daemontools on redhat enterprise 6.0

So, for a project I needed to get something running in order to insure memcached would keep on running. The (for me) natural choice for this was daemontools (0.76 at time of writing).

There are a couple of things you have to pay attention to, in order to get this going on RHEL 6. (and I suppose many other Linux distro’s)

Phase 1 – get the source and compile it

get the source tarball here (note: this might not be the current version anymore!) and download it to /usr/local/src

  • unpack it with tar -zvxf daemontools-0.76.tar.gz and cd into admin/daemontools-0.76.
  • edit src/conf-cc and add ‘-include /usr/include/errno.h’ at the end of the line. (anywhere is fine, really)
  • run package/install

this should give you the needed files in /command and an existing /service

Phase 2 – fixing startup

Daemontools requires a somewhat different approach to starting up then you might be used to. ( the most common way being /etc/init.d/<name>, and using chkconfig to influence when it starts). Daemontools should be started on boot, and init must be told to restart it when it dies. This ensures continued operation. The installer you ran in phase 1, took care of this by adding a line in /etc/inittab, but that’s an old method, and for the sake of continued operation (and working straight away) we’ll use the new method:

  • Remove the added line from /etc/inittab.
  • cd /etc/init
  • create a new file called svscan.conf, and put the following contents in:
start on runlevel [345]
exec /command/svscanboot

now, tell init, it should re-read it’s configuration, and then start svscanboot:

  • initctl reload-configuration
  • initctl start svscan

if you check now, you should see a happily running svscan, and daemontools is ready to kick some:

2676 ?        Ss     0:00 /bin/sh /command/svscanboot
2678 ?        S      0:00  \_ svscan /service

Enjoy! I hope this little post was helpful.

bacula: Fatal error: Failed to authenticate Storage daemon

When you see the backup of a (non localhost) client failing with the message:

Fatal error: Failed to authenticate Storage daemon

Keep in mind that bacula uses tcpwrappers, though probably not in the way you expect it.

instead of doing:

bacula-sd : 111.222.333.444


$name-sd : 111.222.333.444

where $name is the name you specified in the bacula-sd.conf

Most services that use tcpwrappers (tcpd) use the name of the service (bacula-sd in this case), but bacula has a cute approach to it that listens only to the name you defined for the service. As far as I can tell this applies only to bacula-sd, and not bacula-dir or bacula-fd.

So, say you would have the following config in bacula-sd.conf:

Storage {                             # definition of myself
  Name = foo.bar-sd
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/lib/bacula"
  Pid Directory = "/var/run/bacula"
  Maximum Concurrent Jobs = 20

then your /etc/hosts.allow would read:

foo.bar-sd : 111.222.333.444

Please note that you will still need to take care of your passwords on both ends, any mismatches there will results in no backups being made. Be sure to test your backups regularly.

Spamassassin 2010 bug

Someone on IRC pointed me to this wonderful bug in Spamassassin, it’s easy to quickfix, but the fix itself will become a bug in 10 years, in any case, until they push an update that correctly fixes this:

header   FH_DATE_PAST_20XX      Date =~ /20[1-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX      The date is grossly in the future.

( meaning emails sent in 2010  will also trigger the scoring )

should be changed into:

header   FH_DATE_PAST_20XX      Date =~ /20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX      The date is grossly in the future.

Making it not a problem until we reach 2020 🙂

On my ubuntu box the rule is found in:


Special thanks to Habbie for making me aware of the problem on IRC!

oh and by the way:

Happy New Year!


FreeBSD 7.1-RC1 Security Advisories

FreeBSD - The power to serve

One day, you’re bouncing all over the place because there’s an official 7.1-RC1, the next, there’s already two security advisories.

To sum them up:

  • protosw
    safe to ignore unless you have local users, safe to ignore if you haven’t loaded / compiled in the ng_* modules

    Index: sys/kern/uipc_domain.c
    --- sys/kern/uipc_domain.c	(revision 186366)
    +++ sys/kern/uipc_domain.c	(working copy)
    @@ -112,13 +112,18 @@
     #define DEFAULT(foo, bar)	if ((foo) == NULL)  (foo) = (bar)
     	DEFAULT(pu->pru_accept, pru_accept_notsupp);
    +	DEFAULT(pu->pru_bind, pru_bind_notsupp);
     	DEFAULT(pu->pru_connect, pru_connect_notsupp);
     	DEFAULT(pu->pru_connect2, pru_connect2_notsupp);
     	DEFAULT(pu->pru_control, pru_control_notsupp);
    +	DEFAULT(pu->pru_disconnect, pru_disconnect_notsupp);
     	DEFAULT(pu->pru_listen, pru_listen_notsupp);
    +	DEFAULT(pu->pru_peeraddr, pru_peeraddr_notsupp);
     	DEFAULT(pu->pru_rcvd, pru_rcvd_notsupp);
     	DEFAULT(pu->pru_rcvoob, pru_rcvoob_notsupp);
     	DEFAULT(pu->pru_sense, pru_sense_null);
    +	DEFAULT(pu->pru_shutdown, pru_shutdown_notsupp);
    +	DEFAULT(pu->pru_sockaddr, pru_sockaddr_notsupp);
     	DEFAULT(pu->pru_sosend, sosend_generic);
     	DEFAULT(pu->pru_soreceive, soreceive_generic);
     	DEFAULT(pu->pru_sopoll, sopoll_generic);
  • ftpd
    you can ignore it if you don’t run this ftp daemon, or if you have disabled ftp all together. Otherwise: patch it right the heck now!

