- DC-Users - DuckCorp Mailing-Lists

A few activities between summer sunny nap and winter hibernation
by DuckCorp Admin Team 13 Sep '09

13 Sep '09

Coin, === Orfeo Migration === Everything went fine. IPv6 connectivity was restored a few hours later. Thanks Hivane for handling this move quite transparently. More planification would be better though ;-). === Arch Support is Gone === As planned, Tla/Arch support was removed on Toushirou. Users which had not converted their projetcs to another VCS can find a backup of their data in a 'arch-devel-archives.tgz' archive in their home directory. It was a nice tool... === FTP Security === As one user reported, ftp.duckcorp.org is not very secure, as you authenticate on an unsecured connection when you need to upload new content. So, we decided to improve the situation. From now on, you should be using ftps.duckcorp.org instead. This virtual host enforce using TLS before authenticating. Around october, 15th ftp.duckcorp.org will connect you to the public part of the FTP data, and you won't be able to do any modification using this vhost. Nevertheless, authenticating using TLS would probably be retained, in order to leverage a few limitations, like FXP allowance. In the meantime, the physical layout in the /ftp directory will be changed to allow more vhosts in the future. === DB Migration === As users do not use PostgreSQL, migration to 8.4 was done recently. Do not hesitate asking for an account if you need. MySQL is widely used, and is being upgraded to a new major version soon, around november, 15th. So, we will take care of any wide needed actions, like running REPAIR on all tables (needed for FULLTEXT indexes and probably a few other things), but we need YOU to check for incompatible changes in the software you use. System-wide softwares, like Mediawiki and Gallery2, will be handled by our staff, so you don't need to care about. For more information, please look at: http://dev.mysql.com/doc/refman/5.1/en/upgrading-from-previous-series.html You can contact us in order to provide a SQL script to run at migration time if needed. === Toushirou Kernel upgrade === Toushirou is being used for shells/screens and IRC proxy (bip), so it is not easy to reboot it without you noticing, but sometimes, because of so much security problems, it is needed. We plan to reboot it soo, probably September, 19th, around midday. === IRC Plan === The test server is working pretty well. We plan to upgrade it to a testing version very near the final release, test it a bit (mostly SSL links, with another test server), and replace production softwares before the end of the year. === LDAP Work === Important changes were done, and further migrations should be less intrusive.. That's all for now. Don't forget help and donations are still warmly welcome.. -- Marc Dequènes (Duck)

1 0

Short partial downtime happening _Today_
by DuckCorp Admin Team 12 Sep '09

12 Sep '09

Coin, Due to complex sponsoring needs, we needs to move Orfeo to a new location _today_. Unfortunately, it could not be planned better, and the machine is being moved in an hour or two. Our sponsor Hivane would take care of almost everything transparently. We'll stop the machine at the last moment and take care of checking network connectivity and services as soon as online again. Affected services would mostly be Mail related (several others having redondancy, like IRC, DNS, MX2, or Jabber/XMPP). Sorry for the inconvenience. Regards. -- Marc Dequènes (Duck)

