Puppet dependencies and run stages

I’m using Puppet to manage some apt repositories on Ubuntu and have run into a dependency problem. I want to write the source configs before running apt-get update, and I want to run that before installing any packages. Otherwise, a manifest that tries to install a package from a custom repository will fail, either because the repository is not configured yet or because the apt metadata hasn’t been retrieved yet.

Because Puppet changes are idempotent, this is usually solvable by running Puppet a few times (ew). Or you can do it properly by diligently declaring a dependency on your apt-get update exec for every one of your packages, and having that depend on your source configs, but that’s pretty fiddly.


Hello world, Debian style


# apt-get install hello

# hello
Hello, world!

# hello --help
Usage: hello [OPTION]...
Print a friendly, customisable greeting.

  -h, --help              display this help and exit
  -v, --version           display version information and exit

  -t, --traditional       use traditional greeting format
  -n, --next-generation   use next-generation greeting format
  -g, --greeting=TEXT     use TEXT as the greeting message

Reliable rake task execution

My News Sniffer project needs to regularly do some back-end work such as checking a bunch of RSS feeds and downloading web pages. I do this with some rake tasks, which I call from the cron daemon. Recently I’ve been having problems where some tasks take a bit longer than usual to complete and end up running in parallel. This slows things down, which means more tasks end up running in parallel, and eventually my little virtual machine falls on its face under memory pressure.

I could implement some locking in my application, but it’s always good to avoid as much new code as possible, so, in the good old *NIX fashion, I cobbled together a short bash script taking advantage of existing tools. It executes the given rake task in the given Rails root using the Debian/Ubuntu tool start-stop-daemon (provided by the dpkg package, so it is always installed). start-stop-daemon uses a pid file to keep track of the rake process for the given task, so it will never run a second concurrent instance of rake for that task. Cron just keeps trying to run it every 5 minutes or whatever, but only one copy runs at a time.
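The wrapper described above, written out as an added example rather than the script from the post. It assumes rake lives at /usr/bin/rake and that a lock directory (RAKE_LOCK_DIR, defaulting to /var/run/rake-locks, a name chosen here) has been created beforehand, owned by the cron user and mode 0755. The pidfile name and the lock-directory check are this example's own additions; the start-stop-daemon invocation is the mechanism the post describes.

```sh
#!/bin/sh
# Added example, not the script from the post: run one rake task from cron and
# let start-stop-daemon refuse to start a second copy while the first is alive.
#   Usage: rake-once /path/to/rails_root news:fetch_feeds
# Assumed: rake is /usr/bin/rake, and RAKE_LOCK_DIR (default /var/run/rake-locks,
# a name chosen for this example) exists, is owned by the cron user, mode 0755.

RAKE_LOCK_DIR="${RAKE_LOCK_DIR:-/var/run/rake-locks}"

# Pidfile path for one task of one application. Task names like "news:fetch_feeds"
# carry characters we do not want in a filename, so anything outside
# [A-Za-z0-9_.-] becomes "_", and the Rails root's basename keeps two apps apart.
pidfile_for() {
    _safe=$(printf '%s' "$2" | sed 's/[^A-Za-z0-9_.-]/_/g')
    printf '%s/%s-%s.pid\n' "$RAKE_LOCK_DIR" "$(basename "$1")" "$_safe"
}

# start-stop-daemon only checks that the pid in the file is alive, so whoever
# can write the file can park the pid of any long-lived process in it and the
# task never runs again. Insist that the lock directory is ours and is not
# group- or world-writable before trusting anything in it.
check_lock_dir() {
    [ -d "$1" ] || return 1
    _ls=$(ls -ld "$1")
    _mode=$(printf '%s' "$_ls" | cut -c1-10)
    _owner=$(printf '%s' "$_ls" | awk '{print $3}')
    [ "$_owner" = "$(id -un)" ] || return 1
    case $_mode in
        d????w????|d???????w?) return 1 ;;   # group write or other write bit set
    esac
    return 0
}

run_task() {
    _root=$1; _task=$2
    check_lock_dir "$RAKE_LOCK_DIR" || {
        echo "rake-once: refusing to use $RAKE_LOCK_DIR (missing, not ours, or writable by others)" >&2
        return 2
    }
    _pidfile=$(pidfile_for "$_root" "$_task")
    export RAILS_ENV="${RAILS_ENV:-production}"
    # --start with --pidfile: if that pid is alive, do nothing; --oknodo makes
    # the "already running" case exit 0 and --quiet keeps cron from mailing.
    # --make-pidfile writes the pid just before exec; with no --background that
    # is start-stop-daemon's own pid, which becomes rake's pid after the exec.
    start-stop-daemon --start --quiet --oknodo \
        --pidfile "$_pidfile" --make-pidfile \
        --chdir "$_root" \
        --startas /usr/bin/rake -- "$_task"
}

# Act only when invoked with arguments, so the file can also be sourced.
if [ $# -eq 2 ]; then
    run_task "$1" "$2"
fi
```

Two caveats worth knowing. Matching on the pidfile alone means a stale file whose pid has been recycled by an unrelated process also blocks the task; adding `--name rake` to the start-stop-daemon line tightens the match (the kernel sets a script's process name to the script's basename, so `--exec /usr/bin/rake` would not match, because the executable is actually ruby). And newer dpkg releases warn that matching only on a non-root-owned pidfile is insecure when start-stop-daemon runs as root, so run the cron job as the application user rather than root.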

Xen on Ubuntu Edgy broken – Debian to the rescue

I found a great HOWTO on getting a Xen virtual machine up and running on Ubuntu Edgy. Unfortunately, Xen is pretty broken on Edgy. I managed to get one virtual machine running easily, but on starting a second one Dom0 panics and the whole box freezes. It’s been reported on Launchpad, but as it’s in universe I guess it’s just not a priority.

As a workaround, I installed the Xen kernels from Debian testing (Etch). These pulled in the Debian Xen userspace packages too, but they didn’t clobber anything. So now I have a couple of mostly Edgy virtual machines which I plan to use as a little test lab.

Whilst troubleshooting, I also found another good Debian specific Xen HOWTO with lots of good general advice too.

Etch is looking good. I work with Sarge a lot on servers and firewalls but I’ve not played with Etch much. I think I’ll get it installed in a Xen machine and have a play. I feel bad for not helping with its testing though.

Encrypted partitions with Ubuntu/Debian

I figured out how to set up an encrypted partition on Ubuntu the other day. There are a bunch of ways of doing it but I found this to be the simplest. It should work on Debian too, since all the relevant packages are Debian ones anyway. In my example I’m encrypting an LVM partition (logical volume), but it should work with any device, including removable USB keys (see end notes). UPDATE: This is broken in Edgy but I figured out a simple fix, see below.


Turck MMCache speediness on Debian Sarge

UPDATE: The info in this post is deprecated. See the new post about eAccelerator instead.

I installed Turck MMCache PHP accelerator and I got a big improvement.

ApacheBench reported 4.52 pages per second before and 12.47 pages per second after installation (a WordPress 1.5.2 page on a 1.2GHz PIII). That’s about 2.75 times the throughput, a 176% increase, with no problems observed so far. I tested this with both Apache2 and lighttpd and got a similar boost with both.

There is only a package for Debian unstable at the moment, so I downloaded the package source and backported it to Debian sarge. I put the package in my apt repository (along with a backported openswan package I’m using). Add to your sources.list:

deb http://johnleach.co.uk/downloads/debian sarge backports

and apt-get update ; apt-get install turck-mmcache

See PHP fly (comparatively)

UPDATE: I’m running into a few problems now, actually. WordPress runs fine, but an application of my own is having some serious problems. MMCache is kicking out the following log message:

[13072] MMCACHE: PHP crashed on opline 1 of main() at /path/to/webapp/cligs-app.php:24

I’ve disabled the extension for now until I investigate further.

UPDATE: S

Epiphany and Firefox Dapper packages for Breezy

I’ve built Ubuntu Dapper Epiphany 1.9 and Firefox 1.4.99 packages for Ubuntu Breezy. I’ve also enabled the Epiphany Adblock extension, which seems to work fine. You can’t specify your own advert signatures with a GUI yet (afaict), but the built-in database seems to cover most bases.

I’ve only built for i386 as that’s all I need right now. Tbh, it’s really not that difficult to build your own, but here they are anyway:
UPDATE: I’ve setup an apt repository for all this nonsense.

deb http://johnleach.co.uk/downloads/ubuntu breezy backports

I don’t really have plans to keep this up to date, but I might expand it to a few other packages I want to play with, so feel free to use.

yum/up2date suck, new job

I’ve come to the realisation that yum and up2date completely and utterly suck. Why has yum spent the last 20 minutes downloading rpm headers from the dag repository? Why can’t up2date search properly? Why does yum return search results in an unreadable way? Why do both of them, at the mere hint of something going wrong, spurt out a big Python backtrace that is of very little use to very many people? Why are these tools SO BAD? How difficult IS THE PROBLEM? Debian have got it right with apt. Headers are downloaded in 30 seconds, and search supports regular expressions! There is even an RPM-ENABLED version of apt. Why wasn’t this used in Fedora? Why up2date with its crappy secretive SSL and XML and SOAP and crapness?

I can only imagine it’s due to RedHat wanting the world to develop their Enterprise updating system for free. Well, I’m not contributing until I at least see that either a) I’m doing something wrong and it can all be fixed with an option, or b) someone can explain the good reason why these tools exist.

Also, I have a new job. It’s lots of fun. I’m responsible for the security of some 30 million UK NHS patient records.

Firestorm ethereal and RedHat Advanced Server

I’ve ported my Ethereal ELOG patch to the latest version (0.9.14) and fixed a bug handling pcap-captured alerts. I’ve created Debian debs for powerpc and i386. Matt is working on some RPMs for RedHat 9.

RedHat’s latest change of support plans for RedHat Linux seems to be doing what was intended, getting more people to purchase Advanced Server (and the new Enterprise Server and Workstation) rather than leeching off them. Good for RedHat. There have been too many idiots selling RedHat Linux-based solutions expecting the coloured headgear company to do the hard work of beta testing, bug fixing etc.etc. for free.

mac/arpwatcher firestorm preprocessor and PIX tomfoolery

I’m currently working on a preprocessor for the Firestorm NIDS to detect dodgy-looking ARP activity. So far it keeps track of hardware and protocol addresses in ARP packets and alerts if things change. It will soon monitor IP traffic too (and IPX/AppleTalk etc., I guess) and detect a bunch of other ettercap-style trickery.
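The core of that check, as an added example in shell and awk rather than the Firestorm preprocessor itself. The input lines are constructed for the example and reduced to the form `<ip> is-at <mac>` (roughly what `tcpdump -n arp` prints for a reply, minus the rest of the line); requests (`who-has`) are ignored. The first MAC seen for an IP becomes its baseline, and any later reply mapping the same IP to a different MAC is reported, which is what ARP cache poisoning of a gateway looks like on the wire.

```sh
#!/bin/sh
# Added example, not the Firestorm preprocessor: the address-tracking part of an
# ARP watcher. Reads "<ip> is-at <mac>" lines (constructed to resemble tcpdump
# output), remembers the first MAC seen for each IP, and prints an ALERT when a
# later reply claims the same IP with a different MAC. Requests are ignored.
arp_watch() {
    awk '
        $2 == "is-at" {
            ip = $1; mac = tolower($3)      # normalise case so AA:BB == aa:bb
            if (ip in seen) {
                if (seen[ip] != mac) {
                    printf "ALERT %s changed %s -> %s\n", ip, seen[ip], mac
                    seen[ip] = mac          # follow the change so a flap back is reported too
                }
            } else {
                seen[ip] = mac              # first sighting becomes the baseline
            }
        }
    '
}

# Constructed sample traffic: two hosts answer normally, then 10.0.0.1 (say, the
# gateway) is suddenly claimed by the MAC that earlier answered for 10.0.0.2,
# the classic shape of gateway impersonation.
SAMPLE_ARP='10.0.0.1 is-at 00:11:22:33:44:55
10.0.0.2 is-at 00:aa:bb:cc:dd:ee
10.0.0.1 is-at 00:11:22:33:44:55
10.0.0.1 is-at 00:aa:bb:cc:dd:ee'

arp_watch_demo() {
    printf '%s\n' "$SAMPLE_ARP" | arp_watch
}
```

Run `tcpdump -n -l arp | awk '$3 == "is-at" ...'`-style feeds through `arp_watch` for live use; the baseline-on-first-sight approach means the watcher must be started while the network is in a known-good state, or seeded from a static table of gateway addresses, otherwise a poisoner who answers first simply becomes the baseline.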

I’m also working with some Cisco PIX firewalls to make them play nice with FreeS/WAN on Linux. I’ll put some example configs up here at some point. I’m going to take the Cisco VPN exam and be one step closer to a CCSP (I’m really not sure if this is a good or a bad thing career-wise). The original Cisco Press VPN book has some serious problems with factual content. The authors seem to have little understanding of the underlying technology. I guess you don’t need to know it to parrot-type the Cisco commands in (or copy and paste them, as I often see) and charge 200 quid an hour, but it would be nice to be a bit professional about things.

My Mozilla/Galeon is broken on Debian unstable. Using gdb I found /usr/lib/mozilla/components/libimglib2.so to be the culprit, so I just moved it out of the way. I now have Galeon working with no images, which suits me fine. In fact, as everything loads so quickly and is far less offensive to the eye, I may keep it this way permanently.

Program received signal SIGSEGV, Segmentation fault.
0x0de9de98 in NSGetModule () from /usr/lib/mozilla/components/libimglib2.so