Postfix/Dovecot + MySQL

As you can see by another post, I decided to reinstall the server. This isn’t really a problem, I have pretty good backups. I’ve installed apache and friends a bagillion times. However, Postfix (chroot) + Dovecot authenticating against MySQL doesn’t install quite so smoothly.
Just for my future reference, and maybe helpful for somebody, someday. Clearly not a tutorial. The Postfix chroot is /var/spool/postfix, so every path smtpd opens is relative to that directory, not to the host root.

cannot connect to saslauthd server: No such file or directory

First, get the saslauthd socket into the Postfix chroot: a chrooted smtpd cannot reach /var/run/saslauthd on the host, so saslauthd has to create its mux directory underneath the chroot instead. Edit /etc/conf.d/saslauthd (or /etc/default/saslauthd) and set:

SASLAUTHD_OPTS="-m /var/spool/postfix/var/run/saslauthd"

Second, point the init script’s stop() at the pid file, which now lives under the chroot as well:

stop() {
        ebegin "Stopping saslauthd"
        start-stop-daemon --stop --quiet \
                --pidfile /var/spool/postfix/var/run/saslauthd/saslauthd.pid
        eend $?
}

Third, if it still fails, tell smtpd where the socket is. smtpd runs inside the chroot, so this path is relative to /var/spool/postfix, not the host filesystem. In /etc/sasl2/smtpd.conf (or /etc/postfix/sasl/smtpd.conf) add:

saslauthd_path: /var/run/saslauthd/mux

Ok, that error should go away now.

Recipient address rejected: Domain not found;

(Host or domain name not found. Name service error for name=domain.com

These are the same error: the chrooted smtpd has no resolver configuration. Copy /etc/resolv.conf to /var/spool/postfix/etc/resolv.conf. It has to be a real copy; an absolute symlink would resolve inside the chroot and point at nothing. Repeat the copy whenever /etc/resolv.conf changes.

fatal: unknown service: smtp/tcp

Same cause: copy /etc/services to /var/spool/postfix/etc/services so smtpd can look up the port for “smtp”.
I searched google for these answers, to a certain degree at least, but couldn’t really find much. Then I remembered “oh, this is a chroot, it needs things” – and fixed stuff. If you came here from google, and these super quick notes were helpful, feel free to leave a comment, or contact me directly if you have any questions.
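Added example, not from the original post: a small shell helper that does the copies above (plus the other files a chrooted Postfix commonly wants) and a check for the two files behind the errors quoted here. The source /etc and the chroot directory are parameters so it can be exercised against a scratch directory; in production they are /etc and /var/spool/postfix.

```sh
#!/bin/sh
# Added example, not from the original post.
# sync_postfix_chroot SRC_ETC CHROOT
#   Copies the files a chrooted Postfix needs from SRC_ETC (normally
#   /etc) into CHROOT/etc (normally /var/spool/postfix/etc). Prints the
#   names that were copied. Both are parameters so the function can be
#   exercised against a scratch directory.
sync_postfix_chroot() {
    src="$1"; jail="$2"
    copied=""
    mkdir -p "$jail/etc" || return 1
    for f in resolv.conf services hosts nsswitch.conf localtime; do
        [ -f "$src/$f" ] || continue        # e.g. no localtime on some hosts
        # -L dereferences: /etc/resolv.conf is often a symlink, and a
        # symlink copied into the chroot would point back inside it.
        cp -L "$src/$f" "$jail/etc/$f" || return 1
        chmod 0644 "$jail/etc/$f"
        copied="${copied}${copied:+ }$f"
    done
    # Deliberately not copied: passwd, shadow, keys. The chroot should
    # contain nothing worth reading if smtpd is ever compromised.
    echo "$copied"
}

# check_postfix_chroot CHROOT
#   Returns 0 if the two files behind the errors quoted above are present
#   inside the chroot, 1 (with a message on stderr) otherwise.
check_postfix_chroot() {
    jail="$1"
    missing=""
    for f in resolv.conf services; do
        [ -f "$jail/etc/$f" ] || missing="${missing}${missing:+ }$f"
    done
    if [ -n "$missing" ]; then
        echo "missing inside $jail: $missing" >&2
        return 1
    fi
    return 0
}
```

Run it once after the install and again whenever /etc/resolv.conf changes (DHCP renewals rewrite it), then reload Postfix; a dhclient exit hook or a cron entry is the usual place for it.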

The Gentoo test

I have a love-hate relationship with Linux. I love it because if there is a problem, I can actually tinker and find the problem and fix it. But I hate it because I like to tinker.

Recently I’ve been doing a fair amount of Django programming – enjoying every minute of it. After completing several of my projects I decided to do some benchmarks, and the results are in! Generally I can serve cached/semi-cached pages at about 200req/sec. 200req! Considering this is 5,000,000 or so requests a day, and a number I am never going to reach, I still began to wonder: why isn’t it higher? I mean, serving a static html page is at like 1000+ req/sec, so why would a cached page be significantly different? I started exploring and noticed that Apache would spike the CPU. Ok, time to be thorough, and as I said, I like to tinker.

I tried lighttpd as a fastcgi to python – not a significant difference, basically the same. Next I tried several versions of python – one from 2.4 and one from 2.5, one as a package and one from source – same results. High cpu usage. Thinking it could be something related to my VPS (or some odd limit within Debian) I decided, ok, I’ll reinstall.

I reinstalled and got things working pretty quickly. The only slight hiccup was postfix/dovecot, cause postfix insists on being in a jail (and my configs are all setup for that). Also, Chinese support in Apache isn’t working. Regardless, I re-ran the benchmarks and the results were the same – so, it isn’t related to my previous install after all. Doh.

I’ll evaluate Gentoo as a server setup for a little while, but I’m thinking I’ll do a quick reinstall of Debian.

Generating a Self-Signed SSL Cert

I have the need to generate an SSL cert (Apache2) about once every 3 months. And since I’m cheap, I don’t ever actually buy one, I just self-sign it. And every time I forget the commands needed. So, here they are, for my reference only.
1) Generate Private Key. 1024-bit RSA is too short for anything current; use 2048 or more. The -des3 flag encrypts the key under a passphrase, which step 3 strips again.

openssl genrsa -des3 -out server.key 2048

2) Generate a CSR. Answer the prompts; the Common Name must be the hostname clients will connect to.

openssl req -new -key server.key -out server.csr

3) Remove passphrase. Otherwise Apache asks for it at every start. The result is an unprotected key on disk, so keep it root-owned with mode 0600 and delete server.key.org when done.

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

4) Generate Self-Signed Cert. Valid for a year; clients will still warn because nothing they trust signed it.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
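Added example, not the original post’s commands: the four steps collapsed into one openssl invocation with parameters a current client will accept, plus two small checks on the result. It assumes OpenSSL 1.1.1 or newer (for -addext); the hostname, key path and certificate path are parameters.

```sh
#!/bin/sh
# Added example, not the post's commands. Assumes OpenSSL >= 1.1.1.

# gen_selfsigned HOST KEYFILE CRTFILE [DAYS]
# 2048-bit RSA, SHA-256, no passphrase (-nodes), and a subjectAltName,
# because browsers ignore the CN and match the hostname against the SAN.
gen_selfsigned() {
    host="$1"; key="$2"; crt="$3"; days="${4:-365}"
    # The key is written unencrypted, so create it 0600 from the start
    # instead of chmod-ing it afterwards.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$key" -out "$crt"
    ) || return 1
    chmod 0644 "$crt"   # the certificate itself is public
}

# cert_cn CRTFILE: print the subject CN of a PEM certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject=//; s/^CN=//'
}

# cert_san CRTFILE: print the DNS names in subjectAltName, one per line
cert_san() {
    openssl x509 -noout -ext subjectAltName -in "$1" \
        | grep -Eo 'DNS:[^,[:space:]]+'
}

# cert_valid_for CRTFILE DAYS: succeed if the cert is still valid DAYS from now
cert_valid_for() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null
}
```

Typical call: gen_selfsigned mail.example.com /etc/ssl/private/server.key /etc/ssl/certs/server.crt, then point SSLCertificateFile and SSLCertificateKeyFile at the two files. Since no trusted CA signed it, hand users the SHA-256 fingerprint (openssl x509 -noout -fingerprint -sha256 -in server.crt) out of band so they have something to compare against the warning.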

Django SVN Update Goes Splat

I’m writing this just in case somebody runs into this same issue. I’m about to go live with a website and figured it would be best to have the latest SVN snapshot checked out from Django. I updated, and noticed that my voting module didn’t quite work as expected. I was getting the following error:

'module' object has no attribute 'GenericForeignKey'

I jumped into Trac and noticed that just yesterday some things were rearranged. In short, if you are using generic relations, you’ll need to change two parts of your code. First, the generic relations module must be imported from contenttypes:

from django.contrib.contenttypes import generic

And second, you’ll need to change the ‘location prefix’ (for lack of a better description):
From:

generic_field = models.GenericRelation(SomeOtherModel)

To:

generic_field = generic.GenericRelation(SomeOtherModel)

All should be fine from there on out. For more information, take a look at the reference wiki article.

PNG Transparency and IE

I’ve vowed to not use transparent PNGs until almost everybody has switched to IE7, where they are actually supported (despite being supported by every other major browser). I’ve done the hacks, and have had good results. I like using PNGs, I’ll admit it. Inkscape exports them directly, however one slight problem: transparency still exists. This isn’t really a problem since I’m not layering images, or is it?
My initial assumption was that IE would simply pull the white background and everything would be dandy. Well, we all know what they say about assumptions.

A few options exist:

  • Convert them to GIFs
  • Try some sneaky PNG IE hack
  • Do a rewrite and send all IE6 traffic to download firefox. Err… Do a rewrite and send all IE6 traffic to download firefox
  • Open each in GIMP and add a white background
  • Use ImageMagick and convert the background to white.

We have a winner! The problem is, for the life of me, I couldn’t figure out a simple convert command to do this. A quick bash script suffices:

#!/bin/bash
# Flatten every PNG in the current directory onto a white background, in
# place. -background only sets the colour; -flatten composites the image
# onto it, which is what actually removes the transparency.
CONVERT=/usr/bin/convert
for image in *.png; do
    "$CONVERT" "$image" -background white -flatten "$image"
    echo "Finished converting: $image"
done

**Note:** This converts every PNG in the current directory, in place; keep a copy of the originals if you still need the transparent versions.

So, now the PNGs have a “white” base layer, IE renders them fine, normal browsers render them fine, and I’m allowed a cup of coffee. I hope this helps somebody, if so, leave a note!

PSAD and Syslog-NG

I really like using PSAD, both on my server and my laptop. You never know where the mean people are. I also seem to use syslog-ng quite often, while PSAD seems oriented to syslog. This is fine, and I’m pretty sure the install.pl for the source build will configure syslog-ng.conf automatically. However, I almost always tend to stick with packages if I can – if they are even remotely close to the current version.
Anyway, if you need to get syslog-ng.conf configured for PSAD, this is what you need to do. PSAD reads the kernel’s iptables LOG messages from the named pipe /var/lib/psad/psadfifo, so the job is to route everything with facility kern into that pipe.
Add this to the “# pipes” section, maybe stick to keeping it alphabetical.

destination psadpipe { pipe("/var/lib/psad/psadfifo"); };

Next, go down a little to the “# filters” section, add this:

filter f_kerninfo { facility(kern); };

And finally, in the “# logs” section at the end, add this (s_all is assumed to be the name of your catch-all source; use whatever your config calls it):

log {
        source(s_all);
        filter(f_kerninfo);
        destination(psadpipe);
};

Restart syslog-ng, and you are good to go. Cheers to Michael Rash at Cipherdyne for his work on PSAD.
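Added example, not part of the original post: a check that the three pieces above are actually present and connected in a syslog-ng.conf, and that the FIFO exists. The config path and FIFO path are parameters; in production they are /etc/syslog-ng/syslog-ng.conf and /var/lib/psad/psadfifo. The names psadpipe, f_kerninfo and s_all are those from the snippets above, with s_all assumed to be your existing source.

```sh
#!/bin/sh
# Added example, not from the original post or from psad.
# psad_syslogng_check CONF FIFO
#   Prints one line per problem; returns 0 only when a destination,
#   a filter and a log {} block tying them together are all present
#   and FIFO really is a named pipe.
psad_syslogng_check() {
    conf="$1"; fifo="$2"
    rc=0

    # Strip comments and join lines so multi-line blocks can be matched.
    flat=$(sed 's/#.*$//' "$conf" | tr '\n' ' ')

    # destination psadpipe { pipe("<fifo>"); };
    printf '%s\n' "$flat" \
      | grep -Eo 'destination[[:space:]]+psadpipe[[:space:]]*\{[^}]*\}' \
      | grep -Fq "pipe(\"$fifo\")" \
      || { echo "no destination psadpipe writing to $fifo"; rc=1; }

    # filter f_kerninfo { facility(kern); };
    printf '%s\n' "$flat" \
      | grep -Eq 'filter[[:space:]]+f_kerninfo[[:space:]]*\{[^}]*facility\([[:space:]]*kern[[:space:]]*\)' \
      || { echo "no filter f_kerninfo on facility(kern)"; rc=1; }

    # One log {} block routing s_all -> f_kerninfo -> psadpipe. Each
    # block is one line after -o, so all three must appear on one line.
    printf '%s\n' "$flat" \
      | grep -Eo '(^|[; ])log[[:space:]]*\{[^}]*\}' \
      | grep -E 'source\([[:space:]]*s_all[[:space:]]*\)' \
      | grep -E 'filter\([[:space:]]*f_kerninfo[[:space:]]*\)' \
      | grep -Eq 'destination\([[:space:]]*psadpipe[[:space:]]*\)' \
      || { echo "no log {} block routing s_all through f_kerninfo to psadpipe"; rc=1; }

    # psad reads a named pipe. A missing path means it was never created
    # (mkfifo it); a regular file means syslog-ng got there first.
    [ -p "$fifo" ] || { echo "$fifo is not a FIFO"; rc=1; }

    return $rc
}
```

Run it before restarting syslog-ng; it catches the usual slip of adding the destination and filter but forgetting the log statement, after which psad silently sees nothing.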

Simple Chrooted SSH

You might be asking: why would you want to chroot ssh? Why use ssh anyway? Here are the quick answers:

  • FTP usually isn’t great. Unless wrapped in SSL/TLS, everything, including the password, crosses the wire in cleartext.
  • SSH usually is much better. SSH sends all data over an encrypted channel – the main drawback is: you can often browse around the system, and if permissions aren’t set right, read things you shouldn’t be able to.
  • Chroot’d SSH rocks. The solution to both the above problems.

So, let me tell a quick story.
When I started uni in 2001 I was a nerd. Still a nerd, I guess. I was cramped in my apartment on campus with like 5 boxes, most of them old p100s running Linux or OpenBSD. Life was good.
I started a CS degree (shifted into Business with a focus on IT), and we were told to use the school’s main servers to compile our programs. The other interesting thing is that all user accounts were visible when logged in via ssh – but hey, that is just the nature of Linux. I knew this, but asked the head I.T. person “why don’t you jail the connections?” He responded quickly telling me to go away.
Well, shortly after I made the comment (although solutions existed at the time), pam-chroot was released. This is right about the time students figured out they could spam everybody in the school, some 25,000 emails, quickly and easily – ’cause all the accounts were displayed. Sweet – now we can chroot individual ssh connections.
This quick demo will be on Debian, we’ll create a pretend user named “karl.” (I’ll assume you’ve already added the user before beginning these steps). Also, the jails will be in /var/chroot/{username}

First: Install libpam-chroot and makejail

kelvin@server ~$ sudo apt-get install libpam-chroot makejail

Second: makejail config file

Put the following in /etc/makejail/create-user.py:

#Clean the jail

cleanJailFirst=1
preserve=["/html", "/home"]
chroot="/var/chroot/karl"
users=["root","karl"]
groups=["root","karl"]
packages=["coreutils"]

Edit: If you need to use SFTP also, try this config:

cleanJailFirst=1
preserve=["/html", "/home"]
chroot="/home/vhosts/karl"
forceCopy=["/usr/bin/scp", "/usr/lib/sftp-server",
 "/usr/bin/find", "/dev/null", "/dev/zero"]
users=["root","karl"]
groups=["root","karl"]
packages=["coreutils"]

As you’ll see, there is a “preserve” directive. This is so that when you “clean” the jail (if you need to refresh the files, for instance), you won’t wipe out anything important. I created an /html so that the user can upload their web docs to that directory.

Third: configure libpam_chroot

Add the following to /etc/pam.d/ssh:

# Set up chrootd ssh

session required pam_chroot.so

Fourth: allow the actual user to be chrooted

Edit /etc/security/chroot.conf and add the following:

karl /var/chroot/karl

Fifth: create/chown the chroot’d dir (the original note left the owner off the chown; karl:karl assumes the usual per-user group)

kelvin@server ~$ sudo mkdir -p /var/chroot/karl/home

kelvin@server ~$ sudo chown karl:karl /var/chroot/karl/home

Now you should be able to log in as karl and land inside /var/chroot/karl. Two things to keep in mind: /var/chroot/karl itself, and everything under it except the user’s own tree, must stay root-owned and not writable by karl, otherwise karl can replace the shell and libraries the login session executes; and a chroot is a tidy-up, not a hard security boundary, so anything setuid or any stray device node left inside the jail is a way out.
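Added example, not from the original post and not part of makejail or pam_chroot: a shell audit of a jail directory before a user is let into it. It checks the things that decide whether the chroot actually confines anyone: the jail root is owned by the expected owner (root in production) and not writable by group or others, no directory outside the user’s own home is group- or world-writable, nothing inside is setuid or setgid, and no device nodes other than null and zero are present. The owner is a parameter so the function can also be tried on a scratch directory as an unprivileged user.

```sh
#!/bin/sh
# Added example, not makejail's or pam_chroot's code.
# audit_jail JAIL OWNER USERHOME
#   JAIL     jail root, e.g. /var/chroot/karl
#   OWNER    expected owner of the jail root (root in production; a
#            parameter so the check can run on a scratch dir as a test)
#   USERHOME the one directory tree the jailed user may write to
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_jail() {
    jail="$1"; owner="$2"; userhome="$3"
    rc=0

    # 1. The jail root must belong to OWNER. If the user owns it, they
    #    can rename or replace anything the login session executes.
    if [ -n "$(find "$jail" -maxdepth 0 ! -user "$owner")" ]; then
        echo "jail root $jail is not owned by $owner"; rc=1
    fi

    # 2. No directory outside USERHOME may be group- or world-writable
    #    (this includes the jail root itself).
    bad=$(find "$jail" -type d ! -path "$userhome" ! -path "$userhome/*" \
               \( -perm -0020 -o -perm -0002 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/writable dir outside user home: /'
        rc=1
    fi

    # 3. Setuid/setgid binaries inside a chroot are the classic way out.
    bad=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/setuid\/setgid file in jail: /'
        rc=1
    fi

    # 4. Device nodes other than null and zero expose the host
    #    (think /dev/sda or /dev/mem copied in by accident).
    bad=$(find "$jail" \( -type c -o -type b \) ! -name null ! -name zero)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/device node in jail: /'
        rc=1
    fi

    return $rc
}
```

For the setup above the call is audit_jail /var/chroot/karl root /var/chroot/karl/home/karl; run it again after every makejail refresh, since forceCopy happily brings in whatever you list.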

Layer Images Using ImageMagick

For one of my webapp projects I’m needing to layer two images. This isn’t a problem on my laptop – I just fire up GIMP, do some copy ’n pasting, and I’m done. However, since everything needs to be automated (scripted), and on a server – well, you get the point.
The great ImageMagick toolkit comes to the rescue. This is highly documented elsewhere, so I’m going to be brief.

Take this:

And add it to this:

I first tried to use the following technique:

convert bg.jpg -gravity center world.png -composite test.png

This generated a pretty picture, what I wanted. What I didn’t want was the fact that the picture was freaking 1.5 megs large, not to mention the resources were a little high:

real    0m7.405s
user    0m7.064s
sys     0m0.112s

Next, I tried to just use composite.

composite -gravity center world.png bg.png output.png

Same results, although the resource usage was just a tad lower. So, what was I doing wrong? I explored a little and realized I was slightly being a muppet. I was using a PNG background that was 1.2 megs large (long story). I further changed the compose type to “atop,” as that appeared to have the lowest resource usage. I modified things appropriately:

composite -compose atop -gravity center world.png bg.jpg output.jpg

This also yielded an acceptable resource usage.

The result:

A Dying Laptop

I have the pleasure of owning an old T23 laptop. To show you how old this puppy is, the current T series is at T60, and those have been out for over a year. This laptop was made in 2001, and I picked it up somewhat discounted late in 2003. It is now March 2007, and this puppy is still rock solid.

You heard me, it is almost six years old and still working fine – that is testimony to how well this laptop was built. There are several small cracks around the case, but nothing you would notice by just walking by. This laptop has been to more countries than many people.

I had the first problem this weekend, and it isn’t even related to the laptop. The hard drive, a 30G I put in at some point, started to crap out on me. Bad sectors were everywhere, so some of the programs were slightly unhappy (e.g. I couldn’t boot into X).

I’m going to buy a new laptop soon, I promise, about the time my MBA goals are reached. Until then, I’ll continue to be frugal, and deal with the bad sectors. Being a good IT nerd, everything is backed up to an external hard drive (and most stuff backed up remotely).

Luckily I’m using Linux – so I was able to run fsck/smartmontools a few times in recovery mode, make the bad blocks happy, and continue as “normal.” Phew, disaster averted.

One More Point Linux

It should come as no surprise that I enjoy using Linux. For the record, the first time I booted into Linux on my own was 1997, this was just before entering high school. So, while some of my tech friends played with NT, I was rumbling with the Penguin. Starting in 2000 I was using Linux as my main operating system, sometimes supplemented by OS X, and only using Windows when the gaming urge surfaced. In 2004 I mostly dropped playing any games, which resulted in dropping Windows – and apart from work, I haven’t used it since.

For me, I’ll admit, there are three things that Linux still lacks:

  • Simplistic video conferencing support
  • Video editing support
  • Gaming

I know that all of these are supported, but, in my opinion, not particularly well. Well, I don’t care about any of these enough to actually need windows, but it would be nice to see them improve.

So, I’m set. I’m 100% legal (don’t steal a single piece of software). And don’t have to be too afraid of viruses. What prompted me to write this little excerpt? A recent article at the Washington Post scared the beejeepers out of me, and makes me wish even more for Vista to either cure security problems, or everybody to move over to Linux. The article details the aftermath a virus can cause, not in damaging one’s computer, but in capturing information. The author further details his experience hunting down the data. This was one of the better articles I’ve read, and I thoroughly enjoyed the further details. If you want a little more motivation to move to Linux (or just tighten your machine), then I suggest you take a few moments to read the article as well.