vanutsteen.nl => nerds only » Linux
http://v3.vanutsteen.nl
A blog on rails, php, computing, my bass guitar and stuff

Some handy bacula commands
http://v3.vanutsteen.nl/2012/09/20/some-handy-bacula-commands/
Thu, 20 Sep 2012 06:26:30 +0000, LeonB

Show what files will be backed up:

echo "estimate job=client.vanutsteen.nl listing client=client.vanutsteen.nl fileset=Server" | bconsole

List all files backed up in a particular job:

echo "list files jobid=12"  | bconsole

How to repair an SQLite database
http://v3.vanutsteen.nl/2012/09/17/how-to-repair-an-sqlite-database/
Mon, 17 Sep 2012 06:14:48 +0000, LeonB

echo ".dump" | sqlite3 old.db | sqlite3 new.db

Explanation: pipe “.dump” to sqlite and use that output (the dump itself) to fill the new.db database.

Cleaning up Git
http://v3.vanutsteen.nl/2012/09/15/cleaning-up-git/
Sat, 15 Sep 2012 13:13:21 +0000, LeonB

I had this huge git repository (1.9 gigabyte) and I couldn’t discover WHY it was SO big. After reading up on some git cleaning et cetera I did a `git gc`. I went from 1.9g to 12mb (megabytes yes). Unbelievable…

git-gc – Cleanup unnecessary files and optimize the local repository

Ubuntu & special characters
http://v3.vanutsteen.nl/2012/09/11/ubuntu-special-characters/
Tue, 11 Sep 2012 21:20:46 +0000, LeonB

https://help.ubuntu.com/12.04/ubuntu-help/tips-specialchars.html

I set my Compose Key to Right Alt.

OpenWrt OpenVPN & Gnome Network Manager + tls-remote
http://v3.vanutsteen.nl/2012/08/29/openwrt-openvpn-gnome-network-manger-tls-remote/
Wed, 29 Aug 2012 15:12:37 +0000, LeonB

I’ve bought myself a Netgear WNDR3800 and put OpenWrt on it. I’m loving it! It’s not as easy to use as Tomato but it is much, much more modular and configurable.
One of the first things I did was installing OpenVPN on it. Currently I have OpenVPN running on my Pandaboard but if it was possible I would like to have OpenVPN running on my router.

After that was done and it ran ok I decided to have another look at the settings of my OpenVPN client: Gnome Network Manager

My previous setup used three separate certificates/keys: a user certificate, a CA certificate and a private key (and actually a ta.key). I used the `build-key` command to generate a new user certificate on the router which generated a *.p12 file. I first wanted to extract the three different certificates from the PKCS12 file but it appears that Network Manager can use those files.

After I figured that out I wanted to make OpenVPN a little more secure. I had three things in mind:

  1. CRL (certificate revocation list)
  2. Additional TLS authentication
  3. Certificate Subject Match

CRL

Add this to `/etc/config/openvpn`:

option 'crl_verify' '/etc/easy-rsa/keys/crl.pem'

Then I wanted to create the (empty) crl.pem with this command:

openssl ca -config /etc/easy-rsa/openssl.cnf -gencrl -out /etc/easy-rsa/keys/crl.pem

But it kept throwing errors: `27215:error:0E065068:lib(14):func(101):reason(104)`

It turned out that I had to add these lines to `/etc/easy-rsa/vars`:

export KEY_OU=""
export KEY_CN=""
export KEY_NAME=""

After that the creation of the crl.pem succeeded.

Additional TLS authentication

This was a lot simpler. Generate the ta.key on the router:

openvpn --genkey --secret /etc/openvpn/ta.key

Add this to `/etc/config/openvpn`:

option 'tls_auth' '/etc/openvpn/ta.key 0'

And lastly, make sure the advanced section of the openvpn connection of Gnome Network Manager looks like this (copy the ta.key to your local machine):

Certificate Subject Match

I tried some time ago to make the Subject Matching work in Network Manager but I kept getting errors. This time I persisted and I got it working. It all had to do with the format of tls-remote (same thing, but this is the way openvpn calls it).

First, on the router, do this:

openssl x509 -in router.vanutsteen.nl.crt -text -noout | grep "Subject:"

You get something like:

C=MyCountry, ST=MyState, L=MyCity, O=example.tld, CN=host.example.tld/name=MyFirstName MyLastName/emailAddress=myname@example.com

First, prepend a ‘/’ to the string. Next, replace all occurrences of ‘, ’ with ‘/’. Now you have something like:

/C=MyCountry/ST=MyState/L=MyCity/O=example.tld/CN=host.example.tld/name=MyFirstName MyLastName/emailAddress=myname@example.com

So far, so good. Now the tricky part. It seems that openssl/openvpn substitutes dots and spaces in X509 names as underscores. I could not find any documentation on it…

So change `name=MyFirstName MyLastName` to `name=MyFirstName_MyLastName`. You then end up with:

/C=MyCountry/ST=MyState/L=MyCity/O=example.tld/CN=host.example.tld/name=MyFirstName_MyLastName/emailAddress=myname@example.com

Now, everything should work as planned!
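
The conversion steps above as a small shell function, run on the placeholder subject from this post. This is an added example, not part of the original post; the function names `subject_to_tls_remote` and `tls_remote_matches` are made up for illustration.

```sh
#!/bin/sh
# subject_to_tls_remote LINE
# LINE is the "Subject:" line from `openssl x509 -text -noout`.
# Applies the steps from the post: drop the "Subject:" label, turn the
# ", " separators into "/", turn the remaining spaces into "_", and
# prepend "/". Dots are left alone, as in the final string of the post.
# Limitation: a field value that itself contains ", " is split as well.
subject_to_tls_remote() {
    printf '%s\n' "$1" | sed \
        -e 's|^[[:space:]]*Subject:[[:space:]]*||' \
        -e 's|[[:space:]]*$||' \
        -e 's|, |/|g' \
        -e 's| |_|g' \
        -e 's|^|/|'
}

# tls_remote_matches CONFIGURED LINE
# Exit status 0 when the value configured in the client equals the string
# derived from the certificate's subject line, 1 otherwise. Useful as a
# check before pasting the value into Network Manager.
tls_remote_matches() {
    [ "$1" = "$(subject_to_tls_remote "$2")" ]
}

# Constructed sample: the placeholder subject used in the post, with the
# indentation that `openssl x509 -text` puts in front of "Subject:".
SAMPLE_SUBJECT='        Subject: C=MyCountry, ST=MyState, L=MyCity, O=example.tld, CN=host.example.tld/name=MyFirstName MyLastName/emailAddress=myname@example.com'

subject_to_tls_remote "$SAMPLE_SUBJECT"
```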

Gitlab resque & supervisord
http://v3.vanutsteen.nl/2012/08/07/gitlab-reque-supervisord/
Tue, 07 Aug 2012 08:38:16 +0000, LeonB

Gitlab needs at least one resque daemon. I always forget to start it when I boot the (virtual) pc where gitlab resides. So I installed supervisord and set up this conf file:
/etc/supervisor/conf.d/resque.conf:

[program:resque]
command=bundle exec rake environment resque:work
# Do not use BACKGROUND=No, it only checks if BACKGROUND is set
environment=QUEUE="post_receive,mailer,system_hook",RAILS_ENV="production"
process_name=resque
numprocs=1
directory=/home/gitlab.tim-online.nl/public_html
autostart=true
autorestart=true
user=gitlab.tim-online.nl

Upgrading OpenElec on the Raspberry Pi
http://v3.vanutsteen.nl/2012/07/30/upgrading-openelec-on-the-raspberry-pi/
Mon, 30 Jul 2012 19:32:12 +0000, LeonB

I’ve installed openelec on my Raspberry Pi. It worked great! I upgraded regularly with the prebuilt openelec binaries. The upgrade from r11493 to r11691 however went wrong. The system still booted but the screen stayed black. After some awesome help on the #openelec irc channel I solved it. I always updated openelec by moving the files from the “target/” folder in the openelec packages to /storage/.update on the Raspberry Pi. However on the irc channel I learned I also should update the bootloader and driver files.

These are the steps to update the bootloader and driver files. On the Pi:

ssh openelec
mount -o remount,rw /flash

Then copy the files from 3rdparty/bootloader in the openelec package to /flash on the Raspberry Pi. I did it using gvfs in nautilus (ssh://openelec/flash).

I rebooted and my Raspberry Pi worked again!

In the process of finding how to solve my problem I also found another source for prebuilt Raspberry Pi openelec packages. They aren’t “official” packages from openelec but they worked very well for me.

Upgrading gitlab to the new stable
http://v3.vanutsteen.nl/2012/07/22/upgrading-gitlab-to-the-new-stable/
Sun, 22 Jul 2012 16:20:18 +0000, LeonB

cd ~/public_html/
git checkout stable
RAILS_ENV=production rake db:migrate
bundle install --without development test --deployment
sudo service nginx restart

Git: an easy way to change authors name
http://v3.vanutsteen.nl/2012/07/16/git-an-easy-way-to-change-authors-name/
Mon, 16 Jul 2012 16:25:27 +0000, LeonB

git filter-branch --commit-filter '
  if [ "$GIT_AUTHOR_NAME" = "LeonB" ]; then
    export GIT_AUTHOR_NAME="Leon Bogaert";
    export GIT_AUTHOR_EMAIL=leon@tim-online.nl;
  fi; git commit-tree "$@"'

After this is done you can do:

git push -f

It says some scary things like:

# Your branch and 'origin/v3' have diverged,
# and have 75 and 75 different commits each, respectively.

But you can ignore those.

Installing & using flexget
http://v3.vanutsteen.nl/2012/07/16/installing-using-flexget/
Sun, 15 Jul 2012 22:05:18 +0000, LeonB

Install dependencies from Ubuntu repositories

sudo apt-get install python-setuptools python-transmissionrpc

Edit ~/.pydistutils.cfg

[easy_install]
user = true

Install flexget

easy_install flexget
mkdir ~/.flexget

Edit ~/.flexget/config.yml


feeds:
  Coder Radio Video:
    rss: http://feeds.feedburner.com/coderradiovideo
    exists: /media/freenas/podcasts/Coder Radio Video/
    download: /media/freenas/podcasts/Coder Radio Video/

  Dev1.tv:
    rss: http://feeds.feedburner.com/dev1tv
    exists: /media/freenas/podcasts/Dev1.tv/
    download: /media/freenas/podcasts/Dev1.tv/

  FauxShow HD:
    rss: http://www.jupiterbroadcasting.com/feeds/FauxShowHD.xml
    exists: /media/freenas/podcasts/FauxShow HD/
    download: /media/freenas/podcasts/FauxShow HD/

  In Depth Look HD:
    rss: http://www.jupiterbroadcasting.com/feeds/indepthlookihd.xml
    exists: /media/freenas/podcasts/In Depth Look HD/
    download: /media/freenas/podcasts/In Depth Look HD/

#  TechSNAP Large Video:
#    rss: http://feeds.feedburner.com/techsnaplarge
#    exists: /media/freenas/podcasts/TechSNAP Large Video/
#    download: /media/freenas/podcasts/TechSNAP Large Video/

  The Changelog:
    rss: http://feeds.feedburner.com/thechangelog
    exists: /media/freenas/podcasts/The Changelog/
    download: /media/freenas/podcasts/The Changelog/

#  The Linux Action Show! Video:
#    rss: http://feeds.feedburner.com/computeractionshowvideo
#    exists: /media/freenas/podcasts/The Linux Action Show! Video/
#    download: /media/freenas/podcasts/The Linux Action Show! Video/

  unfilter HD:
    rss: http://www.jupiterbroadcasting.com/feeds/unfilterHD.xml
    exists: /media/freenas/podcasts/unfilter HD/
    download: /media/freenas/podcasts/unfilter HD/

  Linux Action Show Torrent:
    rss: http://www.jupiterbroadcasting.com/feeds/lasstorrent.xml
    exists: /media/freenas/podcasts/The Linux Action Show! Video/
    set:
      transmission:
        enabled: yes
      path: /media/freenas/podcasts/The Linux Action Show! Video/

  TechSNAP Torrent:
    rss: http://www.jupiterbroadcasting.com/feeds/TechSNAPTorrent.xml
    exists: /media/freenas/podcasts/TechSNAP Large Video/
    set:
      transmission:
        enabled: yes
      path: /media/freenas/podcasts/TechSNAP Large Video/

presets:
  global:
    accept_all: yes
    limit_new: 2
    transmission:
      host: localhost
      port: 9091
      username: transmission
      password: transmission
      honourlimits: yes
      maxdownspeed: 200
      maxupspeed: 20
      enabled: no

Now test it:


flexget --check
flexget --test

Mark all current feed items as seen


flexget --learn

Download one feed


flexget --feed "unfilter HD"

Unmark feed as seen

flexget --forget "unfilter HD"

Add it to cron


/usr/bin/nice -n19 /home/leon/.local/bin/flexget --cron

How to install gitlab on Ubuntu Server 12.04 (precise) the right way
http://v3.vanutsteen.nl/2012/07/09/how-to-install-gitlab-on-ubuntu-server-12-04-precise-the-right-way/
Mon, 09 Jul 2012 19:21:08 +0000, LeonB

This weekend I’ve been installing Gitlab on a LXC guest. The host is running Ubuntu 12.04 and so is the guest. I tried to document my steps the best I could so I could share my experiences with it. Sometimes I had to go back a few steps so maybe some things are garbled, but I believe this is still a good starting point for setting up gitlab on an Ubuntu server.

My main goals were:

  • use as much software from the Ubuntu repositories as possible so I don’t have to worry about security updates et cetera
  • keep the installation as simple as possible so I still understand it when I look at it in 6 months
  • keep the software (gitolite) in the default Ubuntu location(s)

This tutorial assumes you have some good knowledge about Linux (servers) so it doesn’t spell out everything.

The steps found on the Gitlab website are quite accurate so keep them in mind:

  1. login as user, install git & generate ssh key
  2. Install ruby 1.9.2
  3. Install gitolite with umask 0007 and add your user to git group
  4. logout & login again
  5. Clone & setup gitlab (checkout project wiki on github)
  6. Start server. Enjoy!

My global setup

  • Installed Gitolite, Redis and Ruby from the default Ubuntu repositories
  • Installed Nginx (nginx-full) with Ruby/Phusion Passenger support from the Brightbox testing repositories (stable didn’t yet support Ubuntu 12.04 Precise)
  • Gitlab + dependencies are managed by bundler (build from source)
  • Nginx is running as the gitlab user

Step 1: installing Nginx with Phusion Passenger (mod_rails) support on Ubuntu 12.04

add-apt-repository ppa:brightbox/passenger-nginx-testing
apt-get update
apt-get install nginx-full
cat <<EOF > /etc/nginx/conf.d/passenger.conf
passenger_root /usr/lib/phusion-passenger;
EOF

I had some troubles with this version of Nginx from Brightbox because of some missing mime-type config file. That was quickly solved by copying it from another server.

The configuration file of my gitlab virtual host I put in: /etc/nginx/sites-available/gitlab.host.tld.

The contents of that file can be found here.

Step 2: installing dependencies from Ubuntu sources

apt-get install gitolite ruby1.9.3 redis-server ruby-bundler rake

For the gitolite configure screens: just keep hitting enter

Step 3: installing build dependencies for ruby gems needed by gitlab

apt-get install make libxml2-dev g++ libicu-dev ruby1.9.1-dev libmysqlclient-dev libsqlite3-dev

Step 4: setting up your gitlab user: creating it, giving it permissions and generating a ssh key

adduser --disabled-login --disabled-password --force-badname gitlab.host.tld
usermod --append --groups gitolite gitlab.host.tld
su -s /bin/bash gitlab.host.tld
ssh-keygen
exit

Step 5: configuring gitolite with the ssh public key of your gitlab user

(as root)

dpkg-reconfigure gitolite

The question about the public key can be answered with the contents of `/home/gitlab.host.tld/.ssh/id_rsa.pub`

Step 6: loosening the permissions so the gitlab user can reach the gitolite files

Only do this when you know what you’re doing!

chmod g+rw /var/lib/gitolite/repositories --recursive
chmod g+rw /var/lib/gitolite/.gitolite.rc

This works because we added our user gitlab.host.tld to the gitolite group remember?

Next: edit /var/lib/gitolite/.gitolite.rc and change this line:

$REPO_UMASK = 0077; # gets you 'rwx------'

to:

$REPO_UMASK = 0007; # rwxrwx---

This makes sure newly created files/directories by gitolite are also writable by the gitolite group.
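
An added example (not from the original post) that replays step 6 in a throw-away temp directory: files created under the old umask 0077, the recursive chmod, then a new file under umask 0007. `chmod g+rw` adds read and write but not the directory search bit (x), so the hypothetical helper `repo_perms_demo` takes the chmod mode as an argument and can be run with `g+rwX` for comparison.

```sh
#!/bin/sh
# Constructed demo: everything happens in a temp directory created with
# mktemp, nothing under /var/lib/gitolite is touched.

# perms PATH -> the 10-character mode string from ls (e.g. drwxrwx---)
perms() {
    ls -ld "$1" | cut -c1-10
}

# repo_perms_demo CHMOD_MODE
#  1. create a "repository" directory and file under umask 0077
#     (what the original REPO_UMASK produces)
#  2. apply `chmod -R CHMOD_MODE` to the tree, as in step 6
#  3. create a new file under umask 0007 (the changed REPO_UMASK)
# Prints "<directory> <old file> <new file>" as mode strings.
# The function body is a subshell, so the caller's umask is unchanged.
repo_perms_demo() (
    tmp=$(mktemp -d) || exit 1
    umask 0077
    mkdir "$tmp/repo.git"
    : > "$tmp/repo.git/old"
    chmod -R "$1" "$tmp/repo.git"
    umask 0007
    : > "$tmp/repo.git/new"
    result="$(perms "$tmp/repo.git") $(perms "$tmp/repo.git/old") $(perms "$tmp/repo.git/new")"
    rm -rf "$tmp"
    printf '%s\n' "$result"
)

# g+rw as in the post: files become group-writable, but the directory
# ends up drwxrw---- (no x for the group, so the group cannot enter it).
repo_perms_demo g+rw
# g+rwX: the capital X adds x only to directories (and to files that are
# already executable), giving drwxrwx---.
repo_perms_demo g+rwX
```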

Step 7: installing gitlab itself

If everything worked out the system is ready and gitlab itself can be installed:

su -s /bin/bash gitlab.host.tld
cd ~/public_html
git clone git://github.com/gitlabhq/gitlabhq.git .

Step 8: Install the gitlab dependencies

This one is tricky. Maybe I forgot to list some build dependencies or maybe they added some extra dependencies since I wrote this. If this doesn’t succeed: read the logs (especially mkmf.log).

bundle install --deployment

Step 9: configure gitlab

cp config/database.yml.example config/database.yml
cp config/gitlab.yml.example config/gitlab.yml

Here is my gitlab.yml

It has admin_uri defined twice because of bug #1052
If you wouldn’t define it twice (in git_host and git) the rake task `gitlab:app:status` would always fail when you run gitolite under the user `gitolite`.

You can find out the contents of your own database.yml :)

Step 10: installing the database and compiling the assets

bundle exec rake db:setup RAILS_ENV=production
bundle exec rake db:seed_fu RAILS_ENV=production
rake assets:precompile

Step 11: check if your gitlab user has access to gitolite

RAILS_ENV=production rake gitlab:app:status

Remember bug #1052!

Step 12: starting resque workers

Start at least one resque worker:

./resque.sh

And maybe another one:

./resque.sh

The resque workers are background workers that do `stuff` in the background. I believe for example the adding of ssh keys to gitolite and the parsing of a commit and putting that in the database.

At first I forgot to start the resque workers and my keys weren’t properly added to gitolite. The solution to that was in my case:

RAILS_ENV=production rake gitlab:gitolite:update_hooks
RAILS_ENV=production rake gitlab:gitolite:update_keys
RAILS_ENV=production rake gitlab:gitolite:update_repos

Step 13: restart nginx & surf to http://gitlab.host.tld

The title says it all :)

Finally

I copied all the commands from the server’s bash history. The order of the commands I wrote down off the top of my head so there could be some mistakes there. If you spot something wrong or missing: just contact me or leave a comment.

Some excellent resources:

Fixing the “IPv6 addrconf: prefix with wrong length 48” on Ubuntu (server)
http://v3.vanutsteen.nl/2012/07/07/fixing-the-ipv6-addrconf-prefix-with-wrong-length-48-on-ubuntu-server/
Fri, 06 Jul 2012 22:44:40 +0000, LeonB

touch /etc/sysctl.d/60-ipv6.conf
echo "net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
" > /etc/sysctl.d/60-ipv6.conf

This will fix it after a reboot. If you want to change it immediately:

echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra

Combining 4 images and aligning them next to each other
http://v3.vanutsteen.nl/2012/03/11/combining-4-images-and-aligning-them-next-to-eachother/
Sun, 11 Mar 2012 17:35:39 +0000, LeonB

The workflow: make two new images out of 4: combining 2×2 to make hdr’s. Then aligning them

sudo apt-get install hugin-tools enfuse
enfuse DSC_166* -o 1.jpg
enfuse DSC_167* -o 2.jpg
align_image_stack -a test.jpg 1.jpg 2.jpg

Then I put them next to each other in GIMP :p

 

The continuing story of Zend Studio 5.5.1 (part 2)
http://v3.vanutsteen.nl/2012/03/05/the-continuing-story-of-zend-studio-5-5-1-part-2/
Mon, 05 Mar 2012 09:59:17 +0000, LeonB

Every time I install a new version of Ubuntu / Linux I’m hoping Zend Studio (the old/good one) will still be working. This time with Ubuntu 12.04 I again had to do this but it didn’t take longer than a couple of minutes.

First I had to install the java executable (otherwise I got a “java: not found” error message). Because the Sun JRE isn’t available anymore for Ubuntu (12.04) I installed the default one (icedtea I believe). To my amazement that worked perfectly!

Then I had to install some (i386) libs and it worked! libxcursor is needed or else you’ll get a really ugly cursor in Zend Studio 5.

sudo apt-get install default-jre
sudo apt-get install libc6-i386 libxp6:i386 libxtst6:i386 libxcursor1:i386
ln -s /lib32/libc.so.6 /lib/libc.so.6

msmtp and the aliases file (/etc/aliases)
http://v3.vanutsteen.nl/2012/03/04/msmtp-and-the-aliases-file-etcaliases/
Sun, 04 Mar 2012 15:09:10 +0000, LeonB

Since version 1.4.25 msmtp has support for an aliases file. I edited my ~/.msmtprc and added:

aliases ~/.aliases

~/.aliases:

root:           myemail@mydomain.tld

Only ~/.aliases didn’t get expanded to the full path:

http://sourceforge.net/mailarchive/forum.php?thread_name=1330871670.3229.1.camel%40polly&forum_name=msmtp-users

Other than that, it worked perfectly! Now I can send e-mails to root and have them delivered to my personal e-mail address.

Removing the password from an (open) ssl key
http://v3.vanutsteen.nl/2012/02/22/removing-the-password-from-an-open-ssl-key/
Wed, 22 Feb 2012 09:40:24 +0000, LeonB

openssl rsa -in www_silverpower_nl.key -out www_silverpower_nl.key.unencrypted

Securing chromium-browser with apparmor on Ubuntu 11.10
http://v3.vanutsteen.nl/2012/02/19/securing-chromium-browser-with-apparmor-on-ubuntu-11-10/
Sun, 19 Feb 2012 17:42:03 +0000, LeonB

I wanted to make chromium (chrome) more secure. Just to be safe. I found out that the package apparmor-profiles on Ubuntu contained an apparmor profile for chromium-browser. I installed it and tried to enforce it without using the aa-enforce binary (which required the apparmor-utils package) but I couldn’t get that to work. So I installed apparmor-utils anyway.

sudo apt-get install apparmor-profiles apparmor-utils
sudo aa-enforce /usr/bin/chromium-browser /usr/lib/chromium-browser/chromium-browser

When all is done, quit the chromium browser and restart it. Then, when you run aa-status it should list chromium-browser as ‘enforced’.

I tried to do the same thing for /usr/sbin/dovecot but that didn’t quite work. Dovecot threw errors like:

init: dovecot main process (8738) terminated with status 84

I tried fixing it but I didn’t get it to work so I gave up.

Nginx + sabnzbd + sickbeard + couchpotato + spotweb on my pandaboard
http://v3.vanutsteen.nl/2012/02/04/nginx-sabnzbd-sickbeard-couchpotato-spotweb-on-my-pandaboard/
Sat, 04 Feb 2012 18:02:30 +0000, LeonB

I got Apache (mpm-itk), sickbeard, sabnzbd, couchpotato and spotweb running on my pandaboard. But apache really used up a lot of resources. So I decided to replace it with nginx. Nginx would be a reverse proxy and communicate via fastcgi with php.

This post describes how to set up Nginx. Not how to install sabnzbd, sickbeard, couchpotato or spotweb on your machine. I assume you know how to do that.

Step 1: install nginx

leon@panda:~$ sudo apt-get install nginx-light

Step 2: proxy stuff

Add all the important proxy stuff in one file so it can be included later on.

leon@panda:~$ cat /etc/nginx/conf.d/proxy.conf

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

allow 192.168.1.0/24;
deny all;

Step 3: set up all the locations

Set up all the locations (subdirectories on your http server) for sabnzbdplus, sickbeard, couchpotato and spotweb.

The important part from /etc/nginx/sites-enabled/default:

server {

location /sabnzbd {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:9090;
}

location /sickbeard {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:8081;
}

location /couchpotato {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:5000/;
rewrite ^/couchpotato/?$ /couchpotato/movie/ permanent;
}

location /spotweb {
alias /home/leon/src/spotweb/spotweb.git; #not root directive

location ~* \.php$ {
fastcgi_pass localhost:9001; #defined in /etc/php5/fpm/pool.d/leon.conf
include fastcgi_params;
fastcgi_index index.php;
}
}

}

Sorry about the indentation… Anyone recommend a good code plugin for wordpress?

Step 4: setup php

Now we’re going to set up php for nginx with php5-fpm. This is a new module and isn’t available on older versions of ubuntu. I think it’s only available from ubuntu 10.10 and onwards.

leon@panda:~$ sudo apt-get install php5-fpm

Then edit /etc/php5/fpm/pool.d/leon.conf (in my case). I created another pool for my user (‘leon’) because I don’t want it to run under the user www-data or similar.

cat /etc/php5/fpm/pool.d/leon.conf


; Start a new pool named 'leon'.
[leon]
listen = 127.0.0.1:9001
user = leon
group = leon

pm = dynamic
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 4
pm.max_children = 4

Step 5: Restart everything and admire your work

leon@panda:~$ sudo service nginx restart
leon@panda:~$ sudo service php5-fpm restart

Footnotes:
I also tried to get it working with chroot = /home/leon in /etc/php5/fpm/pool.d/leon.conf but I couldn’t get spotweb working with mysql on port 3306. When chrooted you can’t access /var/run/mysqld/mysqld.sock. I’ll have to investigate that a bit more.

Also, you could remove /etc/php5/fpm/pool.d/www.conf if you don’t use it (like in my case):

cd /etc/php5/fpm/pool.d/
sudo mv www.conf www.conf.disabled
sudo service php5-fpm restart

Access a pandaboard with a ‘screen’ serial console
http://v3.vanutsteen.nl/2012/01/30/access-a-pandboard-with-a-screen-serial-console/
Mon, 30 Jan 2012 22:56:58 +0000, LeonB

Easy as:

/usr/bin/screen /dev/ttyUSB0 115200

Ubuntu 11.10 on my laptop and ufw
http://v3.vanutsteen.nl/2011/12/24/ubuntu-11-10-on-my-laptop-and-ufw/
Fri, 23 Dec 2011 23:44:31 +0000, LeonB

I decided on enabling ufw (uncomplicated firewall) on my laptop (you can’t be secure enough). Too bad it isn’t enabled by default on Ubuntu. So I had to do this:

sudo ufw enable
sudo ufw default deny
sudo ufw deny "Dovecot POP3"
sudo ufw deny "Dovecot IMAP"
sudo ufw deny "Dovecot Secure IMAP"
sudo ufw deny "Dovecot Secure POP3"
sudo ufw status verbose

Listing contents of a tar.gz and extracting one specific directory
http://v3.vanutsteen.nl/2011/12/09/listing-contents-of-a-tar-gz-and-extracting-one-specific-directory/
Thu, 08 Dec 2011 23:04:03 +0000, LeonB

# tar -ztvf babyhuiscasita.nl.tar.gz |grep sql
# tar -xzvf babyhuiscasita.nl.tar.gz ./.backup/babyhuiscasita.nl_mysql

-t = list
-x = extract

Asus k53sv & ubuntu power management
http://v3.vanutsteen.nl/2011/11/23/asus-k53sv-ubuntu-power-management/
Wed, 23 Nov 2011 22:48:32 +0000, LeonB

Using my new Asus k53sv with Ubuntu 11.10 resulted in 2 hours of battery time. I know the k53 doesn’t have a fancy battery (quite the opposite) but I thought 2 hours was really bad.

With the power regression bug of the Linux kernel in my mind, I started searching. A lot of posts suggested using “pcie_aspm=force”. I tried that by editing the grub menu, but that didn’t really help (at all). dmesg kept complaining about the bios not letting it so that was a dead end.

Phoronix suggested enabling some power options for the i915 chipset (onboard videocard).

So I changed the following in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash pcie_aspm=force i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1"

After a reboot the remaining battery time had changed from 2 hours to a little less than 3 hours. That’s an improvement of almost 50%!

The only downside was that after a suspend (to memory) the screen gets garbled. But after a ctrl+F1 and ctrl+F8 that’s fixed. So I’m actually quite happy now. Thanks Phoronix!

3 useful route commands
http://v3.vanutsteen.nl/2011/11/09/2-useful-route-commands/
Wed, 09 Nov 2011 12:24:43 +0000, LeonB

To route an ip address through a (vpn) connection:

sudo route add -net XX.192.85.XX netmask 255.255.255.255 gw 192.168.1.1
sudo route add -net 10.76.122.0 netmask 255.255.255.0 gw 192.168.1.1
route -n

Or maybe add a whole range / subnet:

sudo route add -net 95.170.89.0 netmask 255.255.255.224 gw 10.76.122.152

Or maybe dynamic?

route add -net 95.170.89.0 netmask 255.255.255.224 gw `ip addr show ppp0 | awk '/inet/{print$2}'`

Sublime Text 2
http://v3.vanutsteen.nl/2011/10/26/sublime-text-2/
Wed, 26 Oct 2011 21:36:30 +0000, LeonB

I installed sublime text on my Ubuntu 11.10 box but I had some trouble loading external python modules:

loaded 937 snippets
>>> import distutils
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named distutils

This is how I solved it:

Edited ~/.local/share/applications/sublime.desktop
Especially this line:

Exec="/home/leon/Software/bin/sublime" %U

/home/leon/Software/bin/sublime contains this:

#!/bin/bash
cd /usr/lib/python2.7
/home/leon/Software/SublimeText2/sublime_text

Then I installed some excellent plugins:

Changing the glippy indicator icon
http://v3.vanutsteen.nl/2011/10/24/chaning-the-glippy-indicator-icon/
Mon, 24 Oct 2011 21:25:26 +0000, LeonB

Copy the mono paste icon over to ~/.icons/Humanity/actions/22/edit-paste.svg

 
