Kostas' random thoughts » SysAdmin

IcedTea on it’s way to Fedora 8

Kostas Georgiou — Sat, 25 Aug 2007 16:29:12 +0000

I wasn’t expecting to see IcedTea available so soon in Fedora but it looks like it’s going to be on Fedora 8 if everything goes well with the package review. Not sure how usable it is yet but I am building an rpm right now so I’ll find out soon I guess.

Xen to the rescue

Kostas Georgiou — Sat, 21 Jul 2007 11:33:17 +0000

The fan at my shuttle at home died last week so the temperature inside the case reached around 65C and the disk drive couldn’t cope with it. So I moved the disk on my desktop and now the machine is running as a domU in xen. Surprisingly no problems so far beyond mplayer stuttering every time munin runs in domU (every five minutes). Time to play with xen scheduling I guess or upgrade my cpu to a dual core one. I don’t think I’ll bother replacing the fan in the shuttle box with only a socket 775 cpu there isn’t much use for it really.

glexec or why changing suexec is a bad idea

Kostas Georgiou — Tue, 05 Jun 2007 10:23:07 +0000

I can not really believe that the LHC grid people want to use glexec in every batch system. The thought of thousands of machines running this really scares me.

The suexec sources+documentation say it clearly but I am going to repeat it one more time “Do not make any changes in the source code unless you really know what you are doing”. Just count the security holes introduced in glexec for an example on what not to do.

Ruby 1.8.5-p35 and puppet in FC6

Kostas Georgiou — Tue, 17 Apr 2007 01:01:45 +0000

I was looking todat at a puppet ticket and I found this little gem in ruby’s svn. No wonder poor puppet got upset. I guess I’ll have to build new ruby rpms with a fix for this for my fedora machines at home until there is a new fedora rpm :(

Creating selinux modules

Kostas Georgiou — Thu, 15 Mar 2007 00:37:28 +0000

Here is how to compile and install an selinux module since I’ll forget if I don’t save it somwehere (based on audit2allow -M mysaslauthd -i /var/log/audit/audit.log output).

# cat mysaslauthd.te
module mysaslauthd 1.0.8;

require {
class dir { search write add_name remove_name };
class file { getattr lock read write create rename unlink };
type krb5_keytab_t;
type saslauthd_t;
type tmp_t;
role system_r;
};

allow saslauthd_t krb5_keytab_t:file read;
allow saslauthd_t krb5_keytab_t:file lock;
allow saslauthd_t tmp_t:dir search;
allow saslauthd_t tmp_t:file { getattr read write create rename unlink };
allow saslauthd_t tmp_t:dir { search write add_name remove_name };

# checkmodule -M -m -o mysaslauthd.mod mysaslauthd.te
# semodule_package -o mysaslauthd.pp -m mysaslauthd.mod
# semodule -i mysaslauthd.pp

Wordpress upgrade

Kostas Georgiou — Sun, 04 Mar 2007 01:01:58 +0000

Upgraded to 2.1.2 today since 2.1.1 was tainted. There is nothing in the logs to suggest an exploit attempt and with SELinux in enforcing mode it is unlikely that it an attempt would have been succesful but I really need to audit the machine to make sure that everything is OK.

cyrus-imapd and GSSAPI authentication

Kostas Georgiou — Sat, 03 Mar 2007 21:36:12 +0000

This is driving me crazy, I found out why it wasn’t working with sasl_keytab: … (#200892) and rebuilding the cyrus-sasl rpm with the patch fixed this problem. Now after a reboot it stopped working!! I suspect that SELinux is somehow affecting the kerberos server but I can’t see anything related in the audit logs. Really strange.

Java6 rpms

Kostas Georgiou — Wed, 07 Feb 2007 13:16:35 +0000

No srpm for sun’s java 6 on jpackage.org yet, I guess I would have to look at the available patches in the maling list and and test them. Probably a good opportunity to merge the plugin related changes from the ibm spec file. The existing setup fails once firefox/mozilla/seamonkey gets updated and the users start screaming. Since there is still no java plugin for x86_64 users will complain anyway I guess as we move more desktops to x86_64.

OpenLDAP or Fedora Directory Server

Kostas Georgiou — Tue, 06 Feb 2007 18:16:05 +0000

I’ve been thinking for a while now on which one to use and I still haven’t decided. It seems that RedHat after RHEL5 will be pushing FDS but it’s not clear if it will be a $$$ addon or not. In my testing both fullfil my requirements so it’s not clear which one is better for my needs. Building FDS from the sources is possible now so vendor lockin isn’t a problem but the community seems small at the moment, although if it gets added to fedora things might start moving fast.

web frameworks

Kostas Georgiou — Tue, 06 Feb 2007 17:54:23 +0000

I am trying to decide on which language/framework to use for the frontend of a “hosts” database here at work. It seems that if I want good integration with kerberos/ldap only java (maybe Zope?) is the only choise. Rails/TurboGears/Django fail short in this area from what I can see.