Posted on

Problem starting XEN guest

Notice to my future self: In case there are problems starting a domU, and /var/log/xen/xend.log says something about “Cannot allocate memory” then look at the memory consumption of dom0 with:

xm list

If this value is near the maximum available memory, just use

xm mem-set Domain-0 6500

or whatever looks good.

Posted on

Key transition, move to stronger key

Finally I was able to do the enormous paperwork (no, it is not that much) to switch my old 1024D key to a new 4096R one. I was a bit afraid that there might be something bad happening, but my fear was without any reason. After the RT bug was closed, I could upload and sent signed emails to mailing lists. So thanks alot to everyone involved.

old key, 0xD362B62A54B99890

pub   1024D/54B99890 2008-07-23
      Key fingerprint = 36E2 EDDE C21F EC8F 77B8  7436 D362 B62A 54B9 9890
uid                  Thorsten Alteholz (...)
sub   4096g/622D94A8 2008-07-23


new key, 0xA459EC6715B0705F

pub   4096R/0xA459EC6715B0705F 2014-02-03
  Schl.-Fingerabdruck = C74F 6AC9 E933 B306 7F52  F33F A459 EC67 15B0 705F
uid                 [ uneing.] Thorsten Alteholz (...)
sub   4096R/0xAE861AE7F39DF730 2014-02-03
  Schl.-Fingerabdruck = B8E7 6074 5FF4 C707 1C77  870C AE86 1AE7 F39D F730
sub   4096R/0x96FCAC0D387B5847 2014-02-03
  Schl.-Fingerabdruck = 6201 FBFF DBBD E078 22EA  BB96 96FC AC0D 387B 5847
Posted on

My Debian Activities in September 2014

FTP assistant

Starting an article with self laudation might be bad style, but this month I was busy as a bee and could accept 312 packages, 75 packages more than last month. 34 times I contacted the maintainer to ask a question and 51 times I had to reject a package. These numbers remain constant.

The number of packages in NEW dropped to about 180. If you want your package included in Jessie, please double-check it and upload an improved version.

Squeeze LTS

This was my third month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

All in all I got assigned a workload of 11h for September and I spent these hours to upload new versions of

  • [DLA 43-1] eglibc security update
  • [DLA 64-1] curl security update
  • [DLA 67-1] php5 security update
  • [DLA 68-1] fex security update

I further tried to upload a new version of python-django. Unfortunately I could not figure out why some of the internal tests of the package failed. So I fowarded the package to Raphael, who could resolve all issues.

The Squeeze version of PHP5 contains 140 patches. According to quilt 47 of them are identified to be already in 5.3.29 and 48 patches need to be revised. Some of them are really big, rather old and not really supported in the new 5.3.n version.
As nobody will talk about Squeeze LTS in a few months, I better better avoid the hassle of preparing a point release and concentrate only on security patches further on.

Other packages

This month I uploaded a new version of net-dns-fingerprint, which closes an RC bug. Unfortunately the package does not work with all DNS servers anymore. Patches or hints what happened are very welcome :-).

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

My Debian activities in August 2014

FTP assistant

By pure chance I was able to accept 237 packages, the same number as last month. 33 times I contacted the maintainer to ask a question about a package and 55 times I had to reject a package. The reject number increased a bit as I also worked on packages that already got a note but had not been fully processed. In contrast I only filed three serious bugs this month.

Currently there are about 200 packages still waiting in the NEW queue As the freeze for Jessie comes closer every day, I wonder whether all of them can be processed in time. So I don’t mind if every maintainer checks the package again and maybe uploads an improved version that can be processed faster.

Squeeze LTS

This was my second month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian

All in all I got assigned a workload of 16.5h for August. I spent these hours to upload new versions of

  • [DLA 32-1] nspr security update
  • [DLA 34-1] libapache-mod-security security update
  • [DLA 36-1] polarssl security update
  • [DLA 37-1] krb5 security update
  • [DLA 39-1] gpgme1.0 security update
  • [DLA 41-1] python-imaging security update

As last month I prepared these uploads on the basis of the corresponding DSAs for Wheezy. For these packages backporting the Wheezy patches to Squeeze was rather easy.

