•
•
•
•
It was just announced that openFATE, openSUSE’s feature tracking system, will now be open to non openSUSE members. What this means anyone can submit new feature requests. For more info: openFATE – Adding New Features Now Open for Everybody.
After beating Enigmo in the iPhone, I was eager for more. I’m a sucker for these type of games. I downloaded the demo of the Windows version of Enigmo 2, and, to my delight, it works great out of the box in Wine! It’s got tons more doodads and etc than the iPhone version, so I’d say it’s a perfect upgrade path if you like that game.
The installer works fine, but I recommend launching the Enigmo 2 application after you have installed it with a command similar to this:
wine explorer /desktop=Enigmo,1024x768 'c:\\Program Files\\Ideas From the Deep\\Enigmo 2 Supernova\\Enigmo 2.exe'
Enigmo 2 appears to have a maximum resolution of 1024×768, and this command will allow you to run it in a Window that size.
It even works on my HP Mini 1030, which doesn’t have the most fantastic video card in the world :)
Some great news was just announced! The openSUSE project opened its Factory repo up to anyone in the community that would like to directly help maintain, support, and/or contribute to the core distribution. For those that don’t know what Factory is it is the next release of openSUSE. So, the current Factory will become openSUSE 11.2. You can read all about this great news over at http://news.opensuse.org.
To a more open and community oriented future…
ok, since I got the request here is the xen image (32 bit only). I’ll apologize now for the fact that I don’t currently have a way to test this image, so please let me know if it works. It actually has newer packages than the other images. I’ll try to get this all in sync sooner than later.
The June 17, 2009 Salt Lake Linux Users Group meeting will be on Blender a free open source 3D content creation suite, available for all major operating systems under the GPL presented by Christian Horn.
|
| Enlarge image |
This meeting is going to rock! Christian will be covering the VSE and the image editor, then show the game he’s been working on followed up by some questions and answers.
More info on blender can be found here:
http://www.blender.org/
http://www.blender.org/features-gallery/features/
http://en.wikipedia.org/wiki/Blender_(software)
|
| Enlarge image |
|
| Enlarge image |
Time/Date:
Wednesday, June 17, 2009 7:10pm p.m.
Place:
Room 101 or 103 in Lower Warnock Engineering Building
Directions/Parking: Directions - [http://www.map.utah.edu/index.jsp?find=62] Parking can be found just East of the WEB building and there is a big lot just North of the Merrill Engineering building (MEB). Parking is free after 6:00 (Based on the signs posted. Always check in case this changes.)
Special thanks go to: - U of U for providing the meeting room. - Various Volunteers
Well, the packages finally built and I was finally able to build a new appliance. So, the changes:
I’ve added the iscsi packages to the images. This includes the yast packages making it really easy to add external storage through iscsi.
Updated mono core to be 2.4.2 preview 1.
Updated ifolder packages which made our patches obsolete and closer to just working with the next version of mono (2.4.2). I’m not sure what all of the updates were to be honest.
I’ve also generated more formats of images and archs (huge thanks to Nat on the suse studio team)
As a disclaimer I haven’t really tested these much more than the default setup, my scripts in /root/iFolder, and logging in. Please let me know if there is anything you want to see changed, added, or fixed!
So, without further delay here is the list of images. I did exclude the xen image, but if you would like it please just drop me a comment or email.
32 bit:
vmware (works in VirtualBox just fine)
Live image – Let me know how this works out if you try it 
64 bit:
vmware (works in VirtualBox just fine)
Live image – same deal as the 32bit live
Every GNU/Linux distribution ships with GnuPG by default. While they all don’t ship with the same GUI frontend, they do ship with the the same CLI backend. So, we’ll be interfacing with that throughout this informational session. I’m not presenting this as anything necessarily useful. Rather, I hope you find it informational/educational, and learn a little bit with how GnuPG works “under the hood”. So, let’s have some fun. First, a list of the “standard” algorithms that ship with GnuPG on a GNU/Linux system. This is completely based on the type of main public and private keys as well as any subkeys that you’ve generated. You can see a list of supported cipher, digest and compression algorithms by invoking the gpg binary and passing “–version” as an option. For example, here is the output from my Debian GNU/Linux unstable laptop:
$ gpg -v --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
So, for ciphers, I support 3DES, CAST5, BLOWFISH, AES, AES192, AES256 and BLOWFISH. For digest hashes, I support MD5, SHA1, RIPEMD160, SHA224, SHA256, SHA384 and SHA512. Lastly, for compression algorithms, I support uncompressed, ZIP, ZLIB and BZIP2. Your output my vary slightly one way or the other. For example, you may not see the full suite of SHA algorithms. This can be obtained by generating an RSA subkey for signing only. Other ciphers might include IDEA, CAMELLIA128, CAMELLIA192 and CAMELLIA256, and you could have TIGER and WHIRLPOOL as possible supported hashes.
With all these algorithms, how do you know which to use and when? Fortunately, GnuPG takes care of that for you automatically. However, you can tell it what you would to prefer to use for each, if you like. You can set these in your ~/.gnupg/gpg.conf file. The options you are looking to set are “default-preference-list”, “personal-cipher-preferences”, “personal-digest-preferences” and “personal-compress-preferences”. For myself, here is what I have set in my gpg.conf:
default-preference-list 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH MD5 SHA1 RIPEMD160 SHA224 SHA256 SHA384 SHA512 Uncompressed ZIP ZLIB BZIP2 personal-cipher-preferences TWOFISH AES256 AES192 AES BLOWFISH CAST5 3DES personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 MD5 personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
Now, when we printed out the verbose version, we saw in parenthesis S2, S3, H8, H9, Z1, Z2 and so on. We can use these instead of the name in our gpg.conf if we so wish. I prefer the name, as I can’t recall the key to the algorithm, and it’s easier to read. So, in my case, I list out everything that I want for a default list of preferences, then I choose the order of which to pick from when encrypting, signing and compressing. So, for encryption, I have set TWOFISH as my first choice, with AES256 as my second choice, then AES192 as my third, and so forth. I’ve done the same with my preferred digest hashing algorithm choosing SHA512 first, then SHA384 second, and so on, and the same with compression.
Why set the preference? For starters, if you’re like me, you sign all your email by default. You probably want your signature to withstand the test of time as long as possible. Given the strength of today’s hardware, why not choose the strongest encryption and hash algorithms? But on a more practical note, if you’re encrypting data to yourself, this would tell GnuPG to use TWOFISH as the encryption algorithm. This means that if you want to decrypt it at a later date, maybe on another computer, you’ll need to make sure TWOFISH is compiled into GnuPG. How would you know what was used? We’ll cover that in a bit.
However, what about encrypting to someone else other than yourself? How do these preferences come into play? Well, you can also set preferences in your public key. The purpose of this, is when people grab a copy of your key, and they want to encrypt something to you, GnuPG will negotiate the first preferred algorithm that is common between the two end points (the one doing the encrypting and the one receiving the encrypted data).
For example, let’s suppose Alice has a GnuPG keypair as does Bob. In Alice’s public key, which Bob has a legitimate copy of, she has set a cipher preference order of: TWOFISH BLOWFISH AES CAST5 and 3DES. Bob wants to encrypt data to Alice. Because he has a copy of her public key, he can do this. The question here is, which algorithm will be chosen for the encryption? Well, Alice prefers TWOFISH as a first pick. If Bob has compiled TWOFISH support in his copy of GnuPG, then it will be used. Suppose he doesn’t have TWOFISH support. Then the next preferred algorithm is BLOWFISH, because it’s Alice’s second pick. Let’s say Bob does support it, then BLOWFISH is the algorithm used for encrypting the data to Alice. When Alice receives the encrypted data, she’ll use the BLOWFISH algorithm along with her private key to decrypt the data. Should she wish to reply, her copy of GnuPG will pull out the preferences from Bob’s public key, and go through the same process looking for the first preferred algorithm by Bob that is supported by both parties. The “SSL handshake” works much in this same manner.
Digest hashing works much the same way, but slightly different. Because the recipient doesn’t matter with signed data, then rather than looking to public keys for the digest algorithm preference, you turn to your gpg.conf file, if listed, and use that there. If the recipient, or recipients have a copy of your public key, and the same digest algorithm compiled into their copy of GnuPG, they can verify your signature. If either is missing, the public key, or the algorithm, the signature will fail, and GnuPG will explain the problem. This process is the same for compression algorithms.
So, we’ve made the preferences in our gpg.conf, but how do we set them in the public key, so we can distribute this to others? Well, in this case, we need to edit our key. From the terminal (I’ve snipped out the noise, focusing only on what’s important):
$ gpg --edit-key KEYID gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. [ ... SNIP ... ] Command>
We are now sitting at a command prompt that we can use to pass commands in an interactive fashion. I should mention that all this can be done non-interactively. Checking out the gpg manual will provide the list of options for making this possible. Typing “help” will give us the list of commands that we can pass:
Command> help [... SNIP ...] pref list preferences (expert) showpref list preferences (verbose) setpref set preference list for the selected user IDs [... SNIP ...]
The commands that we are interested in “pref” and “setpref”. Passing “pref” might give us something like the following:
Command> pref
[ultimate] (1). Aaron <aaron@example.com>
S10 S9 S8 S7 S4 S3 S2 H10 H9 H8 H11 H2 H3 H1 Z3 Z2 Z1 Z0 [mdc] [no-ks-modify]
See those algorithm codes we saw at the beginning of this tutorial? They are listed in the preferred order that we wish to have each algorithm. In my case, I have all my encryption algorithms lists, from strong to weak, then hashing from strong to weak, then compression from most tight to no compression. What if I wanted to set a different order, or maybe not include some preferences: Using “setpref” makes this possible:
Command> setpref S10 S9 S8 S7 H10 H9 H8 H2 H3 Z2 Z1 Z3 Z0
Set preference list to:
Cipher: TWOFISH, AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA1, RIPEMD160
Compression: ZLIB, ZIP, BZIP2, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences? (y/N)
Typing “y” will of course make the setting in your key. At this point, you’ll be asked to enter your private key passphrase successfully before continuing. At that point, it will be statically set in your public key, and you can send your key off to the keyservers and emailed to your family and friends, so they can immediately start taking advantage of the new preferences. Type “quit” to leave the prompt.
Now, let’s say you have some signed and encrypted data, and you’re curious of the algorithms used when creating the cipher text. This can be done by passing the “–list-packets” option to gpg to see the data packets. We’ll need to turn on verbosity as well. For example, the output of a file I sent to a friend using the Mutt email client (emphasis mine):
gpg -v --list-packets file.txt gpg: armor header: Version: GnuPG v2.0.11 (GNU/Linux) [... SNIP ...] gpg: AES256 encrypted data :compressed packet: algo=3 :onepass_sig packet: keyid CE7911B7FC04088F version 3, sigclass 0x01, digest 8, pubkey 1, last=1 :literal data packet: mode t (74), created 1244484492, name="mutt-helios-1000-24974-13", raw data: unknown length
Here, I can easily see that AES256 was used for the encryption algorithm, but what’s this compressed “algo=3″ and “onepass_sig packet digest 8″ stuff? Well, in order to understand those, we need to turn to RFC 4880. This RFC describes the OpenPGP message format and the standards used. Browse your way down to section 9, and you’ll see what “algo=3″ means for compression and “digest 8″ is for signatures. It appears, according to that RFC, that BZIP2 was used for compression and SHA256 was used for the hashing algorithm. So, in this case, Christer and myself preferred those settings higher than the others, and my GnuPG acknowledged those preferences and did the encrypting, signing and compressing as told. We can see these by “editing” his key:
$ gpg --edit-key christer
[... SNIP ...]
Command> pref
[ full ] (1). Christer <christer@example.com>
S9 S8 S7 S3 S2 H2 H8 H3 Z2 Z3 Z1 [mdc] [no-ks-modify]
[... SNIP ...]
Command> quit
Christer places AES256 has his first preferred encryption algorithm. Because I also support this algorithm, this is used for the encryption. SHA1 is his preferred digest hashing algorithm with SHA256 as his second preferred, but remember that for the signature and compression, these preferences are found in my gpg.conf instead. I prefer SHA512 as my first preference, but he doesn’t list it as suported (according to his public key), so I move down to SHA384. Again, he doesn’t list it, so I try SHA256. He lists it, so it’s used. Lastly, BZIP2 as the compression algorithm, and he lists it, thus it’s chosen. Thus, the results we got. Make sense?
I hope this has been informative. It’s been great discovering the details of how these algorithms were chosen, and it’s been fun playing with all sorts of encrypted emails and files to get to the guts of the GunPG process. If I’ve misrepresented any data here, or you have questions, please let me know.
Lately I've been feeling rather disappointed by Evolution. I've been a long time user (7 years I think) and for the most part it works great. But it's that "most part" bit that really is starting to grind. The last few iterations that I've tried (whatever is bundled with Ubuntu Feisty, Gutsy, Intrepid and Jaunty) have all had a a few quirks, none of them the same of course, For instance, The Intrepid version had an annoying habit of leaving messages marked as unread, even after I, you know, read them. Made for an annoyance when filing messages away. Worse, many of the messages that Evolution said were read, weren't really marked as such on the server so sometimes messages would magically unread themselves.
So I decided to give KMail another shot. I tried it last year sometime I think it was and decided it just didn't cut the mustard. But I'm a few revs forward on KDE now so it was worth a try. Over the last few days I have found it to be less annoying and much snappier than Evolution so I am considering a permanent switch, but it too does have issues. One major oddity is that when I open up a new folder, the unread messages count will reset while the folder is rescanned. That's just crazy. I can see why in a way, but there's just no need for it. A second complaint is that there's no way to move to the next message without closing the currently open message and opening a new window (I turn off the preview pane).
On the other hand, KMail excels in a quite a few ways. Contact auto completion is much much (much!) faster. I like the idea of the "favorite folders", although to date I haven't made much use of it. I like the way it integrates with my Spam Assassin. It handles multiple identities perfectly (although the configuration is kind of spread out).
Of course the elephant in the room is Exchange support. It's a necessary evil at least at my company (better than Groupwise!). Evolution has an Exchange plugin which works via Outlook Web Access to give you all the features of Exchange in Linux. In theory anyway. While many features do work, not all are flawless. The address book doesn't work for me. My calendar doesn't seem to sync with the server calendar. I've had previous problems with server-side calendar reminders not working, although the version in Jaunty seems to work fine.
Is there anything better out there that I should take a look at? Exchange support would be great, but frankly I don't use all the extra features all that often and if I have to fire up Outlook (via terminal services) once a week, that's not a deal breaker. I would like it to be rock solid, though.
I'm working on an upgrade of a RADIUS server and I need the ability to verify that my changes won't alter the behavior of the server. So what would be really nice is a way to record all the network traffic going to my RADIUS server with a tool like tcpdump and then resend it to my test server and compare the results. As luck would have it, there is such a tool and it's named tcpreplay.
While I haven't run the full tests on my RADIUS server, I have done a few simple tests with ICMP and UDP packets just to verify that it will work with protocols other than TCP, despite its name. It does. Here's an example.
In on root shell, run the following command to capture packets:
# tcpdump -np -s0 -i eth1 -w icmp.pcap icmp and dst host 192.0.20.1
Then, in another shell, start a ping to the IP address in question:
$ ping -c 5 192.0.20.1
PING 192.0.20.1 (192.0.20.1) 56(84) bytes of data.
