# uname -a - Hacks

Configure a 3CX extension with Big Blue Button conferencing bridge (Freeswitch)

Mathieu — Fri, 23 Oct 2020 16:43:00 +0200

Just a quick note for reference.

I managed to successfully configure the phone bridge with FreePBX as a SIP provider for Big Blue Button using this documentation : https://docs.bigbluebutton.org/2.2/customize.html#add-a-phone-number-to-the-conference-bridge . My trunk is connectd to the SIP server running FreePBX and Big Blue Button is registering as a phone extension to receive phone calls and route them to the conference room.

But using a similar architecture with 3CX instead of FreePBX as a provider was failing. Actually, you have to add the AuthID as "auth-username" attribute (see https://freeswitch.org/confluence/display/FREESWITCH/Sofia+Gateway+Authentication+Params )

In Big Blue Button, the profile file would looks like :

<include>
  <gateway name="ANY-NAME-FOR-YOUR-PROVIDER">
    <param name="proxy" value="sip.example.net"/>
    <param name="username" value="EXTENSION NUMBER (for instance 100)"/>
    <param name="auth-username" value="THE AUTHID"/>
    <param name="password" value="PASSWORD"/>
    <param name="extension" value="CALLED-NUMBER"/>
    <param name="register" value="true"/>
    <param name="context" value="public"/>
  </gateway>
</include>

I hope it will help someone stuck with the official documentation.

Redémarrer une machine lorsqu'un programme l'étouffe inopinément (Debian 10)

Mathieu — Wed, 14 Oct 2020 12:40:00 +0200

Admettons que vous ayez une machine avec un programme bugué. Typiquement, un logiciel métier avec une fuite de mémoire, qui va pour une raison inconnue saturer la mémoire vive et provoquer son propre crash ou le crash des autres services sur la machine.

Vous pourriez lui mettre une limite de mémoire via /etc/security/limits.conf mais ça ne fera que planter le programme (segmentation fault) pour protéger les autres, et dans le cas d'un logiciel métier cela veut dire prendre ensuite d'autres actions, manuelles ou automatiques, via un système de monitoring approprié.

C'est vrai, le monitoring est la bonne solution quand on suit un logiciel aussi critique qu'un logiciel métier, mais dans le cas d'un logiciel qui doit "juste tourner", d'une équipe de maintenance réduite ou n'ayant pas la possibilité d'astreintes, une solution simple pour s'assurer que la machine tourne même en cas d'incident, c'est de redémarrer la machine lors d'un incident. Pour cela, on peut utiliser le programme watchdog.

Cela doit être fait avec motivations et circonspection, une analyse "post-mortem" doit suivre chaque reboot, dans le cas d'une tentative d'élévation de privilèges par Buffer Overflow, rien ne dit que l'attaque n'a pas réussie même si le système a redémarré.

Watchdog : Configuration

Watchdog s'installe via les paquets :

apt install watchdog

Il y a ensuite deux choses à configurer : les règles pour déclencher le reboot, et le mode de chargement du programme ("no actions" ou actif).

Dans mon cas, je voulais redémarrer si le serveur avait moins de 20% de RAM disponible, ce serveur tourne en permanence à 50% de consommation de RAM et n'est jamais sensé dépasser, ou alors c'est signe d'un problème, d'où le reboot à déclencher.

La configuration de watchdog se trouve dans /etc/watchdog.conf et fournit deux valeurs à régler : min-memory et allocatable-memory . Attention, ces valeurs sont à renseigner en taille de page RAM.

Pour identifier la taille des pages sur le système, utilisez la commande :

getconf PAGESIZE

Ensuite, un simple calcul permet d'identifier la valeur à mettre dans min-memory et allocatable-memory. Par exemple, pour un PAGESIZE de 4096 (4 kB), 2 GB (2048 MB) de RAM et 20% de ce total :

( 20 % * 2048 * 1000 ) / 4096

Une fois min-memory et allocatable-memory configurés, il convient de tester le trigger avant de le démarrer;

Les options de lancement se trouvent dans /etc/default/watchdog . Modifier watchdog_options pour y renseigner :

watchdog_options="-v --no-action"

Désactivez Watchdog du démarrage automatique, puis démarrez-le :

systemctl disable watchdog
service watchdog start

Vous en verrez la trace dans les logs via service watchdog status ou journalctl -f .

Watchdog : Activation

Si les essais sont concluants, retournez dans /etc/default/watchdog pour activer le module noyau. Cela évitera que Watchdog se fasse tuer par un processus quelconque (oom-killer par exemple) :

watchdog_module="softdog"

Si vous ne voulez laisser aucune chance pour éviter le reboot (par exemple si oom-killer a réussi à baisser la consommation de ram sous le seuil acceptable et que le reboot n'est plus nécessaire), rajoutez nowayout :

watchdog_module="softdog nowayout"

Attention, une fois chargé en nowayout, le module noyau restera actif même si watchdog est stoppé (légitimement ou non), le seul moyen de le retirer est de retirer softdog des modules noyau (via rmmod), ou de rebooter.

Activez ensuite watchdog :

systemctl enable watchdog
service watchdog start

watchdog doit être visible dans les modules noyau chargés :

lsmod | grep softdog

Sources

Maman, j'ai patché Debian

Mathieu — Thu, 19 Mar 2020 15:33:00 +0100

Un billet en forme de note à moi-même sur ce qu'il faut faire pour correctement :

Récupérer un package depuis upstream
Appliquer un ou plusieurs patches
Le signer et le re-déployer en production

Préparer l'environnement

Pour compiler et signer un paquet simplement il vous faut :

Un utilisateur (non root)
Une clé GPG
Les build-essentials et les devscripts (parce qu'on est feignasse)

Créez un utilisateur non-root et loguez-vous avec. N'utilisez pas "su" à partir de root, parce que sinon GPG ne pourra pas vous demander la phrase de passe (des histoires de droits sur les TTY).

Créez une clé GPG, et paramétrez-la :

gpg --full-generate-key

Récupérez l'identifiant de clé à la fin de la procédure, ou avec gpg --list-keys si vous l'avez loupé.

Modifiez ou créez le fichier ~/.devscripts et ajoutez :

DEBUILD_SET_ENVVAR_DEBSIGN_KEYID=xxxxxxxx

Avec le xxxxxx qui correspond à votre identifiant de clé.

Récupérer le paquet et les dépendances de compilation

Le plus simple c'est quand le paquet existe déjà et qu'il faut simplement patcher. S'il n'existe aucun paquet, il faut créer un nouveau paquet, éventuellement debianizer la configuration, et c'est une autre paire de manches (et c'est pas le sujet ici).

Pour récupérer le paquet upstream :

apt-get source nomdupaquet

Si le paquet est introuvable, ajoutez les dépôts src à votre sources.list :

deb-src http://deb.debian.org/debian/ buster main contrib
deb-src http://security.debian.org/debian-security buster/updates main contrib
deb-src http://deb.debian.org/debian/ buster-updates main contrib

Il faut ensuite récupérer les paquets nécessaires à la compilation. Coup de bol, si vous avez pu avoir le paquet source à l'étape précédente, c'est facile :

apt-get build-dep nomdupaquet

Patcher le paquet

Le format dpatch est obsolète, en principe votre package utilise quilt comme tout paquet récent. Il suffit de télécharger le patch depuis git et le placer dans le dossier debian/patches.

Ensuite, ajoutez le nom du fichier que vous avez ajouté au fichier debian/patches/series . Attention, l'ordre dans series est important.

Déclarer les changements

Ce n'est pas nécessaire la première fois, mais si vous re-compilez un paquet, il faut ajouter un commentaire dans le Changelog. Le plus simple : utilisez la commande dch -i et modifiez la ligne de changelog, en changeant bien la version du paquet pour qu'elle soit consécutive à la précédente.

Compiler le paquet

Rendez-vous dans le dossier du paquet, et lancez la commande debuild . C'est tout. Rentrez votre phrase de passe pour la clé à la fin de la procédure.

Déployer en production

Pour déployer un paquet, deux solutions :

Envoyer le paquet puis l'installer avec dpkg -i lefichier.deb ou un outil d'orchestration
Installer un DPA (Debian Private Repository) et l'ajouter au sources.list

L'installation du serveur DPA fera l'objet d'un autre billet (un jour).

Sources

Setup Letsencrypt certificates on Gitlab and Mattermost

Mathieu — Thu, 19 Oct 2017 13:01:00 +0200

The new versions of Gitlab are embedding the Mattermost server. Here is how to setup the certificates for these instances.

