Geek Projects – Linux, Apache, MySQL, PHP, DNS A Linux Sysadmin

September 4, 2015

Automatically Rotate Rail’s Development Log (development.log)

Filed under: Rails,Web Development — Matt @ 7:52 pm

By default, Ruby on Rails writes to the same development log, located at log/development.log indefinitely. This can lead to a large log file. Fortunately, it’s possible to rotate this log file without having to depend on any external applications, like syslog. Here’s how:

  1. Add the following to your config/environments/development.rb file. Feel free to replace “daily” with your preferred interval, like “weekly”, or “monthly”:

    config.logger = Logger.new("log/#{Rails.env}.log", "daily")

  2. Restart Rails:

    touch tmp/restart.txt

That’s it! While you’re at it, you’ll probably also want to rotate your test.log file. You can do so by editing config/environments/test.rb, and applying the same update that’s shown above for config/environments/development.rb.

July 29, 2015

Increase CentOS 7’s MTU

Filed under: Linux — Matt @ 10:09 pm

Ethernet interfaces normally use an MTU of 1500 bytes.

I recently needed to increase the MTU use by the NICs on a point-to-point link to 9000 bytes in order to improve DRBD performance. This is sometimes referred to as enabling jumbo frames.

In the past I’ve used ifconfig to test this change out. For example, to increase the MTU of the eth0 interface from the default of 1500 bytes to 9000 bytes, I would run

ifconfig eth0 mtu 9000

I could then verify that the new MTU had been applied by running:

ifconfig eth0

Unfortunately for me the two servers that I was working on, like many CentOS 7 systems did not have the ifconfig command installed.

If you want the ifconfig command, then you can install it by installing the net-tools package:

yum install net-tools

However, I wanted to avoid making any changes other than increasing the MTU, so I use the ip command instead.

The ip command can be used in place of ifconfig for many purposes, including increasing the MTU. For example, to increase the MTU of the eth0 interface from the default of 1500 bytes to 9000 bytes, run:

ip link set mtu 9000 dev eth0

You can then verify that the new MTU has taken effect by running:

ip link show dev eth0

After you’ve applied the new MTU, and verified that all is working as expected, be sure to update the interface’s configuration file, so that this change persists the next time the server is rebooted.

To edit the MTU for the eth0 interface, add an “MTU=” line to the /etc/sysconfig/network-scripts/ifcfg-eth0 file. For example:

MTU=9000

July 22, 2015

How to configure a BIND DNS Cache in CentOS 7

Filed under: DNS,Linux — Matt @ 9:33 pm

Introduction

I recently configured a CentOS 7 server to run BIND as a DNS caching server. This post documents the process.

Although I used CentOS 7, these instructions should be equally applicable to CentOS 5 through 7, and Red Hat Enterprise Linux 5 through 7.

If you already know why and where you want to configure a DNS caching server, feel free to skip ahead to this page’s “DNS Cache Setup” section. Otherwise, read on.

A DNS Cache is normally setup accomplish one or more of the following:

  • Improve performance. This can be especially true for mail servers, which make a large number of DNS queries.
  • Bypass a flaky DNS resolver.

The DNS caching server configuration that’s described on this page is applicable to both situations.

It’s important to restrict which clients can query your DNS caching server, so that you don’t create an open resolver. This document includes instructions for doing so using BIND’s “allow-recursion” directive.

Performance Considerations

All other things being equal, I recommend placing your DNS caching server as close as possible to the clients which will query it.

If the DNS cache will be used by a single client, it could make sense to run the DNS cache on that client. For example, you could install a DNS cache on your mail server. By running the cache on the same system as the querying application, you bypass the network latency that there would normally be between the DNS cache, and client.

If the clients are primarily in a single data center or geographic area, try to place the DNS cache within that same datacenter or area. Network latency is the main factor here.

DNS caching servers do not have much overhead, so if you do setup a dedicated cache, you probably won’t need much in the way of hardware. For example, I opted to use a dedicated VM, so I selected a VM with 512MB of RAM and a single CPU core at Digital Ocean. That doesn’t sound like much, but it’s usually plenty for a dedicated DNS cache.

If you want this caching server to be be able to query IPv6 name servers, or be queried by IPv6 clients, then it pays to have it located on a network with native IPv6 support. A tunnel broker will work in a pinch, but the extra network latency that it introduces comes with a performance cost.

