,

Linux Convert ext3 to ext4 File system

3 comments

Some time ago ext4 was released and available for Linux kernel. ext4 provides some additional benefits and perforce over ext3 file system. You can easily convert ext3 to ext4 file system. The next release of Fedora, 11, will default to the ext4 file system unless serious regressions are seen. In this quick tutorial you will learn about converting ext3 to ext4 file system.

ext4 Filesystem Features

The ext4 filesystem has more features and generally better performance than ext3, which is showing its age in the Linux filesystem world. Features include:

Delayed allocation & mballoc allocator for better on-disk allocation

  • Sub-second timestamps
  • Space preallocation
  • Journal checksumming
  • Large (>2T) file support
  • Large (>16T) filesystem support
  • Defragmentation support
WARNING! Once you run following commands, the filesystem will no longer be mountable using the ext3. Please note that ext4 may have some bugs so do not use for production servers (wait for sometime watch Linux kernel mailing list for ext4 bugs). It's recommended that you keep /boot in a ext3 partition for sometime.

You need ext4 patch applied into kernel and compile kernel with ext4 support. Once done type the following command to convert an existing ext3 filesystem to use ext4, type:

# tune2fs -O extents,uninit_bg,dir_index /dev/dev-name

For example convert /dev/sdb1 to ext4, enter:

# cd /; umount /dev/sdb1
# tune2fs -O extents,uninit_bg,dir_index /dev/sdb1

Next run fsck, enter:

# fsck -pf /dev/sdb1

How do I mount ext4 partition?

mount -t ext4 /dev/sdb1 /path
mount -t ext4 /dev/sdb1 /share
mount -t ext4 /dev/disk/by-uuid/YOUR-PARTITION-UUID /share

Use blkid to get UUID.

How do I boot from ext4 (/boot)?

If you have converted /boot file system (or / used for /boot), update /boot/grub.conf (/boot/grub/menu.lst). Open file and find out current kernel config file and append the following:

rootfstype=ext4

Here is sample config (note I've custom kernel names): 

title           Ubuntu 8.10, kernel2.6.28.1-vmware-guest-server		

root            (hd0,1)	

kernel/boot/vmlinuz-2.6.28.1-vmware-guest-serverroot=UUID=8c2da865-13f4-47a2-9c92-2f31738469e8 ro quiet splash rootfstype=ext4

initrd		/boot/initrd.img-2.6.28.1-vmware-guest-server

quiet

Save and close the file. And run update-grub:

$ sudo update-grub


Next, update your /etc/fstab file so that it can be mounted as ext4 file system:

UUID=41c22818-fbad-4da6-8196-c816df0b7aa8 	/share	ext4	defaults,errors=remount-ro,relatime 0       1

Finally, reboot the system:

$ sudo reboot

Continue reading Linux Convert ext3 to ext4 File system
,

Search for all account without password and lock them

No comments

For security, reason it is necessary to disable all account(s) with no password and lock them down. Solaris, Linux and FreeBSD provide account locking (unlocking) facility.

Lock Linux user account with the following command:

passwd -l {user-name}

Solaris UNIX display password status

passwd  -u {user-name}

-l : This option disables an account by changing the password to a value, which matches no possible encrypted value.

Lock FreeBSD user account with the following command:

pw lock {username}

FreeBSD unlocking the account use:

pw unlock {username}

Lock Solaris UNIX user account with the following command:

passwd -l {username}

Lock HP-UX user account with the following command:

passwd -l {username}

For unlocking the HP-UX account you need to edit /etc/passwd file using text editor (or use SAM):

vi /etc/passwd

However, how will you find out account without password? Again, with the help of 'passwd -s' (status) command you can find out all passwordless accounts.

Linux display password status

passwd -S {user-name}

Where,
-S : Display account status information. The status information consists of total seven fields. The second field indicates the status of password using following format:

  • L : if the user account is locked (L)
  • NP : Account has no password (NP)
  • P: Account has a usable password (P)
# passwd -S radmin

radmin P 10/08/2005 0 99999 7 -1

Solaris UNIX display password status

passwd -s {user-name}

Where,
-s : Display account status information using following format:

  • PS : Account has a usable password
  • LK : User account is locked
  • NP : Account has no password

FreeBSD
I have already written about small awk one line approach to find out all passwords less accounts.

Automated Scripting Solution
However, in real life you write a script and execute it from cron job. Here is small script for Linux:

#!/bin/sh
USERS="$(cut -d: -f 1 /etc/passwd)"
for u in $USERS
do
passwd -S $u | grep -Ew "NP" >/dev/null
if [ $? -eq 0 ]; then
passwd -l $u
fi
done

FreeBSD script:

#!/bin/bash
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}'
/etc/master.passwd | cut -d: -f1)"
for u in $USERS
do
pw lock $u
done

Sun Solaris script:

#!/bin/sh
USERS=`passwd -sa | grep -w NP | awk '{ print $1 }'`
for u in $USERS
do
passwd -l $u
done

You can easily add email alert support to script so that when ever scripts finds passwordless account(s) it will send an email alert. See the complete working example of script here.