1 0

Summer of Work
by DuckCorp Admin Team 14 Jul '09

14 Jul '09

Coin, === LDAP Work == Since 2007, most of our core infrastructure has remained identical. To improve it, we have begun an heavy work on the LDAP database and related softwares. We no longer rely on firewalling for security, as every involved server now use TLS communications with certificate check. The schema is being improved and work on better administration/user tools will follow. The LDAP infrastructure will soon be opened to all properly authenticated and securized access to everyone. This should allow more transparency on retained user information, and is a continuation of the "Experimental Tool" Banya (see previous mail in march). That is to say, this work could introduce some disturbance, mostly at night (from a GMT+2 point of view) or during legal holidays, even if we try to minimize it as much as possible. === Mail === Latest sunday (and probably the previous one), you may have experienced problems connecting to the mail services. Unfortunately, our SPAM database suddenly grow quite large, and it was necessary to shutdown to do some urgent maintenance. Several things were done to improve the situation, and the software was also upgraded to take advantage of several database optimizations. The web interface and processing speed have been improved a bit too. As several persons do not use much the spam filtering facility, the default training method was changed to ensure a reduced ressource usage when unnecessary (it can still be changed in the web interface). The mail software has been upgraded too, coming with a much better server-side mail filtering engine (SIEVE), with many fixes compared to the previous one, and the following new extensions: - variables - imap4flags (replacing the obsolete imapflags) - enotify (replacing the obsolete notify) - encoded-character More info on SIEVE and these extensions can be found here: http://sieve.info/ People using our SMTP from a roaming connections may have had a few problems with certain restrictions, this is now fixed. === Mail from Webapps === We spotted a few strange mails, and found a few of you are using forum or website with open registration with no or not-very-efficient anti-bot protection, leading to a few SPAM messages. From now on, webapps using the traditionnal mail functions will have their mail follow a special path, to ensure we can spot these problems easily and be able to train our antispam with problematic mails. This should ensure our mail servers are not banned. === Webmails === First, a few weeks ago, a Horde upgrade led to firstnames being screwed in the Contacts, due to a bug in the upgrade script. We had not enough time to work on restauration, and as very few of you were concerned, we decided this was too much of a workload. Sorry for the bother. The SIEVE filtering plugin for webmail.duckcorp.org has been upgraded and has better support for SIEVE extensions (but not 'variables' yet). === RCS === The Arch webdav access was broken, not working with https and auth with tla, and buggy with baz, so it was merely dropped. Moreover, Arch not updated upstream since a while (baz was even dropped and corpse hidden by Canonical a few years ago), so, Arch support is scheduled for removal in September. You are not obliged to move to a new RCS, but tools will disapear on our servers. WHen times come to and end, remaining archives in '/rcs/arch-devel-archives' will be moved to the corresponding user's home directory. == SAFT is Back === In DuckCorp, we like oldies, abandonwares and the like. Once upon a time, DC servers were prodiving a service to send files to a remote UNIX user, SAFT. This funny service is asynchronous and retry-aware, and can be used when the sender and recipient can't share a common place to exchange data (FTP for example), and sending a huge mail would be horrible or even impossible. The receiver needs to run a simple and light server, and the receiver to use the 'sendfile' command (available in Debian). One is now running on Toushirou, and received files can then be found with your shell access and the 'receive' command, or via your FTP account in '/sendfile/<uid>/'. You're address for the service would then be <uid>@saft.duckcorp.org. More info on this subject can be found here: http://fex.rus.uni-stuttgart.de/saft/sendfile.html Have FUN !!! -- Marc Dequènes (Duck)

1 0

Acontios|Wrk has quit (Killed (irc.t1r.net (Bad Nickname))) << hey fuck you t1r !
by DuckCorp Admin Team 06 Mar '09

06 Mar '09

Coin, === Cleanup === For the people _rarely_ using Toushirou to compile stuff, this is now _over_. For historical reasons this machine supported such feature, but as it is not secure enough, and not useful enough for really building things (as you cannot install build dependencies), this has definitevely been shutdown. === Cheers === That's perhaps just strange eons, or just a dream i made, but it seems Toushirou has reached 42 days being up and without an Oops. So i guess that's a good reason to drink (even if not real) :-) ! === IRC Stumblings === Once upon a time, a lord, after having had a big party, or the like, dicided to rename its "Etch" castle in "Lenny" castle. Unfortunately, during his hard work modifying the residence in accordance to the new name, he overlooked a part of his domain. One of his men decided to lay down his own rules, banishing people generously for no good reason. Later, a neighbouring lord, seing all this mess crossing boundaries of his own land, decided to give a hand. Both, with great bravoure, restored peace and justice over the world ! Hum. This is to say... sorry for the so many disturbances while T1R IRC server was upgraded, and later when the other IRCd crashed while prepared the upcoming new IRC services. The good news, is that we are using improved IRC services now. Most news are polishing and bug fixes, but there also a new service (even if not really useful): MEMOSERV, for leaving offline messages. There is also a translation of services messages, but only in russian and bulgarian :-/, so if someone is willing to help... === Experimental Tool === Since a while there are several services available, but yet most of them cannot be set up by the user themself. For people having a shell account, there still is a delegating script to access the part of perso.duckcorp.org apache log related to their web space, and people may still read the logs of their personnal websites. Their was also another script to allow modifying their DNS master zone, but since Orfeo was back and not opened to user accounts, it was no more working. So, it has been a while something was missing. A new tool is being written to address part of the problem. It is currently totally experimental and doing almost nothing yet, but yet you could help us test it. You need to have a GPG key, have one of the MP admins signed it and registered into the service, to be able to use it (for obvious security reasons). Then you can write a _signed_ mail to "MilkyPond Administration Officer" <banya(a)milkypond.org>, and in the body use the following commands (one per line): - DNS INFO to get the list of DNS <zone>s you can manage (and probably more in the future) - DNS GET ZONE <zone> to get the DNS <zone> content - DNS SET ZONE <zone> @<i> to replace the current DNS <zone> content with the <i>st/nd/rd/th attachment (text/plain accepted only) As your zone content can be *secret*, then you can get the Banya key D0CCBBA55460719D515C11E6E770C685EF410567, signed by Arnau and me, and encrypt the mail with it. The mail should be RFC3156-compliant, and should not use the combined method described in chapter 6.2 of this RFC (not supported yet). The subject is purely informational, for you to identify the reply to the corresponding demand. Have FUN !!! -- Marc Dequènes (Duck)