64 bytes from 192.0.20.1: icmp_seq=2 ttl=64 time=1.63 ms
64 bytes from 192.0.20.1: icmp_seq=3 ttl=64 time=1.49 ms
64 bytes from 192.0.20.1: icmp_seq=4 ttl=64 time=1.55 ms
64 bytes from 192.0.20.1: icmp_seq=5 ttl=64 time=1.55 ms--- 192.0.20.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4021ms
rtt min/avg/max/mdev = 1.490/1.567/1.639/0.049 ms
Now you've got a PCAP file that you can feed to tcprelay. This is a very basic, and fun, way to run tcprelay so that you can watch and confirm each packet. There are many other options for how you can alter the replay.
# tcpreplay --intf1=eth1 --oneatatime --verbose icmp.pcap
sending out eth1
processing file: icmp.pcap
reading from file -, link-type EN10MB (Ethernet)
15:45:37.376377 IP 192.0.20.189 > 192.0.20.1: ICMP echo request, id 58216, seq 1, length 64
**** Next packet #1 out eth1. How many packets do you wish to send? 1
Sending packet 1 out: eth1
15:45:38.383298 IP 192.0.20.189 > 192.0.20.1: ICMP echo request, id 58216, seq 2, length 64
**** Next packet #2 out eth1. How many packets do you wish to send? 1
Sending packet 2 out: eth1
15:45:39.391925 IP 192.0.20.189 > 192.0.20.1: ICMP echo request, id 58216, seq 3, length 64
**** Next packet #3 out eth1. How many packets do you wish to send? 1
Sending packet 3 out: eth1
15:45:40.394081 IP 192.0.20.189 > 192.0.20.1: ICMP echo request, id 58216, seq 4, length 64
**** Next packet #4 out eth1. How many packets do you wish to send? 1
Sending packet 4 out: eth1
15:45:41.398076 IP 192.0.20.189 > 192.0.20.1: ICMP echo request, id 58216, seq 5, length 64
**** Next packet #5 out eth1. How many packets do you wish to send? 1
Sending packet 5 out: eth1
Actual: 5 packets (490 bytes) sent in 15.14 seconds
Rated: 32.4 bps, 0.00 Mbps/sec, 0.33 ppsStatistics for network device: eth1
Attempted packets: 5
Successful packets: 5
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
I’ve been getting a flurry of emails at work, reminding me that my passwords are about to expire on several Unix and Linux machines in our production datacenter. They have a policy in place, where the password much be changed every 90 days, and I have to keep my current password for at least 7 before changing it, and I can’t use any password that has been used previously, let alone, the insane requirements for the password. So, rather than fight it, I thought I would make this easy on myself.
First, I’m a big fan of SSH key authentication. Because I’m allowed to use SSH authentication, I have my public SSH key on all the servers in the datacenter. When my password is about to expire, I get an email notice once per day two weeks in advance. I can use this email as an opportunity to execute a script that will change all the passwords on all the servers for me. In the script, I’ll have it grab some data from /dev/urandom, and create a sha1sum of the input. An encrypted version of the hash will then be saved locally to disk, which will be encrypted with my GnuPG key, and emailed to myself, should I need the password for something other than SSH. Lastly, just so the password can’t be compromised, only the encrypted versions of the password remain on disk. The hashes themselves are shell variables that are cleared when the script exits. Further, I’ve changed the permissions on my home directory, where my SSH keys and GnuPG keys exist, such that everything sensitive is only accessible to myself. I realize that convenience comes at the sacrifice of a bit of security. My laptop is running full disk encryption, and my password to guard my account is strong. I am the only one on my machine, and I expect it to stay that way. As such, I’m not worried about anything getting compromised.
All of this is stored in a simple shell script, shown below. You will need the “expect” and “sha1sum” packages installed on your system before executing this script. You will need a GnuPG key pair generated for encrypting and decrypting data. You’ll need SSH keys created and distributed to each server beforehand. You should probably have your SSH keys added to your SSH agent, as well as your GnuPG key added to a GPG agent before executing the script, to save you some serious typing. I won’t cover that here, but Seahorse is a great utility for managing GPG and SSH keys. Of course, your SSH keys and GPG keys should be passphrase protected.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | #!/bin/sh # License: public domain if [[ -f newpass.gpg ]]; then mv -f newpass.gpg oldpass.gpg OLDPASSWD="$(gpg -d oldpass.gpg)" fi # Change "Your Name" to fit the user ID that matches in your GPG key dd if=/dev/urandom count=100 2> /dev/null | sha1sum -b - | \ gpg -ar "Your Name" -e - > newpass.gpg # Change "username@domain.tld" to match the email you wish to send this to cat newpass.gpg | mail -s "Password for servers" username@domain.tld NEWPASSWD="$(gpg -d newpass.gpg)" # Change "server1 server2 sever3" to match the hostnames of the servers you'll loop over # Change "domain.tld" to match the FQDN for your servers for host in server1 server2 server3; do EXPECT=$(expect -c " spawn ssh $host.domain.tld send \"passwd\r\" expect \"(current) UNIX password: \" send \"$OLDPASSWD\r\" expect \"New UNIX password: \" send \"$NEWPASSWD\r\" expect \"Retype new password: \" send \"$NEWPASSWD\r\" ") echo $EXPECT done |
Initially, when I started writing this script, I wanted it to run in cron locally on my laptop. As I began building the script, I realized this wasn’t a secure move, for a couple of reasons. First, as already mentioned, I’m using SSH authentication using public key cryptography. All of my SSH keys are passphrase protected. I didn’t want to store the passphrase in the script, so I could automate the process, and I didn’t want to remove the passphrase or generate new keys that didn’t have a passphrase. Further, wanting to encrypt the data, and send it to myself via email required that I store my GnuPG passphrase on disk as well. I didn’t like this idea either, as I’m already storing the new and old encrypted passwords on disk from the script, and that’s enough. No need to compromise security any further. So, I’ll run this script by hand.
However, we have a problem. You will be typing passphrases galore in this script if you have a decent number of hosts to loop through. So, as mentioned, it would probably be best to take advantage of an SSH and GPG agent to cache your passphrases to ease the pain before executing the script.
Looking over the script a bit. First thing to note, is it is sending the same password to every server. You might not want this. If so, feel free to modify the script to fit your needs. Second, the sha1sum hash is never stored on disk. Rather, it’s just stored in variables OLDPASS and NEWPASS. The idea between the old passwords and the new passwords, is so we can provide the current password when updating, as well as the old.
We’re pulling from /dev/urandom as a source for semi-random data. Yes, you can pull from /dev/random if it makes you sleep better at night. Also, we’re not pulling a lot of data, because ultimately, the SHA1 hash will be strong enough as it is. You’ll notice too that because we’re using STDIN for our data source, the hash contains a space, asterisk and hyphen following the hash, and we’re keeping it. I figured no reason to remove it, as spaces, asterisks and hyphens are valid UNIX password characters. If your company has a more draconian password policy than mine does, requiring specifically more than say 3 or 5 non-alphanumeric characters, then just append those to the end of hash before encrypting to disk. Maybe something like the string “!@#$%”.
Lastly, we’re emailing the encrypted password to ourselves, so no worries about compromising there, plus that gives us an extra backup in case we lose our disk that is storing the encrypted passwords. This also gives flexibility to where we can retrieve the password, provided we have access to the Internet and our GPG keys. Then we’re using “expect” to send the passwd command to the server and send our old and new passwords as prompted for each server. You might need to change the expected prompt depending on your GNU/Linux or Unix derivative (”New RedHat password: ” for example).
That’s it! Simple enough. If you have any questions, or improvements, please post them in the comments. Thanks!
So, since I upgraded to Jaunty, I had been seriously irritated with their decision to change the way updates are handled.
Instead of the familiar update notification icon in your notification area, the update window just pops up when a security update is available, or once a week for everything else. I'm not running OS X or Windows. I'll update my computer when I feel like it!
Fortunately, I was looking at the Jaunty release notes for an explanation of this idiocy, and instead of finding good reasoning, I found a way to change it back to the old behavior.
gconftool -s --type bool /apps/update-notifier/auto_launch false
Following the tradition of retarded naming schemes, Jaunty Jackalope was released today. I've successfully upgraded 4 machines (three from aptitude safe-upgrades, and one from a fresh install). Here are some notes I've gathered so far:
All in all, the upgrade process hasn't been that bad. There are some cool new graphics (the new usplash and gdm themes look much better). There haven't been any "holy crap, look at that" features that I've seen yet, but it's only been less than a day.
On another note, if you're in the software development business and you use Ubuntu on your production servers, don't plan any of your own releases near any of Ubuntu releases. Trying to install some needed packages on our servers proved difficult with everyone else hoarding the bandwidth trying to download the new version.
I've upgraded my last machine from Intrepid to Jaunty, my EeeBox. Flawless victory, upgrade went without a hitch. I'd say that all in all, this has been the easiest upgrade for me.
Following the tradition of retarded naming schemes, Jaunty Jackalope was released today. I've successfully upgraded 4 machines (three from aptitude safe-upgrades, and one from a fresh install). Here are some notes I've gathered so far:
All in all, the upgrade process hasn't been that bad. There are some cool new graphics (the new usplash and gdm themes look much better). There haven't been any "holy crap, look at that" features that I've seen yet, but it's only been less than a day.
On another note, if you're in the software development business and you use Ubuntu on your production servers, don't plan any of your own releases near any of Ubuntu releases. Trying to install some needed packages on our servers proved difficult with everyone else hoarding the bandwidth trying to download the new version.
I've upgraded my last machine from Intrepid to Jaunty, my EeeBox. Flawless victory, upgrade went without a hitch. I'd say that all in all, this has been the easiest upgrade for me.
Following the tradition of retarded naming schemes, Jaunty Jackalope was released today. I've successfully upgraded 4 machines (three from aptitude safe-upgrades, and one from a fresh install). Here are some notes I've gathered so far:
All in all, the upgrade process hasn't been that bad. There are some cool new graphics (the new usplash and gdm themes look much better). There haven't been any "holy crap, look at that" features that I've seen yet, but it's only been less than a day.
On another note, if you're in the software development business and you use Ubuntu on your production servers, don't plan any of your own releases near any of Ubuntu releases. Trying to install some needed packages on our servers proved difficult with everyone else hoarding the bandwidth trying to download the new version.
I've upgraded my last machine from Intrepid to Jaunty, my EeeBox. Flawless victory, upgrade went without a hitch. I'd say that all in all, this has been the easiest upgrade for me.
Tommorow is the Big Day for GNU/Linux, when Ubuntu goes through it’s regularly 6 month upgrade. Ubuntu 9.04, codenamed “Jaunty Jackalope” is due for release. The consequence is, these servers will get slammed, meaning that’s it’s difficult for people who use other distributions on some mirrors to update their distribution. As a result, rather than hit the servers with FTP or HTTP, it would make sense to pull as much strain off the big iron as possible. There are many ways to pull this off, such as rsync, jigdo and bittorrent.
Unfortunately, as efficient as they can be, rsync and jigdo still hit the servers, even if it’s light. Bittorrent doesn’t have to, being a peer-to-peer technology. So, when you’re looking to get your latest ISO downloaded and burned, so you can hand them out at release parties, install on new boxen, or just for archival, it would be best if you used bittorrent. Of course, if you use bittorrent, then rather than cut the connection when you’re done, get at least a one-to-one ratio on uploads to downloads, so everyone can benefit.
Many popular bittorrent clients exist as Free Software for GNU/Linux, such as Transmission, GNOME Bit Torrent and rTorrent (text-based). Trackers will be ready, if they’re not already, and the ISOs will be ready to go. Just find a link with a torrent to grab, and start downloading and sharing. No worries either for data speeds. Everytime I’ve used bittorrent on the release day, my connection was always filled to the max at 1 MB/s. Let us not forget how popular Ubuntu really is!
See you on the other side!
P.S.: The Ubuntu help documentation has a good guide for upgrading from 8.10, if you go that route. https://help.ubuntu.com/community/JauntyUpgrades
Stephen Dubner, the famed economist behind Freakonomics (an excellent book, btw), posed the question, is it time to rename 'Digital Piracy'?" The answer is an unequivocal "yes". Despite what Shakespeare said, sometimes a name can mean everything. I refuse to accept the word "piracy" as anything other than high-seas pillaging. I suppose one positive outcome of the recent surge in Somali piracy is that people are realizing that copyright infringement hardly warrants such a strong word, especially when we have a perfectly adequate one. Let's not let the geniouses at the RIAA, who've had a wonderfully successful program of suing their customers, dictate our terminology on the matter.
This month’s Salt Lake Linux Users Group meeting will about a consumer Network Attached Storage device.
http://en.wikipedia.org/wiki/Network-attached_storage
We’ll look at a consumer NAS device and see what it’s about, starting with taking a peek the the teeny-weeny pcb that attaches to the biggish sata drive, looking at the services it offers, and how it can be put to good use in the home.
Time/Date: ---------- Wednesday, April 15, 2009 7:10pm p.m. Place: ---------- Room 101 or 103 in Lower Warnock Engineering Building Directions/Parking: Directions - [http://www.map.utah.edu/index.jsp?find=62] Parking can be found just East of the WEB building and there is a big lot just North of the Merrill Engineering building (MEB). Parking is free after 6:00 (Based on the signs posted. Always check in case this changes.) Special thanks go to: - U of U for providing the meeting room. - Various Volunteers
Not literally, of course. This is programming talk, those of you who aren’t programmers can let your eyes glaze over.
I wanted a script to start a bunch of little servers, then wait around for them to finish or when the user interrupts with Ctrl-C, clean up the servers instead of orphaning them. I wanted to propagate the SIGINT to the child processes. I wanted to kill the kids.
The simple way, if you just want to make sure the kids are killed and you don’t care how:
sleep 300 &
# etc.
trap "kill $(echo $(jobs -p)) 2>/dev/null" EXIT
wait
If you only want to trap SIGINT and want to make sure you send SIGINT (not SIGKILL) to the children, then you want to do something like:
trap "kill -INT $(echo $(jobs -p)) 2>/dev/null" INT
wait
Update: I was asked by a shell scripting guru why I needed to do $(echo $(jobs -p)) and not just $(jobs -p). I intended to cover that but forgot. The reason is that $(jobs -p) has newlines and while that’s not usually a problem it is in a trap statement, because it’s evaluated at creation time not at run time. It also means that processes created after you create the trap wouldn’t be killed. Then, he suggested a function instead. Pure brilliance. Where does he come up with these things? Here’s the improved version:
function killkids() { kill $(jobs -p); }
trap "killkids" EXIT
You can still redirect stderr if you want to, but the reason I was directing stderr was because some of the kids may have already died (early evaluation remember) and then kill would needlessly complain. This way, it kills all the kids that are still alive, none more none less.
Recently, Andrew wrote me an email, which I shall pass on for the benefit of all:
Hi Scott
I started off writing a serious email, but your “why Santa Can’t Exist” converted me to tears of laughter, the story above it soon gave me a reality check, poor girl.I was before I was interrupted with humour reading your blog posts on Linux, and was very impressed with the informative way that you write. We create video based tutorials and over the last 18 months we have been turning more of our resources to covering Linux based subjects. We have also been converting our videos to play in Flash as well as QuickTime, so Linux users don’t have to mess around installing 3rd party apps and invoke all kinds of trickery just to watch a simple training video.