    Index: libexec/ftpd/ftpcmd.y
    --- libexec/ftpd/ftpcmd.y	(revision 185134)
    +++ libexec/ftpd/ftpcmd.y	(working copy)
    @@ -1191,7 +1191,7 @@
      * getline - a hacked up version of fgets to ignore TELNET escape codes.
    -char *
     getline(char *s, int n, FILE *iop)
     	int c;
    @@ -1207,7 +1207,7 @@
     			if (ftpdebug)
     				syslog(LOG_DEBUG, "command: %s", s);
     			tmpline[0] = '\0';
    -			return(s);
    +			return(0);
     		if (c == 0)
     			tmpline[0] = '\0';
    @@ -1244,13 +1244,24 @@
     		*cs++ = c;
    -		if (--n <= 0 || c == '\n')
    +		if (--n <= 0) {
    +			/*
    +			 * If command doesn't fit into buffer, discard the
    +			 * rest of the command and indicate truncation.
    +			 * This prevents the command to be split up into
    +			 * multiple commands.
    +			 */
    +			while (c != '\n' && (c = getc(iop)) != EOF)
    +				;
    +			return (-2);
    +		}
    +		if (c == '\n')
     	sigprocmask(SIG_SETMASK, &osset, NULL);
     	if (c == EOF && cs == s)
    -		return (NULL);
    +		return (-1);
     	*cs++ = '\0';
     	if (ftpdebug) {
     		if (!guest && strncasecmp("pass ", s, 5) == 0) {
    @@ -1270,7 +1281,7 @@
     			syslog(LOG_DEBUG, "command: %.*s", len, s);
    -	return (s);
    +	return (0);
     static void
    @@ -1300,9 +1311,14 @@
     		case CMD:
     			(void) signal(SIGALRM, toolong);
     			(void) alarm(timeout);
    -			if (getline(cbuf, sizeof(cbuf)-1, stdin) == NULL) {
    +			n = getline(cbuf, sizeof(cbuf)-1, stdin);
    +			if (n == -1) {
     				reply(221, "You could at least say goodbye.");
    +			} else if (n == -2) {
    +				reply(500, "Command too long.");
    +				(void) alarm(0);
    +				continue;
     			(void) alarm(0);
     #ifdef SETPROCTITLE
    Index: libexec/ftpd/extern.h
    --- libexec/ftpd/extern.h	(revision 185134)
    +++ libexec/ftpd/extern.h	(working copy)
    @@ -46,7 +46,7 @@
     void    ftpd_logwtmp(char *, char *, struct sockaddr *addr);
     int	ftpd_pclose(FILE *);
     FILE   *ftpd_popen(char *, char *);
    -char   *getline(char *, int, FILE *);
    +int	getline(char *, int, FILE *);
     void	lreply(int, const char *, ...) __printflike(2, 3);
     void	makedir(char *);
     void	nack(char *);
    Index: libexec/ftpd/ftpd.c
    --- libexec/ftpd/ftpd.c	(revision 185134)
    +++ libexec/ftpd/ftpd.c	(working copy)
    @@ -2794,15 +2794,20 @@
     	char *cp;
    +	int ret;
     	if (!transflag) {
     		syslog(LOG_ERR, "Internal: myoob() while no transfer");
     		return (0);
     	cp = tmpline;
    -	if (getline(cp, 7, stdin) == NULL) {
    +	ret = getline(cp, 7, stdin);
    +	if (ret == -1) {
     		reply(221, "You could at least say goodbye.");
    +	} else if (ret == -2) {
    +		/* Ignore truncated command. */
    +		return (0);
     	if (strcmp(cp, "ABOR\r\n") == 0) {

I noticed that the -RC2 branch is in place too now. Almost there…. must … be … patient …


And FreeBSD 7.1-RC1 official

FreeBSD - The power to server

You got to love the way they write the release announcements:

“Gee. Did we really implement that new interface that way? That needs a bit more work.”

So,  it’s now the last few legs of the release cycle, and I’m looking forward to it.

DO read the release announcement or /usr/src/UPDATING, specialy if you currently have a system that uses the em(4) driver (Intel E1000 NIC), it might change with this release, to igb(4).


December 22, 2008Permalink 1 Comment

gearing up for FreeBSD 7.1

We’re only a little bit removed from the next major FreeBSD release. The branch has been tagged, and the ports-tree is (thank God!) unfrozen once again. The first Release Candidate has hit the FTP servers.

I’ve been running -PRERELEASE for a while now, and haven’t found any problems so far, not on real-steal hardware, nor on vmware virtualized hardware.


FreeBSD portupgrade / portversion dumps core

First of all: do not panic

Second: get some coffee

Finaly: rm /var/db/pkg/pkgdb.db

I think this comes from upgrading portupgrade somewhere along the line, and accidentaly switching between database formats (hash, or bdb4 btree). The strangest thing is that I’ve searched high and low with Google, but no results anywhere. (not even any of the FreeBSD maillinglists). So it took me a little while to figure out this one.