All posts by dee

Using pam_mysql for authentication

On the occasion of moving the server to Amazon, I decided to stop using LDAP. I was making very little use of it, having started to keep my contacts elsewhere. All it was really doing was providing the authentication file for Apache logins. And there were so few of those that it was quite easy to manage with an htpasswd file.

But recently I’ve begun providing mail to some friends, and while I am happy to provide them with system accounts, the problem is that they don’t really WANT system accounts – they just want mail. So the husband asked me, how do I change my password? And the only answer I have is, you have to log on. Worse than that, of course, I can’t really even allow him to log on without making him set up public key authentication.

I would like to enable people to use the server for mail, and to be able to authenticate with Apache, and I would like them to manage their own passwords for this without making them log on via ssh, which would require that they have a key pair registered with me. I looked into being able to change the system password via a web page, but it looks very messy, and seriously – system passwords are supposed to require a human being; that is intentional.

So I looked into authenticating the mail, and Apache, using a database. I found a PAM module called pam_mysql which I can use with saslauthd. I set /etc/pam.d/imap and /etc/pam.d/smtp to point to a new PAM entry called mail, which uses pam_mysql to authenticate against the database (and still also authenticates against system accounts if there is no entry in the database).
Continue reading Using pam_mysql for authentication
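
A PAM stack of the kind described above, written out as an added example; it is not the author's actual configuration. It assumes saslauthd is started with -a pam (the service name PAM sees is the one the mail daemon supplies, hence the imap and smtp files), pam_mysql's config_file option, and a users table with name and passwd columns, none of which this post shows.

```text
# /etc/pam.d/imap and /etc/pam.d/smtp: each just defers to the shared "mail" stack
auth     include   mail
account  include   mail

# /etc/pam.d/mail
#
# Weak form, for comparison:
#   auth sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
#   auth required   pam_unix.so
# "sufficient" falls through to pam_unix on ANY pam_mysql failure, so a user
# who is in the table but typed the wrong database password gets a second
# try against a same-named system account, and a database outage quietly
# degrades to system passwords.
#
# Strict form: fall through only when pam_mysql reports the user as unknown
# (assumption: pam_mysql returns user_unknown for an empty query result);
# a wrong password or an unreachable database fails closed.
auth     [success=done new_authtok_reqd=done user_unknown=ignore default=die]  pam_mysql.so config_file=/etc/pam_mysql.conf
auth     required  pam_unix.so
account  [success=done new_authtok_reqd=done user_unknown=ignore default=die]  pam_mysql.so config_file=/etc/pam_mysql.conf
account  required  pam_unix.so

# /etc/pam_mysql.conf, root:root mode 0600: it holds the database password,
# which is why these options are not written inline in the world-readable
# /etc/pam.d/mail. Table and column names are assumptions.
host=localhost
db=mail
user=pam_ro
passwd=replace-me
table=users
usercolumn=name
passwdcolumn=passwd
crypt=1
```

crypt=1 means the passwd column holds crypt(3) hashes, so a self-service password page only ever has to write a fresh $6$ (SHA-512 crypt) hash into that one column and never touches /etc/shadow; crypt=0 would store plaintext. The MySQL account pam_mysql connects as needs only SELECT on that table.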

Boinc client: No usable GPUs

The first thing I had to do to get this to work was to obtain the GPU support package; for Ubuntu this was boinc-amd-opencl.

Then I had to add the xhost command to /etc/init.d/boinc-client, which gives the boinc user access to the GPU.

The information on the web was wrong about this. The command I had to add was:

xhost si:localuser:boinc

si means server-interpreted, and the kinds of strings accepted are described in man xsecurity. localuser means a local user name. The web articles I found claimed one needed to do xhost local:boinc, but the description of xhost local: is that it doesn’t take a user name; it makes all LOCAL connections available. Which sounds good, but didn’t work. After doing xhost local:boinc it was the same as if I had just done xhost local, and I got an entry “LOCAL” when I did xhost, but it didn’t work.

Apache Configuration Issues

Trying to set up a new Zend Framework (ZF) website, I struggled once again with getting the setup correct. I learned some lessons, and this post is supposed to help me remember them.

First, the requirements.

1) ZF websites need rewrite rules to force all the URLs through index.php so they can be picked apart. Also, ZF websites using the ZF config mechanisms need an APPLICATION_ENV environment variable set somewhere in the site configuration, so the website can figure out where it is running and make host-specific decisions (e.g. where the database is, whether to turn on debugging).

2) I want to keep the website in a repository, and check it out onto different web hosts for testing, development and production. So any configuration which is host-specific should not be in the repository but in the host configuration files.

3) Although the URLs for the ZF website need to be rewritten to index.php, there may be other URLs (like phpmyadmin) that should not be rewritten, so the configuration has to allow for this. In particular, on some websites (like wmbuck.net) the website itself redirects users who are not logged in to the blog (this blog) with a redirect to /blog/. The rules need to allow this URL to be handled in the normal way (selecting /blog/index.php).

The rewrite rules and application environment setting can be put in an .htaccess file within the DocumentRoot; most ZF documentation describes doing it this way. But for me, at least the application environment variable can’t go there, because everything under DocumentRoot is in the repository. I want APPLICATION_ENV oregano on one box and APPLICATION_ENV tarragon on another, and if this is in .htaccess, and .htaccess is in the repository, the file can only have one or the other setting.
Continue reading Apache Configuration Issues
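
One way to meet all three requirements from the vhost rather than from .htaccess, as an added example that is not the author's actual configuration. The checkout path, the vhost name and the assumption that /blog/ is a directory under the DocumentRoot are mine; the ZF rewrite conditions are the standard ones from the ZF documentation, moved into server config.

```apache
# Host-specific settings live in the vhost, which is not in the repository.
<VirtualHost *:80>
    ServerName   wmbuck.net
    # Assumed checkout path; public/ is the ZF document root.
    DocumentRoot /var/webdata/wmbuck/public
    # The other box's vhost says "oregano" here.
    SetEnv APPLICATION_ENV tarragon

    <Directory /var/webdata/wmbuck/public>
        # Nothing checked into the repository can alter server configuration.
        AllowOverride None
        # Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Allow from all".
        Require all granted
        RewriteEngine On

        # Paths that must not go through the front controller. /blog/ is
        # where the site redirects anonymous users; it is served as a plain
        # directory, so DirectoryIndex picks /blog/index.php as usual.
        # (If phpMyAdmin is served by an Alias outside this directory these
        # rules never see it anyway.)
        RewriteRule ^(blog|phpmyadmin)(/|$) - [L]

        # Existing files, symlinks and directories are served directly ...
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]

        # ... everything else is routed to index.php for ZF to pick apart.
        RewriteRule ^.*$ index.php [NC,L]
    </Directory>
</VirtualHost>
```

SetEnv reaches PHP's getenv() under mod_php; with php-fpm the variable has to be set in the pool configuration instead. AllowOverride None also silences any .htaccess that the blog itself ships (pretty-permalink rules, for instance): either move those into the vhost as well or grant AllowOverride for that one subdirectory only.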

New Server

The server for wmbuck.net (tarragon is its name) has been moved to Amazon EC2.

In part this was an experiment, motivated by curiosity about the ease or difficulty of maintaining a server in the cloud. But in part it was also motivated by dissatisfaction with the previous hosting environment, Superb Hosting. I needed to upgrade the server capacity. It had not been improved for 7 years, and it was ancient hardware when I got it. But at Superb I ran into a lot of trouble, because I wanted to use btrfs (see the earlier post about using btrfs on the home computer, oregano). Superb offers old stable kernels, but I really needed a kernel new enough to have a stable btrfs in it. After I lost all my work owing to btrfs driver problems in an old CentOS kernel, I was highly motivated to try another hosting arrangement where I could have my kernel of choice.

In mid May I set about creating a new tarragon. It took less than a week to set up, including all my learning curve, and all the migration issues, data transfer, etc. It has been running as wmbuck.net for over a month. The few hiccups were mistakes of transition on my part. Up to this moment I have had no problem which has turned out to be of any but my own making.
Continue reading New Server

New disk layout using btrfs

Preparatory to doing an upgrade of Fedora on one of my linux boxes, I decided it was time to revise the disk layouts. Specifically, I finally got around to building a separate partition for /home. After doing a little reading, it looked to me like a good way to do this was to use btrfs. Initially I also made a separate /var, but decided that was both unneeded and error prone, and went another way. The main objective of this work was to reduce the drag in upgrading Fedora.

Root is on a small (64GB) SSD, LUKS-encrypted, which holds /boot and an LVM VG for / and swap; / is ext4. I built a 2GB mdadm RAID-1 mirror with LUKS encryption on top of it, and then layered a btrfs file system called oreganodata on that. The root of oreganodata is not typically mounted, but it has the following subvolumes, automounted at boot time:

  1. /home -> oreganodata/home
  2. /mail -> oreganodata/mail (/var/lib/imap and /var/spool/imap are symlinks to /mail/lib and /mail/spool)
  3. /var/lib/mysql -> oreganodata/maria
  4. /usr/local/bin -> oreganodata/bin
  5. /etc/pki/mycerts -> oreganodata/certs
  6. /var/webdata -> oreganodata/webdata (websites have symlinks into /var/webdata as needed)

Continue reading New disk layout using btrfs
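
How the subvolumes above get mounted at boot, as an added example; these are not the author's actual files. The md device name, the mapper name and the key-file path are assumptions; the subvolume names are the ones in the list.

```text
# /etc/crypttab: open the LUKS container that sits on the mdadm mirror.
# The key file lives on the already-encrypted root, so boot does not ask
# for a second passphrase. /dev/md0 and the key path are assumptions.
oreganodata  /dev/md0  /etc/luks-keys/oreganodata  luks

# /etc/fstab: the top level of the btrfs volume is never mounted; each
# subvolume is mounted by name with subvol=.
/dev/mapper/oreganodata  /home             btrfs  subvol=home,noatime     0 0
/dev/mapper/oreganodata  /mail             btrfs  subvol=mail,noatime     0 0
/dev/mapper/oreganodata  /var/lib/mysql    btrfs  subvol=maria,noatime    0 0
/dev/mapper/oreganodata  /usr/local/bin    btrfs  subvol=bin,noatime      0 0
/dev/mapper/oreganodata  /etc/pki/mycerts  btrfs  subvol=certs,noatime    0 0
/dev/mapper/oreganodata  /var/webdata      btrfs  subvol=webdata,noatime  0 0
```

The key file should be root-only (mode 0400); the data volume is then exactly as well protected as the root volume holding the key, no more. For the MySQL subvolume it is usual to run chattr +C on the empty directory before the server first writes to it, since copy-on-write fragments files that are rewritten in place.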

Boot Disk Encryption, Cryptsetup and Initramfs

Setting up Cinnamon so that the boot disk is encrypted has been a source of frustration for 3 releases now.

Most recently I installed Saucy. As with Raring, it doesn’t seem to be possible to install onto an encrypted root successfully with the desktop installer. Everything seemed to work until it was time to install the boot loader. That seems to have failed, and I wasn’t able to get it to work.

Ultimately, I went back to installing the server version, and then doing an apt-get install ubuntu-desktop. Although this seemed to work out of the chute, I had a few issues.

The configuration files for lightdm changed structure, and my “after the reinstall” script, which endeavours to restore all the tweaks I have in config files, put a file named /etc/lightdm/lightdm.conf out there, which seemed to croak lightdm. When I moved the file into the new lightdm.conf.d scheme that problem was solved. All that was about getting the synergy client running as soon as the display manager comes up.
Continue reading Boot Disk Encryption, Cryptsetup and Initramfs

Ruby and Rails

I haven’t done any Ruby or Rails for about 5 years. I decided to get back into it a little. Maybe do a simple site to brush up on my fairly meager skills. Recent posts about the updates in the Flight apps were all about doing the same thing with Java. I hadn’t done much Java for a pretty long time.

I find that Rails has changed quite a lot. In fact, I threw away the book I had, which was so far out of date that it was misleading me. Some of the problems that used to bother me about Rails have been resolved. I used to hate that one had to resort to various jiggery-pokery like FastCGI to bring up the Ruby environment from within Apache. This seems to have been nicely resolved with the mod_rails thing. And I am reminded again that I love Ruby. I think it is a delightful language.

Broken bones

Clambering around working on the garage I took a spill last Tuesday (9/18) and broke my ankle in three places. I’ve been having to get around the house on crutches.

You know the worst thing about crutches? That you can’t carry anything! To get the coffee from the kitchen to the desk where I work requires a succession of steps where I crutch to a location, stand still on one leg and move the coffee from the brewing location to a different spot in the kitchen, reposition myself, and stand on one leg while I move the coffee from that location to the pass-through counter, walk around into the other room, position and move the coffee from the pass-through to the worktable, reposition and move the coffee from the worktable to the desk. Then crutch over to the desk sit down, turn on the chair and I’m finally able to reach the coffee.

I won’t even describe what I have to do to carry stuff up the steps to bed at night.

Stupid TFR

It is a beautiful day today. Friday I tried to go flying but there was so much haze from the fire up near Wyoming that it was just no fun. So I’ve been looking forward to flying today. But I can’t.

OBAMA is in town.

I have no interest in this. I don’t care if he wants to try to drum up votes from the students.

But because of him, I cannot fly. There is a stupid Temporary Flight Restriction over the whole city – Denver and Boulder. I think this is insanity. I’ve been told that back in the 40’s Harry Truman used to walk around on the street in DC. People would say hello. Now the President thinks he is a God, and that all the citizens in the country are serfs that he can just walk on. Probably not fair — it probably isn’t really him that thinks he is a God – it is probably all the retinue of fascists around him. And I guess it is true that there are a lot of crazy people out there who want to do violence. But stopping air traffic over the whole city? Isn’t that too much?

Getting tomcat running again

It has been a hell of a struggle to upgrade the server (which hosts this site) from Fedora 13 to Fedora 17. The last step was to get my flying apps running in Tomcat again. I confess I don’t track what happens in the Java world very closely. And it is a very active world – lots of stuff happening. So it is no surprise, I suppose, that when you jump four releases there are some adjustments to be made.

To get Tomcat running I had to make the following adjustments, in addition to the obvious stuff of adding the FlightPlan war file to /usr/share/tomcat/webapps, installing the MySQL JDBC connector, and updating /etc/tomcat/tomcat-users.xml.

Tomcat was unable to find org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory. I had to add JAVA_OPTS="$JAVA_OPTS -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory" to /etc/sysconfig/tomcat. It may be that this is a problem of my own making somehow. In an earlier post I commented about the ongoing evolution in the methods available to connect Java apps/servlets with databases. My servlets now use Java DataSources, which I think are the “latest thing”, and I’m a little surprised that I have to make special provision for finding the classes. This makes me think it probable that if I understood this better, and did things according to “best practice” in the Java world, I wouldn’t have this problem. But as I said before, catching up with all the advancements in Java over 7 years is a tall order.

Then Tomcat was unable to find apache-commons-pool.jar, so I had to add a symlink commons-pool.jar -> /usr/share/java/apache-commons-pool.jar in /usr/share/tomcat/lib. This is less surprising, I think. The reference to this part of Apache Commons comes from the previous (BasicDataSourceFactory) classes; if those weren’t there, we wouldn’t need this.
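
The per-resource alternative to a JVM-wide -D setting is to name the factory on the Resource element itself, which is what the Tomcat JNDI documentation shows. This is an added example, not the FlightPlan application's own configuration; the resource name, database, credentials and pool sizes are assumptions.

```xml
<!-- META-INF/context.xml inside the FlightPlan war, or the server-side
     conf/Catalina/localhost/FlightPlan.xml (same element, either place) -->
<Context>
    <!-- factory= names the class outright, so Tomcat never consults the
         javax.sql.DataSource.Factory system property for this resource.
         The stock Tomcat 7 download repackages DBCP as
         org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory; a distribution
         that ships commons-dbcp as a separate jar has it under its original
         name, org.apache.commons.dbcp.BasicDataSourceFactory. -->
    <Resource name="jdbc/flightplan"
              auth="Container"
              type="javax.sql.DataSource"
              factory="org.apache.commons.dbcp.BasicDataSourceFactory"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/flightplan"
              username="flightplan"
              password="replace-me"
              maxActive="8"
              maxIdle="4"
              maxWait="10000"
              validationQuery="SELECT 1"/>
</Context>
```

The servlet looks it up as java:comp/env/jdbc/flightplan through InitialContext. Putting the element in conf/Catalina/localhost/FlightPlan.xml rather than inside the war keeps the database password out of the build artifact and out of any repository the application source lives in.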

The flying apps seem to be running properly now.