Timeline


Mar 18, 2011:

11:38 PM Changeset [1790] by andersk
trac.fcgi: Stop relying on fcgi_frontend details that Trac 0.12 will break
In Trac 0.12, trac.web.fcgi_frontend does ‘from _fcgi import WSGIServer’ instead of ‘import _fcgi’, and also conditionally wraps dispatch_request in FlupMiddleware.
10:49 AM Changeset [1789] by mitchb
Add missing backend route to not-backward
You know, because we were sending it traffic... backward.
10:30 AM Changeset [1788] by mitchb
Switch from "strict" to "loose" reverse-path filtering

Reverse-path filtering controls what happens when you receive traffic on an interface directly claiming to be from an IP address that your routing rules indicate shouldn't be part of the network(s) directly attached to that interface. It's meant to help guard against IP spoofing. There are three legal values:

  0 - "off" - does not block anything
  1 - "strict" - blocks any traffic that "shouldn't" have arrived on this interface according to your routing rules
  2 - "loose" - blocks any traffic that "shouldn't" have arrived on any of your interfaces according to your routing rules (but allows traffic from addresses that should be on directly attached networks and arrive on the "wrong" interface); recommended for sites with asymmetric routing configurations where traffic to a given address is expected to return through a different interface than it leaves on

A normal non-multihomed machine should usually use "strict" mode, and in fact this was a simple boolean between "off" and "strict" in older kernels through somewhere in the 2.6.20s. Back then, the kernel ANDed the value of net.ipv4.conf.all.rp_filter and net.ipv4.conf.${iface}.rp_filter, so to enable it, you needed to turn it on under both "all" and the interface hierarchy. When it became a trinary value, this logic was overlooked, so the only (undocumented) way to use "loose" mode on some interfaces and "strict" mode on others was to set rp_filter in the "all" hierarchy to the undocumented value "3". At some point in 2.6.31, the rp_filter behavior was corrected to use the max() of the "all" and interface value.

Until now, we've been setting net.ipv4.conf.default.rp_filter to "1", which causes the interface values to be "1". The "all" value defaults to "0" on Fedora. Since the last kernel in Fedora 11 was 2.6.30.10, this means that we never actually used reverse-path filtering until we upgraded to Fedora 13, at which point we began using strict filtering without intending to have changed anything.

This behavior is incorrect for us because we do have asymmetric routing scenarios and intend to add more. The specific example where we want this is to allow a Scripts LVS realserver to also be an LVS client. It will send traffic to the Scripts LVS-balanced IP addresses on the frontend network (eth0) because those addresses only exist on the frontend, where LVS will assign it to a given realserver to handle and forward it along. That realserver will try to respond to the requesting realserver on the backend network (eth1) because of the static routes we have installed to prefer servers talking to each other over the non-public segment. If rp_filter is in "strict" mode, this traffic will be dropped, and the scripts servers on the backend can never talk to the balanced addresses. We also want non-realserver machines on our backend network (such as not-backward) to be able to be LVS clients.
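
Added example (not part of changeset 1788 or the scripts.mit.edu repository): a small Python model of the rp_filter rules described in the commit message above, showing why the same sysctl settings meant "off" on 2.6.30.10 and "strict" after the upgrade, and what strict and loose do with a packet arriving on the "wrong" interface. Assumptions: the older "ANDed" rule is modelled as a bitwise AND, every release from 2.6.31 on is treated as using max(), and the routing table and addresses are constructed.

```python
import ipaddress

OFF, STRICT, LOOSE = 0, 1, 2

def kernel_tuple(release):
    """'2.6.30.10' -> (2, 6, 30, 10); anything after '-' is ignored."""
    return tuple(int(p) for p in release.split("-")[0].split("."))

def effective_rp_filter(release, all_value, iface_value):
    """Mode applied to one interface, per the rules in the commit message."""
    if kernel_tuple(release) >= (2, 6, 31):
        return max(all_value, iface_value)
    # Assumption: the older "ANDed" rule is modelled as a bitwise AND, which
    # matches the described all=3 workaround (3 & 1 == 1, 3 & 2 == 2).
    return all_value & iface_value

def route_iface(routes, src):
    """Longest-prefix match: interface used to reach src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None

def accepts(mode, routes, src, in_iface):
    """Would a packet from src arriving on in_iface pass the filter?"""
    out_iface = route_iface(routes, src)
    if mode == STRICT:
        return out_iface == in_iface
    if mode == LOOSE:
        return out_iface is not None
    return True  # OFF: nothing is blocked

# Constructed sample routing table (documentation address ranges).
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth0"),     # frontend
    (ipaddress.ip_network("198.51.100.0/24"), "eth1"),  # backend
]

if __name__ == "__main__":
    # default.rp_filter=1 gives interfaces the value 1; "all" stays 0.
    for release, iface_value in [("2.6.30.10", 1), ("2.6.31", 1), ("2.6.31", 2)]:
        mode = effective_rp_filter(release, 0, iface_value)
        # A frontend-routed source showing up on the backend interface.
        print(release, iface_value, mode, accepts(mode, ROUTES, "192.0.2.10", "eth1"))
```
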

Mar 15, 2011:

9:47 PM Ticket #196 (Test) closed by ezyang
invalid
9:44 PM Ticket #196 (Test) created by ezyang
This is testing attachment emailing

Mar 14, 2011:

5:27 PM Ticket #125 (Set up issue tracking for private scripts.mit.edu Trac tickets) closed by geofft
fixed: Removed SensitiveTicketsPlugin because it doesn't work. I also …

Mar 12, 2011:

5:15 PM Ticket #195 (Allow connections to the primary from scripts servers) closed by mitchb
duplicate: This *is* #175.
9:11 AM Ticket #195 (Allow connections to the primary from scripts servers) created by adehnert
In all likelihood, fixing this would also lead to fixing (or …

Mar 10, 2011:

2:17 AM Changeset [1787] by andersk
/etc/scripts/modprobe: Tighten binfmt-464c check
Substring matching was sloppy; check that the arguments match the expected ones exactly.

Mar 8, 2011:

5:14 PM Ticket #194 (Disable mail to *@scripts-vhosts.mit.edu) created by andersk
Many sendmail installations, including MIT’s, canonicalize …

Mar 3, 2011:

5:19 PM Changeset [1786] by geofft
vhost and cert for gsc [help.mit.edu #1491793]

Mar 1, 2011:

12:53 AM Ticket #193 (Keep contact address on file for accounts) created by adehnert
It would be useful for a couple reasons to have email addresses on …
12:40 AM Ticket #185 (Find a better replacement for Advanced PHP Guestbook) closed by adehnert
wontfix: We seem to be talking lately about making certain autoinstalls …

Feb 27, 2011:

3:58 AM Changeset [1785] by geofft
suexec also needs to know about filetypes: add ttf and otf

Feb 26, 2011:

11:14 AM Changeset [1784] by geofft
Add .ttf and .otf font file types

Feb 18, 2011:

11:40 PM Changeset [1783] by geofft
Refresh krb5.spec.patch
5:48 PM Changeset [1782] by geofft
for-each-server: Remove dependency on machtype and simplify code

Feb 17, 2011:

10:48 PM Changeset [1781] by geofft
Don't log harmless modprobe requests for invalid ELF binaries