Continue reading Search for all account without password and lock them
,

A script to add user in Linux

26 comments 
# Path to files
pfile=/etc/passwd
gfile=/etc/group
sfile=/etc/shells

# Paths to binaries
useradd=/usr/sbin/useradd
chfn=/usr/bin/chfn
passwd=/usr/bin/passwd
chmod=/bin/chmod

# Defaults
defhome=/home
defshell=/bin/bash
defchmod=711 # home dir permissions - may be preferable to use 701, however.
defgroup=users
AGID="audio cdrom floppy plugdev video" # additional groups for desktop users

# Determine what the minimum UID is (for UID recycling)
# (we ignore it if it's not at the beginning of the line (i.e. commented out with #))
export recycleUIDMIN="$(grep ^UID_MIN /etc/login.defs | awk '{print $2}' 2>/dev/null)"
# If we couldn't find it, set it to the default of 1000
if [ -z "$recycleUIDMIN" ]; then
 export recycleUIDMIN=1000 
fi


# This setting enables the 'recycling' of older unused UIDs.
# When you userdel a user, it removes it from passwd and shadow but it will
# never get used again unless you specify it expliticly -- useradd (appears to) just
# look at the last line in passwd and increment the uid.  I like the idea of
# recycling uids but you may have very good reasons not to (old forgotten
# confidential files still on the system could then be owned by this new user).
# We'll set this to no because this is what the original adduser shell script
# did and it's what users expect.
recycleuids=no

# Function to read keyboard input.
# bash1 is broken (even ash will take read -ep!), so we work around
# it (even though bash1 is no longer supported on Slackware).
function get_input() {
local output
if [ "`echo $BASH_VERSION | cut -b1`" = "1" ]; then
  echo -n "${1} " >&2 # fudge for use with bash v1
  read output
else # this should work with any other /bin/sh
  read -ep "${1} " output
fi
echo $output
}

# Function to display the account info
function display () {
local goose
goose="$(echo $2 | cut -d ' ' -f 2-)"  # lop off the prefixed argument useradd needs
echo -n "$1 "
# If it's null then display the 'other' information
if [ -z "$goose" -a ! -z "$3" ]; then
  echo "$3"
else
  echo "$goose"
fi
}

# Function to check whether groups exist in the /etc/group file
function check_group () {
local got_error group
if [ ! -z "$@" ]; then
for group in $@ ; do
  local uid_not_named="" uid_not_num=""
  grep -v "$^" $gfile | awk -F: '{print $1}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_named=yes
  grep -v "$^" $gfile | awk -F: '{print $3}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_num=yes
  if [ ! -z "$uid_not_named" -a ! -z "$uid_not_num" ]; then
    echo "- Group '$group' does not exist"
    got_error=yes
  fi
done
fi
# Return exit code of 1 if at least one of the groups didn't exist
if [ ! -z "$got_error" ]; then
  return 1
fi
} 

#: Read the login name for the new user :#
#
# Remember that most Mail Transfer Agents are case independant, so having
# 'uSer' and 'user' may cause confusion/things to break.  Because of this,
# useradd from shadow-4.0.3 no longer accepts usernames containing uppercase,
# and we must reject them, too.

# Set the login variable to the command line param
echo
LOGIN="$1"
needinput=yes
while [ ! -z $needinput ]; do
if [ -z "$LOGIN" ]; then
  while [ -z "$LOGIN" ]; do LOGIN="$(get_input "Login name for new user []:")" ; done
fi
grep "^${LOGIN}:" $pfile >/dev/null 2>&1  # ensure it's not already used
if [ $? -eq 0 ]; then
  echo "- User '$LOGIN' already exists; please choose another"
  unset LOGIN
elif [ ! -z "$( echo $LOGIN | grep "^[0-9]" )" ]; then
  echo "- User names cannot begin with a number; please choose another"
  unset LOGIN
elif [ ! "$LOGIN" = "`echo $LOGIN | tr A-Z a-z`" ]; then # useradd does not allow uppercase
  echo "- User '$LOGIN' contains illegal characters (uppercase); please choose another"
  unset LOGIN
elif [ ! -z "$( echo $LOGIN | grep '\.' )" ]; then
  echo "- User '$LOGIN' contains illegal characters (period/dot); please choose another"
  unset LOGIN
else
  unset needinput
fi
done

# Display the user name passed from the shell if it hasn't changed
if [ "$1" = "$LOGIN" ]; then
echo "Login name for new user: $LOGIN"
fi

