After running nagios for a long time I suddenly got errors on all my PING checks:
CRITICAL - Plugin timed out after 10 seconds
CRITICAL - Could not interpret output from ping command
It took me quite a while to figure out what was going on. I found a tip on Google about setting the LANG variable to empty, and I tried compiling a new version of the plugin after finding some bug reports, etc.
Running the plugin from the command line gave me a hint about what was going on: Sometimes it would work and sometimes it would return the same error messages.
So I tried renicing nagios to -5 and voila! All my CRITICAL's started to go away.
In /etc/init.d/nagios there is a variable NICENESS=5 which can be set to 0 or even -5 instead if your web server is really too busy to run nagios niced.
Today I set up NFS over TCP.
Here are two nice guides:
And here is mine (Debian/Ubuntu):
Make portmap use specific ports instead of random ports:
- Edit /etc/default/nfs-common:
- Edit /etc/modprobe.d/options:
options lockd nlm_udpport=4001 nlm_tcpport=4001
- Edit /etc/default/nfs-kernel-server
# Options for rpc.mountd
RPCMOUNTDOPTS="--port 4002"
- Edit /etc/default/quota
Insert the following iptables rule:
/sbin/iptables -A FORWARD -s myclient -d myserver -p tcp -m multiport \
    --dports 111,2049,4000,4001,4002,4003 -j ACCEPT
- Edit /etc/fstab:
myserver:/nethome /nethome nfs proto=tcp,rw,rsize=8192,wsize=8192,nfsvers=3 0 0
- Now it actually works to run:
on client but it takes several minutes.
- Install nfs-common tools:
apt-get install nfs-common
and make sure it is running. Now it mounts immediately!
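An added check for the setup above (not part of the original post): it reads `rpcinfo -p` output and lists every RPC service registered on a TCP port that the iptables rule does not allow, which is the usual reason a mount hangs behind the firewall. The sample listings are constructed, and which services sit on ports 4000 and 4003 is an assumption.

```shell
#!/bin/sh
# Added example: flag RPC services on TCP ports the firewall rule does not allow.
# ALLOWED_PORTS mirrors the --dports list of the iptables rule on this page.
ALLOWED_PORTS="111,2049,4000,4001,4002,4003"

# Reads `rpcinfo -p` output on stdin. Prints "service port" once for every TCP
# registration outside ALLOWED_PORTS; returns 0 if all are covered, 1 if not.
# UDP rows are ignored because the rule (and the proto=tcp mount) is TCP only.
check_rpc_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data rows are: program vers proto port service (header row is skipped).
        $1 ~ /^[0-9]+$/ && $3 == "tcp" && !($4 in ok) {
            key = ($5 != "" ? $5 : $1) " " $4
            if (!(key in seen)) { seen[key] = 1; print key; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: ports pinned (services on 4000 and 4003 are assumed).
sample_pinned() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   tcp   4000  status
    100021    3   tcp   4001  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   tcp   4002  mountd
    100011    1   tcp   4003  rquotad
EOF
}

# Constructed sample: statd and mountd still on random ports.
sample_unpinned() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  51344  status
    100024    1   tcp  47512  status
    100021    3   tcp   4001  nlockmgr
    100003    3   tcp   2049  nfs
    100005    1   tcp  39021  mountd
    100005    3   tcp  39021  mountd
EOF
}

# Demo on the constructed data; on a live system: rpcinfo -p myserver | check_rpc_ports
sample_unpinned | check_rpc_ports || echo "ports above are not covered by the rule"
```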
Sometimes even one's cute little self-signed SSL certificates expire. And people are using it to log in to their workstations with ldaps.
Fortunately I noticed it a few days in advance, not after the fact.
So we make a new certificate with the command:
When it asks for a passphrase, "test" will do since the encrypted key will not be used and we delete it in a moment.
You will have to type in country, city etc. Please note that when it asks for "your name" you must enter the host name of the server! The other fields probably don't matter.
Now you have a file called newreq.pem containing an encrypted private key and a certificate. To get an unencrypted private key, run
openssl rsa -in newreq.pem -out newkey-2.pem
Now edit the newreq.pem file and delete the private key part of the contents.
You might want to rename the files to nicer names. It is easiest to use the
same names as in your old ldap config. My ldap client config files are
/etc/ldap.conf, /etc/libnss-ldap.conf and
/etc/pam_ldap.conf and my certificate is
Also make sure the private key is only readable by root:
mv newkey-2.pem slapd-key.pem; mv newreq.pem slapd-cert.pem
chmod 600 slapd-key.pem
Now copy the new certificate (not private key!) to all client hosts. You must do the clients before the server or you will not be able to login to the clients (be chicken and keep copies of the old certificate so you can roll back if you forgot a machine).
On the clients, place the new certificate where the ldap config specifies it. If you run nscd on the client it must be restarted:
On the server, copy the certificate and the private key to the right destination (see /etc/ldap/slapd.conf), and restart slapd:
If you are using ldaps login directly on the server in any way also restart nscd on the server:
That's it! Only it is never that simple. I have a script for distribution on many clients, that is good. I found that I had to restart X on my clients before people could log in to the gui.
/usr/include/gnu/stubs.h:7:27: error: gnu/stubs-32.h: No such file or directory
while compiling with gcc on our new AMD64 box turned out to be something really simple: A 32bit gcc on a network drive was earlier in the path than the native gcc.
Today I got LDAPS to work. Sort of. Haven't got a clue about the schema and access stuff but fortunately I have a working server to copy from ;-)
Getting to see the content of a certificate:
openssl x509 -text -noout -in usercert.pem > usercert-content.txt