I wrote this super script to print the WWIDs of SCSI devices 
If you have coded using LDAP libraries you should have notice about functions that ends with and without “_s”. That “s” means synchronous: the functions return when the operation is finished. The functions without the “s” are asynchronous: the functions return instantaneously without waiting for the end of the operation. The idea behind async functions is that you can call several LDAP functions to do different things and then you can pick the results when you need them, without blocking the program.
I’m writing this post because you should be careful using these functions. Today I was writing a small Python script to modify some object from a DIT and I lost 30 minutes trying to figure out why the script wasn’t working. I was using the function “bind()” and then “search_s()”. The second didn’t return anything but If I searched using the command line tools with the same parameters I got the objects. What was the problem? I missed the “_s” at the end of “bind()”. I was using the async version so I was calling “search_s()” before the end of the bind operation. 
Jan 092012
This is a small HOWTO about doing source routing with Squid and Linux. With Squid you can specifiy the outgoing IP address using ACLs. That means that you can select the outgoing IP using the information inside HTTP messages, thing that you can’t do with a firewall. The syntax is simple:
acl somedomain dstdomain somedomain.com
tcp_outgoing_address 1.2.3.4 somedomain
Those two lines say: “If the request is asking for somedomain.com, go to the world using IP 1.2.3.4″.
Now the Linux part. If you have more than one public IP address and you want to make the Squid configuration to work you need some iproute lines.
ip rule add table 10 from 1.2.3.4
ip route add table 10 default via GW
And those two lines says: “If the source IP of the packaet is 1.2.3.4, go via GW”.
Source routing with Linux is simple. What you do is to create a new table. This table will be used by that packets that match the criteria specified in “ip rule”. The “default table” is the table main, everything goes there if there is no rule. Is the table that you see with “ip route” or “route -n” (please, don’t use the last command anymore).
I documented the procedure in the 389DS Wiki: http://directory.fedoraproject.org/wiki/Howto:DebianPackages
Tested on Debian Squeeze, current status: works for me
Feedback is welcome!
Nov 012011
One of the tools that I’ve looked for in Linux was a good graphical LDAP client. I had ADS (Apache Directory Studio) in my list but I’ve never tried until today. It’s very complete and the interface is very good. It’s a pure LDAP client, it’s not a frontend for LDAP user administration or things like that. One of the great things that I found using it today is the “intelligent copy&paste” . If you copy and paste an entry in the same container ADS opens a windows called “Select copy strategy” with the following options:
- Stop copy process
- Ignore entry and continue
- Overwrite entry and continue
- Rename entry and continue: This is great, because you can use an object as templete and then you copy it with the new name in two-clicks.
Another great things are the connection wizard, attribute auto-completion, etc, etc… I’ve been using it for a few minutes and I’ve found a lot of useful things.
It’s a very well known issue that if you award sudo to an user and he/she executes a shell, you lost what the user does. I receive a requirement in a project to find out how to have a registry of the user actions after sudo. Linux offers a way to this, using the “Audit” system. With this piece of the kernel and its user space tools you can log the system calls invoked (and other things too). The most important one to observe is the “execve” system call. Having record of its invocations you’ll know what the users are doing after “sudo some_shell”.
There are some things to note about audit:
- What is going to be audited is configured by a set of rules.
- Rules define things like what system call, what user id, etc.
- The rules are persistent if they are set in /etc/audit/audit.rules. This means, for example, that if you set audit for some user and he restarts a daemon or executes something with nohup, the system will continue sending records to the system log even if the user log out.
- auditctl is a command line tool that can be used to load rules without using the configuration file.
- auid is the user ID of the user. This value is set in the pam stack at login an persist after sudo or su execution.
The third point is problematic. If you don’t fix that a lot of useless things will appear in the log files. What I used to avoid this is the pam_script module. It permits to execute scripts when the user opens and closse a session. Instead of persistent rules I execute auditctl to add/remove rules at every login and logout.