I was wondering if you would consider offering some of our links to your visitors, I have listed the tutorials below that may be of interest:-
http://www.computer-training-software.com/opensuse.htm
http://www.computer-training-software.com/ubuntu-linux.htm
http://www.computer-training-software.com/ubuntu-server.htm
http://www.computer-training-software.com/ubuntu-certification.htm
http://www.computer-training-software.com/linux-security.htm
http://www.computer-training-software.com/lpi.htm
http://www.computer-training-software.com/lpic-2.htm
http://www.computer-training-software.com/linux.htm
Thanks, Andrew.
My home network has "native" IPv6 through a series of tunnels that I've set up. The setup is pretty basic. A v6-in-v4 tunnel comes in through HE to my server, giving my server control over... a lot of v6. From here I segment it off a bit, and then branch the connectivity out over several other tunnels. One of these tunnels, as you could guess, heads to my home router.
When I was initially setting up the server <--> home tunnel, my firewalling rules gave me a fair bit of crap. Staring at tcpdump for quite some time didn't give me any leads concerning the proper rule to create, and I wound up whitelisting my entire home IPv4 address (that sounds a bit silly - whitelisting an 'entire v4 address' - you know, all one of them).
I finally got sick of allowing this IP full access to everything, because there were quite a number of ports "open" on the server but that I didn't want anyone outside accessing. This also caused problems with creating proper rules in the first place, because my only test bed was... from an entirely whitelisted IP. Suffice it to say some things that I thought were open were in fact not open to anyone but me, and this caused me quite the headache before I figured it out.
So how did I fix this? The answer is actually pretty simple - 42.
Wait, no. I meant 41. Sorry. Really I did. 41 is the protocol number assigned to IPv6. If this was obvious to others, well, sorry that I'm so slow. I didn't know. If I had known that I should be picking random numbers and trying them in a not exactly often used iptables command, then maybe I would have done this earlier.
Fun fact: "TCP" is 6. Note how this is ambiguous in terms of which "IP" it means, but in this case, it means IPv4. Why TCP is "6" is evidently defined in RFC 793, and why IPv6 is "41" can be found in RFC 1883 (or 1112, not exactly sure).
Note how TCP is 6, and that UDP is 17. Both TCP and UDP are commonly known as "TCP/IP" and "UDP/IP." Both of these operate quite nicely over both IPv4 and IPv6. IPv6 has an assigned number - but IPv4 does not. How you would intermix this I'm not sure. I can block IPv6 quite nicely it seems, but IPv4 is strangely absent. Does 6 imply v4? Does 17 imply v4? How can you filter UDP over 41?
I have no idea. I'm confused too. If you can make sense of the why, I'd be very interested in finding out why these protocol number seem so convoluted and inconsistent. It is pretty obvious that the protocol number for v6 was tacked on long after the base numbers for TCP and UDP were established, but whatever.
Enough rambling.
So how did I fix this firewalling issue?
# iptables -I INPUT -s <v4 home address here> -p 41 -j ACCEPT
# iptables -I INPUT -p tcp --dport 80 -j ACCEPTIt is just a simple protocol match. All we're doing is matching the v4 source address, the v6 data, and allowing it through. Despite the above example doing something quite different, the -p switch does the same thing: matches a protocol.
So tonight I was sitting there tonight getting ready to setup cobbler for another installation source, and I noticed something very odd.
# ls -l /root
total 88
-rw-------. 1 root root 1176 2008-11-23 17:22 anaconda-ks.cfg
drwxr-xr-x. 2 root root 4096 2008-12-14 18:37 bin
See the . ? Where you ask? Look closer!
drwxr-xr-x. <– look, there it is!! At first, I thought it was just one file, but then I noticed it other places, then I looked further, and it seems to be everywhere.
What is up with that? Where does this come from? What is it for? LazyWeb, can you help me?
Cheers,
Herlo
At work, we have an RHN satellite that is registered against RHN, and pulls down all the updates as necessary for the 32-bit and 64-bit RHEL servers that we have in our network. We currently have 34 RHEL servers in operation, with the expectation to grow past 40, all without virtualization. When we really start taking advantage of Xen and/or KVM, so our developers each have their own sandbox, our RHEL saturation will grow past 200. We need a simple way to manage this. My solution was simple: install clusterssh on my Linux desktop, then write a simple script to automate the regestration. First, the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | #!/bin/bash # Register the machine with the local satellite # Replace 'server.com' with the FQDN of your satellite server rpm -Uvh http://server.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm sed -i 's/https:\/\/xmlrpc.rhn.redhat.com/https:\/\/server.com/' /etc/sysconfig/rhn/up2date sed -i 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/' /etc/sysconfig/rhn/up2date rhn_register if rpm -q yum &> /dev/null; then yum clean all yum -y update else up2date -u fi |
This script doesn’t have much to it, but it sure beats the pants off doing it manually. It installs the SSL certificate necessary for communicating with the satellite. Note: if your date timestamp is not in sync with the satellite, then the SSL certificate will fail validation against the satellite, and you won’t be able to continue. It would be ideal if you are taking advantage of NTP, encrypted or unencrypted, to keep all your dates in sync.
After installing the certificate, we make only two edits to the /etc/sysconfig/rhn/up2date file, pointing our updates to our satellite and telling it the certificate that it needs to use. After which, we run ‘rhn_register’ to register ourselves against the satellite. This will require interaction, specifying your username and password to login to the satellite, and so forth. Lastly, after the registration, we update our system to grab and install the latest packages.
Simple.
Now, with 200 possible RHEL systems, doing this on each system one by one could be problematic. My solution? I installed clusterssh to manage the large amounts of servers that I’m interacting with. I then created a .csshrc file to store all the profiles that I need. Now, when I’m ready to register the systems, I can do them in bulk, rather than one at a time. Of course, you can have X11 forwarding to your display, if you want, as clusterssh reads the standard SSH config file in your home directory, as clusterssh is just a frontend to multiple SSH connections. This could get messy though, with several popups on your desktop. Your mileage may vary.
Now, the results. I have just registered 16 RHEL 5.2 servers against my satellite in the time in would take me to do one. Good thing for good GNU/Linux tools and a little bit of hackery.
It’s time to announce April’s presentation, it’s looking to be great.
Cooking with PAM
Thad Van Ry will cover the basics of Pluggable Authentication Modules (PAM). If you’re a Sys Admin who wants to know how PAM can help you or hurt you, this meeting is for you. Thad will go over the different stacks available as well as how to call modules and their control flags.
Thad is a Linux System Administrator for the LDS Church. He has been using Linux in his work life for the past 12+ years.
We meet in conference room A on the lower level of the Salt Lake Library. Head down the stairs, make a left turn. The conference room is directly under the foyer area (the area with all the shops on the 1st level) If you aren’t clear, ask the information desk. A map is available of all floor plans of the library.
Also, our meetings should be posted on the Electric Signs by the entrance to the library on the first floor.
I setup the new office printer here on my laptop this morning and I had all kinds of trouble getting it to work with the system-config-printer graphical utility that I usually love so much. As part of my troubleshooting I thought I’d try the web interface, which worked great! That gave me the idea of sharing how to configure your printers over the default-installed, yet often unused, web interface.
CUPS, the Common Unix Printing System, comes with a web interface by default that many people don’t know about. If you’d like to take a quick peek at it go ahead and open a new tab and visit http://localhost:631. Did you know you can configure everything via the web interface that you might normally configure via the graphical interface? Everything from creating and deleting printers, to printing test pages and assigning the default printer for the machine.
Now, for those of you that are suddenly worried about a service running on your machine that you were unaware of, CUPS only allows connections on the localhost interface by default. In other words, if you tried accessing it over your public IP it would deny you access. This means it would also deny access to anyone else trying to get in and manipulate your printers.
It is possible to make this interface open to more than just your localhost connection, just be sure you’re aware of the security implications first. Anyone with access to that web management tool may be able to view, customize and possibly even delete your configured printers.
To allow access to the printer web interface simply edit the /etc/cups/cupsd.conf file and update the line reading:
Listen localhost:631
To:
Listen 0.0.0.0:631
You can, of course, replace 0.0.0.0 with a more specific IP address. Using 0.0.0.0 will listen on all available addresses the machine has.
In conclusion, configuring your printers is not limited to the graphical interface. CUPS has provided a web interface for some time now and its nearly as simple to use. The next time you have issues configuring or managing your printers, give the web interface a try!
This month’s meeting will be presented on Parrot by Stephen Weeks:
Parrot is a virtual machine for dynamic languages and a very nice set of compiler tools. I’ll be walking through the steps of implementing a compiler for Parrot from the ground up, using scheme as an example.
From the Parrot web site:
“Parrot is a virtual machine designed to efficiently compile and execute bytecode for dynamic languages. Parrot currently hosts a variety of language implementations in various stages of completion, including Tcl, Javascript, Ruby, Lua, Scheme, PHP, Python, Perl 6, APL, and a .NET bytecode translator. Parrot is not about parrots, though we are rather fond of them for obvious reasons.”
It seems that a class may have room 101 scheduled this semester so we may meet in 103 which is just across the hall from 101.
Time/Date: ---------- Wednesday, March 18, 2009 7:10pm p.m. Place: ---------- Room 101 or 103 in Lower Warnock Engineering Building
Directions/Parking:
Directions - [http://www.map.utah.edu/index.jsp?find=62]
Parking can be found just East of the WEB building and there is a big
lot just North of the Merrill Engineering building (MEB).
Parking is free after 6:00 (Based on the signs posted. Always check in
case this changes.)
Special thanks go to:
- U of U for providing the meeting room.
- Various Volunteers
So, due to my inability to prefix a command with a "/", I recently lost most of my home directory. So, I was prompted to write a backup management script. My only problem was I wanted the ability to NOT backup certain directores (I really don't need to backup the kernel source four times), and I wanted the final result gpg encrypted. So, I present you with backup.sh. When called, it scans $HOME for .nobackup files, and adds the directory to the exclude list for the backup. It then creates, if it doesn't exist already, $HOME/.backups, and $HOME/.backups/.nobackup (there's no point in backing up backups, over and over). The backup is in a timestamped .tar.gz, and if $HOME/.backups/gpgkey exists (and contains something like, "0x057F140A", no trailing newline, less quotes), it will then encrypt the backup and rm the .tar.gz (no longer needed).
When I taught Linux system administrators, I would go through a series of rules, and rule #1 was always:
Whenever you’re editing config files, and a tool exists to make the change, use the tool instead of editing the config by hand.
The logic is easy to follow. We as humans are capable of error. Unfortunately, error happens all too often. The more we rely on ourselves to make changes by hand, rather than use an automated system, we’ll be bound for mistakes. So, use the tools are the most appropriate means for making changes to your config file in Unix and Linux
For example, editing the /etc/sudoers file. Many will just use vim or emacs, edit away, save and quit, and call it good. This is unfortunate, as your editor probably doesn’t have a syntax checker for the /etc/sudoers file. As such, you should be using the ‘visudo’ binary which does ship with a syntax checker. What about editing the /etc/passwd file? ‘usermod’ is your tool. And for the /etc/shadow file? ‘chage’ my friend. You should even use ‘postconf’ for your /etc/postfix/main.cf file. Of course, there are config files that don’t ship with an appropriate tool to edit the config file correctly. Further, there are times when editing a config file by hand is called for. However, you should be reaching for the tool first.
Now with this in mind, let me tell you an experience I had breaking this rule.
At my current place of employment, I’m in charge of several HP-UX 11v1 servers. Being new to HP-UX, I’ve been spending many an hour reading the documentation off of HP’s site, and dorking around when I have the time. It’s been a fascinating experience. Recently, I discovered that HP-UX can access software from a software repository (they refer to them as “depots”). This was great news to me, as I was getting real tired of the Bourne shell. I miss my tab-completion, inline history editing, and other shortcuts I’ve grown accustomed to. So, I looked for BASH, and it was available. I installed it using ’swinstall’, and I was up and running. Now all I needed to do was make BASH the default shell for my account and the root account, and I’d be in heaven.
It worked fine setting the shell for my unprivileged user, but not for root. Every time I ran ‘usermod -s /usr/bin/bash root’, it came back with an error saying that the root account was already logged in. Well, of course! How do you expect me to change root’s login shell? Well, rather than troubleshoot the issue, and learn if there was an appropriate way to accomplish this task, I jumped into the /etc/passwd file with vi, and edited root’s line. Except, apparently, unknown to me, I made a syntax error.
This was discovered when I wanted to login. Even after providing the password successfully, I was unable to reach a shell prompt. I tried everything I could think of to become root, but everything was failing. I thought further about single user login from a reboot. Could that even be possible? Will single user mode still process the /etc/passwd file? Frantic, I started thinking irrationally, thinking about sending a password file via SCP, FTP or NFS, logging in without creating a new login shell, and other craziness.
I was bothered the rest of the day, and through the night. I didn’t sleep well, and I was up very early before the day started to see if I could think of anything new. Thinking of sending the file via SCP, I wanted to check the permissions of /etc. I looked, and saw ‘r-xr-xr-x’. I thought this was odd, so I thought I’d look at the permissions of the passwd file itself: ‘rw-rw-rw-’. Yes, you read that correctly. Anyone and everyone on this system could edit the passwd file!!! Could this be true? I logged in as my unprivileged user, made the edit, saved the file, and exited. I still didn’t believe what just happened, so I had to cat the file out to the terminal to double-check: just in case. Sure enough, the edit stuck, and I could login as root. The unprivileged user saved the day, due to a horribly bad permission set on the /etc/passwd file.
Sometimes, it takes the worst of experiences to teach us lessons in life, and one such lesson was taught to me that I spent so much time teaching to my students. I should have spent the time learning why usermod would not let me change any login attributes for root. Rule #2 to my students was always:
If the tool doesn’t succeed, learn why.
Maybe editing the config file by hand was the appropriate solution. Maybe not. All that matters here, is I made a rash decision that could have had disastrous consequences, all because I didn’t want to use the appropriate tool or troubleshoot the problem.
I spent a little bit of time trying to find an answer to this today but I was unsuccessful. I’m hoping one of you will have the secret for me.
Situation:
I’ve configured my .ssh/config file with profile and port information for the many servers I connect to on a regular basis.
Problem:
One of the servers I need to access requires bouncing through another server first. ie; In order to access machine2 I have to connect to machine1 first. How to automate this within the .ssh/config?
When I manually connect to this I use:
ssh -t machine1 ssh machine2
What I would like to do is configure my .ssh/config file to use that -t option when connecting to that specific machine. I would like to be able to simple run:
ssh machine1
and based on the configuration in the .ssh/config have this automatically connect to machine2.
Any ideas?
Now it seems like forever ago, but I have been on the hunt for a good Django IDE for a very long time. I have tried PyDev, Aptana, Komodo, TextMate, Vim, Emacs, Wing IDE and every variation in between, but was never satisfied with the featurset. I wanted complete python language support and completion, complete support for Django Templates, total HTML support, as well as complete Javascript (specifically jQuery) support. Most editors made the mistake of having support for some of those individually, but I can’t get javascript support inside of a Django Template etc.
The magical and awesome app that represents the first real attempt at a complete Django development environment? Netbeans!
I know it sounds crazy, but progress is being made, and while its a boatload of effort to get it built, and even then, not much of the promised featureset actually works. But those are just details, examination of the code available at:
http://code.google.com/p/netbeans-django/
shows some real work being done towards a Django project type. Moreover, a recent blog post from someone at Sun alludes to this support being available as soon as Netbeans 7.0.
