Skip to content

Debian jessie ist Geschichte

Dieses Mal war ich schnell. Gerade zwei Monate nach dem Release von Debian stretch habe ich letzte Woche den letzten noch auf Debian jessie laufenden Host aktualisiert. Es bleiben die bekannten Altlasten, die schon vor zwei Jahren nicht auf jessie aktualisiert wurden.

Wir arbeiten dran.

Ein paar interessante Dinge sind bei der Migration dieses Blogs aufgefallen. Nach der schieren Anzahl des Trackback-Spams, der hier aufschlägt, könnte sogar das Kommentieren wieder funktionieren. Wollt Ihr mal probieren?

Debian blind installieren

Ich habe mir nach langer Abstinenz mal wieder einen Server bei Hetzner gemietet. In der Serverbörse verschachert der Anbieter ältere Geräte als Einzelstücke, die von ihrem bisherigen Mieter zurückgegeben wurden und die teilweise aufgrund individueller Ausstattung nicht in den Mainstream hineinpassen. Dabei kann man als Kunde auch richtige Schnäppchen machen.

So bin ich seit zwei Wochen stolzer Mieter eines Hetzner-Servers mit Core i7-Vierkerner der Bloomfield-Generation mit Hyperthreading mit stolzen 48 GB RAM. Die Miete liegt bei unter 40 Euro im Monat und lässt den ähnlich alten, zum Mai gekündigten 1&1 Rootserver, der mit nur 4 GB RAM ähnlich viel Geld kostet, ziemlich alt aussehen.

Aber so ein Schnäppchen hat natürlich auch Nachteile. So gibt es nur eine einzige IPv4-Adresse, und IPv6-Adressraum, der über das standardmäßig dazugehörende einzelne /64 hinausgeht, lässt sich der Anbieter mit einer Einrichtungsgebühr in der Größenordnung von zwei Monatsmieten relativ fürstlich bezahlen. Und es gibt keine serielle Konsole. Man kann sich für einen bestimmten Zeitraum ein KVM-over-IP-Gerät anschließen lassen und die ersten x Stunden sind sogar inklusive, aber das ist natürlich nur ein magerer Ersatz. Die vom Anbieter angepriesene vnc-Installation funktioniert freilich nur für die von ihm vorbereiteten Systeme; bei näherer Betrachtung liegt das aber auch auf der Hand: Wie soll das sonst ohne Spezialhardware gehen.

In diesem Artikel soll es darum gehen, wie ich mein zgserver-Debian "blind" auf die Maschine bekommen habe.

Continue reading "Debian blind installieren"

Login als technischer User mit ssh forced commands

Oftmals hat man die Aufgabe, einen maschinenübergreifenden Zugriff automatisiert stattfinden zu lassen, ohne dass man der einen Seite gleich "vollwertige" Credentials für einen interaktiven Login auf der anderen Seite geben möchte. Wenn der Zugriff automatisiert stattfinden soll, fällt auch noch die Sicherheitsstufe eines ssh passphrases weg, da niemand da ist um diesen einzugeben.

ssh forced commands bieten eine Möglichkeit, einen solchen Zugriff zu erlauben, ohne gleich die Büchse der Pandora zu öffnen. Selbst ein automatischer Zugriff mit root-Rechten ist auf diese Weise "reasonably secure" realisierbar.

Continue reading "Login als technischer User mit ssh forced commands"

openssh authorized_keys "restrict" option lessens worries

Starting with OpenSSH 7.2, a new "restrict" option for authorized_keys lines has become available. It sets all available restrictions that the current OpenSSH version can do (like no-agent-forwarding, no-x11-forwarding etc). One can individually turn on those features again by corresponding new options.

This saves one from sorrows when a new capability of OpenSSH is introduced through an update which is enabled by default, since one has to remember that restricted authorized_keys lines are in unse and then to manually add the restrictions.

On the downside, Debian jessie and CentOS 7 don't have a recent enough OpenSSH. So we'll have to continue worrying about new features being inadvertendly enabled for a while.

P.S.: Yes, I haven't blogged about Linux and Debian in English in a while.

PowerDNS (pdns) 3.3-1~exp1 in Debian experimental

I have just uploaded PowerDNS 3.3-1~exp1 to Debian experimental. This new upstream version has introduced its own include directive, so Debian was able to drop its patch. Hence, our conffiles had to grow a .conf extension, which most of them didn't have in previous version.

If anybody wants to test updates from PowerDNS 3.1 to the new 3.3-1~exp1 in Debian unstable, please go ahead and report bugs in the Debian BTS. The package is known to not offer seamless DNSSEC, I'll work on that before I upload to unstable.

