John Bachir's questions

I'm working with some code that fires up cron on a server (which doesn't have it running at boot time). The script which starts cron sets up some logging stuff and then simply invokes cron. It doesn't use /etc/init.d/cron or service cron start.

After starting cron this way, service cron status and service cron stop seem to be happily able to work, and the PIDFILE specified in /etc/init.d/cron is present.

I put a log line into /etc/init.d/cron, and it looks like running cron standalone does not invoke the script.

# service cron status
script is running
 * cron is running
# service cron stop
script is running
 * Stopping periodic command scheduler cron                                                                                                                                                        [ OK ]
# cron
#

What's going on here? Is this simply because the cron binary and the /etc/init.d/cron script use the same convention for the location of the pidfile?

On a new Ubuntu install, a user's PATH is:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

But in that same user's cron environment, it is:

/usr/bin:/bin

I looked at all the user's dot files in the home directory, nothing in there is changing the PATH.

What's changing the PATH? Why doesn't cron use that PATH?

My understanding is that the SPF spec specifies an email receiver shouldn't have to do more than 10 DNS lookups in order to gather all the allowed IPs for a sender. So if an SPF record has include:foo.com include:bar.com include:baz.com and those three domains each have SPF records which also have 3 include entries, now we are up to 3+3+3+3=12 DNS lookups.

1. is my understanding above correct?

2. I only use 2 or 3 services for my domain and I am already way past this limit. Is this limit typically (or ever) enforced by major/minor email providers?

I have a .deb which politely installs itself in /opt. For my purposes I would prefer it acted like a first-class citizen and installed itself in the regular filesystem locations.

Is there a way to do this?

This is Ubuntu 10.04.4

update

I have tried --root=/, it doesn't change the installation location.

How can I have monit continue to alert me on an interval until the condition has been fixed? Here's an example config:

check filesystem datafs with path /dev/sda1
  if space usage > 80% for 5 times within 15 cycles then alert

Here I'l get an alert once and then no more. I want monit to not shut up until the problem is fixed.

Once can have monit monitor memory usage…

check system foo
  if memory usage > 95% then alert

Does it use free RAM, or free -/+ buffers/cache? (or something else?)

# free -m
             total       used       free     shared    buffers     cached
Mem:           998        851        146          0        114         70
-/+ buffers/cache:        666        332
Swap:         2047         54       1993

I've configured monit tests and alerts — but I want to make sure that everything in my alert stack (outgoing email servers, sms email gateways…) is functioning properly. Is there a handy way to fire off a dummy test alert?

I've read that 2.6.33+ allows setting custom cwnd.

1. if the IW is 10 by default (for all distros? only some?)
2. how does one view what the current IW is on a particular compiled kernel?

references:

• http://monolight.cc/2010/12/increasing-tcp-initial-congestion-window/
• http://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/

The current version of Ruby in natty is 1.9.2 p0. The current version is p290, which is the second release after p0. So if Ruby used normal versioning it would be 1.9.2.3 (or really, 2.2.3, but let's not get into that).

Anyway -- is it likely that later ruby releases will make their way into natty?

Neither the openntpd nor the ntpd.conf manpage have this information.

I have ntpd running on my server. It's all the default settings, except I commented out its ability to be a server to other machines:

# restrict -4 default kod notrap nomodify nopeer noquery                                                                    
# restrict -6 default kod notrap nomodify nopeer noquery   
restrict default ignore

If I run ntpdate -q ntp.ubuntu.com, I'm told that my machine's clock is off by 7 seconds.

What's going on? How can I diagnose what's happening, is there a log I can turn on?

more info #1

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 91.189.94.4     193.79.237.14    2 u   30   64    7  108.518   -0.136   0.361

more info #2

Here's what this looked like when I asked the question:

# ntpdate -q ntp.ubuntu.com
server 91.189.94.4, stratum 2, offset 7.191308, delay 0.13310
10 Jan 20:38:09 ntpdate[31055]: step time server 91.189.94.4 offset 7.191308 sec

And here's what it looks like now, after restarting ntpd a couple times (I'm assuming that's what fixed it):

# ntpdate -q ntp.ubuntu.com
server 91.189.94.4, stratum 2, offset 0.000112, delay 0.13164
10 Jan 20:47:03 ntpdate[31419]: adjust time server 91.189.94.4 offset 0.000112 sec

more info #3

I uninstalled ntp and installed openntpd and ran /usr/sbin/ntpd -d, and I'm seeing output like this:

reply from 64.73.32.134: offset 6.715003 delay 0.041152, next query 30s
reply from 208.53.158.34: offset 6.700224 delay 0.036263, next query 31s
adjusting local clock by 6.734120s
reply from 72.18.205.156: offset 6.708575 delay 0.035885, next query 30s
reply from 64.73.32.134: offset 6.701463 delay 0.044199, next query 33s

Which to me pretty clearly indicates that I'm not able to set the time on my server (although, with regular ntp, it does seem to update sometimes...).

more info #4

My VPS provider says:

The latest kernels should not lock your system to our dom0's clock, to be on the safe side you can set xen.independent_wallclock = 1 in your sysctl.conf.

