Skip to content

No whois server is known for this kind of object

I make extensive use of whois in my work and since they introduced all these fancy TLDs in recent years I've noticed the standard linux whois client is failing for many of them.
Ever tried to whois e.g. and got this instead?
No whois server is known for this kind of object

Well, apparently it's as simple as adding the new servers to the whois client config file. Here's how my /etc/whois.conf looks like.
Feel free to copy/paste.

Credits go to


Protect KVM processes from OOM killer

While running clouds on Linux KVM hypervisors it may happen that some of your virtual machines processes get killed by the OOM killer in order to free up memory.

Depending on your situation, the OOM killer may be instructed not to kill certain processes; but if you go this way make sure you know what you are doing and how resources are used.

So, to proceed with protecting KVM processes from out of memory scenarios, we need to run a few commands:
1 - determine the PID of the processes, we can use pgrep for this
2 - protect them from OOM killer by changing the PIDs oom_adj value to -17 (OOM_DISABLE); if you use a 3.x+ kernel then you need to change oom_score_adj to -1000 instead as oom_adj is deprecated

This can be wrapped up in a one-liner such as this:
for PID in $(pgrep qemu-kvm); do echo -17 > /proc/$PID/oom_adj; done

That would work in CentOS 6, but if you are on a newer kernel than that (say 3.x like the one in CentOS 7) then use this:
for PID in $(pgrep qemu-kvm); do echo -1000 > /proc/$PID/oom_score_adj; done

You might want to double check your KVM processes run as qemu-kvm, that's the program's name in CentOS, it may differ in other distributions.

If you do not want to do this manually every time a VM is created you can simply create a cron job to do it for you every X minutes; if you spin up instances very often then you may set it as frequent as 1 minute:
echo '*/1 * * * * root for PID in $(pgrep qemu-kvm); do echo -1000 > /proc/$PID/oom_score_adj; done' > /etc/cron.d/oomprotect

If you run into memory usage issues, do have a look at KSM as it can help optimise memory utilisation (but at the cost of extra CPU usage).

Wasting time

Quit twitter. Now if I could only do the same with reddit and hacker news.. I might have a shot at doing something with my life. :)
Later edit 7th May: well, that didn't last long, I reactivated my twitter account. But HN and Reddit remain banned. So, partial victory.

Setting up Varnish in a CentOS server

I've seen Varnish

Varnish is one of those small, shiny, remarcable jewels of the open source world.
It can make an enormous difference in how your web application responds and how fast your web site loads.
It's all in it's caching feature and not only; I've seen people use it as an web application firewall (search github) and out of the box it will only forward well formed HTTP requests to your backend, acting as a filter against malicious activity or scans against your server.
It'll also take the brunt of a syn flood attack, sparing Apache HTTPD or Nginx which usually go belly up quite fast.

Performing an install of Varnish in CentOS 6 is quite trivial as they provide a yum repo:
yum -y install
yum install varnish
Out of the box it will listen on port 6081 and will not do much caching. If you want to modify how it works you need to edit 2 files:
The first file tells Varnish what kind of cache to use and how big, also on which ports to listen to.
The second file configures the backend servers and the way in which the caching is done. Configuring caching in Varnish is not for the faint of heart, so do a serious read-up of the documentation before-hand; there are also many examples online.

Both those files come with working defaults, all you need to do is point your web traffic at it and here you have 2 choices at least:
1 - Assuming Varnish sits on the same IP/machine as the backend, change the port of your web server to something other than 80 (like 8080) and set Varnish to use port 80
2 - Do a redirect from iptables, this is my favourite as it doesn't need any reconfiguration of the web servers:
iptables -t nat -I PREROUTING -i lo -j ACCEPT 
iptables -t nat -I PREROUTING -s LOCAL_IP -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6081 

Before you do that, however, you need to tell Varnish which is the backend web server. This is done in /etc/varnish/default.vcl like this:
backend default {
  .host = "LOCAL_IP";
  .port = "80";

* LOCAL_IP is your servers IP
You can check the configuration is correct with this command: varnishd -C -f /etc/varnish/default.vcl
Restart Varnish so it's up and running with your configuration: service varnish restart
You can use the commands varnishtop or varnishstat to see what is going on.
Once you do this HTTP traffic will go through Varnish and then to your backend, one consequence of this is that your Apache log will show that all requests are coming from the local IP instead of your visitors' IPs. You can solve that by installing and configuring mod_rpaf.