2 1

Still on Air
by DuckCorp Admin Team 12 Feb '09

12 Feb '09

Coin, === Coinings === First of all, Happy new year to everybody. We are late because we were still eating chocolates and drinking beer, and had no time for lusers :-). === Network Migration === We love it... Our network provider now has a wider range of IPv6 addresses, but unfortunatly this is not an extension of the previous one, so we are going to move to new addresses during the we. In fact HQ and tunnel provider addresses were already moved, but the other changes may not be unnoticed, so you are warned. === Webdesk === We recently (this night) added the Trean extension to Horde, so you can play with bookmark management from now on. === Calls === I know this is quite boring, but i'd like to remind the call for help and the call for funds are still actives. No more bad news for today... ;-) -- Marc Dequènes (Duck)

1 0

Indigestible Pack of News
by DuckCorp Admin Team 29 Sep '08

29 Sep '08

Coin, Hold your breath... === Toushirou's Unplanned Reboot === Bad news first, Toushirou was rebooted Saturday at 13:10, due to kernel problems. This is quite infrequent nowadays, and often improved by new kernels and system tools. So the next one should be a planned one, we hope. === Orfeo's Planned Reboot === The machine will be rebooted for kernel upgrade tomorrow, 2008-09-29 (as we change day at 05:00 in the pond), after midnight (exact time would be announced on IRC). === IPv6 Migration === Our transit provider needs to use a new range of addresses, so we need to give back our IPs and use new ones in their new range. The first easy step of the migration, HQ and IPv6 tunnels, has already been done successfully. The second and final step is to change the IPv6 connectivity of our main servers. This will be done soon, and you'll be advertise when to take this into account (DNS masters, SSH known hosts, ...) === Backup === The backup system is back alive. We took the necessary time to change and improve things a bit. it should be stable by now. In order not to fetch generated files, or big files which you already have backed-up in another location, the following filenames are excluded from the files backed-up : - Data-Secondary - *-nobackup - cache If you have programs, or websites, with temporary, cache, or template-generated files, which can be regenerated by the software and does not need to be saved, please tell us, so we can add an exclude pattern. If you have big growing files (like irc logs from epoch), and as our software is not yet able to fetch the diff only, we'd like you to split the files regularly, so as not to fetch tens of megabytes per file, per software, per user, per day (incremental daily backup). This is to save our backup capacity, thanks. === Mail === Saturday, you might have experienced, if not taking advantage of the shining sun, a few hours of unavailable incoming mails, and unavailable roaming outgoing mails. This was due to a migration i was unable to plan with the current amount of work at office, sorry. Our mail delivery software, as long as our anti-SPAM software, were upgraded. Along with a few interesting bug fixes and performance enhancements, we've gained the following new features : - full IMAP namespace support (the old 'INBOX.' private namespace is replaced by the '' namespace, inherited from our old architecture using Courier-IMAP, thus getting rid of this ugly prefix; the old one is still working, even if hidden, to allow smooth migration, but is gonna be removed in a month or two, so please update your IMAP clients) - new IMAP extensions (see Dovecot 1.1.x changelog for details) - new SIEVE extensions (include, body, copy) - SPAM filtering enhanced message analysis (new OSB tokenizer) In the past, i advised you to use 'sieve-connect' to manage your SIEVE scripts. So you'd be happy to know recent sieve-connect software (the one in Lenny at least), does not require a patch anymore, and is working quite well. === Webmail === (webmail.duckcorp.org and webmail.hurdfr.org) A few enhancements have been done: - a working spellchecker (finally!) (just ask if you need extra languages) - visual enhancements and flag management - alternative (and experimental) filters using SIEVE (can only edit its own scripts, no active script selection, own script auto-selected) === Webdesk === (webdesk.duckcorp.org) A few enhancements have been done (a few weeks ago, indeed): - global upgrade with many fixes and a _slight_ speed enhancement - a working spellchecker (finally!) (just ask if you need extra languages) - DIMP now available (dynamic version of IMP, still incomplete) - MIMP (light IMP for mobile phones) was available but broke; it has been repaired, but not all phone browsers can be detected yet (just ask if you want one to be added) - a bug triggered when people logged in with different cases of their login resulted in calendars/tasks//notes/... data to be considered owned by multiple accounts; it has been fixed === Quotas === In the DC world, quotas does not mean you have to swim in a glass or die. We have a limited amount of space, this is true, but we'll try to give you as much space as you need. If you don't ask for huge