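This Apache configuration snippet protects against the case where someone performs an ‘svn checkout’ instead of an ‘svn export’ into a web-accessible directory. It denies access to .svn directories, which hold the working copy's metadata and pristine copies of the source files.
<DirectoryMatch "/\.svn(/|$)">
Order Deny,Allow
Deny from all
</DirectoryMatch>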
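The following procedure reduces both the ext4 file system and the logical volume by 10 GB. Initially the file system uses the entire logical volume. The file system needs at least 10 GB of free space, and it must be unmounted for the whole procedure. The file system is first shrunk to its minimum size with resize2fs -M, the logical volume is then reduced, and finally resize2fs grows the file system back to fill the smaller volume; shrinking the file system first keeps lvreduce from cutting off blocks that are in use. This should also work fine on ext2 and ext3.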
root@ubuntu:/tmp# df -h /dev/mapper/mysql_s1_prod1_raid10-data
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/mysql_s1_prod1_raid10-data
241G 647M 228G 1% /local/mysql-s1-prod1_data
root@ubuntu:/tmp# umount /local/mysql-s1-prod1_data
root@ubuntu:/tmp# pvscan
PV /dev/mapper/mysql-s1-prod0-t1-v1_fujitsu2-27 VG mysql_s1_prod0_raid1 lvm2 [78.12 GiB / 0 free]
PV /dev/mapper/mysql-s1-prod1-t1-v1_fujitsu2-32 VG mysql_s1_prod1_raid1 lvm2 [78.12 GiB / 0 free]
PV /dev/mapper/mysql-s1-prod0-t1-v2_fujitsu2-28 VG mysql_s1_prod0_raid10 lvm2 [244.14 GiB / 10.00 GiB free]
PV /dev/mapper/mysql-s1-prod1-t1-v2_fujitsu2-35 VG mysql_s1_prod1_raid10 lvm2 [244.14 GiB / 0 free]
PV /dev/sda2 VG system lvm2 [135.84 GiB / 102.32 GiB free]
Total: 5 [780.36 GiB] / in use: 5 [780.36 GiB] / in no VG: 0 [0 ]
root@ubuntu:/tmp# lvscan
ACTIVE '/dev/mysql_s1_prod0_raid1/data' [78.12 GiB] inherit
ACTIVE '/dev/mysql_s1_prod1_raid1/data' [78.12 GiB] inherit
ACTIVE '/dev/mysql_s1_prod0_raid10/data' [234.14 GiB] inherit
ACTIVE '/dev/mysql_s1_prod1_raid10/data' [244.14 GiB] inherit
ACTIVE '/dev/system/root' [9.31 GiB] inherit
ACTIVE '/dev/system/var' [4.66 GiB] inherit
ACTIVE '/dev/system/tmp' [2.79 GiB] inherit
ACTIVE '/dev/system/swap' [2.79 GiB] inherit
ACTIVE '/dev/system/home' [4.66 GiB] inherit
ACTIVE '/dev/system/opt' [9.31 GiB] inherit
root@ubuntu:/tmp# e2fsck -fy /dev/mysql_s1_prod1_raid10/data
e2fsck 1.41.11 (14-Mar-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mysql_s1_prod1_raid10/data: 127/16007168 files (2.4% non-contiguous), 1170118/63998976 blocks
root@ubuntu:/tmp# resize2fs -Mp /dev/mapper/mysql_s1_prod1_raid10-data
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/mapper/mysql_s1_prod1_raid10-data to 291412 (4k) blocks.
Begin pass 2 (max = 88941)
Relocating blocks XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 3 (max = 1954)
Scanning inode table XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 4 (max = 11)
Updating inode references XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/mapper/mysql_s1_prod1_raid10-data is now 291412 blocks long.
root@ubuntu:/tmp# e2fsck -fy /dev/mysql_s1_prod1_raid10/data
e2fsck 1.41.11 (14-Mar-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mysql_s1_prod1_raid10/data: 127/73728 files (2.4% non-contiguous), 160138/291412 blocks
root@ubuntu:/tmp# lvreduce -L -10G /dev/mapper/mysql_s1_prod1_raid10-data
WARNING: Reducing active logical volume to 234.14 GiB
THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce data? [y/n]: y
Reducing logical volume data to 234.14 GiB
Logical volume data successfully resized
root@ubuntu:/tmp# resize2fs /dev/mapper/mysql_s1_prod1_raid10-data
resize2fs 1.41.11 (14-Mar-2010)
Please run 'e2fsck -f /dev/mapper/mysql_s1_prod1_raid10-data' first.
root@ubuntu:/tmp# resize2fs /dev/mapper/mysql_s1_prod1_raid10-data
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/mapper/mysql_s1_prod1_raid10-data to 61377536 (4k) blocks.
The filesystem on /dev/mapper/mysql_s1_prod1_raid10-data is now 61377536 blocks long.
root@ubuntu:/tmp# e2fsck -fy /dev/mysql_s1_prod1_raid10/data
e2fsck 1.41.11 (14-Mar-2010)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mysql_s1_prod1_raid10/data: 127/15351808 files (2.4% non-contiguous), 1128998/61377536 blocks
root@ubuntu:/tmp# df -h /dev/mapper/mysql_s1_prod1_raid10-data
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/mysql_s1_prod1_raid10-data
231G 647M 219G 1% /local/mysql-s1-prod1_data
root@ubuntu:/tmp# pvscan
PV /dev/mapper/mysql-s1-prod0-t1-v1_fujitsu2-27 VG mysql_s1_prod0_raid1 lvm2 [78.12 GiB / 0 free]
PV /dev/mapper/mysql-s1-prod1-t1-v1_fujitsu2-32 VG mysql_s1_prod1_raid1 lvm2 [78.12 GiB / 0 free]
PV /dev/mapper/mysql-s1-prod0-t1-v2_fujitsu2-28 VG mysql_s1_prod0_raid10 lvm2 [244.14 GiB / 10.00 GiB free]
PV /dev/mapper/mysql-s1-prod1-t1-v2_fujitsu2-35 VG mysql_s1_prod1_raid10 lvm2 [244.14 GiB / 10.00 GiB free]
PV /dev/sda2 VG system lvm2 [135.84 GiB / 102.32 GiB free]
Total: 5 [780.36 GiB] / in use: 5 [780.36 GiB] / in no VG: 0 [0 ]
root@ubuntu:/tmp# lvscan
ACTIVE '/dev/mysql_s1_prod0_raid1/data' [78.12 GiB] inherit
ACTIVE '/dev/mysql_s1_prod1_raid1/data' [78.12 GiB] inherit
ACTIVE '/dev/mysql_s1_prod0_raid10/data' [234.14 GiB] inherit
ACTIVE '/dev/mysql_s1_prod1_raid10/data' [234.14 GiB] inherit
ACTIVE '/dev/system/root' [9.31 GiB] inherit
ACTIVE '/dev/system/var' [4.66 GiB] inherit
ACTIVE '/dev/system/tmp' [2.79 GiB] inherit
ACTIVE '/dev/system/swap' [2.79 GiB] inherit
ACTIVE '/dev/system/home' [4.66 GiB] inherit
ACTIVE '/dev/system/opt' [9.31 GiB] inherit
If you already have Ubuntu packages of the JRE and/or JDK installed, you may leave them installed. However, you must uninstall IcedTea. The IcedTea project provides a harness to build the source code from http://openjdk.java.net using free software build tools and adds a number of features to the upstream OpenJDK codebase.
root@ubuntu:~# aptitude search icedtea
i A icedtea-6-jre-cacao - Alternative JVM for OpenJDK, using Cacao
i A icedtea-6-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
i A icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
i A icedtea-netx - NetX - implementation of the Java Network
i A icedtea-plugin - web browser plugin based on OpenJDK and Ic
v icedtea6-jre-cacao -
v icedtea6-jre-cacao -
v icedtea6-plugin -
i icedtea6-plugin - web browser plugin to execute Java applets
root@ubuntu:~# aptitude remove icedtea6-plugin icedtea-plugin icedtea-netx icedtea-7-jre-jamvm icedtea-6-jre-jamvm icedtea-6-jre-cacao
Download Java from Java’s website: http://www.java.com. For 64-bit you want Linux x64 (the file name ending with x64.bin). In this example we downloaded jre-6u31-linux-x64.bin.
Then make a directory for Oracle Java. Move the downloaded file into this new directory:
root@ubuntu:~# mkdir -p /opt/java
root@ubuntu:~# cd /opt/java
root@ubuntu:/opt/java# mv /home/username/downloads/jre-6u31-linux-x64.bin .
Execute the file downloaded:
root@ubuntu:/opt/java$ sh jre-6u31-linux-x64.bin
This will create the directory /opt/java/jre1.6.0_31 containing your new instance of Java. Its name will match the version of Java downloaded. You may now delete the downloaded Java installation file:
root@ubuntu:/opt/java$ rm jre-6u31-linux-x64.bin
Tell the system that there is a new instance of Java available:
root@ubuntu:/opt/java# update-alternatives --install "/usr/bin/java" "java" "/opt/java/jre1.6.0_31/bin/java" 1
update-alternatives: using /opt/java/jre1.6.0_31/bin/java to provide /usr/bin/java (java) in manual mode.
Tell the system to default to the new Java instance:
root@ubuntu:/opt/java# update-alternatives --set java /opt/java/jre1.6.0_31/bin/java
Verify your system is now using this instance of Java:
root@ubuntu:/# java -showversion
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
Package repositories for old Ubuntu releases are dropped from Ubuntu’s upstream package repository and are removed from Ubuntu package mirrors. However, Ubuntu still makes them available here: http://old-releases.ubuntu.com/ubuntu/. Here is an example /etc/apt/sources.list file for Ubuntu Dapper:
#
# /etc/apt/sources.list
# Ubuntu Dapper 6.06
#
#
# main and restricted:
#
# These are the primary package archives.
#
deb http://old-releases.ubuntu.com/ubuntu dapper main restricted
deb-src http://old-releases.ubuntu.com/ubuntu dapper main restricted
deb http://old-releases.ubuntu.com/ubuntu dapper-updates main restricted
deb-src http://old-releases.ubuntu.com/ubuntu dapper-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://old-releases.ubuntu.com/ubuntu dapper-security main restricted
#
# universe:
#
# Additional software from the larger pool of debian packages. Gobs and
# gobs of useful software lives here, however, software from this
# repository is ENTIRELY UNSUPPORTED by the Ubuntu team.
#
# Note: Some of the software in this repository may not be under a free
# licence. Please satisfy yourself as to your rights to use the
# software.
#
# Note: Software in this repository WILL NOT receive any review or
# updates from the Ubuntu security team.
#
deb http://old-releases.ubuntu.com/ubuntu dapper universe
deb-src http://old-releases.ubuntu.com/ubuntu dapper universe
deb http://old-releases.ubuntu.com/ubuntu dapper-updates universe
deb-src http://old-releases.ubuntu.com/ubuntu dapper-updates universe
deb http://old-releases.ubuntu.com/ubuntu dapper-security universe
deb-src http://old-releases.ubuntu.com/ubuntu dapper-security universe
#
# multiverse:
#
# Additional software that is "not free", which means the licensing
# requirements of this software do not meet the Ubuntu "main" Component
# Licence Policy.
#
# Note: This software is not supported and usually cannot be fixed or
# updated. Use it at your own risk.
deb http://old-releases.ubuntu.com/ubuntu dapper multiverse
deb-src http://old-releases.ubuntu.com/ubuntu dapper multiverse
deb http://old-releases.ubuntu.com/ubuntu dapper-updates multiverse
deb-src http://old-releases.ubuntu.com/ubuntu dapper-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu dapper-security multiverse
deb-src http://old-releases.ubuntu.com/ubuntu dapper-security multiverse
#
# backports:
#
# Software from a newer release of the distribution, or even from the
# development branch of the distribution, but built against this release.
# It may provide newer features, but should be considered untested.
#
# Note: Software in this repository WILL NOT receive any review or
# updates from the Ubuntu security team.
#
#deb http://old-releases.ubuntu.com/ubuntu dapper-backports main restricted
#deb-src http://old-releases.ubuntu.com/ubuntu dapper-backports main restricted
#deb http://old-releases.ubuntu.com/ubuntu dapper-backports universe
#deb-src http://old-releases.ubuntu.com/ubuntu dapper-backports universe
#deb http://old-releases.ubuntu.com/ubuntu dapper-backports multiverse
#deb-src http://old-releases.ubuntu.com/ubuntu dapper-backports multiverse
Here is an example /etc/apt/sources.list file for Ubuntu Hardy:
#
# /etc/apt/sources.list
# Ubuntu Hardy 8.04
#
#
# main and restricted:
#
# These are the primary package archives.
#
deb http://old-releases.ubuntu.com/ubuntu hardy main restricted
deb-src http://old-releases.ubuntu.com/ubuntu hardy main restricted
deb http://old-releases.ubuntu.com/ubuntu hardy-updates main restricted
deb-src http://old-releases.ubuntu.com/ubuntu hardy-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://old-releases.ubuntu.com/ubuntu hardy-security main restricted
#
# universe:
#
# Additional software from the larger pool of debian packages. Gobs and
# gobs of useful software lives here, however, software from this
# repository is ENTIRELY UNSUPPORTED by the Ubuntu team.
#
# Note: Some of the software in this repository may not be under a free
# licence. Please satisfy yourself as to your rights to use the
# software.
#
# Note: Software in this repository WILL NOT receive any review or
# updates from the Ubuntu security team.
#
deb http://old-releases.ubuntu.com/ubuntu hardy universe
deb-src http://old-releases.ubuntu.com/ubuntu hardy universe
deb http://old-releases.ubuntu.com/ubuntu hardy-updates universe
deb-src http://old-releases.ubuntu.com/ubuntu hardy-updates universe
deb http://old-releases.ubuntu.com/ubuntu hardy-security universe
deb-src http://old-releases.ubuntu.com/ubuntu hardy-security universe
#
# multiverse:
#
# Additional software that is "not free", which means the licensing
# requirements of this software do not meet the Ubuntu "main" Component
# Licence Policy.
#
# Note: This software is not supported and usually cannot be fixed or
# updated. Use it at your own risk.
deb http://old-releases.ubuntu.com/ubuntu hardy multiverse
deb-src http://old-releases.ubuntu.com/ubuntu hardy multiverse
deb http://old-releases.ubuntu.com/ubuntu hardy-updates multiverse
deb-src http://old-releases.ubuntu.com/ubuntu hardy-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://old-releases.ubuntu.com/ubuntu hardy-security multiverse
#
# backports:
#
# Software from a newer release of the distribution, or even from the
# development branch of the distribution, but built against this release.
# It may provide newer features, but should be considered untested.
#
# Note: Software in this repository WILL NOT receive any review or
# updates from the Ubuntu security team.
#
#deb http://old-releases.ubuntu.com/ubuntu hardy-backports main restricted
#deb-src http://old-releases.ubuntu.com/ubuntu hardy-backports main restricted
#deb http://old-releases.ubuntu.com/ubuntu hardy-backports universe
#deb-src http://old-releases.ubuntu.com/ubuntu hardy-backports universe
#deb http://old-releases.ubuntu.com/ubuntu hardy-backports multiverse
#deb-src http://old-releases.ubuntu.com/ubuntu hardy-backports multiverse
Create a password-protected encrypted file container using TrueCrypt, stored in the path ~/encrypted/encrypted.tc. The following script will decrypt this file and mount it as the directory ~/encrypted/encrypted. It will also unmount the directory when you are done.
#!/bin/sh
# truecrypt-encrypted
# Mount and unmount an encrypted TrueCrypt directory.
#
# Author: Dave Lehman ; http://nowherelan.com
# Date Created: 2012-01-01
# Version: 1.0
################################################################################
SCRIPTNAME=truecrypt-encrypted
ENCRYPTED_FILE=$HOME/encrypted/encrypted.tc
DECRYPTED_MNT=$HOME/encrypted/encrypted

# Decrypt the container (truecrypt prompts for the password) and mount it.
do_mount(){
    mkdir -p "$DECRYPTED_MNT"
    truecrypt --text "$ENCRYPTED_FILE" "$DECRYPTED_MNT"
}

# Dismount this container only, not every mounted TrueCrypt volume.
do_umount(){
    truecrypt --text --dismount "$ENCRYPTED_FILE"
}

# Show whether this container is currently mounted.
do_status(){
    truecrypt --text --list "$ENCRYPTED_FILE"
}

# The exit status of truecrypt is passed through to the caller.
case "$1" in
    --mount)
        do_mount
        ;;
    --umount)
        do_umount
        ;;
    --status)
        do_status
        ;;
    *)
        echo "Usage: $SCRIPTNAME {--mount|--umount|--status}" >&2
        exit 1
        ;;
esac
When using curl, you may receive the following error message if you are missing the CA certificate in the directory tree /usr/local/share/ca-certificates/ for the site you are trying to connect to:
user@hardy:/tmp$ curl https://example.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
The easiest way around this is to turn off curl’s verification of the certificate, using the -k (or --insecure) option, but curl then accepts any certificate the server presents. The best way is to add the associated CA certificate to your system by following these directions: Adding Additional SSL CA certificates.
On Ubuntu Hardy, curl is compiled to use the file /etc/ssl/certs/ca-certificates.crt. You will see the following when executing curl against a site using HTTPS:
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
On Ubuntu Lucid, curl is compiled to use the CA certificate directory /etc/ssl/certs/. You will see the following when executing curl against a site using HTTPS:
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
You can override this with the --cacert or --capath options.
On Ubuntu, SSL CA certificates are stored in subdirectories of /usr/local/share/ca-certificates. In order to add additional CA certificates, first create a new subdirectory to store your CAs:
sudo mkdir /usr/local/share/ca-certificates/added
Then add your CA certificates to this directory. These files should have a .crt extension (e.g., my_ca.crt). Then append a line for each certificate you add to the configuration file /etc/ca-certificates.conf (e.g., “added/my_ca.crt”). Finally, run
sudo update-ca-certificates --fresh
This command reads the file /etc/ca-certificates.conf, updates the directory /etc/ssl/certs to hold SSL certificates and generates the file /etc/ssl/certs/ca-certificates.crt. The script update-ca-certificates uses the command c_rehash to take a hash value of each .crt file. It then creates symbolic links in the directory /etc/ssl/certs for each of the files, named by the hash value. This is useful as many programs require directories to be set up like this in order to find the certificates they require. /etc/ssl/certs/ca-certificates.crt is a concatenated single-file version of CA certificates. It contains all CA certificates that were activated in /etc/ca-certificates.conf.
Use the file command to verify that the .crt files you add use Unix newline characters, otherwise the /etc/ssl/certs/ca-certificates.crt file may not be generated properly.
DOS text files traditionally have CR/LF (carriage return/line feed) pairs as their new line delimiters while Unix text files traditionally have LFs (line feeds) to terminate each line. Tofrodos comprises one program, “fromdos” alias “todos”, which converts text files to and from these formats. Use “fromdos” to convert DOS text files to the Unix format, and “todos” to convert Unix text files to the DOS format.
Homepage: http://www.thefreecountry.com/tofrodos/
To install on Ubuntu:
sudo aptitude install tofrodos
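A pre-flight check for the CA files discussed above, to run before update-ca-certificates; this is an added example, not part of the original page or of any Ubuntu tool. The function name check_ca_dir, the checks it makes and the sample files in demo are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for CA files before update-ca-certificates.
# check_ca_dir and its checks are this example's own, not an Ubuntu tool.

# Print one finding per line for the files in directory $1.
# Returns 0 when every file passed, 1 otherwise.
check_ca_dir() {
    dir=$1
    findings=0
    cr=$(printf '\r')
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.crt) ;;
            *)  echo "$f: name does not end in .crt"
                findings=$((findings + 1))
                continue ;;
        esac
        # DOS line endings: any carriage return in the file.
        if grep -q "$cr" "$f"; then
            echo "$f: CR/LF line endings (convert with fromdos)"
            findings=$((findings + 1))
        fi
        # A PEM certificate needs both marker lines.
        if ! grep -q '^-----BEGIN CERTIFICATE-----' "$f" ||
           ! grep -q '^-----END CERTIFICATE-----' "$f"; then
            echo "$f: PEM BEGIN/END CERTIFICATE markers not found"
            findings=$((findings + 1))
        fi
        # $(...) strips a trailing newline, so non-empty output means the
        # last byte is not a newline and a concatenated bundle would run
        # this certificate into the next one.
        if [ -n "$(tail -c 1 "$f")" ]; then
            echo "$f: no newline at end of file"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo on constructed files (placeholder body, not a real certificate).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
        '-----END CERTIFICATE-----' > "$d/unix.crt"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
        '-----END CERTIFICATE-----' > "$d/dos.crt"
    check_ca_dir "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# With a directory argument, check it; without one, run the demo.
if [ -n "${1:-}" ]; then
    check_ca_dir "$1"
else
    demo || echo "demo: the finding above is expected for dos.crt"
fi
```

Run it against the directory holding the new certificates, for example /usr/local/share/ca-certificates/added, and fix every finding before regenerating the bundle.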
I would get this error whenever I would run ‘sudo aptitude update’ or ‘sudo apt-get update’:
W: GPG error: http://mirror.anl.gov oneiric Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
I was able to resolve this issue for this GPG public key in particular by doing the following:
sudo apt-get clean
sudo mv /var/lib/apt/lists /tmp
sudo mkdir /var/lib/apt/lists
sudo apt-get update
When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric, the following error occurs:
root@ubuntu:~# vpnc-connect
Error: either "to" is duplicate, or "ipid" is a garbage.
After some time it eventually times out and fails to create a connection.
vpnc version information:
root@ubuntu:/tmp# vpnc --version
vpnc version 0.5.3
Copyright (C) 2002-2006 Geoffrey Keating, Maurice Massar, others
vpnc comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of vpnc under the terms of the GNU General
Public License. For more information about these matters, see the files
named COPYING.
Built with certificate support.
Supported DH-Groups: nopfs dh1 dh2 dh5
Supported Hash-Methods: md5 sha1
Supported Encryptions: null des 3des aes128 aes192 aes256
Supported Auth-Methods: psk psk+xauth hybrid(rsa)
It appears that the Ubuntu package vpnc comes with an old version of vpnc-script. This script is what sets up all the addresses and routes for you. The OpenConnect project provides an updated / revised release of this script. Download the latest copy from here. Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script.