Notes / Debian 13 (trixie) install

[listerr]

Installed on Debian 13 (trixie). Here's my notes on what I had to do to get it working. May be useful for more recent Ubuntu versions.

---

1. lighttpd Deprecated Config

2025-08-27 20:11:45: (mod_deflate.c.741) DEPRECATED: compress.filetype replaced with deflate.mimetypes
2025-08-27 20:11:45: (mod_deflate.c.804) DEPRECATED: compress.cache-dir replaced with deflate.cache-dir

Just replace these in /etc/lighttpd/lighttpd.conf as suggested:

# these have been deprecated, replaced with deflate.*
# compress.cache-dir          = "/var/cache/lighttpd/compress/"
# compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

deflate.cache-dir           = "/var/cache/lighttpd/compress/"
deflate.mimetypes           = ( "application/javascript", "text/css", "text/html", "text/plain" )

2. Generic "403 Forbidden" errors (But nothing logging why...)

On first install, everything appeared to run, but was just getting 403 Forbidden no matter what. Nothing logs anything anywhere to give any hint what the problem is. Because that would be too helpful.

root@rc01:~# wget -q -O - -d http://rc01-ipv4.lonap.net/lg
DEBUG output created by Wget 1.25.0 on linux-gnu.
[...]
---response begin---
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 158
Date: Thu, 28 Aug 2025 08:12:14 GMT
Server: lighttpd/1.4.79

To diagnose, enable request debug logging in /etc/lighttpd/lighttpd.conf and restart it.

# request debugging:
debug.log-request-handling = "enable"

root@rc01:~# service lighttpd restart
root@rc01:~# wget -q -O - -d http://rc01-ipv4.lonap.net/lg
[<output snipped>]
root@rc01:~# tail /var/log/lighttpd/error.log
2025-08-28 09:33:24: (response.c.306) URI-path (clean): /index.php/
2025-08-28 09:33:24: (response.c.308) URI-query       :
2025-08-28 09:33:24: (response.c.387) -- logical -> physical
2025-08-28 09:33:24: (response.c.389) Doc-Root     : /srv/birdseye/public
2025-08-28 09:33:24: (response.c.391) Basedir      : /srv/birdseye/public
2025-08-28 09:33:24: (response.c.393) Rel-Path     : /index.php/
2025-08-28 09:33:24: (response.c.395) Path         : /srv/birdseye/public/index.php/
2025-08-28 09:33:24: (response.c.116) -- : Permission denied
2025-08-28 09:33:24: (response.c.119) Path         : /srv/birdseye/public/index.php/
2025-08-28 09:33:24: (response.c.121) URI          : /index.php/

Now we get some more useful error logging - Permission denied. Still took me a while (read: ages!) to find it though by comparing it with a working install. I was looking in the directory and other places. But not the directory itself...

The fix was simple:-

root@rc01:/srv# ls -l
drwx------ 17 birdseye birdseye 4096 Aug 27 22:45 birdseye

root@rc01:/srv# chmod a+rx birdseye/
root@rc01:/srv# ls -l
drwxr-xr-x 17 birdseye birdseye 4096 Aug 27 22:45 birdseye

Oops. I can't reproduce this though. Probably our saltstack automation or something making the dir with the wrong permissions when it checks out git repos.

Comment out the debug and restart. (Warning: gratuitous sed coming up...)

root@rc01:~# sed -i 's/^[^#]*debug.log-request-handling/# &/' /etc/lighttpd/lighttpd.conf
root@rc01:~# service lighttpd restart

3. 503 Service Unavailable / FastCGI-stderr:PHP Warning: preg_match(): Allocation of JIT memory failed, PCRE JIT will be disabled.

... Permissions glitch sorted. But seems we're not out of the proverbial woods yet, however :-/

2025-08-28 10:13:04: (mod_fastcgi.c.444) FastCGI-stderr:PHP Warning:  preg_match(): Allocation of JIT memory failed, PCRE JIT will be disabled. This is likely caused by security restrictions. Either grant PHP permission to allocate executable memory, or set pcre.jit=0 in /srv/birdseye/bootstrap/app.php on line 28

systemd log also shows this error: (journalctl --unit lighttpd)

Aug 28 10:09:58 rc01.lonap.net lighttpd[86959]: mprotect() failed [13] Permission denied

• The default systemd config for lighttpd has a lot of fun new security restrictions. (And quite right too. These days, we can't be having anything just having access to any OS capability willy-nilly...)

