Just my blog

YUM repo fails with koji/mock when base URL is used

Posted on: July 4, 2012 | By: Pieter de Rijk – Comments Off

Recently I started playing around with Koji for package building.

Everything was set-up pretty fast… but the first attempts to build a build-root failed…

After some troubleshooting I found the cause…

If you use the repo-data as available on an installation ISO (served via a webserver) and use mergerepos the location of an RPM will look like:

<location xml:base="CentOS" href="pam-0.99.6.2-6.el5_5.2.x86_64.rpm"/>

The entry as available on the ISO is:

<location xml:base="media://1330913492.861127#1" href="CentOS/pam-0.99.6.2-6.el5_5.2.x86_64.rpm"/>

The way to workaround this issue, is be recreated the repodata using createrepo:

# createrepo -u http://172.16.3.240/repo/centos/5.8/base/x86_64/-o ${WEBSERVERPATH}/new-repo/ /media/cd/

And then the entry will look like:

The bug can be found in bugzilla.

SSL Chain

Posted on: July 4, 2012 | By: Pieter de Rijk – Comments Off

I’ve ordered via http://www.cheapssls.com/ a simple SSL-certificate signed by Comodo for use with apache… although a lot of browsers (Firefox on Mac OS X, all browsers in Linux) didn’t accepted it (CA was not know…)
After some discussion with …

Upgrade packages on Centos 4 for WordPress 3.3

Posted on: December 16, 2011 | By: Pieter de Rijk – Comments Off

Recently I had to upgrade MySQL and PHP to enable the latest and greatest version of WordPress on a server.

The server is currently still running CentOS 4, but didn’t want to upgrade it to a newer major version. Thanks to the builds of Jason Litka for RHEL4/CentOS 4, I was able to upgrade the packages…

Finally I was able to upgrade the following packages:

MySQL from version 4.1.22 to 5.1.58

PHP from version 4.3.9 to 5.2.17

Apache from version 2.0.52 to 2.2.21

You can easily enable the repo by adding a .repo file to /etc/yum.repos.d/ on your box with the following content:

[utterramblings] name=Jason's Utter Ramblings Repo baseurl=http://www.jasonlitka.com/media/EL$releasever/$basearch/ enabled=1 gpgcheck=1 gpgkey=http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka

Please note that some modules are changed if you upgrade Apache from 2.0 to 2.2, for example mod_access functionality moved into mod_authz_host.

Another “weird” thing was that the dovecot package had a dependency on /usr/lib/mysql/libmysqlclient.so.14, this can be solved by installing the mysqlclient14.i386 rpm. :-)

Block mail from certain countries with sendmail

Posted on: December 12, 2011 | By: Pieter de Rijk – Comments Off

If you have your own MTA running… you are probably known with the spam-problems… Once you’ve tuned the filters, you have to do it again… because a new spam-run comes in. I also blocked whole /8 subnets in different countries (India/China/…)… but that is not a “real” solution… aka I want to block the whole country…

The “DNSBL” countries.nerd.dk allows you to do so… the map ip-adresses to countries based on whois-information… so on my MTAs I added the following lines to the mc sendmail file:

FEATURE(dnsbl,`br.countries.nerd.dk', `554 - Rejected - SPAM from Brazil:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`in.countries.nerd.dk', `554 - Rejected - SPAM from India:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`kr.countries.nerd.dk', `554 - Rejected - SPAM from Korea:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`cn.countries.nerd.dk', `554 - Rejected - SPAM from China:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ro.countries.nerd.dk', `554 - Rejected - SPAM from Romenia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`co.countries.nerd.dk', `554 - Rejected - SPAM from Colombia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`mk.countries.nerd.dk', `554 - Rejected - SPAM from Macedonia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`vn.countries.nerd.dk', `554 - Rejected - SPAM from Vietnam:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ru.countries.nerd.dk', `554 - Rejected - SPAM from Russia:$&{client_addr} rejected')dnl

And within a few hours the first are already blocked… I hope this will reduce the amount of incomming spam at the “front door”. Because simply… I don’t know people in these countries…

FreeBSD upgrade a prerelease to a release

Posted on: November 30, 2011 | By: Pieter de Rijk – Comments Off

Some while ago I installed a FreeBSD server with 7.3-PRERELEASE, although now I wanted to have it properly upgraded to 7.3-RELEASE.
I looked into it quite often… although run into the issue that it didn’t work…
# uname -r7.3-PRERELEASE# free…

How to update Python bindings to subversion.

