I find the whole clamav subsystem to be fragile. I think this is because it is written as a tool which stands on its own, but I’m only using it as a subsystem hung onto the side of amavisd. So there is some hand-waving and jiggery pokery with the sockets and the permissions to enable the two to communicate, which has to be done manually, and is not properly a part of either subsystem.
I have another article on setting up this subsystem here, which records some of the stuff being done. I think basically, amavisd has to know where the shared socket is, in order to send messages to clamav to check, and they have to agree on the ownership and permissions of the socket and its directory.
Once in a while that stuff gets crosswise, and since I only vaguely understood what was going on, and only did the hand-waving by rote, I got annoyed with it. I’ve grown used to being able to just have things slot in and work, without my having to actually dig in and understand them. The nerve of these people, to expect me to know what is going on in order to make it work! Irony intended. Continue reading Clamav and Amavisd
I wanted a way to be able to determine roughly how long it had been since a user had been active. I defined active to mean that the user had had to authenticate onto a system. This is so that a box on which the user had logged in has gone into screen lock, and the user has then authenticated again to the display manager.
I used the audit log of auditd to detect when a user has authenticated to a display manager. Auditd comes installed on Fedora, but I had to install it on the ubuntu boxes. Continue reading Recording last authentication
I have been plagued by this error in subversion particularly when trying to commit from some of the boxes which I use less frequently:
svn: E175002: Unexpected HTTP status 200 ‘OK’ on ‘POST’ request to ‘/svn/!svn/me’
I have spent hours doing searches, reading posts, but have never found anyone whose issue was exactly like mine, not been able to figure it out based on other peoples issues. I resolved today to pay serious attention to figuring it out.
The solution turned out to be related to the url I used when I check something out of the svn repository. Long ago I set up a cname in dns for svn.wmbuck.net, and for a long time I used it. There is an apache config file for the servername svn.wmbuck.net, and it redirects http to https. Then at some point I began to just use https://wmbuck.net/svn/… to check things out. And that is where I went wrong, because that will work fine to do checkout, but when I try to commit from a box with that url (wmbuck.net) the http request is being routed to the default server, and the setup of the SSL session is failing.
I’m unsure exactly what is happening to cause the request to go to the default server. Perhaps the commit request does not specify SNI information.
What I do know is how to fix it. Do the checkout with https://svn.wmbuck.net/svn/ and commits work fine.
I had some trouble on the development box with permissions and decided it would be “easy” to just have apache run under user dee, that would just make everything so much easier. Right.
Two things have come up so far, and more likely to follow. One, I had to change the ownership on /var/lib/php/session from apache to dee. Second, I had to add dee into tlsusers so the media stuff can read the certificate.
This may have been a bad idea.
1/31/18: Went back to using apache user, when I moved to Fedora 27. Fedora now uses php-fpm service, and now apache needs to open a socket to it, and it just became complicated.
I’ve been using this Samsung 4K screen for 3 years. I never adjusted any of the parameters for making things larger. I just got used to the small fonts, and blew things up by application when I needed to.
I’ve been doing some reading in anticipation of getting a new laptop maybe with hidpi. Learned stuff about changing resolution.
With Gnome-Tweak tool->Windows->HIDPI Window scaling, can blow up everything in Gnome. Can only have integer values, so with 2, I can double the size. But after several years of smaller sizes I don’t really like this. Might need it on the laptop though.
With Firefox and Thunderbird, use config editor and find layout.css.devPixelsPerPx. This can have non integer values and 1.5 in Thunderbird is better for me. For Firefox I currently have it set at 1.3.
Continue reading 4K Screen
I have some problem using mod_xsendfile on tarragon. I’ve been working on getting this working for 2 days. I have had to get into the source code of the apache module to figure it out, and I want to turn on the debugging option to see what is going on.
So I have to recompile the c source file, with the define of _DEBUG, and install the it as a module. Had to figure out how to do this. It is very easy. But easy doesn’t mean I’ll remember it, thus this post.
