Linux Memory Usage

Published
by
btm
on May 8, 2008
in Uncategorized
. Comments

I’ve been trying to debug some memory problems on a ReadyNAS 1100. It has munin-node running, and I see the ‘app’ memory slowly raise something like 50-100MB a day. What’s odd is that Munin reports that it’s using 230MB of ram for ‘apps’ while memstat only reports 118224k (118MB or so), making it difficult to track down where the memory is going.

‘free’ and ‘/proc/meminfo’ only report the amount of free memory, and the amount of memory in buffers and cache other other little kernel bits. There’s no clear value for memory used. Munin calculates the used memory by subtracting other bits from memory total. I can’t find a lot of information about meminfo beyond this sort of descriptive bits about what each value means. It seems to be that if the memory is allocated, but not to buffers or cache or other small things, we assume it’s used by applications but that doesn’t pan out with tools that I can find to tell me how much memory an application is using.

The description here of the difference between VSZ (virtual size) and RSS (resident set size) is useful for looking at ‘ps aux’ output, but there’s nothing there that is using a ton of memory and feels like it’s count is pretty close to that generated by ‘memstat’.

The smugmug discussion about swappiness is interesting, as that was originally my problem because running out of memory with vm.swappiness set to 0 got the OOM killer going buck wild.  This discussion has recently made it to the lkml.

I’ll probably post to the lkml if I don’t figure something out this afternoon, as I’ve been staring at a lot of numbers lately.

Vista says you need permission to perform this action

Published
by
btm
on May 2, 2008
in Uncategorized
. Comments

Man this is annoying. A file tree ended up with a .svn folder which contains files marked read-only. When copied with Vista all is fine until you try to delete the folder, when you’re told “you need permission to perform this action” with “try again” and “cancel” with options, trying again many times didn’t do as much as I would have hoped. Eventually we found the files with the read-only attributes. These files are stored on a samba server so I suppose I’ll see if I can get get samba or a cron script to strip those attributes. Removing the read only attribute allows you to delete the file, but I can’t find any way to enable the old XP style dialog that tells you it is marked read only but allows you to delete it anyways if you have permissions. UAC is off, by the way.

update:

Raidiator, the debian based distro that runs on infrant (i always say infarant) / netgear readynas products has ’store dos attributes = 1′ in the global section of /etc/samba/smb.conf. This stores the read-only / hidden / archive / system attributes in an extended attribute called user.DOSATTRIB:

getfattr -d entries
# file: entries
user.DOSATTRIB=”0×21″

Normally this is off and newer versions of samba use ‘map read only’ to determine what read only should be set to, based on the user write bit (default) (yes), the effective permissions of the user (permissions), or ignoring permissions and only using ’store dos attributes’ (no).

I put ’store dos attributes = 0′ in the share definition to override the global (/etc/frontview/samba/Shares.conf in raidiator) and reloaded samba (/etc/init.d/samba reload) and then the files properties showed that the file was not read only any longer, thus working around the problem of Vista not letting me delete read-only files.

Putting munin on your infarant / netgear readynas

Published
by
btm
on May 1, 2008
in Uncategorized
. Comments

How slick is this. Start with root access.

wget http://www.infrant.com/beta/raidiator/4.0/dpkg/apt_0.5.28.6_sparc.deb
dpkg -i apt_0.5.28.6_sparc.deb
rm apt_0.5.28.6_sparc.deb
apt-get update
apt-get install munin-node
cd /etc/munin
vi munin-node.conf
 # update host_name
 # update allow
/etc/init.d/munin-node restart

Sharepoint 2007 - Excel locked for editing

Published
by
btm
on May 1, 2008
in Uncategorized
. Comments

Excel crashed the other day and the document from the sharepoint server could not be opened read/write due to it being ‘locked for editing’. Choosing ‘Check out’ in Sharepoint, then editing the document resolved the issue. Lots of Sharepoint 2003 discussion here.

