Continue reading »]]> First of all, note that if your wireless card does not support master/hostap mode, you can only use ad-hoc mode, which allows only one device to connect.
Secondly, NetworkManager only support WEP for ad-hoc mode, so don’t select other Security method like WPA. If you don’t want to ask for trouble, select “WEP 40/128-bit Key”.

The setup is indeed very simple. just click the network icon from the top right corner of your screen, select “Network settings”, select wireless, then click “Use as hotspot”, it will setup everything for you, including the secret key, and the SSID, you can click the “configure” button to change some settings, like the SSID, and the secret, but keep the above 2 point in mind.
If everything goes OK, you can connect your mobile device to the hotspot in about 30 seconds. in case of problem, do check /var/log/messages for help.

Continue reading »]]> When starting squid with the default configuration (compiled from source), you may notice that the squid process listens not only on TCP port 3128, but also a high UDP port.

netstat -tlunp | grep squid


tcp 0 0 :::3128 :::* LISTEN 3520/(squid)
udp 0 0 0.0.0.0:52431 0.0.0.0:* 3520/(squid)
udp 0 0 :::51621 :::* 3520/(squid)

What in the hell is that 52431 UDP port used for? Let’s find out.
Edit squid.conf, add the following line to configure debug output:

debug_options 78,9 5,9 50,9

restart squid, check the debug output in cache.log:

2012/02/17 02:06:37| Starting Squid Cache version 3.1.19 for x86_64-unknown-linux-gnu...
2012/02/17 02:06:37.140| idnsInit: attempt open DNS socket to: [::]
2012/02/17 02:06:37.140| comm_openex: Attempt open socket for: [::]
2012/02/17 02:06:37.140| comm_openex: Opened socket FD 7 : family=10, type=2, protocol=17
2012/02/17 02:06:37.140| comm_open: FD 7 is a new socket
2012/02/17 02:06:37.140| commBind: bind socket FD 7 to [::]
2012/02/17 02:06:37.140| idnsInit: attempt open DNS socket to: 0.0.0.0
2012/02/17 02:06:37.140| comm_openex: Attempt open socket for: 0.0.0.0
2012/02/17 02:06:37.140| comm_openex: Opened socket FD 8 : family=2, type=2, protocol=17
2012/02/17 02:06:37.140| comm_open: FD 8 is a new socket
2012/02/17 02:06:37.140| commBind: bind socket FD 8 to 0.0.0.0
2012/02/17 02:06:37.140| comm_local_port: FD 7: port 51621(family=10)
2012/02/17 02:06:37.140| DNS Socket created at [::], FD 7
2012/02/17 02:06:37.141| commSetSelect(FD 7,type=1,handler=1,client_data=0,timeout=0)
2012/02/17 02:06:37.141| comm_local_port: FD 8: port 52431(family=2)
2012/02/17 02:06:37.141| DNS Socket created at 0.0.0.0, FD 8
2012/02/17 02:06:37.141| commSetSelect(FD 8,type=1,handler=1,client_data=0,timeout=0)
2012/02/17 02:06:37.141| Adding nameserver 127.0.0.1 from /etc/resolv.conf
...

from the above output, we can figure out that those 2 high ports are used for DNS things. In fact, it’s used for the “internal dns”, a mechanism for squid to effectively manages DNS queries.

Some sys admins like to bind local service to internal interface only, so there come’s a requirement: how can we make squid to ‘listen’ ONLY on internal interface for those udp ports? According to the Squid configuration directives:

udp_incoming_address	is used for UDP packets received from other
				caches.

	The default behavior is to not bind to any specific address.

	Only change this if you want to have all UDP queries received on
	a specific interface/address.

	NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
	modules. Altering it will affect all of them in the same manner.

Add udp_incoming_address xxx.xxx.xx.xx to squid.conf, the udp ports will then bind to xxx.xxx.xx.xx.
However, there may be a trap. If you have two interfaces, one with IP 192.168.1.1, the other 12.34.56.78.
when you set “udp_incoming_address 192.168.1.1″, the proxy may stuck because of DNS problem. especially, when you can’t reach the dns server from local IP.

Continue reading »]]> 1.    谁偷了我的磁盘空间？

发现大小为10G的/home分区磁盘空间使用了9.8G,但是通过du得到的大小却是5G. 另外的4.8G空间哪里去了呢？

du和df都不太可能出错，文件系统也没有损坏的迹象，那问题出在哪儿呢？查看unlink系统调用的手册页：

unlink()  deletes  a  name from the filesystem. If that name was the last link to a file and no processes have the file open the file is deleted
and the space it was using is made available for reuse.

