Simple ‘Down for Maintenance’ Solution for Apache using .htaccess

I finally decided to create a maintenance page to use whenever I’m upgrading any of my sites. This solution was pretty simple.

I added two rewrite stanzas (RewriteCond plus RewriteRule) to the top of the .htaccess file at the base of the site. The first handles the case where the maintenance page exists:

# If the maintenance.html page exists, redirect to that.
RewriteCond /full/path/to/site/system/maintenance.html -f
# Don't redirect if the maintenance page was requested.
RewriteCond %{REQUEST_URI} !^/system/maintenance\.html$
# The substitution is a plain URL, not a regex, so its dots are not escaped.
RewriteRule ^.*$ http://blog.coredump.ca/system/maintenance.html [R,L]

If the maintenance.html file exists, it is displayed. What happens when the maintenance is complete? Well, I remove the maintenance.html page of course. To prevent anyone from seeing a 404 once maintenance.html has been removed, I added the following to .htaccess immediately after the previous stanza:

# If the maintenance.html page does not exist, redirect to the index.
RewriteCond /full/path/to/site/system/maintenance.html !-f
RewriteCond %{REQUEST_URI} ^/system/maintenance\.html$
# The substitution is a plain URL, not a regex, so its dots are not escaped.
RewriteRule ^.*$ http://blog.coredump.ca [R,L]

Now all I do whenever I bring the site down for maintenance is:

  1. copy maintenance.html into the appropriate location;
  2. perform the site maintenance;
  3. remove maintenance.html.

Isn’t that easy?

Installing Fedora 10 from USB drive

I’ve got an old IBM ThinkPad R51 that needed an upgrade. The CD-ROM has become flaky, so I wanted to install from a USB thumbdrive. Turns out this was pretty easy.

  1. Download the Fedora live CD. For Fedora 10, this is about 682MB.
  2. Follow the instructions at How to create and use Live USB.

That’s all it took. To boot from USB, you have to press the blue ‘Access IBM’ button, then F12. From there, the BIOS presents a menu and you can select the thumbdrive as a boot device.

BTW, I was initially going to attempt a PXE-boot and kickstart. This is also easy to do thanks to the folks at Etherboot.

IP Change Now Complete

Shaw was having routing issues (which was pretty obvious from my traceroute). Now that those issues have been resolved, I’m back up and running again. It’s unfortunate that this IP change led to ~9 hours of downtime.

Helping Daddy Change the Static IPs

Shaw notified us a while ago that we were getting new static IP addresses. This is part of their “ongoing commitment to proactively manage and upgrade” their internet network. Whatever that means.

The old IPs (70.73.128.39 and 70.73.128.40) became inactive around 1AM today. The new IPs (96.53.0.246 and 96.53.0.250) were to become active at 6AM today.

This is where Nathaniel became involved.

At 5AM our Number One Son and Heir awoke. As happens most early mornings, he wakes up very cheerful. And why wouldn’t he be today? After all, he was going to get to help daddy work on the dmurray.ca network infrastructure.

Having received my 5AM wake-up call, I gave him a bottle. I then made myself a cappuccino to kickstart my sleep-deprived brain. We then headed down to the doffice to see whether Shaw was on time.

So far, not so good.

Forward and reverse DNS are working correctly for wart.dmurray.ca:
dmurray@euler:/home/dmurray 0> dig +short wart.dmurray.ca
96.53.0.250
dmurray@euler:/home/dmurray 0> dig +short -x 96.53.0.250
wart.dmurray.ca.

But I’m able to do nothing more than ping the gateway IP (96.53.0.249). I’m able to resolve external hosts, but unable to reach any of them. Hmm. I tried a traceroute on wart.dmurray.ca:

root@wart:~# traceroute shaw.ca
traceroute to shaw.ca (204.209.208.8), 30 hops max, 40 byte packets
1 * * *
2 rd1no-ge7-0-0-2.cg.shawcable.net (64.59.131.210) 9.615 ms 9.261 ms 8.978 ms
3 * * *
4 * * *
...
30 * * *

Right. The only host that responded was rd1no-ge7-0-0-2.cg.shawcable.net. Time to make a call to tech support. Yuck.

Since there wasn’t much else Nathaniel could do, he decided to roll around on the floor. Back to front, front to back, play with toys, play with toes, back to front. He’s getting really good at rolling over. But he’s still not sleeping through the night — up at least once, if not twice.

Significant Backscatter

Experienced my first significant backscatter on one of my domains today. Good times.

Here’s how backscatter happens:

  1. spammer forges the sender in email, such as ‘From: NameGeneratedBySpammersEvilSoftware@example.com’;
  2. server which receives the forged email bounces the message;
  3. since the spammer used my domain as the sender, the bounce comes to my domain;
  4. since the spammer guessed a name that doesn’t actually exist, my mail server is unable to deliver the bounce message locally (generating a double bounce);
  5. my mailserver then sends the double bounce to postmaster at my domain; since I’m the postmaster, it sucks to be me.

Over a 5-hour period, I received 1200 of these little messages.

Some of this is caused by my use of qmail. Qmail accepts a message for delivery at the SMTP stage, and only then realizes there is no suitable recipient. At that point it has to generate a bounce and return it to the sender — who was forged, creating a double bounce.

Might become necessary to install chkuser — it refuses to accept email unless there is an actual recipient. We’ll see. At the moment, the rate of backscatter has dropped to a few per hour.
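
The accept-then-bounce path above, next to a recipient check at RCPT TO, as an added model that is not part of the original post and is not qmail or chkuser code. The domain, mailbox names and envelopes are constructed for illustration.

```python
from collections import Counter

DOMAIN = "example.com"                 # assumed local domain
MAILBOXES = {"postmaster", "alice"}    # assumed set of real local users


def is_deliverable(rcpt):
    """True when rcpt names a real mailbox in our domain."""
    local, _, domain = rcpt.lower().rpartition("@")
    return domain == DOMAIN and local in MAILBOXES


def handle(mail_from, rcpt_to, check_rcpt):
    """Classify what the server ends up doing with one envelope.

    check_rcpt=False: accept at SMTP time, discover the bad recipient later.
    check_rcpt=True:  refuse unknown recipients during the SMTP session.
    """
    if is_deliverable(rcpt_to):
        return "delivered"
    if check_rcpt:
        return "rejected"          # 5xx in session; nothing is queued locally
    if mail_from == "":            # null sender: the message is itself a bounce
        return "double_bounce"     # undeliverable bounce lands on postmaster
    return "bounce"                # new bounce goes to a possibly forged sender


# Constructed envelopes: (MAIL FROM, RCPT TO)
ENVELOPES = [
    ("", "kq7xw@example.com"),                      # bounce for a forged, nonexistent sender
    ("", "zz91b@example.com"),                      # another one
    ("", "alice@example.com"),                      # genuine bounce for mail alice sent
    ("victim@example.org", "nobody@example.com"),   # spam carrying a forged sender
    ("bob@example.net", "alice@example.com"),       # ordinary mail
]


def tally(check_rcpt):
    """Count outcomes over the sample envelopes for one server policy."""
    return dict(Counter(handle(f, t, check_rcpt) for f, t in ENVELOPES))


if __name__ == "__main__":
    print("accept then bounce:", tally(False))
    print("check at RCPT TO:  ", tally(True))
```

With the check enabled, the postmaster mailbox receives no double bounces, and the server also stops sending its own bounce to the forged `victim@example.org` address.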

Passed My RHCE Exam

I received the results from my RHCE exam — they arrived in my inbox Friday night.

  • Section I: Troubleshooting and System Maintenance
    • Compulsory: 50/50
    • Non-compulsory: 50/50
    • Overall Section I score: 100
  • Section II: Installation and Configuration
    • RHCT Components: 93.5/100
    • RHCE Components: 100/100

My marks were much higher this time. Three more years of experience helped, but it was probably more important that I wasn’t a sleep-deprived father of a 7-week-old baby girl. It also helped that I had my IBM R51 with CentOS 5 — this was indispensable when I was studying.
RHCE Certificate number: 805007524928180
RHCE Certificate (PDF)

RAITD (Redundant Array of Inexpensive Thumb Drives)

During yesterday’s RHCE class, Lee used a powered USB hub and some cheap USB thumb drives to construct a software RAID array.

This seemed like a pretty cool (and inexpensive) way to build a software RAID without destroying my ThinkPad. It wouldn’t do me any good to disable my ThinkPad before the RHCE exam, now would it?

I found a USB hub and some 512MB thumb drives at Staples. The drives were only $10 each, so this was a much lower barrier to entry than an enterprise attached storage solution.

Once I had the thumb drives connected I created some partitions of type fd (Linux raid autodetect). I then created the RAID 1 devices with mdadm. Once those were in place I created LVM pvs, vgs, and lvs. Last came the ext3 filesystems.

The beauty of this setup is I now have a safe place to test things. And it’s just too hilarious, you know?

RHCE RHEL5 — Day 1

I’m taking my RHCE again — it’s been 3 years, and my old certificate is going to expire real soon now. So I’m in Toronto and missing my girls.

When I took this course in 2004, I did it in Calgary. The instructor was Lee Elston. I was kind of surprised to see he’s my instructor this time around too.

The participants in this class seem pretty knowledgeable. This will keep Lee on his toes — no newbie questions from these people. It also means I’ll have to keep my blood-caffeine level pretty high.

Toronto Eaton Centre

This evening I’ve been hacking on my IBM R51. I installed CentOS 5 on it a couple weeks ago, because I knew what I’d be doing in the hotel.

Things I’ve done to this machine tonight:

  • added udev rules for my CIRA usb key and my SanDisk SDDR-92 CF Reader:

    cat /etc/udev/rules.d/70-cirakey.rules
    BUS=="usb", KERNEL=="sd*", SYSFS{serial}=="JT8EYK0J", NAME="cirakey%n"
    cat /etc/udev/rules.d/70-imagemate.rules
    BUS=="usb", KERNEL=="sd*", SYSFS{serial}=="0300176226", NAME="imagemate%n"
  • added corresponding entries to /etc/fstab:

    /dev/imagemate1 /media/flash vfat noauto,user 0 2
    /dev/cirakey1 /media/cirakey vfat noauto,user 0 2
  • labelled my root filesystem as /:

    e2label /dev/vg0/slash /
  • updated both /etc/fstab and /boot/grub/grub.conf, then rebooted (yes, the system came back just fine):

    grep -w \/ /etc/fstab
    LABEL=/ / ext3 defaults 1 1
    grep -w \/ /boot/grub/grub.conf
    kernel /vmlinuz-2.6.18-8.1.8.el5 ro root=LABEL=/ rhgb quiet
  • switched to permissive SELinux policy, then rebooted (relabelling the filesystems)

I’m happy to announce that the laptop is running better than it was when I left Calgary.

I still have a little more to review before I sleep: quotas, ACLs, and swapfiles.

SpamAssassin, spam_buttons, Squirrelmail, and CentOS 3

After more than 6 years, I’m finally starting to get spam on my primary dmurray.ca email address. It has certainly helped that the address has not been published: my fans need to use my contact page first.

The QVCS Guide has clear instructions on configuring SpamAssassin to filter out spam. Once I had this configured I tracked down the spam_buttons plugin for SquirrelMail.

Theoretically, spam_buttons should have been an easy way to mark email as spam or ham (non-spam) from SquirrelMail. Alas, I had to fight a little to get this working. The missing piece was sudo -H in config.php.

  1. Follow the spam_buttons INSTALL instructions.
  2. In /etc/sudoers:

    apache ALL=(ALL) NOPASSWD: /usr/bin/sa-learn
  3. In spam_buttons/config.php:

    $is_spam_shell_command = 'sudo -H -u ###USERNAME### /usr/bin/sa-learn --spam';
    $is_not_spam_shell_command = 'sudo -H -u ###USERNAME### /usr/bin/sa-learn --ham';
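
The sudoers entry in step 2 lets apache run sa-learn as any user, root included, with any arguments and no password. The following check is an added example, not part of the original post or of spam_buttons. It audits that line beside a narrower one that still matches the two commands in config.php; the `MAILUSERS` Runas_Alias in the narrower rule is hypothetical and would need to be defined to list the real mail accounts.

```python
import re

# One simple user specification: user host=(runas) [TAG:] cmd[, cmd...]
SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

PAGE_RULE = "apache ALL=(ALL) NOPASSWD: /usr/bin/sa-learn"
# Hypothetical narrower rule; MAILUSERS is an assumed Runas_Alias.
NARROW_RULE = ("apache ALL=(MAILUSERS) NOPASSWD: "
               "/usr/bin/sa-learn --spam, /usr/bin/sa-learn --ham")


def audit(line):
    """Return a list of findings for one sudoers user specification."""
    m = SPEC.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    # Text before an optional ':' in the runas list is the user list.
    runas_users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
    if "ALL" in runas_users or "root" in runas_users:
        findings.append("runas includes root")
    if "NOPASSWD:" in m["tags"].split():
        findings.append("no password required")
    for cmd in (c.strip() for c in m["cmds"].split(",")):
        # A command listed without arguments may be run with any arguments.
        if len(cmd.split()) == 1:
            findings.append("any arguments allowed: " + cmd)
    return findings


if __name__ == "__main__":
    for rule in (PAGE_RULE, NARROW_RULE):
        print(rule)
        for finding in audit(rule):
            print("  -", finding)
```

NOPASSWD remains in the narrower rule because the web server cannot answer a password prompt; what changes is who sa-learn can run as and which arguments it accepts.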

Shaw SOHO Xtreme-I With Two Static IPs

Ten days ago I upgraded our Shaw residential internet to a business account: SOHO Xtreme-I with a pair of static IP addresses.

We’d been having frequent internet outages, probably because we had an old Motorola CyberSURFR Wave cablemodem. The symptoms: I would be unable to ping the gateway address, I’d check the modem and the ‘cable’ light would be flashing. I’d call Shaw’s residential tech support and they’d begin asking really stupid questions.

“Do you have a router?”

“What kind of operating system do you use?”

“How many computers are connected?”

Trying to explain that the flashing ‘cable’ light meant there was a problem between the modem and Shaw’s infrastructure was an exercise in futility.

After a few minutes or a few hours of interruption, the CyberSURFR would once again begin talking to the internet at large.

So I did two things:

  1. Went to Shaw’s retail outlet and exchanged the CyberSURFR with a Motorola DOCSIS SURFBoard (SB5101);
  2. Upgraded to a business account.

The former put us on a newer network — I suspect the CyberSURFR network is old and crufty, and likely that’s the reason for the frequent outages. The latter allows us to talk to semi-intelligent tech support people.

By upgrading from the base SOHO to Xtreme-I we get a theoretical 1 Mbps upload speed, which is good for Personal Thyme.

Last week I phoned Shaw’s business tech support and asked them to update the reverse DNS for my static IP so it pointed back at dmurray.ca. The tech actually understood what I was saying — don’t try that with the residential techs.

After 10 days we’ve had no downtime at all. I’m pretty happy with this so far.