debian
- ipv6
- wheezy
- systemd
- avoiding systemd
- nexus4 mounting
- keys
- journald filling
- apache SSL auth
- sbuild
- Failed to connect: org.bluez.Error.Failed br-connection-profile-unavailable
- clang
- mariadb
- load local infline
- upgrade
- mail queue of spam
- logrotate but keep existing file perms
- ajp marshal
- userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
- varnish vcl
- imaps login
This is mostly a work in progress of snippets for things which I have stumbled across.
ipv6
Using he.net's tunnelbroker.
The tunnel broker gave me the following:
IPv6 Tunnel Endpoints
Server IPv4 address: 216.66.80.26
Server IPv6 address: 2001:470:1f08:ed8::1/64
Client IPv4 address: 91.212.182.147
Client IPv6 address: 2001:470:1f08:ed8::2/64
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /48: 2001:470:9411::/48
Routed /64: 2001:470:1f09:ed8::/64
RDNS Delegation NS1: ns2.ednevitable.co.uk
RDNS Delegation NS2: ns1.ednevitable.co.uk
in this situation I've made the following for the interface file
/etc/network/interfaces:
auto 6in4
iface 6in4 inet6 v4tunnel
address 2001:470:1f08:ed8::2
netmask 64
endpoint 216.66.80.26
gateway 2001:470:1f08:ed8::1
ttl 64
pre-up /bin/sleep 5
up /sbin/ip link set mtu 1280 dev $IFACE
up /sbin/ip address add 2001:470:1f08:ed8::3/64 dev $IFACE
up /sbin/ip address add 2001:470:1f08:ed8::4/64 dev $IFACE
up /sbin/ip address add 2001:470:9411::1/48 dev $IFACE
up /sbin/ip address add 2001:470:9411::2/48 dev $IFACE
up /sbin/ip address add 2001:470:9411::3/48 dev $IFACE
up /sbin/ip address add 2001:470:9411::4/48 dev $IFACE
up /sbin/ip address add 2001:470:1f09:ed8::1/64 dev $IFACE
up /sbin/ip address add 2001:470:1f09:ed8::2/64 dev $IFACE
up /sbin/ip address add 2001:470:1f09:ed8::3/64 dev $IFACE
up /sbin/ip address add 2001:470:1f09:ed8::4/64 dev $IFACE
The important thing here is the sleep (since at boot time the eth0 interface isn't always ready) and the fact that I'm using the routed /64 and /48 blocks rather than the endpoint prefix. I found that the routed blocks were usable with reverse dns which I was banging my head against the wall over.
If you need help with reverse DNS for blocks like this please feel free to give me a shout and I can provide the reverse DNS for your block.
wheezy
So, I got a little frustrated with Ubuntu 12.04 being slow and just irritating me. It is very hard to put my finger on what it was exactly that made me decide to drop the axe on it and split the laptop and Ubuntu asunder.
One of the nice things that Ununtu provided was a working install with random proprietary firmware, such as that for the laptops Intel Corporation PRO/Wireless 3945ABG [Golan] Network.
So, first things first, the net-install disk didn't work very well, despite trying to get the firmware onto my mobile phone and pointing it at that USB device. Time was short so I got the first full ISO and installed from that. This was enough to give me a working system.
It would not have been possible to get the network running without my mobile phone. Thankfully the system was complete enough to recognise the USB tethering, from which I could get the firmware-iwlwifi package and bingo, the wireless worked.
Why was this required? Some vendors don't release free drivers, shamefully. Intel, I'm looking at you.
The default pointer scheme wasn't to my liking either, so I needed to get the dmz-cursor-theme package and set that to default.
# apt-get install dmz-cursor-theme # update-alternatives --config x-cursor-theme
to set the pointer scheme. It was nice getting a blast from the past though.
systemd
If you're wanting to experiment with systemd on wheezy, you can do so as simply as:
# apt-get install systemd
to pull down and deploy all the systemd packages required. If this all works to plan then you'll want to modify the init process during a grub boot:
# vi /etc/defaults/grub
and modify GRUB_CMDLINE_LINUX_DEFAULT="quiet" to GRUB_CMDLINE_LINUX_DEFAULT="quiet init=/bin/systemd".
So that this takes effect you'll need to run
# update-grub
This takes care of the preparation, next you'll need to reboot, do this at a time that suits you best. If you wish to boot into regular SysV, at boot time modify the grub target using 'e' and remove the init argument or set to /sbin/init.
