Setup Linux to VPN into work (using VPNC)

VPNC is an OSS alternative to the proprietary Cisco VPN client software. Cisco puts you through a nightmare of a registration process just to get their software. VPNC is a free, lightweight alternative that is just as good. To use this method, you must already have a valid VPN login. Here is how you install it on either CentOS or Fedora Core 3:

1) Install two missing libraries: libgpg-error-devel and libgcrypt-devel
yum install libgpg-error-devel
yum install libgcrypt-devel

2) Add /usr/lib and /usr/include to the /etc/ld.so.conf file. This file is a list of extra directories that the dynamic linker uses to search for shared libraries.

3) Run ldconfig

4) Create a file called /etc/vpnc.conf and enter this data into it:
IPSec ID
IPSec gateway
IPSec secret
Xauth username
Domain

5) Download the latest version of the software (in tarball form) here: http://www.unix-ag.uni-kl.de/~massar/vpnc

6) Untar it into its own directory.

7) Change to the vpnc-0.3.3 directory, and run the “make” command to create the binaries. A few lines will scroll by showing you the build process with gcc.

8) Copy two binaries to a common location in your system’s PATH:
cp vpnc vpnc-disconnect /usr/local/sbin

9) Create the directories /etc/vpnc and /var/run/vpnc
mkdir -p /etc/vpnc
mkdir -p /var/run/vpnc

10) Copy the vpnc-script file to /etc/vpnc
cp vpnc-script /etc/vpnc

Start the VPN client like this:
$ vpnc
Enter password for [email protected]:
VPNC started in background (pid: 5454)…

Stop the VPN client like this:
$ vpnc-disconnect
Terminating vpnc daemon (pid: 5454)

Remount root read-write in an emergency

If you’re in single-user mode, you’re usually fighting an emergency. And you often need to “undo” some action you took on the filesystem (such as changing a config file) that forced you into emergency mode. Single-user mode mounts the root partition read-only by default. To change a config file, you must first allow read-write on the root partition. Issue this command:

# mount -n -o remount /

This will remount the root filesystem without writing into the /etc/mtab file (which normally happens during a mount operation).

Grep with context

Use the -Cx switch where “x” is the number of lines of surrounding context to show. For example, to show four lines of context:

grep -C4 "virtual" /usr/local/bin/httpd

Processor optimizations before "./configure"

Boost the speed of your compiled source code by prefixing your CPU architecture flags in front of the ./configure command (when building from source). Let's say you had an Opteron-based server:

CFLAGS="-march=opteron -O3 -m64 -pipe -mtune=opteron -fomit-frame-pointer" ./configure

Disable VNC's built-in webserver

I never use this feature, and just figured out how to turn it off:

1) Open the VNC server perl script.
vi /usr/bin/vncserver

2) Scroll down to approximately line 140. Find either of the following lines, and comment it out:
# $cmd .= " -httpd $vncJavaFiles" if ($vncJavaFiles);
# $cmd .= " -httpd $vncClasses";

3) Restart the VNC service.
service vncserver restart

4) Verify that port 5800 is no longer listening with the command: "netstat -pantl | grep LISTEN"

Jabber2 and Active Directory

The Jabber documentation tells you to connect to Active Directory (AD) on the common LDAP port of 389. While this setup is fine for minimal AD implementations, when you have a complicated AD forest with multiple trees, you need to point Jabber authentication to the Global Catalog instead.

More specifically, in the c2s.xml file, you should have an entry like this:
<host>servername</host>
<port>3268</port>

Linux NIC teaming w/o additional software

After unsuccessfully trying several 3rd-party drivers to provide load-balancing and failover for my Linux servers with dual NIC cards, I stumbled upon the fact that Linux has an integrated bonding driver called, appropriately, “bonding.” Here’s how you get it working (assuming you have at least two interfaces):

1) Add the following lines in /etc/modules.conf:

alias bond0 bonding
options bond0 primary=eth0 mode=1 miimon=200
alias eth0 bcm5700
alias eth1 bcm5700

2) Create a file named /etc/sysconfig/network-scripts/ifcfg-bond0 containing the following (change the network info for your particular environment):

DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

3) Create a file named /etc/sysconfig/network-scripts/ifcfg-eth0 containing the following:

DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

4) Create a file named /etc/sysconfig/network-scripts/ifcfg-eth1 containing the following:

DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

5) Reboot the server.

6) Verify the team configuration by viewing /proc/net/bond0/info or by using the “ifconfig” command. The bond MAC address will be taken from its first slave device.

You can set up your bond interface according to your needs. Changing the one parameter (mode=X) in /etc/modprobe.conf allows you to select what you need. Here are the choices:

mode=0: Round-robin load balancing
mode=1: Active backup. Only one slave is active. A different slave becomes active if the active slave fails.
mode=2: Load balancing and fault tolerance.
mode=3: Broadcast. Transmits everything on all slave interfaces. Fault tolerant.
mode=4: Dynamic link aggregation. Bonding for combining bandwidth into a single connection.
mode=5: Adaptive transmit load-balancing.
mode=6: Adaptive transmit and receive load balancing

Automatic IRC login in GAIM

1) Setup your IRC account.
2) Add NickServ to your buddy list.
3) Place a buddy pounce on NickServ:
a) In Gaim, go to Tools > Buddy Pounce > New Buddy Pounce
b) Add NickServ as the Buddy Name
c) Select your IRC account
d) Pounce When: Sign on
e) Send a message (the message is simply “identify password [password]”)
f) Check “Save this pounce after activation”
g) Click “Save”

mod_disk_cache vs mod_mem_cache

Apache is faster when using disk cache than memory cache. This seems counter-intuitive, as I expected that delivering content from RAM would be significantly faster than accessing a file off a slower disk drive. However, after a conversation with “chipig” in the Apache IRC group, I have seen the light.

If you use mod_mem_cache, when Apache receives a request from a browser for a file, that file’s contents must first be read into memory, and then sent out to the client via a communications endpoint. This process of copying the data into RAM, and then into a kernel buffer to send it, is wasteful and time-consuming. The server really doesn’t want the contents of the file; it merely wants to send the contents to the browser.

If you use the mod_disk_cache module, Linux can use the sendfile() API. Sendfile eliminates the necessity that the server read a file before sending it. With sendfile, the server specifies the file to send and the communications endpoint in the sendfile API; then the OS reads and sends the file. Thus, the server doesn’t have to issue a read API or dedicate memory for the file contents, and the OS can use its file system cache to efficiently cache files that clients request.

And because the copying is done in the kernel, these disk accesses will be buffered by the kernel. This serves to increase cache speed even higher.
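As an added example (not code from the original post or from Apache), a small Linux C program that delivers the same file over a socket both ways: the read/write copy loop described for mod_mem_cache, and the sendfile() call that mod_disk_cache lets the kernel use. The file contents and the /tmp path are constructed for the demo, and the names serve_copy, serve_sendfile and roundtrip are this example's own.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* mod_mem_cache style: file -> user-space buffer -> socket, two copies per chunk. */
static ssize_t serve_copy(int sock, int fd) {
    char buf[4096]; ssize_t total = 0, n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {            /* write() may be short */
            ssize_t w = write(sock, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* mod_disk_cache style: the kernel moves page-cache bytes straight to the socket;
 * the process never reads the file and holds no buffer for its contents. */
static ssize_t serve_sendfile(int sock, int fd) {
    struct stat st; off_t off = 0;
    if (fstat(fd, &st) < 0) return -1;
    while (off < st.st_size) {                        /* sendfile() may be short too */
        ssize_t n = sendfile(sock, fd, &off, (size_t)(st.st_size - off));
        if (n <= 0) return -1;
    }
    return (ssize_t)off;
}

/* Demo: send a constructed 20000-byte file over a socketpair with either method and
 * verify the receiver gets identical bytes. Returns bytes delivered, or -1. */
ssize_t roundtrip(int use_sendfile) {
    char path[] = "/tmp/sendfile_demo_XXXXXX";        /* constructed temp file */
    static char data[20000], got[20000]; int sv[2];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (char)('A' + i % 26);
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, data, sizeof data) != (ssize_t)sizeof data) return -1;
    lseek(fd, 0, SEEK_SET);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    ssize_t sent = use_sendfile ? serve_sendfile(sv[0], fd) : serve_copy(sv[0], fd);
    close(sv[0]); close(fd); unlink(path);
    size_t r = 0; ssize_t n;
    while (r < sizeof got && (n = read(sv[1], got + r, sizeof got - r)) > 0) r += (size_t)n;
    close(sv[1]);
    return (sent == (ssize_t)sizeof data && r == sizeof data && memcmp(data, got, r) == 0) ? sent : -1;
}
```

Both paths deliver identical bytes; the difference is that serve_sendfile never has the file contents in the process's address space, which is the saving the text describes.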