Mod_Rewrite forbidden 403 with Apache 2.2.8

If you get a message like this and you are sure that your mod_rewrite rules are OK:

[Tue Jun 10 11:18:59 2008] [error] [client 192.168.1.85] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/enterprise/file.html

You need to enable FollowSymLinks in the directory that uses mod_rewrite; if you don't, you will get a friendly 403 error message :)

<Directory /path/of/your/dir>
Options -All
Options +FollowSymLinks
</Directory>

To enable globally, use httpd.conf with

<Directory />
 Options +FollowSymLinks
</Directory>

See you!

Tips learnt in Mysql HA classes

Replication

  • The --read-only switch (or read_only in my.cnf) is the best way to block unwanted writes on a replication slave. So, ditch your user-specific privilege restrictions :) EDIT: this only applies to MySQL > 5.1.15
  • log-slave-updates in my.cnf needs underscores, because with normal dashes it doesn't work at all (at least with MySQL 5.1.22). So, it's log_slave_updates
  • Talking about log_slave_updates again, it's essential if you're setting up a circular replication system. Without it, replication will stop at the first hop.
  • SET GLOBAL SQL_SLAVE_SKIP_COUNTER=n can be useful if you have to skip past a replication error. Be careful anyway, because it can lead to logical inconsistencies in your data if abused.

Cluster

  • When starting up data nodes using ndbd, you can add the --nostart flag to have the process loaded in memory without doing anything. Then you can tell the node to actually start working from the management console with ID_node start. Moreover, you can put the nostart flag in your config.ini, in the [ndbd default] section, if you want the change to apply to every node.
  • In the management console, as said, you can start (or stop, or restart) the data nodes manually, but if you try the same with the SQL nodes you'll get a strange error. That's because SQL nodes can only be restarted from the local machine, as if they were a normal mysql installation (in fact, it is a normal mysql install :)

Mysql Proxy

  • If you are trying to run mysql-proxy with a Lua script, and you have the script tree in /usr/share/mysql-proxy, then you have to issue a command like this, otherwise mysql-proxy will complain about Lua includes that cannot be found:
    LUA_PATH=/usr/share/mysql-proxy/?.lua mysql-proxy --proxy-backend-addresses=192.168.45.112:3306 --proxy-lua-script=/usr/share/mysql-proxy/rw-splitting.lua

X-Cache and X-Cache-Lookup headers explained

OK, maybe you have no problems dealing with web caches, but I (and my workmates as well :P) do, so here goes this post.

Let's imagine you are behind a classic transparent proxy on port 80 and you're visiting a web site that runs an internal web cache (so, another proxy). If you inspect the HTTP headers looking for some info, you can find two lines that look like this, given domain.tld as the website you are visiting and proxy.local as your internal transparent proxy.

X-Cache HIT from proxy.domain.tld, MISS from proxy.local
X-Cache-Lookup HIT from proxy.domain.tld:3128, MISS from proxy.local:3128

What does this mean? That this is the first time you visit that website (MISS from proxy.local) and that their proxy has a valid copy of the page in its cache (X-Cache HIT from proxy.domain.tld). I'll explain the meaning of X-Cache-Lookup later.

X-Cache MISS from proxy.domain.tld, MISS from proxy.local
X-Cache-Lookup HIT from proxy.domain.tld:3128, HIT from proxy.local:3128

Now we've just refreshed the page (F5, Ctrl+R, you name it) but wait… what's happening? It seems neither proxy is serving the page, and we've got two mysterious HITs in X-Cache-Lookup. Well, it's very simple: we are not counting another level of cache, the browser's own cache. The page is now not pulled from the net at all; instead Firefox (or your browser of choice) is using its own cache to show the page. So we've got two MISSes in X-Cache, but nonetheless both proxies are telling us that they would send their cached copy if asked. So, if you're debugging your proxy system, this means it's working correctly.

Now, what if we empty Firefox's cache?
Here it is:

X-Cache MISS from proxy.domain.tld, HIT from proxy.local
X-Cache-Lookup HIT from proxy.domain.tld:3128, HIT from proxy.local:3128

Our transparent proxy has the page we need, so it sends it to us (HIT from proxy.local); the remote proxy doesn't need to do anything, and both could send the page if asked.

Although it may seem complicated, once you get it it's very simple, and you can easily nest more and more cache levels.
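To make the reading above mechanical, here is a small parser for the two headers that tells, per proxy, what was actually served (X-Cache) versus what was available (X-Cache-Lookup). This is an added example, not code from the post; the header values are constructed copies of the three cases discussed above, and hop order (farthest proxy first, nearest last) is assumed as in those examples.

```python
import re
from typing import List, Optional, Tuple

# One hop of a cache-status header: (status, host, port or None).
Hop = Tuple[str, str, Optional[str]]

# Matches one "STATUS from host[:port]" entry, e.g. "HIT from proxy.domain.tld:3128".
_HOP_RE = re.compile(r"(HIT|MISS) from ([^,:\s]+)(?::(\d+))?")


def parse_cache_header(value: str) -> List[Hop]:
    """Split an X-Cache or X-Cache-Lookup value into hops, nearest proxy last."""
    hops = [(m.group(1), m.group(2), m.group(3)) for m in _HOP_RE.finditer(value)]
    if not hops:
        raise ValueError("not a cache status header: %r" % value)
    return hops


def explain(x_cache: str, x_cache_lookup: str) -> List[str]:
    """Describe, per proxy, what it did (X-Cache) against what it could
    have done (X-Cache-Lookup)."""
    served = parse_cache_header(x_cache)
    lookup = parse_cache_header(x_cache_lookup)
    if [h for _, h, _ in served] != [h for _, h, _ in lookup]:
        raise ValueError("X-Cache and X-Cache-Lookup list different proxies")
    notes = []
    for (status, host, _), (avail, _, _) in zip(served, lookup):
        if status == "HIT":
            notes.append("%s: served from cache" % host)
        elif avail == "HIT":
            # A fresh copy exists but something closer to the client
            # (another proxy, or the browser cache) answered instead.
            notes.append("%s: cached copy available but not used" % host)
        else:
            notes.append("%s: no fresh copy, forwarded the request upstream" % host)
    return notes


# Constructed header pairs, one per case discussed above.
FIRST_VISIT = ("HIT from proxy.domain.tld, MISS from proxy.local",
               "HIT from proxy.domain.tld:3128, MISS from proxy.local:3128")
BROWSER_CACHED = ("MISS from proxy.domain.tld, MISS from proxy.local",
                  "HIT from proxy.domain.tld:3128, HIT from proxy.local:3128")
LOCAL_PROXY_HIT = ("MISS from proxy.domain.tld, HIT from proxy.local",
                   "HIT from proxy.domain.tld:3128, HIT from proxy.local:3128")
```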

Apache, mod_rewrite and multiple RewriteCond

If you don't know Apache's mod_rewrite, then you should, because it's a very nice and flexible piece of software when you need to do URL mangling or layer-7 HTTP proxying. You can do all sorts of redirections, set cookies based on data like the incoming URL, browser version etc., or even set an environment variable with a value matching a regexp pattern.

You can find very good tutorials about mod_rewrite on the net, so I won't waste your bandwidth with a worse explanation… anyway, today I want to share with you a little tip I found while working with mod_rewrite.

Imagine you need to write a rule involving two or more RewriteCond directives, and you want to use RewriteCond's pattern-matching backreferences in your rule (with %1, %2 … %N). Well, you have to keep in mind that you can only use backreferences from the LAST RewriteCond you have used. Example:

RewriteCond %{HTTP_HOST} (.*)\.domain\.tld
RewriteCond %{REQUEST_URI} ^/(css|images|js)/
RewriteRule ^/(.*) http://www.domain.tld/%1/static/$1 [L]

At first glance, if the original URI is

http://foo.domain.tld/js/script.js,

then the rewritten URI should be something like

http://www.domain.tld/foo/static/script.js

but that's not true, because mod_rewrite only exposes the backreferences of the last RewriteCond it evaluated! So, eventually the URL will be

http://www.domain.tld/js/static/script.js

which is not what we (or at least I) were expecting. The solution, in this case, is to fold the REQUEST_URI condition into the RewriteRule:

RewriteCond %{HTTP_HOST} (.*)\.domain\.tld
RewriteRule ^/(css|images|js)/(.*) http://www.domain.tld/%1/static/$2 [L]

but you can easily see that it's something you should be aware of when the conditions are more varied.
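To see that scoping in action without touching a server, here is a small Python model of how mod_rewrite resolves %N and $N: the RewriteRule pattern is matched first, every RewriteCond must match, and %N is taken only from the last RewriteCond's groups. This is an added example, not the post's own code and not mod_rewrite itself; it uses the two rulesets above with the host pattern written as (.*)\.domain\.tld (a literal dot before domain).

```python
import re
from typing import Dict, List, Optional, Tuple

Cond = Tuple[str, str]       # (test string with %{VAR} references, pattern)
Rule = Tuple[str, str]       # (pattern matched against REQUEST_URI, substitution)
Groups = Tuple[str, ...]     # group 0 = whole match, 1..N = parentheses


def expand(text: str, env: Dict[str, str], cond_groups: Groups, rule_groups: Groups) -> str:
    """Expand %{VAR}, then %N (last RewriteCond) and $N (RewriteRule) in text."""
    text = re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), text)
    text = re.sub(r"%(\d)", lambda m: cond_groups[int(m.group(1))], text)
    text = re.sub(r"\$(\d)", lambda m: rule_groups[int(m.group(1))], text)
    return text


def rewrite(conds: List[Cond], rule: Rule, env: Dict[str, str]) -> Optional[str]:
    """Return the rewritten URL, or None when the rule does not apply."""
    rule_pattern, substitution = rule
    m = re.search(rule_pattern, env["REQUEST_URI"])
    if not m:
        return None
    rule_groups: Groups = (m.group(0),) + m.groups()
    cond_groups: Groups = ()
    for test, pattern in conds:
        cm = re.search(pattern, expand(test, env, cond_groups, rule_groups))
        if not cm:
            return None                  # any failing condition disables the rule
        cond_groups = (cm.group(0),) + cm.groups()   # replaced by each later RewriteCond
    return expand(substitution, env, cond_groups, rule_groups)


# Constructed request, as in the post: foo.domain.tld asking for /js/script.js.
REQUEST = {"HTTP_HOST": "foo.domain.tld", "REQUEST_URI": "/js/script.js"}

# First attempt: %1 ends up coming from the REQUEST_URI condition, not from HTTP_HOST.
NAIVE: Tuple[List[Cond], Rule] = (
    [("%{HTTP_HOST}", r"(.*)\.domain\.tld"), ("%{REQUEST_URI}", r"^/(css|images|js)/")],
    (r"^/(.*)", "http://www.domain.tld/%1/static/$1"),
)
# Fix: the path test moves into the RewriteRule, so the only RewriteCond left is the host one.
FIXED: Tuple[List[Cond], Rule] = (
    [("%{HTTP_HOST}", r"(.*)\.domain\.tld")],
    (r"^/(css|images|js)/(.*)", "http://www.domain.tld/%1/static/$2"),
)
```

Note that in the first ruleset $1 is the whole path js/script.js, so the model also shows the js/ segment duplicated in the result; the fixed rule's $2 is just script.js.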

GNU tar and remote hosts

A little tip that maybe isn't so well known. When passing an argument to the -f option (--file) of GNU tar, you can specify a remote address using the standard colon format. For example

tar cfv user@remotehost:/path/to/tar /files/to/archive

will try to connect to remotehost via SSH and authenticate as user (asking for a password or using your preferred ssh auth method). Obviously you have to have rsh on your local machine and an sftp-capable server on the other side.

HOWTO: Active Directory authentication in Ubuntu 8.04

This is a second version of this other guide, which applied to previous Ubuntu versions.
Ubuntu 8.04 (Hardy Heron) ships the Likewise Open package, which makes basic Active Directory authentication in Ubuntu a breeze.

Just follow these steps:

  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start

and you can now log into your machine using your DOMAIN\user credentials. Remember that the DOMAIN\ part is mandatory and that it represents the short name of your Active Directory domain. You can join the domain using any user with sufficient privileges (there's no need to use Administrator), and you can even directly join the PC to a particular OU by passing the --ou argument to domainjoin-cli. The fourth step may not be necessary once Ubuntu 8.04 LTS is released, because it seems to be a bug in the package (it won't start likewise on reboot, so if you don't issue this command it will seem that nothing works after a reboot).

I've just started using this method on a test machine, so I'll share more opinions on this product in the future.

EDIT: First impressions

After some days of not-so-extensive usage, I've seen a couple of things worth noticing:

  • the likewise-open process seems to "die" from time to time, blocking all your logins with an "ERROR" message. Restarting it through the init script solves the issue… but it's something that definitely should not happen
  • It informs you on login if your password is going to expire in X days (as set in your GPO). Very nice indeed.

Note to readers: if you're experiencing installation problems, the best way is to report them to the likewise-open-discuss mailing list. There you can contact the Likewise developers (of Samba fame) directly and solve your problems or doubts.

EDIT2: it seems that with the final Ubuntu 8.04 update the likewise-open package is now 100% stable; I haven't had a single failure since the last update (one week up, while before it died at least once per day)

Cron and multiple recipients

If you are using a maintenance user to execute scheduled cron jobs, maybe you've found yourself needing to report the results of these jobs to different email addresses. Everyone surely knows the MAILTO parameter, as explained in the crontab(5) manpage.

But maybe you don't know that MAILTO is interpreted sequentially, at the point where it is found, so you can have different recipients in the same crontab, like in this example:

MAILTO="user1@domain.tld"
* * * * * echo "abc"

MAILTO="user2@domain.tld"
* * * * * echo "dfe"

so user1 will get mailed "abc" and user2 "dfe".
It works in the standard "cron" program, so for example you can use this tip on Debian or FreeBSD (and on other Unices too, I guess).
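The sequential rule is easy to get wrong when a crontab grows, so here is an added example (not from the post) that walks a crontab top to bottom and reports which recipient is in force for each job. It assumes the crontab(5) behaviour that output goes to the crontab owner until the first MAILTO and that MAILTO="" disables mail; the sample crontab is constructed from the one above plus one job before any MAILTO and one muted job.

```python
from typing import List, Optional, Tuple

# (recipient, or None when mail is suppressed; schedule; command)
Job = Tuple[Optional[str], str, str]


def assign_recipients(crontab: str, owner: str) -> List[Job]:
    """Track the MAILTO in force while reading the crontab in order."""
    recipient: Optional[str] = owner          # default until a MAILTO line is seen
    jobs: List[Job] = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("MAILTO="):
            value = line[len("MAILTO="):].strip().strip('"')
            recipient = value or None         # MAILTO="" turns mail off
            continue
        if "=" in line.split()[0]:
            continue                          # other VAR=value assignments (SHELL, PATH...)
        fields = line.split(None, 5)          # five schedule fields, then the command
        if len(fields) < 6:
            raise ValueError("malformed crontab line: %r" % raw)
        jobs.append((recipient, " ".join(fields[:5]), fields[5]))
    return jobs


# Constructed sample crontab.
SAMPLE = """\
0 3 * * * /usr/local/bin/backup.sh
MAILTO="user1@domain.tld"
* * * * * echo "abc"

MAILTO="user2@domain.tld"
* * * * * echo "dfe"
MAILTO=""
*/5 * * * * /usr/local/bin/noisy-check
"""
```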

Where is DHCP RAS scope option on Windows 2003?

This is not a howto/tip; it's only to remember the location of this hidden option :D

[screenshot: putoraswindows.jpg]

Adding DNS entries with command line on Windows

Hello,

If you are lazy (as we are) or you don't want to waste your time adding DNS entries manually, you can use dnscmd from the command line on Windows. It's a nice way to add a large number of entries from a file, or anything that needs further configuration.

PROMPT> dnscmd help
dnscmd yourdnsserver /RecordAdd yourdomain.com mynewrecord A ip

For example:
(creates ftp.domain.com that points to 192.168.1.20)
dnscmd localhost /RecordAdd domain.com ftp A 192.168.1.20

(creates www.domain.com that points to 192.168.1.21)
dnscmd localhost /RecordAdd domain.com www A 192.168.1.21

You can use A, CNAME, PTR, TXT etc.

An example of a batch file adding entries that all point to the same IP, using a loop.

PROMPT> type records.txt
record1
record2
record2
etc …

type dns.bat
@echo off

set dnshost=localhost
set domain=yourdomain.com
rem record type: A, PTR, CNAME etc.
set type=A
set ipserver=192.168.1.20

echo "We are reading records.txt line by line"
rem for /f variables must be a single letter, so %%r holds the first token of each line
for /f %%r in (records.txt) do dnscmd %dnshost% /RecordAdd %domain% %%r %type% %ipserver%

See you!

HOWTO: Install DELL OpenManage System Administrator on exotic Linux distributions

If you happen to have to manage some Dell server running an exotic, not-supported-at-all distribution like, for example, Slackware or Gentoo, there's a trick you can use that can save you a lot of PITA. It involves using debootstrap and a well-known unofficial Debian Dell repository. Here we go:

  1. First of all, check your kernel has IPMI support. If it doesn’t, rebuild it to have IPMI enabled (Device Drivers -> Character Devices -> IPMI). Build every module you find here.
  2. Load the just built modules:
    modprobe ipmi_msghandler
    modprobe ipmi_si
    modprobe ipmi_devintf
  3. Install debootstrap. On Gentoo, it's a simple emerge debootstrap
  4. mkdir -p /var/debian
  5. debootstrap --arch amd64 etch /var/debian http://http.us.debian.org/debian
    You can obviously change the --arch parameter to the one that better fits your needs, say i386
  6. Now, let’s wait while debootstrap does all the dirty work :)
  7. mount -o bind /dev /var/debian/dev
  8. mount -t proc none /var/debian/proc
  9. cp /etc/resolv.conf /var/debian/etc
  10. chroot /var/debian/ /bin/bash
  11. Now we are in our new Debian-lite environment.
  12. Edit /etc/apt/sources.list to look like this, for example:

    deb http://ftp.belnet.be/debian/ etch main non-free contrib
    deb-src http://ftp.belnet.be/debian/ etch main non-free contrib
    deb http://security.debian.org/ etch/updates main contrib non-free
    deb-src http://security.debian.org/ etch/updates main contrib non-free

    deb ftp://ftp.sara.nl/pub/sara-omsa dell sara
    deb http://linux.dell.com/repo etch dell-software

  13. apt-get update
  14. apt-get install dellomsa
  15. And we are done! If all went well, you should now be able to run tools like "omreport" to inspect your hardware status and "omconfig" to change BIOS settings, and much more!

On a side note, after a reboot you have to repeat steps 7, 8 and 10 and, once in the chroot, issue /etc/init.d/dataeng start