[volunteers] gruyere (Linode host) upgraded

Rick Moen rick at linuxmafia.com
Tue Dec 18 02:27:11 PST 2007


Daniel, Lisa, and I (mostly Lisa) did a bunch of fixes to the Linode
virtual machine, last Thursday:  We merged in the extra disk space
allocated by Linode management, bringing the machine up to 8GB.  (It has
256 MB RAM.)  We also switched to a Linode-compiled 2.6.23.1 kernel
instead of the ancient 2.4.x one left over from Micah Dowty's original
choice of Ubuntu Server 5.10 "Breezy Badger" in 2005.  (Note:  Because
Linode virthosts run under User Mode Linux, we must pick from
Linode-supplied kernels.  Our virthost doesn't _contain_ that kernel,
nor any initrd, nor any bootloader.  Those are in the outside real host 
machine.)

Daniel had pointed out that, even though my site documentation has been
thorough, its location in /usr/local/src was a bit non-obvious -- that
he'd expect to find something in /root or the system root directory.  
(It's in /usr/local/src to make it readable even by non-root users, and 
we don't want to clutter the system root unnecessarily.)  Daniel's point
about non-obviousness being well taken, I made a note to fix that.

I'd mentioned to Daniel that there are a couple of semi-large subtrees that
needed scrutiny:  We need to be careful to not waste disk space.  One
was in ex-VP Micah Dowty's home directory:  three tarballs related to
the MoinMoin prototype (~200MB total), plus unpacked trees of those
(~800MB).  Another was the /var/www/lisa/* tree (125MB).  (I originally
thought this was bigger, not just 125MB.)

Today, I got back to the task.

I'd already, long ago, upgraded the virthost to Ubuntu Server 6.06
"Dapper Drake".  So, today, I brought it the rest of the way to late
2007:

   dapper (6.06)  ->  edgy (6.10)  ->  feisty (7.04)  -> gutsy (7.10)
                                                           ^
                                                           |
                                                        WE ARE HERE

It's now fully upgraded to Ubuntu Server 7.10 Gutsy Gibbon.

At the same time, I'd promised that I would see about paring down the
installed software, and have done so.  219 packages remain, and I've
managed to get rid of some big ones.  

/usr/ (exclusive of /usr/local):  200MB
/usr/local/ :                     192MB

"deborphan" and "debfoster" were key in trimming the fat on packaged
software, along with careful use of "apt-get remove".  There are also
tricks to upgrading Debian or similar (including Ubuntu Server) machines
with minimal risk.  See:  "Gradual Upgrade" on
http://linuxmafia.com/kb/Debian/ if interested.

Total disk space currently used on the virthost:  946MB out of 7.7GB
accessible (13% used).


Following Daniel's suggestion, I put symlinks pointing to the site
documentation in /root, in the system root, in each current user's home
directory, and in /etc/skel.


One of the pleasant surprises during the upgrade is that an official
Ubuntu package for the Lighttpd Web server -- not previously packaged by
Ubuntu at all -- showed up starting with the Ubuntu 7.04 "feisty" stage.
Until today, we'd been obliged to use a locally built .deb I constructed
of Lighttpd 1.4.12, which required debianising an upstream tarball and
using dpkg-buildpackage to compile a binary .deb, then insert it using
"dpkg -i".  (All of that is documented in
/usr/local/src/lighttpd-ubuntu-build-instructions.)  _That_ in turn
required installation of various toolchain packages for compiling.  

With the arrival of official Ubuntu binary packages for Lighttpd
(currently v. 1.4.18), the need for _both_ build tools and locally
compiled .deb packages went away.  Accordingly, I've (just now) deleted
the Lighttpd trees from /usr/local/src, keeping only the build
instructions in case we ever need them again.

Since J. Paul Reed and Micah Dowty haven't been on the system in years,
I've removed their logins and home directories.  Micah's tarballs
related to MoinMoin are in /usr/local/src/micahs-stuff , and should 
be looked over to see if there's anything there we need.  (I suspect
not.)

Lisa, can you delete /var/www/lisa if it's no longer needed, or move it
to your homedir, or at least document within /usr/local/src what it's
there for?  (It looks like a copy of the main PHP/HTML tree.)

Lighttpd initially blew up with the official .deb package's arrival, but
only because the official package expected to run with UID "www-data",
GID "www-data", instead of "www" for both in the package I'd compiled.
I fixed this in /etc/lighttpd/lighttpd.conf and re-chowned trees in 
/var/www and /var/log/lighttpd as needed.  The Web server now works
again.  (It's serving up a replica of the current svlug.svlug.org
PHP/HTML site.  Check FQDN "ns1.svlug.org" with your Web browser, to
see.)

Thanks to good work by Paul in early 2007, it is reported to be capable
of running MoinMoin as a FastCGI process.  I have not confirmed this.

PHP warning:  As happens often when people enable PHP on Web servers,
the Linode host received a somewhat unsafe /etc/php5/cgi/php.ini file,
intended for development use in protected network environments _only_.
Note comments at the top of that file:

  ;;;;;;;;;;;
  ; WARNING ;
  ;;;;;;;;;;;
  ; This is the default settings file for new PHP installations.
  ; By default, PHP installs itself with a configuration suitable for
  ; development purposes, and *NOT* for production purposes.
  ; For several security-oriented considerations that should be taken
  ; before going online with your site, please consult php.ini-recommended
  ; and http://php.net/manual/en/security.php.

These are serious security risks, so I've just now fixed the PHP5
settings to match my recommendations in "PHP" on
http://linuxmafia.com/kb/Security/ .  (Please note that I suspect the
same may be true of PHP4 on svlug.svlug.org, and someone with sudo
access should please check ASAP.)

(Don't feel bad, any of y'all, if you've enabled PHP on Web sites without
reading and altering php.ini first:  I've done that, too.  It's a
genuine nasty trap for the unwary.)


I should mention and explain:  One of the many packages I removed was
aptitude.  A .deb-based system with console administration should
ideally be maintained using either apt-get or aptitude but not both,
because each keeps (some) separate records and cannot read each other's.  
Of the two, it's easier using apt-get to keep down the growth of
optional software, because apt-get (unlike aptitude) doesn't autoinstall
packages listed as "Recommends" dependencies.  (Yes, the behaviour of
aptitude in that regard _can_ be changed.  I believe you put
Aptitude::Recommends-Important "false" into /etc/apt.conf .)
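
An added example, not part of the message above: a shell function that audits a php.ini, such as the /etc/php5/cgi/php.ini discussed in the PHP warning, for development-style settings. The directive list and wanted values are this example's assumptions (commonly hardened PHP 5 directives), not the recommendations from the linuxmafia.com page, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: flag development-style settings in a php.ini.
# The directive list is this example's assumption, not the checklist
# from the linuxmafia.com page the message cites.
# Usage: audit_php_ini /etc/php5/cgi/php.ini

audit_php_ini() {   # $1 = path to php.ini; exit status 1 if anything is flagged
    awk '
    function norm(v) {                      # fold PHP boolean spellings
        if (v == "1" || v == "on" || v == "yes" || v == "true") return "on"
        if (v == "0" || v == "off" || v == "no" || v == "false" || v == "") return "off"
        return v                            # e.g. display_errors = stderr
    }
    BEGIN {                                 # directive -> value wanted in production
        want["display_errors"]   = "off"
        want["log_errors"]       = "on"
        want["register_globals"] = "off"
        want["allow_url_fopen"]  = "off"
        want["expose_php"]       = "off"
    }
    {
        line = $0
        sub(/;.*$/, "", line)               # drop comments, whole-line or trailing
        n = index(line, "=")
        if (n == 0) next                    # blank line or [section] header
        key = tolower(substr(line, 1, n - 1))
        val = tolower(substr(line, n + 1))
        gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
        if (key in want) seen[key] = norm(val)   # keep the last assignment seen
    }
    END {
        for (k in want) {
            if (!(k in seen))            { print "UNSET " k " (want " want[k] ")"; bad = 1 }
            else if (seen[k] != want[k]) { print "RISKY " k " = " seen[k] " (want " want[k] ")"; bad = 1 }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample input (not the host's real file).
write_sample_ini() {   # $1 = output path
    cat > "$1" <<'EOF'
[PHP]
; display_errors = Off
display_errors = On      ; show errors to the browser
log_errors = Off
register_globals = Off
allow_url_fopen = "1"
EOF
}
```

UNSET means the file never assigns the directive, so PHP's built-in default applies and should be checked by hand.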





