Tag Archives: linux

Remotely repartition the HDD.

Have you, or someone you know, reinstalled an OS and left the partition options at the default, ie everything under / with no separate partitions?
All is not lost.. this guide was performed on a RHEL 5.5 install and worked flawlessly. :)

In a nutshell, we're dumping the filesystem on to the swap partition, repartitioning the drive and then dumping the data back into the respective partitions.  The pitfall is that your swap partition HAS to be large enough to hold your data.  The other one is that this goes through several reboots with a hand-edited grub.conf and fstab, so a typo leaves the box unbootable: have a backup and some form of console access (iLO/DRAC/serial) before doing it on a remote machine.  Are we sitting comfortably?... then I'll begin.

Run lvdisplay to get the size of LogVol01 (the swap volume), then df -h to check that the space used on / will fit on it.

Copy the FS to SWAP.
1) Edit /boot/grub/grub.conf
change root=/dev/VolGroup00/LogVol00 to root=/dev/VolGroup00/LogVol01 (the default swap partition)
2) Edit /etc/fstab
comment out the /dev/VolGroup00/LogVol00 line and change the LogVol01 entry from swap to / ext3 (swap becomes the new root)
3) run swapoff -a
4) mkfs -t ext3 -m 1 -v /dev/VolGroup00/LogVol01 (format the swap partition)
5) mount /dev/VolGroup00/LogVol01 /mnt
6) tar clf - -C / .| tar xf - -C /mnt (this is better than cp as it keeps the file attributes)

c         create an archive
l         stay on one filesystem: with the tar shipped in RHEL 5 (1.15), -l is --one-file-system, so /proc, /sys, /dev and anything else mounted under / is skipped (the empty mount-point directories are still created). In GNU tar 1.16 and later -l means --check-links instead, so spell out --one-file-system there.
f -       write the archive to stdout
-C /      change directory to / (source)
.|        archive everything below it and pipe it to the second tar
xf -      extract from stdin (run as root, so ownership and permissions are preserved)
-C /mnt   change directory to /mnt (destination)

REBOOT
(if SELinux is enforcing, touch /mnt/.autorelabel before rebooting: the tar copy does not carry the SELinux contexts, so the new root has to be relabelled on first boot)
(then run df -h and check the size of /: it should now be what the swap volume was)

Create the new partitions.
7) lvremove /dev/VolGroup00/LogVol00 (this completely deletes the / partition)
8) lvcreate -L30G -n rootvol VolGroup00 (this creates a 30G partition named rootvol)
9) lvcreate -L30G -n usrlocalvol VolGroup00
10) lvcreate -L4G -n varvol VolGroup00
11) lvcreate -L4G -n optvol VolGroup00
12) mkfs -t ext3 -m 1 -v /dev/VolGroup00/rootvol (format the new partitions)
13) mkfs -t ext3 -m 1 -v /dev/VolGroup00/usrlocalvol
14) mkfs -t ext3 -m 1 -v /dev/VolGroup00/varvol
15) mkfs -t ext3 -m 1 -v /dev/VolGroup00/optvol
16) vi /etc/fstab and add the new partitions: (make the partitions available)

/dev/VolGroup00/rootvol        /               ext3    defaults   1 1
/dev/VolGroup00/usrlocalvol    /usr/local      ext3    defaults   1 1
/dev/VolGroup00/varvol         /var            ext3    defaults   1 1
/dev/VolGroup00/optvol         /opt            ext3    defaults   1 1

Now to restore the data:
17) mkdir /media/root /media/var /media/opt /media/usr
18) mount /dev/VolGroup00/rootvol /media/root
19) mount /dev/VolGroup00/usrlocalvol /media/usr
20) mount /dev/VolGroup00/varvol /media/var
21) mount /dev/VolGroup00/optvol /media/opt
22) tar clf - -C / .| tar xf - -C /media/root
23) tar clf - -C /var/ .| tar xf - -C /media/var
24) tar clf - -C /opt/ .| tar xf - -C /media/opt
25) tar clf - -C /usr/local/ .| tar xf - -C /media/usr
26) edit /media/root/etc/fstab (ensure the new mounts are present and the LogVol01 line is commented out)
27) edit /boot/grub/grub.conf
change root=/dev/VolGroup00/LogVol01 to root=/dev/VolGroup00/rootvol
28) rm -rf /media/root/usr/local/* /media/root/var/* /media/root/opt/* (the copies of the data that now lives on its own volumes)
If SELinux is enforcing, touch /media/root/.autorelabel as well, so the copied files get their contexts back on the next boot.

REBOOT

Reactivate the swap partition
29) lvremove /dev/VolGroup00/LogVol01
30) lvcreate -L16G -n swapvol VolGroup00
31) mkswap /dev/VolGroup00/swapvol
32) Edit /etc/fstab
change the LogVol01 / ext3 line into the swap entry:
/dev/VolGroup00/swapvol        swap            swap    defaults   0 0
33) swapon /dev/VolGroup00/swapvol

REBOOT

Congratulations.. your server is now in a sensible condition.  Sit back, relax and give yourself a pat on the back for not looking like a complete n00b!

Cowon X7 on Linux

I needed an MP3 player with plenty of space, and none of the flash memory devices could accommodate.  Enter the iPod Classic.  Bought the 160Gb Black knowing that there was Linux support.. How naive of me to think that it would just work...!  I settled on Banshee as this suited my needs.. but alas, it was short-lived.. playlists became a big no-no.  I tried other applications, all with the same results.  Nothing would either read or write the list to the iPod.  GTKPod however, did manage the playlists, but that had its own issues with track order being impossible.

Being completely sick to the back teeth with constantly battling with Apple's pretty yet crippled player, I bought the Cowon X7 after reading plenty of reviews on its quality of sound etc.  Yep.. frustration, endless frustration..

1) Player not detected by any media managers.
(even after quite awhile hacking libmtp-1.0.6 to see the X7)
2) Completely unable to create playlists.
3) Several UI annoyances :(
4) Device becomes read-only if invalid characters are present (corrupted) in the file/folder names.  The only way I could fix this was to rename my source files, format the device and start again.

Changing the USB mode to MSC on the device and just rsyncing my music did the trick, but that still didn't fix the playlist issue.  Manually knocked up a playlist, which obviously didn't work.  After a few hours of scratching my head I managed to fix it.. In short it was the format of the file.  I use VI and stupidly overlooked that it prefers Unix, not DOS, format file output.  Any playlist created under Linux will need to be converted, which can be done in a couple of steps.

1) Convert the file to DOS line endings.  I used the command ":e ++ff=dos" from within VI and then saved the file.  This works if you created the file by hand; if you saved the playlist from, say, Audacious, you'll need to use unix2dos instead, as there are no carriage returns (CR) for VI to process.
2) Change the path to the music files to the absolute path as the player sees it, not the path on your PC including the mount point (ie /media/******).
3) Change the directory separators to Windows format (backslashes).
4) As an alternative to step 1, use sed to append a '\r' to the end of each line.  Do one or the other, not both, or every line ends up with two carriage returns.

sed 's/$'"/`echo \\\r`/"

This idiom depends on the shell's echo expanding \\r; with GNU sed it is simpler to write sed -i 's/$/\r/' playlist.m3u.

My local library is /home/cdstealer/Music and the X7 library is /Music, so my playlist was just copied into the root of the player's HDD as the paths in the m3u file were relative.  If you store your playlists anywhere else, ie /Playlists, then the paths in the m3u file need to be absolute.

If using mtp to transfer your playlist, it will be copied into the root of the 2Gb Flash memory and not the HDD.  I found this does not work :(

eg to change the directory slashes (the /^#/! address leaves the #EXTM3U and #EXTINF lines alone, so a '/' in a track title is not rewritten):

sed -i '/^#/!s/\//\\/g' cdstealer.m3u

So now I can create playlists with banshee, audacious etc etc and just run the above commands to make them compatible.
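
The steps above as one script, added for this page rather than taken from the original post (Python instead of vi/sed so the conversion can be checked on a sample). The mount point /media/X7 and the device library \Music are assumptions and are parameters; the playlist text is constructed. Unlike a blanket sed over the file, it leaves the '/' in #EXTINF titles alone, produces relative paths for a playlist kept in the device root and absolute ones elsewhere as described above, and refuses names that FAT cannot store, which is what turns the device read-only:

```python
#!/usr/bin/env python3
"""Convert a Linux-made M3U playlist into the form the X7 reads.

Added for this page, not the original post's script.  Mount point and
library location are assumptions (parameters); the sample is constructed.
"""

# Characters a FAT long file name may not contain (plus ASCII controls).
# The page's fat_rename.pl additionally strips []:;,= to satisfy 8.3 rules.
FAT_ILLEGAL = set('"*:<>?|') | {chr(c) for c in range(32)}

# Constructed sample, as a Linux player might save it: absolute paths under
# the mount point, Unix line endings, plus one line that already has CRLF.
SAMPLE_M3U = (
    "#EXTM3U\n"
    "#EXTINF:241,Some Artist - Some Song\n"
    "/media/X7/Music/Some Artist/Some Album/Track01.mp3\n"
    "#EXTINF:198,Another Artist - Other/Song\n"
    "/media/X7/Music/Another Artist/Other Album/Track02.mp3\r\n"
)


def illegal_chars(component):
    """Return the FAT-illegal characters found in one path component."""
    return sorted(set(component) & FAT_ILLEGAL)


def convert_m3u(text, mount_point, playlist_dir="/"):
    """Rewrite the paths for the device and emit CRLF line endings.

    - strips the Linux mount point so the entries become device paths
    - uses backslashes as separators, leaving #EXTINF lines untouched
    - a playlist kept in the device root gets relative paths; one kept
      anywhere else (e.g. /Playlists) gets absolute ones
    - refuses names FAT cannot store instead of corrupting the device
    Running it over its own output changes nothing, so it is safe to repeat.
    """
    mount_point = mount_point.rstrip("/")
    out = []
    for line in text.splitlines():        # also drops any existing \r
        if line.startswith("#") or not line.strip():
            out.append(line)
            continue
        path = line
        if path.startswith(mount_point + "/"):
            path = path[len(mount_point):]  # "/Music/Artist/..." on the device
        path = path.replace("/", "\\")
        if playlist_dir == "/":
            path = path.lstrip("\\")        # relative to the device root
        for part in path.split("\\"):
            bad = illegal_chars(part)
            if bad:
                raise ValueError("%r: FAT cannot store %s" % (line, bad))
        out.append(path)
    return "".join(item + "\r\n" for item in out)


if __name__ == "__main__":
    import sys
    # usage: python3 x7_playlist.py [playlist.m3u]   (prints the converted list)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_M3U
    sys.stdout.write(convert_m3u(text, "/media/X7"))
```

Save it as, say, x7_playlist.py and redirect its output to the playlist you copy to the player; pass "/Playlists" as the third argument to convert_m3u if the playlist lives there rather than in the root. Because an existing \r is stripped before a new one is added, the script can be run over a playlist that was already converted without doubling the line endings.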

A small bash script that could help:

#!/bin/bash
# make an extended playlist from an mp3 directory
# run from inside the album directory; the playlist is written to stdout
# (line endings still need converting as described above)

echo "#EXTM3U"
# the device path of this directory: strip the local library prefix and
# use backslashes, as the X7 expects
devdir=$(pwd | sed -e 's#^/home/cdstealer##' -e 's#/#\\#g')
for i in *.mp3; do
   if [ -e "$i" ]; then
      # id3v2 -l prints "TIT2 (Title/songname/content description): <title>"
      title=$(id3v2 -l "$i" | sed -n 's/^TIT2[^:]*: //p')
      seconds=$(mp3info -p "%S" "$i")
      echo "#EXTINF:$seconds,$title"
      printf '%s\\%s\n' "$devdir" "$i"
   fi
done

Playlist sorted :)

Also, when adding new music, although there is a menu for listing tracks transferred in the last day/week/month etc, it does not organise them in a useful fashion.  You get a list of all the tracks in alphabetical order (which is pointless IMHO).  So the script below that I use for syncing my music will also create a separate playlist for every album.
The downside to this is, if you add a lot of music at once or wipe the device and transfer your entire collection, you WILL have a large number of playlists!

Transfer/playlist script

Now for the filenames.  Both the iPod and X7 use the FAT32 file system and, as such, they don't handle UTF-8 characters in file/directory names.  Because the iPod stores everything in a database, all transferred files/directories are renamed to some string of numbers, so this isn't an issue.  But the X7 is drag n' drop and doesn't rely on a database in the same way as the iPod, so filenames are vital as they are untouched.  I found an easy GUI app to do this called "EasyTag".  A very good all-in-one app that renames the files in DOS format, writes the ID3 tag and embeds artwork into the files.
What I ended up doing is renaming all my MP3s to "TrackXX.mp3".  This isn't an issue for me as the X7 and MythTV list everything from tags.
What I have found is EasyTag writes ID3 information to the end of the MP3 file, whereas id3v2 reads/writes from/to the header at the beginning.  So this means any files tagged with EasyTag will not be compatible with the id3v2 command.

You could also rename files using the script I found below, which renames anything passed to it to remove the illegal characters.  To invoke it (before you transfer to the X7), for example:

To rename your files:
find ~/Music -depth -type f | perl fat_rename.pl

To rename your directories:
find ~/Music -depth -type d | perl fat_rename.pl

Run the file pass before the directory pass, and give find the -depth option: it then lists a directory after its contents, so renaming a directory never invalidates a path the script still has to process.

This is the magic:

#!/usr/bin/perl -w

# This script renames all the files supplied as command-line args
# (or, if none are given, read one per line from standard input)
# where necessary so that the filename is acceptable to MS Windows
# Cameron Hayne (macdev@hayne.net), June 2004

use strict;

chomp(@ARGV = <STDIN>) unless @ARGV;

# The Microsoft document at
# http://support.microsoft.com/default.aspx?scid=kb;EN-US;100108
# says that the following characters are not allowed in filenames
# in each of the specified filesystems:
# FAT: . " / \ [ ] | : ; , =
# NTFS: ? " / \ < > | : *

# We don't do anything with the dot (.) since it clearly is allowable
# in spite of what that document says.
# And we don't do anything with the slash (/) since that character
# will not occur in OS X filenames and modifying it would cause
# troubles when a file path (with directories) is specified.
# The changing of the filenames is done via the 'tr' statements below.
# Each occurrence of a character in the first curly brackets
# is replaced by the character in the second curly brackets.

foreach my $filename (@ARGV)
{
    my $orig_filename = $filename;

    # Only the last path component is changed: the directory part is
    # either already clean or gets renamed on its own, later pass.
    my ($dir, $base) = $filename =~ m{^(.*/)?([^/]*)$};
    $dir = '' unless defined $dir;

    $base =~ tr{\\}{-};
    $base =~ tr{*?}{-};
    $base =~ tr{"><[]|:;,=}{-};
    $filename = $dir . $base;

    unless ($filename eq $orig_filename)
    {
        print "About to rename $orig_filename to $filename\n";
        if (-e $filename)
        {
            print "Oops, there already exists a file named $filename\n";
            print "Skipping the rename - you will have to do it manually\n";
        }
        else
        {
            rename($orig_filename, $filename)
                or print "Rename of $orig_filename failed: $!\n";
        }
    }
}

But I must admit, after getting used to the UI, the BBE3 sound processor is amazing.  And after all, I did purchase this to listen to music.  I set my BBE to "user1" and spent quite a while tweaking the sound for my headset and ears.. it does exactly what it says.. very very pleased.


Squid Cache Server

How to setup a Squid Proxy.

The /etc/squid/squid.conf File

The main Squid configuration file is squid.conf. Squid only reads it at startup, so after editing it either restart Squid or tell the running instance to reload it with squid -k reconfigure.
The config file is extensive and very well commented.  Here is an example.

the config

The Visible Host Name (optional)

Squid can fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter.

Logging Options

By default, the timestamps in the log files are seconds since the Unix epoch.  To change this to a more human-readable format, uncomment/add this line in the "logformat" section of /etc/squid/squid.conf (%tl is the local time in the usual web-server log format):

logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt PORT_REQUEST = %>p

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each acl line defines one thing to match, such as an access time or a source network; the ACLs are then referenced from http_access statements that tell Squid whether to allow or deny traffic matching all of the ACLs named on that line.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter's examples, I've suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line.

Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

Restricting Access to specific Web sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. An entry with a leading dot (.example.com) matches that domain and all of its subdomains; without the dot it matches that exact host name only. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites  dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
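
A model of the matching rules described above, added for this page in Python (it is neither Squid's code nor from the original post) so the first-match behaviour and the dstdomain rules can be exercised without a running proxy. It supports the src, time, dstdomain and proxy_auth ACL types used on this page; the site lists are inlined rather than read from files, which Squid also accepts, and the request times and the misordered variant of the rules are constructed. A failed proxy_auth is treated as a plain non-match, whereas real Squid answers it with a 407 challenge:

```python
#!/usr/bin/env python3
"""Model of Squid's first-match http_access evaluation.

Added for this page; not Squid's code.  Supports the ACL types used in the
text (src, time, dstdomain, proxy_auth) closely enough to test rule order.
"""
import ipaddress
from datetime import datetime

# Squid's day letters for time ACLs, mapped to datetime.weekday() (Mon = 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed sample times: a Monday mid-morning and a Saturday.
MONDAY = datetime(2010, 6, 14, 10, 30)
SATURDAY = datetime(2010, 6, 19, 10, 30)


def parse_config(text):
    """Collect acl lines (merged by name, as Squid does) and http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def acl_matches(kind, args, req):
    """True if an ACL of this type with these arguments matches the request."""
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "dstdomain":
        host = req["host"].lower().rstrip(".")
        for dom in (d.lower() for d in args):
            # ".example.com" matches example.com and every subdomain;
            # "example.com" matches only that exact host name.
            if dom.startswith("."):
                if host == dom[1:] or host.endswith(dom):
                    return True
            elif host == dom:
                return True
        return False
    if kind == "time":
        days, span = set(), None
        for a in args:
            if "-" in a:
                span = tuple(_minutes(p) for p in a.split("-"))
            else:
                days.update(DAY_CODES[c] for c in a)
        when = req["when"]
        if days and when.weekday() not in days:
            return False
        if span is None:
            return True
        return span[0] <= when.hour * 60 + when.minute <= span[1]
    if kind == "proxy_auth":
        # Real Squid answers a failed proxy_auth with a 407 challenge; here
        # "no credentials presented" is simply a non-match.
        return req.get("user") is not None
    raise ValueError("unsupported acl type: " + kind)


def http_access(acls, rules, req):
    """Walk http_access top to bottom; the first line whose ACLs all match wins."""
    if not rules:
        return "deny"                      # Squid: no http_access lines at all
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            kind, args = acls[term.lstrip("!")]
            if acl_matches(kind, args, req) == negate:
                break                      # this term failed, try the next line
        else:
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"


def decide(config, src, host, when, user=None):
    acls, rules = parse_config(config)
    return http_access(acls, rules,
                       {"src": src, "host": host, "when": when, "user": user})


# The page's ACLs and rules, with the site lists inlined (constructed).
PAGE_ORDER = """
acl all src 0.0.0.0/0
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain www.openfree.org .linuxhomenetworking.com
acl BadSites dstdomain www.porn.com illegal.com
http_access deny BadSites
http_access deny RestrictedHost
http_access allow home_network business_hours GoodSites
http_access deny all
"""

# Same lines, but with the catch-all deny left above the allow.
MISORDERED = PAGE_ORDER.replace(
    "http_access allow home_network business_hours GoodSites\nhttp_access deny all",
    "http_access deny all\nhttp_access allow home_network business_hours GoodSites")

if __name__ == "__main__":
    for name, conf in (("page order", PAGE_ORDER), ("misordered", MISORDERED)):
        verdict = decide(conf, "192.168.1.10", "www.openfree.org", MONDAY)
        print("%-10s 192.168.1.10 -> www.openfree.org, Monday 10:30: %s" % (name, verdict))
```

Run as is, it prints allow for a home-network request to an allowed site during business hours and deny for the same request against the misordered rules: because the first matching http_access line wins, a deny all placed above the allow line blocks everything. The model also applies Squid's rule for the case where no line matches (the opposite of the last line's action), which is why the explicit deny all at the end of the list matters.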

Restricting Web Access By IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL:

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a helper called ncsa_auth that reads a password file in NCSA (htpasswd) format. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd. It holds password hashes, so rather than making it world-readable, make it readable only by root and the user Squid runs as (cache_effective_user, squid on most distributions), which is also the user the ncsa_auth helper runs as:

[root@cdstealer tmp]# touch /etc/squid/squid_passwd
[root@cdstealer tmp]# chown root:squid /etc/squid/squid_passwd
[root@cdstealer tmp]# chmod 640 /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. Pass -m so the password is hashed with MD5 (ncsa_auth accepts these as well as crypt hashes): older htpasswd versions default to crypt(3), which silently truncates passwords to 8 characters. In this case, you add a username called www:

[root@cdstealer tmp]# htpasswd -m /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@cdstealer tmp]#

3) Find your ncsa_auth file using the locate command.

[root@cdstealer tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@cdstealer tmp]#

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid for the changes to take effect.

Forcing Users To Use Your Squid Server

If you are using access controls on Squid, you should also configure your firewall to allow outbound HTTP only from the Squid server. This forces your users to browse the Web through the Squid proxy; otherwise the ACLs above are bypassed simply by clearing the browser's proxy setting.

Making Your Squid Server Transparent To Users

It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port.

Squid Transparent Proxy Configuration

Your first step will be to modify your squid.conf to create a transparent proxy. The procedure is different depending on your version of Squid.

Prior to version 2.6: In older versions of Squid, transparent proxy was achieved through the use of the httpd_accel options which were originally developed for http acceleration. In these cases, the configuration syntax would be as follows:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Version 2.6 and Beyond: Newer versions of Squid simply require you to add the word "transparent" to the default "http_port 3128" statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode.

http_port 3128 transparent

In Squid 3.1 and later the option is called intercept (transparent is deprecated), and the intercepting port should be separate from the port used by explicitly configured browsers, eg http_port 3128 plus http_port 3129 intercept, with the iptables REDIRECT below pointing at the intercept port.

Configuring iptables to Support the Squid Transparent Proxy

Only the Squid server has access to the Internet on port 80 (HTTP), because all HTTP traffic, except that coming from the Squid server, is redirected.

If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state \
        --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
        --dport 3128
iptables -A OUTPUT -j ACCEPT -m state \
        --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
        --dport 80
iptables -A INPUT -j ACCEPT -m state \
        --state ESTABLISHED,RELATED -i eth0 -p tcp \
        --sport 80
iptables -A OUTPUT -j ACCEPT -m state \
        --state ESTABLISHED,RELATED -o eth1 -p tcp \
        --sport 80

Note: This example is specific to HTTP traffic. It cannot be extended to HTTPS on TCP port 443: TLS is end-to-end, and a connection redirected to the proxy would fail the browser's certificate check, which is exactly what the protocol is designed to do. Instead, add IP masquerading statements for port 443, or any other traffic that must not be intercepted, immediately after the code snippet above, so it reaches the Internet without going through Squid.

If the Squid server and firewall are different servers, the statements are different. You need to set up iptables so that all connections to the Web, not originating from the Squid server, are actually converted into three connections; one from the Web browser client to the firewall and another from the firewall to the Squid server, which triggers the Squid server to make its own connection to the Web to service the request. The Squid server then gets the data and replies to the firewall which then relays this information to the Web browser client. The iptables program does all this using these NAT statements:

iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100 \
        -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
        -d 192.168.1.100 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 \
        -i eth1 -o eth1 -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 \
        -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED \
        -p tcp --sport 3128 -j ACCEPT

In the first statement all HTTP traffic from the home network except from the Squid server at IP address 192.168.1.100 is redirected to the Squid server on port 3128 using destination NAT (current iptables only accepts the negation written as "! -s"; the older "-s !" form is rejected). The second statement makes this redirected traffic also undergo source NAT to make it appear as if it is coming from the firewall itself. The FORWARD statements are used to ensure the traff is allowed to flow to the Squid server after the NAT process is complete. The unusual feature is that the NAT all takes place on one interface; that of the home network (eth1). A consequence of the SNAT is that Squid sees every client as 192.168.1.1: access.log and any src-based ACL on the Squid server (such as RestrictedHost above) will see the firewall's address rather than the real client, so per-host restrictions have to be enforced on the firewall in this layout.

You will additionally have to make sure your firewall has rules to allow your Squid server to access the Internet on HTTP TCP port 80.

Manually Configuring Web Browsers To Use Your Squid Server

If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser.

For example, to make these changes using Internet Explorer

  1. Click on the "Tools" item on the menu bar of the browser.
  2. Click on "Internet Options"
  3. Click on "Connections"
  4. Click on "LAN Settings"
  5. Configure with the address and TCP port (3128 default) used by your Squid server.

Here's how to make the same changes using Mozilla or Firefox.

  1. Click on the "Edit" item on the browser's menu bar.
  2. Click on "Preferences"
  3. Click on "Advanced"
  4. Click on "Proxies"
  5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration"

Squid Disk Usage

Squid uses the /var/spool/squid directory to store its cache files. High usage squid servers need a large amount of disk space in the /var partition to get optimum performance.

Every webpage and image accessed via the Squid server is logged in the /var/log/squid/access.log file. This can get quite large on high usage servers. Fortunately, the logrotate program automatically purges this file.

Troubleshooting Squid

Squid logs both informational and error messages to files in the /var/log/squid/ directory. It is best to review these files first whenever you have difficulties. The squid.out file can be especially useful as it contains Squid's system errors.

Another source of trouble is a squid.conf statement that is syntactically fine but does not say what you meant, so Squid reports no error at all; a wrong hours-of-access range or a permitted network that was never added to an http_access line are two common examples.

Conclusion

Tools such as Squid are popular with many company managers. By caching images and files on a server shared by all, Internet bandwidth charges can be reduced.

Squid's password authentication feature is well liked because it allows only authorized users to access the Internet as a means of reducing usage fees and distractions in the office. Unfortunately, an Internet access password is usually not viewed as a major security concern by most users who are often willing to share it with their colleagues. Although it is beyond the scope of this book, you should consider automatically tying the Squid password to the user's regular login password. This will make them think twice about giving their passwords away. Internet access is one thing, letting your friends have full access to your e-mail and computer files is quite another.

Taken from LinuxHomeNetworking

gitorrent

Get giTorrent

Download gitorrent and unzip it into your webroot.

For this I created a sub directory "gitorrent" and unpacked into there.

Configure:

GITORRENT:

Edit gitorrent/gihome/JSXAPPS/giTorrent/giTorrentConfig.xml and enter your details.

Security:

.HTACCESS:
For me, I do the following in a .htaccess.  This forces SSL and HTTP Basic authentication, so neither the GUI nor the credentials are ever exposed over plain HTTP:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "cdstealer.com"
ErrorDocument 403 https://cdstealer.com/error/403.html
AuthType Basic
AuthUserFile /path/to/my/htpasswd
AuthName "Please enter your username and password."
require valid-user

I believe if everything is correct and has been restarted ie apache & rtorrent, pointing your browser to https://<your_domain>/gitorrent/apps/giTorrent.html should start the GUI.  If you have no active torrents, clicking on the "settings" tab should display completed port settings etc.  This shows that everything is working.

Rtorrent Web GUI

Sometimes you just don't have ssh access to your server ;)  This is where web based applications come in really handy.  There are a few web frontends for rtorrent.  See here

I'm not going to go into detail on how to setup rtorrent or apache, only how to setup for the guis.

Install the apps:

Emerge rtorrent with xmlrpc enabled:
net-p2p/rtorrent-0.8.6-r1  USE="ipv6 xmlrpc -daemon -debug"

Emerge the scgi apache module:
www-apache/mod_scgi-1.13

Emerge xmlrpc
dev-java/xmlrpc-2.0.1  USE="-doc -examples -source -test"

Configure:

APACHE:
Add "-D SCGI" to APACHE2_OPTS in /etc/conf.d/apache2
Add "LoadModule scgi_module modules/mod_scgi.so" to /etc/apache2/httpd.conf
Add "SCGIMount /RPC2 127.0.0.1:5000" in the <VirtualHost _default_:443> of /etc/apache2/vhosts.d/00_default_ssl_vhost.conf (you can also do this in the non-SSL vhost, but then the GUI's password and the RPC traffic go over plain HTTP).  Whichever vhost you use, protect /RPC2 with the same authentication as the GUI (eg a <Location /RPC2> block carrying the AuthType/AuthUserFile/require lines used for gitorrent): rtorrent's XML-RPC interface includes commands that run shell commands on the server, so an unauthenticated /RPC2 is remote command execution for anyone who can reach the web server.

RTORRENT:
Add "scgi_port = localhost:5000" to your ~/.rtorrent.rc file

That should be the ground work for most frontends as rtorrent only uses XMLRPC.

Frontends (gentoo stylee)

GITORRENT

Roundcube Webmail

You will need to have mysql and apache installed and running!

Install it:

# emerge -av roundcube
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] dev-libs/libmcrypt-2.5.8-r1 1,304 kB
[ebuild N ] app-admin/php-toolkit-1.0.1 6 kB
[ebuild NS ] sys-devel/automake-1.10.3 [1.9.6-r3, 1.11.1] 0 kB
[ebuild N ] app-admin/webapp-config-1.50.16-r1 102 kB
[ebuild N ] media-libs/t1lib-5.1.2 USE="X -doc" 1,829 kB
[ebuild N ] net-libs/c-client-2007e USE="pam ssl -kolab" 2,725 kB
[ebuild N ] virtual/httpd-cgi-0 0 kB
[ebuild N ] app-text/aspell-0.60.6-r1 USE="nls -examples" LINGUAS="en -af -be -bg -br -ca -cs -cy -da -de -el -eo -es -et -fi -fo -fr -ga -gl -he -hr -is -it -la -lt -nl -no -pl -pt -pt_BR -ro -ru -sk -sl -sr -sv -uk -vi" 1,737 kB
[ebuild N ] app-dicts/aspell-en-6.0.0 179 kB
[ebuild N ] dev-lang/php-5.2.13 USE="apache2 berkdb bzip2 cli crypt ctype curl gd gdbm iconv imap ipv6 json mysql ncurses nls pcre posix readline reflection session sockets spell spl ssl truetype unicode xml xmlrpc xpm zip zlib -adabas -bcmath -birdstep -calendar -cdb -cgi -cjk -concurrentmodphp -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd-external -gmp -hash -inifile -interbase -iodbc (-java-external) -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 -oci8-instant-client -odbc -pcntl -pdo -pic -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -solid -sqlite -suhosin -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -wddx -xmlreader -xmlwriter -xsl -yaz" 8,882 kB
[ebuild N ] dev-php/PEAR-PEAR-1.9.0 285 kB
[ebuild N ] virtual/httpd-php-5.2 0 kB
[ebuild N ] mail-client/roundcube-0.3.1 USE="mysql spell ssl -ldap -postgres -vhosts" 1,873 kB

Once installed, you will need to set up the database:

Log in to mysql as root and run the two statements below (change the username and password to suit), then quit:

CREATE DATABASE roundcubemail DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
\q

Import the tables etc:

mysql -uroot -p roundcubemail < /var/www/localhost/htdocs/roundcube/SQL/mysql.initial.sql

Edit the files in /var/www/localhost/htdocs/roundcube/config/

db.inc.php = Database details.  username, password and DB... nuff said!

main.inc.php = email server details and security.
Go through this file with a fine tooth comb.. there are many very important options.

Or you can enable the $rcmail_config['enable_installer'] = true; option in main.inc.php.  SET TO FALSE WHEN FINISHED!!!!!

You may need to enable $rcmail_config['auto_create_user'] = TRUE; for the first time login to create the user.  SET TO FALSE WHEN FINISHED!!!!!

That's more or less it for the installation.

Gentoo Multiboot CD

I've not seen this anywhere on t'interweb so this is what I have done so far which seems to work.

Only for arch x86 & amd64.

Tools & Files.

Syslinux Version 3.86 at the time of writing this.

Grub (more commonly used)

Gentoo (amd64, x86) You'll need the iso files.
Stage3 and portage archives are optional, but handy to get the install started.

Prep.

Create a folder somewhere.  This will be the root of the DVD

ISOLINUX METHOD

Unpack the syslinux archive.

cd in the syslinux directory and run "make".

cd back into the root of the DVD directory.

mkdir -p boot/isolinux

cp syslinux/com32/menu/vesamenu.c32 boot/isolinux (needed for boot menu)
cp syslinux/core/isolinux.bin boot/isolinux (needed to boot)

create isolinux.cfg in boot/isolinux (needed for boot menu)
put a 640x480 png image in boot/isolinux (optional background)

GRUB METHOD

mkdir -p boot/grub

cp /boot/grub/stage2_eltorito boot/grub (needed boot image)
cp /boot/grub/splash.xpm.gz boot/grub (optional background picture)

create menu.lst in boot/grub (needed for boot menu)

put the stage and portage archives in the root folder of your CD. (optional)

touch livecd in the root folder of your CD. (needed for livecd to load)

mount each iso and copy the gentoo.efimg and image.squashfs files into the root folder of your CD.  (contains the gentoo environment)
I found here that you will need to rename the files.  I just replaced "gentoo" & "image" with the arch.
ie x86.efimg & amd64.efimg etc
copy the gentoo.efimg.mountPoint directory into the root folder of your CD.  (contains the kernel and initrd)
Again replacing the "gentoo" with the arch.

Create the ISO.

cd outside of the root of your CD folder and run

ISOLINUX METHOD

mkisofs -N -V gentoo -b boot/isolinux/isolinux.bin -d -iso-level 4 -no-emul-boot -boot-load-size 4 -boot-info-table -o Gentoo.iso gentoo-multiboot

(the isolinux.bin path is relative to your CD root; gentoo-multiboot is the name of the directory that is the root of your CD)

GRUB METHOD

mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -o Gentoo.iso gentoo-multiboot

Testing.

I have qemu installed but any VM will do.

qemu -k en-gb -enable-kvm -m 1024 -cpu qemu32 -cdrom Gentoo.iso -boot d

note: Add "-vnc :0.0" if qemu is on a remote server, then just VNC to it :)  qemu's VNC server has no password by default, so bind it to localhost (-vnc 127.0.0.1:0) and reach it through an ssh tunnel rather than exposing it on the server's address.

Jack-3.1.1

Jack (not to be confused with the jackd audio daemon) is a cdripper for Linux written in python.  You can download it via your package manager or from the home site.  I have found on Gentoo and Fedora that jack depends on python-2.4, which is a pain as just about everything else builds against python-2.5 or higher, and that causes problems.  I was forever getting:

$ jack
Traceback (most recent call last):
 File "/usr/bin/jack", line 42, in <module>
 import jack_argv
 File "/usr/lib/python2.6/site-packages/jack_argv.py", line 22, in <module>
 import jack_utils
 File "/usr/lib/python2.6/site-packages/jack_utils.py", line 26, in <module>
 import jack_functions
 File "/usr/lib/python2.6/site-packages/jack_functions.py", line 222
 def starts_with(str, with):
                         ^
SyntaxError: invalid syntax

I had my fill of fixing this every time I needed to rip a cd, so I fixed it.  All you need to do after it has been installed is run this script: jack python-2.6 patch

If you look at the script, you'll see that it just changes any definitions from starts_with to startswith.
Another common problem is a gcc memory leak.  To fix this, add MALLOC_CHECK_=1 at the start of your command.  I have added this as an alias in my .bash_profile, eg.

alias jackflac='MALLOC_CHECK_=1 jack --device=/dev/sr0 --append-year=yes --dir-template "%a/%l" -C -Q -R --rename-fmt "%n - %a - %l - %t" --workdir /home/cdstealer/Desktop/ -E flac'

alias jackmp3='MALLOC_CHECK_=1 jack --device=/dev/sr0 --append-year=yes --dir-template "%a/%l" -C -Q -R --rename-fmt "%n - %a - %l - %t" --workdir /home/cdstealer/Desktop/ -E lame --vbr=no -b 320 -e 2 --write-id3v2=yes'

Please make sure that jack and its dependencies have been built against python-2.6+.

dev-python/id3-py
dev-python/cddb-py
dev-python/pyogg
media-libs/id3lib
dev-python/pyid3lib
dev-python/pyvorbis
media-sound/jack

I edited the files below to add high quality and forced stereo.  Just add "-q0 -ms" to the end of the 4 lines in each file.  eg:

'cmd': "lame --preset cbr %r --strictly-enforce-ISO %i %o -q0 -ms",
'vbr-cmd': "lame -V %q --vbr-new --nohist --strictly-enforce-ISO %i %o -q0 -ms",
'otf-cmd': "lame --preset cbr %r --strictly-enforce-ISO - %o -q0 -ms",
'vbr-otf-cmd': "lame -V %q --vbr-new --nohist --strictly-enforce-ISO - %o -q0 -ms",

/usr/lib/python2.6/site-packages/jack_helpers.py
/usr/lib/python2.6/site-packages/jack_main_loop.py
/usr/lib/python2.6/site-packages/jack_plugin_lame.py

DNS/DHCP server

Generating an RNDC key.

The rndc tool is used to manage the named daemon.
We need to generate a keyfile called /etc/bind/rndc.key, which is referenced by both /etc/bind/rndc.conf and /etc/bind/named.conf.

To do this we use the following command:

# rndc-confgen -a -c /etc/bind/rndc.key

BIND (NAMED) /etc/bind/named.conf

IP addresses and host names have obviously been changed.. I'm not *THAT* stupid ;)

The config file

Forwarder file: /etc/bind/pri/forwarddns

The config file

Reverse zone: /etc/bind/pri/reversedns

The config file

Troubleshooting Bind

Depending on your connection/setup you may see the following in your log.

09-Feb-2011 11:19:14.234 edns-disabled: info: success resolving 'markmail.org/AAAA' (in 'org'?) after disabling EDNS

or

09-Feb-2011 11:18:38.986 edns-disabled: info: success resolving 'lists.isc.org/A' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets

These on their own are harmless enough.. they just flood your log :)  They can be turned off by adding the following to your named.conf:

logging {
category lame-servers {null; };
category edns-disabled { null; };
};

Another issue I came across at the same time as the above was that 95% of all my DNS requests were timing out.  This, coincidentally, was when I upgraded my internet connection to 30Mbit VirginMedia with a "super hub".   I found this was caused by the "IP flood protection" in the router settings.  Disabling this solved the timeout issue and also stopped any edns errors flooding the logs.

You may receive one or both of the following lines in the bind log.

pri/example.com.signed:10: signature has expired

To remedy this, run the following command (manual signing only):

cd /etc/bind/pri
dnssec-signzone -A -3 $(head -c 10 /dev/random | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com

OR

/var/bind/named.cache:2: signature has expired

To remedy this, run the following command:

/usr/bin/wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/root.zone -O /var/bind/named.cache
/usr/sbin/rndc reload
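
A way to catch the "signature has expired" condition before named logs it: the check below reads a signed zone in dnssec-signzone's output format and reports every RRSIG whose expiration is already in the past, so it can run from cron ahead of the re-sign above.  This is an added example, not from the original post; the function names and the constructed sample zone are this example's own, the signatures in the sample are dummies, and "now" is passed in as YYYYMMDDHHMMSS (UTC, the same form dnssec-signzone writes), e.g. $(date -u +%Y%m%d%H%M%S).

```shell
# rrsig_expiry_check <signed-zone-file> <now-YYYYMMDDHHMMSS>
# Prints "owner type-covered expiration" per expired RRSIG; returns 1 if any.
rrsig_expiry_check() {
    awk -v now="$2" '
        /^[^ \t;]/ { owner = $1 }            # a line starting a new owner name
        # dnssec-signzone wraps RDATA in ( ... ) over several lines: glue them back
        /\(/ && !/\)/ { buf = $0; joining = 1; next }
        joining {
            buf = buf " " $0
            if ($0 !~ /\)/) next
            joining = 0; gsub(/[()]/, " ", buf); $0 = buf
        }
        $0 ~ /[ \t]RRSIG[ \t]/ {
            for (i = 1; i <= NF; i++) if ($i == "RRSIG") break
            # RDATA after RRSIG: covered alg labels orig-ttl expiration inception keytag signer sig
            covered = $(i + 1); expiry = $(i + 5)
            if (expiry + 0 < now + 0) { print owner, covered, expiry; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample in dnssec-signzone output style with dummy signatures,
# used only to exercise the check; the SOA RRSIG is the one that has lapsed.
make_demo_zone() {
    cat > "$1" <<'EOF'
; constructed sample, not a real zone
example.com.            86400   IN SOA  ns1.example.com. hostmaster.example.com. (
                                        2015111501 ; serial
                                        86400      ; minimum
                                        )
                        86400   RRSIG   SOA 8 2 86400 (
                                        20151215172130 20151115172130 12951 example.com.
                                        AAAA== )
                        86400   NS      ns1.example.com.
                        86400   RRSIG   NS 8 2 86400 (
                                        20160315172130 20160215172130 12951 example.com.
                                        BBBB== )
www.example.com.        86400   IN A    192.0.2.10
                        86400   RRSIG   A 8 3 86400 20160315172130 20160215172130 12951 example.com. CCCC==
EOF
}
```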

CHROOT

If you are security conscious then you can "jail" the named process, which, if broken into, will lock the perp in the chrooted named directories only... as these files are replaced upon restarting bind, it doesn't matter if they are damaged/compromised.

To set up a chroot environment, just do the following.

1) Setup named as above so that everything is working.
2) Uncomment 'CHROOT="/chroot/dns"' in /etc/conf.d/named
3) execute emerge --config net-dns/bind
4) restart named

You should get the following:

* Starting chrooted named ...
* Mounting chroot dirs
* mounting /etc/bind to /chroot/dns/etc/bind
* mounting /var/bind to /chroot/dns/var/bind
* mounting /var/log/named to /chroot/dns/var/log/named [ ok ]

DNSSEC

Automagically

In the "options" block of named.conf, make sure the below lines are present.

dnssec-enable yes;
dnssec-validation yes;
key-directory "/var/bind/pri";
inline-signing yes;

Further down where your zones are defined, you should have something like this.

zone "example.com" IN {
type master;
file "pri/example.com";
notify yes;
allow-update { key "rndc-key"; };
inline-signing yes;
auto-dnssec maintain;
};

Restart named and you should see the following files for each zone with inline-signing enabled.

example.com
example.com.jbk
example.com.jnl
example.com.signed
example.com.signed.jnl

The auto signing way seems to be more reliable, as with the manual method named would randomly fail to find the private keys several times per day.

Manually

In /etc/bind/named.conf, ensure the following are present in the options block:

dnssec-enable yes;
dnssec-validation yes;
key-directory "/var/bind/pri";

Next cd to either /var/bind/pri or /etc/bind/pri.

Now we'll create a Zone Signing Key (ZSK):

dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com

Note: You need to generate entropy or this will take hours. Start a big emerge or fire up a VM.

Next we'll create a Key Signing Key (KSK)

dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com

Note: You need to generate entropy or this will take hours. Start a big emerge or fire up a VM.

You should have 1 pair of KSK and ZSK files.

Kexample.com.+008+00712.key
Kexample.com.+008+00712.private
Kexample.com.+008+12951.key
Kexample.com.+008+12951.private

Now add the key files to the bottom of the zone file. eg

$INCLUDE Kexample.com.+008+00712.key
$INCLUDE Kexample.com.+008+12951.key

Now we need to sign the zone file:

dnssec-signzone -A -3 $(head -c 10 /dev/random | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com

This creates a new file named example.com.signed which contains RRSIG records for each DNS record. We have to tell BIND to load this "signed" zone.
Open the bind config file /etc/bind/named.conf and point the file entry in the zone block at the signed file. eg

zone "example.com" IN {
        type master;
        file "pri/example.com.signed";
        notify yes;
        allow-update { key "rndc-key"; };
        inline-signing yes;
};

That's it. Reload/restart bind and you should be golden ;)

If you're using a 3rd party DNS, you will need to add the DS and DNSSEC public keys.

There should be a dsset-example.com file within /var/bind/pri, cat this and you will see:

example.com. IN DS 8449 10 2 817AC0B85419C947608AAF54ED52F137137DA157F3B86C1B08509495 5E917C14

You may have several .key files, if you need to add another DS record, you can run the command:

dnssec-dsfromkey <Kexample.com....key>

Add the output to the dsset-example.com file and also the external nameserver provider.

Note: Remove the space from the digest before adding the record.
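
The dsset file prints the digest with a space in it, and a digest pasted with a missing or extra character leaves validators treating the zone as bogus.  The function below, an added example rather than anything from the original post, joins the digest and checks its length against the digest type; the function name is this example's own and it assumes the "owner class DS keytag alg digest-type digest" layout shown above.

```shell
# ds_normalize <ds-record-line>
# Prints the record with the digest as one hex string; returns 1 if the digest
# is not clean hex of the length its type requires
# (1 = SHA-1: 40 chars, 2 = SHA-256: 64, 4 = SHA-384: 96).
ds_normalize() {
    set -- $1                                   # split the record into fields
    [ "$3" = "DS" ] || { echo "not a DS record: $*" >&2; return 2; }
    owner=$1 class=$2 keytag=$4 alg=$5 dtype=$6
    shift 6
    # everything left is the digest, possibly split by whitespace
    digest=$(printf '%s' "$*" | tr -d ' ' | tr 'a-f' 'A-F')
    case $dtype in
        1) want=40 ;;
        2) want=64 ;;
        4) want=96 ;;
        *) echo "unknown digest type $dtype" >&2; return 2 ;;
    esac
    echo "$owner $class DS $keytag $alg $dtype $digest"
    case $digest in *[!0-9A-F]*) return 1 ;; esac  # non-hex characters
    [ "${#digest}" -eq "$want" ]
}
```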

We would also need to add the corresponding DNSSEC public key.  To do this, we need to cat the contents:

# cat /var/bind/keys/Kexample.com.+010+08449.key
; This is a key-signing key, keyid 8449, for example.com.
; Created: 20151115172130 (Mon Nov 15 17:21:30 2015)
; Publish: 20151115172130 (Mon Nov 15 17:21:30 2015)
; Activate: 20151115172130 (Mon Nov 15 17:21:30 2015)
example.com. IN DNSKEY 257 3 10 AwEAAdi4syP6xRyXjjGngSvFn51GR85AvWSqUCyST9CM6tJWEiRwEpTJ ....

Unfortunately this was unavailable with the provider I was with.

Testing

To verify that DNSSEC is used by the 3rd party nameservers, you can use this tool: https://dnssec-analyzer.verisignlabs.com/

You can also test your internal DNS by executing:

named-checkzone -D -f raw -o - example.com example.com.signed

This will dump the zone, including the signature (RRSIG) records for each entry in the zone file.

# named-checkzone -D -f raw -o - cdstealer.com cdstealer.com.signed
zone cdstealer.com/IN: loaded serial 201421440 (DNSSEC signed)...

How to set up a DHCP server that will update the DNS records in bind.

DHCP /etc/dhcp/dhcp.conf

The config file

Then add the following to the top of /etc/conf.d/named

OPTIONS="-4"
ENABLE_ZONE_WRITE=yes

Now restart named & dhcpd. If you get any errors, check /var/log/messages and double check your work.