--- /dev/null
+/usr/lib/estraier/estseek.cgi
\ No newline at end of file
--- /dev/null
+indexname: /afs/hcoop.net/common/ikiwiki/source//.ikiwiki/hyperestraier
+tmplfile: /afs/hcoop.net/common/ikiwiki/source//.ikiwiki/hyperestraier/cgi.tmpl
+topfile: /dev/null
+logfile:
+logformat:
+replace: ^file:///afs/hcoop.net/common/ikiwiki/dest{{!}}http://ikiwiki.hcoop.net/
+showreal: false
+perpage: 10,20,30,40,50,100
+attrselect: false
+showscore: false
+extattr: date|Date
+snipwwidth: 480
+sniphwidth: 96
+snipawidth: 96
+condgstep: 2
+dotfidf: true
+scancheck: false
+smplphrase: true
+phraseform: 2
+candetail: true
+smlrvnum: 0
+smlrtune: 16 1024 4096
+clipview: 2
+relkeynum: 0
+spcache:
+wildmax: 256
+qxpndcmd:
+helpfile: estseek.help
+deftitle:
+attrwidth: 80
+dispproxy:
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html>
+<head>
+<base href="http://ikiwiki.hcoop.net/" />
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title>search</title>
+<link rel="stylesheet" href="http://ikiwiki.hcoop.net/style.css" type="text/css" />
+<link rel="stylesheet" href="http://ikiwiki.hcoop.net/local.css" type="text/css" />
+
+</head>
+<body>
+
+<div class="header">
+<span>
+<a href="http://ikiwiki.hcoop.net/">Hcoop Ikiwiki</a>/ search
+</span>
+</div>
+
+<div id="content">
+<!--ESTFORM-->
+
+<!--ESTRESULT-->
+
+<!--ESTINFO-->
+
+
+</div>
+
+<div id="footer">
+<!-- from Hcoop Ikiwiki -->
+</div>
+
+</body>
+</html>
--- /dev/null
+#!/usr/bin/perl
+
+#
+# Please make sure that all paths in this file are in /afs -- this
+# makes it possible to "git push" via AFS.
+#
+
+# Remember to re-run ikiwiki --setup any time you edit this file.
+
+use IkiWiki::Setup::Standard {
+ wikiname => "Hcoop Ikiwiki",
+ adminemail => 'admins@hcoop.net',
+
+ # Be sure to customise these..
+ srcdir => "/afs/hcoop.net/common/ikiwiki/source/",
+ destdir => "/afs/hcoop.net/common/ikiwiki/dest/",
+
+ url => "http://ikiwiki.hcoop.net/",
+ cgiurl => "http://ikiwiki.hcoop.net/cgi",
+ templatedir => "/afs/hcoop.net/common/ikiwiki/templates",
+ underlaydir => "/afs/hcoop.net/common/ikiwiki/basewiki",
+
+ rcs => "git",
+
+ # mwolson, do you know how to set these?
+ #historyurl => "http://git.example.org/gitweb.cgi?p=wiki.git;a=history;f=[[file]]",
+ #diffurl => "http://git.example.org/gitweb.cgi?p=wiki.git;a=blobdiff;h=[[sha1_to]];hp=[[sha1_from]];hb=[[sha1_parent]];f=[[file]]",
+ gitorigin_branch => "origin",
+ gitmaster_branch => "master",
+
+ wrappers => [
+ {
+ # The cgi wrapper; generated by 'ikiwiki --wrappers'
+ cgi => 1,
+ wrapper => "/afs/hcoop.net/common/ikiwiki/bin/ikiwiki.cgi",
+ wrappermode => "06755",
+ },
+ {
+ wrapper => "/afs/hcoop.net/common/ikiwiki/repo/hooks/post-update",
+ wrappermode => "04755",
+ # Enable mail notifications of commits.
+ notify => 1,
+ },
+ ],
+
+ # Generate rss feeds for blogs?
+ rss => 1,
+ # Generate atom feeds for blogs?
+ atom => 1,
+
+ # Urls to ping with XML-RPC when rss feeds are updated
+ #pingurl => [qw{http://rpc.technorati.com/rpc/ping}],
+ # Include discussion links on all pages?
+ discussion => 1,
+
+ # To exclude files matching a regexp from processing. This adds to
+ # the default exclude list.
+ #exclude => qr/*\.wav/,
+ # To change the extension used for generated html files.
+ #htmlext => 'htm',
+ # Time format (for strftime)
+ #timeformat => '%c',
+ # Locale to use. Must be a UTF-8 locale.
+ #locale => 'en_US.UTF-8',
+ # Only send cookies over SSL connections.
+ #sslcookie => 1,
+
+ # Logging settings:
+ #verbose => 1,
+ syslog => 0,
+
+ # To link to user pages in a subdirectory of the wiki.
+ #userdir => "users",
+ # To create output files named page.html rather than page/index.html.
+ #usedirs => 0,
+ # Simple spam prevention: require an account-creation password.
+ #account_creation_password => "example",
+
+ # editdiff doesn't seem to work
+ add_plugins => [qw{httpauth camelcase wikitext search teximg editdiff graphviz table more toggle plaintext poll img linkmap toc sidebar fortune tag html meta orphans brokenlinks pagecount inline}],
+
+# waiting for {attach} plugin to be released; use git for now
+# attach => {
+# enabled => 1, #If false, no new attachments are allowed via the web interface
+# every_page => 1, #Toggles whether attachments are allowed on every page of the IkiWiki
+# },
+
+
+ #add_plugins => [qw{goodstuff search wikitext camelcase
+ # htmltidy fortune sidebar map rst anonok}],
+ # If you want to disable any of the default plugins, list them here.
+ disable_plugins => [qw{passwordauth}],
+ #disable_plugins => [qw{inline htmlscrubber passwordauth openid}],
+ # To add a directory to the perl searh path, use this.
+ #libdir => "/home/me/.ikiwiki/",
+
+ # For use with the tag plugin, make all tags be located under a
+ # base page.
+ #tagbase => "tag",
+
+ # For use with the search plugin if your estseek.cgi is located
+ # somewhere else.
+ #estseek => "/usr/lib/estraier/estseek.cgi",
+
+ # For use with the openid plugin, to give an url to a page users
+ # can use to signup for an OpenID.
+ #openidsignup => "http://myopenid.com/",
+
+ # For use with the mirrorlist plugin, a list of mirrors.
+ #mirrorlist => {
+ # mirror1 => "http://hostname1",
+ # mirror2 => "http://hostname2/mirror",
+ #},
+}
--- /dev/null
+mtime=1193537498 ctime=1193537498 src=DomTool/Examples.mdwn dest=DomTool/Examples/index.html link=DomTool link=WebNodes link=DocumentRoot link=DomTool/Examples/discussion depends=sidebar
+mtime=1193534889 ctime=1193534889 src=membermanual.mdwn dest=membermanual/index.html link=membermanual/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=pagespec.mdwn dest=pagespec/index.html link=PageSpec link=SubPage link=SandBox link=pagespec/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=ContactHcoop.mdwn dest=ContactHcoop/index.html link=IrcChannel link=ContactHcoop/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=local.css dest=local.css
+mtime=1193537497 ctime=1193537497 src=AfsClientConfiguration.mdwn dest=AfsClientConfiguration/index.html link=AfsFedoraClientConfiguration link=TroubleshootingAFS link=AfsClientConfiguration/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=shortcuts.mdwn dest=shortcuts/index.html link=shortcuts/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=JustinLeitgeb.mdwn dest=JustinLeitgeb/index.html link=JustinLeitgeb/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/alert.png dest=smileys/alert.png
+mtime=1193537498 ctime=1193537498 src=MemberManual/UsingDomtool.mdwn dest=MemberManual/UsingDomtool/index.html link=MemberManual link=DomTool link=DomTool/UserGuide link=MemberManual/UsingDomtool/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/UsingCron.mdwn dest=MemberManual/UsingCron/index.html link=MemberManual/RunningUnattendedCommands link=MemberManual/UsingCron/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=preprocessordirective.mdwn dest=preprocessordirective/index.html link=WikiLink link=preprocessordirective/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/Databases.mdwn dest=MemberManual/Databases/index.html link=MemberManual link=MemberManual/Databases/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=TipsAndTricks.mdwn dest=TipsAndTricks/index.html link=TipsAndTricks/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=AdminArea.mdwn dest=AdminArea/index.html link=AndrewFileSystem link=BackupInfo link=ChangingAdminPassword link=DaemonAdmin link=DomTool link=IpAddresses link=NewSystemHardware link=TaskDistribution link=SoftwareArchitecturePlans link=SystemArchitecturePlans link=OnSiteStuff link=OneTimeCosts2007 link=HcoopAddresses link=AdminArea/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=TaskDistribution.mdwn dest=TaskDistribution/index.html link=MichaelOlson link=AdamChlipala link=NathanKennedy link=AdamMegacz link=DavorOcelic link=JustinLeitgeb link=ClintonEbadi link=BrianTempleton link=DomtoolTwo link=TaskDistribution/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/smile4.png dest=smileys/smile4.png
+mtime=1193537498 ctime=1193537498 src=MemberManual/GettingStarted/AccountCreated.mdwn dest=MemberManual/GettingStarted/AccountCreated/index.html link=MemberManual link=MemberManual/GettingStarted/AccountCreated/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DaemonAdmin.mdwn dest=DaemonAdmin/index.html link=DaemonAdmin/Apache link=DaemonAdmin/Bind link=DaemonAdmin/LDAP link=DaemonAdmin/MySQL link=DaemonAdmin/PostgreSQL link=DaemonAdmin/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/tired.png dest=smileys/tired.png
+mtime=1192992183 ctime=1171139225 src=smileys/star_on.png dest=smileys/star_on.png
+mtime=1192992183 ctime=1171139225 src=smileys/ohwell.png dest=smileys/ohwell.png
+mtime=1193537497 ctime=1193537497 src=AdminGroup.mdwn dest=AdminGroup/index.html link=IpAddresses link=FrankBynum link=AdamChlipala link=NathanKennedy link=AdamMegacz link=DavorOcelic link=MichaelOlson link=OmryYadan link=AdminGroup/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=HCoopAdvocacy.mdwn dest=HCoopAdvocacy/index.html link=ProspectiveMemberFaq link=JoinUs link=MemberManual link=OurHistory link=TheHcoopLook link=T-Shirt link=HcoopPublicity link=LogoDiscussion link=NathanKennedy link=HCoopAdvocacy/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=DomTool/UserGuide.mdwn dest=DomTool/UserGuide/index.html link=DomTool link=MemberManual/GettingStarted/AfsExamples link=DomTool/LanguageReference link=DocumentRoot link=DomTool/Examples link=DomTool/UserGuide/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=HcoopPolicies.mdwn dest=HcoopPolicies/index.html link=EnvironmentalPolicy link=NamingConventions link=SevenPrinciples link=VolunteerResponsePolicy link=HcoopPolicies/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=OldWelcomePage.mdwn dest=OldWelcomePage/index.html link=DefaultFrontPage link=NewServersSetup link=MigrationTips link=NewFeatures link=ProspectiveMemberFaq link=MemberFaq link=NewMember link=SshConfiguration link=FtpConfiguration link=FirewallRules link=FileTransfer link=UserWebsites link=UsingEmail link=UsingDatabases link=DynamicWebSites link=SystemAuthentication link=BackupServices link=UsingResourceLimits link=JabberServer link=SpamAssassin link=WebSpam link=CustomDaemons link=TipsAndTricks link=DomainRegistration link=DomainTool link=DnsConfiguration link=EmailConfiguration link=AfsClientConfiguration link=MailingListConfiguration link=MoinMoinConfiguration link=UsingSsl link=VirtualHostConfiguration link=MemberDues link=ContactHcoop link=HcoopMarketing link=HcoopPolicies link=HcoopGuidelines link=HcoopStructure link=IrcMeetings link=OtherGroups link=CategoryOutdated link=InstalledSoftware link=InstallationLog link=CategorySystemAdministration link=PrincipalsForNonHumans link=OpenProblems link=KvmInfo link=BackupInfo link=OldWelcomePage/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=IpAddresses.mdwn dest=IpAddresses/index.html link=IpAddresses/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/thumbs-up.png dest=smileys/thumbs-up.png
+mtime=1193537498 ctime=1193537498 src=MemberManual/MigrationGuide.mdwn dest=MemberManual/MigrationGuide/index.html link=NewServersSetup link=Kerberos link=RealSecurity link=DenyHosts link=UsingDatabases link=DomTool link=ProcmailExample link=SpamAssassin link=UsingEmail link=AndrewFileSystem link=MemberManual/MigrationGuide/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=OmryYadan.mdwn dest=OmryYadan/index.html link=OmryYadan/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=FtpConfiguration.mdwn dest=FtpConfiguration/index.html link=FtpConfiguration/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=ProspectiveMemberFaq.mdwn dest=ProspectiveMemberFaq/index.html link=HcoopBylaws link=IrcChannel link=PayPal link=DomTool link=WelcomePage link=HardwareSpecs link=ProspectiveMemberFaq/discussion depends=sidebar
+mtime=1193087757 ctime=1193086461 src=imelite.mdwn dest=imelite/index.html link=imelite/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=KrunkInfoz.mdwn dest=KrunkInfoz/index.html link=KrunkInfoz/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/redface.png dest=smileys/redface.png
+mtime=1192990630 ctime=1192990630 src=README.CRUCIAL-AVOID.CORRUPTION dest=README.CRUCIAL-AVOID.CORRUPTION
+mtime=1193537498 ctime=1193537498 src=UsingEmail.mdwn dest=UsingEmail/index.html link=SpamAssassin link=DomainTool link=NathanKennedy link=SpamAssassinFilter link=FeedingSpamAssassin link=SpamAssassinAdmin link=MichaelOlson link=ProcmailExample link=X509Anchors link=AdamChlipala link=AndreKuehne link=UsingEmail/discussion depends=sidebar
+mtime=1193091550 ctime=1193089952 src=examplepageinrawhtml.html dest=examplepageinrawhtml/index.html link=PayPal link=examplepageinrawhtml/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=helponformatting.mdwn dest=helponformatting/index.html link=MarkDown link=WikiLink link=PreProcessorDirective link=smileys link=helponformatting/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=subpage.mdwn dest=subpage/index.html link=SubPage link=SubPage/LinkingRules link=LinkingRules link=subpage/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/frown.png dest=smileys/frown.png
+mtime=1192992183 ctime=1171139226 src=smileys.mdwn dest=smileys/index.html link=smileys/smile.png link=smileys/biggrin.png link=smileys/smile2.png link=smileys/smile3.png link=smileys/smile4.png link=smileys/ohwell.png link=smileys/devil.png link=smileys/angry.png link=smileys/frown.png link=smileys/sad.png link=smileys/tongue.png link=smileys/redface.png link=smileys/tired.png link=smileys/thumbs-up.png link=smileys/icon-error.png link=smileys/checkmark.png link=smileys/idea.png link=smileys/attention.png link=smileys/alert.png link=smileys/star_on.png link=smileys/star_off.png link=WikiLink link=smileys/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/GettingStarted/NewMember.mdwn dest=MemberManual/GettingStarted/NewMember/index.html link=PayPal link=MemberDues link=SshConfiguration link=MemberManual link=MemberManual/GettingStarted/NewMember/discussion depends=sidebar
+mtime=1193091694 ctime=1193091694 src=images/ikiwiki.png dest=images/ikiwiki.png depends=sidebar
+mtime=1193537497 ctime=1193537497 src=BackupInfo.mdwn dest=BackupInfo/index.html link=BackupInfo/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/smile.png dest=smileys/smile.png
+mtime=1193537497 ctime=1193537497 src=DaemonAdmin/Bind.mdwn dest=DaemonAdmin/Bind/index.html link=DomTool link=DomTool/AdminProcedures link=DaemonAdmin/Bind/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/VersionControl.mdwn dest=MemberManual/VersionControl/index.html link=MemberManual link=MemberManual/VersionControl/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=HcoopGuidelines.mdwn dest=HcoopGuidelines/index.html link=GenderNeutralLanguage link=DeveloperGuidelines link=HcoopGuidelines/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=DomTool/Implementation.mdwn dest=DomTool/Implementation/index.html link=DomTool link=DomTool/UserGuide link=DomTool/Building link=DomTool/ArchitectureOverview link=DomTool/LanguageReference link=DomTool/Implementation/discussion depends=sidebar
+mtime=1193091908 ctime=1193089797 src=sidebar.mdwn dest=sidebar/index.html link=sidebar/discussion link=images/ikiwiki.png depends=((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((*) or (sidebar)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)) or (*)
+mtime=1193537674 ctime=1192990171 src=index.mdwn dest=index.html link=OldWelcomePage link=MemberManual link=HCoopAdvocacy link=ContactHcoop link=AdminArea link=BoardArea link=WikiStuff link=MichaelOlson link=index/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/GettingStarted/AfsExamples.mdwn dest=MemberManual/GettingStarted/AfsExamples/index.html link=MemberManual/GettingStarted/AfsExamples/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=HcoopStructure.mdwn dest=HcoopStructure/index.html link=HcoopBylaws link=RegisteredAgent link=BoardOfDirectors link=HcoopStructure/discussion depends=sidebar
+mtime=1193537577 ctime=1193537498 src=WelcomePage.mdwn dest=WelcomePage/index.html link=OldWelcomePage link=MemberManual link=HCoopAdvocacy link=ContactHcoop link=AdminArea link=BoardArea link=WikiStuff link=MichaelOlson link=WelcomePage/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=StyleGuide.mdwn dest=StyleGuide/index.html link=TableOfContents link=DomTool link=MemberManual link=StyleGuide/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=SoftwareArchitecturePlans.mdwn dest=SoftwareArchitecturePlans/index.html link=AdamChlipala link=DavorOcelic link=JustinLeitgeb link=DnsConfiguration link=DomainRegistration link=FtpConfiguration link=FileTransfer link=ServedOn link=ClintonEbadi link=UserWebsites link=DynamicWebSites link=VirtualHostConfiguration link=UsingEmail link=EmailConfiguration link=JabberServer link=MailingListConfiguration link=UsingDatabases link=SpamAssassin link=FeedingSpamAssassin link=SpamAssassinAdmin link=SshConfiguration link=ShaunEmpie link=DomainTool link=SquirrelMail link=MoinMoin link=MichaelOlson link=UserPreferences link=ResourceLimits link=DaemonFileSecurity link=FirewallRules link=SoftwareArchitecturePlans/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/star_off.png dest=smileys/star_off.png
+mtime=1192992183 ctime=1171139225 src=smileys/smile2.png dest=smileys/smile2.png
+mtime=1193537497 ctime=1193537497 src=ChangingAdminPassword.mdwn dest=ChangingAdminPassword/index.html link=ChangingAdminPassword/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=NewServersSetup/FinalPreparations.mdwn dest=NewServersSetup/FinalPreparations/index.html link=NewServersSetup link=NewServersSetup/FinalPreparations/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DomTool/AdminProcedures.mdwn dest=DomTool/AdminProcedures/index.html link=DomTool/UserGuide link=DomTool link=DomTool/Building link=DomTool/AdminProcedures/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=Meeting20060909.mdwn dest=Meeting20060909/index.html link=DomtoolTwo link=Meeting20060909/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/checkmark.png dest=smileys/checkmark.png
+mtime=1192992183 ctime=1171139225 src=smileys/icon-info.png dest=smileys/icon-info.png
+mtime=1193537498 ctime=1193537498 src=RewriteGoals/PagesToDelete.mdwn dest=RewriteGoals/PagesToDelete/index.html link=ProjectGroupsTemplate link=ProjectTemplate link=ThwartingPackages link=MichaelOlson link=RewriteGoals/PagesToDelete/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DomTool.mdwn dest=DomTool/index.html link=DomTool/UserGuide link=DomTool/Examples link=DomTool/LanguageReference link=DomTool/AdminProcedures link=DomTool link=DomTool/ArchitectureOverview link=DomTool/Plugins link=DomTool/AdditionalClients link=DomTool/SslProcedures link=DomTool/Building link=DomTool/Implementation link=DomTool/Debugging link=DomainTool link=DomtoolTwo link=AdamChlipala link=DomTool/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=WikiStuff.mdwn dest=WikiStuff/index.html link=DefaultFrontPage link=MoinMoin link=StyleGuide link=WikiStuff/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=subpage/linkingrules.mdwn dest=subpage/linkingrules/index.html link=SubPage link=WikiLink link=FooBar link=OtherPage link=BazBar link=subpage/linkingrules/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=ProcmailExample.mdwn dest=ProcmailExample/index.html link=LifeReader link=Neki_Fujiyama link=InfoWorld link=JustinLeitgeb link=ProcmailExample/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=IrcMeetings.mdwn dest=IrcMeetings/index.html link=Meeting20071021 link=Meeting20060909 link=Meeting20060624 link=IrcMeetings/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/angry.png dest=smileys/angry.png
+mtime=1192992183 ctime=1171139225 src=smileys/biggrin.png dest=smileys/biggrin.png
+mtime=1193537498 ctime=1193537498 src=MemberManual.mdwn dest=MemberManual/index.html link=MemberManual/MigrationGuide link=MemberManual/GettingStarted link=MemberManual/UsingDomtool link=DomTool link=MemberManual/TransferringFiles link=MemberManual/EmailDelivery link=MemberManual/ServingWebsites link=MemberManual/Databases link=MemberManual/RunningUnattendedCommands link=MemberManual/UsingCron link=MemberManual/VersionControl link=MichaelOlson link=MemberManual/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=TroubleshootingAFS.mdwn dest=TroubleshootingAFS/index.html link=CellServerDB link=TroubleshootingAFS/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DaemonAdmin/LDAP.mdwn dest=DaemonAdmin/LDAP/index.html link=AuthenticationScheme link=DaemonAdmin/LDAP/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=RewriteGoals/PagesNeedingLove.mdwn dest=RewriteGoals/PagesNeedingLove/index.html link=MemberManual/UsingDomtool link=DomTool link=DomTool/UserGuide link=MemberManual link=AdamChlipala link=MemberManual/MigrationGuide link=MemberManual/TransferringFiles link=MemberManual/EmailDelivery link=MemberManual/ServingWebsites link=MemberManual/UsingCron link=JoinUs link=OurHistory link=MemberManual/VersionControl link=MemberManual/VersionControl/git link=RewriteGoals/PagesNeedingLove/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=BadContent.mdwn dest=BadContent/index.html link=MyServer link=SaNaLHaCKERLaR link=ViewMyLoan link=BadContent/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=wikilink.mdwn dest=wikilink/index.html link=WikiLinks link=WikiLink link=SubPage/LinkingRules link=SubPage link=SandBox link=wikilink/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MoinMoinConfiguration.mdwn dest=MoinMoinConfiguration/index.html link=MoinMoin link=HelpOnInstalling/WikiInstanceCreation link=VirtualHostConfiguration link=DnsConfiguration link=AdamChlipala link=JeremyPenner link=DavorOcelic link=MoinMoinConfiguration/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=RewriteGoals.mdwn dest=RewriteGoals/index.html link=WelcomePage link=DomTool/Examples link=MigrationTips link=MemberManual link=StyleGuide link=MichaelOlson link=RyanMikulovsky link=MichaelPotter link=RewriteGoals/PagesToDelete link=RewriteGoals/PagesNeedingLove link=RewriteGoals/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=markdown.mdwn dest=markdown/index.html link=HelpOnFormatting link=WikiLink link=PreProcessorDirective link=markdown/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=BoardArea.mdwn dest=BoardArea/index.html link=BoardOfDirectors link=HcoopPolicies link=HcoopGuidelines link=HcoopStructure link=IrcMeetings link=BoardArea/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=DomTool/Plugins.mdwn dest=DomTool/Plugins/index.html link=DomTool/UserGuide link=DomTool link=DomTool/Plugins/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=SpamAssassinAdmin.mdwn dest=SpamAssassinAdmin/index.html link=SpamAssassin link=SiteSpam link=SiteHam link=CategorySystemAdministration link=SpamAssassinAdmin/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/RunningUnattendedCommands.mdwn dest=MemberManual/RunningUnattendedCommands/index.html link=MemberManual link=MemberManual/RunningUnattendedCommands/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=NewSystemHardware.mdwn dest=NewSystemHardware/index.html link=NewSystemHardwareArchive link=NewServersSetup link=PowerEdge link=KrunkInfoz link=ShaunEmpie link=HardwareDonations link=JustinLeitgeb link=__91__AdamMegacz link=StarTech link=NewSystemHardware/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DomTool/ArchitectureOverview.mdwn dest=DomTool/ArchitectureOverview/index.html link=DomTool link=DomTool/LanguageReference link=VeriSign link=AdamChlipala link=DomTool/ArchitectureOverview/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=NewFeatures.mdwn dest=NewFeatures/index.html link=DomTool link=DomTool/Examples link=NewFeatures/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/TransferringFiles.mdwn dest=MemberManual/TransferringFiles/index.html link=MemberManual link=MemberManual/TransferringFiles/discussion depends=sidebar
+mtime=1193537520 ctime=1193537520 src=subpage/bazbar.mdwn dest=subpage/bazbar/index.html link=subpage/bazbar/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/DistributedSecurity.mdwn dest=MemberManual/DistributedSecurity/index.html link=PasswordlessLogin link=MemberManual/DistributedSecurity/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=sandbox.mdwn dest=sandbox/index.html link=SandBox link=WikiLink link=sandbox/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=FrankBynum.mdwn dest=FrankBynum/index.html link=FrankBynum/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/attention.png dest=smileys/attention.png
+mtime=1193084957 ctime=1193084957 src=discussion.mdwn dest=discussion/index.html link=discussion/discussion depends=sidebar
+mtime=1193088403 ctime=1193088403 src=exampleofaplaintextpage.txt dest=exampleofaplaintextpage/index.html link=exampleofaplaintextpage/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=style.css dest=style.css
+mtime=1192992183 ctime=1171139225 src=smileys/devil.png dest=smileys/devil.png
+mtime=1193537498 ctime=1193537498 src=RyanMikulovsky.mdwn dest=RyanMikulovsky/index.html link=RyanMikulovsky/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=VolunteerResponsePolicy.mdwn dest=VolunteerResponsePolicy/index.html link=HcoopBylaws link=AdamChlipala link=NathanKennedy link=AdamMegacz link=DavorOcelic link=MichaelOlson link=TaskDistribution link=VolunteerResponsePolicy/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=DaemonAdmin/Apache.mdwn dest=DaemonAdmin/Apache/index.html link=DaemonAdmin/Apache/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=DomTool/LanguageReference.mdwn dest=DomTool/LanguageReference/index.html link=DomTool link=DomTool/UserGuide link=DomTool/Building link=DomTool/Implementation link=DomTool/LanguageReference/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=blog.mdwn dest=blog/index.html link=PreProcessorDirective link=PageSpec link=SubPage link=blog/discussion depends=sidebar
+mtime=1193537497 ctime=1193537497 src=AdminPolicies.mdwn dest=AdminPolicies/index.html link=TaskDistribution link=VolunteerResponsePolicy link=PayPal link=DomainTool link=AdminPolicies/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/smile3.png dest=smileys/smile3.png
+mtime=1192992183 ctime=1171139225 src=smileys/idea.png dest=smileys/idea.png
+mtime=1193537497 ctime=1193537497 src=DomTool/Building.mdwn dest=DomTool/Building/index.html link=DomTool link=SourceForge link=ConfigDefault link=DomTool/Building/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/GettingStarted.mdwn dest=MemberManual/GettingStarted/index.html link=MemberManual link=IrcChannel link=MemberManual/GettingStarted/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/tongue.png dest=smileys/tongue.png
+mtime=1193537497 ctime=1193537497 src=AnishJacob.mdwn dest=AnishJacob/index.html link=CategoryHomepage link=AnishJacob/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/icon-error.png dest=smileys/icon-error.png
+mtime=1193537497 ctime=1193537497 src=DomTool/AdditionalClients.mdwn dest=DomTool/AdditionalClients/index.html link=DomTool link=SpamAssassin link=DomTool/AdditionalClients/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/EmailDelivery.mdwn dest=MemberManual/EmailDelivery/index.html link=MemberManual link=MemberManual/EmailDelivery/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=favicon.ico dest=favicon.ico
+mtime=1193537498 ctime=1193537498 src=JoinUs.mdwn dest=JoinUs/index.html link=MemberManual link=JoinUs/discussion depends=sidebar
+mtime=1192992183 ctime=1171139225 src=smileys/sad.png dest=smileys/sad.png
+mtime=1193084974 ctime=1193084974 src=index/discussion.mdwn dest=index/discussion/index.html link=index/discussion/discussion depends=sidebar
+mtime=1193537498 ctime=1193537498 src=MemberManual/ServingWebsites.mdwn dest=MemberManual/ServingWebsites/index.html link=MemberManual link=MemberManual/ServingWebsites/discussion depends=sidebar
+mtime=1192992183 ctime=1171139226 src=wikiicons/diff.png dest=wikiicons/diff.png
+mtime=1193537498 ctime=1193537498 src=Meeting20071021.mdwn dest=Meeting20071021/index.html link=Meeting20071021/discussion depends=sidebar
--- /dev/null
+Board member, president, treasurer, and person in charge of custom software like DomTool\r
+\r
+Home page: http://www.schizomaniac.net/\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+attachment:zombie.jpeg\r
+\r
+.\r
+y\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This contains a list of pages that are of interest to the admins.\r
+\r
+[[TableOfContents]]\r
+\r
+= General =\r
+\r
+ * AdminGroup: Listing of HCoop system administrators.\r
+ * AndrewFileSystem: Using our new shared filesystem.\r
+ * BackupInfo: Information on how to recover deleted files from our off-site backups.\r
+ * ChangingAdminPassword: How admins can change their UNIX passwords.\r
+ * DomTool: Administering and using the new domtool.\r
+ * IpAddresses: Listing of IPs that we use.\r
+ * NewSystemHardware: Information on the new hardware.\r
+ * SoftwareArchitecturePlans: Plans for software installation.\r
+ * SystemArchitecturePlans: Plans regarding our hardware.\r
+ * OnSiteStuff: Checklist for the next on-site visit to the new machines.\r
+ * OneTimeCosts2007: Costs associated with the new servers through April 2007.\r
+ * HcoopAddresses: Physical addresses relevant to us.\r
+\r
+= Responsibilities =\r
+\r
+ * TaskDistribution: What each sysadmin is responsible for.\r
+ * VolunteerResponsePolicy: Guidelines for responding to requests and email.\r
+\r
+= Programs =\r
+\r
+ * DaemonAdmin: Daemon-specific pages aimed at admins.\r
+ * MailmanInstallation: Additional things we must do to keep Mailman happy.\r
--- /dev/null
+#acl All:read\r
+\r
+This is a listing of the people who have access to the IpAddresses page\r
+and other protected pages. They also are the only ones who have the\r
+ability to delete pages.\r
+\r
+ * FrankBynum\r
+ * AdamChlipala\r
+ * NathanKennedy\r
+ * AdamMegacz\r
+ * DavorOcelic\r
+ * MichaelOlson\r
+ * OmryYadan\r
--- /dev/null
+If we want to scale up to a larger member base and high reliability, then we need to know exactly what is expected of people who volunteer for particular duties. That way, someone can turn down a role if he knows he can't meet the time requirements, and he knows exactly what is expected of him if he ''does'' sign on. This page is our scratch pad for ideas on formal guidelines in this direction.\r
+\r
+See the TaskDistribution page for an in-progress assignment of people to jobs.\r
+\r
+= Policies deserving their own pages =\r
+\r
+ * VolunteerResponsePolicy\r
+\r
+= Summaries of official roles and their duties =\r
+\r
+ * '''President''': Mostly general moral leadership :-)\r
+ * '''Treasurer''': Manage that money!\r
+ * '''Secretary''': Keep official records\r
+ * '''System administrator''': Both plan and set up technical infrastructure and keep it running on a day to day basis\r
+ Note that the President/Treasurer/Secretary are officers on the board of directors, and have legal decision-making power defined under Pennsylvania law and HCoop's bylaws and articles of incorporation. System administrators, by contrast, have only powers delegated to them by the board of directors. Despite this, sysadmins may act quite autonomously and may be more involved with the day to day operations of HCoop than directors, though they are ultimately subordinate to and acting on behalf of the board, which in turn is elected by and represents the interests of the membership at large.\r
+\r
+= Requirements of anyone in an official role =\r
+\r
+ * Respond to e-mail to his HCoop e-mail address within 24 hours of when it is sent, barring extreme situations, whenever that mail makes it clear that it expects a response from the particular person\r
+ * Make an official notification to the co-op when he won't be able to meet the above requirement, because he goes on vacation or for whatever other reason\r
+ * Send e-mail to a list containing just people in special roles?\r
+ * Post to a wiki page?\r
+\r
+= Sysadmin stuff =\r
+\r
+How many sysadmins (all with root access) should we have? 4 seems like about the right number. It would be nice if we could somehow pick admins with good spread across the different time zones, to give us more times when one is likely to be awake and able to handle emergencies.\r
+\r
+It might be nice for each sysadmin to have brief "office hours" each week, where he agrees to be on IRC answering questions and helping people in real time.\r
+\r
+= Official list of tasks =\r
+\r
+We should try to come up with a list of task types that covers everything expected of people in special roles. Each task should have an associated list of people in charge of it, listed in a total order. At any time, the first person on the list for a task who is not "on vacation" via the above allowance is responsible by default for handling it. Of course, it's always possible to make special arrangements for some tasks, but the lead person for the task will be in charge of arranging them.\r
+\r
+I expect that the tasks of the officers (president/secretary/treasurer) will almost always be performed by single officers, since they will tend to be less time-critical. The sysadmin tasks should probably be spread evenly among the sysadmins.\r
+\r
+Let's list the tasks, organized by which role we expect to handle them.\r
+\r
+== President ==\r
+\r
+ * Schedule meetings\r
+ * Run meetings\r
+\r
+== Treasurer ==\r
+\r
+ * Process new member payments and alert sysadmins when someone has paid and can have an account created\r
+ * Process ongoing payments by updating the portal's financial records\r
+ * Hunt down people who are behind in payments\r
+ * Do physical payment processing for rare people who aren't willing to use Pay``Pal\r
+ * Handle support tickets in the Financial category\r
+\r
+== Secretary ==\r
+\r
+ * Keep meeting minutes\r
+ * Maintain the board's [http://hcoop.net/board/ webpage]\r
+ * Keep files of all HCoop-related paperwork, and post scans or transcripts of any particularly important documents to the board's webpage\r
+ * Conduct all elections and official membership votes, report and archive their results\r
+\r
+== Sysadmins ==\r
+\r
+ * Add new members who have been approved and have paid\r
+ * Process specific support requests:\r
+ * Requests for a domain in DomainTool\r
+ * Requests for apt package installation\r
+ * Requests for Mailman lists\r
+ * Process other support tickets, differentiated by category on the portal:\r
+ * Web\r
+ * E-mail\r
+ * Server Misc (possibly add more categories, since this category is used fairly often...)\r
+ * Meta\r
+ * Periodically update packages through Debian apt\r
+ * Manage the firewall\r
+ * Manage relational database servers\r
+ * Advising the board as to policy matters, or setting policies as enabled to do so by the board.\r
+ * Maintaining and auditing the security of HCoop's servers.\r
+ * Protecting and respecting the privacy of HCoop members. Abuse of superuser privileges to view private member files or communication (except to the extent necessary in the course of legitimate sysadmin duties) is strictly forbidden, and is ground for immediate termination of sysadmin status and also for termination of membership, in the same way that use of HCoop services for cracking is grounds for expulsion.\r
--- /dev/null
+= AFS Client Configuration =\r
+\r
+HCoop is using AFS on the new shared server configuration at Peer 1. You can use AFS to have files with the same name accessible from various computers. Here is how you can configure AFS at home or work for use with HCoop:\r
+\r
+ * AfsFedoraClientConfiguration\r
+\r
+See http://research.cs.berkeley.edu/doc/afs/debian.html for how to get the OpenAFS client to work in Debian/Ubuntu, and ["TroubleshootingAFS"] for informations on problems you might have getting it to work.\r
--- /dev/null
+= AFS Fedora Client Configuration =\r
+\r
+This describes how to get an AFS client at home working with a HCoop AFS cell on a Fedora workstation.\r
+\r
+= Basic Steps =\r
+\r
+ * Download the [http://www.openafs.org/release/latest.html openafs source RPM for your version of Fedora]. This will have a filename like openafs-1.4.4-fc6.2.src.rpm.\r
+ * Build this on your machine with an rpmbuild command like the following: sudo rpmbuild --rebuild --target=i686 openafs-1.4.4-fc6.2.src.rpm (you will need to have the kernel-headers package installed for this to work.\r
+ * If the build completed successfully, you should see some lines that say "Wrote: " towards the end of the output. Use an rpm command like "rpm -ivh packagename" to install this rpm on your system. ''Note: should you install a new kernel, you'll have to repeat this part of the process!''\r
+ * Install openafs-1.4.4-fc6.2.i386.rpm, openafs-client-1.4.4-fc6.2.i386.rpm, and openafs-krb5-1.4.4-fc6.2.i386.rpm, or the newest stable packages for your platform.\r
+\r
+ * Change the home cell in {{{/usr/vice/etc/ThisCell}}} to hcoop.net.\r
+ * Start the openafs client with {{{sudo /etc/init.d/openafs-client start}}}\r
+ * Run kinit and type your password\r
+ * Make sure that afsd is running.\r
+ * Run "klist" just to make sure that you have a valid token.\r
+ * Run aklog - if this works you should be able to see /afs/hcoop.net.\r
+\r
+== Rebuilding openafs for new kernels ==\r
+\r
+You will have to rebuild the source RPM every time your kernel is updated. If you followed the steps above, the source rpm should have been installed in /usr/src/redhat/SRPMS/. Use the rpmbuild command above to build this. This resulting RPM file will be put in an appropriate directory under /usr/src/redhat/RPMS if the build is successful. It will contain the name of the running kernel. Install this RPM, and when you run /etc/init.d/openafs-client start the daemon should start properly.\r
+\r
+If you're lazy you may want to script the process of creating a new openafs module each time you install a new kernel. Here is a script that works no my Fedora 7 system. It rebuilds the source RPM, installs it, and starts the openafs daemon. It hasn't been well tested and I wrote it very quickly, so feel free to make it more robust if you want to:\r
+\r
+{{{\r
+#!/bin/bash\r
+\r
+# Re-builds the openafs modules for the currently running kernel.\r
+# Should work on Fedora systems.\r
+# This has not been broadly tested, written Tue Jun 5 11:30:35 EDT 2007\r
+# by Justin S. Leitgeb [leitgebj AT hcoop -- NOSPAM -- net].\r
+\r
+OPENAFS_SRPM="/usr/src/redhat/SRPMS/openafs-1.4.4-fc6.2.src.rpm"\r
+\r
+if [ -a $OPENAFS_SRPM ] ; then\r
+ echo SRPM $OPENAFS_SRPM exists, starting rebuild. ;\r
+ rpmbuild --rebuild --target=i686 $OPENAFS_SRPM\r
+ \r
+ # Figure out what the filename should be for the new RPM based on\r
+ # running kernel version, then install it.\r
+ kernel_name_for_afs=`uname -r | sed 's/-/_/'`\r
+\r
+ # Not a pretty command but it worked for me... we'll see if it does in the future.\r
+ new_afs_rpm=`find /usr/src/redhat/RPMS/ -type f | grep openafs | grep $kernel_name_for_afs | grep kernel | head -1`\r
+ \r
+ rpm -ivh $new_afs_rpm\r
+\r
+ echo Re-starting openafs client...\r
+ /etc/init.d/openafs-client start\r
+fi\r
+}}}\r
+\r
+== Troubleshooting ==\r
+\r
+If you get an error like "aklog: unable to obtain tokens for cell hcoop.net (status: 11862790)" it may mean that your router is blocking SRV requests. If you're running djbdns locally (used by lots of operating systems for embedded devices, such as OpenWrt), make sure that the line {{{filterwin2k}}} is commented out in /etc/dnsmasq.conf, or whatever the config file is on your machine.\r
+\r
+Read TroubleshootingKerberos for more.\r
--- /dev/null
+A regular member.\r
--- /dev/null
+= Basic Architecture =\r
+\r
+Using the shared filesystem involves a combination of Kerberos and OpenAFS.\r
+\r
+= File conventions =\r
+\r
+The `/afs` tree contains shared filesystems. `/afs/hcoop.net` (symlinked from `/afs/hcoop` as well) is our piece of the AFS-o-sphere. Subdirectories include:\r
+\r
+ * `/afs/hcoop.net/user`, the home of home directories\r
+ * `/afs/hcoop.net/user/U/US/$USERNAME`, `$USERNAME`'s home directory\r
+ * `/afs/hcoop.net/common/etc`, the home of non-platform-specific fun stuff like DomTool\r
+\r
+= Connecting to AFS from an HCoop server =\r
+\r
+I found this handy summary of the commands that must be run:\r
+ http://www.eos.ncsu.edu/remoteaccess/LinuxOpenAfs/kreset_debian/kreset\r
+\r
+On our servers, it seems sufficient to run:\r
+{{{kinit\r
+aklog}}}\r
+\r
+These should be run automatically if you log in normally, but admins who manually `kinit` to different users (for\r
+the purpose of testing access permissions most often), need to of course run both `kinit; aklog` to completely\r
+switch to a target user.\r
+\r
+= The kadmin shell =\r
+\r
+All Kerberos administration commands are run from a special shell, called Kadmin. There are two variants of Kadmin:\r
+kadmin is the usual, remote version of the command which can be run on any machine; kadmin.local is the "local"\r
+version which can only be ran on the AFS fileserver (deleuze).\r
+\r
+Invoke kadmin.local as `sudo kadmin.local -p YOURUSERNAME_admin`. It is good to include "-p YOURUSERNAME_admin", or\r
+kadmin will "authenticate" as the first user it finds in the ticket cache, which may or may not be the username you\r
+expected. All the administrative commands would work anyway (since you ran kadmin.local), but an incorrect principal\r
+name would make various statistics incorrect (like name of principal who was adding/changing entries in the DB).\r
+\r
+To invoke kadmin, use `kadmin -p YOURUSERNAME_admin`. In normal course of action, kadmin asks for a password. This is\r
+impractical for automated scripts. As usual, instead of a password, you can also pass a keytab file. Our keytabs are\r
+saved in /etc/keytabs/ on each system, and they are readable by group 'wheel'. So administrators should be able\r
+to invoke 'kadmin' (use control shell) or kinit/k5start (impersonate any user) by supplying target user's key from\r
+a keytab, such as `kadmin -p domtool/deleuze -k -t /etc/keytabs/domtool.deleuze` .\r
+\r
+= Creating a new user =\r
+\r
+We follow the convention that Kerberos users for daemons are named `$DAEMON`, where `$DAEMON` is the name of the daemon (for instance, the name of system user it runs as, or the name of its `/etc/init.d` file). ''Some daemons\r
+currently use DAEMON/HOST scheme, but this will be changed later and is not to be used for any new principals\r
+you create''.\r
+\r
+To add the Kerberos principal for a daemon, run this in kadmin:{{{\r
+addprinc -randkey -policy service $DAEMON}}}\r
+\r
+AFS users exist separately from Kerberos principals. To add the AFS user for a daemon to which you want to assign UID `$UID`, run:{{{\r
+pts createuser $DAEMON}}}\r
+\r
+"keytab" files smooth the way to running daemons that run with AFS privileges. An access-protected local file contains a user's credentials, and daemons read these files on starting up in order to authenticate.\r
+\r
+To create a keytab for a daemon, run this in kadmin:{{{\r
+ktadd -k /etc/keytabs/$DAEMON -e "des3-hmac-sha1:normal rc4-hmac:normal" $DAEMON\r
+chown $DAEMON:wheel /etc/keytabs/$DAEMON\r
+chmod 440 /etc/keytabs/$DAEMON\r
+}}}\r
+\r
+In the example above, only one key (of 4 or 5 created) is exported for a user. Sometimes it might be desirable to\r
+only export a specific key into a keytab file, but we generally just omit the `-e KEY_TYPE` parameter and export\r
+all keys to the keytab file.\r
+\r
+You can view keys stored in a keytab by doing `sudo klist -k /etc/keytabs/KEYTAB_FILE`.\r
+\r
+To make daemons properly kinit/aklog as the user you created for them, use ``k5start`` command. Many examples\r
+of how to use it are already found in our /etc/init.d/ scripts. Important options include `-U` (which kinits as\r
+the first principal found in the keytab file, without the need to explicitly name a principal), -f (which specifies\r
+the keytab file to kinit from), and -K MINUTES (which re-news the ticket after MINUTES, so that daemons can run\r
+for long periods of time).\r
+\r
+To give $DAEMON the actual permission in AFS space, for most common actions, `fs setacl DIR $DAEMON read` or `write` \r
+are good. All subdirectories that get created within the toplevel directory for which you give permissions, will \r
+inherit all the permissions.\r
+\r
+= Listing and setting quotas =\r
+\r
+To list volume quota, run{{{\r
+fs lq DIR\r
+}}}\r
+\r
+\r
+To set volume quota in 1-kilobyte blocks, run{{{\r
+fs sq DIR -max SIZE\r
+}}}\r
--- /dev/null
+#format wiki\r
+#language en\r
+\r
+Email: http://anil.net.in/images/web/mailidg.png\r
+Homepage: http://anil.net.in\r
+\r
+==== Probable migration concerns ====\r
+\r
+ * ssh stuff (pub key, no UDP for use with krb).\r
+ * Missing user group-id.\r
+ * Apache server layout (wait for DomTool)\r
+ * Would port forwarding be available ?\r
+ * 400MB quota.\r
+ * When would fyodor be put out of commission ?\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+##master-page:HomepageTemplate\r
+#format wiki\r
+== Anish Jacob ==\r
+\r
+I have been a member of hcoop since Sept 2006.\r
+I live in Pune, India.\r
+\r
+Email: [[MailTo(me AT SPAMFREE aizak DOT net)]]\r
+\r
+...\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+= Authentication Scheme =\r
+\r
+Regarding the exact authentication mechanism on HCoop:\r
+\r
+We have Kerberos and LDAP working. Kerberos holds user "principals" (account names + passwords), while LDAP keeps account names plus everything else (such as UIDs, GIDs, home directories, real names, permissions etc.). General policy is: all users have LDAP accounts and a Kerberos principal. Admins have passwd file account and a Kerberos principal. When needed, admins can also create a pure local-files-based account.\r
+\r
+The whole authentication work is performed though a series of PAM (Pluggable Authentication Modules) configuration directives. PAM has four "management groups", listed in most-common order of execution: auth, account, session, and password. (The exact order of execution is controlled by the order of lines in /etc/pam.d/* files, with each file corresponding to a particular service).\r
+\r
+ * Auth is concerned with actual username/password verification in the database. \r
+ * Account checks things like password aging etc. If the user has an LDAP account, then the Kerberos account module is invoked which checks for the list of allowed principals in ''~/.k5login''. Users with no LDAP account are just checked in the local password files. Currently, the pam_krb5 module we use does not check password aging information in Kerberos'''. Russ Allbery did a new module which will be in Debian Etch.\r
+ * Session sets up session details, including limits. pam_krb5 is invoked and only succeeds if the user has a Kerberos principal. (If it has, it initializes the TGT ticket for them automatically). And then, finally, pam_unix_session is called which just logs session creation (and later session termination) to system log files. At that point, users are logged in.\r
+ * Password is the management group involved only in changing the password (or whatever the authentication mechanism is). Currently, by default, Kerberos password is changed. Running '''kpasswd''' will change the Kerberos password; running '''passwd''' will change the local-files password, and will only work for people with pure local accounts.\r
--- /dev/null
+This page describes the procedure for accessing and using our off-site backups. Only admins can do this -- if you want to get some file or directory back from the dead and are not an admin, please contact the hcoop-sysadmin list for assistance.\r
+\r
+== Backups of AFS Volumes ==\r
+\r
+=== Getting access ===\r
+\r
+{{{\r
+ssh FOO_admin@deleuze.hcoop.net\r
+\r
+aklog -c megacz.com\r
+}}}\r
+\r
+=== Navigating the available backups ===\r
+\r
+{{{\r
+cd /afs/megacz.com/hcoop-backup/\r
+\r
+cd $DESIRED_BACKUP_DATE\r
+}}}\r
+\r
+=== Restoring the volume dump to a volume with a new name ===\r
+\r
+{{{\r
+cat $VOLNAME.dump.bz2.aescrypt | \\r
+ ccrypt -cdk /etc/backup-encryption-key | \\r
+ bunzip2 | \\r
+ vos restore deleuze /vicepa $VOLNAME.restored\r
+}}}\r
+\r
+=== Mounting the newly restored volume onto the filesystem ===\r
+\r
+{{{\r
+fs mkm /afs/hcoop.net/.old/tmp-mount $VOLNAME.restored\r
+vos release old\r
+}}}\r
+\r
+=== Restoring a particular file ===\r
+\r
+{{{\r
+# examine /afs/hcoop.net/.old/tmp-mount\r
+}}}\r
+\r
+=== Unmounting the restored volume ===\r
+\r
+{{{\r
+fs rm /afs/hcoop.net/.old/tmp-mount\r
+}}}\r
+\r
+=== Renaming the restored volume so it takes the place of the damaged/corrupted/erased volume ===\r
+\r
+Do this if you want to restore an entire volume. This deletes the old volume and replaces it with the backup.\r
+\r
+{{{\r
+vos remove $VOLNAME\r
+vos rename $VOLNAME.restored $VOLNAME\r
+}}}\r
+\r
+=== Removing the restored volume ===\r
+\r
+If you only wanted to restore a few files from the volume, you should remove the local copy of the backup volume when done.\r
+\r
+{{{\r
+vos remove -id $VOLNAME.restored\r
+}}}\r
+\r
+== Database Backups ==\r
+\r
+{{{\r
+cat databases.tar.bz2.aescrypt | \\r
+ ccrypt -cdk /etc/backup-encryption-key | \\r
+ bunzip2 | \\r
+ tar -xvzf -\r
+}}}\r
--- /dev/null
+We considered a number of services that you can use to recover your data in the event that you accidentally delete it, our hardware fails, or some malicious party finds a way to corrupt it.\r
+\r
+'''For now, we don't have any backup services. All of the text below describes techniques that we tried and stopped using for various reasons.'''\r
+\r
+= On-disk backups =\r
+\r
+For the sake of the first two categories above, we maintain multiple "snapshots" of the filesystem in previous states. You can browse through these at your leisure and retrieve old versions of files. At the moment, we archive only `/home` (where most user-associated files live, thanks to our attempts to keep everything users can modify significantly on this partition) and `/etc`.\r
+\r
+This will save you if you delete your files accidentally, but the old versions were intact at the time of one of our 6 most recent hourly backups, 7 most recent daily backups, 4 most recent weeklies, or 6 most recent monthlies. These frequencies are the defaults in the Debian rsnapshot package, and we'll see how well they mesh with the realities of disk space usage, and probably adjust them accordingly.\r
+\r
+If our hardware fails, it's likely that the failure will be in at most one of our RAID disk pair at once, in which case the backup information will remain stored safely while we copy the filesystem onto a replacement disk.\r
+\r
+We use the [http://www.rsnapshot.org/ rsnapshot] program to manage these backups incrementally. This handy rsync-based approach uses hard links in a way that allows backups whose size is mostly proportional to the size of files that have ''changed'' since the last backup. You can find the current snapshots in `/backup`, where, for example, `/backup/hourly.0` is the most recent hourly snapshot, `/backup/daily.2` is the third most recent daily snapshot, etc..\r
+\r
+'''/backup is currently unavailable and will remain so until someone figures out how to mount the same directory in both read-only-for-users and read-write-for-root-only modes, when that directory isn't the root of a partition. We currently don't know the right firewall configuration to allow a self-NFS-mount, which is the recommended method on the rsnapshot site.'''\r
+\r
+= Off-site backups =\r
+\r
+If some unauthorized person ever finds a way to get root access to one of our servers, he can trash any on-disk backups. Moreover, even if we ever switch to storing that kind of backup on a remote filesystem, it's probably true that root has access to write to that filesystem arbitrarily, since we want the backup process to be automatic. As a result, we need some backup storage that even root on our own servers can't modify.\r
+\r
+Our current approach to this is ad-hoc. About once a month, an admin tars and compresses all of `/home` and `/etc` and transfers it to some other location. The resulting archive file can be burned to CDs or similar.\r
+\r
+Naturally, users can't automatically restore their files from such an image. However, this should only be a problem if someone gets root access on a server, in which case it will be a problem for everyone, and admins will be very involved, anyway.\r
+\r
+Suggestions are welcome for a more automated solution, or a solution that involves paying a company a reasonable price to do this.\r
--- /dev/null
+## Please edit system and help pages ONLY in the moinmaster wiki! For more\r
+## information, please see MoinMaster:MoinPagesEditorGroup.\r
+##master-page:Unknown-Page\r
+##master-date:Unknown-Date\r
+#acl All:read\r
+#format plain\r
+#language en\r
+([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}\r
+(blow)[\w\-_.]*job[\w\-_.]*\.[a-z]{2,}\r
+(buy)[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}\r
+(gambling|porn|\bsms|busty|prescription|pharmacy|penis|pills|enlarge)[\w\-_.]*\.[a-z]{2,}\r
+(diet|penis)[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}\r
+(annunci|tatuaggi|canzoni|musicali|scarica|salute|sesso|hentai|ragazze|sonnerie)[\w\-_.]*\.[a-z]{2,}\r
+(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}\r
+(incest|beastiality)[\w\-_.]*\.[a-z]{2,3}\r
+(levitra|lolita|phentermine|viagra|vig-?rx|zyban|valtex|xenical|adipex|meridia\b)[\w\-_.]*\.[a-z]{2,}\r
+(magazine)[\w\-_.]*(finder|netfirms)[\w\-_.]*\.[a-z]{2,}\r
+(mike)[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}\r
+(milf)[\w\-_.]*(hunter|moms|fucking)[\w\-_.]*\.[a-z]{2,}\r
+(online)[\w\-_.]*casino[\w\-_.]*\.[a-z]{2,}\r
+(paid|online)[\w\-_.]*surveys[\w\-_.]*\.[a-z]{2,}\r
+(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)[\w\-_.]*\.[a-z]{2,}\r
+(puss(ie|y)|adult|sex|fuck|suck|cock|virgin)\S{0,15}\.info/\r
+(ragazze)-?\w+\.[a-z]{2,}\r
+(ultram\b|\btenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a)[\w\-_.]*\.[a-z]{2,}\r
+(valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova\b|bontril|nexium)[\w\-_.]*\.[a-z]{2,}\r
+\.(chat|boom|fromru|hotmail|newmail|nightmail|nm|narod|pochta)\.ru\r
+\.[0-9]{5,}\.(com|net|org|us|biz|cn|ru)\r
+\.4t\.com\r
+\.51\.net\r
+\.6x\.to\r
+\.a\.la/\r
+\.b3\.nu\r
+\.cameroun\.ws\r
+\.flywebs\.com\r
+\.free-25\.de\r
+\.gb.com\r
+\.hostrim\.com\r
+\.qn.com\r
+\.sbn\.bz\r
+\.shell\.la\r
+\.static\.net\r
+\.t35\.com\r
+\.uk\.to\r
+\.uni\.cc\r
+\.w28\.org\r
+\.wol\.bz\r
+\.wtf\.la\r
+\.xs3\.com\r
+\.ya\.com\r
+\.yadoo\.cn\r
+\bby\.ru\b\r
+\bda\.ru\b\r
+\bde\.gg\b\r
+\bde\.nr\b\r
+\bde\.tc\b\r
+\bde\.tp\b\r
+\bgo\.ro\b\r
+\w+\.sh\.cn\r
+0008888.com\r
+000site\.com\r
+0020.net\r
+0030.net\r
+00freehost\.com\r
+01-beltonen.com\r
+01-klingeltoene.at\r
+01-klingeltoene.de\r
+01-loghi.com\r
+01-logot?.com\r
+01-logotyper.com\r
+01-melodias?.com\r
+01mobile.com\r
+01-ringe?tones?.com\r
+01-ringe?tones?.us\r
+01-ringsignaler.com\r
+01ringtones.co.uk\r
+01-soittoaanet.com\r
+01-suonerie.com\r
+01-toque.com\r
+0adult-cartoon.com\r
+0cartoon.com\r
+0cartoon-sex.com\r
+0catch.com\r
+0livesex.com\r
+0sex-toons.com\r
+0sfondi.com\r
+0sfondi-desktop.com\r
+0suonerie.com\r
+0toons.com\r
+0xxx-cartoon.com\r
+1000\-celebs\.com\r
+100comm.com\r
+100hgh.com\r
+100-sex.com\r
+100megsfree5\.com\r
+108bikes.com\r
+110fat.com\r
+11126.com\r
+123-sign-making-equipment-and-supplies.com\r
+125mb.com\r
+125we.com\r
+148-law.com\r
+150m\.com\r
+158hk\.com\.cn\r
+163ns.com\r
+163school.com.cn\r
+168Education.com\r
+168marketing.com\r
+168wire.com\r
+16safe.com\r
+17train.com\r
+1816.net\r
+18caixin.com\r
+18ny.com\r
+18show.cn\r
+1accesshost\.com\r
+1afm\.com\r
+1asphost.com\r
+1-bignaturals.com\r
+1concerttickets.com\r
+1-cumfiesta.com\r
+1domiks\.org\r
+1ebalo\.org\r
+1foleks\.org\r
+1footballtickets.com\r
+1golod\.org\r
+1hrens\.org\r
+1ibanusiks\.org\r
+1jolla\.org\r
+1-klingeltone.com\r
+1so.com.cn\r
+1so\.net\.cn\r
+1st-(auto-insurance-4u|phonecard|printer-ink-cartridge|shemale-sex).com\r
+1st-host.org\r
+1stindustrialdirectory.com\r
+1stlookcd.com\r
+1stop[\w-]*.com\r
+1st-payday-loans.net\r
+1sweethost\.com\r
+1-texas-holdem.us\r
+1und1-shopping.de\r
+1-welivetogether.com\r
+1-wholesale-distributor.com\r
+1xp6z.com\r
+2008travel.com\r
+20fr.com\r
+216.130.167.230\r
+24-hour-fitness-online.com\r
+269s.tinline.com\r
+269s\.com\r
+2ndmortgageinterestrates.com\r
+2twinks.com\r
+321cigarettes.com\r
+3333.ws\r
+35tk\.com\r
+365jp.com\r
+3ccenter\.com\r
+3host.com\r
+3-sexy.com\r
+3sheng.net\r
+3sixtyfour.com\r
+3yaoi.com\r
+404host.com\r
+41b.net\r
+42tower.ws\r
+4mg.com\r
+4u-topshelfpussy.com\r
+4womenoftheworld.com\r
+5118.com\r
+5118.net.cn\r
+512j.com\r
+5151office\.cn\r
+51asa.com\r
+51dragon.com\r
+51nlp\.com\r
+51weixing.com\r
+51wisdom.com\r
+51zhengxing.net\r
+54eo.com\r
+5782601.net\r
+58798309dyb.com\r
+591dy.com\r
+625fang\.com\r
+63174828.com\r
+63dns.com\r
+65.217.108.182\r
+66.197.102.2\r
+666house\.com\r
+66battery.com\r
+66cable.com\r
+66cellphone.com\r
+66ceramic.com\r
+66floor.com\r
+66interior.com\r
+66logistics.com\r
+66machine.com\r
+66packing.com\r
+66sculpture.com\r
+66supply.com\r
+66tools.com\r
+68685633.com\r
+68l.com\r
+69.61.11.163\r
+69yo.com\r
+6p.org.uk\r
+6x.to\r
+71space\.[a-z]{2,}\r
+7p.org.uk\r
+8848flower.com\r
+888cas.com\r
+888jack.com\r
+888steel.com\r
+888-texas-holdem.com\r
+88aabb.com\r
+88feedstuff.com\r
+88fiber.com\r
+88telephone.com\r
+8cx.net\r
+8cx\.net\r
+8k.com\r
+8th\S*street\S*latina\S*\.[a-z]{2,}\r
+911\.uni\.cc\r
+9136\.cn\r
+91dir.com\r
+91xz.info\r
+999777888.com/jkcy009\r
+99bbcc.com\r
+99caixin.com\r
+99jl.net\r
+9sf\.cn\r
+a1-mortgage-finder.com\r
+a-1-versicherungsvergleich.de\r
+a688.net\r
+aaaaaaaa.ru\r
+aaff.net\r
+aajj.net\r
+aaliyah\.ws\r
+aauu.net\r
+abc3x.com\r
+abcink\.com\r
+abnehmen-ganz-sicher.com\r
+abocams.de\r
+abymetro.org.uk\r
+ac8888.com\r
+academytrans.com\r
+accessories-car.com\r
+accompagnatrici.cc\r
+acme\-arts\.com\r
+acmetranslation\.com\r
+acornwebdesign.co.uk\r
+activeshow\.net\r
+acupuncturealliance\.org\r
+acyclovir.net\r
+ad.huwh.org\r
+aducasher.spb.ru\r
+adult\-categories\.info\r
+adult-dvds?-dot.com\r
+adultfreehosting.com\r
+adult-free-webcams.com\r
+adult-friend.info\r
+adultfriendfinder.com\r
+adultfriendfindernow.com\r
+adultfriendfindersite.com\r
+adultfriendsite.com\r
+adult-games.name\r
+adulthostpro.com\r
+adultlingerieuk.com\r
+adultnonstop.com\r
+adultpics.com\r
+adultserviceproviders.com\r
+adultshare.com\r
+advantage-quotes.com\r
+a--e.com\r
+aegean.net.cn\r
+aektschen.de\r
+aerohose.com\r
+aesthetics.co.il\r
+afreeserver.com\r
+agentsmax\.com\r
+agreatserver.com\r
+aids120.95.cn\r
+aimaiti.com\r
+aimite.com\r
+air520\.com\r
+airfare-links.net\r
+airshow-china.com.cn\r
+airtrip.com.cn\r
+akkx\.info\r
+alawna.blogspot.com\r
+alexanet.com\r
+alfago.com\r
+alhaurin.to\r
+all-debt-consolidation.org\r
+allfind.us\r
+all-fioricet.com\r
+allinsurancetype.com\r
+allmagic.ru\r
+allof.myphotos.cc\r
+alloha.info\r
+allohaweb.com\r
+all-porn.info\r
+all-rxdrugs.com\r
+all-we-live-together.com\r
+allwoodoxford.com\r
+almacenpc.com\r
+alprazolam-online.qn.com\r
+amateur-(lesbian|movie|naked|site).us\r
+amateurs.r00m.com\r
+amateursuite.com\r
+amateurs-xxx.us\r
+amateur-thumbs.net\r
+ambien-online-order.zx81.at\r
+ambien-prescription.qn.com\r
+americacashfast.com\r
+americancdduplication.com\r
+americanpaydayloans.net\r
+american-single-dating.com\r
+amoxicillin-online.net\r
+amoyplastic.com\r
+anacondasex\.info\r
+analloverz.com\r
+anal-sex-pictures.us\r
+anchuang.com.cn\r
+andyedf.de\r
+angenehmen-aufenthalt.de\r
+animalsex-movies-archive.com\r
+animalsex-pics-gallery.com\r
+anime1.org\r
+anime-adult.us\r
+anlinet.com\r
+annuaire.biz.ly\r
+annuaire.tk\r
+anonymous-blogger.com\r
+antely.com\r
+anti-exploit.com\r
+antu.com.cn\r
+anxietydisorders.biz\r
+anything4health.com\r
+anzwers\.net\r
+anzwers\.org\r
+a-onedigitizing.com\r
+a-oneemb.com\r
+aotubang.com\r
+aotubangshi.net\r
+ap8\.com\r
+apa-redlion.com\r
+apicalsoft.com\r
+a-pics.net\r
+apollopatch.com\r
+appliances66.com\r
+apply-to-green-card.org\r
+appollo.org\r
+approachina.com\r
+approval-loan.com\r
+a-purfectdream-expression.com\r
+aquari.ru\r
+aquatyca.net\r
+arbat\.or\.at\r
+arcsecurity.co.uk\r
+area-code-npa-nxx.com\r
+argendrom.com\r
+armor2net.com\r
+aromacc.com\r
+arrecife.to\r
+arterydesign.com\r
+artsdeal.com\r
+asianbum.com\r
+asian-girls.name\r
+asian-nude.blogspot.com\r
+asian-sex-woman.com\r
+asp169.com\r
+ass-picture.us\r
+a-stories.com\r
+atetech.com.cn\r
+atkinsexpert.com\r
+auctionmoneymakers.com\r
+auktions-uebersicht.de\r
+autodetailproducts.com\r
+autodirektversicherung.com\r
+autofinanzierung-autokredit.de\r
+autofinanzierung-zum-festzins.de\r
+autohandelsmarktplatz.de\r
+autoing.com\.cn\r
+autoing\.com\.cn\r
+auto-insurance-links.net\r
+autokredit-autofinanzierung.de\r
+autokredit-tipp.de\r
+auto-loans-usa.biz\r
+automotive.com\r
+autoversicherung-vergleichen.info\r
+autumn-jade.com\r
+avon-one.com\r
+awxk.net\r
+ayamonte.to\r
+ba2000.com\r
+babes-d.com\r
+babes-maidens\.info\r
+babes-plus.com\r
+baby-info\.org\r
+babymarktplatz-aktiv.de\r
+baby-perfekt.de\r
+background-check.info\r
+bad-movies.net\r
+bad-passion.com\r
+bahraichfun.com\r
+baidublog.com\r
+baifaa.cn\r
+balancingmachine.cn\r
+bali-dewadewi-tours.com\r
+balidiscovery.org\r
+bali-hotels.co.uk\r
+balivillas.net\r
+banialoba3w.150m.com\r
+bannedhome.com\r
+banned-pics.com\r
+barbate.to\r
+barcelona.to\r
+barcode555.com\r
+barcodes.cn\r
+bare.org\r
+barely-legald.com\r
+barely-legal-teenb.com\r
+bargeld-tipp.de\r
+barrym.co.uk\r
+bast3.ru\r
+batukaru\.[a-z]{2,}\r
+bayareabags\.com\r
+bbell.com\r
+bbs.csnec.net\r
+bccec.com.cn\r
+bccinet.org\r
+bc-printer.com\r
+bdi-bone.com\r
+bdsensors.com.cn\r
+bdsm-story.blogspot.com\r
+beast(iality|sex)-(movies|stories|animal-sex-stories).(com|net)\r
+beaumont-bar.co.uk\r
+beauty333.com\r
+beauty-farm.net\r
+beautysilk.net\r
+beer-china.com\r
+beijingkh.com\r
+belinking.com\r
+beltonen-logos-spel.com\r
+benalmadena-costa-del-sol.to\r
+benavista.to\r
+benessere.us\r
+benidorm.to\r
+bestasianteens.com\r
+best-buy-cialis.com\r
+best-cialis-source.com\r
+bestdvdclubs.com\r
+bestel.com.cn\r
+besthandever.com\r
+best-high-speed-internet.com\r
+bestialitylinks.org\r
+bestiality-pics.org\r
+bestialityzoo.sytes.net\r
+best-internet-bingo.com\r
+bestits.net\r
+best-make-money.com\r
+bestonline-medication.com\r
+bestonline-medication.net\r
+bestonline-shopping.com\r
+best-result-fast.com\r
+bet-on-horseracing.com\r
+better-56.com\r
+beverlyhillspimps?andhos.com\r
+bhs-design.com\r
+big-(black-butts|breast-success|hooters|natural-boobs|naturals-4u).(com|net|us|org)\r
+big(bras-club|moms|titchaz).com\r
+bigmag.com.ua\r
+big-rant.com\r
+bigsitecity.com\r
+bigxigua\.com\r
+bildmitteilung.us\r
+billigfluege-billige-fluege.de\r
+billleo.com\r
+bio-snoop.com\r
+birth-control-links.com\r
+bizhat.com\r
+bizhome\.org\r
+bj-?(acca|erwai|fusheng|fyhj|hchy|hsdx|cas|gift|khp|xhjy|sd|zufang).(cn|com)\r
+bj701.com\r
+bjdyzs\.com\r
+bjerwai.com\r
+bjfusheng.com\r
+bjhsdx.com\r
+bjicp.net\r
+bj-page.com\r
+bj-qsan\.com\r
+bjsister.com\r
+bjxin\.com\r
+bjzyy.com\r
+black-?jack-?(4u|777|dot|homepage|play-blackjack|site|winner)?.(net|com|fm)\r
+black-amateur-cock.net\r
+blackjack-123.com\r
+blackjack-p.com\r
+blahblah.tk\r
+blanes.to\r
+b-liver.com\r
+blk-web.de\r
+bllogspot.com\r
+blog.co.tz/dexters\r
+blogbus.com\r
+blogcn.com\r
+blogforbaby.com/blog/deepsea\r
+blogforbaby.com/blog/jbilder\r
+bloggersdream.com/ahorcar\r
+bloggersdream.com/emscience\r
+bloggingmadness.com/aufmerksamkeitsdefizitsyndrom\r
+bloglabs.biz\r
+blogman.biz\r
+blogmen.net\r
+blogspam.org\r
+blogspoint.com/kostas\r
+blogspoint.com/marklanegan\r
+blogstudio.net\r
+blog-tips.com\r
+blonde-(pussy|video|xxx).us\r
+blumengruss-onlineshop.de\r
+blumenshop-versand.de\r
+b-mailbox.com\r
+bnuol.com\r
+bochao.com.cn\r
+bodet-clocks.co.uk\r
+body-jewelry.reestr.net\r
+bodyjock.com\r
+body-piercing.softinterop.com\r
+bokaibj.com\r
+bolonia.to\r
+bondage-story.blogspot.com\r
+bon-referencement.com\r
+boobmorning.com\r
+boobspost.com\r
+booking-room.com\r
+book-translation\.com\r
+boom.ru\r
+boom\.ru\r
+boylaser\.com\r
+breast-augmentation.top-big-tits.com\r
+briana-banks-dot.com\r
+british-hardcore.net\r
+brownlion.com.cn\r
+brrddd.org\r
+budget-phonecards.co.uk\r
+bueroversand-xxl.de\r
+bugaboo-stroller.com\r
+buildermax\.com\r
+bulkemailsoft.com\r
+burda\.isgre\.at\r
+burningcar.net\r
+businessbloging.com/benzaldehyde\r
+businessbloging.com/gesetz\r
+business-grants.org\r
+butalbital.org\r
+butianshi.com\r
+buy.*\.qn\.com\r
+buy-[\w-]+-online\.\r
+buy-adult-sex-toys.com\r
+buy-adult-toys.biz\r
+buy-ambien.8bit.at\r
+buyambienonline\.blogspirit\.com\r
+buy-car-insurance-4-us.com\r
+buy-carisoprodol\.qo\.pl\r
+buy-cheap-soma\.ar\.gs\r
+buy-cialis.ws\r
+buy-cialis-1.qn.com\r
+buy-cialis-online.qn.com\r
+buy-codeine.bebto.com\r
+buy-codeine.qn.com\r
+buy-codeine-online.b3.nu\r
+buy-computer.us\r
+buy-computer-memory.net\r
+buy-discount-airline-tickets.com\r
+buy-hydrocodone.qn.com\r
+buy-hydrocodone-online.sinfree.net\r
+buy-hydrocodone-online.u4l.com\r
+buyhydrocodonewhere.bigsitecity.com\r
+buy-laptop.biz\r
+buy-levitra-1.qn.com\r
+buy-levitra-online.qn.com\r
+buy-order-cheap-online\.info\r
+buy-rx-usa.com\r
+buy-sex-toys.net\r
+buystuffpayless.com\r
+buy-valium.imess.net\r
+buy-valium.qn.com\r
+buy-valium-online.enacre.net\r
+buy-vicodin.dd.vg\r
+buy-xanax.qn.com\r
+buy-zolpidem.qn.com\r
+buzz-hotels.co.uk\r
+bvicr\.cn\r
+b-witchedcentral.co.uk\r
+by-and-by.com\r
+byondart\.com\r
+byronbayinternet.com\r
+c911c\.com\r
+cabopino.to\r
+cadaques.to\r
+cadiz-andalucia.to\r
+cai4\.com\r
+caipiaowangzhi.com\r
+calahonda.to\r
+california.k9.pl\r
+callingcardchoice.com\r
+calling-phone-cards\.org\r
+calpe.to\r
+cambridgetherapynotebook.co.uk\r
+camemberts.org\r
+camera-cn.com\r
+canada-travel.cn\r
+canos-de-meca.to\r
+cantonfairhotelguangzhou.com\r
+cantonfairhotelguangzhou\.com\r
+cantwell2000.com\r
+CAPAZ MESMO, ISTO E UM FATO MALUCO\r
+capital-credit-cards.com\r
+captain-stabbin.blogspot.com\r
+captain-stabbin-4u.com\r
+cardsloansmortgages.com\r
+careersmax\.com\r
+car-financing-low-rates.biz\r
+car-fuck.net\r
+carisoprodol.q03.net\r
+carisoprodolonline.bigsitecity.com\r
+carlack.cn\r
+carmenblue.com\r
+carnalhost.com\r
+carnumbers.ru\r
+car-rental-links.com\r
+car-rentals-2go.com\r
+car-rental-search.com\r
+cars-links.com\r
+cartama.to\r
+cartoni(-animati|erotici|giapponesi).com\r
+cartopia.com\r
+cashadvanceclub.com\r
+cash-advance-quick.com\r
+cashmerebiz.com\r
+casillas-del-angel.to\r
+casoft.com.cn\r
+castingagentur2004.de\r
+cast-shadow.com\r
+cat-guide\.org\r
+cbitech.com\r
+ccie130.com\r
+ccie-ccnie.com\r
+ccna130.com\r
+ccna-ccna.com\r
+ccnp130.com\r
+ccnp-ccnp.com\r
+cd21\.cn\r
+cdshop-guenstig.de\r
+cds-xxl.de\r
+cebooks.net\r
+cegcr\.cn\r
+celebritylust.blog-city.com\r
+celebritypics.ws\r
+celebskin.com\r
+celebtastic.com\r
+cell-phone-accessories-dot.com\r
+ceool\.cn\r
+ceramic168.com\r
+certificationking.net\r
+certified-(new|used)-(autos|cars|suvs).com\r
+cfeenet.com\r
+changweia.cn\r
+chaosmagic.com/weblog/catastrophic\r
+chat\.ru\r
+chat-l.de\r
+chatten.bilder-j.de\r
+chauffeurtours.co.uk\r
+cheap.*\.6x\.to\r
+cheap-4.com\r
+cheap-adult-sex-toys.com\r
+cheap-ambien.qn.com\r
+cheap-cialis.qn.com\r
+cheap-cigarettes.com\r
+cheaper-digital-cameras.uk.com\r
+cheapest-phone.co.uk\r
+cheap-levitra.qn.com\r
+cheap-valium.my-age.net\r
+cheap-web-hosting-companies.com\r
+cheap-xanax.qn.com\r
+chem888.com\r
+cherrybrady.com\r
+chickz.com\r
+china\.com\r
+china0519.com\r
+chinaad-design.com\r
+china-af.com\r
+chinaaircatering.com\r
+china-am.com\r
+china-apt.com\r
+chinaaxletree.com\r
+china-cp.com\r
+china-digital-camera.com\r
+china-dope.com\r
+chinagoldcoininc.com\r
+chinahr.com\r
+chinalatex.com\r
+chinaqygl.com\r
+chinasensor\.info\r
+china-sports-kit.com\r
+chinaswk.com\r
+china-transformer.com\r
+china-vcr.com\r
+chinaw3.com\r
+china-wood-floor.com\r
+china-wp.com\r
+chindata.com\r
+chindmoz.com\r
+chipiona.to\r
+chloesworld.com\r
+choose-online-university.com\r
+chrislaker.co.uk\r
+chuanganqi.dzsc.com\r
+chuanqisuji.com\r
+chunmeng.com\r
+cialis.homeip.net\r
+cialis.incredishop.com\r
+cialis.xs3.com\r
+cialisapcalis.com\r
+cialis-buy.com\r
+cialis-dot.com\r
+cialis-express.com\r
+cialis-online.b3.nu\r
+cialis-online-1.qn.com\r
+cialisusa.bravehost.com\r
+ciscochina.com\r
+claireburgos.com\r
+clamber.de\r
+clanbov.com\r
+clarks-shoe.u4l.com\r
+classifiche-italiane.org\r
+claudiachristian.co.uk\r
+clayjames.com\r
+cleannbright.co.uk\r
+click\.hn\.org\r
+click-or-not.de\r
+clophillac.org.uk\r
+closed-network.com\r
+club69.net\r
+cmeontv.de\r
+cmmdc.com.cn\r
+cn80051.1816.net\r
+cnbess.com\r
+cnbjflower.com\r
+cn-clothing.com\r
+cn-computer.com\r
+cndevi.com\r
+cn-dynamotor.com\r
+cn-exhibition.com\r
+cn-fashion.com\r
+cnfibernet\.com\.cn\r
+cnfti.org.cn\r
+cngreat\.net\r
+cn-present.com\r
+cn-press.com\r
+cn-Satellite-tv.com\r
+cnsec.cn\r
+cntaiyangneng.com\r
+cntoplead.com\r
+cn-vcr.com\r
+cnvideomeeting.com\r
+co.tradeinfo.cn\r
+codeine.xs3.com\r
+codeine-online.imess.net\r
+coin-abndalucia.to\r
+college-girl-pic.com\r
+college-links.net\r
+coma-cn.com\r
+combaltec.com\r
+comeback.com\r
+cometo(japan|malaysia|singapore|thailand).com\r
+commovie-china.com\r
+competa.to\r
+completelycars.com\r
+completelyherbal.com\r
+comptershops-online.de\r
+computer666.com\r
+computer888.com\r
+computer-onlinebestellung.de\r
+computer-und-erotische-spiele-download.com\r
+computerversand-xxl.de\r
+confession-of.mine\r
+conil.to\r
+conjhost.com\r
+container-partner.de\r
+contake.com\r
+cool\.as\r
+cool-extreme.com\r
+coolgoose.com\r
+coolhost\.biz\r
+coolp.(biz|net|org)\r
+copy168.com\r
+cor-admin.co\r
+cor-admin.com\r
+coresleep.com\r
+cornishholidaysuk.com\r
+cosmetics2008.com\r
+cosmetics666.com\r
+costa-blanca-alicante.to\r
+costa-blanca-denia.to\r
+costa-blanca-elche.to\r
+costa-blanca-ibi.to\r
+costa-blanca-javea.to\r
+costa-blanca-torrevieja.to\r
+couponmountain.com\r
+cover-your-feet.com\r
+cpravo.ru\r
+cqychy.com\r
+craftwork2008.com\r
+cragrats-catering.co.uk\r
+cragrats-education.co.uk\r
+cragrats-inspiring.co.uk\r
+cragrats-react.co.uk\r
+cragratstraining.co.uk\r
+crazypussy.info\r
+crazyvirgin\.info\r
+creavic.com.cn\r
+creditcardpost.com\r
+credit-factor.com\r
+credit-links.net\r
+credit-report-links.net\r
+csnec.net\r
+cstarcom.com\r
+cszg\.net\r
+cum-facials.us\r
+cumfiesta-4u.com\r
+cumon.no-ip.org\r
+customer-reviews.org\r
+cvdiy.com\r
+cvdiy\.com\r
+cw92013.chinaw3.com\r
+cxcn\.info\r
+cyberfreehost.com\r
+cycatki.com\r
+cyclobenzaprine.00freehost.com\r
+cyclo-cross.co.uk\r
+cykanax.com\r
+czwin.com.cn\r
+dad-daughter-incest.com\r
+dadi009\.91\.tc\r
+dahongbao.com\r
+dailyliving.info\r
+damadaoju.com\r
+damianer.top-100.pl\r
+danni.com\r
+dapt\.org\r
+darest.de\r
+datasoon.com\r
+datestop.net\r
+dating-(choice|harmony|service-dating|services-dating-service).com\r
+dating999.com\r
+dating-online-dating.org\r
+day4sex.com\r
+deathblow\r
+debt-consolidation-care\.com\r
+debtconsolidationfirm.net\r
+debt-consolidation-kick-a.com\r
+debt-consolidation-low-rates.biz\r
+debt-consolidation-now-online.com\r
+debtconsolidationusa.org\r
+debt-disappear.com\r
+debtmanagementcompanyonline.com\r
+debt-solution-tips.com\r
+decorationsexport.com\r
+dedichepersonali.com\r
+deep-ice.com\r
+deikmann.de\r
+dela88.com\r
+delay-dva.com\r
+deli.net.cn\r
+dentalinsurancehealth.com\r
+department-storez.com\r
+desiraesworld.com\r
+deutschlandweite-immobilienangebote.de\r
+devonanal.com\r
+devon-daniels.com\r
+diabetes-cn.com\r
+dianepoppos.com\r
+dianying8.net\r
+diarypeople.com\r
+diecastdot.com\r
+digitale-teile.de\r
+digital-projector.net\r
+dindon.cn\r
+dinmo.net\r
+directcarrental.com\r
+directcti.com\r
+directrape.com\r
+directringtones.com\r
+direct-tv-for-free.com\r
+dirty-story.blogspot.com\r
+discount-airfares-guide.com\r
+discount-cheap-dental-insurance.com\r
+discount-life-insurance.us\r
+discountprinterrefill.com\r
+discoveryofusa.com\r
+divorce-links.com\r
+dlctc.com\r
+dmoznet.com\r
+dmoznet.net\r
+dmoznet.org\r
+dnip.net\r
+dn-register.com\r
+dns\.com\.cn\r
+dns110.com\r
+do\.9jh\.com\r
+dogolz.de\r
+domkino.com.ua\r
+dongdao.net\r
+dont-lost-money.info\r
+doo.pl\r
+door168.com\r
+doppi.static.net\r
+dorka\.ifindex\.com\r
+dostweb.com\r
+dotas.com\r
+dotcomup.com\r
+dotmoment.com\r
+downloadzipcode.com\r
+downsms.com\r
+dr\.ag\r
+dragonball-?x*.biz\r
+dragonball-?x*.cc\r
+dressagehorseinternational.co.uk\r
+dress-cn.com\r
+drive-backup.com\r
+drochka.com\r
+drozd\.voxelperfect\.net\r
+drs.infosec.org.cn\r
+drugsexperts.com\r
+drugstore.blog-city.com\r
+drugstore.st\r
+drugstore-online.us\r
+drunk-girls-(flashing|party).(com|us)\r
+dstmedia.com\r
+dudoctor\.com\r
+duducat.com\r
+dunecliffesaunton.co.uk\r
+duriel.static.net\r
+duvx\.com/bbs\.php?bbs=vs\r
+dvd2.us\r
+dvd-copier.info\r
+dvd-home-theatre.com\r
+dwoq.com\r
+dzhsc.com\r
+e40.nl\r
+earphone168.com\r
+easy-money-investing.com\r
+easyrecorder.com\r
+easyseek.us\r
+ebackground-checks\.com\r
+ebaybusiness.net\r
+ebony-xxx.us\r
+ebookers.co.uk\r
+e-bookszone.com\r
+ec198.com\r
+ec51.cn\r
+ec51.com\r
+ec51.net\r
+ec51.org\r
+ec91.com\r
+ecar-rentals\.com\r
+ecblast.com\r
+eccentrix.com/members/casinotips\r
+echinabid.com\r
+echinabid\.com\r
+echofourdesign.com\r
+e-cialis.net\r
+ecologix.co.uk\r
+e-credit-card-debt.com\r
+ecredit-report\.com\r
+eden\.fx120\.net\r
+e-discus.com\r
+e-dishnetworks\.com\r
+edrugstore.md\r
+edwardbaskett.com\r
+effexor.cc\r
+effexor-web.com\r
+e-fioricet.com\r
+e-free-credit-reports.com\r
+eggesfordhotel.co.uk\r
+egyway.com\r
+einfach-wunschgewicht.com\r
+elcenter-s.ru\r
+eldorado.com.ua\r
+electromark-uk.co.uk\r
+electronics-info.com\r
+elegant-candles.com\r
+elektronikshop-xxl.de\r
+elie\.com\.cn\r
+elite-change.com\r
+elitecities.com\r
+eliulin.com\r
+elrocio.to\r
+elviria.to\r
+emmasarah.com\r
+emmss.com\r
+enacre.net\r
+ena-free-show\.info\r
+endns.net\r
+e-news.host.sk\r
+enine-pv.com\r
+envoyer-des-fleurs.com\r
+e-online-bingo.com\r
+eonsystems.com\r
+e-order-propecia.com\r
+epackshop.net\r
+e--pics.com\r
+eplastic-surgery\.com\r
+e-play-bingo.com\r
+epsystem.net\r
+erbium12.com\r
+erosway.com\r
+erotic4free.net\r
+eroticalservers.net\r
+erotic-free.com\r
+erotic-lesbian-story.blogspot.com\r
+erotic-video.us\r
+erotische-geschichten-portal.com\r
+errolware.com\r
+escort-links.net\r
+escorts-links.com\r
+eScrew is\r
+esmartdesign.com\r
+esmoz.com\r
+estepona.to\r
+ethixsouthwest.com\r
+etoo.cn\r
+etowns\.org\r
+e-tutor.com\r
+evanstonpl.org\r
+event-kalendarium.de\r
+everyvoice.net\r
+evromaster.ru\r
+exdrawings.com\r
+execsoft-software.co.uk\r
+executive-chauffeur-hire.co.uk\r
+ex-machine.com\r
+exoticdvds.co.uk\r
+exoticmoms.com\r
+expatdream.com/blog/aclarar\r
+experienceflagstaff.com/blogs/xzchro\r
+extralife\.biz\r
+extrasms.de\r
+extreme-rape.org\r
+extreme-sex.org\r
+eye-laser.co.uk\r
+f2g.net\r
+f2s.be\r
+fabida.net\r
+fabricant-accessories.co.uk\r
+fabulos.de\r
+fabuloussextoys.com\r
+facial-skin-care-center.com\r
+fairchild.com.cn\r
+fairland.cn\r
+fairyblog.com/conect\r
+fakir\.zenno\.info\r
+family-incest.us\r
+fangso\.com\r
+fansjiaoab.blog.163.com\r
+fantasyfootballsportsbook.com\r
+farm-beastiality.com\r
+farmsx.com\r
+fasa\.jetco-ops\.com\r
+fashuo300.com\r
+fast-fioricet.com\r
+fast-mortgage-4-u.com\r
+fat-cash.com\r
+fateback.com\r
+fat-lesbians.net\r
+fat-pussy-sex.net\r
+fatty-liver.cn\r
+fatwarfare.com\r
+favilon.net\r
+fda.com.cn\r
+fdl.net.cn\r
+feexpert.com\r
+feilun.com.cn\r
+female-orgasms.org\r
+ferta\.imlds\.com\r
+fielit.de\r
+figa.nu\r
+finance-world.net\r
+finanzen-marktplatz.de\r
+find-a-mortgage.co.uk\r
+findbookmakers.com\r
+find-cheap-dental-plans.com\r
+finddatingsites.com\r
+findsexmovie.info\r
+findsexxx.us\r
+find-u-that-mortgage.com\r
+findyouruni.com\r
+finger-bobs.com\r
+fioricet.batcave.net\r
+fioricet.bravehost.com\r
+fioricet.st\r
+fioricet-dot.com\r
+fioricet-web.com\r
+firefoxdownload\.us\r
+first-time-story.blogspot.com\r
+fishoilmiracle.com\r
+fitness-links.net\r
+fitnessx.net\r
+fittest\.250m.com\r
+flash77.com\r
+flatbedshipping.com\r
+fleet-drive.co.uk\r
+fleshlight.org\r
+flewblog.net\r
+flexeril-web.com\r
+flirt08.de\r
+floraday\.com\.cn\r
+flowertobj.com\r
+flowerwish.com\r
+flug-und-mietwagen.de\r
+fly-sky.com\r
+fm360.net\r
+food-cn.com\r
+football-betting-nfl.com\r
+forceful.de\r
+forex.inc.ru\r
+forex[\w-]*\.info\r
+forex-online-now.com\r
+forlovedones.com\r
+forseo\.\r
+foto-gay.us\r
+found-money-investment.info\r
+franchise\.ws\r
+frangelicasplace.org\r
+frankpictures.com\r
+free(hostingpeople|webs|web-hosting).com\r
+free-adult-chat-room.com\r
+free-adult-check.com\r
+freeallsearch.com\r
+free-britney-spears-nude.biz\r
+free-debt-consolidation-online.us\r
+freedvdplayer.cjb.net\r
+freeeads.co.uk\r
+free-fast.net\r
+free-games-links.com\r
+free-gay-video-clip.com\r
+free-hilton-paris-sex-video.com\r
+free-horoscopes.biz\r
+free-incest-stories-site.com\r
+free-latina-mpg.com\r
+freemovie-cn.com\r
+free-net-sex.com\r
+freenetshopper.com\r
+freenudegallery.org\r
+free-paris-nikki-hilton.blogspot.com\r
+freepicsdaily.com\r
+free-satellite-tv-directv-nocable.com\r
+free-satellite-tv-now.com\r
+freeteenpicsandmovies.com\r
+free-teens-galleries.com\r
+free-texas-?hold-?em.(biz|us)\r
+freewebpage.org\r
+freewhileshopping.com\r
+freshsexhosting.com\r
+friko.pl\r
+fromru.com\r
+fspv.com\r
+fssj.com\r
+fsyflower\.com\r
+fuck\-my\-ass\.info\r
+fuck-animals.com\r
+fuckfrompussy\.info\r
+fuelcellmarketplace.co.uk\r
+fuel-dispenser.com\r
+fuengirola-costa-del-sol.to\r
+fuerteventura.to\r
+fuhaidasha.com.cn\r
+fulongcn.com\r
+funasia.cn\r
+funmod.com\r
+funny-girls\.info\r
+fun-spass-game.de.ms\r
+furensteel.cn\r
+furensteel\.cn\r
+furniture135.com\r
+furrios.de\r
+furry-kinks-looking.com\r
+furry-kinks-looking.net\r
+futurenet.com.cn\r
+fzrr.com\r
+gagnerargent.com\r
+gals4all.com\r
+galsonbed.com\r
+gamble-on-football-online.com\r
+gambling\Sgames.cc\r
+gamefinder.de\r
+games-advanced.de\r
+gang-rape.org\r
+gangxing.com\r
+gaokao.net.cn\r
+garment-china.com\r
+garrywa.com\r
+gartenshopper.de\r
+garthfans.co.uk\r
+gaucin.to\r
+gay-b.com\r
+gaybloghosting.com/kushi\r
+gay-boy.us\r
+gayfunplaces.com\r
+gayhomes\.net\r
+gay-male-story.blogspot.com\r
+gay-nude.us\r
+gay--sex.org\r
+gay-sex-videos.com\r
+gays-sex-gay-sex-gays.us\r
+gay-twinks-sex.com\r
+gayx.us\r
+gcchq.com\r
+gdgc.org\r
+gelago.de\r
+gem2.de\r
+gemtienda.co.uk\r
+generic-ambien.qn.com\r
+generic-cialis.qn.com\r
+generic-levitra.qn.com\r
+generic-propecia.net\r
+generic-valium.512bit.at\r
+genimat.220v.org\r
+genimat.cjb.net\r
+geocities.com/alexgolddphumanrbriar\r
+geocities.com/avbmaxtirodpaulmatt\r
+geocities.com/brandtdleffmatthias7\r
+geocities.com/cclibrannar_rover\r
+geocities.com/constpolonskaalniko7\r
+geocities.com/forestavmiagdust\r
+geocities.com/free_satellite_tv_dish_system\r
+geocities.com/ofconvbdemikqfolium\r
+geocities.com/pashkabandtvcom\r
+geocities.com/pautovalexasha_kagal\r
+geocities.com/reutovoalexeypetrovseverin5\r
+geocities.com/timryancompassmedius\r
+gerardoknutson.com\r
+germanytek.com\r
+gesundheitsshop-kosmetik.de\r
+gesundheit-total.com\r
+getapussy\.info\r
+get-cell-phone-accessories.com\r
+getdomainsandhosting.com\r
+get-free-catalogs.com\r
+get-freetrial.us\r
+get-hardcore-sex.com\r
+gethelp24x7.net\r
+get-insurance-quotes.com\r
+getitip.org\r
+getmoregiveless.com\r
+getrxscripts.biz\r
+get-satellite-tv-dish.com\r
+getstarted24x7.net\r
+getyourlyrics.com\r
+get-zoo.com\r
+gghggh.com\r
+gguu\.com\r
+ghettoinc.com\r
+giantipps.de\r
+gifs-clipart-smiley.de\r
+gilerarunner.8m.com\r
+giochi-online.us\r
+giochix.com\r
+girls\-pussies.info\r
+girlshost.net\r
+girlswantsmore\.info\r
+girls-with-cunts\.info\r
+giveramp.com\r
+give-u-the-perfect-mortgage.com\r
+glass8888.com\r
+glendajackson.co.uk\r
+global-phonecard.co.uk\r
+globalsearch.cn\r
+global-verreisen.de\r
+globalwebbrain.com\r
+globalwiremesh\.com\r
+glory-vision.com\r
+gloveboxes.com.cn\r
+gloveboxes\.com\.cn\r
+go.nease.net\r
+godere.org\r
+gogito.com\r
+gogoogle.net\r
+gogt\.info\r
+gojerk.com\r
+goldenholiday.com\r
+golfhq\.org\r
+gomvents.com\r
+gongi.pl\r
+gonzalesltd.com\r
+goodasses\.info\r
+goodlife2000-geheimtipp.com\r
+goodsexy.com\r
+goodwebsite.org/blog/elrincondelvago\r
+google8.net\r
+googleandbaidu.com\r
+googlebaidu.com\r
+googlepromotion.com\r
+google-seo.net\r
+googlesweb\.com\r
+googletosh.com\r
+go-pussy.titanhousing.com\r
+gotobiz.net\r
+gotooa.com\r
+government-grants.org\r
+government-grants.ws\r
+gpo4.com\r
+gpsplanet\.org\r
+grafit\.zenno\.info\r
+grancanaria.to\r
+grannypictgp.com\r
+grannysexthumbs.com\r
+great-cialis.com\r
+greatnow.com\r
+greecehotels-discount.com\r
+green-gradens\.org\r
+green-tx.com\r
+greewon\.com\.cn\r
+grinding-mill.net\r
+group-eurosex.com\r
+gt-lite.com\r
+guadalmina.to\r
+guardami.org\r
+guenstige-(krankenversicherung|onlineshops|sportartikel|versicherungstarife).(com|de)\r
+guizang.net\r
+guttermag.com\r
+gyhx.com\r
+gym-equipments\.org\r
+gyrohost.com/iboga\r
+h1\.ripway\.com/xz\r
+h2kmatrix.com\r
+haffa.static.net\r
+haidianjiaxiao.com\r
+hainan35\.com\r
+hair-loss-cure.net\r
+hairy-pussy-sex.net\r
+haishun.net\r
+hallo-tierfreund.de\r
+hand-job.us\r
+handwerksartikel-xxl.de\r
+handy-klingeltoene.eu.tp\r
+handylogos-klingeltoene.net.ms\r
+handysprueche.de\r
+handytone.us\r
+hangchen.cn\r
+hangchen.com\r
+haole\.cn\r
+happyagency.com\r
+happy-shopping-online.com\r
+hardcore-(jpg|junky|pictures|pussy|sex|video).(com|us|bz|net)\r
+hardcorecash.net\r
+hard-sex-teen.com\r
+hardware123.com\r
+hardware888.com\r
+hartsflorist\.com\r
+haugeprint.co.uk\r
+hautesavoieimmobilier.com\r
+hchcinc.com\r
+hddata.com\r
+hdfix.com.cn\r
+headachetreatment.net\r
+healthmore.net\r
+healthrules.org\r
+heartbeatofhealing.org\r
+heavytools.webzdarma.cz\r
+heb-shuntong.com\r
+hebu.myrice.com\r
+hello\.to\r
+hentay.us\r
+herpies.net\r
+hewittlandscapes.co.uk\r
+heydo.com\r
+hg-fix\.com\r
+hgxweb.de\r
+hhpumps.cn\r
+high-risk-merchant-account.org\r
+hilton-nicky-paris.blogspot.com\r
+hion.cn\r
+hit168.net\r
+hit-melodias.com\r
+hits?-logos?-(games|klingeltone?|ringe?tone|suoneria).com\r
+hitslogosgames.com\r
+hjsos.com\r
+hk99689.com\r
+hk99w.com\r
+hkfor\.cn\r
+hkfor\.com\r
+hkfor\.net\r
+hkfor\.org\r
+hksaa\.net\r
+hksac\.org\r
+hlduanjian.com\r
+hmlaser.com\r
+hmxuan.com\r
+hnhqmj\.com\r
+hobbs-farm.com\r
+hogwatch\.org\r
+hold-em-big.com\r
+hold-pok.com\r
+hold-screen.com\r
+home.soufun.com\r
+home\.ro\b\r
+home\-trade\.net\r
+home4web.org/(hainan|fanguangcailiao|gongzuofu|niupixian|tuozhan)\r
+home-business-ideas-investment.info\r
+home-business-investments.info\r
+home-internet-business-investment.info\r
+homelivecams.com\r
+homenetworkingsolutions.co.uk\r
+home-secure\.org\r
+home-videos.net\r
+hongkong\.richful\.net\r
+hongkongcompanyregistry\.com\r
+horny-honey.com\r
+hornymoms.net\r
+hornypages.com\r
+horny-world.com\r
+horoskop-auswertung.de\r
+horse-racebetting.com\r
+horse-sex.ws\r
+hospitalonline\.cn\r
+hostingplus.com\r
+hostultra.com\r
+hotchina.org\r
+hot-cialis.com\r
+hotel\.altse\.com\r
+hotel\.netsuns\.net\r
+hotelbookingserver.com\r
+hotel-bordeaux.cjb.net\r
+hotelsaficionado.com\r
+hotelsplustours.com\r
+hot-escort-services.com\r
+hotfunsingles.com\r
+hot-mates.info\r
+hotmoko\.info\r
+hot-naked-guys.net\r
+hotsexys.com\r
+hotusa.org\r
+house222.com\r
+house263\.com\r
+houseclub.com.cn\r
+how-quit-smoking.com\r
+how-to-make-money-investment.info\r
+hp-ibm.com\r
+hs168.com\r
+ht-sensor\.com\r
+https?://[^/\n]*8k\.com\r
+https?://[^/\n]*ap8\.com\r
+https?://[^/\n]*bare\.org\r
+https?://[^/\n]*danni\.com\r
+https?://[^/\n]*doo\.pl\r
+https?://[^/\n]*dr\.ag\r
+https?://[^/\n]*e40\.nl\r
+https?://[^/\n]*f2s\.be\r
+https?://[^/\n]*it\.tt\r
+https?://[^/\n]*t35\.com\r
+https?://[^/\n]*via\.net\r
+huafei7.cn\r
+huahuan.com\r
+hua-shun.com.cn\r
+huazhangmba.com\r
+huelva.to\r
+huihualin.com\r
+human-cn.com\r
+humangrowthhormone.org\r
+hunksandbabes.com\r
+hustler.bz\r
+hustlerw.com\r
+huyprossish\.pcadsl\.com\.tw\r
+hydrocodone.webzdarma.cz\r
+hydrocodone-online.hotusa.org\r
+hydrocodone-without-prescription.enacre.net\r
+hyip[\w-]*\.(info|com)\r
+hyper-sex.com\r
+hypnobabies.co.uk\r
+hzjl365.com\r
+hzn.cn\r
+ialmostdied\.com\r
+ibiza-island.to\r
+i-black-jack.com\r
+i-butalbital-fioricet.com\r
+i-buy-mortgage.com\r
+icpcn\.com\r
+idc2008\.cn\r
+idebtconsolidation.org\r
+i-directv.net\r
+i-dish-network.org\r
+i-flexeril.com\r
+ifreepages.com\r
+ig3.net\r
+ihongtai\.com\r
+i-horny.com\r
+i-ink-cartridges.com\r
+illegalhome.com\r
+illegalspace.com\r
+imeanit.org\r
+imess.net\r
+imitrex-web.com\r
+immobilien-?(auswaehlen|angebote-auswahl|makler-angebote|makler-l|-l).de\r
+immobilienmarkt-grundstuecke.de\r
+immobilierdessavoie.com\r
+immodev.com\r
+im-naked.com\r
+Imobissimo.com\r
+i-mortgage-online.com\r
+important\.as\r
+impotence-rx.biz\r
+incest-?((pics|photos?|stories|movies|videos)-?(collection|download|gallery|archive|library)?|reality|relations|taboo).(com|biz|net|ws)\r
+incest[0-9]\.org\r
+incest-pics--incest.com\r
+incest--stories.org\r
+inc-magazine.com\r
+incredishop.com\r
+indiasilk.biz\r
+indiasilktradition.com\r
+industrialresource.biz\r
+industrial-testing-equipment.com\r
+i-need-money-ideas.info\r
+inescudna.com\r
+inexpensiverx.net\r
+infopoint.cn\r
+inforceable.com\r
+inforceables.com\r
+innfg.de\r
+insatax\.com\r
+insatiablepussy.com\r
+inspection-trips.com\r
+insurance.*\.go\.ro\r
+insurancehere.net\r
+insurance-quotes-fast.com\r
+interealty.es\r
+international-candle-shop.com\r
+international-cheese-shop.com\r
+internet-explorer\.ws\r
+internet-goulasch.com\r
+internette-anbieter.de\r
+interphone555.com\r
+interracial-sex.ws\r
+inter-ross.ru\r
+interseo\.com\r
+int-fed-aromatherapy.co.uk\r
+in-the-vip.org\r
+inthevip-4u.com\r
+inthevip-sex.com\r
+intking.com\r
+intlcr\.cn\r
+intlcr\.com\r
+intlcr\.net\r
+intlcr\.org\r
+intymnie.com\r
+investing-get-rich-quick.info\r
+investments-free-money.info\r
+inviare-mms.net\r
+invio-mms.us\r
+Invite-cn.com\r
+i-online-bingo.com\r
+ipaddressworld.com\r
+i-play-bingo.com\r
+i-play-blackjack.com\r
+ipmotor.com\r
+ipodnano\.cn\r
+ipodshop\.cn\r
+ipsnihongo.org\r
+iqwork.com\r
+irianjaya.co.uk\r
+isgre\.at\r
+i-shemale.com\r
+i-skelaxin.com\r
+islacanela.to\r
+islacristina.to\r
+isla-fisher\.com\r
+islantilla.to\r
+i-soma.net\r
+isourceindia.com\r
+isparkl.com\r
+ispycameltoe.com\r
+i-texas-hold-?em.(biz|com|info|us)\r
+itisok\.net\r
+it-mgz.ir/forfamilies\r
+itzhongguo.com\r
+iul-online.de\r
+i-university-guide.com\r
+ivoryvaughan.com\r
+iwebbroker.com\r
+i-wellbutrin.com\r
+i-will-find-the-best-mortgage-lead.com\r
+i-win-bingo.com\r
+iza.net/\r
+jack-x.com\r
+jade.bilder-i.de\r
+jandia.to\r
+japan-partner.com\r
+javelin.static.net\r
+jbbjcc.com\r
+jerez.to\r
+jewelry4navel.com\r
+jewelry666.com\r
+jforce.no-ip.org\r
+jgc-network.co.uk\r
+jgzhutanfang.com\r
+jhhkw.com\r
+jhyujik\.org\r
+jiadian666.com\r
+jialicn.com\r
+jialicn\.com\r
+jieju-china.com\r
+jingtong\.com.cn\r
+jinlong.co.uk\r
+jinxique.com\r
+jinyibei.com.cn\r
+jinyuetuan\.cn\r
+jipu.com.cn\r
+jk-999.com\r
+jnqidong.com\r
+jobbnu.com\r
+job-interview-questions-tips.com\r
+joes\.com\r
+johnhowesatty.com\r
+join-2008.com\r
+joinin-cn.com\r
+jokeria.de\r
+jp114\.cn\r
+js-chenguang.com\r
+judahskateboards.com\r
+juliamiles.co.uk\r
+jungfrauen-sex.com\r
+junyuan.com.cn\r
+justasex.com\r
+jzhrb.com.cn\r
+jz-machine\.com\r
+kamerry.com\r
+kangdachemical.online.sh.cn\r
+kangxin.com\r
+kantorg.h10.ru\r
+karibubaskets.com\r
+karma.za.pl\r
+karmicdebtconsolidation.com\r
+kcufrecnac.com\r
+keikoasura.com\r
+keithandrew.co.uk\r
+kewler.net\r
+kewl-links.com\r
+kickme\.to\r
+kickmy.com\r
+ki-disease.com\r
+kinggimp.org\r
+kinkyhosting.com\r
+kiranthakrar.co.uk\r
+kitehost.com/decoratie\r
+kktthhyy\.org\r
+kleinkinder-shop.de\r
+klingeltoene-handylogos.de.be\r
+klingeltone-logo.com\r
+klingelton-logos-mms.de\r
+klitoris.ca\r
+kln.com.cn\r
+kmsenergy.com\r
+kohost.us\r
+koihoo.com\r
+kontaktanzeigen-bild.de.ms\r
+kontaktlinsen-kaufen.de.ms\r
+kontaktlinsen-partner.de\r
+korol.lir.dk\r
+kostenlose-sexkontakte.org\r
+kraskidliavas.ru\r
+kredite-online.de.ms\r
+kredite-portal.de\r
+kredite-sofortzusage.de\r
+kreditkarten-sofort.de.ms\r
+kredit-ratenkredit-sofortkredit.de\r
+krutop.static.net\r
+kuangye.net\r
+kupibuket.ru\r
+kyfarmhouse.org\r
+labelcan\.com\r
+lablog.biz\r
+lach-ab.de\r
+lajares.to\r
+lakesideartonline.com\r
+lalinea.to\r
+lambethcouncil.com\r
+landscape-painting.as.ro\r
+langsrestaurant.com\r
+lannygordon.com\r
+lannythurman.com\r
+lanreport.com\r
+lantai.com.cn\r
+lanucia.to\r
+laptopy.biz.pl\r
+laser-eye.co.uk\r
+laser-eye-centre.co.uk\r
+laser-eye-correction.co.uk\r
+lasikclinic.co.uk\r
+lastminute-blitz.de\r
+lasvegas-real-estate.net\r
+las-vegas-real-estate-1.com\r
+lasvegasrealtor.com\r
+lasvegastourfinder.com\r
+latina-sex.ws\r
+lavalifedating.com\r
+lavinuela.to\r
+law-translation\.com\r
+lcd-cn.com\r
+leadbanx.com\r
+leather168.com\r
+leatherfamous.com\r
+lechery-family.com\r
+left-page.com\r
+legalblonde.com\r
+leonabruno.com\r
+lesbian-girl.us\r
+lesbichex.com\r
+leseratten-wunderland.de\r
+letemgo.de\r
+letomol\.com\r
+leveltendesign.com\r
+lexapro-web.com\r
+lgt-clan.ru\r
+liaozhi\.org\r
+lifedna.com\r
+life-insurance-advisor.com\r
+lifeinsurancefinders.com\r
+lifeslittle-luxuries.co.uk\r
+lifuchao.com\r
+light518.com\r
+likesmature.com\r
+lindsaylife\.com\r
+lingerie-guide\.org\r
+lingerie-land.com\r
+link-dir.com\r
+linkedin\.com\.cn\r
+linkliste-geschenke.de\r
+linseysworld.com\r
+linuxwaves.net\r
+lipitordiscount.biz\r
+lipitordiscount.com\r
+list1st.com\r
+listbanx.com\r
+livetexasholdem.com\r
+livetreff.tv\r
+livevents.de\r
+livingchina.cn\r
+lizziemills.com\r
+lkcx\.com\r
+l-king.com.cn\r
+lliippoo\.org\r
+lloret.to\r
+lnhbsb\.com\r
+loaninfotoday.com\r
+loan-king.com\r
+loans.de.vu\r
+loans-4all.com\r
+loan-superstore.com\r
+locationcorse.free.fr\r
+logical-planet.co.uk\r
+logod-helinad-mangud.com\r
+logoer-mobil.com\r
+logos?-(beltonen|downloads|free|klingeltone|max|melodias|mobiel|mobile-repondeurs?|moviles|phones|repondeurs?-mobile|spiele|tones?).com\r
+logosik.pl\r
+logos-logos.be\r
+logos-melodijas-speles.com\r
+logotyper-mobil.com\r
+lolita-bbs.name\r
+longcrossgroup.co.uk\r
+longslabofjoy.com\r
+longsuncard.com\r
+lookforukhotels.com\r
+lop\.t28\.net\r
+loraxe.com\r
+lotye\.schillerstudent\.com\r
+love.csnec.net\r
+lowclass.de\r
+lowcost.us.com\r
+lowest-rates-mortgages.com\r
+ltjz2000.com\r
+lucking.com.cn\r
+luffassociates.co.uk\r
+luxus-gourmetartikel.de\r
+lvrealty.net\r
+lygweb.com\r
+lynskey-admiration.org.uk\r
+lyriclovers.com\r
+ly-yufeng.com\r
+lzbiz\.com\r
+ma-cabinet.com\r
+machine168.com\r
+machine88.com\r
+macinstruct.net\r
+maffi.static.net\r
+magus1.net\r
+mail333.com\r
+mainentrypoint.com\r
+mainjob.ru\r
+majorapplewhite.info\r
+make-money-investment.info\r
+malaga-costa-del-sol.to\r
+mallorca-island.to\r
+mallorycoatings.co.uk\r
+man.interhousing.com\r
+management666.com\r
+map666\.com\r
+marriage666.com\r
+marshallsupersoft.com\r
+marteq-on.com\r
+matalascanas.to\r
+match-me-up.com\r
+matureacts.com\r
+mature-big-tits.net\r
+maturefolk.com\r
+mature-old-mature.com\r
+mature-women\.enter-in\.etowns\.org\r
+mavina.static.net\r
+maxigenweb.com\r
+maxxsearch.com\r
+mba100.com\r
+mbgeezers.com\r
+medcenterstore.com\r
+mediaaustralia.com.au\r
+medications-4all.com\r
+medicine-supply.com\r
+meds-pill.com\r
+medyep.com\r
+meetpeopleforsex.com\r
+mega-spass.com\r
+melincs.org\r
+melodias-logos-juegos.com\r
