Archive for the ‘Desktop Linux’ Category

selinux magic for gitweb

Wednesday, September 5th, 2007

The last remaining problem for the F7 upgrade was a conflict between the gitweb cgi and selinux. I fixed it by allowing the transgression that was reported in the log. There is quite a bit of conflicting information on the web for how to make a local policy change.

First I found out what would allow the action that was being defeated, using audit2allow:

# echo "avc: denied { read } for pid=3736 comm="gitweb.cgi" name="cgi-bin" dev=md7 ino=5079272 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir" | audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;

Basically the gitweb cgi calls some perl that does the equivalent of getcwd(), and this was being disallowed. The advice that was correct for setting local policy on F7 was found here. In short I did:

# mkdir /root/tmp; cd /root/tmp
# touch local.te local.if local.fc
# yum install selinux-policy-devel
# vi local.te
policy_module(local, 1.0)

require {
attribute httpdcontent;
type httpd_sys_script_t;
type httpd_sys_script_exec_t;
}
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

Immediately after doing this gitweb was back working normally again.
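
As an added example (not code from the original post), here is the derivation audit2allow performs for the denial above, done in plain shell so the rule and the require block it needs can be inspected before anything is installed. The sample denial line is the one from the post and the module name local is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: derive the allow rule that an AVC
# denial implies (what audit2allow did for the gitweb case above) and emit a
# local.te that matches the hand-written module layout. Input is the kernel
# "avc: denied" line format shown on the page.

# Constructed sample: the gitweb denial from the post, without the outer quotes.
SAMPLE_AVC='avc: denied { read } for pid=3736 comm=gitweb.cgi name=cgi-bin dev=md7 ino=5079272 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir'

# Print "allow <src type> <tgt type>:<class> <perms>;" for one denial line.
# Returns 1 if any field is missing, so a garbled line never becomes a rule.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions use brace syntax
    esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Wrap allow rules in a policy module: header, a require block listing every
# type the rules mention, then the rules themselves. $1 is the module name.
gen_local_te() {
    name=$1; shift
    printf 'policy_module(%s, 1.0)\n\nrequire {\n' "$name"
    for rule; do printf '%s\n' "$rule"; done |
        awk '{ split($3, t, ":"); print "type " $2 ";"; print "type " t[1] ";" }' | sort -u
    printf '}\n\n'
    for rule; do printf '%s\n' "$rule"; done
}

# Typical use: review the generated rule, then build and install as in the post:
#   gen_local_te local "$(avc_to_allow "$SAMPLE_AVC")" > local.te
#   make -f /usr/share/selinux/devel/Makefile && semodule -i local.pp
```

The point of generating the rule locally is that it is as narrow as the denial itself (one source type, one target type, one class, the denied permissions), which is what you want to check before widening the policy for a CGI that runs as httpd_sys_script_t.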

Forcing 1&1 to make F7

Wednesday, September 5th, 2007

The new server at 1&1 has been showing signs of unreliability: it has crashed and died mysteriously three times, the last time while I was away for a couple of days. Late at night when I got back, I decided it was time to actually make it into a Fedora box with a kernel later than 2.6.16 and to get rid of the xfs-formatted partitions, which I suspect of causing the instability. So here are my notes on how to force-upgrade the weird FC4-based OS on those boxes to fully true Fedora 7, grub, ext3 and selinux. The notes might not be complete, but they contain all the major steps and will be useful for anyone contemplating changing their server over to “Genuine Fedora”.

Don’t embark on this unless you have some Linux-fu and know how to get yourself out of trouble, because at every step you can easily trash your server and lose all your data. We are literally going to format the main filesystems and install a new bootloader on a remote server… we can call that “not a beginner project”.

(more…)

It’s Fedora, Jim: but not as we know it

Monday, July 30th, 2007

Pretty strange version of Fedora running on 1&1 dedicated Linux servers.

First it is FC4, which is out of security update coverage, and Fedora Legacy has gone away too. I update it to FC6 via yum (worried about the libata change in the F7 kernels making it unbootable… I needn’t have worried, since I can make it unbootable all by myself). After the update the /boot/grub/grub.conf looks a bit strange; grubby did not make an entry for the FC6 kernel, so I add it by hand.

On reboot, it ignores the new kernel and boots the old one. Further digging reveals that it is set up to use LILO, not grub. They provide and cook their own 2.6.17 kernel which was built on a Debian box and does not use an initrd: it has all the drivers it needs built into the monolithic kernel. Hm.

(more…)

Jamendobox

Friday, June 8th, 2007

Well, I already knew that Jamendo allowed you to download their catalogue in Ogg, but by itself it was just an interesting side-note (Jamendo being the primary site to get liberally licensed music, often biased towards francophone nymphs).

But to my surprise I tried Fedora 7 Rhythmbox a few minutes ago, expecting nothing much but the pile of Gnomic crud that assaulted me last time I tried it. Ah no, mashed up with Jamendo (but apparently not as planned Magnatune) Rhythmbox has become more than the sum of the parts and has crashed uninvited into iTunes territory.

It has become a native client app you can start up and listen to a big catalogue of liberally licensed music, not only without the expectation of having money sucked from your living veins but even with the expectation of being moved to voluntarily donate to the people sending you their hard work for free, when you especially appreciated what they offered.

And there on the menu bar is the legal, sanctioned, intentional “download album” button. In the face of this must you go and give money to the lawyer loving corporate coke snorting beast-creatures for mainstream crud? Or should you not set out to make a direct connection with the artists and show them your appreciation in a direct and personal way?

An extraordinary advance for standard Linux media players!

Postfix relaying for Dynamic clients

Wednesday, August 9th, 2006

My in-laws have a Fedora box on residential ADSL in Spain. They experienced trouble with the terra.es mailservers, so I installed Postfix for them and set Thunderbird to use this local Postfix to directly forward their mail to the destination.

This works well except for a correspondent in Australia, who is on bigpond.com. They use a blackholing service which has blackholed the whole residential ADSL netblock for their ISP, on the basis that a lot of spam is coming directly from compromised Windows boxes, meaning that the Postfix on their box doesn’t get anywhere talking to bigpond (and annoyingly bigpond rejects the mail with a 450, not a 550, delaying notification that there are problems).

I am in a similar position: I run my own MX at home where I work, so mail is sent directly to me, but I am unable to reliably send outgoing mail directly due to some blackhole lists including my whole netblock. My solution is to run a Postfix instance on warmcat.com, which is not used for incoming mail and is firewalled off from everyone except my home IP address. As a belt-and-braces, the Postfix on warmcat.com is configured to only relay from my IP address anyway.

So the obvious solution to the problem with the in-laws would be to also route their outgoing mail through warmcat.com, which pretty much everybody will talk to since it is sat in a server farm. But the fly in the ointment is that they are on residential ADSL, so their IP address changes on every boot. I don’t want to add an authentication layer because I don’t want to disrupt their mail any further while I get it working, and the pinhole in the firewall method is working fine for me too.

The first move was to regularize their dynamic IP using dyndns.org and the perl client from there. This gave me a reliable FQDN that always resolves to their machine. Then the problem was simplified to “how can I get Postfix to accept a list of clients allowed to relay using FQDNs? And to track changes where the DNS mapping is dynamic?”. It seems that you can’t, it only accepts netblocks.

To solve this problem I created the following script which runs from a cronjob. See inside the script for instructions. (more…)
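
The cron job described above, as an added example that is not the author's script (the original is not reproduced on the page). The dynamic hostname and the addresses are constructed; the resolver step is kept separate from the part that builds the mynetworks value so the latter can be checked offline.

```shell
#!/bin/sh
# Added example (not the author's cron script): keep the Postfix mynetworks
# value in sync with the current address of a dynamic-DNS client such as the
# in-laws' box. Hostnames and addresses below are constructed placeholders.

# Resolve a hostname to its first IPv4 address (empty string on failure).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a plain dotted-quad; anything else is rejected so that a broken
# or unexpected DNS answer can never end up widening the relay list.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { for (i = 1; i <= 4; i++) if ($i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Build the mynetworks value from the static networks plus one /32 per
# resolved client. $1: static networks (space separated); rest: client IPs.
build_mynetworks() {
    static=$1; shift
    nets="$static"
    for ip; do
        valid_ipv4 "$ip" || return 1      # refuse to emit a line with bad input
        nets="$nets $ip/32"               # a host entry, never a wider block
    done
    printf 'mynetworks = %s\n' "$nets"
}

# Cron entry point: recompute, and only touch Postfix when the value changed.
update_postfix() {
    static="127.0.0.0/8 203.0.113.10/32"             # constructed: server's own nets
    ip=$(resolve_ipv4 "inlaws.example.dyndns.org")   # hypothetical dynamic FQDN
    [ -n "$ip" ] || { echo "resolution failed, leaving mynetworks alone" >&2; return 1; }
    new=$(build_mynetworks "$static" "$ip") || return 1
    cur="mynetworks = $(postconf -h mynetworks)"     # plain string compare; a
    [ "$new" = "$cur" ] && return 0                  # formatting difference just
    postconf -e "$new" && postfix reload             # costs one extra reload
}
```

A resolution failure deliberately leaves the previous value in place rather than emptying the list, and each client is added as a /32 so a change of address never admits more than that one host.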

VMware networking in Fedora

Thursday, July 27th, 2006

Hm, the wonderful Czech guy who provides

http://ftp.cvut.cz/vmware/

allows VMware to work fine on Fedora normally (I have an XP install that runs inside VMware to provide Protel). But since I migrated the VM to this laptop, networking seems to be fixed on host-only. I can ping the host from inside the VM but nothing else, despite (or perhaps because of) my having selected “bridged”.

Going to have a fiddle.

Edit: Hm, looks like ARP proxying is broken on the wlan0 interface. Moving to a bridge on eth0 works fine.

Cursed AMD64 box

Sunday, July 9th, 2006

My AMD Athlon 64 X2 4400+ box has been working fine for about a year with a Western Digital 10K RPM SATA drive. This is a DFI Lanparty motherboard and a 450W PSU IIRC. The machine was up 24/7 for most of that year since it was acting as my mailserver amongst other things.

A few weeks ago the drive started acting erratically: I would wake in the morning and find that the ext3 filesystem on there had been remounted read-only because filesystem corruption had been detected. I was able to fsck the filesystem back into sanity and the drive would act fine for several days. Well, these stories always end the same way, with a drive that won’t complete a boot, and that was the case for this idiot too.

The particular disease was that the area of the disc that contained the LVM structure — Fedora sends in LVM by default now — was spewing hard IO errors when touched. Therefore it couldn’t get past trying to bring up the LVM on boot and simply dropped dead. I documented the evasive actions I took in this fedora-list mail; basically I was able to recover the ext3 filesystem that was inside the LVM block on to a new SATA drive. LVM’s physical footprint is basically a 0x30000 byte header before the ext3 filesystem starts.
I installed FC5 on the new drive and brought over most of the data from the copy of the ext3 filesystem from the damaged drive, and went on pretty much as normal, with brief interruptions while I fished something I had forgotten I needed from the old filesystem. But then to my disbelief, after just a week, the new drive — the only drive in the machine — blew chunks in a similar way, hard IO errors one morning. I came into my work room and heard it performing the click of death.
I recovered from this rather grimly from backups; I did not fancy attempting a second recovery of 60GB of data from a second drive inside of a week. I stared at the AMD box for a minute or two though… I could think of two likely causes, the most likely one being the power supply. If it was having trouble with its 12VDC line, serious trouble, it might cause the drive to reset itself as if a poweron was happening repeatedly. It’s not hard to imagine that a set of such resets at random intervals might eventually catch the drive out in its initialization phase and cause it to throw a fit ending in its head scratching the surface. The other possible cause is a bit more uncertain: both boxes were running the new FC5 2.6.17 kernel, which has had a lot of work going on with libata and the kernel code for SATA. I wonder if that is repeatedly attempting drive resets as a last resort.
Anyway, it had caused enough trouble; I swore off it and migrated back to running from this Centrino Duo laptop, which is plenty fast enough for a main workstation. One nice feature of VMware is that the XP I am running inside it has no idea that it has moved machine, there is no activation crap — although this is of course a genuine retail copy of XP, one of two I own. I shall probably have cause to write about it another time, but I have to have XP for Protel. It runs on top of Fedora Core thanks to VMware Workstation.