I wanted a way to be able to determine roughly how long it had been since a user had been active. I defined active to mean that the user had had to authenticate onto a system. This is so that a box on which the user had logged in has gone into screen lock, and the user has then authenticated again to the display manager.
I used the audit log of auditd to detect when a user has authenticated to a display manager. Auditd comes installed on Fedora, but I had to install it on the ubuntu boxes.
I wrote a script “lastauthentication” which takes a username, and an optional switch for the type of output to generate:
- -t last authentication as a timestamp
- -d last authentication as a formatted date
- -s time since last authentication in seconds as an integer
- -f time since last authentication formatted
- -r record the time since last authentication for this user on this box to tarragon
I installed that script in the /usr/local/bin on oregano, cinnamon, lemongrass and paprika.
On oregano and cinnamon, I updated the backup scripts so that they perform the script with -r flag for user dee during the night. On lemongrass (laptop) often the lid is closed so I put in a cron to update tarragon with the -r flag every hour, so if I have the laptop on for at least an hour it will record. I also used cron on paprika (the kodi box), but for user “tv” instead of user “dee”. Here I used a cron because paprika doesn’t run a backup script.
What the -r flag does is simply record the -t timestamp of last authentication into a file, and transfer that file to tarragon in the /root/lastauthentication directory under the name of the box, e.g. oregano, cinnamon etc. So the directory /root/lastauthentication will have a file containing a timestamp for each box.
Then I wrote another script on tarragon, called mostrecentauth, also installed in /usr/local/bin. This script runs on tarragon from cron and it checks the lastauthentication directory to find out the last time that user dee authenticated to any of his computers. If there has been no authentication on any computer for more than 2 days, including no logon to the kodi computer to watch tv, then there might be something wrong. If the script detects no logon for MAXDAYS (currently set to 2), then it sends both and email and a text to a selected person (currently my sister) to suggest she might want to call and see if I’m still kicking.
I have been plagued by this error in subversion particularly when trying to commit from some of the boxes which I use less frequently:
svn: E175002: Unexpected HTTP status 200 ‘OK’ on ‘POST’ request to ‘/svn/!svn/me’
I have spent hours doing searches, reading posts, but have never found anyone whose issue was exactly like mine, not been able to figure it out based on other peoples issues. I resolved today to pay serious attention to figuring it out.
The solution turned out to be related to the url I used when I check something out of the svn repository. Long ago I set up a cname in dns for svn.wmbuck.net, and for a long time I used it. There is an apache config file for the servername svn.wmbuck.net, and it redirects http to https. Then at some point I began to just use https://wmbuck.net/svn/… to check things out. And that is where I went wrong, because that will work fine to do checkout, but when I try to commit from a box with that url (wmbuck.net) the http request is being routed to the default server, and the setup of the SSL session is failing.
I’m unsure exactly what is happening to cause the request to go to the default server. Perhaps the commit request does not specify SNI information.
What I do know is how to fix it. Do the checkout with https://svn.wmbuck.net/svn/ and commits work fine.
I had some trouble on the development box with permissions and decided it would be “easy” to just have apache run under user dee, that would just make everything so much easier. Right.
Two things have come up so far, and more likely to follow. One, I had to change the ownership on /var/lib/php/session from apache to dee. Second, I had to add dee into tlsusers so the media stuff can read the certificate.
This may have been a bad idea.
1/31/18: Went back to using apache user, when I moved to Fedora 27. Fedora now uses php-fpm service, and now apache needs to open a socket to it, and it just became complicated.
I’ve been using this Samsung 4K screen for 3 years. I never adjusted any of the parameters for making things larger. I just got used to the small fonts, and blew things up by application when I needed to.
I’ve been doing some reading in anticipation of getting a new laptop maybe with hidpi. Learned stuff about changing resolution.
With Gnome-Tweak tool->Windows->HIDPI Window scaling, can blow up everything in Gnome. Can only have integer values, so with 2, I can double the size. But after several years of smaller sizes I don’t really like this. Might need it on the laptop though.
With Firefox and Thunderbird, use config editor and find layout.css.devPixelsPerPx. This can have non integer values and 1.5 in Thunderbird is better for me. For Firefox I currently have it set at 1.3.
Continue reading 4K Screen
I have some problem using mod_xsendfile on tarragon. I’ve been working on getting this working for 2 days. I have had to get into the source code of the apache module to figure it out, and I want to turn on the debugging option to see what is going on.
So I have to recompile the c source file, with the define of _DEBUG, and install the it as a module. Had to figure out how to do this. It is very easy. But easy doesn’t mean I’ll remember it, thus this post.
I cloned the source:
git clone https://github.com/nmaier/mod_xsendfile (into my local git repo), and then cd into the directory, and
apxs -D_DEBUG -i -c mod_xsendfile.c
This creates the module with debugging defined, and puts it in /usr/lib64/httpd/modules/mod_xsendfile.so
It still needs to be loaded into apache. Instructions at his site say to use the -a flag, to activate, but while that would work on a simple site, it tries to put the LoadModule into /etc/httpd/conf/httpd.conf, and all my LoadModule statements are in files in the directory /etc/httpd/conf.modules.d so I need to create /etc/httpd/conf.modules.d/xsendfile.conf containing:
LoadModule xsendfile_module modules/mod_xsendfile.so
The module will log debug statements, but this still won’t actually get you any log records until you set LogLevel debug in the apache config file.
