Fixing broken xemacs on openSuSE 11.2

One of our developers is using openSuSE 11.2 as his desktop machine and reported that xemacs from RPM xemacs-21.5.29.b604d235f028-1.1.1.x86_64 wasn’t working.  As soon as you start it, the status line at the bottom displays:

Loading this file requires xemacs, (null(function-max-args ‘throw))

I googled that and found a thread on the opensuse forums recommending we:

zypper in xemacs-el
for i in /usr/share/xemacs/xemacs-packages/lisp/*/*.elc
do
grep -q 'null (function-max-arg' "$i" && rm "$i"
done

Here’s a link to the thread: xemacs broken after security update

Corrupt kernel update breaks mkinitrd – cannot boot

We were trying to install a QLogic card and its drivers on one of our SLES11 servers this morning and mkinitrd kept barking at us:

lebsvn2:/boot/grub # mkinitrd -v

Kernel image:   /boot/vmlinuz-2.6.27.19-5-default
Initrd image:   /boot/initrd-2.6.27.19-5-default
Root device:    /dev/root (mounted on / as ext3)
Resume device:  /dev/disk/by-id/scsi-SATA_FUJITSU_MHZ2080_K85CT9925KBH-part3 (/dev/sda3)
Device root not found in sysfs
Script /lib/mkinitrd/setup/72-block.sh failed!

Found some magic at an openSuse forum:

rootdev=<root block device> mkinitrd

In our case it was rootdev=/dev/sda3 mkinitrd.  And it worked like magic.


via Corrupt kernel update breaks mkinitrd - cannot boot.

Simple file backup script for sysadmins

A friend of mine, Tony Krch, wrote this nearly ten years ago and I’ve used it ever since.  Whenever I edit a system config file, like /etc/named.conf, I first do

cd /etc
backup resolv.conf

Then I edit.  The backup script makes a copy using “cp -a” of the file, puts it in a sub-directory called backups and appends a date-time extension to the file.  When I need to revert or see what I’ve done, I can vimdiff the current to any one of the backups.

Now, there are “better” ways to manage your system configs – like using cfengine, puppet or even just rcs, cvs, svn or one of the other SCM systems.  I like this script better though.  Simple, quick, easy.  Here it is, with many thanks to Tony:

#!/bin/bash

# Make backup of system file(s) in directory ./backups
# Tony Krch - 03/24/00 - tony@krch.net
# usage: backup <file> [<file>] ...
# user must cd to directory files to back up reside in prior to making backup

# let's make sure we were invoked correctly
if echo "$@" | grep -q "/"
  then
    echo "usage: please cd to dir containing files to back up"
    exit 1
fi

# let's see if we already have our backups dir, if not, create it.
if [ -f "./backups" ]; then
  echo "Can't create dir ./backups, file by that name exists"
  exit 1
elif [ ! -d "./backups" ]; then
  # test mkdir directly: [ ! $? ] is never true because $? is always a non-empty string
  if ! mkdir ./backups; then
    echo "*** ERROR: couldn't create ./backups dir"
    exit 1
  fi
elif [ ! -w ./backups ]; then
  echo "*** ERROR: No write access to backups dir"
  exit 1
fi

# everything looks reasonable, let's go ahead and do the real work.

DATESTR=$(date +%Y%m%d)         #format the date for use in the file name
STATUS=0                        #assume successful execution

# process ARG list
if [ $# -lt 1 ]; then
    echo "usage: backup <file> [<file>] ..."
    exit 1
fi

#back up the files
for ARG
  do
    if [ ! -f "$ARG" ]; then
        echo "*** backup: $ARG: not found"
        STATUS=1
        continue
    fi
    let SEQ=1
    while [ "$SEQ" -lt 100 ]
      do
        if [ $SEQ -lt 10 ]; then
          SEQSTR="0$SEQ"
        else
          SEQSTR=$SEQ
        fi
        if [ ! -f "./backups/$ARG.$DATESTR$SEQSTR" ]; then
          # quote the names so files containing spaces or glob characters copy correctly
          cp -p "$ARG" "./backups/$ARG.$DATESTR$SEQSTR"
          echo "copied $ARG to ./backups/$ARG.$DATESTR$SEQSTR"
          break
        elif [ "$SEQ" = 99 ]; then
          echo "*** ERROR: too many copies of $ARG, no backup made"
          STATUS=1
          break
        else
          let SEQ=$SEQ+1
        fi
      done
  done
exit $STATUS

SSL on Glassfishv2

We bought a real SSL cert for our OpenSSO server.  That means I need to “install it” on the Glassfishv2 installation that runs the OpenSSO app.  The new cert came with three other certs, that I now understand are the “chain” that legitimizes our cert by associating it (somehow) with the external authority.

After much thrashing, I learned these important bits of info that I don’t want to forget:

  • On my servers $DIR is /opt/SDK.  That’s where GlassfishV2 is installed.
  • GlassfishV2 uses a Java keystore to hold its SSL cert
  • the default keystore location is in $DIR/domains/domain1/config and is named keystore.jks.
  • the default password for that keystore is ‘changeit’
  • there’s a cacerts.jks in there also – ignore it.  But its password is also ‘changeit.’
  • the tool of choice for working with Java keystores is ‘keytool’
  • keytool comes with GlassfishV2.  It’s in $DIR/bin/
  • the default, self-signed SSL cert that comes with a GlassfishV2 installation is named ‘s1as’
  • it is smart to work only with copies of your keystores.  🙂

The process for replacing that default SSL cert is this:

  • Create a new server key to be used when you create your CSR (certificate signing request).  Here’s the command:

keytool -genkeypair -keyalg RSA -keystore keystore.jks.new -validity 730  -alias lebabc.ansys.com

  • Create a CSR:

keytool -certreq -alias lebabc.ansys.com -file lebabc.ansys.com.generated.2010062301.csr -keystore keystore.jks.new

  • Use the contents of file lebabc.ansys.com.generated.2010062301.csr to apply for a signed certificate from one of the SSL agencies, like Thawte or Network Solutions.
  • Somehow (e-mail, download) you’ll get a zip file containing your new, signed cert and some other certificates.
  • install those other certificates first. In my case, the exact commands were:

keytool -importcert -trustcacerts -alias utnaddtrustserverca -keystore keystore.jks.new -file UTNAddTrustServer_CA.crt
keytool -importcert -trustcacerts -alias addtrustexternalcaroot -keystore keystore.jks.new -file AddTrustExternalCARoot.crt
keytool -importcert -trustcacerts -alias networksolutionsca -keystore keystore.jks.new -file NetworkSolutions_CA.crt

  • install your new, signed cert last

keytool -importcert -trustcacerts -alias lebabc.ansys.com -keystore keystore.jks.new -file LEBABC.ANSYS.COM.crt

  • copy your new keystore into place and restart Glassfish
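A check worth running before that final copy step, as an added example that is not part of the original post: it reads `keytool -list -v` output and confirms the server alias is still a PrivateKeyEntry carrying the full chain (your cert plus the three others, so 4). The two listings are constructed excerpts and assume keytool's English output labels.

```shell
#!/bin/sh
# Constructed excerpt: signed reply imported under the key's own alias.
good_listing() { cat <<'EOF'
Alias name: networksolutionsca
Entry type: trustedCertEntry

Alias name: lebabc.ansys.com
Entry type: PrivateKeyEntry
Certificate chain length: 4
EOF
}

# Constructed excerpt: signed cert imported under a different alias, so the
# key entry still holds only its original self-signed certificate.
bad_listing() { cat <<'EOF'
Alias name: lebabc
Entry type: trustedCertEntry

Alias name: lebabc.ansys.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# check_chain ALIAS MIN_LEN   (reads `keytool -list -v` output on stdin)
check_chain() {
  awk -v want="$1" -v min="$2" '
    /^Alias name: /               { alias = substr($0, 13) }
    /^Entry type: /               { if (tolower(alias) == tolower(want)) type = $3 }
    /^Certificate chain length: / { if (tolower(alias) == tolower(want)) len = $4 }
    END {
      if (type != "PrivateKeyEntry") {
        print "FAIL: " want " is " (type ? type : "missing"); exit 1
      }
      if (len + 0 < min + 0) {
        print "FAIL: chain length " (len + 0) ", expected >= " min; exit 1
      }
      print "OK: " want " is a PrivateKeyEntry with chain length " len
    }'
}

# Real use: keytool -list -v -keystore keystore.jks.new | check_chain lebabc.ansys.com 4
good_listing | check_chain lebabc.ansys.com 4
bad_listing  | check_chain lebabc.ansys.com 4 || echo "do not copy this keystore into place"
```

A chain length of 1 on the server alias means Glassfish would still present the self-signed certificate.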

This guy’s post saved what’s left of my hair:  Nathan Robertsons weblog: PositiveSSL and Apache Tomcat 6.

nsswitch compat mode not compatible with our dev, dev1, dev2 “extended” group

At work, we have many Unix and Linux systems, so we use NIS to coordinate the authentication and authorization of users.  One of our Unix groups has so many members that the older Unix systems can’t “see” them all.  So, we split up the membership into a set of entries in the /etc/group file that all have the same numeric GID.

Looks like this:

dev:*:110:userAA,userAB,userAC,...,userBZ
dev1:*:110:userCA,userCB,userCC,...,userDA
dev2:*:110:userDB,userDC,userLastOne

And it’s been working pretty well. Until today, that is.

Today, I found a bug.

On “openhouse”, one of our SLES 11 machines, none of the users in the dev and dev1 groups were being recognized as being members of GID 110.  Only the members of dev2 had access to group 110.  It seems that dev2 appears last in the two group NIS maps.

On openhouse, /etc/nsswitch.conf had “compat” specified for passwd, shadow and group.

Now, “compat” mode exists to support the +/- syntax we tend to use at the bottom of our /etc/{passwd, shadow, group} files.  The resolvers in “modern” distributions can manage without that +::: syntax if you simply include nis on the line in nsswitch.conf, but you lose a bit of functionality. For example, without compat mode, you couldn’t use this at the bottom of a file to allow access only for the members of a specific netgroup:

+@netgroup
-

Since we aren’t limiting access with netgroups on openhouse, I changed openhouse’s nsswitch.conf to the newer ‘files nis’ mode for passwd, shadow and group and now all the members of dev, dev1 and dev2 appear to be in group 110 again.

If we find systems on which we need to restrict access by using netgroups and yet can’t use “compat” mode, it’s likely that we can recover the access limiting functionality by using /etc/security/access.conf.

June colds?

Anyone else get colds in summer?  I’ve got one and it sucks.  I’d say it’s an allergy attack, but it’s behaving just like a cold – itchy throat, then runny nose, then cough and fever…. ack!

The bright side of wrong – The Boston Globe

When I read this, I thought of all the poor kids whose parents constantly correct them and scold them for making mistakes and prevent them from taking risks – intellectual risks, social risks, physical risks.  There’s strong motivation here for expanding your parenting style to incorporate allowing your kids to screw up.  And even for learning to be comfortable taking some risks your self.  Enjoy!

The bright side of wrong – The Boston Globe.

Faster grepping with awk.

Turns out that for some cases, awking is much, much faster than grep.

Just now, I wanted to know how many unique MAC addresses appeared in our DHCP server’s log file asking for a lease but not getting it.  There are a few ways to skin this cat.  What’s interesting is that some ways are *much* faster than others and when you’re searching through large log files, speed helps:

This is all on openSUSE 10.3 (X86-64) with kernel 2.6.22.17-0.1-default. Your mileage will vary, of course, but the ratio should be about the same.

wc daemon.log
  90145 1044693 9287866 daemon.log

So, 90,000 lines, about 9.2 MB. Not a huge file. Searching for a fixed phrase, no fancy regexp.

With GNU grep 2.5.2:

time (grep 'no free leases' daemon.log > t1)
real    0m12.512s
user    0m12.505s
sys    0m0.004s

I tried various switches to optimize – like -F, -E, and with a $ at the end of the search string. No help. Looks like the builtin optimizer knows as much as I do in this case.

With GNU Awk 3.1.5g

time (awk '/no free leases/ {print}' daemon.log > t1)
real	0m0.558s
user	0m0.548s
sys	0m0.012s

So, learn the basic awk syntax and start using it instead of always reaching for grep.
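The original question (how many unique MAC addresses asked for a lease and were refused) can be answered in the same awk pass, shown here as an added example that is not from the original post. The log lines are constructed and assume the ISC dhcpd message layout "... from <MAC> via <interface>: ... no free leases"; the host name and addresses are made up.

```shell
#!/bin/sh
# Constructed sample lines (assumed ISC dhcpd syslog layout).
sample_dhcp_log() {
cat <<'EOF'
Jun 23 09:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:01 via eth0: network 10.1.2.0/24: no free leases
Jun 23 09:00:05 dhcp1 dhcpd: DHCPDISCOVER from 00:16:3E:AA:BB:01 via eth0: network 10.1.2.0/24: no free leases
Jun 23 09:00:09 dhcp1 dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:02 via eth0: network 10.1.2.0/24: no free leases
Jun 23 09:00:12 dhcp1 dhcpd: DHCPREQUEST for 10.1.2.50 from 00:16:3e:aa:bb:03 via eth0
Jun 23 09:00:12 dhcp1 dhcpd: DHCPACK on 10.1.2.50 to 00:16:3e:aa:bb:03 via eth0
EOF
}

# Print "count mac" for every MAC on a "no free leases" line, busiest first.
# Reads the files named as arguments, or stdin when none are given.
denied_macs() {
  awk '/no free leases/ {
         for (i = 1; i < NF; i++)
           # the MAC is the word after "from"; six colon-separated parts
           if ($i == "from" && split($(i + 1), octets, ":") == 6) {
             seen[tolower($(i + 1))]++     # fold case so one card counts once
             break
           }
       }
       END { for (mac in seen) print seen[mac], mac }' "$@" |
    sort -k1,1nr -k2,2
}

# Number of distinct MACs that were refused a lease.
denied_mac_count() { denied_macs "$@" | wc -l | tr -d ' '; }

# Real use: denied_macs daemon.log
sample_dhcp_log | denied_macs
echo "unique MACs refused: $(sample_dhcp_log | denied_mac_count)"
```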

Would You Rather Be Right or Be At Peace?

I follow this guy’s blog, Stephen Mills.  He wrote a piece today that explains very well one of the choices I’ve been trying to finish making for the past five years or so.  Would You Rather Be Right or Be At Peace?.  Good stuff, Stephen.  Thanks!

Citicard is shortsighted.

Remember the pain we used to have to go through to cancel a credit card?  Well, not anymore.  And that’s weird.  You’d think that with the recession so close behind them the creditors would be trying hard to keep customers.

Luca and I just got back from fishing – caught a nice, 18″ large mouth and a 10″ horned pout.  The Citi Diamond Visa card statement was waiting.  Andi asked if I knew anything about the $60 charge on it.  “Nope.  Hmm… says ‘fees.'”  So I called them.

It’s an annual membership fee they started charging back in February.  I told the woman on the phone that they could either reverse the charge or close my account.  She didn’t even bat an eye, just asked if I’d like a letter confirming the closure.

Wow.  They’d rather lose a customer than give up the $60 fee?  Dumb, dumb, dumb.  I guess we’ll be buying our new furnace on the AmEx.