Eric Mason . net » sysadmin

Apt-get upgrade wants to replace my compiled packages.

eric — Mon, 30 Mar 2009 20:16:40 +0000

I was getting some messages from my daily apt-get upgrade script telling me some of my ffmpeg debs needed to be upgraded. Since I had recompiled ffmpeg from the source debs with different options, I re-ran apt-get source ffmpeg to get the latest source. When nothing downloaded, I checked the latest version with apt-cache and found it matched the version I have installed. Off to Google I went and found this thread from 9 years ago saying the bogus upgrade messages are normal and I had to increment the version number.

I still want to be notified when new versions come out (via my daily upgrade script) so I can recompile it, so I updated the version as little as possible by adding an “a” to the end of it.

In the source directory, I edited debian/changelog . The first line said

ffmpeg (3:0.cvs20070307-5ubuntu7.3) hardy-security; urgency=low

So I changed it to

ffmpeg (3:0.cvs20070307-5ubuntu7.3a) hardy-security; urgency=low

Then I ran fakeroot debian/rules binary and installed the resulting packages. Now apt-get upgrade tells me I have nothing to upgrade. As long as the ffmpeg package maintainer doesn’t use 3:0.cvs20070307-5ubuntu7.3a as the new version number, I’ll still know when a new release comes out.

SOAP4R and SSL: unable to get local issuer certificate

eric — Wed, 01 Oct 2008 13:16:40 +0000

After enabling SSL on a couple of apps, I got an email from one of my cron jobs telling me my SOAP API was no longer working. (This is why you always want to have an entry in /etc/aliases forwarding root’s email to an account you will read)

The error message was “unable to get local issuer certificate.” I thought, no big deal, there must be an easy way to get SOAP4R to find all the root CA certificates. Unfortunately it took a while searching Google to find the right answer, so I’m posting it here to make it easier for the next person (which just might be me next week).

It turns out SOAP4R will read a file called “soap/property” in your ruby library path (which can usually be the directory your app is in). You can place certain configuration options in this file to control how SOAP4R behaves. In this case, I needed to add
client.protocol.http.ssl_config.ca_file=/etc/ssl/certs/ca-certificates.crt

This fixed the “unable to get local issuer certificate” error right away.

There was another problem though; it was complaining about the hostname not matching the certificate. Since I’m using a wildcard certificate, I assume this means OpenSSL doesn’t respect wildcard certificates. I grudgingly added this to soap/property file
client.protocol.http.ssl_config.verify_mode=OpenSSL::SSL::VERIFY_NONE
And it’s fine now.

Multiple virtual hosts using SSL on the same IP and Port

eric — Wed, 01 Oct 2008 03:08:12 +0000

Tonight I decided to set up SSL on two internal web apps I’ve been running for a while. I have a wildcard certificate *.stockpr.com just for this purpose. Each app was originally running on a separate hostname on a single IP address on port 80.

After I started setting up SSL, I realized that I might run into trouble because Apache has always said you can’t combine NameVirtualHost and SSL. The reason for this is that the SSL session is established before the HTTP headers are sent. Since NameVirtualHost relies on the HTTP Host header, which is unavailable since it hasn’t yet been sent at the time SSL is being negotiated, Apache can only use a single SSL cert per combination of IP and port.

So my thought was this should technically not be a problem since both of my hostnames are under the same domain and I have that fancy wildcard certificate for both virtual hosts. I thought Apache just might be cool enough to send the first certificate it finds, but still respect the HTTP Host header and send the request to the right virtual host.

Guess what… Apache is indeed that cool. I now have x.stockpr.com and y.stockpr.com on the same IP and port with two different virtual hosts, sharing the same certificate.

