Adding scponly and RepoForge

I wanted to add scponly to Tempest, so it’ll be ready to handle scp/sftp.  Ideally, I’d like to load it from RedHat or something like EPEL.

I looked in yum for scponly and got the following hit:

[root@tempest ~]# yum --enablerepo=epel search scponly
=============================================== Matched: scponly ===============================================
rssh.x86_64 : Restricted shell for use with OpenSSH, allowing only scp and/or sftp
[root@tempest ~]#

Oh, that would be nice and easy.  However, reading http://www.pizzashack.org/rssh says that rssh isn’t really compatible with WinSCP, which many students use, so that’s a no-go.

Googling for scponly finds this:  http://pkgs.repoforge.org/scponly/ which suggests it might be in the repoforge repository.  What is Repoforge?  Going to http://repoforge.org/ shows that it’s a replacement for rpmforge, which we already use.  So, that’s worth doing.

I went to http://repoforge.org/use/ (using Firefox) and right-clicked on the link for the EL6 x86_64 version and chose “copy link address.” I then pasted that address into the following command:

[root@tempest ~]# rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Retrieving http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Preparing...                ########################################### [100%]
    package rpmforge-release-0.5.2-2.el6.rf.x86_64 is already installed

Hunh.  That’s surprising.  I guess they haven’t (yet) changed the name of the repo in the files.  So, let’s proceed:

[root@tempest ~]# yum --enablerepo=rpmforge search scponly
Warning: No matches found for: scponly
No Matches found

Darn! But what about that entry we saw before, at http://pkgs.repoforge.org/scponly/ ?  Oh, I see, these are only for EL 5 and below.  There is a source package; maybe we can download that and compile it?

Ah, but how to download a source rpm?  There’s a nice tutorial here:  http://crashcourse.ca/content/working-source-rpms-under-centos. Since I just want the source rpms for rpmforge, I have to create a .repo file for the source.  However, getting the right URLs seems to be difficult in this case.  And, reading further in that tutorial shows that the process of compiling the source is not easy.  So, I’m going to resume my search for a precompiled binary.

I googled for it, and eventually found a document that says that scponly was dropped (orphaned) from EL6 due to a change in the Fedora Project Contributor Agreement (FPCA) http://www.redhat.com/archives/epel-devel-list/2011-July/msg00049.html.  So, it’s hopeless to try to find a pre-compiled binary.  We either need to get the source (using git, apparently, from http://pkgs.fedoraproject.org/cgit/scponly.git/tree/?h=f17) or configure sftp to do this, using something like this or try the simple expedient of having a ~/.login file that ends in “exit.”

Hang on!  There *is* an /usr/local/bin/scponly shell on Tempest!  I thought we were missing that.  Apparently I’ve been wasting my time.

 


Missing password database entries

Lyn reported that he couldn’t login to the cs117 account and it seems that the password database entries are missing:

Something is wrong with account cs117.  I tried from root to su to cs117, and was 
told it doesn't exist. And the owner and group for /home/cs117 aren't recognized 
as known users/groups: 

[root@puma cs117] su - cs117
su: user cs117 does not exist
[root@puma cs117] ls -l /home/cs117
total 8
drwxr-x--- 2 5121 5125 4096 Aug 25  2011 private
drwxrwxr-x 2 5121 5125 4096 Sep 12  2011 public_html

Grepping through /etc/passwd on Tempest shows that indeed, that entry is missing.  Darn.  I looked through the backups of /etc/passwd in /root/snapshots/system/ but even the oldest is only a few months old, and it doesn’t have the missing entries.

So, I added the missing entries just by editing /etc/passwd and /etc/group with Emacs.

[root@tempest ~]# grep cs117 /etc/passwd
cs117:x:5121:5125:Inventing Mobile Apps:/home/cs117:/bin/bash
[root@tempest ~]# grep cs117 /etc/group
cs117:x:5125:

I set the password to a random password:

[root@tempest ~]# /usr/bin/passwd cs117
Changing password for user cs117.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@tempest ~]#

Not being able to restore the correct password is embarrassing, but Lyn will easily be able to change it to one he likes.

Now, we need to propagate these changes to LDAP and to /etc/passwd files on Puma:

[root@tempest ~]# get-ldap-entry cs117
[root@tempest ~]# ldapadduser cs117
adding new entry "uid=cs117,ou=People,dc=cs,dc=wellesley,dc=edu"

adding new entry "cn=cs117,ou=Group,dc=cs,dc=wellesley,dc=edu"

[root@tempest ~]# get-ldap-entry cs117
dn: uid=cs117,ou=People,dc=cs,dc=wellesley,dc=edu
uid: cs117
cn: Inventing Mobile Apps
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHh1OU03QXM0JDdZY3lOOVZqWlVKdlJzV3FBVlRGbFNIQzFDSGU
 wQ2VZSC5mSGJpZkNxcmxYblB2TUpKdTJZSTdFQmY0UjVON2I5c3l4dXlIVE1XZzlSdXVIWDhUcm9x
shadowLastChange: 15573
loginShell: /bin/bash
uidNumber: 5121
gidNumber: 5125
homeDirectory: /home/cs117
gecos: Inventing Mobile Apps

Now it’s in LDAP, so we should be able to su to that account on any of the client machines.

[root@tempest ~]# ssh anderson@sampras
anderson@sampras's password: 
Last login: Thu Aug  9 11:13:51 2012 from 149.130.167.203
[anderson@sampras ~] getent passwd cs117
cs117:*:5121:5125:Inventing Mobile Apps:/home/cs117:/bin/bash
[anderson@sampras ~] su - cs117
Password: 
[cs117@sampras ~] id
uid=5121(cs117) gid=5125(cs117) groups=5125(cs117)
[cs117@sampras ~] ls -l
total 8
drwxr-x--- 2 cs117 cs117 4096 Aug 25  2011 private
drwxrwxr-x 2 cs117 cs117 4096 Sep 12  2011 public_html
[cs117@sampras ~] logout

Good.  Last step, we need to copy these entries to Puma’s flat files, since we still don’t have it working as an LDAP client (and may never).

[root@tempest ~]# ssh puma grep cs117 /etc/passwd
[root@tempest ~]# acct-copy-to-puma 
Usage: /root/ldapscripts/acct-copy-to-puma account
Copies account data from Tempest to flat files on Puma
Run this script on Tempest
Warning: this does not check that the account hasn't already been copied
[root@tempest ~]# acct-copy-to-puma cs117
cs117.passwd                                                                  100%   62     0.1KB/s   00:00    
cs117.shadow                                                                  100%  117     0.1KB/s   00:00    
cs117.group                                                                   100%   14     0.0KB/s   00:00    
[root@tempest ~]# ssh puma grep cs117 /etc/passwd
cs117:x:5121:5125:Inventing Mobile Apps:/home/cs117:/bin/bash
[root@tempest ~]#

Okay, we should be all set now.  We need to make sure no other accounts are missing like this.
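
One way to run that check, as an added example (not one of the scripts in /root/ldapscripts): it takes a "uid gid path" listing from one host and reports every path whose numeric owner or group is missing from a passwd/group file, which may be a copy fetched from another host. The function name and the sample account lines are assumptions of this example; only the cs117 ids come from the listing above.

```bash
#!/bin/bash
# Added example: list paths whose numeric owner or group has no entry in a
# given passwd/group file. Input on stdin is "uid gid path" per line, e.g.
#   find /home -mindepth 1 -maxdepth 1 -printf '%U %G %p\n'
# The passwd and group files may be copies fetched from another host.
# Output is "path<TAB>uid=N,gid=M" for each unresolved id; returns 2 if
# either file cannot be read.
find_orphans() {
    local passwd_file=$1 group_file=$2
    if [ ! -r "$passwd_file" ] || [ ! -r "$group_file" ]; then
        echo "find_orphans: cannot read passwd/group file" >&2
        return 2
    fi
    awk -v pw="$passwd_file" -v gr="$group_file" '
        BEGIN {
            # Field 3 of both files is the numeric id.
            while ((getline line < pw) > 0) { split(line, f, ":"); uid[f[3]] = 1 }
            while ((getline line < gr) > 0) { split(line, f, ":"); gid[f[3]] = 1 }
        }
        NF >= 3 {
            # Everything after the two ids is the path (it may contain spaces).
            path = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", path)
            missing = ""
            if (!($1 in uid)) missing = "uid=" $1
            if (!($2 in gid)) missing = missing (missing != "" ? "," : "") "gid=" $2
            if (missing != "") print path "\t" missing
        }'
}

# Constructed sample: the state before the fix above. The cs117 ids are the
# ones in the ls output for /home/cs117; the other account lines are made up.
demo_orphans() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'anderson:x:500:500::/home/anderson:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'anderson:x:500:' > "$d/group"
    printf '%s\n' '500 500 /home/anderson' '5121 5125 /home/cs117' |
        find_orphans "$d/passwd" "$d/group"
    rm -rf -- "$d"
}
demo_orphans
```

On a host that resolves accounts through LDAP, feed it the output of "getent passwd" and "getent group" saved to files instead of the flat files.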

 

 

 

 


Tempest as web server

Saving a web page to a client (say, Sampras), and then going to cs.wellesley.edu and refreshing the page often fails to get the new files, because of NFS delays.  I think the saving is nearly instantaneous; I think the delay is mostly at Puma’s end: it’s not reading the new file.  We could work on the parameters for NFS, or we could make Tempest be the web server, which we need to do anyhow.

I checked for differences between the directory tree at /etc/httpd for each system.  There are lots of extra files in /etc/httpd/conf.d on Puma, unsurprisingly. Some of them are unnecessary (manual.conf).

Some, I’m not sure we use, but they can’t hurt:  perl.conf enables mod_perl and python.conf enables mod_python, which advanced web programmers might use.

[root@tempest ~]# yum -y install mod_perl
Resolving Dependencies
--> Running transaction check
---> Package mod_perl.x86_64 0:2.0.4-10.el6 will be installed
--> Processing Dependency: perl(BSD::Resource) for package: mod_perl-2.0.4-10.el6.x86_64
--> Running transaction check
---> Package perl-BSD-Resource.x86_64 0:1.29.03-3.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
 Package                           Arch                   Version                         Repository                            Size
=====================================================================================================================================
Installing:
 mod_perl                          x86_64                 2.0.4-10.el6                    rhel-x86_64-server-6                 3.2 M
Installing for dependencies:
 perl-BSD-Resource                 x86_64                 1.29.03-3.el6                   rhel-x86_64-server-6                  35 k

Installed:
  mod_perl.x86_64 0:2.0.4-10.el6                                                                                                     

Dependency Installed:
  perl-BSD-Resource.x86_64 0:1.29.03-3.el6                                                                                           

Complete!

Now, we made some changes to the perl.conf file, so

[root@tempest ~]# cd /etc/httpd/conf.d
[root@tempest conf.d]# mv perl.conf perl.conf.orig
[root@tempest conf.d]# cp /home/sysadmin/etc/httpd/conf.d/perl.conf .
[root@tempest conf.d]# ls -Z perl.conf*
-rw-rw----. root root unconfined_u:object_r:httpd_config_t:s0 perl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 perl.conf.orig
[root@tempest conf.d]# chcon --reference=perl.conf.orig perl.conf
[root@tempest conf.d]# ls -Z perl.conf*
-rw-rw----. root root system_u:object_r:httpd_config_t:s0 perl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 perl.conf.orig
[root@tempest conf.d]# ls -Z
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mod_dnssd.conf
-rw-rw----. root root system_u:object_r:httpd_config_t:s0 perl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 perl.conf.orig
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 php.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 README
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 welcome.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 wsgi.conf

And now for python:

[root@tempest ~]# yum -y install mod_python
No package mod_python available.
Error: Nothing to do
[root@tempest ~]#

Hunh.  That was unexpected.  mod_python *does* exist on Puma.  Let’s see ….

[root@tempest ~]# yum search mod_python
======================================================== Matched: mod_python ========================================================
mod_wsgi.x86_64 : A WSGI interface for Python web applications in Apache
[root@tempest ~]# yum -y install mod_wsgi
---> Package mod_wsgi.x86_64 0:3.2-1.el6 will be installed
Installed:
  mod_wsgi.x86_64 0:3.2-1.el6                                                                                                        

Complete!
[root@tempest ~]#

Okay, that’s better.  Now, I think Consuelo wanted this, to do subversion over the web:

[root@tempest conf.d]# yum -y install mod_dav_svn
--> Running transaction check
---> Package mod_dav_svn.x86_64 0:1.6.11-7.el6 will be installed
Installed:
  mod_dav_svn.x86_64 0:1.6.11-7.el6                                                                                                  

Complete!

I’m not going to install squid or proxy_ajp or webalizer, so we can ignore those modules in the list on Puma:

[root@tempest conf.d]# ssh puma ls -l /etc/httpd/conf.d/
total 140
-rw-r--r-- 1 root root  793 Jul 19 14:37 00_auth_cas.conf
-rw-r--r-- 1 root root  517 Sep  9  2004 10_authz_ldap.conf
-rw-r--r-- 1 root root 9835 Mar  9  2008 20_ssl.conf
-rw-r--r-- 1 root root  295 Jun  6 10:04 manual.conf
-rw-rw---- 1 root root 1824 Feb  1  2008 perl.conf
-rw-r--r-- 1 root root 1796 Apr 22  2005 perl.conf.orig
-rw-r--r-- 1 root root 1853 Feb  1  2008 perl.conf.wellesley
-rw-r--r-- 1 root root  560 Jun  2  2010 php.conf
-rw-r--r-- 1 root root  566 Jun  6 10:04 proxy_ajp.conf
-rw-r--r-- 1 root root 1671 Jul 12  2006 python.conf
-rw-r--r-- 1 root root  392 Jun  6 10:04 README
-rw-r--r-- 1 root root  334 Feb 16  2010 squid.conf
-rw-r--r-- 1 root root 1315 Apr  4  2005 subversion.conf
-rw-r--r-- 1 root root 8159 Feb  1  2008 twiki.conf
-rw-r--r-- 1 root root  352 Jul 12  2006 webalizer.conf
-rw-r--r-- 1 root root  299 Jun  6 10:04 welcome.conf
[root@tempest conf.d]#

That leaves only twiki, which I’ll put off for now, and the CAS stuff.  I implemented a script to duplicate the CAS setup.  Here it is:

[root@tempest conf.d]# cat /home/sysadmin/fixes/install-cas.sh
#!/bin/bash

set -e

yum -y install --enablerepo=epel mod_auth_cas 
yum -y install mod_authz_ldap

# rename modules to load first and in order
cd /etc/httpd/conf.d/
mv authz_ldap.conf 10_authz_ldap.conf
mv ssl.conf 20_ssl.conf

# This file was developed by following http://wiki.jasig.org/pages/viewpage.action?pageid=47874958
# and Jim Billing's (of Wellesley's LTS) advice:
cp /home/sysadmin/etc/httpd/conf.d/00_auth_cas.conf /etc/httpd/conf.d

cd /var/lib
mkdir cas
chown apache:apache cas
chmod 750 cas
semanage fcontext -a -s system_u -t httpd_var_lib_t /var/lib/cas
restorecon -r -v ./

Let’s go ahead and do that:

[root@tempest conf.d]# /home/sysadmin/fixes/install-cas.sh
epel/metalink                                                                                                 |  12 kB     00:00     
epel                                                                                                          | 4.3 kB     00:00     
epel/primary_db                                                                                               | 4.6 MB     00:01     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_auth_cas.x86_64 0:1.0.8.1-2.el6 will be installed
--> Finished Dependency Resolution

Installed:
  mod_auth_cas.x86_64 0:1.0.8.1-2.el6                                                                                                

Complete!
Resolving Dependencies
--> Running transaction check
---> Package mod_authz_ldap.x86_64 0:0.26-15.el6 will be installed
--> Finished Dependency Resolution

Installed:
  mod_authz_ldap.x86_64 0:0.26-15.el6                                                                                                

Complete!
mv: cannot stat `ssl.conf': No such file or directory
[root@tempest conf.d]#

Oops.  Hmm.  Where does that come from?

[root@tempest conf.d]# ssh puma rpm -qf /etc/httpd/conf.d/ssl.conf
mod_ssl-2.2.3-65.el5.centos
[root@tempest conf.d]# yum -y install mod_ssl
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-15.el6_2.1 will be installed
--> Finished Dependency Resolution

Installed:
  mod_ssl.x86_64 1:2.2.15-15.el6_2.1                                                                                                 

Complete!
[root@tempest conf.d]#

Okay, that’s better.  I updated the script to include that step, and then undid the “mv” step (since that’s not idempotent) and re-ran the script.

[root@tempest conf.d]# mv 10_authz_ldap.conf authz_ldap.conf 
[root@tempest conf.d]# /home/sysadmin/fixes/install-cas.sh
Package mod_auth_cas-1.0.8.1-2.el6.x86_64 already installed and latest version
Nothing to do
Package mod_authz_ldap-0.26-15.el6.x86_64 already installed and latest version
Nothing to do
Package 1:mod_ssl-2.2.15-15.el6_2.1.x86_64 already installed and latest version
Nothing to do
mkdir: cannot create directory `cas': File exists

Hmm.  Did that directory already exist?

[root@tempest conf.d]# ls -ld /var/lib/cas
drwxr-xr-x. 3 root root 4096 Feb  3  2012 /var/lib/cas

Seems so.  *sigh*. Okay, edit the script to make it idempotent, and re-run.  It should only do the last steps of “semanage” and “restorecon”:

[root@tempest conf.d]# /home/sysadmin/fixes/install-cas.sh
Package mod_auth_cas-1.0.8.1-2.el6.x86_64 already installed and latest version
Nothing to do
Package mod_authz_ldap-0.26-15.el6.x86_64 already installed and latest version
Nothing to do
Package 1:mod_ssl-2.2.15-15.el6_2.1.x86_64 already installed and latest version
Nothing to do
restorecon reset /var/lib/ldap.24549 context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.004 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/objectClass.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.006 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/ou.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/cn.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/id2entry.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.001 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.003 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/DB_CONFIG context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/gidNumber.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/nisMapName.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/memberUid.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/loginShell.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/dn2id.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/uidNumber.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/log.0000000001 context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/alock context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/log.0000000003 context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/log.0000000002 context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.002 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/uid.bdb context system_u:object_r:slapd_db_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ldap.24549/__db.005 context unconfined_u:object_r:slapd_db_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/denyhosts context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/offset context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/hosts-valid context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/allowed-hosts~ context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/hosts-restricted context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/hosts-root context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/allowed-hosts context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/users-valid context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/suspicious-logins context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/users-hosts context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/hosts context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/denyhosts/users-invalid context unconfined_u:object_r:var_lib_t:s0->unconfined_u:object_r:denyhosts_var_lib_t:s0
restorecon reset /var/lib/rsyslog context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
restorecon reset /var/lib/cas context system_u:object_r:var_lib_t:s0->system_u:object_r:httpd_var_lib_t:s0
[root@tempest conf.d]#

Wow, I didn’t expect those other operations by restorecon.  I wonder if that explains the trouble we’ve been having with denyhosts?  Seems likely:  whenever you have unexplained difficulties, consider blaming selinux!
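
The revised script is not shown in this post, so here is an added sketch (not the author's code) of how the install-cas.sh steps can be made safe to re-run. The helper names, the --apply switch and the CONF_D/CAS_DIR overrides are assumptions of this example; it also relabels only /var/lib/cas rather than everything under /var/lib, so a re-run does not touch other services' labels.

```bash
#!/bin/bash
# Added example: a re-runnable take on the install-cas.sh steps.
# CONF_D and CAS_DIR default to the page's paths; point them at a scratch
# directory to rehearse the file operations without touching the server.
CONF_D="${CONF_D:-/etc/httpd/conf.d}"
CAS_DIR="${CAS_DIR:-/var/lib/cas}"

# Rename $1 to $2 inside CONF_D unless an earlier run already did.
#   0 = target is in place
#   1 = neither file exists (is the package installed?)
#   2 = both exist (the original has reappeared and needs a manual merge)
rename_once() {
    local src="$CONF_D/$1" dst="$CONF_D/$2"
    if [ -e "$dst" ] && [ -e "$src" ]; then
        echo "rename_once: both $src and $dst exist; not overwriting" >&2
        return 2
    elif [ -e "$dst" ]; then
        return 0
    elif [ ! -e "$src" ]; then
        echo "rename_once: $src not found; is its package installed?" >&2
        return 1
    fi
    mv -- "$src" "$dst"
}

# Create the CAS directory if needed and pin its mode either way; a
# directory left over from an earlier install may be 755, as on Tempest.
ensure_cas_dir() {
    mkdir -p -- "$CAS_DIR" && chmod 750 -- "$CAS_DIR"
}

# The privileged part. The body is a subshell so that `set -e` stays local.
# File names are the ones the script uses at this point in the post.
apply() (
    set -e
    yum -y install --enablerepo=epel mod_auth_cas
    yum -y install mod_authz_ldap mod_ssl
    rename_once authz_ldap.conf 10_authz_ldap.conf
    rename_once ssl.conf 20_ssl.conf
    cp /home/sysadmin/etc/httpd/conf.d/00_auth_cas.conf "$CONF_D"/
    ensure_cas_dir
    chown apache:apache "$CAS_DIR"
    # `semanage fcontext -a` fails when the rule already exists, so fall
    # back to -m. The (/.*)? suffix also covers files created inside.
    semanage fcontext -a -s system_u -t httpd_var_lib_t "$CAS_DIR(/.*)?" ||
        semanage fcontext -m -s system_u -t httpd_var_lib_t "$CAS_DIR(/.*)?"
    # Relabel only the CAS directory, not all of /var/lib.
    restorecon -R -v "$CAS_DIR"
)

# Nothing privileged happens unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

To see which labels a wider relabel would change before committing to it, "restorecon -n -R -v /var/lib" prints the pending changes without applying them.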

Now, we should check the httpd.conf file.  First, compare the httpd versions:

[root@tempest conf.d]# rpm -q httpd
httpd-2.2.15-15.el6_2.1.x86_64
[root@tempest conf.d]# ssh puma rpm -q httpd
httpd-2.2.3-65.el5.centos

I think those are similar enough that they probably haven’t changed the httpd.conf file.  Eventually, I should clean out the cruft in there, such as cgi-script-user directives for students who have graduated, but that’s not for today.

[root@tempest conf.d]# cd  ../conf
[root@tempest conf]# ls
httpd.conf  magic
[root@tempest conf]# mv httpd.conf httpd.conf.orig
[root@tempest conf]# cp /home/sysadmin/etc/httpd/conf/httpd.conf .
[root@tempest conf]# ls -Z httpd.conf*
-rw-r-----. root root unconfined_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf.orig
[root@tempest conf]# chcon --reference=httpd.conf.orig httpd.conf
[root@tempest conf]# chmod a+r httpd.conf
[root@tempest conf]# ls -l httpd.conf*
-rw-r--r--. 1 root root 54451 Aug 15 12:16 httpd.conf
-rw-r--r--. 1 root root 34418 Feb  7  2012 httpd.conf.orig
[root@tempest conf]# ls -Z httpd.conf*
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf.orig
[root@tempest conf]#

Okay, I’m ready to ask apachectl to test the configuration files:

[root@tempest conf]# apachectl -t
httpd: Syntax error on line 196 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_file_cache.so into server: /etc/httpd/modules/mod_file_cache.so: cannot open shared object file: No such file or directory
[root@tempest conf]# ssh puma rpm -qf /etc/httpd/modules/mod_file_cache.so
httpd-2.2.3-65.el5.centos

So, I think that file goes with the version of httpd on Puma, and not the one on Tempest, so I think the right thing to do is simply to delete that line from the httpd.conf file.  In fact, there may be other differences in default settings, so let’s check:

[root@tempest conf]# diff httpd.conf httpd.conf.orig | more
61c61,63
< # identification number when it starts.
---
> # identification number when it starts.  Note the PIDFILE variable in
> # /etc/sysconfig/httpd must be set appropriately if this location is
> # changed.
68c70
< Timeout 120
---
> Timeout 60
117,118c119,120
< StartServers         2
< MaxClients         150
---
> StartServers         4
> MaxClients         300
186a189
> LoadModule substitute_module modules/mod_substitute.so
191a195
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
196d199
< LoadModule mem_cache_module modules/mod_mem_cache.so
200,210d202
< # Wellesley mod:  Added these for Subversion support.  See http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html
< # Actually, these aren't necessary, because the .so files are in /etc/httpd/modules/
< # LoadModule dav_module modules/mod_dav.so
< # LoadModule dav_svn_module modules/mod_dav_svn.so
< LoadModule unique_id_module modules/mod_unique_id.so
< 
< # Wellesley mod:  Added this for Django support.  See
< # http://docs.djangoproject.com/en/dev/howto/deployment/modwsgi/
< # TODO
< 
< 
214d205
< #LoadModule cern_meta_module modules/mod_cern_meta.so
215a207,216
> #LoadModule authn_dbd_module modules/mod_authn_dbd.so
> #LoadModule cern_meta_module modules/mod_cern_meta.so
> #LoadModule cgid_module modules/mod_cgid.so
> #LoadModule dbd_module modules/mod_dbd.so
> #LoadModule dumpio_module modules/mod_dumpio.so
> #LoadModule filter_module modules/mod_filter.so
> #LoadModule ident_module modules/mod_ident.so
> #LoadModule log_forensic_module modules/mod_log_forensic.so
> #LoadModule unique_id_module modules/mod_unique_id.so
> #
276d276
< ServerName cs.wellesley.edu:80
331c331
<     Options Indexes FollowSymLinks ExecCGI
---
>     Options Indexes FollowSymLinks
...

Ick. The difference in modules and such has me concerned.  So, I think it’s time to bite the bullet and factor the Wellesley augmentations and overrides out of the system httpd.conf file.  I think if we put all those in a file in /etc/httpd/conf.d/, it’ll get loaded.  So, I did that, and we’ll see if this all works.  We have to undo the modified httpd.conf file and put a file in conf.d:

[root@tempest conf]# rm httpd.conf
[root@tempest conf]# mv httpd.conf
httpd.conf~      httpd.conf.orig  
[root@tempest conf]# rm httpd.conf~
[root@tempest conf]# mv httpd.conf.orig httpd.conf
[root@tempest conf]# cd ../conf.d
[root@tempest conf.d]# cp /home/sysadmin/etc/httpd/conf.d/wellesley.conf .
[root@tempest conf.d]# ls -Z w*
-rw-r-----. root root unconfined_u:object_r:httpd_config_t:s0 00_auth_cas.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 10_authz_ldap.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 20_ssl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 auth_cas.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mod_dnssd.conf
-rw-rw----. root root system_u:object_r:httpd_config_t:s0 perl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 perl.conf.orig
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 php.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 README
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 subversion.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 welcome.conf
-rw-rw----. root root unconfined_u:object_r:httpd_config_t:s0 wellesley.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 wsgi.conf
[root@tempest conf.d]# chcon --reference=wsgi.conf wellesley.conf 
[root@tempest conf.d]# chcon --reference=10_authz_ldap.conf 00_auth_cas.conf 
[root@tempest conf.d]# ls -Z
-rw-r-----. root root unconfined_u:object_r:httpd_config_t:s0 00_auth_cas.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 10_authz_ldap.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 20_ssl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 auth_cas.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mod_dnssd.conf
-rw-rw----. root root system_u:object_r:httpd_config_t:s0 perl.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 perl.conf.orig
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 php.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 README
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 subversion.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 welcome.conf
-rw-rw----. root root system_u:object_r:httpd_config_t:s0 wellesley.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 wsgi.conf
[root@tempest conf.d]# chmod 644 *

Okay, let’s see how that goes:

[root@tempest conf.d]# !apac
apachectl -t
httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/00_auth_cas.conf: Cannot load /etc/httpd/modules/mod_auth_cas.so into server: /etc/httpd/modules/mod_auth_cas.so: undefined symbol: SSL_connect

*sigh*.

Okay, first check that it’s not just some module that is out of date:

[root@tempest conf.d]# rpm -V mod_auth_cas
[root@tempest conf.d]# rpm -V httpd
S.5....T.  c /var/www/error/include/bottom.html
[root@tempest conf.d]# yum -y update httpd mod_auth_cas
Loaded plugins: downloadonly, product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Update Process
No Packages marked for Update
[root@tempest conf.d]#

I did some googling for the error message and I found the following Bugzilla entry:  https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=708550.  So, I added the following lines to the top of 00_auth_cas.conf:

[root@tempest conf.d]# head -12 00_auth_cas.conf
#
# mod_auth_cas is an Apache 2.0/2.2 compliant module that supports the
# CASv1 and CASv2 protocols
#

# The following three lines may fix a bug where the SSL_connect symbol
# is not defined when the mod_auth_cas.so is loaded, because the
# mod_ssl is loaded later.
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

When I do that, I get:

[root@tempest conf.d]# apachectl -t
[Wed Aug 15 14:35:21 2012] [warn] module ssl_module is already loaded, skipping
[Wed Aug 15 14:35:21 2012] [warn] module auth_cas_module is already loaded, skipping
Syntax OK

Interesting!  So, maybe the thing to do is to re-arrange the order of these .conf files.  Instead of

[root@tempest conf.d]# ls -1 *0*
00_auth_cas.conf
10_authz_ldap.conf
20_ssl.conf

we do

[root@tempest conf.d]# mv 00_auth_cas.conf 05_auth_cas.conf 
[root@tempest conf.d]# mv 20_ssl.conf 00_ssl.conf

to get:

[root@tempest conf.d]# ls -1 *0*
00_ssl.conf
05_auth_cas.conf
10_authz_ldap.conf

So, we get:

[root@tempest conf.d]# apachectl -t
[Wed Aug 15 14:40:20 2012] [warn] module auth_cas_module is already loaded, skipping
Syntax OK

Hunh?  How does that happen?

[root@tempest conf.d]# grep mod_auth_cas.so *
05_auth_cas.conf:# is not defined when the mod_auth_cas.so is loaded, because the
05_auth_cas.conf:LoadModule auth_cas_module modules/mod_auth_cas.so
auth_cas.conf:LoadModule auth_cas_module modules/mod_auth_cas.so

Oh, we don’t need the auth_cas.conf file, since we have the 05 version to replace it:

[root@tempest conf.d]# rm auth_cas.conf 
[root@tempest conf.d]# apachectl -t
Syntax OK

Oh, good.  I also went back and deleted those extra lines at the top of the file that is now 05_auth_cas.conf.
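
Both problems above (mod_auth_cas loaded before mod_ssl, and the same module loaded from two files) can be spotted before running apachectl -t. The following is an added example, not part of the original setup: it lists the LoadModule directives in conf.d in sorted file-name order, which is the order a wildcard Include reads them, and flags duplicates and a CAS-before-SSL ordering. The function names and the one-line sample files are constructed for the example.

```bash
#!/bin/bash
# Added example: show LoadModule directives in the order a wildcard Include
# of conf.d/*.conf reads them, and flag the two problems met above.

# Print "module<TAB>file<TAB>path" for each active LoadModule line, with the
# files taken in sorted name order. Commented-out lines are ignored; a
# LoadModule inside <IfModule> is counted as if it were unconditional.
loadmodule_order() {
    local dir=$1 f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            tolower($1) == "loadmodule" && NF >= 3 { print $2 "\t" file "\t" $3 }
        ' "$f"
    done
}

# Exit status 0 if clean, 1 if a module is loaded twice or auth_cas_module
# is not preceded by ssl_module (the undefined SSL_connect symbol above).
# Only conf.d is examined; LoadModule lines in httpd.conf itself are not.
check_load_order() {
    loadmodule_order "$1" | awk -F'\t' '
        $1 in first {
            printf "DUPLICATE %s in %s (first loaded in %s)\n", $1, $2, first[$1]
            bad = 1
            next
        }
        { first[$1] = $2; pos[$1] = NR }
        END {
            if (("auth_cas_module" in pos) &&
                !(("ssl_module" in pos) && pos["ssl_module"] < pos["auth_cas_module"])) {
                print "ORDER auth_cas_module is not preceded by ssl_module in this directory"
                bad = 1
            }
            exit bad + 0
        }'
}

# Constructed sample: the file names from the listings above, each reduced
# to a single LoadModule line, first as installed and then as rearranged.
demo_load_order() {
    local d
    d=$(mktemp -d) || return 1
    echo 'LoadModule auth_cas_module modules/mod_auth_cas.so' > "$d/00_auth_cas.conf"
    echo 'LoadModule authz_ldap_module modules/mod_authz_ldap.so' > "$d/10_authz_ldap.conf"
    echo 'LoadModule ssl_module modules/mod_ssl.so' > "$d/20_ssl.conf"
    echo 'LoadModule auth_cas_module modules/mod_auth_cas.so' > "$d/auth_cas.conf"
    echo "-- as first installed:"
    check_load_order "$d" || true
    mv "$d/00_auth_cas.conf" "$d/05_auth_cas.conf"
    mv "$d/20_ssl.conf" "$d/00_ssl.conf"
    rm "$d/auth_cas.conf"
    echo "-- after the renames and the removal of auth_cas.conf:"
    check_load_order "$d" && echo "clean"
    rm -rf -- "$d"
}
demo_load_order
```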

[root@tempest conf.d]# service httpd start
Starting httpd:                                            [  OK  ]
[root@tempest conf.d]# chkconfig httpd on

We can do some testing, by visiting these URLs:

Hmm.  That results in a page that says:

This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the Apache HTTP server installed at this site is working properly.

If you are a member of the general public:

The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.

Ah, the /var/log/httpd/error_log shows:

[root@tempest conf.d]# tail /var/log/httpd/error_log 
[Wed Aug 15 14:43:44 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.3 SVN/1.6.11 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Wed Aug 15 14:48:05 2012] [error] [client 149.130.167.203] Symbolic link not allowed or link target not accessible: /var/www/html/index.html
[Wed Aug 15 14:48:05 2012] [error] [client 149.130.167.203] Symbolic link not allowed or link target not accessible: /var/www/html/index.html
[root@tempest conf.d]# ls -l /var/www/html/index.html
lrwxrwxrwx. 1 root root 31 May 10  2011 /var/www/html/index.html -> /home/cs/public_html/index.html

So, the symlink out of /var/www/html is not working.  Hmm, but I see that

<Directory "/var/www/html">
...
    Options Indexes FollowSymLinks

So, why isn’t the symlink being followed?  Is it an issue with showing the target of the link?  So, try the following URL:

http://tempest.wellesley.edu/~cs/

Ah, that says 404, and the error log shows:

[root@tempest conf.d]# tail /var/log/httpd/error_log 
[Wed Aug 15 14:58:05 2012] [error] [client 149.130.167.203] File does not exist: /var/www/html/~cs
[root@tempest conf.d]#

So, we need to enable home directories.  But that should be done in conf.d/wellesley.conf.

[root@tempest conf.d]# ls -l wellesley.conf 
-rw-r--r--. 1 root root 22129 Aug 15 12:35 wellesley.conf
[root@tempest conf.d]# grep public_html !$
grep public_html wellesley.conf
    # To enable requests to /~user/ to serve the user's public_html
    UserDir public_html
<Directory /home/*/public_html>
...

I wasn’t sure whether we could override the configuration of mod_userdir in the main httpd.conf file, so let’s try that, first.

[root@tempest conf.d]# cd /etc/httpd/conf/
[root@tempest conf]# ls httpd.conf*
httpd.conf  httpd.conf.orig
[root@tempest conf]# diff httpd.conf*
366,368c366
<     # Wellesley mod:  allow UserDir
<     #UserDir disabled
<     UserDir public_html
---
>     UserDir disabled
[root@tempest conf]# apachectl graceful

Okay, now I get 403 forbidden:

[root@tempest conf]# tail -1 /var/log/httpd/error_log 
[Wed Aug 15 15:08:45 2012] [error] [client 149.130.167.203] (13)Permission denied: access to /~cs/ denied

Okay, now what?  I think it might be that apache isn’t able to read those files.  Let’s learn how to test that:

[root@tempest conf]# echo "success" > /tmp/apache-no
[root@tempest conf]# echo "success" > /tmp/apache-only
[root@tempest conf]# chown apache.apache /tmp/apache-only
[root@tempest conf]# chmod 600 /tmp/apache*
[root@tempest conf]# su -s /bin/sh apache -c "cat /tmp/apache-only"
success
[root@tempest conf]# su -s /bin/sh apache -c "cat /tmp/apache-no"
cat: /tmp/apache-no: Permission denied

Let’s see if that command works on these web pages:

[root@tempest conf]# su -s /bin/sh apache -c "head /home/cs/public_html/index.html"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- Edited by lyn on 03/04/2012 to edit the intro to "A Brief History" (removing mention that it
 was written back in 1999.) --> 

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
[root@tempest conf]#

Okay, so that’s not it.  Hmm….  Okay, I’ll modify the main httpd.conf file to use, exactly, the <Directory configuration they have.

[root@tempest conf]# grep -A12  "^<Directory .*public_html" httpd.conf
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
   <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
[root@tempest conf]# apachectl graceful
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~cs/index.html
403 Forbidden
Connection: close
Date: Wed, 15 Aug 2012 20:06:00 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html; charset=iso-8859-1
Client-Date: Wed, 15 Aug 2012 20:06:00 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
[root@tempest conf]# tail -1 /var/log/httpd/error_log 
[Wed Aug 15 16:06:00 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /~cs/index.html denied

@#*!!  Let’s try running the server in debug mode:

[root@tempest conf]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@tempest conf]# /usr/sbin/httpd -X -c "LogLevel debug" &
[1] 17983
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~cs/index.html
200 OK
Connection: close
Date: Wed, 15 Aug 2012 20:16:52 GMT
Accept-Ranges: bytes
Server: Apache/2.2.15 (Red Hat)
Content-Length: 4579
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 04 Apr 2012 15:11:06 GMT
Client-Date: Wed, 15 Aug 2012 20:16:52 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1

[root@tempest conf]#

Bizarre!  Running it in debug mode solves the problem! Let me bump up the logging in the configuration file:

[root@tempest conf]# grep LogLevel httpd.conf
# LogLevel: Control the number of messages logged to the error_log.
#LogLevel warn
LogLevel debug
[root@tempest conf]# service httpd start
Starting httpd: 
[root@tempest conf]# service httpd status
httpd (pid  17983) is running...
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~cs/index.html
200 OK
Connection: close

Okay, so bumping up the logging works.  What if we take it back down?

[root@tempest conf]# grep LogLevel httpd.conf
# LogLevel: Control the number of messages logged to the error_log.
LogLevel warn
#LogLevel debug
[root@tempest conf]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[1]+  Done                    /usr/sbin/httpd -X -c "LogLevel debug"
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~cs/index.html
403 Forbidden
Connection: close

Ah, I see.  It wasn’t the loglevel, it was the server process running in debug mode (see how it exits when we restart the server).  Let’s try once more:

[root@tempest conf]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@tempest conf]# /usr/sbin/httpd -X

That hangs, as it should.  Now, in another window, I do:

[root@tempest ~]# HEAD http://tempest.wellesley.edu/~cs/index.html
200 OK

Hmm.  Good, but what I’d really like is for it to fail, so that I can try to figure out why.

Some Googling found this: http://stackoverflow.com/questions/8816836/apache-403-error-13permission-denied-access-to-denied-fedora-16, which suggests it’s an selinux problem (big surprise).  But where are the darn selinux logs?  Ah, this page http://wiki.centos.org/HowTos/SELinux/ says they’re in /var/log/audit/audit.log, and sure enough:

[root@tempest conf]# grep httpd /var/log/audit/audit.log | wc
  17194  378268 5100511
[root@tempest conf]# grep /usr/sbin/httpd /var/log/audit/audit.log | wc
   8597  240716 3128595
[root@tempest conf]# grep httpd /var/log/audit/audit.log | tail -5
type=SYSCALL msg=audit(1345062965.521:18406): arch=c000003e syscall=4 success=no exit=-13 a0=7f26fddca878 a1=7fff177324c0 a2=7fff177324c0 a3=1999999999999999 items=0 ppid=18276 pid=18278 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345062971.986:18407): avc:  denied  { search } for  pid=18280 comm="httpd" name="cs" dev=dm-4 ino=5636097 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1345062971.986:18407): arch=c000003e syscall=4 success=no exit=-13 a0=7f26fe2305c0 a1=7fff177321a0 a2=7fff177321a0 a3=0 items=0 ppid=18276 pid=18280 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345062971.986:18408): avc:  denied  { getattr } for  pid=18280 comm="httpd" path="/home/cs" dev=dm-4 ino=5636097 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1345062971.986:18408): arch=c000003e syscall=6 success=no exit=-13 a0=7f26fe2306a0 a1=7fff177321a0 a2=7fff177321a0 a3=1 items=0 ppid=18276 pid=18280 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[root@tempest conf]#

Absolutely unreadable.  So, use “sealert”

[root@tempest conf]# sealert -b
-bash: sealert: command not found
[root@tempest conf]# yum -y install setroubleshoot
============================================================================================================================================================================
 Package                                        Arch                           Version                                   Repository                                    Size
============================================================================================================================================================================
Installing:
 setroubleshoot                                 x86_64                         3.0.47-3.el6_3                            rhel-x86_64-server-6                         118 k
Installing for dependencies:
 setroubleshoot-plugins                         noarch                         3.0.40-1.el6                              rhel-x86_64-server-6                         505 k
 setroubleshoot-server                          x86_64                         3.0.47-3.el6_3                            rhel-x86_64-server-6                         1.3 M
Running Transaction
  Installing : setroubleshoot-plugins-3.0.40-1.el6.noarch                                                                                                               1/3 
  Installing : setroubleshoot-server-3.0.47-3.el6_3.x86_64                                                                                                              2/3 
  Installing : setroubleshoot-3.0.47-3.el6_3.x86_64                                                                                                                     3/3 
Installed products updated.
  Verifying  : setroubleshoot-server-3.0.47-3.el6_3.x86_64                                                                                                              1/3 
  Verifying  : setroubleshoot-plugins-3.0.40-1.el6.noarch                                                                                                               2/3 
  Verifying  : setroubleshoot-3.0.47-3.el6_3.x86_64                                                                                                                     3/3 

Installed:
  setroubleshoot.x86_64 0:3.0.47-3.el6_3                                                                                                                                    

Dependency Installed:
  setroubleshoot-plugins.noarch 0:3.0.40-1.el6                                         setroubleshoot-server.x86_64 0:3.0.47-3.el6_3                                        

Complete!

Let’s have sealert analyze the logs.  Wait, this is taking *forever*.  Let’s have it just focus on the errors we want it to:

[root@tempest conf]# grep "/home/cs" /var/log/audit/audit.log > /tmp/audit-home-cs
[root@tempest conf]# sealert -a /tmp/audit-home-cs 
100% donefound 1 alerts in /tmp/audit-home-cs
--------------------------------------------------------------------------------

SELinux is preventing httpd from getattr access on the directory /home/cs.

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.You can read 'user_selinux' man page for more details.
Do
setsebool -P httpd_read_user_content 1

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow httpd to read home directories
Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.You can read 'user_selinux' man page for more details.
Do
setsebool -P httpd_enable_homedirs 1

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the cs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Okay, let’s follow its instructions:

[root@tempest conf]# setsebool -P httpd_read_user_content 1
[root@tempest conf]# setsebool -P http_enable_homedirs 1
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean http_enable_homedirs
Could not change policy booleans
[root@tempest conf]# setsebool -P httpd_enable_homedirs 1
[root@tempest conf]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~cs/index.html
200 OK

Yay!  This suggests, though, that we may have lots of difficulties with student accounts, since they’re not under /home.  We’ll see that next.

[root@tempest conf]# getent passwd gdome
gdome:x:707:707:Georgia B. Dome:/students/gdome:/bin/bash
[root@tempest conf]# HEAD http://tempest.wellesley.edu/~gdome/index.html
200 OK

Whew!  No problem here.
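
An added example, not part of the original post: a shell function that turns audit.log records like the ones above into one readable row per distinct denial, pairing each AVC record with the SYSCALL record that shares its event serial. The function names (avc_summary, sample_audit_lines) are hypothetical; the sample lines are the five shown in the tail -5 output above.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials read from stdin.
# Output is tab-separated, one row per distinct denial:
#   count  comm  source_type  perms  tclass  target_type  target  syscall  exit

avc_summary() {
    awk '
    # Strip the double quotes audit puts around string values.
    function unquote(s) { gsub(/^"|"$/, "", s); return s }

    {
        # All records of one audit event share the same msg=audit(time:serial).
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        ev = substr($0, RSTART, RLENGTH)
        sub(/^.*:/, "", ev); sub(/\)$/, "", ev)

        # Collect key=value fields. Values containing spaces are hex-encoded
        # by the audit subsystem, so splitting on whitespace is safe.
        split("", kv)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
    }

    # Remember the syscall number and return code for each event serial.
    $1 == "type=SYSCALL" { sc[ev] = kv["syscall"]; ex[ev] = kv["exit"]; next }

    $1 == "type=AVC" && /avc: +denied/ {
        perms = "?"
        if (match($0, /[{] [^}]* [}]/)) {
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
        }
        # The SELinux type is the third colon-separated part of a context.
        split(kv["scontext"], s, ":")
        split(kv["tcontext"], t, ":")
        target = ("path" in kv) ? kv["path"] : kv["name"]
        n++
        avc_ev[n] = ev
        row = unquote(kv["comm"]) "\t" s[3] "\t" perms "\t" kv["tclass"]
        avc[n] = row "\t" t[3] "\t" unquote(target)
    }

    END {
        # The SYSCALL record follows its AVC record, so join at the end.
        for (i = 1; i <= n; i++) {
            e = avc_ev[i]
            row = avc[i] "\t" ((e in sc) ? sc[e] : "-")
            row = row "\t" ((e in ex) ? ex[e] : "-")
            count[row]++
        }
        for (row in count) printf "%d\t%s\n", count[row], row
    }' | sort -t "$(printf '\t')" -k1,1nr -k2
}

# The five audit.log lines from the excerpt above, embedded so this runs offline.
sample_audit_lines() {
    cat <<'EOF'
type=SYSCALL msg=audit(1345062965.521:18406): arch=c000003e syscall=4 success=no exit=-13 a0=7f26fddca878 a1=7fff177324c0 a2=7fff177324c0 a3=1999999999999999 items=0 ppid=18276 pid=18278 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345062971.986:18407): avc:  denied  { search } for  pid=18280 comm="httpd" name="cs" dev=dm-4 ino=5636097 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1345062971.986:18407): arch=c000003e syscall=4 success=no exit=-13 a0=7f26fe2305c0 a1=7fff177321a0 a2=7fff177321a0 a3=0 items=0 ppid=18276 pid=18280 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345062971.986:18408): avc:  denied  { getattr } for  pid=18280 comm="httpd" path="/home/cs" dev=dm-4 ino=5636097 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1345062971.986:18408): arch=c000003e syscall=6 success=no exit=-13 a0=7f26fe2306a0 a1=7fff177321a0 a2=7fff177321a0 a3=1 items=0 ppid=18276 pid=18280 auid=716 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1019 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
EOF
}

# Run "sh thisfile demo" to see the summary of the embedded sample.
if [ "${1:-}" = "demo" ]; then
    sample_audit_lines | avc_summary
fi
```

On a live system, feed it the real log with `avc_summary < /var/log/audit/audit.log`; the source_type and target_type columns (httpd_t against user_home_dir_t here) are the pair to look up before choosing between a boolean, a relabel, or a local policy module.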

Finally, we should check out the python, perl, CAS and other module-like stuff. But this is enough for today.


Pear versions

I needed to install a PEAR package.  (PEAR is an internet-based repository of PHP packages.)  The installation command failed:

# pear install Mail_Mime
pear/Mail_Mime requires PEAR Installer (version >= 1.6.0), installed version is 1.4.9

I tried several ways of upgrading pear using yum, all of which failed:

# yum update php-pear
# yum --enablerepo="epel" update php-pear
# yum --enablerepo="rpmforge" update php-pear

Eventually, I typed the error message above into Google and found a post on StackOverflow.com that suggested:

# pear upgrade pear

That produced some complaints, many of which were the same sort as above.  I repeated the command, but no luck.  I then tried

# pear help

and noticed the following, which I tried:

# pear upgrade-all

That yielded some complaints, but mostly looked good.  No, it didn’t work.  The pear version is still 1.4.9.  According to other info on the StackOverflow page, 1.4.9 is hopelessly out of date, and I should probably uninstall it and re-install using directions like: http://pear.php.net/manual/en/installation.getting.php

I tried Tempest and it didn’t have either PHP or PEAR, so I installed them:

tempest# yum install php php-pear

Then, I did

tempest# pear version
PEAR Version: 1.9.4
PHP Version: 5.3.3
Zend Engine Version: 2.3.0

Then, I tried

tempest# pear install Mail_Mime

and that worked nicely, though it also told me to update the channel (a particular repository, I think):

tempest# pear channel-update pear.php.net

which succeeded with no complaint.

So, I think we need to (1) use Tempest as our main web server, once it’s able to do everything that Puma can now do, and (2) replace the PEAR on Puma, by hand, bypassing yum, and (3) eventually, install CentOS 6.3 on Puma, to match Tempest.

Short term, I’m going to try replacing PEAR.  The first step is to ensure that I don’t inadvertently lose some of the installed packages.  So I do:

[root@puma ~] pear list
 Installed packages, channel pear.php.net:
 =========================================
 Package           Version State
 Archive_Tar       1.3.1   stable
 Console_Getopt    1.2     stable
 HTML_Template_IT  1.3.0   stable
 MDB2              2.4.1   stable
 MDB2_Driver_mysql 1.4.1   stable
 PEAR              1.4.9   stable
 PHPUnit           1.3.2   stable
 Structures_Graph  1.0.4   stable
 XML_Parser        1.3.4   stable
 XML_RPC           1.5.5   stable
 XML_RSS           1.0.2   stable
 XML_Util          1.2.1   stable
 [root@puma ~]

This info will also let us replicate the packages on Tempest.
Here’s a nice bit of magic:

[root@puma ~] pear list | tail -n +4 | awk '{ print $1; }'
 Archive_Tar
 Console_Getopt
 HTML_Template_IT
 MDB2
 MDB2_Driver_mysql
 PEAR
 PHPUnit
 Structures_Graph
 XML_Parser
 XML_RPC
 XML_RSS
 XML_Util
 [root@puma ~]

Now, if I can iterate over those, or use xargs, I can install all of them on Tempest, since Tempest isn’t quite there:

[root@puma ~] pear list | tail -n +4 | awk '{ print $1; }' > /usr/network/tmp/pear-packages
[root@puma ~] ssh tempest
Last login: Fri Aug 10 12:13:31 2012 from puma.wellesley.edu
[root@tempest ~]# logout
Connection to tempest closed.
[root@puma ~] ls -lt /usr/network/tmp/pear-packages 
-rw-rw---- 1 root root 133 Aug 10 12:14 /usr/network/tmp/pear-packages
[root@puma ~] chmod a+r !$
chmod a+r /usr/network/tmp/pear-packages
[root@puma ~] ssh tempest
Last login: Fri Aug 10 12:14:50 2012 from puma.wellesley.edu
[root@tempest ~]# for p in `cat /usr/network/tmp/pear-packages `; do echo $p; done
Archive_Tar
Console_Getopt
HTML_Template_IT
MDB2
MDB2_Driver_mysql
PEAR
PHPUnit
Structures_Graph
XML_Parser
XML_RPC
XML_RSS
XML_Util
[root@tempest ~]# for p in `cat /usr/network/tmp/pear-packages `; do pear install $p; done
downloading Archive_Tar-1.3.10.tgz ...
Starting to download Archive_Tar-1.3.10.tgz (18,294 bytes)
......done: 18,294 bytes
install ok: channel://pear.php.net/Archive_Tar-1.3.10
downloading Console_Getopt-1.3.1.tgz ...
Starting to download Console_Getopt-1.3.1.tgz (4,471 bytes)
.....done: 4,471 bytes
install ok: channel://pear.php.net/Console_Getopt-1.3.1
downloading HTML_Template_IT-1.3.0.tgz ...
Starting to download HTML_Template_IT-1.3.0.tgz (23,309 bytes)
........done: 23,309 bytes
install ok: channel://pear.php.net/HTML_Template_IT-1.3.0
downloading MDB2-2.4.1.tgz ...
Starting to download MDB2-2.4.1.tgz (119,790 bytes)
..........................done: 119,790 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use "pear install pear/MDB2#featurename"
pear/MDB2_Driver_mysql requires PHP extension "mysql"
No valid packages found
install failed
pear/PEAR is already installed and is the same as the released version 1.9.4
install failed
WARNING: "pear/PHPUnit" is deprecated in favor of "channel://pear.phpunit.de/PHPUnit"
Did not download dependencies: pear/PHP_Compat, use --alldeps or --onlyreqdeps to download automatically
pear/PHPUnit can optionally use package "pear/PHP_Compat"
downloading PHPUnit-1.3.2.tgz ...
Starting to download PHPUnit-1.3.2.tgz (20,913 bytes)
........done: 20,913 bytes
install ok: channel://pear.php.net/PHPUnit-1.3.2
pear/Structures_Graph is already installed and is the same as the released version 1.0.4
install failed
WARNING: "pear/XML_Parser" is deprecated in favor of "pear/XML_Parser2"
downloading XML_Parser-1.3.4.tgz ...
Starting to download XML_Parser-1.3.4.tgz (16,040 bytes)
......done: 16,040 bytes
install ok: channel://pear.php.net/XML_Parser-1.3.4
WARNING: "pear/XML_RPC" is deprecated in favor of "pear/XML_RPC2"
downloading XML_RPC-1.5.5.tgz ...
Starting to download XML_RPC-1.5.5.tgz (31,862 bytes)
.........done: 31,862 bytes
install ok: channel://pear.php.net/XML_RPC-1.5.5
WARNING: "pear/XML_Parser" is deprecated in favor of "pear/XML_Parser2"
downloading XML_RSS-1.0.2.tgz ...
Starting to download XML_RSS-1.0.2.tgz (6,483 bytes)
.....done: 6,483 bytes
install ok: channel://pear.php.net/XML_RSS-1.0.2
pear/XML_Util is already installed and is the same as the released version 1.2.1
install failed
[root@tempest ~]#

This looks really good!  Let’s check:

[root@tempest ~]# pear list
 Installed packages, channel pear.php.net:
 =========================================
 Package          Version State
 Archive_Tar      1.3.10  stable
 Console_Getopt   1.3.1   stable
 HTML_Template_IT 1.3.0   stable
 MDB2             2.4.1   stable
 Mail_Mime        1.8.5   stable
 PEAR             1.9.4   stable
 PHPUnit          1.3.2   stable
 Structures_Graph 1.0.4   stable
 XML_Parser       1.3.4   stable
 XML_RPC          1.5.5   stable
 XML_RSS          1.0.2   stable
 XML_Util         1.2.1   stable
 [root@tempest ~]#

Wonderful!  Well, there are some complaints we need to deal with, and we should upgrade those deprecated packages, and install some of the optional MDB2 stuff.  Let’s do that now:

[root@tempest ~]# yum -y install php-mysql
Loaded plugins: downloadonly, product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package php-mysql.x86_64 0:5.3.3-14.el6_3 will be installed
--> Processing Dependency: php-pdo for package: php-mysql-5.3.3-14.el6_3.x86_64
--> Running transaction check
---> Package php-pdo.x86_64 0:5.3.3-14.el6_3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
 Package                     Arch                     Version                           Repository                              Size
=====================================================================================================================================
Installing:
 php-mysql                   x86_64                   5.3.3-14.el6_3                    rhel-x86_64-server-6                    79 k
Installing for dependencies:
 php-pdo                     x86_64                   5.3.3-14.el6_3                    rhel-x86_64-server-6                    73 k

Transaction Summary
=====================================================================================================================================
Install       2 Package(s)

Total download size: 153 k
Installed size: 0  
Downloading Packages:
(1/2): php-mysql-5.3.3-14.el6_3.x86_64.rpm                                                                    |  79 kB     00:00     
(2/2): php-pdo-5.3.3-14.el6_3.x86_64.rpm                                                                      |  73 kB     00:00     
-------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                160 kB/s | 153 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : php-pdo-5.3.3-14.el6_3.x86_64                                                                                     1/2 
  Installing : php-mysql-5.3.3-14.el6_3.x86_64                                                                                   2/2 
Installed products updated.
  Verifying  : php-mysql-5.3.3-14.el6_3.x86_64                                                                                   1/2 
  Verifying  : php-pdo-5.3.3-14.el6_3.x86_64                                                                                     2/2 

Installed:
  php-mysql.x86_64 0:5.3.3-14.el6_3                                                                                                  

Dependency Installed:
  php-pdo.x86_64 0:5.3.3-14.el6_3                                                                                                    

Complete!
[root@tempest ~]#

Good.  Now for some of the MDB2 features:

[root@tempest ~]# pear install pear/MDB2#mysql
Skipping package "pear/MDB2", already installed as version 2.4.1
downloading MDB2_Driver_mysql-1.4.1.tgz ...
Starting to download MDB2_Driver_mysql-1.4.1.tgz (36,481 bytes)
..........done: 36,481 bytes
install ok: channel://pear.php.net/MDB2_Driver_mysql-1.4.1

Might as well install the sqlite backend as well:

[root@tempest ~]# pear install pear/MDB2#sqlite
Skipping package "pear/MDB2", already installed as version 2.4.1
pear/MDB2_Driver_sqlite requires PHP extension "sqlite"
No valid packages found
install failed

Hmm. That’s disappointing.  We’ll have to figure out how to do this.

Next, let’s upgrade those deprecated packages:

[root@tempest ~]# pear channel-discover pear.phpunit.de
Adding Channel "pear.phpunit.de" succeeded
Discovery of channel "pear.phpunit.de" succeeded
[root@tempest ~]# pear install phpunit/PHPUnit
Unknown remote channel: pear.symfony-project.com
Did not download optional dependencies: phpunit/PHP_Invoker, use --alldeps to download automatically
phpunit/PHPUnit requires package "channel://pear.symfony-project.com/YAML" (version >= 1.0.2)
phpunit/PHPUnit requires PHP extension "dom"
phpunit/PHPUnit can optionally use package "phpunit/PHP_Invoker" (version >= 1.1.0)
phpunit/PHP_CodeCoverage can optionally use PHP extension "dom"
phpunit/PHP_CodeCoverage can optionally use PHP extension "xdebug" (version >= 2.0.5)
phpunit/PHPUnit_MockObject can optionally use PHP extension "soap"
downloading File_Iterator-1.3.1.tgz ...
Starting to download File_Iterator-1.3.1.tgz (5,157 bytes)
.....done: 5,157 bytes
downloading Text_Template-1.1.1.tgz ...
Starting to download Text_Template-1.1.1.tgz (3,622 bytes)
...done: 3,622 bytes
downloading PHP_CodeCoverage-1.1.3.tgz ...
Starting to download PHP_CodeCoverage-1.1.3.tgz (132,726 bytes)
...done: 132,726 bytes
downloading PHP_Timer-1.0.2.tgz ...
Starting to download PHP_Timer-1.0.2.tgz (3,686 bytes)
...done: 3,686 bytes
downloading PHPUnit_MockObject-1.1.1.tgz ...
Starting to download PHPUnit_MockObject-1.1.1.tgz (19,897 bytes)
...done: 19,897 bytes
downloading PHP_TokenStream-1.1.3.tgz ...
Starting to download PHP_TokenStream-1.1.3.tgz (9,860 bytes)
...done: 9,860 bytes
install ok: channel://pear.phpunit.de/File_Iterator-1.3.1
install ok: channel://pear.phpunit.de/Text_Template-1.1.1
install ok: channel://pear.phpunit.de/PHP_Timer-1.0.2
install ok: channel://pear.phpunit.de/PHP_TokenStream-1.1.3
install ok: channel://pear.phpunit.de/PHP_CodeCoverage-1.1.3
install ok: channel://pear.phpunit.de/PHPUnit_MockObject-1.1.1
[root@tempest ~]#

Okay, that works.  (Installation instructions for PHPUnit were found at http://www.phpunit.de/manual/3.0/en/installation.html)

Now, more deprecated packages:

[root@tempest ~]# pear install XML_Parser2
Failed to download pear/XML_Parser2 within preferred state "stable", latest release is version 0.1.0, stability "beta", use "channel://pear.php.net/XML_Parser2-0.1.0" to install
install failed

Hmm.  That’s also disappointing.  Let’s hope sticking with the deprecated modules isn’t too bad.  One last cleanup on Tempest before turning to Puma:

[root@tempest ~]# pear upgrade
 Nothing to upgrade
 [root@tempest ~]# pear list
 Installed packages, channel pear.php.net:
 =========================================
 Package           Version State
 Archive_Tar       1.3.10  stable
 Console_Getopt    1.3.1   stable
 HTML_Template_IT  1.3.0   stable
 MDB2              2.4.1   stable
 MDB2_Driver_mysql 1.4.1   stable
 Mail_Mime         1.8.5   stable
 PEAR              1.9.4   stable
 PHPUnit           1.3.2   stable
 Structures_Graph  1.0.4   stable
 XML_Parser        1.3.4   stable
 XML_RPC           1.5.5   stable
 XML_RSS           1.0.2   stable
 XML_Util          1.2.1   stable
 [root@tempest ~]# pear list | tail -n +4 | awk '{ print $1; }' > /usr/network/tmp/tempest-pear-list
 [root@tempest ~]# more !$
 more /usr/network/tmp/tempest-pear-list
 Archive_Tar
 Console_Getopt
 HTML_Template_IT
 MDB2
 MDB2_Driver_mysql
 Mail_Mime
 PEAR
 PHPUnit
 Structures_Graph
 XML_Parser
 XML_RPC
 XML_RSS
 XML_Util
 [root@tempest ~]# chmod a+r !$
 chmod a+r /usr/network/tmp/tempest-pear-list
 [root@tempest ~]#

I’m going to count that as a victory.  Let’s turn to Puma.  I’m not sure how dangerous erasing the php-pear RPM will be, but I think it makes sense to do that, rather than to have two incompatible versions installed.  So, here goes:

[root@puma ~] rpm -e php-pear
[root@puma ~] cd /root/tmp/
[root@puma tmp] wget http://pear.php.net/go-pear.phar
--2012-08-10 12:58:38--  http://pear.php.net/go-pear.phar
Resolving pear.php.net... 5.77.39.20
Connecting to pear.php.net|5.77.39.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3681106 (3.5M) [application/octet-stream]
Saving to: `go-pear.phar'

100%[===========================================================================================>] 3,681,106   2.94M/s   in 1.2s    

2012-08-10 12:58:40 (2.94 MB/s) - `go-pear.phar' saved [3681106/3681106]

[root@puma tmp] php go-pear.phar 

Below is a suggested file layout for your new PEAR installation.  To
change individual locations, type the number in front of the
directory.  Type 'all' to change all of them or simply press Enter to
accept these locations.

 1. Installation base ($prefix)                   : /usr
 2. Temporary directory for processing            : /tmp/pear/install
 3. Temporary directory for downloads             : /tmp/pear/install
 4. Binaries directory                            : /usr/bin
 5. PHP code directory ($php_dir)                 : /usr/share/pear
 6. Documentation directory                       : /usr/docs
 7. Data directory                                : /usr/data
 8. User-modifiable configuration files directory : /usr/cfg
 9. Public Web Files directory                    : /usr/www
10. Tests directory                               : /usr/tests
11. Name of configuration file                    : /etc/pear.conf

1-11, 'all' or Enter to continue: 7
(Use $prefix as a shortcut for '/usr', etc.)
Data directory [$prefix/data] : /usr/share/pear/data

Below is a suggested file layout for your new PEAR installation.  To
change individual locations, type the number in front of the
directory.  Type 'all' to change all of them or simply press Enter to
accept these locations.

 1. Installation base ($prefix)                   : /usr
 2. Temporary directory for processing            : /tmp/pear/install
 3. Temporary directory for downloads             : /tmp/pear/install
 4. Binaries directory                            : /usr/bin
 5. PHP code directory ($php_dir)                 : /usr/share/pear
 6. Documentation directory                       : /usr/docs
 7. Data directory                                : /usr/share/pear/data
 8. User-modifiable configuration files directory : /usr/cfg
 9. Public Web Files directory                    : /usr/www
10. Tests directory                               : /usr/tests
11. Name of configuration file                    : /etc/pear.conf

1-11, 'all' or Enter to continue: 6
(Use $prefix as a shortcut for '/usr', etc.)
Documentation directory [$prefix/docs] : /usr/share/pear/doc

Below is a suggested file layout for your new PEAR installation.  To
change individual locations, type the number in front of the
directory.  Type 'all' to change all of them or simply press Enter to
accept these locations.

 1. Installation base ($prefix)                   : /usr
 2. Temporary directory for processing            : /tmp/pear/install
 3. Temporary directory for downloads             : /tmp/pear/install
 4. Binaries directory                            : /usr/bin
 5. PHP code directory ($php_dir)                 : /usr/share/pear
 6. Documentation directory                       : /usr/share/pear/doc
 7. Data directory                                : /usr/share/pear/data
 8. User-modifiable configuration files directory : /usr/cfg
 9. Public Web Files directory                    : /usr/www
10. Tests directory                               : /usr/tests
11. Name of configuration file                    : /etc/pear.conf

1-11, 'all' or Enter to continue: 9
(Use $prefix as a shortcut for '/usr', etc.)
Public Web Files directory [$prefix/www] : /var/www 

Below is a suggested file layout for your new PEAR installation.  To
change individual locations, type the number in front of the
directory.  Type 'all' to change all of them or simply press Enter to
accept these locations.

 1. Installation base ($prefix)                   : /usr
 2. Temporary directory for processing            : /tmp/pear/install
 3. Temporary directory for downloads             : /tmp/pear/install
 4. Binaries directory                            : /usr/bin
 5. PHP code directory ($php_dir)                 : /usr/share/pear
 6. Documentation directory                       : /usr/share/pear/doc
 7. Data directory                                : /usr/share/pear/data
 8. User-modifiable configuration files directory : /usr/cfg
 9. Public Web Files directory                    : /var/www
10. Tests directory                               : /usr/tests
11. Name of configuration file                    : /etc/pear.conf

1-11, 'all' or Enter to continue: 10
(Use $prefix as a shortcut for '/usr', etc.)
Tests directory [$prefix/tests] : /usr/share/pear/test

Below is a suggested file layout for your new PEAR installation.  To
change individual locations, type the number in front of the
directory.  Type 'all' to change all of them or simply press Enter to
accept these locations.

 1. Installation base ($prefix)                   : /usr
 2. Temporary directory for processing            : /tmp/pear/install
 3. Temporary directory for downloads             : /tmp/pear/install
 4. Binaries directory                            : /usr/bin
 5. PHP code directory ($php_dir)                 : /usr/share/pear
 6. Documentation directory                       : /usr/share/pear/doc
 7. Data directory                                : /usr/share/pear/data
 8. User-modifiable configuration files directory : /usr/cfg
 9. Public Web Files directory                    : /var/www
10. Tests directory                               : /usr/share/pear/test
11. Name of configuration file                    : /etc/pear.conf

1-11, 'all' or Enter to continue: 
Beginning install...
PHP Warning:  Cannot use a scalar value as an array in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 733

Warning: Cannot use a scalar value as an array in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 733
PHP Warning:  Cannot use a scalar value as an array in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 753

Warning: Cannot use a scalar value as an array in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 753
PHP Warning:  Invalid argument supplied for foreach() in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 1220

Warning: Invalid argument supplied for foreach() in phar://go-pear.phar/PEAR/PackageFile/Generator/v1.php on line 1220
Configuration written to /etc/pear.conf...
Initialized registry...
Preparing to install...
installing phar://go-pear.phar/PEAR/go-pear-tarballs/Archive_Tar-1.3.7.tar...
installing phar://go-pear.phar/PEAR/go-pear-tarballs/Console_Getopt-1.3.0.tar...
installing phar://go-pear.phar/PEAR/go-pear-tarballs/PEAR-1.9.4.tar...
installing phar://go-pear.phar/PEAR/go-pear-tarballs/Structures_Graph-1.0.4.tar...
installing phar://go-pear.phar/PEAR/go-pear-tarballs/XML_Util-1.2.1.tar...
install ok: channel://pear.php.net/Archive_Tar-1.3.7
install ok: channel://pear.php.net/Console_Getopt-1.3.0
install ok: channel://pear.php.net/Structures_Graph-1.0.4
install ok: channel://pear.php.net/XML_Util-1.2.1
install ok: channel://pear.php.net/PEAR-1.9.4
PEAR: Optional feature webinstaller available (PEAR's web-based installer)
PEAR: Optional feature gtkinstaller available (PEAR's PHP-GTK-based installer)
PEAR: Optional feature gtk2installer available (PEAR's PHP-GTK2-based installer)
PEAR: To install optional features use "pear install pear/PEAR#featurename"

The 'pear' command is now at your service at /usr/bin/pear

** The 'pear' command is not currently in your PATH, so you need to
** use '/usr/bin/pear' until you have added
** '/usr/bin' to your PATH environment variable.

Run it without parameters to see the available actions, try 'pear list'
to see what packages are installed, or 'pear help' for help.

For more information about PEAR, see:

  http://pear.php.net/faq.php
  http://pear.php.net/manual/

Thanks for using go-pear!

[root@puma tmp]

Resetting the directories makes me nervous, but I tried to compare with Tempest and, in particular, I looked at the output of this:

[root@tempest ~]# pear config-show
Configuration (channel pear.php.net):
=====================================
Auto-discover new Channels     auto_discover    <not set>
Default Channel                default_channel  pear.php.net
HTTP Proxy Server Address      http_proxy       <not set>
PEAR server [DEPRECATED]       master_server    pear.php.net
Default Channel Mirror         preferred_mirror pear.php.net
Remote Configuration File      remote_config    <not set>
PEAR executables directory     bin_dir          /usr/bin
PEAR documentation directory   doc_dir          /usr/share/pear/doc
PHP extension directory        ext_dir          /usr/lib64/php/modules
PEAR directory                 php_dir          /usr/share/pear
PEAR Installer cache directory cache_dir        /var/cache/php-pear
PEAR configuration file        cfg_dir          /etc/pear
directory
PEAR data directory            data_dir         /usr/share/pear/data
PEAR Installer download        download_dir     /tmp/pear/download
directory
PHP CLI/CGI binary             php_bin          /usr/bin/php
php.ini location               php_ini          <not set>
--program-prefix passed to     php_prefix       <not set>
PHP's ./configure
--program-suffix passed to     php_suffix       <not set>
PHP's ./configure
PEAR Installer temp directory  temp_dir         /var/tmp
PEAR test directory            test_dir         /usr/share/pear/test
PEAR www files directory       www_dir          /var/www/html
Cache TimeToLive               cache_ttl        3600
Preferred Package State        preferred_state  stable
Unix file mask                 umask            22
Debug Log Level                verbose          1
PEAR password (for             password         <not set>
maintainers)
Signature Handling Program     sig_bin          /usr/bin/gpg
Signature Key Directory        sig_keydir       /etc/pearkeys
Signature Key Id               sig_keyid        <not set>
Package Signature Type         sig_type         gpg
PEAR username (for             username         <not set>
maintainers)
User Configuration File        Filename         /root/.pearrc
System Configuration File      Filename         /etc/pear.conf
[root@tempest ~]#

What do you mean that it’s not on my path? I’m sure it is.

[root@puma tmp] echo $PATH
/usr/java/jdk1.6.0/bin:/usr/lib64/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/network/bin:/root/bin:/root/bin:/root/ldapscripts:/usr/network/sbin:/usr/network/bin
[root@puma tmp] which pear
/usr/bin/pear

Okay, that’s fine.  What packages do we have?

[root@puma tmp] pear list
Installed packages, channel pear.php.net:
=========================================
Package           Version State
Archive_Tar       1.3.7   stable
Console_Getopt    1.3.0   stable
HTML_Template_IT  1.3.0   stable
MDB2              2.4.1   stable
MDB2_Driver_mysql 1.4.1   stable
PEAR              1.9.4   stable
PHPUnit           1.3.2   stable
Structures_Graph  1.0.4   stable
XML_Parser        1.3.4   stable
XML_RSS           1.0.2   stable
XML_Util          1.2.1   stable
[root@puma tmp]

It’s nice that the packages remained.  Let’s see what version I have:

[root@puma tmp] pear version
PEAR Version: 1.9.4
PHP Version: 5.2.13
Zend Engine Version: 2.2.0
Running on: Linux puma.wellesley.edu 2.6.18-308.11.1.el5 #1 SMP Tue Jul 10 08:48:43 EDT 2012 x86_64

Good. So, can I now install the Mail_Mime package?

[root@puma tmp] pear install Mail_Mime
downloading Mail_Mime-1.8.5.tgz ...
Starting to download Mail_Mime-1.8.5.tgz (31,437 bytes)
.........done: 31,437 bytes
install ok: channel://pear.php.net/Mail_Mime-1.8.5
[root@puma tmp]

Yes!  Okay, time to take a break.

 


adding RHEL optional channel

I tried to install scipy and gensim on Tempest for Eni and Jacque and it wasn’t in yum.  I added the EPEL repository (see other post and info on EPEL), and that located scipy with yum, but the installation failed due to a dependency on f2py that it wasn’t able to satisfy.  (Odd, right?)

Anyhow, some googling found this bug report which showed how to add the optional channel to Tempest:

# rhn-channel --add --channel=rhel-x86_64-server-optional-6

This prompted for a username and password, so I gave the one that gives us access to RHN.  This worked!

# rhn-channel --list

shows two channels, including the one I added.  So, now:

# yum -y install numpy-f2py

# yum -y install scipy

# easy_install gensim

# opendir /usr/lib/python2.6/site-packages

Don’t forget that last step!


Installing Apache module mod_auth_cas

A student team wants to use CAS (Central Authorization System) for their mobile web app.  Installation isn’t trivial:

1. The correct version of the Apache module needs to be installed and some configuration files/directories modified.

2. Before that, we have to enable the EPEL repo, where the Apache module can be found.  That seems like a good thing to do in any case.  To do that, I found the RPM that holds the definition of the repo.  Namely epel-release-6-7.noarch.rpm.  Unfortunately, when I tried to install that, it failed:

[root@puma ~] yum -y localinstall /tmp/epel-release-6-7.noarch.rpm
 Loaded plugins: downloadonly, fastestmirror, security
 Setting up Local Package Process
 Examining /tmp/epel-release-6-7.noarch.rpm: epel-release-6-7.noarch
 Marking /tmp/epel-release-6-7.noarch.rpm to be installed
 Loading mirror speeds from cached hostfile
 * base: mirror.metrocast.net
 * extras: centos.mirror.nac.net
 * updates: mirror.7x24web.net
 Resolving Dependencies
 --> Running transaction check
 ---> Package epel-release.noarch 0:6-7 set to be updated
 --> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================
 Package                          Arch                       Version                   Repository                                    Size
 ==========================================================================================================================================
 Installing:
 epel-release                     noarch                     6-7                       /epel-release-6-7.noarch                      22 k
Transaction Summary
 ==========================================================================================================================================
 Install       1 Package(s)
 Upgrade       0 Package(s)
Total size: 22 k
 Downloading Packages:
 warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 signature: NOKEY, key ID 0608b895
Public key for epel-release-6-7.noarch.rpm is not installed
 [root@puma ~] rpm -ivh /tmp/epel-release-6-7.noarch.rpm
 warning: /tmp/epel-release-6-7.noarch.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 0608b895
 error: Failed dependencies:
 rpmlib(FileDigests) <= 4.6.0-1 is needed by epel-release-6-7.noarch
 rpmlib(PayloadIsXz) <= 5.2-1 is needed by epel-release-6-7.noarch
 [root@puma ~] rpm --checksig /tmp/epel-release-6-7.noarch.rpm
 /tmp/epel-release-6-7.noarch.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#0608b895)
 [root@puma ~]

So, the problem seems to be in verifying the signature.  So, let’s try to do that.  I went to https://fedoraproject.org/keys and downloaded a text file for EPEL-6, which fortunately has the “0608b895” number associated with it that the rpm --checksig command indicated.  I downloaded that as a text file and put it in /tmp:

[root@puma ~] rpm --import /tmp/0608B895.txt

No complaints yet!  Let’s try the --checksig:

[root@puma ~] rpm --checksig /tmp/epel-release-6-7.noarch.rpm
 /tmp/epel-release-6-7.noarch.rpm: rsa sha1 (md5) pgp md5 OK

That’s good.  Now the installation.  Shall we try yum?

[root@puma ~] yum -y localinstall /tmp/epel-release-6-7.noarch.rpm
...
Running rpm_check_debug
 ERROR with rpm_check_debug vs depsolve:
 rpmlib(FileDigests) is needed by epel-release-6-7.noarch
 rpmlib(PayloadIsXz) is needed by epel-release-6-7.noarch
 Complete!
 (1, [u'Please report this error in http://bugs.centos.org/yum5bug'])
 [root@puma ~]

Okay, so that’s no good.  Investigating further, I found an explanation.  Ah, I forgot that Puma is still at CentOS 5 (we eventually want it to be at CentOS 6.3, to match Tempest).

[root@puma tmp] rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
 Retrieving http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
 error: skipping http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm - transfer failed - Unknown or unexpected error
 warning: u 0x12f9fb00 ctrl 0x12fa2890 nrefs != 0 (download.fedoraproject.org http)
 [root@puma tmp]

Well, that stinks.  Let’s try wget:

[root@puma tmp] wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
 --2012-07-19 11:36:07--  http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
 Resolving download.fedoraproject.org... 152.19.134.146, 140.211.169.197, 209.132.181.16, ...
 Connecting to download.fedoraproject.org|152.19.134.146|:80... connected.
 HTTP request sent, awaiting response... 302 FOUND
 Location: http://mirrors.einstein.yu.edu/epel/5/x86_64/epel-release-5-4.noarch.rpm [following]
 --2012-07-19 11:36:08--  http://mirrors.einstein.yu.edu/epel/5/x86_64/epel-release-5-4.noarch.rpm
 Resolving mirrors.einstein.yu.edu... 129.98.1.19, 129.98.1.27
 Connecting to mirrors.einstein.yu.edu|129.98.1.19|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 12232 (12K) [application/x-rpm]
 Saving to: `epel-release-5-4.noarch.rpm'
2012-07-19 11:36:08 (437 KB/s) - `epel-release-5-4.noarch.rpm' saved [12232/12232]
[root@puma tmp] ls -l epel-release-5-4.noarch.rpm
 -rw-rw---- 1 root root 12232 Aug 12  2010 epel-release-5-4.noarch.rpm

Okay, that’s better.  Let’s try yum install again:

[root@puma tmp] yum -y localinstall epel-release-5-4.noarch.rpm

… failed

Could it be the keys problem again?  Yes:

 [root@puma tmp] rpm --checksig /tmp/epel-release-5-4.noarch.rpm
 /tmp/epel-release-5-4.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#217521f6)

Okay, let’s get that one:

[root@puma tmp] wget http://fedoraproject.org/static/217521F6.txt
 --2012-07-19 11:41:47--  http://fedoraproject.org/static/217521F6.txt
 Resolving fedoraproject.org... 152.19.134.146, 140.211.169.197, 209.132.181.16, ...
 Connecting to fedoraproject.org|152.19.134.146|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 1820 (1.8K) [text/plain]
 Saving to: `217521F6.txt'
100%[===============================================================================================>] 1,820       --.-K/s   in 0s
2012-07-19 11:41:47 (59.9 MB/s) - `217521F6.txt' saved [1820/1820]
[root@puma tmp] rpm --import 217521F6.txt
 [root@puma tmp]

Okay, does the signature verify now?

rpm --checksig /tmp/epel-release-5-4.noarch.rpm
 /tmp/epel-release-5-4.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
 [root@puma tmp]

Whew!  Let’s see if we can install it.

[root@puma tmp] yum -y localinstall epel-release-5-4.noarch.rpm
 Loaded plugins: downloadonly, fastestmirror, security
 Setting up Local Package Process
 Examining epel-release-5-4.noarch.rpm: epel-release-5-4.noarch
 Marking epel-release-5-4.noarch.rpm to be installed
 Loading mirror speeds from cached hostfile
 * base: mirror.metrocast.net
 * extras: centos.mirror.nac.net
 * updates: mirror.7x24web.net
 Resolving Dependencies
 --> Running transaction check
 ---> Package epel-release.noarch 0:5-4 set to be updated
 --> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================================
 Package                          Arch                       Version                  Repository                                    Size
 =========================================================================================================================================
 Installing:
 epel-release                     noarch                     5-4                      /epel-release-5-4.noarch                      0.0
Transaction Summary
 =========================================================================================================================================
 Install       1 Package(s)
 Upgrade       0 Package(s)
Downloading Packages:
 Running rpm_check_debug
 Running Transaction Test
 Finished Transaction Test
 Transaction Test Succeeded
 Running Transaction
 Installing     : epel-release                                                                                                      1/1
Installed:
 epel-release.noarch 0:5-4
Complete!
 [root@puma tmp]

Amazing.  Just to confirm:

ls /etc/yum.repos.d/
 CentOS-Base.repo       CentOS-Vault.repo  mirrors-rpmforge          rpmforge.repo      rpmforge.repo.~2~  utterramblings.repo
 CentOS-Debuginfo.repo  epel.repo          mirrors-rpmforge-extras   rpmforge.repo~     rpmforge.repo.~3~  utterramblings.repo~
 CentOS-Media.repo      epel-testing.repo  mirrors-rpmforge-testing  rpmforge.repo.~1~  rpmforge.repo.old
 [root@puma tmp]
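
An added example, not part of the original post: the rpm --checksig and rpm --import steps above as a shell gate. It parses the result lines in the format shown here, treats an OK that lists no signature as unsigned, and compares the key file's full fingerprint with a value obtained out of band before importing it. The function names are assumptions, as is GnuPG listing a key file when run without a command.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Classify one `rpm --checksig` line in the format shown in this post.
# Prints: signed-ok | unsigned | missing-key <ids> | bad | unknown
checksig_verdict() {
    result=${1#*: }                       # drop the leading "path: "
    case "$result" in
        *"NOT OK"*"MISSING KEYS:"*)
            ids=$(printf '%s\n' "$result" |
                sed 's/.*MISSING KEYS:\([^)]*\)).*/\1/' | tr ' ' '\n' |
                sed -n 's/^[A-Za-z]*#\([0-9A-Fa-f]\{8,\}\)$/\1/p' |
                tr 'A-F' 'a-f' | tr '\n' ' ')
            echo "missing-key ${ids% }" ;;
        *"NOT OK"*) echo bad ;;
        *OK)
            # "sha1 md5 OK" with no signature token means only the digests
            # matched: the package is unsigned and nothing vouches for it.
            case " $result " in
                *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*)
                    echo signed-ok ;;
                *)  echo unsigned ;;
            esac ;;
        *)  echo unknown ;;
    esac
}

# Reads `gpg --with-colons --with-fingerprint <keyfile>` output on stdin and
# succeeds only if the primary key's full fingerprint equals the pin. An
# 8-digit key ID such as the ones rpm prints is too short to identify a key.
fpr_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$pin" ] && [ "$got" = "$pin" ]
}

# Usage: install_verified <rpm> <keyfile> <fingerprint obtained out of band>
install_verified() {
    rpmfile=$1 keyfile=$2 want=$3
    verdict=$(checksig_verdict "$(rpm --checksig "$rpmfile")")
    case "$verdict" in
        missing-key*)
            # Assumes gpg lists the keys in a file when given no command.
            gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null |
                fpr_matches_pin "$want" ||
                { echo "key fingerprint does not match the pin" >&2; return 1; }
            rpm --import "$keyfile" || return 1
            verdict=$(checksig_verdict "$(rpm --checksig "$rpmfile")") ;;
    esac
    [ "$verdict" = signed-ok ] ||
        { echo "refusing to install $rpmfile: $verdict" >&2; return 1; }
    rpm -ivh "$rpmfile"
}

# The result lines quoted in this post, plus one constructed unsigned case.
checksig_demo() {
    while IFS= read -r line; do checksig_verdict "$line"; done <<'EOF'
/tmp/epel-release-6-7.noarch.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#0608b895)
/tmp/epel-release-6-7.noarch.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/epel-release-5-4.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#217521f6)
/tmp/constructed-unsigned.rpm: sha1 md5 OK
EOF
}
```
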

I’m going to go ahead and update using EPEL, since it’s updating stuff we use, like denyhosts and R.

[root@puma tmp] yum -y update

Hmm.  The update of R-devel failed, which makes me unhappy.  I’m going to disable this repo by default. (Edit the file /etc/yum.repos.d/epel.repo and set enabled=0 where it says enabled=1).

Now, let’s get back to the task at hand.  Can we now install mod_auth_cas?

[root@puma tmp] yum -y install --enablerepo=epel mod_auth_cas
...
Installed:
 mod_auth_cas.x86_64 0:1.0.8.1-2.el5
Complete!
 [root@puma tmp]

Whew!

On the advice of that installation guide above, I also installed the ldap authorization module, though I think we won’t be using it:

yum install mod_authz_ldap

Next, I’m happy to do the renaming the instructions suggested, though I think the default order will still work.  I did that, and I also created the /var/lib/cas directory as they directed.  However, the latter step caused Apache to fail.  The error message in the log was:

[Thu Jul 19 12:04:15 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t:s0
 [Thu Jul 19 12:04:15 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
 [Thu Jul 19 12:04:16 2012] [error] MOD_AUTH_CAS: CASCookiePath '/dev/null' is not a directory or does not end in a trailing '/'!
 Configuration Failed
 [root@puma lib] cd /etc/httpd/conf.d/

I’m assuming this is due to the missing lines in the mod_auth_cas.conf file.  The file as installed from EPEL is only the first 6 lines of the contents described in those directions, and the CASCookiePath mentioned in the error message and in the missing lines of the file suggested that that was the trouble. Indeed it was.  Still, I think the “example.com” URLs will have to be edited, presumably with the URL of some CAS server that LTS maintains.

So much still to learn!

 

 

 

 

 


Denyhosts running on Tempest

When I tried to start denyhosts on tempest, it failed like this:

# service denyhosts start
Starting denyhosts: Error reading file: /etc/denyhosts.conf
[Errno 2] No such file or directory: '/etc/denyhosts.conf'  [FAILED]

I found that we do have a configuration file on Tempest; it’s in /etc/denyhosts/denyhosts.conf.  I compared it to the one on Puma, and it seems that Carolyn had duplicated all the configuration changes we’d made on Puma.  So, I decided to see what would happen if we just did:

ln -s /etc/denyhosts/denyhosts.conf /etc/denyhosts.conf

I started denyhosts and had no problems.

I did notice, though, that a 149.130. IP address was immediately added to /etc/hosts.deny.  I checked /etc/hosts.allow, and I saw that we didn’t have the blanket pass in there for all 149.130 IP addresses and a few others, so I copied that data over from Puma.  I tested logging into Tempest from finch (the denied host) and it worked.

Also, on Puma’s denyhosts config, I commented out the email address, since we get too many emails from denyhosts on puma and we trust it pretty well by now.  I’ve left the email config on tempest.  We can turn it off when we trust it.

Scott
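
An added example, not part of the original post: a pre-flight check for the lockout described above, listing which must-keep addresses hosts.allow does not cover and which hosts.deny entries it overrides. The function names and every sample address are constructed; the "sshd: 149.130." rule syntax comes from hosts_access(5), not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Succeeds if IPv4 address $1 is matched by an sshd or ALL rule in the
# hosts.allow-style file $2. Handles exact addresses, trailing-dot prefixes
# such as "149.130." and the ALL wildcard, as described in hosts_access(5).
# Rules using EXCEPT, netmasks or host names are skipped, so an address they
# would cover is reported as uncovered rather than silently trusted.
allow_covers() {
    awk -v ip="$1" '
        function has_token(list, want,    tok, n, i) {
            gsub(/,/, " ", list); n = split(list, tok, " ")
            for (i = 1; i <= n; i++) if (tok[i] == want) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        /EXCEPT|\//    { next }            # unsupported rule forms
        {
            if (split($0, part, ":") < 2) next
            if (!has_token(part[1], "sshd") && !has_token(part[1], "ALL")) next
            clients = part[2]; gsub(/,/, " ", clients)
            m = split(clients, pat, " ")
            for (j = 1; j <= m; j++) {
                if (pat[j] == "ALL" || pat[j] == ip) found = 1
                else if (pat[j] ~ /\.$/ && index(ip, pat[j]) == 1) found = 1
            }
        }
        END { exit !found }
    ' "$2"
}

# Print every address in "$2..." that the hosts.allow file $1 does not cover:
# these are the hosts denyhosts could still lock out.
lockout_candidates() {
    allow_file=$1; shift
    for ip in "$@"; do
        allow_covers "$ip" "$allow_file" || echo "$ip"
    done
}

# Print addresses listed in the hosts.deny-style file $1 that file $2 allows
# anyway: trusted hosts that were blocked before the allow rule existed.
shadowed_denies() {
    awk -F: '!/^[ \t]*(#|$)/ && NF >= 2 { gsub(/[ \t]/, "", $2); print $2 }' "$1" |
    while IFS= read -r denied; do
        if allow_covers "$denied" "$2"; then echo "$denied"; fi
    done
}

# Constructed hosts.allow and constructed addresses, for illustration only.
wrappers_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'sshd: 149.130. , 192.0.2.7' > "$f"
    lockout_candidates "$f" 149.130.0.10 192.0.2.7 192.0.2.8 203.0.113.5
    rm -f "$f"
}
```
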


Tempest in DMZ

I just asked Tim to put Tempest in the DMZ, making it accessible from off-campus.  I’m still working on getting denyhosts working on it.

I’ve also created a page to explain what that last paragraph means.  See it in the “pages” list on the right.

— Scott

 

 


SysAdmin Code of Ethics

As System Administrators for the Wellesley Computer Science Department, we have certain responsibilities.

The full “oath of office” is at https://lopsa.org/CodeOfEthics.

As sysadmins, we have a great deal of power, and as Spiderman knows, “with great power comes great responsibility.”  So,

  • We won’t abuse our power.  We won’t read people’s files, monitor their activities (stalk them), or modify their property.
  • We use our power to try to help people.
  • We maintain the equipment and try to keep it running smoothly.

 