Then restart apache and Bob’s your uncle.
I’ve been using cyrus imap for about 15 years. I’m probably the last user. Carnegie Mellon recently announced that they were abandoning cyrus-imap. I never tried to get any help from them anyway, so I guess that isn’t a big deal, but it did make clear that I was using an out of date product. I also knew the product to be fragile and brittle, and tools for repair were not really available. Also, I had some things wrong with my cyrus files that were nagging. Overall it was past time to move on.
I didn’t look far for a replacement, in fact I didn’t do much research at all. Dovecot seemed the place to go. So after doing some reading I set about to convert. My plan was to convert first on oregano, my local development machine, and get it working there. I get almost no mail there. Then, once I thought I knew what I was doing, I would convert to it on one of the client websites I maintain where, again, there is very little mail, but there is some, and there are two or three accounts only, and the mail is mostly error things. Not very important. Finally, after those two, I would convert the mail on tarragon, where there is some 13GB of mail for about a dozen or so users. Continue reading Migrating to dovecot
At one point I was getting low on space on tarragondata, so I added an additional physical device to the btrfs filesystem containing tarragondata.
[root@tarragon backup_scripts]# btrfs fi show
Label: 'tarragon_data' uuid: d6e4b6fc-8745-4e6e-b6b4-8548142b5154
Total devices 2 FS bytes used 92.04GiB
devid 1 size 120.00GiB used 120.00GiB path /dev/xvdf1
devid 2 size 30.00GiB used 30.00GiB path /dev/xvdg
This is fine, but there are a couple of problems. The main one is that I can no longer use the EC2 snapshot capability on tarragondata, which meant that the nightly EC2 snapshot feature I was using had to be deimplemented.
But now I am about to create a new tarragon instance, and it would be really helpful to be able to snapshot tarragondata (Amazon snapshot, not btrfs snapshot) and then create a new Amazon volume with a consistent snapshot for testing.
So to do that, I am going to use the btrfs feature of adding and removing physical volumes to consolidate tarragondata on a single physical volume.
1) create a new 150GB physical volume in Amazon EC2 dashboard, and attach it to tarragon.
2) On tarragon, add the new physical volume to the tarragondata btrfs filesystem.
btrfs device add /dev/xvdh /mnt/tarragondata
3) Remove the older smaller physical devices one at a time:
btrfs device delete /dev/xvdg /mnt/tarragondata
btrfs device delete /dev/xvdf1 /mnt/tarragondata
This successfully moved all the data and metadata to a new 150GB drive, which enabled me to snapshot it.
On ubuntu it seems there is an automatic mdadm array check provided in /etc/cron.d/mdadm, automatically installed with mdadm. This invokes a utility /usr/share/mdadm/checkarray and the cron is set to run this on the first Sunday of every month at 12:57am. And it is set to do this check on all arrays at one time.
This is horrible! So with 5 arrays, totalling 25TB, when this sucker fires up it quickly saturates the i/o capacity of cinnamon, slows to a crawl and settles in to run forever.
I’ve commented that out, and added my own /etc/cron.d/dee_mdadm which doesn’t do all the goofy shenanigans to try to ensure the thing runs on a Sunday (WHY?! Because the guy who wrote it doesn’t work on Sunday?). Instead, my version simply runs on the first of the month, at 12:57am, and on each month it starts the consistency check on a different array. I have 5 arrays, so 3 are checked twice a year, and 2 are checked thrice. Checking just one at a time means there is a good chance it will be done before morning, at least for the small arrays.
I don’t really think the whole consistency check idea is doing me much good, but at least this doesn’t unaccountably bring the system to its knees on the first Sunday of every month.
I’ve used a variety of certificate providers over the years, Thawte, CA-Cert, Verisign, Comodo, Startcom. Until about six months ago I was using Startcom, and had spent a fair amount of energy setting that up for my own site (this one) as well as all the other sites I manage.
Then Wo-Sign acquired Startcom, and browsers starting distrusting Startcom. I ended up buying a cert from Comodo for this site.
But then I found out about Let’s Encrypt. Not only are they free, but they have this whole ACME auto update thing worked out, using various ACME clients. I’ve been using Certbot from EFF. Continue reading Updating certificates to “Let’s Encrypt” with ACME
The current 128GB (119.2GiB) Plextor M.2 disk on cinnamon was created with a very small (256MB/243MiB) /boot partition. Turns out this was a mistake, as it will only hold 3 kernels, so I’m constantly having to go in and remove kernel n-3 to make room.
The remainder of the drive is a single extended partition, containing a 119GiB LUKS container, which contains a 119GiB LVM volume group, which has a root of 107.3GiB and an 11.7GiB swap. The root is only 13% utilized, and while it may grow a little it is in no danger or running out of space. The swap is also far larger than needed. I want to steal a couple of GB from one of them to increase the /boot, but I want to do this while retaining the contents of both the / and the /boot.
Long story short, turns out I wasn’t able to do it. But the journey was a great learning experience for me, so I’ve kept the notes, for future reference.
Continue reading Fail: Resizing /boot on Cinnamon