<?xml version="1.0" encoding="utf-8"?>
        <?xml-stylesheet type="text/css" href="http://www.dward.us/styles/feed.css"?>
<rss version="2.0"
 xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:admin="http://webns.net/mvcb/"
>
<channel>
<title>DaveQB's Rambles</title>
<link>http://www.dward.us</link>
<description>Where I will be able to keep publicly accessible information on different things I do in the I.T. world.</description>
<dc:language>en-us</dc:language>
<dc:creator>DaveQB</dc:creator>
<dc:date>2012-04-22T16:51:12+10:00</dc:date>
<admin:generatorAgent rdf:resource="http://nanoblogger.sourceforge.net" />
<item>
<link>http://www.dward.us/archives/2012/02/15/index.html#e2012-02-15T10_38_13.txt</link>
<title>wget, PCLinuxOS and ssl certs</title>
<dc:date>2012-02-15T10:38:13+10:00</dc:date>
<dc:creator>david</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[<p>I found that wget has been having issues with SSL certs on PCLinuxOS since about November 2011. It was producing an error like this:
</p>
<pre>
ERROR: Cannot open directory /etc/openssl/certs.
</pre>
<p>A little google found this blog entry on the matter: <a href="http://andrzejl.no-ip.org:10101/wordpress/2011/11/11/solved-wget-https-error-cannot-open-directory-etcopensslcerts/">http://andrzejl.no-ip.org:10101/wordpress/2011/11/11/solved-wget-https-error-cannot-open-directory-etcopensslcerts/</a><br>
I didn't even have the folder /etc/openssl. So instead I just did this:
</p>
<pre>
cat ~/.wgetrc
ca-directory=/etc/ssl/certs/
</pre>
<p>Creating that wget rc file and putting in that variable solved it for my local user. Of course, this doesn't solve it for all users. I could perhaps create /etc/wgetrc, but this is a single-user machine anyway.
</p>
]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/12/08/index.html#e2011-12-08T14_11_46.txt</link>
<title>wget's file save name.</title>
<dc:date>2011-12-08T14:11:46+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
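<p>When using wget to download files with URLs that give a 302 redirect, wget uses the name in the original URL, not the name in the final URL. To use the file name in the final URL, add the switch <i>--trust-server-name</i>. The default exists because the name in the final URL is chosen by the remote server, so only add the switch for servers you trust.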
</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/11/20/index.html#e2011-11-20T20_53_51.txt</link>
<title>How to avoid the “S to Skip” message on boot in Ubuntu</title>
<dc:date>2011-11-20T20:53:51+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
<p>On the odd occasions I boot up my Mythbuntu system without a disk in it that is in the fstab, I am asked on the boot screen what to do with this missing disk: press M to manually mount or S to skip. Well, this is not practical on a headless system; I end up having to go find a keyboard and monitor, drag them over and plug them in to resolve this issue. To avoid this, add the <i>nobootwait</i> option to the mounts you want to be skipped if not present. I added it to all but the slash mount. Happy days!</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/10/13/index.html#e2011-10-13T10_50_48.txt</link>
<title>Fail2Ban</title>
<dc:date>2011-10-13T10:50:48+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[<p>I had some issues getting fail2ban working on my CentOS server. I finally worked out some core rules with setting this up.
By the way, <a href="http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Usage">the manual is here and is helpful</a>.</p>

<p>The fail2ban.conf file is the main file and doesn't need to be edited much normally. Setting the log level up higher here helps debugging.<br>
The jail.conf file is where you do all your work. Here you define a rule with brackets like so: [apache]. Then we have keywords. The one I had an issue with was the filter setting. I thought the title in the brackets was the name that linked to the regex file, but it is in fact the filter option. So setting the filter to a name means you want to call that file (plus a .conf) from the filter.d/ dir. For example, "filter = apache" would mean this rule calls the filter.d/apache.conf file. The action setting sets what happens on a match. You can have many actions, with each action on its own line. For example:
<pre>
action   = hostsdeny[file=/etc/hosts.deny]
           iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail[name=Postfix, dest=me@email.com]
</pre>

Log path means the log this rule is watching. So this is important too. Setting it to the current log means old logs won't be processed and you won't have previously banned IPs banned again.<br>
That is about it.
</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/05/11/index.html#e2011-05-11T13_59_50.txt</link>
<title>apcupsd on Lenny</title>
<dc:date>2011-05-11T13:59:50+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[<p>I am surprised it took me this long to work this out, but the init script for apcupsd on my Proxmox VE server, which runs Debian Lenny, is broken. It does two things wrong: 1) It does not create a pid file when it starts, which is not terrible, but the stop procedure relies on there being a pid file to stop it and gives up if there is not one. And 2) it does not pass the default /etc/apcupsd/apcupsd.conf file as the -f argument, so any changes you make to it are ignored in the running daemon. Add to that, some other little scripting best practices are not followed. I have edited it and here it is. All working for me. Any feedback welcome:
</p>

<pre>
#!/bin/sh

### BEGIN INIT INFO
# Provides:             apcupsd
# Required-Start:       $syslog
# Required-Stop:        $syslog
# Should-Start:         $local_fs
# Should-Stop:          $local_fs
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Starts apcupsd daemon
# Description:          apcupsd provides UPS power management for APC products.
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/sbin/apcupsd
CONFIG=/etc/default/apcupsd
NAME=apcupsd
DESC="UPS power management"
PID=/var/run/apcupsd.pid
test -x $DAEMON || exit 0
test -e $CONFIG || exit 0

set -e

. $CONFIG

if [ "$ISCONFIGURED" = no ]
then
        echo "Please check your configuration ISCONFIGURED in /etc/default/apcupsd"
        exit 0
fi


case "$1" in
        start)
                echo -n "Starting $DESC: "

                rm -f /etc/apcupsd/powerfail

                if [ -z "$(pidof apcupsd)" ]
                then
                        start-stop-daemon --start --quiet --make-pidfile --pidfile $PID --exec $DAEMON -- -f /etc/apcupsd/apcupsd.conf
                        echo "$NAME."
                else
                        echo ""
                        echo "A copy of the daemon is still running.  If you just stopped it,"
                        echo "please wait about 5 seconds for it to shut down."
                        exit 0
                fi
                ;;

        stop)
                echo -n "Stopping $DESC: "
                start-stop-daemon --stop --oknodo --pidfile $PID|| echo "Not Running."
                rm -f $PID
                echo "$NAME."
                ;;

        restart|force-reload)
                $0 stop
                sleep 10
                $0 start
                ;;

        status)
                $APCACCESS status
                ;;

        *)
                echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
                exit 1
                ;;
esac

exit 0
</pre>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/05/08/index.html#e2011-05-08T00_12_53.txt</link>
<title></title>
<dc:date>2011-05-08T00:12:53+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>

<description><![CDATA[
<p><a href="http://www.no-ip.com/">I have used No-Ip</a> (maybe 10 years now). It is a Dynamic DNS service like DynDNS etc. It is good, but it limits how many clients you can have, much like all the others. So I have toyed with setting up something myself, as I have a public Linux DNS server to receive the updated IP info. After trying a few methods that had varying success, I concluded that the following was the best method. DOMAIN would equal a domain name you have set aside for this purpose.</p>

<ol>
<li>
We set up passwordless ssh to the server. Do a search online with your favourite search engine, as there are lots of tutorials already published for this.
</li>

<li>
On the client side we run this every 10 minutes:

<pre>
FILE="DOMAIN-ip"
# Fetch our public IP; stop here if the lookup fails so we never upload a bad file
curl -sf ifconfig.me/ip -o "$FILE" || exit 1
scp -q "$FILE" dward.name:
exit 0
</pre>
</li>

<li>
Set up the zone to accept updates by adding the following to your named.conf for bind9:

<pre>allow-update { localhost; };</pre>

Restart bind9.
</li>

<li>
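On the server side, run an hourly cron job, or anything to your heart's content:

<pre>
PHY="$(cat DOMAIN-ip)"
# The uploaded value ends up in nsupdate commands, so accept only digits and dots
case "$PHY" in
        ""|*[!0-9.]*) exit 1 ;;
esac
CMDS="$(/bin/mktemp)"
# Address the local name server currently hands out for DOMAIN
CUR="$(host -t A DOMAIN localhost | grep DOMAIN | cut -d' ' -f4)"
if [ "$CUR" != "$PHY" ]
then
# Heredoc body and terminator start at column 0 so the shell finds the closing EOF
cat > "$CMDS" &lt;&lt;EOF
update delete DOMAIN A
update add DOMAIN 1800 A $PHY
send
EOF
        /usr/bin/nsupdate "$CMDS"
fi
# Always clean up the temporary command file
rm -f "$CMDS"
</pre>
</li>
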
</ol>

<p>Edit anything there to your needs of course.<br>
References: <a href="https://www.debian-administration.org/users/JulienV/weblog/4">https://www.debian-administration.org/users/JulienV/weblog/4</a> <br><a href="http://www.shakabuku.org/writing/dyndns.html">http://www.shakabuku.org/writing/dyndns.html</a>
</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2011/01/20/index.html#e2011-01-20T11_22_42.txt</link>
<title>&quot;waiting for device sdd2 to appear (timeout 1min)&quot;</title>
<dc:date>2011-01-20T11:22:42+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
<p><a href="http://www.pclinuxos.com/forum/index.php/topic,74051.0.html">This thread has most of the information</a> apart from dealing with this issue if you cannot boot into your PCLinuxOS install. I added my bit to the thread and will add it here as well. </p>

<p>
I have to add this for people who have this issue but are unable to boot because of it (like I couldn't after a motherboard upgrade)
<br>
It's almost like a Windows issue with a motherboard swap causing the system to fail to boot.
<br>
To add to <b>old-polack</b>'s comments: I found that, inspecting the initrd script inside the initrd, there is a reference to a UUID of the root partition.
I found this odd as my root partition resides on an LV.
<br>
So to resolve this (after many hours of online searching and reading and re-reading this thread)
<br>
<ol>
<li>Boot into a live environment similar to your PCLinuxOS. I used PCLinuxOS minime 2010.</li>
<li>mkdir /mnt/root</li>
<li>mount /dev/mapper/main-slash (or /dev/sda2 or wherever your root partition is) /mnt/root</li>
<li>mount -o bind /proc /mnt/root/proc</li>
<li>mount -o bind /sys /mnt/root/sys</li>
<li>mount -o bind /dev /mnt/root/dev</li>
<li>chroot /mnt/root</li>
<li>bootloader-config --action rebuild-initrds</li>
<li>Reboot</li>
</ol>
<br>
I am going from memory so commands might be slightly off.
<br>
</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2010/10/22/index.html#e2010-10-22T13_16_59.txt</link>
<title>VirtualHosts Apache IPs 443 SSL</title>
<dc:date>2010-10-22T13:16:59+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
<p>Well I found out the hard way why apache was failing to start, silently. It turns out I had a VHost listening on "NameVirtualHost 1.2.3.4:443" but it did not have "SSLEngine On" in its directives. This breaks apache without it understanding enough to tell you. A handy tip for all you system admins out there.</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2010/10/22/index.html#e2010-10-22T12_40_44.txt</link>
<title>Multi-line grepping</title>
<dc:date>2010-10-22T12:40:44+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
<p>So you want to search for a pattern and then print that pattern and everything after it up until another pattern. Say for example a bash function, search for the name of the function and then print until the function is closed with }. Well this can be done with sed. The script here: <a href="http://www.dward.us/software/multiline-grep"> multiline-grep</a> can do this. Just run it without an argument for the small help message. Enjoy!</p>]]></description>
</item>
<item>
<link>http://www.dward.us/archives/2010/05/09/index.html#e2010-05-09T17_19_05.txt</link>
<title>Poor man's Specto</title>
<dc:date>2010-05-09T17:19:05+10:00</dc:date>
<dc:creator>DaveQB</dc:creator>
<dc:subject>IT</dc:subject>
<description><![CDATA[
<p>I loved the idea of <a href="http://specto.sourceforge.net/">Specto</a> when I stumbled upon it. But using CentOS at work and Mandriva at home, I did not have access to it in the repositories. So I simply made my own cron job to monitor a website for changes.</p>
<p>My idea was simple. Grab the default home page, store it, then at the next time interval grab it again and do an md5sum comparison between the new page and the previous one. Then I found wget has a timestamp switch [-N Turn on time-stamping.] So using that, I came up with the below cron job command to check if a page has changed using the timestamp of modification.</p>

<pre>
01      *       *       *       *       cd /home/david/website_diffs/wsp && wget -N http://wspirates.com/ 2>&1 |grep -q "o newer" || printf "Wspirates web page appears to have updated.\n\nSuggest you check it out.\n\n"|mail -s "Pirates page updated." david@email.com
</pre>

<h3>To break this down</h3>
<p>We have this run every hour. We have first created the folder /home/david/website_diffs/ and then created a folder in there for each web page, wsp in this example.</p>
<ul>
<li>We change to this folder.</li>
<li>We grab the current page with wget with the -N switch on. This will check if a file of the same name in the working directory has the same or newer timestamp. If it does, it does not download it, prints a message saying "Server file no newer than local file `index.html' -- not retrieving." and returns a 0 exit status. The command here sends all of wget's output, both errors and standard output, to the standard output stream so it can be piped over to grep.</li>
<li>We grep silently for "o newer", which is a way to search for the message above. If we find this, meaning the page is not newer, we end there.</li>
<li>If we do not find this message and grep exits with a non-zero status, then the 'or' (||) control operator kicks in and we run the ensuing command.</li>
<li>The final command simply emails someone about our discovery.</li>
</ul>

<p>So quite simple really. It doesn't work as well as Specto, as Specto allows for a percentage change option, which is good for sites with advertising. This could possibly be done by using diff to compare the previously downloaded page and the new one [every hour or so] and working out the percentage of lines that have changed compared to the whole page. But this I did not need, as all I want to know is if a page has been updated. I hope this is useful for someone.</p>]]></description>
</item>
</channel>
</rss>

