Archive for the ‘computers’ Category

« Older Entries

setting up subversion on dapper

Wednesday, June 20th, 2007

these are just some notes for myself on how i setup a subversion repository on ubuntu dapper using ssh for the access method. these should probably be combined into a script.

install software

you, obviously, have to have dapper installed and also subversion and an ssh server. on our network, you can just network boot and then type “server” at the ubuntu prompt which should install the os. make sure that you either disable network booting or if in the dmz, configure an ip in the dhcp server for that specific mac address in order to not network boot anymore. after everything’s up:

sudo apt-get install subversion openssh-server

you now should be ready to go.

setup the basic subversion area

  1. create a subversion (svn) user:

    sudo adduser –disabled-password –home /var/lib/svn svn

  2. create a directory for the repositories and backups.

    sudo mkdir -m 2770 -p /var/lib/svn/repos /var/lib/svn/repos-backup

  3. make sure the owners are correct:

    sudo chown -R svn:svn /var/lib/svn

setup a new repository

  1. create a group for permissions for the new repository. i would make the group name the same as the name of the repository to reduce confusion.

    sudo addgroup [repo-group]

  2. create a directory where the repository will be located with the correct permissions. setting these permissions will make sure that all of the directories and files that are created when the repository is created will have the proper group set.

    mkdir -m 2770 -p /var/lib/svn/repos/[repo-group]

  3. set the owner and group for the new repository:

    sudo chown svn:[repo-group] /var/lib/svn/repos/[repo-name]

  4. create the repository:

    svnadmin create –fs-type fsfs /var/lib/svn/repos/[repo-name]

  5. make sure the user and group is create on the files.
  6. add users to the group who need access to this repository:

    sudo adduser [user] [repo-group]

i think that’s basically it. it seems best to create a separate repository for each project. that way it’s easy to keep permissions separated by project group. it’s also appears to not be a requirement with subversion to keep everything in one repository to be able to include them in other projects using modules as in cvs. i haven’t tested this functionality yet though. see external definitions for more information.

repository backups

once you have your repositories setup, clearly you’re going to want to be backing up your precious data. at the current time, i’m taking the fairly simple approach of just backing up the entire repository every night using svnadmin hotcopy.

simple subversion backup script

i just run this script for each repository every night using cron as the svn user. might should be looping through all repositories in the repos directory, but currently i’m just individually adding each to the crontab. the script doesn’t do any pruning of the backups. that’s the responsibility of the backup machine. what needs to be done is to setup a cronjob on the backup server under the target backup user that uses find to remove old backup files. each new backup has a timestamp in the name.
the script just tars up the hotcopy directory and the pipes it to ssh and stores it on a machine we use for backups. to add a user to the backup machine:

sudo adduser –disabled-password –home /home/backups/$USER $USER

after creating the user, you should create a directory in the new user’s home directory that is the hostname from which you will be backing up. this way you could have backups from multiple machines going to the same user. alternatively, i guess you could create a user for each machine. then do backups as the root user on that machine (necessary for certain directories). this still needs to be worked out a bit.

then you have to generate an ssh key on the subversion machine to use for the backups and put the key on the backup machine under the user you just created. this command (all on one line) would be run as the svn user (or whatever user your doing backups for in the general case).

ssh-keygen -b 4096 -t rsa -C $USER-backup@$HOSTNAME -f $HOME/.ssh/$USER-backup

adding new users

this isn’t really specific to subversion, but is generally how servers should be configured. the only way to log into the server is using ssh with public keys. you can disabled root and password authentication in the /etc/ssh/sshd_config file. the best thing to do seems to be to add a default .ssh/authorized_keys file when the machine is first installed that includes the known ssh keys for admins. then, when a new user is added, these keys will be there by default. it’s then fairly easy for an admin to copy in the real user key and remove any admin keys if desired.

the passwords for all non-admin users are disabled. admins need there password in order to be able to run sudo. therefore, all admin users have to also be in the admin group (sudo adduser [user] admin). the same command for generating an ssh key as mentioned above can be used for generating keys.

this information should probably more flushed out in a different post. oh well. that should do for now.

reference

Posted in backups, computers, ssh, subversion | No Comments »

using gnu screen to launch server apps from inittab

Thursday, August 31st, 2006

all of this is on ubuntu 6.06 lts dapper drake. it most likely equally applies to all linuxes (possibly other unixes) that have gnu screen installed and use inittab. the runlevels may be different.

i spent a several hours yesterday looking into how to use screen to launch an app from inittab and still maintain a console to it. the initial goal was related to how to start a common lisp server application at boot, but the testing was done using a java app. unfortunately, there’s no console control on the java application, but it does print out some messages at startup and if something goes horribly wrong, the exception is dumped to stderr. it might be worth while to write one.

at any rate, the initial lead came from a post to comp.lang.lisp from like 2004 that i didn’t have the forsight to bookmark. there wasn’t any specifics and searching on google for anything related to screen is practically useless, as one might, due to “screen” being a fairly generic word. hopefully, including “gnu screen” will make it better. probably not.

so, here’s what i found/figured out. i figure the best way is to create a specific screen config file to pass on the command line with “-c”. this makes the command in inittab shorter and possibly makes it easier to keep things separate if you’re starting multiple applications. the main thing to watch out for is that when starting gnu screen with a config file and using the “chdir” command in the file you need to specify the absolute path to the config file. if you don’t, when you try to re-attach, you’ll get an “Unable to open ” message and the detached screen process will exit. not very useful.