Perhaps this is just another let down waiting to happen, but the existing Python code support is fantastic, and significant strides appear to already have been made towards the goal of total Django integration. If you want to try out the existing language support, just grab the Netbeans 7M2 build and install the Python plugin!
Here’s a great article about a handful of ways that OpenSUSE Linux 11.1 makes for a fantastic desktop.
Excerpt:
“One such distribution, Novell’s OpenSUSE, reached its 11.1 release late last year, packed with the (at times, overreaching) desktop feature ambition on which the SUSE name was built, but also enhanced with the sort of community-embracing capabilities that the distribution will require to hang on to its prominence.”
“In particular, OpenSUSE 11.1 is the first release to ship since Novell’s OpenSUSE Build Service hit Version 1.0. The Build Service enables users to create, compile and host software packages for OpenSUSE, as well as for several other Linux distributions, such as SUSE Linux Enterprise, Red Hat Enterprise Linux and Fedora, and Ubuntu.”
Last night, I spent a few hours migrating this production server from Ubuntu 8.04 “Hardy Heron” to Debian 5.0 “Lenny”. Many have asked me online and in person why I would make the switch, especially being a heavy Ubuntu advocate. I hope I can explain that in a clear manner in this post. But first, let me make it crystal clear that I’ve in no way abandoned Ubuntu or its ideals. I am running Ubuntu in VirtualBox on my work laptop, Ubuntu on my personal laptop and Ubuntu on the home desktop. I am only running Debian as servers.
So, why migrate from Ubuntu to Debian on the server? Surely, Ubuntu isn’t that bad of a server platform. You’re correct. It isn’t. In fact, it’s been “good enough” for me since installing it, which actually has an interesting history. This server came from a repossession when I used to work for a major home furnishings company in Utah. It was a home HP desktop computer that was old enough, my employer wasn’t interested in reselling it, so I asked if I could have it, and brought it home for $20.
This was back in 2005, so I put Ubuntu 5.04 on it as a desktop with XFCE as the window manager, as it’s only a Pentium 700 with at the time 128MB of RAM and a 10GB HDD. I’ve since beefed up the RAM and disk space. It was updated from 5.04 to 5.10, and it was at this time, I realised that I could ditch my then running Windows Server 2003 for Linux. So, Ubuntu 5.10 became a server, hosting my blog and a couple other web sites. When Ubuntu 6.06 LTS was released, it was running full time as my production server, and I became convinced of the LTS releases, determined to keep this server on LTS versions only. Also, I realised that it was running headless, so there was no reason to have X11 installed any longer, so I went through the pain of removing every last package that I didn’t need for a headless server. This was done for security as well as resource management.
It stayed on 6.06 LTS until 8.04 LTS released, at which point I upgraded the server yet again. So, from roughly May of 2005 to Feb 2009, it had been a desktop and a server spanning four upgrades. Not a big deal really. Upgrading servers and desktops is getting easier and easier these days, with less headaches being encountered. I would keep it on 8.04 LTS waiting for the next LTS release, and upgrade again if I hadn’t decided to change operating systems to Debian.
During the path of an Ubuntu server, it’s had some rough spots, as some of my friends can attest to, none of which were Ubuntu’s fault at all, but the system administrator hacking it (me). For example, when I wanted to host my web site on it, I needed to know how to make that happen. I found a HOWTO on howtoforge for installing Apache, as well as ISPConfig, and a number of other packages that I realise now were not necessary. In fact, I ended up removing ISPConnfig a couple years later, as it was causing problems with logs, consuming a large amount of RAM, and just getting in the way. Then I wanted to run my own email server. Not knowing how to set an email server up, I fiddled with Exim, Sendmail, Postfix and others, failing at every pass, and further causing havoc on the filesystem and DPKG database. Eventually, I found the help I needed from a friend, and was able to get a Postfix server up and running as an external MTA. There were many other services I messed with from time to time, testing this out or the other, slowly filling the filesystem with pointless stuff. In a nutshell, what I’m trying to say, is the Ubuntu 8.04 install, while functional, was no longer pretty. It was hackish at best.
This prompted me to do a reinstall of Ubuntu 8.04 LTS. I wanted a fresh, clean install, restoring the needed data from backup (yes, I actually run backups). However, as I began thinking about it, I realised that I didn’t trust the build quality of the LTS releases as much as I trusted the build quality of Debian stable releases. Thinking about it further, I was having a hard time convincing myself to run an Ubuntu server. The reason being the way packages are tested in the Debian repositories. Consider for example a package that’s uploaded to the unstable repository. Before that package can reach the testing repository, it much meet certain criteria:
The above criteria for packages entering the testing repository ensure that packages are reaching a bug-free state for the next stable release. The goal is to have the number of release critical bugs drop and drop and drop approaching zero. Of course, bugs are only brought about by an active community reporting them, then decided on whether or not the bug is critical enough to be labelled a release critical bug. After the packages in testing have reached sufficient maturity and have few enough bugs to qualify a release, the testing repository is brought to stable. The current stable becomes “old stable”, and the current testing is reprepared for the next stable release. So, in theory, the stable distribution is STABLE. Rock sold stable. Anyone who’s anyone in the Linux world knows that Debian stable is just about as stable as you can get for an operating system.
Another nice thing with Debian stable, is it releases when it’s ready. The Debian community has taken some flack for this, with 2-3 years at times between releases. However, Debian stable is the operating system that is high production quality. While most end users tend to run testing or unstable on their desktops or laptops, many prefer stable for their production server.
Now, I ask the Ubuntu community, what are we doing to ensure the same build quality for the LTS releases? I would think that each 6 month release would hold the some criteria as Debian, namely that packages can’t enter that release unless it has fewer RC bugs than current. This way, as we approach the LTS release, we’re slowly but consistently stabilising the operating system. Unfortunately, this would mean that Ubuntu wouldn’t be as bleeding edge as it is currently. Many packages would stay rather old, due to having less RC bugs than the current release. But then, the LTS releases would be much more stable.
Now, with that said, I personally have never had any problems with my LTS server, either Dapper 6.06 or Hardy 8.04. But do I want to risk it? Should I chance it? While nothing may ever happen that causes critical concern for me with an LTS release, I feel more comfortable putting my trust in Debian stable than I do Ubuntu LTS. However, I want to see Ubuntu LTS succeed in the server arena. I was ecstatic to find that Wikimedia moved all their servers, or are moving, to Ubuntu LTS. I’ve heard other success stories of migrations to Ubuntu LTS. I think this is good, and the larger the community gets, hopefully, the more bugs will be reported, the more patches will be submitted, and more work will be done upstream to Debian. There’s no reason why Ubuntu can’t learn from Debian, and vice versa, creating a solid symbiotic relationship.
So, in a nutshell, I’ve put my faith behind Debian stable for any production servers personally, and Ubuntu for any desktops and laptops that can afford a little wiggle room in relation to stability. This is my opinion with my hardware, and your mileage will probably vary. That’s what makes our community as a whole so great. I want to see Debian succeed on the desktop, laptop and netbook arena, and I want to see Ubuntu succeed in the server / Big Iron arena, and I’ll do what I can to make that happen. But for now, I am where I am.
Any questions or comments of course, please populate the comment form below.
Apparently, python is now the preferred language for gnome/kde virus/worm writing. Makes sense, it's preinstalled on most linux environments. (Take tongue out of cheek). WRT the actual virus, nothing really too surprising, other than the newbie linux netbook users who would probably be the most likely to get duped by something like this... Maybe there should be a "how (intelligently) to use a computer" class in elementary school, (so kids can come home and teach their parents).
disclaimer: The wife has an eee
One of the nice things about git is due to its UNIXy design and its massive and ever-growing popularity, there are a lot of really nice bells and whistles, and I think we can expect to see even more. For example, GitHub.
While most git interaction is with simple commands in the terminal, it often pays to be able to get a birds-eye view of the revision history, or what I will call the DAG. The original tool for this is gitk. Gitk is functional, but it’s really really unpleasant. It’s written in Tcl/Tk—what did you expect? Some of us have higher standards for usability.
I tried out a few git GUIs and I have settled on two that I think are best of breed. The first is tig. Tig is an ncurses program, so it excels for remote operation over ssh, for quick dives into the repository without reaching for the mouse, and in keyboard use. Think of it as mutt for git. It’s a fantastic program and I use it most frequently.
I have customized my tig setup slightly:
$ cat /Users/fugalh/.tigrc
set show-rev-graph = yes
color cursor white blue
$ alias | grep tig
alias tiga='tig --all'
The second is GitX. It’s a mac app in every good sense, and it’s an excellent git GUI. As you can tell from the screenshot, it’s a bit easier on the eyes for visualizing complicated DAGs (not that this screenshot is of a complicated DAG).
If you use GitX be sure to “Enable Terminal Usage…” so you can start it on the current repository on the terminal by typing gitx.
See, now people always tell me that I am a conspiracy theorist against Microsoft. Alrighty, well, here’s yet another chance for you to see that I am more of a realist than you think.
When you see this, it will give you the willies, and I’d be surprised if you didn’t switch to Linux in a heartbeat.
Excerpt:
Microsoft:”First, the role of ISVs. ISVs- independent software vendors-are pawns in the struggle between platform vendors. They’re essential. So you can’t win without them, and you have to take good care of them. You can’t let them feel like they’re pawns in the struggle. You’re going out with a girl, what you really want to do is have a deep, close and intimate relationship, at least for one night. And, you know, you just can’t let her feel like that, because if you do, it ain’t going to happen, right. So you have to talk long term and white picket fence and all these other wonderful things, or else you’re never going to get what you’re really looking for. So you can’t let them feel like pawns, no matter how much they really are.”
This month, Clint Savage will be presenting on “Fedora Remix: Custom distributions based upon proven design” at the Feb 18, 2009 Salt Lake Linux Users Group meeting.
Fedora offers a complete set of tools for generating your own customized distribution. The output format can be installable CDs or DVDs, or Live images suitable for CD/DVD or USB keys. These tools allow sub-communities to consume and contribute to FOSS using a platform that is geared toward their specific needs. This talk will show off the tool set, and how the tools can be used to fill a variety of needs for the hobbyist, the administrator, or the FOSS advocate. http://fedoraproject.org/wiki/Remix It seems that a class may have room 101 scheduled this semester so we may meet in 103 which is just across the hall from 101. Time/Date: ——— Wednesday, February 18, 2009 7:10pm p.m. Place: ——— Room 101 or 103 in Lower Warnock Engineering Building Directions/Parking: Directions - [http://www.map.utah.edu/index.jsp?find=62] Parking can be found just East of the WEB building and there is a big lot just North of the Merrill Engineering building (MEB). Parking is free after 6:00 (Based on the signs posted. Always check in case this changes.) Special thanks go to: - U of U for providing the meeting room. - Various Volunteers
Debian released 5.0 codenamed “Lenny” last night, after just 1 month shy of two years since 4.0 “Etch” was released. I’ve been running it on my messaging server for nearly a year now, and it’s great. I had one hiccup with the kernel not wanting to communicate with my HappyMeal ethernet cards, but a fix in the latest release of the kernel brought it online. But, that wasn’t a Debian specific bug, so I can say that for me, 5.0 has been rocking! Of course, Debian stable is a thoroughly tested platform, so I’m not concerned about its stability.
Some notes about it’s release. This is a GNU/Linux release which supports 12 CPU architectures (1 up from 4.0 “Etch”), ships with four desktop environments and strictly adheres to the FSH 2.3 and LSB 3.2 standards. 23,000 binary packages come from 12,000 source packages, making it one of the top distributions shipping the most software. Most software in this release is the latest version or one release old, and thoroughly tested. 5.0 only shipped with only about 120 outstanding RC bugs. The KVM and Xen hypervisors are shipped, as well as improved support for laptop power management and even adding netbook support. The Debian installer now supports installing important security updates before the first reboot of the system. In terms of continued security, many SETUID binary executables have been removed and Debian GNU/Linux is now listening on fewer ports with a default install than previous. Lastly, live images have shipped with 5.0, making it easy to test Debian GNU/Linux without installing it on your system. Kernel version 2.6.26 is the shipped kernel.
As with every Debian stable release, this is a thoroughly tested, highly featured, stable release on par with the most advance “Enterprise” Linux distributions. As with every stable release, you can easily upgrade to 5.0 by changing your /etc/apt/sources.list, and running ‘aptitude update’ and ‘aptitude full-upgrade’ as root from the terminal. If your sources.list already is using “stable’ as it’s repository, then you’ll get the upgrade automatically.
This is a well received release. As you can see, a lot has gone into it, and the Debian Developers have done a good job putting it together. The next stable release, codenamed “squeeze” is now the current testing repository, and hopefully will be out sooner than later. Put this on your servers, if you haven’t already, because you know you can kick a Debian stable box, and it’ll keep humming right along.
Congrats everyone on a solid release!
KDE 4.2 came down in the latest batch of updates for Fedora 10 last night. Resource settings were automagically migrated and it seems to have worked pretty well. Wikipedia has a decent summary of what's in KDE 4.2.
Dennis Muhlestein posted a quick ssh tip, and then a couple of really neat gems emerged in the comments. For the sake of those who didn’t click through, and my non-Utah readers, I repeat them here:
ssh-copy-id is a little utility to copy your public key to a remote server. Passwordless authentication has never been easier to set up!
ssh-keygen -t rsa
ssh-copy-id $remote_host
ControlPath reuses the same connection for subsequent logins, so if you ssh into the same server from several terminals the logins after the first happen much faster. This is a really neat trick.
# in ~/.ssh/config
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Linux wallpapers can sure be funny. Props to whoever made this (if you know, please let me know). Here’s one that everyone should have the chance to see:
A small (but growing!) handful of additional Linux wallpapers can be found in the Linux wallpaper collection
If you know of any other excellent Linux wallpapers, please drop me a line. Have a good one, all.
I’ve had this discussion a couple of times with some friends about which looks better: Ubuntu or Fedora. So, I decided to take a poll from my readers, and see what you think. Which vendor does a better job at artwork? I’ve provided screenshots of the default wallpaper for each release on both distributions. Now, you may be asking, “Why not [insert your favorite distro here]?” Frankly, because if I were to meet everyone’s needs in that regard, this would be a very large post, and it wouldn’t change your biased mind anyway. Also, the discussion my friends and I have had in the past were Ubuntu vs. Fedora, not Ubuntu vs. Fedora vs. Arch vs. Mandriva vs. Debian vs. etc., etc., etc.
Lastly, both distributions have done a solid job in artwork and look-and-feel for their operating system. No doubt. However, there have been some bumpy roads with both as well. For example, I love the latest default wallpapers for the past two releases on both distributions. However, Fedora Core 6 isn’t a solid wallpaper, and neither is Ubuntu 6.06. Those who know me, know I’m not a fan of the Human theme that is default in Ubuntu either. But, the latest Fedora theme isn’t any better in my eyes as well. So, what are your opinions? What do you think about the artwork between the two biggest GNU/Linux distributors? Share you judgments in the comments below.
Click on an image to see an uncropped larger image. All images are in order of release from oldest to newest. Hover your mouse over the image to see the release info.
Fedora:
Ubuntu:
So the boss wants me to learn Ruby on Rails. As a sidenote, right now I’m running OpenSUSE 11.0.
I’d like to use a great IDE so that I can get going quickly. So I have to learn the IDE and the language.