Debian location: /usr/lib/systemd/system/lighttpd.service

• Make an override.conf to turn off MemoryDenyWriteExecute. Assuming you don't already have override.conf for lighttpd:

root@rc01:~# mkdir -p /etc/systemd/system/lighttpd.service.d
root@rc01:~# echo -e "[Service]\nMemoryDenyWriteExecute=no" > /etc/systemd/system/lighttpd.service.d/override.conf
root@rc01:~# systemctl daemon-reload
root@rc01:~# service lighttpd restart

(Or you can use systemctl edit lighttpd.service and add it that way. Read the next bit though...)

4. 503 Service Unavailable / sudo: The "no new privileges" flag is set

... Alas, the sunlit uplands of birdseye utopia are not yet ours to be had... :-/

journalctl --unit lighttpd now shows a new error and birdseye again bombs with "503 Service Unavailable" when we try a request.

Aug 28 10:22:25 rc01.lonap.net systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Aug 28 10:22:29 rc01.lonap.net lighttpd[87970]: sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
Aug 28 10:22:29 rc01.lonap.net lighttpd[87970]: sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

• Update override.conf to turn off NoNewPrivileges. To update the previous step:

root@rc01:~# mkdir -p /etc/systemd/system/lighttpd.service.d
root@rc01:~# echo -e "[Service]\nNoNewPrivileges=no\nMemoryDenyWriteExecute=no" > /etc/systemd/system/lighttpd.service.d/override.conf
root@rc01:~# systemctl daemon-reload
root@rc01:~# service lighttpd restart

5. bird socket files

The route server reload script api-reconfigure-example-birdv2.sh and collector reload script reconfigure-rc-bird2.sh suggests socket of /var/run/bird/bird-${handle}.ctl

RUNPATH="/var/run/bird"
socket="${RUNPATH}/bird-${handle}.ctl"

The default setup for the bird deb packages runs everything as user bird. The systemd bird.service (which we obviously need to change if running our IPv4/IPv6 instances) runs /usr/lib/bird/prepare-environment, which does:

BIRD_RUN_DIR=/run/bird

mkdir --parents "$BIRD_RUN_DIR";

# [ checks for user/group ]

chown --silent "$BIRD_RUN_USER:$BIRD_RUN_GROUP" "$BIRD_RUN_DIR"
chmod 775 "$BIRD_RUN_DIR"

The suggested crontab runs the update scripts as root, so if this fires before bird starts up, bird will bomb during start-up because the paths (log path, run path etc.) are not writable by bird user.

(To make it easier to implement, I'm only using the rs-reload script as it's basically the same as rc-reload script. )

I've tweaked this script to fix this issue:-

BIRD_RUN_USER=bird
BIRD_RUN_GROUP=bird

# Or inherit from bird installed defaults:
# . /etc/bird/envvars

# Hmm. Maybe we could just do similar everywhere in all these scripts to set the right config without editing them all.

...

ETCPATH="/etc/bird"
RUNPATH="/run/bird"
LOGPATH="/var/log/bird"
LOCKPATH="/tmp/ixp-manager-locks"

...

[ ! -f "$ETCPATH" ] && mkdir -p $ETCPATH ; chown --silent "$BIRD_RUN_USER:$BIRD_RUN_GROUP" "$ETCPATH" && chmod 775 "$ETCPATH"
[ ! -f "$LOGPATH" ] && mkdir -p $LOGPATH ; chown --silent "$BIRD_RUN_USER:$BIRD_RUN_GROUP" "$LOGPATH" && chmod 755 "$LOGPATH"
[ ! -f "$RUNPATH" ] && mkdir -p $RUNPATH ; chown --silent "$BIRD_RUN_USER:$BIRD_RUN_GROUP" "$RUNPATH" && chmod 775 "$RUNPATH"
[ ! -f "$LOCKPATH" ] && mkdir -p $LOCKPATH ; chown --silent "$BIRD_RUN_USER:$BIRD_RUN_GROUP" "$LOCKPATH" && chmod 775 "$LOCKPATH"

6. birdseye sudo wrapper

That said, I don't think we need birdseye to run the wrapper as root.

