In the course of doing what we do we discover and gain insight on very interesting stuff.  Historically, this info was just passed back and forth on private internal mailing lists.

Now all Guru Labs instructors have blogs. The technical postings have been aggregated in the hope that they will be a useful way for our partners, customers, and friends to tap into the fun 'Guru' atmosphere.

We are encouraging all our Guru instructors to blog.  Since most have Treo 650 smart phones, there should be some interesting impromptu and mobile blogging activity as well.

Enjoy!

May 15, 2008

Clint Savage

Utah Fedora/Ubuntu Linux Release Party Outtakes

Well, usually I forget to take pictures, because either A) I forget my camera [I brought it this time] or 2) I get wrapped up in the event and forget to bring it with me.  But this release party, I plain just forgot to charge my batteries for my camera, oops!

Fortunately, I was able to snap a few pictures with some of the spare, also not fully-charged, batteries I did have on hand.  However, others took many pictures and I’ve listed them below.

To summarize the party, much celebration was had with foosball, a chess game on one of the largest chess boards around, video games, air hockey and much more, all provided by CodeGreene.  The FedoraProject and Utah Open Source sponsored the food and prizes.  If you’ve never had a Chipotle burrito, they are the best burritos around.

I was able to spend time with about 5-7 people myself sharing the Preview Release of Fedora 9 (codename Sulphur) including two who had never had previous success with Fedora or Linux in general.  It was very satisfying to see things work for them.

The Ubuntu folks were there in strength as well.  The Hardy Heron (8.04) CDs were being passed out, while we Fedorans provided LiveUSB versions.  I even saw people taking advantage and obtaining both!  It’s great to see communities come together and celebrate together.

The party continued at Salt Lake Pizza & Pasta for another couple of hours.  Lots of talk about the releases, upcoming events, and general mayhem took place, including having Heartsbane shoot beer through his nose when I swore at him!

All in all, quite a successful evening and I look forward to helping others in November at our next release party.

Cheers,

Herlo

UPDATE: Another 70+ pictures have been added, check them out!

(May 15, 2008 06:09 AM UTC)

May 14, 2008

Clint Savage

Fedora 9 is out!

April 26, 2008

Stuart Jansen

Firefox 3: Two Steps Back

I upgraded to Ubuntu 8.04 (Hardy) this weekend. So far my first experience with Firefox 3 hasn't been great.

First the minor issue: When I launched FF3, my fonts were messed up. Some pages looked normal, others had ugly huge fonts. Maybe the big fonts are a problem with Ubuntu's Freetype config. Maybe it's a problem with the nVidia drivers. I don't know. Thankfully, I found a workaround. In Firefox about:config set layout.css.dpi to 96. (http://ubuntuforums.org/showthread.php?t=706788&page=2)

Now my bigger gripe: I don't like the new rich urlbar. Back in FF2, I could open most of my favorite sites in 4 keystrokes or less. By increasing the amount of data the new urlbar searches, the Firefox devs have decreased the unique identifiers for each link. So far, I haven't found a fix. It isn't just the slow loading or the giant waste of space; the most important detail is the sorting algorithm. I know about the oldbar plugin, but unfortunately it's only a cosmetic fix because it doesn't include the old FF2 sorting.

Hopefully I'll find reasons to like FF3, but for now it feels like Firefox has taken two steps back.

(April 26, 2008 07:27 PM UTC)

April 24, 2008

Clint Savage

The OLPC Deserves Better!

The following two articles were published in the past couple days.  When they were published and made known to me, I was saddened:

Report: OLPC may eventually switch from Linux to Windows XP
Nicholas Negroponte on Sugar and One Laptop Per Child

It appears that Greg DeKoenigsberg responded to these two articles with a great rebuttal in this article:

OLPC Developers are *not* fundamentalists

Thank you Greg, thank you for saying what I feel inside.  As an open source advocate, I see the value and benefit of free software and its power.  I feel good inside when I contribute and don’t feel anything like a fundamentalist.

Again, thank you Greg.

Cheers,

Herlo

(April 24, 2008 10:36 PM UTC)

April 18, 2008

Clint Savage

I guess we’ll wait

As many of you may already know, Fedora 9 (codename: Sulphur) has been pushed back 2 weeks to May 13.  Being the organizer of the Utah Fedora/Ubuntu Linux Release Party on May 3, it’s kind of hard to push it back because Ubuntu’s release is still on time.

I’m glad, though, that the major parts of this release are feature complete and it’s just a few blocker bugs holding it back.  I’m also really happy to point out that because the folks at the Fedora Project are willing to push the date back, the release will be much better off in the end.

This also goes to show a difference: many businesses would consider releasing anyway, mainly because they promised something, and not releasing would cost them revenue and possibly customers.  Open source people don’t follow the same mantra, and I’m proud to say that while I like meeting deadlines, if a deadline has to slip a little to make a better product, timelines should slip.

In the meantime, enjoy the preview release made available yesterday.  Utah will party with this preview.  Shortly after the party, an update will be made available via yum.  There are some amazing things coming out in a few weeks.  Keep your ear to the ground and enjoy the new Sulphur in your life!

Cheers,

Herlo

(April 18, 2008 10:31 PM UTC)

April 13, 2008

Clint Savage

Succumbing to the pressure

My T60p.

[clints@herlo-lap ~]$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
144 svn
144 cd
108 ls
104 ./manage.py
101 ssh
69 su
43 screen
26 vim
25 rm
15 ping

[clints@thor ~]$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
266 git
260 make
71 cd
57 ls
55 vim
55 rt
26 rm
19 bin/send-patch
18 grep
16 bin/validate

I guess I love revision control systems.

Cheers,

Herlo

(April 13, 2008 01:31 AM UTC)

April 01, 2008

Clint Savage

Is Google Calendar really that Lucky?

I was perusing today, and maybe it’s just because it’s April Fools’ Day and I’ve not posted, but I thought this was pretty hilarious…

If you click to add a new calendar item into Google Calendar, you get a new button “I’m Feeling Lucky”…

imfeelinglucky.png

After clicking this new button, here’s what I got:

gcal-alba.png

Woohoo!  So right before the Ubuntu/Fedora Release party on May 3, I have a date with Jessica Alba!  Nice!  I might blow off the release party if the date goes well…

I tried this a few more times and here are the results I’ve received.  I’ve got dates with:

  • Anna Kournikova on May 5 at 4pm
  • Eric Cartman on May 10 at 6pm
  • George W. Bush on May 6 at 4pm
  • Matt Damon on May 8 at 8pm

Wow!  I’m popular.  Who else, what else did you get?

Cheers,

Herlo

(April 01, 2008 09:00 PM UTC)

March 27, 2008

Clint Savage

Google Summer of Code: Jumping into the fire

So I’ve done it.

Yes, I really have done it this time!

Well, maybe…time will tell.

I’ve gone and posted an idea for a project on the Fedora wiki page for the Google Summer of Code (GSoC), but that’s not all, no!

In addition, I took the time to apply to be a mentor at the Google Summer of Code Project page.  And what’s weirder is that I hope I get the opportunity to make this idea a reality, because I think it’s something that Fedora could really use.

I’m somewhat surprised it hasn’t already been created. A couple of people found this idea too, and have emailed me about it, and I need to reply.  Soon that will happen.

I am really excited.

Cheers,

Herlo

(March 27, 2008 05:47 AM UTC)

March 25, 2008

Clint Savage

Fedora 9 Beta is now available!

Get yourself some of that sulphur love!

From the mouth of the daring Mike McGrath:

The beta is live.  Go out, get people and try to crash the servers!  The
challenge is on :-P

http://fedoraproject.org/get-prerelease

Personally, I’ve been on Rawhide (the development tree) since February.  While there have been some bumpy roads, most of it has been smooth sailing.  These Fedora guys really know what they are doing :)

Tell me what you think of the latest and greatest of Linux releases.

Cheers,

Herlo

UPDATE: Feel free to digg this article if you like the beta

http://digg.com/linux_unix/The_Fedora_Project_releases_Fedora_9_Beta

(March 25, 2008 05:50 PM UTC)

February 23, 2008

Stuart Jansen

Fixing Printer Margins in Linux

I've just spent a frustrating hour trying to find the right program and print options to print a PDF without extra margins or scaling. Thankfully, I've found the solution: disable the printer's "scale to fit" option.

Perhaps you've seen this problem yourself. I created a PDF with landscape orientation and carefully measured layout, but when printed it would be scaled smaller with an extra margin (and sometimes even switched to portrait). I tried every print option and program available. I started with evince. Then I switched to acroread and tried configuring scaling, rotation, PostScript level 2, PostScript level 3, every option I could find. I even tried lp and lpr. No matter what I tried my margins were incorrect.

Finally I realized that if every program was wrong, it was probably the print driver's fault. Sure enough, CUPS, the most common Linux printing system, was performing the scaling.

From the command line: /etc/cups/printers.conf

One way to eliminate the extra margin is to edit your /etc/cups/printers.conf and disable the fitplot option.

Option fitplot false

Using a GUI: system-config-printer

On Fedora and Ubuntu, system-config-printer can be used to configure CUPS. If you're more comfortable using a GUI, I've included a screenshot showing the option I'm referring to.

system-config-authentication: scale to fit

(February 23, 2008 06:25 PM UTC)

February 07, 2008

Clint Savage

Fedora 9 Alpha Released

The latest and greatest Rawhide of Fedora has been put into an Alpha Release.  I downloaded both the LiveCD and the DVD ISOs yesterday, which took 15+ hours.

Just a reminder that Alpha means it’s not ready for your production box, so test it extensively and give feedback.  When the Beta comes out in March, I plan to move my lappy over.  Until then, I’ll just keep testing.

You can get yours from:

http://mirrors.fedoraproject.org/publiclist/Fedora/9-Alpha/

A list of the upcoming features for Fedora 9 is available here:

http://fedoraproject.org/wiki/Releases/9/

Cheers,

Clint

(February 07, 2008 07:53 PM UTC)

January 15, 2008

Clint Savage

FUDCon: The Day After

So I’m back at work today after a very hard Sunday (fudpub was not friendly to me) at the slack^H^H^H^H^Hhackfest. However, I have to say that it was probably the best learning experience one could have at a conference. The BarCamp concept really worked well and I think it gave me some much needed information to move ahead on projects with which lately, I’d been struggling.

In addition to all of the learning, I was able to meet some really cool people there. Of course, there were my friends, Jared Smith, Evan McNabb and Derek “goozbach” Carter, and it was great to see them.

But I didn’t just come for my friends, and it was great to meet so many others.

I met Paul Frields when Jared introduced me. He quickly informed me that Paul would be the “New Max”. After spending the last 2.25 days near or around Paul, I think he’ll be a great leader. And to be honest, it feels to me as if he’ll put his own stamp on things. Not to take away from what Max has done, and will do, but I think Paul will be an awesome leader and I look forward to his friendship and leadership.

I was able to visit with Jim Whitehurst, the new Red Hat CEO. He stopped me to ask about my Eee PC and what I thought. We talked for a good 5 minutes before I realized who he was, and then I congratulated him on the job and said I expected great things :) He was quite excited to see the Eee PC and it was awesome to know how passionate he was about Fedora. And to take the time out on a Saturday, that’s awesome!

A few more people I met who were awesome and friendly: Michael DeHaan, Karsten Wade, Seth Vidal, Russell Harrison, Toshio Kuratomi and another whose name escapes me (who I helped get lost somewhere near Cary and Apex) and so many more names I cannot recall, though I’ll not forget your faces. Thank you for your valuable time and helping me get acclimated to this awesome community. I’d like to thank everyone who spent time helping us naive souls learn the way of the Fedora.

In the future, I plan to take much of what I learned and start working with it in my spare time. I’ve also started the process of joining the documentation project and look forward to helping them. My ambassador duties are simple enough that I can continue doing that as well, so this year should be a good year.

Thanks again to my company Guru Labs, for helping me arrange my schedule around FUDCon and hopefully they’ll be as accommodating for Scale next month.

Cheers,

Herlo

(January 15, 2008 03:13 AM UTC)

June 24, 2007

Stuart Jansen

URL Monitoring With Bash

Several years ago, I was a poor college student in need of a car. Every time I saw an ad for a car in my price range and called about it, I would be told it had already been sold. So I hacked together a simple Perl script that scraped local newspaper listings daily and emailed me a list of cars in my price range.

Fast forward a few years and I'm in the market for a new laptop. Lenovo's T61 is almost perfect, but I've gotten used to my current laptop's 1920x1200 screen. I refuse to move backwards. Rumor has it the T61p will be available in 1920x1200, so for the last couple of months I've been eagerly awaiting its announcement, but Lenovo appears to be in no hurry.

I'm tired of manually checking for new announcements. Thankfully, IBM periodically provides a file named tabook.pdf with a list of Thinkpad models. So I wrote the following script to periodically check for new versions and email me the latest as soon as it's detected:

#!/bin/bash
URL='http://buscaluz.org/robots.txt'
EMAIL="spam.spam.eggs.and.spam@buscaluz.org"

# Detect and send new copies of $URL to $EMAIL.
# $LOG's timestamp is used to detect a new $FILE.

FILE=$(basename "$URL")
LOG="$FILE.log"

function log {
  printf "%s: %s\n" "$(date +%F)" "$*" >> "$LOG"
}

# On the first run, create the log and back-date it to 1970 so the
# first download always counts as newer than the log.
if [ ! -f "$LOG" ]
then
  log "Created log file."
  touch -t 197001010000 "$LOG"
fi

# -N only fetches when the server's copy is newer than the local file
# and preserves the server timestamp on the downloaded file.
wget -N "$URL"
if [ "$FILE" -nt "$LOG" ]
then
  printf "A new copy of '%s' was discovered.\n\nurl: %s\n" "$FILE" "$URL" | \
    mutt -s "New $FILE" -a "$FILE" "$EMAIL"
  log "Sent new copy of '$FILE'."
fi

You'll notice I designed the script to be easily adapted. If you want to use it yourself, you'll probably also want to see the crontab entry that runs it:

15 0  * * *  cd /home/sjansen/tabook && ./tabook.sh &>/dev/null
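The script above keys on file timestamps, which a server can send unchanged even after the content differs, and which the log file itself disturbs every time it is written. The following is an added example, not the post's own script, that decides "new copy" by content hash instead; the function names, the state directory and the sample files in the comments are assumptions for this illustration. wget and mutt are used as in the post (mutt's `--` separates attachments from recipient addresses).

```shell
#!/bin/sh
# Added example: detect a changed download by SHA-256 rather than mtime.
# Hypothetical state directory; override with STATE_DIR=... in the environment.
STATE_DIR="${STATE_DIR:-$HOME/.urlmon}"

# hash_file FILE: print the SHA-256 of FILE's contents.
hash_file() {
  sha256sum "$1" | awk '{print $1}'
}

# changed_since_last FILE STATEFILE
# Exit 0 (changed) when FILE's hash differs from the hash recorded in
# STATEFILE or no hash was recorded yet; the new hash is recorded.
# Exit 1 when the content is unchanged; exit 2 if FILE cannot be hashed.
changed_since_last() {
  file="$1"; state="$2"
  new=$(hash_file "$file") || return 2
  old=""
  [ -f "$state" ] && old=$(cat "$state")
  if [ "$new" = "$old" ]; then
    return 1
  fi
  printf '%s\n' "$new" > "$state"
  return 0
}

# fetch_and_notify URL EMAIL: mirror the post's flow, but notify only when
# the downloaded bytes actually changed.
fetch_and_notify() {
  url="$1"; email="$2"
  file=$(basename "$url")
  mkdir -p "$STATE_DIR"
  wget -q -N "$url" || return 1
  if changed_since_last "$file" "$STATE_DIR/$file.sha256"; then
    printf 'A new copy of %s was discovered.\n\nurl: %s\n' "$file" "$url" |
      mutt -s "New $file" -a "$file" -- "$email"
  fi
}

# Typical use (not run here): fetch_and_notify "$URL" "$EMAIL"
```

One detail worth knowing for the crontab line: `&>/dev/null` is bash syntax, and cron runs its jobs with /bin/sh; where /bin/sh is not bash, write `>/dev/null 2>&1` instead.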

(June 24, 2007 09:07 PM UTC)

May 31, 2007

Stuart Jansen

Watching Old DNS Entries Expire

Slicehost, my current hosting company, is migrating clients to a new IP range. After updating DNS, I was curious to find out how long my old data would be cached.

dig +ttlid buscaluz.org @ns8.zoneedit.com

Next I wanted to monitor my local DNS server as the old entry expired.

watch -n 30 'dig +ttlid buscaluz.org | egrep ^b.*IN.*A'

Man, I love Linux!

(May 31, 2007 02:01 AM UTC)

May 21, 2007

Stuart Jansen

BIOS Inspection Using dmidecode

Until recently, I thought dmidecode was an interesting curiosity but nothing more. That was until I needed to upgrade the BIOS on a classroom full of machines without disturbing the students. Instead of upgrading each system in a careful order, I jumped on systems as they became available. Eventually, I thought I was done but couldn't be sure. Then it hit me:

for I in {1..20}
do
  ssh root@station$I dmidecode | grep -A 3 'BIOS Info' | grep Version
done

And that is why I love Linux!
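The loop above prints version strings without saying which station each came from, so a machine still on the old BIOS is easy to miss. The following is an added example, not the post's loop, that parses dmidecode's "BIOS Information" block and reports the hosts whose version differs from the expected one; the function names, the station names and the sample dmidecode text are constructed for this illustration.

```shell
#!/bin/sh
# Added example: BIOS inventory across hosts with an "odd one out" report.

# extract_bios_version: read dmidecode output on stdin and print
# "vendor|version|release-date" taken from the "BIOS Information" block.
extract_bios_version() {
  awk '
    /^BIOS Information/ { inblock = 1; next }
    /^Handle /          { inblock = 0 }
    inblock && /^[ \t]*Vendor:/       { sub(/^[ \t]*Vendor:[ \t]*/, "");       vendor  = $0 }
    inblock && /^[ \t]*Version:/      { sub(/^[ \t]*Version:[ \t]*/, "");      version = $0 }
    inblock && /^[ \t]*Release Date:/ { sub(/^[ \t]*Release Date:[ \t]*/, ""); date    = $0 }
    END { printf "%s|%s|%s\n", vendor, version, date }
  '
}

# hosts_not_at FILE EXPECTED: FILE holds "host version" lines (the format
# collect_versions writes); print every host whose version is not EXPECTED.
hosts_not_at() {
  awk -v want="$2" '$2 != want { print $1 }' "$1"
}

# collect_versions HOST...: query each host over ssh and print "host version".
# -n stops ssh from consuming the loop's stdin; BatchMode makes a host
# without key-based access fail fast instead of hanging on a password prompt.
collect_versions() {
  for h in "$@"; do
    v=$(ssh -n -o BatchMode=yes "root@$h" dmidecode -t bios 2>/dev/null |
        extract_bios_version | cut -d'|' -f2)
    printf '%s %s\n' "$h" "${v:-UNKNOWN}"
  done
}

# Constructed dmidecode excerpt so the parser can be exercised offline.
sample_dmidecode() {
  printf 'Handle 0x0000, DMI type 0, 24 bytes\nBIOS Information\n\tVendor: Example Vendor\n\tVersion: 1.42\n\tRelease Date: 01/01/2007\nHandle 0x0001, DMI type 1, 27 bytes\nSystem Information\n\tManufacturer: Example Inc.\n'
}

# Typical use (not run here):
#   collect_versions station1 station2 station3 > versions.txt
#   hosts_not_at versions.txt 1.42
```

Hosts that could not be reached show up as UNKNOWN and are therefore listed by hosts_not_at as well, which is the behaviour you want when the goal is "be sure nothing was skipped".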

(May 21, 2007 11:39 PM UTC)

April 24, 2007

Dax Kelson

Official Details on IBM/Lenovo T61

Having owned several IBM T-series ThinkPads I've always been a fan. The ownership of T-series has spread throughout the troupe of Linux Training instructors here at Guru Labs as lesser laptops have fallen by the wayside.

I've had my current T42p for almost three years now. I've been very happy with it. The build quality is excellent, and anyone looking at it would never guess it has been used daily for the last three years. The Linux support is superb. The only problem is that the 2.0 GHz Pentium M CPU in it doesn't support PAE, so Xen in RHEL5/FC6 doesn't work.

Today I found that IBM has posted details on the new Santa Rosa chipset based T61 laptops to be released next month. I plan on picking one up to replace my T42p. Some of the highlights:

* All the benefits of Santa Rosa platform
* LCD roll cage
* Firewire port
* NVIDIA Quadro 140M replaces ATI as high video card option
* Four-in-one media reader
* New Intel 4965AGN WiFi card

More information is available in the Announcement Letter (HTML) or Announcement Letter (PDF)

(April 24, 2007 06:01 PM UTC)

March 07, 2007

Thad Van Ry

Automatically unlock the default keyring on FC6

If you have NetworkManager in use on Fedora Core 6, you have probably seen this dialog box:

keyring.jpg

I got tired of entering my password every morning to unlock the default keyring, so I went looking for a solution. What I found was a module for use with PAM that would supply my system password to gnome-keyring for me. The module is called pam_keyring.so.

On Fedora Core 6 the steps that I used to implement this were:

1) As root install the module and its documentation:
# yum install pam_keyring

2) Insert the following two lines into /etc/pam.d/gdm:
auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

Note that order is important in the gdm file. This is what my /etc/pam.d/gdm file looks like with the additions:

auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so

Now the system no longer prompts me for the default keyring password when I log in.

(March 07, 2007 11:10 PM UTC)

Lamont R. Peterson

Root Filesystem Conversion

Ed: This post was originally written on 2006/08/03, but for some reason I missed publishing it. As I believe the information is useful, I'm publishing it now.

On my home workstation, I used LVM for the one 160GB hard drive. When I first built the box (in May of 2004), I installed Fedora Core 2 for x86_64; it's a dual AMD Opteron 242 (1.6GHz). I created four partitions:

  1. 100MB /boot/
  2. 2GB swap (there's 1GB RAM, but I can expand to 8GB)
  3. remainder (~96GB) LVM
  4. 60GB Windows XP Professional

For a couple of weeks, I have been unable to install any updates to FC5. When I run yum update, I get a series of error messages telling me that yum needs additional disk space on the root partition in order to install packages. Strangely enough, almost none of those packages have files that end up in the root partition.

The root filesystem was a 512MB ext3 LVM logical volume. Sure, I could make it bigger, but I shouldn't have to. In fact, I should be able to have it be only about 256MB and still have a completely usable system. I have /home/, /tmp/, /usr/, /var/ and even /opt/ all split off onto their own LVs, so there's not that much stuff left on the root volume. In fact, running du -sx / shows that there is just barely 200MB of data present. However, running df / shows that it is 99% full (about 508MB used). Clearly, ext3 is not an efficient choice for a root partition when the bulky filesystems are split out like this.

So, I decided to "convert" to another filesystem type. I chose to use XFS for the root volume. Converting the root partition can be a little bit tricky, as the initrd needs to have the right drivers to work with it. Here's my step-by-step (assuming that the volume group is named system):

  1. Create a new volume and format it with the new filesystem type (the size could be smaller, if desired):
    # lvcreate -L 512MB -n newroot system
    # mkfs.xfs /dev/system/newroot
    
  2. Mount the new root volume and remount the current root volume read-only:
    # mkdir /mnt/temp
    # mount /dev/system/newroot /mnt/temp/
    # mount -o remount,ro /
    
  3. Copy the contents of just the root volume to the new root volume (the -x switch is very important):
    # cp -ax /* /mnt/temp/
    
  4. Unmount the new root volume:
    # umount /mnt/temp/
    
  5. Run uname -r and record the value. This will be needed later when running mkinitrd.
  6. Reboot the system into a rescue environment. In order to be able to boot with the new root partition, it is necessary to recreate the initrd. You could hand edit the existing one(s) to fix things up, but this will be quite a bit easier. Use a CD or a network bootable rescue environment for your distro (FC5 in my case).
  7. If you let the setup for the rescue environment mount your partitions/volumes, that's fine, just make sure to unmount everything so you can switch root partitions. If you don't let it mount up the parts, that's fine too; just use the LVM commands for your rescue environment to activate LVM.
  8. Rename the old root volume out of the way and rename the new one into place (this only works while the volumes are not mounted):
    # lvrename system root oldroot
    # lvrename system newroot root
    
  9. Mount the (new) root volume and at least /boot/ and /usr/ on top of that:
    # mkdir /mnt/system/
    # mount /dev/system/root /mnt/system/
    # mount /dev/sda1 /mnt/system/boot/
    # mount /dev/system/usr /mnt/system/usr/
    
  10. It's time to recreate the initrd. This is easiest when done chroot'ed into the system environment found on your hard drive (assuming your new root volume was mounted at /mnt/system/):
    # chroot /mnt/system/
    
  11. Run mkinitrd. Depending on which distribution is installed, this could require quite a different set of switches than what I'm showing you here. In my case, it was Fedora, so I used the mkinitrd command found in the /sbin/new-kernel-pkg script, which is run as part of the post-install scripts from every Red Hat kernel RPM (just open up /sbin/new-kernel-pkg and find the right command to run, replacing "something" with the correct kernel version string recorded earlier from the uname -r command):
    # /sbin/mkinitrd --allow-missing -f /boot/initrd-2.6.something 2.6.something
    
  12. Leave the chroot environment and unmount everything (yes, if you just cleanly exit the rescue environment, it should cleanly unmount everything, but let's just be sure it happens right, shall we?):
    # exit
    # umount /mnt/system/usr/
    # umount /mnt/system/boot/
    # umount /mnt/system/
    
  13. Reboot. The system should come up with your root volume in use with a new filesystem type.

That's it. That wasn't so difficult, was it?

The entire thing could be done from within the rescue environment, including copying the contents of the root volume to the new root volume, if you like.

(March 07, 2007 12:23 AM UTC)

March 06, 2007

Lamont R. Peterson

Windows NTP Client

I've had a Network Time Protocol (NTP) server running in my home network for many years. The two workstations dual boot Windows and Linux. When running Linux, the ntpd daemon keeps them in sync with my NTP server. When running Windows, I haven't bothered, as there isn't anything running under Windows that cares about time at all, and they run Linux most of the time.

Today, I decided to figure out how to keep the Windows clients' clocks synchronized with NTP. A quick Google search located an NIST PDF document titled, "Configuring Windows 2000 and Windows XP to use NIST Time Servers." There is also a link in the introductory pages of that document to the freely available download from Microsoft to enable Windows NT systems to be configured as NTP clients.

As it turns out, it's really easy to configure Windows 2000 and Windows XP Professional, as they both have native, out-of-the-box support to run as NTP clients. So, to boil down the NIST's 12 page document, open a "DOS prompt" command shell as a user with admin rights and run (the SNTP setting is a sub-command of net time):

> net time /setsntp:servername
> net stop w32time
> net start w32time

That's it.

You could also use the Time/Date control panel. When I tried it (first) on one of my boxes, it had the default configuration of using a Microsoft time server already configured. When I changed it in that dialog box to use my time server, it griped that it wouldn't use the time I was providing as the server's stratum was lower than the host's. I wonder what goofy things Microsoft's time server is doing, as my time server is stratum 2. Anyway, I ran those three commands and it successfully switched over to using my NTP server.

You would think that the fact that Windows 2000 and Windows XP have the NTP client built-in would be one of those things that I would have already "just known." Well, I didn't, but now I do.

(March 06, 2007 06:06 PM UTC)

February 09, 2007

Lamont R. Peterson

Adobe Flashplayer 9 for Linux Installed

About three weeks ago, I ran rug update on my notebook (I'm mainly using openSUSE 10.2) and got the Adobe Flashplayer 9 for Linux update installed.

That was easy.

I last checked about 12 days ago, but there wasn't an RPM for Fedora Core 6 (the current release), available yet.

(February 09, 2007 05:40 PM UTC)

January 15, 2007

Stuart Jansen

Installing Third Party Libraries on Fedora

SELinux on Fedora has matured greatly over the last couple of years. Once in a rare while, however, I run into a problem. Here's a solution to one problem you may encounter.

I recently downloaded and tested a proprietary, third party extension for Ruby called "Uncharted". When I tried to run its example scripts, I got the error: "cannot restore segment prot after reloc: Permission denied". Looking at /var/log/messages, it was obvious that SELinux was causing the permission denied.

People unfamiliar with SELinux would probably just turn it off at this point. Hopefully you, my gentle reader, have been getting more comfortable with SELinux and would instead try the same thing I did:

chcon --reference=/usr/lib/<SOME_RANDOM_LIBRARY> *.so

This didn't solve my problem because most libraries in /usr/lib are labelled with type lib_t. I did some googling and came across a solution that did work:

chcon -u system_u -r object_r -t textrel_shlib_t *.so

But wait! Before you try this yourself, please read what I discovered.

Curious about the implications of type textrel_shlib_t I did some more research and came across an email with links to documentation by Ulrich Drepper:

I was impressed by how well written the information was. I've included below the conclusion of the second link because I feel it is important:

Using the eu-findtextrel it is in most situations relatively painless to determine the culprit(s) for the text relocations easily. There is usually no reason to not fix the problems. While a program with text relocations can be made to run by relaxing the SELinux security this is a bad idea. The kind of permissions which have to be granted to the program create a gaping hole in the security policy. Attackers will be able to modify the memory as well. If this is not the case a program can enforce a strict W^X policy. I.e., no memory page is writable and executable at the same time. And more: SELinux can also enforce that no writable page can be marked as read/exec-only. With these provisions an attacker has no room where to place his/her exploit code. This is a huge win. So, always fix all text relocations. We've made it as easy as possible.

Unfortunately, this is one of the disadvantages of using proprietary software. If Uncharted were F/OSS, I could do the work myself and submit a patch to the developers. Because it is proprietary, I can only try to provide a bug report and hope the issue will be fixed. Which is a real shame because I'd like to be able to recommend their product. Until this important issue is fixed, however, I don't feel I can.
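Before relabelling anything as textrel_shlib_t, it is worth confirming which objects actually carry text relocations, since that is the condition the label papers over. The following is an added example, not from the post, that checks shared objects with readelf from binutils (the post's eu-findtextrel from elfutils reports the same condition with more detail); the function names and the sample readelf output are constructed for this illustration.

```shell
#!/bin/sh
# Added example: find text relocations in shared objects before touching SELinux labels.

# dynamic_has_textrel: read `readelf -d` output on stdin. A library needs
# text relocations when its dynamic section has a DT_TEXTREL entry or the
# TEXTREL bit set in DT_FLAGS; exit 0 when either marker is present.
dynamic_has_textrel() {
  grep -Eq '\(TEXTREL\)|\(FLAGS\)[[:space:]].*TEXTREL'
}

# textrel_report LIB...: one line per file; exit 1 if any file needs fixing.
# The fix is a rebuild with -fPIC (the vendor's job for proprietary code),
# not the textrel_shlib_t label, which gives up the W^X guarantee for that code.
textrel_report() {
  rc=0
  for lib in "$@"; do
    if readelf -d "$lib" 2>/dev/null | dynamic_has_textrel; then
      printf '%s: TEXTREL present; rebuild with -fPIC\n' "$lib"
      rc=1
    else
      printf '%s: no text relocations\n' "$lib"
    fi
  done
  return $rc
}

# Constructed `readelf -d` excerpts so the check can be exercised offline.
sample_readelf_textrel() {
  printf 'Dynamic section at offset 0x1f08 contains 3 entries:\n'
  printf '  Tag        Type                         Name/Value\n'
  printf ' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n'
  printf ' 0x0000000000000016 (TEXTREL)            0x0\n'
  printf ' 0x000000000000001e (FLAGS)              TEXTREL BIND_NOW\n'
}
sample_readelf_clean() {
  printf ' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n'
  printf ' 0x000000000000001e (FLAGS)              BIND_NOW\n'
}

# Typical use (not run here): textrel_report *.so
```

A library that reports clean but still trips "cannot restore segment prot after reloc" points at a different cause than text relocations, so the chcon line above would not be the right answer for it either.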

Update: Less than 12 hours after I contacted them, the creators of Uncharted contacted me with a correctly compiled version of their product. As you might be able to guess from the name, Uncharted is a charting library with bindings for Ruby, Java, Perl, Python, PHP, and C++. Although their API feels like Java with a Ruby wrapper, I'm impressed by how quickly they responded to my report. If you're looking for a charting library, give Uncharted a try.

(January 15, 2007 03:53 AM UTC)

November 11, 2006

Stuart Jansen

Beat Under Control and Magnatune

Thanks to Knobtweakers I discovered that I love Techno mixed with Jazz. Unfortunately, that's not exactly a standard musical genre, making it hard to find great recordings while still respecting artists' copyrights.

Thanks to Technocrat I discovered that Magnatune is a great company to buy music from. Thanks to Magnatune, I discovered the wonderful sound of Beat Under Control.

The best part? Magnatune provides high quality WAV, MP3, OGG & even FLAC and encourages customers to share a copy with three friends. Share! The entire album! Magnatune is not evil. Magnatune is very not evil.

(November 11, 2006 11:15 PM UTC)

September 06, 2006

Lamont R. Peterson

DHCP, VoIP & Updated Kernel

Yesterday, I was working on a new DNS server I was setting up for someone, when I noticed that I hadn't set up rndc on my home DNS server. After fixing that, I added a couple of zones to my home DNS server to have it serve (for now) as the secondary server for some new domains, but the zone transfers weren't working. It was immediately obvious that I needed to alter the firewall configuration to allow the DNS server to initiate zone transfers, so I ended up looking at a couple of parts of my firewall configuration.

It was an easy change, but in the course of all of this, I had made a typo that caused me a problem with one of my VLAN connections. When I tried to bring the link down so I could reinitialize it with some fixed configuration, it hung. Running kill -9 didn't work, so I decided to just reboot. It had been several months since my last boot and there was a newer kernel that I wanted to be using, anyway, so it wasn't a big deal.

But then, DHCP (which is on the same box) no longer worked. I double-checked that dhcpd was running, did a little sniffing and discovered that the DHCP segments weren't actually getting past the firewall configuration. This is odd, since a Netfilter firewall configuration that is completely locked down (i.e. a policy of DROP on all built-in chains and no rules) has always still permitted DHCP traffic to get through. However, I decided to add a couple of rules to the firewall, such as:

-A INPUT -p udp --sport 68 --dport 67 -m state --state new -j ACCEPT

With those new DHCP rules loaded up, it started working again. It would appear that the latest kernel for Red Hat Enterprise Linux 4 and CentOS 4 (which that server runs), has made a change in Netfilter so that it now affects DHCP renewals.

Perhaps a little explanation of DHCP is in order here (skip down a little if you already know this part, in order to get the rest of the story).

(September 06, 2006 05:46 AM UTC)

August 04, 2006

Lamont R. Peterson

Yum GPG Keys

I forgot to mention the use of GPG keys with yum in my recent post about using the mplug repository to install Adobe Flash Player.

In the .repo file for the mplug Yum repository, there are two lines about GPG; gpgcheck=1 turns on the feature that GPG signatures must be present and valid for packages downloaded from that repo or yum will not install them. gpgkey=http://macromedia.mplug.org/FEDORA-GPG-KEY provides the location where the GPG key file can be found. Simply download the key and run rpm --import FEDORA-GPG-KEY (as root, of course) to install the key into RPM.

There is older documentation on the Internet that will tell you to run gpg --import keyfile either prior to or instead of rpm --import keyfile. That's for way older versions of RPM and no longer applies; it is only necessary (and desirable) to install the key into RPM.
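One thing worth adding: gpgcheck=1 only proves that a package was signed by some key you have imported, so the rpm --import step, done with a key fetched over plain HTTP, is where the trust decision is actually made. The sh helper below is an added example, not code from the original post or from the mplug project; it imports a key into RPM only after its fingerprint matches one obtained out of band (the EXPECTED_FPR value in the usage comment is a placeholder assumption, not the real mplug key's fingerprint), and then shows how to confirm the key landed in the RPM database and that a downloaded package verifies against it.

```sh
#!/bin/sh
# Added example, not from the original post: import a repository signing key
# into RPM only after its fingerprint matches one you obtained out of band
# (the repository's page over HTTPS, a keyserver, or the maintainer directly).

# norm_fpr FPR: strip the spaces gpg prints and upper-case, so two renderings
# of the same fingerprint compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# key_fingerprint KEYFILE: print the primary-key fingerprint of an armored key
# file without importing it into any GnuPG keyring.  (GnuPG 2.1.23 and later
# also accept --show-keys in front of the file name.)
key_fingerprint() {
    gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# import_key_if_matches KEYFILE EXPECTED_FPR: run rpm --import only on a match.
# Returns 1 and imports nothing on a mismatch or an unreadable key file.
import_key_if_matches() {
    keyfile=$1
    expected=$2
    actual=$(key_fingerprint "$keyfile")
    if [ -z "$actual" ] || [ "$(norm_fpr "$actual")" != "$(norm_fpr "$expected")" ]; then
        echo "refusing to import $keyfile: fingerprint '$actual' != '$expected'" >&2
        return 1
    fi
    rpm --import "$keyfile"
}

# Usage (as root), with the key file named in the post:
#   wget http://macromedia.mplug.org/FEDORA-GPG-KEY
#   EXPECTED_FPR='0000 0000 0000 0000 0000  0000 0000 0000 0000 0000'  # placeholder
#   import_key_if_matches FEDORA-GPG-KEY "$EXPECTED_FPR"
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n'  # key is now in the RPM db
#   rpm -K flash-plugin-*.rpm   # must report "gpg OK"; this is the check yum runs when gpgcheck=1
```

A package that reports "NOT OK" from rpm -K after the key is imported was either tampered with or signed by a different key; either way, do not fall back to --nogpgcheck to make it install.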

(August 04, 2006 05:29 PM UTC)

Macromedia Flash 9 for Linux

In a recent post of mine, I talked about using the mplug yum repository to install the Adobe Flash Player web browser plugin (Adobe bought Macromedia in 2005).

I also talked a little about the future of Flash Player on Linux. The main thing is that Flash 8 will probably never come to Linux, but 8.5 would. Today, I came across this post by Emmy Huang which talks about Flash Player 9 for Linux. There should be a Linux beta late this year for public testing with the final release sometime in early 2007, according to Huang.

Also, there is a new Penguin.SWF blog at Adobe, run by "Mike M." Go there for all the latest on Flash for Linux.

(August 04, 2006 04:45 PM UTC)

July 20, 2006

Dax Kelson

Software and Development News

There has been lots of activity the past little while on the software development front. Here is a sampling of a few things that caught my eye.

SUSE Enterprise Linux 10

On Monday, Novell released the long awaited SUSE Linux Enterprise Server and Desktop version 10. Guru Labs' Linux courseware and classes cover both SUSE Linux Enterprise as well as Red Hat Enterprise Linux and we are working on releasing updated materials to cover this new version 10 release (and later this year, RHEL5).

Major Squid Release

The Squid web proxy server has a new major v2.6 release after several years. Some of the new features include better scalability, a "totally transparent" mode which rewrites layer 3 and 4 addresses and port numbers, support for Negotiate/Kerberos authentication, hardware assisted SSL support, and many other features. I authored the Squid chapter and lab used in our GL275: Enterprise Linux Services class and I'm excited about adding coverage of the new v2.6 features. Too bad that none of the 2006 Enterprise Linux releases will include Squid v2.6.

Compiz in Fedora

On the Fedora Core v6 and Red Hat Enterprise Linux v5 development front there have been a few things of note. The OpenGL window and compositing manager, Compiz, has been added to rawhide. It seems that 2006 is the year of uber eye-candy in Linux. I doubt it will ship as part of RHEL5, but FC6 desktops should be all set. One difference between SUSE and Fedora is that Compiz sits on top of AIGLX instead of XGL. A Red Hat developer provides some more details in a post to the fedora-devel-list.

Essential Perl Modules now in Fedora

Several years ago when we added comprehensive LDAP coverage to the GL275 class we ran into a deficiency. We teach the best practice approaches to using LDAP as a NIS replacement. That often involves importing user accounts into LDAP from files in /etc. The PADL migration tools leave a lot to be desired from a functionality and user friendliness perspective. So I wrote a new migration tool in perl called "ldapmigrate". Of course when communicating with the LDAP server it is best to do so over an encrypted SSL/TLS connection. To that end my "ldapmigrate" script makes use of the perl modules IO-Socket-SSL and Net-SSLeay. By having those two modules installed the perl LDAP module can make the encrypted connections. Although SUSE included those modules as part of the distribution, Red Hat did not and I filed a bug report in 2003 to add them. In the interim we compiled and provided those modules in class. Finally, today they were added to rawhide so those modules will be part of Fedora Core v6 and RHEL5.

(July 20, 2006 12:08 AM UTC)

July 11, 2006

Lamont R. Peterson

Macromedia Flash on FC5

Last year, I wrote a post providing instructions on how to manually install the Macromedia Flash plugin for Linux so that it would work with all of your browsers.

As my good friend Doran Barton pointed out in a comment on my previous post, there are RPMs available to provide the Flash plugin. At the time I wrote that post, I had tried using that RPM for the current release of Fedora Core which I had recently installed, but it didn't work for me. Additionally, other instructions & HOWTOs that I had found on the Internet didn't work for all of my browsers. As I do some web stuff, I like to keep several working browsers around for testing.

When Fedora Core 4 came out (in May of 2005), I continued to use the instructions I had written to make Flash available in all of my browsers. A couple of months later, I found that the mplug yum repo (which Doran had suggested using) now worked for me and that it installs the Flash plugin such that it works with all the browsers I have installed.

When I upgraded to FC5, I found that the same RPM works there, too. You can download the .repo file, which should be placed into your /etc/yum.repos.d/ directory, then run yum install flash-plugin as root.

I did run into a website recently that required Flash 8, which is not available for Linux. It's doubtful that the complications in porting Flash Player 8 to Linux will be overcome, however, it looks like Flash Player 8.5 will be made available for Linux.

So, I would highly recommend using the mplug Macromedia yum repository. But if it doesn't work for you, refer back to my instructions for manually setting up Flash for all of your browsers.

If you experience any troubles with the Flash plugin in your browsers, check out the FAQ at mplug, which has some good tips for dealing with common issues. For those of you using FC5, there is a note in the FAQ about font issues that could apply to your situation. There are also notes regarding installing the flash plugin with other distributions.

(July 11, 2006 04:25 PM UTC)

July 10, 2006

Lamont R. Peterson

Swap Happy NICs on FC5

When Red Hat's system-config-network or netconfig tools (on either RHEL or Fedora) create /etc/sysconfig/network-scripts/ifcfg-ethX files, they always add in the HWADDR=00:00:00:00:00:00 line. There have been a couple of times that I have run into trouble because of that line.

When ifup finds the HWADDR variable in an ifcfg-foo file, it uses the value to verify that it is configuring the correct interface. If it doesn't match, it bails out. Because of this, I have often told students that if they expect to be swapping NICs or if they run into a problem where ifup refuses to configure the interface, to try removing (or commenting out) the HWADDR line entirely. I have even gotten into the habit of just removing it on my own personal servers, workstations & notebooks.

However, not having HWADDR in my /etc/sysconfig/network-scripts/ifcfg-ethX files on my notebook actually caused me a little bit of trouble, today.

(July 10, 2006 10:37 PM UTC)

July 07, 2006

Lamont R. Peterson

Encrypting Partitions on a Fedora Core Notebook

(Ed. I originally wrote this in August of 2005, but never published it, planning on reworking it to use dm-crypt instead. Unfortunately, with all the traveling and other things keeping me busy here at Guru Labs, I've still not gotten around to it, so, I decided to publish this version as is. I should have the dm-crypt version written as a new Guru Guide, soon.)

Working for Guru Labs, I travel many tens of thousands of miles per year. I go through airports and fly all over North America. In all this traveling, I have never had to deal with the loss or theft of a notebook computer. Hopefully, my luck will hold for many years (decades?) to come.

Of course, I'm not going to just say, "Well, I'll never have to worry about that!," and call it "security". I have data on my notebook that I would not want to lose. If my notebook was lost or stolen, I have all that data on other systems and could reconstruct it (well, almost all that data).

However, some of it should never be allowed to fall into the "wrong" hands, either. Encryption is a good answer to this problem.

(July 07, 2006 06:45 PM UTC)

June 08, 2006

Dax Kelson

Treo700p Mini-review

I've had my shiny new Treo700p for the past week and I thought I'd share a few things I've noticed about upgrading from my Treo650.

By far, the best new feature is support for super fast (slightly less fast than DSL) data access via EVDO. The speed difference is incredible and the latency is about 1/2 of what it used to be.

Benefits of the speed increase (and latency decrease):


  • SSH sessions have nearly no lag! (note that I use pssh as my PalmOS SSH client)

  • IRC, VNC and RDP remote desktop sessions are also greatly improved with nearly zero lag.

  • Web browsing is MUCH faster due to the lower latency, faster download speeds and improvements to cache handling in Blazer v4.5.

  • Doing a new email check on my IMAP inbox (with 24,000+ messages) now takes about 10 seconds versus a minute on the Treo650. New emails download very fast.

  • High quality streaming audio and video is now possible. I know lots of people are going gaga over the fact that Orb works. The 3GP test page worked fine for me.

  • Tethering your laptop via Bluetooth DUN results in speeds around 250Kbps. If you tether your laptop via USB the speeds are around 950Kbps!

Besides the killer speed increase there has also been a large round of polishing. Some things I've noticed in that regard include:


  • The "screen is locked" dialog now shows the time.

  • Contacts can be assigned a custom ring tone in the Contacts app.

  • The SMS app has seen a face lift.

  • The excellent Documents To Go app with PDF, MS Word, MS Excel (incidentally, it does calculations on TEXT cells the same way as Excel), MS Powerpoint support is now included and installed in the ROM.

All in all I'm very pleased with the upgrade to the Treo700p.

(June 08, 2006 10:37 PM UTC)

June 07, 2006

Dax Kelson

OpenOffice Calc Is Evil

Uggh. I hate to do this, but I don't want to have someone trip over this unmarked landmine and possibly lose a bunch of money/reputation/sanity.

All over the world OpenOffice.org/StarOffice is pitched as a replacement for Microsoft office including Excel.

As such OO calc can read MS Excel files, but it does something very very bad. It performs calculations DIFFERENTLY than Excel (no warnings even).

This is pure evil.

The issue is that Excel will perform math calculations on numbers even if the cell is formatted as "TEXT" or has text in it. The very newest Excel indicates something is amiss by having a small green triangle in the corner of the cell, but this behavior is not likely to ever change so as to maintain backwards compatibility.

The problem with OpenOffice Calc is that in most situations (but not always) it will silently ignore numbers in "text" cells that are part of formulas or calculations and in the end produce wrong answers.

This Excel compatibility problem was reported 5 years ago!

See http://www.openoffice.org/issues/show_bug.cgi?id=5658 for the sad sad commentary, many duplicate bug reports as well as the unfortunate inability by the OO.org developer(s) to consider this a problem of any importance.

For example, some developer comments:

"not a defect."
"Not a bug ! Text is text and not a number so you can't calculate with text."
"IMHO not a bug from Calc but from Excel"
"we are not an Excel clone and will not be !"

I *almost* had a $20,000 mistake (not in my favor) thanks to OpenOffice.org Calc while I was creating an invoice from an Excel XLS file emailed to me by a client.

(June 07, 2006 10:56 PM UTC)

GPL Dell Server Management and Linux

Server vendors like Dell love Linux as it helps them sell hardware. It is in their best interest to have their servers work well with Linux.

Dell has long had server management software called Dell OpenManage Server Administrator (OMSA) which provides a command line and web interface to monitor hardware details and failures, and has the ability to "plug-in" to various datacenter management platforms like HP OpenView, CA Unicenter, and Novell Zenworks.

Historically OMSA required several binary-only kernel modules for drivers to the system management chips. This meant that if you used OMSA, it would "taint" your kernel rendering your system unsupported by kernel developers (although you could still get support from your Enterprise Linux vendor and Dell).

Today I noticed that Dell OpenManage Server Administrator v5.0 was released. The press release didn't mention this, but digging deeper I discovered this tidbit:

Starting with OMSA 5.0, all necessary kernel components are now fully open source, GPL licensed, and included in kernel.org 2.6.x. This includes the OpenIPMI drivers/char/ipmi/ipmi* drivers, drivers/firmware/dell_rbu Remote BIOS Update driver, and drivers/firmware/dcdbas Dell Base Systems Management driver. This should make it much easier to install and run OMSA on a variety of Linux distributions (userspace library incompatibilities, if any, notwithstanding).

That is very cool! Well done Dell.

I also found out today that Dell makes it easy (relatively so) to install OMSA via an "unofficial" yum repository. Do any other big hardware vendors have yum repos for their management tools?

Information on the repository is available at: http://linux.dell.com/repo/software/

(June 07, 2006 08:44 PM UTC)

May 15, 2006

Dax Kelson

First Treo 700p Articles Out

We folks at Guru Labs have long been Treo users and most everyone at the office has one.

They are an extremely powerful communication tool and whenever we are doing a Linux training gig on the road the Treo makes it easy to stay in touch (and even drop in on #utah).

The Treo700p will be officially announced on Monday May 15th 2006. However, in some places of the world that time has already arrived and the press embargo has been lifted.

For official/non-rumor Treo700p details check out the first article to be published at Treo Central, titled "Palm Reveals Treo 700p Smartphone".

The 2nd article now online is from Palm themselves, see the "Treo 700p Smartphone". There is a PDF as well as a flash demo.

(May 15, 2006 05:39 AM UTC)

May 10, 2006

Dax Kelson

Treo700p Launching May 28th 2006

An anonymous Sprint employee posted page "4" of their weekly sales "playbook". In it, it shows the Treo 700 launching on May 28th. In the thread discussing this new info it has also been confirmed that this is the Treo 700p (and not the 700w).

This info is from www.TreoCentral.com which has the best forums for Treo owners and fans.

(May 10, 2006 06:31 PM UTC)

May 09, 2006

Dax Kelson

Treo700p / EV-DO / Palm Trade-In Program

The Treo700p is soon to be released and I plan on upgrading. Some of the new (rumored) features to be included are:

* EV-DO support on CDMA networks
** Can receive incoming calls while actively using data
* Increase of built-in memory to 64MB
* Update of all built-in apps
** New "fast mode" in blazer
* 1.3MP camera
* FAT32 support (can be hacked into a Treo650 today with a custom rom)
* Enhanced keyboard

The EV-DO support is probably the "killer app" as it provides DSL-like speeds.

The N. Utah Sprint EV-DO coverage map shows EV-DO coverage available today in orange and future coverage in beige.

I look forward to the EV-DO Rev A rollouts as that greatly increases the speed down and up while providing much better latency that will make VoIP and interactive apps (such as ssh) a joy to use. Unfortunately I doubt the EV-DO radio in the Treo700p will support EV-DO Rev A. Oh well, it just gives me yet another reason to upgrade to a future Linux based Treo.

Palm has just announced a Trade-In Program for old PDAs and SmartPhones that can be used as credit towards the purchase of a new Treo 700p (or any Palm PDA).

Some of the Trade-In values I checked:

Treo 650 in excellent condition = $170
Treo 650 in good condition = $142
Treo 600 in excellent condition = $65
Treo 600 in good condition = $53

(May 09, 2006 06:47 PM UTC)

April 20, 2006

Dax Kelson

Guru Labs Job Openings

The market for Linux training is heating up and we are looking for more talented folks to become Guru instructors. We recently filled a position (big wave to Clint), but we have several more spots open.

We have traditionally hired via word-of-mouth.

Job details follow...

=======================
Job title: Guru
Location: Bountiful, Utah and North America (see description below)
Type: full-time position with benefits
Salary: Negotiable depending on experience
Description: You would be joining an extremely talented team of Linux
enthusiasts. Core job responsibilities include teaching Linux classes
locally and abroad, and developing and updating Linux course materials.
Requirements: Strong Linux administration skills with additional broad topic knowledge in security, networking, scripting, and programming very beneficial. The ability
to communicate effectively is required with an outgoing personality a plus. The willingness and
ability to travel also required.

Pros:
* No dealing with pointy haired bosses, corporate red-tape, hostile
workplace politics, etc.
* We are a small company that has been in business for 7 profitable
years. Owned 100% by employees with no outside funding allows us
to operate without external pressures.
* Guru Labs environment and culture foster rapid skills development.
You will be constantly working with smart people on cutting edge Linux
projects. Teaching Linux will add a whole new depth to what you thought
you already knew.
* Gurus are actively encouraged to participate in the open source community.
* Fun travel at least 2 weeks a month. We teach Linux classes (both
public enrollment, and private corporate on-site) all over the US and
beyond. Spend your evenings enjoying local attractions and culinary
wonders.

Cons:
* Expensed meals from the best restaurants in the country will soon
make all the restaurants in Utah seem a bit dull.
* Being surrounded by geeks with tech gadgets may give you "gadget
envy" and lead to increased electronics purchases.
* Your ego may take a hit as you discover that having your laptop
multi-boot between 5 Linux distros sporting custom kernels that you
built and packaged is suddenly the norm. :)

Send resumes to jobs@gurulabs.com

(April 20, 2006 10:10 PM UTC)

On installing/Upgrading RPM packages

When installing and/or upgrading packages using the /usr/bin/rpm command you have several choices depending on the exact outcome desired and the pre-existing situation.

First one should be aware of one of the RPM rules that is the main factor in this choice, namely "A file can only be 'owned' by a single RPM package". As with all rules in the UNIX/Linux world it is possible to override this rule, but you get to keep all the pieces when stuff breaks.

Because of this rule, for the vast majority of packages you might install, you can only have one version installed.

For example, let's say you have two RPMs for the Apache web server.

httpd-2.0.54-10.3
httpd-2.2.0-5.1.2

(the package names come from Fedora Core v4 and v5 respectively).

You can examine the packages (before installation) and see what files are contained. In this case we'll just look at what files have "sbin" in their path since the complete list is over 300 files.

First the package for Apache version 2.0:

$ rpm -qlp httpd-2.0.54-10.3*rpm | grep sbin
/usr/sbin/apachectl
/usr/sbin/httpd
/usr/sbin/httpd.worker
/usr/sbin/rotatelogs
/usr/sbin/suexec

And for Apache version 2.2:

$ rpm -qlp httpd-2.2.0-5.1.2*rpm | grep sbin
/usr/sbin/apachectl
/usr/sbin/htcacheclean
/usr/sbin/httpd
/usr/sbin/httpd.worker
/usr/sbin/httxt2dbm
/usr/sbin/rotatelogs
/usr/sbin/suexec

Out of the 300+ files if a single file is the same you can't have both packages installed at the same time. Really the constraint isn't the two Apache RPMs, but the entire set of RPMs that are installed or will be installed on a box. No files can "conflict" (be the same).
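As an added example that is not part of the original post, the sh helpers below make that rule checkable before anything is installed. rpm_file_conflicts compares two one-path-per-line file lists (the output of rpm -qlp, or anything else); installed_conflicts asks the RPM database who already owns each file a new package would drop in place; the demo feeds the sbin paths quoted above as constructed input. The rpm-based helpers need rpm on the box and are not exercised by the demo. Note that rpm has this check built in as well: rpm -ivh --test pkg.rpm performs the whole dependency and file-conflict check and reports the conflicts without changing the system.

```sh
#!/bin/sh
# Added example, not from the original post: find files that two RPM packages
# would both own, which is exactly what makes "rpm -i" of a second version fail.

# rpm_file_conflicts LIST1 LIST2: print paths present in both file lists.
# Each list is one path per line, e.g. saved output of "rpm -qlp pkg.rpm".
rpm_file_conflicts() {
    { sort -u "$1"; sort -u "$2"; } | sort | uniq -d
}

# package_conflicts A.rpm B.rpm: the same check straight from two package
# files (needs rpm; not run by the demo).
package_conflicts() {
    t1=$(mktemp)
    t2=$(mktemp)
    rpm -qlp "$1" > "$t1"
    rpm -qlp "$2" > "$t2"
    rpm_file_conflicts "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# installed_conflicts PKG.rpm: report which installed package already owns
# each file the new package would install.  No output means "rpm -i" will
# not hit a file conflict (rpm -ivh --test pkg.rpm is the built-in check).
installed_conflicts() {
    rpm -qlp "$1" | while read -r f; do
        owner=$(rpm -qf "$f" 2>/dev/null) && echo "$f is owned by $owner"
    done
}

# Constructed sample input: the sbin files the post lists for the FC4 and FC5
# httpd packages.  Five paths are common to both, so "-i" of the second one
# fails while the first is installed; "-U" replaces it instead.
demo_conflicts() {
    a=$(mktemp)
    b=$(mktemp)
    cat > "$a" <<'EOF'
/usr/sbin/apachectl
/usr/sbin/httpd
/usr/sbin/httpd.worker
/usr/sbin/rotatelogs
/usr/sbin/suexec
EOF
    cat > "$b" <<'EOF'
/usr/sbin/apachectl
/usr/sbin/htcacheclean
/usr/sbin/httpd
/usr/sbin/httpd.worker
/usr/sbin/httxt2dbm
/usr/sbin/rotatelogs
/usr/sbin/suexec
EOF
    rpm_file_conflicts "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: sh rpm-conflicts.sh            (runs the demo)
#        package_conflicts httpd-2.0.54-10.3.i386.rpm httpd-2.2.0-5.1.2.i386.rpm
#        installed_conflicts httpd-2.2.0-5.1.2.i386.rpm
demo_conflicts
```

The two library packages discussed further down (libfoo.so.1 vs libfoo.so.2) produce no output from rpm_file_conflicts, which is precisely why both can be installed with "-i".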

With this rule covered, what RPM options are available and when would one use them? Pretty much you will always use the "vh" options to get verbose output and hash (#) marks. But the primary action options are "-i", "-U", and "-F".

* "-i". Performs an installation without removing (aka upgrading) any older version of the package. If you have an older version of the package installed, most likely THE COMMAND WILL FAIL because of overlapping files (see the Apache example above). So, for the most part, you can only use "-i" if you know ahead of time that you don't have an older version of the package already installed.

This begs the question, "When can I have two versions of a package installed simultaneously?". There are two situations, one fairly common and the other not so common.

* With the "kernel" RPM package. It turns out that every file provided by the kernel RPM package has the kernel version string somewhere in the full path, for example:

/lib/modules/2.6.15-1.2054_FC5/kernel/arch/i386/crypto/aes-i586.ko

Because of that you CAN have multiple kernel RPM packages installed at the same time, and you might actually WANT to. You might want to because the kernel is very critical to the operation of the system and if you install a new kernel version, and for whatever reason (bad driver, bug, etc) it doesn't work properly or won't boot, by having your old "known good" kernel installed you can easily recover (reboot and select the old kernel from the GRUB menu).

* The other case is when trying to run an old binary you discover it requires /usr/lib/libfoo.so.1 and you have /usr/lib/libfoo.so.2 installed. Like the kernel RPM, most (but not all) library packages have the version string embedded in the file name and therefore don't conflict.

By using "-i" you can install libfoo-1.0.18.i386.rpm alongside libfoo-2.0.22.i386.rpm.

Finally, for the sake of completeness another related question "How can I have two packages installed where both are supplying a file with same full path?". Here are some example scenarios:

* sendmail and postfix both trying to provide /usr/sbin/sendmail
* SUN Java, IBM Java, and GCJ trying to provide /usr/bin/java
* CUPS, LPRng both trying to provide /usr/bin/lpr

The answer is (as is often the case in computer science), don't have the files conflict and use an abstraction layer. This was first done by the Debian folks in the creation of the "alternatives" system, it is used very widely in Debian/Ubuntu for lots of different packages. Red Hat adopted it during the 7.x time frame but used it just with MTAs (sendmail, postfix) and printing subsystems. SUSE has now adopted it with version 10.0 but only for Java packages from the jpackage project. The complete discussion of the alternatives system is beyond the scope of this blog post. We do have excellent coverage in our Linux training classes though.

* "-F". Performs an installation and removes (aka upgrades) any older version of the package if and only if you DO have an older version of the package installed. This option I like to call the "upgrade only" option. It is a relic of the olden days of updating a Linux box with errata. Back then you updated your system with the errata by:

1. Download all available updates (using ftp and mget *rpm) into a local directory.
2. In that directory run "rpm -Fvh *rpm".

This way you wouldn't install any new software packages that happened to have an update and instead you would just update the packages you did have installed.

Today we keep our systems current with smarter methods such as "yum -y update, you, up2date, rug, etc".

* "-U". This option performs an install if you don't have an older version already installed, and an upgrade if you do. I call it the "install or update as needed" option.

So to answer the question, "What RPM option does Dax Kelson use to install or upgrade RPM packages?" the answer is, "I try not to use /usr/bin/rpm unless I'm installing packages I've created myself or manually downloaded." Instead to install software I use a front end that figures out and downloads the dependencies automatically for me. For example:

* yum install packagename ...
* yast -i packagename ...
* up2date packagename ...

In the case when I've created my own RPM or done a manual download of a RPM package I like to use the "-U" option. This way RPM does the right thing (install or upgrade as needed) for me and I don't have to mentally keep track of whether I already have the package installed.

(April 20, 2006 07:48 PM UTC)

AppArmor Patches Submitted to LKML

Today Novell/SUSE submitted the AppArmor patches to the Linux Kernel Mailing List (LKML). Following the discussion is likely to be interesting.

Red Hat has adopted the SELinux security framework (already accepted into the Linux kernel). The SELinux framework plugs into the kernel's LSM subsystem. Some people have complained of the complexity of SELinux. Because of the complexity and interference many people just turn off SELinux. The response from the SELinux folks is that Linux software has complex interactions and *any* solution to properly secure it will be, by definition, at least as complex. Furthermore, the SELinux developers say that they have worked hard on developing a clean foundation that is basically complete now and that all the easy to use front end management software can now appear.

Novell/SUSE has chosen an alternate, less complex security framework, AppArmor. The benefit is, well, that it is less complex and doesn't "interfere" as much as SELinux, so it is less likely to get turned off. The complaint about AppArmor is that it doesn't provide full security and depends on file pathnames, and won't scale well because of required locking. If a file's name changes (hard link, mount, etc) the security goes out the window. Another issue brought up is that the use of AppArmor precludes the use of filesystem namespaces, support for which has been slowly added to the kernel. The use of namespaces is supposed to usher in a new era of flexible and wonderful abilities that could be very useful for desktop users and virtualization. Today however, nobody is making use of filesystem namespaces in any mainstream distribution.

Personally, as a system administrator and user of Linux I encourage the distributions to "un-fork" as much as possible. Thanks to the Linux Standards Base (LSB) and other efforts managing Red Hat boxes and SUSE boxes is, for the most part, the same. So from this standpoint I'm pretty disappointed to see this split. It becomes yet another thing I must wrap my brain around and keep up on. Also, from an efficiency and pace of innovation perspective I would have preferred all the resources and development pushing and pulling in the same direction.

At Guru Labs we already have extensive SELinux coverage in our GL550 Linux security training class. When we do the big rev for RHEL5 and SLES10 we will be adding extensive coverage of AppArmor as well.

(April 20, 2006 01:28 AM UTC)

GSSAPI/Kerberos Authentication and Jabber

Being a computer user on a network that uses single sign on (SSO) is very convenient. Another benefit is the "other thing" that users don't generally concern themselves with, increased security. The Kerberos Network Authentication Protocol developed at MIT in the 1980s is the open standard that has been adopted widely.

On your network, the more services that are using SSO authentication, the greater the benefit of SSO. This is commonly called the "Fax Effect" (the more people that own fax machines, the greater the benefit to each fax machine owner). Today many services are able to use Kerberos authentication either directly, or indirectly through GSSAPI or SASL+GSSAPI.

Some of these services include:

* SQL Servers (PostgreSQL, Oracle)
* SMTP (Postfix, Sendmail)
* IMAP (Cyrus-imapd, Dovecot)
* Email clients (Evolution, Thunderbird, Kmail)
* SSH (OpenSSH)
* telnet/ftp/rlogin/rsh
* rsync (via ssh)
* Web Applications (Apache +mod_auth_kerb or IIS plus Mozilla/Firefox/Konqueror/IE)
* File Servers (NFSv3/v4 with "sec=krb5" on Linux, or Samba)
* Print Servers (LPRng or later this year, CUPS)
* Network equipment (Cisco IOS and others)

Here at Guru Labs, we have been on a multi-year mission to get every service on our network using Kerberos authentication. Not just with Kerberos, but across the board we try to develop best practices, "dog food" them and then write about them in our Linux courseware and training.

One service we recently Kerberized was our Jabber instant messaging server. Getting Jabber kerberized is very nice, particularly when using Gaim. If you configure Gaim to store your passwords (not the default, but very conveniently tempting), it stores them in plaintext in your ~/.gaim/accounts.xml file.

As of April, 2006 the GSSAPI+Kerberos Jabber landscape is as follows:

There are two open source Jabber server implementations that support GSSAPI+Kerberos authentication.

* Jabberd v2.0 with Simon Wilkinson's Kerberos/GSSAPI/SASL patch. This is a mature well tested solution. This is what we are using at Guru Labs. The patch has been accepted into the CVS tree and will be in the future v2.1 release.

* The highly regarded and actively developed Java based Wildfire Server is just barely (days ago) starting to work with GSSAPI. Once the rough edges are polished off and a stable release is made with GSSAPI support we are going to strongly consider moving to this server.

On the client front there are patches for Psi and Coccinella and Gaim. I haven't used Psi or Coccinella so I don't know if the patches are current or have been accepted into the official trees.

For gaim v1.5.x there are two patches. Simon Wilkinson developed a SASL-GSSAPI patch that was later modified by Greg Hudson of MIT to support graceful fallback by prompting for a password if a Kerberos ticket is not obtainable. This is something I wish more client software would do.

The soon to be released gaim v2.0 has Simon's patch integrated, so it will support GSSAPI/Kerberos authentication out-of-the-box. There are plans to add graceful fallback and other features.

Our experiences getting Jabber Kerberized will be rolled into our GL550 "Enterprise Linux Security Administration" training course. The course includes extensive Kerberos coverage both of MIT's implementation and KTH's Heimdal implementation (used on SUSE Linux Enterprise Server 9) as well as best practices for Kerberizing common services (see the list above). It is the only Kerberos training class that I'm aware of.

(April 20, 2006 12:02 AM UTC)

April 19, 2006

Dax Kelson

Keeping your Intel Wireless NIC on a Leash

My laptop has the Intel 2200BG card and uses the ipw2200 driver. By default, when the driver loads, it tries to associate to any network that is open and accessible. This is the physical equivalent of your laptop automatically plugging itself into any network port in the area.

I don't like this behavior, both from an I-want-control-of-my-network-status as well as a go-to-jail-or-pay-a-big-fine standpoint.

Fortunately the driver allows you to turn off this auto-associate behavior with a parameter. In my /etc/modprobe.conf I added the line:

options ipw2200 associate=0

Problem solved.

(April 19, 2006 09:42 PM UTC)

April 08, 2006

Dax Kelson

When is a 5400RPM hard drive faster than a 7200RPM one?

I take my laptop pretty seriously since I use it as my primary computer both at work and home. I'm picky about the performance, weight, screen and durability. It's the same for most of us at Guru Labs. A major line of work for us is lugging our laptops around the world delivering Linux training. The ThinkPad T series is a common sight around the office.

For years laptop hard drives ran at 4200RPM and were a major bottleneck in mobile performance. Fortunately 5400 and 7200RPM drives brought "desktop like" performance to laptops. Two years ago when I bought my ThinkPad T42p I went for the largest 7200RPM drive available at the time, 60GB. I have really enjoyed the speed and vowed that I wouldn't get anything slower than 7200RPM in my laptop. The only problem is that I have been a bit cramped by the space and, even today, the largest 7200RPM 2.5" laptop hard drive is only modestly larger at 100GB.

Not too long ago the Seagate Momentus 5400.3 ST9160821A 160GB Hard Drive was released and took the crown as the new champion in 2.5" laptop capacity. When I saw that it was a 5400RPM hard drive I was a bit bummed -- however when I found out it was the first hard drive to ship with perpendicular recording technology I was intrigued.

Reviews were hard to come by, and the ones I read didn't have any comparisons against 7200RPM laptop hard drives. I took a chance and bought one with the strong hopes that the high areal density would translate into performance that could match my 7200RPM drive.

Here is what the initial performance numbers (averages from several hdparm -tT runs) look like:

For my original 60GB 7200RPM drive:
/dev/hda:
Timing cached reads: 2104 MB in 2.00 seconds = 1051.93 MB/sec
Timing buffered disk reads: 114 MB in 3.00 seconds = 37.95 MB/sec

For the new Seagate Momentus 160GB 5400RPM drive:
/dev/hda:
Timing cached reads: 2112 MB in 2.00 seconds = 1055.82 MB/sec
Timing buffered disk reads: 122 MB in 3.00 seconds = 40.61 MB/sec

As you can see it exceeded, not just matched, the performance I have been used to. Additional benefits of the drive are quieter operation, and the 5400RPM drive uses less power, which increases my battery life. I'm very pleased.

At the Guru Labs office you can get easily blinded by all the shiny geek toys and I'm afraid I've triggered another round of upgrades. :)

(April 08, 2006 08:56 AM UTC)

March 30, 2006

Dax Kelson

Palm PDAs and the Linux visor driver vs libusb

Modern Palm PDAs connect to Linux via USB or Bluetooth. The pilot-link software provides the command line utilities and a library that GUI apps and frameworks (such as gnome-pilot) are built on top of.

Access to the Palm PDA hardware has traditionally been done via the visor kernel module. When the Treo 600 was released I submitted a minor kernel patch, accepted by Linus, that enabled the visor kernel module to handle the new Treo 600.

With the visor kernel module, a character device such as /dev/ttyUSB1 is used to access the Palm PDA.

A new method available with pilot-link v0.12 is direct USB access via libusb. Besides being twice as fast, access via libusb gets around the problem of tricky timing issues and udev being slow to create the /dev files.

With Fedora Core v5 I decided to benchmark the exact difference in speed between the visor and libusb access methods. To do this I had to recompile pilot-link with libusb support; I filed a bug to have this be enabled by default in the future.

I used pilot-xfer to back up my Treo650's 15,668KB of data.

Using the visor method:

pilot-xfer -p /dev/ttyUSB1 -b /tmp/Treo650-backup-visor

Results: 415 seconds or 37.75KB/sec

Using the libusb method:

pilot-xfer -p usb: -b /tmp/Treo650-backup-libusb

Results: 201 seconds or 77.95KB/sec

The results speak for themselves. Using the libusb method is more than twice as fast as using the visor kernel module. I can't wait for pilot-link v0.12 to be officially released.

(March 30, 2006 10:19 PM UTC)

February 03, 2006

Derek Carter

Reverse Proxy with httpd

This image is the basis of a coming blog entry or guruguide

Continue reading "Reverse Proxy with httpd"

(February 03, 2006 11:42 PM UTC)

November 01, 2005

Derek Carter

Updated VIM Goodies

I took the time to update the movement table to use the new GuruLabs KeyCaps font. Check it out here.

(November 01, 2005 05:41 AM UTC)

October 25, 2005

Derek Carter

Keep your pants on

Understanding the initialization process of your Linux distro is quite important, as the boot sequence is where the majority of problems occur. It's also very useful to know and understand how to create or modify a System-V init script for dealing with starting and stopping of services.

Continue reading "Keep your pants on"

(October 25, 2005 03:38 AM UTC)

October 08, 2005

Derek Carter

VIM freebies

VI or VIM... there is a name which will inspire hope or despair in the hardiest of the command line jockeys. I have adopted as my goal to teach the layperson the benefits of learning the big VIM monster, and here are some of the tricks and tools I've come across.

Continue reading "VIM freebies"

(October 08, 2005 12:08 AM UTC)

September 21, 2005

Derek Carter

Lock Down

Host security is a very important topic. You want to keep your machine as secure as possible. One security principle that most overlook is the "Principle of Least Privilege." This principle states that you should only give sufficient security access to a user to allow them to get their job done, but no more. There have been many different tools, ideas, and practices created to help stick to this principle (e.g. su, sudo, PAM, etc.). I'm going to show you two very powerful tools/ideas that will vastly improve your security by limiting certain accounts, while still maintaining sufficient access so as to not restrict functionality. I'm first going to introduce you to scponly. Then I'll demonstrate a cool PAM trick to create a "su only" user.

Continue reading "Lock Down"

(September 21, 2005 11:24 PM UTC)

July 27, 2005

Derek Carter

Concurrent GUI Logins

Ever wanted to do multiple concurrent GUI logins ala "fast user switching" in Windows XP? It's really not that hard.

These instructions assume you are using GDM as your display manager. The file paths are written assuming that you are using a RedHat based distro.

Continue reading "Concurrent GUI Logins"

(July 27, 2005 10:38 PM UTC)

July 25, 2005

Cameron Christensen

Graphical RPM Package Management

The system-config-packages graphical utility can be used for RPM package management. It allows for the installation and removal of RPM packages. When installing RPM packages the default will prompt for a specific CD to install the RPM package from. Trying to install several RPM packages using CDs becomes cumbersome and sometimes requires that CDs be inserted into the CD-ROM drive many times. There are several options that can change the default installation source tree. These options are --tree= and --isodir=.

The --isodir= option is used to specify the directory that contains the iso images.

The --tree= option is used to specify the directory that contains the contents from the installation CDs.
NOTE: In order for the --tree option to work properly the .discinfo file must be copied from one of the installation media CDs into the installation source tree directory. If the .discinfo file does not exist in the installation source tree directory, error messages will be displayed about an improper installation source directory.

An example:
system-config-packages --tree=/var/ftp/pub

(July 25, 2005 05:21 PM UTC)

July 14, 2005

Derek Carter

Multi-Line sed

Let's say you want to add "disable = yes" after two specific lines in a file.

For example, the two lines:

service finger
{

The "N" command to sed tells it to read another line into the "input buffer"; you can stack multiple "N"s if you need more than 2 lines.

So, the answer is:

sed -i -e N -e "s/service finger\n{/service finger\n{\n\tdisable = yes/g" /path/to/file-to-be-edited

To read 3 lines you would do something like (each "N" pulls in one more line, so two of them give you three lines in the buffer):

sed -i -e N -e N -e "s/changethis/tothis/g" /path/to/file-to-be-edited

(July 14, 2005 06:38 PM UTC)

May 19, 2005

Cameron Christensen

SELinux relabeling files

Under Red Hat Enterprise Linux 4 or Fedora Core 3 when SELinux is disabled all files that are created do not contain any security information. When SELinux is enabled, these files which are missing the "security information" or security context will not function correctly. One method to quickly relabel all files based on default contexts is to use the touch /.autorelabel command. This creates an empty file that will be used by the rc.sysinit script to relabel all files when the system is rebooted.

(May 19, 2005 06:21 PM UTC)

May 13, 2005

Derek Carter

Catching up

These Guru Labs blogs were created to allow us instructors to share information that was historically shared via internal mailing lists. There have been a large number of very interesting and powerful tips/tricks, as well as funny/useful websites. I have personally combed the archives of these mailing lists and have compiled quite a list of URLs.

Continue reading "Catching up"

(May 13, 2005 08:13 PM UTC)

You TWIT!

Don't get alarmed, I'm not being demeaning. TWIT is just an acronym. An acronym that has made me all sorts of (howdy Brent) excited!!! Why am I excited? Well let me tell you. TWIT stands for This Week In Tech. A podcast which talks about many different aspects of technology today. This podcast features guests that share their views, a site of the week, and have a generally geeky good time. You may be wondering, "Why then is this such a good podcast?" or thinking, "I've heard of a myriad of podcasts like this." Let me explain my overjoyment.

Continue reading "You TWIT!"

(May 13, 2005 02:49 AM UTC)

April 14, 2005

Evan McNabb

Linux Cake

At the end of class today we had a little party, and a student brought in this cake. I think it's my favorite design ever. :-)

tux.jpg

(April 14, 2005 11:24 PM UTC)

March 08, 2005

Derek Carter

Archatecting a Plot

For some time now I've been writing code, doing web development, creating documents, etc... I've learned that the more of this you do the more important a good RCS (revision control system for you laypersons out there) can be. The bigger a project gets the more important source code control becomes.

In the past, CVS has been the de-facto standard of the RCS's out there, I don't think there's been a programmer who hasn't at least heard of it. CVS makes it very easy to keep track of the sourcecode and who's doing what with it.

There are a few downsides to CVS however, and it's starting to show its age. One of the biggest problems with CVS and its way of doing things is the open source paradigm (I'm gonna take what you've done, and make it better), commonly known as a distributed repository. It's difficult, to say the least, to accomplish this with CVS.

Enter arch, or more correctly tla arch. It gives you the ability to break off of the main repository and work on a branch yourself, committing changes and the whole nine yards. You can also merge these changes back into the main branch at any time in a smart fashion.

Now, I am, by no stretch of the imagination, an arch master/guru/demi-god, I just do relatively simple source code control. I therefore refer to a mailing list post that very well defines an arch "success story."

There are quite a few resources out there for learning about arch, not least of which is the arch wiki (link posted above). However there are many command-line options and commands that go into making arch a robust program, so it can be kind of disarming to get into arch with no previous knowledge of an RCS or transitioning from CVS. Brett Rasmussen (author of the above mailing list post) was kind enough to make up a little cheat sheet for those of us who don't really like digging through the wiki or the online help. And I thank him for letting me post it here.

Hopefully this info is of use to you, I know that I've benefited from it quite a bit.

derek

(March 08, 2005 11:54 PM UTC)

Cameron Christensen

Partition Table Recovery using sfdisk

Before modifying a device's partition table create a file that contains a list of the current partitions. If for some reason there's a problem or the original partition table needs to be recovered (before modification) this file can become invaluable.

Create the file using sfdisk and redirect its output to a file.
sfdisk -d /dev/hda > hda_partitions.pt

To restore the partition table
sfdisk /dev/hda < hda_partitions.pt

(March 08, 2005 10:42 PM UTC)
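The restore command is only as good as the dump file it reads, and an empty or truncated file (a failed redirect, a dump taken of the wrong device, a disk that filled up mid-write) is exactly what you do not want to feed to sfdisk while trying to recover. The wrapper below is an added example, not code from the original post: it checks that a dump looks complete before it is kept and again before it is written back. The function names and the sample dump are this example's own; the sample is constructed in the text format sfdisk -d produced at the time and is not a real partition table.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the two sfdisk
# commands with a sanity check so a bad dump is never restored.

# pt_dump_ok FILE : succeed only if FILE looks like a complete sfdisk -d
# dump: non-empty, with a "unit:" line and at least one partition line
# carrying "start=". Both the older "Id=" and newer "type=" layouts pass.
pt_dump_ok() {
    [ -s "$1" ] || return 1
    grep -q '^unit:' "$1" || return 1
    grep -q '^/dev/[^ ]* *: *start=' "$1" || return 1
    return 0
}

# pt_backup DEVICE FILE : dump the table; discard the file if the dump
# failed or does not validate, so a broken dump is never mistaken for good.
pt_backup() {
    sfdisk -d "$1" > "$2" || { rm -f "$2"; return 1; }
    pt_dump_ok "$2" || { echo "incomplete dump in $2" >&2; rm -f "$2"; return 1; }
}

# pt_restore DEVICE FILE : validate first, then write the saved table back.
pt_restore() {
    pt_dump_ok "$2" || { echo "refusing to restore from $2" >&2; return 1; }
    sfdisk "$1" < "$2"
}

# write_sample_dump FILE : constructed sample (not a real dump) showing
# what pt_dump_ok accepts.
write_sample_dump() {
    cat > "$1" <<'EOF'
# partition table of /dev/hda
unit: sectors

/dev/hda1 : start=       63, size=   208782, Id=83, bootable
/dev/hda2 : start=   208845, size= 77939190, Id=8e
/dev/hda3 : start=        0, size=        0, Id= 0
/dev/hda4 : start=        0, size=        0, Id= 0
EOF
}

# Usage (as root, on the real device):
#   pt_backup  /dev/hda hda_partitions.pt
#   pt_restore /dev/hda hda_partitions.pt
```

Keeping the dump off the disk it describes (a USB stick, another host) is the other half of this; a backup stored on the same device is lost with the table it was meant to restore.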

March 02, 2005

Evan McNabb

Gentoo Portage Search Tool: eix

I found a Portage search tool called eix. It looks like it has been around for a while, but I didn't notice it until recently. eix allows you to search with both regular expressions and fuzzy searches (match to "similar" strings). What's really nice is that it can search by information field (package name, description, license, etc). The output is clean and it's much faster than 'emerge -s'.

http://eixwiki.unfoog.de/

(March 02, 2005 01:59 AM UTC)

Derek Carter

New Guru Guide::Router on a stick

I just created my first guruguide:
Router on a Stick

Check it out.
neato tricko

derek

(March 02, 2005 12:20 AM UTC)

March 01, 2005

Evan McNabb

NeXTstation is up and running

I had a ton of laundry to do this evening, so I decided to leave my laptop at work (so I'd actually get it done). In between loads I decided to play around with my NeXTstation turbo. Several months ago I incorrectly set the NIS domain which caused the system to hang during boot. I found out this evening that if the network cable isn't plugged in, the network subsystem won't start (since I'm using DHCP), and the NIS check won't occur. It was a non-elegant way to get it to work, but at least it's up. I'll need to learn more about the NeXTOS boot procedure. Here's a shot of it:


(March 01, 2005 04:19 AM UTC)

February 28, 2005

Derek Carter

Mo:blog to your heart's content

This post sent from my treo650 using Mo:blog
I love technology.
Watch for more awesome posts in the near future.

(February 28, 2005 11:49 PM UTC)