Which IDE to use? Well, I thought since Eclipse is an IDE platform, that I could do PHP and Ruby on it.
I spent the next few days learning how to install Eclipse so that it would work with Ruby on Rails.
Here’s where I stand:
First, install libmysqlclient-devel, because you’ll need to compile the mysql gem for Ruby. Then, install ruby (1.8.6 patchlevel 114 worked best for me), and make sure gcc is installed so you can compile gems when necessary.
When you’re done with this step, check to see what version of ruby you have, and make sure it’s 1.8.6:
$ ruby -v ruby 1.8.6 (2008-03-03 patchlevel 114)
Next, install eclipse. I found version 3.4 from the OpenSUSE BuildService. Version 3.3 is available for OpenSUSE 10.3.
While that is installing, install rubygems 1.3.1. Again, this version for OpenSUSE 11.0 was only available on the BuildService.
Then, you’ll need to update your gem repository, and then install a handful of gems:
$ gem sources -u $ gem install rails $ rails -v Rails 2.2.2 $gem install mysql cgi_multipart_eof_fix ruby-prof linecache ruby-debug-ide ruby-debug-base mongrel gem_plugin $ gem update // gets the latest versions of installed gems
When eclipse is done installing, follow the instructions in the “Plugging Aptana into an existing Eclipse configuration” article.
It will prompt you for lots of updates, just go ahead and do them all. Once in awhile, I’ve had it crash, so I just start the article over from the beginning.
Finally, run eclipse, go to the MyAptana view, click on the Plugins icon. You’ll see a list of available plugins. One is PHP, and one is Aptana Radrails. Click on “Get it”. You’ll go through a similar installation process to install that plugin.
Again, if there are any updates, go ahead and do them.
Now, that is how far I’ve gotten, and I’ve even been able to do a tutorial or two with that setup. For all the ruby experts out there who are running it on Linux, what IDE do you use? If you use Eclipse w/RadRails, do you have any further suggestions? If you don’t use Eclipse, why? And if you don’t use Eclipse, what tutorials exist that teach one how to use your preferred IDE with Ruby on Rails?
So I wrote about IPv6 a few months back. Tunneling it over IPv4, general networking with it, and even ping6'ing Google.
Been using it ever since.
Whoa now, wait a minute! People use IPv6?
For the most part, I set it up and poked with it for vanity purposes. "Hey look at me! I'm speaking a protocol that your router has no idea what to do with!" I had little actual use for it. For the most part I never had any real problems, but no real benefit either.
But it's been a few months, and I recently had my "IPv6 Epiphany." So here, have some random bits of info that I've picked up while playing with it.
The Problems
1. IPv6-in-IPv4 tunnels aren't really firewall friendly, nor are they the easiest thing to configure. I wound up whitelisting my home router's IPv4 address on my server, exempting it from all other iptables rules. This fixed a problem that cropped up when I rebooted my server, resetting my firewall rules to their saved state, and broke my ability to SSH into my server from home without specifying -4. Further, configuring a tunnel with iproute2 is pretty easy. Configuring a tunnel from CentOS to Debian using the "proper system-specific methods" really isn't. Debian I got working. CentOS I didn't, and wound up writing a pseudo-service to manage the tunnels and routes. All things considered, I probably would have wound up doing the same thing for my Debian router if it was as overloaded as my server in terms of IPv6 config.
Plus you have the increased latency. As a whole, this hasn't been a problem for me.
2. Not everyone who runs IPv6 maintains their v6 stack nearly as well as they do their v4 stack. This has proven to be a problem. For example, I was looking into H.323, and tried to open up the Open H.323 website.
The problem lies in the DNS. The OpenH323 project had a v6 DNS server. This server did not respond to queries coming over the v6 transport, breaking DNS resolution nicely for me. When I went poking with dig, it responded happily over v4. (It seems that their DNS is broken for both v4 and v6, so perhaps it was coming anyway. But the point stands. When your site works, you're content. You're not going to spend time checking that it works over both v4 and v6. This leads to problems.)
3. Application support.
From a sysadmin standpoint, nearly every computer out there has a DHCP client. Wait, sorry. Nearly every computer out there has a DHCPv4 client. This poses a problem when it comes to v6 connectivity. This is one area where Vista is quite a bit ahead of the *nix - they ship a DHCPv6 client and full stateless v6 autoconfig support by default. Their stateless autoconfig leaves a bit to be desired, as it ignores RDNSS data in the router advertisements, but they have documented how to get full DNS resolution on a stateless-only interface. It's pretty simple.
Linux, at a minimum, has a stateful DHCP client kicking around, but it isn't installed or even mentioned in most distro networking guides. It's not even available in several distros. The kernel has great stateless autoconfig, but RDNSS isn't exactly a kernel space setting either. There is a user space tool around that watches for the router adverts and adjusts /etc/resolv.conf as needed, but it's even less known than the stateful DHCP client.
There are also a couple really popular open source programs out there that don't speak v6 at all. There are two that bug me to this day: MySQL and Asterisk. MySQL is really not too huge of an issue right now, but to my knowledge they aren't even working on it. Maybe Drizzle could?
Asterisk is really the bigger issue. One of the largest roadblocks to getting VoIP with SIP to play nicely is NAT. To put it simply, it doesn't work with NAT. I can see (properly done) VoIP being a huge, monumental boost of support and a fantastic reason to get v6 working. Nearly the entire point of deploying v6 now is massively increased connectivity (with v4 connectivity dropping drastically in the near future). The current v4 (NAT) landscape is incredibly inhibiting to SIP, and while you can argue the relative merits of SIP to any other VoIP protocol, the value of having full connectivity from any one device to any other device really can't be understated.
(A note to you "but I like NAT because it's a great firewall!" people: first off, no it isn't. Second, there is a very simple rule here that both mirrors what you "get" with NAT and is arguably more secure than NAT. It happens to be called "default deny." From there, if you want to support VoIP, you can add one single rule and have great VoIP support. Have a /48 that houses both users and servers? Great - subnetting is your friend. Just open :80 to the server subnet.)
4. IPSEC. Still sucks to configure, is only going to become more important with enhanced device to device communication. Isn't supported by any mobile phone I'm aware of. Have a mobile phone that can connect to a SIP server over wifi? Great! Can it do IPSEC? Nope. Sure, TLS exists for a reason, but full-blown IPSEC has numerous advantages over TLS and it really isn't supported anywhere but the router and desktop. (Plus it still sucks to configure.)
Does your (insert handheld gaming device here) support IPSEC? No? Well sure I wasn't expecting it to, but it'll be interesting to see how this plays out over the next couple years.
5. Reverse DNS. 3.d.3.7.0.0.e.f.f.f.b.3.f.1.2.0.d.f.f.f.b.2.8.d.0.7.4.0.1.0.0.2.ip6.arpa. Do I really need to say just how much configuring reverse DNS sucks? No? Good. Is there a better solution? Probably not. I'm just glad that dig and ipv6calc are of use here, so I don't have to manually type out every full-length DNS record.
Advantages
1. Pretty much every single application I've used on linux supports it very well. Everything from HTTP to IMAP to Kerberos to SSH is operating flawlessly for me over v6. Vista has v6 CIFS, rdesktop, and RPC. I could make a full list here of what is supported in terms of services and clients across different OSs, but really, the list of what isn't properly supported is shorter at this point. And yes, for the most part, that applies to Windows too.
2. It's supported, well, by every (very?) modern OS. Vista just works with it. Linux just works with it.
There are some "gotchas" with both, but they'll be resolved over time and as more and more sysadmins come to use it. Vista actually has a default 6to4 tunnel built in, that starts up if you have a public v4 address. Even if your ISP doesn't support v6 (not that any of them do), if you can plug your Vista box in straight to the internet, you'll get v6 without any configuration or hassle.
3. NAT really sucks. The simple connectivity provided by v6 rocks. Now this leads back to how I started this entire post. First, a bit of background.
I run CentOS on my server. SSH has all password-based authentication disabled, and only supports Kerberos (GSSAPI) and pubkey auth.
I have a few RPMs that I need to rebuild to support a few extra things (namely postfix to support mysql, and kerberos to support an LDAP backend). I'd rather not keep all of the needed -devel packages installed on my server, and I'd also prefer to keep gcc and the rest of the needed buildutils not installed. The obvious solution is to rebuild them on another CentOS box, create a mini RPM repo, and then just use yum to install them. The process is simple enough.
The trick comes in actually getting those rebuilt RPMs to my server. This is also where v6 happens to make my life incredibly easy.
My CentOS "build box" is a VM running on my Vista box. This is really the best solution for me. I don't need to have a dedicated CentOS box here, and as a result of that I can click "turn off" and forget about it entirely until I need it again. This is probably the only really good use of VMs that I've found so far, but I digress.
As mentioned, you can't login to my server over SSH without an SSH key or kerberos auth. This means that I can't just scp them up to my server without either copying my existing key(s) over, or generating new keys and adding them
It was at this point I realized that my v6 setup meant that my VMs had public v6 addresses. And then a light clicked on.
I fired up rsync on the VM, copied the v6 address, and then from the server used rsync to move them over.
And it just worked. No port forwarding. No key configuration. No advanced auth config for the VM. I could have used apache+wget just as easily. I was able to start a service (on a VM that sits on a host behind NAT) and use it without any hassle, without any VPN trickery - it just worked.
If you compare the effort it would take to setup v6 on your home network and an "external" network, and compare that to the port forwarding, NAT translation/incompatibility, "hey this port is already in use, by another NAT'd device, guess that means we get to start using extensive proxies or odd ports" mess that may be involved in something as simple just getting host A to talk to host B...
... I think v6 comes out ahead in terms of what you get and the time it takes to make it work.
After about 4-5 hours last night, and early this morning, I finished creating a board book for my 15-month old daughter. Of course, what better topic to choose than that of operating systems? So, I settled with GNU/Linux, UNIX and other operating systems as the main categories for the book, and it turned out great! The goal of the book is to teach her operating systems that she can easily point at. Believe it or not, toddlers catch on fast to this game.
The layout of the book has 3 main categories, with each of their respective operating systems beneath it. Then, the title of each page is the main branch of which many operating systems are based on. For example, in the “GNU/LINUX” category, there is the “Debian” branch, which you will find Knoppix and Ubuntu, among others. I wanted to grab the largest branches of each category, then get the most popular systems that are still in active development from each branch. I wasn’t interested in “dead” systems. I also didn’t want to repeat operating systems in multiple categories, so I kept it as unique as possible. I did the best I could, although I’m sure I overlooked some more popular systems than what I chose. Here’s my breakdown:
GNU/LINUX
UNIX BASED
Other
Yes, SCO Unix and Microsoft Windows are listed. As either a company or an operating system, they have had a profound effect on the operating system market as a whole. Further, this book isn’t about Free operating systems, but as a light educational resource for operating systems in general. Pictures are worth a thousand words, so here they are (in the last picture, my daughter is nicknamed “Boo” as she was born on Halloween 2007):
First, the board book. You can find blank board books all over the Internet. The ones that my wife and I have are 5″ square with 10 inner pages, an outer cover page and back page, which brings the total to 12 complete pages that you can print and stick to the book. The paper I printed on 8 1/2″ x 11″ white shipping label sticky paper. After printing, cut the paper as necessary, peel the protective backing from the shipping label and apply it to the book. You can use my template here, if you wish (ODT). I used the GIMP for my image manipulation, and found most of my images off of Distrowatch. There are a few SVG icons used from the Tango icon set, many were Googled, and some made by hand. The font used for the cover and three main categories is “URW Chancery L Italic” and the font on the back cover is “Liberation Mono”.
The images are PNG files, and if you wish, can be downloaded here: Front cover, page 1, page 2, page 3, page 4, page 5, page 6, page 7, page 8, page 9, page 10, back cover. All are licensed under the public domain. Individual logos licensed as appropriate by their respective owners.
For those geek readers of my blog, you’ll probably notice a couple oddities about the book. First, MEPIS was initially based on SUSE, then Debian and now Ubuntu. It’s currently a Debian-like distro, so that’s where it sits. CentOS isn’t based on Fedora, but Red Hat Enterprise Linux, however, it’s such a major Red Hat-like distribution, than I couldn’t overlook it. MINIX isn’t a AT&T System V derived UNIX, but a UNIX-like system written from scratch. It pulls almost entirely from the System V philosophy, so I put it there. With the BSDs, some will say that Mac OS X isn’t a BSD-based UNIX, but a hybrid of many UNIX like technologies, including Mach. Because most of the userspace tools on OS X are pulled from FreeBSD, it seems a good fit. Lastly, I know that OS/2 Warp is no longer in active development, but I was having a hard time filling the “Other” category with six systems. I could have chosen Palm, but I was looking for operating systems that could be installed on a desktop, laptop or server, rather than embedded, mobile or otherwise. Also the “Other” page isn’t alphabetical like the others. Oh well.
Now that this book has been realized, I have some other ideas for baby board books that will “geek it up” for my daughter, including programming languages, Internet browsers and protocols (that should be interesting). Feel free to use my template here for my operating systems book, and modify as you see fit. The template file itself is also under the public domain.
I’ve had an analogy on my mind for several days, churning, and I think I’d better blog it or else it’s going to devour me. Here it is:
“PHP application development is like bologna as Perl application development is like a good marinated London Broil.”
So, there you go. Now, let me explain. There are upsides and downsides to this.
Balogna requires nearly nothing to start eating. It’s as simple as opening the package, removing a slice of the processed meat product, and eating it. It’s just that easy. My five-year old does it all the time. Sometimes, he puts it on a plate and, using a butter knife, cuts the slice of balogna into little wedge-shaped pieces.
And, as a consumer, you don’t have to do much to get balogna to a point where you can consume it. It’s ready in its edible form at the supermarket. You go, buy it, take it home, (cut a slice into little wedge-shaped pieces), and eat it.
London Broil, on the other hand, isn’t available at the supermarket in sealed ready-to-eat packaging. You have to find a cut of top round beef, preferably one that has a nice amount of thickness (over 1-inch thick is ideal). In addition to the beef, you’re going to need to get some other ingredients for the marinade. When I was in college and wanted to impress a girl on a date, my sister suggested preparing a dinner that included London Broil. I don’t remember the exact recipe for the marinade now, but I remember there was worchestershire sauce, red cooking wine and series of different spices and salts. Looking online, there are many different recipes for such a marinade that include honey, garlic, chopped parsley, pepper, soy sauce, and more.
Once you get your ingredients home, mix the marinade and put it in a large plastic bag that zips shut. Place the raw beef into the bag with the marinade and put it in the refrigerator for up to 24 hours, turning it over once.
Cooking the marinated London Broil is a tricky p;ocess. You definitely broil or grill the meat, but this isn’t a hamburger. You need to heat it carefully, about six to eight inches over the flames. Some recipes actually call for broiling the meat to “rare” before you place it in the marinade. After the meat is cooked to the desired wellness, take it off the grill and begin cutting it in slices with your knife at a 45-degree angle to the meat.
Mmmmm mmmm. This is making my mouth water, just blogging about it!
London Broil, a magnificent meal that is sure to impress a date (or scare her away, as was my case.).
To bring this back to the programming languages, let me regurgitate a story of a recent experience I had.
A couple of weeks ago, a handful of systems I used to manage were compromised. These servers were running Fedora Core 6 and Fedora Core 5 which, of course, haven’t been supported by the Fedora community in at least a couple of years. The obvious response to a compromise was to install a actively supported Linux distribution on the hardware, make sure security issues are addressed, and then re-deploy the applications.
