Technical Archives

Juliet Kemp

A while back I was asking about how to look at server load issues. I wound up using collectd, which was pretty useful.

I identified a handful of disk I/O spikes - unfortunately it’s hard to match these up against the subjective delays/lag problem. However, I looked into ways to improve I/O handling, and found information about caching and pdflush.

I’m currently experimenting with upping /proc/sys/vm/swappiness (to 90), to encourage more swapping to disk - on the grounds that I do have an active server, and I’d rather use the disk cache more. I think. I’m a little unsure of my logic here, but so far this seems to have improved the situation a bit, so maybe I’m on the right lines.

Carla Schroder

There are some “interesting” issues being raised due to an incompatibility between e2fsprogs and GRUB legacy that results in non-booting systems. Newer versions of e2fsprogs default to creating new Ext3 filesystems with 256-byte sized inodes, instead of the old default of 128. GRUB legacy has absolutely no clue what to do with 256-byte inodes, so it barfs up the “Error 2: unknown file or directory type” message and sits back down. GRUB legacy will not be patched to support 256-byte inodes. Yay! But this is a transitional problem; read all about it here:

GRUB vs. the Inodes: Who Needs a Bootable System, Anyway?

Juliet Kemp

This week’s discovery: a bug with IE7’s CSS handling (I’m sure you’re all very surprised), and the workaround.

The bug: I have rollover submenus, set up with CSS. In Firefox and Safari they behave as expected: the submenu pops up on rollover, and then you can navigate the mouse to the submenu item you want and click on it. In IE7, when you try to navigate to the submenu items, as soon as your pointer moves off the rollover-trigger item, the submenu vanishes. Most irritating.

The eventual solution was to give the submenu a background image (also in CSS). This background image doesn’t need to actually exist (mine doesn’t, to save creating a transparent one) - just the call to it seems to be sufficient to counter the bug. I confess to having no idea whatsoever why this works, but work it does. In fact you probably do want the background image file to exist (to avoid errors in your logs), but just touching it will be fine.

(I would like to extend intense gratitude to whoever it was put me onto this; unfortunately I went through so many different sites over the hour or so I spent struggling with this that I don’t know who or where it was that I found the idea. I’m still very grateful to them, though.)

Juliet Kemp

Radio silence here of late as I have been moving old website to new website; a process which is time-consuming and gives rise to a very long to-do list, but which isn’t remotely interesting to anyone else. Although I have discovered that IE7 handles CSS boxes, percentages, and padding differently from Firefox/Safari/Opera. (This irritates but does not surprise me.)

I’ve also been dealing with some user queries about compiling Fortran. Can anyone recommend a good online beginner’s tutorial on the general subject of makefiles, or on the specific subject of makefiles for Fortran? Or a decent Fortran book?

Carla Schroder

Instant Messaging for Introverts
This is an excellent article about the intrusiveness of modern “always on” communications tools, especially instant messaging. The author framed it as an introvert vs. extrovert problem, which I’m not sure is a correct assessment - to me it’s manners vs. rudeness. Some folks think because they have instant messaging it’s OK to be constantly interrupted, or to constantly interrupt other people for every trivial thing. Well, no, it’s not OK.

Juliet Kemp

I have a server (LDAP and NFS) which occasionally seems to take a while to react. Load average is consistently high (10-12 for 4 CPUs, which AIUI means 2.5-3 per CPU); response may also be being affected by disk I/O.

I’d like to find out which processes in particular are causing the heavy load, and possibly also to track disk I/O activity over say a 24 hr period. Unfortunately, this has exposed a shocking lack in my knowledge, viz: I have no idea how to do this, what tools are out there, etc etc. (Obviously I am fortunate never to have encountered performance issues before; all my machines have previously either Worked or Not Worked.) Any suggestions?

(The other possibility is a network load issue, but as I’m not responsible for the network, tracking that might be tougher.)

Another, unconnected query: I have been asked to source quiet/silent keyboards for a couple of my colleagues who are noisy typers. Any recommendations? I’ve looked at the Saitek Eclipse but it sounds like it’s not very tough. Bonus virtual biscuit for recommendations which are actually available to buy in the UK (the IBM Quiet Touch appears not to be, for example). Real biscuit available to anyone able to implement a biscuit-over-IP protocol; failing that I shall just eat them all myself.

Juliet Kemp

If you’re interested in SSL & Apache (a how-to).

Also on the web front: the other week I was talking about CSS & child elements, and someone suggested using the :empty selector. This isn’t in the CSS 2.1 spec, but is in the CSS 3 selector draft, and it appears that Firefox 2+ at least supports it. Which is nice.

Unfortunately, it doesn’t work for what I want it for because what I want is to identify list items that have children; but the list items without children aren’t empty, because they have content (the list item text). I think in theory this counts as a “child”, but it’s not what I mean by having a child. Anyway: the theory is sound, but in practice doesn’t solve my problem. Oh well.

Caitlyn Martin

I’ve been running Vector Linux 5.9 Standard since it was released about six weeks ago. I’ve mostly been satisfied with it. I ran into a problem, though, when I first tried to install the Culmus fonts, a popular font set for the Hebrew character set. The fonts installed correctly and were where they were supposed to be but none of my applications could see them. It turns out the same was true of Courier, Helvetica, Bitstream Charter, and a host of other fonts traditionally included with X.org and XFree86. All were installed on my system but none were available.

The problem originated upstream from Vector Linux. I still don’t know whether or not this is a Slackware issue or an X.org issue in release 7.3. I do know that some other popular distros don’t have the problem. However, since it’s easy to fix and undoubtedly affects other distros, not just Vector Linux, I thought I’d share what the source of the problem is and how to solve it.

Carla Schroder

Sometimes you get bitten by the goofiest things in computing. I bought a nice new 320 GB Samsung SATA hard drive. I like Samsung drives. They’re quiet and reliable, and good performers. I like nice little skinny SATA cables.

So I crack open the box (Antec Sonata, minus the silly CPU exhaust tube that made the interior case temperature warmer and took up all kinds of room, but otherwise a splendid case) and in less time than it takes to say “Voila! That was so easy I should blog about it!” the new drive was ready to use.

But. It didn’t work.

Juliet Kemp

Very useful article on using gnuplot to plot log data information. I used it yesterday to look at the data on LDAP response rates that I’ve been collecting for a few weeks, and the suggested script (with appropriate minor changes) worked great. On the last line, points may be better than lines, depending on what you’re graphing.

It transpires that the occasional blip in LDAP response rates here isn’t particularly time-dependent (although there’s a couple of minor peaks at the two times when I know most people are around and doing stuff), so I need to consider the matter further.

Juliet Kemp

Having just moved my mouse to the left of the keyboard in order to put my notebook on the right*, I am now hyper-aware of how much I use the mouse and that this is less comfortable than using the keyboard. So, a few questions, if anyone can help:

  1. I love my MacBook keyboard/trackpad - use the mouse without having to move your hand! Adesso make a contoured keyboard with trackpad but I’m not sure if this will play nicely with Linux. Any experiences, or other recommendations?
  2. I’m trying to increase the amount that I use keyboard shortcuts. The two GUI programs I use most often are Firefox and Thunderbird (actually these are pretty much the only GUI programs I use; everything else is terminal-based and I have a Gnome shortcut to launch a terminal window). I have the “frequently used shortcuts” tip pages for both of these; any other good resources?
  3. In particular, I can’t find any way of searching my bookmarks, or in particular accessing the quick bookmark bar, in Firefox from the keyboard. I’ve tried the Vim Firefox extension before but it didn’t work well for me. Any suggestions here?

Other ergonomic-type thoughts welcome. I do have correct desk/monitor/keyboard height etc setup already, based on recommendations from my osteopath; I use Workrave to prompt break-taking; and I try to remember not to slouch…

* It was pointed out to me that constantly reaching across the keyboard to make notes was a bit daft. I have been sat at this desk for nearly 3 years and this has never previously occurred to me.

Carla Schroder

One thing that did not make it into the Linux Networking Cookbook was a chapter on setting up VLANs (Virtual LANs). VLANs are logical subnetting, rather than being constrained by your physical Ethernet switches. Now that “smart” switches have gotten so inexpensive, VLANs are nice options even for small networks. For one example, you can run multiple subnets off a single switch. Parts 1 and 2 of my three-part series are here:

Do More With Less: Build a Linux VLAN
Do More With Less: Port-Based VLANs

Windows and Mac clients can also be members of your VLANs; part 3 will address tagged VLANs, routing and Linux client configuration.

Part 3 runs next week.

Juliet Kemp

Occasionally it is necessary to print out a text file. There are a couple of ways of making this happen in a slightly prettier fashion than simply using lp file.txt.

a2ps is one possibility - it gives you nice borders & prints by default 2 x A5 pages sideways on A4 (landscape). There are a vast array of options. However, none of them give you double-spacing, which if you’re printing in order to edit, is a nuisance.

pr, on the other hand, doesn’t do the pretty thing, but does do double-spacing. And you can pipe its output elsewhere.

So we get:

    pr -d -t file.txt | a2ps

which will send output to your default printer. (Use the -o switch to a2ps to get a postscript file instead if you want to check layout first.) The -d switch does double-spacing, the -t switch suppresses the filename and page header, which you don’t want because a2ps will provide them.

Obviously if you want real proper nice printing then I commend to you the splendid LaTeX, but if you need plain text then putting in then stripping out all that markup is a PITA.

Juliet Kemp

I have cron-apt set up on all my machines — you can get it to install any updates automatically but that sounds like Bad News to me, so instead it’s set to download and email me. I had a script that took names-of-machines-to-upgrade as arguments and did the rest for me, but that involved typing up to 50 machine names. And I am lazy.

So I finally got around to writing a script that parses a local mailbox, grabs the machine names from the subject lines, and does the rest from there. My involvement now is:

  1. Get Thunderbird to show me only the cron-apt emails (via tag filter — tags are automatically applied).
  2. Quick check of the emails to make sure nothing outrageous is going to happen.
  3. Select all, hit Ctrl-6 to move them to the special mailbox (TB QuickMove Extension allows you to allocate up to 10 mailboxes to key combinations).
  4. Find terminal window, run script.

Note that in an ideal world I’d be using Net::SSH::Perl to check for the root ssh key, but I was having problems with CPAN when I wrote this.

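#!/usr/bin/perl -w

use strict;

my $homedir = "/home/user";
my $file    = "$homedir/mail/aptget";
my $sshkey  = "$homedir/.ssh/key";
my $cmd     = "apt-get -y upgrade";
my @hosts;

sub runcommand();

open FILE, "+<", $file or die "Cannot open $file: $!\n";

# Subject line looks like:
# Subject: CRON-APT completed on machinename [/etc/cron-apt/config]
while (<FILE>) {
    next unless /^Subject: CRON-APT completed on/;
    my @line = split;
    my $hostname = $line[4];
    # The hostname comes from an email subject and ends up in a command run
    # as root, so skip anything that is not a plain hostname.
    unless (defined $hostname && $hostname =~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/) {
        warn "Skipping suspicious subject line: $_";
        next;
    }
    push @hosts, $hostname;
}

# Check if sshkey is in ssh list & add it if not
# (\Q...\E stops the dots in the path being treated as regex wildcards)
if (`ssh-add -l` =~ / \Q$sshkey\E/) {
    runcommand();
}
else {
    system("ssh-add", $sshkey);
    runcommand();
    system("ssh-add", "-d", $sshkey);
}

# Empty the mailbox now that its hosts have been processed
seek FILE, 0, 0;
truncate FILE, 0;
close FILE;


sub runcommand() {
    foreach my $host (@hosts) {
        print "Host is: $host\n";
        # List form of system() keeps the local shell from interpreting $host
        system("ssh", "-i", $sshkey, "root\@$host", $cmd);
    }
}

Juliet Kemp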

We have an NFS system which involves part of the local disks of all desktops being exported via NFS. Mostly this is consistently accessed via /disk/machinename, but some desktops have more than one local directory that’s exported. I finally got around recently to rewriting the (very old and no longer functional) script to query the LDAP database and get this info for a given machine name:

#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

die "Usage: showdisks machinename\n"
        unless (@ARGV == 1);

# Get & set values
my ($search) = @ARGV;
my $server   = "ldaps://ldap.example.com";
my $cert     = "/etc/ldap/servercert.pem";
my $base     = "dc=example,dc=com";

my $ldap = Net::LDAPS->new( $server,
                             verify => 'optional',
                             cafile => $cert ) or die $@;
my $mesg = $ldap->bind;

# Escape the machine name so that filter metacharacters in it are taken literally
my $filter = "(nisMapEntry=*" . escape_filter_value($search) . "*)";

# Note: the option is 'attrs'; a misspelt key is ignored and every attribute is returned
$mesg = $ldap->search(  base   => $base,
                        filter => $filter,
                        attrs  => ['cn', 'nisMapEntry', 'nisMapName'],
                     );

$mesg->code && die $mesg->error;

my @entries = $mesg->sorted('nisMapEntry');

foreach my $entry ( @entries ) {
    my $location  = $entry->get_value( 'nisMapEntry' );
    my $automount = $entry->get_value( 'nisMapName' );
    my $dir       = $entry->get_value( 'cn' );

    # The if is because otherwise you get warnings from the first couple of lines
    # of the LDAP return.
    if ($dir) {
        my ($auto, $path) = split /_/, $automount;
        print "$location : /$path/$dir \n";
    }
}

$mesg = $ldap->unbind;

Hope it’s useful to someone! If your LDAP automount info wasn’t exported from NIS you may have different names for those attributes.

Tim O

From Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes:

“Most of the industry’s worst security problems (like the famously bad LANMAN hash) happened because smart developers approached security code the same way they did the rest of their code. The difference between security code and application code is, when application code fails, you find out right away. When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia.”

This post was written in response to an alarmist post that had been highly reddit’d (aren’t all highly reddit’d posts alarmist?). Besides being an effective smackdown, this post is also a good survey of approaches to password hashing. There is a good pointer to SRP.

Juliet Kemp

We automatically pay for next-business-day onsite support for all our machines. I have had cause recently to access this twice, with two different companies.

Company 1 (machine has what I suspect is a dodgy fan): will only send out an engineer after they have got you to run diagnostic tests of various sorts. Then they will know what to send the engineer along with. I kind of see where they’re coming from, but tbh what I really want is for me to make the phone call*, and for an engineer to appear the next day with a boot full of Relevant Hardware, diagnose, and fix.

Company 2 (machine losing time, motherboard being replaced): phone not working, send email. Response to email pretty fast, we agree that the losing of time in itself isn’t disastrous but may signify something more serious, so they’ll replace the chassis. Radio silence for the next 2 days (apparently someone phoned on my day out of the office, but since I warned them that I would be out of the office, they should really have emailed). It transpires that in this instance, NBD means “we will ship the replacement parts & then send an engineer the NBD after they arrive”. So that’s minimum 2 BDs. Again, my expectation is that the engineer should bring the parts with them. (And the lack of information on this annoys me rather more.)

My assumption is that this is to do with centralised this-and-that: that engineers are based in Place A and parts in Place B (where Place B may in fact be out of the country, or even the continent in extreme cases). But it doesn’t actually meet what I want from NBD, though I expect it meets the contract. Am I expecting too much?

(I feel I should note that once I actually get an engineer onsite, they are invariably extremely competent, fast, and hardworking. My complaint is not with any of them!)

* Ideally, for me to send an email, but I will settle for phone.

Juliet Kemp

Things to look for if kerberos-enabled SSH isn’t working:

  • Check /etc/ssh/sshd_config for lines that look like this:
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GssapiKeyExchange yes
    
  • Check that libsasl2-gssapi-mit is installed (for Debian; insert appropriate package for your system).
  • Check that you’ve extracted the host/client.example.com key to /etc/krb5.keytab on the client you’re trying to log in to (that client.example.com is the FQDN for the client you’re trying to log in to). This is the one that I most often get caught by. The command is klist -k /etc/krb5.keytab (as root).
  • Check that /etc/krb5.keytab is only readable by root.
  • Restart sshd to make sure that any changes you’ve made on the above lines are actually operational.
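
The sshd_config and keytab-permission items from the checklist above can be checked mechanically. This is an added example, not part of the original post: the function names are made up for illustration, the sample config is constructed, and it assumes GNU stat and ignores Match blocks.

```shell
#!/bin/sh
# Added example: checks two items from the Kerberos SSH checklist.

# Options the checklist expects to be "yes" (sshd_config keywords are
# case-insensitive, so GssapiKeyExchange and GSSAPIKeyExchange are the same).
KRB_OPTS="KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup
GSSAPIAuthentication GSSAPICleanupCredentials GSSAPIKeyExchange"

# Print each expected option that is absent, commented out, or not "yes".
# sshd uses the first value it sees for a keyword, so only that one is checked.
missing_sshd_options() {
    for opt in $KRB_OPTS; do
        awk -v want="$opt" '
            /^[ \t]*#/ { next }
            tolower($1) == tolower(want) { found = 1; val = tolower($2); exit }
            END { exit !(found && val == "yes") }
        ' "$1" || printf '%s\n' "$opt"
    done
}

# Succeed only if the keytab has no group or other permission bits set.
keytab_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample input (not from a real host): one option is commented
# out, one is set to "no", and the keytab is world-readable.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
KerberosAuthentication yes
KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
GssapiKeyExchange yes
EOF
    : > "$tmp/krb5.keytab"
    chmod 644 "$tmp/krb5.keytab"
    echo "Options not enabled:"
    missing_sshd_options "$tmp/sshd_config"
    keytab_is_private "$tmp/krb5.keytab" || echo "keytab is readable beyond its owner"
    rm -rf "$tmp"
}
demo
```

On a real host, point the functions at /etc/ssh/sshd_config and /etc/krb5.keytab, and also confirm that the keytab is owned by root.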

This week’s (unconnected) observation: it’s still possible to get caddies for IDE drives, for very little money. This comes in handy when an elderly motherboard expires, at an unfortunate stage of the backup cycle, and the disk is still good (and has several days of non-backed-up data: see above re backup cycle). £10 = one happy user.

Happy Thanksgiving to US readers! Enjoy the holiday. I am, as I type this, listening to Alice’s Restaurant in honour of it.

Juliet Kemp

My webserver has been playing up of late - tending to hang. top showed some blosxom.cgi processes that had been running for some time and were using up large chunks of CPU (up to 100% occasionally). Killing these didn’t resolve the problem permanently, so I looked further.

Apparently there was (at least at some point) a problem with the Calendar plugin. I edited in this fix which resolved things. (It also showed up in the logs, so it does seem that that was the issue.)

In fact, when I contacted the blosxom-using user, it transpired that he was in fact no longer a blosxom-using user (it was a leftover from an earlier experiment), so we deleted the lot. It would appear that the hammering the webserver was taking was from some Russian machine - possibly looking for an exploit?

Juliet Kemp

It is possible to use ssh-add -l to list the ssh keys which ssh-agent is currently handling. (I love ssh-agent.) Is there an easier way of doing this from the command line or within bash than just getting the output of `ssh-add -l` (and then searching it for a particular key)?

Investigating this has led me to discover the perl module Net::SSH::Perl::Agent (there’s also Net::SSH::Perl::Auth), so possibly I should rewrite the relevant scripts in perl instead. I haven’t been able to play with that yet as the CPAN mirror I use seems to be on a go-slow.

Juliet Kemp

Recently the people running our centralised email server decided to increase its security. Among other things, this meant that if the From: header of an email didn’t match a registered user, it would be bounced back. I have a couple of pieces of software (RT and Hobbit, notably), that run as a particular userid and send mail as that ID, so since those weren’t “real” users, the mails started bouncing.

I have found two ways of dealing with this, using exim4:

  1. More complicated. Use sendmail -f realuser@example.com as the mail command within the program (this works for RT but not for Hobbit). The -f flag rewrites the envelope-from — you will also need to put the line
    dc_untrusted_set_sender='true'
    in /etc/exim4/update-exim4.conf.conf, run update-exim4.conf, and restart exim. This allows any user to rewrite the envelope-from. This does have security implications if you mistrust your users (in this particular instance, these are servers without user access so I’m not too worried).
  2. Rather easier. Edit /etc/email-addresses to include a line:
    problemuid: realuser@example.com
    You don’t need the dc_untrusted_set_sender line. You probably don’t even need to restart exim. (I did because I’m like that.)

I worked out the more complicated one first, obviously. Oh well.

Juliet Kemp

At intervals I get complaints that one of the printers isn’t responding from a given machine. On investigation via the CUPS frontend the error is: /usr/lib/cups/backend/lpd failed. Restarting the printer from there works, but it is slightly irritating.

This has happened several times in the last couple of days on one particular (aging) machine, which prompted me to seek a better solution. I found this entry which explains at the bottom how to change the CUPS setup appropriately. Edit /etc/cups/printers.conf and change the ErrorPolicy for each printer from stop-printer to retry-job. So far this seems to be working fine and I shall be rolling it out across the network.

In How Far Behind is Linux?, WSJ writer Lee Gomes sets up a beautiful strawman about the security of GNU/Linux versus Windows and knocks it down with its own answer. (The emphasis is mine).

Almost every productive person I know wishes that he or she had more time. Most of us wonder where our time really goes; often it’s noon by the time I finish reading my feeds and following up on interesting URLs. (Fortunately, I’m not a morning person, so I wouldn’t accomplish much before noon anyway.)

I’ve often wished for a short X.org program that would run in the background and monitor which window had active focus. If I tracked that for a few hours or days, I’d be able to perform some interesting statistical analysis to see where I actually spend my time.

Writing a prototype took about ten minutes, thanks to Dennis Paulsen’s X11::GUITest Perl module (see Test-Driving X11 GUIs by George Nistorica for more):

Carla Schroder

After trying out a number of Linux photo-management applications, I have settled on Digikam. It has some great tools for managing vast photo archives, wonderful RAW support, and an array of good photo-editing-and-fixing features. Two introductory articles are on Linux Planet:
Digital Photo Management In Linux, Part 1
Digital Photo Management In Linux, Part 2

Not mentioned in the articles are Digikam’s Plugins, which extend its usefulness considerably, such as Noise Reduction, Refocus for rescuing blurry pictures, BlowUp for good-quality enlargements, white balance adjustment, and many more.

Over on LXer.com you might find some useful information on photography fundamentals, such as lens types and quality, and understanding how to use aperture to make your photos say what you want them to:
Adventures in Digital Photography With Linux, part 4: Fundamentals

Juliet Kemp

We have k3b installed locally for users to burn CDs/DVDs/etc. This only gets used very infrequently, and it seems that something else has broken every time it does get used.

This time it was a “Cannot find writer” error. I checked for the presence of cdrecord and dvd-rw-tools; all fine. Eventually it turned out to be a permissions error - that /dev/cdrom was set to be only user- and group-writable; and the user was not in the relevant group. Added them, log in & out, all well.

This is curious, because I am 100% confident that I haven’t changed anything on either /dev/cdrom (or the relevant group membership). Which implies that it has been changed with an update at some point. I’m not sure I see the point of this. Is being able to write to /dev/cdrom really such a security risk?

The longer-term solution is (assuming this doesn’t break anything; I haven’t checked yet) to set the cdrom group to come from LDAP and automatically put all users in it, to avoid having to do this for multiple machines.

I am working on finding a way to enable developers working in a wide variety of languages to directly access computationally-intensive libraries written in C++, C, and Fortran. The libraries will have been multithreaded using Threading Building Blocks (TBB), the open source project for which I’m “community manager.” TBB is a C++ template library (like STL). I don’t expect to have much of a problem calling C and Fortran libraries from C++/TBB code. But, what’s the best path to enable someone writing in Perl or Python or Ruby or — whatever — to call these multithreaded libraries?

This search has led me to reinvestigate some techniques I’ve looked at in the past — for example, Perl’s XS — but the idea of having to create an interface for each individual calling language is unappealing. I looked at, and did some experimenting with, SWIG (Simplified Wrapper and Interface Generator). But before I got very far, Parrot was suggested to me by some people on the #tbb IRC channel (on FreeNode.net).

During my initial investigation of Parrot, I wrote a blog about my research. Parrot looked promising to me:

Hence, if we can wrap C++ libraries threaded using TBB, then the Parrot NCI should make it possible for all the languages that have Parrot support to call those libraries. Then, high level scripting languages such as Ruby, Python, and Perl will have convenient access to computationally-intensive libraries that have been threaded for optimal performance on multicore processors.

This post elicited an interesting response on another site: “Will Parrot Ever Truly Deliver?” The author acknowledges that “Parrot does sound like an interesting piece of technology”, but wonders “will it ever be a platform suitable for serious, production usage?” The author’s concerns include the length of time Parrot has been in existence (quite a long time), the instability of the code base (lots of significant changes), and the incompleteness of the support from other languages.

Does multicore change the Parrot equation?

Sometimes a technology is invented, and the time simply isn’t right, the need at the moment for solutions that apply that technology is nearly non-existent, though many people readily admit it’s a “wonderful” technology. I wonder if this might apply to a certain extent to Parrot prior to the age of many-core computing?

In a few years, inexpensive PCs will have 8, 16, or more processing cores. Some people doubt that the average home or office user is going to have any use for all these cores. I think that’s like saying “no one will ever need more than 640K of RAM.” Once it’s possible for the average home or office user to apply algorithms and image analysis and video processing and stock market simulators that were previously available only on high-end workstations in data centers, you cannot tell me they won’t want to do this.

It’s going to take programming techniques like Threading Building Blocks, OpenMP, perhaps new languages such as Erlang, or Transactional Memory applied in Haskell, to multithread these computationally-intensive libraries. I doubt that applying conventional low-level threads is going to be an efficient way to accomplish this in terms of programming time (I’ve worked at this level for a long time).

But on the other side: no one is going to want to convert the mass of existing software platforms/applications that could potentially apply these computation libraries, into C++ or C. A convenient means to enable a broad spectrum of languages to call multithreaded C++, C, and Fortran libraries is going to be needed. Otherwise, again we face enormous software development inefficiency, as a separate interface has to be constructed for each library for each calling language. That’s not a solution that is going to fly, in my opinion.

It seems to me that Parrot is an excellent candidate for addressing this problem. If this is the case, the Parrot team may soon find itself lent increasing support from independent developers, and possibly from companies who recognize the need for this capability with respect to their own applications.

I don’t think this need was really there when PC performance could be improved simply through ever-increasing clock speeds. Single-threaded software that did a few simple calculations was fine then. Multicore, however, changes everything. As highly-scalable multithreaded computation / simulation libraries become available, and people realize they want them, and developers realize they need to be able to call these libraries from every language platform, Parrot’s time may arrive.

Juliet Kemp

First up: check out the O’Reilly “Women in Tech” series - especially my article :)

Lately I have mostly been playing with Puppet, a piece of software for centrally managing host configuration. (I have various roll-your-own solutions for aspects of this, as ever, but this looks like a better way of doing it.)

One very nice thing about Puppet from my point of view is that it will take its node definitions from LDAP. (In Puppet, a node is any individual machine.)

How this works is that instead of having your node definitions in site.pp, you keep them in LDAP as the puppetclass attribute. You can have as many of these attributes per host as you like - for example, my web server has webserver, ftpserver, and server as puppetclass attributes.

site.pp therefore has only import statements, not node definitions, and you put your class definitions in /etc/puppet/manifests/classes (or wherever suits you), and import them in site.pp.

You probably want to start with something along the lines of the setup I have, as described below, with base.pp, desktop.pp, and server.pp classes (the latter two inherit from the first). These correspond to desktop and server as puppetclass attributes (the inheritance structure means there is no need to specify base). Then add further puppetclasses as required for your site.

The wiki has some information on how to do the LDAP integration; this is how I did it:

  • Install libldap-ruby1.8 on the Puppet server (Debian package).
  • Add the Puppet schema to your LDAP schema directory (/etc/ldap/schema/ for me), add it to your slapd.conf, and restart slapd. The schema seems to be a little hard to get hold of through official channels at present, so I reproduce it here:
    # These OIDs are all fake.  No guarantees there won't be conflicts.
    #
    # $Id$
    
    attributetype ( 1.1.3.10 NAME 'puppetclass'
            DESC 'Puppet Node Class'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    
    attributetype ( 1.1.3.9 NAME 'parentnode'
         DESC 'Puppet Parent Node'
         EQUALITY caseIgnoreIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    
    objectclass ( 1.1.1.2 NAME 'puppetClient' SUP top AUXILIARY
         DESC 'Puppet Client objectclass'
         MAY ( puppetclass $ parentnode ))
    
  • Modify all existing host LDAP entries so they have objectClass: puppetClient, a puppetclass attribute (my initial ones were server and desktop), and a parentnode attribute (I have baseserver and basedesktop).
  • Create baseserver and basedesktop LDAP entries. It is not entirely clear to me if these really have a purpose; but I gave them the appropriate puppetclass and will investigate further in due course.
  • In /etc/puppet/puppetmasterd.conf, add:
    [ldap]
    ldapnodes = true
    ldapserver = ldapserver.example.com
    ldapbase = dc=example,dc=com
    
  • That’s it!

A note: if you’re changing the puppetmaster config, or any other puppet setup stuff, it can be useful to stop the running puppetmaster process, and restart it interactively with the verbose option: puppetmasterd --verbose. This helps a lot with debugging.
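The host-entry change from the steps above, written out as ldapmodify input. This is an added example, not part of the original post or of Puppet itself: the function names and the ou=Hosts location of the host entries are assumptions, and the class names are the ones mentioned in the post.

```shell
#!/bin/sh
# Added example: emit ldapmodify input that marks existing host entries as
# Puppet nodes, using the attribute names from the schema above.
# Assumption: host entries live at cn=<host>,$HOSTS_BASE.
HOSTS_BASE=${HOSTS_BASE:-ou=Hosts,dc=example,dc=com}

# puppet_node_ldif HOST PARENTNODE CLASS [CLASS...]
# Prints one LDIF modify record; returns non-zero on bad input.
puppet_node_ldif() {
    if [ $# -lt 3 ]; then
        echo "usage: puppet_node_ldif host parentnode class [class...]" >&2
        return 2
    fi
    host=$1
    parent=$2
    shift 2
    # Accept only plain names, so that a stray newline, comma or colon in an
    # inventory file cannot add extra attributes or alter the DN.
    for v in "$host" "$parent" "$@"; do
        case "$v" in
            ""|*[!A-Za-z0-9._-]*) echo "bad value: $v" >&2; return 1 ;;
        esac
    done
    printf 'dn: cn=%s,%s\n' "$host" "$HOSTS_BASE"
    printf 'changetype: modify\n'
    # ldapmodify reports an error here if the entry is already a puppetClient.
    printf 'add: objectClass\nobjectClass: puppetClient\n'
    printf '%s\n' '-' 'add: puppetclass'
    # The attribute is multi-valued: one line per class.
    for c in "$@"; do
        printf 'puppetclass: %s\n' "$c"
    done
    printf '%s\n' '-' 'add: parentnode' "parentnode: $parent" '-' ''
}

# Constructed sample inventory (host names are made up for illustration).
sample_ldif() {
    puppet_node_ldif www baseserver webserver ftpserver server
    puppet_node_ldif desk01 basedesktop desktop
}

# To apply for real, pipe the output into ldapmodify with your own bind DN:
#   sample_ldif | ldapmodify -x -D "<your admin DN>" -W
```

Review the generated LDIF before applying it.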

Lucas Nussbaum suggests that Linux distributions should have a place to collaborate more effectively than just with upstream projects:

I am both a Debian and an Ubuntu developer, and I’m sometimes amazed that Ubuntu discusses technical choices that were discussed (and solved) a few weeks earlier in Debian. And it’s even worse with the other big distros out there.

Couldn’t we try to improve this ?

More and more I believe that open code itself is insufficient. Encouraging and participating in a healthy community around the project is necessary for both free software and open source.

Carla Schroder

http://www.linux.com/feature/118946
“If you have a point-and-click digital camera made by Canon, you may be able to turn on all sorts of features usually reserved for more expensive SLRs. That includes live histograms, depth-of-field calculation, under and overexposure highlighting, and — best of all — shooting your pictures in RAW. The secret is CHDK, an enhanced, free software replacement firmware.”

This sounds pretty darned cool, and it illustrates the nature of this newfangled digital world - it’s all in the software. Of course, the optics and the camera sensor are important, but in the end the software does most of the work. Software translates the data from the camera sensor, software runs your photo printer, software makes your pretty pics into Web galleries. Amazing stuff.

Juliet Kemp

I realised a while ago that it would be a useful thing to check, occasionally, that all the machines I’m responsible for are still up. (This helps to minimise those embarrassing “Oh, I didn’t know there was anything wrong with it” conversations.)

Thus, the following pretty basic perl script, which I run from /etc/crontab on my own desktop every couple of hours:

#!/usr/bin/perl -w
#
# host_ping.pl - run from crontab

use strict;
use Net::Ping;
use Net::SMTP;

sub sendmail;

my $ping  = Net::Ping->new();
my $email = 'me@example.com';

my @host_array = qw/host1 host2 serverA serverB/;
my $hosts_down = "";

foreach my $host (@host_array) {
    unless ($ping->ping($host)) {
        $hosts_down .= "$host ";
    }
}

sendmail() if ($hosts_down ne "");

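# No () prototype here: it would not match the forward declaration above and
# -w would print a "Prototype mismatch" warning on every cron run.
sub sendmail
{
    # email to me
    my $s = Net::SMTP->new('mailserver.example.com')
        or die "Cannot connect to mail server\n";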
    $s->mail($email);
    $s->to($email);
    $s->data("Subject: Host(s) down: $hosts_down","\n","\n");
    $s->quit;
}

Also this week, I’ve been organising an engineer for a 4TB RAID 5 array which had 2 disks fall over at the same time. Apparently this is increasingly common with large SATA disks (we had 10 500GB disks) - probably due to the heavy load put on the disks by rebuilding. And of course it renders the RAID5 unusable, so reinstall/restore-from-tape fun on the horizon once the engineer currently in the server room has established that it’s definitely kaput.

The other current project is looking at Puppet. So far I’ve got a server and test client working, and am cautiously optimistic about prospective usefulness. I wish you could readily up the log level without having to run in the foreground, mind. I will doubtless blog more on this in future.

Juliet Kemp

This is for the “how the hell have I done this job this long & not known this already?” files.

Debian has a file called /etc/rc.local which runs at the end of all the multi-user boot levels, and which you can therefore put stuff in. I’ve had trouble with autofs not starting properly on certain machines (there seems to be a correlation with SCSI or SATA rather than IDE drives, although I do not know why this should be), and putting the line

/etc/init.d/autofs restart

in /etc/rc.local, whilst arguably a hack, does the trick just fine.

Especially baffled that I didn’t know of this file because I’ve had to do stuff like this in the past, and have horribly misused /etc/init.d/rmnologin instead.

In totally unconnected, and not even slightly tech-related news: a bunch of my cycling friends are riding 1200km in 90hrs in France this week, for fun. (I was hoping to go as well but didn’t qualify - although given the vile weather they’ve had this might be for the best.) They’re all doing fantastically well, especially given the awful conditions, & I’ve been following their progress all week with much excitement (one person has finished already, in 60hrs!). Finish deadline is 4pm French time tomorrow. Allez allez!

Juliet Kemp

I use RT as a request/bug tracker, but until recently hadn’t set it up with an email address plugged directly into it. This was because I don’t run my own email server - that’s centralised - which makes setup a bit more difficult. And undocumented, hence this post. Convincing users to use a different email address may well be tough, but at least you yourself can start bouncing relevant emails to the RT address, thereby creating a more trackable system.

There are 2 basic steps: 1. setting up the mail gateway to RT; 2. mail pickup from the external central server. Note that I’m using exim4 - other mail programs will obviously work differently. Details are below…

Juliet Kemp

run-parts is used (on Debian systems, anyway) to run the scripts in /etc/cron.daily (hourly, weekly, etc) on the appropriate schedule. I had trouble this week with a Perl script I’d dropped into /etc/cron.daily failing to run. Ran fine from the command line, of course. Odd.

Eventually it occurred to me, after a little light man page reading, to try run-parts --test /etc/cron.daily (which just prints the names of the scripts that would run). Script failed to show up. Most Odd.

I finally found the answer via Google, although a slightly less light reading of the man page would have helped. Scripts to be run by run-parts must adhere to a particular naming convention - in particular, no .xx endings. So my script.pl script wasn’t being picked up due to that .pl ending. I renamed it to script and all was well.

(I’m not actually sure what the logic of this is; I’m assuming it’s likely to be historical reasons. You can alter it with the --lsbsysinit option, if you prefer that. I know the .xx ending is by no means essential, but I prefer in general to have a quick visual of what language I’ve written a script in.)
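A check for the failure described above, as an added example that is not part of the original post: it lists the files in a cron directory that run-parts will silently skip under its default naming rule (names may contain only ASCII letters, digits, underscores and hyphens) or because they are not executable. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: report files that run-parts would silently skip.
# Covers the default naming rule only (no --lsbsysinit, no --regex).
LC_ALL=C
export LC_ALL   # keep the A-Z / a-z ranges below strictly ASCII

# runparts_name_ok NAME
# Succeeds if NAME consists only of ASCII letters, digits, '_' and '-'.
runparts_name_ok() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# runparts_skipped DIR
# Prints one line per regular file in DIR that run-parts will not run,
# with the reason. Returns 1 if anything was reported, 0 otherwise.
# Dot files are not listed; their names never match the rule anyway.
runparts_skipped() {
    dir=$1
    found=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if ! runparts_name_ok "$name"; then
            echo "$name: name rejected by run-parts"
            found=1
        elif [ ! -x "$path" ]; then
            echo "$name: not executable"
            found=1
        fi
    done
    return $found
}

# When run as a script with a directory argument, audit that directory,
# for example: sh runparts_audit.sh /etc/cron.daily
if [ $# -gt 0 ]; then
    runparts_skipped "$1"
fi
```

Run from cron itself, this makes a skipped job (a backup, an update check) show up in mail instead of failing silently.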

I just ran across a great tutorial by Miriam Ruiz: Recipe: Internationalizing a C program with gettext. Though it’s only a starting point, it explains everything I failed to get by trawling the appropriate manpages. Now I have almost no excuse not to do it!

Juliet Kemp

I’ve had Google Desktop for Linux running for a while now; I can’t actually say I’ve used it all that much, but what I did very quickly observe was that the default cronjob (/etc/cron.hourly/gdl-update) that checks for updates had far too much output (I do not want hourly updates telling me “not going to update now”, kthx). And some spelling mistakes.

Here’s an improved version that only sends you email if something of note has happened (update occurred; update failed unexpectedly; can’t create or update timestamp file):

#!/bin/bash
# Copyright 2007 Google Inc. All Rights Reserved.

CACHE_DIR="/var/cache/google/desktop"
PREFIX="/opt/google/desktop"
GDL_UPDATE="/opt/google/desktop/bin/gdl_update"
PKG_FORMAT="deb"
PKG_UPGRADE_CMD="dpkg -i --refuse-downgrade"
TIMESTAMP_FILE="/var/cache/google/desktop/update_timestamp"
ID_FILE="/var/cache/google/desktop/id"
PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

if [ ! -x "$GDL_UPDATE" ]; then
  echo "gdl_update is not available."
  exit 1
fi

# run gdl_update
export PATH

DO_UPDATE=no
if [ ! -e $TIMESTAMP_FILE ]; then
  if touch $TIMESTAMP_FILE; then
    DO_UPDATE=yes
  else
    echo "Failed to create timestamp file."
  fi
else
  LAST=`date -u -r $TIMESTAMP_FILE +%s`
  NOW=`date -u +%s`
  DELAY=`expr 86400 + $RANDOM % 21600`
  DIFF=`expr $NOW - $LAST`
  # Updates should only occur every 24 to 30 hours (interval chosen randomly).
  if [ $DIFF -gt $DELAY ]; then
    if touch $TIMESTAMP_FILE; then
      DO_UPDATE=yes
    else
      echo "Failed to update timestamp file."
    fi
  fi
fi

if [ "$DO_UPDATE" != "yes" ]; then
  exit 0
fi

UUID=""
if [ ! -f "$ID_FILE" ]; then
  UUIDGEN=`which uuidgen`
  if [ -n "$UUIDGEN" -a -x "$UUIDGEN" ]; then
    $UUIDGEN > $ID_FILE
    chmod 644 $ID_FILE
  fi
fi
UUID=`cat $ID_FILE`

if [ "$UUID" = "" ]; then
  UUID="0"
fi

NEW_PKG=`LD_LIBRARY_PATH="/opt/google/desktop/lib:$LD_LIBRARY_PATH" $GDL_UPDATE "$PKG_FORMAT" "$UUID" 2>&1`
# Save gdl_update's exit status now; the tests below would overwrite $?
GDL_STATUS=$?

# Note spelling error (appears to be in gdl-update binary so can't readily be removed)
if [ "$NEW_PKG" = "unavaliable" ]; then
    # echo "Package is not available"
    exit 0
fi

# update package is successfully downloaded
if [ $GDL_STATUS -eq 0 ] && [ -f "$NEW_PKG" ]; then
  dpkg -i --refuse-downgrade "$NEW_PKG"
  if [ $? -eq 0 ]; then
    echo "Updated successfully."
  else
    echo "Update failed."
  fi
  rm -f "$NEW_PKG"
fi

Caitlyn Martin

Back in February I wrote about using xli to add a desktop background of your choice to a minimalist window manager. I chose to write about xli for two reasons. First, several window manager developers choose to use xli by default. For example, if you look at a .jwmrc file, the configuration file used by JWM, a lightweight window manager I am rather fond of, you will see that xli is used in the <Startup Command> section. The second and perhaps more important reason I chose to write about xli is because it’s what I knew and used for years. One thing about Linux and UNIX: there are always different ways to do things. It turns out that many distros include something a bit newer and perhaps better than xli.

Esetroot can also be used to change the contents of the root window in X. The root window is your desktop background. The advantage of Esetroot over xli is that it supports transparency in applications. This is a low resource piece of eye candy that I particularly like in terminal emulators like mrxvt, aterm, and xfce Terminal. I like seeing my background, albeit shaded, perhaps in a color of my choice, in the background of my terminal window. pypanel, a small panel or toolbar application for minimalist window managers written in Python, also supports transparency nicely.

Juliet Kemp

Mac rather than Linux, but never mind.

One of my users recently had his PowerBook fail, and needed to reinstall from an external source (as the DVD drive was broken). Apparently all the information he found online insisted that this could only be done via FireWire, either from an external DVD drive or by booting in Target mode (attached to another Mac). However, after some days of prodding at it, he eventually tried a USB external DVD drive, and that worked absolutely fine, albeit slowly.

While I’m on the subject, consider this a reminder to back your data up. I say this because my own laptop died last week (thankfully I did have a recent backup!). The Mac Target mode did come in handy here. My hard drive was showing errors when I booted verbosely (hold down Apple-V as you press the power button & hold it until the boot screen appears - may take some time). However, when I attached it to another Mac via FireWire, and booted it in Target mode (hold down Apple-T during boot), it (eventually…) showed up as a volume on the other Mac. This meant I was able to rescue the one really important file that hadn’t been backed up in its most recent version, as I’d been working on it that day. After which, sadly, it expired entirely. I do now have a lovely shiny new black MacBook (prioritising size over the increased power of the PowerBook - it’s a shame they no longer make 12″ PowerBooks) as a replacement.

Caitlyn Martin

On July 22nd a new set of kernel packages was released for Vector Linux, my chosen primary and current favorite distribution. This was the second build of the 2.6.21 kernel with Con Kolivas’ CK2 patchset, replacing a test build released on July 8. In the past the only reason I’ve recommended upgrading a kernel is to close security vulnerabilities or to add support for new hardware. Recently, though, there is another very good reason: noticeably improved performance, particularly if you are currently using kernel 2.6.19 or earlier.

Juliet Kemp

Thanks to everyone who commented on my last post, about Jabber servers. Quite a few of them seem to play nicely with LDAP; the trouble with the setup here is that we have LDAP + Kerberos, and it’s the Kerberos part that seems problematic. There is of course the “roll your own” option but I am currently preferring to steer clear of that in favour of accepting that users will have to create themselves a separate Jabber account rather than having everything tie together neatly. It’s not terribly difficult to do, after all!

A couple of things to bring to your attention: firstly, the usefulness of cron-apt (for apt-using systems) is probably well known already, but since I only encountered it about a year ago, I commend it to anyone else who hasn’t done so yet. It runs a daily cron-job to check for package updates for you. I recommend setting it to download only, not to automatic install, and also to only email if there’s an update waiting. To actually run the upgrades once you’ve checked the email to ensure it’s not done anything foolish, you can then use either ClusterSSH to run apt-get upgrade, or some form of roll-your-own solution, such as this:

#!/bin/sh
# Script to automate apt-get run across machines
# Usage: deb_aptget.sh "machine1 machine2 machine3"

if [ $# -eq 0 ]; then
        echo "Usage: `basename $0` \"machine1 machine2 machine3 ...\""
        exit 1
fi

# Authenticate root passphrase
ssh-add .ssh/root_key

# Run command on each of listed machines. $* is left unquoted on purpose so
# that a single quoted list of machines is split into separate hostnames.
for host in $*
        do
                echo "$host"
                ssh -i .ssh/root_key "root@$host" apt-get -y dist-upgrade
        done

# Deauthenticate root
ssh-add -d .ssh/root_key

Customary warnings apply, in particular the fact that I am not responsible if you use this & do something dramatically awful to your system(s).

Secondly, you may be interested in this article about OpenGuides, a Perl-based wiki that allows people to build open-source guides to cities. I confess to being biased, since I’ve been a contributor (on the content, rather than the code, side) to a couple of OpenGuides wikis (& know the author of the article!), but it is a very interesting project and well worth a look.

Juliet Kemp

A request for opinion/experience today: does anyone have experience of running (local) Jabber servers under Linux? (Debian, ideally).

I’ve been experimenting with setting up a Jabber server to run within our LAN. I tried Openfire and found it quite hard work. Ejabberd worked better, but after running for a few hours on the same machine as our webserver, there were a lot of zombie blosxom.cgi processes and the webserver was no longer responding. I haven’t definitely confirmed this behaviour as due to ejabberd, but am not terribly keen to experiment further on a live webserver. I will be trying it on another machine to see how that behaves; but in the meantime, a) has anyone else seen problems on a server running ejabberd? and b) can anyone recommend a Jabber server that is straightforward to set up, well-behaved once running, and supports chatrooms?

I would also very much like for it to hook into our LDAP/Kerberos setup. I gather that single-sign-on is a nonstarter (since gaim and other clients don’t do GSSAPI), but being able to use the same usernames and passwords would be very useful. In theory both Openfire and ejabberd can be made to do this; in practice IME it doesn’t work. Any thoughts on that would also be welcome!

Carla Schroder

I’m making the leap from point-and-shoot digital cameras to digital SLRs. This represents a considerable increase in cost and hassle. The latest generation of compact point-and-shoots are pretty darned good. Will it be worth it? Or will I be smitten with terminal buyer’s remorse? Does Linux offer sufficient high-end photo management and editing software? Visit Adventures in Digital Photography With Linux, part 2 to find out. The first two installments cover cameras and lenses, and digital arcana thereof. Over the next few weeks I’ll write about editing and managing photos on Linux.

And, of course, you fine readers are invited to share your own Linux photography adventures.

Juliet Kemp

I run master and slave Kerberos servers, which requires setting up kprop to run regularly on the master server in order to transfer any changes to the slave server. The usually suggested way of doing this is a 2-line script (dump to file, propagate file across), which runs from /etc/crontab with the output directed to /dev/null.

I didn’t like this, because whilst I don’t want (obviously) to get the SUCCEEDED message emailed to me every time it propagates successfully, I do want to know about it in the event of failure. So I wrote this slightly improved script, which does just that.

#!/bin/sh
# Script to run automatic Kerberos dump & transfer to slave server

DUMPFILE=/etc/krb5kdc/slave_dump_file
RESULT=/etc/krb5kdc/slave_dump_result
SLAVE=server2.example.com
MAIL=sysadmin@example.com

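/usr/sbin/kdb5_util dump $DUMPFILE
# Capture stderr as well, so that kprop's error messages end up in $RESULT
/usr/sbin/kprop -f $DUMPFILE $SLAVE > $RESULT 2>&1

# Mail the output unless kprop reported SUCCEEDED
# (this also catches a failure that left $RESULT empty)
if ! grep -q SUCCEEDED $RESULT ; then
        mail -s "Kerberos replication problem" $MAIL < $RESULT
fi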

This goes in /etc/cron.hourly (if you wanted to run it more often you'd want to call it from /etc/crontab at whatever interval you prefer) and seems to work fine.

Juliet Kemp

I use RT as a problem-ticketing system (or at least, I encourage people to use it). Since I don’t manage my own mail server, I’ve been putting off the mail gateway part of this for a while, but finally got it working yesterday.

The mail handler is rt-mailgate, and the basic setup is explained in the man page. In your /etc/aliases file, add the line:

rt-email: "|/usr/bin/rt-mailgate --queue General --action correspond --url https://localhost/rt"

If using exim, you also need to edit exim4.conf.template to include the line:

pipe_transport = address_pipe

somewhere outside the SYSTEM_ALIASES_PIPE_TRANSPORT block. Run update-exim4.conf and restart exim.

More after the jump…

Juliet Kemp

Last week I finally finished installing Condor (a distributed computing project) on our machines here. The install packages didn’t seem to include a Debian startup script (or I couldn’t find it), and a little light Googling produced nothing either. So I wrote my own, & reproduce it here to assist the laziness of others.


#! /bin/sh
# /etc/init.d/condor: start and stop Condor

set -e

test -x /soft9/condor/sbin/condor || exit 0

if test -f /etc/default/condor; then
    . /etc/default/condor
fi

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/soft9/condor/sbin"
export CONDOR_CONFIG="/soft9/condor/etc/condor_config"
PIDFILE="/var/run/condor.pid"

case "$1" in
  start)
        echo -n "Starting condor"
        start-stop-daemon --start --quiet --exec /soft9/condor/sbin/condor_master -- $CONDOR_OPTS
        PID=`pidof condor_master` || true
        echo $PID > $PIDFILE
        echo "."
        ;;
  stop)
        echo -n "Stopping condor"
        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/condor.pid
        echo "."
        ;;

  *)
        echo "Usage: /etc/init.d/condor {start|stop}"
        exit 1
esac

exit 0

I may write more about condor when we’ve been using it a bit longer.

Caitlyn Martin

There is a very interesting back-and-forth going on between Linux creator Linus Torvalds writing on the Linux kernel mailing list and Jonathan Schwartz, President and CEO of Sun Microsystems writing in his blog. Despite the different fora the two actually seem to be talking to each other as well as their respective audiences.

A year and a half ago Mr. Schwartz posted to his blog about possibly releasing Solaris under dual Open Source licenses, CDDL and GPL v3. Never mind that GPL v3 doesn’t exist yet and certainly wasn’t finalized a year and a half ago. This was one of Sun’s many pronouncements about their support for Open Source that seemed to have very little substance behind it.

Fast forward to yesterday and Linus’ post to the kernel mailing list in a discussion about the possibility of dual licensing the kernel under GPL v2 and v3. While Linus acknowledges positive contributions made by Sun he is very skeptical about their motives and about what, if anything, interesting they may release under any form of the GPL. While I share his skepticism I applaud his decision to be civil towards Sun and to say that he hopes he’s wrong. Read the whole post — it’s very interesting and informative.

Today Jonathan Schwartz responded. I must say he did nothing to allay my skepticism but… at least a discussion is taking place and a Sun commitment to Open Source and the GPL has been reiterated.

Juliet Kemp

After upgrading to etch recently, I had a plaintive email from a user saying that some Fortran software she had downloaded now wasn’t compiling any more (when it had been previously).

The error message was pretty clear that the problem was with g77 not being able to find the relevant include file - but there it was, right in the directory.

It transpired after a little Googling that g77 (at least as of the version in etch) doesn’t use the current directory or the source file directory to look for include files in. The problem was readily solved by adding -I. (note the dot!) in the configure file & running make clean;./configure;make.

However, this seems to me to be a strange decision - for my intuition, looking in the current directory and in particular the source file directory for desired files makes sense. I can’t offhand find anything explaining why it works this way; and the fact that this code used to work fine implies that it’s not “it’s always been done this way” (although I’ve now upgraded all machines to etch so haven’t got a sarge box kicking around to test!).

There’s a bug report for gfortran stating that it does include files in the current working directory while g77 doesn’t (with a patch fixing the problem); but this also states that g77 includes files in the same directory as the source file; which doesn’t actually seem to be the case with this version. Curious.

(yes, we do still have people using Fortran here. Lots of people, in fact!)

Juliet Kemp

Just a quick note to mention how impressed I have been with my current backup solution, Bacula (using an Overland Neo2000 tape library, which also does the job nicely). A basic setup is pretty straightforward, and after that it runs smoothly and with very little need for intervention (other than tape switching. I have yet to find software that will pull the tapes out of the fireproof box for me & put them into the tape library…).

It handles very large filesets well - I need to do a restore of nearly 1TB of data next week, & initial dry run indicates that while it takes a *long* time to build the directory tree (lots of little files in that dataset, which doesn’t help), it will work OK. I understand that more recent versions are quicker (I’m running the version currently available in Debian etch, which is 1.38.11).

Smaller restores happen fast, and the restore interface is pretty usable. (I think there’s a graphical interface available; I use command-line style stuff).

Support is also excellent, with an active mailing list - the developer seems to spend a lot of his time answering questions there very patiently.

Might not be worth the setup time overhead if your backup requirements are small, but definitely well worth it for anything upwards of a couple of machines.

Caitlyn Martin

A complete set of GNOME 2.18 packages has been added to the Vector Linux Extra repository. This means that users of Vector Linux 5.8 Standard or SOHO can add GNOME easily in addition to Xfce or KDE. From the command line a simple

slapt-get --update
slapt-get --install gnomemeta

will add or upgrade roughly 100 packages on your system. Oh, and no, it doesn’t break KDE or Xfce. For those who are a bit command line phobic you can also find the gnomemeta package in gslapt, the graphical package management tool. Previously GNOME was only offered with the Deluxe (paid for) versions of Vector Linux.

Fair warning: if you don’t have any GNOME bits on your system already doing this install can consume over 900MB in hard disk space. Installing GNOME online is definitely not recommended for those who still have only dial-up internet access.

I’m still not a huge fan of GNOME but I do think choice is good and making it easy to choose from a variety of Linux desktops is a very good thing for Vector Linux.

I ran across a mention of Callgrind in a weblog the other day. “Hm,” I thought. “I should use that to profile Parrot.”

I have a little PIR program that prints “Hello, world!”. I use it for valgrinding Parrot. Profiling Parrot’s startup and shutdown time seemed useful:

$ valgrind --tool=callgrind -v parrot hi.pir

When you do this, run callgrind_annotate on the resulting output file to get a nice report of which functions did the most work. I saw:

20,301,112  PROGRAM TOTALS

3,034,654  ???:dl_new_hash [/lib/ld-2.5.so]
2,985,581  mmd.c:mmd_expand_y [/home/chromatic/dev/parrot/blib/lib/libparrot.so.0.4.12]
2,974,773  ???:do_lookup_x [/lib/ld-2.5.so]
2,652,803  ???:_dl_relocate_object [/lib/ld-2.5.so]

Here’s what happened when I dug into the code.

Juliet Kemp

One of my users complained today that automount for USB devices wasn’t working on his machine (running Debian etch). I did a little light Googling, & came across this article on the subject.

Which seemed horrendously complicated for something that (surely?) should Just Work out-of-the-box. Hmm. Messed around a bit with the suggestions there, but to no avail.

Further googling produced this blog post which suggested a much more simple solution - add the user to the plugdev group. This worked like a charm. My thanks to Matt!

I note in passing that this is one of the downsides of central auth - the “emergency” local user is automatically added to this group (& also part of the audio group), but Kerberos/LDAP users unsurprisingly aren’t.

Juliet Kemp

For those of you who (like me) separate the root partition & user data, and don’t bother backing up the former because it’s a standard install & therefore easy to recreate: note that whilst this is in general true, it may not be in the case of /root.

I at least have a tendency to leave a handful of Useful Scripts there, in particular in the case of server machines. It is annoying to realise that the death of Machine X has also resulted in the loss of the Useful Script you had spent some time developing.

Conclusions I have drawn from this:
1. Back up /root.
2. Consider keeping the Useful Scripts more centrally, even if they are machine-specific in a couple of instances (I do this already with everything else; I am not sure why I haven’t thought to do it for these. Some peculiar form of blind spot, evidently.)

In a further relevant note: the rescue mode of the Debian etch SPARC CD works fine, albeit quite slowly. The only real issue is that the cursor fails to show up on any of the screens so choosing the correct option is to some extent a matter of guesswork (most irritating when your guess results in hitting the “Reboot now” option rather than the “Choose another root partition” option). Useful Scripts now safely rescued, however; and backed up.

From Christopher Blizzard on one laptop per child and open source:

For once Microsoft is getting the reverse Linux laptop experience: little support and little documentation for the hardware. The result will be a platform that doesn’t include any of the really novel features that we’re building in, bad power management, no systems management via the firmware and apps that will randomly crash because they can’t fix the virtual memory problem in the same way we’re approaching it. A second class citizen, to be sure.

Juliet Kemp

A couple of times I’ve encountered problems with the sound card on Debian boxes. Some notes I’ve found that may help others having difficulties:

  • Check the permissions on /dev/dsp, and make sure that the relevant user(s) are in the audio group in /etc/group. You may need to log out & back in again for this to take effect.
  • If using the alsa sound daemon, install the alsa-utils package and run alsaconf. This should pick up your sound card. You may need to run alsamixer to check the volume levels are correctly set afterwards.
  • Blindingly Obvious (but easy to overlook) Note: make sure that the volume control on xmms (or other media player of choice), and on your headphones/speakers is sufficiently up. (I once spent ages prodding at a user’s sound config before realising that the headphones had their own volume control which I hadn’t noticed, and it was all the way down.)
  • With KDE, I found recently that to get sound running it was necessary to run the KDE sound control utility, turn off KDE’s sound management and click Apply, close the utility down, reopen it, turn the sound management back on, & click Apply again. Then it worked.

Juliet Kemp

Standard disk setup here used to include a 5GB root partition (this has been upped to 10GB for a while now). I’ve just encountered the first machine with this setup to be running out of space on / - mostly this seems to be down to /usr/share.

Unfortunately resizing on-the-fly in this situation is difficult, due to the parted restriction that partitions can only be resized at the end - i.e. their start point must remain the same - which means that I can’t just take space off the front of the next partition along. The disk looks like this:

/dev/hda1      /             5GB
/dev/hda2      /local      105GB

(there’s swap and so on in there too, but let’s ignore that for the moment).

There is a solution to this, which goes like this (to expand /dev/hda1 by 5GB):

  • Resize /dev/hda2 to be 5GB, leaving 95GB spare.
  • Create a new partition in that 95GB.
  • Copy the data from /dev/hda2 to the new partition.
  • Delete /dev/hda2.
  • Resize /dev/hda1 to include that newly spare 5GB which used to be the resized /dev/hda2.
  • Tidy up as appropriate - all partition labels will have changed so you’ll need to edit /etc/fstab and possibly your boot loader, before you reboot.

Note that:
  1. This only works if you have less than 5GB of data in /dev/hda2.
  2. You’ll need to be running from a rescue disk or similar if you want to mess around with your / partition.
  3. Read the parted manual before actually doing the above :-)

Unfortunately, my /dev/hda2 partition in the above has rather more than 5GB of data so this plan won’t work. I was intending to dump the data off and then resize; but looking again at the partition table, I’ve noticed the existence of a swap partition between / and /local. Now, the data on this obviously doesn’t matter. So I can delete that partition, expand /dev/hda1 into that, shrink what is actually /dev/hda3 down by the appropriate size, and put in a new swap partition at the end of the disk. This will only get me 2GB, but that should be enough breathing space to be going on with.

All this did also lead me to thinking about the appropriate size for a / partition. 10GB seems like a lot to me… but for a machine with a lot of software, 5GB clearly isn’t enough any more. (There are operational reasons for keeping the root partition separate from ‘data’ partitions.) How much do I really need to allow for futureproofing on boxes I buy now and expect to last 3 yrs? Should I be upping the space to 15GB?

Juliet Kemp

So Debian etch (4.0) has finally been released (not sure how late they were in the end… although I seem to remember seeing “late 2006” on the Debian website). I’m therefore starting to go through the process of upgrading from sarge on desktop machines.

The first note is that actually, by and large it seems very smooth. The download, unsurprisingly, takes a while, and a reboot immediately afterwards does seem to be necessary to sort out a couple of oddities (mostly with X). But the three machines I’ve tested upgrading on so far have all come up fine after reboot, with no serious problems.

Minor gotchas encountered so far:

  • Users actively using the machine during upgrade may experience odd errors (e.g. programs not functioning in surprising ways). These don’t seem to have any serious ill-effects but it’s probably more sensible if possible to take the machine down to single-user mode before starting. (This is, arguably, a good general idea, and is probably even an official recommendation; but I don’t like starting work early or staying late, so wanted to see if it was possible to do smoothly without kicking users off their machines.)
  • DenyHosts requires a reinstall; presumably this is just to link to the newer version of Python, and as such there is probably a neater solution than reinstalling, but reinstalling is so fast that it’s an acceptable solution.

LDAP and Kerberos, always the two things I’m most concerned about, upgrade very smoothly.

In general I’m extremely impressed with the process; it’s certainly a lot smoother than the last version upgrade (to sarge) which I recall having a lot more trouble with at the time.

Juliet Kemp

I have a Mac laptop, which I am very fond of; and on it I use Quicksilver which I find inordinately useful (to the point that I have trouble using other people’s Macs if they don’t have it). There is a project available entitled Gnome Launchbox which claims to be an effort to do a similar thing for Linux, which I’ve been meaning to experiment with for ages.

First order of business: upgrade to etch, as GLB requires evolution-data-server 1.2. I was expecting this to be a nuisance, & possibly lead to an exciting couple of hours of post-upgrade fixing. However, in fact it all went absolutely smoothly. I am most impressed (not to mention relieved, as I have a whole bunch of machines to upgrade when it finally gets released).

However, gnome-launchbox was still no go; the version of GTK-2.0 required is 2.10, and etch only provides 2.8.20. I’m not sufficiently keen on this exercise to start building from source or hauling in packages from unstable. I tried the 0.1 release (current is 0.2) but that produced weird make errors.

The next possibility was Katapult. Which may or may not be a good piece of software; sadly their webpage times out so I can’t find out.

Anyone encountered anything else that has a similar function? I may just switch window managers (I’ve been recommended xfce) and start setting up lots of keyboard shortcuts…

Juliet Kemp

A couple of times I’ve had users complaining about cursor “ghosting” problems while running Gnome - that if typing something, the cursor seems to rewrite itself as it normally would (to move along the line) but not to delete the old cursor positions. So you wind up with a line of cursors. Admittedly this is not disastrous but it is irritating.

I’ve only observed this on systems with the following features: running Debian etch (testing); NVIDIA graphics card; using the nv driver in xorg.conf.

The solution which has worked for me is simply to download and build the nvidia driver (see here for a quick how-to), edit xorg.conf to use that instead of nv, and restart X.

If you’re still seeing the problem after restarting X, check the logs (/var/log/Xorg.0.log) to make sure that the nvidia driver really is being used. I once found that it wasn’t; ps -A revealed a long-running X process which had to be killed before the new xorg.conf settings were picked up.

Juliet Kemp

I have a 1TB RAID array that has to be moved from my one remaining Solaris machine (which will no longer boot) to a Linux machine. I was expecting that - as with the other disk which has undergone the same process - this would appear as a SunOS usr disk and partition, which I could then mount read-only and dump elsewhere before reformatting the disk as ext3 & dumping it back again.

Not So.

fdisk -l gives me:

Disk /dev/sdc: 983.5 GB, 983542530048 bytes
256 heads, 63 sectors/track, 119108 cylinders
Units = cylinders of 16128 * 512 = 8257536 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1      119109   960490751+  ee  EFI GPT

This was a surprise as I had to reformat this disk about a year ago & I do not recall doing anything peculiar to it. EFI, from an initial poke around, seemed to be an Intel PC disk format, which was further surprising since, as you may recall from the first para, this disk came from a Solaris box. However, apparently Solaris 10 uses EFI labels on disks by default, which sounds like a probable/plausible explanation.

The next and more important question: am I going to be able to access this data from the Linux box? Initial answer seems to be no (see the discussion of platforms near the end); there is however a FUSE port - although presently only in beta.

Conclusion: first, another go at resurrecting the extant Solaris box; next, dig into FUSE. Other thoughts, experiences of FUSE/ZFS, or options I’ve missed are welcome…

(For anyone out there muttering about backups: yes, this data is in theory backed up. However, restoring it is proving a challenge as Bacula keeps falling over while it’s creating the file tree. I’m not keen to do the wipe-reformat-restore thing unless I’m confident that the restore will work and at present I’m not.)

Brad Fuller

Qwaq announced a secure virtual workspace product, called Qwaq Forums, yesterday. It runs on recent Linux, Windows and Mac computers. The product signifies an important milestone for the open-source Croquet project and Squeak. Although Squeak is already the foundation for many great applications (Etoys, Etoys on OLPC, Seaside web server, the Sophie multimedia document creator, to name a few), this announcement catapults Croquet quickly into the business realm. 

What is a Qwaq Forum? Unfortunately, I can't give you a first-hand report on Qwaq Forums. Hopefully, someone will place a video demo online for us to view. I can tell you about Croquet, though. It’s an open source 3D development environment to create distributed multi-user virtual 3D applications. It's quite a freeing feeling walking, talking and collaborating with others and directly with applications floating in air. Anyone can download Croquet and try it out. Please do, you'll have fun.

Back to Qwaq Forums. The site says that Qwaq Forums are "virtual spaces for real work."  I imagine a room where the Forum owner can maintain the security level of the room and of each person entering (or not) - from individual rights all the way to anonymous users. Picture a secure office that can be locked up at night with a security card reader on the door - but you don't have to physically travel to use the room! Being a user of Croquet, I can easily see how the room would work. Besides what I mentioned previously, you can also write code and change your environment in Croquet - it's a totally open platform.

An important feature that Qwaq cites is persistence: "all users can see all previous changes and additions" in the Forums and teams can maintain their work and the progress made. From the datasheet: "Setting up a Qwaq Forum is simple: start by simply dragging and dropping content into a workspace in Qwaq Forums. All other users present will see the content immediately and will be able to start working with it right away." I don't know what could be easier.

I won't know more about the Forums until I get my hands on it. If a video becomes available, let me know. In the meantime, check out Croquet and Squeak and see what you can do with it  - your application in this 3D space could literally change the world.  The field, uh.. virtual space, is wide open!

 

Juliet Kemp

As of this morning, I found that ssh logins into my Debian etch boxes were monumentally slow. Using the -vvv switch it looked like the problem was down to a very long wait for gssapi-with-mic authentication. Trying with the -o GSSAPIAuthentication=no switch on the command line helped, although some boxes were also pausing for a very long time when dealing with public-key auth.

Upgrading to the unstable package of openssh-server seems to have fixed the problem; although I can’t find anything explicit in the bug reports. Since libkrb53 was upgraded recently I’m wondering whether the source of the issue is actually in there.

However, note that if you’ve previously had ssh-krb5 installed, and have had the upgrade to openssh-server occur, you may have an old ssh-krb5 process kicking around. I found that in general, /etc/init.d/ssh-krb5 didn’t get removed; /etc/init.d/ssh just got installed alongside it, so be careful when rebooting.

Juliet Kemp

I have posted along these lines before.

This time the recalcitrant machine is a SunBlade 100. I had at some point in the past managed to get it as far as a Debian testing install, but then it wouldn’t reboot (hung at various stages during the process). A correspondent who’d read the previous post suggested that I try appending ide=nodma to the boot line (so in my case: Linux ide=nodma at the SILO prompt). Worked like a charm. Splendid.

Unfortunately, I then messed up my /etc/silo.conf trying to add this to the boot line so it would Just Work rather than requiring manual intervention at boot. Messed it up so badly that it - once again - won’t boot at all. (One of the morals of this story is: always run /sbin/silo after making changes to /etc/silo.conf - something which I had firmly in mind back in the days when I used LILO, but which has slipped out of awareness with the ascendence of GRUB.)

Even worse: reinstall won’t work either. Both Ubuntu and Debian etch get as far as the “Booting Linux” line and then hang silently (in either install or rescue mode). I’ve tried the various fixes on the previous post, but no dice. Any further suggestions gratefully received! It is a lovely big paperweight, mind.

Notes from my last post: httrack was just the wiki backup I required, after I told it to ignore all pages including the word Special (i.e. all metadata / change record pages) as there were just too many of them and I don’t need them for emergency purposes.

httrack http://server.com/wiki/ -*Special*

does the job. Thanks to William for the comment!

Juliet Kemp

Two things today: a recommendation and a question.

  1. I recently discovered ClusterSSH. This enables you to set up “sets” (clusters) of hosts, log into them all at once, and then whatever you type in the main cssh window will be replicated in all the hosts. The xterms are all shown so you can check what’s going on; and you can also select any host xterm to make changes just on that host. Works best if you have ssh key logon set up, for obvious reasons. Very useful! See their FAQ for more information.
  2. I keep a fair amount of my system notes on a wiki (MediaWiki). I could really do with backing this up occasionally into an offline-accessible form & dumping it somewhere where I can get at it if, say, the webserver is out of action. PDF or HTML would both do fine. Even text (with some sort of formatting) would do. Unfortunately, whilst there is a utility in MediaWiki to dump a static copy of the wiki to HTML, it doesn’t seem to work with multiple wikis on the same installation, which is what I have. Does anyone out there have any other suggestions? I feel sure that this can’t be a “roll your own” problem, but a scan of the utilities referred to MediaWiki2HTML doesn’t seem to be complete yet, and Terodump seems to be wikipedia-specific.

Juliet Kemp

Getting dual-head monitors going with an nvidia card on Debian is largely a pleasingly straightforward business.

Edit your /etc/apt/sources.list to include the contrib and non-free repositories, and run apt-get update. Install the driver as follows:

apt-get install nvidia-kernel-common module-assistant
m-a -i prepare
m-a a-i -i -t -f nvidia-kernel
depmod -a
apt-get install nvidia-glx nvidia-glx-dev

Use lsmod to check that the nvidia module is loaded.

The final task is to edit your xserver config, which is the bit where I encountered a slight gotcha this time around; hence this post.

If both monitors can handle the same resolution, editing the Device section of your /etc/X11/XF86Config-4 (sarge) or /etc/X11/xorg.conf (etch) as follows should work:


Section "Device"
        Identifier      "NVIDIA Corporation NV44 [Quadro NVS 285]"
        Driver          "nvidia"
        BusID           "PCI:1:0:0"
        Option          "TwinView" "true"
        #Option         "ConnectedMonitor" "FPD,FPD"
        Option          "MetaModes" "1600x1200,1600x1200; 1280x1024,1280x1024"
        Option          "SecondMonitorHorizSync" "31-80"
        Option          "SecondMonitorVertRefresh" "56-76"
        Option          "TwinViewOrientation" "RightOf"
EndSection

Make sure you use appropriate sync and refresh values (these work for HP 1702 flat panel & a standard Transtec 19″ flat panel), and that the BusID is correct (lspci output - look for the line corresponding to your card. 01:00.0 translates to PCI:1:0:0 as above; 05:09.0 or 0000:05:09.0 to PCI:5:9:0, etc).

However, if your monitors don’t support the same resolution, you’ll need to change this line:


        Option          "MetaModes" "1024x768,1280x1024"

(you may also need to try swapping the two entries around - e.g. 1280x1024,1024x768 - depending on which one is being seen first). If you don’t get this right, you’ll have one screen coming up OK, and the other one coming up blank. I spent some time battling with this before the solution occurred to me; I hope therefore that this information is useful to someone else!

FWIW I’d also note that different resolution monitors is suboptimal for a TwinView setup; sometimes one has to make do with what one has, though.
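
The lspci-to-BusID translation described above, as an added shell example (not part of the original post): lspci prints bus, device and function in hexadecimal while BusID takes decimal, a difference the post's sample addresses do not show because every field is below 10. The function names and the lspci sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: translate an lspci address into an xorg.conf BusID string.

# lspci_to_busid ADDR
#   ADDR is [domain:]bus:device.function as printed by lspci (hex fields).
#   Prints PCI:bus:device:function in decimal; a non-zero PCI domain is
#   written as bus@domain, the form described in xorg.conf(5).
lspci_to_busid() {
    addr=$1
    domain=0
    case $addr in
        *:*:*) domain=${addr%%:*}; addr=${addr#*:} ;;
    esac
    # What is left must look like bus:device.function
    case $addr in
        *:*.*) ;;
        *) echo "not a PCI address: $1" >&2; return 1 ;;
    esac
    bus=${addr%%:*}
    rest=${addr#*:}
    dev=${rest%%.*}
    func=${rest#*.}
    # Every field must be a non-empty hex number
    for field in "$domain" "$bus" "$dev" "$func"; do
        case $field in
            ''|*[!0-9a-fA-F]*) echo "not a PCI address: $1" >&2; return 1 ;;
        esac
    done
    if [ $((0x$domain)) -eq 0 ]; then
        echo "PCI:$((0x$bus)):$((0x$dev)):$((0x$func))"
    else
        echo "PCI:$((0x$bus))@$((0x$domain)):$((0x$dev)):$((0x$func))"
    fi
}

# vga_busid: read lspci output on stdin, convert the first VGA controller found
vga_busid() {
    slot=$(awk '/VGA compatible controller/ { print $1; exit }')
    [ -n "$slot" ] || { echo "no VGA controller in input" >&2; return 1; }
    lspci_to_busid "$slot"
}

# Constructed lspci output; on a real machine run: lspci | vga_busid
sample='00:1f.2 IDE interface: Example SATA controller
0a:00.0 VGA compatible controller: NVIDIA Corporation NV44 [Quadro NVS 285]'

printf '%s\n' "$sample" | vga_busid
lspci_to_busid 0000:05:09.0
```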

Juliet Kemp

Last week I had to move (and therefore reboot) a machine running Debian sarge (stable) which has a couple of FireWire drives attached to it. Last time I did this it all came up beautifully of its own accord; sadly not this time. The logs showed the nodes being recognised by the ieee1394 module, but not actually being mounted.

As this machine is in fairly heavy use there was a limit to what I could try to get them back up again.

What worked eventually was:


modprobe -r ohci1394 sbp2 raw1394 eth1394 ieee1394
modprobe sbp2 ohci1394 raw1394
./rescan-scsi-bus.sh

The rescan-scsi-bus.sh script comes from Kurt Garloff and is available for download.

A significant downside to this method is that the drives wound up being recognised more than once. In this specific case: the first time, one drive was recognised once, the other one 8 times (!). Rerunning the rescan-scsi-bus.sh script another time as I was writing this: the existing drives (2 actual drives, 7 ‘fakes’) showed up again; but the first drive (the one that only appeared once before) was picked up a further 7 times. So I now have 2 real drives, and 14 fakes (7 of each, which at least is neat). Unfortunately as mentioned above this machine sees heavy use so I can’t mess around further with this (e.g. by unloading/reloading the modules and running the script some more at various stages). (And it does work, in that the drives are mounted and accessible right now, so if it ain’t broke…).

I am curious, though. This machine is about to be replaced with a superior solution, so I might get a chance to experiment in a few weeks.

Caitlyn Martin

Running a basic, truly minimal window manager can save significant CPU cycles and memory. This becomes important if you’re running old, limited hardware or when designing a desktop environment for an embedded Linux device. Even the oldest, most primitive window managers (think TWM or MWM) can support a pretty desktop background image. The ability is almost as old as X itself.

The tool you need is a very old, very small utility called xli. It’s included as part of X.org in many distributions. If your favorite distro doesn’t include it the source code can be found here. You can load the image of your choice either from the command line or when your window manager starts. The command you’d use to add a background to an X session that’s already running is:

xli -onroot <path-to-image>

Juliet Kemp

Bash is one of those Unix things that I am fully aware has a lot more potential and power than I know how to use. Every so often I go looking for another handful of useful things to learn about it: this is a selection of recent ones.

Firstly: the Debian bash package includes a file /etc/bash_completion which extends bash - for example, enabling zsh-style tab completion of hostnames. Source this file in your own .bashrc to get this functionality. It also makes it easy to extend/program bash yourself, via the directory /etc/bash_completion.d/, which is automatically sourced by /etc/bash_completion. For example, suppose you have a script foo.sh which takes hostnames as arguments (e.g. one which applies a particular command across a set of hostnames). You can get hostname tab-completion on foo.sh by creating a file /etc/bash_completion.d/foo which contains the line

complete -F _known_hosts foo.sh

You can also, of course, get a lot more complicated - this article talks about getting tab-completion for any other arguments to foo.sh.

Secondly: $CDPATH is to cd what $PATH is to executables. Set $CDPATH in your .bashrc as follows:

export CDPATH=.:~:/usr/local/:/opt/my/long/dir/path

Then if you wish to change to /opt/my/long/dir/path/subdir, just type cd subdir at the prompt and you’re there. Note that you do need to include . in there or you won’t be able to change directories within your current directory.

Thirdly, some small useful .bashrc things:

  • shopt -s cdspell will attempt to correct misspellings of directories.
  • shopt -s dotglob allows files beginning with a dot to be returned in filename expansions.
  • export HISTCONTROL=ignoreboth stops the bash history from including either duplicate lines, or lines beginning with a space, which makes it rather quicker to navigate.

and some small useful command-line shortcuts:

  • Ctrl-r searches backwards in your bash history. I love this one very much.
  • Alt-. (that’s a full stop there) inserts at the cursor the last argument to the previous command.
  • Alt-Ctrl-y inserts at the cursor the first argument to the previous command. Further: if you hit Alt-3 then Alt-Ctrl-y, you’ll get the 3rd argument to the previous command.

Finally: a little snippet for your .bashrc that will change the title of your xterm or xterm-alike to show username@hostname:/current/directory. It updates as you change directory or ssh to another host. This is useful if you spend a lot of time opening lots of xterms on various hosts and in various directories; and it’s another visual clue as to (e.g.) whether you’re currently logged in as root. Myself, I also set my root prompts to be in a different colour to my own prompts. You can’t have too many reminders of your identity…

case $TERM in
    xterm*)
        PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}:${PWD}\007"'
        ;;
    *)
        ;;
esac

Comments with other useful bash bits and pieces welcome!

Juliet Kemp

I run LDAP + Kerberos on my network for information and authentication. After setting everything up initially, I later acquired a spare machine and decided to run it as a slave LDAP server, using slurpd.

Executive summary: if trying to use two different Kerberos-authenticated users at the same time, you need to set the KRB5CCNAME value accordingly. Details follow…

Juliet Kemp

A while back I was trying to set up kpropd on a Debian system, and came across a problem whereby one of my hosts was identifying itself as host/localhost.localdomain (this was Not Helpful).

Investigation revealed firstly that hostname returned the correct thing (i.e. servername), and secondly that /etc/hosts looked like this:

x.x.x.x     servername.mydomain.com  servername
127.0.0.1    localhost.localdomain  localhost  servername

There has been discussion on the Debian lists about the order of this last line being incorrect; some applications (including, it seems, at least some aspects of Kerberos admin) can’t cope with 127.0.0.1 returning localhost.localdomain instead of localhost.

Replacing that last line with

127.0.0.1    localhost  localhost.localdomain  servername

solved the problem - i.e. localhost.localdomain wants to be an alias, not the canonical hostname.

(Note: this was using a sarge system (and in fact I was working on this quite some time ago); I don’t know what the current situation is with etch, nor whether it has been fixed in recent sarge bugfixes. Just documenting it in case others encounter the same/similar problem.)
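
A check for the /etc/hosts ordering problem described above, as an added shell example (not part of the original post): it reports which name a hosts file makes canonical for an address, since the first name after the address is the canonical one and the rest are aliases. The function names are hypothetical, and the sample files are constructed from the post's two versions with 192.0.2.10 standing in for x.x.x.x.

```shell
#!/bin/sh
# Added example: find the canonical name a hosts(5) file gives an address.

# canonical_name FILE ADDRESS -> prints the canonical name, or nothing
canonical_name() {
    awk -v addr="$2" '
        { sub(/#.*/, "") }                        # drop comments
        $1 == addr && NF >= 2 { print $2; exit }  # first matching line wins
    ' "$1"
}

# aliases_of FILE ADDRESS -> prints the aliases on that line, space separated
aliases_of() {
    awk -v addr="$2" '
        { sub(/#.*/, "") }
        $1 == addr && NF >= 2 {
            out = ""
            for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
            print out
            exit
        }
    ' "$1"
}

# check_loopback FILE -> status 0 when 127.0.0.1 is canonically "localhost"
check_loopback() {
    name=$(canonical_name "$1" 127.0.0.1)
    if [ "$name" = "localhost" ]; then
        echo "OK: 127.0.0.1 is canonically localhost (aliases: $(aliases_of "$1" 127.0.0.1))"
        return 0
    fi
    echo "WARN: 127.0.0.1 is canonically '${name:-<no entry>}', expected localhost"
    return 1
}

# Constructed sample files mirroring the two versions shown in the post.
before=$(mktemp)
after=$(mktemp)
cat > "$before" <<'EOF'
192.0.2.10   servername.mydomain.com  servername
127.0.0.1    localhost.localdomain  localhost  servername
EOF
cat > "$after" <<'EOF'
192.0.2.10   servername.mydomain.com  servername
127.0.0.1    localhost  localhost.localdomain  servername
EOF

check_loopback "$before" || true   # WARN: canonical name is localhost.localdomain
check_loopback "$after"            # OK
```

Run `check_loopback /etc/hosts` on a real host before setting up services that build principal names from the local hostname.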

Caitlyn Martin

Last May I wrote about reviving a pair of ancient laptops using Damn Small Linux. I called them “atticware” (a term I can’t take credit for inventing, BTW) because the attic is where computers that old often end up. My point is that there are current Linux distributions that can allow even decade old hardware to run a current if lightweight OS and software. The uses for this should be obvious: non-profits, the proverbial starving students, anyone of limited means, developing countries, and so on. Various programs to recycle old systems and get them into deserving hands have sprung up like weeds though I suspect few if any bother to load Linux on such systems.

Anyway, I wrote a follow up piece in July linking to step-by-step installation instructions. I’ve received lots of responses since then. The interesting quirks I reported in the Damn Small Linux (DSL) frugal installation were fixed in version 3.1 along with lots of other improvements. As a result I’ve updated the web page to reflect changes with the new version. I know the DSL developers had read and commented favorably on the page. DSL developers famously respond to their user community and this is just one example of that. This is one of the many advantages of running something under current development.

Another response I received informed me that Memory Ten sells 64MB and 128MB memory upgrades for the Mitsubishi Amity CN, which raises the possibility of running a somewhat heavier distribution or at least using more and varied MyDSL extensions on the machine. You still won’t be able to run a full sized Linux distro without upgrading the hard drive as well. It’s more memory than Mitsubishi ever intended for those machines but heck.. I’m told it works just fine. Thanks to Todd Bergey for the information.

Juliet Kemp

If you get capital letters inserted when using the cursor keys in vi on solaris, here is how to fix it by editing your .exrc.

(cheers Bob!)

Caitlyn Martin

While I stand by my glowing review of Xubuntu 6.10 (Edgy Eft), I have yet to find any release of any Linux distribution which was free of bugs or quirky behavior. The latest releases of the Ubuntu family of distributions are no different.

One of the nice things about Xfce4 is that it is very easy to customize and reconfigure any way you like. However, if you go into Settings -> User Interface Preferences to change around your desktop theme be careful about then also changing your icon theme. Some work, some don’t. Changing the theme to either default or Grounation crashes Xfce. It won’t start again, either. The fix is to restore your .config directory from backup. If you don’t have a backup you can copy it from another user directory or even /root and then

sudo chown -R <user>:<group> .config

If you copy from another user Xfce will start normally but your menu will not work since it still points to another user’s .config. Simply delete the menu from the panel and add it again to restore the menu. You will, of course, have the settings that the other user chose, not your own. Still, copying the whole .config is easier than figuring out which file really is broken, at least for me, and then probably hand editing xml. I probably will poke around further, though.

I haven’t been able to reproduce this bug in Vector Linux 5.8 either, but that distro uses Xfce 4.3.99 rc2 while Xubuntu still uses rc1.

Oh, and yes, I’ve been a responsible user and reported this bug (see bug #77445).

Carla Schroder

LiveCDs are the coolest things since microbrews. (Funny how certain “innovative” proprietary software companies never manage to come up with neat stuff like this.) The latest entry in my Cool LiveCDs List is BeleniX, which is OpenSolaris + KDE and XFCE. Solaris can be a bit of a booger to install. BeleniX lets you try it out without installing it to a hard drive, and it also comes with a nice utility for a hard drive installation. Solaris has a lot of advanced stuff you don’t find anywhere else, like DTrace and the ZFS filesystem.

This here article which I wrote my own self, and now shamelessly tout, has some good links for getting up and running:
Tip of the Trade: BeleniX

Caitlyn Martin

Last month a new update of SIAG Office, version 3.6.1 was released. It’s a minor update, mainly bugfixes. Still, it was an update I was very glad to see since it had been nearly a year since the previous release.

Why is this release important? In addition to fixing a few bugs and unbundling antiword it showed that SIAG is still being maintained and developed. OK, so you’re probably asking why SIAG is important at all. It’s feature poor when compared to OpenOffice or even AbiWord and Gnumeric.

Where SIAG scores over its more capable competition is in size and speed. The SIAG spreadsheet is included in a number of lightweight Linux distributions including Damn Small Linux. Granted the support for Microsoft Excel spreadsheets is limited but for stand alone use it has a very decent feature set that includes the functions that are most used in popular spreadsheet software. The suite’s word processor, PW, short for Pathetic Writer, is anything but pathetic. It certainly has a nice interface and is at least as capable as other lightweight word processors like Ted and FLWriter. I haven’t used Egon Animator so I really can’t comment on that piece.

Lightweight apps aren’t just for the sort of Atticware (old systems) I’ve written about from time to time. Keeping things small is also critical for embedded devices. It’s important for systems using compact flash cards and other RAM devices in lieu of hard drives where it’s highly desirable to cache the OS and as much of the applications as possible in traditional RAM to reduce read-write I/O and extend the lifespan of the storage device. One company I consulted for wanted truly silent point of sale systems with no moving parts. They wanted the OS, lightweight apps including a word processor and spreadsheet, and store data all on a single CF card. At the time in 2005 the spec called for 512MB cards. SIAG Office is perfect for their application. Something huge like OpenOffice simply wouldn’t do.

SIAG Office clearly has a place. It fits a growing and increasingly important niche in the Linux world. Seeing it continue to improve is important. By unbundling antiword version 3.6.1 offers those deploying SIAG Office the possibility of an even smaller footprint. Thanks to Ulric Eriksson and anyone else involved in the development of SIAG Office for your ongoing work. It is appreciated.

Carla Schroder

As hard drive capacities outstripped CDs and DVDs, hard-drive based backups became necessary. (I know y’all tape backup fans are still out there. You may have your cumbersome, slow, unwieldy, mechanically clunky tape backups with their even slower, more cumbersome restores. Kthxbye). For my clients I am very diligent and make sure they are well-protected. But for me- well, you know how it goes.


Adobe released a prerelease version of the Flash 9 Player, supposedly for “Linux”. I run Linux, but it doesn’t work for me. Hm.

Carla Schroder

Udev, the new dynamic device manager system for Linux, is solid under the hood but lacking a bit in user amenities. If you’re rassling with udev to get your scanner working for non-privileged users, or need to nail down USB device names such as wireless network cards and storage devices, check out this fine two-part series I wrote my own self.

Manage Linux Hardware with udev
Manage Linux Hardware with udev (Part 2)

Carla Schroder

IPv6 still seems like one of those “oh, maybe someday” things to do. But I think the sooner it gets rolled out the better. There are more advantages than just having a bigger address pool. So I shamelessly promote my own three-part series on why bother, how to read and understand IPv6 addresses, and finally how to use it IRL (in real life.)

Under the Hood with IPv6

Understand IPv6 Addresses

Getting Around IPv6

Carla Schroder

Building your own wireless access point, or router, or firewall using Linux and a single-board computer is fun, with the usual bonus of having complete control over your stuff. There are kazillions of tiny Linuxes- which one should you try?

Juliet Kemp

A few weeks back I found that, for some reason, one of my machines wasn’t allowing X forwarding over SSH (which is normally run as standard within my local environment, since I have lots of users who at least occasionally run graphical stuff on multiple machines).

The initial error came up as:

xterm Xt error: Can't open display:
xterm: DISPLAY is not set

The obvious test was to try setting $DISPLAY manually (although this would obviously not have been a good permanent solution). New error:

xterm Xt error: Can't open display: localhost:10.0

Digging around online a bit, I found the suggestion of moving the -nolisten tcp option from /etc/X11/xinit/xserverrc - this may well work, but I was unhappy with it as it didn’t match the setup I had on other machines which were entirely happy with X forwarding.

Eventually, I found the problem: not only do you need X11Forwarding yes in /etc/ssh/sshd_config on the machine you’re sshing into, you also need AllowTcpForwarding yes. (And also ForwardX11 yes, or ForwardX11Trusted yes, depending on your security preferences and access requirements, in /etc/ssh/ssh_config on the machine you’re sshing from, for the record.)

So fairly straightforward in the end, but took me a few min to disentangle, thus recorded here for others’ reference.

Greg Kroah-Hartman gave the closing keynote at this year’s Linux Symposium. The text of this speech is online (Myths, Lies, and Truths about the Linux kernel); I found it very interesting how Greg K-H demolished several myths about the kernel, in particular device support and the idea that binary blobs of drivers are legal. (They aren’t. I just now figured out Linus’ argument about them; it’s very clever.)

Caitlyn Martin

Back in May I wrote an article titled Atticware: Reviving Ancient Little Laptops, which talked about using a current, very small, very lightweight Linux distribution to make a couple of old Mitsubishi Amity CN subnotebook computers useful again. The Amity CN is a 133MHz Pentium system with all of 48MB of RAM and a puny 1.2GB hard drive.

While the article received no comments I have been receiving e-mails now and again from people who actually did read it and who wanted to know exactly how I managed it. I went ahead and wrote it all out as step-by-step instructions. The good news is that very little of what I’ve written is Amity-specific. I think it should mostly all work on any laptop that can’t boot from CD-ROM or USB which has at least a Pentium processor of some sort or another and at least 32MB of RAM. The net result is that I’ve created a brand new webpage detailing how to install Damn Small Linux onto the Amity CN. This may lead to an entire website dedicated to making current Linux distributions work well on older hardware.

I’d love to hear from people who actually try and use my instructions. Did they work for you? Could they be better? If you succeeded, what system were you using? I’d be happy to post revised versions for different hardware giving appropriate credit where credit is due.

I’d be particularly interested if someone gets good results with the older models in the Toshiba Libretto series. The Libretto is so small that even old models still have a geek cool factor when running Linux. I expect what I’ve written will work fine on the Libretto 50CT, 60CT, 70CT, and 100CT. Newer versions can probably run a more capable distribution. I’m afraid the Libretto 20CTA and 30CT are just too old to be really useful any longer. Anyone care to test my theories about the Libretti?

Juliet Kemp

Yesterday I decided to give up wrestling with a recalcitrant Solaris 9 box (specifically, an Enterprise 250), and install Linux on it instead. My first stop was Debian, but unfortunately while the installer started up fine for both stable and testing, in neither case did I get output which included a cursor, so wasn’t able to navigate the screens (the keyboard seemed to work, but I couldn’t reliably tell what it was doing). Thus, onto Ubuntu 6.06. Which worked beautifully, cursor and all, and is now running happily.

Although I did discover New Things about the Sun boot process; viz that it will automatically pick up whatever’s on the first partition and has no MBR. In my case, this was still Solaris 9. I messed around with boot magic & nvalias a bit but couldn’t locate the Linux partition correctly (or couldn’t boot it, one or the other), so in the end decided it was quicker to reinstall over the old Solaris 9 partition as well as the previous free space - keeping it would have been something of a waste of disk space, really, since it’s not working anyway.

A further note, however, about the Ubuntu installer: it will only boot from the CD (on this architecture) if you are booting the machine from cold - i.e. turn it all the way off & all the way back on again, hit Stop+A as soon as the monitor comes up, & type ‘boot cdrom’ at the ok> prompt. If you stop the boot (of whatever) halfway through, get back to the ok> prompt, & type ‘boot cdrom’ from there, it dies with “Illegal instruction”. (details here & other suggestions for fixing this - looks like a fix is on its way).

Sadly no joy with Ubuntu on my SunBlade 100. I’ve tried Debian stable (died with ‘cramfs wrong magic’ error - bug report although apparently fiddling with the memory might work), testing (died with ‘Illegal Instruction’ - lots of bug reports, although there is active work going on on this if you check the debian-sparc mailing list); and now Ubuntu 6.06, but still the “Illegal Instruction” error (& booting from cold doesn’t make a difference). I haven’t yet tried the firmware upgrade suggestion, or tried *much* with netboot, mind; some day when I have some spare time!

Edited to add: After sibre commented below that they’d got Ubuntu booting on their Blade 100, I had another go, in case I hadn’t booted cold enough. First go no joy: got further than previously, but hung at “rtc_init: no PC rtc found”. Second and third tries, got significantly further than that, but install hung during/just after the “Detecting hardware” stage. I may give auroralinux, linked below, a go at some point.

Further edit: Many thanks to Shane (see comment below)! Cold boot + typing install ide=nodma at the SILO prompt got Ubuntu 6.06 successfully installed on the Blade 100. For the record: Debian etch installer beta-3 version gets further than before (again, requires cold boot) but for me hung just after “Detecting network hardware”.

Caitlyn Martin

Since I reviewed Fedora Core 5 back in April I’ve become increasingly frustrated with one aspect of what is otherwise a very well done distribution: package management and keeping my system secure and up to date. I’ve run into repeated instances of yum deciding I needed a lot of new packages and promptly failing over just one. pup, which is really just a pretty but somewhat crippled front end to yum, also fails in the same way. What I’ve discovered is that pup and yum aren’t broken at all. The code is doing precisely what it was designed to do.

Let’s look at today’s failure as an example. I had been on vacation and my system was probably 10 days behind on updates. yum decided I needed to upgrade some 166 packages and add 2 more for dependencies. Fine, go do it. No chance. Here is the error message:

Error: Missing Dependency: libecal-1.2.so.3 is needed by package gnome-panel

That seems clear enough but it really isn’t. gnome-panel wasn’t being upgraded. Rather the package that contained libecal-1.2.so.3 was and doing the upgrade would break gnome-panel. Typing in:

yum whatprovides libecal-1.2.so.3

reveals that it is part of the evolution-data-server package. A new version of that package was rolled out without checking to see if any other package had a dependency on the old version. That is just plain sloppy package and repository management on the part of the Fedora Project people at Red Hat. If this happened just once it would be forgivable but this sort of failure has happened repeatedly over the past two months. To their credit the Fedora Project has, in each case, rolled out a new package for whatever they’ve broken in a day or two. Still, it shouldn’t happen in the first place.

Juliet Kemp

I recently did some rearranging of our network setup, in part with the explicit aim of removing user logon access to several of the servers (both for security and for performance reasons). In general this has worked out fine - we use NFS so that users can still access all the relevant directories. However, the RAID array is used, among other things, for users to back up their laptops to - which means that the server running the RAID array needs to act as an rsync server.

By default these days, rsync runs over ssh. Which is great, but means that just restricting ssh access to the admin (me!) for the RAID array machine isn’t an option; since then rsync too will fail. I wasn’t keen on the idea of running it without ssh; not only a security issue, but also because it seemed that would mean having to keep another set of usernames/passwords, rather than relying on LDAP/Kerberos.

The solution I’ve come up with is slightly clunky but does the trick:

  • ssh is allowed, but only for a subset of users (using the AllowUsers directive in /etc/ssh/sshd_config) - those who’ve told me they need rsync backup access.
  • These users are then added to /etc/passwd, with the shell set as ‘/bin/nologin’ (thus overriding the LDAP data) (this and the next step are the slightly clunky parts!)
  • They’re also added to /etc/shadow, with *K* (meaning ‘use Kerberos’) as the password (maintaining two lots of passwords would be Very Bad).
  • /bin/nologin looks like this:
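    #!/bin/sh
    # Script to disallow remote login - set as shell in /etc/passwd.
    # sshd runs the user's shell as: /bin/nologin -c "<command>",
    # so $1 is "-c" and $2 is the command string sent by the rsync client.
    if expr "$2" : 'rsync ..server .* .raid' > /dev/null
    then
        # Refuse anything containing ';' (an attempt to chain a second command).
        if expr "$2" : '.*;' > /dev/null
        then
            exit 1
        else
            # Looks like an rsync server call into the RAID area: run it.
            /bin/sh "$@"
        fi
    else
        # Interactive logins and any other command end up here.
        echo "***********************************"
        echo "*        No login allowed!        *"
        echo "***********************************"
        exit 1
    fi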

The trick I used for finding the command that’s being sent (which is not the same as the command that you type on the command line) was to first set up /bin/nologin simply as

#!/bin/sh
# Temporary debugging shell: record the arguments sshd passes in.
echo "$@" > /tmp/command
exit

and then examine /tmp/command on the rsync server.

Note that this doesn’t worry about looking terribly hard for shell escapes (although it does look for anyone trying to pass an extra command in using ; - e.g. rsync directory/ "server:/data/directory/;rm -rf /" ). I’m using this in a local-access-only setup with a small number of reasonably trusted users, not on a machine that’s open to the world at large, so I’m prepared to take more compromises than if the circs were different.

Also note that unfortunately rsync doesn’t handle echo statements well - so there is no message to the user if they are misusing rsync (whether deliberately or accidentally). Again, in my case this is fine as the user will just contact me if they’re legitimate and behaving legitimately.
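A stricter form of the command check described in the post above, as an added example that is not the author's script: it uses an allow-list of characters instead of looking only for ';', and confines every path to the backup area. The function name, the /raid root and the assumed argument layout (options, a lone ".", then paths) are assumptions for illustration; the sample commands are constructed.

```shell
#!/bin/sh
# Added example, not the post's script. Validates the command string that
# sshd hands to the login shell as "$2" (the argument after -c).
# Assumptions: backups live under /raid; names here are hypothetical.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below
ALLOWED_ROOT="/raid"

# Returns 0 for an acceptable "rsync --server" invocation, 1 otherwise.
rsync_cmd_allowed() {
    cmd=$1
    # Allow-list of characters. Anything else (; | & $ ` quotes, globs,
    # redirections, tab, newline) is refused before a shell ever sees it.
    case $cmd in
        *[!A-Za-z0-9' '._/,=+@:-]*) return 1 ;;
    esac
    # Must be rsync in server mode; an empty string (interactive login) fails.
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Assumed layout: rsync --server [options] . PATH...
    # Every PATH after the lone "." must sit under ALLOWED_ROOT, with no "..".
    seen_dot=0
    npaths=0
    for arg in $cmd; do   # word-splitting is safe: no quotes or globs remain
        if [ "$seen_dot" -eq 0 ]; then
            if [ "$arg" = "." ]; then seen_dot=1; fi
            continue
        fi
        case $arg in
            */../* | */..) return 1 ;;
            "$ALLOWED_ROOT"/*) npaths=$((npaths + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$npaths" -ge 1 ]
}

# Constructed sample commands, printed with the verdict for each.
demo() {
    for sample in \
        "rsync --server -vlogDtpr . /raid/alice/laptop/" \
        "rsync --server -vlogDtpr . /raid/alice/;rm -rf /" \
        "rsync --server -vlogDtpr . /raid/../etc/" \
        "rsync --server -vlogDtpr . /home/alice/"
    do
        if rsync_cmd_allowed "$sample"; then v=allow; else v=deny; fi
        printf '%-5s %s\n' "$v" "$sample"
    done
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

In a wrapper shell like the one above, the call would be rsync_cmd_allowed "$2", made before the command is handed to /bin/sh.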

Juliet Kemp

Anyone who administers boxes which are always-online is familiar with the experience of finding their logs clogged with script-kiddie attempts to brute-force passwords. Despite being pretty unsophisticated, and unlikely to prove a serious security problem (provided you’re enforcing a reasonable password policy), they’re still a nuisance. This article discusses a very good way of limiting connections via iptables, using the ‘recent’ module, so that clients who try to connect too many times in a short space of time are denied access.

I’ve been using this for somewhere between 6 and 12 months, and been very happy with it. However, after a recent upgrade, ssh started to act up on certain machines - all connections, even from machines on the local subnet, were refused. Experimentation revealed that this was due to the iptables ‘recent’ rules.

There’s a discussion of exactly what happens here, and it’s also been reported as a Debian bug (however, I can confirm that it also affects at least RHEL4 on its current kernel). Looking at the files in /proc/net/ipt_recent (which is where the module keeps track of the relevant data), this is exactly what I was experiencing.

It’s been fixed in 2.6.12 and upwards; unfortunately, the current Debian stable kernel is 2.6.8 (the current RHEL4 is 2.6.9). Solutions: either remove the ‘recent’ rule for the moment and live with the script-kiddies (as mentioned above, you should be enforcing decent password policies…); or use apt-get pinning (on Debian) to upgrade your kernel; or be prepared to reboot every 25 days…

Carla Schroder

My Kubuntu system is working out great as a digital photo editing workstation. Originally it had a 80gig SATA drive, but I decided to get a bigger drive and swap the old one into my main workstation-for-paying-work. Well now, Linux support for SATA is fine n dandy, you don’t have to install drivers like you do for poor antique Windowses. But in the computing world rule #1 is “there are always glitches.” My workstation-for-paying-work wouldn’t recognize the 80-gig SATA drive. It took awhile to get there, but the answer turned out to be a simple one…

Carla Schroder

So there you are, dutifully wading through the documentation for whatever gnarly Linux application you’re rassling into submission. You’re running commands and editing configuration files and things are working and life is good. Until — yes, you knew the good times weren’t going to last — until you hit the dreaded “send the process a SIGHUP” instruction.
Killing With Linux: A Primer

Carla Schroder

Learn how to build an Asterisk@Home test lab. This series is also a good howto for setting up a small production Asterisk iPBX on the cheap. This three-part series is aimed at both telephony and Linux noobs. If you understand computer networking basics, this is just the Asterisk howto you need to get up and running. Not only for a test lab, but also a small production system. The series covers installation, what hardware to use, how to set up local extensions and automatic call routing, how to connect to the outside world, and how to replace the Asterisk@Home logo with your own custom logo.

VoIPowering your Office with Asterisk - Building a Test Lab, Part 1
VoIPowering your Office with Asterisk-Building a Test Lab, Part 2
VoIPowering your Office with Asterisk-Building a Test Lab, Part 3

Juliet Kemp

Browsing through other blogs on here recently, I came across a piece explaining how to set Firefox to use vi key bindings. Which sounded great; unfortunately, the method as advertised no longer works (Firefox 1.5.0.1).

A bit more digging revealed a more up-to-date version. More complicated, as well - you have to unzip [firefox_dir]/chrome/toolkit.jar, edit the platformHTMLBindings.xml file to include the lines

<handler event="keypress" key="h" command="cmd_scrollLeft"/>
<handler event="keypress" key="j" command="cmd_scrollLineDown"/>
<handler event="keypress" key="k" command="cmd_scrollLineUp"/>
<handler event="keypress" key="l" command="cmd_scrollRight"/>
<handler event="keypress" key="u" command="cmd_scrollPageUp"/>

and then zip it back up again (keeping the old version for reference is probably wise).

Restarting Firefox and still no joy - any typing still went straight to the ‘find ahead’ toolbar. Final step, then: open about:config (type ‘about:config’ in the address bar) and set accessibility:typeaheadfind to false. This does mean you have to type / to start searching but personally my fingers do that automatically anyway so it’s not much of a disincentive; and scrolling without needing to move to either arrow keypad or mouse is a definite plus. Now I just need to retrain my hands to do so!
