Full client config looks this way:

tls-client
pull
remote vpn.xxx.xxx
dev tun
ifconfig 10.0.232.2 10.0.232.1
cert [full-path-to-client's-CRT-file]
key [full-path-to-client's-KEY-file]
ca [full-path-to-server's-CA-CRT-file]
comp-lzo
persist-key
persist-tun

Server config is similar:

port 1194
proto udp
dev tun
ca ca.crt
cert vpn-server.crt
dh dh1024.pem
server 10.0.232.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “route 192.168.232.0 255.255.255.0″
client-config-dir ccd
push “dhcp-option DNS 10.0.232.1″
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group daemon
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3

there’s nothing and in ccd/client.

The worst thing was, i could find no solution for My-Link-Not-Working on the Internet:
Both ends use ‘tun’, the subnets are set correctly, i could even see packets arrivint to the VPN end on port 1194.
But no traffic on ‘tun0′, no ping, no connection. That was kind of strange. I was already to swith to ‘tap’ adapter and proceed to bridging, but fortunatelly i’ve read what ‘pull’ means in OpenVPN – “This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note that the –pull option is implied by –client ).”

No idea why, but:
routes were correctly set on both ends;
the firewall was not an issue both on Linux and windows sides;
the magical “pull” made the work done.

…
include /etc/ipsec.d/*.conf

Not sure if ‘agressive mode’ is A Good Idea, but it Just Works
/etc/ipsec.d/partner.conf :

conn partner
type=tunnel
left=$YOUR_PUBLIC_IP
leftid=$YOUR_PUBLIC_IP
leftsubnet=$YOUR_PRIVATE_SUBNET/WITH_MASK
right=$PARTNER’S_PUBLIC_IP
rightid=$PARTNER’S_PUBLIC_IP
rightsubnet=$PARTHENR’S_PRIVATE_SUBNET/WITH_MASK
rightnexthop=$PARTHENR’S_ROUTER_IP
keyingtries=0
pfs=yes
aggrmode=yes
auto=add
auth=esp
esp=3DES-SHA1
ike=3DES-SHA1
authby=secret

/etc/ipsec.secrets

$YOUR_PUBLIC_IP $PARTNER’S_PUBLIC_IP : PSK “verySecretPreSharedKey”

If it’s the very first time you are adding the connection, use

ipsec auto –add partner

If you are editing the existing connection, use

ipsec auto –replace partner

Now, restart IPsec and initiate connection

/etc/init.d/ipsec start
ipsec whack –name partner –initiate

Ah yes, routing:

ip route add $PARTHENR’S_PRIVATE_SUBNET/WITH_MASK via $YOUR_PUBLIC_IP src $YOUR_PRIVATE_IP

SonicWall should be set the same way:

Policy: site-to-site;
Authentication Method: IKE using Preshared Secret
IPSec Primary Gateway Name or Address: $YOUR_PUBLIC_IP
Local IKE ID: IP Address, $PARTNER’S_PUBLIC_IP
Peer IKE ID: IP Address, $YOUR_PUBLIC_IP

IKE (Phase 1) proposal:
Excahnge: Aggressive mode
Encryption: 3DES
Authentication: SHA1
Life Time (seconds) 28800

IPsec (Phase 2) Proposal:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1

Again, not sure if ‘Aggressive mode’ is A Good Idea.

References:
SonicWall NSA 3500
Linux to Sonicwall and also here
Linux to SonicWall TZ190
ipsec.conf (5)
IPsec VPN routing

The miraculous command is

dpkg -l | egrep ^r | cut -d ‘ ‘ -f 3 | xargs apt-get remove –purge -y

What it does?

dpkg -l

list all packages

egrep ^r

print only those matching status ‘r*’. Package status is the first column, so add ‘^’ to match only the lines, beginning with ‘r’ symbol.

cut -d ‘ ‘ -f 3

return selected field only. Usually I add field separator symbol with ‘-d’ option and specify field number with ‘-f’

xargs apt-get remove –purge -y

xargs runs the specified command, appending input from STDIN (you can alter this behaviour vith options). In this case, i’m executing ‘apt-get remove –purge’ command. ‘-y’ swich means ”assume ‘yes’ to all questions” and is needed for apt-get to confirm the removal of packages.

The rest is the magic of pipes.

Why do i write this?

A strange messages were found in the syslog:

Errors when running cron:
    grandchild #2047 failed with exit status 1: 1 Time(s)
    grandchild #2205 failed with exit status 1: 1 Time(s)
    grandchild #2342 failed with exit status 1: 1 Time(s)
    grandchild #2658 failed with exit status 1: 1 Time(s)
    grandchild #2878 failed with exit status 1: 1 Time(s)
    grandchild #2972 failed with exit status 1: 1 Time(s)
    grandchild #30732 failed with exit status 1: 1 Time(s)
    grandchild #30832 failed with exit status 1: 1 Time(s)
    grandchild #30934 failed with exit status 1: 1 Time(s)
    grandchild #3094 failed with exit status 1: 1 Time(s)
    grandchild #31290 failed with exit status 1: 1 Time(s)
    grandchild #32395 failed with exit status 1: 1 Time(s)
    grandchild #3262 failed with exit status 1: 1 Time(s)

In-deep analysis revealed ‘/etc/cron.d/greylistclean’ from package ‘sa-exim’. I don’t use exim and it was replaced by postfix just after installing the system. The file mentioned did not show any signs of miss-formatting until a new version of cron daemon was installed via ‘apt-get dist-upgrade’

On the other hand, if you need to peep into the other system’s files, you need to re-boot. Or use sometimes not so stable filesystem utilities.
Running fully virtualized OS, using eg Xen as supervisor, creates additional load an hardware, maybe not too big when running multiple OS’es on the pretty new server, but significant, if it is a laptop. And yes, you NEED to keep data in-sync between virtual and real OS.
VMware users, please don’t read any more. Yes, you can do it from pre-historic times.