1. Install certbot

Read the docs here (choose Nginx on the appropriate system) : certbot.eff.org

2. Make a webroot

mkdir -p /var/www/letsencrypt/.well-known

3. Configure Gitlab and Mattermost to answer /.well-known to this webroot

Edit /etc/gitlab/gitlab.rb and add :

nginx['custom_gitlab_server_config']="location ^~ /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"
mattermost_nginx['custom_gitlab_mattermost_server_config']="location /.well-known/ {\n alias /var/www/letsencrypt/.well-known/;\n}\n"

And reconfigure Gitlab :

gitlab-ctl reconfigure

4. Create the certificates

Run the certbot command :

certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d gitlab.your-domain.com
certbot certonly --staging --webroot --webroot-path=/var/www/letsencrypt/ -d mattermost.your-domain.com

5. Tell Gitlab to use the certificates

Edit /etc/gitlab/gitlab.rb again, and add :

nginx['redirect_http_to_https'] = true
nginx['ssl_certificate']= "/etc/letsencrypt/live/gitlab.your-domain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.your-domain.com/privkey.pem"

mattermost_nginx['redirect_http_to_https'] = true
mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.your-domain.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.your-domain.com/privkey.pem"

6. Done

Reconfigure Gitlab again :

gitlab-ctl reconfigure

Elasticsearch, Kibana : mapper [hits] cannot be changed from type [long] to [integer]

Mathieu — Tue, 10 Oct 2017 23:34:00 +0200

Every time I upgrade my ELK stack, it breaks. This time, it was the Kibana index with this obscurous errors :

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [hits] cannot be changed from type [long] to [integer][DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction]

[DEBUG][o.e.a.a.i.m.p.TransportPutMappingAction] [logs] failed to put mappings on indices [[[.kibana]]], type [timelion-sheet]
java.lang.IllegalArgumentException: mapper [version] cannot be changed from type [long] to [integer]

Here is how to fix it. You will have to re-create an index with the correct mapping, and then reindex it.

First, export your Kibana index mapping and settings :

curl localhost:9200/.kibana/_settings?pretty
curl localhost:9200/.kibana/_mapping?pretty

Then, Create and index template with your settings and mapping (don't forget to change the type of the offending fields) :

curl -XPUT "http://localhost:9200/_template/kibana" -H 'Content-Type: application/json' -d'
{
    "template":".kibana-5.6",
    "settings":{
        "number_of_shards":1
    },
    "mappings":{
        "dashboard":{
            "properties":{
                "description":{
                    "type":"string"
                },
                "hits":{
                    "type":"integer"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "optionsJSON":{
                    "type":"string"
                },
                "panelsJSON":{
                    "type":"string"
                },
                "timeFrom":{
                    "type":"string"
                },
                "timeRestore":{
                    "type":"boolean"
                },
                "timeTo":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "uiStateJSON":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                }
            }
        },
        "_default_":{
            "dynamic":"strict"
        },
        "url":{
            "dynamic":"strict",
            "properties":{
                "accessCount":{
                    "type":"long"
                },
                "accessDate":{
                    "type":"date",
                    "format":"strict_date_optional_time||epoch_millis"
                },
                "createDate":{
                    "type":"date",
                    "format":"strict_date_optional_time||epoch_millis"
                },
                "url":{
                    "type":"string",
                    "fields":{
                        "keyword":{
                            "type":"string",
                            "index":"not_analyzed",
                            "ignore_above":2048
                        }
                    },
                    "fielddata":false
                }
            }
        },
        "search":{
            "properties":{
                "columns":{
                    "type":"string"
                },
                "description":{
                    "type":"string"
                },
                "hits":{
                    "type":"integer"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "sort":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                }
            }
        },
        "index-pattern":{
            "properties":{
                "fieldFormatMap":{
                    "type":"string"
                },
                "fields":{
                    "type":"string"
                },
                "timeFieldName":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                }
            }
        },
        "server":{
            "dynamic":"strict",
            "properties":{
                "uuid":{
                    "type":"string",
                    "index":"not_analyzed"
                }
            }
        },
        "config":{
            "properties":{
                "buildNum":{
                    "type":"string",
                    "index":"not_analyzed"
                },
                "defaultIndex":{
                    "type":"string"
                },
                "discover:aggs:terms:size":{
                    "type":"long"
                }
            }
        },
        "visualization":{
            "properties":{
                "description":{
                    "type":"string"
                },
                "kibanaSavedObjectMeta":{
                    "properties":{
                        "searchSourceJSON":{
                            "type":"string"
                        }
                    }
                },
                "savedSearchId":{
                    "type":"string"
                },
                "title":{
                    "type":"string"
                },
                "uiStateJSON":{
                    "type":"string"
                },
                "version":{
                    "type":"integer"
                },
                "visState":{
                    "type":"string"
                }
            }
        }
    }
}
'

Then, reindex (copy) the values of your old kibana index to the new one :

curl -XPOST "http://localhost:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source": {
    "index": ".kibana"
  },
  "dest": {
    "index": ".kibana-5.6"
  }
}'

And finally, change your kibana index in /etc/kibana/kibana.yml :

kibana.index: ".kibana-5.6"

Sources

Mémo rsync pour mes collègues

Mathieu — Mon, 17 Jul 2017 15:01:00 +0200

Un rappel de l'usage pratique de rsync pour mes collègues qui oublient tout le temps les commandes à taper.

Format de base

rsync arguments source destination

Arguments courants

-r : récursif (copie les dossiers et leur contenu)
-a : récursif + conserve permissions et propriétaire (si root)
-u : ne pas changer les fichiers plus récents dans la destination
-v : verbeux (affiche les fichiers et dossiers affectés)
-z : compression du tunnel (pour une connexion fibrée vers des machines lowcost, on peut omettre le paramètre pour soulager le CPU)
--exclude : exclus certains chemins d'accès de la synchronisation. Attention, les chemins sont relatifs au chemin la source.
--dry-run : montre les opérations sans rien toucher
--delete : efface les dossiers supplémentaires de la destination

Format de "source" et "destination"

login@hôte:/chemin/dacces/

Attention avec l'utilisation du récursif (activé avec "-r" ou "-a"), le / à la fin du chemin de la source est important.

Exemples d'usages corrects

Usage	Source	Destination	Résultat	Remarques
Envoyer un fichier dans un dossier	/chemin/source/fichier	/chemin/destination/dossier/	/chemin/destination/dossier/fichier
Envoyer des fichiers dans un dossier	/chemin/source/*	/chemin/destination/dossier/	/chemin/destination/dossier/fichier1 /chemin/destination/dossier/fichier2 /chemin/destination/dossier/fichier3 ...
Envoyer un dossier dans un dossier	/chemin/source/dossier	/chemin/destination/	/chemin/destination/dossier	Ne pas confondre avec la ligne 5 !
Synchroniser deux fichiers	/chemin/source/fichier1	/chemin/destination/fichier2	/chemin/destination/fichier2
Synchroniser deux dossiers	/chemin/source/dossier1/	/chemin/destination/dossier2/	/chemin/destination/dossier2	Ne pas confondre avec la ligne 3 !

Exemples de mésusages

Mésusage

Source

Destination

Résultat

Remarques

Envoyer un dossier dans un dossier

/chemin/source/dossier/

/chemin/destination/

Va synchroniser les deux dossiers au lieu de placer dossier/ dans destination/

Si des fichiers ont le même nom, ils seront remplacés. Particulièrement dangereux aussi avec --delete

Exemples d'utilisations correctes

Usage	Commande	Résultat
Envoyer un fichier dans un dossier distant	rsync --dry-run -azv /source/fichier login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier
Envoyer des fichiers dans un dossier distant	rsync --dry-run -azv /source/* login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier1 /destination/dossier/fichier2 /destination/dossier/fichier3 ...
Envoyer des fichiers dans un dossier distant et efface les autres fichiers contenus dans le dossier de destination	rsync --dry-run --delete -azv /source/* login@serveur:/destination/dossier/	Sur serveur : /destination/dossier/fichier1 /destination/dossier/fichier2 /destination/dossier/fichier3 ...
Envoyer un dossier dans un dossier	rsync --dry-run -azv /source/dossier login@serveur:/destination/	Sur serveur : /destination/dossier
Synchroniser deux fichiers	rsync --dry-run -azv /source/fichier1 login@serveur:/source/fichier2	Sur serveur : /destination/fichier2
Synchroniser deux dossiers	rsync --dry-run -azv /source/dossier1/ login@serveur:/source/dossier2/	Sur serveur : /destination/dossier2
Synchroniser deux dossiers et efface les autres fichiers présents dans le dossier de destination	rsync --dry-run --delete -azv /source/dossier1/ login@serveur:/source/dossier2/	Sur serveur : /destination/dossier2

Configure Wordpress for Performance and Stability

Mathieu — Tue, 11 Jul 2017 10:05:00 +0200

Wordpress is a very common CMS nowadays, and works well out-of-the-box. But when it comes to Performance and Security, its default options are not hardening it enough.