The suggested .env config has this:-

# To query Bird securely, we use a wrapper script
BIRDC="/usr/bin/sudo /path/to/birdseye/bin/birdc -6 -s /path/to/bird/socket"

and the suggested sudoers config:

www-data        ALL=(ALL)       NOPASSWD: /srv/birdseye/bin/birdc

I've tweaked this to:

# To query Bird securely, we use a wrapper script
BIRDC="/usr/bin/sudo -u bird /srv/birdseye/bin/birdc -2 -s /run/bird/bird-rc01-ipv4.ctl"

(and similar for IPv6)

/etc/sudoers.d/birdseye contains:-

www-data  ALL=(bird) NOPASSWD: /srv/birdseye/bin/birdc

So the wrapper will run bird (or the cut-down birdcl for scripts) as bird user.

root@rc01:~# sudo -u bird /srv/birdseye/bin/birdc -2 -s /run/bird/bird-rc01-ipv4.ctl 'show status'
BIRD 3.1.2 ready.
Access restricted
BIRD 3.1.2
Router ID is 5.57.80.254
Hostname is rc01.lonap.net
Current server time is 2025-08-28 14:11:40
Last reboot on 2025-08-27 20:36:28
Last reconfiguration on 2025-08-28 13:16:57
Daemon is up and running
root@rc01:~#

7. profit!

... Only now can we bask in the glory of looking glass goodness.... :-)

(Unless you're using BIRD 3. In which case see the next bit. Not quite basking for you just yet...)

I thought I'd document this somewhere in case someone else encounters the same issues.

If you are reading this and found it useful and maybe saved you some hours of head-scratching:

1. You're most welcome.
2. Mine's a pint. :)

Oh, and I do love this note in the README:

In an ideal world, this micro-service will be deprecated once the BIRD developers release a version with a built-in HTTP JSON API.
This is a (hopefully) temporary solution to plug a gap.

Birdseye will soon celebrate its 10th birthday of being a temporary solution.

'Aint it always the way? :-)

8. BIRD 3 Compatibility

Looking glass works but gets stuck on some of the route detail displays. (Both birdseye looking glass and IXP Manager looking glass just grind to a halt, waiting forever for output.)

I tracked this down to a change in the format of attributes in BIRD 3 vs previous versions.

This will need the parser code to be updated for both formats. But in the meantime, put something like this at the top of your bird3 config template (header), using the template variables to make the correct path:

cli "/path/to/bird/socket.ctl” {
    v2 attributes;
};

Then pull the config again and restart bird. It should then work as before.

---

P.S: lighttpd

• Oh, to whoever called it lighttpd:

• It's very cute n'all. But .... ugh. Will I type lighthttpd ? lighhttpd ? lighttttpd ?

This has caused me such. rage.

A pox on you! Or maybe just some minor inconvenience like when you get cozy in bed but suddenly have to pee. Or when one of your ears pops on an aircraft and doesn't un-pop for an hour.

---

P.P.S: php

...speaking of deprecated...

Trixie ships with php8.4 as standard:

root@rc01:~# dpkg -l | grep php8
ii  php8.4-cgi                        8.4.11-1                       amd64        server-side, HTML-embedded scripting language (CGI binary)
ii  php8.4-cli                        8.4.11-1                       amd64        command-line interpreter for the PHP scripting language
ii  php8.4-common                     8.4.11-1                       amd64        documentation, examples and common module for PHP
ii  php8.4-curl                       8.4.11-1                       amd64        CURL module for PHP
ii  php8.4-intl                       8.4.11-1                       amd64        Internationalisation module for PHP
ii  php8.4-mbstring                   8.4.11-1                       amd64        MBSTRING module for PHP
ii  php8.4-opcache                    8.4.11-1                       amd64        Zend OpCache module for PHP
ii  php8.4-readline                   8.4.11-1                       amd64        readline module for PHP
ii  php8.4-xml                        8.4.11-1                       amd64        DOM, SimpleXML, XML, and XSL module for PHP

It seems to work fine, but there are some warnings logged:

