PP.'s questions

Let's say I want to track my root users. Each of them has a unique private key and their public keys have been stored in /root/.ssh/authorized_keys.

Given that each user logs in with their unique key how can I tell from within a BASH session which key was used to authenticate? I've tried looking at the environment variables when I log in but cannot see anything that correlates my session with my public key.

Problem

I am observing that poll() calls are taking milliseconds when immediately called after a write() operation, yet taking only microseconds when immediately called after a read() operation.

This is in code that uses the ACE C++ communication library.

I'm trying to understand why there is such a significant difference in the system CPU time taken to call poll() after a write() call compared to a read() call.

System

[root@host ~]# lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.9 (Tikanga)
Release:    5.9
Codename:   Tikanga

strace

write(234, "\4\0S\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 256) = 256 <0.000048>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.006036>
read(234, "\4\0S\0\0\0\0\0\1\0\0\0
write(234, "\4\0S\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 256) = 256 <0.000192>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.004996>
read(234, "\4\20S\0\0\0\0\0\1\0\0\0\200\2\0\0\0\0\3\0\1\0\0\0\0\10\1\0\200\2\0\0"..., 256) = 256 <0.000076>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.000022>
read(234, "\2\0\0\0\241\352\1\0\0\0\0\0\25\0\0\0\7\0\0\0\242\1\0\0\25\0\0\0\251\1\0\0"..., 640) = 640 <0.000337>
write(234, "\4\0S\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 256) = 256 <0.000096>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.004102>
read(234, "\4\20S\0\0\0\0\0\1\0\0\0!\1\0\0\0\0\3\0\1\0\0\0\0\10\0\0!\1\0\0"..., 256) = 256 <0.000037>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.000157>
read(234, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0"..., 289) = 289 <0.000047>
write(234, "\4\0S\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 256) = 256 <0.000036>
poll([{fd=234, events=POLLIN}], 1, -1)  = 1 ([{fd=234, revents=POLLIN}]) <0.001882>

Discussion

Even though the ACE library has an option to use it there is probably little benefit in moving to epoll() because poll() is only being called with one file descriptor in this case.

As the system becomes loaded with 600 odd threads this poll() call is consuming around 98% of the system call CPU time of the process involved. So I'm looking for ways to make this more efficient. It does appear, however, that calling poll() after a write() is the issue as this is consistently in the order of 100x slower than after a read() call.

I am trying to develop my own dynamic DNS. I'm running my own custom DNS for the subdomain on port 5353. ASCII diagram:

INET --->:53 Bind 9 --->:5353 node.js
               |
               V
           zone_files

I have example.com. The node.js DNS is for dyn.example.com.

In my /etc/bind/named.conf.local I have:

zone "example.com" {
    type master;
    file "/etc/bind/db.com.example";
    allow-transfer {
        zonetxfrsafe;
    };
};

zone "dyn.example.com" IN {
    # DYNAMIC
    type forward;
    forwarders { 127.0.0.1 port 5353; };
    forward only;
};

I've even gone so far as to add a NS in my example.com zone file:

$TTL    86400
@   IN  SOA ns.example.com. hostmaster.example.com. (
            2013070104  ; Serial
               7200     ; Refresh
               1200     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
;
        NS  ns                    ; inet of our nameserver

ns      A   1.2.3.4

; NS record for subdomain
dyn     NS  ns

When I attempt to get a record from the subdomain server it doesn't get forwarded:

dig @127.0.0.1 test.dyn.example.com

However if I turn recursive on in /etc/bind/named.conf.options:

options {
  recursion yes;
}

.. then I CAN see the request going to the subdomain server.

But I don't want recursion yes; in my Bind configuration as it is poor security practice (and allows all-and-sundry requests that are not related to my managed zones).

How does one forward (proxy) zone queries for just one zone? Or do I give up on Bind altogether and find a DNS server that can actually forward specific queries?

In Apache I would like a URL "/myscript" or "/myscript?param=myparam" to execute a CGI script located at:

/usr/local/scripts/custom.pl

I have tried:

Action custom-action /usr/local/scripts/custom.pl
<Location "/myscript">
    SetHandler custom-action
</Location>

but this isn't working.

Any ideas how I can achieve the mapping of URL to script?

As a system administrator I would like to be able to write an automated process for installation to a production server that:

• has access to a remote git repository (say on git.mycompany.com)
• can get a copy of one branch/label (say release_20110721_01) from the repository
• will not create a local copy of the entire repository

In other words, have a central repository containing all the revisions, but then install to production servers the specific tag only.