Exchange 2007 Public Folder Security Groups

Published
by
btm
on April 30, 2008
in Uncategorized
. Comments

Tried to add an Exchange 2007 Global Security Group to a tree of public folders today. Exchange wouldn’t see the group unless it was mail enabled, but trying to switch it to a distribution group would break the NTFS ACLs that use it. Changing the group to be a universal security group however allowed me to mail enable it under recipient configuration, distribution groups, new distribution group in the exchange management console (EMC).

Then in the exchange management shell (EMS) I ran:

get-publicfolder -identity "publicfolder" -recurse |
add-publicfolderclientpermission -user "Some Kind of Managers" -accessright publishingeditor

It’s perplexing how pipes work in powershell. That ‘get-publicfolder -identity “\foo”‘ produces very little information while ‘get-publicfolder -identity “\foo” | format-list” produces extended information is confusing to say the least, coming from a DOS/UNIX background, made worse by the command being named FORMAT rather than GETMEMOREINFORMATION. Oh well. Note that in the past I’ve seen that add-publicfolderclientpermission breaks if the user has some degree of permissions already, and you have to run a get command into a pipe to a remove command to clean up first.

git commit email notification on debian etch

Published
by
btm
on April 30, 2008
in Uncategorized
. Comments

We use git with a single bare repository for our puppet configuration, and each systems administrator has a local git repository clone which they push back to the origin. I wanted to set up email notification on this main repository which lives on a debian etch server.

I found post-receive-email in the git gitweb repository and assumed that it was not included in the debian package because it has a copyright with no OSS license included. It pulls its configuration from the git config, which is repository specific and kind of neat, but I had to modify it to call ‘git-repo-config’ instead of ‘git config’ because that’s all etch had. Again, assuming some weird debian problem, but I didn’t bother looking.

Then when I had trouble with it not working I noticed my ubuntu hardy box had a newer major revision of git-core than the debian etch box. That is 1.5.4.3-1ubuntu2 and 1.4.4.4-2 respectively. I poked around the git documentation a little bit and found that the post-receive hooks weren’t added until 1.5.1. But there is a 1.5.4 git-core deb in etch-backports.

If you want to upgrade multiple boxes with a local repository, you’ll need a copy more than git-core to meet the dependences. otherwise you can just use apt-get install after adding the backports repo.

add ‘deb http://www.backports.org/debian etch-backports main’ to /etc/apt/sources.list

sudo apt-get update
sudo apt-get install debian-backports-keyring
sudo apt-get update
sudo apt-get install apt-move
sudo rm /var/cache/apt/archives/git*
for package in gitk gitweb `apt-cache search '^git-*' --names-only | awk '{ print $1 }'` ; do sudo /usr/lib/apt-move/fetch $package ; done

latest debs are in /var/cache/apt/archives, for copying to a local repository.

git-core 1.5.4.2-1~bpo40+2 includes git-config and ‘post-receive-email’.

cd /path-to-bare-git-repo/.git/hooks
ln -sf /usr/share/doc/git-core/contrib/hooks/post-receive-email post-receive
sudo chmod a+x /usr/share/doc/git-core/contrib/hooks/post-receive-email
git-config hooks.mailinglist "to@example.org"

git-config --global user.name "Your Name"
git-config --global user.email "Your Email"

tinkering with ruby, activeldap and active directory, part 2

Published
by
btm
on April 24, 2008
in Uncategorized
. Comments

These are my notes from tonights reading after trying to get activeldap working with active directory today at work. Here is when they renamed ActiveLDAP to ActiveLdap, around 0.8.0, so if you’re looking at examples using the capital case, they’re fairly old and really should probably ignore them. v0.8.0 and later is also when Base.connect went away and we got Base.establish_connection, and dnattr became dn_attribute. The most sane examples live in the rdoc in active_ldap.rb. Still not 100% there though.