#: Get the UID for the user & ensure it's not already in use :#
#
# Whilst we _can_ allow users with identical UIDs, it's not a 'good thing' because
# when you change password for the uid, it finds the first match in /etc/passwd
# which isn't necessarily the correct user
#
echo
needinput=yes
while [ ! -z "$needinput" ]; do
_UID="$(get_input "User ID ('UID') [ defaults to next available ]:")"
grep -v "^$" $pfile | awk -F: '{print $3}' | grep "^${_UID}$" >/dev/null 2>&1
if [ $? -eq 0 ]; then
  echo "- That UID is already in use; please choose another"
elif [ ! -z "$(echo $_UID | egrep '[A-Za-z]')" ]; then
  echo "- UIDs are numerics only"       
else
  unset needinput
fi
done
# If we were given a UID, then syntax up the variable to pass to useradd
if [ ! -z "$_UID" ]; then
U_ID="-u ${_UID}"
else
# Will we be recycling UIDs?
if [ "$recycleuids" = "yes" ]; then
  U_ID="-u $(awk -F: '{uid[$3]=1} END { for (i=ENVIRON["recycleUIDMIN"];i in uid;i++);print i}' $pfile)"
fi 
fi

#: Get the initial group for the user & ensure it exists :#
#
# We check /etc/group for both the text version and the group ID number
echo
needinput=yes
while [ ! -z "$needinput" ]; do
GID="$(get_input "Initial group [ ${defgroup} ]:")"
check_group "$GID"
if [ $? -gt 0 ]; then
  echo "- Please choose another"
else
  unset needinput
fi
done
# Syntax the variable ready for useradd
if [ -z "$GID" ]; then
GID="-g ${defgroup}"
else
GID="-g ${GID}"
fi

#: Get additional groups for the user :#
#
echo "Additional UNIX groups:"
echo
echo "Users can belong to additional UNIX groups on the system."
echo "For local users using graphical desktop login managers such"
echo "as XDM/KDM, users may need to be members of additional groups"
echo "to access the full functionality of removable media devices."
echo
echo "* Security implications *"
echo "Please be aware that by adding users to additional groups may"
echo "potentially give access to the removable media of other users."
echo
echo "If you are creating a new user for remote shell access only,"
echo "users do not need to belong to any additional groups as standard,"
echo "so you may press ENTER at the next prompt."
echo
needinput=yes
while [ ! -z "$needinput" ]; do
history -c
history -s "$AGID"
echo "Press ENTER to continue without adding any additional groups"
echo "Or press the UP arrow to add/select/edit additional groups"
AGID="$(get_input ": " | tr -d '[:punct:]' | tr -s ' ' | sed 's?^ $??g' )"
if [ ! -z "$AGID" ]; then
  check_group "$AGID" # check all groups at once (treated as N # of params)
  if [ $? -gt 0 ]; then
    echo "- Please re-enter the group(s)"
    echo
  else
    unset needinput # we found all groups specified
    AGID="-G $(echo $AGID | tr ' ' ,)" # useradd takes comma delimited groups
  fi
else
  unset needinput # we don't *have* to have additional groups
fi
done

#: Get the new user's home dir :#
#     
echo
needinput=yes
while [ ! -z "$needinput" ]; do
HME="$(get_input "Home directory [ ${defhome}/${LOGIN} ]")"
if [ -z "$HME" ]; then
  HME="${defhome}/${LOGIN}"
fi
# Warn the user if the home dir already exists
if [ -d "$HME" ]; then
  echo "- Warning: '$HME' already exists !"
  getyn="$(get_input "  Do you wish to change the home directory path ? (Y/n) ")"
  if [ "$(echo $getyn | grep -i "n")" ]; then
    unset needinput
    # You're most likely going to only do this if you have the dir *mounted* for this user's $HOME
    getyn="$(get_input "  Do you want to chown $LOGIN.$( echo $GID | awk '{print $2}') $HME ? (y/N) ")"
    if [ "$(echo $getyn | grep -i "y")" ]; then
       CHOWNHOMEDIR=$HME # set this to the home directory
    fi
  fi
else
  unset needinput
fi
done         
HME="-d ${HME}"

#: Get the new user's shell :#
echo
needinput=yes
while [ ! -z "$needinput" ]; do
unset got_error
SHL="$(get_input "Shell [ ${defshell} ]")"
if [ -z "$SHL" ]; then
  SHL="${defshell}"
fi
# Warn the user if the shell doesn't exist in /etc/shells or as a file
if [ -z "$(grep "^${SHL}$" $sfile)" ]; then
  echo "- Warning: ${SHL} is not in ${sfile} (potential problem using FTP)"
  got_error=yes
fi
if [ ! -f "$SHL" ]; then
  echo "- Warning: ${SHL} does not exist as a file"
  got_error=yes
fi
if [ ! -z "$got_error" ]; then
  getyn="$(get_input "  Do you wish to change the shell ? (Y/n) ")"
  if [ "$(echo $getyn | grep -i "n")" ]; then
    unset needinput
  fi
else
  unset needinput
fi
done         
SHL="-s ${SHL}"

#: Get the expiry date :#
echo
needinput=yes
while [ ! -z "$needinput" ]; do
EXP="$(get_input "Expiry date (YYYY-MM-DD) []:")"
if [ ! -z "$EXP" ]; then
  # Check to see whether the expiry date is in the valid format
  if [ -z "$(echo "$EXP" | grep "^[[:digit:]]\{4\}[-]\?[[:digit:]]\{2\}[-]\?[[:digit:]]\{2\}$")" ]; then
    echo "- That is not a valid expiration date"
  else
    unset needinput
    EXP="-e ${EXP}"
  fi
else
  unset needinput
fi
done