If the name was the last link to a file but any processes still have the file open the file  will  remain  in  existence  until  the  last  file
descriptor referring to it is closed.
可以看出，如果一个文件被删除了，但是还有其他hard link,或者有进程打开它，那么磁盘空间不会被释放.
如何找出这样的文件呢？

nohup.out这个文件名字虽然从/home/curuwong目录消失了，但是所占据的磁盘空间仍然没有被释放，因为有个叫做testsvr的程序还在打开着这个文件。

du得到的空间占用情况和df的结果差距明显的情形，还有一种原因，那就是某个原本有内容的目录被作为挂载点mount上其他分区，于是那个目录下原本的内容就看不到了，但是它们都还在那里，在占用着空间。你看不见的东西，不意味着它们就不存在。^_^

2. wget监听udp端口?(对，你没看错)

我们某业务上有个叫做virusscanner服务,它监听udp端口9999.这个服务进程会不断地通过system函数启动wget通过http去拉取一些东西(OK,我知道你想说使用libcurl会更高效).
virusscanner刚启动时,通过netstat查看端口监听状况：

然而一段时间之后:

从常识出发，我们想象不出通过HTTP下载东西的wget会和UDP扯上什么关系. 那为什么会出现上面的诡异情况呢？

这里主要有两点:
1). 父子进程间的描述符继承
2). 进程PID轮转.

system函数主要做的事情，就是启动一个程序并等待其执行完毕，这主要涉及两个系统调用: fork和exec系列
查看open(2)系统调用的手册页：
The  new file descriptor is set to remain open across an execve(2)
默认情况下，在父进程打开的文件描述符，在子进程中依然保持打开。
这样的结果是，virusscanner打开并监听的udp端口(socket函数的返回值也是文件描述符)，在子进程wget中也是处于打开状态,可以被访问。

至于为什么netstat的输出刚开始显示viruscanner，后来显示wget,这就是PID轮转的结果了。从上面的分析我们知道，virusscanner和wget都在”监听”那个udp端口，netstat只是输出pid较小的进程.
在Linux系统下，PID不是无限增长的，它有个最大值，可以通过文件/proc/sys/kernel/pid-max指定。当pid超过这个最大值时，新进程的pid又会从最小的没使用的开始。结果是：某一时刻，子进程的pid会比父进程的pid还小，于是netstat里面的输出，看到的就会是pid较小的子进程wget了。

那对上面的问题，有什么解决办法呢？很简单，修改virusscanner的代码，调用system()函数之前，
在父进程的socket文件描述符上，通过fcntl设置”执行时关闭“标志就可以了。

fcntl(sock_fd, F_SETFD, fcntl(sock_fd, F_GETFD, 0) | FD_CLOEXEC);

3. 有16G内存的空闲系统下，mysql查询竟然报内存不足(数据量小于百万)？

在32位Linux下，启用PAE之后，系统可以管理最多64G的物理内存。然而由于指针大小的限制，
32位程序最多只能寻址4G的内存。要是只有一个mysqld进程，剩下的28G内存都白白浪费了
(这个不完全正确，因为系统会使用一部分内存来作为buffer和cache,对mysql的运行效率还是
有帮助的)
所以在有大内存的机器上，建议安装64位系统.

4. strace： 跟踪程序的系统调用

当你发现一个进程看似挂起了，不知道它是在忙什么的时候，或者发现程序无法像平常那样工作的时候，可以试试strace:
strace -t /path/to/program
strace -t -p process_pid

会显示进程所做的系统调用，在明白每个系统调用的大致含义之后，你大概就能猜想出程序正在做什么，有什么问题。
比如，我们发现有个rsync进程，启动时间为十天前，但现在还在进程列表里面，我们要确定它到底是在干嘛，可以通过ps查到pid,然后:
strace -t -p rsync_pid
发现它根本没有调用读写socket的函数，而是一直在select,等待可读写IO,进一步分析，我们可以知道，是网络连接问题导致rsync挂起。 直接kill掉之后重传就可以了。

又比如，我们不知道本机mysqld要读取的配置文件顺序是什么，但是我们知道my_print_defaults命令能找到和读取正确的文件，这时我们也可以通过strace来找到它:

从输出可以看到，mysql需要读取的配置文件顺序为(版本5.0):
/etc/my.cnf => ~/.my.cnf => $base_dir/etc/my.cnf
并且我们知道其只有/etc/my.cnf存在，其他文件都不存在。

总结： 了解一些Linux系统编程知识，能够帮助我们更好地分析各种疑难问题，提高运维工作中的排错能力。

系统编程知识在运维中的应用还有很多，我后续会不断补充。这篇文章只是够抛砖引玉，大家在这方面什么经验,欢迎交流分享。

Continue reading »]]> A friend wanted to sync all his files to a remote host, exluding the source files(those with suffix .c, .cpp, .h, .hpp). First I wrote this script

#!/bin/bash
####sync.sh (version 1): sync files to remote host###
SYNC_DST='xxx@example.com::sample_project'
SYNC_OPT=' --exclude="*.[ch]" --exclude="*.[ch]pp" '
if [[ $# -eq 0 ]]; then
        echo "Usage $0 /src/path"
        exit 1
fi
src=$1
#for debug ...
echo rsync -avz $SYNC_OPT "$src" "$SYNC_DST"
rsync -avz $SYNC_OPT "$src" "$SYNC_DST"

Now we try to sync the ‘src’ directory:

./sync.sh src
####output########################################
rsync -avz --exclude="*.[ch]" --exclude="*.[ch]pp" src xxx@example.com::sample_project
sending incremental file list
src/
src/main
src/main.c
src/main.o
src/lib/
src/lib/lib.c
src/lib/lib.h
src/lib/lib.o
####output########################################

We can see that the source files are not excluded,we can also see the full sync command. After removing all the files in the remote host, I copy and run the sync command manually:

rsync -avz --exclude="*.[ch]" --exclude="*.[ch]pp" src xxx@example.com::sample_project
sending incremental file list
src/
src/main
src/main.o
src/lib/
src/lib/lib.o

It works great! But wait, why, why, the same command was used in sync.sh, why didn’t it work as expected?
After some painful test and failure, I changed the line from

SYNC_OPT=' --exclude="*.[ch]" --exclude="*.[ch]pp" '

to

SYNC_OPT=' --exclude=*.[ch] --exclude=*.[ch]pp '

just remove the double quote in $SYNC_OPT variable and everything works as expected. Then I realize that it’s the quote in variable that caused rsync pattern to fail. Because in Bash, quotes have the quoting function only when they appears literally, otherwise, they are just quote character, nothing special.
Let’s make it clear with some example.

#!/bin/bash
###show_arg.sh: used to show arguments provided to this script##
for arg in "$@"; do
   echo "==$arg=="
done

Let’s see how the show_arg.sh works

./show_arg.sh arg1 "arg 2" arg3
==arg1==
==arg 2==
==arg3==

We can see the that the show_arg.sh will print out each argument provided to it, one argument per line, surrounded by two “==”.
replace rsync with show_arg.sh in sync.sh

#!/bin/bash
####sync.sh (version 2): show the real arguments###
SYNC_DST='xxx@example.com::sample_project'
SYNC_OPT=' --exclude="*.[ch]" --exclude="*.[ch]pp" '
if [[ $# -eq 0 ]]; then
        echo "Usage $0 /src/path"
        exit 1
fi
src=$1
./show_arg.sh -avz $SYNC_OPT "$src" "$SYNC_DST"

Test it again:

./sync.sh src

Output:

rsync -avz --exclude="*.[ch]" --exclude="*.[ch]pp" src xxx@example.com::sample_project
==-avz==
==--exclude="*.[ch]"==
==--exclude="*.[ch]pp"==
==src==
==xxx@example.com::sample_project==

It’s now obvious that the quotes are passed to rsync command literally, which definitely cause the pattern to fail. You may be happy and think that remove all the useless quotes will solve all problem. However, what if we really need the quotes?

For example, if we want to exclude files named “test a”(test space a, without quotes), we can’t write it like this:

SYNC_OPT=' --exclude=test a'

this will only exclude files named test, and takes a as file to sync. We must write it like this:

SYNC_OPT=' --exclude="test a"'

We know for now that with sync.sh version 1, it will definitely fail because of the quotes problem. Fortunately, Bash has a valuable eval command, it will process the quotes in variable as you would normally expect.

