Blog O' Matty


Verifying GPG signatures

This article was posted by Matty on 2006-12-27 12:38:00 -0400

One of my friends recently asked me how to verify a signature that is distributed with an open source application. Since I didn’t have a machine handy to show him, I thought I would jot this down for him in my blog. The first step in verifying a signature is locating the public key of the individual who signed the binary. Once you locate the key and validate its authenticity, you can use the gpg “--import” option to import the key. Once the key is imported, you can use the gpg “--verify” option to verify that the signature is legit:

$ gpg --verify postfix-2.3.2.tar.gz.sig postfix-2.3.2.tar.gz

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Jul 27 12:49:07 2006 EDT using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB

In the above example, I used Wietse Venema’s public key (which I had previously imported) to verify the signature stored in the file postfix-2.3.2.tar.gz.sig against the source code I downloaded. Gpg is a swell piece of software!
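The “not certified with a trusted signature” warning above means gpg vouches for the math but not for the key, and the check that closes that gap is comparing the fingerprint against one you obtained out of band. Here is an added example (not code from the original post) that scripts exactly that using gpg’s machine-readable --status-fd output; the expected fingerprint and the sample status lines are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post. It makes the "is the
# signature legit" decision scriptable: rather than eyeballing "Good signature",
# read gpg's machine-readable --status-fd output and require a VALIDSIG line that
# carries the fingerprint you obtained out of band. This is exactly the check the
# "key is not certified" warning above is asking you to do.
#
# EXPECTED_FPR is a constructed placeholder; replace it with the real signer's
# fingerprint from the project site, a previous release, or a key you verified.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status: read gpg status lines on stdin; exit 0 only when a VALIDSIG line
# names the expected fingerprint (as the signing key or, for a subkey signature,
# as the primary key in the last field) and nothing marks the signature bad.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_file SIGFILE DATAFILE: run gpg with status output on fd 1 (the human
# readable messages go to stderr and are dropped) and apply check_status.
verify_file() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# sample_status: constructed status output for a good signature from a key that
# is imported but not certified, i.e. the TRUST_UNDEFINED situation in the post.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-07-27 1153997347 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Usage on real files (not run here):
#   verify_file postfix-2.3.2.tar.gz.sig postfix-2.3.2.tar.gz && echo "signature OK"
```

A GOODSIG line without a matching VALIDSIG fingerprint is rejected, which is the point: any key in the keyring produces “Good signature”, only the pinned fingerprint proves it is the signer you meant.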

Securing CentOS Linux installations by disabling unneeded services

This article was posted by Matty on 2006-12-27 12:28:00 -0400

To ensure that my CentOS machines run as efficiently and securely as possible, I disable a number of services after each installation. The end result is a system that accepts ssh connections on TCP port 22, and on one or more service ports that are in use by the applications hosted on the platform. To get to this state, I go through and disable numerous services that come enabled by default. Here is the default list of services that are enabled after a CentOS 4.4 installation:

$ chkconfig --list | grep on

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead_early 0:off 1:off 2:off 3:off 4:off 5:on 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Several of these services are required, but several others serve no purpose in my environment, and use CPU and memory resources that would be better allocated to my applications. Since I don’t use RPC services, autofs or NFS, those are the first to get disabled:

$ /sbin/chkconfig --level 0123456 portmap off
$ /sbin/chkconfig --level 0123456 nfslock off
$ /sbin/chkconfig --level 0123456 netfs off
$ /sbin/chkconfig --level 0123456 rpcgssd off
$ /sbin/chkconfig --level 0123456 rpcidmapd off
$ /sbin/chkconfig --level 0123456 autofs off

I also don’t allow individual hosts to receive mail from the outside world, so sendmail gets nixed next:

$ /sbin/chkconfig --level 0123456 sendmail off

On server platforms, who needs printing?

$ /sbin/chkconfig --level 0123456 cups off

Now we get to the font server, isdn capabilities, console mouse and pcmcia support. I don’t use these services on my servers, so they get disabled as well:

$ /sbin/chkconfig --level 0123456 xfs off
$ /sbin/chkconfig --level 0123456 isdn off
$ /sbin/chkconfig --level 0123456 gpm off
$ /sbin/chkconfig --level 0123456 pcmcia off

Once these services are disabled (and optionally stopped with the service command or a reboot), my netstat output looks nice and clean:

$ netstat --tcp --udp --listening

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN

This has served me well over the years, since it reduces boot time (fewer rc scripts to run) and frees up additional resources for my applications (while this isn’t substantial, every page of memory helps!).
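An added example (not part of the original post) that turns the review above into a repeatable audit: it reads chkconfig --list output and reports any service enabled in runlevels 3 to 5 that is not on an allowlist, so a re-enabled sendmail or portmap shows up the next time it runs. The allowlist and the sample chkconfig output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable version of the
# "chkconfig --list | grep on" review. It reads chkconfig --list output, picks
# out services that start in the multi-user runlevels (3, 4 or 5) and reports
# any that are not on an explicit allowlist, so a service that comes back after
# a package update or a well-meaning colleague is caught on the next run.

# Services expected to stay on after the hardening pass above. This list is an
# assumption for the example, not a CentOS default; adjust it per platform.
ALLOWED="acpid anacron apmd atd cpuspeed crond haldaemon irqbalance kudzu \
mdmonitor messagebus microcode_ctl network rawdevices readahead readahead_early \
smartd sshd syslog xinetd"

# unexpected_services ALLOWLIST: read chkconfig --list lines on stdin and print,
# sorted, each service that is on in runlevel 3, 4 or 5 but not in ALLOWLIST.
# Lines not in runlevel format (xinetd sub-entries, blank lines) are ignored.
unexpected_services() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, /[ \t]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 8 && $2 ~ /^0:/ {
            enabled = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "4:on" || $i == "5:on") enabled = 1
            if (enabled && !($1 in ok)) print $1
        }
    ' | sort
}

# sample_chkconfig: constructed excerpt in chkconfig --list format. portmap and
# sendmail are left on to show them being flagged; cups is already disabled.
sample_chkconfig() {
    cat <<'EOF'
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
EOF
}

# On a live host (not run here): /sbin/chkconfig --list | unexpected_services "$ALLOWED"
```

Pair it with the netstat check above: chkconfig tells you what will start at boot, netstat tells you what is actually listening now, and the two should agree.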

Viewing Linux partitions with fdisk and partprobe

This article was posted by Matty on 2006-12-26 21:15:00 -0400

While reading up on the Linux parted utility, I came across partprobe. Partprobe can be used to display the number of partitions on a device, and is useful for quickly viewing the layout of a given device:

$ /sbin/partprobe -s /dev/hda
/dev/hda: msdos partitions 1 2

If you’re looking for details on the layout of a device, I reckon fdisk is a better bet:

$ /sbin/fdisk -l /dev/hda

Disk /dev/hda: 8590 MB, 8590417920 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 1 978 7855753+ 83 Linux
/dev/hda2 979 1043 522112+ 82 Linux swap

I really dig the fdisk “-l” option!

Adding a disk to a ZFS pool

This article was posted by Matty on 2006-12-26 20:59:00 -0400

I needed to expand a ZFS pool from a single disk to a pair of disks today. To expand my pool named “striped,” I ran zpool with the “add” option, the pool name to add the disk to, and the device to add to the pool:

$ zpool add striped c1d1

Once the disk was added to the pool, it was immediately available for use:

$ zpool status -v

pool: striped
state: ONLINE
scrub: none requested
config:

NAME STATE READ WRITE CKSUM
striped ONLINE 0 0 0
c1d0 ONLINE 0 0 0
c1d1 ONLINE 0 0 0

errors: No known data errors

I used to think Veritas had the easiest method to expand file systems, but I don’t think that is the case anymore. Now if we can just get Sun to allow us to remove devices from a pool, and expand the number of columns in a RAIDZ or RAIDZ2 vdev!

Displaying netstat statistics at various intervals

This article was posted by Matty on 2006-12-26 20:53:00 -0400

I periodically need to review netstat data to debug network problems, and prefer to view the deltas between two adjacent runs. The Solaris netstat utility can be passed a time interval, which will cause it to display the difference between two runs:

$ netstat -sP tcp 10

TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens = 20 tcpPassiveOpens = 50
tcpAttemptFails = 20 tcpEstabResets = 0
tcpCurrEstab = 4 tcpOutSegs =859323
tcpOutDataSegs =847791 tcpOutDataBytes =1159286456
tcpRetransSegs = 19 tcpRetransBytes = 13388
tcpOutAck = 11532 tcpOutAckDelayed = 620
tcpOutUrg = 0 tcpOutWinUpdate = 96
tcpOutWinProbe = 0 tcpOutControl = 136
tcpOutRsts = 20 tcpOutFastRetrans = 0
tcpInSegs =186702
tcpInAckSegs =103393 tcpInAckBytes =1159286502
tcpInDupAck = 229 tcpInAckUnsent = 0
tcpInInorderSegs = 83753 tcpInInorderBytes =79048288
tcpInUnorderSegs = 9 tcpInUnorderBytes = 432
tcpInDupSegs = 8 tcpInDupBytes = 4664
tcpInPartDupSegs = 0 tcpInPartDupBytes = 0
tcpInPastWinSegs = 0 tcpInPastWinBytes = 0
tcpInWinProbe = 0 tcpInWinUpdate = 0
tcpInClosed = 0 tcpRttNoUpdate = 0
tcpRttUpdate =103347 tcpTimRetrans = 109
tcpTimRetransDrop = 0 tcpTimKeepalive = 61
tcpTimKeepaliveProbe= 15 tcpTimKeepaliveDrop = 0
tcpListenDrop = 0 tcpListenDropQ0 = 0
tcpHalfOpenDrop = 0 tcpOutSackRetrans = 7


TCP tcpRtoAlgorithm = 0 tcpRtoMin = 400
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens = 0 tcpPassiveOpens = 0
tcpAttemptFails = 0 tcpEstabResets = 0
tcpCurrEstab = 4 tcpOutSegs = 83
tcpOutDataSegs = 83 tcpOutDataBytes = 6544
tcpRetransSegs = 0 tcpRetransBytes = 0
tcpOutAck = 0 tcpOutAckDelayed = 0
tcpOutUrg = 0 tcpOutWinUpdate = 0
tcpOutWinProbe = 0 tcpOutControl = 0
tcpOutRsts = 0 tcpOutFastRetrans = 0
tcpInSegs = 78
tcpInAckSegs = 76 tcpInAckBytes = 6544
tcpInDupAck = 0 tcpInAckUnsent = 0
tcpInInorderSegs = 2 tcpInInorderBytes = 96
tcpInUnorderSegs = 0 tcpInUnorderBytes = 0
tcpInDupSegs = 0 tcpInDupBytes = 0
tcpInPartDupSegs = 0 tcpInPartDupBytes = 0
tcpInPastWinSegs = 0 tcpInPastWinBytes = 0
tcpInWinProbe = 0 tcpInWinUpdate = 0
tcpInClosed = 0 tcpRttNoUpdate = 0
tcpRttUpdate = 76 tcpTimRetrans = 0
tcpTimRetransDrop = 0 tcpTimKeepalive = 0
tcpTimKeepaliveProbe= 0 tcpTimKeepaliveDrop = 0
tcpListenDrop = 0 tcpListenDropQ0 = 0
tcpHalfOpenDrop = 0 tcpOutSackRetrans = 0

Netstat is some good stuff!
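Not every netstat takes an interval (the Linux one doesn’t), so here is an added example, not from the original post, that computes the same delta view from two saved snapshots in the format shown above and tags the counters whose growth usually deserves a look; the snapshot contents and the watch list are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: Linux netstat -s has no interval
# argument like the Solaris one above, so this derives the same "delta between
# two runs" view from two saved snapshots in netstat -s format (one or two
# "counter = value" pairs per line, including the squeezed "tcpOutSegs =859323").
# Counters whose growth usually deserves a look are tagged "<-- watch".

# tcp_delta BEFORE AFTER: print "counter before after delta" for each counter
# that changed between the two snapshot files, sorted by name.
tcp_delta() {
    awk '
        BEGIN {
            n = split("tcpAttemptFails tcpEstabResets tcpHalfOpenDrop tcpListenDrop tcpListenDropQ0 tcpOutRsts", w, " ")
            for (i = 1; i <= n; i++) watch[w[i]] = 1
        }
        {
            gsub(/=/, " = ")            # make "=" its own field
            for (i = 2; i < NF; i++)
                if ($i == "=" && $(i + 1) ~ /^-?[0-9]+$/) {
                    if (FNR == NR) before[$(i - 1)] = $(i + 1)   # first file
                    else           after[$(i - 1)]  = $(i + 1)   # second file
                }
        }
        END {
            for (k in after) {
                d = after[k] - before[k]
                if (d != 0) printf "%-20s %10d %10d %+8d%s\n", k, before[k], after[k], d, (k in watch) ? "  <-- watch" : ""
            }
        }
    ' "$1" "$2" | sort
}

# Constructed snapshots in the format shown above, ten seconds apart.
sample_before() {
    cat <<'EOF'
TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpAttemptFails     =    20     tcpEstabResets      =     0
        tcpCurrEstab        =     4     tcpOutSegs          =859323
        tcpListenDrop       =     0     tcpOutRsts          =    20
EOF
}
sample_after() {
    cat <<'EOF'
TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpAttemptFails     =    23     tcpEstabResets      =     0
        tcpCurrEstab        =     4     tcpOutSegs          =859406
        tcpListenDrop       =     0     tcpOutRsts          =    23
EOF
}
```

On a live host: netstat -s > before; sleep 10; netstat -s > after; tcp_delta before after. A steady climb in tcpAttemptFails or tcpListenDrop between runs is worth correlating with the listening ports you expect from the hardening post above.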