# Display the info about the new impending account
echo
echo "New account will be created as follows:"
echo
echo "---------------------------------------"
display "Login name.......: " "$LOGIN"
display "UID..............: " "$_UID" "[ Next available ]"
display "Initial group....: " "$GID"
display "Additional groups: " "$AGID" "[ None ]"
display "Home directory...: " "$HME"
display "Shell............: " "$SHL"
display "Expiry date......: " "$EXP" "[ Never ]"
echo

echo "This is it... if you want to bail out, hit Control-C.  Otherwise, press"
echo "ENTER to go ahead and make the account."
read junk

echo
echo "Creating new account..."
echo
echo

# Add the account to the system
CMD="$useradd "$HME" -m "$EXP" "$U_ID" "$GID" "$AGID" "$SHL" "$LOGIN""
$CMD

if [ $? -gt 0 ]; then
echo "- Error running useradd command -- account not created!"
echo "(cmd: $CMD)"
exit 1
fi

# chown the home dir ?  We can only do this once the useradd has
# completed otherwise the user name doesn't exist.
if [ ! -z "${CHOWNHOMEDIR}" ]; then
chown "$LOGIN"."$( echo $GID | awk '{print $2}')" "${CHOWNHOMEDIR}"
fi

# Set the finger information
$chfn "$LOGIN"
if [ $? -gt 0 ]; then
echo "- Warning: an error occurred while setting finger information"
fi

# Set a password
$passwd "$LOGIN"
if [ $? -gt 0 ]; then
echo "* WARNING: An error occured while setting the password for"
echo "           this account.  Please manually investigate this *"
exit 1
fi

# If it was created (it should have been!), set the permissions for that user's dir
HME="$(echo "$HME" | awk '{print $2}')"  # We have to remove the -g prefix
if [ -d "$HME" ]; then
$chmod $defchmod "$HME"
fi

echo
echo
echo "Account setup complete."
exit 0
Continue reading A script to add user in Linux
,

How To Delete Mails From Or To A Specific Email Address From Your Mail Queue (Postfix)

No comments

If you get hit by a spam attack that floods your server with hundreds/thousands of emails from the same sender email address or to the same recipient email address, you can clean your mail queue from these emails with one single command before the mail flood takes your server to its knees.

You can check your current mail queue like this:

postqueue -p

To delete all mails from the mail queue that come from falko@example.com or are sent to falko@example.com (the command is the same regardless of if it's the sender or recipient address), you can use this command:

mailq | tail +2 | awk 'BEGIN { RS = "" } / falko@example\.com$/ { print $1 }' | tr -d '*!' | postsuper -d -

Afterwards check your mail queue again:

postqueue -p

It should now be much shorter.

Continue reading How To Delete Mails From Or To A Specific Email Address From Your Mail Queue (Postfix)
,

Setting, Changing And Resetting MySQL Root Passwords

No comments
This tutorial explains how you can set, change and reset (if you've forgotten the password) MySQL root passwords. Time and again I see problems like mysqladmin: connect to server at 'localhost' failed error: 'Access denied for user 'root'@'localhost' (using password: YES)'. So I thought it's time to remind you how to solve MySQL related password problems. If you are just looking for a quick fix how to reset a MySQL root password you can find that at the bottom of this tutorial.

mysqladmin Command To Change Root Password

Method 1 - Set up root password for the first time

If you have never set a root password for MySQL, the server does not require a password at all for connecting as root. To set up a root password for the first time, use the mysqladmin command at the shell prompt as follows:

$ mysqladmin -u root password newpass

If you want to change (or update) a root password, then you need to use the following command:

$ mysqladmin -u root -p oldpassword newpass

Enter password:

If you get...

mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: YES)'

then follow the instructions below on how to recover your MySQL password.

Change MySQL password for other users

To change a normal user password you need to type:

$ mysqladmin -u user-name -p oldpassword newpass

Method 2 - Update or change password

MySQL stores usernames and passwords in the user table inside the MySQL database. You can directly update a password using the following method to update or change passwords:

1) Login to the MySQL server, type the following command at the shell prompt:

$ mysql -u root -p

2) Use the mysql database (type commands at the mysql> prompt):

mysql> use mysql;

3) Change password for a user:

mysql> update user set password=PASSWORD("newpass") where User='ENTER-USER-NAME-HERE';

4) Reload privileges:

mysql> flush privileges;
mysql> quit

This method you need to use while using PHP or Perl scripting.

Recover MySQL root password

You can recover a MySQL database server password with the following five easy steps:

Step # 1: Stop the MySQL server process.

Step # 2: Start the MySQL (mysqld) server/daemon process with the --skip-grant-tables option so that it will not prompt for a password.

Step # 3: Connect to the MySQL server as the root user.