To investigate systemd have a play with:
# systemctl # systemd-journalctl
avoiding systemd
So, if you're thinking of going systemd less, there's something else you can try:
# apt-get install sysvinit-core && reboot
That's it. Job done. Debian seem to have gone to a lot of trouble to make the systemd alteration as compatible with other init systems as possible. In my opinion they've done a good job.
The majority of the systemd "the world's going to split open and we're going to die" posts on slashdot et al seem to be blown out of proportion. Basically trolling.
If you have gnome3, then you're screwed as they're the guys who seem to be pushing the systemd infection. Find something else, IMO. I'm using evilwm... and it works well, especially on small displays. Ratpoison is also a favourite of mine.
Installing XFCE will bring in xfce4-session which requires libsystemd-daemon0, libsystemd-login0 and libpam0-systemd.
So, time to find another Window Manager, not distro. I think this is all stemming from gnome3, rather than debian. Annoyingly the default is now systemd, but I think this is just to keep the desktop install hassle-free, else you'd have to reboot to use gnome, which I think would annoy desktop users more.
nexus4 mounting
Unlike phones which came before it, the Nexus doesn't act as a USB mass storage device. Instead if you wish to copy data onto it you'll need to interface with it as a mtpfs device.
# apt-get install libmtp-dev fuse libmtp9 pkg-config libfuse-dev libglib2.0-dev libmad0-dev libid3tag0-dev
get mtpfs-1.1.tar.gz from http://www.adebenham.com/mtpfs/
$ tar zxvf mtpfs-1.1.tar.gz $ cd mtpfs-1.1 && make && sudo make install $ mkdir nexus && mtpfs nexus
As this is a fuse mounted device, you'll need to umount using
$ fusermount -u nexus
keys
W: GPG error: http://ftp.debian.org bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 ... W: There is no public key available for the following key IDs: F8D2585B8783D481
either:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
or:
apt-get install debian-archive-keyring
journald filling
I dislike system'd log defaults. Here's a one-liner to change them:
(cat /etc/systemd/journald.conf | grep -v -E '^#+?SystemMaxUse=' | sed -e 's/^\[Journal\]/[Journal]\nSystemMaxUse=50M/') > /etc/systemd/journald.conf.$$ && mv /etc/systemd/journald.conf.$$ /etc/systemd/journald.conf && systemctl restart systemd-journald.service
To just rotate it now:
journalctl --rotate --vacuum-size=100M
apache SSL auth
See also apache.
Forbidden You don't have permission to access this resource.Reason: Cannot perform Post-Handshake Authentication.
Chances are your mysql connector no longer speaks to mysql or mariadb. Try adding the libmariadb-java and including that in your CLASSPATH or downloading the mariadb/mysql connector and referencing that.
sbuild
To use sbuild inside a lxc, I found I needed to do something a bit like this:
please apt-get -y update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get -y install rustc cargo build-essential git debcargo sbuild devscripts reprepro debootstrap dh-cargo schroot autopkgtest vim please useradd -m ed please usermod -a -G tty ed please sbuild-adduser ed # replace ip address with your local apt-cacher-ng please sbuild-createchroot \ --include=eatmydata,ccache,gnupg,dh-cargo,cargo,lintian,perl-openssl-defaults \ --chroot-prefix debcargo-unstable unstable \ /srv/chroot/debcargo-unstable-amd64-sbuild \ http://192.168.1.100:3142/ftp.us.debian.org/debian please sed -i -e 's,^union-type=none,union-type=overlay,' /etc/schroot/chroot.d/debcargo-unstable-amd64-sbuild-*
Failed to connect: org.bluez.Error.Failed br-connection-profile-unavailable
This may happen because pulse audio is unavailable
$ systemctl enable pulseaudio $ systemctl start pulseaudio
Then reconnect via the bluetooth panel/or bluetoothctl connect.
clang
thread 'main' panicked at 'Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], set the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"', /home/... note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
clang libraries were missing:
please apt-get install libclang-dev
mariadb
Exporting from MySQL dump to MariaDB:
ERROR 1227 (42000) at line : Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
This can be done with a trivial sed:
mysqldump ... | \ sed -e 's/^\(SET @@GLOBAL.GTID_PURGED=\|SET @@SESSION.SQL_LOG_BIN\)/--\1/g' \ | mysql ...
