Archive for September 2011

apcupsd on RHEL5 / CentOS5

While the current Smart-UPS (aka SMT) range of UPS from APC exposes far fewer variables in a way that is useful for fancy apcupsd usage (you’ll find apcupsd in EPEL), they are still amply sufficient for home use. Basically, the UPS reports an estimated time left at the current load and the remaining battery level. At home these are anyway the only two readings I want to trigger scripts on.

On the machine that has a USB connection to the UPS

Connect the UPS via USB to your server. Then install apcupsd

# yum install apcupsd

and adjust /etc/apcupsd/apcupsd.conf. I changed the following from the defaults to be a bit more conservative (apcupsd initiates the shutdown as soon as, while on battery, the charge drops to or below BATTERYLEVEL percent or the estimated runtime drops to or below MINUTES):

BATTERYLEVEL 10
MINUTES 7

Be sure to set an email address you read often in the scripts that are run on events (e.g. /etc/apcupsd/onbattery), ideally using an email to SMS gateway. For a USB-connected SMT no further changes are necessary, as the defaults (UPSCABLE usb, UPSTYPE usb) already match that type of connection.

For the next step to work, you’ll want to let the clients reach the daemon’s network information server (port 3551) through the local firewall. Only the clients: that service is read-only but has no authentication, so limit the rule to the addresses of your own boxes rather than opening the port to everything on eth0. Something along the lines of (the chain name depends on your ruleset; on a stock RHEL5 box it is RH-Firewall-1-INPUT, and substitute your own LAN for 192.168.2.0/24)

# iptables -I defaults 1 -i eth0 -s 192.168.2.0/24 -p tcp -m tcp --dport 3551 -j ACCEPT

Or use system-config-firewall to allow 3551 TCP. Also check NISIP in apcupsd.conf: the daemon only accepts connections on the address given there, so 127.0.0.1 would keep the clients out no matter what the firewall says.

On machines that get power from the same UPS and can reach the main box over the network

Install and configure /etc/apcupsd/apcupsd.conf as before, but this time point it at the box with the USB connection (called server here) as a network client; this needs UPSTYPE net in addition to the ether cable type. I also give these boxes higher thresholds, so they shut down earlier than the server and the server is still up to tell them what is going on.

UPSCABLE ether
UPSTYPE net
DEVICE server:3551
BATTERYLEVEL 15
MINUTES 10

And you may want to take more drastic action in the /etc/apcupsd/commfailure script if you want to react to network outages: a client that cannot reach server:3551 can no longer tell whether the power is fine or about to run out.

All the other options are sane if all you want is your machines to shut down cleanly before the UPS runs fully out of juice.

Unimportant things (e.g. the WLAN AP) get plugged into the secondary ports (caveat: the SMT750I does not have these) and the behaviour of these ports is configured on the UPS front panel.
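As an added example (not from this post): a small shell check that applies the same two thresholds apcupsd acts on to the output of apcaccess status, which is the same data the network clients read over port 3551. Run from cron on any box that can reach the server (ups_state "$(apcaccess status server:3551)" 10 7) it gives you a warning before apcupsd actually pulls the plug. The sample apcaccess output embedded below is constructed for the example; the field names STATUS, BCHARGE and TIMELEFT are the ones apcaccess prints.

```shell
#!/bin/sh
# Added example (not part of the original post): evaluate the two readings
# apcupsd acts on, BCHARGE and TIMELEFT, from "apcaccess status" output.
# apcupsd itself shuts down when, while on battery, BCHARGE <= BATTERYLEVEL
# or TIMELEFT <= MINUTES; this reproduces that rule so a cron job or
# monitoring check can warn before it happens.

# Print the first word of the value of field KEY ("KEY : VALUE [unit]"),
# reading apcaccess output on stdin. Fails if the field is missing.
ups_field() {
    awk -v key="$1" '
        $1 == key && $2 == ":" { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# ups_state STATUS_TEXT BATTERYLEVEL MINUTES
# Prints ONLINE / ONBATT / SHUTDOWN / UNKNOWN and returns 0 / 1 / 2 / 3.
ups_state() {
    local text="$1" level="$2" minutes="$3" status charge left
    status=$(printf '%s\n' "$text" | ups_field STATUS)   || { echo UNKNOWN; return 3; }
    charge=$(printf '%s\n' "$text" | ups_field BCHARGE)  || { echo UNKNOWN; return 3; }
    left=$(printf '%s\n' "$text" | ups_field TIMELEFT)   || { echo UNKNOWN; return 3; }
    case "$status" in
        ONBATT)
            # floating point compare in awk; "018.0" and "06.5" are what apcaccess prints
            if awk -v c="$charge" -v l="$left" -v cl="$level" -v ml="$minutes" \
                   'BEGIN { exit !(c + 0 <= cl + 0 || l + 0 <= ml + 0) }'; then
                echo SHUTDOWN; return 2
            fi
            echo ONBATT; return 1 ;;
        ONLINE) echo ONLINE; return 0 ;;
        *)      echo UNKNOWN; return 3 ;;
    esac
}

# Constructed sample output (abridged) of "apcaccess status" while on battery
SAMPLE_ONBATT='APC      : 001,036,0857
HOSTNAME : server
STATUS   : ONBATT
BCHARGE  : 018.0 Percent
TIMELEFT : 06.5 Minutes'

# Same, with mains present
SAMPLE_ONLINE='APC      : 001,036,0857
HOSTNAME : server
STATUS   : ONLINE
BCHARGE  : 100.0 Percent
TIMELEFT : 45.2 Minutes'

# Real use: ups_state "$(apcaccess status server:3551)" 10 7
# Here against the samples, with the thresholds from the apcupsd.conf above
echo "on battery, 10%/7min: $(ups_state "$SAMPLE_ONBATT" 10 7)"
echo "on mains,   10%/7min: $(ups_state "$SAMPLE_ONLINE" 10 7)"
```

The return code (2 for SHUTDOWN, 3 when a field is missing, e.g. because the connection to the NIS port dropped) is what you would wire into a monitoring check; treat UNKNOWN as an alarm, not as "all fine".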

Mind bug 661304: as RHEL5 still uses SysV init, the UPS handling at power-off lives in /etc/init.d/halt. Near the bottom mine reads as follows; note that this block only knows about NUT (it checks for /etc/ups/upsmon.conf, /etc/killpower and upsdrvctl) and does nothing for apcupsd:

...
# Now halt or reboot.
echo $"$message"
if [ -f /fastboot ]; then
 echo $"On the next boot fsck will be skipped."
elif [ -f /forcefsck ]; then
 echo $"On the next boot fsck will be forced."
fi

if [ "$command" = /sbin/halt -a -r /etc/ups/upsmon.conf -a -f /etc/killpower -a -f /etc/sysconfig/ups ] ; then
        . /etc/sysconfig/ups
        if [ "$SERVER" = "yes" -a "$MODEL" = "upsdrvctl" ] ; then
                /sbin/upsdrvctl shutdown
        elif [ "$SERVER" = "yes" -a "$MODEL" != "NONE" -a -n "$MODEL" -a -n "$DEVICE" ] ; then
                $MODEL $OPTIONS_HALT -k $DEVICE
        fi
fi

# First, try kexec. If that fails, fall back to rebooting the old way.
[ -n "$kexec_command" ] && $kexec_command -e -x >& /dev/null
...

Secure dynamic DNS howto notes for RHEL5

The must-read Secure dynamic DNS howto has all the steps you need to set up DDNS updates with BIND.

What follows are some very terse notes for RHEL5, highlighting steps not directly obvious from that howto.

name of the key

Whenever you need to choose a key name, take the FQDN of the DHCP server, with a trailing dot! e.g. dhcp-server.example.com. The name is part of what gets signed, so it has to be spelled identically in named.conf, in the update-policy grants and on the DHCP server.

limiting what the dhcp server may update

If my reading of DNS and BIND (5th Edition), ISBN 9780596100575, published by O'Reilly Media, Inc. is correct, then the following update policies are as tight as can be: the key may only add or delete A and TXT records for names below wlan.example.com (and PTR records below 2.168.192.in-addr.arpa); the zone apex, the NS and SOA records and every other record type stay out of its reach. Obviously, somewhere earlier in /etc/named.conf there is a section defining the key dhcp-server.example.com., which I will not paste here.
For the forward zone I used this

zone "wlan.example.com." {
    type master;
    file "named.wlan.example.com";
    update-policy {
        grant dhcp-server.example.com. wildcard *.wlan.example.com. A TXT;
    };
};

While for the reverse zone I used

zone "2.168.192.in-addr.arpa." {
    type master;
    file "named.192.168.2";
    update-policy {
        grant dhcp-server.example.com. wildcard *.2.168.192.in-addr.arpa. PTR;
    };
};
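The key statement those grants refer to, plus the matching half on the DHCP server, as an added example; this is not from the notes or from the howto. The secret is a placeholder and the master’s address (192.168.2.1) is assumed. The name must be spelled identically in all three places, trailing dot included, otherwise the server cannot find the key the update was signed with and refuses it.

```conf
# /etc/named.conf (added example; placeholder secret)
# Generate a real secret with, e.g.,
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.com.
# and copy the Key: line out of the resulting K*.private file.
# Keep named.conf readable by root and named only (the RHEL default).
key "dhcp-server.example.com." {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=";
};

# /etc/dhcpd.conf on the DHCP server: same name, same secret.
# Assumed: the BIND master is 192.168.2.1. Keep this file readable by
# root only, it now holds a credential that can rewrite both zones.
ddns-update-style interim;
ddns-domainname "wlan.example.com";

key dhcp-server.example.com. {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=";
};

zone wlan.example.com. {
    primary 192.168.2.1;
    key dhcp-server.example.com.;
}

zone 2.168.192.in-addr.arpa. {
    primary 192.168.2.1;
    key dhcp-server.example.com.;
}
```

With this in place dhcpd signs every update with the key, and named checks the signature first and the update-policy second: a valid signature still gets a denied update if it asks for something outside the grants above.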

SELinux

As BIND will now be modifying its own zone files, you need to allow this

setsebool -P named_write_master_zones 1

The boolean alone is not enough: named also needs write permission on the directory holding the zone file, because it creates a journal (zonefile.jnl) next to each dynamically updated zone and rewrites the zone file itself when it dumps the journal. Either make that directory writable for the named group or keep dynamic zones in a directory named already owns (on RHEL5 /var/named/slaves and /var/named/data are; with bind-chroot the same paths apply below /var/named/chroot). See the RHEL6 documentation for more details.

logging

The log file should go to the data subdirectory (on RHEL that is the directory under /var/named which SELinux lets named write to). The channel is declared first, then the categories that use it:

logging {
        // for logging see
        // from: http://www.netadmintools.com/part233.html
        // and:  http://www.netadmintools.com/html/5named.conf.man.html
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };

        channel security_log {
                file "data/dns-security.log" versions 5 size 20m;
                // every time the log grows over 20 Mbyte, it will
                // backup and rollover. Maximum 5 backups will be kept.
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };

        category dnssec   { security_log; };
        category update   { security_log; };
        category security { security_log; };
};

If your BIND version has the update-security category (approval and denial of update requests), route it to the same channel; that is where a misbehaving or stolen key shows up as a string of denied updates.
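As an added example (not from these notes or the howto): a little shell that pulls the two interesting kinds of events out of data/dns-security.log, updates the policy refused and TSIG signatures that did not verify. The log lines it chews on are constructed for the example, in the "time category: severity: client ip#port: message" layout the print-* options above produce; the denied lines are shown under update-security, which is where BIND logs approval and refusal of updates.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise refused dynamic
# updates and failed TSIG verifications from the dns-security.log channel
# configured above. Sample lines are constructed for this example, in the
# "time category: severity: message" layout produced by the print-* options.

SAMPLE_LOG="13-Sep-2011 12:00:01.123 update: info: client 192.168.2.10#5432: updating zone 'wlan.example.com/IN': adding an RR at 'laptop.wlan.example.com' A
13-Sep-2011 12:00:01.125 update: info: client 192.168.2.10#5432: updating zone 'wlan.example.com/IN': adding an RR at 'laptop.wlan.example.com' TXT
13-Sep-2011 12:03:44.002 update-security: info: client 192.168.2.77#40001: update 'wlan.example.com/IN' denied
13-Sep-2011 12:03:45.900 update-security: info: client 192.168.2.77#40002: update 'wlan.example.com/IN' denied
13-Sep-2011 12:05:00.001 update-security: info: client 192.168.2.77#40003: update '2.168.192.in-addr.arpa/IN' denied
13-Sep-2011 12:09:10.010 security: error: client 192.168.2.10#5433: request has invalid signature: TSIG dhcp-server.example.com.: tsig verify failure (BADTIME)"

# Print "client-ip zone count" for every update the policy refused (stdin -> stdout).
denied_updates() {
    awk -v q="'" '
        $0 ~ (" update " q "[^" q "]+" q " denied$") {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip) }
            zone = $0
            sub(".* update " q, "", zone)
            sub(q " denied$", "", zone)
            count[ip " " zone]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Print "client-ip key-name reason" for every TSIG verification failure.
tsig_failures() {
    awk '
        /tsig verify failure/ {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "client") { ip = $(i + 1); sub(/#.*/, "", ip) }
            key = $0;    sub(/.*TSIG /, "", key);  sub(/:.*/, "", key)
            reason = $0; sub(/.*\(/, "", reason);  sub(/\).*/, "", reason)
            print ip, key, reason
        }'
}

# Against the real log: denied_updates < /var/named/data/dns-security.log
printf '%s\n' "$SAMPLE_LOG" | denied_updates
printf '%s\n' "$SAMPLE_LOG" | tsig_failures
```

Both functions key on the message text rather than on the category name, so they keep working if you route the categories differently. A BADTIME failure from the legitimate DHCP server usually means the clocks on the two boxes have drifted apart by more than the TSIG fudge; BADKEY means the key name or secret does not match.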

Yes, all of the above is not sufficient for you to copy-paste a config together; that is intended. Read the Secure dynamic DNS howto, it is much better written and has more depth than I could ever provide in a quick braindump.

Speedtest.net Mini on your own box

Sometimes I need a quick and dirty speed test of an internet connection. Speedtest.net Mini allows just that, but I did not want random surfers eating my bandwidth.

On RHEL5/CentOS5

  1. download the zip file
  2. mkdir /var/www/speedtest-mini
  3. unpack in there
  4. chown -R apache.apache /var/www/speedtest-mini (read access is all httpd needs, so root-owned, world-readable files work just as well and keep the served tree out of the apache user’s reach)
  5. create /etc/httpd/conf.d/speedtest-mini.conf with this content
    #
    # This configuration file restricts access to speedtest-mini
    # http://httpd.apache.org/docs/current/howto/htaccess.html
    #
    
    Alias /speedtest-mini /var/www/speedtest-mini
    
    <Directory "/var/www/speedtest-mini">
        Options Indexes
        AllowOverride AuthConfig
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /var/www/speedtest-mini.passwords
        Require valid-user
    </Directory>
    
  6. htpasswd -c /var/www/speedtest-mini.passwords speedtest
  7. keep the password file readable by httpd only; it sits outside the DocumentRoot, so it is never served, but other local users have no business reading it either: chown root.apache /var/www/speedtest-mini.passwords && chmod 640 /var/www/speedtest-mini.passwords
  8. restart apache
  9. Access as http://yourserver.example.com/speedtest-mini. Basic auth sends the password base64-encoded, i.e. in the clear, so use https if the box is reachable from outside your own network.

visiting Helsinki

Every time a friend comes to visit, I tend to give out the same travel information. Being lazy, turning that into a posting seems sensible.

Airports

There are 3 good airports to take a plane to. HEL, TMP and TLL.

Helsinki Airport

This page shows you all possible ways to get from the airport to the centre of town. My preferred option is the Finnair City bus; you can find its schedule in plain text here. A taxi ride from the airport to my home costs me between 35€ and 40€, while the bus costs under 10€. Both take pretty much the same time for the journey.

Tampere-Pirkkala Airport

If you fly to Tampere, you will need to take public transport from the airport to Tampere itself, and from there a train to Helsinki. That train journey takes 1:26 or 1:46 hours, depending on which connection you take. Schedules for Finnish trains are found here.

Lennart Meri Tallinn Airport

If you fly to Tallinn, then you’ll have to go from Tallinn to Helsinki by boat. You can find schedules here.

For the adventurous or impatient, you can also take a helicopter.

Helsinki itself

Check the official city pages to get an overview of what’s happening here. The site also includes a 1 week weather forecast.

From time to time people ask me what my motorbike looks like.
Here are some pictures I took shortly after I bought it.

'Gallery' Post | By pcfe on 2011-09-15

DynDNS updates with TSIG and NetworkManager dispatcher

For paid accounts (DynDNS Pro and Dyn Standard DNS), one can do the updates with TSIG.

That way ddclient is not needed and the DynDNS.com account password never sits in a config file on disk. Obviously, if the TSIG key leaks an attacker can still wreak havoc in the zones that key is allowed to update, but at least they will not be able to log onto the web interface of DynDNS under your name.

Create /etc/NetworkManager/dispatcher.d/20-nsupdate-tsig with this content

#!/bin/bash
#
# NetworkManager dispatcher script to update dyndns via TSIG using nsupdate
#
# adaptation of http://messinet.com/trac/browser/networkmanager-nsupdate-gss-tsig/20-nsupdate-gss-tsig
# IPv6 and reverse support has been ripped out as I do not need them for DynDNS
# read https://www.dyndns.com/support/kb/ddns_updates_and_tsig.html
# pcfe, 2011-09-13
#
# NetworkManager calls this as: <script> <interface> <action>
# The TSIG secret lives in this file, hence the 700 root:root permissions below.

#
# Function definitions
#

# Invoke nsupdate
# (vars defined below)
# The whole batch, key included, goes to nsupdate on stdin, so the secret
# never shows up on a command line in "ps". The old A record is deleted
# before the new one is added: per RFC 2136 "update add" adds a record and
# does not replace one, so without the delete every IP change would leave
# the previous address behind as a second A record.
updateRRs() {
  (echo "server update.dyndns.com"
   echo "zone ${ZONE}"
   echo "key ${KEY_NAME} ${KEY_HMAC}"
   echo "update delete ${HOST}.${ZONE} A"
   echo "update add ${HOST}.${ZONE} ${TTL} A ${ADDR}"
   echo "send"
  ) | nsupdate -t 60 || exit 1
}

#
# Start working...
#

# Set the host name and ttl
# Address of the interface NetworkManager just brought up ($1)
ADDR=$(/sbin/ifconfig "$1" | grep "inet addr:" | awk '{print $2}' | awk -F ":" '{print $2}')
# while it's elegant to have the TTL based on lease time, we want short TTL
# so that one can hop between e.g. LAN and WLAN and have a caching DNS
# get the new entry quickly
#TTL=${DHCP4_DHCP_LEASE_TIME:-86400}
TTL=60
# the DynDNS hostname and zone you want to update, e.g. myserver.mydomain.net
HOST="myserver"
ZONE="mydomain.net"
# get the next two values from https://www.dyndns.com/account/settings/tsig.html
KEY_NAME="MyKeyName"
KEY_HMAC="MyKeyHMAC"

# Proceed based on NetworkManager STATUS, passed as "$2"
# (on a box with several interfaces you may also want to check "$1" here,
# otherwise whichever interface comes up last gets published)
[[ "$2" =~ ^(up|dhcp[46]-change)$ ]] && {
  # Wait a short while for IPv6 autoconfiguration to complete
  #sleep 10
  # never push an empty or unparsable address into the zone
  [[ "$ADDR" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1
  updateRRs
}
exit 0

nail down the file permissions (NetworkManager only runs dispatcher scripts that are owned by root and not writable by group or others; the 700 additionally keeps the TSIG secret embedded in the script away from other local users):

cd /etc/NetworkManager/dispatcher.d/
chmod 700 20-nsupdate-tsig
chown root.root 20-nsupdate-tsig
restorecon -v /etc/NetworkManager/dispatcher.d/20-nsupdate-tsig
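As an added example, not code from the post above or from the script it adapts: the two parts of a dispatcher script that are worth getting right, picking the address to publish and building the signed update batch, with validation so that a parsing hiccup does not end up in the zone. Assumptions not stated in the post: NetworkManager exports DHCP4_IP_ADDRESS to dispatcher scripts on dhcp4-change and IP4_ADDRESS_0 (as "addr/prefix gateway") on up; when neither is set the example falls back to ip -4 addr.

```shell
#!/bin/sh
# Added example, not part of the original post: address selection and
# nsupdate batch construction for a NetworkManager dispatcher script.
# Assumed (not from the post): NetworkManager sets DHCP4_IP_ADDRESS on
# dhcp4-change and IP4_ADDRESS_0 ("a.b.c.d/prefix gateway") on up.

# Return 0 if $1 is a dotted quad we are willing to publish:
# four decimal octets <= 255, not loopback, link-local or 0.x.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2.$3.$4" in
        0.*|127.*|169.254.*) return 1 ;;
    esac
    return 0
}

# Print the IPv4 address NetworkManager handed us for interface $1,
# or fail (and print nothing) if there is none we would publish.
pick_addr() {
    if [ -n "${DHCP4_IP_ADDRESS:-}" ]; then
        addr="$DHCP4_IP_ADDRESS"
    elif [ -n "${IP4_ADDRESS_0:-}" ]; then
        addr="${IP4_ADDRESS_0%%/*}"
    else
        addr=$(ip -4 -o addr show dev "$1" 2>/dev/null |
               awk '{ sub("/.*", "", $4); print $4; exit }')
    fi
    valid_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# nsupdate_batch HOST ZONE ADDR TTL KEYNAME SECRET
# The batch, secret included, is meant for nsupdate's stdin rather than its
# argv, so the secret is not visible in "ps" while the update runs. The old
# A record is deleted first: per RFC 2136 "update add" adds a record and
# does not replace one.
nsupdate_batch() {
    valid_ipv4 "$3" || return 1
    printf 'server update.dyndns.com\nzone %s\nkey %s %s\nupdate delete %s.%s A\nupdate add %s.%s %s A %s\nsend\n' \
        "$2" "$5" "$6" "$1" "$2" "$1" "$2" "$4" "$3"
}

# In the dispatcher script the two are combined like this
# (KEY_NAME / KEY_HMAC come from the DynDNS TSIG settings page):
#   ADDR=$(pick_addr "$1") || exit 1
#   nsupdate_batch myserver mydomain.net "$ADDR" 60 "$KEY_NAME" "$KEY_HMAC" | nsupdate -t 60
```

Refusing to publish anything that is not a plausible unicast address matters more than it looks: a dispatcher script runs on every up event, including ones where no usable address exists yet, and an empty ADDR would otherwise turn into a malformed or bogus update signed with your key.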

I’ve only used this on Fedora 15, but you should get this working on all distributions which use NetworkManager.

If the above makes no sense to you, then you probably want to continue updating your DynDNS entries with ddclient.

nsupdate is in the bind-utils RPM: yum install bind-utils.

When having trouble with bind, I find that the book DNS and BIND (5th Edition), ISBN 9780596100575, published by O'Reilly Media, Inc. always comes in handy.