I was asked to assist in the process because of my knowledge of the systems.
Backing up critical data, installing a new OS, restoring data was pretty straightforward and easy. Next came the harder part: Getting all the applications configured and working again, just as they were supposed to.
Most of these applications were written in Perl. I went through each, one by one, taking note of the errors that occured when I first tried to run them. These errors invariably complained of missing CPAN modules — most of which were not available as packages available to install from a software repository affiliated with the Linux distribution.
This meant I had to go through, one by one, and build packages for each CPAN module that was a dependency for the applications. Many of these had their own sets of dependencies. The result: a couple of hours building packages to satisfy an interconnecting web of dependencies. In the end, everything worked.
It was then I decided to check on the one application that wasn’t written in Perl. This last application was written in PHP by some no-name programming team that the client paid to develop and host the software but when they didn’t have the chops to host and manage the application, the client took the application to someone who did have the necessary skills.
Guess what. The PHP application ran, out of the box. no unmet dependencies; No package installations neededl No fuss; Nothing.
At a recent PLUG meeting, I shared my experience with a friend who nodded in agreement. He too had his share of trouble navigating the waters of “dependency hell” trying to get a Perl application working.
Some Perl developers don’t understand this experience because they don’t use their OS’s packaging infrastructure to manage their Perl installation. Instead, they let Perl run loose, so to speak, and install necessary packages outside of a package management system. The upside: It’s fast. The downside: It’s risky and unmanagable.
My friend said, “Perl developers are just too smart.” I have to agree. Damian Conway, a Perl guru that travelled to Utah and spoke to a group of us about four years ago, likes to quote the late Arthur C. Clarke: “Any sufficiently advanced technology is indistinguishable from magic.” Conway prides himself on being the author of several CPAN modules that work “like magic.”
Conway’s not the only one. Many in the Perl community have developed extremely useful but complicated pieces of code and have graciously shared it with the open source community. Like any good open source community, others have built on what has been done and the result is software that has a deep root system of module dependencies.
Meanwhile, Perl has fallen out of favor as a language of choice for web application development, despite all the “magic” that exists within the Perl community. Why? If it’s so technologically superior, why aren’t the hordes of web developers using it?
The answer: Precisely because it is so technologically superior.
Newcomers to web development are drawn to the simplicity, straightforwardness, and relatively painless entry of developing applications using PHP. I can’t tell you how many PHP-based web applications I’ve looked at that are quite useful and powerful on the outside, but the code is... well, it’s boring. That’s not to say the programmers didn’t know what they were doing, they just didn’t really seem to know of any optimal ways of doing it. In the end, that’s okay, because the software works as it’s supposed to. A computer scientist will tell you, however, that this type of programming runs the risk of becoming unmanagable as it grows. The PHP community doesn’t seem to mind, though. They’ve had no problem “brute-forcing“ their way through most obstacles like this.
As a advocate of Perl, I’m left with a problem. My language of choice is failing at popularity contests and now I think I know why: It’s a pain in the ass to grasp in order to wield the magic.
What is it going to take to rectify this problem?! A Linux distribution that includes a great portion of the CPAN modules a programmer would ever need? That would certainly make things a lot easier.
What if the great minds of Perl put their current challenges aside for a few moments and tackled this challenge instead? Make the magic easier to obtain. Make using Perl much less frustrating for the uninitiated.
There are some that would say selling London Broil in a ready-to-eat package would be too hard or that it would be too expensive. I don’t know. I know you can get some very tasty prepared, marinated meats ready to slap on a plate. Sure, you pay more than you would for a slice of balogna, but isn’ it worth it?
Jared Smith of Digium’s UTOSC 2008 presentation on Asterisk and Asterisk dialplans is now available from http://www.opensourcetv.tv/.
Jared Smith throwing a free copy of his book to an audience member at UTOSC 2008
This presentations shows people the basics of using the Asterisk dialplan. We’ll explore simple voice menus, dialing other phones, and implementing things like voicemail, find-me/follow-me routing, and audio conferencing. Along the way, we’ll also cover some telephony fundamentals.
Jared Smith is a computer geek. He currently works for Digium and runs their training department. He’s also the author of Asterisk: The Future of Telephony (O’Reilly Media). He currently lives in Virginia with his wife and two children.
A week or so ago I posted a request to the Salt Lake Linux Users Group members list for ideas for upcoming SLLUG meetings. Here’s a list of what they sent in. All great ideas. I think I got them all listed here. If you suggested an idea and it’s not in the list below, shoot me an email, reply to the thread on the sllug-members@sllug.org list or to this post here.
All great ideas! There were a few people who not only suggested the topics but offered to present on them! Whoohoo! That’s just plain awesome. This year looks great. We’ll try to get these presentations lined up.
Hey, just letting people know that if I can’t find a laptop with an nvidia chipset, I’ll demo using GPSs on Linux and talk about gpsbabel, gpicsync and Google Earth instead of talking about Google Sketchup on Wine.
Either way, this meeting tonight will be a blast!
Oh I also have openSUSE 11.1 DVDs to give out. See you there!!!!
See the original post for directions and time, etc: SLLUG meeting: Wed. Jan 21, 2009: Google Sketchup 7 running on Wine demo
This month’s presentation will be by me…well, I started looking for a presenter a couple days ago so I looked around and saw that I was the only one available :) Here’s the announcement:
I'll be giving a short presentation and demo of Google Sketchup 7 running on Wine. (if I can get it working on the laptop I'm borrowing from work). If that fails, we'll talk about some other Linux tips and tricks. So, bring your tips and tricks to share and cross your fingers on the wine/sketchup demo! Should be tons of fun! We'll watch some of the demo videos for Sketchup as well. http://sketchup.google.com/ http://www.winehq.org/ Time/Date: ———- Wednesday, January 21, 2008 7:10pm p.m. Place: ———- Room 101 in Lower Warnock Engineering Building Directions/Parking: Directions - [http://www.map.utah.edu/index.jsp?find=62] Parking can be found just East of the WEB building and there is a big lot just North of the Merrill Engineering building (MEB). Parking is free after 6:00 (Based on the signs posted. Always check in case this changes.) Special thanks go to: - U of U for providing the meeting room. - Various Volunteers
I have a VPN and a DNS server that serves up forward and reverse DNS for my VPN hosts, which zone I call wan. When I want to look at my Cacti graphs, I go to gwythaint.wan and as long as my laptop is on the VPN I can see them wherever I am. In theory anyway. In practice, getting this to work without screwing up other things is harder.
I’ll leave out the myriad permutations that I tried over the past couple of weeks and show you the one that actually works well. That is to have a caching and forwarding name server on your laptop, and to add localhost to your list of nameservers. For best results, you would have it forwarding to the name server your DHCP server gives you, with an explicit forward over the VPN for the wan zone (and its reverse). resolvconf on Linux can do this. Your situation may warrant a static forwarder for non-wan addresses, in which case you just set that forwarder and be done with it. If your various DHCP nameservers are a bit more subtle—perhaps serving up internal domains of their own—then you may have to not forward and/or recurse except explicitly for wan.
I just took the default BIND9 configuration on my system and tweaked it thus:
// local/vpn stuff
zone "wan" {
type forward;
forwarders { 172.17.77.1; 172.17.0.1; };
};
zone "17.172.in-addr.arpa" {
type forward;
forwarders { 172.17.77.1; 172.17.0.1; };
};
On most systems the default named.conf is already some reasonable caching setup, so you wouldn’t have to tweak it beyond that. Then I added localhost to the nameserver list (/etc/resolv.conf on Linux, in the network preferences pane on OS X) and checked that it works with a dig @localhost gwythaint.wan.
Things got tricky because dig and host on my laptop were taking forever to
return when I queried localhost—6 seconds or so. I chased this wild goose for
awhile and in the end I didn’t find the reason (it still does it), but I
verified that it’s not a problem. If you use the -v flag to host you notice
that the actual queries took <1ms, so whatever else host and dig are doing may
not be relevant. Even stranger, if you do host -v gwythaint.wan and don’t
specify to query localhost, everything resolves instantly and yet it reports
that it queried localhost (which you can verify with the non-traffic on repeat
requests via tcpdump). It hasn’t slowed down any other applications (a 6-second
slowdown on DNS lookups would be very obvious), so I chalk it up to “who
cares?” If host and dig on OS X return the right answer, and you verify they’re
querying the right server, then you’re good to go.
I had MythTV on falcon, then I got a new graphics card for gwythaint and so I moved the frontend to gwythaint (HD, yay). Then I got a new hard disk and decided to put the big disks in gwythaint, which meant falcon no longer needed to be a mythtv backend of any sort (gwythaint was already doing all the transcoding). Moving the mythtv backend was not as simple as it should have been. These instructions outline what I did at first. The database step was not an issue, and of course copying was simple enough, but MythTV couldn’t find my moved files.
Poking around in the logs revealed it was still trying to get the movies from falcon, even though I had removed the backend on falcon. So as a stopgap I reinstalled the backend on falcon, set it up as a secondary backend, and set up a samba share so it could access the MythTV data storage directory. Now whenever I watched anything it would go back and forth across the LAN. Whee!
I was puzzled by these assertions that you can just move files between storage directories and MythTV would just find them, when it didn’t seem to be even trying on my setup. Then it came to me in a flash of insight. It wasn’t trying to look for them because it thought they were still there. I had the same data storage directory path on both machines: /av/myth. It saw the filenames it expected in gwythaint:/av/myth and so it assumed that no update was needed, although the files were originally on falcon:/av/myth. So I created a symlink from /av/myth to /av/myth-dummy and added that to the storage group. Still, that did not help.
The final solution was to hack the database directly:
mysql> update recorded set hostname='gwythaint' where hostname='falcon';
Query OK, 53 rows affected (0.00 sec)
Rows matched: 53 Changed: 53 Warnings: 0
I love Cacti. It’s an excellent tool for visualizing interesting statistics like bandwidth usage, CPU and load average, memory usage, etc. It’s relatively straightforward to set up, if slightly klunky, and it takes a lot of guesswork out of questions that are otherwise difficult to answer. (I should note here that Cacti is a sort of front-end to RRDtool which does all the hard work as far as the visualization is concerned.)
But some of the default graphs that come with Cacti are absolute rubbish. I took it upon myself to fix the two worst offenders this week: the load average graph and the memory usage graph. Let’s compare, shall we?
Here’s the default load average graph:
This graph is just plain wrong. It stacks the load averages one on top of the other which makes it impossible to get a real reading for the 5 and 15 minute averages, and makes things look worse than they are. If that textual explanation went over your head, compare with this repaired load average graph and all will be made clear:
Wow, you can actually see how the averages are, well, averages. Funny thing about proper graphs.
This change is simple enough to do yourself so I won’t provide a template download in the interest of expanding your mind (hopefully without exploding your skull). Right after I show you my pretty memory usage graph, that is.
First, let’s see the default memory usage graph:
If you can tell what that graph is saying at a glance, you’re better than I. This one doesn’t so much lie as beat around the bush. The vital information is there, if you know how to read it. The key is that the stuff you see totals the RAM that is available for programs to consume (free+buffers+cache), so the smaller the area of the graph, the less memory you have available. It also doesn’t show swap. Swap is available on another graph (also in terms of free swap not swap used), but on a separate graph you miss out on the relative comparison.
Here’s the memory graph I came up with:
I think it is self-explanatory and that it has all the information you could ask of a memory usage graph presented in the clearest possible way. Maybe I’m a bit biased, but you have to admit it’s better.
So how do we modify and create graphs in Cacti for fun and profit? Let’s begin with the load average graph. No, scratch that. Let’s begin with some terminology.
Cacti has graph templates that define what the graph will look like. We’ll spend a lot of time creating and modifying those. It also has data templates for telling it how to get the data (e.g. the SNMP OID or the script to run). You use a data template to create a data source which actually fetches and stores that data, and you use a graph template to create a graph that is associated with a device (host) and its data sources. Data sources are usually created automatically when you create a graph. There’s one more oddball thing called a CDEF which is basically a rudimentary RPN calculator that you have to define the expressions for ahead of time in the most excruciatingly painful way. But we’ll need a couple for the memory usage graph.
SNMP stands for Simple Network Management Protocol, which naturally means that it’s the antithesis of simple and that it is mostly used for monitoring instead of management (though you can indeed use it for management, which is way beyond the scope here). The short of it is, you have devices that talk SNMP and you can get info about interesting things that you’d like to graph with Cacti over the network. If you have a linux box, it can be made to talk SNMP by installing Net-SNMP and configuring it.
SNMP version 3 is a complicated mess to configure because you have to have a PhD in network security to understand its authentication schemes (in which case you might conclude that it’s not secure enough). Versions 1 and 2c are both sufficient for my needs, and from our point of view they’re essentially identical and simple enough to explain. I’ll assume you use version 2c. There’s a cleartext password for read-only access and optionally one for read-write access (for that management thing that we don’t do). In order to keep things (anti)simple, they’re not called passwords but rather “community strings”. The default community strings for when you really can’t be bothered to change them are “public” and “private”, and most SNMP devices come with these defaults preset. What’s that? You didn’t realize you had several (dozens?) of devices on your network just waiting for some bored employee to start playing with its settings from the comfort of his workstation because you didn’t change the default read-write community string? Well, you do.
Here’s the snmpd config file I use, which I don’t mind sharing because the only way you can get to it is over my LAN or my VPN, and it’s read-only anyway and I have no secrets about my host stats.
rocommunity yoursecrethere
syslocation "Las Cruces"
syscontact hans@fugal.net
sysservices 79
If you can’t figure out how to tweak the configuration file included with your distro (which is no doubt hundreds of lines long with loads of comments), you can replace it with something like that and you’ll be up and running with SNMP version 2c.
Ok, now you can install Cacti. Then create a device using the ucd/net SNMP device template for the host you want to monitor (you don’t technically have to do that with localhost but you’d have to modify my graphs to use the non-SNMP data sources). When the device is created and it says it was able to connect to it ok, then you can create graphs for the device. Go ahead and create the “ucd/net - Load Average” graph. Then you’ll no doubt dash over to the graphs “tab” and be totally dismayed that the graph seems broken. Fear not, it’ll show up once it’s had some time to gather data (check back in 5 minutes).
In the meantime we can go fix the load average graph template. Any changes we make will apply to the graph we just created as well as any new graphs we create with that template. Go to “Graph templates” on the left then find the graph of interest and click on its name. Take a moment familiarizing yourself with this page, then click on the 5 minute average item to edit it. Here you change the graph item type from STACK to LINE1. I also changed the color to 002ABF which shows up better. Do the same for the 15 minute average item (LINE1, I left the color alone). Now go refresh your graph and you’ll see the changes. Et voilà, you are a Cacti graph template hacker. At this point you may feel the irresistable urge to change the colors of some of the more ugly but functional graphs, and I won’t hinder you. I’ll wait right here.
Ok, the memory usage graph is a bit more work. I won’t take you through it step by step but I’ll point out a couple of gotchas that I encountered when creating it. First, I realize that others have made memory usage graphs and provided them on forums and such to download. After the third one failed to work I decided it was better to just make my own. Hopefully mine will work for you—I put a bit of effort into making sure it would import cleanly.
There’s actually a reason why the memory usage graphs are so backwards: because most devices provide total and free stats but not used stats. Obviously they expect you to calculate used yourself. So directly graphing the bits provided by SNMP was the easy way out.
