I have been struggling with an issue for a bit while trying to get tab completion working on the python shell on OS X. I've been working on a Django project and not being able to tab complete has been a bit obnoxious. It took a few sessions of searching around to find out what's going on, so I thought I'd share it in one place. Turns out that the default shell settings are ready to go with tab complete (I spent a lot of time making sure configs were correct), but OS X simply doesn't ship GNU readline. Instead, Apple just symlinked BSD libedit which is problematic because the default python readline module links to GNU readline.

Someone has already created an egg with readline statically linked just for OS X so the fix is super-easy. Just install the standalone readline module with your favorite python installer. I used:

sudo easy_install readline

After delaying cleanup on the code for a week or two, I've published my cookbook for deploying SugarCRM CE using Opscode Chef. The cookbook utilizes the community cookbooks from Opscode for deploying the standard LAMP stack on a machine, grabs a copy of the latest stable build of SugarCRM CE from Github, and creates a silent installer file for super-easy installation of SugarCRM.

Some quick notes on setup:

Usage

Usage is super easy, especially with a general knowledge of Chef. I'm not going to dive into setting up Chef, they've got some great documentation for that.

You'll need to pull down the php, apache2, mysql, openssl, and git community cookbooks from Opscode and upload to your organization as well.

Then, you can just download the sugarcrm cookbook and upload to your organization:

knife cookbook site vendor sugarcrm knife cookbook upload sugarcrm

Then, add the sugarcrm recipe to whatever node or role you desire. For me, I created a role for sugarcrm:

$ knife role show sugarcrmchef_type: role default_attributes:
description:
env_run_lists:
json_class: Chef::Role name: sugarcrm override_attributes: run_list: recipe[sugarcrm]

You can either bootstrap a new VM / cloud instance or apply the role to an existing machine and do a run of chef-client.

For my example, I created a new EC2 instance based on Ubuntu (can be any OS that the Opscode community cookbooks support):

knife ec2 server create -r 'role[sugarcrm]' --image ami-7000f019 -d ubuntu10.04-apt -S mykey -x ubuntu -i ~/.ssh/mykey.pem

Then, you can navigate to your server's FQDN/sugarcrm in your browser to complete the install. Not to worry, the cookbook configures a config_si.php (si = silent installer), so no need to know any details about your install.

Once complete, you'll reach the login page. Default login is admin/admin (which can be overridden with override attributes in the role/node).

That's it!

For anyone who knows SuSE Enterprise, you can file this one under "what a n00b!" (my SuSE experience in the past has been with openSUSE), but I recently inherited a project that required RHEL or SuSE Enterprise so they chose to deploy SuSE Enterprise on EC2 to reduce acquisition time. (Who would've thought a cloud provider like Amazon would be faster to acquire an install of one of these softwares that used more traditional licensing models?) Anyway, I needed to install a few extra pieces of software, but when I ran yast, its list of repositories was empty!? Turns out the fix is really easy, but I couldn't easily find the answer within a minute or two, so I thought I'd share:

suse_register -a email="myemail@whatan00b.com"

Yup, that was it. No license key required (at least on the EC2 build). Novell just wanted my email address.

I've (finally) published my first public project to the Internets! It's a set of scripts to grab stats from the APC PHP opcode cacher for graphing inside Zenoss (though should be compatible with Nagios). It's incredibly simple, but I have yet to find anyone else who has done this for Zenoss so I thought I would share in case it's helpful. For now, it just grabs the hit ratio of the cache.

In the famous last words of many an open source project, "In the future, I plan on adding":

1. fragmentation graphs
2. a ZenPack for easy installation
3. Ideas?

Grab the scripts at Github and rough install instructions are listed on the README page.

Here's a fairly boring screenshot of the graph in action:

I did a fairly deep dive into some new cool things in EC2 this weekend and ran into something that caught me off guard. The default Amazon AMIs come with the EC2 tools pre-loaded and ready to go. Or so I read. But, when trying to run, I was greeted with a nice stack trace:

Unexpected error:

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1665)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1611)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1537)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:83)
(snipped)

Turns out it doesn't quite have everything it needs. Even though it's complaining about trustAnchors and such, all it really needs is a Java Runtime Environment..

yum install java-1.6.0-openjdk

I was helping my sister with an issue with connecting to her school's email server from her MacBook last night and discovered something interesting. Her school uses a webmail.domain.com address for the front end for OWA which is just a CNAME to its real address - a .local address. This all worked fine until a few weeks or so ago - we later pieced together that that's when she upgraded to 10.6.5.