The configuration of this is simple. First install auditd and pam_script packages (I used Debian) and then put this line in the session section of service where you want to enable audit:
session required pam_script.so onerr=success dir=/etc/pam-scriptThe place where you put that line depends on when do you want to enable audit. For example, I only want to know what the user does after sudo, so that line is in the sudo pam service config file. If you want to watch the user just after login, you must put that line in every pam service that is an entry point (ssh, login, etc).
Next, you have to configure the pam_loginuid.so module.
session required pam_loginuid.so
The line above must be in every entry point. It sets the auid variable that I mentioned before. It doesn’t work if you use it in sudo or su pam files.
To finish, you have to create the scripts to be executed by pam_script. The location of the scripts depends on the “dir=” options of the pam module. The scripts must be called pam_script_ses_open and pam_script_ses_close. In my setup they execute the following lines:
AUID=$(getent passwd $USER | cut -d: -f3)
/sbin/auditctl [-a|-d] entry,always \
-S execve \
-F auid=$AUID
-a to add the rule, -d to remove.
You can see the logs in /var/log/audit/audit.log
There are a lot of people that don’t understand how to configure /etc/hosts. There are services that complains about that, for example: Zimbra, Apache, Squid, etc. The right syntax of every entry in /etc/hosts file MUST be:
For example:
1.2.3.4 myserver.example.com myserver
If you write that wrong, there are some functions of libc that don’t work properly because they are expacting “
To be sure that you /etc/hosts ir right, run hostname -f and hostname. They should return the FQDN and the hostname respectively.
Oct 062011
Today I calculated the space saved in one of the stores thanks to archiving+compression in one of the Zimbra servers that I’ve installed more than one ayer ago. The archiving volume has 273GB of email that uses 159GB of disk after compression. That’s 42% of saving.
I’m using a script to archive mails in the Open Source Edition that I’ve developed last year, running without any problems for more that 12 months.
It’s in my toolbox: https://github.com/diegows/toolbox
Today I had a problem with cron. One of that typical situation where a cron job doesn’t run and you don’t know the reason. If I ran the cron daemon from the command line, the cron job was executed. If I ran the daemon from the init script, nothing. Debugging the problem I executed the init script with “bash -x” where I saw that the script set the variable TZ with the content of /etc/timezone. This file had a different timezone from /etc/locatime link. The problem was that the job was working, but at different time. Cron has been a source of headaches…
Conclusion, if you have a problem with check, check /etc/localtime and /etc/timezone. They should point to the same timezone.
Today chatting via IRC I remembered a problem that I had some years ago with virtualization, iptables, nat and bridge. The situation of the guy asking was pretty similar. He has a one virtual machine (Qemu/KVM) connected to the world using a bridge and its default gateway is the virtualization host. He was trying to apply destination NAT to the VM in the host machine but it didn’t work. The rule was simple:
iptables -t nat -A POSTROUTING -s 10.0.3.11 -o eth0 -j MASQUERADE
It is perfect, there is nothing wrong there but he never saw the packet in the POSTROUTING chain. Why? The quick answer is “packets don’t cross nat table twice”. There is a flag in the Linux bridge to enable filtering with Iptables. Packets go to Iptables in the kernel when they are forwarded by the bridge. This includes the NAT table.
In the bridging process, you don’t know the outgoing interface so the previous rule doesn’t work. He needs the interface because he’s using MASQUERADE. In the routing process, the packets go to iptables but they never cross NAT tables because the packet already crossed the table in the bridging process.
How can we fix this? There are two options I think:
- echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables #To disable Iptables in the bridge.
- Raw table: Some years ago appeared a new tables in Iptables. This table can be used to avoid packets (connection really) to enter the NAT table: iptables -t raw -I PREROUTING -i BRIDGE -s x.x.x.x -j NOTRACK.
If you still don’t understand why this happens, I’ll try to explain one more thing. If you have an scenario with Virtualization and you host is your gateway, the packets follow this steps: [VM]->[bridge]->[virtual interface]->[host]->[physical interface]->[net]. When they cross the host, you have the routing process there.