amounts, you'll never have to give us a reason. The goal for quotas, is to give you a report on the resources you're using, and asking you gently to tidy your room once in a while. Then, try first to do with your current amount, and if you need more, just ask, we'll give you more if possible with great pleasure. Quotas have been activated for mails this week. The default is 512Mo. People already above this value have been automatically given a higher amount suitable for their needs. The webmail and webdesk have been updated to display your quota usage. Filesystem quotas, for those having a shell account, is to be implemented in the future. === IRC === We are experimenting a new version of our dear IRC server software, with a few interesting features, like secure connections. You can read more about it, and instructions to help testing it on a dedicated test server (nevertheless linked to the network), here: ftp://ftp.duckcorp.org/duckcorp/ircd-test.txt === Dev === The work on RCS hosting has begun, but at the moment still restricted to people with shell access. The tla/baz webdav access is still not working, nevertheless, the git RCS is now supported. You can find a summary of available tools here: https://rcs.duckcorp.org/ A project manager has been installed recently, and can host your Free-software developments if you like (just ask). You can see it running here: https://projects.duckcorp.org/ === Restricted Access Helpers === If you have a restricted access to the web at work/school/during vacation/..., you may still access a few services. First, IRC access is available using the alternative 6669 port (and i know you can't live without it ;-). You may also use the web access using https://irc.milkypond.org/. Then, SSH access is available through the alternative host portal.duckcorp.org (both IPv4 and IPv6) using port 80 or 443. === Call for Donations === Since the first steps of DuckCorp, in early 2000, this is _the_first_time_ we ask for financial help. As our network is not very big, we don't need plenty of big machines, but sometimes disasters occurs, or upgrades are necessary (and even sometimes our brand new machine is cursed). Since then, the network has been working as follow: - main hardware expenses using Duck's personal money (thousands of euros since the beginning) - a HD donation from an anonymous donor for our backup machine (replaced since then) - bandwidth is completely sponsored by Hivane - housing of Toushirou is a monthly 41.56€ cost (since august 2007) - housing of Orfeo was sponsored by Nerim and is now sponsored by an anonymous provider - DuckCorp DNS domain is paid by Duck - MilkyPond DNS domain is sponsored by Rtp We've been quite unlucky several times, and i had to choose between stopping a great deal of DC's activities or push things again. I've always been willing to provide free-of-charge services, and that's still my wish. DC is not an official association (yet?), and anyhow we do not want to add subscription fees. Nevertheless, personal donations are still possible, so, if you feel like it, and if you can afford it, a small donation would be very helpful for the budget. === Call for Help === There's another resource we lack much these days: workforce. The DC's admin team has always been quite small, due to several trust issues and difficulties to find motivated persons. Currently, Arnau is quite unavailable since a few months, and i can't personally cope with all the requested tasks. That's why critical tasks are still done, but other tasks suffer delay or even are not done. I don't think the situation is bad, compared to other associations (or even to office), but that's not completely satisfactory. If one of you: - is motivated - has time to spend in a _regular_ manner - accept to work on delightful projects as well as boring maintenance tasks - has at least basic knowledge in system/network administration - is able to work in a team led by a demanding(dreadful?) Duck then mail us explaining the grounds of your motivation, the extent of your knowledge, and why we should trust you (as we won't just give away root access). We'll check through any serious application. How many still alive ? ;-) -- Marc Dequènes (Duck)

1 0

SSH access broken on all machines
by DuckCorp Admin Team 27 Aug '08

27 Aug '08

Coin, Unfortunately, after an "apparently" successful upgrade this night, SSH servers on upgraded machines were not restarted correctly or crashed. Consequently it is no more possible to log into Orfeo, Toushirou, or Elwing. A rescue action is planned this evening for Elwing and Toushirou, so they should be available again soon. We have a plan for Orfeo too, but i cannot tell you when it will be aplicable. Nevertheless, in a few days everything should be alright. For tests purposes and also to switch to a newer kernel, these machines will be restarted, so your sessions will die, sorry. Maintaining and upgrading machines is a delicate and sometimes difficult task. We really try to handle this process as smoothly as possible and we are very sorry for the inconvenience. Other services are unaffected. Do not hésitate mailing us if you need assistance (or via IRC). -- Marc Dequènes (Duck)

