Technical Archives

Carla Schroder

There are some “interesting” issues being raised due to an incompatibility between e2fsprogs and GRUB legacy that results in non-booting systems. Newer versions of e2fsprogs default to creating new Ext3 filesystems with 256-byte sized inodes, instead of the old default of 128. GRUB legacy has absolutely no clue what to do with 256-byte inodes, so it barfs up the “Error 2: unknown file or directory type” message and sits back down. GRUB legacy will not be patched to support 256-byte inodes. Yay! But this is a transitional problem; read all about it here:

GRUB vs. the Inodes: Who Needs a Bootable System, Anyway?

Juliet Kemp

This week’s discovery: a bug with IE7’s CSS handling (I’m sure you’re all very surprised), and the workaround.

The bug: I have rollover submenus, set up with CSS. In Firefox and Safari they behave as expected: the submenu pops up on rollover, and then you can navigate the mouse to the submenu item you want and click on it. In IE7, when you try to navigate to the submenu items, as soon as your pointer moves off the rollover-trigger item, the submenu vanishes. Most irritating.

The eventual solution was to give the submenu a background image (also in CSS). This background image doesn’t need to actually exist (mine doesn’t, to save creating a transparent one) - just the call to it seems to be sufficient to counter the bug. I confess to having no idea whatsoever why this works, but work it does. In fact you probably do want the background image file to exist (to avoid errors in your logs), but just touching it will be fine.

(I would like to extend intense gratitude to whoever it was who put me onto this; unfortunately I went through so many different sites over the hour or so I spent struggling with this that I don’t know who or where it was that I found the idea. I’m still very grateful to them, though.)

Juliet Kemp

Radio silence here of late as I have been moving old website to new website; a process which is time-consuming and gives rise to a very long to-do list, but which isn’t remotely interesting to anyone else. Although I have discovered that IE7 handles CSS boxes, percentages, and padding differently from Firefox/Safari/Opera. (This irritates but does not surprise me.)

I’ve also been dealing with some user queries about compiling Fortran. Can anyone recommend a good online beginner’s tutorial on the general subject of makefiles, or on the specific subject of makefiles for Fortran? Or a decent Fortran book?

Carla Schroder

Instant Messaging for Introverts
This is an excellent article about the intrusiveness of modern “always on” communications tools, especially instant messaging. The author framed it as an introvert vs. extrovert problem, which I’m not sure is a correct assessment; to me it’s manners vs. rudeness. Some folks think because they have instant messaging it’s OK to be constantly interrupted, or to constantly interrupt other people for every trivial thing. Well, no, it’s not OK.

Juliet Kemp

I have a server (LDAP and NFS) which occasionally seems to take a while to react. Load average is consistently high (10-12 for 4 CPUs, which AIUI means 2.5-3 per CPU); response may also be being affected by disk I/O.

I’d like to find out which processes in particular are causing the heavy load, and possibly also to track disk I/O activity over say a 24 hr period. Unfortunately, this has exposed a shocking lack in my knowledge, viz: I have no idea how to do this, what tools are out there, etc etc. (Obviously I am fortunate never to have encountered performance issues before; all my machines have previously either Worked or Not Worked.) Any suggestions?

(The other possibility is a network load issue, but as I’m not responsible for the network, tracking that might be tougher.)

Another, unconnected query: I have been asked to source quiet/silent keyboards for a couple of my colleagues who are noisy typers. Any recommendations? I’ve looked at the Saitek Eclipse but it sounds like it’s not very tough. Bonus virtual biscuit for recommendations which are actually available to buy in the UK (the IBM Quiet Touch appears not to be, for example). Real biscuit available to anyone able to implement a biscuit-over-IP protocol; failing that I shall just eat them all myself.

Juliet Kemp

If you’re interested in SSL & Apache (a how-to).

Also on the web front: the other week I was talking about CSS & child elements, and someone suggested using the :empty selector. This isn’t in the CSS 2.1 spec, but is in the CSS 3 selector draft, and it appears that Firefox 2+ at least supports it. Which is nice.

Unfortunately, it doesn’t work for what I want it for because what I want is to identify list items that have children; but the list items without children aren’t empty, because they have content (the list item text). I think in theory this counts as a “child”, but it’s not what I mean by having a child. Anyway: the theory is sound, but in practice doesn’t solve my problem. Oh well.

Caitlyn Martin

I’ve been running Vector Linux 5.9 Standard since it was released about six weeks ago. I’ve mostly been satisfied with it. I ran into a problem, though, when I first tried to install the Culmus fonts, a popular font set for the Hebrew character set. The fonts installed correctly and were where they were supposed to be but none of my applications could see them. It turns out the same was true of Courier, Helvetica, Bitstream Charter, and a host of other fonts traditionally included with X.org and XFree86. All were installed on my system but none were available.

The problem originated upstream from Vector Linux. I still don’t know whether or not this is a Slackware issue or an X.org issue in release 7.3. I do know that some other popular distros don’t have the problem. However, since it’s easy to fix and undoubtedly affects other distros, not just Vector Linux, I thought I’d share what the source of the problem is and how to solve it.

Carla Schroder

Sometimes you get bitten by the goofiest things in computing. I bought a nice new 320 GB Samsung SATA hard drive. I like Samsung drives. They’re quiet and reliable, and good performers. I like nice little skinny SATA cables.

So I crack open the box (Antec Sonata, minus the silly CPU exhaust tube that made the interior case temperature warmer and took up all kinds of room, but otherwise a splendid case) and in less time than it takes to say “Voila! That was so easy I should blog about it!” the new drive was ready to use.

But. It didn’t work.

Juliet Kemp

Very useful article on using gnuplot to plot log data information. I used it yesterday to look at the data on LDAP response rates that I’ve been collecting for a few weeks, and the suggested script (with appropriate minor changes) worked great. On the last line, points may be better than lines, depending on what you’re graphing.

It transpires that the occasional blip in LDAP response rates here isn’t particularly time-dependent (although there are a couple of minor peaks at the two times when I know most people are around and doing stuff), so I need to consider the matter further.

Juliet Kemp

Having just moved my mouse to the left of the keyboard in order to put my notebook on the right*, I am now hyper-aware of how much I use the mouse and that this is less comfortable than using the keyboard. So, a few questions, if anyone can help:

  1. I love my MacBook keyboard/trackpad - use the mouse without having to move your hand! Adesso make a contoured keyboard with trackpad but I’m not sure if this will play nicely with Linux. Any experiences, or other recommendations?
  2. I’m trying to increase the amount that I use keyboard shortcuts. The two GUI programs I use most often are Firefox and Thunderbird (actually these are pretty much the only GUI programs I use; everything else is terminal-based and I have a Gnome shortcut to launch a terminal window). I have the “frequently used shortcuts” tip pages for both of these; any other good resources?
  3. In particular, I can’t find any way of searching my bookmarks, or in particular accessing the quick bookmark bar, in Firefox from the keyboard. I’ve tried the Vim Firefox extension before but it didn’t work well for me. Any suggestions here?
Other ergonomic-type thoughts welcome. I do have correct desk/monitor/keyboard height etc setup already, based on recommendations from my osteopath; I use Workrave to prompt break-taking; and I try to remember not to slouch…

* It was pointed out to me that constantly reaching across the keyboard to make notes was a bit daft. I have been sat at this desk for nearly 3 years and this has never previously occurred to me.

Carla Schroder

One thing that did not make it into the Linux Networking Cookbook was a chapter on setting up VLANs (Virtual LANs). VLANs are logical subnetting, rather than being constrained by your physical Ethernet switches. Now that “smart” switches have gotten so inexpensive, VLANs are nice options even for small networks. For one example, you can run multiple subnets off a single switch. Parts 1 and 2 of my three-part series are here:

Do More With Less: Build a Linux VLAN
Do More With Less: Port-Based VLANs

Windows and Mac clients can also be members of your VLANs; part 3 will address tagged VLANs, routing and Linux client configuration.

Part 3 runs next week.

Juliet Kemp

Occasionally it is necessary to print out a text file. There are a couple of ways of making this happen in a slightly prettier fashion than simply using lp file.txt.

a2ps is one possibility - it gives you nice borders & prints by default 2 x A5 pages sideways on A4 (landscape). There are a vast array of options. However, none of them give you double-spacing, which if you’re printing in order to edit, is a nuisance.

pr, on the other hand, doesn’t do the pretty thing, but does do double-spacing. And you can pipe its output elsewhere.

So we get:

pr -d -t file.txt | a2ps
which will send output to your default printer. (Use the -o switch to a2ps to get a postscript file instead if you want to check layout first.) The -d switch does double-spacing, the -t switch suppresses the filename and page header, which you don’t want because a2ps will provide them.

Obviously if you want real proper nice printing then I commend to you the splendid LaTeX, but if you need plain text then putting in then stripping out all that markup is a PITA.

Juliet Kemp

I have cron-apt set up on all my machines — you can get it to install any updates automatically but that sounds like Bad News to me, so instead it’s set to download and email me. I had a script that took names-of-machines-to-upgrade as arguments and did the rest for me, but that involved typing up to 50 machine names. And I am lazy.

So I finally got around to writing a script that parses a local mailbox, grabs the machine names from the subject lines, and does the rest from there. My involvement now is:

  1. Get Thunderbird to show me only the cron-apt emails (via tag filter — tags are automatically applied).
  2. Quick check of the emails to make sure nothing outrageous is going to happen.
  3. Select all, hit Ctrl-6 to move them to the special mailbox (TB QuickMove Extension allows you to allocate up to 10 mailboxes to key combinations).
  4. Find terminal window, run script.

Note that in an ideal world I’d be using Net::SSH::Perl to check for the root ssh key, but I was having problems with CPAN when I wrote this.

#!/usr/bin/perl -w

use strict;

my $homedir = "/home/user";
my $file    = "$homedir/mail/aptget";    # mailbox the cron-apt mails get moved to
my $sshkey  = "$homedir/.ssh/key";
my $cmd     = "apt-get -y upgrade";
my @hosts;

sub runcommand();

open FILE, "+<$file" or die "Cannot open $file: $!\n";

# Subject line looks like:
# Subject: CRON-APT completed on machinename [/etc/cron-apt/config]
# Anchoring on "Subject:" keeps body lines that merely mention CRON-APT
# from being mistaken for headers.
while (<FILE>) {
    next unless /^Subject: CRON-APT completed/;
    my @line = split;
    my $hostname = $line[4];    # field 4 (0-based) is the machine name
    push @hosts, $hostname unless grep { $_ eq $hostname } @hosts;
}

# Check if sshkey is in ssh-agent's list & add it (temporarily) if not.
# \Q...\E makes any regex metacharacters in the path match literally.
if (`ssh-add -l` =~ /\Q$sshkey\E/) {
    runcommand();
}
else {
    system("ssh-add $sshkey") == 0 or die "ssh-add $sshkey failed\n";
    runcommand();
    system("ssh-add -d $sshkey");
}

# Empty the mailbox so the same hosts are not upgraded again on the next run.
# (print FILE "" writes nothing; truncate actually discards the contents.)
seek FILE, 0, 0;
truncate FILE, 0;
close FILE;


sub runcommand() {
    foreach my $host (@hosts) {
        print "Host is: $host\n";
        system("ssh root\@$host -i $sshkey $cmd");
    }
}

Juliet Kemp

We have an NFS system which involves part of the local disks of all desktops being exported via NFS. Mostly this is consistently accessed via /disk/machinename, but some desktops have more than one local directory that’s exported. I finally got around recently to rewriting the (very old and no longer functional) script to query the LDAP database and get this info for a given machine name:

#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

die "Usage: showdisks machinename\n"
        unless (@ARGV == 1);

# Get & set values
my ($search) = @ARGV;
my $server   = "ldaps://ldap.example.com";
my $cert     = "/etc/ldap/servercert.pem";
my $base     = "dc=example,dc=com";

# verify => 'optional' only checks a certificate the server offers;
# 'require' would refuse to talk to a server whose certificate fails to verify.
my $ldap = Net::LDAPS->new( $server,
                             verify => 'optional',
                             cafile => $cert ) or die $@;
my $mesg = $ldap->bind;    # anonymous bind
$mesg->code && die $mesg->error;

# Escape the user-supplied name so that characters such as * ( ) \ cannot
# change the meaning of the filter (LDAP filter injection).
my $filter = "(nisMapEntry=*" . escape_filter_value($search) . "*)";

$mesg = $ldap->search(  base   => $base,
                        filter => $filter,
                        attrs  => ['cn', 'nisMapEntry', 'nisMapName'],
                     );

$mesg->code && die $mesg->error;

my @entries = $mesg->sorted('nisMapEntry');

foreach my $entry ( @entries ) {
    my $location  = $entry->get_value( 'nisMapEntry' );
    my $automount = $entry->get_value( 'nisMapName' );
    my $dir       = $entry->get_value( 'cn' );

    # The if is because otherwise you get warnings from the first couple of lines
    # of the LDAP return.
    if ($dir) {
        # nisMapName is of the form auto_<path>, e.g. auto_disk for /disk;
        # the limit of 2 keeps any underscores in the path itself intact.
        my ($auto, $path) = split /_/, $automount, 2;
        print "$location : /$path/$dir \n";
    }
}

$mesg = $ldap->unbind;

Hope it’s useful to someone! If your LDAP automount info wasn’t exported from NIS you may have different names for those attributes.

Tim O

From Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes:

“Most of the industry’s worst security problems (like the famously bad LANMAN hash) happened because smart developers approached security code the same way they did the rest of their code. The difference between security code and application code is, when application code fails, you find out right away. When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia.”

This post was written in response to an alarmist post that had been highly reddit’d (aren’t all highly reddit’d posts alarmist?). Besides being an effective smackdown, this post is also a good survey of approaches to password hashing. There is a good pointer to SRP.

Juliet Kemp

We automatically pay for next-business-day onsite support for all our machines. I have had cause recently to access this twice, with two different companies.

Company 1 (machine has what I suspect is a dodgy fan): will only send out an engineer after they have got you to run diagnostic tests of various sorts. Then they will know what to send the engineer along with. I kind of see where they’re coming from, but tbh what I really want is for me to make the phone call*, and for an engineer to appear the next day with a boot full of Relevant Hardware, diagnose, and fix.

Company 2 (machine losing time, motherboard being replaced): phone not working, send email. Response to email pretty fast, we agree that the losing of time in itself isn’t disastrous but may signify something more serious, so they’ll replace the chassis. Radio silence for the next 2 days (apparently someone phoned on my day out of the office, but since I warned them that I would be out of the office, they should really have emailed). It transpires that in this instance, NBD means “we will ship the replacement parts & then send an engineer the NBD after they arrive”. So that’s minimum 2 BDs. Again, my expectation is that the engineer should bring the parts with them. (And the lack of information on this annoys me rather more.)

My assumption is that this is to do with centralised this-and-that: that engineers are based in Place A and parts in Place B (where Place B may in fact be out of the country, or even the continent in extreme cases). But it doesn’t actually meet what I want from NBD, though I expect it meets the contract. Am I expecting too much?

(I feel I should note that once I actually get an engineer onsite, they are invariably extremely competent, fast, and hardworking. My complaint is not with any of them!)

* Ideally, for me to send an email, but I will settle for phone.

Juliet Kemp

Things to look for if kerberos-enabled SSH isn’t working:

  • Check /etc/ssh/sshd_config for lines that look like this:
    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GssapiKeyExchange yes
    
  • Check that libsasl2-gssapi-mit is installed (for Debian; insert appropriate package for your system).
  • Check that you’ve extracted the host/client.example.com key to /etc/krb5.keytab on the client you’re trying to log in to (that client.example.com is the FQDN for the client you’re trying to log in to). This is the one that I most often get caught by. The command is klist -k /etc/krb5.keytab (as root).
  • Check that /etc/krb5.keytab is only readable by root.
  • Restart sshd to make sure that any changes you’ve made on the above lines are actually operational.
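The checklist above as a script that runs the checks, added here as an example and not part of the original post. It assumes the directive list and the paths given in the checklist, a GNU or BSD stat, and that klist is the MIT one; the klist step needs root, as noted above.

```shell
#!/bin/sh
# Audit a client for the Kerberos/GSSAPI SSH settings in the checklist.
# Example code written for this page; paths default to the checklist's.

# Directives that the checklist expects to be set to "yes" in sshd_config.
REQUIRED_DIRECTIVES="KerberosAuthentication KerberosOrLocalPasswd KerberosTicketCleanup GSSAPIAuthentication GSSAPICleanupCredentials GssapiKeyExchange"

# check_sshd_config FILE: print every required directive that is not present as
# an uncommented "<Directive> yes" line in FILE. Returns 0 only if all are set.
# sshd_config keywords are case-insensitive, hence grep -i.
check_sshd_config() {
    cfg="$1"
    missing=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    for d in $REQUIRED_DIRECTIVES; do
        if ! grep -Eiq "^[[:space:]]*$d[[:space:]]+yes[[:space:]]*$" "$cfg"; then
            echo "missing or not 'yes': $d"
            missing=1
        fi
    done
    return $missing
}

# file_mode FILE: octal permission bits, with GNU (stat -c) or BSD (stat -f) stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keytab_perms FILE: the keytab holds the host's long-term key, so it
# must exist and be readable only by its owner (mode 600, or 400).
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "no keytab at $kt"; return 1; }
    mode=$(file_mode "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode, expected 600"; return 1 ;;
    esac
}

# check_host_principal KEYTAB: look for host/<fqdn>@REALM in the keytab with
# klist -k, the check the checklist says is most often the culprit.
check_host_principal() {
    kt="$1"
    fqdn=$(hostname -f 2>/dev/null)
    if klist -k "$kt" 2>/dev/null | grep -q "host/$fqdn@"; then
        echo "host/$fqdn key present in $kt"
    else
        echo "no host/$fqdn key in $kt (extract it, then restart sshd)"
        return 1
    fi
}

# audit_host: run all checks against the live paths from the checklist.
# Override with SSHD_CONFIG=... and KEYTAB=... in the environment.
audit_host() {
    rc=0
    check_sshd_config "${SSHD_CONFIG:-/etc/ssh/sshd_config}" || rc=1
    check_keytab_perms "${KEYTAB:-/etc/krb5.keytab}" || rc=1
    if command -v klist >/dev/null 2>&1; then
        check_host_principal "${KEYTAB:-/etc/krb5.keytab}" || rc=1
    else
        echo "klist not found: is the Kerberos client package installed?"
        rc=1
    fi
    return $rc
}

# Run the live audit only when asked: sudo sh krb-ssh-check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

A non-zero exit from audit_host means at least one item on the list still needs fixing; restart sshd afterwards, as the last step says.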

This week’s (unconnected) observation: it’s still possible to get caddies for IDE drives, for very little money. This comes in handy when an elderly motherboard expires, at an unfortunate stage of the backup cycle, and the disk is still good (and has several days of non-backed-up data: see above re backup cycle). £10 = one happy user.

Happy Thanksgiving to US readers! Enjoy the holiday. I am, as I type this, listening to Alice’s Restaurant in honour of it.

Juliet Kemp

My webserver has been playing up of late - tending to hang. top showed some blosxom.cgi processes that had been running for some time and were using up large chunks of CPU (up to 100% occasionally). Killing these didn’t resolve the problem permanently, so I looked further.

Apparently there was (at least at some point) a problem with the Calendar plugin. I edited in this fix which resolved things. (It also showed up in the logs, so it does seem that that was the issue.)

In fact, when I contacted the blosxom-using user, it transpired that he was in fact no longer a blosxom-using user (it was a leftover from an earlier experiment), so we deleted the lot. It would appear that the hammering the webserver was taking was from some Russian machine - possibly looking for an exploit?

Juliet Kemp

It is possible to use ssh-add -l to list the ssh keys which ssh-agent is currently handling. (I love ssh-agent.) Is there an easier way of doing this from the command line or within bash than just getting the output of `ssh-add -l` (and then searching it for a particular key)?

Investigating this has led me to discover the perl module Net::SSH::Perl::Agent (there’s also Net::SSH::Perl::Auth), so possibly I should rewrite the relevant scripts in perl instead. I haven’t been able to play with that yet as the CPAN mirror I use seems to be on a go-slow.

Juliet Kemp

Recently the people running our centralised email server decided to increase its security. Among other things, this meant that if the From: header of an email didn’t match a registered user, it would be bounced back. I have a couple of pieces of software (RT and Hobbit, notably), that run as a particular userid and send mail as that ID, so since those weren’t “real” users, the mails started bouncing.

I have found two ways of dealing with this, using exim4:

  1. More complicated. Use sendmail -f realuser@example.com as the mail command within the program (this works for RT but not for Hobbit). The -f flag rewrites the envelope-from — you will also need to put the line
    dc_untrusted_set_sender='true'
    in /etc/exim4/update-exim4.conf.conf, run update-exim4.conf, and restart exim. This allows any user to rewrite the envelope-from. This does have security implications if you mistrust your users (in this particular instance, these are servers without user access so I’m not too worried).
  2. Rather easier. Edit /etc/email-addresses to include a line:
    problemuid: realuser@example.com
    You don’t need the dc_untrusted_set_sender line. You probably don’t even need to restart exim. (I did because I’m like that.)

I worked out the more complicated one first, obviously. Oh well.

Juliet Kemp

At intervals I get complaints that one of the printers isn’t responding from a given machine. On investigation via the CUPS frontend the error is: /usr/lib/cups/backend/lpd failed. Restarting the printer from there works, but it is slightly irritating.

This has happened several times in the last couple of days on one particular (aging) machine, which prompted me to seek a better solution. I found this entry which explains at the bottom how to change the CUPS setup appropriately. Edit /etc/cups/printers.conf and change the ErrorPolicy for each printer from stop-printer to retry-job. So far this seems to be working fine and I shall be rolling it out across the network.

chromatic

In How Far Behind is Linux?, WSJ writer Lee Gomes sets up a beautiful strawman about the security of GNU/Linux versus Windows and knocks it down with its own answer. (The emphasis is mine).

chromatic

Almost every productive person I know wishes that he or she had more time. Most of us wonder where our time really goes; often it’s noon by the time I finish reading my feeds and following up on interesting URLs. (Fortunately, I’m not a morning person, so I wouldn’t accomplish much before noon anyway.)

I’ve often wished for a short X.org program that would run in the background and monitor which window had active focus. If I tracked that for a few hours or days, I’d be able to perform some interesting statistical analysis to see where I actually spend my time.

Writing a prototype took about ten minutes, thanks to Dennis Paulsen’s X11::GUITest Perl module (see Test-Driving X11 GUIs by George Nistorica for more):

Carla Schroder

After trying out a number of Linux photo-management applications, I have settled on Digikam. It has some great tools for managing vast photo archives, wonderful RAW support, and an array of good photo-editing-and-fixing features. Two introductory articles are on Linux Planet:
Digital Photo Management In Linux, Part 1
Digital Photo Management In Linux, Part 2

Not mentioned in the articles are Digikam’s Plugins, which extend its usefulness considerably. Such as Noise Reduction, Refocus for rescuing blurry pictures, BlowUp for good-quality enlargements, white balance adjustment, and many more.

Over on LXer.com you might find some useful information on photography fundamentals, such as lens types and quality, and understanding how to use aperture to make your photos say what you want them to:
Adventures in Digital Photography With Linux, part 4: Fundamentals

Juliet Kemp

We have k3b installed locally for users to burn CDs/DVDs/etc. This only gets used very infrequently, and it seems that something else has broken every time it does get used.

This time it was a “Cannot find writer” error. I checked for the presence of cdrecord and dvd-rw-tools; all fine. Eventually it turned out to be a permissions error - that /dev/cdrom was set to be only user- and group-writable; and the user was not in the relevant group. Added them, log in & out, all well.

This is curious, because I am 100% confident that I haven’t changed anything on either /dev/cdrom (or the relevant group membership). Which implies that it has been changed with an update at some point. I’m not sure I see the point of this. Is being able to write to /dev/cdrom really such a security risk?

The longer-term solution is (assuming this doesn’t break anything; I haven’t checked yet) to set the cdrom group to come from LDAP and automatically put all users in it, to avoid having to do this for multiple machines.

I am working on finding a way to enable developers working in a wide variety of languages to directly access computationally-intensive libraries written in C++, C, and Fortran. The libraries will have been multithreaded using Threading Building Blocks (TBB), the open source project for which I’m “community manager.” TBB is a C++ template library (like STL). I don’t expect to have much of a problem calling C and Fortran libraries from C++/TBB code. But, what’s the best path to enable someone writing in Perl or Python or Ruby or — whatever — to call these multithreaded libraries?

This search has led me to reinvestigate some techniques I’ve looked at in the past — for example, Perl’s XS — but the idea of having to create an interface for each individual calling language is unappealing. I looked at, and did some experimenting with, SWIG (Simplified Wrapper and Interface Generator). But before I got very far, Parrot was suggested to me by some people on the #tbb IRC channel (on FreeNode.net).

During my initial investigation of Parrot, I wrote a blog about my research. Parrot looked promising to me:

Hence, if we can wrap C++ libraries threaded using TBB, then the Parrot NCI should make it possible for all the languages that have Parrot support to call those libraries. Then, high level scripting languages such as Ruby, Python, and Perl will have convenient access to computationally-intensive libraries that have been threaded for optimal performance on multicore processors.

This post elicited an interesting response on another site: “Will Parrot Ever Truly Deliver?” The author acknowledges that “Parrot does sound like an interesting piece of technology”, but wonders “will it ever be a platform suitable for serious, production usage?” The author’s concerns include the length of time Parrot has been in existence (quite a long time), the instability of the code base (lots of significant changes), and the incompleteness of the support from other languages.

Does multicore change the Parrot equation?

Sometimes a technology is invented, and the time simply isn’t right, the need at the moment for solutions that apply that technology is nearly non-existent, though many people readily admit it’s a “wonderful” technology. I wonder if this might apply to a certain extent to Parrot prior to the age of many-core computing?

In a few years, inexpensive PCs will have 8, 16, or more processing cores. Some people doubt that the average home or office user is going to have any use for all these cores. I think that’s like saying “no one will ever need more than 640K of RAM.” Once it’s possible for the average home or office user to apply algorithms and image analysis and video processing and stock market simulators that were previously available only on high-end workstations in data centers, you cannot tell me they won’t want to do this.

It’s going to take programming techniques like Threading Building Blocks, OpenMP, perhaps new languages such as Erlang, or Transactional Memory applied in Haskell, to multithread these computationally-intensive libraries. I doubt that applying conventional low-level threads is going to be an efficient way to accomplish this in terms of programming time (I’ve worked at this level for a long time).

But on the other side: no one is going to want to convert the mass of existing software platforms/applications that could potentially apply these computation libraries, into C++ or C. A convenient means to enable a broad spectrum of languages to call multithreaded C++, C, and Fortran libraries is going to be needed. Otherwise, again we face enormous software development inefficiency, as a separate interface has to be constructed for each library for each calling language. That’s not a solution that is going to fly, in my opinion.

It seems to me that Parrot is an excellent candidate for addressing this problem. If this is the case, the Parrot team may soon find itself lent increasing support from independent developers, and possibly from companies who recognize the need for this capability with respect to their own applications.

I don’t think this need was really there when PC performance could be improved simply through ever-increasing clock speeds. Single-threaded software that did a few simple calculations was fine then. Multicore, however, changes everything. As highly-scalable multithreaded computation / simulation libraries become available, and people realize they want them, and developers realize they need to be able to call these libraries from every language platform, Parrot’s time may arrive.

Juliet Kemp

First up: check out the O’Reilly “Women in Tech” series - especially my article :)

Lately I have mostly been playing with Puppet, a piece of software for centrally managing host configuration. (I have various roll-your-own solutions for aspects of this, as ever, but this looks like a better way of doing it.)

One very nice thing about Puppet from my point of view is that it will take its node definitions from LDAP. (In Puppet, a node is any individual machine.)

How this works is that instead of having your node definitions in site.pp, you keep them in LDAP as the puppetclass attribute. You can have as many of these attributes per host as you like - for example, my web server has webserver, ftpserver, and server as puppetclass attributes.

site.pp therefore has only import statements, not node definitions, and you put your class definitions in /etc/puppet/manifests/classes (or wherever suits you), and import them in site.pp.

You probably want to start with something along the lines of the setup I have, as described below, with base.pp, desktop.pp, and server.pp classes (the latter two inherit from the first). These correspond to desktop and server as puppetclass attributes (the inheritance structure means there is no need to specify base). Then add further puppetclasses as required for your site.

The wiki has some information on how to do the LDAP integration; this is how I did it:

  • Install libldap-ruby1.8 on the Puppet server (Debian package).
  • Add the Puppet schema to your LDAP schema directory (/etc/ldap/schema/ for me), add it to your slapd.conf, and restart slapd. The schema seems to be a little hard to get hold of through official channels at present, so I reproduce it here:
    # These OIDs are all fake.  No guarantees there won't be conflicts.
    #
    # $Id$

    attributetype ( 1.1.3.10 NAME 'puppetclass'
        DESC 'Puppet Node Class'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.1.3.9 NAME 'parentnode'
        DESC 'Puppet Parent Node'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    objectclass ( 1.1.1.2 NAME 'puppetClient' SUP top AUXILIARY
        DESC 'Puppet Client objectclass'
        MAY ( puppetclass $ parentnode ))

  • Modify all existing host LDAP entries so they have objectClass: puppetClient, a puppetclass attribute (my initial ones were server and desktop), and a parentnode attribute (I have baseserver and basedesktop).
  • Create baseserver and basedesktop LDAP entries. It is not entirely clear to me whether these really have a purpose, but I gave them the appropriate puppetclass and will investigate further in due course.
  • In /etc/puppet/puppetmasterd.conf, add:
    [ldap]
    ldapnodes = true
    ldapserver = ldapserver.example.com
    ldapbase = dc=example,dc=com
    
  • That’s it!

A note: if you’re changing the puppetmaster config, or any other puppet setup stuff, it can be useful to stop the running puppetmaster process, and restart it interactively with the verbose option: puppetmasterd --verbose. This helps a lot with debugging.
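
To make the two directory steps above concrete (modifying an existing host entry, and creating the parent node entry it points at), here is an added shell example that is not from the original post or from Puppet: it prints the LDIF those steps amount to. The DNs, the ou=puppet branch and the use of device as the parent entry's structural class are assumptions about your directory layout.

```shell
#!/bin/sh
# Added example, not from the original post or from Puppet: print the LDIF
# for (a) turning an existing host entry into a puppetClient with puppetclass
# and parentnode values, and (b) creating the parent node entry (baseserver)
# it points at. The DNs, the ou=puppet branch and 'device' as the parent's
# structural class are assumptions; adjust them to your directory.

# puppet_node_ldif HOST_DN PARENTNODE CLASS [CLASS...]
# 'changetype: modify' record: adds objectClass puppetClient, one
# puppetclass value per CLASS and a single parentnode value.
puppet_node_ldif() {
    dn=$1; parent=$2; shift 2
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: objectClass\nobjectClass: puppetClient\n'
    printf '%s\n' -
    printf 'add: puppetclass\n'
    for c in "$@"; do printf 'puppetclass: %s\n' "$c"; done
    printf '%s\n' -
    printf 'add: parentnode\nparentnode: %s\n\n' "$parent"
}

# parent_node_ldif DN CN CLASS [CLASS...]
# 'changetype: add' record for a parent node. puppetClient is AUXILIARY,
# so the entry also needs a structural class; 'device' (cn only) is used
# here, substitute whatever your host entries already use.
parent_node_ldif() {
    dn=$1; cn=$2; shift 2
    printf 'dn: %s\nchangetype: add\n' "$dn"
    printf 'objectClass: device\nobjectClass: puppetClient\n'
    printf 'cn: %s\n' "$cn"
    for c in "$@"; do printf 'puppetclass: %s\n' "$c"; done
    printf '\n'
}

# The post's web server (webserver, ftpserver, server) inheriting from a
# baseserver node that carries the server class. Feed the output to your
# directory, e.g.:  sh this.sh | ldapmodify -x -D cn=admin,dc=example,dc=com -W
parent_node_ldif 'cn=baseserver,ou=puppet,dc=example,dc=com' baseserver server
puppet_node_ldif 'cn=www,ou=hosts,dc=example,dc=com' baseserver \
    webserver ftpserver server
```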

chromatic

Lucas Nussbaum suggests that Linux distributions should have a place to collaborate more effectively than just with upstream projects:

I am both a Debian and an Ubuntu developer, and I’m sometimes amazed that Ubuntu discusses technical choices that were discussed (and solved) a few weeks earlier in Debian. And it’s even worse with the other big distros out there.

Couldn’t we try to improve this?

More and more I believe that open code itself is insufficient. Encouraging and participating in a healthy community around the project is necessary for both free software and open source.

Carla Schroder

http://www.linux.com/feature/118946
“If you have a point-and-click digital camera made by Canon, you may be able to turn on all sorts of features usually reserved for more expensive SLRs. That includes live histograms, depth-of-field calculation, under and overexposure highlighting, and — best of all — shooting your pictures in RAW. The secret is CHDK, an enhanced, free software replacement firmware.”

This sounds pretty darned cool, and it illustrates the nature of this newfangled digital world - it’s all in the software. Of course, the optics and the camera sensor are important, but in the end the software does most of the work. Software translates the data from the camera sensor, software runs your photo printer, software makes your pretty pics into Web galleries. Amazing stuff.

Juliet Kemp

I realised a while ago that it would be a useful thing to check, occasionally, that all the machines I’m responsible for are still up. (This helps to minimise those embarrassing “Oh, I didn’t know there was anything wrong with it” conversations.)

Thus, the following pretty basic Perl script, which I run from /etc/crontab on my own desktop every couple of hours:

#!/usr/bin/perl -w
#
# host_ping.pl - run from crontab
#
# Pings each host in @host_array and mails a one-line report if any of
# them fail to answer. Note that Net::Ping's default protocol is TCP to
# the echo port (7); pass 'icmp' to new() for a real ICMP ping, which
# needs root (fine when run from /etc/crontab).

use strict;
use Net::Ping;
use Net::SMTP;

sub sendmail;

my $ping  = Net::Ping->new();
my $email = 'me@example.com';

my @host_array = qw/host1 host2 serverA serverB/;
my $hosts_down = "";

foreach my $host (@host_array) {
    unless ($ping->ping($host)) {
        $hosts_down .= "$host ";
    }
}
$ping->close();

sendmail() if ($hosts_down ne "");

# Mail the list of unreachable hosts to $email via the site SMTP server.
# Defined without a prototype to match the forward declaration above
# (the original 'sub sendmail()' produced a prototype mismatch warning).
sub sendmail
{
    my $s = Net::SMTP->new('mailserver.example.com')
        or die "Cannot connect to SMTP server: $@";
    $s->mail($email);
    $s->to($email);
    $s->data();
    $s->datasend("From: $email\n");
    $s->datasend("To: $email\n");
    $s->datasend("Subject: Host(s) down: $hosts_down\n");
    $s->datasend("\n");
    $s->datasend("The following hosts did not answer a ping: $hosts_down\n");
    $s->dataend();
    $s->quit;
}

Also this week, I’ve been organising an engineer for a 4TB RAID 5 array which had 2 disks fall over at the same time. Apparently this is increasingly common with large SATA disks (we had 10 500GB disks) - probably due to the heavy load put on the disks by rebuilding. And of course it renders the RAID5 unusable, so reinstall/restore-from-tape fun on the horizon once the engineer currently in the server room has established that it’s definitely kaput.

The other current project is looking at Puppet. So far I’ve got a server and test client working, and am cautiously optimistic about prospective usefulness. I wish you could readily up the log level without having to run in the foreground, mind. I will doubtless blog more on this in future.

Juliet Kemp

This is for the “how the hell have I done this job this long & not known this already?” files.

Debian has a file called /etc/rc.local which runs at the end of all the multi-user boot levels, and which you can therefore put stuff in. I’ve had trouble with autofs not starting properly on certain machines (there seems to be a correlation with SCSI or SATA rather than IDE drives, although I do not know why this should be), and putting the line

/etc/init.d/autofs restart

in /etc/rc.local, whilst arguably a hack, does the trick just fine.

Especially baffled that I didn’t know of this file because I’ve had to do stuff like this in the past, and have horribly misused /etc/init.d/rmnologin instead.

In totally unconnected, and not even slightly tech-related news: a bunch of my cycling friends are riding 1200km in 90hrs in France this week, for fun. (I was hoping to go as well but didn’t qualify - although given the vile weather they’ve had this might be for the best.) They’re all doing fantastically well, especially given the awful conditions, & I’ve been following their progress all week with much excitement (one person has finished already, in 60hrs!). Finish deadline is 4pm French time tomorrow. Allez allez!

Juliet Kemp

I use RT as a request/bug tracker, but until recently hadn’t set it up with an email address plugged directly into it. This was because I don’t run my own email server - that’s centralised - which makes setup a bit more difficult. And undocumented, hence this post. Convincing users to use a different email address may well be tough, but at least you yourself can start bouncing relevant emails to the RT address, thereby creating a more trackable system.

There are 2 basic steps: 1. setting up the mail gateway to RT; 2. mail pickup from the external central server. Note that I’m using exim4 - other mail programs will obviously work differently. Details are below…

Juliet Kemp

run-parts is used (on Debian systems, anyway) to run the scripts in /etc/cron.daily (hourly, weekly, etc) on the appropriate schedule. I had trouble this week with a Perl script I’d dropped into /etc/cron.daily failing to run. Ran fine from the command line, of course. Odd.

Eventually it occurred to me, after a little light man page reading, to try run-parts --test /etc/cron.daily (which just prints the names of the scripts that would run). Script failed to show up. Most Odd.

I finally found the answer via Google, although a slightly less light reading of the man page would have helped. Scripts to be run by run-parts must adhere to a particular naming convention - in particular, no .xx endings. So my script.pl script wasn’t being picked up due to that .pl ending. I renamed it to script and all was well.

(I’m not actually sure what the logic of this is; I’m assuming it’s likely to be historical reasons. You can alter it with the --lsbsysinit option, if you prefer that. I know the .xx ending is by no means essential, but I prefer in general to have a quick visual of what language I’ve written a script in.)
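
As an added example (not from the original post), here are the run-parts(8) name rules written as shell functions you can run against a file name before it goes into /etc/cron.daily; it covers both the default filter and the --lsbsysinit namespaces, and the file names checked at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the run-parts(8) name filters
# as shell functions, for checking a name before it goes into /etc/cron.daily.
# Default mode: ASCII letters, digits, underscore and hyphen only, so any dot
# (and so any .pl or .sh suffix) disqualifies the script. --lsbsysinit mode
# accepts the LSB namespaces instead, where a dot is legal only inside a
# hyphen-separated prefix (example.com-nightly); a trailing .pl still fails.
LC_ALL=C; export LC_ALL   # keep the [A-Za-z] ranges to plain ASCII

# run_parts_accepts NAME: succeeds if run-parts (default mode) would run NAME
run_parts_accepts() {
    case $1 in
        '')               return 1 ;;   # empty name
        *[!A-Za-z0-9_-]*) return 1 ;;   # dot, tilde, space, ...: skipped
        *)                return 0 ;;
    esac
}

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }   # matches NAME EXTENDED-REGEX

# run_parts_accepts_lsb NAME: succeeds if 'run-parts --lsbsysinit' would run it
run_parts_accepts_lsb() {
    matches "$1" '^[a-z0-9-].*dpkg-(old|dist|new|tmp)$' && return 1  # dpkg leftovers
    matches "$1" '^_?([a-z0-9_.]+-)+[a-z0-9]+$' && return 0  # LSB hierarchical names
    matches "$1" '^[a-z0-9]+$' && return 0                   # LANANA-assigned names
    matches "$1" '^[a-zA-Z0-9_-]+$' && return 0              # Debian cron-script names
    return 1
}

# check_names MODE NAME...: report each name the way 'run-parts --test' would
check_names() {
    mode=$1; shift
    for n in "$@"; do
        if [ "$mode" = lsb ]; then check=run_parts_accepts_lsb; else check=run_parts_accepts; fi
        if "$check" "$n"; then echo "would run: $n"; else echo "skipped:   $n"; fi
    done
}

# Constructed names: the post's script.pl and its renamed form, plus typical
# neighbours (anacron, apt, a dpkg leftover and an editor backup file).
check_names default script.pl script 0anacron apt-compat logrotate.dpkg-dist 'script~'
check_names lsb     script.pl script example.com-nightly logrotate.dpkg-dist
```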

chromatic