Wiki updates


Debian installation notes

Fri, 2010-07-16 23:52
...aptitude install acct apt-show-versions at bc bind9-host bzip2 deborphan \
debsums file ftp isag less logwatch lsof lsscsi ltrace make openssl patch \
... psmisc rsync screen ssh strace... subversion sysvconfig telnet \
time
telnet time vim
Purge exim config:
aptitude purge exim4 exim4-base exim4-config exim4-daemon-light
Categories: main

SpamAssassin

Wed, 2010-06-30 10:04
Distributing a standardised config file with puppet
Categories: main

killing me softly

Thu, 2010-06-24 17:02
...kill -KILL (a.k.a. -9)
The only thing that can ignore a KILL signal is I/O. If your process still won't die when you use KILL, there is often no option but to reboot the system. This is one of my pet peeves about Linux.
Template
Here's a bash function to do the job:
kill_softly()
{
    # try progressively harsher signals, finishing with KILL
    for sig in TERM HUP INT QUIT PIPE KILL; do
        echo "kill -$sig $*"
        if ! kill "-$sig" "$@"; then
            # the kill command failed - this usually means that the process is now dead
            break
        fi
        sleep 2
    done
}

Categories: main

Cheat sheets

Thu, 2010-06-24 16:52
...fdisk
GRUB
killing me softly
MySQL basics
NUT - Network UPS Tools
Categories: main

About this wiki

Fri, 2010-05-28 06:25
... the focus. If you're interested in exploring Linux, you might want to start with the notes on major distributions.
This wiki would not exist without the kind support of my clients, some of whom have paid for the time to develop the procedures and their documentation which can be found here. My thanks is extended to them.
You can contact me about anything here at my company's home page. If you'd like to keep up-to-date with changes to this wiki, you can subscribe to the RSS feed.
Please note that the advertising on this wiki is in no way endorsed or checked by myself. Following the links will help to support Wikispaces, the free provider of infrastructure for this wiki.
Categories: main

spamassassin.pp

Mon, 2010-05-24 18:59
Uploaded
Categories: main

Creating a cron job with puppet

Wed, 2010-05-05 14:36
...class remote_office_server {
...
include avupdate avupdates
...
}
Categories: main

device-based VLANs

Tue, 2010-05-04 11:14
...ip igmp
exit
DHCP server
Here's an example snippet from /etc/dhcpd.conf for VLAN 1003 using the ISC DHCP server:
subnet 10.10.3.0 netmask 255.255.255.0 {
    option routers 10.10.3.1;
    option broadcast-address 10.10.3.255;
    range 10.10.3.32 10.10.3.254;
    option subnet-mask 255.255.255.0;
}
Procedures
Adding a new edge VLAN
Categories: main

organisation-based VLANs

Tue, 2010-05-04 11:13
Criteria for grouping machines in VLANs
Number of machines
Bandwidth utilization of machines
Data access requirements
Similarity of function
Physical exposure of network devices & ports
A number of these will likely need to be balanced against each other.
Foundations
Printers and other embedded devices (e.g. IP cameras, UPSes, disk arrays) that you rely on should be in a separate VLAN only accessible from those who absolutely require them; for some reasons why, see:
http://www.blackhat.com/html/bh-europe-03/bh-europe-03-speakers.html#FX
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=4#sID308
http://news.softpedia.com/news/Xerox-Printers-Vulnerability-Unveiled-at-Black-Hat-32021.shtml (more info here)
It is very unlikely that there is any reason for an external or public entity to access anything on your staff members' workstations or laptops. (I would have said "There is never any reason ..." rather than "It is very unlikely ...", but i'm sure if i said "never", a reason would come up. ;-)
Some VLAN suggestions for school networks
In a typical large school environment you might consider putting each of these groups on its own VLAN:
servers
administration PCs
student PCs
teacher PCs
staff wireless
student wireless
public wireless
IP security cameras
printers
VPN
DMZ
Categories: main