Connecting to Active Directory using ruby and Activeldap

Published
by
btm
on April 24, 2008
in Uncategorized
. Comments

ruby-activeldap requires ruby-ldap and ruby-log4r (hah @ log4r). On Activeldap 0.7.4 via debian etch packages:

Remember that AD doesn’t like anonymous binds:

require 'activeldap'

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_dn => "cn=ldapbind,ou=service,dc=ad,dc=example,dc=org",
  :password => "password",
)
/usr/lib/ruby/1.8/activeldap/base.rb:312:in `connection': Unable to retrieve schema from server (plain) (ActiveLDAP::ConnectionError)

This error is deceiving though. I noticed via wireshark that it was trying to bind as ‘cn=username,dc=localdomain’, failing, and trying an anonymous bind, at which point AD was letting it search that weird referral land that typically breaks other ldap searches. After adding:

  :allow_anonymous => false

I got:

/usr/lib/ruby/1.8/activeldap/base.rb:1225:in `do_bind': Invalid credentials (LDAP::InvalidCredentials)

Using this worked:

ActiveLDAP::Base.connect(
  :host => "ad.example.org",
  :base => "dc=ad,dc=example,dc=org",
  :bind_format => "cn=%s,ou=service,dc=ad,dc=example,dc=org",
  :user => "ldapbind",
  :password => "password",
  :allow_anonymous => false
)

I’ve lost the class block using ldap_mapping I was using, but you could do things like:

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => ‘uid’, :prefix => “”
end

user = User.new(”myusername”)
puts user.mail

Awesomely enough you have to pay strict attention to what version of Activeldap you’re using. in Later versions ActiveLDAP becomes ActiveLdap and the Base.connect method becomes Base.establish_connection and works a little differently (using Activeldap 0.10.0 via gem). dnattr used with ldap_mapping becomes dn_attribute. ri is your friend here. Something like this works:

#!/usr/bin/ruby
# requires ruby-activeldap (libactiveldap-ruby1.8)
#     ruby-ldap (libldap-ruby1.8) ruby-log4r (liblog4r-ruby1.8)
# this particular syntax requires ruby-activeldap 0.10.0
# rubygems is required because I installed via gem. I don't know why.
# Bryan McLellan 

require ‘rubygems’
require ‘active_ldap’

ActiveLdap::Base.establish_connection(
  :host => “ad.example.org”,
  :base => “dc=ad,dc=example,dc=org”,
  :bind_dn => “cn=ldapbind,ou=service,dc=ad,dc=example,dc=org”,
  :password => “password”,
)

class User < ActiveLdap::Base
  ldap_mapping :dn_attribute => ‘uid’, :prefix => ‘ou=MyUsers, :classes => [”user”]
end

user = User.find(”myusername”)
puts user.mail

You need classes to tell activeldap what schema to load. Standard classes are things like [’top’, ‘account’, ‘posixAccount’]. You can list multiple schema’s in an array like I just did. I found user by ‘puts user.attribute_names’ and looking for the attribute I wanted. Note also that we’re using User.find instead of User.new. Previously User.find didn’t contain any attributes, now it does, whereas User.new will have empty attributes because it is in fact creating a new user class as one would expect (albeit in memory).

I’m going to post this as WP like to destroy my PRE blocks, and I haven’t looked for a solution yet.

moving mysql databases with innodb tables with foriegn keys

Published
by
btm
on April 23, 2008
in Uncategorized
. Comments

I was trying to move an old IRM database from a mysql 4 to a mysql 5 install. I dumped the usual way and had issues, and ended up using ‘mysqldump –opt database > date.file’ then instead of the usual ‘mysql database < date.file’ to import I ran ‘mysql database’ then the mysql command ‘SET FOREIGN_KEY_CHECKS = 0;’ followed by ’source date.file’ then ‘SET FOREIGN_KEY_CHECKS = 1;’

ERROR 1217 (23000) at line 927: Cannot delete or update a parent row: a foreign key constraint fails

ERROR 1044 (42000) at line 2: Access denied for user ‘root’@'%’ to database ‘db’

Published
by
btm
on April 22, 2008
in Uncategorized
. Comment 
ERROR 1044 (42000) at line 2: Access denied for user 'root'@'%' to database 'irm'

When I create the ‘root’@'%’ user via mysql, I forgot the grant option:

grant all on *.* to 'root'@'%' identified by 'password' with grant option;