Is there a way of doing this? At least with CVS a working copy of a module with a given tag can be obtained without having to pull a copy of the entire repository.

I upgraded my Debian from Lenny to Squeeze. BIG MISTAKE.

Now I get:

[Tue Feb 08 16:34:57 2011] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

littered throughout /var/log/apache2/error.log.

How to fix? Looking through a mess of forums it is easy to see that Apache changed the way it reads configurations around 2.2.13. Great. But not great for me or the millions of other web administrators who now have web servers that simply won't start, and an error message that says NOTHING about the problem or how to fix.

Anybody else actually solved this issue? I had perfectly working virtual servers with SSL before (for years actually).

I've tried to find the basics in a Big IP manual but it seems to me the device is marketed towards GUI users only.

Meanwhile I want to write a few scripts to automate tasks on the load balancer. Namely:

1. how do I turn off more - when I issue a command I want the output to stream out without waiting for me to press a key for the next page
2. how do I show the running configuration (I think list all is the way to do it but cannot find it documented anywhere)

Thanks!

Very strange issue at work.

I have a very basic Apache configuration. Has a DocumentRoot, <Directory ...> section within which there is an Options +Indexes directive that isn't being honoured (I just get a 404 error when trying to access the directory listing).

The Apache I've build is set to be installed in /usr/local/apache22 however I've got a copy in a different path and am calling it with:

LD_LIBRARY_PATH=/tmp/apache22/lib /tmp/apache22/bin/httpd -f /tmp/test.conf

The configuration gets loaded successfully but doesn't honour the Directory, Location, or Option Indexes directives. In addition an error log is correctly being written to when requesting a bad URL, however the access log is NOT being written to when accessing a good URL.

A friend has tried the same configuration on a different machine using a differently compiled web server and it functions fine. So the configuration is not at fault. I'm wondering if perhaps Apache silently fails when not located in its destined directory...

I'm unclear what the best order is to capture both STDERR and STDOUT to the same file using tee. I know that if I want to pipe to a file I have to map the filehandle after the redirect, i.e.

find . >/tmp/output.txt 2>&1

This instructs the shell to send STDOUT to /tmp/output.txt and then to send STDERR to STDOUT (which is now sending to /tmp/output.txt).

Attempting to perform the 2>&1 before redirecting the file will not have the desired effect.

However when I want to pipe using tee should it be:

find . |tee /tmp/output.txt 2>&1   # or
find . 2>&1 |tee /tmp/output.txt   # ?

The unix find(1) utility is very useful allowing me to perform an action on many files that match certain specifications, e.g.

find /dump -type f -name '*.xml' -exec java -jar ProcessFile.jar {} \;

The above might run a script or tool over every XML file in a particular directory.

Let's say my script/program takes a lot of CPU time and I have 8 processors. It would be nice to process up to 8 files at a time.

GNU make allows for parallel job processing with the -j flag but find does not appear to have such functionality. Is there an alternative generic job-scheduling method of approaching this?

I want to deliberately throw an arbitrary error. Something appropriate between the <LocationMatch>...</LocationMatch> directorives. e.g.:

<LocationMatch "^/myurl/.+">
    ThrowError 503
</LocationMatch>

<LocationMatch "^/anotherurl/.+">
    ThrowError 504
</LocationMatch>

<LocationMatch "^/safeurl/">
    # not throwing an error from this path
    Options +Indexes
</LocationMatch>

What can I use instead of ThrowError 503? I want to force the server to tell the user whatever error code I choose (e.g. 404, 403, 501, etc) as a means of testing my rules. Worst case I'd like a message written to the error_log if I cannot actually throw an error at the browser.

I'm aware I could possibly use mod_rewrite to perform a RewriteRule .* - [R=503,L] however I want to just use the core modules (I do not have mod_rewrite compiled into my Apache).

Update: have discovered I can say RedirectMatch 410 . which will report a "Gone" message to the user as one potential solution.

I can use uname and cat /proc/version but all I get is the kernel version.

How do I know whether I'm running RHEL4 or 5.5 or such?

I have a mod_include (SSI) page that is generating erronous output during chunked encoding when requested by a HTTP/1.1 browser.

The page is output fine when requested by a HTTP/1.0 (because the output is not chunked).

How can I tell Apache not to use chunked encoding when requested by a HTTP/1.1 browser?

More info: The erronous chunked output is caused by having sendfile() support enabled on a Solaris 5.10 machine with a sparc processor. Disabling sendfile() support causes this problem to disappear; however I am trying to catch this bug and fix it.