Thoughts on VLAN deployment

Tue, 2010-05-04 11:11
VLANs
Introduction
VLANs are becoming... of organisations. They offer the... than location.
The primary motivation... your LAN. They are not... security benefits.
Strategies
There are two common strategies for implementing VLANs: device- or location-based, and organisation-based. This document originally assumed an organisation-based strategy. Since i first wrote it, i've re-considered my strategy on this, and i'm now rolling out device-based VLANs on my largest client's network. I've therefore separated this page into two: one for each strategy:
device-based VLANs
organisation-based VLANs
Categories: main

Distributing a standardised config file with puppet

Thu, 2010-04-22 18:27
...source => "puppet:///spamassassin/local.cf",
}
... file itself. Under puppet 0.25,
The puppetmaster file... files for the any module... in /etc/puppet/modules/spamassassin/files/.
Caveat: Under puppet 0.25, the URI should read "puppet:///modules/spamassassin/local.cf", because the unqualified form used above has been deprecated.
Unfortunately, the above definition hard-codes the location of the file, and it is not consistent under different distributions of Linux. So rather than use a fixed file name, we'll put in a variable for the SpamAssassin base directory, and assign that variable based on which distribution our puppet client is running. The location of local.cf will be relative to the base directory. Here's a configuration snippet which sets a default location, and provides an alternate location for CentOS:
$spamassassin_dir = $operatingsystem ? {
...}
It's also possible to get Puppet to make sure the service is started by adding the attribute ensure => running, but again, i'd prefer to control this manually rather than have Puppet come along and start a service which i might have stopped for maintenance reasons.
... to restart. Two changes to
...
service { $spamassassin_svc:
...file { "$spamassassin_dir/local.cf":
...
# other contents of the file directive are the same as above
notify => Service[$spamassassin_svc],
...
}
Caveat: The "hasrestart" attribute... this is usually a good idea.
For this... relevant nodes. Place an include... it includes). Here's an example
...
class mailserver {
...killall -USR1 puppetd
Then check that your package, service, and file have been installed and enabled correctly.
Finished product
Here's the file /etc/puppet/modules/spamassassin/manifests/init.pp in its entirety: {spamassassin.pp}. (It's named spamassassin.pp here to ensure its name on this wiki is unique, but you should call it init.pp when you place it in that location.)
Links
Puppet Type Reference
Categories: main

Moving a root VG to a new disk

Thu, 2010-04-22 17:24
Categories: main

Major distributions

Thu, 2010-04-22 17:23
...If you have an existing investment in Novell NetWare that you want to preserve or integrate with, one of SUSE's distributions should be your first choice.
If you have experience with Red Hat products that you want to utilise, you should use one of their distributions.
... Server (SLES) 10. 10). These "Enterprise"
Debian over OpenSUSE
OpenSUSE over SLES
...Linux distribution chooser
Steven J. Vaughan-Nichols on choosing a distribution
The Register's distribution guide
Categories: main

Linux distribution rankings

Thu, 2010-04-22 17:19
...Gateway
Debian with Shorewall as the firewall
IPcop Endian Firewall Community Edition
Smoothwall
Categories: main

Debian

Thu, 2010-04-22 17:12
Debian GNU/Linux is the premier (only viable?) community-driven Linux project (i.e. that is not managed or sponsored by any company). It has a reputation for rock-solid stability (sometimes at the expense of lagging behind on major versions of new software), a massive software library, and best-in-breed software management tools. It is the basis of a number of distributions, including Ubuntu.
... Debian stable (etch) as my... for Linux server tasks. servers.
Categories: main

CentOS

Thu, 2010-04-22 16:59
CentOS (Community ENTerprise Operating System) is a free recompile of Red Hat Enterprise Linux. You should choose the latest stable version of CentOS if you prefer a Red Hat distribution with good stability and 3rd-party software compatibility but do not need commercial support. (If none of these is a priority, Fedora is a bleeding edge distribution which is similar to CentOS.)
... you are just starting out with Linux, there are other Debian (for servers) or Ubuntu (for desktops/laptops) would be better options to choose - see
Categories: main

LVM

Thu, 2010-04-22 14:36
...Adding a new disk to the root VG
filesystem layers overview
Moving a root VG to a new disk
Links
These have some useful info, but skip reading the comments if you are new to LVM and/or RAID - they will only confuse you:
Categories: main