1 1

Extraordinary Maintenance
by DuckCorp Admin Team 15 Jul '08

15 Jul '08

Coin, During 2008-07-16 evening, between 20:00 and 21:00, our main server Orfeo is to be moved to a new space in our sponsor's achitecture. A short downtime is planned, during which several services will be completely unreachable (primary mail services MX1/IMAPS/POP3S/SIEVE/Webmail/..., NS1, IRC Services, Postgres, NTP). Other services are replicated and should not be bothered. Have Fun ! -- Marc Dequènes (Duck)

1 0

Bad News but Alive
by DuckCorp Admin Team 22 Jun '08

22 Jun '08

Coin, === Toushirou Reboots === Even if the kernel seems less bloated, regular reboot are necessary. Be sure we only resort to this solution when really there are unsolvable problems due to kernel oops or brokeness. A few days ago it was necessary, then the next one should be in a month or two. This does not really affect availability of services, as this is a matter of minute before everything is up again, but people using screens would be annoyed. === HQ Technical Problems === Due to an unfortunate accident in the HQ while moving in furniture, both the firewall and backup machine were chocked. Result is the firewall hard drive is injured, and even if the machine is still working fine, it may probably not survive a reboot. The lack of hosted services on this machine should not be a problem as there is no more important external services not available outside, but you should understand lags from my part, as i may suddenly have no internet connection, or be busy repairing. The backup machine is not responding, and my screen died by the way, so i'm currently blind. According to the strange sounds coming from it, it seems the hard drive is out of order. Then, starting from now, you shouldn't count on us having an available backup of your data, and it might even be impossible to recover older backups (as we are not rich enough to backup the backup). Orfeo and Toushirou should continue working quite fine, but please backup your crucial data in case we are not able to repair everything fast enough before another problem arise. May the heat stops injuring machines, and god bless them to avoid disasters again... -- Marc Dequènes (Duck)

1 0

Security Problems and Miscellenous Other Changes
by DuckCorp Admin Team 15 May '08

15 May '08

Coin, As Usual, we are so busy, we didn't really have time to give much news. Follows a few unsorted news, to quickly feel the gap. === Security Problem === Due to a "BIG security issue"[1] in Debian, our software was quickly upgraded to fix the issue, but this is not sufficient, and keys/certificates are weak and must be regenerated. For the SSH host keys, they are being regenerated today, and new fingerprints will be advertised in DNS via SSHFP entries (there is no validation of such entries yet, but better than nothing). That is to say: you SHOULD verify you get the following message when you try to log back to our machines after removing the old keys in '~/.ssh/known_hosts' : Matching host key fingerprint found in DNS. Complete session initialization would be like the following : # ssh root(a)toushirou.duckcorp.org The authenticity of host 'toushirou.duckcorp.org (2001:7a8:800:6666::1)' can't be established. RSA key fingerprint is 77:40:c9:c1:f3:cc:17:22:67:50:8d:3d:1f:39:bd:46. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? For the user's SSH keys, you should take care of them yourself, and verify your ones are not weak with the Debian provided tool. Soon they will be blacklisted and won't work anymore (and you know you cannot log into DC's machine with passwords). If you could not fix your keys and '~/.ssh/authorized_keys' in time, just contact us to manually insert a new key. For the services' certificates, they are being regenerated soon too, and as our CA (certificate authority) is not compromized, it should be invisible to you. === HQ Unavailability === A few weeks ago, you might have expirienced unavailabilit of the HQ ans the few public services services hosted in there. The ADSL problem seems to be closed, and we are trying to improve service redondancies for the future. === Jabber Issues === As said above, we are trying to improve HQ hosted services availability, and Jabber is one of the most important ones. We added another jabber server to make a cluster, which is totaly invisible to the users. Unfortunately, it was more difficult than expected, and the downtime was followed by a long time with screwed up rosters. We managed to reinject rosters, but with a not so fresh backup. Most of our contacts were retrieved, thought, and it should be working fine now. === Backup Downtime === We just managed to restart our backup server which was down because of hardware problems during about 3 weeks. Seems fresher stuff is needed here. === Homes Synchronization === Arnau worked well coding a nice script which daily synchronize hidden files/directories in you home (those begining with a dot, mostly configuration files) accross our machines. People allowed to log into several machines won't have to manually copy their configuration files and keys and stuff. Have FUN... :-/ [1] http://www.us.debian.org/security/2008/dsa-1571 -- Marc Dequènes (Duck)

1 0