Step # 4: Set a new root password.

Step # 5: Exit and restart the MySQL server.

Here are the commands you need to type for each step (log in as the root user):

Step # 1 : Stop the MySQL service:

# /etc/init.d/mysql stop

Output:

Stopping MySQL database server: mysqld.

Step # 2: Start the MySQL server w/o password:

# mysqld_safe --skip-grant-tables &

Output:

[1] 5988
Starting mysqld daemon with databases from /var/lib/mysql
mysqld_safe[6025]: started

Step # 3: Connect to the MySQL server using the MySQL client:

# mysql -u root

Output:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>


Step # 4: Set a new MySQL root user password:

mysql> use mysql;
mysql> update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;
mysql> quit

Step # 5: Stop the MySQL server:

# /etc/init.d/mysql stop

Output:

Stopping MySQL database server: mysqld
STOPPING server from pid file /var/run/mysqld/mysqld.pid
mysqld_safe[6186]: ended

[1]+ Done mysqld_safe --skip-grant-tables

Start the MySQL server and test it:

# /etc/init.d/mysql start
# mysql -u root -p

Continue reading Setting, Changing And Resetting MySQL Root Passwords

Operating System Usage Over the Next 4 Years

No comments

These figures are extrapolated from W3Schools.com. I have predicted data for the next 4 years with a linear scale based on the last 5 years. The vertical axis has a logarithmic scale so the OSX and Linux data is meaningful. The graph shows a very slight decline in Windows usage and a notable increase in Apple OSX and Linux usage.


Obviously there are plenty of unforseen changes that could have an effect on this graph. I see the move towards OSX from Windows in the mainstream as inevitable, and I would imagine the change is more likely to be a sudden surge over a period of months rather than a smooth decline of Windows usage over a number of years.

It is interesting to compare the initial Vista predictions made by Steven York just before Vista’s release with the real stats in hindsight. The obviously low take up of Vista leaves most users on Windows XP, which when you compare to the look and feel of modern environments (for example: Websites, Mobile Phones, Latest Apple OS) it’s very clunky and unintuitive.

Continue reading Operating System Usage Over the Next 4 Years

4 Simple Apache tweaks to speed up delivery of your web site

No comments

Add these simple directives into your Apache configuration and you should notice a considerable increase in speed in the delivery of pages. As a working example, I performed these tweaks on http://www.shortlist.com/. Here are the before and after stats:

Shortlist Before Tweaks
Shortlist After Tweaks





The changes are:

  • Homepage on an empty cache from 956.6k to 658.9k, both 133 requests.
  • Homepage on a primed cache from 153.9k and 128 requests, to 25.9k and 8 requests.

Starting point for client side caching
To be added in the directive.

Adds a 1 week client side cache to GIFs, CSS, JS, SWF and JPEGs. Note once in place this cannot be revoked on the client end, the cache is in the user’s web browser. Be sure the site doesn’t overwrite images etc when using this, images need unqiue names.

Requires mod_expires (expires.load)
#Add client side caching for 604800 seconds
ExpiresActive On
ExpiresByType image/gif A604800
ExpiresByType text/css A604800
ExpiresByType application/x-javascript A604800
ExpiresByType image/jpeg A604800
ExpiresByType application/x-shockwave-flash A604800

If needed you can add more or custom MIME types for the ExpiresByType directive to process by editing /etc/mime.types and adding your own lines to the end.

Enable gzip
To be added in the directive.

Should be used on all sites. This used to effect render time, but PCs are plenty fast enough these days.

Requires mod_deflate (deflate.load) and mod_headers (headers.load)

#Add compression on everything except images, with netscape fix and make sure proxys don't override agent
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Configure ETAGs
To be added in the directive.

This is best used on HTTP load balancers. It prevents the client seeing 2 pages that are identical on 2 servers as different pages and pulling unnecesarily. If this is added to a site on a single web server, HTML will never get cached increasing the load, but this can have good effects as well.

#Disable ETags to hide multiple servers and aid caching
FileETag none

Prefork Configuration
To be modified in the httpd.conf/apache2.conf directive.

The default configuration top’s out way to fast. Any modern server can handle the load this will allow.

ServerLimit 1024

StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 1024
MaxRequestsPerChild 4000

Further Reading
Yahoo!’s performance rules: http://developer.yahoo.com/performance/rules.html

Continue reading 4 Simple Apache tweaks to speed up delivery of your web site

Installing PHP 5.2.x on RedHat ES5, CentOS 5, etc

No comments

I’ve had to follow this tutorial a few times myself now so decided I should share it with the world.

A few of our applications which make use of SOAP get a Segmentation Fault if run with PHP 5.1.x or lower. We believe this is due to a bug in PHP but can’t be sure, regardless it works fine in PHP 5.2.4 and above.

Problem is, RedHat ES5 does not have support at this time for anything higher than 5.1.6, and we didn’t want to break RPM dependancys etc by installing from source.