We, on the other hand, have chosen the path of pain. We need to calculate memory used (which is total-(free+cache+buffers)). We could do this with a script but that’s sticky and not very portable (depending on the target distro, version of Cacti, etc.). The better thing is to use a CDEF. If you click on graph management the CDEFs link is revealed. We want a CDEF that calculates (total-free-cache-buffers)*1024 (the sources are kilobytes). Now, a CDEF uses a positional reference system. The first data source used by your graph is a, the second is b, and so on. So the CDEF string will look something like d,a,-,b,-,c,-,1024,*. But here’s where things get dodgy—it’s hard to know what order the data sources will settle on until after you’ve created the graph. If you create the graph in the right order (no shuffling) and you realize that the AVERAGE and MAX consolidation functions create separate data source (but not LAST), and who-knows-what other pitfalls, then you can be confident ahead of time. Or, you can just create the template, create a graph using the template, and look at the graph debug output to figure out which source is which.
So now you create a new graph template, and referring to a template similar to what you want you fill in all the right fields, leave most at their defaults, add graph items, tweak and refresh a sample graph using your template a gazillion times, go back and forth with the CDEFs getting things right, then create new (temporary) graphs to make sure it works.
Luckily for you, if all you want is a cool memory graph, I did all this for you. Download and import my memory usage graph template, create a graph, and in a day or so you’ll have a memory usage graph as pretty as mine. Oh, alright, I’ll provide a load average template for you as well.
This is a note to myself, since I always seem to get this wrong and spend an hour or two racking my brain over it, and yet it’s so simple.
Consider the following network:
172.17.77.0/24 -- A --+-- B -- 172.17.82.0/24
|
S
A: 172.17.77.1/24 and 172.17.0.77/24
B: 172.17.82.1/24 and 172.17.0.82/24
S: 172.17.0.1/24
It is instructive to watch a tcpdump on A, S, and B while you ping between these three hosts. In particular, S sees nothing when A and B ping eachother. Well, not nothing—S will see the arp requests—but if you were running tcpdump icmp you wouldn’t see anything. Now, if A is the gateway for its subnet and B is the gateway for its subnet, and you put a route for 172.17.0.0/16 via S on both A and B, the two subnets can find each other. But what if you instead put a route for 172.17.0.0/16 via the interface alone, and try to leave S out of it? A will not respond to ARP requests for 172.17.77.42, and so packets from B’s subnet for A’s subnet will fall off the edge of the network at B.
I hope that makes sense. It’s rather simple when you look at it that way and not much to sing about. But when I make this little modification my brain always seems to go on vacation:
172.17.77.0/24 -- A B -- 172.17.82.0/24
\ /
tap0
|
S
Now A, B, and S are connected by OpenVPN using TAP. TAP is like a virtual switch (Layer 2), so in reality it’s the exact same setup. But for some reason whenever I set this up I tend to think that a route on A and B for 172.17.0.0/16 via dev tap0 will work. And so it does, when pinging just A and B. Then when I finally get around to hooking up their subnets, they can’t see the other side of the VPN and I get confused. Then I fire up umpteen tcpdumps and having forgot to look for ARP traffic I get utterly flabbergasted. My mind thinks that since S is the VPN server that I should see ping traffic from A to B (or A’s subnet to B’s subnet) on S, if it’s making it through the VPN. Then I assume that OpenVPN is doing something funky. At this point I get confused by the client-to-client option, and things go downhill fast.
So lets set things straight once and for all. OpenVPN’s client-to-client option, when used with TAP, makes the VPN behave like a true switch. When it is set, A can see B’s ARPs, and vice versa. When it is not, they can’t. Think of it as S having one NIC for each client and they’re all bridged together on tap0, or not, depending on the setting of client-to-client.
If you set routes for 172.17.0.0/24 via 172.17.0.1 then A can reach B anyway, but S will helpfully send ICMP redirects which won’t work if followed. I suppose you could turn off this “helpfulness”, but if you want to get from A to B just turn on the aptly-named client-to-client option.
The next important thing is to remember that when client-to-client is set and you’re using TAP, the VPN behaves like a true switch. Packets direct from A to B will not show up on tap0 as far as external programs like tcpdump are concerned. That also goes for packets from A’s subnet to B’s subnet. Of course, they are still running through the VPN, and so S is playing the middleman as far as bandwidth, firewall, and encryption go. But you won’t see it with tcpdump. (It makes me wonder if tap0 is behaving like a switch in that traffic from A to S never travels to C at all—I think this is probably the case.) Switch, not hub.
Finally, the important thing to realize when doing TAP is that the network looks like this:
A -- + -- B
|
S
not like this:
A -- S -- B
And the final take-home lesson is, use tcpdump icmp or arp to avoid confusion and hair loss.
There. hopefully that straightens me out, if nobody else.
Update: I had some errors and oversights in my general config that didn’t have any direct bearing on the main message of this post. I have fixed them below and I beg you to pretend they never happened.
OpenVPN is a fantastic piece of software. No, it’s an essential piece of software. A godsend.
But it has this tendency to try to be all that and a bag of chips.
My primary gripe with OpenVPN over the years has been what I call “psuedo-DHCP”. It pretends, poorly, to be a DHCP server. If you have the audacity to prefer a real DHCP server you find very little help and sometimes even resistance from the tools and the community. I once tried to get it working and failed.
This week I was refreshing my OpenVPN setup and reading through the manpage for version 2.1, and saw a few references to people actually using DHCP. Still no explicit documentation, but it gave me hope. So I duly tilted at that windmill.
Now I will show you how to get DHCP working with OpenVPN. What’s more, we’ll get rid of ifconfig and route options (for the most part). In short, we’ll put OpenVPN in its place: as a secure tunnel manager.
The important paradigm shift here is that you aren’t required to do anything from withing OpenVPN to configure the interface. You can just bring up the tunnel and your TUN/TAP device will be alive but unconfigured. At that point you could do something like this:
ip link set tap0 up
ip addr add 172.17.0.1/24 dev tap0
You could do this manually, or in an up script, or whatever. Or you could let your distro do it. Ah, so we can have a tap0 stanza in /etc/network/interfaces (Debian-based distros) that will configure tap0 when we ask it to. Let’s look at a client example:
# in /etc/network/interfaces
iface tap0 inet dhcp
hostname falcon
# dhclient doesn't pay attention to this, so if you use dhclient (you
# probably do) see /etc/dhcp3/dhclient.conf
client falcon
# in the openvpn config
dev tap0
route-delay 10
cd /etc/openvpn
up "up.sh"
down-pre
down "down.sh"
…
# up.sh
#! /bin/bash
ifdown tap0 2>/dev/null
ifup tap0 &
# down.sh
ifdown tap0
There’s some subtlety here, let’s talk about it. Note that we’re specifying both the DHCP client id and the DHCP hostname—more on that later. We use an external script because of the way OpenVPN’s up option works, so that we can background the ifup call. This is important because the tunnel isn’t fully up at this point, so your DHCP client won’t succeed unless we background it (I tried up-delay to no avail). I have the ifdown bit in there as a safety measure—if for whatever reason Debian thinks the interface is already up it won’t start the DHCP client and that would be bad. But hopefully this doesn’t happen much thanks to the down option. Finally, the route-delay option gives the DHCP negotiation a chance to finish before any routes are applied (and in my setup there is one important route that I push to clients).
On the server side, we need to set up the DHCP server. ISC DHCP (dhcp3-server on Debian) isn’t very intelligent about interfaces that materialize out of nowhere, so we’ll need to set up a persistent TAP device.
# in /etc/network/interfaces
auto tap0
iface tap0 inet static
address 172.17.0.1
netmask 255.255.255.0
pre-up openvpn --dev tap0 --mktun
# in openvpn config
dev tap0
Now tap0 will be brought up automatically at boot, and will stay up even if you restart OpenVPN (you can bring it up now with ifup tap0). Notice that no ifconfig option is needed in the OpenVPN config. Now you can configure your DHCP server for the subnet:
# in dhcpd.conf
subnet 172.17.0.0 netmask 255.255.255.0 {
# example options for VPN hosts
option domain-name "vpn.example.com";
option domain-name-servers 172.17.0.1;
option netbios-name-servers 172.17.0.1;
option ntp-servers 172.17.0.1;
range 172.16.0.100 172.17.0.199;
}
host falcon {
option dhcp-client-identifier "falcon";
fixed-address 172.17.0.77;
}
Observe the dhcp-client-identifier option, and its matching entry in foo’s /etc/network/interfaces (or /etc/dhcp3/dhclient.conf). This is important because TAP MAC addresses don’t persist—you get a new one every time. dhcpd will use the client identifier to match a host, but alternatively you could spoof a static MAC address in foo’s /etc/network/interfaces config. I think the client identifier is cleaner. Even if you don’t use static leases, this way dhcpd will know it’s the same client and give him the IP address he had before. Of course if you don’t need (semi-)static leases you don’t need to worry about client identifiers. You’ll have some cruft leases but they should expire and disappear.
Unfortunately dhcpd doesn’t use the client identifier for dynamic dns updates (one of the big reasons I wanted to use real DHCP in the first place), which is why I specify the hostname option in foo’s /etc/network/interfaces. dhclient (as configured on Debian) sends the hostname whether or not you specify it in /etc/network/interfaces.
Other DHCP clients that do honor /etc/network/interfaces are available. See interfaces(5). I’m kind of partial to udhcpc, especially for hand-testing, though I usually end up sticking with dhclient.
Caveats: I haven’t been able to get DHCP working with an OS X client. I tried initiating DHCP on the TAP interface with ipconfig set tap0 DHCP but it didn’t work and once locked up my machine. So for this situation, or for any other reason you may have, you can still push ifconfig and route options in the client configuration directory entry for that client.
I haven’t tried DHCP over OpenVPN on Windows clients yet but I see no reason why it wouldn’t work.
Finally, I tried briefly to do it with a TUN device and though I can think of no obvious reason why it shouldn’t work, it didn’t. I like TAP better anyway.
Now after all this I can see some of you shaking your heads wondering what the point of all this is. “Surely this is more complicated than ifconfig and route in OpenVPN.” Yes, it’s more complicated, but it’s more powerful. If all you need is pseudo-DHCP, then by all means use pseudo-DHCP. But if you are a sysadmin serving a gaggle of clients you soon find yourself pining for a real DHCP server. Or perhaps you want dynamic dns updates, or proper DHCP option support. (You do realize DHCP options sent by OpenVPN’s dhcp-option are not applied on linux unless you do so manually by reading the environment variables in an up script, don’t you?)
When you realize OpenVPN can just set up the tunnel and get out of the way, you realize that all your fancy networking knowledge and tools can come into play to create the ultimate VPN tailored exactly to your needs. Plus, I think it snaps things into focus so that things just make more sense in your head.
And now, I present my OpenVPN configs (sanitized) for the server (frodo) and a client (falcon):
## frodo (server)
dev tap0
mode server
tls-server
cd /home/fugalh/vpn
ca cacert.pem
dh dh.pem
cert frodo.pem
key frodo.pem
keepalive 10 60
comp-lzo
client-to-client
# this new option is nifty
passtos
client-config-dir ccd
# See /etc/network/interfaces for interface configuration and routing.
# (reproduced here for our web audience)
# auto tap0
# iface tap0 inet static
# address 172.17.0.1
# netmask 255.255.0.0
# pre-up openvpn --dev tap0 --mktun
# up ip route add 172.17.64.0/24 via 172.17.0.64
# up ip route add 172.17.77.0/24 via 172.17.0.77
# up ip route add 172.17.82.0/24 via 172.17.0.82
# up ip route add 172.17.83.0/24 via 172.17.0.83
push "route 172.17.0.0 255.255.0.0 172.17.0.1"
#verb 3
mute 2
status /var/log/openvpn.status 60
## falcon (client)
dev tap0
client
remote frodo.fugal.net
nobind
cd /etc/openvpn
ca falcon-cacert.pem
cert falcon-cert.pem
key falcon-key.pem
tls-remote frodo.fugal.net
comp-lzo
passtos
route-delay 10
cd /etc/openvpn
up "up.sh"
# (reproduced here)
# #!/bin/bash
# ifdown tap0 &>/dev/null
# ifup tap0 &
down "down.sh"
# (reproduced here)
# #!/bin/bash
# ifdown tap0
mute 2
#verb 3
In my setup the 172.17.0.0/24 subnet is for the OpenVPN server and clients, and each client is a gateway to a 172.17.x.0/24 subnet for his LAN. Assuming a static route on the LAN for 172.17.0.0/16 via the OpenVPN client, frodo will route everything so people on one LAN can find people on another.
I also have dynamic dns updates for both forward and reverse DNS in my vpn.fugal.net zone.
One thing I haven’t set up which is feasible is for the LAN DHCP servers to do ddns to frodo.
OpenVPN is in its place, and our relationship is that much stronger. Good luck with yours!
“What is my IP?” A frequent question while we all remain under the oppression of NAT. Of course most of you are familiar with whatismyip.com and friends, but did you know you can do the same thing yourself very easily? All you need is a webserver (across the NAT in question, of course).
Here’s a CGI version:
#!/bin/sh
echo "Content-type: text/plain"
echo
echo $REMOTE_ADDR
If CGI is a pain but you have PHP:
<?php
header("Content-type: text/plain");
echo $_SERVER['REMOTE_ADDR'];
?>
Both of these are suitable for scripting, e.g.
#!/bin/bash
URL=http://fugal.net/ip.cgi
echo Your IP address is `curl -s "$URL"`
This stuff is documented out there, but I thought I’d give a brief summary and anecdotal evidence that it works.
I wanted to move falcon onto a RAID1 array, including root. Falcon was already using LVM for everything but root, and I wanted root on the RAID as well and so it made sense to just go all the way.
I had a bit of a hairy time, primarily because I wasn’t as prepared as I thought I was. This is in part because I was doing all this without internet, in part because of stupidity and lack of foresight, and in part because some vital things that I thought were in order, were not. But really it’s not that bad if you know what you’re doing. Having learned my lessons I did the same thing for gwythaint without incident in just a few minutes (not counting time spent copying files).
Let’s begin as all good chefs do, with mise en place.
You need a good boot disk with grub and LVM/RAID support. This is harder to find than you might think. Ubuntu’s Live CD doesn’t have LVM support (not sure about RAID). Debian Etch’s installer has RAID and LVM support, but its grub facilities are sorely lacking, and it takes forever to boot. Now would be a very good time to get familiar with the PLD Rescue Disk. This puppy is an absolute gem and no sysadmin should be without it. It supports LVM, RAID, every important filesystem, has a full suite of tools, super grub disk, GRUB4DOS, and more. I can’t sing enough praises for PLD’s rescue disk, so I won’t try. Just get it.
You naturally need to install the lvm2 and mdadm packages.
You need a kernel that supports RAID and LVM. Most stock kernels will, but make sure! Also, regenerate the initrd after installing the lvm2 and mdadm packages. You can do this with dpkg-reconfigure linux-image-`uname -r`. I got bit by an initrd generated by yaird that didn’t like being moved, so you should make sure you have initramfs-tools installed when you regenerate the initrd.
Grub2 reportedly has RAID and LVM support but I didn’t have grub2 and didn’t want to press my luck. So I made a boot partition (not on the RAID or in LVM) and copied over /boot.
