dbStat in the Wild

Seems that dbStat had to be developed much faster than I realised, it was a personal project that I was working on as I got time.

Now it has been completely re-written to provide a complete “break down” of a large MySQL database suffering some major iowait (on average 15%).

The database in question was 17GB in size with 63% of that data size being pure indexes … MAJOR headache.

After completion of v1.0 dbStat, and subsequent review of the output, we were able to reduce the Index size by 7GB (41% of Total).

So the database is sitting at ~10GB (40% index); plenty more work to do, but by removing the problem-causing indexes we have reduced the index overhead and stemmed a growth of ~380MB/24hrs.

Rapid development has left a few bugs; currently dbStat is at v1.2 with a very buggy CSV export function. Anyway, more as the project progresses. It also raises a few questions about public release now, due to it largely being built to resolve a business issue.

Hmm maybe I can get a testimonial! haha

EDIT: iowait is down to 2.28% now :D

Quote of the Day

After much argument with the resident Microsoft Zealot over the exploitability of IIS, words of sarcastic wisdom came from a third party (Lee) and sufficiently ended the argument.

“You know what IIS Stands for?”
“Internet Information Services…”
“No! Is Inherently Sh*t”


Discuss :P

/usr/bin/ld: Cannot Find -lltdl

Now this one was annoying!

Whilst adding IMAP support to a PHP 5.2.2 installation running on a Red Hat Linux 4 distro, I kept getting the same error when running my custom config script.

/usr/bin/ld: cannot find -lltdl
collect2: ld returned 1 exit status
make: *** [libphp5.la] Error 1

Very strange as the files were there!

[root@dev01 ~]# ldconfig -p |grep ltdl
        libltdl.so.3 (libc6) => /usr/lib/libltdl.so.3
        libguile-ltdl.so.1 (libc6) => /usr/lib/libguile-ltdl.so.1

So guess what the problem was … PHP’s make script.

Note the “/usr/lib/libltdl.so.3”; this, as it would turn out, was a symlink to “/usr/lib/libltdl.so.3.1.0”.

So just by adding our own symlink without the version number, “ln -s /usr/lib/libltdl.so.3.1.0 /usr/lib/libltdl.so”, voilà, the compile runs perfectly!

Another obscure bug *sigh*, ah well at least I can play with the imap extensions now :-P
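What the linker is actually after with -lltdl is the unversioned lib*.so "dev" symlink, which on Red Hat normally comes from the libtool-ltdl-devel package; the ln -s above hand-rolls that symlink. The script below is an added example, not from the post, that generalises the one-off fix: given a library directory and the short name used with -l, it locates the real versioned shared object, creates the unversioned symlink, and refuses to clobber anything that already exists. The directory layout it builds is a constructed stand-in for /usr/lib, and the directory and library names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the post's own script. Creates the lib<name>.so dev
# symlink the linker needs for -l<name>, without overwriting existing files.

# Print the path of the real (non-symlink) lib<name>.so.<version> in $1.
# The post's case: /usr/lib/libltdl.so.3.1.0 behind the libltdl.so.3 symlink.
find_real_lib() {
    lib_dir="$1"
    name="$2"
    # Real file only: the soname link (libltdl.so.3) is skipped by ! -type l.
    find "$lib_dir" -maxdepth 1 -name "lib${name}.so.*" ! -type l | sort | tail -n 1
}

# Create lib<name>.so -> real file (relative link inside the directory).
# Exit status: 0 created or already present, 1 no library found,
# 2 the link name is taken by something that is not a symlink.
ensure_dev_symlink() {
    lib_dir="$1"
    name="$2"
    link="$lib_dir/lib${name}.so"
    if [ -L "$link" ]; then
        echo "$link already exists -> $(readlink "$link")"
        return 0
    fi
    if [ -e "$link" ]; then
        echo "$link exists and is not a symlink, leaving it alone" >&2
        return 2
    fi
    real=$(find_real_lib "$lib_dir" "$name")
    if [ -z "$real" ]; then
        echo "no lib${name}.so.* found in $lib_dir (install the -devel package?)" >&2
        return 1
    fi
    ln -s "$(basename "$real")" "$link"
    echo "created $link -> $(basename "$real")"
}

# Build a constructed stand-in for /usr/lib under $1 (no real system files touched).
write_sample_libdir() {
    lib_dir="$1"
    mkdir -p "$lib_dir"
    : > "$lib_dir/libltdl.so.3.1.0"                  # the real object
    ln -s libltdl.so.3.1.0 "$lib_dir/libltdl.so.3"   # soname link that ldconfig -p lists
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_libdir "$tmp/lib"
    ensure_dev_symlink "$tmp/lib" ltdl
    ensure_dev_symlink "$tmp/lib" ltdl            # second run is a no-op
    ensure_dev_symlink "$tmp/lib" nosuch || echo "exit status $?"
    rm -rf "$tmp"
fi
```

Against a real /usr/lib you would run it as root with `ensure_dev_symlink /usr/lib ltdl`; prefer the distro's -devel package where one exists, since a package upgrade of the versioned library will not know about a hand-made symlink.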

Vsftpd Chrooting Without the Headache, Allowing Shared Directories

Chroot’ing a user is always a good idea from a security perspective, but by default it leaves usability lacking.

For example, a web development department quite rightly uses individual logins, with each developer able to access each of their site directories, in a non-chroot environment.

The downside? They can also browse pretty much the entire server, and each other's directories …

So rather than some extensive and long-winded chmoding of directories, we need to chroot them and still preserve access to the shared directories …

But how?

In this case the shared resource will be /home/shared

First of all, for security and chrooting purposes, make the following changes to /etc/vsftpd/vsftpd.conf:

anonymous_enable=NO
chroot_local_user=YES

Now restart vsftpd: /etc/init.d/vsftpd restart

Create a test user (in this case buzz):

useradd buzz -d /home/buzz
passwd buzz

Remove the user's shell access (and subsequently sftp/scp) by editing /etc/passwd:

replace

buzz:x:123:123::/home/buzz:/bin/bash

with

buzz:x:123:123::/home/buzz:/sbin/nologin

Test the FTP session:

[root@buzz ~]ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (xxx.xxx.xxx.xxx:buzz): buzz
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,99,1,1,123,97)
150 Here comes the directory listing.
drwxrwxr-- 4 48 48 4096 Mar 27 15:00 www
226 Directory send OK.
ftp> cd /home/shared
550 Failed to change directory.
ftp> cd ./www
550 Failed to change directory.
ftp> quit
221 Goodbye.

In the example above www is a symlink to /home/shared, as can be seen symlinking does not bypass the chroot settings.

What you need to do is use the “bind” option of the mount command (as root or a sudo’er):

mkdir /home/buzz/shared
mount --bind /home/shared /home/buzz/shared

NOTE: --bind is double dash bind.
NOTE: to reverse the bind (i.e. if you bind the wrong folder): umount /path/to/bound/folder

Now re-test the ftp session:

ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (xxx.xxx.xxx.xxx:buzz): buzz
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,99,1,1,123,97)
150 Here comes the directory listing.
drwxrwxr-- 4 48 48 4096 Mar 27 15:00 www
drwxrwxr-- 4 48 48 4096 Mar 27 15:12 shared
226 Directory send OK.
ftp> cd /home/shared
550 Failed to change directory.
ftp> cd ./www
550 Failed to change directory.
ftp> cd ./shared
250 Directory successfully changed.
ftp> quit
221 Goodbye.

The user is now in a chroot'ed environment, but can still access the shared resources you specify, by binding them.
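The walkthrough above relies on three things being right at once: the two vsftpd.conf settings, the user's shell being /sbin/nologin, and the bind mount existing. The script below is an added example, not the post's own, with a check for each plus the bind step itself; the sample vsftpd.conf and passwd files it writes are constructed stand-ins so the checks can be exercised without touching /etc, and the user name, paths and file names are assumptions for illustration. It also prints the /etc/fstab line that makes the bind mount persist, since a plain mount --bind is gone after a reboot.

```shell
#!/bin/sh
# Added example, not the post's own script. Verifies the vsftpd chroot setup
# (config keys, nologin shell, bind mount) and performs the bind.

# Return 0 when every required key=value pair is the effective (last
# uncommented) setting in the given vsftpd.conf.
check_vsftpd_conf() {
    conf_file="$1"
    for kv in anonymous_enable=NO chroot_local_user=YES; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(grep -E "^${key}=" "$conf_file" | tail -n 1 | cut -d= -f2-)
        if [ "$got" != "$want" ]; then
            echo "$conf_file: expected $kv, got '${got:-unset}'" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 when the user's login shell in a passwd-format file is
# /sbin/nologin (FTP only, no ssh/scp/sftp).
check_nologin() {
    passwd_file="$1"
    user="$2"
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    [ "$shell" = "/sbin/nologin" ]
}

# Print the /etc/fstab line that re-creates the bind mount at boot.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Bind the shared directory into the user's home (needs root). Idempotent:
# skips the mount when the target is already a mount point.
bind_shared() {
    shared="$1"
    target="$2"
    mkdir -p "$target"
    if mountpoint -q "$target"; then
        echo "$target already mounted"
        return 0
    fi
    mount --bind "$shared" "$target"
}

# Write constructed sample files (not real system files) into $1.
write_samples() {
    dir="$1"
    printf 'anonymous_enable=NO\nchroot_local_user=YES\nlisten=YES\n' > "$dir/vsftpd.conf.good"
    # A commented-out key and a later override must both be caught.
    printf '#chroot_local_user=YES\nanonymous_enable=NO\nanonymous_enable=YES\n' > "$dir/vsftpd.conf.bad"
    printf 'buzz:x:123:123::/home/buzz:/sbin/nologin\nwoody:x:124:124::/home/woody:/bin/bash\n' > "$dir/passwd"
}

# Stand-alone demo on the constructed samples: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_vsftpd_conf "$tmp/vsftpd.conf.good" && echo "good conf: OK"
    check_vsftpd_conf "$tmp/vsftpd.conf.bad" || echo "bad conf: rejected as expected"
    check_nologin "$tmp/passwd" buzz && echo "buzz has no shell: OK"
    fstab_bind_line /home/shared /home/buzz/shared
    rm -rf "$tmp"
fi
```

On a live box the sequence is `check_vsftpd_conf /etc/vsftpd/vsftpd.conf`, `check_nologin /etc/passwd buzz`, then `bind_shared /home/shared /home/buzz/shared` as root (usermod -s /sbin/nologin buzz does the passwd edit without a text editor). One caveat for anyone following this on a newer vsftpd than the 2.0.1 shown: from 2.3.5 the daemon refuses a login whose chroot root is writable by the user, so with a writable home directory you either make the home root-owned and non-writable or set allow_writeable_chroot=YES (vsftpd 3.x).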

FAQ:

Why remove the user's SSH / SCP access?

SCP/SFTP at the time of writing has no logging facility, making it next to impossible to find out who uploaded / overwrote a file in the shared resource at any given time.

(UPDATE 19/07/2010: https://blog.oneiroi.co.uk/linux/enable-logging-in-the-sftp-subsystem)

By forcing FTP, all transactions will appear in the xfer log.

There are mods for SCP out there to allow logging; however, you use them at your own risk. I do not recommend using them on a customer-facing environment.

Why would I want to “chroot” the user?

Change

chroot_local_user=YES

to

chroot_local_user=NO

and reload vsftpd. Now login to ftp and try to get out of your home directory.

You will notice you can pretty much browse the entire file system and, depending on the setup, write and delete files owned by anyone in the same group as that user.

By chroot'ing the user you reduce the potential for things to go wrong on your server; as you add more and more users, it reduces the "sys admin" time incurred due to user error.

NOTE: Remember to put

chroot_local_user=YES

back and reload vsftpd!

Disclaimer:

You break it, it’s not my fault!

If you run into problems just leave a comment.