This topic has been discussed a lot on Internet, but here are my tips, as a web developer and sysadmin.

Performance : the main culprits

On a public websites, the slowness can com from :

Network : your provider has as slow network, a huge traffic load, or the user simply has a bad connection
Database access : the provider's database may be under load, you query's sizes may be too important, or the access time between the script and the datbase is just "usually slow".
Disk access : the disk where is stored your files may be slow, or does not have proper in-ram caching
CPU : the CPU of the machine where you site is hosted may be slow, or you are on a low-cost VPS

There is no "miracle solution" for a badly designed website, but in the vast majority of cases, we could help a bit with simple solutions.

Security : the main threats

The main threat in a Wordpress installation is the updates execution. You should update your modules, themes, and core as soon as possible.

Custom and unmaintained modules and themes can also become a threat as they are not updated anymore, and can contain exploitable leaks.

There are several way to prevent your site from leaking too many informations on its "healthiness". It can give you some time to update your website before its exploitation by hackers.

Security : Disable XMLRPC

Unless you are absolutely sure that you are using it (in particular if you are using Jetpack), disable XMLRPC. XMLRPC is a sort of "remote control" for Wordpress and is widely used as an attack vector for Wordpress : bruteforce, denial of service, scans and other nasty things.

Save yourself from the unexpected, disable XMLRPC either with a module or web server rules.

Security : Enable Brute Force Protection

Brute force is a technique that aims at guessing the administrator password by testing common or stolen passwords. Even if they have little chance to succeeed, they are sucking CPU and network acess for your users.

Many modules are offering basic brute force protection, please check that your WAF (if you have one) does not provides one already.

Performance : Install a cache plugin

Caching is very important. It can save you hours of CPU and database access time, and is widely standardized. There are various techniques :

Static cache : the web page is stored "as the user sees it", and is served immediately without executing all the databases queries
In-RAM (object) cache : the PHP processor keeps in-memory objects, to load faster. Some assets like images or CSS files can also be cached in-memory by the web server.
Browser cache : expiry time can be set for static elements or pages, so that the browser does not query back the file when it is not needed.

All these techniqes are widely known and used in cache plugins. Please use (and configure) one of them.

Security : Install a WAF

A WAF (Web Application Firewall) is a sort of filter that will prevent your website from being attacked, scanned, or inflitrated by hackers. It is not an absolute protection, but it easily kicks out script kiddies that could scan your website, saving you resources for real users.

A WAF can be available from your hosting provider, in that case a simple button can enable it. Several modules are also available for Wordpress to do it.

Beware, these modules are often heavy as they filter every requests, use it combined with a properly configured cache system.

Performance : Watch database size and optimize

You probably does not need so many content revisions. The revisions are backups of your articles and pages, stored in the database. You can regularly delete older revisions.

Some modules can do it for you, for instance WP-Optimize. It is advised to do a backup before executing the purge.

It should not be a problem, but if your hosting provider does not optimize databases automatically, it can become one.

Performance : Use a CDN if possible

A CDN is a server designed to give you static content faster that the original site, by using well-located servers, and long retry-times.

You can have many benefits on using a CDN : caching, faster loading of assets, default compression and optimization, etc.

If you can afford and configure one, you can really see a performance improvement.

Performance : Tweak Apache settings

Some actions can be taken if you have access to Apache configuration :

Enable gzip compression : gzip compression can be enabled on top of Apache configuration, to compress assets and pages and improve the network overload.
Set high expiration duration : you can tell the user's browser to cache the content by setting Expiration headers in your htaccess.
Enable Google's mod_pagespeed : Google provides an auto-optimization module that can help if your theme is messy. Warning : you must have a good I/O rate in order to use this plugin, it makes many accesses to disks.

Sample public calendar for ownCloud using ICS parser

Mathieu — Sat, 30 Jul 2016 08:09:00 +0200

When ownCloud removed the ability to share a calendar publicly, I had no other choice than forcing my acquaintances to register to my ownCloud.

I didn't want that, so I implemented my own solution.

1. Abstract

My calendar works like this :

I write events in a particular calendar.

I share this calendar with a special ownCloud user, dedicated for this.

The script will login on the CalDAV API with the credential of the special user, and get the content of the shared calendar.

The script compile the events and compile a nice table, with the content of the calendar.

Please note that the events I write are special: I only use the title field to specify a "color" that will be displayed for the day. The colors are corresponding to my « level of availability » (to show my holidays dates, for instance)

2. Create the calendar and the user

In owncloud, create the second user. I called it public, for instance.

In ownCloud, create the shared calendar on your own account, and give public access to it. Do not tick write permissions.

Create a test event, and log out.

3. Download the library

I used this ICS parser to parse the CalDAV respponses. Download it on your web hosting to the direcory ics-parser/.

4. Install the script

Here is the script I use:

<?php
// Require ICS parser library
require_once('ics-parser/class.iCalReader.php');

// Use it to debug, the previously included parser disables the errors
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Simple caching system, feel free to change the delay
if (file_exists('calendar.cache.html')) {
    $last_update = filemtime('calendar.cache.html');
} else {
        $last_update = 0;
}
if ($last_update + 60*60 < time()) {

// Get events

$headers = array(
        'Content-Type: application/xml; charset=utf-8',
        'Depth: 1',
        'Prefer: return-minimal'
    );

// Setup the calendar URL and the credentials here
$calendar_url = 'https://example.com/remote.php/caldav/calendars/public/public_shared_by_YOU';
$calendar_user = 'public';
$calendar_password = 'public_password';

// Prepare request body
$doc  = new DOMDocument('1.0', 'utf-8');
$doc->formatOutput = true;

$query = $doc->createElement('c:calendar-query');
$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:c', 'urn:ietf:params:xml:ns:caldav');
$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:d', 'DAV:');

$prop = $doc->createElement('d:prop');
$prop->appendChild($doc->createElement('d:getetag'));
$prop->appendChild($doc->createElement('c:calendar-data'));
$query->appendChild($prop);

$prop = $doc->createElement('c:filter');
$filter = $doc->createElement('c:comp-filter');
$filter->setAttribute('name', 'VCALENDAR');
$prop->appendChild($filter);
$query->appendChild($prop);

$doc->appendChild($query);
$body = $doc->saveXML();

// Debugging purpose
//echo '<pre>' . htmlspecialchars($body) . '</pre>';

// Prepare cURL request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $calendar_url);
curl_setopt($ch, CURLOPT_USERPWD, $calendar_user . ':' . $calendar_password);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'REPORT');
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);

$response = curl_exec($ch);
if (curl_error($ch)) {
    //echo curl_error($ch);
    exit();
}
curl_close($ch);

// Debugging purpose
//echo '<pre>' . htmlspecialchars($response) . '</pre>';

// Get the useful part of the response
$xml = simplexml_load_string($response);
$data = $xml->xpath('//cal:calendar-data');

// Debugging purpose
//echo '<pre>' . htmlspecialchars($data[0]) . '</pre>';

// Parse events
$calendar_events = array();
foreach ($data as $vcalendars) {
    $ical = new ICal();
    $vcalendars = $vcalendars->__tostring();

    $lines = explode("\n", $vcalendars);
    $ical->initLines($lines);
    $events = $ical->events();

    foreach ($events as $event) {
        $start = $ical->iCalDateToUnixTimestamp($event['DTSTART']);
        $end = $ical->iCalDateToUnixTimestamp($event['DTEND']);
        $summary = $event['SUMMARY'];
        $calendar_events[] = array(
            'start' => $start,
            'end' => $end,
            'summary' => $summary,
        );
    }
}

// Function to sort the events by start date
function _sort_events($a, $b) {
    return ($a['start'] > $b['start']);
}

// Sort the events by start date
// By doing so, you can have overlapping events, the newest event will superseed the previous
usort($calendar_events, '_sort_events');

// Function to convert my "special titles" into hex colors
function color2hex($color) {
    $color = strtolower($color);

    switch($color) {
        case 'green':
        return '#00ff00';
        break;

        case 'orange':
        return '#ffaa00';
        break;

        case 'red':
        return '#ff0000':
        break;

        case 'black':
        return '#000000';
        break;

        case 'blue':
        return '#0000ff';
        break;
    }
}

// Bufferize output for caching system
ob_start();

