Archive for the ‘linux’ Category

Router with failover line

Tuesday, May 25th, 2010

The last month I worked in the Nairobi office. For internet we have a KDN-Fibre. Because it’s down so often we also have a KDN-Wimax line. But even with this configuration we sometimes have downtimes, so we also ordered a ZUKU Wimax line.

Both KDN lines use the same IP. I don’t think it’s easily possible to have them both plugged into the router for redundancy. So when the fiber is down someone has to unplug it and plug in the wimax cable. For the ZUKU line I wanted a better solution: if KDN has a problem, the ZUKU line should take over automatically. The first approach was to use an old PC with Linux installed and three network cards. But there are a few serious drawbacks. A whole PC uses lots of power. It’s expensive, heats up the office, it’s not so green, and if we have a power cut it drains the backup battery faster. A router with redundant line capabilities is quite expensive… and also uses lots of power. It’s also oversized for our little office.

But there is openwrt and a few similar projects. They provide a Linux distribution which you can install on a few cheap and small wireless routers. These routers, which have almost no functionality out of the box, can become very powerful devices with a proper operating system installed on them.

It was really hard to find a supported router in Nairobi. In Switzerland you can get them in lots of online and offline shops. Here we had to find someone who specialized only in routers. The one we bought was a Linksys WRT54GL. The next step was to install the openwrt OS on it. There are two flavors; I used Kamikaze, it’s more modern! You can use the original web interface to upload the new firmware. There is a page listing all the ways to install it. The router now has a very powerful web interface. You can already add multiple WAN interfaces. I created one for the ZUKU line called zukuwan. You also have to add a third VLAN (*1) which uses one of the LAN ports and uses the zukuwan network. I also had to add that zukuwan network to the WAN zone of the firewall. To modify the firewall settings I had to install the luci firewall package (*2).

You can check whether both WAN lines are working properly by plugging in only one WAN line and restarting the router.

A nice guy created a script which adds line balancing and failover support. For this some rather complex routing stuff is required. The script manages that and also checks if a line is down. You have to add the packages multiwan and luci-app-multiwan (config interface) from https://forum.openwrt.org/viewtopic.php?id=23904.

After you have installed the packages you have a multi-wan configuration page in the network menu. There, remove the wan2 config and add a new one called zukuwan, or whatever you called your second WAN connection. You can also remove all of the entries in mwanfw. The default route should be fastbalancer. Set the failover_to for each interface to the other one.

After this it should work. If it’s not working there is a way to check. You can connect via ssh to the router if you changed your password. There, type:

    ip route show table 123

This should give two default routes. If you unplug one cable it should take about 10 to 20 seconds and then this route should be removed.
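The check described above can be scripted. The following is an added example, not part of the original post or of the multiwan package: it reads the output of ip route show table 123 and names the WAN devices that no longer have a default route in that table. The device name eth0.1 for the first WAN line, the gateway address and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report WAN devices missing from the multiwan routing table.

# Print the device of every default-route next hop read from stdin.
# Handles "default via A dev X" and multipath "nexthop via A dev X" lines.
default_devs() {
  awk '
    function dev(   i) {
      for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
      return ""
    }
    /^default/       { in_def = 1; d = dev(); if (d != "") print d; next }
    /^[ \t]+nexthop/ { if (in_def) { d = dev(); if (d != "") print d }; next }
                     { in_def = 0 }
  '
}

# Print each expected device (arguments) that has no default route on stdin.
missing_wan() {
  present=$(default_devs)
  for want in "$@"; do
    printf '%s\n' "$present" | grep -qxF "$want" || echo "$want"
  done
}

# Constructed sample: table 123 after the first WAN cable was unplugged.
sample_after_unplug='default via 198.51.100.1 dev eth0.2'
printf '%s\n' "$sample_after_unplug" | missing_wan eth0.1 eth0.2

# On the router (device names are assumptions, adjust to your setup):
#   ip route show table 123 | missing_wan eth0.1 eth0.2
```

Run from cron on the router, an empty result means both lines are in the failover table; any device name printed is a line that multiwan has taken out.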





(*1) Go to the Administration/Network/Switch page. Add an interface ethX.2. Set it to the ports 0 and 5. Remove port 0 from ethX.0. For the second WAN connection set eth0.2 as interface.

(*2) Go to Administration/Overview/LuCI Components. Check luci-app-firewall package and press the Install button. After a restart you have the Administration/Network/Firewall config page. Select wan and zukuwan for the wan Zone.

Merge and split PDFs

Wednesday, May 19th, 2010

To make one PDF file out of many is not so hard on Linux. Usually ghostscript is already installed. You can use

    gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=merged.pdf \
       file1.pdf file2.pdf file3.pdf

to do that. Instead of providing every single filename, something like *.pdf is more usable.

To extract a few pages out of one big PDF you can use:

    gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=pages_10_to_15.pdf \
       -dFirstPage=10 -dLastPage=15 big_file.pdf

apache with a segmentation fault

Wednesday, March 18th, 2009
i deployed a python app on a live server and the only output i got was a blank page. there was no error in the virtual host’s log file and it stopped somewhere during the execution of the script. in the apache error log file i found the following line:

    child pid 15136 exit signal Segmentation fault (11)

a very informative and helpful message. after a bit of googling i found out that gdb would help. gdb is short for GNU Project Debugger. in the file /usr/share/doc/apache2.2-common/README.backtrace there is a short howto to get a stacktrace of a segmentation fault in apache… at least on debian based systems. here is a short overview of what there is to do.

at first it’s necessary to install the following packages:

    apt-get install apache2-dbg libapr1-dbg libaprutil1-dbg gdb

add the line

    CoreDumpDirectory /var/cache/apache2

to your apache config, usually /etc/apache2/apache2.conf. after a restart, apache should now create a memory dump named /var/cache/apache2/core which can be analysed with gdb. it might be necessary to set the maximum size of the coredump as follows (including a restart of apache):

    /etc/init.d/apache2 stop
    ulimit -c unlimited
    /etc/init.d/apache2 start

to analyze the core dump you need to run gdb as follows:

    gdb /usr/sbin/apache2 /var/cache/apache2/core
    (gdb) bt full
    ...
    (gdb) quit

if you use the threaded mpm (unlikely) then you need to use

    gdb /usr/sbin/apache2 /var/cache/apache2/core
    (gdb) thread apply all bt full
    ...
    (gdb) quit

my dump produced the following output:

    #0 0xb7dd86a5 in free () from /lib/libc.so.6
    #1 0xb6675011 in RelinquishMagickMemory () from /usr/lib/libMagick.so.9
    #2 0xb6625ba0 in DestroyDrawInfo () from /usr/lib/libMagick.so.9
    #3 0xb57d9857 in Magick::Options::~Options () from /usr/lib/libMagick++.so.10
    #4 0xb57d6725 in Magick::ImageRef::~ImageRef () from /usr/lib/libMagick++.so.10
    #5 0xb57cbfe6 in Magick::Image::~Image () from /usr/lib/libMagick++.so.10
    #6 0xb59ed7f3 in boost::python::objects::value_holder::~value_holder () from /var/lib/python-support/python2.5/PythonMagick/_PythonMagick.so
    #7 0xb581adea in ?? () from /usr/lib/libboost_python-gcc42-1_34_1-py25.so.1.34.1
    #8 0xb6ce6f4f in ?? () from /usr/lib/libpython2.5.so.1.0
    #9 0x0889a39c in ?? ()
    #10 0xb6d8f7e0 in ?? () from /usr/lib/libpython2.5.so.1.0
    #11 0xbf80d088 in ?? ()
    #12 0xb6ce6c60 in ?? () from /usr/lib/libpython2.5.so.1.0
    #13 0x00000000 in ?? ()

i was using pythonMagick which uses Magick++ which uses ImageMagick. it was a bit irritating that Magick++ version 10 used ImageMagick version 9 instead of 10. after removing ImageMagick version 9 the problem was gone. no idea why it used the wrong version.

install ubuntu from usb stick

Sunday, December 28th, 2008
i bought myself a “Gigabyte GA-GC230D, Atom 230” motherboard some weeks ago and now i finally had time to install linux on it. i was a bit surprised how much of a torture this was. there are lots of quite specific howtos but still it took me hours of trying. in the end it was quite easy, but you have to know how. here is a list of sources i used, but none of them did it by itself:

live usb pendrive persistent
installation from usb stick
how to install ubuntu on usb bar

preparing the usb stick

at first, i created a single partition; there is usually already one on a usb stick. it has to be at least the size of two cds. then i formatted it like this:

    sudo mkfs -t vfat /dev/sdx1

where /dev/sdx1 is the partition of the usb stick. be careful not to accidentally format another partition if you have serial-ata or scsi disks. i accidentally formatted my swap space :-) you can find out your usb device by typing:

    sudo fdisk -l

copy the files

you need to get an iso image of an install cd. i got the ubuntu 8.10 server image. after downloading i created a directory, mounted the iso to this directory and copied all the files to the usb stick. it is probably not necessary to copy all files to the stick but i was too lazy to test what’s exactly necessary. the path of the usb stick was in my case /media/disk.

    mkdir ubuntuImage
    mount -o loop /path/to/iso-image ubuntuImage
    cd ubuntuImage
    cp -Rf * /media/disk
    cp -Rf .disk /media/disk
    cp -Rf isolinux /media/disk/syslinux
    cd /media/disk/syslinux
    mv isolinux.cfg syslinux.cfg

that’s it, the files are on the stick. during the installation there was a problem copying files from the stick. i solved it by making a copy of /media/disk/dists/intrepid to stable. on the cd there was a symbolic link to stable, which is not possible on a fat filesystem.

    cp -R /media/disk/dists/intrepid /media/disk/dists/stable

to “fix” another problem occurring later, copy the whole iso image to the stick too.

make the drive bootable

to install the bootloader you need a command called syslinux. it does some magic to the usb stick. to install it type:

    sudo apt-get install syslinux mtools

if your usb stick is mounted, unmount it. use

    sudo syslinux /dev/sdx1

to finally install the bootloader. to be sure your stick has a proper master boot record use:

    install-mbr /dev/sdx

booting from the stick

in the bios i had to activate an option called “legacy USB storage detect” and select USB-ZIP as boot device. after that ubuntu booted and the installer started. the first problem occurred when it tried to load the cd. it just wasn’t able to do this. with alt-f2 you can switch to the console and mount the “cdrom” manually by typing

    mount -t vfat /dev/sdx1 /cdrom

go back to the installer with alt-f1, try the failed step again and it should now work. after setting up network and disk another error will occur. when trying to install the base system a message “Failed to determine codename for the release” will appear. go back to the install menu and select “load installer components from cd”. select the iso option and it will find the image and the installation should continue without problems.

apache and tomcat on debian

Sunday, November 23rd, 2008
this is a little manual to get a debian etch server with apache2 and tomcat5.5 running.

the software you need

for tomcat you need a jdk. the one from sun is easy to install and stable. because it is in non-free you need to change your /etc/apt/sources.list file. after that it should look about like this:

    deb http://ftp.ch.debian.org/debian/ etch main non-free
    deb http://security.debian.org/ etch/updates main contrib non-free

it usually should only be necessary to add the non-free tags. after changing the file you need to update your package index with:

    apt-get update

we need apache2, jdk, tomcat5.5 and, for the connection between tomcat and apache, mod_jk. to install them:

    apt-get install apache2 sun-java5-jdk tomcat5.5 libapache2-mod-jk

now you should have an “it works” page from apache with the url http://localhost. tomcat you may need to start yourself:

    /etc/init.d/tomcat5.5 start

after that you should get a blank page with http://localhost:8180. the page is blank because there are no webapps installed yet.

tomcat configuration

we need no fancy configuration stuff, no cluster, no tomcat manager, so we can reduce the whole /etc/tomcat5.5/server.xml config file to:

    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">
        <Connector port="8180" maxHttpHeaderSize="8192" maxThreads="150"
                   minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
                   redirectPort="8443" acceptCount="100" connectionTimeout="20000"
                   disableUploadTimeout="true" />
        <Connector port="8009" enableLookups="false" redirectPort="8443"
                   protocol="AJP/1.3" />
        <Engine name="Catalina" defaultHost="localhost">
          <Host name="localhost" appBase="webapps" unpackWARs="true"
                autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
          </Host>
        </Engine>
      </Service>
    </Server>

you can also leave it like it was, it should make no difference.

next we will set up an example application. for that we will set up a “virtual host” so we can connect with a domain name. for example we take the domain example.com. at first we create a directory named example.com in /var/www. we also set the owner of example.com to tomcat55 because tomcat needs to write to this directory to deploy war files.

    mkdir /var/www/example.com
    chown tomcat55 /var/www/example.com

in the next step we will set up the virtual server in tomcat. in the /etc/tomcat5.5/server.xml file we need to add a Host element to the Engine element. the Host element should look like:

    <Host name="example.com" appBase="/var/www/example.com" unpackWARs="true"
          autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    </Host>

after that we need to restart tomcat again

    /etc/init.d/tomcat5.5 restart

to test this, we can deploy an example war file. there is one downloadable from an apache server. we just need to change into the example.com directory and download it with wget. we save it as ROOT.war because this creates the root webapp, the webapp which is reachable directly with no additional context path:

    cd /var/www/example.com
    wget -O ROOT.war http://tomcat.apache.org/tomcat-5.5-doc/appdev/sample/sample.war

after that we should be able to view the sample page with the url http://example.com:8180. but for that we need to point the domain example.com to the proper server. to do that you need to add the line

    192.168.1.100 example.com

to the /etc/hosts file of the client from which you are trying to connect to the server. the ip can be 127.0.0.1 when you are trying to connect from the server itself, otherwise it must be the ip of the server. the page at http://example.com:8180 should look like an example “hello world!” page.

configure apache

now tomcat is running but we can only access tomcat files through port 8180. we surely want to access these pages through the default http port: 80. this port is already in use by the apache server. for this we need mod_jk. this is a kind of proxy which requests files for some defined url patterns from tomcat and sends them back to the client. for that we need at first to add a virtual host to the apache config. create a file named example.com in /etc/apache2/sites-available:

    <VirtualHost *>
        ServerAdmin your@email.com
        DocumentRoot /var/www/example.com/ROOT
        ServerName example.com
        ErrorLog /var/log/apache2/example.com.error.log
        CustomLog /var/log/apache2/example.com.access.log combined
        <Directory /var/www/example.com/ROOT>
            Options Indexes
        </Directory>
        <LocationMatch "/(WEB-INF|META-INF)/">
            Order allow,deny
            Deny from all
        </LocationMatch>
    </VirtualHost>

to activate the virtual host create a symbolic link to example.com in /etc/apache2/sites-enabled:

    ln -s /etc/apache2/sites-available/example.com /etc/apache2/sites-enabled/example.com

and restart apache

    /etc/init.d/apache2 restart

after that go to the url http://example.com. now you should see the same page as before with the port 8180. it is the same page but it is served by the apache server and not by tomcat. there are two links in this page. the first goes to a file called hello.jsp. this jsp page should be interpreted by tomcat but it isn’t; we see the source code. the second link, /hello, is a servlet and it isn’t served by tomcat either. for that we have to add two rules to the example.com apache config:

    JkMount /hello ajp13_worker
    JkMount /*.jsp ajp13_worker

now these two patterns, the path hello and all paths ending with .jsp, should be forwarded to tomcat. but we need to set up mod_jk properly first.

mod_jk to glue them together

there is already a mod_jk configuration, but like almost all config files it’s much too complicated. the config file is /etc/libapache2-mod-jk/workers.properties and should roughly contain:

    worker.list=ajp13_worker
    worker.ajp13_worker.port=8009
    worker.ajp13_worker.host=localhost
    worker.ajp13_worker.type=ajp13

now ajp_13 is properly configured. the module is loaded by apache2 but apache doesn’t know where the config file is. for that we create a file called jk.conf in /etc/apache2/mods-available:

    JkWorkersFile /etc/libapache2-mod-jk/workers.properties
    JkShmFile /var/run/apache2/jk-runtime-status
    JkLogFile /var/log/apache2/mod_jk.log
    JkLogLevel info

now we need a symbolic link to this file inside /etc/apache2/mods-enabled:

    ln -s /etc/apache2/mods-available/jk.conf /etc/apache2/mods-enabled/jk.conf

then restart apache again and it should work.

clean up the mess

if it works you can clean up, document and harden the whole config. for example you should kick out the http connector in tomcat (port 8180). because we can connect through apache we don’t need this connector anymore. each closed port on a server improves security a bit. there are many configurations to improve security and performance. it’s important to tweak them and adapt them to the server’s needs. but that’s your task. it might be that the config i used here is very poor concerning security and performance.
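One way to check the clean-up step, as an added example that is not part of the original post: the script lists every Connector in a server.xml and warns about the HTTP connector that should be removed and about an AJP connector that listens on all interfaces. Binding the AJP connector with Tomcat's address="127.0.0.1" attribute is a suggestion added here (mod_jk in this setup connects to localhost), and the sample config is a shortened, constructed copy of the one above.

```shell
#!/bin/sh
# Added example: list the Tomcat connectors in a server.xml read from stdin and
# flag those still reachable from the network once Apache/mod_jk fronts Tomcat.

# Print "port protocol address" per <Connector>; "*" means all interfaces.
list_connectors() {
  awk '
    function attr(tag, name,   s) {
      if (!match(tag, "[ \t\n]" name "=\"[^\"]*\"")) return ""
      s = substr(tag, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    { doc = doc $0 "\n" }
    END {
      # Drop XML comments so commented-out connectors are not reported.
      while ((i = index(doc, "<!--")) > 0) {
        rest = substr(doc, i + 4); j = index(rest, "-->")
        doc = substr(doc, 1, i - 1) (j ? substr(rest, j + 3) : "")
      }
      while (match(doc, /<Connector[ \t\n][^>]*>/)) {
        tag = substr(doc, RSTART, RLENGTH); doc = substr(doc, RSTART + RLENGTH)
        proto = attr(tag, "protocol"); addr = attr(tag, "address")
        print attr(tag, "port"), (proto ? proto : "HTTP/1.1"), (addr ? addr : "*")
      }
    }
  '
}

# Warn about every connector that Apache on the same host does not need exposed.
audit_connectors() {
  list_connectors | while read -r port proto addr; do
    case "$proto:$addr" in
      AJP*:127.0.0.1|AJP*:localhost) ;;
      AJP*) echo "WARN: AJP port $port listens on $addr, bind it to 127.0.0.1" ;;
      *)    echo "WARN: HTTP connector on port $port is still enabled" ;;
    esac
  done
}

# Constructed sample: the two connectors from the server.xml above, shortened.
audit_connectors <<'EOF'
<Service name="Catalina">
  <Connector port="8180" maxThreads="150" redirectPort="8443" />
  <Connector port="8009" enableLookups="false"
             redirectPort="8443" protocol="AJP/1.3" />
</Service>
EOF
```

On the server, run it as audit_connectors < /etc/tomcat5.5/server.xml; no output means only a loopback-bound AJP connector is left.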