Proxying Alfresco with mod_proxy and mod_rewrite

Published
by
btm
on April 22, 2008
in Uncategorized
. Comments 

Order allow,deny
Allow from all

ProxyRequests Off
RewriteEngine On
RewriteRule ^/alfresco/(.*) /$1 [PT]
ProxyPass / http://127.0.0.1:8080/alfresco/
ProxyPassReverse / http://127.0.0.1:8080/alfresco/

The wordpress visual editor has a frustrating desire to mess with text inside pre tags, but above is my alfresco redirect apache configuration, for the record.

copying a disk with lvm

Published
by
btm
on April 21, 2008
in Uncategorized
. Comments

I dug this out of the LVM HOWTO. I had an Ubuntu linux install on an IDE disk and I was moving this install to a newer SATA only box. I got both the disks running in the old computer and booted up on System Rescue CD. I copied my boot partition using gparted, then ran:

pvcreate /dev/newdiskpartition
vgextend oldvolumegroup /dev/newdiskpartition
pvmove /dev/olddiskpartition /dev/newdiskpartition
vgreduce oldvolumegroup /dev/olddiskpartition

I’d recommend thinking about all of this carefully before hitting enter. It took an hour or two to move 80GB of physical extents from IDE to SATA. Since I’m running ubuntu, I also mounted the new partition as /mnt, and ran ‘chroot /mnt /bin/bash’ then mounted the boot partition in /boot. I ran grub-install, updated /boot/menu.lst, and updated the UUID’s in /etc/fstab.

Short ATI Config for Ubuntu Gutsy (7.10)

Published
by
btm
on April 21, 2008
in Uncategorized
. Comments

I don’t know why this was so hard. Lots of hacks out there for getting dual head working on an ATI Radeon. This is an X1300.

I started up and Ubuntu detected that there was a Radeon installed and the restricted drivers manager wanted to install the fglrx (ati) drivers. I did this and rebooted, then ran this command with a fairly clean xorg.conf:

aticonfig –initial=dual-head –dtop=horizontal

resizing the text box in pidgin 2.4

Published
by
btm
on April 17, 2008
in Uncategorized
. Comment

I downloaded Pidgin (formerly gaim) on a new machine, like I normally do. I quickly noticed that I could no longer change the size of the text input area. I subscribed to ticket #4986 and watched the arguments roll until eventually the developers simply closed the ticket as wontfix. I’ve heard rumors there is some turmoil within development, but really only the developer to user turmoil is externally visible. I’ve just been using pidgin 2.3 while this was all being discussed but I’m switching to the funpidgin fork now that the developers have expressed that pidgin will not have an option to manually resize the text input area.

While it seems like a lame fork, it’s up to the pidgin developers I suppose as to see where things go from here. Hopefully if the pidgin developers keep contributing new code that doesn’t suck, the funpidgin developers will keep integrating it and keep up with releases. Of course, what would just be best is a damn option in pidgin to enable manual resizing again. Looks like that’s not happening with the current developer hierarchy though.

Getting manual input sizing back is a matter of  Tools -> Plugins, then Enable Entry Area Manual Size. You will likely need to close the conversation window and re-open it.

dell suu on debian linux

Published
by
btm
on April 16, 2008
in Uncategorized
. Comments

I mounted an SUU (Server Update Utility) dvd on a debian etch blade today and poked around it. ‘autorun.sh’ started X (over ssh to my ubuntu desktop) but the window was all white, although I did get a normal looking exit yes/no prompt when I closed it.

running ’suu -u’ from the command prompt worked fine (mount the cd with a full mount /dev/device /mnt otherwise you risk inheriting ‘user’ from fstab which can muck with permissions).

It ran three times and each time wanting to reboot. After the third time I checked the log and found:

/var/log/dell/suu# cat update.log
Wed Apr 16 16:55:36 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_FRMW_LX_R168472.BIN - reboot required to complete update
Wed Apr 16 16:55:37 PDT 2008  PE1955_ESM_FRMW_LX_R158506.BIN - update successful
Wed Apr 16 17:04:51 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update
Wed Apr 16 17:13:29 PDT 2008  PE1955_BIOS_LX_1.4.2_1.BIN - reboot required to complete update

OMSA confirmed that the BIOS is v1.0.0. Apparently the BIOS upgrade isn’t taking but ‘omreport storage controller’ confirmed that the PERC firmware took, which is what I cared about the most. I assume if the BIOS update took it’d stop asking me to reboot.

