Bootstrap Typeahead with OnSelect
I struggled a bit with trying to get Twitter's Bootstrap autocomplete to function properly loading a dynamic array while typing and passing an ID associated with that list upon onselect. It really isn't that difficult, but I took the long way around for sure.
First, you'll need to replace bootstrap-typeahead.js with the modified version from Yavari located here. This version adds the onselect callback.
Now add a simple search form. The hidden field is filled in by the onselect callback with the ID of the chosen entry; the form's action is whatever controller handles the submitted user_id (search is a placeholder here).
<form method="post" action="search">
<input type="hidden" name="user_id" value="0" />
<input type="text" name="searchinput" value="" id="searchinput" data-provide="typeahead" data-source="[]" maxlength="30" autocomplete="off" />
<button name="submit" type="submit">Search</button>
</form>
For the PHP backend, all that needs to be printed is the result array in JSON. In this example I'm returning the user ID, first name, last name, city and state in an array from another model. The CodeIgniter framework is being used in this particular case. To keep the backend query simple, the ajax request (shown later) sends a maximum row count along with the search key. Two things to insist on server-side: the row count is client-supplied, so cast it to an integer and cap it, and the model's search_user() must pass the search key through query bindings rather than string concatenation. The lookup also discloses user records, so it belongs behind the same authentication as the rest of the application.
public function lookup_user()
{
    if ($this->input->post('ajax') == 1)
    {
        $this->load->model('User_model');
        // Never trust the client's row limit; cast it and cap it server-side.
        $max_rows = min((int) $this->input->post('max_rows'), 50);
        $retval = json_encode($this->User_model->search_user($this->input->post('search_key'), $max_rows));
        echo $retval;
    }
}
Now for the jQuery. As the user types, a query is sent to the lookup function above and the result is formatted by the JavaScript. On select, the hidden field is populated, so when the search form is submitted we can do a full lookup on the user (address, email, etc.) from the posted ID.
<script type="text/javascript">
$('#searchinput').typeahead({
    source: function(typeahead, query) {
        $.ajax({
            // CodeIgniter's site_url() helper builds the URL of the lookup_user action
            url: "<?php echo site_url('search/lookup_user'); ?>",
            dataType: "json",
            type: "POST",
            data: {
                max_rows: 15,
                search_key: query,
                ajax: 1
            },
            success: function(data) {
                var return_list = [], i = data.length;
                while (i--) {
                    return_list[i] = {
                        id: data[i].user_id,
                        value: removenull(data[i].last_name) + ', ' + removenull(data[i].first_name) +
                               ' (' + removenull(data[i].city) + ', ' + removenull(data[i].state) + ')'
                    };
                }
                typeahead.process(return_list);
            }
        });
    },
    onselect: function(obj) {
        // obj is the entry chosen from return_list above
        $('[name="user_id"]').val(obj.id);
    }
});
// Show "N/A" for null or empty fields so the dropdown label stays readable
function removenull(str) {
    if (str == null || str === '') {
        return "N/A";
    }
    return str;
}
</script>
Note that when a user is selected and the hidden field is populated, you won't see the change in the page source. After submitting the form and looking at the post array, you'll see that the ID was passed. Hope this helps!
SharePoint 2010 Error in Managed Service Accounts
When working with SharePoint 2010 Central Administration, I ran into an issue where the page would display a generic "object not set to an instance of an object" when clicking on Configure managed accounts or Configure service accounts. My specific issue was that I changed the SPTimerV4 service to use a different account; I had previously setup an sp_timer account and instead used the sp_farm account. This is changed on the OS level since it is not listed in the Configure service accounts.
Where I went wrong is that I deleted the sp_timer account out of Active Directory before I removed it from Configure managed accounts. It seems that SharePoint should be able to handle this change, but it doesn't. Re-create the domain account that you removed in Active Directory. Then open the SharePoint 2010 Management Shell, being sure to run it As Administrator. The following commands remove the account from the list of managed accounts (replace DOMAIN\sp_timer with the account you deleted):
$rmacct = Get-SPManagedAccount -Identity "DOMAIN\sp_timer"
# make sure the variable output is coming up and there are no typos
$rmacct
Remove-SPManagedAccount $rmacct
Now you should be able to load the Central Administration pages that were giving errors before. Feel free to remove the old account from Active Directory again.
NIC Teaming on Debian Squeeze
NIC teaming on Debian Squeeze is incredibly easy. You'll need to know first what type of team you'd like to create:
- mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
- mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
- mode=2 (balance-xor) XOR policy: Transmit based on source MAC address XOR'd with destination MAC address. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
- mode=3 (broadcast) Broadcast policy: Transmits everything on all slave interfaces. This mode provides fault tolerance.
- mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation: Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification. Requires ethtool support in the base drivers for retrieving the speed and duplex of each slave, and a switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.
- mode=5 (balance-tlb) Adaptive transmit load balancing: Channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave. Requires ethtool support in the base drivers for retrieving the speed of each slave.
- mode=6 (balance-alb) Adaptive load balancing: Includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.
Once you choose your team method, install the ifenslave package:
apt-get install ifenslave
Now open /etc/network/interfaces and add the bonded interface. The slave NICs must not have stanzas of their own; the bond brings them up:
auto bond0
iface bond0 inet static
    address 192.168.20.20
    netmask 255.255.255.0
    broadcast 192.168.20.255
    network 192.168.20.0
    gateway 192.168.20.1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200
    slaves eth0 eth1
Note that bond_mode is the teaming option you selected above. Restart networking with /etc/init.d/networking restart, or reboot the server to ensure the team comes up after a shutdown. Then check /proc/net/bonding/bond0 to confirm both slaves are listed with MII Status up and that the active slave is the one you expect.
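The check above can be scripted. The following is an added example, not part of the original post: it parses the /proc/net/bonding/bond0 file the bonding driver exposes and reports the mode, the active slave and how many slaves have link. write_sample_bond creates a constructed copy of that file (one slave down) so the script runs on a machine without bonded NICs; on the server, pass the real path.

```sh
#!/bin/sh
# Added example: verify a Linux bond by parsing /proc/net/bonding/<bond>.
# The sample file written by write_sample_bond is constructed for this demo.

# bond_summary FILE -> "mode=<mode> active=<slave> up=<n> down=<n>[ failed: <slaves>]"
bond_summary() {
    awk '
        /^Bonding Mode:/           { sub(/^Bonding Mode: */, ""); mode = $0 }
        /^Currently Active Slave:/ { active = $NF }
        /^Slave Interface:/        { slave = $NF }
        # the first "MII Status" line belongs to the bond itself; count only the per-slave ones
        /^MII Status:/ && slave != "" {
            if ($NF == "up") up++; else { down++; failed = failed " " slave }
            slave = ""
        }
        END { printf "mode=%s active=%s up=%d down=%d%s\n", mode, active, up, down, (failed != "" ? " failed:" failed : "") }
    ' "$1"
}

# bond_healthy FILE [MIN_UP] -> exit 0 if at least MIN_UP (default 2) slaves report link up
bond_healthy() {
    up=$(bond_summary "$1" | sed 's/.* up=\([0-9]*\).*/\1/')
    [ "$up" -ge "${2:-2}" ]
}

# write_sample_bond FILE -> constructed copy of /proc/net/bonding/bond0 with eth1 down
write_sample_bond() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
EOF
}

# On the server:
#   bond_summary /proc/net/bonding/bond0
#   bond_healthy /proc/net/bonding/bond0 || echo "bond degraded" | mail -s "bond0" root
```

bond_healthy is meant for cron or a Nagios check: an active-backup bond keeps passing traffic with one slave dead, which is exactly why nobody notices until the second one fails.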
Nagios Setup on Debian Lenny
Below are instructions for building Nagios from source on Debian Lenny. They also make it easy to update the build when a new release comes out.
Apache Configuration
First install the essential packages needed to compile and use Nagios (apache2, build-essential and the GD development library, libgd2-xpm-dev).
Modify the file /etc/apache2/apache2.conf so that it's a bit cleaner.
LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 25
KeepAliveTimeout 15
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
# Include all the user configurations:
Include /etc/apache2/httpd.conf
# Include ports listing
Include /etc/apache2/ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
# Include generic snippets of statements
Include /etc/apache2/conf.d/
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
Now create the Apache configuration file for Nagios so it can load the web interface. Create the file /etc/apache2/conf.d/nagios.conf with the following:
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
SetEnv TZ "US/Eastern"
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Modify /etc/apache2/ports.conf so it has just one line, listening for SSL only:
Listen 443
Modify /etc/apache2/mods-available/ssl.conf to clean up the SSL configuration; the module itself is enabled later. While there, disable SSLv3 along with SSLv2 and drop the MEDIUM-strength and anonymous ciphers, since a Nagios interface has no need for them:
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/apache2/ssl_mutex
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
SSLProtocol all -SSLv2 -SSLv3
</IfModule>
Create the file /etc/apache2/sites-available/nagios-ssl for the virtual host. Bind it to port 443 explicitly, since that is the only port Apache listens on now:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
CustomLog /var/log/apache2/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/private/apache-self-signed.crt
SSLCertificateKeyFile /etc/ssl/private/apache-priv.key
</VirtualHost>
Modify the file /etc/apache2/httpd.conf so it has just one line.
Now we can enable our modules and sites in Apache: mod_ssl for the virtual host above and mod_cgi (cgid under the worker MPM) for the ExecCGI option on the Nagios sbin directory.
a2enmod ssl
a2enmod cgi
a2dissite default
a2ensite nagios-ssl
Now create a self-signed certificate at the paths the virtual host names, or install one from a third party if necessary. With OpenSSL, for example:
openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/apache-priv.key -out /etc/ssl/private/apache-self-signed.crt
chmod 600 /etc/ssl/private/apache-priv.key
Nagios Install
Prerequisites
Set up the users and groups that will run Nagios. The www-data user is specific to Debian; it runs the Apache process, so it joins nagcmd to be able to submit external commands (the -a keeps its existing groups):
groupadd -g 9000 nagios
groupadd -g 9001 nagcmd
usermod -a -G nagcmd www-data
useradd -u 9000 -g nagios -G nagcmd -d /usr/local/nagios -c "Nagios Admin" nagios
Now set up the initial directories and permissions where we'll keep the files. I chose to create /var/nagios for the data files since it's the largest partition and meant for variable data.
mkdir -p /usr/local/nagios /etc/nagios /var/nagios
chown nagios:nagios /usr/local/nagios /etc/nagios /var/nagios
Download the Nagios source and unpack.
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nagios-3.x.x.tar.gz
tar zxvf nagios-3.x.x.tar.gz
cd nagios-3.x.x
Install
Configure and build Nagios with the directories chosen above; the command group is the one www-data was added to:
./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --with-command-group=nagcmd
make all
make install
make install-init
make install-commandmode
make install-config
Set Nagios to start on boot and create the Apache password file used to authenticate web users:
update-rc.d nagios defaults
cd /etc/nagios/
htpasswd -c htpasswd.users nagios
chown www-data htpasswd.users
chmod 600 htpasswd.users
To add more users to htpasswd.users just type
htpasswd htpasswd.users username
since -c is only for file creation (repeating it would wipe the existing users).
Configuration
Edit /etc/nagios/cgi.cfg and modify the "authorized_for_" lines to include the users you created in htpasswd.users, for example:
authorized_for_all_services=nagios
authorized_for_all_hosts=nagios
Create a folder in /etc/nagios to contain all the configuration files; the site name is a good choice. Once the folder is created, edit /etc/nagios/nagios.cfg, remove all the "cfg_file" entries and add the line:
cfg_dir=/etc/nagios/site1
or whatever folder you created for your config files, site1 in this example.
Now add some images for the icon view to the base install. These packs can usually be downloaded from the Nagios Exchange and unpacked into the logos directory:
cd /usr/local/nagios/share/images/logos
tar zxvf image_logos.tar.gz
Third Party Tools
Plugins
The Nagios plugins are necessary to run checks on server processes and health. In the configure statement, be sure to use the same folder locations as when Nagios itself was configured. Plugins will be installed in the /usr/local/nagios/libexec directory.
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios-plugins/nagios-plugins-1.4.xx.tar.gz
tar zxvf nagios-plugins-1.4.xx.tar.gz
cd nagios-plugins-1.4.xx
./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --enable-perl-modules
make
make check
make install
NRPE
This install adds the NRPE plugin so that checks can be run on other servers remotely. The NRPE daemon itself doesn't need to be installed on the Nagios server; it just needs the check_nrpe plugin to run the checks. The remote servers of course need the NRPE daemon installed. Again, take note of the configure directories and that --enable-ssl=yes is set. This encrypts the exchange, but NRPE 2.x negotiates anonymous Diffie-Hellman, so neither side authenticates the other; the allowed_hosts list in nrpe.cfg on each remote server, together with dont_blame_nrpe=0, remains the real access control.
wget http://superb-east.dl.sourceforge.net/sourceforge/nrpe/nrpe-2.xx.tar.gz
tar zxvf nrpe-2.xx.tar.gz
cd nrpe-2.xx
./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --enable-ssl=yes
make all
make install
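Since the TLS layer authenticates nobody, it is worth checking the nrpe.cfg on each remote host for the two directives that do. The following is an added example, not part of the original post or of NRPE: a small audit that flags dont_blame_nrpe=1 and a missing allowed_hosts, and lists commands that take $ARGn$ arguments. The two config files are constructed by write_sample_nrpe; on a monitored host, run nrpe_audit /etc/nagios/nrpe.cfg.

```sh
#!/bin/sh
# Added example: audit nrpe.cfg for the settings that actually gate access.
# Sample configs are constructed below; point nrpe_audit at a real file on a host.

# nrpe_audit FILE -> prints FAIL/WARN/OK lines; returns 1 if anything FAILed
nrpe_audit() {
    cfg=$1
    rc=0
    # NRPE directives are key=value with no spaces; drop comments and blank lines
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg")

    if printf '%s\n' "$body" | grep -q '^dont_blame_nrpe=1'; then
        echo "FAIL: dont_blame_nrpe=1 lets the Nagios server feed arguments into command[] lines"
        rc=1
    fi

    hosts=$(printf '%s\n' "$body" | sed -n 's/^allowed_hosts=//p' | tr -d ' ')
    if [ -z "$hosts" ]; then
        echo "FAIL: allowed_hosts is unset; anything that reaches port 5666 can run every command[]"
        rc=1
    else
        echo "OK: allowed_hosts=$hosts"
    fi

    # commands built around $ARGn$ only bite when dont_blame_nrpe=1, but list them
    printf '%s\n' "$body" | grep '^command\[' | grep -F '$ARG' |
    while IFS= read -r line; do
        echo "WARN: argument-taking command: ${line%%=*}"
    done

    return $rc
}

# write_sample_nrpe FILE weak|hardened -> constructed nrpe.cfg fragments
write_sample_nrpe() {
    case $2 in
    weak)
        cat > "$1" <<'EOF'
# constructed sample: no allowed_hosts and argument passing switched on
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
dont_blame_nrpe=1
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
EOF
        ;;
    hardened)
        cat > "$1" <<'EOF'
# constructed sample: only the Nagios server may connect, no argument passing
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,192.168.20.5
dont_blame_nrpe=0
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /
EOF
        ;;
    esac
}
```

The 192.168.20.5 address in the hardened sample is a placeholder for the Nagios server. A host firewall rule limiting port 5666 to that address is the belt to this suspender, since allowed_hosts is an IP check that a spoofed or compromised host on the same segment can get around.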
PNP Graphing
A couple of packages are needed first (rrdtool with its Perl bindings, and PHP with the GD extension), as well as mod_rewrite for Apache:
a2enmod rewrite
Open /etc/php5/apache2/php.ini and make sure the following is set to Off:
Then restart Apache to have the setting take effect:
/etc/init.d/apache2 restart
Download, configure and install PNP. Note directory locations in configure.
wget http://voxel.dl.sourceforge.net/project/pnp4nagios/PNP-0.6/pnp4nagios-0.6.x.tar.gz
tar zxvf pnp4nagios-0.6.x.tar.gz
cd pnp4nagios-0.6.x
./configure --sysconfdir=/etc/pnp --localstatedir=/var/pnp4nagios
make all
make install
make install-webconf
make install-config
Set up the base configuration in /etc/pnp, the sysconfdir given to configure:
cd /etc/pnp
cp process_perfdata.cfg-sample process_perfdata.cfg
cp rra.cfg-sample rra.cfg
cd /etc/nagios
Edit /etc/nagios/nagios.cfg to turn on performance data and hand it to PNP. Typically these are commented out to start:
process_performance_data=1
service_perfdata_command=service-perfdata-pnp
Add the new command to commands.cfg in /etc/nagios/site1, or wherever your commands for the site are stored:
define command {
    command_name service-perfdata-pnp
    command_line /usr/bin/perl /usr/local/pnp4nagios/libexec/process_perfdata.pl
}
Modify /etc/apache2/conf.d/pnp4nagios.conf, which the install scripts create, so its AuthUserFile points at the same password file Nagios uses, /etc/nagios/htpasswd.users.
Restart Apache for the changes to take effect. You can now navigate to https://hostname/pnp4nagios and see the install checklist. If all is complete, remove the /usr/local/pnp4nagios/share/install.php file.
General Use
For Nagios to function, it first needs to be started:
/etc/init.d/nagios start
If a configuration or syntax error occurs, you can verify the configuration and find out where the problem is by running:
/usr/local/nagios/bin/nagios -v /etc/nagios/nagios.cfg
Now you can try starting Nagios again. If you make configuration changes, the configuration must be reloaded:
/etc/init.d/nagios reload
To access Nagios through the web, Apache must be started, or restarted if it was already running. This also picks up any new web configuration:
/etc/init.d/apache2 restart
Server path error in vSphere 4.1
First off, this is related to the post in VMware Communities here: http://communities.vmware.com/message/1576370
I recently updated a VMware Infrastructure to vCenter 4.1. All ESX servers were still on ESXi 3.5. This shouldn't be a problem, you just can't use some of the new features available in 4.1. That's fine, except that I couldn't view the managed paths in the ESX servers. I would get the error below. I would get the same error when trying to manually migrate a virtual machine to a different ESX server.
You can see the error states Item has already been added. Key in dictionary: 'Vmomi.Host.PlugStoreTopology+Path' Key being added: 'Vmomi.Host.PlugStoreTopology+Path'. And of course you can see that two entries are listed.
I tried multiple solutions, including completely reinstalling vCenter with a new database and reconfiguring. Restarting the ESX servers didn't matter. The real solution was upgrading all of the ESXi servers to 4.1. This shouldn't seem necessary, but the upgrade through Upgrade Manager (they got rid of the Host Update Utility after 4.0) was relatively easy and smooth. After having issues with vCenter 4.1 I was reluctant to move the ESX servers there, but so far everything is working great, including migrations and managed paths.
Latest and greatest Subversion on Debian Lenny
Debian has its own package for Subversion, but most of the time you want to use the latest Subversion package that's out there. This explains how to build and use that over Apache and HTTPS.
Installation
This particular install does not use the Berkeley DB repository storage but the flat-file FSFS back end. Both have their advantages, but FSFS is the default for new repositories, needs no environment recovery after a crash, and is generally faster. Read more here.
First setup Apache and get all the Subversion dependencies.
apt-get build-dep subversion
cd /usr/src
wget http://subversion.tigris.org/downloads/subversion-1.6.13.tar.gz
tar zxvf subversion-1.6.13.tar.gz
cd subversion-1.6.13
./configure --prefix=/usr/local
Then we get this warning, but FSFS is fine to use instead of Berkeley.
configure: WARNING: we have configured without BDB filesystem support You don't seem to have Berkeley DB version 4.0.14 or newer installed and linked to APR-UTIL. We have created Makefiles which will build without the Berkeley DB back-end; your repositories will use FSFS as the default back-end. You can find the latest version of Berkeley DB here: http://www.oracle.com/technology/software/products/berkeley-db/index.html
Continue with the build:
make
make install
After install, this error comes up, but it can be ignored; the next few steps fix it.
apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file.. apxs:Error: At least one `LoadModule' directive already has to exist.. make: *** [install-mods-shared] Error 1
Create the file /etc/apache2/mods-available/dav_svn.load with the following:
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
Copy the modules from the source tree into the Apache module directory, then enable them along with mod_dav (which mod_dav_svn depends on) and SSL, since we want to push this over a secure channel:
cp /usr/src/subversion-1.6.13/subversion/mod_dav_svn/.libs/mod_dav_svn.so /usr/lib/apache2/modules/
cp /usr/src/subversion-1.6.13/subversion/mod_authz_svn/.libs/mod_authz_svn.so /usr/lib/apache2/modules/
a2enmod dav
a2enmod dav_svn
a2enmod ssl
Configuration
Create the file /etc/apache2/sites-available/svn so that Apache knows about the SVN repository. Keep DocumentRoot away from the repository tree: with /var/svn as the document root, the raw FSFS files under each repository would be served as plain static files outside the authenticated /svn location:
<VirtualHost svn.mysite.com:443>
DocumentRoot /var/www
# SSL Definitions
SSLEngine on
SSLCertificateFile /etc/ssl/private/myserver_svn.crt
SSLCertificateKeyFile /etc/ssl/private/myserver_svn.key
# Subversion
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath /var/svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn/dav_svn.passwd
AuthzSVNAccessFile /etc/svn/dav_svn.control
Require valid-user
</Location>
</VirtualHost>
Now enable the site and start/restart Apache:
a2ensite svn
/etc/init.d/apache2 restart
Set up the initial repository with svnadmin create and make the user running the web service the owner, since that is the user actually modifying the repository files.
svnadmin create /var/svn/myproject
chown -R www-data:www-data /var/svn/myproject
Now we can create the username/password file along with the access file. Leave -b off so htpasswd prompts for the password instead of recording it in your shell history, and let only Apache read the file:
mkdir /etc/svn
touch /etc/svn/dav_svn.passwd
htpasswd -m /etc/svn/dav_svn.passwd myuser
chown root:www-data /etc/svn/dav_svn.passwd
chmod 640 /etc/svn/dav_svn.passwd
Create the access file for your repositories.
touch /etc/svn/dav_svn.control
Now edit it. Users get r or rw rights. First you name the repository (with / for its root), then the folder path after the colon for more fine-grained permissions:
[myproject:/]
myuser = r
[myproject:/trunk/base/code]
myuser = rw
Now restart Apache and test access; a reboot is a good check that everything comes up on its own.
Maintenance and Use
The easiest way to use SVN over HTTPS is with TortoiseSVN on Windows, or some other client such as RapidSVN on Linux.
Adding Additional Users
To add more users, run htpasswd against your dav_svn.passwd file as in the initial setup (without -c):
htpasswd -m /etc/svn/dav_svn.passwd newuser
Now edit the access file that holds the other users and is named in the Apache configuration. Users get r or rw rights. First you name the repository, then the folder path after the colon for more fine-grained permissions:
[myproject:/]
myuser = r
newuser = r
[myproject:/trunk/base/code]
myuser = rw
newuser = rw
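With users added in one file and rights granted in another, the two drift apart. The following is an added example, not part of the original post or of Subversion, covering both the initial access file above and the additional-user step: it cross-checks dav_svn.passwd against the AuthzSVNAccessFile, reporting names with rules but no password entry (stale rules that spring back to life if the name is ever re-added) and any "* = r" or "* = rw" line, which under Require valid-user hands that right to every account in the password file. The sample files are constructed by write_sample_svn_auth; on the server run svn_authz_audit /etc/svn/dav_svn.passwd /etc/svn/dav_svn.control.

```sh
#!/bin/sh
# Added example: cross-check the Apache password file against the SVN authz file.
# Sample files are constructed below; pass the real paths on the server.

# svn_authz_audit PASSWD AUTHZ -> FAIL/WARN lines; returns 1 on any FAIL
svn_authz_audit() {
    passwd=$1
    authz=$2
    rc=0
    known=$(cut -d: -f1 "$passwd" | sort -u)

    # every user on the left of a rule, plus every member listed under [groups];
    # @group references and the * wildcard are not users
    named=$(awk -F'=' '
        /^[[:space:]]*\[/  { section = $0; next }
        /^[[:space:]]*#/   { next }
        /^[[:space:]]*$/   { next }
        section ~ /^\[groups\]/ {
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", m[i]); if (m[i] != "") print m[i] }
            next
        }
        $1 !~ /^[[:space:]]*(@|\*)/ { gsub(/[[:space:]]/, "", $1); print $1 }
    ' "$authz" | sort -u)

    for u in $named; do
        if ! printf '%s\n' "$known" | grep -qxF "$u"; then
            echo "FAIL: $u has rules in $authz but no entry in $passwd (stale rule)"
            rc=1
        fi
    done

    # wildcard grants: "* = r" means every valid user, not just the ones listed
    awk -F'=' '
        /^[[:space:]]*\[/ { section = $0 }
        $1 ~ /^[[:space:]]*\*[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); if ($2 != "") print section " grants * = " $2 }
    ' "$authz" | while IFS= read -r line; do
        echo "WARN: $line"
    done

    return $rc
}

# write_sample_svn_auth DIR -> constructed passwd file plus a sloppy and a clean authz file
write_sample_svn_auth() {
    printf 'myuser:$apr1$notreal$hash\nnewuser:$apr1$notreal$hash\n' > "$1/dav_svn.passwd"
    cat > "$1/sloppy.control" <<'EOF'
[groups]
devs = myuser, ghost

[myproject:/]
myuser = r
* = r

[myproject:/trunk/base/code]
@devs = rw
olduser = rw
EOF
    cat > "$1/clean.control" <<'EOF'
[myproject:/]
myuser = r
newuser = r
* =

[myproject:/trunk/base/code]
myuser = rw
newuser = rw
EOF
}
```

The "* =" line with nothing after it in the clean file is the usual way to say "everyone else gets nothing" explicitly, and the audit leaves it alone.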
Backing Up the Repositories
To back up a repository, use svnadmin dump, which exports the entire database with all revisions. You can then tar and gzip the dump file for compression and copy it to tape or disk somewhere else. Incremental dumps are also possible if disk or tape space is an issue.
svnadmin dump /var/svn/myproject > /home/backups/myproject_dumpfile
Restoring the Repositories
Restoring the SVN database simply replays all the revisions from the dump into a fresh repository. The restore process also works well for moving an older repository to a newer Subversion, since loading the dump into a newly created repository upgrades it to that version.
svnadmin create /home/svn/restoredproject
svnadmin load /home/svn/restoredproject < /home/backups/myproject_dumpfile
chown -R www-data:www-data /home/svn/restoredproject
chmod -R 770 /home/svn/restoredproject
Duplicity Install and Backup Samples
Duplicity is a backup tool built on librsync (the rdiff algorithm) that copies only the changes to a backup location. It compresses and encrypts the data with GnuPG and can store to Amazon's S3 service. More details can be found here.
- Installation on OpenBSD 4.4
- Installation on OpenBSD 4.6
- Installation on Debian Lenny 5.0
- Sample Backup Scripts
Installation on OpenBSD 4.4
The 4.4 version was the most difficult to get working since the majority of the issues came from the given OpenBSD libraries. Even installing the Duplicity port from the packages didn't function right.
First we need to add a few packages. Use pkg_add with whatever mirror you like to obtain the following; some depend on others, so more packages will appear in the install list:
- python-2.5.2p4
- py-boto-1.3
- gpgme-1.1.5
- librsync-0.9.7
- ncftp-3.2.1
When the main Python package is installed, it will ask you to create a few symbolic links, so create those.
ln -sf /usr/local/bin/pydoc2.5 /usr/local/bin/pydoc
Version 4.4 needs a separate Python XML package to work properly. If it's not installed, you'll get a series of errors when trying to send data to S3; I believe the XML error is when it tries to read the response. Something like this will error out:
File "/usr/local/bin/duplicity", line 482, in <module>
with_tempdir(main)
File "/usr/local/bin/duplicity", line 477, in with_tempdir
fn()
File "/usr/local/bin/duplicity", line 468, in main
full_backup(col_stats)
File "/usr/local/bin/duplicity", line 174, in full_backup
col_stats.set_values(sig_chain_warning = None).cleanup_signatures()
File "/usr/obj/ports/duplicity-0.4.12/fake-amd64/usr/local/lib/python2.5/site-packages/duplicity/collections.py", line 476, in set_values
File "/usr/obj/ports/duplicity-0.4.12/fake-amd64/usr/local/lib/python2.5/site-packages/duplicity/backends.py", line 802, in list
File "/usr/local/lib/python2.5/site-packages/boto/s3/bucketlistresultset.py", line 31, in bucket_lister
delimiter=delimiter)
File "/usr/local/lib/python2.5/site-packages/boto/s3/bucket.py", line 205, in get_all_keys
xml.sax.parseString(body, h)
File "/usr/local/lib/python2.5/xml/sax/__init__.py", line 43, in parseString
parser = make_parser()
File "/usr/local/lib/python2.5/xml/sax/__init__.py", line 93, in make_parser
raise SAXReaderNotAvailable("No parsers found", None)
xml.sax._exceptions.SAXReaderNotAvailable: No parsers found
To avoid that, a separate Python XML package needs to be downloaded and installed:
wget http://downloads.sourceforge.net/project/pyxml/pyxml/0.8.4/PyXML-0.8.4.tar.gz
tar zxvf PyXML-0.8.4.tar.gz
cd PyXML-0.8.4
python setup.py install
Now we can install Duplicity.
wget http://code.launchpad.net/duplicity/0.6-series/0.6.06/+download/duplicity-0.6.06.tar.gz
tar zxvf duplicity-0.6.06.tar.gz
cd duplicity-0.6.06
python setup.py --librsync-dir=/usr/local build
python setup.py install --prefix=/usr/local
If you run the Duplicity jobs as root in a cron job, there is something about OpenBSD (I'm sure a security issue) that causes it to fail. I would get the output below in my log only when it ran as a cron job:
File "/usr/local/bin/duplicity", line 583, in <module>
with_tempdir(main)
File "/usr/local/bin/duplicity", line 577, in with_tempdir
fn()
File "/usr/local/bin/duplicity", line 558, in main
full_backup(col_stats)
File "/usr/local/bin/duplicity", line 234, in full_backup
bytes_written = write_multivol("full", tarblock_iter, globals.backend)
File "/usr/local/bin/duplicity", line 148, in write_multivol
globals.gpg_profile, globals.volsize)
File "/usr/local/lib/python2.5/site-packages/duplicity/gpg.py", line 240, in GPGWriteFile
bytes_to_go = data_size - get_current_size()
File "/usr/local/lib/python2.5/site-packages/duplicity/gpg.py", line 232, in get_current_size
return os.stat(filename).st_size
OSError: [Errno 2] No such file or directory:'/tmp/duplicity-gM4CN9-tempdir/mktemp-iZknw0-2'
Odd that it can't read the temporary folder that it created. Changing the folder location also did not work. The solution is to create a separate user for only backups. This can be an issue if you have files that cannot be read by all users and need backup, but I found in my case this worked for the specific files that needed to be saved.
useradd -m dpbackup
usermod -G nogroup dpbackup
mkdir /home/dpbackup/log
Make sure to add the new user to the deny list in SSH with DenyUsers dpbackup in the file /etc/ssh/sshd_config; there isn't any reason for it to log in.
Now switch to the new user with su - dpbackup (the dash gives you that user's HOME). A GPG key needs to be created so that the compressed backups can be encrypted and signed; this way nobody else with access to our S3 account (Amazon employees included) can read the data. Check that the keyring is created under /home/dpbackup: the transcript below shows /root/.gnupg, which is what you get when the key is generated as root, and a key in root's keyring is invisible to the dpbackup job.
$ cd
$ gpg --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
$ gpg --gen-key
There will be a series of questions, most of the defaults are fine.
- Choose option 1 for DSA and Elgamal (the default)
- Choose the default key size of 2048
- Leave the default that the key will not expire, option 0
- Enter a User ID, Email address, and comment for the key.
- Type O for OK to accept.
- Enter a long passphrase for the key and allow it to be generated. I usually do at least 20 characters since the password will just sit in a script anyway.
Copy the keys somewhere safe so they can't be lost; no key means the backups are worthless, so a second copy on separate media is a good idea. The archive contains the secret key and the script will hold its passphrase, so keep both readable only by the backup user. For example:
$ tar cf gpg_keys.tar .gnupg
$ chmod 600 gpg_keys.tar
See sample scripts below for backup jobs.
Installation on OpenBSD 4.6
First we need to add a few packages. Use pkg_add with whatever mirror you like to obtain the following; some depend on others, so more packages will appear in the install list:
- python-2.5.4p1
- py-xml-0.8.4p8
- py-boto-1.7a
- gpgme-1.1.5p0
- librsync-0.9.7p0
- ncftp-3.2.2
When the main Python package is installed, it will ask you to create a few symbolic links, so create those.
ln -sf /usr/local/bin/python2.5-config /usr/local/bin/python-config
ln -sf /usr/local/bin/pydoc2.5 /usr/local/bin/pydoc
Now we can install Duplicity.
wget http://code.launchpad.net/duplicity/0.6-series/0.6.06/+download/duplicity-0.6.06.tar.gz
tar zxvf duplicity-0.6.06.tar.gz
cd duplicity-0.6.06
python setup.py --librsync-dir=/usr/local build
python setup.py install --prefix=/usr/local
Running the Duplicity job as root from cron fails on 4.6 the same way it does on 4.4: the log shows the same traceback ending in OSError: [Errno 2] No such file or directory from get_current_size in gpg.py, and the fix is the same dedicated backup user:
useradd -m dpbackup
usermod -G nogroup dpbackup
mkdir /home/dpbackup/log
Make sure to add the new user to the deny list in SSH with DenyUsers dpbackup in the file /etc/ssh/sshd_config; there isn't any reason for it to log in.
Now switch to the new user with su - dpbackup and create the GPG key exactly as described in the 4.4 section above, including the check that the keyring lands in the backup user's home, the key backup and the passphrase handling. See sample scripts below for backup jobs.
Installation on Debian Lenny 5.0
The Debian install is a little simpler and can run the backup job as root inside cron. Install the build dependencies first: the Python development headers, librsync, python-boto and gnupg.
Install Duplicity:
wget http://code.launchpad.net/duplicity/0.6-series/0.6.06/+download/duplicity-0.6.06.tar.gz
tar zxvf duplicity-0.6.06.tar.gz
cd duplicity-0.6.06
python setup.py build
python setup.py install
Creating a user is optional, but it is good security practice for the job not to run as root.
useradd -m dpbackup
mkdir /home/dpbackup/log
Make sure to add the new user to the deny list in SSH with DenyUsers dpbackup in /etc/ssh/sshd_config; there isn't any reason for it to log in.
Now switch to the new user with su - dpbackup and create the GPG key exactly as described in the OpenBSD 4.4 section above, with the same checks on keyring location, key backup and passphrase. See sample scripts below for backup jobs.
Sample Backup Scripts
The first portion of the script defines the variables we'll need to use. The AWS keys are defined for you when you sign up for S3. Passphrase is the GPG passphrase set on the key generated from gpg --gen-key. The S3 bucket should be fairly unique, so I use the host name of the server. The others are pretty obvious but will be explained later.
# Variables
export AWS_ACCESS_KEY_ID=ABABAB3333338888WWWW
export AWS_SECRET_ACCESS_KEY=BBBBBBBBBBTTTTTTTTTT8888888888VVVVVVVVVV
export PASSPHRASE=somelongpassphrase
DBHOST='dbserver1'
TIMESTAMP=`date +%m%d%Y%H%M`
FILE_PREFIX_DB='mydb_'
FILE_PREFIX_SVN_REPO='repo_'
GPG_PUB_KEY='AAEE66BB'
BACKUP_LOG_FILE='/home/dpbackup/log/s3_backup.log'
FULL_IF_OLDER_THAN='7D'
KEEP_MAX_SETS='2'
S3_BUCKET='serverhostname'
CURRENT_HOST='server-hostname'
TO_EMAIL='sysadmin@example.com'
Just some sample backup methods for MySQL or Subversion if needed.
/usr/local/bin/svnadmin dump /home/svn/repo > /home/dpbackup/svn/$FILE_PREFIX_SVN_REPO$TIMESTAMP.svnbk
This is only necessary on OpenBSD, where the low default open-file limit is a security feature. We raise it from 128 now and lower it again at the end of the script.
ulimit -n 1024
Most of these options can be read about in the Duplicity man page, and there are many more to choose from. Basically this backup is going to do a full backup every 7 days (from the $FULL_IF_OLDER_THAN variable), encrypt and sign with the GPG key using the highest bzip2 compression level, and then send it to S3. It writes a fresh backup log to the defined file, which we'll email out later.
/usr/local/bin/duplicity --s3-use-new-style --tempdir /home/dpbackup --full-if-older-than $FULL_IF_OLDER_THAN --encrypt-key "$GPG_PUB_KEY" --sign-key "$GPG_PUB_KEY" --gpg-options='--compress-algo=bzip2 --bzip2-compress-level=9' --include /etc/apache2 --include /home/dpbackup/svn --include /home/dpbackup/mysql --exclude '**' / s3+http://$S3_BUCKET > $BACKUP_LOG_FILE
This line just gives us some space in the log file; really it's just for email formatting.
echo -e '\n\n==== REMOVE OLD BACKUP SETS ====\n\n' >> $BACKUP_LOG_FILE
This command will check how many full backup sets are already on S3, and remove any more than what is defined in KEEP_MAX_SETS.
/usr/local/bin/duplicity remove-all-but-n-full $KEEP_MAX_SETS s3+http://$S3_BUCKET >> $BACKUP_LOG_FILE
Again, for formatting purposes.
echo -e '\n\n==== CURRENT FILES IN BACKUP SET ====\n\n' >> $BACKUP_LOG_FILE
This command lists the current files in our backup set so they can be reviewed in the email, making sure everything is working as it should.
/usr/local/bin/duplicity list-current-files s3+http://$S3_BUCKET >> $BACKUP_LOG_FILE
Now we can mail out the log file. The -s flag is for the subject line, and the TO_EMAIL is defined in our variables. We're just writing the log file as the body of the email.
mail -s "$CURRENT_HOST Backup Log for $TIMESTAMP" $TO_EMAIL < $BACKUP_LOG_FILE
Since we exported the keys and passphrases, we want to make sure we don't leave those around any longer than we have to; set them null.
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export PASSPHRASE=
Just a little clean up so we don't waste space.
rm /home/dpbackup/mysql/*
rm /home/dpbackup/svn/*
This is for OpenBSD only. Since we opened the open file limit up at the beginning of the script, close it back down.
ulimit -n 128
End it.
exit 0
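A hardened variant of the job above, added here as an example and not the author's script: it reads the AWS keys and GPG passphrase from a separate mode-600 file instead of embedding them in the script, unsets them afterwards rather than exporting empty values, and records each duplicity step's exit status in the log so a failed backup is obvious in the mail. The credential file path (/home/dpbackup/.s3backup.env) is a hypothetical choice; every other path, variable and flag follows the page's script, except that --force is added to the remove-all-but-n-full call.

```shell
#!/bin/sh
# Added example, not the page's own script: a hardened wrapper around the
# duplicity job described above. Assumptions (not from the page): the AWS keys
# and GPG passphrase live in a separate file (default
# /home/dpbackup/.s3backup.env, a hypothetical path) as KEY=value lines for
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and PASSPHRASE. Other paths and
# variable names follow the page's script.

umask 077   # dumps and logs this job creates are readable by dpbackup only

# secret_file_ok FILE: 0 if FILE is a regular file owned by the caller with
# mode 600 or 400, 1 otherwise (group/world-readable secrets are refused).
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")    # GNU, then BSD stat
    owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# load_secrets FILE: export the three variables duplicity reads, but only after
# the permission check passes and all three are non-empty.
load_secrets() {
    secret_file_ok "$1" || { echo "refusing to read $1: bad owner or mode" >&2; return 1; }
    . "$1"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY PASSPHRASE
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && [ -n "${PASSPHRASE:-}" ]
}

# scrub_secrets: unset rather than export-empty, so nothing started later in
# this shell inherits even an empty placeholder.
scrub_secrets() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY PASSPHRASE
}

# run_step LOG LABEL CMD...: run CMD, append its output and exit status to LOG
# under a banner, and return that status so a failed step shows in the mail.
run_step() {
    log="$1"; label="$2"; shift 2
    printf '\n\n==== %s ====\n\n' "$label" >> "$log"
    if "$@" >> "$log" 2>&1; then rc=0; else rc=$?; fi
    printf '(%s exited with status %d)\n' "$label" "$rc" >> "$log"
    return $rc
}

# backup_main [ENV_FILE] [LOG]: the page's job with status checks. Old sets are
# pruned only if the new backup succeeded, and --force is passed because
# duplicity's remove-* commands only report what they would delete without it.
backup_main() {
    env_file="${1:-/home/dpbackup/.s3backup.env}"
    log="${2:-/home/dpbackup/log/s3_backup.log}"
    dup=/usr/local/bin/duplicity
    bucket="s3+http://${S3_BUCKET:-serverhostname}"
    gpg_key="${GPG_PUB_KEY:-AAEE66BB}"
    stamp=$(date +%m%d%Y%H%M)
    : > "$log"
    load_secrets "$env_file" || return 1
    status=0
    run_step "$log" "BACKUP" "$dup" --s3-use-new-style --tempdir /home/dpbackup \
        --full-if-older-than "${FULL_IF_OLDER_THAN:-7D}" \
        --encrypt-key "$gpg_key" --sign-key "$gpg_key" \
        --gpg-options='--compress-algo=bzip2 --bzip2-compress-level=9' \
        --include /etc/apache2 --include /home/dpbackup/svn --include /home/dpbackup/mysql \
        --exclude '**' / "$bucket" || status=1
    if [ "$status" -eq 0 ]; then
        run_step "$log" "REMOVE OLD BACKUP SETS" "$dup" remove-all-but-n-full \
            "${KEEP_MAX_SETS:-2}" --force "$bucket" || status=1
    fi
    run_step "$log" "CURRENT FILES IN BACKUP SET" "$dup" list-current-files "$bucket" || status=1
    scrub_secrets
    mail -s "${CURRENT_HOST:-server-hostname} Backup Log for $stamp (status $status)" \
        "${TO_EMAIL:-sysadmin@example.com}" < "$log"
    return $status
}

# Run only when asked, so the functions above can be sourced or tested alone.
if [ "${RUN_BACKUP:-0}" = 1 ]; then backup_main "$@"; fi
```

Run it from cron as RUN_BACKUP=1 sh s3backup.sh, with the credential file created as the dpbackup user and chmod 600; the job refuses to start if that file is readable by anyone else, and the mail subject carries the overall status so a silent failure no longer looks like a successful night.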
Slackware 13 on Lenovo T61, Trackpad and scrolling
Out of the box the trackpad didn't scroll or have "click" capability. Just creating these two files fixed the issue.
/etc/hal/fdi/policy/x11-synaptics.fdi
<deviceinfo version="0.2">
<device>
<match key="info.capabilities" contains="input.touchpad">
<merge key="input.x11_driver" type="string">synaptics</merge>
<merge key="input.x11_options.SHMConfig" type="string">true</merge>
<merge key="input.x11_options.TapButton1" type="string">1</merge>
<merge key="input.x11_options.MaxTapMove" type="string">2000</merge>
<merge key="input.x11_options.VertEdgeScroll" type="string">true</merge>
<merge key="input.x11_options.HorizEdgeScroll" type="string">true</merge>
</match>
</device>
</deviceinfo>
/etc/hal/fdi/policy/mouse-wheel.fdi
<deviceinfo version="0.2">
<device>
<!-- The enclosing deviceinfo/device/match elements are reconstructed here
     because the original shows only the merge lines; the match condition
     (the TrackPoint, which wheel emulation is meant for) is an assumption. -->
<match key="info.product" contains="TrackPoint">
<merge key="input.x11_options.EmulateWheel" type="string">true</merge>
<merge key="input.x11_options.EmulateWheelButton" type="string">2</merge>
<merge key="input.x11_options.YAxisMapping" type="string">4 5</merge>
<merge key="input.x11_options.Emulate3Buttons" type="string">true</merge>
<merge key="input.x11_options.EmulateWheelTimeout" type="string">200</merge>
</match>
</device>
</deviceinfo>
Reboot and give it a try.
QuickBooks Enterprise Install on Debian
Operating System: Debian Lenny 5.0
This server needs an /opt directory for the package install, so the partitioning is a little bit different than a typical Linux setup. This is what mine ended up looking like:
| Filesystem | Size | Mounted on |
|---|---|---|
| /dev/sda1 | 2G | / |
| /swap | X | /swap |
| /dev/sda9 | (rest) | /home |
| /dev/sda6 | 2G | /opt |
| /dev/sda7 | 1G | /tmp |
| /dev/sda5 | 3G | /usr |
| /dev/sda8 | 2G | /var |
Set up a few packages necessary for the server first.
Now users and groups need to be added for permissions and the Samba folder share access.
useradd -d /home/user1 -g quickbooks user1
useradd -d /home/user2 -g quickbooks user2
useradd -d /home/user3 -g quickbooks user3
useradd -d /home/user4 -g quickbooks user4
smbpasswd -a user1
smbpasswd -a user2
smbpasswd -a user3
smbpasswd -a user4
Create the folder where the QuickBooks data files will be stored and set the appropriate permissions.
chown user1:quickbooks /home/qbdata/
chmod 775 /home/qbdata/
Now configure Samba by moving the built-in configuration aside and writing your own.
mv smb.conf smb.conf.orig
cp smb.conf.orig smb.conf
vi smb.conf
The configuration file should read:
workgroup = WORKGROUP
server string = %h server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
[qbdata]
path = /home/qbdata
comment = Quickbooks Enterprise database share
valid users = user1,user2,user3,user4
public = no
writeable = yes
printable = no
create mask = 0765
Now restart Samba and test the permissions using a Windows client. You should be able to see the logs created by each client and who was accessing the share.
tail /var/log/samba/log.smbd
tail /var/log/samba/log.rst-win-utl3
Using Alien, we'll create a deb package from an rpm so it can be installed. Some other directories and files need to be created for logging purposes since Debian uses rsyslog and QuickBooks won't create them on its own.
wget http://http-download.intuit.com/http.intuit/CMO/qbes/resources/qbdbm-20.0-5.i386.rpm
alien qbdbm-20.0-5.i386.rpm
mkdir /var/lock/subsys
dpkg -i qbdbm_20.0-6_i386.deb
touch /var/log/qbdbfilemon.log
touch /var/log/qbdbmgrn_20.log
touch /var/lock/subsys/qbdbfilemon
touch /var/lock/subsys/qbdbmgrn_20
We need to add a line to the syslog configuration in /etc/rsyslog.conf, just put it at the end.
Set up the QuickBooks binaries to start automatically.
update-rc.d qbdbmgrn_20 defaults
Modify the file /opt/qb/util/qbmonitord.conf to include the directory where the QuickBooks data will live.
Restart the server and you should be able to run a ps -e and see the following processes running indicating the server is up. There also should be a /home/qbdata/qbdir.dat file created automatically.
1994 ? 00:00:02 gam_server
1995 ? 00:25:40 QBDBMgrN_20
Slackware 13 on Lenovo T61, Intel Wireless 4965
I had some trouble getting the wireless to function properly on my T61 with Slackware 13. I tried combinations of wicd (the wireless network manager) and DHCP clients, and different drivers, but nothing seemed to work. I could see the wireless access points, but they always showed up as "hidden" and appeared to connect, but would never be able to get an IP address.
At this point I moved to Debian to see if that would connect using wicd. Sure enough, wicd connected and authenticated fine, but a kernel panic in Lenny using that wireless adapter would only leave it connected for about 5 minutes and then lock. Enough of that.
Back to Slackware. One thing I noticed was that Debian used the latest wicd, version 1.6.2.2 where the Slackware extras includes the 1.6.2.1 Slackware package. Even the wicd site recommends using the included package in the extras.
Slackware also came with the same firmware for the 4965 wireless as Debian, so I knew that if I used it, I should be good to go on that end. First, enable the firmware as root:
Restart your computer and make sure the wireless adapter is loading properly on boot. You should be able to do an lsmod | grep iwlagn and see a few lines with the module enabled. Now grab wicd 1.6.2.2 from source; you can view them here: http://sourceforge.net/projects/wicd/files/. Unpack it and install wicd.
wget http://sourceurl/wicd-1.6.2.2.tar.gz
tar zxvf wicd-1.6.2.2.tar.gz
cd wicd-1.6.2.2
python setup.py configure
python setup.py install
You can check /etc/rc.d and find an rc.wicd executable. This means the daemon should start on its own when booting. Start the wicd daemon and then the curses version of the client.
wicd-curses
The curses GUI is pretty easy to understand and you should be able to configure the network no problem. When you hit Shift+C to connect to an AP, you can see that it will authenticate and grab an IP this time...finally. I've been able to connect to WPAv2 and WPAv1. Previously I could connect to neither, although I never tried plain old WEP. Others claimed WEP would work and WPA would not, but not being able to connect to a WPA network was a big show stopper for me.