16 Set 11 How to change drupal 6 admin password
Changing the password of the “admin” user on drupal 6 it’s as simple as to run this mysql query:
UPDATE users SET pass = md5(‘YOUR__NEW_PASSWORD‘) WHERE uid = 1;
Hope to help someone in big problems because of a unknown/lost drupal password.
Ciao, Dino.
16 Set 11 Lettera del Sindaco di Roma ai suoi cittadini
Oggi leggendo la posta elettronica ho visto una mail proveniente niente popò di meno che dal Sindaco di Roma Giovanni Alemanno.
Si tratta della protesta che stanno facendo molti Comuni italiani dopo i gravi tagli previsti dalla manovra finanziaria del Governo italiano.
Segue la trascrizione del testo:
I TAGLI AI COMUNI SONO TAGLI AI TUOI DIRITTI
Carissimi cittadini,
oggi ho comunicato al Prefetto e al Ministro dell’Interno che Roma Capitale non è
più in grado di garantire i servizi ai cittadini. Come è stato deciso
dall’Associazione Nazionale Comuni Italiani (ANCI), chiuderò simbolicamente
l’ufficio Anagrafe e stato civile come stanno facendo quasi tutti i miei colleghi Sindaci.
Si tratta di una forma di protesta molto forte, alla quale i Comuni italiani
sono arrivati perché, fino ad ora, non sono riusciti a far cambiare in modo
significativo una manovra economica necessaria ma troppo pesante per le
istituzioni territoriali.
Non vogliamo peggiorare la qualità della vostra vita ma cercare di migliorare
i servizi e difendere i vostri diritti.
Infatti, fino a quando sarà possibile tutti i servizi saranno garantiti grazie
allo sforzo della struttura comunale.
Oggi non è più possibile percé si preferisce togliere ai Comuni invece di
andare a vedere dove le risorse si sprecano realmente.
Ogni anno i Comuni portano soldi alle casse dello Stato per un totale di oltre
3 miliardi di euro. Queste risorse si perdono in mille rivoli, mentre noi veniamo
costretti ad aumentare le tasse o a chiudere i servizi.
Ho deciso di scrivervi perché ognuno di voi possa rendersi conto che la
protesta che Roma Capitale e l’ANCI stanno facendo non è una polemica politica
o una rivendicazione istituzionale.
Al contrario il nostro obbiettivo è solo quello di trovare un nuovo accordo con
il Governo per rendere le nostre città e il nostro Paese sempre più solidi,
competitivi e vivibili.
Per ulteriori informazioni potete consultare il sito www.anci.it.
Un cordiale saluto.
Il Sindaco di Roma
In qualità di Ufficiale di Governo
(Giovanni Alemanno)
Alemanno: I tagli ai Comuni sono tagli ai tuoi diritti
15 Set 11 How to compile apache httpd 64 bits on Solaris 10 sparc
As usual we try to consider the “do it right (r)” way of doing configurations.
Today we will compile Apache HTTPD on Sun Solaris 10 OS (SPARC).
The first thing to do is to install the gcc c compiler if it is not already installed.
To do so, download and install the package from www.sunfreeware.com. Double read the package release notes.
You have to download the latest gcc package and its dependencies. You probably will need also libiconv and libintl.
Now download openssl-0-9.X package.
For each downloaded package install it with the command: dpkg -d <full_path>/your_package
When finished, go into your apache source directory and:
export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/local/lib/sparcv9
export PATH=/usr/sfw/bin:/usr/ccs/bin:/usr/local/ccs/bin:/usr/local/bin:$PATH
# if you want it 64 bits:
export CFLAGS=”-m64″
# if you want it 32 bits:
# export CFLAGS=”-m32″
export LDFLAGS=”-L/usr/sfw/lib/sparcv9″
./configure –with-included-apr –with-expat=builtin –prefix=<your_installation_path> –enable-mods-shared=most –enable-ssl –with-ssl=/usr/sfw –enable-proxy –enable-proxy-connect –enable-proxy-http –enable-proxy-balancer
If the configure process terminated successfully, you can now call:
make
When finished, as usual, call:
make install
I recommend you to use gnu make. You can download it from sunfreeware.
