From 4ae8d6bc43e64060d82691f0814833a146e19a9a Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 21:50:28 +0200 Subject: [PATCH 01/16] rsyslog: Add default configuration. --- etc/rsyslog.conf | 115 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 etc/rsyslog.conf diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf new file mode 100644 index 0000000..d88cb68 --- /dev/null +++ b/etc/rsyslog.conf 
@@ -0,0 +1,115 @@ +# /etc/rsyslog.conf Configuration file for rsyslog v3. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +############### +#### RULES #### +############### + +# +# First some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. 
+# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg * + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +daemon.*;mail.*;\ + news.err;\ + *.=debug;*.=info;\ + *.=notice;*.=warn |/dev/xconsole -- 2.30.2 From 83b9e50f5c8879f979531db6a9ea3d0059027aac Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 22:00:15 +0200 Subject: [PATCH 02/16] rsyslog: Clean up rsyslog configuration. This removes some commented out lines, and reorganizes the existing logfiles to be more consistent. --- etc/rsyslog.conf | 80 +++++++++++++----------------------------------- 1 file changed, 21 insertions(+), 59 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index d88cb68..3d61e26 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -10,15 +10,7 @@ $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark # provides --MARK-- message capability - -# provides UDP syslog reception -#$ModLoad imudp -#$UDPServerRun 514 - -# provides TCP syslog reception -#$ModLoad imtcp -#$InputTCPServerRun 514 +#$ModLoad immark # provides --MARK-- message capability ########################### 
@@ -50,66 +42,36 @@ $IncludeConfig /etc/rsyslog.d/*.conf ############### # -# First some standard log files. Log by facility. -# +# Log each facility into its own log auth,authpriv.* /var/log/auth.log -*.*;auth,authpriv.none -/var/log/syslog -#cron.* /var/log/cron.log +cron.* -/var/log/user.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log +local0,local1,local2,\ + local3,local4,local5,\ + local6,local7.* -/var/log/local.log + +# Omitted facilities: syslog, news, uucp, ftp + +# All logs end up in syslog as weel as the corresponding facility log above +# (except for auth, mail which only end up in the facility log for privacy +# reasons and debug which only ends up in the debug log below to prevent +# flooding). +*.*;\ + *.!=debug;\ + auth,authpriv.none;\ + mail.none -/var/log/syslog -# -# Logging for the mail system. Split it up so that -# it is easy to write scripts to parse these files. -# -mail.info -/var/log/mail.info -mail.warn -/var/log/mail.warn -mail.err /var/log/mail.err - -# -# Logging for INN news system. -# -news.crit /var/log/news/news.crit -news.err /var/log/news/news.err -news.notice -/var/log/news/news.notice - -# -# Some "catch-all" log files. -# +# Debug entries end up in debug.log as well as the corresponding facility log +# above (except for auth and mail, which only end up in the facility logs for +# privacy reasons). *.=debug;\ auth,authpriv.none;\ - news.none;mail.none -/var/log/debug -*.=info;*.=notice;*.=warn;\ - auth,authpriv.none;\ - cron,daemon.none;\ - mail,news.none -/var/log/messages - + news.none;mail.none -/var/log/debug.log # # Emergencies are sent to everybody logged in. # *.emerg * - -# -# I like to have messages displayed on the console, but only on a virtual -# console I usually leave idle. 
-# -#daemon,mail.*;\ -# news.=crit;news.=err;news.=notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn /dev/tty8 - -# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, -# you must invoke `xconsole' with the `-file' option: -# -# $ xconsole -file /dev/xconsole [...] -# -# NOTE: adjust the list below, or you'll go crazy if you have a reasonably -# busy site.. -# -daemon.*;mail.*;\ - news.err;\ - *.=debug;*.=info;\ - *.=notice;*.=warn |/dev/xconsole -- 2.30.2 From fda2165e0ded02b36acb69fe1ffaedf6f31c23c8 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 22:26:54 +0200 Subject: [PATCH 03/16] rsyslog: Enable loggin of mark lines. --- etc/rsyslog.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 3d61e26..294272a 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -10,8 +10,8 @@ $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark # provides --MARK-- message capability - +$ModLoad immark # provides --MARK-- message capability +$MarkMessagePeriod 900 # mark messages appear every 15 Minutes ########################### #### GLOBAL DIRECTIVES #### -- 2.30.2 From c6b04db7d343fa7bd5e42b9ddbdd382011557706 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 22:31:27 +0200 Subject: [PATCH 04/16] rsyslog: Disable logging of kernel messages. The vservers won't have access to the kernel messages anyway. --- etc/rsyslog.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 294272a..5ad1ede 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf 
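Review bot: The new per-facility rule `cron.* -/var/log/user.log` contradicts the "Log each facility into its own log" comment directly above it and silently merges cron output into user.log; it should read `cron.* -/var/log/cron.log` (the old commented-out line it replaces used that path). The debug rule still carries `news.none` although news no longer has a file of its own, which is harmless but stale now that the comment says news is an omitted facility. Minor wording in the syslog comment: "as weel as" should be "as well as".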
@@ -9,7 +9,6 @@ ################# $ModLoad imuxsock # provides support for local system logging -$ModLoad imklog # provides kernel logging support (previously done by rklogd) $ModLoad immark # provides --MARK-- message capability $MarkMessagePeriod 900 # mark messages appear every 15 Minutes -- 2.30.2 From 93e25a9d8f8f35367603250fcdc03269925fcb07 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 22:37:56 +0200 Subject: [PATCH 05/16] rsyslog: Add default logrotate config. --- etc/logrotate.d/rsyslog | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 etc/logrotate.d/rsyslog diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog new file mode 100644 index 0000000..9ce5a44 --- /dev/null +++ b/etc/logrotate.d/rsyslog @@ -0,0 +1,37 @@ +/var/log/syslog +{ + rotate 7 + daily + missingok + notifempty + delaycompress + compress + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript +} + +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript +} -- 2.30.2 From 8a1dcae9b3294d856aea292a46354f1eefd79be8 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 4 May 2009 22:41:06 +0200 Subject: [PATCH 06/16] rsyslog: Update logrotate config to new rsyslog config. --- etc/logrotate.d/rsyslog | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog index 9ce5a44..eac2616 100644 --- a/etc/logrotate.d/rsyslog +++ b/etc/logrotate.d/rsyslog 
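Review bot: The weekly stanza rotates `/var/log/debug` and `/var/log/messages`, which the rsyslog config from the previous patches no longer writes, while `/var/log/debug.log` and `/var/log/local.log`, which it does write, are not listed and will grow without bound. Because the stanza has `missingok`, the stale entries fail silently and nothing flags the gap. If the file list is kept explicit it should mirror the action targets in rsyslog.conf, e.g. replace `/var/log/debug` and `/var/log/messages` with `/var/log/debug.log` and `/var/log/local.log`.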
@@ -11,18 +11,7 @@ endscript } -/var/log/mail.info -/var/log/mail.warn -/var/log/mail.err -/var/log/mail.log -/var/log/daemon.log -/var/log/kern.log -/var/log/auth.log -/var/log/user.log -/var/log/lpr.log -/var/log/cron.log -/var/log/debug -/var/log/messages +/var/log/*.log { rotate 4 weekly -- 2.30.2 From fb358aeffdc097cc31d26f702bbc4b1e82cce400 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 10:17:52 +0200 Subject: [PATCH 07/16] rsyslog: Move all rsyslog log files into a subdir. This allows us to use *.log in the logrotate configuration, without conflicting with logfiles not created by rsyslog. --- etc/logrotate.d/rsyslog | 4 ++-- etc/rsyslog.conf | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog index eac2616..5682508 100644 --- a/etc/logrotate.d/rsyslog +++ b/etc/logrotate.d/rsyslog @@ -1,4 +1,4 @@ -/var/log/syslog +/var/log/rsyslog/syslog { rotate 7 daily @@ -11,7 +11,7 @@ endscript } -/var/log/*.log +/var/log/rsyslog/*.log { rotate 4 weekly diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 5ad1ede..262d102 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -42,16 +42,16 @@ $IncludeConfig /etc/rsyslog.d/*.conf # # Log each facility into its own log -auth,authpriv.* /var/log/auth.log -cron.* -/var/log/user.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -lpr.* -/var/log/lpr.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log +auth,authpriv.* /var/log/rsyslog/auth.log +cron.* -/var/log/rsyslog/user.log +daemon.* -/var/log/rsyslog/daemon.log +kern.* -/var/log/rsyslog/kern.log +lpr.* -/var/log/rsyslog/lpr.log +mail.* -/var/log/rsyslog/mail.log +user.* -/var/log/rsyslog/user.log local0,local1,local2,\ local3,local4,local5,\ - local6,local7.* -/var/log/local.log + local6,local7.* -/var/log/rsyslog/local.log # Omitted facilities: syslog, news, uucp, ftp 
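Review bot: The glob `/var/log/*.log` is not scoped to files rsyslog owns, so it will also match log files of other packages that ship their own logrotate stanzas; logrotate treats a file appearing in two stanzas as a duplicate entry and skips one of them, and with `missingok` set nothing surfaces that. Those foreign files would also get this stanza's `invoke-rc.d rsyslog reload` postrotate, which does not tell their writers to reopen the file. A comment on the glob stating that only rsyslog-created logs may live here, or a dedicated directory for rsyslog output, would make the assumption explicit.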
@@ -62,14 +62,14 @@ local0,local1,local2,\ *.*;\ *.!=debug;\ auth,authpriv.none;\ - mail.none -/var/log/syslog + mail.none -/var/log/rsyslog/syslog # Debug entries end up in debug.log as well as the corresponding facility log # above (except for auth and mail, which only end up in the facility logs for # privacy reasons). *.=debug;\ auth,authpriv.none;\ - news.none;mail.none -/var/log/debug.log + news.none;mail.none -/var/log/rsyslog/debug.log # # Emergencies are sent to everybody logged in. # -- 2.30.2 From 1ac1b5e19135689700694ab9fc6019b910aa6fd2 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 10:52:30 +0200 Subject: [PATCH 08/16] rsyslog: Send all logs to the log vserver. This happens in addition to local logging. --- etc/rsyslog.conf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 262d102..088b8bb 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -36,9 +36,9 @@ $DirCreateMode 0755 $IncludeConfig /etc/rsyslog.d/*.conf -############### -#### RULES #### -############### +####################### +#### Local logging #### +####################### # # Log each facility into its own log @@ -74,3 +74,10 @@ local0,local1,local2,\ # Emergencies are sent to everybody logged in. # *.emerg * + +######################## +#### Remote logging #### +######################## + +# Send all log entries to the log vserver +*.* :omrelp:log:514;RSYSLOG_SyslogProtocol23Format -- 2.30.2 From 7c9854dfdaf39c0d635788fb89a4d5d86f2fd418 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 11:17:28 +0200 Subject: [PATCH 09/16] nss: Add some comments. --- etc/libnss-ldap.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/libnss-ldap.conf b/etc/libnss-ldap.conf index 7154a4d..32b8645 100644 --- a/etc/libnss-ldap.conf +++ b/etc/libnss-ldap.conf 
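Review bot: The forwarding action `*.* :omrelp:log:514;RSYSLOG_SyslogProtocol23Format` relies on the omrelp output module, but no `$ModLoad omrelp` appears in this hunk or in the module section shown in earlier patches; omrelp is a loadable module, so unless it is loaded from /etc/rsyslog.d this action fails at config time. The selector `*.*` also forwards auth/authpriv and mail messages that the local rules deliberately keep out of syslog "for privacy reasons", and as far as I can tell this RELP action provides no transport encryption or peer authentication, so that data crosses the network in clear text to whatever host `log` resolves to. At minimum the module load `$ModLoad omrelp` should precede the action, and the comment should say that privacy-sensitive facilities are intentionally included and what protects them in transit.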
@@ -12,7 +12,10 @@ uri ldap://ldap.drsnuggles.stderr.nl # The LDAP version to use ldap_version 3 -# Use uniqueMember +# Use the uniqueMember property, referring to dn's instead of the memberUid +# property referring to usernames. This allows us to have group members with or +# without an account, and give a group member an account without having to +# change all his memberships. nss_schema rfc2307bis # Use our custom posixGroup replacement -- 2.30.2 From e006df102382618400410b2e67430fb81eb93d97 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 15:07:22 +0200 Subject: [PATCH 10/16] rsyslog: Enable queuing of log messages. This prevents messages from getting lost when the log vserver is temporarily unavailable. --- etc/rsyslog.conf | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 088b8bb..7b95903 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -79,5 +79,15 @@ local0,local1,local2,\ #### Remote logging #### ######################## -# Send all log entries to the log vserver -*.* :omrelp:log:514;RSYSLOG_SyslogProtocol23Format +# Send all log entries to the log vserver, but queue them in memory as well as +# on disk if needed. +$WorkDirectory /var/spool/rsyslog +# Use a linked list for queueing +$ActionQueueType LinkedList +# Name to use for the queue file +$ActionQueueFileName remote +# infinite retries on insert failure +$ActionResumeRetryCount -1 +# save in-memory data if rsyslog shuts down +$ActionQueueSaveOnShutdown on +*.* @@log;RSYSLOG_SyslogProtocol23Format -- 2.30.2 From 033368ac1cf3e8576f589405dcfbe5a3e0dc6816 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 15:55:27 +0200 Subject: [PATCH 11/16] rsyslog: Make the main queue disk-assisted as well. --- etc/rsyslog.conf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 7b95903..c6e706b 100644 --- a/etc/rsyslog.conf 
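Review bot: The action line changes transport from `:omrelp:log:514` to plain TCP (`@@log`) without the commit message mentioning it; plain TCP syslog has, to my knowledge, no application-level acknowledgement, so messages already handed to the socket buffer can still be lost when the connection to the log vserver drops, which partly undermines the stated goal of the queue. The disk-assisted queue is also unbounded: `$ActionResumeRetryCount -1` with no `$ActionQueueMaxDiskSpace` means a prolonged outage of the log vserver lets queue files grow until the filesystem holding /var/spool/rsyslog is full. Consider adding a cap such as `$ActionQueueMaxDiskSpace 1g` and a comment recording why TCP replaced RELP.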
+++ b/etc/rsyslog.conf @@ -35,6 +35,17 @@ $DirCreateMode 0755 # $IncludeConfig /etc/rsyslog.d/*.conf +# Store any queues here. This directory is not created automatically, so it +# must already exist! +$WorkDirectory /var/spool/rsyslog + +# Use a (disk-assisted) main queue +# Use a linked list for queueing +$MainMsgQueueType LinkedList +# Name to use for the queue file +$MainMsgQueueFileName main +# save in-memory data if rsyslog shuts down +$MainMsgQueueSaveOnShutdown on ####################### #### Local logging #### @@ -81,7 +92,6 @@ local0,local1,local2,\ # Send all log entries to the log vserver, but queue them in memory as well as # on disk if needed. -$WorkDirectory /var/spool/rsyslog # Use a linked list for queueing $ActionQueueType LinkedList # Name to use for the queue file -- 2.30.2 From 8c8d29d2441584403b7e6d79bdc6b2638e112a3a Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 17:06:45 +0200 Subject: [PATCH 12/16] ssh: Add default initscript configuration. --- etc/default/ssh | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 etc/default/ssh diff --git a/etc/default/ssh b/etc/default/ssh new file mode 100644 index 0000000..9680d34 --- /dev/null +++ b/etc/default/ssh @@ -0,0 +1,11 @@ +# Default settings for openssh-server. This file is sourced by /bin/sh from +# /etc/init.d/ssh. + +# Options to pass to sshd +SSHD_OPTS= + +# OOM-killer adjustment for sshd (see +# linux/Documentation/filesystems/proc.txt; lower values reduce likelihood +# of being killed, while -17 means the OOM-killer will ignore sshd; set to +# the empty string to skip adjustment) +SSHD_OOM_ADJUST=-17 -- 2.30.2 From 5e14935679f15c54c8be47c88d36632ec1cc9ade Mon Sep 17 00:00:00 2001 
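Review bot: The comment on `$WorkDirectory /var/spool/rsyslog` says the directory must already exist but not who may read it, and with the main queue now spooling to `main` queue files every message, including the auth/authpriv content the file rules restrict to `root:adm` 0640, will be written there. I would extend the comment to `# Must exist and be root-owned, not group/world readable: queue files contain every message, including auth logs.` As with the action queue, no `$MainMsgQueueMaxDiskSpace` is set, so a stalled output can fill the spool filesystem.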
From: Matthijs Kooijman Date: Tue, 5 May 2009 17:07:10 +0200 Subject: [PATCH 13/16] ssh: Disable changing of the oom_adj value. This value is meant for making sure ssh is never killed by the oom killer, but that is not allowed inside vservers. --- etc/default/ssh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default/ssh b/etc/default/ssh index 9680d34..afbc23b 100644 --- a/etc/default/ssh +++ b/etc/default/ssh @@ -8,4 +8,5 @@ SSHD_OPTS= # linux/Documentation/filesystems/proc.txt; lower values reduce likelihood # of being killed, while -17 means the OOM-killer will ignore sshd; set to # the empty string to skip adjustment) -SSHD_OOM_ADJUST=-17 +# Disabled since oom_adj is not available inside vservers +SSHD_OOM_ADJUST= -- 2.30.2 From 3efd2f3ff6b490e947d45ec28925f35888ec6896 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 5 May 2009 18:09:52 +0200 Subject: [PATCH 14/16] rsyslog: Use another format for forwarding messages. The syslog protocol 23 format seems to be broken in rsyslog for messages that were originally generated by legacy applications (i.e., do not have a structured-data field). See http://bugzilla.adiscon.com/show_bug.cgi?id=125 --- etc/rsyslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index c6e706b..ab6876b 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -100,4 +100,4 @@ $ActionQueueFileName remote $ActionResumeRetryCount -1 # save in-memory data if rsyslog shuts down $ActionQueueSaveOnShutdown on -*.* @@log;RSYSLOG_SyslogProtocol23Format +*.* @@log;RSYSLOG_ForwardFormat -- 2.30.2 From 94063426f36b90b391ed37c28a83980ae22a14c9 Mon Sep 17 00:00:00 2001 
From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:26:53 +0200 Subject: [PATCH 15/16] oidentd: Add default configuration. --- etc/default/oidentd | 17 +++++++++++++++++ etc/oidentd.conf | 22 ++++++++++++++++++++++ etc/oidentd_masq.conf | 11 +++++++++++ 3 files changed, 50 insertions(+) create mode 100644 etc/default/oidentd create mode 100644 etc/oidentd.conf create mode 100644 etc/oidentd_masq.conf diff --git a/etc/default/oidentd b/etc/default/oidentd new file mode 100644 index 0000000..14bec1e --- /dev/null +++ b/etc/default/oidentd @@ -0,0 +1,17 @@ +# options to use when starting oidentd as daemon: +# -m lookup masquaraded connections in /etc/oidentd_masq.users +# -f forward requests for masquaraded connections to real host +# -q don't log connections to oidentd +# see oidentd(8) for detailed list +OIDENT_OPTIONS="-mf" + +# user / group +OIDENT_USER=oident +OIDENT_GROUP=oident + +# Allow the default router to act as an oidentd proxy? (yes/no) +# this is needed behind a masquarading router that runs oidentd -f +# if your identd proxy is not the default router, you have to +# manually specify it via -P +OIDENT_BEHIND_PROXY=yes + diff --git a/etc/oidentd.conf b/etc/oidentd.conf new file mode 100644 index 0000000..03b28d8 --- /dev/null +++ b/etc/oidentd.conf @@ -0,0 +1,22 @@ +# Configuration for oidentd +# see oidentd.conf(5) +# +default { + default { + deny spoof + deny spoof_all + deny spoof_privport + allow random + allow random_numeric + allow numeric + deny hide + } +} + +# you may want to hide root connections +#user "root" { +# default { +# force reply "UNKNOWN" +# } +#} + diff --git a/etc/oidentd_masq.conf b/etc/oidentd_masq.conf new file mode 100644 index 0000000..8fb03f1 --- /dev/null +++ b/etc/oidentd_masq.conf 
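Review bot: The option comment `# -m lookup masquaraded connections in /etc/oidentd_masq.users` names a file this commit does not create; the file it does add is `/etc/oidentd_masq.conf`, which itself points at oidentd_masq.conf(5). Which path `oidentd -m` actually reads is not visible here, but the comment and the shipped file should agree, e.g. `# -m lookup masqueraded connections in /etc/oidentd_masq.conf`. "masquaraded" is misspelled in three comment lines.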
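Review bot: With `deny hide` in the default block and the `user "root"` override left commented out, every ident query from a remote host receives the real local username, including `root` for connections made by root-owned processes, and no user can opt out. The comment "you may want to hide root connections" signals the author saw this; since the daemon already allows `random` and `numeric` replies, either uncomment the root block so root connections answer `UNKNOWN`, or change `deny hide` to `allow hide` and record in a comment why usernames are deliberately disclosed.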
@@ -0,0 +1,11 @@ +# oident masquarded connections configuration + +# use this file if your host is masquarading connections for several +# hosts and you want to return a reply based on the hostname of +# the originating machine +# by default, such requests are forwarded to the real host. +# you can disable forwarding by removing "-f" from OIDENT_OPTIONS +# in /etc/default/oidentd + +# add hosts in the following format, see oidentd_masq.conf(5) for details: +# [/mask] -- 2.30.2 From a799b50b1d46b49b57ce3212c2fcf60317e7a6f9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:29:31 +0200 Subject: [PATCH 16/16] oidentd: Allow the vserver host to forward connections. --- etc/default/oidentd | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/etc/default/oidentd b/etc/default/oidentd index 14bec1e..f807bd5 100644 --- a/etc/default/oidentd +++ b/etc/default/oidentd @@ -2,16 +2,19 @@ # -m lookup masquaraded connections in /etc/oidentd_masq.users # -f forward requests for masquaraded connections to real host # -q don't log connections to oidentd +# -P allow forwarded connectsions from this host. We use our own +# hostname here, since connections will be forwarded from oidentd +# on the vserver host. Those connections will appear to originate +# from our own (and only) IP address. # see oidentd(8) for detailed list -OIDENT_OPTIONS="-mf" +OIDENT_OPTIONS="-mf -P `hostname`" # user / group OIDENT_USER=oident OIDENT_GROUP=oident # Allow the default router to act as an oidentd proxy? (yes/no) -# this is needed behind a masquarading router that runs oidentd -f -# if your identd proxy is not the default router, you have to -# manually specify it via -P -OIDENT_BEHIND_PROXY=yes +# Since the vserver stuff messes up this autodetection, we pass in -P +# above instead. +OIDENT_BEHIND_PROXY=no -- 2.30.2
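Review bot: `OIDENT_OPTIONS="-mf -P \`hostname\`"` makes the trust decision for forwarded ident requests depend on what `hostname` returns at init time; if it yields a short name that does not resolve, the `-P` argument is useless or fatal, and the comment itself says forwarded requests arrive from "our own (and only) IP", so any process able to connect from that address is treated as the trusted proxy. Using `-P "$(hostname -f)"` or the explicit address would at least make the trusted peer deterministic and readable. The comment also misspells "connectsions".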