# uname -a


Wednesday 22 June 2016

Debian 8: Configure Nginx and Passenger to supercharge your PuppetMaster

The Puppet master comes by default with a basic WEBrick server. It allows a quick start for those who are not familiar with Puppet, but as the number of Puppet nodes grows, the performance of the default WEBrick server degrades quickly.

The Puppet documentation shows how to configure Apache and Passenger to replace the default WEBrick server, but what if you have a lot of nodes? What if you want your configuration applied within minutes, instead of waiting for the default half-hour interval before the agent asks the master whether something changed?

Or you may just want a fancy Nginx instead of your plain-old-reliable Apache.

Here is how.

Read more...

Tuesday 19 April 2016

"SQLSTATE[HY000] [2002] No such file or directory" for compiled PHP

Let's say you connect to MySQL using "localhost"

Let's say you compiled PHP

Let's say you didn't specify the --with-mysql-sock= parameter in your configure command when you built mysql

And let's suppose you cannot connect to MySQL using PHP. CLI works fine, but not CGI.

Solution: fix the default sockets in php.ini (use your own working socket paths):

```ini
mysqli.default_socket = /var/run/mysqld/mysqld.sock

; You shouldn't use the mysql_ extension, but if you did:
mysql.default_socket = /var/run/mysqld/mysqld.sock
```

I suppose that automatically converting "localhost" to a Unix socket is done for performance reasons on Unix systems.

Thursday 18 February 2016

Debian 8: Limit SSH users to SFTP

Let's say you want to set up secure remote file access for your users, but you can't use FTPS for some reason (problems with passive mode and commercial firewalls? Yes!). Your only secure options are then a VPN or SFTP access.

SFTP is great, but it may imply giving full command-line access to your end users. To prevent that, you could set up jailed SSH access with Jailkit and some bind mounts, but that is not trivial to configure or maintain, and it may not work with software virtualization (Docker, LXC…). There is a simpler solution.

The solution: use the native chroot and restriction capabilities of OpenSSH. Here is how.

Read more...
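sshd only honours `ChrootDirectory` when every component of the path is a root-owned directory that is not writable by group or others, which is the usual reason an SFTP-only setup rejects logins. The script below is an added example, not code from the original post: it checks that rule before you reload sshd. The group `sftponly`, the base path `/srv/sftp` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the blog's configuration). Assumed sshd_config stanza,
# with a hypothetical group "sftponly" and chroot base /srv/sftp:
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd refuses the session unless every component of the ChrootDirectory
# path is a directory owned by root and not writable by group or others.

# check_dir DIR [OWNER_UID]: returns 0 if DIR meets that rule, 1 otherwise.
# OWNER_UID defaults to 0 (root); the override exists only for testing.
check_dir() {
    dir=$1 want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    # ls -ldnL prints the mode string first and the numeric owner third.
    set -- $(ls -ldnL "$dir")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid (want $want_uid): $dir"; return 1; }
    case $mode in
        # 6th character = group write bit, 9th = others write bit
        ?????w*|????????w*) echo "group/other writable ($mode): $dir"; return 1 ;;
    esac
    return 0
}

# check_chroot PATH: apply check_dir to /, then to each deeper component.
check_chroot() {
    case $1 in /*) ;; *) echo "path must be absolute: $1"; return 1 ;; esac
    rc=0 cur= rest=${1#/}
    check_dir / || rc=1
    while [ -n "$rest" ]; do
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        check_dir "$cur" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot.sh /srv/sftp/alice
if [ "$#" -gt 0 ]; then check_chroot "$1"; fi
```

Because the chroot directory itself must be root-owned, users need a writable subdirectory inside it for uploads.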

Tuesday 16 February 2016

Add Drush to Jailkit

Here is the configuration I use to make Drush work inside a Jailkit chrooted shell:

/etc/jailkit/jk_init.ini:

```ini
[php]
comment = the PHP interpreter and libraries
executables = /usr/bin/php5, /usr/bin/php
directories = /usr/lib/php5, /usr/share/php, /usr/share/php5, /etc/php5, /usr/share/php-geshi, /usr/share/zoneinfo
includesections = env

[env]
comment = environment variables
executables = /usr/bin/env

[mysql-client]
comment = mysql client
executables = /usr/bin/mysql
paths = /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18

[drush]
comment = drush (drupal command line)
includesections = php, mysql-client, uidbasics, netbasics
directories = /usr/share/zoneinfo, /etc/ssl/certs, /usr/share/ca-certificates
```

Once the jailed shell works, add the Drush dependencies to the jail :

```sh
jk_init -v -c /etc/jailkit/jk_init.ini -f -k -j /absolute/path/to/jail/ drush
```

Sunday 6 December 2015

Set up SQL quarantine with Amavisd-new and ISPConfig

It's documented, but it took me two days to do it correctly, so here is how to reconfigure an ISPConfig installation of Amavis to store quarantined mail in an SQL database, in order to install a quarantine viewer like Mailzu.

Read more...