It seems that in 10.6.5, OS X can't follow that CNAME for some reason. I could ping the .local address just fine and the browser connected just fine, but when I tried to use the .com CNAME'd hostname, it would fail. The kicker? The dig utility seems to ignore all of this madness which made it lie to me, and that did not help at all while troubleshooting.

I was able to find an Apple forum thread about this with someone saying that rolling back the mDNS binaries to those shipped with 10.6.4 seemed to fix it, but it didn't help in my case (and some others in the thread). I personally don't use anything at work or at home using the .local domain, but I hope this gets fixed soon as it breaks a lot of Microsoft-centric networks as a lot tend to use .local for one reason or another..

This one is a bit off topic, but something that has been bugging me for the last week or so and I finally figured out, so I thought I'd share in case anyone out there is going through the same thing. I've been trying to adjust picture settings on our TV to get a little lower power consumption out of it, but every time I would change them, the settings would reset after 30 minutes or after restarting the TV. I dug through the manual and all over Samsung's support site, but found nothing.

The answer was that the TV was stuck in a "demo mode" which is for when the TV is in the store so customers don't mess up the settings too badly. With a little help from this thread, I was able to get it out. You can see if it's in demo mode by hitting the "info" button the remote and if it says "demo mode" on the screen, then well I hope that explains it. Getting it out of this mode was trivial:

1. Go to cable or air input
2. Press volume up on the tv
3. Press and hold the menu button on the tv

That's it! You should be able to hit the info button again and actually see info for the channel.

I encountered an interesting question this week at work after a little mistake was made in a config template in Puppet. We had the wrong type of comment character get inserted, so the config file on the Puppet client wasn't valid and the service went away. Fortunately, it was caught and fixed within seconds and didn't cause much of a disruption, but it made us a bit nervous about service restarts since the init scripts should do a configtest before doing either a restart or reload.

The answer wasn't overly obvious after a quick Google search, so I thought I'd share what I found. Turns out, if we had simply RTFM'd, we'd have known that the default behavior of Puppet is to issue a stop then a start which explains why the service got stuck in that state. The reason for the stop/start behavior is because not all services across all distros do things properly, so they took the least common denominator and made the user specify that a correct restart in the init script was available. The answer was easy enough. Just add..

hasrestart => true,

.. as part of the service definition and you're good to go.

Just to be clear, I wouldn't ever want to depend upon this, but it's nice to have a last line of defense since mistakes do happen on occasion (since we're all human and all).

I was also pleased to see that there's a feature request for a similar "hasreload" feature as well!

This last week Zimbra released its new version 6.0.8 which is the first version that supports Ubuntu 10.04 (still in beta, but package was released). Being a sucker for upgrades, I decided to give it a try tonight and upgrade my Zimbra server. The upgrade actually went pretty smooth, despite the fact that I've had bad luck with Ubuntu distro upgrades in the past.

To start, I had a server at Zimbra 6.0.7 on Ubuntu 8.04 (64-bit). I upgraded Ubuntu to 10.04 first and then Zimbra to 6.0.8.

The upgrade for Ubuntu is pretty straightforward and is outlined in their docs. Basically, make sure the install manager is up-to-date:

sudo apt-get install update-manager-core

Then, make sure Prompt is set to "lts" in /etc/update-manager/release-upgrades. (These two steps weren't necessary for me and I didn't do that on purpose, so it's likely they are ok 'out of the box')

Then, perform the upgrade:

sudo do-release-upgrade

I did mine from an SSH session (gives a warning and starts another SSH server on an alternate port, but I didn't have to worry about that). When the upgrader prompted, I took the defaults except for /etc/pam.d/common-*.

Once your new Ubuntu 10.04 server is up and running, we have to grab an additional dependency:

sudo apt-get install libperl5.10

I then just ran the install like normal, but skipped the integrity checks. The first time I let them run and hit this error:

perl: symbol lookup error: /opt/zimbra/zimbramon/lib/x86_64-linux-gnu-thread-multi/auto/Data/UUID/UUID.so: undefined symbol: Perl_Tstack_sp_ptr

The second time I just skipped the integrity check and everything went as normal.

