All posts by Maksim Malchuk

IPv6 and GMail problems with Exim MTA

After connecting the mail server to an IPv6 network, mail sent to GMail bounced with this error:

SMTP error from remote mail server after end of data:
 host gmail-smtp-in.l.google.com [2a00:1450:4008:c01::1a]:
 550-5.7.1 [2a02:e840:10:6:218:51ff:fed7:bb9f 16] Our system has detected
 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding PTR
 550-5.7.1 records and authentication. Please review
 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more
 550 5.7.1 information.

The bounce spells out what Google requires from IPv6 senders: a PTR record for the sending IPv6 address that forward-resolves back to that address, plus SPF and/or DKIM authentication. Until those are in place, a temporary fix is to make Exim resolve only IPv4 addresses for the GMail MX hosts (a domain list for the dns_ipv4_lookup option in the main part of the Exim configuration):

dns_ipv4_lookup = gmail-smtp-in.l.google.com : *.gmail-smtp-in.l.google.com
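A quick check for the PTR half of that requirement, forward-confirmed reverse DNS for the sending address. This is an added example, not part of the original post and not an Exim feature: the PTR and A/AAAA lookups are injected as callables so the check runs offline against a constructed answer table (the hostname mail.example.net and every answer in it are made up); in production you would wrap real DNS queries.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Lookup callables are injected so the check can run offline against a constructed
# answer table; in production wrap real PTR and A/AAAA queries (e.g. dnspython).
PtrLookup = Callable[[str], List[str]]           # reverse name -> hostnames
AddrLookup = Callable[[str, str], List[str]]     # (hostname, "A"|"AAAA") -> addresses


def reverse_name(addr: str) -> str:
    """The in-addr.arpa / ip6.arpa owner name where the PTR for addr must live."""
    return ipaddress.ip_address(addr).reverse_pointer


def fcrdns_check(addr: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: addr -> PTR -> hostname -> A/AAAA -> addr again.

    Returns (ok, detail). Fails when there is no PTR at all, or when none of the
    PTR targets resolves back to the address that was checked.
    """
    ip = ipaddress.ip_address(addr)
    rrtype = "AAAA" if ip.version == 6 else "A"
    names = [n.rstrip(".") for n in ptr_lookup(ip.reverse_pointer)]
    if not names:
        return False, f"no PTR record at {ip.reverse_pointer}"
    for name in names:
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name, rrtype)}
        if ip in forward:
            return True, f"{addr} -> {name} -> {addr}"
    return False, f"PTR target(s) {names} do not resolve back to {addr}"


# Constructed sample zone data (not real DNS answers) so the example runs offline.
SAMPLE_PTR: Dict[str, List[str]] = {
    reverse_name("2a02:e840:10:6:218:51ff:fed7:bb9f"): ["mail.example.net."],
    reverse_name("2001:db8::10"): ["mail.example.net."],   # PTR exists, forward does not match
}
SAMPLE_ADDR: Dict[Tuple[str, str], List[str]] = {
    ("mail.example.net", "AAAA"): ["2a02:e840:10:6:218:51ff:fed7:bb9f"],
    ("mail.example.net", "A"): ["192.0.2.25"],
}


def sample_ptr(rev: str) -> List[str]:
    return SAMPLE_PTR.get(rev, [])


def sample_addr(host: str, rrtype: str) -> List[str]:
    return SAMPLE_ADDR.get((host, rrtype), [])


if __name__ == "__main__":
    for a in ("2a02:e840:10:6:218:51ff:fed7:bb9f", "2001:db8::10", "2001:db8::20"):
        print(a, fcrdns_check(a, sample_ptr, sample_addr))
```

The three sample addresses cover the three outcomes a receiver distinguishes: PTR and forward record agree, PTR exists but points at a host that does not resolve back, and no PTR at all. Google rejects the last two for IPv6 senders regardless of SPF or DKIM.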

BILLmanager and partner program accounts

SELECT a.partner AS partner_id,
aa.name AS partner_name,
a.id AS account_id,
a.name AS account_name
FROM account a
LEFT JOIN account aa ON a.partner=aa.id
WHERE a.level = 5 AND a.partner IS NOT NULL;
 
+------------+-------------------------------+------------+---------------+
| partner_id | partner_name                  | account_id | account_name  |
+------------+-------------------------------+------------+---------------+
|          5 | Иванов Иван Иванович (ivan)   |        114 | Юзер7 (user7) |
|          5 | Иванов Иван Иванович (ivan)   |        115 | Юзер8 (user8) |
|         79 | Петров Петр Петрович (petr)   |        101 | Юзер5 (user5) |
|        102 | Сидоров Сидр Сидорович (sidr) |         37 | Юзер1 (user1) |
|        102 | Сидоров Сидр Сидорович (sidr) |         42 | Юзер2 (user2) |
|        102 | Сидоров Сидр Сидорович (sidr) |         72 | Юзер3 (user3) |
|        102 | Сидоров Сидр Сидорович (sidr) |         87 | Юзер4 (user4) |
|        102 | Сидоров Сидр Сидорович (sidr) |        113 | Юзер6 (user6) |
+------------+-------------------------------+------------+---------------+
8 rows in set (0.00 sec)

Install OpenStack nova CLI on MacOS X

1. Check the Python installation. Currently, the nova client does not support Python 3.

$ python -V
Python 2.7.2

2. Install python-novaclient using pip; don't panic if you already installed python-novaclient using easy_install.

$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip-2.7 script to /usr/local/bin
 
Using /Library/Python/2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
 
$ sudo pip install python-novaclient
Requirement already satisfied (use --upgrade to upgrade): python-novaclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): iso8601>=0.1.4 in /Library/Python/2.7/site-packages/iso8601-0.1.4-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): prettytable>=0.6,<0.8 in /Library/Python/2.7/site-packages/prettytable-0.7.2-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): requests>=0.8 in /Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): simplejson in /Library/Python/2.7/site-packages/simplejson-3.3.0-py2.7-macosx-10.8-intel.egg (from python-novaclient)
Cleaning up...

As you can see, pip already lists python-novaclient among its packages (the copy installed by easy_install is visible to pip), so from now on you can delete and reinstall python-novaclient with pip, or simply use the --upgrade option.

DNSSEC and possible problems with DNS resolvers

DNSSEC replies are much bigger than traditional DNS answers.
A typical DNS reply fits into the standard 512-byte UDP DNS packet;
anything bigger needs EDNS0 support on every resolver and firewall in the path
(otherwise the server sets the TC bit and the client has to retry over TCP,
which some firewalls block as well). To test whether your DNS servers can
successfully pass bigger packets, use OARC's DNS Reply Size Test Server:

$ dig +short rs.dns-oarc.net txt

It should then output something like this:

;; Truncated, retrying in TCP mode.
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"217.23.92.200 sent EDNS buffer size 4096"
"217.23.92.200 DNS reply size limit is at least 3843"
"Tested at 2013-06-18 19:16:29 UTC"

An explanation of the output is on the DNS-OARC site.
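A worked illustration of what that test probes, added here as an example (it is not part of the original post or of any DNS-OARC tool): build a query that advertises an EDNS0 UDP payload size (the "4096" in the output above), walk a packet to read the OPT record back out of it, and detect the TC bit that tells a client to retry over TCP, which is what dig's "Truncated, retrying in TCP mode" line reports. The transaction ID is a fixed placeholder and the resolver address in the final helper is assumed; that helper is the only part that needs a live network.

```python
import socket
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_TC = 0x0200      # header flag: answer was truncated to fit the UDP size
EDNS_DO = 0x8000      # "DNSSEC OK" bit in the flags half of the OPT TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending with the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0x1234,
                udp_size: int = 4096, dnssec_ok: bool = True) -> bytes:
    """A recursive query carrying an EDNS0 OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR (RFC 6891): owner is the root name, TYPE=41, the CLASS field carries the
    # UDP payload size we can accept, the TTL field carries ext-RCODE/version/flags.
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def is_truncated(packet: bytes) -> bool:
    """True when the server set TC: the reply did not fit, retry the query over TCP."""
    (flags,) = struct.unpack("!H", packet[2:4])
    return bool(flags & FLAG_TC)


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_opt(pkt: bytes) -> dict:
    """Walk every section and report the OPT RR's settings, or {} if the packet has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "do": bool(ttl & EDNS_DO),
                    "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
    return {}


def query_with_tcp_fallback(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send over UDP; if TC comes back, repeat over TCP (2-byte length prefix). Needs network."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        reply, _ = udp.recvfrom(65535)
    if not is_truncated(reply):
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(q)) + q)
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                break
            data += chunk
    return data[2:]


if __name__ == "__main__":
    print(parse_opt(build_query("rs.dns-oarc.net")))   # the OPT record dig would send
```

If a middlebox strips or rejects the OPT record, the server will answer as a pre-EDNS client (512-byte limit) and set TC on anything larger, so a reply-size figure well below 4096 from the OARC test usually points at a firewall or forwarder in the path rather than at the resolver itself.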

Enabling DNSSEC on Bind

1. Enable DNSSEC

Update named.conf options section:

options {
 dnssec-enable yes;
 dnssec-validation yes;
};

Also don't forget to add a managed-keys section, or include the bind.keys file shipped with BIND.
At least the root key must be present for DNSSEC validation to work. The key below is the 2010 root KSK (key tag 19036); it was replaced by key tag 20326 in the 2018 rollover, so a copy pasted from here is stale. With "dnssec-validation auto;" BIND uses its built-in trust anchor and follows rollovers on its own (RFC 5011), which is the safer option:

managed-keys {
 # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
  QxA+Uk1ihz0=";
};

2. Generate Keys

The ZSK (Zone Signing Key) signs the records within the zone. It is the key that gets rotated frequently (a typical recommendation is every month). RSASHA1 is no longer recommended for signing; substitute -a RSASHA256 (algorithm 8, the same algorithm the root key above uses) in both commands below:

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

The KSK (Key Signing Key) can be stronger, since you change it less often (typically every year):

$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

3. Add keys to zonefile

; Zone Signing Key (005 is the algorithm number, RSASHA1; RSASHA256 keys get +008;
; 11111 and 22222 stand for the key tags dnssec-keygen printed)
$INCLUDE Kzonename.+005+11111.key
; Key Signing Key
$INCLUDE Kzonename.+005+22222.key

4. Sign the Zone

$ dnssec-signzone -o zonename zonefile
Output is zonefile.signed. The -o option sets the zone origin, needed whenever the file is not named exactly zonename. Signatures are valid for 30 days by default (-e sets another end time), so the zone must be re-signed before then or resolvers will start failing validation; in production let BIND handle it with auto-dnssec maintain.

5. Validate the zonefile

$ donuts zonefile.signed zonename

6. Publish the signed zone

Update named.conf to serve the signed file (the zone statement needs a type, which the fragment previously lacked), then reload the zone with rndc reload zonename:

zone "zonename" {
 type master;
 file "/etc/bind/zonename/zonefile.signed";
};

7. Testing

$ dig zonename SOA +dnssec +multiline

The answer should carry an RRSIG record next to the SOA. When the query goes through a validating resolver, the ad flag in the header confirms the chain of trust validated; querying the authoritative server directly never sets ad, so its absence there means nothing.
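To make step 7 a repeatable check rather than eyeballing dig output, here is an added example (not from the original post and not a BIND tool) that parses the output of dig zonename SOA +dnssec +multiline, confirms an RRSIG covers the SOA, warns when the signature is close to expiry (the usual way a signed zone goes dark is simply not re-signing before the 30-day default runs out), and looks for the ad flag. The dig output embedded below is constructed for example.com with a made-up key tag and signature, not a real capture; the ad check is only meaningful for queries sent through a validating resolver.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Set, Tuple

# Constructed `dig example.com SOA +dnssec +multiline` output: example.com, key tag
# 11111 and the signature bytes are made up; the layout matches what dig prints.
SAMPLE_DIG = """\
; <<>> DiG 9.8.4 <<>> example.com SOA +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com.\t\t\tIN SOA

;; ANSWER SECTION:
example.com.\t\t3600 IN SOA ns1.example.com. hostmaster.example.com. (
\t\t\t\t2013061801 ; serial
\t\t\t\t7200       ; refresh (2 hours)
\t\t\t\t3600       ; retry (1 hour)
\t\t\t\t1209600    ; expire (2 weeks)
\t\t\t\t3600       ; minimum (1 hour)
\t\t\t\t)
example.com.\t\t3600 IN RRSIG SOA 8 2 3600 (
\t\t\t\t20130718191629 20130618191629 11111 example.com.
\t\t\t\tc2lnbmF0dXJlLWJ5dGVzLWZvci10aGUtZXhhbXBsZS1vbmx5 )
"""


@dataclass
class Rrsig:
    name: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    inception: datetime
    expiration: datetime


def _records(text: str) -> Iterator[List[str]]:
    """Yield the fields of each RR, joining multi-line '( ... )' records and dropping ; comments."""
    buf: List[str] = []
    depth = 0
    for line in text.splitlines():
        if line.startswith(";"):              # dig's own header and section lines
            continue
        for tok in line.split(";", 1)[0].split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:
            yield buf
            buf = []


def _ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dig(text: str) -> Tuple[Set[str], List[Rrsig]]:
    """Return the header flags and every RRSIG found in the output."""
    m = re.search(r"^;; flags: ([^;]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    sigs = []
    for f in _records(text):
        # owner ttl class RRSIG type alg labels origttl expiry inception keytag signer sig
        if len(f) >= 12 and f[3] == "RRSIG":
            sigs.append(Rrsig(f[0], f[4], int(f[5]), int(f[10]), f[11], _ts(f[9]), _ts(f[8])))
    return flags, sigs


def check(text: str, now: datetime, warn_days: int = 7) -> List[str]:
    """Problems in a signed-zone query: missing, expired or expiring RRSIGs, no ad flag."""
    flags, sigs = parse_dig(text)
    problems = []
    if "ad" not in flags:
        problems.append("no ad flag: the resolver did not validate this answer")
    if not sigs:
        problems.append("no RRSIG records: zone is not signed or +dnssec was not used")
    for s in sigs:
        if now < s.inception:
            problems.append(f"RRSIG over {s.type_covered} not yet valid (inception {s.inception:%Y-%m-%d})")
        elif now >= s.expiration:
            problems.append(f"RRSIG over {s.type_covered} expired {s.expiration:%Y-%m-%d}: re-sign the zone")
        elif s.expiration - now < timedelta(days=warn_days):
            days = (s.expiration - now).days
            problems.append(f"RRSIG over {s.type_covered} expires in {days} days: re-sign the zone soon")
    return problems


if __name__ == "__main__":
    print(check(SAMPLE_DIG, utc(2013, 7, 15)))
```

Feed it the output of the real dig command instead of SAMPLE_DIG and run it from cron with a warn_days that gives you time to re-sign; the "not yet valid" branch catches a signer whose clock is ahead, which validators reject just as hard as an expired signature.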

difference between the ssh-keygen keypair fingerprint and Amazon EC2 fingerprint

We have an RSA SSH key pair and can check its fingerprint (the private and the public file give the same fingerprint, since the public key is what gets hashed):

$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)
$ ssh-keygen -l -f ~/.ssh/id_rsa
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)

now upload this public key into Amazon EC2 cloud:

$ ec2-import-keypair mykeypair --public-key-file ~/.ssh/id_rsa.pub
KEYPAIR	mykeypair	26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

OK, the key is uploaded, but with a different fingerprint? No: both values are MD5 digests (16 colon-separated bytes; SHA-1 would be 20), they are just computed over different encodings of the same key.
ssh-keygen -l hashes the key in OpenSSH's own wire format (the base64 blob in id_rsa.pub; newer OpenSSH prints SHA256 by default, use -E md5 for the format shown here), whereas for an imported key Amazon EC2 hashes the DER-encoded SubjectPublicKeyInfo, which is what openssl pkey -pubout -outform DER produces. Key pairs that EC2 generates itself are different again: their fingerprint is the SHA-1 of the DER-encoded private key (openssl pkcs8 -in key.pem -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c).
Let's check it the EC2 way:

$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
(stdin)= 26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

OK, fine, this is our key that was uploaded ;)
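The same comparison done in code, so the two encodings are visible side by side. This is an added example, not part of the original post and not AWS or OpenSSH code: it parses an ssh-rsa line from id_rsa.pub, hashes the raw OpenSSH blob the way ssh-keygen does, re-encodes the modulus and exponent as a DER SubjectPublicKeyInfo the way openssl pkey -pubout -outform DER does, and hashes that the way ec2-import-keypair does. The sample key built at the bottom uses a toy modulus (0xabcd) so the DER bytes can be checked by hand; on a real id_rsa.pub the two MD5 values match ssh-keygen -l -E md5 and the EC2 console respectively.

```python
import base64
import hashlib
import struct

# AlgorithmIdentifier { rsaEncryption OID 1.2.840.113549.1.1.1, NULL }
RSA_OID_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by a big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _uint_bytes(value: int) -> bytes:
    """Minimal big-endian bytes of a non-negative int, with a 0x00 pad if the high bit is set.
    DER INTEGER and the SSH mpint type use exactly this rule."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def _der_uint(value: int) -> bytes:
    return _der(0x02, _uint_bytes(value))


def _ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


def encode_openssh_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an id_rsa.pub line: string "ssh-rsa", mpint e, mpint n, base64-encoded."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_uint_bytes(e)) + _ssh_string(_uint_bytes(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_pubkey(line: str):
    """Return (blob, e, n) from an 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack("!I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def spki_der(e: int, n: int) -> bytes:
    """DER SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))      # modulus first, then exponent
    return _der(0x30, RSA_OID_ALGID + _der(0x03, b"\x00" + rsa_public_key))


def _colon_hex(digest: bytes) -> str:
    return ":".join(f"{b:02x}" for b in digest)


def fingerprints(line: str) -> dict:
    """The three fingerprints of one key: what ssh-keygen prints (MD5 and SHA256) and what EC2 prints."""
    blob, e, n = parse_openssh_pubkey(line)
    return {
        "openssh_md5": _colon_hex(hashlib.md5(blob).digest()),              # ssh-keygen -l -E md5
        "openssh_sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "ec2_import_md5": _colon_hex(hashlib.md5(spki_der(e, n)).digest()),   # ec2-import-keypair
    }


# Constructed toy key (not a usable RSA key): e = 65537, n = 0xabcd.
SAMPLE_LINE = encode_openssh_pubkey(65537, 0xABCD, "toy@example")

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_LINE).items():
        print(f"{name:15} {value}")
```

The practical use is matching a key in ~/.ssh against what the EC2 console shows without uploading anything: run fingerprints() over each id_*.pub line and compare the ec2_import_md5 value to the console; a mismatch means the console entry is a different key, not a different hash.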

stable nginx 1.0+ for Debian 6 (squeeze)

Finally, no more third-party repositories or building nginx by hand! (The signing key is fetched over plain HTTP here, so check its fingerprint against the one published on nginx.org before trusting the repository.)

wget -qO - http://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian/ squeeze nginx" >>/etc/apt/sources.list
apt-get update && apt-get dist-upgrade && apt-get clean

As a result we get:

nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
 --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
 --lock-path=/var/run/nginx.lock
 --http-client-body-temp-path=/var/cache/nginx/client_temp
 --http-proxy-temp-path=/var/cache/nginx/proxy_temp
 --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
 --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
 --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
 --with-http_ssl_module --with-http_realip_module --with-http_addition_module
 --with-http_sub_module --with-http_dav_module --with-http_flv_module
 --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module
 --with-http_random_index_module --with-http_secure_link_module
 --with-http_stub_status_module --with-mail --with-mail_ssl_module
 --with-file-aio --with-ipv6

BILLmanager and number of VDS templates

Group by the pricelist columns rather than dp.pricelist: with the LEFT JOIN, price lists that have no template at all would otherwise all share dp.pricelist = NULL and collapse into a single row (and strict ONLY_FULL_GROUP_BY mode rejects the original form).

SELECT p.id, p.name, COUNT(dp.diskimage) AS templates
FROM pricelist p
LEFT JOIN diskimage2pricelist dp
ON p.id=dp.pricelist
WHERE p.type=6
GROUP BY p.id, p.name;
 
+-----+--------------------------------------+-----------+
| id  | name                                 | templates |
+-----+--------------------------------------+-----------+
|  63 | Сервер VDS1 (Базовый)                |        65 |
|  64 | Сервер VDS2 (Стандарт)               |        65 |
|  65 | Сервер VDS3 (Эксперт)                |        65 |
|  66 | Сервер VDS4 (Бизнес)                 |        65 |
|  95 | Сервер VBX1 (Базовый)                |         2 |
|  99 | Сервер VBX2 (Стандарт)               |         2 |
| 103 | Сервер VBX3 (Эксперт)                |         2 |
| 107 | Сервер VBX4 (Бизнес)                 |         2 |
+-----+--------------------------------------+-----------+
8 rows in set (0.00 sec)