Planet Debian Administration

So i've been struggling with an Ubuntu 8.04 networked workstation. It uses libpam-mount to mount the user's homedir (actually, the mountpoint is one level up from the homedir) automatically at login over CIFS.

One of the problems i ran into with this arrangement happened because i was following the pam_mount configuration instructions too literally. In particular, README.Debian.gz says:

For every application used for logging in, there is a file of the form /etc/pam.d/xyz, add the following line at the end of the file: @include common-pammount

In particular, ubuntu's /etc/pam.d/gdm defaults to:

#%PAM-1.0                                                                                                                                                               
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password

When i added the @include common-pammount directive to the bottom of this file when using pam_mount, new GNOME sessions failed badly: the gnome-panel didn't appear (which means that the user couldn't log out conveniently), and two error messages popped up at each login with nasty details like:

No database available to save your configuration: Unable to store a value at [...], as the configuration server has no writable databases.

The problem seems to be that libpam-gnome-keyring actually kicks off gconfd-2 during its PAM session invocation. If that comes before libpam-mount's PAM session invocation, then the home directory isn't mounted for the keyring, and gconfd-2 decides that it is unable to save any settings. Since gconfd then persists for the rest of the session, further GNOME session components try to talk to it and it refuses, even though the gconf db is now available (via the mounted homedir).

Since the order of the lines in a /etc/pam.d/* are semantically relevant, i'm usually very reluctant to tamper with the defaults. However, i think the correct /etc/pam.d/gdm for this scenario (or any pam-mount scenario using GNOME where the homedir might not be present at all before the session) is actually:

#%PAM-1.0                                                                                                                                                               
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
session required        pam_limits.so
@include common-session
@include common-password
@include common-pammount
auth    optional        pam_gnome_keyring.so
session optional        pam_gnome_keyring.so auto_start

With this configuration in place, i can successfully log in with a test user, anyway (and move on to the next problem, which appears to be SQLite over CIFS, ugh).

These sorts of problems are tough to nail down:

• Is this overall problem due to a bug in the documentation for libpam-mount?
• In gdm for its default weirdly-ordered PAM config?
• In libpam-gnome-keyring for launching gconf-d-2 in the first place?
• In libgconf2-4 for gconfd-2 not being able to notice when the directories it wants become available?

Or maybe it's just a configuration detail that i should have known about and expected to deal with in the first place. Ah, well.

The Dovecot SSL certificate expired on my Dovecot POP3s server and needed refreshing.

It was the end to a long drawn out and painful week.

* Works is sh*t at the moment
* Landlord is evicting us and we have to find somewhere else to rent
** House prices are tumbling, so I refuse buy at the moment
** Estate agents are lazy, greedy and useless
** Moving is a pain however you look at it
* ADSL service at home is cr*p at the moment
* I'm depressed and miserable

Seems that folk tracking the SQL injection worm are counting the occurrences of "winzipices.cn" on the net by typing it into Google and assuming the first number back reflects the number of infected web pages.

Google don't always return every page in a search, so whilst such a method probably produces a good indication of whether such a worm is widespread, or still spreading, as a guide to the absolute number of compromised pages it is fairly hopeless.

Contrast Google searches for:

"winzipices.cn" (about 12,200) against "winzipices.cn site:com" (about 17,400)

Either way you probably don't want to visit any of the resulting pages.

Anyone know a way to get Google to give us its best guess? Google will of cause always be an underestimate.

Line: 2
Char: 1
Invalid Character
code: 0

The problem, a web page doesn't load correctly in IE7.

The error is some variation on the above.

Microsoft support note this as occurring with some ActiveX controls (nope)

Some people note Add-ins can cause this (disable them all and restart browser, nope).

The error (also sometimes "line: 1") seems to reflect that a permissions problem of some sort occurred.

In this case removing the cookie from the site fixed the problem, but we have no reason to believe there is a problem with the web page, or cookie handling other than IE7 sometimes messes up.

Indeed most of the remaining issues with the site in question seem to be IE sometimes messes up, fortunately a workaround exists ;)

On one of our Etch boxes writing to a Windows 2000 server.

Explanation, work around, and fix all here....

http://www.nabble.com/Corrupted-data-on-write-to-Windows-2003-Server-to7763783.html

That'll teach me for believing folks who said "CIFS is better", and "I'm a luddite for using smbfs" etc.

