Fix macports ruby “Connection reset by peer” with openssl 1.0.1

Due to openssl 1.0.1 introducing TLS v1.2 as the default for SSL connections you can find yourself facing an error like this:

Connection reset by peer - SSL_connect (Errno::ECONNRESET)

This will happen if you’re using macports with openssl 1.0.1 (the latest one right now is 1.0.1c) and try to use either curl or ruby (no matter if it’s 1.8 or 1.9). OpenSSL 1.0.1 introduces support for TLS v1.2, which is not yet supported by most code; unfortunately it’s used as the default, and it’ll break your code with bizarre error messages about certificate trust.

The recommended resolution so far is to simply downgrade openssl; thanks to macports running on svn this can easily be done by running the following lines in your terminal:

svn checkout -r 90715 http://svn.macports.org/repository/macports/trunk/dports/devel/openssl
cd openssl
sudo port install

This will install the last 1.0.0 version of OpenSSL available on macports (1.0.0h) so your problematic code can work again. If you’re writing your own code in ruby you can also add this option before pulling your https connection:

require 'net/https'

# request_url is the URI object you are about to fetch
https = Net::HTTP.new(request_url.host, request_url.port)
# use_ssl= must come first: on ruby 1.8 it creates a fresh SSL context,
# which would otherwise overwrite the one set below
https.use_ssl = true
# force the context to TLSv1 so the handshake never offers TLS v1.2
https.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
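The same workaround done through the supported API, as an added example that is not part of the original post. On ruby 1.9.3 Net::HTTP builds its own SSLContext inside #connect from the ssl_version, verify_mode and cert_store attributes, so setting those survives where an instance_eval’d @ssl_context gets overwritten. It also keeps certificate verification on: a bare OpenSSL::SSL::SSLContext.new(:TLSv1) has no verify_mode set, so nothing is verified. The helper names pinned_https_client and fetch_pinned are my own, and the host in the usage line is a placeholder; the ssl_version attribute needs ruby 1.9.3 or later, and newer OpenSSL builds may refuse TLSv1 altogether, in which case the pin has to be raised to a version both ends still accept.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build a Net::HTTP client pinned to a single protocol version while keeping
# peer verification on (hypothetical helper, not from the post).
def pinned_https_client(url, version = :TLSv1)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # Net::HTTP copies these attributes into the SSLContext it creates in
  # #connect, so they are honoured on 1.9+ unlike an instance_eval'd context.
  http.ssl_version = version
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  # Trust the system CA bundle rather than leaving the store empty.
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http
end

# Perform a GET with the pinned client and return the response object.
def fetch_pinned(url, version = :TLSv1)
  uri = URI.parse(url)
  pinned_https_client(url, version).start { |h| h.get(uri.request_uri) }
end

if $PROGRAM_NAME == __FILE__
  # Placeholder host; replace with the server that resets the connection.
  resp = fetch_pinned('https://example.invalid/')
  puts "#{resp.code} #{resp.message}"
end
```

If the server still resets the connection with the pin in place, the problem is not the TLS version offered by your client, and downgrading openssl as above is the remaining option.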

Fix ldap_route `null’ in sendmail 8.14.4

I’ve got a sendmail setup with ldap_routing, which is very convenient if you’ve got a distributed sendmail environment. In my case I’ve only got ldap_routing for mail hosts and not for addresses, so it’s expressed in the following form in sendmail.mc:

FEATURE(`ldap_routing',`ldap -T<TMPF> -k (mailacceptinggeneralid=%0) -v maildrophost',`null',`')dnl

When upgrading my sendmail platform to the new Ubuntu 12.04 LTS (Precise Pangolin) I’ve found the following error:

readcf: config K line, map ldapmra: no map class

This is due to a change in behaviour in ldap_routing.m4 in 8.14.4: it’ll try to automatically add -T<TMPF>, which breaks the special `null' behaviour.

The way recommended to fix this is to replace ldap_routing.m4 with the version from 8.14.3 which is available here.

In my case (Ubuntu) I just had to replace the file located at /usr/share/sendmail/cf/feature/ldap_routing.m4, then process sendmail.mc again and everything went back to normal :)

MySQL upgrade to Ubuntu 12.04

Ubuntu 12.04 LTS (Precise Pangolin) has updated MySQL to version 5.5, the update is not as straight forward as in other releases so some caution must be always taken.

Updating from MySQL 5.x

This is a fairly easy case. If you have any extra config in /etc/mysql/conf.d there’s a high chance that the new package will actually uninstall your old packages without replacing them, so be extremely careful with that; also check that all your parameters are in line with MySQL 5.5 syntax.

First of all once the upgrade to 12.04 is finished, check which packages for mysql-server are installed:

$ sudo dpkg -l | grep mysql-server
ii mysql-server 5.5.22-0ubuntu1 MySQL database server (metapackage depending on the latest version)
rc mysql-server-5.1 5.1.61-0ubuntu0.11.10.1 MySQL database server binaries and system database setup
ii mysql-server-5.5 5.5.22-0ubuntu1 MySQL database server binaries and system database setup
ii mysql-server-core-5.5 5.5.22-0ubuntu1 MySQL database server binaries

If you see all the 5.5 packages installed, congratulations, your upgrade was flawless. In any other case you’ll only see the mysql-server-5.1 package, so you’ll need to install the packages manually.

$ sudo apt-get install mysql-server-5.5

This should in all cases suffice to get MySQL server running again, provided there are no errors in your my.cnf.
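The two checks above, reading the dpkg state of the mysql-server packages and scanning my.cnf for options that 5.5 no longer accepts, as an added example that is not part of the original post. The dpkg output embedded below is a constructed sample in the same shape as the listing above; the helper names are my own, and the list of removed options (skip-bdb, skip-locking) comes from my own notes rather than from the post.

```ruby
# Constructed sample of `dpkg -l | grep mysql-server` output after a 12.04
# upgrade: the 5.1 server is in "rc" (removed, config files left) state and
# the 5.5 server is installed ("ii").
SAMPLE_DPKG_L = <<~OUT
  ii  mysql-server           5.5.22-0ubuntu1          MySQL database server (metapackage depending on the latest version)
  rc  mysql-server-5.1       5.1.61-0ubuntu0.11.10.1  MySQL database server binaries and system database setup
  ii  mysql-server-5.5       5.5.22-0ubuntu1          MySQL database server binaries and system database setup
  ii  mysql-server-core-5.5  5.5.22-0ubuntu1          MySQL database server binaries
OUT

# Map package name => dpkg state ("ii", "rc", ...) for the mysql-server packages.
def dpkg_states(text)
  text.each_line.each_with_object({}) do |line, states|
    state, name, = line.split
    states[name] = state if name && name.start_with?('mysql-server')
  end
end

# :ok when mysql-server-5.5 is fully installed, :install_5_5 when only the
# removed-but-configured 5.1 package is left (run apt-get install
# mysql-server-5.5), :unknown otherwise.
def mysql_upgrade_verdict(text)
  states = dpkg_states(text)
  return :ok if states['mysql-server-5.5'] == 'ii'
  return :install_5_5 if states['mysql-server-5.1'] == 'rc'
  :unknown
end

# Options removed before 5.5 that still show up in old my.cnf files and stop
# mysqld from starting with "unknown option" (list from my own notes).
REMOVED_IN_5_5 = %w[skip-bdb skip-locking].freeze

# Return the my.cnf lines whose option key is no longer accepted by 5.5.
def obsolete_mysql_options(my_cnf)
  my_cnf.each_line.map(&:strip).select do |line|
    key = line.split('=').first.to_s.strip
    REMOVED_IN_5_5.include?(key)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "dpkg verdict: #{mysql_upgrade_verdict(SAMPLE_DPKG_L)}"
  # Constructed my.cnf fragment carrying one obsolete option.
  puts "obsolete options: #{obsolete_mysql_options("[mysqld]\nskip-bdb\nkey_buffer = 16M\n").inspect}"
end
```

On a real host feed the functions `dpkg -l | grep mysql-server` and the contents of /etc/mysql/my.cnf plus everything under /etc/mysql/conf.d; an obsolete option in any of those files keeps mysqld from starting even when the packages look right.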

Updating from MySQL 4.x

In this case the binary structure changes slightly, so you’ll need to dump all your data and load it into a fresh new MySQL 5.5 instance. Unfortunately there’s not much way around this, and not following it can result in corrupt data.

Precise Pangolin (12.04 LTS) released!

Today Ubuntu 12.04 LTS (Precise Pangolin) has been released, this is a LTS release and as such the preferred choice for lots of sysadmin/devops folks like me.

In this release I’ve been involved in Cloudfoundry, but also in packaging puppet, mcollective, mcollective-plugins, rabbitmq-server, and ipxe. All of which I’m quite happy about, if you feel like yelling at someone you know where to find me.

This release also makes the official debut of juju as a stable technology. The slogan says it’s DevOps Distilled, but I see it more as a giant application deployer with amazing orchestration skills; all of them make it a great solution, which you can also mix up with your usual puppet and mcollective of course :)

Go ahead and take the tour, and start playing with it in the Cloud or on your computer.

The Oneiric Ocelot is here!

Finally Ubuntu 11.10 has just been released, this is the last version before our next LTS (12.04) so it’s a big technological preview.

You can take an online tour here http://www.ubuntu.com/tour/

In this version I’ve contributed packages in mcollective, puppet and rabbitmq, but most of all I’ve been working in Openstack, Juju and Orchestra, have a look and enjoy! The next LTS will be very exciting.

mcollective 1.0 plugins in natty

We’ve been working very intensively these last three months with mcollective on Ubuntu, and it’ll finally be available in natty, another great addition for this release alongside cobbler.

Unfortunately, our plugins package didn’t make it on time for the natty release freeze, which makes mcollective on natty’s release on Apr 28th a bit limited, but we have the package available for your enjoyment \o/.

In order to be able to install mcollective-plugins into your system you should add this PPA by executing:
add-apt-repository ppa:lynxman/mcollective-1.0-plugins-natty

Once you added the new repo you can see all the plugins available by running apt-cache search mcollective-plugins and install them based on your mcollective needs.

The DevOps movement

I’m quite intrigued by the new devops movement that has been arising lately in the ops community.

A devops is basically a sysadmin with a deep knowledge of several languages and in touch with the code running over the platform he’s providing, normally related to new trends in systems administration as the ones used by Facebook, Google, Twitter, etc.

I can’t say I don’t identify with this movement, since this is what I’ve been advocating for the last few years. I’m quite happy to see that it has finally got enough inertia to develop into a full fledged movement that will take the sysadmin field into a new era; I’m completely giddy with excitement.

If you want to read more about what devops is about I think these are some of the most interesting blogs to follow:
http://www.planetdevops.net/
http://londondevops.org/
http://vuksan.com/blog/

Also there are a couple of Google Groups, devops-toolchain and agile-system-administration.

Configuring samba server in Mac OS X Leopard

If you don’t have Mac OS X Leopard server you have a Samba implementation limited mostly to home directories and a lot of borking around, if you’re a typical Unix Admin as I am you’ll want to take things in your hands and add the shares you want yourself in the command line.

Leopard uses Samba 3 with its own authentication and locking methods connected to its auth layer and AFP locking, so a typical samba config file won’t work; it also has a dynamically modifiable part which is configured via System Preferences.

This is not the smartest method, nor one for the faint-hearted, but it’ll work if you’re used to Linux.

If you had samba already working on Tiger the changes are only at locking, vfs and user auth, which is what enables all the new Leopard system to work properly.

These are the exact changes from Tiger to Leopard:

# Changes affecting user mapping and authentication
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
obey pam restrictions = yes
security = USER
auth methods = guest odsam
ntlm auth = yes
lanman auth = no
use kerberos keytab = yes
com.apple: lkdc realm = LKDC:SHA1.xxx
realm = LKDC:SHA1.xxx
# Changes affecting the FS interaction and locks
vfs objects = darwinacl,darwin_streams
use sendfile = yes
ea support = yes
darwin_streams:brlm = yes
enable core files = yes
max smbd processes = 10
log level = 1
map to guest = Bad User

You want to take a look at the realm SHA1 strings since they’re dependent on your installation; you can always check the new /etc/smb.conf in Mac OS X Leopard and then merge it with your previous config, or replace the config as I did and just add this.

The Leopard samba configuration is brilliant, but at the same time limited, to push you to buy the Server version. It’s also interesting to play with the includes it adds, but this at least will get your previous samba config up and running fine.

Optimize network throughput on your Apple TV

This is especially helpful if you are using your Apple TV wireless adapter instead of plugging it directly into the network with an Ethernet cable.

This small tweak assumes that you already have sshd access to your Apple TV, if not please check out AwkwardTV on how to do that.

I had some problems watching HD DivX files in my AppleTV, they were skipping frames and freezing in the most awkward moments, I have all of my files in a mac mini and shared on the network using AFP. The files are mounted in the Apple TV using the ATVFiles plugin and the aTV-ShareMounter plugin.

What needs to be done to give the network buffers enough space is to tweak the kernel options at startup. As on Mac OS X, that is done by editing /etc/sysctl.conf, which in the Apple TV version of Mac OS X does not exist by default, so you’ll have to create it; don’t worry, I’ll put here two quick ways to do it.

How to edit /etc/sysctl.conf (if it does not exist)

First Option – The fast kamikaze strategy (will work for everybody, but be really careful!).

echo "kern.ipc.somaxconn=512" > /etc/sysctl.conf
echo "net.inet.tcp.mssdflt=1460" >> /etc/sysctl.conf
echo "net.inet.tcp.sendspace=98304" >> /etc/sysctl.conf
echo "net.inet.tcp.recvspace=98304" >> /etc/sysctl.conf
echo "kern.ipc.maxsockbuf=1048576" >> /etc/sysctl.conf
echo "net.inet.udp.maxdgram=57344" >> /etc/sysctl.conf
echo "net.inet.udp.recvspace=42080" >> /etc/sysctl.conf
echo "net.local.stream.sendspace=98304" >> /etc/sysctl.conf
echo "net.local.stream.recvspace=98304" >> /etc/sysctl.conf
echo "net.inet.tcp.delayed_ack=0" >> /etc/sysctl.conf
echo "net.inet.tcp.rfc1323=1" >> /etc/sysctl.conf
echo "net.inet.tcp.rfc1644=1" >> /etc/sysctl.conf
echo "net.inet.tcp.newreno=1" >> /etc/sysctl.conf

Second Option – The slow wise monk strategy (this will work in all cases)

Edit a sysctl.conf on your computer (just be sure that if you’re on a POSIX system you’re not editing your local /etc/sysctl.conf).

Add these values to the file

kern.ipc.somaxconn=512
net.inet.tcp.mssdflt=1460
net.inet.tcp.sendspace=98304
net.inet.tcp.recvspace=98304
kern.ipc.maxsockbuf=1048576
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=42080
net.local.stream.sendspace=98304
net.local.stream.recvspace=98304
net.inet.tcp.delayed_ack=0
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.newreno=1

Copy it to your Apple TV through scp and make sure it ends up in its correct position at /etc/sysctl.conf on your Apple TV

The changes you do will be available on the next reboot, I find it better to do it this way so you’re 100% sure that all the changes are loaded at the same time.

I hope this solves Leo Laporte streaming problems to his Apple TV ;)

Trunking between a Cisco Catalyst and a 3Com SuperStack

Trunking between these devices is problematic at best: the meaning of trunk in the 3Com is not the same as in the Catalyst, and the vlan methods are not the same either.

A trunk in the 3Com SuperStack is port aggregation between two 3Com devices, whereas in the Cisco it is really a downlink trunk; luckily both devices speak 802.1q, so the trunk configuration shouldn’t be a big problem.

First of all we need to establish the trunk port between the Catalyst and the SuperStack, so we’ll start by defining the port in the Catalyst.

interface FastEthernet0/14
description Trunk to 3com 3300
switchport access vlan 905
switchport trunk native vlan 905
switchport trunk allowed vlan 10,11,13,14
switchport mode trunk
speed 100
duplex full

Some considerations on this config. It’s always recommended by Cisco, and security-wise, to use a vlan other than vlan 1 for trunking, which is what we’re doing here; we’re also restricting which vlans we will accept and retransmit to the 3Com switch.

There’s a huge implementation difference in trunk transmission between Cisco and 3Com: the 3Com switches tag all the vlans by default, but the Cisco switch won’t tag the trunk (native) vlan, which is a really annoying factor that made me waste some hours!

The trick resides in adding all the vlans tagged into the port that you’re using as a trunk, you don’t really need to add the trunking vlan that you configured back on the cisco, it doesn’t work that way. So let’s add one by one all the vlans in the trunk port. In order to do that we need to use the bridge menu in the 3com switch.

Select menu option (bridge/vlan): addPort
Select VLAN ID (1-4094) [1]: 10
Select Ethernet port (1-12, all): 12
Enter tag type (none, 802.1Q) [802.1Q]: 802.1Q

Repeat this in the trunk port for each vlan you’re adding in the Cisco trunk side. When you have your trunk port configured properly (also be careful with duplex and speed configs) you just need to add the ports into the vlan untagged. So let’s say we want to add port 1 to the vlan 10.

Select menu option (bridge/vlan): addPort
Select VLAN ID (1-4094) [1]: 10
Select Ethernet port (1-12, all): 1
Enter tag type (none, 802.1Q) [802.1Q]: none

As soon as that’s done the port will be talking head to head with all the other ports in vlan 10 also in the Cisco switch.

The difficult thing is making the 3Com switch accessible through an IP address, since the 3Com switch will only publish its public IP address through VLAN 1; this one is a tough cookie.