Bypassing BT HomeHub

So you have BT Infinity, the white Openreach modem is up and running and you have broadband via wired or wifi through the fancy BT HomeHub; but you are a geek or a freak and you want to run your own router.
You want to use your local linux box, custom dd-wrt router or who knows, perhaps a Raspberry PI. Fair enough. Here's how to do it:
1 - disconnect the BT HomeHub router from the white modem
2 - connect your linux machine to the modem (LAN1 port usually)
3 - run pppoe-setup on the linux machine and answer the questions accordingly. Interestingly the user/password I used seem to be sort of gibberish, but do work: "" and the password "broadband".
I chose not to let pppoe-setup set the DNS or firewall for me, ymmv. Start the connection with /sbin/ifup ppp0.

That's it, enjoy your broadband!


"Fixing" Firefox

For quite some time now Firefox has a shitty behaviour regarding the address bar, which may be OK for grandma, but it gets in the way of power users.
I was too lazy to do anything about it until now, but it's 2015, I am getting old and less tolerant, so here are my pet peeves:
A - modify urls that do not look like traditional addresses and add a www prefix and .com suffix
B - send a single word address to a google search instead of opening it (kills internal addresses such as "http://wiki")
C - the protocol gets hidden, but when you copy/paste the url from the address bar it gets included, e.g. I copy "", but when I paste it in an editor it actually comes up as ""

So here's how to fix it - open a new tab, go to "about:config" and:
- to fix A search for "browser.fixup.alternate.enabled" and double click it so the value changes to "false"
- to fix B search for "keyword.enabled" and double click it so the value changes to "false"
- to fic C search for "browser.urlbar.trimURLs" and double click it so the value changes to "false"

That's it. Now you can enjoy a better browsing experience! ;-)

Changing an AD password from CentOS Linux

Changing the AD password from linux is surprisingly straighforward.
Just run the passwd command as you would normally!
If that doesn't do it, then just issue this command, replacing of course the variables with your own values:
smbpasswd -r $AD-server -U $AD-username

Voilà, enjoy!

Nested virt - Xenserver on KVM

At we need to test templates on Xenserver and KVM, however the basic OS for the build environment is CentOS 7 (with KVM).
In order to test the templates on Xenserver we had to run this HV as a KVM guest (gotta love virtualisation!); however by default Xenserver will complain that you can't run any HVM guests, only paravirt ones (PV). This sucks because PV is used less and less with HVM being in the spotlight.

Luckily with KVM we can forward the VMX CPU flag to a guest and as such make it available to Xenserver, for it's HVM mode.

There are a few things to be aware of though:
1 - in libvirt do give the Xenserver VM a good CPU profile (I used Core2duo) and make sure the VMX flag is set on "require"
2 - stock CentOS 7 kernel has a problem with nested virt at the moment, do use a newer kernel[1] (I'm using kernel-ml from elrepo-kernel)
3 - make sure the kvm_intel module is loaded with the option nested=1. For this to happen I reload/rebooted with this in /etc/modprobe.d/kvm-intel.conf:
options kvm-intel nested=1

Now enjoy docker on centos, in xenserver on kvm on centos. :-)

[1] - - this will likely be fixed in future CentOS/RH kernel updates, I hope

Stella 6.6 released

As a result of CentOS 6.6 release we have bumped up the version as well, so enjoy all the goodies of CentOS + extra desktop stuff with the new Stella.

Download it from the usual locations and let us know if you run into any issues!


The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: Poodle.
You can read more about it here and there, tl;dr it exploits a weakness in SSLv3 to allow MITM attacks: (local copy)

To fix this in Apache HTTPD edit your ssl configuration file (eg /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3
If you're running CPanel there's more you need to do:
- go in "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go in "Home »Service Configuration »Apache Configuration»Include Editor", add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned than on older CPanel installations (CentOS 5), removing SSLv3 (:-SSLV3) from the cipher list might cause Apache not to start at all.

- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6, test before you change.