Linux | The WP Guru

Category: Linux Toggle Comment Threads | Keyboard Shortcuts

Over 80% is running on some form of Linux – so does your Mac and you iPhone. Sometimes we have to get our hands dirty on the command line – it makes you feel like a proper hacker.

Here are some pointers I picked up on my journey.

Jay Versluis 11:11 am on March 3, 2015 Permalink | Reply
Tags: CentOS ( 35 ), Debian, Fedora, Ubuntu
Categories: Linux ( 59 )
The Debian Experience: Cheat Sheet for CentOS and Fedora users
I’ve just installed a LAMP stack on my Nook Tablet using Debian. However I’ve been using CentOS since 2008 and I’m so used to how things are done there that it was a bit of a culture shock doing relatively simple things “on the other side”. It’s like a country whose language you don’t speak well enough.

Here are a few pointers for how to so these simple things in Debian and Ubuntu, for CentOS and Fedora Users:

Installing Packages

While I’m used to yum and it’s super easy search and install options, its counterpart apt is very different. Searching for packages is done with
```
apt-cache search package
```
instead of yum list. Likewise, installing a package is done with
```
apt-get install package
```
I believe the cache is not created automatically, so from time to time (or before an update/install operation) we need to run
```
apt-get update
```
To update all packages (equivalent to yum update), we have to run
```
apt-get upgrade
```
There are other front ends available which I have not explored yet. aptitude is for the command line and appears to have a similar simplified syntax to yum. synaptic is for GNOME like environments.

LAMP Stack

Apache is called httpd on CentOS, but it’s called apache2 on Debian. Its system user does not run as apache:apache, but as www-data:www-data.

The web root directory is not in /var/www/html but instead in /var/www. File ownership should be tweaked to the above user in this directory. SELinux is not enabled by default.

The Apache config file is not in /etc/httpd/httpd.conf but in /etc/apache2/apache2.conf. The content however is the same, except for the system user which is defined in envvars in the same directory.

PHP is not just called php, but instead it’s php5 on Debian. This is true for all derivatives, such as
- php5
- php5-cli
- php5-mysql
- php5-gd
MySQL is still MySQL in Debian Wheezy, and not MariaDB (yet).

Starting and stopping services on boot

chkconfig does not work on Debian. Instead we can use a script called update-rc.d. Here’s how to enable something at boot:
```
update-rc.d apache2 defaults
```
And to disable something:
```
update-rc.d -f apache2 remove
```
- http://www.aboutlinux.info/2006/04/enabling-and-disabling-services-during_01.html
- - https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu
Add your voice! Cancel reply
Jay Versluis 7:23 pm on February 25, 2015 Permalink | Reply
Categories: Linux, Mac OS X, Windows ( 59 )
How to find your CPU details from the command line
It’s often necessary to know what the exact type of CPU that’s installed on your system. For example, you may need to know if you’re dealing with a dual core or quad core system, or a 32/64 bit system. Only the CPU can tell you this.

Here’s how to find out the string you need for further investigation.

Windows

From the command line, execute the wmic command with the following parameters:
```
wmic cpu get name

Name
Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz
```
Thanks to Jonathan @ Next of Windows for this tip!

Windows also gives you an accurate result via the GUI: open Windows Explorer and head over to Computer – Properties:

Mac OS X

On the Mac you won’t get a very accurate result from the Apple Icon – About this Mac. It will tell you what CPU type you’re using, but not the exact model number.

To find that out, head over to Applications – Utilities – Terminal and enter the following command:
```
sysctl -n machdep.cpu.brand_string

Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz
```
There. Much better than this:

Linux

You can take a look at the /proc/cpuinfo file which holds a plethora of information about your system’s CPU. So much in fact that it’s difficult to find what you’re looking for. Filtering the output of this file for ‘model name’ gives you an exact match:
```
cat /proc/cpuinfo | grep ‘model name’

model name : Intel(R) Atom(TM) CPU N270   @ 1.60GHz
```
Where can I find more information about my CPU?

Google is of course your friend when trying to find out more information about your processor, but there are two tools provided by Intel and AMD that may also be of help. Intel’s ARK website is particularly helpful:
- http://ark.intel.com
- http://products.amd.com/en-us/
Jay Versluis 3:57 pm on February 23, 2015 Permalink | Reply
Tags: CentOS ( 35 ), yum ( 4 )
Categories: Linux ( 59 )
How to find which package provides a command in yum
Sometimes you know you need a package, but when you try to install it with yum you’ll get a message like “No matches found”. Yet you’re sure the package exists because you’ve used it before.

