Tag Archives: CentOS

System running out of memory: create a swap file

If you have a virtual private server (VPS) and are getting errors like “system running out of memory,” you may want to double check whether you’re using a swap volume or file.

Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. (source)

Continue reading

Managing file and folder permissions when deploying with Git

Preface

I use Git as a version control and deployment system. When a website gets pushed to a server, all files get pulled into the web root (i.e. htdocs) by a user named git executing git pull in the post-receive hook.

By default, all files and folders git creates have 664 and 775 permissions, respectively, and are owned by that user. 664 means the owner and group can read and write, and everyone else can only read; 775 means the owner and group can read, write and execute, and everyone else can only read and execute. (That's a mouthful!)

-rw-rw-r-- 1 git  git   30 Aug  15  23:04 test-file.txt
drwxrwxr-x 1 git  git  102 Aug  15  23:04 test-directory

Now, in a case where you need a folder in htdocs to be writable by another user, such as apache for, say, a caching system, you need to be able to set those particular permissions accordingly.

To accomplish this, you really only have two options:

  1. Set permissions of files to 666 and folders to 777
  2. Set the owner or group to apache (or a group that apache is a member of)

Personally, I favor restrictive permissions over convenience, so option #1 is out, which means we’re going to take a look at how to implement option #2.
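As an added example (not code from the original post), here is a small Python audit that parses ls -l output, converts each mode string to its octal form as the paragraph above does by hand, and reports whether an entry is writable by a second user via option #1 (world-writable) or option #2 (group write with that user's group). The listing, the group name apache and the cache directory names are constructed for the example.

```python
import stat

# Constructed sample listing in ls -l format (not taken from a real server);
# the "cache-option*" entries illustrate the two options discussed in the post.
SAMPLE_LISTING = """\
-rw-rw-r-- 1 git git 30 Aug 15 23:04 test-file.txt
drwxrwxr-x 1 git git 102 Aug 15 23:04 test-directory
drwxrwxrwx 1 git git 102 Aug 15 23:05 cache-option1
-rw-rw-rw- 1 git git 12 Aug 15 23:05 cache-option1/index.php
drwxrwsr-x 1 git apache 102 Aug 15 23:06 cache-option2
"""

# The nine permission columns of an ls -l mode string map to these bits, in order.
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)


def mode_string_to_bits(mode: str) -> int:
    """Convert a 10-character ls -l mode string (e.g. '-rw-rw-r--') to mode bits.

    Handles the s/S (setuid, setgid) and t/T (sticky) variants of the execute
    columns; the leading file-type character is ignored.
    """
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    bits = 0
    for col, ch in enumerate(mode[1:]):
        flag = _PERM_BITS[col]
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= flag
        elif ch in "sS" and col in (2, 5):
            bits |= stat.S_ISUID if col == 2 else stat.S_ISGID
            if ch == "s":
                bits |= flag  # lower-case: execute bit is set as well
        elif ch in "tT" and col == 8:
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= flag
        else:
            raise ValueError(f"unexpected {ch!r} in column {col} of {mode!r}")
    return bits


def classify(bits: int, group: str, writer_group: str = "apache") -> str:
    """Say how (if at all) writer_group gets write access to an entry."""
    if bits & stat.S_IWOTH:
        return "world-writable (option 1)"
    if bits & stat.S_IWGRP and group == writer_group:
        return f"writable via group {writer_group} (option 2)"
    return "not writable by " + writer_group


def audit_listing(listing: str, writer_group: str = "apache") -> list:
    """Parse ls -l output into (name, octal mode, classification) tuples."""
    results = []
    for line in listing.splitlines():
        # Columns: mode, links, owner, group, size, month, day, time, name
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        mode, group, name = parts[0], parts[3], parts[8]
        bits = mode_string_to_bits(mode)
        results.append((name, f"{bits:o}", classify(bits, group, writer_group)))
    return results


if __name__ == "__main__":
    for name, octal, verdict in audit_listing(SAMPLE_LISTING):
        print(f"{octal:>5}  {verdict:<40}  {name}")
```

The setgid directory (mode 2775 in the sample) is the shape option #2 usually ends up in: new files created inside it inherit the directory's group, so the git user's pulls keep landing in a group that apache belongs to without anything becoming world-writable.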

Continue reading

Manually install stable version of APC in CentOS

First you’ll want to make sure you have all required packages installed:

yum install php-pear php-devel httpd-devel pcre-devel gcc make

Most tutorials will now say to use PECL to install APC:

# pecl install apc
downloading APC-3.1.13.tgz ...
Starting to download APC-3.1.13.tgz (171,591 bytes)

But that actually installs the latest version, even if it’s in beta (in this case it is), so we’ll actually manually download and install it.

Continue reading

SELinux: AVC denied read for postfix

I recently installed dovecot and postfix (postfix how-to documentation) on a server running an optimized and hardened version of CentOS 5.6 (LAMP):

yum install postfix dovecot system-switch-mail system-switch-mail-gnome

After starting both services:

/etc/init.d/dovecot start
/etc/init.d/postfix start

I noticed several log entries in /var/log/messages:

Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.556:695): avc:  denied  { read } for  pid=4545 comm="smtpd" name="hosts" dev=sda1 ino=803366 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.588:696): avc:  denied  { read } for  pid=4545 comm="smtpd" name="localtime" dev=sda1 ino=803387 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
[...]

Those logs were generated by SELinux, and if I had to guess, that’s what the “hardened” part refers to in the CentOS server image name.

Here is what it does in a nutshell:

By default under a strict enforcing setting, everything is denied and then a series of exception policies is written that gives each element of the system (a service, program or user) only the access required to function.
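As an added example (not code from the original post), the Python below parses AVC messages like the two quoted above into their fields and tallies denials by process, source type, target type, object class and permission, which is the grouping you need before deciding whether a file is mislabelled or a policy exception is missing. The first two sample lines mirror the post's entries; the granted line and the sshd line are constructed to show a non-denial and a non-AVC line being handled.

```python
import re
from collections import Counter

# Constructed sample log: lines 1-2 mirror the entries quoted in the post,
# lines 3-4 are invented to exercise the "granted" and non-AVC paths.
SAMPLE_LOG = """\
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.556:695): avc:  denied  { read } for  pid=4545 comm="smtpd" name="hosts" dev=sda1 ino=803366 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.588:696): avc:  denied  { read } for  pid=4545 comm="smtpd" name="localtime" dev=sda1 ino=803387 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
Aug  1 08:32:10 vps kernel: type=1400 audit(1375518730.001:697): avc:  granted  { read } for  pid=4550 comm="imap-login" name="passwd" dev=sda1 ino=803400 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Aug  1 08:32:11 vps sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 52222 ssh2
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": values are either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str):
    """Parse one syslog line; return a dict for an AVC message, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        fields[key] = bare if bare else quoted
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "tclass": fields.get("tclass", ""),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
    }


def summarize_denials(log: str) -> Counter:
    """Count denials keyed by (comm, source type, target type, tclass, permission)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"], perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        comm, src, tgt, tclass, perm = key
        print(f"{n:3d}  {comm:<12} {src:<20} -> {tgt:<12} {tclass:<10} {perm}")
```

Grouping by source and target type rather than by file name is what makes the output actionable: in the post's two entries the target type is file_t, which on a targeted policy is what a file carries when it has no SELinux label at all, so the first thing to check is whether those files under /etc need relabelling, not whether postfix's own policy is missing a rule.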

Continue reading