This is an update to the "ddclient & squid" here
Ran into a new problem recently....though the need for SSL in squid on ubuntu is deprecated, by the fact that I'm slowly replacing this server with a FreeBSD server.
As a result, I don't pay attention to this ubuntu server as much as I used to, so I've configured unattended-upgrade. It was installed, but it didn't seem to do anything, in that on other servers I'd log in to find that there are lots (40+) of patches available and more than half of them are security. Since then, I've come across how to configure it to do more than just security patches, including sending me email and, on some systems, automatically rebooting when necessary. (should've thought to see how unattended-upgrade is configured and doing such things in the Ubuntu AMI I have in AWS)
Since I got unattended-upgrade configured on this old server (32-bit Ubuntu Server, which I've heard they have a 12.04LTS download for??? They had said they dropped 32-bit server support, so there was version with 10.04LTS. So I couldn't upgrade and now I'm way past EOL, which is causing problems...probably need to hunt down the landscape and ubuntuone services and nuke them, instead of letting them degrade my server for being EOL.) I've also had to update packages on here from outside sources to keep things running, so guess I should work harder on abandoning this server.... Where it'll likely get reborn as [yet ]a[nother] FreeBSD server....along with the server that I think I have all the parts collected for it, but just need to sit down and put it together. It started as a mostly functional pulled 1U server, in need of ... well either new fans or a new case.... I opted for the new case route. It also needed drives and memory. But, as a result of the new case route...aside from case/powersupply...it meant I would need to get heatsinks...since the passive ones based on the 1U case channeling air flow....would be hard to recreate in the tower case I went with. It's a huge tower case, given that it's an E-ATX motherboard...yet it isn't a full tower (like the formerly windows machine called TARDIS...someday I'll work its regeneration....need money to buy all the bits and pieces that'll make that up, which I haven't fully worked out what those will be....or where it'll go since my dual 23" widescreen FreeBSD desktop has consumed all of the desk that it would've shared....and not really keen on the idea of a KVM for this situation.)
Anyways...every day I get an email from unattended-upgrade for this system.... with:
Unattended upgrade returned: True
Packages that are upgraded: squid-common
Packages with upgradable origin but kept back: squid squid-cgi
Package installation log:
Unattended-upgrades log:
Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ["['Ubuntu', 'heron-security']", "['Ubuntu', 'heron-updates']"]
package 'squid' upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
Packages that are upgraded: squid-common
Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2013-07-06_08:05:42.056193.log'
All upgrades installed
This is because of that quirk where even though I rebuilt my version with SSL, and kept it the same version...it wants to install its version to replace mine (of the same version). Which is why I did the hold thing.
I could do the alternative of adding a string to make my version advance from current....though I suppose I won't unhold...so that unattended-upgrade won't upgrade should such a thing appear (unlikely since both the OS and squid are ancient...and there'll be no more updates.) But, the intent is to hopefully silence unattended-upgrade in this matter.
Though kind of surprised it's still doing something....hmmm, guess there was a new security patch to squid 2.7 back on January 29, 2013....that I've been missing (suppose it's already downloaded the update in its 'cache'....or the backend is still there, it's just not getting updates beyond what's there....whatever, I think I'm down to one more service to move off....)
So, doing cacti on cbox doesn't seem to be working long term... but, the moment is being prepared for....I'm starting to assemble the pieces to build a new machine to do this and handle some other tasks that I've been looking for a place for.
Back to cfengine, I added a promise for dnetc (distributed.net)....and then a promise to finally configure CUPS on the two servers. And, then I turned to nagios.
I spent a couple evenings creating the initial configuration of nagios, working in design changes that I wanted to make and initial monitoring of localhost (dbox). Though it wasn't straightforward....there were differences here and there....mostly in FreeBSD layout, paths, and some of the commands taking different options. But, eventually I got everything running. My old check_dyndns worked once, but then stopped working.... problem was that it did 'stat -c "%Y" ...' which doesn't work on FreeBSD, 'stat -f "%m" ...' was the adjustment for that. Also, while all the check_* plugins seem to be there, command definitions were lacking....but I guess having command definitions for everything is part of the debian/ubuntu packaging. There were other frills that came with that, that I don't mind not having...
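The stat difference above is the usual portability snag in home-grown checks. As an added example (not the author's check_dyndns), here is a file-age check in the Nagios plugin style that tries the GNU stat form first and falls back to the BSD form, so the same script can run under NRPE on both the ubuntu and FreeBSD boxes; the thresholds and exit codes follow the Nagios plugin convention.

```shell
# Portable file-age check in the Nagios plugin style (added example).
# GNU stat wants -c "%Y", BSD stat wants -f "%m"; probe which one works
# instead of guessing from the OS name.
file_mtime() {
    # Print the file's modification time as seconds since the epoch.
    if mtime=$(stat -c '%Y' "$1" 2>/dev/null); then
        printf '%s\n' "$mtime"          # GNU coreutils (Linux)
    elif mtime=$(stat -f '%m' "$1" 2>/dev/null); then
        printf '%s\n' "$mtime"          # BSD / macOS stat
    else
        return 3                        # UNKNOWN in Nagios terms
    fi
}

file_age() {
    # Seconds since the file was last modified.
    m=$(file_mtime "$1") || return 3
    echo $(( $(date +%s) - m ))
}

# check_file_age FILE WARN_SECONDS CRIT_SECONDS
# Prints a one-line plugin status and returns the Nagios exit code:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_file_age() {
    f=$1; warn=$2; crit=$3
    age=$(file_age "$f") || { echo "UNKNOWN - cannot stat $f"; return 3; }
    if [ "$age" -ge "$crit" ]; then
        echo "CRITICAL - $f is ${age}s old (>= ${crit}s)"; return 2
    elif [ "$age" -ge "$warn" ]; then
        echo "WARNING - $f is ${age}s old (>= ${warn}s)"; return 1
    fi
    echo "OK - $f is ${age}s old"; return 0
}
```

In a Nagios command definition the last line would be something like `check_file_age /var/cache/ddclient/ddclient.cache 86400 172800` (path and thresholds are assumptions, not the author's values).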
I did run into check_ntp being deprecated....with check_ntp_time and check_ntp_peer being the tests to use....separating and making more clear on whether you're comparing time between servers using ntp or checking the state of the ntp server...
It did show some interesting oddities in holding NTP time on my home network.... I know that I should have 3 or more ntp servers, but it seems that I'm often landing in the state where I only have 2....with lots of delay, resulting in pretty good swings of jitter....almost makes me wonder if this is something I could graph in cacti....
Wonder if I can find a cheap NTP appliance somewhere....
The last stumbling block was check_dhcp. Which seems to be broken on FreeBSD. All the discussion on it seemed to point to firewalls, but no firewalls and it still didn't work....tcpdump on both places, and it's saying it's sending stuff, but no packets appearing on the network. But, I can see the other DHCP traffic on the network.
I remove that check and call it a night. I mull some possible work arounds....first one I tried was setting up linux compatibility and trying to run the check_dhcp from my working (ubuntu) nagios. Well, it didn't work...it couldn't find an interface. Oh well, guess there's the ugly way....use nrpe to invoke it. Though that didn't work right away.....probably because while I had created new nrpe configs for all my servers in cfengine, I haven't put any of my ubuntu servers under cfengine yet. Most of the other promises haven't been implemented for ubuntu yet. It was pretty simple to include nrpe.cfg for everything.... in fact it condensed to only 3 files.... a freebsd version, an ubuntu version and a host specific version for orac. Well, not right away...that happened more recently, while I was going through and updating the nrpe.cfg's by hand on the ubuntu servers. That was when I noticed that some of the files were only different in comments....so I made further simplifications in cfengine...which'll propagate out eventually....
Long term, I'll probably just have to track down some alternate implementation of check_dhcp....
I then add cbox to monitoring...and then looked to see about monitoring things that are on cbox/dbox...so I found checks for freeradius, cups, squid, along with improvements to checks on ntp. The check_squid was tricky....I got it working by hand, after making the suggested change for the default Cache type parsing, which turned out to be changes for squid3 vs. squid2 (but box is still running squid 2.7 - since I had re-built it by hand with SSL support, and blocked ubuntu from updating it. Orac wasn't blocked, so it eventually turned into squid3.)
It worked by hand, but wouldn't work under nagios...turned out that the embedded perl wasn't liking it. I was going to disable embedded perl for it, when I took a look at seeing what it was complaining about. And, did some reading on embedded perl.... the gist was "use strict", "perl -w" and "perl -c" as starting points. perl -w was fine, but perl -c had one problem....which I fixed. But, no go. And, then noticed the line "# todo : use strict", guess I'll have to deal with that.
And, making that all happy, got it working.
The only other quirk was the memory check wouldn't work on FreeBSD, I guess there's no mallinfo() available for that. So, no running that test on those servers....plus no Cache test on box. But, it still left enough variety of tests that worked on all. And, it wasn't so much that I wanted to get all the information, but I chose to define all the different tests with ports set into the test....so running the check would also test that all my squid ports worked. There's actually only two that matter, but I have all my squids configured the same, listening on 5 or 7 ports....depending on whether I have SSL enabled. Though I pretty much only need two now. I'm not doing transparent proxying and I don't need the SSL now that I've split box into dbox/cbox....the SSL was so ddclient could work on box and update dyndns via proxy to DSL....
Next up is adding zen to nagios, and coming up with more tests of things that are specific to zen, but covered or not covered in the old nagios.
Though as I worked along...there were things I couldn't find monitors for...though I realized that I could have cfengine promise that those services were running. Plus cfengine was also taking care of other things. So, I should probably work on writing some promises for zen. So, I can have promises to make sure things are started up again after a port is updated or that php/extensions.ini is reordered, etc.
But, I'll probably continue adding everything else to nagios first.
The home server migration that I wrote about on April 7th, hit a delay .... I started working on migrating cacti and nagios.
I probably should've started with nagios, since I don't think that would've taken as long as cacti has.
I had already been monitoring the new servers using my old cacti installation. I had pretty much decided that moving the old installation to the new servers wasn't going to be straightforward.... partly because of versions, and no easy intermediary. But, I wasn't too worried about the historical data in my old cacti....
I figured that once I got things up and running, I'd just export the templates and import them into my new system and I'd be done.
But, then I hit a hitch....the squid templates I had weren't working on the new system....all I could find were old results about issues with doing SNMP to ports other than 161, and possibly due to newer versions of net-snmp....though that later turned out to be a wild goose chase.
Anyways...the work around was to use the proxy option in net-snmp. Though I recall having tried net-snmp before discovering bsnmpd on FreeBSD, but I gave it a shot.
Before I got to testing the proxy...I soon saw that it wasn't giving the same information as bsnmpd...specifically, for the HOST-RESOURCES-MIB and parts of UCD-SNMP-MIB. So, I decided that I could proxy net-snmp to bsnmpd and get those. But, that didn't work.....after some reading the answer was I needed to either map bsnmpd in somewhere else or exclude those areas from net-snmp.
Well, during the build of net-snmp, it did make reference to being able to set some variables in make.conf -- such as NET_SNMP_WITH_MIB_MODULE_LIST and NET_SNMP_WITHOUT_MIB_MODULE_LIST. And, by default NET_SNMP_WITH_MIB_MODULE_LIST contained "host disman/event-mib smux mibII/mta_sendmail mibII/tcpTable ucd-snmp/diskio sctp-mib if-mib"
So, I tried setting NET_SNMP_WITH_MIB_MODULE_LIST without host and ucd-snmp/diskio and tried to exclude the rest of ucd-snmp in NET_SNMP_WITHOUT_MIB_MODULE_LIST. Which got me a strange error about host being in both lists.
I delved into the Makefile, and found that while the other settable NET_SNMP parameters were done as '?=' in the Makefile, NET_SNMP_WITH_MIB_MODULE_LIST was done as '+='...with conditionals that '+=' the last two modules.
OSVERSION >= 700028 adds 'sctp-mib' and the port option MFD_REWRITES adds 'if-mib'....I had started looking at what the fix might be, but decided that all I needed to do was remove all these lines...since I'm going to have my own definition in my /etc/make.conf file.
Trying to exclude all of ucd-snmp wouldn't make things work....but I did an snmpwalk comparing bsnmpd and net-snmp, and decided that the two areas that were lacking were ucd-snmp/diskio and ucd-snmp/disk_hw. So, I recreated the 'original' NET_SNMP_WITH_MIB_MODULE_LIST in /etc/make.conf, without 'host' and 'ucd-snmp/diskio' and put 'ucd-snmp/disk_hw' in NET_SNMP_WITHOUT_MIB_MODULE_LIST. The build grumbled, but finished.
And that worked.....all my ucd/snmp host graphs were working on my new cacti server in the same detail that I was getting before (IE: the CPU Utilization gave traces for each of the 8 vCPUs...instead of just one.... I could see all the ZFS filesystems, not just the single zroot.)
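Added example, not the post's own procedure: a small script that compares a numeric snmpwalk of bsnmpd against one of net-snmp and lists the OID subtrees only one agent serves, which is the comparison done by eye above to decide that 'host' and 'ucd-snmp/diskio' belong to bsnmpd. The ports, community string and the walk contents are constructed assumptions.

```shell
# Compare two numeric snmpwalk dumps and report which OID subtrees only one
# agent serves (added example). Take the walks with numeric OIDs, e.g.
#   snmpwalk -On -v 2c -c public dbox:161  .1 > bsnmpd.walk   (assumed port)
#   snmpwalk -On -v 2c -c public dbox:1161 .1 > netsnmp.walk  (assumed port)

# subtree_ids WALKFILE DEPTH
# Print each OID trimmed to its first DEPTH arcs, de-duplicated and sorted.
# DEPTH=7 separates the mib-2 groups (.1.3.6.1.2.1.X); DEPTH=8 also
# separates the ucd-snmp tables under .1.3.6.1.4.1.2021.X.
subtree_ids() {
    awk -v depth="$2" '
        /^\.?[0-9]/ {
            oid = $1
            sub(/^\./, "", oid)
            n = split(oid, arc, ".")
            if (n > depth) n = depth
            prefix = arc[1]
            for (i = 2; i <= n; i++) prefix = prefix "." arc[i]
            print prefix
        }' "$1" | LC_ALL=C sort -u
}

# only_in WALK_A WALK_B DEPTH
# Prefixes served by agent A but absent from agent B (byte-order sorted).
only_in() {
    a=$(mktemp); b=$(mktemp)
    subtree_ids "$1" "$3" > "$a"
    subtree_ids "$2" "$3" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample walks standing in for real output: bsnmpd serves
# HOST-RESOURCES (.25) and the ucd diskio table (.2021.13); net-snmp serves
# the interfaces table (.2) and ucd memory/load (.2021.4, .2021.10).
SAMPLE_DIR=$(mktemp -d)
BSNMPD_WALK=$SAMPLE_DIR/bsnmpd.walk
NETSNMP_WALK=$SAMPLE_DIR/netsnmp.walk
cat > "$BSNMPD_WALK" <<'EOF'
.1.3.6.1.2.1.1.1.0 = STRING: dbox FreeBSD
.1.3.6.1.2.1.1.3.0 = Timeticks: (4242) 0:00:42.42
.1.3.6.1.2.1.25.1.1.0 = Timeticks: (4242) 0:00:42.42
.1.3.6.1.2.1.25.2.3.1.3.1 = STRING: /
.1.3.6.1.2.1.25.2.3.1.3.2 = STRING: /usr
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: ada0
EOF
cat > "$NETSNMP_WALK" <<'EOF'
.1.3.6.1.2.1.1.1.0 = STRING: dbox FreeBSD
.1.3.6.1.2.1.1.3.0 = Timeticks: (4242) 0:00:42.42
.1.3.6.1.2.1.2.2.1.2.1 = STRING: em0
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 8192
.1.3.6.1.4.1.2021.10.1.3.1 = STRING: 0.10
EOF

# First list: what net-snmp would have to proxy to bsnmpd (or drop from its
# own module list). Second list: what bsnmpd alone does not give you.
echo "only bsnmpd serves:";   only_in "$BSNMPD_WALK" "$NETSNMP_WALK" 8
echo "only net-snmp serves:"; only_in "$NETSNMP_WALK" "$BSNMPD_WALK" 8
```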
So, I went back to looking at getting squid graphs to work....that didn't work.
In the morning, I will open like 50 tabs in firefox...for the sites I check out every morning. And, going through my caching proxy helps. But, there are things that I can't get to using the proxy, so I will toggle off the use of proxy in firefox.
But, then I don't remember to switch it back on later....
Additionally, there are devices on my home network that I think could benefit from going through squid, but they don't offer easy ways to make that go.
So, the answer was to investigate transparent proxy. Which I finally got around to doing this weekend.
I added two new ports to my squid.conf
http_port coxtport transparent
http_port dsltport transparent
I went with new ports for transparent separate from the existing ones, and two so that one squid cache can handle either gateway....
I did a lot of googling around to figure out the iptables to add to my Sveasoft Alchemy running WRT54GS routers.
This is what I've settled on (for cox gateway):
iptables -t nat -A PREROUTING -i br0 -s ! box.lhaven.homeip.net -p tcp --dport 80 -j DNAT \
    --to box.lhaven.homeip.net:coxtport
iptables -t nat -A POSTROUTING -o br0 -s lhaven.homeip.net/24 -d box.lhaven.homeip.net -j SNAT \
    --to coxgateway
iptables -A FORWARD -s lhaven.homeip.net/24 -d box.lhaven.homeip.net -i br0 -o br0 -m state \
    --state NEW,ESTABLISHED,RELATED -p tcp --dport coxtport -j ACCEPT
iptables -A FORWARD -d lhaven.homeip.net/24 -s box.lhaven.homeip.net -i br0 -o br0 -m state \
    --state ESTABLISHED,RELATED -p tcp --sport coxtport -j ACCEPT
In the aftermath of the summer storm of August 13th, (hmmm, totally missed that it was a Friday the 13th), I made a tweak to my ddclient config for updating dyndns for my DSL line. Because I found that it wasn't able to update the IP change while Cox was down.
Couldn't find a way to make ddclient bind to the local IP that routes out by DSL (or use a non-default gateway). But, since I have squid proxy on the same box...and depending on what port I come in on, it can use either of my connections.
I set proxy=box.lhaven.homeip.net:3128
Couldn't use localhost, because ddclient does some kind of validation to require an fqdn+port, and localhost isn't an fqdn. And, yes, I use my dyndns domain as my home domain. So I can have bookmarks that'll work whether I'm at home or on the road.
But, this change wasn't tested...as it has been less than 28 days for a refresh, and no IP change.
That was until this morning, when my IP did change.
The updates weren't working....seems that ddclient wants to do SSL all the way or not at all. No using an http proxy to connect out on SSL. But, I didn't feel like sending my dyndns password out non-SSL.... So, after some thought, I decided I would figure out how to set up SSL on squid.
I made the necessary configuration change, but no go. Seems that ubuntu doesn't distribute squid with SSL, because squid and openssl have incompatible open source licenses. So, I did a quick search to find the ubuntu way of rebuilding it from source.
apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot
cd squid-2.7.STABLE7
vi debian/rules    (add --enable-ssl \ to the "# Configure the package" section)
debuild -us -uc -b
cd ..
dpkg -i squid??? squid-common???
Change to proxy=box.lhaven.homeip.net:3218, and it worked.
Last night I wasn't thinking....running into the fact that my boinc-client package is broken on 'box', I thought..."why isn't it running the boinc-client from Lucid?" And, I proceeded to fix it with "apt-get"...and then realized that I'm still running karmic and unbreaking it wasn't. The boinc-client pre-Lucid is too old for a project I'm in, and it is annoying how ubuntu doesn't update packages within releases (which gets really annoying with LTS.)
Anyways....I decided the way to resolve the mess I had now made by downgrading my boinc-client, was to upgrade to Lucid Lynx 10.04LTS. It was my plan to upgrade both my Ubuntu servers to 10.04LTS (the other being 'orac' which is currently 8.04LTS)....but I was going to put it off to when I had more time and allow time for the release to stabilize (given all the issues I had when I first started running box on fresh Karmic).
So, it started....things got a little annoying, in that the upgrade requires attention....and I didn't want to spend my whole evening watching it upgrade. So, I'd check it now and then, and sometimes find it stuck waiting for me to make a decision for it, though the first one where it wants to restart stuff after a pam upgrade...that's annoying. Just do it okay, stuff it restarted weren't working right along the way anyways. Namely I found that I couldn't access websites...at first I thought the squid had become dorked, and I couldn't restart it because invoking /etc/init.d/squid said it was now a service...but using service didn't find it. Though later I realized it wasn't working because DNS was broke ('box' is my primary DNS server)... I was able to restart that in the usual manner.
Partly because of the pauses, and a bit due to slow download....it wasn't looking like I would finish before 'bedtime'....but it seemed that it would be close enough.... It wasn't, but I ended up staying up to the bitter end. So, that I could reboot and do a quick check that all was clean.
Namely, I checked that named, dhcpd, ntpd and squid were running (since these were some key services of this server, and were ones that often failed to start after boot in karmic...especially named. Manual start always worked...at one time I was restarting these services in rc.local where it always worked rather than at the 'normal' time).
Then I went to fill in the missing icons in my launcher panel....there were two holes, there also seemed to be a hole in the tray area. The missing icons were Evolution (which I right-clicked to make reappear), and boxee (which I installed the latest of). I then called it a night.
The next morning, I continued to poke around some more....adjust appearance, add some chat/broadcast accounts...and look into my ubuntuone issue....first the tray thing was missing, apparently its by design...but, I don't remember that. I poked around some more and some more....then I looked at 'ulkc' and saw that it also didn't have the tray applet anymore, and I just didn't miss it... So, I then went to check that it was connected to my account and sync'd. Actually, it really was syncing, etc. When I was at Penguicon, I had put a copy of the pictures I had taken into my cloud...expecting to see them later on 'box' when I got home. But, it would never appear. Upgrading 'ulkc' didn't help things.
During the poking around, I disconnected 'box' and reconnected...and that apparently fixed whatever was wrong, as it started syncing...and soon the folders appeared.
While this was going on, I thought that maybe I would need to finish things up by remote....so sadly I discovered that remote desktop still doesn't work in Lucid. Turning it on, consumes 50% of my CPU. My 8.04LTS (orac) doesn't suffer from this problem. But, I want to bring both servers in sync eventually, so I can see about getting failover for dhcp working between the two.
Oh well....at least it seems more successful than when I had upgraded 'box' to Karmic. And, now I'm at an LTS where it can stay for the next 2 years.... We'll see what happens when I upgrade from 8.04LTS to 10.04LTS next month....