+melucky.com\r
+members.fortunecity.com/kennetharmstrong\r
+members.lycos.co.uk/tramadol\r
+menexis.com\r
+mengfuxiang.com\r
+menguma.co.uk\r
+menguma.com\r
+menorca.to\r
+men-sex.us\r
+menzyme.com\r
+meoko.com\r
+mewqsd.org\r
+mercedesazcona.com.ar\r
+mercefina.com\r
+merditer.com\r
+merlinworld.com\r
+mesothelioma-asbestos-help.com\r
+mesothelioma-health.com\r
+metroshopperguide.com\r
+mfdy8\.cn\r
+mhgzs\.com\r
+micrasci.com\r
+microscope-cn.com\r
+midi\.99caixin\.com\r
+mietangebote-domain.de\r
+migraine-relief.com\r
+mijas.to\r
+mikebunton.com\r
+mikewsd.org\r
+milesscaffolding.co.uk\r
+millionaire-blogs.com/cosmeticdentistry\r
+minxinghb.com\r
+missoula.com/blog/occupation\r
+misterwolf.net\r
+mmorpg-headlines.com\r
+mms.coay.com\r
+mmsanimati.com\r
+mneuron.com\r
+mobilefor.com\r
+-mobile-phones.org\r
+mobilequicksale.com\r
+mobile-repondeurs?-logos?.com\r
+mobilesandringtones.com\r
+mode-domain.de\r
+mode-einkaufsbummel.de\r
+molding-tool.com\r
+moltobene.ru\r
+momcare.com.cn\r
+monarch.com.cn\r
+moneybg.com\r
+money-room.com\r
+montaguefineart.com\r
+mookyong.com\r
+mooo.com\r
+mortage-4all.com\r
+mortgage-info-center.com\r
+mortgage-rates-guide.net\r
+mortgages-links.net\r
+mortloan.com\r
+mostika.us\r
+mother-son-incest-sex.net\r
+moto-cn.com\r
+motonet.pl\r
+motor2008.com\r
+movie-online123.com\r
+movies6.com\r
+mp3download.bz\r
+mp3x.biz\r
+mpeg2pci.com\r
+mqblog.cn/user1/jipiao\r
+mqblog.cn/user1/qiufeng\r
+mqfzj.blog.ccidnet.com\r
+mrpiercing.com\r
+mujweb.cz\r
+mujweb\.cz\r
+multipurpose-plants.net\r
+multiservers.com\r
+multivision.com.hk\r
+murcia.to\r
+musica-gratis.biz\r
+musica-gratis.org\r
+musica-karaoke.net\r
+musical88.com\r
+musica-mp3.biz\r
+musicamp3.us\r
+musiccheap.us\r
+music-downloads-links.com\r
+musicenergy.com\r
+muxa.ru\r
+mxbearings.com\r
+mxzt.com\r
+my.nbip.net/homepage/nblulei/\r
+my-age.net\r
+myasiahotels.com\r
+mybestclick.com\r
+mybooktown.com\r
+mycv.cn\r
+mycv.com.cn\r
+mycv\.com\.cn\r
+mydatingagency.com\r
+my-dating-agency.com\r
+mydear\.biz\r
+my-discount-cigarettes.com\r
+myeuropehotels.com\r
+myfavlinks.de\r
+myflooring\.org\r
+mygenericrx.com\r
+mymistake.biz\r
+mymixture.com\r
+my-mom.kicks-ass.net\r
+myricenet.com\r
+myrtlejones.com\r
+myseo.com.cn\r
+MyServer.org\r
+my-sex-toys-store.com\r
+myslimpatch.com\r
+mystify2001.com\r
+naar\.be\r
+nabm(il|li)or.com\r
+nabpak.org\r
+naked-gay.us\r
+naked-pussy.us\r
+naked-womens-wrestling-league-dvds.com\r
+naked-womens-wrestling-league-videos.com\r
+nancyflowerswilson.com\r
+nanyangcn.net\r
+narod.ru\r
+nasty-pages.com\r
+natel-mobiles.com\r
+natural-barleygreen.com\r
+natural-breasts-enhancement.net\r
+naturalknockers.net\r
+navinic\.com\r
+nazari.org\r
+nbflashlights.com\r
+nbip.net\r
+ne1\.net\r
+nease.net\r
+nebulax.net\r
+necsi.com.cn\r
+neiladams.org.uk\r
+nemarov.com\r
+nerja.to\r
+netbank.cn\r
+netfirms.com\r
+netisc\.net\r
+netizen.org\r
+netlogo.us\r
+net-mature.com\r
+netnetn.com\r
+netsuns.net\r
+netsuns\.net\r
+netsx.org\r
+net-von-dir.de\r
+neurogenics.co.uk\r
+neverback.com\r
+new-cialis.com\r
+newfurnishing.com\r
+newgallery.co.uk\r
+newideatrade.com\r
+newsnewsmedia.com\r
+newxwave.com\r
+nextdayid.co.uk\r
+nfl-football-tickets.biz\r
+nicepages.(biz|net|org)\r
+nice-pussy.us\r
+niceshemales.net\r
+nichehit.com\r
+nicolepeters.com\r
+nieruchomosci.biz.pl\r
+nifty-erotic-story-archive.blogspot.com\r
+nikechina.net\r
+nikeproduct.com\r
+nikeshoesshop.com\r
+nikeshoeswholesale.org\r
+nikesupplier.com\r
+nikkiwilliams.info\r
+njhma.com\r
+njlvtong.com\r
+njningri.com\r
+njunite.net\r
+njuyq.com\r
+nnyykkii\.org\r
+no-1.com.cn\r
+no-1.org.cn\r
+no1pics.com\r
+no-cavities.com\r
+nohassle-loans.com\r
+no-more.dyndns.org\r
+noni-?(jungbrunnen|top-chance|vitalgetraenk|expert).com\r
+nonstopsex.org\r
+noslip-picks.com\r
+notebook555.com\r
+no-title.de\r
+notsure.de\r
+novacspacetravel.com\r
+novosanctipetri.to\r
+nr-challenges.org\r
+nude-(black|movies?|videos?).us\r
+nude-teens.name\r
+nudevol.us\r
+nuevaandalucia.to\r
+nuppy.static.net\r
+nutritional-supplements.ws\r
+nutritionalsupplementstoday.com\r
+nwwl-dvds.com\r
+nwwl-videos.com\r
+nz.com.ua\r
+office-021\.com\r
+office-stock\.com\r
+officialdarajoy.com/wwwboard\r
+officialdentalplan.com\r
+officialsatellitetv.com\r
+offseasonelves.com\r
+ohamerica.org\r
+okings.com\r
+okuk.org\r
+oldgrannyfucking.com\r
+oliva.to\r
+olsenstyle.com\r
+omega-fatty-acid.com\r
+omeida.com\r
+one-cialis.com\r
+one-debt-consolidation.com\r
+onepiecex.net\r
+one-propecia.com\r
+oneseo.com\r
+one-soma.com\r
+onexone.org\r
+online-?hgh.com\r
+online-auction-tricks.com\r
+online-blackjack-online.com\r
+online-buy-plavix.com\r
+online-casino.descom.es\r
+online-ccc.com\r
+online-credit-report-online.com\r
+online-dating-singles-service.com\r
+online-deals99.com\r
+on-line-degree.org\r
+online-dot.com\r
+online-escort-service.com\r
+online-flexeril.com\r
+online-games24x7.com\r
+online-games24x7.net\r
+online-games-links.net\r
+onlinehgh.com\r
+online-investing-ideas.info\r
+on-line-kasino-de.com\r
+online-medications24x7.com\r
+online-photo-print.com\r
+onlineshop.us.com\r
+onlinesmoker.com\r
+online-texas-?hold-?em.(net|us)\r
+on-pok.com\r
+opensorcerer.org\r
+operazione-trionfo.net\r
+oraengel.com\r
+oral-sex-cum.com\r
+orangeyogi.net\r
+orbanus.static.net\r
+order-?(claritin|effexor|medicine|naturals).(com|net)\r
+order-ambien-1.qn.com\r
+order-cialis-1.qn.com\r
+order-codeine.deep-ice.com\r
+order-levitra-1.qn.com\r
+order-valium-online.deep-ice.com\r
+orlandodominguez.com\r
+orospu.us\r
+otito.com\r
+ottawavalleyag.org\r
+ourhealthylife.net\r
+our-planet.org\r
+outoff.de\r
+ovulation-kit.com\r
+owaceilings.co.uk\r
+owns1.com\r
+ownsthis.com\r
+oxford-english.com\r
+oxgm.com\r
+p105.ezboard.com/bdatingpersonalsadultdating\r
+p5.org.uk\r
+p7.org.uk\r
+p8.org.uk\r
+p9.org.uk\r
+pack001.com\r
+packing-machine.com\r
+pafu.w4.dns2008.cn\r
+page.zhongsou.com\r
+pagerealm.com\r
+pages4people.com\r
+paidsurveysforall.com\r
+pai-gow-keno.com\r
+paisleydevelopmentassociation.org\r
+paite.net\r
+pajara.to\r
+panpanddc.com\r
+pantandsocks.co.uk\r
+paperscn.com\r
+paper-translation\.com\r
+paris-(movie|naked|nicky|nikki)-hilton.blogspot.com\r
+paris-and-nicky-hilton-pictures.blogspot.com\r
+paris-hilton-video-blog.com\r
+paris-hilton-videos.biz\r
+parkersexecutivecar.co.uk\r
+partnersmanager.com\r
+partnersuche-partnervermittlung.com\r
+partybingo.com\r
+passende-klamotten.de\r
+passion.org.cn\r
+passwordspussynudity.com\r
+pastramisandwich.us\r
+pasuquinio.com\r
+paybacksh\.com\r
+payday-loan\.de\.com\r
+payday-loan-payday.com\r
+paydayloans-guide\.com\r
+paysites.info\r
+pc-choices.com\r
+pcdweb.com\r
+pcpages.com\r
+pcpages.com/abyssal\r
+pcvr.com.cn\r
+pdxx.com\r
+peak-e.com\r
+peepissing.com\r
+penase\.org\r
+penelopeschenk.com\r
+peoplegrad\.gen\.in\r
+perepug\.ig3\.net\r
+perfect-dedicated-server.com\r
+perfect-mortgage-lead-4-u.com\r
+personalads.us.com\r
+personal-finance-tips.com\r
+personals-online-personals.com\r
+petlesbians.com\r
+petroglyphx.com\r
+pety-viagra.newmail.ru\r
+pfxb.com\r
+phantadu.de\r
+pharmaceicall.com\r
+phente.m...\.do\.nu\r
+phentermine\r
+phentermine.webzdarma.cz\r
+phone-cards-globe.pushline.com\r
+phono.co.il\r
+photobloggy.buzznet.com\r
+phrensy.org\r
+pickevents.com\r
+pickone.org\r
+picsfreesex.com\r
+pics--movies.com\r
+pics-stories.com\r
+picsteens.com\r
+pictures-movies.net\r
+piercing-auswaehlen.de\r
+piercing-magic.com\r
+piercingx.com\r
+pill(-buy|blue|chart|hub|hunt|inc|tip).com\r
+pimp(hop|hos|space).com\r
+pinkzoo.com\r
+pinnaclepeakrealty.com\r
+pj-city.com\r
+planetluck.com\r
+plastic168.com\r
+playandwin777.com\r
+playandwinit777.net\r
+play-cash-bingo-online.com\r
+player-tech.com\r
+playgay.biz\r
+playmydvd.com\r
+play-texas-hold-?em.us\r
+play-texas-holdem-today.net\r
+playweb.blogspot.com\r
+plazaerotica.com\r
+plcm.com.cn\r
+plygms.de\r
+pm.tsinghua.edu.cn\r
+poizen.info\r
+pokemonx.biz\r
+polifoniczne.org\r
+polott.org\r
+polyphone.us\r
+pompini.nu\r
+Ponderosa\r
+ponytest.com\r
+pops.pp.ru\r
+post.baidu.com\r
+posters?-?shop.us\r
+power-rico.de\r
+power-tools.rx24.co.uk\r
+predictive-dialers.org\r
+pregnancy-guide\.org\r
+pregnant\.sumale\.net\r
+pregnant-sex-free.us\r
+p-reise.de\r
+pre-machine.com\r
+prepaid-telephonecards.co.uk\r
+prepaylegalinsurance.com\r
+preteen-(models|sex|young).(biz|info|net)\r
+prettypiste.com\r
+princeofprussia.org\r
+printer-cn.com\r
+prism-lupus.org\r
+privacy-online.biz\r
+private-krankenversicherung-uebersicht.com\r
+private-network.net\r
+pro-collegefootballbetting.com\r
+product-paradise.com\r
+projector-me.com\r
+promindandbody.com\r
+prom-prepared.com\r
+propecia.bravehost.com\r
+propecia-for-hair-loss.com\r
+propecia-for-hair-loss.net\r
+propecia-info.net\r
+propecia-store.com\r
+property2u.com\r
+property2u\.com\r
+prosearchs.com\r
+protech.net.cn\r
+psearch.163.com\r
+pseudobreccia60.tripod.com.ve\r
+psites.(biz|net|org|us)\r
+puertaumbria.to\r
+puertobanus.to\r
+puertoreal.to\r
+punksongslyrics.com\r
+purchase-ambien.qn.com\r
+purchase-valium.hotusa.org\r
+pureteenz.com\r
+pushline.com\r
+pussy-(d|cum|movies).(com|us)\r
+pussy\.the-best\.etowns\.org\r
+qd-heli.com\r
+qiangzhe\.cn\r
+qianyijia.com\r
+qingchundoua.cn\r
+qitao.wy8.net\r
+qj100\.net\r
+qm0?0[0-9]\.com\r
+qmnet\.cn\r
+qmwa\.com\r
+qqba.com\r
+qqmei.com\r
+quangoweb.com\r
+quickchina.com.cn\r
+quickdomainnameregistration.com\r
+quick-drugs.biz\r
+quick-drugs.com\r
+quickie-quotes.com\r
+qumingqiming.com.cn\r
+qybalancingmachine.com\r
+qz168.com\r
+qzkfw.co\r
+racconti-gay.org\r
+radsport-artikel.de\r
+raf-ranking.com\r
+ragazze-?\w+\.[a-z]{2,}\r
+rampantrabbitvibrator.co.uk\r
+randysrealtyreview.com\r
+ranklink.org\r
+rape-(fantasy-pics|stories).(biz|com)\r
+rapid-merchant-account.com\r
+ratenkredit-center.de\r
+ratenkredit-shop.de\r
+raw-pussy.us\r
+raymondmill.biz\r
+rbfanz.com\r
+readytocopy\.com\r
+real.net.cn\r
+real-estate-investment-online.info\r
+realestate-max\.com\r
+reality-sites.com\r
+reality-xxx.biz\r
+real-sex.us\r
+realtickling.com\r
+real-worldinternational.co.uk\r
+rebjorn.co.uk\r
+recycle.myrice.com\r
+redcentre.org\r
+redi.tk\r
+refinance-mortgage-home-equity-loan.com\r
+reggaeboyzfanz.com\r
+reggdr.org\r
+registerxonline.com\r
+reglament-np.ru\r
+reisen-domain.de\r
+relay888.com\r
+relievepain.org\r
+relocationmax\.com\r
+rentalcarsplus.com\r
+repondeurs-logos-mobile.com\r
+republika.pl\r
+restaurant-l.de\r
+reviewonlinedating.com\r
+rfhk\.cn\r
+rfhk\.net\r
+rfhk\.org\r
+rfhz\.com\r
+rfhz\.net\r
+rfhz\.org\r
+ricettegolose.com\r
+richshemales.com\r
+rincondelavictoria.to\r
+ringsguide\.org\r
+ringsignaler-ikon-spel.com\r
+ringtone-logo-game.com\r
+ringtoner-logoer-spill.com\r
+ringtonespy.com\r
+rittenhouse.ca\r
+rituo.com\r
+riyao.com.cn\r
+roboticmilking.com\r
+roche.to\r
+romane-buecher.de\r
+romeo-ent.com\r
+ronda.to\r
+room-ordering.com\r
+roscoeluna.com\r
+rota-andalucia.to\r
+rotek.com.cn\r
+roulette---online.com\r
+roulette-w.com\r
+royaladult.com\r
+royalfreehost.com/teen/amymiller\r
+royalprotectionplan\.com\r
+rr365.net\r
+rrank.net\r
+ru(send|idea)\.com\r
+ru21.to\r
+ruilong.com.cn\r
+rx4.mine.nu\r
+rxbkfw.com\r
+rx-central.net\r
+rx-lexapro.biz\r
+rxpainrelief.net\r
+rx-phentermine.newmail.ru\r
+rx-store.com\r
+rxweightloss.org\r
+rydoncycles.co.uk\r
+safetytech.cn\r
+salcia.co.uk\r
+sandrabre.de\r
+sanfernando.to\r
+sanlucar.to\r
+sanpedro.to\r
+santamaria.to\r
+sarennasworld.com\r
+satellite.bravehost.com\r
+satellite-direct-for-you.com\r
+satellite-network-tv.com\r
+satellitetv-reviewed.tripod.com\r
+saveondentalplans.com\r
+saving-money-hyip.info\r
+saw-blade.net\r
+sba\.com\.cn\r
+sbdforum.com\r
+sbn\.bz\r
+sbt-scooter.com\r
+scent-shopper.com\r
+scepter.static.net\r
+schanee.de\r
+schmuck-domain.de\r
+scottneiss.net\r
+scpv.net\r
+screencn.com\r
+scuba-guide\.com\r
+s-cyclobenzaprine.fromru.com\r
+sd-dq\.com\r
+sdsanrex.com\r
+search.online.sh.cn\r
+search.sohu.com\r
+search-1.info\r
+search722.com\r
+search-engine-optimization-4-us.com\r
+searchfix.net\r
+sec66.com\r
+sec-battery.co.uk\r
+secureroot.org\r
+security-result.com\r
+seitensprung-gratis.com\r
+selectedsex.com\r
+selena-u.ru\r
+selten-angeklickt.de\r
+sempo-tahoe.com\r
+sense.com.cn\r
+sensor168.com\r
+seodetails\.com\r
+seov.net\r
+seoy.com\r
+servicesmax\.com\r
+se-traf.com\r
+seven-card-stud.biz\r
+seven-card-stud.us\r
+sevilla-andalucia.to\r
+sewilla.de\r
+sex-(4you|bondagenet|lover|photos).org\r
+sex(ushost|webclub|websites).com\r
+sex--.*\.com\r
+--sex\.com\r
+sex4dollar.com\r
+sexbrides.com\r
+sexcia.com\r
+sexe.vc\r
+sexforfree.webzdarma.cz\r
+sex-friend.info\r
+sexglory.com\r
+sexiestserver.com\r
+sexingitup.com\r
+sex-livecam-erotik.net\r
+sex-mates.info\r
+sexmuch.com\r
+sexo9.com\r
+sex-pic-sex.com\r
+sexplanets.com\r
+sex-pussy.us\r
+sexschlucht.de\r
+sexshop.tk\r
+sexshop-sexeshop.com\r
+sex-toys-next-day.com\r
+sextoysportal.com\r
+sexual-shemales.com\r
+sexual-story.blogspot.com\r
+sexvoyager.com\r
+sexy-(ass|babes|lesbian|pussy).us\r
+sexy-celebrity-photos.com\r
+sexy-girls.org\r
+sexy-girls\.org\r
+sexynudea.com\r
+sfondi-desktop-gratis.com\r
+sfondi--gratis.com\r
+s-fuck.com\r
+shadowbaneguides.net\r
+shannon-e.co.uk\r
+shareint-store.com\r
+sheffield800.freeserve.co.uk\r
+shellbitumen.com.cn\r
+shemalesex.biz\r
+shemalesland.com\r
+shemalezhost.com\r
+shemalki.com\r
+Shemok\r
+shengdanuclei.com\r
+shenman.com\r
+shfldz\.com\r
+shfx-bj.com\r
+shimiana.cn\r
+shinylights\.org\r
+shirts-t-shirts.com\r
+shluhen.lir.dk\r
+shoesbuynow.com\r
+shoeswholesale.cn\r
+shop.tc\r
+shop24x7.net\r
+shop263.com\r
+shop-opyt.com\r
+shopping-cn.com\r
+shoppingideen-xxl.de\r
+shopping-liste.de\r
+shoppyix.com\r
+showsontv.com\r
+sh-shengde.com\r
+shtestm.com\r
+shtravel.net\r
+shunfeng-pioneer.com\r
+sh-xinping.com\r
+simplemeds.com\r
+simpsonowen.co.uk\r
+sina.com.cn\r
+sinfree.net\r
+singtaotor\.com\r
+sinoart.com.cn\r
+sino-bee.com\r
+sinodragon.freewebpage.org\r
+sinostrategy.com\r
+sinski.com\r
+sister8.com\r
+site\.neogen\.ro/xy[\w]+/files/ps_imagini\.php\r
+site-mortgage.com\r
+sitesarchive.com\r
+site-webarea.com\r
+sjdd.com.cn\r
+sjlstp\.com\r
+sjzyxh.com\r
+skf-baijia.com\r
+skidman.com\r
+ski-resorts-guide.com\r
+sky\.static\.net\r
+slimmobile.org\r
+slmj.com\r
+slng.de\r
+slotmachinesguide.net\r
+slot-machines-slots.com\r
+slots-w.com\r
+slowdownrelax.com\r
+slpblogs.com/expenditure\r
+slutcities.com\r
+slut-wife-story.blogspot.com\r
+smartdot.com\r
+smartonlineshop.com\r
+smeego.com/gettext\r
+smerfy.pl\r
+smutwebsites.com\r
+sneakysleuth.com\r
+s-norco.fromru.com\r
+so18.cn\r
+socoplan.org\r
+sofortkredit-tipps.de\r
+sofort-mitgewinnen.de\r
+soft.center.prv.pl\r
+soft-industry.com\r
+softsenior.com\r
+softwaredevelopmentindia.com\r
+software-einkaufsmarkt.de\r
+software-engine.org\r
+software-linkliste.de\r
+softwarematrix\.org\r
+software-review-center.org\r
+sohublog.com\r
+soittoaanet-logot-peli.com\r
+sol-web.de\r
+soma-(cheap-soma|solution|web).com\r
+soma.st\r
+somaspot.com\r
+somee.com\r
+sommerreisen-2004.de\r
+sonderpreis.de.com\r
+songshangroup\.com\r
+sorglos-kredit.de\r
+sorry\.yi\.org\r
+sotogrande.to\r
+sou23.com\r
+soulfulstencils.com\r
+source.dyndns.dk\r
+sowang\.com/translation\.htm\r
+spaces.msn.com/members/wangluoyingxiao/\r
+spacige-domains.de\r
+spannende-spiele.de\r
+spassmaker.de\r
+speedy-insurance-quotes.com\r
+spiele-kostenlose.com\r
+spiele-planet.com\r
+sportartikel-auswahl.de\r
+sportecdigital.com\r
+sportlich-chic.de\r
+sports---betting.com\r
+sports-inter-action.com\r
+spp-net.de\r
+spy-patrol.com\r
+spyware-links.com\r
+spzd\.com\r
+ss-cn.com\r
+s-sites.net\r
+ssy-web.com\r
+staffordshires.net\r
+stars-laser.com\r
+static.net\r
+stationery555.com\r
+stationfoundation\.org\r
+statusforsale.de\r
+steel168.com\r
+steelstockholder.co.uk\r
+stellenangebote-checken.de\r
+stellenangebote-l.de\r
+stevespoliceequipment.com\r
+stfc-isc.org\r
+sting.cc\r
+stock-cn.com\r
+stock-power.com\r
+stolb.net\r
+stop-depression.com\r
+stopp-hier.de\r
+stopthatfilthyhabit.com\r
+stories-adult.net\r
+stories--archive.com\r
+stories-inc.com\r
+striemline.de\r
+strivectinsd.com\r
+stst-cn.com\r
+stunningsextoys.com\r
+styrax-benzoin.com\r
+submit-your-cock\.info\r
+success-biz-replica.com\r
+suckingsex\.info\r
+sudian.com.cn\r
+suma-eintragen.de\r
+sumaeintrag-xxl.de\r
+sunbandits.com\r
+sunnyby.com\r
+suonerie-(center|download|loghi-gratis).com\r
+suonerieloghix.com\r
+suoneriex.net\r
+suoyan.com\r
+super-celebs.com\r
+super-cialis.com\r
+surfe-und-staune.de\r
+susiewildin.com\r
+sutra-sex.com\r
+svitonline.com\r
+swan-storage.com\r
+sweet-?(horny|hotgirls).com\r
+sweetapussy\.info\r
+swinger-story.blogspot.com\r
+swing-in-golf.com\r
+switch168.com\r
+switch88.com\r
+sxcoal.com\r
+sydney-harbour.info\r
+sylphiel.org\r
+sylviapanda.com\r
+sysaud.com\r
+szpromotion.com\r
+t35.com\r
+t3n.org\r
+tabsinc.com\r
+t-agency.com\r
+taifudamy\.com\r
+tailongjixie.com\r
+take-credit-cards.com\r
+taliesinfellows.org\r
+talkie.stce.net\r
+talktobabes.com\r
+tamsquare.com\r
+tang\.la\r
+tanganyikan-cichlids.co.uk\r
+tangzhengfa.com\r
+tapbuster.co.uk\r
+taremociecall.com\r
+targetingpain.net\r
+tarifa.to\r
+tattoo-entwuerfe.de\r
+tb-china.com\r
+tcom-control.co.uk\r
+tdk-n.com\r
+teajk\.com\r
+teardust.net/blog/bulletingboard\r
+techfeng.com\r
+teen-(babes|movie|video|xxx).us\r
+teenblog.org/alerts\r
+teenblog.org/handicrafts\r
+teen-boys-fuck-paysite.com\r
+teen-d.com\r
+teens7ever.info\r
+teensluts.org\r
+teenxxxpix.net\r
+teflontape.cn\r
+tejia\.net\.cn\r
+telechargement-logiciel.com\r
+telematicsone.com\r
+telematiksone.co.uk\r
+tenerife-info.to\r
+terminator-sales.com\r
+terra.es/personal\r
+testersedge.com\r
+testi.cc\r
+tests-shop.com\r
+tette.bz\r
+tettone.cc\r
+teulada.to\r
+texas-hold-em-(4u|555|winner).(com|net)\r
+texas-holdem-0.com\r
+texasholdem777.net\r
+texas-holdem-a.com\r
+texas-holdem-big.com\r
+texasholdem-flip-flop.com\r
+texasholdemking.com\r
+texas-holdem-now.com\r
+texasholdem-online.us\r
+texasholdemsite.net\r
+texas-hold-em-w.com\r
+textile88.com\r
+tgplist.us\r
+the1930shome.co.uk\r
+the-bestiality-stories.stories-movies.com\r
+theblackfoxes.com\r
+the-boysfirsttime.com\r
+theceleb.com\r
+thecraftersgallery.com\r
+the-date.com\r
+thefreecellphone.com\r
+thehadhams.net\r
+the-horsesex.stories-movies.com\r
+the-hun-site.com\r
+the-hun-yellow-page-tgp.com\r
+themadpiper.net\r
+the-pill-bottle.com\r
+the-proxy.com\r
+thepurplepitch.com\r
+thepussies\.info\r
+therosygarden.com\r
+the-sad-diary-of.mine.nu\r
+thesoftwaregarage.co.uk\r
+thespecialweb.com\r
+thewebbrains.com\r
+thfh\.com\r
+thorcarlson.com\r
+thoth\.cn\r
+thumbscape.com\r
+thuriam.com\r
+tianjinpump\.com\r
+ticket88.com\r
+ticket-marktplatz.de\r
+tickets4events.de\r
+tiere-futter.de\r
+tiffany-towers.com\r
+tikattack.com\r
+timead.net\r
+timeguru.org\r
+timescooter.com\r
+tips-1a.de\r
+tire-cn.com\r
+tits-center.com\r
+tits-cumshots.net\r
+tjht.net\r
+tjht\.net\r
+tjtools.com\r
+tjwatch.com\r
+tl800\.com\r
+tldyjc.com\r
+tmrr.com\r
+tofik.pl\r
+tokyojoes.info\r
+toner-cartridge\.mx\.gs\r
+tontian.com\r
+tonzh.com\r
+topaktuelle-tattos.de\r
+top-cialis.com\r
+topcities.com\r
+top-dedicated-servers.com\r
+top-des-rencontres.com\r
+top-fioricet.com\r
+top-internet-blackjack.com\r
+top-of-best.de\r
+top-online-slots.com\r
+top-point.net\r
+top-result.com.cn\r
+top-skelaxin.com\r
+top-soma.com\r
+top-the-best.de\r
+toques-logos-jogos.com\r
+torch.cc\r
+torredelmar.to\r
+torremolinos-costa-del-sol.to\r
+torrox.to\r
+toshain.com\r
+tossa.to\r
+totallyfreecreditreport.org\r
+total-verspielt.de\r
+touchweb\.com\.cn\r
+touchwoodmagazine.org.uk\r
+toy-china.com\r
+traceboard\.com.cn\r
+tracyhickey.com\r
+tradeba.com\r
+tradeinvests\.cn\r
+tradeinvests\.org\r
+training-one.co.uk\r
+tran4u.com\r
+tranny-pic-free.com\r
+trannysexmovie.com\r
+transcn.net\r
+transestore.com\r
+transpire.de\r
+traum-pcs.de\r
+trendsbuilder.com\r
+treocat.com\r
+triadindustries.co.uk\r
+troggen.de\r
+troie.bz\r
+trolliges.de\r
+trucchi-giochi.us\r
+trueuninstall.com\r
+ts998\.com\r
+ts-wood.com\r
+tt33tt.com\r
+tt7.org\r
+ttuuoopp\.org\r
+tuff-enuff.fnpsites.com\r
+tumor-cn.com\r
+tuofaa.cn\r
+tv-bazzar\.com\r
+tygef.org\r
+tyjyllrj.go1.icpcn.com\r
+tykh\.com\.cn\r
+tzonline.cn\r
+ua\-princeton.com\r
+ufosearch.net\r
+ukeas.com\r
+uk-virtual-office-solutions.com\r
+ultracet-web.com\r
+ultraseek.us\r
+unbeatablecellphones.com\r
+unbeatablemobiles.co.uk\r
+unbeatablerx.com\r
+unccd.ch\r
+underage-pussy.net\r
+undonet.com\r
+unexpectedmovement.b4net.lt\r
+uni-card.ru\r
+universalplastic.com\r
+unscramble.de\r
+unterm-rock.us\r
+uoo.com\r
+upoisoning.com\r
+ups123.com\r
+upsms.de\r
+urlaubssonne-tanken.de\r
+usa-birthday-flowers.com\r
+usa-car-insurance.com\r
+usa-car-loans.com\r
+usbitches.com\r
+us-cash.com\r
+uscashloan.com\r
+user1.7host.com\r
+us-meds.com\r
+uswebdata.com\r
+uusky.com\r
+uusky.net\r
+uusky.org\r
+uusky.zj.com\r
+uusky2.home.sunbo.net\r
+uvinewine.co.uk\r
+u-w-m.ru\r
+v(27|29|3).(net|be)\r
+vacation-rentals-guide.com\r
+vaiosony.com\r
+valentine-gifts.qn.com\r
+valeofglamorganconservatives.org\r
+valium-online.1024bit.at\r
+valium-online.sinfree.net\r
+venera-agency.com\r
+veranstaltungs-tickets.de\r
+vergleich-versicherungsangebote.de\r
+versicherungsangebote-vergleichen.de\r
+versicherungsvergleiche-xxl.de\r
+versteigerungs-festival.de\r
+verybrowse.com\r
+verycd.com\r
+verycheapdentalinsurance.com\r
+vfrrto.org\r
+viaggix.com\r
+viagra\.freespaces\.com\r
+viapaxton.com\r
+viasho.com\r
+video-n.com\r
+videoportfolios.com\r
+vietdiary.com/andromedical\r
+vilentium.de\r
+vilez\.zenno\.info\r
+villagesx.com\r
+villajoyosa.to\r
+villamara.net\r
+vindaloosystems\.com\r
+vip-condom.com\r
+vitamins-for-each.com\r
+vivalatinmag.com\r
+vivlart.com\r
+vixensisland.com\r
+vod-solutions.com\r
+voip99.com\r
+voip99.net\r
+voip-guide.org\r
+vttolldd.org\r
+vtsae.org\r
+vttthtgg.org\r
+waldner-msa.co.uk\r
+warblog.net\r
+wasblog.com/ascitis\r
+washere.de\r
+watches-sales.com\r
+waterbeds-dot.com\r
+waycn.com\r
+wblogs.com\r
+wcdma2000.com\r
+wcgaaa.org\r
+wchao.net\r
+wdc\.com\.cn\r
+wding.com\r
+we.rx.pp.ru\r
+weareconfused.org.uk\r
+wearethechampions.com\r
+weaver.com.cn\r
+web.csnec.net\r
+web3dchina.com\r
+webanfragen.de\r
+webblogs.biz\r
+webcam-erotiche.com\r
+webcenter.pl\r
+web-cialis.com\r
+webcopywizard.net\r
+w-ebony.com\r
+webpage-cn.com\r
+webpark.pl\r
+webrank.cn\r
+web-revenue.com\r
+websamba\.com\r
+websitedesigningpromotion.com\r
+website-expansion.com\r
+websitespace-cn.com\r
+webzdarma.cz\r
+wecony.com\r
+weddings-info.com\r
+weddings-links.com\r
+weedns.com\r
+weighlessrx.com\r
+weight-loss-central.org\r
+weight-loss-links.net\r
+weightlossplace.net\r
+weitere-stellenangebote.de\r
+welan\.com\r
+welding\.mx\.gs\r
+we-live-together-4u.com\r
+wellness-getraenk.de\r
+weroom.com\r
+westzh.com\r
+wet-?(4all|pussy|horny).(com|us)\r
+whitehouse.com\r
+white-shadow-nasty-story.blogspot.com\r
+whizzkidsuk.co.uk\r
+wholesalepocketbike.com\r
+willcommen.de\r
+wincmd.ru\r
+wincrestal.com\r
+windcomesdown.com\r
+wine-booking.com\r
+wine-shop001.com\r
+wirenorth.com\r
+wiset-online.com\r
+witch-watch.com\r
+witji.com\r
+witz-net.de\r
+wizardsoul.com\r
+wjmgy.com\r
+wol\.bz\r
+women-fitness\.org\r
+workfromhome-homebasedbusiness.com\r
+worldblognet.com/eurasia\r
+world-candle.com\r
+world-cheese.com\r
+worldmusic.com\r
+worldsexi.com\r
+worldwide-(deals|games|holdem).(com|net)\r
+worldwide.php5.sk\r
+wotcher.de\r
+wrrirk\.poes\.net\r
+wujing-eyes.com\r
+wuyue.cn\r
+ww\.\d+\.com\r
+www.bhcyts.cn\r
+www.bjicp.com\r
+www.bungee-international.com\r
+www.it01.com.cn\r
+www.lamp-expert.com\r
+www.richtone.com.cn\r
+www.sex-portal.us\r
+www.webcamss.com\r
+www\.76e\.net\r
+www\.8z\.cn\r
+www\.banzhao\.com\r
+www\.chat-live\.net\r
+www\.pasca\.info\r
+www\.roth-401k-forum\.com\r
+www-sesso\r
+www-webspace.de\r
+wxals.com\r
+wxboall.cn\r
+wxfl.net\r
+wxwz.fwhost.com\r
+wxwz.tabrays.com\r
+x24.com.ru\r
+x8x.weedns.com\r
+x911\.net\r
+xanax.qn.com\r
+xanax-online.qn.com\r
+xaper.com\r
+xazl.net\r
+xazlkjh.blog.ccidnet.com\r
+x-baccarat.com\r
+x-baccarat.us\r
+x-beat.com\r
+x-bingo.com\r
+x-craps.com\r
+x-craps.us\r
+xdolar.com\r
+x-fioricet.com\r
+xfreehosting.com\r
+xgsm.org\r
+xhhj.com.cn\r
+xianggangjc.com\r
+xianliming.com\r
+xianwahl\.com\r
+xinchen.net.cn\r
+xin-web.de\r
+xinyifang.net\r
+xinyitong\.org\r
+x-jack.us\r
+xlboobs.net\r
+xmtmdart.com\r
+xnan2.91x.net\r
+xnan2.blogdriver.com\r
+xnxxx.com\r
+x-pictures.net\r
+x-pictures.org\r
+xpictx.com\r
+xprv.com\r
+xratedcities.com\r
+xrblog.com/ezetimib\r
+x-ring-?tones.com\r
+x-roulette.com\r
+x-roulette.us\r
+x-roullete.com\r
+xs3.com\r
+xsjby.cn\r
+x-slots.com\r
+x-slots.us\r
+x-stories.org\r
+xt[\w]+.proboards\d\d\.com\r
+xtnm.com\r
+xxshopadult.com\r
+xxx(chan|seeker|washington).com\r
+xxx-alt-sex-story.blogspot.com\r
+xxx-beastiality.com\r
+xxx-database.com\r
+xxx-dvd.biz\r
+xxx-erotic-sex-story.blogspot.com\r
+xxx-first-time-sex-story.blogspot.com\r
+xxx-free-erotic-sex-story.blogspot.com\r
+xxx-gay-sex-story.blogspot.com\r
+xxx-girls-sex.com\r
+xxx-password-web.com\r
+xxx-pussy.us\r
+xxx-rape.org\r
+xxx-sex-movies.org\r
+xxx-sex-story-post.blogspot.com\r
+xxx-spanking-story.blogspot.com\r
+xxx-stories.net\r
+xxx-story.blogspot.com\r
+xy[\w]+\.blogg.de\r
+xyu[\w]+\.easyjournal\.com\r
+xyxy.net\r
+xz[\w]+\.over-blog\.com\r
+xz9.com\r
+yaninediaz.com\r
+ycc-zipper.com.cn\r
+ychzn.com\r
+yculblog.com\r
+ygci.com\r
+yihongtai.com\r
+ying0.com\r
+yipu.com.cn\r
+yipu\.com\.cn\r
+yisounet.com\r
+yisounet.net\r
+yl-jx\.com\r
+ylqx.org\r
+ymf.name\r
+yoll.net\r
+you-date.com\r
+youll.com.cn\r
+young\-tender\.info\r
+young-ass.us\r
+yourdentalinsuranceonline.com\r
+yourowncolours.co.uk\r
+yourserver.com\r
+your-tattoo.de\r
+youyipu\.com\r
+yubatech.com\r
+yukka.inc.ru\r
+yunchou.com.cn\r
+yyhq.com\r
+z0rz.com\r
+zahara.to\r
+zahara-de-la-sierra.to\r
+zahara-de-los-atunes.to\r
+zazlibrary.com\r
+zbbz.com\r
+zcfounder.com\r
+zchb.com\r
+zenno\.info\r
+zeonline.com.cn\r
+zfgfz.net\r
+zgpt.cn\r
+zgqygl.com\r
+zgxbw\.cn\r
+zhiliaotuofa.com\r
+zhjx-sh.com\r
+zhkaw.com\r
+zhongzhou-sh.com\r
+zhqzw.com\r
+ziliaowang\.cn\r
+zipcodedownload.com\r
+zipcodesmap.com\r
+zithromax-online.net\r
+zjww\.com\r
+znpp.com\r
+zo.servehttp.com\r
+zoo(-zone|europe|fil).com\r
+zoo-?sex-?(pics|motion-videos|pictures)?.(com|biz)\r
+zoosx.net\r
+zorpia\.com/xt\r
+zpics.net\r
+zt148.com\r
+zum-bestpreis.de\r
+zxyzxy.com\r
+zybxg.net\r
+zy-image.com\r
+zzdh.com\r
+zzgj.net\r
+\r
+abouthongkong\.asexblogs\.com/\r
+abouthongkong\.bloggingmax\.com/\r
+abouthongkong\.blogslinger\.com/\r
+abouthongkong\.satublog\.com/\r
+berko\.com\.au/merry/\r
+blog\.bachhoacung\.ws/freey/\r
+blog\.mogway\.com/abouthongkong/\r
+blog\.myaliyah\.com/\?u=abouthongkong\r
+blogcharm\.com/huanger/\r
+blogs\.thesubculture\.com/\?u=abouthongkong\r
+cancerblog\.com\.au/abouthongkong/\r
+film4vn\.net/blog/\?w=lieey\r
+rockstart\.net/blog/\?u=abouthongkong\r
+smeego\.com/feier/\r
+tornblog\.com/abouthongkong/\r
+um\.com\.my/win/\r
+vfwnjwebcom\.org/abouthongkong/\r
+we-r-blogs\.com/\?w=drewer\r
+weblog\.statisticounter\.com/abouthongkong/\r
+www\.asiannotes\.com/art/\r
+www\.betterbrain\.com/blog/\?u=abouthongkong\r
+www\.billionaire-blogs\.com/abouthongkong/\r
+www\.blarbitration\.com/lelby/\r
+www\.blog3\.com/\?u=abouthongkong\r
+www\.blogfreely\.com/abouthongkong/\r
+www\.blogstuff\.co\.uk/\?u=abouthongkong\r
+www\.blogtoowoomba\.com/\?w=homuy\r
+www\.earthtank\.com/diewu/\r
+www\.elblog\.de/howue/\r
+www\.freescrapblogs\.com/red/\r
+www\.fsaalumni\.net/blog/\?u=abouthongkong\r
+www\.kosova\.ch/yourblog/\?u=abouthongkong\r
+www\.love2k\.com/weblogs/\?u=abouthongkong\r
+www\.mattian\.co\.uk/liuhcai/\r
+www\.nukeblog\.info/\?u=abouthongkong]]\r
+www\.pandablogs\.com/xiangang\r
+www\.picturethisblog\.com/\?u=abouthongkong\r
+www\.sblnet\.co\.uk/sblogger/abouthongkong/\r
+www\.skaffe\.com/weblog/abouthongkong/\r
+www\.slickblogs\.com/abouthongkong/\r
+www\.slpblogs\.com/abouthongkong/\r
+www\.soccerblogger\.co\.uk/\?w=uowek\r
+www\.sovereigngracesingles\.com/sgs_blog/\?u=abouthongkong\r
+www\.spottersblog\.com/tremo/\r
+www\.spweblog\.com/abouthongkong/\r
+www\.stitch-studios\.com/weblogs/\?u=abouthongkong\r
+www\.stu-c\.com/blogs/abouthongkong/\r
+www\.tatsulok\.com/yuer/\r
+www\.teenblog\.org/abouthongkong/\r
+www\.toiyeu\.net/nhatky/\?w=toiyew\r
+www\.totalvideogames\.com/blog/laner\r
+www\.vfwmowebcom\.org/nicer/\r
+www\.weblogone\.com/dry/\r
+www\.westwoodbapt\.org/blog/abouthongkong/\r
+www\.worldblognet\.com/abouthongkong/\r
+www\.ym1\.com/abouthongkong/\r
+chio92\.com\r
+onlinepoker\.happyhost\.org\r
+kolloidales-silber\.at\r
+sonyy1\.com\r
+tdk14\.com\r
+nyteam\.info\r
+ethock\.info\r
+pepsi14\.info\r
+jiayinte\.cn\r
+moxor\.info\r
+maxor\.info\r
+chevy\.ws\r
+adoption\.ws\r
+carpetcleaning\.ws\r
+hrentut\.org\r
+icwak\.info\r
+humela\.info\r
+guoyong\.com\r
+ziyangwz\.com\r
+zhanziyang\.com\r
+ziyangshiwo\.com\r
+short\-termhealthinsurance\.com\r
+scooter\-web\.org\r
+bikesplanet\.org\r
+aishwaryalife\.com\r
+jessicaalbalife\.com\r
+shakiralife\.com\r
+terapatricklife\.com\r
+adrianalimapics\.org\r
+wifiguide\.org\r
+wifi-planet\.org\r
+wifi-world\.org\r
+teainfo\.org\r
+pizzaguide\.org\r
+coffee-guide\.us\r
+chocolateplanet\.org\r
+girls-xxx-party\.com\r
+trinitao\.com\r
+tjshenguang\.com\r
+liveadulthost\.com\r
+speedorado\.com\r
+sexsdreams\.com\r
+carpassion\.com\r
+neureich\.de\r
+v-ringtones\.com\r
+4vti8\.com\r
+artsmediamag\.com\r
+ringtones\.konaxil\.be\r
+upcoming\.netteen\.net\r
+cfcsouthpugetsound\.org\r
+xultin\.info\r
+tidep\.info\r
+ythrip\.info\r
+yston\.info\r
+xution\.info\r
+gosle\.info\r
+tallygotmoves\.com\r
+sexstar2000\.com\r
+dante4all\.com\r
+q7voda\.com\r
+fetishrred\.spycams777\.com\r
+discovery\.teenorg\.net\r
+cosmo02\.net\r
+(cam|sex|gay|fuck|swingers|adult|dating|erotic|personal|ads|cum|wife-swap)[\w\-_.]*\.blogspot\.com\r
+irzar\.com\r
+gokdep\.com\r
+nittion\.com\r
+cheapwowgold\.co\.uk\r
+win\.com\.cn\r
+wowgoldworld\.com\r
+starsnak\.biz\r
+shop-now\.be\r
+whitewalker\.com\r
+beatroulette\.atspace\.com\r
+onlines-slots-game\.atspace\.com\r
+(friendlysearch|medchoice|freesearches|getmedicineeasy)\.bravehost\.com\r
+gihore\.info\r
+soseik\.info\r
+ithyr\.info\r
+letreal\.info\r
+efdmen\.info\r
+udwryp\.info\r
+bupyere\.info\r
+tagmyn\.info\r
+suogman\.info\r
+gegbyl\.info\r
+laww\.info\r
+plonehostingdemo\.nidelven-it\.no\r
+wiki\.opennetcf\.org/upload\r
+sprint\.zope\.it\r
+ssdcard\.info\r
+soujipiao\.com\r
+5ijipiao\.com\r
+jipiao126\.com\r
+jipiaoair\.com\r
+canjipiao\.com\r
+bjxiongfei\.com\r
+SaNaLHaCKERLaR\.ORG\r
+jspit7\.info\r
+kokoxx\.info\r
+donte\.info\r
+lib/exe/fetch.php\?media=\r
+imhotep\.sphosting\.com\r
+1-myspace-layout\.blogspot\.com\r
+dinmo\.cn\r
+51education\.com\r
+sispc.com\.cn\r
+sh-dzgs\.com\r
+teyi21\.com\r
+yizhish\.com\r
+oa586\.com\r
+watesi\.com\r
+sh-shenhuang\.com\r
+guojikuaidi\.com\r
+lbjq2h\.com\r
+xingaoweixing\.com\r
+shyw\.com\r
+shnakano\.com\r
+ihtc\.cn\r
+chonggong\.com\r
+kkvalve\.com\.cn\r
+uwb1hhc\.info\r
+vzh5k87\.info\r
+mvuxq60z\.info\r
+bodybillboardz\.com\r
+blog\.lide\.cz\r
+teeenp0rn\.org\r
+creditcarddebt\.neo\.cx\r
+dhzilnwr\.com\r
+hntwzokt\.com\r
+xoyeeuqx\.com\r
+badcredpersloan\.new\.fr\r
+securedcreditcard\.neo\.li\r
+hometown\.aol\.com\r
+(creditcons|creditreport|freeannualcr1|freecreditro|freecredits|cealis)\.monforum\.com\r
+fishmls\.com\r
+localendar\.com/public/\r
+\.maxblog\.pl\r
+\.phpbbx\.de\r
+foroswebgratis\.com\r
+(cabrini|annotation)\.bravepages\.com\r
+(asp|impaction|monocled|wriggle|maneating|migrations)\.1sweethost\.com\r
+(bailee|carrycot|webmasters|markab|homewards)\.dreamstation\.com\r
+(bohemians|encloses|gravel|verite|tenderfeet|sabers)\.exactpages\.com\r
+(drained|shuffles|diathermy)\.fcpages\.com\r
+(headland|similar|muffler|normalise|typologist|buckshots)\.741\.com\r
+(ctenophore|failles|whistle|mayflies|nestled|eunice)\.angelcities\.com\r
+(arcady|tulip|undreamt|impair|reamers|hokiest|catnapping)\.greatnow\.com\r
+(absolutely|bellman|kwangchow|fluctuant|trouping)\.wtcsites\.com\r
+(wafers|whensoever|prescient|spacious|acadia|toothsome|gasolines)\.envy\.nu\r
+(smuggles|showboat|ipecacs|skivvying|straying)\.150m\.com\r
+(suffixed|barbeques|dispersal)\.100freemb\.com\r
+(killer|grumbles|despoiler|termites)\.kogaryu\.com\r
+(adversely|militated)\.g0g\.net\r
+(brunettes|struts)\.o-f\.com\r
+(reconnect|clownishly)\.00freehost\.com\r
+(drygoods|fl|liberia)\.9cy\.com\r
+(membership|retarders|spoonfed|pointedly)\.freewebsitehosting\.com\r
+(unwiser|innervates|woofed)\.ibnsites\.com\r
+(goodnight|shortens|brokering)\.freewebpages\.org\r
+(epaulet|impotency|jewelries)\.1accesshost\.com\r
+homepage\.mac\.com/(nonreader|cartels|cornflour|docilities|unanswered|feelings1)/\r
+(imagist|phosphor|hatecrime|landward)\.freecities\.com\r
+(ainsurance|diflucanmed|mypropecia|1creditrepair)\.proboards104\.com\r
+(carisoprodol|tadalafil)\.mybbland\.com\r
+(refinancingmortgage|cheapautoinsurance|autoinsurancequote)\.(forumactif|actifforum)\.com\r
+fioricetmed\.blogcu\.com\r
+the-sabotage\.org\r
+spygrup\.org\r
+gencnesil\.org\r
+\.(blogsitemaking|blogginpoint)\.info\r
+hjlxmosb\.com\r
+dohzqmod\.com\r
+dadbhpsu\.com\r
+supermegapizdetc\.com\r
+cjbqixzs\.com\r
+tacmbuqe\.com\r
+qcprkjgp\.com\r
+wwcldvob\.com\r
+nhdwinyg\.com\r
+pewddohw\.com\r
+x-uqur\.org\r
+toyota-corollailf\.blogspot\.com\r
+corolla-toyota730\.blogspot\.com\r
+staticstroke\.tr\.cx\r
+vuhavrva\.com\r
+nfzwzphv\.com\r
+ljhasdic\.com\r
+volny\.cz\r
+peoazsog\.com\r
+szsbqqdb\.com\r
+kvxkloks\.com\r
+turkatesi\.net\r
+megaturks\.com\r
+rnsgroup\.us\r
+turkstorm\.org\r
+(ladyboy|shemale)\.viptop\.org\r
+nxyvarpv\.com\r
+shlmsapu\.com\r
+wjmlwkvk\.com\r
+www\.umes\.edu/accsupport/ossd/ossdchat/\r
+jiyxhkdf\.com\r
+hpdrsykw\.com\r
+wminyrxj\.com\r
+gucvfiuh\.com\r
+osgtpzde\.com\r
+szexqgix\.com\r
+susiesbeads\.net\r
+swliuxue\.com\r
+mindtouch\.com\r
+e-parishilton\.com\r
+\.vg\.edu\r
+euitaly\.info\r
+sprzedam\.pl\r
+wpi\.biz\r
+galadriel\.nmsu\.edu\r
+d007\.phpnet\.us\r
+todosvem\.info\r
+flowers-shop\.sitesfree\.com\r
+bcasinos1\.ovp\.pl\r
+\.greatkozel(site|world)\.info\r
+hack-e\.com\r
+eelive\.info\r
+asi\.0moola\.com\r
+Valintino.Guxxi\r
+web\.hit\.bg\r
+\.sportsinfoitaly\.info\r
+urlbee\.com\r
+site3\.info\r
+bdqt\.org\r
+\.svt\.pl\r
+ycaol\.com\r
+abunimah\.org\r
+aypp\.info\r
+poker\.blog\.drecom\.jp\r
+idisk\.mac\.com/ringtonesforyou\r
+chaco\.gov\.ar/meccyt/subsecyt/_act1\r
+forourbano\.gov\.ar/_forodisc/\r
+tx-bridge\.com\r
+beijingimpression\.com\r
+enrichuk\.com\r
+recphone\.cn\r
+kcmp\.cn\r
+pumppump\.cn\r
+officezx\.com\r
+vcd-dvd168\.com\.cn\r
+dinmoseo\.com\r
+wow-powerleveling-wow\.com\r
+e-fanyi\.net\r
+chongshang\.com\.cn\r
+radfort\.com\r
+eachost\.com\r
+bjjly\.net\r
+sino-(jipiao|liuxue|zufang|lvyou)\.com(\.cn)?\r
+citylight\.com\.cn\r
+e4u\.cn\r
+china-co\.com\r
+celsnet\.cn\r
+deqinfy\.com\r
+mycomb\.com\r
+dm-(baojie|jipiao)\.cn\r
+xttg\.cn\r
+cthb\.com\.cn\r
+china-byt\.com\r
+china(yuntong|lipin|yiyao)(\.com|\.net)?\.cn\r
+jinpack\.com\r
+xinyuanit\.com\r
+timeyiqi\.com\.cn\r
+mendean\.net\r
+zgpdw\.cn\r
+5i8811sf\.com\r
+my-projector\.net\r
+bjlhj\.cn\r
+imperial\.edu/maria\.coronel/\r
+vca\.org\r
+faculty\.chi\.devry\.edu/ksteinkr/\r
+encyko\.bee\.pl\r
+(synthroid|cialis|depakote|zithromax|cipro|aciphex-meds|diflucan-777|lipitor|zocor|norvasc|propecia|imitrex)\.ca\.cx # this is the specific regex\r
+\.ca\.cx # if noone complains we'll just keep that\r
+fpoker\.abc\.pl\r
+ftpoker\.ir\.pl\r
+ftpoker\.blogjapan\.jp\r
+wxerqxad\.com\r
+mnwftplr\.com\r
+ixgqwyaj\.com\r
+lglpvgdi\.com\r
+khmifkyd\.com\r
+fnabdymv\.com\r
+maomzyex\.com\r
+iprnhyeb\.com\r
+qytkgqkk\.com\r
+supermeganah\.com\r
+xnjehmqg\.com\r
+koufoadi\.com\r
+palgdhek\.com\r
+kcqdqjiv\.com\r
+xxqzcrbx\.com\r
+ejulbpnr\.com\r
+dfywxiza\.com\r
+wjdvppas\.com\r
+qfoijpym\.com\r
+usphwxib\.com\r
+fawhongh\.com\r
+xjayjaqh\.com\r
+hmaugptw\.com\r
+saeoazbj\.com\r
+pnjugiiu\.com\r
+xpubccoq\.com\r
+umbmjyug\.com\r
+lqbguwrt\.com\r
+1url\.org/go/1yolui\r
+uwrejaag\.com\r
+wjlnjljz\.com\r
+jacpusnk\.com\r
+51ticket\.net\r
+galasale\.com\r
+bjcdmaker\.com\r
+sdcy\.com\.cn\r
+ukpass\.org\r
+archifashion\.com\r
+sino-ups\.com\r
+qwerty\.wblogs\.org/2007/06/\r
+astroguia\.org/bitacoras/qwerty/2007/06/\r
+trinilopez\.com/_msgbrd/00002992\r
+thyoapan\.com\r
+qfrtsyrp\.com\r
+uooyqazf\.com\r
+websearchdir\.net\r
+firstwebdirect\.org\r
+webdironline\.org\r
+nwdirect\.org\r
+wwbol\.info\r
+maagrenn?a\.tripod\.com\r
+(trumtrum|bugaga)\.ifrance\.com\r
+(bugogo|damdan)\.ibelgique\.com\r
+(sukonah|tramtram)\.isuisse\.com\r
+(gurevin|grandan)\.awardspace\.com\r
+uubol\.info\r
+rrbol\.info\r
+iibol\.info\r
+qqbol\.info\r
+iibol\.info\r
+eoajx\.quotaless\.com\r
+hardcorerapecomics\.tripod\.com\r
+(qq|pp|yy)adv\.biz\r
+(dd|gg)coll\.info\r
+rietdekkersbedrijfscholten\.com\r
+taylorrain\.newsit\.es\r
+\.webdirext\.com\r
+(sh)?chfang\.com\r
+xianweijin\.com\r
+strawberrydelights\.com\r
+whichsideofthefence\.com\r
+it\.snhu\.edu\r
+free-online-dating\r
+sudu\.info\r
+shcbprint\.net\r
+toppowerlevel\.net\r
+mysiteup\.my2gig\.com\r
+globalceoforum\.com\.cn\r
+isefc\.com\.cn\r
+teamflyelectronic\.com\r
+hzmqzs\.com\r
+coolingame\.com\r
+mydofus\.com\r
+rs2myth\.com\r
+levelmyth\.com\r
+ankama\.us\r
+buy-dofus-kamas\.net\r
+vulturesknob\.com\r
+yournetexpert\.hostwq\.net\r
+fundorro\.net\r
+normalforce\.com\r
+sei-mein-bester-freund\.de\r
+titaniuexport\.kiev\.ua\r
+loveangelinajolie\.com\r
+movief\.5gbfree\.com\r
+ylhz\.net\r
+grendamix\.com\r
+89bm\.net\r
+temaxd\.cn\r
+gglhctm\.cn\r
+xgswd\.cn\r
+ofcpa\.com\r
+netbai\.net\r
+power-level\.net\r
+e489d\.com\r
+lingollc\.com\r
+boinbb\.com\r
+fourw\.jp\r
+sweepdesign\.jp\r
+chn-job\.com\.cn\r
+xfgkj\.com\r
+houseso\.cn\r
+beijingxiezilou\.com\r
+xiezilouxinxi\.com\r
+kibonbarcode\.com\r
+xzhfblp\.com\r
+linuxbj\.com\r
+pr1ma\.info\r
+dom\d\.info\r
+cardz\d\.info\r
+hom\d\.info\r
+rossa\d\.info\r
+svx\d\.info\r
+bomb\d\.info\r
+filmes[\w\-_.]*sexo\r
+filmes[\w\-_.]*gratis\r
+video[\w\-_.]*sexo\r
+video[\w\-_.]*gratis\r
+foto[\w\-_.]*nudo\r
+seeyo\.info\r
+suphost\.info\r
+freehostss\.info\r
+hostzz\.info\r
+19mb\.info\r
+freespase\.info\r
+host24h\.info\r
+cdq369\.com\r
+datangshutong\.com\r
+jonchn\.com\.cn\r
+sweepdesign\.jp\r
+bj5yuehua\.com\r
+jonchn\.com\.cn\r
+bjht888\.com\r
+zgxbzlw\.com\r
+466tv\.cn\r
+sixnet\.com\.cn\r
+99caigang\.cn\r
+cydjk\.com\r
+fstzb\.com\r
+znstudio\.net\r
+datangshutong\.com\r
+liaoxinbj\.com\r
+bjhrj\.cn\r
+flowervoice\.com\r
+jonchn\.com\.cn\r
+iiwezxmkwzht\.com\r
+miqiatwuypzw\.com\r
+hjigunxxrqaf\.com\r
+slondcnixlwj\.com\r
+bengfa168\.cn\r
+kaiquan\.com\.cn\r
+huigao-v\.com\r
+bgzb\.com\r
+spvalve\.com\r
+dltools\.cn\r
+rosement\.com\.cn\r
+stone-ebay\.com\r
+zgxbzlw\.com\r
+farfly\.com\r
+e-bjmelody\.cn\r
+adsmc\.com\r
+yhht-valve\.com\r
+qmtyblphlilu\.com\r
+qewojlupomxg\.com\r
+zoqecyrqdfhc\.com\r
+jbhazglyuzml\.com\r
+bodt\.com\.cnn\r
+bodt\.com\.cn\r
+onebedroomfurniture\.com\r
+69bm\.com\r
+69bm\.net\r
+cp788\.com\r
+1k888\.com\r
+libfondo\.info\r
+nimerino\.info\r
+minutospa\.info\r
+ihtibel\.info\r
+akmandel\.info\r
+168xh\.net\r
+posui\.net\.cn\r
+szgwjy\.com\r
+tcl\.com\r
+johnsonip\.cn\r
+szwanyang\.com\r
+lfhcn\.com\r
+89bm\.com\r
+caishen\d*\.cn\r
+hcplasticmold\.com\r
+ViewMyLoan\.com\r
+hotwetred\.info\r
+uniwuros\.com\r
+cbyanrbp\.com\r
+vmwtynhs\.com\r
+odosuz\.cn\r
+idakoxic\.cn\r
+ifom\.info\r
+omiducer\.cn\r
+isekecec\.cn\r
+hzylin\.cn\r
+vaqyjcqu\.com\r
+nvzisslp\.com\r
+jxzgdglq\.com\r
+wetwetwett\.info\r
+nudevidz\.info\r
+nunde4free\.info\r
+668w\.com\r
+fregalz\.info\r
+hothothott\.info\r
+163\.(com|net)\r
+ifux\.info\r
+jzups\.com\.cn\r
+longre\.com\r
+wecomesh\.com\r
+cjh120\.com\r
+cctv8168\.com\r
+meter17\.cn\r
+quntuo\.com\r
+bjjinshan\.com\r
+cccstandard\.com\r
+szlrwl\.cn\r
+deqinfy\.net\r
+ebakvqsq\.com\r
+adklnaum\.com\r
+gohzmgek\.com\r
+hypoq\.(org|info)\r
+cerbaq\.info\r
+vertyn\.info\r
+bjyyct\.com\r
+blt\.net\.cn\r
+qemlcnwg\.com\r
+hudwzsfh\.com\r
+ppyecsia\.com\r
+impactcrusher\.net\.cn\r
+hammercrushers\.com\r
+benconq\.com\r
+jawcrusher\.net\.cn\r
+raymondmill\.cn\r
+zenithcrusher\.com\r
+cnzenith\.com\r
+conecrushers\.com\.cn\r
+impactcrusher\.net\.cn\r
+beconq\.com\r
+benconq\.com\r
+crusher-cn\.com\r
+zenithcrusher\.com\r
+lemmings.dontexist\.com\r
+bjjjjgd\.cn\r
+mingshengximqm\.com\r
+shangguanhong\.net\r
+zooxtreme\.(com|net|org)\r
+beastplace\.(com|net|org)\r
+beastzone\.(com|net|org)\r
+beast-space\.(com|net|org)\r
+3vindia\.info\r
+2kool4u\.net\r
+22web\.net\r
+isgreat\.org\r
+iblogger\.org\r
+talk4fun\.net\r
+prophp\.org\r
+totalh\.com\r
+xanga\.com\r
+stonecrusher\.net\.cn\r
+vone\.net\.cn\r
+aggregate-plant\.com\r
+grindingmill\.cn\r
+huili-cn\.com\r
+globalchineseedu\.com\r
+zgxbzlw\.com\r
+wahlee\.net\r
+lilyspring\.com\r
+wetlesbiansx\.com\r
+wetindians\.net\r
+sex4uonly\.net\r
+jxpump\.com\r
+bfjxkf\.com\r
+zzdehong\.com\r
+wet-n-hairy\.net\r
+pinkshaved\.net\r
+sweetttits\.com\r
+jxpump\.com\r
+uextkhveawym\.com\r
+ghzbstszrpgo\.com\r
+qsevvccxnzlb\.com\r
+ahxxugvpswym\.com\r
+cce-china\.cn\r
+cd8545\.com\r
+travelnursingdirect\.com\r
+cone-crusher\.org\r
+chinadrtv\.com\r
+jsd-coffee\.com\r
+flolon\.com\r
+sc818\.com\r
+seo315\.net\r
+pkseo\.cn\r
+nabirbsb\.com\r
+oqholfwb\.com\r
+wjoupiyw\.com\r
+yejuntech\.com\r
+ngvvlxpwuqhh\.com\r
+opggdydlpwsx\.com\r
+jrrwpwbungrk\.com\r
+lmkjshlsejlh\.com\r
+lovewind\.cn\r
+jormabridal\.com(\.cn)?\r
+paddletotheheadwaters\.com\r
+muzica-mp3\.ro\r
+movie2b\.com\r
+(stone|jaw|impact|cone|hammer)[-]*crusher\.(org|com|net|cn)\r
+pfkf999\.com\r
+hnpjs\.cn\r
+pysz\.com\.cn\r
+dxb\.ha\.cn\r
+ganbing120\.com\.cn\r
--- /dev/null
+\r
+This page describes the HCoop board, its workings, its policies, and so on.\r
+\r
+[[TableOfContents]]\r
+\r
+== About the board ==\r
+\r
+ * BoardOfDirectors: The members of the board.\r
+\r
+== Policies and guidelines ==\r
+\r
+ * HcoopPolicies: Our various policies.\r
+ * HcoopGuidelines: Guidelines for communicating, being HCoop staff, and more.\r
+ * HcoopStructure: Co-op bylaws, board members, and other legal details about the cooperative.\r
+ * IrcMeetings: View official meetings that are logged.\r
--- /dev/null
+The second board of directors for HCOOP, Inc. consists of:\r
+\r
+ *AdamChlipala, President and Treasurer\r
+ *NathanKennedy, Secretary\r
+ *DavorOcelic\r
+\r
+Please see the board's static website at http://hcoop.net/board/\r
--- /dev/null
+#format wiki\r
+#language en\r
+\r
+Some content that isn't directly relevant anymore\r
+\r
+'''List of pages in this category:'''\r
+\r
+ 1. AccountPrivileges\r
+ 1. AdminVolunteers\r
+ 1. MemberMigration\r
+ 1. OurOwnHostingFacility\r
+ 1. PaymentProcessing: Figure out how we should accept electronic payments.\r
+\r
+----\r
+CategoryCategory\r
--- /dev/null
+#format wiki\r
+#language en\r
+\r
+Here is system administration information that is not directly relevant to normal users.\r
+\r
+'''List of pages in this category:'''\r
+\r
+[[FullSearch(regex:(----(-*)(\r)?\n)(.*)CategorySystemAdministration\b)]]\r
+\r
+----\r
+CategoryCategory\r
--- /dev/null
+This page describes how admins may change their UNIX password (which is stored in {{{/etc/shadow}}}) on the new machines without disrupting Kerberos.\r
+\r
+ 1. Run {{{\r
+grub-md5-crypt\r
+}}}\r
+ and type your password twice. If you have GRUB installed on your home machine, you can do this there. Otherwise, log into {{{mire.hcoop.net}}} and do it.\r
+ 1. Copy the generated hash into the clipboard.\r
+ 1. Log into the machine where you want to change your password.\r
+ 1. Run {{{\r
+EDITOR=emacs vipw -s\r
+}}}\r
+ This opens up {{{/etc/shadow}}} in {{{vi}}}, and adds a safety net in case you make an error, by refusing to apply your changes if they would cause an error.\r
+ 1. Find the entry for your username. Replace the existing password hash for yourself. It will be the second field.\r
+ 1. Save and quit. {{{vipw}}} will tell you if there was an error. If there was not an error, it will apply your changes.\r
--- /dev/null
+I am Clinton Ebadi. \r
+\r
+= Contact =\r
+ * [[MailTo(clinton at unknownlamer dot org)]] (Email)\r
+ * unknownlamer (AOL Instant Messenger)\r
+ * 41087914 (ICQ)\r
+ * [[MailTo(clinton at hcoop dot net)]] (Jabber)\r
+ * unknown_lamer on [http://freenode.net freenode] (IRC) in #hcoop\r
+ * +1 443 538 8058 (Phone, SMS preffered)\r
+\r
+= Websites =\r
+ * http://unknownlamer.org '''Personal Homepage'''\r
+ * http://lazybastard.net\r
+\r
+= Stuff I Do for HCoop =\r
+I maintain the JabberServer service. Contact me if you want a jabber account.\r
+\r
+= Something Else =\r
+\r
+I a bicycling and beer brewing anarchist who espouses a philosophy of complete pesonal freedom. I hack code in Lisp and Scheme, and working on a magical project to replace the web with something better. It shall be put on ice for a bit as I am intending to go on a several month long bicycle tour of the northeast US in the spring and summer of 2007, but I hope to return more well read and with the skills required to undertake such a large project effectively.\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+'''This page is outdated. You might want to see NewServersSetup instead.'''\r
+\r
+Pretty soon we'll have more people wanting to join than we can support nicely on a single standard "dedicated server." This page contains information and links to other pages related to the planning and details of our next architecture.\r
+\r
+= Current state of the project =\r
+\r
+Currently, we are hashing out final software and network plans for the new architecture at SystemArchitecturePlans. To accompany this we have put together a page outlining ColocationNextSteps.\r
+\r
+During our meeting on June 24, 2006 we agreed on the following points regarding our new server configuration and the structure of HCoop:\r
+\r
+ * We decided on the pieces of hardware that we will need. This is described in more detail on NewSystemHardware. NewSystemHardware will also be the forum for collaboration on brands/models of hardware that will be purchased.\r
+ * Peer 1 will be the colocation provider for our next infrastructure.\r
+ * MichaelOlson and JustinLeitgeb will be system administrators after the move to the new system configuration is installed. Currently, they will be handling issues related to the new hardware and software.\r
+ * We will reconvene on FreeNode, #hcoop at 2:00 EST next week to talk about hardware specifics based on our research.\r
+\r
+The group previously researched different hosting providers for our new infrastructure. This information is archived on the page HistoricalColocationProvidersInformation.\r
+\r
+Overall, the goal of our project is to provide an architecture that will scale with the growing member base of Hcoop, Inc. Please see the page SystemArchitecturePlans to find out how we are planning to construct our servers to meet the needs of our growing hosting coop. Overall, the new system architecture has been planned to address the problems with our current system infrastructure detailed at the wiki page CurrentSystemGripes.\r
+\r
+Please feel free to help us grow by modifying any of these wiki pages.\r
+\r
+= Members most active in new system construction =\r
+\r
+The following Hcoop, Inc. members have expressed an interest in helping with the new server infrastructure on the mailing list:\r
+\r
+ * KarlChen\r
+ * ShaunEmpie\r
+ * JustinLeitgeb\r
--- /dev/null
+= Possible Colocation Service Providers =\r
+\r
+Currently, the Hcoop Inc. group planning the next server architecture is compiling a list of companies that we will contact with our quote request letter, detailed on the page ProspectiveHostsQuoteRequest. All members are invited to submit new companies to the pool that will be considered for hosting our next architecture by the deadline of April 14, 2006. You may also petition to remove hosting companies from consideration by that date.\r
+\r
+In order to remove or add companies from consideration, you may modify the list of companies below. If for any reason you would prefer not to modify the wiki page, email JustinLeitgeb at justin@phq.org and he will modify the wiki page for you.\r
+\r
+Also, JustinLeitgeb will be the default representative from the group to send out the quote requests, unless anyone else volunteers. If certain members would like to contact any of the hosting companies below, perhaps to maintain continuity of a relationship, add a comment stating this next to the name of the appropriate company below.\r
+\r
+Once we begin to receive requests from the companies concerned, the results will be posted for member review on the page ServiceProvidersReview. The hcoop discussion email list will be mailed to indicate when results are ready for review as we lead up to a vote.\r
+\r
+== List of Providers we will send our Quote Request to ==\r
+\r
+This is the list of providers, in alphabetical order, that we will send our quote request to, once the letter on ColocationPlans has been finalized. All will be contacted by JustinLeitgeb unless noted otherwise to the right of the company name.\r
+\r
+''Sat Apr 8 10:49:16 EDT 2006 Update: JustinLeitgeb sent quote requests to all of the organizations listed below, except for the one that NathanKennedy contacted previously. Please feel free to modify this list by the April 14 deadline, and any provider that is appended to the list will have a quote request sent to them. Otherwise, be patient for a few days and you will see the wiki page ColocationProvidersEvaluation populated with a summary of responses that we have received from the providers in contention for our colo needs.''\r
+\r
+ 1. [http://www.gaiahost.coop/ GAIA Host]\r
+ 2. [http://www.he.net/ he.net] Large colo provider with two? data centers and a solid reputation.\r
+ 3. [http://www.inreach.com/ InReach]\r
+ 4. [http://www.peer1.net/ Peer1] Another large colo provider, with about 5 data centers. Perhaps slightly larger than he.net.\r
+ 5. [http://seaccp.org/ The Seattle Community Colo Project], which is sponsored by [http://www.riseup.net/ riseup.net]. \r
+ \r
+ - I have sent a quote request to Riseup.net --NathanKennedy \r
+\r
+ - I would like to consider the [http://nyccp.net/ New York Community Colo Project], which is a branch of this project that may be closer to a larger portion of member base.\r
+\r
+ 6. [http://www.simpli.biz/ Simpli] (my personal favorite so far --AdamChlipala)\r
+ 7. [http://www.switchanddata.com/index.asp Switch and Data] has many carrier-neutral data centers in New York that I would like to check for pricing.\r
+\r
+== Service providers no longer in contention, unless members have valid reasons for including them in the pool ==\r
+\r
+ * [http://www.monkeybrains.net/ Monkey Brains]\r
+ This is a one-man shop renting cabinets from a real datacenter. I don't think this guy is capable of providing the support we need. Very disturbing FAQ line:\r
+\r
+ '''Is there a hidden bandwidth limit?'''\r
+\r
+ ''I haven't had any 'heavy' users, so the limits have yet to be tested.''\r
+\r
+ In other words, he's not much bigger than we want to be, soon. --NathanKennedy\r
+\r
+ ''(FYI - I think that most of the colo providers we are looking at here are small companies or individuals renting from data centers. Even Simpli still just rents two "cages" or rooms from a larger data center. The only exceptions to this might be bigger shops like [http://www.he.net he.net] that have their own data centers. -- JustinLeitgeb)''\r
+\r
+== See Also ==\r
+\r
+Pages that are related to this are ColocationPlans, which is the main page for discussion of the new architecture, and SystemArchitecturePlans, which provides details and diagrams on hardware and software configuration issues related to the new hcoop network.\r
+\r
+Finally, OlderColocationProviderInfo holds page of historical interest based on previous inquiries. I would like to consider this page deprecated as rates may have changed since we initially contacted these companies.\r
--- /dev/null
+= Evaluation of Potential Colocation Providers =\r
+Below are the service providers that Hcoop, Inc. is considering for our future hosting needs, along with available information about pricing and infrastructure. Some providers that are no longer being considered for our hosting needs are listed at the page PreviouslyConsideredColocationProviders.\r
+\r
+== Peer 1 ==\r
+http://www.peer1.net\r
+\r
+Peer 1 offers a quarter cabinet for 10U. A fast ethernet port with a 5MB/s connection is provided. Monthly costs for the space will be $750, and there would be a $400 initial charge for installation of a rack/cabinet. A 10 amp circuit is provided.\r
+\r
+Peer 1 does not sell hardware.\r
+\r
+Their response to our request as a PDF: attachment:Peer1.QuarterCab.Proposal.pdf\r
+\r
+ . It looks pretty clear that Peer1 is by far the highest quality provider on our list, and I was impressed by their letter and quote. The bar to entry is also high; $750 a month and 10U to utilize. On the other hand it is tempting; PLENTY of room for growth probably for years to come, a first-class network (450 direct tier one peers, 1-ms maximum intercity latency, 4-ms maximum intercity latency delivery to any tier one peer). We would NOT be having the kind of network issues we were plagued with in the past with Interserver. It is definitely a good value, but it an awfully big step up from where we are now--we don't want to waste member resources if the cabinet went vastly underutilized for long periods of time; we would need a major membership drive or some really big clients. Another advantage is the datacenter is in Manhattan and provides secure unescorted access. I could personally be there to fix, install, or upgrade stuff from my house within an hour. Of course if we are thinking beyond two years we can't just count on me, since who knows what I will be doing then, and of course on-site response can't be replaced in a lot of situations, but having an alternative to a $150/hour remote hands fee for most situations would be nice. NathanKennedy Another thing, I seriously think we should consider marketing dedicated servers or collocation ourselves. This would be another valuable service we could provide, which would make it much easier to fill larger cabinets and allow even our $5/mo. members to benefit from the best possible facilities. NathanKennedy\r
+\r
+== He.net ==\r
+http://www.he.net/\r
+\r
+If we can stay under 1MB/s, the rate for bandwidth plus up to 7U is $300/month.\r
+\r
+He.net does not sell hardware.\r
+\r
+Their response to our request as a PDF: attachment:he_colo.pdf\r
+\r
+ . HE looks great. I have heard great things about them, and this is definitely a good deal for what it is. I think they come a close second after Peer1 for quality. NathanKennedy\r
+ . .\r
+ . I ran my Artelope web site off a basic user account on HE for 5 or 6 years. I was always satisfied with their service, both in terms of uptime and in terms of helping me out with a human being when I had a problem. I closed my account and came here because I felt their price was too much to pay for a small site like mine. JoshGoldfoot\r
+\r
+== Switch and Data ==\r
+http://www.switchanddata.com/\r
+\r
+Switch and Data is carrier-neutral, meaning that they would give us space, and we would buy bandwidth from another provider (or multiple providers, eventually). I got quotes for three locations that Switch and Data has in NYC. The reason that the 65 Broadway location is slightly less expensive than the other two locations is because it has connections to fewer providers available compared to the other locations in NYC. If we can live with the providers\r
+\r
+Bundled Half Cabinet:\r
+\r
+Includes: (1) Half Locking Cabinet/Open Face Rack, 10 AMPS AC Power, (1) Cross Connect (Media Agnostic)\r
+\r
+65 Broadway: $625.00 Monthly Recurring Cost\r
+\r
+111 8th & 60 Hudson St: $775.00 Monthly Recurring Cost\r
+\r
+The Switch and Data representative also gave me site specifications for their three locations in NYC.\r
+\r
+ * attachment:Site_Spec_NYC_111_8th_.pdf\r
+ * attachment:Site_Spec_NYC_60_Hudson_8.01.05.pdf\r
+ * attachment:Site_Spec_NYC_65_Broadway_4.22.05.pdf\r
+== Simpli ==\r
+Justin had disqualified Simpli before, but I was surprised at their nonresponsiveness, because I'd had some nice e-mail conversations with the founder in the past. So, I e-mailed her asking what was up and she got back to us in a few days. She said that she hadn't replied before because Simpli is currently figuring out the details of expanding into some new hosting space and that made some pricing issues uncertain. I don't think it was acceptable to give us no reply because of this, but I at least have reason to believe that these are good people at Simpli and that we should consider them, given their much lower rates for colocation at our current modest needs. --AdamChlipala\r
+\r
+I think that any provider which does not respond in a timely manner should be removed from consideration, without exception. This was a warning sign with InterServer that we failed to heed. --MichaelOlson\r
+\r
+They would provide the hardware with 1-year parts and labor warranties:\r
+\r
+{{{\r
+Web server (each): $964.60 (includes 3Ware 2-port Serial ATA hardware RAID\r
+card; subtract $150 if you would prefer software RAID)\r
+- Uses 2x80GB Western Digital SATA drives.\r
+\r
+Database server: $2700 with 500GB drives\r
+$2180 with 400GB drives\r
+(includes 3Ware 4-port Serial ATA hardware RAID card; subtract $380 if you\r
+would prefer software RAID)\r
+\r
+Both configurations are 1U. Each server comes with a 1-year parts and labor\r
+warranty. After the year, we can replace parts for the part cost + labor\r
+(which is $100/hour) or you can buy the parts yourself through us or through\r
+any vendor and replace it yourself by scheduling a datacenter visit.\r
+\r
+Your total colocation price would be $70/month for 2U of space (assuming 2\r
+servers) plus whatever bandwidth costs you would have.\r
+\r
+Serial console service is $20/month per server. We don't currently have an\r
+offsite backup service such as the one you are looking for, but we will in\r
+the next 2-3 months as we open a second location.\r
+}}}\r
+This leaves out some details of bandwidth pricing, which can be found at http://www.simpli.biz/colocation.php.\r
--- /dev/null
+Here are various methods to get in touch with Hcoop.\r
+[[TableOfContents]]\r
+== Members and Non-Members ==\r
+ * IrcChannel: Join our "chat" channel for 24/7 discussion.\r
+ * abuse@hcoop.net: for DMCA violations and other complaints about the use of our servers.\r
+\r
+== Members ==\r
+ * [http://members2.hcoop.net Portal]: for taking care of common administrative tasks on HCoop's new systems.\r
--- /dev/null
+The planning of a new system architecture at Hcoop, Inc. is motivated by a set of concerns with the current infrastructure. This page details these concerns in order to improve ourselves in Hcoop, Inc. v. 2.\r
+\r
+= What deficiencies in our current set-up do we want to correct? =\r
+\r
+ * If one machine goes down, then our services will go down, too.\r
+ * No way for members to buy arbitrary amounts of disk space\r
+ * No automated off-machine backups\r
+ * ''Until we get new machine(s) set up, would it be possible to rsync the server contents off-site? I would be willing to contribute space on my linux workstation to this purpose... or do bandwidth constraints make this unreasonable? I imagine that our content is relatively static so that might make this possible.'' --JustinLeitgeb\r
+ * We don't have a human administration set-up where everyone with an admin job:\r
+ * Feels compensated in proportion to the work he does\r
+ * Is accessible on a predictable schedule\r
+ * PHP scripts have a time limit. This created problems with Squirrel Mail:\r
+ * It is often impossible to attach large files or download large attachments.\r
+ * When Fyodor is running its backup, the system becomes slow. Sometimes folder listings don't display because the php script times out before the folder is read from the imapd.\r
+ * ''Can we correct this by "nicing" the backup process? Might be a quick fix.'' --JustinLeitgeb\r
+ * ''Already done, unfortunately.'' --AdamChlipala\r
+ * Downloads from www.hcoop.net/~username are not counted toward the user's bandwidth usage\r
+ * ''Actually, they are counted as much as any other web activity, though we don't have any formal idea of "bandwidth quota" ATM. Do you have any information to indicate otherwise?'' --AdamChlipala\r
--- /dev/null
+== Choosing DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir, Adleman) ==\r
+\r
+=== For the purposes of SSH Authentication ===\r
+\r
+The text below was copied from various referenced websites. Conclusions are shown at the top, with context below.\r
+\r
+From [http://ac.umfk.maine.edu/~romeo/?p=69]:\r
+\r
+Conclusion: \r
+{{{ \r
+I always use 1280-bit DSA key pairs for SSH authentication, i.e. the keys are generated with “ssh-keygen -t dsa -b 1280″ \r
+}}}\r
+\r
+''Note: my version of openssh limits DSA keys to 1024 bits.'' -- RickHull\r
+\r
+Context:\r
+{{{\r
+For RSA, a 1536-bit key pair is recommended now for most uses e.g.\r
+SSH public-key authentication, but longer keys shall be used for signing\r
+documents that should not be forged even after many years.\r
+Nevertheless, most Web sites that use HTTPS, have only 1024-bit RSA key\r
+pairs, those are still reasonably secure for now, but in a few years\r
+they will become breakable. An 1536-bit RSA public/private key pair\r
+requires about the same time for breaking as a 90-bit key of a\r
+secret-key algorithm. Nonetheless, in reality 1536-bit RSA is much more\r
+secure than 90-bit, because either a huge memory (much beyond what is\r
+currently possible) is needed for the computation or, if the memory is\r
+unavailable, the computation becomes much slower, so the RSA key will be\r
+equivalent in strength with a longer secret key.\r
+\r
+RSA is more appropriate for signing certificates, because it can be\r
+verified faster, but for the authentication of the initial message\r
+exchange in network connection establishments, like in IPsec, TLS/SSL or\r
+SSH, DSA can be better, because there are an equal number of signing and\r
+verification operations, so only the sum of the execution times for\r
+signing and verification matters. DSA has the advantage that it has the\r
+same security as RSA at a shorter key length, i.e. 1280-bit DSA has\r
+about the same security as 1536-bit RSA. For that reason I always use\r
+1280-bit DSA key pairs for SSH authentication, i.e. the keys are\r
+generated with “ssh-keygen -t dsa -b 1280″, both for the server host key\r
+and for the users’ workstations.\r
+\r
+DSA has a disadvantage that is not a property of the algorithm but\r
+only of its implementation in OpenSSL, OpenSSH and other common\r
+programs, it has several parameters that must be increased\r
+simultaneously for better security, but applications like ssh-keygen let\r
+you specify only the key length and they keep the other parameters\r
+unchanged. Because of that it is absolutely useless to increase the DSA\r
+key length beyond 1280-bit, because the security is not improven. On\r
+the other hand, with RSA you can specify 2048-bit, 3072-bit or longer\r
+key pairs, if you so desire. \r
+}}}\r
+\r
+From [http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-dsa PuTTY FAQ]:\r
+\r
+Conclusion: \r
+{{{ \r
+we still recommend you use RSA instead \r
+}}}\r
+\r
+Context:\r
+{{{\r
+DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.\r
+\r
+The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead. \r
+}}}\r
--- /dev/null
+We've recorded some special instructions, hints, etc., for these daemons on our new servers hosted at Peer 1:\r
+\r
+ * ["DaemonAdmin/Apache"]\r
+ * ["DaemonAdmin/Bind"]\r
+ * ["DaemonAdmin/LDAP"]\r
+ * ["DaemonAdmin/MySQL"]\r
+ * ["DaemonAdmin/PostgreSQL"]\r
--- /dev/null
+\r
+This page describes how to deal with Apache issues. It is intended for use by HCoop administrators.\r
+\r
+[[TableOfContents]]\r
+\r
+== Dealing with too many apache processes ==\r
+\r
+Sometimes on our old machines (fyodor), too many apache processes are run, and they consume all available memory. In case this same problem is ever experienced on the new machines, it could be handy to know how to do this recovery procedure.\r
+\r
+This problem can be diagnosed by running\r
+\r
+{{{\r
+free\r
+}}}\r
+\r
+to check the amount of memory being used, and\r
+\r
+{{{\r
+ps -e | grep [a]pache2 | wc -l\r
+}}}\r
+\r
+to see how many Apache processes are running. If there are around 100 processes or more running, and we have less than 60MB memory free, and are using more than 50% of swap, we need to continue with the "apache2 draining" procedure listed below.\r
+\r
+To get rid of apache2 processes, do the following.\r
+\r
+{{{\r
+iptables -I INPUT 1 --proto tcp --dport 80 -j REJECT\r
+/etc/init.d/apache2 stop # wait about 5 minutes, then hit Ctrl+c a few times to stop\r
+killall apache2\r
+killall -9 apache2\r
+/etc/init.d/apache2 start\r
+iptables -D INPUT 1\r
+}}}\r
+\r
+Now check to see whether member websites can be browsed. Also, check to see whether the amount of free memory has increased substantially.\r
--- /dev/null
+\r
+[[TableOfContents]]\r
+\r
+= Filesystem layout =\r
+\r
+On both deleuze and mire, BIND data lives in `/etc/bind`. This directory is seeded with the default files from the Debian `bind9` package. Additionally, we add a `zones` subdirectory.\r
+\r
+DomTool periodically deposits `/etc/bind/named.conf.local`, listing all of our hosted DNS zones and their master/slave statuses and configuration. DomTool also populates `/etc/bind/zones` with zonefiles referenced by `/etc/bind/named.conf.local`.\r
+\r
+== Permissions ==\r
+\r
+`/etc/bind/zones` should be owned by user `bind`, since BIND seems to like creating temporary files there. I've only yet seen this matter during updating of slave zone information.\r
+\r
+= Adding new hcoop subdomains =\r
+\r
+This is '''not''' done by editing anything in {{{/etc/bind}}}. Instead, see ["DomTool/AdminProcedures"].\r
--- /dev/null
+\r
+ * To edit LDAP database from a GUI tool, use ''gq'' program\r
+ * To connect to hcoop's ldap server using ''gq'', create a SSH tunnel: ''' ssh -f -N -L 389:localhost:389 USERNAME@deleuze.hcoop.net''', and then connect to ''localhost:389'' in ''gq''.\r
+ * For the description of the actual authentication scheme, see AuthenticationScheme.\r
--- /dev/null
+Because we wanted to have version 5 of MySQL running on our stable server, we used the [http://dotdeb.org] package. For this reason there should be mirrors from dotdeb.org listed in the file ''/etc/apt/sources.list'' on deleuze.\r
+\r
+= Configuration details =\r
+\r
+my.cnf file modified to leave a port open over the network, default is local pipe only.\r
+\r
+= Progress =\r
+\r
+As of Sat Jan 6 12:29:23 EST 2007, the MySQL 5.0 daemon and client libraries have been installed on deleuze. I also installed the mysql-common and mysql-client 5.0 packages on mire which should will allow for users to connect back to the main DB server.\r
+\r
+= To Do =\r
+\r
+The new dbtool implemented as part of DomTool can now be used to create MySQL users and databases and the associated AFS directories. We still need to figure out how to allow users to drop tables from their databases without letting them drop the databases themselves. Since users retain permissions on a database even after it's dropped, the user could drop his database and recreate it on the partition where /var/lib/mysql lives, instead of in AFS.\r
+\r
+We also need to work out exactly what hostname mask to use in creating users and granting them privileges.\r
+\r
+= Steps to perform =\r
+\r
+== Logical steps ==\r
+\r
+ 1. Create user's database volume in AFS, if one isn't there already\r
+ 1. Create directory structure with proper permission within the AFS volume (the sole existence of the directory is enough for MySQL to consider it a database, even if just an empty one). NOTE: If we stick to existing behavior on fyodor, requested database name should be prefixed with USERNAME_ .\r
+ 1. Create a symbolic link in /var/lib/mysql/ that points to the database\r
+ 1. Grant the user rights on the new DB\r
+\r
+And, in terms of command line, the steps are:\r
+\r
+== Initialize DB space for any DB ==\r
+\r
+You need to perform this as any user who has AFS admin permissions:\r
+\r
+ 1. $dir = /afs/hcoop.net/common/.databases/'''USERNAME'''\r
+\r
+'''If vos examine db.USER says there's no volume created:'''\r
+ 1. vos create -server afs -partition a -name db.'''USERNAME''' -maxquota 5000\r
+\r
+\r
+'''If db.USER volume is there, but $dir is not present (volume isn't mounted):'''\r
+ 1. fs mkmount -dir /afs/hcoop.net/common/.databases/'''USERNAME''' -vol db.'''USERNAME''' -rw\r
+ 1. vos release common.databases\r
+\r
+'''And this can be done always:'''\r
+ 1. fs setacl -dir $dir -acl databases l\r
+ 1. fs setacl -dir $dir -acl system:backup rl\r
+\r
+\r
+== Database creation routine when the db space has been initialized ==\r
+\r
+You need to perform this as any user who has AFS admin permissions:\r
+\r
+ 1. $dir = /afs/hcoop.net/common/databases/'''USERNAME'''/mysql\r
+ 1. mkdir -p $dir\r
+ 1. fs setacl -dir $dir -acl mysql lid\r
+ 1. fs setacl -dir $dir -acl databases none # (keep out other databases, just in case)\r
+ 1. fs setacl -dir $dir -acl system:backup rl # (should be inherited from parent dir)\r
+ 1. sudo mkdir $dir/'''DBNAME''' || exit # (Must not exist)\r
+ 1. sudo chown mysql:mysql $dir/'''DBNAME'''\r
+ 1. sudo chmod 770 $dir/'''DBNAME''' # (Just for visual impression)\r
+ 1. sudo ln -sf $dir/'''DBNAME''' /var/lib/mysql/'''DBNAME'''\r
+ 1. fs setacl -dir $dir/'''DBNAME'''/ -acl mysql all\r
+\r
+Now, about users and granting permissions to the database, I would like to see users being able create new users\r
+and passwords and their privileges (to their databases) themselves. This would allow fine-grained tuning\r
+of what service uses which DB username/pw, and what access rights it has. Maybe a list of users/passwords,\r
+or an appropriate support ticket would be cool.\r
+\r
+So anyway, the procedure for creating a user and giving privileges, executed on behalf of the admin user\r
+(domtool2), which can be specified as '''sudo -H mysql -e "<COMMAND HERE>" mysql''':\r
+\r
+ 1. CREATE USER ''''USERNAME''''@''''HOSTNAME'''' IDENTIFIED BY ''''PASSWORD'''';\r
+ 1. GRANT SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,GRANT OPTION ON '''DBNAME.*''' TO '''USERNAME'''@'%.hcoop.net';\r
+ 1. FLUSH PRIVILEGES;\r
+\r
+(Thing to note here: Wildcard '%' can be used in hostname part, for things like '%.hcoop.net'.)\r
+\r
+\r
+There are two other things related to users, one is changing password and the other is deleting users. These simply map to\r
+mysql SET PASSWORD and DROP USER commands, if you go to implement them.\r
+\r
+And one last thing; mysql is listening both on localhost and network interfaces (deleuze external IP). Maybe we want to restrict\r
+it to run on just one of them. Or if not, if it will run on both, then the access rule ( USERNAME@'%.hcoop.net' ) has to be duplicated\r
+in a way (for USERNAME@localhost), OR the users will always have to specify mysql host "deleuze" instead of "localhost". Another solution to this is that we don't try to be clever at all, but simply let users make sure the hostname part in their support ticket will match the interface they'll be using to connect.\r
--- /dev/null
+See MySQL for list of things that have to be done for any database\r
+(both MySQL and Postgres).\r
+\r
+= Postgres-specific setup =\r
+\r
+ 1. $dir = /afs/hcoop.net/common/databases/USERNAME/postgres\r
+\r
+If $dir does NOT exist:\r
+\r
+ 1. sudo -u postgres psql -c "CREATE USER '''USERNAME'''" template1\r
+ 1. mkdir -p $dir\r
+ 1. chown postgres:postgres "$dir"\r
+ 1. fs setacl -dir $dir -acl postgres write\r
+ 1. fs setacl -dir $dir -acl databases none # (keep out other databases, just in case)\r
+ 1. fs setacl -dir $dir -acl system:backup rl # (should be inherited from parent dir)\r
+ 1. sudo -u postgres psql -c "CREATE TABLESPACE user_'''USERNAME''' OWNER '''USERNAME''' LOCATION '$dir'" template1\r
+\r
+When it does, go directly to database creation step:\r
+\r
+ 1. sudo -u postgres createdb -O '''USERNAME''' -D user_'''USERNAME''' '''DBNAME'''\r
--- /dev/null
+Part of the reason hcoop is so swell is that we (try to) make it easy for members to take advantage of shared daemons. Of course, it's important that no one can take advantage of this to interfere with the services a daemon provides for others. This page focuses on how we do this for the particular case of data and configuration files associated with particular daemons but conceptually belonging to particular users.\r
+\r
+There are two main things to watch out for:\r
+ * One user shouldn't be able to exhaust available disk space through his configuration of a daemon. This would include getting a system user, e.g. the one that runs a particular database server, to exceed its disk quota or fill up the partition its data files live on. To achieve this goal, a common theme is that we try to keep all files with the potential to be large on `/home` and make sure that they belong to the group of the human user who we consider responsible for them. With this, we can use group quotas as single-point limits on disk usage.\r
+ * Through direct filesystem access, users shouldn't be able to break any daemons with respect to the services that those daemons provide for other users, though we don't care if users can hose their own services like this.\r
+\r
+= Static web sites =\r
+\r
+This one's easy. Users manage their own files and just need to make them readable by `www-data`, the Apache user.\r
+\r
+= domtool configuration files =\r
+\r
+Individual domain directories are basically extensions of users' home directories, permissions-wise, so again there are no problems.\r
+\r
+= Mailboxes =\r
+\r
+Users are given ownership of both their primary mailboxes (`~/Maildir`) and virtual mailboxes (`/home/vmail/<domain>/<name>`). We're assuming that Exim and Courier IMAP are robust enough that errors in these mailboxes won't prevent delivery of mail to other mailboxes or prevent others from checking their mail.\r
+\r
+= Mailing lists =\r
+\r
+We modify the default Mailman set-up in the following ways:\r
+\r
+ * Symlink `/var/lib/mailman/[archives|lists]` to `/home/mailman/[archives|lists]`, where the real action is.\r
+ * For a mailing list `mylist@mydom.com` owned by user `me`, we create it by running `/usr/local/bin/listnew mylist mydom.com me somepasswd`, which runs the following for each value of `F` in `/home/mailman/lists/mylist`, `/home/mailman/archives/private/mylist`, and `/home/mailman/archives/private/mylist.mbox`:\r
+\r
+{{{chmod -R g+s F\r
+chmod -R g-rwx F\r
+chmod -R u-s F\r
+chown -R list.me F}}}\r
+\r
+ In other words, `list`, the Mailman user, owns the files. They have the human user's group, but this group is given no more permissions than the rest of the world gets. It's only there as a marker for `/home` group quotas. The directories are setgid, so that new files created belong to the human user's group.\r
+ * Change the Mailman CGI scripts in `/usr/lib/cgi-bin/mailman` to be owned by `list.list` and to be setuid instead of setgid. These scripts already cry bloody murder if run by anyone but `www-data`, so this use of setuid should be secure. They let the CGI scripts run as the Mailman user itself, since belonging only to Mailman's group is no longer enough to access the list data.\r
+\r
+= SpamAssassin training =\r
+\r
+Everyone has write access to the shared folders where misclassified spam and ham should be deposited. This is definitely a security problem if someone wants to train Spam``Assassin to mark legitimate and important messages as spam to harrass other users. Also, by copying files directly instead of going through IMAP, users may be able to screw up the folders in some way that impacts others.\r
+\r
+= MySQL databases =\r
+\r
+The databases of user `me` live in `/home/mysql/me_*`. Each of these directories is owned by `mysql.me` and is symlinked from the usual MySQL database location. There are no write permissions for the group, so `me` can't modify the database directly in an effort to confuse or crash MySQL; and, of course, all database files are counted towards `me`'s group quota.\r
+\r
+= PostgreSQL databases =\r
+\r
+The databases of user `me` live in `/home/postgres/me/`. We use the new PostgreSQL's "tablespace" mechanism to make this more elegant than the MySQL set-up. Tablespaces are named containers for databases that are associated with particular roots in the filesystem. We give each user his own tablespace, with the usual ownership by his group, setgid, and no group permissions. `me` can't modify the database directly in an effort to confuse or crash Postgres; and, of course, all database files are counted towards `me`'s group quota.\r
+\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+Founding member and concerned citizen.\r
+\r
+http://enthalpy.net/\r
--- /dev/null
+DavorOcelic, HCOOP Inc. system administrator and Board of Directors member.\r
+\r
+= System administrator position =\r
+\r
+One year ago\r
+ * we were still using our now-old server (fyodor.hcoop.net)\r
+ * we were a little more than half the current size (currently: 110 members)\r
+ * more of us were visiting #hcoop channel at the FreeNode IRC network (irc.gnu.org server, for example)\r
+ * more manual user-to-admin communication was required\r
+\r
+Today, things are looking different. We have a new infrastructure that will be deployed shortly\r
+ * the 2 new servers + old Abulafia (hopefully with increased automation and security infrastructure)\r
+ * a nice member base (kind greeting to everyone who joined!)\r
+ * an extraordinary members portal ([http://members.hcoop.net/] - all Domtool and Portal fame richly deserved by AdamChlipala), and this new wiki ([http://wiki.hcoop.net/])\r
+\r
+As far as our current technology and my system administrator position at HCOOP are concerned, in 2007 I plan to:\r
+ * continue with the current, usual system administration tasks\r
+ * improve on the security infrastructure\r
+ * develop a global (authentication and other) infrastructure for all HCoop servers\r
+ * as always, help with any tasks that pop up\r
+\r
+As mentioned, we are working on a new HCoop infrastructure. The areas I work on can be seen on the TaskDistribution page.\r
+\r
+'''I would like to thank Justin Leitgeb, Ray Racine and Shaun Empie for valuable hardware donations that made the next round of HCoop expansion much easier in all aspects! See NewSystemHardware.'''\r
+\r
+= Board of Directors position (2007) =\r
+\r
+I should also give you a word on the nature of the Board of Directors position.\r
+HCoop is democratic in its roots, thanks to the original principles set (and rigorously conducted) by Adam Chlipala. While AdamChlipala is (and will probably always be ;) "The HCoop Founder", it's important to understand that Adam is not making decisions single-handedly, especially since we became a legal and officially recognized organization in all aspects (HCOOP, Inc.). Instead, the power is held within the member base, and ultimately within the Board of Directors (read our HcoopBylaws page).\r
+\r
+So the Board of Directors (BoD) position has a few specifics:\r
+ * the number of directors is very small (only three of all members, as you see. Although with plans to increase that number to five)\r
+ * the position requires combination of both management and technical abilities\r
+ * each directors is worth a whole 33.3%, and two-thirds of the board can take immediate action\r
+ * the number of directors will not grow linearly with the number of HCoop members\r
+\r
+For the above, it is important that you pay close attention to the Board being a "good balance of skills, geographic locations, and personalities" (as NathanKennedy nicely put it).\r
+\r
+Finally, there is another part of Nathan's previous-year platform that I would like to quote:\r
+\r
+"I hope you will re-elect the three current members of the board (Adam Chlipala, Nathan Kennedy, and Davor Ocelic).\r
+I believe that together we can continue to bring the membership together to create a service that gets better all the time."\r
+\r
+Thank you all,\r
+\r
+Davor Ocelic\r
+\r
+= Board of Directors position (2006) =\r
+\r
+I would like to thank everyone who voted for me on our first BoD HCOOP elections (see ["Election2006"]).\r
+\r
+= Board of Directors position (2005) =\r
+\r
+I would like to thank everyone who voted for me on our first BoD HCOOP elections (see ["Election2005"]).\r
+\r
+Close to what I initially predicted, our first year was marked mostly by advances in the system setup.\r
+On a parallel front, NathanKennedy was working on issues related to our legal status (see [http://hcoop.net/board/]).\r
+\r
+Few members-related issues did pop up, but nothing that would require the Board to meet outside of the scheduled meetings.\r
--- /dev/null
+#format wiki\r
+#language en\r
+#pragma section-numbers off\r
+= WikiName Wiki =\r
+\r
+What is this wiki about?\r
+\r
+Interesting starting points:\r
+ * RecentChanges: see where people are currently working\r
+ * WikiSandBox: feel free to change this page and experiment with editing\r
+ * FindPage: search or browse the database in various ways\r
+ * SyntaxReference: quick access to wiki syntax\r
+ * SiteNavigation: get an overview over this site and what it contains\r
+\r
+\r
+== How to use this site ==\r
+\r
+A Wiki is a collaborative site, anyone can contribute and share:\r
+ * Edit any page by pressing '''[[GetText(Edit)]]''' at the top or the bottom of the page \r
+ * Create a link to another page with joined capitalized words (like WikiSandBox) or with {{{["quoted words in brackets"]}}}\r
+ * Search for page titles or text within pages using the search box at the top of any page\r
+ * See HelpForBeginners to get you going, HelpContents for all help pages.\r
+\r
+To learn more about what a WikiWikiWeb is, read about MoinMoin:WhyWikiWorks and the MoinMoin:WikiNature. Also, consult the MoinMoin:WikiWikiWebFaq. \r
+\r
+This wiki is powered by MoinMoin.\r
--- /dev/null
+We keep all of our non-trivial custom programs and scripts in CVS for [http://hcoop.sourceforge.net/ our SourceForge project]. All HCoop admins should have Source``Forge accounts and be added as developers for project `hcoop`.\r
+\r
+There are [http://sourceforge.net/cvs/?group_id=99567 instructions on how to use our project CVS], both for admins and curious others.\r
+\r
+Every commit to our repository triggers an e-mail to the [https://lists.sourceforge.net/lists/listinfo/hcoop-cvs hcoop-cvs mailing list] hosted at Source``Forge. All developers for the project should probably subscribe to this list. It's open to the public, so anyone else should feel free to subscribe, too.\r
+\r
+Our CVS repository contains several modules. Most of them are custom tools implemented in ML and "owned" by AdamChlipala, so that most others won't even need to check them out for modification. However, the `misc` module is of particular interest to all admins. Whenever you make significant changes to some script (for instance, modifying an `/etc/init.d` script to add AFS support), it should be checked into the appropriate subdirectory of the `misc` module. Rely on the `README` files in that module to determine which subdirectory that is, and be sure to add new `README`s and new entries to existing files as necessary to keep the module self-explanatory.\r
--- /dev/null
+Before continuing with this page, you probably want to read DomainTool to learn the basics of how we handle shared daemon configuration.\r
+\r
+A {{{.dns}}} file in a domain's directory controls its DNS settings. Such files consist of a sequence of lines of the following types:\r
+\r
+ * {{{Master <ip>}}}: Designates a master DNS server from which we should fetch all data for this domain. Any DNS configuration in a {{{.dns}}} file after any {{{Master}}} directive is ignored, except for {{{Mail}}} lines which determine the behavior of our SMTP server. You can use multiple {{{Master}}} directives, but the later IP addresses will only be used if the earlier servers are not contactable. The DNS data is queried using the standard zone transfer protocol.\r
+ * {{{Slave <slave>}}}: Usually appears at top of file. Discussed in the next section.\r
+ * {{{TTL <seconds>}}}: {{{seconds}}} is an integer specifying the lifetime in seconds of the DNS records coming after this directive and before the next {{{TTL}}} directive, if any. DNS caches around the 'net will feel free to assume that these mappings remain valid for that long without consulting our DNS servers to verify that this is really the case. This is valuable behavior, since it saves wear and tear on our servers. You should only use this directive if you have a particular, compelling reason, such as that a particular DNS mapping is updated regularly by a program. {{{domtool}}} enforces that the TTL that you enter is at least some minimum value. The current minimum is 120 seconds, which we can change if someone has a good reason.\r
+ * {{{TTL default}}}: Switch back to using default TTLs after using the directive described in the last entry. Different kinds of entries have different default TTLs that will be used, based on what the author of djbdns thought makes sense in the general case.\r
+ * {{{Primary <host> <ip>}}}: Sets the primary DNS server for the domain to IP address {{{ip}}}, naming it {{{host.domain}}}\r
+ * {{{Primary <full_hostname>}}}: Use this to set your primary DNS server to a hostname from another domain. For example, you should use this if you want to use our default {{{ns.hcoop.net}}}/{{{ns2.hcoop.net}}} DNS configuration and your registrar complains that your DNS servers report different hostnames for nameservers than you gave to the registrar. We've only yet encountered one case where this was necessary. The set of allowed hostnames is specified in root-administered {{{.nses}}} files, which are handled in the same way as {{{.slaves}}} files. {{{ns.hcoop.net}}} and {{{ns2.hcoop.net}}} will both always be available.\r
+ * {{{Secondary <host> <ip>}}}: Adds a secondary DNS server for the domain with IP address {{{ip}}}, naming it {{{host.domain}}}\r
+ * {{{Secondary <full_hostname>}}}: Analagous to the {{{Primary}}} form above for full hostnames.\r
+ * {{{Mail <host> <ip>}}}: Add a server to process e-mail for the domain with IP address {{{ip}}}, naming it {{{host.domain}}}. Mail servers will attempt to deliver mail to the servers you list following the order in which you list them, starting from the first.\r
+ * {{{BackupMail <host> <ip>}}}: This like like {{{Mail}}}, but, instead of declaring that mail for a domain is accepted locally, it declares that our mail server should accept mail for this domain and forward it on to one of that domain's "real" mail servers. This is useful in case that domain's primary mail server goes down, in which case our mail queue can hold messages meant for it.\r
+ * {{{Mail <full.host>}}}: Add an external server {{{full.host}}} to process e-mail for this domain. This form doesn't add an A record, so you will only want to use it for non-HCoop mail servers that already have A records elsewhere.\r
+ * Mail creates a DNS __MX__ record.\r
+ * {{{Default <ip>}}}: Sets the IP address for {{{domain}}} to {{{ip}}}\r
+ * {{{Host <host> <ip>}}}: Sets the IP address for {{{host.domain}}} to {{{ip}}}\r
+ * {{{Alias <host> <ip>}}}: Sets the IP address for {{{host.domain}}} to {{{ip}}}; use this when this IP address has already been assigned a name in this domain with {{{Default}}} or {{{Host}}}\r
+ * Alias creates a DNS __A__ record.\r
+ * {{{Redir <host1> <host2>}}}: Sets {{{host1.domain}}} to have the same IP address as {{{host2}}}. This should almost never be used, as it requires every client resolution of this hostname to follow the chain of redirections, possibly across different servers. You should usually define a variable for a commonly used host IP address and use it with {{{Host}}} and {{{Alias}}} directives.\r
+ * Redir creates a __CNAME__ record. CNAME is usefull when you want to resolve to a server on a different DNS server / hosting provider.\r
+''Note'': The entries for Primary and Secondary DNS servers are required for the other entries to have any useful effect. (If you don't specify that our servers are in charge of your domain, no one will know to ask them about it.) See the {{{.dns}}} files for other working domains to get an idea of how this file should look.\r
+\r
+= Subdomains =\r
+Creating subdomains is easy. For instance, to create a subdomain {{{a.me.com}}} of domain {{{me.com}}} that you control in domtool, create the directory {{{/etc/domains/com/me/a}}}. You can then configure your subdomain like any other domain, by editing files in its directory and running {{{domtool}}}.\r
+\r
+Copying all the files in your domain directory into a subdomain directory is a bad idea. At least delete your {{{.users}}}, {{{.groups}}}, and {{{.paths}}} files if you do so, since domtool will generate error messages for everyone as long as you have any files with those names that are owned by your UNIX user.\r
+\r
+= Slave servers =\r
+It's also true that your Secondary servers need to agree with us on which host names go where. One way to accomplish this is to use whatever ad-hoc mechanisms you like on these secondary servers. Another way is to use the "slave server" mechanisms built into domtool.\r
+\r
+Domain directories can have root-maintained {{{.slaves}}} files that specify allowable slave servers for those domains and their subdomains, in the style of {{{.paths}}}. These files map short server names into strings that are suitable parameters to rsync, specifying where to drop off updates to DNS data.\r
+\r
+As an example, we can look at this system-wide slave server, declared in {{{/etc/domains/.slaves}}}:\r
+\r
+{{{abu newdns@63.246.10.45:data/;newdns@63.246.10.45:/service/autoaxfr/root/slaves/}}}\r
+\r
+This is the slave server that you're most likely to use, if you don't want to worry about figuring out your own DNS infrastructure. You can use it to replicate your DNS mappings on our secondary DNS server, Abulafia. This slave is named {{{abu}}}, and data meant for it should be put in the {{{data}}} subdirectory of user {{{newdns}}}'s home directory on the server at IP address 63.246.10.45. There is an additional rsync path, separated from the first by a semicolon, that specifies the path for "sub-slaves," which are cases where this domain's data is queried from a remote host via {{{Master,}}} but you still want to instruct further servers to serve that same data.\r
+\r
+You can use this slave in your own {{{.dns}}} files by beginning them with the line:\r
+\r
+{{{Slave abu}}}\r
+\r
+Data lines are only shared with slaves declared ''before'' those data lines. This means that you could do something like dividing your DNS data into layers, where some slaves only receive data up to a specific layer. However, it's not clear why you'd want to do that, and domtool mostly supports this "feature" because it made implementation easier. :)\r
+\r
+For our example to work out, we had to set up the password-less ssh login described in SshConfiguration between {{{root}}} on our server and {{{newdns}}} on Abulafia. Abulafia's DNS build process takes into account the data files that our main server hands to it. If you want to hand data to your own slave servers, you will need to do similar work to make your servers put the data to good use.\r