Don't upgrade to this version, the module seems to segfault on starting Apache

I have in installed Kubuntu on a PowerBook G4 and am in the proses of seeing if most KDE apps will work on it. So far i have installed the latest versions of Katapult and Ksmothdock. Both seem to work fine, except for Katapult freezing the computer the first time it loaded. However, after that it worked fine. Yakuake is the next KDE app i will try to install.

thought it might be a good idea to register.
so, hello.

The switch for disabling these for PHP scripts is not "mysql.cnf" as some non-Debian hints suggest but "/etc/php5/apache2/php.ini" on Debian (adjust for PHP and Apache versions as applicable).

You might consider this if you seem to accumulate a lot of lurking MySQL processes from web applications that use the pconnect call in PHP, and you thus hit problems with too many connections.

mysql.allow_persistent=Off

Similar setting can be set for various different databases (Postgres, ODBC etc).

Persistent connections allow a resource optimisation, but allowing them permits users to more easily hit the resource constraint "Too many connections in ...", depending on programmer skill.

Unless the same database connections are heavily used, disabling it makes the system administrators life easier (and in our case things run faster, probably as the so many fewer tasks have to be scheduled!). So assume your PHP programmers are brain dead, and disable it till you learn otherwise, and life may be better.

In this instance I am probably the brain dead PHP programmer, although there are a lot of clueless PHP programmers so it might not have been me, and this was in generated code anyway so I probably clicked the wrong button in a point and drool tool somewhere.

This is a note for self. If I understood all this - I wouldn't have hit this problem.

I'm working on a baseline ssh security white paper for Debian systems and I think i've found a good combination for great security and still ease of use. The servers this white paper will mostly apply to are machines facing the outside world and have static ip addresses from which they are administered from.

This entry has been truncated read the full entry.

I sometimes need to boot machines with an external device that has all the tools I need to repair it. After mucking around with various live solutions, I have found the easiest and most flexible solution is to simply bootstrap the installations into separate partitions and install grub.

I'm using a 2GB key (device is /dev/sda on my machine), so I partition it up as follows:
/dev/sda1 100MB (shared /boot)
/dev/sda2 900MB (amd64)
/dev/sda3 900MB (i386)

Those figures aren't exact, it's basically a case of 100MB for /boot and split the rest of the key between the other two partitions.

Next I use e2label to name the partitions as boot, amd64 and i386. If you're updating or working on the key itself it just makes it easier. You can also use "mount -L label /dir" instead of the devicename if you want.
e2label /dev/sda1 boot
e2label /dev/sda2 amd64
e2label /dev/sda3 i386

Format the partitions up as ext3:
mkfs.ext3 /dev/sda1
mkfs.ext3 /dev/sda2
mkfs.ext3 /dev/sda3

Mount the partitions we need for the amd64 (64bit) installation on /mnt:
mount /dev/sda2 /mnt
mkdir /mnt/boot
mount /dev/sda1 /boot

Install a very minimal set of packages with debootstrap:
/usr/sbin/debootstrap --arch amd64 etch /mnt http://http.us.debian.org/debian

Find and make a note of the filesystem uuids on the USB key. We need them because if you are using the key on machines with varying numbers of SATA hard drives, you can't guarantee which device will be assigned to your key. This causes lots of problems with grub and fstab.
tune2fs -l /dev/sda1 | grep -i uuid
Filesystem UUID: d386494f-c4f5-4e69-8fdc-6741797e521e
tune2fs -l /dev/sda2 | grep -i uuid
Filesystem UUID: fcdf1bde-c16f-4cf3-9e66-248b9f40741a
tune2fs -l /dev/sda3 | grep -i uuid
Filesystem UUID: 5dc6ba69-719b-4461-af40-7b8b0dd83bd4

Chroot into the new installation to set up a few things.
LANG=C chroot /mnt /bin/bash


Make a basic fstab
vi /etc/fstab

Copy and paste the following, replacing the uuids with the ones from your key.
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
UUID=63c0907e-3d17-4124-b8ca-74d6c22bf057 /boot ext3 defaults 0 2
UUID=84db6c63-1f99-43f3-8025-9e78dd59d8aa / ext3 defaults,errors=remount-ro 0 1


Make a basic interface config.
vi /etc/network/interfaces

Copy and paste.
auto eth0
iface eth0 inet dhcp


Create /etc/resolv.conf
vi /etc/resolv.conf

Configure a couple of nameservers.
nameserver xxx.xxx.xxx.xxx
nameserver yyy.yyy.yyy.yyy


