System Administration

I use the built-in Apache 2.2 ajp ProxyPass support when deploying Tomcat and JBoss applications via Apache. When doing so, be careful your slashes match up or you can have subtle problems with applications which use redirects. For example, I was deploying a JSPWiki but having an odd problem with authentication where logins would seem to fail but then work fine if I manually reloaded the page. I was using this Apache configuration:

ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki/
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki/

This appeared to work fine, but when logging in an extra slash would get added to the Login.jsp redirection page. This kept the redirect to the main page from working, causing it to reload the Login.jsp infinitely even though login had been successful. A manual click of the reload button fixed the site, with authentication and all other functions working until trying to log in again.

ProxyPass /webdevwiki ajp://127.0.0.1:8009/webdevwiki
ProxyPassReverse /webdevwiki ajp://127.0.0.1:8009/webdevwiki

Removing the extra slashes as shown fixed this issue.

Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2, some significant changes are needed which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.

Necessary modules

• auth_basic
• authz_user
• ldap
• authnz_ldap

Directives


AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user

AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.

AuthzLDAPAuthoritative Off is needed to allow the authorization to fall though to Require valid-user, otherwise you will get auth _ldap authorise: authorisation denied in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the ldap server, see authentication succeed, and wonder why it keeps requesting a username and password.

Zimbra lacks a calendar feature commonly used by serious Outlook and Entourage users, the ability to configure reminders for individual calendar entries. The workaround is to create a 'reminder' calendar entry, which does not work well as it requires manually changing the reminder if the original appointment changes. If you are a current or prospective Zimbra user and would like to have this feature added, please vote for this bug. On a related note, the Zimbra Toaster (which provides popup notification of new mail) does not support calendar reminders, which is documented in this bug.

In the area where I reside power fluctuations and outages are numerous, so having a UPS is crucial when doing serious computer work. When my old Belkin F6C800 unit recently died a malodorous death, I decided to return to APC. Browsing the local Best Buy, I saw a Back-UPS XS 1500 LCD on the shelf with, as the name implies, an LCD display. Such a geeky feature was beyond resistance for me.

I use a Back-UPS XS 1500 (without the LCD) for various machines downstairs, and it works well. The only issue with it is the noise; it beeps every time the power fluctuates with no way to turn it off. On some days when my power is particularly bad, this results in perpetual beeping every few minutes. Obviously they received many customer complaints about this, as the XS 1500 LCD has two buttons on the front; 'Power' and 'Mute'.

Update: The display readings for this device are proving to be inaccurate when tested. Do not rely on the readings from this device.

I made a purchase with Google Checkout earlier this week and was really impressed with the user experience. While doing some research into using it, I found they are offering free checkout services until 2008. This seems to be a killer deal for budding businesses; setting up a merchant account and transaction fees are a considerable obstacle for new businesses.

It does however lack Interchange support. It is possible to use the basic embedded-in-page checkout with Interchange now, but this HTML option doesn't provide as nice of an experience for the user. It also requires more administration work as the retailer has to manually process orders using Google's checkout site. Building and contributing Google Checkout XML interface support for Interchange may be in my future.

When using scratchbox (a cross-compilation toolkit), be very careful when moving or deleting user data from the /scratchbox/users directory. There are hard links to /dev, /sys, and other important directories there after adding users. Recursive commands are extremely dangerous in these user directories. The LILO boot results at the left were caused after moving scratchbox into its own partition using recursive commands.

/scratchbox/sbin/sbox_umount_all is your friend.

I have never had a good experience with S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology). It usually only reports the drive is about to fail after the drive has already failed and is completely unreadable. My latest drive failure is yet another case of this, but interesting in that this failure seems to have been quite easily predictable. The drive was obviously failing from the output of the S.M.A.R.T. monitoring system, with 197 new defects, and over 50 uncorrected errors. Yet the software in the drive still reports SMART Health Status: OK.

If your ethernet port is not working on OS X (it seems to be most common and/or only on the Intel Macbooks):

• Rename /Library/Preferences/SystemConfiguration


• Toggle a setting in the Network System Preferences panel


• Setup your Network as desired and test it, the configuration should rebuild and your network should now work

A friend had this happen on his brand new Macbook Pro Core 2. However, it has never happened on mine. This may mean the software preload was bad, especially if this happens on a new machine, so doing an Archive and Install is probably a good idea.

