Today I’ve decided to renew my GPG key and revoke my old keys.
My new key (RSA 4096 bits long):
pub 4096R/3AD7C937 2011-10-29
Key fingerprint = 7DC2 7830 9240 D00B 5701 1122 863D F001 3AD7 C937
uid Ilya A. Otyutskiy <sharp@thesharp.ru>
uid Ilya A. Otyutskiy <sharp@ukhta-uug.org>
uid Ilya A. Otyutskiy <ilya.otyutskiy@gmail.com>
sub 4096R/22BA2768 2011-10-29
The following keys were revoked:
- 63FDED7B
- 6497DDB3
- AFF567C4
- C55710EF
I’ve lost the private key of FD535F42 a long long time ago, so you shouldn’t use it.
Just in case here’s the armored version of my new public key:
A quick note to myself.
Up-to-date natty has the subj problem on my Asus 1201T netbook. Here’s the way to fix it:
# echo "options snd-hda-intel model=auto" >> /etc/modprobe.d/alsa-base.conf
# alsa force-reload
A couple of days ago I decided to play with xen virtualization. At that moment there was no opportunity to install it on proper hardware, so I decided to deploy it on one of the laptops in the office. It was an HP 510 (don’t like that model cos it has only one RAM slot). I started to install CentOS there and selected only core packages (unchecked all of the checkboxes).
After successful installation I discovered that it has xen installed. And I was like “oh what the hell is that I’ve unchecked everything it should be the minimal installation”. But it wasn’t. It had xen there.
Here is my anaconda-ks.cfg from that host:
# Kickstart file automatically generated by anaconda.

install
url --url http://mirror.yandex.ru/centos/5.5/os/i386
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp --hostname xen01
rootpw --iscrypted [ hash was there :) ]
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone Europe/Moscow
bootloader --location=mbr --driveorder=hda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --linux
#part / --fstype ext3 --size=10240 --asprimary
#part swap --size=2048 --asprimary
#part pv.9 --size=100 --grow --asprimary
#volgroup vg00 --pesize=32768 pv.9

%packages
@core

As you can see there is only @core stuff in the %packages section. But the hostname says “xen01”. So what’s that? An artificial intelligence in anaconda? :)
I have an Android-driven HTC Hero phone. During the past few weeks I’ve noticed that my battery is almost dead at the end of the day. It was very strange because my phone told me that the battery condition is ‘Good’. Usually I charge my phone once every two days. So I started thinking about what it could be. I realized that one thing changed during that period: I started to experience wireless problems at work. So eight hours a day I’m using a battery-draining 3G connection to update gmail, twitter and stuff.
Here at office we have two different wireless access points. First one is D-Link DWL-900AP+. I just can’t connect to it. The phone keeps printing “Connecting…” line and nothing happens next no matter how long you will wait. We had a Linksys one before and it worked just fine. And I have Asus WL-500GPV2 at home and it perfectly works.
The second one is our current topic of interest. It is an IBM ThinkPad A31 laptop with a D-Link DWL-AG660 pcmcia-card plugged in. That whole setup was made by my junior admin. He just grabbed the first installation CD from the box and it was Ubuntu Lucid. So we have here a wireless access point with gnome and stuff. It has a software called hostapd which turns it into an access point. That access point previously worked fine but a couple of weeks ago the problem appeared.
Once again I tried to connect to our second access point but it simply refused my correct password. That’s the problem I mentioned in the end of the previous paragraph. I double checked it with hostapd.conf and it was correct.
There was something like that in logfiles:
Dec 3 17:37:03 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: authenticated
Dec 3 17:37:03 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: associated (aid 1)
Dec 3 17:37:06 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: deauthenticated due to local deauth request
In dpkg log files (/var/log/dpkg*) I saw that the system was installed on the 23rd of September (that’s why it was Lucid, there was no Maverick at that date) and was never updated. Also motd had a notice about an enormous amount of packages for upgrade. I ran an upgrade using aptitude via screen and went home. Next morning I rebooted the laptop into the new kernel after the updates and tried once again.
That time the connection went well and everything worked as it was supposed to. And we could see this:
Dec 7 11:14:42 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: authenticated
Dec 7 11:14:42 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: associated (aid 2)
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: received EAPOL-Key 2/4 Pairwise with unexpected replay counter
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 RADIUS: starting accounting session 4CFCFCD8-00000013
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: pairwise key handshake completed (WPA)
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: group key handshake completed (WPA)
The bottom line here is to update everything to the latest available version before starting to fix the problem.
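An added example, not part of the original post: a shell function that runs awk over hostapd syslog lines and reports, for each association, whether the pairwise key handshake completed or the station was deauthenticated first. The input is the set of log lines quoted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). For every association in
# hostapd syslog output, report whether the WPA handshake completed.

# sample_log: the hostapd lines quoted in the post.
sample_log() {
cat <<'EOF'
Dec 3 17:37:03 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: authenticated
Dec 3 17:37:03 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: associated (aid 1)
Dec 3 17:37:06 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: deauthenticated due to local deauth request
Dec 7 11:14:42 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: authenticated
Dec 7 11:14:42 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 IEEE 802.11: associated (aid 2)
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: received EAPOL-Key 2/4 Pairwise with unexpected replay counter
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 RADIUS: starting accounting session 4CFCFCD8-00000013
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: pairwise key handshake completed (WPA)
Dec 7 11:14:43 wi-fi hostapd: wlan0: STA 00:23:76:3f:31:29 WPA: group key handshake completed (WPA)
EOF
}

# handshake_report: read hostapd lines on stdin and print
# "<month> <day> <time> <station MAC> <ok|failed|pending>" per association.
handshake_report() {
    awk '
    / hostapd: / {
        mac = ""
        for (i = 1; i < NF; i++) if ($i == "STA") { mac = $(i + 1); break }
        if (mac == "") next
        if ($0 ~ /: associated/) {
            # A new association opens a new record for this station.
            n++; who[n] = mac; at[n] = $1 " " $2 " " $3
            state[n] = "pending"; cur[mac] = n
        } else if (mac in cur) {
            s = cur[mac]
            if ($0 ~ /pairwise key handshake completed/) state[s] = "ok"
            else if ($0 ~ /deauthenticated/ && state[s] == "pending") state[s] = "failed"
        }
    }
    END { for (k = 1; k <= n; k++) print at[k], who[k], state[k] }
    '
}

sample_log | handshake_report
```

On a live access point the same function can read the syslog file directly; a station that keeps showing `failed` is associating but never finishing the handshake.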
As I mentioned before, now we have a molly-guard package for CentOS. My amount of CentOS servers at work is huge. Luckily I’m successfully using puppet software to configure my servers. As all of them are in puppet I can install a package on all of them with little effort.
First of all, I decided to set up a repository for molly-guard. I did yum install lighttpd on one of my servers and put in its www-root a directory called molly. Then I moved my package there. The package itself has noarch architecture so I decided that I don’t need a proper directory structure for my repo. A handy tool which helped me to build a repo is createrepo (yum install createrepo). I did createrepo /var/www/lighttpd/molly and the repository was ready.
To use that repository we need a .repo-file which we will put in /etc/yum.repos.d directory. Mine is something like this:
[molly]
name=molly-guard noarch
baseurl=http://domain.tld/molly/
enabled=1
gpgcheck=0

Now we have a valid repository from which we can install molly-guard via yum. It’s time for puppet to do its job. I decided to make two separate modules for puppet: one to add a repository and another to install a package. It is completely your call to keep it separated or united, I just felt like doing it this way.
My first module called yumrepo looks like this:
class yumrepo {
  file { "/etc/yum.repos.d/molly.repo":
    owner  => "root",
    group  => "root",
    mode   => "644",
    source => [ "puppet:///yumrepo/default/molly.repo" ],
  }
}
And my second module called molly_guard looks like this:
class molly_guard {
  package {
    "molly-guard": ensure => present;
  }
}
So now we can include those two modules in node definitions and all the magic will be done. And do not forget to edit your fileserver.conf to correctly serve molly.repo file.
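The molly.repo above sets gpgcheck=0 and an http:// baseurl, and puppet copies it to every node, so each server installs whatever that URL returns without a signature check. The following is an added example, not part of the original post: a shell check that lists such repository definitions in a directory. The function names, the https URL and the gpgkey path in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Flag yum repository
# definitions that skip package signature checks or use plain HTTP.

# make_sample DIR: the molly.repo from the post plus a constructed hardened
# variant; the https URL and the gpgkey path are placeholders.
make_sample() {
    printf '%s\n' '[molly]' 'name=molly-guard noarch' \
        'baseurl=http://domain.tld/molly/' 'enabled=1' 'gpgcheck=0' \
        > "$1/molly.repo"
    printf '%s\n' '[molly-signed]' 'name=molly-guard noarch' \
        'baseurl=https://domain.tld/molly/' 'enabled=1' 'gpgcheck=1' \
        'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example' \
        > "$1/molly-signed.repo"
}

# audit_repos DIR: print "<file>:[<repo id>]: <finding>" for enabled repos.
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
        function report() {
            if (sec == "" || enabled == "0") return
            if (gpg ~ /^(0|no|false)$/) print file ":[" sec "]: gpgcheck disabled"
            if (url ~ /^http:/) print file ":[" sec "]: baseurl uses plain http"
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            report()
            sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
            gpg = ""; url = ""; enabled = "1"
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = val
            else if (key == "baseurl") url = val
            else if (key == "enabled") enabled = val
        }
        END { report() }
        ' "$f"
    done
}

d=$(mktemp -d) && make_sample "$d" && audit_repos "$d"
rm -rf "$d"
```

Run as `audit_repos /etc/yum.repos.d` on a managed node. A repository that leaves gpgcheck unset inherits the value from the [main] section of yum.conf and is not reported here.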
As I mentioned in my previous post, molly-guard is a pretty neat package. But it is written for Debian/Ubuntu and officially available only in those distributions. I have a large amount of CentOS servers at work and I want to have molly-guard there. I decided to write a .spec file for molly-guard and make a .rpm package. Just after I did an update for my personal builder, I thought that there is a chance that someone has already made such a package. So I did a google search and found one. It is mirrored here.
The package has /etc/profile.d/molly-guard.sh and /etc/profile.d/molly-guard.csh files whose purpose is to reorder the $PATH environment, because Redhat’s $PATH ordering differs from Debian’s. Redhat’s has /sbin before /usr/sbin.
There is a neat package in debian/ubuntu repository called molly-guard.
Its main purpose is to protect a host from accidental shutdown/reboot. I believe every administrator typed the ‘poweroff’ command into the wrong terminal at least once. Unplanned downtime is such a pain in the arse. It’s no big deal if it was your personal router or something but IT IS a big deal if it was a web-frontend of a big corporate project. And the explanation “I accidentally typed poweroff into wrong terminal” for 15 minutes downtime (usual time here in Moscow to call DC’s NOCs and make a ticket to press the power button on the host) of a very important project is just unacceptable. So it’s better to be prepared for such things.
The package consists of a bunch of shell scripts (poweroff, halt, reboot, shutdown) deployed in /usr/sbin. When you type, for example, a halt command, molly-guard’s wrapper will run instead of your original halt binary, because it’s located in the /usr/sbin directory which is before /sbin in your $PATH environment.
So here’s a little request to any debian/ubuntu administrator out there: type apt-get install molly-guard and have a cute solution for such an annoying problem.
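An added example, not part of the original posts: it covers both the Debian behaviour described here and the Redhat $PATH ordering mentioned in the RPM post. It resolves a command against a given $PATH in a throwaway directory tree, so you can see that the wrapper only takes effect when /usr/sbin precedes /sbin. The function names and the fake halt scripts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original posts). Show which copy of a command
# a given PATH ordering selects, using a throwaway tree instead of the real
# /sbin and /usr/sbin.

# make_tree ROOT: fake "real" halt in ROOT/sbin, fake wrapper in ROOT/usr/sbin.
make_tree() {
    mkdir -p "$1/sbin" "$1/usr/sbin"
    printf '#!/bin/sh\necho real\n'    > "$1/sbin/halt"
    printf '#!/bin/sh\necho wrapper\n' > "$1/usr/sbin/halt"
    chmod +x "$1/sbin/halt" "$1/usr/sbin/halt"
}

# resolve_in CMD PATHSTRING: print the first executable CMD found in
# PATHSTRING, walking the directories left to right as the shell does.
resolve_in() {
    _old_ifs=$IFS; IFS=:
    for _dir in $2; do
        if [ -x "${_dir:-.}/$1" ] && [ ! -d "${_dir:-.}/$1" ]; then
            IFS=$_old_ifs; printf '%s\n' "${_dir:-.}/$1"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# guarded CMD PATHSTRING WRAPPER_DIR: succeed only if CMD resolves to the
# copy inside WRAPPER_DIR, i.e. the wrapper shadows the real binary.
guarded() {
    [ "$(resolve_in "$1" "$2")" = "$3/$1" ]
}

root=$(mktemp -d) && make_tree "$root"
# Debian-style ordering: the wrapper in usr/sbin is found first.
guarded halt "$root/usr/sbin:$root/sbin" "$root/usr/sbin" && echo "debian order: guarded"
# Redhat-style ordering: sbin comes first, so the real binary runs.
guarded halt "$root/sbin:$root/usr/sbin" "$root/usr/sbin" || echo "redhat order: NOT guarded"
rm -rf "$root"
```

On a real host, `guarded halt "$PATH" /usr/sbin` gives the same answer for the current session, which is a quick way to confirm the profile.d reordering actually applied.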