Set the hostname.
echo "usb-amd64" > /etc/hostname


Add localhost to /etc/hosts
vi /etc/hosts
127.0.0.1 localhost


Create /etc/apt/sources.list
vi /etc/apt/sources.list

Copy and paste the following:
deb http://http.us.debian.org/debian etch main contrib non-free
deb-src http://http.us.debian.org/debian etch main contrib non-free

deb http://security.debian.org/ etch/updates main contrib non-free
deb-src http://security.debian.org/ etch/updates main contrib non-free


Run the following commands:
apt-get update
apt-get install console-data locales
Select "Don't touch keymap" when prompted.
dpkg-reconfigure locales

Depending on where you are, select the appropriate locales. The ones I use are:
[*] en_GB ISO-8859-1
[*] en_GB.ISO-8859-15 ISO-8859-15
[*] en_GB.UTF-8 UTF-8

[*] en_IE@euro ISO-8859-15

[*] en_NZ ISO-8859-1
[*] en_NZ.UTF-8 UTF-8

[*] en_US ISO-8859-1
[*] en_US.ISO-8859-15 ISO-8859-15
[*] en_US.UTF-8 UTF-8


Create /etc/kernel-img
vi /etc/kernel-img.conf

Copy and paste the following:
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
relative_links = yes
do_bootloader = yes
do_bootfloppy = no
do_initrd = yes
link_in_boot = no


Install the kernel, grub and mdadm
apt-get install linux-image-amd64 grub mdadm

Select (or type in) all when prompted for: MD arrays needed for the root filesystem
(Ignore the mdadm errors)


Exit the chroot:
exit


Install grub:
grub-install --no-floppy --recheck --root-directory=/mnt /dev/sda


Re-enter the chroot:
LANG=C chroot /mnt /bin/bash


Create the boot menu/options:
update-grub
(press "y" when it asks: Could not find /boot/grub/menu.lst file. Would you like /boot/grub/menu.lst generated for you? (y/N)

Set grub to use the UUIDs.
vi /boot/grub/menu.lst

Find the line that starts with: # kopt=root=/dev/something ro
Replace the /dev/something with the uuid for your root filesystem (/dev/sda1 in my case).
# kopt=root=UUID=fcdf1bde-c16f-4cf3-9e66-248b9f40741a ro

Find the menu entries at the end of the file:
title Debian GNU/Linux, kernel 2.6.18-6-amd64
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-6-amd64 root=/dev/hda1 ro
initrd /boot/initrd.img-2.6.18-6-amd64
savedefault

title Debian GNU/Linux, kernel 2.6.18-6-amd64 (single-user mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.18-6-amd64 root=/dev/hda1 ro single
initrd /boot/initrd.img-2.6.18-6-amd64
savedefault

Remove /boot on the lines beginning with "kernel" and "initrd".
On the kernel lines, replace /dev/something as you did for the "kopt" line. They should look something like this when finished:
title Debian GNU/Linux, kernel 2.6.18-6-amd64
root (hd0,0)
kernel /vmlinuz-2.6.18-6-amd64 root=UUID=fcdf1bde-c16f-4cf3-9e66-248b9f40741a ro
initrd /initrd.img-2.6.18-6-amd64
savedefault

title Debian GNU/Linux, kernel 2.6.18-6-amd64 (single-user mode)
root (hd0,0)
kernel /vmlinuz-2.6.18-6-amd64 root=UUID=fcdf1bde-c16f-4cf3-9e66-248b9f40741a ro single
initrd /initrd.img-2.6.18-6-amd64
savedefault


Update /etc/kernel-img.conf
vi /etc/kernel-img.conf

Change do_bootloader = yes to: do_bootloader = no

Paste the following to the end of the file:
## Automatically update /boot/grub/menu.lst on
## installation or removal of Debian kernels.
postinst_hook = update-grub
postrm_hook = update-grub


Install any additional packages you want such as iproute, psmisc, lvm2, xfsprogs, less and exit the chroot. You should now be able to boot on the key.

Once you have booted on the key and checked it works, repeat the process to install i386 on the third partition (/dev/sda3 in my case). Mount /dev/sda1 as /mnt/boot again and use i386 instead of amd64 in the debootstrap command. This has become an extremely useful tool to me in my job.

