Phine Solutions web work notes

scratching the surface of DNS

Filed under: server setup — 1.618 @ 11:19 am

DNS stands for Domain Name Server (or System). It provides a "directory"-like service that maps a domain name to an IP host. Setting up and configuring DNS correctly is critical, since a mistake can make a website "invisible" on the internet. Understanding the basics makes this process a lot easier.

First, some terminology, and some tools that can check DNS settings.

DNS uses different record types to define a domain. The most used ones are as follows:

A – stores the host IP address.

CNAME – alias record; for example, www.phinesolutions.com is the alias for phinesolutions.com.

MX – mail exchange record, which tells mail servers how to route email.

CNAME – Canonical name: used to assign aliases to existing A records; for example, domain.com can have other aliases such as www.domain.com, ftp.domain.com, etc.

Once the basic meanings are clear, you shouldn't have too much trouble reading the report from www.dnsreport.com, where you can spot DNS problems with your server and make changes.

If you have access to a *nix system, the "dig" command can be very helpful too:

dig www.phinesolutions.com tells me the A record for the domain.

dig phinesolutions.com mx tells me the MX record.

Notice we lose the "www" part, because we really need to check the domain name without it: people use email addresses like email[at]phinesolutions.com, not email[at]www.phinesolutions.com.

dig is a powerful command and you can certainly dig out a lot more information than this. The dig man page makes a nice guide.


Next is an example of using BIND to run a DNS service.

BIND – Berkeley Internet Name Domain

BIND is an implementation of DNS protocols. It includes a set of components that are necessary to run and maintain a DNS server. The BIND package is installed on the vast majority of the DNS server machines on the internet.

Named

named is part of the BIND package and runs as a daemon process to handle DNS requests.

/etc/named.conf

This file serves as a name server configuration file. It provides the settings for named to run. Most of the settings do not need to be changed. But to add a domain name to a name server, a "zone" setting has to be added into this file, like the one below:

zone "phinesolutions.com" {
    type master;
    file "/var/named/phinesolutions.com.db";
};

This tells named that it should handle requests for the domain name "phinesolutions.com" and that the zone file for this domain is /var/named/phinesolutions.com.db.

A "zone" is not necessarily mapped to a domain name; it can also be mapped to a sub-domain name like "my.phinesolutions.com".

zone file

A zone file, for example "/var/named/phinesolutions.com.db" in the example above, tells the DNS server HOW to keep this zone's records: for example, how often the server should update other DNS servers about the whereabouts (IP) of this domain. Here is what it looks like:

zone file example

To understand this, we need some explanation:

  1. Throughout the file there are numbers like 14400 and 86400; they are Time To Live (TTL) values. A TTL defines the length of time, in seconds, that a particular piece of zone info is valid. As you can see at the beginning of the file, "$TTL 14400" sets the default value, and individual records can override it with their own.
  2. SOA – Start Of Authority. This specifies the primary name server for this domain name and a set of values related to the name server. I am going lazy here; if you need to understand what they are for, you can find it in this RedHat documentation.
  3. NS records. Again, they define the primary and secondary name servers for this domain.
  4. A record, as explained in the previous section, shows the IP that this domain is pointing to.
  5. The MX record points to the same server, since I have the mail server running on the same server. Multiple MX records indicate multiple mail servers for the domain, and the number 0 shows the priority of the server.
  6. My CNAME records include www, mail and ftp. So if a user tries to access www.phinesolutions.com, ftp.phinesolutions.com or mail.phinesolutions.com, the name server knows where to point them.

Once you have one working zone file in place, it can be used as a template for the others. The zone file has some special formatting, such as the trailing "." after each domain's TLD (that is, after every fully qualified name). Those dots have to be there or it won't work.
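To make the points above concrete, here is an added example (my own, not part of the original post or of BIND): a small parser and validator for a zone file in the format described above. It reads the "$TTL" default, notices when a record overrides it, and flags the two mistakes the notes warn about: a name that looks fully qualified but is missing the trailing ".", and a CNAME alias whose target has no A record in the zone. The sample zone, the names (example.com) and the address 192.0.2.10 are constructed for the example.

```python
# Added example, not from the original post: a small parser/validator for a
# BIND-style zone file. It reads the $TTL default, tracks per-record TTL
# overrides, and flags the mistakes the notes above warn about: a name that
# looks fully qualified but lacks the trailing ".", and a CNAME whose target
# has no A record in the zone. The zone text is constructed for this example;
# example.com and 192.0.2.10 are documentation values, not real hosts.

# Constructed sample zone. Every record line starts with its owner name
# (this parser does not support the "blank owner inherits previous" form).
SAMPLE_ZONE = """\
$TTL 14400
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial
                86400      ; refresh
                7200       ; retry
                3600000    ; expire
                86400 )    ; minimum
@       IN  NS  ns1.example.com.
@       IN  NS  ns2.example.com.
@       IN  A   192.0.2.10
@ 86400 IN  MX  0 mail.example.com.
www     IN  CNAME example.com.
mail    IN  A   192.0.2.10
ftp     IN  CNAME example.com
"""


def _logical_lines(text):
    """Drop ';' comments and join parenthesised multi-line records (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text):
    """Return (default_ttl, records); each record is a dict of name/ttl/type/rdata."""
    default_ttl, records = None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        name, rest = tokens[0], tokens[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():      # per-record TTL overrides $TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0] == "IN":        # the class is optional in the file
            rest = rest[1:]
        records.append({"name": name, "ttl": ttl, "type": rest[0], "rdata": rest[1:]})
    return default_ttl, records


def fqdn(name, origin):
    """Expand a zone-relative owner or target to an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def validate_zone(text, origin):
    """Return a list of problems; an empty list means the checks passed."""
    default_ttl, records = parse_zone(text)
    problems = []
    if default_ttl is None:
        problems.append("no $TTL line: BIND needs a default TTL")
    a_names = {fqdn(r["name"], origin) for r in records if r["type"] == "A"}
    for r in records:
        # Which rdata fields are host names that must be absolute?
        targets = {"NS": r["rdata"][:1], "CNAME": r["rdata"][:1],
                   "MX": r["rdata"][1:2], "SOA": r["rdata"][:2]}.get(r["type"], [])
        for t in targets:
            if "." in t and not t.endswith("."):
                problems.append(f"{r['type']} target {t!r} looks fully qualified "
                                f"but lacks the trailing '.'")
        if r["type"] == "CNAME":
            target = fqdn(r["rdata"][0], origin)
            if target not in a_names:
                problems.append(f"CNAME {r['name']} points to {target}, "
                                f"which has no A record in this zone")
    return problems


if __name__ == "__main__":
    for p in validate_zone(SAMPLE_ZONE, "example.com."):
        print("problem:", p)
```

Run against the sample, the "ftp" line produces two complaints: the target "example.com" is missing its dot, and because of that it is read as the relative name example.com.example.com., which has no A record. Adding the dot clears both.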

With a host management tool such as Cpanel, all of this can pretty much be configured through a friendly UI without getting down to the dirty work of file editing. However, knowing these simple concepts can help you better understand the process and know where to look when needed.

A Mail Transfer Agent comparison

Filed under: server setup — 1.618 @ 11:55 pm

Picking the right MTA is an important step for a webmaster. For a *nix system, the most popular ones are Exim, Postfix, Qmail, and Sendmail. Here is a very good article talking about their differences and how to compare them:

MTA comparison

exim configuration

Filed under: server setup — 1.618 @ 11:42 pm

Normally Exim runs very well as packaged, and there is no need to do much tweaking. These are just some watch points that may need a little attention.

The never_users list

In /etc/exim.conf, root is in the "never_users" list. This is described as a "paranoiac" security catch. The only problem I had was that the email delivered to root from the cron job got bounced and it was flooding the exim mail log. To cure this, either create a local alias for root so the emails will be forwarded to that user, or change the cron job email destination to something other than root. I chose the latter option.

Running smtp on another port

The reason for this is that some ISPs have started to block port 25, so from your email client you will see a "connection timeout" error. Opening another port, and configuring your email client to connect to the new one, can help bypass this "restriction" from your ISP if it is there.

If you have Cpanel installed, starting another exim on a different port is quite easy. Just go to the "Service Configuration" -> "Service Manager" page and set up "exim on another port".

logrotate bug in CentOS and workaround

Filed under: server setup — 1.618 @ 10:54 am

Logrotate normally runs as a daily cron job and rotates/compresses/removes the log files that are generated by the system. On a CentOS system, you may see this error in the email sent by the cron job:

/etc/cron.daily/logrotate:

error: error running postrotate script
error: error running postrotate script
error: error running postrotate script
error: error running shared postrotate script for /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron

And although logrotate renamed messages to messages.1 and created a new messages file, messages.1 is the one that is still being logged to and growing.
This place gives some insight into the cause of this problem. In a nutshell, the logrotate executable writes something (probably a script) to /tmp and tries to execute it. Since /tmp is mounted "noexec" on most systems for security reasons, logrotate fails.

To work around this, we can create a new “tmp” directory and let logrotate use that one. For example, below is my new /etc/cron.daily/logrotate:

#!/bin/sh

# Point logrotate (and the postrotate script it writes out) at a tmp
# directory that is not mounted noexec.
TMPDIR=/var/tmp_safe
export TMPDIR

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

/var/tmp_safe is the new directory I created for logrotate, and it needs to allow execution (that is, it must not sit on a noexec mount).

To test this from the command line, run /etc/cron.daily/logrotate. Notice that logrotate won't rotate files twice in the same day, so add the "-f" option after /usr/sbin/logrotate to force it to rotate again. You should then see the files rotating.
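Before pointing TMPDIR somewhere, it is worth checking that the new directory really is on a mount that permits execution, and that it is not writable by other users. Here is an added example (mine, not the post's script) that does both checks from a /proc/mounts-style table. The mount table below is constructed to mirror the post, with /tmp mounted noexec and the root filesystem not; on a live system you would feed it the contents of /proc/mounts.

```python
# Added example, not the post's own script: decide whether a directory is
# usable as logrotate's TMPDIR by finding the mount that contains it (the
# longest matching mount point) and checking its options for "noexec". The
# mount table below is constructed to mirror the post: /tmp is mounted
# noexec, the root filesystem is not. On a live system read /proc/mounts.
import os

SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
proc /proc proc rw 0 0
"""


def parse_mounts(text):
    """Return [(mount_point, {options})] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """The mount that actually holds `path`: the longest mount point that is a prefix."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def allows_exec(path, mounts):
    """True if files written under `path` may be executed (no noexec on its mount)."""
    found = mount_for(path, mounts)
    return found is not None and "noexec" not in found[1]


def dir_mode_ok(mode):
    """A dedicated TMPDIR should not be group- or world-writable: a writable
    directory would let another local user replace the script logrotate is
    about to run. 0o700 passes; /tmp's 0o1777 does not."""
    return (mode & 0o022) == 0


def choose_tmpdir(candidates, mounts):
    """First candidate whose mount permits execution, else None."""
    for c in candidates:
        if allows_exec(c, mounts):
            return c
    return None


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        table = parse_mounts(f.read())
    for d in ("/tmp", "/var/tmp_safe"):
        print(d, "exec allowed:", allows_exec(d, table))
```

The longest-prefix rule matters: "/tmp/x" must resolve to the /tmp mount, not to "/", or the noexec option would be missed. On the real box, pair the mount check with `stat` on the directory and `dir_mode_ok(st.st_mode & 0o7777)`.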

a cron (php) job dilemma

Filed under: server setup — 1.618 @ 2:56 pm

I was trying to run a PHP script from CRON and kept getting an "XSLTProcessor class not found" message.

This really puzzled me, since I had no problem running exactly the same script from the command line. I tried different things, and at one point even re-compiled PHP.

Feeling hopeless, I put phpinfo() in the script to see what kind of PHP environment was running in CRON and found out the configure options and build date were not the same as the current version. OK, what's going on?

It turned out I had an older copy of the PHP executable in /usr/bin, which was probably compiled and left there by my hosting company (by the way, this is a VPS server), and my newer re-compiled PHP is under /usr/local/bin.

Guess what: in the /etc/crontab file, the path is "PATH=/sbin:/bin:/usr/sbin:/usr/bin", and this is why the older PHP, which didn't have xslt compiled in, always got picked up.

whew….
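The mechanism behind this is simply that cron resolves a bare command name against the PATH line in the crontab, not against your login shell's PATH. Here is an added example (mine, not from the post) that reproduces the lookup: it pulls the environment lines out of a constructed /etc/crontab, resolves "php" under cron's PATH and under an interactive PATH over a constructed inventory of installed binaries, and lists the entries that use a bare name instead of an absolute path.

```python
# Added example, not from the post: reproduce the lookup that bit the author.
# Cron does not use your login shell's PATH; it uses the PATH= line in
# /etc/crontab (or a built-in default). Given a constructed crontab and a
# constructed set of installed binaries, show which php each environment runs.
import re

# Constructed /etc/crontab; the PATH line is the one quoted in the post.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# run the nightly report (constructed entry)
0 2 * * * root php /var/www/nightly.php
"""

# Constructed inventory: the vendor php in /usr/bin, the rebuilt one in /usr/local/bin.
INSTALLED = {
    "/usr/bin/php": "older vendor build, no xslt",
    "/usr/local/bin/php": "newer custom build, with xslt",
}

# An environment assignment is NAME=value at the start of the line; cron
# entries start with a minute field or '@', so they never match this.
_ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def crontab_env(text):
    """Environment variables set in a crontab file."""
    env = {}
    for line in text.splitlines():
        m = _ENV_LINE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
    return env


def which(command, path, installed):
    """First directory in `path` (colon-separated) that holds `command`."""
    for d in path.split(":"):
        candidate = d.rstrip("/") + "/" + command
        if candidate in installed:
            return candidate
    return None


def compare(command, crontab_text, interactive_path, installed):
    """What cron would run versus what your shell runs for the same name."""
    cron_path = crontab_env(crontab_text).get("PATH", "")
    return {
        "cron": which(command, cron_path, installed),
        "shell": which(command, interactive_path, installed),
    }


def bare_commands(crontab_text):
    """Commands in a system crontab given as a bare name rather than an
    absolute path; these depend on cron's PATH and are the ones to fix."""
    found = []
    for line in crontab_text.splitlines():
        fields = line.split()
        # /etc/crontab entries: five time fields, a user name, then the command
        if len(fields) >= 7 and not line.startswith("#") and not _ENV_LINE.match(line):
            if "/" not in fields[6]:
                found.append(fields[6])
    return found


if __name__ == "__main__":
    print(compare("php", SAMPLE_CRONTAB, "/usr/local/bin:/usr/bin:/bin", INSTALLED))
    print("entries relying on PATH:", bare_commands(SAMPLE_CRONTAB))
```

The durable fix is the one `bare_commands` points at: write the absolute path of the interpreter you mean (here /usr/local/bin/php) in the cron entry, so the result no longer depends on which PATH cron happens to use.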

benchmarking the server

Filed under: server setup — 1.618 @ 5:55 pm

Now that I have the server ready and the Apache web server is also up and running, it's time to test drive this bad boy.

I know this is a box with a slow CPU (only an 8 year old AMD400), so the bottleneck is probably CPU processing power.

Using the Apache ab utility, I started:

./ab -n1000 -c10 http://localhost/

This will send 1000 requests, 10 at a time.

In another window, I ran:

top d 1

This will give me the resource utilization every 1 sec.

The test is quite interesting. During the run, the CPU had 0% idle time and the load average was around 10-12 per second, which means there were always around 10 processes waiting.

Although no requests failed, the average time for each request was about 7 seconds.

install dovecot

Filed under: server setup — 1.618 @ 8:49 pm

After some reading I decided to use dovecot for IMAP server. The installation is pretty simple.

If PAM is not installed:
yum install pam-devel

  • create a dedicated user dovecot:dovecot
  • for virtual users, create /etc/dovecot/vmailuser and /etc/dovecot/vmailpass
  • create dovecot.conf and save it under /etc
  • create a dovecot service script in init.d and install it by

chkconfig --add dovecot

It took me some time to get the virtual users working. Originally I was trying to create the user and password files under the virtual mailbox directory, using the %d variable in the dovecot.conf file so each virtual domain could have its own user/password file. But for some reason I kept getting the "no user" or "bad password" error when trying to log in from IMAP. Finally I decided that was it and created universal vmailuser and vmailpass files under /etc/dovecot, which worked perfectly.

install Postfix

Filed under: server setup — 1.618 @ 10:33 pm

First, remove sendmail.

rpm -e --nodeps sendmail

Add a dedicated user:
groupadd -g 5000 vmailman
adduser -u 5000 -g 5000 vmailman
usermod -d /var/mail/vhosts vmailman

install Postfix from RPM.

install mysql

Filed under: server setup — 1.618 @ 10:33 pm

Installed MySQL 5 from RPMs grabbed from mysql.com

MySQL-client-standard-5.0.24-0.rhel4.i386.rpm
MySQL-devel-standard-5.0.24-0.rhel4.i386.rpm
MySQL-server-standard-5.0.24-0.rhel4.i386.rpm
MySQL-shared-standard-5.0.24-0.rhel4.i386.rpm

mysql configuration file
cp /usr/share/doc/MySQL-server-standard-5.0.24/my-small.cnf etc
use the following configuration:
[mysqld]
bind_address = 127.0.0.1

installation path
mysql home is located under /var/lib/mysql

mysqladmin -u root status
shows some stats.

Now we need to tighten it up:

shell> mysql -u root
mysql> DELETE FROM mysql.user WHERE User = '';
mysql> FLUSH PRIVILEGES;

shell> mysql -u root mysql
mysql> UPDATE mysql.user SET password = PASSWORD('whateveritis') WHERE user = 'root';
mysql> FLUSH PRIVILEGES;

or

shell> mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');

or

shell> mysqladmin -u root password "newpwd"
shell> mysqladmin -u root -h host_name password "newpwd"

Add a new user:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'someuser'@'localhost'
    -> IDENTIFIED BY 'somepass' WITH GRANT OPTION;

or

mysql> INSERT INTO user
    -> VALUES('localhost','someuser',PASSWORD('somepass'),
    -> 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    -> ON somedb.*
    -> TO 'someuser'@'localhost'
    -> IDENTIFIED BY 'somepass';

Note: if PHP was installed before MySQL, it will need to be re-compiled…
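A quick way to see whether the tightening above actually took is to look at what is left in mysql.user afterwards. Here is an added example (mine, not from the post or from MySQL) that audits a list of user rows for the conditions those steps address: anonymous accounts, empty passwords, root reachable from anywhere, and non-root accounts holding GRANT OPTION (which the "GRANT ALL ... WITH GRANT OPTION" and all-'Y' INSERT forms above hand out). It then emits the matching statements in the same style as the notes. The rows are constructed to look like SELECT User, Host, Password, Grant_priv FROM mysql.user on MySQL 5.0; the hash values are placeholders.

```python
# Added example, not from the post: audit mysql.user the way the tightening
# steps above expect it to end up, and emit the matching statements. The rows
# are constructed to resemble the output of
#   SELECT User, Host, Password, Grant_priv FROM mysql.user
# on a fresh MySQL 5.0 install plus the user the notes create; Password is the
# stored hash, shown here as a placeholder string.
SAMPLE_USERS = [
    {"User": "root",     "Host": "localhost", "Password": "*HASH_PLACEHOLDER", "Grant_priv": "Y"},
    {"User": "root",     "Host": "%",         "Password": "",                  "Grant_priv": "Y"},
    {"User": "",         "Host": "localhost", "Password": "",                  "Grant_priv": "N"},
    {"User": "someuser", "Host": "localhost", "Password": "*HASH_PLACEHOLDER", "Grant_priv": "Y"},
]

LOCAL_HOSTS = ("localhost", "127.0.0.1")
ANON = "anonymous account"
EMPTY = "empty password"
REMOTE_ROOT = "root can log in from a non-local host"
GRANTER = "has GRANT OPTION and can hand out privileges"


def audit_users(rows):
    """Return one finding dict per problem: user, host and what is wrong."""
    findings = []
    for r in rows:
        problems = []
        if r["User"] == "":
            problems.append(ANON)
        if r["Password"] == "":
            problems.append(EMPTY)
        if r["User"] == "root" and r["Host"] not in LOCAL_HOSTS:
            problems.append(REMOTE_ROOT)
        if r["User"] not in ("root", "") and r["Grant_priv"] == "Y":
            problems.append(GRANTER)
        findings.extend({"user": r["User"], "host": r["Host"], "problem": p}
                        for p in problems)
    return findings


def remediation_sql(findings):
    """Statements that correspond to the findings, in the notes' own style.
    Accounts slated for deletion get only the DELETE, and the list ends with
    FLUSH PRIVILEGES because direct edits to mysql.user need it."""
    to_delete = {(f["user"], f["host"]) for f in findings
                 if f["problem"] in (ANON, REMOTE_ROOT)}
    stmts = []
    for f in findings:
        acct = f"'{f['user']}'@'{f['host']}'"
        if (f["user"], f["host"]) in to_delete:
            stmts.append(f"DELETE FROM mysql.user WHERE User = '{f['user']}' "
                         f"AND Host = '{f['host']}';")
        elif f["problem"] == EMPTY:
            stmts.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new password>');")
        elif f["problem"] == GRANTER:
            stmts.append(f"REVOKE GRANT OPTION ON *.* FROM {acct};")
    stmts.append("FLUSH PRIVILEGES;")
    return list(dict.fromkeys(stmts))   # drop duplicates, keep order


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS):
        print(f"'{f['user']}'@'{f['host']}': {f['problem']}")
    print("\n".join(remediation_sql(audit_users(SAMPLE_USERS))))
```

On the sample rows only 'root'@'localhost' comes out clean; the other three each trigger at least one finding, and the generated statements are the DELETE, REVOKE and FLUSH PRIVILEGES lines you would expect from the notes.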

apache2.2/php virtual host

Filed under: server setup — 1.618 @ 10:32 pm

When testing index.php under a user directory, I kept getting this error:
in the log: client denied by server configuration
in the browser: Permission denied: access to /index.php denied

Feeling puzzled after trying to set the directory permissions, I found this post and it really helped me out.

In the default directory configuration, it looks like this:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

It is very restrictive and essentially denies everything.

Now what I need to do is add this in my virtual host section:
# replace the placeholder path with the vhost's DocumentRoot
<Directory /path/to/vhost/docroot>
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>

That fixed the issue.
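The reason the second block works comes down to how Apache 2.2 evaluates Order, Deny and Allow. Here is an added example (mine, not from the post or from Apache) that applies those rules to a client address for the two blocks above plus a narrower variant that allows only a LAN range; it handles "all", a full IP, a dotted prefix such as 192.168.1 and CIDR notation, but not host-name forms, which need DNS. The blocks, the placeholder path and the addresses (203.0.113.x is a documentation range, 192.168.1.x a private one) are constructed for the example.

```python
# Added example, not from the post: evaluate Apache 2.2 Order/Deny/Allow for
# a client address so the <Directory> blocks above can be compared. It
# handles "all", a full IP, a dotted prefix such as 192.168.1 and CIDR
# notation; host-name forms (which need DNS) are not supported. The blocks
# and addresses are constructed; the path is a placeholder.
import ipaddress

DEFAULT_BLOCK = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
"""

VHOST_BLOCK = """\
<Directory /path/to/vhost/docroot>
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>
"""

# A narrower alternative to "Allow from all": the LAN only, minus one host.
LAN_ONLY_BLOCK = """\
<Directory /path/to/vhost/docroot>
    Order allow,deny
    Allow from 192.168.1
    Deny from 192.168.1.200
</Directory>
"""


def parse_block(text):
    """Extract the Order keyword and the Allow/Deny source lists."""
    order, allow, deny = "deny,allow", [], []    # Apache 2.2 default Order
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(p.lower() for p in parts[2:])
    return order, allow, deny


def source_matches(client_ip, spec):
    """Does one Deny/Allow 'from' argument match this client?"""
    if spec == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    return client_ip == spec or client_ip.startswith(spec + ".")


def access_allowed(client_ip, block_text):
    """Apply mod_authz_host's Order rules to one client address."""
    order, allow, deny = parse_block(block_text)
    allowed = any(source_matches(client_ip, s) for s in allow)
    denied = any(source_matches(client_ip, s) for s in deny)
    if order == "deny,allow":
        # Deny first, then Allow: a matching Allow overrides Deny, and
        # clients matching neither are allowed.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Allow first, then Deny: a matching Deny overrides Allow, and
        # clients matching neither are denied.
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")


def log_line(client_ip, block_text, path="/path/to/vhost/docroot/index.php"):
    """The error_log message Apache 2.2 writes when access is refused, else None."""
    if access_allowed(client_ip, block_text):
        return None
    return f"[error] [client {client_ip}] client denied by server configuration: {path}"


if __name__ == "__main__":
    for name, block in (("default", DEFAULT_BLOCK), ("vhost", VHOST_BLOCK),
                        ("lan-only", LAN_ONLY_BLOCK)):
        print(name, "203.0.113.5 ->", access_allowed("203.0.113.5", block),
              "| 192.168.1.10 ->", access_allowed("192.168.1.10", block))
```

With "Deny from all" and no Allow, every client is denied, which is exactly the "client denied by server configuration" line in the log. Under Order deny,allow an Allow always wins, so "Allow from all" opens the directory to everyone; the LAN-only block shows the shape you would use if the vhost only needs to be reachable from a known range.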