Which I suppose still does not address the issue of the VPS needing a CPU available in order to do correct timing calculations.

I have ntpd running on a box. I want to see how the time on the box compares to the time retrieved from ntp.ubuntu.com. Is there an easy way to do this?

I have a very low traffic site running on nginx, with 4 workers, 1024 connections each.

Every several hours I start seeing in the error log "1024 worker_connections are not enough", and my site slows down / becomes flakey. A nginx restart solves the problem entirely for the next several hours.

Clearly something odd is happening, there is no way I'm serving 4k concurrent users of my application.

Other than looking at the access log (which looks normal), is there a way to observe with greater details what nginx is doing?

Is there some notorious configuration combination that might result in old connections being held open and not closed?

Thanks.

edit this looks not right

# lsof |grep nginx |grep CLOSE_WAIT |wc -l
1271

I got the seemingly-common "too many file descriptors" error on nginx. After much searching, the solution is clearly to increase the number of file descriptors available to nginx. But there isn't enough info out there for me to feel comfortable doing this in a meaningful and safe way. Here are the main points that most forum/email threads cover:

• the OS has its own total file descriptor limit (on my system, cat /proc/sys/fs/file-max outputs "100678")
• each user can have their own limit too (but on my system, running ulimit as any user outputs "unlimited" see update at bottom with more detail)
• a few people said something along the lines of what this person said: 'Directive worker_rlimit_nofile doesn't specify "how many", it is the operating system limit which does. Directive worker_rlimit_nofile just allows a quick-and-dirty way to enlarge this limit if it's not enough.' So I guess the implication is that it's "better" to set the limit for the nginx OS user instead of in the config?

I can just throw in a worker_rlimit_nofile value greater than the number of connections per worker and call it a day, but I feel I don't really know what's going on here.

• why would the limit per worker be less than the OS limit?
• How do I find out what my limit is now?

update: for both root and a normal user, ulimit outputs "unlimited", BUT ulimit -Hn and ulimit -Sn both output 1024

I have a virtual server just for MySQL for a handful of apps. It's a 256 MB server. There is currently barely any data in there, but free -m shows full memory usage:

             total       used       free     shared    buffers     cached
Mem:           245        197         47          0         23        120
-/+ buffers/cache:         53        192
Swap:          511          2        509

This is on Ubuntu 10.04. All the configuration settings are default IIRC -- key buffer is 16, query cache is 16. (I might be missing some

So, it seems to me that with barely any data and no special settings for the buffers, I should be using well below 256. Is 256 just the lower table for what an OS + MySQL need these days?

I have my chained certificate from Dreamhost set up and working for all browsers. I have 2 sites with 2 certs from dreamhost, example.com and sub.example.com.

All browsers are fine with the certs on both sites, except IE6, 7, and 8 (on XP, haven't tried other OSes). IE is fine with example.com, but it thinks that sub.example.com is trying to use the example.com cert.

Looking at the fingerprints in Firefox 3, Firefox is using the right cert for each domain. Looking at the fingerprints in IE, it's using the example.com cert and not the sub.example.com cert. (this part is really weird to me -- IE is going out of its way to go up a domain level and get the wrong cert?)

I'm using nginx.

Let me know if you'd like any more info. Thanks!

Using account A, I can add user B to the permissions of a bucket, but that bucket does not then show up in user B's management console.

1. What does it mean to give a user permissions in this way?
2. Is it possible for 2 users to truly have the same access to a bucket, so that it shows up in both consoles?

telnet mydomain.tld 25 tells me "connection refused"

that's the extent of my network hax0r skillz.

how can i tell if it's my network i'm on or the server itself?

I'd like to make a CNAME record for my Amazon S3 domain, to have nicer URLs.

There's not much discussion of this out there on the web, and nothing at all in the Amazon documentation (unless I'm missing it). Is this a reasonable thing to do? Are there any drawbacks?

I have a small network of servers and I would like to increase the general security. I don't have enough time/money/paranoia to set up a VPN -- what's a basic way I can increase the security of my system?

One thing could be to require that users both send their key and enter a password. This is kinda hard to google for because everything about "ssh key password" is about sshing without a password. :-)

One scheme I've always wanted to toy with is requiring that incoming connections only come from a whitelist of dyndns ip addresses. I know some security heads would vomit at the thought of the idea, but the fact of the matter is it would add very significant complexity to exploit a box.

What do you think? What else is out there?