// Get current date
$now = mktime(0,0,0);

// Initiate the color array
// Each day in our calendar table will have a color
// Each color is an hex color, corresponding tu the event title (see the switch-case block upper)
$day_color = array();

// Loop through ALL events (old events included)
foreach ($calendar_events as $event) {

    // Discard passed events
    if ($event['end'] < time()) {
        continue;
    }

    // Calculate the timestamp of the "start" date of the event
    $current_day = mktime(0,0,0, date('n', $event['start']), date('j', $event['start']), date('Y', $event['start']));
    $first_loop = true;
    // Loop to fill the color array from the event start date to the event end date
    for ($d = $current_day; ($first_loop || $d < $event['end']); $d+=(60*60*24)) {

        // Debugging purpose
        //var_dump(date('r', $current_day) . ' ' . date('r', $d) . ' ' . date('r', $event['start']) . ' ' . date('r', $event['end']));

        // Handle overlapping events: stack color at the beginning of the sub-array
        if (isset($day_color[$d]) && is_array($day_color[$d])) {
            array_unshift($day_color[$d], color2hex($event['summary']));
        } else {
            $day_color[$d][0] = color2hex($event['summary']);
        }

        $first_loop = false;
    }
}

// Debugging purpose
//var_dump($day_color);

// Output the final table
/ My week starts on Monday, but you can change it

$week_day = date('N', $now);

echo '<table class="forecast">';
echo '<tr><th></th><th>Mon</th><th>Tue</th><th>Wed</th><th>Thu</th><th>Fri</th><th>Sat</th><tH>Sun</th></tr>';

// Loop through the color array
for ($row = 0; $row < 10; $row++) {
    echo '<tr>';

    echo '<td class="week">' . (date('W', $now) + $row) . '</td>';
    for ($col = 0; $col < 7; $col++) {

        // Skip past days from the first week (leave it blank)
        if ($row == 0 && $col < $week_day-1) {
            echo '<td></td>';
            continue;
        }

        $current_day = $now + ($row)*(7*60*60*24) + ($col-($week_day-1))*(60*60*24);
        $current_day = mktime(0,0,0, date('n', $current_day), date('j', $current_day), date('Y', $current_day)); // Working around daylight saving time
        if (isset($day_color[$current_day]) && isset($day_color[$current_day][0])) {
            // We choose to get the first color of the array,
            //   but if you want to display overlapping events colors,
            //   you can use the other values of the array
            $color = $day_color[$current_day][0];
            echo '<td class="' . $color . '">';
        } else {
            echo '<td>';
        }
        // Debugging purpose
        //echo '<pre>' . $current_day . '</pre>';
        //echo date('r', $current_day);
        // Label the cell with the current day
        echo date('j', $current_day) . ' ' . date('M', $current_day) . ' ' . date('Y', $current_day);
        echo '</td>';
    }
    echo '</tr>';
}

echo '</table>';

$html = ob_get_clean();
ob_end_flush();

file_put_contents('calendar.cache.html', $html);

} else {
    $html = file_get_contents('calendar.cache.html');
}

echo $html;

Copy and paste it to an empty PHP file.

Please note that it has a small caching system (calendar.cache.html) to prevent fetching events every time someone loads the page. You can easily reduce the delay or deactivate this feature.

Refer to the comments to extend it.

Drupal 8 : create a custom Rule Action

Mathieu — Wed, 27 Jul 2016 10:56:00 +0200

Warning : the Rule plugin for Drupal 8 was not considered stable when I wrote this post.

1. Drupal 8: the new modules paradigm

Drupal 8 modules structure changed, and many modules are now using the new API.

No more plain old functions name like hook_something, no more obscurous PHP for menu entries. Instead, Object Oriented programming, YAML configuration files, magic comments, and Symfony routing.

Let's give it a try, let's make our first simplest module.

2. Base module configuration

If you already know how to do this, jumb to next section.

Create a directory for your module, for instance mymodule.

Create an info file in YAML format : mymodule/mymodule.info.yaml:

name: 'My Module'
type: module
core: 8.x
package: Custom

You don't need more! You don't need routing as you will plug into Rules.

3. File names and Namespaces

Create the RulesAction directory and its parents: mymodule/src/Plugin/RulesAction/

Create a PHP file for your class: MyAction.php. The class will be loaded with the autoload system.

Edit the file you just created, and specify the namespace at the beginning of the file:

/**
 * @file
 * Contains \Drupal\mymodule\Plugin\RulesAction\MyAction.
 */
namespace Drupal\mymodule\Plugin\RulesAction;
use Drupal\rules\Core\RulesActionBase;

The namespace must correspond to your module name and class name!

4. Rule Action specifications and parameters

Comments are very important as they are also specifications. You will define your Action id, description, and parameters. For instance, here is a copied sample from the predefined action DataSet:

/**
 * Provides a 'My action' action.
 *
 * @RulesAction(
 *   id = "rules_myaction",
 *   label = @Translation("Set a data value"),
 *   category = @Translation("Data"),
 *   context = {
 *     "data" = @ContextDefinition("any",
 *       label = @Translation("Data"),
 *       description = @Translation("Specifies the data to be modified using a data selector, e.g. 'node:author:name'."),
 *       allow_null = TRUE,
 *       assignment_restriction = "selector"
 *     ),
 *     "value" = @ContextDefinition("any",
 *       label = @Translation("Value"),
 *       description = @Translation("The new value to set for the specified data."),
 *       default_value = NULL,
 *       required = FALSE
 *     )
 *   }
 * )
 */

The Rule id is rules_myaction.

The category of the action in the dropdown menu is Data and it will be labeled Set a data value.

The current action will have two parameters : the data that will be changed, and the corresponding value.

5. Rule Action callback

Again, no more plain callback, the function doExecute will be called to execute your Action:

class MyAction extends RulesActionBase {

  /**
   * Executes the Plugin.
   *
   * @param mixed $data
   *   Original value of an element which is being updated.
   * @param mixed $value
   *   A new value which is being set to an element identified by data selector.
   */
  protected function doExecute($data, $value) {
    $typed_data = $this->getContext('data')->getContextData();
    $typed_data->setValue($value);
  }

  /**
   * {@inheritdoc}
   */
  public function autoSaveContext() {
    // Saving is done at the root of the typed data tree, for example on the
    // entity level.
    $typed_data = $this->getContext('data')->getContextData();
    $root = $typed_data->getRoot();
    $value = $root->getValue();
    // Only save things that are objects and have a save() method.
    if (is_object($value) && method_exists($value, 'save')) {
      return ['data'];
    }
    return [];
  }

}

The class name has to correspond to your file name.

In this sample, the parameter $value will be set to $data.

6. Troubleshooting

Uncaught PHP Exception Drupal\\Component\\Plugin\\Exception\\PluginException: "Plugin (rules_myaction) instance class "Drupal\\tbh_system\\Plugin\\RulesAction\\MyAction" does not exist."

Your namespace/classname/filename/directoryname is probably wrong.

Source

Drupal 8 Rules Action documentation

Debian 8 : Configure Nginx and Passenger to supercharge your PuppetMaster

Mathieu — Wed, 22 Jun 2016 21:16:00 +0200

The Puppet master comes by default with a basic WEBrick server. It allow a quick start for those that are not familiar with Puppet, but when the number of Puppet nodes grows, the performances of the default WEBrick server are going down quickly.

The Puppet documentation show how to configure Apache and Passenger to replace the default WEBrick server, but what if you have a lot of nodes ? What if you want to apply your configuration within minutes, instead of the default half-hour threshold before the agent asks the master if something changed ?

Or you may just want a fancy Nginx instead of your plain-old-reliable Apache.

Here is how.

Check your hostname

Your hostname is the base configuration for your node, you should check that it's correct, otherwise you will run into problems after Puppet installation.

# hostname -f

If everything is okay, check your hosts file

# cat /etc/hosts

If your hostname is inside your host file, carry on. Otherwise, set it.

Install Puppet and Puppetmaster

I suppose that you also need the puppet agent installed on the Puppetmaster server.

Install Puppet and Puppetmaster :

# apt-get install puppet puppetmaster

Stop the Puppetmaster :

# service puppetmaster stop

Prevent the puppetmaster from starting. Nginx will spawn on the right port instead of the WEBrick server, previously spawn by Puppetmaster service. Edit the file /etc/defaults/puppetmaster :

# Start puppetmaster on boot?
START=no

Configure the Puppet agent : edit the file /etc/puppet/puppet.conf to point your agent on the master (for instance puppetmaster.example.com).

Also, comment the two lines that are "needed for passenger", our configuration don't need them. Actually, if you keep it, it will not work.