I also had a look at python-django and eglibc. Although the python-django patches apply now, the package fails some tests and these issues need some further investigation. In case of eglibc, my small pbuilder didn’t have enough resources and trying to build the package resulted in a full disk after more than three hours of work.

For PHP5 Ondřej Surý (the real maintainer) suggested to use point releases of upstream instead of applying only patches. I am curious about how much effort is needed for this approach. Stay tuned, next month you will be told more details!

Anyway, this is still a lot of fun and I hope I can finish python-django, eglibc and php5 in September.

Other packages

This month my meep packages plus mpb have been part of a small hdf5 transition. All five packages needed a small patch and a new upload. As the patch was already provided by Gilles Filippini, this was done rather quickly.

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

Moving WordPress to another server

Today I moved this blog from a vServer to a dedicated server. The migration went surprisingly smooth. I just had to apt-get install the Debian packages apache2, mysql-server and wordpress. Afterwards only the following steps were necessary:

  • dumping the old database with basically just one command:

    mysqldump -u$DBUSER -p$DBPASS –lock-tables=false $DBNAME > $DBFILE

  • creating the database on the new host:

    CREATE DATABASE $DBNAME;
    \r $DBNAME
    GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER ON $DBNAME TO ‘$DBUSER’@’localhost’ IDENTIFIED BY ‘$DBPASS’;
    GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER ON $DBNAME.* TO ‘$DBUSER’@’localhost’ IDENTIFIED BY $DBPASS’;
    FLUSH PRIVILEGES;

  • importing the dump with something like:

    mysql –user=$DBUSER –password=$DBPASS $DBNAME < $DBFILE

and almost done …

Finally some fine tuning of /etc/wordpress/htaccess and access rights of a few directories to allow installation of plugins. As I wanted to clean up my wp-content-directory, I manually reinstalled all plugins instead of just copying them. Thankfully all of the important plugins store their data in the database and all settings survived the migration.

Posted on

My Debian activities in July 2014

FTP assistant
This month I was able to accept 237 packages, 27 times I contacted the maintainer to ask a question about a package and 40 times I had to reject a package. Additionally I needed to file nine serious bugs.
In the light of recent events I want to make clear that there is no automatism to create such bugs. They are all handmade and you can be quite sure that there are no false positives but only real issues.

The highlight of this month has been my first patch to dak, the software which is used to manage the Debian archive. Well, it was just a patch of an email template but at least it closes Bug #754805. Now the new Debian tracker at https://tracker.debian.org/ (a replacement for the Debian Package Tracking system (PTS)) is able to detect in which suite new uploads appear.

Squeeze LTS
This month the initiative to support Squeeze LTS, which was started by Freexian, got some momentum. I would like to thank every sponsor of this initiative (please see a list at
the Freexian LTS page) and of course Raphael Hertzog for organizing everything.

All in all I got assigned a workload of 10.5h for July. I spent these hours to upload new versions of tiff, libxml2, php5 and fail2ban. I prepared these uploads on the basis of the corresponding DSAs for Wheezy. So most of the time the patches for all CVEs could be applied smoothly and only line numbers had to be adjusted. For a few CVEs the difference between the code in Squeeze and Wheezy was too huge and things became more difficult. Luckily all CVEs contained good descriptions of what was wrong, so at the end I could find solutions for all security fixes. In this context I am a bit sad about the feedback on the Debian LTS mailing list. I had hoped to get more responses to my calls to test packages before uploading them to the archive. Of course I do some testing on my own, but I am sure I don’t cover all use cases.

I also used some time to fix the information in the security tracker. Three CVEs for dbus were marked as relevant for Squeeze, but the corresponding code didn’t exist in the Squeeze version.

Anyway, this was a lot of fun and I definitely want to be part of that initiative in the future.

Other packages
I tried to fix #752401 of net-dns-fingerprint. Unfortunately the new version does not really work and upstream is a bit silent.

Support
If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

My Debian activities in June 2014

FTP assistant
With my FTP assistant hat on, I accepted 285 packages. 29 times I had to ask the maintainer a question or had to give a comment. Unfortunately I also had to reject 33 packages. Most of the time due to mistakes in debian/copyright. The review of NEW also resulted in about ten serious bugs in packages that had incomplete copyright information. Dear fellow developers and maintainers: please be more careful when you collect copyright and license information. The better you do your homework, the faster your package will pass NEW!