Posted on: July 13, 2011 | By: Pieter de Rijk – Comments Off

Recently I run into the problem that a team had a requirement for subversion 1.6.6 (while CentOS 5u3 was not supporting this… but the vendor didn’t provide a newer release). This team also had a requirement to have TRAC… TRAC is depended on Python… but I was not allowed to update the subversion bindings for python by updating the it on the whole system… so… this is what I did:

Installed a number of devel packages:

   # yum install apr-devel neon{,-devel} apr-util-devel

Compiled sqlite version 3.6.13 and installed it on NFS:

  $ ./configure --prefix=/nfs/apps/webservices/trac-parent/sqlite/3.6.13

  ...

  $ make ; make install

  ...

Compiled subversion 1.6.6 and installed it on NFS:

$ make clean; ./configure 

 --prefix=/nfs/apps/webservices/trac-parent/subversion/1.6.6 

 --with-sqlite=/nfs/apps/webservices/trac-parent/sqlite/3.6.13 

 --without-neon 

...

$ make -j8 ; make install ; make swig-py ; make install-swig-py

…

Added the following line to /etc/sysconfig/httpd:

export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/

Modified /etc/httpd/conf.d/trac.conf by adding a ‘PythonPath’ to the location-directive:

<Location /projects>

  ...

  PythonPath "['/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python'] + sys.path"

</Location>

Restart the trac daemon:

# service httpd stop

# service httpd start

Now you’ve to resync the trac-instance with Subversion (the
repository_dir value in the trac.ini of the instance).. but make sure
you use the correct bindings in Python:

# export LD_LIBRARY_PATH=/nfs/apps/webservices/trac-parent/sqlite/3.6.13/lib/

# export PYTHONPATH=/nfs/apps/webservices/trac-parent/subversion/1.6.6/lib/svn-python

# trac-admin ${TRAC_INSTANCE_PATH} repository resync "*"

CentOS 5 enabling Two-factor SSH authentication via Google

Posted on: June 21, 2011 | By: Pieter de Rijk – Comments Off

Today I noticed a very nice article about enabling Google’s two-factor authentication for Linux SSH.

After reading it… I found some time to play with it… so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server… but there are some small ‘caveats’.

hg – Command

To checkout the code, you must make install the mercurial RPM… this one is available via the EPEL repositories.

So after having the EPEL repositories enabled, run as root:

yum -y install mercurial

Compiling the PAM module

When you checked out the code.

hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/

You cannot compile directly the module… therefor you must apply a small change to the Makefile.

Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)

$ make
$ sudo make install

Now you’ve to update the /etc/pam.d/sshd so it contains:

#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Configure SSH

You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:

ChallengeResponseAuthentication yes
UsePAM yes

And restart the SSH-daemon

Set up your smartphone/credentials on the system

$ google-authenticator
https://www.google.com/chart?chs=200×200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816
Do you want me to update your “~/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

And you’re done :-D

Give it a try to SSH to that box…

TIP: Make sure you’ve an SSH session still open… or you might lock yourself out of the system…

WordPress template with jQuery flippage

Posted on: May 24, 2011 | By: Pieter de Rijk – Comments Off

Recently I’ve been working on creating a template for WordPress for my brother in law’s company. My brother in law is photographer so I had also had to implement albums/galleries using “jQuery jFlip“. So I decided to use the “NextGEN Gallery” plugin for WordPress.

The benefit of NextGEN Gallery is that it allows you to add custom gallery templates to your WordPress template/theme by having in your theme-folder a nggallery folder and files named gallery-{template_name}.php.

