There might be time when you want to make sure that a file will be protected from accidental/automated change/deletion. While one can protect a file/directory in some ways by removing write permissions using standard file permission on Unix already can save you from some situations, there is more that can be done on Linux.

Read the rest of this entry »

Many times you will end up tailing multiple files simultaneously. There is a sweet linux utility called multitail that will let you tail multiple files at the same time within the same shell.

And not only will you be able to tail multiple files! You will also be able to run multiple commands and tail their outputs!

Read the rest of this entry »

Ever had your linux box getting Out of Memory (OOM)? Cleaning up after the OOM killer kicked in to find out that even though OOM killer did a decent job at trying to kill the bad processes, your system ends up in an unknown state and you might be better of rebooting the host to make sure it comes back up in a state that you know is safe.

Read the rest of this entry »

Let’s continue the network monitoring serie with yet another use case…. the “What program is using my bandwidth?” problem while not imposible to solve, still remains a pain. What if there were some kind of top for network?

NetHogs is a nifty tool that will do that for you and will help you finding what is hogging your connection.

Read the rest of this entry »

There is many tools out there that help in monitoring network usage, collect statistics and generate graphs so we can view what happened at a given date/time. Anyhow, finding the bandwidth usage over an hour/day/week/month can be really tricky.

vnstat is a suite of daemon and client programs that monitor network bandwidth usage.

Read the rest of this entry »

Last time we saw how bash can help us in handling default values out of the box using parameter expansion. This time we will see how basic string operations (nonetheless common and useful) can also be achieved using bash.

There is many ways to do string manipulation with bash, like finding a filename extension using expr, separating the directory part from a filename using dirname and basename…. or even more sophisticated ones based on regex, sed….

Why using a sledgehammer to crack a nut when you could use bash builtin functionalities!

Read the rest of this entry »

Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file.
There is much more to bash than running a sequence of commands, one of the features bundled with bash is parameter expansion.

Any shell user has most likely used shell variables, be it $1 or $myvar, to save values… but there is more to it. This tutorial will cover a subset of shell parameter expansion that can become really handy and save you a lot of time.

Read the rest of this entry »

top is most likely one of the most known Linux command and also one of the most used one, however most people do not take full advantage of its capabilities.

In this tutorial, we will see a few usages of top that will make allow you to get more out of it.

Read the rest of this entry »

Creating the configuration

Now that we have our certificates ready, we need to create a set of config for the server and the client.

Server side

On the server side, you will need to create the file /etc/openvpn/server.conf and edit it with:

dev tun
proto udp
port 1194
# since OpenVPN 2.1 we can use topology subnet
topology subnet
# if we want to change the temp directory location
; tmp-dir /dev/shm
# certs
ca keys/ca.crt
cert keys/server01.crt
key keys/server01.key
dh keys/dh1024.pem
# TLS
tls-auth keys/ta.key 0
# Keepalive
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
comp-lzo
# Write operational status to this file
status openvpn-status.log
# Drop privileges
user nobody
group nogroup
# As we dropped privileges, make sure we dont
# close/reopen tun interface amd re-read key files
# accross SIGUSR1
persist-key
persist-tun
# Our subnet
server 10.8.0.0 255.255.255.0
# Redirect all traffic to our OpenVPN server
push "redirect-gateway def1 bypass-dhcp"
# We want client to use our DNS server
push "dhcp-option DNS 10.8.0.1"
ifconfig-pool-persist ipp.txt
# If you want OpenVPN clients
# to be able to connect directly
# to each others
; client-to-client
# Use PAM authentication
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# we dont want to use client certificate
client-cert-not-required
username-as-common-name
# enable mgmt over telnet
management localhost 1194 mgmt-pw-file
verb 3

Then, we need to copy the certificates/keys in the keys directory of /etc/openvpn:

mkdir /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,server01.crt,server01.key,dh1024.pem,ta.key} /etc/openvpn/keys/

And, in order to be able to manage openvpn from a telnet connection, we will create a file called /etc/openvpn/mgmt-pw-file with password “password”:

echo password > /etc/openvpn/mgmt-pw-file
chmod 700 /etc/openvpn/mgmt-pw-file
chown root:root /etc/openvpn/mgmt-pw-file

Everything should be setup for the server side, now we need to edht /etc/default/openvpn to make sure that this configuration get started when using the init script. So, edit that file and make sure it contains:

AUTOSTART="server"

O’rite, you can now restart openvpn service with:

# /etc/init.d/openvpn restart

Now, our server should be up and running. If anything went wrong, /var/log/daemon.log is the place to look into.

