Category: Linux

Linux

DNS and multiple VPNs: Using dnsmasq to access multiple dns suffixes

On my Fedora 15 laptop, I'm almost always connected to several VPNs simultaneously. One VPN to my office or to my home (depending on where I am), one to the data center, one to a customer. These connections all have their own DNS server with their own suffix.

To make all dns suffixes working, I created a script that redirects all outgoing DNS traffic to dnsmasq running on localhost, which in turn forwards all requests for .lan to 192.168.15.254 and all requests for .gl to 192.168.1.254.

The script was put in /etc/NetworkManager/dispatcher.d/10-DNS:

if [ -e /var/run/dnsmasq.localhost ]; then
        cat /proc/`cat /var/run/dnsmasq.localhost`/cmdline |grep dnsmasq >/dev/null 2>/dev/null && \
        kill `cat /var/run/dnsmasq.localhost`
fi
 
if [ "$2" == "up" ]; then
        cp /etc/resolv.conf /etc/resolv.conf.dhcp
        echo nameserver 127.0.0.1 >  /etc/resolv.conf
        echo domain $DHCP4_DOMAIN_NAME >> /etc/resolv.conf 
        echo search $DHCP4_DOMAIN_NAME >> /etc/resolv.conf 
        /usr/sbin/dnsmasq -C /dev/null -r /etc/resolv.conf.dhcp --server=/gl/192.168.1.254 \
            --server=/lan/192.168.15.254 --bind-interfaces --listen-address 127.0.0.1 \ 
            --pid-file=/var/run/dnsmasq.localhost
fi

Once I had to fix resolv.conf manually when I connected my laptop to my Samsung Galaxy SII as well. This may mean I need to improve the script some day, but for the time being, it works good enough.

© GeekLabInfo DNS and multiple VPNs: Using dnsmasq to access multiple dns suffixes is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
IT

My Dymo label writing process

This page contains raw notes and/or untested notes. They may be incorrect, parts may be missing or the article may contain parts that are not needed and more. An update will probably follow some day.

To print labels on my Dymo, I'm running a custom built webapp that allows users in the entire network to print. It has a memory, prints KIX-codes (that make it easier for the postal service to process letters) and prints a logo.

In my setup, the server generating the logo and the server printing it are two different machines. But even if they weren't, this method keeps the webserver in its SELinux confinement.

Requirements

We need some tools, install the packages with the following command:
yum install ripmime

Add the printer to CUPS

Add the printer to CUPS, so you can spool jobs to it. I'm not explaining this part.

Generate a label

Using PHP's GD extensions I generate a new image with width=1010 and height=540. Using this high resolution results in good quality prints.

The image is exported as a .png file, named [something-random].dymo.png and transported to the printserver through a special email-address.

Prepare the mailserver

I'm running a Postfix mailserver. This mailserver has a special address that accepts print jobs, extracts the files and prints them.

In /etc/postfix/master.cf, add the following lines:

printer unix  -       n       n       -       -       pipe
  flags=F  user=nobody argv=/etc/postfix/bin/printserver $sender $recipient

Then in /etc/postfix/transport, we put:

printer.geeklab.info    printer:

The domain printer.geeklab.info doesn't necessarily need to exist, as long as you smtp right to this mailserver.

Finally in /etc/postfix/main.cf we enable the transport maps, if that hasn't been done before:

transport_maps = hash:/etc/postfix/transport

Write a script

In master.cf we start the script /etc/postfix/bin/printserver. Add this content to said script:

#!/bin/bash
TMPDIR=/var/spool/mailprinter/$$_${RANDOM}_${RANDOM}
MESSAGE_FILE=${TMPDIR}_the_message
mkdir -p $TMPDIR
cat > $MESSAGE_FILE
ripmime -i $MESSAGE_FILE -d $TMPDIR
for i in ${METAMAIL_TMPDIR}/*.dymo.png; do
lpr -PDymo -o PageSize=w167h288 -o landscape -o page-left=0 -o page-top=0 -o page-right=0 -o page-bottom=26 -o orientation-requested=5 -o scaling=100
done
rm -rf $MESSAGE_FILE $TMPDIR

Manage SELinux settings

The script we just write uses ripmime and lpr and runs as the Postfix pipe user. To allow the Postfix pipe program to use these tools, run postfix_pipe_t in a permissive state:
semanage permissive -a postfix_pipe_t
Always remember to manage SELinux, not disable it.

Ubuntu/Debian

I'm running RedHat-based software on all of my machines. Above information may be useful for Ubuntu/Debian users, but it's not tested and I'm not supporting it.

Servers: RedHat Enterprise Linux/CentOS is more suitable for servers, as there's a lot of professional level support available. I think that's important, because if I say, get a car accident, I want the servers to be managable by another professional.