While we're at it: I would appreciate help with the PostgreSQL backend. Myself, I use mainly MySQL and am not too proficient in PostgreSQL. I'll accept both patches and more formal co-maintenance.

How to amd64 an i386 Debian installation with multiarch

Migrating a Debian installation between architectures has always been difficult. The recommended way to "crossgrade" an i386 Debian to amd64 Debian is to reinstall the system, move over data and configuration. For the more brave, in-place crossgrades usually involved chroots, rescue CDs, a lot of ar p | tar xf - data.tar.gz and luck.

I have never been brave when it comes to system administration, have done a lot of architecture migrations with reinstallation, and have always taken the opportunity to clear out the contamination that accumulates itself when a system is running for a long time. I would even recommend doing this to most people even now. However, I have a few very ugly systems in place that are still on i386 because I didn't dare going the reinstallation path.

Doing in-place crossgrades has become a lot easier since wheezy's release, since once now can have both i386 and amd64 libraries installed in parallel, which allows to replace foo:i386 with foo:amd64 without influencing the other parts of the system. The process is still full of pitfalls:

  • In wheezy, many library packages are multiarch capable. This means that you can have those library packages installed for more than one architecture. This is a technical must for this way of crossgrade, so never use that for an older-than-wheezy system. It won't work, it needs at least Debian wheezy. Unfortunately, not all libraries in wheezy are multiarch capable. This makes the process harder and a lot less predictable, since a crosscrade including such packages is going to spew incomprehensible and misleading apt error messages. In my experience, for example the libaprutil-1-dbd-* packages and libonig2 are of this kind.
  • apt removes a package before it reinstalls its new counterpart. This results in apt calling dpkg to remove dpkg, and then calling dpkg again to install dpkg. Guess which operation fails and the state of the system after this failure. Same applies to coreutils, which leaves the system without rm, which in turn dpkg of either architecture doesn't like. Using apt-get --download-only install to resolve dependencies and downloading the debs, followed by a traditional dpkg --install solves this issue since multiarch dpkg will replace a package with another one without deinstalling the first one first.
  • At least for the process, you need a kernel that can run both 32bit and 64bit binaries for the i386 architecture. AFAIR, setting CONFIG_64BIT, CONFIG_X86_64 and CONFIG_IA32_EMULATION in the kernel configuration takes care of this.
  • During the process, apt will temporary go into a badly broken state where it will refuse most operations. Be aware that you might need to manually download packages from the Internet. Be sure to have wget, curl, or a browser (maybe a text based one like elinks) available. dget is not going to help you here since it will only downloda packages for the native arch.
  • During the process, apt wants to remove the better part of your system. It is important to not let it do this, as it wants to deinstall essential packages as well.
  • Watch what your system does. During some steps, it might remove packages you might need. Keep track of the packages that were removed during the process and re-install them manually after finishing the crossgrade. Be sure not to purge packages that you might still need.
  • It looks like the process is not always exactly reproducible. During the first tries, I found myself without an initrd at all, with an initrd that lacked the ext[234].ko kernel modules, without working e2fstools and in a number of other undesireable states of the system.

I have only tried this yet with a freshly installed minimal wheezy server system. Trying the process with "real life" systems has shown to be full of more surprises. I will document other pitfalls I have fallen into here at a later time. My minimal wheezy system was running in a KVM VM with its virtual disk as a LVM LV in the host system. I took a snapshot before beginning and used lvconvert --merge numerous time to return my LV to the original state. Be aware that lvconvert --merge removes the snapshot after merging it, so you'll need to re-create the snapshot before trying again.

The process is absolutely not for the faint of the heart, and intimate knowlegde of Debian mechanisms is required at many points in the process. Please seriously consider a reinstall+migrate approach instead of using this process, and be sure to practice it on a working copy of your system before touching the live system. And always have a backup.

During the process, I discussed things with Paul Tagliamonte, who has done this before, but on a live system and with a slightly more invasive approach. He has blogged about this. Thank you very much, your hints were very helpful.

Continue reading "How to amd64 an i386 Debian installation with multiarch"

Heute mal wieder Debian

In den letzten 24 Stunden habe ich endlich mal wieder was für Debian gemacht: dnstop und sipcalc vom bisherigen Maintainer übernommen, auf Vordermann gebracht und uploaded, und immerhin einen Alibi-Upload von pdns-recursor, damit auch der recursor mit der neuen Maintainer-Mailingliste im Maintainerfeld und dem korrekten Alioth-Vcs-Link im debian/control nach Wheezy kommt.

Next PowerDNS version for Debian ready for testing

I have published PowerDNS version 3.1-1.0 on https://ivanova.notwork.de/~mh/debian/pdns/

This is a preliminary package and a release candidate to be 3.1-2 in Debian. If you're interested in PowerDNS on Debian, please test this package.