here’s the (sort of) contents of my screen config file:

sessionname app

chdir

screen -t ces -L 0 java -jar [full path]/app.jar [args]

the sessionname is whatever you want to use for when you re-attach with “screen -r app”. you may or may not need to use chdir, but it’s probably helpful for most apps if that’s somewhere that the user the application is running as can write to or maybe not. your call. the “screen” command is what starts the application. “-L” does logging to the default file (which is in wherever the current working dir for screen is. in this case, the dir after “chdir”). “-t” is probably unnecessary as it’s just the screen window title. we’re only using one in this case so i doubt it’s important. the rest is the command to launch the application. fairly simple.

the next step is the command to start screen. this is (sort of) what i have in /etc/inittab:

app:23:respawn:/bin/su – [user] -c “screen -D -m -c [fullpath]/app.screenrc”

the “-D -m” will cause the screen process to start detached without forking to a new process. this is important because when the screen process exits, init will respawn it. the app at the beginning of the line can be whatever you want as long as it’s unique to the file and 4 characters or less. currently, we are starting some java applications by just directly calling it from inittab and redirecting the stderr and stdout to files. to get it active, just do a “kill -HUP 1″ as root.

now, to re-attach to the screen session you just use “screen -r app” or whatever you used for sessionname in the config file. you should see any output from your application now and have full terminal access just like if you had started it from a shell. gnu screen has support for password protecting the session, but i haven’t tried it yet. it’s probably less important in this specific case since you can’t input/control anything and you have to be either the user or root to re-attach to the session.

there may be a question of screen stability, but i find it unlikely to be a problem as gnu screen has been around for a while and is only getting bug fixes. what a plus to have an application that is feature complete.

an alternative might be to not use screen at all and directly start the application on an empty console instead of a getty program. the downside is that you would have to have physical access to the console in order to access the program. wasn’t really an option for me.

there’s also a program called detachtty written by a lisper that he thinks works better than screen. supposedly, you can access it over the network using ssh, but it’s not immediately apparent how this is done from my extremely limited scanning of the webpage. it appears to be targeted at use in a real init.d script and doesn’t seem like it would work from within inittab.
hopefully, this post will help me save some time in the future when i finally get around to using this method.

Posted in computers | No Comments »

how to add an ipsec connection on ubuntu dapper

Wednesday, August 23rd, 2006

this is using racoon for ike and ipsec tools. i didn’t use the racoon-tool or whatever the debian added config thing is for racoon because it wouldn’t startup properly for me. problems loading modules.

i believe the only extra packages installed passed the server defaults was shorewall firewall, racoon and ipsec-tools.

here’s the notes i took for adding a connection to a new remote host.

  • add pre shared key to /etc/racoon/psk.txt
  • update /etc/racoon/racoon.conf by adding a remote and sainfo sections similar to an existing entry. sainfo requires encryption_algorithm, authentication_algorithm and compression_algorithm entries.
  • add spdadd entry pairs for both local to remote network and remote to local in /etc/ipsec-tools.conf.
  • stop racoon: /etc/init.d/racoon stop
  • restart ipsec: /etc/init.d/setkey restart
  • start racoon: /etc/init.d/racoon start
  • if racoon doesn’t start, check /var/log/daemon.log for config errors.
  • add an entry to /etc/shorewall/tunnels to define the remote gateway
  • add an entry to /etc/shorewall/zones to create a zone to use for rules. the zone name can’t be more than 5 characters long.
  • add entries in the /etc/shorewall/hosts to define what hosts are in the zone
  • add entires to /etc/shorewall/policy for whatever firewalling rules need to be created for the vpn. at a minimum an entry to allow full access from loc to vpn and vpn to loc would be necessary. everything gets dropped by default.
  • restart shorewall: /etc/init.d/shorewall restart

Posted in computers | 2 Comments »

google releases firefox synchronization tool

Tuesday, June 13th, 2006

this is the short review from arstechnica. it sounds promising, but requires a google account. keeping passwords synced is my main problem. it’s not really that frequent that i need to so just a way to export and then import manually would be fine for me.

Posted in computers, eurotrip-2006 | No Comments »

lot of links

Wednesday, May 31st, 2006

sun is going to apparently ship the t1000 and t2000 servers (the niagra sparc models) with ubuntu linux. it shows the good of ubuntu and the bad of java. currently, there is no linux/sparc version. surely it’s coming. still doesn’t change the fact that it would seem to be a huge win for sun/java to gpl it and have it distributed with every linux distro. i still don’t really see where they’re making a lot of money from java other than keeping a set of software that runs on something other than windows. then again, most linux distros ship with python, c, perl, php, ruby, etc.

this leads to another project from sun named phobos that will eventually see a javascript interpreter for the jvm. it is interesting to use the same programming language for both the client and server. when was it that netscape shipped this in their enterprise server, 1995/96?

a bad video of the colombian goalkeeper scoring against poland during their friendly the other day.

everything a girl needs to know about the offsides rule in football from a book “everything a girl needs to know about football“.

marginally interesting video about hdtv and the world cup.

enjoy.

Posted in computers, eurotrip-2006, football | No Comments »

« Older Entries