I noticed that my jabber client crashes (segmentation fault) whenever I try to close the last chat tab
or open the Appearance tab in Options. The version of psi is 0.11-3.
It seems to be related to the new Qt version. A bug has already been reported,
but it's not fixed yet. Fortunately, there's a fixed version available in Debian/unstable: 0.11-8.
If you run e.g. two DNS servers and one goes down, some applications start to work slower.
This happens because they pick one DNS server to resolve an address, and if this server
is down, they have to wait until the timeout expires. Only then do they try the other(s).
All this may lead to a number of unpleasant situations, like:
- High load on servers
- High number of connections to the server
- Insufficient resources because of the former, and so on.
To prevent such situations when one of the DNS servers goes down,
we decided to run the DNS service under keepalived,
so that if one DNS server goes down, keepalived on the other server
brings up the IP of the failed DNS server. The DNS servers are set up on the IPVS directors
(where the keepalived daemons are running). A typical keepalived config for DNS
may look like this:
[...]
vrrp_instance DNS1 {
    state MASTER
    virtual_router_id 1
    interface eth0
    priority 150
    authentication {
        auth_type PASS
        auth_pass s3cr3t
    }
    virtual_ipaddress {
        10.1.1.1
    }
    smtp_alert
}
vrrp_instance DNS2 {
    state BACKUP
    virtual_router_id 2
    interface eth0
    priority 100
    authentication {
        auth_type PASS
        auth_pass s3cr3t
    }
    virtual_ipaddress {
        10.1.1.2
    }
    smtp_alert
}
[...]
And vice versa on the other director.
We use PowerDNS in our setup. Unfortunately, it cannot
bind to ``all`` IPs on the box. Actually it can, but there's no guarantee that you'll
get the answer from the IP you were querying. Because of this, you have to bind to
specific IPs. This is not a problem at all unless you need to bind to different
IPs automatically if the other server goes down. In the beginning I was trying to use
some scripts to change the pdns config with notify_master/notify_backup.
But recently I found a much simpler solution. All you need to do is specify all
IPs in every pdns config on every DNS server. And to let pdns bind to IPs the box doesn't own,
simply do:
# sysctl -w net.ipv4.ip_nonlocal_bind=1
This lets pdns bind to all the IPs, and if the other server goes down, the one that is alive will
serve all queries to all IPs.
Setting up Heimdal Kerberos with an LDAP backend, I faced a weird problem.
In kadmin I got the following errors:
- opening database: ldap_sasl_bind_s: Can't contact LDAP server
- kadm5_get_principals: Wrong database version
Slapd was running and the KDC had all permissions, though.
Despite such attempts, there was no activity in the slapd logs.
The problem was simple: whereas slapd creates its socket as /var/run/slapd/ldapi,
Kerberos(/libldap?) tries to open it as /var/run/ldapi.
So ln -s /var/run/slapd/ldapi /var/run/ldapi solved the problem.
Several days ago I updated my Ubuntu «Gutsy Gibbon» installation. After
that, Firefox keeps crashing randomly, saying ``Floating point exception`` in the console.
The cause of this issue seems to be changes in libcairo2 made by a security update. The latest version of this library is libcairo2_1.4.10-1ubuntu4.1. Downgrading it to libcairo2_1.4.10-1ubuntu4 fixes the problem.
The bug is already reported and I hope libcairo2 will be fixed soon. But until then, sudo apt-get install libcairo2=1.4.10-1ubuntu4 can help.
UPD: The issue is fixed in 1.4.10-1ubuntu4.2:
libcairo (1.4.10-1ubuntu4.2) gutsy-security; urgency=low
* Fix debian/patches/91_malloc-overflow-fixes.dpatch to avoid
divide-by-zero; patch from upstream fixes (LP: #173861):
[...]
To export data aggregated by flow-capture to PostgreSQL, a similar table structure
must be created:
After this, flow-capture must be launched as follows:
#file: /etc/flow-tools/flow-capture.conf
-w /var/flowdata -n 95 -N 3 -R /usr/local/bin/flowdata-export.sh 0/0/555
This means that it will run the /usr/local/bin/flowdata-export.sh script every time it rotates its log file, passing the name of the rotated flow file as the first argument. Here's the simple script:
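#!/bin/sh
# Called by flow-capture after each rotation; $1 is the rotated flow file name.
LOGS=/var/flowdata
# Placeholder credentials in the order user:password:host:port:database:table
DB=dbuser:dbpass:dbhost:dbport:dbname:dbtable
if [ $# -lt 1 ]; then
    echo "USE: $0 <filename>" >&2
    exit 1
fi
# Quote both expansions so an unusual file name cannot split into extra words.
flow-export -f 5 -m UNIX_SECS,DOCTETS,SRCADDR,DSTADDR,SRCPORT,DSTPORT,PROT -u "$DB" < "$LOGS/$1"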
There can be a lot of data in the db, and it could be wise to split it into smaller chunks. This can be done using PostgreSQL table partitioning. Here's how we can improve our database/table setup:
After this, there will be a dedicated table for every month. Data can be inserted into the flowdata table as before (as well as selected), though in fact it will reside in its corresponding table. Such a structure is good for keeping logs for the last year. All we need to do
is to flush the current month's table on the first day of every month. Thus we'll always have data for the last 12 months.
Several days ago there was a report about a critical vulnerability in lighttpd's mod_fastcgi, which can lead to arbitrary code execution in the fastcgi application.
This vulnerability is fixed in 1.4.18. In Ubuntu there's an update for lighttpd which fixes it, so it's enough to run apt-get update && apt-get upgrade. But there's still no update in Debian, so I just did the following:
- apt-get build-dep lighttpd
- apt-get install libgamin-dev libterm-readline-perl-perl libterm-readkey-perl
- wget http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13-9ubuntu4.2.dsc http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13.orig.tar.gz http://archive.ubuntu.com/ubuntu/pool/universe/l/lighttpd/lighttpd_1.4.13-9ubuntu4.2.diff.gz
- dpkg-source -x ./lighttpd_1.4.13-9ubuntu4.2.dsc
- cd lighttpd-1.4.13; dpkg-buildpackage -uc -us
- dpkg -i ../lighttpd_1.4.13-9ubuntu4.2_i386.deb
Now I'm considering switching the Debian servers to Ubuntu.
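The steps above build and install, as root, source files fetched over plain HTTP. A check that fits between the wget and dpkg-source steps, as an added example that is not part of the original post: compare each downloaded file with the size and hash recorded in the .dsc. The function names and the demo package are hypothetical.

```shell
#!/bin/sh
# Added example: check downloaded source files against the hashes in a .dsc.
# The hashes prove nothing unless the .dsc itself is trusted (check its
# signature or fetch it over a trusted channel first).

# dsc_entries DSC FIELD -> the "hash size name" lines listed under FIELD
dsc_entries() {
    awk -v f="$2:" 'index($0, f) == 1 {on = 1; next}
                    /^[^ ]/ {on = 0}
                    on && NF == 3 {print $1, $2, $3}' "$1"
}

# verify_dsc_files DSC -> 0 only if every listed file sits beside the .dsc
# with the recorded size and hash. Prefers SHA-256; older .dsc files carry
# only the MD5 "Files:" field.
verify_dsc_files() {
    dsc=$1; dir=$(dirname "$dsc"); tool=sha256sum; bad=0
    entries=$(dsc_entries "$dsc" Checksums-Sha256)
    if [ -z "$entries" ]; then
        tool=md5sum; entries=$(dsc_entries "$dsc" Files)
    fi
    [ -n "$entries" ] || { echo "no file list in $dsc" >&2; return 1; }
    while read -r want_hash want_size name; do
        case "$name" in */*) echo "unsafe name: $name" >&2; bad=1; continue ;; esac
        f="$dir/$name"
        [ -f "$f" ] || { echo "missing: $name" >&2; bad=1; continue; }
        got_size=$(wc -c < "$f" | tr -d ' ')
        got_hash=$("$tool" "$f" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
            echo "MISMATCH: $name" >&2; bad=1
        fi
    done <<EOF
$entries
EOF
    return "$bad"
}

# Constructed demo: a one-file "package" in a temp dir, checked before and
# after the file is altered.
demo() {
    d=$(mktemp -d); src="$d/pkg_1.0.orig.tar.gz"
    printf 'source\n' > "$src"
    printf 'Source: pkg\nChecksums-Sha256:\n %s 7 pkg_1.0.orig.tar.gz\n' \
        "$(sha256sum "$src" | cut -d' ' -f1)" > "$d/pkg_1.0.dsc"
    verify_dsc_files "$d/pkg_1.0.dsc" && echo ok
    printf 'x' >> "$src"
    verify_dsc_files "$d/pkg_1.0.dsc" 2>/dev/null || echo rejected
    rm -rf "$d"
}
demo
```

For the build above this would be run as verify_dsc_files ./lighttpd_1.4.13-9ubuntu4.2.dsc, continuing only when it returns 0.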
Ipset is a very useful thing when you need to make your firewall check thousands of IPs/networks/ports and/or combinations of them. It is possible, e.g., to add
rules to your tables in a loop using some shell script, but it becomes very slow
when you have several thousand rules or more. In such cases, ipset (IP Sets) can be a very handy addition.
Here is a quote from the ipset site:
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.
If you want to
- store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
- dynamically update iptables rules against IP addresses or ports without performance penalty;
- express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets
then ipset may be the proper tool for you.
While the ipset tool is included in the Debian distro, you still need to
patch the kernel. Here's how I did this:
# apt-get install linux-source-2.6.18 build-essential kernel-package initramfs-tools
# cd /usr/src
# tar xjf linux-source-2.6.18.tar.bz2
# cp /boot/config-2.6.18-4-686 ./linux-source-2.6.18/.config
# wget http://ipset.netfilter.org/patch-o-matic-ng-20070524.tar.bz2
# tar xjf patch-o-matic-ng-20070524.tar.bz2
# apt-get source iptables
# cd patch-o-matic-ng
# KERNEL_DIR=/usr/src/linux-source-2.6.18 IPTABLES_DIR=/usr/src/iptables-1.3.6.0debian1/iptables ./runme set
# cd ../linux-source-2.6.18
# make oldconfig
# make-kpkg --bzimage --initrd --append-to-version=-ipset --revision=00.01 kernel_image
That's all! After this, you should find a ready-made package linux-image-2.6.18-ipset_00.01_i386.deb in /usr/src.
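Once the patched kernel is running, thousands of addresses can sit behind one iptables rule. The following is an added example, not from the original post: it turns an address list into an `ipset restore` script, skipping malformed entries. It uses the current ipset command syntax (create/add/swap and --match-set), which postdates the 2007 release described here; the set name blocklist and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: build an `ipset restore` script from an address list.
# Set name "blocklist" and the sample addresses below are constructed.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_restore SETNAME < list -> restore script on stdout, rejects on stderr.
# Entries go into a scratch set that is swapped with the live one, so the
# single iptables rule never matches against a half-filled set.
gen_restore() {
    live=$1; scratch="$1-new"
    echo "create $live hash:ip"
    echo "create $scratch hash:ip"
    echo "flush $scratch"
    while read -r addr rest || [ -n "$addr" ]; do
        case "$addr" in ''|'#'*) continue ;; esac
        if is_ipv4 "$addr"; then
            echo "add $scratch $addr"
        else
            echo "skipped invalid entry: $addr" >&2
        fi
    done
    echo "swap $scratch $live"
    echo "destroy $scratch"
}

SAMPLE='# constructed sample list
192.0.2.10
198.51.100.7   # trailing note
300.1.1.1
not-an-ip
203.0.113.5'

# Print the generated script. To apply it (root, current ipset syntax):
#   printf "%s\n" "$SAMPLE" | gen_restore blocklist | ipset -exist restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
printf '%s\n' "$SAMPLE" | gen_restore blocklist
```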
Yesterday I had a hard time making PowerDNS (pdns) start working with the gmysql backend.
As I figured out later, this was a «Chicken and Egg problem». To start working,
pdns must connect to mysql to send its queries. But mysql needs DNS to resolve pdns' IP in order to
authenticate it.
To avoid such situations in the future, I added skip-name-resolve to /etc/my.cnf and replaced all hostnames with the corresponding IPs in the mysql.user table and some config files.
Microsoft has a site for downloads of various software products, not just their own. It's called Windows ® Marketplace. For some time, people could download Ubuntu «Feisty Fawn» from this site. Later it was removed.
It's still available in Google cache.
About half a year ago, when I upgraded my Ubuntu installation from "Dapper Drake" to "Edgy Eft",
I wrote a small job for upstart to spawn svscanboot, since inittab was no longer used.
Until today, it looked like this:
# svscanboot
start on runlevel-2
start on runlevel-3
start on runlevel-4
start on runlevel-5
stop on shutdown
respawn /command/svscanboot
But it seems something has changed in upstart since then.
initctl list didn't show me any svscanboot job at all.
Here is the updated version of /etc/event.d/svscanboot:
# svscanboot
#
start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 6
respawn
exec /command/svscanboot