Monthly Archives: October 2007

ssh notes

Summary:

$ ssh -fN -L localport:remoteserver:remoteport hopserver

Optionally combine this with agent forwarding and user/hostname mapping in .ssh/config, and with the following .ssh/config stanza if drilling through a squid proxy:

Host remoteserver
    Hostname remoteserver
    ProxyCommand connect-proxy -S dmzproxy.foo.com:1080 %h %p

To setup an ssh tunnel (4 machines):

hosta$ ssh -fN -o GateWayPorts=yes -L P:S:W user@B
hostc$ some-app A:P

-f – go into background after asking for a password
-N – don’t execute a remote command
-g – gateway (or -o GateWayPorts=yes) – lets hosts other than A itself connect to the forwarded port; may be required if doing double ssh (i.e. one tunnel feeding into a second tunnel)

[image: ssh_forward]

[image: ssh_forward2]

(images from O’Reilly’s excellent book “SSH Definitive Guide”)

Data between C and A won’t be encrypted; data between A and B will be encrypted; data between B and S won’t be encrypted.

To setup an ssh tunnel (3 machines):

If Host C and Host A are the same machine:

hosta$ ssh -fN -L P:S:W user@B

hosta$ some-app A:P

If Host B and Host S are the same machine:

hosta$ ssh -fN -o GateWayPorts=yes -L P:B:W user@B
hostc$ some-app A:P

To setup an ssh tunnel (2 machines):

Another common case is where both C and A, and B and S, are the same machines – call them local and remote. There are 2 possible commands:

local$ ssh -fN -L P:localhost:W remote
local$ ssh -fN -L P:remote:W remote

Both will usually work, but to the destination server (1) appears to come from 127.0.0.1 and (2) appears to come from remote’s ip. (1) would give “connection refused” errors if connections aren’t allowed from localhost (unusual), (2) would give “connection refused” errors if connections aren’t allowed from anything but localhost (eg typically mysql).

To connect, do ssh -p P foo@localhost. Be aware of account name issues: localhost and remote are different hosts, so the tunnel may come up fine but the ssh command through it then fails because the account name is resolved on remote, not locally – hence the explicit foo@localhost.
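As an added example (my code, not part of the original notes), the following Python helper parses the `-L` argument in the form ssh accepts, `[bind_address:]port:host:hostport`, and reports for a given forward where host A listens, whether hosts other than A can reach that port (the -g / GateWayPorts question from the 4-machine case), which leg is inside the ssh session, and what source address the destination sees (the 127.0.0.1-versus-remote-IP point from the 2-machine case). The host names in the usage call are made up; bracketed IPv6 literals are deliberately not handled.

```python
"""Added example: describe what an `ssh -L` port forward does from the
client's and the destination's point of view. Not from the original post;
helper names and the host names in the usage call are invented here."""
from dataclasses import dataclass
from typing import Optional

LOOPBACK = ("localhost", "127.0.0.1", "::1")


@dataclass
class LocalForward:
    bind_address: Optional[str]  # None: follow the GatewayPorts setting
    port: int                    # P in the post's notation
    host: str                    # S
    hostport: int                # W


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the [bind_address:]port:host:hostport argument of ssh -L.
    Bracketed IPv6 literals are not handled (assumption for brevity)."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    return LocalForward(bind, int(port), host, int(hostport))


def listen_address(fwd: LocalForward, gateway_ports: bool = False) -> str:
    """Where ssh listens on host A. With no bind address the choice follows
    -g / GatewayPorts; an explicit 'localhost', '*' or '' overrides it
    (ssh(1) semantics)."""
    if fwd.bind_address is None:
        return "0.0.0.0" if gateway_ports else "127.0.0.1"
    if fwd.bind_address in ("", "*"):
        return "0.0.0.0"
    return fwd.bind_address


def tunnel_summary(spec: str, hop: str, gateway_ports: bool = False) -> dict:
    """Summarise one forward; hop is the host part of the user@B argument."""
    fwd = parse_local_forward(spec)
    listen = listen_address(fwd, gateway_ports)
    dest_is_hop = fwd.host in LOOPBACK or fwd.host == hop
    return {
        # in a 4-machine setup (C != A) clients on C must be able to reach this socket
        "listen": f"{listen}:{fwd.port}",
        "other_hosts_can_connect": listen not in ("127.0.0.1", "localhost", "::1"),
        # only the A <-> B leg travels inside the ssh session
        "encrypted_leg": f"A -> {hop}",
        # B -> S leaves B in the clear unless S is B itself
        "cleartext_leg_after_hop": None if dest_is_hop else f"{hop} -> {fwd.host}:{fwd.hostport}",
        # what the destination's own access control sees as the client address
        "source_seen_by_destination": "127.0.0.1" if fwd.host in LOOPBACK else f"ip of {hop}",
    }


if __name__ == "__main__":
    # invented host names: "remote" and "bastion" stand in for B
    for spec, hop, gw in (("3306:localhost:3306", "remote", False),
                          ("3306:remote:3306", "remote", False),
                          ("8080:intranet:80", "bastion", True)):
        print(spec, "via", hop, "GatewayPorts" if gw else "", tunnel_summary(spec, hop, gw))
```

The two 2-machine commands from the text differ only in the `host` field, and the summary shows the consequence: `P:localhost:W` is seen by the destination service as a connection from 127.0.0.1 (fine for a MySQL bound to loopback), while `P:remote:W` is seen as coming from remote's own IP.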

Some tricks from this article:

$ ssh user@intermediate-server -D 8080 # setup a pseudo socks server; point socks-able apps at localhost:8080

These sites are also interesting:

MySQL Logging and LogRotation

dev.mysql.com logging documentation

On Debian based systems, MySQL logging (and logrotation) is setup automatically so I’ve never had to worry about it. Unfortunately, I’m not using Debian at the moment…

The options used to start MySQL can be gleaned from ps ax | grep mysql ; in particular this will show the --datadir setting, which is where logs are created by default.

Troubleshooting Logs

  • --log – the general query log – when clients connect and disconnect and all SQL statements. By default, created with a name of host_name.log
  • --log-error – diagnostic messages about startup and shutdown and abnormal conditions. By default, created with a name of host_name.err. If mysqld is invoked directly errors will be written to stderr; if mysqld is started by way of the mysqld_safe script (directly or via init.d) error logging may go to syslog (and therefore usually to /var/log)
  • --log-slow-queries – log queries that take longer than the long_query_time server variable (10s by default) to run. By default, created with a name of host_name-slow.log

Replication/Binary Logs

todo

LogRotation

todo

Good Copy Bad Copy

a documentary about copyright and culture by Andreas Johnsen, Ralf Christensen and Henrik Moltke

http://goodcopybadcopy.blip.tv

MySQL Replication Notes

dev.mysql.com replication documentation. Replication on MySQL is similar to Log Shipping on MS SQL; the default is statement level replication, but newer versions also offer row-based replication.

Setting Up

On the Master:

  • create the account that will be used by each slave for replication:

    mysql> create user 'repl'@'%' identified by 'secret';
    mysql> grant replication slave on *.* to 'repl'@'%';
    mysql> flush privileges;

  • enable replication by editing /etc/my.cnf (fuller example below):

Linux ACLs

Linux ACLs (Access Control Lists) can be a bit difficult at first – here’s my understanding of how they work:

Commands:

  • There are only two commands needed – getfacl and setfacl – to display and change ACLs

Files:

When you do a getfacl on a file, you’ll get this sort of entry:

$ ls -al index.html
-rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html
$ getfacl --all-effective index.html
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw- #effective:rw-
group::r-- #effective:r--
mask::rw-
other::r--
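To make the mask rule concrete, here is an added Python example (not from the original post) that parses the getfacl listing above and recomputes the #effective: column by ANDing each named-user and group entry with mask::, then answers which permission set applies to a given user. SAMPLE_ACL is the listing from the page; TIGHT_MASK_ACL is a constructed variant with a tighter mask so that apache's effective access drops to r-- even though its own entry still says rw-. The access check is a simplified form of the POSIX ACL algorithm (first matching class wins; bits of all matching group entries are unioned).

```python
"""Added example (not from the original post): parse getfacl output and
recompute the #effective: column, i.e. apply the ACL mask the way the
kernel does. SAMPLE_ACL is the listing shown on the page; TIGHT_MASK_ACL
is constructed to show the mask cutting a named user down."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

SAMPLE_ACL = """\
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw- #effective:rw-
group::r-- #effective:r--
mask::rw-
other::r--
"""

# constructed: same entries with a tighter mask (chmod g-w on a file with an
# ACL rewrites mask::, not the owning group entry)
TIGHT_MASK_ACL = SAMPLE_ACL.replace("mask::rw-", "mask::r--")


def perms_to_int(p: str) -> int:
    return sum(PERM_BITS[c] for c in p if c != "-")


def int_to_perms(n: int) -> str:
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text: str) -> list:
    """Return [(tag, qualifier, perms)] from getfacl output. Header lines
    ('# file:' etc.) and trailing '#effective:' comments are dropped; the
    effective column is recomputed below rather than trusted."""
    entries = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries


def effective_permissions(entries: list) -> dict:
    """Apply the mask: named users, the owning group and named groups are
    limited by mask::; the owner (user::) and other:: are not (acl(5))."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    eff = {}
    for tag, qualifier, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier != ""))
        eff[f"{tag}:{qualifier}"] = (
            int_to_perms(perms_to_int(perms) & perms_to_int(mask)) if masked else perms
        )
    return eff


def access_for(text: str, user: str, groups: tuple) -> str:
    """Simplified POSIX ACL check: first matching class wins, in the order
    owner, named user, owning/named groups (bits unioned), other."""
    entries = parse_getfacl(text)
    eff = effective_permissions(entries)
    owner = group = None
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
    if user == owner:
        return eff["user:"]
    if f"user:{user}" in eff:
        return eff[f"user:{user}"]
    matched, bits = False, 0
    for tag, qualifier, _ in entries:
        if tag != "group":
            continue
        in_group = (qualifier == "" and group in groups) or (qualifier != "" and qualifier in groups)
        if in_group:
            matched = True
            bits |= perms_to_int(eff[f"group:{qualifier}"])
    if matched:  # a matching group class is final, even if it grants nothing
        return int_to_perms(bits)
    return eff["other:"]


if __name__ == "__main__":
    for label, acl in (("page listing", SAMPLE_ACL), ("constructed tight mask", TIGHT_MASK_ACL)):
        print(label, effective_permissions(parse_getfacl(acl)))
        print("  apache ->", access_for(acl, "apache", ()),
              "| siteadm member ->", access_for(acl, "bob", ("siteadm",)))
```

The point worth remembering from the second listing: a named-user entry that reads rw- is not the whole story, since the kernel grants the entry ANDed with mask::, which is exactly what getfacl's #effective: column reports.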
