Blog di Bernardino (Dino) Ciuffetti

30 Set 15 apache [error] (13)Permission denied: Cannot create SSLMutex

On one of the servers of one of my clients, a Solaris 5.8 sparc host, apache did not want to start.
It wrote the following error message on the error_log file:
cojo1@myserver $ cat error_log
[Wed Sep 30 12:24:11 2015] [error] (13)Permission denied: Cannot create SSLMutex

The problem, in my case, was about the permissions on /tmp.
Since these machines can be accessed by hundred people, someone thought well to change /tmp permissions to 0775. Everybody knows that if whould be 1777 instead.
The lack of both the sticky bit and write permissions to other did not make apache starting for non root users.

Hope this help someone.
Ciao, Dino.

27 Gen 15 How to get the device mapper name associated to LVM logical volumes

This is how to get the device mapper name (dm-1, dm-2, etc) associated to each LVM logical volume:

lvdisplay|awk '/LV Name/{n=$3} /Block device/{d=$3; sub(".*:","dm-",d); print d,n;}'

15 Nov 14 Dump and restore block device data on the fly by the network

Sometimes you may need to copy data from a block device (or LVM logical volume or snapshot) from one server to another., but you don’t want to dump the image to disk, move to the other server, then import. You may need (or just want) to copy on the fly, transfering data on the net.

To do this, and have ETA on the operation you need the pv executable. The command nc is used to stream data on the network, while pigz is used to compress data (gzip uses just one CPU, while pigz uses all available CPU, and it’s much faster).

On the origin server (server1) you have a block device (lvm logical volume in this case) called /dev/vg0/vm-111-disk-1, while on the destination server (server2) you want to overwrite a LVM logical volume called /dev/vg0/vm-112-disk-1 with data coming from the origin server.
To do this, assuming the device is big 20GB, you may run those commands:

Server side (destination server, server2, ip

nc -l -n -p 2102 -q 2 | pigz -d | pv -pre –size=20G | dd iflag=fullblock bs=512k of=/dev/vg0/vm-112-disk-1

Client side (origin server, server1,

dd if=/dev/vg0/vm-111-disk-1 bs=512k | pv -pre –size=20G | pigz | nc -q 2 2102

Data will be read, compressed, transfered on the network on (port TCP 2102 on our case, from to, uncompressed on the destination server and restored on disk, and you’ll have ETA and progress indication:

Output server side (destination server, server2):

root@server2 ~ # nc -l -n -p 2102 -q 2 | pigz -d | pv -pre –size=20G | dd iflag=fullblock bs=512k of=/dev/vg0/vm-112-disk-1
[71.2MB/s] [=========================================================================================================================================>] 100%
40960+0 records in
40960+0 records out
21474836480 bytes (21 GB) copied, 296.436 s, 72.4 MB/s

Output client side (origin server, server1):

root@server1 ~ # dd if=/dev/vg0/vm-111-disk-1 bs=512k | pv -pre –size=20G | pigz | nc -q 2 2102
40960+0 records
40960+0 records out
21474836480 bytes (21 GB) copied, 283.531 s, 75.7 MB/s

30 Ott 14 WPA2 connection without NetworkManager in Debian linux

This is a memo that I can use to remember how to enable WPA2 protected WiFI connections with debian without using NetworkManager.

All that you have to do is:

  • create the file /etc/wpa_supplicant/wpa_supplicant.conf with the following content:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

ssid=”My WiFI SSID”
psk=”mysupersecret password”
pairwise=CCMP TKIP

  • if you want to set a static IP, add the following content to the file /etc/network/interfaces

iface wlan0 inet static
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

  • if, instead, you want a dynamic address assigned by a DHCP server, add the following to /etc/network/interfaces

iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

  • now, setup the connection with this command by root (sudo before the command if you are on ubuntu):

ifup wlan0

  • when you have finisched with the connection, close it up with the command by root (sudo before the command if you are on ubuntu)

ifdown wlan0


28 Ott 14 Best rsync options to mirror a remote directory

If you want to mirror a remote directory via SSH, you may want to use the wonderful rsync command.

The rsync executable has many options, so, which is the correct option list to make an exact copy of a remote directory, maintaining permissions, ownerships, timestampts, copying only the modified files, and updating only the pieces of modified files?

