Categories
System Administration

A lesson in software licenses

Just a quick remark: an “aptitude install ddd” showed that this package depends on lesstif2, an Open Source re-implementation of the Motif GUI library.

Most of the readers here will never have heard of Motif.

Back when I started working with X, there were two competing GUI standards: OpenLook and Motif. Free Software (the term Open Source wasn’t invented yet) stuck to the basic Athena Widgets or (later) used Tk. Despite the strict licensing scheme of Motif some projects (e.g. the original Mosaic Browser) went with Motif nevertheless — motivating the Lesstif project.

It could have owned the Unix GUI market, but it wasn’t compatible with free software, so it lost the battle for developer mindshare and fell into obscurity. Qt almost made the same mistake, but they were a bit more liberal in the beginning and as GTK took off, they had to open up even more to stay relevant.

In other words, the decision not to support free software with Motif killed it.

Categories
System Administration

Dear Cisco

I’m doing a bit of network monitoring with SNMP again, and stumbled upon yet another Cisco SNMP bug. Back when I wrote the pan-European NMS for KPNQwest, I had to work around a good number of bugs in the IOS SNMP agent, but this time it’s a bug in the MIB file:

Using the CISCO-BGP4-MIB, I can graph the state of my BGP peerings. All fine, when looking at


    CbgpPeerAddrFamilyPrefixEntry ::= SEQUENCE {
        cbgpPeerAcceptedPrefixes        Counter32,
        cbgpPeerDeniedPrefixes          Gauge32,
        cbgpPeerPrefixAdminLimit        Unsigned32,
        cbgpPeerPrefixThreshold         Unsigned32,
        cbgpPeerPrefixClearThreshold    Unsigned32,
        cbgpPeerAdvertisedPrefixes      Gauge32,
        cbgpPeerSuppressedPrefixes      Gauge32,
        cbgpPeerWithdrawnPrefixes       Gauge32
        }

you notice that the Gauge32 vs. Counter32 types are mixed up.

cbgpPeerAcceptedPrefixes is the only Gauge here, whereas cbgpPeerDeniedPrefixes, cbgpPeerAdvertisedPrefixes, cbgpPeerSuppressedPrefixes and cbgpPeerWithdrawnPrefixes are actually Counters, e.g.


    cbgpPeerWithdrawnPrefixes  OBJECT-TYPE
        SYNTAX      Gauge32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
                "This counter is incremented when a route prefix,
                 which belongs to an address family, is withdrawn on
                 this connection. It is initialized to zero when the
                 connection is undergone a hard reset."
        ::= { cbgpPeerAddrFamilyPrefixEntry 8 }
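As an added example (not from the post and not from Cisco’s MIB), here is what the mix-up does to a monitoring script: a true counter has to be differenced, with wrap-around at 2^32, before it can be graphed as a rate, while a true gauge is graphed as-is. Feeding the MIB’s declared types to the samples below (constructed, not real router data) produces nonsense in both directions, which is exactly what a grapher driven by the MIB file would draw.

```python
# Added example: Counter32 vs. Gauge32 handling for the objects quoted above.
# Object names are from the CISCO-BGP4-MIB excerpt; the samples are constructed.

COUNTER32_MODULUS = 2 ** 32

# Constructed poll samples, (seconds, value), polled every 5 minutes.
SAMPLES = {
    # Behaves as a gauge: the current number of accepted prefixes, up and down.
    "cbgpPeerAcceptedPrefixes": [(0, 812000), (300, 812120), (600, 811990)],
    # Behaves as a counter despite SYNTAX Gauge32: monotonic, wraps at 2^32.
    "cbgpPeerWithdrawnPrefixes": [(0, 4294967000), (300, 4294967200), (600, 150)],
}

# Types as declared in the MIB vs. the behaviour the DESCRIPTION clauses document.
DECLARED = {"cbgpPeerAcceptedPrefixes": "Counter32",
            "cbgpPeerWithdrawnPrefixes": "Gauge32"}
ACTUAL = {"cbgpPeerAcceptedPrefixes": "Gauge32",
          "cbgpPeerWithdrawnPrefixes": "Counter32"}


def counter_delta(prev, cur, modulus=COUNTER32_MODULUS):
    """Difference of two counter readings, correcting a single wrap-around."""
    if cur >= prev:
        return cur - prev
    return cur + modulus - prev


def rate_per_second(samples):
    """Per-interval rates for a counter object, wrap-aware."""
    rates = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        rates.append(counter_delta(v0, v1) / (t1 - t0))
    return rates


def as_gauge(samples):
    """Plot-ready series for a gauge object: the raw values."""
    return [value for _, value in samples]


def graph_series(samples, kind):
    """What a grapher plots given the type it believes the object has."""
    if kind == "Counter32":
        return rate_per_second(samples)
    if kind == "Gauge32":
        return as_gauge(samples)
    raise ValueError("unknown SMI type %r" % kind)


if __name__ == "__main__":
    for name, samples in SAMPLES.items():
        print(name)
        print("  per MIB (%s):   %s" % (DECLARED[name], graph_series(samples, DECLARED[name])))
        print("  actually (%s): %s" % (ACTUAL[name], graph_series(samples, ACTUAL[name])))
```

With the declared types, the dip in cbgpPeerAcceptedPrefixes is misread as a counter wrap and turns into a rate in the tens of millions per second, and cbgpPeerWithdrawnPrefixes is plotted as a raw value that falls off a cliff at the wrap instead of a steady rate; the description clauses, not the SYNTAX, tell you which function to apply.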

Categories
Pet Peeves System Administration

Windows 7 Fail

Initially, Windows 7 looked nice. But the longer I work with it, the more it shows the usual Windows cruft:

I already wrote about the empty lists within Windows Update. Yes, that still happens.

Hibernate does not work.

And now I tried to set up a backup, and ended up with:

Categories
System Administration

A blast from the past: mod_epp

I recently got contacted by SIDN regarding some problems with mod_epp. They were running into issues when combining mod_epp with mod_proxy and needed me to find a fix. We came to an agreement, I spent some time programming C again, and here it is: mod_epp version 1.6.

Changes:

* Bugfix: Internal EPP error messages work again
* Default value for EPPAuthURI
* New config statement: EPPReturncodeHeader
  - Backend can signal the EPP return code to mod_epp
* New feature: implicit login
  - EPPAuthURI = implicit
  - no special request to authenticate
  - the return code of the command is taken either from the HTTP error code or from EPPReturncodeHeader
* New feature: User-Agent: header is set
* Bugfix/Feature: Connection close now works with mod_proxy
  - X-Connection
  - via EPP return code
* A mod_proxy setup is now fully supported. See README.

Get it here.

Categories
System Administration

More upgrading tidbits

As mentioned before, I disabled xen before the etch->lenny upgrade. Now I’ve re-enabled xen, and the following bits may be of wider interest:

My server at the Hetzner hosting center has one static IP address and a small network that is routed towards that IP address. So my plan was to use this small network (88.198.160.176/28) for the virtual switch inside the xen Dom0 and connect all the domUs to it. I solved this the following way:

In /etc/network/interfaces I tell Debian to create the bridge and use br0 as the interface of the dom0 into that bridge:

auto br0
iface br0 inet static
        pre-up brctl addbr br0
        address 88.198.160.177
        netmask 255.255.255.248
        bridge_fd 0
        bridge_hello 0
        bridge_stp off

That way, the xen scripts themselves have little to do. The settings in /etc/xen/xend-config.sxp are:

(vif-script 'vif-bridge bridge=br0')
(network-script network-route)

In the config-file for each individual domU, I just use something like

vif  = [ 'ip=88.198.160.178,mac=00:16:3e:77:e2:79,bridge=br0' ]

but I’m not sure whether that’s actually needed at this point.
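As an added example, not from the post, here is the kind of check I would run over the domU config lines before starting a guest: it parses a vif entry like the one above and verifies that the address lies inside the routed block, is neither the network, broadcast nor dom0 address, is not already taken by another domU, and that the MAC is well-formed and inside Xen’s 00:16:3e OUI. The network, bridge name and dom0 address are the ones from the post; the other inputs in the test are constructed.

```python
# Added example: sanity-check a Xen domU vif entry against the bridge setup.
# Network, bridge and dom0 address are from the post; everything else is constructed.
import ipaddress
import re

ROUTED_NET = ipaddress.ip_network("88.198.160.176/28")   # routed towards the server
DOM0_ADDR = ipaddress.ip_address("88.198.160.177")      # address of br0 in dom0
BRIDGE = "br0"
XEN_OUI = "00:16:3e"                                    # OUI reserved for Xen virtual NICs
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_vif(entry):
    """Split 'ip=...,mac=...,bridge=...' into a dict of its key=value pairs."""
    fields = {}
    for part in entry.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed vif field: %r" % part)
        fields[key] = value
    return fields


def check_vif(entry, used_ips=(), used_macs=()):
    """Return a list of problems for one domU vif entry; an empty list means OK."""
    problems = []
    f = parse_vif(entry)

    if f.get("bridge") != BRIDGE:
        problems.append("bridge is %r, expected %r" % (f.get("bridge"), BRIDGE))

    ip = f.get("ip")
    if ip is None:
        problems.append("no ip= given")
    else:
        addr = ipaddress.ip_address(ip)
        if addr not in ROUTED_NET:
            problems.append("ip %s is outside %s" % (addr, ROUTED_NET))
        elif addr in (ROUTED_NET.network_address, ROUTED_NET.broadcast_address):
            problems.append("ip %s is the network or broadcast address" % addr)
        elif addr == DOM0_ADDR:
            problems.append("ip %s is the dom0 address" % addr)
        elif str(addr) in used_ips:
            problems.append("ip %s already assigned to another domU" % addr)

    mac = f.get("mac", "").lower()
    if not MAC_RE.match(mac):
        problems.append("mac %r is not a valid MAC address" % f.get("mac"))
    else:
        if not mac.startswith(XEN_OUI):
            problems.append("mac %s is not in the Xen OUI %s" % (mac, XEN_OUI))
        if mac in [m.lower() for m in used_macs]:
            problems.append("mac %s already assigned to another domU" % mac)
    return problems


if __name__ == "__main__":
    # The entry from the post, checked against an otherwise empty bridge.
    print(check_vif("ip=88.198.160.178,mac=00:16:3e:77:e2:79,bridge=br0"))
```

Keeping the list of addresses and MACs already handed out and passing it as used_ips/used_macs is what catches the classic copy-and-paste domU config with a duplicated MAC, which the bridge will happily accept and then deliver frames for both guests to whichever port learned the address last.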

Concerning the domUs: The hints in the Debian Wiki were helpful, especially about changes to the console handling.

Categories
System Administration

Upgrading from etch to lenny

Just in case somebody was wondering why this blog was down over the weekend:

I finally bit the bullet and upgraded my server from Debian etch to Debian lenny. And while doing that, I ran into Bug #541371.

Otherwise the upgrade was pretty painless. But as timid (some might say sane) as I am, I disabled xen before the upgrade. Getting that up and running with a new kernel will be the next step. This is especially tricky as I do not have a remote console, just the Hetzner rescue system.

Oh, and as I’m no longer running a prehistoric WordPress, this blog might get a new design sooner rather than later.

Categories
CERT System Administration

Crypt::OpenSSL::X509 and UTF-8 strings

Bumped to top due to updates.

For my current project I look at a lot of X.509 certificates using Dan Sully’s Crypt::OpenSSL::X509 Perl module. I’m not using the version from CPAN, but his current codebase straight from his git repository.

While trying to store information about certs in a PostgreSQL DB set to UTF-8, I encountered errors. Some debugging later I found that some of the certs had umlauts in the subject field. The XS code of Crypt::OpenSSL::X509 wasn’t UTF-8 aware, causing an automatic down-conversion to ISO-8859-1, which produced illegal byte sequences when parsed as UTF-8.

After some cursing and debugging I came up with this patch:


--- ../dsully-perl-crypt-openssl-x509/X509.xs 2009-03-06 22:22:44.000000000 +0100
+++ X509.xs 2009-08-17 14:46:00.000000000 +0200
@@ -73,6 +73,15 @@
return sv;
}

+static SV* sv_bio_utf8_on(BIO *bio) {
+
+ SV* sv;
+ sv = (SV *)BIO_get_callback_arg(bio);
+ SvUTF8_on(sv);
+ return sv;
+}
+
+
/*
static void sv_bio_error(BIO *bio) {

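Review bot: sv_bio_utf8_on() sets the SV's UTF-8 flag without checking that the buffer holds well-formed UTF-8, and it is called before any bytes are written, so it vouches for everything the BIO will later receive. Since OpenSSL does not validate what ASN1_STRFLGS_UTF8_CONVERT emits (Update2 below confirms this bites on real certificates), consider setting the flag in sv_bio_final() once output is complete, and only if is_utf8_string() on the PV succeeds, leaving it a byte string otherwise. A NULL check on the result of BIO_get_callback_arg() before SvUTF8_on() would also keep a BIO without an attached SV from crashing the interpreter.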
@@ -293,8 +302,10 @@
name = X509_get_issuer_name(x509);
}

+ /* this need not be pure ascii, try to get a native perl character string with utf8 */
+ sv_bio_utf8_on(bio);
/* this is prefered over X509_NAME_oneline() */
- X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC);
+ X509_NAME_print_ex(bio, name, 0, (XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT) & ~ASN1_STRFLGS_ESC_MSB);

} else if (ix == 3) {

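Review bot: in the new flag expression, "& ~ASN1_STRFLGS_ESC_MSB" has no effect: XN_FLAG_SEP_CPLUS_SPC is only a separator flag and ASN1_STRFLGS_UTF8_CONVERT is a different bit, so nothing is being cleared; either drop it or state which escape bits the call is meant to start from. As written, no escape flag is set at all, so control characters inside a name are copied into the Perl string unescaped; adding ASN1_STRFLGS_ESC_CTRL keeps the UTF-8 conversion while neutralising those. The typo in the neighbouring context line ("prefered") could be fixed in the same change.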
@@ -799,7 +810,8 @@
n = OBJ_nid2sn(nid);
}
BIO_printf(bio, "%s=", n);
- ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(name_entry));
+ sv_bio_utf8_on(bio);
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(name_entry),ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB);
RETVAL = sv_bio_final(bio);

OUTPUT:
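Review bot: the same no-op appears here: ASN1_STRFLGS_UTF8_CONVERT & ~ASN1_STRFLGS_ESC_MSB is just ASN1_STRFLGS_UTF8_CONVERT, as the two bits never overlap. If this path runs once per name entry (the OBJ_nid2sn()/BIO_printf() context suggests it does), sv_bio_utf8_on(bio) is re-applied to the same SV on every iteration; setting the flag once, or in sv_bio_final(), would be clearer. ASN1_STRING_print_ex() returns -1 on failure and the result is discarded, as it was for ASN1_STRING_print(); checking it would let a malformed entry be reported instead of silently yielding a partial string.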

Basically, this just tells the OpenSSL library to output UTF-8 and the Perl core that the new strings are encoded in UTF-8.

This might be overkill in the cases where it’s not actually needed, but it should do no harm.

Update: My patch is now in the git repository.

Update2: Life is not that easy. Looking at more X.509 certs in the wild shows that OpenSSL does not check whether it returns a valid UTF-8 string. So stay tuned for additional patches in Dan’s git repository.

Update3: My patches are now integrated in the git version.
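The failure mode described in this post, as an added example that is not part of Crypt::OpenSSL::X509 or of the patch: a consumer-side routine that validates the bytes before treating them as UTF-8, which is the check Update2 says OpenSSL does not perform. Before the patch the subject arrived as ISO-8859-1 bytes, after it as unvalidated UTF-8 bytes; both subjects below are constructed, and the ISO-8859-1 fallback is an assumption about what the pre-patch output was.

```python
# Added example (not the module's code): never set the "this is UTF-8" flag on
# bytes that have not been checked.  Sample DN values are constructed.

def is_valid_utf8(raw):
    """Python counterpart of Perl's is_utf8_string(): True if raw decodes cleanly."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def cert_field_to_text(raw):
    """Turn bytes from the BIO into text and report which decoding was used.

    Valid UTF-8 is taken as such.  Anything else is assumed to be the
    ISO-8859-1 down-conversion the pre-patch XS code produced; that decoding
    never fails, so the result can always be re-encoded as valid UTF-8 for
    the database instead of being rejected as an illegal byte sequence."""
    if is_valid_utf8(raw):
        return raw.decode("utf-8"), "utf-8"
    return raw.decode("iso-8859-1"), "iso-8859-1"


def utf8_for_db(raw):
    """Bytes that are safe to hand to a column in a UTF-8 database."""
    text, _ = cert_field_to_text(raw)
    return text.encode("utf-8")


# Constructed samples: the same subject as emitted before and after the patch.
SUBJECT_LATIN1 = b"CN=M\xfcnchen, O=Beispiel"               # pre-patch: ISO-8859-1
SUBJECT_UTF8 = "CN=München, O=Beispiel".encode("utf-8")     # post-patch: UTF-8

if __name__ == "__main__":
    for raw in (SUBJECT_LATIN1, SUBJECT_UTF8):
        print(raw, "->", cert_field_to_text(raw))
```

The fallback only works when the non-UTF-8 bytes really are ISO-8859-1; a certificate whose subject was encoded in some other 8-bit charset still decodes without error but yields the wrong characters, which is why the cleaner fix belongs in the conversion step itself, as the later patches in Dan’s repository do.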

Categories
System Administration

Fun with RT Scrips

This might be of broader interest to users of RT:

I recently hacked up a small Scrip that tries to merge new tickets generated by mail bounces into the original ticket.

This is similar to what RtBounceHandler is doing, just that it’s implemented as a scrip and not as an external program which runs on incoming mail.

I’ve added my code to the RT wiki.

Categories
Pet Peeves System Administration

Broadcom woes

The company laptop (Windows XP) of my wife came with the Broadcom software for controlling the Wifi settings.

I’ve already had so many troubles getting that box to talk WPA to my local WLAN at home (an OpenWrt Kamikaze running on an Alix box) that I switched back to WEP.

Last week I tried to get the Broadcom junk to talk WPA to the Linksys ADSL/WLAN CPE at my mother’s place. No go. Just once, for a few seconds it managed to get the TKIP key. Most of the time it failed to negotiate an AES key. Whatever.

I’m so glad I convinced her tech department to give us local admin rights. That way I finally just nuked that dysfunctional piece of sh*** and went back to the default Windows WLAN configuration tool.

That just worked.

Instantly. No hassle at all.

Categories
System Administration

Rate-limit for swatch

At work, we installed swatch to keep an eye on our combined logfiles (see techrepublic or linsec for a swatch intro).

But contrary to most of the examples, we’re using swatch not to check for known events, but to look out for unexpected entries. So basically our config is “ignore the known, send mail for the rest”:

ignore=/…/
ignore=/…/

watchfor=/./
mail=…..

This has one severe drawback: every single unexpected line in a logfile will send one mail. This just doesn’t scale.

The threshold feature won’t really help us, as it rejects notifications over its limit, whereas for email notifications it’s better to collect more messages into a single email.

So I dived into the code and added a ratelimit feature for the mail Action.

Apply the patch in Actions.pm.diff and then you can write:

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo

and joe will get no more than one mail per 10 minutes, without missing a single message.

As written, this config has one problem: I need to flush the messages I held back once I’m allowed to send mail again. In theory, I should have added some sort of timer-based event handling to swatch, but I considered that overkill, especially if you have multiple mail statements with different rate limits. So I added another option to the mail action that tells it just to flush spooled messages and do nothing more. You should trigger that option frequently, e.g. with a stanza like this at the top of your config file:

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo,rateflush=1
continue

ignore=/ /
ignore=/…/

watchfor=/./
mail=addresses=joe\@example.com,subject="swatch alert",ratelimit=600,ratetag=foo
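To make the spool-and-flush mechanics concrete, here is an added Python model of the ratelimit, ratetag and rateflush options (example code, not the Perl patch in Actions.pm.diff), run over a constructed log stream through the same three-stanza layout as the config above: the flush stanza first, then the ignores, then the catch-all mail stanza. The ignore patterns and log lines are constructed; the 600-second limit and the tag name are the ones from the post.

```python
# Added example: model of swatch's mail action with ratelimit/ratetag/rateflush.
# Not the actual patch; log lines and ignore patterns below are constructed.
import re
import time


class RateLimitedMailer:
    """Lines arriving inside a tag's quiet period are spooled, never dropped;
    the next permitted send (or a rateflush call) ships them all in one mail."""

    def __init__(self, send, clock=time.time):
        self.send = send            # callable(subject, body) that delivers a mail
        self.clock = clock          # injectable so tests can fake time
        self.spool = {}             # ratetag -> held log lines
        self.last_sent = {}         # ratetag -> timestamp of the last mail

    def mail(self, line, subject, ratelimit, ratetag, rateflush=False):
        """Handle one matched line; return True if a mail went out."""
        now = self.clock()
        if not rateflush:
            self.spool.setdefault(ratetag, []).append(line)
        held = self.spool.get(ratetag, [])
        if not held:
            return False
        if now - self.last_sent.get(ratetag, float("-inf")) < ratelimit:
            return False            # still inside the quiet period: keep spooling
        self.send(subject, "\n".join(held))
        self.spool[ratetag] = []
        self.last_sent[ratetag] = now
        return True


# Constructed log stream: (seconds since start, line).
LOG = [
    (0,   "sshd[123]: Accepted publickey for joe from 192.0.2.1"),
    (5,   "kernel: unexpected thing happened"),
    (30,  "cron[456]: (root) CMD (run-parts /etc/cron.hourly)"),
    (90,  "kernel: another unexpected thing"),
    (650, "cron[457]: (root) CMD (run-parts /etc/cron.hourly)"),
]
# Stand-ins for the "ignore the known" part of the config.
IGNORE = [re.compile(r"sshd\[\d+\]: Accepted publickey"),
          re.compile(r"cron\[\d+\]: \(root\) CMD")]


def run_config(log=LOG, ignore=IGNORE, ratelimit=600):
    """Feed the log through the flush stanza, the ignores, then the mail stanza."""
    sent = []
    now = [0]
    mailer = RateLimitedMailer(lambda subject, body: sent.append(body),
                               clock=lambda: now[0])
    for t, line in log:
        now[0] = t
        # stanza 1: watchfor=/./ mail=...,rateflush=1 then `continue`
        mailer.mail(line, "swatch alert", ratelimit, "foo", rateflush=True)
        # ignore=/.../ lines
        if any(p.search(line) for p in ignore):
            continue
        # final stanza: watchfor=/./ mail=...,ratelimit=600,ratetag=foo
        mailer.mail(line, "swatch alert", ratelimit, "foo")
    return sent


if __name__ == "__main__":
    for body in run_config():
        print("--- mail ---\n%s" % body)
```

On the constructed stream the first unexpected line goes out immediately, the second is spooled because it falls inside the 600-second window, and it is the ignored cron line at 650 seconds that triggers the flush. That is the point of putting the flush stanza at the top with `continue`: even lines that are otherwise ignored advance the spool, so delivery is delayed only until the log next moves, not until the next unexpected event.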