PostgreSQL 8.3 adding uuid-ossp on Debian

UUID is a nice way to generate (almost) unique IDs.

On PostgreSQL 8.3 the data type exists, but to be able to generate UUIDs you need to get a module (in this case uuid-ossp).

On Debian this module is in the contrib package, so if you have not installed it before, do it now:

user@server:~$ sudo apt-get install postgresql-contrib

Then you need to “load” the module into PostgreSQL; or more accurately you tell PostgreSQL about the new functions this module has, how to reach them etc.
Depending on your security settings (in pg_hba.conf) you may need to log in as the postgres user on your system.

postgres@server:~$ psql -d MYDB -U postgres -f /usr/share/postgresql/8.3/contrib/uuid-ossp.sql

Ubuntu Hibernate/Suspend problem

First off, a quick explanation.
Suspend saves an image to RAM. It is faster to save and reload, but the computer uses a minimal amount of energy to keep the image in RAM. If the power is lost (battery is drained etc.) then the image is lost.
Hibernate saves an image to disk. It is slightly slower to save and reload, but there is no problem if the power is lost.

However, I am not the only one who has noticed that hibernate/suspend on Ubuntu does not work on a default installation.
One solution that others besides me have found to work is to switch to uswsusp.

user@laptop$ sudo apt-get install uswsusp
user@laptop$ sudo s2disk

s2disk does a hibernation (s2ram does a suspend); and it is good to test it out before swapping the hibernate/suspend function.
When you know hibernate/suspend works, you can swap to using uswsusp by using:

user@laptop$ sudo dpkg-divert --rename --divert /usr/sbin/pmi-disabled /usr/sbin/pmi

If you would later like to swap back, you can use:

user@laptop$ sudo dpkg-divert --rename --remove /usr/sbin/pmi

Adding an OpenVPN client on Ubuntu 10.04

First the certificate (key) should be created on the server.

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Copy the certificate files to the client (hostname.key is the client's private key, so move it over a secure channel):
* /etc/openvpn/ca.crt
* /etc/openvpn/easy-rsa/keys/hostname.crt
* /etc/openvpn/easy-rsa/keys/hostname.key

Then the client should be set up:

apt-get install openvpn
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client.conf

Edit the client.conf file (edit whatever you need to fit your config; the following are the settings I recommend):
The fix for Vista I add (commented out) since I am lazy and usually just copy an old config file to the next client.

remote my.domain.com 1194
 
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key
 
#fix for vista being stupid...
;route-method exe
;route-delay 2

Restart OpenVPN on the client:

 /etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                
 *   Autostarting VPN 'myVPN'                                         [ OK ]

Same as with the server, the above means that it went well; a [fail] means that the logs should be read for details.

A word of caution: [ OK ] only means that OpenVPN was started OK, with no errors in the config etc.
There might still be issues with firewalls, a wrong hostname (for the server) etc.
Check ifconfig and ping the server to make sure it is working.

Installing OpenVPN (server) on Ubuntu 10.04

This is a quick note on how to install OpenVPN as an Ethernet tunnel (not a bridge) on Ubuntu 10.04.

Install

sudo apt-get install openvpn

Server Certificates

First, copy the easy-rsa directory to /etc/openvpn.

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

You may also wish to adjust permissions in the easy-rsa directory to allow the current user permission to create files.

sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars and make sure you adjust at least the following values to values that make sense to you:

export KEY_COUNTRY="SE"
export KEY_PROVINCE="Blekinge"
export KEY_CITY="Karlskrona"
export KEY_ORG="My organization"
export KEY_EMAIL="vpnhelp@example.com"

Enter the following to create the server certificates:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Server Configuration
Let's start by copying the example config.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf changing (at least) the following options (change to values that make sense to you):

#Change the VPN subnet address to one that makes sense to you (and doesn't collide with any other net)
server 10.9.0.0 255.255.255.0
#If you wish the computers on the VPN to be able to connect to each other then uncomment
client-to-client
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
#If this is uncommented then a separate log will be written for OpenVPN (If both log lines are uncommented, then syslog is used)
log-append  openvpn.log
#To enable per client configurations uncomment:
client-config-dir client-configs

Restart the VPN:

/etc/init.d/openvpn restart

If the server failed to start:

/etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                                                                                 
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                                                                                 
 *   Autostarting VPN 'server'                                                     [fail]

Then you should check the log (either syslog or the log you set in the config file) and solve the issues.
After a successful start, the output should look like this:

/etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                                                                                 
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                                                                                 
 *   Autostarting VPN 'server'                                                     [ OK ]
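
A quick check of which hardening directives are actually in effect in server.conf, as an added example (not from the original post): it flags a missing user/group privilege drop, a ta.key that was generated but never enabled with tls-auth, and a 1024-bit DH file. The two config excerpts are constructed, and the tls-auth lines and the dh2048.pem name (what build-dh writes when KEY_SIZE is 2048 in vars) are assumptions that are not shown above.

```shell
#!/bin/sh
# Constructed excerpt: privilege drop and tls-auth are still commented out.
sample_unedited() {
cat <<'EOF'
port 1194
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0 # This file is secret
;user nobody
;group nogroup
EOF
}

# Constructed excerpt: the edits from this post plus tls-auth and a larger DH file.
sample_hardened() {
cat <<'EOF'
port 1194
dh dh2048.pem
server 10.9.0.0 255.255.255.0
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
EOF
}

# Print only the directives in effect: drop '#' and ';' comments and blank lines.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# audit_server_conf < server.conf  -> space-separated findings, empty if none
audit_server_conf() {
    act=$(active_directives)
    findings=""
    for d in user group tls-auth; do
        if ! printf '%s\n' "$act" | grep -Eq "^$d([[:space:]]|\$)"; then
            findings="$findings missing:$d"
        fi
    done
    # The dh file name is the only size hint available without openssl.
    if printf '%s\n' "$act" | grep -Eq '^dh[[:space:]].*1024'; then
        findings="$findings weak:dh1024"
    fi
    echo "${findings# }"
}

echo "unedited: $(sample_unedited | audit_server_conf)"
echo "hardened: $(sample_hardened | audit_server_conf)"
```

On a real server, run it as audit_server_conf < /etc/openvpn/server.conf; if tls-auth is enabled on the server, every client needs the same ta.key and a matching tls-auth line.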

apt-get WARNING: The following packages cannot be authenticated!

apt-get verifies packages before installing them.
If the keys are not up to date, then apt-get upgrade will issue a warning.

WARNING: The following packages cannot be authenticated!
  ure uno-libs3
Install these packages without verification [y/N]?

The way to solve this is rather simple: just run apt-get update and it should download the keys automatically.

apt-key handles keys; apt-key list will show you the keys that are on the computer.

Ubuntu: Upgrade release version

  1. Check “/etc/update-manager/release-upgrades” to decide what sort of releases you wish to use (lts/normal/or never upgrade)
    # default behavior for the release upgrader
    #
     
    [DEFAULT]
    # default prompting behavior, valid options:
    #  never  - never prompt for a new distribution version
    #  normal - prompt if a new version of the distribution is available
    #  lts    - prompt only if a LTS version of the distribution is available
    Prompt=normal
  2. Make sure the (current) dist is up to date. Problems are not guaranteed if you don’t – but they are likely
    • apt-get update
    • apt-get upgrade
  3. Make sure the upgrade tool is installed (and up to date) “apt-get install update-manager-core”
  4. do-release-upgrade
  5. Follow the instructions

apt-get update gives the error “E: Could not get lock /var/lib/apt/lists/lock – open (11: Resource temporarily unavailable)”

If running apt-get (or aptitude) and you get the following error:

$ apt-get update
E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the list directory

The most likely explanation is that one of the sources has timed out and that a (cron) scheduled update task has gotten locked.
A simple solution for this is to find the cron process that is locked, and kill it.

$ ps -a |grep apt
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
 3737 ?        SN     0:00 /bin/sh /etc/cron.daily/apt
 3833 ?        SN     0:00 apt-get -qq -y update -o APT::Update::Auth-Failure::=cp /usr/share/apt/apt-auth-failure.note /var/lib/update-notifier/user.d/
 3835 ?        SN     0:00 /usr/lib/apt/methods/http
 3838 ?        SN     0:00 /usr/lib/apt/methods/http
 3842 ?        SN     0:00 /usr/lib/apt/methods/http
 3869 ?        SN     0:00 /usr/lib/apt/methods/http
 4223 pts/0    R+     0:00 grep apt
$ kill -9 3833

If this happens often, then perhaps you should try to debug the sources and remove (or exchange) the source that is causing the problems.

apt-get update The following packages have been kept back

 apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  bind9-host dnsutils libbind9-50 libdns50 libisc50 libisccc50 libisccfg50 liblwres50 linux-generic linux-generic-pae linux-image-generic
  linux-image-generic-pae
0 upgraded, 0 newly installed, 0 to remove and 12 not upgraded.

The message “have been kept back” most often means that the upgrade was kept back due to dependencies that are not met.

Some possible solutions

  • A simple way is to invoke dselect to help out with the update. dselect performs the actions necessary to realize that state (for instance, the removal of old and the installation of new packages).
     apt-get dselect-upgrade
  • While apt-get and aptitude are basically the same, aptitude is sometimes better at handling dependencies than apt-get
     aptitude upgrade
  • Another solution is to use apt-get install on the package to be upgraded and let apt-get install the missing dependencies
     apt-get install dnsutils

Quickly configure shorewall on Debian

By definition shorewall is not a firewall, it is a way to (more) easily configure iptables to work as a firewall.

  • First install shorewall “$ apt-get install shorewall”
  • Enter /etc/shorewall
  • Copy the example files from /usr/share/doc/shorewall-common/default-config/ (might also be located in /usr/share/doc/shorewall/default-config/) “$ cp /usr/share/doc/shorewall-common/default-config/* .”
  • Edit the files and enter the data that your system has
    • First create zones “$ nano zones”
       #ZONE   TYPE            OPTIONS         IN OPTIONS                OUT OPTIONS
      fw      firewall
      net     ipv4
      vpn     ipv4
    • Connect zones with interfaces “$ nano interfaces”
      #ZONE   INTERFACE       BROADCAST       OPTIONS
      net     eth0            detect          tcpflags,blacklist,dhcp
      vpn     tun0            -
    • Create policies “$ nano policy”
       #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
      fw              net             ACCEPT
      vpn             net             ACCEPT
      vpn             fw              ACCEPT
      fw              vpn             ACCEPT
      net             all             DROP            info
      all             all             DROP            info
    • Create rules “$ nano rules”
       #ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
      #                                               PORT(S) PORT(S)         DEST            LIMIT           GROUP
      ACCEPT          net             fw             tcp     22 # ssh
      ACCEPT          net             fw             tcp     80 # web
    • Verify that the rules are fine “$ shorewall check”
    • Edit /etc/default/shorewall and set startup to 1
       # prevent startup with default configuration
      # set the following varible to 1 in order to allow Shorewall to start
       
      startup=1
    • Start the firewall “$ /etc/init.d/shorewall start”

If you later decide to update rules, zones etc run “$ /etc/init.d/shorewall restart” to load the changes.
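
How the rules and policy files above combine for a given connection, as an added example (not from the original post and not Shorewall's own code): rules are checked first, then the first matching policy line decides. This is a simplified model that only looks at the zone, protocol and port columns and ignores traffic within one zone; udp for port 1194 is an assumption based on OpenVPN's default.

```shell
#!/bin/sh
# Constructed copies of the rules and policy entries listed above.
RULES='ACCEPT net fw tcp 22
ACCEPT net fw tcp 80'
POLICY='fw  net ACCEPT
vpn net ACCEPT
vpn fw  ACCEPT
fw  vpn ACCEPT
net all DROP info
all all DROP info'

# decide SRC DST PROTO PORT -> "<ACTION> (rule)" or "<ACTION> (policy)"
decide() {
    # 1. The rules file is consulted first; a matching rule decides.
    hit=$(printf '%s\n' "$RULES" |
        awk -v s="$1" -v d="$2" -v p="$3" -v n="$4" \
            '$2==s && $3==d && $4==p && $5==n { print $1; exit }')
    if [ -n "$hit" ]; then
        echo "$hit (rule)"
        return 0
    fi
    # 2. Otherwise the first policy line matching the zone pair applies.
    #    "all" is a wildcard, so the order of the lines matters.
    hit=$(printf '%s\n' "$POLICY" |
        awk -v s="$1" -v d="$2" \
            '($1==s || $1=="all") && ($2==d || $2=="all") { print $3; exit }')
    echo "${hit:-no-match} (policy)"
}

# Flows worth checking against this configuration.
for flow in "net fw tcp 22" "net fw tcp 25" "vpn fw tcp 25" "net fw udp 1194"; do
    # shellcheck disable=SC2086  # word splitting of $flow is intended
    echo "$flow -> $(decide $flow)"
done
```

The last flow is dropped by policy, so an OpenVPN server running on this same host would need its own ACCEPT line in rules before clients in the net zone could reach it.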