Category archive: Linux

PowerDNS – GSQLBackend lookup query:Attempt to bind more parameters than query has

PowerDNS is a very good DNS nameserver, but debugging is sometimes very hard. I just added some records to my zone and the zone stopped working: the server didn’t respond to DNS queries.

Here is the error from syslog:

2018-03-28T23:59:14+02:00 my [err] [pdns] Exception building answer packet for hostname.sk/MX (All data was not consumed) sending out servfail
 2018-03-28T23:59:30+02:00 my [err] [pdns] Backend reported permanent error which prevented lookup (GSQLBackend lookup query:Attempt to bind more parameters than query has: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=? and domain_id=?), aborting

Tracing pdns showed me the following exception:

$ strace -s 4096 -f -e send,recv,read,write,sendmsg -p `pidof /usr/sbin/pdns_server-instance`
[pid 12801] send(3, "<27>Mar 29 01:09:08 pdns[12791]: Exception building answer packet for zcvisioncare.sk/A (All data was not consumed) sending out servfail\0", 137, MSG_NOSIGNAL) = 137

After a few hours of googling, debugging, removing records, etc., I found:

$ pdnsutil check-zone hostname.sk
[Error] Following record had a problem: "hostname.sk IN SOA ns.hostname.sk hostmaster.hostname.sk 2018032808 21600 7200 1209600 3600 "
[Error] Error was: All data was not consumed
Checked 14 records of 'hostname.sk', 1 errors, 0 warnings.

Did you notice the extra space at the end of the record? After removing the extra space, the problem was solved.

I have added the following crontab job to prevent problems in the future:

@daily pdnsutil check-all-zones | grep Error
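
A stricter version of the daily check above, as an added example that is not part of the original post: it pairs each record pdnsutil reports with its error text and flags trailing whitespace, the cause found here. The function names and the example.org zone are constructed; the hostname.sk lines are the check-zone output shown above.

```shell
#!/bin/sh
# Added example: summarise pdnsutil zone-check errors, one line per broken record.
# Intended use (same pipeline as the cron job above):
#   pdnsutil check-all-zones | report_bad_records

# Read pdnsutil check output on stdin; print record, reason and a hint.
# Returns 1 if at least one broken record was reported, 0 otherwise.
report_bad_records() {
    awk '
    /^\[Error\] Following record had a problem: "/ {
        rec = $0
        sub(/^\[Error\] Following record had a problem: "/, "", rec)
        sub(/"$/, "", rec)          # drop the closing quote, keep inner spaces
        next
    }
    /^\[Error\] Error was: / && rec != "" {
        why = $0
        sub(/^\[Error\] Error was: /, "", why)
        # The failure in this post: whitespace left at the end of the content.
        hint = (rec ~ /[ \t]$/) ? " [trailing whitespace]" : ""
        printf "record=\"%s\" reason=\"%s\"%s\n", rec, why, hint
        rec = ""
        bad++
    }
    END { exit (bad > 0) ? 1 : 0 }
    '
}

# Sample input: the hostname.sk lines are from the post, example.org is constructed.
sample_output() {
    cat <<'EOF'
[Error] Following record had a problem: "hostname.sk IN SOA ns.hostname.sk hostmaster.hostname.sk 2018032808 21600 7200 1209600 3600 "
[Error] Error was: All data was not consumed
Checked 14 records of 'hostname.sk', 1 errors, 0 warnings.
Checked 9 records of 'example.org', 0 errors, 0 warnings.
EOF
}

# Demo run on the sample; cron mails any output it produces.
sample_output | report_bad_records || echo "broken records found"
```

Unlike a bare `grep Error`, the output keeps the record and its reason on one line, and the exit status can drive an alert.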

Firewall rule to allow access to Windows updates

When you try to install Windows updates for the first time (e.g. you buy a new computer with Windows 8.1 preinstalled), Windows doesn’t start to download updates unless you permit UDP connections to port 3544.

Here is the firewall rule for your Linux firewall:


iptables -A FORWARD -d 94.245.64.0/18 -p udp -m udp --dport 3544 -m conntrack --ctstate NEW -j ACCEPT

Here we go!

Howto make sure nagstamon is running on your desktop

Add the following line to your (desktop user, not root) crontab:

*/5 * * * * [ -z "`pidof -x /usr/bin/nagstamon`" ] && DISPLAY=:0.0 /usr/bin/nagstamon &

This will start nagstamon and make sure the user doesn’t close it. The tricky part is configuring the connection to your X server / graphical environment. But the solution is simple: set the $DISPLAY environment variable to :0.0, which means ‘use the first desktop running on localhost’.

Did you know the ‘xauth list’ command?

Nagstamon – Python OpenSSL certificate validation

When I tried to connect to my monitoring system with the desktop widget Nagstamon, Nagstamon was not able to connect due to an SSL certificate validation problem. I’m using a certificate from CAcert.org.

After a while of hacking I found this workaround in the source code. This is the wrong way: Continue reading

MySQL Workbench – passwords not being saved in keychain

If your MySQL Workbench can’t save passwords for your MySQL connections, try starting mysql-workbench in verbose mode. You may see an error:

$ mysql-workbench --verbose
** Message: Gnome keyring daemon seems to not be available. Stored passwords will be lost once quit
['un\\"o', 'do``s']
Ready.

Thread started

Continue reading

sendxmpp release v1.24

A new config file format is supported since sendxmpp version 1.24. Issue #9 (passwords with spaces not supported in .sendxmpprc) has been fixed.

Example for Google Talk servers:

$ cat ~/.sendxmpprc
username: lubomir.host
jserver: talk.google.com
password: my-"secure-pass _word with sp@ce!
component: gmail.com

Please don’t try the password above, I have changed it. 🙂

 

Make cryptsetup ask the same password only once at boot

I bought a new hard drive. Because I protect all my hard disks with encryption, I set up LUKS for the new hard drive too. But the init scripts ask for the password for every encrypted partition and I want to enter my hard disk password only once. I started with googling but I wasn’t successful. I found this thread about the same problem. But the author didn’t provide a patch and the uploaded *.tar.gz archive is no longer available. Continue reading

Shorewall – filtering IMAP/SMTP access to gmail.com domain

Do you need to discover what IP netblocks are owned and operated by Google to perhaps add to your firewall ACLs?

With dynamic zones available in Shorewall, you are able to define firewall rules and filter network traffic based on the domain name. For example, you can permit IMAPS connections only to the gmail.com domain. The problem is that the Google cluster is very big and you are always connecting to a different IP address, so you can’t define static rules for traffic filtering.

Here is a little HOWTO on how to do this.
Continue reading

Installing Java 7 (Oracle) in Debian via apt-get


If you want to install Java on your Debian server, you can use this guide:
Download Java 7 (Oracle) from Java Downloads for Linux. Download the *.tar.gz files.

$ ls -la j*.tar.gz
-rw-r--r-- 1 data data 138199690 Mar  7 00:58 jdk-7u51-linux-x64.tar.gz
-rw-r--r-- 1 data data  46904005 Mar 19 00:08 jre-7u51-linux-x64.tar.gz

Continue reading

I reported a bug in Debian – Midnight Commander and Java archive data (JAR)

If mc doesn’t open your *.zip archive the way it should, the problem may be in the file /etc/mc/mc.ext. In Debian I ran into this specific bug when trying to open a nightly build of CyanogenMod. The type of this file is Java archive data (JAR).
Continue reading

Renewing SSL certificates

Renewing an SSL certificate by the copy&paste method

In the previous post we successfully generated an SSL certificate. We successfully deployed it on the server and, before we knew it, the certificate had expired. The certificate authority CAcert.org kept nicely warning us about the approaching moment, but there was no time to renew the certificate.

Continue reading

Generating SSL certificates

Generating a correct SSL certificate is a task that everyone who takes care of the security of their sites will face. However, generating a certificate and renewing it happens about once or twice a year, and one tends to forget the procedure. That is why I prepared the following procedure, which helps me generate or renew an SSL certificate without unnecessary delay. I believe it will help you too.

Generated SSL certificate from CAcert.org

Continue reading

Howto migrate s9y blog to WordPress

Migrate s9y posts
– use import from RSS, rss = http://blog-s9y.hostsname.sk/feed/rss.php?version=2.0&all=1

And then update to the whole body:

UPDATE wp_posts w, sp_entries s 
  SET w.post_content = CONCAT(s.body , '<!--more-->', s.extended) 
    COLLATE utf8_general_ci
WHERE w.post_title = s.title COLLATE utf8_general_ci ;

Continue reading

How technology can sometimes fail

Today was Children’s Day and, as Murphy’s law says, technology failed me completely. But it was partly my own fault too. The first thing that failed was the drained battery in my SLR camera. Yes, I underestimated the charge level and took the risk – surely it will last. It didn’t, and the camera switched off after a few shots of the kids romping on the swing.

I said to myself, forget it, I’ll shoot with my phone. Continue reading