliases; newaliases builds /etc/aliases.db from the text file, and that is the file postfix actually reads.

Now comes the fun part, let the spam begin.

First I set an SPF record for the rfsee.net domain. It's done in the DNS zone file (the guys at gandi are using BIND, which is great and easy to operate). My added record looks like this:
rfsee.net. 28800 IN TXT "v=spf1 mx include:gmail.com -all"
which says: for domain "rfsee.net", this is SPF version 1; any host listed as an MX for the domain may send mail for it; additionally, any host that gmail.com's own SPF record authorises may send for it (include: pulls in the other domain's whole policy, not its MX list); everything else is a hard fail (-all), so receivers should reject it. The include:gmail.com part is very handy, because I do most of my emailing from Gmail; changing my From address there would fail SPF if I hadn't added this "include". Two caveats: the include also means any Gmail account can pass SPF as rfsee.net, since SPF authorises sending hosts, not users; and mx, a, include, exists, ptr and redirect each cost a DNS lookup, of which a receiver evaluates at most ten before giving up with permerror.
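A small lint for records like the one above, as an added example (not from the original post). It counts the terms that cost a receiver a DNS lookup (a, mx, include, exists, ptr and the redirect modifier; the limit is ten), reports which qualifier applies to "all", and rejects records that leave unlisted hosts neutral or authorise everyone. All three records are constructed; the first is the one published for rfsee.net above, the other two show the failure modes:

```sh
#!/bin/sh
# Added example: lint an SPF TXT record for the mistakes that silently break it.

SPF_RFSEE='v=spf1 mx include:gmail.com -all'
# Too many lookups: receivers stop evaluating and return permerror, so mail fails.
SPF_TOO_MANY='v=spf1 a mx include:a.example include:b.example include:c.example include:d.example include:e.example include:f.example include:g.example include:h.example include:i.example ~all'
# No "all" term: hosts not listed get a neutral result, which is as good as no policy.
SPF_NO_ALL='v=spf1 mx'

# Print the number of DNS-lookup terms in record $1.
spf_lookup_count() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | grep -Ec '^[-+~?]?(a|mx|include|exists|ptr|redirect)(:|=|/|$)' || true
}

# Print the qualifier that applies to "all": "+", "-", "~", "?" or "none".
spf_all_qualifier() {
  q=$(printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[-+~?]?all$' | tail -n 1)
  case "$q" in
    '')       echo none ;;
    all|+all) echo '+' ;;
    *)        printf '%s\n' "${q%all}" ;;
  esac
}

# Returns 0 for a record that is v=spf1, stays within the lookup limit and ends
# with a restrictive "all"; 1 otherwise, with the reason on stdout.
spf_check() {
  case "$1" in
    v=spf1|'v=spf1 '*) ;;
    *) echo "not an spf1 record"; return 1 ;;
  esac
  n=$(spf_lookup_count "$1")
  if [ "$n" -gt 10 ]; then
    echo "too many DNS lookups ($n > 10): receivers return permerror"; return 1
  fi
  q=$(spf_all_qualifier "$1")
  case "$q" in
    none) echo "no 'all' term: unlisted hosts are neutral, not rejected"; return 1 ;;
    '+')  echo "'+all' authorises every host on the Internet"; return 1 ;;
  esac
  echo "ok: $n DNS lookups, '${q}all' for everyone else"
}

for rec in "$SPF_RFSEE" "$SPF_TOO_MANY" "$SPF_NO_ALL"; do
  printf '%s\n  -> ' "$rec"; spf_check "$rec" || :
done
```

The lookup count is a static one: it does not follow the include chain, so a record that looks fine here can still exceed the limit once gmail.com's own includes are resolved. Feed the published record straight in with something like `dig +short TXT rfsee.net` if you want to lint what the world actually sees.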

A good source for DNS troubleshooting is http://www.dnsstuff.com/tools/dnsreport.ch?domain=rfsee.net; from there I've learned that my Postfix greeting was wrong. Let's fix that:
  1. Edit /etc/postfix/main.cf
  2. myhostname = mx1.rfsee.net (old value = xen018013)
  3. mydestination = "node0180.gplhost.com, xen018013, localhost.localdomain, localhost, $myorigin, $myhostname" (old value = "node0180.gplhost.com, xen018013, localhost.localdomain, localhost, $myorigin")

DNS caching only server

One might ask why we even need a local DNS server.
The answer is simple: SMTP is heavily dependent on DNS data (MX records). Because Postfix issues DNS queries for its delivery decisions (SPF, DomainKeys, RBLs and MX lookups), a remote, slow or flaky third-party resolver is a major performance burden.

The idea is to install BIND in caching-only mode[1]. Shell we begin? (yes! we bash)
aptitude install module-init-tools
aptitude install bind9
aptitude install dnsutils
Let's bluntly ignore the Stanford warning about "bind on localhost" and configure our bind9 to listen ONLY on localhost. The logic: we are setting up a local caching DNS server, and I don't want others wasting my bandwidth by using me as their resolver (I wouldn't mind doing it for you temporarily if you ask, but not globally for the whole worm-infested Internet). An open recursive resolver is also a ready-made amplifier for spoofed-source DNS floods and a bigger target for cache poisoning, so restricting both where named listens (listen-on) and whom it recurses for (allow-recursion { localhost; };) is the right default. So we follow the instructions here[2], [3]:
  1. Edit /etc/bind/named.conf.options
  2. The options section should look like this:
    options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    // 0.0.0.0;
    // };

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { 0:0:0:0:0:0:0:1; };
    listen-on { 127.0.0.1; };
    };
  3. /etc/init.d/bind9 restart
    Stopping domain name service...: bind.
    Starting domain name service...: bind.
  4. Let's test our BIND. Run the same query twice: the first answer is fetched from the authoritative servers, the second must come from the cache (query time drops to about 0 msec and the TTLs have counted down):
    root@srv-il:/# dig @127.0.0.1 example.com

    ; <<>> DiG 9.3.2-P1 <<>> @127.0.0.1 example.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14378
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;example.com. IN A

    ;; ANSWER SECTION:
    example.com. 172800 IN A 192.0.34.166

    ;; AUTHORITY SECTION:
    example.com. 21600 IN NS a.iana-servers.net.
    example.com. 21600 IN NS b.iana-servers.net.

    ;; ADDITIONAL SECTION:
    a.iana-servers.net. 172799 IN A 192.0.34.43
    b.iana-servers.net. 172799 IN A 193.0.0.236

    ;; Query time: 1390 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Jan 13 17:08:50 2007
    ;; MSG SIZE rcvd: 125

    root@srv-il:/# dig @127.0.0.1 example.com

    ; <<>> DiG 9.3.2-P1 <<>> @127.0.0.1 example.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40396
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;example.com. IN A

    ;; ANSWER SECTION:
    example.com. 172795 IN A 192.0.34.166

    ;; AUTHORITY SECTION:
    example.com. 21595 IN NS b.iana-servers.net.
    example.com. 21595 IN NS a.iana-servers.net.

    ;; ADDITIONAL SECTION:
    a.iana-servers.net. 172794 IN A 192.0.34.43
    b.iana-servers.net. 172794 IN A 193.0.0.236

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Jan 13 17:08:55 2007
    ;; MSG SIZE rcvd: 125
  5. If everything goes well, we can continue with the system-wide resolver change. Note: make sure your BIND server DOES WORK!! Do some more dig queries first.

    Edit your /etc/resolv.conf; we need our local bind server at the highest priority, i.e. 127.0.0.1 first. Mine looks like this:
    nameserver 127.0.0.1
    search gplhost.com
    nameserver 66.251.193.21
    nameserver 205.134.246.194
    * Note: if "nameserver 127.0.0.1" has "magically" appeared in your resolv.conf after you installed bind, that means you use resolvconf(8); bind9 has a hook in its init script for resolvconf, so this step can be safely skipped.
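To check that the options block you end up with really keeps the cache private, here is an added example (not from the original post) that reads a named.conf.options text and flags two things: any listen-on address that is not loopback, and recursion that is not limited to localhost. The two option blocks are constructed; the first mirrors the configuration above with an allow-recursion line added, the second is what an open resolver looks like:

```sh
#!/bin/sh
# Added example: audit a named.conf.options text for open-resolver mistakes.
# Both option blocks are constructed.

BIND_OPTS_LOCAL='options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; };
    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };
};'

# Same cache, but answering (and recursing for) the whole Internet.
BIND_OPTS_OPEN='options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { any; };
};'

# Print every address found in listen-on / listen-on-v6 statements, one per line.
bind_listen_addrs() {
  printf '%s\n' "$1" \
    | sed -nE 's/^[[:space:]]*listen-on(-v6)?[^{]*[{]([^}]*)[}].*/\2/p' \
    | tr ';' '\n' | tr -d ' \t' | grep -v '^$' || true
}

# Returns 0 if every listener is a loopback address, 1 otherwise (naming the offender).
bind_listens_only_local() {
  rc=0
  for a in $(bind_listen_addrs "$1"); do
    case "$a" in
      127.0.0.1|::1|0:0:0:0:0:0:0:1|localhost) ;;
      *) echo "non-loopback listener: $a"; rc=1 ;;
    esac
  done
  return $rc
}

# Returns 0 if recursion is off or allowed only from localhost, 1 if any client
# that reaches the socket may recurse.
bind_recursion_restricted() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no' && return 0
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*allow-recursion[[:space:]]*[{][[:space:]]*(localhost|127\.0\.0\.1|::1)[[:space:]]*;[[:space:]]*[}]'
}

# Combined verdict for one options block.
bind_open_resolver_check() {
  bind_listens_only_local "$1" && bind_recursion_restricted "$1" \
    && echo "ok: loopback listeners, recursion restricted" \
    || { echo "open resolver risk"; return 1; }
}

for opts in "$BIND_OPTS_LOCAL" "$BIND_OPTS_OPEN"; do
  bind_open_resolver_check "$opts" || :
done
```

This is a text check, not a substitute for testing the running daemon: after the restart, `dig @YOUR-PUBLIC-IP example.com` from another host should time out or return REFUSED, and `ss -lnup | grep :53` (or `netstat -lnup` on etch) should show named bound to 127.0.0.1 and ::1 only.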
References:

[1] http://www.stanford.edu/~riepel/dns/Caching.html
[2] http://www.unixwiz.net/techtips/bind9-chroot.html
[3] http://www.digitalpeer.com/id/configuringa

Sunday, July 30, 2006

TWiki 4.0.4 setup on debian stable (sarge) HowTo.

Step by step guide for TWiki 4.0.4 setup on debian stable (sarge) 3.1-r2 - Fresh Install.
Enjoy.

-- Pre Install --

Start by downloading and installing debian stable.
I recommend you select linux26, it just sounds better.
Select "Web Server" from server roles during d-i.

# -- Post Install --

# We'll be installing some packages required by TWiki to run in apache2 cgi mode.
aptitude install libalgorithm-diff-perl
aptitude install libdigest-sha1-perl
aptitude install libmime-base64-perl
aptitude install libnet-perl
aptitude install libtext-diff-perl
aptitude install libcgi-session-perl

# Disable unneeded apache2 modules to increase security
cd /etc/apache2/mods-enabled && rm perl.* php4.* mod_python.load

# Configure your exim MTA to use smarthost (no local delivery)
dpkg-reconfigure -plow exim4-config

# Now looks like a good time to create the soon-to-be twiki setup dir
mkdir /var/www/twiki

# -- TWiki setup --

cd /var/www/twiki
wget http://twiki.org/p/pub/Codev/Release/TWiki-4.0.4.tgz
tar xzvf TWiki-4.0.4.tgz

# Save the original tarball for future reference, a good safety net in case something borks.
mkdir /root/nondeb_install
mv TWiki-4.0.4.tgz /root/nondeb_install

# Set some config files, "the debian way". Well... almost
cd /var/www/twiki
mv root-htaccess.txt .htaccess
mkdir /etc/twiki && cd /etc/twiki
mv /var/www/twiki/twiki_httpd_conf.txt twiki.conf
sed -i -e 's@/home/httpd@/var/www@' /etc/twiki/twiki.conf

# Set proper permissions on twiki cgi runtime files: the code is owned by root and only
# readable by the web server (it must not be able to rewrite its own scripts), while
# pub/ and data/ are the only trees www-data may write.
chown -R root:www-data /var/www/twiki
chmod -R 750 /var/www/twiki/
chown -R www-data:www-data /var/www/twiki/pub/
chown -R www-data:www-data /var/www/twiki/data/

# Cool, lets link twiki.conf to apache2 main config
cd /etc/apache2/conf.d
ln -s /etc/twiki/twiki.conf twiki.conf

# -- TWiki configurations --

# Time to edit some config files.
# use either vi(m), gedit, nano, pico, emacs, ed or check Debian Reference - Editors
# I use sed to speed things up, this allows this whole HowTo to be step-by-step copy & run.

# Tell the twiki scripts where to look for their perl modules
# (LocalLib.cfg.txt ships in bin/, so change directory first)
cd /var/www/twiki/bin
mv LocalLib.cfg.txt LocalLib.cfg
sed -i -e '/twikiLibPath/ { s@/absolute/path/to/your/lib@/var/www/twiki/lib@ }' LocalLib.cfg

# And set apache to "by default" redirect to our twiki
# (This replaces the string "apache2-default" with "/twiki/bin/view/")
sed -i -e '/RedirectMatch/ { s@/apache2-default/@/twiki/bin/view/@ }' /etc/apache2/sites-available/default


# -- TWiki Security --

# Let's set apache and twiki to use basic authentication.
# (htpasswd -c stores a weak crypt() or MD5 hash depending on the Apache version;
# on Apache 2.4 and later prefer "htpasswd -B" for bcrypt.)
htpasswd -c /var/www/twiki/data/.htpasswd USERNAME
chown www-data:root /var/www/twiki/data/.htpasswd
chmod 750 /var/www/twiki/data/.htpasswd

# We'll add a few lines to twiki.conf, making the server require valid-user

sed -i '/<Directory "\/var\/www\/twiki\/bin">/ a AuthType Basic\nAuthName "TWiki - Knowledge is Power"\nAuthUserFile /var/www/twiki/data/.htpasswd' /etc/twiki/twiki.conf

# The three Auth* lines only define HOW to authenticate; nothing is protected until
# an active "require valid-user" applies to the scripts. Check the resulting file for
# one (the shipped twiki_httpd_conf.txt carries it inside a commented-out
# <FilesMatch> block for the editing scripts), run "apache2ctl -t", then confirm
# with a browser that /twiki/bin/edit/... prompts for a password and that
# /twiki/data/.htpasswd is not served (expect 403 or 404).
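An added example (not from the original post, and not TWiki's own code) that makes the check above mechanical: it reads an Apache config text and reports whether an uncommented "require valid-user" actually sits inside the bin/ Directory block, and whether the AuthUserFile lives under the document root, where a missing deny rule would expose it. Both config texts are constructed; the first is what the sed leaves behind when the shipped require line is still commented out:

```sh
#!/bin/sh
# Added example: verify that a twiki.conf really enforces authentication for bin/.
# Both configuration texts are constructed.

CONF_AUTH_DEFINED_ONLY='<Directory "/var/www/twiki/bin">
AuthType Basic
AuthName "TWiki - Knowledge is Power"
AuthUserFile /var/www/twiki/data/.htpasswd
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    #<FilesMatch "(attach|edit|manage|rename|save|upload|.*auth).*">
    #   require valid-user
    #</FilesMatch>
</Directory>'

# The same block with the requirement switched on for the editing scripts.
CONF_ENFORCED='<Directory "/var/www/twiki/bin">
AuthType Basic
AuthName "TWiki - Knowledge is Power"
AuthUserFile /var/www/twiki/data/.htpasswd
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    <FilesMatch "(attach|edit|manage|rename|save|upload|.*auth).*">
        require valid-user
    </FilesMatch>
</Directory>'

# Returns 0 when an uncommented "require valid-user" sits inside the <Directory>
# block whose path ends in /bin, 1 otherwise.
bin_requires_valid_user() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*<Directory[[:space:]]+"?[^">]*\/bin"?>/ { inbin = 1; next }
    /^[[:space:]]*<\/Directory>/                         { inbin = 0; next }
    inbin && /^[[:space:]]*#/                             { next }
    inbin && tolower($0) ~ /^[[:space:]]*require[[:space:]]+valid-user/ { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Print the AuthUserFile path(s) named in the config.
auth_user_files() {
  printf '%s\n' "$1" | awk '$1 == "AuthUserFile" { print $2 }'
}

# Returns 0 if any AuthUserFile lives under document root $2 (so it must be
# explicitly denied to clients or moved), 1 if all are outside it.
htpasswd_under_docroot() {
  for f in $(auth_user_files "$1"); do
    case "$f" in "$2"/*) return 0 ;; esac
  done
  return 1
}

for c in "$CONF_AUTH_DEFINED_ONLY" "$CONF_ENFORCED"; do
  if bin_requires_valid_user "$c"; then echo "bin/: require valid-user active"
  else echo "bin/: NOT enforced (Auth* lines alone protect nothing)"; fi
  if htpasswd_under_docroot "$c" /var/www; then
    echo "htpasswd under /var/www: make sure data/ is denied to clients"
  fi
done
```

Run it against the real file with `bin_requires_valid_user "$(cat /etc/twiki/twiki.conf)"` once the functions are sourced; a non-zero exit means the sed left you with a login prompt that never appears.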

# -- Twiki web configurations --

# Let's access the web interface and configure the wiki. Once done, lock the configure
# script down again: the shipped twiki.conf has a <FilesMatch "^configure.*"> block
# meant for allowing only your own IP address.
http://YOUR-SERVER.local/twiki/bin/configure

Things to pay attention to :

Security Setup >> Authentication >> {LoginManager} =TWiki::Client::ApacheLogin
Security Setup >> Passwords >> {PasswordManager} =TWiki::Users::HtPasswdUser
Security Setup >> Passwords >> {Htpasswd}{FileName} =/var/www/twiki/data/.htpasswd

# -- System cron --

# Let's have twiki mailing us at 2AM

echo '0 2 * * * root (cd /path/to/twiki/bin; ./mailnotify -q)' >> /etc/crontab

# -- User Setup --

We're almost there, the last thing you should do is educate yourself.

1. Read http://twiki.org/cgi-bin/view/TWiki/TWikiReferenceManual
2. Check http://twiki.org/cgi-bin/view/TWiki/WebHome
3. Play with the system before you take it into production.

My 2cent's :
1. The system uses RCS to store its data (no relational DB such as MySQL & co.).
2. All system configuration is done from within the wiki itself, a somewhat new but interesting concept: you use the same interface to edit both the wiki pages and the wiki configuration files. Once you hit "Save" the change is applied, and the cherry on the cake is that the same revision system lets you revert if you mess up the config.


That's about all, enjoy your new wiki.
I hope this helps someone.
Maxim V.

Comments are welcome.

Friday, June 30, 2006

Block Device copying over LAN (Using Linux LiveCD)

To copy an entire block device or a single partition from one machine to another over the network, use the following procedure:

  • Boot the source machine from a live CD, so the disk you are reading is not mounted and changing underneath dd.
  • Make sure the ssh daemon is running on the target machine (the source only needs the ssh client; it initiates the connection).
  • Make sure the target device is at least as large as the source and is not mounted.
  • Execute the following dd (1) command on the source machine:
dd if=/dev/hda bs=1k conv=sync,noerror | gzip -c | ssh -c blowfish user@hostname "gzip -d | dd of=/dev/hda bs=1k"

Two notes on the options: "-c blowfish" was the fast cipher of the day, but the blowfish and arcfour ciphers were removed from OpenSSH in 7.6, so on a current system drop the option (or pick e.g. -c aes128-gcm@openssh.com). "conv=sync" pads a short final read with NULs, so a device whose size is not a multiple of bs yields a copy slightly longer than the original; use bs=512 (the sector size) if you need a byte-exact image.
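The same pipeline run locally on a constructed image, as an added example (not from the original post), with the integrity check a forensic copy needs: the source and the clone are hashed and compared over the source's length, so the padding conv=sync may add to the last block does not mask a real difference. The ssh hop is stood in for by "sh -c"; on a real run that stage becomes `ssh user@target "gzip -d | dd of=/dev/sdX bs=1k"`:

```sh
#!/bin/sh
# Added example: the post's dd | gzip | gzip -d | dd pipeline on a constructed
# image, plus a hash comparison proving the clone is bit-identical.

# Hash stdin: sha256 where available, cksum (CRC) as a portable fallback.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else cksum | cut -d' ' -f1; fi
}

# Constructed "disk": 1 MiB of repeating text standing in for /dev/hda.
make_sample_image() {
  yes 'constructed sector data' | head -c 1048576 > "$1"
}

# Clone $1 into $2 through the post's pipeline (sh -c stands in for the ssh hop).
clone_image() {
  dd if="$1" bs=1k conv=sync,noerror 2>/dev/null | gzip -c \
    | sh -c "gzip -d | dd of='$2' bs=1k 2>/dev/null"
}

# Returns 0 when the clone hashes identically to the source over the source's
# length (conv=sync may pad the last block with NULs), 1 otherwise.
verify_clone() {
  len=$(wc -c < "$1" | tr -d ' ')
  src=$(digest < "$1")
  dst=$(head -c "$len" < "$2" | digest)
  if [ "$src" = "$dst" ]; then
    echo "verified: $src ($len bytes)"
  else
    echo "MISMATCH: source $src, clone $dst"; return 1
  fi
}

# Stand-alone run in a scratch directory.
tmp=$(mktemp -d)
make_sample_image "$tmp/src.img"
clone_image "$tmp/src.img" "$tmp/dst.img"
verify_clone "$tmp/src.img" "$tmp/dst.img"
rm -rf "$tmp"
```

For a real device, run `sha256sum /dev/hda` on the source and `head -c SIZE /dev/hda | sha256sum` on the target (SIZE from `blockdev --getsize64 /dev/hda`), and record both digests next to the image: that is what lets you show later that the copy you analysed is what was on the disk.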

You can also use the great g4u (2) project, which is based on BSD and is amazing in its simplicity and usefulness.




Good for 1-to-1 copies of server machines, great for rapid restore in case of a crash.
It can also be used for intrusion detection analysis: just copy the hard drive and run all the data analysis software you want on the clone, knowing that the original drive is still intact. For that use, hash the source device and the clone (e.g. sha256sum /dev/hda on each side) and keep the digests with the image, so you can later show the copy is bit-identical to what was seized.



Reference :

1. http://www.inference.phy.cam.ac.uk/saw27/notes/backup-hard-disk-partitions.html
2. http://fbim.fh-regensburg.de/~feyrer/g4u/

Friday, May 26, 2006

Quick and dirty NIS+NFS+AutoFS configuration for RH (RedHat) based distributions.
This will allow your Linux users to work in a distributed environment and get the warm roaming-profile feeling.

~~ NOTE: Careful, work in progress. I'm editing the post from time to time ~~

Security note before you start: NIS has no authentication. Any host that can reach ypserv and knows the domain name can dump every map, and with "shadow: nis" below that includes the password hashes, so restrict clients in /var/yp/securenets, keep the NIS domain name non-obvious, and firewall portmap/ypserv to the LAN. Likewise NFS with the default AUTH_SYS trusts whatever UID the client presents, so only export /home/exports to hosts you control.

On the server you go like this:
1. yum install ypserv
2. set nis domain in /etc/sysconfig/network
NISDOMAIN=your_nis
3. make -C /var/yp
4.

Whereas on the client side, this is what you do:

1. yum install autofs
2. yum install ypbind
3. yum install portmap
4. Set nis domain in /etc/sysconfig/network
NISDOMAIN=your_nis
5. Make your autofs config file(s) look like this:

cat /etc/auto.master
[snip]
/home/exports /etc/auto.home

cat /etc/auto.home
* NFS_SERVER_ADDRESS:/home/exports/&

6. Tell the system where to look for user info:

cat /etc/nsswitch.conf
[snip]
passwd: nis files
shadow: nis files
group: nis files

7. Make sure the needed network daemons start on boot:
chkconfig --level 345 autofs on
chkconfig --level 345 ypbind on
chkconfig --level 345 portmap on

8. Set your NIS server
cat /etc/yp.conf
[snip]
ypserver ADDRESS_OF_YOUR_NIS_SERVER
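Since the whole setup stands or falls with who may talk to ypserv, here is an added example (not from the original post) of the access rule ypserv applies when reading /var/yp/securenets, reimplemented in shell so you can test a rule file against client addresses before you trust it. The file contents and addresses are constructed:

```sh
#!/bin/sh
# Added example: check which clients a securenets(5)-style file admits.
# ypserv answers any host that reaches it and knows the domain name, so this file
# is what keeps the passwd and shadow maps off the wider network.

# Write a constructed securenets file to $1: loopback plus one /24.
write_securenets() {
  cat > "$1" <<'EOF'
# /var/yp/securenets: "host ADDRESS" or "NETMASK NETWORK", one rule per line.
host 127.0.0.1
255.255.255.0 192.168.10.0
EOF
}

# Dotted quad -> integer, for masking.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 if client address $2 matches a rule in securenets file $1, 1 if ypserv
# would refuse it.  Same test ypserv applies: (client & mask) == (network & mask).
securenets_allows() {
  ip=$(ip2int "$2")
  while read -r mask net; do
    case "$mask" in ''|'#'*) continue ;; esac
    if [ "$mask" = host ]; then m=4294967295; else m=$(ip2int "$mask"); fi
    n=$(ip2int "$net")
    [ $(( ip & m )) -eq $(( n & m )) ] && return 0
  done < "$1"
  return 1
}

# Stand-alone run against the constructed file.
f=$(mktemp)
write_securenets "$f"
for client in 127.0.0.1 192.168.10.42 10.0.0.5; do
  if securenets_allows "$f" "$client"; then echo "$client: served"
  else echo "$client: refused"; fi
done
rm -f "$f"
```

Note that without a securenets file ypserv behaves as if it contained "0.0.0.0 0.0.0.0", i.e. everyone is served; on the server, verify from a host outside the allowed range that `ypcat -d your_nis -h SERVER passwd` fails before you put real accounts in the maps.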


You're done.
Reboot and witness the magic of the ages (; (NIS has been with us since the 80's).


Reference :
1. http://www.tldp.org/HOWTO/NIS-HOWTO/
2. http://userpages.umbc.edu/~jack/ifsm498/llb-nis.html
3. http://hq4ever.googlepages.com/NIS-NFS-Autofs.ppt

Saturday, April 29, 2006

For Debian system administrators who are looking for a way to globally alter the default application associated with various MIME types, the file to edit is /etc/mailcap.

This way you could have your default PDF viewer be Evince instead of that awful gpdf. Keep in mind that /etc/mailcap is regenerated by update-mime(8) whenever a MIME-aware package is installed or removed, so put your overrides in the user section it preserves (or adjust the package order in /etc/mailcap.order) rather than in the generated part of the file.
Hi everyone.

So? What do we have here? Well... not much actually.

Sorry for getting you all overexcited; this blog's sole purpose in life is to be a textbox for my random bits from the IT world, technical and social alike. Nice to read, not much of value.

OTOH, from time to time I do have some useful tips I gather that would be very nice to remember (for future reference, of course). A blog just seems like the right textbox at the right place at the right time.


What, and you really thought I'm doing this for your entertainment? Ha.
Here we go, stick around if you like.


Love you all.
Maxim.