Christopher Karel's questions

I have imported internal Certificate Authorities into Java's CA keystore. (Using keytool to import into the "cacerts" store) This works fine and dandy, until I update the Java RPM. At which point all of those imported certs are not carried over to the new install. So applications bomb when attempting to make SSL connections.

Is there any way to make these certificates persist through Java upgrades? Or an easy way to rerun the import commands on an upgrade trigger? I can obviously script these commands into my upgrade process, but I'm hoping there's a more elegant solution.

For reference, this is a RHEL 5.10 equivalent (technically Oracle Linux). I'm using java-1.7.0-openjdk through the official repositories, and just upgraded to U65.

The Problem

I'm attempting to make a mod_rewrite rule in Apache's global server configuration, and have it take effect for all Virtual Hosts. The documentation certainly indicates this is perfectly fine to do. However, I can't for the life of me get anything to actually rewrite. Even when using a mind-numbingly simple configuration like the following:

LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteRule .* https://www.google.com

However, if I move the above code into one of the virtual servers, it works just fine. (for that domain) But I'd like to have this entered into just the server config, and have it take effect for every hosted website. Is that actually possible? Am I missing some detail? Barring that, is there a good way to troubleshoot what might be going wrong?

Background:

I'm attempting to make a 503 maintenance page for use during system outages. Currently, I'm doing this via mod_alias and a RedirectMatch rule. RedirectMatch 503 ^((?!^(/error/503_error.html)|(/images/503_error.jpg)$).)*$ This lives just fine in the server config (httpd.conf), and applies to all Virtual Hosts when it's enabled.

I'm looking to replace this with mod_rewrite so I can exempt some internal IPs from the redirection. Essentially, so the system can be tested internally, without also making it available to everyone else.

Currently running fully up-to-date RHEL 5.10 with stock Apache 2.2.3.

We have a bunch of Linux boxes mounting NFS shares off a NetApp filer. From time to time, I will flub some part of the export configuration. Typo on one of the allowed hosts, incorrect IP address, etc, etc. No worries, this is usually done on a test system, or with brand new exports that aren't yet in production.

However, I've found that once I've been denied permission to mount something from a Linux machine, the failure gets cached for as long as a day. I will correct the problem that was blocking the mount, re-export on the NetApp, and still not be able to mount the share. I'm pretty sure this caching is done at the NetApp side. It normally ages out after a day or so, but it really sucks having to wait until tomorrow to mount a share.

I've tried exportfs -f on the NetApp, as well as dns flush. (I found both suggestions via Google) However, neither one works.

I would sell my soul if someone could help out with a command/pagan ritual that would clear up this cache issue.

In the course of my sysadmin/network administration duties, I need to packet sniff for connectivity issues. Unfortunately, this often occurs on machines I don't 'own'. Servers under the purview of other administrators, end users' home machines, or simply servers we'd like to avoid installing new software on. So I'd like something that can be used without a proper 'install'.

I personally use WireShark for my local desktop. Works great. But it obviously doesn't cut it for the above scenarios. I know they have U3 and portable apps versions, but that is dependent on physical access to plug in a USB stick. That's also not something I can count on.

So, does anyone know a packet sniffing tool that can be used without a true installation? Something that is just contained in a folder that can be dumped on a target machine, used, then easily deleted? If it's just a CLI, that's perfectly fine. I can always move the .cap files back to my desktop for analysis.

I would personally prefer something that was free (as in libre) and free (as in beer). However, proprietary and paid for products are perfectly valid suggestions.

I'm currently the administrator of some RHEL Linux machines, in a mixed network. Our DNS servers are Windows AD controllers. As such, they occasionally need to come down for maintenance. (eg: patching) This means that at some point, the primary DNS controller for my Linux machines will be unreachable.

In the Windows world, this is handled pretty well. When DNS queries to the primary fail, Windows clients stop using it for 15 minutes. So, barring the initial hiccup, they all putt along pretty smoothly. But Linux keeps trying the same (failed) primary server. By default it will wait at least 5 seconds before trying a secondary server. This translates into EVERYTHING taking a long time, and even applications timing out if there are a good number of DNS lookups.

So, I'm looking into making my server more robust. My current plan is to A) modify resolv.conf to only wait 1/2 a second for a response, and not retry. and B) possibly make some strategic entries to /etc/hosts so that major servers are still reachable quickly.

All that being said, I'd love to have a better solution. Alternately, I'd like to hear what other people are doing with their setups. Or just theoretical "Your idea is good/bad, here's why."


--Christopher Karel