Refurbished power supply was a bust; wrong item (it was hot swapable, I didn’t have redundent, hot swapable — but I do now).
So I’ve moved on to server rebuild. And with Centos pretty much gone, seemingly a causality of IBM’s purchase of Red Hat, I’m moving on to Rocky Linux. Going from 7.X to 9.X was bound to have some growing pains (having them in a more controlled build and cutover rather than replacing a dead server would have been nicer).
Lessons from my experience:
First, Rocky uses AuthorizedKeys vs. Centos 7 using AuthorizedKeys2; not a big problem but my first, bad, assumption was the upgrade meant I needed newer keys. And then (did I mention I was trying to go fast), I just used default file permissions on the new file. Final stumbling block: the new key pushed me over the limis so I started to get “too many failed attempts” errors. Lesson: copy AuthorizedKeys2 to AuthorizedKeys and check the file permissions.
It’s been a long time since I set it up. First, bad assumption: samba users are pulled from OS users. Eventually the errors made sense and I remembered I had to create the samba users/passwords. Second issue: selinux boolean to allow samba to get to home directories — that generates a really weird error on Linux workstation mapping in those drives (not sure what Windows would have looked like). Lessons: create the samba users/passwords and ensure selinux is permitting home directories (or relabel the file system).
Really went pretty well: don’t forget to install CRS with mod_security. And the new rulesets added a few more false positives for subversion access.
Speaking of subversion; it just works. I was pleasantly surprised to see no issues with access the repositories via httpd (after the mod_sec updates). (Do be sure selinux context is correct.)
postfix and spamassassin
It took a lot longer than it should have to understand that the error message about pipe failed due to unknown user really meant just that. The Spamassassin package for CentOS 7 used the “spamfilter” user (I think); it seems like the Rocky 9 package piggybacks off of the “mail” user.
I had to refresh my memory on SSL keys for dovecot; but mistakenly figured I could just remove the Thunderbird saved key and add back the new key (see below). For me, dovecot uses standard key files in standard tls directory. I was surprised that dovecot seems to log Thunderbird’s ssl error which Thunderbird seemed to just mask.
When I hit the certificate issue, I thought (next bad assumption) I could just remove the key I loaded from the old server and add a new exception for the new server’s key. I spent a long time trying but could never coach Thunderbird to ask for that offending key and give me a chance to accept it.
So I remembered having to create a new profile not that long ago when the hard drive failed on the old server. (The power supply was the camel back breaking straw.) So I created a new profile and that let me import the certificate. But…
The Thunderbird new profile/account set up presumed username would include domain (email@example.com, for example). Of course, dovecot on Linux, using Linux accounts just needed the name. The unknown user / invalid password threw me for my final loop of the rebuild session. Lessons: Delete imported SSL cert only as a last resort and look closely at the assumptions made in setting up a new profile/account.
Final note this this entry: when I started my backup scripts, I was getting astronomically large backup files. tar, in Rocky 9 does not like “—exlude” clause after the source of the files to tar up. CentOS 7 was OK with that. Lesson: tar
The server has been working well for a few days now and I’m feeling pretty good. I have a bunch more disk space to work with (but I’ll likely need new, bigger USB drives for offsite storage). And I’ve seen a whole new slew of error messages and eventually worked out what they mean and what I need to do.
Of course, the public server (serving this blog and website) is the same era as the internal server and lived through the same very dusty remodel. So that’s next on my plate…
Oh, and Ting is setting up fiber to the house too…