
2013/01/26

PHP5 FastCGI init.d script for Debian/Ubuntu

Recently I have been using Nginx + PHP5 FastCGI as my new web platform, and I needed an init.d script for PHP5 FastCGI. Writing one from the Debian init script skeleton is not difficult.

First of all, make sure to install php5-cgi and spawn-fcgi.

sudo apt-get install php5-cgi spawn-fcgi
Second, create the /etc/init.d/php-fastcgi script, as below:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          php-fastcgi
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: PHP5 FastCGI mode
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO

# Author: Yi Zhao

# Do NOT "set -e"

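# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Service"
# NAME is the process name matched by "start-stop-daemon --name"; it also
# selects the /etc/default/$NAME override file and the pidfile name.
NAME=php5-cgi
# Account the PHP workers are switched to (spawn-fcgi -u/-g in DAEMON_ARGS).
# PHP code runs with this account's file permissions, so keep it unprivileged.
FASTCGI_USER=www-data
FASTCGI_GROUP=www-data
# Unix socket the web server connects to (spawn-fcgi -s).
SOCKET=/var/run/php-fastcgi.sock
PHP5=/usr/bin/php5-cgi
PIDFILE=/var/run/$NAME.pid
# The script is installed as /etc/init.d/php-fastcgi (see "Provides:" in the
# LSB header), not /etc/init.d/$NAME, so the usage message names that path.
SCRIPTNAME=/etc/init.d/php-fastcgi
CHILDREN=2
DAEMON=/usr/bin/spawn-fcgi
# Expanded once, here: changing SOCKET, CHILDREN, PIDFILE, ... later does not
# alter DAEMON_ARGS.
DAEMON_ARGS="-s $SOCKET -C $CHILDREN -P $PIDFILE -u $FASTCGI_USER -g $FASTCGI_GROUP -f $PHP5"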

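# Exit quietly if either binary is missing (for example when the package was
# removed but this script was left behind). Two separate tests replace the
# obsolescent and ambiguous "-a" operator of test(1).
if [ ! -x "$DAEMON" ] || [ ! -x "$PHP5" ]; then
        exit 0
fi

# Read configuration variable file if it is present.
# The file is sourced, i.e. executed, with the privileges of this script
# (root when run by init), so it must be owned by root and not writable by
# any other account.
# DAEMON_ARGS was already expanded above: overriding SOCKET, CHILDREN or
# PIDFILE in that file has no effect on the spawn-fcgi command line unless
# DAEMON_ARGS is overridden there as well.
if [ -r "/etc/default/$NAME" ]; then
        . "/etc/default/$NAME"
fi

# Load the VERBOSE setting and other rcS variables
#. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions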

#
# Function that starts the daemon/service
#
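do_start()
{
        # Start the FastCGI pool unless it is already running.
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        #
        # spawn-fcgi exits after launching the workers, and the pid it writes
        # (-P in DAEMON_ARGS) belongs to a php5-cgi process. The running
        # instance is therefore matched against $PHP5; matching against
        # $DAEMON never finds it, and a second "start" would be reported as a
        # failure instead of "already running". --startas names the launcher
        # that is actually executed.
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$PHP5" --test > /dev/null \
                || return 1
        # DAEMON_ARGS stays unquoted on purpose: it is a space-separated
        # option list that has to be split into words.
        # shellcheck disable=SC2086
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$PHP5" \
                --startas "$DAEMON" -- $DAEMON_ARGS \
                || return 2
        # Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.
        return 0
}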

#
# Function that stops the daemon/service
#
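do_stop()
{
        # Stop the FastCGI pool and remove its pidfile.
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        #
        # All expansions are quoted: this runs as root, and an unquoted
        # PIDFILE containing spaces or glob characters (for instance from an
        # /etc/default override) would make "rm -f" act on other paths.
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # NOTE: this second call matches by process name only, so it also
        # terminates php5-cgi processes that were not started by this script
        # (another pool, another user's instance). Drop it or narrow it if
        # more than one php5-cgi pool runs on the host.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --name "$NAME"
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f -- "$PIDFILE"
        return "$RETVAL"
}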

#
# Function that sends a SIGHUP to the daemon/service
#
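do_reload() {
        #
        # Send SIGHUP (signal 1) to the process recorded in $PIDFILE whose
        # name is $NAME. Always returns 0, whatever start-stop-daemon reports.
        #
        # NOTE(review): nothing calls this function; the reload branch of the
        # dispatcher is commented out. Whether php5-cgi re-reads its
        # configuration on SIGHUP is not shown here; confirm before enabling.
        #
        # PIDFILE and NAME are quoted so a value containing spaces cannot turn
        # into extra start-stop-daemon arguments.
        start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE" --name "$NAME"
        return 0
}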

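# Dispatch on the action passed by init (or by the administrator).
# Unknown actions print the usage line on stderr and exit with status 3.
case "$1" in
  start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  status)
        # spawn-fcgi ($DAEMON) exits once the workers are up, so asking for
        # its status always reports "not running". Check the php5-cgi
        # process recorded in the pidfile instead.
        status_of_proc -p "$PIDFILE" "$PHP5" "$NAME" && exit 0 || exit $?
        ;;
  #reload|force-reload)
        #
        # If do_reload() is not implemented then leave this commented out
        # and leave 'force-reload' as an alias for 'restart'.
        #
        #log_daemon_msg "Reloading $DESC" "$NAME"
        #do_reload
        #log_end_msg $?
        #;;
  restart|force-reload)
        #
        # If the "reload" option is implemented then remove the
        # 'force-reload' alias
        #
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
  *)
        #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac

# Finish with status 0 for start/stop/restart, whatever the last command returned.
: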
Add php-fastcgi into the start list

sudo update-rc.d php-fastcgi defaults
This will start the service in runlevels 2, 3, 4 and 5.

2011/01/28

Access Ubuntu GPG Keyserver behind restrict firewall

Ubuntu PPA is a very good mechanism for extending the apt source list, but it requires installing a new GPG public key for each PPA repository. That isn't a big problem for users who are not behind a restrictive firewall.

The Ubuntu keyserver uses the standard GPG keyserver port, keyserver.ubuntu.com:11371, which a restrictive firewall will block. Since Ubuntu.com has also enabled port 80 on the keyserver, we can add some options to make gpg use hkp on port 80 to reach it.


For my example,
gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver hkp://keyserver.ubuntu.com:80 --keyserver-options http-proxy=http://webproxy.yourdomain.com:80 --recv 36E81C9267FD1383FCC4490983FBA1751378B444


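With this, we can retrieve the GPG key through the restrictive firewall. :) Because hkp on port 80 is plain HTTP going through a proxy, and the key lands in apt's trusted keyring, request it by its full fingerprint as above and afterwards compare the imported key's fingerprint (for example with apt-key finger) against the one published on the PPA page.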

2007/06/21

Installation Debian/Ubuntu over SSH

Using debootstrap, it is possible to install Debian or Ubuntu from inside a running Linux machine without booting from floppy/CD/USB/network. It is really fun.

2007/01/31

Bash新手指南

今天又看到了 BASH 的新手指南,网络上中文的东西越来越多了!
只不过又是翻译作品,希望今后有越来越多的中文原创!

2006/10/24

802.1X is working under my Ubuntu Linux

Finally my Ubuntu Linux is authenticated against the Windows IAS 802.1X RADIUS server. Thanks Xsupplicant, and thanks to the Open1x project for providing us with such a great tool.
今天, 我的 Ubuntu Linux 终于可以通过公司的 802.1X 端口认证了。非常感谢 Xsupplicant, 感谢 Open1X 小组为我们提供的工具。

Before configuring your Linux box, you should look carefully at your Windows configuration. In fact M$ Windows doesn't support many authentication methods. Windows 2000 with the wireless authentication patch supports only 3 types of EAP (PEAP, MD5-Challenge, and Smart-card or Certificate). MD5-Challenge is too weak, and smart cards aren't widely deployed. So PEAP is the proper, maybe the only, choice for Windows.
在开始配置你的 Linux 前,我们需要仔细察看 Windows 中802.1X的协议设置。实际上,在 Window 系统中,对以太网卡并不支持很多的认证方法。对于应用了微软无线认证补丁的 Windows 2000 中只支持三种 EAP 方法(PEAP, MD5-Challenge, and Smart-card or Certificate)。实际上基于 MD5 的认证方式实在是太脆弱了,而 Smart-Card 的应用实际上也不广泛。因此 PEAP 实际上是可以使用的唯一选择。

Under the Linux, there are some tricks for the Xsupplicant configurations. See the sample PEAP-example.conf below:


# This is an example configuration file for xsupplicant versions after 0.8b.

### GLOBAL SECTION

# network_list: defines all of the networks in this file which
# should be kept in memory and used. Comma delimited list or "all"
# for keeping all defined configurations in memory. For efficiency,
# keep only the networks you might roam to in memory.
# To avoid errors, make sure your default network is always
# in the network_list. In general, you will want to leave this set to
# "all".

network_list = all
#network_list = default, test1, test2

# default_netname: some users may actually have a network named "default".
# since "default" is a keyword in the network section below, you can
# change which is to be used as the replacement for this keyword

default_netname = default
#default_netname = my_defaults

# When running in daemon, or non-foreground mode, you may want to have the
# output of the program. So, define a log file here. Each time XSupplicant
# is started, this file will be replaced. So, there is no need to roll the
# log file.
logfile = /var/log/xsupplicant.log

# The auth_period, held_period, and max_starts modify the timers in the state
# machine. (Please reference the 802.1x spec for info on how they are used.)
# For most people, there is no reason to define these values, as the defaults
# should work.

#auth_period = 30
#held_period = 30
#max_starts = 3

### NETWORK SECTION
# The general format of the network section is a network name followed
# by a group of variables.

# Network names may contain the following characters: a-z, A-Z, 0-9, '-',
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.

## The default network is not a network itself. These values are
## the default used for any network parameters not overridden
## in another section. If it's not in your network configuration
## and not in your default, it won't work!!

default
{
# type: the type of this network. wired or wireless, if this value is not
# set, xsupplicant will attempt to determine if the interface is wired or
# wireless. In general, you should only need to define this when
# xsupplicant incorrectly identifies your network interface.
type = wire # For your Ethernet card.

# wireless_control: If this profile is forced to wired, this will not do
# anything. However, if the interface is forced, or detected to be wireless
# XSupplicant will take control of re/setting WEP keys when the machine
# first starts, and when it jumps to a different AP. In general, you won't
# need to define, or set this value.
# wireless_control = yes

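# allow_types: describes which EAP types this network will allow. The
# first type listed will be requested if the server tries to use something
# not in this list.
# Since only PEAP is needed for this network, consider listing just that
# type instead of "all", so that a weaker method such as MD5 cannot be
# negotiated.
# allow_types = eap_tls, eap_md5, eap_gtc, eap-otp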
allow_types = all

# identity: what to respond with when presented with an EAP Id Request
# Typically, this is the username for this network. If this is a string
# that does not contain any spaces, or unusual characters, it can be listed
# plain. Otherwise, it should be enclosed in quotes.
identity = "DOMAIN\USERID" # For window based 802.1X RADIUS, it should be DOMAIN\USER

# Force xsupplicant to send its packets to this destination MAC address.
# In most cases, this isn't needed, and shouldn't be defined.
#dest_mac = 00:aA:bB:cC:dD:eE

eap-peap {
inner_id = USERID # Only UserID
# As in tls, define either a root certificate or a directory
# containing root certificates. If the path contains spaces, or unusual
# characters, enclose it in quotes.

# The trusted root cert can be exported from Windows in DER format
# and converted to PEM format with openssl under Linux
# (<exported>.cer is a placeholder for the exported file):
# openssl x509 -inform DER -in <exported>.cer -outform PEM -out root.crt
root_cert = /path/to/root/certificate
root_dir = "/path /to /root /certificate /dir"
crl_dir = /path/to/dir/with/crl
chunk_size = 1398
random_file = /dev/random # /dev/random will work for most case.

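# If you don't know the CN of your RADIUS server, you can set cnexact = no.
# The RADIUS server name can be seen in "Xsupplicant -d A" debug mode.
# Once you know the CN, switch back to cnexact = yes: a non-exact match
# presumably accepts more certificates, which weakens the check that you
# are authenticating to your own RADIUS server.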
cncheck = myradius.radius.com
cnexact = yes # Should it be an exact match?
session_resume = yes

#Currently 'all' is just mschapv2
#If no allow_types is defined, all is assumed
allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
#allow_types = eap_mschapv2

eap-mschapv2 {
# ntpwdhash was generated by using "xsup_ntpwdhash " command
ntpwdhash = E653E6452753C97E46792567DFF599B6
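# Don't put your plaintext password here; use the ntpwdhash instead.
# The NT hash is still password-equivalent for MSCHAPv2, so keep this
# file readable by root only.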
#password = "phase2 mschapv2 pass"
}
}
}

# TIP:
#
# 1. Use foreground mode to debug your configuration.
# It will show you everything.
# /usr/sbin/xsupplicant -i eth0 -d A -f
#
# 2. Remove all the unnecessary data cleaned

2006/10/23

802.1X under Linux

The IS department required 802.1X port authentication in the new campus, which really hurt me as a Linux fan. After I switched to my Ubuntu, the network port would be blocked after 30 minutes.

Oh, I found the xsupplicant of Open1X project, it looks like a feasible way to have my Linux box running under the company's 802.1X network.

But there are still some problems need to be solved. Let's do it tomorrow. :) ...