Use this aptitude line to find out about all packages that are:

1. Automatically installed
2. No package depends on it (ie, they are in your computer because someone recommended it).

aptitude search '?and( ?automatic(?reverse-recommends(?installed)), ?not(?automatic(?reverse-depends(?installed))) )'

Hace un tiempo que no escribo nada de mi en la web, por motivos desconocidos.
Les cuento, que una vez más recurro a este sitio para sacar información relevante para mi trabajo, lo cual me llevo a querer editar mi blog, que hace mas de 2 años no actualizaba.
Estoy muy metido con el software libre,voy a darle a este blog toda la informacion referida a mi vida con debian.
También voy publicar algun articulo referido al debian-uruguay, grupo del que soy miembro.

I couldn't help posting this ... because its symptomatic of my experience with learning Linux on my own ...

It all started because i noticed this message when shutting down :

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

the webserver was running fine, there was nothing to worry about, but it was annoying - so i start searching for a fix.

Unfortunately couldnt find any ... the google search returned many entries for this error - and was confusing even more.

Until i found the most stupid fix there is :

sudo vi /etc/apache2/httpd.conf

and I just added at the end of the file

ServerName localhost

And that was it !

Passed me by until now, but bookmarks can contain executable Javascript, a horrid idea called bookmarklets.

IE6 and IE7 have the good sense to warn users about such bookmarks, where as Firefox (and Iceweasel) is happy to allow them without comment.

It isn't clear to this simpleton how wide the scope of the security gap here is, as the bug reports just note that a proper security context isn't created. At the very least you can read information from the current page and send it to a third party when the bookmark is used, because the boss just created one that does exactly that for perfectly legitimate purposes.

I'll create my bookmarks more carefully in future.

Vote here for a warning...
https://bugzilla.mozilla.org/show_bug.cgi?id=371923

More information on this security "feature"...
https://bugzilla.mozilla.org/show_bug.cgi?id=371179

When you do a ping on recent versions of Debian you get a summary:

2 packets transmitted, 2 received, 0% packet loss, time 1015ms
rtt min/avg/max/mdev = 0.131/0.133/0.136/0.011 ms

I thought I'd check what "mdev" meant, after much searching, and eventually reading the source code (ping_common.c) I got the answer.

In the iputils implementation of ping "mdev" is the standard deviation of the round trip time.

Wikipedia has been corrected. I filed a bug report asking that the documentation and/or code be amended to make it more obvious.

It doesn't matter for most purposes which "deviation" is measured, as you'll usually just be interested in the relative, rather than absolute value of the number (assuming it is a good measure of deviation or variance), although if you were doing statistical checks on a network to establish if changes were significant or not it might be important to know.

I'm guessing the name "mdev" is a result of a translation issue. Some suggested it might be "mean deviation". However standard deviation can be calculated easily on an running basis, but I can't see how "mean deviation" could be calculated on such a basis (statisticians please tell me), so a ping that calculated "mean deviation" would have to store all the round trip times. Although I dare say it is possible to approximate the "mean deviation" in less resource intensive ways.

MacOS labels this "stddev" maybe here it does have a superior user interface.

Last summer I have been at a vitualisation meeting sponsored from our Hardware supplier. So I met many fellow administrators.
One guy told me about his hobby: Geocaching - it sounded interessting.

So I checked it out on www.geocaching.com and other variouse websites and tried it. Apperently I m a huge fan of going out caching. It gives me something to do and a reason to go outside into nature and walk great distances. (If you got kids, they will love it!)

All what is requiered is a good GPS reciever (No navigation system, but good enough to try it), I got myself a Garmin 60csx.

Who else is Geocaching? Every once a while I meet other cachers following their hobby. It starts to be very common.

Should have subscribed earlier. This is a very useful website...

The UK news is a buzz with the news that arrests for child abuse in the UK using the Internet are up.

Behind this is CEOP, part of the Serious and Organized Crime Agency.

That the numbers are up is hardly surprising, as the agency is relatively new.

Behind the headline figure, it cost just under 9 million pounds to disrupt the activities of 55 sex offenders, and initiate(!) investigations into the identity of 36 abused children.

Now clearly any abuse of children is unacceptable, but one wonders how effective this spending is compared to other forms of policing and social care in improving childrens lives. It would be harsh to judge CEOP on these raw numbers of ~200,000 GBP per sex offender disrupted, as they have done substantial amounts of training of other professionals. But I just wanted to highlight that one shouldn't let the media highlight one aspect of a news story, without critical examination of other aspects. Someone might be trying to spin a story to say save their department from being axed for being inefficient for example.

Kind of my dream place, a world of Nougat.

Wikipedia seems to believe that Nougat traditionally doesn't have peanuts in it, but in the UK almost all retail Nougat contains peanuts. I can't eat peanuts.