I am having trouble compiling coreutils-8.5 on Solaris 5.10 on the Intel platform using cc.

Firstly I had the following error during ./configure:

checking whether <wchar.h> uses 'inline' correctly... no
configure: error: <wchar.h> cannot be used with this compiler (/tool/sunstudio12.1/bin/cc -xc99=all -g  -D_REENTRANT).

This seemed similar to the problem in this question. The solution was to edit configure and replace the reference of -xc99=all to -xc99=all,no_lib.

This permitted the configure to complete.

Then I ran /usr/sfw/bin/gmake and it progressed until I received the following message:

Making all in src
gmake[2]: Entering directory `/home/peterp/src/coreutils-8.5/src'
gmake  all-am
gmake[3]: Entering directory `/home/peterp/src/coreutils-8.5/src'
  CCLD     chroot
Undefined                       first referenced
 symbol                             in file
eaccess                             ../lib/libcoreutils.a(euidaccess.o)
ld: fatal: Symbol referencing errors. No output written to chroot

What could cause this problem?

PS I was only compiling coreutils because I wanted colour ls.

I am trying to compile rsync-3.0.7 on Solaris 5.10 on an Intel chipset.

When running ./configure I see the following (obviously erroneous lines):

checking size of int... 0
checking size of long... 0
checking size of long long... 0
checking size of short... 0
checking size of int16_t... 0
checking size of uint16_t... 0

In config.log I see the following lines:

configure.sh:5448: /tool/sunstudio12.1/bin/cc -xc99=all -o conftest -g -DHAVE_CONFIG_H   conftest.c  >&5
"conftest.c", line 123: warning: statement not reached
cc: Fatal error in cc : Segmentation Fault
configure.sh:5448: $? = 1
configure.sh: program exited with status 1

Segmentation fault? What could be causing a simple test script to segfault during compilation?

Using mod_rewrite I can construct a rule to respond with a clean error code (e.g. 404 not found, 410 gone, or 403 unauthorised) when a page is requested that I don't want to serve.

But frequently I get completely erroneous requests from hackers scanning my website for vulnerabilities or possibly cross-site scripting attempts. For these customers I do not want to return a clean error - I'd rather do something else like immediately drop the connection with no response or, alternatively, hold the connection open for a lengthy period of time to frustrate the automated process.

Any ideas how to accomplish this with Apache? I've read that nginx has the ability to immediately terminate a connection when a particular pattern is matched.

Really simple question. I do not want a Google account. I just want Google to stop making requests every 2 minutes for a URL it should never have known about (apparently Google harvests URLs from search requests as well as private e-mails, not just from actual web pages).

But when I search Google help for removing URLs it appears I have to use their "webmaster tools" which require logging into a GMail account!

How do I tell Google not to index my URL without becoming a customer?

Note: I already return 404 for the URLs in question using a rewrite rule - this appears to make zero difference to the crawler which continually attempts to fetch the page every 2 minutes.

After about half a day the IIS 6.0 ASP (VBScript) web server appears to die. It accepts TCP connections (i.e. I can telnet localhost 80 successfully) however it does not return any response.

When I restart the server (going through My Computer -> Manage -> IIS -> All Tasks -> Restart) I get a lot of entries in C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log at the time of restart that say:

... 80 HTTP/1.1 GET / - 843545307 Connection_Abandoned_By_AppPool DefaultAppPool
... 80 HTTP/1.0 GET / - 843545307 Connection_Abandoned_By_AppPool DefaultAppPool
... 80 HTTP/1.0 GET / - 843545307 Connection_Abandoned_By_AppPool DefaultAppPool

where the ... refers to the prefix of the line, e.g.

2010-03-17 10:05:06 127.0.0.1 4927 127.0.0.1 80

There are 583 such lines (Connection_Abandoned_By_AppPool) in my log at time of restart.

What could be the cause of this problem?

Can Windows 7 do software RAID 10 (or RAID 1+0 depending on terminology)?

There appears to be a lack of information about software RAID for Microsoft Windows products. Even a search of the microsoft.com offers zero articles about the subject, just a few forum posts.

It appears that the disk manager can create dynamic volumes and that you can organise striped or mirrored sets. But it is unclear whether it is possible to take two independently mirrored volumes and then stripe them (i.e. use 4 disks).

Anybody with experience running software RAID 10 using Microsoft Windows XP, Vista, or Windows 7?

Update: this link implies that Windows 7 Home Premium cannot even do RAID 1 (mirroring). That's not mentioned on the Windows 7 comparison chart. I may make a complaint to the advertising standards authority even though I bought Professional.