+\r
+Currently, we only support slaves based on [http://http://cr.yp.to/djbdns.html djbdns], as that is the data format we send to remote slaves. If there is demand, we may add support for more conventional BIND transfers.\r
+\r
+You can implement "sub-slaves" by following a sequence of {{{Slave}}} directives with a sequence of {{{Master}}} directives. In this case, {{{fyodor}}} and all slaves that you specify will get their data for your domain from the masters that you specify.\r
--- /dev/null
+This is the master page for information on HCoop's distributed system configuration tool.\r
+\r
+= For everyone... =\r
+\r
+ * DomTool/UserGuide: An introduction to configuring shared daemons at HCoop\r
+ * ["DomTool/Examples"]: A smorgasbord of example configuration snippets\r
+ * DomTool/LanguageReference: A complete description of the programming language used for configuration files\r
+ * [http://deleuze.hcoop.net/domtool/ Standard library reference], including all of the primitive actions for configuring shared daemons\r
+\r
+= For admins (and the curious)... =\r
+\r
+ * DomTool/AdminProcedures: The daily care and feeding of DomTool\r
+ * DomTool/ArchitectureOverview: How does this beast work, anyway?\r
+ * ["DomTool/Plugins"]: Descriptions of the different plugins responsible for configuring various daemons, including how they publish their configuration for those daemons to use\r
+ * DomTool/AdditionalClients: Several other command-line tools mentioned elsewhere on this wiki are really DomTool clients. This page collects notes on their implementations.\r
+ * DomTool/SslProcedures: How to set up the various certificates used by the domtool clients and servers\r
+ * ["DomTool/Building"]: Obtaining and building the DomTool source\r
+ * ["DomTool/Implementation"]: Details on the implementation of the DomTool tools\r
+ * ["DomTool/Debugging"]: Some tricks to do manually what DomTool usually does automatically\r
+\r
+= Old pages =\r
+\r
+ * DomainTool describes the previous version of domtool.\r
+ * DomtoolTwo is the preview added by AdamChlipala before we began migrating to our new servers.\r
--- /dev/null
+This page documents command-line tools besides the `domtool*` family that act as DomTool clients. It's aimed at admins. Most members will probably find the most useful documentation on these tools in other places scattered throughout this wiki.\r
+\r
+[[TableOfContents()]]\r
+\r
+= dbtool =\r
+\r
+`dbtool` handles DBMS user and database creation. See the DomTool `Dbms` module for the hooks used to add handling for a new database server.\r
+\r
+''More detail should follow as we figure out how we'll be storing databases.''\r
+\r
+= vmail =\r
+\r
+`vmail` manages mappings from virtual mailbox e-mail addresses to the locations of their Maildir mailboxes and their IMAP/POP passwords. Data goes into `/etc/courier/userdb`, which must be owned by the `domtool` user for `vmail` to work properly. `/etc/courier/exim` (text version of mapping database) and `/etc/courier/exim.dat` (compiled DBM version) are root-owned, and DomTool uses `domtool-publish` with `sudo` to manipulate them.\r
+\r
+= setsa =\r
+\r
+`setsa` sets SpamAssassin analysis preferences for different e-mail addresses. The set of addresses to filter is those who have files named after them in `/etc/spamassassin/addrs`, which should be owned by `domtool`.\r
+\r
+= smtplog =\r
+\r
+`smtplog` (previously called `rlog`) returns lines from the current SMTP log (in `/var/log/exim4/mainlog`) that contain a domain name. `sudo domtool-publish` is used to read this root-only file with `grep`.\r
+\r
+= mysql-fixperms =\r
+\r
+Runs `/usr/bin/sudo -H /afs/hcoop.net/common/etc/scripts/mysql-grant-table-drop` to grant users drop permissions on their MySQL tables.\r
--- /dev/null
+This page is only of direct interest to HCoop admins; that is, people with root privileges on our servers. Most members should probably start at DomTool/UserGuide.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Conventions for this document =\r
+\r
+We'll use:\r
+ * `$USER` to stand for the UNIX username that should be clear from context\r
+ * `$USERPATH` to stand for the first letter of the username, a slash, the next two letters of the username, a slash, and the username, concatenated. For example, a `$USER` of "adamc" would have `$USERPATH` be "a/ad/adamc".\r
+ * `$DOMTOOL` to stand for `/afs/hcoop.net/common/etc/domtool`, the root of global DomTool data\r
+\r
+= Adding users =\r
+\r
+When a new UNIX user is added who should have DomTool access, run:{{{\r
+domtool-adduser $USER}}}\r
+\r
+This does a few things:\r
+ 1. Creates a `$DOMTOOL/keys/$USER` directory if it doesn't already exist, setting its ownership to `domtool.domtool` and granting `$USER` read permissions on it. The AFS permissions inherited from `$DOMTOOL/keys` already prevent other users from peeking at keys stored in this directory.\r
+ 1. Use `openssl req` to generate (to file `$DOMTOOL/keys/$USER/key.pem`) a new RSA key for purposes of `$USER`'s interactions with DomTool. The only fields given values on this key are:\r
+ * Common name: Set to `$USER`\r
+ * E-mail address: Set to `$USER@hcoop.net`\r
+ 1. Use `openssl ca` to sign the key with the DomTool certificate authority. The result is a certificate file in `$DOMTOOL/certs/$USER.pem`, owned by `domtool.domtool`.\r
+ 1. Grant some standard DomTool permissions to the user:\r
+ * `user $USER`\r
+ * `group $USER`\r
+ * `path /afs/hcoop.net/user/$USERPATH`\r
+\r
+All of these actions should be idempotent. That is, running `domtool-adduser` repeatedly with the same argument should work just fine. The only consequence that might bother perfectionists is that our certificate authority will issue a new certificate each time with a new serial number, incrementing the saved serial number count. It should also be safe to re-run `domtool-adduser` after a previous invocation failed halfway through.\r
+\r
+Sometimes you only want to run the SSL-related commands or the DomTool permission-related commands. For those cases, run `domtool-addcert $USER` or `domtool-addacl $USER`.\r
+\r
+= Removing users =\r
+\r
+When someone leaves HCoop and you want to squelch all of his domains and DomTool privileges, run:{{{\r
+domtool-rmuser $USER}}}\r
+\r
+This does a few things:\r
+ 1. Delete `$DOMTOOL/keys/$USER`.\r
+ 1. Delete `$DOMTOOL/certs/$USER.pem`.\r
+ 1. Run `domtool-admin rmuser $USER`, which:\r
+ 1. Removes all DomTool privileges for `$USER`.\r
+ 1. Deletes all domains to which only `$USER` has the `domain` permission. This includes removing all configuration related to those domains in real daemons.\r
+\r
+= Querying permissions =\r
+\r
+== Listing a user's permissions ==\r
+\r
+To list all permission that `$USER` has, run:{{{\r
+domtool-admin perms $USER}}}\r
+\r
+== Finding out who has a permission ==\r
+\r
+To list all the users that have permission `$CLASS`/`$VALUE`, run:{{{\r
+domtool-admin whohas $CLASS $VALUE}}}\r
+\r
+For instance, to see which users are allowed to configure hcoop.net, run:{{{\r
+domtool-admin whohas domain hcoop.net}}}\r
+\r
+= Changing permissions =\r
+\r
+== Granting a permission ==\r
+\r
+To give `$USER` permission `$CLASS`/`$VALUE`, run:{{{\r
+domtool-admin grant $USER $CLASS $VALUE}}}\r
+\r
+Such as:\r
+{{{\r
+domtool-admin grant docelic domain spinlocksolutions.com\r
+domtool-admin grant docelic cert /etc/apache2/ssl/apache.pem\r
+}}}\r
+\r
+== Revoking a permission ==\r
+\r
+To revoke permission `$CLASS`/`$VALUE` from `$USER` , run:{{{\r
+domtool-admin revoke $USER $CLASS $VALUE}}}\r
+\r
+= Updating domtool =\r
+\r
+== Reinstalling domtool ==\r
+\r
+In the case that you make changes to domtool and want to reinstall it, see ["DomTool/Building"], the ''Reinstalling the standalone tools'' section, for instructions.\r
+\r
+== Validating after a major change ==\r
+\r
+If something changes in the Domtool standard library, users' configuration might stop working. If you just run `domtool-admin regen` in such a case, those users' domains will go down, which will probably make them sad. Instead, run this first:{{{\r
+domtool-admin regen -tc}}}\r
+\r
+This just verifies that all configuration type-checks. You can go through and fix the errors, which show up in `/var/log/domtool.log` on deleuze, one at a time, and only run `domtool-admin regen` (as in the following section) after everything type-checks.\r
+\r
+== Regenerating files ==\r
+\r
+To effectively erase all published configuration and regenerate it all by running all files found in `.domtool` subdirectories of users' AFS volumes, run:{{{\r
+domtool-admin regen}}}\r
+\r
+You might want to do this if there has been some nasty kind of data corruption, or if a security vulnerability has been discovered in DomTool and you want to drop all old, unsafe configuration directives that the buggy DomTool had been letting through.\r
+\r
+= Managing domains =\r
+\r
+== Adding a domain ==\r
+\r
+To grant a user `$USER` some domain `$DOMAIN`, run:{{{\r
+domtool-admin grant $USER domain $DOMAIN}}}\r
+\r
+== Removing a domain ==\r
+\r
+To remove all configuration associated with a domain `$DOMAIN`, run:{{{\r
+domtool-admin rmdom $DOMAIN}}}\r
+\r
+This clears out DomTool configuration related to `$DOMAIN` and removes any reference to it from the actual configuration files used by real daemons. However, users' permissions to configure the domain are left untouched. You can remove those separately with `domtool-admin revoke`.\r
+\r
+== Managing admin-run domains ==\r
+\r
+Every domain is thought of as owned by a user. By convention:\r
+ * User `domtool` owns `localhost`, so you should edit `~domtool/domtool/localhost` for such purposes as adding local e-mail aliases.\r
+ * User `hcoop` owns `hcoop.net` and sub-domains, so you should edit `~hcoop/domtool/deleuze.hcoop.net`, `~hcoop/domtool/hcoop.net`, etc., as appropriate. (`hcoop` also owns the portal, the wiki, and other "informational" services that are relatively low security.)\r
+\r
+= Debugging other users' configuration files =\r
+\r
+The relevant typing rules for configuration files vary based on which user is processing files. For instance, the values of `your_domain` depend on which permissions the user has been granted. You can always use `domtool-admin regen` to reload all config, executed as the appropriate users. However, reprocessing everything has a significant cost, so you might want to run single files as particular users. To do this, use this pattern:{{{\r
+DOMTOOL_USER=$SOMEONE domtool $FILENAME}}}\r
+\r
+You can also use other ways of setting the UNIX environment variable `DOMTOOL_USER`. Note that an invocation with `DOMTOOL_USER` set depends on the ability to read that user's private key from AFS, so you will need AFS admin permissions to do this in general.\r
--- /dev/null
+This page describes the client/server distributed configuration architecture of DomTool. For (largely orthogonal) information on the programming language used for configuration, see DomTool/LanguageReference.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Conventions for this document =\r
+\r
+We'll use these conventions:\r
+ * `$DOMTOOL` refers to `/afs/hcoop.net/common/etc/domtool`, the root of global DomTool data\r
+\r
+= Users and authentication =\r
+\r
+The principals that figure into DomTool authentication are either AFS/Kerberos users (like `adamc`) or HCoop machine hostnames (like `mire`). When one of these entities connects to another with some request to make, it authenticates using SSL.\r
+\r
+To faciliate this, we have our own SSL certificate authority (CA) living in `/etc/domtool` on `deleuze.hcoop.net`. We use this CA to sign keys belonging to DomTool-related principals. The DomTool tools only recognize this certificate authority, so, e.g., Veri``Sign can't grant any DomTool privileges.\r
+\r
+Each principal has its CA-signed certificate stored in `$DOMTOOL/certs/$NAME.pem`, where `$NAME` is the UNIX username of a user or the one-word hostname of a server. Any user is allowed to read these certificates, which are the public key halves of public key cryptography.\r
+\r
+The private keys are stored in `$DOMTOOL/keys/$NAME/key.pem`. AFS permissions are set such that, besides admins, only the user in question has the ability to read the key data. In contrast to certificates, keys have their own directories because AFS only allows directory-level permissions.\r
+\r
+'''Meta note''': This clearly isn't the most direct way to do authentication. I chose to do things this way initially because of that wise security mantra to implement as little as possible of your own cryptography infrastructure. By basing our authentication on that implemented in well-tested OpenAFS code, along with some help from the OpenSSL library, we avoid opportunities to introduce new bugs. But the result definitely isn't so aesthetically pleasing. --AdamChlipala\r
+\r
+= Access control lists =\r
+\r
+As in the cases of so many fancy systems, DomTool has its own notion of access control lists relevant to the resources it controls. The ACL data is serialized to `$DOMTOOL/acl`, though it is usually accessed via in-memory data structures in the different `DomTool` tools, after they read initial values from that file.\r
+\r
+There's nothing novel or surprising about ACLs in DomTool. The ACL list is essentially a set of '''user'''/'''class'''/'''value''' triples. Users are DomTool principals as discussed in the last section. ''Classes'' include things like domain configuration rights, rights to run programs as particular UNIX users, rights to use particular filesystem paths, etc.. ''Values'' are class-specific capabilities, like the name of a domain that the user may configure.\r
+\r
+== Standard ACL classes ==\r
+\r
+ * `user`: As which UNIX users may this principal run programs?\r
+ * `group`: With which UNIX groups may this principal run programs?\r
+ * `path`: Which filesystem directories is this principal allowed to reference in his configuration? Subdirectories of these are also allowed.\r
+ * `domain`: Which Internet domain names may this principal configure?\r
+ * `priv`: What kinds of admin actions may this principal perform? Useful values include:\r
+ * `all`: Let the principal do whatever he asks. This privilege is required for administration of the ACL database itself.\r
+ * `dns`: The principal may configure DNS settings on servers whose DNS daemons are off-limits to normal members.\r
+ * `mail`: The principal may configure mail settings on servers whose mail daemons are off-limits to normal members.\r
+ * `www`: The principal may configure web settings on servers whose web daemons are off-limits to normal members.\r
+ * `regen`: The principal may run `domtool-admin regen` to reload all domain configuration from scratch.\r
+\r
+= Client/server model =\r
+\r
+Here's the anatomy of the handling of a user's configuration request.\r
+\r
+ 1. A user writes his domain configuration in the form of source code in the DomTool language. (See DomTool/LanguageReference.) The file can have any name. Ideally it is stored at the top level of the `.domtool` subdirectory of the user's AFS volume, as otherwise the corresponding configuration will be dropped if an admin triggers a regeneration.\r
+ 1. The user runs `domtool $FILENAME`.\r
+ 1. `domtool` parses and type-checks `$FILENAME`. The DomTool language and its type system are designed to have the lovely property that type-checking implies proper adherence to access rights and general good citizenship. This means that users can check their configuration for acceptability locally, not taking up shared daemons' time until after validation.\r
+ 1. The user opens an SSL connection to our DomTool dispatcher on deleuze.hcoop.net, port 1234.\r
+ 1. The dispatcher authenticates the user by way of his SSL certificate, and the user does the same for the dispatcher. This relies on the fact that only the user has permissions to read his key file in AFS.\r
+ 1. The user sends the text of his configuration program to the dispatcher.\r
+ 1. The dispatcher again parses and type-checks the program. If any errors arise, the dispatcher informs the user of this and terminates the session.\r
+ 1. Otherwise, the dispatcher runs the program.\r
+ 1. A DomTool program is a purely functional expression that evaluates into a description of actions to be taken. Running the program involves executing these actions, which generally add new files to a temporary directory tree (which we'll call `$TMP` here) representing configuration. The roots of `$TMP` are HCoop server names like `deleuze` and `mire`. Each server's subdirectory contains configuration specific to its daemons. Each subdirectory has a tree structure mirroring the structure of Internet domain names. For instance, `$TMP/mire/net/hcoop` stores configuration related to `hcoop.net` on mire's daemons. '''Only domains that have been configured during this session''' will be present in any of these trees. This is part of a critical optimization to avoid reprocessing all configuration on every change.\r
+ 1. Once the configuration program has been run, it's time to propagate the changes into the real world. The first step of doing this is to copy the modified domains from `$TMP` into the permanent configuration tree, located at `$DOMTOOL/nodes`. Not only are new/changed configuration files propagated, but old configuration files not present in `$TMP` are deleted from `$DOMTOOL/nodes`. Crucially for performance, parts of `$DOMTOOL/nodes` for domains not configured during this session are not examined or changed.\r
+ 1. Now all the relevant configuration is in AFS and accessible to all HCoop servers. What remains is to publish it into the real daemons. The different DomTool plugins register handlers for different filenames that might be found in `$DOMTOOL/nodes`. For instance, the Apache plugin asks to be notified of changes to files ending in `.vhost`. This handler copies these files to `/var/domtool/vhosts`. The Apache plugin also registers a post-handler to copy all files from `/var/domtool/vhosts` to `/etc/apache/vhosts` and reload Apache configuration after any `.vhost` file has changed.\r
+ 1. For all files in `$DOMTOOL/nodes/deleuze` whose status changed on this invocation, the dispatcher itself runs the matching handlers.\r
+ 1. For configuration in `$DOMTOOL/nodes/$NODE` for other values of `$NODE`, the dispatcher opens an SSL connection to a slave daemon on `$NODE` on port 1235.\r
+ 1. Two-way SSL authentication proceeds in the same way as for user-dispatcher connections.\r
+ 1. The slave server runs the appropriate file handlers locally.\r
+ 1. Weather permitting, the dispatcher informs the user that the configuration has succeeded, and the session ends.\r
--- /dev/null
+[[TableOfContents()]]\r
+\r
+= Prerequisites =\r
+\r
+== Compilers ==\r
+\r
+To compile the standalone DomTool tools, you will need the [http://mlton.org/ MLton] [http://www.standardml.org/ Standard ML] compiler. It's available as Debian package "mlton". The version in Debian testing works fine, but the stable version is too old, so grab the Debian stable version of the latest release from [http://mlton.org/Download the MLton download page].\r
+\r
+To use DomTool from an interactive SML REPL session, you will need a recent version of [http://www.smlnj.org/ Standard ML of New Jersey]. The SML/NJ packages in non-experimental Debian are so old that I don't bother using them, opting to install SML/NJ manually following the directions on the SML/NJ web site. Chances are you can get by just fine without support for interactive REPL use and can skip installing SML/NJ if you don't want it for some other purpose.\r
+\r
+Why am I referencing two different compilers here? Well, developing with SML/NJ and building release binaries with MLton is standard practice in the SML world. SML/NJ supports separate compilation and interactive use, which are very helpful during development. MLton is a whole-program optimizing compiler that produces extremely efficient binaries, at the cost of much greater compile-time time and memory usage than SML/NJ.\r
+\r
+== Libraries ==\r
+\r
+You will need the OpenSSL C library with development files, available in Debian package "libssl-dev".\r
+\r
+== Utilities ==\r
+\r
+If you plan to run a server (dispatcher or slave), you'll need rsync, which is available in Debian package "rsync".\r
+\r
+= Getting the source code =\r
+\r
+You can obtain the approximately-latest version of the DomTool source code from [http://sourceforge.net/cvs/?group_id=99567 SourceForge anonymous CVS]. The module name is `domtool2`. I write "approximately" because it can take about a day for the latest changes to propagate from developer CVS to anonymous CVS. I'll duplicate the directions from that Source``Forge help page and tell you that you can check out this module by running:\r
+{{{cvs -d:pserver:anonymous@hcoop.cvs.sourceforge.net:/cvsroot/hcoop login\r
+cvs -z3 -d:pserver:anonymous@hcoop.cvs.sourceforge.net:/cvsroot/hcoop co -P domtool2}}}\r
+\r
+Just press enter when prompted for a password.\r
+\r
+If you have been granted write permission to the repository and plan to commit code changes, then you'll want to check the repo out from developer CVS, like so:\r
+{{{export CVS_RSH=ssh \r
+cvs -z3 -d:ext:developername@hcoop.cvs.sourceforge.net:/cvsroot/hcoop co -P domtool2}}}\r
+\r
+= Building the standalone tools =\r
+\r
+First, in the `domtool2` directory that you have checked out, create a file `config.sml` containing:\r
+{{{structure Config :> CONFIG = struct\r
+ open ConfigDefault\r
+end}}}\r
+\r
+Heck, you could even go ahead and set some non-standard configuration values! If you leave it as is, you inherit the defaults, which should be appropriate for HCoop servers.\r
+\r
+Even if you set configuration parameters until you're blue in the face, this stuff probably won't work very well in environments that don't look much like Linux. Perhaps some day greater portability will become enough of a priority for us to fix that.\r
+\r
+Once you have that done, the rest is easy! Just run{{{\r
+make}}}\r
+\r
+This will populate `domtool2/bin/` with the compiled DomTool programs. As root, run{{{\r
+make install}}}\r
+\r
+to copy these programs and some additional scripts to appropriate standard locations. Consult the Makefile if you'd like to see what those locations are ahead of time.\r
+\r
+== Reinstalling the standalone tools ==\r
+\r
+If you want to reinstall domtool on machines that are running it already, then it is best to use a slightly modified set of instructions.\r
+\r
+First, create a {{{config.sml}}} file as directed above, and run {{{make}}}.\r
+\r
+If the current machine is a slave, then run {{{\r
+make install_slave}}}\r
+\r
+If the current machine is a server, then run {{{\r
+make install_server}}}\r
+\r
+= Building for SML/NJ =\r
+\r
+After following the same procedure as above for `config.sml`, run{{{\r
+make smlnj}}}\r
+\r
+followed by{{{\r
+make install}}}\r
+\r
+as root. Now you should be able to run `sml` in the base `domtool2` directory and run `CM.make "src/domtool.cm";`. If you don't see any error messages, then the DomTool modules are loaded and you can start poking them. For instance, running `open Main;` should print information on the primary entry-points.\r
--- /dev/null
+= AFS authentication =\r
+\r
+To "become" the domtool user on deleuze, run:{{{\r
+sudo -u domtool -s\r
+k5start -U -f /etc/keytabs/domtool.deleuze\r
+aklog\r
+}}}\r
--- /dev/null
+Here are some example configuration files for DomTool, our distributed configuration management system.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Domains =\r
+\r
+== The Model T ==\r
+\r
+If you just want to declare your domain with a `www.yourdomain` virtual host serving out of `~/public_html/` and all mail forwarded to your mailbox, use:\r
+{{{dom "yourdomain" with\r
+end;}}}\r
+\r
+== Upgraded Model T ==\r
+\r
+If you like everything `dom` gives you but want to add additional configuration, include it between `with`..`end`. For instance, to add an extra web virtual host `other`:\r
+{{{dom "yourdomain" with\r
+ web "other" with\r
+ (* More configuration could go here *)\r
+ end;\r
+end;}}}\r
+\r
+== Attack of the Model T Clones ==\r
+\r
+We can take the Model T and use it with some alternate names for the domain we're configuring.\r
+{{{dom "yourdomain" where\r
+ Aliases = ["yourotherdomain", "yourotherotherdomain"]\r
+with\r
+end;}}}\r
+A single Apache virtual host is created, answering to multiple names. Other configuration is duplicated like you had entered it in a separate `dom` block for each alias.\r
+\r
+== The Do-It-Yourself ==\r
+\r
+The lowest-level way of configuring a domain is the `domain` directive, which does nothing but set up basic DNS parameters and provide a space for including further directives:\r
+{{{domain "yourdomain" with\r
+ (* Your directives here *)\r
+end;}}}\r
+\r
+= DNS =\r
+\r
+Here's a tour through the available DNS features.\r
+\r
+{{{domain "yourdomain" with\r
+ nameserver "ns1.hcoop.net";\r
+ nameserver "ns3.hcoop.net";\r
+ (* Specify two DNS servers that are authoritative for yourdomain *)\r
+\r
+ dnsIP "host" "1.2.3.4";\r
+ (* Add a mapping from host.yourdomain to IP address 1.2.3.4 *)\r
+\r
+ dnsMail 23 "mail.yourdomain";\r
+ (* Register mail.yourdomain as an SMTP handler for yourdomain, with priority 23 *)\r
+\r
+ dnsAlias "hcoop" "hcoop.net";\r
+ (* Add an alias such that hcoop.yourdomain resolves to the same thing as hcoop.net *)\r
+\r
+ dnsIP "dynamic" "5.6.7.8" where\r
+ TTL = 100\r
+ end;\r
+ (* Add an IP mapping with an abnormally low time-to-live of 100 *)\r
+end;}}}\r
+\r
+== Keeping DNS elsewhere ==\r
+\r
+This example shows how to configure mail handling for a domain that is primarily hosted off of HCoop:\r
+\r
+{{{domain "yourdomain" where\r
+ DNS = noDns\r
+with\r
+ handleMail;\r
+end;}}}\r
+\r
+= Mail =\r
+\r
+{{{domain "yourdomain" with\r
+ handleMail;\r
+ (* HCoop should provide relaying for yourdomain *)\r
+\r
+ emailAlias "user1" "user1@gmail.com";\r
+ (* Forward mail from user1@yourdomain to user1@gmail.com *)\r
+\r
+ emailAlias "user2" "me";\r
+ (* Forward mail from user2@yourdomain to HCoop user me *)\r
+\r
+ aliasMulti "pals" ["pal1@yahoo.com", "pal2@prodigy.com", "pal3"];\r
+ (* Forward mail from pals@yorudomain to pal1@yahoo.com, pal2@prodigy.com, and HCoop user pal3 *)\r
+\r
+ aliasDrop "spamtrap";\r
+ (* Silently drop all mail to spamtrap@yourdomain *)\r
+\r
+ defaultAlias "me";\r
+ (* Send all yourdomain mail that doesn't match some local user or other special rule to user me *)\r
+\r
+ catchAllAlias "me";\r
+ (* Send all yourdomain mail, period, to user me *)\r
+end;}}}\r
+\r
+= Apache =\r
+\r
+== The Model T ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ (* This is a web host found at www.yourdomain. *)\r
+ end;\r
+end;}}}\r
+\r
+Note that the `web` directive also adds the right DNS mapping for your virtual host.\r
+\r
+== The Do-It-Yourself ==\r
+\r
+{{{domain "yourdomain" with\r
+ vhost "www" with\r
+ end;\r
+end;}}}\r
+\r
+This one doesn't add any DNS mappings.\r
+\r
+== Using a nonstandard web server ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" where\r
+ WebNodes = ["fyodor"]\r
+ with\r
+ end;\r
+end;}}}\r
+\r
+== Bucking all the trends ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" where\r
+ DocumentRoot = home "private_html";\r
+ User = "me_web";\r
+ Group = "me_web";\r
+ SSL = use_cert "/home/me/mycert.pem"\r
+ with\r
+ end;\r
+end;}}}\r
+\r
+`home "private_html"` builds the full path to subdirectory `private_html` of your home directory.\r
+\r
+== Basic URL handling ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ alias "/doc" "/usr/local/doc";\r
+ (* Serve all URIs beginning in /doc out of directory /usr/local/doc *)\r
+\r
+ scriptAlias "/my-script" "/var/cgi/a-program";\r
+ (* Handle requests for /my-script by calling the CGI program /var/cgi/a-program.\r
+ The example here uses a file, but scriptAlias directive can also alias CGI\r
+ directories, as you'd expect: scriptAlias "/location/" "/directory/" *)\r
+\r
+ errorDocument "404" "not_found.html";\r
+ (* Handle HTTP error code 404 by sending file not_found.html *)\r
+ end;\r
+end;}}}\r
+\r
+== Location-specific configuration ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ location "/private" with\r
+ errorDocument "404" "not_found_private.html";\r
+ end;\r
+ (* When in the /private tree of URI-space, handle 404s with not_found_private.html *)\r
+\r
+ directory "/usr/local/doc" with\r
+ errorDocument "404" "not_found_doc.html";\r
+ end;\r
+ (* When looking for a file in real directory /usr/local/doc, handle 404s with not_found_doc.html *)\r
+ end;\r
+end;}}}\r
+\r
+== Server aliases ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ serverAliasHost "www2.yourdomain";\r
+ serverAliasHost "www.otherdomain";\r
+ (* www2.yourdomain and www.otherdomain are alternate names for this vhost *)\r
+\r
+ serverAlias "www3";\r
+ (* Short form for an alternate name within the current domain *)\r
+\r
+ serverAliasDefault;\r
+ (* Make this virtual host answer to yourdomain, with no extra hostname needed in front. *)\r
+ end;\r
+end;}}}\r
+\r
+Note that you must have domtool configuration rights to all domains you name with `serverAlias`.\r
+\r
+== Directory options ==\r
+\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ options [execCGI, indexes];\r
+ (* Use exactly the Apache options execCGI and indexes by default for this vhost *)\r
+\r
+ set_options [includesNOEXEC];\r
+ (* Add the option includesNOEXEC, leaving the others alone *)\r
+\r
+ unset_options [indexes];\r
+ (* Change our mind about including indexes *)\r
+\r
+ directoryIndex ["index.html", "index.php", "index.txt"];\r
+ (* When looking for the default file to serve for a directory, consider these possibilities in order *)\r
+\r
+ action "image/gif" "/cgi-bin/images.cgi";\r
+ (* Run /cgi-bin/images.cgi to serve images *)\r
+\r
+ addDefaultCharset "utf-8";\r
+ (* Use the UTF-8 character set by default *)\r
+\r
+ location "/prefix" with\r
+ forceType "text/plain";\r
+ (* Serve all files in this location as plain text *)\r
+\r
+ forceTypeOff;\r
+ (* Change our mind about that! *)\r
+\r
+ (* All the other directives mentioned above can be used in locations, too, but forceType* _must_ be in a location. *)\r
+ end;\r
+ end;\r
+end;}}}\r
+\r
+== Access control ==\r
+\r
+{{{domain "yourdomain" with\r
+ vhost "www" with\r
+ location "/loc1" with\r
+ authType basic;\r
+ (* Use HTTP basic authentication in this location *)\r
+\r
+ authName "my domain";\r
+ (* Tell users that they're authenticating for "my domain" *)\r
+\r
+ authUserFile "/etc/webusers";\r
+ (* Look up user/password information in /etc/webusers *)\r
+\r
+ orderAllowDeny;\r
+ (* Access is denied by default *)\r
+\r
+ requireValidUser;\r
+ (* Anyone providing a valid password is allowed *)\r
+\r
+ denyFrom "badguys.evil.net";\r
+ (* However, anyone coming from this domain is banned *)\r
+\r
+ denyFrom "1.2";\r
+ (* Also ban anyone with a 1.2.*.* IP address *)\r
+ end;\r
+\r
+ location "/loc2";\r
+ authType basic;\r
+ authName "my other domain";\r
+ authUserFile "/etc/otherone";\r
+\r
+ denyFromAll;\r
+ (* Deny everyone by default *)\r
+\r
+ requireUser ["fred", "barney"];\r
+ (* Allow fred and barney in *)\r
+\r
+ requireGroup ["prehistoric"];\r
+ (* Also require membership in the prehistoric group *)\r
+ end;\r
+ end;\r
+end}}}\r
+\r
+== Fancy directory index generation ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ addDescription "The planet Mars" "/web/pics/mars.gif";\r
+ (* Describe /web/pics/mars.gif as "The planet Mars" on index pages *)\r
+\r
+ indexOptions [fancyIndexing, htmlTable, iconHeight 10, iconWidth 10];\r
+ (* Set some index-generation options *)\r
+\r
+ headerName "header.html";\r
+ (* Include header.html at the start of a directory listing *)\r
+\r
+ footerName "footer.html";\r
+ (* Include footer.html at the end of a directory listing *)\r
+ end;\r
+end;}}}\r
+\r
+== mod_rewrite ==\r
+\r
+{{{domain "yourdomain" with\r
+ web "www" with\r
+ rewriteRule "^(.+)\.php$" "$1.sml" [];\r
+ (* Rewrite all URLs ending in .php to end in .sml *)\r
+\r
+ rewriteRule "/gone.html" "http://somewhere.else/there.html" [redirectWith permanent];\r
+ (* Redirect /gone.html to http://somewhere.else/there.html, giving an HTTP code indicating a permanent relocation *)\r
+\r
+ rewriteLogLevel 1;\r
+ (* Turn on some more logging for rewrite debugging in /afs/hcoop.net/usr/$USER/apache/log/$NODE/www.yourdomain/rewrite.log *)\r
+ end;\r
+end;}}}\r
+\r
+== mod_proxy ==\r
+\r
+{{{domain "yourdomain" with\r
+ vhost "www" with\r
+ proxyPass "/mirror/foo/" "http://localhost:5555/";\r
+ (* Proxy path /mirror/foo/ to a local server with URL base http://localhost:5555/ *)\r
+\r
+ proxyPassReverse "/mirror/foo/" "http://localhost:5555/";\r
+ (* Adjust Location and other HTTP headers appropriately for the above proxying *)\r
+ end;\r
+end;}}}\r
+\r
+= Mailman =\r
+\r
+{{{domain "yourdomain" with\r
+ mailmanWebHost "lists.yourdomain";\r
+ (* The default server for web interfaces to this domain's mailing lists is lists.yourdomain *)\r
+end;}}}\r
+\r
+= Live Examples in HCoop AFS =\r
+\r
+ * /afs/hcoop.net/user/d/do/docelic/.domtool/spinlocksolutions.com\r
--- /dev/null
+This page describes the implementation of the DomTool language interpreter and other tools. Most members would probably be better served visiting DomTool/UserGuide.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Languages =\r
+\r
+DomTool is implemented mostly in [http://en.wikipedia.org/wiki/Standard_ML Standard ML] (SML), with teeny tiny bits of C and shell script. Standard ML is a [http://en.wikipedia.org/wiki/Statically_typed statically-typed] [http://en.wikipedia.org/wiki/Functional_programming_language functional programming language] with much to recommend it, including a [http://portal.acm.org/citation.cfm?id=549659 language standard] (with formal semantics), [http://mlton.org/ one of the best open source optimizing compilers ever for any language], and open development models and communities associated with the major implementations (out of about 10 total language implementations floating around today).\r
+\r
+But really, why choose a programming language that "nobody's ever heard of"? The answer is simple. With SML, you can program at a high level of abstraction without having to worry about performance penalties and other historical undesirables.\r
+\r
+In the following sections, I'll often refer to SML modules by name, instead of giving source file paths. A module named `Name` will be defined in either `domtool2/name.sml` or `domtool2/plugins/name.sml`, depending on whether it's part of core DomTool or of a plugin. You'll also find signature `NAME` defined in `domtool2/name.sig` or `domtool2/plugins/name.sig`. I readily point the reader to the source code itself, and the signature files in particular, as the best sources of detailed documentation on the implementation. Readers coming from backgrounds outside of statically-typed functional programming may be pleasantly surprised at how well ML code documents itself!\r
+\r
+Information about obtaining and building the DomTool tools is found on ["DomTool/Building"].\r
+\r
+= Build process =\r
+\r
+MLton and SML/NJ take different inputs to drive their build processes. The main Makefile is responsible for building `src/domtool.cm` (the input to SML/NJ) and `src/domtool-*.mlb` (the tool-specific inputs to MLton) from `src/sources` and some other compiler-specific files. When adding a new source file to the system, include it in `src/sources`, not any of the generated files, and take care to insert it in dependency order relative to the sources already in the file.\r
+\r
+A C library `openssl_sml.so` is built to provide a cleaner (but spartan) interface to the OpenSSL library. The Makefile uses the [http://ttic.uchicago.edu/~blume/papers/nlffi.pdf NLFFI] tools shipped with MLton and SML/NJ to build compiler-specific SML interfaces to this library, and then compiler-agnostic code takes over and defines the visible `OpenSSL` structure based on the common interface supported by all NLFFI tools. Code specific to compiler `$COMPILER` lives in `domtool2/openssl/$COMPILER`.\r
+\r
+= Configuration =\r
+\r
+As is more and more the fashion lately, DomTool supports many tweakable configuration variables, and the particular settings of those variables are conveyed via program source code. In particular, the various pieces of the DomTool implementation look for configuration in different members of a `Config` module in an SML source file `config.sml` in the `domtool2` base directory. When building the standalone tools with MLton, these configuration settings will be inlined into the places where they're used in the resulting binary, possibly triggering opportunities for further optimization. Isn't compilation technology wonderful?\r
+\r
+Any particular installation of DomTool is unlikely to want to set custom values for all or even most of the available variables. Thus, the implementation takes modest advantage of SML's module system to allow inheritance of default settings via the `open` declaration, while maintaining the possibility for piecemeal setting of custom values.\r
+\r
+DomTool involves a number of distinct plugins and sources of functionality, all of which have some configuration parameters. The implementation uses Makefile-driven concatenation of files following a certain convention to build the overall default configuration module from files associated with the separate plugins. In particular, in `domtool2/configDefault`, you will find a set of `.cfg`, `.cfs`, and `.csg` files. All the `.cfs` files are concatenated together to form the definition of the signature `CONFIG`, while `.csg` files are concatenated together to form supporting definitions of sub-signatures. The `.cfg` files are concatenated together to form the definition of a structure `ConfigDefault` ascribing opaquely to `CONFIG`. Your custom configuration structure `Config` also ascribes to `CONFIG` and may `open` `ConfigDefault`.\r
+\r
+= The language interpreter =\r
+\r
+The process of reading, checking, and running a DomTool source file goes like this:\r
+\r
+ 1. The lexer breaks the textual input into tokens. It's embodied by the `DomtoolLexFn` functor, built by ml-lex from `domtool.lex`.\r
+ 1. The parser converts the stream of tokens into an abstract syntax tree (AST). It's embodied by the `DomtoolLrValsFn` functor, built by ml-yacc from `domtool.grm`. The `Parse` module ties together the lexer and parser.\r
+ 1. The `Tycheck` module type-checks the AST.\r
+ 1. The `Reduce` module applies familiar lambda calculus-style reduction rules to simplify the AST as much as possible.\r
+ 1. For input files that request configuration rather than just add definitions, the `Eval` module executes the resulting configuration value.\r
+\r
+Every piece of this pipeline is independent of the distributed configuration aspect of DomTool described on DomTool/ArchitectureOverview, though every stage after the parser provides hooks that can be used to conscript the language implementation for use in that and other applications.\r
+\r
+One important hook of this kind in `Tycheck` is in the form of its members `allowExterns` and `disallowExterns`. Call the appropriate one of these functions to set whether or not `extern type` and `extern val` declarations should be allowed in the source file to check.\r
+\r
+As DomTool/LanguageReference explains, all configuration takes place through the configuration monad, which has a lot in common with the [http://www.haskell.org/ Haskell] [http://www.nomaware.com/monads/html/iomonad.html IO monad]. Haskell newcomers often have trouble understanding how the IO monad enables the use of imperative code within a pure functional language. My favorite explanation for this is that values in the IO monad are runtime representations of programs in an embedded imperative language, which you hope will be run by some entity outside the scope of the Haskell language. In the DomTool implementation, this idea appears quite literally. The `Reduce` module handles the "pure functional" aspects of the language semantics, reducing input programs into first-order imperative programs, in the form of configuration values. `Eval` is the component that actually runs the resulting configuration, like the mythical top-level IO-meister in Haskell.\r
+\r
+= Plugin architecture =\r
+\r
+DomTool provides a number of ways to request callbacks when certain events occur or when certain add-on features are used. Plugins work by calling these hook functions, typically many times per plugin. By convention, a plugin is a module defined in `domtool2/src/plugins/` that registers some callbacks as a side-effect of its definition.\r
+\r
+The following subsections summarize the hooks that are available for DomTool plugins. There are other hooks that are only of interest when using the DomTool language implementation in a different application.\r
+\r
+== Extern functions ==\r
+\r
+Declared `extern val` functions can be implemented in two different ways. One hardly counts as implementation: you can leave them unimplemented and just treat them as purely syntactic entities, since some of the later callbacks that we'll cover are passed general DomTool ASTs as arguments. The second option is to register an extern function handler. `Env.registerFunction` is the hook for this.\r
+\r
+== Actions ==\r
+\r
+Actions are the connection between functional DomTool programs and "real-world" configuration. Call `Env.registerAction` to register the actual code that should be run when an action is encountered during `Eval`, giving the action's name and a function for transforming an environment variable mapping and a list of argument ASTs into a new environment variable mapping. These are DomTool, not UNIX, environment variables.\r
+\r
+There is a family of convenience functions `Env.action_none`, `Env.action_one`, etc., for registering actions taking argument lists of fixed length with known types. Values of type `Env.arg` are used to encapsulate methods for extracting native SML values from DomTool ASTs of known types.\r
+\r
+== Containers ==\r
+\r
+Containers are actions that take actions as additional arguments, like `domain` and `vhost`. Their handlers are registered very similarly to other actions, with the addition that containers have associated callbacks that are run after all nested configuration has been processed. When a container is encountered during `Eval`, its action handler is run, then all of its nested configuration is evaluated, and finally the container's "afterward" callback is run. There are functions `Env.container_none`, `Env.container_one`, etc., that correspond to the convenience functions for regular actions.\r
+\r
+== Extern types ==\r
+\r
+Types declared with `extern type` are treated as refinement types. That is, each should have an associated simple type to which an additional filtering predicate is applied. `Env.type_one` is the hook to register a new extern type by giving its name, an `Env.arg` for converting its values to native SML, and a boolean predicate for deciding which values of the base type are allowed in the new type. This predicate can be arbitrary SML code. It may rely on imperativity, but it should never be visibly inconsistent in its decisions within a single type-checking. For example, our use of the DomTool language for distributed configuration has extern type handlers that use imperativity to determine the current user, what domains he may configure, etc., but this information is set before type-checking begins and doesn't change until it's over.\r
+\r
+== Environment variable defaults ==\r
+\r
+Call `Defaults.registerDefault` to provide a default value for an environment variable that should be set before type-checking begins. You must provide the variable's name, its type, and a (possibly impure) function for generating its initial expression value.\r
+\r
+== Reset handlers ==\r
+\r
+When an admin runs `domtool-admin regen`, we need a way to revert to a pristine configuration where everything users have added is gone, before we build it all back up again from scratch. `Domain.registerResetGlobal` registers a function to perform this clean-up on global (i.e., AFS) configuration, while `Domain.registerResetLocal` registers a similar function to be run on each node before regeneration. For example, the Webalizer plugin uses `registerResetGlobal` to delete all Webalizer configuration files, and the Apache plugin uses `registerResetLocal` to clear the contents of `/var/domtool/vhosts`.\r
+\r
+== Before/after domains ==\r
+\r
+Call `Domain.registerBefore` and `Domain.registerAfter` to register callbacks to be called before and after a `domain` directive's nested configuration is run.\r
+\r
+== File change handlers ==\r
+\r
+Call `Slave.registerFileHandler` to register a callback to call whenever a file's status in `$DOMTOOL/nodes` changes. See DomTool/ArchitectureOverview for more information on when such callbacks would be triggered.\r
+\r
+== Pre/post-handlers ==\r
+\r
+Call `Slave.registerPreHandler` and `Slave.registerPostHandler` to register functions to be called before and after a DomTool configuration session, which might include arbitrarily many domains and source files.\r
--- /dev/null
+This page gives an in-depth specification of the DomTool language. Most members would probably prefer the more informal presentation in DomTool/UserGuide.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Source code =\r
+\r
+For a complete, precise, and accurate grammatical specification, see the lexer and parser specifications `src/domtool.lex` and `src/domtool.grm` in the DomTool source code. See `src/tycheck.sml` for the type-checker implementation. ["DomTool/Building"] has information on obtaining the source.\r
+\r
+= Token conventions =\r
+\r
+In the grammars that follow, we use these lexical token class names:\r
+\r
+|| '''Name''' || '''Description''' ||\r
+|| `Int` || Integer constant ||\r
+|| `String` || String constant (enclosed in double quotes) ||\r
+|| `Symbol` || Identifier starting with a lowercase letter ||\r
+|| `CSymbol` || Identifier starting with a capital letter ||\r
+\r
+= Predicates =\r
+\r
+DomTool uses '''predicates''' to describe in what contexts an action may occur. For instance, web-related actions should only occur inside the scope of a virtual host directive. Predicates are built up following the grammar in the table below, using the letter `P` as the non-terminal for predicates.\r
+\r
+Meanings are given as statements that must hold about the context where an action is found. The context is represented as a stack of '''context IDs''' which have been declared with `context` declarations.\r
+\r
+|| '''Syntax''' || '''Description''' || '''Meaning''' ||\r
+|| `Root` || Root || The stack is empty. ||\r
+|| `CSymbol` || Context ID || `CSymbol` is on the top of the stack. ||\r
+|| `^P` || Suffixes || Some (not necessarily strict) suffix of the stack matches `P`. ||\r
+|| `!P` || Not || The stack ''doesn't'' match `P`. ||\r
+|| `P1 & P2` || And || The stack matches both `P1` and `P2`. ||\r
+|| `(P)` || Grouping || Identical to `P` ||\r
+\r
+= Types =\r
+\r
+Types describe expressions. As is standard in statically-typed programming languages, they are used only for validation purposes and have no real effect on the "output" of a program. The following table gives the grammar of types `T`. The section on expressions will give the meanings of types in terms of which expressions have which types.\r
+\r
+|| '''Syntax''' || '''Description''' ||\r
+|| `Symbol` || Extern type ||\r
+|| `[T]` || List of `T`s ||\r
+|| `T1 -> T2` || Function from `T1` to `T2` ||\r
+|| `[P]` || Action allowed only when `P` is satisified; requires no environment variables on input and writes none of its own ||\r
+|| `[P] {CSymbol1 : T1, ..., CSymbolN : TN}` || Action that requires environment variables `CSymbol1`, ..., `CSymbolN` to have the given types when run ||\r
+|| `[P] {CSymbol1_1 : T1_1, ..., CSymbol1_N : T1_N} => {CSymbol2_1 : T2_1, ..., CSymbol2_M : T2_M}` || Like the last case, but the second set of typed environment variables describes what the action will write ||\r
+|| `P => T` || A nested action that requires that its nested configuration satisfy `P`; `T` should be some action type ||\r
+|| `(T)` || Grouping ||\r
+\r
+= Expressions =\r
+\r
+Here is the grammar of expressions `E`. As is standard in ML-family languages and Haskell, juxtaposition is used to represent function application, with application associating to the left.\r
+\r
+|| '''Syntax''' || '''Description''' || '''Typing''' ||\r
+|| `Int` || Integer constant || `G |- Int : int` ||\r
+|| `String` || String constant || `G |- String : string` ||\r
+|| `[E1, ..., EN]` || List || If `G |- Ei : T` for each `Ei`, then `G |- [E1, ..., EN] : [T]`. ||\r
+|| `Symbol` || Variable || `G1, Symbol : T, G2 |- Symbol : T`. ||\r
+|| `E1 E2` || Application || If `G |- E1 : T1 -> T2` and `G |- E2 : T1`, then `G |- E1 E2 : T2`. ||\r
+|| `\ Symbol -> E` || Abstraction (inferred domain type) || If `G, Symbol : T1 |- E : T2`, then `G |- \ Symbol -> E : T1 -> T2`. ||\r
+|| `\ Symbol : (T1) -> E` || Abstraction (explicit domain type) || If `G, Symbol : T1 |- E : T2`, then `G |- \ Symbol : (T1) -> E : T1 -> T2`. ||\r
+|| `CSymbol = E` || Environment variable set || See subsection on actions ||\r
+|| `Symbol <- CSymbol; E` || Environment variable get || See subsection on actions ||\r
+|| `E1; E2` || Sequencing || See subsection on actions ||\r
+|| `E1 where E2 end` || Local bindings || See subsection on actions ||\r
+|| `let E1 in E2 end` || Local bindings || See subsection on actions ||\r
+|| `E1 with E2 end` || Nested action || See subsection on actions ||\r
+|| `E1 with end` || Empty nested action || See subsection on actions ||\r
+|| `E1 where E2 with E3 end` || Nested action with local bindings || See subsection on actions ||\r
+|| `E1 where E2 with end` || Empty nested action with local bindings || See subsection on actions ||\r
+|| `\\ Symbol : P -> E` || Nested action abstraction || See subsection on actions ||\r
+|| `(E)` || Grouping || Same as `E` ||\r
+\r
+== Actions ==\r
+\r
+The DomTool language is [http://en.wikipedia.org/wiki/Purely_functional purely functional]. Like [http://haskell.org/ Haskell], it uses a monad to inject effectful operations into its pure core. For DomTool, this is the '''action monad'''. This monad merges two potentially separate features that tend to occur together.\r
+\r
+First, actions are used to run code that will affect the outside world and lead to changes in the configuration of real daemons. '''Primitive actions''' like `domain` and `vhost` are the building-blocks here. They are defined by plugins. The other action forms in the table above are there just to allow the proper composition and sequencing of applications of primitive actions, which do the real work. See ["DomTool/Implementation"] for how the code to run for a particular primitive action is registered with the implementation.\r
+\r
+Second, the action monad provides the functionality of '''environment variables'''. These are similar to UNIX environment variables, but DomTool maintains its own environment where each variable has a static type. The rationale for including environment variables in the language is that, while many actions are highly configurable, you usually only want to tweak a few of their options at a time. DomTool allows an ambient environment of default variable settings, and it provides language constructs for modifying certain variables both globally and locally.\r
+\r
+=== Effects of the action expressions on the environment ===\r
+\r
+|| '''Syntax''' || '''Effect''' ||\r
+|| `CSymbol = E` || Environment variable `CSymbol` is set to the value of `E`, with `E`'s type. ||\r
+|| `Symbol <- CSymbol; E` || Environment variable `CSymbol` is read into normal variable `Symbol`, which inherits its type/value. ||\r
+|| `E1; E2` || The effect of `E1` followed by the effect of `E2` ||\r
+|| `E1 where E2 end` || The effect of `E2` followed by `E1`, afterward '''erasing''' any environment variable alterations by `E2` ||\r
+|| `let E1 in E2 end` || Same as `E2 where E1 end` ||\r
+|| `E1 with E2 end` || The effect of `E1` followed by `E2` ||\r
+|| `E1 with end` || Same as `E1` ||\r
+|| `E1 where E2 with E3 end` || The effect of `E2` followed by `E1` followed by `E3`, afterward '''erasing''' any environment variable alterations by `E2` ||\r
+|| `E1 where E2 with end` || The effect of `E2` followed by `E1`, afterward '''erasing''' any environment variable alterations by `E2` ||\r
+|| `\\ Symbol : P -> E` || No effect until called ||\r
+|| `E1 with E2 end`, when `E1` is a nested abstraction function || The effect of `E1` followed by `E2` followed by the effect of the action obtained by substituting the value of `E2` in the body of the abstraction to which `E1` evaluates. ||\r
+\r
+=== Nested action functions ===\r
+\r
+Sometimes it is convenient to be able to write new nested actions that call primitive nested actions as subroutines. For instance, the [http://deleuze.hcoop.net/domtool/easy_domain.html#V_dom dom] helper function uses [http://deleuze.hcoop.net/domtool/domain.html#V_domain domain] as a subroutine. Standard functions aren't good enough for these purposes, since they don't allow us to take into account the different environment effects that different nested action arguments might have. The nested function type `P => T` is the solution to this problem.\r
+\r
+You can define a nested action function with the `\\ Symbol : P -> E` form. Such a function has type `P => T` when assuming that `Symbol` has type `[P]` implies that `E` has type `T`. Any call to this function will be typed taking into account that we play the argument action's effect before playing the effect of the function's body.\r
+\r
+== Extern types ==\r
+\r
+Extern types (which are also used to implement "primitive types" like `int` and `string`) have something of the flavor of dependent types or refinement types. Registering appropriate handlers from a plugin can create an extern type whose values are controlled by an arbitrary predicate. Plugin implementers are supposed to maintain the invariant that the predicate controlling an extern type is never observably inconsistent in the course of a single type-checking session. That is, it never once declares a value to belong to type `T` and also declares it not to belong to `T` in the same type-checker invocation. A good example is the [http://deleuze.hcoop.net/domtool/domain.html#T_your_domain your_domain] type, which consists of those strings naming domains that the current user is allowed to configure. Within a single type-checking, the user remains constant, and so `your_domain`'s predicate returns consistent decisions. On the other hand, across different sessions by different users, the predicate will of course make different decisions. This approach allows extern types to be used for flexible type-level enforcement of security policies.\r
+\r
+It would be a pain for users to have to mark exactly which extern type a certain expression is meant to belong to. Instead, the DomTool language implementation uses slightly non-compositional type-checking to make use of rich extern types more convenient. By "non-compositional", I mean that the value of an expression, not just its type, may matter in type-checking a larger expression that it is found within. This non-compositionality is only used to infer when a value was given a base type like `string` when it really ought to have been given some rich extern type. For instance, when a function is called that expects an argument of type `your_domain`, the argument is first type-checked. If its inferred type is `your_domain`, then all is well. If not, then we try again, passing the actual argument expression to `your_domain`'s controlling predicate. Only if that predicate also rejects the expression do we signal a type error.\r
+\r
+= Declarations =\r
+\r
+Declarations `D` add new symbols to the typing environment.\r
+\r
+|| '''Syntax''' || '''Description''' || '''Effect on typing environment''' ||\r
+|| `extern type Symbol` || Extern type || Register `Symbol` as a new extern type that is either defined in a plugin or treated purely syntactically. ||\r
+|| `extern val Symbol : T` || Extern value || Register `Symbol` as a new variable that is either defined in a plugin or treated purely syntactically. ||\r
+|| `val Symbol = E` || Expression synonym || Define `Symbol` as an abbreviation for `E`; a specific type for the binding is inferred and used at future occurrences. ||\r
+|| `val Symbol : T = E` || Expression synonym || Define `Symbol` as an abbreviation for `E` of type `T`. ||\r
+|| `context CSymbol` || Context ID || Declare a new context ID `CSymbol`. ||\r
+\r
+= Source files =\r
+\r
+A source file is an optional documentation string, followed by a sequence of semicolon-terminated declarations with optional trailing documentation strings, followed by an optional expression. A documentation string is any text between `{{` and `}}` delimiters and may contain HTML.\r
+\r
+Documentation strings are used in automatic HTML documentation generation. A documentation string that starts a file is used to describe that file in the module index, and it's also included at the start of that file's page. A documentation string after a declaration is used to describe it in the detail section of its file's page. [http://deleuze.hcoop.net/domtool/ The standard library documentation] shows an example output.\r
--- /dev/null
+This page is aimed at admins; that is, people with root privileges on our servers. Most members should probably consult DomTool/UserGuide instead.\r
+\r
+This page documents the different DomTool '''plugins''', which provide the primitive actions that can be used to configure particular "real" daemons.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Apache =\r
+\r
+'''Modules:''' [http://deleuze.hcoop.net/domtool/apache.html Apache], [http://deleuze.hcoop.net/domtool/apache_auth.html Apache_auth], [http://deleuze.hcoop.net/domtool/apache_options.html Apache_options], [http://deleuze.hcoop.net/domtool/mod_autoindex.html Mod_autoindex], [http://deleuze.hcoop.net/domtool/mod_dav.html Mod_dav], [http://deleuze.hcoop.net/domtool/mod_env.html Mod_env], [http://deleuze.hcoop.net/domtool/mod_rewrite.html Mod_rewrite], [http://deleuze.hcoop.net/domtool/proxy.html Proxy], [http://deleuze.hcoop.net/domtool/urls.html Urls]\r
+\r
+Each `vhost "$HOST"` directive creates a `$HOST.vhost` file in `$DOMTOOL/nodes`. A change handler for `.vhost` files copies them to `/var/domtool/vhosts`. A post-handler runs `domtool-publish apache`, which rsyncs `/var/domtool/vhosts` to `/etc/apache2/vhosts` after any vhost has changed and runs `/etc/init.d/apache2 reload` to reload configuration.\r
+\r
+The Apache plugin also manages creation and deletion of log directories. Each member should have an `apache/log` subdirectory of his AFS volume root, owned by domtool with read permissions for the member. The plugin creates a directory `/afs/hcoop/usr/$USER/apache/log/$NODE/$HOST` for each virtual host running on `$NODE` as `$USER` with full hostname `$HOST`. When a vhost is deleted, the plugin deletes its log directory. Since this can't be done while Apache is running, because the daemon maintains open file handles to logs, the plugin has to take Apache down until configuration is finished, reloading it afterward. Hopefully domains aren't deleted very often, so this shouldn't be much of a problem.\r
+\r
+Apache also provides hooks that other plugins can use to request callbacks just before and/or after a vhost is configured.\r
+\r
+= BIND =\r
+\r
+'''Modules:''' [http://deleuze.hcoop.net/domtool/bind.html Bind]\r
+\r
+BIND configuration directives are written to `dns` files in the `$DOMTOOL/nodes` directories of the appropriate nodes/domains. These `dns` files contain all of the contents of a BIND zonefile, with the exception of the SOA record. This is handled by main DomTool code and written in a stylized form to `soa` files. The BIND plugin registers a change handler looking for modifications to either `dns` or `soa` files. When any are found, `/var/domtool/zones/$DOMAIN.zone` is regenerated from them.\r
+\r
+The BIND plugin also produces a `named.conf` file for each domain. A change handler notes when some `named.conf` has changed, and a post-handler concatenates all `named.conf` files in `$DOMTOOL/nodes/$NODE` into `/var/domtool/named.conf.local` and runs `domtool-publish bind`, which rsyncs `/var/domtool/zones` to `/etc/bind/zones`, copies `/var/domtool/named.conf.local` to `/etc/bind/`, and runs `/etc/init.d/bind9 reload`.\r
+\r
+= Exim =\r
+\r
+'''Modules:''' [http://deleuze.hcoop.net/domtool/alias.html Alias], [http://deleuze.hcoop.net/domtool/exim.html Exim]\r
+\r
+The Exim plugin maintains three kinds of files in domain configuration directories:\r
+ * `aliases`, e-mail aliases to be concatenated into `/etc/aliases.hosted`\r
+ * `mail` files that, if non-empty, should contain the current domain's name, indicating that the current node should accept mail for that domain for local delivery\r
+ * `mail.relay` files that, if non-empty, should contain the current domain's name, indicating that the current node should provide relaying for any mail addressed to that domain\r
+\r
+A post-handler performs the concatenation over all domains into `/var/domtool/aliases`, `/var/domtool/local_domains.cfg`, and `/var/domtool/relay_domains.cfg`, respectively; and then runs `domtool-publish exim`, which copies the first file to `/etc/aliases.hosted` and concatenates the rest to `/etc/exim4/conf.d/main/10_domtool-domains`, and then runs `/etc/init.d/exim4 reload`.\r
+\r
+= HCoop =\r
+\r
+'''Modules:''' [http://deleuze.hcoop.net/domtool/hcoop.html Hcoop]\r
+\r
+This plug-in currently only provides useful HCoop-specific `extern` functions.\r
+\r
+= Mailman =\r
+\r
+'''Modules:''' [http://deleuze.hcoop.net/domtool/mailman.html Mailman]\r
+\r
+The `mailmanWebHost` action writes a domain file `mailman`, recording the default Mailman vhost for that domain. A post-handler concatenates all of these into `/var/domtool/mailman.map` in a format suitable for a Python association list in Mailman configuration, and runs `domtool-publish mailman`, which copies that file to `/etc/mailman`. A file `/var/domtool/mailman_domains.cfg` is also created to list which domains should be considered for Mailman list delivery, and this list is added to `/etc/exim4/conf.d/main/10_domtool-domains` upon publishing.\r
+\r
+= Webalizer =\r
+\r
+'''Modules:''' none\r
+\r
+This plugin works entirely through the before/after vhost hooks provided by the Apache plugin. For each vhost `$VHOST` on node `$NODE`, it writes to `$DOMTOOL/webalizer/config/$NODE/$VHOST.conf` Webalizer configuration that will generate statistics for that vhost. The output HTML and images are directed to `$DOMTOOL/webalizer/output/$NODE/$VHOST/`, which the plugin ensures exists.\r
--- /dev/null
+'''Note''': You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.\r
+\r
+These instructions assume you are running as a user in group `wheel` on `deleuze.hcoop.net`.\r
+\r
+= Creating a certificate authority =\r
+\r
+I followed the instructions on this page:\r
+ http://sial.org/howto/openssl/ca/\r
+\r
+This blog post revealed the source of a puzzling error:\r
+ http://ilovett.com/blog/projects/debian-apache-ssl\r
+It turns out leaving some fields (like the city name for your new certificate) blank leads to baffling messages!\r
+\r
+Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA:\r
+{{{mkdir crl newcerts private\r
+chmod go-rwx private\r
+echo '01' > serial\r
+touch index\r
+# NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher\r
+openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM}}}\r
+\r
+Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.\r
+\r
+= Creating a certificate for a node or user =\r
+\r
+I followed the instructions on these pages:\r
+ http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2\r
+\r
+ http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html\r
+\r
+The commands to run are:\r
+{{{openssl genrsa -out serverkey.pem\r
+openssl req -new -key serverkey.pem -out newreq.pem -days 365\r
+cat newreq.pem serverkey.pem > new.pem\r
+openssl ca -config /etc/domtool/openssl.cnf -policy policy_anything -out servercert.pem -infiles new.pem}}}\r
+replacing `serverkey.pem` and `servercert.pem` with appropriate names for your new key and certificate, respectively. The change I made from [http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2 the cited source] is to include the `-config` flag to reference the modified config file obtained from [http://sial.org/howto/openssl/ca/ the page about creating a CA].\r
+\r
+Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.\r
+\r
+= Baffling things that can happen =\r
+\r
+If `openssl ca` tells you this:\r
+{{{failed to update database\r
+TXT_DB error number 2}}}\r
+\r
+it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in `openssl.cnf`:\r
+{{{\r
+unique_subject = no}}}\r
+\r
+If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in `index.attr` and possibly `index.attr.old`.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the DomTool User Guide. The properties of DomTool are described, as well as its use and its configuration file format.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Overview =\r
+\r
+HCoop is almost unique in the history of the Internet. We are trying to provide highly configurable Internet hosting to the general public while maintaining a high level of security, so that your services keep running and your data stays safe and private. You can probably see that these goals conflict in a number of ways! Since our organization's birth in 2002, we've been evolving tools to help us reconcile these different goals. This document introduces the primary element of our current solution.\r
+\r
+This solution is called DomTool, and here's the one-line summary of what it's all about:\r
+ DomTool enables HCoop members to use a '''domain-specific programming language''' to describe how to configure daemons spread across our servers.\r
+\r
+Some other cogent properties of DomTool:\r
+ * The language is a '''[http://en.wikipedia.org/wiki/Statically_typed statically-typed], [http://en.wikipedia.org/wiki/Purely_functional purely functional] programming language'''. Other functional programming languages that you might have heard of include Lisp, Scheme, ML, and Haskell. Haskell and ML are statically-typed, and Haskell is purely functional.\r
+ * The language has a rich and extensible type system that can '''enforce complicated security policies through type-checking'''.\r
+ * Configuration works via a '''distributed client/server architecture''', so, with the right software installed, you can configure your domains from anywhere.\r
+\r
+Some readers may be scared off by this level of technical jargon. We apologize, but we just couldn't help showing it off. ;-) The rest of this document will be aimed at the average member, assuming only a solid understanding of the basics of Linux and the Internet. In particular, we assume no experience with particular kinds of programming.\r
+\r
+= Configuration files =\r
+\r
+In this example, we'll assume that you've requested and been granted privileges to some Internet domain name (like `you.com`) via our [https://members2.hcoop.net/portal/domain domain permission request form]. If you ''don't'' want to configure a domain that you own, then you don't need to be using DomTool!\r
+\r
+You will edit a text file with the configuration directives you want applied your domain. Where `$USER` is your HCoop username and `$DOMAIN` is your domain name, you should write configuration into a file `~$USER/.domtool/$DOMAIN`. If you're logged into one of our servers, `cd ~/.domtool` should get you to the proper directory. Otherwise, it can be useful to know that your home directory is something like `/afs/hcoop.net/user/u/us/username`, where you should replace `username` with your HCoop username and `u` and `us` with the one- and two-character prefixes of that username. Be sure that your `.domtool` directory has an AFS ACL set that allows the user `domtool` to read it, or your domains may go down when we need to reload everyone's configuration. If you end up with the wrong permissions, see MemberManual/GettingStarted/AfsExamples for the right command to run.\r
+\r
+We leave it up to you to choose how to edit the source file. You might run something like `emacs $DOMAIN` over SSH, or you might open it locally if you have our AFS cell mounted in your local filesystem. In the latter case, those of you lucky enough to be using UNIX-based home systems will probably want to create softlinks from your local home directories to your HCoop home directories in AFS, to save some typing each time you want to open Domtool files.\r
+\r
+In this file `$DOMAIN`, you can write:\r
+{{{dom "$DOMAIN" with\r
+end;}}}\r
+\r
+You should replace `$DOMAIN` with the actual domain name. This example introduces the simplest useful configuration, based on the `dom` directive. What does this source file accomplish? It:\r
+ * Declares our nameservers as authoritative for your domain.\r
+ * Declares that Exim should handle e-mail for your domain.\r
+ * Directs Exim to send all mail to your domain to your mailbox.\r
+ * Adds a DNS mapping from `www.yourdomain.com` to our web server's IP address.\r
+ * Creates an Apache virtual host at that hostname serving `~$USER/public_html/`.\r
+\r
+There are more primitive configuration directives to set up each of these features individually. `dom` packages all of the functionality together in an easy-to-use package. One of the main principles behind DomTool and our use of it is to '''avoid configuration repetition wherever possible'''. The DomTool language contains several abstraction features familiar from high-level programming languages, as well as some new ones, all in support of abstracting common code patterns into programming language entities that can be called multiple times. In general, if you find yourself writing the same code over and over again, let us know, and we'll try to add a new abstraction to our standard library! You could even write such an abstraction yourself, but that's beyond the scope of this intro document.\r
+\r
+Now, enough talk; let's execute our source file! Assuming that you're in your `.domtool` directory, run{{{\r
+domtool $DOMAIN}}}\r
+\r
+This contacts our central dispatcher server over an SSL connection. Once the server verifies that you are who you say you are, it will publish your configuration to the affected daemons, and you should be able to start using your domain.\r
+\r
+You could also simply run{{{\r
+domtool}}}\r
+which calls the dispatcher with '''all''' configuration files in your `.domtool` directory, regardless of what your current working directory is. This can be a helpful shortcut sometimes, though it can be noticeably less efficient than calling `domtool` with the single domain that you know you've changed.\r
+\r
+In fact, the names of the source files in your `.domtool` directory don't matter. We recommend storing the configuration for each of your domains in a separate file named after that domain, but you might want to make different choices. For instance, you might want to use an abstraction that configures multiple domains at once. However, it '''is''' important that you keep all your permanent configuration files in your `.domtool` directory. Sometimes we need to reprocess all configuration from scratch, and in such cases our dispatcher will only look for source files in your `.domtool` directory. For temporary experimentation, though, you can feel free to store source files elsewhere and run them explicitly with `domtool $FILENAME`.\r
+\r
+= Debugging configuration files =\r
+\r
+To check a configuration file without actually publishing its results, run:{{{\r
+domtool -tc $FILENAME}}}\r
+\r
+Here, `-tc` stands for "type-check." The Domtool language is designed to capture all rules of which configuration is valid and which isn't in its parsing and typing rules, so using the `-tc` option ''should'' enable you to find any bugs in your configuration. We might have bugs in our implementations of the configuration directives from time to time, but `-tc` should be sufficient to help you find your own bugs.\r
+\r
+Note that using your `~/.domtool` directory as a scratch space with lots of stray files is a bad idea, especially if you have multiple files representing different alternatives for configuring the same domain. Sometimes we make a change to Domtool that requires reprocessing all user configuration. In such cases, we run every file found in any user's `~/.domtool` directory. In that case, your `~/.domtool` files will be run in an arbitrary order, including any files that you have been thinking of as "test cases." It just might happen that the "test cases" end up overriding the "real" files. Also, if ''any'' file in your `~/.domtool` fails to type-check, we will unpublish ''all'' of your domains automatically. In summary, use another directory for storing tests, and run them by specifying explicit filename arguments to `domtool`, possibly with the `-tc` option.\r
+\r
+= Permissions =\r
+\r
+Now let's put on our Evil Hacker from the Seventh Circle of Hell hats. If you write this to a file `hcoop.net`:\r
+{{{dom "hcoop.net" with\r
+end;}}}\r
+and run:{{{\r
+domtool hcoop.net}}}\r
+you should see an error message like:\r
+{{{hcoop.net:0.0-1.14:error: Function argument has wrong type.\r
+ Expression: "hcoop.net"\r
+Actual type: string\r
+Needed type: your_domain}}}\r
+\r
+What this is saying is that you are only allowed to use `dom` with domains that '''you''' are allowed to configure. You tried to configure `hcoop.net`, which is not one of those domains, and so is treated like an arbitrary string (sequence of characters). The type checker has saved the day, and the Evil Hacker is prevented from mucking with `hcoop.net` configuration.\r
+\r
+How exactly does DomTool determine which domains you're allowed to configure? It uses a general permissions system based on access control lists. You can list all of your permissions by running:{{{\r
+domtool-admin perms}}}\r
+You should see output like this:\r
+{{{Permissions for you:\r
+domain: you.com you.net you.org\r
+path: /afs/hcoop.net/user/y/yo/you\r
+user: you}}}\r
+where `you` stands for your username. The `domain` list gives the Internet domains to which you've been granted configuration rights. `user` lists the UNIX users as whom you may run programs, and `path` gives the filesystem paths that you're allowed to reference in your configurations. You have rights to all subdirectories of `path` entries, too.\r
+\r
+You might like to perform some other queries on the permissions database, too. For instance, you might like to know which member owns `someone.com`. You could run:{{{\r
+domtool-admin whohas domain someone.com}}}\r
+and hopefully get back a reply like:{{{\r
+whohas domain / someone.com: someone}}}\r
+\r
+In general, `domtool-admin whohas $CLASS $VALUE` will list every user who has `$VALUE` in the `$CLASS` row of his permissions table.\r
+\r
+= Nested configuration directives =\r
+\r
+Let's look under the hood at what `dom` is doing by writing an equivalent configuration file that doesn't use it.\r
+{{{domain "$DOMAIN" with\r
+ dns (dnsNS "ns1.hcoop.net");\r
+ dns (dnsNS "ns3.hcoop.net");\r
+\r
+ dns (dnsA "www" web_ip);\r
+\r
+ handleMail;\r
+ catchAllAlias "$USER";\r
+\r
+ vhost "www" with\r
+ end;\r
+end;}}}\r
+\r
+Now we see what that `with..end` syntax was about: it relates to '''nested configuration directives'''. Both `dom` and the more primitive `domain` directive take additional configuration specific to the named domain. Everything we include here inside `domain` could also have been included inside a `dom` use, though it would be redundant.\r
+\r
+The contents of the `domain` block are a series of DomTool language expressions that evaluate to '''actions'''. Each action is given using consistent programming language syntax, rather than the ad-hoc configuration syntaxes used by daemons like Apache and Exim. This means that the directives are sometimes slightly more verbose, but they are much easier for humans and machines to parse, since no directive-specific ad-hoc syntax information is required.\r
+\r
+Let's step through the nested directives one by one to explain their meanings.\r
+\r
+The `dns` lines register DNS mappings to be included in `$DOMAIN`'s zone. `dnsNS` records list the authoritative nameservers in order. `dnsA` records provide mappings from hostnames to IP addresses. `web_ip` is a variable containing the IP address of our default web server for member use, defined in the standard library.\r
+\r
+`handleMail` asks Exim to provide relaying for any e-mail message addressed to any address at `$DOMAIN`.\r
+\r
+`catchAllAlias "$USER"` directs Exim to deposit any mail addressed to any user at `$DOMAIN` in `$USER`'s mailbox.\r
+\r
+The `vhost` directive demonstrates several layers of nested configuration. It declares an Apache virtual host named `www.$DOMAIN`. We could have included further Apache-specific configuration inside the `vhost` directive.\r
+\r
+= Configuration contexts =\r
+\r
+Not all configuration directives make sense in all contexts. For instance, it doesn't make sense to specify a URL rewrite rule outside of a `vhost` directive. The DomTool language uses a concept of '''contexts''' or '''predicates''' to enforce correct usage of directives.\r
+\r
+To illustrate, let's try breaking the rule we just gave in our example:\r
+{{{dom "hcoop.net" with\r
+ alias "/doc" "/usr/local/doc"\r
+end;}}}\r
+\r
+We ask for the URI prefix `doc/` to be mapped to file path `/usr/local/doc`. The `alias` directive is only allowed inside `vhost`s, so we get an error like this:\r
+{{{hcoop.net:0.0-3.4:error: Context incompatibility for nested action.\r
+Have: Domain\r
+Need: Vhost}}}\r
+\r
+This one's simple enough. We're in a `Domain`, but we need to be in a `Vhost` to use that directive. In full generality, DomTool's context specification language is a small logic that can be used to express much more complicated conditions, while maintaining the ability for the interpreter to check proper usage automatically. See the DomTool/LanguageReference for a full specification.\r
+\r
+= Environment variables =\r
+\r
+DomTool has its own concept of typed '''environment variables''' that are used to tweak parameters of configuration directives. Here's an example to demonstrate how they're used and why they're useful.\r
+\r
+Running this configuration:\r
+{{{vhost "www" with\r
+end;}}}\r
+gives you an Apache virtual host that serves documents out of `~/public_html`. If you wanted to serve documents out of `$DIR` instead, you could run:\r
+{{{vhost "www" where\r
+ DocumentRoot = "$DIR"\r
+with\r
+end;}}}\r
+Maybe you want to use the same document root for two different virtual hosts. In that case, you could use:\r
+{{{let\r
+ DocumentRoot = "$DIR"\r
+in\r
+ vhost "www" with\r
+ end;\r
+\r
+ vhost "www2" with\r
+ end;\r
+end;}}}\r
+Both of these alternatives involve assigning a new value to the '''environment variable''' `DocumentRoot` of type `your_path`, the type of filesystem paths that you may reference in configuration. Both `where` and `let` only introduce ''local values'' for environment variables. That is, once the `let` or the expression with the `where` clause has finished, it undoes changes to the environment made in the `where` clause or the first part of the `let`. This helps you maintain neat code that doesn't rely too much on global state.\r
+\r
+As this example hopefully shows, environment variables are useful because they make it more pleasant to use highly-customizable configuration directives. The less-commonly-configured aspects of a directive can be taken in as environment variables rather than normal arguments. That way, you don't need to write any code to deal with them when you are happy with their default values. When you ''do'' want to set a non-standard value, you can use a construct like `let` to apply it to multiple directives at once.\r
+\r
+= Removing a domain =\r
+\r
+When you no longer want to host a domain `$DOMAIN` with HCoop, do the following:\r
+\r
+ * Remove all mentions of `$DOMAIN` from the files in your `~/.domtool`.\r
+ * Run: {{{\r
+domtool-admin rmdom $DOMAIN\r
+}}}\r
+\r
+The second step should fail if you haven't been granted permission to configure `$DOMAIN`. If you finish both steps successfully, then none of the shared HCoop daemons should serve anything related to `$DOMAIN` anymore.\r
+\r
+= Further reading =\r
+\r
+We're purposely cutting off this user guide at this shallow level of detail. The best thing to read next is the ["DomTool/Examples"], which should introduce by example all of the language features and configuration directives that you're likely to use. If you want to understand the type error messages that the interpreter generates as more than just "there is a problem somewhere," then you'll probably want to learn a bit more about the language.\r
+\r
+For a more in-depth understanding of DomTool, including how to build and use your own directives, see the DomTool/LanguageReference. The [http://deleuze.hcoop.net/domtool/ standard library reference] presents all of the standard directives with full DomTool type information. We've glossed over details of the type system in this guide, but members comfortable with ML or Haskell programming will probably find this formal documentation the easiest to use, since types express very succinctly how directives may be used.\r
+\r
+The main DomTool page links to all of these resources and several more.\r
--- /dev/null
+If you want to host a domain name with us, you'll need to pick a registrar and sign up with them. For those who don't know, the domain registrar business was demonopolized years ago, so you have a choice between hundreds of registrars who compete for your business. [http://www.godaddy.com/ GoDaddy] is the current leader in new domain registrations, and AdamChlipala and a number of other hcoop members use and recommend it. [http://www.gandi.net/ GANDI] is a French registrar who has a nice English-language site and is highly recommended by FrankBynum, since they are the only registrar that declares in the agreement that you actually own the domain name. \r
+\r
+The only technically important thing about a domain name registration is providing the addresses of name servers to provide authoritative information on the domain's hosts. If you want to use our standard hosting setup, the name servers you give should be:\r
+{{{\r
+ns.hcoop.net\r
+ns2.hcoop.net\r
+}}}\r
+\r
+It takes a while for DNS records to propagate to all ISP's once you register a domain. Once your local DNS server knows about the new domain, you can start setting it up. Visit [https://members.hcoop.net/portal/domain the portal] to request access to administer your domain with DomainTool.\r
+\r
+== If this doesn't work ==\r
+\r
+=== "SOA serial mismatch" ===\r
+\r
+At least one domain name registry (NIC-SE, which handles the .se domain) has been known to have problems with djbdns, the DNS software HCoop is using.\r
+\r
+This error is reported as "SOA serial mismatch".\r
+\r
+In the case of .se, it works to just specify one authoritative DNS server:\r
+\r
+{{{\r
+ns.hcoop.net\r
+}}}\r
+\r
+Hopefully this will work for any registries with this problem.\r
--- /dev/null
+This page documents the procedures for administering the sites you have hosted with HCoop. All the configuration files described support line comments, indicated by beginning a line with {{{#}}}.\r
+\r
+This page describes in detail how to use domtool. It may be easiest for you to simply look at the setup of an existing domain and copy most of the directives. See, for example, {{{/etc/domains/net/schizomaniac}}}, AdamChlipala's personal domain.\r
+\r
+You won't be able to find help about domtool elsewhere on the web. We've developed it ourselves specifically for hcoop (see [http://hcoop.sf.net/ the SourceForge project]). Also, you will no doubt be wasting your time looking elsewhere for information on configuring Apache, your individual web sites, DNS, e-mail aliases, or any other shared service, since we don't allow users to modify these settings directly. You have to go through domtool, and this page should tell you everything you need to know about doing that.\r
+\r
+= Directory structure =\r
+The configuration files for the sites hosted here are rooted in {{{/etc/domains}}}. This directory tree corresponds to the structure of Internet domain names. For instance, tpu.org configuration is rooted in {{{/etc/domains/org/tpu}}}. We use standard UNIX file permissions to control who may modify which domains. There are appropriate files to edit in a domain's directory to control its DNS, e-mail aliases, Apache virtual hosts, and Webalizer statistics. Upon making changes, you run the {{{domtool}}} command line program (with no parameters) to publish them. It will let you know if it finds any errors in your changes. ''Remember'', none of the files in {{{/etc/domains}}} have any direct effect on our services by themselves. You must always run {{{domtool}}} to publish your changes.\r
+\r
+To begin configuring a new domain, [https://members.hcoop.net/portal/domain request access to it through our portal]. This will create a directory for your domain and populate it with the skeleton files .dns, .groups, .paths and .users. You will need to add any additional files and review these initial files to see if they are appropriate for your domain. Do not attempt to change the .groups, .paths or .users files yourself. This must be changed by an administrator. If you do edit them {{{domtool}}} will reject them. After making changes remember to execute {{{domtool}}} from the directory.\r
+\r
+= Variables =\r
+Domain directories, including the root {{{/etc/domains}}}, may contain {{{.vars}}} files. These define simple mappings from strings to strings, in the form of whitespace-separated name/value pairs on separate lines. Currently, they are used only in naming IP addresses that will be used in many domains. For example, the IP address of the web server configured by this tool is called {{{www}}}. Subdomains inherit the variables set in their parents, and they may also define new variables.\r
+\r
+= Paths =\r
+To control access to the filesystem, each domain has an associated list of directories it is allowed to access. Any of these directories or their subdirectories is allowed to be used any place a directory must be specified. {{{.paths}}} files in domain directories give lists of allowable paths. They are inherited in the same manner as {{{.vars}}} files. {{{.paths}}} files must be configured by someone with root access or they will not be read. Do '''not''' attempt to edit your {{{.paths}}} file, as doing so will change its ownership and make {{{domtool}}} reject your changes.\r
+\r
+When a {{{.paths}}} file begins with a line that says {{{CLEAR}}}, it causes its domain not to inherit parents' path privileges. This can be used to delegate subdomains to others without giving them access to resources associated with the main domain.\r
+\r
+= Users and groups =\r
+The set of users and groups as whom you may run CGI programs is controlled in a manner analogous to paths. {{{.users}}} and {{{.groups}}} files in any position in the domain hierarchy add permissible users for those domain subtrees. {{{CLEAR}}} is supported for these, as well. As with {{{.paths}}}, do '''not''' edit your own {{{.users}}} or {{{.groups}}} file. Only administrators may do this, and changing its ownership will result in {{{domtool}}} rejecting your changes.\r
+\r
+= Configuring daemons =\r
+domtool lets you configure a number of different daemons. We've documented each one on a separate page. See:\r
+\r
+ * DnsConfiguration: Mapping Internet hostnames to IP addresses\r
+ * EmailConfiguration: Controlling how e-mail to your domain is delivered or otherwise handled\r
+ * VirtualHostConfiguration: Managing web sites at different hostnames of your domain\r
+ * MailingListConfiguration: Setting which web site provides the Mailman web interface for any mailing lists you host with us\r
--- /dev/null
+'''This page is out of date and was only meant as a preview. See DomTool instead.'''\r
+\r
+Herein lies an overview of the new configuration management tool that AdamChlipala is developing. Many things that could be included aren't here yet, and they'll be added as they seem to be important.\r
+\r
+New members coming to this page: This system isn't yet rolled out. You probably want DomainTool instead.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Why something new? =\r
+\r
+The vast majority of configuration changes made at HCoop today go through the (already second-generation) DomainTool developed by AdamChlipala. We would have collapsed under the weight of the collective needs of our growing member base if we hadn't had ''something'' like Domtool to allow members to configure their own domains in a secure way. However, today's Domtool has some serious weaknesses. Here are a few in rough increasing order of seriousness.\r
+\r
+ * '''Extending Domtool is painful.''' The source code has ''some'' nice organizing principles, but still not very many. Adding a new feature tends to involve a hearty helping of boilerplate code. This doesn't have a big effect on anyone but Adam, but there's always the issue that more complicated coding increases the risk of bugs.\r
+ * '''It doesn't support configuration of multiple machines.''' Since we will be switching to running multiple machines (see ColocationPlans), this is a problem! The current Domtool could probably be patched to support this, but the other complaints make it not worth doing.\r
+ * '''The syntax and semantics of each configuration directive are ad-hoc.''' New directives are added by writing custom code to parse lines of input, check that they satsify any constraints necessary for security, etc.. Just like in programming, it's nice to have a common abstraction for the basic building blocks of, in this case, configuration files.\r
+ * '''There is no support for user-programmed abstractions.''' Nearly every subdirectory of `/etc/domains` has a `.dns` file with a shared prefix, declaring common elements like name servers. These should instead be calling a library function or otherwise using a reified object. All sorts of other patterns reappear frequently in Domtool configuration files and ought to be replaced with function calls.\r
+\r
+= Overview of Domtool 2 =\r
+\r
+There are two main pieces to the Domtool 2 system: a programming language and a system for distributed configuration implemented around it.\r
+\r
+== The Language ==\r
+\r
