do-release-upgrade Checking for a new Ubuntu release No new release found

My HTPC is almost appliance like, in the way I never upgrade it, i.e. this morning it was still running Ubuntu 11.04 Natty Narwhal… It’s also not very appliance like in that it’s also full of random development stuff that probably shouldn’t be on it as well as several different types of databases, my backup infrastructure and tons of other things you really don’t care for.

But not today. Today I was bored and decided the best use of my time was to replace MythTV with XBMC. Not only that, I figured I should probably upgrade from

      Ubuntu 11.04 (Natty Narwhal)
      Ubuntu 11.10 (Oneiric Ocelot)
      Ubuntu 12.04 LTS (Precise Pangolin)
      Ubuntu 12.10 (Quantal Quetzal)
      Ubuntu 13.04 (Raring Ringtail)
      Ubuntu 13.10 (Saucy Salamander)

That’s a lot of upgrading. It would have probably been better for me to just install 13.10 ..

But when I got to Pangolin, the 12.04 LTS EVERYTHING WENT WRONG!


rus@relax:~$ sudo do-release-upgrade -p
Checking for a new Ubuntu release
No new release found

OMG I hear you cry, much like I did. WHAT IS THIS??? I tried everything, apt-get update, turning it on and off again, throwing things at the TV, I even went outside and bought a coffee. None of the above worked. This was because I was stupid.


The reason for the error was that I’d arrived at an LTS release, and the do-release-upgrade configuration had changed to now *stick* to LTS releases and not upgrade any more. So as the new 14.04 LTS isn’t out yet (as we’re not in the future, dummy) it couldn’t find anything to upgrade to.

The fix is to tell the computer to just upgrade to the next release and not be so stubborn by editing /etc/update-manager/release-upgrades


# Default behavior for the release upgrader.

[DEFAULT]
# Default prompting behavior, valid options:
#
# never - Never check for a new release.
# normal - Check to see if a new release is available. If more than one new
# release is found, the release upgrader will attempt to upgrade to
# the release that immediately succeeds the currently-running
# release.
# lts - Check to see if a new LTS release is available. The upgrader
# will attempt to upgrade to the first LTS release available after
# the currently-running one. Note that this option should not be
# used if the currently-running release is not itself an LTS
# release, since in that case the upgrader won't be able to
# determine if a newer release is available.
Prompt=lts

See how it says Prompt=lts? THAT’S JUST RUBBISH! Change it from lts to normal then rerun do-release-upgrade. There’s a good boy!

sudo: sorry, you must have a tty to run sudo

We’re using an old version of Upstart, on Centos, to manage stopping and starting our Node.js daemons, and one of the things the script does, like any good daemon, is change the user of the daemon process from root to something more applicable, security and all that 😉

The scripts look a little like this


#!upstart
description "Amazing Node.js Daemon"
author "idimmu"

start on runlevel [2345]
stop on shutdown

env PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
env NAME="amazing-daemon"

script
export HOME="/root"
cd /opt/idimmu/$NAME
echo $$ > /var/run/$NAME.pid
# Drop from root to the unprivileged idimmu user before starting node
exec sudo -u idimmu /usr/bin/node /opt/idimmu/$NAME/server.js >> /var/log/$NAME/stdout.log 2>&1
end script

pre-start script
echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (upstart) Starting $NAME" >> /var/log/$NAME/stdout.log
end script

pre-stop script
rm /var/run/$NAME.pid
echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (upstart) Stopping $NAME" >> /var/log/$NAME/stdout.log
end script

Which is nice, as it means we can use Upstart to stop/start/status daemons really nicely. The equivalent init.d script looked really horrible.

But there’s one massive caveat, which we always encounter when building a brand new box, from scratch.


[2013-09-27T10:50:10.174Z] (upstart) Starting amazing-daemon
sudo: sorry, you must have a tty to run sudo


So it all falls apart due to the following error:

sudo: sorry, you must have a tty to run sudo

Basically sudo is stopping the process from running because Upstart doesn’t have a TTY. This is easily fixable. Just edit /etc/sudoers using visudo and comment out


Defaults requiretty

i.e.


#Defaults requiretty

Now we can use Upstart to start the daemon and check its status to confirm it’s running! More recent versions of Upstart don’t need this hack. One day I’ll live in the future, but not today.


deploy:amazing root$ start amazing
amazing start/running, process 3965
deploy:amazing root$ status amazing
amazing start/running, process 3965

Bamo, problem solved!
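A narrower alternative to commenting out requiretty for every account, shown as an added example that is not part of the original post: exempt only root, the account the Upstart job calls sudo as, using a drop-in that is syntax-checked before it goes live. The drop-in name upstart-notty is an assumption, and the approach assumes /etc/sudoers has the "#includedir /etc/sudoers.d" line.

```shell
#!/bin/sh
# Added example: scope the requiretty exemption to one invoking account
# instead of switching the check off for everybody.

# install_requiretty_exemption USER DEST
#   USER - account that invokes sudo (root for an Upstart job script)
#   DEST - drop-in path, e.g. /etc/sudoers.d/upstart-notty (assumed name)
install_requiretty_exemption() {
    user=$1 dest=$2
    # Refuse anything that is not a plain account name before writing policy.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user name: $user" >&2; return 2 ;;
    esac
    # The temporary name contains a '.', so sudo ignores it while it is
    # being written (files with a '.' in sudoers.d are skipped).
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    printf 'Defaults:%s !requiretty\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    # Syntax-check before activating; a broken sudoers file locks out sudo.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Demo against a scratch directory (constructed, not a real /etc/sudoers.d).
demo=$(mktemp -d)
install_requiretty_exemption root "$demo/upstart-notty" && cat "$demo/upstart-notty"
rm -rf "$demo"
```

With this in place the global "Defaults requiretty" line can stay enabled for interactive users.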

Keeping Linux Users In A MySQL Database With libpam-mysql On Ubuntu

I want to have a set of users on my Ubuntu 10.4 Lucid Lynx box managed by MySQL, rather than LDAP for a change which means delving in to the sexy world that is libpam-mysql!

As ever, the first thing that we need are packages! Remember when installing mysql-server to set a strong root MySQL password. As we’re managing user accounts in MySQL we need to really make sure everything is locked down tight!

apt-get install mysql-server libpam-mysql libnss-mysql

Configuring MySQL

We then need to auth to MySQL as root

mysql -u root -p

and create a database and some tables!

CREATE DATABASE nss_mysql;

USE nss_mysql;

CREATE TABLE groups (
group_id int(11) NOT NULL auto_increment primary key,
group_name varchar(30) DEFAULT '' NOT NULL,
status char(1) DEFAULT 'A',
group_password varchar(64) DEFAULT 'x' NOT NULL,
gid int(11) NOT NULL
);

CREATE TABLE user (
user_id int(11) NOT NULL auto_increment primary key,
user_name varchar(50) DEFAULT '' NOT NULL,
realname varchar(32) DEFAULT '' NOT NULL,
shell varchar(20) DEFAULT '/bin/sh' NOT NULL,
password varchar(40) DEFAULT '' NOT NULL,
status char(1) DEFAULT 'N' NOT NULL,
uid int(11) NOT NULL,
gid int(11) DEFAULT '65534' NOT NULL,
homedir varchar(32) DEFAULT '/bin/sh' NOT NULL,
lastchange varchar(50) NOT NULL default '',
min int(11) NOT NULL default '0',
max int(11) NOT NULL default '0',
warn int(11) NOT NULL default '7',
inact int(11) NOT NULL default '-1',
expire int(11) NOT NULL default '-1'
);

CREATE TABLE user_group (
user_id int(11) DEFAULT '0' NOT NULL,
group_id int(11) DEFAULT '0' NOT NULL
);

And set up 2 MySQL accounts, one for reading and one for writing. The read only account will have a password exposed on the file system, so make sure it is locked down and unique. This isn’t a security issue as all it will expose is as much as /etc/passwd does anyway.

GRANT select(user_name,user_id,uid,gid,realname,shell,homedir,status) on user to nss@localhost identified by 'buttercup';

GRANT select(group_name,group_id,gid,group_password,status) on groups to nss@localhost identified by 'buttercup';

GRANT select(user_id,group_id) on user_group to nss@localhost identified by 'buttercup';

GRANT select(user_name,password,user_id,uid,gid,realname,shell,homedir,status,lastchange,min,max,warn,inact,expire) on user to 'nss-shadow'@localhost identified by 'bunnyface';

GRANT update(user_name,password,user_id,uid,gid,realname,shell,homedir,status,lastchange,min,max,warn,inact,expire) on user to 'nss-shadow'@localhost identified by 'bunnyface';

FLUSH PRIVILEGES;

Configuring NSS

NSS (Name Service Switch) provides a common method through which system database requests can be fed. Implementations of these operations can be extended via modules. By default Ubuntu is configured to use the compat (/etc/passwd & /etc/shadow) module, but we’re going to tell it to also use the mysql module.

We are going to need to edit /etc/nsswitch.conf, look for the lines

passwd: compat

group: compat

shadow: compat

and reconfigure it to also use mysql like so

passwd: compat mysql

group: compat mysql

shadow: compat mysql

Now edit the two files with the relevant MySQL usernames and passwords. The first uses the nss user and the second uses the nss-shadow user.

/etc/nss-mysql.conf

/etc/nss-mysql-root.conf

Now we make the nss-shadow file only readable by root as this contains the really important credentials

chmod 600 /etc/nss-mysql-root.conf

Do not do that to nss-mysql.conf though.

Configuring PAM

PAM (Pluggable Authentication Modules) handles all the different ways you can authenticate to the system. We need to update it so it knows it can use MySQL to handle authentication!

In /etc/pam.d we must edit a series of files :

common-auth

auth sufficient pam_unix.so nullok_secure

auth sufficient pam_mysql.so user=nss-shadow passwd=bunnyface db=nss_mysql usercolumn=user.user_name crypt=1 table=user

auth requisite pam_deny.so

auth required pam_permit.so

common-account

account sufficient pam_unix.so

account optional pam_mysql.so user=nss passwd=buttercup db=nss_mysql usercolumn=user_name table=user

account requisite pam_deny.so

account required pam_permit.so

common-session

session sufficient pam_unix.so

session required pam_mysql.so user=nss passwd=buttercup db=nss_mysql usercolumn=user_name table=user

session requisite pam_deny.so

session required pam_permit.so

session required pam_unix.so

common-password

password sufficient pam_unix.so nullok obscure min=5 max=12 md5 debug

password sufficient pam_mysql.so nullok user=nss-shadow passwd=bunnyface db=nss_mysql usercolumn=user_name crypt=1 table=user passwdcolumn=password statcolumn=status

password requisite pam_deny.so

password required pam_permit.so

Now lock the files down so they are only root readable

chmod 600 common-*
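The file modes this setup depends on are easy to get wrong in either direction, so here is a check for them, added as an example that is not part of the original post. It takes the configuration root as an argument (/etc on a real host) and the demo tree and its passwd=EXAMPLE value are constructed.

```shell
#!/bin/sh
# Added example: verify the modes the libpam-mysql / libnss-mysql files need.

# True when group and other have no permission bits at all (e.g. mode 600).
is_private() { [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]; }

# True when "other" may read the file (e.g. mode 644).
is_world_readable() { [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]; }

# audit_pam_mysql ETC: print one finding per line, return 1 if any were found.
audit_pam_mysql() {
    etc=$1 rc=0
    # nss-shadow credentials can read and update password hashes: root only.
    f=$etc/nss-mysql-root.conf
    if [ -f "$f" ] && ! is_private "$f"; then
        echo "EXPOSED $f: nss-shadow password readable by non-root"; rc=1
    fi
    # nss credentials: every process doing a passwd/group lookup must read it.
    f=$etc/nss-mysql.conf
    if [ -f "$f" ] && ! is_world_readable "$f"; then
        echo "BROKEN $f: lookups by non-root users will fail"; rc=1
    fi
    # PAM stacks carry the database password in a passwd= module option.
    for f in "$etc"/pam.d/common-*; do
        [ -f "$f" ] || continue
        if grep -Eq '[[:space:]]passwd=' "$f" && ! is_private "$f"; then
            echo "EXPOSED $f: pam_mysql passwd= readable by non-root"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree (not a real host): common-auth left at mode 644.
demo=$(mktemp -d)
mkdir "$demo/pam.d"
echo 'auth sufficient pam_mysql.so user=nss-shadow passwd=EXAMPLE db=nss_mysql' \
    > "$demo/pam.d/common-auth"
echo 'session required pam_unix.so' > "$demo/pam.d/common-session"
: > "$demo/nss-mysql.conf"
: > "$demo/nss-mysql-root.conf"
chmod 644 "$demo/pam.d/common-auth" "$demo/pam.d/common-session" "$demo/nss-mysql.conf"
chmod 600 "$demo/nss-mysql-root.conf"
audit_pam_mysql "$demo" || echo "findings above need fixing"
rm -rf "$demo"
```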

Creating A User

We’re going to create a user and a group called minty! Create a minty.sql file for the user

INSERT INTO nss_mysql.groups VALUES (100,'minty','A','x',1002);

INSERT INTO nss_mysql.user VALUES (100,'minty','Minty','/bin/false','','A',1002,1002,'/home/minty', '041406', '', '','', '', '-1');

INSERT INTO nss_mysql.user_group VALUES (100,100);

Then import the sql file

mysql -u root -p < minty.sql

Create the home directory

root@crisps:~# cp -ax /etc/skel /home/minty

root@crisps:~# chown -R minty:minty /home/minty/

Set the password

passwd minty

(New) Password:

Retype (New) Password:

passwd: password updated successfully

SSH in to the server 😉

Chill:~ idimmu$ ssh minty@crisps

Warning: Permanently added 'crisps,192.168.0.111' (RSA) to the list of known hosts.

minty@crisps's password:

Last login: Fri Aug 27 10:14:05 2010 from 192.168.0.110

minty@crisps:~$

et voila, libpam-mysql based user management on a Linux Ubuntu box! Next up to write a web interface to manage all that 🙂

Disk Quotas On Ubuntu

I’ve recently needed to add disk usage quotas to a server in order to limit how much data users can store so as not to affect the quality of service for other users.

Linux has a method called quota which can help you do this.

Ubuntu provides some packaged tools which let you manage quotas

apt-get install quota

To enable quotas on a partition the first step is to edit the /etc/fstab entry for the partition and append usrquota to it so the kernel knows to manage that partition using quotas.

/dev/sda1 / ext4 defaults,usrquota 0 0

We then need to create 2 files that manage the quota levels in the root of the partition in question

sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*

To make the setting take effect we then need to remount the partition, we can either do this with a reboot or

sudo mount -o remount /

to check that it worked, investigate /etc/mtab, it should look similar to

/dev/sda1 / ext4 rw,usrquota,usrquota 0 0

Remounting didn’t work for me, so I issued the reboot command!

When the disk is mounted to support quotas, the next step is to configure how the system is going to manage them!

I’m going to be managing quotas on a per user basis, each user is going to be allowed to store up to 5Gb of data! To configure a user we use the edquota command which will open up an editor

edquota -u idimmu -f /

then edit the config like so


Disk quotas for user idimmu (uid 1000):
Filesystem blocks soft hard inodes soft hard
/dev/sda1 0 5242880 5242880 0 0 0

you can see how I’ve set the hard and soft limits to be 5Gb in kilobytes! (5 * 1024 * 1024)

We can confirm the change with the quota command


root@crisps:~# quota -u idimmu
Disk quotas for user idimmu (uid 1000):
Filesystem blocks quota limit grace files quota limit grace
/dev/sda1 5242872 5242880 5242880 20 0 0

You can see that it’s also done some math to work out how many blocks to limit the user to as well!

Now we need to test it .. can the idimmu account create more than 5Gb in his home directory?


idimmu@crisps:~$ dd if=/dev/zero of=filename1 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 20.8073 s, 49.2 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename2 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 25.4285 s, 40.3 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename3 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 35.7829 s, 28.6 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename4 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 18.8164 s, 54.4 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename5 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 23.2641 s, 44.0 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename6 bs=1024 count=1000000
dd: writing `filename6': Disk quota exceeded
242813+0 records in
242812+0 records out
248639488 bytes (249 MB) copied, 10.6704 s, 23.3 MB/s

 

apparently not 😀

The Ubuntu Linux Bible covers every facet of Ubuntu administration, both for the desktop and the server, as well as dealing with virtual environments and multi user setups.

Slow SSH and SCP connections on Ubuntu

My home Ubuntu Jaunty installation often takes a good 40-60 seconds to connect to using SSH, none of the other servers I maintain have this same problem, they’re pretty much instantaneous, and today, on a Friday evening at 1am this irked me enough to fix it!

The first step is of course to make the SSH connection with debug output on.


Chill:~ idimmu$ ssh -v cordy
OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /Users/idimmu/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to cordy [192.168.0.10] port 22.
debug1: Connection established.
debug1: identity file /Users/idimmu/.ssh/identity type -1
debug1: identity file /Users/idimmu/.ssh/id_rsa type -1
debug1: identity file /Users/idimmu/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cordy' is known and matches the RSA host key.
debug1: Found key in /Users/idimmu/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

< 30 – 40 second pause occurs here >


debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/idimmu/.ssh/identity
debug1: Trying private key: /Users/idimmu/.ssh/id_rsa
debug1: Offering public key: /Users/idimmu/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting authentication agent forwarding.
Linux Cordy 2.6.28-15-generic #49-Ubuntu SMP Tue Aug 18 18:40:08 UTC 2009 i686
Last login: Sat Jan 23 01:22:08 2010 from chill.local
idimmu@Cordy:~$

A quick Google for SSH2_MSG_SERVICE_ACCEPT and a read of man sshd_config gave me:


UseDNS Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ``yes''.

So I simply added


UseDNS no

to the end of /etc/ssh/sshd_config and issued a sudo /etc/init.d/ssh reload and bamo, instant SSH access and I can sleep peacefully!
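With UseDNS no, sshd stops resolving client host names, so from="..." restrictions in authorized_keys and Match Host blocks in sshd_config only match on addresses. The check below finds host-name based patterns that would stop matching; it is an added example, not part of the original post, and the sample files and key blobs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: find access rules that rely on sshd's reverse DNS lookup.

# hostname_patterns FILE...
# Scans authorized_keys files (from="...") and sshd_config files (Match Host)
# and prints FILE:LINE: PATTERN for every pattern that is not an address.
hostname_patterns() {
    awk '
    function report(list,    n, i, p, pat) {
        n = split(list, pat, ",")
        for (i = 1; i <= n; i++) {
            p = pat[i]
            sub(/^!/, "", p)                                    # negated pattern
            if (p ~ "^[0-9.*?/]+$") continue                    # IPv4, CIDR, wildcard
            if (p ~ ":" && p ~ "^[0-9A-Fa-f:.*?/%]+$") continue # IPv6
            print FILENAME ":" FNR ": " p
        }
    }
    /^[ \t]*#/ { next }                                         # skip comments
    match($0, /from="[^"]*"/) { report(substr($0, RSTART + 6, RLENGTH - 7)) }
    tolower($1) == "match" {
        for (k = 2; k < NF; k++)
            if (tolower($k) == "host") report($(k + 1))
    }' "$@"
}

# Constructed sample input (key blobs are placeholders, not real keys).
demo=$(mktemp -d)
cat > "$demo/authorized_keys" <<'EOF'
from="192.168.0.*" ssh-rsa AAAAEXAMPLE1 laptop
from="chill.local,10.0.0.0/8" ssh-rsa AAAAEXAMPLE2 desktop
from="fe80::1" ssh-rsa AAAAEXAMPLE3 v6host
ssh-rsa AAAAEXAMPLE4 anywhere
EOF
cat > "$demo/sshd_config" <<'EOF'
UseDNS no
Match Host *.example.org User backup
    PasswordAuthentication no
Match Address 192.168.0.0/24
    X11Forwarding yes
EOF
hostname_patterns "$demo/authorized_keys" "$demo/sshd_config"
rm -rf "$demo"
```

Any pattern it reports needs rewriting as an address or CIDR range before the setting is changed.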

Burning an XVid to DVD in Ubuntu Jaunty from the command line

I needed to burn an XVid of one of my performances to DVD last night, remotely, as my MythBuntu box was being used by someone else to watch some crappy TV and I wanted to show off! It was a pretty simple process, just involving a bit of a wait during the transcode 🙂

First you will need to install the relevant packages:

sudo aptitude install dvdauthor ffmpeg ~nlibav.+-unstripped.+

If you already have dvdauthor and ffmpeg installed, you must install the unstripped libav packages as they contain a tool called mpeg2video and it’s this that does the heavy grunt work!

Next we transcode the movie and create a DVD compatible MPEG. This is the part that takes the longest to do.

ffmpeg -i performance.avi -target dvd -aspect 16:9 -sameq performance.mpg

Now we create the DVD structure, the VIDEO_TS etc. etc.


mkdir DVD
dvdauthor --title -f performance.mpg -o DVD
dvdauthor -T -o DVD

Which results in a structure that looks a lot like this:


DVD
DVD/VIDEO_TS
DVD/VIDEO_TS/VTS_01_1.VOB
DVD/VIDEO_TS/VIDEO_TS.BUP
DVD/VIDEO_TS/VTS_01_0.IFO
DVD/VIDEO_TS/VTS_01_3.VOB
DVD/VIDEO_TS/VTS_01_2.VOB
DVD/VIDEO_TS/VIDEO_TS.IFO
DVD/VIDEO_TS/VTS_01_0.BUP
DVD/AUDIO_TS

Then we create an iso image from that structure which we can then use to burn to a blank DVD

mkisofs -dvd-video -o performance.iso DVD

There are a million ways to burn the iso image, I actually SCP’d it to my MacBook and used the Disk Utility tool to burn it, but from the Ubuntu CD DVD Burning documentation you can use a tool called wodim!

You will need to install wodim

apt-get install wodim

list available DVD writers

wodim --devices
wodim: Overview of accessible drives (1 found) :
-------------------------------------------------------------------------
0 dev='/dev/scd0' rwrw-- : 'LITE-ON' 'DVDRW SOHW-1633S'
-------------------------------------------------------------------------

Insert a disk, then burn!

wodim dev=/dev/scd0 driveropts=burnfree -v -data performance.iso

New Ubuntu Jaunty Screen

At the moment I’m trying out the beta for Ubuntu Jaunty and one of the first things I noticed was the new version of screen available!

Initially you are provided with a menu to choose a theme!

I went with option 3, Ubuntu Dark! You’re then presented with an interesting new screen display, with 2 rows of status at the bottom, in lots of colours, displaying information about the CPU and RAM etc!

There’s a prompt to press F9 for options which presents a curses based interface to change settings and the information on the bottom status bar.

After smiling a little, I decided my best course of action was to delete the screen settings


rus@boosh:~$ rm -rf .screen*

and restart screen using option 1, plain! It’s not that I fear change, but I don’t need to know any of that information! It doesn’t add value to my terminal experience, whereas the extra 2 lines of space will!

Error: Could not stat() command file ‘/var/lib/nagios3/rw/nagios.cmd’!

I’ve been doing a lot of Nagios deployments recently, and this error always bites me, on all Ubuntu versions, including Hardy and Intrepid (haven’t quite bit the bullet to try the Jaunty beta yet 🙂 )


Error: Could not stat() command file '/var/lib/nagios3/rw/nagios.cmd'!

The external command file may be missing, Nagios may not be running, and/or Nagios may not be checking external commands.

An error occurred while attempting to commit your command for processing.

This can be quite easily fixed with the following command line fu:


sudo /etc/init.d/nagios3 stop
sudo dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
sudo dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3
sudo /etc/init.d/nagios3 start

Now you should be able to send Nagios remote commands and commands via the web interface to your heart’s content!

Nagios

For more Nagios advice, I recommend Nagios by O’Reilly. It’s full of best practice advice and covers solving more ‘gotchas’ that you might encounter whilst using it!

Nexus on Tomcat 5.5 on Ubuntu Hardy

I’m trying out this Continuous Integration fun at the moment.

My end game is to get Hudson, Maven and Nexus working together to continuously build and run unit tests against code, which then gets turned in to Deb packages. A new Xen VM will then be created and configured using Puppet which the new Deb package is then deployed to. Finally Selenium will then be run to automate testing of the deployment.

That’s the plan anyway ..

I’ve been deploying everything on Ubuntu Hardy for the time being, and the latest app I am working on is Nexus. I’m deploying it as a War under Tomcat 5.5 and for a while was just getting the following error:


06-Mar-2009 20:29:08 org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive nexus.war
06-Mar-2009 20:29:12 org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
06-Mar-2009 20:29:12 org.apache.catalina.core.StandardContext start
SEVERE: Context [/nexus] startup failed due to previous errors

I hate that error. It’s rubbish. To make it a little more verbose I edited /var/lib/tomcat5.5/webapps/nexus/WEB-INF/log4j.properties and changed the rootLogger to DEBUG and fixed the appender path to go somewhere sensible (/var/log/tomcat55/nexus.log) and restarted Tomcat! This logged the following interesting error:


2009-03-06 20:42:01.066 ERROR [main:] - org.sonatype.nexus.configuration.application.source.ApplicationConfigurationSource:file:
******************************************************************************
* Could not create configuration file [ /usr/share/tomcat5.5/sonatype-work/nexus/conf/nexus.xml]!!!! *
* Nexus cannot start properly until the process has read+write permissions to this folder *
******************************************************************************
2009-03-06 20:42:01.091 ERROR [main:] - org.sonatype.nexus.Nexus:default: Could not start Nexus, bad IO exception!
java.io.FileNotFoundException: /usr/share/tomcat5.5/sonatype-work/nexus/conf/nexus.xml (No such file or directory)

Not exactly rocket science to see what is going on here!! And really easy to fix!


mkdir /usr/share/tomcat5.5/sonatype-work
chown tomcat55: /usr/share/tomcat5.5/sonatype-work

A quick restart of tomcat, after turning the logging back down to INFO and ta da! A working Nexus repo!