That was all more painless than I expected.

bugzilla and subversion integration with scmbug

Published
by
btm
on April 15, 2008
in Uncategorized
. Comments

We recently switched to subversion from cvs and after patching together a Bugzilla 3.0.3 install since the debian buzgilla package is currently orphaned, the dev lead stepped into the IT office and informed me that we needed svn + bugzilla integration for checkins. Meh. There’s a nice long howto here that covers everything, almost step by step, but most of it’s manual. If you ignore that it explains how to install everything, the configuration is somewhat short but still involved hacks with email due to the lack of an API in bugzilla that’s widely used.

SCMBug releases however, have debs, the latest being 0.23.4. you can download these and run:

dpkg -i scmbug-server_0.23.4_all.deb scmbug-common_0.23.4_all.deb ; apt-get install -f

I’m sure there’s a cleaner way to do that, but I haven’t stumbled across it yet and that works.

Installation documentation is nested deep in here.

Upon scmbug_daemon starting I saw:

** Scmbug error 77: The userlist mappings are enabled, but no mappings are configured.

My bugzilla install is currently in /usr/local/bugzilla due to the lack of a package, so I went in there and grabbed the corresponding information from localconfig to update /etc/scmbug/daemon.conf including database information (I keep my mysql databases consolidated in production), and made a point to update installation_directory to ‘/usr/local/bugzilla’.

I also enabled the mapping_regexes section (enabled =>1) and modified the “unix user mapping” to email addresses, since that’s what bugzilla uses.

I then installed scmbug-common and scmbug-tools on the subversion server and configured it like:

scmbug_install_glue --scm=Subversion --product=myproduct --repository=file:///srv/code/svn --daemon=10.0.0.19 --binary-paths=/bin,/usr/bin --bug 845

I made up the bug number, used the first one that didn’t exist in bugzilla yet. It requires all of those options. the ‘file://’ part of the svn url is required or you get the error “** Scmbug error 25: file:// prefix not specified for Subversion repository path.”

I was a little iffy about the product, because we separate out our repository by product but it’s all in one svn repository. There is chat about it all matching up here and having product be required in the scmbug_install_glue script was a little disconcerting in the way that I expect things to not work.

I used TortoiseSVN on a windows box to quickly make a new directory and tag it with a bug I made (845, after the fact of running the install script). I hit a couple default policy problems like that the bug wasn’t open yet, then that my commit message wasn’t over 50 characters. All this can be tuned in ‘/srv/code/svn/hooks/etc/scmbug/glue.conf’ after you’ve installed the glue.

Low and behold though, the install worked. Props to the scmbug folks, that was much cleaner than the alternatives.

update: checkin linkification

I modified some older diffs against bugzilla to linkify the file list on checkin. The were on bug #266 in bugzilla for scmbug, but I can’t create a login right now for whatever reason. hopefully people find it here, since I’m using this on 3.0.3 and viewsvn, which is different than what’s on the bug right now.

WP doesn’t like me pasting the diff, wrapping in pre or code tags, so it is here in my git repo.

wordpress

Published
by
btm
on April 14, 2008
in Uncategorized
. Comments

Moved this over to wordpress 2.2 from blogger. Easy enough to to do except for two things.

 1) “We were not able to gain access to your account. Try starting over.” after authorizing blogger, required an update to blogger.php locally for 2.2. Note I ’switched’ from ftp to blogspot hosting in the process of debugging this too, which was seamless and immediate.

2) The default way that wordpress allows multiple sites on debian (which is much nicer than that of gentoo btw) uses the hostname to determine which site you’re connecting to, so I moved the blog to http://blog.loftninjas.org from http://loftninjas.org/blog.

flame) And the text window is resizable, unlike pidgin.

Why the switch? I was hosting this on my server using blogger’s “SFTP” interface and about 50% of the time I used it I’d get a “Your publish is taking longer than expected. To continue waiting for it to finish, click here.” error when trying to publish.

vmware timekeeping part 3

Published
by
btm
on April 14, 2008
in Uncategorized
. Comments

earlier posts here and here.