I cloned the source:
git clone https://github.com/nmaier/mod_xsendfile (into my local git repo), and then cd into the directory, and
apxs -D_DEBUG -i -c mod_xsendfile.c
This creates the module with debugging defined, and puts it in /usr/lib64/httpd/modules/mod_xsendfile.so
It still needs to be loaded into apache. Instructions at his site say to use the -a flag, to activate, but while that would work on a simple site, it tries to put the LoadModule into /etc/httpd/conf/httpd.conf, and all my LoadModule statements are in files in the directory /etc/httpd/conf.modules.d so I need to create /etc/httpd/conf.modules.d/xsendfile.conf containing:
LoadModule xsendfile_module modules/mod_xsendfile.so
The module will log debug statements, but this still won’t actually get you any log records until you set LogLevel debug in the apache config file.
Then restart apache and Bob’s your uncle.
I’ve been using cyrus imap for about 15 years. I’m probably the last user. Carnegie Mellon recently announced that they were abandoning cyrus-imap. I never tried to get any help from them anyway, so I guess that isn’t a big deal, but it did make clear that I was using an out of date product. I also knew the product to be fragile and brittle, and tools for repair were not really available. Also, I had some things wrong with my cyrus files that were nagging. Overall it was past time to move on.
I didn’t look far for a replacement, in fact I didn’t do much research at all. Dovecot seemed the place to go. So after doing some reading I set about to convert. My plan was to convert first on oregano, my local development machine, and get it working there. I get almost no mail there. Then, once I thought I knew what I was doing, I would convert to it on one of the client websites I maintain where, again, there is very little mail, but there is some, and there are two or three accounts only, and the mail is mostly error things. Not very important. Finally, after those two, I would convert the mail on tarragon, where there is some 13GB of mail for about a dozen or so users. Continue reading Migrating to dovecot
At one point I was getting low on space on tarragondata, so I added an additional physical device to the btrfs filesystem containing tarragondata.
[root@tarragon backup_scripts]# btrfs fi show
Label: 'tarragon_data' uuid: d6e4b6fc-8745-4e6e-b6b4-8548142b5154
Total devices 2 FS bytes used 92.04GiB
devid 1 size 120.00GiB used 120.00GiB path /dev/xvdf1
devid 2 size 30.00GiB used 30.00GiB path /dev/xvdg
This is fine, but there are a couple of problems. The main one is that I can no longer use the EC2 snapshot capability on tarragondata, which meant that the nightly EC2 snapshot feature I was using had to be deimplemented.
But now I am about to create a new tarragon instance, and it would be really helpful to be able to snapshot tarragondata (Amazon snapshot, not btrfs snapshot) and then create a new Amazon volume with a consistent snapshot for testing. Continue reading Adjusting the size of the tarragondata volume
I’ve used a variety of certificate providers over the years, Thawte, CA-Cert, Verisign, Comodo, Startcom. Until about six months ago I was using Startcom, and had spent a fair amount of energy setting that up for my own site (this one) as well as all the other sites I manage.
Then Wo-Sign acquired Startcom, and browsers starting distrusting Startcom. I ended up buying a cert from Comodo for this site.
But then I found out about Let’s Encrypt. Not only are they free, but they have this whole ACME auto update thing worked out, using various ACME clients. I’ve been using Certbot from EFF. Continue reading Updating certificates to “Let’s Encrypt” with ACME
The current 128GB (119.2GiB) Plextor M.2 disk on cinnamon was created with a very small (256MB/243MiB) /boot partition. Turns out this was a mistake, as it will only hold 3 kernels, so I’m constantly having to go in and remove kernel n-3 to make room.
The remainder of the drive is a single extended partition, containing a 119GiB LUKS container, which contains a 119GiB LVM volume group, which has a root of 107.3GiB and an 11.7GiB swap. The root is only 13% utilized, and while it may grow a little it is in no danger or running out of space. The swap is also far larger than needed. I want to steal a couple of GB from one of them to increase the /boot, but I want to do this while retaining the contents of both the / and the /boot.
Long story short, turns out I wasn’t able to do it. But the journey was a great learning experience for me, so I’ve kept the notes, for future reference.
Continue reading Fail: Resizing /boot on Cinnamon