Archive for the 'sysadmin' Category

Getting into a box when virt-manager is sucking

Sometimes virt-manager, over a less than optimal link, is unusable. Never fear: all it is doing is creating an ssh tunnel to the host and then connecting a VNC viewer through it, and there is no reason to let it have all the fun.

First, on the host, find out which port the VNC server for the guest (here the libvirt domain called dns) is listening on:

root@vm.foo.com:~# virsh dumpxml dns | grep graph
Connecting to uri: qemu:///system
<graphics type='vnc' port='5904'/>

(The <graphics> tag tends to get eaten by WordPress, so it is shown above with only the attribute that matters, port='5904'.) Libvirt binds the guest's VNC server to 127.0.0.1 on the host by default, so that port is reachable only from the host itself, which is why the next step is to tunnel it over ssh:

ssh -L 5904:localhost:5904 root@vm.foo.com

Then open a VNC session through the tunnel. The double colon tells vncviewer that 5904 is a TCP port rather than a display number (localhost:4 would mean the same thing):

npowell@malaise:~$ vncviewer localhost::5904

Cibatta bing. You in! Because ssh -L binds the local end to 127.0.0.1 by default, nobody else on your LAN can ride the tunnel, and since VNC itself does not encrypt the session, everything, VNC password exchange included, stays inside ssh.
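The same steps as a small shell wrapper, added here as an example and not code from the original post. It assumes virsh on the KVM host and a vncviewer locally; root@vm.foo.com and the domain name dns are placeholders, and the XML at the bottom is a constructed sample of virsh dumpxml output, not a capture:

```shell
#!/bin/sh
# Added example, not code from the original post: the virt-manager bypass
# as a reusable function. Assumes virsh on the KVM host and vncviewer
# locally; root@vm.foo.com and the domain name "dns" are placeholders.

# Read `virsh dumpxml` output on stdin and print the VNC port of the first
# <graphics type='vnc' .../> device. Returns 1 if there is none, or if the
# domain is shut off and libvirt still reports port='-1' for an autoport.
vnc_port_from_xml() {
    port=$(sed -n "s/.*<graphics[^>]*type='vnc'[^>]*port='\([0-9][0-9]*\)'.*/\1/p" | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Tunnel DOMAIN's VNC port from HOST and open it in vncviewer.
# Usage: vmvnc root@vm.foo.com dns
vmvnc() {
    host=$1
    domain=$2
    port=$(ssh "$host" virsh dumpxml "$domain" | vnc_port_from_xml) || {
        echo "no VNC console found for $domain on $host" >&2
        return 1
    }
    # -f -N: background the tunnel without running a remote command.
    # The explicit 127.0.0.1 keeps the forwarded port off the LAN; "localhost"
    # on the remote side matches where libvirt binds the VNC server by default.
    ssh -f -N -L "127.0.0.1:$port:localhost:$port" "$host" || return 1
    vncviewer "localhost::$port"
}

# Constructed sample of virsh dumpxml output (not captured from a real host),
# used to exercise vnc_port_from_xml without a hypervisor.
SAMPLE_XML="<domain type='kvm'>
  <name>dns</name>
  <devices>
    <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1'/>
  </devices>
</domain>"

# Prints 5904 when run stand-alone.
printf '%s\n' "$SAMPLE_XML" | vnc_port_from_xml
```

vmvnc pulls the port from the domain XML, backgrounds the tunnel with -f -N, and binds the local end explicitly to 127.0.0.1. If a guest is shut off, libvirt reports port='-1' for autoport VNC devices and the function refuses rather than tunnelling a bogus port.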

OpenDS

Lately I have taken a small personal interest in LDAP, and OpenDS in particular.

The Directory concept is startlingly easy to grasp, while the finer points of actually working with a directory are a little harder. I decided it might be cool to toss together a little rails app to work with LDAP. First though, I have been getting a little more familiar with the command line tools.

If you install OpenDS as a regular user on Linux, it defaults to port 1389 instead of the usual 389, because an unprivileged process cannot bind a port below 1024.

To change that, use dsconfig to set the listen port on the LDAP connection handler (dsconfig talks to the administration port, 4444 by default, not to the LDAP port):

dsconfig -h directory.urcompany.com -D cn=Directory\ Manager -w password -X -n \
set-connection-handler-prop --handler-name "LDAP Connection Handler" --set listen-port:389

A few things to watch: -w puts the Directory Manager password on the command line, where it shows up in ps output and shell history, so prefer -j with a password file; -X trusts whatever certificate the admin port presents, which is fine when you run this on the directory server itself; and the new port only works if the server is allowed to bind 389, so a server installed as a regular user will fail to bring the handler up on its next restart unless it runs as root or is granted CAP_NET_BIND_SERVICE.

Vim Tip I always forget

To get rid of all the ^M characters (carriage returns) that show up in files from Windows boxes, in vim:

:%s/^M//g

(Type the ^M as Control-v then Control-m, which inserts a literal carriage return into the pattern. :%s/\r//g does the same thing, since Vim's \r matches a carriage return.)

New Ubuntu is coming.

Highlight specific messages in Mutt

Let's say you belong to some high-volume lists and generally get a load of email every day.

You need a way to highlight important messages. Using patterns (the PATTERNS section of the mutt manual) in your muttrc is an easy way to make that happen.

This pattern says: if the message is from (~f) her@herdomain.com AND it is new (~N), show it in brightcyan on black in the index.

color index brightcyan black '~f her@herdomain.com ~N'

Keep in mind that ~f is a regular-expression match on the From: header, which is whatever the sender chose to put there; this is a convenience for triage, not a way to tell who actually sent a message.

Secure Move


smv() {
    # copy with scp, then delete the local copy only if scp reported success
    scp "$1" "$2" && rm -- "$1"
}
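A longer version of smv, added as an example rather than code from the original post, that does not trust scp's exit status alone: it compares SHA-256 digests on both ends before deleting anything, and quotes the remote path so the remote shell sees it literally. It assumes sha256sum on both machines; the host and paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: a "move" that only
# deletes the local file once the remote copy has been verified.
# Assumes sha256sum on both ends; host and paths are placeholders.

# Single-quote a string so the remote shell sees it literally. Needed
# because scp and ssh hand the remote path to a shell on the far side,
# so an unquoted name with spaces, $ or backticks is interpreted there.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# SHA-256 of a local file.
local_sha256() {
    sha256sum -- "$1" | awk '{ print $1 }'
}

# SHA-256 of PATH on HOST, computed remotely over ssh.
remote_sha256() {
    ssh "$1" "sha256sum -- $(shquote "$2") | awk '{ print \$1 }'"
}

# Copy FILE to HOST:PATH, confirm the digests match, then remove the local
# copy. Anything short of a verified match leaves the original in place.
# Usage: smv report.txt backup.example.com:/srv/reports/report.txt
smv() {
    src=$1
    host=${2%%:*}
    dest=${2#*:}
    if [ "$host" = "$2" ] || [ -z "$dest" ]; then
        echo "usage: smv FILE HOST:PATH" >&2
        return 2
    fi
    scp "$src" "$host:$(shquote "$dest")" || return 1
    if [ "$(local_sha256 "$src")" != "$(remote_sha256 "$host" "$dest")" ]; then
        echo "remote copy of $src does not match; local file kept" >&2
        return 1
    fi
    rm -- "$src"
}
```

The digest check costs one extra round trip but turns "scp did not complain" into "the bytes on the other side are the bytes I had", which is what a move is supposed to guarantee before the original disappears.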

Bind on Ubuntu

Oddly, when restarting BIND 9 on Ubuntu, the init script told me it had restarted OK, but named was in fact not running:

npowell@chihiro:~$ sudo /etc/init.d/bind9 restart
* Stopping domain name service... [ ok ]
* Starting domain name service... [ ok ]
npowell@chihiro:~$ ps aux | grep bind
npowell 23418 0.0 0.0 2880 800 pts/1 S+ 09:16 0:00 grep bind

Also, Ubuntu's habit of splitting absolutely ALL the logs into separate files is a little annoying (maybe inherited from Debian, I dunno). Nonetheless, if you look in daemon.log, you will see the error:

root@chihiro:/var/log# tail -n 9 /var/log/daemon.log
Apr 28 09:16:06 chihiro named[23411]: starting BIND 9.3.2 -u bind
Apr 28 09:16:06 chihiro named[23411]: found 2 CPUs, using 2 worker threads
Apr 28 09:16:06 chihiro named[23411]: loading configuration from '/etc/bind/named.conf'
Apr 28 09:16:06 chihiro named[23411]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 28 09:16:06 chihiro named[23411]: listening on IPv4 interface eth1, 192.168.0.1#53
Apr 28 09:16:06 chihiro named[23411]: listening on IPv4 interface eth2, 192.168.1.1#53
Apr 28 09:16:06 chihiro named[23411]: /etc/bind/named.conf.local:14: undefined ACL 'wtf'
Apr 28 09:16:06 chihiro named[23411]: loading configuration: not found
Apr 28 09:16:06 chihiro named[23411]: exiting (due to fatal error)

I made up that error, but you get the idea. The reason the init script returns OK is that named detaches into the background before it has finished loading its configuration, so start-stop-daemon sees a successful launch and the fatal error only surfaces afterwards in the log. The practical fix is to run named-checkconf before restarting, and to confirm with ps (or rndc status) that named is actually running afterwards, rather than trusting the [ ok ].
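Two helpers for this situation, added as an example and not from the original post: a check that reads named's own log lines to decide whether the most recent start died, and a restart wrapper that validates the config first and verifies named is alive afterwards. Paths are Ubuntu's bind9 defaults and the log excerpts are constructed, modelled on the made-up lines above.

```shell
#!/bin/sh
# Added example, not from the original post. The init script prints [ ok ]
# because named detaches before it has finished loading its config, so the
# reliable signals are named-checkconf beforehand and the daemon log (or the
# process list) afterwards. Paths are Ubuntu's bind9 defaults; the sample
# log lines below are constructed, not captured.

# Read syslog-style lines on stdin and print only those belonging to the
# most recent named instance, i.e. from the last "starting BIND" onwards.
# If no start message is present at all, every line is passed through.
last_named_run() {
    awk '/named\[[0-9]+\]: starting BIND/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }'
}

# Succeed (exit 0) if the most recent named start ended in a fatal error.
# Usage: named_start_failed < /var/log/daemon.log
named_start_failed() {
    last_named_run | grep -q 'named\[[0-9]*\]: exiting (due to fatal error)'
}

# Restart BIND without trusting the init script: refuse to restart on a
# config that does not parse, and verify afterwards that named survived.
bind_restart_checked() {
    named-checkconf -z /etc/bind/named.conf || return 1
    /etc/init.d/bind9 restart
    sleep 1
    if named_start_failed < /var/log/daemon.log || ! pgrep -x named > /dev/null; then
        echo "named is not running; check /var/log/daemon.log" >&2
        return 1
    fi
}

# Constructed sample modelled on the post's made-up excerpt: a good start
# followed by a restart that dies on the undefined ACL.
SAMPLE_LOG_BAD="Apr 28 09:10:00 chihiro named[23000]: starting BIND 9.3.2 -u bind
Apr 28 09:10:00 chihiro named[23000]: running
Apr 28 09:16:06 chihiro named[23411]: starting BIND 9.3.2 -u bind
Apr 28 09:16:06 chihiro named[23411]: loading configuration from '/etc/bind/named.conf'
Apr 28 09:16:06 chihiro named[23411]: /etc/bind/named.conf.local:14: undefined ACL 'wtf'
Apr 28 09:16:06 chihiro named[23411]: loading configuration: not found
Apr 28 09:16:06 chihiro named[23411]: exiting (due to fatal error)"

# The reverse: an old failure followed by a clean start.
SAMPLE_LOG_GOOD="Apr 28 09:16:06 chihiro named[23411]: exiting (due to fatal error)
Apr 28 09:20:00 chihiro named[23500]: starting BIND 9.3.2 -u bind
Apr 28 09:20:00 chihiro named[23500]: running"
```

named_start_failed looks only at the newest instance, so an earlier failure that has since been fixed does not raise a false alarm; bind_restart_checked still falls back to pgrep in case the log was rotated between the restart and the check.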

Installing php5-ming on Dapper

I ran into a package today that I couldn't find in the repos for Dapper, so I had to figure out a way to get it on there.

Luckily I ran into mah online, and I asked him for some dpkg-fu. He was kind enough to give me a hand getting this working. Here is what we did.

First, I added a Feisty source repo to my sources.list so I could grab the source package and rebuild it for Dapper (a deb-src line only adds source indexes, so this does not pull Feisty binaries onto a Dapper box):

echo "deb-src http://us.archive.ubuntu.com/ubuntu/ feisty main universe" >> /etc/apt/sources.list

Next, increase apt's cache size so it doesn't choke on the extra repo:

echo "APT::Cache-Limit \"33554432\";" >> /etc/apt/apt.conf

Then update and fetch the source package (apt-get source does not need root; it just unpacks into the current directory):

sudo apt-get update
apt-get source php5-ming

This should, among other things, create a directory called ming-0.3.0 (php5-ming is built from the ming source package). Next, find out which build dependencies are missing by attempting a build:

cd ming-0.3.0/
debuild -uc -us -b

This will tell you all the packages you need; install them. The only one you won't be able to install on Dapper is python-central. Who cares, we don't need the Python bindings anyway. Let's get rid of the need for it:

vi debian/rules

Change lines 25 and 26 to

#PYDEF=$(shell pyversions -d)
#PYVERS=$(shell pyversions -r)

And lines 181 and 182 to

#dh_pycentral
#dh_python

Now we are ready to build, but we'll have to force it: -d tells dpkg-buildpackage to skip the build-dependency check, which would otherwise still fail on python-central. (-uc -us skip signing the .changes and source files, so the resulting packages are unsigned.)

debuild -uc -us -b -d

When that finishes, the parent directory will contain a bunch of .deb's. Just install libming0 and php5-ming:

sudo dpkg -i php5-ming_0.3.0-11ubuntu1_i386.deb libming0_0.3.0-11ubuntu1_i386.deb

One last thing: enable the extension in php.ini (appending works, but check that the line isn't already there, or PHP will complain about loading the module twice):

echo "extension=ming.so" >> /etc/php5/apache2/php.ini

Then restart Apache.

That's it. You can also take those .deb's and use them on any other Dapper machine, though, as mah pointed out, I wouldn't use the Python ones if I were you :) Keep in mind that these packages are unsigned and came from a newer release's source, so Dapper's security updates will never touch them; it is on you to rebuild when ming gets a fix.

Cacti/Ubuntu/PAM

**EDIT, don’t use this :) I am pretty sure it’s not working properly, see previous edit, I am running out of time today to fix it. If I don’t get it right soon, I am going to take this down till I do get it working right**
**EDIT: I am not convinced the auth takes place before the rewrite to SSL, I am looking at that now **

So…you want to use PAM to do authentication for Cacti over SSL? Sweet, here is how. (These directions are for Ubuntu, but could probably be extrapolated to other distros).

First, set up mod_ssl. (That's a separate job I am not covering here; it's pretty straightforward.)

Now, install mod_auth_pam

apt-get install libapache2-mod-auth-pam

And add the Apache user to the shadow group (note the -a: without it, -G replaces the user's supplementary groups instead of adding one):

usermod -a -G shadow www-data

At this point, www-data can authenticate users through PAM. Be clear about what that costs: membership in shadow lets www-data read /etc/shadow, so every script the web server runs, Cacti and anything else on the box, can now read every local password hash. Weigh that before going further; it is the main reason PAM against system accounts is a poor fit for web authentication on a shared host.

Now we need to force SSL so that our communication with the server is encrypted:

vi /etc/apache2/sites-available/default

Adding this to the file (inside the <VirtualHost *:80> section):

RewriteEngine on
RewriteCond %{REQUEST_URI} ^\/cacti\/.*
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R=301]

Now, reload Apache

/etc/init.d/apache2 reload

There, now visit http://yoursite.com/cacti. It should redirect you to https and the Cacti login page. Log in and go to Settings (lower left), then click the Authentication tab. The first option is a checkbox, 'Use Cacti's Builtin Authentication', which is checked; uncheck it. Now anyone can get into your Cacti install! Wooo! Actually, let's fix that.

Open the apache conf file for cacti:

vi /etc/apache2/conf.d/cacti.conf

And add these lines (after the Alias directive). SSLRequireSSL makes Apache refuse plain-http requests for /cacti outright, and it is enforced before authentication, so Basic credentials are only ever requested over SSL no matter what the rewrite rule does:

<Location /cacti>
    # refuse plain http here, so credentials are never prompted for over it
    SSLRequireSSL
    AuthType Basic
    AuthName "Cacti"
    Require valid-user
</Location>

Reload Apache and go back to the URL. It should prompt you for a username and password (your system account, checked through PAM). Basic auth sends the password, merely base64-encoded, with every request, which is why it must only ever be offered over https.

That is all.

(If any of the Apache tags above show a space after the < symbol, that is WordPress doing weird things; there is no space in the real config.)

zenoss over ssl

Since Zenoss runs inside Zope, you have to do a couple of things to get it served over SSL. There are Zope plugins, and perhaps there is another way that Zenoss would recommend, but I have never been one for reading when I can stomp full speed ahead :)

I just created an SSL vhost and used mod_proxy to pass every request through to Zope on the loopback interface. (The <VirtualHost> and <Directory> container tags have been stripped by the blog's code formatter, so only the directives inside them survive below.) A few things worth checking with this setup: apache.pem holds the private key together with the certificate, so keep it readable by root only; Zope still speaks plain HTTP on 8080, so bind it to 127.0.0.1 or firewall that port, otherwise the SSL front end can simply be bypassed; ProxyRequests stays off by default, so this is a reverse proxy only and not an open forward proxy; the ExecCGI/Indexes/AllowOverride All settings do nothing useful for a pure proxy and are best trimmed; ServerSignature On advertises your Apache version on error pages; and because Zope builds absolute URLs from the request it sees, redirects can come back pointing at http://127.0.0.1:8080/ unless the proxied path goes through Zope's VirtualHostMonster, which is the Zope-side piece of this puzzle.



ServerAdmin bignate@yourwindowsbox.com
ServerName zen.domain.com

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

Options ExecCGI Indexes FollowSymLinks
AllowOverride All

ErrorLog /var/log/apache2/error.log
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

Update: the plugin I use to format code is messing that up