+The Domtool language is a [http://en.wikipedia.org/wiki/Functional_programming statically-typed, pure functional programming language] influenced by Haskell and ML. It uses the function as the basic unit of abstraction, both for describing primitive configuration directives and higher-level subroutines built from them.\r
+\r
+Configuration itself as modeled as a stateful process of making a series of changes to the world, and this process is modeled inside the Domtool language with a configuration monad. The monad also includes the notion of typed environment variables that are a principled alternative to default function parameters, where it's possible to change defaults locally via lexical scoping.\r
+\r
+Not all configuration directives are valid in all contexts. For instance, it only makes sense to specify that a file is a CGI script if you're working in the context of an Apache virtual host. Further, some Apache directives are only valid in the context of a particular directory. Values in the configuration monad are labeled with predicates in a tiny logic describing valid contexts for their use, and the type checker won't let you use a directive elsewhere.\r
+\r
+The language interpreter also allows the addition of new base types by providing membership predicates implemented in SML. For instance, the standard library has a type for the name of a domain that the current user is allowed to configure. Rich types like this make it possible to use types of library functions as machine-checked documentation that often doesn't need to be supplemented with English.\r
+\r
+== Distributed Configuration ==\r
+\r
+As the language allows primitive functions to be implemented externally in SML code, it's possible to build all sorts of systems on top of it. The one that we're interested in here is a system for changing configuration of network daemons running on multiple machines.\r
+\r
+The basic system has three tiers.\r
+\r
+The first tier is the members, merrily configuring away, laughing, crying, enjoying life's ups and downs, and sometimes attempting to configure things that they ought not to, through honest mistakes or (God forbid) malice. They write their configuration files as programs in the Domtool language and type check them locally to make sure that they will be accepted. If type checking succeeds, the scripts are sent over our LAN to a daemon process living on our main server.\r
+\r
+This daemon type-checks the files again (since we don't want to have to trust users to do it right!) and, assuming they check out, executes them to modify a directory tree on our shared AFS filesystem. This tree looks a lot like `/etc/domains` does now, except that it's populated with summaries outputted by the daemon on how other daemons should behave.\r
+\r
+At this point, we reach the final tier. A given set of changes may affect any subset of the configurable servers. The main configuration daemon sends each affected server a note listing the files that have changed, and each of these servers then retrieves the changes from AFS and uses them to rewrite its local configuration in a service-specific way, restarting any local daemons that need restarting.\r
+\r
+= Documentation =\r
+\r
+You can grab the source code from [http://sourceforge.net/cvs/?group_id=99567 HCoop CVS on SourceForge], or [http://hcoop.cvs.sourceforge.net/hcoop/domtool2/ browse it on the web]. Be forewarned that it's implemented in [http://www.hprog.org/fhp/MlLanguage Standard ML] and doesn't have much documentation on building and using it.\r
+\r
+The Domtool 2 language toolset generates documentation automatically, in a way that you may be familiar with from tools like Java``Doc and Doxygen. You can read [http://www.schizomaniac.net/domtool2/ the documentation for the standard library so far].\r
+\r
+= Configuration Examples =\r
+\r
+== The Model T of Domain Configuration ==\r
+\r
+A lot of folks at least start out with very simple configuration with their domains. In fact, a lot of the domains hosted with HCoop have the exact same configuration, modulo usernames and other blanks to fill in. A standard recipe is:\r
+\r
+ * Declare our nameservers as authoritative for your domain.\r
+ * Declare that Exim should handle e-mail for your domain.\r
+ * Direct Exim to send all mail to your domain to your mailbox.\r
+ * Add a DNS mapping from `www.yourdomain.com` to our web server's IP address.\r
+ * Create an Apache virtual host at that hostname serving `~/public_html/`.\r
+\r
+With the old Domtool, this configuration is scattered throughout a number of files. With Domtool 2, this source code accomplishes it:\r
+\r
+{{{\r
+dom "yourdomain.com" with\r
+end;\r
+}}}\r
+\r
+Simple, eh? `dom` is a library function defined elsewhere. For comparison, an equivalent configuration that doesn't use it is:\r
+\r
+{{{\r
+domain "yourdomain.com" with\r
+ dns (dnsNS "ns.hcoop.net");\r
+ dns (dnsNS "ns2.hcoop.net");\r
+\r
+ dns (dnsA "www" web_ip);\r
+\r
+ handleMail;\r
+ mailbox <- Mailbox;\r
+ catchAllAlias mailbox;\r
+\r
+ vhost "www" with\r
+ end;\r
+end;\r
+}}}\r
+\r
+Still quite a bit better than what the old Domtool allows!\r
+\r
+== A Very Busy Example ==\r
+\r
+I'm not even going to bother setting out to explain this. Here is a load of configuration sitting in a bucket.\r
+\r
+{{{\r
+domain "hcoop.net" with\r
+ dns (dnsNS "ns.hcoop.net");\r
+\r
+ dns (dnsA "a" "1.2.3.4");\r
+ dns (dnsCNAME "b" "a.hcoop.net");\r
+ dns (dnsMX 1 "mail.nowhere.eu");\r
+\r
+ handleMail;\r
+\r
+ emailAlias "someone" "someoneElse";\r
+ aliasMulti "me" ["nowhere","smelly@yikes.com"];\r
+\r
+ catchAllAlias "me@gmail.com";\r
+\r
+ mailmanWebHost "lists.hcoop.net";\r
+\r
+ dns (dnsA "www" web_ip);\r
+ vhost "www" where\r
+ DocumentRoot = "/home/adamc/html";\r
+ ServerAdmin = "my@other.address"\r
+ with\r
+ serverAlias "hcoop.net";\r
+ addDefaultCharset "mumbo-jumbo/incomprehensible";\r
+\r
+ location "/theMorgue" with\r
+ rewriteRule "A" "B" [];\r
+ end;\r
+ end;\r
+end;\r
+\r
+domain "schizomaniac.net" where\r
+ TTL = 1234\r
+with\r
+ vhost "www" with\r
+ directory "/home/adamc/thisPlace" with\r
+ unset_options [includesNOEXEC];\r
+ indexOptions [iconsAreLinks, scanHtmlTitles, iconWidth 45];\r
+ end\r
+ end;\r
+\r
+ vhost "proxy" with\r
+ proxyPass "/proxyLand" "http://localhost:1234/otherProxyLand";\r
+ proxyPassReverse "/proxyLand" "http://localhost:1234/otherProxyLand";\r
+ end;\r
+end;\r
+}}}\r
+\r
+= Summary of Security-Related Architecture =\r
+\r
+The system for distributed configuration, as implemented now, works something like this:\r
+\r
+We create our own Open``SSL Certificate Authority for signing certificates related to the operation of Domtool 2. Every check mentioned below will only accept certificates signed by this authority.\r
+\r
+When a user wants to push out some new configuration, he opens an SSL connection to the dispatcher daemon. The user looks in the shared AFS filesystem for his personal, automatically-generated certificate and private key. The certificate is world readable, while the permissions on the key are such that only that user can read it. (This means that we are depending on the security of AFS/Kerberos/whatever else we use.) The server verifies that the certificate is made out to the user's UNIX username and then performs the usual SSL handshake to make sure the party on the other end of the connection really has read access to the private key.\r
+\r
+If everything has gone properly, at this point the dispatcher is convinced that it's talking to a particular UNIX user. The dispatcher consults a special Domtool access control list, telling which filesystem paths, domains, etc., that user is authorized to use. These settings are used to determine the meanings of some custom base types in the Domtool language. The dispatcher type-checks the user's configuration source in that context, aborting if type-checking fails.\r
+\r
+The dispatcher now executes the configuration to update the directory tree (on AFS) representing network-wide configuration. The dispatcher opens an SSL connection to each server affected by the changes in turn. The other server verifies that the connecting party's certificate is signed by our CA and that it is made out to the dispatcher's hostname. If it is, the other server can accept the list of configuration files that have changed. We again trust AFS security, as the other server reads the updated files from AFS and makes the appropriate local changes.\r
+\r
+= Open Design Decisions =\r
+\r
+ * '''Where should configuration source files be stored?''' Domtool 2 does away with the association between filenames/paths and configuration semantics. However, enforcing a standard filesystem layout for configuration is nice, because it makes it easy to recompile everyone's configuration in the event that something changes in the tools. How should we handle this issue with Domtool 2 while letting members keep the flexibility of this programming language?\r
+ * '''How does that SSL stuff sound?''' A lot of it was designed to make this easiest to implement, not because it leads to the conceptually cleanest mechanism. By the way, the Open``SSL library is a bear to learn!\r
+\r
+= Epilogue =\r
+\r
+After we've migrated to the new architecture and everything seems stable for a few months, I want to try creating a "web control panel"-style interface to Domtool 2. I believe I've designed the language such that this should be trivial. Specifically, I ''think'' the Domtool language's type system gives all of the information needed to generate a nice control panel interface automatically. We'd want to add some extra metadata, like cute icons for particular configuration functions, but I think it should be straightforward to implement a generic control panel that (aside from icons and extra descriptive text) builds its interface automatically from the source code of our standard library.\r
+\r
+The gist of the interface would be a tree-editor GUI for the abstract syntax trees of the Domtool language. I think we can present it in a way such that even people who aren't comfortable with programming view it as a natural way of doing things, and the abstraction enabled by the language behind the scenes should let us blow away the competition with how quickly we can add new configuration functionality.\r
--- /dev/null
+Everybody's favorite member (really).\r
+\r
+Do not go to http://raines.ws.\r
--- /dev/null
+The short answer to the usual question is, yes, we do have PHP in Apache, and we do have SQL database servers running (PostgreSQL and MySQL) (see UsingDatabases).\r
+\r
+If you want to use our main Apache server for your dynamic web sites, you must use CGI or another execution method which requires forking a new script process for every dynamic request. There are a number of more efficient ways of doing dynamic page generation (including `mod_some_language`), but they don't work well with running scripts as their owners from a single main Apache instance, which is crucial from a security perspective in a multi-user environment like ours. However, you are free to run whatever web server you want by [https://members.hcoop.net/portal/sec requesting a port for it] and having Apache proxy to it with the `LocalProxy` directive for VirtualHostConfiguration. In the remainder of this page, we'll assume that you don't want to do this.\r
+\r
+= Security =\r
+\r
+We have some basic security measures in place to keep your dynamic page generation programs from using enough server resources to produce service outages for other users.\r
+\r
+ * Your CGI/PHP programs can't use more than 100MB of RAM. If they could use arbitrary amounts, they could cause important daemons to crash because of out-of-memory errors.\r
+ * No more than 100 processes total with a single owning user can be running. Without this, the above limitation would be ineffective, since that limit only applies on a per-process basis.\r
+ * Your CGI/PHP programs can't run for more than 10 seconds. While an infinite-looping script may sound like it's far from a security threat, it actually is. Apache has a fixed number of child processes that it uses to service requests, and each script monopolizes one of those processes while it's running. If enough scripts run for long enough, then there will be no child processes left, and no other web pages will be served until some children free up. A single infinite-looping script on a popular site could reach this situation very quickly.\r
+\r
+The specific numbers here, and even more qualitative aspects of the policy, are open to debate. If you find that these constraints prevent you from doing something reasonable, and if you can suggest alternate enforcement mechanisms that still prevent users from stepping on each other, then suggest it on the `hcoop-discuss` mailing list.\r
+\r
+An alternative is for you to run your own web server to which Apache proxies requests, as suggested near the beginning of this page. In that case, you have much more freedom, but you will still be under the usual resource limits for regular user processes. (See UsingResourceLimits.) Also, Apache enforces a time-out for proxying, as well, for the same reasons as detailed above, so you will really need to run your own web server on a non-standard port if you want long-running dynamic page generation programs.\r
+\r
+= PHP =\r
+\r
+We support PHP via Apache's `mod_suphp`. This module forks a new process for each script execution, like with CGI. It runs scripts as their owners, which is the reason we need to use it instead of `mod_php`.\r
+\r
+The combined upside/downside compared to suexec CGI is that `mod_suphp` requires that every script be in the `DocumentRoot` of the vhost it's running in. To allow `http://hcoop.net/~you/...` PHP scripts, we've set `hcoop.net`'s `DocumentRoot` to `/home`. This should be safe as long as everything in `/home` has appropriate permissions, but we may decide to revise it later for security reasons.\r
+\r
+You must use the `User` and `Group` VirtualHostConfiguration directives to make virtual hosts serving dynamic content run as particular users. You'll usually choose either your own user or a special user created to be run for your dynamic web stuff. (You are required to do one or the other to get PHP/CGI working for your own vhosts.) [https://members.hcoop.net/portal/support Create a support ticket] if you want such a user.\r
+\r
+= CGI =\r
+\r
+CGI scripts and programs accessed via `http://some.domain/~you/...` run as `you`. When you want to run CGI scripts for your own virtual host, you can use a `ScriptAlias` or `CGI` directive for VirtualHostConfiguration. Like for PHP, you must use `User` and `Group` to set the user/group scripts should run as on your vhost.\r
+\r
+= Debugging =\r
+\r
+If your scripts give you "Error 500" pages or similar, you should check the error log for the virtual host you are using. If you're accessing your site via `http://some.domain/~you/` where `some.domain` has the same front page as `hcoop.net`, the error log is `/var/log/apache2/home/error.log`, and it is readable by everyone. If your script is running on a separate vhost, then see the `Group` directive for VirtualHostConfiguration for how to get read access to the logs for all users in a specified group.\r
+\r
+= Notes =\r
+\r
+See also MailingListConfiguration for information on adding a Mailman web interface to your virtual host.\r
--- /dev/null
+''(The following content was moved from the old Abulafia wiki node BoardOfDirectorsElection for reference purposes).''\r
+\r
+'''VOTING IS NOW CLOSED. DO NOT EDIT THIS PAGE.''' The first board of directors of HCOOP, INC. consists of Adam Chlipala (27 votes), Nathan Kennedy (23 votes), and Davor Ocelic (14 votes).\r
+\r
+This page is for the election of the first Board of Directors of HCOOP, Inc.\r
+\r
+Nomination of candidates and candidate statements shall occur simultaneously with voting on the ["Bylaws"] at BylawsVote.\r
+\r
+Please list candidates to nominate below. You may nominate yourself. Please list candidate names alphabetically by last name.\r
+\r
+Nominations may continue until April 3, 2005, 11:59 PM UTC.\r
+\r
+= Nominations =\r
+ 1. LukeChao. Nominated by LukeChao.\r
+ 2. AdamChlipala. Nominated by NathanKennedy.\r
+ 3. ClintonEbadi. Nominated by DavidBettis.\r
+ 4. RobGubler. Nominated by RobGubler.\r
+ 5. BrianHolmes. Nominated by BrianHolmes\r
+ 6. NathanKennedy. Nominated by AdamChlipala.\r
+ 7. DavorOcelic. Nominated by NathanKennedy.\r
+ 8. JasonSmathers. Nominated by JasonSmathers.\r
+\r
+= Candidate Statements =\r
+Nominees who accept their nominations may place a candidate statement here, and/or a link to such a statement elsewhere.\r
+\r
+ 1. LukeChao. Among Hcoop members, I'm not at all special for being a Linux geek, or even for being one of the people who helped to make Abulafia happen in the first place. So, I'll state that if you vote for me, I will press to require new applicants to write an analytical essay on Garrett Hardin's paper "The Tragedy of the Commons." Without checks, rapid expansion could cause catastrophe. That's my platform. LukeChao for 2005!\r
+ 2. AdamChlipala. Hello. I put together most of what you see here and do most of the day-to-day management. I reckon I can keep doing that pretty well.\r
+ 3. RobGubler. Level headed; will make unbiased decisions. More people should be running for the board...\r
+ 4. BrianHolmes. I have an interest in seeing this group grow and develop into a well respected organization. I will always be sure that the decisions I make are well informed and fulfill the needs of HCoop's members. Please view my full statement on my page at BrianHolmes.\r
+ 5. NathanKennedy. Since joining in January, I have been active in discussion and support on the list and in #hcoop. I have moved forward the incorporation proceedings, wrote most of the ArticlesOfIncorporation, successfully handled the paperwork for incorporating in Pennsylvania, and have been helping to craft bylaws. If elected I would continue to get tough tasks done and maintain a strong leadership to grow the membership and move the cooperative forward.\r
+ 6. DavorOcelic. Please see my statement on my DavorOcelic user page. Thank you.\r
+ 7. JasonSmathers. I have included a detailed statement on my JasonSmathers page. You will see my experience with non profit corporations, corporate procedures, and interaction with the IRS on behalf of non profit corporations. Additionally I have the technical knowledge to help Hcoop, Inc. grow in a smart way.\r
+\r
+= Votes =\r
+Nominees who accept their nominations should place their names on this list. When voting begins, every member may place their vote under up to three candidates. Nominees may vote for themselves. Voting will be open for a week after bylaws are approved.\r
+\r
+Voting begins on April 4, 2005, 00:00 (midnight) UTC, and closes one week later on April 10, 11:59 PM UTC. During this time, you may list your name underneath up to three candidates.\r
+\r
+ * LukeChao\r
+ 1. DavidBettis\r
+ 1. ClintonEbadi\r
+ 1. FrancoisDenisGonthier\r
+ 1. AadityaSood\r
+ 1. GianPerrone\r
+ 8. Jeffrey Drake\r
+ * AdamChlipala\r
+ 1. LukeChao\r
+ 1. DavorOcelic\r
+ 1. NathanKennedy\r
+ 1. AdamChlipala\r
+ 1. DavidBettis\r
+ 1. RobGubler\r
+ 1. MichaelOlson\r
+ 1. MikeLeonhard\r
+ 1. ClintonEbadi\r
+ 1. MatthieuSozeau\r
+ 1. DrewRaines\r
+ 1. JeffreyDrake\r
+ 1. JohnSettino\r
+ 1. RickHull\r
+ 1. NoufalIbrahim\r
+ 1. JeremyPenner\r
+ 1. DavidSnider\r
+ 1. Matt Currington\r
+ 1. FrancoisDenisGonthier\r
+ 1. AadityaSood\r
+ 1. GianPerrone\r
+ 1. BrianHolmes\r
+ 1. FrankBynum\r
+ 1. TanveerSingh\r
+ 1. SriharshaSetty\r
+ 1. VisnjaBolf\r
+ 1. AndreKuehne\r
+ * RobGubler\r
+ * BrianHolmes\r
+ 1. JeremyPenner\r
+ * NathanKennedy\r
+ 1. NathanKennedy\r
+ 1. LukeChao\r
+ 1. DavorOcelic\r
+ 1. AdamChlipala\r
+ 1. DavidBettis\r
+ 1. MichaelOlson\r
+ 1. MikeLeonhard\r
+ 1. ClintonEbadi\r
+ 1. MatthieuSozeau\r
+ 1. DrewRaines\r
+ 1. Jeffrey Drake\r
+ 1. JohnSettino\r
+ 1. RickHull\r
+ 1. NoufalIbrahim\r
+ 1. JeremyPenner\r
+ 1. Matt Currington\r
+ 1. AadityaSood\r
+ 1. GianPerrone\r
+ 1. FrankBynum\r
+ 1. TanveerSingh\r
+ 1. SriharshaSetty \r
+ 1. VisnjaBolf\r
+ 1. AndreKuehne\r
+ * DavorOcelic\r
+ 1. LukeChao\r
+ 1. NathanKennedy\r
+ 1. RobGubler\r
+ 1. MikeLeonhard\r
+ 1. DavorOcelic\r
+ 1. TerrenceBrannon\r
+ 1. RickHull\r
+ 1. NoufalIbrahim\r
+ 1. Matt Currington\r
+ 1. FrancoisDenisGonthier\r
+ 1. FrankBynum\r
+ 1. TanveerSingh\r
+ 1. VisnjaBolf\r
+ 1. AndreKuehne\r
+ * JasonSmathers\r
+ 1. AdamChlipala\r
+ 1. RobGubler\r
+ 1. MichaelOlson\r
+ 1. MatthieuSozeau\r
+ 1. TerrenceBrannon\r
+ 1. DrewRaines\r
+ 1. JohnSettino\r
+ 1. BrianHolmes\r
--- /dev/null
+This page is for the election of the second Board of Directors of HCOOP, Inc. Nominations shall be done in our usual wiki style. Voting shall be done through the HCOOP portal. You may see last year's election results at ["Election2005"] or summarized on the BoardOfDirectors [http://hcoop.net/board/ website].\r
+\r
+This election is governed by articles 3 and 4 of our HcoopBylaws. All current members in good standing may vote for three candidates to replace the outgoing board, whose term expires on April 4, 2006.\r
+\r
+Please list candidates to nominate below. You may nominate any current HCOOP members, including yourself. Please list candidate names alphabetically by last name, and list your own name as the nominator. \r
+\r
+Nominations may continue until March 31, 2006, 11:59 PM UTC. Voting on all candidates who have accepted their nominations shall begin on April 4, 2006 at midnight UTC and continue for one week through April 11, 2006 at midnight UTC.\r
+\r
+Please note that this is a minor procedural change from last year. The voting period is the same, beginning and ending exactly one year later, but unless anyone has reasonable objections, nominations will be closed at the end of March, in order to prevent last-minute nominees from being left off of the ballot.\r
+\r
+= Nominations =\r
+ 1. AdamChlipala. Nominated by NathanKennedy.\r
+ 1. NathanKennedy. Nominated by NathanKennedy.\r
+ 1. DavorOcelic. Nominated by NathanKennedy.\r
+\r
+= Candidate Acceptances =\r
+Nominees who accept their nominations must place their name here, along with any statement or links that they wish to make.\r
+\r
+== Adam Chlipala ==\r
+\r
+I'm the founder, current president and treasurer, and author of most of our portal and custom administration software. I'd be glad to continue help keep this ship on course. :-)\r
+\r
+== Nathan Kennedy ==\r
+\r
+I have served as secretary of the board for the past year. I am pleased that the past year has seen the membership of the co-op almost double through word-of-mouth alone. I have put a good deal of work into legal and administrative issues, such as incorporating, drafting bylaws, registering with the IRS in order to get a corporate bank account, and filing for tax-exempt status. This last application is still ongoing, and since it will probably be a while before the IRS finishes processing our application, the more pressing issue to resolve before April 15 is what our tax obligations for the present year are, including filing a tax return if need be.\r
+\r
+Beyond this dull but necessary work, I have a few goals for HCOOP:\r
+ *Keep entry-level base dues for members at or below US$5/month or less. As we expand our infrastructure, maintaining this benchmark will require pricing changes, and I will continue to seek feedback from all our members in order to figure out the fairest policy for everyone.\r
+ *Create a service which is accessible and useful for non-techy users. I believe we can not only do this without compromising the great value that HCOOP has to technical users, but that providing a service which more casual users seeking a low-cost webhost can use will enable all of HCOOP's users to benefit from greater economy of scale.\r
+\r
+I hope you will re-elect the three current members of the board. Adam, Davor, and myself are a good balance of skills, geographic locations, and personalities. I believe that together we can continue to bring the membership together to create a service that gets better all the time.\r
+\r
+== Davor Ocelic ==\r
+\r
+As usual, please visit my DavorOcelic user page. Thank you.\r
--- /dev/null
+Nominations are now CLOSED. Please do not edit this page unless you are already a candidate listed below. You may now vote in the election at [https://members.hcoop.net/portal/poll?vote=9].\r
+\r
+----\r
+\r
+This page is for the election of the second Board of Directors of HCoop, Inc. Nominations shall be done in our usual wiki style. Voting shall be done through the HCoop portal. You may see last year's election results at ["Election2006"] or summarized on the BoardOfDirectors website.\r
+\r
+This election is governed by articles 3 and 4 of our HcoopBylaws. All current members in good standing may vote for three candidates to replace the outgoing board, whose term expires on April 11, 2007.\r
+\r
+Please list candidates to nominate below. You may nominate any current HCoop members, including yourself. Please list candidate names alphabetically by last name, and list your own name as the nominator.\r
+\r
+Nominations may continue until March 31, 2007, 11:59 PM UTC. Voting on all candidates who have accepted their nominations shall begin on April 4, 2007 at midnight UTC and continue for one week through April 11, 2007 at midnight UTC.\r
+\r
+= Nominations =\r
+ 1. AdamChlipala. Nominated by NathanKennedy.\r
+ 1. DavorOcelic. Nominated by NathanKennedy.\r
+ 1. NathanKennedy. Nominated by AdamChlipala.\r
+ 1. JustinLeitgeb. Nominated by DmitriyMorozov.\r
+\r
+= Candidate Acceptances =\r
+Nominees who accept their nominations must place their name here, along with any statement or links that they wish to make.\r
+\r
+ 1. AdamChlipala. I started HCoop, and I'm the current president and treasurer. I develop the custom software that keeps HCoop running, including DomTool and [https://members.hcoop.net/ the portal]. I also get to be the one all the volunteers hate, because I have to poke them when they go radio silent and we're not sure if they're still handling their jobs! My platform is simple: set up technical and social infrastructure to make HCoop sustainable. It's easy for members looking in from the outside to imagine that it's important for a candidate to have a laundry list of "great ideas," assuming that HCoop is ready to expand from its current stable base. In actuality, HCoop runs now because I take on almost all of the work, including things that '''no one''' finds fun and wants to do. Because I'll soon be leaving behind the world of studenthood, it's no longer feasible to assume that I'll be doing all of the heavy lifting. Finding sustainable ways of spreading the work evenly is the most important activity for the co-op, or it won't be surviving much longer. "Environmental policy" is hardly relevant in comparison. I'm sure that almost any single member could make small changes in his daily life and have a bigger positive environmental impact than the whole co-op could ever have while still providing the level of service that our members expect.[[BR]][[BR]]\r
+\r
+ Put another way: '''HCoop is not stable today!''' It looks like everything is holding up fine because I have sacrificed and continue to sacrifice so much of my time and money to keep things running. Solving this problem is much more critical than anything related to social movements or the environment, because a dead HCoop can do nothing to further those causes a year from now. I'm working on directing various solutions to these problems now. As far as I know, no one else has ever initiated any efforts to solve any of the problems I'm describing, despite what I hope is an open environment where everyone is encouraged to chip in on our mailing lists. In contrast, I've initiated every hardware and software architecture upgrade that HCoop has gone through so far and drafted every set of guidelines for distribution of responsibilities, along with writing all of the software to make these distributions possible. If this isn't the right kind of "vision" to be thinking about in this election, then I don't know what is.\r
+\r
+ 2. DavorOcelic. I am a current Board of Directors member. For my platform and an overview of my plans for HCoop in the following year, see my Wiki page DavorOcelic.\r
+\r
+ 3. JustinLeitgeb. I have been an HCoop member since 2005 and I helped out with the process of deciding on a new colocation site for our servers (i.e., the current project at Peer 1). For the platform that I am running on, see the wiki page JustinLeitgeb.\r
+\r
+ 4. NathanKennedy. I am currently a board member and secretary of HCoop. I've taken care of most of the legal side of HCoop, incorporating it as a nonprofit as well as successfully obtaining recognition from the IRS for HCoop as a tax-exempt cooperative. I have also dealt with Peer1 and handled the physical installation at the Peer1 site. My goals for 2007 include ensuring a smooth transition to our Peer1 site, planning for future growth, and ensuring that the future of HCoop is secure as a cooperative organization. Beyond the transition to our new architecture at Peer1, this includes developing a robust backup and disaster recovery protocol, developing an environmental policy, expanding the board from three to five seats over the next year, and at some point setting a target for hiring staff.\r
--- /dev/null
+Before continuing with this page, you probably want to read DomainTool to learn the basics of how we handle shared daemon configuration.\r
+\r
+There are two ways to control how exim handles mail sent to your domains.\r
+\r
+The first, simpler, and preferable way is to ask exim to redirect messages from particular input addresses to particular output addresses. These redirections are called aliases. This method avoids creating any new mailboxes, and it even supports redirecting to e-mail accounts on other servers.\r
+\r
+If you really need distinct mailboxes for different addresses at your domain, then you can use virtual mailboxes. While aliases work similarly to other DomainTool features, virtual mailboxes are managed with a special command-line tool {{{vmail}}}.\r
+\r
+= E-mail aliases =\r
+A {{{.aliases}}} file in a domain's directory controls its e-mail aliases. A {{{target}}} below may one of three things:\r
+\r
+ * a local username, to deliver mail to that user\r
+ * an e-mail address, to forward mail to it\r
+ * {{{!}}}, to drop mail to this address\r
+The file then consists of a sequence of lines of the following types. In each case, {{{targets}}} means a comma-separated list of one or more targets. \r
+\r
+ * {{{user targets}}}: Send all mail to {{{user@domain}}} to {{{targets}}}.\r
+ * {{{* targets}}}: Send all mail to {{{domain}}} not matching any other rule to {{{targets}}}. However, if mail is sent to an existing UNIX username, the message will go to that account.\r
+ * {{{** targets}}}: Send all mail that does not match another rule to {{{domain}}} to {{{targets}}}, even mail addressed to real UNIX usernames.\r
+\r
+After you modify the {{{.aliases}}} file, run the command {{{domtool}}} followed by the command {{{reloadusers}}} for the changes to take effect.\r
+\r
+== Example: Using aliases to send e-mail to multiple accounts ==\r
+\r
+The email aliasing feature can be used to set up a mailing list where email to one address is sent to multiple addresses. In order to do this, include a line similar to the following in your .aliases file (no caps, no spaces):\r
+\r
+{{{admins beth@test.org,bob@test.org}}}\r
+\r
+In this example, {{{admins@yourdomain.org}}} would be the destination address that would send an email to both {{{beth@test.org}}} and {{{bob@test.org}}}.\r
+\r
+After you modify the {{{.aliases}}} file, run the command {{{domtool}}} followed by the command {{{reloadusers}}} for the changes to take effect.\r
+\r
+= Virtual e-mail addresses =\r
+You may create virtual e-mail boxes for any domains for which you have write permission in DomainTool. I think a few examples will explain the process well enough.\r
+\r
+Before continuing, however, please note that DomainTool allows you to create aliases that forward mail from one address to another. Aliases are much preferable to extra mailboxes, both in terms of conserving server resources and convenience for you, as you can continue checking one mail account even if multiple aliases point to it. The basic rule is: If you are creating a virtual mailbox that only you will read, or if you are creating multiple virtual mailboxes to be read by the same other person, then you should be using aliases instead.\r
+\r
+{{{\r
+% vmail your.domain add new.user\r
+Password: password\r
+Reenter password: password\r
+Mailbox created.\r
+% vmail your.domain list\r
+new.user\r
+% vmail your.domain passwd new.user\r
+Password: password'\r
+Reenter password: password'\r
+Password set.\r
+% reloadusers\r
+% vmail your.domain rm new.user\r
+Are you sure you want to remove new.user@your.domain? (yes/no) yes\r
+Removed.\r
+}}}\r
+Running {{{reloadusers}}} is necessary to update Courier's database with your new user information. You only need to run it at the end of a batch of modifications, including just a single modification. After doing this in the example, your new user can access his e-mail with username {{{new.user@your.domain}}} via SSL IMAP or POP3 at {{{mail.hcoop.net}}}. He could also use [http://mail.hcoop.net/ SquirrelMail].\r
+\r
+In the example above, the created mailbox lives at {{{/home/vmail/your.domain/new.user}}}. The files are owned by the creating user, so they will count towards your disk quota. This also means you can muck around with your virtual mailboxes directly, but I wouldn't advise it. However, you should only be able to screw yourself over by doing so. The one time when it's helpful to access them directly is when transferring mailboxes across machines.\r
+\r
+For your virtual mailboxes that are intended to be used by other people (which should be all of them!), we have [https://members.hcoop.net/passwd a web page] where your users can change their own passwords.\r
+\r
+= Backup MX services =\r
+See the {{{BackupMail}}} directive in DnsConfiguration.\r
+\r
+= Debugging mail problems =\r
+If you are having problems with e-mail accounts associated with a domain that you don't own, post a support request on [https://members.hcoop.net/portal/ the portal].\r
+\r
+For domains that you ''do'' own, you can run the {{{rlog domain.name}}} command to see those lines from the current mail log that contain your domain name. This won't always be all the information that you'd like to see, since log entries can be grouped without containing the domain name on each line, but it can be helpful all the same. A better solution might be put into place if someone develops one.\r
--- /dev/null
+This page contains a draft of a proposed HCoop Environmental Policy. As always, add comments or proposed revisions here.\r
+\r
+== Background ==\r
+One of the defining SevenPrinciples of cooperatives is "Concern for Community," or more succinctly, Social Responsibility. A cooperative that ignores its social responsibility has ceased to be cooperative at all and has become a mutant, renegade firm. Environmental responsibility, then, is an extension of a cooperative's greater social responsibility.\r
+\r
+The greatest single resistance to a solid environmental policy is the attitude that it will increase costs with no tangible benefit. In fact, often environmental discipline yields a direct cost saving, and where additional costs are incurred they are usually small for this type of business. Additionally, the ability to certify our business as green and powered by renewable energy gives us bragging rights that few other services in a crowded field can offer, and can draw in more business from environmentally conscious consumers. This is the best kind of advertising money can buy.\r
+\r
+Moreover, the sooner we adopt a comprehensive policy, the easier it will be to stick to it, rather than doing it halfway and making excuses once we are large that we've never done it in the past.\r
+\r
+On to the substance:\r
+\r
+== Power ==\r
+Baseline: Zero carbon emissions, ideally from clean energy offsets.\r
+\r
+How: Purchasing renewable energy credits or carbon offsets equal to the number of KW-hours consumed by HCoop servers. NativeEnergy defines "renewable energy credits" this way:\r
+\r
+ . RECs are a commodity that consist of the rights to claim the emissions reductions and other environmental benefits of green power. RECs became a commodity because people who want to buy green power often don't have it available to them. No matter where you live, you can achieve the same environmental benefits of buying green power by buying RECs to “green-up” the generic electricity you get from your utility. Utilities often buy RECs on your behalf to provide you green power. RECs are also referred to as “green tags” and tradable renewable certificates.\r
+Where: Two of the better options I have found:\r
+\r
+ * [http://www.nativeenergy.com/ NativeEnergy] ''Wind''Builders.\r
+ * [http://www.carbonfund.org/ Carbonfund] Carbonfund offsets.\r
+Immediate cost: between $0.05 and $0.15 per member monthly. Future cost: the same or lower, as hardware utilization rates increase, and more efficient hardware is acquired.\r
+\r
+AdamChlipala says:\r
+\r
+ . I know we discussed this when you first joined, but would you mind rehashing here how buying energy credits allows us to be certified as powered by renewable energy, or how in general it can be seen as anything but a charitable donation unconnected to our real operations?\r
+ . NativeEnergy's CoolWatts certificates are certified by [http://www.green-e.org/ Green-e] as putting the number of KW-hours of wind energy on the face of the certificate into the electrical grid. Our servers directly consume electricity from coal, gas, and other non-renewable, polluting and greenhouse gas-emitting sources. We can calculate the exact amount of KW-hours of dirty power consumed by our servers and purchase certificates for that exact amount. If we average 10A of current, then we use 110V*10A*365.25*24/1000 = 9642 KW-hr per year. Buying 10,000 KW-hr of wind certificates would then be equivalent to powering our servers with wind turbines and displacing the dirty power that our servers otherwise use (which costs $8/mo from NativeEnergy. Once we migrate we will probably be using around 5A or less to begin, so the cost would be proportionately less). This is not a charitable donation, it is internalizing the direct environmental cost of our servers. If we bought more energy credits than the power that we actually consume, that would be a "charitable donation." Carbon credits are similar, except they use a more general market-based approach to dealing with greenhouse gases only through a variety of programs. --NathanKennedy\r
+== Hardware ==\r
+Baseline: Ensure that no HCoop electronics end up in landfill.\r
+\r
+How: At a minimum, send all hardware not sold or donated to a reputable recycling facility.\r
+\r
+Where: Suggestions?\r
+\r
+Immediate cost: none\r
+\r
+Future cost: Selling hardware could ''save'' money. Recycling could cost some money as hardware is retired. Some manufacturers will recycle their hardware for free.\r
+\r
+Links to computer recycling programs:\r
+\r
+ * [http://www.dell.com/recycle Dell Recycling]\r
+== Paper ==\r
+Baseline: Minimize use of paper. Use only post-consumer recycled/tree free paper.\r
+\r
+Where:\r
+\r
+ * [http://www.livingtreepaper.com/ Living Tree Paper] - post-consumer / hemp / flax paper\r
+DavidBettis says:\r
+\r
+ . I don't think creating policies that deal with products that are of such limited use to the coop need to be encoded in documents such as this. Alternatively, we could have a section that states that we should prefer recycled products, when economically feasible.\r
+Immediate cost: none, HCoop's use of paper is currently limited to occasional mailings and corporate records. Future cost: cost savings through conservation. Paper is such a tiny portion of cost that nominal premium for recycled or tree-free paper is nothing.\r
+\r
+== External Resources ==\r
+ * [http://www.phone.coop/about/envir_policy.html phone.coop's environmental policy]\r
--- /dev/null
+\r
+This page contains example scripts for automating the process of\r
+giving SpamAssassin feedback.\r
+\r
+= Warning =\r
+\r
+Your mileage may vary. Feel free to fix bugs. Test these scripts\r
+before making use of them. Make sure you know what you're doing.\r
+\r
+= Scripts =\r
+\r
+'''feed-site-spam''': Feed uncaught spam messages to SpamAssassin.\r
+\r
+'''NOTE''': It is assumed that you empty your Spam folder after\r
+running this script. Otherwise you'll feed some of the same messages\r
+to SpamAssassin every time you run the script.\r
+\r
+{{{\r
+#!/bin/bash\r
+\r
+# Location of your spam directory\r
+SPAMDIR=~/Maildir/.Spam.Definitely/cur\r
+\r
+# Destination directory for spam messages\r
+SHAREDDIR=/etc/spamassassin/Maildir/.SiteSpam/cur\r
+\r
+# Copy files were not marked as spam to the site folder\r
+for i in $(find $SPAMDIR -type f -print0 | xargs -0 grep -l "^X-Spam-Status: N");\r
+do\r
+ cp $i $SHAREDDIR\r
+done\r
+}}}\r
+\r
+\r
+'''feed-site-ham'''\r
+\r
+{{{\r
+#!/bin/bash\r
+\r
+# Prefix for folder locations\r
+MAILPRE=~/Maildir/.\r
+\r
+# IMAP directories that contain definite non-spam (ham)\r
+HAMDIRS="Bugs Family Friends Fun Gnu Info Lists Plug School Work"\r
+\r
+# Destination directory for ham messages\r
+SHAREDDIR=/etc/spamassassin/Maildir/.SiteHam/cur\r
+\r
+# Copy files that were erroneously marked as spam to the site folder.\r
+# Note: This includes email with a spam level of 3 or higher,\r
+# 30 days old or less.\r
+for i in $HAMDIRS; do\r
+ echo Learning ham in $i:\r
+ for i in $(find $MAILPRE$i/cur -type f -ctime 30 -print0 | xargs -0 grep -l "^X-Spam-Level:.*\*\*\*");\r
+ do\r
+ cp $i $SHAREDDIR\r
+ done\r
+done\r
+}}}\r
--- /dev/null
+The recommended way (and possibly only reasonable way at the moment) to upload content from your computer to our servers (or the other way around if you want to make backups) is to use ''scp''. It is a secure and easy way to copy single files or whole directory trees.\r
+\r
+If all you want is to keep a directory at hcoop in sync with your local changes, you should consider using ''rsync''. It can significantly reduce bandwidth usage by only transmitting the differences between the two trees. Since version 2.6 ''rsync'' uses ''scp'' for file transfer by default. For older versions you have to use the ''-e'' (''--rsh'') option. For example:\r
+\r
+{{{\r
+rsync -avz -e ssh ~/html/hcoop/* username@hcoop.net:public_html\r
+}}}\r
+You can also use plain ''scp'', but it overwrites destination files and is usually only applicable when you are uploading new files to hcoop:\r
+\r
+{{{\r
+scp -r ~/html/hcoop/* username@hcoop.net:public_html\r
+}}}\r
+You can run command-line sftp (Secure FTP) tool:\r
+\r
+{{{\r
+sftp hcoop.net\r
+Connecting to hcoop.net...\r
+Password:\r
+sftp> help\r
+}}}\r
+With GUI FTP clients, SFTP connection is possible if the clients support "Secure FTP" or similar as the connection method. In Unix/Gnome, you could use for example ''gftp''; for Microsoft Windows, example clients are the free [http://WinSCP.sourceforge.net WinSCP], or proprietary FTP Voyager.\r
+\r
+We also started supporting the usual FTP protocol, but you need to request the ability to use it (see [https://members.hcoop.net Member Portal]), and we only allow "SSL Auth" method (see FtpConfiguration). Here's an example:\r
+\r
+{{{\r
+ftp hcoop.net\r
+Connected to hcoop.net.\r
+220 fyodor.hcoop.net FTP server ready.\r
+Name (hcoop.net:user):\r
+234 AUTH SSL OK.\r
+[SSL Cipher AES256-SHA]\r
+331 Password required for user.\r
+Password:\r
+User logged in.\r
+Remote system type is UNIX.\r
+Using binary mode to transfer files.\r
+ftp> help\r
+}}}\r
--- /dev/null
+'''This page is out of date. See [http://members.hcoop.net/portal/pledge the pledge page] for the current situation. The default amount in the "calculate your share" box is what we expect to pay per month.'''\r
+\r
+Various quandries in how we pay for all this cool stuff\r
+\r
+= One-time costs =\r
+If you are willing to chip in towards the $3102 in one-time costs that we are pondering now for our new hosting set-up, either through a donation, a loan/bond, or some other scheme of your own devising, then please record here your name and the details of your offer.\r
+\r
+ * AdamChlipala is willing to make a donation towards this if a few other people agree to split the costs evenly. He'd also probably waive his right to interest payments if a bond-based scheme ends up being the clear winner.\r
+ * FrankBynum is willing to make a donation as well, though would prefer to defer his payment until the end of August when his student loans come through. He could pay now if necessary, though. He would similarly waive interest payments, and is intrigued by the bond setup if there is enough support for it.\r
+ * ShaunEmpie is a fan of the bond scheme, but will also go with a no interest loan if the bond idea does not fly. The amount of the loan is TBD.\r
+ * TerrenceBrannon is willing to make a donation fo USD $50.00\r
+ * AndreKuehne is willing to make a donation of $50.\r
+ * NathanKennedy is willing to indefinitely keep his ~$450 balance already on deposit with the co-op, and make an additional $240 interest-free loan, to be paid back into his account in 24 monthly installments of $10. Additionally, he is willing to donate the first year of renewable energy credits, suggesting ''Cool''Watts from ''Native''Energy—i.e. the co-op would sign up to have the funds debited from its checking account, and for the first year for this to be debited in turn from ntk's balance.\r
+ * TanveerSingh is willing to put in 200$ as an interest free loan, paid back over 20 months. This loan may be adjusted in his monthly payments to the coop if so desired\r
+ * JeffreyDrake is additionally concerned about the idea of the cooperative getting into this much debt. The current funds are dictated by what the members put in. The members put in based on service costs. I can see this being a problem for payback later on, possibly even if it is by paying back in service credits (the money still has to come from somewhere and it is starting to appear like there will be quite a few members being creditors).\r
+ * How is this so much debt? We already have over $2000 in cash. It looks like we will be financing at most $1500 in member loans. Even at our current size that is only $22 per person! The idea is that more members will join after the migration, at least twice as many, hopefully we will triple our size before too long. Which would make it about $7.50 per person, paid back over about two years. I think financing through loans, especially cheap or free loans from members which are a much better deal than we could get in the open market, is more responsible, sustainable and sensible than billing the co-op outright at this point. Would you really prefer billing everyone $47 right now? --NathanKennedy\r
+ * [Instead of doing this, I've opted to increase my shares, since it will only be for a few months] MichaelOlson is willing to donate a yet-undetermined amount (not exceeding $400) for the one-time costs when our purchasing plans are finalized.\r
+ * MatthieuSozeau is willing to make a donation of $50.\r
+ * RobLinwood is willing to donate upto $300 for financing.\r
+ * BillAllen is willing to donate up to $50, plus make an interest free loan of $200 or so as described by others above.\r
+\r
+= Monthly costs =\r
+If you are not willing to pay $13.44 per month for a few months, then please record your name here and how much you ''are'' willing to pay.\r
+\r
+ * JeffreyDrake is not willing to pay a combined total of over $7.00. Current and future plans involve very minimal use of resources and costs cannot be justified. This position is current till at least the new year.\r
+ * NathanKennedy suggests offering an ''opt-in'' alternative plan at a flat rate of $5 per month to members whose resource usage is in the bottom quintile. At his current level JeffreyDrake would qualify. For the future members who do not qualify or opt in would evenly split remaining costs. Opting-in members would be responsible for keeping their disk/bandwidth/memory/CPU usage low, and would also likely need to have stricter quotas and ulimits set.\r
+ * TanveerSingh thinks this may not work as we still do not have a reliable quota system. Sure we have web stats but things like ftp/ssh etc., are not really logged properly and we currently do not have the required infrastructure(software) to do so. Admins may correct me if I am wrong\r
+ * I was thinking of using a semihonor system to enforce this. It's fairly obvious who the heavier users are, and it is unlikely that someone near the bottom of disk/web usage is going to be using sneaky methods to waste HCOOP's resources in other ways. If it became a problem we could revisit this. --NathanKennedy\r
+ * As current bleed on funds is just over $3 per month, an additional $5 per month would be very economical for me. -- JeffreyDrake\r
+\r
+ * As someone who uses 1% of total bandwidth used on avg (from last 3 months stats) and 1% of the largest disk user (so percent to total would be miniscule) and whose CPU usage is unknown, but whose budget for hosting from donations to support my site is approx $5 (each user donates $6 to "sponsor" that particular month) , this new amount, even if temporary, would force me to leave and look for other hosting that is within my expense limitations. And I understand that we are not using all of the bandwidth we are presently getting, so my percent of that would be even less. --''Hallgren/chatmroomcc''\r
+ * Your stats are somewhat disingenuous. You have been consistently been one of the top bandwidth users of late--so far this month number 2 out of 67, after clinton. Likewise your disk usage is not high but it is just a bit below the median. It would make sense to charge extra to those members who are using disproportionate resources, e.g. clinton and a few others on bandwidth and terry and a few others on disk space, but it is debatable whether this is actually a good idea when we are so far from being saturated and the difference is a single order of magnitude. But while I am certainly willing to look for ways to keep your costs low, you certainly aren't using below-average server resources. --NathanKennedy\r
+ * I'll be the first to agree that for current month thus far, my bandwidth is high. I was looking at prior months and comparing it to overall total used. I'm also under the impression that we are not using anywhere near the bandwidth that we are presently under contract for. So how do we account for all the unused capacity? I'll never need that much capacity. If HCoop gets billed for , let's say for example, 10 times the bandwidth we now use, should I as one who doesn't need/want that resource be billed based on that? That was my point. -- Hallgren\r
+ * You can't just say you're using 1% of the co-op's total bandwidth. First of all, a lot of that bandwidth is used by HCoop's websites and is not allocated to any individual user at all, and moreover we have 67 members. You are using several times the median bandwidth per member. And yes, we do have a free terabyte of bandwidth monthly at Interserver, that we are now only using a fraction of. But it's not as if you can just say you are being overcharging. At Xiolink, we didn't have free bandwidth and we were paying per gig, through the nose--more than we are paying at Interserver. And we need to have room to expand--even discounting new members, our bandwidth usage has been steadily rising. We have a contract for bandwidth for the mutual benefit of all our members, you are not the only one paying for this "wasted" bandwidth. If all goes well, as new members join costs per member will steadily drop from $13/month back to the under $5/member where it is now, but with vastly greater resources, network, and overall value to each member within our expanded infrastructure. I hope we can arrange a situation where you can afford dues through that point, but in order to get there we have to be equitable to all members. -- NathanKennedy\r
+\r
+ * AlexandreSantos is not willing to pay $13.44 per month for a few months. I perfectly understand that people wish to improve and expand the capacities of HCoop, but it just goes beyond the budget I had planned for my webhosting. I also understand that this could unfortunatelly mean the end of my participation to HCoop. If the others agree, I would be happy to pay $5/month as long as my ressource usage remains suitably low. Sorry for not being more supportive, but at the moment I just do not have the time to use the ressources and can't really justify the increased expenses. --AlexandreSantos\r
+ * Your utilization of HCoop has consistently been very low, lower even than jdrake's. Regardless of the scheme that we choose, at your present usage levels you would definitely qualify for the reduced rate, which I would like to keep to at most $5 monthly. I certainly understand your need to keep costs low and obviously you are not using $13 worth of services by any measure. --NathanKennedy\r
+\r
+ * RickHull is not willing to pay $13.44 per month for a few months. I echo AlexandreSantos' comments. I am currently above the median on both bandwidth and disk usage, but I cleaned out some backups (2006-08-15) and `du` now shows 63344. Also, the band whose website I am hosting has been hiatus since July and does not expect much web traffic from here on out. August's statistics should be telling... $6.72 sounds about right...\r
--- /dev/null
+Since we primarily provide "Internet hosting" and not "shell servers," our primary concern is keeping our services up and reliable. To this end, we try to limit user actions as much as possible without stopping those users from doing reasonable things.\r
+\r
+One way we enforce this is by disallowing all network traffic that isn't covered by a specific "whitelist" rule in our {{{ferm}}} firewall configuration, rooted at {{{/etc/firewall/closed.conf}}}. The file {{{/etc/firewall/users.conf}}} defines user-specific rules, granting users permission to listen on particular ports or connect to particular ports on other servers. We try to limit connections to particular IP addresses, as well, whenever feasible.\r
+\r
+Why do this? As an example, we can look at a successful attack performed on our old server. A member's buggy PHP script allowed anyone to run arbitrary code as the PHP user. An attacker used this to obtain shell access, by running a shell server on a nonstandard port; and to connect to an IRC network and serve large media files, costing us hundreds of dollars in transfer fees. The first problem can be prevented by simply not allowing users to listen on ports that they don't have specific permission for. The second one can be prevented by authorizing IRC client connections to particular server IP addresses only. Sure, most of the time no harm will come from allowing unrestricted IRC client connections, but, when it matters, it can be very helpful to block actions that we haven't specifically authorized.\r
+\r
+= fwtool =\r
+To make it easy for us to manage these per-user tools, we've developed an administrative tool called {{{fwtool}}}. It generates the appropriate {{{ferm}}} configuration using input from the file {{{/etc/firewall/users.rules}}}. The portal has [https://members.hcoop.net/portal/sec an interface for requesting modifications to this file] on your behalf. You should also be able to view this file directly, if curious.\r
+\r
+At the moment, {{{fwtool}}} supports these directives:\r
+\r
+ * {{{user Client ports [hosts]}}}: Allow {{{user}}} to connect to remote hosts on any of the given {{{ports}}}, which are specified as a comma-separated list of single port numbers and/or ranges of the form {{{low:high}}}. The space-separated list {{{hosts}}} is optional. If omitted, connections are allowed to any remote IP addresses. If included, {{{hosts}}} provides an exhaustive list of the IP addresses and/or hostnames to which to allow connections.\r
+ * {{{user Server ports [hosts]}}}: The analogue of the above, for the privileges of listening and accepting connections.\r
+ * {{{user LocalServer ports}}}: Allow {{{user}}} to listen and accept connections on the {{{ports}}}, but only for connections from the local server to itself. This is useful for things like running your own web server that Apache proxies, which you can configure using the {{{LocalProxy}}} VirtualHostConfiguration directive.\r
--- /dev/null
+Hello! I'm Frank Bynum, hcoop member since January of 2004. At that time I lived in New York City, and I have since moved to Los Angeles. Here, I am a third-year student at the University of Southern California Law School. Eventually I hope to be able to help hcoop in a legal capacity, since I'm no use as a sysadmin.\r
+\r
+I run a website at http://frankbynum.com/\r
+\r
+That site has been up, in various forms, since May of 2000. I have had a website of some form in various places since around December of 1995.\r
+\r
+I'm originally from Texas. A blue part of texas.\r
--- /dev/null
+##master-page:FrontPage\r
+#format wiki\r
+#language en\r
+#pragma section-numbers off\r
+= hcoop Wiki =\r
+\r
+This is the Internet Hosting Cooperative's space for maintaining documentation on how our services work. Everyone, including both members and non-members, is invited to create and edit appropriate pages.\r
+\r
+If you are new to wikis, see the DefaultFrontPage.\r
+\r
+= News =\r
+\r
+ * DomtoolTwo: The next generation configuration management tool for HCoop\r
+ * FinancingIssues: Who is willing to pay how much, when, and for what\r
+ * PaymentPlanProposals: Ideas about payment plans to cover HCoop costs\r
+ * PaymentProcessing: Figure out how we should accept electronic payments.\r
+ * ColocationPlans: Plans for our next server set-up, designed to handle more users than can fit comfortably on a single main server.\r
+ * AdminPolicies: Draft set of formal guidelines governing the responsibilities of members tasked with administrative roles, technical and otherwise.\r
+\r
+= Getting started =\r
+\r
+ * HCOOP's [http://hcoop.net/ front page].\r
+ * ProspectiveMemberFaq\r
+ * NewMember\r
+\r
+= Technical information =\r
+\r
+== Basic account usage ==\r
+\r
+ * [https://members.hcoop.net/ The member portal]\r
+ * SshConfiguration: How to connect to our servers for shell access\r
+ * FtpConfiguration: How to connect to our servers for FTP access\r
+ * FirewallRules: What you can do over the network on our servers\r
+ * FileTransfer: How to get files created elsewhere onto our servers\r
+ * UserWebsites: The easiest way to host a web site with us\r
+ * UsingEmail\r
+ * UsingDatabases\r
+ * DynamicWebSites\r
+ * SystemAuthentication: Authentication mechanisms supported\r
+ * BackupServices\r
+ * UsingResourceLimits: What to do if your process dies when trying to fork or allocate memory\r
+ * JabberServer: How to get a Jabber account\r
+ * SpamAssassin: How to set up automated spam filtering for your HCoop email account\r
+ * WebSpam: Add ideas on how to defeat spam that defaces web pages to this wiki page, or add links to your web spam logs.\r
+\r
+== Configuring shared daemons ==\r
+\r
+ * DomainRegistration: How to get your own domain properly set up to use hcoop's servers\r
+ * DomainTool: An overview of our tool to let users configure how shared daemons handle their domains\r
+ * DnsConfiguration\r
+ * VirtualHostConfiguration\r
+ * EmailConfiguration\r
+ * MailingListConfiguration\r
+ * MoinMoinConfiguration: Setting up your own wiki like this one\r
+ * UsingSsl: How to create SSL certificates\r
+\r
+== Non-technical administrative stuff ==\r
+\r
+ * IrcChannel: Join our "chat" channel for 24/7 discussion.\r
+ * [http://hcoop.net/board/ Secretary's official records and information site]\r
+ * HcoopBylaws\r
+ * MemberDues\r
+ * BoardOfDirectors\r
+ * NamingConventions: What the right ways are to write HCoop's name and Internet addresses in different contexts\r
+ * IrcMeetings\r
+ * SevenPrinciples\r
+ * EnvironmentalPolicy\r
+ * GenderNeutralLanguage: Tips on how to write in a gender-neutral way for the HCoop wiki or in any other forum.\r
+ * OtherGroups who run services similar to us\r
+ * TheHcoopLook: web site visual design chatter\r
+ * ["T-Shirt"]: help design and plan the new HCoop T-shirt\r
+ * CategoryOutdated\r
+\r
+== System administration ==\r
+\r
+ * InstalledSoftware: Information on packages installed and maintained by means other than Debian's `apt`\r
+ * InstallationLog: Our admins' progress on setting up this new server\r
+ * CategorySystemAdministration: Other bits of interest to our admins and other curious folk\r
+ * OpenProblems: Problems we're trying to solve to make our services more reliable\r
--- /dev/null
+= Setting up FTP access =\r
+We offer FTP access on the standard FTP port (21, that is), with two things to have in mind:\r
+\r
+First, FTP access is disabled by default. You need to request FTP access privilege on our [https://members.hcoop.net/portal/sec Portal / Security page].\r
+\r
+Second, '''only SSL-authenticated FTP is allowed'''. In other words, you need to use an FTP client that supports (explicit) "SSL Auth" method, and there are many available. For reference though, you could install `ftp-ssl` package on Unix, or download [http://www.coreftp.com CoreFTP] for Microsoft Windows (not that I encourage the use of CoreFTP specifically in any way, but one of our users had success with it, using the free Lite vers.). Or alternately you can use [http://filezilla.sf.net FileZilla].\r
--- /dev/null
+Describe GenderBiasedLanguage here.\r
--- /dev/null
+'''This page is not intended as an "official HCoop policy or position." Rather, it is an attempt by some of the members to call attention to issues of how our language reflects and reproduces gender norms that exist in our society, and to disseminate information that may help those who agree with the ideas in this page (if not the exact manner in which they have been articulated) to write in a manner that is more gender-neutral. In addition, since some members disagree with the ideas in this page, dissenters may voice their opinions on this page as well.'''\r
+\r
+= Reasons for Using Gender-Neutral Language =\r
+\r
+For many in the Cooperative, language is not merely a tool that we use, but one which reproduces the structures of power in our society. Gender inequality, as one of these social forms of power, is also reproduced through language. Because of this, many members of the Cooperative feel strongly that we consider carefully how gender bias creeps into our everyday languages, including the communication between members of the Cooperative and externally.\r
+\r
+== Tips on Writing in a Gender-Neutral Style ==\r
+\r
+Generally, many of the arguments for gender-neutral language have led those who advocate its use to prefer gender-neutral instead of gender-specific pronouns when discussing a person whose gender is unknown, when the person prefers to not categorize themself as belonging to a specific gender, or when a group of individuals is of mixed gender. \r
+\r
+For example, in the English language, many who try to write in a gender-neutral manner prefer the use of "their" instead of "his" or "her". Despite claims of some that this is gramatically "wrong" when referring to a single subject, sites listed in the references section of this document point out that this usage of "their" has a long history that precedes many of the political reasons for the use of the term today.\r
+\r
+Recently, many writers in the English language have tried to make their writing more gender-neutral by such techniques as alternating the use of "she" and "he" in their texts. However, it is important to note that by alternating the usage of "her" and "his" in writing, the traditional dichotomization of gender is still preserved. For many who feel displaced or otherwise uncomfortable about the discrete categories that have been constructed in societal discourse, it may be more comfortable to use the gender-neutral term "their", even to refer to a singular subject.\r
+\r
+It should also be noted that the exclusive use of "his", while occasionally said to be "gender-neutral", is really not. Clearly, it is a product of a patriarchial society, and remains strongly tied to that tradition. Further, it is important to note how even claiming that "he" is gender-neutral has a tendency to naturalize our understanding of the concept, thereby giving it a certain sort of transcendental status. It is important to realize that the social understanding of "his" as a neutral term is a social creation, as is language itself, and therefore reflects the unequal relationships that we have developed in society.\r
+\r
+While it is likely that the exact terms to be used in gender-neutral writing will remain in debate for a long time, there are some practices that seem to be favored, such as using "their" in place of "his" or "her". Many feel that this is an improvement even to the practice of alternating "his" or "her" in writing as it leaves space for people who feel marginalized by the binary categories of gender that exist in society (e.g., perhaps some transgender individuals who don't feel comfortable either as "men" or "women", as these cultural roles are often understood).\r
+\r
+== Arguments Against Gender-Neutral Language ==\r
+\r
+Some members have expressed that they disagreed with elements on this page. This section attempts to articulate these points where people disagree with gender-neutral language in general, or some of the ways that implementation of gender-neutral language have been suggested.\r
+\r
+ * '''Some have mentioned that the use of "their" in cases where it refers to a singular subject a "sin against the English language"'''. Other members argue that this kind of monopoly on "correct" grammar should not be maintained, and have suggested that this kind of grammar "policing" is elitist and only technically correct if one believes in a mythical purity of language. Of course, it is true that in many academic institutions and journals, for example, that there is resistance to using alternative grammatical constructs in order to work towards progressive social goals. In response to this point, advocates of progressive constructs that are truly gender-neutral often suggest that our receptiveness to certain words or phrases is socially conditioned as well, and that with time we can push towards more popular acceptance of linguistic constructs which is not objectionable to many people on the basis of gender marginalization and inequality.\r
+\r
+ * ClintonEbadi wrote that, "When possible, we should lean away from being "grammar police", and be in favor of editing our communications in such a way that it helps to deconstruct the subversive political ideas that plague our society." Clinton, in his statement, paraphrases what a previous author on the wiki said, and clearly puts gender-neutral language in the category of "subversive language", which he suggests that we avoid, at least in the case of gender issues. Since gender-neutral language is intended to work against things such as patriarchy and the prescriptive roles of gender that most of Western society still has deeply embedded in it, and because Clinton seems to be against using likely tools, such as language, to work against gender inequality, it seems that he may actually be in favor of conserving these forms of inequality in society. Since it is unlikely that this is what Clinton really intended to say, further explication of this point would be helpful.\r
+\r
+== Historical versions of this page ==\r
+\r
+Previous comments from this page have been archived at the page HistoricalGenderNeutralLanguage for clarity of the ideas presented on this section of the site.\r
+\r
+== Related Resources ==\r
+\r
+ * HCoop wiki page on GenderBiasedLanguage\r
+\r
+== External Links ==\r
+\r
+ * [http://en.wikipedia.org/wiki/Gender_neutral_language Article on Gender-neutral language in wikipedia]\r
+ * [http://www.crossmyt.com/hc/linghebr/austheir.html]\r
+ * [http://www.cs.virginia.edu/~evans/cs655/readings/purity.html Douglas Hofstadter's satirical A Person Paper on Purity in Language]\r
--- /dev/null
+#format wiki\r
+#language fr\r
+== Graham Freeman ==\r
+\r
+Adresse électronique : [[MailTo(graham.freeman@cernio.com)]]\r
+\r
+http://cernio.com/Members/graham/\r
+\r
+I like French-language templates.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page is for HCoop history, logos, grass-roots HCoop marketing ideas, and other bits of advocacy.\r
+\r
+[[TableOfContents]]\r
+\r
+= Joining HCoop =\r
+\r
+ * ProspectiveMemberFaq: Answers to frequently-asked questions about HCoop, joining HCoop, and what you can do after joining.\r
+ * JoinUs: How to apply to join HCoop.\r
+ * MemberManual: After joining HCoop, be sure to read the manual, so that you can create an account and stay in good standing with the co-operative. The [:MemberManual/GettingStarted:Getting Started chapter] is especially important.\r
+\r
+= Miscellaneous =\r
+\r
+ * OurHistory: Learn about the founding of HCoop and its continued history.\r
+ * TheHcoopLook: web site visual design chatter.\r
+ * ["T-Shirt"]: help design and plan the new HCoop T-shirt\r
+ * HcoopPublicity: what publicity HCoop has received\r
+\r
+= Spreading the word about HCoop =\r
+\r
+== Websites ==\r
+\r
+Link to HCoop with the HCoop logo (LogoDiscussion) or images such as this one: [http://hcoop.net/~ntk/hcoop.png]\r
+This not only points users to our site from yours, it also increases HCoop's search engine rankings and makes it easier for people to find. HCoop's Alexa traffic rankings have gone from 4,000,000 to 900,000 in the last three months alone. If we can continue that trend we are on the right track.\r
+\r
+== T-shirt ==\r
+\r
+Help out with our ["T-Shirt"] project. Create a design, or simply commit to buying one. If enough people do, we will make the HCoop T-shirt happen.\r
+\r
+== Signatures ==\r
+If appropriate, you can reference HCoop in email or web forum signatures.\r
+\r
+== Advertising ==\r
+We may or may not want to spend money on formal advertising for the cooperative. As an experiment I have submitted an ad to kuro5hin.org which will run for 10K exposures (out of NathanKennedy 's own pocket).\r
+\r
+== Other ==\r
+Add more ideas here!\r
--- /dev/null
+= Hardware Donations =\r
+\r
+Some HCoop members are willing to donate pieces of hardware to the coop to help with our new infrastructure. These hardware pieces are outlined below.\r
+\r
+== Dell PowerEdge 2850 ==\r
+\r
+This is a 2U server that I bought used (actually traded for a Dell PowerEdge 2800 that I had previously). I purchased parts for it which give it the following specifications:\r
+\r
+ * 4 GB RAM\r
+ * 4 x 10K Seagate Cheetah SCSI drives, 73GB\r
+ * 2 x 10K Seagate Cheetah SCSI drives, 36GB\r
+ * 2 x 2.8 GHz processors\r
+ * RAID kit, with battery, etc.\r
+ * 256 MB RAID cache\r
+ * 2 power supplies\r
+\r
+Currently I have this machine configured with a RAID 1 set on 2 x 36 GB disks for the system partition, and a 4 disk RAID 10 set for user files.\r
+\r
+The machine is less than 1 year old, and is still under warranty for most of the parts (some parts were purchased used, so would not be covered by the warranty from Dell). I believe that we can purchase a support contract from Dell for this machine but I will have to call them to make sure and find out more details.\r
+\r
+I have put [http://www.hcoop.net/~leitgebj/poweredge/ some pictures online]. Sorry, they are large files!\r
+\r
+= Nortel (Baystack) 380 switch =\r
+\r
+From Shaun Empie:\r
+\r
+It is not brand new but is working. Here is a guide that I was able to find to give anyone interested a more in depth view of it, [http://vpit.net/es380-guide.pdf es380 guide].\r
+\r
+ES380 AC Power Specs: Input current: 1.5A to 100 AC Input voltage (rms): 100 to 240 VAC at 47 to 63 Hz Power consumption: 150 W Thermal rating: 1000 BTU/hr maximum\r
--- /dev/null
+= Primary Server (fyodor) =\r
+\r
+ * Intel P4 3.0Ghz\r
+ * DDR 1 GB RAM\r
+ * 2 x 120GB IDE HD (RAID 1)\r
+\r
+= Secondary Server (Abulafia) =\r
+\r
+ * AMD Duron 900MHz 192KB cache 200MHz FSB\r
+ * Cool``Jag JAC313C low profile fan and heatsink\r
+ * 2x 256MB Kingston PC2100 CL2.5 DDR RAM\r
+ * Gigabyte GA-7VKML VIA KM266 motherboard (onboard vid + LAN)\r
+ * 2x IBM 40GB 120GXP IDE 7200rpm 2MB cache 3YR warranty hard disk, mirrored with RAID-1\r
+ * Super``Micro SC811-IDE 1U 200W rackmount case\r
+ * 3Ware Escalade 3W-6410 PCI IDE RAID adapter (4x UDMA66 EIDE ports)\r
+ * 32bit 33MHz PCI riser card\r
+ * 12X IDE slim CDROM (from a Toshiba laptop)\r
--- /dev/null
+= Peer 1 address =\r
+\r
+HCoop, Inc.[[BR]]\r
+c/o Peer 1 Network[[BR]]\r
+75 Broad St 2F[[BR]]\r
+New York, NY 10004\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+= Article 1. Name and Purpose =\r
+\r
+Section 101. The name of the Corporation shall be "HCOOP, Inc."\r
+\r
+Section 102. The purpose of the Corporation shall be to provide\r
+Internet hosting services for the mutual benefit of its members.\r
+\r
+= Article 2. Membership =\r
+\r
+Section 201. Membership in the Corporation shall be open to any\r
+individuals who are able to meet the requirements of\r
+membership.\r
+\r
+Section 202. Membership shall be granted by a majority vote by the\r
+board.\r
+\r
+Section 203. Each member shall have an equal vote in all general\r
+membership decisions, and shall have an ownership interest in the\r
+Corporation in proportion to the total amount of the member's business\r
+with the Corporation since its incorporation.\r
+\r
+Section 204. Before admission to the Corporation, a member shall make a deposit of money in an amount specified by Corporation policy. This deposit\r
+shall be returned to a member in good standing upon termination of\r
+membership, less any outstanding obligations of a member to\r
+the Corporation, as determined by the board.\r
+\r
+Section 205. Members shall be charged monthly dues and any other\r
+expenses delineated in the Corporation's policies as determined by\r
+the board.\r
+\r
+Section 206. Members may voluntarily terminate their memberships at\r
+any time by notifying the President of their intentions.\r
+ \r
+Section 207. A member may be expelled for cause by a two-thirds vote\r
+of the membership. Such a vote must be called by the board of directors.\r
+\r
+Section 208. The board may, by majority vote, expel any member who\r
+maintains outstanding debt to the Corporation for three consecutive months or more.\r
+This means that the member has paid less than the total dues owed to\r
+date.\r
+\r
+Section 209. Termination of membership, whether voluntary or\r
+involuntary, does not excuse a person's outstanding obligations or\r
+debts to the Corporation.\r
+\r
+Section 210. The board may suspend a member's privileges, other than\r
+the privilege to attend and vote in meetings, by majority vote at any time pending a vote on\r
+expulsion.\r
+\r
+= Article 3. Board of Directors =\r
+\r
+Section 301. The board shall consist of three members of the\r
+Corporation, and shall serve for terms of one year.\r
+\r
+Section 302. Board elections shall be held prior to the end of the\r
+previous board's term. Only members in good standing may run as candidates in board elections. Each member may vote for up to three\r
+candidates. The three candidates receiving the most votes shall serve\r
+in the new board. In case of ties, run-off elections\r
+shall be held with the candidates whose votes are tied.\r
+\r
+Section 303. Boardmembers may voluntarily resign their positions at\r
+any time.\r
+\r
+Section 304. Any boardmember may be removed by a two-thirds majority\r
+vote of the general membership at any time.\r
+\r
+Section 305. Any vacancy in the board shall be filled as\r
+soon as possible by a special membership election.\r
+\r
+Section 306. Boardmembers shall receive no compensation beyond reimbursement for expenses incurred in performing their duties.\r
+\r
+Section 307. The board shall have regular meetings scheduled at least\r
+four times per year, and special meetings as often as necessary.\r
+\r
+Section 308. The board shall vote to choose officers from the board of\r
+President, Treasurer, and Secretary. Individual boardmembers may\r
+serve multiple roles except no boardmember may be both Treasurer and\r
+Secretary.\r
+\r
+Section 309. The President shall preside over all meetings and\r
+maintain order.\r
+\r
+Section 310. The Treasurer shall handle the Corporation's financial\r
+matters, including preparing financial reports, writing checks,\r
+receiving member deposits and dues, and maintaining detailed financial\r
+records of the Corporation's business with members. The Treasurer\r
+shall submit a proposed budget in December for the following year, and\r
+shall be responsible for filing government tax forms.\r
+\r
+Section 311. The Secretary shall be responsible for keeping the\r
+Corporation's records. The Secretary shall keep logs and minutes for\r
+all meetings, as well as copies of all official Corporate documents.\r
+\r
+= Article 4. Decision-making =\r
+\r
+Section 401. All meetings, whether of the board or the general\r
+membership, shall be open to the entire membership. When possible\r
+these meetings should also be open for the general public to observe.\r
+\r
+Section 402. All votes shall be made with a public ballot, with the\r
+results of the vote recorded in the minutes of the next board meeting.\r
+\r
+Section 403. Decisions by the membership as a whole shall be accomplished through a voting system established by the board. Any member may initiate a vote, which must be announced to the entire membership. Members shall have one week from the time of announcement to cast votes on the issue. Vote results shall be determined based on the proportion of "Yes" votes out of total non-abstention votes cast, not out of the entire membership. The vote result shall only be binding if a quorum of twenty percent of the total membership votes on the issue.\r
+\r
+Section 404. Members who are not board members are only permitted to call potentially binding votes on revising the bylaws and removing board members.\r
+\r
+Section 405. The board may revise the Corporation's policies by\r
+majority vote at any board meeting. The Secretary is responsible for\r
+keeping and publishing up-to-date editions of the Corporation's\r
+policies.\r
+\r
+= Article 5. Amendment =\r
+\r
+Section 501. The bylaws of the Corporation may be amended by a\r
+two-thirds vote of the Corporation's membership.\r
+\r
+= Article 6. Dissolution =\r
+\r
+Section 601. Upon dissolution of the Corporation, all assets remaining\r
+after the Corporation's liabilities are met shall be distributed among\r
+all current and former members in accordance with IRS regulations and\r
+statutory requirements for Internal Revenue Code Section 501(c)(12)\r
+cooperatives. The board shall be responsible for the liquidation and\r
+distribution of all such assets.\r
+\r
+Section 602. Termination of membership for any reason shall not\r
+forfeit a member's established ownership rights and interests in the\r
+Corporation.\r
+\r
+----\r
+\r
+ A static copy of the latest revision is always available at [http://hcoop.net/board/bylaws.html] along with text versions and prior revisions.\r
--- /dev/null
+Guidelines can provide a great way to be efficient. Here are some guidelines that HCoop believes may help its staff and community thrive.\r
+[[TableOfContents]]\r
+== General Guidelines ==\r
+ * GenderNeutralLanguage: Tips on how to write in a gender-neutral way for the HCoop wiki or in any other forum.\r
+\r
+== Staff Guidelines ==\r
+ * DeveloperGuidelines for admins developing custom programs/scripts for HCoop\r
--- /dev/null
+Here are policies and principles that HCoop has charged itself with. Some may be in development.\r
+[[TableOfContents]]\r
+== Adopted Policies ==\r
+ * EnvironmentalPolicy\r
+ * NamingConventions: What the right ways are to write HCoop's name and Internet addresses in different contexts\r
+ * SevenPrinciples\r
+ * VolunteerResponsePolicy\r
+\r
+== Policies In-Work ==\r
--- /dev/null
+= Articles =\r
+\r
+ * Interviewed for "Alternative Web Hosting" in [http://www.pingzine.com/web-hosting-magazine/online-20.php issue 20] of [http://www.pingzine.com/ Ping! Zine]\r
--- /dev/null
+HCoop is a cooperative, and as such, is organized in a specific way in order to meet specific legal requirements.\r
+[[TableOfContents]]\r
+\r
+== Legal Stuff ==\r
+ * HcoopBylaws\r
+ * RegisteredAgent\r
+\r
+== Officials ==\r
+ * BoardOfDirectors\r
+\r
+== Records ==\r
+ * [http://hcoop.net/board/ Secretary's official records and information site]\r
--- /dev/null
+= Historical Colocation Providers Information =\r
+\r
+''Below is information from HCoop's colocation provider search. Since this search is over, the information below is probably not incredibly useful at this point! ;)''\r
+\r
+The quote request form, which exists at wiki page ProspectiveHostsQuoteRequest, was emailed by or before our deadline of April 14, 2006 to seven colocation providers. We have received responses from a number of providers, which are described, along with supporting materials where available, on the page ColocationProvidersEvaluation. After some providers did not respond to our request in a sufficient amount of time, they were moved to the page PreviouslyConsideredColocationProviders. This leaves us with three providers that are still in contention for our future hosting needs from those considered. The initial pool of providers that we considered is available as historical information on ColocationPlansServiceProviders.\r
--- /dev/null
+'''This page is not intended as an "official HCoop policy or position." Rather, it is an attempt by some of the members to call attention to issues of how our language reflects and reproduces gender norms that exist in our society. In addition, since some members disagree with the notes in this page, dissenters may voice their opinions on this page as well.'''\r
+\r
+= Gender-Neutral Language =\r
+\r
+For many in the Cooperative, language is not merely a tool that we use, but one which reproduces the structures of power in our society. Gender inequality, as one of these social forms of power, is also reproduced through language. Because of this, many members of the Cooperative feel strongly that we consider carefully how gender bias creeps into our everyday languages, including the communication between members of the Cooperative and externally.\r
+\r
+== Tips on Writing in a Gender-Neutral Style ==\r
+\r
+Generally, many of the arguments for gender-neutral language have led those who advocate its use to prefer gender-neutral instead of gender-specific pronouns when discussing a person whose gender is unknown, when the person prefers to not categorize themself as belonging to a specific gender, or when a party is of mixed gender. See the wikipedia article below for more information.\r
+\r
+\r
+Previous comments from this page have been archived at the page HistoricalGenderNeutralLanguage for clarity of the views presented on this section of the site.\r
+\r
+For example, in the English language, many who try to write in a gender-neutral manner prefer the use of "their" instead of "his" or "her". \r
+\r
+ * [took out text that referred to old text that was removed] ... that said, I think gender-neutral language is a fine thing to strive for, and "they" is way more palatable than alternatives like "[http://en.wikipedia.org/wiki/Ze_%28pronoun%29 ze]" or "he or she". \r
+ \r
+ Clinton, do you have any examples of alternating pronouns every paragraph? Because that sounds like it would be extremely difficult to read. -- JeremyPenner\r
+ * "The programmer should make sure he calls free() after mallocing memory. ... ¶ The programmer is responsible for defining subclasses for her application." I don't like that style much myself, but it is far less jarring than seeing the disagreeing pronoun/verb case. I prefer the easy method of the author using his (or her) own gender.\r
+ * Using 'their' is incorrect. 'He' is the unspecified gender pronoun in English. Alternating between male and female pronouns every paragraph is reasonable if one wishes, but using they/their is a sin against the English language. -- ClintonEbadi\r
+ * I disagree, the English language has rare few "sins." Singular "their," while prescriptively "wrong," has a very long and wide history in the language. I don't care to write an HCoop style manual now, and we may or may not want this usage in "HCoop literature," but everyone is entitled to their opinion and it is more nuanced than simply "wrong." (see, e.g. [http://www.crossmyt.com/hc/linghebr/austheir.html]) It can be very difficult or awkward to write "correct" and concise documentation in standard English that is simultaneously gender-neutral. --NathanKennedy\r
+ * We should note that for some, alternating "he" and "she", or only using one is not adequate because it remains within the gender binary established by society, and refuses to recognize that one may not feel comfortable within these linguistic and social constructions, e.g., in the case of transgender individuals.\r
+ * "He" is ''not'' an "unspecified gender pronoun", it is clearly tied to the cultural gendered distinctions that have been constructed. The idea that it is considered "gender-neutral" is precisely the mechanism by which it helps to maintain established power differentials in society. While I am not calling for a "style manual" or policy that determines how any member can use language, I feel strongly that we need to allow members to use language in a manner that they feel is appropriate, personally and politically. When possible, we should lean away from being "grammar police", and be in favor of editing our communications in such a way that it helps to deconstruct the gender binaries and hierarchies that plague our society.\r
+ * 'When possible, we should lean away from being "grammar police", and be in favor of editing our communications in such a way that it helps to deconstruct the subversive political ideas that plague our society.' --ClintonEbadi\r
+\r
+== External Links ==\r
+\r
+ * [http://en.wikipedia.org/wiki/Gender_neutral_language Article on Gender-neutral language in wikipedia]\r
+ * [http://www.crossmyt.com/hc/linghebr/austheir.html]\r
+ * [http://www.cs.virginia.edu/~evans/cs655/readings/purity.html Douglas Hofstadter's satirical Paper on Purity in Language]\r
--- /dev/null
+= 2005/10/23 =\r
+\r
+I'm setting up TripWire to cut out some unneccessary data from its report. --MichaelLeonhard\r
+\r
+= 2005/10/10 =\r
+\r
+Well, suitable time to add some comments. We've opened for the public in the meanwhile, and things are looking very good.\r
+We've had some problems with backup process bringing the system to a stall, but we've niced it to a lower priority task.\r
+Adam's portal is doing its job perfectly well, I am taking care of simpler run-time issues, and generally I am delighted\r
+to see the new server a full success. Enjoy a better service, everyone. --DavorOcelic\r
+\r
+= 2005/9/10 =\r
+\r
+InterServer folks seem to be behaving unethically, and the end product is that they aren't ''really'' offering the backup service that they advertise at the moment. They also won't guarantee that they will ever offer it to us at any future time. We're using a half-assed replacement scheme, documented at BackupServices. Anyway, while this isn't the best way to remove your last to-do item, it removed it all the same, and so we finally reached the point of MemberMigration. --AdamChlipala\r
+\r
+= 2005/8/31 =\r
+\r
+Just to give some signs of activity. We're waiting for InterServer's backup service to go up again. Once\r
+they do that and we set up backups, things will get moving again. --DavorOcelic\r
+\r
+= 2005/8/24 =\r
+\r
+I got OTP (One-Time Passwords) support working. Basically, all services that use PAM (Pluggable Authentication Modules) to authenticate users will first open up the standard Password prompt, and then, if users just press\r
+Enter or type in the wrong password, it will present an OTP challenge.\r
+\r
+The principle of OTP is that, while you're\r
+logged in over ssh from a trusted source, you generate a list of say, 10 one-time passwords. Each time you\r
+connect after that, you can skip the standard prompt and type in the one-time password. When you use all\r
+one time passwords, you need to access HCOOP from a secure location again, and generate a new list of passwords.\r
+So it will be possible to use OTP if you're accessing HCOOP from untrusted machines which may be hacked or\r
+have some kind of password logging turned on.\r
+\r
+Not everyone will want to use OTP, but that is OK. If you want, it's available and it integrates transparently into the infrastructure. --DavorOcelic\r
+\r
+= 2005/8/21 =\r
+\r
+I think our firewall setup is actually ready to go into use. With lots of help from DavorOcelic, I have gotten per-user firewall rules working, to allow only certain users to listen on a port or connect to a particular port of a particular remote IP address. --AdamChlipala\r
+\r
+I've modified the Apache log file scheme to put each domain's log files in a separate subdirectory of `/var/log/apache2`, (somewhat) as per TerrenceBrannon's suggestion. --AdamChlipala\r
+\r
+= 2005/8/18 =\r
+\r
+DavorOcelic got his firewall configuration running in a way that seems to allow all of the "trusted" services that we need. Still to come is support for other user connections, both client and server. --AdamChlipala\r
+\r
+= 2005/8/16 =\r
+\r
+I just picked off the easy to-do of adding an `addsubuser` script in `/usr/local/sbin`. Run like `addsubuser adamc web`, it calls `adduser` to create `adamc_web`, with flags to give the new user no password or login ability. It also sets an initial `.forward` to `adamc` for `adamc_web`, and helpfully reminds you to give `adamc` sudo rights as `adamc_web`. --AdamChlipala\r
+\r
+= 2005/8/14 =\r
+\r
+I've modified suphp to impose the same limits. --AdamChlipala\r
+\r
+I've modified Apache 2 suexec to impose ulimits on scripts, and to give up on scripts after a time-out, killing them and all their child processes. --AdamChlipala\r
+\r
+I've set up login/cron ulimits, as described on ResourceLimits. --AdamChlipala\r
+\r
+I've extended dbtool to add Postgres databases. See UsingDatabases. --AdamChlipala\r
+\r
+= 2005/8/13 =\r
+\r
+Concerning our firewall infrastructure, I made some initial progress. This file takes care about all the standard stuff in our setup.\r
+What's left to add, is one chain for each user, which we use for both user traffic-accounting, and user-specific\r
+firewall rules. --DavorOcelic\r
+\r
+Disk quotas are now functional. We've come to the conclusion that user ownership may be different, but group ownership will always point to real file owners. Therefore, we use group quotas. Users can check their quota\r
+statistics with ''quota -g'', while administrative overview can be had with ''sudo repquota -ag''. --DavorOcelic\r
+\r
