CSF bugs and updates

June 25th, 2016

ConfigServer Security and Firewall (CSF) is a great program for managing iptables/netfilter firewall rules on Linux servers and performing automated blocks based on various things such as brute force login attempts (check it out at http://www.configserver.com/cp/csf.html) and I really shouldn’t complain given that it’s free, but sometimes I really do wonder if ConfigServer/Way to the Web actually do any testing at all before releasing new versions!

7 issues fixed in 6 bugfix releases (9.01 to 9.06) in 2 days! It’s a good job that the automatic update feature works properly…

ValueError in Django migration

May 15th, 2016

I’ve recently started developing in Python+Django again for a personal site that I’m working on and for far too long today I’ve been pulling my hair out when trying to write what should be a fairly simple migration using migrations.RunPython() to generate a default value to assign to a new OneToOneField column.

The rather confusing error message that I was receiving is:

ValueError: Cannot assign "<User: blah>": "Profile.account" must be a "User" instance.

This seems to be the same problem described at http://stackoverflow.com/questions/29700001/valueerror-cannot-assign-user-issue-on-my-onetoonefield-relationship, but nothing mentioned in that post worked.

I was hopeful when I came across https://code.djangoproject.com/ticket/24282 that this was a known issue, but alas whilst similar it’s not exactly the same problem and that bug was closed over a year ago. Back to square one!

What was particularly confusing was that the same code seemed to work as expected when run in the Django shell:

from foo.models import Profile, Article
from django.contrib.auth.models import User
first_superuser = User.objects.all().filter(is_superuser=True).first()
default_profile = Profile(account=first_superuser, biography="")
default_profile.save()

After a lot of fiddling, I eventually realised that the way in which I was importing the User model from the built in Django auth system was wrong for a migration. Inside a migration the models have to come from the historical app registry that Django passes to the RunPython function as `apps`; the `User` class imported directly from `django.contrib.auth.models` is a different class object from that registry's `auth.User`, which is why the OneToOneField assignment rejected an instance of it. So I replaced:

from django.contrib.auth.models import User

with:

User = apps.get_model('auth', 'user')

And now the migration finally works as expected. 🙂
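For completeness, here is the whole data migration written the way the fix above requires, with both models fetched from the historical registry and a reverse step so the migration can be unapplied. This is an added example, not the migration from the original post; the app label `foo`, the dependency `0002_profile` (assumed to be the migration that added `Profile`) and the `biography` field are assumptions.

```python
"""Data migration: create a default Profile for the first superuser.

Added example, not the original post's migration file. Assumes an app
called ``foo`` whose ``Profile`` model has a OneToOneField ``account`` to
``auth.User`` and a ``biography`` field, added by migration ``0002_profile``.
"""
try:
    from django.db import migrations
except ImportError:  # allows the RunPython functions to be imported without Django
    migrations = None


def create_default_profile(apps, schema_editor):
    """Forward step for RunPython.

    Both models come from the migration's historical app registry (``apps``).
    A ``User`` imported from ``django.contrib.auth.models`` is a different
    class from the historical ``auth.User``, so assigning one to the
    historical ``Profile.account`` raises "must be a User instance".
    """
    User = apps.get_model("auth", "User")
    Profile = apps.get_model("foo", "Profile")

    first_superuser = User.objects.filter(is_superuser=True).order_by("pk").first()
    if first_superuser is None:
        # Nothing to attach a default profile to on an empty database.
        return None
    # get_or_create keeps the migration idempotent if it is re-run.
    profile, _created = Profile.objects.get_or_create(
        account=first_superuser, defaults={"biography": ""}
    )
    return profile


def delete_default_profile(apps, schema_editor):
    """Reverse step so `migrate foo 0002` can undo this migration."""
    User = apps.get_model("auth", "User")
    Profile = apps.get_model("foo", "Profile")
    first_superuser = User.objects.filter(is_superuser=True).order_by("pk").first()
    if first_superuser is not None:
        Profile.objects.filter(account=first_superuser).delete()


if migrations is not None:
    class Migration(migrations.Migration):
        dependencies = [
            ("auth", "0001_initial"),
            ("foo", "0002_profile"),  # assumed: the migration that added Profile
        ]
        operations = [
            migrations.RunPython(create_default_profile, delete_default_profile),
        ]
```

The forward function returns the profile it created (or found) purely so it can be exercised from a test with a stand-in registry; Django itself ignores RunPython return values.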

Cumulus attacks on Juniper (again)

November 12th, 2015

I have a lot of time for Cumulus Networks – I think they’re doing some very cool and unique things with their Cumulus Linux operating system for switches and they genuinely have something different to offer, but when they publish blog posts like their one today (https://cumulusnetworks.com/blog/junipers-second-run-up-the-open-networking-mountain/) I lose a lot of respect for them.

This seems to be nothing more than a thinly veiled attack casting FUD (Fear, Uncertainty and Doubt) at a competitor – a knee-jerk reaction to a threat to their business. It actually reads pretty similarly to their blog post when Juniper originally announced the OCX range (https://cumulusnetworks.com/blog/juniper/). They’ve probably attacked other vendors in a similar manner.

For example, just by going to the main QFX5200 page on the Juniper web site (http://www.juniper.net/us/en/products-services/switching/qfx-series/qfx5200/), I find:

Open access to the standard Junos Linux kernel, enabled by the disaggregated version of the Junos software, allows users to install third-party Linux RPM packages and create guest containers and VMs with central resource management and programmable APIs.

Yes that still needs a little more detail, but it answers at least some of the questions and all it took was a couple of clicks! Imagine what you could find out by actually speaking to someone familiar with the details…

I have a few questions of my own for Cumulus Networks:

  1. Did Cumulus Networks actually attempt to find out the answers to any of these points yourselves? If so, were you unable to find the details, or did you just not like what you found so decided to feign ignorance?
  2. Will Cumulus Networks put their money where their mouth is and make sure that Cumulus Linux runs on the Juniper QFX5200 series of switches (assuming that Juniper are willing to co-operate)?
  3. Does Cumulus Linux currently run on any switches powered by the Broadcom StrataXGS Tomahawk chipset? It doesn’t seem to be listed anywhere on the Cumulus Linux HCL that you so helpfully linked to from your blog post.
  4. Does Cumulus Linux currently run on any switches which support 25G, 50G or 100G Ethernet ports? These also seem to be conspicuously absent from the Cumulus Linux HCL.
  5. When will Cumulus Networks offer a fully featured MPLS implementation on their Cumulus Linux control plane?

Upgrading to Junos 12.3 from before 10.4R2 on Juniper EX

October 19th, 2015

In the release notes for Junos 12.3 (http://www.juniper.net/techpubs/en_US/junos12.3/information-products/topic-collections/release-notes/12.3/topic-69605.html#pre-resilient-dual-root-upgrade-ex) on Juniper EX series switches, it says:

Upgrading from Junos OS Release 10.4R2 or Earlier

To upgrade to Junos OS Release 12.3 from Junos OS Release 10.4R2 or earlier, first upgrade to Junos OS Release 11.4 by following the instructions in the Junos OS Release 11.4 release notes. See Upgrading from Junos OS Release 10.4R2 or Earlier or Upgrading from Junos OS Release 10.4R3 or Later in the Junos OS 11.4 Release Notes.

Unfortunately, Juniper don’t list any Junos releases older than 12.3R1 for the EX4200 (and possibly other EX series) on their download site.

After poking around the Juniper support site for a bit, I found technical bulletin TSB16151 (https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16151), which contains downloads for Junos 11.4R8-S1 on EX2200, EX3200, EX3300, EX4200, EX4500, EX6200, EX8200 and XRE-200.

With this and the jloader files from technical bulletin TSB15524 (http://kb.juniper.net/InfoCenter/index?page=content&id=TSB15524), I was able to complete the upgrade successfully.

cPanel 54

October 16th, 2015

Yesterday cPanel laid out the upcoming changes in cPanel 11.54, or just cPanel 54 as it’s now known (see http://blog.cpanel.com/whats-next-for-cpanel-whm). Whilst light on any details, there are at least some interesting tidbits.

The new versioning system
This makes very little real world difference, but I can’t help but feel like they’re following Google Chrome and Mozilla Firefox in a race to have the largest possible version number!

X3 being retired
Finally! X3 is an absolutely horrible theme which provides a truly terrible experience for users and I’ll be glad to see the back of it at long last!

Paper Lantern becoming the only choice
Hopefully with Paper Lantern becoming the only cPanel user interface (and dropping the silly “Paper Lantern” name!), it will start to move away from just being a tarted up version of X3 with some nicer icons and towards a more friendly, usable interface which doesn’t just feel the need to dump everything on one page!

cPassword, OpenID Connect and 2FA
I’ve got mixed feelings about this – the new cPassword interface sounds like a great idea, but the OpenID Connect feature sounds like a security nightmare, particularly with the default service being hosted externally on cPanel.com. At least we’re going to have the option of replacing it with our own backend (as well as being able to disable it altogether, hopefully!).
That said, two-factor authentication is a great addition, although I suspect that we are going to see more support tickets as people lose their phones etc. and lock themselves out of their hosting!

IPv6 only
cPanel were massively behind the game when it came to adding full IPv6 support, so it’s good to see them adding the ability to run completely without IPv4 now, particularly given the recent IPv4 exhaustion at ARIN.

Nginx front end
Good to see cPanel finally starting to catch up with Odin Plesk on this one! Hopefully we’ll see support for more complex configurations in future versions.

Directory Syncing
This could be quite useful depending on how it’s implemented. I suspect that it will be some form of asynchronous rsync based system, possibly with FTP and/or inode based hooks. Hopefully it won’t just be a periodic cron job task!

EasyApache 4
Hopefully EasyApache 4 will move towards using the operating system package management (RPM and YUM) for Apache and PHP, instead of insisting on needlessly compiling everything from scratch. This is one of my biggest pet peeves with cPanel at the moment – it adds needless complexity to system administration, makes simple tasks like adding an Apache module or PHP extension slow and laborious and even makes installing cPanel pointlessly time consuming. If they have finally caught up with how the rest of the world has been working for the past decade (or more) then it will be great news!

Courier support finally being dropped
Dovecot beats Courier hands down, so it makes sense to stop supporting Courier and move everyone over to Dovecot. There really is little point in spending the extra development effort supporting two mail servers, so I’m a bit surprised that it has taken this long.
I wonder if we’ll continue to see support for both ProFTPD and Pure-FTPd as well as BIND/named, NSD and MyDNS in future or if they will also move those towards only supporting a single daemon.

OpenLiteSpeed OCSP stapling with Comodo PositiveSSL

September 13th, 2015

OpenLiteSpeed supports OCSP stapling, which helps web browsers check the revocation status of an SSL certificate without having to connect to the Certificate Authority’s OCSP servers and so can speed up the SSL connection process.

In order to enable OCSP stapling, first we need to construct the intermediate certificate chain which OpenLiteSpeed will use to cryptographically verify the response from the CA’s OCSP server.

Take the COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt files provided by Comodo when your certificate was issued and concatenate them into a single file, in that order: the CA that issued your certificate first, then the CA that issued that one. OpenLiteSpeed checks the signature on the OCSP response against this file, so the order and completeness of the chain matter:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > /etc/pki/tls/certs/PositiveSSL_chain.pem

Now log in to the OpenLiteSpeed WebAdmin console and perform the following steps:

  1. Click on “Configuration” on the navigation bar and then select “Listeners” from the drop down menu
  2. Click “View/Edit” on your HTTPS listener
  3. Click on the “SSL” tab
  4. Click “Edit” on the “OCSP Stapling” section
  5. Set “Enable OCSP Stapling” to “Yes”
  6. Set “OCSP Responder” to “http://ocsp.comodoca.com”
  7. Set “OCSP CA Certificates” to the file containing the chained intermediate certificates created earlier (“/etc/pki/tls/certs/PositiveSSL_chain.pem” in my case).
  8. Click “Save”
  9. Perform a “Graceful Restart” of the OpenLiteSpeed server

If all has gone well, you now have OCSP stapling working. Click on “Actions” on the navigation bar and then select “Server Log Viewer” from the drop down menu, or look in /usr/local/lsws/logs/error.log, and check that you have a line saying “Enable OCSP Stapling successful!”.

You can also use the excellent SSL Server Test by Qualys’ SSL Labs to check many attributes of your server’s SSL setup, including whether or not OCSP stapling is working.
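The two things worth checking from the command line before and after the steps above are that the chain file is in the right order (otherwise the responder signature cannot be verified and nothing gets stapled) and that a real TLS handshake actually carries a stapled response. The following helpers do both. They are an added example, not code from the original post or from OpenLiteSpeed; they wrap the openssl command line tool, which is assumed to be on PATH, and take PEM intermediate files such as the two Comodo certificates named above.

```python
"""OCSP stapling helpers for OpenLiteSpeed: build the "OCSP CA Certificates"
file in the right order and confirm that a server staples a response.

Added example, not code from the original post or from OpenLiteSpeed.
Assumes the openssl binary is on PATH and that the inputs are PEM files.
"""
import subprocess
from pathlib import Path


def _x509_field(cert_path, flag):
    """Run `openssl x509 -noout <flag>` on one PEM file and return its output line."""
    result = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-noout", flag],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def chain_order_ok(cert_paths):
    """True if every certificate in the list was issued by the one after it.

    Compares the issuer hash of certificate N with the subject hash of
    certificate N+1; the hashes are stable across OpenSSL versions, unlike
    the textual DN output, which changed format between 1.0 and 1.1.
    """
    for current, parent in zip(cert_paths, cert_paths[1:]):
        if _x509_field(current, "-issuer_hash") != _x509_field(parent, "-subject_hash"):
            return False
    return True


def build_chain(out_path, cert_paths):
    """Write the intermediates to out_path (the file given as "OCSP CA Certificates").

    OpenLiteSpeed verifies the OCSP responder's signature against this file,
    so an out-of-order chain is refused here rather than producing a file
    that looks right but cannot validate any response. Returns the number
    of certificates written.
    """
    cert_paths = [Path(p) for p in cert_paths]
    if not chain_order_ok(cert_paths):
        raise ValueError("certificates must be ordered issuer-of-leaf first, then its issuer")
    pems = [p.read_text() for p in cert_paths]
    # Make sure each PEM block ends with a newline so the blocks do not run together.
    Path(out_path).write_text("".join(pem if pem.endswith("\n") else pem + "\n" for pem in pems))
    return sum(pem.count("-----BEGIN CERTIFICATE-----") for pem in pems)


def stapled_response_status(host, port=443, timeout=15):
    """Return the 'OCSP Response Status' value from a TLS handshake, or None.

    Needs network access to the host. "successful" means a valid response was
    stapled; None means nothing was stapled, which is what you get until the
    "Enable OCSP Stapling successful!" line appears in the error log.
    """
    result = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input="Q\n", capture_output=True, text=True, timeout=timeout,
    )
    for line in result.stdout.splitlines():
        if line.startswith("OCSP Response Status:"):
            return line.split(":", 1)[1].strip()
    return None
```

Typical use is `build_chain("/etc/pki/tls/certs/PositiveSSL_chain.pem", ["COMODORSADomainValidationSecureServerCA.crt", "COMODORSAAddTrustCA.crt"])` before the WebAdmin steps, and `stapled_response_status("www.example.com")` (hostname assumed) after the graceful restart, which should return `"successful"`.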

The Zimbra merry-go-round

August 21st, 2015

I’ve been a big fan of the Zimbra email collaboration system for many years, using it since version 4.5 or 5.0 (I can’t remember exactly). However, in recent years the product has been falling further and further behind competitors such as Microsoft Exchange, particularly in the all important area of redundancy and availability.

Email and collaboration are critical to modern businesses and so every effort needs to be taken in order to ensure that they are always available. Microsoft clearly recognise this as Exchange has had Database Availability Groups (DAG) since Exchange 2010 and before that had a number of other High Availability options.

Zimbra however still does not have this as of the current version (8.6). Zimbra were supposed to be addressing this with a 9.0 release scheduled for the second half of 2015, however now that has been pushed back to the first half of 2017 at the earliest!

Instead, we aren’t getting any more releases in 2015 and all we are getting in the first half of 2016 is version 8.7, which will start to bring back the chat feature that was previously dropped! Zimbra aren’t even providing the chat server to start with – just an XMPP client and you will have to run your own server until version 8.8 arrives in the second half of 2016! This will also bring some much needed anti-spam improvements (although it seems that this will be by integrating an as yet unspecified third party product) and two factor authentication. This seems a long time to wait for not a great deal of new functionality!

I can’t help but feel that this is in a large part due to the constant change of ownership of Zimbra. Back in 2007 Yahoo bought Zimbra for $350m (https://yodel.yahoo.com/blogs/partnerships/zimbra-damn-cool-592.html) but then sold it on to VMware in 2010 (http://www.vmware.com/company/news/releases/zimbra.html). The exact amount paid wasn’t disclosed, but it was generally reported to be around $100m.

VMware then sold Zimbra to Telligent in 2013 (http://www.vmware.com/company/news/releases/zimbra-telligent-071513.html), again for an undisclosed amount, who promptly renamed themselves to Zimbra Inc. (https://blog.zimbra.com/2013/07/telligent-acquires-zimbra-from-vmware/) with the products becoming Zimbra Collaboration (formerly Zimbra) and Zimbra Social (formerly Telligent).

Telligent then acquired Mezeo (https://blog.zimbra.com/2014/07/zimbra-acquires-mezeo-adds-cloud-based-secure-file-sharing-capabilities/) for their MezeoFile sync-and-share technology in 2014, with the MezeoFile product becoming Zimbra Sync and Share, which was then discontinued in 2015 (https://blog.zimbra.com/2015/07/discontinuing-zimbra-sync-share/).

Shortly after discontinuing Zimbra Sync and Share, Zimbra made this woolly statement (https://blog.zimbra.com/2015/07/register-free-webinar-zimbra-quarterly-partner-update/):

“As many of you know, Zimbra made a few strategic decisions over the past few months in order to ensure the company’s stability and achieve an increase in EBITDA”

Not long afterwards, the Zimbra Social product was sold off to a company called Verint (https://blog.zimbra.com/2015/08/verint-acquires-telligent-zimbra/) and renamed back to Telligent, leaving Zimbra Inc. with just Zimbra Collaboration.

At this point I was naturally wondering if Zimbra Inc. was running out of money and concerned as to what the future holds for Zimbra Collaboration and its customers given all these recent announcements, but I didn’t have to wait long, as a couple of days later Zimbra was sold to Synacor (http://news.synacor.com/phoenix.zhtml?c=253437&p=irol-newsArticle&ID=2080463) for $24.5m. Strangely this announcement seems to be missing from the Zimbra blog…

Back when Zimbra was owned by VMware, their answer to any questions about availability, redundancy or disaster recovery/business continuity was to run Zimbra inside a VMware environment and use their HA+DR technologies, but soon after being sold off to Telligent they started talking about a project “Always ON”. This was mentioned in a number of blog posts throughout 2013, but https://blog.zimbra.com/2013/04/zimbra-judaspriest-release-update-1/ and https://blog.zimbra.com/2013/09/project-always-on/ were the most detailed.

Sadly, over 2 years later we are still waiting for this new “Always ON” architecture and it seems that we have to wait at least another year and a half! I’m not holding my breath that things are going to get any better under the new ownership, but right now I’m just glad that my company didn’t buy into Zimbra Social or Zimbra Sync and Share like we considered!

Missing Junk mailbox in Apple Mail

August 19th, 2014

When setting up a new MacBook Pro recently, I was impressed that all of my mail account settings were synced over via iCloud, but somewhat surprised and confused to find that the “Junk” mailbox for all accounts was missing.

I couldn’t find the “Junk” mailbox anywhere – it wasn’t in the list of special folders (Drafts, Sent, Trash etc.) with the Inbox and it wasn’t in the list of general mailboxes – it had seemingly just vanished.

This is particularly annoying for me as I used Zimbra for my mail server and can train the server side junk mail filters by moving messages in and out of the special “Junk” mailbox.

All of the junk mail settings in Apple Mail were enabled and seemed to match those in the same version of Apple Mail on my old laptop, so what was happening?

It seems that when you have the junk mail setting in Apple Mail set to “Mark as junk mail, but leave it in my Inbox”, Apple hides the “Junk” mailbox to start with whilst it trains its filters and then only shows it once they have sufficient data built up to start identifying spam.

A quick work around to get the “Junk” mailbox to show up straight away is to change the junk mail setting in Apple Mail from “Mark as junk mail, but leave it in my Inbox” to “Move it to the Junk mailbox” and back again.

Changing this setting causes the “Junk” mailbox to be shown and the mailbox doesn’t get hidden again when you change it back.

Parallels Plesk hanging on login

June 27th, 2014

I recently came across a strange problem when setting up a new Windows Server running Parallels Plesk 12.

Everything was working fine to begin with, and then suddenly Parallels Plesk started behaving strangely. I would select some items in a list and press remove and they would be greyed out as if the AJAX had fired in the background, but they wouldn’t be removed from the list until refreshing the page.

Wondering if this was some kind of browser problem as I was using Apple’s Safari, I fired up Mozilla’s Firefox but was somewhat surprised that I couldn’t get past the login screen.

The login page loaded, but once I’d entered the username and password and pressed “Log In”, the page would just hang, loading indefinitely until it eventually timed out.

The CPU and memory usage on the server were fine. The services were all running correctly. What’s going on?

After a quick look in “C:\Program Files (x86)\Parallels\Plesk\admin\logs\php_error”, it was pretty obvious that the recently installed Parallels Panel Mobile Center extension wasn’t working properly, as there were lots of errors about being unable to access files in “C:\Program Files (x86)\Parallels\Plesk\var\modules\plesk-mobile”.

Deleting the “C:\Program Files (x86)\Parallels\Plesk\var\modules\plesk-mobile” folder at least allowed me to log back in to the Parallels Plesk control panel, however the Parallels Panel Mobile Center extension couldn’t be removed.

After a bit of digging, it seems that the permissions on “C:\Program Files (x86)\Parallels\Plesk\var\modules\” aren’t set correctly out of the box and the “psaadm” user needed to be given write access to this folder in order to create or remove the files and folders for extensions when they are installed/uninstalled.

Once the permissions had been corrected, I was able to remove and then reinstall the Parallels Panel Mobile Center extension successfully.

Citrix XenServer XS62E015 update failing to apply

June 16th, 2014

If you’re using XenServer 6.2, you may have some problems installing the XS62E015 update from CTX140808.

You go through the normal update procedure – download XS62E015.zip from the CTX140808 Citrix knowledge base article, extract it and upload the XS62E015.xsupdate file to the pool, then apply UUID c8b9d332-30e4-4e5e-9a2a-8aaae6dee91a to the pool, which promptly fails with:

The uploaded patch file is invalid. See attached log for more details.
log: error parsing patch precheck xml: expected one of these character sequence: “required”, found “error” line 4

It turns out that Citrix issued two updates for the same issue – one for Citrix XenServer 6.2 without SP1 installed and one for Citrix XenServer 6.2 with SP1 installed. The slight snag is that both of these updates show up in the list of available updates in Citrix XenCenter and the knowledge base articles don’t mention that the two updates patch the same problem, but in two different versions of Citrix XenServer.

If you are running Citrix XenServer 6.2 with SP1 installed, then you need to install the XS62ESP1003 update from CTX140416 (UUID c208dc56-36c2-4e91-b8d7-0246575b1828). Once XS62ESP1003 has been installed, XS62E015 will also show up in the list of installed updates.