Annotation of /jonen/notes/notes_2003-02.twingle


Revision 1.6
Thu Mar 13 22:08:25 2003 UTC (21 years, 3 months ago) by jonen
Branch: MAIN
Changes since 1.5: +4 -1 lines
+ added link to build_bacula_deb.html

1 jonen 1.1 <h3>jonen's notes - 2003-02</h3>
2     <hr/>
3    
4     - Unix-Systems
5     o learn howto move/maintain /etc of servers at cvs !!
6     Debian:
7     x search if new packages available, do 'apt-get --dry-run upgrade'!
8     x build small systool script 'apt-get_remote.pl' which runs 'apt-get --dry-run upgrade' from cron and sends the output via mail
9     o review 'apt-get_remote.pl'
10     o what about parsing some response for commands, like installing some marked packages
11     FreeBSD(stable):
12     o read more about BSD package systems (pkg, cvsup)
13     x for simple package installation/de-installation use pkg
14     x install downloaded package:
15 jonen 1.3 :# pkg_add {package}-{version}.tgz
16 jonen 1.1 x install package via remote server(only if package is available as *latest*):
17 jonen 1.3 pkg_add -r {package}.tgz
18 jonen 1.1 x using cvsup
19 jonen 1.3 x read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
20     x newbies could use cvsupit:
21 jonen 1.1 :# pkg_add -r cvsupit.tgz
22     - cvsupit will probably ask you for the default values it
23     places in /etc/cvsupfile, which is used by cvsup
24     - after that it will start cvsup to update your system
25     x if /etc/cvsupfile already exists and you know what you are doing,
26     this command will update your system (maybe run it via cron...):
27     :# /usr/local/bin/cvsup -g -L 2 /etc/cvsupfile
28 jonen 1.3 where '-g' tells cvsup not to use a GUI, '-L 2' sets default output level to 2
29     x for available cvs tags, look at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html
30 jonen 1.1 o what about daemon start-stop scripts (like on linux: /etc/init.d/) ?
31     x configure and compile custom kernel:
32     x read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
33     x create custom kernel conf-file
34     - cd /usr/src/sys/i386/conf/
35     - copy default kernel GENERIC to e.g. MYKERNEL
36     - edit/modify MYKERNEL
37     x configure sources(really?)
38     - run /usr/sbin/config MYKERNEL
39     x build kernel
40     - cd ../../compile/MYKERNEL
41     - make depend
42     - make
43     - make install
44     x use packet filters (firewall):
45     x read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
46     x some options at the kernel have to be enabled:
47 jonen 1.2 - options IPFIREWALL
48     Compiles into the kernel the code for packet filtering.
49     - options IPFIREWALL_VERBOSE
50     Enables code to allow logging of packets through syslogd.
51     Without this option, even if you specify that packets should be logged in the filter rules,
52     nothing will happen.
53     - options IPFIREWALL_VERBOSE_LIMIT=10
54     Limits the number of packets logged through syslogd on a per entry basis.
55     You may wish to use this option in hostile environments in which you want to log firewall activity,
56     but do not want to be open to a denial of service attack via syslog flooding.
57     When a chain entry reaches the packet limit specified, logging is turned off for that particular entry.
58     To resume logging, you will need to reset the associated counter using the ipfw(8) utility:
59     :# ipfw zero 4500
60     Where 4500 is the chain entry you wish to continue logging.
61     - options IPFIREWALL_DEFAULT_TO_ACCEPT
62     This changes the default rule action from ``deny'' to ``allow''.
63     This avoids the possibility of locking yourself out if you happen to boot a kernel with IPFIREWALL support but have not configured your firewall yet.
64     It is also very useful if you often use ipfw(8) as a filter for specific problems as they arise.
65     Use with care though, as this opens up the firewall and changes the way it works.
66 jonen 1.1 x firewall is enabled at /etc/rc.conf (or /etc/rc.conf.local)
67     firewall_enable="YES"
68 jonen 1.3 firewall_type="{firewall_type}"
69     x where {firewall_type} is either a case at /etc/rc.firewall (/etc/rc.firewall6 for ipv6)
70 jonen 1.1 or some custom file to read rules from.
71     x Use firewall_type="OPEN" for default policy 'OPEN' (allow all)
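
A check for the kernel options and rc.conf settings listed above, as an added example that is not part of the original notes. The function names are hypothetical (not FreeBSD tools) and both file paths are supplied by the caller.

```sh
#!/bin/sh
# Added example: audit a kernel config and rc.conf for the ipfw settings
# from the notes above. Function names are hypothetical, not FreeBSD tools.

# kernel_has_option FILE NAME: true if an uncommented "options NAME" exists.
kernel_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=#]|\$)" "$1"
}

# rc_value FILE VAR: print the last value assigned to VAR, quotes stripped.
# The file is parsed with sed, never sourced, so nothing in it is executed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1
}

# audit_ipfw KERNCONF RCCONF: print one finding per line, nothing if clean.
audit_ipfw() {
    kern=$1; rc=$2
    if ! kernel_has_option "$kern" IPFIREWALL; then
        echo "INFO: IPFIREWALL is not compiled into this kernel"
        return 0
    fi
    # Default rule flipped from deny to allow: an unconfigured box is open.
    if kernel_has_option "$kern" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "WARN: default rule is allow (IPFIREWALL_DEFAULT_TO_ACCEPT)"
    fi
    # Logging without a per-entry limit can be used to flood syslog.
    if kernel_has_option "$kern" IPFIREWALL_VERBOSE &&
       ! kernel_has_option "$kern" IPFIREWALL_VERBOSE_LIMIT; then
        echo "WARN: IPFIREWALL_VERBOSE without IPFIREWALL_VERBOSE_LIMIT"
    fi
    case "$(rc_value "$rc" firewall_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "WARN: firewall_enable is not set to YES in $rc" ;;
    esac
    case "$(rc_value "$rc" firewall_type)" in
        [Oo][Pp][Ee][Nn]) echo "WARN: firewall_type is OPEN (allow all)" ;;
    esac
    return 0
}

# Stand-alone use: sh audit_ipfw.sh /usr/src/sys/i386/conf/MYKERNEL /etc/rc.conf
if [ "$#" -eq 2 ]; then audit_ipfw "$1" "$2"; fi
```
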
72 jonen 1.6
73    
74 jonen 1.4 - Backup:
75     x bacula (http://www.bacula.org)
76 jonen 1.5 Bacula is a set of computer programs that permit you (or the system administrator) to manage backup,
77     recovery, and verification of computer data across a network of computers of different kinds.
78     In technical terms, it is a network client/server based backup program.
79     Bacula is relatively easy to use and efficient, while offering many advanced storage management features
80     that make it easy to find and recover lost or damaged files.
81     Bacula source code has been released under the GPL version 2 license.
82 jonen 1.4 x created debian package, because we couldn't find any other
83 jonen 1.6 x wrote some notes about how to build a debian binary package
84     http://www.netfrag.org/~jonen/computing/notes/build_bacula_deb.html
85 jonen 1.4 o create 'postinst' and 'prerm' scripts for saving configs on update, etc.
86     x tested network backup with Director, Storage Daemon and File Daemon(Client)
87     at different hosts, works great!
88     x tested backup to FileStorage, instead of using tape drives
89     (if someone would like to sponsor some tape drive, you're more than welcome!)
90     notes:
91     x remember to use different 'LabelFormat' filename at each pool !
92     x use compression at 'FileSet' definition, where GZIP is equal to GZIP6, means compression-level 6 (1-9)
93     example:
94     # ====== snip FileSet ============
95     FileSet {
96     Name = "Full Set"
97     Include = signature=MD5 compression=GZIP {
98     /home
99     }
100     Exclude = { *.o }
101     }
102     # ====== snip FileSet ============
103    
104 jonen 1.1
105     - QoS (Quality of Services)
106     o check it out !
107    
108     - Apache/php:
109     - apache aliases - redirect '/' to index.php (used for url catching/rewriting)
110    
111     - PHP:
112     x search for php widget lib
113     x APL (http://apl.sourceforge.net)
114     - huge lib in pure C
115     x phphtmllib (http://phphtmllib.newsblob.com)
116     a mainly widget/render lib, written in php, complete OO-based
117     and with nice DataList rendering (abstract source API)
118     x integrated with flib
119     x wrote some classes to browse data-objects via class DataList (new classes flibRPCDataSource, ObjectList, TsBackend)
120     o rename flibRPCDataSource (maybe rework to get more abstract)
121     o review ObjectList and move it to phphtmllib
122     x semi-integrated with class FormBuilder from binarycloud via interface class FormElementsInterface
123     x new class DataItem, which renders one data object for viewing/editing
124     x integrated new FormProcessing classes from phphtmllib (released one day after interface to binarycloud's FormBuilder was written ;)
125     x refactored DataItem to now use phphtmllib form processing instead of interface to binarycloud
126     o review code and move to phphtmllib
127     o XOOPS (http://xoops.org)
128     XOOPS is a dynamic OO (Object Oriented) based open source portal script written in PHP.
129     It is the ideal tool for developing small to large dynamic community websites, intra company portals,
130     corporate portals, weblogs and much more.
131     o binarycloud (http://binarycloud.com)
132     binarycloud is an enterprise class web application platform. binarycloud shares many of the capabilities of products
133     like Oracle 9i AS (Application Server) and IBM's WebSphere:
134     Proper definition of a framework: "A framework supplies the infrastructure and mechanisms that execute a policy for
135     interaction between abstract components with open implementations"
136     - benefits:
137     x much code done yet!
138     - drawbacks:
139     o not-really 100% clean code
140     o complex app which gives you only limited possibilities to use only some classes, so not very modular
141    
142    
143     - OpenLDAP:
144     - Contacts:
145     o Evolution: modify/create schema (map Attribute) so the field 'Note' and others can be used
146    
147     - PAM + SASL
148     o seems pam only works (is only activated) if plain passwords are used
149     o read more about PAM, especially in cooperation with SASL !!
150    
151     - Kerberos V
152     x use GQ LdapBrowser with SASL to authenticate against ldap
153     - this requires a 'kinit <username>' at the shell to get the kerberos ticket
154     - ldap will check your ticket principal against its acl's !
155     o 'libpam-ldap' from Turbo is bad, don't use it !! (remember at 'apt-get upgrade' !!)
156     o write this down in some (existing e.g. sendmail?) howto
157 jonen 1.4
158 jonen 1.1 - Sendmail
159     o research sendmail-cluster, 2 mx records, how to set up second mx/cluster?
160     x backup mx:
161     - set up second mx at dns
162     - at the backup mx, place something like this in /etc/mail/mailertable:
163     domain.com esmtp:[123.123.123.123]
164     where the ip points to the system the real user accounts are
165     and add every domain to /etc/mail/relay-domains:
166     domain.com
167     o what about these *open* relaying rules(security ?!?)
168     x simple load balancing:
169     - set up two(or more) mx records with same priority at dns
170     - at every mx, place something like this in /etc/mail/mailertable:
171     domain.com esmtp:[123.123.123.123]
172     where the ip points to the system the real user accounts are
173     note: this will do load balancing between eg 2 mail server, but if one fails,
174     there is only a 50% chance that sent messages would arrive
175     o change '/etc/init.d/amavisd' to '/etc/init.d/amavis-milter' in howto
176     o migrationtools:
177     o patch migrationtools for sendmail aliases support (/usr/share/migrationtools/migrate_aliases.pl)
178     o create, or search web for, migrationtool for sendmail virtusertable (/usr/share/migrationtools/migrate_virtuser.pl)
179     o review patched kerberosV support at /usr/share/migrationtools/migrate_user.pl?
180    
181    
182     - MySQL:
183     o move this to mysql-common-tasks howto
184     - Create Database
185     :# mysqladmin create <database>
186     - Set Privileges on databases(creates user too, if not exists...):
187 jonen 1.3 mysql>grant all on {database}.* to {user} identified by "{pass}";
188     mysql>grant all on {database}.* to {user}@{domain} identified by "{pass}";
189 jonen 1.1
190    
191     - Document saving:
192     o remember *.doc is a non-standard, bloated Microsoft format, use HTML instead !!
193     see http://www.fsf.org/philosophy/no-word-attachments.html
194    
195     - my documents:
196     o convert all howto's to SDF format ( look at 'nfo/doc/computing/sysadmin/linux/example_sdf_howto.sdf' )
197     o learn more about LyX/LaTeX
198     o convert all howto's to LaTeX format ( look at 'nfo/doc/computing/sysadmin/linux/example_latex_howto.lyx' )
199    
200    
201    
202    
203     future:
204     o build 'black box' to trace for 'spies' on an isdn/internet connection ;)
205    
206     <hr/>
207 jonen 1.5 $Id: notes_2003-02.twingle,v 1.4 2003/03/13 20:26:50 jonen Exp $
208 jonen 1.1