You’ve been warned!

As for VirtualBox, it is possible to add physical drive or disk partition to your VM setup, although no GUI tools exists to accomplish this.
Every step is documented in VirtualBox User’s Guide, but really, who read these guides?
So , excerpts from The Guide, chapter 9:

Step 1: you need to know the partition layout of the drive.

VBoxManage internalcommands listpartitions -rawdisk [physical_drive]

Substitute [physical_drive] for /dev/sd[a-z] if you live in Linux, \\.\PhysicalDrive[0..n] living in windows or /dev/drive[1..n] living in OS X.
Note the numbers. Linux usually has partition type 0×83, windows – 0×07. Not sure about Mac. You need to remember the physical partition you want to use in guest OS.

Step 2: export it to a file. It’s as easy as 1-2-3. And no, not the whole partition, but only some information about the layout of partitions will be saved:

VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/sda -partitions [partition_number] -register

/path/to/file.vmdk must be absolute path. Substitute [partition_number] with the the partition from step 1. Using “-register” automagically registers the image in list of registered images of the VirtualBox.

Step 3: attach the newly created file to a guest and run it.

Some notes: it’s possible to use entire physical disk for VirtualBox:
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk [physical_drive]
Although it is possible, you should ever never launch the currently running system in VirtualBox. You’ve been warned.

Section “InputDevice”
Identifier “Configured Mouse”
Driver “vboxmouse”
Option “CorePointer”
EndSection

note two lines: vboxmouse tells X.org to use mouse driver from VirtualBox guest additions, and CorePointer instructs to use this pointer as primary. Without CorePointer line the vboxmouse driver is used, but it’s still impossible to move it outside guest’s window.

Well, WordPress was updated easily, but i had problems with Gallery2.

I need a multisite deployment of Gallery2. Although it is supported from the installer, some important steps are missing.

In order multisite Gallery2 to work, you will need to add some symlinks to every deployment of the Gallery2:

• lib -> /usr/share/gallery2/lib/

The directory is providing some scripts amongst all, so without it you will lack some functionality, like enabling themes will not work.

• modules -> /usr/share/gallery2/modules
• themes -> /usr/share/gallery2/themes

The themes directory is providing CSS file, so without this your gallery will look “flat”.

Also, you can try to use “php_admin_flag safe_mode Off” in the Apache’s VirtualHost description, in the case PHP safe mode is turned on globally.

And yes, beware: do not ever mix web directory and data directory: the content of web directory is erased during install.

# date
Sat Jul 11 10:34:07 EEST 2009
# dpkg -l |egrep gallery2
ii gallery2 2.3-1 web-based photo album written in PHP


The fresh issue: after fresh install (Gallery… deb), no one is able to login. The solution is explained here – you should set $gallery->setConfig('baseUri', ''); in ‘config.php’.

Again, having both left hands, i was unable to start multisite version of Gallery2, using install scripts. What i had to change was:

1. remove ‘lib/’
2. symlink ‘lib/’ , ‘modules/’ , ‘themes/’ from ‘/usr/share/gallery2′ to site root
3. symlink or copy and alter ‘images/’ from ‘/usr/share/gallery2′ to site root

First of all, firmware is in non-free branch, so /etc/apt/sources.list must contain “non-free” repository and:
install firmware-bnx2 package:

apt-get install firmware-bnx2

;

double check the files in /lib/firmware/;

Some people report it’s still impossible to load firmware from initrd, so you may wish to remove bnx2 line from ‘/etc/initramfs-tools/modules’;

“firmware-bnx2″ already has initrd update scripts, but you may want to re-check the created image.
You can extract the initrd image using

gzip -dc /boot/initrd.img-[]kernel version-arch] | cpio -id

Cross your fingers;
telinit 6;
It just worked for me:

# uname -a
Linux … 2.6.26-2-amd64 #1 SMP … x86_64 GNU/Linux

Still got no ping? Login to console and rmmod bnx2 && modprobe bnx2

[] printing/print_cups.c:cups_job_submit(656)
Unable to print file to - client-error-bad-request


And the printing is stopped, of course.

The solution is simple:

LANG=en_US.UTF-8 /etc/init.d/samba restart

In short:
/var/log/cups/error_log shows a lot of

E [] Unsupported character set "iso-8859-1"!

CUPS requires UTF-8.
In the case of default login in Debian, the console IS in UTF-8, but is not if you have customized it and use `su` for administrative tasks.

C’ia.

The problem was found accidentally. I have some information in national language and I usually edit /etc/samba/smb.conf from X environment or msWindows, using Unicode-aware editors. But at some time share comments in config file were edited using pico in ISO-8859-1 terminal. Pico is perfect editor for me (i hate complexity of vi or emacs) , but in this case the combination of wront terminal and ANSI-type editor was lethal. The UTF-8 strings were mangled and the configuraton was wrong (althow `testparm` showed it’s OK).
So, don’t do this at work