This can happen if the package in question is part of a set which installs multiple packages. The net-tools package springs to mind.

yum has a great option called whatprovides with which you can query what package you need to install to use a command. Let’s try it out!

Say I wanted to install mkfs.vfat which is not installed by default in CentOS. Simply trying to install it won’t work:
```
yum install mkfs.vfat

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.advancedhosters.com
 * extras: centos.mirrors.tds.net
 * updates: centos.mirrors.tds.net
No package mkfs.vfat available.
Error: Nothing to do
```
Of course it won’t. But I can ask yum what provides this package:
```
yum whatprovides mkfs.vfat

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.advancedhosters.com
 * extras: ftp.usf.edu
 * updates: centos.mirrors.tds.net
dosfstools-3.0.20-9.el7.x86_64 : Utilities for making and checking MS-DOS FAT
                               : filesystems on Linux
Repo        : base
Matched from:
Filename    : /usr/sbin/mkfs.vfat



dosfstools-3.0.20-9.el7.x86_64 : Utilities for making and checking MS-DOS FAT
                               : filesystems on Linux
Repo        : @base
Matched from:
Filename    : /usr/sbin/mkfs.vfat
```
Well fantastic! The package I’m looking for is called dosfstools. Knowing that, I can simply use yum install dosfstools, and a few moments later mkfs.vfat will work as expected.

Thanks, yum!
Jay Versluis 10:17 am on February 17, 2015 Permalink | Reply
Tags: CentOS ( 35 ), squid
Categories: Linux ( 59 )
How to view local websites on your iPad with Squid
I like developing and testing websites on my local network before they go live. On both Mac and PC it’s easy to tweak the /etc/hosts file so that the URL doesn’t point to a numeric IP, but instead to http://yourserver (or something equally catchy).

On iOS devices we can’t tweak that file unless we deal with the highly unethical practice of jailbreaking. Turns out there is an easier way to surf local websites on mobile devices, simply by using a Proxy Server such as Squid.

A Proxy Server is often used as a caching server or to disguise where a request is coming from. For example, surfers use proxies to pretend they’re visiting from a different country, or ISPs use proxies to speed up data delivery in local areas. In simple terms, a proxy is fetching data on our behalf. Then we talk to the proxy and get the data from him. Think of a Proxy Server as a middle man in a network transaction.

To surf local websites on an iPad or iPhone, we can connect to our WiFi network with a proxy on a machine on which we CAN tweak the /etc/hosts file. Let me show you how this works.

For this example I’m using a development server on my local network. It’s a simple LAMP Stack running CentOS.

Installing and configuring Squid

We’ll install Squid on the development server. Websites are accessible via http://localhost but also as something more swish when the /etc/hosts file is tweaked, for example http://yourserver.

Squid is available via yum, and installation is simple:
```
yum install squid

chkconfig squid on
```
The second line will start Squid on every server restart, just in case.

Squid should work out of the box on port 3128, but if you ever need to tweak this, you can do so in /etc/squid/squid.conf.

Configuring the iPad Connection

When you connect your iOS device to your local WiFi network it will do this without a Proxy Server by default. We’ll change this under Settings – WiFi, then tap the little info icon next to your active connection. It goes without saying that the development server needs to be on the same network as your iPad.

At the bottom of this page, under “http proxy”, select manual and add your development/proxy server’s numeric IP, and 3128 under Port. Leave authentication off. It should look like this:

Now any tweaked URL that works on your development server will work on the iOS Device too: visit http://yourserver to verify this.

Should Safari give you a problem, maybe due to its spurious caching technology, head over to Settings – Safari – Clear History and Website Data.

Notes

Squid will cache every request you make on your iOS device as long as your WiFi connection uses the proxy setting. Chances are that your development server isn’t going to deliver results as fast as non-cahced results would come in from your router – unless you surf the same slow website over and over.

Also, Squid will leave a record of every request that has been made in /var/log/squid/access.log. If you’re using such a setup in your office, you may need to tell users on the network that their requests will be logged.