+= 2005/8/11 =\r
+\r
+I've integrated the old web bandwidth stats page into the portal. I've also replaced the old disk usage page, which was based on reading the results of a daily cronjob which ran `du`, with a slicker one that uses `repquota` output. --AdamChlipala\r
+\r
+Quick surveys in `#perl` and `#python`, including definitive answers from people who at least think they know what they're talking about, lead me to believe there is no good way to provide secure, multi-user use of mod_perl or mod_python in a shared Apache 2 daemon... so I have removed those from the list. It looks like, if you want these, you'll need to install and run your own Apache daemon. --AdamChlipala\r
+\r
+I have the portal from Abulafia (both code and current database) up and running here. Things look promising for getting Postgres to run with proper permissions. I'm still waiting for DavorOcelic to update domtool to automate the sorts of permission changes that I made, though. --AdamChlipala\r
+\r
+= 2005/8/10 =\r
+\r
+After some discussion with DavorOcelic, I set out to modify some permission schemes so that we can account for all of a user's filesystem usage with his group quota. This involved the most wrangling for Mailman. I've summarized the results on DaemonFileSecurity. --AdamChlipala\r
+\r
+= 2005/8/8 =\r
+\r
+I made the 'dbtool' script (see CVS on [http://www.sf.net/projects/hcoop]) which allows users to \r
+manage the databases themselves. Not to repeat myself, see UsingDatabases.\r
+\r
+This works nicely for MySQL (as you can see from the above page and CVS), but is a little tricky\r
+for Postgres. Postgres can't be fooled by symlinks, and we need to use the "tablespaces" feature\r
+present in pgsql 8.0.\r
+\r
+The only problem with tablespaces is that they force mode 700 on a directory, thus clearing our\r
+sgid bit on a directory. As a consequence, files don't belong to the users' group but to \r
+a generic group 'postgres', which prevents filesystem quotas from working as we want them.\r
+\r
+One solution is to have a script that traverses the directory and chgrps the files, but we\r
+should see if that would mess up postgres. The other solution is to bend the behavior to our\r
+liking and recompile postgres. --DavorOcelic\r
+\r
+MRTG (link statistics) is up as well. It is dumping output to /var/www/mrtg/ . Make it \r
+available over the web somewhere, at members.hcoop.net perhaps. --DavorOcelic\r
+\r
+= 2005/8/7 =\r
+\r
+Spam``Assassin learning is good to go. I fixed a problem in our Abulafia SA config that was causing a message to be e-mailed to `spamd` at every 5-minute interval when there were no new training messages! I've recorded the (to my knowledge) right configuration procedure at SpamAssassinAdmin. --AdamChlipala\r
+\r
+Mailman is up. Following our general plan of consolidating disk usage accounting, we're giving ownership of all growing mailing list files to their owning users. I've also improved the exim configuration so it doesn't deliver mail addressed to `somelist@dom1.com` to a list called `somelist@dom2.net`. --AdamChlipala\r
+\r
+SquirrelMail up, this time running properly inside of the main Apache instance via the squirrelmail Debian package and suphp. --AdamChlipala\r
+\r
+Webalizer is up and running. I've set a convention for SSL virtual hosts where both the Apache log files and Webalizer directories of SSL host www.dom.net are called `www_ssl.dom.net.<suffix>`. --AdamChlipala\r
+\r
+Apache SSL is up and integrated with domtool. See VirtualHostConfiguration for details. --AdamChlipala\r
+\r
+I've installed `mod_suphp` and concluded that to make it work with `/~username` URLs, we need to make `/home` the `DocumentRoot` of `hcoop.net`. Suexec CGI always checks for presence in `/var/www` or `/home/*/public_html/`, while suphp checks for presence in the current vhost's `DocumentRoot`. This means that `mod_suphp` allows direct execution in both userdirs and vhosts, but the required configuration for `hcoop.net` is a pain, and we may need to change it later for security reasons. --AdamChlipala\r
+\r
+= 2005/8/6 =\r
+\r
+After a suitable amount of wrestling, I think all of the e-mail stuff from Abu is properly replicated, possibly with improvements. The big change is that virtual mailboxes are now owned by the user who owns their domains, meaning that your virtual mailbox contents will count automatically toward your filesystem quota. The big thing not yet set up is any kind of web mail client, but I group that into a separate to-do bucket, anyway. --AdamChlipala\r
+\r
+The DNS server should be up now. I've submitted a change request at the registrar for one of my little-used domains to begin using our new machine as its primary DNS server, which will allow me to test the setup under realistic conditions. --AdamChlipala\r
+\r
+To state the obvious, I've gotten the almost-latest version of [http://moinmoin.wikiwikiweb.de/ MoinMoin] installed here. I'm using this wiki as an opportunity to test the proposed new scheme for scripts, where every virtual host script request is proxied to use a `~username` URL. The benefit of this is that Apache suexec has special support for `~username` scripts, which prevents us from needing to give users subdirectories of `/var/www`. This seems to be working now, with only the annoying problem remaining that MoinMoin uses absolute URLs, reverting to the uglier `~username` form. Hopefully I can fix this, and also implement some infrastructure to help us take advantage of the centralized "wiki farm" support in the latest Moins. (Update: Fixed!) --AdamChlipala\r
+\r
+I've got a proof-of-concept iptables setup running, that will allow us to account for all bandwidth used on a \r
+packet level. This is really excellent and fits our idea to run all services under user accounts. --DavorOcelic\r
+\r
+= 2005/8/4 =\r
+\r
+I've installed domtool from [http://hcoop.sf.net/ CVS]. It was remarkably easy to get the basic stuff working. The only changes so far have to do with our switch to Apache 2 from Apache 1.3, which required using a different directive to indicate which user and group suexec should use for a vhost. --AdamChlipala\r
+\r
+= 2005/8/4 =\r
+\r
+I spent time installing bits and pieces here and there, most notably the configuration files tracker\r
+(changetrack), tripwire, and other stuff. --DavorOcelic\r
+\r
+= 2005/8/2 =\r
+\r
+I installed disk quotas. By default, each user will have 4 G soft quota, and 5 G hard quota on home directory\r
+size. Similarly, each user has a soft number-of-files quota set at 400,000, and hard quota at 500,000. I picked\r
+the numbers based on current usage pattern on Abulafia.\r
+\r
+Additionally, thanks to grsecurity kernel patch, we now have the ability to restrict socket creation and\r
+program execution. By adding users to special groups, we can prevent them from creating server, client or\r
+any INET sockets. In the same way, we can allow users to only run files from root-owned directories.\r
+\r
+Regardless of grsecurity, I am planing use the standard Unix groups mechanism to restrict use of the \r
+development tools (compilers, most notably). Users who will want access to compilers will be added to \r
+a special group.\r
+\r
+Cron and At services will be disabled by default as well. As usual, people needing them will have to ask\r
+for them. --DavorOcelic\r
+\r
+= 2005/8/1 =\r
+\r
+Since we had two disks in the server, and the other one was unused (simply mounted on /backup), I repartitioned\r
+it, installed new Debian GNU installation on it (using debootstrap), compiled the kernel, and successfully\r
+rebooted into it on the first try!\r
+\r
+Then I went to move the installation to /dev/hda, thereby replacing the stock setup we got from InterServer.\r
+Evertyhing worked fine, and then I went to set up software RAID-1. I made a minor mistake in lilo.conf, \r
+and the server didn't want to boot properly. We filled in a Support Ticked at InterServer's site, and in \r
+2 hours, John Quaglieri booted the system from the CD, fixed lilo.conf and even performed one additional \r
+step regarding RAID-1. I was impressed by his support. --DavorOcelic\r
+\r
+= 2005/7/21 =\r
+\r
+Our new server is ready to go at [http://interserver.net/ InterServer].\r
--- /dev/null
+Whenever possible, we like to use [http://www.debian.org/doc/user-manuals#apt-howto Debian's apt] to manage the software that we have installed. This handles almost all details, including automated security patches and other upgrades. However, we occasionally need to install and maintain software by other means. All such software should be documented on this page.\r
+\r
+= Table of software =\r
+\r
+A star before a maintainer name indicates the extra bonus that the mentioned member is a developer of the software in question.\r
+\r
+|| '''Name''' (with link) || '''Maintainers''' || '''Base directories''' || '''Notes''' ||\r
+|| [http://hcoop.sourceforge.net/ Co-op Hosting Tools] || *AdamChlipala || See [http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/hcoop CVS] ||\r
+|| [http://www.smlnj.org/ Standard ML of New Jersey] || AdamChlipala || `/usr/local/smlnj` ||\r
+|| [http://smlweb.sourceforge.net/ Standard ML web tools] || *AdamChlipala || `/usr/local/share/mlt`, `/usr/local/share/smlsql` ||\r
+|| [http://ferm.sf.net/ Ferm] || DavorOcelic || `/usr/local` ||\r
--- /dev/null
+\r
+This page contains a listing of all IP addresses in the HCoop subnet.\r
+\r
+By Peer1 we are given the following:\r
+\r
+ * Network: 69.90.123.64 /27\r
+ * Gateway: 69.90.123.65\r
+ * Usable: 69.90.123.66 - 94\r
+ * Netmask: 255.255.255.224\r
+\r
+Included in the listing is: IP address, hostname, port.\r
+\r
+The first line with an IP address on it should contain the canonical\r
+name of the machine, if applicable, and no port. Remaining lines\r
+after that should each list a port and the hostname used with it.\r
+\r
+|| '''IP address''' || '''Hostname''' || '''Port''' ||\r
+|| 69.90.123.66 || baltar || ||\r
+|| 69.90.123.67 || deleuze || ||\r
+|| || members2 || SSL ||\r
+|| 69.90.123.68 || mire || ||\r
+|| 69.90.123.69 || KVM || ||\r
+|| 69.90.123.70 || krunk || ||\r
+|| 69.90.123.80 || mail80 || 80 for SMTP||\r
--- /dev/null
+The official HCoop IRC channel is [irc://irc.freenode.net/#hcoop #hcoop] on [http://freenode.net/ Freenode].\r
+\r
+You can find an introduction to Internet Relay Chat and more at [http://www.irchelp.org/ IRChelp.org].\r
+\r
+Like most IRC channels, ours is not especially "on-topic," but it's a great place to get advice about using your HCoop account. Please join and "idle" there if you can to help build momentum and answer other members' questions!\r
+\r
+Our volunteer admins don't treat IRC as an official support method, because it is way too hard to organize handling of support requests that come over such an unstructured medium. This means that you're free to ask questions or make requests that can only be answered/fulfilled by admins, but that they won't feel obligated to reply. [https://members.hcoop.net/portal/support Open a support ticket on the portal] for such issues.\r
--- /dev/null
+Information on IRC meetings that we've held.\r
+\r
+ * ["Meeting20071021"]\r
+ * ["Meeting20060909"]\r
+ * ["Meeting20060624"]\r
+\r
+See [http://hcoop.net/board/] for information on other past meetings.\r
--- /dev/null
+HCoop is running a closed registration [http://jabber.org Jabber] server.\r
+\r
+Your UID will be in the form USER@hcoop.net.\r
+\r
+JabberUsers contains a list of everyone with a Jabber account.\r
+\r
+= Account Setup =\r
+\r
+Please contact ClintonEbadi to have a new account made. Please provide him with your preferred username. '''DO NOT GIVE HIM A PASSWORD''', one will be autogenerated. You may contact him in any way listed on his userpage (if you choose the phone method please SMS unless you first contact electronically to make sure he is there or you may not get an account right then). As soon as your user is added to the db you will be provided with the autogenerated password. '''Change this immediately upon logging in for the first time.'''\r
+\r
+= Client Setup =\r
+\r
+$USER refers to your Jabber username.\r
+\r
+Please add info for any clients you use.\r
+\r
+== Logging in / Adding a New Account ==\r
+\r
+=== Adium ===\r
+http://www.adiumx.com/\r
+\r
+ 1. Open the Preferences dialog (Adium->Preferences or Command-comma)\r
+ 2. Go to the "Accounts" section\r
+ 3. Select "Jabber" from the "+" menu in the lower-left corner\r
+ 4. Enter "$USER@hcoop.net" in the "Jabber ID" field\r
+ 5. Enter your password in the "Password" field\r
+ 6. Click "OK"\r
+\r
+=== Agile Messenger ===\r
+http://www.agilemobile.com/index.html\r
+\r
+ 1. Add a new account of type "XMPP"\r
+ 2. Enter "$USER@hcoop.net" as the username\r
+ 3. Enter your password\r
+\r
+Note that your resource will be "Work" and you cannot change this (as far as I can tell)\r
+\r
+=== Gaim ===\r
+http://gaim.sf.net\r
+\r
+ 1. Open the Accounts dialog (Tools->Accounts or C-a)\r
+ 2. Add a new account\r
+ 3. Set the type to Jabber\r
+ 4. Screen Name = $USER, Server = hcoop.net\r
+\r
+== Changing Your Password ==\r
+\r
+=== Gaim ===\r
+http://gaim.sf.net\r
+\r
+ 1. Go to Tools->Account Actions->$USER->Change Password\r
+ 2. Change your password\r
--- /dev/null
+|| '''Name''' || '''Wiki Page''' || '''Jabber Username @ hcoop.net''' ||\r
+|| David Bettis || DavidBettis || dwb ||\r
+|| Frank Bynum || FrankBynum || frank ||\r
+|| Luke Chao || || LucasChaos ||\r
+|| Matt Currington || || matt ||\r
+|| Clinton Ebadi || ClintonEbadi || clinton ||\r
+|| Francois-Denis Gonthier || || neumann ||\r
+|| John Herman || || frayedthread ||\r
+|| Rick Hull || || rick.hull ||\r
+|| Nathan Kennedy || NathanKennedy || ntk ||\r
+|| Michael Leonhard || || Mike_L ||\r
+|| Ryan Mikulovsky || || ryan ||\r
+|| Michael Olson || MichaelOlson || mwolson ||\r
+|| John Settino || JohnSettino || nion ||\r
+|| Aaditya Sood || || aaditya ||\r
+|| Matthieu Sozeau || MatthieuSozeau || mattam ||\r
+|| Brian Templeton || BrianTempleton || bpt ||\r
+|| Michael Potter || || mpotter ||\r
--- /dev/null
+I am John Settino, known as "Nion" in real life and online.\r
+\r
+You may find more about me at my personal website: http://nion0.com\r
+----\r
+CategoryHomepage\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page describes how to apply to join HCoop.\r
+\r
+[[TableOfContents]]\r
+\r
+Write me.\r
+\r
+ * Explain that we currently just put people on a waiting on list until the new servers are up. Will let them know once we are ready.\r
+ * Follow with instructions on how to join, assuming we are ready for it. Can be as simple as a "see portal" sentence, with link.\r
+ * Applicants go through acceptance process, and become HCoop members.\r
+ * See [:MemberManual/GettingStarted/NewMember:New Member page] for instructions on what to do now. Then read MemberManual, especially the [:MemberManual/GettingStarted:Getting Started] chapter.\r
--- /dev/null
+= Justin Leitgeb =\r
+\r
+I have been an HCoop member since 2005. My home page is at [http://justin.phq.org/].\r
+\r
+I am also a member of the [http://www.lexington.coop Lexington Food Coop], a Buffalo, NY based food cooperative.\r
--- /dev/null
+= Logging in without a password via Kerberos =\r
+\r
+On windows anyway I just discovered instructions that worked for me[http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/windows_kfw_ssh.html here].\r
--- /dev/null
+Note when installing debian : http://groups.google.com/group/linux.debian.bugs.dist/msg/7b05436df66934a3\r
+\r
+Mire's ttyS0 is connected to krunk's LOM port.\r
+\r
+Linux's "eth0" is the physical "Port B" (I put a sticker over it marked eth0). "eth1" is "Port A". Just keep this in mind.\r
+\r
+Root password is the same as the KVM (at the moment).\r
+\r
+Both disks have a small partition (part1) and a big partition (part3). The big partitions are RAID1'ed together; the small partition on the first drive is boot, the second drive is swap.\r
+\r
+Also: http://www.openafs.org/pipermail/openafs-info/2006-November/024356.html\r
--- /dev/null
+= IP KVM Tunneling =\r
+To use a VNC through a tunnel, one of the following commands must be issued \r
+''More information needed...''\r
+{{{\r
+ /usr/local/bin/stunnel -f -c -d 5900 -r 69.90.123.69:15900\r
+}}}\r
+or\r
+{{{\r
+ ssh admin@69.90.123.69 -L 5900:69.90.123.69:5900\r
+}}}\r
--- /dev/null
+= Ideas for logos or logo themes =\r
+\r
+ * A computer of some kind with people living in/on it and performing various activities in/on it. Perhaps a mounted "HCoop" sign on top of it. --AdamChlipala\r
+\r
+ * A stylized drawing of a rackmount server inside a circle, with hands/arms coming symmetrically from different directions to touch it. Probably monochrome or close ot it. --AdamChlipala\r
+\r
+= Logos =\r
+\r
+=== Sense ===\r
+http://hcoop.net/~aku/hcoop_logo/hcoop_sense.png\r
+\r
+=== Clear ===\r
+http://hcoop.net/~aku/hcoop_logo/hcoop_clear.png\r
+\r
+=== Fade ===\r
+http://hcoop.net/~aku/hcoop_logo/hcoop_fade.png\r
+\r
+From the Attic: http://hcoop.net/~aku/hcoop_logo_attic.html\r
+\r
+=== geek ===\r
+http://hcoop.net/~aku/hcoop_logo/hcoop_geek.png\r
+\r
+=== script ===\r
+attachment:hcoop-script.png\r
+\r
+=== Planet ===\r
+http://detriment.org/planet-round.png\r
+\r
+http://detriment.org/planet-round.svg\r
+\r
+ Best logo yet! I very much like the circled-planet center. Not so sure I like the cropped "h" on top, perhaps it could be modified. But this one is showing promise.\r
+ How about changing it to a fat, capital H instead? Something like a less ugly/more stylized version of this:\r
+ http://hcoop.net/~ntk/planet-round-mod.png\r
+ (Obviously that H is too wimpy-looking, but that seems to be a more balanced-looking/symmetrical logo.) --NathanKennedy\r
+ I like this a lot. Even though Adam says that text may work against us, I think using the planet in the center and then a simple "HCOOP" in the black ring would look great. Perhaps the HCOOP being at the same arc as the ring. --JohnSettino\r
+\r
+Quick symetrical job before work:\r
+\r
+http://detriment.org/planet-sym.png\r
+\r
+http://detriment.org/planet-sym.svg\r
+\r
+=== More planet ===\r
+\r
+This is actually Chris "det" Clearwater's design which I only slightly modified and I offer it here because I liked something about it. --DavorOcelic\r
+\r
+http://hcoop.net/~docelic/planet-alt-docelic.png.png\r
+\r
+ I like the text/logo juxtaposition here. Perhaps this simple route is better than trying to do clever things with the letters. However this planet looks a bit too egg-shaped, maybe a little more round would be better. I'm not sure if I prefer the original planet color-scheme or not, I suppose that's just a matter of taste. --NathanKennedy\r
+\r
+ I'm also not too gung-ho about incorporating text into the logo. A simpler yet more distinctive logo that uses a graphic that symbolizes us in some way could be much more effective. --AdamChlipala\r
+\r
+=== Four Hands ===\r
+\r
+Try at mixing the Ubuntu style of portraying cooperation with more 'square' theme.\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/fhhcooprh.png || http://anil.net.in/images/drwg/hcoop/fhhcooprh45.png ||\r
+|| || Tilted 45 degrees. ||\r
+\r
+Left hand versions and svg files are here: http://anil.net.in/images/drwg/hcoop/ -- AnilNarayanan\r
+\r
+ These are interesting looking logos. However I didn't know they were hands until I read your email. They look more like whales, or mittens, which is kind of strange. --NathanKennedy\r
+\r
+How about this one ?\r
+\r
+http://anil.net.in/images/drwg/hcoop/hcoop_rh3.png\r
+\r
+-- AnilNarayanan\r
+ Better! --NathanKennedy\r
+\r
+ Nice. It would be better if there was some aspect of the logo that indicated some semi-unique characteristic of HCoop, though. There are lots of co-ops out there to which these logos would apply equally well. --AdamChlipala\r
+\r
+= HardCore =\r
+http://www.detriment.org/knuckles.jpg\r
+\r
+ Cute. But no. (This one comes from ChrisClearwater by the way). --NathanKennedy\r
+\r
+ Yeah, it was a joke. I had fun doing it. --ChrisClearwater\r
+\r
+=== Four Hands Inlay ===\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hcoop_rh_screen.png || http://anil.net.in/images/drwg/hcoop/hcoop_rh_globe.png ||\r
+|| Web pages being served || Networking and Internet theme ||\r
+\r
+\r
+ I really like the general idea behind these two! I'm not too thrilled about the 4 arms though. For some reason I get this odd vibe from it. Instead of 4 arms perhaps it would look better if it were just two hands grasping each other. Or, a bunch of hands underneath the world/webpages. Actually if its not too hard could you just bring out the world/webpages that are in center so its in the foreground and is ontop of the arms. I'd like to see what that looks like. --RobGubler\r
+\r
+ Here you go:\r
+\r
+http://anil.net.in/images/drwg/hcoop/hcoop_rh_globe_z.png\r
+\r
+ I'd rather not do the same to the web pages one as the inlaid picture does not have (black) borders (like the globe) and it blends with the color of the hands, making a mess. I thought some regular shape binding a theme is good for logos to be used in a different places (ranging from the main pages to the tiny icon beside the URL). When shrunk, the inlay graphics are losing significance. Its just the shades of the hands and the overall shape that is felt. We should try another web-pages graphic to be placed over the hands. -- AnilNarayanan\r
+\r
+ That was quick. I like this; it's clean, simple, and elegant. --RobGubler\r
+\r
+=== Some more combinations ===\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hc_rh_glb_pc.png || http://anil.net.in/images/drwg/hcoop/hc_ar_glb.png ||\r
+|| Primary colors used || Dropped the hands ||\r
+\r
+==== Other inset pics ====\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hc_rh_h.png || http://anil.net.in/images/drwg/hcoop/hc_rh_pcb.png ||\r
+|| 'h' for hcoop || PCB indicating computers. ||\r
+\r
+ I'm really really liking your last few batches of logos. They look very professional. Probably the PCB one is not the most appropriate however, since "hardware" is sort of incidental to our purpose. I love the globe graphic you did as well with the swoopy orbit, that was very clever. However I had to stare at it for a long time to figure out that the thingy on the end is an RJ-45 plug (the networking hint clued me in)--the first thing that came to mind was that it looked like a tank. Perhaps if the tab and the pins were a little more visible? --NathanKennedy\r
+\r
+ For what it's worth, the correct identity was immediately apparent to me. --AdamChlipala\r
+\r
+ '''Tried improving the RJ45 connector'''\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hc_rh_glb_rj45_2.png || Bigger copy of this with transparent background is [http://anil.net.in/images/drwg/hcoop/hc_rh_glb_rj45_big.png here] ||\r
+\r
+ Its a bit cartoonish; I wanted to avoid too many fine lines. There is a small problem I ran into while making the new logo and did some dirty fixing. Let me know if you could figure out the issue from the pic. --AnilNarayanan\r
+\r
+=== business style ===\r
+\r
+http://www.geocities.com/kuribas/hcoop.png\r
+\r
+This logo has a businesslike style. Actually it is not really a logo, but more a top-banner for the website. The connected o's stand for cooperation, while the mouse stands for, well, the internet :)\r
+--KristofBastiaensen\r
+\r
+=== Badges ===\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hcbadge.png || A sample attribution pic. The 'proud member' phrase is from MichaelOlson's [http://www.mwolson.org site]. (Gif format is [http://anil.net.in/images/drwg/hcoop/hcbadge.gif here]) --AnilNarayanan ||\r
+\r
+I don't think we've ever used "H-Coop" to name ourselves before. I've taken to using "HCoop" without any official discussion. There's room to settle on a capitalization/etc. convention that everyone likes, but we should definitely be consistent. --AdamChlipala [Someone overwrote this post in an edit, perhaps not paying attention to the warning that someone else is editing.]\r
+\r
+|| http://enthalpy.net/images/hcbadge.png || Slightly modified text. [http://enthalpy.net/images/hcbadge.gif Gif version]. --DavidBettis ||\r
+\r
+Thanks Anil and David! It looks great. --MichaelOlson\r
+\r
+|| http://anil.net.in/images/drwg/hcoop/hcbadge2.gif ||<rowspan=2> Removed hyphen from name -- AnilNarayanan||\r
+|| http://anil.net.in/images/drwg/hcoop/hcbadge3.gif ||\r
--- /dev/null
+Before continuing with this page, you probably want to read DomainTool to learn the basics of how we handle shared daemon configuration.\r
+\r
+If you would like a mailing list managed by our global [http://www.list.org/ Mailman] installation you must first [https://members.hcoop.net/portal/list place a request on the portal]. You then have a choice between doing list management at [http://hcoop.net/cgi-bin/mailman/admin/LISTNAME http://hcoop.net/cgi-bin/mailman/admin/''LISTNAME''] or at your own domain.\r
+\r
+If you are fine with using the main hcoop.net site for your list's web interface, then there is nothing left to do except wait for the list to be created. If you would like the web interface to be at your own domain, then you must do some simple domain configuration.\r
+\r
+''LISTNAME'' is the name you gave your list, ''DOMAIN'' is your domain, and ''TLD'' is the TLD (org, com, name, ...) of your domain, ''VHOST'' is the virtual subdomain you would like the web interface to be accesible from. If you want to access the site from your domain with no subdomain then use the default virtual host for ''VHOST''.\r
+\r
+ * Write `VHOST.DOMAIN.TLD` to `/etc/domains/TLD/DOMAIN/.mailman`. You must do this '''before''' requesting the list on the portal or it will have no effect.\r
+ * Place the `Mailman` directive in the VirtualHostConfiguration at `/etc/domains/TLD/DOMAIN/VHOST`.\r
+ * Run domtool\r
+\r
+Now the list admin web interface will be available at http://VHOST.DOMAIN.TLD/cgi-bin/mailman/admin/LISTNAME.\r
+\r
+Note that you '''can''' host mailing lists with us that use your own domains even if your domain is primarily hosted elsewhere. However, the best way we know of doing this is for you to point your domain's MX record to `mail.hcoop.net`. If you don't know what this means, then you probably shouldn't be trying anything so complicated as splitting a domain's hosting between several providers in the first place.\r
--- /dev/null
+## page was renamed from ThwartingPackages\r
+We override the behavior of some Debian packages, such that we need to re-make some changes each time they update. The `/usr/local/sbin/fixperms` script is responsible for doing this, so you should run it after an `apt-get upgrade`. Currently, it does this:\r
+\r
+{{{chown list.list /usr/lib/cgi-bin/mailman/*\r
+chmod g-s /usr/lib/cgi-bin/mailman/*\r
+chmod u+s /usr/lib/cgi-bin/mailman/*\r
+\r
+chown -R list /var/lib/mailman/lists/*}}}\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+#format wiki\r
+#language en\r
+== Matthieu Sozeau ==\r
+\r
+Email: [[MailTo(mattam AT SPAMFREE mattam DOT org)]]\r
+\r
+...\r
+\r
+I'm a french PhD student, member of HCoop where I host my personal [http://mattam.org website].\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+= Summary =\r
+\r
+We discussed plans related to setting up our new, more robust hosting set-up.\r
+\r
+Unfortunately, board member NathanKennedy didn't show up, so we couldn't declare it an official board meeting.\r
+\r
+= Decisions =\r
+\r
+ * We settled on DavorOcelic, JustinLeitgeb, and MichaelOlson as the new team of system administrators, along with AdamChlipala transitioning to only the role of author and maintainer of custom administration software, but no day-to-day support request handling. The new team will lead the planning of our new hosting infrastructure, but we'll keep our current admin team until that's ready.\r
+ * We chose Hurricane Electric as our next colo provider, pending any new information that might come up. You can find the quotes given to use by them and other providers on ColocationProvidersEvaluation.\r
+ * We decided that our new hosting plans require purchasing the following hardware: one server that all members are allowed to log into, one server accessible only to admins, a network-accessible serial console, and a switch. More detail on NewSystemHardware.\r
+\r
+= Action Items =\r
+\r
+ * We need to figure out what models/configurations of hardware to buy and where to buy it! Everyone is encouraged to research the options and report them on NewSystemHardware.\r
+ * We've created a new mailing list, `hcoop-sysadmin`. Its purpose is to host quite technical discussions on how we should configure our servers. It's open to everyone, not just official sysadmins, and the intention is that we continue to use this list throughout HCoop's lifetime, keeping `hcoop-discuss` more for social or less technical discussion. Everyone with an interest in this stuff is encouraged to join by subscribing himself via the [https://members.hcoop.net/portal/pref Portal Preferences page]!\r
+ * We've scheduled our next meeting (hopefully an official board meeting!) for exactly a week after this one: [http://www.timeanddate.com/worldclock/fixedtime.html?month=7&day=1&year=2006&hour=11&min=0&sec=0&p1=224 Saturday, July 1, 2006 at 18:00:00 UTC]. Hopefully research on hardware options will be complete by then, and we can make some definite choices about what to buy.\r
+\r
+= IRC Log =\r
+\r
+AdamChlipala created this log with X-Chat.\r
+\r
+{{{\r
+Jun 24 11:20:47 <Smerdyakov> OK, the appointed time is here.\r
+Jun 24 11:21:01 <Smerdyakov> How about we start with an official announcement of presence from everyone who's here and watching?\r
+Jun 24 11:21:03 <Smerdyakov> Hi!\r
+Jun 24 11:21:15 <iriefrank> no its not healthy\r
+Jun 24 11:21:35 <Optikal_> I am here.\r
+Jun 24 11:21:41 <iriefrank> Frank Bynum here\r
+Jun 24 11:21:46 <leitgebj> Hi all.\r
+Jun 24 11:21:47 <jch5> this is John Hallgren from Cape Cod MA\r
+Jun 24 11:21:48 <Smerdyakov> And deactivate off-topic conversation for the duration. :)\r
+Jun 24 11:22:20 * Smerdyakov pings docelic.\r
+Jun 24 11:22:30 <bpt> i am here\r
+Jun 24 11:22:51 >docelic_< Ready to start?\r
+Jun 24 11:22:59 <docelic_> Yep we can start\r
+Jun 24 11:23:20 <Smerdyakov> OK. I think the first thing is to decide officially who is in charge of being in charge of things. ;)\r
+Jun 24 11:23:21 <docelic_> (Davor Ocelic here)\r
+Jun 24 11:23:44 <bpt> <- Brian Templeton\r
+Jun 24 11:23:44 <Smerdyakov> ntk isn't here, so this doesn't count as a board meeting per our bylaws, but docelic and I can still make official decisions by majority vote.\r
+Jun 24 11:24:12 <Smerdyakov> We have our admin volunteers listed here: http://wiki.hcoop.net/wiki/AdminVolunteers\r
+Jun 24 11:24:44 <Smerdyakov> ntk volunteered himself half-heartedly in case we didn't find enough folks. What do we think? Is 3 sysadmins a good number, or do we want 4?\r
+Jun 24 11:25:52 <jch5> from a lowly user POV, if 4 is possible, I'm appreciate it...to cover all time slots and backup/vacation\r
+Jun 24 11:25:53 <docelic_> Do we want to make a complete decision now, or a decision of "3 now, with one slot open" is good enough?\r
+Jun 24 11:25:54 <Smerdyakov> We're making do now with, effectively, 2, where one (me) doesn't really want to be doing day-to-day sysadmin stuff.\r
+Jun 24 11:26:25 <leitgebj> I think that if it was a half-hearted self-nomination, we are OK with 3 until someone comes along who is interested. ntk is doing a lot with the co-op without taking on more responsibilities, unless he really wants them. I am also confident that someone will come along in short time who is willing to do the job.\r
+Jun 24 11:26:29 <Smerdyakov> jch5, the counterbalancing issue is that more people with root access degrades security.\r
+Jun 24 11:26:53 <iriefrank> three is fine with me, i dont think we need an official declaration of how many sysasmin "slots" there are either\r
+Jun 24 11:27:06 <docelic_> I'm a little surprised we couldn't come up with 4. There's been a number of people who expressed their interest over time :(\r
+Jun 24 11:27:07 <Smerdyakov> Incidentally, I'm also suggesting that I retain root access as the person in charge of software infrastructure... AKA maintaining domtool and related stuff.\r
+Jun 24 11:27:25 <Smerdyakov> So that would be 4 with docelic, leitgebj, mwolson, and me.\r
+Jun 24 11:27:46 <leitgebj> Smerdyakov, I think that sounds like a solid plan.\r
+Jun 24 11:27:54 <docelic_> Sounds good.\r
+Jun 24 11:27:55 <Smerdyakov> iriefrank, there are administrative things like whom to make sure is present at meetings about sysadmin stuff. :)\r
+Jun 24 11:27:58 <jch5> 10-4\r
+Jun 24 11:28:34 <Smerdyakov> OK, so it sounds like for now we'll assume the roster of sysadminesque people I just stated.\r
+Jun 24 11:29:19 <Smerdyakov> Now I think we should turn to choosing our next colo provider: http://wiki.hcoop.net/wiki/ColocationProvidersEvaluation\r
+Jun 24 11:29:41 <Smerdyakov> HE seems to have the most attractive deal at present. Any objections to taking them as our intended provider going forward?\r
+Jun 24 11:30:09 <leitgebj> I also think that he.net is the best option.\r
+Jun 24 11:30:30 <leitgebj> docelic, how do you feel?\r
+Jun 24 11:31:45 <docelic_> I wasn't much into data collection for this round\r
+Jun 24 11:31:52 <docelic_> I've read all there was on the subject earlier today\r
+Jun 24 11:31:59 <Smerdyakov> docelic, you can see on their page that they have the lowest price. ;)\r
+Jun 24 11:32:17 <docelic_> and I heared of HE.net before. We considered them in the previous round too, or I heared of them from some other place ?\r
+Jun 24 11:32:52 <Smerdyakov> I don't know.\r
+Jun 24 11:33:48 <Smerdyakov> OK... I don't see a lot of deliberation. docelic, are you pondering this now, or are you just yielding to our conclusion? :)\r
+Jun 24 11:34:16 <docelic_> I was just doing inquiries, but I agree with going on with HE\r
+Jun 24 11:34:33 <docelic_> My point was that, if it wasn't in our previous round, then I heared good things about HE from other places as well\r
+Jun 24 11:35:08 <Smerdyakov> OK. That leaves us to figure out exactly what we want to host there.\r
+Jun 24 11:35:36 <Smerdyakov> Whose natural home is http://wiki.hcoop.net/wiki/SystemArchitecturePlans\r
+Jun 24 11:35:52 <docelic_> Are we looking to move abu and fyodor there ?\r
+Jun 24 11:36:02 * voider (n=Is@modemcable169.254-80-70.mc.videotron.ca) has joined #hcoop\r
+Jun 24 11:36:16 <Smerdyakov> docelic, we don't own fyodor, so I think that's a "no" there.\r
+Jun 24 11:36:26 <Smerdyakov> docelic, Abu is something we haven't decided on yet.\r
+Jun 24 11:36:29 <docelic_> Well I mean in a software sense\r
+Jun 24 11:36:35 <voider> hi guys\r
+Jun 24 11:36:36 <Smerdyakov> docelic, eh?\r
+Jun 24 11:36:40 <docelic_> hello voider \r
+Jun 24 11:36:40 <voider> i am late?\r
+Jun 24 11:36:56 <voider> *am i*\r
+Jun 24 11:37:06 <docelic_> voider: not much, we agreed on admin structure (leitgebj, mwolson, adam and me), and to go with HE.net for next provider\r
+Jun 24 11:37:06 <Smerdyakov> voider, not so late. We decided on who the sysadmins would be, decided to go with HE as our next colo provider, and now we discuss system architecture to colocate.\r
+Jun 24 11:37:26 <docelic_> Smerdyakov: I didn't mean "moving" in sense of relocating hardware, but services\r
+Jun 24 11:37:29 <voider> ok good\r
+Jun 24 11:37:49 <metaperl> what about Mike_L as admin?\r
+Jun 24 11:37:50 <Smerdyakov> docelic, it has been my assumption the whole time that all of our primary services would move to the new servers.\r
+Jun 24 11:37:58 <Smerdyakov> metaperl, he didn't add himself to the candidate list.\r
+Jun 24 11:38:09 <voider> i'll mostly act as a spectator, I don't know enough about the way you operate hcoop yet\r
+Jun 24 11:38:15 <Smerdyakov> metaperl, and I think he doesn't have much interest in the level of time commitment that is appropriate.\r
+Jun 24 11:38:15 <docelic_> metaperl: just like Clinton didn't \r
+Jun 24 11:38:27 <docelic_> Smerdyakov: ok then\r
+Jun 24 11:39:05 <Smerdyakov> The SAP wiki page lists three servers: file server, member accessible server (the scary zone!), locked-down server (where we keep as much as we can).\r
+Jun 24 11:39:35 <Smerdyakov> I think of all of these as limited to "Internet hosting" stuff only.\r
+Jun 24 11:39:54 <Smerdyakov> We could also consider (space permitting) to move Abu to the new colo place and make that a generic "shell server" for whatever.\r
+Jun 24 11:40:06 <docelic_> ok\r
+Jun 24 11:40:07 <Smerdyakov> We could even buy a new server for that, but this seems a good use for something we have around anyway.\r
+Jun 24 11:40:31 <Smerdyakov> But I consider that something to do after the main stuff is up and running smoothly.\r
+Jun 24 11:41:14 <Smerdyakov> Does anyone object to the very high-level proposed configuration for the main 3 servers?\r
+Jun 24 11:41:28 <Smerdyakov> Or have any suggestions at that level before we drill down..\r
+Jun 24 11:42:32 <docelic_> I think it's OK. One thing that wasn't mentioned, and it should have been as it's the same logical level as AFS fileserver, is centralized login DB\r
+Jun 24 11:43:03 * mwolson (i=mwolson@jpi-wlafyte-213-192.dmisinetworks.net) has joined #hcoop\r
+Jun 24 11:43:06 <docelic_> Very probably using LDAP\r
+Jun 24 11:43:15 <docelic_> mwolson: short summary: \r
+Jun 24 11:43:19 <Smerdyakov> Yes. I've always associated that with AFS in my CMU days. I think it was based on Kerberos; that is, I know Kerberos was used, but I'm not sure if there was something else more fundamental.\r
+Jun 24 11:44:01 <mwolson> oh ... darnit\r
+Jun 24 11:44:04 <docelic_> mwolson: admins: leitgebj, mwolson, adam, docelic. Next provider: HE.net. System structure OK as proposed on http://wiki.hcoop.net/wiki/SystemArchitecturePlans\r
+Jun 24 11:44:09 <leitgebj> Right, I was thinking of Kerberos as well, even though I haven't used it before. I have used ldap a bit.\r
+Jun 24 11:44:42 <docelic_> Well, AFS has something like kerberos built-in for authentication, but you can plug it into existing kerberos setup if you have one\r
+Jun 24 11:44:54 <Smerdyakov> I know Kerberos and AFS also work well with geographically distributed networks... so it could scale well to future set-ups where we branch out into multiple main locations.\r
+Jun 24 11:45:15 <docelic_> So AFS would imply using kerberos, and somehow by nature of things, kerberos would imply LDAP\r
+Jun 24 11:45:29 <Smerdyakov> Maybe. I never used LDAP in my experiences in college.\r
+Jun 24 11:45:45 <Smerdyakov> That is, I never did something where it was obvious that the LDAP protocol was involved.\r
+Jun 24 11:45:55 <Smerdyakov> Anything could have happened behind the scenes.\r
+Jun 24 11:46:21 <docelic_> I've read the O'reilly book on LDAP and played with it last month, in a more serious way than before\r
+Jun 24 11:46:42 <mwolson> i've set up LDAP before at my LUG\r
+Jun 24 11:47:54 <mwolson> i'd be willing to do so here, if we decide on it\r
+Jun 24 11:48:19 <Smerdyakov> I think we should pick a main person in charge of the purchase and set-up of the new systems.\r
+Jun 24 11:48:36 <Smerdyakov> I anti-nominate me because I do a lot of stuff already, AND I don't know much about this stuff. ;)\r
+Jun 24 11:48:53 <docelic_> I volunteer for the software setup, as usual\r
+Jun 24 11:49:16 <Smerdyakov> What about hardware elements?\r
+Jun 24 11:50:02 <Smerdyakov> *a pin drops*\r
+Jun 24 11:50:08 <leitgebj> I am in the process of buying a house right now, and that may complicate things. \r
+Jun 24 11:50:48 <Smerdyakov> Well, I know I'll screw something up if _I'm_ in charge of it!\r
+Jun 24 11:50:48 <leitgebj> I am willing to help, but I imagine that what will happen is that we will have the servers shipped to a physical location, plugged into a network, e.g., dsl connection. then they are configured and sent to the colo provider.\r
+Jun 24 11:51:14 <Smerdyakov> leitgebj, there are serious issues of just _which_hardware_ to buy, and I think you expressed opinions there in the past.\r
+Jun 24 11:51:17 * Optikal___ (n=optikal@pool-70-18-225-250.res.east.verizon.net) has joined #hcoop\r
+Jun 24 11:51:37 <leitgebj> Right, that's another stage of the planning that seems to have not been settled fully.\r
+Jun 24 11:51:44 <leitgebj> Maybe we should start there. \r
+Jun 24 11:51:55 <leitgebj> How much money do we have, or have access to?\r
+Jun 24 11:51:58 <Smerdyakov> That's what I was talking about: appointing someone in charge fo that stage.\r
+Jun 24 11:52:22 <leitgebj> I volunteer to lead that part of the process.\r
+Jun 24 11:52:51 <Smerdyakov> Here we can see how much we theoretically will commit to spending per month: https://members.hcoop.net/portal/poll?id=8\r
+Jun 24 11:52:57 <jch5> i'd just ask to not overbuy and spend extra $$$ unneeded\r
+Jun 24 11:53:18 <voider> I have a question, dunno if it has been discussed before: how will all this cost? How will it affect the montly payment?\r
+Jun 24 11:53:31 <voider> ah\r
+Jun 24 11:53:32 <docelic_> voider: look at the URL Smerdyakov pasted\r
+Jun 24 11:53:36 <Smerdyakov> I get $317 dollars considering the lower bounds of people who voted.\r
+Jun 24 11:53:58 <Smerdyakov> voider, we will use sliding scale payments to make sure there is no serious increase for people who don't feel HCoop is worth investing more.\r
+Jun 24 11:54:21 <voider> shit, I don't have my password here\r
+Jun 24 11:54:29 <voider> and I forgot it :/\r
+Jun 24 11:54:38 <voider> I'll check that link when I return back to home\r
+Jun 24 11:55:01 <jch5> in my case, it's not that it's not worth it...just that I have a very limited budget for my site\r
+Jun 24 11:55:11 <Smerdyakov> I was somewhat surprised by the scarcity of high-end answers to that poll. :\\r
+Jun 24 11:55:24 <Smerdyakov> Lots of people not willing to spend as much as they do for cable TV. :P\r
+Jun 24 11:55:56 <docelic_> We need to figure out new ways to increase hcoop service value\r
+Jun 24 11:56:16 <voider> personnaly I'm not in a situation that allow me to spend much for my hosting\r
+Jun 24 11:56:23 <Smerdyakov> leitgebj, there are issues to consider of "do we want to take out loans?" and "do we want to have some loan-like structure arranged amongst ourselves?" and "do we expect a number of members to make one-time donations for hardware that will never be paid back?".\r
+Jun 24 11:56:29 <mwolson> bah, who would pay money to see mostly commercials ...\r
+Jun 24 11:56:39 <jch5> I've got $6 a month for all my site expenses...\r
+Jun 24 11:56:49 <Optikal___> $50 a month is outrageous for web hosting, especially non-commercial\r
+Jun 24 11:57:01 <Smerdyakov> jch5, that's what's always confused me about your situation. What's so bad about paying out of your own pocket?\r
+Jun 24 11:57:06 <mwolson> (referring to cable TV)\r
+Jun 24 11:57:14 <Smerdyakov> jch5, I pay out of my own pocket for a number of groups whose web sites I host.\r
+Jun 24 11:57:36 <Smerdyakov> jch5, but that's distracting now and perhaps interesting to bring up later.. :)\r
+Jun 24 11:57:54 <Smerdyakov> Optikal_, $50 a month is a negligible investment for the average young IT hotshot. :P\r
+Jun 24 11:58:05 <Optikal___> I don't think of money in relative terms\r
+Jun 24 11:58:13 <jch5> it's designed to be self supporting by users.. i provide the brains...well most \r
+Jun 24 11:58:51 <Smerdyakov> leitgebj, I hope that answered your question. ;)\r
+Jun 24 11:59:28 <voider> someone can tell the big lines of the above pasted link please?\r
+Jun 24 11:59:29 <leitgebj> OK, that is fine. There is something that I've been thinking of in relation to the system architecture, though. It seems that we are just over the point where one system suffices. Can we consider buying two solid servers to host at he.net? That should be more than sufficient for quite a while, if we are smart about building them.\r
+Jun 24 11:59:30 <Optikal___> and this isn't exactly an investment, all the returns go to other hcoop members.\r
+Jun 24 11:59:38 <voider> you're talking about 50/month ?\r
+Jun 24 11:59:55 * voider scratches his scrotum\r
+Jun 24 12:00:04 <Smerdyakov> leitgebj, that might be sensible. Would you think of combining "file server" and "locked-down server"?\r
+Jun 24 12:00:31 <leitgebj> Perhaps. I guess I didn't get that far yet! ;)\r
+Jun 24 12:00:34 <Smerdyakov> voider, the most popular answer was that people are willing to pay $6-$10/mo. in the short term while we build membership and pay off loans.\r
+Jun 24 12:00:53 <Smerdyakov> leitgebj, because there are many nice consequences of having a server where only admins can log in.\r
+Jun 24 12:01:19 <voider> ok\r
+Jun 24 12:01:19 <leitgebj> Smerdyakov, certainly, I agree that we should have one machine with only admin logins.\r
+Jun 24 12:01:50 <mwolson> that machine had better be doing other things as well though :^)\r
+Jun 24 12:02:04 <Smerdyakov> leitgebj, well... it seems only natural that the file server should be on that machine instead of the one where users go wild running their programs. :)\r
+Jun 24 12:02:16 <leitgebj> Smerdyakov, I agree.\r
+Jun 24 12:02:39 <Smerdyakov> As long as we keep a clean upgrade path to dedicated fileserver mode..\r
+Jun 24 12:03:15 <docelic_> Technically we could group together 1) and 3). (fileserver, and other services used through protocols and not shell)\r
+Jun 24 12:03:23 <Smerdyakov> Anyone else's thoughts on leitgebj's idea?\r
+Jun 24 12:03:48 <docelic_> It would reduce bandwidth too. Like, no need for mail server to lay data on a fileserver that's remote\r
+Jun 24 12:03:56 <Smerdyakov> leitgebj, also, I wouldn't really say that we've outgrown a single machine... rather that a certain level of redundancy is important for reliability.\r
+Jun 24 12:04:08 <Smerdyakov> docelic, but it would be local bandwidth only. *shrug*\r
+Jun 24 12:04:40 <Optikal___> Are most the reliability problems at the machine level rather than the network level?\r
+Jun 24 12:04:45 * voider has quit (Read error: 104 (Connection reset by peer))\r
+Jun 24 12:04:57 <docelic_> Smerdyakov: yeah.. still. Well the price would be most visible factor in this condensed setup. And admining would be a little easier as well\r
+Jun 24 12:05:10 <docelic_> Why have 2 machines with admin-logins only when there can be one\r
+Jun 24 12:05:24 <docelic_> I kind of like the 2-in-1 idea actually, in this phase at least\r
+Jun 24 12:05:25 <mwolson> docelic_: yeah, it would definitely be best to have fileserver and mailserver on the same machine; i know NFS at least does not like writing to many small files\r
+Jun 24 12:05:35 <Smerdyakov> docelic, compute-bound and disk-bound servers have very different criteria for good hardware specs... that's one reason.\r
+Jun 24 12:06:27 <docelic_> Smerdyakov: right. However, I estimate buying one is still better, as you can save on prt of specs that would be underused if there was 2 separate systens\r
+Jun 24 12:06:34 <Smerdyakov> But I agree that price concerns trump that sort of thing today, as long as we can meet a certain performance threshold to be determined.\r
+Jun 24 12:06:39 <docelic_> part* and systems*\r
+Jun 24 12:07:19 * voider (n=Is@modemcable169.254-80-70.mc.videotron.ca) has joined #hcoop\r
+Jun 24 12:07:20 <docelic_> With modern AMD or Intel processors, we can do anything\r
+Jun 24 12:07:44 <Smerdyakov> docelic, for instance, file server might be more reliable with a complicated RAID mode that slows down ordinary operation.\r
+Jun 24 12:07:44 * Optikal_ has quit (Read error: 110 (Connection timed out))\r
+Jun 24 12:08:03 * TheDebugger (i=TheDebug@modemcable135.111-81-70.mc.videotron.ca) has joined #hcoop\r
+Jun 24 12:08:12 * TheDebugger (i=TheDebug@modemcable135.111-81-70.mc.videotron.ca) has left #hcoop\r
+Jun 24 12:08:55 <voider> oops, lost connection\r
+Jun 24 12:09:10 <Smerdyakov> OK... so have we magically shifted to agreeing on a two-server main set-up?\r
+Jun 24 12:09:20 <docelic_> Smerdyakov: you are right. But it comes down to estimating what's good enough, and as far as Im concerned, 1 system setup could work in this phase.\r
+Jun 24 12:09:33 <docelic_> With a physical room to grow at HE, we can always split later\r
+Jun 24 12:10:01 <Smerdyakov> It would be nice to have an automated system for switching static web sites between servers in an emergency.\r
+Jun 24 12:10:27 <docelic_> Between which servers ?\r
+Jun 24 12:10:30 <leitgebj> Smerdyakov, I was thinking about that, too... actually would be pretty easy to make it work with dynamic sites as well, in the future.\r
+Jun 24 12:10:41 <Smerdyakov> The big pain I've encountered with fyodor is ulimits and related stuff.\r
+Jun 24 12:10:58 <Smerdyakov> They tend to interfere with system services, at least when a novice like me sets things up\r
+Jun 24 12:11:06 <Smerdyakov> Which is why I think two servers is worth the effort.\r
+Jun 24 12:11:15 <docelic_> Smerdyakov: the ulimits thing is working pretty well now that it settled down , doesn't it ?\r
+Jun 24 12:11:39 <Smerdyakov> docelic, maybe you figured out the right way to restart services so they aren't killed for forking, but I'm still not sure. :)\r
+Jun 24 12:13:20 <leitgebj> I think that there are lots of reasons to have two systems. In an extreme case (hardware on one machine dies), we could also recover in less time by switching services to the other box. Currently, we would have to buy a machine, configure it, and send it out. That is a lot of time that the coop would be down for.\r
+Jun 24 12:14:27 <docelic_> Smerdyakov: there was a discussion in Debian about it, I made a mental note to read the conclusion, but IIRC I think this was some system level problem with limit inheritance that was identified and planned to be fixed \r
+Jun 24 12:14:53 <Smerdyakov> Well... are we agreed on two servers, or are one or three still in consideration?\r
+Jun 24 12:15:38 <docelic_> I suppose the "two servers" you and leitgebj mentioned just now, were actually meant as "two admin-only servers", as in fileserver and other server separate ?\r
+Jun 24 12:15:45 <Smerdyakov> No.\r
+Jun 24 12:15:49 <Smerdyakov> Not when I said it, at least\r
+Jun 24 12:15:51 <jch5> and that is one reason I was wondering why Abu can't be used as emergency backup for current sys...just curious.. \r
+Jun 24 12:16:03 <docelic_> "<leitgebj> I think that there are lots of reasons to have two systems. "\r
+Jun 24 12:16:07 <Smerdyakov> jch5, we haven't taken the time to set it up.\r
+Jun 24 12:16:25 <leitgebj> I meant two systems, total. One for admin, and one for user access. Nothing else, to start.\r
+Jun 24 12:16:28 <Smerdyakov> jch5, and Abu has some crappy set-up aspects to it... plus unaffordable bandwidth rates at its location.\r
+Jun 24 12:17:29 <Smerdyakov> Using fyodor as an automatic back-up would be feasible once the new stuff is going.\r
+Jun 24 12:17:55 <Smerdyakov> Since we have enough "free bandwidth" to transfer a complete dump of users' web site content in an emergency without going broke.\r
+Jun 24 12:18:02 <jch5> Smerdyakov: that idea works for me.. \r
+Jun 24 12:18:23 <docelic_> leitgebj: ah, that's assumed. We were thinking about 2 servers vs. 3 servers choice\r
+Jun 24 12:20:15 <Smerdyakov> _OK_, so it seems that we agree on 2 main servers total.\r
+Jun 24 12:20:48 <docelic_> ok\r
+Jun 24 12:20:51 <jch5> is there any situation where we might need a server just for time of conversion but not ongoing?\r
+Jun 24 12:21:01 <docelic_> no\r
+Jun 24 12:21:18 <leitgebj> I don't think so... that is what fyodor and abu are for! ;)\r
+Jun 24 12:21:47 <jch5> i meant in terms of what is located at HE\r
+Jun 24 12:22:40 <jch5> remember, i'm just an slightly literate user who used to be a mainframe pgmr\r
+Jun 24 12:23:34 <Smerdyakov> jch5, I think the answer is no, but I don't quite understand the question... let's move on, OK? :)\r
+Jun 24 12:25:06 <Smerdyakov> I am officially declaring that we have decided on 2 main servers: one for things that require member log-in and one for things that don't.\r
+Jun 24 12:25:08 <jch5> fine...(once my employer had to rent a second CPU just for period of conversion from old to new)\r
+Jun 24 12:25:30 <Smerdyakov> That isn't meant as an undeniable edict, but just to get things going... make an explicit objection if you want to question the assumption.\r
+Jun 24 12:25:46 <Smerdyakov> Now, what hardware should we buy and where?\r
+Jun 24 12:26:07 <Smerdyakov> unknown_lamer questioned the value of a hardware firewall on the wiki. I'm inclined to agree that we can at least avoid one to start.\r
+Jun 24 12:26:32 <leitgebj> I agree.\r
+Jun 24 12:26:34 <Smerdyakov> So what does that leave us to buy that wouldn't be contained inside one of the servers?\r
+Jun 24 12:26:56 <Smerdyakov> Serial console seems like a potential life-saver and worth any reasonable one-time cost.\r
+Jun 24 12:27:15 <docelic_> You mean a serial console we can connect to remotely ?\r
+Jun 24 12:27:19 <Smerdyakov> Yes.\r
+Jun 24 12:27:27 <docelic_> That's a winner, for sure\r
+Jun 24 12:27:29 <leitgebj> With only two machines, there would also be no reason to a switch. Most modern servers come with two nics, and we can set up a network between them for the LAN.\r
+Jun 24 12:27:48 <Smerdyakov> leitgebj, what if we move Abu in as a generic shell server?\r
+Jun 24 12:28:00 <leitgebj> Can one of you point me to a manufacturer of a serial console? I've never used one.\r
+Jun 24 12:28:14 <docelic_> leitgebj: cyclades.com (long-time linux friends)\r
+Jun 24 12:28:19 <Smerdyakov> leitgebj, no. I'm ignorant. tarsin recommended them to me first, I think.\r
+Jun 24 12:28:30 <leitgebj> Smerdyakov, do we have a wiki page with specs on abu?\r
+Jun 24 12:28:44 <Smerdyakov> leitgebj, I don't think so.\r
+Jun 24 12:29:18 <Smerdyakov> Here's something from the old wiki on it:\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> AMD Athlon Thunderbird 1.33GHz 266MHz FSB 256KB cache\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> CoolJag JAC311C low profile 1U cooling fan and heatsink\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> 2x 256MB Kingston PC2100 CL2.5 DDR RAM\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> Asus A7N266-VM nVidia nForce 220 266MHz FSB motherboard (onboard vid + LAN)\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> 2x IBM 40GB 120GXP IDE 7200rpm 2MB cache 3YR warranty hard disk, mirrored with RAID-1\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> SuperMicro SC811-IDE 1U 200W rackmount case\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> 3Ware Escalade 3W-6410 PCI IDE RAID adapter (4x UDMA66 EIDE ports)\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> 32bit 33MHz PCI riser card\r
+Jun 24 12:29:19 <Smerdyakov> *\r
+Jun 24 12:29:19 <Smerdyakov> 12X IDE slim CDROM (from a Toshiba laptop)\r
+Jun 24 12:29:48 <Smerdyakov> Later amended with these:\r
+Jun 24 12:29:49 <Smerdyakov> *\r
+Jun 24 12:29:49 <Smerdyakov> AMD Duron 900MHz 192KB cache 200MHz FSB\r
+Jun 24 12:29:49 <Smerdyakov> *\r
+Jun 24 12:29:49 <Smerdyakov> CoolJag JAC313C low profile fan and heatsink\r
+Jun 24 12:29:49 <Smerdyakov> *\r
+Jun 24 12:29:49 <Smerdyakov> Gigabyte GA-7VKML VIA KM266 motherboard (onboard vid + LAN)\r
+Jun 24 12:30:45 <leitgebj> As long as it doesn't push us over our space limit, and it doesn't become an important single point of failure, it shouldn't matter. 1U should be fine hanging out at HE until we have a need for the space. Would we want to send it somewhere to reload the OS before shipping it to HE?\r
+Jun 24 12:31:14 <Smerdyakov> We asked for the initial size quote assuming three servers, so I imagine it would be fine.\r
+Jun 24 12:31:18 <docelic_> Depends on HE and setup\r
+Jun 24 12:31:32 <docelic_> I would love to be able to do basic setup without hardware at my place\r
+Jun 24 12:31:42 <Smerdyakov> It would probably be cheaper to have it mailed to some member to set up first.\r
+Jun 24 12:31:45 <docelic_> If we would have serial console, I could install remotely\r
+Jun 24 12:31:47 <leitgebj> He gives us 7U with the plan that we were looking at.\r
+Jun 24 12:31:53 <docelic_> Smerdyakov: ^--\r
+Jun 24 12:32:14 <Smerdyakov> docelic, but you're pretty far from the current location... and extra distance is extra chance of damage.\r
+Jun 24 12:32:19 <leitgebj> I would probably be able to have it shipped to my place and plug it in to a high-speed connection... as long as it isn't in that period when I am moving houses.\r
+Jun 24 12:32:37 <Smerdyakov> mwolson is closest, I think. :)\r
+Jun 24 12:32:38 <docelic_> Smerdyakov: I said I could do it *without* it coming over to me\r
+Jun 24 12:33:12 <Smerdyakov> There probably is very little that needs doing, with the serial console.\r
+Jun 24 12:33:22 <Smerdyakov> Just get the OS going and hardware working..\r
+Jun 24 12:33:25 * Optikal___ has quit (Read error: 110 (Connection timed out))\r
+Jun 24 12:33:33 <docelic_> Smerdyakov: yes, as I said above\r
+Jun 24 12:33:39 <leitgebj> I would have no problem doing that, or mwolson, if he wants...\r
+Jun 24 12:33:40 <docelic_> I can even do a remote isntall with the console\r
+Jun 24 12:33:51 <mwolson> i'd be willing to receive a shipment and do initial installation stuff\r
+Jun 24 12:34:15 <Smerdyakov> mwolson, and it would also involve shipping it out again afterward, of course. :)\r
+Jun 24 12:34:20 <mwolson> i could just bring it with me to work and use the space there :^)\r
+Jun 24 12:34:24 <voider> where will be located the physical servers?\r
+Jun 24 12:34:37 <mwolson> Smerdyakov: right\r
+Jun 24 12:35:13 <Smerdyakov> voider, the quote we got seems to be for Fremont, CA... a 50 minute BART ride away from me.\r
+Jun 24 12:35:22 <mwolson> we usually go with Debian testing, right?\r
+Jun 24 12:35:45 <Smerdyakov> mwolson, I think that's a good idea for the users-can-log-in server; stable sounds good for the admins-only.\r
+Jun 24 12:35:55 <mwolson> ok\r
+Jun 24 12:36:03 <Smerdyakov> And even unstable for Abu if we use it as a generic shell server.\r
+Jun 24 12:36:17 <voider> CA?\r
+Jun 24 12:36:21 <Smerdyakov> California, USA\r
+Jun 24 12:36:21 <voider> US ?\r
+Jun 24 12:36:26 <voider> ok\r
+Jun 24 12:37:19 <voider> Im from quebec, CA\r
+Jun 24 12:37:23 <voider> as in Canada\r
+Jun 24 12:37:36 <Smerdyakov> Let's see... the reason we got into this discussion was because we were considering if we need to obtain a switch.\r
+Jun 24 12:37:46 <Smerdyakov> Let's get back to that... try to finalize the list of new hardware.\r
+Jun 24 12:38:33 <leitgebj> Well, with three machines the dual-nic's won't be sufficient anymore. I need to look at the He.net spec sheet on the colo page of our wiki to see if they provide one.\r
+Jun 24 12:38:37 <Smerdyakov> It sounds like, at most, we want 2 servers, serial console, and a switch.\r
+Jun 24 12:39:38 <mwolson> it'd probably be best to have a switch so that we don't get double traffic on one of the machines (and for the sake of future expansion)\r
+Jun 24 12:40:19 <jch5> and might we name one of them "Hopper"? (My suggested name that came in second place, i think)\r
+Jun 24 12:40:27 <mwolson> also, if the machine that passes the connection on gets rooted or goes down, well, there goes our redundancy plan\r
+Jun 24 12:40:27 <Smerdyakov> jch5, anything's possible. ;)\r
+Jun 24 12:40:49 <Erlang> I guess the names should be voted later right?\r
+Jun 24 12:40:49 <leitgebj> I'm guessing that HE won't provide a switch... we should look around at available models.\r
+Jun 24 12:40:58 <Smerdyakov> We should probably also have a full supply of replacement parts in the cabinet, which also suggests buying servers with similar hardware.\r
+Jun 24 12:41:01 <Smerdyakov> Erlang, yes\r
+Jun 24 12:41:07 <Erlang> good.\r
+Jun 24 12:41:24 * Erlang goes back to lurking mode.\r
+Jun 24 12:41:32 <leitgebj> Smerdyakov, definitely. Support contracts also often come in handy.\r
+Jun 24 12:42:15 <Smerdyakov> So the list seems to be: 2 servers, serial console, switch, replacement parts to cover the 2 servers (assuming failures are rare, so just one of each kind of part (?))\r
+Jun 24 12:42:15 <leitgebj> It is nice to know that someone will ship you a part in a known amount of time when something breaks... and something always does.\r
+Jun 24 12:42:50 <leitgebj> I don't know if we need replacement parts to cover the two servers... I don't think we want to buy a whole third server just for parts. I would rather spend the money on a support contract.\r
+Jun 24 12:43:13 <Smerdyakov> leitgebj, that would mean that, to keep high uptime, we'd really need to be sure one server can take over for a downed neighbor.\r
+Jun 24 12:43:36 <leitgebj> We may be able to get a support contract that guarantees that the part will arrive in 24h if something goes down.\r
+Jun 24 12:43:41 <jch5> i know names come later..(just thought a tenative name might make discussions of which machine being referred to easier)\r
+Jun 24 12:43:51 <Smerdyakov> With parts on hand, it can be fixed in 10 minutes...\r
+Jun 24 12:44:39 <leitgebj> Smerdyakov, it will be tricky with only two servers. Eventually, we should have a pool of servers behind a load balancer, then redundant database back-ends, etc. But I think that this is cost-prohibitive at the moment.\r
+Jun 24 12:45:06 <jch5> but does cost of spare parts on hand outweigh the advantage of getting better/newer parts to replace a failed?\r
+Jun 24 12:45:32 <Smerdyakov> jch5, they would only be meant to be used temporarily and would probably have worse specifications than the usuals.\r
+Jun 24 12:46:42 <jch5> fine...just asking the dumb questions that might prompt a smart thought by admins :) \r
+Jun 24 12:47:44 <Smerdyakov> leitgebj, so deciding by yourself you would choose to try to get a 24-hour part replacement contract?\r
+Jun 24 12:48:25 <leitgebj> yeah, or something similar. I think that we should move to eliminate single points of failure in the near future, but having an entire extra system in parts sitting around doesn't make sense to me.\r
+Jun 24 12:48:46 <Smerdyakov> OK. Some colo provider I corresponded with recommended it.\r
+Jun 24 12:49:44 <Smerdyakov> In any case, it's a feature that's easy to add later with no service interruption! :D\r
+Jun 24 12:49:48 <jch5> if we had 10 or 15 servers, having one as spare parts makes more sense....but one for two...nah\r
+Jun 24 12:50:32 <mwolson> jch5: yeah, having pre-bought spare parts for us seems pointless\r
+Jun 24 12:50:40 <leitgebj> Spare parts are a good idea... but I think that I would rather take a risk without the parts now to save money, and plan for the near future where we can have load-balancers, etc., in order to have no down time in the event of failures.\r
+Jun 24 12:50:58 <Smerdyakov> OK, then it seems our list of hardware to buy is 2xserver, serial console, and switch.\r
+Jun 24 12:51:20 <mwolson> sounds good to me\r
+Jun 24 12:51:39 <leitgebj> I move to at least seriously think about adding in the cost of hardware support contracts to the cost required for our configuration.\r
+Jun 24 12:51:55 <Smerdyakov> That's OK with me.\r
+Jun 24 12:53:10 <Smerdyakov> Time to move on to "where do we get this stuff?"?\r
+Jun 24 12:53:17 <docelic_> sounds good to me\r
+Jun 24 12:53:20 <leitgebj> Sure.\r
+Jun 24 12:54:18 <mwolson> at work newegg.com seems to be popular\r
+Jun 24 12:55:19 <Smerdyakov> PenguinComputing seems ncie for complete machines with combined warranties, but they only sell machines preloaded with RedHat or SUSE. :(\r
+Jun 24 12:55:34 <docelic_> does that matter? \r
+Jun 24 12:55:43 <docelic_> Over a console I can run install from scratch\r
+Jun 24 12:56:01 <Smerdyakov> docelic, seems a waste... and they must charge extra to some extent for the installation.\r
+Jun 24 12:56:50 <leitgebj> Smerdyakov, they probably have some kickstart schema setup where they only hit F12 on bootup to load the OS. Probably just a standard part of their hardware testing anyway.\r
+Jun 24 12:57:17 <mwolson> (newegg in particular might be good for the switch)\r
+Jun 24 12:57:30 <Smerdyakov> mwolson, ah, but not for the servers, right? (No on-site support contracts)\r
+Jun 24 12:57:38 <mwolson> Smerdyakov: right\r
+Jun 24 12:58:01 <leitgebj> I have seen hundreds of dell machines work well in production, and they have solid support contracts. They are also switching to AMD in the near future. That said, I wouldn't mind if we switched to someone like Penguin, it's just that I don't have experience with them.\r
+Jun 24 12:58:02 <Smerdyakov> I wonder what happens if the switch breaks, though. :o\r
+Jun 24 12:58:31 <mwolson> Smerdyakov: it's a very inexpensive item ...\r
+Jun 24 12:58:40 <Smerdyakov> mwolson, OK.\r
+Jun 24 12:58:47 <mwolson> manufacturer probably provides a warranty as well\r
+Jun 24 12:59:02 <leitgebj> I'd like to look at Cisco switches from a vendor with solid support. mwolson, I'm not so sure this is going to be a trivial expense ;)\r
+Jun 24 12:59:25 <mwolson> leitgebj: why? we only have 2-3 things to plug into it\r
+Jun 24 13:00:03 <leitgebj> If this interconnect goes down, all of our services go down.\r
+Jun 24 13:00:19 <leitgebj> It is a single point of failure, and therefore we want it to be extremely relilable and well-supported.\r
+Jun 24 13:02:06 <Smerdyakov> Having servers from Penguin Computing vs. Dell buys geek cred points, if nothing else. :)\r
+Jun 24 13:02:27 <docelic_> ++\r
+Jun 24 13:02:30 <leitgebj> Hey, if the support is there, I'm all for it.\r
+Jun 24 13:02:54 <Smerdyakov> They sell next-day on-site service for 3 years for $119.\r
+Jun 24 13:03:00 <mwolson> leitgebj: http://www.newegg.com/Product/Product.asp?Item=N82E16833122111\r
+Jun 24 13:03:01 <mwolson> ^^ 5-star rated $59.99 gigabit switch\r
+Jun 24 13:03:31 <mwolson> s/59/56/\r
+Jun 24 13:03:56 <leitgebj> mwolson, now what about one that's rack-mountable :)\r
+Jun 24 13:04:42 <leitgebj> I still think that money on a switch is well-spent... that seems like something that is better for an office LAN than a production server environment. Shouldn't we get a managed switch?\r
+Jun 24 13:05:19 <Smerdyakov> I yield to any informed opinion and just reiterate that I'm willing to spend money up-front to ensure quality. :)\r
+Jun 24 13:07:04 <mwolson> *sigh* http://www.newegg.com/Product/Product.asp?Item=N82E16833118021\r
+Jun 24 13:07:04 <mwolson> ^^ $249.99 rack-mountable switch\r
+Jun 24 13:07:12 <docelic_> I can;t say much on switches\r
+Jun 24 13:07:21 <jch5> newegg was recommended to me by a very techie friend...i've had good luck with them also..\r
+Jun 24 13:07:24 <Smerdyakov> Do we want to leave these issues as "homework" and move on to something else?\r
+Jun 24 13:07:29 <leitgebj> I still need to do research on this as well. Can we start a wiki page with some possible products and have a quick meeting, or email list discussion on this later?\r
+Jun 24 13:07:31 <docelic_> good idea\r
+Jun 24 13:07:43 <mwolson> can't we just throw the switch on top of a machine? does it really need to be rack-mountable?\r
+Jun 24 13:07:48 <docelic_> it's too nitpicky for the management level we're trying to keep\r
+Jun 24 13:08:06 <leitgebj> Right. OK with everyone if I start a wiki page on it?\r
+Jun 24 13:08:15 <Smerdyakov> It's always OK to start a wiki page on anything.\r
+Jun 24 13:08:27 <Smerdyakov> Worst that happens is that it's naked pictures of your cat and I have to delete it. ;)\r
+Jun 24 13:08:38 <leitgebj> What's wrong with my cat??? :)\r
+Jun 24 13:09:04 <docelic_> too little fur for a cat\r
+Jun 24 13:09:17 <leitgebj> docelic, lol\r
+Jun 24 13:09:26 <Smerdyakov> OK, I think we have our first action item for the meeting! Whoever is interested is going to research possibilities for the four items we want to buy and post information on the wiki page that leitgebj is creating.\r
+Jun 24 13:10:07 <mwolson> ok\r
+Jun 24 13:10:44 <jch5> and the budget for these items will be how much for each piece of equip?\r
+Jun 24 13:10:59 <Smerdyakov> A billion dollars\r
+Jun 24 13:11:01 <Smerdyakov> Next question?\r
+Jun 24 13:11:29 <jch5> ok..Mr Gates...whatever\r
+Jun 24 13:11:30 <Smerdyakov> I think we'll figure out the budget after we see the options.\r
+Jun 24 13:12:12 * voider has quit ("Leaving")\r
+Jun 24 13:14:01 <Smerdyakov> Other things to discuss include administrative structure.\r
+Jun 24 13:14:18 <Smerdyakov> Is there anything else besides that that we should discuss by the end of the meeting?\r
+Jun 24 13:15:03 <leitgebj> We should set a date to reconvene at, with concrete goals.\r
+Jun 24 13:15:29 <Smerdyakov> OK. That seems to be a meta-point that belongs at the end.\r
+Jun 24 13:16:07 <mwolson> let's see ... so i'm an admin now?\r
+Jun 24 13:18:09 <Smerdyakov> mwolson, sort of\r
+Jun 24 13:18:19 <Smerdyakov> It sounds like no one has any other topics to raise, so let's move to that.\r
+Jun 24 13:18:48 <Smerdyakov> Since a lot of our configuration will be changing, it doesn't seem to make particular sense for either leitgebj or mwolson to start as admins now.\r
+Jun 24 13:19:46 <Smerdyakov> The first task for the new admin team is this hardware and software planning and set-up, as I see it.\r
+Jun 24 13:20:16 <Smerdyakov> After that, we move into maintenance mode, handling issues of predictable time availability, handling support requests, etc..\r
+Jun 24 13:20:53 <Smerdyakov> One thing I want to do is create a new hcoop-sysadmin mailing list that is open to all members.\r
+Jun 24 13:21:17 <Smerdyakov> The idea would be that any sysadmin stuff is discussed there. There's no reason not to get advice from knowledgeable members just because it doesn't make sense to give them all root access.\r
+Jun 24 13:22:27 <mwolson> can we make portal requests trigger an automated email to that new list, for those that prefer email to web forms?\r
+Jun 24 13:22:38 <mwolson> (thinking of metaperl in particular)\r
+Jun 24 13:22:58 <docelic_> Smerdyakov: isn't that admins@ alias now ?\r
+Jun 24 13:23:01 <Smerdyakov> mwolson, portal requests already e-mail everyone subscribed to the associated category.\r
+Jun 24 13:23:05 <docelic_> we could just turn it into a ML\r
+Jun 24 13:23:14 <mwolson> ah, didn't know that\r
+Jun 24 13:23:25 <Smerdyakov> mwolson, you can already subscribe to any that interest you.\r
+Jun 24 13:24:07 <docelic_> I also think Smerdyakov and me can handle issues of porting current infrastructure to new servers, while new admins (mwolson, leitgebj) can be given tasks that don't rely on our current setup\r
+Jun 24 13:24:12 <Smerdyakov> docelic, yes, but the key difference is that anyone can subscribe.\r
+Jun 24 13:24:29 <mwolson> if we make hcoop-sysadmin a catch-all mailing list that gets all portal requests, though, it might be a good thing\r
+Jun 24 13:24:33 <docelic_> Smerdyakov: sure, Im just saying, move admins@ to be a ML and notify admins that it's now a public lisr\r
+Jun 24 13:24:36 <docelic_> list*\r
+Jun 24 13:24:54 <docelic_> Smerdyakov: or not, we should have an alias for admins that is private\r
+Jun 24 13:24:56 <Smerdyakov> mwolson, I don't know about that. Filtering based on subject is quite useful.\r
+Jun 24 13:25:20 <mwolson> (unless we want to separate support from administration, which is somewhat nebulous)\r
+Jun 24 13:25:23 <Smerdyakov> mwolson, I'm thinking of the mailing list as being for discussion, like that surrounding our current planning.\r
+Jun 24 13:25:51 <Smerdyakov> mwolson, I never intended to suggest that the sysadmin list would be the target for e-mailed support requests.\r
+Jun 24 13:25:56 <mwolson> ah, i see\r
+Jun 24 13:26:16 <Smerdyakov> The portal has supported collaboration from all members in handling support issues from the start, even if you didn't read the part of the wiki page that explains that. ;)\r
+Jun 24 13:28:13 <Smerdyakov> So I think I'll create that list after the meeting ends, along with modifying the portal to let people manage their subscriptions to it.\r
+Jun 24 13:28:44 * docelic has quit (Remote closed the connection)\r
+Jun 24 13:28:50 * docelic_ is now known as docelic\r
+Jun 24 13:29:06 <Smerdyakov> And we can switch all potential hcoop-discuss chatter on technical planning issues to hcoop-sysadmin.\r
+Jun 24 13:29:21 <leitgebj> That seems to make sense.\r
+Jun 24 13:30:28 <Smerdyakov> On AdminPolicies, I talk about guaranteed within-24-hours e-mail response time from anyone in an official position.\r
+Jun 24 13:30:44 <Smerdyakov> I think e-mail to hcoop-sysadmin sounds like a good way to notify of times when you're away and unable to provide that.\r
+Jun 24 13:31:05 <docelic> yep\r
+Jun 24 13:31:25 <leitgebj> Sounds good.\r
+Jun 24 13:31:54 <Smerdyakov> There are a number of other suggestions for procedures that I've made on AdminPolicies, but it seems like we can/should wait for those until we are switched over to the new set-up.\r
+Jun 24 13:33:09 <Smerdyakov> Mmmm.... anything else before we jump to the conclusion?\r
+Jun 24 13:33:41 <docelic> not here\r
+Jun 24 13:34:28 <leitgebj> not here either...\r
+Jun 24 13:34:51 <Smerdyakov> OK, then when should we meet next? If we're just doing research on hardware in the interim, one week seems like long enough to me.\r
+Jun 24 13:35:08 <docelic> it's ok\r
+Jun 24 13:35:10 <leitgebj> Agreed.\r
+Jun 24 13:35:29 <Smerdyakov> How about same time next week?\r
+Jun 24 13:35:34 <docelic> yep\r
+Jun 24 13:35:35 <jch5> user agrees also..\r
+Jun 24 13:35:40 <docelic> (I thought that was implied)\r
+Jun 24 13:35:41 <leitgebj> mwolson, is one week OK for you? you had some opinions on hardware...\r
+Jun 24 13:36:09 <mwolson> one week is fine\r
+Jun 24 13:36:25 <Smerdyakov> mwolson, and you can show up on time next week? ;)\r
+Jun 24 13:36:40 <mwolson> will try; got 4pm instead of 14:00 in my head for some reason\r
+Jun 24 13:37:09 <Smerdyakov> Did you follow the link to the time-all-over-the-world page?\r
+Jun 24 13:37:16 <mwolson> yes ...\r
+Jun 24 13:37:19 <Smerdyakov> OK.\r
+Jun 24 13:37:45 <Smerdyakov> I will send out an e-mail announcing the main results of the meeting. Let's see if I've got everything that I should include:\r
+Jun 24 13:37:51 <Smerdyakov> Link to log of this meeting on the wiki\r
+Jun 24 13:38:06 <Smerdyakov> Decided on new admins for after the hosting switch\r
+Jun 24 13:38:10 <Smerdyakov> Decided on HE\r
+Jun 24 13:38:21 <Smerdyakov> Decided on what hardware we want\r
+Jun 24 13:38:34 <Smerdyakov> Researching hardware options/prices now, to be recorded on a page that leitgebj should tell me about :)\r
+Jun 24 13:38:48 <Smerdyakov> Next meeting in a week, hopefully with ntk in attendance so that it's a real board meeting\r
+Jun 24 13:39:00 <leitgebj> Sounds good, I will do that in a minute.\r
+Jun 24 13:39:09 <Smerdyakov> Oh, and add new hcoop-sysadmin list in there.\r
+Jun 24 13:39:39 <leitgebj> I will update the wiki page to reflect our conclusions here, except for the IRC meeting log that Smerdyakov will upload, OK?\r
+Jun 24 13:39:42 <Smerdyakov> I think that's the whole list.\r
+Jun 24 13:39:44 <Smerdyakov> Sure.\r
+Jun 24 13:39:48 <Smerdyakov> Anything I missed, anyone?\r
+Jun 24 13:40:03 <jch5> thanks for answering my questions!\r
+Jun 24 13:40:06 <leitgebj> Looks good to me.\r
+Jun 24 13:40:58 <Smerdyakov> OK, then I guess that concludes the meeting!\r
+}}}\r
--- /dev/null
+Agenda for 20060909 18:00 UTC meeting:\r
+\r
+ * IRS update (ntk)\r
+ * DomtoolTwo (adamc)\r
+ * Hardware Donations (ntk)\r
+ * Financial situation\r
+ * New members & membership drive\r
+ * Peer1 & migration planning\r
+ * What else?\r
--- /dev/null
+= Agenda Suggestions =\r
+== Reports ==\r
+ * President / Treasurer\r
+ * Secretary\r
+ * System Administrators\r
+ * Status of required daemons / services (such as Mailman) / security etc.\r
+ * Hardware status\r
+ * Announcements and public comments\r
+\r
+== Business Items ==\r
+ * Do we need to make the new-user-creation-from-fyodor process simpler to avoid losing members (and their payment of negative balances)?\r
+ * Whether or not HCoop should appoint a day-to-day volunteer operations manager, and what duties he might be charged with.\r
+ * Whether or not a tiered sysadmin structure would be appropriate to reduce simple administrative workloads on primary system administrators.\r
+ * Migration timeline\r
+ * Clarify when to allow new members to join\r
--- /dev/null
+= Figuring out how much you owe =\r
+\r
+We currently have two recurring sources of costs: hosting costs from [http://interserver.net/ InterServer] for our main server, fyodor; and hosting costs from [http://www.xiolink.com/ Xiolink] for our secondary server, Abulafia. The first costs $150.05/mo. and the second is usually around $60/mo., based on $49.95 plus $5/GB of bandwidth each month. When we are billed for each of these costs, we divide the amount evenly among all current members.\r
+\r
+= How to pay =\r
+\r
+The easiest way is by [http://www.paypal.com PayPal] to payment@hcoop.net. We recommend that you pay via the customized payment link at the top of [https://members.hcoop.net/portal/portal the main portal page].\r
+\r
+Remember that Pay``Pal deducts [http://www.paypal.com/cgi-bin/webscr?cmd=_display-fees-outside service fees], so that we will receive and credit you for less than you type in to send. While the fees may seem steep, I think they may actually be the best fees you'll find for online transfers of our volume. Your credit card company imposes similar fees, but you just don't see them because merchants jack up their prices to compensate! However, if you have a better suggestion for how to accept payment online, then we're all ears.\r
+\r
+We will also accept physical payments, like mailed checks or international money orders or whatever you find necessary, though it is ''significantly'' more of a pain for us. If you feel that you can't pay with Pay``Pal, [https://members.hcoop.net/portal/issue?cat=2&cmd=new open a support ticket] explaining exactly which payment method you want to use and why you can't use Pay``Pal. Many people refuse to use Pay``Pal because of "horror stories" that they've heard, but I've yet to meet anyone who personally has experienced anything bad of this kind from Pay``Pal. It really is quite a safe and convenient way of sending and receiving money.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the HCoop Member Manual. It will tell you all you need to know about using HCoop services and participating in the co-op.\r
+\r
+''This a work in progress, so don't expect complete content yet.''\r
+\r
+||<25%>'''~+[:/MigrationGuide:Migration Guide]+~''' ||<1%> ||<74%> Steps for migrating from the old HCoop server to the new setup. New members may skip this. ||\r
+||<25%>'''~+[:/GettingStarted:Getting Started]+~''' ||<1%> ||<74%> Things that new and current members must know about HCoop's setup. It is considered '''required reading''' before contacting HCoop administrators or filing support requests. ||\r
+|| ~+[:/UsingDomtool:Using Domtool]+~ || || The bare minimum that you need to know concerning our use of DomTool. ||\r
+|| ~+[:/TransferringFiles:Transferring Files]+~ || || How to transfer files to your home directory, which is kept in AFS. ||\r
+|| ~+[:/EmailDelivery:Email Delivery]+~ || || How to receive and manage your email. ||\r
+|| ~+[:/ServingWebsites:Serving Websites]+~ || || How to serve your website(s). ||\r
+|| ~+[:/Databases:Databases]+~ || || Using PostgreSQL and MySQL databases. ||\r
+|| ~+[:/RunningUnattendedCommands:Running Unattended Commands]+~ || || In general, how to run unattended commands (such as custom daemons or commands called from cron scripts) from your AFS home directory. ||\r
+|| ~+[:/UsingCron:Using cron]+~ || || How to use cron to run command periodically. ||\r
+|| ~+[:/VersionControl:Version Control]+~ || || How to use version control software to host code on HCoop servers. ||\r
+\r
+=== Pages that should be in the manual ===\r
+\r
+If you know that some pages should be in the manual, but don't know where to place them, please list them here, and MichaelOlson will classify them later on.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to use PostgreSQL and MySQL databases on HCoop servers.\r
+\r
+[[TableOfContents]]\r
+\r
+= MySQL =\r
+\r
+== Create an Account ==\r
+Creating a MySQL user account is an easy task with {{{dbtool}}}. It is available for use when you login to mire.hcoop.net. \r
+\r
+Run the following command:\r
+\r
+{{{\r
+dbtool mysql adduser\r
+}}}\r
+\r
+You will be asked for a password. The user created will be the same as your log-in username.\r
+\r
+== Create a Database ==\r
+{{{dbtool}}} is also used to create new MySQL databases. Replace DATABASE with your desired database name:\r
+\r
+{{{\r
+dbtool mysql createdb DATABASE\r
+}}}\r
+\r
+The database created will be USER_DATABASE (where USER is your username and DATABASE is the name you provided {{{dbtool}}}).\r
+\r
+== Delete a Database ==\r
+Delete a database with the following:\r
+\r
+{{{\r
+dbtool mysql dropdb DATABASE\r
+}}}\r
+\r
+== Changing Your Password ==\r
+If you need to change your MySQL password for security purposes or you have forgotten it, you may do so with this command:\r
+\r
+{{{\r
+dbtool mysql passwd\r
+}}}\r
+\r
+You will be prompted to input a new password.\r
+\r
+== Accessing Databases ==\r
+For web applications, set the MySQL host/server to {{{mysql}}}. Default ports apply. Use your HCoop username. Your password will be required. Please safeguard it. Remember that your database is really named USER_DATABASE, where DATABASE is the name you originally gave {{{dbtool}}}. Follow your software package's instructions.\r
+\r
+In addition, you can easily use the {{{mysql}}} shell to manipulate or analyze your databases:\r
+\r
+{{{\r
+mysql -p -h mysql USER_DATABASE\r
+}}}\r
+\r
+For security reasons, you cannot drop a database using the {{{mysql}}} shell.\r
+\r
+To learn more about the MySQL shell, review the [http://dev.mysql.com/doc/refman/5.0/en/ MySQL manual].\r
+\r
+\r
+= PostgreSQL =\r
+\r
+== Create an Account ==\r
+To create a PostgreSQL user account, enter the following command on mire.hcoop.net:\r
+\r
+{{{dbtool postgres adduser}}}\r
+\r
+You will not be prompted for a password since PostgreSQL utilizes a security model that is quite different from MySQL. The user created will be the same as your log-in username.\r
+\r
+== Create a Database ==\r
+Additionally, {{{dbtool}}} is used to create new Postgres databases. Replace DATABASE with your desired database name:\r
+\r
+{{{\r
+dbtool postgres createdb DATABASE\r
+}}}\r
+\r
+The database created will be called USER_DATABASE (where USER is your username and DATABASE is the name you provided {{{dbtool}}}).\r
+\r
+== Delete a Database ==\r
+Delete a database with the following command:\r
+\r
+{{{\r
+dbtool postgres dropdb DATABASE\r
+}}}\r
+\r
+For security reasons, you cannot drop a database using the {{{psql}}} shell.\r
+\r
+== Accessing Databases ==\r
+For web applications, set the PostgreSQL host/server to {{{postgres}}}. Default ports apply. Use your HCoop username. A password is not required. Remember that your database is really named USER_DATABASE, where DATABASE is the name you originally gave {{{dbtool}}}. Follow your software package's instructions.\r
+\r
+It is very easy to access your database using a PostgreSQL shell:\r
+\r
+{{{\r
+psql -h postgres USER_DATABASE\r
+}}}\r
+\r
+To learn more about the {{{psql}}} shell, take a look at the [http://www.postgresql.org/docs/8.1/interactive/index.html PostgreSQL manual].\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page describes the rationale for Kerberos and AFS being the way they are. It also explains some things that people would not expect if they have never used either AFS or Kerberos.\r
+\r
+[[TableOfContents]]\r
+\r
+The new HCoop infrastructure implements true distributed security, unlike systems such as NFS/NIS and NTLM, which do not.\r
+\r
+== Understanding True Distributed Security ==\r
+\r
+In order to understand the reasoning behind this, you first need to project yourself into the future where HCOOP has grown to the point where it has several machines like mire (that is, user-login machines) and a small number of security-critical machines like deleuze (KDC, passwords, AFS service).\r
+\r
+With a system that does not implement distributed security (like NIS/NFS), the entire network implicitly trusts local root on every machine on the network. This means that with a system like NIS/NFS, if a rogue user somehow managed to compromise "local root" on any one of the mire machines, that user would instantly have full access to every account (including admin accounts) on every machine throughout all of HCoop. This is not a wise approach to security.\r
+\r
+By contrast, Kerberos (and by virtue of using it, AFS) implements true distributed security. Deleuze does not trust mire any more than it trusts your laptop on your desk at home. As we add more user servers, they too will be untrusted. Because deleuze only runs the minimal set of security-critical services, this makes HCoop very robust. Hopefully in the future we will be moving even more services off of deleuze, until it does nothing but Kerberos and AFS (but we'll need more hardware before this is practical).\r
+\r
+== The Price of Security ==\r
+\r
+However, not trusting mire comes at a price. Your files live on deleuze (in AFS), but you're logged in to mire. How does deleuze know that you should be trusted to access your own files? It can't just say "oh, I trust whatever mire says, so if mire says it's adamc (one of the root admins), I'll let him access anything." That would be incredibly poor security.\r
+\r
+Instead, when you log in to mire via ssh, you type your password, which mire then uses to prove your identity to deleuze. Deleuze issues "Kerberos Tickets" and "AFS Tokens" (which are basically the same thing; don't worry about the difference right now) that you can then use to prove your identity.\r
+\r
+=== Limited Ticket Lifetimes and Renewal Limits ===\r
+\r
+These tickets and tokens have a limited lifetime -- currently on HCoop they expire after 24 hours. This is important: if these tickets and tokens did not have expiration dates, they would be basically equivalent to your password. Anybody who stole these "immortal tickets" (say, by hacking one of the mires) could pretend to be you, forever, and you would be none the wiser. This would be just as bad as keeping your password sitting on the disk on mire.\r
+\r
+There is a consequence to these limited lifetimes: once your tickets+tokens expire, you can no longer access AFS. This means that you must log out and log back in every 24 hours in order to continue accessing your home directory. You can also renew your tickets without a password by typing "`kinit -R;aklog`" ''before'' your tickets expire -- but this will only work for seven days; you can't renew tickets longer than that without getting fresh ones.\r
+\r
+=== No SSH Public Key Authentication ===\r
+\r
+There is also another consequence to the tickets+tokens strategy: you must type your password when logging in so that mire can get tickets and tokens for you. SSH public key authentication will not work. However, you can obtain tickets and tokens on your personal computer (ie the machine you're sitting in front of), and use those tickets to log in to mire without using a password. For more information, see PasswordlessLogin.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to receive and manage your email.\r
+\r
+[[TableOfContents]]\r
+\r
+ * Domtool part.\r
+ * {{{~/.public/.forward}}}.\r
+ * {{{~/.procmail.d/procmailrc}}}.\r
+ * Virtual mailboxes.\r
+ * Filtering spam.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes things that new and current members must know about HCoop's setup. It is considered required reading before contacting HCoop administrators or filing support requests.\r
+\r
+[[TableOfContents]]\r
+\r
+= Joining HCoop =\r
+\r
+The pages in this section describe the joining process. If you are an HCoop member who is familiar with the portal and is getting announcement email from us, you may skip this section and move on to the good stuff.\r
+\r
+ * [:ProspectiveMemberFaq:Prospective Member FAQ]: Learn more about HCoop.\r
+ * [:JoinUs:Join HCoop]: Join HCoop by ('''TODO: very brief summary''').\r
+ * [:/NewMember:New member]: After your request is approved, you need to complete the joining process by making an account.\r
+ * [:/AccountCreated:Account created]: After completing the joining process and making an account, you need to read a very quick summary about email forwarding, pledges, and mailing lists. These are the absolute essentials for being an up-to-date member.\r
+\r
+= AFS: A distributed filesystem =\r
+\r
+HCoop now uses [http://www.openafs.org/ AFS], a distributed filesystem, to implement much of our infrastucture. Home directories and email are stored in AFS. AFS allows for fine-grained access control and the ability to access your files from any machine that has an AFS/Kerberos client.\r
+\r
+Permissions in AFS are a bit different than standard UNIX file permissions. Basically, the group of a file and the standard read/write/execute permissions do not matter at all. In place of these, there is an access control list (called an ACL) for each directory, which is a listing of a role or person and the permissions that it has. An AFS ACL uses seven types of permissions: '''r''' (read), '''l''' (lookup), '''i''' (insert), '''d''' (delete), '''w''' (write), '''k''' (lock), and '''a''' (administer). "Read" and "write" are the same as their UNIX equivalents, and "lookup" is similar to the "execute" permission in UNIX -- it permits the files contained in the directory to be accessed. If you want to learn more about AFS permissions, see [http://www.openafs.org/pages/doc/UserGuide/auusg007.htm#HDRWQ46 the relevant section of the AFS User Guide].\r
+\r
+When a new directory is created inside $HOME, it receives a clone of the ACL for its parent directory. Every member's home directory starts life initialized with an ACL that allows listing by any authenticated party on HCoop, without granting any other permissions. However, you can change the ACL for your home directory or any of its subdirectories. Just remember that, if you don't take special actions to the contrary, every subdirectory of your home directory will be listable by anyone, and no file will be readable by anyone but you and the HCoop admins.\r
+\r
+Individual files do not have ACLs; instead, files inherit the ACLs of the directories they are in.\r
+\r
+If you wish to view the ACL of a specific directory, use:\r
+\r
+{{{\r
+fs listacl <DIRECTORY>\r
+}}}\r
+\r
+Please continue on to the [:/AfsExamples:AFS examples] page for some annotated examples on how to set AFS permissions.\r
+\r
+= Kerberos: An authentication mechanism =\r
+\r
+SSH access to our system, as well as authentication to most of our webservers, is managed by Kerberos. You get a token automatically whenever you log in. Tokens can expire in less than a day. If the token expires, you may renew it by running\r
+\r
+{{{\r
+kinit\r
+}}}\r
+\r
+and typing your password.\r
+\r
+Kerberos and AFS work together. So if your token expires, so will your access to AFS. To get AFS access back after renewing your token with {{{kinit}}}, be sure to type\r
+\r
+{{{\r
+aklog\r
+}}}\r
+\r
+At this point, please read the [:MemberManual/DistributedSecurity:Distributed Security] page to understand the consequences that using AFS and Kerberos may have on your HCoop experience. We feel the gains in security to be worth the slight learning curve.\r
+\r
