Debian Lenny 5.0.3 updated

The Debian project just announced the third update for its stable distribution “lenny” 5.0.3. Those installing regular updates from security.debian.org will notice just a few new updates (base-files for the version change to 5.0.3, heartbeat, perl, openssl, linux-image, svn, etc). Also the installer has been updated to incorporate the new kernels released with this point release, adding support for new network hardware, and to fix a segfault early in the boot process of installations for the S/390 architecture.

“The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 5.0 (codename lenny). This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won’t have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.”

Release Announcement: http://www.debian.org/News/2009/20090905


Apache2 umask

You will often want to fine-tune the default permissions of files created on a Linux system. This is simple: if you are using bash, define a new value for umask somewhere in the bash startup files (/etc/profile is a good place for this), like this:
umask 002
(this allows group write permissions by default on newly created files)

On modern Linux distributions this is normally set to 022 by default, and you can easily find out what it is on your system by running the umask command:
umask

Contrary to what you might think, this is not enough to make the setting apply to all applications and daemons on the system. It works fine for any files created from a shell session, but files created by other processes, such as the web server, will still use the default unless configured otherwise. To have Apache use a different umask, define it inside /etc/apache2/envvars (Debian and Ubuntu systems) or /etc/sysconfig/httpd (RHEL and CentOS systems) like this:
umask 002
and restart Apache to enable it.

Other daemons will have different locations where you can define this to override the default umask setting (check their documentation if you are unsure).
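
The effect of the two values discussed above, and a way to check what a running daemon actually inherited, as an added example that is not part of the original post. The helper names are hypothetical, and proc_umask assumes Linux 4.7 or later, where /proc/PID/status carries an "Umask:" field.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print the octal mode a new file or directory gets under a given umask.
#   $1 = umask value (e.g. 002), $2 = "file" or "dir"
mode_under() {
    tmp=$(mktemp -d) || return 1
    # Subshell: the umask change dies with it, just as a value set in
    # /etc/profile never reaches a daemon that was not started from a shell.
    (
        umask "$1" || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    )
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
}

# Print the umask a running process actually has.
# Assumption: Linux 4.7 or later ("Umask:" line in /proc/PID/status).
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# Return 0 if an octal mode has the group-write or other-write bit set.
is_group_or_world_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Demo: the two values from the post, plus a tighter one for comparison.
for m in 022 002 027; do
    f=$(mode_under "$m" file)
    d=$(mode_under "$m" dir)
    printf 'umask %s -> file %s, dir %s\n' "$m" "$f" "$d"
done
printf 'umask of this shell (pid %s): %s\n' "$$" "$(proc_umask $$)"
```

After restarting Apache, calling proc_umask with the PID of the apache2 or httpd parent process should print 0002 if the envvars setting was picked up.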


Debian adopts time-based release freezes

Earlier this week, at DebConf 9, the Debian team proposed a new approach for Debian’s release cycle, which was later announced publicly on the Debian site:

“The Debian project has decided to adopt a new policy of time-based development freezes for future releases, on a two-year cycle. Freezes will from now on happen in the December of every odd year, which means that releases will from now on happen sometime in the first half of every even year. To that effect the next freeze will happen in December 2009, with a release expected in spring 2010. The project chose December as a suitable freeze date since spring releases proved successful for the releases of Debian GNU/Linux 4.0 (codenamed “Etch”) and Debian GNU/Linux 5.0 (“Lenny”).”

This doesn’t mean that we will have a time-based release on a specific date, as Ubuntu does for example, but it means that we will have a time-based freeze for each new release (in December of every odd year); the release will still become stable “when it is ready”, but after this we can expect new releases, in general, sometime in the spring of every even year.

“Time-based freezes will allow the Debian Project to blend the predictability of time based releases with its well established policy of feature based releases. The new freeze policy will provide better predictability of releases for users of the Debian distribution, and also allow Debian developers to do better long-term planning. A two-year release cycle will give more time for disruptive changes, reducing inconveniences caused for users. Having predictable freezes should also reduce overall freeze time.”

This new approach will leave a very short time for the next release, Debian 6.0 (“Squeeze”), which will be frozen later this year (lenny was released earlier this year, in February). Here are the major release goals for squeeze: multi-arch support, which will improve the installation of 32 bit packages on 64 bit machines, and an optimised boot process for better boot performance and reliability.


Debian Lenny 5.0.2 updated

The Debian project just announced the second update for its stable distribution “lenny” 5.0.2. Those installing regular updates from security.debian.org might not even notice this update, except for the version change to 5.0.2. As an interesting change, the debian-installer has been updated to allow the installation of the oldstable release (Debian 4.0 “etch”).

“The Debian project is pleased to announce the second update of its stable distribution Debian GNU/Linux 5.0 (codename “lenny”). This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

New version of the debian-installer
The debian-installer has been updated to allow the installation of the previous stable release (Debian 4.0 “etch”) and to include an updated cdebconf package which resolves several issues with installation menu rendering using the newt frontend, including:
* explanatory text overlapping with the input box due to a height miscalculation
* overlapping of the “Go Back” button and the select list on certain screens
* suboptimal screen usage, particularly affecting debian-edu installations
The installer has been rebuilt to use the updated kernel packages included in this point release, resolving issues with installation on s390 G5 systems and IBM summit-based i386 systems.”

Release Announcement: http://www.debian.org/News/2009/20090627


PHP Sessions in Memcached

The moment a PHP application grows to run on more than one server, people normally start seeing problems caused by PHP sessions. If the application is not persistent you are lucky and don’t need to care about this; if it is, you will quickly run into it, and regardless of how well your load balancer handles stickiness (sending users to the same real server), it will slowly become a major issue. There are various solutions for storing PHP sessions in a shared location, but today I want to present one that is very simple to implement, yet very efficient and in the long term better suited than a database backend: using memcache to store the sessions.

The PECL memcache PHP extension has long supported the memcache session.save_handler, and the 3.0.x release (still in beta at this time) brings a set of interesting features for us:
- UDP support
- Binary protocol support
- Non-blocking IO using select()
- Key and session redundancy (values are written to N mirrors)
- Improved error reporting and failover handling


Debian Lenny 5.0.1 updated

Just a few days after the eighth update of etch (4.0r8), the Debian project announced the first update of lenny. Unlike the etch updates, this one gets a minor version number, 5.0.1, and also updates the /etc/debian_version file with this information; even if this is a simple change, I like it a lot, as it will make it much easier to identify what update level a machine is running (just like the Red Hat world has always had in /etc/redhat-release ;-) ). Besides this cosmetic change, most of the updates were already on security.debian.org; still, there is a kernel update (a minor version update, of course) that fixes some openvz and nfs bugs (see the Debian kernel changelog for full details) and, because of this, also an updated debian-installer.

“The Debian project is pleased to announce the first update of its stable distribution Debian GNU/Linux 5.0 (codename lenny). This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won’t have to update many packages and most updates from security.debian.org are included in this update.”

Release Announcement: http://debian.org/News/2009/20090411


iptables geoip match on debian lenny

The geoip iptables extension allows you to filter, nat or mangle packets based on the source or destination country. This does exactly what the geoip apache module or the regular geoip binary does, but at the iptables level. I will not go into the details of why you would want to use it, but there are many ‘positive’ ways it can be useful… For example, I use it in a project where we want to serve customized content for different countries. Since this is a high traffic site running on many web servers behind a load-balanced setup, we prefer to split this at the load balancer level and not at the apache level, to simplify our setup. We serve customized content to US-based visitors, while for the other countries we serve another, international site.

This has been working fine for a long time, using the original geoip module and the patch-o-matic-ng method of installation (similar to what is very well described here). Still, this is unmaintained, and starting with kernel 2.6.22 it no longer works. There is a patch that will make it work with a newer kernel, but if you run iptables 1.4.x this will again fail, and even if there are some manual workarounds this is still not the best solution.

The solution is called Xtables-addons. Xtables-addons is the successor to patch-o-matic-ng. Likewise, it contains extensions that were not, or are not yet, accepted in the main kernel/iptables packages. Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile the kernel; sometimes recompiling iptables is also not needed.
The latest version, 1.12, supports iptables >= 1.4.1 and kernel-source >= 2.6.17.


Lenny domU Xencons

Even though at some point it looked like Debian lenny would not have full Xen support (for the 2.6.26 amd64 kernel), in the end this was fixed and lenny fully supports Xen even on amd64. Upgrading from 2.6.18 to 2.6.26 is very straightforward (though we were using xen-hypervisor 3.2-1 already) and the only problem noticed was that the console on the domU machines was no longer working: it was showing the output correctly, but you could not enter anything on the console.

This is caused by the ‘new Xen console’ (Xen now uses hvc0 for its console). To fix it, add one line to your virtual machine's Xen configuration file, restart the VM, and it should be fine. In /etc/xen/<myvm>.cfg add this line:
extra = "console=hvc0 xencons=tty"


HowTo install iotop on Debian Etch

In my previous post, I introduced iotop, a very cool tool that displays a table of current I/O usage by processes on the system; just as useful as top, but for I/O monitoring. Unfortunately, iotop requires Python >= 2.5 and a Linux kernel >= 2.6.20 to work, and even if the installation is very simple, as presented in my last post, getting it to run on older distributions might not be so easy. This post will show how you can run iotop on Debian etch, describing how we can solve the dependencies and make iotop run just fine on etch.

Interview: Steve McIntyre, Debian Project Leader

Here is an interesting interview with Steve McIntyre, the current leader @ debian.org, where he talks about his work as the DPL and Debian's future in general. By the way, Steve is standing for re-election this year… we will see how this turns out after this year's vote…

http://www.h-online.com/open/Interview-Steve-McIntyre-of-Debian–/features/112783