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
server=puppetmaster.example.com

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
#ssl_client_header = SSL_CLIENT_S_DN
#ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
report = true

Enable your puppet agent :

# puppet agent --enable

Install Nginx and Passenger

We will install the bundle Nginx+Passenger shipped by Phusion repositories.

Add the key to your keyring :

# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7

The Phusion repository uses HTTPS, add HTTPS transport to APT :

# apt-get install apt-transport-https ca-certificates

Finally, install Nginx and Passenger :

# apt-get update
# apt-get install nginx-extras passenger

Configure Nginx and Puppetmaster application

Edit /etc/nginx/nginx.conf and uncomment the reference to passenger config :

    ##
    # Phusion Passenger config
    ##
    # Uncomment it if you installed passenger or passenger-enterprise
    ##

    include /etc/nginx/passenger.conf;

Create the file /etc/nginx/nginx/sites-available/puppet.conf with the following content :

server {
    listen                     8140 ssl;
    server_name                puppet puppetmaster puppetmaster.example.com;

    passenger_enabled          on;
    passenger_app_env          production;

    passenger_set_header       X-Client-Verify  $ssl_client_verify;
    passenger_set_header       X-Client-DN $ssl_client_s_dn;
    passenger_set_header       X-SSL-Subject    $ssl_client_s_dn;
    passenger_set_header       X-SSL-Issuer     $ssl_client_i_dn;

    access_log                 /var/log/nginx/puppet_access.log;
    error_log                  /var/log/nginx/puppet_error.log;

    root                       /etc/puppet/rack/public;

    ssl_certificate            /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
    ssl_certificate_key        /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
    ssl_crl                    /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
    ssl_ciphers                'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers  on;
    ssl_verify_client          optional;
    ssl_verify_depth           1;
    ssl_session_cache          shared:SSL:128m;
    ssl_session_timeout        5m;
}

Remove the default virtual host from Nginx as we don't need it :

# rm /etc/nginx/sites-enabled/default

And enable your newly created server :

# ln -s /etc/nginx/sites-available/puppet.conf /etc/nginx/sites-enabled/puppet.conf

Before restarting Nginx, we will configure the Ruby application for Puppetmaster.

Create the directory /etc/puppet/rack and its subdirectories /etc/puppet/rack/public and /etc/puppet/rack/tmp

# mkdir -p /etc/puppet/rack/public /etc/puppet/rack/tmp

Create the file /etc/puppet/rack/config.ru with the following content :

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')

$0 = "master"

# Set the PATH in environment variable
ENV['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"

# Rack applications typically don't start as root.  Set --confdir, --vardir,
# --logdir, --rundir to prevent reading configuration from
# ~/ based pathing.
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"
ARGV << "--logdir"  << "/var/log/puppet"
ARGV << "--rundir"  << "/var/run/puppet"
#ARGV << "--codedir"  << "/etc/puppet/code"

# always_cache_features is a performance improvement and safe for a master to
# apply. This is intended to allow agents to recognize new features that may be
# delivered during catalog compilation.
ARGV << "--always_cache_features"

# NOTE: it's unfortunate that we have to use the "CommandLine" class
#  here to launch the app, but it contains some initialization logic
#  (such as triggering the parsing of the config file) that is very
#  important.  We should do something less nasty here when we've
#  gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
#  the magic that allows the CommandLine class to know that it's
#  supposed to be running master.
#
# --cprice 2012-05-22

require 'puppet/util/command_line'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute

Chown the file for Puppet user :

# chown puppet:puppet /etc/puppet/rack/config.ru

And finally, restart Nginx :

# service nginx restart

Then, test you configuration by running the agent :

# puppet agent --test

Troubleshooting and errors

Error 500

Warning: Error 500 on SERVER: Internal Server Error

Read the logs at /var/log/nginx/error.log and /etc/nginx/puppet_error.log

Error 403

Warning: Error 403 on SERVER: Forbidden request: localhost(127.0.0.1) access to /node/puppetmaster.example.com [find] at :119

Check that your hostname resolves, and that your host file is clean. In particular, you should have the host name of your server on the same line than localhost :

127.0.0.1    localhost puppetmaster puppetmaster.example.com

Also check that your Puppet configuration is correct, in particular check that the two lines "required for Passenger" are commented.

Sources

"SQLSTATE[HY000] [2002] No such file or directory" for compiled PHP

Mathieu — Tue, 19 Apr 2016 22:52:00 +0200

Let's say you connect to MySQL using "localhost"

Let's say you compiled PHP

Let's say you didn't specify the --with-mysql-sock= parameter in your configure command when you built mysql

And let's suppose you cannot connect to MySQL using PHP. CLI works fine, but not CGI.

Solution : fix the default sockets in php.ini (use your own working socket paths) :

pdo_mysql.default_socket=/var/run/mysqld/mysqld.sock
mysqli.default_socket = /var/run/mysqld/mysqld.sock

# You shouldn't use mysql_ extension, but if you did:
mysql.default_socket = /var/run/mysqld/mysqld.sock

I suppose that automatically converting "localhost" to an unix socket is done for performance reason on unix systems.

Debian 8 : Limit SSH users to SFTP

Mathieu — Thu, 18 Feb 2016 10:38:00 +0100

Let’s say you want to configure a secure remote file access for you users, but you can’t use FTPS for some reasons (problems with passive mode and commercial firewalls ? Yes !). Your only secure solution is either a VPN, or a SFTP access.

SFTP is great, but it may implies giving full command line access to your end users. In order to prevent that, you could set-up a jailed SSH access with Jailkit and some bind mount, but it’s not that trivial to configure and to maintain ; and it may not work with software virtualization (Docker, LXCs…). There is a simpler solution.

The solution is : use the native chroot and limitations abilities of OpenSSH. Here is how.

Warning!

You should not configure this on your primary SSH access. By doing so, you will simply lock you out of your server.

In this article, we will set up a completely new instance of OpennSSH server, running next to the original, and handling SFTP only.

1. Setup the secondary SSH access (SFTP-only)

Create a new configuration file by copying the primary configuration :

cp /etc/ssh/sshd_config /etc/ssh/sftp_config

Now edit the file /etc/ssh/sftp_config and change the listening port (for instance 10022) :

Port 10022

Change the PID file for this new instance, set something meaningful :

PidFile /var/run/sftp.pid

Then add these lines to /etc/ssh/sftp_config :

ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Here is a sample of a full configuration :

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 10022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

PidFile /var/run/sftp.pid

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Now, let’s configure autostart. Copy /lib/systemd/system/ssh.service to /lib/systemd/system/sftp.service and adjust settings :

[Unit]
Description=OpenBSD Secure Shell server (SFTP only)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sftp.conf
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=sftp.service

And enable your service :

systemctl enable sftp.service

Make sure the symlink /etc/systemd/system/sftp.service is created.

And try to start it :

service sftp start

2. Reconfigure the primary SSH access

In order to prevent normal users to log into a full shell, we have to change the primary configuration.

The configuration file should be located in /etc/ssh/sshd_config . Add an AllowUsers or AllowGroups directive to this file :

# One or the other but not both!
AllowUsers root admin
#AllowGroups sudo

Here is a sample of a full configuration :

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
AllowUsers root admin

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Restart your primary SSH access, but don’t close your terminal afterwards :

service ssh restart

Now open a new terminal and check that your primary SSH is still working. If not, rollback your configuration.

3. Conclusion

Now you should have two SSH sockets listening : one for everyone using exclusively SFTP, and the other with full SSH access for authorized accounts.

Don’t hesitate to reply in comments if you encounter problems.

Sources

https://wiki.archlinux.org/index.php/SFTP_chroot

Add Drush to Jailkit

Mathieu — Tue, 16 Feb 2016 10:16:00 +0100

Here is the configuration I use to make Drush working inside a Jailkit chrooted shell :

/etc/jailkit/jk_init.ini :

[php]
comment = the PHP interpreter and libraries
executables = /usr/bin/php5, /usr/bin/php
directories = /usr/lib/php5, /usr/share/php, /usr/share/php5, /etc/php5, /usr/share/php-geshi, [B]/usr/share/zoneinfo[/B]
includesections = env

[env]
comment = environment variables
executables = /usr/bin/env

[mysql-client]
comment = mysql client
executables = /usr/bin/mysql
paths = /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18

[drush]
comment = drush (drupal command line)
includesections = php, mysql-client, uidbasics, netbasics
directories = /usr/share/zoneinfo, /etc/ssl/certs, /usr/share/ca-certificates

Once the jailed shell works, add the Drush dependencies to the jail :

jk_init -v -c /etc/jailkit/jk_init.ini -f -k -j /absolute/path/to/jail/ drush

DomPDF : load custom local fonts in you own folder

Mathieu — Fri, 12 Feb 2016 23:28:00 +0100

I needed custom fonts for domPDF, but I didn’t want to use the “remote” capabilities of domPDF, and I didn’t wanted to spoil my “contrib” folder with my own fonts. Dependencies should remain clean.