ERROR 1273 (HY000) at line : Unknown collation: 'utf8mb4_0900_ai_ci'
Another sed!
mysqldump ... | sed -e 's/utf8mb4_0900_ai_ci/utf8mb4_unicode_ci/g' | mysql ...
load local infline
java.sql.SQLException: The used command is not allowed because the MariaDB server or client has
disabled the local infile capability
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:130)
at
com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:916)
at com.mysql.cj.jdbc.ClientPreparedStatement.execute(ClientPreparedStatement.java:354)
Enable it in the server's cnf, something like pleaseedit /etc/mysql/mariadb.conf.d/50-client-local.cnf:
[client] loose-local-infile = 1
Or in the connection string:
conn = DriverManager.getConnection(
"jdbc:mysql://" + host + "/" + database
+ "?" + "user=" + user + "&password=" + pass
+ "&allowLoadLocalInfile=true");
upgrade
/var/log/syslog filling?
2023-08-27T09:55:08.352813+01:00 ns1 mariadbd[7909]: 2023-08-27 9:55:08 155693 [ERROR] Incorrect definition of table mysql.column_stats: expected column 'hist_type' at position 9 to have type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB','JSON_HB'), found type enum('SINGLE_PREC_HB','DOUBLE_PREC_HB').
2023-08-27T09:55:08.352868+01:00 ns1 mariadbd[7909]: 2023-08-27 9:55:08 155693 [ERROR] Incorrect definition of table mysql.column_stats: expected column 'histogram' at position 10 to have type longblob, found type varbinary(255).
mysql_upgrade --user=root --password as either the root user or mysql `
mail queue of spam
Debian normally ships with postfix these days. If the queue gets populated with spam, you can either drop the whole queue, or be more selective.
Deleting the whole queue is pretty straight forward:
postsuper -D all
To be more selective, use mailq, to get the queue ID:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
126D85ECDD 655 Fri Jul 24 06:25:05 root
root
and feed it into postcat:
postcat -qv 126D85ECDD ... regular_text: Subject: ...
The message lines will be prefixed with regular_text. You
have to find something common between each spam message in order to then
feed the message ID into postsuper -d
mailq | grep -E '^[A-Z0-9]+\s' | sed -e 's/\s.*//g' \ | while IFS= read ID; do postcat -vq "$ID" | grep -E '^regular_text: Subject: (nasty|strings)' && postsuper -d "$ID"; done
This will not work for every situation as it is highly dependant on the exact spam that is in the queue.
If this is from web spam, you can try and align the date (Fri Jul 24 06:25:05 in this case) with something in the web logs:
grep 06:25: /var/log/apache2/*log
That might help a little.
logrotate but keep existing file perms
Sometimes you need to use the existing file perms, you might not know what they are ahead of time, such as with a path that includes a glob with multiple file owners.
"/path/to/*/file" {
daily
rotate 7
postrotate
touch "$1"
chown --reference "$2" "$1"
chmod --reference "$2" "$1"
endscript
}
ajp marshal
[proxy_ajp:error] [pid 836016] [client 127.0.0.1:57040] AH02646: ajp_marshal_into_msgb: Error appending attribute AJP_LOCAL_ADDR=127.0.0.1 [proxy_ajp:error] [pid 836016] [client 127.0.0.1:57040] AH00988: ajp_send_header: ajp_marshal_into_msgb failed [proxy_ajp:error] [pid 836016] (120001)APR does not understand this error code: [client 127.0.0.1:57040] AH00868: request failed to 127.0.0.1:8009 (127.0.0.1:8009) SEVERE [ajp-nio-8009-exec-10] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 514
In short, apache/tomcat are trying to send too much to each other.
In your vhost (not within a location etc), set the proxyiobuffersize:
ProxyIOBufferSize 16384
Also set the packsetSize in the conf/server.xml:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
packetSize="16384"
socket.appReadBufSize="16384"
connectionTimeout="20000"
/>
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Add to etc/ssh/sshd_config:
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
varnish vcl
There's a neat feature of varnish that helps weed out expensive (backend) requests.
Within a vcl you can hook into the cache 'miss' target:
sub vcl_miss {
if (req.http.CIDR_RS_CC ~ "^(CC|CODE)$" ) {
return(synth(491, "Access denied"));
}
}
Replace CC with a lits of | separated country codes.
What this does is effectively abort the request if the cache content doesn't exist already, you'd use this potentially in a case where a bot in another country is hitting the backend a little too greedily.
imaps login
Helpful test for IMAPS authentication with openssl:
$ openssl s_client -quiet -connect imap.server:993 -crlf
* OK ...
a login USERNAME PASSWORD
a OK [CAPABILITY ... ] Logged in
a logout
* BYE Logging out
a OK Logout completed.