Thursday, August 25, 2011

Handling the "open() 11: Resource temporarily unavailable" error with nginx (Samba oplocks problem)

If you edit your files over a Samba share and serve them with nginx, you may see "11: Resource temporarily unavailable" (EAGAIN) errors in the nginx error log: nginx could not open the file it was asked to serve.

The cause is Samba's locking. While a client has a file open for editing, smbd holds an opportunistic lock (oplock) on it; with kernel oplocks on Linux that lock is a lease, and since nginx opens static files with O_NONBLOCK, its open() of the same file fails immediately with EAGAIN instead of waiting for the lease to be broken.

A bit of searching through Samba's locking options turned up an smb.conf parameter that solves the problem:

oplocks = no

This is a share-level parameter (it can also be set once in [global]) that tells smbd whether to grant oplocks to clients opening files on that share. It defaults to yes, so we turn it off for the share nginx serves from. The cost is that clients lose the client-side caching that oplocks allow, so only disable them on shares whose files are also read by local processes.

Restart Samba (or reload smbd) and the open() errors should stop.

Carlos

Tuesday, August 9, 2011

Dump an strace log to a file

I wanted to strace a PHP backend to see if the X-LIGHTTPD-send-file header (and feature) of Lighttpd was actually working, so I could see whether the backend did any read operations or not and prove that PHP was not in fact the process sending the file.

This was not necessary at all, but I just wanted to confirm PHP REALLY had nothing to do with the downloads.

So I started strace with the PID of the backend and saved the log to look for those open() and read() operations:

strace -f -tt -o strace.log -p PID

(-f follows the children the backend forks, which is also what the obsolete -F spelling meant; -tt timestamps every call with microseconds; -o writes the log straight to a file instead of redirecting stderr through tee.)

And that was pretty much it ;-)
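To turn such a log into an answer (did the PHP process ever open or read the file it was supposed to hand off?), here is an added Python example, not part of the original post. It parses strace -f -tt output, follows each PID's descriptors from open()/openat() to close(), and counts the read() and sendfile() calls on the file you name. The two logs inside it are constructed to look like strace output, not captured ones.

```python
import re

# One strace -f -tt line: PID, HH:MM:SS.usec, syscall(args) = retval ...
LINE = re.compile(
    r"^(?P<pid>\d+)\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+"
    r"(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)"
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument = the path

# Constructed sample: the backend only reads its own script and answers
# with the X-LIGHTTPD-send-file header; it never opens the payload.
SENDFILE_LOG = r"""
2201 14:02:11.100001 openat(AT_FDCWD, "/var/www/app/download.php", O_RDONLY) = 5
2201 14:02:11.100120 read(5, "<?php\n"..., 8192) = 1345
2201 14:02:11.100200 close(5) = 0
2201 14:02:11.100300 stat("/var/www/files/big.iso", {st_mode=S_IFREG|0644, st_size=734003200, ...}) = 0
2201 14:02:11.100400 write(3, "Status: 200\r\nX-LIGHTTPD-send-file: /var/www/files/big.iso\r\n"..., 120) = 120
2201 14:02:11.100500 <... read resumed> "", 8192) = 0
"""

# Constructed sample: a backend that streams the file itself.
PHP_READS_LOG = r"""
2202 14:05:00.000001 open("/var/www/files/big.iso", O_RDONLY) = 6
2202 14:05:00.000100 read(6, "\0\0\0\0"..., 8192) = 8192
2202 14:05:00.000200 read(6, "\0\0\0\0"..., 8192) = 8192
2202 14:05:00.000300 sendfile(3, 6, NULL, 65536) = 65536
2202 14:05:00.000400 close(6) = 0
2202 14:05:00.000500 read(6, "", 1) = -1 EBADF (Bad file descriptor)
"""


def file_activity(log_text, path):
    """Per-PID counts of open/read/sendfile calls that touched `path`.

    strace names the file only in open()/openat(); later calls refer to the
    descriptor that open returned, so (pid, fd) -> path is tracked until the
    matching close().  Lines strace splits across "<unfinished ...>" and
    "<... resumed>" do not match LINE and are skipped.
    """
    open_fds = {}   # (pid, fd) -> path
    counts = {}     # pid -> {"open": n, "read": n, "sendfile": n}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, name, args, ret = m["pid"], m["name"], m["args"], int(m["ret"])
        if name in ("open", "openat"):
            q = QUOTED.search(args)
            if ret >= 0 and q and q.group(1) == path:   # failed opens return -1
                open_fds[(pid, ret)] = path
                counts.setdefault(pid, {"open": 0, "read": 0, "sendfile": 0})
                counts[pid]["open"] += 1
        elif name == "close":
            open_fds.pop((pid, int(args.split(",")[0])), None)
        elif name in ("read", "sendfile"):
            # read(fd, buf, n) / sendfile(out_fd, in_fd, offset, n)
            fields = [a.strip() for a in args.split(",")]
            fd = fields[0] if name == "read" else fields[1]
            if fd.isdigit() and (pid, int(fd)) in open_fds:
                counts[pid][name] += 1
    return counts


if __name__ == "__main__":
    target = "/var/www/files/big.iso"
    print("send-file backend:", file_activity(SENDFILE_LOG, target))   # {}
    print("streaming backend:", file_activity(PHP_READS_LOG, target))
```

An empty result for the served file, together with a write() carrying the X-LIGHTTPD-send-file header, is the proof the post was after: the backend named the file but never touched its contents.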

Tuesday, August 2, 2011

Paypal IPN listener security (without validating Paypal's IP address pool)

I found a way to filter out spambots and fake postings to my IPN listener without checking the source IP address of the IPN messages PayPal sends.

When you build your DoExpressCheckoutPayment request (or any other request that sets the IPN NOTIFYURL), set the NOTIFYURL to something like:

PAYMENTREQUEST_n_NOTIFYURL=https://YOURHOST/?ipn_secret=yoursecret

PayPal then sends you the IPN message with the POST method, but to that URL, so the query string (and consequently your $_GET array) carries your secret parameter (ipn_secret in this case), which you check against the expected value before doing anything else.

Because the DoExpressCheckoutPayment request travelled over HTTPS (SSL), only PayPal and you know the ipn_secret value. Treat it like a password anyway: it is part of the request URL, so it shows up in your web server's access log and is readable by anyone with access to those logs or to your PayPal account. Keep those logs private, compare it with a constant-time comparison rather than a plain string equality, and be ready to change it.

This way you can avoid checking that the message came from an authorized source (and by source I mean their IP address pool, which they can change at any time without notice).

Of course, you still have to validate the message: POST exactly what you received, in the same order, back to PayPal with cmd=_notify-validate prepended, and wait for the VERIFIED or INVALID string. The secret is a pre-filter, not a replacement for that step. What it buys you is that you no longer connect to PayPal's servers for every fake message from someone who is NOT PayPal (spambots and the like), which otherwise would let them force a denial of service on your own server, because you HAVE to connect and send the message to validate it.

Hopefully this will help someone, since I didn't see anything in the IPN documentation or the forums regarding this issue.
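The flow described above, written out as an added Python example (not code from the original post, which is in PHP): the secret in the query string is checked first, in constant time, and only a message that passes is echoed back to PayPal for validation. The postback is injected as a callable so the example runs offline and so you can count how often PayPal would actually have been contacted. The secret value, the sample messages and the function names are assumptions for the example.

```python
import hmac
from urllib.parse import parse_qs

# The value you appended to PAYMENTREQUEST_n_NOTIFYURL (assumed here).
IPN_SECRET = "yoursecret"


def secret_matches(query_string, expected=IPN_SECRET):
    """True only if ?ipn_secret=... is present exactly once and equals the
    configured value.  hmac.compare_digest keeps the comparison constant-time
    so the secret cannot be guessed a byte at a time from response timing."""
    values = parse_qs(query_string, keep_blank_values=True).get("ipn_secret", [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode(), expected.encode())


def validation_body(raw_post_body):
    """Body for the postback to PayPal: the message exactly as received, same
    field order and escaping, with cmd=_notify-validate in front.  Rebuilding
    it from a parsed dict can reorder or re-encode fields and earn INVALID."""
    return b"cmd=_notify-validate&" + raw_post_body


def handle_ipn(query_string, raw_post_body, postback, expected=IPN_SECRET):
    """Process one IPN delivery.  Returns (http_status, outcome).

    `postback` is whatever sends the validation body to PayPal and returns its
    answer ("VERIFIED" or "INVALID").  It is passed in so this runs offline and
    so a test can count how often PayPal would have been contacted."""
    if not secret_matches(query_string, expected):
        # Not PayPal (or a replay with the wrong secret): refuse without
        # opening a connection to PayPal, so fakes cost us nothing.
        return 403, "dropped"
    answer = postback(validation_body(raw_post_body))
    if answer == "VERIFIED":
        # Only now trust the fields (txn_id, payment_status, mc_gross, ...)
        return 200, "verified"
    # INVALID: log it for investigation; answering 200 stops PayPal from
    # retrying a message it never sent, and nothing is fulfilled.
    return 200, "invalid"


if __name__ == "__main__":
    # Constructed messages, not real PayPal traffic.
    def fake_paypal(body):
        print("postback ->", body.decode())
        return "VERIFIED"

    good = handle_ipn("ipn_secret=yoursecret",
                      b"txn_type=express_checkout&payment_status=Completed&txn_id=1",
                      fake_paypal)
    spam = handle_ipn("ipn_secret=guess", b"payment_status=Completed", fake_paypal)
    print(good, spam)   # (200, 'verified') (403, 'dropped'); postback ran once
```

Note that a missing or duplicated ipn_secret parameter is rejected too; a listener that only checks "the first value equals the secret" can be confused by a second copy of the parameter.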

Carlos

Sunday, June 26, 2011

tmux (a terminal multiplexer similar to screen)

This is a list of the most useful keys/commands (IMHO) for tmux, a terminal multiplexer like the old screen.

Global config file: /etc/tmux.conf
Per-user config file: ~/.tmux.conf

Configuration options:

set-option -g prefix Ctrl-a # this will bind the Ctrl-a combination to the prefix key
set-option -g prefix ` # this will bind the ` key to the prefix key
setw -g monitor-activity on # mark visually the window that had activity on the status bar
set -g visual-activity on # pop a message in the status bar for the window that had activity

The default prefix, the key combination that precedes every command, is Ctrl-b.

prefix c Create a new window
prefix d Detach the current client
prefix l Move to the previously selected window
prefix n Move to the next window
prefix p Move to the previous window
prefix & Kill the current window
prefix , Rename the current window
prefix % Split the current pane into two side-by-side panes (prefix " splits it top/bottom)
prefix q Show pane numbers (quickly press the number shown to jump to that pane)
prefix o Switch to the next pane
prefix ? List all keybindings

Window management:

prefix n Go to the next window
prefix p Go to the previous window
prefix l Go to the previously selected window
prefix w List all windows / window numbers
prefix window_number Go to the specified window number
prefix f Type a string and tmux will search the window names and contents and switch to the match
prefix { Swap the current pane with the previous one
prefix } Swap the current pane with the next one
prefix space Cycle through the pane layouts (even-horizontal, even-vertical, main-horizontal, main-vertical and tiled)
prefix arrow_keys Use the prefix key plus the up/right/down/left arrows to move between panes
prefix [ Enter copy mode, so you can scroll through that pane's history (PgUp/PgDown or the arrow keys; q leaves copy mode)

Command mode:

You can go into command mode by typing

prefix :

Inside command mode you can type whatever command tmux supports. One important tip: command mode has a history, so while inside you can use the up and down arrows to go through the commands you entered before.

A couple of interesting commands are:

rename-window name Rename the current window
rename-session name Rename the current session
break-pane Make the current pane into its own window
switch-client -t session_name Switch to the session named session_name (tmux also accepts the unambiguous abbreviation switch)
ls List sessions (same as list-sessions)

After you have detached your client:

tmux new -s session_name Create a new session named session_name
tmux attach -t session_name Attach the client to the session named session_name (tip: you can type only the first few characters of the session name; tmux matches the prefix)
tmux ls Same as tmux list-sessions

I'm using squeeze, which currently ships tmux 1.3-2+squeeze1; that version has a little problem drawing the pane dividers properly in PuTTY, so I installed the newer 1.4-6~bpo60+1 from squeeze-backports, which fixes the issue.

Extracted from the tmux changelog:

CHANGES FROM 1.3 TO 1.4, 27 December 2010

* Use UTF-8 line drawing characters on UTF-8 terminals, thus fixing some terminals (eg putty) which disable the vt100 ACS mode switching sequences in UTF-8 mode. On terminals without ACS, use ASCII equivalents.

Sunday, June 19, 2011

ATI console framebuffer with Debian Squeeze

In order to get a native-resolution console on ATI hardware you only need to install one package, which enables KMS (kernel mode setting):

sudo apt-get install xserver-xorg-video-ati

Besides some X.org bits, this installs a modprobe configuration that enables mode setting in the in-kernel radeon driver, and with KMS on you get a framebuffer console at the panel's native (widescreen) resolution.

The conf file is:

/etc/modprobe.d/radeon-kms.conf

Cheers

Friday, June 17, 2011

Regex to match an integer/float with PHP and Javascript examples

A not-so-easy regex I was working with yesterday: it matches an integer or float at the start of the string.

For instance,

.23 and 0.23 match
12. and 12.23 match
12.asd23 will give the 12. part
asd.23 does not match
12.23.23 will give the 12.23 part

etc, etc ...

Now that I have said that, here it goes. One thing to watch: a pattern in which both the integer part and the fraction part are optional also matches the empty string, so preg_match() returns 1 for "asd.23" with an empty $regs[0], and a lone "." passes as a number. The alternation below requires at least one digit on one side of the dot, so "asd.23" and "." really fail to match.

PHP example to get the part of the string matched by the regex (using preg_match):

if (preg_match('/^(?:\d+\.?\d*|\.\d+)/', $subject, $regs)) {
    $result = $regs[0]; // the numeric prefix, e.g. "12." for "12.asd23"
} else {
    $result = false;    // no leading integer or float
}

Javascript example (no g flag: the pattern is anchored, so there is at most one match and we want its text, not an array):

var m = subject.match(/^(?:\d+\.?\d*|\.\d+)/);
var result = m ? m[0] : false;
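The same table of cases run through both patterns, as an added Python example (not code from the original post). ORIGINAL is the pattern with an optional integer part written as `(?:[\d]+|)`, which accepts an empty match; FIXED is the tightened alternation that requires a digit. The CASES table is the post's own list of examples, with None standing for "does not match".

```python
import re

# Pattern with both parts optional: it also matches the empty string at the
# start of any input, so the engine reports success on "asd.23".
ORIGINAL = re.compile(r"^(?:[\d]+|)(?:\.{1}(?:\d+)?)?")
# Tightened pattern: digits with an optional dot and more digits, or a dot
# followed by at least one digit.  Something numeric must be present.
FIXED = re.compile(r"^(?:\d+\.?\d*|\.\d+)")

# The cases from the post (None = "does not match").
CASES = {
    ".23": ".23",
    "0.23": "0.23",
    "12.": "12.",
    "12.23": "12.23",
    "12.asd23": "12.",
    "asd.23": None,
    "12.23.23": "12.23",
}


def raw_match(text, pattern):
    """What the regex engine itself reports: the matched prefix, or None."""
    m = pattern.match(text)
    return m.group(0) if m else None


def leading_number(text, pattern=FIXED):
    """The integer/float at the start of `text`, or None.  An empty match is
    treated as no match, which is the guard the ORIGINAL pattern needs."""
    found = raw_match(text, pattern)
    return found if found else None


def check_cases(pattern=FIXED):
    """Run every case from the post through `pattern`."""
    return {text: leading_number(text, pattern) for text in CASES}


if __name__ == "__main__":
    assert check_cases() == CASES
    # Where the two patterns differ: ORIGINAL "matches" with an empty string.
    for probe in ("asd.23", "", "."):
        print(repr(probe), "original:", repr(raw_match(probe, ORIGINAL)),
              "fixed:", repr(raw_match(probe, FIXED)))
```

With the guard in leading_number both patterns pass the table; the difference is only visible in raw_match, which is what preg_match() and String.match() give you, and that is where "asd.23" silently turns into an empty string unless the pattern itself refuses it.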

Tuesday, June 14, 2011

Update IP with custom DDNS on DD-WRT for DynDNS.com

I have DD-WRT on my Linksys WRT54GL and I needed to update my host IP with DynDNS.com, but they changed something recently and it won't update with the built-in DynDNS.org entry, so here is what you need to do:

DDNS Service: Custom
Do not use external ip check: no
DYNDNS server: members.dyndns.org
User Name: put your dyndns username here
Password: put your dyndns password here
Host Name: the host you are trying to update, like myname.dyndns-server.com
URL: /nic/update?
Additional DDNS Options: --dyndns_system dyndns@dyndns.org --ip_server_name checkip.dyndns.org:8245 /

And, taken from the DD-WRT wiki, the following notes:

If static DNS is used, use statdns@dyndns.org instead of dyndns@dyndns.org.
Your DDNS password should have no spaces at the beginning or end.

Good luck ;-)

Thursday, May 26, 2011

Multiple SSL certificates on the same IP with nginx (and others)

Long story short: you can host multiple domains or sites and serve different SSL certificates on the same IP address.

Now, let's develop this long story:

1) You need nginx compiled with SNI support (and with the SSL module, --with-http_ssl_module). More info on this subject here: http://en.wikipedia.org/wiki/Server_Name_Indication.
2) You need OpenSSL 0.9.8f or newer compiled with the --enable-tlsext option, or 0.9.8j or newer, where it is enabled by default. Both the OpenSSL nginx was built against and the one it loads at run time must have it.

Here are the different outputs on debian etch, whose OpenSSL is older than 0.9.8f, and on debian squeeze, which has 0.9.8o (at the moment):

root@etch# ./nginx -V
nginx version: nginx/0.7.65
built by gcc 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)
TLS SNI support disabled

root@squeeze# ./nginx -V
nginx: nginx version: nginx/1.0.2
nginx: built by gcc 4.4.5 (Debian 4.4.5-8)
nginx: TLS SNI support enabled

The TLS handshake between client and server completes before any HTTP data, including the Host header, is transmitted, so without extra help the server has no way of knowing which certificate to present and sends the default one (in nginx, the certificate of the first server block listening on that address, or of the one marked default_server).

To remedy this "problem" the Server Name Indication extension (SNI, first specified in RFC 3546 for TLS 1.0 and carried forward in RFC 4366 and RFC 6066) was created. The client sends the host name it wants inside its ClientHello, so the server knows which certificate to deliver, and voila, we can host multiple SSL sites with their own certificates on the same IP address.

Don't take my word for it, it's in the nginx documentation here:

http://nginx.org/en/docs/http/configuring_https_servers.html

And you can test your client (most of the time the browser) for SNI support at this URL:

https://alice.sni.velox.ch/

To test the server side, openssl s_client has a -servername option that sends SNI for the name you give it: compare the certificate you get back with and without it.

Of course, as usual, there's a catch. And a big one.

No user on Windows XP, on any service pack (yes, even SP3 fully updated), using any version of IE or Safari will be able to use your new and shiny SNI server config, because the Windows XP SSL stack simply has no support for it: those clients send no server name, get the default certificate, and see a name mismatch for every site but the default one. You can, however, use Opera, Chrome or Firefox on Windows XP, which have SNI support built in, but leaving out all IE users on Windows XP is a significant amount of users when you implement this in production and rely on it.

IE (and Safari) have SNI support starting with Vista and of course on Windows 7.

Another solution I've seen some people implementing is using the subjectAltName field of the certificate to add more domains. This is limited: X.509 itself sets no fixed length for the field, but CAs cap the number of names they will sign into one certificate, every listed name is disclosed to every client, and adding or removing a site means reissuing the certificate, so I don't see this as a practical solution at all (to host 5000 domains, maybe for 2 or 3).

The only way to have everyone happy is to use a separate IP for every domain/certificate you host. Of course, I hate this solution, but it's the only one that works 100% of the time.

Sucks, right?

Cheers

Thursday, May 19, 2011

PHP exec() and system() tied to /bin/sh on debian squeeze

In the past I relied on the exec() and system() functions to run some commands from PHP.
It came as a surprise when I updated my distro from etch to squeeze that the /bin/sh symlink no longer pointed to bash but to dash, which is a POSIX-compliant shell and who knows what else (technical blah-blah).

Some commands I ran through exec() and system() failed. The reason is that PHP hands those command lines to /bin/sh -c, and dash does not implement bash's extended syntax and builtins (the "bashisms" the commands relied on), so anything that only works in bash breaks once /bin/sh is dash.

I was told on some IRC channels that reverting to bash should not break anything, just make the execution of startup scripts and the like slower (anyway, I'll not die waiting 2 seconds more for the box to be ready).

Just do a:

dpkg-reconfigure dash

and answer No when asked whether to use dash as the default system shell; afterwards your /bin/sh symlink will point to bash again and your PHP exec() and system() calls will behave as before. The alternative that does not change the whole system is to fix the bashisms in the commands themselves, or to run them explicitly through bash from PHP.

Monday, May 16, 2011

Enable and disable root password (Ubuntu/Debian and others)

Some say that using root all the time is wrong. I never had a problem because of that, but the distros have moved to not allowing a root login by default (well, this is not exactly true: Ubuntu leaves the root account in place but locks its password at install time, so it's the default behavior rather than a hard rule).

So, you can enable your root login again by setting a password:

sudo passwd root

And disable it again with:

sudo passwd -l root

which locks the root password: it prefixes the hash in /etc/shadow with "!", so nobody can authenticate as root with a password. Note that it only affects password authentication; root logins over SSH with a key are governed by PermitRootLogin in sshd_config, not by this lock.

And if you have the root account locked, you can become root by typing:

sudo -i

Stupid, I know, but it's the better way (I found myself doing a sudo bash and that is more or less wrong).
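To see what passwd -l actually does, here is an added Python example (not from the original post) that reads shadow entries and reports the same L / NP / P state that passwd -S prints. The /etc/shadow excerpt is constructed and the hash strings are placeholders. A locked state only means password authentication fails; it does not affect sudo -i, which is exactly why the command above still gets you a root shell.

```python
from typing import Optional

# Constructed /etc/shadow excerpt (the hash strings are placeholders, not
# real hashes).  root has been through `passwd -l`: note the leading "!".
SAMPLE_SHADOW = """\
root:!$6$constructedsalt$constructedhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
carlos:$6$constructedsalt$constructedhash:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""


def password_state(shadow_line):
    """Same code `passwd -S` prints, derived from the second (hash) field:
    L  = locked ("!" prefix left by passwd -l, or "*" on system accounts that
         never had a password)
    NP = no password at all (empty field)
    P  = usable password hash
    """
    fields = shadow_line.split(":")
    if len(fields) < 2:
        raise ValueError("not an /etc/shadow entry: %r" % shadow_line)
    pw = fields[1]
    if pw == "":
        return "NP"
    if pw[0] in "!*":
        return "L"
    return "P"


def account_state(shadow_text, user) -> Optional[str]:
    """Look `user` up in shadow_text and report its password state, or None
    when there is no such account."""
    for line in shadow_text.splitlines():
        if line.split(":", 1)[0] == user:
            return password_state(line)
    return None


if __name__ == "__main__":
    for user in ("root", "daemon", "carlos", "guest", "nobody"):
        print(user, account_state(SAMPLE_SHADOW, user))
```

Running `sudo passwd -S root` on the real system gives the same letter; L after the lock, P again after `sudo passwd root`.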

Cheers

Thursday, March 3, 2011

Configure per font antialiasing on Ubuntu Linux

I wanted to use the Fixedsys font, which is a very VERY nice font to program with, but as this font is a conversion to TTF of a raster monospaced font available only on Windows (thankfully someone made it; the download link is at the bottom of this post), I needed to disable antialiasing for just this particular font.

Thankfully (again) this was possible, even on a per-user basis.

On Ubuntu 10.10 I had to create the ~/.fonts.conf file and add the following:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="font">
    <test qual="any" name="family" compare="eq">
      <string>Fixedsys Neo+</string>
      <string>Fixedsys Excelsior 2.00</string>
    </test>
    <edit name="antialias" mode="assign">
      <bool>false</bool>
    </edit>
  </match>
</fontconfig>

You just have to put your font's exact family name in those <string> elements; every font listed there will be rendered without antialiasing.

I barely scratched the surface of fontconfig, so I suspect many more things can be done or configured (I dream of a per-app config, for example, although I'm not sure of course).

I'm happy now with my Geany text editor (a really nice and fast GTK editor with a lot of good plugins) and my non-antialiased Fixedsys font.

Fixedsys font @ http://fixedsys.moviecorner.de/ (click on English version and go to the Further downloads tab, the font is the Fixedsys Neo+).

Geany text editor @ http://www.geany.org/

Cheers

Thursday, February 24, 2011

Intel driver issues with Flash Player on Ubuntu 10.10 Maverick Meerkat

I solved the glitches I was having when going fullscreen, for instance on YouTube videos (among others).

I just installed the drivers provided by some guy who keeps them a bit more up to date:

sudo add-apt-repository ppa:glasen/intel-driver
sudo apt-get update
sudo apt-get upgrade

I restarted my box and everything worked like a charm afterwards.

This was the last thing preventing me from having a fully working Ubuntu machine.

Good luck ;-)

Tuesday, February 8, 2011

Intel console framebuffer with Debian Squeeze

In order to get a native-resolution console on Intel hardware you only need to install one package, which enables KMS (kernel mode setting):

sudo apt-get install xserver-xorg-video-intel

Besides some X.org bits, this installs a modprobe configuration that enables mode setting in the in-kernel i915 driver, and with KMS on you get a framebuffer console at the panel's native (widescreen) resolution.

The conf file is:

/etc/modprobe.d/i915-kms.conf

Cheers

Monday, January 10, 2011

Capture SMTP traffic with tshark (wireshark)

tshark -f "tcp port 25" -R "smtp" -i eth0

-f = specifies the capture filter (BPF syntax, applied while capturing)
-R = specifies the read (display) filter, in Wireshark filter syntax (on current tshark versions -R requires two-pass mode, -2; use -Y for a single-pass display filter)
-i = the interface to capture on

About me

Santa Fe, Argentina
Web programmer: PHP, MySQL, jQuery. Linux administrator: LAMP, Lighttpd, Nginx.