Often, after running:
gpg --gen-key
you see this error:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more
The solution is to run these commands first:
sudo apt-get install rng-tools
sudo rngd -r /dev/urandom
After connecting to an IPv6 network, mail sent to GMail bounced with this error:
SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [2a00:1450:4008:c01::1a]: 550-5.7.1 [2a02:e840:10:6:218:51ff:fed7:bb9f 16] Our system has detected 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information.
Temporary fix for this problem: set up Exim to resolve only IPv4 addresses for GMail:
dns_ipv4_lookup = gmail-smtp-in.l.google.com : *.gmail-smtp-in.l.google.com
ssh-keygen -y -f /path/to/private/key
SELECT a.partner AS partner_id, aa.name AS partner_name,
       a.id AS account_id, a.name AS account_name
FROM account a
LEFT JOIN account aa ON a.partner=aa.id
WHERE a.level = 5 AND a.partner IS NOT NULL;
+------------+-------------------------------+------------+---------------+
| partner_id | partner_name                  | account_id | account_name  |
+------------+-------------------------------+------------+---------------+
|          5 | Иванов Иван Иванович (ivan)   |        114 | Юзер7 (user7) |
|          5 | Иванов Иван Иванович (ivan)   |        115 | Юзер8 (user8) |
|         79 | Петров Петр Петрович (petr)   |        101 | Юзер5 (user5) |
|        102 | Сидоров Сидр Сидорович (sidr) |         37 | Юзер1 (user1) |
|        102 | Сидоров Сидр Сидорович (sidr) |         42 | Юзер2 (user2) |
|        102 | Сидоров Сидр Сидорович (sidr) |         72 | Юзер3 (user3) |
|        102 | Сидоров Сидр Сидорович (sidr) |         87 | Юзер4 (user4) |
|        102 | Сидоров Сидр Сидорович (sidr) |        113 | Юзер6 (user6) |
+------------+-------------------------------+------------+---------------+
8 rows in set (0.00 sec)
1. Check the Python installation. Currently, the nova client does not support Python 3.
$ python -V
Python 2.7.2
2. Install python-novaclient using pip; don’t panic if you have already installed python-novaclient using easy_install.
$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip-2.7 script to /usr/local/bin
Using /Library/Python/2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
$ sudo pip install python-novaclient
Requirement already satisfied (use --upgrade to upgrade): python-novaclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): iso8601>=0.1.4 in /Library/Python/2.7/site-packages/iso8601-0.1.4-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): prettytable>=0.6,<0.8 in /Library/Python/2.7/site-packages/prettytable-0.7.2-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): requests>=0.8 in /Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): simplejson in /Library/Python/2.7/site-packages/simplejson-3.3.0-py2.7-macosx-10.8-intel.egg (from python-novaclient)
Cleaning up...
As you can see, pip lists python-novaclient among its packages. You can still delete and reinstall python-novaclient using pip now, or simply use the --upgrade option.
DNSSEC replies are much bigger than traditional DNS answers.
Typical DNS replies fit into the 512-byte standard UDP DNS packet.
So if they get bigger we need EDNS Support.
To test whether your DNS servers can successfully forward bigger
packets, use OARC’s DNS Reply Size Test Server:
$ dig +short rs.dns-oarc.net txt
It should then output something like this:
;; Truncated, retrying in TCP mode.
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"217.23.92.200 sent EDNS buffer size 4096"
"217.23.92.200 DNS reply size limit is at least 3843"
"Tested at 2013-06-18 19:16:29 UTC"
Explanation can be found here
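What the EDNS negotiation above looks like on the wire, as an added example that is not part of the original post: it builds the kind of query dig sends (an OPT pseudo-record advertising a UDP payload size, with the DNSSEC OK flag) and reads the truncation flag that triggers the TCP retry. The function names, the query ID and the sample reply header are constructed for illustration.

```python
import struct

OPT = 41  # EDNS0 pseudo-record type (RFC 6891)

def build_query(name, qtype=16, edns_size=4096, dnssec_ok=True, query_id=0x1234):
    """Build a DNS query; a non-zero edns_size appends an OPT record."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", query_id, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    message = header + qname + struct.pack(">HH", qtype, 1)  # QTYPE (16 = TXT), class IN
    if edns_size:
        ttl = 0x8000 if dnssec_ok else 0  # ext-rcode 0, version 0, DO flag
        # OPT: root owner, TYPE 41, CLASS carries the UDP payload size, no options
        message += b"\x00" + struct.pack(">HHIH", OPT, edns_size, ttl, 0)
    return message

def header_flags(message):
    """Flags a resolver acts on when a reply does not fit into the UDP packet."""
    _id, flags = struct.unpack(">HH", message[:4])
    return {"response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200)}

def advertised_size(query):
    """UDP payload size a query built above advertises; 512 without EDNS."""
    arcount = struct.unpack(">H", query[10:12])[0]
    pos = 12
    while query[pos]:              # skip the QNAME labels
        pos += query[pos] + 1
    pos += 1 + 4                   # root label, QTYPE, QCLASS
    if not arcount:
        return 512
    owner, rtype, size = struct.unpack(">BHH", query[pos:pos + 5])
    if owner != 0 or rtype != OPT:
        raise ValueError("additional record is not an OPT record")
    return size

# Constructed reply header: QR, TC and RD set, as in the ";; Truncated" case above.
TRUNCATED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("rs.dns-oarc.net")
    print(len(q), advertised_size(q), header_flags(TRUNCATED_REPLY))
```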
1. Enable DNSSEC
Update named.conf options section:
options {
        dnssec-enable yes;
        dnssec-validation yes;
};
Also don’t forget to add a managed-keys section, or include the bind.keys file supplied with BIND.
At least the root key must be included for DNSSEC validation to work:
managed-keys {
        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};
2. Generate Keys
ZSK (Zone Signing Key) is responsible for signing records within a zone. This one will need to be changed frequently (typical recommendation is every month):
$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename
The KSK (Key Signing Key) can be stronger, since you will need to change it less often (typically every year):
$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename
3. Add keys to zonefile
; Zone Signing Key
$INCLUDE Kzonename.+001+11111.key
; Key Signing Key
$INCLUDE Kzonename.+001+22222.key
4. Sign the Zone
$ dnssec-signzone zonefile
The output is zonefile.signed
5. Validate the zonefile
$ donuts zonefile.signed zonename
6. Publish the signed zone
Update named.conf with signed zonename file:
zone "zonename" {
        file "/etc/bind/zonename/zonefile.signed";
};
7. Testing
$ dig zonename SOA +dnssec +multiline
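A check for the trust anchor pasted in step 1, as an added example that is not part of the original post or of BIND: it parses the managed-keys entry, computes the DNSKEY key tag (the last number in key file names such as those in step 3) and the SHA-256 DS digest, which can be compared with the KeyTag and Digest published in root-anchors.xml. The function names are chosen for this example.

```python
import base64
import hashlib
import re
import struct

# Trust anchor entry copied from the managed-keys block above.
ROOT_ANCHOR = """. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
    QxA+Uk1ihz0=";"""

def parse_anchor(entry):
    """Return (owner, DNSKEY RDATA bytes) for one 'initial-key' entry."""
    m = re.match(r'\s*(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', entry)
    if not m:
        raise ValueError("not a managed-keys initial-key entry")
    owner, flags, proto, alg, key = m.groups()
    fixed = struct.pack(">HBB", int(flags), int(proto), int(alg))
    return owner, fixed + base64.b64decode("".join(key.split()))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def describe(entry):
    """Summarise a trust anchor so it can be compared with the published one."""
    owner, rdata = parse_anchor(entry)
    flags, _proto, alg = struct.unpack(">HBB", rdata[:4])
    return {
        "owner": owner,
        "zone_key": bool(flags & 0x0100),
        "sep": bool(flags & 0x0001),          # SEP bit: set on key signing keys
        "algorithm": alg,                     # 8 = RSASHA256
        "key_tag": key_tag(rdata),
        "ds_sha256": hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper(),
    }

if __name__ == "__main__":
    print(describe(ROOT_ANCHOR))
```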
We have an RSA SSH keypair and can check its fingerprint:
$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0 mmalchuk@mmalchuk (RSA)
$ ssh-keygen -l -f ~/.ssh/id_rsa
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0 mmalchuk@mmalchuk (RSA)
Now upload this public key into the Amazon EC2 cloud:
$ ec2-import-keypair mykeypair --public-key-file ~/.ssh/id_rsa.pub
KEYPAIR mykeypair 26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae
OK, the key is uploaded, but with a different fingerprint? No!
ssh-keygen uses the SHA1 algorithm, but Amazon EC2 uses MD5 instead ;)
Let’s check a different way:
$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
(stdin)= 26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae
OK, fine, this is our uploaded key ;)
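An added example (not from the original post) that reproduces both fingerprints from one public key line: the 16-byte colon form that ssh-keygen prints above is an MD5 digest of the SSH wire-format key blob, while the EC2 value is an MD5 digest of the DER-encoded public key, which is what the openssl pipeline above hashes. The function names and the sample key are constructed here; the sample modulus is filler, not a real RSA modulus.

```python
import base64
import hashlib
import struct

def ssh_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (size,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    return fields

def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value):
    # bit_length() // 8 + 1 bytes: minimal, with a leading zero when the top bit is set
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def spki_der(e, n):  # DER SubjectPublicKeyInfo, the 'openssl pkey -pubout' format
    alg_id = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    rsa_key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))

def colon_md5(data):
    return ":".join(f"{b:02x}" for b in hashlib.md5(data).digest())

def fingerprints(pubkey_line):
    """Return (ssh_keygen_md5, ec2_import_md5) for an 'ssh-rsa AAAA... comment' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    fields = ssh_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    return colon_md5(blob), colon_md5(spki_der(e, n))

def sample_pubkey_line():
    """Constructed key line: the modulus is filler, not a real RSA modulus."""
    field = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda v: field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    n = int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | (1 << 2047) | 1
    blob = field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    print(fingerprints(sample_pubkey_line()))
```

Recent OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` gives the colon-separated MD5 form shown in this post.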
Finally, no more “unofficial” repositories or building nginx by hand!!!
wget -qO - http://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian/ squeeze nginx" >>/etc/apt/sources.list
apt-get update && apt-get dist-upgrade && apt-get clean
As a result we get:
nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
SELECT p.id, p.name, COUNT(dp.diskimage) AS templates
FROM pricelist p
LEFT JOIN diskimage2pricelist dp ON p.id=dp.pricelist
WHERE p.type=6
GROUP BY dp.pricelist;
+-----+--------------------------------------+-----------+
| id  | name                                 | templates |
+-----+--------------------------------------+-----------+
|  63 | Сервер VDS1 (Базовый)                |        65 |
|  64 | Сервер VDS2 (Стандарт)               |        65 |
|  65 | Сервер VDS3 (Эксперт)                |        65 |
|  66 | Сервер VDS4 (Бизнес)                 |        65 |
|  95 | Сервер VBX1 (Базовый)                |         2 |
|  99 | Сервер VBX2 (Стандарт)               |         2 |
| 103 | Сервер VBX3 (Эксперт)                |         2 |
| 107 | Сервер VBX4 (Бизнес)                 |         2 |
+-----+--------------------------------------+-----------+
8 rows in set (0.00 sec)