Burapha Linux Server FAQ
This is the Burapha Linux Server (BLS) Frequently Asked Questions (FAQ) list. Here we try to answer the common questions people have about Burapha Linux Server. If you cannot find the answer to your question here or elsewhere on the website, you can contact us and we will try to answer your question.
Please see the instructions for running BLS inside of QEMU on a BLS client machine.
The BLS development is done by John Ham, who does not know Thai. The Thai people at Burapha prefer Microsoft Windows and see adding Thai support to BLS as a waste of time.
These BSD operating systems are all good open source operating systems. However, fewer people use them. This means getting help for installation, configuration, and such will be more difficult. Most documentation for these systems assumes you are familiar with Unix already. To be fair, the BSD machines have superior behavior under heavy network load, but worse behavior under heavy disk load. Their virtual memory system is also better in a worst-case situation, but worse on a lightly loaded workstation. You can learn more here:
Red Hat is the most popular Linux distribution. SuSE is the most popular Linux distribution in Europe. Debian is a popular distribution among technical users. Slackware is the oldest distribution still in common use, and is the basis for BLS. Any of these distributions will work on any machine that BLS runs on. However, these distributions are much harder to install and usually require more resources than BLS does. They provide more options and have more packages, which means they are necessarily more complex to install and configure. BLS is designed to be easy to install so you can start using it right away without a lot of special technical skill.
No. However, if you bring your machine to us, we can assist you with installing the software.
This seems to confuse a lot of people. All of the commands I show here are run on the machine you want to connect from. When I say 'user@host' I mean the username on the remote host specified by 'host'. So if you want to connect as user joe on machine tserver.mycorp.co.th to a machine funblog.org as user larry, then you will use 'larry@funblog.org' everywhere I use 'user@host'. When you are asked for a password, it will be larry's password on funblog.org. ssh-keygen asks you for a passphrase for the new key; once the public key is installed, ssh asks for that passphrase instead of larry's password. The remote .ssh directory must be writable only by the user and authorized_keys must not be group- or world-writable, or sshd will ignore the key.
cd
ssh-keygen -t rsa
ssh user@host mkdir -p .ssh
ssh user@host chmod 700 .ssh
cat .ssh/id_rsa.pub | \
  ssh user@host 'cat >>.ssh/authorized_keys'
ssh user@host chmod 640 .ssh/authorized_keys
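As an added example (not from the BLS page or its tools), here is the same key installation done by a small shell function that is safe to run repeatedly: it creates .ssh with mode 0700, appends the key only if its type and blob are not already in authorized_keys, and leaves the file at mode 0600, which satisfies sshd's StrictModes check. It works against a local home directory (for a remote host you would feed the script to "ssh user@host sh -s"); the sample key line in the demo is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not BLS code: idempotent authorized_keys install with the
# permissions sshd's StrictModes expects.  Runs on a local home directory;
# for a remote host pipe this script to "ssh user@host sh -s".

# install_pubkey HOME_DIR 'PUBKEY LINE'
#   returns 0 on success (or if the key was already present), 2 on bad input
install_pubkey() {
    home="$1"
    key="$2"
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"

    # Accept only lines that look like an OpenSSH public key: "type blob [comment]".
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # .ssh must not be writable by anyone else; authorized_keys must not be
    # group/world writable (0640 as in the FAQ also passes; 0600 is tighter).
    mkdir -p "$sshdir" && chmod 0700 "$sshdir" || return 1
    touch "$ak" && chmod 0600 "$ak" || return 1

    # Idempotent append: match on key type + base64 blob, ignoring the comment.
    want=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v want="$want" '($1 " " $2) == want {found=1} END {exit !found}' "$ak"; then
        return 0
    fi
    printf '%s\n' "$key" >>"$ak"
}

# count_keys FILE -> number of key lines, to confirm nothing was duplicated
count_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' "$1"
}

# perms_ok HOME_DIR -> 0 if .ssh is 0700 and authorized_keys is 0600 or 0640
perms_ok() {
    sshdir="$1/.ssh"
    [ -n "$(find "$sshdir" -maxdepth 0 -type d -perm 0700)" ] || return 1
    [ -n "$(find "$sshdir/authorized_keys" -maxdepth 0 -type f \
              \( -perm 0600 -o -perm 0640 \))" ] || return 1
}

# Demo on a throwaway directory (constructed key line, not a real key):
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRXhhbXBsZUtleU5vdFJlYWw= joe@example'
    install_pubkey "$demo" "$key"
    install_pubkey "$demo" "$key"
    echo "keys installed: $(count_keys "$demo/.ssh/authorized_keys")"   # 1, not 2
    rm -rf "$demo"
fi
```

Matching on type and blob rather than the whole line is deliberate: the comment at the end of a key line is free text, so the same key with a different comment must not be installed twice.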
There are two easy ways to determine the kernel version you are running. The first way is to use the command:
$ uname -a
Linux www.buraphalinux.org 2.6.32.7 #1 SMP Fri Jan 29 16:17:32 ICT 2010 x86_64 GNU/Linux
The first element is 'Linux', the second element is your hostname (here 'www.buraphalinux.org'), and the third element is your kernel version. You can do man uname to learn more.
The second easy way to determine the kernel version is to use the command:
$ cat /proc/version
Linux version 2.6.32.7 (nobody@www.buraphalinux.org) (gcc version 4.3.4 (crosstool-NG-1.5.3) ) #1 SMP Fri Jan 29 16:17:32 ICT 2010
The third element is your version number. This also tells you who compiled the kernel and what compiler they used.
They have different sets of installed packages. Check the map.* files in installcd1/setdir and installcd2/setdir to learn precisely what packages are in which set. Roughly,
The LinuxTLE distribution is a popular RPM-based distribution localized for Thai support. If you like RPM-based Linux distributions like Red Hat and you do not care about trying to build the packages yourself, or you need Thai language support in X windows, then LinuxTLE may be the right choice for you.
According to Patcharin Kosonpothisakun, one change is required to get this working. (LDAPv2 is obsolete and slapd refuses LDAPv2 binds unless you enable them; do this only for a client that cannot use LDAPv3.) It is:
In file slapd.conf, add the command "allow bind_v2" to allow LDAP_V2.
Please see the step-by-step guide to mysql replication.
I am getting mysterious hangs on my internet connections. If there is a burst of screen output the application hangs forever.
This is almost certainly a problem with your MTU. A lot of low-budget equipment and dialup stuff cannot really do an MTU of 1500 which is our default and the default of ethernet. You can adjust this at runtime like this:
ip link set eth0 mtu 576
You can adjust it permanently in the /etc/rc.d/rc.netmaster
script where you see MTU. 576 is the number to try, and if it works you can
try larger numbers if you are an optimist.
Debugging this is painful because it is often an intermittent problem. All it takes is one router between you and the destination with a bad MTU: if your packets have the "don't fragment" bit set, you lose; some firewalls cannot handle fragments at all; and when somebody between you and the destination reboots, the problem may simply stop occurring.
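An added example (not from the BLS page): a shell function that finds the largest MTU that reaches a host without fragmentation, which tells you what number to put in rc.netmaster instead of guessing upward from 576. It assumes Linux iputils ping, where -M do sets the don't-fragment bit and -s gives the ICMP payload size (the MTU minus 28 bytes of IPv4 and ICMP headers); the host name is whatever you pass in. The search starts by probing the smallest size, so a failure there means ICMP is being filtered somewhere rather than that the MTU is tiny.

```shell
#!/bin/sh
# Added example, not BLS code: binary-search the path MTU to HOST using
# DF-marked pings.  Assumes Linux iputils ping ("-M do" = set DF, "-s" =
# ICMP payload bytes); payload = MTU - 20 (IPv4 header) - 8 (ICMP header).

# probe_df HOST MTU -> 0 if a DF packet of that total size gets an echo reply
probe_df() {
    ping -M do -c 1 -W 2 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]
#   prints the largest MTU in [LOW,HIGH] for which probe_df succeeds.
#   LOW defaults to 576 (the FAQ's first guess), HIGH to 1500 (Ethernet).
#   Returns 1 and prints nothing if even LOW fails, which usually means ICMP
#   is filtered rather than a tiny MTU: check basic connectivity first.
find_path_mtu() {
    host="$1"
    lo="${2:-576}"
    hi="${3:-1500}"
    probe_df "$host" "$lo" || return 1
    best="$lo"
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_df "$host" "$mid"; then
            best="$mid"
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage: ./pathmtu.sh www.example.org, then "ip link set eth0 mtu <value>".
if [ -n "${1:-}" ]; then
    find_path_mtu "$1" || { echo "no reply even at the minimum size" >&2; exit 1; }
fi
```

Because an intermediate router with a bad MTU can silently drop DF packets instead of sending back an ICMP "fragmentation needed" message, this measures what actually gets through rather than trusting what the network reports.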
Use the blsprintconfig to configure your printing. You can do
man blsprintconfig to learn more. After completing
the configuration, you can print a text file or a Postscript file
using the lpr command like this:
lpr somefile
Our enhanced security in BLS requires that in order to successfully
use the su command you must either be root
or a member of the wheel group. As root, you can add
a user joe to the wheel group like this:
usermod -a -G wheel joe
You can confirm the membership right away with id -nG joe, but joe's own
sessions only pick it up after joe logs out and then logs back in.
Our enhanced security in BLS puts limits on the resources a non-root
user can allocate. The file which controls this is
/etc/security/limits.conf and is only editable by the
root user. To allow a user joe to have
no filesize limit, you would add these two lines:
# for hacker
joe hard fsize unlimited
You need to add them just before the comment line that says this:
# default values for normal users
The limits are applied at login, so joe needs to log out and log back in; after that, ulimit -H -f in joe's shell should print unlimited.
This is controlled by PAM. The documentation for PAM is in
/usr/doc/linux_pam*/html and you can access it like
this:
lynx file:///usr/doc/linux_pam-0.80/html/index.html
Start with the link to System Administrator's Guide to begin
the process of learning about PAM.
The user joe needs
to log out and then log back in to have the change take effect.
Please see the instructions for remote logging with rsyslog.
Patcharin Kosonpothisakun said this in response to the question:
I use this command to test "Is ldap working with SSL?"
ldapwhoami -x -H ldaps://192.168.0.1 -D "cn=Manager,dc=blsldap,dc=sci,dc=buu,dc=ac,dc=th" -W
I use this command to test "Is ldap working without SSL?"
ldapwhoami -x -h 192.168.0.1 -D "cn=Manager,dc=blsldap,dc=sci,dc=buu,dc=ac,dc=th" -W
You need to change the IP to be the IP of the OpenLDAP server.
Patcharin
As root, edit the file /etc/php/php.ini and find the
section for Mysql. It will start something like this:
[MySQL]
; Uncomment this to load the mysql module
;extension=mysql.so
; Allow or prevent persistent links.
mysql.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
mysql.max_persistent = -1
Remove the semicolon (;) from the line about mysql.so,
then restart your web server. If you are running the default lighttpd web server,
then you would do this:
/etc/rc.d/rc.lighttpd restart
If you are unfortunate, you may have a PC with a bad CMI9739 sound chip. Many intel boards have these awful chips. Do this:
cat /proc/asound/cards
If you see something like this:
0 [ICH5 ]: ICH4 - Intel ICH5
Intel ICH5 with CMI9739 at 0xf8001000, irq 10
then you have the bad sound card. You will notice that you cannot set the volume with alsamixer and the volume controls in xine do not work. The important part here is the 'CMI9739'. You have two options:
Oh no, you are still reading this? That means you are poor and have the piece of detritus known as the CMI9739 that masquerades as a modern sound card. I pity you. Here follows a guide showing what has to be done....
You need to create a file ${HOME}/.asoundrc with these contents:
pcm.!default {
type plug
slave.pcm {
type softvol
slave.pcm "hw:0,0"
control {
card 0
name "PCM Playback Volume"
}
}
}
This will tell ALSA to use software sound control (the CMI9739 has no hardware volume register) and finally you will be able to control your sound volume level.
For xine, you would do this:
rm -fr ${HOME}/.xine
Now the next time you start xine, it will work.
Please see the instructions for setting up quotas.
If you are not sure what distribution to use, then BLS is probably not for you. With BLS you get support from Mr. Ham, including a moderate level of customization of the distribution to meet your needs.
By default, to enhance security, nobody can log in remotely to your machine,
even when the sshd daemon is running. For a user to be permitted the
remote login privilege, they must be a member of the canlogin
group. To add user xyzzy to the canlogin group,
you would do this as root (do not enter the leading '#'; that is the
command prompt):
#usermod -a -G canlogin xyzzy
After the user is added to the group, they can login with ssh if you
have activated the ssh daemon with servsetup. The
root user cannot log in remotely ever; log in as a normal user
and use the su command.
Many people request GNOME. GNOME is extremely hard to build because it depends on compiling literally hundreds of libraries with particular options in a particular order to work. The garnome system is the only way to build it officially, and that takes days, has many crashes, and when you finish you have to use 3 CD-ROMS for the binary results, since it duplicates just about every library on your system. So it is hard to build, buggy, huge, and impossible to support. If you must have GNOME, try the Ubuntu linux distribution. Servers do not need GNOME. For client mode, we provide XFCE.
I used to build KDE for BLS, but nobody used it. It has bad screen saver crashes, the audio system does not work with xine, and the help indexer (htdig) is abandonware and doesn't work. Unlike GNOME, a mere mortal can build KDE, but like GNOME it is frightfully unstable and buggy. Servers do not need KDE. For client mode, we provide XFCE.
Today BLS is known to run reasonably well on Acer Aspire 4720 laptops, but the built-in camera does not work. The wireless networking works for dynamic IP in a network that does not use encryption. The bluetooth may work, but I have no gear for testing so I don't know. The intel 965GM graphics work well, and DRI works. The DVD burner works. The USB ports work.
If you upgraded an existing system and you have many users, you need to add all of the users you want to be able to ssh into the machine to the canlogin group. Some people think this is difficult. Actually, it is easy: just use this script. It prints the usermod commands rather than running them, so you can review the list and then pipe the output to sh to apply it.
#! /sbin/bash
# Print (do not run) a usermod command for every ordinary user who is not
# yet in canlogin: uid >= 1000, a real home directory, and a login shell
# listed in /etc/shells.  Review the output, then pipe it to sh to apply it.
exec 3< /etc/passwd
while read -u 3 ALINE
do
    # get username
    username=${ALINE%%:*}
    ALINE=${ALINE#*:}
    # skip unused password field
    ALINE=${ALINE#*:}
    # get user id
    userid=${ALINE%%:*}
    ((userid<1000)) && continue
    ALINE=${ALINE#*:}
    # skip groupid
    ALINE=${ALINE#*:}
    # skip GECOS (full name) field
    ALINE=${ALINE#*:}
    # get home directory
    userhome=${ALINE%%:*}
    [[ "${userhome}" == "/" ]] && continue
    [[ "${userhome}" == "/dev/null" ]] && continue
    [ ! -d "${userhome}" ] && continue
    ALINE=${ALINE#*:}
    # get shell (the last field)
    usershell=${ALINE%%:*}
    ((${#usershell}<1)) && continue
    [[ "${usershell}" == "/" ]] && continue
    [[ "${usershell}" == "/bin/false" ]] && continue
    ! grep -q "^${usershell}$" /etc/shells && continue
    # if we get here then the user has a uid >= 1000, a reasonable home
    # directory, a shell that is ok, etc.
    NOWGROUPS=$(groups "${username}")
    ADDIT=1
    for group in ${NOWGROUPS}
    do
        [[ "${group}" == "canlogin" ]] && ADDIT=0 && break
    done
    ((ADDIT>0)) && printf "usermod -a -G canlogin %s\n" "${username}"
done
exec 3<&-
exit 0
Please see the instructions for managing users and groups.
Please see the instructions for making backups.
Please see the instructions for running batch jobs.
Please see the instructions for upgrading BLS.
Please see the instructions for setting up anonymous FTP service on BLS.
Please see the instructions for setting up WWW service on BLS.
Please see the instructions for setting up
user directory (public_html) WWW service on BLS.
Please see the instructions for setting up anonymous rsync service on BLS.
The apache web server is not supported on BLS. If you insist on using it, you must provide your own support. We do not support apache since it will not obey resource and connection limits properly, and tends to consume all resources and crash the machine under load.
Please see the instructions for running your icecast ogg stream.
This is best explained by example. Here are the step-by-step instructions for adding a calculator to the desktop in XFCE4. You will need to know the full path to your application executable.
This is best explained by example. Here are the step-by-step instructions for adding a calculator to the menu system in XFCE4. You will need to know the full path to your application executable.
This is best explained by example. Here are the step-by-step instructions for adding a calculator to the panel system in XFCE4. You will need to know the full path to your application executable.
This is best explained by example. Here are the step-by-step instructions for adding a second hard disk for storage. In this example we are on a system with libata-based disks (/dev/sd[abcd]). Some older systems use /dev/hd[abcd] instead.
1. Use dmesg and sfdisk to verify the kernel sees the drive. I will assume the new drive is /dev/sdb in this example.
2. pvcreate /dev/sdb
3. vgcreate datavg /dev/sdb
4. lvcreate -l +50%FREE -n datalv datavg
5. mke2fs -c -c -L datalv -b 4096 -i 4096 -j -m 3 /dev/datavg/datalv
   This makes an ext3 filesystem on the datalv logical volume. For a large disk, this can take a long time. Start it up before you sleep, and when you wake up it should be done. The -c -c makes mke2fs do a read-write scan of the disk for bad blocks; you need to do this for any new disk.
6. mkdir /data
7. echo '/dev/datavg/datalv /data ext3 defaults 1 2' >>/etc/fstab
8. mount /data
   This mounts the new filesystem on the /data mountpoint so you can use it. Since you added this to the /etc/fstab file, in the future the system will automatically mount this filesystem when you boot the computer.
This is best explained by example. Here are the step-by-step instructions for adding a second hard disk and using its space to grow the /home filesystem. In this example we are on a system with libata-based disks (/dev/sd[abcd]). Some older systems use /dev/hd[abcd] instead.
You can grow any logical volume, such as /usr, /opt, /var, and /tmp, using the same technique.
1. Use dmesg and sfdisk to verify the kernel sees the drive. I will assume the new drive is /dev/sdb in this example.
2. pvcreate /dev/sdb
3. vgextend blsvg /dev/sdb
4. lvextend -l +50%FREE /dev/blsvg/home
5. resize2fs -p /dev/blsvg/home
   This grows the /home filesystem to fit the newly enlarged size of the /dev/blsvg/home logical volume. This is on-line resizing: /home stays mounted while it grows.
This was tested with a Solomon SEGM-520 Edge air card that connects to a USB port. It might work with other hardware but then again it might not. I have no way of knowing.
On a BLS 1.1.004 system, you will need to upgrade to kernelpack 2.6.26.2 or
newer, and netmaster-3.0-noarch-60 or newer. You also will need to add the
ppp, wvstreams, and wvdial packages. After all of this reboot so your
new kernel will be running. Then if you use DTAC, do this as root in
runlevel 3 (if you used GUI login, you need to init 3 from an
xterm as the root user first):
cp /usr/doc/wvdial-*/wvdial.conf.SEGM-520_SOLOMON.DTAC /etc/wvdial.conf
wvdial
You only need to copy in the wvdial.conf once; later you
just use wvdial.
It may take a few tries to get connected; the wvdial tool will take care of all the retries for you. After connection it may take about a minute for the networking to adjust itself to the new DNS name server and get the firewall activated. After that, you can change VTs using alt-FX (FX is F1, F2, etc.) until you get an unused VT. Now log in as a normal user and work. When you are ready to break the connection, log out of that user and use alt-FX to return to the VT that wvdial is in. Press ctl-C to stop wvdial. It will take about a minute for networking to return to normal.
If you are not using DTAC, good luck. Adjust the /etc/wvdial.conf to match your user, password, and telephone number.
If you have 3 non-boot hard drives on your system, you can set up a software RAID5 array. This allows the system to keep running and recover if one of the hard disks fails. If you have a fourth drive you can even have a hot spare drive. RAID5 is explained many places on the internet; use your favorite search tool to learn more about the concept.
Let us assume your system has 4 non-boot drives, /dev/sd[bcde], that you will use for software RAID5. These drives ideally will be identical models purchased at the same time. Here are the commands to setup your RAID array:
modprobe raid456
mdadm --create /dev/md0 --level=5 --raid-devices=3 --spare-devices=1 /dev/sd[bcde]
dd if=/dev/zero of=/dev/md0 bs=512 count=1
pvcreate /dev/md0
vgcreate archive /dev/md0
lvcreate -l 100%FREE -n archivelv archive
mkdir -p /data
chmod 0755 /data
mke2fs -b 4096 -i 4096 -j -m 3 -c -c /dev/archive/archivelv
mount -t ext3 -o rw /dev/archive/archivelv /data
echo '/dev/mapper/archive-archivelv /data ext3 defaults,noauto 1 3' >>/etc/fstab
For a large array, the format (mke2fs) can take hours, and the initial
parity build of the array runs at the same time (watch its progress with
cat /proc/mdstat). Start this up when you go to sleep, and it should be
done when you wake up the next morning.
Probably you want to have the system automatically mount this drive every time you boot the machine. You can do this easily using /etc/rc.d/rc.local by adding some lines to the local_start() and local_stop() functions. Add this to your local_start() just after the line that says '# add your stuff after this line':
if ! grep -q '[[:space:]]\+/data[[:space:]]\+' /proc/mounts
then
# assemble raid data area
modprobe raid456
mdadm --assemble /dev/md0 /dev/sd[bcde]
vgchange --ignorelockingfailure -ay archive
mount -t ext3 -o rw /dev/mapper/archive-archivelv /data
fi
In your local_stop() you need to add these lines immediately after the line that says '# add your stuff after this line in reverse order of local_start':
if grep -q '[[:space:]]\+/data[[:space:]]\+' /proc/mounts
then
if ! umount /data
then
# show the bad people
fuser -mv /data
# and kill them
fuser -km /data -HUP
sleep 2
# and nuke them
fuser -km /data
# and try umount again
if ! umount /data
then
printf "Man you are doomed - I cannot umount /data"
return 1
fi
fi
fi
if vgs --noheadings -o vg_name | grep -q " archive"
then
vgchange --ignorelockingfailure -an archive
fi
if [ -e /proc/mdstat ]
then
mdadm --stop /dev/md0
fi
if grep -q '^raid456[[:space:]]\+' /proc/modules
then
modprobe -r raid456
fi
After the array is working, you can learn more about it with this command:
mdadm --detail /dev/md0
You can have procmail automatically file the Fail2Ban notification mails in their own folder. Log in as root
and do this:
cat >/root/.procmailrc <<"EOF"
SHELL=/bin/sh
FORMAIL=/usr/bin/formail
SENDMAIL=/usr/bin/sendmail
PATH=/usr/bin:/bin
DEFAULT=/var/spool/mail/${LOGNAME}
MAILDIR=${HOME}/mail
LOGFILE=${HOME}/.procmail.log
LINEBUF=8096
VERBOSE=on
:0
* ^Subject: \[Fail2Ban\] SSH: (banned|stopped|started)
* ^From: Fail2Ban
${MAILDIR}/Fail2Ban
EOF
chmod 0600 /root/.procmailrc
First, download curler.sh, then do this as the root user:
chmod 0700 curler.sh ./curler.sh
You can learn more at the curl-loader web site here: http://curl-loader.sourceforge.net/
The lighttpd web server does not support the .htaccess files some people are familiar with. You can still easily password protect a directory, however. We will use digest authentication. First append the following to the end of your /etc/lighttpd.conf file:
auth.debug = 1
auth.backend = "htdigest"
#
# create user/password entries like this:
# htdigest 'john' 'Party Zone' 'password' >>/etc/lighttpd_htdigest.user
# Note: the 'Party Zone' must match the "realm" entry below...
#
auth.backend.htdigest.userfile = "/etc/lighttpd_htdigest.user"
auth.require = ( "/party/" =>
(
"method" => "digest",
"realm" => "Party Zone",
"require" => "valid-user"
)
)
Now change the /party/ to be the relative path to the directory you want to protect. For instance, if you want to protect the directory /var/www/htdocs/download/special/, you would use /download/special. The realm allows you to have separate security sets for different areas. This means that user 'john' in 'Party Zone' is not the same as user 'john' in 'Work Zone', for instance, and those two john users can have different passwords. Two cautions: auth.debug = 1 makes lighttpd log authentication attempts to its error log, so set it back to 0 once things work; and digest authentication over plain HTTP keeps the password itself off the wire but does not protect the page contents, and a captured exchange can be cracked offline, so put anything that matters behind HTTPS. Anyway, after you change the /etc/lighttpd.conf file, you need to restart the web server like this:
/etc/rc.d/rc.lighttpd restart
Now you need to create some user/realm/password entries, one for each user/realm that you plan to use. You do this like this:
htdigest 'john' 'Party Zone' 'password' >>/etc/lighttpd_htdigest.user
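The htdigest helper on this page writes one line of lighttpd's htdigest user file. As an added example (not the BLS helper itself), here is that file format built in plain shell, together with a function that checks whether a given user, realm and password are present in the file. It assumes md5sum from coreutils; the users, realms and passwords in the demo are made-up test values. lighttpd expects each line as user:realm:MD5(user:realm:password) with the hash as 32 lowercase hex digits, which is exactly why the realm in the file must match the realm in lighttpd.conf.

```shell
#!/bin/sh
# Added example, not the BLS htdigest script: build and check entries for
# lighttpd's htdigest backend.  Format: user:realm:MD5("user:realm:password").
# Assumes coreutils md5sum.

# htdigest_line USER REALM PASSWORD -> prints one userfile entry
htdigest_line() {
    user="$1"; realm="$2"; pass="$3"
    # ':' is the field separator in the file and inside the hashed string,
    # so it cannot appear in the user or realm.
    case "$user$realm" in
        *:*) echo "htdigest_line: ':' not allowed in user or realm" >&2; return 2 ;;
    esac
    hash=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# htdigest_check FILE USER REALM PASSWORD -> 0 if FILE holds the matching entry
htdigest_check() {
    want=$(htdigest_line "$2" "$3" "$4") || return 2
    grep -q -x -F -- "$want" "$1"
}

# Demo on a throwaway file with made-up credentials:
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    htdigest_line john 'Party Zone' 'password' >>"$f"
    htdigest_line john 'Work Zone' 'other-password' >>"$f"
    cat "$f"
    htdigest_check "$f" john 'Party Zone' 'password' && echo "Party Zone: ok"
    htdigest_check "$f" john 'Work Zone' 'password' || echo "Work Zone: rejected"
    rm -f "$f"
fi
```

Because the realm is hashed in with the password, the same john with the same password gets a different entry in 'Party Zone' and 'Work Zone', and an entry created under a misspelled realm will never match the realm lighttpd sends in its challenge.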
When you decide to add, remove, or change a PCI LAN card, you need to delete the old udev configuration which contains the MAC address. To do this you just do this (as root) BEFORE you shutdown the machine to make the hardware change:
rm -f /etc/udev/rules.d/70-persistent-net.rules
That file will be regenerated by udev during the next bootup, and then it will have the correct MAC addresses. You will need to run the netmaster utility to reconfigure your system. If your system is configured as an 'Authentication Gateway' system then you must contact BLS technical support to reconfigure your system.
This is tricky, since the HTTP/1.1 protocol requires CRLF line endings (the kind MS-DOS uses): each line ends with a carriage return followed by a line feed, 0D 0A in hexadecimal. Here is how you can do it:
printf "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | nc6 -4 -v 127.0.0.1 80
Of course you can use shell redirection to capture the output. This gives you a way to get the raw response from the web server including all headers, even if you cannot run firefox with LiveHTTPHeaders (maybe you are a server without Xorg, for instance). The Host: header is required for HTTP/1.1 to work.
If you want to test the older HTTP/1.0 protocol, you can do this:
printf "GET / HTTP/1.0\r\n\r\n" | nc6 -4 -v 127.0.0.1 80
NOTE: Some web servers will let you get by without the CRLF line endings, but all will accept them. For instance, apache seems to bend the protocol and accept a request whose lines end in a bare line feed, but lighttpd will not respond to that request, since the HTTP/1.1 standard requires the carriage returns.
In all of these commands, change 127.0.0.1 to the IP of the server you want to test. Change the port 80 to the port you want to test if the server is using a non-standard port (like 8080). For the HTTP/1.1 protocol, change localhost to the hostname on the server you are trying to reach.
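As an added example (not code from the page), here is the same request assembled by a shell function, plus a check that catches the bare-line-feed mistake described above before the bytes go to the server. The function always adds the Host: header HTTP/1.1 requires and a Connection: close header so nc returns after one response; the method, path, host name and any extra headers are whatever you pass in, and the IP and port on the nc6 line are placeholders.

```shell
#!/bin/sh
# Added example, not from the BLS page: build a raw HTTP/1.1 request with
# CR LF line endings and check a request for bare LFs before sending it.
# Sending it as the FAQ does:  http_request GET / www.example.org | nc6 -4 -v 192.0.2.10 80
# (nc6 is what the FAQ uses; plain nc reads stdin the same way.)

# http_request METHOD PATH HOST [EXTRA-HEADER ...] -> request bytes on stdout
#   Host: is mandatory in HTTP/1.1; Connection: close makes the server hang
#   up after the response so nc exits instead of waiting for more requests.
http_request() {
    method="$1"; path="$2"; host="$3"; shift 3
    printf '%s %s HTTP/1.1\r\n' "$method" "$path"
    printf 'Host: %s\r\n' "$host"
    printf 'Connection: close\r\n'
    for hdr in "$@"; do
        printf '%s\r\n' "$hdr"
    done
    printf '\r\n'
}

# crlf_ok -> 0 if every line on stdin ends in CR LF, 1 if any line has a bare LF
#   (the case the FAQ describes: apache tolerates it, lighttpd does not answer)
crlf_ok() {
    cr=$(printf '\r')
    ! grep -q -v -- "${cr}\$"
}

# line_count -> number of lines on stdin (request line + headers + blank line)
line_count() {
    wc -l | tr -d ' '
}

# Demo: show the exact bytes, including the 0D 0A pairs, without a server.
if [ "${1:-}" = "--demo" ]; then
    http_request GET / localhost 'User-Agent: raw-test' | od -c
    http_request GET / localhost | crlf_ok && echo "line endings: ok"
fi
```

Piping the output through od -c, as the demo does, is the quickest way to confirm you really are sending \r\n and not just \n when a server stays silent.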
Last modified: Fri Feb 5 21:53:15 ICT 2010 | Copyright (C) 2005-2010 by John Gatewood Ham