leif's blog

Caching yum repo data in Fedora

Since Comcast is nuts and meters my connection, and I do a lot of yum update and yum install in my day-to-day work, I decided to set up an HTTP cache. I decided against doing a mirror, because I don't need all of what Fedora provides, only a very small subset. Now, the modern Fedora DNF configurations use metalink and HTTPS URLs, which are not (easily) cacheable. The first thing I ended up doing was to edit the yum.repos.d configuration files, e.g. fedora.repo:

name=Fedora $releasever - $basearch

In particular, notice that I removed (commented out) the metalink configuration. Alternatively, I'm fairly certain you can keep the baseurl pointing to the normal download.fedoraproject.org server, and instead add a proxy= configuration option to /etc/dnf/dnf.conf. However, since I had to edit the .repo files anyways, I figured I might as well just do it all there.
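With metalink and HTTPS out of the picture, the package signature check (gpgcheck) is what still verifies whatever comes back through the cache. The following is an added example, not part of the original post, that audits .repo content for enabled plain-HTTP repos without it; the sample file, its paths and the function name audit_repos are constructed for illustration.

```python
import configparser

# Constructed sample (not the author's real file): metalink commented out,
# baseurl pointed at the cache host over plain HTTP; paths are made up.
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
baseurl=http://some_cache.ogre.com/path/to/fedora/$releasever/$basearch/os/
#metalink=https://mirrors.example.invalid/metalink?repo=fedora-$releasever
enabled=1
gpgcheck=1

[local-extras]
baseurl=http://some_cache.ogre.com/extras/
gpgcheck=0

[testing]
baseurl=http://some_cache.ogre.com/testing/
enabled=0
gpgcheck=0

[inherits-main]
baseurl=http://some_cache.ogre.com/other/
"""

def audit_repos(text, main_gpgcheck=False):
    """Map repo id -> reason, for enabled repos that fetch over an
    unauthenticated transport without package signature checking.
    main_gpgcheck stands in for gpgcheck in dnf.conf [main] (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    flagged = {}
    for repo in cp.sections():
        sec = cp[repo]
        if not sec.getboolean("enabled", fallback=True):
            continue  # disabled repos are never fetched
        # baseurl may list several URLs separated by spaces, commas or newlines
        urls = sec.get("baseurl", "").replace(",", " ").split()
        if not any(u.lower().startswith(("http://", "ftp://")) for u in urls):
            continue  # no plain-HTTP/FTP baseurl to worry about
        if "gpgcheck" in sec:
            if not sec.getboolean("gpgcheck"):
                flagged[repo] = "gpgcheck explicitly disabled"
        elif not main_gpgcheck:
            flagged[repo] = "gpgcheck unset and off in [main]"
    return flagged

if __name__ == "__main__":
    for repo, why in audit_repos(SAMPLE_REPO).items():
        print(f"{repo}: {why}")
```

Pass main_gpgcheck=True when /etc/dnf/dnf.conf sets gpgcheck=1 in [main], so that repos without their own setting are treated as checked.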

Next, it's time to set up a caching proxy; in my case, the obvious choice is Apache Traffic Server. What gets a little tricky here is that the Fedora download servers send a lot of redirects to the mirrors, which mostly defeats the purpose of caching. In my configuration (remap.config), I work around this by making sure ATS itself follows such redirects:

map http://some_cache.ogre.com http://download.fedoraproject.org \
    @plugin=conf_remap.so \
    @pparam=proxy.config.http.number_of_redirections=2


Update: I attached a Lua plugin script that's a little more clever, and does more aggressive caching of the various RPM file extensions. This combines all the logic above, and this additional cache tweaking, all into one nice script.

Fwiw, I tried using https://download.fedoraproject.org, but that did not seem to work :-/. I did a few minor other tweaks in ATS itself, but primarily this is running a stock ATS configuration out of the box (change the ports definition though). One thing to bear in mind is that the content from Fedora (and its mirrors) does not include a Cache-Control or Expires header. So, I ended up changing the ATS configurations to allow heuristics based on Last-Modified:

CONFIG proxy.config.http.cache.required_headers INT 1
CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 7200
CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 172800

Obviously set this min/max to some numbers that are reasonable for your environment and needs. Enjoy!

Running HomeBrew gdb on macOS

So, if you try to run gdb from e.g. HomeBrew on macOS, you get an error like this:

Starting program: /Users/leif/apache/trafficserver/iocore/net/.libs/test_UDPNet
Unable to find Mach task port for process-id 42037: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))


I found this article / HowTo for doing a code signing certificate for the gdb binary, and signing it: https://sourceware.org/gdb/wiki/PermissionsDarwin


Drupal 8 upgrades

I did the latest security updates for Drupal 8 on this system, and ended up having new problems that I've not seen before. This showed up in my logs:

[Thu Jan 17 13:40:42.339572 2019] [:error] [pid 12676] [client] PHP Fatal error:  Class 'TYPO3\\PharStreamWrapper\\Behavior' not found in drupal8/core/lib/Drupal/Core/DrupalKernel.php on line 484

The solution, of course, is to update the dependency modules, using

$ composer install --no-dev



RPi Picade and turning off the display

Since Peter has the fancy Picade in his bedroom, I wanted to turn off the display completely at night. Even with the screen saver, it has a bit of a glow to it. So, I found a few commands that I added to my crontab:

0 20 * * * /usr/bin/vcgencmd display_power 0 > /dev/null
0 8 * * *  /usr/bin/vcgencmd display_power 1 > /dev/null


Cyrus IMAPD and expired objects

As part of a recent upgrade of my Linux distro, I noticed that deleted messages and mailboxes no longer got removed (expunged or expired). Upon investigation, I realized I have to explicitly run a cron job, using cyr_expire, to purge these deleted items. I added the following, which means it'll expire messages and folders that were deleted 2 weeks ago:

01 17 * * * /sbin/cyr_expire -E 3 -D 14 -X 14


For good measure, I also rebuilt some of the mailboxes, with e.g.

$ sudo reconstruct -r -f -G -V max -u peter


Fedora28 systemd-logind crashing with NIS / ypbind

So, yes, I run NIS on a few hosts, because it's still the easiest way to set up some account info in a small network. I'm a dinosaur, what can I say. After I upgraded to Fedora28, I noticed a significant delay when ssh'ing into these boxes. Of course, the problem is with systemd, which now also decides it needs to own logind... And it hangs in a way that it has to be killed via a watchdog. In my logs, I would see e.g.

Jul 16 23:43:51 x kernel: audit: type=1701 audit(y): auid=z uid=0 gid=0 ses=q pid=4025 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" sig=6 res=1
Jul 16 23:43:51 x systemd[1]: Started Process Core Dump (PID 4248/UID 0).
Jul 16 23:43:51 x audit[1]: SERVICE_START pid=1 uid=0 auid=x ses=y msg='unit=systemd-coredump@3-4248-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 23:43:51 x kernel: audit: type=1130 audit(x: pid=1 uid=0 auid=y ses=z msg='unit=systemd-coredump@3-4248-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 16 23:43:52 x audit[1]: SERVICE_STOP pid=1 uid=0 auid=x ses=y msg='unit=systemd-logind comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jul 16 23:43:52 x systemd[1]: systemd-logind.service: Main process exited, code=dumped, status=6/ABRT
Jul 16 23:43:52 x systemd[1]: systemd-logind.service: Failed with result 'watchdog'.
Jul 16 23:43:52 x systemd[1]: systemd-logind.service: Service has no hold-off time, scheduling restart.
Jul 16 23:43:52 x systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 4.
Jul 16 23:43:52 x systemd[1]: Stopped Login Service.
Jul 16 23:43:52 x systemd[1]: Starting Login Service... 

The solution to this, other than trying to get rid of systemd-logind itself (which might, or might not, be doable), is to edit the two files /etc/pam.d/password-auth and /etc/pam.d/system-auth, and comment out the following (supposedly optional) line:

-session    optional                                     pam_systemd.so

There's also a Bugzilla issue which I think tracks this issue.


RPi, Fedora 28, and resizing the image

Finally, Fedora 28 supports the RPi 3B+, with a functional 64-bit image! However, I had an issue with resizing the root (/) file system. The instructions on their site did not work as documented; after running gparted on the image, the / volume was still small. I ended up running the following, as root, on the running system, and it worked fine:

$ lvextend -l +100%FREE -r /dev/fedora/root

I had of course already run gparted which resized the PV pool, but I suspect you could do that too with

$ pvresize /dev/mmcblk0p3


pfSense system upgrade failure

I was having issues with the upgrades to my pfSense box, where the UI just said "Unable to check for updates":

I logged in to the box, and tried

[2.3.4-RELEASE][admin@yggdrasil.ogre.com]/root: pkg update
Shared object "libssl.so.8" not found, required by "pkg"


Yeh, no good. Poking around a bit, I did the following, which seems to have resolved the issue:

[2.3.4-RELEASE][admin@yggdrasil]/root: pkg-static update -f
[2.3.4-RELEASE][admin@yggdrasil]/root: pkg-static upgrade -f


Why the UI isn't using the statically compiled "pkg" binary is unknown (i.e. a mystery, i.e. likely a bug :-).

Picade and audio

A while ago, Peter and I built a RPi based Picade box. It was a lot of fun! We had some issues with sound though, with a lot of static and clicking noises. After some digging, I ended up with the following configurations:

# Enable audio (loads snd_bcm2835)
# Try to fix sound

I'm not sure exactly which ones are absolutely necessary, but the above works well for us.