#!/bin/bash
####sync.sh (version 3): sync files, exclude file name with space###
SYNC_DST='dst'
SYNC_OPT=' --exclude="*.[ch]" --exclude="*.[ch]pp" --exclude="test a"'
if [[ $# -eq 0 ]]; then
        echo "Usage $0 /src/path"
        exit 1
fi
src=$1
#rsync -avz $SYNC_OPT "$src" "$SYNC_DST"
eval rsync -avz $SYNC_OPT "$src" "$SYNC_DST"

Test result

Conclusion: In Bash shell, quotes have the quoting capability only when they appears literally, if they appear in variable, they are just the the quote character, nothing special. If you want the quotes in variable to have quoting function, eval them.

Continue reading »]]> Let’s look at a sample code first(I use the WWW::Curl perl module here, the idea is the same for other language).

#!/usr/bin/perl
use warnings;
use strict;

use WWW::Curl::Easy;

my $url = 'http://search.cpan.org/CPAN/authors/id/L/LO/LORN/LWP-Curl-0.09.tar.gz';
my $resp_body;

#Get file length via HTTP HEAD  request
my $length;
my $curl = WWW::Curl::Easy->new();
$curl->setopt(CURLOPT_URL, $url);
#follow redirect
$curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
#inlcude header in response
$curl->setopt(CURLOPT_HEADER, 1);
#do not include body in response
$curl->setopt(CURLOPT_NOBODY, 1);
$curl->setopt(CURLOPT_WRITEDATA,\$resp_body);
my $retcode = $curl->perform();
if($retcode == 0){
        print "header:$resp_body\n";
        print "*" x 80,"\n";
        $length = $curl->getinfo(CURLINFO_CONTENT_LENGTH_DOWNLOAD);
        if($length == -1 ){
                print "content length not available\n";
        }
        else {
                print "length: $length\n";
        }
}else{
        print "error happened:$retcode " . $curl->strerror($retcode) ." | "
                . $curl->errbuf ."\n";
        exit 1;
}

There’s nothing complicated, the points are:

• CURLOPT_FOLLOWLOCATION: set to 1 to follow HTTP redirect response
• CURLOPT_HEADER: set to 1 to include HTTP Header in response
• CURLOPT_NOBODY: set to 1 to exclude body content from response, so that we get header only
• CURLOPT_WRITEDATA: you get HTTP headers here, more about this later

You may think that we should use CURLOPT_WRITEHEADER to collect the HTTP headers, but it doesn’t work,we get only the first response header in this way, not the final headers after several redirection.

check http://curl.haxx.se/libcurl/ for more about libcurl

Continue reading »]]> In mailwatch v1.0.5, if the subject of a message is utf8 encoded, it can’t display correctly on the message list page. All the non-ascii characters will be replaced with question mark. For example. the subject “我爱Linux” will appears as “??Linux”.

We can patch mailwatch to support this:

1. patch Mailwatch.pm

--- MailWatch.pm.bak    2011-08-19 14:15:45.565769650 +0800
+++ MailWatch.pm        2011-08-19 15:08:47.343311859 +0800
@@ -284,7 +284,7 @@
    $msg{from_domain} = $message->{fromdomain};
    $msg{to} = join(",", @{$message->{to}});
    $msg{to_domain} = $todomain;
-   $msg{subject} = $message->{subject};
+   $msg{subject} = $message->{utf8subject};
    $msg{clientip} = $clientip;
    $msg{archiveplaces} = join(",", @{$message->{archiveplaces}});
    $msg{isspam} = $message->{isspam};

2. patch mailscanner/detail.php

--- detail.php.bak      2011-08-19 14:54:51.515734927 +0800
+++ detail.php  2011-08-19 15:04:17.003311710 +0800
@@ -147,7 +147,7 @@
    $output .= "


\n";
    $row[$f] = $output;
   }
-  if ($fieldn == "To:" || $fieldn == "Subject:") {
+  if ($fieldn == "To:") {
    $row[$f] = htmlentities($row[$f]);
   }
   if ($fieldn == "To:") {
@@ -155,7 +155,7 @@
   }
   if ($fieldn == "Subject:") {
    $row[$f] = decode_header($row[$f]);
-   //$row[$f] = htmlentities($row[$f]);
+   $row[$f] = htmlentities($row[$f],ENT_COMPAT,'utf-8');
   }
   if ($fieldn == "Spam Report:") {
    $row[$f] = format_spam_report($row[$f]);

Continue reading »]]> When configuring the Apache HTTP server, we use the Options directive to control which server features are available in a particular directory. We may, for example, write a config like this:

<Directory /usr/share/nagios>
    Options +ExecCGI Indexes FollowSymLinks
    ...
</Directory>

With this configuration, we hope to enable CGI if it has not been enabled, and set auto index and follow symlink option. However, this is completely wrong and will not work. when you access a cgi in this directory, you will get a 403 Forbidden page.