A review:
1) We removed ntp from the linux guests and left it running on the vmware hosts.
2) We installed open-vm-tools on the guest and live enabled timesync using vmware-guestd

Notes revealed we were gaining about 40s a day.

3) set clock=pit (use clocksource=pit now) in the grub config as a kernel option and restarted a guest

That looks like about 40s over three weeks.

4) today I noticed a lot of “/dev/vmmon[3685]: host clock rate change request 500 -> 998″ messages on the vmware hosts (linux) and I set up the recommendations here which is ‘host.cpukHz = cpuspeedinkhz’, ‘host.noTSC = TRUE’, and ‘ptsc.noTSC = TRUE’ to work around possible speed step issues.

I accidentally used khz = mhz * 100 instead of khz = mhz * 1000 which made the time get way off when I stopped and then started the vm I testing was on. This was interesting though because I was afraid I’d have to stop vmware-server, not just an individual vmware-vmx process to get it to re-read /etc/vmware/config.

Looping ntpdate shows about 8/10th of a second gain over 20 minutes. Still more gain than I’d like to see. Will watch the graph and then try again in a week or two.

Avocent KVMoIP LDAP Configuration

Published
by
btm
on April 11, 2008
in Uncategorized
. Comments

The manual is way too confusing about this:

It works like this:
LDAP Overview:
LDAPS works fine with Server 2003 R2 AD, and is preferred (leave it on port 636). If you’re using fqdn’s, make sure you have DNS servers set in the network section.

On the Search page:
‘Search DN/Password’ is the Bind DN/Password.
‘Search Base’ is similarly the ‘Base DN’.
‘UID Mask’ should be ‘attribute=%1′, replace attribute with the name of the attribute storing the username, so generally with AD this is ’sAMAccountName=%1′

Query page:
If ‘Group Container Mask’ = ‘ou=%1′ and Group Container = ‘KVM’ then we’re looking for ou=KVM in the above configured BaseDN. This is where we’ll set everything up. I recommend staying at the top of the tree for simplicity.

Target mask should be ‘cn=%1′ because we’re looking for objects and * Access Control Attribute will be ‘info’ because that corressponds to ‘notes’ in the ADUC UI.

In this OU container:

1) Create a computer object with the same name as the KVM name under ‘Appliance -> Overview’. I renamed this to KVM01. I had to do this on a DC as MMC was crashing on my terminal server when creating a computer object, probably unrelated.

2) Now create a group, call it whatever. In the notes section put ‘KVM Appliance Admin’. This is how we define what you can do. Add the KVM computer object to this group, and any users (or groups, ie domain admins) you want.

3) These people will have full access to the kvm and all objects. It sounds like adding access into individual objects requires being in a group with info of ‘KVM User’ and the computer objects for the actual server names in the group as well. Bah.

Vista trust relationship login failures

Published
by
btm
on April 10, 2008
in Uncategorized
. Comments

A local Vista computer started having intermittent login failures when a domain user tried to log in about a trust problem with the account database.

Since Vista disables the local administrator account even though it had a password. I used Nordahl’s ntpasswd linux boot cd to enable the local administrator account (if I hadn’t known the password I could have changed it as well). Of course the CD requires access to the syskey as the SAM is encrypted, but it always finds it automatically since nobody puts the syskey on floppy.

Then I logged in and removed the computer to the domain, changed it’s name, and rejoined it and things were fine.

Domain profiles were kept intact by the way.

FHS Compliance for NFS mounts

Published
by
btm
on April 3, 2008
in Uncategorized
. Comments

Where should one mount shared NFS data?

FHS 2.3 has no advice. All the NFS talk is about how you might NFS mount /usr and the likes.

Options: /opt, /mnt, /srv. mnt is the old school way, but FHS uses the key word ‘temporary’ which makes sense these days, even though we’ve started using /media for most things temporary. opt? I stay away from opt since I touched oracle.