To install PHP 5.2.5 (Highest in repository at this time) you can make use of a RPM repository maintained by Remi. He has a repository for each distro, but to save you translating for the ES5 one I’ll give you the commands here. Run the following to get up and running:

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-2.noarch.rpm
wget http://rpms.famillecollet.com/el5.i386/remi-release-5-4.el5.remi.noarch.rpm
rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm

You now have the Remi repository on your system, however it is disabled by default. Obviously you don’t want all of your packages been effected by this repository, however to enable it for a specific package, run the following:

yum --enablerepo=remi update php

You should now have the latest PHP5 installed:

# php -v

PHP 5.2.5 (cli) (built: Nov 10 2007 10:52:30)

Copyright (c) 1997-2007 The PHP Group

Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
Continue reading Installing PHP 5.2.x on RedHat ES5, CentOS 5, etc

Setting Up a yum Repository

No comments
While there are many Linux users who prefer other tools for doing their patch management, yum is designed for RPM-based distributions. Its popularity has grown as Fedora Linux has adapted yum as its primary patch management tool. This chapter will help you set up and configure a yum repository for your Linux distribution.

Configuring a Local yum Server

The skills you need to configure a local yum server are not related to yum. They require knowledge of the FTP, Apache, or NFS services. While this section is not designed to provide a complete guide to any of these services, it provides a description of how you can configure a yum repository server based on the settings described earlier for Fedora Core 4 updates.

Because I personally prefer the efficiency of the FTP and NFS services for sharing files, I’ve covered the configuration steps required only for those services. For completeness, I’ve described how you can configure an Apache server to share files on a RHEL 4 yum repository near the end of this chapter. If you’re configuring a yum server, what you do will vary based on the following factors:

  • Distribution and version

  • Preferred version of a server (configuration steps vary for different FTP and HTTP servers and, to some extent, the way different distributions implement NFS servers)

  • Availability of yum for the distribution (i.e., if it isn’t available, be prepared to compile yum from a source RPM)

As with other network services, yum servers may be sensitive to any firewalls that you may configure. If you have a firewall between the yum server computer and associated clients, you’ll need to make sure traffic can travel through appropriate TCP/IP ports; for example, Apache services require access through TCP/IP port 80. Sure, there are ways to "tunnel" data through other services, such as SSH, but that should not be necessary for updates limited to your internal network. In any case, that level of detail is beyond the scope of this book.

Configuring an FTP yum Server

On current Red Hat/Fedora distributions, the default FTP server is vsFTP. According to its home page at http://vsftpd.beasts.org/, it’s the default FTP server used to share a number of Linux distributions, including Red Hat and Debian. It’s even used to share kernels through ftp.kernel.org.

The default version of vsFTP is configured in the vsftpd RPM. The default installation works well in most cases. The vsFTP configuration file is stored in /etc/vsftpd/vsftpd.conf for Red Hat/Fedora distributions (/etc/vsftpd.conf for SUSE and Debian distributions). In this case, we’re working from the RHEL 4 version of vsFTP.

By default, vsFTP files are stored in the /var/ftp directory. By convention, files that you copy for downloads are stored in the pub/ subdirectory. Therefore, the repository that you create should be in the /var/ftp/pub directory. For the example described earlier, update RPMs are stored in the following directory:

/var/ftp/pub/yum/4/i386/updates

If you’ve used the commands described earlier for Fedora Core 4, you’ll find the update header database in the repodata/ subdirectory.

There is a substantial number of options for vsFTP, most of which you can configure in the vsftpd.conf configuration file. The following is a review of active options in the RHEL 4 version of this file. If you want to check the current defaults for these and other options, read the vsftpd.conf man page associated with your vsFTP RPM. 

anonymous_enable=yes

You absolutely want to enable anonymous access for a FTP-based yum server. Anonymous access is normally enabled by default on a vsFTP server.

local_enable=yes

It’s normally best to disable access by regular users to a FTP-based yum server. As it is disabled by default, all you need to do is comment out this option.

write_enable=yes

Naturally, because you do not want anyone (unless authorized) to overwrite (or even add) to a yum-repository, you should disable write access. 

local_umask=022

If you do authorize write access (I believe you should not do so on an FTP-based yum server), this option sets the umask for any files created by users who are logged into your FTP server.

dirmessage_enable=yes

If active, this option looks for and reads any .message file that exists in the local directory. This can be useful if you want to send messages to other administrators.

xferlog_enable=yes

If active, this option logs downloads (and uploads) on the vsFTP server in the /var/log/xferlog file. For example, when I downloaded an updated version of yum, the vsFTP server placed the following entry in that file:

Mon Sep 2 17:18:25 2005 1 192.168.0.20 390363 /pub/yum/4/i386/updates/yum-2.4.0-0.fc4.noarch.rpm b _ o a anonymous@ ftp 0 * c

As you can see, this lists the date and time of the transfer, the client IP address, as well as the size and location of the file. This is a standard format shared with the WU-FTP server and can be mined as a database for more information on client computers that connect to your server.

connect_from_port_20=yes

Some FTP clients require this option, which uses TCP/IP port 20 for data transfers.

