System administration
Background noise
http://smcv.pseudorandom.co.uk/tags/sysadmin/
2011-02-09T20:28:08Z
DSpam and how not to do it
http://smcv.pseudorandom.co.uk/2009/04/dspam/
Copyright © 2009 Simon McVittie
2011-02-09T20:28:08Z
2009-04-13T20:57:39Z
<p>At some point I might document my current e-mail setup, but for now, here's
the bit that caused plenty of frustration on Friday. Many howtos for postfix
and dspam will tell you that if you embed user IDs in the signature with
<code>PgSQLUIDInSignature on</code> (or the MySQL equivalent), you can do something like
this for retraining, and set it up to receive spam@example.com:</p>
<pre><code># master.cf
dspamretrain unix - n n - 10 pipe
    flags=R user=dspam argv=/usr/bin/dspam --user dspam
    --class=${nexthop} --source=error
# mailbox_transport map
spam dspamretrain:spam
notspam dspamretrain:innocent
</code></pre>
<p>in which <code>--user dspam</code> names an arbitrary user (dspam will extract the uid
from the signature and switch from "dspam" to the correct user, but the
command line argument is still required, for no particular reason).</p>
<p>I said it named an arbitrary user, but actually that's a lie. The things to
be careful of are:</p>
<ul>
<li>the dspam user must be listed in your database (e.g. in dspam_virtual_uids
for postgres users with the default setup)</li>
<li>if you're running dspam in opt-in mode, dspam must have opted in
(so create /var/spool/dspam/opt-in/local/dspam.dspam)</li>
</ul>
<p>Having failed at both of those, my retrain address wasn't working, and sadness
ensued.</p>
Encrypted root filesystem on a Debian laptop
http://smcv.pseudorandom.co.uk/2008/09/cryptroot/
Copyright © 2008 Simon McVittie
2008-09-14T16:45:00Z
2008-09-11T15:36:00Z
<p>I've been meaning to document this for ages...</p>
<p>My laptop is set up with an encrypted root filesystem using LVM and dmcrypt.
It also has a small Debian stable system for recovery purposes (I don't have
a CD drive, so if everything goes horribly wrong, I can't just boot from a
live CD).</p>
<p>Here's how to set up something similar:</p>
<h2>Step 1. Set up the recovery system</h2>
<p>Start the Debian lenny (beta) installer as usual. (I originally used etch,
but these instructions are for lenny - either should work.)</p>
<p>When you get to "Partition disks", choose "Manual".</p>
<p>Here's the partitioning scheme to use:</p>
<ul>
<li><p>Main partition for LVM, taking up the whole disk minus 1GB or so. Select
"Do not use" for now.</p></li>
<li><p>1GB recovery partition at the end of the disk (this will also be the main
system's /boot, since /boot needs to be unencrypted anyway).
Use the defaults: ext3 mounted at /.</p></li>
</ul>
<p>Finish partitioning and write changes to disk, and wait for the base system
to install.</p>
<p>Say yes to installing Grub to the MBR for now (it might be possible to do
the install more cleanly by installing Grub to the recovery partition's boot
sector instead - I haven't tested that).</p>
<p>Reboot into the freshly installed recovery system and satisfy yourself that
it works.</p>
<h2>Step 2. Set up the main system</h2>
<p>Now boot the Debian installer again. This time it's for your installed
system.</p>
<p>At the "Partition disks" stage, choose "Manual" again. Select the main
partition and choose "Use as: physical volume for encryption".</p>
<p>Next select "Configure encrypted volumes". Your main partition will now be
randomized - this is slow - and some time later you'll be asked for a
passphrase. You'll have to type this in at each boot.</p>
<p>Select the contents of the "disk" Encrypted volume (hda1_crypt)
and choose "Use as: physical volume for LVM".</p>
<p>Now "Configure the Logical Volume Manager" and create a Volume Group.
I always use the laptop's hostname as the VG name (this reduces confusion
if you ever plug the disk into another machine for disaster recovery).</p>
<p>Create a Logical Volume called swap, the size you want your swap space
to be. If you plan to use suspend-to-disk, this needs to be at least as
large as your RAM.</p>
<p>Create a Logical Volume called root, for the root filesystem. If you want
separate "partitions" for things like /home, now is a good time to create
them too; if you want to use my schroot howto, leave some unallocated
space in the VG for that.</p>
<p>Set your swap LV to be used as a swap area, and your root LV to be used
as ext3 mounted at <code>/</code>. If you wanted extra LVs, set them up too.</p>
<p>Also set your recovery partition to be used as ext3, mounted on /boot,
and not reformatted.</p>
<p>It should now look something like this (smcvcrypt is the name of
a KVM virtual machine in which I've been testing these instructions; normally
you'd have the laptop's hostname there).</p>
<p><img src="http://smcv.pseudorandom.co.uk/2008/09/cryptroot/partitions.png" alt="Screenshot from d-i" /></p>
<p>Proceed with the installation.</p>
<p>Install Grub to the MBR - this will temporarily make the recovery system
unbootable, but <em>shrug</em> never mind. Finish the installation and reboot into
your new main system.</p>
<h2>Step 3. Make them dual-boot</h2>
<p>Within the main system, your recovery system is also visible, at /boot.
Bind-mount /dev onto /boot/dev, chroot into /boot, and run
"update-grub /dev/hda2", where hda2 is the recovery partition.
Leave the chroot.</p>
<p>Edit /boot/grub/menu.lst and put this right at the end:</p>
<pre><code>title Go to recovery system
root (hd0,1)
chainloader +1
</code></pre>
<p>(Replace (hd0,1) with what Grub thinks the recovery partition is - the second
number is the partition number starting from 0, so /dev/hda5 would be (hd0,4)
and so on.)</p>
<p>Also edit /boot/boot/grub/menu.lst and put this right at the end:</p>
<pre><code>title Back to main system
root (hd0)
chainloader +1
</code></pre>
<p>Also, still in /boot/boot/grub/menu.lst, go to the top of the file and
change the colour scheme to something else (I used a red background) to
indicate that this boot menu is for the recovery system.</p>
<p>Reboot and try it out. You should now have an extra boot menu option,
"Recovery system". Selecting it will switch to the recovery system's
boot menu, which has an option to switch back, and so on. Each boot menu
also has some entries for kernels, any of which will boot with the
appropriate root filesystem (encrypted root for the main system,
unencrypted for the recovery system). Success!</p>
Integrating Enemies of Carlotta with Postfix
http://smcv.pseudorandom.co.uk/2008/09/eoc/
Copyright © 2008 Simon McVittie / Rob McQueen
2008-09-03T13:12:00Z
2008-09-02T08:48:43Z
<p>From the "doing sysadmin over wobbly 3G while waiting for our plane to be
allowed to take off" department comes this bit of mailing list setup.
By his own admission, <a href="http://www.robot101.net/">Rob</a> is better at configuring
Postfix than he is at making blog posts, so I get to be the one posting this...</p>
<pre><code>09:58 <@Robot101> my postfix -> eoc integration is basically ninja, if I might
say so myself
09:58 <@Robot101> so, an eoc transport in master.cf:
09:58 <@Robot101> eoc unix - n n - 10 pipe
user=list argv=/usr/bin/enemies-of-carlotta --quiet
--incoming --sender=${sender} --recipient=${recipient}
09:59 <@Robot101> then in main.cf:
09:59 <@Robot101> eoc_destination_recipient_limit = 1
09:59 <@Robot101> virtual_mailbox_domains = lists.collabora.co.uk
09:59 <@Robot101> virtual_mailbox_maps = pcre:/etc/postfix/list_transports
09:59 <@Robot101> transport_maps = pcre:/etc/postfix/list_transports
09:59 <@Robot101> then a script/cron:
09:59 <@Robot101> su -c "enemies-of-carlotta --show-lists" list | sed
's,\(.*\)@\(.*\),/^\1(-[^@]*)?@\2$/ eoc,'
>/etc/postfix/list_transports
09:59 <@Robot101> giving list_transports like this:
09:59 <@Robot101> /^test(-[^@]*)?@lists.collabora.co.uk$/ eoc
09:59 <@Robot101> (thanks to smcv for assistance with regexp-generation regexp)
...
10:01 <@wjt> ten points for using the best-named mlm
10:01 <@Robot101> 2000 points for not having a mailing list system held
together with procmail, shell, duct tape, gash and string
</code></pre>
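<p>The <code>list_transports</code> generation from the log above, as an added example (not Rob's script or part of the original post): the sed in the log copies the dots of each address into the pattern unescaped, where each one matches any character, so this variant filters and escapes the addresses first. The <code>lists.example.org</code> addresses are constructed sample input, the function names are hypothetical, and <code>grep -E</code> stands in for Postfix's pcre lookup, which is an assumption that holds for these simple patterns.</p>

```shell
#!/bin/sh
# Added example, not from the original post.

# The sed expression from the log: dots in the address reach the
# pattern unescaped, so "." matches any character.
gen_as_posted() {
    sed 's,\(.*\)@\(.*\),/^\1(-[^@]*)?@\2$/ eoc,'
}

# Hardened variant: keep only plain local@domain lines, then
# backslash-escape the PCRE metacharacters that survive the filter
# ("." and "+") before wrapping them in the pattern.
gen_list_transports() {
    grep -E '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$' |
    sed -e 's/[.+]/\\&/g' \
        -e 's,^\(.*\)@\(.*\)$,/^\1(-[^@]*)?@\2$/ eoc,'
}

# Try each "/pattern/ transport" line in order, like a pcre table
# lookup, and print the transport of the first match (nothing if none).
lookup_transport() {
    addr=$1
    map=$2
    printf '%s\n' "$map" | while IFS= read -r line; do
        pat=${line#/}        # drop the leading "/"
        pat=${pat%/ *}       # drop the trailing "/ eoc"
        if printf '%s\n' "$addr" | grep -Eq -- "$pat"; then
            printf '%s\n' "${line##* }"
            break
        fi
    done
}

# Constructed sample of `enemies-of-carlotta --show-lists` output.
lists='test@lists.example.org
dev.announce@lists.example.org'

weak=$(printf '%s\n' "$lists" | gen_as_posted)
strict=$(printf '%s\n' "$lists" | gen_list_transports)

# Compare both maps on a real list address and a look-alike domain.
for addr in test-subscribe@lists.example.org test@listsXexample.org; do
    printf '%-34s as posted: %-4s escaped: %s\n' "$addr" \
        "$(lookup_transport "$addr" "$weak")" \
        "$(lookup_transport "$addr" "$strict")"
done
```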