Home / user-6990

Signum's questions

Martin Hope
Signum
Asked: 2012-05-22 01:58:33 +0800 CST
  • 41

In our team we have three seasoned Linux sysadmins having to administer a few dozen Debian servers. Previously we have all worked as root using SSH public key authentication. But we had a discussion on what is the best practice for that scenario and couldn't agree on anything.

Everybody's SSH public key is put into ~root/.ssh/authorized_keys2

  • Advantage: easy to use, SSH agent forwarding works easily, little overhead
  • Disadvantage: missing auditing (you never know which "root" made a change), accidents are more likely

Using personalized accounts and sudo

That way we would login with personalized accounts using SSH public keys and use sudo to do single tasks with root permissions. In addition we could give ourselves the "adm" group that allows us to view log files.

  • Advantage: good auditing, sudo prevents us from doing idiotic things too easily
  • Disadvantage: SSH agent forwarding breaks, it's a hassle because barely anything can be done as non-root

Using multiple UID 0 users

This is a very unique proposal from one of the sysadmins. He suggest to create three users in /etc/passwd all having UID 0 but different login names. He claims that this is not actually forbidden and allow everyone to be UID 0 but still being able to audit.

  • Advantage: SSH agent forwarding works, auditing might work (untested), no sudo hassle
  • Disadvantage: feels pretty dirty - couldn't find it documented anywhere as an allowed way

What would you suggest?

linux root
Martin Hope
Signum
Asked: 2012-02-14 07:33:01 +0800 CST
  • 1

We intend to run several components to run a web site. Like a load balancer, a cache and a couple of web serserves. To avoid single-points-of-failure we intended to use Heartbeat/Corosync/Pacemaker and instead of one load balancer just run two of them. Now we have different choices how we set them up and I would like to hear your opinion which one works better:

  1. Run pairs of servers in different clusters. E.g. "loadbalancer1" and "loadbalancer2". That way we wouldn't have two few servers to reach quorum if one of the servers failed. We could switch off the quorum feature though but would risk a split-brain situation. This doesn't sound perfect but the configuration is clear and simple and it would probably just work.

  2. Run triples of servers in different clusters. Like "loadbalancer1" and "loadbalancer2" and "loadbalancer-quorum". That way we have an extra server that is otherwise doing nothing but at least we can reach quorum in case of a failure.

  3. Run all servers in a single cluster. That way the cluster would consist of "loadbalancer1", "loadbalancer2", "cache1" and "cache2". Then we could use contraints to make sure that the load balancing software only runs on "loadbalancer1" or "loadbalancer2" and that the cache software only runs on "cache1" or "cache2". I could imagine that this gets confusing. But we we would have enough servers to always reach a quorum.

Do you have experience with such a setup? What should we do?

cluster heartbeat pacemaker corosync
Martin Hope
Signum
Asked: 2009-12-12 08:48:15 +0800 CST
  • 6

We are using an ".intranet.local" domain for our internal network. For years the ".local" domain seemed to be a sane choice for local networks running on private (RFC 1918) IP addresses. Today we learned that ".local" is nowadays used for zeroconf network services. Our first software that breaks here is "Psi" (the Jabber client) which only sends multicast DNS (mDNS) queries to find the given Jabber server and fails because no service/server is listening on 224.0.0.251. It doesn't use a fallback to regular (unicast) DNS and thus fails.

It would be rather complicated to move our company network to another internal domain. Do we have another choice? Like running a network service that translates mDNS requests to unicast DNS requests on our local DNS server.

I tried "avahi-daemon" on our (Linux) gateway but couldn't find a configuration where mDNS would get forwarded/translated to unicast DNS. In addition the Avahi documentation warns:

"If you come across a network where .local is a unicast DNS domain, please contact the local administrator and ask him to move his DNS zone to a different domain. If this is not possible, we recommend not to use Avahi in such a network at all."

Next I hoped that our bind name server could answer mDNS requests but apparently it can't.

What is the best choice in our situation? Thanks in advance.

networking
Martin Hope
Signum
Asked: 2009-11-17 08:06:35 +0800 CST
  • 5

I am trying to offer our users an Apache WebDav space where they can store their calendar (.ics) files. I've got Dav and LDAP authentication running already. But I fail to jail users to some sub-directories. After all I don't want them to access each other's calendar files.

Example: Let's say user johndoe logs in. Then I'd like to have his "/" path be mapped to /var/www/users/johndoe on disk. So that every user has their own directory.

What I have tried so far:

  1. UserDir /var/www/users/*/

    but it seems like this directory just sets the path for /~johndoe/ requests which is not what I want.

  2. RewriteRule ^/ /users/%{REMOTE_USER} [R]

    Fails. And it's probably just rewriting the path which isn't what I want.

  3. AliasMatch ^/ /var/www/users/%{REMOTE_USER}/

    This should map the path to a directory on disk but the %{REMOTE_USER} does not get expanded.

Is is possible to jail logged in users to some subdirectory? Thanks in advance.

apache-2.2
Martin Hope
Signum
Asked: 2009-06-20 03:34:08 +0800 CST
  • 7

We are making extensive use of the logical volume manager (LVM) on our Debian servers. But I find it hard to get a good overview on which partitions (LVM as well as native) I have mounted where, from which LV (logical volume) from which VG (volume group) and from which PV (physical volume). There are console tools like "lvdisplay -v" and "lvs" but those always just give me a partial view of everything. What I'd wish for is a textual representation something like:

Volume group "vgmain"
=======================
consists of physical volumes:
- /dev/sda1 (300 GB, 50 GB unused)
- /dev/sdb1 (300 GB, 120 GB unused)
- /dev/sdc1 (300 GB, nothing unused)

provides logical volumes:
- lvroot (EXT3 mounted on /, 4 GB, 0.5 GB free)
- lvmysql (XFS mounted on /var/lib/mysql, 8 GB used, 2 GB free)

Volume group "vghuge"
=======================
consists of physical volumes:
- /dev/sdc2 (800 GB, 250 GB unused)

provides logical volumes:
- lvhome (XFS mounted on /home, 300 GB, 90 GB free)
- lvbackup (XFS mounted on /mnt/backup, 300 GB, 20 GB free)

Just as an idea how that might look. Is there such a tool? If nothing like that exists yet I think I'll have to script something myself which queries "df", "lvdisplay", "vgdisplay" and "pvdisplay" and creates such an overview.

Thanks in advance.

linux debian lvm