xferlog_std_format=yes

If you’ve activated the xferlog_enable option noted earlier, this option supports a standard format shared with the WU-FTP server.

pam_service_name=vsftpd

The pam_service_name option defers to Pluggable Authentication Modules to help secure the vsFTP service. This particular option sets rules in /etc/pam.d/vsftpd. One of the key options in this file prohibits users listed in /etc/vsftpd.ftpusers from logging into this vsFTP server.

userlist_enable=YES

As configured, this is redundant with the previous command. When enabled, it makes the vsFTP server read the /etc/vsftpd.user_list file and deny access to all who attempt to connect as one of the users listed in this file. By default, this file contains the same list of users as shown in /etc/vsftpd.users.

listen=YES

By default, Red Hat / Fedora configures the vsFTP server as a standalone service, with a vsftpd activation script in the /etc/rc.d/init.d directory. In contrast, SUSE does not configure vsFTP as a stand-alone service and configures listen=NO by default.

tcp_wrappers=YES

As configured, Red Hat / Fedora configures the vsFTP server for one more level of security, through TCP Wrappers support, which allows you to configure more security related commands in the /etc/hosts.allow and /etc/hosts.deny files.When you’re satisfied with the configuration, you should activate the vsFTP server with the following command (which is not required if you’ve set listen=NO):

/etc/init.d/vsftpd start

Finally, you can make sure that vsFTP is active the next time you reboot Linux with the following command:

chkconfig vsftpd on

This command activates the vsFTP server whenever you’re in run levels 2, 3, 4, or 5. (If you configure vsFTP in xinetd, it activates it in the /etc/xinetd.d directory.) For the purpose of this chapter, assume the name of this server is yum.example.com.

Configuring a yum Client for an FTP-Based yum Repository

After you’ve configured this FTP yum server, configuring the associated yum client is a straightforward process. As you’ve seen in Chapter 6, yum configuration files that point to yum servers are normally configured in the /etc/yum.repos.d directory. For Fedora Core 4, we will examine the client file that points to the yum Update server: fedora-updates.repo.

For the yum FTP server as configured, all you need to include in the fedora-updates.repo file is the following:

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
baseurl=ftp://yum.example.com/pub/yum/4/i386/updates
enabled=1
gpgcheck=1

As described earlier, for a vsFTP server, this means that update RPMs as well as the associated repodata/ subdirectory are stored on the yum.example.com computer in the /var/ftp/pub/yum/4/i386/updates directory.

Configuring an NFS yum Server

On current Red Hat/Fedora distributions, an NFS server is installed by default, courtesy of the nfs-utils RPM. The default installation works well in most cases. You can specify shared NFS directories in the /etc/exports configuration file. In this case, we’re working from the RHEL 4 version of NFS.

You can share directories as configured on an NFS server. For the example described earlier, update RPMs are stored in the following directory:

/var/ftp/pub/yum/4/i386/updates

Therefore, you can share this directory at any level, as long as the mount point on the NFS client is consistent. For example, I’ve added the following line to my /etc/exports configuration file:

/var/ftp/pub  192.168.1.0/24(ro,sync)

This particular configuration command shares the /var/ftp/pub directory. It limits access to clients in the noted IP address range. Clients are allowed read-only (ro) access. Changes are committed to disk before any new requests are made (sync).

NOTE

The notation shown in /etc/exports is associated with Classless Inter-Domain Routing (CIDR). The 192.168.1.0/24 address corresponds to a range of client IP addresses from 192.168.1.1 and 192.168.1.254 (the range excludes network and broadcast addresses).

For more information, see the exports man page Linux Administration Handbook by Evi Nemeth, Garth Snyder, and Trent Hein (Upper Saddle River, NJ: Prentice Hall, 2002). After you’re satisfied with the configuration in /etc/exports, deactivate the NFS server with the following command:

/etc/init.d/nfs stop

NOTE

Remember, this chapter is focused on Fedora/Red Hat. The NFS server script goes by different names on other Linux distributions.

By default, this should stop any NFS services, quotas, the NFS daemon, as well as the mountd daemon. Next, export the changes to /etc/exports with the following command:

exportfs -a

Now restart the NFS services with the following command:

/etc/init.d/nfs start

Confirm the exports in from the local list with the following command:

showmount -e

If you’re on another system, you can find the shared NFS directories. For example, you can list those on a server named yum.example.com with the following command:

showmount -e yum.example.com

Finally, you can make sure that NFS is active the next time you reboot Linux with the following command:

chkconfig nfs on

This command activates the NFS server whenever you’re in run levels 2, 3, 4, or 5.

Configuring an NFS yum Client

You’ll need to mount the NFS share on an appropriate local directory, and then configure the associated file in /etc/yum.repos.d to point to that share. Because we’re configuring a share for Fedora updates, we’ll modify the fedora-updates.repo file.