Now all I need to do is learn French.

http://www.nougat-chabert-guillot.com/index.php

Thanks to Bruce on Spam-L for bringing to my attention a note on Phishing by the folks at Paypal. Nothing earth shattering, indeed the PDF linked claims no "silver bullet", but good to see a well grounded document on the topic, rather than yet another final and ultimate solution to the spam problem.
Original Blog entry
PDF

Dear Lazyweb,

I'm an experience email admin, although I've avoided content based filtering.

DKIM seems a reasonably sensible way to attempt to validate email, although I expect a significant non-zero error rate if I apply it to all email.

My main interest is in verifying messages sent to my server, especially from named domain names (Paypal will do for starters).

I'm not particular interested in signing emails at this point.

I should be able to attempt to verify an email with DKIM before queuing to disk.

I need to be able to easily and clearly exempt certain servers (such as mailing list servers), and possible certain recipients (which can probably be done in the Postfix config, but a nice simple config like Postgrey has would be good).

I'd like to be able to use "warn_if_reject" or similar so I can test before rejecting everyones email.

Some of the servers still have Sarge (i.e. Postfix 2.1).

I don't want to deploy other filtering at the same time I just want to verify email with DKIM.

So I searched the web, and came up with;

"DKIM-milter" which was designed for sendmail, requires new versions of Postfix, and seems under documented.

"Spam Assassin" which would probably work fine, and seems my best bet so far, but I would have to disable other features in order just to use the DKIM.

Roll my own using the Perl DKIM libraries, and the Postfix Before Queue Content filter. This doesn't look too challenging, even for my limited Perl skills, but I prefer code written by Perl gurus and not me for critical tasks like filtering email.

So far I'm thoroughly depressed by what I've seen in terms of documentation and successes with DKIM, so although I'm prepared to give it a try I'm looking for straight forward and easy.

What is an email admin to do?

New Scientist had a story on misunderstands of evolution, which was interesting, although I thought not especially well written. I even noted some errors I wouldn't have expected in a science magazine. New Scientist article on Myths in Evolution.

During one of those late evening discussion on evolution this weekend, it became clear that the person I was discussing with wasn't clear on the genotype-phenotype distinction, or at least the implications of this distinction.

In his superb book Genome, Matt Ridley goes to great lengths to explain that genes don't cause diseases. And then spends much of the rest of the book discussing hereditary disorders. But the point he explains is that genes in our genome encode for proteins. Some (most?) of the genome probably encodes for controlling the switching and production of these proteins (but we don't yet fully understand all the subtleties of the encoding).

Now some disorders (and features) are caused fairly directly by the failure to express one protein at all, and so a broken variant of the gene for that protein might be described as causing a genetic disorder. But the reality is usually more complex. For example chromosomes come in pairs, and so we inherit one copy of each gene from each parent (with a few exceptions, such as men, and the X chromosome - the Y chromosome being lean and mean chromosome in terms of genetic content, men may inherit only one copy of some genes on the X chromosome). Okay sometimes we get an identical copy of a gene from both parents, or two different but dysfunctional copies, but it is more complex than the binary switch many folks mistakenly think of.

The big "BUT" is that most traits we think of as genetic are polygenic. Eye colour is often taught as if it is a simple inheritance, but a quick read in the literature will show that the inheritance of eye colour is anything but simple. Many genetic traits of interest, are also influenced by the environment (nurture AND nature). The curse in my own family is a collection of autoimmune disorders, and it is thought the exact nature of the disorder that presents in an individual may depend on exposure to specific viruses or bacteria. One mutation of a gene involved has been identified as causing the over expression of a particular protein on a particular type of white blood cell (Indeed the difference from the common form of the gene is a single nucleotide polymorphism - or "snip" - a single character error in the encoding, the smallest code change possible). But the inheritance of a propensity to autoimmune disorders appears to be polygenic, as well as governed by environmental factors.

So whenever you hear anything about a "gene for [insert random human trait/disease/instinct]" remember the gene probably encodes for a protein, and a lot of chemistry has to happen (both inside and outside the organism) before the trait appears.

Note: Simon isn't a geneticist, I've probably made some horrendous mistakes in the above.

The log file showed the Google bot crawled...

