Phine Solutions web work notes

exim configuration

Filed under: server setup — 1.618 @ 11:42 pm

Normally Exim runs very well as packaged, and there is no need to tweak it much. These are just a few points that may need a little attention.

The never_users list

In /etc/exim.conf, root is in the “never_users” list. This is described as a “paranoiac” security catch. The only problem I had was that the email delivered to root from the cron job got bounced and it was flooding the exim mail log. To cure this, you either have to create a local alias for root so the emails are forwarded to that user, or change the cron job email destination to something other than root. I chose the latter option.

Running smtp on another port

The reason for this is that some ISPs have started to block port 25, so your email client will show a “connection timeout” error. Opening another port and configuring your email client to connect to it can help bypass this “restriction” from your ISP if it is in place.

If you have cPanel installed, starting another exim on a different port is quite easy. Just go to the “Service Configuration” -> “Service Manager” page and set up “exim on another port”.

logrotate bug in CentOS and workaround

Filed under: server setup — 1.618 @ 10:54 am

Logrotate normally runs as a daily cron job and rotates, compresses and removes the log files generated by the system. On a CentOS system, you may see this error in the email sent from the cron job:

/etc/cron.daily/logrotate:

error: error running postrotate script
error: error running postrotate script
error: error running postrotate script
error: error running shared postrotate script for /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron

And although logrotate renamed messages to messages.1 and created a new messages file, messages.1 is the one that is still being logged to and growing.
This place gives some insight about the cause of this problem. But in a nutshell, the logrotate executable writes something (probably a script) to /tmp and tries to execute it. Since /tmp is mounted “noexec” on most systems for security reasons, logrotate fails.

To work around this, we can create a new “tmp” directory and let logrotate use that one. For example, below is my new /etc/cron.daily/logrotate:

#!/bin/sh

TMPDIR=/var/tmp_safe
export TMPDIR

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

/var/tmp_safe is the new directory I created for logrotate. It must allow execution, i.e. sit on a filesystem that is not mounted “noexec”.

To test this from the command line, run /etc/cron.daily/logrotate. Note that logrotate won’t rotate files twice in the same day, so add the “-f” option after /usr/sbin/logrotate to force it to rotate again. You should then see the files rotating.
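A pre-check for the replacement directory, as an added example that is not part of the original post: it reports whether a path lies on a “noexec” mount and whether the directory is writable by other users, which matters because cron runs logrotate as root. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a replacement TMPDIR for logrotate.
# Mount-table input uses the /proc/mounts layout: device mountpoint fstype options ...

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw 0 0
/dev/sda5 /var/tmp ext3 rw,nosuid,noexec 0 0'

# mount_opts_for PATH MOUNTS: print the options of the longest mount point containing PATH.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            # mp contains p if it is "/", equals p, or is a prefix of p ending at a "/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH MOUNTS: exit 0 if PATH lies on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# world_writable DIR: exit 0 if DIR is writable by "other".
world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# On a live host (hypothetical invocation):
#   is_noexec /var/tmp_safe "$(cat /proc/mounts)" && echo "logrotate scripts will fail here"
#   world_writable /var/tmp_safe && echo "tighten permissions, e.g. chmod 700"
```

Note that /var/tmp_safe is matched against /var, not /var/tmp, because the prefix test only accepts a mount point followed by a “/”.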

a cron (php) job dilemma

Filed under: server setup — 1.618 @ 2:56 pm

I was trying to run a PHP script from CRON and kept getting a “XSLTProcessor class not found message”.

This really puzzled me since I had no problem running exactly the same script from the command line. I tried different things, and at one point even re-compiled PHP.

Feeling hopeless, I put phpinfo() in the script to see what kind of PHP environment was running in CRON and found out that the configure options and build date were not the same as the current version. OK, what’s going on?

It turned out, I have an older copy of PHP executable in /usr/bin, which was probably compiled and left there by my hosting company (by the way this is a VPS server), and my newer re-compiled PHP is under /usr/local/bin.

Guess what, in /etc/crontab file, the path is: “PATH=/sbin:/bin:/usr/sbin:/usr/bin”, and this is why the older PHP which didn’t have xslt compiled in always got picked up.

whew….
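A way to spot this kind of mismatch, as an added example that is not part of the original post: resolve a command name against an explicit PATH string, so the PATH from /etc/crontab can be compared with the login shell's PATH. The function names are hypothetical, and the assumption that the login PATH lists /usr/local/bin first is not stated on the page.

```shell
#!/bin/sh
# Added example: find which file a given PATH resolves a command name to.

# first_in_path NAME PATHSTRING: print the first executable NAME found while
# walking PATHSTRING left to right, as the shell does; exit 1 if none is found.
first_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting on ":"
    for dir in $2; do
        [ -z "$dir" ] && dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    set +f
    return 1
}

# same_binary NAME PATH_A PATH_B: exit 0 if both PATHs resolve NAME to the same
# file, 1 if they differ, 2 if either PATH does not contain NAME at all.
same_binary() {
    a=$(first_in_path "$1" "$2") || return 2
    b=$(first_in_path "$1" "$3") || return 2
    [ "$a" = "$b" ]
}

# On a live host (the first PATH is the one quoted from /etc/crontab above):
#   same_binary php "/sbin:/bin:/usr/sbin:/usr/bin" "$PATH" \
#       || echo "cron and this shell run different php binaries"
```

Calling the interpreter by absolute path in the crontab entry removes the dependence on PATH altogether.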

benchmarking the server

Filed under: server setup — 1.618 @ 5:55 pm

Now I have the server ready and Apache web server is also up and running, it’s time to test drive this bad boy now.

I know this is a box with a slow CPU (only an 8 year old AMD400) so the bottleneck is probably the CPU processing power.

Using the Apache ab utility, I started:

./ab -n1000 -c10 http://localhost/

This will send 1000 requests, 10 at a time.

In another window, I ran:

top d 1

This will give me the resource utilization every 1 sec.

The test is quite interesting. During the run, the CPU was running with 0% idle time and the load average was around 10-12 per second, which means there were always around 10 processes waiting.

Although there were no request failing, the average time for each request was about 7 seconds.

install dovecot

Filed under: server setup — 1.618 @ 8:49 pm

After some reading I decided to use dovecot for IMAP server. The installation is pretty simple.

If PAM is not installed:
yum install pam-devel

  • create a dedicated user dovecot:dovecot
  • for virtual users, create /etc/dovecot/vmailuser and /etc/dovecot/vmailpass
  • create dovecot.conf and save it under /etc
  • create a dovecot service script in init.d and install it by

chkconfig --add dovecot

It took me some time to get the virtual users working. Originally I was trying to create the user and password file under the virtual mailbox directory, and using the %d variable in the dovecot.conf file so each virtual domain could have its own user/password file. But for some reason I kept getting the “no user” or “bad password” error when I tried to log in from IMAP. Finally I decided that’s it and created universal vmailuser and vmailpass files under /etc/dovecot, which worked perfectly.

install Postfix

Filed under: server setup — 1.618 @ 10:33 pm

First, remove sendmail.

rpm -e --nodeps sendmail

Add a dedicated user:
groupadd -g 5000 vmailman
adduser -u 5000 -g 5000 vmailman
usermod -d /var/mail/vhosts vmailman

Install Postfix from RPM.

install mysql

Filed under: server setup — 1.618 @ 10:33 pm

Installed MySQL 5 from RPMs grabbed from mysql.com

MySQL-client-standard-5.0.24-0.rhel4.i386.rpm
MySQL-devel-standard-5.0.24-0.rhel4.i386.rpm
MySQL-server-standard-5.0.24-0.rhel4.i386.rpm
MySQL-shared-standard-5.0.24-0.rhel4.i386.rpm

mysql configuration file
cp /usr/share/doc/MySQL-server-standard-5.0.24/my-small.cnf etc
use the following configuration:
[mysqld]
bind_address = 127.0.0.1

installation path
mysql home is located under /var/lib/mysql

mysqladmin -u root status
shows some stats.

Now we need to tighten it up:

shell> mysql -u root
mysql> DELETE FROM mysql.user WHERE User = '';
mysql> FLUSH PRIVILEGES;

shell> mysql -u root mysql
mysql> UPDATE mysql.user SET Password = PASSWORD('whateveritis') WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

or

shell> mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');

or

shell> mysqladmin -u root password "newpwd"
shell> mysqladmin -u root -h host_name password "newpwd"

Add a new user. The GRANT ALL statement and the INSERT after it are two ways to create an account with every privilege on all databases; the last GRANT limits the account to the listed privileges on somedb:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'someuser'@'localhost'
    -> IDENTIFIED BY 'somepass' WITH GRANT OPTION;

or

mysql> INSERT INTO user
    -> VALUES('localhost','someuser',PASSWORD('somepass'),
    -> 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    -> ON somedb.*
    -> TO 'someuser'@'localhost'
    -> IDENTIFIED BY 'somepass';

Note: if PHP was installed before MySQL, it will need to be re-compiled…

apache2.2/php virtual host

Filed under: server setup — 1.618 @ 10:32 pm

When testing viewing index.php under a user directory, I kept getting this error:
in the log: client denied by server configuration
On the browser: Permission denied: access to /index.php denied

Feeling puzzled after trying to set the directory permission, I found this post and it really helped me out.

In the default directory configuration, it looks like this:
<directory>
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</directory>

It is very restrictive and essentially denies everything.

Now what I need to do is to add this in my virtual host section:
<directory>
AllowOverRide All
Order deny,allow
Allow from all
</directory>

That fixed the issue.

install PHP

Filed under: server setup — 1.618 @ 10:31 pm

Since I didn’t install the devel packages, some extra RPMs need to be installed for PHP installation.

A bunch of RPMs that need to be installed:
flex-2.5.4a-33.i386.rpm
libxml2-devel-2.6.16-6.i386.rpm
zlib-devel-1.2.1.2-1.2.i386.rpm
mysql-devel-4.1.12-3.RHEL4.1.i386.rpm
openssl-devel-0.9.7a-43.8.i586.rpm
krb5-devel-1.3.4-27.i386.rpm
e2fsprogs-devel-1.35-12.3.EL4.i386.rpm
mysql-bench-4.1.12-3.RHEL4.1.i386.rpm
perl-DBD-MySQL-2.9004-3.1.i386.rpm
perl-DBI-1.40-8.i386.rpm
mysql-4.1.12-3.RHEL4.1.i386.rpm

Again, if you had the development packages installed when installing Linux at the beginning, these packages should already be there.

some additional packages:
yum install libpng-devel
yum install libjpeg-devel
yum install libxslt-devel

yum install libcrypt-devel   <-- without this one, make will error out at the last step.

Now we can run:
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --enable-mbstring --with-curl=/usr/ --enable-exif --with-xsl=/usr/lib/ --with-gd --with-jpeg-dir=/usr/lib/ --with-png-dir=/usr/lib/ --with-zlib-dir=/usr/lib/

make
make install

install apache

Filed under: server setup — 1.618 @ 10:31 pm

Now it’s time to install the apache web server.

  • First, need to remove the existing httpd stuff. I removed the following RPMS.

rpm -e mod_python-3.1.3-5.1.i386
rpm -e mod_ssl-2.0.52-22.ent.centos4.i386
rpm -e mod_perl-1.99_16-4.centos4.i386
rpm -e webalizer-2.01_10-25.i386
rpm -e httpd-2.0.52-22.ent.centos4 httpd-manual-2.0.52-22.ent.centos4 system-config-httpd-1.3.1-1 httpd-suexec-2.0.52-22.ent.centos4

The Perl and Python stuff depends on httpd, so I went ahead and removed it.

  • Then I downloaded the apache 2.2.3 source code, unpacked it and compiled it:

Oops…
configure --enable-so tells me gcc is not there.

./configure --enable-so --enable-ssl --enable-rewrite --enable-speling=shared

Ok, I didn’t install the developer’s package during system installation to try to save some space, now it came back to bite me.

After some research, the following rpms are installed:
gcc-3.4.5-2.i386.rpm
glibc-headers-2.3.4-2.19.i386.rpm
pkgconfig-0.15.0-3.i386.rpm
glib2-devel-2.4.7-1.i386.rpm
glibc-kernheaders-2.4-9.1.98.EL.i386.rpm
glibc-devel-2.3.4-2.19.i386.rpm

  • Apache compiled and installed successfully.

./apachectl start

“It works!”

Now we want to add Apache httpd server to the services:

  • first, make sure we have the startup script ready, copy the following script to /etc/init.d

————————————————————————
#!/bin/bash
#
# httpd Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid

# Variables used below, for the source build under /usr/local/apache2.
# pidfile is the one declared in the header; adjust it if the build's PidFile differs.
apachectl=/usr/local/apache2/bin/apachectl
httpd=/usr/local/apache2/bin/httpd
prog=httpd
pidfile=/var/run/httpd.pid
RETVAL=0

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
    echo -n $"Starting $prog: "
    /usr/local/apache2/bin/apachectl start
    RETVAL=$?
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    /usr/local/apache2/bin/apachectl stop
    RETVAL=$?
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        # status() is defined in /etc/rc.d/init.d/functions, which this
        # script does not source, so this branch is not functional.
        status $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        # Restart only if the server is already running.
        if [ -f "${pidfile}" ] ; then
            stop
            start
        fi
        ;;
    graceful|help|configtest|fullstatus)
        # Pass these straight through to apachectl.
        $apachectl "$@"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|status|fullstatus|graceful|help|configtest}"
        exit 1
esac

exit $RETVAL

————————————————————————

The script is not going to win me any award but it is functional….status check is not in the service since it is quite easy to check on port 80…

  • Second, add the service:

chkconfig --add httpd

  • Third, turn it on:

chkconfig --level 3 httpd on

  • Ok, do a little testing:

service httpd restart