Squeeze LTS
I also started to contribute to Debian Squeeze-LTS. In June I uploaded security fixes for scheme48 and lxml. Freexian, a French company run by Debian Developer Raphaël Hertzog, started an initiative to establish LTS (Long Term Support) for Debian Squeeze. Via Freexian you can hire other Debian Developers who provide security updates for some more months. So if you still need a stable security support for Debian please consider joining the initiative and visit the Squeeze LTS website at Freexian.

Other packages
For my own packages I uploaded some new versions for different kinds of meep.

Support
If you would like to support my Debian work please consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

Configure services – Apache (3.3)

Much to my consternation I noticed that my last post appeared almost six months ago. I hope I can increase again my posting frequency this year.

The last topic has been DNS resolving and this article shall be about IPv6 configuration in apache.

First we need to check whether our apache already listens to requests comming from IPv6. The default configuration on Debian in /etc/apache2/ports.conf says something like

     NameVirtualHost *:80
     Listen 80


This means: listen on port 80 of all addresses on this machine, including IPv6 ones. So in principle we are already done.

In case we want to restrict some interfaces to IPv4 or IPv6 access, we need to replace the general listen-directive with more restrictive ones, so for example:

     listen 1.2.3.4:80
     listen [1:2::4:5:6:7]:80


In the whole apache configuration IPv6 addresses need to be put in square brackets.

The same is also valid for virtual host configuration:

In this case any request, either via IPv4 or IPv6, will be handled by our apache:

     <virtualhost *:80>
       ServerName example.com
       ServerAlias all.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       Customlog /www/example.com/logs/combined_log combined
    </virtualhost>

In this case, the vhost is available only on a specific IPv6 address:

    <virtualhost [1:2::4:5:6:7]:80>
       ServerName example.com
       ServerAlias ipv6.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       Customlog /www/example.com/logs/combined_log combined
    </virtualhost>

In this case, the vhost is available only on a specific IPv4 address:

    <virtualhost 1.2.3.4:80>
       ServerName example.com
       ServerAlias ipv4.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       Customlog /www/example.com/logs/combined_log combined
    </virtualhost>

In this case, the vhost is available on specific IPv4 and IPv6 adresses:

    <virtualhost 1.2.3.4:80, [1:2::4:5:6:7]:80>
       ServerName example.com
       ServerAlias special.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       Customlog /www/example.com/logs/combined_log combined
    </virtualhost>

So there is really no magic in IPv6 and it is easy to use.

Posted on

Configure services – bind (3.1)

After preparing everything, we can start to configure different services now. The first one shall be bind9. There are lots of information out there about configuring bind9 for IPv4, so I assume that there is a bind already running.

A newly installed bind (remember I am mainly writing about Debian systems) has the following option configured in /etc/bind/named.conf.options


options {
listen-on-v6 { any; };
};

Thus this daemon listens on all IPv6 interfaces to answer queries.

In the next step we just need to configure AAAA-records for every IPv6-address that we want to distribute. They look like A-records:

dummyhea.ipv6.alteholz.net. IN A 78.47.192.125
dummyhea.ipv6.alteholz.net. IN AAAA 2a01:4f8:d12:1b03::dead:2

Voila, we are done:


~$ dig dummyhea.ipv6.alteholz.net AAAA

; <> DiG 9.8.4-rpz2+rl005.12-P1 <> dummyhea.ipv6.alteholz.net AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25822
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;dummyhea.ipv6.alteholz.net. IN AAAA

;; ANSWER SECTION:
dummyhea.ipv6.alteholz.net. 5706 IN AAAA 2a01:4f8:d12:1b03::dead:2


~$ ping6 -c5 dummyhea.ipv6.alteholz.net
PING dummyhea.ipv6.alteholz.net(2a01:4f8:d12:1b03::dead:2) 56 data bytes
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=1 ttl=49 time=66.8 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=2 ttl=49 time=67.1 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=3 ttl=49 time=66.8 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=4 ttl=49 time=71.6 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=5 ttl=49 time=66.3 ms

--- dummyhea.ipv6.alteholz.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 66.378/67.782/71.678/1.969 ms

This was pretty easy.