Re: Heimdal 0.6.3 in FreeBSD 7.1

2009-01-19 Thread David Robillard
 Is there any chance that a more recent version of heimdal would be included
 in a future release of FreeBSD?

 The current version is pretty archaic.

Meanwhile, you can always install the security/heimdal port.

http://www.freebsd.org/cgi/url.cgi?ports/security/heimdal/pkg-descr

heimdal-1.0.1
A popular BSD-licensed implementation of Kerberos 5
Maintained by: sh...@freebsd.org
Also listed in: ipv6
Requires: libtool-1.5.26

HTH,

DA+
-- 
David Robillard
UNIX team leader & Oracle DBA
CISSP, RHCE, SCSA & SCSECA
Montreal: +1 514 966 0122

If you receive something that says "Send this to everyone you know",
then please pretend you don't know me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: High Performance Computing Mini-Cluster

2008-10-21 Thread David Robillard
You might want to talk to the author of this:
http://www.bsdcan.org/2007/schedule/events/6.en.html
Reflections on Building a High-performance Computing Cluster Using
FreeBSD by Brooks Davis.

Regards,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

If you receive something that says "Send this to everyone you know",
then please pretend you don't know me.


Re: High Performance Computing Mini-Cluster

2008-10-21 Thread David Robillard
On Tue, Oct 21, 2008 at 2:25 PM, Gerardo Paredes
[EMAIL PROTECTED] wrote:
 From what i have read, Matt Olander and Brooks Davis are the foremost experts 
 at cluster building on FreeBSD. However i believe a document needs to be 
 written explaining in detailed steps how to do it, so the common user can do 
 it. Obviously not every common man needs a cluster.

 In my case i am pitching the project of a big cluster to our University here 
 in Honduras to run some kinds of apps we have, like a Trade Exchange Market 
 Simulation written in Python we have about two years developing which we plan 
 to run distributed across the cluster.


 Since I cannot attend that seminar, i will be expecting for at least the 
 presentation to be posted.

Actually, this was a presentation I attended last year. So the slides
already exist. You can also grab their old paper at
http://people.freebsd.org/~brooks/papers/bsdcon2003/ but this is a bit
out-dated.

My advice would be to try and contact Mr. Brooks Davis directly. If
you can't find him, try and send an email to the organisers of BSDCan
from http://www.bsdcan.org/2008/contact.php. I believe you should talk
to Dan Langille on the BSDCan committee
http://www.bsdcan.org/2008/committee.php

Good luck and have fun! Your project seems quite interesting :)

David


Re: how to simulate a user's crontab?

2008-07-21 Thread David Robillard
 Actually, I highly recommend a Mac program called Yojimbo, that is a
 kind of general purpose memory tool. You can throw all sorts of
 information into it, and find it very easily when you need it.
 Fantastic program and I don't know of anything like it on other
 platforms.

If you're looking for the same type of "Remember everything"
functionality as Yojimbo, but platform independent, then you might
want to take a look at http://www.evernote.com. It's web based (but
.Mac free) plus it also has a MacOS X and a Windows client if you need
them.

HTH,

David


Re: Problem in checking machine architecture.

2008-07-17 Thread David Robillard
 the output is: amd64

 When I run: sysctl -a | less
 and search for: CPU
 I see that:
 hw.model: Intel(R) Xeon(R) CPU5140  @ 2.33GHz
 ...
 hw.machine_arch: amd64

I know it's slightly off topic, but when the time comes to verify
hardware details, you might want to take a look at dmidecode(8).
It's available in the FreeBSD ports as sysutils/dmidecode or from its
website at http://www.nongnu.org/dmidecode/

This tool enables you to retrieve things like bios-vendor,
bios-version,  bios-release-date,  system-manufacturer,
system-product-name, system-version, system-serial-number,
system-uuid, baseboard-manufacturer,  baseboard-product-name,
baseboard-version, baseboard-serial-number, baseboard-asset-tag,
chassis-manufacturer, chassis-type, chassis-version,
chassis-serial-number, chassis-asset-tag, processor-family,
processor-manufacturer, processor-version,  processor-frequency, etc.

It's also available for other UNIX flavors, so it's nice when you
have a heterogeneous environment where sysctl and uname don't have the
exact same flags. I've tried it successfully on various versions of
FreeBSD, RedHat Enterprise Linux & Ubuntu Linux.

HTH,

David


Re: Would ZFS and gmirror work well together in a two-node failover cluster?

2008-07-14 Thread David Robillard
 I am looking to put together a two-node high-availability cluster
 where each node has identical data storage consisting of a set of
 internal data drives (separate from the boot drive). I want ZFS to
 manage the drives as a JBOD in a RAIDZ2 configuration. Thus, if an
 individual drive misbehaves or fails, ZFS detects and handles the
 fault.

 But I'm also looking to mirror this entire setup in real time to a
 second identical server.

 Basically, my question is can this work well on FreeBSD while taking
 full advantage of ZFS?

 Specifically, my understanding is that the only way to handle the
 real time mirror is with gmirror and ggated, but it's not clear how
 gmirror would interact with ZFS.

 I am assuming that gmirror operates only on individual drives, so if
 I had a set of 24 drives on each server, there would be 24 mirrored
 drive pairs.

 One concern I have is that this setup could run into trouble with
 gmirror's potentially sabotaging ZFS's RAIDZ2. For example, when a
 drive starts failing, won't gmirror see it before ZFS does and take
 the unfavorable action of substituting the corresponding drive in the
 failover server in subsequent I/O, leaving ZFS's RAIDZ2 out of the
 loop?

 This is just one particular scenario, but in general, it's not
 entirely clear that it's possible to have fine-grained control of
 when, how much and in what direction gmirror manages synchronization
 among drive pairs.

Hello Maurice,

Which type of connection do you intend to use for the shared storage
JBOD? SAN or direct attached SCSI? Don't forget to change the SCSI
initiator ID on one of the nodes if you go the direct attached SCSI
road. I had this setup running back in 1999 with two Solaris boxes
using Solstice Disk Suite with shared disks. Both nodes knew about the
existence of the other and hence it worked quite well. But I don't
know if it can work with two FreeBSD nodes?

Now for the filesystem choice, keep in mind that ZFS is not a native
cluster, distributed, or parallel file system and cannot provide
concurrent access from multiple hosts as ZFS is a local file system.
Which means your two node cluster won't be active/active. You'll have
an active node and a failover node. That may be alright or it may not.
Depends on your application, how deep your pockets are and the
level of risk your organization is willing to live with.

You might want to take a look at clustered file systems for your
setup. Check out Lustre (http://wiki.lustre.org/) or OpenGFS
(http://opengfs.sourceforge.net/) for instance. If your cluster
requires mostly reads and not much write, check out OpenAFS
(http://www.openafs.org/) which is a distributed filesystem. You could
always use NFS too, but then it depends on where you want to deploy
the cluster, as NFS is rather hard to secure.

Now if we come back to the problem at hand, namely using zfs under
gmirror. I've never heard of anyone using this. It does sound a bit
strange to me since both zfs and gmirror will do mirroring. I would
advise to test and retest very carefully before you go into production
with such a setup. If you do try it, I'd be interested in reading what
you've tried and what conclusions you came to.

Good luck! HTH,

David


Re: Ldap NSS PAM Samba

2008-07-11 Thread David Robillard
 I am trying to setup a FreeBSD server with samba that uses OpenLdap.  I
 have installed everything and was doing some configuring.  I set this all
 up once before on a Linux box, but I basically just went through the
 motions and really was not sure what all I did...but it worked.  Now I
 want to understand everything so that I know exactly what all I did. :)

 I have the following:
 I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
 I installed PAM which put ldap.conf.dist in /usr/local/etc.
 I installed NSS which put nss_ldap.conf in /usr/local/etc.

 From looking at them I assume that the last two are the same file and one
 of them just needs to be renamed to ldap.conf and configured for PAM and
 NSS, is that correct?

 The ldap.conf in /usr/local/etc/openldap is a different config file even
 though it has the same name?  It is used for openldap and the other is
 used for PAM and NSS?

 Thanks for any info.


 openldap/ldap.conf is the OpenLDAP client configuration.  You're likely
 looking for the LDAP server configuration, openldap/slapd.conf

True.

 etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be merged.

False. You can symlink nss_ldap.conf to ldap.conf. Keep them separate
if you like to edit configuration files that contain the exact same
data. This way you can make mistakes. (Just kidding :)

Both nss_ldap and pam_ldap use the same configuration when they both
need to query the same LDAP server. If, for a reason, your company
uses different LDAP servers for PAM and NSS (say you just purchased
another company or something), then you need to keep etc/nss_ldap.conf
and etc/ldap.conf(5) files separate. Otherwise, IMHO you should try
and use a single LDAP server for all your data. Using several LDAP
repositories is the path to the dark side... (and to a lot of problems!)

If you do have more than one LDAP server (say an OpenLDAP, an Oracle
Internet Directory and a Microsoft Active Directory for instance),
then set up referrals between them. Or better yet, dump an LDIF file of
one and import it into another and drop one of the LDAP servers
altogether (or just use it as a referral point for its data if you
can't rip it out of your network). It's not an easy task, but it sure
is possible.

 I've played ***VERY*** briefly with LDAP authentication through PAM and
 NSS, and both were required.  I can't quote easily what the difference
 between NSS and PAM is, but all the docs I referenced from Google when I
 searched said I needed both.

NSS stands for Name Service Switch. Normally it's achieved via
/etc/nsswitch.conf file. Basically it's telling applications where to
look for data (i.e. local files, NIS, NIS+, LDAP, DNS) for the various
data sources (i.e. groups, users, hosts, etc). See nsswitch.conf(5)
and getent(1) and http://www.padl.com/OSS/nss_ldap.html for details.

PAM stands for Pluggable Authentication Modules. It's an easy way to
plug various authentication methods into an existing infrastructure.
It basically allows you to use the local files, a Kerberos realm, an
LDAP directory and such to decide who can login to your machines
without having to rewrite the entire authentication mechanisms. See
pam.conf(5) and pam(3) plus http://www.padl.com/OSS/pam_ldap.html for
details.

Why do you need both NSS and PAM? Well, suppose you decide that you
want to use a Kerberos realm to authenticate and that the Kerberos
principals (or users if you prefer) are stored in an LDAP directory.
Now suppose an SSH connection comes in from user bob. Your machine
will check the PAM configuration as to which PAM modules it should
check for authentication. It will use NSS to know where to check in
order to find out who is this bob user (will it be in the local passwd
file or in the LDAP directory?) Once it finds where bob is stored (if
he exists) then it will compare the passwd string (or the Kerberos
ticket in our example) and use PAM to locate which module it has to
compare the ticket or password against.

HTH,

David


Re: Amanda port update

2008-07-04 Thread David Robillard
 I need to install the current version of Amanda (misc/amanda-client and
 misc/amanda-server) and would like to install from the ports collection.
 However the port maintainer has not updated Amanda in quite some time. Can
 someone give me some advice on how to roll my own ports install from the
 source tarball?  Thanks.

Did you try to contact the port maintainer? You probably want to check
with him/her before you update the port no?

In any case, it's a good idea to update the port because we're going
to need it here too!

Good luck,

David


Re: to scsi or not to scsi

2008-06-26 Thread David Robillard
 i've heard scsi hard drives are really good.
 i've also seen at least one site which claims that ide easily
 outperform scsi.

I seriously doubt that. Maybe if you take a single old first
generation SCSI disk and compare it to a modern IDE drive. But that's
not exactly comparing apples to apples. Granted that IDE may beat SCSI
in peak performance in a test environment. But IMHO, SCSI is far
superior in sustained performance in real life scenarios.

 for the server we  got (dual P3 1GHz 2M which will use raid), is one
 preferable over the other? and what about sata?

Choosing between SCSI or IDE or SAS or SATA or FC is mostly a question
of Cost, Performance, Reliability and Expected Workload.

If you plan to have two users on that dual P3 machine, then go for any
cheap drive in RAID1, be it IDE or SATA. That's going to work alright.

But if you're going to install a database on this machine with 100+
concurrent users, then I'd go for SCSI or SAS (and new hardware for
that matter :)

Generally speaking, SCSI, SAS and FC disks are Enterprise class disks
while IDE and SATA are Workstation/Home class disks. SCSI/SAS/FC disks
are not cheap, but more robust (i.e. MTBF is better than for IDE/SATA
disks) and generally faster (I've never seen a 15,000 rpm IDE disk for
instance). You use SCSI/SAS/FC disks for high workload machines where
you need speed and reliability (such as Oracle databases, Java
Application servers, Microsoft Exchange servers or ERP servers for
instance). You use IDE/SATA on easy workloads or when you prefer disk
space over speed and reliability. FC disks are usually found in
Enterprise storage arrays sold by EMC, NetApp, StorageTek, IBM, HP and
friends.

You might be interested in reading chapter 7 from "Linux
Administration Handbook", 2nd ed. from Nemeth, Snyder, Hein & al at
Prentice Hall publishing. Or http://www.scsi-planet.com/vs/

Cheers,

David


Re: Vsftpd rotate logs with newsyslog...

2008-06-20 Thread David Robillard
 Thank u all very much guys... i will see if i do a graceful or simply a
 restart cause i dont think the apache will be getting too many connections
 all the time... but that clarification was quite good David... and thank u
 for the example... that is always the best way to understand things... much
 appreciated...

 Will try both... just a question about compression... What i understood
 from your mail is that as apache takes some time to let his children close
 all connections i shouldn't zip those logs cause newsyslog wont wait till
 apache finishes and probably will zip logs that are still being accessed by
 the children? if that is the case using a HUP will close all and allow me to
 use compression?

Yes it would. But if you go this route, you might lose some logs from
the children. If you don't run a busy server with lots of hits and
lots of VirtualHosts, then that might not be a problem for you. Like
Ruben said, YMMV.

IMHO, if the Apache Best Practices and documentation say you should
use USR1 and not compress the logs automatically via newsyslog(8) or
logrotate(8), then that's what I do.

Of course, you can compress the logs at a later time once the files
have been rotated of course. But with today's disk sizes and SAN
storage, I'd be surprised that a few Apache log files can pose a disk
space problem.

Think of it another way. If today you run a single very small site,
then you might be tempted to use HUP and compression simply
because it's easier and, well, it works. Agreed that using USR1 seems
a little more complicated (a little) and might seem like an overkill
setup for a single small site.

But tomorrow you might end up working for a very large site that runs
a huge number of VirtualHosts with thousands of hits per seconds on a
three-tier web platform that has a cluster of web servers, application
servers and backend databases. If you've learned and used the Best
Practices back in the days when you had your single little web site,
then it won't be a secret to you and you'll be ready to tackle the
demands of a bigger site. Besides, it's not like using USR1 is some
form of arcane black sysadmin magic, right? :)

If you need more info on this topic, check out the official
documentation (i.e. RTFM ;-)

Apache 1.3
http://httpd.apache.org/docs/1.3/stopping.html

Apache 2.0
http://httpd.apache.org/docs/2.0/stopping.html

Apache 2.2
http://httpd.apache.org/docs/2.2/stopping.html


 Sorry guys...got one more doubtWhy do u use B (binary) if apache logs
 are simple text? any particular reason?

From the newsyslog.conf(5) man page:

 B  indicates that the log file is a binary file, or has some
 special format.  Usually newsyslog(8) inserts an ASCII
 message into a log file during rotation.  This message is
 used to indicate when, and sometimes why the log file was
 rotated.  If B is specified, then that informational message
 will not be inserted into the log file.

Indeed, the Apache logs are ASCII files. I use the B flag in
newsyslog.conf(5) simply because I don't want to have newsyslog(8) to
write anything in the Apache logs. Why? Because it confuses our Apache
log file analyzers. That's all. I mean, I know the reasons why the
logs are rotated and I know that it's newsyslog(8) that did it (I
should know, I'm the one who configured it). So I don't need a
reminder inside the logs about it. Once again, YMMV.

HTH,

David


Re: Vsftpd rotate logs with newsyslog...

2008-06-19 Thread David Robillard
 Well yes, this is precisely the reason why we use a SIGHUP (equivalent to
 apachectl restart) instead of a SIGUSR1 (apachectl graceful). We don't
 really care about a few broken client connections since the logs are rotated
 at a quiet time.

 Of course, YMMV.

Yes, of course :)

 regards,
 Ruben

Cheers,

DA+


Re: Vsftpd rotate logs with newsyslog...

2008-06-18 Thread David Robillard
 Well, i take this opportunity also to ask about Apache too... which signal
 should i send?

 A HUP signal should work for apache.

Actually, the Apache documentation says that one must use USR1 instead
of HUP to send a graceful restart instead of a hangup.
This is to let the children httpd processes some time to finish their
transactions before the master restarts. It is also for this reason
that the logs should not be compressed by newsyslogd.

This is what we use in newsyslog.conf(5) for our Apache servers:

/var/log/httpd/access.log   640 5 1024 * B /var/run/httpd.pid 30
/var/log/httpd/error.log    640 5 1024 * B /var/run/httpd.pid 30
/var/log/httpd/ssl.log      640 5 1024 * B /var/run/httpd.pid 30

Of course, your log file names will vary according to your preferences
and VirtualHosts.

HTH,

David
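As an added example (not code from the thread), here is a small Python lint for newsyslog.conf(5) that parses entries of the shape posted above and flags Apache log entries that rotate with signal 1 (SIGHUP), lack the B flag, or compress at rotation time. The configuration fragment inside it is constructed; /var/run/httpd.pid and signal 30 are taken from the posted entries.

```python
"""Lint newsyslog.conf(5) entries that rotate Apache logs.

Added example, not code from the thread. It encodes the advice above:
rotate Apache logs by sending signal 30 (SIGUSR1 on FreeBSD, a graceful
restart) rather than 1 (SIGHUP), set the B flag so newsyslog(8) does not
write its own rotation marker into the log, and do not compress at
rotation time (Z/J/X flags) because child httpd processes may still be
writing to the old file. The configuration fragment is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

SIGHUP, SIGUSR1 = 1, 30                    # FreeBSD signal numbers
SIGNAL_NAMES = {"SIGHUP": SIGHUP, "SIGUSR1": SIGUSR1}
COMPRESS_FLAGS = set("ZJX")                # gzip, bzip2, xz at rotation time
APACHE_PIDFILE = "/var/run/httpd.pid"      # as used in the posted entries


@dataclass
class Entry:
    logfile: str
    mode: str
    count: int
    size: str
    when: str
    flags: str = ""
    pidfile: Optional[str] = None
    signal: Optional[int] = None


SAMPLE_CONF = """\
# constructed newsyslog.conf fragment: two good Apache entries, two bad ones
/var/log/httpd/access.log   640 5 1024 * B  /var/run/httpd.pid 30
/var/log/httpd/error.log    640 5 1024 * B  /var/run/httpd.pid SIGUSR1
/var/log/httpd/ssl.log      640 5 1024 * ZB /var/run/httpd.pid 1
/var/log/httpd/vhost.log    640 5 1024 * -  /var/run/httpd.pid 30
/var/log/messages           644 5 100  * J
"""


def parse_newsyslog(text: str) -> List[Entry]:
    """Parse 'logfile [owner:group] mode count size when [flags] [pidfile] [sig]'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if ":" in fields[1]:                      # optional owner:group field
            del fields[1]
        logfile, mode, count, size, when = fields[:5]
        rest = fields[5:]
        flags = ""
        if rest and rest[0] == "-":               # explicit "no flags"
            rest.pop(0)
        elif rest and rest[0].isalpha():
            flags = rest.pop(0).upper()
        pidfile = rest.pop(0) if rest and rest[0].startswith("/") else None
        signal = None
        if rest:
            tok = rest.pop(0)
            signal = int(tok) if tok.isdigit() else SIGNAL_NAMES.get(tok.upper())
        entries.append(Entry(logfile, mode, int(count), size, when, flags, pidfile, signal))
    return entries


def lint_apache_entries(entries, pidfile=APACHE_PIDFILE):
    """Return {logfile: [problem, ...]} for entries that signal the Apache pid file."""
    problems = {}
    for e in entries:
        if e.pidfile != pidfile:
            continue
        issues = []
        if e.signal == SIGHUP:
            issues.append("signal 1 (SIGHUP) hard-restarts Apache; use 30 (SIGUSR1) for a graceful restart")
        elif e.signal != SIGUSR1:
            issues.append(f"unexpected signal {e.signal!r}; expected 30 (SIGUSR1)")
        if "B" not in e.flags:
            issues.append("missing B flag: newsyslog(8) will write a rotation marker into the log")
        compress = COMPRESS_FLAGS & set(e.flags)
        if compress:
            issues.append(f"flags {''.join(sorted(compress))} compress at rotation while children may still write")
        if issues:
            problems[e.logfile] = issues
    return problems


if __name__ == "__main__":
    for logfile, issues in lint_apache_entries(parse_newsyslog(SAMPLE_CONF)).items():
        print(logfile)
        for issue in issues:
            print("  -", issue)
```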


Re: Reverse proxy recommendation

2008-06-02 Thread David Robillard
On Sat, 2008-05-31 at 10:26 -0400, Thomas Mullins wrote:
 Hello,

 We have three internal web servers that we make accessible to the
 internet.  Right now we simply use pf and port redirection.  Works
 great.

 But, we would like to tighten up security.  I know you can do this with
 squid, apache and a few others.  Could someone please make a
 recommendation on what solutions they have used or seen in the past?

 Thanks
 Shane

You may want to check the www/varnish port. From the ports description:

This is the Varnish high-performance HTTP accelerator.

Documentation and additional information about Varnish is available on
<URL:http://varnish.projects.linpro.no/>.

Technical questions about Varnish and this release should be addressed
to [EMAIL PROTECTED].

Questions about commercial support and services related to Varnish
should be addressed to [EMAIL PROTECTED].

WWW: http://www.varnish-cache.org/

And from wikipedia: http://en.wikipedia.org/wiki/Varnish_cache

I've never used it myself, but it looks interesting since it was
created by Poul-Henning Kamp, who is a major FreeBSD developer.

HTH,

David


Re: Large filesystems help/ideas

2008-05-21 Thread David Robillard
 Hi,
 I'm implementing a backup solution at work.We've bought a x86 server
 with two hardware raid 5 with for a total storage capacity of about 7Tb.

 For the software we are using for backups, the ideal scenario would be
 to have just one big disk so that no space problems would appear.

 I've tried to install FreeBSD 7 with no success, as it seems... the
 sysinstall tool doesn't support such big slices.

 I've read about the Large Data Storage on FreeBSD but I'm still confused.

 I've also thought on using slices of 1Tb, and join all them using vinum.
 What do you think about this last option?

 Thanks a lot for your help.

I would suggest to use different partitions for your OS and another
big one for your backup data. In fact, if you can use two smaller
disks in RAID 1 for the OS and leave your two RAID 5 for the backup
data alone, that would be even better.

This way you can both a) install the OS without any problem and b)
prevent a *very* long fsck in case the machine crashes and your 7TB
partition is broken beyond the background fsck process. Once you have
the OS installed on the smaller partitions, you can then use gpt(8) to
create your 2TB+ filesystems.  YMMV.

We use a scenario quite identical to what you're trying to do. We use
a few ports to do so, like sysutils/rsnapshot and shells/rssh with
rsync and OpenSSH along with an encrypted backup volume and OpenPGP to
encrypt the tapes. For VMWare images, we use sysutils/rdiff-backup. It
works very well for 100+ mixed FreeBSD, RedHat, Ubuntu and AIX hosts.
If you need any help with the backup setup and all, just ask, I'll
send you the howto.

Have fun,

DA+


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-05-01 Thread David Robillard
 On Wednesday 30 April 2008 16:43, David Robillard wrote:
   On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
 
  [ --- 8 --- SNIP! --- 8 --- ]
 
  That sounds very interesting Jonathan. Could you please share with us
  the complete LDIF data used to create such a user?

 This is live from my LDAP server:

 # jfm, group, hst.org.za
 dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
 objectClass: posixGroup
 gidNumber: 1001
 cn: jfm

 # jfm, people, hst.org.za
 dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: extensibleObject
 sn: McKeown
 cn: Jonathan McKeown
 uidNumber: 1001
 gidNumber: 1001
 mail: [EMAIL PROTECTED]
 loginShell: /usr/local/bin/bash
 host: charlotte.hst.org.za
 host: clare.hst.org.za
 uid: jfm
 homeDirectory: /home/jfm

 There is, of course, also a userPassword attribute in the user account. (You
 didn't expect me to show you that, did you?!)

lol Well, if it's in {SSHA} format and you change a few digits here
and there, that's not a security issue :)


 Using posixGroup, the attribute for adding additional members to a group is 
 memberUid.

 There's a bit more to getting this all working: configuring slapd.conf with
 appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
 setting up PAM correctly. I can go into excruciating detail if you like...

Well, I'd certainly love to see how you've set things up. We could
compare with what I've published on my wiki. The documentation is not
finished, but it's a start. I'd really appreciate if people could
check it out and tell me where the document could be enhanced, if I
made any mistakes, things like that. Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data as
I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published
some Kerberos & OpenLDAP documentation online. Edward, care to join
us here?


 My only irritation is that although passwd(1) in 6.3 has the code within it to
 allow it to be controlled by PAM, it's all currently diked out, so that you
 can't use passwd(1) transparently with LDAP users. (As far as I know this
 hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about solving this?


 inetOrgPerson gives you a huge number of optional fields for other
 information, up to and including a JPEG photo. It inherits from
 organizationalPerson which inherits from person, so you need to combine all
 three sets of attributes to get the complete spec for inetOrgPerson (note the
 only MUST attributes are sn and cn from person):

 [ --- 8 --- SNIP! --- 8 --- ]

 We're hardly using any of these, but it seemed to make more sense to build it
 in, in case.

You're right, I totally agree.

 Jonathan

Cheers!

DA+


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread David Robillard
 On Wednesday 30 April 2008 11:00, O. Hartmann wrote:

[ --- 8 --- SNIP! --- 8 --- ]

 It's true that an object can only belong to one structural class (although it
 can belong to many auxiliary classes).

 I use the auxiliary class extensibleObject, which allows you to add any
 attribute to an LDAP object. My user accounts have three object classes:
 inetOrgPerson (the structural class), posixAccount and extensibleObject. The
 rules for the first two are still enforced, but I am able to add the Host:
 attribute.

 Jonathan

That sounds very interesting Jonathan. Could you please share with us
the complete LDIF data used to create such a user?
Something like this for example:

# test.user.ldif
#
# Create a test user.

dn: cn=test.user, ou=users, dc=domain, dc=com
objectclass: top
objectclass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
sn: test.user
uid: test.user
userPassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidNumber: 
gidNumber: 
gecos: Test User
mail: [EMAIL PROTECTED]
telephonenumber: 123 456 7890 x1234
loginShell: /usr/local/bin/bash
homeDirectory: /nfs/home/test.user

# Link this user to its group.
dn: cn=test, ou=groups, dc=domain, dc=com
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 
memberUid: test.user

# EOF

Many thanks,

DA+
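As an added example (not from the thread and not pam_ldap's own code), the Python below models the two steps described in the NSS/PAM explanation earlier on this page together with the host attribute used in the LDIF above: an NSS-style uid lookup over LDIF entries, group resolution via gidNumber and memberUid, and a PAM-style host check in the spirit of pam_ldap's pam_check_host_attr option (a host value of * grants every host). The LDIF, the hostnames and the dc=example,dc=org suffix are constructed for the example.

```python
"""Resolve a POSIX user from LDIF and apply a host-attribute login check.

Added example, not code from the thread. Step 1 is what NSS does when
sshd asks "who is this user" (getpwnam over the directory); step 2 is
the authorization decision PAM makes from the entry's multi-valued
`host` attribute, modelled on pam_ldap's pam_check_host_attr behaviour.
All data below is constructed; dc=example,dc=org is a placeholder.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
# constructed sample, same shape as the entries discussed in the thread
dn: cn=staff,ou=group,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1001
cn: staff
memberUid: jdoe

dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: Doe
cn: Jane Doe
uid: jdoe
uidNumber: 1001
gidNumber: 1001
loginShell: /usr/local/bin/bash
homeDirectory: /home/jdoe
host: alpha.example.org
host: beta.example.org

dn: uid=svc,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: Service
cn: Batch Service
uid: svc
uidNumber: 1002
gidNumber: 1001
loginShell: /usr/sbin/nologin
homeDirectory: /nonexistent
host: *
"""


def parse_ldif(text):
    """Return a list of entries, each a dict {attr (lowercased): [values]}.
    Handles comments, blank-line separators and leading-space continuation
    lines; base64 ('::') values are outside what this example needs."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:              # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries


def _has_class(entry, name):
    return name.lower() in {c.lower() for c in entry.get("objectclass", [])}


def nss_lookup(entries, uid):
    """NSS-style getpwnam: the posixAccount entry whose uid matches, or None."""
    for e in entries:
        if _has_class(e, "posixAccount") and uid in e.get("uid", []):
            return e
    return None


def groups_for(entries, uid):
    """NSS-style group resolution: primary gidNumber plus memberUid entries."""
    user = nss_lookup(entries, uid)
    if user is None:
        return []
    primary = user.get("gidnumber", [None])[0]
    names = set()
    for e in entries:
        if not _has_class(e, "posixGroup"):
            continue
        if e.get("gidnumber", [None])[0] == primary or uid in e.get("memberuid", []):
            names.update(e.get("cn", []))
    return sorted(names)


def host_permits(entry, hostname):
    """PAM-style host check: allowed only if `host` lists this machine or '*'.
    An entry with no host attribute at all is denied (fail closed)."""
    allowed = {h.lower() for h in entry.get("host", [])}
    return "*" in allowed or hostname.lower() in allowed


def may_login(entries, uid, hostname):
    """Unknown user (NSS miss) or host mismatch (PAM denial) -> False."""
    entry = nss_lookup(entries, uid)
    return entry is not None and host_permits(entry, hostname)
```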


Re: Support for Stallion Serial Controllers in FreeBSD 7

2008-04-18 Thread David Robillard
 From some reading I have been doing including here:
 http://www.freebsd.org/doc/en_US.ISO8859-1/articles/console-server/setting-up-server.html

 ...I have been given to understand that FreeBSD supports Stallion multiport
 serial cards, provided that I enable it in the kernel.

 However, the link in the document above to stl comes up with nothing,
 I can find no other references doing a site search and doing:

 grep -r -i stallion *

We still have an old FreeBSD 4.11-RELEASE-p26 machine lying around
only because it's using those Stallion multiport serial cards. It's
working, but it's quite annoying to keep such an old FreeBSD version
online. We had to isolate this machine into its own network DMZ since
version 4.11 isn't covered by the FreeBSD Security team.

To get around this problem, we recently built another console server
with a Digi Digiboard PCI PC/Xem card on FreeBSD 6.2-RELEASE-p12. It's
working great, so we're going to ditch the old Stallion cards. Unless
of course someone ports the stl(4) driver to FreeBSD 7.x

If you'd like to read the documentation on how I've setup the console
server with both the Digi board and the Stallion cards, check
http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/ConsoleServer

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Openldap server install failure - openldap client conflict

2008-04-17 Thread David Robillard
 On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
   I'm trying to install OpenLDAP as a server to attempt to try it out
   for our network. The problem is the openldap client is already installed
   for other apps as php, apache, asterisk, etc. So my question is: is it
   possible to uninstall the client? Will the server include the client
   required for these other apps?
 
  You can always remove the old client and install the new version. You
  simply need to shutdown the services which depend on the client before
  you remove the old one and install the new one. Then start the
  services again. Of course you should do this on a test machine and
  make sure all your applications work as expected with the new client
  (i.e. don't do this on your production machine AND backup before you
  do!).
 
  For what it's worth, I've removed and installed the OpenLDAP client
  from a few machines and never had any problems with Apache nor with
  PHP. But I did have a problem with sudo(8). If you use sudo (you
  probably should IMHO) and it was compiled with LDAP support, then the
  minute you remove the old OpenLDAP client, sudo will be broken. It's
  easy to work around this by using su(1) and switch to root. Of course,
  make sure you know the root password and that you're part of the wheel
  group before you do this.
 
  Here's how I proceed to update the OpenLDAP client. I use SASL also,
  but it's not mandatory. Notice that I run a first make(1) without
  options. This will help reduce the time required between the `make
  deinstall` and `make install clean`.
 
  cd /usr/ports/net/openldap24-sasl-client
  sudo make
  sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
  sudo make deinstall
  sudo make install clean
  sudo /all/your/ldap/dependent/applications/rc.d/scripts start
 
  Also, on a side note, I would suggest adding a few lines to
  make.conf(5) so that all your applications will require the same
  OpenLDAP versions (and the same Berkeley DB too). That change did help
  me quite a lot. The downside of this is that if you have many hosts,
  you may have to edit quite a few make.conf(5) files when either
  OpenLDAP or BDB changes versions. Using rsync, rdist
 
  WANT_OPENLDAP_VER= 24
  WITH_BDB_VER= 46
 
  Good luck with OpenLDAP. Should you need help with it, SASL and
  Kerberos integration, feel free to contact me.

 I did just get it worked out, but those other apps were worrying me (see
 last post). At least I know where to look now...

Indeed. I've never used Asterisk myself so you'll have to test it. I'd
be surprised if a change in the LDAP client breaks anything, but you
never know. Better test it first on a non-production system.

 I am very interested in kerberos integration if you could provide some
 hints. I looked into before for another reason and set it aside in the
 too hard basket for a while... I posted back to the list to help others
 if they're interested too.

I've successfully integrated OpenLDAP with SASL and Kerberos along
with nss_ldap, pam_ldap, sudo and ssh on FreeBSD. I agree with you
that it's not very easy to find good documentation on this subject on
the web. So I'll try to post my own setup online in case it can help
anyone.

But before I do, I still need to clean up my notes :) I'd also like to
publish documentation on these items:

- Setup the OpenLDAP replication with a Kerberos user.
- Describe a backup and recovery plan.
- Configure Apache to use mod_auth_kerb to achieve Single Sign-On.
- Describe how to replace NIS with OpenLDAP.
- Configure the OpenLDAP/Kerberos setup in HA using Open Source tools.
- Test some web based applications to manage the OpenLDAP accounts (so
that I can give the user management to a junior admin or first level
support teams)

So unless you really need my docs right away, I would suggest waiting
a bit for me to clean the whole thing. I'd like to have all that up
and running around the first week of May.

 One thing, I installed the lam webapp for administration (and I did also
 try this manually too) but when I'm asked for a password I have no idea
 what password its looking for (I do feel rather stupid!).

Hummm, I've never used LAM before. But my (wild) guess would be that
it's looking for your rootdn user's password. Or any other user in
which you've granted full read/write access in your OpenLDAP acls.

 This was something I was going to try to solve next time I get back to this
 project- it was late at night and I had only just got it installed and
 running. It says in the install guide that it will ask for the secret
 once you add a ldif file, so I assumed it would set it then- I was
 wrong...

Well, the first password you setup is the rootdn's password. You
generate the Salted-SHA1 hashed password with slappasswd(8C). Simply
copy the output of `slappasswd -v` into your
/usr/local/etc/openldap/slapd.conf file. That's in the rootpw
configuration such as this:

# Specify the rootdn's passwd. See slappasswd(8).
rootpw

Re: Openldap server install failure - openldap client conflict

2008-04-16 Thread David Robillard
 I'm trying to install OpenLDAP as a server to attempt to try it out
 for our network. The problem is the openldap client is already installed
 for other apps as php, apache, asterisk, etc. So my question is: is it
 possible to uninstall the client? Will the server include the client
 required for these other apps?

You can always remove the old client and install the new version. You
simply need to shutdown the services which depend on the client before
you remove the old one and install the new one. Then start the
services again. Of course you should do this on a test machine and
make sure all your applications work as expected with the new client
(i.e. don't do this on your production machine AND backup before you
do!).

For what it's worth, I've removed and installed the OpenLDAP client
from a few machines and never had any problems with Apache nor with
PHP. But I did have a problem with sudo(8). If you use sudo (you
probably should IMHO) and it was compiled with LDAP support, then the
minute you remove the old OpenLDAP client, sudo will be broken. It's
easy to work around this by using su(1) and switch to root. Of course,
make sure you know the root password and that you're part of the wheel
group before you do this.

Here's how I proceed to update the OpenLDAP client. I use SASL also,
but it's not mandatory. Notice that I run a first make(1) without
options. This will help reduce the time required between the `make
deinstall` and `make install clean`.

cd /usr/ports/net/openldap24-sasl-client
sudo make
sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
sudo make deinstall
sudo make install clean
sudo /all/your/ldap/dependent/applications/rc.d/scripts start

Also, on a side note, I would suggest adding a few lines to
make.conf(5) so that all your applications will require the same
OpenLDAP versions (and the same Berkeley DB too). That change did help
me quite a lot. The downside of this is that if you have many hosts,
you may have to edit quite a few make.conf(5) files when either
OpenLDAP or BDB changes versions. Using rsync, rdist

WANT_OPENLDAP_VER= 24
WITH_BDB_VER= 46

Good luck with OpenLDAP. Should you need help with it, SASL and
Kerberos integration, feel free to contact me.

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
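The sudo surprise above is the general case: anything dynamically linked against libldap stops working between `make deinstall` and `make install`, and you want that list before you start so the stop/start step is complete. The script below is an added example, not the poster's procedure: it parses ldd(1) output in FreeBSD's format and lists the binaries that link libldap or libldap_r (the thread-safe variant). The ldd output embedded here is constructed; when run with real paths as arguments it calls ldd on them.

```python
"""Find which installed binaries link against libldap before `make deinstall`.

Added example, not from the original message. The embedded ldd output is
constructed in FreeBSD ldd(1) format; the binary paths are illustrative.
"""
import re
import subprocess
from typing import Dict, List, Set

# ldd(1) line: "\tlibldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x...)"
LIB_RE = re.compile(r"^\s*(\S+\.so(?:\.\d+)*)\s+=>", re.M)


def shared_libs(ldd_output: str) -> Set[str]:
    """Library names that appear in one binary's ldd output."""
    return set(LIB_RE.findall(ldd_output))


def ldap_dependents(ldd_by_binary: Dict[str, str], prefix: str = "libldap") -> List[str]:
    """Binaries whose ldd output names libldap or libldap_r."""
    return sorted(
        path for path, out in ldd_by_binary.items()
        if any(lib.startswith(prefix) for lib in shared_libs(out))
    )


def ldd(path: str) -> str:
    """Run ldd(1) on a real file; only used when invoked with arguments."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout


CONSTRUCTED = {
    "/usr/local/bin/sudo": (
        "/usr/local/bin/sudo:\n"
        "\tlibldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x280a1000)\n"
        "\tliblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x280d4000)\n"
        "\tlibpam.so.3 => /usr/lib/libpam.so.3 (0x280e0000)\n"
        "\tlibc.so.6 => /lib/libc.so.6 (0x280e8000)\n"
    ),
    "/usr/local/sbin/httpd": (
        "/usr/local/sbin/httpd:\n"
        "\tlibapr-1.so.2 => /usr/local/lib/libapr-1.so.2 (0x28093000)\n"
        "\tlibc.so.6 => /lib/libc.so.6 (0x280e8000)\n"
    ),
    "/usr/local/bin/php": (
        "/usr/local/bin/php:\n"
        "\tlibldap_r-2.4.so.2 => /usr/local/lib/libldap_r-2.4.so.2 (0x281a1000)\n"
        "\tlibc.so.6 => /lib/libc.so.6 (0x280e8000)\n"
    ),
}

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    outputs = {p: ldd(p) for p in targets} if targets else CONSTRUCTED
    for binary in ldap_dependents(outputs):
        print("stop before deinstall:", binary)
```

Apache modules and PHP extensions are loaded at run time rather than linked into the main binary, so feed their .so files to the script as well, not only the executables.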


Re: Remote backups using ssh and dump

2008-04-04 Thread David Robillard
 Has anyone done this?

 I'm presently using rsync over ssh, but I think dump would be better if it 
 will
 work.  I've been reading the man page, but I'm wondering if anyone is doing
 this successfully and would like to share their cmdline.

Hi Paul,

We're not using dump over ssh but I was curious to know why you'd
prefer dump over rsync?

We're using rsync and it's been good to us. So, I'd like to share with
you our backup strategy. Just in case it can help you or anyone
running various UNIX flavors. We use FreeBSD, RedHat Enterprise Linux,
Ubuntu Linux and IBM AIX in this setup.

This is a disk to disk to tape scenario.

All clients are configured with a user called backup with a UID of
zero (so that he can read everything). Its shell is set to rssh which
in turn is configured to allow rsync only to the backup user. We limit
who can connect to each client via sshd_config's AllowUsers config.
Each client has the central backup server's special ssh key file
installed in ~backup/.ssh/authorized_keys edited to have
from="backup.domain.com" in it to restrict which machine can use this
key.

The central FreeBSD backup server has ssh access to every client and
has rsnapshot installed. We have an rsnapshot configuration for each
client. Each backup run is scheduled via the server's crontab. Backup
data is stored on the server's encrypted backup volume. The nice thing
about rsnapshot is that it uses efficient links to save disk space. In
the first run of a new client it takes the entire data set. But each
subsequent run only takes the changes. But the backup data is kept
online so you can actually browse it live and use scp/tar/rsync to
perform a restore. Be it a single file or the entire file system.
Using rsnapshot enables us to save a week's worth of data of all our
100+ machines without using more than 300GB of disk space on the
backup server (lots of machines, but not much data, we're quite lucky
:)

Each day, the backup data is passed with dd into OpenPGP before being
sent to tape with tar. This way our tapes are encrypted and impossible
to read without the appropriate password. That password is kept on an
encrypted file. We can therefore send our tapes off site with any
company knowing our data is safe.  All the admins keep a detailed
howto and the important encrypted password files on a USB stick in
case the data center fails and we lose our wiki and the file server.

If anyone is interested in the exact configuration of this backup
setup, we have it all in a wiki, so it's easy to share it.

Hope that can help anyone,

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
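A UID 0 account reachable over ssh is the most sensitive piece of the setup above, so the authorized_keys line deserves more than `from=`. The checker below is an added example, not the poster's configuration: it parses an authorized_keys entry (including quoted option values that contain commas), reports what is missing for a key that may only pull backups (a pinned `from=`, a forced `command=` so the key can never reach a shell even if rssh is misconfigured, and `restrict` or the individual no-* options), and rewrites the line in hardened form. The host name, key blob and rrsync path are constructed placeholders; rrsync itself is the restricted-rsync wrapper shipped in rsync's support directory.

```python
"""Audit and harden the backup user's authorized_keys entry.

Added example for the backup setup above; not the original poster's code.
Option names are OpenSSH authorized_keys options; host name, key blob and
rrsync path are constructed placeholders.
"""
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-", "ssh-dss")
# What 'restrict' (OpenSSH 7.2+) implies; older servers need them spelled out.
RESTRICTIONS = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep outside double quotes, honouring backslash escapes in quotes."""
    parts: List[str] = []
    cur: List[str] = []
    quoted = False
    i = 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_line(line: str) -> Tuple[Dict[str, str], str, str, str]:
    """Return (options, key_type, key_blob, comment) for one authorized_keys line."""
    fields = [f for f in _split_unquoted(line.strip(), " ") if f]
    options: Dict[str, str] = {}
    if fields and not fields[0].startswith(KEY_TYPES):
        for token in _split_unquoted(fields.pop(0), ","):
            name, _, value = token.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            options[name.strip().lower()] = value
    key_type = fields[0] if fields else ""
    blob = fields[1] if len(fields) > 1 else ""
    return options, key_type, blob, " ".join(fields[2:])


def audit(line: str, backup_host: str, wrapper: str) -> List[str]:
    """Findings for a key accepted by a UID 0 'backup' account; [] means clean."""
    opts, key_type, _, _ = parse_line(line)
    findings: List[str] = []
    if key_type == "ssh-dss":
        findings.append("ssh-dss key (1024-bit DSA)")
    if opts.get("from") != backup_host:
        findings.append(f'from= must be "{backup_host}"')
    if not opts.get("command", "").startswith(wrapper):
        findings.append(f"command= must force {wrapper}")
    if "restrict" not in opts:
        missing = [r for r in RESTRICTIONS if r not in opts]
        if missing:
            findings.append("missing " + ",".join(missing))
    return findings


def harden(line: str, backup_host: str, wrapper: str) -> str:
    """Rewrite the line so the key can only run the rsync wrapper from backup_host."""
    _, key_type, blob, comment = parse_line(line)
    options = f'from="{backup_host}",restrict,command="{wrapper}"'
    return " ".join(x for x in (options, key_type, blob, comment) if x)


# Constructed: the from=-only line the message describes, with a dummy key blob.
BACKUP_HOST = "backup.domain.com"
WRAPPER = "/usr/local/bin/rrsync -ro /"      # assumed install path of rsync's rrsync
CURRENT_LINE = 'from="backup.domain.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample backup@backup.domain.com'

if __name__ == "__main__":
    print(audit(CURRENT_LINE, BACKUP_HOST, WRAPPER))
    hardened = harden(CURRENT_LINE, BACKUP_HOST, WRAPPER)
    print(hardened)
    print(audit(hardened, BACKUP_HOST, WRAPPER))
```

`from=` matches on the client's reverse-resolved name or address, so it only holds if DNS on the client is trustworthy; listing the backup server's IP address alongside the name (`from="backup.domain.com,10.0.0.5"`) removes that dependency.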


Re: FreeBSD on IBM Blade Servers

2008-04-04 Thread David Robillard
 Somebody using FreeBSD & IBM Blade hardware in production?

Hello Maximillian,

I'm not using it myself, but a friend of mine is running FreeBSD
6.1-STABLE on IBM BladeCenter LS20, AMD Opteron 2.4GHz/800 MHz. He
says the big problems are getting the BladeCenter's USB console
working across reboots and multipathing the HBAs. His FreeBSD blades
boot off the SAN and they all have dual HBAs. Since FreeBSD 6.1 has
zero multipath support, he has to disable one of the HBAs for the boot
process to work.

I think FreeBSD 7.0 is a *lot* better with respect to the USB console.
But I have no idea about the HBA multipath support?

Anyway, if you do have more specific questions, please feel free to
send them to me. I'd forward them to my friend or hook you two
together.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Sudo Commands on New 6.2 System Cause Last Login Message.

2008-04-03 Thread David Robillard
 The commands always work but I would rather not get that message
 each time. Am I missing something obvious?

A quick google search will show you that it's the
${LOCALBASE}/etc/pam.d/sudo file which is the root of your problem.
It's pam_lastlog(8) which makes the message.  If you don't need it,
comment out the...

session include system

... line in ${LOCALBASE}/etc/pam.d/sudo to get rid of this behavior.

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: VMWare Tools for FreeBSD

2008-03-18 Thread David Robillard
 Basically the only reason I have for using VM Tools is for the ability
 of Vmotion and such with our ESX Server farm. It's really the only
 benefit that the VM tools will give me on FreeBSD as all my virtual
 machines which are running FreeBSD are servers and don't use any GUI's
 either.

 Currently there is nothing that doesn't run correctly under VMWare and I
 have not seen any lack of performance or anything compared to a physical
 machine. Maybe if enough of us push to have the VMWare Tools developed
 and certified for use with VMWare that they might actually get started.

 I might develop some sort of E-Petition for it, what you think?

Why not? I'm in the exact same position as you are with ESX & FreeBSD.
Hence I'd love to have VMWare Tools developed and certified for use
with FreeBSD. Actually, I'd really like to see VMWare Server and
Player certified for FreeBSD i386 and amd64.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: compiling kernel with PAE

2008-01-21 Thread David Robillard
 Getting an error when trying to compile a kernel on 5.4 and 6.2 with the
 PAE option. I've tried NO_MODULES in make.conf as well...

 se2 -ffreestanding -Werror  /usr/src/sys/dev/advansys/advansys.c
 /usr/src/sys/dev/advansys/advansys.c: In function `adv_action':
 /usr/src/sys/dev/advansys/advansys.c:260: warning: cast from pointer to 
 integer of different size
 *** Error code 1

 Stop in /usr/obj/usr/src/sys/WEBTENT.
 *** Error code 1

 Stop in /usr/src.
 *** Error code 1

 Stop in /usr/src.

 This is a custom kernel build with the QUOTA option, I take out the PAE
 option and all makes fine. I did a src-all update with RELENG_VER tag
 prior to building. I assume this is a driver issue compatible with PAE?

 Also, can I run amd64 release on this Intel Xeon dual proc with 6GB RAM?
 Thinking about loading 6.3 amd64 if possible. Excuse my ignorance, I am
 not a hardware guy, I am a programmer.

 CPU: Intel(R) Xeon(TM) CPU 3.00GHz (3000.12-MHz 686-class CPU)
   Origin = "GenuineIntel"  Id = 0xf41  Stepping = 1
   Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
   Features2=0x641d<SSE3,RSVD2,MON,DS_CPL,CNTX-ID,CX16,b14>
   AMD Features=0x2010<NX,LM>
   Logical CPUs per core: 2

According to http://www.freebsd.org/platforms/amd64.html the Intel
Xeon (3000-sequence, 5000-sequence, and 7000-sequence) processors use
the Intel(R)64 architecture.
Therefore if your Intel Xeon is in the 3000-sequence, 5000-sequence or
7000-sequence, then you can use FreeBSD/amd64 and use the memory above
4GB. IMHO it should be simpler and more efficient than compiling a
kernel with PAE support.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: How backup huge pgsql ?

2008-01-14 Thread David Robillard
 I want to know how I can make a backup of a huge postgresql database (huge means
 ~2 TB).

 I can stop the access of the database during N1 hours.

 Any idea about this ?

I came around this particular problem by setting up a read only mirror
of an Oracle instance using Oracle DataGuard.
Of course the product is Oracle-specific, but the idea should apply to
PostgreSQL databases as well and it's what we're in the process of
installing here.

The idea is to setup an identical but read-only copy of the production
database on a separate machine.
This read-only copy is kept in sync with the production database using
the various PostgreSQL High-Availability features (discussed here
postgresql.org/docs/8.2/static/high-availability.html) Such as a
Master-Slave Replication or a Synchronous Multi-Master Replication.

Say you're using a Master-Slave Replication. With this setup, you can
stop the Master-Slave replication before running the backup on the
read-only copy on the slave machine. This way you have a consistent
view of your data while you backup and the production database is
still online. Once your backup is over, you simply turn on the
replication again to update your slave's data with what has changed on
the master while the replication was offline. Simple and effective.
Beware, you will take a performance hit when you turn replication on.

What's more, since you now have a read-only database, you can use it
in your pre-production and test environments without any impact on
your production systems.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Sun Fire X4600 Server FreeBSD

2008-01-04 Thread David Robillard
 Those who have experience with  Sun Fire X4600 Server  FreeBSD, please 
 respond.

Hi Susanth,

Your best option is to contact your Sun sales rep and arrange a test
of the system.
Sun and its resellers usually grant access to their hardware at their
facilities for you to try before you buy.
In this way you can use the FreeBSD/amd64 install CD and perform a
real life test of the x4600.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: common filesystem for Linux and FreeBSD

2007-12-17 Thread David Robillard
 That being the case, there is some data I would like to keep available to
 both FreeBSD and Linux systems, in stable read/write access with
 reasonably high access performance for both (fast enough to achieve
 decent frame rates, for instance).  This seems to rule out both ext3 and
 UFS2.  What filesystem(s) meet(s) my needs in this case?

NFS would probably do it. You can use either OS as the NFS server and
use which ever file system you desire.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: How to install FreeBSD remotely from Debian Linux Environment?

2007-12-13 Thread David Robillard
 Maybe you can get some ideas from this (now outdated) script I used
 for this
 purpose years ago:

 http://www.bzerk.org/files/mk-livecd

 thank you - this is what I've been looking for. Not a complete
 solution - but a base to avoid figuring out those nasty hacks by
 myself :)

Say Steve,

If you make it out alive and everything works as planned, may I
suggest you post your solution online so that the entire FreeBSD
community can benefit from your efforts?

Good luck & Have fun!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Issues configuring cyrus-imapd

2007-12-03 Thread David Robillard
 rc.conf(5) too:

cyrus_imapd_enable="YES"   # Enable imapd(8).
cyrus_imapd_flags="-d"     # Flags to imapd program.
saslauthd_enable="YES"     # Enable saslauthd(8) (or NO).

If you need more detailed info, I can send you my cyrus.conf(5) and
imap.conf(5) files. As you can see, it's quite a lot more complicated
than with Dovecot :)

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: named.conf - unable to set control bit

2007-11-30 Thread David Robillard
Hi list,

I have got the following issue. I have added the following settings in
named.conf but am unable to get it working. If I read the man page it
seems that what I have put in is completely correct.

REason to put it in is that I want the DHCP server to automatically update
the DNS zone.

the error I get is:

Nov 30 14:09:31 hulk named[6848]: reloading configuration failed: failure
Nov 30 14:09:45 hulk named[6848]: /etc/namedb/named.conf:20: expected
'allow' near ';'
Nov 30 14:09:45 hulk named[6848]: reloading configuration failed:
unexpected token

head -n 25 /etc/named/named.conf
# generated with dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
key DHCP_UPDATER {
 algorithm HMAC-MD5.SIG-ALG.REG.INT;
 secret "hashedstring==";
 };

acl home {10.202.77.0/24;127.0.0.1;};

options {
 // Relative to the chroot directory, if any
 directory       "/etc/namedb";
 pid-file        "/var/run/named/pid";
 dump-file       "/var/dump/named_dump.db";
 statistics-file "/var/stats/named.stats";
 allow-query {home; };

};

controls {
 inet 127.0.0.1 port 953;
allow { 127.0.0.1;10.202.77.110; } keys { DHCP_UPDATER; };
};

Line 20 is where controls start.

Any help much appreciated.

rgds,

Patrick

Patrick,

When you update your named.conf file, make sure you run a syntax check
before (re)starting named. Here's how you do it:

named-checkconf /path/to/your/named.conf && echo $?

If echo returns zero, then you're good to go. Otherwise, fix whatever
problem is displayed.

In your case, you need to remove one semicolon (;) to fix your
problem. Here's what your controls statement should look like:

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; 10.202.77.110; }
    keys { DHCP_UPDATER; };
};

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
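Two things are worth checking beyond the stray semicolon: the `controls` statement is the rndc channel (TCP 953), so every address it accepts should be loopback unless you really intend to administer named from the network, and a TSIG secret should be at least as long as the algorithm's digest. The script below is an added example, not Patrick's or David's configuration: it generates a fresh secret and emits a `key` statement for it, and it lints a `controls` block for the syntax slip in the question, non-loopback listeners or allow entries, and a missing `keys` clause. The key name and addresses are the ones from the quoted named.conf; the secret is generated here and the findings are this script's own labels.

```python
"""Generate a TSIG key and lint a BIND 'controls' statement.

Added example, not from the thread. Key name and addresses come from the
quoted named.conf; the secret is freshly generated here, not Patrick's.
Minimum secret length (the digest size) follows RFC 2104's advice.
"""
import base64
import binascii
import os
import re
from typing import List, Optional

# BIND algorithm name -> digest size in bytes. HMAC-MD5.SIG-ALG.REG.INT is
# the legacy spelling BIND accepts for hmac-md5.
ALGORITHMS = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha512": 64}
ALIASES = {"hmac-md5.sig-alg.reg.int": "hmac-md5"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _canonical(algorithm: str) -> str:
    name = algorithm.lower()
    name = ALIASES.get(name, name)
    if name not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return name


def new_tsig_secret(algorithm: str) -> str:
    """Random base64 secret of the algorithm's digest size."""
    return base64.b64encode(os.urandom(ALGORITHMS[_canonical(algorithm)])).decode("ascii")


def key_block(name: str, algorithm: str, secret: str) -> str:
    """A 'key' statement; rejects secrets that are not base64 or shorter than the digest."""
    alg = _canonical(algorithm)
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64") from exc
    if len(raw) < ALGORITHMS[alg]:
        raise ValueError(f"secret is {len(raw)} bytes; use at least {ALGORITHMS[alg]}")
    return f'key "{name}" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};\n'


def _block(text: str, name: str) -> Optional[str]:
    """Body of the first 'name { ... }' statement, found by brace balancing."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def lint_controls(conf: str) -> List[str]:
    """Findings for the rndc channel: syntax slip, exposed listeners, missing TSIG."""
    body = _block(conf, "controls")
    if body is None:
        return ["no-controls"]
    findings: List[str] = []
    for m in re.finditer(r"inet\s+(\S+?)(?:\s+port\s+(\d+))?\s*(;|allow)", body):
        addr, terminator = m.group(1), m.group(3)
        if terminator == ";":
            findings.append("stray-semicolon")       # the error in the question
        if addr not in LOOPBACK:
            findings.append(f"listens-on:{addr}")
    for allow in re.findall(r"allow\s*\{([^}]*)\}", body):
        for entry in (e.strip() for e in allow.split(";")):
            if entry and entry not in LOOPBACK:
                findings.append(f"non-loopback:{entry}")
    if not re.search(r"\bkeys\s*\{", body):
        findings.append("no-keys")
    return findings


# The controls statement from the question, and the corrected form.
BROKEN = """controls {
 inet 127.0.0.1 port 953;
allow { 127.0.0.1;10.202.77.110; } keys { DHCP_UPDATER; };
};
"""
FIXED = BROKEN.replace("port 953;\nallow", "port 953 allow")

if __name__ == "__main__":
    print(key_block("DHCP_UPDATER", "hmac-sha256", new_tsig_secret("hmac-sha256")))
    print(lint_controls(BROKEN))
    print(lint_controls(FIXED))
```

Note that `controls` only governs rndc; for the DHCP server to update zones dynamically, the key has to be granted on the zone itself (`allow-update { key DHCP_UPDATER; };`), which is a separate statement with a separate allow list. Newer BIND releases also accept hmac-sha256, which is preferable to hmac-md5 for new keys.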


Re: Does anyone know how to get the required downloads from Sun to build Java?

2007-11-23 Thread David Robillard
 It appears as if jdk 1.5 is now at version 14, but the FreeBSD ports
 still requires version 13.

 Luckily, Sun is run by a bunch of Nazis, and doesn't use a standard
 directory tree to distribute their stuff.  After 15 minutes of searching
 I can't figure out how to get the version 13 stuff off their site, and
 thus I can't build OpenOffice.org for my shiny, new laptop ...

 Does anyone have any advice on how to get the required files from Sun?

Hi Bill,

If you need to run Java on FreeBSD, get it from the FreeBSD Foundation.

As it says on the website:

The FreeBSD Foundation has a license with Sun Microsystems to
distribute FreeBSD binaries for the Java Runtime Environment (JRE) and
Java Development Kit (JDK). These implementations have been made
possible through the hard work of the FreeBSD Java team as well as
through donations to the FreeBSD Foundation that supported hardware,
developer costs, and legal fees.

Here's the direct link:

http://www.freebsdfoundation.org/downloads/java.shtml

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: syslog time resolution

2007-11-08 Thread David Robillard
 I would like to increase the number of decimals reported in logfiles by
 syslogd(8), anyone knows if it is possible and perhaps a hint on how to do
 it?

 tcpdump for instance, has six decimals: 21:25:20.160833 whereas the
 standard syslog has zero decimal secs.

 I am only referring to events within a single system so it's not related to
 clock accuracy.

 Thanks and sorry if I missed the obvious!

You might want to try changing the base system's syslogd(8) for a more
feature rich syslog solution.

I'd suggest using syslog-ng which is available in the FreeBSD ports as
sysutils/syslog-ng2
http://www.freebsd.org/cgi/url.cgi?ports/sysutils/syslog-ng2/pkg-descr

It has quite a lot more features than the base system's syslogd(8) as
you can see from the online Administrator's Guide
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html

Should you like to check out other syslogd replacements, check the
Library at http://www.loganalysis.org/

Have fun!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Recommended servers for FreeBSD.

2007-11-07 Thread David Robillard
On Oct 29, 2007 10:45 AM, Andrew Wasilczuk [EMAIL PROTECTED] wrote:
 On Mon, Oct 29, 2007 at 09:08:12AM -0400, David Robillard wrote:
 
  We run FreeBSD 6.2-RELEASE on several IBM x3550 machines with the
  onboard RAID controller using the aac(4) driver. We haven't had any
  problems, the machines are stable and backed by IBM Professional
  Services.

 Nice, I think those use the ServeRAID-8k controller.  Have you tried
 hot-swapping the disks? Does it work on FreeBSD?

I've finally found some spare time to test the hot-swap capability of
the IBM x3550 machines with FreeBSD 6.2-RELEASE-p8. Good news, it
works as expected.

Here's the info required to make it happen:

Kernel configuration lines to include. Note that you can omit the
AAC_DEBUG line. If you do so, you won't see anything in the logs when
the controller is working. I've only tried debug level zero and you'll
see below that it generates quite a lot of info.

device  aac # Adaptec FSA RAID
device  aacp# SCSI passthrough for aac (requires CAM)
options AAC_DEBUG=0 # Set debug level from 0 to 3.

Here's what FreeBSD reports:

grep -i raid /var/run/dmesg.boot
aac0: IBM ServeRAID-8k port 0x4000-0x40ff mem
0xcce0-0xccff,0xcafe-0xcaff irq 17 at device 0.0 on
pci2
aac0: Adaptec Raid Controller 2.0.0-1
aacd0: RAID 1 (Mirror) on aac0

Now when you pull a drive out from the machine, wait around a minute
or so and then plug it back in, you'll get those messages in
/var/log/messages:

+aac0: EventNotify(0)
+aac0: (EnclosureManagement) EMPID 0 unit 1 event 17
+aac0: EventNotify(0)
+aac0: (DeviceFailure) handle 1
+aac0: EventNotify(0)
+aac0: (EnclosureManagement) EMPID 0 unit 1 event 31
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (ConfigChange)
+aac0: EventNotify(0)
+aac0: (FailoverChange)
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,0
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ContainerEvent) container 0 event 7
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ConfigChange)
+aac0: JobProgress (1) - running (3123200, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (2) - running (6246400, 312317952)
+aac0: (ConatainerRebuildMirror) container 0

[ ... removed a lot of similar JobProgress lines ... ]

+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (100) - finished (312317952, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: EventNotify(0)
+aac0: (23)
+aac0: JobProgress (101) - success (312317952, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ConfigChange)

There you go. Thanks to the aac(4) & FreeBSD teams.

Enjoy!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
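With AAC_DEBUG enabled those lines are the only signal a failed mirror member gives you, and a human reading /var/log/messages a week later is not a monitoring plan. The parser below is an added example, not part of the original message: it turns the event and JobProgress lines above into a summary (failed device handles, configuration changes, state and progress of the last rebuild job) and decides whether the controller still needs attention, which is the check you would wire into whatever watches the logs. The sample lines are copied from the excerpt above; the leading `+` is assumed to be the diff marker of a periodic report and is tolerated, and the alerting rule is this example's own.

```python
"""Summarise aac(4) AAC_DEBUG event lines into a failure/rebuild state.

Added example, not from the original message. SAMPLE is taken from the
excerpt above; the leading '+' is assumed to be a report's diff marker.
"""
import re
from typing import Any, Dict, List

EVENT_RE = re.compile(r"^\+?(aac\d+): \((\w+)\)(?: (.*))?$")
PROGRESS_RE = re.compile(r"^\+?(aac\d+): JobProgress \((\d+)\) - (\w+) \((\d+), (\d+)\)$")
HANDLE_RE = re.compile(r"handle (\d+)")


def summarize(lines: List[str]) -> Dict[str, Any]:
    """Controller, failed device handles, config-change count and the last rebuild job."""
    summary: Dict[str, Any] = {"controller": None, "failed_handles": [],
                               "config_changes": 0, "rebuild": None}
    for line in lines:
        line = line.strip()
        ev = EVENT_RE.match(line)
        if ev:
            summary["controller"] = ev.group(1)
            kind, detail = ev.group(2), ev.group(3) or ""
            if kind == "DeviceFailure":
                h = HANDLE_RE.search(detail)
                summary["failed_handles"].append(int(h.group(1)) if h else -1)
            elif kind == "ConfigChange":
                summary["config_changes"] += 1
            continue
        pr = PROGRESS_RE.match(line)
        if pr:
            done, total = int(pr.group(4)), int(pr.group(5))
            summary["rebuild"] = {"state": pr.group(3), "done": done, "total": total,
                                  "percent": 100.0 * done / total if total else 0.0}
    return summary


def needs_attention(summary: Dict[str, Any]) -> bool:
    """Alert while a drive has failed and no rebuild has finished successfully."""
    rebuild = summary["rebuild"]
    return bool(summary["failed_handles"]) and not (rebuild and rebuild["state"] == "success")


# Lines from the excerpt above (most JobProgress lines omitted, as there).
SAMPLE = """\
+aac0: EventNotify(0)
+aac0: (EnclosureManagement) EMPID 0 unit 1 event 17
+aac0: EventNotify(0)
+aac0: (DeviceFailure) handle 1
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (ConfigChange)
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: JobProgress (1) - running (3123200, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (2) - running (6246400, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (100) - finished (312317952, 312317952)
+aac0: JobProgress (101) - success (312317952, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: EventNotify(0)
+aac0: (ConfigChange)
""".splitlines()

if __name__ == "__main__":
    full = summarize(SAMPLE)
    print(full, needs_attention(full))
    partial = summarize(SAMPLE[:12])
    print(partial["rebuild"], needs_attention(partial))
```

Because the messages are only emitted with AAC_DEBUG compiled in, a quieter production kernel should instead poll the container status through the controller's management tool, but the alerting rule (failure seen, rebuild not yet successful) stays the same.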


Re: Recommended servers for FreeBSD.

2007-10-29 Thread David Robillard
 Nice, I think those use the ServeRAID-8k controller.  Have you tried
 hot-swapping the disks? Does it work on FreeBSD?

No, I haven't tried to hot-swap the disks. The machines are redundant
web heads and DNS servers which we can bring down without service
down-time. But come to think of it, I have one here in the lab. I'll
see if I can spare a few minutes to test the hot-swap. I'll let you
know how it turns out.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Recommended servers for FreeBSD.

2007-10-29 Thread David Robillard
 I'm interested to see what servers people use for FreeBSD.  I used to
 buy the IBM xSeries x306 for firewalls and web servers and the x206 for
 low budget file servers, but both aren't being sold anymore.  I recently
 got a few IBM x3200 and x3550.  They are really nicely built and I
 hardly have any problems.  However, the on-board RAID controllers
 (Adaptec AIC-9580W) aren't supported under FreeBSD so I fit them with
 3ware 9000 series RAID cards.  Although I really like those 3ware cards,
 it seems like an extra expense that could be avoided.

We run FreeBSD 6.2-RELEASE on several IBM x3550 machines with the
onboard RAID controller using the aac(4) driver. We haven't had any
problems, the machines are stable and backed by IBM Professional
Services.

Cheers,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Backup Solution

2007-09-27 Thread David Robillard
 I am relatively new to the FreeBSD game and have a bit of a problem which I
 am not sure how to tackle. I recently built a server running VMWare ESX
 Server 3 which will eventually run 6-7 small production VMs. These Virtual
 Machines obviously have the need for backups and it poses quite a problem
 for me unless I connect 6-7 external tape drives and give each VM its own
 tape device. I have looked into a few solutions using VM products
 (consolidated backup) but it can only be done if you utilise a SAN.

 The server is running RAID 5 with around 700GB of space. Each VM may take up
 to 50GB and backups might be around 15-20GB per VM. The machine itself has
 an internal LTO3 tape drive, has anyone come across this kind of situation
 before, and if so what would be a good way to backup each VM? It is easy
 enough to backup the image files from the host machine but I need file level
 backups within each VM also.

 I will be very grateful for suggestions or ways people have tackled this
 kind of problem in a production environment.

We use rdiff-backup to perform incremental backups of VMWare machine files.
It works very well. Check it out at http://www.nongnu.org/rdiff-backup/

Let me know if you need help on the setup.

On the other hand, if you prefer to backup the VMWare machines as if they
were physical ones, then I suggest rsnapshot. Of course, this will only work
with UNIX VMs.
More info here http://www.rsnapshot.org/

Have fun,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: named-bind-9

2007-09-17 Thread David Robillard
 I am having  problems with my zone file...
 There used to be a command to run and check zone files/Named files..

 I can't seem to locate it...??

See named-checkzone(8) and named-checkconf(8)

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Configuring OpenLDAP on FreeBSD 6.2 Release, Problems.

2007-08-23 Thread David Robillard
 Sorry, I am pretty new with LDAP too :) I have no documentation beside
 the one I found from Googling around.

Hi Olivier,

There are a few good books about LDAP out there, but most of them are
quite old unfortunately. Anyhow, I found that reading LDAP System
Administration by Gerald Carter from O'Reilly was a good help in
understanding LDAP, deploying OpenLDAP and configuring applications to
fetch data from the LDAP directory (i.e. sendmail, replace NIS, PAM,
FTP, Apache, DNS, etc). Get more info at
http://www.oreilly.com/catalog/ldapsa/index.html

For a more in-depth look into LDAP itself, get your hands on
Understanding and Deploying LDAP Directory Services by Timothy A.
Howes et al. from Addison-Wesley. Again, it's rather old, but will
still help your understanding of LDAP quite a lot. Check it out on
Amazon at
http://www.amazon.ca/Understanding-Deploying-LDAP-Directory-Services/dp/0672323168/ref=wl_itt_dp/702-7398595-5616835?ie=UTF8&coliid=IDX1KGHZ13UXH&colid=CWBQ1L7F8P6P

Next is the Oracle Internet Directory Administrator's Guide document
which covers LDAP very well, just don't read the Oracle specific stuff
if you're not interested. You can reach this doc for free at
http://download-east.oracle.com/docs/cd/B14099_11/idmanage.1012/b14082/toc.htm

Finally, for a more OpenLDAP-centric book, look for OpenLDAP by
Example: Practical Exercises in LDAP Directory Deployment by John H.
Terpstra & Benjamin Coles from Prentice Hall PTR. Contrary to the
other books, this one is not yet published (as you can see from
http://www.amazon.ca/OpenLDAP-Example-Practical-Exercises-Deployment/dp/0131488732/ref=wl_itt_dp/702-7398595-5616835?ie=UTF8&coliid=I1YEUBXAR8YIE3&colid=CWBQ1L7F8P6P
;) Seems quite promising. We'll see.

Good luck,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Best practice for SMTP relay with user authentication.

2007-08-13 Thread David Robillard
 I have my postfix authenticate users before accepting mail for non-local
 delivery. Till now, users can connect to port 25 and 465 (smtps) use
 STARTTLS and authenticate.

 But, I stumbled upon submission port 587 which is not reserved - it
 appears - for a protocol but for a use?

 I'd like to align my configuration with best practice. Should I just
 move postfix to bind to port 587 or did I misunderstand that submission
 is indeed a different protocol? Is there any best practice for which
 protocol should be used for submission?

Port 587 is used for Mail Submission as defined in section 3.1 of
RFC 2476 - Message Submission:

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in this
document. Messages received on this port are defined to be
submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with
additional restrictions as specified here.

While most email clients and servers can be configured to use port 587
instead of 25, there are cases where this is not possible or
convenient. A site MAY choose to use port 25 for message submission,
by designating some hosts to be MSAs and others to be MTAs.

Basically, port 25 is used by Mail Transfer Agents (MTA) while 587 is
used by the Mail Submission Programs (MSP).

If you need more info, check the Bat Book (i.e. Sendmail by
O'Reilly) which is pretty clear on that topic. You can also check
Sendmail Cookbook also from O'Reilly for tips, tricks and recipes
on what you can do with MSP. Of course, it's sendmail related. But I'm
quite sure you can adapt it to Postfix or whatever your organisation
uses to handle emails.

Finally, IMHO the best description of the what, where and why of
Submission is found in the UNIX System Administration Handbook
by Nemeth, Snyder, Seebass & Hein. Check it out at
http://www.admin.com. It's a must read for all UNIX systems
administrators.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
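
Since the question was about Postfix, here is, as an added example (not from this thread and not the Postfix project's own documentation), a master.cf fragment that runs a dedicated submission service on port 587 which only accepts mail after STARTTLS and SASL authentication, while port 25 keeps serving plain MTA-to-MTA traffic. The file path is the FreeBSD port's default and is assumed; the option names are standard Postfix smtpd parameters, and the syslog_name value is only a label that lets submission traffic be told apart from port 25 in maillog.

```text
# /usr/local/etc/postfix/master.cf (added example; FreeBSD port path assumed)
#
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#
# Port 25: MTA-to-MTA transfer, no authentication offered here.
smtp        inet  n       -       n       -       -       smtpd
#
# Port 587: message submission from authenticated users only.
# Each "-o" line overrides the main.cf value for this service alone,
# so the restrictions below never affect port 25.
submission  inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With smtpd_tls_security_level=encrypt, a client that tries AUTH before STARTTLS is refused, so credentials never cross the wire in clear text; the client restriction then rejects any sender that has not authenticated. After `postfix reload`, the behaviour can be checked from another host with `openssl s_client -starttls smtp -connect mailhost:587`, which should show the TLS handshake completing before the AUTH capability is usable.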


Re: scponly chroot doesn?t work FB6.2

2007-05-10 Thread David Robillard

I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FreeBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


You might want to check out the port shells/rssh instead of shells/scponly.

http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr

I'm not sure it does exactly what you're looking for, but it has
similar features as scponly.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: RSA SecurID Pam Module Support?

2007-05-04 Thread David Robillard

We have recently purchased an RSA SecurID Appliance and there are no
native libraries for *BSD OS's.  I have downloaded and installed the
appropriate files within the Linux Compat environment, but I'm not
having any success making it work.  Specifically, the key file in
question is /compat/linux/lib/pam_securid.so.  When I add the
appropriate configuration line to /etc/pam.d/sshd and attempt to log in
I get the following:

May  3 09:43:01 ad-mon01 sshd[30508]: in openpam_load_module(): no
/compat/linux/lib/pam_securid.so found
May  3 09:43:01 ad-mon01 sshd[30508]: fatal: PAM: initialisation failed

Of course, the file actually does exist.

-rwxr-xr-x  1 1047  900  895304 May  2 11:13
/compat/linux/lib/pam_securid.so

Has anyone had any success getting this .so to work under FreeBSD,
specifically 6.2 Release?


Hi Michael,

We're also running some RSA SecurID Appliances. Since we need
support from RSA and FreeBSD is not listed in their supported OS
matrix, we decided to use RedHat for the front-end HTTP servers to run
their module. All the rest of our business applications that require
RSA authentication are running under FreeBSD.

IMHO you should only use an RSA-supported OS to run their module,
because otherwise you won't receive any help from them if they know
you're running this under FreeBSD. Sad, but unfortunately true.

Good luck,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: IBM / FreeBSD - Install Update - Seems to be ACPI

2007-04-19 Thread David Robillard

In our initial posts, we stated that we seemed to be having issues
getting the machine to boot with the 4 processors, so to bypass this we
disabled ACPI on boot. This allowed us to get past the CPU error and
continue to boot. However down the track we noticed things like the
ethernet adapter not getting picked up, and the big problem - none of
the disks getting recognised.

We have since tried a few things, one of which was removing all but one
of the CPU's. If we do this, and boot with ACPI enabled, all is totally
fine. All disks are found, and I receive no CPU panic error.

So it appears to me that by disabling ACPI in an attempt to bypass the
QUAD CPU problem, we are causing another issue behind the scenes.

The root of the problem now appears to be, that if we have anything over
1 CPU, directly after the kernel is loaded (when booting from the CD),
we receive the error message panic: madt_probe_cpus_handler: CPU ID 38
Too High. The moment a second CPU is added to the machine, it bombs out.



Have you tried to present this issue to some specific FreeBSD mailing lists?
I believe some of these might be more suited to help you.

These lists come to mind:

FreeBSD Bugs
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs

FreeBSD ACPI
http://lists.freebsd.org/mailman/listinfo/freebsd-acpi

FreeBSD Hardware
http://lists.freebsd.org/mailman/listinfo/freebsd-hardware

Good luck !

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: sendmail with dovecot with nologin account

2007-04-18 Thread David Robillard

I am using dovecot imap and I am having a problem directing mail to
go to users in Maildir format when they do not have a login shell.

It seems that the .procmailrc file is ignored and the mail is put
in mbox format into /var/mail

For mail-only users without a shell, what is the best way to direct
mail to them in Maildir format within ~/Maildir - maybe directly from
.forward?


Hello David,

We run dovecot + sendmail + procmail and also store mails in Maildirs.
All of our 3500+ users don't have any access to the mailserver and it
works like a charm.

The trick is to keep things as simple as possible. No home directory
for users nor any valid shell plus a global procmailrc file which is
used for all of the users.

For example, start by instructing sendmail to use procmail in the
/etc/mail/`hostname`.mc

FEATURE(`local_procmail')dnl

Then make sure dovecot knows where the mail is stored:

default_mail_env = maildir:/var/mail/%u

Our example mail user has this entry in master.passwd(5):

example.user:<encrypted password string>:13431:231::0:0:Example User:/nonexistent:/sbin/nologin

And the global procmail configuration is very simple:

cat /usr/local/etc/procmailrc

# procmailrc
#
# $Id: procmailrc,v 1.1 2006/10/20 13:08:25 drobilla Exp $
#
# System wide procmail(1) configuration file.
# This configuration causes procmail(1) to deliver mail
# to maildir format as the recipient's UID.

DROPPRIVS = yes
:0
/var/mail/$LOGNAME/

# EOF

<bad reference>A single file to rule them all</bad reference>

Sorry, couldn't resist :)

Let me know if you need any help with this setup.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Locking SSH Users to $HOME

2007-04-11 Thread David Robillard

Using the SSHD server, how can I lock users SSH'ing into a box into their
home directory, without having access to the /usr/home directory as a
whole?


You can try to use the security/ssh2 port to replace the base system's
sshd(8). This version of ssh supports additional chroot configuration
options which lets you do exactly what you're looking for.

Here's a link to the port:
http://www.freebsd.org/cgi/url.cgi?ports/security/ssh2/pkg-descr

Here's an article which shows you how to do what you're looking for:
http://freebsdrocks.net/index.php?option=com_content&task=view&id=51&Itemid=1

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
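
Both the scponly thread above and this one ask for file access confined to the user's own home directory. As an added example that is not part of either post, here is how the base OpenSSH sshd does it today without a third-party port; it does not apply to the FreeBSD 6.2 base sshd of the time, because the ChrootDirectory directive only arrived in OpenSSH 4.8, after these posts. The group name sftponly is an assumption.

```text
# /etc/ssh/sshd_config (added example; only the relevant lines are shown)

# Serve SFTP from inside sshd itself, so no binaries, libraries or
# device nodes have to be copied into the chroot (the $jail/dev/null
# problem from the scponly thread goes away).
Subsystem sftp internal-sftp

# Match blocks must sit at the end of the file: every directive after a
# "Match" line applies only to sessions that match it.
Match Group sftponly
    # %h expands to the user's home directory. The chroot target must be
    # owned by root and not writable by group or others, otherwise sshd
    # refuses the login with "bad ownership or modes for chroot directory".
    ChrootDirectory %h
    # No shell, no scp, no forwarding: the session is SFTP only.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Because the chroot root itself has to be root-owned, the usual layout is a root-owned home with a user-owned subdirectory (for example ~/upload) where the user may write. On FreeBSD the group is created with `pw groupadd sftponly` and a user is added with `pw groupmod sftponly -m username`; run `sshd -t` to check the file before restarting sshd, and keep a second session open while testing so a mistake in the Match block cannot lock you out. Note that this confines SFTP users, which is what both original posters were after; it does not give a user an interactive shell restricted to $HOME.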


Re: Monitoring tool for Compaq Smart Array 5300

2007-04-05 Thread David Robillard

Hi
we would like to monitor the status of a Compaq Smart Array 5300
installed on a HP Proliant DL360.
Is there any tool for FreeBSD 6.2?
Thanks for the help


Check out this HP + FreeBSD site. It's a bit old, but looks like it
has what you're looking for.

http://people.freebsd.org/~jcagle/

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote logging with syslogd

2007-03-23 Thread David Robillard

Thnx for the tip. Found out that it was not the airport UDP port. It is
some misconfiguration in my DNS, but still don't get why it doesn't work
as expected. For some reason my DNS-name is snipped just before the TLD.

Oh btw i changed some configs

I prepended to /etc/syslog.conf the next and deleted what I wrote above
# Log remote Airport Express
+airport.intranet.mydomain.org
*.* /var/log/airport.log
+*
!*

And in rc.conf I changed the above to:
syslogd_enable="YES"
syslogd_flags="-b myhostname.intranet.mydomain.org -a airport.intranet.mydomain.org"

So what comes in on syslogd looks like airport.intranet.mydomain so no
.org or something. I really don't get where that comes from. But now
syslogd rejects because of name mismatch.


If you're having DNS problems, you can always check if your rc.conf(5)
and syslog.conf(5) configurations are good by using IP addresses.
Don't forget to restart syslogd(8) of course. That will help you find
out if your configurations are good.

Now that should not prevent you from fixing your DNS :)

Have fun.

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote logging with syslogd

2007-03-22 Thread David Robillard

Hello,

I'm trying to put up a remote logging server. I want to let my
Airport Express send its logs to my FreeBSD server.

So I said to my Airport to send its logs to the internal ip of my
server, I suppose it works because that's what Apple hardware does.
Now I did the following things on my bsdbox:


I appended to syslog.conf:

# Log remote Airport Express
+airport
*.* /var/log/airport.log
!*

I touched /var/log/airport.log and it has rw-r- root:wheel rights

And to rc.conf I added:

syslogd_enable="YES"
syslogd_flags="-b myhostname.intranet -a *.intranet"

I restarted syslogd via:
# /etc/rc.d/syslogd restart

I suppose it should work, but nothing appears in /var/log/airport and
there should be something that it listens for input or not?

Also I checked netstat -a | grep syslog
udp4   0  0  myhostname.intranet..syslo *.*

So it looks like it is not listening.

Anyone any ideas what I'm doing wrong?


The Apple AirPort products, both Extreme and Express, do not use the
standard syslog UDP port 514. They send to a higher port, just like
most Cisco devices do.

So to enable logging on a FreeBSD host, you must change your
rc.conf(5) syslogd_flags line to enable other non-standard syslog
ports. Try something like this:

syslogd_flags="-b myhostname.intranet -a *.intranet:*"

Since you're using names instead of IP addresses in your
configuration, make sure your DNS resolves both A and PTR records for
the AirPort.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Serial Port Problems (Solved)

2007-03-16 Thread David Robillard

On Thu, 2007-03-01 at 15:27 -0600, Dan D Niles wrote:

If I disconnect and come back later
(sometimes), or if I hit return without entering a login name (always)
it starts spitting out junk like:

nooo~:Woo{;6(|uww~now~nou})|t}}t9-


I found a solution, although I'm not sure why it works.

When you just hit enter getty goes back to the beginning of its loop.
This also happens if you enter a name starting with - or consisting of
just spaces.  These also causes the output to become garbled.

At the beginning of the loop it calls setttymode(0).  If I insert a
sleep(1) before this call, everything works correctly.  If I insert the
sleep after that, the output still gets garbled.

Like I said, I don't know why it works, but it does.

I don't think a short delay is unreasonable after entering invalid or no
information.  I am going to submit a PR with a patch.


I have the same behavior as you do on some machines here. But I
originally thought it was caused by the (old) serial port card I used
to build a serial console server.

The card is an EasyIO PCI 8-port card from Stallion Technologies as
suggested by Gregory Bond's article Console Server from
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/console-server/index.html
(BTW, don't buy this card today because its driver was not ported
from FreeBSD 4.x to either 5.x or 6.x.)

That being said, I checked /usr/src/libexec/getty/main.c to find out
how to recreate your fix. But I'm not a huge C programmer, so I tried
other ways to solve this.

That brought me to gettytab(5) which says that the de field controls
the delay secs and flush input before writing first prompt as the
man page puts it.

So I changed a test machine's gettytab default entry from:

default:\
   :cb:ce:ck:lc:fd#1000:im=\r\n%h (%t)\r\n\r\n:sp#1200:\
   :if=/etc/issue:

To:

default:\
   :cb:ce:ck:lc:fd#1000:im=\r\n%h (%t)\r\n\r\n:sp#1200:\
   :if=/etc/issue:de=2:

And restarted (not sure if a reboot is necessary here?). I had to
fiddle a bit with the delay, but it did help.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: mirror without destroying existing contents

2007-03-13 Thread David Robillard

Anyone made a mirror w/o destroying what's in the disk already?  The
atacontrol man page is less than adequate in this respect...is is even
possible?


Oh, yes-- it's certainly possible to create a mirror with live data,
but one is advised to be cautious and have a full backup available in
case of problems.  With hardware-based ATA controllers like Promise,
3ware, etc, they should have a BIOS utility which you can use to
create the mirror-- make sure to add the drive with valid data first,
and then add the second or additional drives to the mirror set.

The same approach ought to work with software-mirroring such as
(g)vinum.


I'd add gmirror(8) to the list of software RAID solutions.

Man page: 
http://www.freebsd.org/cgi/man.cgi?query=gmirrorapropos=0sektion=0manpath=FreeBSD+6.2-RELEASEformat=html

Handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#GEOM-MIRROR

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote install of 6.2

2007-03-09 Thread David Robillard

I have a remote machine running 4.8-p21.  The system has two disks in
it, but only one is used on a daily basis (the other is filled via dd
every now and then).

I want to get this remote machine running 6.2, so I figured I'd
install the new OS on the second disk, then boot off the second disk,
leaving the original first disk with all the user data on it (plus as
a way to back out).

When I try to use /stand/sysinstall for this it seg-faults
early in the installation, but after the Commit step.


Hi Jerry,

If you have a 6.2 machine handy, you can create dump files of each
filesystem using dump(8), cpio(1) or pax(1) or whatever you're used
to.

Ship those dump files to your 4.8 machine via scp(1). Then use
bsdlabel(8) to partition your second hard disk (the one you wish to
install 6.2 on). Create filesystems on those new partitions. Mount
those new filesystems into a chroot, for example /mnt/root, /mnt/usr,
/mnt/var, etc. Then extract your dump files onto those new partitions.
Don't forget to install a boot block on your disk with `bsdlabel -B`
or with boot0cfg(8). That should do it.

If you need more detailed step-by-step instructions, just say so, I'll
send something on the list.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote install of 6.2

2007-03-09 Thread David Robillard

OK.   First, it was someone else who posted.  I was one of the responders.


My mistake! Sorry about this.



That can be a good way of doing it.   I have posted a list of steps
for doing essentially that (slightly different circumstances) a
couple of times in the past.

But there is one disadvantage in this particular case.  Since the OP
is running 4.xx and wants to move to 6.xx, he would probably also want
to take advantage of the new UFS2 filesystem improvements.  But, if
he builds the file system using the 4.xx fdisk and disklabel (before
bsdlabel replaced it) then it will use the older file system missing
some performance and feature improvements.   So, he will want to find
a way to fdisk and bsdlabel using a 6.xx system if at all possible.

Of course, it is not the end of the world to be stuck with the older
file system, but is less than optimal.

It would be possible for the person to sort of double up on your
suggestion and do a first build with the existing fdisk and bsdlabel
and then restore 6.2 dumps.   Then build a 6.2 system that can run from
memory that includes the essentials such as fdisk, bsdlabel and newfs
and tinker with booting to boot to that memory system, which would
then allow that second disk to remain unmounted or accessed anywhere
 -- essential for building the file systems.  Then use that memory
mounted system to build the file systems and finally do the restores
from dumps.   It should work, but will take some figuring out.

The last time I built anything resembling that was back in
about FreeBSD 4.9 and I made a file of it and burned it to CD and
did the boots from CD.   But it should be possible to get it to
run from a memory file system.


Indeed, you're absolutely right.

An easy way to circumvent this filesystem issue would be to mount the
ISO image of a 6.2 install CD as a virtual filesystem and use the
binaries from there. This shows you how to proceed:
http://www.freebsddiary.org/iso-mount.php

Of course, you'll need a fair bit of RAM to do this.

There's also this from Colin Percival that can be useful:
http://www.daemonology.net/depenguinator/

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/3/07, Peter Pluta [EMAIL PROTECTED] wrote:

I see, thanks. Does the shell script you use automatically delete the
original logs after webalizer or awstats makes its own? I imagine the
ones those programs use are smaller in size?


No, the shell script does not delete any logs. Log rotation and
compression is the job of newsyslog.


Alright, after some more RTFM on Apache logs, here's what your
newsyslog.conf(5) configuration should look like.

/var/log/httpd/access.log    640  5     1048576  *  B  /var/run/httpd.pid  30
/var/log/httpd/error.log     640  5     1048576  *  B  /var/run/httpd.pid  30

Of course, you should tailor this to suit your own needs (like the
size, ownership and number of logs kept on disk, etc.)

But keep the B flag for Binary which will prevent newsyslog from
adding a line in your logs which says it was rotated. It _may_ confuse
some log analyser (depends on your log analyser software). Also make
sure to add the 30 at the end of each line. This is the kill(1)
number for signal -USR1 which gracefully restarts Apache.

Now the reason I removed the Z flags, which eliminates compression,
is to make sure all of your httpd child processes have enough time
to write their logs into the log file. If a request on your site is
rather long, then this is the best way to go. Of course, that means you
will need a little bit more disk space. But not that much depending on
how many logs you keep (i.e. 5 in the example above).

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/5/07, Peter Pluta [EMAIL PROTECTED] wrote:

Thanks, David. I had already configured it like that the first time
around after reading up on it a bit. Most articles/tips I have read say
to wait 10 minutes or so and then compress the logs with a shell script
in order to be sure Apache finished logging to the files. Another thing,
just to be sure. If I had 30 vhosts on my server and each had logs in
their home directory, I would still use newsyslog to rotate and delete
them, correct? I assume one needs tons of disk space to do that if the
sites are rather large.


Well, if you do use newsyslog to rotate Apache log files, then it's
just a matter of setting the number of files you wish to keep. From
newsyslog.conf(5)

 count   Specify the maximum number of archive files which may exist.
 This does not consider the current log file.

Let's say you rotate your files once they reach 2Mb for example and
that you've configured 10 in your newsyslog.conf count field. Then
that means a maximum of 10 x 2Mb = 20Mb will be kept for one
VirtualHost. Now if you have 100 virtual hosts all configured this
way, then you will need 100 x 20Mb = 2000Mb or 2Gb for all your Apache
logs.

Considering today's disk drive sizes are well beyond the 300Gb, I
don't think this is a problem at all.

Of course, YMMV so check your own needs and do the math.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/5/07, Peter Pluta [EMAIL PROTECTED] wrote:

Gotcha, do you use a script to compress the logs after the SIGUSR1 and
after waiting for a bit for apache to clear its logging buffer (to not
have missing logs)?


No I don't. I don't even see why one would want to do this?

Newsyslog deletes extra logs. So if our disk space is enough to hold
the amount of logs we require (see math below), then there's no need
to compress any Apache logs at all. Right!?!!

If we come back to my example of 100 VirtualHosts with log files of 2Mb
each and we keep only 10 of them, using USR1 as the kill signal, for
an httpd child to miss any log entry would mean that this child
writes more than 10 times 2Mb of logs in a very short period of time.
Check your VirtualHost load and determine the average response time
for each httpd child. If it's 2min (which is HUGE for an httpd
child) that would mean that you'd need to have more than 20Mb of
logs generated in less than 2min. In ASCII, that's a whole lot of
logs. I'd say your best bet would be to switch your LogLevel from
debug to info in your httpd.conf and restart Apache... ;)

Or you run a really busy website.
Or your web application code/architecture may need a revision.

Have fun!

David


 Well, if you do use newsyslog to rotate Apache log files, then it's
 just a matter of setting the number of files you wish to keep. From
 newsyslog.conf(5)

  count   Specify the maximum number of archive files which may exist.
  This does not consider the current log file.

 Let's say you rotate your files once they reach 2Mb for example and
 that you've configured 10 in your newsyslog.conf count field. Then
 that means a maximum of 10 x 2Mb = 20Mb will be kept for one
 VirtualHost. Now if you have 100 virtual hosts all configured this
 way, then you will need 100 x 20Mb = 2000Mb or 2Gb for all your Apache
 logs.

 Considering today's disk drive sizes are well beyond the 300Gb, I
 don't think this is a problem at all.

 Of course, YMMV so check your own needs and do the math.

 Cheers,

 David


--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Apache Rotate Logs and Log Rotate.

2007-03-03 Thread David Robillard

On 3/3/07, Peter Pluta [EMAIL PROTECTED] wrote:

I see, thanks. Does the shell script you use automatically delete the
original logs after webalizer or awstats makes its own? I imagine the
ones those programs use are smaller in size?


No, the shell script does not delete any logs. Log rotation and
compression is the job of newsyslog.
Webalizer creates and maintains its own files which grow slowly over
time. How fast they grow depends on how busy your site is and how much
data you need to extract from the logs. Try it on one VirtualHost and
you'll see. If you like it, then extend your configuration to your
other VirtualHosts.

Talking about logs, you might want to send them to syslog. Here's a
quick article on this topic:
http://www.oreillynet.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html

Cheers,

David


Re: Linux equivalent to freebsd

2007-03-03 Thread David Robillard

If you have a (Free)BSD mindset and like your rc.conf but don't mind
typing pacman instead of pkg_* or portupgrade -P * and you don't mind using
something called ABS for src packages, which is like ports, only with a stage
install before live-system install, then you may just like ArchLinux.


Yes, I agree with Danny. Arch Linux is as close to FreeBSD as you
can get with Linux. I don't run any core business services on it, but
a friend does run his webservers on it and so far he's happy.

Again, my 0.02 on this topic :)

David


Re: Apache Rotate Logs and Log Rotate.

2007-03-02 Thread David Robillard

On 3/1/07, Peter Pluta [EMAIL PROTECTED] wrote:

What I did was made a new log format to include the %v (it includes the
vhost name in the logs). Lowered my error log to just info. I also got
rid of the errorlog and customlog in my vhost brackets and setup
newsyslog to rotate the http-access.log and  http-error.log after 24
hours. This is what I pretty much wanted. I have more space in /home/
now since there are no log files in there and I also have 1 main log
that I can rotate and view or separate if needed. It makes it a lot easier.

I have a quick question though. Say I am hosting a few sites for
customers and they want to run their own statistics programs that rely
on log files. How would I deal with the logs if they were in each users
home directory? Those logs add up after a week or so; not to mention if
someone had a larger site that generated larger logs. What exactly could
be done in that situation to allow stats and still have a functional web
server?


Hi Peter,

What I do with stats is use webalizer which is available from the
ports directory as www/webalizer.
Webalizer keeps the history of your logs, so you don't have to keep
the old ones around. I run webalizer from cron once and a while to
generate stats. I've wrapped it in a simple shell script to check all
my virtual sites listed in a custom config file in /usr/local/etc and
dump the stats file into /path/to/virtual/host/stats. I then setup a
/stats Alias in httpd.conf for each virtual site and protect it with a
simple .htpasswd. Easy.

BTW, may I suggest you also include the freebsd-questions list in Cc
when you write back? Some people might be interested by what we're
talking about. In fact, ideally we should only 'talk' via the list,
but that's ok with me.

Cheers,

David


Re: mysql50-server on FreeBSD 6.2 w/ LINUX_THREADS?

2007-02-28 Thread David Robillard

Is it still advisable to build the mysql50-server on FreeBSD 6.2 using
the LINUX_THREADS option? I'm using the SMP kernel on an older dual
1.0GHz Pentium III. This page http://wiki.freebsd.org//MySQL
suggests that the libthr library in FreeBSD 6.x is optimized for MySQL
and perhaps better than using linuxthreads.

Any thoughts?


Hi Patrick,

We're running several MySQL databases on FreeBSD 6.1 and 6.2 RELEASE
and we don't use LINUX_THREADS. So far so good, as they say.

Concerning MySQL performance on FreeBSD, I recently saw this article
which could be of interest to you:

Linux vs FreeBSD using mysql and sysbench
http://jeffr-tech.livejournal.com/5705.html

Aside from a potential holy flame war from FreeBSD vs Linux, this
article does present you with an interesting my.cnf configuration
file. Maybe that could interest you?

Have fun,

David


Re: Apache Rotate Logs and Log Rotate.

2007-02-28 Thread David Robillard

On 2/28/07, Peter Pluta [EMAIL PROTECTED] wrote:

Hey David, quick question. I found this while doing a bit of reading. Is
it safe for Syslogd to send a kill -HUP to apache? This site is
extremely high traffic and I wouldn't want it cutting off users during
the HUP to rotate the logs. I'm running Apache 2.2.4 and FreeBSD 6.2

http://www.freebsddiary.org/startstop.php

It looks like Apachectl graceful is the only safe way to restart apache.


Hi Peter,

The article you're referring to is for Apache 1.3.x and you seem to be
running 2.2.x

Should you want, you can get more detailed information on how Apache
1.3.x handles kill signals here:
http://httpd.apache.org/docs/1.3/stopping.html

It's basically the same for Apache 2.2.x which is covered here:
http://httpd.apache.org/docs/2.2/stopping.html

Having said that, if your site is really busy, then consider changing
the kill signal in newsyslog.conf from -HUP to -USR1 which will
gracefully ask running httpd processes to restart once they have
finished talking to their user. As the article says:

''The USR1 signal causes the parent process to advise the children to
exit after their current request (or to exit immediately if they're
not serving anything). The parent re-reads its configuration files and
re-opens its log files. As each child dies off the parent replaces it
with a child from the new generation of the configuration, which
begins serving new requests immediately.''

Check the man page for newsyslog.conf(5) at
http://www.freebsd.org/cgi/man.cgi?query=newsyslog.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

The last field in newsyslog.conf is where you setup which signal is
used. Here's what the man page says:

signal_number
 This optional field specifies the signal number that will be sent
 to the daemon process (or to all processes in a process group, if
 the U flag was specified).  If this field is not present, then a
 SIGHUP signal will be sent.

Cheers,

David


David Robillard wrote:
 Hi Peter,

 Someone told me that I need to gracefully restart apache for it to make
 a new log; and then wait till Apache's memory buffer is emptied to disk
 before gziping or bziping the files.

 Well, I've never had to do this. Newsyslog sends a `kill -HUP` to
 apache's master PID, which causes Apache to reopen its log files. For
 me anyway, the newsyslog configuration I gave you never caused me any
 problem at all. Keep in mind that you do have to send Apache a -HUP
 signal, otherwise you'll lose logs when newsyslog rotates them.

 Also, is it wise to have logs for each user in their home directory?
 Someone told me this is a serious security issue; but I can't see why
 it would be.

 It is a security issue if the user has the rights to log in to your
 machine. If he doesn't, then you shouldn't be worried.

 But I just don't take that chance and make all of my Apache log files
 under /usr/local/www/virtualhost1/logs which is not accessible from
 Apache itself because I setup my DocumentRoot under
 /usr/local/www/virtualhost1/public_html. This way, I know for sure that
 everything for virtualhost1 is under a single directory, but that my
 logs can't be seen by anyone via Apache.

 David



Re: Using source control to manage system configs

2007-02-28 Thread David Robillard

On 2/27/07, Rob [EMAIL PROTECTED] wrote:

David & Chuck,

I'm already using RCS, and I've built a somewhat clunky mechanism
around it.

One machine holds the master copies of
- site-wide files (/etc/ntp.conf, /etc/resolv.conf, /etc/syslog.conf)
- host-specific files (/etc/hosts, /etc/passwd, /etc/rc.conf) for
each server

At install time, both sets of files are tarred up and copied to the
new server. If there's a conflict, the host-specific files win.

Problem:

It's a good system for installs, but then I update the files on the
working server. I always mean to merge the changes back to the master
copy, but it never quite happens.

Solution:

CVS with a remote repository looks good - updates on the server, and
a central record of all changes. Reinstalling a server should be as
easy as 'cvs co $HOST'.

Problem:

I don't want 6 identical copies of /etc/ntp.conf under version
control, so the site-wide files and host-specific files should be in
separate modules. But they have the same working directory, and this
is where I run into problems with CVS - it's impossible to check them
both out to the same server.

Is there some way to do this with Subversion? Or can a file be shared
by different modules? Or am I going about this all wrong?


Hi Rob,

Well, I'm not quite sure that it will answer all of your questions,
but take a look at Luke Kanies's article called ''Using version
control in system administration''.

It's available from the USENIX website at
http://www.usenix.org/publications/login/2005-12/pdfs/kanies.pdf

HTH,

David


Re: Using source control to manage system configs

2007-02-26 Thread David Robillard

If you don't have strong ties to CVS, already, I suggest using Subversion.  It
handles many of your complaints about permissions and symlinks better than CVS
does.


I agree, Subversion is better than CVS. We've switched from CVS to
Subversion a year ago and so far the entire dev team is very happy. If
you do have an existing CVS infrastructure, it's also possible to
switch to Subversion with cvs2svn which is in the ports tree (i.e.
devel/cvs2svn).


You might find that using something like cfengine from ports suits your goals
better than rolling your own pushing mechanism.  The issue that you'll run
into is that you tend to need a human or at least a decent set of rc scripts
to properly adjust config files and make sure that services come back up after
a significant config change or major version update exposing some
compatibility problem.


Again, Chuck is absolutely right. Cfengine is great, but you must know
what you're doing.

If you simply want to track changes and be able to roll back your
configuration files, then go with a simpler approach like using
RCS locally. RCS is part of the base FreeBSD system.

Just create a directory named RCS (in capital letters) and use the RCS
commands. Check the man pages for rcs(1) ci(1) co(1) rcsdiff(1) and
rcsintro(1). Actually, rcsintro(1) is probably where you want to
start.

http://www.freebsd.org/cgi/man.cgi?query=rcsintro&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

Now if you want to keep your changes on another machine, then it's
just a simple question of running a backup of your machines. (you do
backup right? ;)

I've been using RCS for 10 years now and it's simple, fast and does
not depend on your network. So it's always there even in worst case
scenarios.

RCS is also present under a whole bunch of different UNIX flavors like
FreeBSD, NetBSD, OpenBSD, RedHat, SuSE, Solaris, AIX, IRIX and HP-UX.
So you're never lost because it's always the same :)

Have fun,

David
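The RCS workflow described above (an RCS directory beside the file, then ci, co and rcsdiff) is short enough to wrap so that it never prompts and can be driven from a script. Below is an added example, not code from the thread; the function names rcs_track, rcs_head, rcs_unchanged and rcs_rollback are hypothetical, and it assumes the rcs(1) tools ci, co, rlog and rcsdiff are installed.

```sh
#!/bin/sh
# Added example, not from the original thread: the local RCS workflow the
# post describes, wrapped so it runs non-interactively. Function names are
# hypothetical; assumes ci(1), co(1), rlog(1) and rcsdiff(1) are on PATH.

# Check the file in and keep it locked for further edits (-l). -t- and -m
# supply the description and log message, so ci(1) never prompts; -q keeps
# it quiet. Creates the RCS directory beside the file on first use.
rcs_track() {
    f="$1"; msg="$2"
    rcsdir="$(dirname "$f")/RCS"
    mkdir -p "$rcsdir"
    if [ -f "$rcsdir/$(basename "$f"),v" ]; then
        ci -l -q -m"$msg" "$f"
    else
        ci -l -q -t-"$msg" -m"$msg" "$f"
    fi
}

# Current head revision (e.g. 1.3), taken from the rlog(1) header.
rcs_head() { rlog -h "$1" | sed -n 's/^head: //p'; }

# True when the working file matches its last checked-in revision; a change
# made outside the workflow (or by an intruder) shows up here as a diff.
rcs_unchanged() { rcsdiff -q "$1" >/dev/null 2>&1; }

# Roll back to an older revision without losing history: extract it over the
# working copy, then check the result in as a new revision.
rcs_rollback() {
    f="$1"; rev="$2"
    co -q -p"$rev" "$f" > "$f.rollback" && cat "$f.rollback" > "$f" && rm -f "$f.rollback"
    ci -l -q -m"rollback to $rev" "$f"
}

# Usage (not run here):
#   rcs_track /etc/ntp.conf "add local stratum-2 server"
#   rcs_unchanged /etc/ntp.conf || rcsdiff -u /etc/ntp.conf
#   rcs_rollback /etc/ntp.conf 1.1
```

Because the rollback is itself a check-in, rlog keeps the full sequence of who changed what and when, which is the audit trail the post is after; a nightly `rcs_unchanged` over the tracked files is a cheap way to notice an edit that bypassed the workflow.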


Re: Question:encryption tool.

2007-02-15 Thread David Robillard

I am looking for any suggestion on using the right tool  that I can use to
perform the   encryption/decryption for flat files.

We have a requirement to encrypt 15 flat files and be dumped on tape and be
stored in remote site  facility for later business resumption.

or in the crash/fire/emergency situation for the recovery purposes.

For consistency I am planning to use the same tool across our Solaris, Linux
and Freebsd OS oracle database environments.


Check out SysAdmin magazine's article Backup Encryption from the
March 2007 issue. It looks like exactly what you're looking for:

http://www.samag.com/documents/s=10118/sam0703b/0703b.htm

HTH,

David


Re: Apache Rotate Logs and Log Rotate.

2007-02-15 Thread David Robillard

I have Apache making separate log files for each of my virtual hosts and
putting them in /home/vhostname/log. Rotate logs makes a new log every
24 hours, but the logs quickly add up and since the sites are fairly
busy the logs are at times over 5gigs. Is there any way to make rotate
logs delete the log files after two days? Someone recommended me Log
Rotate (from the ports tree), but this program does basically what
Rotate logs does; except it makes things more complicated because it
needs to restart apache and such. Is there a easy way to just have
Apache's rotatelogs rotate the logs and then delete them after two days?

Any feedback, suggestions, or comments would be greatly appreciated.


Hi Peter,

I personally use neither Log Rotate nor Rotate Logs, but
configure newsyslog.conf(5) to handle the job of Apache log rotation
and clean-up.

The newsyslog software is part of FreeBSD's base system, so you don't
need to install anything. Just configure /etc/newsyslog.conf and
that's it. No need to restart anything because newsyslog is already
active in FreeBSD's base system via /etc/crontab. It can rotate the
logs, compress them with either gzip(1) or bzip2(1) and remove the old
ones to preserve disk space.

For example, let's say you have two virtual hosts' logs in
/home/vhostname1/log and /home/vhostname2/log. You can configure
newsyslog to:

a) Keep only 10 log files. Remove the older ones as they grow. (i.e.
10 in the config below)
b) Create files with chmod 640 and owner root:www (i.e. root:www and 640)
c) Rotate the files when they reach 1Mb in size. (i.e. 1048576)
d) Compress the files with gzip(1) to preserve compatibility with
webalizer. (i.e. Z)

# logfilename  [owner:group]  mode  count  size  when  flags  [/pid_file]  [sig_num]

# Host vhostname1.
#
/home/vhostname1/log/access.log  root:www  640  10  1048576  *  Z  /var/run/httpd.pid
/home/vhostname1/log/error.log   root:www  640  10  1048576  *  Z  /var/run/httpd.pid

# Host vhostname2.
#
/home/vhostname2/log/access.log  root:www  640  10  1048576  *  Z  /var/run/httpd.pid
/home/vhostname2/log/error.log   root:www  640  10  1048576  *  Z  /var/run/httpd.pid

Check the man pages for newsyslog(8) and newsyslog.conf(8) for more information.

I've been using this for more than two years now and it works like a charm.

HTH,

David
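The disk arithmetic worked out by hand earlier in this thread (count x size per log, summed over the virtual hosts) and the later advice to put a USR1 signal number in the last field of each httpd entry can both be checked mechanically against the configuration above. The script below is an added example, not code from the thread: it takes a newsyslog.conf(5) fragment as a string (SAMPLE_CONF is constructed, reusing the vhostname placeholders from the post), sums the worst case as (count + 1) x size because, as the man page excerpt quoted in this thread says, count does not include the current log file, and lists entries that name a pid file but no signal number, which means newsyslog falls back to SIGHUP. It goes beyond the post in two ways: entries without an owner:group field are handled, and an entry rotated purely by time (size `*`) is reported as unbounded instead of being silently counted as zero. The number 30 is SIGUSR1 on FreeBSD; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original thread: size the disk budget implied
# by a newsyslog.conf(5) fragment and flag Apache entries that still rotate
# with the default SIGHUP. SAMPLE_CONF is constructed; the paths reuse the
# thread's own placeholders. 30 is SIGUSR1 on FreeBSD.

SAMPLE_CONF='# logfilename  [owner:group]  mode count size when flags [/pid_file] [sig_num]
/home/vhostname1/log/access.log  root:www  640  10  1048576  *  Z  /var/run/httpd.pid
/home/vhostname1/log/error.log   root:www  640  10  1048576  *  Z  /var/run/httpd.pid  30
/home/vhostname2/log/access.log  root:www  640  10  2097152  *  Z  /var/run/httpd.pid  30
/var/log/httpd-error.log                   640  10  1048576  *  Z  /var/run/httpd.pid  30
'

# Worst-case bytes per entry is (count + 1) * size: "count" excludes the live
# log file, and compression (Z/J flags) only ever makes the archives smaller,
# so this is an upper bound. Entries rotated purely by time (size "*") cannot
# be bounded and are reported on stderr. Prints the total in whole megabytes.
log_budget_mb() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {   i = ($2 ~ /:/) ? 4 : 3          # owner:group field is optional
            if ($(i+1) == "*") { print $1 ": size-unbounded" > "/dev/stderr"; next }
            total += ($i + 1) * $(i+1) }
        END { printf "%d\n", total / 1048576 }'
}

# List entries that name a pid file but no signal number: newsyslog then sends
# SIGHUP, which on a busy server interrupts httpd children mid-request.
hup_default_entries() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {   i = ($2 ~ /:/) ? 4 : 3
            for (k = i + 3; k <= NF; k++)    # fields after when: flags?, pid, sig?
                if ($k ~ /^\//) { if ($(k+1) == "") print $1; break } }'
}

# Usage against the real file (not run here):
#   log_budget_mb "$(cat /etc/newsyslog.conf)"
#   hup_default_entries "$(cat /etc/newsyslog.conf)"
```

For the constructed sample this reports 55 MB and names /home/vhostname1/log/access.log as the one entry that would still get a plain SIGHUP.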


Re: Ksh Shell script security question.

2007-02-15 Thread David Robillard

I am puzzled how to secure this code when this shell script is
being executed.

${ORACLE_HOME}/bin/sqlplus -s <<EOF | tee -a ${RESTOREFILE}
   connect system/ugo8990d
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF

When I run this code from a shell script in the /tmp directory it spews out a
file called /tmp/sh03400.000 in which this entire code is visible.


Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the
tee command. With `tee -a` you're actually asking to have the code
installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start
of the script. For example, setting `umask 0077` will cause your
script to generate files which will only be read/write for the user
who runs the script. But the files will still have you username/passwd
in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd into the sqlplus command.
Like this for example:

export ORACLE_SID=your_oracle_sid

sqlplus -s ${USERNAME}/${PASSWORD} <<-EOF | tee -a ${RESTOREFILE}
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine.
You can then setup code that will check the md5 sum of the password
file and use something like OpenSSL or GPG to encrypt/decrypt the
file.

Have fun,

David
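The reply above covers two of the exposures, the world-readable temp file and the credentials in the output: a restrictive umask, and credentials kept out of the SQL text. A third one is worth knowing about: putting ${USERNAME}/${PASSWORD} on the sqlplus command line makes the password visible to every local user through ps(1) for as long as sqlplus runs. The script below is an added example, not code from the thread. It assumes a credentials file (the hypothetical ~/.oracle_cred, holding one line of the form username/password), that sqlplus is on PATH (override with $SQLPLUS), and the hypothetical function names check_cred_perms and run_scn_query. It keeps the umask advice, refuses a credentials file that anyone but its owner can read, and feeds the CONNECT line through a pipe to `sqlplus -s /nolog`, so the password is neither in argv nor in a heredoc temp file.

```sh
#!/bin/sh
# Added example, not code from the original thread. Assumes a credentials
# file (hypothetical ~/.oracle_cred) holding one line "username/password"
# and sqlplus on PATH (override with $SQLPLUS). Function names are mine.

# Restrictive umask first: anything the shell spools to /tmp for a heredoc,
# and the tee'd output file, is now created mode 0600.
umask 077

# Return 0 only if the credentials file exists and is readable by its owner
# alone (mode 0600 or 0400). GNU stat -c is tried first, BSD stat -f second.
check_cred_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the SCN query with the credentials supplied on sqlplus's stdin:
# "-s /nolog" starts without a logon, so username/password never appear in
# argv (ps(1) cannot show them), and because the SQL arrives through a pipe
# rather than a heredoc, the shell never writes it to a temp file. Only the
# query output reaches tee, so the appended file holds no credentials.
run_scn_query() {
    cred="$1"; out="$2"
    check_cred_perms "$cred" || { echo "refusing: $cred must be mode 0600" >&2; return 1; }
    {
        printf 'connect %s\n' "$(cat "$cred")"
        printf 'set heading off\nset feedback off\nset pagesize 500\n'
        printf "select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;\n"
        printf 'quit\n'
    } | "${SQLPLUS:-sqlplus}" -s /nolog | tee -a "$out"
}

# Usage (not run here): run_scn_query "$HOME/.oracle_cred" /var/tmp/restore.log
```

The permission check is deliberately strict (0600 or 0400 only): a credentials file that is group-readable is the classic way a "hidden" password leaks to every account in the DBA group, and failing closed is cheaper than auditing who is in that group.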


Re: Anyone running FreeBSD 6.x on HP DL320 G5?

2007-02-08 Thread David Robillard

If anyone is running FreeBSD 6.x on a HP DL320 G5 ?


The following URL contains good information on running FreeBSD on
Compaq/HP systems.

http://people.freebsd.org/~jcagle/

HTH,

David


Re: Question:encryption tool.

2007-02-06 Thread David Robillard

Thanks a lot, Our current backup system is veritas netbackup,  and changing
that to entire bacula is best thing for me,


May I ask why you would prefer Bacula over NetBackup? I'm just
curious, because having worked with both, I personally prefer
NetBackup.



so they wanted me encrypt these files,  that is on the backup location
before the netbackup scheduler picks up these files.

Database is getting backed up to a disk location and from there netbackup
agent picks up and writes it into the tape , but we have these 13 flat files
that go into offsite which really needs encryption and decryption logic in
place upon   after restore back to disk .


If those databases are all Oracle instances, then you might want to
take a look at Oracle Secure Backup. It does exactly what you need.

More info here:
http://www.oracle.com/technology/products/secure-backup/index.html

Cheers,

David


Re: Question:encryption tool.

2007-02-06 Thread David Robillard

On 2/6/07, Dak Ghatikachalam [EMAIL PROTECTED] wrote:
[...snip!...]


Thanks a lot  , but we are on Oracle9i  database, the Oracle secure backup
they are talking would be nice on 10G onwards


Well, not according to the FAQ. Here is what it says:

-- What Oracle database versions does Oracle Secure Backup support?
Oracle Secure Backup installs with a native integration of Oracle
Database's via Oracle Recovery Manager (RMAN), which supports Oracle9i
forward.

So if you're running 9i, you should be alright.

You can get your hands on the FAQ at
http://www.oracle.com/technology/products/secure-backup/pdf/FAQ.pdf

HTH,

David


Re: [Opinions Wanted] Dell PowerEdge 2950 Servers ...

2007-01-26 Thread David Robillard

Have a friend that swears by them, but ... he's in the Linux camp, so tends to
have a quasi-inside track ...

What are ppls opinions on them as far as FreeBSD is concerned?

Also, interested in what sort of specs ppl are running ... I'm interested in
going with an 8xSAS drive system, dual-dual-core, figuring 10 or 16G of RAM ...
redundant power and the Dell Remote Access Card ...


My personal experience with Dell is that it's ok until you hit a
problem. Then it's hell. So bad, in fact, that we don't purchase them
anymore and have gone with IBM and HP systems for our FreeBSD, RedHat
and Windows machines.

IMHO, the problem with Dell is not their hardware, but their support
(or lack of it).

If you plan on running your Business on Dell, be prepared for
Incredibly bad and horrible support. Be it consumer product support or
Enterprise 24/7/365 type support.

Dell support is a total waste of money and time, but a superb source
of frustration. (so if you're looking to get frustrated, there's your
chance :) I even had to wait two complete days (!) to resolve a
24/7/365 type support call ! Pathetic, really.

Not to say that the hardware is good, far from that. Place equivalent
IBM, Dell, HP and Sun machines next to one another and you quickly see
that Dell uses sub-quality parts. There is less precise documentation
printed directly on the machine (a technique IBM and Sun have
mastered). You often need two or three different screwdrivers to take
the various pieces apart. While with the other Tier-1 vendors, most
pieces don't even require any tool at all.

Finally, the Documentation that is shipped with the Dell machines is
of dubious quality compared with the other top vendors.

So, to sum up, I strongly recommend going with either IBM or HP for
FreeBSD systems. With them, you get quality hardware and real support.
Of course it might be a bit more expensive. But it's worth it. Well,
you get what you pay for don't you?

YMMV of course.

Cheers,

David


Re: cvsup'dating several machines

2007-01-12 Thread David Robillard

I will soon update FreeBSD on several machines from 4.11 to 5.5, they
are all at the same level of 4.11.

I would like to save network bandwidth, would it be OK/enough if I
cvsup one machine and then copy /usr/src from that one to the others?


Hi Olivier,

If you run an infrastructure of multiple FreeBSD machines, then you
should consider building a local CVSup mirror.

This way, you'll prevent the error-prone and tedious process of copying
/usr/src from one machine to the others by hand.

Plus, with a local update server, you make sure all your machines have
the exact same FreeBSD sources. You can also use this machine not only
for CVSup, but for all your ports repository, thus saving even more
bandwidth. Not to mention the speed increase every time you run cvsup.
It's way faster to cvsup on the local LAN than from the internet.

To get you started, check out this article from O'Reilly ONLamp's
author Michael Lucas at
http://www.onlamp.com/pub/a/bsd/2001/08/30/Big_Scary_Daemons.html

Now, we've made several modifications to the above article to include
a generic update user on our machines which uses scponly(8) and
sudo(8) with ssh keys to encrypt all of our CVS and porteasy(8)
updates. It also permits you to delegate the cvsup(1) of the machines
to other admins without giving them the root password. If you're
interested, I can send you the documentation.

Have fun!

David


Re: Sun Fire x2100

2007-01-04 Thread David Robillard
: OHCI (generic) USB controller mem 0xfe02f000-0xfe02 irq
21 at device 2.0 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: OHCI (generic) USB controller on ohci0
usb0: USB revision 1.0
uhub0: nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 8 ports with 8 removable, self powered
ehci0: EHCI (generic) USB 2.0 controller mem 0xfeb0-0xfeb000ff
irq 22 at device 2.1 on pci0
ehci0: [GIANT-LOCKED]
usb1: EHCI version 1.0
usb1: companion controller, 4 ports each: usb0
usb1: EHCI (generic) USB 2.0 controller on ehci0
usb1: USB revision 2.0
uhub1: nVidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub1: 8 ports with 8 removable, self powered
atapci0: nVidia nForce4 UDMA133 controller port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xe800-0xe80f at device 6.0 on
pci0
ata0: ATA channel 0 on atapci0
ata1: ATA channel 1 on atapci0
atapci1: nVidia nForce4 SATA150 controller port
0x9f0-0x9f7,0xbf0-0xbf3,0x970-0x977,0xb70-0xb73,0xd400-0xd40f mem
0xfe02c000-0xfe02cfff irq 23 at device 7.0 on pci0
ata2: ATA channel 0 on atapci1
ata3: ATA channel 1 on atapci1
atapci2: nVidia nForce4 SATA150 controller port
0x9e0-0x9e7,0xbe0-0xbe3,0x960-0x967,0xb60-0xb63,0xc000-0xc00f mem
0xfe02b000-0xfe02bfff irq 21 at device 8.0 on pci0
ata4: ATA channel 0 on atapci2
ata5: ATA channel 1 on atapci2
pcib1: ACPI PCI-PCI bridge at device 9.0 on pci0
pci_link16: BIOS IRQ 23 for 0.7.INTA is invalid
pci_link19: BIOS IRQ 21 for 0.8.INTA is invalid
pci_link17: BIOS IRQ 22 for 0.10.INTA is invalid
pci1: ACPI PCI bus on pcib1
pci1: display, VGA at device 5.0 (no driver attached)
nve0: NVIDIA nForce MCP9 Networking Adapter port 0xbc00-0xbc07 mem
0xfe02a000-0xfe02afff irq 22 at device 10.0 on pci0
nve0: Ethernet address 00:e0:81:58:cf:71
miibus0: MII bus on nve0
ukphy0: Generic IEEE 802.3u media interface on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
nve0: Ethernet address: 00:e0:81:58:cf:71
nve0: [GIANT-LOCKED]
pcib2: ACPI PCI-PCI bridge at device 11.0 on pci0
pci2: ACPI PCI bus on pcib2
pcib3: ACPI PCI-PCI bridge at device 12.0 on pci0
pci3: ACPI PCI bus on pcib3
pcib4: ACPI PCI-PCI bridge at device 13.0 on pci0
pci4: ACPI PCI bus on pcib4
bge0: Broadcom BCM5721 Gigabit Ethernet, ASIC rev. 0x4101 mem
0xfdaf-0xfdaf irq 19 at device 0.0 on pci4
miibus1: MII bus on bge0
brgphy0: BCM5750 10/100/1000baseTX PHY on miibus1
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX,
1000baseTX-FDX, auto
bge0: Ethernet address: 00:e0:81:58:cf:72
pcib5: ACPI PCI-PCI bridge at device 14.0 on pci0
pci5: ACPI PCI bus on pcib5
sio0: 16550A-compatible COM port port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
orm0: ISA Option ROMs at iomem
0xc-0xc7fff,0xc8000-0xcbfff,0xce000-0xcf7ff on isa0
atkbdc0: Keyboard controller (i8042) at port 0x60,0x64 on isa0
atkbd0: AT Keyboard flags 0x1 irq 1 on atkbdc0
device_attach: atkbd0 attach returned 6
ppc0: cannot reserve I/O port range
sc0: System console at flags 0x100 on isa0
sc0: VGA 16 virtual consoles, flags=0x300
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: Generic ISA VGA at port 0x3c0-0x3df iomem 0xa-0xb on isa0
ukbd0: DELL DELL USB Keyboard, rev 1.10/1.04, addr 2, iclass 3/1
kbd0 at ukbd0
Timecounter TSC frequency 2211343400 Hz quality 800
Timecounters tick every 1.000 msec
acd0: CDROM TEAC CD-ROM CD-224E/K.9A at ata0-master UDMA33
ad4: 76319MB Seagate ST380013AS 3.00 at ata2-master SATA150
Trying to mount root from ufs:/dev/ad4s1a

Have fun,

David


IBM ServeRAID-8k SAS controller support in FreeBSD/i386 6.1-RELEASE.

2006-12-21 Thread David Robillard

Hello everyone,

Has anyone tried the IBM ServeRAID-8k SAS controller under
FreeBSD/i386 6.1-RELEASE ?

I can't find info about this particular model in the FreeBSD/i386
6.1-RELEASE Hardware Notes. I've found that the ServeRAID 6i/6M
controllers are supported by the ips(4) driver, but nothing about the
ServeRAID-8k SAS one.

Nothing in the mailing lists also.

Many thanks,

David


Re: Legato Client for freeBSD.

2006-12-16 Thread David Robillard

Hi Phillip,


Appreciate your help.


Sure, no problem :)

If you do try it out, I'd like to know if it actually works !

And if it doesn't, well, I've been thinking of other ways you could
solve your problem.

One is to enable FreeBSD's Linux Compatibility and use Legato's Linux
client (I suppose they have one?)

Another way of doing would be to either rsync, dump, cpio or tar your
data over to another Legato supported platform and then backup that
one. Something like this works great once you've setup ssh keys
without passphrases:

dump -0uaL -f - / | ssh [EMAIL PROTECTED] "gzip -9 > /path/to/backup/directory/root.dump"

Finally, I also found those:

http://ftp8.ua.freebsd.org/FreeBSD/FreeBSD-current/commerce/networking/legato/
(no idea if it's any good?)

http://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/LegatoNetworker
(looks good, but does it work?)

Good luck!

DA+

On 12/15/06, Phillip Upchurch [EMAIL PROTECTED] wrote:



David -

No  - as a matter of fact -

I haven't tried  ftp://ftp.legato.com/pub/Unsupported/FreeBSD_Client

That would be doing things the easy way - dont ya think ?  ;-)

Appreciate your help.

Thanks David
Phillip




Re: Legato Client for freeBSD.

2006-12-15 Thread David Robillard

I am running Legato on a sun server.

I have a server running freeBSD that needs the legato backup client installed.

Is there a working legato client for freeBSD  ??


Have you tried this?

ftp://ftp.legato.com/pub/Unsupported/FreeBSD_Client

David


Re: remote syslog to specific file

2006-12-14 Thread David Robillard

Hello,


I am trying to log my sonicwall FW log to a specific file…

For the moment all logs are sent to /var/log/messages

I would like them to go to /var/log/sonic.log


I have tried a couple of things which do not seem to work, among them:

 +fw.xxx.yyy
 local0.*   /var/log/sonic.log
 +@
-- not working

 local0.*   /var/log/sonic.log
-- not working either


In /var/log/messages my logs are of this format:

 Dec 14 14:50:49 fw id=firewall sn=0006Bxxx4D6C time=2006-12-14 14:50:45 fw=80.98.206.97 pri=5 c=64 m=36 msg=TCP connection dropped n=183 src=80.97.99.70:3763:WAN:89-90-99-70.pde.norby.ee dst=192.168.2.3:135:LAN:newmail.rmm.fr proto=tcp/135



Any help would be welcome.


Try installing those two lines in your syslog.conf(5) file and make
sure you use TAB instead of spaces.

!fw
*.* /var/log/sonic.log

Then issue a `sudo touch /var/log/sonic.log` as the file must exist
before syslogd(8) can write to it (i.e. syslogd(8) does not create
files).

After this run `sudo /etc/rc.d/syslogd restart` to instruct syslogd(8)
of the changes you've made to syslog.conf(5).

Finally, make sure you edit newsyslog.conf(5) with something like this
to keep your /var file system from filling up.

/var/log/sonic.log	www:wheel	640	7	100	*	J

man newsyslog.conf for more on newsyslog.conf(5)'s syntax.

Cheers,

David
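A small parser for the firewall record format quoted above, added here as an example that is not part of the original thread: it splits the syslog prefix from the key=value body (quoted or bare values), breaks src/dst into ip:port:zone:name and counts dropped connections per source, so the contents of the new /var/log/sonic.log can be checked. The first sample line is the record from the thread rejoined onto one line; the others are constructed.

```python
"""Parse SonicWall-style firewall syslog records and summarise dropped connections.

Added example for the thread above; it is not code from the original post.
The record format is the one shown in the thread (BSD syslog prefix, then
space-separated key=value pairs). All sample lines after the first are constructed.
"""
import re
from collections import Counter

# "Dec 14 14:50:49 fw <body>": syslog timestamp, reporting host, message body.
PREFIX_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
# key=value pairs. A value is either "double quoted" or a bare run that extends
# up to the next ` key=` token, so values containing spaces
# (msg=TCP connection dropped, time=2006-12-14 14:50:45) survive either way.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))(?=\s+\w+=|$)')


def _split_endpoint(value):
    """'ip:port:zone:name' -> dict; missing trailing parts become None."""
    parts = value.split(":", 3)
    ep = dict(zip(("ip", "port", "zone", "name"), parts + [None] * (4 - len(parts))))
    if ep["port"] is not None and ep["port"].isdigit():
        ep["port"] = int(ep["port"])
    return ep


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it is not syslog."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"stamp": m.group("stamp"), "host": m.group("host")}
    for kv in KV_RE.finditer(m.group("body")):
        quoted, bare = kv.group("quoted"), kv.group("bare")
        rec[kv.group("key")] = quoted if quoted is not None else bare
    for end in ("src", "dst"):
        if end in rec:
            rec[end] = _split_endpoint(rec[end])
    return rec


def dropped_connections(lines):
    """(src_ip, dst_ip, dst_port, proto) for every 'connection dropped' record."""
    drops = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "src" not in rec or "dst" not in rec:
            continue  # not a firewall record (or not syslog at all)
        if "dropped" in rec.get("msg", "").lower():
            drops.append((rec["src"]["ip"], rec["dst"]["ip"], rec["dst"]["port"], rec.get("proto")))
    return drops


def top_dropped_sources(lines, n=5):
    """Most frequent source IPs among dropped connections, as (ip, count) pairs."""
    return Counter(d[0] for d in dropped_connections(lines)).most_common(n)


SAMPLE_LINES = [
    # the record quoted in the thread, rejoined onto a single line
    "Dec 14 14:50:49 fw id=firewall sn=0006Bxxx4D6C time=2006-12-14 14:50:45 "
    "fw=80.98.206.97 pri=5 c=64 m=36 msg=TCP connection dropped n=183 "
    "src=80.97.99.70:3763:WAN:89-90-99-70.pde.norby.ee "
    "dst=192.168.2.3:135:LAN:newmail.rmm.fr proto=tcp/135",
    # constructed: same source again, with msg= quoted as some firmware emits it
    'Dec 14 14:51:02 fw id=firewall sn=0006Bxxx4D6C time=2006-12-14 14:50:58 '
    'fw=80.98.206.97 pri=5 c=64 m=36 msg="TCP connection dropped" n=184 '
    'src=80.97.99.70:3771:WAN:89-90-99-70.pde.norby.ee '
    'dst=192.168.2.3:445:LAN:newmail.rmm.fr proto=tcp/445',
    # constructed: an allowed outbound connection (must not count as a drop)
    'Dec 14 14:51:10 fw id=firewall sn=0006Bxxx4D6C time=2006-12-14 14:51:06 '
    'fw=80.98.206.97 pri=6 c=1024 m=0 msg="Connection Opened" n=9001 '
    'src=192.168.2.10:51022:LAN dst=198.51.100.7:443:WAN proto=tcp/https',
    # constructed: a non-firewall record that ended up in the same file
    "Dec 14 14:51:12 fw sshd[1234]: Accepted publickey for admin from 192.168.2.10 port 50100 ssh2",
]

if __name__ == "__main__":
    for ip, count in top_dropped_sources(SAMPLE_LINES):
        print(f"{ip}: {count} dropped connection(s)")
```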


Re: Which live CD for recovery

2006-12-06 Thread David Robillard

Which live CD is recommended for recovery? What I'd like is to have as
many disk analysis tools at hand just in case.


There are a lot to choose from, as you can see from this list:
http://www.frozentech.com/content/livecd.php


I believe one of two things has happened: the anti virus placed a system
file in the vault, or running windows update the genuine windows
disadvantage tool disabled the system because it may have been pirate
(don't know).


AFAIK the Windows Genuine Advantage never prevents you from booting
your machine. It will annoy you with pop-ups about your license (or
lack of it). Fortunately, you can disable the pop-ups. Keep in mind
that a non-legit Windows machine can only perform the Security
updates, but cannot perform the other Windows Updates. This can be
confusing for a technologically challenged user.


So, I need to recover data to some other machine, and then see if I can
recover the system file without a full reinstall.


Do you have a USB drive? Can you mount it on the crippled Windows Box?
If so, then I would suggest that you backup the user's data, format
the crippled box's disk drive and do a clean Windows install. After
all, there probably was a virus on this box. Are you sure you want to
take chances?

Good luck,

David


Re: Which live CD for recovery

2006-12-06 Thread David Robillard

On 12/6/06, Erik Norgaard [EMAIL PROTECTED] wrote:

 Do you have a USB drive? Can you mount it on the crippled Windows Box?
 If so, then I would suggest that you backup the user's data, format
 the crippled box's disk drive and do a clean Windows install. After
 all, there probably was a virus on this box. Are you sure you want to
 take chances?

Well, the system won't boot, not even in safemode, so there is no such
alternative. I hope this is just some systemfile in the vault of AVG
anti virus.

Take the chance... well it can't get much worse. If at least the system
gets back working then I can try other ways to clean it.


If you can get the machine to mount the USB drive or have its network
connection online, you can simply backup the contents of
C:\Documents and Settings\All Users
C:\Documents and Settings\${username} (replace ${username} with the
various usernames configured on the crippled box).

Once you backup the content of those two directories, you should have
all of your user's data. Therefore you should be ok to wipe the disk
and perform a clean Windows install.

I suggest, however, that you upload those backups onto another Windows
machine and have your user double-check to see if you have everything.
Better be safe than sorry.

Cheers,

David


Re: Looking for a cookbook on Oracle clients...

2006-12-05 Thread David Robillard

I have a task that requires I extract a data set from a MySQL server, and push 
it on to an Oracle (9i) server.


Hi Brian,

If you're familiar with perl (or have a perl programmer handy) you can
choose from a whole bunch of perl modules which interact with MySQL
and Oracle databases.

For example, in the FreeBSD ports tree you will find
databases/p5-DBD-Oracle and databases/p5-DBD-mysql ports.

Once you have both of these, it should be quite easy to write your
perl script to pump data from the MySQL database with
databases/p5-DBD-mysql port, perform the data manipulation your
business requires and then dump the results into the Oracle instance
with databases/p5-DBD-Oracle.

Now, if your objective is to migrate all of your data from MySQL into
Oracle, then you can check out the Oracle Migration Workbench. More
info on this at
http://www.oracle.com/technology/tech/migration/workbench/index.html

Good luck,

David


Re: Configuring DNS (BIND) in isolation

2006-12-04 Thread David Robillard

Hello,

I have a need to make my own DNS system on an isolated network.  Years ago,
I administered DNS for a couple of different companies, but that was quite a
while ago and since I've turned to programming I haven't done much in the
way of network administration.  I recall from using BIND 4, when I was
reading up on it, that it is most certainly possible to configure an entire
DNS system on a totally isolated network.

Would I need zone files for the root, ., zone and any other zones I
configure; e.g. isolation.?  This would seem to be the way to go about it,
but I'm having some difficulty visualizing it in my head.  I just did some
searches online for the O'Reilly book DNS & BIND.  I recall using this
book in the past and it was quite helpful (and unfortunately for me,
belonged to my former employers).  Would this book be a good reference for
this task as well, or are there better books that I might want to look into
getting for this?  Or, are there good on-line resources that could help me
muddle through?

Any help is greatly appreciated.

Thanks,
Andy


Hello Andy,

First, you need to know that BIND has jumped from version 4 directly
to version 8 and is now at version 9. There is a whole world of
difference between the version 4 that you've worked with in the past
and the latest version 9 (such as Views, DNSSEC, IXFR, etc).

Now, the book you mentioned above is still THE reference on the topic.
O'Reilly recently published the 5th edition of DNS & BIND which
covers everything BIND 9 has to offer. Plus an extended chapter on the
DNS architecture itself. It's a great book, you should get yourself a
copy if you're interested in DNS.

Third, while DNS & BIND is a fine book, you'll have more direct help
from another O'Reilly book called DNS & BIND Cookbook from Cricket
Liu. It presents some common DNS related tasks in the form of easy to
follow recipes. It sure is a great help when it actually is time to
build and configure your DNS servers.

Moreover, FreeBSD is an excellent platform for building DNS servers.
I've built DNS servers out of Solaris, AIX, RedHat and FreeBSD
machines and BSD is by far the easiest and most flexible to set up and
secure.

<shameless plug>
Finally, if for various reasons you don't have the time or expertise
to set up your own DNS machine, then have a look at the appliances from
the author of DNS & BIND, Cricket Liu's company called Infoblox at
http://www.infoblox.com.
</shameless plug>

Cheers,

David


Re: How to choose an UPS?

2006-11-28 Thread David Robillard

Usually, if you are willing to interface the UPS with your Computer, like it 
should automatically shutdown the computer when there's a power failure, then 
you may want to buy one with USB support. But I am not sure that you can 
interface it with FreeBSD. It can be done with Linux and Windows. :)


Check out the port sysutils/apcupsd

According to the documentation on the project's website
http://www.apcupsd.com, it works with both USB and with a serial
cable.
I've seen other people on this list reporting that it works with both
of those solutions.

For a network solution, you can also check the sysutils/nut port which
also has a USB driver. More info on the project's website at
http://www.networkupstools.org/.

Cheers,

David


Re: Building Sendmail from ports

2006-11-22 Thread David Robillard

[ ---8<--- Text has been removed! ---8<--- ]


But, where will the port install my *.mc and *.cf files? This I can't
seem to figure out. I would like to know before I hit 'make install' in
the port dir. I would think it will install them into
/usr/local/share/sendmail/cf, would that be correct?


Hi DAve,

When you use the mail/sendmail port, it does install files in
/usr/local/share/sendmail. Think of it as the base system's sendmail
files in /usr/share/sendmail.

Now, the .mc and .cf files are still kept in /etc/mail and not in
/usr/local/etc/mail as one could think by using a port.

Note that you will find two scripts in /usr/local/etc/rc.d when you
install the sendmail port. They are `sendmail.sh.sample' and
`sm-client.sh.sample'. But you don't need to use them. The base
system's /etc/rc.d/sendmail script handles both the base system's
sendmail and the port's sendmail.

The key for a pain free mail/sendmail ports usage is to do what you
said. That is to edit make.conf(5) and to use special make(1) targets
from the mail/sendmail's Makefile.

Briefly, here's the way I do things when I update mail/sendmail (YMMV of course):

sudo vi /etc/make.conf

##
# mail/sendmail port configuration.
##

# Do not build and install the base distribution of sendmail.
#
NO_SENDMAIL= TRUE

# Specify where the configuration directory is located.
#
SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf

.if ${.CURDIR:M*/mail/sendmail}
# One assignment per line: a trailing backslash would join the following
# lines into the value of SENDMAIL_WITHOUT_IPV6 instead of setting each knob.
SENDMAIL_WITHOUT_IPV6=yes
SENDMAIL_WITHOUT_NIS=yes
SENDMAIL_WITH_TLS=yes
SENDMAIL_WITH_SMTPS=yes
SENDMAIL_WITH_LDAP=yes
SENDMAIL_WITH_BERKELEYDB_VER=42
SENDMAIL_WITH_SOCKETMAP=yes
SENDMAIL_WITH_PICKY_HELO_CHECK=yes
SENDMAIL_WITH_SHARED_MILTER=yes
.endif

sudo porteasy -uv mail/sendmail
sudo porteasy -uv security/openssl
sudo porteasy -uv security/gnutls

cd /usr/ports/mail/sendmail

sudo make
# -OR if you don't want to edit make.conf(5), you can run something like this:
sudo make -DSENDMAIL_WITHOUT_IPV6 -DSENDMAIL_WITHOUT_NIS \
-DSENDMAIL_WITH_TLS -DSENDMAIL_WITH_SMTPS \
-DSENDMAIL_WITH_BERKELEYDB_VER=42 -DSENDMAIL_WITH_SOCKETMAP \
-DSENDMAIL_WITH_PICKY_HELO_CHECK -DSENDMAIL_WITH_SHARED_MILTER

sudo make tls-install
sudo make install
sudo make mailer.conf
sudo make clean

Now, you might not need the exact same features of Sendmail as I do,
of course. But the `make mailer.conf' is quite important. That's going
to edit /etc/mail/mailer.conf which instructs the OS to use
/usr/local/sbin/sendmail instead of the base system's sendmail. You
don't have to change your PATH either.

Why? Because if you take a look at /usr/sbin/sendmail, it's not a binary,
it's a symbolic link to `/usr/sbin/mailwrapper'. Just read the
mailwrapper(8) man page and you'll understand how things work.


I want to make certain that when I build new sendmail.in.cf and
sendmail.out.cf the correct files are used by m4. Currently I run the
following when making changes to my *.mc files

/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ \
/usr/share/sendmail/cf/m4/cf.m4 sendmail.in.mc > sendmail.in.cf


Take a look at the /etc/mail/Makefile and you'll see that it can
determine your _CF_DIR_. But it makes the wrong decision. It uses either
/usr/share/sendmail/cf or /usr/src/contrib/sendmail/cf.

To work around this, you can edit /etc/mail/Makefile or use the
following at the top of your sendmail.mc files:

dnl include.
dnl Use the following m4 macro file.
dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl

That's it. If you need any help, don't hesitate to contact me.

Have fun :)

David


Fwd: solutions for web hosting server

2006-11-17 Thread David Robillard

- ftp server ... I don't really know what to install, proftpd it's good ?


I personally switched from proftpd to vsftpd. I find it easier to
configure and it is built with security in mind from the ground up. It's
also in the ports tree.

Using vsftpd (or even most other ftp daemons) you can chroot your
users into the root of their public_html site. So that when they
connect to your FTP daemon, they will see the root directory as their
files.

Also enable FTP over SSL to prevent clear-text passwords from going
unencrypted on the web.

Have fun,

David


Re: Best laptop for Freebsd

2006-11-16 Thread David Robillard

Hi Folks,

Well I stayed off the beer and other sinful delights for a while (month
or so P:) and have raked together enough cash to buy a new laptop. For
those of you out there with experience what would you advise. The plan
would be for ..unfortunately Windoze (vba stuff for work), Freebsd, and
most likely fedora. I had no problems getting my wireless to
work on the old one using the ndis stuff and freebsd beat the other
two hands down for performance.

Is there any one model or product that would be better for Freebsd 6 (as
this is my day in day out operating system).

Any experiences and or advise would be much appreciated.


thanks

Geoff


Hi Geoff,

It's not FreeBSD, but may I suggest an Apple PowerBook running MacOS X?
Or the new MacBook line?

I use a PowerBook G4 under MacOS X 10.4.8 as an administration system
everyday to manage around 50+ FreeBSD servers. I connect to my
server's serial consoles via a USB-to-Serial adapter from Keyspan with
ZTerm. You also have access to a ports-like environment on MacOS X
via http://www.macports.org/ and http://www.darwinports.com/.  It
works great.

My two cents.

David


Re: Bug with tcsh? : if evaluating true instead of false

2006-10-26 Thread David Robillard

I appreciate the help thanks!


Sure, I'll send the script to you in an individual email instead of as
an attachment to the list. Should anyone on the list want a copy,
just drop me an email.


I'd appreciate the script though, definitely, as any resource I have to learn 
all Unix script languages properly will only help in my becoming a better Unix 
admin as well as script more common tasks to help make my life a bit easier.


When I started to write shell scripts, I read a nice book which
covered sh, csh and ksh with lots of examples. That was the first
edition, but it's now in its fourth edition and now has coverage of
bash and tcsh, plus you get info on sed & awk.

UNIX Shells By Example, Ellie Quigley, Prentice Hall PTR; 4th
edition (Sep 24 2004), 1200 pages, ISBN: 013147572

On amazon.ca: 
http://www.amazon.ca/UNIX-Shells-Example-Ellie-Quigley/dp/013147572X/sr=1-1/qid=1161886975/ref=sr_1_1/701-2925611-9451566?ie=UTF8s=books

Otherwise, you can always Google around for unix shell script and
such. There are a lot of sites on the topic. I would select one from a
University.

Have fun!

David


Re: Bug with tcsh? : if evaluating true instead of false

2006-10-25 Thread David Robillard

Ok, so I tried to make a simple script to add users so I wouldn't have
to type in groups/pw over and over again... the problem is that it's not
behaving like it should =o.


[ ...8<... Removed a bunch of lines ...8<... ]

IMHO, if you need to script something, use /bin/sh. It's the standard
shell interpreter on all flavors of UNIX and Linux (except maybe MacOS
X). All of the rc scripts are written with it. So why bother with
another shell?

Here's an interesting read on the topic:
http://www.faqs.org/faqs/unix-faq/shell/csh-whynot/
BTW, Tom Christiansen who wrote this is co-author of Programming
Perl from O'Reilly.

So, Garret, if you need help with this, I have a /bin/sh version of
the script you're trying to do. Just drop me a line and I'll send it
to you.

Just my two cents :)

David


Re: problems ssh'ing debug1: An invalid name was supplied (OSX client)

2006-10-10 Thread David Robillard

any clues why ssh is hanging before a prompt is provided from the
server side. this prompt stalling behavior is only happening when I
am coming from my OSX ssh client. Any clues on this? I have never see
this betwe.


I had this problem when DNS was broken for the FreeBSD server and the
MacOS X client. Make sure the DNS you're using can resolve both
forward and reverse for the client and the server. Then your ssh
session will be fast and free of this error.

Regards,

David


Re: Does mpd (multi-link PPP daemon) support IPv6?

2006-09-28 Thread David Robillard

I want to know whether mpd (multi-link PPP daemon) could possibly
support IPv6. When I want to establish a PPTP connection with a PPTP
server running mpd, could I use IPv6CP instead of IPv4CP to set up the
PPP? If it supports, how could I configure the related parameters in the
configuration files? I could only find the ipcp syntax.


I run mpd and I did a simple `grep -i ipv6
/usr/local/share/doc/mpd/*`. It came up with nothing.
No mention of IPv6 in the mpd(8) man page either.

Try to contact the project admins, they probably know more than us on
this topic. Get their email at http://sourceforge.net/projects/mpd

Cheers,

David


Re: Is Active Directory integrated file sharing possible on FreeBSD?

2006-09-19 Thread David Robillard

I just wanted to sanity check that it is possible.  I think he just
doesn't want to work on our server because it isn't Linux :)


Have you looked into Windows Services for UNIX from Microsoft?

http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx

I've tried version 2.0 while at another company and it was already
pretty good. They're at version 3.5 now, so one could think it's
better now.

David


Re: freeBSD certified server hardware ?

2006-09-18 Thread David Robillard

Does anyone know if any server manufacturer of high regard is
currently certifying for freeBSD 6.1?
I know the general answer is check the components on the release
notes.  I also know there are a few integrators on the community list
(wow, some of their list pricing is much higher than the big
names!!).  Doesn't HP, Sun, IBM, Dell have anything they certify for
FreeBSD?  Is this expected to get better over the next year or so?
thanks, ke han


Hello ke han,

To my knowledge, none of the top vendors have any certification for FreeBSD.

What I suggest you do is have one of the sales rep set you up with a
test machine. The easiest way to do so is to go at their offices with
a FreeBSD install disk and try to boot/install it on the hardware
you're interested in. That's what I do with HP, Sun and IBM (IMHO, try
to avoid Dell).

On the other hand, there is a company at
http://www.freebsdsystems.com/. By their name, one would think that
the hardware they push should work fine with FreeBSD. I never dealt
with them, so I really have no idea if they're good?

Have fun,

David


jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-12 Thread David Robillard

Hi everyone,

Is there any workaround or a patch for this security problem?

FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
FreeBSD 6.1/i386:

Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
Type of problem: jdk -- jar directory traversal vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html

Many thanks,

David


Re: trouble with a pair of bind9 servers

2006-09-08 Thread David Robillard

the trouble im having is, that my slave (5.5-p3) will not transfer the zone
from the master (6.1-p4).  my /var/log/messages is filled with these:

Sep  7 21:50:24 fbsd55-2 named[1847]: exiting
Sep  7 21:50:26 fbsd55-2 named[1924]: starting BIND 9.3.2 -t /var/named -u bind
Sep  7 21:50:26 fbsd55-2 named[1924]: /etc/namedb/named.conf:40: option 
'allow-update' is not allowed in 'slave' zone 'dlptest.com'


Hi Jonathan,

First, I would recommend you to send this question to the BIND mailing
list at [EMAIL PROTECTED]. See ISC's website for more on subscribing
at http://www.isc.org/index.pl?/sw/bind/bind-lists.php and the
archives at http://marc.theaimsgroup.com/?l=bind-users

Now, this first error is self explanatory: you can't use
'allow-update' in a slave zone, only in the master. It makes sense,
because if the slave had updates, then it would not be able to tell
the master about those updates and the zones would become inconsistent
between your machines (resulting in quite a mess). The other way
around is better: update the master which will then send notify
messages to your slave who in turn will download the updates.

So just remove 'allow-update' in the slave's named.conf(5).



Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has 0 SOA 
records
Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has no NS 
records


These point to a bad zone file. You should double check your
/etc/namedb/dlptest.com.i.hosts file. Make sure you have both SOA and
NS records in them. Consider using the named-checkzone(8) command to
check your zone files. See the man page for named-checkzone(8) for
more info.

Hummm, I know it's not my business, but may I suggest you another name
for your zone files? I personally use db.dlptest.com.internal and
db.dlptest.com.external for the master files. For the slave, I use
bak.dlptest.com.internal and bak.dlptest.com.external. IMHO it's a
little more clear whether you're working on an internal slave file or
an external master file :)



Sep  7 21:50:26 fbsd55-2 named[1924]: running
Sep  7 21:50:27 fbsd55-2 named[1924]: dumping master
file: /etc/namedb/tmp-UZF5mCCxZP: open: permission denied
Sep  7 21:50:27 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
192.168.125.91#53: failed while receiving responses: permission denied
Sep  7 21:51:20 fbsd55-2 named[1924]: dumping master
file: /etc/namedb/tmp-SaWWYxV06u: open: permission denied
Sep  7 21:51:20 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
192.168.125.91#53: failed while receiving responses: permission denied

this was giving me the impression that the bind user was not able to write
to /var/named/etc/namedb, but every time i make a chmod or chown adjustment,
it just gets changed back:

fbsd55-2# /etc/rc.d/named restart
Stopping named.
etc/namedb changed
user expected 0 found 53 modified
Starting named.
fbsd55-2#


I'm afraid I'm not quite sure what this problem is. Maybe check your
fstab(5) for special options such as noexec or nosuid and friends.
Check the mount(8) man page if you find anything. Also, have you played
with chflags(1)? Finally, I would check the ISC's BIND mailing list
archives to see if you can come up with something.

Good luck,

David


ive been dinking around with this for a few hours now, and im about to pull
what little hair i have left out.  can someone shed light on this for me
please?  any help at all would be much appreciated!

cheers,
jonathan




Re: need a restricted shell

2006-09-07 Thread David Robillard

I am looking for a shell that will allow Subversion to be run over
ssh but not allow interactive login or if it allows interactive
login, will only allow Subversion commands to be run...  Any ideas
on how to accomplish this?


Hi Chad,

You could install the shells/scponly port and build it with its chroot option
(i.e. sudo make -DWITH_SCPONLY_CHROOT install). Don't run the `make
clean` just yet, because you will need the setup_chroot.sh script
which is inside the work/scponly-port_version directory.

Use the script to create a chroot directory. Then populate this new
chroot directory with the files required by the commands and libraries
which you want to give to your users (such as Subversion).

Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and
the chroot directory for the user(s) which you want to limit only to
your Subversion commands. Assign a password to those users then test
if you can connect and use the Subversion commands.

Basically, this is Hack number 63 on page 269 in the book BSD Hacks,
100 Industrial-Strength Tips & Tools by Dru Lavigne published by
O'Reilly. (ISBN: 0-596-00679-9).

Also, to further restrict access to your machine, configure sshd(8) to
allow only a limited subset of users. See AllowUsers and AllowGroups
in sshd_config(5) for this.

Finally, if you happen to know the origin of the connections, then
configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections.
See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info
on how to set this up.

Alright, if you have any questions, please be my guest and send them up to me.

Cheers!

David


Re: LVM support in FreeBSD

2006-09-07 Thread David Robillard

Hi list,

I'm wondering whether FreeBSD is able to support reading (at least, but
preferably also writing) Linux LVM volumes? I have an itch to try FreeBSD on
a desktop but all my data is in a Linux LVM.

Is it possible?


I really have no idea if it works, but have you tried to export your
LVM volume via NFS and then mount it on your FreeBSD machine? All
FreeBSD will see is an NFS volume, which we all know works very well.

Just an idea,

David


Re: Mirroring: gvinum or gmirror?

2006-09-01 Thread David Robillard

On 8/31/06, Elliot Finley [EMAIL PROTECTED] wrote:

Well yes, if you do it this way, you are correct.  Why not just install the
OS on the smaller drive, skip the dump step and just use the installed drive
as the first drive in your mirror.  That's how I've been doing it and it
works great.

I've got a write-up of the steps required to do this if you or anyone else
needs them.  I also routinely disconnect one of the drives in my mirror
before a major upgrade to the OS or ports so that if I mess it up, I can
boot back to the previous state.  I have a write-up of the steps needed to
do this remotely over ssh (again, if you or anyone else needs them).

Elliot


Sounds like a good idea indeed. I've always followed Ralf S.
Engelschall's instructions at http://people.freebsd.org/~rse/mirror/
which involves using dump(8) to transfer the data onto the second disk
once it's setup as a gmirror provider.

I must admit I never thought back on those instructions because they
work very well. It was only recently that I had to deal with older
hardware for which I had to salvage some old 4Gb disk drives.

So, if you don't mind, I would very much appreciate if you could share
your documentation with me. In case you're interested, I can offer you
a space on my website should you want to have them online.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: MONOWALL WAN

2006-09-01 Thread David Robillard

I have a client who would like to share a DSL connection with a neighboring
office.  I would like to put my clients network (they only need to share
Internet) on a separate IP network behind a monowall.  My question is, will
monowall allow a private address (the LAN IP of router) to be its WAN
address?

Thanks

Laurie


Hi Laurie,

I'm not sure about monowall, but I know for sure that an OpenBSD or
FreeBSD machine running OpenBSD's packet filter will do the trick very
nicely. Check out pf(4) and pf.conf(5) or the FreeBSD Handbook on the
subject. You can also grab a copy of Jacek Artymiak's book Building
Firewalls with OpenBSD and PF, 2nd edition which covers pf(4) very
well.

Some URL on the subject:
- FreeBSD Handbook Section 26.4 The OpenBSD Packet Filter (PF) and ALTQ
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

- pf(4)
http://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

- pfctl(8)
http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.1-RELEASE

- pf.conf(5)
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&apropos=0&manpath=FreeBSD+6.1-RELEASE

- Jacek Artymiak's book Building Firewalls with OpenBSD and PF, 2nd edition
http://www.artymiak.com/books/index.html

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: what happed to mod_perl in 6.1?

2006-09-01 Thread David Robillard

Hi, my CGI scripts don't work in 6.1, and I don't see any entry about mod_perl
in httpd.conf. How do I enable it?


For Apache 1.3.x
http://www.freebsd.org/cgi/url.cgi?ports/www/mod_perl/pkg-descr

For Apache 2.x
http://www.freebsd.org/cgi/url.cgi?ports/www/mod_perl2/pkg-descr

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Mirroring: gvinum or gmirror?

2006-08-31 Thread David Robillard

I'm setting up a remote server with two identical hard drives, running
FreeBSD-6.1. I want to set the drives up as a mirror for data redundancy. I
also want to be able to break the mirror when I need to update the OS or
installed software, so that if anything goes wrong with the update on one
drive I can boot back to the other one, or if all is well, re-establish the
mirror and synchronise to the updated system. I have serial console access
including BIOS console redirection.

Based on web and Usenet/mailing list searches, gmirror looks more
straightforward for this simple case, gvinum more flexible but poorly
documented, and the most recent comments I can find (still all 6+ months ago)
seem to suggest that gvinum hasn't completely stabilised for production yet.

Is this a fair assessment? Are there any factors I've missed? Which solution
is likely to suit the situation better?

Jonathan


Hello Jonathan,

I run gmirror on all machines which don't have a hardware RAID
controller. I've had drive failures in the past and gmirror handled it
very well. It's now a lot better under 6.1 than 5.x (mostly concerning
the kernel dump area and the swapoff option in rc.conf(5)).

Take a look at Ralf S. Engelschall's documentation on the subject:
http://people.freebsd.org/~rse/mirror/

Bonus Tip of the day! If you ever have two disk drives which are not
identical, such as these:

ad0: 4112MB WDC AC24300L 09.09M08 at ata0-master UDMA33
ad3: 4028MB Maxtor 84320D4 NAVXAA21 at ata1-slave UDMA33

Then make sure you install FreeBSD on the bigger one (i.e. here that
would be ad0) then setup gmirror. If you do the opposite, you will have
a "Consumers too small" error when you try to bring the mirror
together.

Finally, keep in mind that gmirror is only good for RAID 1. If you
need more powerful volume management tools such as Veritas Volume
Manager or Sun DiskSuite, then you need gvinum.

Regards,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Mirroring: gvinum or gmirror?

2006-08-31 Thread David Robillard

On 8/31/06, Elliot Finley [EMAIL PROTECTED] wrote:

ad0: 4112MB WDC AC24300L 09.09M08 at ata0-master UDMA33
ad3: 4028MB Maxtor 84320D4 NAVXAA21 at ata1-slave UDMA33


 Then make sure you install FreeBSD on the bigger one (i.e. here that
 would be ad0) then setup gmirror. If you do the opposite, you will have
 a Consumers too small error when you try to bring the mirror
 together.

I could be wrong, but that seems backwards.


I know, that's also what I thought before I had the problem. (hence
the Tip of Day!)

It's quite easy to understand when you think about it. Let's say we
have the same disk drives as above in which ad0 is bigger than ad3.

So you install the OS on the smaller ad3 disk first. Then you setup
gmirror on the bigger disk ad0. You then dump(8) the OS from ad3 onto
the broken mirror gm0 which is made up of ad0. Next you reboot on gm0
(hence on ad0). You clear ad3 which is not used anymore and try to
`sudo gmirror insert gm0 /dev/ad3` = WRONG!

Why? Because what you're actually doing is trying to synchronise a
bigger submirror disk (ad0) onto a smaller submirror disk (ad3). Hence
gmirror(8) complains that the container is too small.

What you want to do is the opposite. Which is to first install FreeBSD
on the bigger drive, then setup a broken submirror gm0 onto the
smaller disk. Dump(8) FreeBSD onto this new gm0 mirror. Reboot on that
gm0 mirror. Then finally synchronise the small submirror onto the
bigger disk onto which you had FreeBSD installed first.

But be my guest, try it out and you'll see :)

Here's what you get once the whole thing is finished:

[EMAIL PROTECTED] ~ {336}$ gmirror list
Geom name: gm0
State: COMPLETE
Components: 2
Balance: round-robin
Slice: 4096
Flags: NONE
GenID: 0
SyncID: 1
ID: 2054366258
Providers:
1. Name: mirror/gm0
  Mediasize: 4223729152 (3.9G)
  Sectorsize: 512
  Mode: r5w5e6
Consumers:
1. Name: ad0
  Mediasize: 4311982080 (4.0G)
  Sectorsize: 512
  Mode: r1w1e1
  State: ACTIVE
  Priority: 0
  Flags: NONE
  GenID: 0
  SyncID: 1
  ID: 4020171026
2. Name: ad3
  Mediasize: 4223729664 (3.9G)
  Sectorsize: 512
  Mode: r1w1e1
  State: ACTIVE
  Priority: 0
  Flags: NONE
  GenID: 0
  SyncID: 1
  ID: 411377980

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
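As an added illustration of the size rule behind the "Consumers too small" error (example code written for this page, not from the post or from gmirror), the script below parses a constructed excerpt of the `gmirror list` output above and checks which disk a mirror may be created on first. It assumes gmirror reserves exactly the last sector of each disk for its metadata, which is consistent with the Mediasize figures shown for ad3 and mirror/gm0.

```python
import re

# Constructed sample, trimmed from the `gmirror list` output quoted in the post.
SAMPLE = """\
Geom name: gm0
Providers:
1. Name: mirror/gm0
   Mediasize: 4223729152 (3.9G)
   Sectorsize: 512
Consumers:
1. Name: ad0
   Mediasize: 4311982080 (4.0G)
   Sectorsize: 512
2. Name: ad3
   Mediasize: 4223729664 (3.9G)
   Sectorsize: 512
"""

def parse_gmirror_list(text):
    """Return (providers, consumers): {name: {"mediasize": n, "sectorsize": n}}."""
    providers, consumers, target, current = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Providers:", "Consumers:"):
            target = providers if line == "Providers:" else consumers
            continue
        m = re.match(r"\d+\. Name: (\S+)", line)
        if m and target is not None:
            current = m.group(1)
            target[current] = {}
            continue
        m = re.match(r"(Mediasize|Sectorsize): (\d+)", line)
        if m and current:
            target[current][m.group(1).lower()] = int(m.group(2))
    return providers, consumers

def metadata_free_size(mediasize, sectorsize):
    """Assumed rule: gmirror keeps its metadata in the last sector of each disk."""
    return mediasize - sectorsize

def can_insert(mirror_mediasize, disk_mediasize, sectorsize=512):
    """A disk joins only if its data area covers the mirror's size; otherwise
    gmirror refuses with 'Consumers too small'."""
    return metadata_free_size(disk_mediasize, sectorsize) >= mirror_mediasize

def smallest_consumer(consumers):
    """The disk to create the mirror on first: the smallest one."""
    return min(consumers, key=lambda n: consumers[n]["mediasize"])

if __name__ == "__main__":
    _, disks = parse_gmirror_list(SAMPLE)
    # Mirror created on the bigger ad0, then ad3 inserted: refused.
    print(can_insert(metadata_free_size(**disks["ad0"]), disks["ad3"]["mediasize"]))
    # Mirror created on the smaller ad3, then ad0 inserted: accepted.
    print(can_insert(metadata_free_size(**disks["ad3"]), disks["ad0"]["mediasize"]))
```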


Re: Fw: lothlorien.nagual.nl security run output

2006-08-28 Thread David Robillard

I'm a little worried after reading the security output this morning.
It seems some files [ping, ping6, shutdown, at, atq and atrm] have
setuid diffs. I really don't know why this could have happened.
I updated some ports yesterday, but I don't think any port writes
in /sbin (?)

Could somebody advise me on what can have happened?


What ports have you updated? You can check if any of them has
installed new files in /sbin by running `pkg_info -L
your_updated_port-version`. See the -L option of pkg_info(1) in the
man page 
http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing a Host Based Integrity Monitoring
software. I use Osiris which is quite simple to setup and administer.
It's already in the ports as security/osiris which you can get there:
http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr.

Of course, don't install Osiris on a machine if you're not sure whether
it has been tampered with; it would defeat the purpose... You can also
take a look at other integrity checking software such as Samhain,
Tripwire or aide.

Regards,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
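A minimal baseline-and-compare check of the kind an integrity monitor such as Osiris automates, written here as an added example (not code from the post, from Osiris, or from the FreeBSD security scripts). It records permission bits and a SHA-256 digest for every regular file under a directory, then reports files whose content, mode or setuid bit changed; the sample tree is constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (permission bits, sha256 digest)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                result[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), digest)
    return result

def classify(old, new):
    """Describe how one file differs between the baseline and now."""
    if old is None or new is None:
        return "added" if old is None else "removed"
    changes = []
    if (old[0] ^ new[0]) & stat.S_ISUID:   # the "setuid diff" the security run reports
        changes.append("setuid " + ("set" if new[0] & stat.S_ISUID else "cleared"))
    if old[0] != new[0]:
        changes.append("mode %o -> %o" % (old[0], new[0]))
    if old[1] != new[1]:
        changes.append("content changed")
    return ", ".join(changes) or "unchanged"

def compare(baseline, current):
    """Return {relative path: description} for every file that differs."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        desc = classify(baseline.get(path), current.get(path))
        if desc != "unchanged":
            report[path] = desc
    return report

def demo():
    """Constructed scenario: baseline a tiny fake sbin, then alter it."""
    root = tempfile.mkdtemp()
    sbin = os.path.join(root, "sbin")
    os.mkdir(sbin)
    for name in ("ping", "shutdown"):
        with open(os.path.join(sbin, name), "wb") as fh:
            fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        os.chmod(os.path.join(sbin, name), 0o755)
    baseline = snapshot(root)
    os.chmod(os.path.join(sbin, "shutdown"), 0o700)   # permission change
    with open(os.path.join(sbin, "ping"), "ab") as fh:
        fh.write(b"# modified after baseline\n")       # content change
    return compare(baseline, snapshot(root))
```

Run `demo()` to see the two altered files reported; an unchanged tree yields an empty report.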


Re: Hostile vs. Friendly instances of Sendmail

2006-08-28 Thread David Robillard

On Aug 25, 2006, at 12:57 PM, Brett Glass wrote:

A company for whom I do consulting has a FreeBSD mail server.
Because they're being deluged with connections from spammers (who
have responded to the increasing use of graylisting by ordering
their armies of bots to try again and again even when spam is
rejected), they've subscribed to some DNS blacklists and set
Sendmail to limit the number of processes it can spawn at any one
time. This reduces the load on the system due to spamming, but also
prevents internal users from getting the mail server's attention
when they want to send legitimate outgoing mail.



What's the best way to set things up so that more trusted, internal
users can access their own instance of Sendmail (with less
restrictive process limits, no blacklist checks, etc.) while the
outside world sees an instance of Sendmail with blacklisting,
process limits, connection limits, load limits, etc.? Will there be
problems with file locking, queues, etc. if a third instance of
Sendmail is started on a standard FreeBSD install (which normally
runs two)?


I totally agree with what Chuck Swiger has suggested here:


You could also configure an external and an internal mailserver,
have the internal mailserver be entirely firewalled from outside so
that internal users and internal email are handled there without
issues, and just worry about tuning the external mailserver which
will then only need to do SMTP relaying and anti-spam stuff for the
external mail traffic rather than serve dual-duty as a reader box.


To help you with sendmail architecture, take a look at page 547 of the
UNIX system administration handbook, 3rd edition by Nemeth, Snyder,
Seebass and Hein. Don't be fooled by the funny images on this book,
it's very clear and quite possibly the best UNIX administration book
around with real world examples. You can find it at
http://www.admin.com/Pages/USAH.html.

Aside from the huge bat book, O'Reilly also publishes sendmail
Cookbook which is great when it comes to configure sendmail. Check it
out at http://www.oreilly.com/catalog/sendmailckbk/.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Linux-HA howto for FreeBSD.

2006-08-23 Thread David Robillard

Hi,

I am looking for a good howto or a detailed explanation in order to
deploy Linux HA on two BSD boxes.


You can grab heartbeat from the FreeBSD ports at sysutils/heartbeat
(i.e. http://www.freebsd.org/cgi/url.cgi?ports/sysutils/heartbeat/pkg-descr)

But unfortunately, it is only at version 1.2.4 in the ports while the
actual software is now at version 2.0.7. I haven't tested if version
2.0.7 is operational on FreeBSD. Has anyone tried it?

Should you want to give it a try since 1.2.4 is stable, the
instructions on the website are fairly straightforward:
http://linux-ha.org/GettingStarted#gettingstarted but it's RedHat
specific.

So just make sure you translate any RedHat hardware paths to the FreeBSD paths.

Now, you'll need two separate heartbeat links. So for the first one,
you need an empty serial port on both machines along with a serial
cable to link them together. For the second link, make sure you have a
separate network interface card on both machines and link them with a
cross-link ethernet UTP cable. Use different network interface cards
for your application networks.

Ideally, your machines should have two serial ports, so that you can
use one for the heartbeat link and the other for the serial console.
Also ideally, both machines should have identical hardware.

I'd also suggest to setup the disk drives in all your machines under
gmirror(8) control. Read more about gmirror(8) at
http://www.freebsd.org/cgi/man.cgi?query=gmirror&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html
Make sure you have two identical hard disks and follow the
instructions on how to set a RAID 1 FreeBSD OS under gmirror(8) from
Ralf S. Engelschall at http://people.freebsd.org/~rse/mirror/

Keep in mind that all this setup is not really useful if the rest of
your network infrastructure is not also redundant.

Therefore, consider installing your firewalls under linux-ha/heartbeat
and setup a linux virtual server cluster (also under heartbeat) which
redirects http/ftp/sql requests to multiple web/ftp/database servers.
You can find more information on linux virtual server (a.k.a. LVS) at
http://www.linuxvirtualserver.org/

There is a FreeBSD port of LVS under net/ipvs. You can get more
information about LVS for FreeBSD on the author's web page at
http://dragon.linux-vs.org/~dragonfly/htm/lvs_freebsd.htm

Finally, you'll need to sync the data on all those nodes. For
databases, consider MySQL real-time replication or Oracle Dataguard.
For ftp and http data sets, take a look at net/rsync. For mail
servers, it's a bit more tricky, but there is mail/maildirsync which
I've never tried.

David


Thank you very much.


--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