+= Domtool: Manage domain-specific DNS/email/web =\r
+\r
+To manage all aspects of the Internet domains that our members own, we use a software suite called Domtool that we developed and maintain. Domtool allows us to easily share services among our members and enforce standards of correctness and security on configuration provided by members. Domtool facilitates DNS, email, and web serving, provided that you have a domain.\r
+\r
+You may perhaps be familiar with Domtool version 1, which was used on our old setup. What we currently use is Domtool version 2, which is a complete rewrite. The syntax for these files has changed \r
+dramatically, in favor of more uniform syntax and semantics. A major benefit to this new format is that you only have to edit one file per domain, rather than an entire directory.\r
+\r
+Please consult [:DomTool/UserGuide:the Domtool User Guide] at this point, so you can get an idea of what Domtool configuration files look like. When you are ready to set up your domain, [:DomTool/Examples:the Domtool examples page] should prove helpful.\r
+\r
+= Portal: Manage balance, request domains and packages =\r
+\r
+Our web portal at [https://members2.hcoop.net] is where you will go to manage your account balance, request new domains, request Debian packages to be installed on our systems, and view various statistics about your website. You can log into the portal with the same username and password that you use to ssh to our machines.\r
+\r
+= Getting help from the admins =\r
+\r
+Whenever you have any problem using your HCoop account, first ask yourself this question:\r
+ Is this problem specific to HCoop, or is the answer probably general knowledge among people familiar with Linux and the Internet?\r
+\r
+If your problem falls into the "general knowledge" category, feel free to ask about it on our hcoop-misc mailing list or in our IrcChannel. However, we don't consider our admins to hold any responsibility for answering this sort of question.\r
+\r
+If you have a genuine HCoop-specific problem, you should poke around this wiki some first to see if the solution is already documented. You might also try our IrcChannel, if you aren't sure that a solution requires admin intervention. If neither of these approaches helps, then visit the [https://members2.hcoop.net/portal/support support page] on the portal, which will direct you to the proper place to report your issue.\r
+\r
+Please never e-mail any of our admins directly about any problem. The support page leads you to several automated systems that help us manage workflow much better than we can with ad-hoc e-mail. Only in the event that some of our web-based support machinery is unavailable should you use e-mail, and then you should e-mail all admins at once at admins@hcoop.net. You will often find admins in our IrcChannel, but they are under no obligation to provide any support there, as managing support tickets through IRC is close to impossible.\r
+\r
+= Denyhosts: Protection from SSH attacks =\r
+\r
+We use the [http://denyhosts.sourceforge.net/ DenyHosts] package to help protect your account from brute-force SSH attacks. If someone fails to log in as a particular user several times in a row, the original IP address will be blacklisted in order to prevent additional attempts within a certain time period. If this happens to you and you try to log in again, you will see something similar to this:\r
+\r
+{{{\r
+ssh_exchange_identification: Connection closed by remote host\r
+}}}\r
+\r
+The blacklist expires IPs after a predetermined period of time. Typically, most users will not be affected by the blacklisting, but if you are, you will want to [https://members2.hcoop.net/portal/support file a report].\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page describes the minimal efforts you must take after creating an account in order to remain in good standing at HCoop.\r
+\r
+[[TableOfContents]]\r
+\r
+The most important thing to remember is that '''if you don't read all e-mail sent to `you@hcoop.net` promptly, your account may be removed'''. Here "promptly" probably means "at least once a month," but we do tend to assume that most members check their e-mail daily, and that almost everyone checks it at least weekly. With an all-volunteer staff, we just don't have the means to contact members otherwise, and we sometimes need your help on short notice to keep your sites running.\r
+\r
+= E-mail forwarding =\r
+\r
+You shouldn't read the above as an unreasonable requirement that you check Yet Another E-mail Account every day. Most members fall into one of the following categories:\r
+\r
+ * They choose to use HCoop as their primary e-mail provider. This often goes along with owning their own domains that they host with HCoop and use for their primary e-mail addresses.\r
+ * They run `echo my.primary@email.address > ~/.forward` to set up forwarding of all HCoop messages to their preferred e-mail addresses.\r
+\r
+We want to have a simple recipe for how to reach any member. This is "e-mail `member_username@hcoop.net`", and we hold you responsible for configuring your e-mail settings so that this method for reaching you is effective.\r
+\r
+= A Cautionary Tale =\r
+\r
+It happens fairly often that a new member stumbles down this unfortunate path:\r
+\r
+ 1. Bob joins and reads about our voluntary-subscription mailing lists, such as hcoop-discuss.\r
+ 1. Wanting to contribute to the HCoop community, Bob uses the portal to subscribe to the lists.\r
+ 1. N months later, Bob notices that the lists can get quite a lot of traffic.\r
+ 1. Bob concludes that "HCoop sends him too much e-mail," forgetting that he can unsubscribe from the voluntary lists at any time on his portal preferences page.\r
+ 1. Bob stops reading all HCoop mailing list messages, including the hcoop-announce list that we sometimes use for important time-sensitive announcements; or, even worse, Bob originally decided that he didn't need to forward HCoop mail to his main e-mail account since he would just check his HCoop mailbox regularly, but now he ends up not reading any HCoop e-mail at all, even hand-crafted personal messages from desperate admins, who will always assume that `bob@hcoop.net` goes somewhere that Bob reads regularly.\r
+ 1. Bob misses a message asking him well in advance if he'd like to object to an increase in member dues, or Bob misses a message telling him he must make a dues payment soon or be expelled from the co-op, or Bob misses a message telling him that he must modify how his web site is set up or it will be taken down, etc..\r
+\r
+If Bob just unsubcribed from the voluntary lists, he would be down to less than a message a month on average from our announcements list, plus a low balance reminder once a month if he gets behind in payments. We don't consider this to meet any reasonable definition of "too much e-mail," so we'll hold you responsible for problems that arise from your not reading messages of either of these two remaining kinds promptly.\r
+\r
+= Now, About Those Lists... =\r
+\r
+Many of our members are gung-ho about receiving many e-mails each day related to HCoop, and they '''do''' subscribe to the discussion lists without trouble. We encourage anyone interested to visit [https://members2.hcoop.net/portal/pref the portal preferences page] to subscribe to voluntary lists. Just remember that you can revisit that page to unsubscribe at any time.\r
+\r
+= Sliding-Scale Pledges =\r
+\r
+We have members with a variety of financial situations. To help keep dues low, we allow members with more financial resources to pledge to pay higher dues than normal, thus lowering everyone else's dues. Visit [https://members2.hcoop.net/portal/pledge the portal's pledge page] to learn about this system or make a pledge yourself.\r
+\r
+= And All the Rest... =\r
+\r
+Our MemberManual should contain everything else you need to know to use your HCoop membership effectively.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page contains some examples on how to solve common problems with AFS.\r
+\r
+[[TableOfContents]]\r
+\r
+== Making a directory private ==\r
+\r
+If you wish to make a directory within your $HOME completely private so that only you can list, read, and write, do this:\r
+\r
+{{{\r
+mkdir ~/private\r
+fs setacl -clear ~/private <USERNAME> all\r
+}}}\r
+\r
+Note that the {{{-clear}}} option causes any previously set ACLs to be removed. The {{{<USERNAME> all}}} part sets full access to the directory's contents to the specified user. Therefore, if you have a directory in your home directory that you wish to make only accessible to you (such as {{{~/.ssh}}} or {{{~/documents}}}), use:\r
+\r
+{{{fs setacl -clear ~/<DIRECTORY> <USERNAME> all}}}.\r
+\r
+== Serving a website with added privacy ==\r
+\r
+If you use domtool to set up your domain, there is a way to allow {{{system:anyuser}}} only to list the contents of public_html without breaking your website(s). By default ACLs '''R''' and '''L''' are given. Change that in this way: \r
+\r
+{{{\r
+fs setacl ~/public_html system:anyuser l\r
+}}}\r
+\r
+Now, add all permissions for the ''USER.daemon'' principle:\r
+\r
+{{{\r
+fs setacl ~/public_html <USERNAME>.daemon all\r
+}}}\r
+\r
+Be aware that this only works if you use your own domain -- if you use {{{http://deleuze.hcoop.net/~USERNAME}}} to serve your files, then you '''must''' be sure that {{{system:anyuser}}} can read {{{~/public_html}}} and its subdirectories.\r
+\r
+== Setting the rights permissions on your ~/.domtool directory ==\r
+\r
+{{{\r
+fs setacl ~/.domtool domtool read\r
+}}}\r
--- /dev/null
+## page was renamed from MemberManual/NewMember\r
+#pragma section-numbers off\r
+\r
+OK, so it looks like you'll be joining us! In the descriptions below, we'll assume you've already been approved to join. If you haven't yet received an explicit e-mail saying that your application has been '''approved''', then "you've been approved to join" does '''not''' apply to you!\r
+\r
+Here's what you need to know about the process from here in. It will definitely make life easier for our volunteer administrators if you read ''all'' of this document before doing anything else with your new account, ''including'' sending a payment.\r
+\r
+[[TableOfContents]]\r
+\r
+= To complete the joining process... =\r
+\r
+== Terms of Service ==\r
+When you applied for an account, you were asked to review and agree to HCoop's [http://hcoop.net/tos.html Terms of Service]. If you have not done so already, please read and familiarize yourself with them.\r
+\r
+== Payment ==\r
+\r
+Each hcoop member has a balance, keeping track of unspent money that member has sent to the co-op. Most members prepay about a year's worth of estimated charges at a time and send new payments when they see their balances going low. Our policy is that every member must make a refundable "deposit" of $10 on joining. This is equivalent to requiring that your balance stay above that amount.\r
+\r
+Before we give you an account on our servers, we need an initial payment from you. This should include the deposit amount and some additional amount, as determined by you. Like we said, prepaying an estimated year's costs is popular. If your balance goes below the deposit amount for too long a period, we'll be forced to cancel your membership, unless there are very extenuating circumstances. This means that paying the minimum amount will require that you remember to make frequent payments.\r
+\r
+You can pay electronically using [http://www.paypal.com/ PayPal] or [http://checkout.google.com/ Google Checkout] on [http://deleuze.hcoop.net/pay.html the new member payment page]. In the comment field, write that the payment is for "Initial payment for yournamehere," where "yournamehere" is the UNIX username you asked for when you applied. '''NOTE''': In the case of Google Checkout, please email payment@hcoop.net and specify both the username of the Google account from which you sent the payment, and also your HCoop UNIX username.\r
+\r
+You can use any other reasonable payment method you want, as long as it involves United States dollars reaching our treasurer. However, please e-mail payment@hcoop.net about any method of payment not found on the payment page before using it, and wait for approval before going ahead.\r
+\r
+Keep in mind the service fees associated with each method. For example, Pay``Pal's fees are such that you save money by sending as much money at once as possible. Google Checkout will have such fees once their no-fees promotion ends in January 2008.\r
+\r
+The absolute spiffiest thing that you could do is include in your Pay``Pal payment comment a URL to your SSH public key, so that we have pretty good reason to believe that it's genuine. See the next section for more information. '''Your payment will be rejected if it isn't sent in accordance with the below "getting started" instructions.'''\r
+\r
+MemberDues contains more information on payment policies.\r
+\r
+= Getting started =\r
+\r
+Once you've paid, we can get started setting up your account. The big issue here is getting your initial password set. We don't want any unauthorized people to get ahold of your password and gain access to your account. Any unencrypted password sent over the Internet, including through e-mail, is vulnerable to interception by many people. Our two main approaches to this are:\r
+\r
+== Cryptography ==\r
+\r
+If you create an ssh public key and give a URL or other reference to it in your payment comment, we can create your account with your key pre-installed.\r
+\r
+After we set up your account, you'll be able to connect without needing to know a new password. We'll send you instructions on how to set your password from that point, since you do need to use a password for some services.\r
+\r
+SshConfiguration contains a tutorial on how you can set up ssh public-key encryption. Follow it only up to the part about generating the keys and ignore the bit about transferring them to HCoop's server. We're open to other crypto-based bootstrapping methods if you prefer them.\r
+\r
+'''Please note''' that the entire point of this scheme is compromised if you send your key information separately from your Pay``Pal payment; with unencrypted e-mail, anyone could be impersonating you, but with the Pay``Pal method we can at least verify that the same person is paying and naming the key. If you ignore this request and e-mail key information separately, we reserve the right to require that you instead indicate your key in some way that can be tied securely to your Pay``Pal account.\r
+\r
+== The quick-change ==\r
+\r
+If cryptography scares you, then we can try to minimize the time from when we send you your random password in cleartext and when you log in to our server and change it over an encrypted connection.\r
+\r
+This works best with a short meeting with an admin over IRC or an instant messaging service. Unencrypted e-mail is absolutely not acceptable, since there may be too long of a period when a password that has been sent in cleartext is still valid. Make sure you have an ssh client on hand, as you will be asked to ssh to `hcoop.net` within a minute or so to set your new password.\r
+\r
+But, really, why not just use crypto? This '''is''' the 21st century, after all!\r
+\r
+If you want to use this technique, we ask that you please e-mail admins@hcoop.net to inform us of your intentions. It would also be good if you'd let us know why you're not using the crypto option. You are making life harder for our volunteer admins by requesting to do things this way, since it requires that they orient their schedules around your availability, so we'd like to understand what prevented you from picking the easier option. '''You must send this e-mail before sending your payment, or we will assume that you have not read these instructions and e-mail you asking for another payment that includes a public key.'''\r
+\r
+= E-mail =\r
+\r
+You should have chosen your e-mail preferences when you applied. What we're referring to is whether you want e-mail to your account to be stored on our servers (and accessed via IMAP or POP3) or forwarded to an existing e-mail address. If you don't choose to forward it away, '''please''' be sure to check your HCoop e-mail box as often as any other personal mailbox! We may need to contact all members with some time-critical announcements.\r
+\r
+While there was a one-time way to set this preference when you applied, you can change it after joining by editing/deleting your `~/.forward` file in usual UNIX fashion.\r
+\r
+== Mailing lists ==\r
+\r
+We'll send important announcements through the `hcoop-announce` mailing list. Every member is subscribed to this on joining. This is for on-topic announcements about the co-op and the services we provide. It's moderated, and we don't allow discussion or anything else high volume enough to encourage members to start ignoring the list.\r
+\r
+'''Since we currently run based entirely on volunteer labor, we're unable to guarantee any uptime for your services if you don't read every message sent to the announcements list in a prompt manner!''' Sometimes we will need your help to keep your stuff going.\r
+\r
+For less time-sensitive traffic, we have the `hcoop-discuss` list. It's meant for on-topic discussion. There's also `hcoop-misc`, for anything at all that you think might be of interest to hcoop members. Finally, `hcoop-sysadmin` is where our volunteers discuss all day-to-day decision-making and implementation; this list is also open to any member who wants to help out. Subscription to any of these lists is voluntary. You can also set preferences for them after subscribing, including switching them to digest mode. This means that you receive at most one message a day, containing everything sent to the list that day. This increases the average delay to receive a message but decreases volume, in terms of number of messages sent to you.\r
+\r
+See the section on preferences below for information on setting your subscriptions. Note that it is '''expected''' that you will get an error e-mail if you try to post to a mailing list with a From address besides `you@hcoop.net`. This is no big deal. Just wait for a moderator to see that your message is legit and add the From address that you're using to our whitelist.\r
+\r
+= And for all the rest... =\r
+\r
+Please continue reading the rest of our MemberManual.\r
--- /dev/null
+## page was renamed from MigrationTips\r
+For the purposes of this page, we'll use the name New to refer to the servers hosted at Peer 1 (which are deleuze, mire, and eventually abulafia and krunk) and Old to refer to any servers that we've used previously.\r
+\r
+= Status of Migration =\r
+'''14 September 2007''': Migration has begun! Use this page to learn how to create a new account and migrate your data. A user creation script will be run periodically each day.\r
+\r
+[[TableOfContents()]]\r
+\r
+= Summary of what exactly is going on here =\r
+\r
+We are now offering limited-access accounts on the new infrastructure (see NewServersSetup) on a "beta test" basis to all users who have accounts on fyodor. These accounts come with no uptime or service guarantee; during the next few weeks we may need to temporarily disable them from time to time. Please keep all of your original data on Fyodor in the event something unexpected happens. \r
+\r
+These accounts will allow you full access to your space in AFS (currently 400MB per user) and the ability to log in to mire.hcoop.net via ssh. Currently NO OTHER SERVICES are officially supported on the new infrastructure (for example, email or serving HTTP), although they do work.\r
+\r
+Requesting an account on the new infrastructure will not affect your fyodor account. You will have access to both accounts until after all migration is complete.\r
+\r
+= Getting started =\r
+\r
+== Step 1: Get a New account ==\r
+\r
+ 1. ssh to `hcoop.net` as usual.\r
+ 1. Run this command line: `migrationpw`\r
+ 1. Follow the on-screen directions.\r
+ 1. Wait for an e-mail from the user creation script. (This stage requires that a human run the script periodically to watch for failures, but one of us should run it several times a day.)\r
+\r
+The password you set will go into our new Kerberos database, allowing log-in to mire and any other of our servers that we choose to enable for non-admin shell access. You will also use this password for authentication to other services, like e-mail and members-only HCoop web sites.\r
+\r
+An e-mail will be sent to your HCoop account to let you know that your account has been created. Be sure to memorize your password, as it won't be saved anywhere unencrypted once the account creation script runs!\r
+\r
+== Step 2: Try logging in ==\r
+\r
+Now you may attempt to login using your favorite SSH client or the new AJAX SSH service at http://ssh.hcoop.net/. It requires a modern browser that cooperates with AJAX.\r
+\r
+=== SSH Public Key is Obsoleted ===\r
+\r
+You can no longer use SSH public key authentication. ["Kerberos"] authentication ("`ssh -K`") ''is'' supported, for passwordless log-in. Some day, someone might implement the Kerberos support needed to make SSH public key auth work again. See RealSecurity for more information on all of this.\r
+\r
+That being said, if you've always been typing a password to log in via SSH and don't care to do otherwise, then you don't need to bother reading this section!\r
+\r
+=== DenyHosts ===\r
+\r
+If you fail to log in correctly a few times the DenyHosts scripts will lock you out. Currently any blocked IP's are purged after a week, so if you don't want to wait you'll need to submit a ticket, or if you can't access the portal to do this you'll need to send an email to admins@hcoop.net.\r
+\r
+== Step 3: Visit the new portal ==\r
+\r
+[https://members2.hcoop.net/ The new portal] uses the same password you use to log in to mire. That is, if you haven't created a New account yet, then you can't access the new portal.\r
+\r
+You should use the new portal for all administrative requests, except for the specialized request types (e.g., domains, firewall rules, etc.) when they relate to fyodor.\r
+\r
+== Step 4: Have your mail dual-delivered ==\r
+\r
+We recommend that you tell fyodor to ''dual-deliver'' all of your mail so that one copy goes to deleuze (our new main server) and one copy goes to fyodor. That way you can start reading your email via deleuze, but if anything goes wrong you can just switch back to fyodor.\r
+\r
+To do this, put the following lines in your {{{~/.forward}}} file ''on fyodor''. Note that the comment on the first line is '''mandatory''' -- it tells exim that this forward file uses special exim features. If your username was {{{fred}}}, you would put this in your {{{~/.forward}}}:\r
+\r
+{{{\r
+ # Exim filter\r
+ deliver fred\r
+ deliver fred@deleuze.hcoop.net\r
+}}}\r
+\r
+and you mail will be dual-delivered.\r
+\r
+== Step 5: Copy your existing email ==\r
+\r
+You can also copy the contents of your mailboxes from fyodor to mire (actually to our shared AFS filesystem by way of mire). To do this, log in to fyodor and type the following.\r
+\r
+{{{\r
+ rsync -are ssh --no-g --progress --verbose ~/Maildir/ mire.hcoop.net:Maildir/\r
+}}}\r
+\r
+= Bugzilla =\r
+\r
+We have a [https://bugzilla.hcoop.net/ Bugzilla] that we are using for managing support requests that don't fit into the special categories handled by the portal. If you've completed the migration steps above that create your New account, then you can use the same username and password to access Bugzilla. You can also start from the portal, which links to Bugzilla from the support page.\r
+\r
+= Databases =\r
+\r
+''Here lie interim dbtool docs until migration is done, at which time they will probably move to UsingDatabases.''\r
+\r
+To manage your database user and databases, the basic syntax is `dbtool <DBTYPE> <COMMAND>`, where `<DBTYPE>` is `postgres` or `mysql`.\r
+\r
+The `adduser` command creates a database user for you, with the same name as your UNIX log-in name. In the case of `mysql`, you will be prompted for a password and confirmation re-entry in the usual manner.\r
+\r
+The `passwd` command allows you to reset the password. (Useless for `postgres`, where we use only ident authentication)\r
+\r
+The `createdb <DBNAME>` command creates a database named `<USERNAME>_<DBNAME>`, and `dropdb <DBNAME>` drops a database. For security/accounting reasons, you won't be granted permissions to drop a database in the usual way, through an SQL session.\r
+\r
+Sometimes we update our policies for which permissions users are granted on their databases. To re-set the permissions for a database after such a change, run `grant <DBNAME>`. At the moment, this can only ever be necessary for MySQL databases.\r
+\r
+To access your database use the following on mire: `mysql -p -h mysql <USERNAME>_<DBNAME>` or `psql -h postgres <USERNAME>_<DBNAME>`\r
+\r
+= DNS =\r
+\r
+We are purposely not sending any DNS data from Old to New, which means that you need to change domains at your registrar if you want New to be authoritative for them. The proper nameservers are ns1.hcoop.net and ns3.hcoop.net, in that order. Keeping ns.hcoop.net and ns2.hcoop.net '''will not work'''.\r
+\r
+= Domains =\r
+\r
+See the DomTool page for instructions on managing your domains with the new setup. The configuration files are in a vastly different format, but they have a better-defined syntax that should be relatively easy to understand.\r
+\r
+\r
+= Home =\r
+\r
+Your home directory is now managed by AFS. You will enter it by default when logging in to {{{mire.hcoop.net}}} via ssh. Type {{{pwd}}} to see what the path is. It will look like {{{/afs/hcoop.net/user/u/us/username}}}. Some directories have been created for you already, so that they have the correct permissions for things like serving web pages and delivering mail.\r
+\r
+= Email =\r
+\r
+Our email subsystem utilizes mostly the same configuration as with the old server. There are a few differences in user file locations and a few updates to tools. Note that currently the utility to create the ~/Maildir directory is not available. The ~/Maildir directory is created when your account is created. So please do not delete the ~/Maildir directory if you value mail delivery and access.\r
+\r
+== .forward ==\r
+\r
+{{{~/.forward}}} files should have the same effect that they do with our old setup, but on the new setup they are located at {{{~/.public/.forward}}} instead of {{{~/.forward}}}. See [https://bugzilla.hcoop.net/show_bug.cgi?id=81#c2 this bug] for more.\r
+\r
+== IMAP ==\r
+\r
+SSL IMAP is available via SSL at port 993, using hostname {{{deleuze.hcoop.net}}}.\r
+\r
+STARTTLS IMAP is available on port 143, using hostname {{{deleuze.hcoop.net}}}.\r
+\r
+== POP3 ==\r
+\r
+POP3 access is available via SSL at port 995, using hostname {{{deleuze.hcoop.net}}}. If you're using Thunderbird, make sure to uncheck "Use secure authentication". Do not use port 110; it is not available, because no good way of securing normal POP3 has been found by the admins.\r
+\r
+== procmail ==\r
+\r
+The page ProcmailExample has been updated for the new setup. Basically:\r
+\r
+ * Use the file {{{~/.procmail.d/procmailrc}}} instead of {{{~/.procmailrc}}}.\r
+ * Write any procmail logs in {{{~/Maildir}}} rather than elsewhere.\r
+ * Use appropriate values for the HOME, MAILDIR, and DEFAULT options, based on those in ProcmailExample.\r
+\r
+== Virtual mailboxes ==\r
+\r
+The `vmail` program from fyodor has been updated for the new servers. Here's a quick run-through of how to invoke the new version. Like before, you always invoke it with `vmail $DOMAIN $COMMAND`, which indicates that you are configuring the virtual mailboxes for domain `$DOMAIN` for which you have DomTool permissions. The valid commands are:\r
+\r
+ * `list`: Print the mapping from usernames to mailbox directories for `$DOMAIN`.\r
+ * `add $USER $MAILBOX`: Add a mapping from `$USER@$DOMAIN` to a Maildir directory `$MAILBOX`. You'll be prompted to enter a password for the user, which he can then use to access IMAP, POP, or restricted SMTP services.\r
+ * `passwd $USER`: Reset a virtual user's password.\r
+ * `rm $USER`: Remove a mapping. The mailbox directory remains for you to deal with as you like.\r
+\r
+== webmail ==\r
+\r
+A Squirrelmail instance for reading your email on the new servers is available at [https://mail2.hcoop.net/].\r
+\r
+== Spam Filtering ==\r
+Use SpamAssassin as you would on the old server (Fyodor) but keep in mind the new locations of .procmailrc and .forward (see above). For example, you can still use {{{setsa on}}} to enable spam filtering. See UsingEmail for use instructions.\r
+\r
+= rsync =\r
+\r
+If you're using rsync to transfer data to the new servers, the "-a" option by itself won't work properly because rsync attempts to chgrp the transferred files. Use "-a --no-g" instead of "-a".\r
+\r
+= Security =\r
+\r
+See RealSecurity for some technical notes on security.\r
+\r
+== Securing directories ==\r
+First of all, UNIX permissions carry no weight with AFS -- therefore they are useless to you. Instead, use Access Control Lists (ACL), which are a far more powerful way of restricting access to parts of a file tree.\r
+\r
+That said, when a new directory is created inside $HOME, its ACL defaults to allow listing by any authenticated party on HCoop. Note that ACLs cannot be set on individual files. They inherit the ACL from its parent directory.\r
+\r
+If you wish to make a directory within your $HOME completely private so that only you can list, read, and write, do this:\r
+{{{\r
+mkdir ~/private\r
+fs setacl -clear ~/private <USERNAME> all\r
+}}}\r
+\r
+Note that {{{-clear}}} removes any previously set ACLs and {{{<USERNAME> all}}} sets full access to the directory's contents to the specified user. Therefore, if you have a directory in $HOME that you wish to make only accessible to you (such as ~/.ssh or ~/documents), use:\r
+{{{fs setacl -clear ~/<DIRECTORY> <USERNAME> all}}}.\r
+\r
+If you use domtool to set up your domain, there is a way to allow {{{system:anyuser}}} only to list the contents of public_html without breaking your website(s). By default ACLs R and L are given. Change that in this way: {{{fs setacl ~/public_html system:anyuser l}}}. Now, add all permissions for the ''USER.daemon'' principle: {{{ fs setacl ~/public_html <USERNAME>.daemon all}}}. Be aware that this only works if you use your own domain -- if you use {{{http://deleuze.hcoop.net/~USERNAME}}} to serve your files, then you '''must''' be sure that {{{system:anyuser}}} can read {{{~/public_html}}} and its subdirectories.\r
+\r
+If you wish to view the ACLs on a specific directory, such as any you have just applied an ACL, use:\r
+{{{fs listacl <DIRECTORY>}}}\r
+\r
+== Log-In Security ==\r
+\r
+We use the [http://denyhosts.sourceforge.net/ DenyHosts] package to help protect user accounts from brute-force ssh attacks. If a user fails to login within several attempts, then the offending originating IP will be blacklisted in order to prevent additional attempts. If the individual attempts to log in again, then they will see something similar to the following: {{{ssh_exchange_identification: Connection closed by remote host}}}.\r
+\r
+The blacklist expires IPs after a predetermined period of time. Typically, most users will not be affected by the blacklisting, but if you are, you will want to contact the hcoop-sysadmin list to get your IP address removed from the list.\r
+\r
+= WebDAV =\r
+WebDAV is accessible at https://dav.hcoop.net/. WebDAV is useful when working on a website using systems that cannot mount an AFS share. For details on how to setup WebDAV, take a look at http://research.cs.berkeley.edu/doc/dav/\r
+\r
+Note that you can only use WebDAV on directories that have {{{system:anyuser rl}}} as part of its ACL. You'll be able to write even if {{{system:anyuser}}} does not. See Securing Directories on this page for additional details on directory ACLs.\r
+\r
+= Web sites =\r
+\r
+== Websites with a domtool-managed domain ==\r
+\r
+When you publish web content, it will probably live in your home directory. The web server will need permission to read your files, or it will return "403 Access Denied" errors. Since your home directory is in AFS, '''normal UNIX permissions are irrelevant'''. See AndrewFileSystem for information on how to work with AFS's '''separate''' notion of permissions.\r
+\r
+For instance, if you get a 403 error serving `~/public_html/otherdir/page.html`, you might run this to see what's up:\r
+\r
+{{{$ fs listacl ~/public_html/otherdir\r
+Access list for /afs/hcoop.net/user/y/yo/you/public_html/otherdir is\r
+Normal rights:\r
+ system:administrators rlidwka\r
+ system:anyuser l\r
+ you rlidwka}}}\r
+\r
+Oops! Apache only matches the "system:anyuser" principal, so it only gets the "l" (= "list") permission and can only list your directory contents. Try this to fix it:\r
+\r
+{{{$ fs setacl ~/public_html/otherdir system:anyuser read\r
+$ fs setacl ~/public_html system:anyuser read\r
+$ fs setacl ~ system:anyuser l}}}\r
+\r
+The first two give full read permission on the mentioned directories. "l" permission is needed in every parent directory of a file to be able to access it, so the last line makes sure "l" is granted to system:anyuser on your home directory.\r
+\r
+When your web content is accessed through your own virtual host, you can also grant read access to `$USER.daemon` instead of the broader `system:anyuser`, where `$USER` is your username. This is your bizarro-world twin, which Apache runs as when serving your content.\r
+\r
+== Web Pages without a Domain ==\r
+\r
+Your {{{~/public_html}}} directory is available via HTTP through {{{http://deleuze.hcoop.net/~USER/}}}. Eventually this will change to {{{http://hcoop.net/~USER/}}}.\r
+\r
+Due to consequences of AFS authentication, we don't plan to allow dynamic content (CGI, PHP, etc.) via hcoop.net/~you/... on New. If you don't have a domain hosted at HCoop, but want to serve dynamic content, then you can request an hcoop.net subdomain (example: {{{USER.hcoop.net}}}, where USER is your username) via [http://bugzilla.hcoop.net/].\r
+\r
+\r
+= OpenAFS =\r
+For now, see http://research.cs.berkeley.edu/doc/afs/ for details on how to access your AFS share from a remote computer. Be sure to replace example domain names with hcoop.net or HCOOP.NET.\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to periodically run unattended commands using cron.\r
+\r
+[[TableOfContents]]\r
+\r
+= Introduction =\r
+\r
+All users' home directories in HCoop setup are located on AFS partitions. The use of AFS implies the use of Kerberos. In essence, your Kerberos (and AFS) "identity" is completely unrelated to your Unix username. While you do automatically obtain Kerberos and AFS identity (so-called "tokens") when you log-in to HCoop machines over ssh, be aware that Unix and Kerberos/AFS login are two separate things. That's why the scripts you run unattended cannot write (or read) files because, without extra steps taken, they do not have any useful identity or access privileges to partitions where all the relevant data is residing.\r
+\r
+So, in general, when you want to access AFS space (that means any file in your home directory), you first need to authenticate with Kerberos to obtain a valid TGT ("Ticket-granting ticket"). As the name implies, the TG Ticket is then used in automatically obtaining futher tickets for access to specific services (such as to ssh, ftp, bugzilla, members portal or AFS on any of the servers in the HCoop administration "realm").\r
+\r
+= The AFS "Login" Process =\r
+\r
+Following the above, here's the complete, "expanded" series of events that take place in a typical remote shell session:\r
+\r
+ 1. You log in by providing your Unix username and password\r
+ 1. You authenticate to Kerberos and obtain the TGT by running '''kinit'''. (Verify with '''klist -5''').\r
+ 1. You use the TGT to obtain AFS "token" by running '''aklog'''. (Verify with '''tokens''').\r
+ 1. You access files in the AFS space. Actual access privileges are determined by the combination of the token you are holding and the access control lists (ACLs) set on a directory. (List access rules with '''fs la DIRECTORY''').\r
+\r
+== Interactive SSH process ==\r
+\r
+Our SSH service is configured in such a way that your password is, in fact, the secret Kerberos key. So when you log in over SSH, steps 1 to 3 above are performed for you automatically and you can use AFS right away.\r
+\r
+== Non-interactive (Unattended) Processes ==\r
+\r
+When a script is started in your Unix name by Cron, At or any other delayed/controlled-execution facility, no Kerberos ticket (or AFS token) is obtained automatically. Part of the reason lies in the fact that Kerberos' security model makes it almost impossible - even for root users - to authenticate as yourself if the password is not provided. (Where in Unix we would use "sudo" to easily impersonate any user, here it is impossible).\r
+\r
+So the way to obtain Kerberos ticket and AFS token from unattended processes will be explained.\r
+\r
+= Ways of Obtaining AFS Tokens from Unattended Scripts =\r
+\r
+As hinted before, a password '''must''' be present to obtain any Kerberos identity. However, that password may come ''either'' from an interactive terminal, or from a file. (A file that is residing outside of the AFS space, of course!).\r
+\r
+Kerberos discourages exporting of actual password keys into files, so at HCoop we create '''two''' Kerberos "identities" for each user: one named USER (your Unix username) for interactive sessions, and the other named USER.daemon for unattended sessions. \r
+\r
+ 1. Your USER principal has the password saved only in the protected Kerberos database and it is not possible to obtain its ticket without providing the password.\r
+\r
+ 1. Your USER.daemon principal has a very long random secret assigned to it and its key exported to a file named ''/etc/keytabs/user.daemon/USER''. Your scripts will use the file ''/etc/keytabs/user.daemon/USER'' as a password in obtaining Kerberos/AFS identity "USER.daemon". In fact, all shared HCoop daemons also use that file to obtain permissions to write into your home directory (such as to deliver mail). Of course, Unix permissions and ownership on the keytab file are such that no other user can read your keytab file.\r
+\r
+== Token "scope" ==\r
+\r
+Kerberos and AFS introduce a concept called Process Authentication Group ("PAG").\r
+\r
+ * If you obtain the Kerberos ticket and AFS token ''within'' the PAG, the tokens will apply only to the current process (usually a shell) and the processes started from it (its children).\r
+ * If you obtain the Kerberos ticket and AFS token ''outside'' the PAG, the tokens will apply to all processes running under your Unix username (well, to those that are not members of some existing PAGs, of course).\r
+\r
+To "enter" a PAG, you start shell named '''/usr/bin/pagsh.openafs'''. With SSH, even though you find yourself in the shell of preference, a PAG is created for you just beforehand. (Verify by running '''id''' and noticing one numerical, untranslated entry such as 1105575254). Once within a PAG, there is basically no way to "escape" from it, so in effect, it is not possible to affect Kerberos/AFS identity of any of your other running processes by SSH-ing into a machine and kinitting as a different principal or obtaining different AFS tokens - they only apply to your current shell and its subprocesses.\r
+\r
+In contrast, when unattended processes are started in your name, they are free of a PAG so you have the freedom of choice - influencing all "pagless" processes running under your Unix username, or starting pagsh manually and restricting influence to the current process and its children.\r
+\r
+This quickly leads to two possible strategies:\r
+\r
+ 1. Have one pagless process running which is refreshing USER.daemon token periodically (to keep it from expiring), and also run all scripts pagless - they will automatically find themselves to have that USER.daemon token.\r
+\r
+ 1. Invoke all your scripts with shell '''/usr/bin/pagsh.openafs''' (can be in the #! "shebang" line) and obtain AFS token immediately after. Then rely on all subprocesses started from that script to inherit the obtained identity.\r
+\r
+== Unattended Access Privileges ==\r
+\r
+In any case, using file ''/etc/keytabs/user.daemon/USER'' to obtain your Kerberos/AFS identity will "log you in" into AFS as USER.daemon, not USER. Therefore, make sure that all directories you want to access from unattended scripts have read or write permission for USER.daemon in addition to USER.\r
+\r
+For example, here's how the permissions look for your ~/Maildir/ which gives USER.daemon write access:\r
+{{{\r
+$ fs la ~/Maildir/\r
+\r
+Access list for /afs/hcoop.net/user/U/US/USER/Maildir/ is\r
+Normal rights:\r
+ system:administrators rlidwka\r
+ USER rlidwka\r
+ USER.daemon rlidwka\r
+}}}\r
+\r
+To give read permission on a directory, use\r
+{{{\r
+fs sa DIRECTORY USER.daemon read\r
+}}}\r
+\r
+To give write permission on a directory, use\r
+{{{\r
+fs sa DIRECTORY USER.daemon write\r
+}}}\r
+\r
+Note that we mention directory permissions only - in AFS, there are no file permissions. Directory permissions apply to all contained files, except subdirectories. Each subdirectory defines its own permissions. When new subdirectories are created, they inherit the ACL list from the parent directory. If you want to change ACLs on an existing directory tree, just use the '''fsr''' command in place of '''fs''', with the same arguments.\r
+\r
+= Recipes and Examples =\r
+\r
+While you can use '''kinit''' to obtain tokens, we will use '''k5start''' in all examples. '''K5start''' is equivalent or better to '''kinit''' for all purposes.\r
+\r
+== Creating the Directories Used in Examples ==\r
+\r
+Create a directory that will contain your local executables and give USER.daemon read permission to it:\r
+\r
+{{{\r
+$ mkdir ~/bin/\r
+$ fs sa ~/bin USER.daemon read\r
+}}}\r
+\r
+Make sure your {{{~/.bash_profile}}} or equivalent file has ~/bin/ at the beginning of PATH, by enabling this within {{{~/.bash_profile}}}:\r
+\r
+{{{\r
+# set PATH so it includes user's private bin if it exists\r
+if [ -d ~/bin ] ; then\r
+ PATH=~/bin:"${PATH}"\r
+fi\r
+}}}\r
+\r
+Create a directory that will contain PID files for all your user processes:\r
+\r
+{{{\r
+$ mkdir ~/.run\r
+$ fs sa ~/.run system:anyuser rl\r
+$ fs sa ~/.run USER.daemon write\r
+}}}\r
+\r
+== Script to Run a Particular Service Within Pagsh ==\r
+\r
+A wrapper script that runs a user-specified daemon is provided on Mire as {{{run-in-pagsh}}}. When calling it, the first argument should be a unique name with no spaces that describes the daemon, and then provide the commandline for calling that daemon afterwards. Be sure to follow the instructions in the previous section for creating a {{{~/.run}}} directory with correct permissions.\r
+\r
+Here is an example of calling this script.\r
+\r
+{{{\r
+run-in-pagsh interserver ~/interchange/bin/interchange\r
+}}}\r
+\r
+The script may be viewed [http://git.hcoop.net/?p=hcoop/misc.git;a=blob_plain;f=scripts/run-in-pagsh;hb=HEAD here].\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to serve your website(s).\r
+\r
+[[TableOfContents]]\r
+\r
+ * Static sites on deleuze.\r
+ * Serving dynamic content on mire.\r
+ * Accessing read-only site-wide DAV. Also, enabling site-specific DAV so that you can use it for writing. Link to "Using revision control -> DAV and Subversion example".\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to transfer files to your home directory, which is kept in AFS.\r
+\r
+[[TableOfContents]]\r
+\r
+= Using rsync =\r
+\r
+= Using scp =\r
+\r
+= Mounting AFS on your local system =\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page describes the basic use of cron on HCoop systems.\r
+\r
+[[TableOfContents]]\r
+\r
+= Prerequisites =\r
+\r
+It is very important that you read the [:MemberManual/RunningUnattendedCommands:Running Unattended Commands page] to understand the general idea of how to run unattended commands on Mire.\r
+\r
+= Making a cron configuration file =\r
+\r
+Cron needs a special configuration file to tell it how to operate. It is suggested that this file be called {{{~/.crontab}}}, though it can have any name.\r
+\r
+For an explanation of the format of this file, run:\r
+\r
+{{{\r
+man 5 crontab\r
+}}}\r
+\r
+= Activating your cron configuration =\r
+\r
+Once you are satisfied with your setup, run the following command to activate your changes, assuming that your configuration file is called {{{~/.crontab}}}:\r
+\r
+{{{\r
+crontab ~/.crontab\r
+}}}\r
+\r
+= Examples =\r
+\r
+One convention for making scripts to run commands in their own PAG, as specified by the [:MemberManual/RunningUnattendedCommands:Running Unattended Commands page], is to create the {{{~/scripts}}} directory, and place your scripts there. Then, make a cron configuration file that looks something like this.\r
+\r
+{{{\r
+09 0 * * 0 ~/scripts/clean-mail\r
+11 0 * * 0 ~/scripts/remove-tmp\r
+12 0 * * 0 ~/scripts/weekly-comment-check\r
+*/10 * * * * ~/scripts/make-git-projects\r
+}}}\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes the bare minimum that you need to know concerning our use of DomTool. This is meant to be a very brief HCoop-specific overview, compared to the DomTool/UserGuide page, which is more thorough.\r
+\r
+[[TableOfContents]]\r
+\r
+= Configuration files =\r
+\r
+Domtool has user-specified configuration files that determine how to set up a domain or subdomain. Each file contains all of the information needed to configure a single domain.\r
+\r
+If you want Domtool to process these files automatically, then place them in the {{{~/.domtool}}} directory. If you are just testing out a domain temporarily, the configuration files may be placed anywhere.\r
+\r
+By default, this {{{~/.domtool}}} directory is actually a symlink to the {{{~/.public/.domtool}}} directory. This makes your configuration files readable by anyone, but writable only by you. If you want to make them private, then do the following.\r
+\r
+{{{\r
+rm ~/.domtool\r
+mkdir ~/.domtool\r
+fs setacl ~/.domtool domtool read\r
+# Do the following two commands if you have any files in ~/.public/.domtool\r
+mv ~/.public/.domtool/* ~/.domtool\r
+rmdir ~/.public/.domtool\r
+}}}\r
+\r
+= Running domtool =\r
+\r
+In order to activate or test a domain, you must run the {{{domtool}}} command.\r
+\r
+== Testing your configuration ==\r
+\r
+Running the following command tests your configuration file (here called "MYDOMAIN") for errors. Make sure to give the full path to the configuration file, unless you are currently in the same directory as the configuration file.\r
+\r
+{{{\r
+domtool -tc ~/.domtool/MYDOMAIN\r
+}}}\r
+\r
+The "-tc" argument means "type-check".\r
+\r
+== Activating your configuration ==\r
+\r
+In order to make your changes go live, you need to run domtool without the "-tc" argument, as follows.\r
+\r
+{{{\r
+domtool ~/.domtool/MYDOMAIN\r
+}}}\r
+\r
+= Further instruction =\r
+\r
+The intention of this page was to give you a very quick overview of the {{{domtool}}} command. To learn about how to create working configuration files, as well as brag to your friends about Domtool's excellent design, it is essential that you read the [:DomTool/UserGuide:Domtool User Guide].\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This is the chapter of the MemberManual that describes how to use version control software to host code on HCoop servers.\r
+[[TableOfContents]]\r
+\r
+ * Example of sitewide git. We'll keep this even if we decide against managing the domtool stuff with it.\r
+ * DAV and subversion for a particular site.\r
+ * Does sitewide Mercurial make sense?\r
--- /dev/null
+Michael Leonhard, HCOOP Inc. member and part-time systems administrator\r
+\r
+Things that I manage:\r
+ * TripWire\r
+\r
+Username: leonhard\r
+\r
+My homepage: [http://tamale.net/ tamale.net]\r
+----\r
+CategoryHomepage\r
--- /dev/null
+Email: [[MailTo(mwolson AT member DOT fsf DOT org)]]\r
+\r
+Website: [http://www.mwolson.org]\r
+\r
+Projects: [http://www.mwolson.org/projects/]\r
+\r
+= Other Wiki homepages =\r
+\r
+ * [http://www.emacswiki.org/cgi-bin/wiki/MichaelOlson Emacs Wiki]\r
+\r
+ * [http://gnuarch.org/gnuarchwiki/MichaelOlson GNU Arch Wiki]\r
+\r
+ * [http://plug.student-orgs.purdue.edu/wiki/MichaelOlson Purdue Linux Users Group]\r
+\r
+ * [https://wiki.ubuntu.com/MichaelOlson Ubuntu]\r
+\r
+= Role =\r
+\r
+ * HCoop admin\r
+ * Member\r
+ * Wiki power user\r
+\r
+= Instant messaging options =\r
+\r
+ * Jabber: mwolson at hcoop.net\r
+ * IRC: mwolson on irc.freenode.net\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+We make it easy for you to set up your own MoinMoin wiki, without having to worry about managing your own installation of the software. Just follow these directions, which are a variation on the theme of HelpOnInstalling/WikiInstanceCreation:\r
+\r
+ 1. Choose the directory where the data files for this wiki will live. Let's call it `$DATA`.\r
+ 1. Copy `/usr/share/moin/data` and `/usr/share/moin/underlay` to `$DATA`.\r
+ 1. '''Extra bonus gripe!''' Start a write-in campaign today to stop MoinMoin from wanting to write to the `underlay` directories of particular wikis. `underlay` contains pages that are exactly the same across all wikis, like documentation. However, MoinMoin wants to be cute and write cache data in the same directory. In a setting like ours, where different wikis run as different users, it's impossible to make things work out with a shared underlay directory, even though the majority of files in such a directory are never modified and are the same for everyone.\r
+ 1. Set the permissions on your new directory to keep others from mucking with it:\r
+{{{chmod -R ug+rwX $DATA\r
+chmod -R o-rwx $DATA}}}\r
+ 1. Copy `/home/hcoop/public_html/cgi-bin/moin.cgi` to `~/public_html/cgi-bin/`, one of its subdirectories, or anywhere you feel like storing CGI scripts. Call this directory `$CGI`. For instance, if you put `moin.cgi` in `~/public_html/cgi-bin/wacky/`, then `$CGI` is `/home/you/public_html/cgi-bin/wacky`. If you will be running the Wiki out of your own home directory (over `hcoop.net/~you/` -- that means without a real $VHOST), edit the bottom of `moin.cgi` to replace "/wiki" with something like `/~you/cgi-bin/moin.cgi`.\r
+ 1. Create a `wikiconfig.py` in that same directory, or put this config somewhere else and modify `moin.cgi` so that it knows where to look. You can use `/home/hcoop/public_html/cgi-bin/wikiconfig.py` as an example. In contrast to normal MoinMoin procedure, we suggest that you keep your config files as short as possible by having them inherit from other config file classes. In particular, we've created a global `SiteConfig` class that uses all of the default options appropriate for use on the server you find it on. The example config that we just mentioned inherits from this and only sets options explicitly when they are specific to the current wiki. In any case, you are encouraged to look at `/etc/moin/siteconfig.py` for a list of options you can override. For Wikis that run out of your home directory (over `hcoop.net/~you/` -- that means without a real $VHOST), you'll want to override option "url_prefix" with a value like `/~you/moin`.\r
+\r
+\r
+ 1. Choose a short name for your wiki, to appear in URLs. Let's call it $NAME. Despite what HelpOnInstalling/WikiInstanceCreation says, we use "wiki" as the name for this wiki, and it works fine because we use nonstandard URL mappings... but exactly why it works needn't really concern you. :-)\r
+ 1. Pick a virtual host `$VHOST` where your wiki will reside. Modify its VirtualHostConfiguration file to:\r
+ 1. Make sure that it contains a `User` directive for the same user whose `cgi-bin` directory you're using for `moin.cgi`, as well as a `Group` directive for a group that user belongs to. (Both of these are probably just your username, in the common case.) \r
+ 1. Add a line `MoinMoin $NAME $CGI/moin.cgi` to enable MoinMoin requests.\r
+ 1. Be sure that you have a DNS mapping to `www` for that virtual host in the relevant DnsConfiguration file. (If using a $VHOST and not `hcoop.net/~you/`).\r
+ 1. Access your wiki at `http://$VHOST/$NAME/` (or maybe `hcoop.net/~you/`). Check out `/etc/domains/net/hcoop/wiki` for examples of other configuration you might want to set, including redirecting the front page of your vhost to your wiki.\r
+\r
+== Using Custom Themes Not Available in Global MoinMoin ==\r
+\r
+In order to use a custom theme available at various repositories, you must add a few lines to the wikiconfig.py file. If you set your wiki to reside at `hcoop.net/~user/`, then you are already one step ahead. Otherwise, this assumes you followed the rewrite rules for creating a wiki on a different domain.\r
+\r
+ 1. First determine where in your website directory (e.g., `~/public_html/`) your themes will reside. For the use of this tutorial, we will call the theme directory `themes`, although more than just themes can reside in it for the use of MoinMoin.\r
+ 1. Edit the wikiconfig.py file:\r
+ 1. Add `url_prefix = '/themes'`\r
+ 2. Add `theme_default = 'myUniqueTheme'`\r
+ 3. Optionally, add `theme_force = True` so that users cannot select their own theme.\r
+ 1. Ensure the `themes` directory exists in your web directory (i.e., `~/public_html/themes/`)\r
+ 1. Install your unique theme to that location. If you desire to make available themes that come with the MoinMoin installation, you may copy them to this location. For example, `cp -R /usr/share/moin/htdocs/modern/ ~/public_html/themes/`. \r
+ 1. MoinMoin may also need this directory to pull upon other files mentioned in your wikiconfig.py. You will need to copy the directories `common` en `applets` from `/usr/share/moin/htdocs` to this directory if you want Gui Editor to work.\r
+\r
+== Upgrading MoinMoin 1.2 wikis from Abulafia ==\r
+This is rather an obnoxious process; not in the least because one of the migration scripts (#10) doesn't appear to run properly. I've upgraded two of my wikis already, though, and I don't appear to have lost anything. Keep a backup of your data directory, just in case.\r
+\r
+Your wikis will be totally hosed when you move them, since there is no 1.2 installation available on the new server. This has the beneficial side effect of meaning you don't have to worry about people making changes behind your back!\r
+\r
+The process goes something like this:\r
+ 1. Enter the directory that contains your wiki's "data" directory -- generally where you used to stuff your moin_config.py.\r
+ 1. Run the scripts /usr/lib/python2.4/site-packages/MoinMoin/scripts/migration/12_to_13_mig01.py through 12_to_13_mig11.py Yes, all ''eleven'' of them. At the end of this process, you will have a bunch of data directories in various stages of unusability.\r
+ 1. Copy over your underlay directories, new htdocs, moin.cgi, wikiconfig.py, etc, as shown above.\r
+\r
+''The documentation I read only suggested running 1 to 9, and that's worked perfectly for me for 2 wikis that I transferred. --AdamChlipala''\r
+\r
+''I was going by the documentation in /usr/share/doc/moinmoin-common/README.migration.gz, which kind of put the fear of God into me. It was telling me crazy, crazy things, like that I should move my data directory to where the migration scripts are. In site-packages, presumably! Regardless, the biggest pain was simply finding the documentation and piecing together the steps, so that's why I put this up. I don't suppose you can point to the documentation that you were using that suggested only running 1 to 9? --JeremyPenner''\r
+\r
+\r
+''I was viewing this version of the README that's on the MoinMoin wiki. Maybe it's just an out-of-date version, but I've had no problems so far.\r
+ http://moinmoin.wikiwikiweb.de/MoinMoinRelease1.3/README.migration\r
+--AdamChlipala''\r
+\r
+''Yeah, that's out of date. I would assume the README.migration on the server would correspond to the specific version of software installed on the server. Regardless, 10 and 11 don't do a hell of a lot -- they delete stray edit-lock files (you probably won't have any), convert attachment names to utf-8 (assuming you're using roman characters, they probably already are), and update your plugin directory (your custom MoinMoin plugins are already probably useless anyway. Assuming anyone besides me was writing custom MoinMoin plugins.). Probably nothing critical to your wiki surviving, but it won't hurt to run them, either. --JeremyPenner''\r
+\r
+== Controlling access to the Wiki ==\r
+\r
+The easiest way to control access to the wiki is to tune your virtual host configuration. Sometimes, however, this is not possible. For example, wikis installed in user directories (such as ''hcoop.net/USERNAME/cgi-bin/moin.cgi'') can't use ''.htaccess'' files or otherwise define access permissions. In such cases, you might directly edit the ''moin.cgi'' script and implement quick access control in there, directly, in Python. Here's a complete template you may copy-paste and populate with IP addresses of your choice:\r
+\r
+{{{\r
+import os, re, sys\r
+if not re.compile( '^(IP\.ADD\.RESS\.ONE|IP\.ADD\.RESS\.TWO)$').search( os.environ[ 'REMOTE_ADDR'] ):\r
+ print "*** ADDRES NOT AUTHORIZED ***"\r
+ sys.exit\r
+}}}\r
+\r
+This is a quite simple and elegant solution. By default, it only allows listed IP addresses to access the wiki. To reverse the meaning (allow all but the listed addresses), simply remove the '''not''' keyword. --DavorOcelic\r
--- /dev/null
+Here are our decisions on how HCoop's name and Internet addresses should be written in different contexts. It's good to be consistent with these things, you know!\r
+\r
+''Everything here is open to debate, but let's at least agree on something.'' --AdamChlipala\r
+\r
+= Informal usage =\r
+\r
+The informal name for our cooperative is "HCoop," with exactly that capitalization. Avoid using "HCOOP," "Hcoop," "hcoop.net", or "HCoop, Inc.".\r
+\r
+= Legal usage =\r
+\r
+Our official corporation name is "HCoop, Inc.". (I believe that capitalization is irrelevant here, so I chose to write this with the same capitalization as recommended in the last section.) Never use the "Inc." bit in any informal setting, like on this wiki. We only added that at the end because it was required for incorporation by the laws of the locality we chose.\r
+\r
+= Web site URL =\r
+\r
+http://hcoop.net/ is the canonical URL for our main public web site. In particular, leaving out the slash at the end makes you (and us!) look HTTP-ignorant. ;-P\r
--- /dev/null
+Founding member serving as secretary on the [http://hcoop.net/board/ board].\r
+\r
+Email: [[MailTo(ntk at hcoop dot net)]]\r
+\r
+Jabber: ntk at hcoop dot net\r
+\r
+AIM: Shenjingbing\r
+\r
+IRC: ntk on [http://www.freenode.net/ Freenode]\r
+----\r
+CategoryHomepage\r
--- /dev/null
+This is a quick reference guide for all features available to users on Mire and Deleuze.\r
+[[TableOfContents]]\r
+\r
+= AFS =\r
+ * It is possible to mount your home directory on your own machine using [http://www.openafs.org OpenAFS].\r
+ * AFS utilizes Access Control Lists; regular Unix permissions are not used. ACLs are far more powerful.\r
+\r
+= Bugzilla =\r
+ * http://bugzilla.hcoop.net is where most support requests are now made. The portal still allows specific requests such as installation of Debian packages.\r
+ * Use your Kerberos password.\r
+\r
+= DomTool 2 =\r
+ * DomTool 2 is a very powerful tool. It utilizes a very easy to understand language to setup personal services. See ["DomTool/Examples"].\r
+ * Configuration files are located at ~/.domtool\r
+\r
+= Logs =\r
+ * Logs from services such as httpd (Apache) are now stored in ~/logs and are readable (but not writable) by you.\r
+\r
+= Mail =\r
+ * {{{.forward}}} should be created in the {{{~/.public}}} directory.\r
+ * {{{.procmailrc}}} should be instead written to {{{~/.procmail.d/procmailrc}}}.\r
+\r
+= Portal =\r
+ * Use your Kerberos password.\r
+\r
+= SSH Access =\r
+ * You may now use http://ssh.hcoop.net to access Mire with any modern browser that supports AJAX.\r
+ * Using the OpenSSH client, ''with Kerberos support compiled in'', you may use {{{ssh -K}}} to login using Kerberos.\r
+Describe NewServersSetup/FinalPreparations here.x\r
--- /dev/null
+This page collects information on the hardware we plan to install at a colocation provider as part of our new hosting infrastructure. Some older discussion and similar stuff is on NewSystemHardwareArchive.\r
+\r
+See also NewServersSetup for tasks remaining to be done to get these machcines ready for general use.\r
+\r
+Currently, what we know are the uses for the three machines we will base our infrastructure on. We also know our Abulafia machine configuration, and Justin Leitgeb's donated server configuration. The machine configurations and intended uses follow:\r
+\r
+[[TableOfContents()]]\r
+\r
+= deleuze: fileserver, static HTML content =\r
+ * Donated by: Justin Leitgeb\r
+ * Model: Dell PowerEdge 2850\r
+ * Processor: 2 x 2.8 GHz Intel Xeon\r
+ * RAM: 4 GB\r
+ * Disks:\r
+ * 4 x 10K Seagate Cheetah SCSI drives, 73GB '''and'''\r
+ * 2 x 10K Seagate Cheetah SCSI drives, 36GB\r
+ * Extra: RAID kit, with battery, etc., 256 MB RAID cache, 2 power supplies\r
+ * [https://dcse.dell.com/selfstudy/Associates_7_0/Enterprise/PowerEdge/PE2850/printer_friendly.asp Maintenance Manual for the PE 2850]\r
+'''Intended use: fileserver and host for all services that don't involve dynamic content provided by non-admins. No user logins.'''\r
+\r
+\r
+\r
+= abulafia: shell server =\r
+ * Processor: 1 x 900 MHz\r
+ * RAM: 512 MB\r
+ * Disks: 40 GB RAID 1 (2 x 40 GB 7200 RPM ATA drives)\r
+ * Extra: 3Ware 6400 PCI ATA RAID controller\r
+'''Intended use: refurbished slightly to serve as a generic shell server and the only machine where usage not strictly related to "Internet hosting" is permitted.'''\r
+\r
+= mire: dynamic web content =\r
+ * Donated by: Ray Racine\r
+ * Model: Sun Fire v20z\r
+ * Processor: 1 x 1.6GHz AMD64 (Opteron)\r
+ * RAM: 1 GB\r
+ * Disks: 2 x 36 GB Ultra320 SCSI (hot swap)\r
+ * 1U\r
+ * Ultra 320 SCSI controller embedded in mainboard\r
+ * [http://www.sun.com/products-n-solutions/hardware/docs/Servers/Workgroup_Servers/Sun_Fire_V20z/index.html Product Documentation, including Maintenance and Troubleshooting Manuals for Sun Fire v20z]\r
+\r
+'''Intended use: dynamic web content and any other Internet services that involve running arbitrary code from members (including custom daemons, etc.)'''\r
+\r
+= krunk: secondary KDC and AFS server =\r
+ * KrunkInfoz\r
+ * Donated by: Adam Megacz\r
+ * Model: Sun Netra\r
+ * Processor:\r
+ * RAM:\r
+ * Disks:\r
+ * 2 x 200GB Unknown RPM and Manufacturer\r
+'''Intended use: secondary KDC and AFS server (backup) in event that the primary server (deleuze) goes down'''\r
+\r
+= Other components =\r
+\r
+== Switch ==\r
+We are proceeding under the assumption that we'll use ShaunEmpie's donation (see HardwareDonations), a Nortel (Baystack) 380 switch. He says:\r
+\r
+It is not brand new but is working. Here is [http://vpit.net/es380-guide.pdf a guide] that I was able to find to give anyone interested a more in depth view of it.\r
+\r
+VLAN Configuration Proposal:\r
+\r
+{{{\r
+With our new setup, I think it would be best to setup a few different\r
+VLANs for different uses. For anyone who is unfamiliar with the term, a\r
+VLAN is a virtual lan. It allows you to have completely separate networks\r
+on the same switch. This will allow us to setup a private network that\r
+the public and peer1 would have no access to. This could be handy for\r
+database systems, NAS, backup servers, etc which you'd want to keep off\r
+the public network.\r
+Proposed Configuration:\r
+VLAN 1. Management VLAN - not used for normal traffic\r
+VLAN 10. Public VLAN - public/Peer1's network\r
+VLAN 20. Private VLAN - private subnet for inter-server traffic\r
+For a starting point i think having ports 1-12 in VLAN 10 and ports 13-24\r
+in VLAN 20 would be best. The VLAN membership of a port can be changed\r
+easily so these would not be set in stone.\r
+The switch allows for many more VLANs than we'll ever need so if anyone\r
+has a suggestion or need for another VLAN it would be trivial to setup.\r
+Any questions/comments, let me know.\r
+-Shaun}}}\r
+ES380 AC Power Specs:\r
+\r
+ * Input current: 1.5A to 100 AC\r
+ * Input voltage (rms): 100 to 240 VAC at 47 to 63 Hz\r
+ * Power consumption: 150 W\r
+ * Thermal rating: 1000 BTU/hr maximum\r
+== Serial console ==\r
+Some device to simulate local login over the Internet could be a life saver. JustinLeitgeb mentions a special card that Dell sells that would work with his donation.\r
+\r
+There are also some really good KVM-over-IP devices out there fairly cheap these days. My provider has one and it works very well, although on the client side you have to use this ugly Windows ActiveX control. I'm sure by now there are KVM-over-IP boxes that speak plain VNC. These should be well under $500. [AdamMegacz]\r
+\r
+== IP KVM ==\r
+The StarTech Server Remote Control External KVM over IP provides access to systems that may have a degraded network. It allows us to monitor Power-On Self Test (POST), configure BIOS/CMOS, and even reinstall operating system software. It must be connected to another multiple port KVM in order to have access to more than one server. See [http://www.startech.com/Data/ProductManuals/SV1110IPEXT.pdf?c=US manual].\r
+\r
+== Standard KVM ==\r
+We have a standard KVM to allow remote switching between servers as maintenance requires.\r
--- /dev/null
+This is old content from NewSystemHardware that is now deemed not worth having on that page.\r
+\r
+= New System Hardware =\r
+During the HCoop IRC meeting on June 24, 2006, the group decided that it would based it's new system architecture on the following pieces of hardware:\r
+\r
+ * Two robust servers, one that doesn't allow normal user logins, and one that does.\r
+ * One switch to form a LAN between these servers.\r
+ * One serial port device, to facilitate remote access to our servers.\r
+Also, it was mentioned that we should research hardware support contracts from any vendor that will be selling us equipment.\r
+\r
+Additionally, group decided that the server that HCoop currently owns, Abulafia, will be brought to he.net for shell service. This will follow a necessary re-load of the OS software at a time to be determined later.\r
+\r
+'''Some members are willing to donate pieces of hardware that fit our needs. See the page HardwareDonations for more information. Also please check the power guidelines for he.net as this is something that we will have to work around, either by going to another colocation site or hosting less equipment to start out at he.net.'''\r
+\r
+== He.net Power/Rack Guidelines ==\r
+I asked he.net about the type of racks they used, and asked for additional information. They told us to plan on the following:\r
+\r
+''We have locking cabinets. Our 7U space is 12 inches tall, 19 inches wide, and 32 inches deep. The cabinets come with front mounting posts, so don't purchase mounting rails. If your servers are extra heavy and need additional support, we offer rackmount shelves for a one time $60 setup fee.''\r
+\r
+We will almost definitely need this shelf for our equipment, so add on the $60 fee to our expected costs.\r
+\r
+''You get one outlet per 7U, so you'll need to provide a power strip for additional machines. ''\r
+\r
+''You can use approx 2 amps of power per 7U.''\r
+\r
+I asked for more information on the type of power strip:\r
+\r
+''You'll just want a basic power strip. A surge protector is not needed. We have failover UPS's that filter the power and protect against power surges. We also have PDU's for each row of cabinets for even more filtering.''\r
+\r
+According to he.net, the surge protector does not have to be rack-mountable. Anyone have $7 we can borrow? ;-)\r
+\r
+== Servers ==\r
+We will be purchasing two servers, which will be configured and sent to he.net for colocation.\r
+\r
+\r
+\r
+=== Desired Features ===\r
+These servers should be as redundant as possible. At this point, we cannot afford to have less than one point of failure in many areas, so we should look for the following features in our new servers:\r
+\r
+ * Redundant power supplies.\r
+ * How important is this really? I would argue not because I doubt we will find a colo for our size that will give us power outlets on two independent circuits, and the chance of a power supply failing is low (thus killing both benefits and creating nothing but unneccesary cost). -- ClintonEbadi\r
+\r
+ * It's not an issue for the new web server anyway; we need to go 1U and if we use Penguin they don't supply these. Some people find it useful because it's not just a matter of the circuit failing; when you use a Y cable (to plug both power supplies into the same outlet) it prevents your server from going down in case a power supply fails. It is low probability, but getting a new power supply to the machine can incur a lot of down-time that can be avoided by this option which only adds about $200 - $300 to the price of a new server. I believe it also doesn't use much more power to run two power supplies than one once the server is started. -- JustinLeitgeb\r
+\r
+ * Hardware RAID.\r
+ * Dual CPU's, AMD seems to be a stronger option than Intel\r
+==== Differences Between the Servers ====\r
+The admin-only server will hopefully be serving an AFS file system, which means that fancier kinds of RAID are justified there. The all-members server can get away with cheaper (and maybe even faster) solutions for local disk access.\r
+\r
+JustinLeitgeb thinks that perhaps RAID 1 would work on the all-members server, and either RAID 5 or RAID 10 on the admin server. It should be RAID 10 if we can afford it, or RAID 5 if we're shorter on cash. :)\r
+\r
+There may be other factors influencing different configuration choices between the servers.\r
+\r
+Perhaps we can get away with SATA RAID 1 on the web server -- hopefully this machine won't be IO-bound, especially if we add enough RAM later. Also, it might benefit us to get a couple of rather lightweight web servers behind a load balancer before really maxing them out, in order to have fewer single points of failure (of course, at this point we would probably also want to have two load-balancers using "heartbeats" so that they couldn't cause a prolonged system failure).\r
+\r
+=== Proposed Vendors and Models ===\r
+[http://www.dell.com Dell] Models:\r
+\r
+ * Possible web server [http://www.hcoop.net/~leitgebj/hcoop_servers/dell_web_server.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/dell_web_server.pdf (PDF)], based on the Dell PowerEdge 1850 $5071.\r
+ * Possible admin server [http://www.hcoop.net/~leitgebj/hcoop_servers/dell_admin_server.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/dell_admin_server.pdf (PDF)], based on the Dell PowerEdge 2850 (offers more space for hard disks in our primary file server) $8486.\r
+Note that when I checked Dell dropped something like $1200 off of the price of each server over $4000, so we should expect some significant discounts. Whichever company we plan on going with, we may be able to negotiate lower prices by emphasizing that we may buy more in the future, etc.\r
+\r
+[http://www.monarchcomputer.com/Merchant2/merchant.mv?Screen=CTGY&Store_Code=M&Category_Code=allracks Monarch Computer] Models:\r
+\r
+[http://www.penguincomputing.com Penguin Computing] Models:\r
+\r
+ * Possible web server configuration hardware RAID $3463 [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_web_server.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_web_server.pdf (PDF)]\r
+ * Possible admin server configuration RAID 10 1U $5321 [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_server.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_server.pdf (PDF)]\r
+ * Possible admin server configuration, using the 2U server, redundant power supplies, and RAID 5 $4884 [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_raid5_server.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_raid5_server.pdf (PDF)]\r
+ * Possible admin server configuration using the 2U server, redundant power supplies, and RAID 10 $5523 [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_raid10_server_2200.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/penguin_admin_raid10_server_2200.pdf (PDF)]\r
+ * Possible web server configuration with SATA RAID 1, budget configuration about $2700 [http://www.hcoop.net/~leitgebj/hcoop_servers/altus_budget_web.ps (postscript)] [http://www.hcoop.net/~leitgebj/hcoop_servers/altus_budget_web.pdf (PDF)]\r
+With the Penguin models, we seem to have to go to the 2U, Altus 2200 in order to get a redundant power supply.\r
+\r
+== Ethernet Switch ==\r
+=== Desired Features ===\r
+ * Gigabit\r
+ * 5 ports minimum\r
+ * Managed - so that we can troubleshoot failed NIC's easier\r
+ * Rack-mountable, so that vibration and heat issues are diminished.\r
+ * SNMP monitoring capability\r
+=== Additional Information ===\r
+He.net sent us the following when asked about switch configurations at their site:\r
+\r
+''We've got customers using everything from ElCheapoSwitch(tm) to Cisco-grade equipment. The main difference between the two is how much traffic they can deal with, the number of packets they can deal with, and how they can be accesses/monitored. If you're looking at pushing primarily web traffic (<50Mb/s) and do not require any of the more advanced functionality of a managed switch, you could likely just go with a good unmanaged switch. If you were doing higher traffic levels, streaming, or other such traffic which consist of a zillion little packets, especially if it's between your servers, you would be better served by something a bit higher grade.''\r
+\r
+And from another support rep at he.net (their responsiveness has been impressive so far!):\r
+\r
+''Depends on their needs. If they want to run MRTG, then they need a managed switch. If they just need a switch, a netgear or linksys or d-link will accomplish the job. ''\r
+\r
+''Cost differences are greater managed versus non-managed. Non-managed can be 50-$100, whereas managed can start at about $250 and go into the $thousands depending on model and capabilities.''\r
+\r
+I also asked he.net about the number of ports we would need. Also got useful information about setting up a VLAN which would be useful. He.net response:\r
+\r
+''(2 * n) + 1... where n is the number of machines you colocate. ''\r
+\r
+''For 3 servers, your switch would need 7 ports. 3 for the private network, 3 for the public network, and 1 for the uplink to HE. ''\r
+\r
+''For better control of your packets and their direction... if you're intending to do a public and private network, you might want to consider purchasing 2 smaller ElCheapoSwitches... or using a slightly more managed switch which support creating a VLAN.''\r
+\r
+=== Proposed Models and Vendors ===\r
+==== Vendors ====\r
+[http://newegg.com/ Newegg] has been recommended to several of us.\r
+\r
+==== Models ====\r
+===== NETGEAR GS108 10/100/1000Mbps =====\r
+[http://www.newegg.com/Product/Product.asp?Item=N82E16833122111 Netgear GS108 Switch ]: Highly-rated Netgear switch that is not rack-mountable\r
+\r
+Price: ($56.99)\r
+\r
+(Previous opinion retracted --MichaelOlson)\r
+\r
+I don't like this switch for the following reasons:\r
+\r
+ 1. It is not rack-mountable, meaning that it could raise issues for cooling in the rack, and be more susceptible to shock that could reduce reliability of the switch, or jar patch cables out of the ports.\r
+\r
+ 1. It is not managed, so we can't track important information about performance and possible NIC failures via SNMP.\r
+Basically, I think that if we're going to pay all of this money for equipment and hosting, we shouldn't put an interconnect with insufficient features in the middle of our architecture. But, I'm not a networking expert, so I would welcome any opinions contrary to this! JustinLeitgeb\r
+\r
+===== Level One GSW-1655 10/100/1000Mbps =====\r
+ * ($249.99) Level One 16-port rack-mountable switch [[http://www.newegg.com/Product/Product.asp?Item=N82E16833118021 link ]]\r
+I've never heard of this brand (Level 1?) so I don't trust it. Any reviews? JustinLeitgeb\r
+\r
+===== Dell PowerConnect 2716 =====\r
+This is an 8-port gig switch that is web-manageable and lists for $82. I think that we could make it work, especially if I were able to write some scripts to get important data for monitoring in Nagios or rrdtool. I put the [http://www.hcoop.net/~leitgebj/hcoop_servers/pwcnt_27xx_specs.pdf specification sheet] on our web site. This switch is rack-mountable.\r
+\r
+===== 3Com® SuperStack® 3 Switch 3812 =====\r
+[http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3C17401 3Com® SuperStack® 3 Switch 3812] seems to have most of the features that we need, with a bit of room to grow. Prices range from $1000 to $1500 on [http://froogle.google.com Froogle], in my experience [http://www.cdw.com CDW] is a reliable vendor. Perhaps we should make a jump and get the 24 port, which would support our use of an entire rack in the future, if the price difference is small?\r
+\r
+===== Nortel Ethernet Routing Switch 3510-24T and Ethernet Switch 380-24T =====\r
+The 3510 will be much more robust than the others listed. List price is around $2200 but I will see how much of a discount I can get as wholesale is much much lower. Here is the product brief,[http://vpit.net/ers3510-brief.pdf ers3510 brief]. I can answer any questions about it as I do work for Nortel. I am not trying to make a sale here, as I am not a salesman. I just work with nortel switches every day as an engineer.\r
+\r
+The 380 I can donate, as I own it. It is not brand new but is working. Here is a guide that I was able to find to give anyone interested a more in depth view of it, [http://vpit.net/es380-guide.pdf es380 guide].\r
+\r
+ES380 AC Power Specs:\r
+Input current: 1.5A to 100 AC\r
+Input voltage (rms): 100 to 240 VAC at 47 to 63 Hz\r
+Power consumption: 150 W\r
+Thermal rating: 1000 BTU/hr maximum\r
+\r
+Both are managed, 10/100/1000 switches.\r
+\r
+== Serial Port ==\r
+=== Desired Features ===\r
+Is this device really necessary? For an extra $1000 - $2000, and utilization of 1U, I am not convinced that this is worth the expense. It seems that in the rare event that our machine is inaccessible from ssh we can use remote hands with he.net and put our resources elsewhere. If someone does think that this is necessary, please put a link to specific models that would be helpful, and a list of reasons why they will come in handy that would justify the additional cost and space in our rack. JustinLeitgeb\r
+\r
+=== Proposed Models and Vendors ===\r
+[http://www.cyclades.com/ Cyclades] was mentioned as one vendor of serial port devices which are linux-friendly.\r
--- /dev/null
+##master-page:FrontPage\r
+#format wiki\r
+#language en\r
+#pragma section-numbers off\r
+\r
+= HCoop Wiki =\r
+This is the Internet Hosting Cooperative's space for maintaining documentation on how our services work. Everyone, including both members and non-members, is invited to create and edit appropriate pages.\r
+\r
+If you are new to wikis, see the DefaultFrontPage.\r
+\r
+= News =\r
+ * NewServersSetup\r
+ * MigrationTips\r
+ * NewFeatures\r
+\r
+= Getting started =\r
+ * HCoop's [http://hcoop.net/ front page]\r
+ * ProspectiveMemberFaq\r
+ * MemberFaq\r
+ * NewMember\r
+\r
+= Technical information =\r
+\r
+== Basic account usage ==\r
+ * [https://members2.hcoop.net/ The member portal]\r
+ * SshConfiguration: How to connect to our servers for shell access\r
+ * FtpConfiguration: How to connect to our servers for FTP access\r
+ * FirewallRules: What you can do over the network on our servers\r
+ * FileTransfer: How to get files created elsewhere onto our servers\r
+ * UserWebsites: The easiest way to host a web site with us\r
+ * UsingEmail\r
+ * UsingDatabases\r
+ * DynamicWebSites\r
+ * SystemAuthentication: Authentication mechanisms supported\r
+ * BackupServices\r
+ * UsingResourceLimits: What to do if your process dies when trying to fork or allocate memory\r
+ * JabberServer: How to get a Jabber account\r
+ * SpamAssassin: How to set up automated spam filtering for your HCoop email account\r
+ * WebSpam: Add ideas on how to defeat spam that defaces web pages to this wiki page, or add links to your web spam logs.\r
+ * CustomDaemons: How to run custom daemons.\r
+ * TipsAndTricks: Some tips that might make your life easier.\r
+\r
+\r
+== Configuring shared daemons ==\r
+ * DomainRegistration: How to get your own domain properly set up to use hcoop's servers\r
+ * DomainTool: An overview of our tool to let users configure how shared daemons handle their domains\r
+ * DnsConfiguration\r
+ * EmailConfiguration\r
+ * AfsClientConfiguration: Instructions on how to configure client machines to use AFS (May 16, 2007 - for beta testers only!)\r
+ * MailingListConfiguration\r
+ * MoinMoinConfiguration: Setting up your own wiki like this one\r
+ * UsingSsl: How to create SSL certificates\r
+ * VirtualHostConfiguration\r
+\r
+== Non-technical administrative stuff ==\r
+ * MemberDues\r
+ * ContactHcoop: Ways to get in touch.\r
+ * HcoopMarketing: publicity, t-shirts, and web design\r
+ * HcoopPolicies: our various policies\r
+ * HcoopGuidelines: for communicating, HCoop staff, and more\r
+ * HcoopStructure: co-op bylaws, board members, and other legal details about the cooperative\r
+ * IrcMeetings: view official meetings that are logged\r
+ * OtherGroups who run services similar to us\r
+ * CategoryOutdated\r
+\r
+== System administration ==\r
+ * InstalledSoftware: Information on packages installed and maintained by means other than Debian's {{{apt}}}\r
+ * InstallationLog: Our admins' progress on setting up this new server\r
+ * CategorySystemAdministration: Other bits of interest to our admins and other curious folk\r
+ * PrincipalsForNonHumans: policy on kerberos+pts credentials which do not correspond to humans\r
+ * OpenProblems: Problems we're trying to solve to make our services more reliable\r
+ * KvmInfo: the kvm\r
+ * BackupInfo\r
--- /dev/null
+== Previous information that was gathered about existing service providers who may be helpful to us ==\r
+\r
+Who should we consider for hosting our next hcoop architecture?\r
+\r
+Some providers that have come recommended:\r
+\r
+ * [http://www.gaiahost.coop/ GAIA Host]\r
+ * [http://www.inreach.com/ InReach]\r
+ * [http://www.monkeybrains.net/ Monkey Brains]\r
+\r
+Responses to an e-mail AdamChlipala sent to the [http://communitycolo.net/ CCCP] mailing list:\r
+ * [http://www.simpli.biz Simpli]. The owner of the company told me via e-mail that, as a 501(c)12 corporation, we could pay "30-40% off of our list prices."\r
+ * That would be awesome if they actually did that. Their list prices look reasonable to begin with. Hopefully they understand what 501(c)(12) is and aren't assuming our organization is a charity. Of course we would still need to compare their service etc. Also this is assuming we *do* get tax-exempt status...it will probably take a while yet. Best case scenario is that we get an acceptance letter sometime next month--I will call them in a week or so anyway to see what the status is. Statistically it is likely they will bounce some questions back at us requiring a few more rounds before approval. Worst case scenario is they deny it outright with prejudice, leaving administrative appeal as the only option (which tends to be a losing option). --NathanKennedy\r
+\r
+Other possibilities for hosting that have been mentioned:\r
+ * [http://www.he.net He.net]. He.net has been around a long time and has lots of redundancy in terms of connections. There is no special discount for coops or not-for-profits, but their prices seem to be reasonable. Specifically, I was given an unofficial quote on 9/11/2005 for 7U of space (12"). Using 1Mbps would be $300 per month, or 2 Mbps would be $250 per Mbps per month up to 4Mbps. I believe that if we went with He.net we would probably end up buying and configuring our own servers, configuring them and sending them to the facility. In case of hardware issues, we may want to check out their hourly cost for "remote hands". This service was cited as a possibility by JustinLeitgeb to the hcoop mailing list.\r
+\r
+Response from Riseup.net:\r
+ * You should see the seattle community colocation project at http://seaccp.org/. SCCP is a separate and mostly autonomous project of riseup.net. It functions as a democratic colocation cooperative, although the riseup collective has final say because we are fiscally liable. \r
+\r
+ Anyway, you should contact the sccp at colo@riseup.net. This ticket system is for riseup.net specific questions, and sccp is largely separate.\r
+\r
+ The colocation donation is sliding scale, but generally our costs are $50/server/month, depending on power usage. SCCP asks people to pledge to donate more if their server is using more than 1Amp.\r
+\r
+ -elijah\r
+\r
+ *I have written to SCCP and NYCCCP for quotes. --NathanKennedy\r
--- /dev/null
+##master-page:HomepageTemplate\r
+#format wiki\r
+== Omry Yadan ==\r
+a software developer and an hcoop member since 10/2006\r
+\r
+Also develops [http://firestats.cc/ FireStats], a web statistics system.\r
+Currently acting as an emergency system administrator for our aging server fyodor.\r
+\r
+[http://firefang.net/blog Hebrew blog]\r
+\r
+== Contact ==\r
+Email: [[MailTo(omry@yadan.net)]]\r
+\r
+Jabber/MSN : omry@yadan.net\r
+\r
+ICQ : 20889700\r
--- /dev/null
+This page is a checklist for ntk, so that he remembers what to bring with him on the next on-site visit (or future on-site visits, for purchases).\r
+\r
+ * Philips screwdriver\r
+ * 2nd new hard drive\r
+ * Burned RIP CD (from [http://www.tux.org/pub/people/kent-robotti/looplinux/rip/RIPLinux-2.9.iso])\r
+ * Burned Debian Etch install CD\r
+ * Netra needs to be mounted using the appropriate screws. The Netra apparently does not require rails.\r
+ * 9V+ type round adapter power cable for the new KVM switch\r
+\r
+Here is the plan for salvaging mire.\r
+\r
+ * Boot off the RIP CD.\r
+ * If without RIP CD but with Knoppix, boot using this cheat-code: {{{knoppix-txt 3}}} This should use {{{vga=normal}}} as a kernel parameter and boot into runlevel 3, command line only. The point is to allow VNC to function properly as using the framebuffer may cause display issues with VNC.\r
+ * Mount /dev/sda1 on /mnt (remember, this is the old /dev/sdb, when it is the only drive in the machine).\r
+ * mwolson will:\r
+ 1. selectively copy things off of /etc onto deleuze (he will use git for this to clone his existing /etc repository, which can ensure that the contents are not corrupt)\r
+ 2. save the output of df, fdisk -l /dev/sda and dpkg -l\r
+ 3. copy the entire /etc directory to deleuze (for reference, in case mwolson missed something important in the earlier copying run)\r
+ 4. fsck /dev/sda*\r
+ * Turn machine off, take out the hard drive, put in one new hard drive only, put the Debian Etch install CD in the CD drive.\r
+ * Install Debian on the new drive, and boot from it.\r
+ * Run bonnie++ (preferable) or dd to stress test the new HD and io subsystem, before wasting time installing too many other packages and configuring, etc. Watch for errors during test.\r
+ * bonnie -d /test/ -s 0.1 -n 1 -r 252 -u root\r
+ * bonnie -d /test/ -s 0.1 -n 10 -r 252 -u root\r
+ * Start copying over saved settings and packages to it.\r
+ * ntk is free to leave at this point if he wants.\r
+ * If the machine stays up, and does not lock up for a day or two:\r
+ * We will assume that both of the old hard drives were bad, instead of just the old /dev/sda.\r
+ * We will install the second hard drive.\r
+ * We will bind the two hard drives together via RAID.\r
+ * Otherwise, if the machine does lock up:\r
+ * Obviously something else is wrong.\r
+ * Look into various hardware we can try to replace, if there is some sort of SCSI card.\r
+ * If the motherboard is bad, we will probably have to scrap mire, unless someone has other plans.\r
--- /dev/null
+= Charge summary =\r
+\r
+|| '''Date''' || '''Amount''' || '''From''' || '''For''' ||\r
+|| 11/21/2006 || $168.94 || Red Carpet Car, Radio Shack, Kinko's || Van, electronics, fax [http://article.gmane.org/gmane.org.misc.hcoop.general/319/match=tip (reimburse ntk)] ||\r
+|| 11/28/2006 || $141.09 || [http://www.rubyskytech.com/ RubySkyTech] || Hard drive ||\r
+|| 11/28/2006 || $133.97 || [http://discountechnology.com/ DiscounTechnology] || Rails ||\r
+|| 11/30/2006 || $1150.00 || Peer 1 || Colocation set-up charge plus first month of hosting ||\r
+|| 12/19/2006 || $450.00 || Peer 1 || Colocation ||\r
+|| 1/17/2007 || $750.00 || Peer 1 || Colocation ||\r
+|| 2/20/2007 || $750.00 || Peer 1 || Colocation ||\r
+|| 3/19/2007 || $750.00 || Peer 1 || Colocation ||\r
+|| 4/4/2007 || $99.00 || [http://www.incorp.com InCorp] || Registered agent ||\r
+|| 4/25/2007 || $750.00 || Peer 1 || Colocation ||\r
+|| 5/25/2007 || $142.57 || [http://www.supplysale.com/ SupplySale] || Rails ||\r
+|| The Future || $50.00 || GrahamFreeman || Rails ||\r
+|| || '''TOTAL''' || || $5335.57 ||\r
--- /dev/null
+smartctl version 5.36 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen
+Home page is http://smartmontools.sourceforge.net/
+
+Device: SEAGATE ST336607LC Version: 0007
+Serial number: 3JA7S98P00007446XQ5Q
+Device type: disk
+Transport protocol: Parallel SCSI (SPI-4)
+Local Time is: Mon Jul 23 19:31:27 2007 EDT
+Device supports SMART and is Enabled
+Temperature Warning Enabled
+SMART Health Status: OK
+
+Current Drive Temperature: 23 C
+Drive Trip Temperature: 68 C
+Elements in grown defect list: 57
+Vendor (Seagate) cache information
+ Blocks sent to initiator = 41954199
+ Blocks received from initiator = 119443040
+ Blocks read from cache and sent to initiator = 9989563
+ Number of read and write commands whose size <= segment size = 322634364
+ Number of read and write commands whose size > segment size = 9236
+Vendor (Seagate/Hitachi) factory information
+ number of hours powered up = 5779.83
+ number of minutes until next internal SMART test = 106
+
+Error counter log:
+ Errors Corrected by Total Correction Gigabytes Total
+ ECC rereads/ errors algorithm processed uncorrected
+ fast | delayed rewrites corrected invocations [10^9 bytes] errors
+read: 162239 0 0 162239 162641 276.817 0
+write: 0 0 312 312 3337 227.790 0
+
+Non-medium error count: 426
+
+[GLTSD (Global Logging Target Save Disable) set. Enable Save with '-S on']
+
+SMART Self-test log
+Num Test Status segment LifeTime LBA_first_err [SK ASC ASQ]
+ Description number (hours)
+# 1 Background short Completed - 3 - [- - -]
+# 2 Background short Completed - 0 - [- - -]
+# 3 Background short Completed - 0 - [- - -]
+
+Long (extended) Self Test duration: 768 seconds [12.8 minutes]
--- /dev/null
+smartctl version 5.36 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen
+Home page is http://smartmontools.sourceforge.net/
+
+Device: SEAGATE ST336607LC Version: 0007
