Linux Server management tools

I have started exploring options to manage 15-20 Linux servers running CentOS 6. This is the list of what I’ve found. I’d love to get some opinions, pros vs cons, evaluation procedure recommendations, etc.

Environment: 15-20 CentOS 6 (well, two 5.8 that will be going away soon) and one Oracle Linux server. Most are VMware VMs but a couple are on Hyper-V and one is a physical box. These run a variety of applications on Apache, some on Tomcat, a few MySQL servers, and an Oracle server.

I don’t deploy new machines very often, and given my current setup they are manually installed and configured via an internal checklist.  I’d like to find a better way to manage patching, users, and configurations that can do group dependent deployment (like production vs test, web vs mysql, etc) instead of ClusterSSH which is my current “bulk management” tool.

Chef
http://www.opscode.com/chef/
etckeeper
http://joeyh.name/code/etckeeper/
Puppet
http://puppetlabs.com/
Spacewalk
http://spacewalk.redhat.com/
CFEngine
http://cfengine.com/
reposync
http://docs.fedoraproject.org/en-US/Fedora/14/html/Software_Management_Guide/ch08s04.html
(Not really a deployment/management tool, more a local repo management tool.)
Katello
http://www.katello.org/
Pulp
http://www.pulpproject.org/
Foreman
http://theforeman.org/

Any relevant comments would be appreciated.

Blog Migration

I’m moving this blog to WordPress to try and combat the ongoing spam comments.  No, they never get seen because I vet all of them manually, but it’s getting annoying.

Unfortunately, doing the migration means losing all previous comments, but since there wasn’t really that much here, I don’t see it as a big problem…

phpns and silentium uploader – two great scripts that go great together

phpns a while back, and it’s been used effectively on one of the sites I designed. However, it’s missing one feature that would make it so much more useful for me: an upload facility. I started hunting around for a decent, simple file upload script that could be incorporated into phpns, and found Silentium Uploader from HyperSilence.net. After spending a couple of hours playing with it, I now have hacked Silentium into phpns. Like peanut butter and chocolate…they go great together! The download is available here: http://www.noidea.us/download.php?f=phpns-upload-patch.zip. I’ve also submitted it to the phpns developers if they want to incorporate it into their next version (if there is one…)

Linux traffic shaping in Fedora Core 4

CBQ.init to do some limiting of outbound SMTP traffic. You see, I run a mailing list that has multiple large attachments that are resent to 50+ subscribers, and trying to send that out effectively kills my DSL line. When I set up the new server, I set up CBQ.init 0.7.3 using the same configuration as on the old (Fedora Core 1) machine. Today, I found out that my limiting was not working…seems that there is an error in the CBQ.init script that prevented it from running correctly. The error manifests as follows:
[root@server rc.d]# ./cbq.init compile
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
The error is actually a mistake in the find command syntax of two lines in the script. Here is the corrected script (those are line numbers in front).
577 ### Get a list of configured classes
578 CLASSLIST=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \
579 -not -name '*~' -printf "%f\n"| sort`
580 [ -z "$CLASSLIST" ] &&
581 cbq_failure "no configuration files found in $1!"
582
583 ### Gather all DEVICE fields from $1/cbq-*
584 DEVFIELDS=`find $1 -maxdepth 1 \( -type f -or -type l \) -name 'cbq-*' \
585 -not -name '*~'| xargs sed -n 's/#.*//; \
586 s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \
587 { s/.*=//; p; }'| sort -u`
The change is the location of the -maxdepth 1 argument: it must be immediately after the last path in the statement, and before any other options. The original looked like this:
### Get a list of configured classes
CLASSLIST=`find $1 \( -type f -or -type l \) -name 'cbq-*' \
-not -name '*~' -maxdepth 1 -printf "%f\n"| sort`
[ -z "$CLASSLIST" ] &&
cbq_failure "no configuration files found in $1!"

### Gather all DEVICE fields from $1/cbq-*
DEVFIELDS=`find $1 \( -type f -or -type l \) -name 'cbq-*' \
-not -name '*~' -maxdepth 1| xargs sed -n 's/#.*//; \
s/[[:space:]]//g; /^DEVICE=[^,]*,[^,]*\(,[^,]*\)\?/ \
{ s/.*=//; p; }'| sort -u`
After making this change, the script works as expected! I’m posting this on the off-chance that someone else might be having the same issue I did, and this will help them, too. Oh, and if anyone is interested, here is my script to limit SMTP outbound traffic on my 3Mbit/768Kbit DSL line. It’s called cbq-0256.SMTP-out:
DEVICE=eth1,3Mbit,384Kbit
RATE=256Kbit
WEIGHT=25Kbit
RULE=,:25
Good luck!
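
The corrected lookup can be checked on a throwaway directory before trusting it on a live box. This is an added example, not code from CBQ.init or from the original post: the function names and the decoy files are constructed, and it uses the portable `-o` / `!` spellings with `-exec` in place of `-or` / `-not`, `-printf` and `xargs`.

```shell
#!/bin/sh
# Added example: exercises the corrected find ordering on constructed files.

# Names of the class files directly inside $1. -maxdepth 1 sits right after
# the start path, ahead of every test, as in the corrected script.
list_classes() {
    find "$1" -maxdepth 1 \( -type f -o -type l \) -name 'cbq-*' \
        ! -name '*~' | sed 's|.*/||' | sort
}

# Unique DEVICE= values from the same set of files (comments and
# whitespace are stripped first, as the script's sed expression does).
device_fields() {
    find "$1" -maxdepth 1 \( -type f -o -type l \) -name 'cbq-*' \
        ! -name '*~' -exec sed -n -e 's/#.*//' -e 's/[[:space:]]//g' \
        -e '/^DEVICE=[^,]*,[^,]*\(,[^,]*\)\{0,1\}/{s/.*=//;p;}' {} + | sort -u
}

# Constructed sample directory: the post's cbq-0256.SMTP-out plus decoys.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'DEVICE=eth1,3Mbit,384Kbit\nRATE=256Kbit\nWEIGHT=25Kbit\nRULE=,:25\n' \
        > "$d/cbq-0256.SMTP-out"
    printf 'DEVICE = eth0,10Mbit,1Mbit  # LAN side\nRATE=1Mbit\n' \
        > "$d/cbq-0128.lan"
    cp "$d/cbq-0256.SMTP-out" "$d/cbq-0256.SMTP-out~"  # editor backup: skipped
    ln -s cbq-0128.lan "$d/cbq-0300.link"              # symlink: listed
    mkdir "$d/old"                                     # depth 2: never reached
    printf 'DEVICE=eth2,1Mbit,100Kbit\n' > "$d/old/cbq-0999.stale"
    echo "$d"
}

dir=$(make_sample_dir)
list_classes "$dir"
device_fields "$dir"
rm -rf "$dir"
```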

Abandoned? No, just ignored….

blown caps issue). I was unable to keep much of the filtering running because of the RAM requirements, and thus was making do with only Postfix’s RBL checks and Policyd greylisting service. Now it’s all running, and I’m much happier with the systems…. Final note, I’m now also an admin/developer for PluggedOut Blog, the blog script that runs this site. If you’re looking for an easily customizable, flexible, feature-rich blog script in PHP, check it out!

Who is really responsible?

filed a lawsuit against the MySpace social networking website. According to this article from The Register: “Myspace didn’t act quickly enough to protect users who are minors from adult predators. The plaintiffs say their daughters were solicited and abused by adults using the site.” [rant mode on]
At what point did parents stop being responsible for the care of their children, and children stop being responsible for their own actions? When did MySpace (or Facebook, or Yahoo, or any other website) take over that role in the raising of a child? I’ve talked with parents, and I’m going to be one in a few months. Parents must take an active role in their child’s development, including monitoring what they do on the computer, or who their friends are. This includes knowing the parents of their friends and how those parents raise their own children.
[rant mode off]

In the Houston case, I seem to recall that the mother had blocked internet access on their home computer, or they didn’t have a computer. So, the daughter used her cell phone’s browser to go to MySpace, or a computer at a friend’s house. This goes back to being involved, both with the child and the parents of the child’s friends.

MySpace cannot be responsible because someone using their free, unmonitored service lied about their age or lured an irresponsible teenager into a compromised situation. Consider MySpace and the other sites as “common carriers”: just like the phone company is not responsible for someone using the telephone to plan a robbery, or Cingular would not be responsible for someone using a cell phone to trigger a bomb, MySpace and other social networking sites cannot be victimized by someone who is willing to lie to get somewhere.

If MySpace implements the new rules they are discussing, it’s simply going to generate hundreds of additional profiles; more people who will lie that they are either over age or under age to meet the people they are targeting. Short of turning into a pay service, and alienating their current major userbase (most of whom probably don’t have credit cards or PayPal accounts), I don’t see any changes that will substantially alter the current situation.

I really hope that the courts decide to throw out this case, with prejudice, and make those filing the lawsuit pay their own legal fees. Along with a stern lecture about parenting. Maybe that will make people think twice in this “I don’t like you I’m going to sue” society.

lessons in system configuration

I started setting up the box last week with custom-compiled versions of Postfix, Dovecot IMAP server and several other packages. Now I’m starting to configure things to closely match the existing mail server, including Samba. This makes some administrative tasks a bit easier, like updating some web pages (this basically only hosts SquirrelMail and PostfixAdmin). There’s not much web service to do, but Samba makes it easier to move logfiles to the Windows box and copy new files over without having to run FTP or wget all the time.

The problems started after I copied the smb.conf file (Samba config) from the existing server to the new box. I tweaked it, fixed some server-specific settings, and set it off. First, it wouldn’t even see itself as an SMB server. Found and fixed that. Then, it appeared to be fighting with my WINS server (another Linux box) to be the master browser. Fixed that setting too. Finally was able to resolve itself by name and local IP.

Now to get it to see the rest of the network (and the rest of the network to see it, as well). OK…started through the diagnostics document from Samba. Step 1…good. Step 2…good. Step 3…er…step 3….errors. Troubleshooting was going nowhere. 45 minutes later, had a thought…firewall? Iptables was running, since this box faces both the internet and my local LAN on different NICs. Turned off iptables and gee…it works!

Start tweaking around with firewall rules. Seems the syntax has changed slightly between the Fedora Core 1 and Fedora Core 4 versions, so the rules from the old box don’t quite work on the new one. Found the system-config-firewall-tui utility, and set up custom rules for the right ports, and restarted both iptables then Samba. Gee whiz, it works now! I can see it from the other computers, and it finds the rest of the network too!

Well, that was a good waste of several hours that I’ll never get back. I guess the next step is to set up Postfix, policyd, amavisd and the new MailZu web interface for amavis.
Oh, and pray that Dovecot 1.0 final will make it out in the next two weeks before I’m ready to bring the new monster live….

More Good Reasons to Stay AWAY from Windows Vista

This article by Peter Gutmann talks a lot about the DRM risks and limitations in Windows Vista (especially if you have SPDIF or component video), but several items mentioned are important to malware fighters as well, especially regarding future reverse-engineering issues. Executive Summary:

Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.


Exactly what is Christmas for, anyway?

CHRIST. So, why does it seem that the Bible churches, mega-churches (yes, I mean you, Joel Osteen and Ed Young) and most of the other Protestant congregations have decided that actually holding a service ON Christmas Day is such a big inconvenience to their members? Is taking an hour or two out of your Christmas morning too much to ask to give for the child Jesus who ultimately gave us Himself? Anyone who says “But Christmas is ‘family time’!” doesn’t get the real reason we celebrate this day. Sure, spend the day with your family. But FIRST, spend it with the birthday Boy.

It’s no secret to anyone reading this that I’m Catholic, and proud of it. Catholics, this year, will be attending Mass on Sunday for the weekly obligation, and on Monday for the Christmas Holy Day (at least, they’re *supposed* to….)

Now, for a little rambling and perhaps a history story…. It’s widely accepted that Christ was not actually born on December 25, 1 A.D. Which, since the Gregorian calendar we now go by wasn’t even created at the time, makes sense…. If Jesus was born ~5-6 B.C., as is supposed, and Herod had all children under the age of 2 killed shortly before his own death in ~4 B.C., and Herod’s action was triggered by the appearance of the “three wise men”, then the Eastern astrologers didn’t show up in Bethlehem, but two years after Jesus’ birth, most likely in Nazareth!

The “12 days of Christmas” start on either December 25th or 26th, and end on January 5 or 6th, depending on which source you check. January 6th is the celebration of the Epiphany, and also referred to as the “Feast of the Three Kings”. This is at the end of the celebration of the Christmas season, preceding the return the following Sunday to “Ordinary Time” in the Church calendar.

And one more related topic…about those Three Kings and their strange gifts. Why gold? Why frankincense (incense)? Why myrrh? If you read the words of the traditional carol “We Three Kings”, you get your answers. Each of the second, third and fourth verses is spoken from the view of each of the kings: Balthasar, Melchior and Gaspar.

Born a King on Bethlehem’s plain/Gold I bring to crown Him again/King forever, ceasing never/Over us all to reign

Frankincense to offer have I;/Incense owns a Deity nigh;/Prayer and praising, all men raising,/Worship Him, God most high.

Myrrh is mine, its bitter perfume/Breathes a life of gathering gloom;/Sorrowing, sighing, bleeding, dying,/Sealed in the stone cold tomb.

So, that comes out to: Gold for Christ’s kingship; Frankincense for His divinity, and Myrrh for the sacrifice of the Crucifixion. Prophetic and practical, all in there! Enough for tonight…Merry Christmas, y’all!

Firefox 2 Tweaks

about:config:
browser.tabs.closeButtons = 3
browser.tabs.tabMinWidth = 10

Install Tabbrowser Preferences: tabbrowser_preferences-1.3.1.1-fx.xpi

Edit userChrome.css (in user profile directory):
/* Disable "List all Tabs" Button */
.tabs-alltabs-button {
  display: none !important;
}
/* Disable Container box for "List all Tabs" Button */
.tabs-alltabs-box {
  display: none !important;
}
/* remove new tab button */
.tabs-newbutton { display: none; }

Edit: one more tweak for download dialogs
Edit the file %programfiles%\Mozilla Firefox\components\nsHelperAppDlg.js
Find the line
// hide featured choice
edit the line below that:
this.mDialog.document.getElementById("normalBox").collapsed = true;
change "true" to "false"