My domPDF version was 0.6.3.

To use your own “fonts” folder in order to autoload you own fonts, do :

Creates a directory for your fonts and font cache :

mkdir myfonts

Copy your .ttf files in this folder.
Creates a file named dompdf_font_family_cache.php in the myfonts folder, and reference your files. As a sample, you can use the file dompdf/lib/fonts/dompdf_font_family_cache.dist.php
In your configuration (dompdf_config.custom.inc.php), change the DOMPDF_FONT_DIR and DOMPDF_FONT_CACHE to point on your folder myfonts (relative use realpath on relative paths).
Use your fonts like native fonts in font-family declarations.

I hope it will be useful to you.

Set-up SQL quarantine with Amavisd-new and ISPConfig

Mathieu — Sun, 06 Dec 2015 16:56:00 +0100

It's documented, but it took me two days to do it correctly, so here is how to reconfigure an ISPConfig installation of Amavis to store quarantined mail in SQL database, in order to install a quarantine viewer like Mailzu.

1. Prerequisites

A working Postfix+Amavis stack with ISPConfig
A working SQL (PostgreSQL, MySQL...) database
Optional : a working mail server with PHP (for Mailzu)

Jump to Installation if you know what you are doing.

2. Off-subject generic explanations

2.1 Amavis and ISPConfig policies

ISPConfig policies, Tag-Levels

In a default ISPConfig installation per-user ISPConfig policies are loaded. The configuration file for Amavis, written by ISPConfig contains :

@lookup_sql_dsn =
   ( ['DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306', 'ispconfig', 'xxxx'] );
$sql_select_policy =
   'SELECT *,spamfilter_users.id'.
   ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
   ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';
$sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'.
    ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k))' .
    ' ORDER BY spamfilter_wblist.priority DESC';

It means that whatever you would set as $sa_spam_subject_tag, $sa_tag_level_deflt, $sa_tag2_level_deflt, $sa_kill_level_deflt, $sa_dsn_cutoff_level, it will be overridden by per-user policies.

The ISPConfig policies can be changed in tab Email => Spamfilter => Policy in ISPConfig panel. If you struggle wondering why your message keeps getting smashed at level 4.5, look at the sa_tag_level in policies. We will have to change values in that policies, to make the SQL quarantine working.

2.2 Lookup DSN and Storage DSN

DSN (Data Source Name) are the connection strings with host, username, and password, used to connect to databases.

Amavis can set two DSN : one for Policies lookup (used to retrieve ISPConfig policies from Panel), and one for storage of mail meta informations and quarantine. We will use the Storage DSN to set up a secondary database for quarantine storage, to not mess with existing ISPConfig database.

2.3 Levels and cutoffs

Amavis uses Spamassassin to score the mail, in order to decide what to do with it. The category of test (spam test, antivirus, etc) and the score along with levels determines the actions Amavis will trigger, and the final destiny where the mail belongs.

Spamassassin levels are :

tag_level : a message above that score will be tagged with X-Spam-Status, X-Spam-Score and X-Spam-Level headers.
tag2_level : a message above that score will be marked as X-Spam-Status: Yes and the subject is changed if sa_spam_modifies_subj is set to true.
kill_level : a message above that score is taken to the final_spam_destiny, and quarantined, it will not be delivered unless D_PASS is set to final_spam_destiny.
dsn_cutoff_level : a message above that level will never trigger a bounce or a reject, whatever spam_destiny is.
quarantine_cutoff_level : a message above that level will not be quarantined.

2.4 Final destinations

Once the message is categorized by Amavis tests (through SpamAssassin, ClamAV, etc), Amavis decides if it should be delivered to user mailbox or not, and if a bounce will be issued.

This is the purpose of $final_virus_destiny, $final_spam_destiny, $final_banned_destiny, $final_bad_header_destiny.

They can take the following values :

D_PASS : mail will be delivered to inbox.
D_BOUNCE : mail will not be delivered, and a delivery status notification will be returned by Postifx to sender (except if the score exceeds the dsn_cutoff level)
D_REJECT : Postfix will answer REJECT to the distant mail server, and the distant mail server may produce a delivery status notification to the user
D_DISCARD : forgive and forget : the mail will not be delivered and the sender is not informed. The mail may be quarantined if the quarantine_cutoff level is not exceeded.

3. Installation

For Amavis : Nothing ! Amavis comes out-of-the-box with SQL storage.
For Mailzu : see Mailzu section.

4. Configuration

4.1 Database

Create an user and a database for quarantine storage :

# mysql -u root -p
mysql> CREATE DATABASE amavis_storage;
mysql> CREATE USER 'amavis_storage'@'localhost' IDENTIFIED BY 'xxxx';
mysql> GRANT ALL PRIVILEGES ON amavis_storage.* TO 'amavis_storage'@'localhost';
mysql> FLUSH PRIVILEGES;

Load the initial schema from Amavis docs (usually located in /usr/share/doc/amavisd-new/ ).

Delete unnecessary tables, as we will be using this database only for mail storage and not for lookups :

# mysql -u amavis_storage -p amavis_storage
mysql> DROP TABLE users;
mysql> DROP TABLE mailaddr;
mysql> DROP TABLE policy;
mysql> DROP TABLE wblist;

Nota Bene : while executing DROP TABLE users, don't be silly, and do not remove mysql users database.

4.2 Amavis

Update your Amavis configuration /etc/amavis/conf.d/50_user :

@storage_sql_dsn = ( ['DBI:mysql:database=amavis_storage;host=127.0.0.1;port=3306', 'amavis_storage', 'xxxx'] );  # none, same, or separate database

# Quarantine SPAM into SQL server.
$spam_quarantine_to = 'spam-quarantine';
$spam_quarantine_method = 'sql:';

# Quarantine VIRUS into SQL server.
$virus_quarantine_to = 'virus-quarantine';
$virus_quarantine_method = 'sql:';

# Quarantine BANNED message into SQL server.
$banned_quarantine_to = 'banned-quarantine';
$banned_files_quarantine_method = 'sql:';

# Quarantine Bad Header message into SQL server.
$bad_header_quarantine_method = 'sql:';
$bad_header_quarantine_to = 'badheader-quarantine';

# Do not store non-quarantined messages info
# You can set it to 1 (the default) to test if Amavis is filling correctly the tables maddr, msgs, and msgcrpt
$sql_store_info_for_all_msgs = 0;

#
# SQL Select statements
#

$sql_select_policy =
   'SELECT *,spamfilter_users.id'.
   ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
   ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';

$sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'.
    ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k))' .
    ' ORDER BY spamfilter_wblist.priority DESC';

#
# Quarantine settings
#

$final_virus_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS;

# Default settings, we st this very high to not filter aut emails accidently
$sa_spam_subject_tag = '[SPAM] ';
$sa_tag_level_deflt  = 20.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 60.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 60.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 100;   # spam level beyond which a DSN is not sent
#$sa_debug = 1;

#
# Disable spam and virus notifications for the admin user.
# Can be overridden by the policies in mysql
#

$virus_admin = undef;
$spam_admin = undef;

#
# Enable Logging
#

$DO_SYSLOG = 1;
$LOGFILE = "/var/log/amavis.log";  # (defaults to empty, no log)

# Set the log_level to 5 for debugging
$log_level = 0;                # (defaults to 0)

4.3 ISPConfig policies

Remember that ISPconfig policies are overriding a lot of our configuration in 50_user. In order to majke the quarantine work, you have to reconfigure all the available policies in ISPConfig Panel.

Look at your policies list, you have to change the quarantine settings for every policies :

ISPConfig Mail Spamfilter Policy

When editing a policy, on the Quarantine tab, set the destinations :

ISPConfig Mail Spamfilter Policy Quarantine destinations

If you do not fill something in these fields, Amavis will not store quarantined mails in SQL database, and will just discard it !

These fields correspond to the virus_quarantine_to, spam_quarantine_to, banned_quarantine_to, bad_header_quarantine_to variables in Amavis configuration, and an empty value is overriding those we set in Amavis configuration.

