While browsing around the MySQL site last night I discovered a number of nice new features of mysql 5.1 that relate to logging.

These are:

• Logging to DB instead of log files
• Runtime configuration of logging.

Logging to DB instead of log files

Coming from a web development background rather than a sysadmin background I'm far more comfortable manipulating and analysing data using SQL. So to be able to log all the queries or just the slow queries for an application to the db during application development or load testing is a huge benefit.

To enable logging to DB you can add the following to your my.cnf

The logs will be written to the 'slow_log' and 'general_log' tables in the mysql database.

Note - logging to tables has more overhead than logging to file, so would suggest using it primarily for development purposes.

Full details of the options are on the mysql manual on log tables

Runtime configuration of logging.

This allows you to turn on and off logging without restarting MySQL - which just saves a little bit of time and makes it much nicer for debugging problems.

To turn on the logging of all queries run:

And for just the slow query log:

And to turn them both off use:

If you also want to see queries not using indexes in the slow query log you can set the following variable:

Hope it helps, Mark

I've just received a copy of the Tomcat 6 Developer's Guide from packt publishing to review.

It's nice timing as I've been working with Tomcat 6 a bit lately and in the new year plan to move some of our production systems over to running Railo on top of Tomcat.

After the extremely busy year Learnosity has had I'm looking forward to reading a few books over the break and coming back in the New Year with lots more ideas and technology to implement.

For my own reference, settings to turn on apache mod_deflate.

This sets turns it on for everything except gif,jpeg,png or mp3, as these are already well compressed.

Cheers, Mark

While working with a client recently setting up a Netgear VPN so he could securely access his internal file server. The VPN setup was straightforward but every time the VPN client connected to the VPN server the VPN server/firewall would crash - leaving no connectivity.

In order to come up with a reliable solution to this we decided to use the SSH server we had available and tunnel the windows sharing across the local port forwards, much simpler and more reliable.

Thanks to this article it was a breeze to set up.

Steps are as follows:

• Create loopback adapter on windows
• Configure loopback adapter on windows
• Reboot
• Configure SSH connection
• Test it all out

Create loopback adapter on windows

We'll give your computer an additional (fake) IP address, and we'll port forward to that address instead of the computer's real IP. Windows XP will continue to do file sharing on the real IP address. We'll assign it an IP of 10.0.0.1 (that's what we configured putty to use above.)

1. System->Control Panel->Add Hardware
2. Yes, Hardware is already connected
3. Add a new hardware device (at bottom of list)
4. Install the hardware that I manually select
5. Network adapters
6. Microsoft , Microsoft Loopback Adapter
7. (Go through the installation procedure.)

Configure loopback adapter on windows

1. Open your new fake ethernet adapter (Network Connections) , enter a made-up IP address (I suggest 10.0.0.1, which is a privately routable address that most folk don't use.)
2. Enable Client for Microsoft Networks.
3. Disable File and Printer Sharing for Microsoft Networks
4. Enable Interent Protocol (TCP/IP)
5. Click on properties for TCP/IP.
6. Enter your chosen IP address (10.0.0.1), subnet mask (255.255.255.0). You can leave gateway blank.
7. Under advanced->WINS, Enable LMHosts Lookup and Disable NetBIOS over TCP/IP

Reboot

In order to make it all work now it he appropriate time to reboot so windows initialises everything correctly.

Configure SSH connection

• Download Putty
• Enter IP address
• Enter Auth Key (if using SSH keys)
• Enter Port forwards for: (these connect the ports on you local machine to
  • 10.0.0.1:137 to 127.0.0.1:137
  • 10.0.0.1:138 to 127.0.0.1:138
  • 10.0.0.1:139 to 127.0.0.1:139
  • 10.0.0.1:445 to 127.0.0.1:445
• Save the config.

Test it all out

Now to connect you need to do the following steps:

• Open putty, load the settings and connect.
• Open Exporer and type in: \\10.0.0.1\

You should now be connected to your remote windows system over a secure encrypted tunnel.

Cheers, Mark

One of my backup scripts started reporting errors recently about running out of space:

Running the command df was showing lots of free space.

However, a quick google on cp "no space left on device" turned up the suggestion to try:

This showed up the problem straight away - I had run out of inodes.

Once the problem is identified it is generally easy to resolve, so I figured out that there was a cron job that was running a wget task and not discarding the output, and so had saved 600,000+ files in their home directory.

However, when I tried to delete them I encountered another problem:

There were so many files that I couldn't use standard delete commands.

Another quick google turned up this gem:

I ran the following command to check that I was going to delete the correct files:

And then added the command to actually do the delete:

One final thing was to fix up the cron job that was causing the problem. Adding the parameter --delete-after to wget kept the directory nice and clean.

All fixed. One of the things this has reinforced for me is how important it is to have /home on a seperate partition. If this had not been the case then the problem would have taken longer to happen (due to larger filesystem) but would have been more destructive - as all systems and processes would not have been able to create new files.

Here are two quick tips that I've recently found for server admins:

• Automatically fixing file system errors
• Ignoring directories from updatedb

Automatically fixing file system errors

If you have a remote server, i.e. at a data center 10km or 1000km away this should prevent some panic when rebooting the server remotely.

