Updating the Postfix HOWTO

The time has come to update the Postfix HOWTO for Debian and Ubuntu on the website. There have been lots of changes in the Postfix and Dovecot distributions, as well as input from lots of commenters. With the release of the latest Debian distribution, Etch, there have been some major improvements to various components.

Within the next couple of weeks, I will publish an updated version with hopefully additional features such as DSPAM and other important components for creating an enterprise grade mail server.

I have realized that it is impossible to manage such a large document as a normal post, so if there is time, I will create it using LaTeX or some other tool for managing large documents.

Automate system administration tasks using Nagios

As a system administrator, one often has to do repetitive tasks such as checking for free disk space, checking mail queues and monitoring critical services. If there are only a handful of servers, this task may not be very intimidating, but many times there are many servers to monitor, or you simply want the automation. This is where Nagios comes in.

Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do.

This is exactly what we need to make an automated system for monitoring! I will not go into details on how to set this up, since there is an excellent quick start guide available on the website. Instead I will focus on how Nagios has eased the burden of managing a large number of servers.

I have ready-made templates for servers, and when a new server is added, I just create a copy of the template and add or remove the services that need to be monitored on that server.

Public services are easy to monitor directly from Nagios, but private data such as disk space and CPU load demands a local service running on each of the servers. This is where NRPE comes into play. NRPE is a daemon which listens on the network and responds to Nagios queries by running the standard Nagios plugins locally. In Debian and Ubuntu, just install the nagios-nrpe-server package; on Windows, NSClient is very usable and easy to configure.
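As an added example, not from the original post, here is what such a per-server template and its NRPE counterpart can look like on Debian: the nrpe.cfg fragment restricts which host may query the daemon and pins each command's arguments locally, and the Nagios objects build host1 from a reusable template. The Nagios server address 10.10.10.5, the host name, the alias and the thresholds are constructed; the generic-host and generic-service templates and the check-host-alive command are assumed to be the stock Debian ones.

```ini
# --- /etc/nagios/nrpe.cfg on the monitored Debian host (nagios-nrpe-server) ---
server_port=5666
# Only the Nagios server (constructed address 10.10.10.5) may query this daemon.
# NRPE does no authentication of its own, so this list is the access control.
allowed_hosts=127.0.0.1,10.10.10.5
# Keep remote argument passing off: the server selects a command by name only,
# and the arguments are the ones fixed below on the monitored host.
dont_blame_nrpe=0
# Commands run with locally defined arguments (Debian plugin paths).
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -w 50 -c 200

# --- Nagios server side: a reusable host template and one host copied from it ---
define command {
    command_name  check_nrpe
    command_line  /usr/lib/nagios/plugins/check_nrpe -H '$HOSTADDRESS$' -c '$ARG1$'
}

define host {
    # Template only (register 0): real hosts inherit from it with "use".
    name                 debian-server
    use                  generic-host
    check_command        check-host-alive
    max_check_attempts   3
    contact_groups       admins
    register             0
}

define host {
    use        debian-server
    host_name  host1
    alias      Mail server (constructed example host)
    address    10.10.10.101
}

define service {
    use                  generic-service
    host_name            host1
    service_description  Disk /
    check_command        check_nrpe!check_disk_root
}

define service {
    use                  generic-service
    host_name            host1
    service_description  Mail queue
    check_command        check_nrpe!check_mailq
}
```

Adding a second server of the same kind is then one more host object with "use debian-server" plus the service objects it needs, which is the copy-the-template workflow described above.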

The last thing is alert management. Whoever manages, or is in charge of, a server should receive the Nagios alerts for that server. It dramatically lightens the administration burden if as much of the server and service responsibility as possible can be delegated to other people. For extremely critical services, there should be an SMS gateway which sends a message to the administrator or to whoever is in charge of the server. This ensures that attention is immediately brought to the problem.

Create a fixed size network storage for Time Machine

Time Machine is a backup program built into Mac OS X 10.5, Leopard. It saves all files on the computer to a USB or network drive, which can be used for restoration of individual files or of the whole computer.

The normal behavior of Time Machine is to keep

  • hourly backups for the past 24 hours
  • daily backups for the past month
  • weekly backups until your backup disk is full

It is the last point that might cause some trouble for some people, since many people share the drive with other types of data. There has to be some way to limit the size of the backup volume. This is my approach.

Preparing an image

The first step is to create an image to hold the backup filesystem. If you want this filesystem encrypted, have a look at Mounting encrypted volumes, otherwise just follow the steps below. The image will be created as /ext/timemachine.bin and it will be mounted on /ext/timemachine.mnt.

# Create a sparse file of roughly 250 GB; only the final 1 GB block is actually written
dd if=/dev/zero of=/ext/timemachine.bin bs=1G seek=250 count=1
# Attach the file to a loop device so it can be formatted like a disk
losetup /dev/loop1 /ext/timemachine.bin
mkfs.ext3 /dev/loop1
# Disable the periodic fsck based on mount count and time
tune2fs -c0 -i0 /dev/loop1
losetup -d /dev/loop1
mkdir /ext/timemachine.mnt

The first thing is to create an image file: using the dd command we create an empty 250GB file, which will contain the backups. The next step is to set the image up as a loop device, which makes it possible to mount it as usual. /dev/loop1 is used here, but if you know that it is already occupied, feel free to choose another device.

The next step is to edit /etc/fstab and add a line which will automatically mount the filesystem when the computer boots.

/ext/timemachine.bin /ext/timemachine.mnt ext3 loop=/dev/loop1 0 0

Then mount all filesystems and verify that the image has indeed been mounted.

df -h
/ext/timemachine.bin  248G  188M  235G   1% /ext/timemachine.mnt

There should be a line like the above if everything is working correctly. The last step is to set the correct permissions for the directory for your user.

chown -R joch /ext/timemachine.mnt/

Setting up the Samba share

To connect to the server from the Mac, it is necessary to set up the Samba server. Create a share like the following in /etc/samba/smb.conf.

[tmbup]
comment = Time machine backups
path = /ext/timemachine.mnt
browseable = yes
read only = No
inherit permissions = no
guest ok = no
printable = no

Now just reload Samba and add a user if you have not done so before.

invoke-rc.d samba reload
smbpasswd -a joch

Setting up Time Machine

Connect to the share in Finder as usual.

Finder window

Open up the Time Machine preferences and click Change Disk. It should give you a dialog like this, and Time Machine should then be enabled.

Time Machine setup / Time Machine enabled

If you get the error “Time Machine Error: The backup disk image could not be created.”, you will need to do some magic on the server.

Time Machine error

Start the backup once again, but this time you have to be quick and copy the directory it creates on the server before it finishes. Once Time Machine has finished, the original directory will be deleted, so just copy the saved directory back to the same place.

# Run from inside /ext/timemachine.mnt while the backup is in progress
cp -rp Johnnys\ MacBook\ Pro_001ec2123456.sparsebundle/ ..
# Wait until Time Machine has finished
# Then, from /ext, copy the saved bundle back into the share
cp -rp Johnnys\ MacBook\ Pro_001ec2123456.sparsebundle/ timemachine.mnt/

Now run the backup again, and it should complete successfully!

Time Machine run

This behaviour is very strange, but the above trick always solves the problem.

Run virtual servers using XEN

Running virtual servers may save you a bundle on server costs and at the same time create a more secure environment by separating services into logical hosts. This guide will show you how to set up a XEN virtual server using Debian, but it may also be used on Ubuntu if that is preferred.

Installation

The first task is to install all required software packages. Installing the virtual xen package will in turn install all required programs, like a new libc6, a kernel with virtualization support and the xen hypervisor. Installing xen-tools makes it very easy to create new virtual servers.

# aptitude install xen-linux-system-2.6.18-6-xen-vserver-686 xen-tools

After installing the new kernel and libs, you will need to reboot the computer to use it.

Configuration

The virtual hosts need some way to access the network, so we have to create a network bridge for them to use. Open the file /etc/network/interfaces and create a section like the following. Be sure to change the network settings to reflect your own network.

iface xenbr0 inet static
address 10.10.10.100
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
bridge_ports eth0

Open up the xen configuration file /etc/xen/xend-config.sxp in your favorite editor and make the following changes.

(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)

The configuration file contains lots of comments, so I will not go into detail about every change.

The last configuration is for the xen-tools package, /etc/xen-tools/xen-tools.conf, which we will use to create the virtual machines. Be sure to change the network settings and home directory to match your environment.

dir = /home/xen
dist   = etch
gateway   = 10.10.10.1
netmask   = 255.255.255.0
cache = no
passwd = 1
mirror = http://ftp.se.debian.org/debian/

The rest of the values can probably be left alone, but do take a look at them to see if you need to customize anything.

Now to create a new virtual host, just write the following and debootstrap should start installing a fresh Debian system.

xen-create-image --ip=10.10.10.101 --hostname=host1.chadda.se

When the installation part is finished, just start the host (or "create" it, in Xen speak) using the following command.

xm create /home/xen/domains/host1.chadda.se/host1.chadda.se.cfg

If you add the -c option, you will attach to the virtual console and you will see all output from the guest.

Enjoy

Now enjoy your new virtualized server!

Ubuntu 7.10 – The Gutsy Gibbon released

The time has come for the new Ubuntu version to be released. The Gutsy Gibbon is here with lots of new features including desktop search, NTFS writing, encrypted hard disks and AppArmor. You can read more about the new features in the release notes.

Updating to 7.10 is very easy and just involves starting the update manager and pressing Upgrade.

updatemanager.png

If you don’t want to upgrade or are doing a new installation, just head over to Ubuntu.com and download your ISO image now!

There was a small meetup in Stockholm yesterday with people from the Ubuntu-SE forums and #ubuntu-se IRC channel. My camera photos did not turn out very well, but hopefully someone else will have some images.

Add proper SSL/TLS support for all applications using stunnel

I really like Evolution both for email and its calendaring features. The problem is that one of my email accounts requires an SSL client certificate to be able to connect. Thunderbird supports this out of the box, but Evolution does not. Instead of patching Evolution itself, it would be much easier to just proxy the requests. Here is where stunnel comes in.

Using stunnel, it is possible to set up an SSL connection and have Evolution run an unencrypted channel through it. Since this opens a tunnel directly to the mail server, it is very important to bind stunnel only to localhost. Otherwise, anyone who can reach your machine will be able to use your tunnel to connect to your server!

So in my scenario I want to use a client certificate in SSL. The following command does everything I need:

stunnel -d localhost:9930 -r mail.xx.yy:993 -c -p ~/mail.pem

This sets up a listening socket on localhost port 9930, connects it to mail.xx.yy port 993 and uses mail.pem as the client certificate. Evolution can now be set up with localhost:9930 as the mail server and SSL encryption turned off in Evolution, since stunnel adds it.

If you want this for SMTP, which usually uses explicit SSL (the session starts in plaintext and is upgraded using STARTTLS), stunnel even has support for that. Just extend the previous command to this.

stunnel -d localhost:20025 -r smtp.xx.yy:25 -c -p ~/mail.pem -n smtp

Using -n smtp tells stunnel to speak SMTP with the server and negotiate the TLS connection with STARTTLS before it lets Evolution proceed with its connection.
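The same two tunnels written as a stunnel 4 configuration file, added here as an example rather than taken from the post; the certificate path /home/joch/mail.pem and the CA bundle path are assumptions, and the server names mirror the placeholders above. Besides keeping both listeners on 127.0.0.1, it makes stunnel verify the servers' certificates, which matters here because Evolution's own SSL checking is switched off in this setup.

```ini
; Run with: stunnel ~/stunnel.conf
; Global defaults, inherited by every service section below.
foreground = yes
; Empty value: do not write a pid file (we run in the foreground)
pid =
; We connect out to the mail servers as a TLS client
client = yes
; Client certificate and key, same file as -p ~/mail.pem in the post
; (assumed path; stunnel.conf does not expand ~)
cert = /home/joch/mail.pem
; Verify the server certificate against a CA bundle (assumed Debian path).
; Without this, stunnel would happily forward plaintext mail to whoever
; answers on that port, and Evolution is no longer checking anything.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[imaps]
; Loopback only: a 0.0.0.0 listener would let anyone on the network
; use the tunnel, authenticated with your client certificate.
accept  = 127.0.0.1:9930
connect = mail.xx.yy:993

[smtp-starttls]
accept   = 127.0.0.1:20025
connect  = smtp.xx.yy:25
; Speak SMTP, issue STARTTLS, then hand the encrypted session to Evolution
protocol = smtp
```

Check the result with "netstat -ltn" (or "ss -ltn"): both ports must show 127.0.0.1 as the local address, not 0.0.0.0.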

Test Ubuntu without repartitioning your harddrive

Many people in the support channels on IRC ask if there is a way to try Ubuntu without having to repartition the drive. There is of course the possibility to run it from the live-CD, but it is very slow and the settings are not permanently stored.

Let me introduce Wubi.

Wubi is a free software installer, specialized for installing Ubuntu and its derivatives (Kubuntu and Edubuntu). What makes Wubi special is that it is a Windows-based installer, which installs everything into a special loop device. The user sees this disk image as a normal file within Windows, but it contains the entire Ubuntu installation.

wubi.png

I have not yet had the opportunity to try the Wubi installer, but will of course test it when the time is right. Do note that this is beta software, so don’t be surprised if not everything works yet.

It is the perfect way for people interested in trying out Ubuntu for a while without committing to changing the partition layout, formatting, or other potentially dangerous operations.

VirtualBox 1.5.0 – Getting rid of dual boot

I dual boot with Windows on my work laptop, since there are occasionally things that can only be done in Windows. VirtualBox released 1.5.0 a while back, with support for seamless window integration between the virtual environment and the real Linux desktop. Cool!

That particular feature does have some problems though, which make it unusable in its current state, but it will most definitely be fixed in future releases. It has to do with a black desktop and window mappings that are somewhat out of place.

I need to access USB smartcards, dongles and other things within this virtual machine. With the default Ubuntu settings, this does not seem to work correctly. The following message is displayed when trying to access an external device:

Not permitted to open the USB device, check usbfs options.

The solution is simple and consists of the following steps:

  1. Add yourself to the "vboxusers" group
  2. Edit /etc/udev/rules.d/40-permissions.rules, find the line containing SUBSYSTEM=="usb_device" and change its arguments to GROUP="vboxusers", MODE="0664".
  3. sudo invoke-rc.d udev restart

Now most of your USB thingies should work.

Ubuntu month of screencasts

This month, the Ubuntu screencast team will release one video per day. They contain information on how to accomplish various tasks, such as printing, file sharing and even how to download and burn an Ubuntu CD using Windows.

The project is called Month Of Screencasts 2007, and is available in lots of different formats.

This relates to an earlier post about using videos to describe tasks, and it seems that the screencast team has come a long way and is doing well.

Full Circle Magazine issue 4 – not only new content

The Ubuntu-centric magazine Full Circle Magazine released their fourth issue earlier this week. Of course there is lots of new interesting content as usual, but this time there is another thing to take note of.

The format of the magazine has wandered away from the regular A4/letter format and uses a format perfect for on-screen reading. This is some serious thinking outside the box, and makes for some interesting design opportunities, and constraints.

fullcircle.png

Great work as always!

Edit: Oops, I accidentally wrote the wrong issue number.