This is a small example on flock. It may help you prevent multiple running instances of the same script. Assume you run the script via cron and it may not have finished when cron attempts to start it again. These few lines of code solve this issue.
use strict;
use warnings;
use Fcntl qw(:flock);   # LOCK_EX, LOCK_NB

if (!open(LOCK, ">/var/run/my_app.lock")) {
    print "Failed to open lock file: $!\n";
    exit(1);
}
## Create exclusive, non blocking lock: LOCK_EX(2) + LOCK_NB(4)
## LOCK stays open for the whole run; closing it would release the lock.
if (!flock(LOCK, LOCK_EX | LOCK_NB)) {
    close(LOCK);
    if (!open(PID, "</var/run/my_app.pid")) {
        print "Failed to read PID file: $!\n";
        exit(1);
    }
    my $pid = <PID>;
    close(PID);
    print "Failed to acquire lock. Another instance (PID $pid) running!\n";
    exit(1);
} else {
    ## We hold the lock: record our PID for the message above
    if (!open(PID, ">/var/run/my_app.pid")) {
        print "Failed to open pid file: $!\n";
        exit(1);
    }
    print PID $$;
    if (!close(PID)) {
        print "Failed to write PID file: $!\n";
        exit(1);
    }
}
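As an added example (not code from the original post), the same flock technique in Python: the holder's PID is kept inside the lock file instead of a separate PID file, and a helper spawns a second process, the way cron would, to show that it is refused while the lock is held. The temporary-directory path is an assumption for the demo; the page uses /var/run/my_app.lock.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Constructed path for the demo; the page uses /var/run/my_app.lock, which needs root.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "my_app_demo.lock")


def acquire_lock(path):
    """Exclusive, non-blocking flock (LOCK_EX|LOCK_NB, the '6' in the Perl code).
    Returns the open file on success, None if another instance holds the lock.
    The holder's PID lives inside the lock file, so it cannot go stale separately."""
    fh = open(path, "a+")  # never truncate: the holder's PID may be in there
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:  # EWOULDBLOCK: another open file description holds it
        fh.close()
        return None
    fh.seek(0)
    fh.truncate()
    fh.write(str(os.getpid()))
    fh.flush()
    return fh  # keep this object alive; closing it (or exiting) releases the lock


def lock_holder(path):
    """PID recorded by whoever holds the lock, for the 'another instance' message."""
    with open(path) as fh:
        return fh.read().strip() or "unknown"


def other_instance_can_lock(path):
    """Simulate cron starting a second copy: a child process tries the same lock
    through its own open(). True if the child got it, False if it was refused."""
    probe = (
        "import fcntl, sys\n"
        f"f = open({path!r}, 'a+')\n"
        "try:\n"
        "    fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)\n"
        "except BlockingIOError:\n"
        "    sys.exit(1)\n"
    )
    return subprocess.run([sys.executable, "-c", probe]).returncode == 0


if __name__ == "__main__":
    lock = acquire_lock(LOCK_PATH)
    if lock is None:
        sys.exit(f"Failed to acquire lock. Another instance (PID {lock_holder(LOCK_PATH)}) running!")
    print("lock held by", os.getpid(), "- second instance allowed:", other_instance_can_lock(LOCK_PATH))
```

Note that flock is tied to the open file description, so a second open() of the same path, even inside the same process, is refused until the first handle is closed.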
You may have had the same issue as I some time ago. You install a Perl module from Portage but you have to modify the module’s code. Of course you don’t want to patch and install manually. Assuming the module is named “foobar” here’s how I solved it:
There are many settings that make BASH even more usable. As many people don’t seem to know this particular parameter, I post it here:
HISTCONTROL="ignoredups"
This setting in bashrc or profile makes BASH ignore duplicate commands when searching the history. It’s pretty useful if you have entered the same command several times.
If you’re unmerging software in Gentoo some files stay on your server. This is a result of the setting CONFIG_PROTECT.
To unmerge a package completely use this command:
First of all make sure the UMTS card is recognized by your system. You need PCMCIA support enabled in your kernel. If you compiled it as modules, load the modules.
Download and build the Nozomi kernel module. You can get it here
Nozomi install
cd nozomi_2.21alpha_060917
mkdir -p /lib/modules/KERNEL_VERSION/kernel/drivers/pci/hotplug   # only if the directory does not exist yet
make
depmod
modprobe nozomi
After you succeeded in loading the nozomi module you should see something like this in dmesg:
dmesg
nozomi 0000:04:00.0: Nozomi driver nozomi_tty
Initializing Nozomi driver 2.21alpha (build date: Jun 9 2008 15:00:29)
nozomi 0000:04:00.0: Version of card: 3
nozomi 0000:04:00.0: Initialization OK!
PPP Configuration
You have to supply the PIN to your SIM-card. There are two ways to accomplish this:
Add AT+CPIN=MY_SIM_PIN to your chat script
Use a little Perl script (for example if you use a PIN app)
Perl helper
#!/usr/bin/perl
use strict;
use warnings;

my $pin   = shift or die("usage: $0 PIN\n");
my $modem = '/dev/noz0';

# Give up if the modem stays silent
$SIG{ALRM} = sub { die("timeout: no response from modem $modem\n"); };
alarm(10);

open(MODEM, "+<", $modem) or die("Failed to open modem $modem: $!");
print(MODEM "AT+CPIN=\"$pin\"\n\r");
while (<MODEM>) {
    if (m/OK/) {
        close(MODEM);
        print("PIN accepted\n");
        exit(0);
    }
    if (m/ERROR/) {
        close(MODEM);
        print("PIN rejected\n");
        exit(1);
    }
}
exit(0);
Now it’s time to create the PPP config and chat scripts.
# Most GPRS phones don't reply to LCP echo's
lcp-echo-failure 0
lcp-echo-interval 0
# Keep pppd attached to the terminal:
# Comment this to get daemon mode pppd
nodetach
# Debug info from pppd:
# Comment this off, if you don't need more info
debug
# Connect script:
# scripts to initialize the UMTS modem and start the connection,
connect /etc/ppp/peers/umts-connect-chat
# Disconnect script:
# AT commands used to 'hangup' the UMTS connection.
disconnect /etc/ppp/peers/umts-disconnect-chat
# Serial device to which the UMTS card is connected:
/dev/noz0
# Serial port line speed
115200
# Hardware flow control:
# Use hardware flow control with cable, Bluetooth and USB but not with IrDA.
crtscts # serial cable, Bluetooth and USB, on some occasions with IrDA too
#nocrtscts # IrDA
# Ignore carrier detect signal from the modem:
local
# IP addresses:
# - accept the peer's idea of our local address and set the peer address as 10.0.0.1
# (any address would do, since IPCP gives 0.0.0.0 to it)
# - if you use the 10. network at home or something and pppd rejects it,
# change the address to something else
0.0.0.0:0.0.0.0
# pppd must not propose any IP address to the peer!
noipdefault
# Accept the peer's idea of our local address
ipcp-accept-local
# Add the ppp interface as default route to the IP routing table
defaultroute
# DNS servers from the phone:
# some phones support this, some don't.
usepeerdns
# ppp compression:
# ppp compression may be used between the phone and the pppd, but the
# serial connection is usually not the bottleneck in GPRS, so the
# compression is useless (and with some phones it needs to be disabled before
# the LCP negotiations succeed).
novj
nobsdcomp
novjccomp
nopcomp
noaccomp
# The phone is not required to authenticate:
noauth
mtu 1500
mru 1500
/etc/ppp/peers/umts-connect-chat
exec chat \
TIMEOUT 5 \
ECHO ON \
ABORT '\nBUSY\r' \
ABORT '\nERROR\r' \
ABORT '\nNO ANSWER\r' \
ABORT '\nNO CARRIER\r' \
ABORT '\nNO DIALTONE\r' \
ABORT '\nRINGING\r\n\r\nRINGING\r' \
'' \rAT \
TIMEOUT 12 \
SAY "Press CTRL-C to close the connection at any stage!" \
SAY "\ndefining PDP context...\n" \
OK ATH \
OK ATE1 \
OK 'AT+CGDCONT=1,"IP","web.vodafone.de","",0,0' \
OK ATD*99# \
TIMEOUT 22 \
SAY "\nwaiting for connect...\n" \
CONNECT "" \
SAY "\nConnected." \
SAY "\nIf the following ppp negotiations fail,\n" \
SAY "try restarting the phone.\n"
/etc/ppp/peers/umts-disconnect-chat
exec /usr/sbin/chat -V -s -S \
ABORT "BUSY" \
ABORT "ERROR" \
ABORT "NO DIALTONE" \
SAY "\nSending break to the modem\n" \
"" "\K" \
"" "+++ATH" \
SAY "\nPDP context detached\n"
This howto will show you how to use client certificates to authenticate against applications hosted by a BigIP loadbalancer. You may find this howto (or parts of it) on ask.f5.com, as there was no documentation on this topic before. I forwarded it to F5 some time ago. This is the only way to use client certificates without purchasing addon modules from F5.
Purpose
If you host a website/application which should only be accessible by some users, you may have already thought about client certificates. This makes brute force attacks against login panels impossible.
This increases the overall application security by adding another layer a user must pass.
The mapping between certificates and access rights is based on a LDAP directory.
Overview
The loadbalancer reads the CN from the client certificate and searches the group defined for the virtual server for a matching entry. The loadbalancer verifies the CA and CRLs before the lookup takes place.
dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example User
sn: Example User
objectClass: person
description: It's just a example user
Group LDIF
dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example Group
objectClass: posixGroup
description: Group is allowed to connect to BigIP's VHOST secure.company.com
memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
gidNumber: 145
The “memberUid” has to match the certificate's CN exactly, because this is the key the BigIP is looking for.
BigIP Configuration
Authentication Configuration
As a first step we create a new “Authentication Configuration”. Just open the web frontend and navigate to:
Local Traffic → Profiles → Authentication → Configuration
You have to create a new config for every virtual host you want to secure. This is forced by the LDAP group used, because every config can only use one group. Here’s an example configuration:
Authentication Configuration
Parameter | Value
==========================================================================
Hosts | 1.2.3.4
Search Type | User
User Base DN | ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
User Key | cn
Admin DN | DN for binding
Admin Password | Bind password
Group Base DN | ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
Group Key | cn
Group Member Key | memberUid
Valid Groups | Corresponding LDAP group
Authentication Profile
The next step is to create a profile which inherits the newly created config. You need a profile for every configuration. Navigate to
Local Traffic → Profiles → Authentication → Profiles
Authentication Profile
Parameter | Value
==========================================================================
Type | SSL Client Certificate LDAP
Parent Profile | ssl_cc_ldap
Mode | Enabled
Configuration | NAME OF CONF JUST CREATED
CA Upload
If your CA certificate(s) have not been installed yet, it’s time to do so.
Local Traffic → SSL Certificates → Import
SSL Profiles
To use SSL (also without client certificates) you need an SSL profile. Navigate to
Local Traffic → Profiles → SSL → Client
Create a new profile based on “clientssl” or one of your already defined profiles.
This howto describes the setup of an HA Linux router based on Gentoo and Keepalived. I’m writing this because there’s not really good documentation on this topic so far, at least as far as I searched for it.
Requirements
The intended router requires this config and tools:
Kernel with activated VLAN support (CONFIG_VLAN_8021Q=y)
Keepalived installed
vconfig installed
Optionally bonding support in Kernel and ifenslave installed
Network Configuration
This configuration example is designed for 8 NICs and 20 VLANs. The following config is split to make it more readable but belongs completely to /etc/conf.d/net.
VLAN-Interface-Mapping
Depending on your network and traffic you have to find a VLAN-interface-mapping that matches your environment.
This VLAN setup will lead to interfaces named vlanXX. See the manpage of vconfig if you prefer a different setup. Then it’s time to disable the “parent interfaces”. You can’t use an interface in mixed mode: it carries either VLANs or plain traffic as a single interface.