Recent Posts

gitolite install
posted on 2017-01-02 22:37

A fast setup of a proper gitolite server, since the current debian package is either borked or I just need sleep. Keep in mind this was written on the fly and may have errors.

assumptions

  • this will use the user git (hope it's not used already)
  • put the files in /var/lib/gitolite
  • use the latest gitolite.
  • GITSERVER: ip or domain name or /etc/hosts alias of your git server
  • debian was used, adapt accordingly if you use redhat derivatives or (god help) suse

setup and install

On the server: (as root)

apt install git -y
mkdir -p /var/lib/gitolite/bin
useradd -d /var/lib/gitolite/ -U -s /bin/bash git
passwd git
ssh-keygen -trsa -b4096
cp /root/.ssh/id_rsa.pub /var/lib/gitolite/admin.pub
chown -R git:git /var/lib/gitolite

su - git

cat << EOF > .bash_profile
alias l='ls -alh --color'
export PATH=/var/lib/gitolite/bin:\$PATH
EOF
echo $PATH  ## gitolite path missing
logout
su - git
echo $PATH  ## gitolite path not missing anymore, and 'l' works, too

git clone https://github.com/sitaramc/gitolite  ## https instead of git://, which github no longer serves
gitolite/install -ln /var/lib/gitolite/bin
gitolite setup -pk admin.pub
logout
cd

git clone git@localhost:gitolite-admin
cd gitolite-admin

Now we're mostly set, but the 'testing.git' repo isn't needed, so let's just delete it. This also showcases how to use the admin repo directly on the server, in case you manage to fuck up your workstation or its ssh key (which we will set up later):

vim conf/gitolite.conf  ## remove 'repo testing' line and the one following it
git add -A .
git commit -m '-testing repo'
git push

In case git's nagging about missing 'git config' settings is annoying:

git config --global user.name root
git config --global user.email root@GITSERVER
git config --global push.default simple  ## adopting default behaviour is usually the way to go

So far, so good.

on deleting repositories

Repositories that were removed from the config will still exist on disk under /var/lib/gitolite/repositories:

git@git-1:/var/lib/gitolite/$ gitolite list-repos
gitolite-admin
git@git-1:/var/lib/gitolite/$ gitolite list-phy-repos
gitolite-admin
testing

If you want it to be gone, simply delete the repo folder on disk.

adding your workstation key to gitolite, too?

Likely you want ssh access to root via key (you disable password logins for root in ssh, don't you?), so let's set this up and put the key into gitolite, too. I'll provide an example; my user is called 'sjas', of course.

On my workstation:

ssh-copy-id root@GITSERVER  ## in case you didn't do that already
scp ~/.ssh/id_rsa.pub root@GITSERVER:/root/gitolite-admin/keydir/sjas.pub
ssh root@GITSERVER
cd gitolite-admin

# ... now edit gitolite config... 
# ... see next section how I prefer doing things ...

git add -A .
git commit -m '+workstation key'
git push

splitting the gitolite.conf and groups

I prefer having two files, one for the group definitions, one for the repositories. Here is how these files would look:

root@git-1:~/gitolite-admin/conf# tail -n +1 *
==> gitolite.conf <==
include "groups.conf"
include "repos.conf"

==> groups.conf <==
@sjas   = sjas
@admins = @sjas admin

==> repos.conf <==
repo    gitolite-admin
    RW+ = @admins admin
repo    ansible
    RW+ = @sjas

The @'s denote groups. You can group users into user groups and repositories into repository groups, in case you'd ever need that.

Comments also work, via #.

Just remember to define a group before using it, and in group definitions list the group names first and then the users. That is, on the right-hand side after the equals sign, in case the last sentence wasn't clear.

For more about this, go here and here. There's way more you can do, but this should cover the bare minimum for most work you'd ever need to do.

The official documentation looks rather sketchy at first, but is pretty good and all you need is covered there.
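
As an added example (not part of the post and not gitolite's own code), here is a small checker for the "define a group before you use it" rule on a split config like the one above. It follows include lines in order and flags every @group referenced in a group definition, a repo line or a rule line before the line that defines it. SAMPLE_CONF mirrors the three files shown above; BROKEN_CONF is a constructed variant with two violations.

```python
import re

# Constructed sample modelled on the split config shown in the post (these are
# not the author's files): gitolite.conf only includes the other two.
SAMPLE_CONF = {
    "gitolite.conf": 'include "groups.conf"\ninclude "repos.conf"\n',
    "groups.conf": "@sjas   = sjas\n@admins = @sjas admin\n",
    "repos.conf": (
        "repo    gitolite-admin\n    RW+ = @admins admin\n"
        "repo    ansible\n    RW+ = @sjas\n"
    ),
}

# Constructed broken variant: @sjas is used before it is defined and @devs is
# never defined at all.
BROKEN_CONF = {
    "gitolite.conf": 'include "groups.conf"\ninclude "repos.conf"\n',
    "groups.conf": "@admins = @sjas admin\n@sjas   = sjas\n",
    "repos.conf": "repo    ansible\n    RW+ = @devs\n",
}

INCLUDE_RE = re.compile(r'^include\s+"([^"]+)"\s*$')
GROUP_DEF_RE = re.compile(r"^(@\S+)\s*=\s*(.*)$")
REPO_RE = re.compile(r"^repo\s+(.*)$")


def expand_lines(files, name, stack=()):
    """Yield (file, lineno, text) in include order, comments and blanks removed.

    files maps file names to their contents; include loops raise ValueError.
    """
    if name in stack:
        raise ValueError("include loop: " + " -> ".join(stack + (name,)))
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        text = raw.split("#", 1)[0].strip()   # gitolite treats # as a comment
        if not text:
            continue
        m = INCLUDE_RE.match(text)
        if m:
            yield from expand_lines(files, m.group(1), stack + (name,))
        else:
            yield name, lineno, text


def check_groups(files, root="gitolite.conf"):
    """Return a message for every @group referenced before its definition.

    Looks at group definitions, 'repo @group' lines and the right-hand side
    of rule lines such as 'RW+ = @admins admin'.
    """
    defined = set()
    problems = []

    def check_refs(fname, lineno, names, where):
        for n in names:
            if n.startswith("@") and n not in defined:
                problems.append(f"{fname}:{lineno}: {n} used in {where} before it is defined")

    for fname, lineno, text in expand_lines(files, root):
        m = GROUP_DEF_RE.match(text)
        if m:
            group, members = m.group(1), m.group(2).split()
            check_refs(fname, lineno, members, group)
            defined.add(group)       # usable from this line on
            continue
        m = REPO_RE.match(text)
        if m:
            check_refs(fname, lineno, m.group(1).split(), "repo line")
            continue
        if "=" in text:              # rule lines: everything right of '=' is users/groups
            check_refs(fname, lineno, text.partition("=")[2].split(), "rule")
    return problems


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        found = check_groups(conf)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  " + p)
```

Run it against the conf directory before pushing the admin repo; a clean result means every group is defined ahead of its first use, which is the rule the post asks you to keep.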

apache proxy ssl directives
posted on 2016-12-29 18:01

Likely you'd need these:

SSLEngine on
SSLProxyEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile      CERTFILE
SSLCertificateKeyFile   PRIVKEY
SSLCACertificateFile    CACERTFILE
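
As an added example (not from the original post): with SSLProxyVerify none and the three SSLProxyCheckPeer* directives off, Apache accepts whatever certificate the backend presents, so the proxy cannot tell the real backend from anything else answering on that address. That is only acceptable for a backend on a network you fully control. Where the backend certificate can be validated, this is the verifying form of the same block; the CA bundle path is an assumed placeholder.

```apache
SSLEngine on
SSLProxyEngine on
# verify the backend certificate against a CA bundle you control (placeholder path)
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt
# and insist that it is issued to the backend name and is still valid
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLCertificateFile      CERTFILE
SSLCertificateKeyFile   PRIVKEY
SSLCACertificateFile    CACERTFILE
```
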
clustershell
posted on 2016-12-29 13:26

When needing to run commands on several servers over ssh, there's always that for-loop for you.

But you could also try running clustershell:

sjas@ws:~$ clush -w server-[01,02,05,11,12] -b hostname -f
---------------
server-01
---------------
server-01.some-domain.com
---------------
server-02
---------------
server-02.some-domain.com
---------------
server-05
---------------
server-05.some-domain.com
---------------
server-11
---------------
server-11.some-domain.com
---------------
server-12
---------------
server-12.some-domain.com

-b runs it non-interactively and gathers the output as shown (the hostnames are colored); -w specifies the hosts. Use [ ] where you would use { } in bash.

-B also includes STDERR.

A problem you may run into is running commands that contain pipes.

Furthermore, you can also predefine host groups and copy files to/from remote hosts. This is a rather nice tool.
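
As an added example (not from the post and not ClusterShell's own code, which has a much richer NodeSet syntax), here is a simplified expander for host specs like the one above and a parser for the gathered output format shown, turning it back into a per-host table. Comparing that table is the useful part of -b: hosts whose output differs from the rest are the ones to look at first. SAMPLE_GATHERED is constructed.

```python
import re
from collections import Counter

BRACKET_RE = re.compile(r"\[([^\]]+)\]")
SEP_RE = re.compile(r"^-{5,}$")


def expand_nodeset(spec):
    """Expand a clush-style spec such as 'server-[01,02,05,11-12]' into host names.

    Handles comma lists, a-b ranges (zero-padded to the width of the lower bound)
    and several bracket groups; a spec without brackets is a single host.
    """
    m = BRACKET_RE.search(spec)
    if not m:
        return [spec]
    prefix, suffix = spec[:m.start()], spec[m.end():]
    hosts = []
    for part in m.group(1).split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            for i in range(int(lo), int(hi) + 1):
                hosts.append(f"{prefix}{i:0{len(lo)}d}{suffix}")
        else:
            hosts.append(f"{prefix}{part}{suffix}")
    out = []
    for h in hosts:                  # expand any remaining bracket groups in the suffix
        out.extend(expand_nodeset(h))
    return out


# Constructed 'clush -b uname -r' style output (not from the post): two hosts
# agreed and were folded into one nodeset header with a count, one host differed.
SAMPLE_GATHERED = """\
---------------
server-[01-02] (2)
---------------
Linux 4.4.0-57-generic
---------------
server-05
---------------
Linux 3.13.0-106-generic
"""


def parse_gathered(text):
    """Map each host to its output from gathered (-b) output.

    Blocks look like: separator, nodeset header with optional '(count)',
    separator, then output lines until the next separator.
    """
    lines = text.splitlines()
    results = {}
    i = 0
    while i + 2 < len(lines):
        if not (SEP_RE.match(lines[i]) and SEP_RE.match(lines[i + 2])):
            i += 1
            continue
        header = re.sub(r"\s*\(\d+\)\s*$", "", lines[i + 1].strip())
        j = i + 3
        body = []
        while j < len(lines) and not SEP_RE.match(lines[j]):
            body.append(lines[j])
            j += 1
        output = "\n".join(body)
        for host in expand_nodeset(header):
            results[host] = output
        i = j
    return results


def outliers(results):
    """Hosts whose output differs from the most common one."""
    common = Counter(results.values()).most_common(1)[0][0]
    return sorted(h for h, out in results.items() if out != common)


if __name__ == "__main__":
    table = parse_gathered(SAMPLE_GATHERED)
    for host, out in sorted(table.items()):
        print(f"{host}: {out}")
    print("differs from the majority:", outliers(table))
```
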

notes on using vimdiff
posted on 2016-12-29 11:55

Bare minimum to do some work with it:

do - Get changes from other window into the current window.
dp - Put the changes from current window into the other window.

]c - Jump to the next change.
[c - Jump to the previous change.

Ctrl W + Ctrl W - Switch to the other split window.

If you load up two files in splits (:vs or :sp), you can do :diffthis on each window and achieve a diff of files that were already loaded in buffers. :diffoff can be used to turn off the diff mode.

Also helpful: :help copy-diffs, and this link here.

apache webdav configuration
posted on 2016-12-29 10:27

notes up front

  • don't use suexec. just don't.
  • you should be able to configure a vhost on your own, else the apache config will not be of use to you
  • we'll use ssl certificates, too

setup

Load the apache modules:

a2enmod dav
a2enmod dav_fs

Create certificate:

cd /etc/apache2/ssl
openssl genrsa -out mydomain.de.key 1024  ## create private key (the .key file the next two commands use)
openssl req -new -key mydomain.de.key -out mydomain.de.csr  ## create certificate signing request
openssl x509 -in mydomain.de.csr  -out mydomain.de.crt -req -signkey mydomain.de.key -days 3650  ## create certificate
rm mydomain.de.csr 

Create a vhost config for your apache, and enable it:

<VirtualHost *:80>

        ServerName mydomain.de
        ServerAlias www.mydomain.de

        DocumentRoot /var/www/mydomain.de/htdocs

        <Directory /var/www/mydomain.de/htdocs/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                DAV on

                AuthType Basic
                AuthName DAV
                AuthUserFile /var/www/mydomain.de/.htpasswd
                Require valid-user
        </Directory>

        ErrorLog /var/www/mydomain.de/logs/error.log
        LogLevel warn
        CustomLog /var/www/mydomain.de/logs/access.log combined

</VirtualHost>

<VirtualHost *:443>

        ServerName mydomain.de
        ServerAlias www.mydomain.de

        DocumentRoot /var/www/mydomain.de/htdocs

        <Directory /var/www/mydomain.de/htdocs/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                DAV on

                AuthType Basic
                AuthName DAV
                AuthUserFile /var/www/mydomain.de/.htpasswd
                Require valid-user
        </Directory>

        ErrorLog /var/www/mydomain.de/logs/error.log
        LogLevel warn
        CustomLog /var/www/mydomain.de/logs/access.log combined

        sslengine on
        sslcertificatefile      /etc/apache2/ssl/mydomain.de.crt
        sslcertificatekeyfile   /etc/apache2/ssl/mydomain.de.key

</VirtualHost>

Create a htpasswd file:

htpasswd -c /var/www/mydomain.de/.htpasswd USERNAME

USERNAME and the password you'll enter will be your access credentials.

testing (on linux)

apt install -y cadaver
cadaver https://mydomain.de

Then you are prompted for the user credentials. ls and help should get you going from there.

using it with windows

Since this is a setup with SSL (it doesn't make much sense to use plain http from my POV), you'll need to import the certificate (mydomain.de.crt) in windows.

Otherwise you will get an error along the lines of Mutual Authentication Failed. The Server's Password Is Out Of Date At The Domain Controller.

It needs to go here (in windows):

  • win + r
  • certmgr.msc
  • enter
  • trusted root certificates
  • certificates

ubuntu 10.04 change ulimit
posted on 2016-12-27 16:31

When trying to raise the ulimit for open files, changing /etc/security/limits.conf did not work system-wide:

root@server:~# grep -v ^# /etc/security/limits.conf 


* soft nofile 4096
* hard nofile 10240

The only solution was to change the init script of the service needing more open files.

In my case it was a tomcat:

...

case "$1" in
  start)
        ulimit -n 10240

...

That way both the hard and the soft limit get set to 10240, instead of setting them separately via -Hn and -Sn.

Of course (haha) the system-wide maximum must allow that many open files: either put fs.file-max into /etc/sysctl.conf and run sysctl -p, or just do:

sysctl -w fs.file-max=1000000

Related bug report here.
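
As an added example (not from the post): limits.conf is applied by pam_limits when a PAM session is opened, so a service started from an init script never gets those values, which is why the ulimit call in the script was needed. The script below resolves what limits.conf would give a user (simplified precedence, an assumption of this example: user line beats @group line beats the * wildcard, last line wins within a rank) and shows the soft/hard distinction on the running process. LIMITS_CONF is a constructed copy of the lines quoted above plus one per-user line; nothing is read from the real file.

```python
import resource

# Constructed copy of the limits.conf lines quoted in the post plus one
# per-user line; nothing here is read from /etc/security/limits.conf.
LIMITS_CONF = """\
# /etc/security/limits.conf
* soft nofile 4096
* hard nofile 10240
tomcat hard nofile 65536
"""


def parse_limits_conf(text):
    """Return (domain, type, item, value) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4:
            entries.append(tuple(fields))
    return entries


def effective_limit(entries, user, groups, item):
    """Resolve what pam_limits would apply for user/item as (soft, hard).

    Simplified precedence (an assumption of this example): an explicit user line
    beats an @group line, which beats the '*' wildcard; within one rank the last
    line wins. 'unlimited' maps to resource.RLIM_INFINITY; missing -> None.
    """
    def rank(domain):
        if domain == user:
            return 3
        if domain.startswith("@") and domain[1:] in groups:
            return 2
        return 1 if domain == "*" else 0

    best = {"soft": (0, None), "hard": (0, None)}
    for domain, typ, it, value in entries:
        r = rank(domain)
        if it != item or r == 0:
            continue
        val = resource.RLIM_INFINITY if value == "unlimited" else int(value)
        for t in ("soft", "hard") if typ == "-" else (typ,):
            if r >= best[t][0]:
                best[t] = (r, val)
    return best["soft"][1], best["hard"][1]


def raise_soft_nofile():
    """Lift this process's soft RLIMIT_NOFILE up to its hard limit.

    Any unprivileged process may do this; raising the hard limit, which
    'ulimit -n N' also does when N exceeds it, needs CAP_SYS_RESOURCE (root).
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def nofile_allows(needed):
    """True if the current soft limit permits 'needed' open files."""
    soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    return soft == resource.RLIM_INFINITY or soft >= needed


def read_file_max(path="/proc/sys/fs/file-max"):
    """System-wide ceiling (fs.file-max); None where /proc is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    entries = parse_limits_conf(LIMITS_CONF)
    print("tomcat would get (soft, hard):", effective_limit(entries, "tomcat", [], "nofile"))
    print("this process after raising soft to hard:", raise_soft_nofile())
    print("fs.file-max:", read_file_max())
```
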

proxmox delete and recreate cluster
posted on 2016-12-21 22:48

In case you have the questionable idea of renaming a hypervisor of your proxmox cluster, you are going to feel some pain. (It won't work and you will get scared whether you fucked your system landscape up or not. Been there, done that.)

The only viable and reproducible approach I found was removing all cluster configuration from all HVs, rebooting them, then recreating the cluster on one HV and re-adding all the others.

read this, or continue at your own peril

Some notes before we start:

  • tested with proxmox 4.4
  • do all the next steps on all hosts
  • rebooting all hv's is necessary afterwards. maybe not, but at least the first node had to be rebooted
  • the sqlite output, if any is shown, should only appear once
  • working ssh between your hv's is necessary, errors or warnings will prevent you from re-adding nodes after the cluster recreation
  • backup /etc/pve before doing anything, as you will lose all your vm configurations in the process, but these can be copied back afterwards.
  • no guarantee that this post will cover everything

howto remove all clusterconfigs

Let's go: (this is completely paste-able)

# backup
cp -va /etc/pve /root

systemctl stop pvestatd.service
systemctl stop pvedaemon.service
systemctl stop pve-cluster.service
systemctl stop corosync
systemctl stop pve-cluster
pmxcfs -l
rm /etc/pve/corosync.conf
rm /etc/corosync/*
rm /var/lib/corosync/*
rm -rf /etc/pve/nodes/*
sqlite3 /var/lib/pve-cluster/config.db "select * from tree where name='corosync.conf'"
sqlite3 /var/lib/pve-cluster/config.db "delete from tree where name='corosync.conf'"
sqlite3 /var/lib/pve-cluster/config.db "select * from tree where name='corosync.conf'"

Check for error messages, then:

reboot

Recreate the cluster on the first HV: (or whichever one you see fit)

pvecm create CLUSTER-NAME

Then re-add all other HVs to your newly created cluster. From each of them, do:

# test ssh
ssh IP-OF-FIRST-HV

# if that works, add; else see below how to troubleshoot
pvecm add IP-OF-FIRST-HV

troubleshooting SSH issues

Adding nodes works best with key auth (Don't know whether I ever tried it without, to be honest, but I doubt it works.). In case you have reinstalled a node or something, try connecting via ssh from the host in question to your 'first' hv.

Read the error message closely, as known hosts are stored in /etc/ssh/ssh_known_hosts, not ~/.ssh/known_hosts:

# in case you have trouble on a certain host
> /root/.ssh/known_hosts
> /etc/ssh/ssh_known_hosts
ssh-copy-id FIRST_HV

As said before, ssh errors or warnings won't let you add nodes to a cluster.

browser not working

Once you have completed the stuff above, close all browser tabs you had opened to access your cluster. Simply refreshing them does not seem to work.

finishing touches (fix your vms before you become stressed out)

When looking at the webgui, you might become scared, as all your virtual machines seem to be missing. This happens with VMs, but I guess the same happens with containers, too.

In fact, we worked on the proxmox cluster filesystem, where it stores a lot of its settings and which gets mounted at /etc/pve afterwards. It happens to be stored completely in /var/lib/pve-cluster/config.db, a sqlite3 database.

It holds all file contents (the actual characters that get written into the config files), the inode of each file to be created, the folder structure, and so on.

Once your cluster is running, try diff / colordiff to spot the exact differences (i.e. colordiff /root/pve /etc/pve to see the file contents). Or a simple find /root/pve -iname "*conf" might also do.

Copy the configs back to their original locations, and everything should be fine.
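
As an added example (not from the post and not Proxmox code), this shows what the paragraphs above describe: the config.db 'tree' table holds a name, a parent inode and the file contents, so a path under /etc/pve is rebuilt by following parent links up to the root. The script builds an in-memory database whose column set is a simplification of the real pmxcfs schema (an assumption; the rows are constructed), lists the guest configs the webgui would show, exports the files in /etc/pve layout so they can be diffed against a backup, and repeats the corosync.conf check from the cleanup commands above.

```python
import os
import sqlite3
import tempfile

DT_DIR, DT_REG = 4, 8   # dirent-style type values used for the constructed rows


def build_sample_db():
    """In-memory database modelled on the 'tree' table of /var/lib/pve-cluster/config.db.

    The column set is a simplification of the real pmxcfs schema (assumption); the
    rows are constructed: one node 'hv1' with one VM, one container, and corosync.conf.
    Parent 0 means 'directly under /etc/pve'.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tree (
            inode   INTEGER PRIMARY KEY NOT NULL,
            parent  INTEGER NOT NULL,
            version INTEGER NOT NULL,
            type    INTEGER NOT NULL,
            name    TEXT    NOT NULL,
            data    BLOB
        );
    """)
    rows = [
        (1, 0, 1, DT_DIR, "nodes", None),
        (2, 1, 1, DT_DIR, "hv1", None),
        (3, 2, 1, DT_DIR, "qemu-server", None),
        (4, 3, 3, DT_REG, "100.conf", b"name: web01\nmemory: 2048\nbootdisk: scsi0\n"),
        (5, 2, 1, DT_DIR, "lxc", None),
        (6, 5, 2, DT_REG, "200.conf", b"hostname: ct200\nmemory: 512\n"),
        (7, 0, 1, DT_REG, "corosync.conf", b"totem {\n  cluster_name: lab\n}\n"),
    ]
    db.executemany("INSERT INTO tree VALUES (?, ?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def file_entries(db):
    """Return sorted [(relative_path, data)] for every regular file, rebuilt from parent links."""
    names, parents, files = {}, {}, []
    for inode, parent, _version, typ, name, data in db.execute("SELECT * FROM tree"):
        names[inode], parents[inode] = name, parent
        if typ == DT_REG:
            files.append((inode, data))

    def path_of(inode):
        parts = []
        while inode != 0:            # walk up until the /etc/pve root
            parts.append(names[inode])
            inode = parents[inode]
        return "/".join(reversed(parts))

    return sorted((path_of(i), d) for i, d in files)


def guest_configs(db):
    """Paths of VM and container configs: nodes/<node>/qemu-server/*.conf and nodes/<node>/lxc/*.conf."""
    out = []
    for path, _ in file_entries(db):
        parts = path.split("/")
        if (len(parts) == 4 and parts[0] == "nodes"
                and parts[2] in ("qemu-server", "lxc") and parts[3].endswith(".conf")):
            out.append(path)
    return out


def export_tree(db, dest):
    """Write every file below dest in /etc/pve layout; return the paths written."""
    written = []
    for path, data in file_entries(db):
        target = os.path.join(dest, path)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data or b"")
        written.append(path)
    return written


def roundtrip_ok(db):
    """Export to a temporary directory and check the files read back byte-identical."""
    with tempfile.TemporaryDirectory() as d:
        export_tree(db, d)
        for path, data in file_entries(db):
            with open(os.path.join(d, path), "rb") as fh:
                if fh.read() != (data or b""):
                    return False
    return True


def corosync_rows(db):
    """The same check the post runs with sqlite3 before and after its delete statement."""
    return db.execute("SELECT inode, name FROM tree WHERE name='corosync.conf'").fetchall()


def remove_corosync_conf(db):
    db.execute("DELETE FROM tree WHERE name='corosync.conf'")
    db.commit()
    return corosync_rows(db)


if __name__ == "__main__":
    db = build_sample_db()
    print("guest configs:", guest_configs(db))
    print("corosync rows before/after:", corosync_rows(db), remove_corosync_conf(db))
```

Pointed at a real backup copy of config.db, the export gives you a directory tree to run colordiff against /etc/pve, which is exactly the comparison the post suggests.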

spacemacs org-mode in very short
posted on 2016-12-14 23:34

Some notes to get up to speed with orgmode AFAP:

  • Header to make emacs recognize org files regardless of file extension: -*- mode: org -*-
  • create bullet point: m-enter
  • bullet-point indenting: tab
  • change indentation of non-bulleted text: tab
  • insert bullet-points without m-enter: start a new line with one or several *'s followed by a space.
  • move bullet point up/down: m-up and m-down
  • change bullet point indentation: m-left and m-right
  • change DONE / TODO for bulletpoint: s-left and s-right
  • show TODO items: spc m T
  • TODO keywords can be defined at the top of the file: #+TODO: TODO IN-PROGRESS WAITING DONE
  • unordered lists (not bulletpointed) start with a - (+ will work, too)
  • exit into normal mode and use o to insert a new list-line
  • descriptions use not just a single colon, but two with leading space: ::
  • change list type with s-left and s-right
  • opening/closing folds of current item: c-tab
  • insert source code block, in insert mode, do: <sTAB (<, s, tab)

There's more, but these are the very basics. A lot of these plus some other stuff can be found here.

On logging time:

  • start timer for current item: spc m I
  • stop timer for current item: spc m O
  • expand LOGBOOK: c-tab
  • insert deadline: spc m d

plesk onyx phpioncube install
posted on 2016-12-13 14:35

install php7 in plesk

plesk sbin autoinstaller --select-product-id plesk --select-release-current  --install-component php7.0

get files

http://www.ioncube.com/loaders.php

Copy to the server, and tar xzvf it.

copy file

cd ioncube
cp ioncube_loader_lin_7.0.so /opt/plesk/php/7.0/lib/php/modules/

link it with php

Into /opt/plesk/php/7.0/etc/php.ini put this:

zend_extension=ioncube_loader_lin_7.0.so

(Next to the other zend options.)

reload php

plesk bin php_handler --reread

test

/opt/plesk/php/7.0/bin/php -v

It will show ioncube php loader (enabled) ..., so it actually works.

Now don't use the OS php version (e.g. if you already have php 7 available from ubuntu 16.04), but the plesk one from the dropdown menu in the php settings of your hosting.

bonus

If you cannot upload zip files, install php-zip from your OS's package management. (apt install php-zip -y)

postfixadmin update and php7
posted on 2016-12-09 08:52

After a dist upgrade from ubuntu 14.04 to 16.04 and updating to php7, the postfixadmin in version 2.3.7 stopped working due to php5 modules naturally being amiss. These were the steps I took so the upgrade to postfixadmin 3.0 worked. The major roadblocks were the changed php modules and updating the mysql tables during the update.

  • mkdir /root/postfixadmin-backup; cd /root/postfixadmin-backup
  • mysqldump <POSTFIX-DB-NAME> > <POSTFIX-DB-NAME>.sql so I'd have a database backup.
  • Copied the old htdocs to /root/htdocs, to have a webdata backup in case I'd fuck up renaming the htdocs later.
  • cd /path/to/postfixadmin/webroot
  • The apache setup was fine already, so I renamed the old htdocs (docroot), created a new one and extracted the newly downloaded postfixadmin there.
  • Copied the old config.inc.php over into the new docroot, named config.local.php.disabled so it would not get read upon opening the postfixadmin webinterface.
  • Copied the new config.inc.php to config.local.php.
  • diff config.local.php.disabled config.inc.php to show me the differences to the new installation.
  • Adjust database settings and the other settings I wanted to conserve.
  • Browser: https://domain.of.postfixadmin/setup.php

Then it showed:

...

DEBUG INFORMATION:
Invalid query: Invalid default value for 'created'

...

Upon using https://domain.of.postfixadmin/setup.php?debug=1 I found out that this was related to the vacation table in the database. To be exact, this line shown by describe vacation at the mysql client prompt:

| created       | datetime     | NO   |     | 0000-00-00 00:00:00 |       |

The ALTER TABLE statement could not run the change due to mysql's strict mode being active, and a date of 0000-00-00 00:00:00 being forbidden.

At first I tried to alter the table to something like 1970-01-01 01:01:01 but that wouldn't work.

mysql's strict mode is controlled by the variable sql_mode:

mysql> show variables like 'sql_mode'\G
*************************** 1. row ***************************
Variable_name: sql_mode
        Value: ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
1 row in set (0.00 sec)

To set this variable upon mysql's starting process, I edited /etc/mysql/my.cnf and added under the [mysqld] section:

sql_mode = ''

Then service mysql stop, service mysql start, and upon reopening https://domain.of.postfixadmin/setup.php the setup went through and all was well again in postfix-land.

I removed the sql_mode parameter from /etc/mysql/my.cnf again, service mysql stop, service mysql start and I was free to go off to other ventures again.




Unless otherwise credited all material Creative Commons License by sjas