pitter patter on the keyboard

If your system is far out of date you may encounter this error:

/usr/lib/portage/bin/ebuild.sh: line 370: xz: command not found
tar: This does not look like a tar archive
tar: Error exit delayed from previous errors

This is due to the switch from lzma-utils to xz-utils last year as covered in this post: Portage Errors: app-arch/lzma-utils is blocking app-arch/xz-utils. As covered earlier it is safe to remove lzma-utils then emerge xz-utils because it ships in a traditional (gzip) tarball:

# emerge --unmerge lzma-utils
# emerge xz-utils

In the last couple of weeks a wave of attacks has seen the snort packet logs on a client’s firewall fill the disc to capacity, causing all sorts of wonderful problems. Packet logging is optional and usually only worth the trouble if you are actively trying to solve an attack or false positive, in which cases it can be added at that time. For most folks it simply provides a hindrance on performance and, if your storage is not well diversified, a hazard as we have seen with this router:

Disable packet logging by editing /etc/init.d/snort to start the daemon with the -N flag:

  start)
        echo -n $"Starting $prog: "
        if test "x`/sbin/pidof snort`" != x; then
                failure
                echo ""
        else
                automagic
                # Add support for multiwan
                if [ -n "$EXTIF" ]; then
                                for INTERFACE in $EXTIF; do
                                                daemon snort -N -i $INTERFACE -D -c /etc/snort.conf
                                done
                else
                                daemon snort -N -D -c /etc/snort.conf
                fi
                RETVAL=$?
                echo
                [ $RETVAL -eq 0 ] && touch /var/lock/snort
        fi
        ;;

Restart snort via its init script:

# /etc/init.d/snort restart

If you take a look at the logrotate configuration file for snort at /etc/logrotate.d/snort you’ll see:

# A bit of a kludge here - the logrotate file is empty and
# created by /etc/rc.d/init.d/snort.
/var/log/snort/logrotate {
 missingok
 postrotate
 tar -czf /var/log/snort.tar.gz /var/log/snort 2> /dev/null
 rm -rf /var/log/snort/[0-9]* /var/log/snort/snort.log.[0-9]* 2> /dev/null
 killall -HUP snort 2> /dev/null || true
 endscript
}

I’m not sure why the ClearOS people are using a “kludge” here, at best guess it seems the point is to put the snort.tar.gz archive directly under /var/log rather than in its own directory. Maybe it has to do with accommodating snort’s built-in log rotation. I don’t know. I don’t really care.

If you’re concerned about aesthetics keep the init script from creating the blank:

        # Creates a dummy file for /etc/logrotate.d/snort script
#       if [ -d /var/log/snort ]; then
#               echo "Used for logrotate... do not delete" > /var/log/snort/logrotate
#       fi

If I read that right it’s saying “Used for logrotate… please delete.”

# yes | rm -r /var/log/snort/*

Gentoo recently made the switch from lzma-utils to xz-utils, to quote the project page at http://tukaani.org/lzma/:

LZMA Utils are legacy data compression software with high compression ratio. LZMA Utils are no longer developed, although critical bugs may be fixed as long as fixing them doesn’t require huge changes to the code.

Users of LZMA Utils should move to XZ Utils. XZ Utils support the legacy .lzma format used by LZMA Utils, and can also emulate the command line tools of LZMA Utils. This should make transition from LZMA Utils to XZ Utils relatively easy.

As you are probably aware, Portage has largely used lzma for the past year – before which bzip2 was the compression standard of choice. If alarm bells went off in your head when you saw this message:

[blocks B     ] app-arch/lzma-utils ("app-arch/lzma-utils" is blocking app-arch/xz-utils-4.999.9_beta)

You can rest easy uninstalling lzma, the xz-utils package comes in a good ol’ fashioned tarball and it works as a drop-in replacement for it so it’s safe to unmerge lzma-utils completely then – before emerging anything else – emerge xz-utils:

# emerge --unmerge lzma-utils; emerge xz-utils

 app-arch/lzma-utils
 selected: 4.32.7
 protected: none   
 omitted: none   

>>> 'Selected' packages are slated for removal.
>>> 'Protected' and 'omitted' packages will not be removed.

>>> Waiting 5 seconds before starting...
>>> (Control-C to abort)...
>>> Unmerging in: 5 4 3 2 1
>>> Unmerging app-arch/lzma-utils-4.32.7...

 * GNU info directory index is up-to-date.
Calculating dependencies... done!

# emerge xz-utils
Calculating dependencies... done!

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) app-arch/xz-utils-4.999.9_beta
>>> Downloading 'http://gentoo.osuosl.org/distfiles/xz-4.999.9beta.tar.gz'

I’ll take this opportunity to point out that in this day and age the word beta has become such a gimmick that Gentoo is including so-called beta software as part of its core system. Back in my day beta meant beta and you had to walk 17 miles uphill both ways to get to the nearest phone jack. Mind you we didn’t call them modems in those days, we called em clinkerdinkers….

Way to go, Internet.