Now set up the new RAID and LVM. In my case it was as simple as creating the RAID with one disk (the disk that currently hosted my system was eventually added too) then making a physical volume out of that array (pvcreate), adding it to the virtual group (vgextend), creating a new logical volume for root (lvcreate) along with its filesystem, and moving the already-existing logical volumes over to the new physical volume (lvmove). Then reboot into the rescue disk so you can safely copy over the root filesystem (PLD has rsync which makes this a snap).
PLD doesn’t automatically assemble RAID arrays or activate volume groups, so you need to do this manually. Something like this:
mdadm -A /dev/md0 /dev/sdb2
vgchange -ay
Now for the fun part: getting things to boot. First, you need to modify the new /etc/fstab to reflect the new location of /. That is, /dev/vg1/root (or whatever you called it). Also put in /boot.
Reboot and choose super grub disk at the PLD boot. At first I played with the menus but after a dozen boots (literally, I told you it was hairy) I was an expert at the grub command line and was doing things by hand. Hit c to get the grub cli, then type something like this:
find /grub/menu.lst
root (hd0,0)
setup (hd0)
kernel /vmlinuz-2.6.18-6-k7 root=/dev/mapper/vg1-root ro
initrd /initrd.img-2.6.18-6-k7
boot
Let’s analyze that.
First we find /grub/menu.lst which just tells us what grub calls the boot partition: (hd0,0) in this case. (I had a heck of a time with grub not finding my boot partition and I don’t know why. Maybe fdisk or BIOS issues. I still don’t know. I eventually was able to get a partitioning that worked, hopefully you don’t have any issues.)
Next we tell grub to use that partition as root. The setup line installs grub on the MBR so we won’t need to use the rescue disk in the future.
The kernel and initrd lines are normal grub fare. The important thing here is the root option. You must use the /dev/mapper/vg1-root path, not /dev/vg1/root. At least this is true on Debian Etch stock kernels, but it seems like a good idea in any case. The reason is that the /dev/mapper paths are there from the kernel but the /dev/vg1 symlinks are added with boot scripts.
You should boot right up. After boot, issue mount to verify that things do look like they ought to. Edit /boot/grub/menu.lst and run update-grub, then try booting without the rescue CD. You’re in business!
In summary: read the RAID and LVM howtos, LVM goes on top of RAID, get PLD, make sure your kernel and ramdisks are in order, leave /boot off the RAID/LVM, don’t forget to change /etc/fstab, and use the /dev/mapper/${VG}-${LV} path in the kernel root option.
I’ve grown more and more accustomed to that phrase. Being on IRC, blogs, forums, mailing lists, and other forms of digital social gathering, it still never ceases to amaze me the responses that come out of people these days. Case in point? The tragic ending to what should have been a happy one. I’m referring to the news story that WKOW 27 in Madison, WI ran concerning a girl in college who dropped out, because Ubuntu was installed on her Dell laptop, and she couldn’t install some software programs. WKOW, by the way, has run a follow up on the piece, showing the initial reaction of the Ubuntu community.
When I first read the story, I admit that I thought she was looking for a scapegoat to drop out, and Ubuntu on a laptop was the perfect excuse. Then, I started reading the comments, and I was floored by the community’s reaction. Almost immediately, I found myself defending her and Ubuntu comment after comment. After letting the emotion settle for a bit, I re-read the article, this time paying attention to the smaller details:
So, I ask: Why the backlash? One thing we need to understand as technical users, is the average user doesn’t think to pull up Google to troubleshoot his or her problem. If something doesn’t work as expected, such as putting the Verizon CD in Ubuntu, then it’s broken to them. They’re not going to pull up Google, and figure out how to make it work. They might call a family member if they have a computer expert in the family, but even then, the computer is still broken. Having just purchased a brand new laptop from Dell, and things not working as expected, she has every right to be upset.
Yet, everything came out positive for her, and the community responds the way it does. This story should have been a positive one for our distribution. Instead, it turned into a heated attack against her, and the news agency. Whether or not these attackers are Ubuntu users or Windows users or Mac users, it matters not. What matters to me is the maturity level of the response. Which brings me to the title of my post:
“What are we? 12?”
Look at the details of the article. Look at how three organizations were willing to handle her specific case. She looked for support, and got it! Dell, Verizon and her school should be touted as heroes! They came to her rescue, and then we respond the way we do. I found our response unfortunate, sad, and very disappointing. Linux won’t succeed on the desktop if these are the cards we play.
I have a VPN and a DNS server that serves up forward and reverse DNS for my VPN hosts, which zone I call wan. When I want to look at my Cacti graphs, I go to gwythaint.wan and as long as my laptop is on the VPN I can see them wherever I am. In theory anyway. In practice, getting this to work without screwing up other things is harder.
I'll leave out the myriad permutations that I tried over the past couple of weeks and show you the one that actually works well. That is to have a caching and forwarding name server on your laptop, and to add localhost to your list of nameservers. For best results, you would have it forwarding to the name server your DHCP server gives you, with an explicit forward over the VPN for the wan zone (and its reverse). resolvconf on Linux can do this. Your situation may warrant a static forwarder for non-wan addresses, in which case you just set that forwarder and be done with it. If your various DHCP nameservers are a bit more subtle—perhaps serving up internal domains of their own—then you may have to not forward and/or recurse except explicitly for wan.
I just took the default BIND9 configuration on my system and tweaked it thus:
// local/vpn stuff
zone "wan" {
type forward;
forwarders { 172.17.77.1; 172.17.0.1; };
};
zone "17.172.in-addr.arpa" {
type forward;
forwarders { 172.17.77.1; 172.17.0.1; };
};
On most systems the default named.conf is already some reasonable caching setup, so you wouldn't have to tweak it beyond that. Then I added localhost to the nameserver list (/etc/resolv.conf on Linux, in the network preferences pane on OS X) and checked that it works with a dig @localhost gwythaint.wan.
Things got tricky because dig and host on my laptop were taking forever to
return when I queried localhost—6 seconds or so. I chased this wild goose for
awhile and in the end I didn't find the reason (it still does it), but I
verified that it's not a problem. If you use the -v flag to host you notice
that the actual queries took <1ms, so whatever else host and dig are doing may
not be relevant. Even stranger, if you do host -v gwythaint.wan and don't
specify to query localhost, everything resolves instantly and yet it reports
that it queried localhost (which you can verify with the non-traffic on repeat
requests via tcpdump). It hasn't slowed down any other applications (a 6-second
slowdown on DNS lookups would be very obvious), so I chalk it up to "who
cares?" If host and dig on OS X return the right answer, and you verify they're
querying the right server, then you're good to go.
Starting tomorrow night, I will officially be the instructor for the LPI 103 course at the University of Utah. This course uses the awesome Guru Labs courseware and teaches Network Administration and Security as well as Troubleshooting. I’m excited to get back into the swing of teaching.
The course is 15 weeks long, 3 hours per night and will be held in the Warnock Engineering Building (WEB) room 208 on Wednesdays from 6-9pm. Basically, that means I’ll be teaching Linux once a week and keeping up my training skillz.
The only real drawback is that I’ll be missing the PLUG and SLLUG meetings for the better part of four months.
Cheers,
Herlo
I had MythTV on falcon, then I got a new graphics card for gwythaint and so I moved the frontend to gwythaint (HD, yay). Then I got a new hard disk and decided to put the big disks in gwythaint, which meant falcon no longer needed to be a mythtv backend of any sort (gwythaint was already doing all the transcoding). Moving the mythtv backend was not as simple as it should have been. These instructions outline what I did at first. The database step was not an issue, and of course copying was simple enough, but MythTV couldn't find my moved files.
Poking around in the logs revealed it was still trying to get the movies from falcon, even though I had removed the backend on falcon. So as a stopgap I reinstalled the backend on falcon, set it up as a secondary backend, and set up a samba share so it could access the MythTV data storage directory. Now whenever I watched anything it would go back and forth across the LAN. Whee!
I was puzzled by these assertions that you can just move files between storage directories and MythTV would just find them, when it didn't seem to be even trying on my setup. Then it came to me in a flash of insight. It wasn't trying to look for them because it thought they were still there. I had the same data storage directory path on both machines: /av/myth. It saw the filenames it expected in gwythaint:/av/myth and so it assumed that no update was needed, although the files were originally on falcon:/av/myth. So I created a symlink from /av/myth to /av/myth-dummy and added that to the storage group. Still, that did not help.
The final solution was to hack the database directly:
mysql> update recorded set hostname='gwythaint' where hostname='falcon';
Query OK, 53 rows affected (0.00 sec)
Rows matched: 53 Changed: 53 Warnings: 0
I love Cacti. It's an excellent tool for visualizing interesting statistics like bandwidth usage, CPU and load average, memory usage, etc. It's relatively straightforward to set up, if slightly klunky, and it takes a lot of guesswork out of questions that are otherwise difficult to answer. (I should note here that Cacti is a sort of front-end to RRDtool which does all the hard work as far as the visualization is concerned.)
But some of the default graphs that come with Cacti are absolute rubbish. I took it upon myself to fix the two worst offenders this week: the load average graph and the memory usage graph. Let's compare, shall we?
Here's the default load average graph:
This graph is just plain wrong. It stacks the load averages one on top of the other which makes it impossible to get a real reading for the 5 and 15 minute averages, and makes things look worse than they are. If that textual explanation went over your head, compare with this repaired load average graph and all will be made clear:
Wow, you can actually see how the averages are, well, averages. Funny thing about proper graphs.
This change is simple enough to do yourself so I won't provide a template download in the interest of expanding your mind (hopefully without exploding your skull). Right after I show you my pretty memory usage graph, that is.
First, let's see the default memory usage graph:
If you can tell what that graph is saying at a glance, you're better than I. This one doesn't so much lie as beat around the bush. The vital information is there, if you know how to read it. The key is that the stuff you see totals the RAM that is available for programs to consume (free+buffers+cache), so the smaller the area of the graph, the less memory you have available. It also doesn't show swap. Swap is available on another graph (also in terms of free swap not swap used), but on a separate graph you miss out on the relative comparison.
Here's the memory graph I came up with:
I think it is self-explanatory and that it has all the information you could ask of a memory usage graph presented in the clearest possible way. Maybe I'm a bit biased, but you have to admit it's better.
So how do we modify and create graphs in Cacti for fun and profit? Let's begin with the load average graph. No, scratch that. Let's begin with some terminology.
Cacti has graph templates that define what the graph will look like. We'll spend a lot of time creating and modifying those. It also has data templates for telling it how to get the data (e.g. the SNMP OID or the script to run). You use a data template to create a data source which actually fetches and stores that data, and you use a graph template to create a graph that is associated with a device (host) and its data sources. Data sources are usually created automatically when you create a graph. There's one more oddball thing called a CDEF which is basically a rudimentary RPN calculator that you have to define the expressions for ahead of time in the most excruciatingly painful way. But we'll need a couple for the memory usage graph.
SNMP stands for Simple Network Management Protocol, which naturally means that it's the antithesis of simple and that it is mostly used for monitoring instead of management (though you can indeed use it for management, which is way beyond the scope here). The short of it is, you have devices that talk SNMP and you can get info about interesting things that you'd like to graph with Cacti over the network. If you have a linux box, it can be made to talk SNMP by installing Net-SNMP and configuring it.
SNMP version 3 is a complicated mess to configure because you have to have a PhD in network security to understand its authentication schemes (in which case you might conclude that it's not secure enough). Versions 1 and 2c are both sufficient for my needs, and from our point of view they're essentially identical and simple enough to explain. I'll assume you use version 2c. There's a cleartext password for read-only access and optionally one for read-write access (for that management thing that we don't do). In order to keep things (anti)simple, they're not called passwords but rather "community strings". The default community strings for when you really can't be bothered to change them are "public" and "private", and most SNMP devices come with these defaults preset. What's that? You didn't realize you had several (dozens?) of devices on your network just waiting for some bored employee to start playing with its settings from the comfort of his workstation because you didn't change the default read-write community string? Well, you do.
Here's the snmpd config file I use, which I don't mind sharing because the only way you can get to it is over my LAN or my VPN, and it's read-only anyway and I have no secrets about my host stats.
rocommunity yoursecrethere
syslocation "Las Cruces"
syscontact hans@fugal.net
sysservices 79
If you can't figure out how to tweak the configuration file included with your distro (which is no doubt hundreds of lines long with loads of comments), you can replace it with something like that and you'll be up and running with SNMP version 2c.
Ok, now you can install Cacti. Then create a device using the ucd/net SNMP device template for the host you want to monitor (you don't technically have to do that with localhost but you'd have to modify my graphs to use the non-SNMP data sources). When the device is created and it says it was able to connect to it ok, then you can create graphs for the device. Go ahead and create the "ucd/net - Load Average" graph. Then you'll no doubt dash over to the graphs "tab" and be totally dismayed that the graph seems broken. Fear not, it'll show up once it's had some time to gather data (check back in 5 minutes).
In the meantime we can go fix the load average graph template. Any changes we make will apply to the graph we just created as well as any new graphs we create with that template. Go to "Graph templates" on the left then find the graph of interest and click on its name. Take a moment familiarizing yourself with this page, then click on the 5 minute average item to edit it. Here you change the graph item type from STACK to LINE1. I also changed the color to 002ABF which shows up better. Do the same for the 15 minute average item (LINE1, I left the color alone). Now go refresh your graph and you'll see the changes. Et voilà, you are a Cacti graph template hacker. At this point you may feel the irresistable urge to change the colors of some of the more ugly but functional graphs, and I won't hinder you. I'll wait right here.
Ok, the memory usage graph is a bit more work. I won't take you through it step by step but I'll point out a couple of gotchas that I encountered when creating it. First, I realize that others have made memory usage graphs and provided them on forums and such to download. After the third one failed to work I decided it was better to just make my own. Hopefully mine will work for you—I put a bit of effort into making sure it would import cleanly.
There's actually a reason why the memory usage graphs are so backwards: because most devices provide total and free stats but not used stats. Obviously they expect you to calculate used yourself. So directly graphing the bits provided by SNMP was the easy way out.
We, on the other hand, have chosen the path of pain. We need to calculate memory used (which is total-(free+cache+buffers)). We could do this with a script but that's sticky and not very portable (depending on the target distro, version of Cacti, etc.). The better thing is to use a CDEF. If you click on graph management the CDEFs link is revealed. We want a CDEF that calculates (total-free-cache-buffers)*1024 (the sources are kilobytes). Now, a CDEF uses a positional reference system. The first data source used by your graph is a, the second is b, and so on. So the CDEF string will look something like d,a,-,b,-,c,-,1024,*. But here's where things get dodgy—it's hard to know what order the data sources will settle on until after you've created the graph. If you create the graph in the right order (no shuffling) and you realize that the AVERAGE and MAX consolidation functions create separate data source (but not LAST), and who-knows-what other pitfalls, then you can be confident ahead of time. Or, you can just create the template, create a graph using the template, and look at the graph debug output to figure out which source is which.
So now you create a new graph template, and referring to a template similar to what you want you fill in all the right fields, leave most at their defaults, add graph items, tweak and refresh a sample graph using your template a gazillion times, go back and forth with the CDEFs getting things right, then create new (temporary) graphs to make sure it works.
Luckily for you, if all you want is a cool memory graph, I did all this for you. Download and import my memory usage graph template, create a graph, and in a day or so you'll have a memory usage graph as pretty as mine. Oh, alright, I'll provide a load average template for you as well.