So if you’re concerned about any of these aspects, simply switch the proxy off in your WiFi settings.
Jay Versluis 10:06 am on February 15, 2015 Permalink | Reply
Tags: CentOS ( 35 ), GNOME ( 3 )
Categories: Linux ( 59 )
How to enable automatic logins in CentOS and GNOME
I was researching auto login options for CentOS today. I thought those would come in handy when GNOME is used as a standard desktop, so that the computer starts straight into the desktop environment without the need to provide a password.

It’s also a handy feature to have if the machine lives in another room and needs GNOME to login to the wireless network when I issue a remote restart.

Turns out there are two parts to the puzzle: providing auto logins and removing a pesky Keyring Dialogue that appears to come up when those are enabled. Let’s tackle both of them here.

I’m using CentOS 6.6 with GNOME here, but the same principle also works in CentOS 7.

Enabling Auto Logins

Head over to the trusty command line and edit /etc/gdm/custom.conf. The file already contains several sections, all of which are empty by default.

In the daemon section, add the following values (replacing youruser with your actual user name):
```
# GDM configuration storage

[daemon]
AutomaticLoginEnable = true
AutomaticLogin = youruser

[security]

[xdmcp]

[greeter]

[chooser]

[debug]
```
Thanks to Keith Wright on the CentOS Forum for this tip.

Now when you restart your system, youruser is automatically logged in when GNOME starts.

Disabling the Keyring Dialogue

However, you may experience a Keyring Dialogue which will ask for your root password every time after a restart. This isn’t much better than the login screen. This may or may not happen, depending on your current configuration:

One article I found suggested to head over to System – Preferences – Startup Applications and simply remove the Keyring Daemon from the list. Turns out this doesn’t actually make a difference, so don’t do that (although it doesn’t seem to have an adverse effect either):

The real solution comes courtesy of Jim and iiSeymour: http://superuser.com/questions/43132/why-do-i-need-to-enter-a-password-for-the-default-keyring-to-unlock

All we have to do is

– head over to the Network Connections Icon at the top of the screen
– and right-click it
– select Edit Connections…
– pick your current wireless connection and select Edit
– provide the root password (only necessary this once)
– check the tick box Available to all users

In CentOS 7, choose the little gear icon to bring up a window. You can find the available to all users tick box in the Identity section on the left hand side.

And that’s it! On subsequent logins, GNOME will now start with youruser already logged in and your wireless network connected.

Wait! My system boots into the Command Line interface, even though I have GNOME installed. What gives?

You can tell your system in which mode to start. To do this, edit your /etc/inittab file:
```
// change this line 
id:3:initdefault:

// to 
id:5:initdefault:
```
Jay Versluis 10:54 pm on February 10, 2015 Permalink | Reply
Tags: CentOS ( 35 ), firewalld, iptables ( 4 )
Categories: Linux ( 59 )
How to set firewall rules from a GUI in CentOS
Sick and tired of countless command line statements to set your firewall rules? Me too. No matter what I try, I never get the results quite right. There’s always some switch I forget and ultimately something isn’t working.

For years I was thinking, “there has to be an easier way, like there is in Plesk”?

And today I found that there is: a rather un-obvious tool called system-config-firewall. It’s a godsend and works in CentOS 6 with iptables, and in CentOS 7 with firewalld.

Installation

To make use of it, install the following two packages:
```
yum install system-config-firewall system-config-firewall-tui
```
The first one is a version that runs under Gnome and KDE, and second one works on the command line.

The Command Line Version

You can invoke the command line version by running
```
sudo system-firewall-config-tui
```
and it will present you with the following interface. You may need to switch the firewall off temporarily, but the tool will tell you if that’s necessary:

Here’s how to use the interface:
- use the cursor keys to move up and down
- use the SPACE bar to select items
- use TAB to choose the next option
- and once selected, hit RETURN
system-config-firewall has several built-in presets, such as DNS, FTP, Mail, standard and secure http ports and many others. If you need to open a specific port, hit Add on the “other” screen and define both the port and the protocol. In this example I’m opening port 3306 for incoming MySQL traffic:

Step forward through all available options, or select Close to move back to the first screen. Make sure the Firewall Enabled option is ticked, then hit OK and all your rules will be saved.

The Desktop Version

If you have Gnome or KDE installed, you can invoke the Desktop Version from the command line like this:
```
sudo system-firewall-config
```
In addition, there should also be a handy menu item under System – Administration – Firewall which will start the same thing.

