Group policy in Linux

Suppose you want to limit access to some servers: only people who are members of a specific group (or of several groups) may log in.

The following is one way to tackle this. In this example I will configure ssh access in such a way that only people from the admin group can log in. The nice thing is that this works regardless of any Kerberos or LDAP usage.

Preparation

In /etc/pam.d, find the “service” you want to add a group policy to, for instance sshd, and edit that file (this is on Ubuntu):

Read more →

Kerberos

Mental note to self

Having a host listed in a listprincs output isn’t enough to have single sign-on working.

You have to add it explicitly with ktadd host/your.host.com

So in my case:

# kadmin.local
....
kadmin.local:  addprinc -randkey host/charm.atoom.net
...
kadmin.local:  quit

And then, on charm.atoom.net, you can do:

% kinit
Password for miekg@ATOOM.NET: 
% slogin elektron.atoom.net

And get a password-less login to my server.

Read more →

Zsh prompt updates

I wanted some git information in the prompt I currently have. While thinking and googling about this, a quote on Bart’s log got me thinking. I don’t need to see my current host, nor do I need to see my current user name.

I always login under my own account (miekg) and if I do change accounts, I probably will be forced to use bash. So showing the current user name is quite useless.

Read more →

mkfs.ntfs /dev/sdc1

Oh my God — why?? This is a 250 GB disk with a USB2 interface, so I’m in for a long wait apparently.

# mkfs.ntfs /dev/sdc1
Cluster size has been automatically set to 4096 bytes.
Initializing device with zeroes:   4%

Is this the Windows way, or is mkfs.ntfs a little bit brain-dead?

Read more →

KDE XFCE rocks

I could not agree more with Christoph Haas.

I’ve tried KDE briefly during the last 6 months or so, but it never really stuck.

Some observations.

  1. I’ve bought an EeeBox (dual-core Atom, with 1 GB of RAM); boy, how slow is KDE. Do I really need a Vista-capable machine to run KDE?

  2. I like my current (XFCE) desktop. Why? Because it’s nice and clean. I have no use for desktop icons. I have no use for fancy clocks running on my desktop. I have no use for any fancy stuff running on my desktop. Why?

Read more →

Resize RAID1 array without knowing which disk is which

I want to grow my RAID1 array from 2x250GB to 2x500GB. The following resource has helped me a lot.

Update

It all worked, although the kernel decided to crash during the offline ext4 resize. But I finally have my extra disk space.

% df -h | grep md6
before: /dev/md6   77G  67G  6.7G  91% /vol
after:  /dev/md6  306G  67G  224G  23% /vol

Now to my problem/solution:

On Linux you often have the following problem: you are looking at or touching some piece of hardware and asking yourself: “is this card eth0 or eth1?” or “is this disk /dev/sda or /dev/sdb?”.

Read more →

My First Linux

I’ve always kept my first Linux CDs as a reminder of that great time when I was first exploring this unexplored territory.

These are two (bad) shots of the actual CD; maybe I should put their contents online again? Kernel version 1.2.8, an old gcc version, non-working X on the default install, that kind of stuff… I was hooked on this stuff forever.

Infomagic CD screenshot

Infomagic CD side screenshot

Read more →

Oracle and OpenSolaris

I’ve never liked (Open)Solaris. Maybe the kernel rules, but the userland completely sucks; something like apt should have been implemented in (Open)Solaris years ago.

Now that Oracle owns SUN and thus Solaris they should rebrand it. Maybe OpenSoracle or even OpenSorry.

Read more →

Ubuntu, LUKS disk encryption

Found this very nice howto, which I followed almost to the letter, except that I did it on Ubuntu, where more stuff currently works out of the box, so you don’t need to do all the steps.

I’m working on a USB stick, which is /dev/sdb1 on my system.

Steps I did take:

  1. apt-get install cryptsetup hashalot
  2. cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
  3. cryptsetup luksOpen /dev/sdb1 funnydiskname
  4. mkfs.ext4 -O extents,uninit_bg,dir_index /dev/mapper/funnydiskname
  5. cryptsetup luksClose /dev/mapper/funnydiskname

Now pull out your disk and re-insert it. If everything went well, your GNOME, XFCE or KDE environment should now pop up a ‘This disk is encrypted, please enter the passphrase’ prompt.

Read more →

/proc/sys/kernel/pid_max

In kernel version 2.6.29.1:

# /bin/echo -n 40000 > /proc/sys/kernel/pid_max 
/bin/echo: write error: Invalid argument

On one older kernel I tried, it still worked, so I’ve submitted a bug.

Read more →

OpenLDAP 2.4 cn=config

Since version 2.4, OpenLDAP uses a cn=config DIT to configure the server. I’m always into new stuff, but I must admit that I rather liked editing /etc/ldap/slapd.conf to configure the server. Anyhow, being able to store ACLs in the tree is a big plus, but for configuring minor stuff (like indexes) it makes life more difficult.

The following site was an excellent tool in helping me configure OpenLDAP. For a list of current attribute names, see for instance here.

Read more →

LVM: good, LVM snapshots: bad

Well, today I was looking into using LVM snapshots to allow a client, OCN, to use Linux as a NetApp replacement…. Boy, was I in for a disappointment.

LVM in itself works great, but the moment you turn on snapshots the write performance (in this case) goes to hell. Using LVM is easy enough. The system I was on has 32 GB of RAM and 2 disk arrays with hardware RAID.

Setting up:

Read more →

Linux networking bonding

See this?

bond0: Warning: failed to get speed and duplix from eth*

Do this:

insmod bonding miimon=100

Why?

When using Linux network bonding the kernel may be too quick to enslave the interfaces. When an interface is too slow to report its capabilities, it will be set to 100Mbit and full duplex, which is a bit sad when you have 6 Gigabit network cards…

Read more →

vim text objects

For a few months now I have been learning how to use VIM text objects. There is extensive help on them under help text-objects in VIM. I’m trying to condense the VIM help into a smaller blog entry here.

What are text objects in vim? Text objects are things like a ‘paragraph’, the text between braces, or something like a word. Text objects can be used with the normal vim commands y, d and c. To really understand them, I can recommend using control-V to visually select your text object.

Read more →

Server upgrade with ldap

As I’m on an upgrade roll I decided to upgrade my new server too. It is configured with Kerberos and LDAP… and this is where the trouble is.

ldap

When a service is upgraded in Ubuntu/Debian it is first stopped and then restarted later, when the new files are in place. When all your user information is kept in LDAP, the following sucks:

Preparing to replace slapd 2.4.11-0ubuntu6.1 (using
    .../slapd_2.4.15-1ubuntu3_i386.deb) ...
Stopping OpenLDAP: slapd.
  Dumping to /var/backups/slapd-2.4.11-0ubuntu6.1:
- directory dc=atoom,dc=net... done.
Unpacking replacement slapd ...

And there goes the neighborhood… everything slows to a crawl, because every getpwnam call needs to time out before /etc/passwd and friends are consulted.

Read more →

notify-osd in Ubuntu Intrepid

A short guide on how to build the new notification system, which is scheduled for Jaunty, for Intrepid.

First download the source packages from: http://packages.ubuntu.com/source/jaunty/notify-osd

You will need the .dsc and the .tar.gz files, then you need to follow the Debian way of building the package.

dpkg-source -x notify-osd_0.9ubuntu2.dsc
cd notify-osd-0.9ubuntu2/

One important tweak, otherwise it will not install in Intrepid and will complain about a human-icon-theme that is too old.

Read more →

VIM stuff

Today I removed two annoyances I had with VIM.

Command mistyping

I often mistype the following:

:w! becomes :W!

or

:q! becomes :Q!

This is annoying because W and Q do not mean anything, so the file is not written or VIM does not quit. VIM has a nifty feature called commands, with which you can (re)define or add new commands.

Let’s try to fix this, in a running vi:

:com -bang W write!

or

Read more →

Setting up a new RAID1 partition

The following might be helpful to others too. I was trying to set up a new RAID1 device from two partitions, /dev/sda4 and /dev/sdb4. I wanted to do this the “right way” and use UUIDs everywhere, i.e. in /etc/mdadm/mdadm.conf and in /etc/fstab.

I hit a few snags along the way.

create the array

# mdadm --create --verbose /dev/md6 --level=1 --raid-devices=2 \
/dev/sda4 /dev/sdb4

Get the uuid mdadm uses:

# mdadm --detail  /dev/md6 | grep UUID
  UUID : dc9aba5e:ed1a70d4:770765d8:b0f56d86 (local to host elektron2)

Check. Add that to /etc/mdadm/mdadm.conf:

Read more →

The builtin test operator

In bash (and other shells) you can use the [[ construct.

From the bash manpage:

[[ expression ]]
          Return a status of 0 or 1 depending on  the  evaluation  of  the
          conditional  expression expression.  Expressions are composed of
          the primaries described  below  under  CONDITIONAL  EXPRESSIONS.

          Word  splitting  and pathname expansion are not performed on the
          words between the [[ and  ]];  tilde  expansion,  parameter  and
          variable  expansion, arithmetic expansion, command substitution,
          process substitution, and quote removal are  performed.   Condi‐
          tional operators such as -f must be unquoted to be recognized as
          primaries.

So no word splitting and pathname expansion.
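As an added example (not from the original post), the difference that manpage clause makes, checked against an unquoted variable: each helper prints the exit status of its test, where 2 is test(1) reporting a syntax error rather than a true/false answer.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: why the "no word splitting,
# no pathname expansion" clause matters. Each helper prints the exit
# status of its test: 0 true, 1 false, 2 = test(1) syntax error.

# [ is an ordinary command, so $1 is split into words (and globbed)
# before test ever sees it. With "a b" this becomes [ a b = 'a b' ].
single_unquoted() {
    [ $1 = 'a b' ] 2>/dev/null && echo 0 || echo $?
}

# Quoting fixes [ ; this is the form an admin script should use.
single_quoted() {
    [ "$1" = 'a b' ] && echo 0 || echo $?
}

# [[ is shell syntax: no word splitting or pathname expansion happens on
# the words between [[ and ]], so the unquoted variable is safe here.
double_unquoted() {
    [[ $1 = 'a b' ]] && echo 0 || echo $?
}

# One thing [[ adds: an unquoted right-hand side of = is a pattern ...
double_pattern() {
    [[ $1 = a* ]] && echo 0 || echo $?
}

# ... while a quoted one is compared literally.
double_literal() {
    [[ $1 = 'a*' ]] && echo 0 || echo $?
}

# Constructed sample inputs: a value containing a space, and an empty one.
# The empty value is the classic failure: [ = 'a b' ] is a syntax error,
# whereas [[ ]] simply evaluates to false.
for value in 'a b' ''; do
    printf '%-6s [ unquoted ]=%s [ quoted ]=%s [[ ]]=%s pattern=%s literal=%s\n' \
        "'$value'" \
        "$(single_unquoted "$value")" "$(single_quoted "$value")" \
        "$(double_unquoted "$value")" "$(double_pattern "$value")" \
        "$(double_literal "$value")"
done
```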

Read more →

Vim Tips of the Day

Re-selection of a visual

When you use control-v or shift-v in vim to make a visual selection and then use (for instance) y to copy the selected text, you lose the selection.

More often than not you want to do another thing with the selection you just had. How?

gv

Copy to clipboard

Make a selection and use

"*yy

Now the selection is ‘under your mouse’. I think I’m going to bind this sequence to something easier, like *Y.

Read more →

ssh’s ControlMaster with zsh

You are using the ControlMaster feature of ssh and you are having problems remembering which shell is the master?

That’s why I’ve made zsh display this in the prompt. You get a m@ when a connection is a master connection and an @ if it is a slave.

setting up

The check if we are a master works by creating a file which has $SSH_CLIENT as the name, as the following snippet shows.

Read more →

updated gitvi script

The script in using git and vi together was a little bit borked, as too many git repos were created. Hence a new and improved version. This one will look up the directory tree to spot an existing git repository; if nothing is found, a new one will be created in $PWD.

code

#!/bin/zsh
# a wrapper around git and vi
# expands $Hash$ to $Hash: file short_hash epoch committer $
# git checkout HEAD $file? when would I need this
# TODO: spaces in filename (the quoting below covers the common cases)

# =git is zsh for "the path of the git binary"; bail out if there is none
[[ ! -x =git ]] && exit 1

# record the real user, also when running under sudo
who=$SUDO_USER
who=${who:-$LOGNAME}

# walk up the directory tree; print the first directory that holds a .git,
# or an empty string when none is found
function search_git_dir {
    local gpath="$1"

    [[ -d "$gpath/.git" ]] && echo "$gpath" && return
    [[ -z "$gpath" ]] && echo "" && return

    # strip that last path component and try again
    search_git_dir "${gpath%/*}"
}

start=$PWD
for file in "$@"; do
    dir=$(dirname "$file")
    base=$(basename "$file")
    cd "$dir" || exit 1

    # no repository above us: make a new one in $PWD
    if [[ -z $(search_git_dir "$PWD") ]]; then
        git init || exit 1
    fi
    chmod +w "$base" 2> /dev/null

    if vi "$base"; then
        [[ ! -e "$base" ]] && exit 0
        git add "$base"
        # collapse the $Hash: id $ line back to $Hash$ before committing
        sed -i -e 's/\$Hash:.*\$/$Hash$/' "$base"
        git commit "$base"
    fi

    # the dashed "git-show" form no longer exists; use "git show" on the new HEAD
    id=$(git show -s --pretty="format:$base %h %ct $who%n" -- "$base")
    [[ -z $id ]] && exit 1

    # re-add the $Hash: sha1hash $ line
    sed -i -e "s/\\\$Hash\\\$/\$Hash: $id \$/" "$base"

    chmod a-w "$base" 2> /dev/null
    # back to where we started, so later relative paths still resolve
    cd "$start" || exit 1
done

And of course the manpage.

Read more →

Using GIT and VI together

A long while back I used vi together with rcs to manage files in /etc. This worked, but I found rcs to be clunky. So welcome to the 21st century and my git + vi script.

It is a wrapper around git, which will create a new git repository, add the file and commit it when changed.

The script will also expand $Hash$ to

$Hash: basename-of-file short-commit-hash epoch committer $

a typical example is

Read more →

Lazy client, part IV

Ok, so far I’ve created a cfengine setup that works. On my main host ’elektron’ I’ve created a /export/nfsroot/x86 directory. This holds the general files for the x86 Ubuntu lazy clients. With 2 scripts (see below) I can easily create a whole new x86 root from scratch. Bringing up new lazy clients is even easier once the groundwork is there. I only need to do three things:

  • fix the DNS (forward and reverse)
  • fix the DHCP and add an IP address.
  • add this IP address to some cfengine files (2 in total)
  • optionally add some extra configuration in cfengine for this specific host.

Create a generic lazy client from scratch

There is one script that creates a new host in a chrooted environment: it starts a debootstrap and after that calls a follow-up script to finish the configuration for this host; after this step cfengine takes over. The second-stage script takes care of setting up the sources.list for apt and a preliminary /etc/hosts file. Cfengine fixes everything else.

Read more →

Lazy client part III

In my ongoing effort to make my lazy client work I’ve embarked on the next phase of the project: making a client boot from a generic NFS-mounted root partition and then giving it its own /etc on a ramdisk.

This way I’m saving disk space and administration overhead on my server. The virtual /etc is provisioned by cfengine. This allows for small changes between the lazy clients while they still share the bulk of the rest of the files.

Read more →

CFengine: input file had no explicit version string

While playing with cfengine I kept seeing these messages:

Cfengine input file had no explicit version string

Well, I grepped through the source of cfengine and this helped me find the solution; in the file install.c we have the following:

3359 void VersionAuditFile()
3360 
3361 { char *sp;
3362 
3363 if (sp = GetMacroValue(CONTEXTID,"cfinputs_version"))
3364    {
3365    AUDITPTR->version = strdup(sp);
3366    }
3367 else
3368    {
3369    Verbose("Cfengine input file had no explicit version string\n");
3370    }
3371 }

(Line numbers are from VIM).

Read more →

Lazy client, part II

I want a quiet, full-blown PC, without fans or a hard disk, in my living room. See my other blog post about this subject.

Currently I’m thinking about the following setup:

  • NFS4 root
  • some sort of configuration management

I wanted to use puppet, but after seeing it use more than 30% of my main memory – this is on an AMD64 Ubuntu server – I was ready to ditch it.

I also have experience with cfengine, so I’m going to use that, in conjunction with svn. I’m going to store all my configs plus the cfengine files in one repository. The modus operandi will become:

Read more →