First, on the NFS client, you should confirm your ability to connect to a shared NFS directory. The following command connects to the yum.example.com NFS server to find what shares are available on that server:

showmount -e yum.example.com

You’ll see the shared directories that you configured earlier, including /var/ftp/pub. I’ve mounted it on the local /var/yum directory with the following command:

mount yum.example.com:/var/ftp/pub /var/yum

If the /var/yum directory does not yet exist, you’ll get an error message. Now you can configure your fedora-updates.repo file in your /etc/yum.repos.d directory. For the yum NFS server as configured, all you need in fedora-updates.repo is the following:

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
baseurl=file:///var/yum/yum/4/i386/updates
enabled=1
gpgcheck=1

As described earlier, for a vsFTP server, this means that update RPMs as well as the associated repodata/ subdirectory are stored in the yum/4/i386/updates subdirectory, mounted on the /var/yum directory.

Note the syntax associated with the baseurl command. The file: command works in place of ftp: or http:. The triple forward slash (///) is the standard syntax required for mounted directories.

If you’ve configured a Fedora Updates repository on a Fedora Core server, this command may be slightly different. Based on the directory specified earlier, you would substitute the following baseurl command:

baseurl=file:///var/ftp/pub/yum/4/i386/updates

Naturally, you may want to configure this shared directory as part of the boot process for each NFS client. It’s possible to configure it in the default /etc/fstab configuration file, as well as through the Automounter daemon. I recommend the latter, which avoids hangups when there are network problems. The Automounter daemon is easy to configure; it requires the autofs RPM. After that RPM is installed, here’s how you can configure a NFS client for Fedora updates as configured in this chapter:

  1. Install the autofs RPM; if you’ve configured yum, the simplest way is with the following command. Even if you’re not sure if autofs is installed, this command makes sure that you have the latest version of the Automounter:

    yum install autofs

  2. Configure the Automounter master file to read from /etc/auto.misc. Open the /etc/auto.master configuration file. You’ll see sample commands; activate the following to read from the noted file. The timeout prevents your system from hanging if there’s a problem with your network or the NFS server.

    /misc /etc/auto.misc --timeout=60

    Automounter shares configured in /etc/auto.misc are configured as subdirectories of /misc.

  3. Configure the Automounter /etc/auto.misc file to read from the shared NFS directory. Based on the shared directory and NFS server name described earlier, add the following line to that file:

    yum  -ro,soft,intr   yum.example.com:/var/ftp/pub

  4. Start the Automounter service with the following command:

    /etc/init.d/autofs start

    NOTE

    Yes, it is possible to use the /etc/auto.net script to find and connect to shared NFS directories. But it might not be compatible with SE Linux. For more information, see bug 174156 on http://bugzilla.redhat.com.

  5. Test the result. If your network is connected and the NFS server is running, you should be able to see the shared NFS directory with the following command:

    ls /misc/yum

    Occasionally, you may need to run this command more than once to establish the connection.

  6. Configure the /etc/yum.repos.d/fedora-updates.repo file to point to this directory as shared. Based on the previously shared NFS directory, the baseurl command would be

    baseurl=file:///var/ftp/pub/yum/4/i386/updates

  7. Test the result with the yum update command. You should see messages similar to a regular yum update from other local or remote servers.

Continue reading Setting Up a yum Repository

Adding Yum to CentOS 5

No comments

Adding Yum to CentOS 5

I use a lot of VPS and often times, they don’t actually have yum to make my life easier. So here is a quick HOWTO on installing yum on a CentOS box. This assumes that you have rpm and wget already installed. Note: This will only work on CentOS 5.2 while the mirror is still active.

Run the following code in a temporary directory to download all the RPMs.

#!/bin/bash

for file in \
elfutils-0.125-3.el5.i386.rpm \
elfutils-libs-0.125-3.el5.i386.rpm \
expat-1.95.8-8.2.1.i386.rpm \
gmp-4.1.4-10.el5.i386.rpm \
libxml2-2.6.26-2.1.2.1.i386.rpm \
libxml2-python-2.6.26-2.1.2.1.i386.rpm \
m2crypto-0.16-6.el5.2.i386.rpm \
python-2.4.3-21.el5.i386.rpm \
python-elementtree-1.2.6-5.i386.rpm \
python-iniparse-0.2.3-4.el5.noarch.rpm \
python-sqlite-1.1.7-1.2.1.i386.rpm \
python-urlgrabber-3.1.0-2.noarch.rpm \
readline-5.1-1.1.i386.rpm \
rpm-4.4.2-48.el5.i386.rpm \
rpm-libs-4.4.2-48.el5.i386.rpm \
rpm-python-4.4.2-48.el5.i386.rpm \
sqlite-3.3.6-2.i386.rpm \
yum-3.2.8-9.el5.centos.1.noarch.rpm \
yum-metadata-parser-1.1.2-2.el5.i386.rpm
do wget http://mirror.centos.org/centos-5/5.2/os/i386/CentOS/$file;
done

Once you have downloaded the necessary files. Install them all by typing:
# rpm -Uvh *.rpm

Then feel free to # yum -y update to bring your system up to date.

Continue reading Adding Yum to CentOS 5