Rainbow Scenery

CompuLab Fit-PC3
Services and Software (Jacinth)

Jim Carter, 2013-07-19

Since this machine is our home server and hosts a lot of mission-critical services, the emphasis was on getting it checked out fast and on moving existing services as nearly unchanged as possible. New material is deferred until the machine is fully operational.

The existing server, which is not broken, is a Koolu called Jacinth. The new machine is called Orion. When the new machine is ready to go into production, these identities will be swapped. I reserve the name Orion for new machines being set up.

Prerequisite Services

firewall.J

Functional test: SYSTEMD_NO_WRAP=1 /etc/init.d/firewall.J dump. The rule set appears to be complete, and it does let in legitimate other hosts. From off site only port 1443/tcp is open; 25, 587 and 1723 (pptp) are reported closed rather than filtered, meaning the firewall passes them but nothing is listening: SMTP is broken at the moment and pptp is transit for Ben's laptop. See also ooba, which works.

cronj

Copied over: cronj.jacinth.conf, cron.d, cron.daily. /var/lib/cronj is populated and /var/lib/cronj/activity shows the expected cron jobs.

cups

Orion can send out print jobs, but the media size is wrong (looks like A4) with this command line: gpgview -p pws.gpg and the same with setenv LC_PAPER Letter. This magically fixed itself later.

haveged

It's running; hard to do a functional test.

kerberos (client)

The session gets a Kerberos ticket at login, which is available in all xterms.

named

Copied /etc/named.conf /var/lib/named . It delivers (to dig) the SOA for cft.ca.us and outside domains. Running as Jacinth, it has to be using the off-site forwarders from Verizon.

ntp

Configured from /etc/ntp.master, it is synced with Verizon's NTP server.

I have an ongoing project to set up authenticated NTP, but haven't made much progress.

syslog

Copied /etc/rsyslog.conf . Requires manual merging of /etc/sysconfig/syslog [done].

The SYSLOGD_ADDITIONAL_SOCKET_${SERVICE} parameters, which made syslogd listen on an extra /dev/log socket inside each chroot jail, are no longer present. Make sure the chrooted services (named, ntp, dhcpd) can still write log messages. Confirmed that named, dhcpd and ntp are logging.
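A check for the situation above, written as an added example (it is not from this page and not part of the distribution's syslog setup). It assumes rsyslog's imuxsock module, whose legacy directive `$AddUnixListenSocket <path>` (or the newer `input(type="imuxsock" Socket="<path>")`) makes rsyslogd listen on an extra /dev/log inside a chroot; the three chroot paths in CHROOT_LOG_SOCKETS are assumptions for illustration, not the paths from this machine. The script reports which services have no socket declared in /etc/rsyslog.conf and whether the socket file actually exists in the jail.

```python
"""Check that each chrooted service has a syslog socket rsyslog will listen on.

Added example, not from the original page. Assumes rsyslog's imuxsock module
and its $AddUnixListenSocket / input(type="imuxsock" Socket=...) directives.
"""
from __future__ import annotations
import os
import re
import stat

# Assumed chroot socket locations for the three services the page names
# (assumption: adjust to where the distribution actually chroots them).
CHROOT_LOG_SOCKETS = {
    "named": "/var/lib/named/dev/log",
    "ntp": "/var/lib/ntp/dev/log",
    "dhcpd": "/var/lib/dhcp/dev/log",
}

# Legacy directive: $AddUnixListenSocket /path/to/dev/log
_LEGACY = re.compile(r'^\s*\$AddUnixListenSocket\s+(\S+)', re.M)
# RainerScript form: input(type="imuxsock" Socket="/path/to/dev/log" ...)
_RAINER = re.compile(r'input\s*\(\s*type\s*=\s*"imuxsock"[^)]*?Socket\s*=\s*"([^"]+)"', re.S)


def configured_sockets(conf_text: str) -> set[str]:
    """Return every extra imuxsock socket path declared in rsyslog.conf text.

    Lines commented out with '#' are dropped first so a commented-out
    directive does not count as configured."""
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    return set(_LEGACY.findall(live)) | set(_RAINER.findall(live))


def missing_sockets(conf_text: str, wanted: dict[str, str]) -> dict[str, str]:
    """Map service -> socket path for each service rsyslog is not told to listen on."""
    have = configured_sockets(conf_text)
    return {svc: path for svc, path in wanted.items() if path not in have}


def socket_exists(path: str) -> bool:
    """True if rsyslogd has actually created a socket file at this path."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    with open("/etc/rsyslog.conf") as f:
        text = f.read()
    for svc, path in missing_sockets(text, CHROOT_LOG_SOCKETS).items():
        print(f"{svc}: {path} is not declared in rsyslog.conf")
    for svc, path in CHROOT_LOG_SOCKETS.items():
        state = "present" if socket_exists(path) else "missing"
        print(f"{svc}: socket {state} at {path}")
```

The static check only proves the configuration; the functional test is to write through the jail's socket with util-linux logger, e.g. `logger -u /var/lib/named/dev/log -t chroot-test hello`, and confirm the line reaches /var/log/messages.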

Mission Critical Infrastructure

apcupsd

This is the management daemon for the APC (American Power Conversion) UPS (Uninterruptible Power Supply). Copied /etc/apcupsd, /etc/sysconfig/apcupsd and s1/upgrade/jacinth.etc/sysconfig/shutdown. The functional test had to wait until the machine was connected to the UPS. Functional test: apcaccess status; it reports UPS info.

I did a complete test by unplugging power. The UPS beeps every 30 secs (can't shut it up). As configured, the system runs for 30 minutes on battery: CPU, powered USB hub and its clients including wild side network, 2 MOCA bridges. The only thing not powered is the monitor. After 30 mins, apcupsd sets the UPS for a delayed shutdown, and sends the OS into a voluntary power-off action. 2 mins later, the UPS shuts off power. When power returns, the system boots up.

In theory, with a new battery, this UPS can provide 50 watts for 30 mins. The daemon also monitors the battery voltage; if the decline indicates about 5 minutes of runtime left before the configured 30 mins have elapsed, it immediately starts the shutdown sequence.

bridge.J

Need to set up the network bridge [done]. This script turns on bridge multicasting. It works; the functional test is that slpd also works (q.v.). But presently Jacinth sees only its own daemon, indicating a problem. [Fixed]

dhclient

Copied /etc/dhclient.conf. Need to manually reconcile /etc/sysconfig/network/dhcp [done]. Can't test it until we're connected to the wild side. Once various network problems were straightened out, dhclient did its job.

dhclient-hooks

Copied /etc/ddclient.conf and /etc/init.d/dhclient-hooks. Can't test it until we're connected to the wild side. It did successfully register the new IP address with both dyn.com and Hurricane Electric.

postgresql

Copied /etc/init.d/postgresql . This took some work to get running.

netpolice.J

This does traffic shaping so when a big download is going on, other streams like audio or video get the access they need. Copied /etc/init.d/netpolice.J . Can't test it until we're connected to the wild side. It claims to be running; a functional test is a little bit hard. Later I took the time to re-do speed tests; netpolice.J is doing its job to limit the data rate.

network6

Copied /etc/init.d/network6; requires manual editing of /etc/udev/rules.d/70-persistent-net.rules [done]. Can't test it until we're connected to the wild side. Once the bridge was unscrambled, it set up IPv6 successfully.

Wait for default route and DNS: the script times out. It does the same thing on old Jacinth, so it is not specific to the new hardware. This needs to be worked on. [Fixed, see below.]
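A bounded readiness wait of the kind that step needs, as an added example (it is not the page's network6 script). It assumes iproute2's `ip -6 route show default` output, where an installed default route begins with the word "default", and treats DNS as ready when a probe name resolves; the probe name and the 60-second deadline are placeholders. Unlike a plain timeout, it returns which of the two conditions was still missing, which is the first thing you want to know when the wait fails. DNS is only tried once a route exists, since every lookup before that just burns part of the deadline.

```python
"""Wait, with a deadline, for an IPv6 default route and working DNS.

Added example, not the page's own script. Assumes iproute2 output format.
"""
from __future__ import annotations
import socket
import subprocess
import time


def has_default_route(ip_route_output: str) -> bool:
    """True if `ip -6 route show default` printed at least one default route."""
    return any(line.split()[:1] == ["default"] for line in ip_route_output.splitlines())


def current_ipv6_routes() -> str:
    """Ask the kernel for the IPv6 default route(s); empty string if none."""
    return subprocess.run(["ip", "-6", "route", "show", "default"],
                          capture_output=True, text=True, check=False).stdout


def dns_works(name: str) -> bool:
    """True if the resolver can answer for `name` (any address family)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def wait_for_network(probe_name: str = "www.example.net",   # placeholder name
                     deadline_s: float = 60.0, interval_s: float = 2.0,
                     route_fn=current_ipv6_routes, dns_fn=dns_works,
                     clock=time.monotonic, sleep=time.sleep) -> tuple[bool, bool]:
    """Poll until a default route exists and DNS answers, or the deadline passes.

    Returns (route_ok, dns_ok) so the caller can log which condition was
    missing.  route_fn/dns_fn/clock/sleep are injectable for testing."""
    start = clock()
    route_ok = dns_ok = False
    while True:
        route_ok = route_ok or has_default_route(route_fn())
        # Do not waste the deadline on lookups that cannot succeed yet.
        if route_ok:
            dns_ok = dns_ok or dns_fn(probe_name)
        if (route_ok and dns_ok) or clock() - start >= deadline_s:
            return route_ok, dns_ok
        sleep(interval_s)


if __name__ == "__main__":
    route_ok, dns_ok = wait_for_network()
    if route_ok and dns_ok:
        print("IPv6 default route and DNS are up")
    else:
        print(f"timed out: default route {'ok' if route_ok else 'MISSING'}, "
              f"DNS {'ok' if dns_ok else 'MISSING'}")
```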

radvd

Copied /etc/init.d/radvd and /etc/sysconfig/radvd. It starts even though IPv6 forwarding is turned off; it should be safe as long as it has no routes to anywhere. Can't really test it until we're connected to the wild side. Yes, it is passing out routes.

rng-tools

Useless, no hardware random number generator on this machine. The Koolu (AMD Geode) had one.

Mission Critical Services

apache2

Copied /etc/apache2 /etc/sysconfig/apache2 . Functions served through Apache:

Apache problems:

dhcpd

Copied /etc/dhcpd.conf and /etc/dhcp.README. Need to manually merge /etc/sysconfig/dhcpd [done]. Did not start on boot (missing conf file?) [fixed]. Started manually, it's listening on port 67/udp. Confirmed that it is passing out IP addresses.

Oopsie! You're allowed to say "fixed-address FQDN;", but if the name happens to resolve to an IPv6 address (as it now does on CouchNet) the fixed address is silently ignored and all those clients get dynamic addresses from the pool instead. Use the IPv4 address explicitly. This behavior is new (since when?). /etc/dhcpd.conf has been fixed.
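A linter for exactly this trap, as an added example (not from this page and not part of ISC dhcpd). It pulls every `fixed-address` out of the `host` blocks of a dhcpd.conf, warns on any value that is not an IPv4 literal, and, given a resolver, flags the names that have no A record at all, which is the case where dhcpd silently hands the client a pool address. The sample configuration and host names in it are constructed for illustration; the resolver is injectable so the check can run without DNS.

```python
"""Flag `fixed-address` values in dhcpd.conf that are not IPv4 literals.

Added example, not from the original page.  dhcpd accepts a host name here,
but a name with no A record (e.g. AAAA only) is silently ignored.
"""
from __future__ import annotations
import ipaddress
import re
import socket
from typing import Callable

# Constructed sample, not the page's real dhcpd.conf.
SAMPLE_CONF = """
# constructed sample
host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.20; }
host laptop  { hardware ethernet 00:11:22:33:44:66; fixed-address laptop.example.net; }
host couch   { hardware ethernet 00:11:22:33:44:77; fixed-address couch.example.net; }
"""

# `host <name> { ... }`; host blocks contain no nested braces, so [^}]* is enough.
_HOST_BLOCK = re.compile(r'\bhost\s+(\S+)\s*\{([^}]*)\}', re.S)
# `fixed-address a, b;` (does not match the DHCPv6 `fixed-address6` statement).
_FIXED = re.compile(r'\bfixed-address\s+([^;]+);')


def fixed_addresses(conf_text: str) -> dict[str, list[str]]:
    """Map host-block name -> list of fixed-address values, comments stripped."""
    live = re.sub(r'#.*', '', conf_text)
    out: dict[str, list[str]] = {}
    for name, body in _HOST_BLOCK.findall(live):
        vals: list[str] = []
        for m in _FIXED.finditer(body):
            vals.extend(v.strip() for v in m.group(1).split(','))
        out[name] = vals
    return out


def is_ipv4_literal(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def default_has_a_record(name: str) -> bool:
    """Real resolver: does the name have any IPv4 (A) answer?"""
    try:
        return bool(socket.getaddrinfo(name, None, socket.AF_INET))
    except socket.gaierror:
        return False


def lint(conf_text: str,
         has_a_record: Callable[[str], bool] = default_has_a_record) -> list[str]:
    """Warnings for every fixed-address that is not an IPv4 literal.

    Names with no A record get the stronger warning, since dhcpd will ignore
    them and the client silently ends up with a pool address."""
    warnings = []
    for host, values in fixed_addresses(conf_text).items():
        for v in values:
            if is_ipv4_literal(v):
                continue
            if has_a_record(v):
                warnings.append(f"{host}: fixed-address {v} is a name; use its IPv4 "
                                f"literal so an AAAA-only change cannot break it")
            else:
                warnings.append(f"{host}: fixed-address {v} has no A record; dhcpd "
                                f"ignores it and the client gets a pool address")
    return warnings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dhcpd.conf"
    with open(path) as f:
        for w in lint(f.read()):
            print(w)
```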

dovecot

Copied /etc/dovecot . Running, but rejects authentication from SquirrelMail (Jacinth did this too). This is not Dovecot's fault; SquirrelMail is trying to use the master user with the real user's password.

hostapd

Copied /etc/hostapd.conf /etc/init.d/hostapd . OK, client can connect and communicate. This is using the TP-Link TL-WN722N (Atheros chipset) normally on Jacinth. Later I want to try using the internal wireless, but that has to wait until I get a driver for it. Later: hostapd can use the internal wireless and associates with clients. But I reverted to the TP-Link TL-WN722N because it has a better external antenna.

icecast

Copied /etc/darkice.cfg /etc/icecast.xml . I tried a MP3 transcoded stream, but it did not materialize. [Fixed, see below.]

ldap

Copied /etc/openldap and /var/lib/ldap. Did not start on boot. Did not start after boot either. The wrong hostname is going to really freak it out. I ended up copying Diamond's /var/lib/ldap lock, stock and barrel, and that brought it back to life.

kerberos (server)

Copied /var/lib/kerberos . Can't test until LDAP is working. Yes, it works now.

ooba

Copied /etc/init.d/ooba (is this actually obsolete?) and /etc/sysconfig/ooba. It appears to be working, although the browser complains that the wrong host cert was presented. Need to re-test once the host is using the Jacinth host cert. Accessed as Jacinth, the browser is happy and can do X.509 auth. An authorized wild-side host sees the expected ports open (tested TCP only): ftp, ssh, http, imap, imaps, ldap, ldapssl, https, ooba (1443). These are reported closed rather than filtered, i.e. the firewall passes them but nothing is listening: smtp, submission, kerberos-sec (88), xmpp-client, xmpp-server, finger (2003, really Squid). Except for Squid, which is vaporware, these are all services that ought to be available but are broken at the moment. An unauthorized host sees only ooba, submission (587 for SMTP) and pptp, which are the expected open ports.
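The port checks in this section and under firewall.J above are the same test from two vantage points, so here is one added example that does both (it is not from this page and not part of firewall.J). It TCP-connects to each port and classifies it the way a scanner would: open (connect succeeded), closed (connection refused, so the firewall passed it but nothing listens) or filtered (timed out, dropped by the firewall), then diffs the result against an expected policy. The two expected tables restate this section's observations; ports not listed are expected to be filtered, so an unexpectedly reachable service is reported too. The target host name is a placeholder.

```python
"""Verify the firewall's port policy from a given vantage point.

Added example, not from the original page.  Plain TCP connect scan; the
expected tables restate what the page reports for each kind of host.
"""
from __future__ import annotations
import socket
from typing import Iterable

# Unauthorized wild-side host: only these should be open, everything else filtered.
UNAUTH_EXPECTED = {1443: "open", 587: "open", 1723: "open"}

# Authorized wild-side host (TCP only), from the page's lists.
AUTH_EXPECTED = {
    21: "open", 22: "open", 80: "open", 143: "open", 993: "open",
    389: "open", 636: "open", 443: "open", 1443: "open",
    25: "closed", 587: "closed", 88: "closed",
    5222: "closed", 5269: "closed", 2003: "closed",
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port as seen from this host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST came back: passed by firewall, no listener
        return "closed"
    except (socket.timeout, OSError):   # no answer at all: dropped by firewall
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> dict[int, str]:
    return {p: probe(host, p, timeout) for p in ports}


def policy_diff(observed: dict[int, str], expected: dict[int, str],
                default: str = "filtered") -> dict[int, tuple[str, str]]:
    """Return port -> (expected, observed) for every mismatch.

    A scanned port absent from `expected` is expected to be `default`, so a
    service reachable when it should be blocked shows up as a mismatch."""
    diffs = {}
    for port, state in observed.items():
        want = expected.get(port, default)
        if state != want:
            diffs[port] = (want, state)
    return diffs


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "jacinth.example.net"  # placeholder
    expected = AUTH_EXPECTED if "--authorized" in sys.argv else UNAUTH_EXPECTED
    ports = sorted(set(AUTH_EXPECTED) | set(UNAUTH_EXPECTED))
    mismatches = policy_diff(scan(host, ports), expected)
    for port, (want, got) in sorted(mismatches.items()):
        print(f"port {port}: expected {want}, got {got}")
    print("policy matches" if not mismatches else f"{len(mismatches)} mismatch(es)")
```

Run it once from an authorized host (`--authorized`) and once from an unauthorized one; the unauthorized run is the one that matters for security, since it is the one that should print no reachable ports beyond the three expected.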

postfix

It accepted a message but didn't know how to send it out. Copied /etc/postfix/main.cf and master.cf; now it can send (and receive) mail.

prosody.J

This is the XMPP instant message server. Copied /etc/prosody/ /var/lib/prosody . Does not start. See ~jimc/misc/homeserv/prosody-1304.txt for hacks needed to make it work. These hacks were ineffective. After considerable work I replaced Prosody with DJabberd, which now works. See the separate writeup about Replacing My XMPP Server.

smb

Copied /etc/samba/ . Working, you can mount //orion/jimc on Jacinth.

Less Critical Services

alsasound

Is sound working? Yes, I got some speakers for Jacinth and can play media.

hylafax

Copied /etc/sysconfig/fax. Did not start on boot. I think it also won't start on Jacinth. The FAX modem is connected to neither Jacinth nor Orion and is going to be moved to Diamond (eventually).

openvpn

Copied /etc/openvpn . Not going to test this until operational due to certificate problems. Partners do not seem to be able to connect, which they could do on the old machine. [Configuration problem, now fixed.]

sogod

Copied /etc/init.d/sogod and /etc/sysconfig/SOGo. This badly needs an upgrade, and some infrastructure (gdomap, memcached) is either not installed or not available on Orion. SOGo unfortunately has been fired and replaced with ownCloud.

vnc.socket

Responds and gives a functioning X session.

New Material

I'm in the process of getting these working on Jacinth. This effort will be transferred to Orion, but they are not expected to be fully operational.

avahi-dnsconfd

Running. Functional test: ping -w 3 orion.local, which works.

avahi-daemon.service

Running. It provides a D-Bus interface; I'm not sure how to do a functional test.

slpd.service

Running. Functional test, do this on another host: slptool findsrvs service:service-agent ; done from Iris, it gets answers from Iris, Diamond, Jacinth. Done on Jacinth it gets an answer only from Jacinth. Whatever the issue was, it's been fixed now.

strongswan

Copied /etc/ipsec.conf /etc/strongswan.conf . It is not yet set to start on boot [now it is], but if started manually, it runs. On Jacinth, the Android client can connect to it and route packets.

bluetooth

Running. Functional test not done. There is a driver for the Bluetooth NIC, which is integrated with the wireless NIC, for which there is no driver. Update: a Bluetooth mouse is functional with Jacinth using the internal NIC.

hostapd on internal wireless

There is no driver for the internal wireless (in the standard kernel, 3.7.10-1.16-desktop). This appears to be a Realtek Device 8723. This is possibly the Realtek RTL8723AE-BT and a lot of people have trouble with drivers for it.

askubuntu.com, OP ugopozo 2012-05-20. He tried ndiswrapper (failed). He says the driver for RTL8192CE/SE/DE mentions the 8723 in the sources, but he tried various maneuvers and could not get the driver to work with the card. PCI product id is 10ec:8723 and indeed this is the card I have.

izx replies that Realtek's 92-series driver version 0006.0514.2012 will handle this card, but it's being distributed through a Dropbox link; see the post for the MD5sum and build instructions. It only compiles for kernels up to 3.3; there's another link for up to 3.5.

Keep an eye on Realtek's web site for the real driver. As of 2013-07-21 I can't find any reference to the RTL8723AE-BT (or variations) on the website.

The required firmware is available already from kernel-firmware-20130114git-1.2.1.noarch . Filenames: /lib/firmware/rtlwifi/rtl8723fw.bin and rtl8723fw_B.bin .

As suggested in the post, I'm writing to Realtek and begging for the (latest) sources, rather than getting the file from an unknown source. It appears that the contact address for wireless NICs is wlanfae@realtek.com . Mail sent on 2013-07-21. No (or spammy?) reply.

Update: with SuSE 13.1 and kernel 3.11.10 there is a driver and hostapd can use the internal wireless. However, I reverted to the TP-Link TL-WN722N because it has a better external antenna.

Loaded Modules

These should be investigated and identified:

Pending Setup Issues

These are fixed:

These are still being worked on.