Desktops/Laptops: RPM packages are pretty exchangable between RedHat-based platforms. That's a good reason to run Fedora on the desktop.
© GeekLabInfo My Dymo label writing process is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
IT

Using Ctrl+Alt+F1 in a VMWare Virtual Machine

When you're running Linux, pressing CTRL+ALT+F1 will bring you to console #1. If you want to go to the console of a vmware guest, this won't work, because the host will go to the console instead of the guest. Making it pretty hard to get to a console.

The correct combination for linux-in-vmware-on-linux is CTRL+ALT+SPACE, release space while holding down CTRL+ALT, then add the F1 key.

© GeekLabInfo Using Ctrl+Alt+F1 in a VMWare Virtual Machine is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
IT

Syslog kills Postfix performance

This night, some scriptkiddie decided it'd be fun to overload one of my servers by bruteforcing the FTP. The FTP server taking 90% of the CPU made the whole server slow. Especially the Postfix mailserver experienced a huge delay.

Anyway, I just firewalled out the scriptkiddie and Postfix could start processing the queue. But for some reason, it delivered no more than 5-10 mails a second. That would mean that processing the queue of 18.000 mails would take 30-60 minutes.

I've tried to figure out why Postfix was so slow before. Without any luck. Using the well known tuning pages didn't help me at all. Today, I opened up /usr/bin/top, to see that the system was doing a lot of I/O. I accidently found out why: I like to have syslog write *.* to /var/log/allmessages.

This simple rule caused so much extra I/O, that postfix was slowed down 90%. After disabling "allmessages" performance went up, and the queue was processed within minutes. Makes me wonder what happens if I...

  • disable logging at all, which is a bad idea as you can no longer spot abuse
  • find a way to enable write-cache - the default syslog of CentOS 5 does not support this AFAIK
  • write logs to another device

Interesting...

© GeekLabInfo Syslog kills Postfix performance is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
IT

Install mod_auth_ntlm_winbind on CentOS 6.0

Step 1. Install ntp and synchronize clocks

We'll be using winbind, kerberos and ntlm to authenticate the user. This requires the clocks of the AD server and the proxy server to be synchronized.

yum -y install ntp

sed -i "s/^server /#server /g" /etc/ntp.conf

echo "server YOURSERVERNAME" >> /etc/ntp.conf

ntpdate YOURSERVERNAME #synchronize right now

service ntpd start #and keep in sync

chkconfig ntpd on #after reboot as well

Step 2. Update system and install required software

yum update
yum install mc vim httpd php svn httpd-devel make autoconf gcc ntp krb5-workstation \
samba-common authconfig samba-winbind

Step 3. Connect to active directory

Please note that MYCOMPANY.local and mycompany.local may be different domains due to the upper/lowercase.
ADSERVER=sbs.MYCOMPANY.local
DOMAIN=MYCOMPANY.local
WORKGROUP=MYCOMPANY
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
--krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
service winbind start ; chkconfig winbind on
setsebool -P allow_httpd_mod_auth_ntlm_winbind on

Now check your winbind connection using the following commands:
wbinfo -u
wbinfo -g

The socket /var/lib/samba/winbindd_privileged/pipe should be writable by the webserver. To allow that access, I add user apache to the group wbpriv: usermod -G wbpriv apache

Step 4. Download and compile mod_auth_ntlm_winbind

svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
cd mod_auth_ntlm_winbind/
autoconf
./configure
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

Step 5. Configure it

In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf I put the following configuration
LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so

Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "NTLM Authentication"
AuthType NTLM
Require valid-user
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on

In /etc/httpd/conf/httpd.conf, change KeepAlive Off to KeepAlive On. Preferably, also set MaxKeepAliveRequests and KeepAliveTimeout to a high value. On my intranet server, they're set to 1000 requests and 600 seconds.:w

Step 6. Change your firewall to enable incoming HTTP

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save

Step 7. Go!

Run service httpd restart, make httpd start on reboot using chkconfig httpd on and test your configuration.

© GeekLabInfo Install mod_auth_ntlm_winbind on CentOS 6.0 is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...
Linux

X11 over SSH

CentOS 5's and Fedora 15's base installations are pretty good prepared to use X11 over SSH. You just need to install one more package on the server you're connecting to: xorg-x11-xauth. According to yum info, the purpose of this package is:
xauth is used to edit and display the authorization information used in connecting to an X server.
This editting probably means synchronising X11 authority cookies between SSH peers.

Installing is done using:
yum install xorg-x11-xauth

Then ssh into the box using:
ssh -X [servername]

© GeekLabInfo X11 over SSH is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
IT

Fedora 15: Nagios errors

Installation of Nagios on Fedora 15 is easy as yum install nagios nagios-plugins* php nrpe. I only found one problem: Error: Could not read object configuration data!

The webserver runs as user apache, which cannot access /etc/nagios/objects by default. Chmod or chown the directory to fix it, or add user apache to the group nagios.

You may also want to check the selinux settings, which can be restored by typing restorecon /etc/nagios

© GeekLabInfo Fedora 15: Nagios errors is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

1 Star2 Stars3 Stars4 Stars5 Stars (7 votes, average: 5.00 out of 5)
Loading...