Update: Further testing indicates this problem was caused by bad firmware on a SMC SMCGS16-SMART switch. The problem only occurred upon connection to this brand and model of switch, and was resolved permanently by upgrading the firmware in the switch from v.1.00.04 to v.1.00.06_16.

When configuring a third party router with Verizon.net DSL, the DSL modem may need reconfigured to bridged mode and the third party router configured to handle PPPoE instead of the provided DSL modem. I found this issue in particular with the Westell 6100 DSL modems Verizon is now issuing. An excellent resource in this case is this information on configuring the Westell 6100 in bridged mode, then follow the third party router's instructions for PPPoE. Note the <username>@verizon.net and password configured for e-mail is the same one needed for PPPoE.

I have been using Ubuntu on various desktops lately; it is one of the most polished Linux distributions I have ever used from a desktop refinement standpoint. However, Ubuntu's desktop refinement appears to only be skin deep.

The Ubuntu developers tend to make major changes right before release time without adequate testing; Hoary's last minute Gnome update, the many issues I've had getting Dapper to work with most video cards (only one machine I've tested on so far works with the LiveCD without using safe mode, two have required the alternative install), and the PowerPC LiveCD installer crashing on yaboot thus making the LiveCD installer quite useless on that platform.

All of these issues were quite obvious, happen either every time or extremely often, and would have been caught with even the most rudimentary of testing. Apparently this lack of testing extends to their updates as well. If I had not noticed their past pattern of not testing before release, I would find it rather amazing that such an update, which kills X11 on their two most major platforms so consistently, slipped through.

It is absolutely critical to use data scrubbing with Linux software RAID. If you fail to do so, when one of the drives fail and the new one is put in place to resync with, the chance of losing all data is very high. When Linux resyncs a RAID array, it steps through each and every block on the disk(s) it is syncing from. If there are any bad blocks on the 'good' drives data scrubbing hasn't found (or data scrubbing isn't being used), that drive will also be marked as unusable. This renders your array useless unless an array is in use that can recover from multiple drive failures at the same time, or you have quite a few days to spend on manual recovery.

See this information on how to do data scrubbing with Linux RAID for another description and instructions on how to do this.

The new features in Solaris and its legendary stability have convinced me to give it a try. 

It has quite a few differences from Linux, some of them obviously better and others that are quite obnoxious to a seasoned Linux administrator.  What follows are some notes on a sample configuration setting up RAID and ZFS on a pair of 80GB disks.  I used Solaris 10 06/06, this short howto for the RAID information (with quite a few modifications for Solaris 10), and lots of man page reading.

I expect to follow this up with more notes on Solaris in the following weeks.

There was much excitement this week when Sun released a version of Java under a license that is supposed to allow Linux distributions to legally package it.  Debian almost immediately made it available in their non-free package repository.  However, it seems no one actually checked the license.  The much vaunted new license is actually very hostile to redistribution, completely useless to the very Linux distributions it is supposed to enable packaging with.

Hopefully this is just a mistake and they have an actually usable license to be released soon.  If not this is a huge mistake by Sun which is going to backfire in their faces quite loudly.

I have seen a depressing trend lately towards full-gloss laptop displays and computer screens.  It is hard to find screens anymore at retail outlets without a mirror-like glossy shine.  Although they look pretty at first glance, you can tell in seconds how unusable they are when you can see a perfect reflection of yourself and/or the store lights superimposed on the screen.  Now even Apple is in with the trend; just look at their sample image on that page; half the screen is unusable from glare even on their promotional page.

I was thrilled when LCDs came out that we were finally rid of the horrible glare problems of shiny glass CRT displays; however now the industry seems determined to bring mirror-like reflections back with a vengeance.

I like OS X's X11 implementation.  It allows X applications to rather cleanly mesh with the OS X environment.  However, when setting up X11 apps for end users X has a habit of popping up a terminal window.  Instead of making users close this window all the time, place a plain text .xinitrc file in their home directory with this line and only this line:

exec quartz-wm

This will disable xterm from starting when X starts.