Now, if everything gone ok, you can try to start your brand new 64 bits apache full of powerfull modules.
You may want to set your LD_LIBRARY_PATH variable into <apache>/bin/envvars file so that apachectl can find all the library it needs to start or stop the server.
Ciao, Dino.
12 Set 11 How to install the “Apache Tomcat Native” libtcnative module
The Apache Tomcat Native module, also called “TC-Native library” or “libtcnative”, is a library that implements HTTP, HTTPS and AJP connectors in tomcat using the Apache APR library. This ensure great scalability and performance because permits tomcat to access server native technologies like openssl, system calls like sendfile() or epoll(), advanced I/O, OS level functionality and native Inter Process Communication.
To install libtcnative you must first have a working C compiler environment, a valid “apr” and “openssl” installation with the development libraries, a working apache tomcat 6.0.X and a Java JDK.
On debian it’s as simple as to run:
apt-get install build-essential libapr1-dev libssl-dev
The libtcnative source software can be found in the Tomcat binary bundle, in the bin/tomcat-native.tar.gz archive, but if you want the latest version you can find it here: http://tomcat.apache.org/native-doc/
Untar the tomcat-native archive, then:
cd tomcat-native-1.*/jni/native
./configure –with-apr=`which apr-1-config` –with-java-home=$JAVA_HOME –with-ssl=yes –prefix=$CATALINA_HOME
If you want or need to, you can pass the correct path of APR and OpenSSL libraries to the –with-apr and –with-ssl parameters.
CATALINA_HOME and JAVA_HOME are the path of the Java JDK and Tomcat installations.
After the configure script succeeded, you have to:
make
make install
Now, the libtcnative library should be correctly installed into “$CATALINA_HOME/lib”.
If you want you can now configure tomcat with the new connectors parameters.
The official project page of libtcnative is here: http://tomcat.apache.org/native-doc/
The documentation page of the tomcat 6 APR native functionality is here: http://tomcat.apache.org/tomcat-6.0-doc/apr.html
Hope this help someone to speed installation.
Ciao a tutti, Dino Ciuffetti.
08 Set 11 orientdb.sh: line 52: return: can only `return’ from a function or sourced script
If you are using the powerful orientdb engine on linux/unix you may catch the following error when executing bin/orientdb.sh:
./orientdb.sh: line 52: return: can only `return’ from a function or sourced script
This is because of bash that does not permit the use of “return” from the main script body.
I prepared (and published to the orientdb list) a small patch that you can use if you don’t want to recompile the entire orientdb engine to solve this simple problem.
The problem it’s solved in SVN revision 3804 or greater.
07 Set 11 How to map DNS responses based to user’s geo location
In this short abstract I’ll show you how did I make my work on trying to create a highly scalable, geo localized and distributed system using the DNS.
What we are going to create is a simple but powerful DNS system that can handle queries for a domain returning records based on the user’s geo location.
To accomplish this task we have to choose a good opensource DNS server. My choice was powerdns (http://wiki.powerdns.com/trac).
Powerdns is a great piece of software. It’s a powerful DNS server daemon that can be configured to fit in different DNS environments.
You can save domain zones into different backends (MySQL, Oracle, bind zone file, ldap, etc), and you can have primary and secondary DNS servers with automatic zone replication. This is all what you need to create a full featured DNS system.
One of the powerdns backends do accomplish the geo lookup task, and it’s called “geobackend” (http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/geobackend/README).
Our test environment will consist in a primary DNS server (powerdns as a master), a secondary DNS server (powerdns as a slave) and a geo lookup DNS server (powerdns as master with geobackend enabled). We will enable automatic zone transfer between the primary and the slave server, so that if you add a new record on the master it will be automatically created on the slave.
So, we need 3 servers with powerdns installed. The installation process may be different in each case, but if you are using debian, the task can be as simple as running by root the following command:
apt-get install pdns-server
Now you need the backend where you will save the zone data. May be you want to choose “MySQL” for the master and “bind format file” for the slave DNS. The geo dns server will not need a zone backend because its single task is to retrieve the caller’s IP address and fetch its geographic location from a particular location file, then lookup this location from a map file and return back to the calling user the associated CNAME record that’s into the map file.