4.4 Test

Send some spam to your server, check if the tables are populated :

mysql> SELECT * FROM maddr;

Check if meta informations are populated :

mysql> SELECT * FROM msgs;
mysql> SELECT * FROM msgrcpt;

And if quarantine is filling :

mysql> SELECT * FROM quarantine;

5. Cleanup !

You should not "setup and forget" your quarantine SQL storage. Messages has to be deleted periodically, otherwise your database will grow forever. Look at the documentaion in /usr/share/docs/amavisd-new to make a cronjob like this :

#!/bin/bash

SQL_HOST="localhost";
SQL_LOGIN="amavis_storage"
SQL_PASSWORD="xxxx"
SQL_DB="amavis_storage"

mysql --user="$SQL_LOGIN" --password="$SQL_PASSWORD" --host="$SQL_HOST" $SQL_DB -e " \
  DELETE FROM msgs WHERE time_num < UNIX_TIMESTAMP() - 30*24*3600; \
  DELETE FROM msgrcpt WHERE NOT EXISTS (SELECT 1 FROM msgs WHERE mail_id=msgrcpt.mail_id); \
  DELETE FROM quarantine WHERE NOT EXISTS (SELECT 1 FROM msgs WHERE mail_id=quarantine.mail_id); \
  DELETE FROM maddr WHERE NOT EXISTS (SELECT 1 FROM msgs WHERE sid=id) AND NOT EXISTS (SELECT 1 FROM msgrcpt WHERE rid=id); \
"

6. Mailzu

I have to admit, Mailzu seems a bit obsolete as I had to patch to make it working with Amavis 3.3 tables. But it still works pretty well for a simple task like reading and releasing quarantine mails.

6.1 Installation

Download the source files at http://sourceforge.net/projects/mailzu/.

62. Patch

The existing Mailzu source code is quite old, and the schema of Amavis SQL tables changed. Download and apply this patch in to make Mailzu work.

6.3 Configuration

I suppose that you know how to spawn PHP with CGI to serve the Mailzu files.

Configure your database login and password in config/config.php :

$conf['db']['dbType'] = 'mysql';
$conf['db']['dbUser'] = 'amavis_storage';
$conf['db']['dbPass'] = 'xxxx';
$conf['db']['dbName'] = 'amavis_storage';
$conf['db']['hostSpec'] = 'localhost:3306';

I am using IMAP login to authenticate in Mailzu. Unfortunately, I had to turn off SSL authentication, as it wasn't working. Here is my configuration :

$conf['auth']['serverType'] = 'imap';
$conf['auth']['imap_hosts'] = array( 'localhost:143' );
$conf['auth']['imap_type'] = 'imaptls';
$conf['auth']['imap_domain_name'] = 'example.com';

Don't forget to set yourself "super" :

$conf['auth']['s_admins'] = array ('me@example.com');

And to set your web uri :

$conf['app']['weburi'] = 'https://example.com/mailzu';

6.4 Configure in-app release

Mailzu can also release quarantined mail. I did not implement this function, but you have to set up the amavisd-release internface on an inet socket on port 9998, instead of the existing unix socket located at /var/lib/amavis/amavisd.sock . Read more.

References

Owncloud : batch set calendar events to "CONFIDENTIAL"

Mathieu — Mon, 09 Nov 2015 13:11:00 +0100

You are sharing your owncloud calendar with others. Good.

You don’t want others to see the details of your events, you only want to share the fact that your are “not available”, so you set the event to “CONFIDENTIAL”.

By default, Owncloud sets the events to “PUBLIC” (visible by anyone who have read access).

How to change all the default public events to “CONFIDENTIAL” ? Here is how.

The iCal standard used by Owncloud sets three event types :

PUBLIC : the event is fully visible by anyone.
CONFIDENTIAL : the event is fully visible to owner, but only shows time segment for those who have a read access to the calendar.
PRIVATE : the event is only visible to owner and fully hidden to others (no time segment).

Owncloud stores the events in its database in iCal format, setting the value “CLASS” to the privacy level if needed, and nothing if not specified.

So, let’s change all the default events to CONFIDENTIAL :

UPDATE clndr_objects SET calendardata = REPLACE(calendardata, 'END:VEVENT', 'CLASS:CONFIDENTIAL
END:VEVENT') WHERE objecttype='VEVENT' AND calendardata NOT LIKE '%CLASS:CONFIDENTIAL%' AND calendardata NOT LIKE '%CLASS:PRIVATE%' AND calendardata NOT LIKE '%CLASS:PUBLIC%';

Note that the new line after “CONFIDENTIAL” is mandatory and should not trigger the query until you type the ” ; ” and press enter.

Note that it will change the events for all users.

Backup your database before executing the query.

Configurer dibbler-client pour IPv6 sur une Dedibox (Online.net) avec Debian 8 (Jessie)

Mathieu — Wed, 21 Oct 2015 14:24:00 +0200

La documentation d’Online pour IPv6 ne traite pas le cas de Debian, Ubuntu, ou toute distribution utilisant systemd (CentOS6, etc). La documention doit être étendue pour ajouter le service sysetmd au démarrage, en lieu et place de l’init script.

Vérifiez que l’IPv6 est activé

Cela devrait normalement être le cas, puisque le noyau par défaut de Debian 8 inclut nativement IPv6 et ne peut pas être désactivé. Mais au cas où vous ne verriez pas le link-local sur vos interfaces :

Changer dans /etc/modprobe.d/local.conf :

options ipv6 disable=0

Ajouter dans /etc/modules :

ipv6

Il faudra sans doute redémarrer pour appliquer les changments.

Récupérez votre préfixe et votre DUID depuis la console d’Online

Vous devez demander l’activation de IPv6 au support et créer votre /64 dans la console d’Online pour obtenir votre DUID.

Créez un /64 et n’utilisez pas le /48 ou le 56 directement, vous pourriez le regretter si vous souhaitez redécouper le réseau. Vous n’avez qu’un seul /48 par compte, un /56 pour chaque serveur, et un /64 pour chaque failover souscrit.

Configurez l’interface réseau

Encore une fois, c’est sans doute facultatif puisque Dibbler reconfigure l’interface lorsqu’il se lance, donc explicitons ça dans le fichier /etc/network/interfaces, juste au cas où :

iface eth0 inet6 static
    address your_ipv6_address
    netmask 64
    accept_ra 2

Notes sur Proxmox et le forwarding

Sous Proxmox on travaille sur l’interface bridge, c’est vmbr0 et non pas eth0.

Si le forwarding est activé, vous devez forcer le accept_ra à 2, une valeur de 1 fera ignorer les router advertisements lorsque le forwarding est activé. Explications. Ajoutez dans sysctl.conf :

net.ipv6.conf.vmbr0.accept_ra = 2

Notez bien que dans le cas où vous adressez vos machines virtuelles en IPv6 vous ne devez pas brancher l’interface IPv6 de vos VM directement sur l’interface vmbr0. Voilà pourquoi.

Compilez et installez Dibbler

Téléchargez Dibbler 1.0.1 à partir du site officiel
Installez build-essential : apt-get install build-essential
Décompressez Dibbler : tar -xzf dibbler-1.0.1.tar.gz && cd dibbler-1.0.1
Compilez et installez Dibbler : ./configure && ./make

Configurez Dibbler

Créez les dossiers et fichiers de configuration comme le précise la documentation :

Configurez le DUID dans /var/lib/dibbler/client-duid :

mkdir /var/lib/dibbler/
touch /var/lib/dibbler/client-duid
chmod 640 /var/lib/client-duid
# Set up you duid in client-duid
vim /var/lib/client-duid

Configurez /etc/dibbler/client.conf :

mkdir /etc/dibbler
vim /etc/dibbler/client.conf

Voici le contenu de mon client.conf :

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8
iface eth0 {
    pd
    ia
}

Encore une fois, c’est à adapter en fonction du nom de votre interface.

Démarrez le client pour tester la connectivité :

dibbler-client run

Pour vérifier que Dibbler a configuré l’interface, pressez CTRL+Z pour suspendre le processus et vérifiez que l’IP et les routes sont bien configurées. Tapez la commande “fg” pour retourner au processus en cours d’exécution, et tapez CTRL+C pour stopper Dibbler.

Si pendant l’opération les routes et les IPs sont incorrectes, vérifiez que votre pare feu accepte les connexions entrantes par le port 546 UDP.

Configurez Dibbler au démarrage

Cette section est différente de la documentation d’Online.

Avant systemd, le système d’init par dépendances se contentait d’un script dans /etc/init.d/. Avec systemd, il faut créer un fichier service dans /etc/systemd/system/ .