DNS Cache Setup

Now we’re ready to setup our DNS cache. The BIND configuration file that we end up with is included in the “BIND Configuration File” section:

  1. Install BIND:

    yum -y install bind

  2. Update BIND’s configuration file (/etc/named.conf) using your text editor of choice:
    • Allow the desired clients using the “allow-recursion” directive within the global options clause. For example, I’m allowing the localhost (127.0.0.1) and one of DNS Check’s servers (represented as 1.2.3.4) to query this name server:

      allow-recursion { 127.0.0.1; 1.2.3.4; };

    • BIND’s default CentOS 7 configuration listens for queries on the localhost interface only for both IPv4 and IPv6. If you allowed any other IP addresses to query your DNS cache in the previous step, then you’ll probably also want to listen for queries on at at least one additional interface by updating the “listen-on” directive for IPv4 and/or the “listen-on-v6” directive for IPv6. For example, to listen on all IPv4 and IPv6 interfaces, add the following within the global options clause:

      listen-on {any;};
      listen-on-v6 {any;};

    • Optionally, adjust how long entries are cached. For example, if you wish to cache positive answers (successful lookups) for 15 minutes (900 seconds), and negative answers (failed lookups) for 1 minute (60 seconds), then you would add the following within the global options clause:

      max-cache-ttl 900;
      max-ncache-ttl 60;
  3. Start BIND’s “named” service, and configure it to automatically start at boot time:

    chkconfig named on
    service named restart

  4. Make the operating system that you just configured the DNS cache on query its own cache:

    echo "nameserver 127.0.0.1" > /etc/resolv.conf

  5. Add the new DNS cache’s IP address to /etc/resolv.conf on any other servers that you would like to query it. For example if the DNS cache’s IP address is 1.2.3.4, run:

    echo "nameserver 1.2.3.4" >> /etc/resolv.conf

  6. Run a test query from a client to verify that the DNS cache is working end-to-end:

    dig mx gmail.com

BIND Configuration File

Here are the final contents BIND’s configuration file (/etc/named.conf). If you copy this configuration, then at a minimum, you’ll want to either remove 1.2.3.4, or replace it with the IP address(es) that you want to be able to query the DNS caching server:


// named.conf

options {
listen-on {any;};
listen-on-v6 {any;};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
allow-recursion { 127.0.0.1; 1.2.3.4; };
max-cache-ttl 900;
max-ncache-ttl 60;

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

April 9, 2010

Reset the GroundWork Monitor 6.0 Password

Filed under: Linux,Systems Administration — Matt @ 8:38 pm

The GroundWork Monitor is a simple way to deploy Nagios monitoring to networks. It does a great job of monitoring Linux servers, and anything that speaks SNMP.

I recently needed to make some updates to a GroundWork Community Edition VM, and found myself in a situation where the admin user’s dashboard (web browser interface) password had been changed to an unknown value. I was able to SSH into the GroundWork VM though (it’s CentOS Linux based). There’s info floating around the net on how to reset the admin password, but it was written for older versions of GroundWork, so some of the default password, and MySQL schema details have changed.

Here’s what I did to reset the admin user’s password on GroundWork Monitor 6.0 Community Edition:

  • SSH into the GroundWork VM. If you haven’t changed the root user’s default password, then it’s going to be “opensource”
  • Login to MySQL, and run a query to reset the “admin” user’s password to “admin”. The admin password entered below uses a hash:

    • /usr/local/groundwork/mysql/bin/mysql -u root monarch
    update users set password='21232f297a57a5a743894a0e4a801fc3' where user_name='admin';

January 23, 2010

Updating a Soekris net4511’s BIOS

Filed under: Linux — Matt @ 12:55 pm

I performed BIOS updates on a stack of Soekris net4511s and net4521s today. Here’s a quick-and-dirty howto for anyone who wants to do the same thing from a Linux host running minicom. Note that these instructions should work on any net45xx series Soekris board, including the net4501.

  1. Download the BIOS update from Soekris’ Downloads Page. As of the time of this writing, if you’re using anything prior to version 1.20 (my Soekris boards were all running 1.15), you’ll want to start with the update to 1.26a, then consider whether you want to upgrade to the latest BIOS from there. Soekris publishes a changelog of their BIOS updates to their website.
  2. Connect your serial port to the Soekris net45xx using a null-modem cable, and use minicom, or your  terminal emulator of choice to establish a connection. Connection settings should be 9600,8,N,1 with hardware and software flow control both turned off.
  3. If your Soekris net45xx’s serial console isn’t already configured to work at 9600bps, you can set this by entering Ctrl-P to enter the Monitor, then set the console speed to 9600bps, and reboot:
    > set ConSpeed=9600
    > reboot
  4. Start up your Soekris box, and enter Ctrl-P when prompted to enter the Monitor. This should bring to you a “>” prompt.
  5. Enter the “download” command, and press Enter.
    > download
  6. In another terminal, run the following command to initiate an xmodem transfer of the updated Soekris BIOS. Substitute in name of the BIOS file:
    # sx -X b4501x_126a.bin > /dev/ttyS0 < /dev/ttyS0
  7. Switch back to your minicom terminal. You should see a “File downloaded succesfully” message. If so, run the following commands to apply the update, and reboot:
    flashupdate
    reboot

That’s it! Your Soekris net4501, net4511 or net4521 should now have an updated BIOS.