/srv : Data for services provided by this system
Sounds good to me. nfs mounts will go in /srv, since it’s all data for services provided by this system.

further vmware timekeeping

Published
by
btm
on March 27, 2008
in Uncategorized
. Comments

I’ve talked about this in other posts. I’ve been automating vmware guest creation and configuration. Time has been one of the bigger hassles. The best reading about it is here.

I automated vmware tools install using the open-vm-tools deb (backport to etch). Then used puppet to run vmware-cmd to enable timesync on all of the guests. See here.

This keeps time from falling behind, but we set up some munin graphs and saw time was gaining about 40s a day. so I just wrote another puppet exec to add ‘clock=pit’ to the end of the kernel lines. Newer kernels use time algorithms that try to correct time for lost cycles. Lost cycles are common in virtualized environments. I’ll note how this works out after a week or so.

Anti-spam gateway design notes

Published
by
btm
on March 26, 2008
in Uncategorized
. Comment

Once again I’m rebuilding an anti-spam gateway. This time I’m puppetizing it as I go, so I wanted to take some time today to think about the design.

MTA (flame war #1)
About four years ago I built a personal mail server and used qmail. Before that I don’t remember what I used, probably sendmail. Qmail’s nice because it’s small and well designed, but the author had some RFC fixation and support for things like TLS had to be patched in. This qmail install was on gentoo though, and the emerge auto-patched about over 20 features in as it built it. I believe the idea was that these features wouldn’t make it into the official source, so they wouldn’t be in a binary build either. Pain in the ass really.

I do have memories of using sendmail. Actually, horrible dreams of youthful innocence being torn to shreds by m4. We’ll stay away from the beast.

A couple years ago I built an anti-spam gateway using postfix and it was easy enough.

Queueing
In the past I’ve used amavisd with postfix to run the clamav and spamassassin checks. This has worked by taking incoming smtp messages to postfix and routing them to amavisd on another locally bound port, which scans them and then redelivers them to another locally bound port. One neat thing about this design is you could have amavis running on seperate boxes, with one doing spam, one doing antivirus, and just route between them all, with the final one doing the delivery to the internal mail servers.

qmail had qmail-scanner-queue which tied all of this together in a way that looks similar to MailScanner, that picks up the messages in one folder and when its done leaves them somewhere else.

postfix uses content_filter to tie into antispam otherwise. The trouble with this is that it’s already accepted a message by the time it’s gotten all of this far.

When you decide something is spam, you can do a couple things. If you’re still in the SMTP phase, you can reject it before you accept it. I prefer this. Otherwise you’ve accepted it and you can delete it, return it, tag it (modify the subject), or grey list it somewhere. Option #1 is bad because it may not have been spam. #2 is bad because you have to generate a email message back to the sender address saying “We think this is spam” and if it was spam, whoever gets it is certainly not the person that sent it. This is better than #1 though because you get less support calls for disappearing email. #3 and #4 are annoying because you still have to look at the mail.

In the past I’ve used RBLs in postfix to reject mail, which gets a lot of spam, then tagging in spamassassin so it’ll filter into users JunkMail folders so at least they only look at it if they’re looking for something. This is probably acceptable still. Sometimes I’ll delete mail based on spamassassin score if it’s really high, because if someone sends you a legitimate email that gets a score that high, you probably don’t want to talk to them anyway.

Ubuntu 7.10 GRUB Error 21

Published
by
btm
on March 25, 2008
in Uncategorized
. Comments

A recent install of Ubuntu Gutsy 7.10 on a slave IDE disk (cable select) with an existing master IDE disk with XP Pro on it rebooted and got a GRUB Error 21. I was about to boot off the network again to go into rescue mode and look at the grub configs, but when I saw the boot menu I wondered what the boot order since I just added the disk. When I got into BIOS I saw that Primary Slave was OFF. Ubuntu had seen the disk even though the BIOS had it disabled, and since GRUB talks to the BIOS it couldn’t find the disk. Enabling the disk by setting it to auto in the Dell BIOS fixed GRUB.

dimdim on centos (fail)

Published
by
btm
on March 24, 2008
in Uncategorized
. Comments


I managed to track down a copy of centos 4.5 i386 and made a VM to try to get dimdim running. I had all sorts of fun earlier trying to get it running on the much preferred debian. I was talking to a friend of mine about this attempt and he noted that when someone requests him to install some OSS software, one of his major filters is “does it install on debian?”. If it doesn’t have a deb, it fails the bar. This is a pretty good bar. There are exceptions for things like java before they relicensed it. Perhaps, “does it install on ubuntu?” is a better question.

