RHEL6 apache httpd virtual host the proper way

My recipe for name-based virtual hosts in separate directories on RHEL:

We place all the virtual hosts under a new directory tree /var/www/vhosts:

# yum install httpd
# mkdir /var/www/vhosts
# semanage fcontext -a -t httpd_sys_content_t /var/www/vhosts
# restorecon -Rv /var/www/vhosts
# mkdir -p /var/www/vhosts/{site1,site2,site3}/{logs,htdocs}
# chown -R apache:apache /var/www/vhosts

I recommend using the FQDN of each site instead of the words “site1”, “site2”, in these examples.

Create the file /etc/httpd/conf.d/vhosts.conf with appropriate content such as:

NameVirtualHost *:80

<VirtualHost *:80>
  ServerName site1
  DocumentRoot /var/www/vhosts/site1/htdocs
  CustomLog "/var/www/vhosts/site1/logs/access.log" common
  ErrorLog "/var/www/vhosts/site1/logs/error.log"

  <Directory "/var/www/vhosts/site1/htdocs">
     Options None
     AllowOverride All
     Order Deny,Allow
     Allow from 127.0.0.1
  </Directory>
</VirtualHost>

<VirtualHost *:80>
  ServerName site2
  DocumentRoot /var/www/vhosts/site2/htdocs
  CustomLog "/var/www/vhosts/site2/logs/access.log" common
  ErrorLog "/var/www/vhosts/site2/logs/error.log"

  <Directory "/var/www/vhosts/site2/htdocs">
     Options None
     AllowOverride All
     Order Deny,Allow
     Allow from 127.0.0.1
  </Directory>
</VirtualHost>

and so on

(Don't forget to set the Directory permissions properly. Above is just an example!)

Then activate the goodness:

# apachectl restart
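The whole procedure as one script, added here as an example and not code from the original post. It assumes the layout above (/var/www/vhosts/FQDN/{htdocs,logs}), RHEL6's targeted SELinux policy with semanage from policycoreutils-python, and a hypothetical script name mkvhosts.sh. Two practitioner details differ from the listing above: the logs directory is labelled httpd_log_t, because httpd_t is only allowed to read httpd_sys_content_t and would be denied writing access.log there under enforcing mode, and the Directory block uses Order Allow,Deny, because with Order Deny,Allow and no Deny directive every client is permitted regardless of the Allow line. The config is syntax-checked before the restart.

```shell
#!/bin/sh
# mkvhosts.sh (hypothetical name): create the per-site tree, label it for
# SELinux and write /etc/httpd/conf.d/vhosts.conf for the FQDNs given.
VHOST_ROOT=${VHOST_ROOT:-/var/www/vhosts}
ALLOW_FROM=${ALLOW_FROM:-127.0.0.1}   # as in the post; set ALLOW_FROM=all for a public site

# vhost_block FQDN: print one <VirtualHost> block on stdout.
vhost_block() {
  site=$1
  cat <<EOF
<VirtualHost *:80>
  ServerName $site
  DocumentRoot $VHOST_ROOT/$site/htdocs
  CustomLog "$VHOST_ROOT/$site/logs/access.log" common
  ErrorLog "$VHOST_ROOT/$site/logs/error.log"

  <Directory "$VHOST_ROOT/$site/htdocs">
     Options None
     AllowOverride All
     Order Allow,Deny
     Allow from $ALLOW_FROM
  </Directory>
</VirtualHost>

EOF
}

# vhosts_conf FQDN...: print a complete vhosts.conf for all sites.
vhosts_conf() {
  echo "NameVirtualHost *:80"
  echo
  for s in "$@"; do vhost_block "$s"; done
}

# make_tree FQDN...: create the directories and label them.
# htdocs stays httpd_sys_content_t (read-only for httpd); logs must be
# httpd_log_t or httpd cannot write there with SELinux enforcing.
# Later local fcontext rules take precedence, so add the logs rule last.
make_tree() {
  for s in "$@"; do
    mkdir -p "$VHOST_ROOT/$s/htdocs" "$VHOST_ROOT/$s/logs"
  done
  semanage fcontext -a -t httpd_sys_content_t "$VHOST_ROOT(/.*)?"
  semanage fcontext -a -t httpd_log_t "$VHOST_ROOT/[^/]+/logs(/.*)?"
  restorecon -Rv "$VHOST_ROOT"
  chown -R apache:apache "$VHOST_ROOT"
}

# Usage (as root): sh mkvhosts.sh www.example.org www.example.net
if [ "$#" -gt 0 ]; then
  make_tree "$@"
  vhosts_conf "$@" > /etc/httpd/conf.d/vhosts.conf
  # never restart on a broken config: configtest fails loudly instead
  apachectl configtest && apachectl restart
fi
```

Run it once per new site; semanage refuses to add a rule twice, so on a second run drop the two semanage lines or use `semanage fcontext -l | grep vhosts` to see what is already there.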

Why is this method good?

1. Creating the vhosts.conf in conf.d doesn’t modify any vendor-supplied files, which means that we won’t lose them if we reinstall the package.

2. Keeping each virtual host and its logs under its own directory tree makes maintenance a breeze and permissions can be separated to give developers access to specific vhosts only.

officially best way to get up to date LAMP on RHEL6

Q: How do I update php, mysql, and apache on RHEL6 without breaking stuff?

A: Use the great packages from IUS!

1. set up the IUS repo

$ wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-11.ius.el6.noarch.rpm
$ wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/epel-release-6-5.noarch.rpm
$ sudo rpm -Uvh ius-release*.rpm epel-release*.rpm

2. make sure you have an up to date ca-certificates bundle installed.

3. See what php packages are available: yum list | grep -w ius | grep ^php

4. The “downside” (a minor inconvenience) of the greatness of IUS is that the packages they build provide the same things as the original, outdated RedHat packages but don't obsolete them. This is intentional, and it is what makes me think it is the best way to obtain a current LAMP on RHEL or CentOS. What this boils down to is that the IUS packages have different names but cannot be installed at the same time as the RedHat/CentOS packages. This means that we must uninstall the original packages (if they are installed) before we can install the more recent IUS packages.

IUS provides a neat yum plugin called "replace", that can be used to do this en masse for a whole bunch of packages based on a certain name. If you have the stock packages "php", "php-devel", "php-common" and "php-cli" installed, you can "upgrade" them to the IUS php54 equivalents with a pretty one-liner: "yum replace php --replace-with php54"! (If you want to use the plugin, first install it with "sudo yum install yum-plugin-replace".)

5. install the IUS packages the usual way if not using the replace plugin.

In the case of RHEL6, postfix (terribly outdated, 2.6.6) requires mysql-libs, so you cannot install mysql55 straight away. What I did took two steps:

# yum erase postfix
# yum install postfix php54 mysql55-server

This means that I uninstalled postfix which was dependent on mysql-libs, and then reinstalled it at the same time as php54 and mysql55. Then it uses mysql55-libs instead.

================================================================================
 Package          Arch      Version               Repository               Size
================================================================================
Installing:
 mysql55          x86_64    5.5.31-1.ius.el6      ius                     9.1 M
 mysql55-server   x86_64    5.5.31-1.ius.el6      ius                     9.6 M
 php54            x86_64    5.4.16-1.ius.el6      ius                     2.7 M
 postfix          x86_64    2:2.6.6-2.2.el6_1     rhel-x86_64-server-6    2.0 M
Installing for dependencies:
 apr              x86_64    1.3.9-5.el6_2         rhel-x86_64-server-6    123 k
 apr-util         x86_64    1.3.9-3.el6_0.1       rhel-x86_64-server-6     87 k
 apr-util-ldap    x86_64    1.3.9-3.el6_0.1       rhel-x86_64-server-6     15 k
 httpd            x86_64    2.2.15-28.el6_4       rhel-x86_64-server-6    821 k
 httpd-tools      x86_64    2.2.15-28.el6_4       rhel-x86_64-server-6     73 k
 mailcap          noarch    2.1.31-2.el6          rhel-x86_64-server-6     27 k
 mysql55-libs     x86_64    5.5.31-1.ius.el6      ius                     783 k
 mysqlclient16    x86_64    5.1.61-1.ius.el6      ius                     3.8 M
 perl-DBD-MySQL   x86_64    4.013-3.el6           rhel-x86_64-server-6    134 k
 perl-DBI         x86_64    1.609-4.el6           rhel-x86_64-server-6    707 k
 php54-cli        x86_64    5.4.16-1.ius.el6      ius                     2.6 M
 php54-common     x86_64    5.4.16-1.ius.el6      ius                     894 k

Transaction Summary
================================================================================
Install      15 Package(s)

That’s all, folks!
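Back to step 1: the release RPMs are fetched over plain http and handed straight to rpm -Uvh. The check a practitioner wants in between is that each file carries a GPG signature that verifies against a key already imported with rpm --import. Below is an added example, not code from the post or from IUS, that parses the result lines of rpm -K; the three sample lines are constructed to show the three outcomes (verified signature, signature with a key rpm does not have, and an unsigned package whose digests merely match).

```shell
#!/bin/sh
# Refuse to install release RPMs unless "rpm -K" reports a verified signature.

# Constructed sample rpm -K output (not real output from these files):
SAMPLE_OK='ius-release-1.0-11.ius.el6.noarch.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_NOKEY='epel-release-6-5.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#xxxxxxxx)'
SAMPLE_UNSIGNED='unknown.rpm: sha1 md5 OK'

# sig_verified LINE: return 0 only when an rpm -K line reports a signature
# ("pgp"/"PGP") that verified (ends in "OK" and does not say "NOT OK").
# Digest-only lines ("sha1 md5 OK") prove the download was not corrupted,
# not who built the package, so they are rejected too.
sig_verified() {
  line=$1
  case $line in
    *"NOT OK"*) return 1 ;;     # signature present but not trusted / wrong
    *OK) ;;                     # digests and (maybe) signature fine, keep checking
    *) return 1 ;;              # anything else (file missing, read error)
  esac
  case $line in
    *pgp*|*PGP*|*gpg*|*GPG*) return 0 ;;   # a signature was actually checked
    *) return 1 ;;                         # unsigned package
  esac
}

# check_rpms FILE...: run rpm -K on each file; return 1 if any fails.
check_rpms() {
  rc=0
  for f in "$@"; do
    out=$(rpm -K "$f" 2>&1)
    if sig_verified "$out"; then
      echo "verified: $out"
    else
      echo "REFUSING: $out" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage: import the repos' keys first, then
#   check_rpms ius-release*.rpm epel-release*.rpm && sudo rpm -Uvh ius-release*.rpm epel-release*.rpm
```

Once the release packages are in place, the .repo files they install carry gpgcheck=1, so yum performs the same check for everything installed from those repositories afterwards.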

Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again

Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again

I tried installing EPEL on a fresh install of RHEL6, and after adding the repo, yum fails with the above error. I have RHEL6.1 (Santiago) and get the above error.

This happens because the RHEL/CentOS installation doesn't trust the HTTPS certificate used by mirrors.fedoraproject.org, which is issued by "GeoTrust SSL CA".

In my case the package ca-certificates was not installed and the /etc/pki/tls/certs/ folder didn’t contain any ca-bundle.crt or ca-bundle.trust.crt !

Solution: yum install ca-certificates

(I had to temporarily rpm --erase epel-release first, to get yum working again)

I once got the same error message even though ca-certificates was installed and up to date. Then it was a firewall blocking https (port 443) traffic.

I worked around that by changing from https to http in /etc/yum.repos.d/epel.repo
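The two causes above (no CA bundle, and port 443 blocked) produce the same yum error, so it pays to tell them apart before editing epel.repo. This is an added example, not from the post: it checks for the bundle at RHEL6's path and then classifies curl's exit status against the mirror host. The exit codes used are curl's documented ones (7 could not connect, 28 timeout, 60 peer certificate not trusted); the function names are my own.

```shell
#!/bin/sh
# diagnose_epel.sh (hypothetical name): why does yum fail to fetch repomd.xml over https?

# classify_curl_rc RC: map a curl exit status to the likely cause.
classify_curl_rc() {
  case $1 in
    0)  echo "ok" ;;
    7)  echo "blocked" ;;      # connection refused/unreachable: firewall or no route to 443
    28) echo "blocked" ;;      # timed out: packets silently dropped
    60) echo "untrusted" ;;    # TLS handshake done, but the server cert chains to no known CA
    *)  echo "other" ;;
  esac
}

# diagnose [BUNDLE] [URL]: print missing-bundle | blocked | untrusted | ok | other | no-curl
diagnose() {
  bundle=${1:-/etc/pki/tls/certs/ca-bundle.crt}
  url=${2:-https://mirrors.fedoraproject.org/}
  if [ ! -s "$bundle" ]; then
    echo "missing-bundle"       # fix: yum install ca-certificates
    return 0
  fi
  command -v curl >/dev/null 2>&1 || { echo "no-curl"; return 0; }
  # pin curl to the same bundle yum/urlgrabber would use, so the verdict matches yum's
  curl -sS --connect-timeout 10 --cacert "$bundle" -o /dev/null "$url" 2>/dev/null
  classify_curl_rc $?
}

# Usage: sh diagnose_epel.sh   (prints one word)
[ "$#" -eq 0 ] && [ "${0##*/}" = diagnose_epel.sh ] && diagnose
```

"untrusted" means the bundle is present but lacks the issuing CA (update ca-certificates); "blocked" is the firewall case, where switching the repo to http works but leaves the repository metadata unauthenticated, so keep gpgcheck=1 so that at least every package is still signature-checked.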

On PRISM, the NSA, Google, Facebook and the Echelon

Q: Are European politicians upset that America is spying and storing data on all its citizens or just that the fact has become public?

In my opinion, that this was going on should have been obvious to every top politician who is not totally clueless about their own country's intelligence operations.

It should also have been obvious to every half-clever internet user such as myself. However, things that we don't see and that make us uncomfortable tend to be repressed, not talked about, and practically forgotten.

I guess that makes the question rhetorical, implying that the problem is that it has become public, but I would also think that most politicians, given that they (subconsciously?) knew what was going on, were still overwhelmed when they fully understood the scale of things.

My personal awareness level: I know that Google logs everything, I know what kind of technical traces I leave when I browse the web. (I use the Firefox plugins DNT+, ABP, and NoScript, and I don’t have flash player or java in the web browser. I do however load images automatically in the browser, even linked from other sites.) This should make me leave a lot less unnecessary traces than most people. Sure, Google knows “me” and my search history, most likely even after I log out from their services, but that’s probably a price I can live with for using their search engine.

I have closed my Facebook account (kind of silly to call it “deleted”, right? It’s just inaccessible to everyone outside Facebook’s datacenter).

What bothers me incredibly much about “the PRISM incident” is that in the first denial statements I read from Google and Facebook, they were very explicit in talking about access to their servers. Anyone working with networks and intrusion detection/prevention systems knows that all high-end network equipment has mirror port capabilities, that is, the ability to output all traffic that passes through the equipment on a separate port. This is used for exactly the purpose of monitoring. We use it to analyze network traffic for anomalies; the NSA use it to copy the communications of the PRISM participants. In Sweden, the FRA use it for all traffic passing through the geographic borders. So, denying backdoors and server access in their datacenters is just smokescreen words for the ignorant masses. They were not lies, but the purpose was to make people think they were not feeding the NSA with data about their users, which of course is not true.

The NSA don’t want server access, they want to tap off the communications, and store it in their own datacenters.

Did you know that their new datacenter in Utah has a Yottabyte scale storage capacity? That’s right, 24 zeroes. That’s huge beyond imagination. So, thinking that they only listen in on communications, without storing and analyzing it, would be ultra-silly.

About 10-15 years ago there was talk about Echelon. Many people thought it was unrealistic and that the descriptions were exaggerated. I wonder if it was. At least today it is not.

Howto install perl modules

I often find myself trying to install (binary) packages that have dependencies to perl modules.

I work on varying platforms: sometimes RHEL/RedHat or CentOS, sometimes Debian-based ones like Ubuntu, and sometimes (less often now, but maybe I will go back again) Gentoo, which is in many ways my ideal platform.

However, Perl is wicked, and the concept of perl modules in a package manager is even more crazy.

What are we going to do when we need a new version of some software (say, amavisd-new) that is not available in the distro's package library?

I’m thinking, build from source and you can’t go wrong, right?

In the case of amavisd-new, these are the listed prerequisites:

Archive::Zip   (Archive-Zip-x.xx) (1.14 or later, currently 1.23)
Compress::Zlib (Compress-Zlib-x.xx) (1.35 or later, currently 2.008)
Compress::Raw::Zlib (Compress-Raw-Zlib) (2.017 or later)
Convert::TNEF  (Convert-TNEF-x.xx)
Convert::UUlib (Convert-UUlib-x.xxx) (1.08 or later, stick to new versions!)
MIME::Base64   (MIME-Base64-x.xx)
MIME::Parser   (MIME-Tools-x.xxxx) (latest version from CPAN - currently 5.425)
Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
Net::Server    (Net-Server-x.xx) (version 0.88 finally does setuid right)
Digest::MD5    (Digest-MD5-x.xx) (2.22 or later)
IO::Stringy    (IO-stringy-x.xxx)
Time::HiRes    (Time-HiRes-x.xx) (use 1.49 or later, older can cause problems)
Unix::Syslog   (Unix-Syslog-x.xxx)
BerkeleyDB     with bdb library (preferably 4.4.20 or later)
Mail::DKIM     (Mail-DKIM-0.31 or later)

So, if I'm going to install amavisd-new from source on a RHEL6 server, what do I need to do? Well, I'll show what I did. Not necessarily the best thing to do... OK?

yum install cpan
perl -MCPAN -e shell

(going with the defaults, automatic is nice)

When I attempted to install the first module (Archive::Zip), I discovered that I did not have web access from my server, so I had to download the CPAN modules by hand. I did this by using the powerful http://search.cpan.org/ search tool, and just pasting the package name (Archive::Zip) in the search box and then downloading the tar.gz packages one at a time.

Manual installation of one CPAN package:

tar zxf Archive-Zip-1.31_04.tar.gz
cd Archive-Zip-1.31_04
perl Makefile.PL
make
make test
sudo make install

Had I had an internet connection available:

perl -MCPAN -e 'install Archive::Zip'

The beauty of CPAN installation is that it resolves dependencies automatically.
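Before downloading anything by hand it helps to know which of the prerequisites listed above are actually missing or too old on the target server. The script below is an added example, not from the post or from amavisd-new: the module names and minimum versions are transcribed from the list above (a minimum of 0 means the list names none), and it relies on Perl's own "use Module VERSION" check, which dies when the module is absent or older than VERSION. Nothing is installed or changed.

```shell
#!/bin/sh
# check_amavis_prereqs.sh (hypothetical name): which amavisd-new prerequisites are missing?
REQUIRED='
Archive::Zip 1.14
Compress::Zlib 1.35
Compress::Raw::Zlib 2.017
Convert::TNEF 0
Convert::UUlib 1.08
MIME::Base64 0
MIME::Parser 0
Mail::Internet 0
Net::Server 0.88
Digest::MD5 2.22
IO::Stringy 0
Time::HiRes 1.49
Unix::Syslog 0
BerkeleyDB 0
Mail::DKIM 0.31
'

# check_module MODULE [MIN]: print the installed version and return 0 when
# MODULE loads and is at least MIN; 1 when absent or too old; 2 when no perl.
# With MIN=0 the version clause is left out, because "use Mod 0" would also
# die for modules that define no $VERSION at all.
check_module() {
  mod=$1; min=${2:-0}
  command -v perl >/dev/null 2>&1 || return 2
  req=""
  [ "$min" != 0 ] && req=" $min"
  perl -e "use $mod$req; my \$v = $mod->VERSION; print defined \$v ? \$v : q{unknown}, qq{\n};" \
    2>/dev/null || return 1
}

# check_all: one line per required module.
check_all() {
  printf '%s\n' "$REQUIRED" | while read -r mod min; do
    [ -n "$mod" ] || continue
    if v=$(check_module "$mod" "$min"); then
      printf '%-22s ok (installed %s)\n' "$mod" "$v"
    else
      printf '%-22s MISSING or older than %s\n' "$mod" "$min"
    fi
  done
}

# Usage: sh check_amavis_prereqs.sh
[ "${0##*/}" = check_amavis_prereqs.sh ] && check_all
```

Each MISSING line is one tarball to fetch from search.cpan.org (or one "perl -MCPAN -e 'install ...'" when the server has web access); re-run the script after each install until the list is clean, then build amavisd-new.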

authorized_keys SELinux pubkey authentication on RHEL / CentOS

So, you have correct permissions on your home directory and all the way up to /, with no other-writable directories in the path, as well as correct permissions on the .ssh directory in $HOME, and it still doesn’t work? You probably have SELinux, and need to put the newly created files in the correct security context. Do it with restorecon like this:

chmod 700 ~/.ssh
cd ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
restorecon -R -v ~/.ssh
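To find out which of the conditions above is the one failing, here is an added diagnostic (not from the post) that re-does the checks sshd performs under StrictModes before it reads authorized_keys: every directory from ~/.ssh up to and including the home directory must be owned by root or the user and carry no group or other write bit, the files in ~/.ssh must not be group/other writable either, and on SELinux systems the labels must match what restorecon would set. It assumes GNU stat (coreutils) and, for the label check, matchpathcon from libselinux-utils; the function names are my own.

```shell
#!/bin/sh
# sshkeycheck.sh (hypothetical name): why does pubkey auth still fail?

# bad_dir DIR UID: true if DIR is not owned by root or UID, or is group/other writable
# (the same test sshd's secure_filename applies: st_mode & 022 must be 0).
bad_dir() {
  owner=$(stat -c %u "$1" 2>/dev/null) || return 0      # unreadable counts as bad
  [ "$owner" = 0 ] || [ "$owner" = "$2" ] || return 0
  case $(stat -c %A "$1") in
    ?????w*|????????w*) return 0 ;;                      # g+w or o+w in drwxrwxrwx
  esac
  return 1
}

# check_chain HOME [UID]: walk from HOME/.ssh up to and including HOME,
# print each offending directory, return 1 if any was found.
check_chain() {
  home=$(cd "$1" && pwd -P) || return 1
  uid=${2:-$(id -u)}
  d="$home/.ssh"; rc=0
  while :; do
    if bad_dir "$d" "$uid"; then
      echo "bad ownership or modes: $d ($(stat -c '%U %A' "$d"))"; rc=1
    fi
    [ "$d" = "$home" ] && break
    [ "$d" = / ] && break
    d=$(dirname "$d")
  done
  return $rc
}

# check_files HOME: authorized_keys and friends must not be group/other writable.
check_files() {
  rc=0
  for f in "$1"/.ssh/*; do
    [ -f "$f" ] || continue
    case $(stat -c %A "$f") in
      ?????w*|????????w*) echo "group/other writable: $f"; rc=1 ;;
    esac
  done
  return $rc
}

# check_labels HOME: compare actual SELinux labels with the policy default;
# silently passes where SELinux tools are not installed.
check_labels() {
  command -v matchpathcon >/dev/null 2>&1 || return 0
  matchpathcon -V "$1/.ssh" "$1"/.ssh/*      # prints "verified" or "should be <context>"
}

# Usage: sh sshkeycheck.sh [homedir]
if [ "${0##*/}" = sshkeycheck.sh ]; then
  h=${1:-$HOME}
  check_chain "$h"; check_files "$h"; check_labels "$h"
fi
```

A "should be ..." line from matchpathcon is exactly the case the post describes, and restorecon -R -v ~/.ssh fixes it; a "bad ownership or modes" line is fixed with chmod/chown on the directory named.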


uuencode package name

Sometimes you have a tiny file you wish to include in a block of plain text, perhaps an email. When I was young(er), in the era of UUCP and modems, before the world wide web and HTML were invented, when RFC-821 was still new, there were no MIME attachments to email.

If you wanted to send a file by mail, you had to encode it in a way that could be included in plain text without breaking. That meant 7-bit ASCII only, max 72 chars on each line, and a lot of other limitations.

Bandwidth and storage were limited, so uuencode was invented to “efficiently” encode 3 bytes of binary data into 4 printable characters. Pretty clever.

I recently had a need for uuencode, and it was not installed on my CentOS/RedHat system by default. The package containing uuencode is called “sharutils”. The name comes from the “shar” utility to encode binaries into a shell script, shell archive (shar file).

"yum install sharutils" - and voila, I have uuencode and uudecode available.
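The 3-bytes-into-4-characters scheme is small enough to write out, which also shows why the format is 7-bit safe: each 6-bit group becomes the character 32 + value, so only printable ASCII from "!" to "`" appears, and a zero group is written as "`" rather than a space so that mail software cannot strip it. The function below is an added example, not the sharutils code or anything from the post; it is a minimal uuencode of stdin in POSIX sh + awk with the mode hard-coded to 644, and exists to illustrate the encoding, not to replace the package.

```shell
#!/bin/sh
# uuencode_stdin NAME: write stdin in uuencode format (begin/end lines,
# 45 input bytes per output line, as the real tool does).
uuencode_stdin() {
  name=${1:-file}
  echo "begin 644 $name"
  od -An -v -tu1 | awk '
    # enc(v): 6-bit value (0..63) -> printable char 32+v; 0 becomes "`"
    function enc(v) { return v == 0 ? "`" : sprintf("%c", v + 32) }
    # flush(): emit one line for the n buffered bytes: length char, then
    # 4 chars per 3 bytes (short final group is zero padded)
    function flush(  i, out, b1, b2, b3) {
      if (n == 0) return
      out = enc(n)
      for (i = 0; i < n; i += 3) {
        b1 = b[i]
        b2 = (i + 1 < n) ? b[i + 1] : 0
        b3 = (i + 2 < n) ? b[i + 2] : 0
        out = out enc(int(b1 / 4))                     # top 6 bits of b1
        out = out enc((b1 % 4) * 16 + int(b2 / 16))    # low 2 of b1 + top 4 of b2
        out = out enc((b2 % 16) * 4 + int(b3 / 64))    # low 4 of b2 + top 2 of b3
        out = out enc(b3 % 64)                         # low 6 bits of b3
      }
      print out; n = 0
    }
    { for (j = 1; j <= NF; j++) { b[n++] = $j; if (n == 45) flush() } }
    END { flush(); print "`" }'      # the "`" line is the zero-length terminator
  echo "end"
}

# Usage: printf Cat | uuencode_stdin cat.txt
#   begin 644 cat.txt
#   #0V%T
#   `
#   end
```

"Cat" is 67, 97, 116; split into 6-bit groups that is 16, 54, 5, 52, giving "0V%T", and the leading "#" is 32 + 3 for the three bytes on the line. The output decodes with the real uudecode from sharutils.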

Moved to new hosting

Hello again!

I recently had some very nice experiences with gandi simple hosting (where the story tellers guild is located), which is in effect a “hosted VPS”, that is, a hosted solution, but with a private set of apache, mysql, APC and Varnish threads. Very cool indeed.

So I’m now moving this blog to the same platform.

10 minutes of work, and all appears to be working as expected.

The steps:

  1. create the vhost(s) (with/without www.)
  2. add temp /etc/hosts entries while testing
  3. mysqldump the database (I took one of the cron-generated ones that was only an hour old)
  4. copy the files from the old DocumentRoot (put -r in sftp works in ubuntu for a recursive put, which was needed due to the amount of files)
  5. verify
  6. remove temporary /etc/hosts entry
  7. update DNS records to point to the new host

To finalize, I installed the varnish http purge plugin.
Looking forward to seeing the impact on performance in google webmaster tools.

Collaborative Storytelling!

Great news for everybody that loves to read and write fictional literature!

I’ve found a really good site for collaborative storytelling: CoST.LI – where writing stories together is great fun! The site is very new, and improving with new features almost daily. Currently it features a nice ranking system, quite similar to the reputation mechanism of sites like StackOverflow and its sister sites in the stack exchange community. There is also a nice toplist where you can compare yourself to others.

Best of all, it’s totally free (some google ads are meant to support it, good luck on that one!), and it uses OpenID for authentication.
Give it a try! It's multilingual, currently with free stories in English, and there are some impressive ones in Swedish too.

So, what is Collaborative storytelling? Simply put: someone writes a story, and another one can continue on it. One of the most interesting features on this site is that each chapter can have several continuations, so there can be potentially an unlimited number of stories in the end.

Get rid of fruit flies!

Have you ever forgotten a tomato in a window, or perhaps a banana skin in a not-so-well-closed container? Has it resulted in a family of fruit flies (also called vinegar flies)?

Do you want to get rid of them? Here’s how…

1. take away everything they can eat and lay their eggs in. This is important, since the females can produce up to 1000 eggs each day, and it takes only a week for them to hatch.

2. take a glass or metal container you don’t love that much – this will be their graveyard

3. add 2 parts of something sweet, for instance honey or syrup

4. add 1 part of vinegar (guess why they’re called vinegar flies?)

5. add 1 or 2 parts of water, and make sure everything blends well.

6. Place it near the flies to see if they’re interested in the treat. The purpose is to mimic the smell of old/ripe fruit, where they prefer to lay their eggs and breed.

7. Finally, add a drop or two of washing-up liquid. This will get rid of the surface tension, making a nasty surprise for the flies when they try to land on the drink you prepared for them. They will sink to the bottom and drown.

8. wait and enjoy the show. Silly flies.