January 20, 2010

Install UltraVNC from within an RDP Session

Filed under: Systems Administration — Matt @ 11:29 pm

Here’s how to install and start up an UltraVNC server from within an RDP session. This has been tested with UltraVNC 1.0.8 and a remote desktop session into a Windows XP Professional SP3 installation, but should work in other Windows / UltraVNC combinations as well.

  1. RDP into the target system, and install UltraVNC. Be sure to select the checkboxes for registering VNC as a service, and starting up the service at boot time.
  2. Set a VNC password for the currently logged in user by starting up the VNC server (Start > All Programs > UltraVNC > UltraVNC Server > Start UltraVNC Service), then entering a password when prompted
  3. Open up Regedit (Start > Run > regedit)
  4. Copy the HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password entry’s current value
  5. Create a new binary value entry located at “HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\Password”. Paste in the value you copied in the previous step to this new entry’s value
  6. Reboot

That’s it! It may be possible to get VNC going without the reboot, but this is the combination that got a working installation going for me.

November 12, 2009

Update From ESXi 3.5 to ESXi 4.0 without VirtualCenter

Filed under: Virtualization — Matt @ 7:00 pm

The centerpiece of my lab is white box ESXi host. It’s been running ESXi 3.5 without issue for about a year now. A lot of my clients also run ESXi, with a few potential 3.5 to 4.0 updates coming down the pipe, so I decided it was time to update the lab to ESXi 4.0. Since I’m using the free version of ESXi in my lab, here’s what I did to perform the upgrade without VirtualCenter:

  1. Go to VMware’s ESXi Download Page. You’ll need to log in with your existing account, or create a new one to continue
  2. Download and install VMware vSphere Client and Host Update Utility on a Windows based system
  3. Save the VMware ESXi 4.0 (upgrade ZIP) file
  4. Log into your ESXi host using vSphere Client, and shutdown all VMs, then right click on the host, and select Enter Maintenance Mode
  5. Start up the VMware vSphere Host Update Utility, and follow the wizard. You’ll be asked to select which host to update, browse to the VMware ESXi 4.0 (upgrade ZIP) file that you downloaded earlier, and confirm that you want to proceed. The ESXi host will reboot during the upgrade process.
  6. Once the update is complete, log back into your ESXi host using vSphere Client, then right click on the newly updated ESXi host, and select Exit Maintenance Mode

October 26, 2009

Directadmin and “Error Parsing Cron File”

Filed under: Linux — Matt @ 2:22 pm

I migrated my web hosting servers from cPanel to Directadmin earlier this year. The transition was smooth for the most part, but one problem was that users with blank crontabs with cPanel had corrupted crontabs post-migration. They could ssh in, and issue crontab -e, but any attempts to manipulate the crontab via Directadmin’s web interface resulted in the following error:

Error Parsing Cron File

The fix for this problem is to clear out all the lines in /usr/local/directadmin/data/users/username/crontab.conf.

August 28, 2009

Allowing @ Signs in MediaWiki User Names

Filed under: Web Development — Matt @ 1:56 pm

If you attempt to create a new MediaWiki account with its user name set to the same as the email address, you’ll be greeted by a cryptic “You have not specified a valid user name” error message. The reason for this is that MediaWiki forbids the @ sign in user names by default. Fortunately, the fix is easy, but took some Googling to find buried in MediaWiki’s 1.15 Release Notes.

To fix this, open your MediaWiki’s LocalSettings.php file, and add the following lines:

# enable user names with an @ sign
$wgInvalidUsernameCharacters = "";

Note that having an @ sign within a MediaWiki account’s user name can cause issues with InterWiki User Rights, but this shouldn’t be an issue for most MediaWiki installs.

August 16, 2009

Changing Mosets Tree’s Root Directory Page Title

Filed under: Web Development — Matt @ 10:31 pm

About half of the LAMP (Linux, Apache, MySQL, PHP/Python/Perl) stack websites that I develop or sysadmin for use the Joomla CMS. I like Joomla because it has a number of excellent extensions, including Mosets Tree – my favorite web directory software. A problem that I ran into recently while installing their latest 2.1 release was that by default, the root directory’s page is given  a page title of “Directory” with no way to be updated within Joomla. Here’s how I updated the title to something more search engine optimization friendly.

  1. Open up the language/en-GB/en-GB.com_mtree.ini file with your favorite text editor.
  2. Update the following line with your title of choice:

ROOT=Directory

Older Posts »

Powered by WordPress