Archive for February, 2010
Thursday, February 25th, 2010
So I’m here setting up a simple Trac environment on a Debian 5 server, and I’m about to add the essential graphviz plugin from trac-hacks.org …
# easy_install http://trac-hacks.org/svn/graphvizplugin/0.11
Downloading http://trac-hacks.org/svn/graphvizplugin/0.11
error: Unexpected HTML page found at http://trac-hacks.org/svn/graphvizplugin/0.11
Wait, what? This exact same commandline works just fine on my laptop (Ubuntu, that is) … the URL is valid, I get the page I expect generated by subversion itself …
A quick Google later, it looks like the Debian packaged version can’t handle the latest subversion web pages. Thanks to coffeecoders.de we have a simple description of the problem & a workaround … upgrade easy_install underneath the Debian package.
# easy_install -U setuptools
Searching for setuptools
Reading http://pypi.python.org/simple/setuptools/
Best match: setuptools 0.6c11
Downloading http://pypi.python.org/packages/2.5/s/setuptools/setuptools-0.6c11-py2.5.egg#md5=64c94f3bf7a72a13ec83e0b24f2749b2
Processing setuptools-0.6c11-py2.5.egg
Moving setuptools-0.6c11-py2.5.egg to /usr/lib/python2.5/site-packages
Adding setuptools 0.6c11 to easy-install.pth file
Installing easy_install script to /usr/bin
Installing easy_install-2.5 script to /usr/bin
Installed /usr/lib/python2.5/site-packages/setuptools-0.6c11-py2.5.egg
Processing dependencies for setuptools
Finished processing dependencies for setuptools
This fixes the problem that easy_install has in grabbing resources from a subversion 1.5+ webserver. On the other hand, it breaks the checksums of the files installed by the python-setuptools package …
# cd /
# md5sum -c /var/lib/dpkg/info/python-setuptools.md5sums
usr/bin/easy_install: FAILED
usr/bin/easy_install-2.5: FAILED
usr/bin/easy_install-2.4: OK
...
md5sum: WARNING: 2 of 53 computed checksums did NOT match
If you’re in the habit of verifying binaries against the package contents (e.g. with debsums), you need to know what you have just done … and look out for any upgrades of this package too (well, you could always pin this version in place, but let’s hope any future update of python-setuptools fixes this bug, eh).
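To keep a record of exactly which packaged files were replaced, the md5sum check above can be wrapped so it lists only the divergent paths. This is an added example, not part of the original post; the function names and the sample tree are constructed for illustration, and it assumes GNU md5sum output.

```shell
#!/bin/sh
# Added example: list files that no longer match a dpkg-style md5sums manifest.

# audit_manifest MANIFEST [ROOT]
# Prints "modified <path>" or "missing <path>" for each divergent file.
# MANIFEST must be an absolute path; its entries are relative to ROOT
# ("/" on a real system, which is why the post runs "cd /" first).
audit_manifest() {
    manifest=$1
    root=${2:-/}
    ( cd "$root" || exit 2
      # md5sum exits non-zero on any mismatch; only its per-file lines matter here.
      LC_ALL=C md5sum -c "$manifest" 2>/dev/null || : ) |
    while IFS= read -r line; do
        case $line in
            *": FAILED open or read") echo "missing ${line%: FAILED open or read}" ;;
            *": FAILED")              echo "modified ${line%: FAILED}" ;;
        esac
    done
}

# Constructed sample tree standing in for a package's files (not real dpkg data).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin"
    for f in easy_install easy_install-2.4 easy_install-2.5; do
        echo "packaged $f" > "$t/usr/bin/$f"
    done
    ( cd "$t" && md5sum usr/bin/* > manifest.md5sums )
    # Simulate "easy_install -U setuptools" overwriting two packaged scripts.
    echo 'installed from egg' > "$t/usr/bin/easy_install"
    echo 'installed from egg' > "$t/usr/bin/easy_install-2.5"
    echo "$t"
}

tree=$(make_sample_tree)
audit_manifest "$tree/manifest.md5sums" "$tree"
rm -rf "$tree"
```

On a real host the call would be audit_manifest /var/lib/dpkg/info/python-setuptools.md5sums, and the saved output documents the expected failures for later integrity checks.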
Wednesday, February 24th, 2010
A Linux/Unix server usually needs to be able to send email, even if only for internal reporting purposes. There’s no point in having a full-featured mail server for this, so you should configure the server to send messages via some other MTA, a “smarthost”. This could be one of your own machines, or perhaps it’s one belonging to your ISP.
Of course, when submitting to the smarthost you need to be able to differentiate yourself from spammers; this generally means you have to authenticate yourself. And if you’re doing that, it should be over an encrypted connection and you should authenticate the smarthost too. Let’s see a minimal Exim configuration that does just that …
# This is the Exim4 configuration for "leaf node".
# It provides the following behaviour :-
# • NO SMTP listeners
# • Local process submission only
# • NO local delivery
# • qualify_domain @mydomain.tld
# • /etc/aliases remapping
# • ALL mail sent to smarthost smarthost.tld
# •• with verified TLS and AUTH/LOGIN
# •• Whitelisted at smarthost
### Main
# No SMTP listeners is not a config item, it’s based on daemon invocation
# Debian packaged exim: update-exim4defaults --queuerunner queueonly
qualify_domain = mydomain.tld
### Routers
begin routers
etc_aliases:
  driver = redirect
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
# Send everything to a smarthost
send_to_smarthost:
  driver = manualroute
  route_list = * smarthost.tld
  transport = smarthost
### Transports
begin transports
smarthost:
  driver = smtp
  hosts_require_tls = smarthost.tld
  hosts_require_auth = smarthost.tld
  tls_verify_certificates = /etc/exim4/tls/smarthost-ca.crt
### Authenticators
begin authenticators
smarthost_login:
  driver = plaintext
  public_name = LOGIN
  hide client_send = : MTAuserid : MTAuserpassword
Wednesday, February 24th, 2010
So you’re using Exim4, and you want to verify the TLS certificates of the MTA you are sending email to (especially useful if you want to use a smarthost).
Here’s my smarthost transport :-
smarthost:
  driver = smtp
  hosts_require_tls = my_smarthost
  tls_verify_certificates = /etc/exim4/tls/my_smarthost-ca.crt
I was reading Philip Hazel’s ‘The Exim SMTP mail server’, and it claimed that tls_verify_certificates could be a link to a directory instead of a single (possibly large) file.
However, there’s a gotcha … this is only possible if you are using the OpenSSL library with Exim4; the Debian 5 packaged version uses GnuTLS, and that can only accept the file version. You get a cryptic error in the logs if you try …
TLS error on connection to my_smarthost [IP Address] (setup_certs): Error while reading file.
See http://www.exim.org/exim-html-current/doc/html/spec_html/ch30.html for the clarifying documentation. To be fair, this has been ‘well known’ for many years …
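A preflight check can catch the directory-versus-file gotcha before the first delivery fails with the cryptic log line. This is an added example, not part of the original post or of Exim; the function names and sample files are constructed, the TLS library is passed in as an argument, and each tls_verify_certificates value is assumed to be a literal path without spaces.

```shell
#!/bin/sh
# Added example: preflight check for tls_verify_certificates paths.

# check_verify_certs CONFIG TLSLIB     (TLSLIB: "gnutls" or "openssl")
# Prints one verdict per tls_verify_certificates setting found in CONFIG and
# returns 1 if any of them is unusable. Assumes literal paths without spaces.
check_verify_certs() {
    conf=$1 tlslib=$2 rc=0
    paths=$(sed -n \
        's/^[[:space:]]*tls_verify_certificates[[:space:]]*=[[:space:]]*//p' "$conf")
    for p in $paths; do
        if [ -d "$p" ]; then
            if [ "$tlslib" = gnutls ]; then
                echo "FAIL $p: directory, but a GnuTLS build needs a single file"
                rc=1
            else
                echo "OK $p: directory (OpenSSL build)"
            fi
        elif [ -r "$p" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$p"; then
            echo "OK $p: file, $(grep -c -e '-----BEGIN CERTIFICATE-----' "$p") certificate(s)"
        else
            echo "FAIL $p: missing, unreadable or no PEM certificate inside"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one transport pointing at a CA directory, one at a bundle.
# The "certificates" are marker lines only, enough for the structural check.
make_sample_config() {
    d=$(mktemp -d)
    mkdir "$d/ca.d"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/smarthost-ca.crt"
    printf '%s\n' 'dir_transport:' '  driver = smtp' \
        "  tls_verify_certificates = $d/ca.d" > "$d/dir.conf"
    printf '%s\n' 'file_transport:' '  driver = smtp' \
        "  tls_verify_certificates = $d/smarthost-ca.crt" > "$d/file.conf"
    echo "$d"
}

sample=$(make_sample_config)
check_verify_certs "$sample/dir.conf" gnutls || echo "preflight failed"
check_verify_certs "$sample/file.conf" gnutls
rm -rf "$sample"
```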
Tuesday, February 23rd, 2010
I was using s3sync to copy masses of files to Amazon S3 from a customer machine, and after the first run was complete, I just re-ran the same command to check elapsed time. It failed with 403 Forbidden errors …
Looking at the detailed error, it turned out that the machine’s clock was set about 20 minutes into the future (come back Max Headroom …), and this was breaking things. Quite reasonable.
So, I installed openntpd, and set the correct time from the date command. Well, I tried to set the date … it was being ignored. Very odd.
A bit more digging later, and I realised that this machine was a Xen guest, and had been set to follow the Xen host time — in this case, you can try to set the time until you’re blue in the face, and you will be ignored (without any errors being emitted, I note. Well, that’s under Debian 4, anyway).
The long-term answer is to get the Xen host fixed — having incorrect time is terribly inexcusable. Looking at a handy Xen FAQ, the short-term fix is to decouple the guest clock using /proc/sys/xen/independent_wallclock …
# cat /proc/sys/xen/independent_wallclock
0
# echo 1 > /proc/sys/xen/independent_wallclock
# date -u --set 03:09:45
Tue Feb 23 03:09:45 UTC 2010
# date
Tue Feb 23 03:09:47 GMT 2010
Now I can continue to sync files into S3 …
Monday, February 8th, 2010
Inode is now a member of the NTP Pool, in the NZ and Oceania zones. The time server is running ntpd and is connected to NZ-based Stratum 1 & 2 time sources.
Please don’t use our server directly; instead, configure yourself to use the closest country or continental zone from pool.ntp.org:
http://www.pool.ntp.org/en/use.html
You can see the NTP Pool’s page about our server status here :-
http://www.pool.ntp.org/scores/60.234.72.6
