Archive for the ‘Servers’ Category
compile python bytecode at RPM build time
From the world of quick hacks – I needed to rebuild the Puppet RPM from the EPEL folks for a customer who needs it deployed at kickstart time with custom configs (hundreds of servers). Using the EPEL source RPM, the “yumhelper.py” file wasn’t getting compiled into .pyc and .pyo objects on a standard RHEL 5 system (something I’ve seen before with MySQL-python RPMs).
The quick hack was to simply run Python’s compileall module on it:
%install
rm -rf %{buildroot}
ruby install.rb --destdir=%{buildroot} --quick --no-rdoc
# Precompile python modules to avoid selinux issues later
python -mcompileall %{buildroot}%{ruby_sitelibdir}/puppet/provider/package
python -O -mcompileall %{buildroot}%{ruby_sitelibdir}/puppet/provider/package
Is it ugly and dirty? Yes. Does it work? Yes. Problem solved, walk away and get other work done.
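A check to go with the hack, as an added example that is not part of the original post: a small function that walks a buildroot (or an installed site-lib directory) and reports every .py file that has no .pyc and .pyo sitting next to it, returning non-zero if anything is missing. Dropped into a spec's %check section it catches the yumhelper.py situation before the package ships instead of after SELinux starts denying the write at runtime. It assumes Python 2 style sibling bytecode files (not __pycache__); the function name and the directory layout in the usage line are my own.

```shell
#!/bin/sh
# find_uncompiled DIR
#   Prints each *.py under DIR that lacks a sibling .pyc or .pyo.
#   Returns 0 when everything is precompiled, 1 otherwise.
#   Added example (hypothetical helper), assumes Python 2 bytecode naming.
find_uncompiled() {
    missing=$(find "$1" -type f -name '*.py' | sort | while IFS= read -r py; do
        # Both compileall passes from the spec must have run: plain and -O
        if [ ! -f "${py}c" ] || [ ! -f "${py}o" ]; then
            printf '%s\n' "$py"
        fi
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage in a spec: find_uncompiled %{buildroot}%{ruby_sitelibdir}/puppet/provider/package
# Standalone usage: sh check_pyc.sh /path/to/buildroot
if [ $# -gt 0 ]; then
    find_uncompiled "$1"
fi
```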
online regex testers
I finally got around to creating a site that links all the regex testers I use now and again to work with patterns while I’m doing mod_rewrite rules, (e)grep work, nginx location matches and things like that. Enjoy!
RegEx Testers – Collection of browser based RegEx testers
I claim no ownership to the code, just a handy way to find it all quickly.
RHCS 5 NFS cluster node not releasing TCP 2049 on relocate
Imagine, if you will, that you have a 2 node Red Hat NFS Cluster; each node is RHEL 5.4 64-bit and they share a SAN LUN for the data. The primary interface on each server is HA failover bonded (bond0, eth0+eth1) and there is a standard floating cluster resource IP for NFS. The cluster configuration is set up with the standard Red Hat tools and NFS has static ports defined in /etc/sysconfig/nfs in order to work through a firewall. So far so good, right? Very by the book, best practices – nothing funky or strange used in the server or cluster setup.
The core of the problem: when the clients mount the exported NFSv4 share over TCP and the cluster service is relocated to the other node, the newly-passive node retains an ESTABLISHED 2049/tcp (nfs daemon) connection to the clients from the now-missing cluster IP, even though that’s technically impossible (as far as I’m aware). The “solution” was to mount over UDP from the clients, as we were unable to figure out what was happening (and more importantly how to fix it). Any clues as to why are welcome, details below.
mmlistarc.sh: quickly set all mailman list archives private
Here’s a quick script to change all your mailman archive settings to private; useful if you have dozens of private lists and didn’t realize that even though the list was locked down, the archives were left open to the world. The script is based on an older mailing list post by Daniel Clark.
#!/bin/bash
# http://mail.python.org/pipermail/mailman-users/2007-February/055670.html
# Set archive_private = 1 on every list found under the Mailman lists directory,
# showing the value before and after for each list.
DDB=/usr/lib/mailman/bin/dumpdb
MCL=/usr/lib/mailman/bin/config_list
DBH=/var/lib/mailman/lists

# Use a private temp file rather than a fixed, predictable name in /tmp
DAT=$(mktemp /tmp/mmlistarc.XXXXXX) || exit 1
trap 'rm -f "$DAT"' EXIT
echo "mlist.archive_private = 1" > "$DAT"

for direc in "${DBH}"/* ; do
    if [ -f "$direc/config.pck" ]; then
        listname=${direc##*/}
        echo "$listname before, after"
        "$DDB" "$direc/config.pck" | grep -i archive_private
        # Keep one untouched copy of the original config per list
        if [ ! -f "$direc/config.pck.backup" ]; then
            cp -a "$direc/config.pck" "$direc/config.pck.backup"
        fi
        "$MCL" -i "$DAT" "$listname"
        "$DDB" "$direc/config.pck" | grep -i archive_private
    fi
done
exit 0
I highly advise making a complete backup of all your configs first, can’t be too safe.
sslkeygen.sh: complete SSL cert creation helper script
Here’s a handy shell script for creating SSL certs for use in things like Apache, Exim, Dovecot, etc – it can also create a local certificate authority for self-signing if you aren’t using an official CA. In typical usage one would run makekey and makecsr, then send server.csr to a CA to get signed. After receiving server.crt back, run makedh and makepem to make a nice single PEM file that can be used with most software.
#!/bin/sh
# Private keys and CA material should never be created world-readable
umask 077

if [ $# -lt 2 ]; then
    echo "This script takes 2 params"
    echo
    echo "$0 <mode> <key filename>"
    echo
    exit 1
fi
SERVER=$2

case "$1" in
makeca)
    # Local CA: passphrase-protected 4096-bit key and a 5-year self-signed cert
    /usr/bin/openssl genrsa -des3 -out ca.key 4096
    /usr/bin/openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
    ;;
makekey)
    # Generate an encrypted key, then write a passphrase-free copy for daemons
    /usr/bin/openssl genrsa -des3 2048 > "${SERVER}.key.encrypted"
    /usr/bin/openssl rsa -in "${SERVER}.key.encrypted" -out "${SERVER}.key"
    ;;
makecsr)
    if [ ! -f "${SERVER}.key" ]; then
        echo "${SERVER}.key missing, run \"$0 makekey\" first."
        exit 1
    fi
    /usr/bin/openssl req -new -key "${SERVER}.key" -out "${SERVER}.csr"
    ;;
signcrt)
    if [ ! -f ca.key ] || [ ! -f ca.crt ]; then
        echo "ca.key or ca.crt missing, run \"$0 makeca\" first."
        exit 1
    fi
    if [ ! -f "${SERVER}.csr" ]; then
        echo "${SERVER}.csr missing, run \"$0 makecsr\" first."
        exit 1
    fi
    # -CAcreateserial keeps a counter in ca.srl so every cert this CA signs gets
    # a unique serial; a fixed -set_serial 01 would give them all the same one
    /usr/bin/openssl x509 -req -days 1825 -in "${SERVER}.csr" -CA ca.crt \
        -CAkey ca.key -CAcreateserial -out "${SERVER}.crt"
    ;;
makedh)
    # dhparam replaces the old gendh command and seeds itself from the OS;
    # 2048-bit parameters are the current minimum (512-bit groups are breakable)
    /usr/bin/openssl dhparam -out "${SERVER}.dh" 2048
    ;;
makepem)
    if [ ! -f "${SERVER}.key" ]; then
        echo "${SERVER}.key missing, run \"$0 makekey\" first."
        exit 1
    fi
    if [ ! -f "${SERVER}.crt" ]; then
        echo "${SERVER}.crt missing, obtain from CA or run \"$0 signcrt\" first."
        exit 1
    fi
    cat "${SERVER}.key" > "${SERVER}.pem"
    cat "${SERVER}.crt" >> "${SERVER}.pem"
    # Append the DH parameters when present, for daemons that read them from the PEM
    if [ -f "${SERVER}.dh" ]; then
        cat "${SERVER}.dh" >> "${SERVER}.pem"
    fi
    ;;
*)
    echo
    echo "Usage: $0 {makeca|makekey|makecsr|signcrt|makedh|makepem} <key filename>"
    echo
    exit 2
    ;;
esac
exit 0
Enjoy!
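Before handing the files from makepem to Apache, Exim or Dovecot it is worth checking that they actually fit together; the following functions are an added example and not part of sslkeygen.sh. They confirm that the private key and certificate share one RSA modulus (the classic "returned the wrong cert from the CA" mistake), that the certificate chains to the local ca.crt, that the combined PEM really contains both a key and a certificate, and that the certificate is not about to expire. The function names are my own; the file naming (<name>.key, <name>.crt, <name>.pem, ca.crt) follows the script above.

```shell
#!/bin/sh
# Post-makepem sanity checks (added example, hypothetical helper names).
# Each function returns 0 on success, non-zero on failure, so they can be
# chained in a deploy script with && / ||.

# The key and cert must carry the same RSA modulus, otherwise the daemon
# will refuse to start or clients will fail the handshake.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The cert must verify against the CA that is supposed to have signed it.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# A combined PEM from makepem needs both a private key and a certificate.
pem_is_complete() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Fails if the cert expires within the next N days (0 = just "valid now").
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Standalone usage: sh checkpem.sh <key filename>
if [ $# -eq 1 ]; then
    S=$1
    key_matches_cert "$S.key" "$S.crt"  && echo "key/cert match: ok"   || echo "key/cert match: FAIL"
    cert_signed_by ca.crt "$S.crt"      && echo "signed by ca.crt: ok" || echo "signed by ca.crt: FAIL"
    pem_is_complete "$S.pem"            && echo "pem complete: ok"     || echo "pem complete: FAIL"
    cert_valid_for_days "$S.crt" 30     && echo "valid >30 days: ok"   || echo "valid >30 days: FAIL"
fi
```

The modulus comparison is the check people skip most often; it is also the quickest way to prove a "works on the old box, fails on the new one" problem is a mismatched key rather than a configuration issue.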