That the “installer” for dimdim installs a pile of rpms from dimdim’s website that have nothing to do with the product (glibc? wtf?) is a great example of why we don’t use rpm based linux distributions.

1) People who don’t understand the differences between rpm/deb distros tend to not respect why packaging is essential, and do stupid shit like put system library rpms in their installer.

2) RPMs suck, and therefore RPM based distros suck. I’m not going to get into a flame war over this, but simply try to take your major RPM distro and upgrade it from one major version to the next. Then try to convince me how the steps you took are not cruel and unusual punishment. (”apt-get update && apt-get upgrade && apt-get dist-upgrade” Wow.)

Anyways, I ran the installer per the PDF documentation that reads like it was made by the marketing department. It managed to make it through after doing a bunch of kooky stuff to remind me that it is just a shell script, not a packaging system. (Note that if you run it twice, it’ll fail because lighttpd is already installed. Maybe this bug that was supposedly fixed last year?).

Once you run the startup script, if you connect to the host you’ll get something like this: 

404 Not FoundThe path ‘/’ was not found.

Traceback (most recent call last):  File “/usr/lib/python2.3/site-packages/cherrypy/_cprequest.py”, line 551, in respond    cherrypy.response.body = self.handler()  File “/usr/lib/python2.3/site-packages/cherrypy/_cperror.py”, line 198, in __call__    raise selfNotFound: (404, “The path ‘/’ was not found.”)

You need to go to http://host/dimdim/, the trailing slash is essential.

This time around the site was less responsive. Sometimes when you start a meeting and you install the plugins the first time, the connect to the meeting fails. Attempts to start a new meeting fail with “Exceeded server limit of meetings”. I thought this was a bug, which I worked around by restarting the server. But this time I restarted the server, joined a meeting, then tried to create another one and got this message. Let’s make this clear since dimdim doesn’t.

The Open Source Edition of Dimdim is intentionally crippled.

You can only have one active meeting at a time. While their editions page mentions that ‘dimdim pro’, a SaaS product, only allows one meeting at a time, the OSS column merely says ‘Free’ in that box. This is really perturbing. It wouldn’t be so bad if they were up front about it. There’s a thread here and here on the official sourceforge forums with no official responses. Someone there talks of having reverse engineered the limitation, but it’s a “email me” type talk, not an open discussion.

Grepping for ‘maxConcurrentConferences’ in the dimdim install shows it set to 50 in the dimdim.properties file. The forum post refers to a comment of:

## NOTE : In this Open Source Edition only 1 Meeting at a time is allowed. If you need a Dimdim Meeting Server with higher capabilities then please
## contact sales@dimdim.com.

However my dimdim.properties lacks any such note. Perhaps in the source code rather than the slightly older centos installer it says this. This value is set to 50 by default in my config files, I recall seeing some mention somewhere that this limit was in a jar file.

I later found a thread by a user complaining that only five or six users could get into a meeting. This response appears to be by a dimdim employee and states:

Open Source SF edition of dimdim is a personal edition of the meeting server and is meant to cater to single meeting. We have currently placed the restrction to upto 5 participants. For larger meetings, the resources required increase significantly and require dedicated servers.
Please use the hosted dimdim edition - for hosting larger meetings. We also provide an enterprise server build for on-premise installations.

Someone replies with the same sort of arguments that seem obvious to any OSS fan, and links to a webarchive copy of dimdim’s website where they say:

Dimdim makes extensive usage of open source components and products and hopes that someday Dimdim itself will be useful to others in the way others have been useful to it. Big thanks to the communities and individuals of all the open source projects used in Dimdim.

I assume at some point the company had OSS fans, and management has pushed it away from OSS.

Sigh. Dimdim is a very pretty waste of time.