Category Archives: Linux - Page 2

Nagios plugin for TEMPer USB thermometer

As I said in a previous post, I finally got my TEMPer USB thermometer to work on Fedora, thanks to a patch by Tollef Fog Heen that has now been incorporated into the Fedora kernel.

I’m not familiar with C so I only made minor tweaks to Tollef Fog Heen’s code, which returns a temperature as a number. I wrote a wrapper in Perl that crudely interfaces this program to Nagios. In reality, I should wise up on my C a little and write the whole thing in C. When I do this, I’ll submit it to Monitoring Exchange.

For the time being, I’ll publish my Nagios plugin on this blog, in the hope that it might be useful to someone, despite being incredibly hacky.

First you’ll need the code for the program that reads the temperature from the TEMPer. Compile it like this:

g++ -o get_temper TEMPer2.c

Note that the path to the TEMPer device is hard-coded in the C source. If yours isn’t at /dev/ttyUSB0 then you’ll need to change the source before compiling.

Then download my Nagios plugin (check_temper), and put both the plugin and the program get_temper in your Nagios plugin directory. This is likely to be /usr/local/nagios/libexec if you built from source, and /usr/lib/nagios/plugins if you installed from RPM in the Fedora repository.

Now all you have to do is the usual Nagios magic for adding any other plugin. Simple!

Update

Forget all that you’ve read above! I’ve now rewritten the entire plugin in C, so there is no need for the Perl wrapper. You can download it from MonitoringExchange.

TEMPer USB thermometer on Linux

Some time ago I bought a cheap USB thermometer called TEMPer. I was disappointed to find that it didn’t work on Fedora. It would only work on Windows using a poor piece of proprietary software.

I eventually found the blog of Tollef Fog Heen, who had managed to get his TEMPer to work. Unfortunately his solution involved patching and compiling a kernel.

However since then, it seems his patch has been integrated into the stock Fedora kernel and it is now possible to read the temperature from it.

The TEMPer device appears to be a USB-serial adapter, with a serial I2C device at the end of it. It’s not straightforward to extract the temperature from it, but Tollef Fog Heen has written a simple C program to return the temperature.

His program polls the TEMPer every second and prints the temperature to the command line. It doesn’t stop until you kill the program. I made a couple of tweaks to the code so it prints the temperature once, formatted as a raw number with no extra text, and then quits. You can find my modified source here.

Disclaimer: I don’t know C. I haven’t changed any of the logic of the code, only the way it prints the output. If the code is buggy, it wasn’t me! ;)

Now I have an executable that returns the temperature from the TEMPer, I can think about building some application that could use this. How about a Nagios plugin?

Escaping usernames during RADIUS accounting

Today I encountered a problem in my FreeRADIUS setup. Usernames can be sent to my RADIUS servers as a simple username (e.g. jonathan) or with a realm prepended (e.g. DOMAIN\jonathan).

When a username with a realm gets sent to a RADIUS authentication server that is doing MSCHAP, the domain is automatically stripped and you never notice. But when it gets sent to an accounting server (clearly no MSCHAP) there is no stripping or escaping done automatically.

This caught me out.

Users were authenticating on my network successfully. DOMAIN\rachel and DOMAIN\thomas were happily authenticated against the domain controllers and gained access to the wireless. But when they started sending accounting packets, the \r and \t portions of their usernames were sent to the database unquoted, where they were interpreted as a Unix newline and a tab respectively.

Eeek!

I didn’t notice until I saw that MySQL had converted these \r and \t characters to the hex equivalents. Where my accounting table should have contained rachel, it actually contained DOMAIN=0Dachel.

Yikes!

I fixed this by creating a local proxy realm. At the end of my proxy.conf, I added these lines:

realm DOMAIN {
}

Obviously substituting DOMAIN for the real name of my domain.

Then in the preacct section of my virtual server I added the module ntdomain, which populates the variable %{Stripped-User-Name} with the username from %{User-Name} minus its domain part.

Now, looking at the top of whichever dialup.conf suits your database architecture, make sure the following line is uncommented:

sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"

…and that all other definitions of sql_user_name are commented.

Once you’ve done this, your accounting detail logs will contain usernames like DOMAIN\\username (with an escaped backslash) and your database table will simply have username.
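
To make the failure and the fix concrete, here is a small Python model of the accounting path described above; it is an added illustration, not code from this post, FreeRADIUS or MySQL. The function names, the known_realms parameter and the sample usernames are assumptions, and mysql_literal_value mimics MySQL's default backslash-escape handling inside a quoted string literal.

```python
# Added illustration: a model of the behaviour the post describes,
# not FreeRADIUS or MySQL source code.

# Backslash escapes MySQL expands inside a quoted string literal
# (default sql_mode, i.e. NO_BACKSLASH_ESCAPES is off).
MYSQL_ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}

def mysql_literal_value(body):
    """Return the value MySQL stores for the text between the quotes."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in "%_":                      # kept as-is outside LIKE patterns
                out.append(ch + nxt)
            else:                                # unknown escapes just lose the backslash
                out.append(MYSQL_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def ntdomain_split(user_name):
    """Split 'REALM\\user' on the first backslash (assumed model of ntdomain)."""
    realm, sep, user = user_name.partition("\\")
    return (realm, user) if sep else (None, user_name)

def sql_user_name(attrs):
    """%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} as a fallback chain."""
    return attrs.get("Stripped-User-Name") or attrs.get("User-Name") or "DEFAULT"

def stored_username(user_name, known_realms=()):
    """Username as it lands in the accounting table for a given User-Name."""
    attrs = {"User-Name": user_name}
    realm, user = ntdomain_split(user_name)
    if realm in known_realms:                    # realm DOMAIN { } in proxy.conf
        attrs["Stripped-User-Name"] = user
    return mysql_literal_value(sql_user_name(attrs))

def has_control_chars(value):
    """Flag rows already damaged by an expanded escape sequence."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)

if __name__ == "__main__":
    for name in ("DOMAIN\\rachel", "DOMAIN\\thomas", "DOMAIN\\jonathan", "jonathan"):
        before, after = stored_username(name), stored_username(name, {"DOMAIN"})
        print(f"{name!r}: before={before!r} after={after!r} damaged={has_control_chars(before)}")
```

Usernames whose first letter is not an escape character are damaged too in this model: the backslash is silently dropped, and has_control_chars will not catch those rows.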

Upgrading samba breaks it

I have a samba fileserver which has been happily running for a couple of years with identical config but on different versions of samba, and on Fedora and CentOS.

The latest incarnation was running samba 3.2.11.

But the other day, my samba package was upgraded to 3.4.1.

Samba shares on the server immediately stopped working, and access is now denied to all users.

I looked at the config and nothing has changed during the upgrade.

I looked at the logs and no access attempts are recorded; no errors are logged.

I noticed that the new template config file is a little different from previous versions, so I made the necessary changes and migrated my config to the new file. No change to samba’s behaviour at all.

For a while I wondered if I had a rogue samba server on my network, but stopping my samba service causes requests to time out rather than be denied. So it’s definitely my samba daemon that’s responding, but goodness knows why it’s behaving like this.

Restarting samba puts the following in the log file:

[2009/10/02 10:33:54,  0] smbd/server.c:1065(main)
smbd version 3.4.1-0.41.fc11 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/10/02 10:33:54,  0] smbd/server.c:457(smbd_open_one_socket)
smbd_open_once_socket: open_socket_in: Address already in use
[2009/10/02 10:33:54,  0] smbd/server.c:457(smbd_open_one_socket)
smbd_open_once_socket: open_socket_in: Address already in use

I will keep hunting until I find what’s caused this. Unfortunately I can’t watch any of my recorded TV programmes until then!

I’ll post back here when I’ve tracked it down.

Update: I managed to get Samba working again. Sort of. This is a snippet from my now-working smb.conf:

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

security = user
#       passdb backend = tdbsam
passdb backend = smbpasswd

As you can see, after yum upgraded Samba and switched it to tdbsam, I simply reverted to the older smbpasswd authentication, and my shares magically sprang back to life. It’s a shame, because I don’t like going backwards. I like going forwards – hence I run Fedora.

I can confirm that this “fix” works with the latest version of Samba at the time of writing – version 3.4.2.

So despite the claim that tdbsam requires no extra configuration, clearly there’s more to it than that. I will once again post back here when I’ve found a way to enable tdbsam without breaking everything. :)

SSH tunnelling to your home network

SSH tunnelling is no big secret, and there are loads of guides out there that explain how it is done in generic terms. This guide is slightly different, as it explains how to tunnel to hosts that are not publicly addressable.

For example, if you have a Linux server as your home network gateway then you can simply open ports on it, e.g. port 80 for a web server.

If you want to access a service on a computer on your network other than your server, you will have to set up port forwarding.

But there’s another way. Today while I was at work, I needed to change something on my home network printer’s web interface. The printer has a private IP address in the range 192.168.0.0/24 and there is no port forwarding set up (why would I want to share my printer’s control panel on the internet?).

Supposing my server is called jonathangazeley.com then I can enter a command like this from my work PC:

ssh -f jonathan@jonathangazeley.com -L 2000:192.168.0.105:80 -N

This command sets up port 2000 on localhost to point to port 80 on my printer at home.

Then I open my browser at work and navigate to http://localhost:2000

Hey presto, I can now see my printer’s config page remotely. As a nice by-product, the connection is also encrypted by the ssh protocol.

Configuring sendmail to use a Smart Host

Chances are if you have a Linux server in your home, you’ll want it to be able to send you emails, e.g. its daily logwatch or the output from cron jobs.

But most ISPs block SMTP so you can’t directly send emails from your server to wherever they need to go, which is what the default config of sendmail does.

So you need to tell sendmail to forward its mail through something called a Smart Host, which is just an SMTP server that your ISP runs.

First, find out from your ISP what their Smart Host or SMTP server is called. This is usually available somewhere on their website.

Now open up /etc/mail/sendmail.mc for editing. Locate the following block, remove the dnl markers and change the name of the server to match your ISP’s.

dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST', `mail.my-isp.com')

After editing, you have to run the /etc/mail/make program to write the sendmail config file. Then restart the sendmail daemon.

service sendmail restart

Your server is now capable of sending outgoing mail through an external mail server. But there’s one final tweak. Open /etc/aliases and change the very last line so that you receive root’s mail.

# Person who should get root's mail
root:           me@jonathangazeley.com

Forgetting something?

Today I wrote an email in Thunderbird and clicked send. It gave me this message:

Forgetting something?

It has never asked me this before, so I wonder what prompted it to do so today. Turns out new builds of Thunderbird scan your email for keywords such as attachment or attached and remind you to check for attachments if you used these words.

In my email I had said “It’s in my name because it’s attached to my account” so this must be what triggered it.

Pretty nifty – the number of times I’ve accidentally sent an email without its attachment…

Search and replace in vim

I use vim all the time, but I can never remember the search-and-replace command off the top of my head. I have to look it up every time. So I’ve made a note of it here.

This command simply replaces all occurrences of search with replace. Simple!

:%s/search/replace/g

Federated tables in MySQL

Yesterday at work I had the need to create a federated table in MySQL. I read about the federated engine and thought I had it sussed. I noted:

Beginning with MySQL 5.1.26, the FEDERATED storage engine is not enabled by default in the running server; to enable FEDERATED, you must start the MySQL server binary using the --federated option.

Turns out it’s also possible simply to add the line federated in the [mysqld] section of /etc/my.cnf

The version of MySQL currently installed on my CentOS box was an older one (5.0.45) but I added this line anyway. The server refused to start. It quickly became clear that the MySQL binary packaged with CentOS was not compiled with the federated engine.

Fedora is currently packaging MySQL 5.1.37 but it seems that this too is lacking the federated engine. That’s annoying – I had wanted to install a version of MySQL from some yum repo or other, so I don’t have to keep upgrading the package every time a new version is released.

Perhaps the lack of federated support is a Red Hat (and derivatives) issue. I downloaded the rpm from MySQL directly, and installed it. Guess what – no federated engine compiled in.

So I downloaded the source tarball. I explicitly configured it with the federated engine, like so:

./configure --with-plugins=federated

And then I built and installed it. Nothing worked properly out of the box, and I was annoyed to find that the make install command doesn’t do half of the things I would normally expect it to do. I found this information and followed the steps to get it working. I had to steal and tweak the /etc/init.d/mysqld script from a different box which was running the bog-standard CentOS package.

Woohoo! The federated engine was finally available.

mysql> show engines;
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine     | Support | Comment                                                        | Transactions | XA   | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| InnoDB     | YES     | Supports transactions, row-level locking, and foreign keys     | YES          | YES  | YES        |
| MRG_MYISAM | YES     | Collection of identical MyISAM tables                          | NO           | NO   | NO         |
| BLACKHOLE  | YES     | /dev/null storage engine (anything you write to it disappears) | NO           | NO   | NO         |
| CSV        | YES     | CSV storage engine                                             | NO           | NO   | NO         |
| MEMORY     | YES     | Hash based, stored in memory, useful for temporary tables      | NO           | NO   | NO         |
| FEDERATED  | YES     | Federated MySQL storage engine                                 | NO           | NO   | NO         |
| ARCHIVE    | YES     | Archive storage engine                                         | NO           | NO   | NO         |
| MyISAM     | DEFAULT | Default engine as of MySQL 3.23 with great performance         | NO           | NO   | NO         |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
8 rows in set (0.00 sec)

But I can’t understand why none of the binary builds of MySQL include it. Fair enough that it isn’t enabled by default in the running server – it’s no problem to add a line to my.cnf on a standard CentOS box. But it is a nuisance to have to build from source. It doesn’t break anything to have it enabled in a build, even if unused.

Of course CentOS won’t change the way they build their packages until Red Hat does. So I’m doing what I can, and I have filed a feature request with Fedora in the hope that in the next major release, there will be a version of MySQL built with the federated engine.

An easy way to generate an iptables config

This is a +1 for Easy Firewall Generator for iptables.

Of course any self-respecting sysadmin should be able to set up iptables, but sometimes starting off can be tricky. So I use this website, which lets you define the basics using a handful of checkboxes, and it generates a script that configures your computer’s iptables firewall.

It works for single hosts and servers that do NAT, and includes protection against a great many nasties.

Once you have this, it’s then an easy task to hand-configure the result to your heart’s content.