A quick brain guideline is given below.
My system (yourdomain.com) is composed like this:
ns1.yourdomain.com (primary DNS server with mysql backend)
ns2.yourdomain.com (secondary DNS server with auto zone replication on bind zone file)
ns1.geo.yourdomain.com (geo lookup DNS server with geobackend)
I executed the steps below:
On ns1.yourdomain.com you have to:
1) install powerdns with the gmysql backend
2) install MySQL server, create a database and grant a user on that DB
3) configure powerdns as master, with gmysql backend connecting to MySQL
4) please note that this server is authoritative to the “yourdomain.com” zone
5) delegate the “geo” zone with a NS record to the geo dns server: “geo IN NS ns1.geo.yourdomain.com”
6) create the glue record for the geodns with the record: “ns1.geo IN A ip_geo_dns_server”
On ns2.yourdomain.com you have to:
1) install powerdns with the bind backend
2) configure powerdns to be a slave with bind backend and enable ns1.yourdomain.com as a supermaster
3) please note that this server is authoritative to the “yourdomain.com” zone
On ns1.geo.yourdomain.com you have to:
1) install powerdns with the geo backend
2) configure powerdns as master with geobackend
3) please note that this server is authoritative to the “geo.yourdomain.com” zone
4) create a map file to handle the association between your country location (eg: uk) and the CNAME that the server will reply
5) download the location database zone, for example I use: zz.countries.nerd.dk (http://countries.nerd.dk/)
If you need how to do that in details please do not hesitate to write me a email. You will find it into my contact page.
Ciao, Dino.
31 Ago 11 CVE-2011-3192 – Apache killer DOS vulnerability
Hi people. On August 2011 has been discovered that apache httpd server is vulnerable to a simple to perform DOS attack. A simple perl exploit has been released called apache killer that make a big number of parrallel crafted HTTP calls (HEAD method) with the “Range” header. This make possibile to the attacker to consume memory and cpu on the attacked server bringing apache and the system down in no time. The attacker does not need large bandwidth to perform the attack.
Anyone using apache httpd in production environment is encouraged to upgrade to the latest apache version that solve the security problem.
If you cannot upgrade to >= 2.2.20 you can use mod_rewrite to deny requests with the Range header like the rewrite regexp below. This is what you need on your httpd.conf:
RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* – [F]
You can find the exploit script on google. I will not put it here.
Ciao, Dino.
12 Ago 11 Apache: [error] (28)No space left on device: Cannot create SSLMutex
When you work as a horizontal support tech consultant for a very big company you may have to do with people that has basic linux/opensource knowledge and commercial system stuff (win, unix) skills. You may even have to do (… !?!?) with very prepared people (…).
Someone here takes care of apache installations and apache itself is very robust and stable so we all can sleep quietly, the problem comes out when someone with less OS system skills fires “kill -9” on apache processes to stop it.
[Thu Aug 11 17:47:01 2011] [error] (28)No space left on device: Cannot create SSLMutex
Configuration Failed
And apache does no longer come up and running.
The trouble may be weird because one could read “No space left on device” without reading the real error message: “Cannot create SSLMutex”.
But the problem is really easy to understand if you try to figure out what is going on at syscall OS level when apache starts up. This can be done with “strace” command on linux (“truss” or “tusc” on other expensive unix environments…).
The problem is caused by IPC SysV semaphores still standing up on the system from the previous apache kill.
The definitive solution here is to stop apache with “apachectl” command or calling “kill -15” (and not kill -9 !!!!) on the apache father process. This way you are instructing apache to stop gracefully, the father kills his childs and cleanup semaphores and the like, the clean way.
To solve your problem you have to cleanup hanging semaphores. You could reboot linux, but this is avoided on any serious environment, so which is the magic command?
If apache runs with “apache” user you can call this command to clean up semaphores created by the “apache” user:
ipcs -s | grep apache | perl -e ‘while (<STDIN>) {@a=split(/\s+/); print `ipcrm sem $a[1]`}’
You could do “ipcs -s | grep apache” to see the semaphores first, and then call ipcrm on each to clean it up.