In fact, the apache document has already stated this:

Warning

Mixing Options with a + or - with those without is not valid syntax, and is likely to cause unexpected results.

That is to say, if you want to use the + or – sign, use them for all options, otherwise it will not work. So, the correct config should like this(all with plus sign)

<Directory /usr/share/nagios>
    Options +ExecCGI +Indexes +FollowSymLinks
    ...
</Directory>

Also, if you want to remove some option, eg, disable SSI, you can write it this way.

<Directory /usr/share/nagios>
    Options +ExecCGI +Indexes +FollowSymLinks -Includes
    ...
</Directory>

In fact, when we use the Options directive without + or – singn, we mean “set options to these …”. when use + singn, we mean “Add this option”. when we mix them together, Apache will be confused, it may wonder:

1. Set options to those you specified here(this is the final result)
2. Add the specified option to, or remove from existing option(existing + to_be_added – to_be_removed = final)

If it picks 1, it can’t satisfy 2. If it picks 2, it can’t satisfy 1. So, it’s clear that we should Never mix Options with a + or – with those without

Continue reading »]]> Building the linux kernel is time and resource consuming, especially when you do this in a VM guest.

fortunately, We can choose a fast Linux machine to take the burden of building, then install the kernel to the target Linux host

This simple article assumes that you know how to config and compile your custom kernel. so I will focus on building the kernel for other host.

1. Download the linux kernel from kernel.org. extract, make xxxconfig, then make, assume that the directory you build your kernel is called KERNEL_BUILD_DIR

2. create a directory to holding things that will be transfered to the target host and install.

cd KERNEL_BUILD_DIR
 kversion=$(make -s kernelrelease)
 mkdir $HOME/$kversion

3. Install modules to that directory

make INSTALL_MOD_PATH=$HOME/$kversion modules_install

4. Install the kernel image to that directory

make INSTALL_PATH=$HOME/$kversion install

5. Install kernel-dev files for build other module (this is optional)

Do you need things like kernel-devel package(fedora) linux-headers(Ubuntu)? if yes, download my install-kernel-dev.sh from google code. then run: (you can save this script anywhere, but you must run it from the kernel build dir)

INSTALL_PATH=$HOME/$kversion
./install-kernel-dev.sh

6. archive the resulting files

cd $HOME
tar -cjf $kversion.tar.bz2 $kversion

Copy the xxx.tar.bz2 to your target machine

7. Install on the target host
1) Install modules and headers

tar -xjf 2.6.xxx.xx.tar.bz2 # (replace  xxx with your kernel version string)
cd 2.6.xxx.xx
sudo chown root:root *
sudo cp -a lib/modules/* /lib/modules/
sudo cp -a usr/src/* /usr/src/

2) Install the kernel
On Ubuntu

sudo cp System.map-* /boot/
sudo cp vmlinuz-* /boot/
sudo update-initramfs -c -k 2.6.xxx.xxx   # (replace  xxx with your kernel version string)
sudo update-grub2

On CentOS/Fedora

installkernel 2.6.xxx.xxx  vmlinuz-*  System.map-*

edit /boot/grub/menu.lst, change default=1 to default=0.

That’s all.

Continue reading »]]> If you setup Linux as a PPTP or L2TP/IPSec VPN server, every client connection will have a corresponding pppx interface on the server. You may have a shorewall interface config like this:

/etc/shorewall/interfaces

#zone interface boradcast options
l2tp    ppp+    -

Assume that client A connected, get IP 192.168.1.100 for ppp0, client B get IP 192.168.1.101 for ppp1. When client A try to ping client B. you may get the following shorewall log:

Jul  8 00:19:20 vpngateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1
 SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=311
 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=52

In this case, if you really think that the connected VPN clients should be able to communicate with each other, you may add the routeback option to shorewall-interface config file, like this:

#zone interface boradcast options
l2tp    ppp+    -       routeback

Reference: shorewall-interfaces man page