Blog O' Matty


Disabling access time (atime) updates on ZFS file systems

This article was posted by Matty on 2006-07-25 20:13:00 -0400

When running web servers, it is extremely common for website administrators to disable access time updates on file systems that contain content. This alleviates the need for the kernel to update the access time of a file each time it is requested, and less work in the kernel means more cycles are available for serving content.

Prior to the introduction of the Solaris ZFS file system, you could disable access time updates by adding the noatime mount option to the desired entry in /etc/vfstab. ZFS instead stores the file system attributes with the file system itself, which allows the attributes (e.g., compress content, checksum content, disable atime updates, etc.) to move with the file system. To view the attributes of a ZFS file system, you can run the zfs utility with the “get” option and the name of the file system to retrieve attributes from:

$ zfs get all home/apps

NAME       PROPERTY       VALUE                 SOURCE
home/apps  type           filesystem            -
home/apps  creation       Sat Jul 8 23:14 2006  -
home/apps  used           170M                  -
home/apps  available      54.9G                 -
home/apps  referenced     170M                  -
home/apps  compressratio  1.00x                 -
home/apps  mounted        yes                   -
home/apps  quota          none                  default
home/apps  reservation    none                  default
home/apps  recordsize     128K                  default
home/apps  mountpoint     /home/apps            default
home/apps  sharenfs       off                   default
home/apps  checksum       on                    default
home/apps  compression    off                   default
home/apps  atime          on                    default
home/apps  devices        on                    default
home/apps  exec           on                    default
home/apps  readonly       off                   default
home/apps  zoned          off                   default
home/apps  snapdir        hidden                default
home/apps  aclmode        groupmask             default
home/apps  aclinherit     secure                default

As you can see from the output above, there are numerous attributes available. The attribute to control access time updates is “atime,” and it can be switched off with the zfs “set” option:

$ zfs set atime=off home/apps

Once a file system attribute is modified, the change takes effect immediately, with no mounting or unmounting required:

$ zfs get all home/apps

NAME       PROPERTY       VALUE                 SOURCE
home/apps  type           filesystem            -
home/apps  creation       Sat Jul 8 23:14 2006  -
home/apps  used           170M                  -
home/apps  available      54.9G                 -
home/apps  referenced     170M                  -
home/apps  compressratio  1.00x                 -
home/apps  mounted        yes                   -
home/apps  quota          none                  default
home/apps  reservation    none                  default
home/apps  recordsize     128K                  default
home/apps  mountpoint     /home/apps            default
home/apps  sharenfs       off                   default
home/apps  checksum       on                    default
home/apps  compression    off                   default
home/apps  atime          off                   local
home/apps  devices        on                    default
home/apps  exec           on                    default
home/apps  setuid         on                    default
home/apps  readonly       off                   default
home/apps  zoned          off                   default
home/apps  snapdir        hidden                default
home/apps  aclmode        groupmask             default
home/apps  aclinherit     secure                default
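
The SOURCE column is what separates a value set on the dataset itself (local) from a default, so output in this format can be checked by script. The following is an added example, not part of the original post: local_overrides and atime_off_locally are hypothetical helper names, and the sample rows are constructed from the output above plus one constructed child dataset (home/apps/logs) that inherits its setting.

```shell
#!/bin/sh
# Added example: list ZFS properties that were explicitly set on a dataset,
# given text in the "NAME PROPERTY VALUE SOURCE" layout printed by `zfs get`.

# local_overrides (hypothetical helper): reads zfs-get output on stdin and
# prints "dataset property=value" for every row whose SOURCE is "local".
# VALUE may contain spaces (the creation date), so it is rebuilt from all
# fields between PROPERTY and SOURCE. A SOURCE of "inherited from <dataset>"
# is skipped even when the parent dataset happens to be named "local".
local_overrides() {
    awk '
        NF < 4 || $1 == "NAME" { next }    # blank lines and the header row
        $(NF-2) == "inherited" && $(NF-1) == "from" { next }
        $NF == "local" {
            value = $3
            for (i = 4; i < NF; i++) value = value " " $i
            printf "%s %s=%s\n", $1, $2, value
        }
    '
}

# atime_off_locally DATASET (hypothetical helper): reads zfs-get output on
# stdin and succeeds only if DATASET itself carries atime=off.
atime_off_locally() {
    local_overrides | grep -qxF "$1 atime=off"
}

# Constructed sample: rows in the format shown above, plus one constructed
# child dataset that inherits atime=off from home/apps.
sample_output() {
    cat <<'EOF'
NAME PROPERTY VALUE SOURCE
home/apps creation Sat Jul 8 23:14 2006 -
home/apps checksum on default
home/apps atime off local
home/apps exec on default
home/apps setuid on default
home/apps/logs atime off inherited from home/apps
EOF
}

sample_output | local_overrides    # prints: home/apps atime=off
```

On a live system the same functions can be fed directly, for example `zfs get all home/apps | local_overrides`.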

I have only worked with ZFS for two months, and am impressed with what I see so far. Once ZFS has better methods to detect disk failures, the ability to remove devices and expand RAIDZ sets, support for “/,” and the known performance issues are addressed, it will be the final word in Solaris file systems.

PHP security links

This article was posted by Matty on 2006-07-24 20:20:00 -0400

While reading up on PHP security, I came across several links that I thought I would pass on:

Security Focus article on securing PHP installations: http://www.securityfocus.com/infocus/1706

Article on PHP attack vectors and defenses: http://www.securereality.com.au/studyinscarlet.txt

Bugtraq discussion on PHP security: http://www.securityfocus.com/archive/1/438417/30/0/threaded

First thoughts of CentOS 4.0

This article was posted by Matty on 2006-07-23 09:08:00 -0400

I was recently introduced to CentOS 4.0, which is a Linux distribution built from the source RPMs that comprise Redhat Advanced Server. I am currently running several production services on CentOS 4.0, and am extremely happy with the features it brings to the table. Here are several reasons you might be interested in using CentOS:

1. CentOS 4.0 is free, and has the look and feel of Redhat Advanced Server. If you are used to managing servers running one of the Redhat derivatives, you will feel right at home.

2. CentOS 4.0 uses yum as the default package manager!

3. CentOS mirrors the upstream RPMs provided by Redhat, and offers several additional repositories (e.g., extras, addons, contribs, centosplus, etc.) to extend the base CentOS installation.

4. The CentOS team will provide security updates for CentOS 4.0 until February 29, 2012.

5. CentOS is supposed (I haven’t tested this yet) to be binary compatible with Redhat Advanced Server. This can lower costs for companies that don’t need true parity between production, QE, test and development servers.

6. Redhat Advanced Server is widely deployed, and there are dozens of places to get free support for it. Since CentOS is identical to Redhat Advanced Server, you can use the Redhat support forums to find answers to your questions.

7. Redhat Advanced Server is running some large websites, and you can be assured that corporate customers are leveraging their support contracts to get problems fixed. These fixes turn up in CentOS 4.0, so you benefit for free.

8. You can use Redhat Global File System 6.1 and Cluster Suite 4.0 with CentOS 4.0.

If you are looking for a commercially supported Linux distribution, CentOS is probably not for you. But if you want to use a distribution that is super reliable and community supported, it might be the right distribution for you.

Viewing package groupings with yum

This article was posted by Matty on 2006-07-23 08:15:00 -0400

The Redhat, Fedora and CentOS installer (anaconda) provides a series of graphical or text-based screens to step users through the OS installation process. One of the screens allows the user to pick one or more package groups to install, and optionally allows individual packages to be added and removed. I periodically forget to add groups when I perform interactive installs. Luckily yum understands package groupings, and contains options to update, query, install and remove groups of packages. To view all of the package groupings on a system, yum can be invoked with the “grouplist” option:

$ yum grouplist

Setting up Group Process
Setting up repositories
Installed Groups:
Administration Tools
Compatibility Arch Support
DNS Name Server
FTP Server
Mail Server
MySQL Database
PostgreSQL Database
Server Configuration Tools
Web Server
Windows File Server
Available Groups:
AptRPM
Author: Matty
Compatibility Arch Development Support
Development Tools
Editors
Engineering and Scientific
GNOME Desktop Environment
GNOME Software Development
Games and Entertainment
Graphical Internet
Graphics
Horde-Apps
KDE (K Desktop Environment)
KDE Software Development
Legacy Network Server
Legacy Software Development
Network Servers
News Server
Office/Productivity
Printing Support
Sound and Video
System Tools
Text-based Internet
X Software Development
X Window System
XFCE-4.2
drbd-heartbeat
Done

If you want to view the dependencies and individual packages that make up a specific group, the group name can be passed to the “groupinfo” option:

$ yum groupinfo Graphics

Setting up Group Process
Setting up repositories

Group: Graphics
Required Groups:
Base
X Window System
Default Packages:
xsane-gimp
ImageMagick
netpbm-progs
dia
gimp-gap
sane-frontends
gimp-print-plugin
gimp-help
xsane
gimp-data-extras
gimp
Optional Packages
xfig
kdegraphics

Yum also has the “groupinstall,” “groupremove” and “groupupdate” options to add, remove and update groups of packages. I digs me some yum.

Verifying DNS and Mail server configurations

This article was posted by Matty on 2006-07-22 11:40:00 -0400

If you run DNS and SMTP servers, you probably know how important it is to validate the configurations used by your SMTP relays and DNS servers. Broken configurations can lead to clients not being able to find your website, open mail relays, unroutable mail, and your domain being blackholed by the Internet. Luckily there are three awesome services that can be used to sanity check the DNS and SMTP servers for a domain. The first service is the Mail abuse website, which checks to see if your mail server is acting as an open relay:

Mail abuse website

The second service is DNS report, which validates the DNS server configuration for a specific domain:

DNS server report

The last service is the open SPF website, which allows you to generate SPF (Sender Policy Framework) TXT records for a domain:

OpenSPF website

I use all three services, and can’t begin to describe how useful they are.