Author: Joar Jegleim

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so) in CentOS 6.5

After updating packages on CentOS 6.5, proftpd started logging

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so)

It seems the proftpd PAM config is wrong: pam_stack.so no longer exists on CentOS 6, where the 'include' control replaced it.
The non-working /etc/pam.d/proftpd config looks like this:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Using the following config instead, which I found on the internet, got it working again:

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so

sources:
syamkumar-linux.blogspot.no
blog.justla.me
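As an added check (mine, not from the original post), here is a small shell script that lists the modules a pam.d service file references and reports the ones missing from the module directory. It treats an 'include' (or 'substack') line as a reference to another service file rather than a module, which is exactly why the fixed config above passes while the old one trips on pam_stack.so. The module directory /lib64/security and the two sample configs come from the post; the function names are my own, and the demo writes the samples to a temp dir so it runs anywhere.

```sh
#!/bin/sh
# pam_missing_modules FILE [MODULE_DIR]
# Print every module named in a pam.d service file that is not present in
# MODULE_DIR (default /lib64/security, as on 64-bit CentOS 6).
# "include"/"substack" lines name another service file, not a module, and a
# bracketed control such as [success=ok default=bad] may span several fields.
pam_missing_modules() {
  file=$1
  dir=${2:-/lib64/security}
  awk '
    /^[[:space:]]*(#|$)/ { next }                      # comments and blank lines
    {
      i = 2
      if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }   # skip to end of [...]
      ctl = $2; mod = $(i + 1)
      if (ctl == "include" || ctl == "substack") next
      if (mod != "") print mod
    }' "$file" | sort -u | while read -r mod; do
    case $mod in /*) path=$mod ;; *) path=$dir/$mod ;; esac   # modules may be absolute paths
    [ -e "$path" ] || echo "$mod"
  done
}

# pam_demo [MODULE_DIR]: run the check on the broken and the fixed config from the post.
pam_demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/proftpd.broken" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF
  cat > "$tmp/proftpd.fixed" <<'EOF'
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so
EOF
  for f in broken fixed; do
    echo "== $f: modules missing under ${1:-/lib64/security}"
    pam_missing_modules "$tmp/proftpd.$f" "$1"
  done
  rm -rf "$tmp"
}

pam_demo "$@"
```

Run it as `sh pam_check.sh` on the box itself, or pass another directory (e.g. /lib/security on 32-bit) as the first argument; in the broken config only pam_stack.so should be reported, and in the fixed one nothing, provided pam_loginuid.so is installed.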

php debug from a sysadmin’s perspective’ish

While helping a dev figure out a broken WordPress theme, I came across this, imho, super tip on how to print the contents of a variable to the httpd log file.

In this particular case I've narrowed it down to a variable that seems to behave differently between two minor WordPress versions.

file_put_contents('php://stderr', print_r($foo, TRUE));

This writes the contents of $foo to the httpd log. In my case I put it in a few places in the code to track a couple of variables, and I added a 'mark' as well so I could easily grep for it in the web log:

// the mark ('Here man:') makes the line easy to grep for in the log
file_put_contents('php://stderr', 'Here man: ' . print_r($foo, TRUE));

I found this over at stackoverflow.com.

Stuff todo in Ubuntu 14.04 after install

The atareao-team PPA (install at your own risk) has some neat indicators for Ubuntu:

# add-apt-repository ppa:atareao/atareao
# apt-get update
# apt-get install calendar-indicator
# apt-get install my-weather-indicator

The FFmpeg plugin for GStreamer 0.10 is not available in the official Ubuntu 14.04 repositories (because FFmpeg is not available either – libav is used instead), and because of this Firefox doesn't support the H.264 codec.
The mc3man trusty-media PPA fixes this for you (install at your own risk).

# add-apt-repository ppa:mc3man/trusty-media
# apt-get update
# apt-get install gstreamer0.10-ffmpeg

You can check your H.264 support at http://www.youtube.com/html5

If you use Skype (which is 32-bit) on a 64-bit system, install these packages to get your default desktop theme in Skype as well as the Skype tray icon:

# apt-get install gtk2-engines-murrine:i386 gtk2-engines-pixbuf:i386 sni-qt:i386

The latest chromium-browser has removed Flash support; the pepperflashplugin-nonfree package enables Flash again:

# apt-get install pepperflashplugin-nonfree

I mostly ripped these customizations off from webupd8.org.

CentOS 6.x, fail2ban and proftpd

fail2ban on CentOS 6.x can sometimes be a bit troublesome, at least compared to the Debian/Ubuntu packaging (imho).
I suspect I've solved the CentOS 6.x fail2ban and proftpd integration differently every time I've set it up, so this time I'll write it down.
With this configuration I got fail2ban to ban failed proftpd FTP logins using the 'default' fail2ban config, apart from enabling the proftpd-iptables 'jail' in /etc/fail2ban/jail.conf:

[proftpd-iptables]
 
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=root@localhost]
logpath  = /var/log/secure
maxretry = 4

What did the trick was having proftpd log AUTH events to /var/log/secure in the right format.
In /etc/proftpd.conf, comment out the default LogFormat auth directive and add your own:

#LogFormat                      auth    "%v [%P] %h %t \"%r\" %s"
ExtendedLog /var/log/secure AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"
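The "right format" matters because the ban logic has to pull the client address out of each failed-login line. As an added illustration (mine, not the post's), the following script does with awk what the jail does with its filter: it reads AUTH lines written in the LogFormat above, counts PASS commands answered with 530 per client host, and reports hosts that reached the jail's maxretry of 4. The log lines are constructed for this example (addresses, times and users are made up), and the matching pattern is written here for this LogFormat; it is not fail2ban's shipped proftpd filter.

```sh
#!/bin/sh
# Constructed sample of ExtendedLog AUTH lines as written by
#   LogFormat auth "%v %t \"%r\" [%h] %s"
# Hosts, times and users are made up for this example.
SAMPLE_LOG='ftp.example.com [25/Nov/2013:10:00:01 +0100] "USER alice" [192.0.2.10] 331
ftp.example.com [25/Nov/2013:10:00:02 +0100] "PASS (hidden)" [192.0.2.10] 530
ftp.example.com [25/Nov/2013:10:00:05 +0100] "PASS (hidden)" [192.0.2.10] 530
ftp.example.com [25/Nov/2013:10:00:09 +0100] "PASS (hidden)" [192.0.2.10] 530
ftp.example.com [25/Nov/2013:10:00:14 +0100] "PASS (hidden)" [192.0.2.10] 530
ftp.example.com [25/Nov/2013:10:01:00 +0100] "USER bob" [198.51.100.7] 331
ftp.example.com [25/Nov/2013:10:01:01 +0100] "PASS (hidden)" [198.51.100.7] 230
ftp.example.com [25/Nov/2013:10:02:00 +0100] "PASS (hidden)" [203.0.113.5] 530'

# failed_logins_by_host: read log lines on stdin and print "<count> <host>" for
# every host whose PASS command got a 530 (login incorrect), most failures first.
# The pattern is written for the format above, not taken from fail2ban.
failed_logins_by_host() {
  awk '
    /"PASS [^"]*" \[[0-9.]+\] 530$/ {
      h = $(NF - 1)          # the [%h] field sits right before the status code
      gsub(/[][]/, "", h)    # strip the brackets
      fails[h]++
    }
    END { for (h in fails) print fails[h], h }
  ' | sort -rn
}

# hosts_to_ban MAXRETRY: hosts with at least MAXRETRY failures (4 in the jail above)
hosts_to_ban() {
  failed_logins_by_host | awk -v max="$1" '$1 >= max { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | hosts_to_ban 4
```

Against the real file the same functions run as `hosts_to_ban 4 < /var/log/secure`; if that prints nothing while you know logins are failing, the LogFormat and the filter do not agree, which is the situation the post describes.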

Partition alignment

I've known for a while how important partition alignment is, both for RAID and for the (not so) new 4k hard drives.
Thinking about sector sizes of 512 bytes vs. 4k for newer drives, I've been a bit puzzled by the fact that 512 bytes x 4 = 4k.
I've read articles explaining how the size of the MBR causes misalignment, but I've yet to find an article explaining this issue more clearly than http://www.thomas-krenn.com/en/wiki/Partition_Alignment .

Reload your vcl in Varnish without restart

Using varnishadm you can reload your VCL after editing it without restarting Varnish.
That means your cache stays intact:

# varnishadm
varnish> vcl.load default /usr/local/varnish/etc/varnish/default.vcl
200
VCL compiled.
varnish> vcl.use default
200
 
varnish>

What I found really practical is that this way I could also detect and fix errors in my VCL config without Varnish going down:

varnish> vcl.load default /usr/local/varnish/etc/varnish/default.vcl
106       
Message from VCC-compiler:
Expected ')' got '{'
(program line 73), at
('input' Line 105 Pos 51)
        if ( !( req.url ~  "(login_form|manage)") {
--------------------------------------------------#
 
Running VCC-compiler failed, exit 1
VCL compilation failed
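The two transcripts above are the whole point: a bad VCL is rejected at vcl.load and the running configuration is untouched. As an added example (my script, not part of the post or of Varnish), here is that procedure wrapped so it can be run from a deploy script: it loads the file under a name that has not been used before, and only issues vcl.use when the load succeeded. It assumes a varnishadm that exits non-zero when the CLI reports an error, which Varnish 3 and later do; the variable VARNISHADM and the function names are my own, and VARNISHADM exists so the CLI command can carry options such as -T host:port, or be replaced by a stub for testing.

```sh
#!/bin/sh
# Command used to talk to the Varnish CLI. Taken from $VARNISHADM so it can carry
# options (e.g. "varnishadm -T localhost:6082") or be swapped for a stub in a test.
VARNISHADM=${VARNISHADM:-varnishadm}

# vcl_name: a name not used before. vcl.load refuses a name that is already loaded,
# so reloading under the name "default" as in the transcript only works once.
vcl_name() { echo "reload_$(date +%Y%m%d%H%M%S)_$$"; }

# reload_vcl FILE: compile FILE under a fresh name and switch to it only if that
# succeeded. A failed compile leaves the running VCL, and the cache, alone.
reload_vcl() {
  file=$1
  name=$(vcl_name)
  if ! $VARNISHADM vcl.load "$name" "$file"; then
    echo "vcl.load $name $file failed; running VCL unchanged" >&2
    return 1
  fi
  $VARNISHADM vcl.use "$name"
}

# Example call, with the path used in the post:
# reload_vcl /usr/local/varnish/etc/varnish/default.vcl
```

Old VCLs loaded this way stay in memory until you vcl.discard them, so a deploy script that runs often should discard the previous name after a successful switch.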

Ubuntu 13.10 console resolution

Switching to the binary Nvidia driver usually 'breaks' the nice boot splash and console resolution in Ubuntu. It has something to do with Linux being GPL licensed: the kernel is tainted if you load non-GPL code, and the kernel crew simply won't integrate binary code, which I personally respect.

I've been using some VESA framebuffer for many years, and for the last 3-4 years I've been using the uvesafb module to get a high-resolution console and boot splash on my desktop.
I just noticed that my 'howto' for getting this set up no longer works in Ubuntu 13.10; well, it actually did work, but I was put off when the 'hwinfo' package was no longer available.

I googled this for about 20 minutes and tried a couple of solutions that didn't work, so I'm pasting my personal 'howto' for how I got this working on 13.10.

# apt-get install v86d

Reboot, press 'c' in the GRUB menu to get a GRUB shell, then type 'vbeinfo' to list the resolutions supported by your card.

Edit /etc/default/grub and make sure you use your desired resolution and bit depth as listed by 'vbeinfo':

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nomodeset video=uvesafb:mode_option=1280x800x32,mtrr=3,scroll=ywrap"

Now scroll down a bit in that file and edit this line too, to match the previous change:

GRUB_GFXMODE=1280x800

Now force the use of the framebuffer in the initramfs:

# echo FRAMEBUFFER=y | tee /etc/initramfs-tools/conf.d/splash

Now update GRUB and your initramfs image and you're done!

# update-grub2 && update-initramfs -u
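The steps above as one script, added here as an example (mine, not the post's). It rewrites the two GRUB lines idempotently, so running it twice does not duplicate them, refuses a mode that is not in the WIDTHxHEIGHTxDEPTH form vbeinfo lists, and only then writes the FRAMEBUFFER line and rebuilds GRUB and the initramfs. The function names set_kv, grub_value, set_grub_fb and apply_uvesafb are my own; the demo at the end works on a constructed copy of /etc/default/grub, so it is safe to run anywhere, and only apply_uvesafb touches the real system.

```sh
#!/bin/sh
# set_kv FILE KEY VALUE: replace the KEY=... line in FILE, or append one if absent.
# Goes through a temp file so the edit is atomic and works on any copy of the file.
set_kv() {
  f=$1; key=$2; val=$3
  if grep -q "^$key=" "$f"; then
    awk -v k="$key" -v v="$val" 'index($0, k "=") == 1 { print k "=" v; next } { print }' "$f" > "$f.tmp"
  else
    { cat "$f"; printf '%s=%s\n' "$key" "$val"; } > "$f.tmp"
  fi
  mv "$f.tmp" "$f"
}

# grub_value FILE KEY: print the current value of KEY (to check the result)
grub_value() { sed -n "s/^$2=//p" "$1"; }

# set_grub_fb FILE MODE: write the two lines from the post into FILE (normally
# /etc/default/grub). MODE must be WIDTHxHEIGHTxDEPTH as listed by vbeinfo.
set_grub_fb() {
  f=$1; mode=$2
  case $mode in
    [0-9]*x[0-9]*x[0-9]*) ;;
    *) echo "mode must look like 1280x800x32 (pick one from vbeinfo)" >&2; return 1 ;;
  esac
  gfx=${mode%x*}          # 1280x800x32 -> 1280x800 for GRUB_GFXMODE
  cmdline="quiet splash nomodeset video=uvesafb:mode_option=${mode},mtrr=3,scroll=ywrap"
  set_kv "$f" GRUB_CMDLINE_LINUX_DEFAULT "\"$cmdline\""
  set_kv "$f" GRUB_GFXMODE "$gfx"
}

# apply_uvesafb MODE: the complete procedure from the post; run as root on the real box.
apply_uvesafb() {
  apt-get install -y v86d || return 1
  set_grub_fb /etc/default/grub "$1" || return 1
  echo FRAMEBUFFER=y > /etc/initramfs-tools/conf.d/splash
  update-grub2 && update-initramfs -u
}

# Demo on a constructed copy of /etc/default/grub (only the lines that matter).
demo=$(mktemp)
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' 'GRUB_CMDLINE_LINUX=""' > "$demo"
set_grub_fb "$demo" 1280x800x32 && cat "$demo"
rm -f "$demo"
```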

What I used to do was install hwinfo, which would show me the supported console resolutions from a terminal in my X session (Unity in my case), but since Ubuntu 13.10 has dropped support for HAL (if I got it right) that package is no longer available.
I kind of solved it with vbeinfo from within GRUB, but that isn't really optimal, since vbeinfo listed a lot more resolutions than fit on one page and I couldn't pipe that command to less. Luckily I saw one of the resolutions I wanted to use, so that wasn't really a problem after all.

Note that since I'm using uvesafb I don't get a really hardware-accelerated console, and if I use 1920x1080x32, which is the maximum my card supports, things get imho a bit slow. That is, text scrolling off the screen is slow and a bit stuttery.
I've found that 1280×800 is a perfect compromise in my case.

strace to the rescue

So I'm installing the latest Service Pack from HP on a ProLiant server running CentOS 6.4.
Running

# ./hpsum

just died with a return code of 127 (the shell's 'command not found' code, which is also what you get when a binary's ELF interpreter is missing).

strace is just great for situations like these:

# strace ./hpsum
[...]
old_mmap(0xb30c000, 195144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb30c000
brk(0xb33c000)                          = 0xb3d9000
open("/lib/ld-linux.so.2", O_RDONLY)    = -1 ENOENT (No such file or directory)

Sooo, I was missing some library. Finding the package that provides that lib is easy:

# yum provides /lib/ld-linux.so.2
[...]
glibc-2.12-1.107.el6_4.2.i686 : The GNU libc libraries
Repo        : updates
Matched from:
Filename    : /lib/ld-linux.so.2
[...]

hpsum is a 32-bit ELF binary and I'm running x86-64, so I had to install several 32-bit packages:

# yum install glibc.i686 libuuid.i686 libSM.i686 libXrender.i686 fontconfig.i686 zlib-1.2.3-29.el6.i686

Finding out which packages I needed was a matter of running hpsum repeatedly with a mix of yum search / yum provides / yum install.
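That last loop is easy to script. As an added example (mine, not from the post), the function below reads strace output and prints each shared object that the program or its loader tried to open and did not find, which is the signal in the trace above; a second function feeds that list to yum provides. The ld-linux line in the sample is the one from the post; the other trace lines are constructed to show what gets kept and what is dropped (a successful open, and a missing file that is not a library). The function names are my own.

```sh
#!/bin/sh
# Constructed strace excerpt: the ld-linux line is from the post, the others are
# made up to show the filtering. Produce a real one with
#   strace -e trace=open,openat ./hpsum 2>&1 | missing_libs
SAMPLE_TRACE='old_mmap(0xb30c000, 195144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb30c000
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/ld-linux.so.2", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libXrender.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/hpsum.conf", O_RDONLY)       = -1 ENOENT (No such file or directory)'

# missing_libs: read strace output on stdin and print every shared object that was
# opened and not found. Only open/openat calls failing with ENOENT on a *.so[.N]
# path count; a program probing for an optional config file is not a missing lib.
missing_libs() {
  awk -F'"' '
    /^(open|openat)\(/ && /= -1 ENOENT/ && $2 ~ /\.so(\.[0-9]+)*$/ { print $2 }
  ' | sort -u
}

# packages_for_libs: for each library path on stdin, print the package yum says
# provides it. Package lines look like "name : summary" (see the yum output above);
# this needs yum, so it is not part of the self-test.
packages_for_libs() {
  while read -r lib; do
    yum provides "$lib" 2>/dev/null | grep -E '^[^ ]+ : '
  done
}

printf '%s\n' "$SAMPLE_TRACE" | missing_libs
```

On a 64-bit box the paths tell you which architecture to install: /lib/ld-linux.so.2 and /usr/lib/*.so are the 32-bit locations, so the matching packages are the .i686 ones, as in the yum install line above.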

Exim and sendmail compatibility

I've maintained a rather large mail cluster using the Exim MTA.
Configuring an MTA is a lot more complicated than one would expect, until you try it. I know Exim now and am not really motivated to learn sendmail or postfix, so I tend to switch to Exim as the default MTA on any server I administer.

I just did some debugging where a Mojolicious application didn't send out email, and it turned out Exim's 'sendmail' compatibility wasn't 100% compatible with sendmail's sendmail …
(Long story short: first there was sendmail on every Unix. Then came postfix and exim, but because a lot of Unix utilities were already programmed to use sendmail, 'they' [postfix and exim] made a sendmail binary/wrapper that accepts the same options as sendmail.)

Anyway, after some debugging I noticed that the Perl Mail lib seemed to default to passing -t to sendmail. I had a look in the Exim documentation and noticed that they _do_ support -t, but as they write:

If the command has any arguments, they specify addresses to which the message is not to be delivered. That is, the argument addresses are removed from the recipients list obtained from the headers. This is compatible with Smail 3 and in accordance with the documented behaviour of several versions of Sendmail, as described in man pages on a number of operating systems (e.g. Solaris 8, IRIX 6.5, HP-UX 11). However, some versions of Sendmail add argument addresses to those obtained from the headers, and the O’Reilly Sendmail book documents it that way. Exim can be made to add argument addresses instead of subtracting them by setting the option extract_addresses_remove_arguments false.

soooo I tried adding

extract_addresses_remove_arguments = true

to exim.conf, and it seems to have solved the problem.