I lost a few settings, the same as the 6.0.7 upgrade :(. I wrote about them last time here. I also lost my zimbraMailMode setting again, same thing as the upgrade to 6.0.7.

After the settings were back, I noticed mail wouldn't send out properly. /var/log/zimbra.log complained of the antivirus scanner being unavailable. A run of 'zmcontrol status' showed that clamd wasn't running. When I tried to start the antivirus, it failed on starting clamd, showing this in /opt/zimbra/log/clamd.log:

/opt/zimbra/clamav/sbin/clamd: error while loading shared libraries: libltdl.so.7: cannot open shared object file: No such file or directory

Turns out it's easy enough to fix:

apt-get install libltdl7

A restart of zmantivirusctl and all was good. (update: submitted bug for this)

I was poking around on the Zimbra forums today during some downtime and I ran across a little gem regarding configuration around a few options regarding spam delivery to users. The question was about disabling of spam filtering on a per-user basis (Yes, not really ideal, but sometimes you have to give users something I like to call 'exactly what they asked for'), but I found even more than I expected.

Anyway, I thought I would highlight a few of the gems that I discovered.

Disabling mail to the Junk folder

This was actually the original question that I was trying to answer. Most Zimbra admins know how to whitelist/blacklist senders and other various tweaks in the Zimbra wiki, but I didn't realize until today that we can actually configure Zimbra to not send mail filtered as junk to the Junk folder. This can be done per user, per domain, or per class of service (COS).

zmprov ma user@whatan00b.com +amavisSpamLover TRUE +amavisBypassSpamChecks TRUE

To disable, just make the + a -:

zmprov ma user@whatan00b.com -amavisSpamLover TRUE -amavisBypassSpamChecks TRUE

(or you can just set to false, but the default is false - I do like me some clean configs!)

And of course, change the command ma (modifyAccount) to match whatever type of object you want if you're not modifying a user.

Letting banned files through to users

Every once in a while, I've struggled with users needing to get things like encrypted zip files or other suspicious-looking files. Not wanting to let all kinds of viruses though by disabling virus scanning and file extension blocks, it always ends up in a battle. Perhaps I'm the last to learn this one, but it's actually easily bypassed on a per-user, per-domain, or per-COS basis.

zmprov ma user@whatan00b.com +amavisBannedFilesLover TRUE

You can also disable virus scanning for those various levels as well:

zmprov ma user@whatan00b.com +amavisBypassVirusChecks TRUE

Whitelisting and Blacklisting via zmprov (upgrade-safe!)

One of the new, well-known, features of Zimbra 6 is that you can now allow users to have their own white and blacklists, controllable within the user interface. Whitelisting and blacklisting has, of course, always been supported, but it's been a pain as long as I've been managing Zimbra servers. If you're one that already knew which wiki article I was referring to above, you know what I mean! To make matters worse, those settings have to be re-applied after upgrades.

While adding blacklist and whitelist senders to a user's list via zmprov is expected (after all, you can configure it in the web client), what hasn't really been touted - as far as I've read - is that those filters can easily be applied per domain as well. While that's not really a new feature by any means, it does mean that those whitelist and blacklist lists are in Zimbra's LDAP - where they should've been all along. That, and LDAP doesn't get wiped during upgrades / service restarts like some config files do.

zmprov md whatan00b.com +amavisBlacklistSender @exchange.microsoft.com

Loosening up spam tag levels

You can also adjust the spam scoring levels to mark messages as junk/not junk on the various levels as well. The properties to adjust are: amavisSpamTagLevel, amavisSpamTag2Level, and amavisSpamKillLevel.

Warning: with these settings, be sure that you know exactly what each of these mean. That rule always applies, of course, but getting those settings wrong could cause your mail server to drop messages without bouncing them, thus neither sender nor receiver knows!

So many more!

This turned into a much longer post than I expected, but there are so many more options available! Check out /opt/zimbra/conf/attrs/amavisd-new-attrs.xml on your Zimbra server for even more config options.

Extra Credit

Also, check out /opt/zimbra/conf/attrs/zimbra-attrs.xml for even more goodness (unrelated to junk mail).