Ext2/3 will do a filesystem check after a certain number of reboots or time. Most of the time any errors are fixed automatically, but certain errors by default require the root shell and the administrator to fix them. I've seen a few of these happen, but I have always replied yes to the prompts as I don't know enough about file systems to fix it I said no.

So, to prevent the need to rush to a data center and plug in a keyboard and mouse just to press the "Y" key there is and option to automatically assume yes.

On Ubuntu in the file /etc/default/rcS you need to change the following:

Ignoring directories from updatedb

If you have a backup server you may not want it to update the locate db for all your backup files, as it can take a very long time.

To tell locate to ignore a directory you need to add it to the PRUNEPATHS line in the /etc/updatedb.conf file like so:

In the above code I have added the /srv entry to make it ignore all my backups which are held under the /srv directory.

Note: These tips were tested on Ubuntu linux, other distributions will have similar functionality but the file locations may vary.

Cheers, Mark

I found this article on Installing Dell OpenManage Server Administrator on Ubuntu x64 on Keith's Code and am posting here with modifications for 32 bit for my own reference

Dell's OpenManage Server Administrator is a powerful tool for keeping track of your server's health and making sure everything is running as it should. Unfortunately, Dell only released packages for RedHat and SuSE, so installing the software on Ubuntu can be tricky, at best.

There is some information on the Internet about getting the package to install on exotic distributions, but I never found anything definitive. This tutorial will guide you through installing the software and getting the web access up and running. 

My setup is: Dell 2950 with 1 Intel 2.2GHz Processor, 2GB RAM, PERC 5/i SCSI Raid Controller with 2 73GB 15K RPM SAS disks running Ubuntu 8.04.2 LTS 32-bit.

1. Install the kernel modules

The first step is installing the needed kernel modules to support IPMI:

Next,you will want to add those modules to the end of the /etc/modules file. This will allow them to be loaded at boot time.

2. Setup Apt to get the OMSA package

As stated before, Dell only released the OpenManage Server Administrator for RedHat and SuSE. However, someone was kind enough to create an installable Debian based package for us. In order to get access to that package, you will need to add the following line to /etc/apt/sources.list:

Then, you will need to install the Pulic Key for that repository. To do that, create a temporary directory in your home folder and run the following commands from that folder:

3. Install the needed packages

Now it's time to install all the packages that will be needed:

4. Start SNMP

The following commands will enable SNMP and get it going:

If you get and error like:

You may need to reconfigure the dynamic linker so that it knows the new libraries are.

5. Start the web services

Start the Dell OMSA web interface:

6. Add a user to access the OMSA site

If your system is setup properly, you shouldn't have a password for the root user. To access the OpenManage client, you need to have root access. There is a way to do this without giving the root user a password. I created a user called dellroot that will be able to access the OMSA client:
sudo useradd dellroot
sudo usermod -g root dellroot
sudo passwd dellroot

Enter a secure password for the user when prompted.

7. Check it out

Now you should be able to access the OpenManage web interface by going to https://<servername>:1311 (e.g., https://www.example.com:1311)

Make sure you are using https and you add the port number of 1311 to the end of the URL. You can login using the dellroot user you just created. 

If you are using firefox, you will have to add a security exception for the self-signed certificate the server is using.

Thanks Keith for the helpful reference.

Cheers, Mark

I've been using SSH portforwards extensively for getting access to remote networks securely for years, but today I came across another very useful thing you can do with SSH. That is use it as a SOCKS proxy.

This is useful if you are on a corporate network that has specific restrictions on certain sites that you need to access. You can use the following command so set it up:

This will create a socks proxy on port 8080 and if you configure your browser proxy settings to use a socks proxy on localhost port 8080 - see picture.

Once this is done all your browser traffic will go through the proxy network.

Preventing Port Forwards on your SSH server

However, you may not want everyone who has a login to your ssh server from being able to do this, so you can conditionally limit access to who can do portforward with the following in you sshd_config file:

or

I found that little gem here on nabble.

I ran across some permissions errors on content that some users uploaded to a website. The files uploaded were not world readable so were coming up as forbidden:

This simple find command shows the offending files:

A quickie but a goodie.

Cheers, Mark

One of the features of CF8 that I was most interested in and most let down on was per application mappings. The reason I was so keen was so that we could keep core library application files out of the webroot for additional security, but still have different versions of the same codebase. I.e. some sites running farcry3 some running farcry5 for example.

This didn't transpire and so now we use the following technique on apache to map the folder in and then lock it down with apache.

In the vhost section add the following:

Note: it is important that there is no /farcry mapping defined in the CF Administrator or it will override this setting.

What the above does, is to map in the non-web accessible folder, but then locking it down so it cannot be browsed from the web. This seems pointless but CF can still see the files and correctly resolves the paths even though they are secure from the outside world.

This then allows us to version our sites independently - i.e. if we want to upgrade from farcry 5 to 5.1 we can do it one site at a time, instead of having to test them all at once.

Note - Railo already has per vhost mappings which solve the same problem as this. But if you are on CF7 or CF8 then this works a treat.

Cheers, Mark