Wednesday, February 22, 2006
SystemImager (sisuite) Boot Loader Problems
I've found that SystemImager doesn't always install the boot loader correctly for Ubuntu systems. After much stuffing around the problem lies with the fact that Ubuntu and many other distros use devfs manage the entries under /dev. So when system imager comes along and chroots itself into the newly installed file system it can't find the devices it needs to install grub or LILO.
The solution is to modified the autoinstall script as such:
Replace it with this:
Then in the Unmount filesystem section make it look like this:
Without clean umounts the autoinstall script fails to complete.
This info came from a post on the sisuite mailing list (link).
The solution is to modified the autoinstall script as such:
## BEGIN mount proc in image for tools like System Configurator ###
#echo "mkdir -p /a/proc || shellout"
#mkdir -p /a/proc || shellout
#echo "mount proc /a/proc -t proc -o defaults || shellout"
#mount proc /a/proc -t proc -o defaults || shellout
#### END mount proc in image for tools like System Configurator ###
Replace it with this:
echo "Doing devfs specific bind stuff..."
mkdir -p /a/proc || shellout
mkdir -p /a/dev || shellout
mount -o bind /dev /a/dev || shellout
mount -o bind /proc /a/proc || shellout
echo "Done doing bind stuff..."
Then in the Unmount filesystem section make it look like this:
echo "umount /a/proc || shellout"
umount /a/proc || shellout
echo "umount /a/dev || shellout"
umount /a/dev || shellout
echo "umount /a/ || shellout"
umount /a/ || shellout
Without clean umounts the autoinstall script fails to complete.
This info came from a post on the sisuite mailing list (link).
Tuesday, February 21, 2006
Qmail - Valid User Checking
One thing that has always irked me about qmail is the lack of valid user checking. The qmail-smtpd will always accept mail for delivery regardless of weather the address given in the rcpt to: field exists for the given domain. The message is then processed at which time qmail realizes that's not a valid user and generates a bounce message. In the case of spam where the from address is probably forged the bounce bounces back or worse still the spammer things he has a live email address and spams it even harder.
A bit of a scratch around on the net reveals 2 solutions to this problem.
qpsmtpd
magic mail
As I read it qpsmtpd needs the real smtp daemon to sit on another port (eg 2525) and it passes sessions through to that port after it passes the checks qpsmptd makes. That kind of approach seems a little out of place to me, but qpsmtpd does have some nice features.
In the end I went for magic mail. It is a direct replacement for qmail-smtpd. What follows is my notes on getting started with magic mail on Ubuntu 5.10:
I installed this on to of a qmail installation based on the one outlined by Qmail Rocks.
A bit of a scratch around on the net reveals 2 solutions to this problem.
qpsmtpd
magic mail
As I read it qpsmtpd needs the real smtp daemon to sit on another port (eg 2525) and it passes sessions through to that port after it passes the checks qpsmptd makes. That kind of approach seems a little out of place to me, but qpsmtpd does have some nice features.
In the end I went for magic mail. It is a direct replacement for qmail-smtpd. What follows is my notes on getting started with magic mail on Ubuntu 5.10:
I installed this on to of a qmail installation based on the one outlined by Qmail Rocks.
Download magic mail 0.8.4
To get it to work with gcc4 remove line from the file magicmail-0.8.4-2/magic-smtpd/magic-smtpd.h:
extern lm_string_t smtp_from_addr;
(Will be fixed in next version)
I changed Makefile.inc to USE_TLS
Run through the installation instructions.
Be sure to create the /etc/magic-mail/control directory.
I wanted valid user checking
echo true > /etc/magic-mail/control/check_valid_users
Which tells magic mail to check valid users
cp magicmail-0.8.4-2/scripts/vpopmail-check-user.sh /home/vpopmail/bin
chown vpopmail:vchkpw vpopmail-check-user.sh
Doesn't appear to work correctly unless chown'ed correctly
This program does the valid user check
Tell magic-mail to use it
vi /etc/magic-mail/control/ext_check_user_prog
Make this file contain the following line only
/home/vpopmail/bin/vpopmail-check-user.sh
Tuesday, February 14, 2006
Apache2 SSL -Ubuntu
Thursday, February 09, 2006
Samba/smbfs in fstab
I had success with this.
Put this line in /etc/fstab
The file /etc/file-server-credentials.conf contains the log on information
Then lock down the permissions on /etc/file-server-credentials.conf to restrict read access.
Edit /etc/groups and add the approriate users to fileserverusers group.
Put this line in /etc/fstab
//file-sever/thing /mymountpoint smbfs credentials=/etc/file-server-credentials.conf,gid=fileserverusers,fmask=660 0 0The file /etc/file-server-credentials.conf contains the log on information
username=someusername
password=apassword
Then lock down the permissions on /etc/file-server-credentials.conf to restrict read access.
gid=fileserverusers is to allow a group of users on the local linux box read write access to the /mymountpoint. This access is controlled my the fmask=660groupadd fileserverusersEdit /etc/groups and add the approriate users to fileserverusers group.
Monday, February 06, 2006
Ubuntu/Debian Run level configuration
There is a simple tool to do run level configuration. It only allows you to switch on or off a service/rc script/server in the rc.d (no run level selection). It also seems that "the debian way" is to have everyintg started at run level 2.
The tool is call rcconf
There is also update-rc.d but I have not had much luck getting it to change anything.
The tool is call rcconf
sudo apt-get install rcconf Then you can execute rcconf as the root user:
sudo rcconf
There is also update-rc.d but I have not had much luck getting it to change anything.
Thursday, February 02, 2006
Bind9 on Ubuntu
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: OPTS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="-u syslog" so that it reads: SYSLOGD="-u syslog -a /var/lib/named/dev/log":
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
/etc/init.d/bind9 start
Source HowToForge
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: OPTS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="-u syslog" so that it reads: SYSLOGD="-u syslog -a /var/lib/named/dev/log":
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
/etc/init.d/bind9 start
Source HowToForge