At this stage, you should also be able to connect to localhost on TCP port 1194 using telnet. You will be prompted for a password, this is the password you have set in /etc/openvpn/mgmt-pw-file.
Once you logged in, you will be able to access the management interface of openvn!

Enabling IP forwarding

As we will be routing packets, we need to enable IP forwarding. To do this create a file called /etc/sysctl.d/forwarding.conf which contains:

net.ipv4.ip_forward=1

And apply the change with:

root@ovpnrouter:~# sysctl -p /etc/sysctl.d/forwarding.conf
net.ipv4.ip_forward = 1

IPTable

At this stage, the openvpn server could handle clients, forward packets, but packets would be routed with their original private IP. To give proper network connectivity to our OpenVPN clients, we will need to NAT the traffic.
This can be done by using the following command:

root@ovpnrouter:~# iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Configuring Iptable is not in the scope of this article. You might want to refer to IPtables: how to share your internet connection.

Anyhow, let’s move forward and set up a client!

Munin 2.0 has been released and a .deb package has even been backported to Debian Squeeze!.

Version 2.0 comes with a bunch of new features and scalability improvements. This how-to will explain how to install and configure Munin 2.0 using Apache and mod-fcgid on Debian Squeeze.

The feature that I was really looking forward in Munin 2 was graph zooming which makes it really easy and convenient to visualize what happened at a given moment in time.

Most of the install process is actually detailed in http://munin-monitoring.org/wiki/CgiHowto2 but there were some missing bits to get it properly working on my set up (Debian Squueze + Apache2), hence while this how-to will look pretty similar to that wiki page, it should hopefully fill the gaps.

I will not cover the munin-node part as there should not be anything different since 1.4 and this old tutorial should still be accurate: How-To: Monitoring A Server With Munin.

Installing Munin

Debian backport is providing a .deb for Debian Squeeze, so once you have added debian backports repository, installing Munin is nearly an apt-get away.

Adding Debian Backport Repository

Create and edit /etc/apt/sources.list.d/backports.list and add:

deb http://backports.debian.org/debian-backports squeeze-backports main

Update your repositories:

# apt-get update

and finally, install Munin from the squeeze-backports:

# apt-get install munin -t squeeze-backports

The default /etc/munin/munin.conf is enough to monitor localhost. Within the next 5 minutes, a cron job will be ran and will start collecting metrics.

Now, we need to configure Apache to serve munin pages.

Apache settings

This new version of Munin now defaults to using CGI to generate HTML and GRAPH, so if you don’t have any CGI module installed yet, get it rolling and install one and enable it:

# apt-get install libapache2-mod-fcgid
# a2enmod fcgid

Then, we will create a new virtual host that will serve Munin graphs. So, let’s create /etc/apache2/sites-available/munin and edit it with:

<VirtualHost *:80>
        DocumentRoot /var/cache/munin/www
        ServerName munin.example.com
        Alias /static /etc/munin/static
        # Rewrites
        RewriteEngine On
        # HTML
        RewriteCond %{REQUEST_URI} !^/static
        RewriteCond %{REQUEST_URI} .html$ [or]
        RewriteCond %{REQUEST_URI} =/
        RewriteRule ^/(.*)           /usr/lib/munin/cgi/munin-cgi-html/$1 [L]
        # Images
        # - remove path to munin-cgi-graph, if present
        RewriteRule ^/munin-cgi/munin-cgi-graph/(.*) /$1
        RewriteCond %{REQUEST_URI}                 !^/static
        RewriteCond %{REQUEST_URI}                 .png$
        RewriteRule ^/(.*)  /usr/lib/munin/cgi/munin-cgi-graph/$1 [L]
        # Ensure we can run (fast)cgi scripts
        ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
        <Location /munin-cgi/munin-cgi-graph>
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
        <Location /munin-cgi/munin-cgi-html>
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        <Location />
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        <Location /static/>
                SetHandler None
                Allow from all
        </Location>
        <Directory /var/cache/munin/www>
                Order allow,deny
                #Allow from localhost 127.0.0.0/8 ::1
                Allow from all
                Options None
                # Set the default expiration time for files to 5 minutes 10 seconds from
                # their creation (modification) time.  There are probably new files by
                # that time.
                #
            <IfModule mod_expires.c>
                ExpiresActive On
                ExpiresDefault M310
            </IfModule>
        </Directory>
</VirtualHost>

Finally, enable this new site:

# a2ensite munin

That’s it, we now need to reload apache:

# /etc/init.d/apache2 reload

Now, you should be able to access munin at http://munin.example.com and zoom on graph!