Ulimit, setting max open files, temporarily and permanently

Posted in Administration, LF, Linux by erralt on 25 November 2010

You tried:
me$ ulimit -n 4096
and you still have 1024 max open files?

You tried adding this line to /etc/security/limits.conf:
me hard nofile 4096
and you still have 1024 max open files?

After that, you tried:
me$ ulimit -n 4096
but on the next login, max open files went back to 1024?

So, add the following line to /etc/security/limits.conf:
me soft nofile 4096
It permanently raises the max open files soft limit from 1024 to 4096!
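The two checks behind this advice, as an added example that is not part of the original post: the kernel refuses to raise the soft limit above the hard limit (so a hard line alone changes nothing visible), and an audit of a limits.conf for domains that have the hard line but not the soft one. Keep in mind that pam_limits applies limits.conf only to sessions that go through PAM, so a new login, not the current shell, is needed to see the change. The limits.conf content used for checking is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks behind the post's
# advice: the effective limit is the soft one, and a limits.conf that sets
# only "hard nofile" leaves the soft limit where it was.

# Demonstrate, in a throwaway subshell, that the soft limit cannot be raised
# above the hard limit but can be lowered freely. Returns 0 when the kernel
# behaves that way. Values are small so they fit under any hard limit.
soft_cannot_exceed_hard() {
  (
    ulimit -n 256 || exit 2                    # sets both soft and hard to 256
    ulimit -S -n 512 2>/dev/null && exit 1     # above the hard limit: must fail
    ulimit -S -n 128 || exit 1                 # below it: allowed
    [ "$(ulimit -S -n)" = 128 ] || exit 1
    exit 0
  )
}

# Audit limits.conf text on stdin: print every domain (user, @group or *)
# that has a "hard nofile" line but no "soft nofile" line, which is exactly
# the case where "ulimit -n 4096" appears to be ignored.
hard_nofile_without_soft() {
  awk '
    $1 ~ /^#/ || NF < 4 { next }
    $3 == "nofile" && $2 == "hard" { hard[$1] = 1 }
    $3 == "nofile" && $2 == "soft" { soft[$1] = 1 }
    $3 == "nofile" && $2 == "-"    { soft[$1] = 1 }   # "-" sets both limits
    END { for (u in hard) if (!(u in soft)) print u }
  ' | sort
}
```

On a real system, `hard_nofile_without_soft < /etc/security/limits.conf` printing nothing means every hard nofile line has its soft counterpart.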


Embedded archives in your shell scripts

Posted in Administration, LF, Linux by erralt on 16 August 2010

My problem was how to install my servers, with different files to create or modify, using only one script pasted into my SSH console.

Good news: it's pretty easy to do.

The principle is to have a variable which contains all the files the script needs.
This is done with the base64 command, which guarantees a string that does not interfere with the rest of the script.

How to use it? What to put in the variable?

For an entire archive:
ARCHIVE=$(tar -c /path/to/files | gzip | base64 -w 0)
or just one file:
ARCHIVE=$(gzip -c /path/to/file | base64 -w 0)
If you don't want to compress, remove the gzip step.

The variable looks like an opaque string of letters and digits. Keep it on one line (-w 0 does that; a wrapped string can work, but I ran into problems with it).
ARCHIVE="PD9YTUwgdmVyc2lvbj0iMS4xIiBlbmNvZGluZz0iVVRGLTgiPz4NPCFET0NUWVBFIGtleWJvYXJkIFBVQkxJQyAiIiAiZmlsZTovL2xvY2FsaG9zdC9TeXN0ZW0vTGlicmFyeS9EVERzL0tleWJvYXJkTGF5b3V0LmR0ZCI+DTwhLS1MYXN0IGVkaXRlZCBieSBVa2VsZWxlIHZlcnNpb24gZW1hIiBvdXRwdXQ9IsKoIi8+DSAgICA8L3Rlcm1pbmF0b3JzPg08L2tleWJvYXJkPg0="

And finally, do the reverse to restore the files contained in $ARCHIVE.
For an archive:
echo "$ARCHIVE" | base64 -d | gzip -d | tar -x
(use tar's -t option instead of -x to check what you are about to extract)
or just one file:
echo "$ARCHIVE" | base64 -d | gzip -d > destination-file
If you don't want to compress, remove the gzip -d step.
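A round trip of the technique above, written here as an added example rather than the post's own code: pack, embed into a paste-able script, and restore only after the decoded archive matches a SHA-256 recorded next to the blob, which catches a blob truncated or altered while being copied through a terminal. Function names, paths and the sample files are my own; the test builds its own scratch directories.

```shell
#!/bin/sh
# Added example, not from the original post: the embed-and-restore round trip
# the post describes, plus a SHA-256 of the decoded archive so the restore
# step refuses a blob that was altered or truncated on its way through a
# copy/paste. Paths are illustrative.

# Encode directory $1 as one base64 line (tr keeps this portable; GNU
# base64 -w 0 does the same).
pack_dir() {
  tar -C "$1" -cf - . | gzip -c | base64 | tr -d '\n'
}

# SHA-256 of the decoded (still compressed) archive in blob $1.
blob_sha256() {
  printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Restore blob $1 into directory $2, but only if its SHA-256 equals $3.
unpack_verified() {
  blob=$1 dest=$2 expected=$3
  actual=$(blob_sha256 "$blob")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch, refusing to extract" >&2
    return 1
  fi
  mkdir -p "$dest"
  printf '%s' "$blob" | base64 -d | gzip -dc | tar -C "$dest" -xf -
}

# Emit the self-contained script the post pastes into an SSH session:
# the blob and its checksum inline, extraction into $1 (default /tmp/restore).
make_installer() {
  blob=$(pack_dir "$1")
  sum=$(blob_sha256 "$blob")
  printf '#!/bin/sh\nset -eu\nARCHIVE="%s"\nEXPECTED="%s"\n' "$blob" "$sum"
  printf '%s\n' \
    'DEST=${1:-/tmp/restore}' \
    'ACTUAL=$(printf "%s" "$ARCHIVE" | base64 -d | sha256sum | cut -d" " -f1)' \
    '[ "$ACTUAL" = "$EXPECTED" ] || { echo "checksum mismatch" >&2; exit 1; }' \
    'mkdir -p "$DEST"' \
    'printf "%s" "$ARCHIVE" | base64 -d | gzip -dc | tar -C "$DEST" -xf -'
}
```

`make_installer /path/to/files > install.sh` produces the script to paste; the generated script exits before touching the destination when the checksum does not match.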


How to create a proper certificate file to make Courier IMAPS work

Posted in Administration, Linux by erralt on 12 August 2010

In particular:
« Once you have downloaded your certificates from your certificate authority, open the primary certificate and the private key that you created earlier in a text editor. Copy and paste the text in the Primary Certificate and then from the Private Key. Save the file with a .pem extension (i.e. myCertificate.pem)

(Primary SSL certificate)
(Your Private Key)
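As an added example (not from the post or from Courier), assembling the combined file and verifying it before use: the check that the certificate and the key actually belong together saves a round of log reading when IMAPS refuses the handshake after a cut-and-paste assembly. TLS_CERTFILE is the imapd-ssl setting that points at this file; file names are illustrative, and the test generates its own throwaway key and certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Assembles the single .pem file
# the quoted instructions describe (certificate first, then the private key)
# and checks that the two halves belong together before the file is pointed
# to by TLS_CERTFILE. File paths are illustrative.

# Concatenate certificate $1 and private key $2 into $3, created mode 0600
# (the file carries the private key, so nobody else should be able to read it).
build_courier_pem() {
  ( umask 077; cat "$1" "$2" > "$3" )
}

# Return 0 when the public key in the certificate equals the one derived
# from the private key in the same .pem; a mismatch is the usual reason the
# IMAPS handshake fails after a cut-and-paste assembly.
pem_cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Return 0 when the .pem is readable by its owner only (GNU stat).
pem_mode_ok() {
  [ "$(stat -c %a "$1")" = 600 ]
}
```

Run `pem_cert_matches_key /path/to/imapd.pem && pem_mode_ok /path/to/imapd.pem` before restarting Courier; both must succeed.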

Operation not supported, setfacl

Posted in Administration, Linux by erralt on 5 May 2010


ACL (access control list) management is not supported on Unix out of the box.
Permissions on a file or directory are limited to granting read (r), write (w) and execute (x) rights.

Note: to be precise, the execute right on a directory means it can be traversed, but not that its contents can be listed.

To extend these access rights to particular users or groups, each with their own specific permissions, you have to use ACLs.

1/ Check that your kernel supports ACLs

# grep -i acl /boot/config-`uname -r`

If ACLs are supported, the CONFIG_XXX_FS_POSIX_ACL options must be set to "y" for the filesystems used on your machine.

2/ Installing the ACL management package

On Ubuntu the package is "acl". It provides the getfacl, setfacl and chacl tools along with the matching man pages.

3/ Mounting partitions with ACL support

If setfacl fails with "Operation not supported" (or "Opération non supportée" in a French locale), the "acl" option was not enabled when the partition was mounted.

Using ACLs on a partition is not a default option. It has to be enabled explicitly when the partition is mounted.

# cat /etc/fstab
/dev/mapper/V0-HOME /home ext4 defaults,acl 0 2
# mount -o remount /home
ACL management is now operational on your partition.
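The three checks above, as an added example that is not part of the original post, written so they can be run against pasted text as well as the live system. The sample kernel config and /proc/mounts lines are constructed. One caveat worth knowing: a mount line with no acl option does not necessarily mean ACLs are off, because a filesystem may enable them by default (current kernels do so for ext4 when CONFIG_EXT4_FS_POSIX_ACL is set, and `tune2fs -l` lists the superblock's "Default mount options"), which is why the helper reports "default" rather than guessing.

```shell
#!/bin/sh
# Added example, not from the original post: the three checks the post walks
# through, runnable against files or pasted text. Sample inputs in the test
# are constructed.

# 1/ Kernel support: print every CONFIG_*POSIX_ACL option in a kernel config
#    file ($1) that is not "=y"; empty output means all are enabled.
acl_config_not_enabled() {
  grep -E '^(# )?CONFIG_[A-Z0-9_]*POSIX_ACL' "$1" | grep -v '=y$' || true
}

# 3/ Mount options: given /proc/mounts-style lines on stdin, print "enabled",
#    "disabled" or "default" for mount point $1. "default" means neither acl
#    nor noacl is present, so the filesystem's own default applies.
acl_mount_state() {
  awk -v mp="$1" '
    $2 == mp {
      n = split($4, o, ",")
      state = "default"
      for (i = 1; i <= n; i++) {
        if (o[i] == "acl") state = "enabled"
        if (o[i] == "noacl") state = "disabled"
      }
      print state
      exit
    }'
}

# Live check with the tools from step 2/, only when they are installed:
# set an ACL on a scratch file in directory $1, read it back, and report
# whether the "Operation not supported" case applies there.
acl_probe() {
  command -v setfacl >/dev/null 2>&1 || { echo "acl tools not installed"; return 2; }
  f=$(mktemp -p "$1") || return 2
  if setfacl -m u:nobody:r "$f" 2>/dev/null && getfacl -p "$f" 2>/dev/null | grep -q '^user:nobody:r--'; then
    echo "acl works on $1"; rm -f "$f"; return 0
  fi
  echo "acl not supported on $1 (remount with the acl option)"; rm -f "$f"; return 1
}
```

`acl_mount_state /home < /proc/mounts` and `acl_probe /home` together tell you whether the remount from step 3/ is needed.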


Making SFTP work with a custom umask

Posted in Administration, LF, Linux by erralt on 5 May 2010

In your /etc/ssh/sshd_config file, use this line to make SFTP work with a custom umask:

Subsystem sftp /bin/sh -c 'umask 0002; exec /usr/lib/openssh/sftp-server'
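An added example, not from the post, that measures what a given umask does to the files and directories a process creates, which is what the wrapper line above changes for sftp-server. 0002 makes uploads group-writable, which is what you want for a shared drop directory and not for per-user home directories, where 0022 or 0077 is the safer choice. Since OpenSSH 5.4 the same effect is available without the shell wrapper through the -u option of sftp-server and internal-sftp, e.g. `Subsystem sftp internal-sftp -u 0002`.

```shell
#!/bin/sh
# Added example, not from the original post: measure what a given umask does
# to files and directories created under it.

# Create a file and a directory under umask $1 and print their octal modes
# as "FILE DIR" (GNU stat). The umask is set in a subshell so the caller's
# mask is untouched.
modes_under_umask() {
  scratch=$(mktemp -d) || return 1
  (
    umask "$1"
    : > "$scratch/f"          # files start from 0666 minus the mask
    mkdir "$scratch/d"        # directories start from 0777 minus the mask
  )
  printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
  rm -rf "$scratch"
}
```

`modes_under_umask 0002` prints `664 775`, the modes an SFTP upload will get with the line above.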

Load average, what's this?

Posted in Administration, Linux by erralt on 22 March 2010

Follow this link if you want to know: Understanding load averages (Linux)

OpenLDAP, syncrepl via TLS/SSL

Posted in Administration, LF, Linux by erralt on 19 January 2010

I had to configure an OpenLDAP consumer to replicate data from my OpenLDAP provider.

First of all, my OpenLDAP server does not use slapd.conf directives but cn=config directives.
All the configuration examples I found on the Internet used slapd.conf. So I had to work out by myself how to translate slapd.conf directives into cn=config directives, especially the syncrepl ones.

On the provider

1/ Add the attribute "olcModuleLoad" with the value "syncprov"

The server will rewrite your modification as:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap

Equivalence with slapd.conf:

moduleload syncprov

2/ Add the overlay directive with some sub-options

– add this entry under a database backend configuration node, not under the master configuration directive (it doesn't work; I made that mistake). Check that your database type is bdb or hdb, because syncrepl only works with one of them.

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Adjust olcSpCheckpoint and olcSpSessionlog as you want.

Equivalence with slapd.conf :

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

3/ Add indexes for entryCSN and entryUUID :

on the node dn: olcDatabase={1}hdb,cn=config

olcDbIndex: entryCSN,entryUUID eq

Here are the syncprov options translated into their cn=config form:

syncprov-checkpoint -> olcSpCheckpoint
syncprov-sessionlog -> olcSpSessionlog
syncprov-nopresent -> olcSpNoPresent
syncprov-reloadhint -> olcSpReloadHint

On the consumer

Configuration of syncrepl:

On your database configuration node (for me: dn: olcDatabase={1}hdb,cn=config), add the following attribute and value:

olcSyncrepl: {0}rid=000 provider=ldap://
retry="60 +"

Equivalence with slapd.conf :

syncrepl rid=000 provider=ldap://
retry="60 +"

At this point, the provider directory can be replicated to the consumer directory in clear text. Check that everything works fine.


Before any TLS/SSL configuration of the OpenLDAP server, add the "openldap" user to the "ssl-cert" group.

Then check that the "openldap" user is able to read the /etc/ssl/private/server.key file.

On the provider

Check that the provider is correctly configured for SSL or TLS connections.
To check an SSL connection, run:

ldapsearch -H ldaps:// -x -W

To check a TLS connection:

ldapsearch -H ldap:// -W -x -ZZ

On the consumer

* For an SSL connection, in the syncrepl configuration:
– change the provider option to use ldaps:// instead of ldap://
– add these options:


* For a TLS connection, in the syncrepl configuration:
– keep the provider option using ldap://
– add these options:


* I got this error:

main: TLS init def ctx failed: -1

=> After looking into it, my problem came from symbolic links not being followed, weird.

* I got this error:

main: TLS init def ctx failed: -207

=> It seems to be an error when checking the SSL chain (have a look at this thread on the OpenLDAP list). I used certtool from the GnuTLS package to create a self-signed certificate.

* I got this error:

main: TLS init def ctx failed: -69

=> remove the passphrase from the key.

Now everything works, but sometimes I get this error:

slap_client_connect: URI=ldaps://****.*****.net DN="cn=syncrepl,dc=*****.net" ldap_sasl_bind_s failed (-1)

and I don't know whether it's critical. It seems not to be; it works again afterwards.

Example of a syncrepl run which does work:

hdb_modify: updated id=00000032 dn="cn=*****,ou=users,dc=*****.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: syncrepl_entry: rid=000 be_modify cn=*****,ou=users,dc=*****.net (0)
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: =>do_syncrepl rid=000
slapd[19443]: =>do_syncrep2 rid=000
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: do_syncrep2: cookie=rid=000,csn=20100109013243.742646Z#000000#000#000000
slapd[19443]: slap_queue_csn: queing 0x7f0b4ab5f9c0 20100109013243.742646Z#000000#000#000000
slapd[19443]: hdb_modify: dc=******.net
slapd[19443]: bdb_dn2entry("dc=******.net")
slapd[19443]: bdb_modify_internal: 0x0000001d: dc=*****.net
slapd[19443]:  entry_encode(0x0000001d):
slapd[19443]: <= entry_encode(0x0000001d):
slapd[19443]: hdb_modify: updated id=0000001d dn="dc=******.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: slap_graduate_commit_csn: removing 0x7f0b4ab5fa00 20100109013243.742646Z#000000#000#000000

If you need to check whether slapd uses GnuTLS or OpenSSL as its TLS library:

# ldd $(which slapd)
[ldd output omitted: a libgnutls line in the list means GnuTLS, a libssl line means OpenSSL]

Edit: pay attention to /usr/local/etc/openldap/ldap.conf, which is used by ldapsearch and seems to make syncrepl work more easily.
Found with "strace ldapsearch -b -x -ZZ": ldapsearch does not use /etc/ldap/ldap.conf on Ubuntu 9.10 (Karmic).
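An added example, not the post's own code, that does the slapd.conf to cn=config translation the post worked out by hand, using the option mapping listed above: it turns syncprov and syncrepl lines into LDIF for ldapmodify. The provider host, bind DN, credentials and CA path in the sample directive are constructed placeholders; the tls_reqcert and tls_cacert keywords are the standard syncrepl options documented in slapd.conf(5). The ldapmodify and ldapsearch helpers are defined for use on a real server and are not exercised by the test.

```shell
#!/bin/sh
# Added example, not from the original post: translates slapd.conf-style
# syncprov/syncrepl lines into the cn=config LDIF entries the post arrives at,
# using the option mapping listed in the post. Host, bind DN and credentials
# below are constructed placeholders.

# Translate the syncprov lines on stdin into an LDIF "add" for the overlay
# entry under database DN $1 (for example "olcDatabase={1}hdb,cn=config").
syncprov_to_ldif() {
  awk -v db="$1" '
    BEGIN {
      map["syncprov-checkpoint"] = "olcSpCheckpoint"
      map["syncprov-sessionlog"] = "olcSpSessionlog"
      map["syncprov-nopresent"]  = "olcSpNoPresent"
      map["syncprov-reloadhint"] = "olcSpReloadHint"
      print "dn: olcOverlay={0}syncprov," db
      print "changetype: add"
      print "objectClass: olcOverlayConfig"
      print "objectClass: olcSyncProvConfig"
      print "olcOverlay: {0}syncprov"
    }
    /^#/ || NF == 0 { next }
    ($1 in map) { val = $0; sub(/^[^ \t]+[ \t]+/, "", val); print map[$1] ": " val }
  '
}

# Translate one slapd.conf "syncrepl" directive on stdin (continuation lines
# start with whitespace) into an olcSyncrepl attribute on database DN $1.
syncrepl_to_ldif() {
  awk -v db="$1" '
    function emit() {
      print "dn: " db
      print "changetype: modify"
      print "add: olcSyncrepl"
      print "olcSyncrepl: {0}" buf
      buf = ""
    }
    /^syncrepl[ \t]/ { if (buf != "") emit(); buf = $0; sub(/^syncrepl[ \t]+/, "", buf); next }
    /^[ \t]/ && buf != "" { line = $0; sub(/^[ \t]+/, "", line); buf = buf " " line; next }
    { if (buf != "") emit() }
    END { if (buf != "") emit() }
  '
}

# The index the post adds on the provider database, as LDIF for DN $1.
csn_index_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryCSN,entryUUID eq\n' "$1"
}

# Apply an LDIF file to the local server over the ldapi socket as root, the
# usual way to edit cn=config (not run by the test).
apply_ldif() {
  ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# The provider-side check from the post with the host as a parameter: -ZZ
# makes StartTLS mandatory, so a server that cannot negotiate TLS fails
# loudly instead of silently continuing in clear text (not run by the test).
check_starttls() {
  ldapsearch -H "ldap://$1" -x -ZZ -b '' -s base
}

# Constructed consumer-side directive: ldaps:// plus certificate checking.
# tls_reqcert=demand refuses a provider whose certificate does not validate
# against tls_cacert, which is what protects the replication link from a
# spoofed provider. Keep the consumer's cn=config unreadable to others, since
# it holds the bind credentials in clear.
SYNCREPL_CONF='syncrepl rid=000 provider=ldaps://provider.example.test
    bindmethod=simple binddn="cn=syncrepl,dc=example,dc=test"
    credentials=CHANGE-ME searchbase="dc=example,dc=test"
    type=refreshAndPersist retry="60 +"
    tls_reqcert=demand tls_cacert=/etc/ssl/certs/ca.pem'

SYNCPROV_CONF='overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100'
```

`printf '%s\n' "$SYNCPROV_CONF" | syncprov_to_ldif 'olcDatabase={1}hdb,cn=config' > syncprov.ldif` followed by `apply_ldif syncprov.ldif` reproduces step 2/ on the provider; the same with syncrepl_to_ldif on the consumer reproduces the olcSyncrepl attribute.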

Pnp4nagios, adding a datasource to an rrd file (not only for pnp4nagios)

Posted in Administration, LF, Linux by erralt on 14 January 2010


Pnp4nagios is a monitoring tool based on RRDTool for data storage and on PHP for the frontend.

This tool parses the performance data provided by Nagios probes. It follows this format: 'data name'=value; (more details on this page:

I use Pnp4nagios and I got this error (in the Disk.xml file, for example) after adding a new data item to the output of a Nagios probe.

<TXT>expected 10 data source readings (got 14) from 1263470356:794:378:49</TXT>

Natively, Pnp4nagios cannot add a new datasource on the fly, and RRDTool cannot either. So I had to look for a suitable tool.

I found this post on a blog which made me a bit happy.


I installed RRD::Simple with CPAN. I had to force the installation because of an error in the perlpod.

# cpan
cpan> force install RRD::Simple

I took the script provided in the post and modified it to fit my needs:

/root/ :


#!/usr/bin/perl
use strict;
use warnings;

use RRD::Simple ();

# Usage: <script> <file.rrd> <DS name> <DS type (GAUGE, COUNTER, ...)>
my ($rrd_file, $DS_name, $DS_type) = @ARGV;
die "usage: $0 <file.rrd> <DS name> <DS type>\n"
    unless defined $rrd_file && defined $DS_name && defined $DS_type;

my $rrd = RRD::Simple->new();

print "Processing $rrd_file...";
# add_source is RRD::Simple's own routine for appending a datasource to an existing file
$rrd->add_source($rrd_file, $DS_name => $DS_type);
print " ok.\n";

I ran this command for each $DS_name I wanted (11, 12, 13 and 14):

/root/ $rrd_file $DS_name GAUGE

Finally, it works fine!

I hope my post will be useful to other people, and I repeat that it's not specific to Pnp4nagios.
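An added example (not the post's script) for the step of finding which datasources to add: it counts the labels in the probe's perfdata line against the datasources in the RRD file and produces the numbers to pass to the post's RRD::Simple script, under the assumption, matching the 11, 12, 13 and 14 above, that pnp4nagios names datasources sequentially. The perfdata line and rrdtool info output used for checking are constructed, and ADD_DS_SCRIPT is a placeholder for the path of the script.

```shell
#!/bin/sh
# Added example, not from the original post: work out which datasources a
# pnp4nagios RRD file is missing in the "expected N data source readings
# (got M)" situation, then add them with the post's RRD::Simple script.

# Print the labels in a Nagios perfdata string, one per line. Labels are
# either 'quoted label'=... (may contain spaces) or label=...
perfdata_labels() {
  printf '%s\n' "$1" | grep -oE "('[^']*'|[^ '=]+)=" | sed "s/=\$//; s/^'//; s/'\$//"
}

# Count the datasources in "rrdtool info" output ($1): one "ds[NAME].type"
# line per DS.
rrd_ds_count() {
  printf '%s\n' "$1" | grep -c '^ds\[[^]]*\]\.type' || true
}

# Print the numbers of the datasources to add so the file holds one DS per
# perfdata label. Assumes pnp4nagios' sequential DS names "1".."N", which is
# what the post's 11, 12, 13, 14 show.
new_ds_numbers() {
  have=$(rrd_ds_count "$2")
  want=$(perfdata_labels "$1" | wc -l | tr -d ' ')
  i=$((have + 1))
  while [ "$i" -le "$want" ]; do
    echo "$i"
    i=$((i + 1))
  done
}

# Run the post's RRD::Simple script once per missing datasource, as the post
# did by hand for 11..14. ADD_DS_SCRIPT is a placeholder for the path of that
# script. Needs rrdtool and the script; not run by the test.
add_missing_sources() {
  rrd=$1 perf=$2
  for n in $(new_ds_numbers "$perf" "$(rrdtool info "$rrd")"); do
    perl "${ADD_DS_SCRIPT:?path of the RRD::Simple script}" "$rrd" "$n" GAUGE
  done
}
```

With the probe's current output line in `$perf`, `ADD_DS_SCRIPT=/root/add_ds.pl add_missing_sources /var/lib/pnp4nagios/perfdata/host/Disk.rrd "$perf"` performs the loop the post ran by hand.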

Dell Vostro 1220 on Ubuntu, headphone problem

Posted in Administration, Linux by erralt on 14 December 2009

Here is the problem on my work Dell Vostro 1220 with an Ubuntu 9.10 x64 distribution:
when I plug in my headphones, they are not detected and the speakers are not muted automatically.

Temporary solution I found on this page:
– Install hda_analyzer from Alsa
– Start hda_analyzer with "python"
– Then, in "Node[0x1f]", untick "OUT" (the change is applied live)
And that's it.

PS: I don't think the change is persistent.
Edit 2009/12/18: the change only persists while the machine is running. A reboot loses it.

Edit 2010/02/16: the solution I found no longer works, Hda Analyzer is buggy!!
My other solution is the following:

tar zxvf hda-verb-0.3.tar.gz
cd hda-verb-0.3
sudo cp hda-verb /usr/local/bin
sudo hda-verb /dev/snd/hwC0D0 0x1f SET_PIN_WIDGET_CONTROL 0x0     ## disables the main speakers
sudo hda-verb /dev/snd/hwC0D0 0x1f SET_PIN_WIDGET_CONTROL 0x40   ## enables the main speakers

Beware, the change will not persist across a reboot.