#+TITLE: Administrative diary for Fripost's servers and systems
#+AUTHOR: Those involved with the administration

* Upgrade of benjamin
<2011-10-06 tor>

The server benjamin was upgraded to Debian GNU/Linux 6.0 Squeeze in accordance with the [[http://www.debian.org/releases/squeeze/i386/release-notes/ch-upgrading.en.html][upgrading release notes]]. At some point the RAID array did not mount, so the installation was interrupted. Mdadm was used to set up the software RAID:

: $ cat /proc/partitions
: $ cat /etc/mdadm/mdadm.conf
: # mdadm --misc --query /dev/sdc1 /dev/sdd1; # for display
: # mdadm --misc --examine /dev/sdc1 /dev/sdd1; # for display
: # mdadm --misc --examine --scan
: # mdadm --assemble --scan

Then the logical volume management (LVM) also needed to be set up.

: # vgdisplay
: $ ls -1 /dev | grep 2T; # shows nothing
: # vgchange --available y 2T_vg-backup
: $ ls -1 /dev | grep 2T; # shows VG 2T_vg-backup
: # cryptsetup luksOpen /dev/2T_vg-backup/backup backup
: # sudo mount -t ext4 /dev/mapper/backup /mnt/backup

The =/etc/fstab= is no longer correct since "ext4dev" is not a supported file system. Instead "ext4" should be used.

** Things to do after upgrade
- Remove the following packages
  - apticron (will be replaced by unattended-upgrades)
- Check logcheck rules
- Check rkhunter (root kit hunter) configurations
- Check NTP (network time protocol) configuration

* Configure Roundcube for password change
<2011-11-22 tis>

From phone call with Stefan. Apache is configured differently and better on zetkin. There is one file per host, which is better than having all hosts' configurations in one file. However, the Roundcube installation is older on zetkin, so it could be wise to update with backports.

<2011-11-22 tis>

[[http://www.roundcube.net/][Official website]]. The plugin of interest is [[http://trac.roundcube.net/browser/trunk/plugins/password][password]], found from [[http://trac.roundcube.net/wiki/Plugin_Repository][Plugin Repository]].

<2011-11-24 tor>

Found the Roundcube directory: /var/lib/roundcube/. The configuration files are in /etc/roundcube/. Also the relevant Apache2 configuration files are linked into /etc/roundcube/. Plugins are placed in /var/lib/roundcube/plugins/ and installed by editing /etc/roundcube/main.inc.php/. It took a while to figure Apache out enough to find the directories. Roundcube is not really a program; it is just some PHP script. I do not have a clue about how to download the plugin, after hours of searching. This PHP code tracking drives me mad.

<2011-12-04 sön>

As a plugin exercise I (Gustav) installed serverinfo. Note also catalogue /\/usr\/share\/roundcube/ and that many paths are links into /var/lib/roundcube/. It appears that some plugins come with the installation. See [[http://www.roundcubeforum.net/3-news-announcements/12-general-discussion/5258-plugin-download-link.html][This post]]. Finally the plugin is installed; I requested the full stable 0.6-version sources to my home directory and copied the plugin files into /var/lib/roundcube/plugin. Next step will be to identify how to establish a connection with the IMAP (database) server.

<2011-12-06 tis>

This is hard. It is not MySQL's MD5 algorithm that is used. The check sum is probably of base 64 and not hexadecimal (from Password.pm). Can this be a plan:
- Reproduce the fripost-passwd perl script to realise what is happening.
- Confirm how the connection is established between roundcube and imap.fripost.org

<2011-12-10 lör>

Notes from phone call with Stefan. (1) Create a user, /roudcubetunnel/, on /antilop/ and configure tunnel according to fripost-documentation. (2) The password is created together with a salt.

<2011-12-11 sön>

MySQL was installed on cantor in order to have a lab system: /root//'root', database /fripost-lab/.

: > create database fripost_lab;

Log in using:

: $ mysql --user=root --password fripost_lab

Read Section 5.3.2.2, "End-User Guidelines for Password Security".

User created according to 5.5.2. "Adding User Accounts".

: > create user 'roundcube'@'localhost' identified by 'roundcube';
: > create user 'roundcube'@'%' identified by 'roundcube'; -- so it can be used from all hosts
: > show grants for 'roundcube'@'localhost';
: > show grants for 'roundcube'@'%';
: > set password for 'roundcube'@'localhost' = password('roundcube');
: > set password for 'roundcube'@'%' = password('roundcube');
: > grant select, update on fripost_lab.mailbox to 'roundcube'@'localhost';
: > grant select, update on fripost_lab.mailbox to 'roundcube'@'%';

The command /grant/ gives /roundcube/ privileges to select and update table /mailbox/. There is no possibility to give privileges to just update certain columns in a table. If that is sought, a separate table has to be created.

Next:
- create an SQL-script that tests all privileges, and try it on /roundcube@localhost/ and /roundcube@%/.
- create that user on /antilop/

* Preparation for migration of IMAP from /antilop/ to /mistral/
<2011-12-20 tis>

** Administrator's user accounts.
The administrators /gustav/, /ljo/, and /skangas/ are in /\/etc\/sudoers/, and \/

** Files from /etc.
Files to transfer to /mistral/ are:

: bacula/ dovecot/ etckeeper/ logcheck/ mysql/ ossec-init.conf postfix/ rkhunter.conf rsyslog.conf ssh/sshd_config ssl/

Archived in /\/home\/gustav\/ect-antilop-2011-12-20.tar.gz/, ready for transfer.

** check when done
- that /etc/cron.d and friends are the same as on /antilop/

** change luks keys
cite

Basically, you just add an additional password (LUKS allows up to 8 different passwords for the same volume) and delete the original password. Here's a link that describes the process in detail: http://www.saout.de/tikiwiki/tiki-in...eviceUsingLUKS

: # cryptsetup luksAddKey /dev/sdc1
: Enter any LUKS passphrase: (enter an existing password for this partition)
: key slot 0 unlocked.
: Enter new passphrase for key slot: (enter the extra password)
: # cryptsetup luksDelKey /dev/sdc1 0

** Packages
All packages to be installed and removed, both from dpkg-selections on antilop and from fripost-docs, are in /home/gustav/selections-2011-12-20.tar.gz on antilop.

* Upgrade of luxemburg to squeeze
<2011-12-21 ons>

- `luxemburg', `harvey' and `zetkin' require the package `firmware-linux-nonfree'. This means we should add contrib and non-free to /etc/apt/sources.list, e.g.:
  : deb ftp://ftp.sunet.se/pub/Linux/distributions/debian squeeze main contrib non-free
- Install emacs23-nox, remove emacs22-nox
- Merge /etc/mysql/my.cnf, among other things removing the line ^skip-bdb$