Won’t exactly revolutionize web hosting, but it definitely made my ~~day~~ night go a little easier. (Of course if you read my last post, something else more than made up for it)

Amazon EC2 and “4gb seg fixup”

eric — Wed, 01 Oct 2008 02:49:52 +0000

Tonight I spent two hours banging on an EC2 instance that suddenly went awry. I was adding SSL to a couple of internal applications we host on this instance when my “apache2ctl configtest” command hung. I tried all sorts of things and finally noticed there were tons of entries in /var/log/messages referencing “4gb seg fixup” like this:

kernel: printk: 16 messages suppressed. kernel: 4gb seg fixup, process sh (pid 21236), cs:ip 73:00a7b240 last message repeated 8 times kernel: printk: 353387 messages suppressed.

Google revealed that I’m not the first to run into this problem with an EC2 instance. Several posts said to install the Xen version of libc
apt-get install libc6-xen
and do this:
echo "hwcap 0 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf; ldconfig
And then reboot.

This seems to have fixed it, but I’m wondering why this was either not included in the Ubuntu AMI I’m using or somehow got undone.

Bundling EC2 Instances and EBS

eric — Wed, 24 Sep 2008 14:52:36 +0000

As I mentioned in the last post, I’m working on hosting email accounts on Amazon EC2. I am experimenting with mounting /var on an EBS volume so my database, logs, etc. will survive the failure of an instance. The idea is to be able to start a new instance, attach the EBS volume containing the /var partition, and keep going where the previous instance left off.

The first time I tried to bundle the volume I noticed it was taking a very long time. I had incorrectly assumed that ec2-bundle-vol would automatically exclude any EBS volumes. Instead, it only excludes a static list of directories, so I had to add the EBS volume (/mail) to the exclusion list.

Here are the commands I used to bundle the volume:

ec2-bundle-vol -k /mnt/aws-config/pk-xxxxx.pem \ -c /mnt/aws-config/cert-xxxx.pem \ -u xxxx-xxxx-xxxx -d /mnt/bundle \ -p image-name-20080924 -e /mail

ec2-upload-bundle -b ae-ami \ -m /mnt/bundle/image-name-20080924.manifest.xml \ -a xxxx -s xxxx

ec2reg bucket-name/image-name-20080924.manifest.xml

The next step will be to figure out how to set up the AMI so it will have a swap partition when it boots up in a new instance.

Amazon EBS Snapshot Backups with LVM and XFS

eric — Mon, 22 Sep 2008 13:53:21 +0000

I’m working on setting up a server to host email accounts on Amazon EC2 using the newly released Elastic Block Storage. My benchmarking has shown XFS to be better than ReiserFS for this task – and presumably EXT3, but I ran out of patience.

Since I will need to grow the filesystem in the future, I am using LVM. This also allows me to break up the logical volume into separate EBS volumes, which should increase random access performance.

Right now for testing, I have a single LVM volume group and logical volume comprised of three “physical” EBS volumes of 100GB each.

Although EBS’s snapshot command completes quickly and the snapshots are consistent as of the time the command is run (there is a pause in access to the filesystem while the snapshot starts), the use of multiple EBS volumes complicates matters. In order to get a consistent snapshot, the whole filesystem needs to be stopped while a snapshot is begun on each of the underlying EBS volumes. Conveniently XFS has a “freeze” command to flush the whole filesystem and prevent writes until it is unfrozen.

Here’s my current snapshot script:

#!/bin/bash

SNAP_CMD=/usr/local/ec2/bin/ec2-create-snapshot
MOUNT_POINT=/mail
export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.06
export EC2_CERT=/mnt/aws-config/cert-XXXX.pem
export EC2_HOME=/usr/local/ec2
export EC2_PRIVATE_KEY=/mnt/aws-config/pk-XXXX.pem

vols=("vol-xxxx" "vol-xxxx" "vol-xxxx")
i=0
xfs_freeze -f $MOUNT_POINT

for vol in ${vols[@]}
do
        $SNAP_CMD $vol &
        pids[i]=$!
        let i+=1
done

for pid in ${pids[@]}
do
        wait $pid
done

xfs_freeze -u $MOUNT_POINT