The options are much the same, perhaps a little easier on the eye and easier to select. In addition you have a Wizard which will let you start your firewall rules with a clean slate (great if you’ve been previously poking around on the command line, potentially messing things up).

Thousand thanks to all the developers who have written this tool: Thomas Woerner, Chris Lumens, Florian Festi, Brent Fox and many others.
Jay Versluis 3:34 pm on January 3, 2015 Permalink | Reply
Tags: dovecot, Email ( 10 ), ssl ( 2 ), SSL Certificates ( 2 )
Categories: Linux, Plesk ( 59 )
How to install and secure Dovecot in Plesk 12
I’ve just installed the Dovecot Mail Service on one of my Plesk 12 servers. It’s an alternative to the old favourite Courier IMAP/POP and a new addition in Plesk 12.

Dovecot does more or less the same as Courier (i.e. lets you receive mail), but it’s a bit more configurable and debug friendly. It also offers server-side mail filtering which is accessible via the Plesk Webmail services Roundcube and Horde.

In this article I’ll show you how to install Dovecot in Plesk 12, and how to add your own SSL certificates for mail. In my previous article I’ve explained how to do this with the standard Courier Mail service.

Installing Dovecot in Plesk 12

Head over to
- Tools and Settings (or the Server Tab)
- under the Plesk heading
- Updates and Upgrades
Select Add or Remove Components and under Mail Hosting Features, find the option for Different IMAP/POP3 server:

You can only install either Courier or Dovecot. Switching will automatically uninstall the component you currently have and instead install the other one.

Note that switching Courier for Dovecot will preserve all mailboxes and will not affect your outgoing mail services. Give Plesk a moment until your see the “installation has finished” message.

You’re now running Dovecot!

Patching Dovecot SSL Certificates

As with Courier, Dovecot will use self-signed certificates for secure connections. This means that a nasty window is likely to pop up when clients connect. You can suppress this window by specifying your own SSL Certificates.

The default configuration file for Dovecot is in /etc/dovecot/dovecot.conf. However the file states that any changes you make here are wiped when an upgrade comes along. Instead, take a look at the /etc/dovecot/conf.d/ directory in which you’ll find three files by default:
- 10-plesk-security.conf
- 15-plesk-auth.conf
- 90-plesk-sieve.conf
You can add your own configuration snippets here, each beginning with a number and ending with .conf. The lower the number, the earlier your snippet is loaded. The higher the number, the later it is loaded. You get the picture.

Let’s create /etc/dovecot/conf.d/5-ssl.conf for our purposes. Because I had already configured my certificates for Courier they are still in /usr/share/imapd.pem – but feel free to place your .pem files anywhere you like. Here’s what my file looks like:
```
# SSL Certificates for Dovecot are defined here

ssl = yes
# Path to your Certificate, preferred permissions: root:root 0444
ssl_cert = &lt;/usr/share/imapd.pem
# Path to your Private Key, preferred permissions: root:root 0400
ssl_key = &lt;/usr/share/imapd.pem
```
Dovecot lets you have separate files for the certificate and the private key, something that’s not possible in Courier as far as I know. Dovecot is also happy to keep those in the same file though as in my example, and as in Courier. Easy going I say!

For the changes to take effect we need to restart the Plesk Mail Service like so:
```
/usr/local/psa/admin/sbin/mailmng --restart-service
```
That’s it!

How do I add a certificate for outgoing mail?

Postfix (and QMail) deal with sending mail, Dovecot and Courier only deal with receiving it. I’ve described how to add SSL Certificates to Postfix in my article about Courer.

Further Reading
- Nikolay explains how to use server-side filtering with Horde and Roundcube on the Plesk Dev Blog
- More details on Dovecot SSL Configuration
- Official Dovecot Documentation
- Wikipedia on Dovecot
- Check your new mail server with this handy online tool
Jay Versluis, prupert, and How to secure SMTP, POP and IMAP connections in Plesk | The WP Guru are discussing. Toggle Comments
- prupert 2:32 pm on January 18, 2015 Permalink | Reply
  
  You may want to add the following directives for added security:
  
  Strong DH params
  
  ssl_dh_parameters_length = 2048
  
  Disable insecure SSL protocols
  
  ssl_protocols = !SSLv2 !SSLv3
  - Jay Versluis 3:35 pm on January 18, 2015 Permalink | Reply
    
    Thank you for the tip, prupert! Very much appreciated!
Jay Versluis 10:04 pm on December 24, 2014 Permalink | Reply
Categories: Linux, Plesk, WordPress ( 59 )
FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7

I’ve noticed a weird bug in Plesk 12 on CentOS 7: when you connect via FTP, the wp-content folder does not show up – all other folders can be seen as usual. It’s a rather crucial folder for WordPress users.

