Ulimit, setting max open files, temporary and permanently

Posted in Administration, LF, Linux by erralt on 25 novembre 2010

You tried:
me$ ulimit -n 4096
and you still have 1024 max open files?

You tried adding this line to /etc/security/limits.conf:
me hard nofile 4096
and you still have 1024 max open files?

After that, you tried:
me$ ulimit -n 4096
but on the next login, max open files went back to 1024?

The reason is that ulimit -n only changes the limit of the current shell session, and a hard entry in limits.conf only raises the ceiling: the soft limit, which is what a new login actually starts with, stays at its default. So add the following line to /etc/security/limits.conf:
me soft nofile 4096
It permanently sets the max open files soft limit from 1024 to 4096!
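To see why the hard line alone did not help, here is an added example (not part of the original post) that reads the nofile limits /etc/security/limits.conf would hand to a user. It follows the pam_limits precedence (an explicit user line beats an @group line, which beats the "*" default; a "-" type sets both soft and hard). The sample files, user and group names are constructed.

```shell
#!/bin/sh
# Added example, not the original post's: compute the effective nofile limits
# from a limits.conf file and flag a missing soft entry.
set -eu

# nofile_limits FILE USER [GROUP...] -> prints "soft=<v> hard=<v>" ("unset" when
# no matching line exists for that limit type).
nofile_limits() {
    file=$1; user=$2; shift 2
    awk -v user="$user" -v groups="$*" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingroup["@" g[i]] = 1 }
    /^[ \t]*#/ || NF < 4 || $3 != "nofile" { next }
    {
        if ($1 == user) pri = 3          # explicit user entry
        else if ($1 in ingroup) pri = 2  # @group entry
        else if ($1 == "*") pri = 1      # default entry
        else next
        t = ($2 == "-") ? "soft hard" : $2
        m = split(t, types, " ")
        for (i = 1; i <= m; i++)         # equal or higher priority overrides earlier lines
            if (pri >= best[types[i]]) { best[types[i]] = pri; val[types[i]] = $4 }
    }
    END {
        printf "soft=%s hard=%s\n", ("soft" in val) ? val["soft"] : "unset",
                                    ("hard" in val) ? val["hard"] : "unset"
    }' "$file"
}

# nofile_check FILE USER WANT [GROUP...] -> 0 when the soft limit a new login
# gets is at least WANT; 1 (with the reason on stderr) otherwise.
nofile_check() {
    file=$1; user=$2; want=$3; shift 3
    res=$(nofile_limits "$file" "$user" "$@")
    soft=${res#soft=}; soft=${soft%% *}
    case $soft in
        unset)        echo "no soft nofile line for $user: logins keep the default soft limit" >&2; return 1 ;;
        unlimited|-1) return 0 ;;
    esac
    [ "$soft" -ge "$want" ] || { echo "soft nofile for $user is $soft, wanted $want" >&2; return 1; }
}

# --- constructed samples (hypothetical user "me", group "staff") --------------
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
# only the hard limit was raised: the soft limit stays at the default
me      hard    nofile  4096
EOF
cat > "$AFTER" <<'EOF'
*       hard    nofile  2048
@staff  soft    nofile  1536
me      hard    nofile  4096
me      soft    nofile  4096
EOF

echo "before: $(nofile_limits "$BEFORE" me staff)"   # soft=unset hard=4096
echo "after:  $(nofile_limits "$AFTER" me staff)"    # soft=4096 hard=4096
```

Run it against the real file with `nofile_check /etc/security/limits.conf "$USER" 4096 $(id -Gn)` before logging out: a failing check means the next login will still start with the default soft limit.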


Embedded archives in your shell scripts

Posted in Administration, LF, Linux by erralt on 16 août 2010

My problem was: how to install my servers, with several files to create or modify, using only one script pasted into my SSH console?

Good news, it is pretty easy to do.

The principle is to have a variable which contains all the files the script needs.
It is built with the base64 command, which guarantees a string that does not interfere with the rest of the script.

How to use it? What to put in the variable?

For an entire archive:
ARCHIVE=$(tar -c /path/to/files | gzip | base64)
or just one file:
ARCHIVE=$(gzip < /path/to/file | base64)
If you don't want to compress, remove the gzip step.

The variable looks like a plain string of letters and digits (base64). Put it on one line (it may work when split over several lines, but I ran into problems). Note that there must be no spaces around the "=" of a shell assignment.
ARCHIVE="PD9YTUwgdmVyc2lvbj0iMS4xIiBlbmNvZGluZz0iVVRGLTgiPz4NPCFET0NUWVBFIGtleWJvYXJkIFBVQkxJQyAiIiAiZmlsZTovL2xvY2FsaG9zdC9TeXN0ZW0vTGlicmFyeS9EVERzL0tleWJvYXJkTGF5b3V0LmR0ZCI+DTwhLS1MYXN0IGVkaXRlZCBieSBVa2VsZWxlIHZlcnNpb24gZW1hIiBvdXRwdXQ9IsKoIi8+DSAgICA8L3Rlcm1pbmF0b3JzPg08L2tleWJvYXJkPg0="

And finally, just do the reverse actions to restore the files contained in $ARCHIVE.
For an archive:
echo "$ARCHIVE" | base64 -d | gzip -d | tar -x
(use the -t option of tar instead of -x to check what you are about to extract)
or just one file:
echo "$ARCHIVE" | base64 -d | gzip -d > destination-file
If you don't want to compress, remove the gzip -d step.
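The embed and restore steps above as shell functions, as an added example that is not part of the original post, with two checks worth having before pasting such a script into a root shell: the archive is built with relative paths (tar -C DIR .), so it can only land under the directory chosen at unpack time, and a SHA-256 of the payload is embedded and verified before anything is extracted. The sample tree and all paths are constructed here.

```shell
#!/bin/sh
# Added example, not the original post's script: self-contained installer built
# around a base64 payload with an integrity check.
set -eu

# pack_dir DIR -> one-line base64 of "tar -c -C DIR . | gzip"
pack_dir() {
    tar -c -C "$1" . | gzip -n | base64 | tr -d '\n'
}

# payload_sha256 ARCHIVE -> SHA-256 of the decoded (still gzipped) payload
payload_sha256() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# unpack_archive ARCHIVE EXPECTED_SHA256 DEST -> verify, then extract into DEST;
# returns 1 and extracts nothing when the checksum does not match.
unpack_archive() {
    archive=$1; expected=$2; dest=$3
    actual=$(payload_sha256 "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    # swap -x for -t here to list the members without extracting them
    printf '%s' "$archive" | base64 -d | gzip -d | tar -x -C "$dest"
}

# emit_installer -> prints a self-contained script carrying $ARCHIVE; its only
# argument is the target directory (default /).
emit_installer() {
    cat <<EOF
#!/bin/sh
set -eu
ARCHIVE="$ARCHIVE"
ARCHIVE_SHA256="$ARCHIVE_SHA256"
dest="\${1:-/}"
printf '%s' "\$ARCHIVE" | base64 -d | sha256sum | grep -q "^\$ARCHIVE_SHA256 " || { echo "payload corrupted, refusing to extract" >&2; exit 1; }
mkdir -p "\$dest"
printf '%s' "\$ARCHIVE" | base64 -d | gzip -d | tar -x -C "\$dest"
EOF
}

# --- constructed sample tree ---------------------------------------------------
SRC=$(mktemp -d); DEST=$(mktemp -d)
mkdir -p "$SRC/etc/myapp"
printf 'listen=127.0.0.1\n' > "$SRC/etc/myapp/app.conf"
printf '#!/bin/sh\necho hello\n' > "$SRC/usr-local-bin-hello.sh"

ARCHIVE=$(pack_dir "$SRC")
ARCHIVE_SHA256=$(payload_sha256 "$ARCHIVE")

restore_ok() {       # round trip: DEST must equal SRC afterwards
    unpack_archive "$ARCHIVE" "$ARCHIVE_SHA256" "$DEST" && diff -r "$SRC" "$DEST" >/dev/null
}
tamper_refused() {   # alter one byte of the payload: the checksum must reject it
    bad=$(printf '%s' "$ARCHIVE" | sed 's/^H4sI/H4sJ/')   # gzip magic 1f 8b 08 is "H4sI" in base64
    if unpack_archive "$bad" "$ARCHIVE_SHA256" "$DEST/tampered" 2>/dev/null; then return 1; fi
    [ ! -d "$DEST/tampered" ]
}

restore_ok && echo "round trip ok, $(printf '%s' "$ARCHIVE" | wc -c | tr -d ' ') bytes of base64"
```

`emit_installer > install.sh` produces the script to paste; `sh install.sh /tmp/stage` lets you inspect the result before running it against `/`.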


How to create a good certificate file to make Courier IMAPS functional

Posted in Administration, Linux by erralt on 12 août 2010

Especially:
« Once you have downloaded your certificates from your certificate authority, open the primary certificate and the private key that you created earlier in a text editor. Copy and paste the text in the Primary Certificate and then from the Private Key. Save the file with a .pem extension (i.e. myCertificate.pem) »

(Primary SSL certificate)
(Your Private Key)
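The assembly of that .pem file, as an added example that is not from the original post or from Courier: it checks that the private key really belongs to the certificate before concatenating them (a mismatched pair is the usual reason Courier's TLS fails to start), writes the result with mode 0600, and sanity-checks the output. Paths are hypothetical; Courier's own certificate path (TLS_CERTFILE in imapd-ssl) is whatever your installation uses. The test certificate is self-signed and generated on the fly.

```shell
#!/bin/sh
# Added example, not part of the original post: build cert+key .pem for Courier.
set -eu

# key_matches_cert CERT KEY -> 0 when the public key inside CERT equals the
# public key derived from KEY (works for RSA and EC keys alike).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# build_pem CERT KEY OUT -> writes CERT followed by KEY to OUT with mode 0600;
# refuses (exit 1, no output file) when the pair does not match.
build_pem() {
    cert=$1; key=$2; out=$3
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate, not writing $out" >&2; return 1; }
    ( umask 077; cat "$cert" "$key" > "$out" )   # file is 0600 from creation
}

# pem_looks_sane OUT -> 0 when OUT holds exactly one certificate, a private key,
# and is readable by its owner only.
pem_looks_sane() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ] &&
    grep -qE 'BEGIN (RSA |EC )?PRIVATE KEY' "$1" &&
    [ "$(stat -c %a "$1")" = 600 ]
}

# --- constructed test material: a self-signed certificate and an unrelated key --
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=imap.example.test' \
    -keyout "$WORK/imap.key" -out "$WORK/imap.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

build_pem "$WORK/imap.crt" "$WORK/imap.key" "$WORK/imapd.pem"
echo "wrote $WORK/imapd.pem"
```

With a CA-issued certificate, append the intermediate certificates after your own one (before the key) so clients can build the chain; the key must stay last and unencrypted, which is why the file's permissions matter.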

Operation not supported, setfacl

Posted in Administration, Linux by erralt on 5 mai 2010


ACL (Access Control List) management is not supported out of the box under Unix.
Permissions on a file or directory are limited to granting read (r), write (w) and execute (x) rights.

Note: to be precise, the execute right on a directory means that it can be traversed, but not that its contents can be listed.

To extend these access rights to particular users or groups, each with their own specific permissions, you have to use ACLs.

1/ Check that your kernel supports ACLs

# grep -i acl /boot/config-`uname -r`

If ACLs are supported, the CONFIG_XXX_FS_POSIX_ACL options must be set to « y » for the filesystems used on your machine.

2/ Install the package for ACL management

On Ubuntu the package is « acl ». It provides the « getfacl », « setfacl » and « chacl » tools, along with the matching man pages.

3/ Mount the partitions with ACL support

If setfacl gives you the error « Operation not supported » or « Opération non supportée », it is because you did not enable the « acl » option when mounting the partition.

Using ACLs on a partition is not a default option. It has to be enabled explicitly when the partition is mounted.

# cat /etc/fstab
/dev/mapper/V0-HOME /home ext4 defaults,acl 0 2
# mount -o remount /home
ACL management is now operational on your partition.
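The two checks behind that error (kernel option, mount option), scripted as an added example that is not part of the original post. kernel_supports_acl reads a kernel config for CONFIG_<FS>_FS_POSIX_ACL; mount_has_acl finds the mount that holds a path (longest matching mount point) and looks for the acl / noacl options. Both read a file you pass in, so they are exercised here on constructed copies of /boot/config-* and /proc/mounts; the paths and device names are constructed too.

```shell
#!/bin/sh
# Added example, not part of the original post: diagnose "Operation not
# supported" from setfacl without running setfacl.
set -eu

# kernel_supports_acl CONFIG_FILE FSTYPE -> 0 when CONFIG_<FSTYPE>_FS_POSIX_ACL=y
kernel_supports_acl() {
    fs=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    grep -q "^CONFIG_${fs}_FS_POSIX_ACL=y\$" "$1"
}

# mount_has_acl MOUNTS_FILE PATH -> 0 when the filesystem holding PATH is mounted
# with "acl", 1 when it is not (or has "noacl"), 2 when no mount point matches.
mount_has_acl() {
    opts=$(awk -v p="$2" '
        {
            mp = $2; n = length(mp)
            if (mp == "/" || p == mp || substr(p, 1, n + 1) == mp "/")
                if (n > best) { best = n; bestopts = $4 }   # longest prefix wins
        }
        END { print bestopts }' "$1")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,noacl,*) return 1 ;;
        *,acl,*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# --- constructed samples ------------------------------------------------------
CONFIG=$(mktemp); MOUNTS=$(mktemp)
cat > "$CONFIG" <<'EOF'
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT3_FS_POSIX_ACL is not set
EOF
cat > "$MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/V0-HOME /home ext4 rw,relatime,acl 0 0
/dev/sdb1 /home/archive ext4 rw,relatime,noacl 0 0
EOF

acl_diagnose() {   # PATH -> one-line verdict, in the order of the checks above
    if ! kernel_supports_acl "$CONFIG" ext4; then echo "kernel: no ext4 ACL support"
    elif mount_has_acl "$MOUNTS" "$1"; then echo "$1: ACLs usable"
    else echo "$1: remount with the acl option"; fi
}
acl_diagnose /home/erralt/.ssh
acl_diagnose /home/archive/old
acl_diagnose /var/log
```

On a live system, replace the two sample files with `/boot/config-$(uname -r)` and `/proc/mounts`.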


Make SFTP and umask working

Posted in Administration, LF, Linux by erralt on 5 mai 2010

In /etc/ssh/sshd_config, use this line to make SFTP work with a custom umask:

Subsystem sftp /bin/sh -c 'umask 0002; exec /usr/lib/openssh/sftp-server'

Load average, what's this?

Posted in Administration, Linux by erralt on 22 mars 2010

Follow this link if you want to know : Understanding load averages (Linux)

OpenLDAP, syncrepl via TLS/SSL

Posted in Administration, LF, Linux by erralt on 19 janvier 2010

I had to configure an OpenLDAP consumer to replicate data from my OpenLDAP provider.

First of all, my OpenLDAP server does not use slapd.conf directives but cn=config directives.
All the configuration examples I found on the Internet used slapd.conf, so I had to work out by myself how to translate slapd.conf directives into cn=config directives, especially the syncrepl ones.

On the provider

1/ Add the attribute « olcModuleLoad » with value « syncprov »

the server will rewrite your modification as:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap

Equivalence with slapd.conf :

module syncprov

2/ Add overlay directive with some suboptions

– add this entry under the node of a database backend configuration, not under the master configuration entry (it does not work there; I made that mistake). Check that your database type is bdb or hdb, because syncrepl only works with one of them.

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Adjust olcSpCheckpoint and olcSpSessionlog as you want.

Equivalence with slapd.conf :

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

3/ Add indexes for entryCSN and entryUUID :

on the node dn: olcDatabase={1}hdb,cn=config

olcDbIndex: entryCSN,entryUUID eq

Here are the options for syncprov translated in cn=config version :

syncprov-checkpoint -> olcSpCheckpoint
syncprov-sessionlog -> olcSpSessionlog
syncprov-nopresent -> olcSpNoPresent
syncprov-reloadhint -> olcSpReloadHint

On the consumer

Configuration of syncrepl :

On the node of your database configuration (for me : dn: olcDatabase={1}hdb,cn=config), add the following attribute and value :

olcSyncrepl: {0}rid=000 provider=ldap://
retry="60 +"

Equivalence with slapd.conf :

syncrepl rid=000 provider=ldap://
retry="60 +"

At this point the provider directory can be replicated to the consumer directory in clear text. Verify that everything works fine.


Before any TLS/SSL configuration of the OpenLDAP server, add the « openldap » user to the « ssl-cert » group.

Then check that the « openldap » user is able to read the /etc/ssl/private/server.key file.

On the provider

Check that the provider is correctly configured for SSL or TLS connections.
To check an SSL connection, run:

ldapsearch -H ldaps:// -x -W

To check a TLS connection:

ldapsearch -H ldap:// -W -x -ZZ

On the consumer

* For SSL connection, in syncrepl configuration :
– change provider option to use ldaps:// instead of ldap://
– add these options :


* For TLS connection, in syncrepl configuration :
– keep provider option using ldap://
– add these options :


* I got this error :

main: TLS init def ctx failed: -1

=> I had a look on and my problem came from not following symbolic links, weird.

* I got this error :

main: TLS init def ctx failed: -207

=> It seems to be an error when checking the SSL chain (have a look at this thread on the OpenLDAP list). I used certtool from the GnuTLS package to create a self-signed certificate.

* I got this error :

main: TLS init def ctx failed: -69

=> remove the passphrase from the key.

Now everything works, but sometimes I get this error:

slap_client_connect: URI=ldaps://****.*****.net DN="cn=syncrepl,dc=*****.net" ldap_sasl_bind_s failed (-1)

and I don't know whether it is critical. It seems not to be: it works again afterwards.

Example of a syncrepl run which does work:

hdb_modify: updated id=00000032 dn="cn=*****,ou=users,dc=*****.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: syncrepl_entry: rid=000 be_modify cn=*****,ou=users,dc=*****.net (0)
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: =>do_syncrepl rid=000
slapd[19443]: =>do_syncrep2 rid=000
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: do_syncrep2: cookie=rid=000,csn=20100109013243.742646Z#000000#000#000000
slapd[19443]: slap_queue_csn: queing 0x7f0b4ab5f9c0 20100109013243.742646Z#000000#000#000000
slapd[19443]: hdb_modify: dc=******.net
slapd[19443]: bdb_dn2entry("dc=******.net")
slapd[19443]: bdb_modify_internal: 0x0000001d: dc=*****.net
slapd[19443]:  entry_encode(0x0000001d):
slapd[19443]: <= entry_encode(0x0000001d):
slapd[19443]: hdb_modify: updated id=0000001d dn="dc=******.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: slap_graduate_commit_csn: removing 0x7f0b4ab5fa00 20100109013243.742646Z#000000#000#000000

If you need to check whether slapd uses GnuTLS or OpenSSL as its TLS library:

# ldd $(which slapd) =>  (0x00007fff2a318000) => /usr/lib/ (0x00007f103bb68000) => /usr/lib/ (0x00007f103b95a000) => /usr/lib/ (0x00007f103b5f8000) => /usr/lib/ (0x00007f103b398000) => /usr/lib/ (0x00007f103b186000) => /usr/lib/ (0x00007f103af6c000) => /usr/lib/ (0x00007f103acca000)  <===== => /lib/ (0x00007f103aa91000) => /lib/ (0x00007f103a878000) => /usr/lib/ (0x00007f103a66e000) => /lib/ (0x00007f103a463000) => /lib/ (0x00007f103a247000) => /lib/ (0x00007f1039ed8000) => /lib/ (0x00007f1039cbe000) => /lib/ (0x00007f1039aba000) => /usr/lib/ (0x00007f10398a9000) => /lib/ (0x00007f1039692000) => /lib/ (0x00007f103941a000)
        /lib64/ (0x00007f103bdb1000) => /lib/ (0x00007f1039216000)

Edit: pay attention to /usr/local/etc/openldap/ldap.conf, which is used by ldapsearch and seems to make syncrepl work more easily.
Found with « strace ldapsearch -b -x -ZZ »: ldapsearch does not use /etc/ldap/ldap.conf on Ubuntu 9.10 (Karmic).

Pnp4nagios, adding a datasource to a rrd file (not only for pnp4nagios)

Posted in Administration, LF, Linux by erralt on 14 janvier 2010


Pnp4nagios is a monitoring tool based on for the data storage and on PHP for the frontend.

This tool parses the performance data provided by Nagios probes, which follows this format: ‘data name’=value; (more details on this page:

I use Pnp4nagios and I got this error (in the Disk.xml file, for example) after adding a new value to the output of a Nagios probe.

<TXT>expected 10 data source readings (got 14) from 1263470356:794:378:49</TXT>
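A small parser for that performance-data format, as an added example that is not part of the original post or of pnp4nagios: Nagios plugins emit space-separated 'label'=value[UOM];warn;crit;min;max tokens, with quotes only when the label contains spaces. Counting the data sources in a probe's output before changing the probe shows whether the RRD file will still match. The sample line is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: count the data sources in a
# Nagios performance-data string and compare with what the RRD file expects.
set -eu

# perfdata_labels "PERFDATA" -> one label per line, quotes stripped.
perfdata_labels() {
    printf '%s\n' "$1" | awk -v q="'" '
    function emit(t,   lbl) {
        if (index(t, "=") == 0) return          # not a label=value token
        lbl = t; sub(/=.*/, "", lbl); gsub(q, "", lbl)
        print lbl
    }
    {
        inq = 0; tok = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == q) inq = !inq             # spaces inside quotes belong to the label
            if (c == " " && !inq) { emit(tok); tok = "" } else tok = tok c
        }
        emit(tok)
    }'
}

# perfdata_count "PERFDATA" -> number of data sources
perfdata_count() { perfdata_labels "$1" | wc -l | tr -d ' '; }

# check_ds_count "PERFDATA" EXPECTED -> 0 when the count matches, otherwise 1
# with the same wording pnp4nagios uses in its error.
check_ds_count() {
    got=$(perfdata_count "$1")
    [ "$got" -eq "$2" ] || { echo "expected $2 data source readings (got $got)" >&2; return 1; }
}

# constructed probe output: three data sources, two of them with quoted labels
PERF="'/ used'=794MB;1000;1200;0;1500 '/var used'=378MB;500;600;0;800 load=0.49;1;2"

perfdata_labels "$PERF"
echo "data sources: $(perfdata_count "$PERF")"
```

The expected count for an existing RRD file is the number of data sources `rrdtool info file.rrd` lists; the difference tells you how many times the add-source script further down has to run.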

Natively, Pnp4nagios cannot add a new data source on the fly, and RRDTool does not do it either. So I had to look for a suitable tool.

I found this post on a blog ( which made me a bit happy.


I installed RRD::Simple from CPAN. I had to force the installation because of an error in the perlpod.

# cpan
cpan> force install RRD::Simple

I took the script provided in the post and modified it to fit my needs:

/root/ :


#!/usr/bin/perl
# Append a data source to an existing RRD file with RRD::Simple.
# Usage: <script> <rrd file> <data source name> <data source type, e.g. GAUGE>
use strict;
use warnings;

use RRD::Simple ();

my $usage = "usage: $0 rrd_file DS_name DS_type\n";
my $rrd_file = shift @ARGV or die $usage;
my $DS_name  = shift @ARGV or die $usage;
my $DS_type  = shift @ARGV or die $usage;

my $rrd = RRD::Simple->new();

print "Processing $rrd_file...";
# add_source() rewrites the file with the new data source appended
$rrd->add_source($rrd_file, $DS_name => $DS_type);
print " ok.\n";

I ran this command for each $DS_name I wanted (11, 12, 13 and 14):

/root/ $rrd_file $DS_name GAUGE

Finally, it works fine !

I hope my post will be useful to other people, and I repeat: it is not specific to Pnp4nagios.

/proc/meminfo, free

Posted in Linux by erralt on 18 décembre 2009

.screenrc, .zshrc

Posted in LF, Linux by erralt on 18 décembre 2009

% cat ~/.screenrc

autodetach on
shell zsh
altscreen on
attrcolor b ".I"
defbce "on"
activity "activity: window ~%"
startup_message off
hardstatus on
caption always 
caption string "[%y-%m-%d %c] %-w%{=b bw} %t%{-}%+w %= %?%{=b rw}%2`%{-} %?%1` %H"
bindkey -k kD stuff \033[3~  # handle the "Delete" key (\033 is ESC: digit zero, not the letter o)
defscrollback 1000
sessionname erralt
defutf8 on
screen -t shell
screen -t logs
term xterm-color
# visual bell
vbell off

% cat ~/.zshrc

[[ -z $(functions zsh/terminfo) ]] && autoload -Uz zsh/terminfo

# colours
autoload -U colors && colors   # "colors" must be run so that $fg and $reset_color exist
eval `dircolors $HOME/.zsh/colors`
autoload -U zutil
autoload -U compinit
autoload -U complist

bindkey "^?" backward-delete-char
bindkey '^[[1~' beginning-of-line
bindkey '^[[4~' end-of-line
bindkey -e

alias ls='ls --color=auto'
alias ll='ls -l'
alias la='ls -la'

setopt always_toend
setopt hist_ignore_dups

# prompt: red "@host" for root, blue for other users, no colour on poor terminals
if [[ "$terminfo[colors]" -ge 8 ]]; then
    if [[ "$EUID" = "0" ]] || [[ "$USER" = 'root' ]]; then
        base_prompt="root%{$fg[red]%}@%m%{$reset_color%} "
    else
        base_prompt="%n%{$fg[blue]%}@%m%{$reset_color%} "
    fi
else
    base_prompt="%n@%m "
fi
PROMPT="${base_prompt}%#%{$reset_color%} "   # only the tail of this line survived on the page

% cat .zsh/colors

# Extra options for ls.
# -F = show '/' after directories, '*' after executables, etc.
# -T 0 = don't trust tab spacing when formatting ls output.
# colours for the basic file types
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 01;35 # symbolic link
FIFO 40;33 # pipe
SOCK 01;35 # socket
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver

# for executable files:
EXEC 01;32

# list the extensions, such as '.gz' or '.tar', that you want ls to colour
# syntax: extension, a space, colour code.
# Archives
.btm 01;32
.tar 01;31
.tgz 01;31
.arj 01;31
.gz 01;31
.bz2 01;31
.zip 01;31
.rar 01;31
.7z 01;31
.ace 01;31
.dar 01;31
.lzo 01;31
.tbz2 01;31
# Packages
.deb 01;35
.rpm 01;35
# Web
.htm 01;36
.php 01;36
.php3 01;36
.html 01;36
# Sources
.c 04;43;30
.cpp 04;43;30
.h 00;43;30
.hpp 00;43;30