20/Apr/2008 /dirname/_v2/js/?C=N;O=D
20/Apr/2008 /dirname/_v2/js/?C=S;O=A
20/Apr/2008 /dirname/_v2/js/?C=M;O=A
20/Apr/2008 /dirname/_v3/
20/Apr/2008 /dirname/_v3/js/?C=M;O=A
20/Apr/2008 /dirname/_v3/js/?C=N;O=D
19/Apr/2008 /dirname/_v3/js/?C=S;O=A

... which is the Google bot sorting the Directory Indexes generated by Apache.

I wonder if the folks at Google just haven't bothered to tell the crawlers that Apache Directory indexes aren't worth fetching in different sort orders, or if it is that there are enough other pages with query strings having only fields C and O with these values that it is worth the bandwidth spent just in case it isn't a regular directory index.

Adding the missing "Options -Indexes" fixed the problem in this specific case, but I can imagine that some of the mirror services much get a lot more crawling than needed.

I'm tired and stressed.

I need to find a new home to rent in a hurry and while house prices are tumbling in the UK at the moment, rents are not...

The wind, rain and bird song last night kept me awake.

Yesterday my email inbox was flooded with backscatter email from idiots.

Today's test of a new SAP application/interface isn't working, partially because I'm late, but also our external partner changed their SSH server without telling me!

Work is pure stress - we have a lot of the "Dead Sea" effect going on...

I need a holiday...!

Time seems right to establish a proper trading name for my online activities, not least I seem to need to make some more cash.

So I wrote to the tax man, and set up a website.

http://ijnmarketing.com/

I used 350 pages web page builder I helped build from work, and was suitably impressed, but then they let me use all the facilities at an unbeatable price! The three page site took about half an hour, including registering the domain name, and sorting the email redirects. It would probably have been a lot quicker if I didn't know so much about the system!

http://www.350.com/

So now I am the scourge of the net a self-employed affiliate marketing person. Most of the affiliate marketing folks I know are helpful people, who are kind to animals and small children, who'll even tell you their profit making "secrets" for free (without selling you a book), but there are always a few who give the others a bad name.

All I need now is lots of websites that ought to be making money but aren't.

2 days and I'm already in profit.

Get domain name + ??? = profit -- works for me

I was out partying with Crazy Lemon & the Crew.

Lately I've heard that linux desktops are not (suprizingly) that popular arounds. Shame...

I use an apt-cacher server on a network to limit bandwidth usage. Unfortunately, laptop users who connect to both the mentioned network as well as others find it a hassle to keep switching back and forth between two sets of settings for apt. So here's a nifty little script to automate this task on the client side.

This entry has been truncated read the full entry.

Used incron for first time in anger today, just to reset some file permissions as needed.

incron - a simple cron like interface to inotify for triggering actions on file system event changes.

http://www.debian-administration.org/articles/581

gzip has an "--rsyncable" option. I probably ought to use this for transferring system backups.

http://svana.org/kleptog/rgzip.html
http://olstrans.sourceforge.net/release/OLS2000-rsync/OLS2000-rsync.html

zsync - is an attempt to use Rsync algorithm with a server side HTTP. The basic insight is the server need only calculate checksums once, if serving many clients. Gives a different trade-off of resources between client and server, bandwidth and CPU.

In an interest of redunancy, I like setting up 2 network cables and than using bonding to bond them together.

I add something like this to /etc/network/interfaces

auto bond0
iface bond0 inet static
        address 10.1.1.2
        netmask 255.255.255.0
        network 10.1.1.0
        gateway 10.1.1.1
        up /sbin/ifenslave bond0 eth0
        up /sbin/ifenslave bond0 eth1
        pre-up modprobe -v bonding -o bond0 mode=4 miimon=50
        post-down rmmod bond0

After creating the first DomU, I could not get it to use my bond0. It wanted to use eth0. I tried adding

('network-bridge netdev=bond0')

to /etc/xen/xend-config.sxp but it would not work.

After doing some research I found this article: http://www.performancemagic.com/Dell1950_MD3000i_Xen_Debian_iSCSI_RDAC/Networking.html which proved to be very helpful.

I added the network-bond to the scripts in /etc/xen/scripts, set it to executable with chmod. I commented out the network-bridge and used this instead.

 (network-script network-bond) 

After a reboot it quit working. After reviewing the above link again, I saw I was missing the netboot in /etc/modules. Adding this and another reboot makes it all work great.

I sent an email with this info to the debian xen package team, but did not hear back from them.

It would be nice to have this script included and a comment added to /etc/xen/xend-config.sxp.

Perhaps this is all fixed in Lenny.
Or maybe there is a better way to do this.

Hopefully this can save someone else similar problems.