To enable jQuery jFlip with NextGEN Gallery I had to do the following modifications:

Add to $TEMPLATE_PATH/header.php the following lines in the head section:

<!–[if IE]><script src=”<?php bloginfo(‘template_url’); ?>/js/excanvasX.js” type=”text/javascript”></script><![endif]–>
<script src=”<?php bloginfo(‘template_url’); ?>/js/jquery-1.6.1.min.js” type=”text/javascript”></script>
<script src=”<?php bloginfo(‘template_url’); ?>/js/jquery.jflip-0.4.min.js” type=”text/javascript”></script>

Make sure you put jquery-1.6.1.min.js and jquery-jflip-0.4.min.js and excanvasX.js (for IE support) in your template, or deep link to the developer sites.

And now create a NextGEN template $TEMPLATE_PATH/nggallery/gallery-flippage.php:

<?php if (!defined (‘ABSPATH’)) die (‘No direct access allowed’); ?><?php if (!empty ($gallery)) : ?>
<script type=”text/javascript”>
jQuery.noConflict();
$(function(){
    $(“#gallery1″).jFlip(600,300,{background:”transparent”,cornersTop:false,scale:”fit”});
   })
</script>
<p> </p>
<center>
<ul id=”gallery1″>
   <?php foreach ( $images as $image ) : ?>
     <li><img src=”<?php echo $image->imageURL ?>” /></li>
    <?php endforeach; ?>
</ul>
</center>
<?php endif; ?>

Please note the ‘jQuery.noConflict()’… please make sure it’s there other wise it will drive you crazy :-(

Now make sure the NextGen gallery plugin is active and make a page in WordPress with the following content:

[nggallery id=5 template=flippage]

That’s all :-)

And the results can be checked here.

Use maildrop to forward a mail to another mail box

Posted on: November 11, 2010 | By: Pieter de Rijk – Comments Off

I recently had the need to forward e-mail based on the from field to another mailbox. I know, it’s possible with a simple .forward in your $HOME, but that will forward all the mail. :-(

So after some further searching I end up with the following rule for your maildrop filter… it simply checks if the mail (in this example) is from [email protected] and will forward it to [email protected]:

if ( /^From: .*[email protected].*/ )
{
        dotlock “forward.lock” {
          log “Forward mail”
          to “|/usr/sbin/sendmail [email protected]”
        }
}

And that’s all you need to put add to your $HOME/.mailfilter

Use Picasa RSS Feed to show album on my own website

Posted on: October 19, 2010 | By: Pieter de Rijk – Comments Off

Recently I’ve moved the web albums of my kids from my own webserver to Google Picasa. But… I wanted to keep my nice javascript based carousel :-)

In the current code I already had some PHP-code that creates the content of the carousel using an array. Now I added two new features in the ‘website’.

Config files

Downloading the RSS (XML) feed and cache it

Extract the URLs with the photos from the XML feed.

1. Config files

One ‘global’ config:

<?php
cacheLocation=”/tmp/picasa-cache/”;
$cacheTTL = 60;
?>

Per album I’ve a config.php in that directory, so for example we’ve the following content:

<?php
$xmlURL=’http://picasaweb.google.com/data/feed/base/user/k/id/123456970123ASBD1?alt=rss’;
$AlbumDescription=”Rick de Rijk”;
$PicasaURL=”http://picasaweb.google.com/paderijk/Rick”;
$ShortName=”rick”;
$xmlFile=”$cacheLocation/$ShortName.xml”;
?>

2. Download the RSS (XML) feed and cache it:

<?php
# Code that takes care of the caching
#
if (!(file_exists($xmlFile) &&
    (time() – $cacheTTL < filemtime($xmlFile))
)) {
    //unlink($xmlFile);
    $data = file_get_contents($xmlURL);
    $f = file_put_contents($xmlFile, $data);
}
?>

3. Extract the URLs with the photos from the feed

<?php
$foto_array = array();
$xml = new SimpleXMLElement($xmlFile, null, true);

$urls = $xml->xpath(“channel/item/enclosure/@url”);

foreach ($urls as $image_url)
{
array_push($foto_array, $image_url);
}
?>

That’s all :-)