Try to start apache now and the problem would solve.
The other way is to change the apache serialization mechanism from semaphores to pthread mutexes or fcntl. To do so you have to:
1) set “AcceptMutex fcntl” on httpd.conf
2) set “SSLMutex pthread” on httpd-ssl.conf
Hope this help someone… 🙂
Ciao, Dino.
09 Ago 11 DNSBL GeoIP service at countries.nerd.dk
I recently discovered a wonderful DNSBL service reporting you where public Internet IPs are from.
The service is countries.nerd.dk: http://countries.nerd.dk/more.html
You can for example block any mail at your mailserver coming from china or russia, simply integrating this DNSBL with your MTA.
You can even get the country of your IP with dig!
Warning: You need to swap IP octets. If for example the IP to check is 192.162.132.171, you have to call 171.132.162.192.zz.countries.nerd.dk.
root@nbvirtdns1:/# dig TXT 201.65.24.151.zz.countries.nerd.dk
…
201.65.24.151.zz.countries.nerd.dk. 1047 IN TXT “it”
…
04 Lug 11 How to use Huge Pages with Java and Linux
Hi.
Today we get how to use Huge Pages with Java from a Linux powered system.
While a Linux system generally splits memory segments into pages of 4 kb, Huge Pages are memory pages large 2Mb or more.
This is proved to increment speed when the application make use of large quantity of ram, like Java with a large heap (2 GB or more).
It’s correct to say that this is not always the correct configuration choice because the memory setted to be dedicated to Huge Pages cannot be accessed by the kernel (buffer cache) or by the applications, so that memory is subtracted from the virtual memory pool of the system. Since it’s very fast to make it a try and decide if use it or not, let me play with it.
Here in this example we will set 2,5 GB of RAM to be used as Huge Pages. Your mileage may vary.
HPM (huge page memory) is expressed in GB.
First: set the quantity of memory (bytes) to be defined as a shared memory segment
This is quickly found calculating this simple formula: ((HPM * 1024 * 1024 * 1024) – 1).
In our example: ((2,5 * 1024 * 1024 *1024) – 1) = 2684354559
Set it up online with this command:
echo 2684354559 > /proc/sys/kernel/shmmax
If you want to set it permanent at the next system reboot, append those two lines to your /etc/sysctl.conf file:
# Shared memory – max segment size: 2,5 Gb (-1 b)
kernel.shmmax = 2684354559
Second: set the number of reserved large memory pages
This is the number of reserved pages. Each page is large 2 Mb, so finding the number of pages to reserve is simple:
((HPM * 1024) / 2). In our example: ((2,5 * 1024) / 2) = 1280
Set it up online with this command:
echo 1280 > /proc/sys/vm/nr_hugepages
If you want to set it permanent at the next system reboot, append those two lines to your /etc/sysctl.conf file:
# Enable kernel to reserve 2,5GB / 2Mb large pages
vm.nr_hugepages = 1280
Third: set the system group id enabled to use huge pages
Java programs usually should not be fired by the root user. In my case, the group id of my program is “1001”.
Set it up online with this command:
echo 1001 > /proc/sys/vm/hugetlb_shm_group
If you want to set it permanent at the next system reboot, append those two lines to your /etc/sysctl.conf file:
# System group id that can use huge pages (hugepages gid: 1001)
vm.hugetlb_shm_group = 1001
Fourth: run the java program with the Huge Page support
In our example we are using the JVM distributed by Oracle. Other Java vendors may use different parameters to enable Huge Pages. They can even call Huge Pages differently.
The program can now be fired with “-XX:+UseLargePages -XX:LargePageSizeInBytes=2m”
My complete java parameters for my java program are:
java -d64 -server -Xms1900m -Xmx1900m -Xss192k -XX:+UseLargePages -XX:LargePageSizeInBytes=2m -XX:+UseParNewGC
Ciao ciao.
Dino Ciuffetti.
Follow me!
Stack Overflow
IPv6 Certified (he.net)