+Serial number: 3JA2248V00007350014Y
+Device type: disk
+Transport protocol: Parallel SCSI (SPI-4)
+Local Time is: Mon Jul 23 19:31:40 2007 EDT
+Device supports SMART and is Enabled
+Temperature Warning Enabled
+SMART Health Status: OK
+
+Current Drive Temperature: 24 C
+Drive Trip Temperature: 68 C
+Elements in grown defect list: 0
+Vendor (Seagate) cache information
+ Blocks sent to initiator = 32321612
+ Blocks received from initiator = 3688231658
+ Blocks read from cache and sent to initiator = 6543427
+ Number of read and write commands whose size <= segment size = 267314716
+ Number of read and write commands whose size > segment size = 12415
+Vendor (Seagate/Hitachi) factory information
+ number of hours powered up = 5536.58
+ number of minutes until next internal SMART test = 104
+
+Error counter log:
+ Errors Corrected by Total Correction Gigabytes Total
+ ECC rereads/ errors algorithm processed uncorrected
+ fast | delayed rewrites corrected invocations [10^9 bytes] errors
+read: 24555 0 0 24555 24555 227.932 0
+write: 0 0 0 0 0 255.763 0
+
+Non-medium error count: 14643
+
+[GLTSD (Global Logging Target Save Disable) set. Enable Save with '-S on']
+
+SMART Self-test log
+Num Test Status segment LifeTime LBA_first_err [SK ASC ASQ]
+ Description number (hours)
+# 1 Background short Completed - 1 - [- - -]
+# 2 Background short Completed - 0 - [- - -]
+
+Long (extended) Self Test duration: 768 seconds [12.8 minutes]
--- /dev/null
+= Public hosting cooperatives =\r
+\r
+ * [http://lautre.net/ L'Autre Net] (French)\r
+ * [http://www.cernio.com/ Cernio] - Business converting to a cooperative\r
+ * [http://www.crosswired.org.uk/ Crosswired] (United Kingdom)\r
+ * [http://www.epfarms.org/ Eggplant Farms]\r
+ * [http://electricembers.net/ Electric Embers]\r
+ * [http://www.fiasco.org.il/ Fiasco] (based in Israel, uses English)\r
+ * [http://www.gaiahost.coop/ GAIA Host Collective]\r
+ * [http://ouvaton.coop/ Ouvaton] (French, other languages supported)\r
+ * [http://www.spaceship.com/ Spaceship.com]\r
+ * [http://www.tech.coop/ The Tech Co-op]\r
+ * [http://www.trash.net/ trash.net] (German only)\r
+ * [http://www.webhostingcoop.org/ The Web Hosting Cooperative]\r
+\r
+= Groups primarily offering internet access =\r
+\r
+ * [http://www.ccil.org/ Chester County InterLink] - of ESR fame\r
+ * [http://greenbelt.com/giac/ Greenbelt Internet Access Cooperative] - Also offers basic hosting services.\r
+ * [http://www.rain.org/ RAIN] - old internet "charity" which offers internet access, basic hosting, and a variety of services\r
+ * [http://www.punk.net/ PunkNet] - former cooperative ISP, sort of transformed into a commercial hosting company?\r
+\r
+= Private hosting cooperatives =\r
+\r
+ * [http://www.beigetower.org/ Beige Tower] ([http://www.beigetower.org/forums forums])\r
+ * [http://hosting-cooperative.com/ hosting-cooperative.com]\r
+ * [http://www.hatters.org.uk/ Mad Hatters' Web Server Club]\r
+ * [http://mongers.org/ mongers.org]\r
+ * [http://www.ourshack.com/ OurShack]\r
+ * [http://www.projectcolo.org.uk/ Project Colo]\r
+\r
+= Public access UNIX systems =\r
+\r
+ * [http://arbornet.org/ Arbornet] - also claims to be the oldest public-access UNIX!\r
+ * [http://www.grex.org/ GREX] - one of the oldest free shells out there\r
+ * [https://www.hbx.us/ HBX Networks]\r
+ * [http://www.nyx.net/ Nyx.net]\r
+ * [http://www.xox.pl/ Xox.pl] - Polish\r
+ * [http://sdf.lonestar.org/ SDF]\r
+ * [http://www.rootshell.be Rootshell.be]\r
+ * [http://www.silenceisdefeat.org/ Silence is Defeat]\r
+\r
+= Other public access services =\r
+\r
+ * [http://www.onlinepolicy.org/ Online Policy Group] - deals with issues related to equality and access online, also provides hosting services to minority groups. affiliated with CCCP\r
+\r
+= Hosting providers with somewhat non-traditional feelings =\r
+\r
+ * [http://www.nearlyfreespeech.net/ NearlyFreeSpeech.net]\r
+ * [http://textdrive.com/ TextDrive]\r
+\r
+= Hosting providers FLOSS based =\r
+\r
+ * [http://www.blackcatnetworks.co.uk/ Black Cat Networks Ltd]\r
+ * [http://bytemark.co.uk/ Bytemark Computer Consulting Ltd.]\r
+\r
+= Community Colocation =\r
+\r
+ * [http://www.communitycolo.net/ California Community Colocation Project] (closed in Jan 2007)\r
+ * [http://www.chiccp.net/ Chicago Community Colocation Project]\r
+ * [http://lists.gotroot.com/mailman/listinfo/dcccp DC Community Colocation Project] (forming)\r
+ * [http://www.sfccp.net San Francisco Community Colocation Project] (opened Dec 2006)\r
+ * [http://seaccp.org/ Seattle Community Colocation Project]\r
+ * [http://tccp.ca/ Toronto Community Colocation Project]\r
+\r
+= Other random cooperatives of interest =\r
+ * [http://www.centretownlaundrycoop.ca/ Centretown Laundry Cooperative]\r
--- /dev/null
+DRAFT.\r
+\r
+= Prehistory =\r
+== Teen Programmers Unite! ==\r
+\r
+HCOOP traces its earliest roots back to a group of youths who frequented the[http://en.wikipedia.org/wiki/USENET USENET] newsgroup {{{rec.games.programmer}}}. On July 29, 1996, one Matthew Busigin made the following post:\r
+\r
+{{{\r
+Say, there are a bunch of us teen programmers! \r
+Why don't we get to gether and form a mailing list (i'll host it) \r
+We can share info, and maybe, heaven forbid, create a game (-: \r
+If you are interested in this indeavor, mail me. \r
+\r
+ Matthew (14)\r
+}}}\r
+\r
+In classic USENET style, the first response came from Fabio Bizzetti:\r
+\r
+{{{\r
+Get a life. \r
+\r
+Fabio (3). \r
+}}}\r
+\r
+From this inauspicious beginning and the flurry of responses that followed, both positive and negative, an association called Teen Programmers Unite was conceived. Over the course of its existence, TPU has consisted of various mailing lists, websites, and chat rooms with several thousand participants. A more detailed history of TPU can be found at [http://www.hprog.org/fhp/TpuHistory], and the current TPU website is still at [http://www.tpu.org/].\r
+\r
+TPU underwent a series of reinventions, and meantime many of its original members were no longer "teens." One long-time member and TPU webmaster, Adam Chlipala, began a number of other projects. Among these were the [http://www.devlocus.org/ Software Developer's Locus] and the [http://www.hprog.org/ Fellowship of Hobbyist Programmers].\r
+\r
+== The Internet Hosting Cooperative ==\r
+\r
+In 2002, a small group of TPU members, led by Adam Chlipala, joined together to purchase a server affectionately named ["Abulafia"] and hosted on the devlocus.org domain in an informal cost-sharing arrangement. As time went by and more people chipped in, Adam formed a larger goal of creating a nonprofit cooperative providing a wide range of hosting services. Abulafia was moved to the hcoop.net domain, and the group became known as "The Internet Hosting Cooperative." Membership grew, both from other former TPU members, by word of mouth, by IRC, and via the web. Various ideas for incorporating or otherwise filing for formal legal recognition were kicked about, but nothing much happened with regards to organization. Adam legally owned all the cooperative's assets and operated as the informal leader, frequently polling the membership for decision-making purposes. In the meantime, by January 2005, the cooperative grew to about 40 members, and Adam had automated many tasks with custom software written in SML.\r
+\r
+= HCOOP, Inc. =\r
+\r
+Finally, concerned about legal issues and the lack of progress on that front, Adam announced a freeze on new membership applications. At the same time Nathan Kennedy, who had joined in December 2004, volunteered to handle the incorporation process, with the result that in February 2005 HCOOP, Inc. was organized in Pennsylvania as a nonprofit corporation. The first board of directors was elected and held meetings. A second server has been leased and now new members are free to join.\r
+\r
+ Needs more on the role of various other members in helping set up hardware etc as well as prehistory.\r
--- /dev/null
+== How to log in to mire without typing your password ==\r
+\r
+Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu.\r
+\r
+\r
+Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing\r
+{{{\r
+ kinit fred@HCOOP.NET\r
+}}}\r
+\r
+Then type your password when prompted. Note that you MUST capitalize HCOOP.NET and you MUST NOT capitalize your user name. This is important.\r
+\r
+Next, make sure you have your tickets. To do this, type\r
+{{{\r
+ klist\r
+}}}\r
+You should see your tickets and their expiration dates.\r
+\r
+Last, type\r
+{{{\r
+ ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net\r
+}}}\r
+(GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.)\r
+\r
+If that doesn't work, add "`-vvv`" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up.\r
+\r
+If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts). Here's what AdamMegacz uses:\r
+\r
+{{{\r
+Host deleuze.hcoop.net\r
+ ForwardX11Trusted yes\r
+ GSSAPIAuthentication yes\r
+ GSSAPIDelegateCredentials yes\r
+ User megacz_admin\r
+Host mire.hcoop.net\r
+ ForwardX11Trusted yes\r
+ GSSAPIAuthentication yes\r
+ GSSAPIDelegateCredentials yes\r
+ User megacz_admin\r
+}}}\r
+\r
+== If it doesn't work ==\r
+\r
+See TroubleshootingKerberos\r
--- /dev/null
+= Payment Plan Proposals =\r
+\r
+Different ideas have been proposed about the best way to adjust member fees. This page will contain a summary of the plans that have been proposed. When adding or editing a plan here, remember that HCoop will have to 1) cover an increase in operating costs during our migration to a new infrastructure (although nearly all of the hardware that we need has been donated at this point) 2) figure out how to adjust costs on a longer-term basis once membership increases.\r
+\r
+With that, the proposals (in alphabetical order, please update if you change the names of the plans :) ):\r
+\r
+== Flat-Rate ==\r
+\r
+=== Description ===\r
+\r
+Each member pays the same amount every month. Feature sets and bandwidth allowances are basically what we can support given our software tools and what our colocation plan gives us. Member sites may be re-evaluated at any time if their bandwidth or disk usage increases dramatically, and the cooperative at that time could decide to either charge the member more for their higher utilization or subsidize the site with existing member dues and resources.\r
+\r
+This plan recognizes that some members may leave because of a temporary increase in the flat-rate price during our migration to a new infrastructure. For this reason, the plan can be modified for a short time to allow donations by some members to subsidize the dues of those who can't afford a higher flat-rate until the membership increases to allow the cooperative to once again be affordable for all of our members.\r
+\r
+In this plan, the membership rate would settle (post server-migration) to something that included a budget for concrete operating costs as well as a fund for repairs and upgrades.\r
+\r
+Although this plan would be rather expensive for a few months compared to commercial offerings, our quality of services should be higher because of the better-quality hardware and bandwidth that we will have access to. Additionally, we already offer a broader feature set than most commercial offerings and will continue this in our new infrastructure. Finally, it is felt that after prices settle, we could reduce our monthly costs to something that most members could accept, in the range of $5 - $8 per month, US. The exact rate that we settle on would be TBD at a later date and able to be revised later to reflect changing operating costs and estimated future expenditures.\r
+\r
+=== Pros and Cons ===\r
+\r
+ * Pro: all users have the full set of features that they may need to develop dynamic web sites from the beginning of their hosting services.\r
+ * Pro: allows the cooperative to either subsidize sites that benefit the internet community or which may draw desirable traffic to the cooperative.\r
+ * Pro: Avoids hierarchy and therefore elitist differentiation of user services.\r
+ * Pro: As our systems scale, we will have to worry less and less about what are already trivial differences between user system utilization. In our new infrastructure, it will only really be noticeable when one site is experiencing thousands of hits per hour more than the others on a sustained basis. This means that a flat-rate program would add simplicity and elegance to our offering.\r
+ * Con: Essentially regressive. Members with the least usage and potentially the least ability to pay subsidize members with above average, even grossly excessive usage. You could also argue that this point is not really a substantial critique of the flat-rate program, because a) the flat-rate program allows for re-evaluation of certain sites that may have "grossly excessive" usage (probably in the sustained, hundreds of hits per hour range) and b) only a very small percentage, if any, of our sites would ever fall into this range. So, it should be thought of not as lower usage members "subsidizing" the higher usage ones, but as a system where all members pool their resources for the best outcome for everyone. Remember that as we improve services, low utilization and high utilization members receive benefits in terms of increased reliability and responsiveness of systems.\r
+ * Con: Lowest usage members may leave for services that provide better value. This may not be a very strong "con", though, because we will offer several services that benefit low and high usage members. For example, a) our colocation at Peer 1, which is a top-tier provider on redundant internet connections, b) our user expertise and strong support community and c) the fact that we offer more flexibility than any commercial offering that I know of, along with the ability to host multiple domains on one account (this may be exclusive to high "usage" members) and d) The fact that we are working on providing truly redundant services, backups, and security, there are really few, if any, commercial offerings that would offer the same value that the cooperative will offer in the new infrastructure. So, even for those who have low usage, I think that it would be hard to find a better "value" elsewhere in terms of commercial offerings.\r
+ * Con: Some members simply cannot afford "flat rate" dues. This may be ameliorated by the fact that dues should drop to a low amount with increased members on the new infrastructure. It seems that $5 - $8 per member/month should be attainable in the near future. See and/or modify Brainstorming/Hybrid Plans for other ideas on how to get around this.\r
+\r
+== Tiered Pricing ==\r
+\r
+=== Description ===\r
+Akin to standard professional hosting services, multiple hosting "plans" are offered for a flat rate.\r
+\r
+Since we are a cooperative, these rates would be determined by the distribution of actual usage levels and tweaked as necessary. Rates could be set to enable some retained earnings for future investments or maintenance.\r
+\r
+A simple compromise alterative is to simply offer an opt-in plan for the lowest-usage members at a flat rate. This was discussed in NathanKennedy 's email on this subject on hcoop-discuss.\r
+\r
+=== Pros and Cons ===\r
+ * Pro: Predictable dues for members who cannot afford large payments and have minimal requirements.\r
+ * Pro: More "fair", in that members contribution is tied to their usage of HCoop resources.\r
+ * Con: It's not necessary at the moment because all of our hosted sites are very far from being "high volume" and adds unnecessary complexity and the need for stricter monitoring/policing of users.\r
+ * Con: It could deter users from joining when they want to start collaborative community sites (arguably exactly the kind a coop should support more than commercial offerings) because their rates would rise to something more than they could individually afford. The flat-rate plan might be more flexible in this case because it allows those in the coop to collectively decide what to do in the case that a real high-volume site wants to use our services.\r
+ * Con: A "tiered" system sounds hierarchical and therefore elitist, and the idea resonates too much with commercial offerings that those drawn to a cooperative may have ideological problems with.\r
+ * Con: It is "akin to standard professional hosting services", which is an already-full market niche that we shouldn't be trying to directly compete with (if we want to focus on competition at all, rather than internal cooperation, and cooperation with other similar organizations, to improve services).\r
+ * Con: Once we start dividing up our packages, will we have to start marketing our "different" packages (with really only superficial changes) to users? It seems that this may draw us into reproducing parts of our capitalistic culture that we wish to avoid.\r
+\r
+== Shares ==\r
+\r
+=== Description ===\r
+\r
+AdamChlipala suggests:\r
+\r
+We implement a "sliding scale" scheme based on giving each member the option to pay as if he were multiple members. That means that the cost for a single pseudo-member (and a single real member who elects not to use this feature) is decreased.\r
+\r
+It is my expectation that, in the short term, some of us will pledge rather large numbers of shares to help drive the minimum cost per member low enough to avoid losing current members and attract new members with limited budgets. However, in the long term, I hope that this feature can be tied informally to resource usage, where members "police" themselves and decide when it is fair to pay as multiple members. There would remain the option for those with plenty of disposable income to pledge greater amounts out of interest in the co-op, to decrease rates and make membership more attractive to the public.\r
+\r
+=== Pros and Cons ===\r
+ * Pro: Payment of higher amounts is voluntary.\r
+ * Pro: Compared to other schemes of temporary subsidization of people with low budgets, this scheme automatically lowers everyone's dues as new people join.\r
+ * Pro: We avoid the administrative overhead of monitoring which low-dues-paying members are using more resources than we had agreed that they are allowed.\r
+ * Pro: May be a good way to supplement the short-term access to resources that we need for our move because of insufficient foresight to plan for upgrades.\r
+ * Con: Payment of higher amounts is voluntary, creates the idea that HCoop is a charity and turns dues into donations.\r
+ * Con: More generous members subsidize less generous members, without respect to actual utilization. Willingness to pay may not correspond meaningfully to ability to pay.\r
+ * Con: Members must "police" themselves to pay based on their own usage, which may deter some from setting up collaborative web sites that commonly use more resources unless they have deep pockets.\r
+ * Con: It is essentially more individualistic than cooperative, since members are paying for their own usage rather than thinking about the collective that they belong to.\r
+ * It's been said before that paying according to resources you consume is in no way "anti-cooperative." --AdamChlipala\r
+ * Con: The notion of "shares" is inherently tied to the evolution of capitalism and reflects the structure of modern institutions (i.e., for-profit corporations) that some members may wish to distance themselves from.\r
+ * This seems to be an objectively irrelevant issue of terminology, and you'll notice that I've used different terminology on the experimental portal page. --AdamChlipala\r
+\r
+== Brainstorming/Hybrid Plans ==\r
+\r
+1. '''Temporary "shares" with long-term modified flat-rate structure''': The "shares" idea is cool and should get us through the short term until membership numbers increase. In addition, it may be helpful for "fund" drives in the future. But some have raised criticisms (see "cons" above) about this in the long term, and we can always accomodate users who want to donate more through individual donations. For this reason, we would use the "shares" program in the transitional period, and switch to a "modified flat-rate" program when our membership increases to sustainable levels. \r
+\r
+This long-term schema would be ''primarily'' based on a flat-rate plan for most members. Because it is unlikely that more than a few members would have "extraordinarily high" usage (remember that with the new infrastructure this would mean that they're serving out thousands of requests per day on a sustained basis), we would offer a very reasonable base package for all members that includes a budget for repairs and upgrades. The part of the "tiered" program that we would adopt would be that all sites are able to be reviewed by any member at any time (we all have access to traffic/disk usage graphs and statistics), and the Cooperative will collaboratively decide if and when we need to ask for more resources from users hosting an extremely high-volume site.\r
+ \r
+This also allows us the flexibility of not setting an arbitrary boundary on certain resources and setting prices based on these boundaries, as these available resources are always going to change depending on the site in question and our network organization. Finally, this plan allows us the freedom to choose which sites we subsidize/support more than others based on our members' collective decisions (very likely taking into consideration the content and purpose of the site in question). Because of this, it should encourage collaboration among members instead of policing (either self-policing or policing of other members), and increase the communal nature of HCoop as a whole.\r
+\r
+2. '''Unnamed plan 1''': If we did need to offer a plan for a very low-volume site on an extremely tight budget ($3 - $5 per month), maybe we could just limit the user to the ability to host one zone on our servers per user account. This could be compromising between the "tiered" plan by allowing space for very low-budget users, while continuing to have the normal plan that supports multiple zones. These sites would also be able to be reviewed periodically for "extroardinarily high" usage which we could then charge them for if absolutely necessary, again, unless the coop wished to subsidize services. Perhaps we could call this an "introductory" hosting plan?\r
+ * If by "Zone" you mean domain name, I think this is a bad idea. You were against tiered plans in the first place because you thought they were "uncooperative" and placed arbitrary limitations on particular members. Unlike bandwidth and disk space, DNS hosting essentially costs us nothing and uses almost no resources especially on low-bandwidth sites. Let's cap resources that are limited, not those that are unlimited. --NathanKennedy\r
--- /dev/null
+= PowerEdge 2850 =\r
+\r
+HCoop has a Dell PowerEdge 2850 to use as it's new primary server. Specifications are detailed on the page HardwareDonations. There are certain steps that we still have to take before deploying, which are outlined on this page.\r
+\r
+== Equipment Needed ==\r
+\r
+ * DRAC 4 device for remote management, [http://cgi.ebay.com/Dell-DRAC-4-I-Remote-Access-Card-4th-Gen-FC955-DRAC-IV_W0QQitemZ190003054921QQihZ009QQcategoryZ71510QQssPageNameZWDVWQQrdZ1QQcmdZViewItem here] is one that is on auction at ebay.\r
+ * We could put up to 12 GB of memory in the machine with 2 GB modules, but the 4 GB that we currently have is sufficient for the moment.\r
+\r
+== Configuration Steps ==\r
+\r
+We need to decide on partitioning. Fyodor's model seems to have worked out well, let's put a new partition schema here which JustinLeitgeb will implement.\r
+\r
+We also need to decide on filesystem tuning. I think that the stripe size in the RAID arrays should match the ext3 filesystem block size, but am not entirely sure. Ideas here?\r
+\r
+We need to do final disk benchmarking and load testing, perhaps using log files from fyodor as the test cases. These can be run on a workstation on the same network as the PowerEdge while it is being configured.\r
+\r
+Final OS, mail agent configurations, then bring data from fyodor (to be rsynch'ed one last time when the PowerEdge is online at he.net), and mail it off to CA.\r
+\r
+== Questions ==\r
+\r
+ * What is the best way to access the DRAC, given our power constraints, etc? Should we get one at all?\r
+\r
+ * What is the best filesystem and RAID stripe size for performance on our different RAID sets?\r
+\r
+ * What else can we take care of before sending this server to he.net?\r
+\r
+== Resources ==\r
+\r
+There are lots of resources for configuring PowerEdge servers online.\r
+\r
+ * [http://linux.dell.com] has resources for linux on Dell\r
+ * [http://www.dell.com/content/topics/global.aspx/solutions/en/openmanage_papers] has papers on using openmanage to manage Dell servers. Includes a white paper on installing an OS remotely with a DRAC.\r
--- /dev/null
+= Previously Considered Colocation Providers =\r
+\r
+The list below contains hosting providers that Hcoop, Inc. has decided are not suitable matches for our organization, along with reasons that they are no longer being considered. If you are looking for the colocation providers that we are currently considering, please see ColocationProvidersEvaluation.\r
+\r
+== Monkey Brains ==\r
+\r
+[http://www.monkeybrains.net/ Monkey Brains]\r
+\r
+This is a one-man shop renting cabinets from a real datacenter. I don't think this guy is capable of providing the support we need. Very disturbing FAQ line:\r
+\r
+ '''Is there a hidden bandwidth limit?'''\r
+\r
+ ''I haven't had any 'heavy' users, so the limits have yet to be tested.''\r
+\r
+In other words, he's not much bigger than we want to be, soon. --NathanKennedy\r
+\r
+== GAIA Host ==\r
+\r
+[http://www.gaiahost.coop/] \r
+\r
+GAIA contacted us after receiving the quote request, but it has taken them more than a week to give us a follow-up quote. So far, they are the only provider in the list who is willing to sell us hardware. However, it seems that they would be putting it in a data center like one of the larger providers that are being considered below, such as He.net or Peer 1. \r
+\r
+ Did they ever give a followup quote? They obviously have to give us a better deal on bandwidth than offered on their website, otherwise they cannot be considered. If they can offer us good value, I think we should consider giving them a chance for at least an intermediate expansion, but if they are charging too much or simply too flaky as they have seemed in the past, then they can't be in the running. NathanKennedy\r
+\r
+ On April 22, 2006 I still have not received a followup quote. I also don't know where their facilities are located... I am guessing something less impressive that he.net or Peer 1's data centers. If this is the case I would think that our members could save time and money by doing the legwork of server installation and dealing with the colocation providers ourselves, rather than going through GAIA. Of course, it is always nice to do work with other cooperatives if we have a sound reason to do so. JustinLeitgeb\r
+\r
+\r
+== InReach ==\r
+\r
+[http://www.inreach.com/]\r
+\r
+Didn't receive reply to first email sent on 4/8/2006 to sales@inreach.com, sent second email on 4/17/2006 with our form quote request.\r
+\r
+Update: email to sales@inreach.com could not be sent for more than 4 hours, seems like an internal error on inreach's network. Since these signs don't bode well for future service, I will put them on the inactive list unless I receive a compelling quote in the next few days. Still no response by 4/22/2006.\r
+\r
+== Riseup.net, Seattle CCP, etc. ==\r
+\r
+No longer considered after NathanKennedy contacted them, see other threads for more info.\r
+\r
+== Simpli ==\r
+\r
+[http://www.simpli.biz/]\r
+\r
+Didn't receive reply to first email sent on 4/8/2006 to sales@simpli.biz, sent second email on 4/17/2006 with our form quote request. No response by 4/22/2006.\r
--- /dev/null
+here's the final procedure you should follow\r
+(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):\r
+\r
+\r
+1. create local user SERVICE in /etc/passwd:\r
+\r
+ (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .))\r
+\r
+2. create Kerberos principal:\r
+{{{\r
+kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"\r
+}}}\r
+\r
+3. export user's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:\r
+{{{\r
+kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"\r
+chown SERVICE:wheel /etc/keytabs/SERVICE.HOST\r
+chmod 440 /etc/keytabs/SERVICE.HOST\r
+}}}\r
+\r
+4. create OpenAFS user SERVICE.HOST\r
+ (You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files).\r
+{{{\r
+ pts cu SERVICE.HOST.hcoop.net\r
+}}}\r
+\r
+5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:\r
+{{{\r
+pts cg SERVICE\r
+pts ad SERVICE.HOST SERVICE\r
+}}}\r
+\r
+6. modify service's init script in /etc/init.d/ in the following way:\r
+\r
+ * Change shell at the top of script to "#!/usr/bin/pagsh.openafs"\r
+\r
+ * Change start-stop-daemon invocation in action 'start':\r
+{{{\r
+start-stop-daemon --start --pidfile $PIDFILE \\r
+ -c SERVICE:SERVICE \\r
+ --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \\r
+ -K 300 -t -p $PIDFILE \\r
+ <The original start command>\r
+}}}\r
+\r
+ * Or if the service does not use start-stop-daemon itself, you still use it in\r
+ action 'start' to run k5start on a line before <The original start command>\r
+ and later in 'stop' to close it:\r
+\r
+ * (start):\r
+{{{\r
+start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \\r
+ -c SERVICE:SERVICE \\r
+ --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \\r
+ -f /etc/keytabs/SERVICE.`hostname`\r
+sleep 2\r
+}}}\r
+ * (stop):\r
+{{{\r
+start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid\r
+rm -f /var/run/SERVICE/k5start-SERVICE.pid\r
+}}}\r
+\r
+7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE").\r
--- /dev/null
+This page has a sample {{{.procmail.d/procmailrc}}} file with comments. You\r
+can use either a {{{.procmail.d/procmailrc}}} file or a {{{.forward}}} file,\r
+but not both.\r
+\r
+= Which should I use? =\r
+\r
+If you simply want to send mail to another email address, using a\r
+{{{.forward}}} file is your best bet.\r
+\r
+If you want to exercise control over your email by splitting it into\r
+various mailboxes or (in our case) IMAP folders based on custom\r
+criteria using the power of regexps, perhaps a {{{.procmail.d/procmailrc}}} file\r
+would be best for you.\r
+\r
+= What does this file do? =\r
+\r
+ * Separates mail into different folders based on who it is from or who it is addressed to.\r
+ * If an email message did not get checked by the central spamassassin daemon, make sure it gets checked. It calls the client program instead of starting another spamassassin process. Most messages have already been checked -- these we don't touch. Occasionally spamassassin misses checking a message or two, somehow.\r
+\r
+= What does this file not do? =\r
+\r
+ * Force spam checking with a custom set of rules. The admins '''do not''' recommend checking spam with custom rules, since it causes spamassassin to be invoked twice for each message.\r
+ * This file can be split into smaller task-based files, but this is not done in the example.\r
+\r
+= Notes for Beta Testers on Peer 1 Infrastructure =\r
+\r
+If you are beta testing an account on the new Peer 1 infrastructure (you should know who you are), the default procmail file location has changed. You should have a directory under your home AFS directory called .procmail.d. In this directory, procmail will look for a file called procmailrc. Create this and you should be all set. Note the new AFS file locations in the example files below, and look at mwolson's and leitgebj's procmail configuration in their home directories for more examples.\r
+\r
+\r
+= Example file =\r
+\r
+{{{\r
+# Example procmailrc filters\r
+#\r
+# We use a maildir here at hcoop.net\r
+MAILDIR=$HOME/Maildir\r
+DEFAULT=$MAILDIR/\r
+\r
+# If you want to keep track of where mail has been delivered,\r
+# uncomment this. If enabled, be sure to trim this file once\r
+# in a while (using cron is one way), because otherwise it can\r
+# grow quite large. It is strongly recommended to use the\r
+# path given here, so that the logs gets placed in a writable\r
+# location.\r
+#LOGFILE=$HOME/.logs/mail/procmail.log\r
+\r
+# See the manpages `procmailrc' and `procmailex' for explanations\r
+# of the syntax involved.\r
+\r
+# The following 2 rules come before the spam rules because we\r
+# want to make sure that email from these people get through.\r
+# It's a form of whitelisting.\r
+\r
+# Stuff from the family\r
+:0\r
+* ^From.*(familymember1@msn|familymember2@yahoo)\r
+.Family/\r
+\r
+# Work-related\r
+:0\r
+* ^From.*person@somecollege\r
+.Work/\r
+\r
+# If mail hasn't been put through spamassassin, do so now\r
+:0 fW\r
+* !^X-Spam-Level:\r
+| spamc\r
+\r
+# All mail tagged as spam (eg. with a score higher than the set\r
+# threshold) is definitely spam.\r
+:0\r
+* ^X-Spam-Status: Yes\r
+.Spam.Definitely/\r
+\r
+# If it scores 3 or better, it's probably spam.\r
+:0\r
+* ^X-Spam-Level: \*\*\*\r
+.Spam.Probably/\r
+\r
+# The Debian Bug-Tracking System forwards me a copy of each bug report\r
+# I send in. Since I don't already have a copy of this report, put it\r
+# in my Sent box.\r
+:0\r
+* ^From:.*me@hcoop\.net\r
+* ^To:.*submit@bugs\.debian\.org\r
+.Sent/\r
+\r
+# Local mail (error messages and the like)\r
+:0\r
+* ^(To:|From).*local\.domain\.org\r
+.Local/\r
+\r
+# Vending stuff\r
+:0\r
+* ^To:.*me(\+|_)vending@domain\.org\r
+.Vending/\r
+\r
+# School-related\r
+:0\r
+* ^To:.*me\+school@domain\.org\r
+.School/\r
+\r
+# Crap sent to all students\r
+:0\r
+* ^(To|Cc):.*[Rr]-[Uu]sers_\r
+.Spam.Ignore/\r
+\r
+# Bug reports\r
+:0\r
+* ^(From|To|C[c]):.*(bugs\.debian\.org|bugzilla\.)\r
+.Bugs/\r
+\r
+# LifeReader mailing list\r
+:0\r
+* ^(From|To|C[c]):.*liferea-devel@lists\r
+.Lists.LifeRea/\r
+\r
+# Neki_Fujiyama (Samurai Pizza Cats) list\r
+:0\r
+* ^(From|To|C[c]):.*[Nn]eko_[Ff]ujiyama@yahoogroups\r
+.Lists.Neko_Fujiyama/\r
+\r
+# Hcoop mailing list\r
+:0\r
+* ^To:.*users@hcoop\r
+.Lists.HCoop/\r
+\r
+# InfoWorld newsletters\r
+:0\r
+* ^From.*@newsletter\.infoworld\r
+.Lists/\r
+\r
+# Other lists\r
+:0\r
+* ^(From|To|C[c]):.*(@lists\.|@yahoogroups)\r
+.Lists/\r
+\r
+# Anything I've sent should go to Test\r
+:0\r
+* ^From:.*(mwolson@|@mwolson\.org)\r
+.Test/\r
+}}}\r
+\r
+= Another Example =\r
+\r
+I based my .procmailrc on the file above. However, I don't trust my procmail coding skills, so I had procmail create a log file of the messages that it receives, as well as a backup copy of each message for testing purposes. I also decided that the "Sender:" field is the best one to use for the lists that I receive, so I filter on this field. I took code in my .procmailrc from the "procmailex" man page, which I highly recommend.\r
+\r
+I created the directory "log" in my home directory for the log file before putting the .procmailrc in place. I also created the folders to which mail would be filtered in thunderbird, although I'm not absolutely sure if this step is necessary.\r
+\r
+Note that you should probably comment out the "backup" section once you're sure that your code works in order to save space. You will also have to rotate or truncate the procmail log file manually, or write a script for cron to use.\r
+\r
+{{{## JustinLeitgeb .procmailrc\r
+## Modified Sun Apr 15 01:41:34 EDT 2007\r
+\r
+# We use a maildir here at hcoop.net\r
+MAILDIR=$HOME/Maildir\r
+DEFAULT=$MAILDIR/\r
+\r
+# Create a log file\r
+LOGFILE=$HOME/.logs/mail/procmail.log\r
+\r
+# Make a backup of all mail that we'll wipe out when we're sure that \r
+# filtering is working correctly.\r
+:0 c \r
+.backup/\r
+\r
+## Filter all of the mailing lists that we get into different\r
+## folders.\r
+\r
+# CFP (call for papers) list\r
+:0\r
+* ^Sender.*owner-cfp@lists.sas.upenn.edu\r
+.lists.CFP/\r
+\r
+# plone-users\r
+:0\r
+* ^Sender.*plone-users-bounces@lists.sourceforge.net\r
+.lists.plone-users/\r
+\r
+# nflug\r
+:0\r
+* ^Sender.*nflug-bounces@nflug.org\r
+.lists.nflug/}}}\r
--- /dev/null
+= Letter to prospective service providers =\r
+\r
+This page contains the newest version of the letter that we will send to prospective hosting providers, as well as older versions and discusion about the letter we will send. Read the section marked '''Newest version''' to see the text that we are (almost) ready to send to potential colo providers, pending approval from the broader member base of Hcoop, Inc., or sections below that if you are curious.\r
+\r
+== Newest version of letter to prospective colocation providers, fresh out of the oven ==\r
+\r
+To whom it may concern:\r
+\r
+Our Internet hosting cooperative [http://hcoop.net/ HCoop, Inc.] is looking to colocate some servers. Could you give us a price quote on a package that would include all of the following? We are a registered non-profit corporation, so we'd love to hear about any discounts that you extend to non-profits.\r
+\r
+ * Qty. 2 web servers (perhaps 1U), each with:\r
+ * RAID 1\r
+ * About 73 GB of HD space\r
+ * Minimum 1 GB RAM\r
+ * Qty. 1 fileserver (perhaps 2U) with:\r
+ * Hardware RAID 5 (SATA RAID would be acceptable)\r
+ * 4 x 400 GB or 500 GB disks\r
+ * Serial console that can connect to any of our servers\r
+ * Hardware firewall, along with a LAN-like arrangement among our servers\r
+ * We want a comprehensive file back-up set-up. We can handle most of this ourselves using the fileserver we want to include, but we will also need less frequent back-ups of all of our data to locations that couldn't be compromised without physical access, even if an attacker managed to get root access on any of our servers. We're hoping that you can provide such an off-site back-up service.\r
+\r
+We're interested in owning the servers that we host, and we'd also like some kind of hardware support contract, where as part of the package you would fix/replace hardware that failed. We're open to the possibility of buying the hardware through you to make this more feasible. Also, we're flexible on many of the details of our plans, so suggestions based on what you've known to work well in your environment are much appreciated.\r
+\r
+Finally, if you do not sell hardware directly with a support contract, we're interested in your "remote hands" rate, as well as the range of hardware that you would be willing to support.\r
+\r
+Thanks!\r
+\r
+Justin S. Leitgeb\r
+\r
+HCoop, Inc. Representative\r
+\r
+\r
+== Older (deprecated) letter versions and discussion for the curious ==\r
+\r
+'''In general, I think this sounds too corporate-ese for my tastes; too many information-free but bulky phrases like "please advise us," and a lack of getting to the point in describing exactly what it is we want to buy. There are also some cases where you list a number of options of how they might handle a particular need of ours where I think it would be more appropriate to stay more high-level about our requirements and let ''them'' tell ''us'' what they offer or suggest. As far as factual differences from my initial draft, I only see the estimate of total rack space utilization. Did you write this new version because you had problems with the style of the original? --AdamChlipala'''\r
+\r
+[Adam, this really isn't that important to me, so if you want to send out the original that you wrote, it's fine. It was a well-worded and concise letter and I'm sure that it would do the job. I was just trying to help out by updating the draft. I think that our different versions were somewhat due to our notion of the intended audience to which we were writing. I couldn't imagine that someone who could think architecturally would be receiving our email; rather I assumed a business person who might understand different "packages" would see it and try to plug available offerings into that framework. That is how I wrote my email without mention of web servers and file servers, etc. Based on my experience, colo providers don't sell hardware anyway (of course, I'm sure there are exceptions), so I reduced the bulleted section in your message to a couple of paragraphs describing how our needs would translate to the three things that colo providers will offer -- rack space, bandwidth and on-site support. Finally, I wanted to figure out how they could support our backup needs. For me, this translated to something that is off-line, so I included that exact phrase. This is because many colo providers might just rsync our data to another server and call that a "backup". I wanted to be specific that our data security needs required something off-line (usually requiring tape), and that shortcuts weren't acceptable -- even an rsync to another network is still susceptible to a major attack, and a hacker who gains root to our system will surely see the connections being made to the backup server.\r
+\r
+At any rate, we're both trying to accomplish the same thing... we need to move towards another site and a new architecture, so anything that goes in that direction is great progress. Let's send out the original text that you wrote. I'll volunteer myself to put together a spreadsheet weighing the pros and cons of the different providers, and will update the wiki with responses from each as we receive them so that we can vote on a colo provider and figure out the specifics of server hardware and configuration based on our collective decision. --JustinLeitgeb]\r
+\r
+[I strongly prefer talking to technically-minded people about our options here. I would hope that any colo provider worth its name would have people answering e-mail who at least know how to forward an e-mail like the one I suggested originally to someone who understands it. Perhaps we want anyway to avoid huge faceless providers that wouldn't extend us this courtesy.\r
+\r
+I've made some small edits to my original below, and I'm up for considering it the official version to send. --AdamChlipala]\r
+\r
+== Older draft #2 ==\r
+\r
+To Whom It May Concern:\r
+\r
+Our Internet hosting cooperative, [http://hcoop.net/ HCoop, Inc.], is looking to colocate new servers and networking equipment. Currently, we are looking to colocate three servers, a switch (unless your facility provides fast ethernet connections with your racks), and a hardware firewall. We estimate that our space needs will be approximately 7U initially, with room to expand as our needs grow in the future. Could you please send us quotes for the following based on your current pricing:\r
+\r
+ * Between 5 - 8U of rack utilization\r
+ * Internet bandwidth in the ranges that you support, along with overage charges that may apply\r
+\r
+Additionally, we will need some support for our servers and networking equipment in the event that they become unavailable to remote connections. Please advise us on the level of hands-on support that you are able to provide, along with your current service rates or contracts that you may have available. If you sell specific hardware that accompanies this local support, we would appreciate hearing about specific server configurations and network equipment that you sell to colocation customers.\r
+\r
+Finally, we are interested in any information on backup services that you may provide in your facility. Specifically, we will need to have periodic back-ups to a location that is secure in the event of a system attack. Please advise us as to if you have centralized, off-line backups on your own network, if you would be able to provide tape rotation services from our machines, or if you currently use another method for helping your customers to achieve this level of data security.\r
+\r
+Thank you for your time. We are looking forward to reviewing your response and the possibility of forming an ongoing relationship with your organization.\r
+\r
+XXX some member of hcoop\r
+\r
+HCoop.net Representative\r
+\r
+\r
+== Older draft #1 ==\r
+\r
+To whom it may concern:\r
+\r
+Our Internet hosting cooperative, [http://hcoop.net/ HCoop, Inc.], is looking to colocate new servers and networking equipment. Currently, we are looking to colocate three servers, a switch (unless your facility provides fast ethernet connections with your racks), and a hardware firewall. We estimate that our space needs will be approximately 7U initially, with room to expand as our needs grow in the future. Could you please send us quotes for the following based on your current pricing:\r
+\r
+'''Probably include serial console in the list of hardware. --AdamChlipala'''\r
+\r
+'''What model or type of serial console are you thinking about? I don't know much about these devices, and looking on google I didn't see anything... are we sure that we need this, or can we just depend on the colo provider to bail us out if something gets really screwed up? Basically what are we looking for - a device that routes the RS232 interface over TCP/IP so that we can see it remotely? --JustinLeitgeb'''\r
+\r
+\r
+ * Between 5 - 8U of rack utilization\r
+\r
+'''Question: How do you see these 7U being used? I was expecting more like 4U for servers and no more than 1U for all other equipment. --AdamChlipala'''\r
+\r
+'''I was thinking about 2 x 1U servers, plus 1 x 2U fileserver, plus 1 x 1U ethernet switch, plus 1 x 1U firewall. Then I added one to bring us to 7U because this seems to be a common offering, e.g., [http://www.he.net/ he.net] gives 7U standard with their base plan -- JustinLeitgeb'''\r
+\r
+ * Internet bandwidth in the ranges that you support, along with overage charges that may apply\r
+\r
+Additionally, we may be interested in purchasing our new hardware through your company, if you sell hardware that you would be able to support. If this is the case, we would appreciate information on different server configurations that you offer, as well as pricing for networking equipment, such as switches and firewalls that you frequently use in your environment. ('''Being more specific about the kind of hardware support we're looking for couldn't hurt. --AdamChlipala''')\r
+\r
+'''What kind of support are we looking for? Feel free to edit the text ;) -- JustinLeitgeb'''\r
+\r
+Otherwise, if you only offer "remote hands" services, we would be interested in hearing about your hourly rates, as well as the range of hardware that you are able to support. In the case that we do need technical support for hardware, how soon are you able to respond to requests? \r
+\r
+Finally, we are interested in any information on backup services that you may provide in your facility. We want a comprehensive file back-up set-up. We can handle most of this ourselves using the fileserver we want to include, but we will also need less frequent back-ups of all of our data to locations that couldn't be compromised without physical access, even if an attacker managed to get root access on any of our servers. We're hoping that you can provide such an off-site back-up service. \r
+\r
+Thank you for your time. We are looking forward to looking over any information that you are able to send us.\r
+\r
+XXX some member of hcoop\r
+\r
+HCoop.net Representative\r
+\r
+\r
+== Other comments about our quote request ==\r
+\r
+[JustinLeitgeb -- Remember that the 4 x 500 GB drives on the fileserver are SATA, so they should be cheap. I was thinking about 3 active plus one hot-spare to increase redundancy in a critical part of our infrastructure. Remember that if we started with RAID 1 we would have to delete all data with a 3Ware escalade card to go to a different RAID type such as RAID 5. Perhaps we could consider adding another RAID 1 set later, though... ideas welcome! Also, I wrote a second draft below, which would give us an overview of basic rates, along with a request for information on hardware pricing if available.\r
+\r
+AdamChlipala -- I still think that 500 GB of storage space is an overestimate for the near future, but I guess we'll see what price we can get.]\r
+\r
+[JustinLeitgeb -- Actually since we had these 3 drives in a RAID 5 configuration, it would have given us 1 Terabyte of storage. We could trim it back to something in RAID 1. SATA RAID 1 would cost about $900 or so to give us 500 GB of available space, based on current costs of 3Ware Escalade controllers and disks, or maybe about $1200 total to buy us the next controller in the Escalade series which has more available ports to add another RAID 1 array later. Or we can spend about the same amount and get less space, but with all SCSI components, which are better tested. I could see benefits and disadvantages to all of these scenarios.]\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page attempts to answer frequently-asked questions by prospective members.\r
+\r
+[[TableOfContents()]]\r
+\r
+= The Most Important Question =\r
+\r
+== Q: Can I do <something> with an HCoop membership? ==\r
+\r
+A: The answer is more or less a qualified "yes" for anything! We have no fixed technical structure. Everything is decided democratically by the members through their equal voting power. As long as there are enough members willing to share the added cost of the new service that you propose, we can make it happen. In some of the answers below, we address particular common requests that we've already taken the time to set ourselves up to handle, but the sky's the limit.\r
+\r
+= Meta =\r
+\r
+== Q: Can I edit this wiki before joining? ==\r
+\r
+A: Yes!\r
+\r
+== Q: Can I use an HCoop account for commercial purposes? ==\r
+\r
+A: Yes! Owners of sole proprietorships can join and use HCoop for their small business just like any other member. For partnerships, LLCs, corporations and such, the terms would depend on the intended usage of HCoop. If all you need is one shell with websites and email aliases for your domains, then your business can probably join as a single member on the same terms.\r
+\r
+== Q: How does HCoop exist legally? What makes it likely that HCoop will be around a few years down the road, and what prevents the arbitrary whims of the founders or admins from messing it up? ==\r
+\r
+We're a registered Pennsylvania (USA) non-profit corporation with HcoopBylaws that put complete control and ownership of the co-op in the hands of the members. Each member has an equal vote on issues like electing the board of directors. The board makes all of the day-to-day decisions that control how the co-op works socially and technically.\r
+\r
+HCoop is also recognized by the IRS as a 501(c)(12) tax-exempt cooperative, and thus is not liable for any federal income tax.\r
+\r
+== Q: How can I get answers to questions not covered here? ==\r
+\r
+Come to our IrcChannel, [irc://irc.freenode.net/#hcoop #hcoop] on [http://freenode.net/ Freenode]!\r
+\r
+= Payment =\r
+\r
+== Q: How much does membership cost? ==\r
+\r
+This is addressed on [http://hcoop.net/ our front page], but here's some additional anecdotal information: At the moment, each member pays about $3/mo., with no "plans" distinguishing what different members may do. We are planning an expansion under the criterion that we can offer full membership for $5/mo., with a "sliding scale" plan or some similar way of letting members who value our services more contribute more and keep costs low for others.\r
+\r
+== Q: What are the entire co-op's monthly expenses? ==\r
+\r
+We currently pay around $200/mo. for all services, and that amount should rise to around $800/mo. after our planned expansion.\r
+\r
+== Q: How much does it cost to pay with PayPal? ==\r
+\r
+See [http://www.paypal.com/cgi-bin/webscr?cmd=_display-fees-outside their fees information]. We have a business account.\r
+\r
+== Q: I've heard that PayPal sometimes does nasty things like closing accounts without refunding their balances. Since you use PayPal as the primary dues payment method, could something like this happen to bankrupt HCoop? ==\r
+\r
+No, several times a month we transfer our Pay``Pal balance to a Wells Fargo bank account in the name of our corporation. It's from that account that we pay our providers.\r
+\r
+== Q: Are payments or contributions to HCoop tax-deductible? ==\r
+\r
+No. While HCoop is tax-exempt, it is not a charity or other 501(c)(3) organization. Neither dues nor donations to HCoop are deductible for United States federal income tax purposes. HCoop cannot advise you as to tax obligations in your jurisdiction, but it is unlikely that such dues or contributions are deductible for any purpose.\r
+\r
+== Q: Is there any kind of additional "security deposit" required to join? ==\r
+\r
+We require that every member's balance with us (that is, the amount of money you've paid in total minus the total amount that you've been charged so far) stay above $10. You can think of this as a requirement for a $10 "security deposit." The main reason behind this is that it sometimes takes a while to prod someone into paying when he has forgotten about it, and we don't want to find ourselves unable to meet the co-op's financial obligations during that period.\r
+\r
+Most members prepay at least $20 when joining, and initial payments at the $50 level or higher are not uncommon. Irrespective of the minimum balance requirement, it's in your interest to pay at much at once as you're comfortable paying, since Pay``Pal has a per-transaction fee that makes this cheaper for you.\r
+\r
+= Basic Procedures =\r
+\r
+== Q: What are the basic ideas behind how I create and maintain Internet sites with an HCoop account? ==\r
+\r
+We've developed a suite of custom command-line and web-based tools for managing everything. See DomTool for one of these and our WelcomePage for links to all of the documentation related to our infrastructure.\r
+\r
+== Q: Who performs system administration? Do I have to worry about the consequences of some willy-nilly scheme for granting folks root access? ==\r
+\r
+Our board of directors appoints sysadmins from among the member base. We aim to have about 3 sysadmins appointed at a given time. These are the only people with "root access."\r
+\r
+== Q: How do I get in touch with them? ==\r
+\r
+As part of our member portal, we have a "support ticket" system like you'll find at most commercial hosting providers. There are also special systems for "semantically rich" requests for things like installation of Debian packages or permissions to configure particular domains. Members never contact admins directly, but rather interact with them through these web-based tools. We tend to have fast enough response times to requests for members to remark on them favorably.\r
+\r
+== Q: You describe the co-op as an umbrella organization for supporting whatever kinds of hosting the members want. How do new services come into being in practice? ==\r
+\r
+New services are born by majority vote of the board of directors. We always try to have an open discussion on our mailing list of each new proposal before voting on it. The directors and the members will try take into account only the real monetary and volunteer-time costs of a new idea in evaluating it. However, it doesn't seem worthwhile to codify a more specific process than this. Your votes for the board of directors are largely votes based on what informal decision making processes you expect candidate directors to apply.\r
+\r
+= Hardware =\r
+\r
+== Q: What are your hardware specs? ==\r
+\r
+See HardwareSpecs.\r
+\r
+== Q: Do you offer colocation or anything else beyond "shared hosting"? ==\r
+\r
+Not at the moment, but we provide the structure for members to decide on new services and implement them, so let us know if you would be interested in purchasing such a service through the co-op, and it can happen with enough people registering interest.\r
+\r
+= Domains =\r
+\r
+== Q: Can I use multiple domain names that I own with an HCoop account? ==\r
+\r
+A: Yes, and we even have our own software called DomTool to let you do so without superuser intervention.\r
+\r
+== Q: Do you do back-up MX and secondary DNS hosting for domains primarily hosted elsewhere? ==\r
+\r
+Yes; see DomTool.\r
+\r
+= Web =\r
+\r
+== Q: Can I use mod_python, Zope, mod_perl, etc.? ==\r
+\r
+Yes, you can use these customized web server modules or web servers, but you will probably need to run your own web daemon to do it. Most of these are not designed to work in an environment like ours, where resources are shared by mutually untrusting users; as a result, they run all scripts as the same user, which would let others trample your data, either intentionally or through negligence. We '''do''' support running your own daemons and proxying from our main Apache, though, so no worries!\r
+\r
+= E-mail =\r
+\r
+== Q: Can I do fancy things with e-mail sent to my mailbox on HCoop, like both saving it on your server and forwarding it elsewhere? ==\r
+\r
+Yes, members can use [http://www.exim.org/exim-html-4.66/doc/html/filter.html Exim filters] to do this and more.\r
+\r
+= Customization =\r
+\r
+== Q: Can I compile binaries myself? ==\r
+\r
+A: Yes. You can install your own compilers, and we'll install system-wide most any compiler that's found in Debian testing.\r
+\r
+== Q: Can I run my own daemons? ==\r
+\r
+A: Yes, though whether or not this is feasible in terms of resource use depends on the kind of server.\r
--- /dev/null
+= Rack Mounting Equipment =\r
+\r
+We will need rack mounting equipment that matches the racks at our colo facility. Below are some notes on Dell rail kits:\r
+\r
+== About DELL Rail Kits: ==\r
+\r
+DELL has three styles of rail kits for more options when mounting your DELL\r
+server into a rack. All rail kits will ONLY work with DELL servers and will\r
+not work with any other brand of server and will not work on generic\r
+servers. If you have a server that is not made by DELL, contact the server's\r
+manufacturer for help with installation in a rack.\r
+\r
+=== RAPID RAILS ===\r
+Rapid Rails are for use with DELL Cabinet racks these are also referred to\r
+as "quick connect" rail kits. They employ square tab-style connectors to\r
+install in the rack. These rails can be used with other standard 19" four\r
+post cabinet racks with standard square mounting holes.\r
+\r
+=== VERSA RAILS: ===\r
+Versa Rails are for use with 19" four post cabinets not manufactured by DELL\r
+employing round/threaded holes and screws to mount in the rack. These rails\r
+can also be used with a DELL rack if the RAPID RAILS are not available,\r
+however they must be mounted using the screws through the square holes\r
+rather than snapping in.\r
+\r
+=== 2-POST RAILS: ===\r
+2-Post Rail kits are used for standard 3" or 6" post mounted racks (telco\r
+type racks) and employ screws for mounting. These rack kits cannot be used\r
+on four post cabinet racks and cannot be modified to fit four post cabinet\r
+racks. \r
--- /dev/null
+= CURRENT registered agent info =\r
+\r
+On April 3, 2007, AdamChlipala signed us up with [http://www.incorp.com/ InCorp]. Here is the latest registered agent information:\r
+\r
+In``Corp Services, Inc.[[BR]]\r
+7208 Red Top Road[[BR]]\r
+Hummelstown, PA 17036\r
+\r
+County: Dauphin\r
+\r
+InCorp Services, Inc. is a national registered office provider with its principle place of business in Nevada. As such it should provide us with smoother service than our previous agent. Its Pennsylvania office in Hummelstown is located in central Pennsylvania a short distance east of Harrisburg, the state capital, and some two hours west of Philadelphia.\r
+\r
+= OLD registered agent info =\r
+\r
+The cooperative had engaged the services of a registered agent in Pennsylvania to serve as our Commercial Registered Office Provider as required by the Pennsylvania Code.\r
+\r
+Our registered agent was:\r
+{{{\r
+Myer & Myer CPA\r
+102 Wheatfield Dr\r
+Suite A\r
+Milford PA 18337\r
+Phone: (570) 296-2889\r
+Fax: (570) 296-2696\r
+}}}\r
+\r
+Our contact at Myer & Myer was Gregory P. Myer, CPA. His annual fee is $100. The first such payment was sent on February 5, 2005.\r
+\r
+This Milford, PA is in Pike County, Pennsylvania. Milford is the county seat of Pike, which is a rural county in northeastern Pennsylvania, and is an hour's drive from Scranton, PA and 90 minutes from New York City.\r
+\r
+When we initially contracted with Myer & Myer, they were located at 110 Broad St, but they have since moved into the office building at 102 Wheatfield.\r
+\r
+This information is no longer relevant--no HCoop mail should go to Myer & Myer.\r
--- /dev/null
+We take advantage of Linux's `ulimit` facility to limit user process' use of particular system resources. See DaemonFileSecurity for information on disk usage limits.\r
+\r
+= Login and cron jobs =\r
+\r
+Login shells and cron jobs inherit the limits from `/etc/security/limits.conf`, via PAM. We currently impose these limits, where "n/m" means "soft limit n and hard limit m":\r
+\r
+ * `as 100000/500000`. This limits how much virtual memory processes can allocate. Without this, run-away processes can use up all of the memory in the system and cause daemons to start crashing due to out-of-memory errors.\r
+ * `nproc 10/20`. Creating an unbounded number of processes is bad, so here we limit the maximum number of processes you may own concurrently.\r
+\r
+These settings are mostly designed assuming friendly users who sometimes make mistakes and create run-away processes. We may need to make the limits more stringent in the future.\r
+\r
+= CGI =\r
+\r
+We use a patched version of Apache 2 suexec that imposes the following restrictions on script execution:\r
+\r
+ * It sets some ulimits. Currently, it limits process count to 100 and memory usage to 100 MB.\r
+ * It waits up to 10 seconds for the script to execute before killing it and its children. The child-killing business is accomplished by putting the initial script process into a new process group, and then later using `pkill -g` on that process' pid if the time-out is reached.\r
+\r
+No doubt we'll be tweaking these parameters based on experience.\r
+\r
+= PHP =\r
+\r
+We've modified suphp in the same way, so your PHP scripts run with process count, memory, and time limitations, and will be killed if they exceed them.\r
+\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+This page describes the effort to bring the wiki up-to-date with respect to the new setup.\r
+\r
+[[TableOfContents]]\r
+\r
+== Context ==\r
+\r
+The information on this wiki needs to be made accurate with the current setup (deleuze, mire, abulafia, etc.).\r
+\r
+This involves:\r
+\r
+ * Updating information on existing pages\r
+ * Deleting pages that have no useful content\r
+ * Make it easy for members to get up-to-speed on migration,\r
+ * Re-work WelcomePage to be more relevant and easy to browse\r
+ * Provide more examples on ["DomTool/Examples"] and on MigrationTips\r
+ * Making an HCoop "Member Manual", perhaps by using MemberManual for the start page, with chapters represented as subpages\r
+ * Making a migration FAQ that answers all questions that members are likely to have during migration\r
+\r
+== Style guide ==\r
+\r
+See StyleGuide.\r
+\r
+== Personnel ==\r
+\r
+MichaelOlson is in charge of this effort.\r
+\r
+If you want to help out with a particular page or topic, please indicate this below.\r
+\r
+|| '''Name''' || '''Pages / topics''' ||\r
+|| RyanMikulovsky || Parts of Non-technical administrative stuff? ||\r
+|| MichaelPotter || Basic account usage ||\r
+\r
+== Progress ==\r
+ \r
+ * RewriteGoals/PagesToDelete: Pages that need to be deleted.\r
+ * RewriteGoals/PagesNeedingLove: Pages that need some attention, but should not be deleted.\r
--- /dev/null
+This is a listing of the pages that need some sort of attention. We do want to keep these pages around.\r
+\r
+== High priority ==\r
+\r
+ * MemberManual/MigrationGuide: Remove content that is already in the Manual in other places. Be sure to check existing pages first before removing content. I think that only content up to the Getting Started section on that page should remain. The page will go away after everyone is migrated.\r
+ * MemberManual/TransferringFiles: Look for existing pages about this topic, make them subpages of this one, and link to the subpages with explanatory descriptions.\r
+ * MemberManual/EmailDelivery: Move content on this topic from MemberManual/MigrationGuide to here. Move existing complete pages on Exim filtering and procmail into subpages of this page.\r
+ * MemberManual/ServingWebsites: Move content on this topic from MemberManual/MigrationGuide to here.\r
+\r
+== Medium priority ==\r
+\r
+ * JoinUs: Explanation of how to join us, with mention that people will be put on a "to notify" list until we open shop again.\r
+\r
+== Low priority ==\r
+\r
+ * OurHistory: Address on-page TODO items, mention recent history.\r
+ * MemberManual/VersionControl: Describe the use of each version control system in its own subpage. Example: [:MemberManual/VersionControl/git:].\r
--- /dev/null
+Discuss pages to delete here.\r
+\r
+== Should not delete ==\r
+\r
+ * ProjectGroupsTemplate: comes with Moin via the underlay\r
+ * ProjectTemplate: comes with Moin via the underlay\r
+\r
+== Need to verify with others ==\r
+\r
+ * ThwartingPackages (is this still applicable to our new machines?)\r
+ * Maybe. I don't know much about how mailman is set up on the new machines. We should probably ask ntk. --MichaelOlson\r
+\r
+=== New additions ===\r
+\r
+ * Add additional pages that might need to be deleted here...\r
--- /dev/null
+I have a background in database application development (mostly web-based), but I am now working as a QA Engineer for a financial services firm. I use hcoop to host a friend's band's website. I probably have a balance due ;)\r
--- /dev/null
+[http://rob.gubler.net me]\r
--- /dev/null
+I'm Rob, aka rcl. I live in Brooklyn, NY, USA.\r
--- /dev/null
+I go to Butte Community College, near Chico, CA. I plan to transfer to the University of California system in 2009.\r
+\r
+Website: http://www.distortions.net\r
--- /dev/null
+There are seven principles, known as the [http://en.wikipedia.org/wiki/Rochdale_Principles Rochdale Principles], that guide all cooperatives in the spirit of the original cooperative movement dating back to 1844. They have been modified somewhat and there are several versions sometimes with six or seven principles, but they are all similar in spirit.\r
+\r
+ 1. Voluntary and open membership.\r
+ 1. Democratic control.\r
+ One member, one vote.\r
+ 1. Member economic participation\r
+ Also, "distribution of surplus in proportion to trade." Another principle sometimes seen is "limited return on equity," in other words, reserves should be used to improve service or infrastructure, not as investments per se. One of the original principles was cash trading--no extension of credit, but this principle has been largely relaxed.\r
+ 1. Autonomy and independence.\r
+ Originally phrased in terms of political and religious neutrality.\r
+ 1. Education, training, and information.\r
+ 1. Cooperation among cooperatives.\r
+ A relatively new principle added in 1966, intended to strengthen cooperatives in a corporation-dominated economy.\r
+ 1. Concern for community.\r
+\r
+== Further reading ==\r
+ * StoneSoup\r
+ * [http://hcoop.net/~ntk/newview.txt A New View of Society], by Robert Owen, written 1813-1816. Robert Owen was an early pioneer of the cooperative movement\r
--- /dev/null
+#format wiki\r
+#language en\r
+== Shaun Empie ==\r
+\r
+Email: [[MailTo(shaun AT SPAMFREE vpit DOT net)]]\r
+\r
+Member of coop since 2005\r
+\r
+http://vpit.net\r
+\r
+jabber: shaun AT SPAMFREE hcoop DOT net\r
+...\r
+\r
+----\r
+CategoryHomepage\r
--- /dev/null
+#pragma section-numbers on\r
+\r
+This page was meant to organize a discussion and is not the canonical reference on our organizational decisions. It may often be out of date.\r
+\r
+[[TableOfContents(2)]]\r
+\r
+= Terminology =\r
+To save space below, we'll use the following working names for the different pieces of hardware involved:\r
+\r
+ * '''Main''' is the machine hosting most services.\r
+ * '''Dynamic''' is the machine hosting member dynamic web sites and other services where we run arbitrary code written by members.\r
+ * '''Shell''' is the "most anything goes" shell server.\r
+= The Big List of Scary Things =\r
+These are the issues that we're dealing with for the first time in our new set-up, meaning that we should pay special attention to them.\r
+\r
+ * Multiple servers and coordinating their interaction\r
+ * A shared file system\r
+ * Increasing member base and corresponding system load\r
+ * Different public/private networks, thanks to some switch magic\r
+ * Serious automated remote back-up service\r
+ * Centralized system logins\r
+= The Big Questions =\r
+== What Debian version do we run on each server? ==\r
+AdamChlipala suggests stable on Main and testing on Dynamic and Shell because:\r
+\r
+ * We want our primary services to be as reliable as possible.\r
+ * Members will want to use some cutting-edge stuff for running their dynamic web sites and custom daemons, and stable doesn't keep up very well with the cutting edge. On the other hand, unstable just seems too risky.\r
+ * If Shell is used as a testing environment for services later pushed to Dynamic, then it should have the same software versions as Dynamic.\r
+\r
+'''Update''': We're currently planning stable on Main and Dynamic, since testing too often has catastrophic upgrade failures in practice.\r
+\r
+== What resource limits are imposed on the different servers? ==\r
+=== Decisions that we've agreed on ===\r
+ * We don't need explicit limits on usage of Main's local resources, because only admins will be able to control them.\r
+=== Questions to be resolved ===\r
+ 1. Do we impose ulimits and related stuff on Dynamic?\r
+ AdamChlipala says:\r
+ . We need some measures in place to prevent runaway processes from crashing everyone's dynamic web sites. The question is, do we use automated measures or do we just monitor closely and intervene manually when needed? A bad runaway process can take the server down quickly, so I think it's necessary to use ulimits and their ilk.\r
+\r
+ 1. How do we control resource usage on Shell?\r
+ AdamChlipala says:\r
+ . I think I'm in favor of no ulimits or similar on Shell, relying on monitoring and manual intervention to deal with runaway processes and other horrors. We've already had some folks unable to use some implementations of non-mainstream programming languages because these implementations aren't able to deal with our resource limits... and, if you know me, you can probably guess that that Just Breaks My Heart!\r
+\r
+ 1. Where we do decide to use monitoring and manual intervention, what monitoring tools can best help us do it?\r
+ DavorOcelic says:\r
+ . I've talked about this multiple times before, and I'm still interested in doing something real in this area. First of all, there's a log parser I've written, which is very similar to Logsurfer (or Logsurfer+ for that matter), but which resolves some of their crucial limitations; we'd definitely turn Main machine into a common loghost, so this would be a good place to deploy this on. Another good thing I have in mind is Nagios, a ping/service/anything monitoring tool. Third tool I have in mind is the excellent Puppet (kind of cfengine new-generation) that we can script to test and fix stuff on our systems.\r
+== Who can log into which servers? ==\r
+=== Decisions that we've agreed on ===\r
+ * Only admins can log into Main\r
+ * Everyone can log into Shell\r
+ DavorOcelic says:\r
+ . This is a good general rule. For any exceptions, both the usual Unix auth mechanism and LDAP allow great flexibility (per-user list of allowed machines and also per-machine list of allowed users).\r
+=== Questions to be resolved ===\r
+ 1. Can everyone log into Dynamic, too?\r
+ AdamChlipala says:\r
+ . I think it is important to allow this. My mental model has Shell made deliberately unstable because we don't know how to impose automatic limits that allow all of the stuff that people want to do. I know that a lot of the people involved in this planning aren't particularly interested in using non-mainstream programming languages and other things that conventional hosting providers are never going to support, but for me and several other members this is one of the defining aspects of HCoop. That means that we need to be able to go crazy with Shell, while committing to keeping Dynamic up all the time. If Shell is down, members need to be able to use Dynamic to configure their services. That doesn't mean that they can't use the development-production split model when Shell is up, logging in only there.\r
+== How are we going to handle the basic logistics of a shared filesystem and logins? ==\r
+=== Decisions that we've agreed on ===\r
+ * We're going to use AFS filesystem and Kerberos. (AFS mandates the use of Kerberos).\r
+ * We're going to use LDAP for logins. (Can play together with AFS and Kerberos, no worries).\r
+=== Questions to be resolved ===\r
+Everything else!\r
+\r
+== How are we going to charge (monetarily or just to have a sense of who is using what) members accurately for their disk usage? ==\r
+There are a lot of issues here. We provide a number of shared services whose default models create files on the behalf of members but that are (by default) owned by a single UNIX user. Examples include PostgreSQL and MySQL databases, virtual mailboxes, Mailman mailing lists, and domtool configuration files. Any of these can grow so large as to use up all disk space on a volume, through either malicious action or accidental runaway processes.\r
+\r
+Right now we use this gimpy scheme of group quotas on /home, storing all of these files on that partition with group ownership telling which member is responsible for them. I think AFS provides a nicer way of doing this. With the way we do it now, we are constantly fighting the behavior of the out-of-the-box Debian packages to set permissions differently than how we need them to be. With AFS, I think we can separate permissions from locations.\r
+\r
+= Daemons shared by members =\r
+== Off-site file back-up services ==\r
+=== Questions to be resolved ===\r
+ * Use [http://rsync.net/ rsync.net]?\r
+== DNS ==\r
+=== Decisions that we've agreed on ===\r
+\r
+ * Running djbdns on Main\r
+\r
+'''Update''': Scrap that! We're using BIND on Main and Dynamic, since it's so much better supported throughout the 'net, makes master/slave configurations easier, etc.. In the future, we want to expand to include a tertiary DNS server in a different geographic location and on an entirely different network.\r
+\r
+=== Questions to be resolved ===\r
+ 1. How do we arrange redundant DNS infrastructure?\r
+JustinLeitgeb says:\r
+\r
+ . For now, I think we can just put our backup DNS server on either the shell or web machine at Peer 1, depending on how we finally set things up. We will have to configure this with domtool or it's replacement. I don't really see any other options here, am I missing something?\r
+=== References to how we do things now ===\r
+DnsConfiguration, DomainRegistration\r
+\r
+== FTP ==\r
+=== Decisions that we've agreed on ===\r
+ * Run an FTP daemon on Main\r
+ * Only allow encrypted authentication methods\r
+ * Only allow users on a white-list to use FTP; they should be using SCP if possible\r
+=== References to how we do things now ===\r
+FtpConfiguration, FileTransfer\r
+\r
+== HTTP ==\r
+=== Decisions that we've agreed on ===\r
+ * Using Apache 2\r
+ * Running all official/administrative HCoop web sites on Main\r
+ * Running all member dynamic web sites on Dynamic\r
+=== Questions to be resolved ===\r
+ 1. Do we completely separate adminstrative web sites from the rest, or do we allow any member static web site to be served by Main?\r
+ DavorOcelic says:\r
+ . Well. I think we don't have many administrative web sites (nor the ones we have are used heavy enough) to justify complete separation. It should be OK to run static web sites from Main, I believe. We could create default web spaces for users, like ~/public_html/ served from Dynamic, and ~/static_html/ served from Main, or something like that. (Please give more input on this).\r
+ * I think it would better to have a domtool directive that chose which machine the site was served on (e.g. ServedOn static|dynamic) and then let members choose how to lay out their own directories. -- ClintonEbadi\r
+=== References to how we do things now ===\r
+UserWebsites, DynamicWebSites, VirtualHostConfiguration\r
+\r
+== IMAP/POP ==\r
+=== Decisions that we've agreed on ===\r
+ * Running the primary IMAP/POP daemons on Main\r
+ * Running both SSL and normal versions, where the normal versions can only be used over the local network\r
+=== Questions to be resolved ===\r
+ 1. Do we keep using Courier IMAP or do we switch to something like Cyrus?\r
+=== References to how we do things now ===\r
+UsingEmail, EmailConfiguration\r
+\r
+== Jabber ==\r
+=== Decisions that we've agreed on ===\r
+ * Run the same thing we're running now, on Main\r
+=== Questions to be resolved ===\r
+ * Should we add a tool similar to webpasswd to let members enable their jabber accounts without manual intervention? Doing this by hand is easy now, but when we have hundreds of members it would make much more sense to automate the process.\r
+ * Alternatively we could let members login using their normal passwords (which is fairly secure as long as SSL is forced to be enabled). Ejabberd can use LDAP for authentication so it would be easy to automatically give every HCoop member an account.\r
+ * Should a tool be added to enable members to set up their own virtual jabber hosts (e.g. member at unknownlamer dot org )? I (ClintonEbadi) could write one in perl.\r
+ * If we did this should we allow members to add as many accounts as they wish, or only have one account per virtual server for the member? Jabber doesn't use much bandwidth (it's all text), and it would be nice to be able to give friends or family jabber accounts, and then eliminate dependence on other more evil IM services.\r
+=== References to how we do things now ===\r
+JabberServer\r
+\r
+== Mailing lists ==\r
+=== Decisions that we've agreed on ===\r
+ * Using the Mailman software\r
+ * Running the daemon on Main\r
+=== Questions to be resolved ===\r
+ 1. How/where do we store mailing list data so that it is appropriately charged towards a member's storage quota?\r
+=== References to how we do things now ===\r
+MailingListConfiguration\r
+\r
+== Relational database servers ==\r
+=== Decisions that we've agreed on ===\r
+ * Running PostgreSQL and MySQL servers on Main\r
+=== Questions to be resolved ===\r
+ 1. Are we satisfied with the latest versions from Debian stable, or do we want to do something special?\r
+ 1. Do remote PostgreSQL authentication (from Dynamic, etc.) via the ident method? DavorOcelic thinks it's OK.\r
+=== References to how we do things now ===\r
+UsingDatabases\r
+\r
+== SMTP ==\r
+=== Decisions that we've agreed on ===\r
+ * Using Exim 4\r
+ * Running the primary SMTP daemon on Main\r
+=== Questions to be resolved ===\r
+ 1. Run secondary MX on Dynamic or elsewhere?\r
+=== References to how we do things now ===\r
+UsingEmail, EmailConfiguration\r
+\r
+== Spam detection ==\r
+=== Decisions that we've agreed on ===\r
+ * Running the SpamAssassin spamd daemon on Main\r
+ * Running it via the spamc client on all mail to opted-in addresses, but leaving filtering based on the added headers up to the individual recipients\r
+ * Keeping a shared Bayes filtering database that can be trained by members by depositing misclassified messages into shared folders\r
+=== References to how we do things now ===\r
+UsingEmail, SpamAssassin, FeedingSpamAssassin, SpamAssassinAdmin\r
+\r
+== SSH ==\r
+=== Decisions that we've agreed on ===\r
+ * Use the standard SSH daemon in Debian\r
+ * Run it on all of our servers, with varying access permissions based on the shared user list\r
+ DavorOcelic says:\r
+ . Do we need ssh on Main too, if we've got a serial console?\r
+=== References to how we do things now ===\r
+SshConfiguration\r
+\r
+== SIP Redirection ==\r
+ * Do we also want to add the service of SIP redirection? I think this would go along very well with Clinton's suggestion of allowing people to have jabber accounts with their own domain. This way someone could have have their email, jabber and sip addresses all consolidated. A sip redirection server would use next to no bandwidth. All it would do is when a call comes in, give it another address the user can be found on. For example when someone tries to call user1@userdomain.com , the server would spit out a user defined address such as a gizmo or fwd account name and the call would continue on to that seamlessly. - ShaunEmpie\r
+= Services run on top of these daemons =\r
+== Domtool ==\r
+Everyone's favorite spiffy system for letting legions of users manage the same daemons securely.\r
+\r
+AdamChlipala says:\r
+\r
+ . I would like to rewrite this completely, for reasons including: From a software engineering perspective, the implementation is not so nice. There is no support for configuring multiple machines from the same configuration file source. Scalability with the increasing amount of configuration is not so hot. The current configuration scheme encourages copying-and-pasting, which makes it hard to make sweeping changes to our suggested configuration base.\r
+\r
+JustinLeitgeb says:\r
+\r
+ . If we're doing this, let's think about storing configuration information in a database. It seems that it should scale better, and it would certainly be easier to write programs for users to configure domains via a web interface. I'm also thinking about writing a tool to set up a host with a dynamic IP on the internet (like what dyndns.org provides). For this to occur, we basically need to factor in the ability for fairly frequent, small changes to DNS zones without completely reloading the server. Also we need to be able to configure the TTL on host records (this may already be possible in domtool, I haven't checked). If the new domtool is written in Perl, I will be able to make software contributions, otherwise I probably won't have time to learn a new language in the next few years.\r
+\r
+ AdamChlipala says:\r
+ . My conception of the optimal configuration tool makes every configuration file a program, with textual structure that maps very poorly to a relational database, so I am still strongly against the idea of SQL-based configuration.\r
+ . domtool already supports everything needed for dynamic DNS, including setting TTL, as someone already requested support for doing that himself.\r
+ . I won't be involved with any Perl development.\r
+\r
+ JustinLeitgeb says:\r
+ OK, I understand where you're coming from if you want the configuration files to be programs. I agree that it will be a stronger system that way.\r
+\r
+=== References to how we do things now ===\r
+DomainTool\r
+\r
+== Portal ==\r
+=== Decisions that we've agreed on ===\r
+ * Keep doing the same as now, running on Main\r
+=== References to how we do things now ===\r
+[https://members.hcoop.net/ The portal]\r
+\r
+== Web e-mail client ==\r
+=== Decisions that we've agreed on ===\r
+ * Keep using SquirrelMail, running on Main\r
+=== References to how we do things now ===\r
+[http://mail.hcoop.net/ SquirrelMail]\r
+\r
+== Webmin/Usermin ==\r
+=== Decisions that we've agreed on ===\r
+ * Keep doing the same as now, running on Main\r
+=== References to how we do things now ===\r
+[https://members.hcoop.net/usermin/ Usermin]\r
+\r
+== Wiki ==\r
+=== Decisions that we've agreed on ===\r
+ * Start from the same data as our current wiki\r
+ * Host the wiki on Main\r
+ * Keep using MoinMoin\r
+=== Questions to be resolved ===\r
+ * Upgrade the wiki to the latest release, even if there is no Debian package for it.\r
+\r
+ MichaelOlson says:\r
+\r
+ . I want to upgrade the Moin software to the latest release. The main reason for this is that the UserPreferences page is broken in the current version, in that it has no '''Mail me my account data''' button, in spite of the instructions on that page. This seems to be fixed on the official Moin wiki, so it is most likely fixed in the latest release.\r
+ . The idea is for me to start by upgrading my LUG's wiki instance. If no unsolvable problems are encountered, then upgrade HCoop's wiki instance as well. If no up-to-date Debian package is found (and there wasn't one, last time I checked), I could either:\r
+ . (a) make a Debian package, using the Debian patches against their {{{moin}}} package as a reference, or\r
+ . (b) backup the Debian additions (site-wide wiki farm settings), remove the {{{moiin}}} Debian package, and install it from source.\r
+\r
+=== References to how we do things now ===\r
+[http://wiki.hcoop.net/ This wiki]\r
+\r
+= Security =\r
+Here are the security issues we need to worry about, sorting by resource categories of varying abstraction levels. What we mostly deal with here is avoiding negative consequences of actions by members with legitimate access to our servers.\r
+\r
+== CPU time ==\r
+We haven't really encountered any trouble with this literal resource yet. However, potential problems come in when we're talking about user dynamic web site programs called by a shared Apache daemon. Apache allocates a fixed set of child processes, and each pending dynamic web site program takes up one child process for the duration of its life. Enough infinite-looping or slow CGI scripts can bring Apache down for everyone.\r
+\r
+=== Current remedies ===\r
+As per ResourceLimits, we use patched {{{suexec}}} programs to limit dynamic page generation programs to 10 seconds of running time. We also have a time-out for {{{mod_proxy}}} accesses, which we provide to allow members to implement dynamic web sites through their own daemons that the main Apache proxies.\r
+\r
+== Disk usage ==\r
+We can't let one person use up all of the disk space, now can we?\r
+\r
+=== Current remedies ===\r
+We use group quotas so that members can be charged for files that they don't own. This is still hackish and allows some unintended behaviors. DaemonFileSecurity has more detail.\r
+\r
+== Network bandwidth ==\r
+We don't do a thing to limit this now, since our current host provides significantly more bandwidth than we need.\r
+\r
+=== Questions to be resolved ===\r
+ 1. Should we start doing anything beyond monitoring?\r
+== Network connection privileges ==\r
+It's good to follow least privilege in who is allowed to connect to/listen on which ports.\r
+\r
+=== Current remedies ===\r
+We have a firewall system in place now. It uses a custom tool documented partially on FirewallRules.\r
+\r
+== Number of processes ==\r
+Fork bombs are no fun, and many resource limiting schemes are per-process and so require a limit on process creation to be effective.\r
+\r
+=== Current remedies ===\r
+As per ResourceLimits, we use the {{{nproc}}} ulimit.\r
+\r
+== RAM ==\r
+This is probably the most surprising thing for novices to the hosting co-op planning biz. If you would classify yourself as such, then I bet you would leave RAM off your list of resources that need to be protected with explicit security measures!\r
+\r
+Nonetheless, it may just be the most critical resource to control. In our experiences back when everything ran on Abulafia, the most common cause of system outage was some user running an out-of-control process that allocated all available memory, causing other processes to drop dead left and right as memory allocation calls failed. We're letting people run their own daemons 24/7, so this just can't be ignored.\r
+\r
+=== Current remedies ===\r
+As per ResourceLimits, we use the {{{as}}} ulimit to put a cap on how much virtual memory a process can allocate.\r
--- /dev/null
+= Using SpamAssassin at HCoop =\r
+\r
+HCoop has SpamAssassin installed on our email servers. SpamAssassin is a program designed to remove junk mails from your mailbox before you see them.\r
+\r
+== How to Start Using Spamassassin with you HCoop Account ==\r
+\r
+Read the page UsingEmail for information on how to start using SpamAssassin with your account quickly. Continue on for more information on SpamAssassin, in general and in our environment.\r
+\r
+== Links to Related Pages ==\r
+\r
+These pages provide more detail on how SpamAssassin works at HCoop, and about the program in general.\r
+\r
+=== Links on Hcoop Wiki ===\r
+\r
+ * FeedingSpamAssassin - Describes how to "train" SpamAssassin to recognize your junk mail\r
+\r
+ * SpamAssassinAdmin - Describes how SpamAssassin was set up at HCoop\r
+\r
+=== External Links ===\r
+\r
+ * [http://spamassassin.apache.org/ SpamAssassin home page]\r
--- /dev/null
+Here's how we set up our site-wide Spam``Assassin bayes database, including the ability for users to train it.\r
+\r
+ 1. Create a new user `spamd` with home `/var/local/lib/spamd`.\r
+ 1. Add "spamd" to `/etc/cron.allow`.\r
+ 1. Perform the following as `spamd`:\r
+ 1. `cd ~spamd`\r
+ 1. `maildirmake -S Maildir`, to create the shared Spam``Assassin mailbox.\r
+ 1. `maildirmake -f SiteSpam -s write Maildir`, to create a writable folder for misclassified spam (or if extracting from a tarball, make sure it has the sticky bit set by doing the following).\r
+ {{{\r
+find ~spamd/Maildir/.SiteSpam -type d -exec chmod o+t {} \;\r
+}}}\r
+ 1. `maildirmake -f SiteHam -s write Maildir`, to create a writable folder for misclassified ham (or if extracting from a tarball, make sure it has the sticky bit set by doing the following).\r
+ {{{\r
+find ~spamd/Maildir/.SiteHam -type d -exec chmod o+t {} \;\r
+}}}\r
+ 1. Add the following to `~spamd/.crontab` to learn from and delete messages in those shared folders every five minutes (changing MACHINENAME to be the name of the local machine):\r
+ {{{\r
+MAILTO=logs@MACHINENAME.hcoop.net\r
+\r
+# Learn from submitted spam\r
+0,10,20,30,40,50 * * * * ~spamd/scripts/learn-spam --spam\r
+# Learn from submitted ham\r
+0,10,20,30,40,50 * * * * ~spamd/scripts/learn-spam --ham\r
+# Remove any tmp cruft\r
+3 3 * * * find ~spamd/Maildir/.SiteHam/tmp -type f -delete ; find ~spamd/Maildir/.SiteSpam/tmp -type f -delete\r
+}}}\r
+ '''Be sure there's a newline after the last line, or it won't be processed.'''\r
+ 1. Copy the `learn-spam` script from the `spam` directory of the hcoop "misc" repository into the directory `~spamd/scripts`.\r
+ 1. Modify `/etc/spamassassin/local.cf` with the directive:\r
+ {{{\r
+# Location of bayes data\r
+bayes_path /var/local/lib/spamd/bayes/.spamassassin/bayes\r
+\r
+# Fix bayes permissions\r
+bayes_file_mode 0770\r
+\r
+# Directives from old setup\r
+# [any custom stuff from the old /etc/spamassassin/local.cf that you want to keep]\r
+}}}\r
+ 1. Modify `/etc/default/spamassassin` by setting `OPTIONS` and `ENABLED`as follows. The `-x` prevents `spamd` from trying to look for per-user configuration, which would be silly because it always runs as the same user here. Without this flag, the cron job triggered every 5 minutes would log an error message, which would lead to an e-mail being sent to the `spamd` user.\r
+ {{{\r
+# Change to one to enable spamd\r
+ENABLED=1\r
+\r
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir=/var/local/lib/spamd -u spamd -x -s /var/log/spamd.log"\r
+\r
+PIDFILE="/var/local/lib/spamd/pid"\r
+}}}\r
+ 1. Make a file called `/etc/logrotate.d/spamd` with the following contents.\r
+ {{{\r