Créez le fichier suivant : /etc/systemd/system/dibbler.service :

[Unit]
Description=Dibbler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/sbin/dibbler-client start
ExecStop=/usr/local/sbin/dibbler-client stop
PrivateTmp=true
NonBlocking=yes

[Install]
WantedBy=multi-user.target

Lancez la commande suivante pour que systemd lise le fichier :

systemctl daemon-reload

Et activez le service :

systemctl enable dibbler.service

Et essayez de le lancer pour la première fois :

systemctl start dibbler.service

Vérifions que tout est correct :

service dibbler status
ifconfig
route -6
ping6 whatever-you-want.com

Si tout va bien, redémarrez et l’IPv6 fonctionnera dès le démarrage !

Addendum : juste au cas où, n’utilisez pas resolvconf pour pousser les DNS IPv6 automatiquement, conservez autant que possible vos DNS IPv4. Ça serait tellement dommage que votre connectivité IPv6 saute et que vous vous retrouviez sans DNS (oui ça m’est arrivé…).

Sources

Configure dibbler-client for IPV6 networking on Dedibox (or any Online.net) servers with Debian 8 (Jessie)

Mathieu — Wed, 21 Oct 2015 12:50:00 +0200

The Online documentation for IPv6 is not dealing with the case of Debian 8, Ubuntu, or any distribution using systemd. Systemd replaces upstart, so the procedure has to be extended to add systemd service for startup, replacing the previoux behavior that was using init scripts.

Ensure that you are IPv6-proof

It should be the case as Debian 8 is shipping a kernel with native IPv6, but just to be sure :

In /etc/modprobe.d/local.conf :

options ipv6 disable=0

In /etc/modules :

ipv6

You may have to reboot in order to apply the changes.

Set up your IPv6 prefix and get your DUID on Online console

You have to request IPv6 activation to support and create your /64 on Online console before getting your DUID working.

Make a /64 and do not use your /48 or your /56 directly, as you may regret it. You can have only one /48 by account, one /56 by server, and one /64 by IP failover (the /48 is divided to make the /56 and so on).

Configure your network interface

It may not be mandatory as Dibbler will reconfigure your interface, but you have to ensure that you accept router advertisements. Add to /etc/network/interfaces :

iface eth0 inet6 static
    address your_ipv6_address
    netmask 64
    accept_ra 2

Notes about Proxmox and forwarding

On Proxmox, you are working on the bridge interface, it should be vmbr0 instead of eth0.

If you enabled forwarding on this interface (to give your VM an access to IPv6 network), you have to force the accept_ra to 2, while the default value of 1 wil make your Debian to ignore router advertisements when forwarding is enabled ! Read more. Add to sysctl.conf :

net.ipv6.conf.vmbr0.accept_ra = 2

Also do not set the IPv6 interface of your VM to vmbr0, as you can break your network access. Read more.

Compile and install Dibbler

Download Dibbler 1.0.1 from the offical website.
Install build-essential : apt-get install build-essential
Extract Dibbler : tar -xzf dibbler-1.0.1.tar.gz && cd dibbler-1.0.1
Compile and install Dibbler : ./configure && ./make

Configure Dibbler

Make the directories and set up according to the documentation :

Set up duid :

mkdir /var/lib/dibbler/
touch /var/lib/dibbler/client-duid
chmod 640 /var/lib/client-duid
# Set up you duid in client-duid
vim /var/lib/client-duid

Set up client.conf :

mkdir /etc/dibbler
vim /etc/dibbler/client.conf

The content of my client.conf :

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8
iface eth0 {
    pd
    ia
}

Note that if your interface name is different you have to change it accordingly. For instance, on a Proxmox host server, it should be vmbr0 instead of eth0.

Start dibbler to try the connectivity :

dibbler-client run

Hit CTRL+Z to suspend the process and check that the IP and routes are configured. Type the command “fg” to get back to the running process and hit CTRL+C to stop it.

If it doesn’t work, check your firewall, dibbler needs to listen port 546 UDP.

Set Dibbler at startup

This section differs from Online documentation.

Before systemd, the dependency-based boot sequence only needed an init script, for instance /etc/init.d/dibbler . With systemd, you have to make a service file in /etc/systemd/system/ .

Make the following file : /etc/systemd/system/dibbler.service :

[Unit]
Description=Dibbler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/sbin/dibbler-client start
ExecStop=/usr/local/sbin/dibbler-client stop
PrivateTmp=true
NonBlocking=yes

[Install]
WantedBy=multi-user.target

Run the following command to make systemd read file :

systemctl daemon-reload

Enable the service :

systemctl enable dibbler.service

And then, try to start it :

systemctl start dibbler.service

Check everything is fine :

service dibbler status
ifconfig
route -6
ping6 whatever-you-want.com

Reboot and the IPv6 networking should work at startup !

Addendum : just in case, don’t use resolvconf with IPv6 DNS pushing and if possible keep IPv4 DNS, it would be such a pity if the IPv6 networking crashes while your DNS servers are set to IPv6 addresses (yeah, it happened to to me)…

Sources

Un dotclear vous manque et tout est dépeuplé

Mathieu — Sat, 17 Oct 2015 19:24:00 +0200

Aujourd’hui je n’arrivais pas à accéder au panel d’administration de mon Dotclear aujourd’hui. Après avoir rentré le bon mot de passe, La page tournait en boucle pour terminer sur une erreur 500.

Le blog fonctionnait toujours et toutes les autres pages utilisant PHP n’afichaient aucun problème.

Dans les logs Apache, j’avais :

mod_fcgid: read data timeout in 40 seconds
End of script output before headers: index.php
mod_fcgid: process 3114 graceful kill fail, sending SIGKILL

Aucun processus n’était à 100% de CPU, la BDD était au repos, le processus PHP semblait se “figer” au moment d’ouvrir la page d’administration.

Le site de Dotclear était down lui aussi. Coincidence ?

Juste pour voir, j’ai rajouté dans le fichier host de mon serveur la ligne suivante :

127.0.0.1    download.dotclear.org

Après avoir relancé Apache, l’administration s’est mise à fonctionner !

Ce n’était donc pas une coincidence, si Dotclear essaie de recherche ses mises à jour alors que le site download.dotclear.org est en panne (pour des causes naturelles ou non), le panel d’administration reste en attente d’une connexion et on ne peut plus s’y connecter. Évidemment, plus on raffraichit la page, plus on tape sur ce pauvre serveur de Dotclear.

Pour ceux qui n’ont pas accès à leur serveur, vous pouvez changer l’URL de DC_UPDATE_URL dans le fichier inc/prepend.php pour le faire pointer ailleurs, temporairement :

define('DC_UPDATE_URL','http://download.dotclear.org/versions.xml');

N’oubliez pas de le remettre comme avant une fois le site download.dotclear.org réparé, sinon vous n’aurez plus jamais de mises à jour automatiques

Mise à jour : à priori, il y a aussi les flux RSS qui s’affichent sur le côté de l’admin qui sont aussi à désactiver, j’ai fais un gros patch dans le fichier admin/index.php pour finir par faire marcher l’administration :

--- admin/index.php    2015-10-17 19:58:19.873121948 +0200
+++ admin/index.php    2015-10-17 19:58:08.713227238 +0200
@@ -80,6 +80,7 @@
 $favs = $core->favs->getUserFavorites();
 $core->favs->appendDashboardIcons($__dashboard_icons);
 
+/*
 # Check plugins and themes update from repository
 function dc_check_store_update($mod, $url, $img, $icon)
 {
@@ -165,7 +166,7 @@
 }
 
 $core->callBehavior('adminDashboardItems', $core, $__dashboard_items);
-
+*/
 # Dashboard content
 $dashboardContents = '';
 $__dashboard_contents = new ArrayObject(array(new ArrayObject,new ArrayObject));

Postfix : configure postmaster, hostmaster, and abuse catchall for RFC compliance

Mathieu — Sat, 29 Aug 2015 18:02:00 +0200

This short howto will show you how to set up a catchall for common required email addresses. Some mail servers are testing if mail is accepted on this addresses to detect spammymail servers. Hostmaster address can also be used for domain Trading, to check the ownership of the domain.

1. Create a file named /etc/postfix/regexp-catchall.cf with the following content:

# Catchall to comply with RFC standards
/^postmaster@/    youshouldreadit@mydomain.com
/^hostmaster@/    youshouldreadit@mydomain.com
/^abuse@/         youshouldreadit@mydomain.com

Replace youshouldreadit@mydomain.com with a mail address you actually read.

2. Open /etc/postfix/main.cf and locate (or create) the line virtual_alias_maps, and add at the end regexp:/etc/postfix/regexp-catchall.cf, for instance:

virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, regexp:/etc/postfix/regexp-catchall.cf

3. Restart Postfix.

Warning : read comment #4 for issues with this setup.