2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\View\FileViewFinder::__construct(): Implicitly marking parameter $extensions as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/view/FileViewFinder.php on line 53
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Traits\Conditionable::when(): Implicitly marking parameter $callback as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/conditionable/Traits/Conditionable.php on line 21
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Traits\Conditionable::when(): Implicitly marking parameter $default as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/conditionable/Traits/Conditionable.php on line 21
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Traits\Conditionable::unless(): Implicitly marking parameter $callback as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/conditionable/Traits/Conditionable.php on line 53
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Traits\Conditionable::unless(): Implicitly marking parameter $default as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/conditionable/Traits/Conditionable.php on line 53
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Events\Dispatcher::__construct(): Implicitly marking parameter $container as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/events/Dispatcher.php on line 65
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Str::createRandomStringsUsing(): Implicitly marking parameter $factory as nullable is deprecated, the explicitnullable type must be used instead in /srv/birdseye/vendor/illuminate/support/Str.php on line 755
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Str::createUuidsUsing(): Implicitly marking parameter $factory as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/support/Str.php on line 1274
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Support\Str::freezeUuids(): Implicitly marking parameter $callback as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/support/Str.php on line 1319
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $query as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $request as nullable is deprecated, the explicit nullable typemust be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $attributes as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $cookies as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $files as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Request::duplicate(): Implicitly marking parameter $server as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Request.php on line 501
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Concerns\InteractsWithInput::whenHas(): Implicitly marking parameter $default as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Concerns/InteractsWithInput.php on line 123
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Concerns\InteractsWithInput::whenFilled(): Implicitly marking parameter $default as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Concerns/InteractsWithInput.php on line 201
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\Concerns\InteractsWithInput::whenMissing(): Implicitly marking parameter $default as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/Concerns/InteractsWithInput.php on line 235
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\View\View::render(): Implicitly marking parameter $callback as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/view/View.php on line 144
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\View\Engines\CompilerEngine::__construct(): Implicitly marking parameter $files as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/view/Engines/CompilerEngine.php on line 40
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\View\Compilers\BladeCompiler::anonymousComponentPath(): Implicitly marking parameter $prefix as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/view/Compilers/BladeCompiler.php on line 796
2025-08-28 10:57:32: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\View\Compilers\BladeCompiler::anonymousComponentNamespace(): Implicitly marking parameter $prefix as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/view/Compilers/BladeCompiler.php on line 818
2025-08-28 10:57:37: (mod_fastcgi.c.444) FastCGI-stderr:PHP Deprecated:  Illuminate\Http\RedirectResponse::withInput(): Implicitly marking parameter $input as nullable is deprecated, the explicit nullable type must be used instead in /srv/birdseye/vendor/illuminate/http/RedirectResponse.php on line 74

[pashdown]

Trying to get Debian 13 with bird v2 working to no avail. Followed your steps, but it dies somewhere in the PHP returning a 500 error. The sudo test of birdc works fine from www-data. Strong agree on the naming of lighththttpd.

[listerr]

Hi, See what you can get out of the lighttpd logs. You may need to enable debug logging to get it to show what's going wrong. I think Birdseye also has a dev/debug mode which can be temporarily enabled to help diagnose problems. Check the user running lighttpd is correct and permissions etc are set up correctly, and it can read the bird socket (may need to add the user to the bird group and restart everything) Barry has addressed some of these issues in a recent commit, so some steps may not be needed anymore. I will have a quick check through it when I get a minute to see if I can reproduce it. Rob 26 Nov 2025 19:34:51 pashdown ***@***.***>:

…

[Image]*pashdown* left a comment (inex/birdseye#23)[#23 (comment)] Trying to get Debian 13 with bird v2 working to no avail. Followed your steps, but it dies somewhere in the PHP returning a 500 error. The sudo test of birdc works fine from www-data. Strong agree on the naming of lighththttpd. — Reply to this email directly, view it on GitHub[#23 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AAXFTQYACIKPPRXFI23NYIT36X6FNAVCNFSM6AAAAACFBS553KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTKOBSHEZTKNJXGA]. You are receiving this because you authored the thread. [Tracking image][https://github.com/notifications/beacon/AAXFTQZAJZ4SHXDWWXQ7WAL36X6FNA5CNFSM6AAAAACFBS553KWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTWVR5BBE.gif]

[pashdown]

Found the problem. BIrdseye depends on the passed HTTP hostname in order to load the right config. Since my setup uses /etc/hosts on the IXP server and not DNS, I was testing from my desktop which didn't have the proper hostname. Once I plugged it in, things worked. Thanks for your documentation on everything else!

[gstrauss]

Thank you for the laughs and for the detailed write-up.

lighttpd was originally created and named by multi-lingual, non-native English speakers. I am current maintainer and lighttpd developer, but I did not name lighttpd. Maybe this can help: think of "lig" and "httpd". Or, you can create and install a custom systemd foo.service and type foo instead of lighttpd. 😄

Regarding lighttpd not providing enough trace before enabling the lighttpd debug in lighttpd.conf, unfortunately there are too many scanners and attackers on the internet. Error logs would be extremely noisy and fill up disk space too quickly if all voluminous error trace were enabled by default.

https://wiki.lighttpd.net/Release-1_4_79 release notes did highlight (highlighttpd lol) the behavior change to add hardening to the default systemd service, but I recognize that I now have years of telling people about this as older systems get upgraded. Thank you for helping out.

Another troubleshooting tip: regardless of the application, for services which are not running properly, one of the first things I generally do is run the service under strace -s 1024 ... to inspect and find failing system calls and the path, e.g. /srv/birdseye directory permissions.