+/var/log/spamd.log {\r
+ weekly\r
+ missingok\r
+ create 0640 root adm\r
+ rotate 4\r
+ compress\r
+ delaycompress\r
+ sharedscripts\r
+ postrotate\r
+ [ -f '/var/local/lib/spamd/pid' ] && (kill -HUP `cat /var/local/lib/spamd/pid`) || exit 0\r
+ endscript\r
+}\r
+}}}\r
+ 1. Start the daemon by doing {{{/etc/init.d/spamassassin start}}}. Check `/var/log/spamd.log` to be sure that it started OK.\r
+ 1. Install the `.crontab` entries that you wrote earlier by doing {{{crontab -u spamd ~spamd/.crontab}}} as root. Do this every time that you make changes to `~spamd/.crontab`.\r
+ 1. Edit {{{/etc/courier/shared/index}}} as follows, being sure to separate each column with a single TAB character. The second column is UID, and third column is GID -- consult `/etc/passwd` and `/etc/group` to make these match the `spamd` user and group.\r
+ {{{\r
+spamd 116 119 /var/local/lib/spamd\r
+}}}\r
+ 1. Restart courier's IMAP process: {{{runsv restart courier-imap}}}\r
+ 1. Test by checking to see if you can access {{{shared.SpamAssassin.SiteHam}}} and {{{shared.SpamAssassin.SiteSpam}}} from IMAP. If not, do {{{maildirmake --add SpamAssassin=~spamd/Maildir ~/Maildir}}} as your normal user from the machine that does courier (and presumably spamassassin as well). You might need to replace `~` with `~USERNAME` if you are using sudo to do this, where USERNAME is your normal username.\r
+ 1. Now copy some spammy mail into the {{{SiteSpam}}} directory, wait 5 minutes, and check to see if the mail got learned and deleted.\r
+ 1. If so, edit {{{~spamd/.crontab}}} to pipe the output of sa-learn to /dev/null, and run crontab as specified earlier to propogate this change.\r
+\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+It is possible to set up custom filters to do fancy things based on the X-Spam-Level: header. Here is NathanKennedy's .forward file. He finds that the default setting of 5.0 is too wimpy, and lets too much spam into his inbox. Virtually no ham that he gets scores less than 3.0, whereas a lot of spam scores less than 5.0, so he'd rather have anything over 3.0 go to his Junk folder. At the same time, he doesn't want to waste time, cycles, disk space or bandwidth with spam over 9.0. Most of his spam does score 9.0, and this goes straight to /dev/null (immediately disposed of) with this filter.\r
+\r
+Finally, he has all HCoop list email go into a special HCoop folder.\r
+\r
+Without further ado:\r
+\r
+{{{\r
+# Nathan's exim filter\r
+\r
+logfile $home/spamlog\r
+\r
+if $header_subject contains "[HCoop"\r
+then\r
+ save $home/Maildir/.HCoop/\r
+ finish\r
+endif\r
+\r
+if\r
+ "${if def:h_X-Spam-Level {def}{undef}}" is "def"\r
+then\r
+ if $h_X-Spam-Level: begins "\*\*\*\*\*\*\*\*\*"\r
+ then save "/dev/null" 660\r
+ else\r
+ if $h_X-Spam-Level: begins "\*\*\*"\r
+ then save $home/Maildir/.Junk/\r
+ endif\r
+ endif\r
+ finish\r
+endif\r
+\r
+if\r
+ "${if def:h_X-Spam-Flag {def}{undef}}" is "def"\r
+then\r
+ save $home/Maildir/.Junk/\r
+ finish\r
+endif\r
+}}}\r
--- /dev/null
+= I'm pretty sure this is obsolete =\r
+mire, at least, doesn't allow key-based ssh authentication. See ["Kerberos"] for something similar.\r
+\r
+= Setting up key-based ssh authentication =\r
+Note: This is totally optional. Some people prefer password-based authentication (the default). In order to continue with these instructions, you must already be able to authenticate with a password.\r
+\r
+There are two ways to assure our servers that you are really ''you'' so that you can login. You can tell them your secret password each time, or you can have your ssh client identify you, more or less automatically, using a unique key.\r
+\r
+Go [http://nwps.ws/pub/Security/SSH-Authentication_A_Basic_Overview.txt here] to read more, especially toward the bottom concerning keys vs. passwords.\r
+\r
+'machineSERV' is the name of our server[[BR]] 'machineCLI' is the name of your local machine with a full ssh2 implementation\r
+\r
+== For Unix-ish clients (use OpenSSH) ==\r
+From machineCLI, as the user that connects to machineSERV: [[BR]] {{{ ssh-keygen -t dsa }}}\r
+\r
+ * Note: you can use RSA key instead of DSA if you prefer (RSA may be faster to connect though slower to generate; security level is considered the same). To do this, replace every occurence of "dsa" by "rsa" in these instructions. See ["DSAvsRSA"] for more info. \r
+\r
+When the keygen program asks for a passphrase, enter a multi-word phrase that you can remember or write in a safe place. This passphrase encrypts your private key on the hard drive, protecting it from being read by even the root user. You will also get a public key, that you can (metaphorically) hand out to people like a business card. If they decide to trust you, you can just call up and flash them your business card and (after some behind-the-scenes verification) they'll let you in.\r
+\r
+''Your public key is useless for any sort of exploit or attack without the accompanying private key. Your public key cannot fall into the wrong hands, as anyone who stores it is basically inviting '''you''' to knock on '''their''' door and not the other way around. ''\r
+\r
+''Your private key, on the other hand, must be kept secure and should not be displayed or stored. The passphrase that ssh-keygen prompts you for is used to encrypt your private key, the result of which is stored on the hard drive. For ssh to use your private key, the passphrase must be supplied in order to decrypt it. ssh never transmits your private key anywhere; it is only used locally to decrypt an sshd challenge.''\r
+\r
+ssh-keygen will have created two files: id_dsa and id_dsa.pub in ~/.ssh/[[BR]] id_dsa is your private key, and id_dsa.pub is your public key[[BR]]\r
+\r
+Next, you'll want to copy your public key over to machineSERV. (notice that, in the copy process, we will rename the local id_dsa.pub to machineCLI_dsa.pub on the remote side, so as not to conflict with machineSERV's *own* public key)[[BR]] {{{ scp ~/.ssh/id_dsa.pub machineSERV:~/.ssh/machineCLI_dsa.pub }}}\r
+\r
+Then ssh over to machineSERV [[BR]] {{{ ssh machineSERV }}}\r
+\r
+Now your account on machineSERV has your business card from machineCLI. In order to accept it, we have to place its contents into ~/.ssh/authorized_keys. A .ssh directory ought to already exist, but if it doesn't, then {{{ ssh-keygen -t dsa }}} and follow the first part of the instructions above. [[BR]]Regardless, append your public key to the authorized_keys file: [[BR]] {{{ cat machineCLI_dsa.pub >> ~/.ssh/authorized_keys }}}\r
+\r
+Give it a try and make sure it works (from machineCLI): [[BR]] {{{ ssh machineSERV }}}\r
+\r
+Your ssh client should ask you for a passphrase instead of your usual password. Type in your passphrase and make sure you can authenticate. If not, start over or just delete your newly created keys.\r
+\r
+Let's verify some file permissions for ~/.ssh/ on machineCLI:\r
+\r
+{{{\r
+~/.ssh/ drwx------ (chmod 700)\r
+~/.ssh/authorized_keys -rw------- (chmod 600)\r
+~/.ssh/id_dsa -rw------- (chmod 600)\r
+~/.ssh/machineCLI_dsa.pub -rw-r--r-- (chmod 644)\r
+~/.ssh/known_hosts -rw-r--r-- (chmod 644)\r
+}}}\r
+OK. This is fine and dandy, but every time we use the private key, we need to decrypt it by entering the passphrase, which can get tedious.\r
+\r
+Luckily, a full ssh2 implementation includes a handy program called ssh-agent. You can tell ssh-agent your passphrase at the beginning of a login session on machineCLI. Then, for the rest of that session, any time you need to ssh to our servers (or anywhere else), ssh-agent will deliver the private key for you.\r
+\r
+But wait! There's more...\r
+\r
+There is another program, written by Daniel Robbins of Gentoo fame, called [http://www.gentoo.org/proj/en/keychain.xml keychain] that will remember your key until you reboot machineCLI.\r
+\r
+Install keychain on machineCLI. There is a package for sarge:\r
+\r
+{{{\r
+apt-get install keychain\r
+}}}\r
+\r
+ or you can get the source from [http://dev.gentoo.org/~agriffis/keychain/ Gentoo] and install: \r
+\r
+{{{\r
+cd /usr/local\r
+wget http://dev.gentoo.org/~agriffis/keychain/keychain-2.6.1.tar.bz2\r
+bunzip2 keychain-2.6.1.tar.bz2\r
+tar -xvf keychain-2.6.1.tar\r
+cd keychain-2.6.1\r
+install -m0755 keychain /usr/bin/keychain\r
+}}}\r
+next, add some keychain commands to ~/.bash_profile on machineCLI:\r
+\r
+{{{\r
+keychain id_dsa\r
+. ~/.keychain/machineCLI-sh\r
+}}}\r
+Log out of machineCLI and then back in. keychain should cause ssh-agent to ask for your passphrase. Once you've done that, you shouldn't have to enter your passphrase again until reboot. Then {{{ ssh machineSERV }}} and marvel that machineSERV didn't ask you for a password!\r
+\r
+Next, you'll probably want to redo this process, but from machineSERV to machineCLI. Luckily, the keychain program is already installed on machineSERV, so just follow this process again, except switch the machines.\r
+\r
+=== For MS-Windows clients (use PuTTY and PuTTYgen/Pageant) ===\r
+[[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html get PuTTY here]] \r
+ * PuTTY is the client\r
+ * PuTTYgen is for onetime key generation\r
+ * Pageant is a tiny long-running process that remembers your private key -- analogous to keychain for unix\r
+\r
+==== Basic steps: ====\r
+ * Generate a public/private keypair\r
+ * The private key stays on machineCLI, and the public key goes on machineSERV\r
+ * Encrypt the private key using a passphrase\r
+ * Append your public key to machineSERV:~/.ssh/authorized_keys\r
+ * Configure PuTTY to authenticate using your private key\r
+ * Once this is done, you can now log in using keys instead of passwords, though you still need to decrypt your private key every time using the passphrase\r
+ * Configure Pageant to remember your passphrase\r
+\r
+For visual learners, take a look at Howtoforge's [http://www.howtoforge.com/ssh_key_based_logins_putty Key-Based SSH Logins With PuTTY].\r
+\r
+==== Detailed instructions: ====\r
+Run PuTTYgen. In the bottom pane, Parameters, choose SSH2-DSA, and then click Generate. The program will ask you to move the mouse around for injection of randomness. Then, the top pane will show your public key. Copy this text to the clipboard (ctrl-C). Keep PuTTYgen open.\r
+\r
+The text copied to the clipboard should be in the following general format: the text 'ssh-dss' followed by a single space, then a long seemingly-random string of ascii printable characters, then a single space, and finally the text 'dsa-key-YYYYMMDD' where YYYYMMDD represents today's date. There should be no newlines at all.\r
+\r
+Next, we need to add this public key to machineSERV:~/.ssh/authorized_keys. Log in to machineSERV using PuTTY and enter your password as normal. Load ~/.ssh/authorized_keys using an editor such as vi, emacs, pico, etc. Place the cursor at the last empty newline and paste your public key (right-click ?) into authorized_keys such that the public key is appended to the file. Save this file and log out of machineSERV.\r
+\r
+Switch back to PuTTYgen and enter and confirm your passphrase (in the 'Key' pane). Click on Save Private Key, and remember the location where you save it.\r
+\r
+Next, close and reload PuTTY. If you have already saved a session, highlight it, then click Load to load its configuration. Otherwise, enter 'hcoop.net' into the Host Name field near the top, type a descriptive name (like hcoop or fyodor) into the Saved Sessions field, and then click Save.\r
+\r
+Now, with the hcoop connection loaded, open up the SSH tree under Connections in the left pane. Under Auth, enter the location of your private key file in the bottom field. Click on Session (toplevel) in the left pane, and then Save in the right pane, to save this configuration.\r
+\r
+Double-click the newly-configured connection to attempt a connection. You should be asked for a login and passphrase. If you can successfully authenticate, the last step is to run Pageant so that we can skip the passphrase.\r
+\r
+When you run Pageant, you should have an icon in your systray. Double-click this icon and click Add Key. Browse for your saved private key, enter your passphrase, and you're done. Try reloading the hcoop connection to confirm that you can login without a passphrase.\r
+\r
+For one final trick, prepend your username to the hostname field of the connection (e.g. username@hostname.com ), and PuTTY will only require a double-click for you to login.\r
--- /dev/null
+From [http://en.wikipedia.org/ Wikipedia] (under WikiPedia:GFDL):\r
+\r
+ Some travellers come to a village, carrying nothing more than an empty pot. Upon their arrival the villagers are unwilling to share any of their food stores with the hungry travellers. The travellers fill the pot with water, drop a large stone in it, and place it over a fire in the village square. One of the villagers becomes curious and asks what they are doing. The travellers answer that they are making "stone soup," which tastes wonderful, although it still needs a little bit of garnish to improve the flavor, which they are missing. The villager doesn't mind parting with just a little bit to help them out, so it gets added to the soup. Another villager walks by, inquiring about the pot, and the travellers again mention their stone soup which hasn't reached its full potential yet. The villager hands them a little bit of seasoning to help them out. More and more villagers walk by, all adding another ingredient. Finally, a delicious and nourishing pot of soup is enjoyed by all.\r
+\r
+To come: Apply Stone Soup to HCOOP. (It rhymes!)\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page explains the considerations that should be taken when writing pages in the HCoop wiki.\r
+\r
+[[TableOfContents]]\r
+\r
+= Template =\r
+\r
+Here's a basic template to apply when making new pages and revising old ones.\r
+\r
+{{{\r
+Description of page. I.e.: This page describes how to filter your email using\r
+procmail and Exim.\r
+\r
+## Every page should have a table of contents\r
+[[TableOfContents]]\r
+\r
+Remaining content of page, split into logical sections.\r
+}}}\r
+\r
+= Section numbers =\r
+\r
+The following text, when placed at the beginning of a page, turns off numbering of headings.\r
+\r
+{{{\r
+#pragma section-numbers off\r
+}}}\r
+\r
+This should be used:\r
+\r
+ * If the page is the main page, or exactly one degree away from it, then you should include the following text at the very top of the page.\r
+\r
+ * On multi-page guides, such as DomTool.\r
+\r
+ * On other pages at the discretion of those who keep the wiki up-to-date.\r
+\r
+= Level of headings =\r
+\r
+If section numbers are turned off, then start with first-level headings.\r
+\r
+If section numbers are left on, then start with second-level headings. The reason for this is that the numbers in front of first-level headings look ugly and distract from the content of the page.\r
+ Why not hack on the style instead? --AdamChlipala\r
+ Because the size of the normal unnumbered headings look about right. Perhaps we should just turn section numbering off globally. I could do that easily. --MichaelOlson\r
+\r
+= Depth of headings =\r
+\r
+For the MemberManual, there should be no more than two levels of headings, so that the distinction beween different levels may be clearly seen.\r
+\r
+= Writing commands =\r
+\r
+If you are writing a command, then put it on a separate line, so that it stands out and is easy to copy and paste.\r
+\r
+Bad: {{{my-command foo bar}}}.\r
+\r
+Good:\r
+\r
+{{{\r
+my-command foo bar\r
+}}}\r
+\r
+= Point of view =\r
+\r
+It would be best to use "you" (second-person) when writing the MemberManual.\r
+\r
+For other pages, it probably doesn't matter.\r
--- /dev/null
+= Details about the next HCoop Architecture =\r
+\r
+This page will serve as the blueprint for the architecture that HCoop is constructing right now, to be colocated at Peer 1.\r
+\r
+[[TableOfContents(2)]]\r
+\r
+== Network Overview ==\r
+\r
+The architecture for the next hcoop.net network involves three physical servers:\r
+\r
+ * A back-end server, which will serve IMAP, MySQL, PostgreSQL, primary mail, and AFS.\r
+ * A public shell server for development and deployment of files to web server.\r
+ * A public web server, also used for daemon processes written by our users. This will eventually be one node of a web cluster.\r
+\r
+== High-Level Architecture Description ==\r
+\r
+The new HCoop architecture initially involves three servers; one for user shell logins, one for back-end services, and one for web service. Our goal is to build an architecture that serves us well based on our current needs, and can be expanded for increased capacity in the future with little effort.\r
+\r
+Based on this, we should have one shell server that users edit and develop their web sites from. This will allow users to modify files on one web server in the present, and a cluster as we grow.\r
+\r
+== Design Goals ==\r
+\r
+We should be able to plug new web servers into our architeture in the future in a manner that doesn't break our software systems. We may also want to think about doing the same thing with shell and file services.\r
+\r
+== Physical Network Layout ==\r
+\r
+This section describes the HCoop physical network layout.\r
+\r
+=== Physical Network Description ===\r
+\r
+Gigabit switch, divided into VLAN for server inter-connections. LAN out to Peer 1.\r
+\r
+=== Physical Network Diagram(s) ===\r
+\r
+XXX add diagram here.\r
+\r
+== Software/System Layout ==\r
+\r
+This deserves the separate page SoftwareArchitecturePlans.\r
+\r
+=== Software/System Description ===\r
+\r
+=== Software/System Diagram(s) ===\r
+\r
+== Related Pages ==\r
+\r
+ColocationPlans is the main page for items related to the new architecture. ColocationPlansServiceProviders provides information about the service providers we are currently looking at.\r
--- /dev/null
+At a few places, it is necessary for '''HCOOP members''' to authenticate to HCOOP -\r
+either to gain initial access or use additional authenticated services.\r
+\r
+= Authentication barriers =\r
+\r
+|| '''Instance''' || '''Controlling subsystem''' || '''HCOOP interface''' || '''Type of access''' || '''Full user control''' ||\r
+|| SSH || OpenSSH internals or PAM || `passwd`, `chfn`, `chage`, `chsh` || Remote, local || No ||\r
+|| FTP || PAM || `passwd` || Remote, local || No ||\r
+|| HCOOP Web portal || HTTP Digest Authentication || `webpasswd` || Remote, local || Yes ||\r
+|| Databases || Database-specific access tables || `dbtool` || Local || Yes ||\r
+|| Firewall || IPTables/Netfilter || `fwtool` || Remote, local || No ||\r
--- /dev/null
+Discuss the T-shirt proposal and design on this page. --NathanKennedy\r
+\r
+Wah wah wah, this page isn't linked from anywhere. --AdamChlipala\r
+\r
+I linked from the front page now.\r
+\r
+Some notes. You can see the COMAMNUVI website at http://fairtradezone.jhc-cdca.org/ I have one of their organic natural-color T-shirts, and it is quite well-made. I can't vouch for their screen-printing but from the photos and their client list they seem quite good at it. Also, they have T-shirts in other colors besides white and ecru, but for an additional cost, and I don't know how well the logo would show up on other colors unless we did it in all black. Speaking of which the design must be limited to three solid colors (I assume this includes black). --NathanKennedy\r
--- /dev/null
+\r
+\r
+http://www.tanveer.in\r
--- /dev/null
+Here is a list of all of the tasks we can think of related to keeping HCoop running, along with primary and secondary people responsible for each.\r
+\r
+Names with question marks after them indicate suggestions by someone other than the person named, yet to be confirmed.\r
+\r
+|| '''Task''' || '''Primary''' || '''Secondary''' || ''' Systems ''' ||\r
+||<colspan=4>'''''Social''''' ||\r
+|| Announcements || MichaelOlson || AdamChlipala || - ||\r
+|| Billing and payment || AdamChlipala || NathanKennedy? || - ||\r
+|| Legal stuff || NathanKennedy || ? || - ||\r
+|| Meeting organization || AdamChlipala || NathanKennedy? || - ||\r
+|| Meeting records || NathanKennedy || ? || - ||\r
+||<colspan=4>'''''Standard Daemons''''' ||\r
+|| AFS || AdamMegacz || DavorOcelic || All ||\r
+|| Apache || MichaelOlson || ? || Deleuze, Mire ||\r
+|| BIND || DavorOcelic || JustinLeitgeb || Deleuze ||\r
+|| Courier IMAP/POP || MichaelOlson || AdamMegacz || Deleuze ||\r
+|| Cron || MichaelOlson || DavorOcelic || All ||\r
+|| General Debian issues || MichaelOlson || DavorOcelic || All ||\r
+|| Dell monitoring tools || ? || NathanKennedy || Deleuze ||\r
+|| Exim || MichaelOlson || DavorOcelic || Deleuze ||\r
+|| Firewall || DavorOcelic || ? || All ||\r
+|| FTPd || DavorOcelic || MichaelOlson || ? ||\r
+|| Kerberos || DavorOcelic || AdamMegacz || All ||\r
+|| Jabber || ClintonEbadi? || BrianTempleton || ? ||\r
+|| LDAP || DavorOcelic || MichaelOlson || Deleuze ||\r
+|| Mailman || NathanKennedy || MichaelOlson || Deleuze ||\r
+|| Moin``Moin || MichaelOlson || ? || ? ||\r
+|| MySQL || DavorOcelic || MichaelOlson || Deleuze ||\r
+|| PHP || MichaelOlson || ? || Deleuze, Mire ||\r
+|| PostgreSQL || DavorOcelic || MichaelOlson || Deleuze ||\r
+|| RAID stuff || ? || AdamMegacz || All ||\r
+|| Squirrel``Mail || MichaelOlson || ? || Deleuze ||\r
+|| Webalizer || DavorOcelic || ? || Mire ||\r
+||<colspan=4>'''''Custom Software''''' ||\r
+|| System kernels || NathanKennedy || DavorOcelic || All ||\r
+|| DomtoolTwo || AdamChlipala || ? || Deleuze, Mire ||\r
+|| Resource usage watchdog || DavorOcelic || ? || Mire ||\r
+|| Portal || AdamChlipala || ? || Deleuze ||\r
+||<colspan=4>'''''Routine Request Processing''''' ||\r
+|| Cron privileges || DavorOcelic || ? || - ||\r
+|| Debian packages || DavorOcelic || ? || - ||\r
+|| Domain privileges || DavorOcelic || ? || - ||\r
+|| Trusted-path execute permissions || DavorOcelic || ? || (Not used anymore) ||\r
+|| Firewall rules || DavorOcelic || ? || - ||\r
+|| FTP privileges || DavorOcelic || ? || - ||\r
+|| New mailing lists || DavorOcelic || ? || - ||\r
+|| Socket permissions || DavorOcelic || ? || (Not used anymore) ||\r
+||<colspan=4>'''''Other Technical Stuff''''' ||\r
+|| Adding approved new members || ? || ? || - ||\r
+|| Filesystem monitoring || DavorOcelic || ? || - ||\r
+|| In-person maintenance and installation || NathanKennedy || ? || - ||\r
+|| Mailing list moderation || ? || ? || - ||\r
+|| Security issues || DavorOcelic || ? || - ||\r
--- /dev/null
+HCoop's web sites have a very drab appearance at the moment. We need to come up with a visual appearance that will attract potential members.\r
+\r
+= Web site scheme =\r
+\r
+We need an attractive unifying design scheme for our web sites, including hcoop.net, wiki.hcoop.net, and members.hcoop.net.\r
+\r
+ * Here is a [http://borat.gotdns.org/hcoop.php basic site] with CSS dropdown navigation. I chose a lot of the parameters arbitrarily, such as menu items, colors, and sizes. I need to add a javascript doodad to cope with IE's broken CSS implementation. Please view with a Gecko / KHTML browser to get the dropdown effects until then. The logo (header) area I swept out was 100x770px. -- RickHull\r
+ * I don't think the "dropdown navigation" adds anything over always having all links displayed. The overall layout with the boxes at the top and then normal texty layout below looks uglier than plain boring text, to me. Also, the color scheme drives me out of my mind. --AdamChlipala\r
+ * You can turn the page style off in your browser in order to view the full menu. The dropdown effect serves only to obscure out-of-context submenu choices -- RickHull\r
+ * I guess everone has their own taste. I actually like that look better than that of our new wiki, which I find rather ugly (although I guess I could bother to change my theme). --NathanKennedy\r
+ * I changed the color scheme since Adam's comment -- RickHull\r
+ * By the way, I think the dropdown is borked in IE6. --NathanKennedy\r
+ * yup, it'll be fixed soon -- RickHull\r
+ * Partially b0rked under Konqueror. Needs a little adjustment on the font size. The design is not bad but, like Adam, I think it doesn't add anything to the current page. In fact, I think a few drop of color over added to the current front page would be enough. -- FrancoisDenisGonthier\r
+\r
+ * Here is [http://bagheera.id.au/hcoop something I whipped together,] after a request on IRC (I'm not part of the co-op.) It's a quick-ish design and I'm open to changes. --Synapse (hcoop at bagheera dot id dot au)\r
+ Nice work! --NathanKennedy\r
+ * An attempt from AdamChlipala. I am far from being an HTML/CSS expert, and I don't particularly want to become one, so treat these as mock-ups that happen to display in browsers. I'm sure I've done all sorts of bad CSS things, and I'm hoping that others who are more knowledgeable would correct them if we chose to use these.\r
+ * http://www.schizomaniac.net/hcoop/\r
+ * http://www.schizomaniac.net/hcoop/portal.html\r
+\r
+ Not bad at all. The front page is still rather busy/disorganized. There should be quick navigation links directly to the wiki, the portal, the signup form, and the board page right at the top and bottom, or top and side, or side and bottom, or anywhere that makes it clear. The logo needs to be transparent or something though, the white box is ugly. Still this is already an improvement over the current page I think. --NathanKennedy\r
+\r
+ The blue links/text on those bright green boxes are quite hard to see on my laptop. The green is way too bright, IMHO. I recall reading somewhere that good web pages need at most one page down/up to view. The front page needs two up/downs on my standard setting. Maybe make it into two pages? Also, Nathan is right: the logo needs to be within the white area/black border or something similar. Too much wasted white space at top and/or sides. But I'm not that great of a designer either. --JohnHallgren \r
+\r
+ Update: I looked at two of Anil's options using FireFox/Opera. What a big difference from IE! --J.Hallgren\r
+\r
+ I think it would look better if the bullets were indented, say 0.25in. --DavidBettis\r
+\r
+ It's not clear to me that the front page should be compacted. I think of it as a document that new visitors sit down to read. The portal is the place where members go to find convenient navigation to assorted features; I view it as a feature that potential members might be turned off by the need to read multiple pages of text to get to the good stuff, since we don't want such people joining anyway! ;) Also, the logo is transparent for me. I suspect that NathanKennedy's browser doesn't support transparent PNGs. Finally, w.r.t. the concrete suggestions about colors and spacing, wouldn't it be great if someone else implemented those and posted the results here? :) --AdamChlipala\r
+\r
+ Those two pages seem extremely tacky in appearance to me. The Green and Red in the logo appear to be 'too much' and the side bar doesn't seem right in green. - JeffreyDrake\r
+\r
+ Minor mods on the portal page are here: [http://hcoop.net/~anil/test/portalblue2.html Blue theme], [http://hcoop.net/~anil/test/portal.html Tan (original)]. I've seen them only on Firefox. Changed the side bar colors, added page-top links. -- AnilNarayanan\r
+\r
+ The color of samples by Anil are reversed, but either looks much better on laptop LCD than that green. I prefer the blue -- John Hallgren\r
+\r
+ Bringing down the differences betweeen IE and Firefox rendering to saner levels for blue theme [http://hcoop.net/~anil/test/portalblue.html here]. -- AnilNarayanan\r
+\r
+ The "test-bed" with selectable themes (already mentioned on the hcoop-disscuss list) is [http://hcoop.net/~anil/test/portalm.html here]. The CSS files (if any body wants them) used by the script are [http://hcoop.net/~anil/test/css/ here]. -- AnilNarayanan\r
+\r
+= Logo =\r
+\r
+We need one or more distinctive HCoop logos that we can use in suitable places.\r
+\r
+See LogoDiscussion for some potential logos.\r
--- /dev/null
+##master-page:Unknown-Page\r
+##master-date:2007-04-24\r
+##acl MoinPagesEditorGroup:read,write,delete,revert All:read\r
+#format wiki\r
+#language en\r
+\r
+The following are some Tips that might make your life easier.\r
+\r
+== Automatic Reboot Notifications ==\r
+For some users it may be useful to have an automatic way of knowing when the HCoop server(s) is rebooted. For example, if there was unscheduled downtime and an user does not have an automatic script in place (either from lack of desire or simple impracticality) to restart personal daemons, it would be useful for that user to know when to restart the appropriate daemons.\r
+\r
+This can be accomplished on a per user basis by utilizing a crontab file and a single command.\r
+\r
+=== Editing the Crontab ===\r
+\r
+After requesting authorization for crontab, an user can run: \r
+\r
+{{{\r
+crontab -e\r
+}}} \r
+\r
+to edit his personal crontab. Crontab will use the default editor or the editor in VISUAL or EDITOR to edit the users crontab file. Something similar to the following should then be appended to the end of the file:\r
+\r
+{{{\r
+@reboot cat ~/.reboot_notice | mail -s "[Reboot Message Subject]" <username>\r
+}}}\r
+\r
+Where <username> is the name of the user and [Reboot Message Subject] is replaced by the desired Subject of the message.\r
+\r
+The user should then edit ~/.reboot_notice to contain the desired body of the message that will be sent.\r
+\r
+== Changing login shell on mire ==\r
+\r
+'''chsh''' will not work on mire.\r
+\r
+Instead create a symbolic link in your home directory called '''.loginshell''', pointing to your desired login shell, like for example so:\r
+\r
+{{{\r
+ln -s /bin/zsh ~/.loginshell\r
+}}}\r
--- /dev/null
+#format wiki\r
+#language en\r
+\r
+Tripwire is a tool that keeps a database of information about files on the server. It performs regular checks and reports about files that have been changed, deleted, created, or renamed.\r
+\r
+== Automatic Check ==\r
+Cron runs `/etc/cron.daily/tripwire` once a day. This invokes tripwire as `/usr/sbin/tripwire --check --quiet`. The meaning of the parameters:\r
+ * `--check` causes the program to compare the current files in the system with the recorded attributes in the database, save a signed binary report file, and print a text report to stdout (which is mailed by cron)\r
+ * `--quiet` tells it not to print a lot of stuff while it is working\r
+\r
+== Configuration Files `/etc/tripwire` ==\r
+ * `fyodor.hcoop.net-local.key` is a cryptographic key used to sign the database and reports\r
+ * `site.key` is a cryptographic key used to sign the configuration and policy files\r
+ * `tw.cfg` is a signed binary file that holds configuration information\r
+ * `twcfg.txt` is the text source of tw.cfg\r
+ * `tw.pol` is a signed binary file that holds the logging and reporting policy information\r
+ * `twpol.txt` is the text source of tw.pol\r
+\r
+== Data Files `/var/lib/tripwire` ==\r
+ * `fyodor.hcoop.net.twd` is the signed tripwire database, storing information about every monitored file\r
+ * `reports/` holds the signed binary reports\r
+\r
+== Updating the Database ==\r
+The check operation creates a signed binary report file every time it runs. This report is like a "diff" of the database and the current file system. The database is updated by "patching" it with the report. Here is the procedure:\r
+\r
+ 1. The command is `tripwire --update`\r
+ 1. If it complains that the file could not be opened then you must specify the report file with the `-r` option. Choose the file with the most recent timestamp. The timestamp is included in the filename so use tab-completion. Example: `tripwire --update -r /var/lib/tripwire/report/fyodor.hcoop.net-20051023-065438.twr`\r
+ 1. This will open a selection file in the `pico` editor. Look through the file and clear the `[x]` for any line that should not be saved to the database. The process is essentially certifying that each filesystem change is valid and proper.\r
+ 1. Save the file with ^O (Control-Oh)\r
+ 1. Quit with ^X (Control-x)\r
+ 1. Now you will be prompted for the local passphrase.\r
+\r
+== Changing the Policy ==\r
+ 1. First follow the instructions to Update the Database\r
+ 1. change to `/etc/tripwire`\r
+ 1. edit the policy in `twpol.txt`\r
+ 1. create the signed binary tw.pol file with `tripwire --update-policy --secure-mode low twpol.txt`\r
+ 1. you will be prompted for the site and local passphrases\r
+\r
+== Updating the Configuration ==\r
+ 1. change to `/etc/tripwire`\r
+ 1. edit the configuration in `twcfg.txt`\r
+ 1. run `twadmin --create-cfgfile -S site.key -c tw.cfg twcfg.txt` to create the signed binary tw.cfg file\r
+ 1. you will be prompted for the site passphrase\r
+\r
+== Passphrases ==\r
+MichaelLeonhard generated the passphrases. To obtain them, save your public key to /root/$(USER).pubkey. Then send Michael an email about it. He will encrypt the passphrases and email them to you. The security of Tripwire depends on these passphrases. DO NOT store your private key or decrypt the passphrases on Fyodor. Here is the procedure:\r
+ 1. Download the latest version of [http://www.gnupg.org/ GnuPG] to your personal computer\r
+ 1. Check the signature of the downloaded file\r
+ 1. Install GnuPG onto your personal computer\r
+ 1. On your personal computer, create a public/private key pair with `gpg --gen-key`, use a good passphrase\r
+ 1. Export an ASCII version of your public key with `gpg --export -a >> public.key`\r
+ 1. Copy your public key to your home directory on Fyodor with `scp public.key username@fyodor.hcoop.net:`\r
+ 1. SSH into Fyodor and demonstrate your administrative priveleges by copying the public key to a secure location, `cp ~/public.key /root/username.pubkey` (where username is your username)\r
+ 1. Email MichaelLeonhard (username leonhard) to request a copy of the passphrases\r
+ 1. Decrypt the passphrase:\r
+ * Read Michael's email on your personal computer, copy the PGP MESSAGE section to the clipboard\r
+ * Open a terminal (or cmd prompt) on your personal computer and run `gpg` on your personal computer\r
+ * Paste the GPG message block into the terminal\r
+ * Type your secret passphrase, hit enter, then type ^Z (CTRL-Z)\r
+ * Write down the passphrases that are printed out\r
+ * Close the terminal\r
+\r
+Please note how "your personal computer" appears throughout these instructions. Your private key and the decrypted passphrases should only exist on your personal computer. Thanks for caring about security.\r
+\r
+--MichaelLeonhard\r
+\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+= AFS on Debian/Ubuntu =\r
+\r
+The instructions on http://research.cs.berkeley.edu/doc/afs/debian.html page, linked elsewhere in the wiki, were enough to get me started. I use a non-stock kernel in Ubuntu Feisty, and had no problem building and loading the OpenAFS modules. Even with that, I've stumbled on 2 problems.\r
+\r
+== ReiserFS ==\r
+\r
+First, if you are using ReiserFS, the AFS daemon will simply refuse to work because it cannot use that filesystem for its cache. If the daemon doesn't run, you'll get a puzzling error message that might make you think you have a firewall problem. I lost some time over that. I discovered it wasn't the case by Googling a bit.\r
+\r
+To get the daemon to work, I had to edit the `/etc/openafs/afs.conf` to make it use the memory cache. It is said to be less stable than the hard disk cache. I have not had obvious problems with it yet. The README.Debian file also suggests creating a loopback ext2 filesystem for the cache. If I ever need to use this technique, I'll try to remember to document it here.\r
+\r
+== Konqueror ==\r
+\r
+Konqueror simply hung up when I tried to browse /afs with the default CellServerDB. I suspect it is because it is trying to access AFS volumes it doesn't have access to or that are not accessible, and hangs indefinitely. There is a lot of cells pre-configured in the Debian package, and probably some of them are not valid or not accessible. Once I erased the content of /etc/openafs/CellServerDB but left just the hcoop.net entry, I managed to browse /afs with Konqueror\r
--- /dev/null
+[[TableOfContents(2)]]\r
+== Unix ==\r
+=== Step 1: turn off your firewall ===\r
+\r
+Make sure any and all firewalls are disabled.\r
+\r
+Make sure you can send UDP packets to HCOOP by typing\r
+\r
+{{{\r
+traceroute deleuze.hcoop.net\r
+}}}\r
+\r
+The last line should say "deleuze.hcoop.net" and have NO ASTERISKS. If this is not the case, fix your firewall or your network.\r
+\r
+=== Step 2: check your krb5.conf ===\r
+\r
+Examine your `/etc/krb5.conf` (or, on MacOS, your `/Library/Preferences/edu.mit.Kerberos` file).\r
+\r
+Make sure that `dns_lookup_kdc` or `dns_lookup_realm` options are NOT DISABLED. They should be on-by-default, but just in case your linux distribution packager decided to be retarded and changed that, try adding\r
+\r
+{{{\r
+[libdefaults]\r
+ dns_lookup_kdc = true\r
+ dns_lookup_realm = true\r
+}}}\r
+\r
+=== Step 3: make sure your DNS is working ===\r
+\r
+Install the `dig` program and type\r
+\r
+{{{\r
+dig -t SRV _kerberos._udp.hcoop.net\r
+}}}\r
+\r
+You should see `kerberos1.hcoop.net` in the output.\r
+\r
+If you don't see this record, one or more of the DNS servers that you're querying is probably blocking SRV requests. Figure out which name servers you're using by reading the file /etc/resolv.conf ({{{cat /etc/resolv.conf}}}) on your linux host. Query these particular name servers for the record in order to see where modifications might be necessary. You can do this by adding {{{@nameserver.example.com}}} to the end of the command, e.g. {{{dig -t SRV _kerberos._udp.hcoop.net @nameserver.example.com}}}.\r
+\r
+You will likely find that one or more name servers you are using does not return a SRV record. If the offending name server is one that you administer, there may be an easy fix. Djbdns (used by OpenWrt and lots of other distros) need to have the line {{{filterwin2k}}} commented out or removed in order for them to pass SRV records through (see page https://dev.openwrt.org/ticket/557 for more info). Restart the device or name resolution process on the offending device for the changes to take effect. If the offending name servers that refuse to pass SRV records through aren't your own, you may have to contact the ISP that runs them, or switch to other names servers that are properly configured.\r
+\r
+=== Step 4: post to hcoop-discuss ===\r
+\r
+Make sure to include:\r
+\r
+ 1. Your entire krb5.conf\r
+ 2. The output of all the commands in steps 1 and 3.\r
+\r
+\r
+=== Client side firewall Setting ===\r
+\r
+If you are using a firewall you might want to open it for UDP packets to and from deleuze.hcoop.net:88. Lines\r
+for [http://www.netfilter.org/ iptables] saved rules ''might'' look like the following: \r
+\r
+{{{\r
+ [0:0] -A INPUT -s 69.90.123.67 -p udp -m udp --sport 88 --dport 1024:65535 -j ACCEPT\r
+}}}\r
+\r
+{{{\r
+ [0:0] -A OUTPUT -d 69.90.123.67 -p udp -m udp --dport 88 --sport 1024:65535 -j ACCEPT\r
+}}}\r
+\r
+Put them before any rules that conflicts them (and before 'COMMIT' line in the saved rules file).\r
+\r
+== Windows ==\r
+\r
+Wave a dead chicken over your keyboard and pray.\r
--- /dev/null
+We have two standard Debian GNU scripts to perform user management.\r
+\r
+== adduser ==\r
+First, adduser, does the usual job, and executes /usr/local/sbin/adduser.local. \r
+There we log new account creation to our special log file, and set up \r
+group quotas. We can't set up quotas by defining the appropriate variable\r
+in /etc/adduser.conf because that works for user quotas only, and not\r
+group quotas. What a shame.\r
+\r
+== deluser ==\r
+The tool to delete users is deluser. What's wrong with deluser is that it\r
+can remove user's files at deletion time, and it can also back them up\r
+before that. You can specify backup directory, but it goes tar-gzipping\r
+the files, which can take a long time. I need to hack the source to allow\r
+files to just be moved to the backup directory. This way, if you keep \r
+backup dir on the same partition as /home, moving user's files is\r
+instant and doesn't grow linearly with user directory size.\r
+----\r
+CategorySystemAdministration\r
--- /dev/null
+= Hosting Basics =\r
+Things you put in a `public_html` subdirectory of your home directory are accessible via `http://hcoop.net/~you/`, and in general `~you` on any hostname that has the same front page as http://hcoop.net/.\r
+\r
+If you want to host a domain with standard services like HTTP and e-mail, see DomainRegistration and DomainTool. If you want to host a miscellaneous daemon, then request a firewall rule for it by submitting the appropriate support ticket from the \r
+[https://members.hcoop.net/portal/sec Portal Security page].\r
--- /dev/null
+## page was renamed from UseDatabases\r
+Previously, database creation needed admin intervention. We now wrote 'dbtool', however, to leave database management to the users themselves. This is possible because database files, kept in /home/<dbtype> (such as /home/mysql/), have proper filesystem permissions. They are set-gid to the users' primary group, so the sizes of users' databases enter their filesystem quota calculation.\r
+\r
+= MySQL =\r
+== Database creation ==\r
+The databases you select for creation will be prefixed with your username, to avoid any name clashes. In other words, if you ask for a database 'gis', the actual database created will be '<username>_gis'.\r
+\r
+When the database is created, all privileges on it are granted to the user owning them, except the privilege to grant permissions to other users.\r
+\r
+Let's see an invocation of dbtool:\r
+\r
+''' dbtool create <dbtype> <password> <database ...> '''\r
+\r
+Here's an example:\r
+\r
+''' dbtool create mysql myPass12.4 gis '''\r
+\r
+At this point, MySQL database '<username>_gis' has been created, and <username>@'''localhost''' is given permission to connect to it using password 'myPass12.4'. An important thing to remember here is that there is, by default, one password for all databases! If you create two MySQL databases, pick the same password for them or the second one will overwrite the first database password.\r
+\r
+== Load database ==\r
+To load a database, use:\r
+'''mysql -p <username>_gis < gis.sql'''\r
+== Connecting to the database ==\r
+You can always connect to the databases using appropriate command line tools:\r
+\r
+''' mysql -p <dbname> '''\r
+\r
+Upon typing in the password, mysql client tool will start up and connect to <dbname>. You can, however, create ~/.my.cnf to automate the "login":\r
+\r
+{{{\r
+[mysql]\r
+user = <username>\r
+password = myPass12.4 }}}\r
+Just make sure the file is mode 0600: '''chmod 0600 ~/.my.cnf''', and omit ''-p'' from further {{{mysql}}} invocations.\r
+\r
+== Database removal ==\r
+You can remove your own databases by invoking appropriate databases' command line tools. Here's a MySQL example:\r
+\r
+''' mysql -e 'drop database <username>_gis' '''\r
+\r
+Keep in mind that database permissions are not removed. In other words, once you drop the database, you can re-create it without invoking dbtool:\r
+\r
+''' mysql -e 'create database <username>_gis' '''\r
+\r
+= PostgreSQL =\r
+You can create Postgres databases in a similar way. The main difference is that you never provide a password to {{{dbtool}}}. While MySQL doesn't provide any reasonable non-password-based authentication option, PostgreSQL has the nice ident scheme, where processes authenticate to databases based on their owning UNIX user. Since this avoids adding an extra opportunity for password-guessing, we only allow Postgres authentication via this method.\r
+\r
+The following command line would create database {{{<username>_test}}}:\r
+\r
+''' dbtool create postgres test '''\r
+\r
+Then you could connect to your database:\r
+\r
+''' psql <username>_test '''\r
--- /dev/null
+= Incoming mail =\r
+You have 2 basic options for handling e-mail to {{{you@hcoop.net}}}, {{{you@hcoop.org}}}, etc..\r
+\r
+ * You can set a {{{.public/.forward}}} file in your home directory (a file consisting of just the e-mail address to which mail should be forwarded) to have it sent somewhere else. If you want to do anything more complicated than this, the page at http://www.doc.ic.ac.uk/csg/faqs/email/filter/eximforward.html is a good reference. Or you can use a {{{.procmail.d/procmailrc}}} file, if you're used to procmail filtering.\r
+ * You can store it locally and retrieve it via IMAP/POP3 from {{{mail.hcoop.net}}} over SSL (see below). Using IMAP lets you have a permanent place to categorize and file your old mail and access it from anywhere.\r
+= SpamAssassin =\r
+You probably want to set up Spam{{{}}}Assassin to avoid dealing with junk e-mail. [http://spamassassin.org/ SpamAssassin] is a program for categorizing e-mail as spam based on a wide range of criteria. It indicates its decisions by adding special headers to messages.\r
+\r
+To enable Spam{{{}}}Assassin for mail to your UNIX account, run {{{setsa on}}}. To later disable it, run {{{setsa off}}}. To check whether you've enabled it or not, run {{{setsa}}}. You can similarly enable or disable Spam{{{}}}Assassin for a virtual mailbox address by adding it as the first argument to {{{setsa}}}; for example, {{{setsa user@domain.com on}}} enables Spam{{{}}}Assassin for {{{user@domain.com}}} if you have DomainTool permissions for {{{domain.com}}}.\r
+\r
+The above procedure only asks Spam{{{}}}Assassin to examine your mail and add extra headers indicating its verdict, spam or legit. To use these headers to move junk mail to a folder called Spam in your IMAP mailbox, copy the template {{{/etc/.forward}}} to {{{~/.public/.forward}}}. This is an Exim filter that looks for Spam{{{}}}Assassin headers that indicate spamhood. You need to create a Spam folder manually to use this. You can modify this template to save spam to other places, if you don't use IMAP or prefer another scheme. (If you already have a {{{~/.public/.forward}}} file because you forward all of your mail to another account elsewhere, then you can ignore this section. You should use that e-mail provider's spam filtering services.)\r
+\r
+Spam{{{}}}Assassin flags spam with a spamminess level of 5.0 or higher. You can use the X-Spam-Level: header to customize your own filter to your own liking, however. As an example, you can see NathanKennedy's .forward file at SpamAssassinFilter.\r
+\r
+== Training ==\r
+One way that Spam{{{}}}Assassin spots spam is by using statistical (Bayesian) analysis. This requires lots of training data to work properly.\r
+\r
+Sometimes this analysis will make mistakes, and you'll want to perform the electronic equivalent of slapping it with a newspaper. The way to do that is to deposit misclassified mail in special system-wide IMAP folders, one called {{{SiteSpam}}} for spam that Spam{{{}}}Assassin missed and one called {{{SiteHam}}} for good messages that were erroneously marked as spam.\r
+\r
+If you ever run into this situation, here's how you can feed our system-wide trainer:\r
+\r
+ 1. First, this is only going to work if you are using IMAP. If you're not, or if you have other sources of spam or ham that you'd like handled specially, place a support request on [https://members.hcoop.net/portal/ the portal].\r
+ 1. Use your IMAP client's "subscribe" feature to subscribe to {{{SiteSpam}}} and/or {{{SiteHam}}}, which should appear in the {{{SpamAssassin}}} mailbox inside the {{{shared}}} tree.\r
+ 1. When you want a message to be used as an example of spam or ham, place a copy of it in the appropriate folder.\r
+ 1. Every five minutes, our faithful spamhound will sniff these folders, update its data, and clear their contents.\r
+If you would like to automate this process somewhat, check out FeedingSpamAssassin. For the curious and the sysadmins out there, SpamAssassinAdmin gives more details on how we set this up.\r
+\r
+= Customized filters =\r
+If you are interested in making customized rules to filter your incoming email into different IMAP folders, you might want to make a {{{.procmail.d/procmailrc}}} file. {{{.procmail.d/procmailrc}}} files are meant to be used instead of {{{.public/.forward}}} files and can handle the same sorts of things. Some people (like MichaelOlson) like the format of the {{{.procmail.d/procmailrc}}} files better than that of {{{.public/.forward}}}. A sample {{{.procmail.d/procmailrc}}} file with comments may be found on ProcmailExample.\r
+\r
+= Reading your mail =\r
+The mail server is {{{mail.hcoop.net}}} or any other hostname that points to our server. As far as actual filesystem storage, your user account's mail is stored in {{{~/Maildir}}} in Maildir format. E-mail clients that read files directly may not support this or require configuration tweaking to support it. We recommend using clients that go over IMAP or POP3.\r
+\r
+Non-SSL POP3 and IMAP '''have been disabled''', except for local connections, because they make it easy for people to sniff your password as it is sent in cleartext each time you connect to the server. These means you will probably need to fiddle with the configuration of your mail client as necessary to make it use SSL (Secure Socket Layer), and you will experience possibly mysterious and misleading errors without doing this. SSL POP3 is running on port 995. SSL IMAP is running on port 993.\r
+\r
+You can also access your mail through the [http://mail.hcoop.net/ web mail interface].\r
+\r
+== MacOS X ==\r
+When using webmail, MacOS X always warns you about the root certificate not found. Mail.app does this as well. The solution for this problem is to do the following:\r
+\r
+openssl s_client -showcerts -connect mail.hcoop.net:443\r
+\r
+In that output look for "BEGIN CERTIFICATE" and "END CERTIFICATE". Between those lines there is the certificate. Copy that to a pem file. Then do:\r
+\r
+certtool i hcoopmail.pem k=/System/Library/Keychains/X509Anchors v\r
+\r
+It will import this into the X509Anchors keychain, the 'v' is for verbose. It should also say it imported successfully. Now Safari should not warn you about this.\r
+\r
+MacOS X Mail seems to ignore this solution. I do not know why yet.\r
+\r
+== Symbian ==\r
+\r
+Hcoop email can be easily configured on your symbian mobile. This example is N91 specific, but other Symbian 9.1 phones should be very similar. IMAP4 configuration will be good if you like your mails to remain on the server.\r
+\r
+Go to Menu | Messaging. From there choose Options | Settings | E-mail. From there choose Mailboxes | Options | New mailbox and hit Start.\r
+\r
+Choose "IMAP4" for the mailbox type and hit Next.\r
+Enter your email address in "My email address" and hit Next.\r
+Enter "mail.hcoop.net" as your "Incoming mailserv." and hit Next.\r
+Enter "mail.hcoop.net" as your "Outgoing mailserv." and hit Next.\r
+Choose an access point that you will mostly use.\r
+Give your mailbox a name eg:user_mydomain and hit OK to create the mailbox.\r
+\r
+Your mailbox name will appear in the list of mailboxes.\r
+Go on and select the mailbox name | "Connection Settings" | "Incoming Email".\r
+Enter your username and password and change "Security(ports)" setting to "SSL/TLS" and change "Port" to "993".\r
+Go on to configure "Outgoing mail" using the same settings with "Port" as "465".\r
+\r
+Go back to Menu | Messaging and you will see your mailbox appear in the list. Open it and hit Options | Connect to read your mail\r
+\r
+== Easier Option in Latest Apple Cat Release ==\r
+In mail.app when it comes up about the certificate, drag this to a folder. Then drag this into keychain access into the system keychain, or open it with keychain access and specify system. YMMV\r
+\r
+''We're getting close to the number of members where it would be reasonable to buy a certificate from a recognized authority. That would remove the need to do things like this.'' -- AdamChlipala\r
+\r
+= Sending Mail =\r
+We use [http://www.exim.org/ exim] as our MTA (SMTP server).\r
+\r
+If you have a convincing reason for wanting to use our SMTP server to send messages to e-mail addresses for mailboxes that we don't host, then you can configure {{{mail.hcoop.net}}} as the outgoing SMTP server in your mail client. You must enable TLS SMTP auth, and you will need to authenticate with the same username and password that you use to get mail from POP3 or IMAP. Virtual mailbox names and passwords may be used here. '''The server will not query you for a username and password by default.''' Thus, you ''will'' get confusing error messages if you don't configure your client to attempt to authenticate with plaintext SMTP auth using TLS.\r
+\r
+The SMTP server requires a TLS aware mail client. MacOS X Mail, Outlook and Opera do not seem to support this at the moment. Mozilla supports TLS and runs on MacOS X, Windows and Linux.\r
+\r
+'''However, hardly anyone has a good reason to use our SMTP server in this way.''' If your computer never moves and your ISP provides an SMTP server (which most ISP's do), then you should definitely use that server instead of ours. SMTP servers are like public postal mailboxes in this way. There is rarely a reason to prefer one over another, so it generally makes sense to use the one physically closest to you.\r
+\r
+Note from NathanKennedy: It seems that some ISPs and possibly other networks discriminate against the SMTP protocol. Some block or filter in or outgoing SMTP altogether. If you need to send mail using HCOOP's mail server and experience long delays, this is likely due to your network. You can test out the mail server's responsiveness by doing "telnet localhost 25" on fyodor. If you immediately get a "220" banner, the server is working fine and you can type "QUIT".\r
+\r
+Note from AndreKuehne: A lot of ISPs SMTP servers today rewrite the sender address, so that it is not possible for example to send mail as user@hcoop.net via those ISPs. This is the reason why i send mail via hcoop. But it's not necessary to send all mail to mail.hcoop.net. Mozilla for example can use different SMTP servers, depending on the sender address. I am currently looking for/writing a wrapper for mutt.\r
+\r
+You can also set up a SSH tunnel to port 25 on mail.hcoop.net, if your MUA can't/won't use TLS.\r
+\r
+== Emacs Configuration ==\r
+\r
+To send mail through HCoop using Emacs's `smtpmail` you can use the following configuration. Put your authentication information into `~/.authinfo` which is in the netrc(5) format (make sure to supply `port 25` or else `smtpmail` won't read the entry), and ensure that it is readable only by your user.\r
+\r
+ {{{\r
+(setq message-send-mail-function 'smtpmail-send-it\r
+ smtpmail-default-smtp-server "mail.hcoop.net"\r
+ smtpmail-smtp-service 25\r
+ smtpmail-starttls-credentials '(("mail.hcoop.net" 25 nil nil))\r
+ smtpmail-debug-info t ; optional, but handy in case something goes wrong\r
+ smtpmail-auth-supported '(plain))\r
+}}}\r
+\r
+This will work for any mail client that uses `message-mode` for editing and sending mail (e.g. Gnus). \r
--- /dev/null
+To prevent users from monopolizing system resources with runaway processes, we impose ulimits in a way that will lead to your processes dying mysteriously if they try to exceed them. You can see what limits are being imposed in your current login by running the following command, with output shown:\r
+\r
+{{{you@new:~$ ulimit -aS\r
+core file size (blocks, -c) 0\r
+data seg size (kbytes, -d) unlimited\r
+file size (blocks, -f) unlimited\r
+max locked memory (kbytes, -l) unlimited\r
+max memory size (kbytes, -m) unlimited\r
+open files (-n) 1024\r
+pipe size (512 bytes, -p) 8\r
+stack size (kbytes, -s) unlimited\r
+cpu time (seconds, -t) unlimited\r
+max user processes (-u) 20\r
+virtual memory (kbytes, -v) 100000}}}\r
+\r
+These limits are known as '''soft limits'''. Similarly, you can see your '''hard limits''' by running `ulimit -aH`. Soft limits are the limits that actually apply to your processes at a given time. You have the option to increase your soft limits to any values no greater than your hard limits. For instance, if you really need to run 21 processes at once instead of just 20, you can do this, because your hard limit is probably 50. The proper command is:\r
+\r
+{{{ulimit -Su 21}}}\r
+\r
+The `-S` indicates that you are setting a soft limit, and `u` is the name of a resource limit kind, taken from the output above.\r
+\r
+You can even ''decrease'' your available resources, to put yourself in a self-imposed sandbox. For instance, you can lower your stack size hard limit to 1000 by running:\r
+\r
+{{{ulimit -Hs 1000}}}\r
+\r
+= How Draconian! Why do we have these limits?? =\r
+\r
+On our old server, we had multiple instances of users running benign yet out-of-control processes that ended up allocating all available memory. Shared daemons, like our web and mail servers, would then crash when trying to allocate memory, creating denial-of-service for everyone. The ssh daemon wasn't even able to work properly without available memory, so we sometimes needed to ask the techs at our hosting facility to reboot the server for us! It's always better safe than sorry when it comes to protecting users from breaking other users' services.\r
--- /dev/null
+To create a self-signed SSL cerificate in `file.crt` with key in `file.key`, you can run:\r
+\r
+{{{\r
+openssl req -x509 -newkey rsa:1024 -keyout file.key -out file.crt -days 9999 -nodes\r
+}}}\r
+\r
+If you are creating an SSL certificate to use for a web virtual host via domtool, then you should generate a single output file instead of separate `.crt` and `.key` files. For example:\r
+\r
+{{{\r
+openssl req -x509 -newkey rsa:1024 -keyout file.pem -out file.pem -days 9999 -nodes\r
+}}}\r
--- /dev/null
+Before continuing with this page, you probably want to read DomainTool to learn the basics of how we handle shared daemon configuration.\r
+\r
+Any file in a domain's directory whose name is a valid hostname (i.e., `www`, `myhost`, etc.) is taken to be configuration for an Apache 2 virtual host. These are separate web sites that Apache serves, differentiated based on the hostname contained in a request.\r
+\r
+In addition, a file named `name.ssl`, where `name` is a valid hostname, is taken to be an SSL virtual host.\r
+\r
+Don't forget that creating a virtual host file '''does not add a DNS mapping'''. Your new virtual host will not work unless you add the appropriate DnsConfiguration directive.\r
+\r
+'''A note on `.htaccess` files''': You'll probably find plenty of information on the web about configuring a shared Apache daemon using "`.htaccess` files." We ''don't'' allow this, because that facility really wasn't designed for our kind of environment; it makes it too easy to disrupt others' web sites. An example is the `RewriteRule` directive, which, combined with `mod_proxy`, allows you to send one of the Apache child processes into an infinite loop contacting itself. After enough hits to your web site, all child processes will be occupied talking to themselves, and so Apache will refuse to serve any pages. The `RewriteRule` directive below is checked to avoid this and other undesirable behaviors. Even for Apache directives that look safe, it's best to err on the side of caution and force everything to go through `domtool`, since they could change in upgrades, have subtle problems that we didn't realize, etc.. Giving each user a direct configuration input to a shared daemon just doesn't make security sense.\r
+\r
+= Configuration directives =\r
+\r
+The following configuration directives may appear on separate lines in such files.\r
+\r
+== Grouping other directives ==\r
+\r
+ * `Location url_prefix`: This is like the Apache 2 `Location` directive. You specify a prefix of URLs to which you want to apply special configuration. Everything from this directive to the next `/Location` directive will apply to that set of URLs only.\r
+ * `Directory path`: Like the above, but for real filesystem paths. You can only use this for paths that you have access to via a `.paths` file.\r
+\r
+== Server names ==\r
+\r
+ * `Default`: Where the configuration file is describing `host.domain`, this sets `domain` by itself as an alternate name for this vhost.\r
+ * `ServerAlias hostname`: Serve requests for full hostname `hostname` with this same vhost. There must exist an appropriate `host.aliased` file corresponding to `hostname`. For example, if `hostname` is `my.web.site`, the file `/etc/domains/site/web/my.aliased[` must exist.\r
+\r
+== Error messages ==\r
+\r
+ * `ErrorDocument code url`: This is the [http://httpd.apache.org/docs/2.0/mod/core.html#errordocument Apache ErrorDocument] directive verbatim.\r
+ * `ServerAdmin email`: Set the e-mail address of the vhost's admin to `email`. This will mainly be used in error pages to tell visitors to whom they should whine.\r
+\r
+== Static content ==\r
+\r
+ * `AddDefaultCharset something`: This is the [http://httpd.apache.org/docs/2.0/mod/core.html#adddefaultcharset Apache AddDefaultCharset] directive verbatim.\r
+ * `DocumentRoot dir`: Use `dir` as the base directory for site content.\r
+ * `HTML realdir`: Serve every file in `realdir` as HTML.\r
+\r
+== SSL ==\r
+\r
+Currently, domtool isn't set up to accommodate members' SSL vhosts that won't trigger warning dialogs in standard browsers, saying that the certificate's name doesn't match the vhost's hostname. This is because SSL is applied at the IP address level, and our main IP address is already being used for members.hcoop.net. We '''can''' request additional IP addresses, but we have to go through a bureaucratic process regulated by ICANN to do so, so no one has yet thought it sufficiently important to do so. You could be the first.\r
+\r
+ * `SSLCertificateFile path`: Indicate where to find the SSL certificate to use for this vhost, which must be an SSL vhost. The certificate probably has a file extension like `.pem` (see UsingSsl). In the style of `.paths`, `.certs` files are associated with domains to provide information on which domains may use which certificates. We can't just let you reference arbitrary files as certificates because Apache will refuse to load if any vhosts happen to reference invalid certificates, which is a security problem for everyone. Therefore, if you want to use SSL, [https://members.hcoop.net/portal/support submit a support request] asking for your certificate to be installed. We'll put it somewhere where you can't modify it and then add it to `.certs` for your domain.\r
+\r
+Anyone can use the members.hcoop.net certificate without special permission, since it is in `/etc/domains/.certs`.\r
+\r
+== Permissions ==\r
+\r
+ * `BasicAuth password_file description`: This must be used inside a `Location` or `Directory` block. It describes how to authenticate users who want to access that part of your web site. `password_file` designates a password file created with Apache's `htpasswd` program. `description` (which may contain spaces) gives a description to be displayed when asking visitors to authenticate.\r
+ * `Block pattern`: Disallow access to the site for anyone from a hostname or IP address matching the `pattern`. The possibilities for `pattern` are described in [http://httpd.apache.org/docs/howto/auth.html#allowdeny the Apache docs for Deny]. Mixing this with `AbuPrivate` may give zany results.\r
+ * `Group group`: Run dynamic page generators (CGI, PHP, etc.) with UNIX group `group`. Your domain probably has a `.groups` files that declares at least one group that you may use. If so, then the default group is the alphabetically first of these, and this is used if you omit the `Group` directive. Otherwise, the default is `nogroup`, which will effectively prevent you from doing anything interesting. This directive also sets things up so that members of `group` can read the logfiles for this virtual host in `/var/log/apache2`. (E.g., `/var/log/apache2/your.host/access.log` and `/var/log/apache2/your.host/error.log`.) If the actual log file permissions end up out-of-synch with the directives, run the `logperms` program. The upside or downside of this log ownership (depending on your point of view) is that your domains' log files are counted toward your disk quota.\r
+ * `HcoopPrivate`: This is a special combined version of `BasicAuth`/`Require valid-user` that uses our HCoop web passwords file. The passwords are set using the `webpasswd` command-line program. Deny access if a correct username and password are not provided. For security reasons, this directive isn't allowed on non-SSL hosts.\r
+ * `Require group groups`: Only allow access to visitors in the given `htpasswd` groups, specified as a space-separated list.\r
+ * `Require user users`: Only allow access to visitors authenticated as the given `htpasswd` users.\r
+ * `Require valid-user`: Only allow access to visitors who can authenticate as some user.\r
+ * `User user`: Run dynamic page generators as UNIX user `user`. The default is the alphabetically first user that you're authorized to run as, or `nobody` if no such user exists. `nobody` isn't allowed to run CGI, so you can't do much if you fall into the second category.\r
+ * `WebalizerUsers userlist`: Only allow users in space-separated `userlist` to view the Webalizer statistics for this vhost.\r
+ * `LimitRequestBody bytes`: [http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestbody The Apache directive] verbatim. Restricts the total size of the HTTP request body sent from the client, such as the size of POST data for a CGI script.\r
+\r
+For step-by-step instructions to password protect a part of your website, see WebsitePasswordExample.\r
+\r
+== Logging ==\r
+\r
+ * `RewriteLogLevel n`: This is the [http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewriteloglevel Apache 2 RewriteLogLevel directive]. By default, no rewrite logging is generated for vhosts. Including this directive turns on logging to `/var/log/apache2/<vhost>/rewrite.log`, at the specified level of verbosity.\r
+\r
+== Dynamic content ==\r
+\r
+ * `Action`: The Apache 2 [http://httpd.apache.org/docs/2.0/mod/mod_actions.html#action Action] directive verbatim.\r
+ * `CGI dir`: This sets filesystem directory `dir` as a location of CGI scripts, such that any web requests serviced from this directory will run the scripts instead of returning their source code. You don't need to use it if you use `ScriptAlias` for each script.\r
+ * `Mailman`: Designate this host as allowed for Mailman web requests. You probably only want to use this if you have a mailing list for which you want web links to go to your domain instead of `hcoop.net`.\r
+ * `Mason cgi`: Sets all requests for `.html` files to be serviced by the given Mason CGI script, given as an absolute filesystem path.\r
+ * `Mod lang path handler`: Sets up a special Apache language module to handle scripts in the given URI directory `path`. `handlers` specifies a handler in a language-specific format. When `lang` is `python`, it is a source file name (relative to `path` and minus file extension) that handles the requests. When `lang` is `perl`, it's a Perl module name. No other languages are supported yet. ''(Actually, both languages are currently disabled while we figure out how to make them run scripts as the owning users.)''\r
+ * `MoinMoin url cgi`: A handy shortcut for setting up a MoinMoin wiki like this one. The parameters are treated in the same way as for `ScriptAlias` below, except that `cgi` should be a `moin.cgi` somewhere. In addition to what `ScriptAlias` would do, this directive also sets up mappings for the MoinMoin static content. See MoinMoinConfiguration for more info.\r
+ * `PerlINC path`; `PerlVersion filename`: These are [http://search.cpan.org/dist/Apache-PerlVINC-0.02/ Apache::VINC] directives.\r
+ * `PerlSetVar name value`: The Apache mod_perl directive verbatim\r
+ * `SSI`: Enable server-side includes for the entire vhost.\r
+ * `ScriptAlias url cgi`: This declares that `url` (probably beginning with a slash) should be handled by running a script found at filesystem path `cgi`. In fact, this is accomplished by a simple replacement in the URL, so `url` and `cgi` can be directories. This won't work if you haven't used the `User` and `Group` directives to set as whom your script should run.\r
+\r
+== Special URL handling ==\r
+\r
+ * `Alias urldir realdir`: Serve requests for things in directory `urldir` out of `realdir`.\r
+ * `LocalProxy from to port`: This directive gives back some of the functionality of `RewriteRule` with the (disallowed) `P` flag. It calls another web server (probably one that you maintain yourself) running locally on `port` to handle certain requests. `from` is a regular expression pattern to match against requests in the style of `RewriteRule`. `to` is like the replacement for `RewriteRule`, except that it is not a full URL. Rather, when the rule is triggered, a proxy request is make to `localhost` on `port` for the path `/to` with variable replacements made. `port` may not be 80, since it's too easy to get accidental infinite loops that hang Apache for everyone this way.\r
+ * `LocalProxyPass from to port`: This is an alternate, simplified version of `LocalProxy` that you should use if you can. Instead of giving a pattern for `from`, instead give a URI prefix, like `/stuff/otherstuff/`. `to` should similarly be a URI prefix that applies on the local server that you want to receive proxy requests. In addition to what you'd expect with the equivalent `LocalProxy` directive, `LocalProxyPass` also includes rewriting URLs in HTTP headers generated by the proxy web server to avoid some errors that could result from its different point of view.\r
+ * `RewriteCond ...`: Passed directly to [http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond mod_rewrite].\r
+ * `RewriteRule ...`: These lines are passed verbatim to Apache's [http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewriterule mod_rewrite], with some restrictions. First, if you want to pass multiple flags, you must use the `[FLAG1,FLAG2]` format instead of the `[FLAG1] [FLAG2]` format that Apache itself accepts. Second, the `P` and `N` flags are not allowed, to remove possibilities for infinite loops due to nothing but mod_rewrite's actions.\r
+\r
+== mod_autoindex ==\r
+\r
+ * `AddDescription file description`: The [http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html#adddescription Apache directive] with slightly different syntax: you can only specify a single file pattern at a time, it comes before the description, and the description isn't in quotes.\r
+ * `IndexOptions options`: The [http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html#indexoptions Apache directive] verbatim, currently only allowing the `FoldersFirst` and `SuppressColumnSorting` options.\r
+ * `HeaderName name`: The [http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html#headername Apache directive] verbatim\r
+ * `ReadmeName name`: The [http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html#readmename Apache directive] verbatim\r
+ * `NoAutoindex`: Disable mod_autoindex for this directory/location.\r
+\r
+= Notes =\r
+\r
+You may sometimes find it helpful to consult `/etc/apache2/vhosts.conf` to see how your changes affect the concrete Apache configuration.\r
+\r
+The `Default` directive, by itself, causes Apache to respond identically to any requests for `host.domain/path` and `domain/path`. It's generally better for search engines and other spiders if you redirect all requests to `host.domain` to `domain` or vice versa. You can use `mod_rewrite` to do this:\r
+\r
+{{{\r
+Default\r
+\r
+# Flags used:\r
+# NC: match case-insensitively\r
+# L: last rule; do not apply any more rewrite rules\r
+# R=301: force an HTTP redirect with status code 301 (Moved Permanently)\r
+RewriteCond %{HTTP_HOST} ^www.example.org$ [NC]\r
+RewriteRule ^(.*) http://example.org$1 [NC,L,R=301]\r
+}}}\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+Coordinating an organization with a brick-and-mortar office is hard enough. When all of the staff are volunteers whose primary responsibilities are school or paid jobs, it gets a lot harder. Now scatter these volunteers across the world and have them communicate soley through the Internet, where it's easy to ignore e-mails while maintaining plausible deniability of blame. This is our current staffing situation, so it's important that we have some communication ground rules.\r
+\r
+[[TableOfContents]]\r
+\r
+= Who is affected? =\r
+\r
+Every member of the co-op has some response time obligation: we will feel free to let members' services stop working if they don't respond to e-mail after, say, a month, and we will feel free to kick members out of the co-op after the time period of non-payment specified in our HcoopBylaws, sending warnings only through e-mail.\r
+\r
+However, members who volunteer for particular roles take on additional, far greater communication responsibilities. One volunteer in a key role can derail our entire operation by not communicating effectively.\r
+\r
+= Response time caps =\r
+\r
+Every member in one of these roles needs to have a concrete response time cap listed on this page:\r
+\r
+ * Board member\r
+ * System administrator\r
+\r
+By default, a volunteer's cap is considered to be 48 hours. Volunteers may voluntarily lower their caps. Increasing your cap above 48 hours requires approval by a majority vote of the board of directors.\r
+\r
+Here are the current volunteers and their caps. The list starts out with 48 hours for everyone, and people come here and change their own caps as they like.\r
+\r
+ * AdamChlipala: 24 hours\r
+ * NathanKennedy: 48 hours\r
+ * I think that we should clearly delineate the difference between volunteering in an admin role and in a board capacity. I don't think we should require more than a 5-dayish response time to direct emails for board matters, with phone calls for true emergencies. For admin or other OPERATIONAL volunteer positions, a faster response is warranted, and 48 hours is reasonable.\r
+ * I would encourage CC-ing me on any urgent emails, and in an urgent situation my phone number is available on the portal--it won't kill you to call me--and short text messages can be emailed to my phone number @vtext.com.\r
+ * AdamMegacz: 48 hours\r
+ * DavorOcelic: 36 hours\r
+ * MichaelOlson: 48 hours\r
+\r
+= First Response rule =\r
+\r
+The basic function of your cap is to dictate how soon you must respond to messages that need a reply from you.\r
+\r
+== By when must you reply? ==\r
+\r
+These rules are intended to apply to a variety of Internet communications. Generally there's a pretty good folk idea of what's a message, what isn't, when a message is sent, and when a message is delivered. The general intent of the First Response rule is to say that you must respond to a message that needs a reply from you no later than the time that the message was '''sent''' plus your response cap.\r
+\r
+The Internet has all sorts of fun possibilities for unreliable or delayed message delivery. Using the time that the message was '''sent''' makes it easier for the sender to understand others' expectations, though. As a compromise, we interpret the response time window as starting at the message '''delivery''' time '''only if''' delivery occurs more than 30 minutes after sending. Messages will generally contain information on when they were sent, so that readers can determine which case of the rule applies.\r
+\r
+== What needs a reply from you? ==\r
+\r
+ * A bugzilla bug (see special policy below).\r
+ * Specialized support requests generated by the portal, in categories of requests for which you are the primary assignee on TaskDistribution.\r
+ * A non-list e-mail whose body says in natural language that it expects a reply from you. If the message is to you alone, then just asking a question should be considered to be expecting a reply. If the messages is to multiple recipients, your name must be used in asking a question, explicitly requesting a reply on some subject, etc.. Yes, this case means that you are required to read all HCoop-related, non-list e-mails all the way through, in a timely fashion.\r
+ * A mailing list post whose '''subject line''' includes your HCoop username. The convention to use to add reply requests to a normal subject is shown by these examples:\r
+ * `[adamc,megacz] How do you like being named Adam?` (starting a new thread)\r
+ * `Re: [HCoop-SysAdmin] [mwolson] The Olsonizer has evaporated!` (replying to an existing thread)\r
+ * When you reply to a member-tagged message that has already received the needed response from an indicated member, it's courteous to remove that member's username from the subject line.\r
+\r
+== Bugzilla Policy ==\r
+\r
+If an admin recieves an email about a new bug, and the bug:\r
+\r
+ 1. is still open\r
+ 2. [and] is assigned to the admin in question\r
+ 3. [and] does not depend on any open bugs\r
+ 4. [and] is of severity S1, S2, or S3\r
+\r
+The admin in question will either reply by posting a comment to the bug or else perform some action which causes (1), (2), (3), or (4) to no longer be true.\r
+\r
+== What should you say in a reply? ==\r
+\r
+Often this is obvious. Sometimes, your schedule means that you can't deal properly with a request within its reply time window. In these cases, you should reply acknowledging receipt of the message and giving a '''concrete''' date/time deadline by which you will give the request the attention it needs. There are no restrictions on how far in the future the deadline can be, but you should try to be reasonable.\r
+\r
+If 24 hours have passed from a deadline that you gave in a past reply and you're still not ready to handle it, you should reply again to that Bugzilla bug/mailing list thread/etc. giving a new deadline. This process repeats indefinitely. Obviously people aren't going to be happy if you just keep looping through this forever.\r
+\r
+== What if you can't reply? ==\r
+\r
+We'll be understanding if you have a genuine emergency. However, people disagree on what is a good enough emergency. A life-threatening situation or a situation where you need to focus on some task non-stop to avoid losing valuable property, getting kicked out of your apartment, etc., would qualify. Being really busy at work or in dealing with some other crisis will probably not qualify if you nonetheless end up in front of a computer regularly, able to send e-mail. Nothing that you know about in advance, during a period when you're able to send e-mail, will qualify, and here's why:\r
+\r
+Any volunteer can take any amount of "time off" at any time, just by e-mailing the hcoop-sysadmin list. The message subject should start with the text "AWAY", followed by as concrete a designation of a time period as possible. The message body should describe prospects for Internet access during your away time, along with any other information that could help avoid a communication crisis. You don't need to explain where you'll be, why you won't be able to reply, etc., but you can if you want to.\r
+\r
+It shouldn't be surprising that the board of directors will feel justified in removing someone from a sysadmin role if he "abuses" this possibility by being "away" so much that he effectively isn't an admin. Also, if a board member tries this trick, the general membership will feel justified in voting out that board member, as described in the HcoopBylaws. But we're all going to do our best to be understanding.\r
+\r
+If you have any kind of emergency but have the time and opportunity to send an AWAY message before you need to switch to full focus on that emergency, '''please''' do so!\r
+\r
+'''Important''': During a declared AWAY time, the TaskDistribution table is used to determine who is responsible for an absent volunteer's duties. When a person marked as primary assignee for a task is AWAY, the secondary person takes over with respect to the First Response rule for messages that would have been considered the responsibility of the absent member due to their subject matter. The secondary person also needs to take over doing the actual work in his marked task areas, of course.\r
--- /dev/null
+= WebSpam =\r
+As spammers have started to focus on dynamic web pages, including wiki pages and other CGI programs, it is becoming more important to track chronic offenders. If you have an experience with web spam, record any relevant information here (perhaps including IP address and date/time of attack). If you are getting hit many times per minute from the same or different IP addresses, consider using IRC to alert administrators to the problem or the HCoop mailing lists. In this case, we may have to take action more quickly to avoid surging over bandwidth limits.\r
+\r
+== WebSpam Ideas ==\r
+=== Wikis ===\r
+What are some ideas to defeat spam that defaces web pages?\r
+\r
+ * Well, the first thing that comes to mind is enabling wiki user authentication. It would require a few extra steps in order to contribute to a webpage but could be worthwhile if the level of spam is out of control. You could have open enrollment, meaning everyone that signs up for an account can automatically contribute to the wiki.\r
+ . --RobGubler\r
+ * You might notice that hardly any spamming attempts succeed on our MoinMoin wikis. That's because MoinMoin has this wonderful content-based filtering support that consults a central database of all known spam content. I think this kind of program-specific support is the way to go. --AdamChlipala\r
+ * If a wiki is very popular, even MoinMoin's content filtering isn't enough. What I generally recommend is making the FrontPage writable only to registered users, and let other pages be writable by anyone. This at least helps to save face when new visitors come to your site. --MichaelOlson\r
+=== Blog comments ===\r
+ * I use pyblosxom, which has the option of putting comments in a draft status. The blog maintainer must manually give comments a ".cmt" extension for them to show up. I'm beginning to think that it was a mistake to put a link to a page on my blog called "Guestbook", because I'm now getting about 300 spam comments a day to moderate! Hopefully getting rid of that link will help. --MichaelOlson\r
+ * Aren't [http://en.wikipedia.org/wiki/Captcha CAPTCHAs] enough ? I thought spammers are still to catchup with simple mechanisms like the one [http://sacha.free.net.ph/notebook/wiki/today.php here]. -- AnilNarayanan\r
+ * Captchas are a suboptimal solution because they block blind users from participating. --MichaelOlson\r
+ * The wikipedia page linked above mentions that audio captchas are possible as well, but they may not be as widely implemented as purely visual ones in the present.\r
+ I guess accessibility might not be an issue if just text (question-answer pairs, say) is invloved. It might work well till one's site generates enough interest to have people sit and crack the captchas. -- AnilNarayanan\r
+\r
+== WebSpam Log ==\r
+The following info indicates spam attempts, gathered by HCoop users:\r
+\r
+ * [http://www.chatmroomcc.info/SpamLOGTC.html History log file by one HCoop user that records spam attempts to his forum site]\r
+== External References ==\r
+ * [http://en.wikipedia.org/wiki/Blog_spam Wikipedia page on blog spam]\r
+ * [http://www.linksleeve.org/ LinkSleeve]: a community-based project to block spam on different kinds of dynamic web sites.\r
+ * [http://en.wikipedia.org/wiki/Captcha Wikipedia page on Captcha]\r
--- /dev/null
+This page is aimed at Linux novices who want to require that web site visitors authenticate with usernames and passwords to access particular directories. Be forewarned that, using these methods, it will still be the case that any HCoop member can read your private files; this only "protects" directories accessed over the web.\r
+\r
+Let's pretend that your username is billy and you have a website, {{{www.billy.com}}}. The files are in the directory {{{/home/billy/www/billy.com/}}}. You want to require a password for {{{www.billy.com/private}}} and give access to yourself and two friends, joe and mary. Here is what you must do:\r
+ * Log into the the server (Fyodor) with ssh\r
+ * Configure the web server:\r
+ * At the $, type {{{pico /etc/domains/com/billy/www}}} and press ENTER\r
+ * Press the down arrow to go to the bottom of the file\r
+ * Type this: {{{Directory /home/billy/www/billy.com/private\r
+BasicAuth /home/billy/www/htpasswd Billy's friends only.\r
+Require valid-user\r
+/Directory\r
+}}}\r
+ * Save the file:\r
+ * Press CTRL-X (written as ^X)\r
+ * Press Y to save changes\r
+ * Press ENTER to save over the old file\r
+ * Back at the $, type {{{domtool}}} and hit enter. It will print out the changes that it makes to the Apache configuration file.\r
+ * Now create a new htpasswd file (HTTP password file) with the a password for billy:\r
+ * At the $, type {{{htpasswd -c /home/billy/www/htpasswd billy}}}\r
+ * Type billy's password and hit ENTER\r
+ * Re-type the password and hit ENTER\r
+ * Now add a password for joe:\r
+ * At the $, type {{{htpasswd /home/billy/www/htpasswd joe}}}\r
+ * Type joe's password and hit ENTER\r
+ * Re-type the password and hit ENTER\r
+ * Finally add a password for mary:\r
+ * At the $, type {{{htpasswd /home/billy/www/htpasswd mary}}}\r
+ * Type mary's password and hit ENTER\r
+ * Re-type the password and hit ENTER\r
+ * Now test it by going to {{{www.billy.com/private}}} in your web browser. You should get a box that says {{{Billy's friends only.}}} and asks for a username and password. Try {{{billy}}} and the password you gave to the htpasswd program. You should see the contents of {{{/home/billy/www/billy.com/private/}}}.\r
+ * Troubleshooting: You know something is wrong if you type {{{billy}}} with the proper password and the login box keeps coming up. Look for errors in the Apache log file, {{{/home/log/apache2/www.billy.com/error.log}}}. This file may be very long, so use the {{{tail}}} command to view it:\r
+ * At the $, type {{{tail -f /home/log/apache2/www.billy.com/error.log}}} and hit ENTER. This command prints out the last 10 lines in the file and then "follows" the file. Whenever a new line is written to the file, tail will print it out immediately.\r
+ * Go back to the $ by pressing CTRL-C (^C).\r
+ * After using a good password, most web browsers will send that password to the site every time you go back to it. So before you can test joe's or mary's passwords, you have to make the web browser forget that you typed in billy's password. The easiest way to do this is to close the web browser. Alternatively, if you have Mozilla Firefox and the Web Developer Toolbar, then you can click the Miscellaneous button and choose Clear HTTP Authentication. After the browser has forgotten the password, go back to {{{www.billy.com/private}}} and try joe's password. Repeat with mary's password, too.\r
+ * That is all!\r
--- /dev/null
+##master-page:FrontPage\r
+#format wiki\r
+#language en\r
+#pragma section-numbers off\r
+\r
+= Welcome to the HCoop Wiki =\r
+\r
+This is the Internet Hosting Cooperative's space for maintaining documentation of interest to our members, as well as for any visitors curious about who we are, what we provide, and how we operate. Everyone, including both members and non-members, is invited to create and edit appropriate pages.\r
+\r
+'''NOTE''': This wiki is [:RewriteGoals:being heavily overhauled] at the moment. The old front page may be found at OldWelcomePage.\r
+\r
+== General Information ==\r
+\r
+ * '''MemberManual''': A guide to using HCoop's services for members of HCoop.\r
+ * '''["HCoopAdvocacy"]''': Learn about HCoop, join HCoop, and use HCoop logos.\r
+ * '''ContactHcoop''': Ways to get in touch.\r
+\r
+== Outside of the Wiki ==\r
+\r
+ * [http://hcoop.net/ HCoop's main web site]\r
+ * [https://members2.hcoop.net/ The HCoop member portal]\r
+ * [http://hcoop.sourceforge.net/ HCoop's publicly-released software]\r
+\r
+== Administrivia ==\r
+\r
+ * AdminArea: Various pages that HCoop admins have created to help them keep HCoop running.\r
+ * BoardArea: Pages that describe the workings of the HCoop Board of Directors, along with official policies and structure.\r
+ * WikiStuff: Pages having to do with the wiki software, use of the wiki, and upkeep of the wiki.\r
+\r
+== Unclassified ==\r
+\r
+If a page isn't mentioned anywhere else, yet should be, please list it here. MichaelOlson will go through these later and add them to the appropriate sections.\r
--- /dev/null
+##master-page:WikiSandBox\r
+#format wiki\r
+#language en\r
+Please feel free to experiment here, after the four dashes below... and please do '''NOT''' create new pages without any meaningful content just to try it out!\r
+\r
+'''Tip:''' Shift-click "HelpOnEditing" to open a second window with the help pages.\r
+----\r
+\r
+== Formatting ==\r
+\r
+''italic'' '''bold''' {{{typewriter}}} \r
+\r
+`backtick typewriter` (configurable)\r
+\r
+~+ bigger +~ ~- smaller -~\r
+\r
+{{{\r
+preformatted some more\r
+and some more lines too\r
+\r
+}}}\r
+\r
+{{{#!python\r
+def syntax(highlight):\r
+ print "on"\r
+ return None\r
+}}}\r
+\r
+\r
+{{{#!java\r
+ public void main(String[] args]){\r
+ System.out.println("Hello world!");\r
+ } \r
+\r
+}}}\r
+\r
+\r
+== Linking ==\r
+\r
+HelpOnEditing MoinMoin:InterWiki \r
+\r
+http://moinmoin.wikiwikiweb.de/ [http://www.python.org/ Python]\r
+\r
+someone@the.inter.net\r
+\r
+\r
+=== Image Link ===\r
+http://c2.com/sig/wiki.gif\r
+\r
+== Smileys ==\r
+\r
+/!\ Alert\r
+\r
+== Lists ==\r
+\r
+=== Bullet ===\r
+ * first\r
+ 1. nested and numbered\r
+ 1. numbered lists are renumbered\r
+ * second\r
+ * third\r
+ blockquote\r
+ deeper\r
+\r
+=== Glossary ===\r
+ Term:: Definition\r
+\r
+=== Drawing ===\r
+drawing:mytest\r
+\r
+= Heading 1 =\r
+== Heading 2 ==\r
+=== Heading 3 ===\r
+==== Heading 4 ====\r
+\r
+= IRC Log test =\r
+\r
+{{{#!irc\r
+(23:18) < jroes> ah\r
+(23:19) < jroes> hm, i like the way {{{ works, but i was hoping the lines would wrap\r
+(23:21) -!- gpciceri [~gpciceri@host181-130.pool8248.interbusiness.it] has quit [Read error: 110 (Connection timed out)]\r
+(23:36) < ThomasWal> you could also write a parser or processor\r
+(23:38) < jroes> i could?\r
+(23:38) < jroes> would that require modification on the moin end though?\r
+(23:38) < jroes> i cant change the wiki myself :x\r
+(23:39) < ThomasWal> parsers and processors are plugable\r
+(23:39) < ThomasWal> so you dont need to change the core code\r
+(23:40) < ThomasWal> you need to copy it to the wiki data directory though\r
+(23:40) < jroes> well, what i meant to say was that i dont have access to the box running the wiki\r
+(23:40) < ThomasWal> then this is no option\r
+(23:40) < jroes> yeah :/\r
+}}}\r
+\r
+Seeing if it's possible to edit...\r
--- /dev/null
+#pragma section-numbers off\r
+\r
+This page contains links to pages having to do with the wiki software, use of the wiki, and upkeep of the wiki. \r
+\r
+[[TableOfContents]]\r
+\r
+= Wiki software =\r
+\r
+ * DefaultFrontPage: More about using the MoinMoin wiki software.\r
+\r
+= Wiki upkeep =\r
+\r
+ * StyleGuide: Essential reading for those who make new content on the HCoop wiki.\r
--- /dev/null
+To implement zone transfers from BIND-style DNS masters, we use [http://www.lickey.com/autoaxfr/ autoaxfr].\r
+----\r
+CategorySystemAdministration\r
HCoop / hcoop / zz_old / ikiwiki / commitdiff