Let me begin with an example. We want to full mirror the directory /mystuff on server into /mystufflocal. The files deleted on from the previous rsync will be removed locally too, so pay attention! If you don’t want to locally remove deleted files you can remove the “–delete” option.
If you want to compress the stream in transit you can add the “-z” option.
All we have to do is:

rsync -vartuh –inplace –delete –progress –stats -e “ssh -carcfour128” root@ /mystufflocal/

The trailing slashes are important because are used by rsync to understand precisely what should be transferred and where.

27 Ago 14 Squid: how to get rid of “All url_rewriter processes are busy”

If you check your squid forward (transparent or not) proxy log files you may found errors like those:

WARNING: All url_rewriter processes are busy.
WARNING: up to 6 pending requests queued

This is true if you use the directive “url_rewrite_program”, for example with SquidGuard.
In this case, squid tells you that it cannot spawn more helper processes to externally scan your requests in parallel, so it’s queuing your requests.
This is not a great problem, but you may be annoyed to see this stuff in your log files, or there are cases in which the default may be too low!

You may raise this limit with the parameter called url_rewrite_children.

To solve, add something like this to your squid.conf configuration file, and restart squid:

url_rewrite_children 32

Ciao, Dino.

21 Ago 14 How to enable apache NameVirtualHost with SSL

If you want to create name based virtualhosts in apache with SSL Certificates, you need openssl with SNI and TLS support (0.9.8f or better) and good apache 2.2.X version.

It’s a simple task, after you’ve read this official article:

12 Giu 14 How to declare a read only variable in bash

I didn’t know that it was possible to declare a read only variable in bash.

It’s as simple as to run the following statement:

declare -r a=10

This will create a read only variable called $a with value 10 that you cannot overwrite or unset.

21 Feb 14 HOWTO generate a SAN (Subject Alternative Names) SSL CSR with OpenSSL

There is a cool SSLv3 protocol extension that’s called SAN (Subject Alternative Names). With this extension you can create a single SSL X509 certificate that is valid for several domain names, instead of a classic certificate that’s valid for one domain name only.

You can ofcourse create this kind of certificate with OpenSSL. We are now going to see how to do that.
Fist you have to create a file called openssl.cnf and put it for example into a temporary dir. The file should begin with:

distinguished_name = req_distinguished_name
req_extensions = v3_req

This is to enable SSLv3 req extensions.
Now, you have to add your custom informations to the openssl.cnf file: those informations will be reflected on the next steps.
Add something like this to openssl.cnf:

countryName = Country Name (2 letter code)
countryName_default = IT
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Italy
localityName = Locality Name (eg, city)
localityName_default = Rome
organizationName = Organization name
organizationName_default = My company name Srl
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = System Techies
commonName = Common Name (eg, YOUR name)
commonName_max = 64
#commonName_default =
emailAddress = Email Address
emailAddress_max = 40

The informations above are used by the “openssl req” command to ask you data to generate your certificate request.
Then, add this block of informations into the openssl.cnf file:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

Those informations will enable some extra useful things on your certificate request that will hopefully became valid on your brand new SSLv3 certificate. For example you are requesting your Certification Authority to release a X509 SSLv3 certificate with server and client authentication purposes, plus other certificate goodies.

Now the cool part: this is where you are asking your CA to release a certificate with Alternative Names (certificate valid for several domains). Append this stuff in openssl.cnf:

DNS.1   =
DNS.2   =
DNS.3   =
# you could also specify IP addresses like this:
# IP.1 =

OK. You are almost ready to create your CSR, but first you have to generate your private key.
NOTE that many CA are now requesting a private key of 2048 bits or more. Warned: a key of 1024 bits is not recommended!
To generate a 2048 bits private key, as usual, execute this command:

openssl genrsa -out server.key 2048

Perfect. It’s time to create the Certificate Request (PKCS#10) with SSLv3 extensions:

openssl req -new -out server.csr -key server.key -config openssl.cnf

Now, send your new server.csr file to your Certification Authority that will hopefully accept the request and relase a valid X509 SSLv3 certificate with SAN.

Good luck and enjoy.

05 Dic 13 As you can see, this site is reachable via IPv6!

If you are using IPv6 (like me) you can see that this blog is reachable via IPv6. Pretty cool!

ipv6 ready