At first I had suspected a problem with the ProFTP service which is not the stock version, but a specially compiled version for use with Plesk, and Plesk takes care of this system services (it’s called psa-proftpd in case you’re interested). But ProFTP is not the problem.

Thanks to the amazing Sergey Lystsev from Parallels for letting me know that the issue is instead with SELinux: when it’s used in Enforcing mode (which is the default), wp-content does not show itself via FTP. Switching it to Permissive mode or disabling SELinux altogether solves the problem.

The entire issue will be fixed in the next release of Plesk, and it’s already working in the latest update to the Plesk Preview 12.1.13. CentOS 5 and 6 are not affected.

How do we fix it, Cap’m?

To disable SELinux on CentOS 7 we can use this:
```
setenforce 0
```
Or, to switch to permissive mode, use this:
```
setenforce permissive
```
Now we’ll need to restart the xinetd service as well as Plesk for the changes to take effect:
```
systemctl restart xinetd.service
service psa stopall
service psa restart
```
Connect to your site via FTP and see if the wp-content folder shows itself.

To permanently change the SELinux configuration so that it survives a server restart, check out my other article here:
- http://wpguru.co.uk/2014/12/how-to-control-selinux-in-centos-7/
Jay Versluis, Ronald, and FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 - WP Hubbub are discussing. Toggle Comments
- Ronald 7:56 am on January 20, 2015 Permalink | Reply
  
  Thanks a lot for this post! I was experiencing the exact same problem and this solved it. Thanks.
  - Jay Versluis 9:16 am on January 20, 2015 Permalink | Reply
    
    You’re very welcome, Ronald!
Jay Versluis 8:03 pm on December 8, 2014 Permalink | Reply
Tags: vi
Categories: Linux ( 59 )
How to quit vi without saving your changes
It just occurred to me that even though I know my way around vi fairly well, I never had to quit it without saving my changes. Usually I just go back in and overwrite my mistakes.

Today I did something though that wasn’t as easy to eliminate: instead of pasting an IP address, I accidentally pasted a 4000+ character stylesheet. Dang!

So how do we leave vi and NOT save our changes? Here’s how:
Now you’re back on the command line without any saved changes.

Remind me: how do we SAVE changes again?

There are several ways of doing this, but my personal favourite is this:
- press ESC to exit editing mode (insert/append/whatever)
- press SHIFT + Z twice
This will put you back on the command line and your changes are saved.
- https://kb.iu.edu/d/afcz
- http://wpguru.co.uk/2012/03/how-to-use-vi-to-edit-files-in-linux/
Jay Versluis 2:07 pm on December 8, 2014 Permalink | Reply
Tags: CentOS ( 35 ), SELinux ( 2 )
Categories: Linux ( 59 )
How to control SELinux in CentOS 7
SELinux – when installed – can take on one of three modes:
- Enforcing
- Permissive
- Disabled
To check which mode SELinux is running on, we can use either sestatus for a more detailed output, or simply getenforce for a one liner:
```
sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```
getenforce on the other hand will literally just say a single word, like “Enforcing”.

To change this mode, edit /etc/selinux/config:
```
vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Change the file according to the comments and restart the system for the changes to take effect.

setenforce command

If SELinux is running and either set to Enforcing or Permissive, you can change its mode on the fly without restarting the server using the setenforce command like so:
```
// switch to permissive
setenforce permissive

// switch to enforcing
setenforce enforcing

// disable SELinux
setenforce 0
```
You won’t get any feedback if all goes well. Note that if SELinux is disabled, the setenforce command won’t work.

setenforce is practical if you’d like to change the SELinux policy only temporary and your settings will not be retained. So the next time you restart the server, SELinux will come back with whatever is set in /etc/selinux/config.

Find out more about SELinux and what it’s good for here:
- https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
- http://wiki.centos.org/HowTos/SELinux
FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 | The WP Guru is discussing. Toggle Comments

c: compose new post
j: next post/next comment
k: previous post/previous comment
r: reply
e: edit
o: show/hide comments
t: go to top
l: go to login
h: show/hide help
shift + esc: cancel