I plan to upload next week. This package will vanish from the web server once the package is visible in Debian.

What are interface labels for

Dear Lazyweb, for a long time I have been using iproute2's label feature to assign arbitrary labels to IP addresses configured on Interfaces:

40: int152@dotqa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 00:25:b3:01:e5:6c brd ff:ff:ff:ff:ff:ff
inet 10.1.152.254/24 brd 10.1.152.255 scope global int152:98fe8

Recently, this has shown to at least confuse both isc-dhcp-relay (#617258) and dhcp-helper (#617264).

As I have never seen interfaces labels used outside my firewalls (which happen to use ifupdown-scripts-zg2 (Debian PTS)) and ifupdown's rather twisted handling of multiple IP addresses per interface (using Alias Interfaces), I'd like to know whether my usage is a legitimate one and whether there are other uses for interface labels.

At the moment, I'm tempted to remove label support from ifupdown-scripts-zg2 in the next release, or to make it optional. Please comment if you have an opinion.

How much added complexity in packages to cater for apt's shortcomings?

It is well known that apt has an issue when it comes to resolving circular dependencies. Therefore, Debian bug reporters have set out to eradicate circular dependencies from the archive. This does, however, add significant bloat to the actual packages, and I am questioning why this is really necessary.

Continue reading "How much added complexity in packages to cater for apt's shortcomings?"

Booting from a large hard disk II

Four days before my wedding, I spent some time researching booting a PC from a large hard disk, where large means "larger than two Terabytes". These days, single disks are approaching this size, so we are near the state where this issue pops up for your run-of-the-mill computer rather than the data store RAID. Today, the per-gigabyte price is however still significantly cheaper if you go for a 1 T or an 1.5 T disk.

The old blog article shows that I spent considerable time in finding out today's limitations below the 2 T limit by using conventional partitioning schemes to boot a 2 T disk. Since I don't have this much storage available at the moment, I had to use virtualization and to take advantage of nearly empty virtual disks taking up much less space than their raw capacity suggests. This works fine as long as you don't start actually using the disk.

Back then, the only combination that worked for a raw disk larger than 2 T (only using the first 2 T) was Virtualbox and grub 0 (now grub-legacy). I regret to admit that the results of my experiments from June are not any more reproducible (most probably due to changes in Virtualbox since then) and that I was not able to boot any disk larger than 2 T any more, even if the partitions were well below the 2 T limit. I chose to ignore these results and to finally start the GPT research.

Continue reading "Booting from a large hard disk II"

Samba Help Needed

Dear Lazyweb, sorry to bother you again, but I have tried to get this question answered on IRC, on Usenet and on the Samba Mailing List, and was not able to get an answer (not even a remotely clueless one) there. Can you help?

I currently have an "interesting" task to accomplish: An IT environment with about 90 % Windows and 10 % Linux machines would like to unify backup. Currently, the Windows world backs itself up to tape using Backup Exec; the Linux world has Amanda backing up to a big disk RAID.

This RAID is acting up and is scheduled to disappear. The current plan is to back up the Linux world with Amanda to a Samba share which is then backed up to tape by the Backup Exec installation running in the Windows world.

The Linux systems are in a diffent network, and the firewall people would like to keep the ports being open between the two networks to the bare minimum. I don't want to see NETBIOS Broadcasts inside the Linux world, I don't want to see this server in any network neighborhood, and the system acting as the Samba server for the backup should have as few open ports as possible. Of course, the share should be read only and to be as secure as possible.

Continue reading "Samba Help Needed"

How to have socat open a listening socket in the file system?

Dear Lazyweb, can anybody with some advanced socat-foo tell me the command line needed to have socat create a socket in the local file system and to listen on it, so that I can have Virtualbox connect a virtual serial console to it?

The material available on socat on the web is sparse, and virtualbox-related docs usually contain "tick the create pipe option", which is not helpful here since I would like to see the first output the virtual machine prints to its serial port. It would be vastly more useful to have the socket already created with socat listening so that I can immediately see what is being printed to the socket.

Unified Kernel for etch, lenny and sid

Traditionally, the Linux kernel is software that I compile myself from pristine upstream sources for various reasons. I have three major kernel flavours that get built (server, desktop and notebook), and I am pretty current in running a bleeding edge kernel. This is not really necessary any more nowadays, but it's a tradition that works pretty well.

My kernels get built on sid and are packaged up with kernel-package, and equivs builds a dependency helper package which pulls in the kernel's dependencies such as initramfs-tools and takes care of cross-version updates like going from 2.6.29 to 2.6.30. Up to now, I was always able to run a kernel built this way on all my systems which can range from oldstable to unstable.

Continue reading "Unified Kernel for etch, lenny and sid"