Tue, 30 Mar 2004
sysvinit config
By default, /etc/inittab has six virtual terminals active, which wastes memory that could be used for something else. Besides, if you want virtual terminals, you can (and should) install and use screen, which works better anyway.
Yes, I know that the memory saved by doing this is only a meg or so, but I still have a couple of machines in use where an extra meg is useful.
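As an added illustration (my own script, not something from the original post), here is a small shell function that comments out the extra getty entries in an inittab-style file, leaving only the first N consoles active. It assumes the usual Debian-style line layout (`N:runlevels:respawn:/sbin/getty ... ttyN`); the sample inittab it works on is constructed inline, so you can try it on a copy before touching /etc/inittab and then run `telinit q` to make init re-read the file.

```shell
#!/bin/sh
# Added example: trim the virtual-terminal gettys in a sysvinit inittab.
# Assumes Debian-style lines of the form "N:levels:respawn:/sbin/getty ... ttyN".

# trim_gettys FILE KEEP
# Comments out every respawn getty entry for ttyN with N > KEEP.
trim_gettys() {
    file=$1
    keep=$2
    tmp="$file.tmp"
    awk -F: -v keep="$keep" '
        # only the getty lines are candidates; everything else passes through
        $3 == "respawn" && $4 ~ /getty.*tty[0-9]+$/ {
            n = $4
            sub(/.*tty/, "", n)          # isolate the console number
            if (n + 0 > keep) { print "#" $0; next }
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_gettys FILE
# Prints how many getty lines are still active (not commented out).
active_gettys() {
    grep -c '^[0-9]*:[0-9]*:respawn:.*getty' "$1"
}

# Constructed sample inittab (Debian layout) used for the demonstration.
sample_inittab() {
    cat <<'EOF'
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
EOF
}

# demo: keep two consoles (one to log in on, one spare) and report the count.
demo() {
    f=$(mktemp) || return 1
    sample_inittab > "$f"
    trim_gettys "$f" 2
    active_gettys "$f"    # prints 2
    rm -f "$f"
}
```

Keeping two consoles rather than one gives you a spare if a login on the first wedges; on a real box, run it as `trim_gettys /etc/inittab 2` after backing the file up.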
[/config/sysvinit] permanent link
monit config
monit is a daemon-watching daemon. It’s designed to monitor the status of services on the local host and restart them automatically if they should crash. If you’ve ever accidentally nuked sshd on a remote host, you’ll probably dig monit. I also use monit to automatically restart daemons that have been updated using a cluster distribution tool like systemimager.
Here is the monit configuration that I use. This config is designed to restart daemons that have failed, and to watch for changes to local binaries and configuration files, restarting the daemons if appropriate.
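To show what that kind of config looks like, here is an added monitrc fragment covering sshd (my illustration, not the author's actual file). It restarts sshd if the process dies or stops answering on port 22, and restarts it when the binary or sshd_config changes on disk, which is the case after a cluster distribution tool pushes an update. The pidfile and init script paths are Debian-style assumptions; adjust them for your distribution.

```conf
set daemon 120                          # poll every two minutes
set logfile syslog facility log_daemon

# Restart sshd if it dies or stops answering; stop retrying if it flaps.
check process sshd with pidfile /var/run/sshd.pid
    start program = "/etc/init.d/ssh start"
    stop program  = "/etc/init.d/ssh stop"
    if failed port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout

# Restart sshd when its binary or config is replaced (e.g. after a push
# from a cluster distribution tool). The checksum is recorded on first run.
check file sshd_binary with path /usr/sbin/sshd
    if changed checksum then exec "/etc/init.d/ssh restart"
check file sshd_config with path /etc/ssh/sshd_config
    if changed checksum then exec "/etc/init.d/ssh restart"
```

The `timeout` line matters: without it a broken config would have monit restarting sshd every cycle forever, and the restart loop is noisier in syslog than the original failure.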
[/config/monit] permanent link
NTP Config
The guys over at JuiceCo have a great page on NTP configuration. Rather than reproducing their excellent work here, I suggest that you go there and check them out instead.
BIND9 policy
Data that is stored in the DNS is public; trying to put things into the DNS that shouldn’t be public and then adding a bunch of ACL and TSIG controls is usually counterproductive. It is okay to use IP ACLs to limit RFC 1918 leakage; however, you should probably figure out why external hosts are asking you for your internal IP addresses anyway.
The authoritative nameservers will not offer recursive nameservice to anyone outside of controlled subnets.
All autoupdating hosts should run a local caching nameserver that will perform recursive DNS lookups for anyone by default. The firewall policy should block unwanted external querying of these nameds. This allows for rapid disaster recovery should your site caching nameservers go away.
All nameds should use the primary caching nameds as forwarders. This reduces the amount of DNS traffic.
All “client” hosts should use a subnet local caching nameserver, if one exists. Otherwise, use the primary caching nameservers.
Nameservers should use TSIG whenever possible.
The TSIG shared secret should be changed at least once per year.
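As an added example of how these policies land in a named.conf (my illustration, not the author's configuration), here is a fragment for an authoritative named: recursion is limited to the controlled subnets, everything else is forwarded to the site caching nameds, and TSIG is required on zone transfers and on traffic with the peer named. The addresses, zone name and key name are constructed; the secret is a placeholder to be replaced with the output of dnssec-keygen.

```conf
// Subnets allowed to recurse through this named (constructed example ranges).
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

// TSIG key shared with the other nameds. Generate the secret with
// dnssec-keygen and rotate it at least yearly, per the policy above.
// hmac-md5 was the only TSIG algorithm in BIND 9.2/9.3; BIND 9.4 and later
// also accept hmac-sha256, which should be preferred where available.
key "site-xfer" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";   // placeholder, not a real key
};

options {
    directory "/var/cache/bind";
    // authoritative server: no recursive service for outsiders
    allow-recursion { internal; };
    // send everything we are not authoritative for via the site caches
    forwarders { 10.0.0.53; 10.0.1.53; };
    forward first;
};

// Sign all traffic to the primary caching named with the shared key.
server 10.0.0.53 { keys { "site-xfer"; }; };

zone "example.org" {
    type master;
    file "db.example.org";
    // only TSIG-signed transfer requests get a copy of the zone
    allow-transfer { key "site-xfer"; };
};
```

Run `named-checkconf` after editing; a secret that is not valid base64, or a `server` statement naming a key that is not defined, is rejected at load time rather than at first transfer.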
[/config/bind9] permanent link
Two deploys in two days make Mark something something…
Well, we released Second Life 1.3 on Monday, and then issued a quick patch this morning. Two early-morning deploy days wipe me out.
Folks seem to be liking the new feature set; I need to go play with it for a while so I have some idea of what’s going on in-world.
Tired.
NTP policy
All hosts should be in the UTC timezone (Etc/UTC). Users should be encouraged to override this setting via the TZ environment variable.
All hosts should run an NTP client. Too many security and communication systems depend on the correct time.
There should be two site primary NTP servers that query external higher stratum servers. Good choices for these are the same hosts that are your primary caching DNS servers.
Each subnet should have an NTP server acting as a broadcast server. These should reference the primary NTP servers only, to reduce external traffic.
The default NTP client config should just listen for broadcast NTP announcements.
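To make the three roles concrete, here is an added set of ntp.conf fragments (my illustration, not the author's files) for a site primary, a per-subnet broadcast server, and a default client that only listens for broadcasts. The primaries reuse the caching DNS hosts' addresses from the BIND section as the policy suggests; all addresses, the upstream server names and the key file path are constructed assumptions. Broadcast associations are authenticated with a symmetric key because ntpd rejects unauthenticated broadcasts unless authentication is explicitly disabled.

```conf
# --- site primary NTP server (same host as a primary caching DNS server) ---
server 0.pool.ntp.org            # upstream references; use your provider's
server 1.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
# Outsiders get nothing; internal subnet servers may query but not modify.
restrict default ignore
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer
restrict 127.0.0.1

# --- per-subnet broadcast server: references the site primaries only ---
server 10.0.0.53
server 10.0.1.53
broadcast 10.0.2.255 key 1       # announce on this subnet, signed with key 1
keys /etc/ntp/keys               # file holds lines of the form "1 M <secret>"
trustedkey 1
restrict default ignore
restrict 10.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1

# --- default client: just listen for authenticated broadcasts ---
broadcastclient
keys /etc/ntp/keys
trustedkey 1
restrict default ignore
restrict 10.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1
```

The client's `restrict` lines still have to admit the broadcast server's subnet: `restrict default ignore` alone would drop the announcements, and the client would silently never sync. `ntpq -p` on the client should show a broadcast association with the subnet server after a few polling intervals.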